Information is a strategic resource, and a significant portion of an organisation's budget is spent on managing it. A security system is a set of mechanisms and techniques that protect a computer system, and specifically its assets, against loss or harm, including unauthorised access, unauthorised disclosure and interference with information.
Assets can be categorised into:
- Resources – all instances of hardware, software, communication channels, operating environment, documentation and people
- Data – files, databases, messages in transit, etc.
A security attack is an act or attempt to exploit a vulnerability in a system. Security controls are the mechanisms used to counter an attack. Attacks can be classified into active and passive attacks.
- Passive attacks – the attacker observes information without interfering with it or with its flow, and does not interfere with the operation of the system. What is observed is message content and message traffic.
- Active attacks – involve more than observation of messages or information: the attacker interferes with the traffic or message flow, which may involve modification, deletion or destruction. This may be done by the attacker masquerading as (impersonating) another user. Repudiation is where someone performs an action and later denies having done so; this is a threat against authentication and, to some extent, integrity.
1.1 Security goals
To retain a competitive advantage and to meet basic business requirements, organisations must endeavour to achieve the following security goals:
- Confidentiality – protect the value of information and preserve the confidentiality of sensitive data. Information should not be disclosed without authorisation. Information whose release is permitted only to a certain section of the public should be identified and protected against unauthorised disclosure.
- Integrity – ensure the accuracy and reliability of the information stored on the computer systems. Information has integrity if it reflects, or is consistent with, some real-world situation. Information should not be altered without authorisation. Hardware designed to perform certain functions has lost integrity if it does not perform those functions correctly. Software has lost integrity if it does not perform according to its specifications. Communication channels should relay messages in a secure manner so that integrity is preserved. People should ensure the system functions according to its specifications.
- Availability – ensure the continued availability of the information system and all its assets to legitimate users at an acceptable level of service or quality of service. Any event that degrades the performance or quality of a system affects availability.
- Ensure conformity to laws, regulations and standards.
1.2 Hazards (exposures) to information security
An exposure is a form of possible loss or harm. Examples of exposures include:
- Unauthorised access resulting in a loss of computing time
- Unauthorised disclosure – information revealed without authorisation
- Destruction, especially with respect to hardware and software
- Theft
- Interference with system operation
1.3 Threats to information security
These are circumstances that have the potential to cause loss or harm, i.e. circumstances that can bring about exposures.
- Human error
- Disgruntled employees
- Dishonest employees
- Greedy employees who sell information for financial gain
- Outsider access – hackers, crackers, criminals, terrorists, consultants, ex-consultants, ex-employees, competitors, government agencies, spies (industrial, military, etc.), disgruntled customers
- Acts of God/natural disasters – earthquakes, floods, hurricanes
- Foreign intelligence
- Accidents, fires, explosion
- Equipment failure
- Utility outage
- Water leaks, toxic spills
- Viruses – these are programmed threats
1.4 Vulnerability
A vulnerability is a weakness within the system that can potentially lead to loss or harm. Threats such as natural disasters have instances that can expose a system's weaknesses; likewise, a system that runs erroneous programmes (programmes that embody a threat) is vulnerable.
1.5 Security controls
These include:
- Administrative controls – these include:
  - Policies – a policy can be seen as a mechanism for controlling security
  - Administrative procedures – may be put in place by an organisation to ensure that users only do that which they have been authorised to do
  - Legal provisions – serve as security controls and discourage some forms of physical threat
  - Ethics
- Logical security controls – measures incorporated within the system to provide protection from adversaries who have already gained physical access
- Physical controls – any mechanism that has a physical form, e.g. lockups
- Environmental controls
1.6 Administering security
- Risk analysis
- Security planning – a security plan identifies and organises the security activities of an organisation.
- Security policy
Risk analysis
The process involves:
- Identification of the assets
- Determination of the vulnerabilities
- Estimate the likelihood of exploitation
- Computation of expected annual loss
- Survey of applicable controls and their costs
- Projection of annual savings
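The six steps above can be carried through numerically. The following is an added example, not part of the notes: it assumes the usual quantitative formulae (expected annual loss = asset value × exposure factor × annual rate of occurrence; projected saving = loss avoided per year minus the control's annual cost), which the notes do not state, and the asset figures and candidate controls are constructed.

```python
"""Quantitative risk analysis, step by step (added example, not from the notes).

Assumed formulae (standard practice, not stated on the page):
  single loss expectancy   SLE = asset value * exposure factor
  expected annual loss     ALE = SLE * annual rate of occurrence
  projected annual saving  = ALE before control - ALE after control - annual control cost
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Exposure:
    """One asset/vulnerability pair identified in steps 1 and 2."""
    asset: str
    vulnerability: str
    asset_value: float      # value at risk, in currency units
    exposure_factor: float  # fraction of the value lost per incident, 0..1
    annual_rate: float      # estimated incidents per year (step 3, likelihood)


@dataclass(frozen=True)
class Control:
    """A candidate control from the survey in step 5."""
    name: str
    annual_cost: float
    rate_reduction: float = 0.0  # fraction by which it cuts the annual rate
    loss_reduction: float = 0.0  # fraction by which it cuts the loss per incident


def single_loss_expectancy(e: Exposure) -> float:
    return e.asset_value * e.exposure_factor


def expected_annual_loss(e: Exposure) -> float:
    """Step 4: expected annual loss for one exposure."""
    return single_loss_expectancy(e) * e.annual_rate


def residual_exposure(e: Exposure, c: Control) -> Exposure:
    """The same exposure after the control is applied."""
    return Exposure(e.asset, e.vulnerability, e.asset_value,
                    e.exposure_factor * (1.0 - c.loss_reduction),
                    e.annual_rate * (1.0 - c.rate_reduction))


def projected_annual_saving(e: Exposure, c: Control) -> float:
    """Step 6: loss avoided per year minus what the control costs per year."""
    return (expected_annual_loss(e)
            - expected_annual_loss(residual_exposure(e, c))
            - c.annual_cost)


def rank_controls(e: Exposure, candidates: list[Control]) -> list[tuple[str, float]]:
    """Controls ordered by net saving; a negative figure means the control
    costs more per year than the loss it avoids."""
    scored = [(c.name, projected_annual_saving(e, c)) for c in candidates]
    return sorted(scored, key=lambda pair: pair[1], reverse=True)


# Constructed sample: a customer database exposed to loss through lack of backups.
CUSTOMER_DB = Exposure("customer database", "no off-site backup",
                       asset_value=500_000.0, exposure_factor=0.4, annual_rate=0.1)
CANDIDATES = [
    Control("nightly off-site backup", annual_cost=5_000.0, loss_reduction=0.75),
    Control("redundant storage array", annual_cost=30_000.0, rate_reduction=0.9),
    Control("do nothing", annual_cost=0.0),
]

if __name__ == "__main__":
    print(f"ALE without controls: {expected_annual_loss(CUSTOMER_DB):,.0f}")
    for name, saving in rank_controls(CUSTOMER_DB, CANDIDATES):
        print(f"{name:28s} net annual saving {saving:>10,.0f}")
```

With these figures the backup control saves 10,000 a year net while the storage array costs 12,000 more than it avoids, which is the comparison step 6 exists to make.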
Security policy
Security failures can be costly to business. Losses may be suffered as a result of the failure itself or costs can be incurred when recovering from the incident, followed by more costs to secure systems and prevent further failure. A well-defined set of security policies and procedures can prevent losses and save money.
The information systems security policy is the responsibility of top management of an organization who delegate its implementation to the appropriate level of management with permanent control.
The policy contributes to the protection of information assets. Its objective is to protect the information capital against all types of risks, accidental or intentional. An existing and enforced security policy should ensure systems conformity with laws and regulations, integrity of data, confidentiality and availability.
Key components of such a policy include the following:
- Management support and commitment – management should approve and support formal security awareness and training.
- Access philosophy – access to computerised information should be based on a documented ‘need-to-know, need-to-do’ basis.
- Compliance with relevant legislation and regulations
- Access authorisation – the data owner or manager responsible for the accurate use and reporting of the information should provide written authorisation for users to gain access to computerized information.
- Reviews of access authorisation – like any other control, access controls should be evaluated regularly to ensure they are still effective.
- Security awareness – all employees, including management, need to be made aware on a regular basis of the importance of security. A number of different mechanisms are available for raising security awareness including:
  - Distribution of a written security policy.
  - Training on a regular basis of new employees, users and support staff.
  - Non-disclosure statements signed by employees.
  - Use of different media in promulgating security, e.g. company newsletter, web page, videos, etc.
  - Visible enforcement of security rules.
  - Simulated security incidents for improving security procedures.
  - Rewards for employees who report suspicious events.
  - Periodic audits.
Application controls
Application controls are controls over input, processing and output functions. Application controls include methods for ensuring that:
- Only complete, accurate and valid data is entered and updated in a computer system.
- Processing accomplishes the correct task.
- Processing results meet expectations.
- Data is maintained.
These controls may consist of edit tests, totals, reconciliations and identification and reporting of incorrect, missing or exception data. Automated controls should be coupled with manual procedures to ensure proper investigation of exceptions.
2.1 Input/origination controls
Input control procedures must ensure that every transaction to be processed is received, processed and recorded accurately and completely. These controls should ensure that only valid and authorised information is input and that these transactions are processed only once. In an integrated systems environment, output generated by one system is the input for another system, therefore, the edit checks, validations and access controls of the system generating the output must be reviewed as input/origination controls.
Input authorisation
Input authorization verifies that all transactions have been authorised and approved by management. Authorisation of input helps ensure that only authorized data is entered into the computer system for processing by applications. Authorisation can be performed online at the time when the data is entered into the system. A computer-generated report listing the items requiring manual authorization also may be generated. It is important that controls exist throughout processing to ensure that authorised data remains unchanged. This can be accomplished through various accuracy and completeness checks incorporated into an application’s design.
Types of authorisation include:
- Signatures on batch forms provide evidence of proper authorization.
- Online access controls ensure that only authorised individuals may access data or perform sensitive functions
- Unique passwords are necessary to ensure that access authorisation cannot be compromised through use of another individual’s authorised data access. Individual passwords also provide accountability for data changes.
- Terminal identification can be used to limit input to specific terminals as well as to individuals. Terminals can be equipped with hardware that transmits a unique identification, such as a serial number, that is authenticated by the system.
- Source documents are the forms used to record data. A source document may be a piece of paper, a turnaround document or an image displayed for online data input. A well-designed source document achieves several purposes: it increases the speed and accuracy with which data can be recorded, controls work flow, facilitates the preparation of the data in machine-readable form for pattern recognition devices, increases the speed and accuracy with which data can be read and facilitates subsequent reference checking.
Batch controls and balancing
Batch controls group input transactions in order to provide control totals. The batch control can be based on total monetary amount, total items and total documents.
Batch header forms are a data preparation control. All input forms should be clearly identified with the application name and transaction codes. Where possible, pre-printed and pre-numbered forms with transaction identification codes and other constant data items are recommended. This would help ensure that all pertinent data has been recorded on the input forms and can reduce data recording/entry errors.
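Batch balancing as described above, shown as an added example that is not part of the notes: the header totals (monetary amount, items, documents) are those the notes name; the hash total of account numbers is an assumed extra control, and the batch records and header figures are constructed.

```python
"""Batch control totals and balancing (added example, not from the notes).

The batch header carries the totals written on the batch header form; the
records keyed for that batch are re-totalled and every disagreement is reported.
The hash total (sum of account numbers) is an assumed extra control: the sum is
meaningless in itself but changes if a record is mis-keyed, dropped or duplicated.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class InputRecord:
    document_no: str   # pre-numbered source document the line item came from
    account: str       # numeric account identifier
    amount_cents: int  # kept in cents so totals are exact integers


@dataclass(frozen=True)
class BatchHeader:
    batch_id: str
    total_amount_cents: int
    total_items: int
    total_documents: int
    hash_total: int


def compute_totals(records: list[InputRecord]) -> dict:
    return {
        "total_amount_cents": sum(r.amount_cents for r in records),
        "total_items": len(records),
        "total_documents": len({r.document_no for r in records}),
        "hash_total": sum(int(r.account) for r in records),
    }


def balance_batch(header: BatchHeader, records: list[InputRecord]) -> dict:
    """Return {control: (expected, actual)} for each control total that does not agree.
    An empty dict means the batch balances and may be released for processing."""
    actual = compute_totals(records)
    expected = {
        "total_amount_cents": header.total_amount_cents,
        "total_items": header.total_items,
        "total_documents": header.total_documents,
        "hash_total": header.hash_total,
    }
    return {k: (expected[k], actual[k]) for k in expected if expected[k] != actual[k]}


# Constructed sample batch: three source documents, four line items, 126.50 in total.
HEADER = BatchHeader("B0001", total_amount_cents=12650, total_items=4,
                     total_documents=3, hash_total=70007)  # 10001+10001+20002+30003
GOOD_RECORDS = [
    InputRecord("0001", "10001", 2500),
    InputRecord("0001", "10001", 3150),
    InputRecord("0002", "20002", 4000),
    InputRecord("0003", "30003", 3000),
]


def keyed_with_transposed_amount() -> list[InputRecord]:
    """Data-entry error: 31.50 keyed as 35.10."""
    recs = list(GOOD_RECORDS)
    recs[1] = InputRecord("0001", "10001", 3510)
    return recs


def keyed_with_duplicate() -> list[InputRecord]:
    """Data-entry error: one line item entered twice."""
    return GOOD_RECORDS + [GOOD_RECORDS[2]]


def keyed_with_wrong_account() -> list[InputRecord]:
    """Data-entry error: account 20002 keyed as 20020; only the hash total catches it."""
    recs = list(GOOD_RECORDS)
    recs[2] = InputRecord("0002", "20020", 4000)
    return recs


if __name__ == "__main__":
    for label, recs in [("good", GOOD_RECORDS),
                        ("transposed", keyed_with_transposed_amount()),
                        ("duplicate", keyed_with_duplicate()),
                        ("wrong account", keyed_with_wrong_account())]:
        print(f"{label:14s} {balance_batch(HEADER, recs) or 'balances'}")
```

The three error cases show why more than one total is kept: an amount transposition disturbs only the monetary total, a duplicated line disturbs items, amount and hash total but not the document count, and a mis-keyed account number leaves every total untouched except the hash total.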
Input error reporting and handling
Input processing requires that controls be identified to verify that data are accepted into the system correctly, and that input errors are recognised and corrected. Data conversion error corrections are needed during the data conversion process. Errors can occur due to duplication of transactions and inaccurate data entry. These errors can, in turn, negatively impact on the completeness and accuracy of the data. Corrections to data should be processed through the normal data conversion process and should be verified, authorised and re-entered to the system as a part of normal processing.
Online integrity in online or database systems
Online systems also require control over input. Batches may be established by time of day, specific terminal or individual inputting the data. A supervisor should then review the online batch and release it to the system for processing. This method is preferred over review of the output by the same person preparing the input.
2.2 Processing, validation and editing
Data validation and editing
Procedures should be established to ensure that input data is validated and edited as close to the point of origination as possible. Preprogrammed input formats ensure that data is input to the correct field in the correct format. If input procedures allow supervisor overrides of data validation and editing, automatic logging should occur. A management individual who did not initiate the override should review this log.
Data validation identifies data errors, incomplete or missing data and inconsistencies among related data items. Front-end data editing and validation can be performed if intelligent terminals are used. Edit controls are preventative controls that are applied in a programme before data is processed. If the edit control is not in place or does not work correctly, the preventative control measures do not work effectively. This may cause processing of inaccurate data.
Processing control procedures
Processing controls ensure the completeness and accuracy of accumulated data. They ensure that data on a file/database remains complete and accurate until changed as a result of authorized processing or modification routines. The following are processing control techniques that can be used to address the issues of completeness and accuracy of accumulated data.
Data file control procedures
File controls should ensure that only authorised processing occurs to stored data. Types of controls over data files are:
- Before and after image reporting – computer data on a file prior to and after a transaction is processed can be recorded and reported. The before and after image makes it possible to trace the impact transactions have on computer records.
- Maintenance error reporting and handling – control procedures should be in place to ensure that all error reports are properly reconciled and corrections are submitted on a timely basis. To ensure segregation of duties, error corrections should be properly reviewed and authorised by personnel who did not initiate the transaction.
- Source documentation retention – source documentation should be retained for an adequate time period to enable retrieval, reconstruction or verification of data. Policies regarding the retention of source documentation should be enforced. Originating departments should maintain copies of source documentation and ensure that only authorised personnel have access. When appropriate, source documentation should be destroyed in a secure, controlled environment.
- Data file security – data file security controls prevent unauthorised users who may have access to the application from altering data files. These controls do not provide assurance about the validity of data, but ensure that unauthorised users who may have access to the application cannot improperly alter stored data.
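Before-and-after image reporting and the restriction of changes to authorised processing routines, combined in one added example that is not part of the notes. The master file, the routine names and the employee record are constructed; the journal makes it possible to trace what each transaction did to a record and to detect a stored record that was changed outside the authorised routine.

```python
"""Before-and-after image reporting over a master file (added example, not
the notes' own code). Every change to a stored record goes through one update
routine that journals the record's image before and after the change, so the
effect of each transaction can be traced and the file verified against the journal."""
import copy
from dataclasses import dataclass, field


class UnauthorisedProcessing(PermissionError):
    pass


@dataclass
class MasterFile:
    records: dict = field(default_factory=dict)       # key -> record (dict of fields)
    journal: list = field(default_factory=list)       # before/after images, in order
    authorised_routines: set = field(default_factory=set)

    def apply(self, txn_id: str, routine: str, key: str, changes: dict) -> dict:
        """Apply one transaction and journal its before and after images."""
        if routine not in self.authorised_routines:
            raise UnauthorisedProcessing(f"{routine} may not modify the file")
        before = copy.deepcopy(self.records.get(key))   # None when the record is new
        after = copy.deepcopy(before) if before is not None else {}
        after.update(changes)
        self.records[key] = after
        entry = {"txn": txn_id, "routine": routine, "key": key,
                 "before": before, "after": copy.deepcopy(after)}
        self.journal.append(entry)
        return entry

    def trace(self, key: str) -> list:
        """Report every transaction that touched one record, with its images."""
        return [e for e in self.journal if e["key"] == key]

    def verify(self) -> list:
        """Replay the journal and report keys whose stored record differs from
        what the journal accounts for, i.e. changes made outside apply()."""
        replayed = {}
        for e in self.journal:
            replayed[e["key"]] = e["after"]
        keys = set(replayed) | set(self.records)
        return sorted(k for k in keys if replayed.get(k) != self.records.get(k))

    def journal_chain_breaks(self) -> list:
        """Transactions whose 'before' image is not the previous 'after' image
        for the same key, which would mean the journal itself is incomplete."""
        last, breaks = {}, []
        for e in self.journal:
            if e["before"] != last.get(e["key"]):
                breaks.append(e["txn"])
            last[e["key"]] = e["after"]
        return breaks


def attempt(mf: MasterFile, txn_id: str, routine: str, key: str, changes: dict) -> bool:
    """True if the file accepted the change, False if the routine was not authorised."""
    try:
        mf.apply(txn_id, routine, key, changes)
        return True
    except UnauthorisedProcessing:
        return False


def build_sample_file() -> MasterFile:
    """Constructed sample: a payroll master file with one employee record."""
    mf = MasterFile(authorised_routines={"payroll_update"})
    mf.apply("T1", "payroll_update", "EMP042", {"name": "A. Mwangi", "salary_cents": 250000})
    mf.apply("T2", "payroll_update", "EMP042", {"salary_cents": 262500})
    return mf


if __name__ == "__main__":
    mf = build_sample_file()
    for e in mf.trace("EMP042"):
        print(e["txn"], e["before"], "->", e["after"])
    mf.records["EMP042"]["salary_cents"] = 999999   # a change that bypassed apply()
    print("records not accounted for by the journal:", mf.verify())
```

The direct assignment at the end stands for any alteration made outside the authorised routine; verify() reports it because no journal entry accounts for the new image.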
2.3 Output controls
Output controls provide assurance that the data delivered to users will be presented, formatted and delivered in a consistent and secure manner. Output controls include the following:
- Logging and storage of negotiable, sensitive and critical forms in a secure place – negotiable, sensitive or critical forms should be properly logged and secured to provide adequate safeguards against theft or damage. The form log should be routinely reconciled to inventory on hand and any discrepancies should be properly researched.
- Computer generation of negotiable instruments, forms and signatures – the computer generation of negotiable instruments, forms and signatures should be properly controlled. A detailed listing of generated forms should be compared to the physical forms received. All exceptions, rejections and mutilations should be accounted for properly.
2.4 Data integrity testing
Data integrity testing is a series of substantive tests that examines accuracy, completeness, consistency and authorisation of data holdings. It employs testing similar to that used for input control. Data integrity tests will indicate failures in input or processing controls. Controls for ensuring the integrity of accumulated data on a file can be exercised by checking data on the file regularly. When this checking is done against authorised source documentation, it is usual to check only a portion of the file at a time. Since the whole file is regularly checked in cycles, the control technique is often referred to as cyclical checking.
Security in operating systems: the access control security function
This is a function implemented at the operating system level and usually also made available at the application level by the operating system. It controls access to the system and system resources so that only authorised accesses are allowed, e.g. to:
- Protect the system from access by intruders
- Protect system resources from unauthorised access by otherwise legitimate system user
- Protect each user from inadvertent or malicious interference from another
It is a form of logical access control, which involves protection of resources from users who have physical access to the computer system.
The access control reference monitor model has a reference monitor, which intercepts all access attempts. It is always invoked when the target object is referenced and decides whether to deny or grant requests as per the rules incorporated within the monitor.
Typical operating system based access control mechanisms are:
- User identification and authentication
- Access control to the systems general objects e.g. files and devices
- Memory protection – prevent one programme from interfering with another i.e. any form of unauthorised access to another programme’s memory space.
3.1 Identification
Involves establishing identity of the subject (who are you?). Identification can use:
- Identity, full name
- Workstation ID, IP address
- Magnetic card (requires a reader)
- Smart card (inbuilt intelligence and computation capability)
Biometrics is the identification based on unique physical or behavioural patterns of people and may be:
- Physiological systems – something you are e.g. fingerprints
- Behavioural systems – how you work
They are quite effective when thresholds are sensible (there is a substantial difference between two different people) and the person's physical condition is normal (the same as when the reference measurement was first taken). They require expensive equipment and are rare. Buyers are also deterred by the possibility of impersonation or by the belief that the devices will be difficult to use. In addition, users dislike being measured.
3.2 Authentication
Involves verification of identity of subject (Are you who you say you are? Prove it!). Personal authentication may involve:
- Something you know: password, PIN, code phrase
- Something you have: keys, tokens, cards, smart cards
- Something you are: fingerprints, retina patterns, voice patterns
- The way you work: handwriting (signature), keystroke patterns
- Something you know: question about your background, favourite colour, pet name, etc.
3.3 Authorisation
Involves determining the access rights to various system objects/resources. The security requirement to be addressed is protection against unauthorised access to system resources. There is a need to define an authorisation policy as well as implementation mechanisms. An authorisation policy defines the activities permitted or prohibited within the system. Authorisation mechanisms implement the authorisation policy and include directories of access rights, access control lists (ACLs) and access tickets or capabilities.
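The reference monitor from section 3 together with the two authorisation mechanisms named here (an access control list per object, and capabilities issued as unforgeable tickets), as an added example that is not part of the notes. The subjects, object names and rights are constructed; the ticket is a random token so that a subject cannot manufacture one, and a ticket is only ever issued for rights the ACL already grants.

```python
"""A reference monitor that mediates every access (added example, not the notes'
own code). Rights come from an access control list per object; capabilities are
tickets derived from the ACL that carry (subject, object, rights) and can be
presented without a further ACL lookup. All names below are constructed."""
import secrets
from collections import defaultdict
from dataclasses import dataclass


class AccessDenied(PermissionError):
    pass


@dataclass(frozen=True)
class Capability:
    ticket: str        # random, so it cannot be guessed or forged
    subject: str
    obj: str
    rights: frozenset


class ReferenceMonitor:
    def __init__(self):
        self._acl = defaultdict(dict)   # obj -> {subject: set of rights}
        self._issued = {}               # ticket -> Capability still valid
        self.audit = []                 # every decision, granted or denied

    # --- policy administration ---------------------------------------------
    def grant(self, obj: str, subject: str, *rights: str) -> None:
        self._acl[obj].setdefault(subject, set()).update(rights)

    def revoke(self, obj: str, subject: str) -> None:
        self._acl[obj].pop(subject, None)
        # tickets derived from the revoked ACL entry stop working too
        self._issued = {t: c for t, c in self._issued.items()
                        if not (c.obj == obj and c.subject == subject)}

    # --- mediation: invoked on every reference to an object ----------------
    def check(self, subject: str, obj: str, right: str) -> None:
        allowed = right in self._acl.get(obj, {}).get(subject, set())
        self.audit.append((subject, obj, right, "grant" if allowed else "deny"))
        if not allowed:
            raise AccessDenied(f"{subject} may not {right} {obj}")

    def issue_capability(self, subject: str, obj: str, *rights: str) -> Capability:
        """A ticket never carries more than the ACL already allows the subject."""
        for r in rights:
            self.check(subject, obj, r)
        cap = Capability(secrets.token_hex(16), subject, obj, frozenset(rights))
        self._issued[cap.ticket] = cap
        return cap

    def check_capability(self, cap: Capability, obj: str, right: str) -> None:
        known = self._issued.get(cap.ticket)
        allowed = known == cap and cap.obj == obj and right in cap.rights
        self.audit.append((cap.subject, obj, right, "grant" if allowed else "deny"))
        if not allowed:
            raise AccessDenied(f"ticket does not permit {right} on {obj}")


class GuardedStore:
    """A tiny object store whose only way in is through the monitor."""
    def __init__(self, monitor: ReferenceMonitor):
        self.monitor = monitor
        self._objects = {"payroll.dat": "salary data", "notices.txt": "public notice"}

    def read(self, subject: str, name: str) -> str:
        self.monitor.check(subject, name, "read")
        return self._objects[name]

    def write(self, subject: str, name: str, content: str) -> None:
        self.monitor.check(subject, name, "write")
        self._objects[name] = content

    def read_with(self, cap: Capability, name: str) -> str:
        self.monitor.check_capability(cap, name, "read")
        return self._objects[name]


def attempt(fn, *args) -> bool:
    """True if the monitor granted the access, False if it denied it."""
    try:
        fn(*args)
        return True
    except AccessDenied:
        return False


if __name__ == "__main__":
    rm = ReferenceMonitor()
    store = GuardedStore(rm)
    rm.grant("payroll.dat", "alice", "read", "write")
    rm.grant("notices.txt", "bob", "read")
    print("bob reads payroll:", attempt(store.read, "bob", "payroll.dat"))
    cap = rm.issue_capability("alice", "payroll.dat", "read")
    print("alice's ticket on payroll:", attempt(store.read_with, cap, "payroll.dat"))
    for decision in rm.audit:
        print(decision)
```

Every decision, including denials, lands in the audit list, which is what makes the monitor reviewable; revoking an ACL entry also invalidates the tickets that were derived from it.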
Logical security
Logical access into the computer can be gained through several avenues. Each avenue is subject to appropriate levels of access security. Methods of access include the following:
- Operator console – these are privileged computer terminals which control most computer operations and functions. To provide security, these terminals should be located in a suitably controlled location so that physical access can only be gained by authorised personnel.
- Online terminals – online access to computer systems through terminals typically requires entry of at least a logon identifier (logon-ID) and a password to gain access to the host computer system, and may also require further entry of authentication data for access to application-specific systems. Separate security and access control software may be employed on larger systems to improve the security provided by the operating system or application system.
- Batch job processing – this mode of access is indirect since access is achieved via processing of transactions. It generally involves accumulating input transactions and processing them as a batch after a given interval of time or after a certain number of transactions have been accumulated. Security is achieved by restricting who can accumulate transactions (data entry clerks) and who can initiate batch processing (computer operators or the automatic job scheduling system).
- Dial-up ports – use of dial-up ports involves hooking a remote terminal or PC to a telephone line and gaining access to the computer by dialling a telephone number that is directly or indirectly connected to the computer. Often a modem must interface between the remote terminal and the telephone line to encode and decode transmissions. Security is achieved by providing a means of identifying the remote user to determine authorisation to access. This may be a dial-back line, use of logon-ID and access control software or may require a computer operator to verify the identity of the caller and then provide the connection to the computer.
- Telecommunications network – telecommunications networks link a number of computer terminals or PCs to the host computer through a network of telecommunications lines. The lines can be private (i.e. dedicated to one user) or public such as a nation’s telephone system. Security should be provided in the same manner as that applied to online terminals.
4.1 Logical access issues and exposures
Inadequate logical access controls increase an organisation’s potential for losses resulting from exposures. These exposures can result in minor inconveniences or total shutdown of computer functions. Logical access controls reduce exposure to unauthorised alteration and manipulation of data and programmes. Exposures that exist from accidental or intentional exploitation of logical access control weaknesses include technical exposures and computer crime.
Technical exposures
This is the unauthorised (intentional or accidental) implementation or modification of data and software.
- Data diddling involves changing data before or as it is being entered into the computer. This is one of the most common abuses because it requires limited technical knowledge and occurs before computer security can protect data.
- Trojan horses involve hiding malicious, fraudulent code in an authorized computer programme. This hidden code will be executed whenever the authorised programme is executed. A classic example is the Trojan horse in the payroll-calculating programme that shaves a barely noticeable amount off each paycheck and credits it to the perpetrator’s payroll account.
- Rounding down involves drawing off small amounts of money from a computerised transaction or account and rerouting this amount to the perpetrator’s account. The term ‘rounding down’ refers to rounding small fractions of a denomination down and transferring these small fractions into the unauthorised account. Since the amounts are so small, they are rarely noticed.
- Salami techniques involve the slicing of small amounts of money from a computerised transaction or account and are similar to the rounding down technique. The difference between them is that in rounding down the programme rounds off by the cent. For example, if a transaction amount was 234.39 the rounding down technique may round the transaction to 234.35. The salami technique truncates the last few digits from the transaction amount, so 234.39 becomes 234.30 or 234.00 depending on the calculation built into the programme.
- Viruses are malicious programme code inserted into other executable code that can self-replicate and spread from computer to computer, via sharing of computer diskettes, transfer of logic over telecommunication lines or direct contact with an infected machine or code. A virus can harmlessly display cute messages on computer terminals, dangerously erase or alter computer files or simply fill computer memory with junk to a point where the computer can no longer function. An added danger is that a virus may lie dormant for some time until triggered by a certain event or occurrence, such as a date (1 January – Happy New Year!) or being copied a pre-specified number of times. During this time the virus has silently been spreading.
- Worms are destructive programmes that may destroy data or utilise tremendous computer and communication resources but do not replicate in the way viruses do. Such programmes do not change other programmes, but can run independently and travel from machine to machine across network connections. Worms may also have portions of themselves running on many different machines.
- Logic bombs are similar to computer viruses, but they do not self-replicate. The creation of logic bombs requires some specialised knowledge, as it involves programming the destruction or modification of data at a specific time in the future. However, unlike viruses or worms, logic bombs are very difficult to detect before they blow up; thus, of all the computer crime schemes, they have the greatest potential for damage. Detonation can be timed to cause maximum damage and to take place long after the departure of the perpetrator. The logic bomb may also be used as a tool of extortion, with a ransom being demanded in exchange for disclosure of the location of the bomb.
- Trap doors are exits out of an authorised programme that allow insertion of specific logic, such as programme interrupts, to permit a review of data during processing. These holes also permit insertion of unauthorised logic.
- Asynchronous attacks occur in multiprocessing environments where data moves asynchronously (one character at a time with a start and stop signal) across telecommunication lines. As a result, numerous data transmissions must wait for the line to be free (and flowing in the proper direction) before being transmitted. Data that is waiting is susceptible to unauthorised accesses called asynchronous attacks. These attacks, which are usually very small pin-like insertions into cable, may be committed via hardware and are extremely hard to detect.
- Data leakage involves siphoning or leaking information out of the computer. This can involve dumping files to paper or can be as simple as stealing computer reports and tapes.
- Wire-tapping involves eavesdropping on information being transmitted over telecommunications lines.
- Piggybacking is the act of following an authorised person through a secured door or electronically attaching to an authorised telecommunication link to intercept and possibly alter transmissions.
- Shut down of the computer can be initiated through terminals or microcomputers connected directly (online) or indirectly (dial-up lines) to the computer. Only individuals knowing a high-level systems logon-ID can usually initiate the shut down process. This security measure is effective only if proper security access controls are in place for the high-level logon-ID and the telecommunications connections into the computer. Some systems have proven to be vulnerable to shutting themselves down under certain conditions of overload.
- Denial of service is an attack that disrupts or completely denies service to legitimate users, networks, systems or other resources. The intent of any such attack is usually malicious in nature and often takes little skill because the requisite tools are readily available.
Computer Viruses
A computer virus is a computer program that can copy itself and infect a computer without the permission or knowledge of the user. Viruses are a significant and a very real logical access issue. The term virus is a generic term applied to a variety of malicious computer programmes. Traditional viruses attach themselves to other executable code, infect the user’s computer, replicate themselves on the user’s hard disk and then damage data, hard disk or files. Viruses usually attack four parts of the computer:
- Executable programme files
- File-directory system that tracks the location of all the computer’s files
- Boot and system areas that are needed to start the computer
- Data files
Control over viruses
Computer viruses are a threat to computers of any type. Their effects can range from the annoying but harmless prank to damaged files and crashed networks. In today’s environment, networks are the ideal way to propagate viruses through a system. The greatest risk is from electronic mail (e-mail) attachments from friends and/or anonymous people through the Internet. There are two major ways to prevent and detect viruses that infect computers and network systems.
- Having sound policies and procedures in place
- Technical means, including anti-virus software
Policies and procedures
Some of the policy and procedure controls that should be in place are:
- Build any system from original, clean master copies. Boot only from original diskettes whose write protection has always been in place.
- Allow no disk to be used until it has been scanned on a stand-alone machine that is used for no other purpose and is not connected to the network.
- Update virus software scanning definitions frequently.
- Write-protect all diskettes with .EXE or .COM extensions.
- Have vendors run demonstrations on their machines, not yours.
- Enforce a rule of not using shareware without first scanning the shareware thoroughly for a virus.
- Commercial software is occasionally supplied with a Trojan horse (viruses or worms). Scan before any new software is installed.
- Insist that field technicians scan their disks on a test machine before they use any of their disks on the system.
- Ensure that the network administrator uses workstation and server anti-virus software.
- Ensure that all servers are equipped with an activated current release of the virus detection software.
- Create a special master boot record that makes the hard disk inaccessible when booting from a diskette or CD-ROM. This ensures that the hard disk cannot be contaminated by the diskette or optical media.
- Consider encrypting files and then decrypt them before execution.
- Ensure that bridge, route and gateway updates are authentic. This is a very easy way to place and hide a Trojan horse.
- Backups are a vital element of anti-virus strategy. Be sure to have a sound and effective backup plan in place. This plan should account for scanning selected backup files for virus infection once a virus has been detected.
- Educate users so they will heed these policies and procedures.
- Review anti-virus policies and procedures at least once a year.
- Prepare a virus eradication procedure and identify a contact person.
Technical means
Technical methods of preventing viruses can be implemented through hardware and software means.
The following are hardware tactics that can reduce the risk of infection:
- Use workstations without floppy disks
- Use boot virus protection (i.e. built-in firmware based virus protection)
- Use remote booting
- Use a hardware based password
- Use write protected tabs on floppy disks
Software is by far the most common anti-virus tool. Anti-virus software should primarily be used as a preventative control. Unless updated periodically, anti-virus software will not be an effective tool against viruses.
The best way to protect the computer against viruses is to use anti-viral software. There are several kinds. Two types of scanners are available:
- One checks to see if your computer has any files that have been infected with known viruses
- The other checks for atypical instructions (such as instructions to modify operating system files) and prevents completion of the instruction until the user has verified that it is legitimate.
Once a virus has been detected, an eradication programme can be used to wipe the virus from the hard disk. Sometimes eradication programmes can kill the virus without having to delete the infected programme or data file, while other times those infected files must be deleted. Still other programmes, sometimes called inoculators, will not allow a programme to be run if it contains a virus.
There are three different types of anti-virus software:
- Scanners look for sequences of bits called signatures that are typical of virus programmes. Scanners examine memory, disk boot sectors, executables and command files for bit patterns that match a known virus. Scanners, therefore, need to be updated periodically to remain effective.
- Active monitors interpret DOS and ROM basic input-output (BIOS) calls, looking for virus-like actions. Active monitors can be annoying because they cannot distinguish between a user request and a programme or virus request. As a result, users are asked to confirm actions like formatting a disk or deleting a file or set of files.
- Integrity checkers compute a binary number on a known virus-free programme that is then stored in a database file. The number is called a cyclic redundancy check (CRC). When that programme is called to execute, the checker computes the CRC on the programme about to be executed and compares it to the number in the database.
A match means no infection; a mismatch means that a change in the programme has occurred. A change in the programme could mean a virus within it. Integrity checkers take advantage of the fact that executable programmes and boot sectors do not change very often, if at all.
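The scanner and integrity-checker approaches described above, as an added worked example written for these notes (it is not code from the original text or from any anti-virus product). The signatures are constructed byte patterns, not real virus signatures, and the baseline uses SHA-256 rather than a CRC: a CRC can simply be recomputed over a modified file, whereas an attacker cannot produce a modified file with the same cryptographic hash.

```python
import hashlib
import tempfile
from pathlib import Path

# Constructed demonstration signatures (hypothetical byte patterns, not real virus signatures).
SIGNATURES = {
    "DEMO-SIG-1": b"\x90\x90\xeb\x1f\x5e\x33\xc0",
    "DEMO-SIG-2": b"EXAMPLE-MARKER-PATTERN",
}


def scan_bytes(data, signatures=SIGNATURES):
    """Scanner: return the names of every signature whose byte pattern occurs in data."""
    return [name for name, pattern in signatures.items() if pattern in data]


def scan_file(path, signatures=SIGNATURES):
    return scan_bytes(Path(path).read_bytes(), signatures)


def build_baseline(paths):
    """Integrity checker, step 1: record a checksum of each known-clean file.
    SHA-256 is used instead of a CRC so that a modified file cannot be made to match."""
    return {str(p): hashlib.sha256(Path(p).read_bytes()).hexdigest() for p in paths}


def verify_baseline(baseline):
    """Integrity checker, step 2: recompute each checksum before execution and compare.
    Returns {path: 'ok' | 'MODIFIED' | 'MISSING'}."""
    status = {}
    for path, expected in baseline.items():
        p = Path(path)
        if not p.exists():
            status[path] = "MISSING"
        elif hashlib.sha256(p.read_bytes()).hexdigest() != expected:
            status[path] = "MODIFIED"
        else:
            status[path] = "ok"
    return status


def demo():
    """Build a baseline over two constructed files, tamper with one, then scan and verify."""
    with tempfile.TemporaryDirectory() as tmp:
        clean = Path(tmp) / "clean.bin"
        prog = Path(tmp) / "prog.bin"
        clean.write_bytes(b"constructed clean program image")
        prog.write_bytes(b"constructed program image")
        baseline = build_baseline([clean, prog])

        # Simulate an infection: code carrying a known pattern is appended to prog.bin.
        prog.write_bytes(prog.read_bytes() + SIGNATURES["DEMO-SIG-2"])

        status = {Path(k).name: v for k, v in verify_baseline(baseline).items()}
        hits = {p.name: scan_file(p) for p in (clean, prog)}
        return {"status": status, "hits": hits}


if __name__ == "__main__":
    print(demo())
```

The integrity checker only works if the baseline database itself is kept somewhere the checked programmes cannot write (a write-protected medium or a signed file); otherwise whatever modifies the programme can update the stored checksum as well.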
Computer crime exposures
Computer crime encompasses a broad range of potentially illegal activities.
Computer systems can be used to steal money, goods, software or corporate information. Crimes also can be committed when the computer application process or data are manipulated to accept false or unauthorised transactions. There is also the simple, non-technical method of computer crime by stealing computer equipment.
Computer crime can be performed with absolutely nothing physically being taken or stolen. Simply viewing computerised data can provide an offender with enough intelligence to steal ideas or confidential information (intellectual property).
Committing crimes that exploit the computer and the information it contains can be damaging to the reputation, morale and very existence of an organisation. Loss of customers, embarrassment to management and legal actions against the organisation can be a result.
Threats to business include the following:
- Financial loss – these losses can be direct, through loss of electronic funds or indirect, through the costs of correcting the exposure.
- Legal repercussions – there are numerous privacy and human rights laws an organisation should consider when developing security policies and procedures. These laws can protect the organisation but can also protect the perpetrator from prosecution. In addition, not having proper security measures could expose the organisation to lawsuits from investors and insurers if a significant loss occurs from a security violation. Most companies also must comply with industry-specific regulatory agencies.
- Loss of credibility or competitive edge – many organisations, especially service firms such as banks, savings and loans and investment firms, need credibility and public trust to maintain a competitive edge. A security violation can severely damage this credibility, resulting in loss of business and prestige.
- Blackmail/Industrial espionage – by gaining access to confidential information or the means to adversely impact computer operations, a perpetrator can extort payments or services from an organisation by threatening to exploit the security breach.
- Disclosure of confidential, sensitive or embarrassing information – such events can damage an organisation’s credibility and its means of conducting business. Legal or regulatory actions against the company may also be the result of disclosure.
- Sabotage – some perpetrators are not looking for financial gain. They merely want to cause damage due to dislike of the organisation or for self-gratification.
Logical access violators are often the same people who exploit physical exposures, although the skills needed to exploit logical exposures are more technical and complex. They include:
- Hackers – hackers are typically attempting to test the limits of access restrictions to prove their ability to overcome the obstacles. They usually do not access a computer with the intent of destruction; however, this is quite often the result.
- Employees – both authorised and unauthorised employees
- Information system personnel – these individuals have the easiest access to computerised information since they are the custodians of this information. In addition to logical access controls, good segregation of duties and supervision help reduce logical access violations by these individuals.
- End users
- Former employees
- Interested or educated outsiders:
  - Competitors
  - Foreigners
  - Organised criminals
  - Crackers (hackers paid by a third party)
  - Phreakers (hackers attempting access into the telephone/communication system)
- Part-time and temporary personnel – remember that office cleaners often have a great deal of physical access and may well be competent in computing
- Vendors and consultants
- Accidental ignorant – someone who unknowingly perpetrates a violation
4.2 Access control software
Access control software is designed to prevent unauthorised access to data, use of system functions and programmes, unauthorised updates/changes to data and to detect or prevent an unauthorised attempt to access computer resources. Access control software interfaces with the operating system and acts as a central control for all security decisions. The access control software functions under the operating system software and provides the capability of restricting access to data processing resources either online or in batch processing.
Access control software generally performs the following tasks:
- Verification of the user
- Authorisation of access to defined resources
- Restriction of users to specific terminals
- Reports on unauthorised attempts to access computer resources, data or programmes
Access control software generally processes access requests in the following way:
- Identification of users – users must identify themselves to the access control software, for example by name and account number
- Authentication – users must prove that they are who they claim to be. Authentication is a two-way process: the software must first verify the validity of the user and then proceed to verify prior-knowledge information. For example, users may provide:
  - Name, account number and password
  - Objects such as a badge, plastic card or key
  - Personal characteristics such as fingerprint, voice and signature
4.3 Logical security features, tools and procedures
1) Logon-IDs and passwords
This two-phase user identification/authentication process based on something you know can be used to restrict access to computerised information, transactions, programmes and system software. The computer can maintain an internal list of valid logon-IDs and a corresponding set of access rules for each logon-ID. These access rules identify the computer resources the user of the logon-ID can access and constitute the user’s authorisation.
The logon-ID provides the individual’s identification; each user gets a unique logon-ID that can be identified by the system. The format of logon-IDs is typically standardised. The password provides the individual’s authentication. Identification/authentication is a two-step process by which the computer system first verifies that the user has a valid logon-ID (user identification) and then requires the user to substantiate his/her validity via a password.
Features of passwords
- A password should be easy to remember but difficult for a perpetrator to guess.
- Initial password assignment should be done discreetly by the security administrator. When the user logs on for the first time, the system should force a password change to improve confidentiality. Initial password assignments should be randomly generated and assigned where possible on an individual and not a group basis. Accounts never used with or without an initial password should be removed from the system.
- If the wrong password is entered a predefined number of times, typically three, the logon-ID should be automatically and permanently deactivated (or at least for a significant period of time).
- If a logon-ID has been deactivated because of a forgotten password, the user should notify the security administrator. The administrator should then reactivate the logon-ID only after verifying the user’s identification.
- Passwords should be internally one-way encrypted (hashed). Encryption is a means of encoding data stored in a computer. This reduces the risk of a perpetrator gaining access to other users’ passwords (if the perpetrator cannot read and understand it, he cannot use it).
- Passwords should not be displayed in any form either on a computer screen when entered, on computer reports, in index or card files or written on pieces of paper taped inside a person’s desk. These are the first places a potential perpetrator will look.
- Passwords should be changed periodically. The best method is for the computer system to force the change by notifying the user prior to the password expiration date.
- Passwords must be unique to an individual. If a password is known to more than one person, the responsibility of the user for all activity within their account cannot be enforced.
Password syntax (format) rules
- Ideally, passwords should be five to eight characters in length. Anything shorter is too easy to guess, anything longer is too hard to remember.
- Passwords should allow for a combination of alpha, numeric, upper and lower case and special characters.
- Passwords should not be particularly identifiable with the user (such as first name, last name, spouse name, pet’s name, etc). Some organisations prohibit the use of vowels, making word association/guessing of passwords more difficult.
- The system should not permit previous password(s) to be used after being changed.
- Logon-IDs not used after a number of days should be deactivated to prevent possible misuse.
- The system should automatically disconnect a logon session if no activity has occurred for a period of time (one hour). This reduces the risk of misuse of an active logon session left unattended because the user went to lunch, left for home, went to a meeting or otherwise forgot to logoff. This is often referred to as ‘time out’.
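The password features and syntax rules above, brought together in one added example written for these notes (not code from the original text or from any security package). It assumes a single Account record per logon-ID; the length bounds default to the 5 to 8 characters stated above but are parameters, since current NIST guidance (SP 800-63B) favours allowing much longer passwords. The requirement for three character classes, the 90-day lifetime and the five-entry history are assumed policy values.

```python
import hashlib
import hmac
import os
import re
import secrets
import string
from datetime import datetime, timedelta

# Policy parameters. Length bounds follow the rule stated in the notes (5 to 8 characters);
# the lifetime, history depth and character-class rule are assumed values.
MIN_LEN, MAX_LEN = 5, 8
MAX_FAILURES = 3                          # lockout threshold ("typically three")
PASSWORD_LIFETIME = timedelta(days=90)    # assumed expiry period
HISTORY_DEPTH = 5                         # assumed number of old passwords remembered
SESSION_TIMEOUT = timedelta(hours=1)      # inactivity 'time out' (one hour)
ITERATIONS = 100_000                      # PBKDF2 work factor


def check_syntax(password, logon_id):
    """Return a list of syntax-rule violations (an empty list means the password is acceptable)."""
    problems = []
    if not MIN_LEN <= len(password) <= MAX_LEN:
        problems.append("length must be %d-%d characters" % (MIN_LEN, MAX_LEN))
    classes = [re.search(r"[a-z]", password), re.search(r"[A-Z]", password),
               re.search(r"[0-9]", password), re.search(r"[^A-Za-z0-9]", password)]
    if sum(1 for c in classes if c) < 3:   # assumed rule: at least three of the four classes
        problems.append("needs at least three of: lower, upper, digit, special")
    if logon_id and logon_id.lower() in password.lower():
        problems.append("must not contain the logon-ID")
    return problems


def generate_initial_password(length=MAX_LEN):
    """Random initial password, assigned individually by the security administrator."""
    alphabet = string.ascii_letters + string.digits + "!#$%&*+-=?@"
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if not check_syntax(candidate, ""):
            return candidate


def hash_password(password, salt=None):
    """One-way storage: salted PBKDF2-HMAC-SHA256. The plaintext is never stored."""
    salt = salt or os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def verify_password(password, salt, digest):
    return hmac.compare_digest(hash_password(password, salt)[1], digest)


class Account:
    def __init__(self, logon_id, initial_password, now):
        self.logon_id = logon_id
        self.salt, self.digest = hash_password(initial_password)
        self.history = []            # (salt, digest) pairs of previous passwords
        self.must_change = True      # forced change at first logon
        self.changed_at = now
        self.failures = 0
        self.locked = False
        self.last_activity = now

    def logon(self, password, now):
        if self.locked:
            return "locked"
        if not verify_password(password, self.salt, self.digest):
            self.failures += 1
            if self.failures >= MAX_FAILURES:
                self.locked = True   # reactivated only by the security administrator
                return "locked"
            return "bad_password"
        self.failures = 0
        self.last_activity = now
        if self.must_change or now - self.changed_at >= PASSWORD_LIFETIME:
            return "change_required"
        return "ok"

    def change_password(self, new_password, now):
        problems = check_syntax(new_password, self.logon_id)
        for salt, digest in [(self.salt, self.digest)] + self.history:
            if verify_password(new_password, salt, digest):
                problems.append("previous password may not be reused")
                break
        if problems:
            return problems
        self.history = ([(self.salt, self.digest)] + self.history)[:HISTORY_DEPTH]
        self.salt, self.digest = hash_password(new_password)
        self.changed_at = now
        self.must_change = False
        return []

    def admin_reactivate(self, now):
        """Done by the security administrator after verifying the user's identification."""
        self.locked, self.failures, self.must_change, self.last_activity = False, 0, True, now


def session_timed_out(account, now):
    return now - account.last_activity >= SESSION_TIMEOUT


def demo():
    """Walk one account through the rules; returns the outcome of each step."""
    t0 = datetime(2024, 1, 1, 9, 0)
    acct = Account("jsmith", "Init#12", t0)
    out = {"first_logon": acct.logon("Init#12", t0)}
    out["reuse"] = acct.change_password("Init#12", t0)
    out["weak"] = check_syntax("jsmith1", "jsmith")
    out["change"] = acct.change_password("Wq7!pz", t0)
    out["attempts"] = [acct.logon("wrong", t0) for _ in range(3)]
    out["after_lock"] = acct.logon("Wq7!pz", t0)
    acct.admin_reactivate(t0)
    out["after_reset"] = acct.logon("Wq7!pz", t0)
    out["timed_out"] = session_timed_out(acct, t0 + timedelta(hours=1, minutes=1))
    return out
```

Run `demo()` to see the sequence: the first logon forces a change, reusing the initial password is refused, three wrong passwords lock the logon-ID, the administrator's reset forces another change, and a session idle for over an hour is reported as timed out.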
2) Logging computer access
With most security packages today, computer access and attempted access violations can be automatically logged by the computer and reported. The frequency of the security administrator’s review of computer access reports should be commensurate with the sensitivity of the computerised information being protected.
The review should identify patterns or trends that indicate abuse of access privileges, such as concentration on a sensitive application. It should also identify violations such as attempting computer file access that is not authorised and/or use of incorrect passwords. The violations should be reported and appropriate action taken.
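The review described above, as an added example written for these notes (not code from the original text or from any security package): it parses a constructed sample access log and applies three review rules, repeated incorrect passwords, an attempt to access a file the logon-ID is not authorised for, and a concentration of activity on a sensitive application. The log format, the set of sensitive resources and the two thresholds are assumptions made for the example.

```python
from collections import Counter, defaultdict

# Constructed sample access log (not taken from any real system).
# Fields: date time event logon-ID terminal resource result
SAMPLE_LOG = """
2024-03-01 08:02:11 LOGON jsmith T07 - OK
2024-03-01 08:05:40 ACCESS jsmith T07 PAYROLL OK
2024-03-01 08:06:02 ACCESS jsmith T07 PAYROLL OK
2024-03-01 08:07:15 ACCESS jsmith T07 PAYROLL OK
2024-03-01 08:07:58 ACCESS jsmith T07 PAYROLL OK
2024-03-01 08:09:30 ACCESS jsmith T07 PAYROLL OK
2024-03-01 08:15:00 LOGON akumar T12 - FAIL
2024-03-01 08:15:20 LOGON akumar T12 - FAIL
2024-03-01 08:15:45 LOGON akumar T12 - FAIL
2024-03-01 08:20:10 LOGON mlee T03 - OK
2024-03-01 08:21:00 ACCESS mlee T03 SYSPARM DENIED
2024-03-01 08:30:00 ACCESS mlee T03 INVENTORY OK
"""

SENSITIVE_RESOURCES = {"PAYROLL", "SYSPARM"}   # assumed sensitive applications
FAIL_THRESHOLD = 3                             # repeated incorrect passwords
CONCENTRATION_THRESHOLD = 5                    # assumed: accesses to one sensitive resource per period


def parse_log(text):
    """Turn each log line into a dict; blank lines are skipped."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        date, time_, event, user, terminal, resource, result = line.split()
        events.append({"ts": date + " " + time_, "event": event, "user": user,
                       "terminal": terminal, "resource": resource, "result": result})
    return events


def review(events):
    """Apply the review rules; returns (rule, logon-ID, detail) findings for the administrator."""
    findings = []
    failures = Counter()
    sensitive_use = defaultdict(Counter)

    for ev in events:
        if ev["event"] == "LOGON" and ev["result"] == "FAIL":
            failures[ev["user"]] += 1
        elif ev["event"] == "ACCESS":
            if ev["result"] == "DENIED":
                # attempted access to a file or application the logon-ID is not authorised for
                findings.append(("unauthorised_access_attempt", ev["user"],
                                 "%s from %s at %s" % (ev["resource"], ev["terminal"], ev["ts"])))
            elif ev["resource"] in SENSITIVE_RESOURCES:
                sensitive_use[ev["user"]][ev["resource"]] += 1

    for user, count in failures.items():
        if count >= FAIL_THRESHOLD:
            findings.append(("repeated_failed_logon", user, "%d incorrect passwords" % count))
    for user, per_resource in sensitive_use.items():
        for resource, count in per_resource.items():
            if count >= CONCENTRATION_THRESHOLD:
                findings.append(("sensitive_concentration", user,
                                 "%s accessed %d times" % (resource, count)))
    return findings


def review_sample():
    return review(parse_log(SAMPLE_LOG))


if __name__ == "__main__":
    for rule, user, detail in review_sample():
        print("%-28s %-8s %s" % (rule, user, detail))
```

The thresholds are deliberately separate from the lockout logic: the lockout stops an attempt in progress, while the review finds patterns the lockout cannot see, such as one logon-ID working steadily through a sensitive application it normally has no reason to use.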
3) Token devices, one-time passwords
A two-factor authentication technique such as microprocessor-controlled smart cards generates one-time passwords that are good for only one logon session. Users enter this password along with a password they have memorised to gain access to the system. This technique involves something you have (a device subject to theft) and something you know (a personal identification number). Such devices gain their one-time password status because of a unique session characteristic (e.g. ID or time) appended to the password.
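One standardised form of the time-based token described above is TOTP (RFC 6238), built on HOTP (RFC 4226). The following is an added example written for these notes, not code from the original text or from any token vendor: the device and the server share a secret, the current 30-second time step plays the role of the session characteristic, and the server also checks the memorised PIN and refuses to accept a code twice. The PIN storage and the one-step clock-drift window are assumptions made for the example.

```python
import hashlib
import hmac
import os
import struct


def hotp(secret, counter, digits=6):
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret, unix_time, step=30, digits=6):
    """RFC 6238 TOTP: the counter is the number of time steps since the epoch, so the same
    secret yields a fresh code for each window (the 'time' characteristic of the notes)."""
    return hotp(secret, int(unix_time) // step, digits)


class TokenVerifier:
    """Server side of the two-factor check: something you have (the token sharing `secret`)
    and something you know (the PIN). Each one-time code is accepted at most once."""

    def __init__(self, secret, pin, step=30, window=1):
        self.secret = secret
        self.step = step
        self.window = window          # tolerated clock drift, in steps, either side of now
        self.last_counter = -1        # highest counter already used; blocks replay
        self.salt = os.urandom(16)
        self.pin_digest = self._digest(pin)

    def _digest(self, pin):
        # PIN is stored one-way (salted PBKDF2), never in clear.
        return hashlib.pbkdf2_hmac("sha256", pin.encode(), self.salt, 100_000)

    def verify(self, pin, code, unix_time):
        pin_ok = hmac.compare_digest(self._digest(pin), self.pin_digest)
        now = int(unix_time) // self.step
        matched = None
        for counter in range(max(0, now - self.window), now + self.window + 1):
            if counter > self.last_counter and hmac.compare_digest(hotp(self.secret, counter), code):
                matched = counter
                break
        # Both factors are evaluated before answering, so a failure does not reveal which one was wrong.
        if pin_ok and matched is not None:
            self.last_counter = matched   # this code, and any older one, can never be used again
            return True
        return False


if __name__ == "__main__":
    SECRET = b"12345678901234567890"   # the RFC 4226/6238 test-vector secret
    print(hotp(SECRET, 0), totp(SECRET, 59))
```

The shared secret is what makes the device "something you have": anyone who copies it from the card or from the server's database can generate the same codes, so it must be protected at both ends with the same care as the password file.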
4) Biometric security access control
This control restricts computer access based on a physical feature of the user, such as a fingerprint or eye retina pattern. A reader is utilised to interpret the individual’s biometric features before permitting computer access. This is a very effective access control because it is difficult to circumvent, and traditionally has been used very little as an access control technique. However, due to advances in hardware efficiencies and storage, this approach is becoming a more viable option as an access control mechanism. Biometric access controls are also the best means of authenticating a user’s identity based on something they are.
5) Terminal usage restraints
Terminal security – this security feature restricts the number of terminals that can access certain transactions based on the physical/logical address of the terminal.
Terminal locks – this security feature prevents turning on a computer terminal until a key lock is unlocked by a turnkey or card key.
6) Dial-back procedures
When a dial-up line is used, access should be restricted by a dial-back mechanism. Dial-back interrupts the telecommunications dial-up connection to the computer by dialling back the caller to validate user authority.
7) Restrict and monitor access to computer features that bypass security
Generally, only system software programmers should have access to these features:
- Bypass Label Processing (BLP) – BLP bypasses computer reading of the file label. Since most access control rules are based on file names (labels), this can bypass access security.
- System exits – this system software feature permits the user to perform complex system maintenance, which may be tailored to a specific environment or company. They often exist outside of the computer security system and thus are not restricted or reported in their use.
- Special system logon-IDs – these logon-IDs are often provided with the computer by the vendor. The names can be easily determined because they are the same for all similar computer systems. Passwords should be changed immediately upon installation to secure them.
8) Logging of online activity
Many computer systems can automatically log computer activity initiated through a logon-ID or computer terminal. This is known as a transaction log. The information can be used to provide a management/audit trail.
9) Data classification
Computer files, like documents, have varying degrees of sensitivity. By assigning classes or levels of sensitivity to computer files, management can establish guidelines for the level of access control that should be assigned. Classifications should be simple, such as high, medium and low.
End user managers and the security administrator can use these classifications to assist with determining who should be able to access what.
A typical classification described by the US National Institute of Standards and Technology has four data classifications:
1. Sensitive – applies to information that requires special precautions to ensure the integrity of the information, by protecting it from unauthorised modification or deletion. It is information that requires a higher than normal assurance of accuracy and completeness e.g. passwords, encryption parameters.
2. Confidential – applies to the most sensitive business information that is intended strictly for use within an organisation. Its unauthorised disclosure could seriously and adversely impact the organisation’s image in the eyes of the public e.g. application programme source code, project documentation, etc.
3. Private – applies to personal information that is intended for use within the organisation. Its unauthorised disclosure could seriously and adversely impact the organisation and/or its customers e.g. customer account data, e-mail messages, etc.
4. Public – applies to data that can be accessed by the public but can be updated/deleted by authorised people only e.g. company web pages, monetary transaction limit data etc.
10) Safeguards for confidential data on a PC
In today’s environment, it is not unusual to keep sensitive data on PCs and diskettes where it is more difficult to implement logical and physical access controls.
Sensitive data should not be stored in a microcomputer. The simplest and most effective way to secure data and software in a microcomputer is to remove the storage medium (such as the disk or tape) from the machine when it is not in use and lock it in a safe. Microcomputers with fixed disk systems may require additional security procedures for theft protection. Vendors offer lockable enclosures, clamping devices and cable fastening devices that help prevent equipment theft.
The computer can also be connected to a security system that sounds an alarm if equipment is moved. Passwords can also be allocated to individual files to prevent them being opened by an unauthorised person, one not in possession of the password. All sensitive data should be recorded on removable hard drives, which are more easily secured than fixed or floppy disks. Software can also be used to control access to microcomputer data. The basic software approach restricts access to programme and data files with a password system. Preventative controls such as encryption become more important for protecting sensitive data in the event that a PC or laptop is lost, stolen or sold.
Physical security
5.1 Physical access exposures
Exposures that exist from accidental or intentional violation of these access paths include:
- Unauthorised entry
- Damage, vandalism or theft to equipment or documents
- Copying or viewing of sensitive or copyrighted information
- Alteration of sensitive equipment and information
- Public disclosure of sensitive information
- Abuse of data processing resources
- Blackmail
- Embezzlement
Possible perpetrators
- Employees with authorised or unauthorised access who are:
Disgruntled (upset by or concerned about some action by the organisation or its management)
On strike
Threatened by disciplinary action or dismissal
Addicted to a substance or gambling
Experiencing financial or emotional problems
Notified of their termination
- Former employees
- Interested or informed outsiders such as competitors, thieves, organised crime and hackers
- Accidental ignorant – someone who unknowingly perpetrates a violation (could be an employee or outsider)
The most likely source of exposure is from the uninformed, accidental or unknowing person, although the greatest impact may be from those with malicious or fraudulent intent.
From an information system perspective, facilities to be protected include the following:
- Programming area
- Computer room
- Operator consoles and terminals
- Tape library, tapes, disks and all magnetic media
- Storage room and supplies
- Offsite backup file storage facility
- Input/output control room
- Communication closet
- Telecommunication equipment (including radios, satellites, wiring, modems and external network connections)
- Microcomputers and personal computers (PCs)
- Power sources
- Disposal sites
- Minicomputer establishments
- Dedicated telephones/Telephone lines
- Control units and front end processors
- Portable equipment (hand-held scanners and coding devices, bar code readers, laptop computers and notebooks, printers, pocket LAN adapters and others)
- Onsite and remote printers
- Local area networks
5.2 Physical access controls
Physical access controls are designed to protect the organisation from unauthorised access.
Examples of some of the more common access controls are:
- Bolting door locks – these locks require the traditional metal key to gain entry. The key should be stamped ‘Do not duplicate’.
- Combination door locks (cipher locks) – this system uses a numeric keypad or dial to gain entry. The combination should be changed at regular intervals or whenever an employee with access is transferred, fired or subject to disciplinary action. This reduces the risk of the combination being known by unauthorised people.
- Electronic door locks – this system uses a magnetic or embedded chip-based plastic card key or token entered into a sensor reader to gain access. A special code internally stored in the card or token is read by the sensor device that then activates the door locking mechanism. Electronic door locks have the following advantages over bolting and combination locks:
Through the special internal code, cards can be assigned to an identifiable individual.
Through the special internal code and sensor devices, access can be restricted based on the individual’s unique access needs. Restriction can be assigned to particular doors or to particular hours of the day.
They are difficult to duplicate.
Card entry can be easily deactivated in the event an employee is terminated or a card is lost or stolen. Silent or audible alarms can be automatically activated if unauthorised entry is attempted.
- Biometric door locks – an individual’s unique body features, such as voice, retina, fingerprint or signature, activate these locks. This system is used in instances when extremely sensitive facilities must be protected, such as in the military.
- Manual logging – all visitors should be required to sign a visitor’s log indicating their name, company represented, reason for visiting and person to see. Logging typically is at the front reception desk and entrance to the computer room.
- Electronic logging – this is a feature of electronic and biometric security systems. All access can be logged, with unsuccessful attempts being highlighted.
- Identification badges (photo IDs) – badges should be worn and displayed by all personnel. Visitor badges should be a different colour from employee badges for easy identification.
- Video cameras – cameras should be located at strategic points and monitored by security guards.
- Security guards – guards are very useful if supplemented by video cameras and locked doors. Guards supplied by an external agency should be bonded to protect the organisation from loss.
- Controlled visitor access – all visitors should be escorted by a responsible employee.
- Bonded personnel – all service contract personnel, such as cleaning people and offsite storage services, should be bonded.
- Deadman doors – this system uses a pair of (two) doors, typically found in entries to facilities such as computer rooms and document stations. For the second door to operate, the first entry door must close and lock, with only one person permitted in the holding area.
- Computer terminal locks – these devices lock the terminal to the desk, prevent the computer from being turned on or disengage keyboard recognition, preventing use.
- Controlled single entry point – a controlled entry point monitored by a receptionist should be used by all incoming personnel.
- Alarm system – an alarm system should be linked to inactive entry points, motion detectors and the reverse flow of enter or exit only doors.
Network security
Communication networks (Wide Area or Local Area Networks) generally include devices connected to the network, and programmes and files supporting the network operations. Control is accomplished through a network control terminal and specialised communications software.
The following are controls over the communication network:
- Network control functions should be performed by technically qualified operators.
- Network control functions should be separated and duties rotated on a regular basis where possible.
- Network control software must restrict operators from performing certain functions, such as amending or deleting operator activity logs.
- Network control software should maintain an audit trail of all operator activities.
- Audit trails should be reviewed periodically by operations management to detect any unauthorised network operation activities.
- Network operation standards and protocols should be documented and made available to the operators and should be reviewed periodically to ensure compliance.
- Network access by system engineers should be closely monitored and reviewed to detect unauthorised access to the network.
- Analysis should be performed to ensure workload balance, fast response time and system efficiency.
- A terminal identification file should be maintained by the communication software to check the authentication of a terminal when it tries to send or receive messages.
- Data encryption should be used where appropriate to protect messages from disclosure during transmission.
Some common network management and control software include Novell NetWare, Windows NT, UNIX, NetView and NetPass.
7.1 Local Area Network (LAN) security
Local area networks (LANs) facilitate the storage and retrieval of programs and data used by a group of people. LAN software and practices also need to provide for the security of these programs and data. Risks associated with use of LANs include:
- Loss of data and programme integrity through unauthorised changes
- Lack of current data protection through inability to maintain version control
- Exposure to external activity through limited user verification and potential public network access from dial-up connections
- Virus infection
- Improper disclosure of data because of general access rather than need-to-know access provisions
- Violating software licenses by using unlicensed or excessive number of software copies
- Illegal access by impersonating or masquerading as a legitimate LAN user
- Internal user’s sniffing (obtaining seemingly unimportant information from the network that can be used to launch an attack, such as network address information)
- Internal user’s spoofing (reconfiguring a network address to pretend to be a different address)
- Destruction of the logging and auditing data
The LAN security provisions available depend on the software product, product version and implementation. Commonly available network security administrative capabilities include:
- Declaring ownership of programmes, files and storage
- Limiting access to read only
- Implementing record and file locking to prevent simultaneous update to the same record
- Enforcing user ID/password sign-on procedures, including the rules relating to password length, format and change frequency
7.2 Dial-up access controls
It is possible to break LAN security through the dial-in route. Without dial-up access controls, a caller can dial in and try passwords until they gain access. Once in, they can hide pieces of software anywhere, pass through Wide Area Network (WAN) links to other systems and generally cause as much or as little havoc as they like.
7.3 Client/server security
A client/server system typically contains numerous access points. Client/server systems utilise distributed techniques, creating increased risk of access to data and processing. To effectively secure the client/server environment, all access points should be identified. In mainframe-based applications, centralised processing techniques require the user to go through one pre-defined route to access all resources.
- Network monitoring devices may be used to inspect activity from known or unknown users.
- Data encryption techniques can help protect sensitive or proprietary data from unauthorised access.
- Authentication systems may provide environment-wide, logical facilities that can differentiate among users. Another method, system smart cards, uses intelligent handheld devices and encryption techniques to decipher random codes provided by client/server systems. A smart card displays a temporary password that is provided by an algorithm (step-by-step calculation instructions) on the system and must be re-entered by the user during the login session for access into the client/server system.
7.4 Internet threats
The very nature of the Internet makes it vulnerable to attack. It was originally designed to allow for the freest possible exchange of information, data and files. However, today the freedom carries a price. Hackers and virus-writers try to attack the Internet and computers connected to the Internet, and those who want to invade others’ privacy attempt to crack into databases of sensitive information or snoop on information as it travels across Internet routes.
It is, therefore, important in this situation to understand the risks and security factors that are needed to ensure proper controls are in place when a company connects to the Internet. There are several areas of control risks that must be evaluated to determine the adequacy of Internet security controls:
- Corporate Internet policies and procedures
- Firewall standards
- Firewall security
- Data security controls
Internet threats include:
1. Disclosure
It is relatively simple for someone to eavesdrop on a ‘conversation’ taking place over the Internet. Messages and data traversing the Internet can be seen by other machines including e-mail files, passwords and in some cases key-strokes as they are being entered in real time.
2. Masquerade
A common attack is a user pretending to be someone else to gain additional privileges or access to otherwise forbidden data or systems. This can involve a machine being reprogrammed to masquerade as another machine (such as changing its Internet Protocol – IP address). This is referred to as spoofing.
3. Unauthorised access
Many Internet software packages contain vulnerabilities that render systems subject to attack. Additionally, many of these systems are large and difficult to configure, resulting in a large percentage of unauthorised access incidents.
4. Loss of integrity
Just as it is relatively simple to eavesdrop on a conversation, so it is also relatively easy to intercept the conversation and change some of the contents or to repeat a message. This could have disastrous effects if, for example, the message was an instruction to a bank to pay money.
5. Denial of service
Denial of service attacks occur when a computer connected to the Internet is inundated (flooded) with data and/or requests that must be serviced. The machine becomes so tied up with dealing with these messages that it becomes useless for any other purpose.
6. Theft of service and resources
Where the Internet is being used as a channel for delivery of a service, unauthorised access to the service is effectively theft. For example, hacking into a subscription-based news service is effectively theft.
The impacts of the threats described above include:
- Loss of income
- Increased cost of recovery (correcting information and re-establishing services)
- Increased cost of retrospectively securing systems
- Loss of information (critical data, proprietary information, contracts)
- Loss of trade secrets
- Damage to reputation
- Legal and regulatory non-compliance
- Failure to meet contractual commitments
7.5 Encryption
Encryption is the process of converting a plaintext message into a secure coded form of text called cipher text that cannot be understood without converting it back to plaintext via decryption (the reverse process). This is done via a mathematical function and a special encryption/decryption password called the key.
Encryption is generally used to:
- Protect data in transit over networks from unauthorised interception and manipulation
- Protect information stored on computers from unauthorised viewing and manipulation
- Deter and detect accidental or intentional alterations of data
- Verify authenticity of a transaction or document
The limitations of encryption are that it can’t prevent loss of data and encryption programs can be compromised. Therefore encryption should be regarded as an essential but incomplete form of access control that should be incorporated into an organisation’s overall computer security programme.
There are two common encryption or cryptographic systems:
1. Symmetric or private key system
Symmetric cryptosystems use a secret key to encrypt the plaintext into cipher text. The same key is also used to decrypt the cipher text to the corresponding plaintext. In this case the key is symmetric because the encryption key is the same as the decryption key.
2. Asymmetric or public key system
Asymmetric encryption systems use two keys, which work together as a pair. One key is used to encrypt data, the other is used to decrypt data. Either key can be used to encrypt or decrypt, but once one key has been used to encrypt data, only its partner can be used to decrypt the data (even the key that was used to encrypt the data cannot be used to decrypt it).
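As an added example (not part of the original notes), the two systems side by side in Go using only the standard library: AES-GCM for the symmetric case, where one key both seals and opens, and RSA-OAEP for the asymmetric case, where the public key encrypts and only its private partner decrypts. The function names are this example's own; the GCM authentication tag also demonstrates the "detect alterations of data" use listed above.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
)

// SymmetricKey: one secret key, used for both encryption and decryption (AES-GCM).
func SymmetricKey(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // key must be 16, 24 or 32 bytes
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block) // GCM also adds a tag that detects any alteration
}

// SymmetricEncrypt output layout: random nonce || ciphertext || authentication tag.
func SymmetricEncrypt(k cipher.AEAD, plaintext []byte) ([]byte, error) {
	nonce := make([]byte, k.NonceSize()) // fresh nonce per message, never reused
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return k.Seal(nonce, nonce, plaintext, nil), nil
}

// SymmetricDecrypt returns an error, never garbage, on a wrong key or altered data.
func SymmetricDecrypt(k cipher.AEAD, sealed []byte) ([]byte, error) {
	if n := k.NonceSize(); len(sealed) >= n {
		return k.Open(nil, sealed[:n], sealed[n:], nil)
	}
	return nil, errors.New("sealed data too short")
}

// GenerateKeyPair: the public half may be published, the private half never leaves its owner.
func GenerateKeyPair(bits int) (*rsa.PrivateKey, error) {
	return rsa.GenerateKey(rand.Reader, bits)
}

// AsymmetricEncrypt uses the public key; only the matching private key can undo it (RSA-OAEP).
func AsymmetricEncrypt(pub *rsa.PublicKey, m []byte) ([]byte, error) {
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, m, nil)
}

func AsymmetricDecrypt(priv *rsa.PrivateKey, c []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, c, nil)
}
```

The functions are meant to be exercised from a small Go test or main: a different symmetric key, a single modified byte, or the wrong private key all surface as an error rather than as garbled plaintext.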
Controls for environmental exposures
1. Water detectors – in the computer room, water detectors should be placed under the raised floor and near drain holes, even if the computer room is on a high floor (remember water leaks). When activated, the detectors should produce an audible alarm that can be heard by security and control personnel.
2. Hand-held fire extinguishers – fire extinguishers should be in strategic locations throughout the information system facility. They should be tagged for inspection and inspected at least annually.
3. Manual fire alarms – hand-pull fire alarms should be strategically placed throughout the facility. The resulting audible alarm should be linked to a monitored guard station.
4. Smoke detectors – they supplement, not replace, fire suppression systems. Smoke detectors should be above and below the ceiling tiles throughout the facility and below the raised computer room floor. They should produce an audible alarm when activated and be linked to a monitored station (preferably by the fire department).
5. Fire suppression system – these systems are designed to activate immediately after detection of the high heat typically generated by fire. The system should produce an audible alarm when activated. Ideally, it should automatically trigger other mechanisms to localise the fire, including closing fire doors, notifying the fire department, closing off ventilation ducts and shutting down nonessential electrical equipment. Fire suppression systems vary but are usually one of the following:
- Water based systems (sprinkler systems) – effective but unpopular because they damage equipment
- Dry-pipe sprinkling – sprinkler systems that do not have water in the pipes until an electronic fire alarm activates the water pumps to send water to the dry pipe system.
- Halon systems – release pressurised halon gases that remove oxygen from the air, thus starving the fire. Halon is popular because it is an inert gas and does not damage equipment.
- Carbon dioxide systems – release pressurised carbon dioxide gas into the area protected to replace the oxygen required for combustion. Unlike halon, however, carbon dioxide is unable to sustain human life and can, therefore, not be set to automatic release.
6. Strategically locating the computer room – to reduce the risk of flooding, the computer room should not be located in the basement. If located in a multi-storey building, studies show that the best location for the computer room to reduce the risk of fire, smoke and water damage is between the 3rd and 6th floors.
7. Regular inspection by fire department – to ensure that all fire detection systems comply with building codes, the fire department should inspect the system and facilities annually.
8. Fireproof walls, floors and ceilings surrounding the computer room – walls surrounding the information processing facility should contain or block fire from spreading. The surrounding walls should have at least a two-hour fire resistance rating.
9. Electrical surge protectors – these electrical devices reduce the risk of damage to equipment due to power spikes. Voltage regulators measure the incoming electrical current and either increase or decrease the charge to ensure a consistent current. Such protectors are typically built into the uninterruptible power supply (UPS) system.
10. Uninterruptible power supply system (UPS)/generator – a UPS system consists of a battery or petrol-powered generator that interfaces between the electrical power entering the facility and the electrical power entering the computer. The system typically cleanses the power to ensure the wattage into the computer is consistent. Should a power failure occur, the UPS continues providing electrical power from the generator to the computer for a certain length of time.
11. Wiring placed in electrical panels and conduit – electrical fires are always a risk. To reduce the risk of such a fire occurring and spreading, wiring should be placed in fire-resistant panels and conduit. This conduit generally lies under the fire-resistant raised computer room floor.
12. Prohibitions against eating, drinking and smoking within the information processing facility – food, drink and tobacco use can cause fires, build-up of contaminants or damage to sensitive equipment especially in case of liquids. They should be prohibited from the information processing facility. This prohibition should be overt, for example, a sign on the entry door.
13. Fire resistant office materials – wastebaskets, curtains, desks, cabinets and other general office materials in the information processing facility should be fire resistant. Cleaning fluids for desktops, console screens and other office furniture/fixtures should not be flammable.
14. Documented and tested emergency evacuation plans – evacuation plans should emphasise human safety, but should not leave information processing facilities physically unsecured. Procedures should exist for a controlled shutdown of the computer in an emergency situation, if time permits.
Computer ethics
Although ethical decision-making is a thoughtful process, based on one’s own personal fundamental principles, we need codes of ethics and professional conduct for the following reasons:
- Document acceptable professional conduct to:
  - Establish the status of the profession
  - Educate professionals about their responsibilities to the public
  - Inform the public of what to expect of professionals