Abstracts of Recent Articles and Literature
lines are available to help agency managers decide which systems and employees are affected by the Computer Security Act. Officials at a conference on the subject said they will issue general guidelines to help agencies identify sensitive systems and develop security plans and training programs. The Congressional Budget Office estimates that as many as 10 000 security plans will be issued. Training poses a resources problem; all employees who operate sensitive federal systems are required to undergo security training, but the law does not appropriate any additional funds. At the conference, all agreed that more emphasis should be placed on changing behavior and not overselling technology and training programs as solutions. Government Computer News, May 13, 1988, pp. 1, 92.

Agencies Ready Forces for Data Security Campaign, Robert V. Head. The Computer Security Act spells out what federal agencies must do and exactly when to do it. They must: (1) designate sensitive information by July 1988; (2) develop a security plan within one year; (3) train agency personnel starting in fall 1988. Some important implementation issues raised by the law have yet to be resolved. Which systems must be covered in the plan? NBS' thinking is that generic groups of systems could be covered in a single plan. Another implementation issue concerns the difference between "integrity" and "secrecy." To avoid secrecy while maintaining data integrity, three often contradictory criteria must be juggled: confidentiality, availability and accuracy. Another issue is whether there should be an approved list of hardware and software products to protect sensitive systems. Government Computer News, May 27, 1988, pp. 27, 31.
From the U.K.

Unix System Security Issues, Michael J. Knox and Edward D. Bowden. Security limitations of the Unix system are discussed under the headings of files and directories, passwords, networks, and methods used by hackers to gain entry. Ways in which some of these limitations can be reduced are suggested and the future security outlook for the Unix system is briefly examined. Information Age, April 1988, pp. 67-72.

Reliance on Optical Fibres to Increase Telecommunication Security, Alan H. Friedberg, Robert M. Harper and Michael J. Cerullo. This article describes the basic operation of fibre-optical communication systems. The authors compare telecommunications security in an optical-fibre environment with traditional cable systems. While the use of fibre optics can increase telecommunications security, they are not immune from exposure. The findings include six conclusions regarding fibre optics and security. Information Age, April 1988, pp. 73-78.

Security, OSI and Distributed Systems, T. Knowles. The need for security in open systems is examined and the current state of standardization within the ISO and OSI committees is reviewed. OSI security is briefly set into the context of total security. Information Age, April 1988, pp. 79-84.

Smart Cards: A New Tool for Identification and Access Protection, Rola Krayera. This article proposes to define an automatic connection protocol to replace the classical connection procedure. This new protocol is based on smart card technology and can be used both for direct and cascade connections. Information Age, April 1988, pp. 85-88.

Computer Insecurity, Ken McLoed. An illegal breach of computer security is investigated, in which an employee of a large electronics company and his son use their access rights to the company's main computer and their knowledge of proprietary source code to embezzle funds from sales of company electronic scrap. An account is given of how the hackers are tracked down amidst the alarming inadequacies of the company's computer security system. Information Age, April 1988, pp. 89-93.
From Australia

UFS: User-Friendly Security, Alan R. Krull. Before security can be made friendlier, an organisation must first determine and then articulate its guidelines and policies. Security can be made more, rather than less, user-friendly, and greater effort should go to making compliance more user-friendly. The article gives examples of user-friendly security--manual and computer-driven--which others have in place. User-friendly packaging will make it easier for users to comply. Computer Control Quarterly, Spring 1988, pp. 1-9.

The Executives Guide to Workstation Management and Data Security, Mark Goode. One problem resulting from the advent of personal computing has been that the IBM PC product family is