COMPSEC ‘97 Paper Abstracts
relationships, the NTFS file system, auditing using the event log and common configuration errors.

Title: Auditing the IT Security Function
Author: Keith Osborne, ICL
As many IT Security functions are relatively new, it may be the first time that a formal audit of the IT Security function has been undertaken. Additionally, there is as yet little published material, either articles or reference guides, on the audit of the IT Security function, so there may be little knowledge or experience on which to proceed. Another complication is that the IT Security function may be staffed by former peer (IT Audit) colleagues, which may give rise to unusual or difficult working relationships. Auditors will have a number of aspects that they will want to examine. The principal interest will be to see whether the IT Security function's approach is aligned with the five key pointers for effectiveness. From a management perspective, audit will want to determine whether the IT Security function is effectively communicating IT Security policies and requirements to the organization as a whole. On the technical side, audit will be interested in examining the IT Security function's responsibilities for security products, both hardware and software, and seeing how effectively the function has defined its requirements, evaluated and selected products, and implemented them. As education, training and awareness are important responsibilities of the IT Security function, audit will want to examine the public face of the IT Security function, to see how outward-facing the function is. Finally, as with any other function, audit will be interested in aspects such as internal controls, cost-effectiveness and value for money.

Title: Key Concerns in a Review of CA-ACF2/MVS
Author: Norman Cracker
IBM mainframe installations started to protect computer data and transactions during the latter part of the 1970s. Since the IBM mainframe operating systems themselves do not incorporate suitable access control facilities, several vendors began to market 'add-on' packages to provide these. The MVS market leader, in terms of total systems protected, has consistently been CA-ACF2. Part of its popularity has been due to its ability to protect complex environments, providing more powerful facilities and options than the other products. The very complexity which makes it such a powerful solution also makes it difficult to understand, particularly for the EDP Auditor, who must be able both to detect potential exposures in the system and to recommend ways of operating in a more controlled manner. Based on about 40 CA-ACF2 audits carried out by the author and 18 years' experience with the software, this paper will provide pointers to the most common problems found, show how to extract the relevant information from CA-ACF2 and discuss appropriate control measures. The paper will concentrate on CA-ACF2 in the MVS environment, but many of the concerns and techniques will also apply in the VM and VSE environments.
DAY 3: Friday 7th November
STREAM 1: Network Security

Title: Penetration Testing
Author: Gary Hardy, Zergo
In today's ever-expanding networking environment and growing use of the Internet, organizations are becoming increasingly concerned about unauthorized access to corporate data. As a consequence, more and more organizations are using penetration testing techniques to check their network defences. The paper will explain what penetration testing covers, its pros and cons, and how it should be undertaken. Several practical examples will be described.

Title: Securing Third Party Connections
Author: Eugene Schultz, SRI
Beginning in the early 1990s, organizations began connecting to the Internet on a widespread basis. Although many of these organizations were quicker to develop Internet connectivity than to implement suitable security solutions, eventually (and often after costly security incidents had occurred) they installed effective Internet security control solutions such as firewalls to protect their networks. The problem of securing networks against Internet-based security threats has, fortunately, become considerably more manageable, but a new, potentially more complex problem has emerged: securing connections from third parties such as business partners and customers. Controlling security in this case is more difficult because many third party entities must, for business reasons, be trusted to some degree, and also because business agreements may not allow the needed amount of traffic restriction for these connections. In addition, it is often difficult to determine how widespread the level of potential and actual access to a third party network itself is; a third party affiliate that needs a connection to another organization's network may itself allow unrestricted Internet access, potentially opening the organization's network to a flood of external attacks. This paper explores the real nature of the security threat resulting from third party connections and presents several major types of solutions. Although technical solutions are likely to solve the problem to some degree, administrative/managerial solutions comprise the other part of a complete approach to the problem of securing third party connections.

Computers and Security, Vol. 16, No. 6

Title: Information Flow within the Globally Connected Environment
Author: Sarah Gordon, IBM
One of the principal benefits of Internet connectivity within the corporate environment is the ability to transfer large amounts of information quickly from point to point. This paper will examine some of the benefits and potential dangers of this rapid exchange of data.

STREAM 2 (am): Electronic Commerce

Title: The Strategic Value of Information in Business
Author: Donn B. Parker, SRI International

Your business can be more successful with prudent protection of the information associated with your products and customers in today's knowledge management. We hate the constraints of information security. We need to determine how little security can achieve prudent due care, not how much we can tolerate. Strategic application of information security is needed.

Title: Essential Controls for Internet Electronic Commerce
Author: Charles Cresson Wood, Baseline Software

A recent study by RGH Consulting indicates that 75% of CIOs intend to go ahead and do business on the Internet, even though security issues have not been resolved to their satisfaction. The extent to which marketing pressures are dominating security concerns in this area should be cause for great concern among information security practitioners. Meanwhile security, according to another recent study conducted by KPMG Peat Marwick, remains the number one barrier to establishing an Internet electronic commerce presence. This presentation will define the special risks associated with Internet electronic commerce, as well as 17 fundamental controls that can be used to address these risks. Material for this presentation will be extracted from the author's 1996 book entitled How to Handle Internet Electronic Commerce Security: Risks, Controls & Product Guide.

STREAM 2 (pm): Information Warfare

Title: Information Warfare and Defending the UK Nation State
Author: Michael J. Corcoran, Defence Research Agency

This paper addresses the Minimum Essential Defence Information Infrastructure (MEDII) of the National Information Infrastructure (NII). It poses the following questions and suggests a direction in which to seek answers: what is information warfare? Does it really exist? To what is the threat posed? How vulnerable are the targets? Who poses the threat to the MEDII in an information warfare scenario? What counter-measures can be implemented? What is the MOD's role in this process?

Title: Penetration Testing and System Audit - Experience Gained and Lessons Learned During the Investigation of Systems Within the United Kingdom
Author: Andy Jones, Defence Evaluation and Research Agency
525