March 1991 Computer Fraud & Security Bulletin

Apricot Computers is launching a security software pack for its LANstation series of network workstations, Qi range of desktop micros and FTserver range of Unix and network servers. The system covers system access control, user configuration, network and resource access, temporary access protection, automatic audit trails and data block encryption. For more information contact James Blackledge on +44 (0)21 456 4040.

THE CORPORATE SECURITY POLICY

Commonsense computer security

Squadron Leader M. R. Smith MBE BSc RAF

The computer is here to stay, that there can be no doubt. The IT revolution is already affecting business, the economy, society and our everyday lives every bit as much as the agricultural and industrial revolutions did in their time. We have still to realize the full potential of these new tools at our disposal, and as we bring them to bear with increasing accuracy and effectiveness they will change and then must eventually control our lives. If there is any doubt as to this phenomenal rate of growth in IT technology and influence, cast your mind back only say, five years and reflect on how much progress has been seen in that short span of time. And the next five?

As this reliance on IT spreads so too does the potential for loss, corruption or compromise of data, from whatever cause. As more businesses become ‘computerized’ and thus dependent on the machine, the greater the chance of some going to the wall if that technology fails them in any way. It is the task of the computer security fraternity to highlight to this growing population of computer users the dangers which are associated with this apparent panacea for all their problems and offer practical and cost-effective defences and counter-measures. Unless we try we shall be failing in this, our primary function. Unless we succeed there is little point in us turning up for the game.

My aim here is to describe what I believe to be the true nature of computer security - that it is a people problem, not a machine problem. I will stress the importance of the involvement of senior management in both defining the corporate computer security policy and assigning the responsibilities for its implementation. I shall then outline how, once you have initiated a computer security effort, you can keep people interested, motivated and trained. I would stress that the views I am about to express are my own and do not necessarily reflect those of any organization with which I am associated. I also intend, deliberately, to be provocative and controversial in the hope of stimulating a continuing debate on this important topic.

The true nature of computer security

There remains widespread ignorance of computer security - both the problems and workable solutions. Little new thought is emerging except an obscure and continuing distillation of the technical solution. Truly original initiatives are rare. Even obvious things like disaster recovery and contingency plans are frequently overlooked or given lip service at best. The available literature about computer security is still limited, difficult to read except to those experts who know the subject anyway and arguably do not need it, and unattractive to the non-experts who need more than anyone to grasp the essentials of the problems and answers. Such awareness amongst the general public about computer security is virtually nil; the only exposure they get at present is to the monumentally superficial scare stories in the popular press and TV about viruses and hacking, both relatively minor problems compared with the scale of our unpreparedness as a whole.

©1991 Elsevier Science Publishers Ltd

But coupled with this ignorance is a growing sense of alarm. A MORI poll for Securicor Consultancy Ltd (23 Jan-2 Feb 90) of 200 business managers from all sectors of industry showed clearly that, above all else, managers are most concerned about the security of their computer data. This concern is based not on reported cases or past incidents (14%) but on fears for the future (90%). A third of senior managers felt the risk to their computer data had increased over the past 5 years, and by a factor of 50%, and a similar number thought that computer security will increase in importance over the next 5 years. We therefore have the classic conflict - stress and anxiety, but ignorance of the ways of reducing the fear. The normal defensive mechanism also shows itself - the head in the sand - with 88% of senior managers professing themselves “very” or “fairly” satisfied with existing measures to control the risk.

The technology is moving away from the mainframe to distributed resources, taking computing from the IT experts and putting massive power on the desks of workers and managers, most of whom still belong to the generations who missed out on IT training. The increasing networking of systems within, even between organizations, even nations and continents, itself creates a whole new and vast range of vulnerabilities. In another survey, this time by Price Waterhouse, IT directors were questioned about their security problems, and nearly half (46%) identified increasing interconnectivity of systems as the biggest barrier to overcoming security risks. A third (34%) saw low staff awareness as their greatest problem. We have introduced computing power of awesome magnitudes into the informal office, linked it directly to unknown and possibly hostile outsiders, and handed over its control to staff whose depth of understanding may often be limited to the whereabouts of the on/off switch and a passing affinity with the logon/off procedures.

The dangers and the need for sound computer security have never been greater and they are increasing all the time. The cures are simple and available, and quite often in place but ignored or not understood or not used to full effect. So why is the child failing to thrive? There are possibly many reasons; the two greatest seem to be who and how.

Who is involved?

The dominant members of the current computer security world, coming as they do from the computing specialization, display an almost religious belief in the merits of hardware and software security. Traditional security amended and applied to the computing environment is ignored, not understood, dismissed as unimportant or, worst of all, deliberately rejected. Computer security is viewed by them entirely as a machine problem, with the answers lying within those machines. The rest is dismissed as the ‘environment’, somebody else’s problem. It is easy to understand how this has come to pass.

Any expert in whatever field will be as much limited by this knowledge as aided by it. The mother is the last person in the world to see little Johnny or little Clara’s faults, it takes a kind friend to tell her. Even then she will find it hard to accept the faults pointed out to her. It is thus with the computer security world, dominated as it is by the computer specialist with deep knowledge of the machine, and complete faith in its ability to cure any minor ills from within, from its own immune system. Their blindness, compounded or indeed caused by ignorance of security, must lie at the root of our problems today. Computer security is a combination of computers and security; it is, to distort a famous saying, too important to be left just to the computer experts.

But that said, I am not being critical. Why should the computer expert be expected to be conversant with the intricacies of the art of security, as much these days a specialization as any other? Every man to his trade, they say. But security is the other part of computer security; it is vital and only healthy that the expert security view is included in the deliberations. Computer security cannot be, nor must we let it be, dealt with solely by the computer people, yet this is what is happening now.

Computer security is a people problem, not a machine one. There are far more road accidents caused by bad drivers than by unsafe cars. Pilot error accounts for more aircraft crashes than any other factor. Most computer insecurities and disasters are caused by the users, not the machine; computers do not commit crime, only people; accidents do not just happen, they are caused.

Computer staff by their nature, training and work are logical, intelligent, mathematical, clinical. Their tool is a machine, their involvement is mainly with that machine. Their contact with the human element is limited, their abilities at man-management not necessarily finely honed.

The business manager, in contrast, and his personnel staff and security officer are used to dealing with people - this is their tool in trade - and are thus better qualified to tackle the people problem which is computer security. Again, why should we expect the computer staff to be familiar with management, training and supervision of other computer staff when this is not their specialization or role? Yet, again this is what is happening now.

How are we doing it?

And the ‘How’ question? The offerings on the table at the moment, driven as they are by the technicians without recourse to the man-managers and security staffs, are centred around the software and hardware. We are tending to ignore the other traditional elements of security essential for any rounded and effective defence in depth. Instead, magic pills are being put forward which can never be satisfactory in isolation. Furthermore, software security must be reaching the economic limits; the packages offered with most large systems these days already provide excellent, sophisticated and (for most people) entirely adequate access control, audit and separation facilities and little is to be gained from further enhancement. The experts and peddlers of computer wares are beginning to over-refine and over-complicate the produce to outdo their rivals, outpricing themselves in the process.

Computer security - how should it be solved and by whom?

I suggest that we have painted ourselves into the corner; the technical path we have so far chosen to follow has narrowed and we are nearing its natural end. The time has come for us to review our way ahead. No fault is to be attributed for the story so far. It was natural and has served us well. But we must return to basics, to first principles. We must recognize the significance of defining security policies. How important to us is our computer? What are the threats? What effort is reasonable to protect the electronic data? What can be easily achieved? How exactly are we to defend ourselves, and with what and in what way? What risks can we afford to take, and which must we not ignore? How can we train and motivate our staff?

Security measures must be chosen which are the most cost-effective, simple and reliable. They should, whenever possible, be traditional and non-technical, fit into the existing practices and morals of the organization, and exclude the fancy or the innovative or the unprovable. The computer staff must talk to the security staff, and both groups must explain the dangers to convince and cajole management into committing the necessary resources and manpower into the company’s computer security effort. There is an overall package to be considered here. Computer security cannot be shoe-horned into a convenient black box labelled ‘Solution’. It has to be worked at, and by everyone.

This, then, is the true nature of computer security. It is a people problem, not a machine problem. Fresh thoughts are needed. Security staff, personnel staff and management need to be brought into the equation far more, and computer staff must learn to accept advice and help from such apparent outsiders. Computer security is not a machine problem. Computer security is a people problem. Computer security must cease trying to cure itself from within. Look now to the user; there is no such thing as an insecure computer, only insecure people.


Computer security is not a difficult problem. It need not be expensive, it is not complicated and it is certainly not impossible. It is within the grasp of every organization to achieve satisfactory computer security with a reasonable effort, using familiar techniques at an affordable cost. That this is not happening throughout the worlds of commerce, industry and government is not yet the direct fault of the computer security industry; but it will be judged as our failing if we do not now see to it that everything possible is done to bring this to pass.

The importance of senior management involvement

The key figure in any policy decision - company, technical, security or whatever - is the boss. It is he or she who dictates the direction the organization is to take, how the goals are to be achieved, and what care and insurance - what security - is to be taken. This is true too of computer security, more so considering its novelty. The computing function within any organization is becoming so fundamental to company survival and growth that computer security is no longer an issue which may be delegated to security or computer staffs. Ultimate responsibility for computer security must now be with senior management. Computer security policy must be defined by those at the very top of the pile. Of course, the routine administration of computer security, the devising of procedures, the enforcement of the regulations and the planning for future enhancements should, indeed have to be delegated to lower levels within the organization. But top management must recognize the threats to computers and their weaknesses and vulnerabilities, and take the initiative. Without such interest at the highest levels, security can never be effective and it will be relegated to a second class role it does not deserve.

This, then, is my second major point. Computer security is a people problem and the most important person of all is the boss. Once the boss is committed and knows what to do the rest of it will follow easily. Until then, computer security within an organization will never, ever be effective. People believe that baby servicemen are born with an in-built sense of security awareness, but this is not so. It comes about as a result of a continual and extensive security education campaign waged from the day they join the service. Security is a principle of war, and it thus receives the backing of the highest levels of command. Once any other organization recognizes that security is a principle of business, then that business too will provide itself with the security it needs and deserves. There is no simple or cheap alternative, security is a form of insurance. Pay the premiums, or suffer the consequences.

Computer security policies

I mentioned the importance of defining a computer policy. My next major assertion is that, until everyone knows the overall aim of the exercise and the outline plan of action, nothing useful can be done towards building up computer security practices. Until the general knows the battle plan, his troops can never hope to win the war. A computer security policy is the foundation stone of effective computer security practices.

The company should already have clear policies about the nature of its business (the business policy), how and with what resources it is to achieve its aims (the technical policy), and how it intends to protect both its assets and its continuing ability to function (the security policy). Such company policies should be formal, documented, and agreed by senior management. Within each there may be further policies; within the security policy, for example, there could be described the company’s physical, personnel, and document security policies. Now too, there should be a clear statement of company computer security policy.

The computer security policy comprises those rules, regulations and practices which make up the way in which a particular computer’s data is to be protected from loss, corruption or unavailability. It must address all forms of that data and all aspects of its control, and will not necessarily be limited to the immediate environs and operations of the computer. More sensitive or valuable information will clearly attract more security effort, but the policy should not be limited to such data. The policy will define all the countermeasures that management intends to be used, and in what way and to what extent. The policy will describe the threats to the system and list those countermeasures chosen from the shopping list of possible defences.

There is no set or recommended format for the computer security policy; it will be organization and system specific. No two companies, no two computer installations, will ever be the same, and the security policy must uniquely interpret the threats and countermeasures appropriate for a given system, in a given role, in a given place, and operated by nominated staff. Whatever, though:

• It must always be written in clear, concise and comprehensible terms, defining its aims, and describing the principles and methods of accomplishing those standards of data safety, security and integrity set by the company. It must be well documented and authoritative, issued on behalf of and carrying the signature of the highest levels of management.

• It should be drawn up by those charged with the use, operation and security of the installation. It is these staff who will have the most intimate knowledge of and skills upon the computer to be protected. They will have to make the policy come to life, and so their support is vital.

• It must achieve a level of security at least equal to, but not necessarily greater than, the security of similar information held in traditional form. It must be positive, and not rely upon a potential attacker’s lack of knowledge as a defence. It must be as simple as possible. It must be reliable at all times, and it must be comprehensive, addressing all the computer system’s assets and all aspects of its work.

• It should fit in with the corporate way of life, and must take into account the aims, morals and methods of the organization. It is no use whatsoever to introduce rules which go entirely against the grain, and which then will be totally ignored by the people who will have to operate and enforce them, or which simply will not work or stop the organization working. As an extreme example - any computer can be made more secure by turning it off, but this ultimate security measure does little to improve the business.

• It must not be set in concrete. There has to be flexibility to allow constraints or business needs to override if necessary the security features. It must be regularly reviewed and updated to meet any changes to the threats, weaknesses, vulnerabilities or uses of the system. This task must be assigned to a named individual. No computer will remain static in its form or role; the very qualities of computers cause dynamic change, and it is only right that this is so. The policy can quickly become out of date. Staff must be told of any changes to the policy, and how such changes will affect them.

• It must include only feasible objectives. Unrealistic or unattainable demands bring the policy into disrepute and disuse.

• Adequate resources must be provided for it but at the same time it must remain cost-effective.

• It must allow for the worst case.

• Finally, and perhaps most importantly, it must provide for adequate training of all staff concerned with computer operations. The best laid plans will be of no value if the staff are either unaware of them or not taught how to enforce and work with them.

Allocation of duties

Another vital link in the chain - it is important to allocate computer security tasks within an organization. A fundamental principle of any security policy is that responsibilities must be clearly stated. Unless you give a security job to someone - by name and appointment - it simply will not get done, there is always something more important to do. Just as important, though, is that everyone can then be held to account for their actions or omissions, not simply to serve blame when things go wrong but also to protect those who have completed their part satisfactorily only to be let down by another’s carelessness or dishonesty.

The security function within any organization must have a clear reporting chain, to allow rapid communications about incidents or emergencies, and to make clear who is responsible to whom. That chain must include a direct link to the very highest levels of the organization, to be involved at the discretion of the security manager and to ensure his ultimate independence. Control of the security function will fall within normal company arrangements but the security manager must be able to disregard these constraints when he feels it necessary in the interest of security. The security chief must be a trusted ally of top management, and be able to communicate freely with them, and vice versa. In turn, however, he must use the privilege sensibly and sparingly.

Let me now describe a typical distribution and allocation of computer security responsibilities.

a. Installation Manager. The computer installation manager is the key person at any installation, and with him lies responsibility for all aspects of that installation’s operations, including its security. He is the captain of the ship, who must ensure the safety and security of all parts of his system so that the data is protected from the threats directed against it.

b. The Installation Security Officer. The Installation Manager should appoint a member of his staff as the Installation Security Officer, and should delegate to him the daily administration of the computer security regulations. In this way the Installation Manager can still monitor the security of his system but be relieved of the time consuming and routine security workload. If this is not done, especially on a larger installation, then it is inevitable that the security measures will be neglected as tasks of seemingly greater priority bombard the busy Installation Manager. The Installation Security Officer is the Installation Manager’s leg-man for enforcing and monitoring on a daily basis the security measures at the installation. In traditional terms, the Installation Security Officer should be the ‘village policeman’ of the installation, and a good one.

c. Computer Users. Under the direction of the Installation Security Officer, all system users have a responsibility to their system’s security, safety, and integrity. Their role is perhaps the most important, because of numbers alone - the Security Officer is but one man, but with all users briefed and conscientious about their security duties there will then be many pairs of eyes and ears looking out for dangers to the data and the system. In particular, each user must:

• Be fully familiar with the rules and regulations. For security practices to be totally effective, every user must know what to do, how to do it, and why he is doing it.

• Properly classify all data according to its sensitivity and/or value, and clearly mark it. The user is both the biggest creator of data, and the greatest threat to any installation no matter its size and importance. Ironically, at the same time the user can be the greatest asset to the computer’s security.

• Report at once to the Installation Security Officer any security breaches or incidents which come to light, or any other matter which might have a security significance. The users can be the greatest aid to the Security Officer, and with them on his side he can achieve much better security. But to do this involves much hard work in educating the staff members, gaining their trust, and convincing them of the necessity and importance of computer security measures for the well-being and safety of their own and the company’s future.

e. The Departmental Security Officer. In charge of the various Installation Security Officers at a site or within a department will be the Departmental Security Officer.

f. The Corporate Security Officer. The Corporate Security Officer will have responsibility for the security of all the computer systems within the organization.

g. Network Security Officer. Where a computer network exists, the responsibility for the overall security of that network, like all security responsibilities, must be assigned to a named individual, the Network Security Officer. Independent elements of that network will have their own Installation Security Officers, who should be accountable to the Network Security Officer for the security of their terminals and data links.

h. Management. As I said earlier, the top levels of management have overall responsibility for all aspects of computer security, particularly its policy.

A word about an employee’s contract of employment. At the time of employment there is an ideal opportunity to enforce contractual arrangements in order to protect corporate information, to legislate for damage containment in the event that the employee subsequently lets you down. The proper use of contract law in contracts of employment has several advantages. Making any sort of contract concentrates the minds of everyone concerned; both sides realize that the matter is serious, and it sets the professional climate in which you intend to operate. Also, the contract will define exactly what is considered as important and thus what it is that requires protection - such things as copyrights, patents, designs and design rights, client lists, and other confidential, valuable or sensitive information. The do’s and don’ts of the organization can be clearly explained. Finally, the contract anticipates trouble and prepares for the worst. These advantages apply to all contracts, but it is perhaps especially important to establish the game plan for computer staff, where they will be invested with considerable trust and when their actions, correct or otherwise, may have a significant and disproportionate effect on the fortunes of the organization.

But contracts, like all other aspects of security are not entirely without drawbacks and weaknesses; they do not provide complete protection. Breaches of contract can be difficult to prove, there may then follow a long wait before the case can be brought to court, and then there may be a further delay before any damages are received - all this assuming the court understands the nature of the offence! Furthermore, there may be adverse publicity associated with any case, and all these factors may combine to cost more than the original breach of contract. But there is no doubt that contracts are for the best. The contract of employment should, at the very least, explain clearly the security responsibilities of the employees, and to whom, and for whom, that employee is answerable. It should explain the disciplinary process for breaches of security, and when and for what it will be invoked. It should make clear any confidentiality clauses and competition constraints which become applicable should the employee leave the company. The contract should be signed by both parties.

Training and awareness

A man’s daughter came home from school and informed him that her class had received a sex education lesson from the biology teacher. This is awareness. The next day she came home from school and informed him that she had been kissed for the first time by a boy. This is training.

This is my final major point. By applying considerable time and effort to a comprehensive and wide-ranging computer training and awareness campaign, the resulting improvement in computer security will far outweigh any initial costs. Training and awareness are the fuel and water which will make your computer security plans work. You must instruct and guide all members of staff in the ways of achieving those standards of computer security dictated by the highest levels of company management. Each person in the chain of command must be aware of, and trained to comply with, his or her individual responsibility towards computer security. All should be working in harmony with one another.

©1991 Elsevier Science Publishers Ltd

Any training scheme devised to improve computer security standards and awareness has to be able to provide the differing skills required by the wide range of persons involved - the users, the operators, the computer-illiterate supervisors, the specialist security staff if you are fortunate enough to have them, and of course the senior levels of management. How and who you should teach is beyond the scope of this short article. Whatever you put together, though, must be comprehensive and flexible. It must be relevant, it must be interesting and it must not be too difficult to grasp. The training and awareness campaign may comprise formal courses, special interest sessions, local initiatives, seminars, or conferences. Do anything you have to, any way you have to, in order to succeed, in order to get the message across. Anything goes, no matter how outrageous and flamboyant. The stakes are high in computer security. Training and awareness are the keys which will release a tremendous resource - the people. Harness the skills and vigilance of your workforce, and you have as many security officers. Leave them in ignorance and they become the greatest threat.

Awareness and training are a continuing overhead. But the effort to communicate and maintain a security culture within an organization should never be relaxed, nor should the methods be allowed to become stale. A good training and awareness campaign, though, will produce an increase in computer security standards far greater than its costs and is one of the most cost-effective ways of improving the security and safety of a computer installation. In effect, it harnesses the eyes, the ears and the support of all the employees.

Conclusions

Let me summarize my main points:

a. Computer security is a people problem. Computer security is not a machine problem.

b. The most important person of all is the boss. Once he is committed to computer security the rest will follow easily.

c. A computer security policy is the foundation stone of any effective computer security practices. Without a policy, success is almost impossible. Any such policy must employ defence in depth.

d. Next, it is vital to allocate a computer security responsibility - to someone identified by name and appointment, and in writing - or that responsibility will not be discharged.

e. Finally, training and awareness are the fuel and water which will make computer security plans work. Without them, computer security can never be successful. With them, you will achieve a massive improvement in standards at little or no cost.

Computers are here to stay, and their numbers will continue to escalate at an ever-increasing rate. The trends are towards smaller systems of awe-inspiring power, more distribution of resources, the taking of computing to the desks of the lowliest workers, networking and OSSEA. The need for computer security must also continue to grow, but I believe the technical solution will become increasingly difficult and cumbersome to both achieve and enforce. Involving staff at all levels and making them carry out their personal responsibilities towards computer security will, I think, be the area of most importance and reward.

I believe that raising awareness and educating a wide audience in the basics of computer security will achieve, pound for pound, a far more profound and longer-lasting result than any technical solution could ever hope to achieve. Computer security is a people problem. Computer security has a people solution. Let us now discover it.

(This article is based on 'Commonsense Computer Security' by Martin R. Smith. The views expressed in the article are those of the author and do not necessarily reflect those of any organization with which he is associated.)

SUPPLIER’S VIEW

Computer media - cleaning up the weak link

Alan Malcolm,

Computer-Link (UK) Ltd.

Throughout business and industry, computers are now employed to perform tasks which mere mortals would find difficult, if not impossible. It would probably take an economically unsupportable army of personnel to perform the same functions as can be achieved by today's PC. Computer-aided design, engineering, security, production manufacturing and process engineering are just a few of the areas in which computers are now commonplace.

Computer tapes or cartridges are often used to run programs which have themselves been developed at great cost to a company by software specialists. To protect their investment and their industrial knowledge, a company's databanks are usually well protected, either through back-up records, adequate data protection storage facilities or ideally both, as belt and braces support. The organization may well, therefore, feel secure in the knowledge that its secrets remain guarded from unwelcome attention. Despite the consistent play-down of its frequency and effects, industrial espionage is a growth area, the ramifications of which can be dire for a company which has poured money into project development.

One hears from time to time of occasions when military or government data is accidentally discovered by members of the public. When the facts are reported to the national press much is quite rightly made of the blunders which led to such important material being exposed to such risks. Not too long ago quantities of computer tapes from government departments were found dumped, literally, by the side of the road. Is it improbable for a company’s own commercial information to be accidentally made available to anybody who should pick it up?

The answer has to be no. Operating tapes used in industry, instrumentation tapes, are commonly discarded when new programs are introduced. It is a fact that very often such material is simply dumped without any attempt being made to wipe out the magnetic information already held on it. It can be argued that because such material has been superseded it is no longer of any value. But how many programs are complete re-writes of previous versions, and how many are merely updates and modifications? This being the case, much information on tapes marked obsolete can still be of considerable value to competitors.

Other forms of magnetic media also pose substantial security risks. Consider the security surveillance system which utilizes video tape. When such tapes are no longer required, possibly through deteriorating in use, are they electronically and magnetically cleaned prior to their disposal? Or are they simply thrown out? It would be a true irony if the very material used initially for security were to be in itself a breach of that security.

We live, today, in a throwaway world and therefore it does not seem strange to us that when items reach the end of a useful life, we merely throw them away. However, with magnetic media this simply cannot be done.

The disposal of computer media which holds information of a personal nature poses problems other than that of security. The number of organizations which hold lists of addresses, details of personnel, companies with whom they
