July 1993
Computer Audit Update

SILENCE ...because their data has been deleted and there is no back-up!

The games people play

All of this increased computing power on desks has not resulted in office workers becoming more productive. PCs have become 'executive toys'. In addition to playing games, office workers are wasting time playing with on-screen graphics, tinkering with layouts, experimenting with fonts and installing/learning the latest go-fast version of their software. It has become an international, and expensive, obsession according to recent studies. A recent US report claims that the average PC user wastes 5.1 hours every week. This adds up to 5 billion hours per annum for the United States, or $100 billion at average wages, or 2% of its GDP. In the US, white-collar productivity increased by only 0.2% a year during the 1980s, despite having the world's highest number of PCs per head of population. Xephon in the UK has estimated that on-screen time wasting accounts for up to 25% of a PC user's time.

In addition, there are the office gurus - people whose sole purpose in life seems to be to sort out everyone else's PC problems, rather than do the job they were employed for.

SILENCE ...because office workers are playing games on their PCs!

The need to SHOUT

Organizations need to break these silences by shouting loudly. They need to shout about the need for data back-up; the need for off-site data back-up; the need for the disaster recovery plan to include PCs and LANs; the need for computer security to include PCs. Much of the most valuable information in your organization is held on PCs - start shouting NOW!

PC SECURITY: A MODEL FOR APPROPRIATE DEFENCES

Peter Smith

This article outlines a model which seeks to aid computer auditors to discover the defences required to protect PCs in different scenarios. The model utilizes the micro-economic theories of marginal utility and indifference analysis. There is a vast array of measures that can be used to maintain PC security. These range from making regular back-up copies of data, to pressurizing cable ducting. Applying all possible security measures, in normal circumstances, would effectively ensure that a PC could not be used. This can be illustrated by the micro-economic theory of marginal utility.
©1993 Elsevier Science Publishers Ltd
[Figure 1: Marginal utility of defences. Bar chart with Utility on the vertical axis and Number of defences on the horizontal axis.]

Figure 1: Marginal utility of defences. The above diagram suggests that, in general terms, the first few defences instigated are very useful in protecting a PC, yet as further defences are employed they become progressively less useful. In the diagram the penultimate bar shows a situation where an additional defence is useless, that is, it has zero utility. The last bar illustrates a situation where the additional defence is actually detrimental, or has negative utility. A diminishing marginal utility of security measures can, therefore, be established.
No. DEFENCE: SUMMARY

1. Control access to PCs: Utilising disk drive locks, keyboard locks etc.
2. Restrict access to facilities: This can be achieved by using such measures as guards, barred windows, security locks, combination locks, identity cards and electronic badges.
3. Regulate transport: Ensuring that storage media does not leave or enter a secure environment, by using physical searches or electronic detectors.
4. Protect network lines: Ensuring that cabling is not tampered with, for example using pressurised ducting, line monitors or hiding ducting.
5. Immobile PCs: Making it difficult to steal PCs, by bolting/locking them to desks and/or indelibly marking them.
6. Create a log file: Recording all system activity in a file.
7. Monitor data files: Using TYPE, DEBUG and COMP to visually inspect files.
8. Checksum: Using a form of monitor that checks the size of blocks in a file.
9. Vector table monitors: Using a type of monitor that alerts a user to potentially dangerous calls to the interrupts table.
10. Generic monitor: Using monitors that seek to interrupt a range of suspect behaviour.
11. Signature detection: Employing a monitor that detects the signature of a malicious program.
12. Encryption of data: Changing the form of data so that it cannot be recognised.
13. Hide files: Placing files in an unexpected location, e.g. using SHELL and SET COMSPEC commands to hide and rename COMMAND.COM.
14. Dummy files: Used in conjunction with the above, placing a decoy copy of a file in an obvious location.
15. Write protect disks/files: Utilising the write protection tab and the ATTRIB command.
16. Redundancy: Duplicating every operation performed on the computer.
17. Do not copy executable files: Only allowing copying of data files, not .COM, .EXE, .BAT or .SYS files.
18. Develop software yourself: Not buying software from third parties, only using software developed in house.
19. Use shrink wrapped software: Only using software that is obtained sealed from reputable sources.
20. Centralise software purchasing: Making the purchasing of software the responsibility of a single body.
21. Manage public domain and shareware software: Instigating a policy that all software acquisitions should be approved centrally and supplied with full documentation.
22. Do not use new programs: Not using software unless it has been in the public domain for a period of time.
23. Decompile new programs: Disassembling new software to look for suspect DOS calls.
24. Protect boot medium: Write protecting system floppies, hard disks and servers (if possible).
25. Safeguard master disks: Keeping master disks safe, and write protected.
26. Recycle disks: Formatting used disks rather than deleting all files.
27. Virus free booting: Booting from a write protected floppy.
28. Quarantine: Testing new software on a physically and electronically isolated machine.
29. OS/2: Using OS/2, which uses Intel processors in protected mode, unlike MS-DOS.
30. Cold boot: Cold booting rather than warm booting at the beginning of a session.
31. Switch off idle machines: Turning off PCs that are not being used.
32. Back-ups: Regularly backing up all data.
33. Control data access: Restricting the data available to users.
34. Password protection: Restricting access to individual machines with the use of passwords.
35. Diskless nodes: Providing network nodes without floppy disk drives.
36. No hard disks: Used in conjunction with the above, providing no disk drives at all.
37. Network compartmentalisation: Restricting a network's access to other networks.
38. Server protection: Protecting executable files on a server.
39. Monitor trusted systems: Ensuring that trusted clients do not in turn have untrustworthy clients.
40. Alternative operating system for servers: For example using UNIX on servers, and MS-DOS on nodes.
41. Segregation: Separating development and final production software.
42. Two hard disks: Storing trusted software on a protected hard disk and non-trusted software on a second, non-protected hard disk.
43. CD ROM drive: Storing files on a CD ROM, thus making them unalterable.
44. Reinitialise the system: Regularly replacing kernel files to ensure their integrity.
45. Reinstall application files: Regularly replacing application files.
46. Reformat hard disks: Regularly reformatting hard disks with a low level format.
47. User education: Making users aware of various security issues such as data protection and computer misuse.
48. Damage clauses in contracts of employment: Making users legally liable for the integrity of the data they use.
49. Vet personnel: Ensuring that personnel are not a security risk, prior to employment.
50. Disciplinary action against those that misuse PCs: Issuing a verbal or written warning to employees using unapproved software or copying software or data without authorisation.
The concept of an ever reducing usefulness or utility of additional defences suggests that only a certain number of defences can be successfully employed to protect a PC. The selection of defences to be used is, therefore, very significant. The first stage in determining the defences which should be employed in an individual company is to draw up a list of all possible defences. An example of such a list is shown in the table above.

This list then needs to be filtered to eliminate defences that are clearly unnecessary for the organization being investigated. The filters used need, therefore, to be hard issues, that is those that can be determined by an objective test. Suggested filters include:

• PC environment (its interconnectivity with other PCs) [1];
• number of users.

For example, in the first case pressurized ducting is clearly not required for a standalone PC and in the latter case password protection is not needed for a PC with one user. The next stage in the decision making process is to discover which of the remaining defences should be used. This can be achieved using indifference analysis.

[Figure 2: The indifference curve. Cost of defence (Minimum to Maximum) on the horizontal axis against Defence effectiveness (Minimum to Maximum) on the vertical axis; curves IN1 to IN4, with the number of defences increasing from curve to curve.]

Figure 2: The indifference curve. The above diagram shows various levels at which PC users display indifference toward defences at differing cost [2] and effectiveness [3]. Curve IN1 represents a situation where a user will only require defences that are either very cheap and relatively effective or very effective and relatively cheap. Curve IN4, on the other hand, illustrates a situation which necessitates the use of defences with minimal effectiveness and a moderate cost or those with a moderate effectiveness and a high price.

A PC user rises to higher levels of indifference according to a range of soft issues. These are:

• corporate culture;
• the perceived threat to a PC;
• the criticality of information available to a PC.

If a corporation's culture is risk averse, the perceived threat to the PC is high, or if the information available to a PC is primary information [4], then users will ascend to proportionately higher levels of indifference. The highest level of indifference is represented by curve IN4. This is reached when a user is risk averse, the threat is high, and the information available to the PC is primary information. The opposite extreme is a situation where the threat to a PC is low, the corporate culture is risk seeking and the information available to a PC is not primary (that is, support). Then a user will exhibit a very low level of indifference, approximated by curve IN1. The indifference diagram also shows that as users rise to higher levels of indifference they are forced to employ an ever greater number of defences. This relates back to the initial marginal utility diagram. On the curve IN1 the utility of additional defences diminishes rapidly and negative utility is very quickly achieved. On curve IN4, however, the utility of additional defences diminishes gradually and possibly never achieves negative utility. These ideas are shown graphically below.
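The three-stage model described above (list all defences, filter on the hard issues, then select by indifference level) as an added Python example; this is illustrative code written for this page, not part of the original article. The defence subset and its 0 to 10 cost and effectiveness scores, the straight-line curve shape (effectiveness >= cost + offset) and the rule that each soft issue lifts the user one curve are all constructed assumptions.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Defence:
    no: int
    name: str
    cost: int            # 0 (minimum) .. 10 (maximum); note 2 of the article
    effectiveness: int   # 0 (minimum) .. 10 (maximum); note 3 of the article
    needs_network: bool = False     # meaningless on a stand-alone PC
    needs_many_users: bool = False  # meaningless on a single-user PC

# Constructed subset of the article's 50 defences; the scores are illustrative only.
CATALOGUE = [
    Defence(4, "Protect network lines", 8, 5, needs_network=True),
    Defence(12, "Encryption of data", 6, 8),
    Defence(15, "Write protect disks/files", 1, 6),
    Defence(25, "Safeguard master disks", 1, 7),
    Defence(31, "Switch off idle machines", 0, 5),
    Defence(32, "Back-ups", 2, 9),
    Defence(34, "Password protection", 3, 6, needs_many_users=True),
    Defence(37, "Network compartmentalisation", 7, 6, needs_network=True),
    Defence(49, "Vet personnel", 5, 3),
]

def filter_hard_issues(defences, environment, users):
    """Stage 1: drop defences an objective test rules out. Environments follow
    note 1: 'stand-alone', 'data server' or 'program server'."""
    stand_alone = environment == "stand-alone"
    return [d for d in defences
            if not (d.needs_network and stand_alone)
            and not (d.needs_many_users and users == 1)]

def indifference_level(risk_averse, high_threat, primary_information):
    """Stage 2a (assumed rule): each soft issue that applies lifts the user one
    curve, so IN1 when none apply and IN4 when all three do."""
    return 1 + sum([risk_averse, high_threat, primary_information])

# Assumed curve shape: a defence is on or above IN<level> when
# effectiveness >= cost + OFFSET[level]; higher levels tolerate a worse trade-off.
OFFSET = {1: 5, 2: 2, 3: -1, 4: -4}

def select_defences(defences, level):
    """Stage 2b: keep the defences on or above the user's indifference curve."""
    return [d for d in defences if d.effectiveness >= d.cost + OFFSET[level]]

def recommend(environment, users, risk_averse, high_threat, primary_information):
    """Run the whole model and return (indifference level, defence names)."""
    candidates = filter_hard_issues(CATALOGUE, environment, users)
    level = indifference_level(risk_averse, high_threat, primary_information)
    return level, [d.name for d in select_defences(candidates, level)]
```

At IN1 the constructed scores reproduce the article's own low-indifference selection (back-ups, safeguarding master disks, write protection and switching off idle machines), while the higher curves admit the costlier network and encryption defences.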
[Figures 3 and 4: the effects of indifference on the number of defences. Two charts of Utility against Number of defences, one for low indifference and one for high indifference.]

Figures 3 and 4: the effects of indifference on the number of defences. The process of selecting defences which satisfy a user with a low level of indifference is relatively simple. The defences chosen, as mentioned before, will be few and either very cheap and relatively effective or very effective and relatively cheap. This will include such measures as taking regular back-ups, safeguarding master disks, write protecting disks and switching off idle machines. When a user reaches higher levels of indifference, greater numbers of defences are needed which may be of minimal effectiveness and a moderate cost or of a moderate effectiveness and a high price. In this case the additional defences selected will relate to the specific issue or issues that are causing the indifference level to rise. If the issue is concerned with the primary criticality of information, then the additional defences selected need to relate to maintaining the integrity of information, such as encrypting data or employing network compartmentalization. On the other hand, in a situation where a company has a risk averse culture, the required defences will be oriented around reducing exposure to the unknown, for example centralizing software purchasing or vetting personnel prior to employment. Where there is a high perceived threat to the computing resource, then the defences used need to relate to the type of threat or threats being anticipated. For example, if the anticipated threat is theft, an appropriate defence might be to immobilize PCs. In the case of hacking, defences such as protecting network lines might be considered. Finally, if malicious programs are considered a problem, a pertinent defence may be to use a vector table monitor or virus free booting.

In conclusion, this article has shown that as more defences are used to protect a PC they become progressively less useful, and that there even comes a stage where they become detrimental. This is known as a diminishing marginal utility of security measures. In order to select the right defence for a certain company in a given situation, the total set of available defences needs to be filtered using the hard issues of PC environment and the number of users. Indifference analysis is then used to determine which of this filtered set of defences is actually needed. The level of indifference that a user exhibits is related to a range of soft issues, such as corporate culture, the criticality of information and the perceived threat to the PCs under investigation.

Notes
1. Suggested categories of PC environment are: stand-alone PCs, PCs connected to a data server and PCs connected to a program server.
2. The cost of a defence is taken to include: purchase, implementation and maintenance costs.
3. The effectiveness of a defence includes: ease of use, detrimental effect on the system and ability to protect the system.
4. Primary information is information that could cause a company to cease production of goods or services if it was altered or destroyed.