Visit our newest sister site!
Hundreds of free aircraft flight manuals
Civilian • Historical • Military • Declassified • FREE!


TUCoPS :: General Information :: itsec.txt

Interpol document: IT Security and Crime Prevention Methods





IT Security and crime prevention methods
Explanations

1.  IT Security: definitions
2.  Information precessing and IT Security
3.  Important IT Security functions
3.1 Information classification
3.2 Documentation
3.3 Administration and personnel
3.4 User identification and authorisation
    Identification - Authorisation
3.5.Logging
3.6.Back-up
3.7.Firewalls
3.8.Intrusion Detection Systems (IDS)
3.9.Incident Handling System
4.  Computer architecture
4.1.Microcomputers (stand-alone)
4.2.Network architectures and mini-computers
4.3.Mainframes
4.4.Hand-held computers
5.  Threats and crime prevention methods
5.1 Architecture-independent threats
    Members of staff - Unauthorised access from external
    sources - Media handling - Malicious program code -
    Electronic emission
5.2.Microcomputer (stand-alone, Personal Computer) systems
5.3.Network architectures and mini-computers systems
5.4.Mainframe-computer systems
6.  IT Security - International Workgroups



Introduction: Goals and objectives
----------------------------------------------------------------

This document gives an introduction to what an investigator
needs to know about Information Technology (IT) security
measures in order to be able to carry out investigations in an
IT environment and to give advice in crime prevention methods.

Information Technology has come to play an important and vital
role in all sectors of society. As a consequence, security has
become an essential component of Information Technology.
However, it is a complex subject and the appropriate measures
will often depend, to a large extent, on the type and location
of the IT equipment.

The potential security threats and risks have to be carefully
assessed in every situation and it is absolutely vital that all
concerned are made aware of the threats and risks that affect
them, and over which they have control. Only then will they
fully understand and apply the appropriate security procedures.

This report attempts to explain the various threats and risks
posed by criminal activity in IT environments and indicate
advice which the police can give about security procedures and
computer crime prevention methods. It is not intended to be a
comprehensive study. Threats to information systems may arise
from intentional or unintentional acts and may come from
internal or external sources. This guide will address only
intentional threats, made with criminal intent, to
confidentiality and integrity. Availability security functions
will only be addressed if they have an effect on confidentiality
and/or integrity. Examples of prevention methods will be given.

The prevention methods in this report can not only be used to
prevent crime in companies and authorities information
technology system, many of these can also be used to protect
private computer systems.



1. IT Security: definitions
----------------------------------------------------------------

CONFIDENTIALITY (Secrecy)

     Information and other resources are only disclosed for
     those 'users' (persons, entities or processes) who are
     authorised to have access to it.

INTEGRITY

     Information and other resources are modified only by
     those 'users' who have the right to do so. The
     accuracy and completeness of the data and information
     is also guaranteed.

AVAILABILITY

     Authorised 'users' can access information and other
     resources when needed.

THREAT

     A 'threat' is a potential undesirable incident.

RISK

     A 'risk' is the estimated probability that a 'threat'
     will be activated.

2. Information processing and IT Security
----------------------------------------------------------------

In order to protect the data held on a computer system, various
steps have to be taken: individual users should only be able to
read the information which is needed to do their job; they
should only be able to modify information which is specifically
their job to modify. Finally, some information should not be
accessible at all for individual users, e.g. the various log
records.

In simple terms, information processing involves the following
types of operation:

   * READ/CREATE/MODIFY/DELETE information
   * TRANSPORT (in one way or another) of information
   * STORE information (on computer 'media' to keep it
     somewhere).

i. READ/CREATE/MODIFY/DELETE

Information is 'Read/Created/Modified/Deleted' by a 'User'. A
'User' is a person or a process (e.g. a computer program).
Authorisation to 'Read' information is a question of
confidentiality while 'Create/Modify/Delete' is primarily a
question of integrity.

ii. TRANSPORT

One of the simplest ways of 'transporting' information is the
internal transport between the keyboard, the memory and the hard
disk in a Personal Computer. Another is the external 'transport'
of a diskette from one place to another. Information can also be
'transported' using a 'Local Area Network' (LAN) and/or a 'Wide
Area Network' (WAN). Insecure 'transport' affects both
confidentiality and integrity.

A special kind of undesirable 'transport' is 'Electronic
Emission' (see below).

iii. STORE information

Once the information has been 'stored' on some kind of media
(diskettes, tapes etc.), it may become the target of
unauthorised activities which will have an effect on the
confidentiality and/or integrity of the information.

3. Important IT Security functions
----------------------------------------------------------------

As well as knowledge of computer architecture, the investigator
also needs to be familiar with a number of important IT Security
functions and organisational matters if s/he is to be able to
give advice on prevention methods and conduct investigations.

Some important functions are:

   * Information classification
   * Documentation rules
   * Administration and personnel
   * User Identification and Authorisation
   * Logging
   * Back-up
   * Firewalls
   * Intrusion Detection System (IDS)
   * Incident Handling (IH)

3.1 Information classification

It is essential to classify the information according to the
appropriate level of availability, e.g. 'open', 'confidential',
'secret' or 'top secret'. Only then will it be possible to apply
the most effective security measures. The classification should
be carried out by the management or by the 'information owner'.

3.2 Documentation

All systems, but especially the 'Identification and
Authorisation system', 'Information Classification system' and
'Application systems', must be fully documented.

IT Security policy and the security rules for the organisation
as well as details of contingency plans in the event of a major
incident should be documented in a 'Security Handbook'. The
chapter on IT Security should have separate sections for each
user category, e.g. 'Management', 'System Administrators', 'End
Users' etc.

Create a checklist with guidelines concerning the actions which
have to be taken in case of an incident (e.g. immediate
reaction, who to contact). See chapter 'Incident Handling'.

3.3 Administration and Personnel

Success in information security work depends first and foremost
on developing good basic working practices and establishing
procedures to ensure that they are maintained. It is also
important to create a security-conscious atmosphere and
establish a disciplined approach.

If confidential information is to be handled, it is essential
that the people chosen for the job are absolutely reliable. They
should be security screened to a level equal to the highest
level of confidential information they are likely to be asked to
work on. Access to information should be restricted to that
which the individual 'needs to know' to do his job. Particularly
sensitive material should be split into sections so that only
authorised staff can handle each section; no member of staff
should have access to all the information.

Furthermore, security measures will only be effective if staff
are properly trained. It is essential that they understand the
problem. This can be achieved with in-house training. The
individual users must be trained how to use the network, how to
handle confidential information, making back-ups etc. Employees
can be taught what to do to counter certain threats, what they
should not do, whom they can call and where they can get help.
It is also very important to encourage employees to report
incidents so that steps can be taken to prevent any further
damage.

New or temporary employees should be given introductory
training, during which data security and data integrity can be
explained. It might also be useful to consider including a
clause on security and confidentiality obligations in employees’
contracts.

(a) Management responsibilities

To achieve functional and cost-effective IT Security, a number
of initial steps must be taken by the management:

Risk analysis What are the threats and what is the risk they
will be activated? Threats and risks, acceptable or
unacceptable, vary between different organisations. It is
important to analyse the risks to make it possible for the
management to form a policy with their security intentions.

Policy There must be an Information Security policy written and
approved by management. No management approved policy = no
resources. It should include the main security targets,
information classification principles, responsible persons, and
principles to reach the targets.

Security plan A plan has to be made to define how the targets
and the intentions in the policy document should be realised. A
priority list must be set up because it may not be possible to
realise everything in the policy at the same time. The plan is a
living document and has to be scrutinised by the IT security
officer.

Security Architecture With the risk analysis, the policy and the
plan as a base, security architecture must be chosen. Stet
Security architecture is a high level description of technical
security functions and organisational needs to fulfil the
security demands.

Implementation With the security architecture as a base,
different security functions and products must be selected to
implement the security architecture.

The main points requiring attention are as follows:

i. All senior management, and not just the computer security
manager, should be sufficiently familiar with the computer
systems in use, to enable them to know what is going on and why.

ii. The role of the system manager is crucial. He must be of the
highest degree of integrity, and sufficiently computer literate
to be able to administer the system in a secure and responsible
manner. The system manager access level should be restricted to
the minimum number of staff required. However it must be
possible for the IT security manager to check on the system
manager’s activities.

iii. The only way of establishing how a problem has occurred,
whether the origin is accidental or deliberate, is to examine
the logging information stored on the computer. (One of the
reasons for restricting privileges is that the logging
information of the system is available at this level). Analysis
of this information should show when, where and how the problem
occurred. In some cases careful examination will also indicate
who was responsible. It is essential therefore that the logging
capabilities of the particular system are fully understood and
utilised. If the logging functions on the system are inadequate,
consideration should be given to acquiring suitable software.

(b) User responsibilities

Users should be given specific guidelines about what they should
do - and more importantly - what they should not do. These
guidelines should be distributed in written form, and signed
for. This will counter the defence that they were unaware of the
contents of the guidelines and at the same time provide the
investigator with written proof. Specimen guidelines are given
below. They are certainly not exhaustive and others can be added
to take account of particular circumstances.

  i. Do not use any computer equipment without permission.
 ii. Do not try to access information unless you know you are
     authorised to do so.
iii. Do not alter any information on a computer system unless
     you know you are authorised to do so. (It is also important
     to provide a clear written statement of what information
     each user is allowed to access, to whom that information
     may be disclosed and what action will be taken if the rules
     are broken.)
 iv. Do not use a company or authority computer for personal
     matters without permission.
  v. Do not leave a working computer unattended, without using
     security options that demand retyping a password (e.g.
     screen saver password).
 vi. Make sure you know what to do in the event of a virus being
     discovered on the system. Use virus protection programs.
vii. Be aware of malicious program code, when loading files,
     mails etc. from the internet or other media.
viii.Keep your password and user-ID confidential.
 ix. Do not allow anyone else to use your password. (If people
     like engineers need access to the system, they should be
     referred to the system manager.)
  x. Do not use anyone else’s password.
 xi. Remember that anything done on the system using your ID and
     password can be your responsibility.

3.4 User Identification and Authorisation

Access to a computer (i.e. a Personal Computer) can be
restricted by means of controls based on various kinds of
'Identification and Authorisation' systems.

Identification is a two step function: (a) to Identify the user
and (b) to Authenticate (validate) the identity (i.e. confirm
that it is true).

The simplest systems rely on passwords only. More sophisticated
systems use cards (e.g. 'SmartCard') and/or 'biometric' methods
in combination with passwords.

3.4.1 Identification

(a) Password systems

These give some measure of protection against casual browsing of
information, but will rarely stop a determined criminal. A
computer password acts like a key to a computer. Allowing
several people to use the same password is like everyone using
the same key.

Passwords should:

  i. Be issued to an individual and kept confidential, they
     should not be shared with anyone. (The golden rule is ONE
     PERSON ONE PASSWORD). Should a temporary user need access
     to a system, it is usually fairly simple to add to the list
     of authorised users; once the temporary user has finished
     his work, his user-ID must be deleted from the system.)
 ii. Be distinct from the user-ID.
iii. Ideally be:
       a. alphanumeric and
       b. at least six characters long.
 iv. Be changed regularly, at least every 30 days. It is
     possible to warn the user automatically when his password
     expires. To ensure that he enters a new one, he will not be
     able to enter the system after the expiration date,
     although he may be allowed a limited number of 'grace'
     log-ins.
  v. Be properly managed. This will involve:
       a. Using a password history list, giving all the
          passwords used in the past year or two. New passwords
          will be checked against the list and not accepted if
          they have already been used.
       b. Making a list of frequently used passwords such as
          names, brands and other words that are easy to guess
          and therefore not suitable as passwords. This list
          will be used in the same way as the history list,
          except that new passwords will not be added; only the
          system manager will be able to change the list. N.B.
          Some systems conform to these standards and generate
          passwords automatically.
 vi. Be removed immediately if an employee leaves the
     organisation or gives notice of leaving.

Last but not least it is important to note that care should be
taken with the password used for remote maintenance. Standard
passwords which are often used to get access to different
systems, for maintenance purposes, should always be avoided.

(b) Other identification systems

The 'password' method is built on something you 'know' and might
be misused by someone getting hold of the password. A system
built on something you 'know' (password, PIN-code etc.) AND
something you 'have' (i.e. authorisation card) is a much
stronger system. Even if someone gets hold of your password it
is useless without the card. Today, the strongest method is
something you 'know', something you 'have' and something you
'are' (biometrics).

There are two main types of card:

  a. Magnetic strip card: As its name suggests, this type of
     card has a magnetic strip containing some confidential
     information to be used together with the holder’s personal
     code;
  b. Chip card: Instead of a magnetic strip, the card has a
     built in microchip. The simplest type contains a memory
     chip (e.g. telephone cards) containing some information but
     has no processing capability. The other, better, type is
     the 'Active' (or 'Smart') Card. It contains a microchip
     with both a memory to store some information and a
     processor. It is often used in combination with
     cryptographic techniques.

Biometric systems make use of specific personal characteristics
(biometrics) of a specific person e.g. fingerprint, voice,
keystroke characteristics or the 'pattern' of the retina.
Biometric systems are still quite expensive (except for the
keystroke system) and not very common.

However, even these sophisticated techniques are not infallible.

3.4.2 Authorisation

After identification and authentication of the user (subject)
there must be a function and set of rules to control what object
(files, devices etc.) each user is allowed to access. This is
the Access Control system.

3.5 Logging

Most computer systems have some kind of log. Even stand-alone
systems sometimes have identification and authorisation systems
(and a log) if different users, with different authorisation
levels, use them and/or when it is desirable to prevent users
from using the disk drive (as an anti-virus measure) or changing
files.

In a multi-user system (client-server-, mini-,
mainframe-systems) there are always logging functions and there
is often more than one kind of log.

The desired level of protection will only be achieved if the
various security measures are properly followed up with a log
that can be analysed as and when necessary. A proper log will
answer the questions:

   * WHO (user)
   * WHEN (time - date)
   * WHERE (place)
   * WHAT (event/activity)
   * ADDITIONAL (Additional information depending on activity)

There are often many different types of logs, e.g.:

   * HISTORY files (e.g. Internet activities)
   * TEMPORARY files
   * SYSTEMS log
   * TRANSACTION log
   * SECURITY SYSTEM log
   * DATABASE log
   * APPLICATION log
   * TECHNICAL log (mainly on mainframes)

Log information is one of the most important items for a
computer crime investigator to look for.

3.6 Back-up

Although modern computer systems are generally very reliable,
breakdowns and failures do occur, and users can make mistakes
that lead to the accidental destruction of information. To guard
against total loss of information under these circumstances, it
is necessary to set up procedures for making regular copies. The
information on the computer system should be copied to some form
of back-up medium. This medium can then be stored in a safe
place until it is needed.

For particularly valuable information several copies should be
made, and each copy stored in a different place and at least in
different buildings, if not different cities.

The frequency with which back-ups are taken should be based on
the frequency with which the information changes, the relative
value of the information, and the problems its loss would cause.
Regular back-up of data and system files are an essential
security measure. When combined with the logging information,
they should provide a comprehensive security information
package. The following guidelines may be of assistance when
making back-ups:

  i. Make sure that regular back-up copies are made of both data
     and system files.
 ii. Back-up cycles should be of sufficient length to be of some
     use in the future. 24-hour overwrite cycles are not
     recommended.
iii. Take a full back-up (both system and data) out of the cycle
     on a regular basis and archive it off site for an extended
     period.
 iv. Back-up tapes/diskettes should be kept in a safe place
     under lock and key and away from the computer and where
     they are secured from fire, flood, magnetic and electric
     fields etc., preferably off site.
  v. Periodically test the back-up to ensure that the
     information can actually be restored in an emergency; do
     not wait for disaster to strike to find the back-up system
     does not work.

Back-ups (including old back-ups) are another important source
of information for an investigator.

3.7 Firewalls

One frequently asked question is 'how to secure the internal
network from an external network such as the Internet?' One
solution is to set up a firewall system.

According to a definition in The Internet Firewall FAQ 'A
firewall is a system or group of systems that enforces an access
control policy between two networks. The actual means by which
this is accomplished varies widely, but in principle, the
firewall can be thought of as a pair of mechanisms: one, which
exists to lock traffic, and the other that exists to permit
traffic. Some firewalls place a greater emphasis on blocking
traffic, while others emphasise permitting traffic. Probably the
most important thing to recognise about a firewall is that it
implements an access control policy. If you don’t have a good
idea what kind of access you want to permit or deny, or you
simply permit someone or some product to configure a firewall
based on what they or it think it should do, then they are
making policy for your organisation as a whole.'

Firewall systems are typically the first line of defence between
an internal network (ex. of companies but also private networks)
and the outside world, especially its connection to the
Internet. It should be configured not only to allow certain
operations to occur (FTP, mail delivery, etc), but to make it
difficult or impossible for an attacker on the outside to use
the firewall to penetrate the internal nets.

There are primarily two types of firewall systems, the
packet-filtering firewall system and the application-level
gateway.

The major difference between the two techniques lies in the flow
of communication. A packet-filter gateway acts as a router
between the two networks; as packets flow from their source to
the destination, the gateway either forwards or blocks the
packets. With application gateways, all packets are addressed to
a user-level application on the gateway that relays the packets
between the two communication points.

Firewall system requirements

Firewall systems must support features that will do the
following:

   * Prevent unauthorised users from accessing the internal
     network.
   * Prevent unwanted IP service requests from being passed
     through it to the internal network.
   * Log its activities.
   * Be easy to administer.
   * Provide alarm mechanisms.
   * Preferably support SNMP.
   * Be configurable at the user, service, and IP host level.

Security Policy

If a firewall system will be deployed to secure the access to
the Internet, the configuration of the firewall system must
reflect the security policy of the organisation. The security
policy must address, at a minimum, the following questions:

     What is the policy on IP Addresses?
     Is the organisation's IP address space a registered IP
     address?
     Who is or will be the organisation's Internet service
     provider?
     What is the Internet service providers security
     policy? Is their network secure?
     Will firewall systems be used to secure the connection
     to the Internet?
     If so, what type of firewall system?
     What is the firewall system architecture?
     All entry and exit points to the Internet need to be
     identified. The firewall network architecture must be
     defined to control authorised inbound and outbound
     connections.
     What is the policy for inbound access to systems?
     Which specific protocols will be allowed to access
     nodes on the internal network?
     What is the policy on outbound access to nodes on the
     Internet?
     Do remote offices or branches connect to the home
     office?
     If so, are remote offices directly connected to the
     Internet or is their access to the Internet through
     the home office?
     If there is a direct connection between the remote
     office and the Internet, verify that if the security
     of the remote office is compromised, the security of
     the corporate network is not compromised.
     Are there external networks that are not trusted?
     Are there external networks that do need access to the
     internal network via the Internet?

3.8 Intrusion Detection Systems (IDS)

Do I need an Intrusion Detection System if I have a Firewall?

Yes, the main purpose with a Firewall is to protect against
unauthorised external attacks but it will normally leave the
network unprotected from internal attacks or intrusions. And,
Firewalls sometimes fail to protect from external intrusions
because:

   * It is hard to configure the Firewall properly
   * Hacker/Crackers can get some packets through most Firewalls
     and Firewalls don’t know what happens once someone gets
     through the Firewall
   * The software contains a software bug (software always has
     bugs)
   * Bad protocols can be blocked by the Firewall but HTTP is
     allowed through and 'hack' in HTTP will pass through
   * The Firewall can only protect against known problems

An intruder is somebody attempting to break into or misuse the
system. Intruders can be divided into two categories:

   * Outsiders Intruders from outside your own network who try
     to attack your system via dial-up lines, Internet, a vendor
     or other 'partner' etc.
   * Insiders Intruders that are authorised to use your internal
     network but are misusing their privileges.

There are different types of IDS. Two main types are:

   * Statistical detection The IDS looks for deviations from
     statistical measures to detect unusual behaviour. A set of
     variables is defined for subject and objects such as
     servers, files, users and other resources. A 'normal' value
     is set for each variable by looking at historical data or
     by setting expected values. When system activities occur
     the list of variables is maintained and updated for each
     subject or object.
   * Pattern (or Signature) matching detection This type of IDS
     compares activities against a collection of known attacks
     or a set of rules. The main idea is to watch for events
     that matches one of the patterns or violates the rules.

Why should I use a Firewall and IDS? Because most attacks come
from inside and every company or organisation needs a well
managed single point of entry as well. In addition, a Firewall
can keep hackers running automated intrusion programs out of the
internal network. Otherwise those programs can detect and
exploit holes in your security architecture. There is a lot of
information explaining different IDS on the Internet.

3.9 Incident Handling System

Even if you have installed a Firewall and an Intrusion Detection
System someone has to take care of an incident when it occurs
(not 'if' it occurs, because it will happen sooner or later). To
be well prepared is the best way to handle an incident. It is
very important to stay calm and not panic when an incident
occurs. It is very valuable to have a special form to register
incidents.

For example the SANS Institute has a step by step method for
incident handling and the latest information can be obtained
from the Internet at address ih@sans.org. Their method has six
stages:

   * preparation
   * detection
   * containment
   * eradication
   * recovery
   * follow-up

Preparation
This stage covers things like policy, management supports,
training and interfaces to law enforcement.

Identification
How to identify an incident, responsible staff, co-ordination
with network suppliers’ etc.

Containment
Create the on-site team to survey the situation. Backup of the
system. Risk determination (to let the system run) etc.

Eradication
Perform vulnerability analysis. Remove the cause of the incident
etc

Recovery
Restore the system. Validate the system etc

Follow-up
Develop a follow-up report.



4. Computer architecture
----------------------------------------------------------------

The main types of computer architecture are indicated below. In
many cases, the specific threats and risks to which a particular
system is exposed will depend on its architecture. However there
are a number of threats which can affect all systems,
irrespective of their architecture.

Main architecture types

   * Microcomputers
   * Network architectures and Mini-computers
   * Mainframes
   * Hand-held computers.

4.1 Microcomputers (stand-alone)

These computers have no facilities for permanent external
communications, apart from links to peripherals (e.g. printer,
scanner, streamer, extra disk drive etc.). Nowadays it is common
to have a modem and a temporary connection to the Internet.

This architecture is easiest to 'protect' but it is also the
architecture where the users are least aware of the possible
threats and risks. If it is connected to the Internet it can be
vulnerable to external attacks if it is not properly configured.
The user is responsible for back-ups, keeping media in a safe
place, protecting data from unauthorised access, etc.

Examples:  Personal Computer (IBM PC-compatible) - Desktop,
           Laptop
           Macintosh, Amiga, etc.



4.2 Network architectures and Mini-computers

A mini-computer is linked to several workstations to serve a
limited number of users. The workstations may consist of just a
keyboard and screen, or microcomputers (so-called 'intelligent'
terminals) may be used. Today, these mini-computers are often
referred to as 'servers' linked to their workstations through a
Local Area Network (LAN). Commonly known as client-server
architecture.

In many organisations the old mainframe architecture is now
being replaced with a number of 'servers' each of which has a
different set of functions. Connections from the LAN to Wide
Area Networks (WAN) are common.

The user is only responsible for backing up the files on the
hard disk on his own workstation (if it has one). One or more
administrators are responsible for all other back-ups, loading
new programs etc. Management of the network is normally left to
a Network Administrator.

Examples:    UNIX-systems, OS/2-servers, and IBM AS400
             Digital Micro VAX, etc.



4.3 Mainframes

Used in big organisations to serve a great number of users
and/or where considerable computing capacity is needed. A
special computer-room with air-conditioning is needed, too. This
is often located in a restricted area of the building and
specialists are required to operate the computer. Network
operators monitor the communication functions and assist users
if there are communication problems. System development and
programming is a task for specialised staff. The user is only
responsible for backing up the files on the hard disk of his
workstation (if it has a disk). Because of the very fast
technical development in the field of client-server it is today
not possible to clearly define the difference between mainframes
and servers.

4.4 Hand-held computers

This type of computer, like personal organisers, is completely
different from the others and is discussed in section 'Technical
devices & communications' in the Interpol Computer Crime Manual.
The most important prevention method is to keep the equipment in
a safe place and away from unauthorised persons.

5. Threats and crime prevention methods
----------------------------------------------------------------

This section gives examples of the threats that may occur. Some
may be encountered in all types of environment, others may only
occur with specific types of computer architecture.

The prevention methods mentioned are only given as examples. The
risk of the threat being activated must be assessed in each
organisation and depends on factors such as the company's
information policy, employees' awareness, etc.

In the following tables, the various threats to which a system
may be exposed are grouped according to where the information is
located in the IT process.

     READ/CREATE/MODIFY/DELETE refers to information (data
     and software) inside the computer system.

     TRANSPORT refers to information (data and software)
     'transported' via a network or on media.

     STORE refers to information (data and software) when
     it is stored on computer media and taken out of the
     computer system. (I.e. back-up tapes/diskettes).

5.1 Architecture-independent threats

There are a number of important 'architecture-independent
security targets':

   * Members of staff, with certain responsibilities, powers,
     information
   * Media handling
   * Malicious programs
   * Electronic Emission

5.1.1 Members of staff

Threat                          Prevention method

Disloyal staff                  See advice given above in
                                'Important IT security
                                functions'.
                                The strongest form of security
                                is often procedural security
                                with attendant staff awareness
                                and responsibility.

Unauthorised access to          Users should be given specific
information by users            written guidelines on what they
                                should and should not do.
                                Guidelines should be signed
                                for.

                                Install an 'Identification and
                                Authorisation' system. Adopt a
                                'two-man rule' for granting
                                privileges.

                                Do not reveal your password for
                                anyone.

                                Keep identification and
                                authorisation cards in a safe
                                place.

                                Regularly check logs.

                                Regularly check that
                                configuration is correct.

                                Install an Intrusion Detection
                                System.

                                See above, chapter 'Important
                                IT security functions'

Unauthorised access to          The same as above and:
information by system
administrators, programmers,    Use separate systems for
etc.                            program development and for
                                'production'.

                                Restrict access to equipment
                                with sensitive information;
                                adopt 'two-man rule'.

                                Restrict use of 'super
                                user'/'root' privileges.

Unauthorised access to          As for other staff and:
information by temporary
staff, e.g. consultants,        Limit their access to the
service engineers etc.          system to the time and day
                                required for the specific task.

                                Do not forget to cancel their
                                access rights and close their
                                temporary accounts.

                                Do not leave communication
                                lines for remote servicing open
                                when not needed.

5.1.2 Unauthorised access from external sources

Threat                   Prevention method

Unauthorised access      Install an 'Identification and
                         Authorisation' system. Adopt a
                         'two-man rule' for granting
                         privileges.

                         Regularly check logs.

                         Regularly check that configuration is
                         correct.Install a Firewall.

                         See above chapter 'Important IT
                         Security functions'

5.1.3 Media handling

Threat                         Prevention method

Total loss of information      Media should be kept in a safe
through theft of media         place under lock and key.

Loss (by copying or transfer)  Encrypt sensitive information.
of information as a result of  Staff handling the media should
unauthorised access to, or     not have access to the
loan of, media                 encryption keys.

                               'Two-man rule' for back-up.

                               'Two-man rule' for access to
                               archives.

Loss (by copying or transfer)  Never send equipment with
of information during          sensitive information on mounted
servicing                      media for servicing.
                               (It is not enough to 'Delete'
                               sensitive information because of
                               'Undelete /unerase'
                               possibilities)

5.1.4. Malicious program code

Threat                       Prevention method

Viruses and other malicious  Install 'Anti-virus software'. See
programs                     Chapter 'Investigations', Section
                             'Malicious program code' in the
                             Interpol Computer Crime Manual.

Programs altered to obtain   Depends on computer architecture.
access to, or manipulate,
information without          Use separate systems for program
authorisation                development and for 'production'.

                             If possible, restrict access to
                             'source code', 'compilers' and
                             'editors' in 'production' system
                             and restrict use or installation
                             of non-standard software packages.

                             An Intrusion Detection System
                             might detect this type of problem.
                             See above chapter 'Important IT
                             Security functions'

5.1.5. Electronic Emission

Threat                           Prevention method

Despite all precautions, it is   Use equipment with no or
still possible for a determined  limited signal leakage
intruder to eavesdrop on         ('tempest') or put the
information by picking up and    equipment in a shielded room.
interpreting electromagnetic     Although effective, those
emissions from the Personal      methods are expensive and are
Computer or workstation. In a    only to be recommended when
manner somewhat similar to the   there is an extremely high
way in which it is possible to   risk. Optical fibres can be
detect the operation of a        used to prevent emission
television receiver and          leakage from the lines running
determine which channel is       between peripherals and the
being watched. This type of      Local Area Network (LAN).
eavesdropping is most likely to
occur when very sensitive        Encryption of the Wide Area
information, such as that of     Network (WAN) will not stop
high commercial value or         electromagnetic emissions but
dealing with matters of          the eavesdropper will not be
national security is involved.   able to use the information
                                 without the encryption key.

5.2 Microcomputer (stand-alone, Personal Computer) systems

Much sensitive information is stored on personal computer
systems. The main risk is unauthorised access to that data, or
that the data may become corrupted or lost.

READ/CREATE/MODIFY/DELETE

Threat                        Prevention method

Corruption of files (program  Keep program diskettes
or data). A major cause of    write-protected at all times.
data loss and corruption is
the introduction of viruses   Do not keep data and software on
to computer systems.          the same diskette. Otherwise, if
                              software becomes corrupted or
                              infected, the data will usually
                              be lost as well.Making files
                              read-only will prevent them from
                              being infected by some viruses,
                              not all of them. All media should
                              be scanned for viruses before
                              use, preferably on a system
                              specially designated for the
                              purpose.

Unauthorised access of        Restrict physical access to the
information stored in the     Personal Computer, by locking the
computer                      door (and the machine if
                              possible) whenever it has to be
                              left unattended. Machines should
                              never be left switched on and
                              running, unless a reliable
                              software protection mechanism has
                              been installed.

Unauthorised use of the       As above.
computer

Malicious programs (i.e.      See Chapter 'Investigations',
viruses)                      Section 'Malicious program code'
                              in the Interpol Computer Crime
                              Manual.

Loss (by copying or           Never send equipment with
transfer) of information      sensitive information on mounted
during servicing              media for servicing.
                              (It is not enough to 'delete'
                              sensitive information because of
                              'undelete/unerase'
                              possibilities).

Theft of the computer         Restrict physical access to the
                              Personal Computer, by locking the
                              door (and the machine if
                              possible) whenever it has to be
                              left unattended.

                              Laptops are particularly at risk
                              when left unattended in hotel
                              rooms etc.

                              Use cryptography to protect
                              information from unauthorised
                              access.

TRANSPORT

Threat                           Prevention method

Loss of confidential or secret   Transport media in sealed
information during transport.    envelopes and/or locked boxes.

Manipulation of media during     As above and electronic seal
transport                        (cryptologic checksum) on
                                 information.

Total loss of media during       Never leave media unattended
transport                        in cars, hotel rooms etc.

STORE

Threat                   Prevention method

Loss (by copying or      Diskettes and other media should be
transfer) of             kept locked up in a safe place when
information              not in use.

Physical loss of         As above and it is advisable to
information              install removable hard disks, which
                         should be kept in a safe place.

Total loss of            Regular back-ups of data and system
information through      files are essential. Together with the
theft of computer        logging information, they will provide
and/or media             a comprehensive security information
                         package. For back-up guidelines, see
                         3.6

Loss (by copying or      See 'Architecture-independent threats'
transfer) of             above.
information as a result
of unauthorised access
to, or loan of, media

5.3 Network architectures and Mini-computer systems

Local Area Network (LAN)

If a Personal Computer is connected to a network, there are two
other possibilities for interfering with data, in addition to
the dangers of physical access to the machine (as mentioned
above).

Firstly, it becomes possible to access the information stored on
the Personal Computer via the network. Care should therefore be
taken to ensure networking software is correctly configured, and
that only that information which is intended to be generally
accessible is stored in directories which can be accessed via a
network.

Secondly, the danger of leaving a Personal Computer unattended
is much greater: not only can the data on the Personal Computer
itself be compromised, but there is also a risk that any data
which the rightful user of the Personal Computer may be able to
access over the network will also be compromised.

In a network environment, especially where sensitive material is
in use, it is essential to keep a central record of activity,
i.e. a log. This should be held on a machine that is known to be
secure, and should contain a record of ALL activity on the
network; there should also be a procedure for examining the log,
so that all suspicious events can be highlighted and
investigated.

Wide Area Network (WAN)

Networks are connected either by cable, by microwave or
satellite. The latter are vulnerable to interception as are any
radio transmissions unless the data is encrypted. The
transmission of electronic signals is governed by standards that
are called 'protocols'. There are many standards, the most
common is the TCP/IP which is the standard packet-switching
protocol used for the Internet. Such connection can be protected
against improper use or interception in various ways. The best
way is to use Identification, Authentication and Cryptography as
well as firewall and Intrusion Detection Systems (IDS).

Costs have also to be considered. Telecommunication companies
can offer the use of dedicated lines - as often used by
financial institutions, which means that these lines are not
available for normal public use and are protected against
intrusion, but they cost substantially more. This also applies
to encryption. There are a number of encryption standards and
devices ranging from small logical keys installed on sending and
receiving equipment to higher levels of coding which use
complicated mathematical cycles and algorithms. The decision to
implement such higher level systems will have to be taken in the
light of the value of transmitted data.

It must also be remembered that encryption is not an infallible
solution and that its use raises various problems, e.g. several
countries are developing, or discussing the development of a
specific law to regulate the use of encryption.

Even when communications are well protected, problems of
unauthorised access can occur if a well-protected system is
linked directly to another that is not protected. Any given
system is only as secure as those to which it is connected.

INTERNET

Victims of Internet attacks are often organisations that did not
bother too much about their security or who trusted some sales
person who said that the Internet connection was absolutely
safe.

A lot of safeguards are mentioned above and they are applicable
for the Internet as well. Some additions are :

   * Do not connect computers or entire networks, which contain
     your critical information (e.g. financial, confidential,
     privacy) to the Internet.
   * If possible restrict the way to the Internet to just one
     single point of connection.
   * Do not store your password or identification number on your
     hard disk, protect it otherwise from unauthorised access.
     Create a password policy (see chapter 3.4.1, identification
     - password systems).
   * Check and update your list of user accounts.
   * Install a firewall system and an IDS.
   * Do not download files or open emails which you do not
     trust.
   * Install an anti-virus-software and update it frequently.
   * Be aware of shared-files which might be accessed of
     unauthorised persons.
   * Be aware of cookies, Java and ActiveX applets etc.
   * Install only minimal options.

THREATS

READ/CREATE/MODIFY/DELETE

Threat                          Prevention method

Manipulations or unauthorised   See chapter 5.2. Microcomputer
access to software or           systems
information in each
workstation (Personal
Computer) in the network

Unauthorised access to          Users should be given specific
information in the 'server' by  written guidelines on what
users                           they are allowed and not
                                allowed to do. Guidelines
                                should be signed for.

                                Install an 'Identification and
                                Authorisation' system. Adopt a
                                'two-man rule' for granting
                                privileges.

                                Regularly check logs.

                                Regularly check that
                                configuration is correct. IDS
                                should be installed.

Unauthorised access to          As above and:
information by system
administrators, programmers’    Use separate systems for
etc.                            program development and for
                                'production'.

                                Restrict access to server;
                                adopt 'two-man rule'.

                                Restrict use of 'super
                                user'/'root' privileges.

Corruption of files (program    All media should be scanned
or data).A major cause of data  for viruses, preferably on a
loss and corruption is the      system specially designated
introduction of viruses to      for the purpose, before use.
computer systems.
                                Erase all unnecessary codes,
                                default and unused procedures.

Total loss of information       Regular back-ups of data and
through 'disk crash' or         system files are essential.
deliberate destroying of files  Together with the logging
                                information, they will provide
                                a comprehensive security
                                information package. For
                                back-up guidelines, see 3.6

Loss (by copying or transfer)   Some mini-server servicing can
of information during           be done 'on-site' but in the
servicing                       case of some hardware problems
                                the equipment will have to be
                                taken away for repair by the
                                service company/vendor.

                                Never send equipment with
                                sensitive information on media
                                for servicing without a
                                verifiable guarantee that the
                                information will be destroyed.
                                (It is not enough to 'delete'
                                the sensitive information
                                because of 'undelete' and
                                'unformatted' possibilities)

                                Remember that after repair,
                                the disk drives could be
                                reused somewhere else and your
                                information might be
                                compromised.

                                If it is decided to replace a
                                disk with sensitive
                                information, destroy it
                                yourself.

Theft of the server             The server should be kept
                                locked up in a safe place.

TRANSPORT in Local Area Network (LAN)

Threat                        Prevention method

Interception of cables        Segmentation of the LAN.

                              Use optical fibres.

                              Regularly inspect LAN.

                              Encrypt LAN.

Interception of networks      Restrict physical access to
components (like 'routers',   components.
'bridges', 'gateways',
'repeaters' etc.)             Regularly check that the
                              configuration of each individual
                              component is correct.

Manipulation of network       As above.
components

Unapproved workstations       The system should be set up in a
                              way that the management must
                              approve the workstations before
                              they can be used.

                              Regularly check that the
                              configuration is correct.

Network administrator         Network Administrators should be
accessing user files          given specific written guidelines
                              on what they should and should
                              not do. Guidelines should be
                              signed for.

                              Restrict use of 'administrator'
                              privileges.

                              Install an 'Identification and
                              Authorisation' system.

                              Adopt a 'two-man rule' for
                              granting privileges.

Access to the LAN from        Provide guidelines for the use of
'outside'                     modems or other connections.

                              IDS and firewall should be used.

                              Regularly check that the
                              configuration is correct.

TRANSPORT in Wide Area Network (WAN)

Threat                           Prevention method

Interception of cables           Communications can be
                                 encrypted, but there may be
                                 legal restrictions.

Interception of radio            As above.
communications

Intruders                        Use special modems at each
('hacking'/'cracking')           end, which recognise each
                                 other’s signals (mutual
                                 signal recognition).

                                 Install an 'Identification
                                 and Authorisation' system.
                                 Adopt a 'two-man rule' for
                                 granting privileges.

                                 IDS and firewall should be
                                 used.

                                 For password rules, see
                                 chapter 3.4., User
                                 Identification and
                                 Authorisation.

TRANSPORT of media

Threat                           Prevention method

Loss of confidential or secret   Transport media in sealed
information during transport     envelopes or locked boxes.
                                 Cryptography should be used.

Manipulation of media during     As above and:
transport
                                 Electronic seal (cryptologic
                                 checksum) on information.

Total loss of media during       Never leave media unattended
transport                        in cars etc.

STORE

Threat                        Prevention method

Loss (by copying or           Media should be kept in a safe
transfer) of information      place under lock and key.

                              'Two-man' rule for access to
                              archives.

Total loss of information     Regular back-ups of data and
through theft of media        system files are essential.
                              Together with the logging
                              information, they will provide a
                              comprehensive security
                              information package. For back-up
                              guidelines, see 3.6.

5.4 Mainframe-computer systems

There is normally some kind of access system to a mainframe via
terminals or a number of LANs with workstations, which will be
subject to the threats mentioned above. In that connection, see
5.1 (Architecture-independent threats), 5.2 (Microcomputer
systems), and 5.3 (Network architectures and Mini-computer
systems), as appropriate.

THREATS

READ/CREATE/MODIFY/DELETE

Threat                          Prevention method

Manipulations or unauthorised   Use separate computers for
access to software              system/program development and
                                'production'.

                                If possible, restrict access to
                                'source code', 'compilers' and
                                'editors' in 'production'
                                system.

Unauthorised access to          Users should be given specific
information                     written guidelines on what they
                                should and should not do.
                                Guidelines should be signed
                                for.

                                Install an 'Identification and
                                Authorisation' system. Adopt a
                                'two-man rule' for granting
                                privileges.

                                IDS and firewall should be
                                used.

                                Regularly check logs.

                                Regularly check that
                                configuration is correct.

Unauthorised access to          As above and:
information by system
administrators, programmers     Separate test/development
etc.                            systems from production
                                systems.

                                Restrict access to the computer
                                room. 'Closed shop' for all
                                other than those working in the
                                computer room.

                                Restrict use of 'super
                                user'/'root' privileges.

                                Cryptography should be used for
                                confidential information.

Corruption of files (program    Use 'checksums' on sensitive
or data) by malicious programs  software to make it possible to
                                control that it has not been
                                changed deliberately.

                                Erase all unnecessary codes,
                                default and unused procedures.

Loss (by copying or transfer)   Servicing of mainframe systems
of information during           is done 'on site'. In the case
servicing                       of hardware problems with disk
                                drives they should be replaced
                                and the faulty ones sent to the
                                vendor for repair, if possible.
                                They can later be used as
                                replacements, perhaps at
                                another site.

                                Never send equipment with
                                sensitive information on media
                                for servicing without a
                                verifiable guarantee that the
                                information will be destroyed.
                                (It is not enough to 'Delete'
                                sensitive information because
                                of 'Undelete' and 'Unformat'
                                possibilities).

                                Cryptography should be used for
                                confidential information.

TRANSPORT in Local Area Network (LAN)

Threat                         Prevention method

Same as above. See 5.3         See 5.3 (Network architectures
(Network Architectures and     and Mini-computer systems)
Mini-computer systems)

TRANSPORT in Wide Area Network (WAN)

Threat                         Prevention method

Same as above. See 5.3         See 5.3 (Network architectures
(Network Architectures and     and Mini-computer systems)
Mini-computer systems)

TRANSPORT of media

Threat                          Prevention method

Loss of confidential or secret  Transport media in sealed
information during transport    envelopes or locked boxes.
                                Cryptography should be used
                                for confidential information.

Manipulation of media during    As above and electronic seal
transport                       (cryptologic checksum) on
                                information.

Total loss of media during      Never leave media unattended
transport                       in cars etc.

STORE

Threat                        Prevention method

Loss (by copying or           Media should be kept in a safe
transfer) of information      place under lock and key.

                              'Two-man rule' for access to
                              archives.

Total loss of information     Regular back-ups of data and
through theft of media        system files are essential.
                              Together with the logging
                              information, they will provide a
                              comprehensive security
                              information package. For back-up
                              guidelines, see 3.6.

6. IT Security - International workgroups
----------------------------------------------------------------

The European Commission has recognised the need for a
comprehensive approach to information system security to protect
the individual, the business community and public
administrations against increasingly sophisticated threats and
combinations of threats.

Consequently, the Commission took the initiative of proposing an
overall 'framework' in which information security problems could
be assessed and an appropriate set of solutions identified and
developed.

The evaluation of the security of information systems has been a
key activity with regard to the implementation of a number of
the action lines. The European criteria ITSEC (IT Security
Evaluation Criteria), and associated methodology (ITSEM), has
been the subject of many of the INFOSEC projects. The art of US
evaluation criteria (TCSEC, Trusted Computer System Evaluation
Criteria) is commonly known as the 'Orange Book'. A new standard
– the CC (Common Criteria) – has been adopted as new
international standard and will replace ITSEC and TCSEC in a
period. However, ITSEC and TCSEC will be used parallel with CC
for some time.


TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2014 AOH