+-------------------+ +----------------------------------+ +-------------------+
| Founded By:       | | Network Information Access       | | Founded By:       |
| Guardian Of Time  | | 17APR90                          | | Guardian Of Time  |
| Judge Dredd       | | Judge Dredd                      | | Judge Dredd       |
+-------------------+ | File 18                          | +-------------------+
                      +----------------------------------+
+------------------------------------------------------------------------------+
|               Computers User's Guide/Protection of Information               |
+------------------------------------------------------------------------------+

This is a follow-up to the VERY basic Computer Fraud Series that was done
by Lord Kalkin. This series consists of three levels, the User's Guide,
the Management Guide, and the Executive Guide. Use it to your advantage.

$_Introduction

Today's computer technology, with microcomputers and on-line access, has
placed the power of the computer where it belongs, in YOUR hands. YOU, the
users, develop computer applications and perform other data processing
functions which previously were done only by computer operations personnel.
These advances have greatly improved our efficiency and effectiveness but
also present a serious challenge in achieving adequate data security.

While excellent progress has been made in computer technology, very little
has been done to inform users of the vulnerability of data and information
to such threats as unauthorized modification, disclosure, and destruction,
either deliberate or accidental. This guide will make you aware of some of
the undesirable things that can happen to data and will provide some
practical solutions for reducing your risks from these threats.

> WHO IS RESPONSIBLE FOR PROTECTING DATA AND INFORMATION?

The statement that "security is everyone's responsibility" is absolutely
true. Owners, developers, operators and users of information systems each
have a personal responsibility to protect these resources. Functional
managers have the responsibility to provide appropriate security controls
for any information resources entrusted to them. These managers are
personally responsible for understanding the sensitivity and criticality
of their data and the extent of losses that could occur if the resources
are not protected. Managers must ensure that all users of their data and
systems are made aware of the practices and procedures used to protect the
information resources. When you don't know what your security
responsibilities are, ASK YOUR MANAGER OR SUPERVISOR.

> WHAT IS "SENSITIVE" DATA?

All data is sensitive to some degree; exactly how sensitive is unique to
each business environment. Within the Federal Government, personal
information is sensitive to unauthorized disclosure under the Privacy Act
of 1974. In some cases, data is far more sensitive to accidental errors or
omissions that compromise accuracy, integrity, or availability. For
example, in a Management Information System, inaccurate, incomplete, or
obsolete information can result in erroneous management decisions which
could cause serious damage and require time and money to rectify. Data and
information which are critical to an agency's ability to perform its
mission are sensitive to nonavailability.

Still other data are sensitive to fraudulent manipulation for personal
gain. Systems that process electronic funds transfers, control inventories,
issue checks, control accounts receivable and payable, etc., can be
fraudulently exploited, resulting in serious losses to an agency.

One way to determine the sensitivity of data is to ask the questions "What
will it cost if the data is wrong? Manipulated for fraudulent purposes?
Not available? Given to the wrong person?" If the damage is more than you
can tolerate, then the data is sensitive and should have adequate security
controls to prevent or lessen the potential loss.

> WHAT RISKS ARE ASSOCIATED WITH THE USE OF COMPUTERS?

Over the past several decades, computers have taken over virtually all of
our major record-keeping functions. Recently, personal computers have made
it cost-effective to automate many office functions. Computerization has
many advantages and is here to stay; however, automated systems introduce
new risks, and we should take steps to control those risks.

We should be concerned with the same risks that existed when manual
procedures were used, as well as some new risks created by the unique
nature of computers themselves. One risk introduced by computers is the
concentration of tremendous amounts of data in one location. The greater
the concentration, the greater the consequences of loss or damage. Another
example is that computer users access information from remote terminals.
We must be able to positively identify the user, as well as ensure that
the user is only able to access information and functions that have been
authorized. Newspaper accounts of computer "hackers," computer virus
attacks, and other types of intruders underscore the reality of the threat
to government and commercial computer systems.

> HOW MUCH SECURITY IS ENOUGH?

No matter how many controls or safeguards we use, we can never achieve
total security. We can, however, decrease the risk in proportion to the
strength of the protective measures. The degree of protection is based on
the value of the information; in other words, how serious would the
consequences be if a certain type of information were to be wrongfully
changed, disclosed, delayed, or destroyed?

$_General Responsibilities

All Federal computer system users share certain general responsibilities
for information resource protection. The following considerations should
guide your actions.

Treat information as you would any valuable asset.
You would not walk away from your desk leaving cash or other valuables
unattended. You should take the same care to protect information. If you
are not sure of the value or sensitivity of the various kinds of
information you handle, ask your manager for guidance.

Use government computer systems only for lawful and authorized purposes.
The computer systems you use in your daily work should be used only for
authorized purposes and in a lawful manner. There are computer crime laws
that prescribe criminal penalties for those who illegally access Federal
computer systems or data. Additionally, the unauthorized use of Federal
computer systems or use of authorized privileges for unauthorized purposes
could result in disciplinary action.

Observe policies and procedures established by agency management.
Specific requirements for the protection of information have been
established by your agency. These requirements may be found in policy
manuals, rules, or procedures. Ask your manager if you are unsure about
your own responsibilities for protection of information.

Recognize that you are accountable for your activities on computer systems.
After you receive authorization to use any Federal computer system, you
become personally responsible and accountable for your activity on the
system. Accordingly, your use should be restricted to those functions
needed to carry out job responsibilities.

Report unusual occurrences to your manager.
Many losses would be avoided if computer users would report any
circumstances that seem unusual or irregular. Warning signals could
include such things as unexplainable system activity that you did not
perform, data that appears to be of questionable accuracy, and unexpected
or incorrect processing results. If you should notice anything of a
questionable nature, bring it to your manager's attention.

$_Security and Control Guidelines

Some common-sense protective measures can reduce the risk of loss, damage,
or disclosure of information. Following are the most important areas of
information systems controls that assure that the system is properly used,
resistant to disruptions, and reliable.

Make certain no one can impersonate you.
If a password is used to verify your identity, it is the key to system
security. Do not disclose your password to anyone, or allow anyone to
observe your password as you enter it during the sign-on process. If you
choose your own password, avoid selecting a password with any personal
associations, or one that is very simple or short. The aim is to select a
password that would be difficult to guess or derive. "1REDDOG" would be a
better password than "DUKE."

If your system allows you to change your own password, do so regularly.
Find out what your agency requires, and change passwords at least that
frequently. Periodic password changes limit how long an undetected
intruder can keep using the password of a legitimate user. Change a
password immediately, not at the next scheduled interval, if you suspect
it has been exposed. (Current guidance, NIST SP 800-63B, favours changing
passwords on suspected compromise over fixed rotation schedules, which
tend to push users toward predictable variations of the old password.)

After you are logged on, the computer will attribute all activity to your
user id. Therefore, never leave your terminal without logging off -- even
for a few minutes. Always log off or otherwise inactivate your terminal so
no one can perform any activity under your user id while you are away
from the area.

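As an added example (not part of the original guide), the following Python
function applies the rules above mechanically: it rejects a password that is
short, that appears in a constructed common-password list, that is trivially
simple, or that a guesser could derive from the user's personal details by
the usual mangling (reversal, appended or prepended digits, appended years).
The minimum length of eight, the word list and the personal details are
assumptions made for the example; with that modern length floor, the guide's
"1REDDOG" still fails on length alone, while "DUKE" fails on both length and
personal association.

```python
import re

# Constructed mini common-password list; a real checker uses lists of
# millions of leaked passwords.
COMMON_WORDS = {"password", "letmein", "welcome", "qwerty", "123456", "admin"}

# Modern minimum length (NIST SP 800-63B); stricter than the 1990 text implies.
MIN_LENGTH = 8


def _variants(token):
    """Mangled forms of one personal token that a guesser would try:
    lower-cased, reversed, with 0-99 appended or prepended, and with a
    four- or two-digit year appended."""
    token = token.lower()
    base = {token, token[::-1]}
    out = set(base)
    for t in base:
        for n in range(100):
            out.add(f"{t}{n}")
            out.add(f"{n}{t}")
        for year in range(1930, 2031):
            out.add(f"{t}{year}")
            out.add(f"{t}{year % 100:02d}")
    return out


def check_password(candidate, personal_tokens=()):
    """Return the list of reasons the candidate is weak (empty = acceptable).

    personal_tokens: the user's name, pets, family names, user id, etc.
    (supplied by the caller; hypothetical for this example).
    """
    reasons = []
    pw = candidate.lower()
    if len(candidate) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")
    if pw in COMMON_WORDS:
        reasons.append("appears in a common-password list")
    # "Very simple": all digits, or at most two distinct characters.
    if pw.isdigit() or len(set(pw)) <= 2:
        reasons.append("too simple (digits only or repeated characters)")
    # Personal association: compare the candidate (punctuation stripped)
    # against the mangled variants of each token, and flag longer tokens
    # that appear anywhere inside it.
    stripped = re.sub(r"[^a-z0-9]", "", pw)
    for token in personal_tokens:
        t = token.lower()
        if len(t) < 3:
            continue
        if stripped in _variants(t) or (len(t) >= 5 and t in stripped):
            reasons.append(f"derived from personal token {token!r}")
            break
    return reasons


if __name__ == "__main__":
    for pw in ("DUKE", "1REDDOG", "duke1990", "correct-horse-battery"):
        print(pw, "->", check_password(pw, ["Duke", "Smith"]) or "ok")
```

The personal-token check is the part the guide is warning about: a name
like "duke" with a year appended looks nothing like a dictionary word, yet
it is among the first things an intruder who knows the user will try.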
Safeguard sensitive information from disclosure to others.
People often forget to lock up sensitive reports and computer media
containing sensitive data when they leave their work areas. Information
carelessly left on top of desks and in unlocked storage can be casually
observed, or deliberately stolen. Every employee who works with sensitive
information should have lockable space available for storage when
information is not in use. If you aren't sure what information should be
locked up or what locked storage is available, ask your manager.

While working, be aware of the visibility of data on your personal
computer or terminal display screen. You may need to reposition equipment
or furniture to eliminate over-the-shoulder viewing. Be especially careful
near windows and in public areas. Label all sensitive diskettes and other
computer media to alert other employees of the need to be especially
careful. When no longer needed, sensitive information should be deleted or
discarded in such a way that unauthorized individuals cannot recover the
data. Printed reports should be finely shredded, while data on magnetic
media should be overwritten. Files that are merely deleted are not really
erased: deletion normally removes only the directory entry that points to
the data, and the data itself remains on the medium until something else
happens to be written over it, so it can still be recovered. Overwriting
in place is reliable only on media that write back to the same physical
location; on flash/SSD storage and on journaling or copy-on-write
filesystems, old copies may survive an overwrite, and the medium's own
secure-erase function or encryption with key destruction is the dependable
approach there.

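As an added example (not part of the original guide), the following Python
code makes the last point concrete: a toy disk model shows that an ordinary
delete leaves the bytes in place for a raw scan to find, while overwriting
the file's extent before deleting it does not, and a second function applies
the same overwrite-then-unlink step to a real temporary file. The model (a
byte array plus a name-to-offset directory), the file names and the sample
record are constructed for the example and do not reflect any real
filesystem.

```python
import os
import tempfile

DISK_SIZE = 4096  # size of the toy medium, an assumption for the example


class ToyDisk:
    """Minimal model of a medium plus a directory: file data lives in the
    byte array, the directory only records where each file starts."""

    def __init__(self):
        self.blocks = bytearray(DISK_SIZE)   # raw storage, initially zeros
        self.directory = {}                  # name -> (offset, length)
        self.next_free = 0

    def write_file(self, name, data):
        if self.next_free + len(data) > DISK_SIZE:
            raise OSError("toy disk full")
        off = self.next_free
        self.blocks[off:off + len(data)] = data
        self.directory[name] = (off, len(data))
        self.next_free += len(data)
        return off

    def delete(self, name):
        """Ordinary delete: only the directory entry goes; the bytes remain."""
        del self.directory[name]

    def overwrite_and_delete(self, name, passes=1):
        """Overwrite the file's extent in place, then remove the entry."""
        off, length = self.directory[name]
        for _ in range(passes):
            self.blocks[off:off + length] = os.urandom(length)
        self.blocks[off:off + length] = bytes(length)  # final zero pass
        self.delete(name)

    def raw_scan(self, needle):
        """What a recovery tool does: search the medium, ignore the directory."""
        return self.blocks.find(needle)


def shred_file(path, passes=1):
    """Overwrite a real file in place and unlink it, as shred(1) does.
    Caveat: on SSDs (wear levelling), journaling or copy-on-write
    filesystems, and where snapshots or backups exist, in-place writes may
    not reach every copy; whole-device secure erase or full-disk encryption
    with key destruction is the dependable route there."""
    length = os.path.getsize(path)
    with open(path, "r+b") as f:
        for _ in range(passes):
            f.seek(0)
            f.write(os.urandom(length))
            f.flush()
            os.fsync(f.fileno())
        f.seek(0)
        f.write(bytes(length))
        f.flush()
        os.fsync(f.fileno())
    os.remove(path)


def demo():
    """Returns (offset found after plain delete, offset found after
    overwrite, whether the shredded real file still exists)."""
    secret = b"SSN 123-45-6789 (constructed sample, not a real record)"
    needle = b"123-45-6789"

    disk = ToyDisk()
    disk.write_file("payroll.txt", secret)
    disk.delete("payroll.txt")
    after_delete = disk.raw_scan(needle)       # 4: still on the medium

    disk2 = ToyDisk()
    disk2.write_file("payroll.txt", secret)
    disk2.overwrite_and_delete("payroll.txt")
    after_overwrite = disk2.raw_scan(needle)   # -1: no longer recoverable

    fd, path = tempfile.mkstemp()
    with os.fdopen(fd, "wb") as f:
        f.write(secret)
    shred_file(path)
    return after_delete, after_overwrite, os.path.exists(path)


if __name__ == "__main__":
    print(demo())
```

The model's `delete` is the point of the paragraph: the directory forgets
the file, the medium does not. A recovery tool simply skips the directory
and scans the raw bytes, which is all `raw_scan` does.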
Install physical security devices or software on personal computers.
The value and popularity of personal computers make theft a big problem,
especially in low-security office areas. Relatively inexpensive hardware
devices greatly reduce the risk of equipment loss. Such devices involve
lock-down cables or enclosures that attach equipment to furniture. Another
approach is to place equipment in lockable cabinets.

When data is stored on a hard disk, take some steps to keep unauthorized
individuals from accessing that data. A power lock device only allows
key-holders to turn on power to the personal computer. Where there is a
need to segregate information between multiple authorized users of a
personal computer, additional security in the form of software is probably
needed. Specific files could be encrypted to make them unintelligible to
unauthorized staff, or access control software can divide storage space
among authorized users, restricting each user to their own files.

Avoid costly disruptions caused by data or hardware loss.
Disruptions and delays are expensive. No one enjoys working frantically to
re-enter work, do the same job twice, or fix problems while new work piles
up. Most disruptions can be prevented, and the impact of disruptions can
be minimized by advance planning. Proper environmental conditions and
power supplies minimize equipment outages and information loss. Many
electrical circuits in office areas do not constitute an adequate power
source, so dedicated circuits for computer systems should be considered.
Make certain that your surroundings meet the essential requirements for
correct equipment operation. Cover equipment when not in use to protect it
from dust, water leaks, and other hazards.

For protection from accidental or deliberate destruction of data, regular
data backups are essential. Complete system backups should be taken at
intervals determined by how quickly information changes or by the volume
of transactions. Backups should be stored in another location, to guard
against the possibility of original and backup copies being destroyed by
the same fire or other disaster.

Maintain the authorized hardware/software configuration.
Some organizations have been affected by computer "viruses" acquired
through seemingly useful or innocent software obtained from public access
bulletin boards or other sources; others have been liable for software
illegally copied by employees. The installation of unauthorized hardware
can cause damage, invalidate warranties, or have other negative
consequences. Install only hardware or software that has been acquired
through normal acquisition procedures and comply with all software
licensing agreement requirements.

> SUMMARY

Ultimately, computer security is the user's responsibility. You, the user,
must be alert to possible breaches in security and adhere to the security
regulations that have been established within your agency. The security
practices listed are not all-inclusive, but rather designed to remind you
and raise your awareness towards securing your information resources:

> PROTECT YOUR EQUIPMENT
  Keep it in a secure environment
  Keep food, drink, and cigarettes AWAY from it
  Know where the fire suppression equipment is located and know how to
  use it

> PROTECT YOUR AREA
  Keep unauthorized people AWAY from your equipment and data
  Challenge strangers in your area

> PROTECT YOUR PASSWORD
  Never write it down or give it to anyone
  Don't use names, numbers or dates which are personally identified with
  you
  Change it often, but change it immediately if you think it has been
  compromised

> PROTECT YOUR FILES
  Don't allow unauthorized access to your files and data
  NEVER leave your equipment unattended with your password activated -
  SIGN OFF!

> PROTECT AGAINST VIRUSES
  Don't use unauthorized software
  Back up your files before implementing ANY new software

> LOCK UP STORAGE MEDIA CONTAINING SENSITIVE DATA
  If the data or information is sensitive or critical to your operation,
  lock it up!

> BACK UP YOUR DATA
  Keep duplicates of your sensitive data in a safe place, out of your
  immediate area
  Back it up as often as necessary

> REPORT SECURITY VIOLATIONS
  Tell your manager if you see any unauthorized changes to your data
  Immediately report any loss of data or programs, whether automated or
  hard copy.

-JUDGE DREDD/NIA

[OTHER WORLD BBS]