How to begin dealing with computer security


Computers & Security, 10 (1991) 199-203

How to Begin Dealing with Computer Security

Belden Menkus
P.O. Box 129, Hillsboro, TN 37342, U.S.A.

© 1991, Belden Menkus. All rights reserved. 0167-4048/91/$3.50

1. Introduction

When first given the responsibility for computer security within an organization, a person may feel intimidated. Moreover, these feelings are reinforced if the technologists appear disdainful and overbearing or the data processing staff members demonstrate a reluctance to allow what they see as outsiders to be involved in any aspect of what they do.

Although a person with new responsibilities in this area may have incomplete knowledge, the beginning of efforts to deal with significant computer security issues need not wait until that person is a superior technologist. Of course, one who has this responsibility will need eventually to acquire a thorough grounding in the operation of access control software, data encryption, computer fraud detection and prevention, and computer systems controls¹. However, less complicated things can be done to improve the security of both an organization’s central data processing facilities and its numerous microcomputers.

2. Limitations To Be Resolved

It is not always feasible to do some of the things that improve the security of a central computing site before it is occupied by the data processing equipment and the people who work with it. There may be obstacles to effecting improvements beforehand if the facility is operating in leased space or the organization has entered into a so-called outsourcing arrangement. Outsourcing involves, in effect, the sale of an organization’s computing hardware and software, as well as its data processing staff, to a third party specialist organization that, in turn, will sell various computing services back to the original owner. Some provisions in contracts for such arrangements may limit the organization’s efforts to assure that its information resources are protected adequately. The information systems auditor and the person responsible for computer security should join the organization’s legal counsel to remove any such limitations from the outsourcing contract.

© 1991, Elsevier Science Publishers Ltd.

Where an organization elects to maintain a central data processing site in leased space, other types of restrictions may prevail. For instance, the terms of the lease contract may prohibit permanent alterations in the nature and location of such things as plumbing lines, heating and air conditioning conduits, fire walls, and the electrical service for the space. (If the contract does not preclude such changes, it may require that the site be returned to its original condition when the occupancy ends.) Also, the essential semipublic nature of the leased space occupied by the data processing facility may make it difficult to control access to the area effectively. For instance, maintenance, cleaning and security forces working for the building’s management, and not under the organization’s direct control, may require almost unlimited access to the space being used for computing. (In many instances, all three of these groups may be working under separate contracts with the building’s management.) Here, too, the lease contract may need to be modified.

3. Where To Begin

A thorough review of the physical security aspects of a data processing site is a good place to start. (The organization’s information systems auditor can help with this examination. This person already may be familiar with a number of security problems that need prompt resolution.) This review should include a careful study of the work practices of those who are employed in the data processing facility. This review should not be limited to just the standard work day, but should encompass all of the time in which the facility is active.


While this review is being completed there are a number of initiatives to consider. At least three of them involve:

(1) Tightening the controls over trash collection and removal within the building generally, particularly on those floors in which microcomputers are in use. (This action should be accompanied by extending the organization’s regular fixed asset accounting system to encompass microcomputers and the printers and other equipment used with them.) At a minimum this effort should include inventorying these units and marking them distinctively with unique serial number identification tags as the organization’s property. In many organizations literally thousands of these units exist without having been subjected to conventional asset controls. An aggregate investment of millions of dollars often is at risk². The reason for these actions is that a preferred method for stealing these devices, or the printers and equipment used with them, is based on manipulating the building’s trash collection and removal process. The microcomputer or other unit is wrapped in a large plastic trash bag and placed in the bottom of a trash container. Regular trash is put over the wrapped parcel and the container is removed in the ordinary way from the building. Most security officers will not examine the contents of all trash containers routinely before they are removed.

(2) Restricting access to postage meters, facsimile devices, copiers, mail chutes and similar equipment at night and on weekends and holidays. Some business spies, masquerading as legitimate building cleaners or messengers, routinely copy microcomputer diskettes containing sensitive, confidential or proprietary data and mail them to their principals using the mailing facilities of the organization whose information security is being compromised. In some instances, these people will copy such files and even transmit them by facsimile. In connection with this, the existing controls over the routine identification and circulation of building cleaners, messengers and others should be reviewed. Most security officers, and other employees, will not challenge such people routinely to identify themselves or keep them under surveillance while they are on the premises.

(3) Insisting, in areas that are prone to possible earthquake damage, that the casters on computing devices, including those used for data storage, document printing and the like, be removed or chocked routinely. There were numerous reports after the 1989 San Francisco earthquake of unchecked devices rolling across the floor of data processing facilities and crashing through their walls.

Computers and Security, Vol. 10, No. 3

4. Limiting Accessibility

The space occupied by the data processing activity can be made into a limited access area. This space should be made as inconspicuous as possible. Door and direction signs (including those on the directories in the building’s lobby and on the appropriate floors) that identify this site should be removed. Any identification of the space’s location in the building also should be removed from the organization’s telephone directory. Receptionists should be advised not to direct casual enquirers to data processing locations.

In addition, any existing controls over access to data processing space should be improved. For instance, the physical security review mentioned earlier should determine whether maintenance people, vendor representatives and others routinely are allowed to enter the area and to circulate within it without being under the continual direct observation of a computer facility employee. This review also should verify that the integrity of the mechanism that controls access to the area is not being compromised. For example, workers in some computer facilities circumvent the locking mechanism by covering the strike in it with an adhesive tape such as duct tape or masking tape. (Their purported reason for this practice is that doing so makes it easier for them to come and go from the area!)

5. Air Conditioning And Plumbing

The normal operation of mainframe and minicomputer hardware generates a significant amount of heat, though not as much in terms of the equipment mass involved as was true even 10 years ago. A buildup of heat eventually can damage the equipment itself and the plastic based magnetic media that it uses to store data. Eliminating this heat buildup necessitates the installation of an air conditioning system that operates the year round and encompasses the entire space in which computing is done. (Usually this system shares its air distribution conduiting with the building heating system.) The natural fire breaks provided where the building’s flooring meets its exterior walls must be breached to accommodate any air distribution system. Should a fire occur, the path that has been provided for efficient air circulation tends to expedite the spread of the conflagration. This exposure in the space occupied by the organization’s data processing activities can be reduced by using a suitable alternative substitute for conventional fire walls whose installation does not impede materially the normal operation of the building’s air conditioning and heating system.

The installation of an effective air conditioning and heating system in the data processing area exposes the computing equipment to potential serious damage from possible rupture of service lines. Should this occur, water and ethylene glycol refrigerants may flood the computing area and severely damage both the equipment and the magnetic media. Additional exposure to possible water damage may stem from a rupture of any sanitary water lines that pass through the floor, ceiling or walls of the area occupied by the computing facility.

A further exposure to water damage may result from a possible malfunction of a sprinkler fire extinguishing system that may have been installed in this space. These systems increasingly will become an issue in computer facility fire protection during the balance of this decade. Local fire code authorities can be expected to insist upon their installation in such sites as the use of Halon 1301 for fire suppression in computer facilities and similar sensitive occupancies is eliminated under legal mandate. Water sprinkler fire extinguishing systems initially were developed for installation in so-called high-piled warehousing space, and are more appropriate, in most instances, for use in such an environment than in one occupied by the operation of complex electronic equipment.

Most water sprinkler fire extinguishing systems are not as free from operational failure as the industrial groups that encourage the use of such equipment would have one believe. Admittedly, in most instances, the presence of such a system is preferable to having no fire protection system of any sort installed. However, that fact does not eliminate the need to be concerned about possible damage that may result from the malfunction of such a system. Leaks in water sprinkler fire extinguishing systems can stem from such things as environmental damage or the deterioration of the lines and nozzles from the accumulation of naturally occurring chemical salts in the water used in the system. Conventional approaches to supervising the operation of such a system typically will not identify this sort of damage or deterioration until the sprinkler system itself malfunctions and significant flooding already has begun.

The system that monitors the building’s security and physical environment should be extended to include the ethylene glycol supplies and the various water lines. In addition, the physical security review mentioned earlier should assure that the under floor space in the computing facility has adequate drainage. And the services of a professional building damage cleaner should be engaged on an on-call basis.

6. Microcomputers

Introducing highly powerful and relatively compact microcomputers, and the printers, modems and other devices associated with their use, into most organizations has created a separate set of computer security concerns. As suggested earlier, these devices easily are stolen and should be subjected to conventional fixed asset controls. In addition, to avoid making it easy to remove them without authorization, these devices should not be placed in so-called open office working environments, which effectively have no inherent limits upon the circulation of individuals within them. (In some instances, employees may steal circuit boards and other microcomputer components for use in their own devices.) Requiring that the doors to offices in which microcomputers are used are locked routinely whenever they are unoccupied, even during the lunch hour or overnight and on weekends, can reduce the possibility of theft. Bolting and locking this equipment onto the work surfaces on which it normally is used can reduce this possibility further. (A number of locking devices designed for securing microcomputers and the devices used with them are available.)³

Most microcomputers will be used in ordinary office space that has not been conditioned for their use. To compensate for one aspect of this, additional electrical power supply protection may be called for since microcomputers are more susceptible to fluctuations in the quality of that supply than data entry terminals or most conventional pieces of office equipment are. Routine installation of surge suppressors and constant voltage regulators between microcomputers and their electrical power outlets can help prevent damage to microcomputers, programs, and data. And, in some instances it may be advisable also to install a small uninterruptible electrical power supply or UPS. Similar in function to the reserve power supplies widely used in some central data processing sites, this smaller size UPS also can eliminate the effect of fluctuations in the power supply and provide a short-term power reserve whenever the regular building supply is interrupted.

Another problem associated with introducing microcomputers and the equipment related to their use into office space stems from the common inadequacy of the fire protection provided in such an environment. The furnishings in most offices include numerous highly flammable and toxic substances. And, individual offices rarely are equipped with either smoke or combustion detectors or even water sprinkler fire extinguishing systems. However, most of the microcomputer fires reported thus far have been limited to the interior of the unit and have not spread to the surrounding work area. Installation of a portable CO₂ or dry chemical fire extinguisher in the area in which the microcomputer routinely is used can help address these problems. Employees who are expected to use fire extinguishers should be trained to operate them. They should become acquainted with the loud noise of activation so that they will not be frightened by it when they are called upon to act in an emergency. They should demonstrate their ability to extinguish an actual fire effectively.

7. Other Concerns

Fire in a central data processing site poses a number of special detection and suppression problems, which have been discussed in detail elsewhere⁴. Exposure associated with these problems can be reduced by certain changes in furnishing this site. (These remedies also can be applied in offices in which microcomputers are used.) Among these are the replacement of existing wall and floor coverings with flame resistant finishes; the installation of ceiling tiles and ductwork that has been certified as having flame spread, fuel contribution and smoke development ratings of not more than 25; the addition of glass diffusers (or plastic ones with a flame spread rating of 25 or less) on individual lighting fixtures; and the installation of fluorescent light fixture ballasts that do not melt when overloaded and that do not drip hot plastic when they fail.

Even after accomplishing all of these improvements in the organization’s efforts to protect its computing resources, the person responsible for an organization’s computer security still will have much more to do in preparing to handle the impact of computer related disasters and to deal with all of the other information security issues referred to at the beginning of this discussion. But, a good beginning will have been made in getting the organization’s computer security under control.

Notes

¹ For a comprehensive introduction to information systems controls see: Control Objectives: Controls In A Computer Environment: Objectives, Guidelines, and Audit Procedures. Belden Menkus and Zella G. Ruthberg, editors. April 1990. The EDP Auditors Foundation, P.O. Box 88180, Carol Stream, IL 60188-0180, U.S.A. Cost $49.95; payment in U.S. funds.

² The growing use of small, comparatively expensive, highly portable, and easily stolen and resold so-called laptop microcomputers will intensify the problem of preventing the theft of this type of equipment. Both the exposure and the difficulty associated with theft prevention are comparable to that long associated with portable audio-visual and other portable electronic equipment. Once they have been marked physically as a unit of the organization’s property there appears to be no other effective way to secure laptop microcomputers against theft. The London Sunday Times reported on 6 January that a laptop microcomputer apparently containing extremely sensitive Middle East military data had been stolen some time earlier from a vehicle being used by a senior British Royal Air Force staff officer.

³ A number of things, such as maintaining cleanliness and avoiding the accumulation of undischarged static electricity in the areas in which microcomputers are used, affect the reliability of their operation and, ultimately, the security of the data that they process. However, in most organizations the resolution of these matters will lie beyond the authority of the person responsible for computer security.

⁴ See It’s Time To Rethink Data Processing Fire Protection and Computer-Related Fire Problems Revisited, both by Belden Menkus in Computers & Security in August and November 1989, respectively. Together these constitute a monograph on the subject.
