ZDDDDDDDDDDDDDDDDDD? IMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMM; ZDDDDDDDDDDDDDDDDDD? 3 Founded By: 3 : Network Information Access : 3 Mother Earth BBS 3 3 Guardian Of Time 3D: 17APR90 :D3 NUP:> DECnet 3 3 Judge Dredd 3 : Guardian Of Time : 3Text File Archives3 @DDDDDDDDBDDDDDDDDDY : File 28 : @DDDDDDDDDBDDDDDDDDY 3 HMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMM< 3 3 IMMMMMMMMMMMMMMMMMMMMMMMMMMMMMM; 3 @DDDDDDDDDDDD: COMPUTER SECURITY TECHNIQUES :DDDDDDDDDDDY : Section II - Background : HMMMMMMMMMMMMMMMMMMMMMMMMMMMMMM< Here is Section II of VI Sections that talks in some detail about Computer Crime, and also sights actual court cases, which may be of some help to you. SECTION II - BACKGROUND $COMPUTER SECURITY BEGINNINGS Although computer security has been an important requirement in the military since computer use began, it has been only explicitly recognized in nonmilitary government and business since the late 1960s. The 1967 American Federation of Information Processing Societies, Spring Joint Computer Conference session, "Security and Privacy in Computer Systems" chaired by Dr. Willis Ware of the Rand Corporation, generated new interest in computer security. Rapid development, stimulated by the privacy issues and notorious computer crimes in the 1970s, has followed. Formalized methods for evaluating the adequacy of security soon followed. On July 27, 1978, the US Office of Management and Budget issued to all agency heads the Transmittal Memorandum No.1 under Circular No.A-71 on Security of Federal Automated Information Systems. This memorandum presents a comprehensive policy regarding establishment of computer security programs in all nondefense computer centers. It contains a procedure for adopting security standards, a requirement for security in all hardware and software procurements, plus guidance on security in all hardware and software procurements, plus guidance on conducting risk analyses, performing security audits, developing contingency plans, and establishing personal security policies. Various roles for the National Bureau of Standards, General Services Administration, and Civil SErvice Commission are specified. This memorandum, a significant milestone for computer security in the federal government, is a well-conceived document worth of general use. $MATURING COMPUTER SECURITY New approaches to reviewing, establishing the needs for, and selecting computer security controls are emerging as concepts of computer security mature. Maturation is evident from the routine acceptance of security and from the type of controls typically used today at the seven sites visited. At present, the computer security field is characterized by: : General management recognition and support. Top management at the sites were interested enough in computer Security to fully cooperate with the project field teams. Corporate and agency policies reflecting top management's concern have been formulated. : Established specialists in the subject area. Full-time security researchers and designers in computer science and technology are developing concepts of trusted computer systems that will be significantly more secure than current computers. Many consultants are active in the field. Computer security job titles and positions have been developed, and hiring by these titles is practiced. : Appointment of full-time or part-time computer security officers in large, well-run computer installations. The larger organization visited had full-time or part-time computer security officers. National conferences on computer and computer security and privacy are currently drawing 700 to 800 computer security-rated specialists and administrators. : Computer security products available at resonable prices. Physical access control systems for computer centers, password access terminal systems, file access control computer programs, file detection and suppression equipment, cryptographic systems, audit program tools and uninterrruptible power supplies for continuous operation of computers are examples of resonable priced products ( see also Section VI). In Addtion, the products' salesmen provide a new source of information and assistance for security practitioners. : A precedent-setting federal standard for cryptographic protection. The first federal information processing standard, the Data Encryption Standard, was approved by the National Bureau of Standards and is used in more than 25 products. : Increasing numbers of effective controls found in well-run computer installations and well-designed systems. Section VI identifies 82 generally used controls based on field investigation of the seven computer sites. : Practice of formal security review methods. Task group reviews of computer centers are becoming more common. The US Office of Management and Budget requires that risk assessments be performed in all federal agency computer centers at least once every 3 years. The National Bureau of Standards has published several reports on conducting risk assessments. : A body of information documenting loss experience. Conference proceedings, books, and trade journals include detailed descriptions of loss cases. Mr. Donn B. Parker at SRI International, Professor Brandt Allen at the University of Virginia, The American Institute Of Certified Public Accountants, Mr. Robert Courtney in New York, and Mr. Jay Bloombecker in Los Angeles have extensive files of reported computer abuse and crime cases. : Laws and regulations requiring security. The Federal and State Privacy Acts, Foreign Corrupt Practices Act, 16 state computer crime statues, and numerous regulations require or directly imply the need for controls. : Special insurance polices. Numerous insurance companies offer policies for protection against data processing business interruption, errors and ommissions, and crime. : Numerous books, journals, news publications, and other writings on the subject. The National Bureau of Standards has published more than 40 computer security reports. The Bureau of Justice Statistics, Department of Justice, has published a series of manuals and guides on privacy and security. At least four monthly commerical newsletters and journals, as well as many books on computer security, are published. : Specialized audit capabilities. The Institute of Internal Auditors published the SRI international Systems Auditability and Control Reports identifying 30 audit techniques and more than 300 controls. EDP auditing has become an accepted specialty in audit, and EDP auditors are certified by the Institute of Internal Auditors and soon also by the EDP Auditors Association. $VULNERABILITIES Admittedly, some potential threats and assets subject to loss are different from one computer center to another depending on organizational characteristics and purposes. Some vulnerabilities of a US Department of Justice computer center will be different than a toy manufacturer's computer center. However, similar problems among even diverse kinds of computer centers can lead to adoption of commonly used controls. The potential threats, the assets at risk, and the vulnerable facilities that are similar among all computer centers include: : Potential Threats - Disgruntled or error-prone employees causing physical destruction and destruction or modification of programs or data. - Natural disaster such as fire, flooding, and loss of power and communications. - Outsiders or employees making unauthorized use of computer services. - Outsiders or employees taking computer programs, data, equipment or supplies. : Assets Subject To Loss - Facilities - Systems equipment - People - Computer programs - Data - Data storage media - Supplies - Services - Documents - Records - Public respect and reputation. : Common Environments at Risk - Computer rooms containing computers and peripheral equipment - Magnetic media (tapes and disks) libraries - Job setup and output distribution stations - Data entry capabilities - Program libraries - Program development offices - Utility rooms - Reception areas - Communications switching panels - Fire detection and suppression equipment - Backup storage - Logs, records, and journals. In addition to the vulnerabilities common to all computer centers, some types of computer centers such as criminal justice operations, research institutes, insurance companies, and banks have environments, applications, and types of data that create similar potential threats and types of asset loss. The vulnerabilities endemic to subsets of similar computer centers lead to the need for selective controls such as separation or deletion of names from personal data, batch check summing of inventory data and possibly data encryption. Some examples of computer applications and associated risks that are not common to all computer centers are as follows: : Processing and storage of personal data - Intentional or accidental disclosure, modification, destruction or use of personal data or records of their use. - Violation of confidentiality rules, personal data regulations, or privacy laws. : Processing and storage of secret data (eg, investigative, intelligence, trade secret, marketing, competitive). - Intentional or accidental disclosure, modification, destruction, or use of trade secret or sensitive data or records. - Violation of rules, regulations, or laws. : Processing and storage of financial data (eg, account balances, negotiable instruments input/output, general ledger, accounts payable/receivable, payroll). - Financial fraud or theft. - Accidental financial loss such as lost interest. - Failure to meet financial report filing dates and other fiduciary obligations. : Process control (eg, controlling manufacturing processes, transportation, meal processing, inventory control, patient monitoring). - Intentional or accidental modification, failure, or destruction of processes. In addition, special or unique problems can arise in a single computer center where new technology is adopted and commonly used controls have not yet emerged. Examples of the new technology include voice data entry, voice ouput, fiber optics communication, satellite data communications, and automated offices. Lastly, several potential sources of unusual threats requiring special controls have been identified: a computer center built over a burning underground coal mine, violent labor strife, a computer center in an airport glide path, rodent or insect infestation, and contract programming performed by prison inmates. $CURRENT SECURITY REVIEW AND CONTROL SELECTION PRACTICES The process of identifying security needs and selecting and justifying controls is called a security review when carried out in an organized set of scheduled and budgeted tasks. It is sometimes incorrectly called an audit. An audit implies independent review by auditors for top management and owners of an enterprise to discover problems and lack of compliance with law, regulations, and policy. The security review method described below is based on identification of assets, potential threats, and lack of controls. A zero-based method, it begins by assuming that potential threats and controls have not been adequately addressed previously. Its purpose is to comprehensively and exhaustively identify problems in the form of specific vulnerabilities, their risk, and compensating controls. This approach is thoroughly justified; losses tend to occur where effective controls are absent. $A COMMONLY RECOMMENDED REVIEW METHOD The usual method of security review often described in the literature and in seminars includes combinations and various oderings of the following steps: (1) Organize a task group to conduct the review; establish plans, assignments, schedules, budgets, and scope; obtain management approval and support of the plan. (2) Identify the assets subject to loss; either determine their value, consequences of loss, and replacement value or rank their importance. (3) Identify potential threats to the identified assets. (4) Identify the controls in place or lack of controls that mitigate or facilitate the potential threats to the assets. (5) Combine associated potential threats, assets subject to loss, and lack of mitigating controls; each triple of items constitutes a vulnerability. (6) Evaluate and rank the vulnerabilities in terms of greatest to least expected potential loss; alternatively quantify risk for all or only the major vulnerabilities in terms of annual frequency of loss and single case loss in dollars to obtain annualized loss exposure. (7) Identify actions and controls that would reduce the risks of losses to acceptably low levels. (8) Recommend an implementation plan to reduce risk to an overall acceptably low level. (9) Carry out the plan and establish ongoing security maintenance and improvements. Several steps may be combined or overlapped for task group operating efficiency. Various methods such as use of questionnaires and loss and frequency data forms or scenarios can aid in accomplishing the tasks and documenting the results. Some steps may involve a high volume of data to warrant use of computer-aided methods. For example, quantified risk assessment requires expected frequency of loss and dollar value of single incident loss from both intentional and accidental modification, destruction, disclosure, use and denial of use (for various periods of time) for all computer-related threats and assets. In practice, however, the formalized review approach is rarely taken, or only severely limited versions are adopted. More likely, only piecemeal discoveries of vulnerabilities and their solutions happen. These events are occasioned by other information processing activities such as audits, loss events, new applications, new or newly enforced requirements, contracting, or budget studies. If a specific study is conducted, often obvious, significant vulnerabilities are identified early and actions taken to reduce their risk even before the final recommendations are made. $SECUIRTY METHODS IN PRACTICE A survey of management practices was conducted at the seven field sites.Managers were asked to describe the process curretnly used to select, justify, and install computer security controls. Both methodology and organizational factors were studied. Three typical case studies for a government agency, a research organization, and a private sector firm are included in Appendix A. None of the organizations studied used a formal cost-benifit or risk analysis to evaluate computer security controls. These techniques, which have been heralded in the literature, were thought to be excesively elaborate and not cost-effective. Quantitative analyses were considered not appropriate because of a lack of valid data. Instead, each site primarily used subjective and somewhat informal piecemeal techniques for assessing the pros and cons of particular computer security controls. These subjective techniques can be described as the exercise of prudent care or subscribing to generally used controls. the words "prudence" and "common sense" were frequently used in describing what went into these subjective assessment approaches. Generally used approaches were defined in terms of the practices of other organizations in similar environments. Management essentially asked, "If another manager were in my place, would he install and operate the proposed control?" Factors considered in answering this questing include: : The controls actually being used by other orgainziations with similar applications and equipment. : Reported loss experience. : The perceived needs of the organization's own operating environment compared to other organizations with similar environments. : The increased level of security to be achieved. : Laws and regulations. Definitions of generally used controls typically consider a wideranging control environment. Policies and professional ethical mores, personnel procedures, and manual procedures can be used to make up for the possible lack of computer-based controls, especially in computer systems where security has not been a design and implementation criterion. Another important factor in the decision to use a particular control was the influence of outside parties. Clients served by the organizations specified requirements that had to be met before certain work could be performed and data could be obtained. these requirements mirrored requirements that in some instances came from within the organization. External and internal auditors were other sources of relevant information. Quantitative information such as the cost to install and operate a control, money to be saved, or the losses to be prevented ( from catastrophes, lawsuits, or public embarrassment ) were rarely considered. Management in most cases did not actively seek information about what is done elsewhere. Although they used this information when made available to them and found it to be of great interest and potentially useful, they did not believe that contacting similar organizations and asking questions were cost-effective. The exception to this occurred when very costly controls, such as vaults or electronic lock access systems, were considered. Management then directed technical personnel to study alternative products and survey users of the products. Sometimes prioritized lists of desirable controls were prepared as wish lilsts that could be reviewed whenever budgets were prepared. The lists were helpful in matching high-priority controls with limited resources. Controls were viewed as necessary resource-consuming items rather than revenue generating or cost-saving items. The time frame was typically 3 to 5 years. The source of the funds to be used for a control largely dictated the approval process; if funds were to come from a government grant, from organizational overhead, or from a client project, then the approval channels were markedly different in each case. The approvoal process also varied depending on the time of year when the need for a control was noticed. If a need was perceived shortly before budgets were prepared, and installation could be delayed until the next fiscal year, then it was included in the budget. If installation of a control could not be delayed until the next fiscal year, then it was included in the budget. If installation of a control could not be delayed until the next fiscal year, special procedures were requried to rearrange currently budgeted funds to obtain additional funds. Documentation of the decision process was often sparce. Purchase requisitions and budgets on the proposed control were sometimes the only formal documents produced. Explicit management approval in these cases was given when these forms were approved. Larger organization werre more liekly to require formal documentation that included proposals, signoff sheets, memos, impact statements, and in rare instances cost-benefit analyses. Systems development and modification methodologies in some cases included requirements for considering computer security. Security was reviewed when a system was designed, redesigned, or modified, but not otherwise. The concern for security was not dealt with in isolation from other activites. Typically, a control that was retroisolation from other activites. Typically, a control that was retrofitted to an existing system was evaluated in the same manner as a control that was originally designed into a system. Both were subject to the system development and modification methodology. Documentation of control decisions and the resulting changes to be made were more extensive whenever a control was going to affect people outside the organization. One organization wrote and maintained a specialized secure operating system; another developed and installed a security program package. For these products, strict requirements for system change justification and documentation existed. $DECISION-MAKING FACTORS Typically, the decision to adopt a control was made by the line managers from the area primarily involved; for example, if an electronic lock access system would restrict the activities of computer operators, then compuer operations management would make the decision. In some instances, security committees that had an advisory role in the decision to adopt computer security controls were formed. These committees were composed of higher level managers who represented the following organizational ares: The legal department, user organizations, applications development, computer operations, and industrial security. These committees monitored legal and regulatory requirements , current events, and the current security systems. In rare cases, the committee had approval authority. When a proposed control affected several parts of the organization in a significant monetary or operational way, then management approval of each of these areas was usually obtained. Approval by industrial security, legal counsel, audit, personnel, users, as well as other departments of a compute center besides the one proposing a control was thus sometimes requred. For example, if a control would increase the rates for computing services charged to users, or if it would change the user's interaction with a computer system, then the users would typically be involved in the decision process. Occasionally, if many areas were involved, then a higher level manager who had each of these areas reporting to him decided whether to adopt a proposed control. The computer service provider may play different roles in the identification and approval of the need for a control. The service provider in some cases was responisble for telling the user what was needed, while in other organizations the user was responisble for telling the service provider what was required. In either case, expertise within the computer sevice provider's organization was relied on. In some organizations, other departments such as audit and legal counsel were supposed to alert involved parties to the need for additional controls, but the approval of the changes still rested with the service provider and the user. Audit departments were seldom involved in the control requirements and specification process. Although many authors of computer security works advocate that auditors be involved in systems design work, this participation did not generally occur. Some say that this sytem is adequate--auditors are not supposed to directly participate, which specification of controls would imply. Auditors were said to only infrequently review computer controls. Others state that auditors should be more active in the review of controls, informing management of the need for improvements. Larger organizations were more likely to have auditing staff involved in these activities. Many installations have noted that finding security experts in the computer field to hire is a problem. In some cases controls were not evaluated or implemented because of the lack of qualified personnel. the shortage of experts in the computer security field is particularly acute. Evidence of the maturing of computer security and the findings from experience about selection of controls provide the background to consider the motivation and need for adopting generally used controls. The next section provides two specific examples of common sources of this motivation and need and how they may be satisfied by generally used controls. This section has described the increased recognition of the ned for security controls and the maturation and status of the process of control selection. a major factor relevant to decision making regarding computer security is the legal framework surrondin data and releated computer violations and liabilities. These issues are addressed in the next section. $EOF [OTHER WORLD BBS]