A Draft Security Policy

This draft policy is provided as a model for your organization's consideration and adoption. It was prepared by the National Computer Security Association. We would appreciate your comments or revisions to it. You may write us at Suite 309, 4401-A Connecticut Av NW, Washington, DC 20008. Or you may call our BBS at 202-364-1304. Or you may call voice at 202-364-8252.

BASIC REQUIREMENTS

Each of the six basic requirements defined below is used by DoD in evaluating system security, and all of them are appropriate for any computer system, regardless of its actual security requirements.

Security Policy

There must be an explicit and well-defined security policy enforced by the system. Given identified subjects and objects, there must be a set of rules that the system uses to determine whether a given subject can be permitted to gain access to a specific object. Computer systems of interest must enforce a mandatory security policy that can effectively implement access rules for handling sensitive information. These rules include requirements such as: "No person lacking proper personnel security clearance shall obtain access to classified information." In addition, discretionary security controls are required to ensure that only selected users or groups of users may obtain access to data - for instance, on a need-to-know basis.

Marking

Access control labels must be associated with objects. In order to control access to information stored in a computer according to the rules of a mandatory security policy, it must be possible to mark every object with a label that reliably identifies the object's sensitivity level and/or the modes of access accorded those subjects who may potentially access the object.

Identification

Individual subjects must be identified. Each access to information must be mediated based on who is accessing the information and what classes of information they are authorized to deal with.
This identification and authorization information must be securely maintained by the computer system and be associated with every active element that performs some security-relevant action in the system.

Accountability

Audit information must be selectively kept and protected so that actions affecting security can be traced to the responsible party. A trusted system must be able to record the occurrences of security-relevant events in an audit log. The capability to select the audit events to be recorded is necessary to minimize the expense of auditing and to allow efficient analysis. Audit data must be protected from modification and unauthorized destruction to permit detection and after-the-fact investigation of security violations.

Assurance

The computer system must contain hardware/software mechanisms that can be independently evaluated to provide sufficient assurance that the system enforces the policy, marking, identification, and accountability requirements described above. In order to assure that these four requirements are enforced by a computer system, there must be some identified and unified collection of hardware and software controls that perform these functions. These mechanisms are typically embedded in the operating system of mainframes, or in a combination of operating system features and added application software on LANs, and are designed to carry out the assigned tasks in a secure manner. The basis for trusting such system mechanisms in their operational setting must be clearly documented, such that it is possible to independently examine the evidence to evaluate their sufficiency.

Continuous Protection

The trusted mechanisms that enforce these basic requirements must be continuously protected against tampering and/or unauthorized changes. No computer system can be considered truly secure if the basic hardware and software mechanisms that enforce the security policy are themselves subject to unauthorized modification or subversion.
The continuous protection requirement has direct implications throughout the computer system's lifecycle.

IMPLEMENTATION CONCERNS

Creating a security policy is fairly simple. You can copy the material that follows, for instance, and get the chief to sign it. Implementing a security policy is more difficult.

* The organizations with the most success in implementing security policies with PC users are those that get away from a project orientation and somehow convince all staff that security is an ongoing business function.

While seemingly everyone concerned with security agrees that a policy is important, not everyone agrees that it should be agency-wide. For example, NASA's Richard W. Carr believes that a standard approach like the NSA's C2 level of safeguarding is not cost-effective. Because so much of NASA's scientific data is made public, Carr has opted for local approaches to safeguarding information, rather than an agency-wide approach.

HARDWARE CONCERNS

Before reviewing sophisticated data security issues, it is necessary to consider the basic physical protection of the equipment itself.

Access

Access to micros should be physically limited to authorized users. Untrained or malicious individuals could damage or make inappropriate use of the equipment or the accessible data. At some organizations, such as GTE, the entire microcomputer is kept in a locked room. If users are reluctant to do this when they are finished with it, they are provided with an external hard disk that can be locked up.

* Do not permit users to leave workstations or micros unattended, particularly if they are tied to a network.
* Install timelocks that activate after an interval of no keyboard activity and require a password to resume entry.
* Change all passwords immediately whenever an employee leaves the organization.
* Change the passwords of all employees routinely - perhaps every other month.

Theft

Personal computers and their component parts are high-value items.
Secure the rooms where the hardware is located, or install lockdown systems securing the equipment to a table or desk.

Environmental Damage

Electrical Power

Computers are sensitive to the quality of electrical power. Use surge protectors. Also, micros should be powered from a source isolated from heavy appliances or office equipment.

Smoking, Eating, and Drinking

Smoke can damage disks. Food and ashes that are dropped in the keyboard can work down into the mechanism and cause malfunctions. Smoking, eating, and drinking should be prohibited in the vicinity of computers.

Static Electricity

Static electricity can badly damage a computer. This danger can be minimized through the use of anti-static sprays, carpets, or pads.

Magnetic Media Protection

Particular attention should be given to the protection of magnetic media, as it is the primary means of data storage.

Floppy Disks

Floppy disks should be handled with care.

* Always store in the protective jacket.
* Protect from bending or similar handling.
* Maintain an acceptable temperature range (50-125 degrees F).
* Avoid contact with magnetic fields, such as telephone handsets.
* Do not write on the diskette, either directly or through the jacket or sleeve.

Hard Disks

Rough handling of hard disks may damage the device. Take care not to jostle the unit unnecessarily. Never power off the system without performing the recommended shutdown procedures.

Media Declassification or Destruction

Magnetic media, such as disks and tapes, that contain sensitive or classified information should not be put in regular waste containers. They should be cleared by degaussing and reused, or rendered useless by shredding or burning. Defective or damaged magnetic storage media that have been used in a sensitive environment should not be returned to the vendor unless they have been degaussed. This is required because many "ERASE" commands do not actually erase the file; they typically remove only its directory entry and leave the data itself on the disk.
The DoD-approved erasure method requires three overwrites of the file: first overwriting with 1's, then with 0's, and then with random bits. Each overwrite should be verified by inspecting the file contents, using some low-level facility.

Electromagnetic Emanations

All electronic equipment emanates electromagnetic signals. Emanations produced by computers, terminals, and communication lines can be detected and translated into readable form by monitoring devices. Security measures intended to combat these radio frequency emissions are known as "TEMPEST" controls. TEMPEST-certified equipment is available, and is used regularly by government organizations and contractors processing classified data.

Hardware Modifications

Hardware modifications should be strictly controlled. Uncontrolled or poorly considered hardware modifications can adversely affect the operation of the computer. For example, any modification to TEMPEST-approved devices may invalidate their emanation-shielding ability. The configuration of any hardware systems used for sensitive processing should be very carefully monitored. Such devices should be sealed to prevent tampering, and modifications made only by trusted, qualified personnel.

Trusted, Authorized Technicians

Advanced microelectronic techniques make computers vulnerable to "bugging." A transmitter chip can be installed by a hostile technician under the guise of a system repair or upgrade. Therefore, the user should be certain that the technician performing maintenance is both authorized and qualified. Also, circuit boards or components removed in the course of any maintenance at a classified facility should not leave without qualified technical review.

DATA CONCERNS

Classification

Classify your information. IBM uses five classes of data, from unclassified, with no restrictions, to "registered IBM confidential," available only to employees with a predetermined need to know.
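The three-pass overwrite described under Media Declassification or Destruction above, carried out and verified in code. This is an added example, not part of the NCSA draft: it writes all 1 bits, then all 0 bits, then random bits over the file and checks each pass by reading the file back rather than by eyeballing it with a low-level utility. The file name and contents are constructed. One caveat a practitioner needs: overwriting through the file system only reaches the original sectors on media that write in place (floppies and fixed disks without journaling or block remapping); on SSDs, flash cards and journaling or copy-on-write file systems the old data may survive elsewhere, and degaussing or physical destruction remains the answer.

```python
"""Three-pass overwrite of a file with read-back verification.

Added example, not part of the NCSA draft policy. Pattern sequence follows
the erasure method described on the page (1's, 0's, random). The sample
file is constructed; the working directory is a temp dir.
"""
import os
import secrets
import tempfile

# Overwrite patterns, applied in order. Each callable returns `n` bytes.
PASSES = [
    ("ones", lambda n: b"\xff" * n),
    ("zeros", lambda n: b"\x00" * n),
    ("random", lambda n: secrets.token_bytes(n)),
]


def overwrite_and_verify(path, pattern):
    """Write pattern(size) over the whole file in place, force it to the
    device, then read it back and report whether every byte matches."""
    size = os.path.getsize(path)
    expected = pattern(size)
    with open(path, "r+b") as f:        # r+b rewrites the existing file, no truncate/recreate
        f.seek(0)
        f.write(expected)
        f.flush()
        os.fsync(f.fileno())
    with open(path, "rb") as f:
        return f.read() == expected


def secure_erase(path):
    """Run every pass in PASSES, verifying each, then unlink the file.
    Returns the names of the verified passes; raises if any pass fails."""
    verified = []
    for name, pattern in PASSES:
        if not overwrite_and_verify(path, pattern):
            raise RuntimeError(f"pass '{name}' did not verify on {path}")
        verified.append(name)
    os.remove(path)
    return verified


def demo():
    """Create a constructed 'sensitive' file, erase it, and return
    (verified pass names, whether the file still exists)."""
    workdir = tempfile.mkdtemp()
    path = os.path.join(workdir, "payroll.dat")   # constructed sample
    with open(path, "wb") as f:
        f.write(b"SALARY RECORDS - CONFIDENTIAL\n" * 64)
    passes = secure_erase(path)
    return passes, os.path.exists(path)


if __name__ == "__main__":
    print(demo())
```

Because the random pass is generated once and held in memory, the read-back comparison verifies it just as strictly as the fixed patterns; a pass that does not read back identically aborts the procedure instead of silently unlinking the file.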
If your organization already has an approved classification system, use it. If not, develop one.

Labeling

Sensitive or classified information resources must be clearly labeled as such. These "resources" include both the hardware and the storage media.

External Classification Labels on Micros

Micros should have external classification labels indicating the highest sensitivity of data processed on the device. Avoid using hard disk systems for sensitive processing, as the data stored on a hard disk cannot be reliably removed except by degaussing the entire disk surface. Also, it is very difficult to ascertain that sensitive information has not been stored on the disk. Consequently, hard disk systems must be labeled to indicate the highest level of data sensitivity to which they have ever been exposed.

Floppy Disk Labels

Label all floppy disks to indicate the type and sensitivity of data on the disk. A floppy must be considered to assume the sensitivity level of the device in which it is inserted. For example, a hard disk that holds some sensitive data must always be considered a sensitive device, and any floppy disk inserted into any machine connected (directly or through cabling) to such a hard disk must assume that level of sensitivity. Conversely, if the floppy is more sensitive than the hard disk, the hard disk now assumes the higher sensitivity of the floppy.

Files

Files stored on a hard disk that contains any sensitive files must be handled as carefully as the most sensitive information stored on the system. On such a system, even files that are assumed not to be sensitive cannot be readily confirmed as such. Visual inspection of a file's printed image does not really confirm what is physically stored in the file space. Sensitive files, if they must be stored on hard disks, should be handled very carefully. One means of emphasizing which files are sensitive is to store them in a separate disk partition.
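The labeling rules above (a floppy takes on the sensitivity of any hard disk reachable from the machine it is inserted into, and a hard disk takes on the level of a more sensitive floppy) are a high-water-mark rule over an ordered set of levels, and the clearance rule under BASIC REQUIREMENTS is a dominance check over the same set. The following is an added example, not part of the NCSA draft, that implements both. The level names are an assumption; substitute your own classification scheme. Raising every machine in the connected group, not only the one the floppy was inserted into, is the conservative generalization of the page's rule, since the page treats cabling as carrying sensitivity in both directions.

```python
"""Sensitivity labels: the mandatory access rule and high-water-mark
propagation between machines and removable media.

Added example, not part of the NCSA draft policy. LEVELS is an assumed
ordering; device and media names in demo() are constructed.
"""
from collections import deque

LEVELS = ["unclassified", "internal", "confidential", "registered confidential"]
RANK = {name: i for i, name in enumerate(LEVELS)}


def dominates(a, b):
    """True if label a is at least as sensitive as label b."""
    return RANK[a] >= RANK[b]


def may_read(subject_clearance, object_label):
    """Mandatory rule from BASIC REQUIREMENTS: no access to an object
    unless the subject's clearance dominates the object's label."""
    return dominates(subject_clearance, object_label)


class Inventory:
    """Devices and media with their current (high-water-mark) labels, plus
    the cabling/LAN links between machines."""

    def __init__(self):
        self.labels = {}   # item name -> current label
        self.links = {}    # item name -> set of directly connected items

    def add(self, item, label):
        self.labels[item] = label
        self.links.setdefault(item, set())

    def connect(self, a, b):
        self.links[a].add(b)
        self.links[b].add(a)

    def reachable(self, start):
        """Everything connected to `start`, directly or through cabling."""
        seen, queue = {start}, deque([start])
        while queue:
            item = queue.popleft()
            for other in self.links[item]:
                if other not in seen:
                    seen.add(other)
                    queue.append(other)
        return seen

    def insert_media(self, media, machine):
        """Apply the Labeling rule: the media and every machine reachable
        from `machine` all rise to the highest label among them. Labels
        only ever rise. Returns the resulting label."""
        group = self.reachable(machine) | {media}
        high = max((self.labels[x] for x in group), key=RANK.__getitem__)
        for x in group:
            if RANK[self.labels[x]] < RANK[high]:
                self.labels[x] = high
        return high


def demo():
    """Constructed scenario: two cabled PCs and two floppies."""
    inv = Inventory()
    inv.add("pc-1 disk", "confidential")
    inv.add("pc-2 disk", "unclassified")
    inv.connect("pc-1 disk", "pc-2 disk")          # same LAN segment
    inv.add("floppy-A", "unclassified")
    inv.add("floppy-B", "registered confidential")
    a = inv.insert_media("floppy-A", "pc-2 disk")  # rises because pc-2 is cabled to pc-1
    b = inv.insert_media("floppy-B", "pc-1 disk")  # disks rise to the floppy's level
    return a, b, dict(inv.labels)


if __name__ == "__main__":
    print(demo())
```

Note that labels never decrease: once a hard disk has been exposed to a level, the page requires it to carry that level permanently, which is exactly what the one-way update in insert_media enforces.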
However, partitioning and similar file-placement methods, no matter how carefully controlled, do not ensure data integrity.

Encryption

Data encryption provides a partial solution to the problem of labeling, as well as providing access control. Encryption is a technique for rendering information unintelligible to those who do not have access to the tools (the key) necessary to see it. Hardware implementations of encryption can provide a higher degree of security, since software-based implementations are susceptible to penetration by interlopers. However, take steps to ensure the integrity of the device. Sensitive equipment should be sealed and the internal configuration audited.

Securing Data Media

Lock Floppy Disks

Diskettes should be locked in a secure container. Be sure that the keys are unique and not interchangeable with the keys to other locks.

Use Removable Hard Disk Systems

When feasible, use removable hard disk systems instead of fixed disk storage. At a minimum, keep hard disk systems in a secure area. Also, consider installing power-on locks that restrict access to the machine to individuals with lock keys. Again, the keys should be unique.

Backup

Make backup copies of all important software and data files.

Clearing Memory

Clear the micro's memory between users. Turning most micros off for 10 seconds is usually enough to accomplish this.

Data Transmission

Microcomputers can enable users to transfer data to or from a mainframe. Transferring sensitive data should be carefully controlled and monitored. The micro user is responsible for ensuring that sensitive or classified information is transferred only to other computers designated for sensitive data. The micro user is also responsible for the data transferred from mainframe to micro. Note that such transmissions may include information which the user may not have perceived as being transferred.

SOFTWARE CONCERNS

Software Vulnerabilities

The lack of micro hardware security engenders software insecurity.
Because modifications cannot be prevented, critical software, including operating system routines, can be modified or destroyed. For example, encryption schemes implemented in software can be forced to reveal their decryption key.

Operating System Weaknesses

Unlike many mainframe computer operating systems, most micro operating systems have not been developed with security in mind.

User Identification and Authentication

User identification is the process by which an individual identifies himself to the system as a valid user. Authentication is the procedure by which the user establishes that he is indeed that user and has a right to use the system. During the login process, the user enters a name or account number (identification) and a password (authentication).

* Add password systems - software or hardware - to micros.
* Do not permit employees to use inappropriate passwords that are easy to guess (first name, spouse's name, pet's name, birthday, etc.).
* Authentication (and, for multi-user micros and LANs, identification) should occur whenever the system is powered up or rebooted.

Software Attacks - Trapdoors/Trojan Horses/Viruses

Do not use any software that is not a "known quantity." Isolate and test new software on a test system, where Trojan horses and viruses can do little damage. Consider a policy which prohibits users from bringing unapproved software into the building. (Rockwell International has had such a written policy since 1988.) If a user must bring in software, consider requiring that it be tested by your virus test group first. Follow the advice in the chapter on viruses.

Communication Attacks

Information transmitted over unprotected communications lines can be intercepted by someone masquerading as you, by someone actively receiving your information, or through passive eavesdropping. Therefore, sensitive information should be protected during transmission. Masquerading can be thwarted through the use of dial-back.
Dial-back is an interactive security measure that works like this: the answering modem requests the identification of the caller, then disconnects. If the caller's ID matches an authorized ID in the answering system's user directory, the answering system calls back the originating system at a prearranged number. The effectiveness of dial-back as a security measure is questionable because of digital PBXs (private branch exchange telephone systems) and convenience features like call forwarding, which can redirect the return call to a line the attacker controls. Also, various methods of call-back protection have been broken by hackers.

Encryption, properly implemented, is a sure method of transmission protection. Encryption can also be adapted as a means of remote user authentication. A user key, entered at the keyboard, authenticates the user. A second encryption key, stored in encrypted form in the calling system's firmware, authenticates the calling system as an approved communication endpoint. When dial-back is used in conjunction with two-key encryption, data access can be restricted to authorized users (those with the user key) on authorized systems (those whose modems have the correct second key), located at authorized locations (those with phone numbers listed in the answering system's phone directory).

Remote connections to other systems make micros susceptible to remote attacks. A micro connected to a network, for example, may be subjected to attack by other network users. The attacker could transmit control characters that affect the interrupt logic of the micro in such a way as to permit him to obtain full access to the micro and its peripherals, even if he is incapable of passing the system's login challenge. The attacker could use other techniques to examine the user's communication package for dial-up phone numbers, access codes, passwords, etc.

HUMAN CONCERNS

To create computer security, four basic changes must occur in the organization:

* Senior management must provide strong, overt support of the program.
They must require personal accountability in their subordinates, and they must set good examples.
* Employees must be educated. Employees would support security programs much more if they understood the need and the methods, and felt that they were part of the program. Educate and involve them.
* All members of the organization must participate in the program. Because information is handled by all employees, all must understand the value of their contribution to security and the value of the information they access.
* Staff effort must be rewarded. Be sure to reward those who provide suggestions for improving security, who comply with security policy, and who contribute in other ways.

The "human factors" in computer security are probably far more important than the hardware or software you throw at the problem.

Perhaps security would be improved with some world-wide attitude change, too. Ken Thompson, one of the co-developers of UNIX, writes: "It is only the inadequacy of the criminal code that saves the hackers from very serious prosecution... There is an explosive situation brewing. On the one hand, the press, television, and movies make heroes of vandals by calling them whiz kids. On the other hand, the acts performed by these kids will soon be punishable by years in prison... The act of breaking into a computer system has to have the same social stigma as breaking into a neighbor's house. It should not matter that the neighbor's door is unlocked. The press must learn that misguided use of a computer is no more amazing than drunk driving of an automobile."
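The dial-back and two-key authentication exchange described under Communication Attacks above, simulated end to end with both sides' messages. This is an added example, not part of the NCSA draft. The page leaves the cipher unspecified, so this example substitutes an HMAC-SHA256 challenge-response for "encryption as authentication" (an assumption, not the page's design): the answering system sends a random nonce after calling back, and the calling side answers with one MAC under the user's keyboard key and one under the system key held in modem firmware. The `forwarding` table models the PBX call-forwarding feature the page warns about; the IDs, phone numbers and keys are constructed.

```python
"""Dial-back plus two-key authentication, simulated.

Added example, not part of the NCSA draft policy. HMAC-SHA256 stands in for
the unspecified encryption scheme on the page; names, numbers and keys are
constructed.
"""
import hashlib
import hmac
import secrets


class CallingSystem:
    """A remote micro. Its modem firmware holds system_key; the person at
    the keyboard supplies user_key."""

    def __init__(self, system_key, user_key):
        self.system_key = system_key
        self.user_key = user_key

    def answer_challenge(self, nonce):
        """Two responses: one proves the user key, one the system key."""
        return (hmac.new(self.user_key, b"user" + nonce, hashlib.sha256).digest(),
                hmac.new(self.system_key, b"system" + nonce, hashlib.sha256).digest())


class AnsweringSystem:
    def __init__(self, directory, users):
        self.directory = directory   # caller id -> (phone number on file, system_key)
        self.users = users           # user name -> user_key

    def call_back(self, phones, forwarding, number):
        """Hang up and dial the number on file. The PBX may forward the call."""
        return phones.get(forwarding.get(number, number))

    def login_dial_back_only(self, claimed_id, phones, forwarding):
        """Plain dial-back: whoever answers the return call is let in."""
        if claimed_id not in self.directory:
            return "rejected: unknown id"
        number, _ = self.directory[claimed_id]
        return "granted" if self.call_back(phones, forwarding, number) else "rejected: no answer"

    def login(self, claimed_id, user, phones, forwarding):
        """Dial-back followed by the two-key challenge."""
        if claimed_id not in self.directory or user not in self.users:
            return "rejected: unknown id"
        number, system_key = self.directory[claimed_id]
        remote = self.call_back(phones, forwarding, number)
        if remote is None:
            return "rejected: no answer"
        nonce = secrets.token_bytes(16)                 # fresh per login, defeats replay
        user_resp, sys_resp = remote.answer_challenge(nonce)
        exp_user, exp_sys = CallingSystem(system_key, self.users[user]).answer_challenge(nonce)
        if not hmac.compare_digest(sys_resp, exp_sys):
            return "rejected: system key"
        if not hmac.compare_digest(user_resp, exp_user):
            return "rejected: user key"
        return "granted"


def scenario():
    """Constructed scenario: a field office, an intruder who has had the
    office line forwarded to his own, and a stolen modem without the user key."""
    sys_key = secrets.token_bytes(32)
    alice_key = b"alice keyboard key"
    field_office = CallingSystem(sys_key, alice_key)
    intruder = CallingSystem(b"guess", b"guess")        # no valid keys at all
    stolen_modem = CallingSystem(sys_key, b"guess")     # right firmware key, wrong user key
    hq = AnsweringSystem({"FIELD-07": ("555-0107", sys_key)}, {"alice": alice_key})
    phones = {"555-0107": field_office, "555-0199": intruder, "555-0188": stolen_modem}
    return {
        "legit": hq.login("FIELD-07", "alice", phones, {}),
        "intruder_dial_back_only": hq.login_dial_back_only("FIELD-07", phones, {"555-0107": "555-0199"}),
        "intruder_two_key": hq.login("FIELD-07", "alice", phones, {"555-0107": "555-0199"}),
        "stolen_modem_two_key": hq.login("FIELD-07", "alice", phones, {"555-0107": "555-0188"}),
    }


if __name__ == "__main__":
    for case, result in scenario().items():
        print(f"{case}: {result}")
```

The two results worth comparing are `intruder_dial_back_only` and `intruder_two_key`: with the office line forwarded, dial-back alone hands the session to whoever answers the return call, which is the weakness the page notes, while the keyed challenge still rejects the intruder. The `stolen_modem` case shows why both keys are needed: the firmware key alone proves only that an approved modem answered, not that an authorized person is at the keyboard.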