- Email: [email protected]
Information systems security: A managerial perspective
Information Systems Security: A Managerial Perspective
Information security has bmn recog&ed as drte &the major issues af importance in the management of organizational information systems. Losses resulting from computer abuse and errors ~8 substantial, and information systems managers continue to cite security rend control as a key management iwue. This paper presents the various dimensions of the problem, suggests specific steps that can be taken to improve tha management of information security, and points to several research directions.
The rapid progress
in ~on~puterand ~mmuu~~atious te~hno~ogjes in the
fasttwo decades
has rendered most organizations vulnerable to misuse or abuse of computer-based information systems QS).” While information systems provide opportunities to improve an organization’s func'~Hrruv, N. AND NEUMANN,% (1990).Frim tioning and enhance its products or services, they can &XI expose cipkr?sof information systems for manageorganizations to significant risks as organizations become increasingly men/. Dubuque, Iowa: Wm. C. Brown (3rd dependent on information resources.* Therefore, important concerns edn). WISBMAN, c. (1988). Strutegic Irrjbr’motion Sjstems. Homewoad, IL: Irwin. that accompany the use of information technology arc how much ‘XXUKC>vrrs, 1. (1984). Management of corn-security is needed to protect computing facilities and information putw operaricms. Englewood Cliffs, NJ: resources and how to obtain this level of security.” Prentice-WalI. WETHERBF, 3.c. JBRANCHEAU, 1. AND Evidence for the ~n~~~~ta~~~~of IS security is provided by the <1%?7). Key issuesin jff~ormatjon systems. %I.5 ~~~~~~~~~,I I jx-n. I ) , pp. 13-45.CAR- frequency with which security and control are cited as a key manageKOLl”,.;.?a.frw). cnrtrpz4atetswwity. Bos- ment issue by IS rnanag~~s.~~Sptague and ~~~~nrljn further suggest that hm, MA: Butrerworths fkd edn). security and integrity are one of the six hjgh-priority concerns of IS %Al.l., I... AND HARRIS, R. (1982). .%J~fS managers in the future.” mcmhers: A membership analysis. MIS Information security can be viewed from two aspects: technological G)it~rk?+‘, 6 (No. I), pp. 19-38. HFNJON, r>,~. (1983). A field study of end user and managerial. While much attention is given to the technological computing: Findings and issues, Mf$ isues, only little attention is given, both in literature and the real world, &uurtrrly, 7 (No. 4), pp. 35-45. DICKSON, O.w., L.~lTHEISER,R.L., NECHIS, M. ANI? to the managerial side,” WE'THRKIZE, J.C-.(1984). Key information The purpose of this paper is to review the managerial aspects of systems issues for the 1980s. MIS Qwmrinformation security, and to point to practical recommendations in these aspects. The f&owing sections provide a brief overview of IS security, discuss the di~~~~ltje~ of managing ~nformatjon security, and address the i,ssues of attack and defence. managerial issues ~~n~er~ing 1S security are then defined and some basic recommendations are drawn. ‘The paper concludes with a summary of managemen~~s role in IS security. Xrtformation cystems manugrmenl in pr& tiw. Enalewood Cliffs, NJ: Prenticc”.Hsll,
What is information
security?
Information security is concerned with the protection of computing _L . facilities from deliberate or accidental threats that may exploit vulnerabilities of a computing system. ’ The target of a crime involving computers may be any portion of a computing facility: hardware,
/nformation
systems
security
software, data or communication networks. The multiplicity of targets makes information security difficult. There is a scarcity of reliable information about the amount of computer crime occurring and the nature and severity of the crimes. The available evidence suggests significant losses8 although the full extent is unknown. A number of organizations have compiled evidence about the nature and scope of computer crime. Highlights of some of these studies are reported below. The purpose of these examples is not to examine specific cases in depth, but rather to convey some idea of the volume, variety and scope of known computer crime. *
e
e
continued from page 105 WILKES. M.V. (1990). Conmuter security in the husks world.‘Communications ofthe ACM, 33 (No. 4), pp. 399401. 7PFLEEGER, C.P. (1989). &WUity in COmpUting. Englewood Cliffs, NJ: Prentice-Hall. ‘ALAW, M. AND WEISS, I. (1985). Managing the risks associated with end-user computing. Jotirnal of ~anagemerlt I~f~rmatjo~ Systems, 2 (No. 3), pp. 5-20. American Bar Association (1984). Report on computer crime. American Bar Association, Section on Criminal Justice, Pamphlet, Washington, DC. NYCUM, S.H. AND PARKER, D.B. (1986). Prosecutorial experience with state computer crime laws in the United States. In: Security and protection in information systems (A. drissonanche, ed.). Elsevier. pp. 307-319. 90’~~~~~~~~~, J. (1986). Computer crime is usually an inside job. Digital Review, 21 July. 10~~~~~~~~~, M. (1989). Morris indicted in Internet virus affair. Co~~~uter~~r~d, 31 July, p. 8. “PARKER, D.B. (1986). Consequential loss from cornouter crime. in: Securily and protection in’information systems (A G&sonanche. ed.). Elsevier. DD. 375-380. ‘“US kon&ess, Offick’ of Technology Assessment (1986). Federal government information technology: Management, secur;ty and congression% oversight. OTA-CIT297, IJS Government Printing Office, Washington, DC. ‘3American Bar Association, 0~. cit., Ref. 8.
106
0
O’Donoghue studied 184 Forbes 500 Corporations.’ Of these, 56 per cent reported that a major computer crime had been detected during the previous 12 months, for an average loss of $11 800 per incident. In November 1988, a virus spread through a Department of Defense (DOD) communications network (Internet) linking computers located in military complexes and university campuses.” The virus entered an estimated 6000 computer systems. Although the virus did not destroy data on the computers’ data files, it did take up memory space and, by reproducing itself over and over, slowed down processing on the computers. The damage was estimated to be about $100 million. IBM reported an $11 million loss in December 1987, when a West German student’s Christmas message to a friend (attached to a virus) unintentionally swamped IBM’s international network. The infected message created an ‘electronic chain letter’ that virtually shutdown the network. While some experts (e.g., Parker”) feel that it is impossible to assess the amount and damage of computer crimes, other experts argue that it is possible to develop usable data on computer crime. One estimate suggests that out of 1406 cases tracked there is an average loss of $500 000 per case.”
In January 1984, a published study included a forecast of spending on information security. This forecast projected an increase in spending from an estimated $3.51 billion in 1987 to a projected $11.83 billion in 1995.13 Despite the importance of the topic, information security is still considered by many executives as a ‘necessary evil’ that should be the concern of computer scientists rather than of managers. This attitude developed in part because of the difficulties in managing information security.
Difficulties in managing information
security
The management of information security is arduous and is increasing in complexity. Some major factors that have a significant impact on the problem are:
l 0
e e
e
e
l
Content; Lack of control; Opportunities; Detection and prosecution; Magnitude and complexity; Difficulty in defence; and Assessment of costs and benefits.
J.L.
WILSON et
at.
Content Information security encompasses four major assets of computing resources: hardware, software, data and communication networks.14 In planning for the security of these resources, one can identify dozens of security issues ranging from computer viruses and software piracy to theft of hardware equipment. Lack of control Information assets are controlled by many individuals. Nolan indicated that in 1980 only 36 per cent of the average organization’s information processing budget was under the control of the chief information officer (CIO). l5 This lack of control poses significant difficulties in securing the computing resources. The opportunities Rapidly changing computing environments present many new opportunities for computer criminals. ih Furthermore, the public portion of communication networks (such as telephone lines) is very vulnerable. For example, wire tapping is a simple and inexpensive undertaking; even fibre optics lines can now be tapped. It is simply impossible or too expensive to protect against all the threats.” Detection and prosecution Most computer crimes are probably undetected. Furthermore, detected computer crimes often go unprosecuted and only a very small proportion of those that are prosecuted receive guilty verdicts. For example, in the O’Donoghue study,‘* about 30 per cent of computer crime was untraceable. Magnitude and complexity The security problem can be developed on a fairly large scale. The widespread use of distributed computing and communication networks allows intruders to break into remote systems and remain undetected. Difficulties in defence Even with the technically best countermeasures designed to reduce system vulnerability, an intruder has an advantage: most organizations simply cannot afford to protect against allpossible threats. Moreover, in some instances, the technology may not even be available for protection. Assessment of costs and benefits
“‘Up.cit., Ref. 7. ?NOLAN, R. (1982). Managing information systems by committee. Harvard Business Review, 60 (No. 4), pp. 72-79. “ATKINS, w. (1985). Jesse James at the terminal. Harvard Business Review, 63 (No. 4), pp. 82-87.
‘?Op. cit., Ref. 7. 180p.cit., Ref. 9. *‘Op. cit., Ref. 11.
It is very difficult, not only to detect computer crime, but also to assess the damage that results from such crimes. There are many intangibles. The subsequent costs of a computer crime can be very complicated to assess, especially in advance. l9 Therefore, it is difficult to conduct a risk analysis in order to justify security investments in information systems.
Threats and attacks The threats A threat is a circumstance that has the potential to cause loss or harm to 107
hformation
systems security
resources, such as hardware, software, data or communication networks.*O Threats exhibit varying degrees of detectability and controllability. Fire is an example of a threat which is easily detectable and controllable while natural disasters such as earthquakes or floods are difficult to control and detected only when they occur. Threats to computing resources may impact assets in four ways: computing
0 0 @ e
Destruction: the asset is not reparable or recoverable. Modification: altering an asset by changing its representation or adding more to the representation. Disclosure: information is accessed by or released to someone lacking a need-to-know. Denial of services: resources are unavailable to authorized users.
The threats associated with a computer environment include those that are commonly associated with general protection of property, as well as problems peculiar to computers and information systems. The two major categories are environmental threats and human threats. ~nvirun~e~tal threats represent non-deliberate, accidental threats to computing facilities that include earthquakes, hurricanes and storms, lightning strikes and floods. These risks are considered as acts of God and beyond human control. They also include, however, man-made accidental hazards, incIuding urban unrest and hazardous industries, which increase the vulnerability of a computing facility. Environmental threats are the most visible and tangible threats, which can also be most devastating.
Humun threats can originate from outsiders (37 per cent according to O’Donoghue”), who penetrate a computer system through communication networks, or from insidrr.~ (63 per cent), who are authorized to use the computer system:
e e
O~~ider~: ‘Hacker’ is the term used to describe outside people who penetrate a computer system. A ‘Cracker’ is a malicious hacker and is comprised mostly of juvenile delinquents, who are a serious nuisance for business.22 Insiders: Like other types of white-collar crime, attacks from insiders are frequently not reported to law enforcement authorities. Consequently, attacks from insiders have received considerably less public attention than have attacks from hackers.*’ Threats from insiders, authorized to use the computer system, can be categorized as mistakes, dishonest employees with self-serving goals, loss or disruption to computer systems from any cause, and disgruntled employees who commit damaging acts without economic or other self-serving goals.24
The attackers -“Op. cit., Ref. 7. “‘Op. cit., Ref. 9. Z2~~~.~~~~~, J. (1986). Computer crime: The who, what, where, when, why and how. Data Processing and Communications Securiry, 10 (No. l), pp. 19-23. 230p. cit., Ref. 12. 241bid. “Op. cit.. Ref. 22.
108
There is fairly rapid growth in malicious acts against computer-based information systems and in computer-related crimes. However, only few computer criminals are being caught and prosecuted. Information systems can be attacked at any time by many potential attackers. Based on a literature search, Bolognaz5 made an attempt to compile an attacker’s profile, as depicted in Figure 1. Computer criminats tend to be relatively honest and in positions of
J.L. WILSON et al.
Sex: Male Age: 19-30 Race: White Criminal Record: None Position: In data processing or accounting
IQ: High, bright and creative Appearance: Outwardly self-confident, eager and energetic Approuc~ to work: Adventurous, willing to accept technical
challenge, and highly motivated
Figure 1. The profile of a typical computer
criminal
trust. Most of them do not consider their acts to be truly crimes. The intruders are relatively young, bright, eager and highly motivated. Most intruders are male while women have tended to be accomplices. While a typical attacker comes from an IS-related position, many other computer criminals who have been caught have had no formal or extensive computer training. This profile results in many potential criminals, which makes protecting against them difficult.” The motivation. according to Bologna,” can be classified in one of the following categories: a
Economic:
Need for money because of reasons that may include high living, expensive tastes, gambling, family sickness or drug abuse. Ideological: It is fashionable to be anti-establishment, so deceiving the establishment is a fair game because the establishment is deceiving everyone else. Egocentric: Beating the system is fun, challenging and adventurous. Egocentricity seems to be the most distinguishing motive of computer criminals. They often commit their crimes to show how smart they are and how easily controfs can be compromised by a truly dedicated and knowfedgeable worker. Psychological: Let’s get even with the employer, because the employee feels exploited by their cold, indifferent and impersonal employer.
The attack methods
260[~. cit., Ref. 11. ‘?Op. cit., Ref. 22. 28COHEN, F. (1987). Computer viruses: Theory and experiments. Proceedings uf
the 7th National Computer Security Conference. Washington, DC, pp. 22@225.
Input tampering and programming techniques are two basic approaches most commonly used, independently or jointly, by the criminals to deliberately attack computer systems. Input ia~zperi~g is the approach most often used by insiders. It involves entering false, fabricated or fraudulent data into the computer. In programming fechniques, the criminal modifies a computer program directly or indirectly. This is where programming skills and knowledge of the defence systems are essential. While programming fraud enjoys the greater publicity, its rate of prevalence is much lower than that of input tampering. The most publicized attack method in recent years is the use of malicious code, to include viruses, worms and Trojan horses. A virus is a program that can destroy or alter data and programs by direct modification of their images on disc (or other secondary storage)? The 109
lnfor~ation
systems
security
virus received its name from its ability to attach itself to other computer programs (distribution) and execute when the host program executes. It then searches for other programs to infect. With the infection property, a virus can spread throughout a computer system in one company or in several organizations. Viruses spread by causing secret programming instructions to be propagated into other programs. The infected programs are then repeatedly transmitted from one computer to the next throughout the communication network, or are carried by hand on diskettes from one computer to the next.” A worm is a self contained program that copies itself from one host environment to another and then causes itself to be executed in the new environment.“’ Unlike viruses, worms do not attach themselves to programs but execute as autonomous processes. Most worms exist and thrive within computer networks. They exploit holes or management oversights in a network to crawl from system to system in order to carry out their mission: destroy data, steal information or wreak other kinds of havoc.“’ Another attack method is the ZYo#n horse. The Trojan horse is a program that looks as if it is legitimate and indeed it will behave as such, doing whatever it is expected to do. However, when the program is triggered, it will do other things of which a user is not aware. Thus, the legitimate software is acting as a Trojan horse. After doing the dirty work, most Trojan horses will erase all traces of themselves from the computer memory to defeat subsequent investigation.“’
Countermeasures
and defence methods
Defence methods, or countermeasures, consist of actions, procedures, techniques, devices or other measures that are used to reduce the strength of the threats. Such methods include administrative, procedural and technical mechanisms which are explicitly concerned with protection of info~ation and information systems. Typical categories of defence methods against threats are: : :
0 * 0 0 ‘“Op.
cit., Ref. 7.
‘“CLYDE,
R.A.
(1991).
Network
worms.
Proceedings of the 8th Annual Conference for Information Security Professi~nal.~. San Diego,
“DRAPER,
s.
hackers:
(1984).
Troian
horses
33WALL.S,
and
C~mmunEcations of the
ACM, 27 (No. 11). ho. 1085-1089. ROLL., op. iit., Ref: 3.. .
CAR-
J. AND TURBAN, E. (1990). A methodology for selecting controls for information computer-based systems. Working Paper, School of Business, University of Southern California.
110
These categories can be viewed as layers of security barriers. Like an onion, good security is composed of layers wrapped on layers of defence barriers.‘3
CA, pp. Cll-C18.
“‘Ibid. trusty
Organizational control; Physical security; Logical access controls; Data controls; Communication controls; Application controls; Virus controls; and Control of personnel.
Organizational controls
Organizational controls are policies and guidelines established by the highest levels of management to demonstrate its commitment to the protection of the organization’s information system assets. These controls are strategic in nature, dictating organization-wide policy to impact how an information system will be used. Organizational controls include:
J.L.
WILSON et at.
Policy formulation. Top-management should formulate a written information security charter statement and implement an organizationwide policy to set the ground rules for a detailed security plan. The charter and policy should address information as an organizational asset, provide a mission statement of the information systems security officer and address the responsibilities of this function. Management commitment. The formulation of security policies and procedures should emphasize the commitment of higher level management to security. It also establishes that individuals will be held accountable for security. The designation of a security officer will further provide a central authority for issues dealing with security. Contingency planning. Contingency planning and back-up controls address actions to be taken if processing centres or support facilities were to face a catastrophic event. Management should show active involvement in establishing a contingency plan and allocate sufficient resources to support and carry out this plan. Physical security Physical security is concerned with protecting computer facilities and resources to safeguard their proper functioning and survival. Protecting the physical environment of a computer system is the first line of defence, and probably the easiest one. Protective features in this category include: Environment control. The risks associated with natural and environmental hazards should be minimized, if possible, by avoiding the location of the computing facility in areas with high probability of natural or environmental hazards. If impossible, then proper facility planning to withstand such risks will minimize them. Physical access control. Physicat access controls involve limiting access to system assets such as hardware, storage media and documentation. A fundamental concept in physical security is the placement of computer resources in limited access areas. This approach segregates assets such as computers, peripherals, removable secondary storage media and personnel. The required complexity of physical access controls depends on organizational characteristics, such as size of the organization, importance of the IS resource to the organization and its functioning, and hours of operation at any particular computing facility. Simple measures may be appropriate for small organizations, since an unauthorized individual would be easily recognized. In larger organizations more formalized controls are required. Some methods to restrict access include: @ Limiting the number of entrances and exits to the computing facility; @ Having a receptionist or guard monitor access at the facility entrance; 0 Using badges and colour codes on badges to indicate authorization; 0 Signing passes for taking assets in and out of the facility; and 0 Restricting access to sensitive areas. 111
information
systems security
After working hours physical access can be further restricted since authorized user activity is low. Some heightened measures include locking doors and windows, having adequate night lights, and hiring a security service. Of particular concern are the procedures used by the janitorial services, which are active after hours and require access to perform their functions. Though convenient to the janitors, unlocking several doors provides the opportunity for unauthorized personnel to gain access. The widespread use of microcomputers and end-user computing supported by distributed systems facilitates increased accessibility to computing assets spread over a broad geographic area. Physical controls in these cases strive to alIow authorized personnel access without excessive effort. Thus, additional physical measures, such as securing cables and locks on hardware items, provide added physical security in these cases. Another low cost solution is the installation of push-button combination locks, where the combination would only be given to authorized personnel and changed periodically. Fire profection. Fires in computing centres should be prevented by enforcing strict rules against fire hazards to reduce the fire threat. However, adequate detection and suppression techniques should be implemented to minimize fire damages. Fire detection equipment is reliable, cheap and easy to install. While these devices cannot prevent fires, they can provide timely alert and avoid disasters. Portable fire extinguishers can also serve as a first line of defence in keeping small fires from spreading. Clearly labelled and visible extinguishers should be placed in computer rooms, tape and disc storage areas, and any other auxiliary machine rooms within the facility. However, only CO2 extinguishers should be used since dry powder extinguishers are totally unacceptable for computing equipment. Automatic fire suppression systems, using COZ or Haion, are commercially available but expensive. The economic value of computing equipment at any particular location and its importance to the organization will determine the feasibility of installing dedicated automatic fire suppression systems.
Electrical power control. Electrical power controls protect systems against power cuts and fluctuations in power supply. Some common mechanisms are line conditioners, uninterruptible power supply (UPS) systems, and back-up electric generators. Both line conditioners and UPS systems filter commercial power by absorbing fluctuations and ensuring clean electrical power. UPS will also continue to supply electricity for a short time to safely operate equipment. During this period other backup power sources are invoked or equipment is shut off. Backup electric generators can be used to provide power not only to data processing equipment, but also to other essential services such as lighting and air-conditioning systems. The high cost of installation and maintenance of these countermeasures, particularly for back-up electric generators, must be justified by the degree of dependency of the data-processing operations. Logical access control Mechanisms providing logical access control focus on granting access permission to computing facilities. Logical access control mechanisms are hardware or software driven and usually focus on user identification
112
J.L.
WILSON
et al.
and authentication. User identification is the process by which an individual identifies himself or herself to a computer-based information system as a valid user. User authentication is the procedure by which a user establishes that he or she is indeed that user, and has the right to use the system or portions of it. Logical access control mechanisms also limit authorized users access to only those resources required to accomplish assigned job functions. Implementation of logical access controls requires invoking good administrative procedures. These procedures must first identify the resources to be protected. They must identify each individual in the organization with a unique user identifier. Lastly, they must provide an authentication capability to verify that a user is really who he or she claims to be. Authentication mechanisms are divided into three categories: @ What the user knows, such as a password or an encryption key; e What the user has - such as a token or a smart card; 0 Or something about the user - such as fingerprints, signatures or retinal scans. These categories are practically carried out as passwords or alternative authentication schemes. Pu.sswovds are the most common mechanism used today.a4 Traditional password mechanisms fall into two categories: user-generated or system-generated. In a large number of computer systems, passwords are the first line of defence against unauthorized persons trying to gain access to computer resources. Sometimes it might be the only line of defence. As such, it is imperative that this defence be as formidable as possible. Passwords are considered to be of limited usefulness as protection devices because of the relatively small number of characters they contain. However, despite horror stories associated with passwords’ use, researchers are in agreement that passwords can provide ample security if managed and handled properly.“”
%XIKAN, M. AND HAGA, W.J. (1990). Password security: An exploratory study. NPS Technical Reoort fNPS-54-90-011). Naval Postgraduate ‘School, Monterey, dk. 3S~~~~~~, B. (1988). Understanding the use of passwords. Computers and Security,
7 (No. 2),
pp. 132-236. MORRIS, K.
THOMPSON,
K.
(1979). Password
security:
AND
A case history. Communications of the A CM, 22 (No. ll), pp. 594-597. ‘%p. cit., Ref. 28.
Alternative azfthe~t~cat~orz schemes include tokens, smart cards and biometric devices. An example of a token is a bank ATM card. It requires a user to insert the card into a ‘card reader’ which reads data stored on the card’s ‘magnetic tape’ and then demands a second identifier: the user’s memorized personal identification number (PIN) to verify access. The ATM card along with the PIN ensures that the user is authenticated properly. Smart cards are microprocessor-based, credit card-size devices, with a numeric keypad and LCD screen. Most commercially available products operate in a challenge/response strategy: when a user logs on to a computing facility and enters a password or PIN, the computer responds with a numerical ‘challenge’ consisting of one or more digits. The user keys this challenge into the card, which performs a calculation using an internally stored algorithm and displays a ‘response’. The response is entered to the host computer and checked for correctness. A user is authenticated only after both the password and the response to the challenge have been validated. Biometric devices make use of a person’s biometric data, such as fingerprints or retinas of an eye, for authentication purposes.“6 Biometric devices which have been successfully applied in commercially
113
Information
systems security
available products include: retina and iris pattern scanners, voice verification, fingerprints and hand-geometry scanners. Other biometric devices examine facial images, signature dynamics and typing rhythms. However, these devices are complex, implying large data transfers between user and host. Protecting these data between reading device and host is correspondingly more difficult. The comparisons arc automated but statistical, opening the system to problems with Type I errors {admitting the wrong user) and Type II errors (excluding the right user). In addition they are costly to implement. Due to these characteristics, biometric devices are recommended only for organizations with highly sensitive data. Data controls Data security is concerned with protecting data from accidental or intentional disclosure to unauthorized persons or from unauthorized modification or destructionSS7 Data security functions are implemented through operating systems features (e.g., encryption schemes), security access control programs which limit the use of the data to authorized users, database products which monitor completeness and integrity, back-up~recovery procedures that serve as an integral part of a contingency plan, and external control procedures. Two basic principles should be reflected in data security: * *
~~nimaZ privilege. Only information a user needs to carry out an assigned task should be made available to them. Minimal exposure. Once a user gains access to sensitive information, they have the responsibility of protecting it by making sure only people whose duties require it obtain knowledge of this information while it is being processed, stored or in transit.“s
A communication network may be secured against outside threats by using a communication access control to guard against unauthorized dial-in attempts, system and encryption methods and electronic emanation controls to prevent wiretapping. Communication access control. Many companies require ‘dialing-in’ users to identify themselves with an assigned PIN or a unique password. An access control system authenticates the user’s PIN or password. Further protected communication systems proceed one step further to ensure that calls are accepted only from known telephone numbers: they break the original connection and call back the user at the number where that user is expected to be. Such systems restrict incoming calls from direct access to the computer system and grant access only through call-backs.
%3M Corporation (1987). Good security practices for information systems netwnrks. Irving, NY: IBM Corporation. %ARDINER
AND
TURBAN,
op.
Cit.,
Ref. 6.
G.C., %AI..PER, S.D., DAVIS, Q’NE~l-e DUNNE, R. AND PFAU, P.R. (1985). f?kWd-
of EDP auditing. Boston, MA: Warren. Gorham and Lament.
Message encryption. Message encryption or scrambling is used to prevent data theft by wiretapping. Encrypting data may be accomplished by installing scrambling devices at both ends of the communication connection, or by installing an algorithm within a computer program. Scrambling the transmitted data makes it uninterpretable to a wiretapper.
book
114
Electronic erna~~tj~~ control. Electronic
emanations
are signals trans-
J.L. WILSON et al.
mitted as radiation through the air and conductors. Emanations security controls are measures designed to deny unauthorized access to information that might be derived from intercept and analysis of compromising emanations. Two traditional approaches are taken to prevent disclosure through emanations. The first employs shielding system components or entire computing facilities to trap signals. The second is the modification of emitted signals such as the addition of spurious signals. Through shielding or modification of the emanations, adversaries are prevented from intercepting and interpreting electromagnetic emanations from computers, communications devices, and other electronic equipment. Application controls Traditional accounting controls should be included in the design of application systems, One well-known principle is separation of duties ensuring that no employee performs all steps in a single transaction. Such a practice is a deterrent to crime, because the transaction is subject to separate, independent checks for accuracy and possible fraud. Security can also be improved by occasionally rotating the duties and responsibilities of employees.40 Similar controls may be imposed on the use of many application systems. Virus controls A number of different controls and precautions should be implemented to prevent malicious code penetration or detect those that exist:4’ Prevention: Know the origin of all software and refrain from using software from unknown sources. Use a memory-resident virus immune program to alert against virus presence. Test all new software using an anti-virus program and isolate new software until it is tested. Restrict access to programs and data on a need-to-know basis. Forbid employees to install unauthorized software on office computers or take office software home for use. ~e~~c~jo~~ Use an anti-virus program periodically to check all software for reinfection. Watch for changes in a systems’ operation. Monitor modification dates of programs and files, look for changes in volume labels and try to check the length of programs to detect changes. Control of personnel Personnel internal to the organization have been identified as the greatest risk group to an information system. Management control of personnel is concerned with the appropriate selection, screening and supervision of employees.
4t)HUSSAIN,
Managing
D.
AND
HUSSAIN.
computer
K.M.
resources.
(1988). Home-
wood, 11: Irwin. 41~0~~~, C.L. (1987). Taxonomy of computer virus defense mechanisms. Proceed-
ings of the 10th National Computer Security Conference. Washington, DC, pp. 220-
Selection and screening. It is essential for employees who have access to information and computing resources to perform with competence, loyalty and integrity; however, such traits often cannot be readily determined in prospective employees except by a skilled interviewer. Therefore, a thorough pre-employment screening of applicants is necessary for applicants who will have access to computer systems.42
225. 42KN0’lTS, R. AND RICHARDS, 7. (1989). Computer security: Who’s minding the store? The Academy of Management Ex-
ecutive, If (No. l), pp. 6S66.
Retention. Once hired, personnel should be aware of the value of system assets. The value of information assets is rarely appreciated until it is corrupted or otherwise no longer accessible. To help protect these 115
fnfofnxition
sysfems
security
assets, new employees should be indoctrinated into their responsibilities and sign a non-disclosure agreement. The security policy of the organization, and consequences for violation, should be explained. Compliance with IS asset protection responsibilities must be mandatory, and should be considered a condition of continued employment. Formal security awareness programs should also be periodically administered to user managers and employees to remind them of the organization’s security policy, procedures and standards. The establishn~ent of an employee code of conduct can clearly delineate expected employee responsibility. Termination. When empIoyees leave the organization, their accesses to the computer system should be revoked. Unfortunately, user managers frequently overlook this procedure through complacency, forgetfulness or other reasons.43
The managerial
issues -
a framework
Realizing the threats, vulner~~biiities and available defence mechanisms, managerial issues of jnforrnat~~~~ security can be organized along the four classical phases of the process of managcmcnt: planning, organizing, directing and controi. Each of these phases encompasses a number of topics. This arrangement can be used as a framework for developing an information security management programme. A brief discussion of topics for each phase follows, Planning ‘fo minimize the risks to an organization’s information systems, an IS security plan must be formulated and endorsed by the highest levels of management.~4 The formulation of an IS security plan requires a systematic study of the organization’s IS assets, and a listing of potential threats and proposed countermeasures.“’ This process usually consists of the foIlowing six steps: 0 a 0 0 * a
Identify IS assets; Assess threats and risks; Analyse vulnerabilities; Evaluate existing and potential countermeasures; Evaluate current security level; and Formulate a security plan.
The end-product, the IS security plan, is a written document that summarizes the assets, identifies the threats and yul~~~rab~litics of the information systems and addresses IS security needs. J30p. cit.,Ref. 40. J4tARKOLt,
J.M.
AND
WU.
0.1..
(1983).
Methodology for security analysis of data processing systems. Computers & Security:y, 2 (Ph. l), pp. 24-34. Op. cif., Refs 7 and
37. %ISXIER, R.P.(1984). security. Englewood
Organizing The organization phase aims at implementing the IS security plan. Based on this plan, a company needs to organize its IS security. This includes:
fflformarion systms
Cliffs: NJ: Prentice-
0
Hall. ZVIRAN, hl., HOGE, J.C. ANU MICUCCI, V.A.(1989). SPAN - A DSS for security
0
plan analysis, Ctimputers & Security, 9 (No. 21, pp. 1.53-160. 09. cit., Ref. 2.
@
Development of security policy involving procedures and standards; Selection and training of security administrators; Selection and implementation of security products and techniques, etc.
J.L.
WILSON et ai.
In many companies the responsibility for security is fragmented. The remedy is to appoint a high-level security manager with the authority to act for the entire organization for all security-related issues. There are sound technical and practical reasons for placing the IS security manager in the IS department. 4kThe security manager is responsible for carrying out the organization’s security plan, including the development and implementation of all required procedures and standards to execute the plan.
This phase involves leading and managing security administrators, and conducting user and management awareness programmes to gain support and increase motivation for security. The direction phase is also a responsibility of the organization’s line managers, who should be familiar with the organization’s security policy. Line managers are responsible for protecting all resources allocated to them and for ensuring that employees are aware of and abide by the established security policy and procedures and standards.“7
The control phase focuses on: 0
Monitoring the effectiveness of security procedures, standards and controls; e Administering security products, procedures and services; @ Investigating security breaches; e Participating in security reviews of application development efforts; l Internal and external auditing; and 0 Consulting. Some specific responsibilities of the audit functions include monitoring all responsible areas to ensure adherence to the security policy, auditing all critical operating system and application resources, and monitoring access controls established by the security administrators.
Risk analysis and some basic recommendations
“‘BUSS,
M.U.J.
AND
SALERNO,
L.M.
Common sense and computer Harvard Business Review, 62 112-121. l?Op. cit., Ref. 37.
(1984). security. (No. 2),
The future of IS security lies in the level of management awareness of the vulnerability of the organization’s information systems and the implications of security problems once they develop. Thus, a first step towards a secured information system is gaining top management’s recognition of the importance of the IS security issue. While top management support is critical in emphasizing the importance and increasing the awareness of the IS security issue, practical guidance to obtaining security is needed. This is done through formulating an IS security policy and developing a comprehensive IS security plan. The decisions involved in establishing an IS security plan are subjective and unstructured. The crucial elements of risk and vulnerability assessment are subject to personal perceptions of threats to information resources, the impact of realized threats, and the probability of their occurrence. Although such a process calls for a systematic study of all IS assets and corresponding security characteristics, the results might be limited to the knowledge of a specific decision maker. Moreover, since
117
information
systems
security
decision makers may place emphasis in different areas, the outcomes may vary from one decision maker to another. A decision support tool can, therefore, provide significant guidance to reduce the risks associated with inadequate security measures.48 Installation of security measures is based on a balance between the cost of security and the need to reduce or eliminate threats, or expected loss. Risk management techniques help organizations to identify threats and select cost-effective security measures.4y Computer-based software packages provide a method for assessing threats and risks and deciding which to accept, reduce, or eliminate. Their major value is in providing a structure for ranking exposures that can be incorporated into an action plan.50 Some software packages go beyond this objective and provide a comprehensive decision aid for the entire task of IS security planning. Computer-based IS security analysis products fall into two categories: qualitative and quantitative.“’ Quantitative packages direct a user in assessing the value of the IS resources and estimating threat frequencies. They then evaluate the threats as loss exposures or annualized loss expectancy (ALE), expressed in monetary values. Calculations are usually obtained by multiplying the replacement cost of an asset by the estimated threat frequency. Since the end-product of quantitative packages is more exact, their implementation requires more time and effort than the qualitative approach. Qualitative security analysis packages use a risk scale, either alphabetical, numerical or verbal, for each threat/vulnerability/asset combination. These scales allow decision makers to assess the impact of existing vulnerabilities and the appropriateness of various countermeasures against the identified threats. The following are examples of available products for risk assessment and security planning:
0
‘*Op.
cit.,
(CARK~LL
Refs AND
3
(CARROLL),
7 and
44
wu).
4Q0n. cit.. Refs 12 and 45 (ZVIRAN et al.). 50~&~~~; R. (1986). Expert systems fbr risk analysis and crisis management. In: Security and protection in information systems (A. Grissonanche, ed.). Elsevier. pp. 401-409. WOOD. cc. (1988). A context for information systems security planning. Computers & Security, 7 (No. 3), pp. 455465. “Datapro (1990). Risk analysis software. Datupro Reports on Informat~5~ Security, pp. 151-160. POWELL, K. (1988). SOftWXe program defines SBA’s security needs. Government Security News, 7 (No. 24). pp. 97-98. TOMKINS, F.G. (1989). How t0 select a risk analysis software package. Datupro Reports on Information Security, p$?. 101-107. Datapro, op. cit., Ref. 51. 53T~~~~~~, op. cit., Ref. 51. 54Datapro, op. cit., Ref. 51. 55~~~~~~ et al., op. cit., Ref. 45. 56Datapro, op. cit., Ref. 51.
118
l
0
0
The Buddy System,52 which employs a qualitative methodology to determine the level of vulnerability in 14 areas and provides a final risk analysis report with conclusions and recommendations. CAS (Computer Aided Security) expert system for managing computer security. 53 It consists of a semi-structured approach to assess risks and applies the appropriate countermeasures to achieve IS security. CRAMM is a menu-driven, knowledge-based, risk-assessment tool and management methodology software support tool.“” Menus take the user through three stages of risk assessment using qualitative means. Once a risk is identified, appropriate countermeasures are recommended from a library of over 1000 countermeasures. SPAN is a qualitative decision support system for the security planning processs5 It attempts to reduce the gap between the perceptions of threats and vuinerabilities and their reality by using an internal database with a broad knowledge base of threats, vulnerabilities and applicable countermeasures for each category of IS assets. It systematically guides a decision maker through each planning step, ensuring that all activities receive adequate attention. Risk Watch supports quantitative and qualitative risk assessments. 5h Online screens are used to key in asset information and customize threats data. The system matches the user’s data against its expert knowledge and identifies weaknesses in the security plan, what safeguards should be implemented, and how much each safeguard will save the organization.
J.L. WILSON et ai.
Another recommendation pertains to the implementation of the IS security plan. Planning for IS security is just a means and not an end. After the plan is concluded and approved, an organization needs to allocate the necessary resources to ensure implementation. Moreover, frequent changes in an organization’s computing resources and architecture, as well as its personnel, suggest that the IS security plan needs to be periodically evaluated and revised.
Conclusion As organizations become more dependent on the smooth functioning of their IS resources, an increasing amount of attention should be given to the security of these resources. As a result, many organizations need to prepare and implement adequate security measures to protect IS resources. Technological developments and changes in the business environment have induced important changes in the nature of computer-related crime. These changes, in turn, impose a requirement on top management, as well as on IS management, to recognize the threats to their computing resources and establish a security policy and an IS security plan. In an effort to minimize the risks associated with the threats to an organization’s computer-based information system, a set of countermeasures should be installed. Countermeasures may be conceptualized as performing three basic functions: prevention, detection and correction of threats. A particular countermeasure may exhibit more than one of the three basic functions, as it may also protect more than one type of asset against more than one type of threat. Each organization must assess its particular security needs and install a practical mix of countermeasures to minimize the threats to its computing facilities.
119
Information security has bmn recog&ed as drte &the major issues af importance in the management of organizational information systems. Losses resulting from computer abuse and errors ~8 substantial, and information systems managers continue to cite security rend control as a key management iwue. This paper presents the various dimensions of the problem, suggests specific steps that can be taken to improve tha management of information security, and points to several research directions.
The rapid progress
in ~on~puterand ~mmuu~~atious te~hno~ogjes in the
fasttwo decades
has rendered most organizations vulnerable to misuse or abuse of computer-based information systems QS).” While information systems provide opportunities to improve an organization’s func'~Hrruv, N. AND NEUMANN,% (1990).Frim tioning and enhance its products or services, they can &XI expose cipkr?sof information systems for manageorganizations to significant risks as organizations become increasingly men/. Dubuque, Iowa: Wm. C. Brown (3rd dependent on information resources.* Therefore, important concerns edn). WISBMAN, c. (1988). Strutegic Irrjbr’motion Sjstems. Homewoad, IL: Irwin. that accompany the use of information technology arc how much ‘XXUKC>vrrs, 1. (1984). Management of corn-security is needed to protect computing facilities and information putw operaricms. Englewood Cliffs, NJ: resources and how to obtain this level of security.” Prentice-WalI. WETHERBF, 3.c. JBRANCHEAU, 1. AND Evidence for the ~n~~~~ta~~~~of IS security is provided by the <1%?7). Key issuesin jff~ormatjon systems. %I.5 ~~~~~~~~~,I I jx-n. I ) , pp. 13-45.CAR- frequency with which security and control are cited as a key manageKOLl”,.;.?a.frw). cnrtrpz4atetswwity. Bos- ment issue by IS rnanag~~s.~~Sptague and ~~~~nrljn further suggest that hm, MA: Butrerworths fkd edn). security and integrity are one of the six hjgh-priority concerns of IS %Al.l., I... AND HARRIS, R. (1982). .%J~fS managers in the future.” mcmhers: A membership analysis. MIS Information security can be viewed from two aspects: technological G)it~rk?+‘, 6 (No. I), pp. 19-38. HFNJON, r>,~. (1983). A field study of end user and managerial. While much attention is given to the technological computing: Findings and issues, Mf$ isues, only little attention is given, both in literature and the real world, &uurtrrly, 7 (No. 4), pp. 35-45. DICKSON, O.w., L.~lTHEISER,R.L., NECHIS, M. ANI? to the managerial side,” WE'THRKIZE, J.C-.(1984). Key information The purpose of this paper is to review the managerial aspects of systems issues for the 1980s. MIS Qwmrinformation security, and to point to practical recommendations in these aspects. The f&owing sections provide a brief overview of IS security, discuss the di~~~~ltje~ of managing ~nformatjon security, and address the i,ssues of attack and defence. managerial issues ~~n~er~ing 1S security are then defined and some basic recommendations are drawn. ‘The paper concludes with a summary of managemen~~s role in IS security. Xrtformation cystems manugrmenl in pr& tiw. Enalewood Cliffs, NJ: Prenticc”.Hsll,
What is information
security?
Information security is concerned with the protection of computing _L . facilities from deliberate or accidental threats that may exploit vulnerabilities of a computing system. ’ The target of a crime involving computers may be any portion of a computing facility: hardware,
/nformation
systems
security
software, data or communication networks. The multiplicity of targets makes information security difficult. There is a scarcity of reliable information about the amount of computer crime occurring and the nature and severity of the crimes. The available evidence suggests significant losses8 although the full extent is unknown. A number of organizations have compiled evidence about the nature and scope of computer crime. Highlights of some of these studies are reported below. The purpose of these examples is not to examine specific cases in depth, but rather to convey some idea of the volume, variety and scope of known computer crime. *
e
e
continued from page 105 WILKES. M.V. (1990). Conmuter security in the husks world.‘Communications ofthe ACM, 33 (No. 4), pp. 399401. 7PFLEEGER, C.P. (1989). &WUity in COmpUting. Englewood Cliffs, NJ: Prentice-Hall. ‘ALAW, M. AND WEISS, I. (1985). Managing the risks associated with end-user computing. Jotirnal of ~anagemerlt I~f~rmatjo~ Systems, 2 (No. 3), pp. 5-20. American Bar Association (1984). Report on computer crime. American Bar Association, Section on Criminal Justice, Pamphlet, Washington, DC. NYCUM, S.H. AND PARKER, D.B. (1986). Prosecutorial experience with state computer crime laws in the United States. In: Security and protection in information systems (A. drissonanche, ed.). Elsevier. pp. 307-319. 90’~~~~~~~~~, J. (1986). Computer crime is usually an inside job. Digital Review, 21 July. 10~~~~~~~~~, M. (1989). Morris indicted in Internet virus affair. Co~~~uter~~r~d, 31 July, p. 8. “PARKER, D.B. (1986). Consequential loss from cornouter crime. in: Securily and protection in’information systems (A G&sonanche. ed.). Elsevier. DD. 375-380. ‘“US kon&ess, Offick’ of Technology Assessment (1986). Federal government information technology: Management, secur;ty and congression% oversight. OTA-CIT297, IJS Government Printing Office, Washington, DC. ‘3American Bar Association, 0~. cit., Ref. 8.
106
0
O’Donoghue studied 184 Forbes 500 Corporations.’ Of these, 56 per cent reported that a major computer crime had been detected during the previous 12 months, for an average loss of $11 800 per incident. In November 1988, a virus spread through a Department of Defense (DOD) communications network (Internet) linking computers located in military complexes and university campuses.” The virus entered an estimated 6000 computer systems. Although the virus did not destroy data on the computers’ data files, it did take up memory space and, by reproducing itself over and over, slowed down processing on the computers. The damage was estimated to be about $100 million. IBM reported an $11 million loss in December 1987, when a West German student’s Christmas message to a friend (attached to a virus) unintentionally swamped IBM’s international network. The infected message created an ‘electronic chain letter’ that virtually shutdown the network. While some experts (e.g., Parker”) feel that it is impossible to assess the amount and damage of computer crimes, other experts argue that it is possible to develop usable data on computer crime. One estimate suggests that out of 1406 cases tracked there is an average loss of $500 000 per case.”
In January 1984, a published study included a forecast of spending on information security. This forecast projected an increase in spending from an estimated $3.51 billion in 1987 to a projected $11.83 billion in 1995.13 Despite the importance of the topic, information security is still considered by many executives as a ‘necessary evil’ that should be the concern of computer scientists rather than of managers. This attitude developed in part because of the difficulties in managing information security.
Difficulties in managing information
security
The management of information security is arduous and is increasing in complexity. Some major factors that have a significant impact on the problem are:
l 0
e e
e
e
l
Content; Lack of control; Opportunities; Detection and prosecution; Magnitude and complexity; Difficulty in defence; and Assessment of costs and benefits.
J.L.
WILSON et
at.
Content Information security encompasses four major assets of computing resources: hardware, software, data and communication networks.14 In planning for the security of these resources, one can identify dozens of security issues ranging from computer viruses and software piracy to theft of hardware equipment. Lack of control Information assets are controlled by many individuals. Nolan indicated that in 1980 only 36 per cent of the average organization’s information processing budget was under the control of the chief information officer (CIO). l5 This lack of control poses significant difficulties in securing the computing resources. The opportunities Rapidly changing computing environments present many new opportunities for computer criminals. ih Furthermore, the public portion of communication networks (such as telephone lines) is very vulnerable. For example, wire tapping is a simple and inexpensive undertaking; even fibre optics lines can now be tapped. It is simply impossible or too expensive to protect against all the threats.” Detection and prosecution Most computer crimes are probably undetected. Furthermore, detected computer crimes often go unprosecuted and only a very small proportion of those that are prosecuted receive guilty verdicts. For example, in the O’Donoghue study,‘* about 30 per cent of computer crime was untraceable. Magnitude and complexity The security problem can be developed on a fairly large scale. The widespread use of distributed computing and communication networks allows intruders to break into remote systems and remain undetected. Difficulties in defence Even with the technically best countermeasures designed to reduce system vulnerability, an intruder has an advantage: most organizations simply cannot afford to protect against allpossible threats. Moreover, in some instances, the technology may not even be available for protection. Assessment of costs and benefits
“‘Up.cit., Ref. 7. ?NOLAN, R. (1982). Managing information systems by committee. Harvard Business Review, 60 (No. 4), pp. 72-79. “ATKINS, w. (1985). Jesse James at the terminal. Harvard Business Review, 63 (No. 4), pp. 82-87.
‘?Op. cit., Ref. 7. 180p.cit., Ref. 9. *‘Op. cit., Ref. 11.
It is very difficult, not only to detect computer crime, but also to assess the damage that results from such crimes. There are many intangibles. The subsequent costs of a computer crime can be very complicated to assess, especially in advance. l9 Therefore, it is difficult to conduct a risk analysis in order to justify security investments in information systems.
Threats and attacks The threats A threat is a circumstance that has the potential to cause loss or harm to 107
hformation
systems security
resources, such as hardware, software, data or communication networks.*O Threats exhibit varying degrees of detectability and controllability. Fire is an example of a threat which is easily detectable and controllable while natural disasters such as earthquakes or floods are difficult to control and detected only when they occur. Threats to computing resources may impact assets in four ways: computing
0 0 @ e
Destruction: the asset is not reparable or recoverable. Modification: altering an asset by changing its representation or adding more to the representation. Disclosure: information is accessed by or released to someone lacking a need-to-know. Denial of services: resources are unavailable to authorized users.
The threats associated with a computer environment include those that are commonly associated with general protection of property, as well as problems peculiar to computers and information systems. The two major categories are environmental threats and human threats. ~nvirun~e~tal threats represent non-deliberate, accidental threats to computing facilities that include earthquakes, hurricanes and storms, lightning strikes and floods. These risks are considered as acts of God and beyond human control. They also include, however, man-made accidental hazards, incIuding urban unrest and hazardous industries, which increase the vulnerability of a computing facility. Environmental threats are the most visible and tangible threats, which can also be most devastating.
Humun threats can originate from outsiders (37 per cent according to O’Donoghue”), who penetrate a computer system through communication networks, or from insidrr.~ (63 per cent), who are authorized to use the computer system:
e e
O~~ider~: ‘Hacker’ is the term used to describe outside people who penetrate a computer system. A ‘Cracker’ is a malicious hacker and is comprised mostly of juvenile delinquents, who are a serious nuisance for business.22 Insiders: Like other types of white-collar crime, attacks from insiders are frequently not reported to law enforcement authorities. Consequently, attacks from insiders have received considerably less public attention than have attacks from hackers.*’ Threats from insiders, authorized to use the computer system, can be categorized as mistakes, dishonest employees with self-serving goals, loss or disruption to computer systems from any cause, and disgruntled employees who commit damaging acts without economic or other self-serving goals.24
The attackers -“Op. cit., Ref. 7. “‘Op. cit., Ref. 9. Z2~~~.~~~~~, J. (1986). Computer crime: The who, what, where, when, why and how. Data Processing and Communications Securiry, 10 (No. l), pp. 19-23. 230p. cit., Ref. 12. 241bid. “Op. cit.. Ref. 22.
108
There is fairly rapid growth in malicious acts against computer-based information systems and in computer-related crimes. However, only few computer criminals are being caught and prosecuted. Information systems can be attacked at any time by many potential attackers. Based on a literature search, Bolognaz5 made an attempt to compile an attacker’s profile, as depicted in Figure 1. Computer criminats tend to be relatively honest and in positions of
J.L. WILSON et al.
Sex: Male Age: 19-30 Race: White Criminal Record: None Position: In data processing or accounting
IQ: High, bright and creative Appearance: Outwardly self-confident, eager and energetic Approuc~ to work: Adventurous, willing to accept technical
challenge, and highly motivated
Figure 1. The profile of a typical computer
criminal
trust. Most of them do not consider their acts to be truly crimes. The intruders are relatively young, bright, eager and highly motivated. Most intruders are male while women have tended to be accomplices. While a typical attacker comes from an IS-related position, many other computer criminals who have been caught have had no formal or extensive computer training. This profile results in many potential criminals, which makes protecting against them difficult.” The motivation. according to Bologna,” can be classified in one of the following categories: a
Economic:
Need for money because of reasons that may include high living, expensive tastes, gambling, family sickness or drug abuse. Ideological: It is fashionable to be anti-establishment, so deceiving the establishment is a fair game because the establishment is deceiving everyone else. Egocentric: Beating the system is fun, challenging and adventurous. Egocentricity seems to be the most distinguishing motive of computer criminals. They often commit their crimes to show how smart they are and how easily controfs can be compromised by a truly dedicated and knowfedgeable worker. Psychological: Let’s get even with the employer, because the employee feels exploited by their cold, indifferent and impersonal employer.
The attack methods
260[~. cit., Ref. 11. ‘?Op. cit., Ref. 22. 28COHEN, F. (1987). Computer viruses: Theory and experiments. Proceedings uf
the 7th National Computer Security Conference. Washington, DC, pp. 22@225.
Input tampering and programming techniques are two basic approaches most commonly used, independently or jointly, by the criminals to deliberately attack computer systems. Input ia~zperi~g is the approach most often used by insiders. It involves entering false, fabricated or fraudulent data into the computer. In programming fechniques, the criminal modifies a computer program directly or indirectly. This is where programming skills and knowledge of the defence systems are essential. While programming fraud enjoys the greater publicity, its rate of prevalence is much lower than that of input tampering. The most publicized attack method in recent years is the use of malicious code, to include viruses, worms and Trojan horses. A virus is a program that can destroy or alter data and programs by direct modification of their images on disc (or other secondary storage)? The 109
lnfor~ation
systems
security
virus received its name from its ability to attach itself to other computer programs (distribution) and execute when the host program executes. It then searches for other programs to infect. With the infection property, a virus can spread throughout a computer system in one company or in several organizations. Viruses spread by causing secret programming instructions to be propagated into other programs. The infected programs are then repeatedly transmitted from one computer to the next throughout the communication network, or are carried by hand on diskettes from one computer to the next.” A worm is a self contained program that copies itself from one host environment to another and then causes itself to be executed in the new environment.“’ Unlike viruses, worms do not attach themselves to programs but execute as autonomous processes. Most worms exist and thrive within computer networks. They exploit holes or management oversights in a network to crawl from system to system in order to carry out their mission: destroy data, steal information or wreak other kinds of havoc.“’ Another attack method is the ZYo#n horse. The Trojan horse is a program that looks as if it is legitimate and indeed it will behave as such, doing whatever it is expected to do. However, when the program is triggered, it will do other things of which a user is not aware. Thus, the legitimate software is acting as a Trojan horse. After doing the dirty work, most Trojan horses will erase all traces of themselves from the computer memory to defeat subsequent investigation.“’
Countermeasures
and defence methods
Defence methods, or countermeasures, consist of actions, procedures, techniques, devices or other measures that are used to reduce the strength of the threats. Such methods include administrative, procedural and technical mechanisms which are explicitly concerned with protection of info~ation and information systems. Typical categories of defence methods against threats are: : :
0 * 0 0 ‘“Op.
cit., Ref. 7.
‘“CLYDE,
R.A.
(1991).
Network
worms.
Proceedings of the 8th Annual Conference for Information Security Professi~nal.~. San Diego,
“DRAPER,
s.
hackers:
(1984).
Troian
horses
33WALL.S,
and
C~mmunEcations of the
ACM, 27 (No. 11). ho. 1085-1089. ROLL., op. iit., Ref: 3.. .
CAR-
J. AND TURBAN, E. (1990). A methodology for selecting controls for information computer-based systems. Working Paper, School of Business, University of Southern California.
110
These categories can be viewed as layers of security barriers. Like an onion, good security is composed of layers wrapped on layers of defence barriers.‘3
CA, pp. Cll-C18.
“‘Ibid. trusty
Organizational control; Physical security; Logical access controls; Data controls; Communication controls; Application controls; Virus controls; and Control of personnel.
Organizational controls
Organizational controls are policies and guidelines established by the highest levels of management to demonstrate its commitment to the protection of the organization’s information system assets. These controls are strategic in nature, dictating organization-wide policy to impact how an information system will be used. Organizational controls include:
J.L.
WILSON et at.
Policy formulation. Top-management should formulate a written information security charter statement and implement an organizationwide policy to set the ground rules for a detailed security plan. The charter and policy should address information as an organizational asset, provide a mission statement of the information systems security officer and address the responsibilities of this function. Management commitment. The formulation of security policies and procedures should emphasize the commitment of higher level management to security. It also establishes that individuals will be held accountable for security. The designation of a security officer will further provide a central authority for issues dealing with security. Contingency planning. Contingency planning and back-up controls address actions to be taken if processing centres or support facilities were to face a catastrophic event. Management should show active involvement in establishing a contingency plan and allocate sufficient resources to support and carry out this plan. Physical security Physical security is concerned with protecting computer facilities and resources to safeguard their proper functioning and survival. Protecting the physical environment of a computer system is the first line of defence, and probably the easiest one. Protective features in this category include: Environment control. The risks associated with natural and environmental hazards should be minimized, if possible, by avoiding the location of the computing facility in areas with high probability of natural or environmental hazards. If impossible, then proper facility planning to withstand such risks will minimize them. Physical access control. Physicat access controls involve limiting access to system assets such as hardware, storage media and documentation. A fundamental concept in physical security is the placement of computer resources in limited access areas. This approach segregates assets such as computers, peripherals, removable secondary storage media and personnel. The required complexity of physical access controls depends on organizational characteristics, such as size of the organization, importance of the IS resource to the organization and its functioning, and hours of operation at any particular computing facility. Simple measures may be appropriate for small organizations, since an unauthorized individual would be easily recognized. In larger organizations more formalized controls are required. Some methods to restrict access include: @ Limiting the number of entrances and exits to the computing facility; @ Having a receptionist or guard monitor access at the facility entrance; 0 Using badges and colour codes on badges to indicate authorization; 0 Signing passes for taking assets in and out of the facility; and 0 Restricting access to sensitive areas. 111
information
systems security
After working hours physical access can be further restricted since authorized user activity is low. Some heightened measures include locking doors and windows, having adequate night lights, and hiring a security service. Of particular concern are the procedures used by the janitorial services, which are active after hours and require access to perform their functions. Though convenient to the janitors, unlocking several doors provides the opportunity for unauthorized personnel to gain access. The widespread use of microcomputers and end-user computing supported by distributed systems facilitates increased accessibility to computing assets spread over a broad geographic area. Physical controls in these cases strive to alIow authorized personnel access without excessive effort. Thus, additional physical measures, such as securing cables and locks on hardware items, provide added physical security in these cases. Another low cost solution is the installation of push-button combination locks, where the combination would only be given to authorized personnel and changed periodically. Fire profection. Fires in computing centres should be prevented by enforcing strict rules against fire hazards to reduce the fire threat. However, adequate detection and suppression techniques should be implemented to minimize fire damages. Fire detection equipment is reliable, cheap and easy to install. While these devices cannot prevent fires, they can provide timely alert and avoid disasters. Portable fire extinguishers can also serve as a first line of defence in keeping small fires from spreading. Clearly labelled and visible extinguishers should be placed in computer rooms, tape and disc storage areas, and any other auxiliary machine rooms within the facility. However, only CO2 extinguishers should be used since dry powder extinguishers are totally unacceptable for computing equipment. Automatic fire suppression systems, using COZ or Haion, are commercially available but expensive. The economic value of computing equipment at any particular location and its importance to the organization will determine the feasibility of installing dedicated automatic fire suppression systems.
Electrical power control. Electrical power controls protect systems against power cuts and fluctuations in power supply. Some common mechanisms are line conditioners, uninterruptible power supply (UPS) systems, and back-up electric generators. Both line conditioners and UPS systems filter commercial power by absorbing fluctuations and ensuring clean electrical power. UPS will also continue to supply electricity for a short time to safely operate equipment. During this period other backup power sources are invoked or equipment is shut off. Backup electric generators can be used to provide power not only to data processing equipment, but also to other essential services such as lighting and air-conditioning systems. The high cost of installation and maintenance of these countermeasures, particularly for back-up electric generators, must be justified by the degree of dependency of the data-processing operations. Logical access control Mechanisms providing logical access control focus on granting access permission to computing facilities. Logical access control mechanisms are hardware or software driven and usually focus on user identification
112
J.L.
WILSON
et al.
and authentication. User identification is the process by which an individual identifies himself or herself to a computer-based information system as a valid user. User authentication is the procedure by which a user establishes that he or she is indeed that user, and has the right to use the system or portions of it. Logical access control mechanisms also limit authorized users access to only those resources required to accomplish assigned job functions. Implementation of logical access controls requires invoking good administrative procedures. These procedures must first identify the resources to be protected. They must identify each individual in the organization with a unique user identifier. Lastly, they must provide an authentication capability to verify that a user is really who he or she claims to be. Authentication mechanisms are divided into three categories: @ What the user knows, such as a password or an encryption key; e What the user has - such as a token or a smart card; 0 Or something about the user - such as fingerprints, signatures or retinal scans. These categories are practically carried out as passwords or alternative authentication schemes. Pu.sswovds are the most common mechanism used today.a4 Traditional password mechanisms fall into two categories: user-generated or system-generated. In a large number of computer systems, passwords are the first line of defence against unauthorized persons trying to gain access to computer resources. Sometimes it might be the only line of defence. As such, it is imperative that this defence be as formidable as possible. Passwords are considered to be of limited usefulness as protection devices because of the relatively small number of characters they contain. However, despite horror stories associated with passwords’ use, researchers are in agreement that passwords can provide ample security if managed and handled properly.“”
%XIKAN, M. AND HAGA, W.J. (1990). Password security: An exploratory study. NPS Technical Reoort fNPS-54-90-011). Naval Postgraduate ‘School, Monterey, dk. 3S~~~~~~, B. (1988). Understanding the use of passwords. Computers and Security,
7 (No. 2),
pp. 132-236. MORRIS, K.
THOMPSON,
K.
(1979). Password
security:
AND
A case history. Communications of the A CM, 22 (No. ll), pp. 594-597. ‘%p. cit., Ref. 28.
Alternative azfthe~t~cat~orz schemes include tokens, smart cards and biometric devices. An example of a token is a bank ATM card. It requires a user to insert the card into a ‘card reader’ which reads data stored on the card’s ‘magnetic tape’ and then demands a second identifier: the user’s memorized personal identification number (PIN) to verify access. The ATM card along with the PIN ensures that the user is authenticated properly. Smart cards are microprocessor-based, credit card-size devices, with a numeric keypad and LCD screen. Most commercially available products operate in a challenge/response strategy: when a user logs on to a computing facility and enters a password or PIN, the computer responds with a numerical ‘challenge’ consisting of one or more digits. The user keys this challenge into the card, which performs a calculation using an internally stored algorithm and displays a ‘response’. The response is entered to the host computer and checked for correctness. A user is authenticated only after both the password and the response to the challenge have been validated. Biometric devices make use of a person’s biometric data, such as fingerprints or retinas of an eye, for authentication purposes.“6 Biometric devices which have been successfully applied in commercially
113
Information
systems security
available products include: retina and iris pattern scanners, voice verification, fingerprints and hand-geometry scanners. Other biometric devices examine facial images, signature dynamics and typing rhythms. However, these devices are complex, implying large data transfers between user and host. Protecting these data between reading device and host is correspondingly more difficult. The comparisons arc automated but statistical, opening the system to problems with Type I errors {admitting the wrong user) and Type II errors (excluding the right user). In addition they are costly to implement. Due to these characteristics, biometric devices are recommended only for organizations with highly sensitive data. Data controls Data security is concerned with protecting data from accidental or intentional disclosure to unauthorized persons or from unauthorized modification or destructionSS7 Data security functions are implemented through operating systems features (e.g., encryption schemes), security access control programs which limit the use of the data to authorized users, database products which monitor completeness and integrity, back-up~recovery procedures that serve as an integral part of a contingency plan, and external control procedures. Two basic principles should be reflected in data security: * *
~~nimaZ privilege. Only information a user needs to carry out an assigned task should be made available to them. Minimal exposure. Once a user gains access to sensitive information, they have the responsibility of protecting it by making sure only people whose duties require it obtain knowledge of this information while it is being processed, stored or in transit.“s
A communication network may be secured against outside threats by using a communication access control to guard against unauthorized dial-in attempts, system and encryption methods and electronic emanation controls to prevent wiretapping. Communication access control. Many companies require ‘dialing-in’ users to identify themselves with an assigned PIN or a unique password. An access control system authenticates the user’s PIN or password. Further protected communication systems proceed one step further to ensure that calls are accepted only from known telephone numbers: they break the original connection and call back the user at the number where that user is expected to be. Such systems restrict incoming calls from direct access to the computer system and grant access only through call-backs.
%3M Corporation (1987). Good security practices for information systems netwnrks. Irving, NY: IBM Corporation. %ARDINER
AND
TURBAN,
op.
Cit.,
Ref. 6.
G.C., %AI..PER, S.D., DAVIS, Q’NE~l-e DUNNE, R. AND PFAU, P.R. (1985). f?kWd-
of EDP auditing. Boston, MA: Warren. Gorham and Lament.
Message encryption. Message encryption or scrambling is used to prevent data theft by wiretapping. Encrypting data may be accomplished by installing scrambling devices at both ends of the communication connection, or by installing an algorithm within a computer program. Scrambling the transmitted data makes it uninterpretable to a wiretapper.
book
114
Electronic erna~~tj~~ control. Electronic
emanations
are signals trans-
J.L. WILSON et al.
mitted as radiation through the air and conductors. Emanations security controls are measures designed to deny unauthorized access to information that might be derived from intercept and analysis of compromising emanations. Two traditional approaches are taken to prevent disclosure through emanations. The first employs shielding system components or entire computing facilities to trap signals. The second is the modification of emitted signals such as the addition of spurious signals. Through shielding or modification of the emanations, adversaries are prevented from intercepting and interpreting electromagnetic emanations from computers, communications devices, and other electronic equipment. Application controls Traditional accounting controls should be included in the design of application systems, One well-known principle is separation of duties ensuring that no employee performs all steps in a single transaction. Such a practice is a deterrent to crime, because the transaction is subject to separate, independent checks for accuracy and possible fraud. Security can also be improved by occasionally rotating the duties and responsibilities of employees.40 Similar controls may be imposed on the use of many application systems. Virus controls A number of different controls and precautions should be implemented to prevent malicious code penetration or detect those that exist:4’ Prevention: Know the origin of all software and refrain from using software from unknown sources. Use a memory-resident virus immune program to alert against virus presence. Test all new software using an anti-virus program and isolate new software until it is tested. Restrict access to programs and data on a need-to-know basis. Forbid employees to install unauthorized software on office computers or take office software home for use. ~e~~c~jo~~ Use an anti-virus program periodically to check all software for reinfection. Watch for changes in a systems’ operation. Monitor modification dates of programs and files, look for changes in volume labels and try to check the length of programs to detect changes. Control of personnel Personnel internal to the organization have been identified as the greatest risk group to an information system. Management control of personnel is concerned with the appropriate selection, screening and supervision of employees.
4t)HUSSAIN,
Managing
D.
AND
HUSSAIN.
computer
K.M.
resources.
(1988). Home-
wood, 11: Irwin. 41~0~~~, C.L. (1987). Taxonomy of computer virus defense mechanisms. Proceed-
ings of the 10th National Computer Security Conference. Washington, DC, pp. 220-
Selection and screening. It is essential for employees who have access to information and computing resources to perform with competence, loyalty and integrity; however, such traits often cannot be readily determined in prospective employees except by a skilled interviewer. Therefore, a thorough pre-employment screening of applicants is necessary for applicants who will have access to computer systems.42
225. 42KN0’lTS, R. AND RICHARDS, 7. (1989). Computer security: Who’s minding the store? The Academy of Management Ex-
ecutive, If (No. l), pp. 6S66.
Retention. Once hired, personnel should be aware of the value of system assets. The value of information assets is rarely appreciated until it is corrupted or otherwise no longer accessible. To help protect these 115
fnfofnxition
sysfems
security
assets, new employees should be indoctrinated into their responsibilities and sign a non-disclosure agreement. The security policy of the organization, and consequences for violation, should be explained. Compliance with IS asset protection responsibilities must be mandatory, and should be considered a condition of continued employment. Formal security awareness programs should also be periodically administered to user managers and employees to remind them of the organization’s security policy, procedures and standards. The establishn~ent of an employee code of conduct can clearly delineate expected employee responsibility. Termination. When empIoyees leave the organization, their accesses to the computer system should be revoked. Unfortunately, user managers frequently overlook this procedure through complacency, forgetfulness or other reasons.43
The managerial
issues -
a framework
Realizing the threats, vulner~~biiities and available defence mechanisms, managerial issues of jnforrnat~~~~ security can be organized along the four classical phases of the process of managcmcnt: planning, organizing, directing and controi. Each of these phases encompasses a number of topics. This arrangement can be used as a framework for developing an information security management programme. A brief discussion of topics for each phase follows, Planning ‘fo minimize the risks to an organization’s information systems, an IS security plan must be formulated and endorsed by the highest levels of management.~4 The formulation of an IS security plan requires a systematic study of the organization’s IS assets, and a listing of potential threats and proposed countermeasures.“’ This process usually consists of the foIlowing six steps: 0 a 0 0 * a
Identify IS assets; Assess threats and risks; Analyse vulnerabilities; Evaluate existing and potential countermeasures; Evaluate current security level; and Formulate a security plan.
The end-product, the IS security plan, is a written document that summarizes the assets, identifies the threats and yul~~~rab~litics of the information systems and addresses IS security needs. J30p. cit.,Ref. 40. J4tARKOLt,
J.M.
AND
WU.
0.1..
(1983).
Methodology for security analysis of data processing systems. Computers & Security:y, 2 (Ph. l), pp. 24-34. Op. cif., Refs 7 and
37. %ISXIER, R.P.(1984). security. Englewood
Organizing The organization phase aims at implementing the IS security plan. Based on this plan, a company needs to organize its IS security. This includes:
fflformarion systms
Cliffs: NJ: Prentice-
0
Hall. ZVIRAN, hl., HOGE, J.C. ANU MICUCCI, V.A.(1989). SPAN - A DSS for security
0
plan analysis, Ctimputers & Security, 9 (No. 21, pp. 1.53-160. 09. cit., Ref. 2.
@
Development of security policy involving procedures and standards; Selection and training of security administrators; Selection and implementation of security products and techniques, etc.
J.L.
WILSON et ai.
In many companies the responsibility for security is fragmented. The remedy is to appoint a high-level security manager with the authority to act for the entire organization for all security-related issues. There are sound technical and practical reasons for placing the IS security manager in the IS department. 4kThe security manager is responsible for carrying out the organization’s security plan, including the development and implementation of all required procedures and standards to execute the plan.
This phase involves leading and managing security administrators, and conducting user and management awareness programmes to gain support and increase motivation for security. The direction phase is also a responsibility of the organization’s line managers, who should be familiar with the organization’s security policy. Line managers are responsible for protecting all resources allocated to them and for ensuring that employees are aware of and abide by the established security policy and procedures and standards.“7
The control phase focuses on: 0
Monitoring the effectiveness of security procedures, standards and controls; e Administering security products, procedures and services; @ Investigating security breaches; e Participating in security reviews of application development efforts; l Internal and external auditing; and 0 Consulting. Some specific responsibilities of the audit functions include monitoring all responsible areas to ensure adherence to the security policy, auditing all critical operating system and application resources, and monitoring access controls established by the security administrators.
Risk analysis and some basic recommendations
“‘BUSS,
M.U.J.
AND
SALERNO,
L.M.
Common sense and computer Harvard Business Review, 62 112-121. l?Op. cit., Ref. 37.
(1984). security. (No. 2),
The future of IS security lies in the level of management awareness of the vulnerability of the organization’s information systems and the implications of security problems once they develop. Thus, a first step towards a secured information system is gaining top management’s recognition of the importance of the IS security issue. While top management support is critical in emphasizing the importance and increasing the awareness of the IS security issue, practical guidance to obtaining security is needed. This is done through formulating an IS security policy and developing a comprehensive IS security plan. The decisions involved in establishing an IS security plan are subjective and unstructured. The crucial elements of risk and vulnerability assessment are subject to personal perceptions of threats to information resources, the impact of realized threats, and the probability of their occurrence. Although such a process calls for a systematic study of all IS assets and corresponding security characteristics, the results might be limited to the knowledge of a specific decision maker. Moreover, since
117
information
systems
security
decision makers may place emphasis in different areas, the outcomes may vary from one decision maker to another. A decision support tool can, therefore, provide significant guidance to reduce the risks associated with inadequate security measures.48 Installation of security measures is based on a balance between the cost of security and the need to reduce or eliminate threats, or expected loss. Risk management techniques help organizations to identify threats and select cost-effective security measures.4y Computer-based software packages provide a method for assessing threats and risks and deciding which to accept, reduce, or eliminate. Their major value is in providing a structure for ranking exposures that can be incorporated into an action plan.50 Some software packages go beyond this objective and provide a comprehensive decision aid for the entire task of IS security planning. Computer-based IS security analysis products fall into two categories: qualitative and quantitative.“’ Quantitative packages direct a user in assessing the value of the IS resources and estimating threat frequencies. They then evaluate the threats as loss exposures or annualized loss expectancy (ALE), expressed in monetary values. Calculations are usually obtained by multiplying the replacement cost of an asset by the estimated threat frequency. Since the end-product of quantitative packages is more exact, their implementation requires more time and effort than the qualitative approach. Qualitative security analysis packages use a risk scale, either alphabetical, numerical or verbal, for each threat/vulnerability/asset combination. These scales allow decision makers to assess the impact of existing vulnerabilities and the appropriateness of various countermeasures against the identified threats. The following are examples of available products for risk assessment and security planning:
0
‘*Op.
cit.,
(CARK~LL
Refs AND
3
(CARROLL),
7 and
44
wu).
4Q0n. cit.. Refs 12 and 45 (ZVIRAN et al.). 50~&~~~; R. (1986). Expert systems fbr risk analysis and crisis management. In: Security and protection in information systems (A. Grissonanche, ed.). Elsevier. pp. 401-409. WOOD. cc. (1988). A context for information systems security planning. Computers & Security, 7 (No. 3), pp. 455465. “Datapro (1990). Risk analysis software. Datupro Reports on Informat~5~ Security, pp. 151-160. POWELL, K. (1988). SOftWXe program defines SBA’s security needs. Government Security News, 7 (No. 24). pp. 97-98. TOMKINS, F.G. (1989). How t0 select a risk analysis software package. Datupro Reports on Information Security, p$?. 101-107. Datapro, op. cit., Ref. 51. 53T~~~~~~, op. cit., Ref. 51. 54Datapro, op. cit., Ref. 51. 55~~~~~~ et al., op. cit., Ref. 45. 56Datapro, op. cit., Ref. 51.
118
l
0
0
The Buddy System,52 which employs a qualitative methodology to determine the level of vulnerability in 14 areas and provides a final risk analysis report with conclusions and recommendations. CAS (Computer Aided Security) expert system for managing computer security. 53 It consists of a semi-structured approach to assess risks and applies the appropriate countermeasures to achieve IS security. CRAMM is a menu-driven, knowledge-based, risk-assessment tool and management methodology software support tool.“” Menus take the user through three stages of risk assessment using qualitative means. Once a risk is identified, appropriate countermeasures are recommended from a library of over 1000 countermeasures. SPAN is a qualitative decision support system for the security planning processs5 It attempts to reduce the gap between the perceptions of threats and vuinerabilities and their reality by using an internal database with a broad knowledge base of threats, vulnerabilities and applicable countermeasures for each category of IS assets. It systematically guides a decision maker through each planning step, ensuring that all activities receive adequate attention. Risk Watch supports quantitative and qualitative risk assessments. 5h Online screens are used to key in asset information and customize threats data. The system matches the user’s data against its expert knowledge and identifies weaknesses in the security plan, what safeguards should be implemented, and how much each safeguard will save the organization.
J.L. WILSON et ai.
Another recommendation pertains to the implementation of the IS security plan. Planning for IS security is just a means and not an end. After the plan is concluded and approved, an organization needs to allocate the necessary resources to ensure implementation. Moreover, frequent changes in an organization’s computing resources and architecture, as well as its personnel, suggest that the IS security plan needs to be periodically evaluated and revised.
Conclusion As organizations become more dependent on the smooth functioning of their IS resources, an increasing amount of attention should be given to the security of these resources. As a result, many organizations need to prepare and implement adequate security measures to protect IS resources. Technological developments and changes in the business environment have induced important changes in the nature of computer-related crime. These changes, in turn, impose a requirement on top management, as well as on IS management, to recognize the threats to their computing resources and establish a security policy and an IS security plan. In an effort to minimize the risks associated with the threats to an organization’s computer-based information system, a set of countermeasures should be installed. Countermeasures may be conceptualized as performing three basic functions: prevention, detection and correction of threats. A particular countermeasure may exhibit more than one of the three basic functions, as it may also protect more than one type of asset against more than one type of threat. Each organization must assess its particular security needs and install a practical mix of countermeasures to minimize the threats to its computing facilities.
119