and can be used to determine the likely exposure of new systems, before they become operational. It is a simple and practical approach. On the debit side, the method could fail, so far as covert risks are concerned, unless the headings of risk are broken down and analysed very carefully. It is also important, in assessing probabilities of loss, to look at controls in user departments and at the accounting and budgetary structure and controls generally. The fact that controls over program development are weak and may allow easy methods of program manipulation is not necessarily a risk, if the application concerned is tightly controlled by the user or an outsider. The payroll file ultimately has to be reconciled against bank accounts and internal controls in the customer's bank; it may be more difficult to commit fraud in the system than at first seems the case. Providing the risk assessment is taken in this broad, companywide context, there are few problems with Courtney's method and it is recommended to any computer user as a good starting point in developing a security programme.
MICROCOMPUTERS: OUT OF CONTROL?
Classified information stored on ordinary cassettes
A recent issue of the Wall Street Journal featured a large "ad" for the Radio Shack TRS-80 Microcomputer. The ad announced that sales had exceeded 100,000 units and that Radio Shack was passing on the cost savings of volume production to its customers. The price of the Level 1 unit, which includes 4K of memory, a CRT display and a cassette recorder, has been cut by $100 to $499. The Level II unit, which provides a more advanced Basic interpreter and 16K of memory, has been cut in price from $988 to $849.
Does this development have any security implications? At first glance one might think not. But consider the following. Internal auditors for one of the armed forces of the United States recently discovered that two civil servants had purchased TRS-80 computers with their own funds and then brought the computers into their office to help them in their work. All well and good, you say, and shows commendable zeal. Indeed it does. The difficulty is that the two individuals are engaged in highly classified work. Because of what they saw as shortcomings of the in-house computer system - poor turn-around and restrictive security measures - they had found it much more convenient to do highly sensitive data analyses with their personal computers. Consequently, national security information had moved from closely controlled documents to ordinary cassettes.
One can hardly imagine a more attractive vehicle for theft of data. Having copied the target information onto a cassette, a thief could disassemble the cassette and remove the tape. By wrapping the tape in plastic film such as Saran Wrap, it could easily be concealed in the mouth if security checks were so rigorous that more conventional hiding places seemed too risky. Notice that it is not necessary for the information thief to use any exotic equipment, a miniature camera or the like, to copy the information, or even seem to be engaged in a doubtful activity. Instead, he
is simply exploiting a resourceful fellow who has shown remarkable initiative in carrying out his duties. Interestingly, the auditors were not sure exactly how to respond to their discovery. One doubts that they would have been uncertain about how to respond to the discovery of an unauthorized Xerox machine, a "spy" camera or a shortwave radio transmitter.
Vol 1 No 11 COMPUTER FRAUD & SECURITY BULLETIN
Need for careful thought on security implications of microcomputers
We suspect that very little thought has been given to the security implications of the widespread use of mini- and microcomputers by auditors and security managers. The basic advantage of minicomputers, moving the data processing facility out to the user, also has the potential of creating a host of security exposures. To begin with, one must now maintain an appropriate level of physical security at a host of locations instead of a single, well-defined data processing facility. It is true that the amount of equipment exposed to physical damage is much less at a minicomputer installation. Consequently, a disaster that destroys a minicomputer does not disrupt any other data processing functions except to the extent that the flow of data from the destroyed facility ceases. Note, however, that there are two new physical security problems to be solved.
Physical theft of hardware
The first has to do with the growth of personal computing. The new minicomputer may very well include exactly the component, circuit board or chip that a computer hobbyist employee needs to complete his personal computer. Recent news reports suggest that the theft of minicomputer parts (and, indeed, entire systems) will become an increasingly serious security problem. The losses will be measured in terms of both the cost to replace the missing item, and the disruption to work flow as well.
Vulnerability of information in stand-alone computers
Second, information is subject to theft wherever it is exposed. The fact that only a tiny amount of information is exposed at a given location is not material if the information is highly sensitive and access controls are weak or nonexistent at the point of exposure. Likewise, a stand-alone computer system which is unattended in an office area at night and over the weekend is probably far more exposed to program tampering than a large-scale computer which has close controls over access to the load library and source code library.
Much of the security of on-line applications depends on the use of a password system. Typically, each operator is given a password which allows file access and transaction authority appropriate to the duties of the operator. The Accounts Receivable clerk cannot access the Accounts Payable system. Only a supervisor can authorize a customer refund and so forth. In a large-scale computer centre, passwords are usually administered by a data security officer and the password file can be closely guarded. In the case of a stand-alone minicomputer, administration and protection of the password system may be much less effective. Thus, while on paper minicomputer access controls may seem to be much the same, it seems likely that the embezzler will have a much easier time breaking into a minicomputer. It may be as simple as watching the other three operators for a day or two to learn their passwords.
It has been reported that several banks have located international funds transfer minicomputers in the middle of large computer rooms. Typically several hundred people will be authorized to enter such a computer room. Since log-on codes and authentication keys are available by performing a simple "core dump" to tape, and such systems are only supervised during business hours, it seems only a matter of time before one of these minicomputers is compromised. The resulting losses will likely far exceed the amount stolen by Stanley Mark Rifkin. Without
doubt, the introduction of minicomputers and dispersed data processing is creating a host of new security requirements which must be faced squarely if major losses are to be avoided. The discovery of the personal computers in the high-security environment serves to dramatize the seriousness of the problem. In effect, the data security officer must concern himself not only with control over the authorized computers that are company property and (one hopes) are reported to him prior to installation, but must also give thought to personal computers introduced into the business office by the zealous (and potentially larcenous) employee. As the technology of computing advances over the next few years and the boundary between commercial and personal computers becomes less and less distinct, we predict that the minicomputer will supplant the wire tap as the industrial spy's best friend.
TALKING TO THE BOSS: IMPROVING THE DATA LINKS BETWEEN DP MANAGERS AND TOP EXECUTIVES
Jack Stone, a leading American Training Consultant with wide experience in data processing, has prepared a very interesting paper on 'Training the Top Executive'. Stone argues that in many companies there is a communications schism between the senior data processing manager and his non-technical boss. He states:
As is the case for any conscientious executive who finds an unwanted inheritance of the MIS (Management Information Systems) Department, a proper training programme is of paramount importance. To delay or ignore such a programme - which, difficult though it is to comprehend, is nearly always what happens - simply extends the time during which the executive has limited effectiveness in making the proper decisions for the department. To implement an ineffective programme may even be counterproductive, first, with respect to intensifying negative feelings towards the MIS organisation, and second, with regard to the quality of the decisions. In far too many organizations, the lack of understanding of MIS activities by the top executives has led to seriously bad decisions; and in certain cases, when the top people become severely frustrated, decisions have been made which have even been destructive.
The inter-relationships among the DP'ers and the executives in this training situation are very complex. Here we have this incongruity: the director, MIS, reports to the executive suite on his needs, which usually relate to more, bigger or faster machines to handle the heavy backlog of work. They ask why. The director responds with such jargon as: "The MVS overhead for the particular jobstreams that we have is unduly excessive. To increase performance, we must extend main storage, and acquire a faster CPU. Furthermore ..." But by this time the audience is glassy-eyed, bored and not too sympathetic with those "technicians" who talk in highly specialized terminology. The director, trying to be responsive to questioning, is forced to simplify the world of data processing and his years and years of experience so that the unknowing, uninitiated executives can make intelligent decisions on his behalf.
Executives often ignorant of DP problems
Communications difficulties usually start with the first face-to-face meeting between the executive group and the MIS director, and deteriorate rapidly from there. From the outset, the director suspects that abysmal ignorance of the DP business faces him on the other side of the table. He says to himself, "Another turkey! Why should we be talking at all? Or why shouldn't I have the executive's job? After all, this business is very dependent on MIS, and he doesn't have the vaguest notion as to what we do, not even the basics of data processing."