computer security.txt

1000 HOWTOs for various needs [WINDOWS]

                                 - 25 -

10.  SUMMARY:  WHAT CAN YOU DO?

There are many aspects to computer security, none of which are totally
within your control, but all of which are reasonably within your control. 
One of the major methods of getting control is to establish an
enforceable security policy AND a disaster recovery plan.  However, it's
almost impossible to establish a plan unless you first know what the
risks are.

WHEN YOU GO BACK TO YOUR OFFICE

Try putting some staff into two teams: "hackers" and "police" (or call
them Blue Jays and Cardinals if you find that offensive).  The role of
the hackers is to try to dream up all the things they could get from or
do to the company (or to a department) by breaking computer security. 
The role of the police is to respond with defenses.    Then switch roles.
List all the ideas, no matter how "far out" they seem, then use this for
the basis of risk analysis and disaster recovery planning.  The only rule
to this game is that no idea is initially rejected.

Now that you have some idea of the value of your data and the risks it is
under, you can begin to work on a "Computer Security Policy" and a
"Disaster Recovery Plan."  While many suggestions have been made on the
previous pages, recognize that not all risks/solutions apply to all
organizations:  you have to make some judgement calls based on your
assessment of the risk.  The judgement is based on how much loss you can 
comfortably sustain, yet remain in business.  The level of security
protection you require may not always be the same.  It may vary with the
value of the hardware, software or data under consideration;  the
security level, therefore, might be stated as "minimal," "discretionary,"
"mandatory," or "verified."  The point is, as long as it's been
considered, you're closer to having a good security system than if you
have no policy or a policy that's based on guesswork.

You may find, after working on this for a while, that you may wish to
develop a separate policy for the selection or development, change,
testing and implementation of software.  This might be stated as simply
as, "No system shall be acquired, developed, changed or implemented
without the prior approval of the Systems Steering Group."  This might
also go on to cover documentation; e.g., "Documentation must be complete
for all systems prior to implementation, and must include sections on
files used, access controls, security considerations and controls
(etc.)."

Some further points for consideration are included in the next section.



















                                 - 26 -

11.  COMPUTER SECURITY POLICY:  POINTS FOR CONSIDERATION

Any policy on computer security must be based on the premise that
information is a valuable asset of the company, just like its premises,
equipment, raw materials, inventory and so on.  More than one company has
gone under because they lost their accounts receivable data in a fire,
flood, or from a simple hard disk failure.  The value of your data should
be subjected to a risk analysis, and all identifiable risks assessed.  It
is not until you identify the risks that you can plan for a disaster
recovery.

Your policy might include some of the many things addressed previously in
this paper:  e.g., storing data only on removable media (diskettes or
tapes), limiting access to bulletin boards, establishing password
controls, rules on physical security, use of immunization software, etc. 
There are, however, some other specific points not previously discussed:

RESPONSIBILITY
Recognize that security is a management issue, not a technological
issue, and that setting policy is the responsibility of senior
management.  They must be 'on board' and understand why a security policy
is needed to make it sensible and effective, and they must give overt
support.

Someone should be in charge of computer and network security.  Without
someone in charge, important security tasks may not get done.  The duties
of the security manager would include responsibility for limiting access
to the network, securing the information that passes over it, overseeing
password systems, and installing security packages that protect computers
from illegal tampering once a user is on the network.  Other duties might
include analyzing the network for security weaknesses and helping users
understand the security strengths and weaknesses of the network.

The amount of time required of the system security specialist may depend
on the size of the organization, and on the number and complexity of the
systems in use or planned.

Having one person in charge is probably the ideal security arrangement.
The security specialist can become aware of all of the issues affecting
computer/network security, can schedule and establish priority for
actions, and can ensure that the actions are taken.

This position in the organization requires some authority and autonomy. 
For instance, security is compromised if the boss shares his/her
password.  The  security specialist needs to be able to change the boss's
password if this happens, and gently but firmly discuss the problems
which could result. 


In many organizations, putting two or more people in charge of something
diffuses responsibility.  Each can think that some security concern was
the responsibility of the other.  If two individuals are charged with
network security, be certain that they work well together, communicate











                                 - 27 -

well, and will each put in their fair share of the analysis and work that
is required for security.

In some organizations, a "communications manager" is responsible for
limiting access to the network (with dialback modems and encryption
devices), while the network manager maintains password systems and
installs security software. 

If someone is in charge of network security and you don't know about it,
then they haven't been very  obvious about it.  They need not be.  But if
it is evident to you that security is lacking, then perhaps the issue of
responsibility should be examined (or re-examined).


BACKUPS
Those who are most zealous about backups are those who've been affected
in the past by a loss of data.  If backups are performed every day, your
computer or network is probably in good shape when the hard disk or file
server goes to heaven.  You will want to verify that this is the case,
since most organizations (and individuals) put this off... and off...
until it's too late.

Backing a system up once a week is not enough, unless the system is
rarely used.  If your last backup was a week ago, and your hard disk or
the hard disk in the file server crashes, all users of the network have
lost one week's work.

This cost is enormous.  If you have 10 users who have lost 30 hours of
work each, if each user is paid $20/hour, and overhead is 100%, then you
have just lost 10 x 30 x 20 x 2 = $12,000.  If you assume that backup
takes one $20 hour with a tape drive, you could back the system up 600
times for $12,000. That's nearly three years, if backups are done five
times a week.  Many hard disks will not run continuously for three years. 
Even if you're a 'stand alone' computer user, your time is valuable.  You
might consider a policy that, if recovery covers a period of more than
'x' days, it must be done on the employee's own time, and all deadlines
must be met - tough, but it get's the point across!

Irregular backups are a sign that backup is not taken as seriously as it
should be.  It is probably wisest to do the arithmetic, comparing the
costs of backup with the costs of losing work for multiple users.  The
cost comparison in the commentary on the second answer doesn't even
consider the possibility of losing irreplaceable files, such as those
containing new accounts receivable entries or new prospects.

Since file backup is a "private" activity, not knowing how often it
occurs  does not mean that it does not occur.  But if you have a security
concern,  you should find out what the correct answer is.  After all, if
you use the network, and it is not backed up frequently, it is your work
that is lost when the hard disk in the server crashes.














                                 - 28 -

BEWARE:  backing up is NOT enough!  You MUST periodically run your
recovery procedure .... how else will you know it will work when you need
it most?


PURCHASING
The policy should state the controls in place for purchase of both
hardware and software, and it should be consistent and centralized. 
Unless you've seen what some software can do to destroy security, or how
difficult it is to interconnect different equipment, this might seem to
destroy some autonomous activities in your organization.  Autonomy be
darned, it's the company that's paying the bill.


MAINTENANCE AGREEMENTS
All warranty registrations must be mailed to the manufacturer, and
records kept of purchase dates, expiry dates and repairs made under the
warranty.  Keeping accurate records has substantiated the complete
replacement of more than one machine.


SOFTWARE LOADING
The checking, copying and loading of software should be the
responsibility of one person or department.  The 'penalty' for loading
illegal/unauthorized software can range from a note in the personnel file
to dismissal, depending on the organization.  The opposite, copying the
organization's software for loading in another location, should also be
covered in the policy, because the company (as the registered owner)
could be party to a lawsuit without the ability to plead ignorance.





EMPLOYMENT TERMINATION
In several organizations, when a person submits their resignation, their
access to the computer system is immediately withdrawn.  This, of course,
requires a close liaison with the personnel department in large
organizations.  Many of these companies feel it's worth the salary cost
to have the person leave the premises immediately (escorted), and simply
pay out their notice period.  If your company adopts such a policy, it
should be made very clear that it is not an indication of trust in the
person, but simply a means to reduce risk to the valuable resources of
hardware, software and data.  It must be administered consistently and
equitably to avoid problems.    There are problems with such a policy,
not the least of which could be someone who gives a very lengthy notice
period simply because they're aware of the policy - but you could
transfer them to a clerical job for the interim (like the mail room) or
to maintenance staff (washroom detail).

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -













                                    - 29 -

12.  TO RUN SCAN (Virus detection software included on this diskette)

SCAN looks for 42 viruses in software files, but not in data files.  I
know it works on Jerusalem-B because I used SCAN to detect that virus on
a machine at work.  This is NOT the latest version of SCAN, but then
again, you're not likely to have the latest viruses (I hope).

If you want to print the documentation, type:  COPY A:SCAN.DOC PRN
If you want to run SCAN, just type:     A:SCAN [drive identifier]
                                 e.g.,  A:SCAN C:


An article from the Washington Post, January 14, 1990, on Computer
Viruses was added to the diskette after this paper was written.

          To read this article, key  TYPE A:ARTICLE|MORE      
          To print the article, key  COPY A:ARTICLE PRN


- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -


If you have found this presentation useful, either by attending or by
reading or using the information on this diskette, then I am rewarded. 
If you found it useful, please feel free to copy this diskette or its
contents and share it with others - I would ask that you don't change
anything, though.  (It was virus free at the time I made the original
diskette - but if you trust that statement, you might just have made your
first mistake.)  

If you'd like to make suggestions that would improve the information on
this diskette, I would be very happy to hear from you.  I'd also like to
hear from you if you wish to discuss security issues, get a virus
infection or hit by a Trojan Horse, or even just to comment on the
contents of this paper.  My address and phone number are on the first
page of this document.

If you would like to join the National Computer Security Association, a
'form' for application is on the next page.  They provide benefits such
as a Virus Self-Defense Kit that's more sophisticated than the software
on this diskette, newsletters, a virus-free bulletin board with hundreds
of security-related programs, discounts on software, books and
conferences, and advice if you run into trouble.

Happy (and safe) computing!


                         E. A. (Liz) Bedwell



















National Computer Association
Suite 309
4401-A Connecticut Ave. NW
Washington, DC
USA   20008              Phone:    (202) 364-8252




[ ]  I wish to join NCSA.  Cheque enclosed for $45.00 (US funds)

[ ]  I wish to join NCSA.  Please bill me for $45.00 (US funds)


Name:          _____________________________________________________

Organization:  _____________________________________________________

Address:       _____________________________________________________

               _____________________________________________________

City, Prov.:   ____________________________ Postal Code ____________

Phone (with area code):  ___________________________________________


Title or Position, or interest in computer security:

               _____________________________________________________

               _____________________________________________________

.
Downloaded From P-80 International Information Systems 304-744-2253