textfiles/hacking/POLICIES/policyasc.hac


A Draft Security Policy
This draft policy is provided as a model for your organization's consideration
and adoption. It was prepared by the National Computer Security Association.
We would appreciate your comments or revisions to it. You may write
us at Suite 309, 4401-A Connecticut Av NW, Washington, DC 20008. Or
you may call our BBS at 202-364-1304. Or you may call voice at 202-364-8252.
BASIC REQUIREMENTS
Each of the six basic requirements defined below is used by DoD in
evaluating system security, and all six are appropriate for any computer
system, regardless of its actual security requirements.
Security Policy
There must be an explicit and well-defined security policy enforced
by the system. Given identified subjects and objects, there must
be a set of rules that are used by the system to determine whether
a given subject can be permitted to gain access to a specific object.
Computer systems of interest must enforce a mandatory security policy
that can effectively implement access rules for handling sensitive
information. These rules include requirements such as: "No
person lacking proper personnel security clearance shall obtain access
to classified information." In addition, discretionary security
controls are required to ensure that only selected users or groups
of users may obtain access to data, for instance on a need-to-know
basis.
Marking
Access control labels must be associated with objects. In order
to control access to information stored in a computer, according to
the rules of a mandatory security policy, it must be possible to mark
every object with a label that reliably identifies the object's sensitivity
level and/or the modes of access accorded those subjects who may potentially
access the object.
Identification
Individual subjects must be identified. Each access to information
must be mediated based on who is accessing the information and what
classes of information they are authorized to deal with. This identification
and authorization information must be securely maintained by the computer
system and be associated with every active element that performs some
security-relevant action in the system.
Accountability
Audit information must be selectively kept and protected so that
actions affecting security can be traced to the responsible party.
A trusted system must be able to record the occurrences of security-relevant
events in an audit log. The capability to select the audit events
to be recorded is necessary to minimize the expense of auditing and
to allow efficient analysis. Audit data must be protected from modification
and unauthorized destruction to permit detection and after-the-fact
investigations of security violations.
Assurance
The computer system must contain hardware/software mechanisms that
can be independently evaluated to provide sufficient assurance that
the system enforces the policy, marking, identification, and accountability
requirements described above. In order to assure that the four
requirements are enforced by a computer system, there must be some
identified and unified collection of hardware and software controls
that perform these functions. These mechanisms are typically embedded
in the operating system of mainframes, or a combination of operating
system features and added application software on LANs, and are designed
to carry out the assigned tasks in a secure manner. The basis for
trusting such system mechanisms in their operational setting must
be clearly documented such that it is possible to independently examine
the evidence to evaluate their sufficiency.
Continuous Protection
The trusted mechanisms that enforce these basic requirements must
be continuously protected against tampering and/or unauthorized changes.
No computer system can be considered truly secure if the basic hardware
and software mechanisms that enforce the security policy are themselves
subject to unauthorized modification or subversion. The continuous
protection requirement has direct implications throughout the computer
system's lifecycle.
IMPLEMENTATION CONCERNS
Creating a security policy is fairly simple. You can copy
the material that follows, for instance, and get the chief to sign
it. Implementing a security policy is more difficult.
* The organizations with the most success in implementing security
policies with PC users are those who get away from a project orientation
and somehow convince all staff that security is an ongoing business
function.
While seemingly everyone concerned with security agrees that a policy
is important, not everyone agrees that it should be agency-wide. For
example, NASA's Richard W. Carr believes that a standard approach
like the NSA's C2 level of safeguarding is not cost-effective. Because
so much of NASA's scientific data is made public, Carr has opted for
local approaches to safeguarding information, rather than an agency-wide
approach.
HARDWARE CONCERNS
Before reviewing sophisticated data security issues, it is necessary
to consider the basic physical protection of the equipment itself.
Access
Access to micros should be physically limited to authorized users. Untrained
or malicious individuals could damage or make inappropriate use of
the equipment or the accessible data. At some organizations, such
as GTE, the entire microcomputer is kept in a locked room. If users
are reluctant to lock the machine away when they are finished with it,
they are instead provided with an external hard disk that can be locked up.
* Do not permit users to leave workstations or micros unattended,
particularly if they are tied to a network.
* Install timelocks that activate after an interval of no keyboard
activity, and require a password to resume entry.
* Change all passwords immediately whenever an employee leaves the
organization.
* Change the passwords of all employees routinely, perhaps every other
month.
Theft
Personal computers and their component parts are high-value items. Secure
the rooms where the hardware is located, or install lockdown systems
securing the equipment to a table or desk.
Environmental Damage
Electrical Power
Computers are sensitive to the quality of electrical power. Use surge
protectors. Also, micros should be powered from a source isolated
from heavy appliances or office equipment.
Smoking, Eating, and Drinking
Smoke can damage disks. Food and ashes that are dropped in the keyboard
can work down into the mechanism and cause malfunctions. Smoking,
eating, and drinking should be prohibited in the vicinity of computers.
Static Electricity
Static electricity can badly damage a computer. This danger can be
minimized through the use of anti-static sprays, carpets, or pads.
Magnetic Media Protection
Particular attention should be given to the protection of magnetic
media, as it is the primary means of data storage.
Floppy Disks
Floppy disks should be handled with care.
* Always store in the protective jacket.
* Protect from bending or similar handling.
* Maintain an acceptable temperature range (50-125 degrees F.)
* Avoid contact with magnetic fields, such as telephone handsets.
* Do not write on the diskette, either directly or through the jacket
or sleeve.
Hard Disks
Rough handling of hard disks may damage the device. Take care not
to jostle the unit unnecessarily. Never power off the system without
performing the recommended shutdown procedures.
Media Declassification or Destruction
Magnetic media, such as disks and tapes, that contain sensitive or
classified information should not be put in regular waste containers. They
should be cleared by degaussing and reused, or rendered useless by
shredding or burning.
Defective or damaged magnetic storage media that have been used in
a sensitive environment should not be returned to the vendor unless
they have been degaussed. This is required since many "ERASE"
commands do not actually erase the file. The DoD-approved erasure
method requires three overwrites of the file: first overwriting with
1s, then 0s, and then random bits. Each overwrite should
be verified by inspecting the file contents, using some low-level
facility.
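As an added illustration, not part of the NCSA draft, the following Python carries out the three overwrites in the order given above and verifies each pass by reading the file back rather than by eye; the temporary file path and the sample record it writes are constructed.

```python
# Added example (not from the NCSA draft): three-pass overwrite with read-back
# verification. Each pass is hashed as written and again as read back.
import hashlib
import os
import secrets
import tempfile

CHUNK = 64 * 1024


def _overwrite_pass(path: str, size: int, pattern) -> bool:
    """Write one full pass using pattern(n) -> n bytes, sync it, then read it back."""
    with open(path, "r+b") as f:          # r+b keeps the same file and length
        f.seek(0)
        want = hashlib.sha256()
        remaining = size
        while remaining > 0:
            block = pattern(min(CHUNK, remaining))
            f.write(block)
            want.update(block)
            remaining -= len(block)
        f.flush()
        os.fsync(f.fileno())              # push the pass out of the OS cache
        f.seek(0)
        got = hashlib.sha256()
        for block in iter(lambda: f.read(CHUNK), b""):
            got.update(block)
    return got.digest() == want.digest()


def sanitize_file(path: str) -> list:
    """Run the passes in the draft's order; return the names of passes that verified."""
    size = os.path.getsize(path)
    passes = [
        ("ones", lambda n: b"\xff" * n),
        ("zeros", lambda n: b"\x00" * n),
        ("random", secrets.token_bytes),
    ]
    verified = []
    for name, pattern in passes:
        if not _overwrite_pass(path, size, pattern):
            break                          # stop at the first pass that fails to verify
        verified.append(name)
    if len(verified) == len(passes):
        os.remove(path)                    # unlink only after every pass is confirmed
    return verified


def demo() -> tuple:
    """Constructed input: a temporary file holding a made-up sensitive record."""
    fd, path = tempfile.mkstemp()
    with os.fdopen(fd, "wb") as f:
        f.write(b"PROJECT X budget: 1,250,000 (constructed sample)\n" * 2000)
    verified = sanitize_file(path)
    return verified, os.path.exists(path)
```

The read-back only confirms the blocks the file system currently maps to the file; journaling file systems and flash wear levelling can keep older copies, which is why the draft still calls for degaussing before media leave a sensitive environment.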
Electromagnetic Emanations
All electronic equipment emanates electromagnetic signals. Emanations
produced by computers, terminals, and communication lines can be detected
and translated into readable form by monitoring devices. Secure measures
intended to combat these radio frequency emissions are known as "TEMPEST"
controls. TEMPEST-certified equipment is available, and used regularly
by government organizations and contractors processing classified
data.
Hardware Modifications
Hardware modifications should be strictly controlled. Uncontrolled
or poorly considered hardware modifications can adversely affect the
operation of the computer. For example, any modifications to TEMPEST-approved
devices may invalidate their emanation-shielding ability. The configuration
of any hardware systems used for sensitive processing should be very
carefully monitored. Such devices should be sealed to prevent tampering,
and modifications made only by trusted, qualified personnel.
Trusted, Authorized Technicians
Advanced microelectronic techniques make computers vulnerable to "bugging." A
transmitter chip can be installed by a hostile technician under the
guise of a system repair or upgrade. Therefore, the user should be
certain that the technician performing maintenance is both authorized
and qualified. Also, circuit boards or components removed in the
course of any maintenance at a classified facility should not leave
without qualified technical review.
DATA CONCERNS
Classification
Classify your information. IBM uses five classes of data, from unclassified,
with no restrictions, to "registered IBM confidential", available
only to employees with a predetermined need to know. If your organization
has an approved classification system, use it. If not, develop one.
Labeling
Sensitive or classified information resources must be clearly labeled
as such. These "resources" include both the hardware and
the storage media.
External Classification Labels on Micros
Micros should have external classification labels indicating the highest
sensitivity of data processed on the device. Avoid using hard disk
systems for sensitive processing, as the data stored on a hard disk
cannot be reliably removed except by degaussing the entire disk surface. Also,
it is very difficult to ascertain that sensitive information has not
been stored on the disk. Consequently, hard disk systems must be
labeled to indicate the highest level of data sensitivity to which
they have ever been exposed.
Floppy Disk Labels
Label all floppy disks to indicate the type and sensitivity of data
on the disk. A floppy must be considered to assume the sensitivity
level of the device in which it is inserted. For example, a hard
disk that has some sensitive data must always be considered to be
a sensitive device, and any floppy disk inserted into any machine
connected (directly or through cabling) to such a hard disk must assume
that level of sensitivity. Conversely, if the floppy were more sensitive
than the hard disk, the hard disk now assumes the higher sensitivity
of the floppy.
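As an added illustration, not part of the NCSA draft, this Python models the rule above as a high-water mark: inserting a floppy raises both the floppy and the machine (hard disk included) to the higher of the two labels, and the machine's external label records the highest level it has ever processed. The four-level scale and the device names are assumed.

```python
# Added example (not from the NCSA draft): sensitivity propagation as a high-water mark.
# The label scale below is assumed; the draft does not fix a particular one.
from dataclasses import dataclass, field
from typing import Optional

LEVELS = ["unclassified", "sensitive", "confidential", "secret"]  # low to high


def dominates(a: str, b: str) -> bool:
    """True when label a is at least as sensitive as label b."""
    return LEVELS.index(a) >= LEVELS.index(b)


def higher(a: str, b: str) -> str:
    return a if dominates(a, b) else b


@dataclass
class Media:
    """A floppy or hard disk. Its label only ever rises; history records each rise."""
    name: str
    label: str = "unclassified"
    history: list = field(default_factory=list)

    def raise_to(self, label: str) -> None:
        if not dominates(self.label, label):
            self.history.append((self.label, label))
            self.label = label


@dataclass
class Micro:
    """A micro with an external label and, optionally, an attached hard disk."""
    name: str
    external_label: str = "unclassified"
    hard_disk: Optional[Media] = None

    def current_level(self) -> str:
        """Highest level the machine, hard disk included, has been exposed to."""
        if self.hard_disk is None:
            return self.external_label
        return higher(self.external_label, self.hard_disk.label)

    def insert(self, floppy: Media) -> str:
        """Floppy and machine each assume the higher of the two labels."""
        level = higher(self.current_level(), floppy.label)
        floppy.raise_to(level)
        if self.hard_disk is not None:
            self.hard_disk.raise_to(level)
        self.external_label = level   # external label = highest level ever processed
        return level
```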
Files
Files stored on a hard disk containing any sensitive files must be
handled as carefully as the most sensitive information stored on the
system. On such a system, even files that are assumed to be not sensitive
cannot be readily confirmed as such. Visual inspection of a file's
printed image does not really confirm what is physically stored in
the file space. Sensitive files, if they must be stored on hard disks,
should be handled very carefully. One means of emphasizing which
files are sensitive is to store them in a separated disk partition. However,
such methods, no matter how carefully controlled, do not ensure data
integrity.
Encryption
Data encryption provides a partial solution to the problem of labeling
as well as providing access control. Encryption is a technique for
rendering information unintelligible to those who don't have access
to the tools necessary to see it.
Hardware implementations of encryption can provide a higher degree
of security, since software-based implementations are susceptible
to penetration by interlopers. However, take steps to ensure the
integrity of the device. Sensitive equipment should be sealed and
the internal configuration audited.
Securing Data Media
Lock Floppy Disks
Diskettes should be locked in a secure container. Be sure that the
keys are unique and not interchangeable with the keys to other locks.
Use Removable Hard Disk Systems
When feasible, use removable hard disk systems instead of fixed disk
storage. At a minimum, keep hard disk systems in a secure area. Also,
consider installing power-on locks that restrict access to the machine
to individuals with lock keys. Again, the keys should be unique.
Backup
Make backup copies of all important software and data files.
Clearing Memory
Clear the micro's memory between users. Turning most micros off for
10 seconds is usually enough to accomplish this.
Data Transmission
Microcomputers can enable users to transfer data to or from a mainframe. Transferring
sensitive data should be carefully controlled and monitored. The
micro user is responsible for ensuring that sensitive or classified
information is transferred only to other computers designated for
sensitive data. The micro user is also responsible for the data transferred
from mainframe to micro. Note that such transmissions may include
information which the user may not have perceived as being transferred.
SOFTWARE CONCERNS
Software Vulnerabilities
The lack of micro hardware security engenders software insecurity. Because
modifications cannot be prevented, critical software, including operating
system routines, can be modified or destroyed. For example, encryption
schemes implemented in software can be forced to reveal their decryption
key.
Operating System Weaknesses
Unlike many mainframe computer operating systems, most micro operating
systems have not been developed for security considerations.
User Identification and Authentication
User identification is the process by which an individual identifies
himself to the system as a valid user. Authentication is the procedure
by which the user establishes that he is indeed that user, and has
a right to use the system. During the login process, the user enters
name or account number (identification) and password (authentication).
* Add password systems - software or hardware - to micros.
* Do not permit employees to use inappropriate passwords that are
easy to guess (first name, spouse's name, pet's name, birthday, etc.)
* Authentication (and, for multi-user micros and LANs, identification)
should occur whenever the system is powered up or rebooted.
Software Attacks - Trapdoors/Trojan Horses/Viruses
Don't use any software that is not a "known quantity". Isolate
and test new software on a test system, where Trojan horses and viruses
can do little damage.
Consider a policy which prohibits users from bringing unapproved software
into the building. (Rockwell International has had such a written
policy since 1988.) If a user must bring in software, consider requiring
that it be tested by your virus test group first.
Follow the advice in the chapter on viruses.
Communication Attacks
Information transmitted over unprotected communications lines can
be intercepted by someone masquerading as you, actively receiving
your information, or through passive eavesdropping. Therefore, sensitive
information should be protected during transmission. Masquerading
can be thwarted through the use of dial-back. Dial-back is an interactive
security measure that works like this: The answering modem requests
the identification of the caller, then disconnects. If the caller's
ID matches an authorized ID in the answering system's user directory,
the answering system will call back the originating system at a prearranged
number. The effectiveness of dial-back as a security measure is questionable
due to digital PBXs (private branch exchange telephone systems) and
convenience features like call forwarding. Also, various methods
of call-back protection have been broken by hackers. Encryption is
one sure method of transmission protection.
Encryption can be adapted as a means of remote user authentication. A
user key, entered at the keyboard, authenticates the user. A second
encryption key can be stored in encrypted form in the calling system
firmware that authenticates the calling system as an approved communication
endpoint. When dial-back is used in conjunction with two-key encryption,
data access can be restricted to authorized users (with the user key)
with authorized systems (those whose modems have the correct second
key), located at authorized locations (those with phone numbers listed
in the answering system's phone directory).
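As an added illustration, not part of the NCSA draft, this Python simulates the dial-back exchange together with the two-key check described above: the answering system takes the caller's ID, hangs up, calls back only the number in its own directory, and then requires both the modem's system key and the user's typed key. The IDs, numbers and keys are constructed.

```python
# Added example (not from the NCSA draft): dial-back plus two-key authentication.
# All names, phone numbers and keys are constructed for the simulation.
import hmac


class RemoteSystem:
    """A calling micro: its firmware holds the system key, its user types the user key."""
    def __init__(self, number: str, system_key: bytes):
        self.number, self.system_key = number, system_key
        self.pending_user_key = b""

    def user_types(self, user_key: bytes) -> None:
        self.pending_user_key = user_key

    def answer_callback(self) -> dict:
        # What this system presents when the answering system rings it back
        return {"system_key": self.system_key, "user_key": self.pending_user_key}


class PhoneNetwork:
    """Maps numbers to the system that picks up; assumes no call forwarding."""
    def __init__(self):
        self.lines = {}

    def connect(self, number: str, system: RemoteSystem) -> None:
        self.lines[number] = system

    def dial(self, number: str):
        return self.lines.get(number)


class AnsweringSystem:
    def __init__(self, network: PhoneNetwork, directory: dict, user_keys: dict):
        # directory: caller id -> prearranged number; user_keys: caller id -> user key
        self.network, self.directory, self.user_keys = network, directory, user_keys
        self.system_keys = {}          # prearranged number -> expected modem key
        self.log = []

    def register_system(self, number: str, system_key: bytes) -> None:
        self.system_keys[number] = system_key

    def handle_call(self, caller_id: str, claimed_number: str = "") -> bool:
        """Take the caller's ID, hang up, and call back only the directory number."""
        self.log.append(f"call from id={caller_id} claims {claimed_number or '?'}; hung up")
        number = self.directory.get(caller_id)
        if number is None:
            self.log.append("id not in directory; no callback")
            return False
        remote = self.network.dial(number)      # claimed_number is deliberately ignored
        if remote is None:
            self.log.append(f"no answer at {number}")
            return False
        creds = remote.answer_callback()
        ok_system = bool(creds["system_key"]) and hmac.compare_digest(
            creds["system_key"], self.system_keys.get(number, b""))
        ok_user = bool(creds["user_key"]) and hmac.compare_digest(
            creds["user_key"], self.user_keys.get(caller_id, b""))
        self.log.append(f"callback to {number}: system {'ok' if ok_system else 'BAD'}, "
                        f"user {'ok' if ok_user else 'BAD'}")
        return ok_system and ok_user
```

PhoneNetwork.dial assumes a number reaches the physical line it was assigned to; call forwarding and digital PBXs, which the draft flags, are exactly what breaks that assumption.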
Remote connections to other systems make micros susceptible to remote
attacks. A micro connected to a network, for example, may be subjected
to attack by other network users. The attacker could transmit control
characters that affect the interrupt logic of the micro in such a
way as to permit him to obtain full access to the micro and its peripherals,
even if he is incapable of passing the system's login challenge. The
attacker could use other techniques to examine the user's communication
package for dial-up phone numbers, access codes, passwords, etc.
HUMAN CONCERNS
To create computer security, four basic changes must occur in the
organization:
* Senior management must provide strong, overt support of the
program. They must require personal accountability in their subordinates,
and they must set good examples.
* Employees must be educated. Employees would support security
programs much more if they understood the need and the methods, and
felt that they were part of the program. Educate and involve them.
* All members of the organization must participate in the program.
Because information is handled by all employees, all must understand
the value of their contribution to security, and the value of the
information they access.
* Staff effort must be rewarded. Be sure to reward those
who provide suggestions for improving security, who comply with security
policy, and who contribute in other ways.
The "human factors" in computer security are probably far
more important than the hardware or software you throw at the problem.
Perhaps security would be improved with some world-wide attitude change,
too. Ken Thompson, one of the co-developers of UNIX, writes: "It
is only the inadequacy of the criminal code that saves the hackers
from very serious prosecution... There is an explosive situation brewing.
On the one hand, the press, television, and movies make heroes of
vandals by calling them whiz kids. On the other hand, the acts performed
by these kids will soon be punishable by years in prison... The act
of breaking into a computer system has to have the same social stigma
as breaking into a neighbor's house. It should not matter that the
neighbor's door is unlocked. The press must learn that misguided use
of a computer is no more amazing than drunk driving of an automobile."
Downloaded From P-80 International Information Systems 304-744-2253