Reinforcing Your Network Security: Taking Personal Responsibility

Failing to consider security as part of the ongoing support and operations of computer systems is often the Achilles heel of many organizations. It''s easy to locate examples where organizations undermine expensive security measures because of poor documentation, old user accounts, conflicting software, or poor control of maintenance accounts.

This week''s column here at EC Outlook offers a big picture view of ongoing responsibilities to maintain a secure computer and E-commerce installation. Included here are these considerations:

• Software support
• Configuration management
• Backups
• Media controls
• Documentation
• Maintenance
• Interdependencies

Software Support

Software is the heart of an organization''s computer operations, regardless of the size and complexity of the system. As such, it''s essential that software functions correctly and is protected from corruption. Several elements of control are needed for software support.

The first controls what software is used on what systems. If your users or systems personnel load and execute any software on any system, this can cause systems to become more vulnerable to viruses, unexpected software interactions/conflicts, and to other software that may subvert or bypass security controls.

One method of controlling software is to inspect or test software before it is loaded (i.e., to determine compatibility with custom applications or identify other unforeseen interactions/conflicts). This applies to new software packages, upgrades, off-the-shelf products, or to custom software, as deemed appropriate. In addition to controlling the loading and execution of new software, organizations should be cautious with off the shelf or downloaded system utilities. Some of the system utilities are designed to compromise the integrity of operating systems or breach logical access controls.

Another element of software support is to assure that software is not modified without proper authorizations. This involves protecting all software and backup copies. This is often accomplished using a combination of logical and physical access controls.

Many organizations also include on their agendas a program to help assure that software is properly licensed, as required. For example, an organization may audit systems for illegal copies of copyrighted software. This problem is primarily associated with PCs and LANs, but can apply to any type of system.

Configuration Management

Closely related to software support is configuration management -- the process of keeping track of changes to the system and, if needed, approving them. Configuration management normally addresses hardware, software, networking, and other changes; it can be formal or informal. The primary security goal of configuration management is ensuring that changes to the system do not unintentionally or unknowingly diminish security. Some of the methods discussed under software support, such as inspecting and testing software changes, can be used.

For networked systems, configuration management should include external connections. Is the computer system connected? To what other systems? In turn, to what systems are these systems and organizations connected? Note that the security goal is to know what changes occur -- not to prevent security from being changed. There may be circumstances when security will be reduced. However, the decrease in security levels should be the result of a decision based on all appropriate factors.

A second security goal of configuration management is ensuring that changes to the system are reflected in other documentation, such as the contingency plan. If the change is major, it may be necessary to reanalyze some or all of the security of the system.

Backups

Support and operations personnel -- and sometimes users -- back up software and data. This function is critical to contingency planning. The frequency of backups will depend upon how often data changes and how important those changes are. Also, as a safety measure, it is useful to test that backup copies are actually usable. Finally, backups should be stored securely, as appropriate.

Users of smaller systems are often responsible for their own backups. However, in reality, they do not always perform backups regularly. In some organizations, support personnel are charged with making backups periodically for smaller systems, either automatically (through server software) or manually (by visiting each machine).

Media Controls

Media controls include a variety of measures to provide physical and environmental protection and accountability for tapes, diskettes, CDs, Zip Disks, printouts, and other media. From a security perspective, media controls should be designed to prevent the loss of confidentiality, integrity, or availability of information, including data or software, when stored outside the system. This can include storage of information before it is input to the system and after it is output.

The extent of media control depends upon many factors, including the type of data, the quantity of media, and the nature of the user environment. Physical and environmental protection is used to prevent unauthorized individuals from accessing the media. It also protects against such factors as heat, cold, or harmful magnetic fields. When necessary, logging the use of individual media (e.g., a tape cartridge) provides detailed accountability -- to hold authorized people responsible for their actions.

Marking

Controlling media may require some form of physical labeling. The labels can be used to identify media with special handling instructions, to locate needed information, or to log media (e.g., with serial/control numbers or bar codes) to support accountability. Identification is often by colored labels on diskettes or tapes or banner pages on printouts.

If labeling is used for special handling instructions, it is critical that people are appropriately trained. The marking of PC input and output is generally the responsibility of the user -- not the system support staff. Marking backup diskettes can help prevent them from being accidentally overwritten.

Logging

The logging of media is used to support accountability. Logs can include control numbers (or other tracking data), the times and dates of transfers, names and signatures of individuals involved, and other relevant information. Periodic spot checks or audits may be conducted to determine that no controlled items have been lost and that all are in the custody of individuals named in control logs. Automated media tracking systems may be helpful for maintaining inventories of tape and disk libraries.

Integrity Verification

When electronically stored information is read into a computer system, it may be necessary to determine whether it has been read correctly or subject to any modification. The integrity of electronic information can be verified using error detection and correction or, if intentional modifications are a threat, cryptographic-based technologies.

Physical Access Protection

Media can be stolen, destroyed, replaced with a look-alike copy, or lost. Physical access controls to limit these problems include locked doors, desks, file cabinets, or safes. If the media requires protection at all times, it may be necessary to actually output data to the media in a secure location (e.g., printing to a printer in a locked room instead of to a general-purpose printer in a common area).

Physical protection of media should be extended to backup copies stored offsite. They generally should be accorded an equivalent level of protection to media containing the same information stored onsite. (Equivalent protection does not mean that the security measures need to be exactly the same. The controls at the off-site location are quite likely to be different from the controls at the regular site.)

Environmental Protection

Magnetic media, such as diskettes or magnetic tape, require environmental protection, since they are sensitive to temperature, liquids, magnetism, smoke, and dust. Other media (e.g., paper and optical storage) may have different sensitivities to environmental factors.

Transmittal

Media control may be transferred both within the organization and to outside elements. Possibilities for securing such transmittal include sealed and marked envelopes, authorized messenger or courier, or U.S. certified or registered mail.

Disposition

When media is disposed of, it may be important to ensure that information is not improperly disclosed. This applies both to media that is external to a computer system (such as a diskette) and to media inside a computer system, such as a hard disk. The process of removing information from media is called sanitization.

Three techniques are commonly used for media sanitization:

• Overwriting
• Degaussing
• Destruction

Overwriting is an effective method for clearing data from magnetic media. As the name implies, overwriting uses a program to write (1s, 0s, or a combination) onto the media. Common practice is to overwrite the media three times. Overwriting should not be confused with merely deleting the pointer to a file (which typically happens when a delete command is used). Overwriting requires that the media be in working order.

Degaussing is a method to magnetically erase data from magnetic media. Two types of degausser exist: strong permanent magnets and electric degaussers.

A final method of sanitization is destruction of the media by shredding or burning.

People often throw away old diskettes, believing that erasing the files on the diskette has made the data irretrievable. In reality, however, erasing a file simply removes the pointer to that file. The pointer tells the computer where the file is physically stored. Without this pointer, the files will not appear on a directory listing. This does not mean that the file was removed. Commonly available utility programs can easily retrieve information that is presumed deleted.

Documentation

Although it''s the bane of most developers and IT professionals, documentation of all aspects of computer support and operations is important to ensure continuity and consistency. Formalizing operational practices and procedures with sufficient detail helps to eliminate security lapses and oversights, gives new personnel sufficiently detailed instructions, and provides a quality assurance function to help ensure that operations will be performed correctly and efficiently.

The security of a system also needs to be documented. This includes many types of documentation, such as security plans, contingency plans, risk analyses, and security policies and procedures. Much of this information, particularly risk and threat analyses, has to be protected against unauthorized disclosure. Security documentation also needs to be both current and accessible. Accessibility should take special factors into account (such as the need to find the contingency plan during a disaster).

Security documentation should be designed to fulfill the needs of the different types of people who use it. For this reason, many organizations separate documentation into policy and procedures. A security procedures manual should be written to inform various system users how to do their jobs securely. A security procedures manual for systems operations and support staff may address a wide variety of technical and operational concerns in considerable detail.

Maintenance

System maintenance requires either physical or logical access to the system. Support and operations staff, hardware or software vendors, or third-party service providers may maintain a system. Maintenance may be performed on site, or it may be necessary to move equipment to a repair site. Maintenance may also be performed remotely via communications connections. If someone who does not normally have access to the system performs maintenance, then security vulnerability is introduced.

In some circumstances, it may be necessary to take additional precautions, such as conducting background investigations of service personnel. Supervision of maintenance personnel may prevent some problems, such as "snooping around" the physical area. However, once someone has access to the system, it is very difficult for supervision to prevent damage done through the maintenance process.

Many computer systems provide maintenance accounts. These special log-in accounts are normally pre-configured at the factory with pre-set, widely known passwords. One of the most common methods hackers use to break into systems is through maintenance accounts that still have factory-set or easily guessed passwords. It is critical to change these passwords or otherwise disable the accounts until they are needed. Procedures should be developed to ensure that only authorized maintenance personnel can use these accounts. If the account is to be used remotely, authentication of the maintenance provider can be performed using call-back confirmation. This helps ensure that remote diagnostic activities actually originate from an established telephone number at the vendor''s site. Other techniques can also help, including encryption and decryption of diagnostic communications; strong identification and authentication techniques, such as tokens; and remote disconnect verification.

Larger systems may have diagnostic ports. In addition, manufacturers of larger systems and third-party providers may offer more diagnostic and support services. It is critical to ensure that these ports are only used by authorized personnel and cannot be accessed by hackers.

Interdependencies

Support and operations components coexist in most computer security controls.

• Personnel. Most support and operations staff have special access to the system. Some organizations conduct background checks on individuals filling these positions to screen out possibly untrustworthy individuals.
• Incident Handling. Support and operations may include an organization''s incident handling staff. Even if they are separate organizations, they need to work together to recognize and respond to incidents.
• Contingency Planning. Support and operations normally provides technical input to contingency planning and carries out the activities of making backups, updating documentation, and practicing responding to contingencies.
• Security Awareness, Training, and Education. Support and operations staff should be trained in security procedures and should be aware of the importance of security. In addition, they provide technical expertise needed to teach users how to secure their systems.
• Physical and Environmental. Support and operations staff often control the immediate physical area around the computer system.
• Technical Controls. The technical controls are installed, maintained, and used by support and operations staff. They create the user accounts, add users to access control lists, review audit logs for unusual activity, control bulk encryption over telecommunications links, and perform the countless operational tasks needed to use technical controls effectively. In addition, support and operations staff provide needed input to the selection of controls based on their knowledge of system capabilities and operational constraints.
• Assurance. Support and operations staff ensure that changes to a system do not introduce security vulnerabilities by using assurance methods to evaluate or test the changes and their effect on the system. Operational assurance is normally performed by support and operations staff.