Security in computer installations


by JULIA VAN DUYN

To ensure total security against computer crime and computer abuse, DP installations need hardware and software security measures. This is particularly important for online systems and data communications, which are more vulnerable than systems enclosed within the computer department. Such security measures include access controls, audit trail devices and encryption systems. There are several areas where hardware can be made more secure from outside elements.

Electric power and terminals

Since computer operations are totally dependent on constant and clean electric power, it is imperative to use reliable methods to protect it from manmade or natural disasters. Transistorized uninterruptible power supply (UPS) systems can provide up to 30-35 minutes of power in case of power anomalies such as brownouts, electrical noise and voltage sags and spikes. As a follow-up, an offsite backup power service can ensure uninterrupted computer operations for days or even weeks in the case of fire, flood, bombing or any other destructive influence.

After electric power, terminals, whether local or remote, standalone or mainframe-connected, are the most vulnerable devices in today's online computer systems. About 99% of computer-related fraud, embezzlement and theft (of proprietary software, trade secrets, and the like) are perpetrated via terminals. There are various methods available for protecting terminals. For example, the terminal lock-and-key is the simplest to use but the easiest to break into. The user inserts his/her key into the lock, turns the key, and the terminal is ready for use. The magnetic strip card is more expensive than lock-and-key, but much more effective. The user inserts the card into a terminal-connected magnetic card reader and the encoded identification (ID) is verified by a control file. If the verification is positive, the terminal is switched on. If the verification is negative, the terminal remains shut off. Fingerprint and palm prints are perhaps even more effective than the previous two devices. Here, the user places his or her finger or palm on a hand-shaped electronic device attached to the terminal. The sensors read the finger or palm print, which is then matched and verified by a control file. Again, if the verification is positive, the terminal is switched on. If the verification is negative, the terminal remains shut off. Signature analysis and voice print are two of the latest devices. Using the first method, either the complete signature or the signature initiation impulse time on a terminal-attached pad is compared and verified by a control file. By the second method, the person speaks certain words into a terminal-attached microphone. The electronically-converted voice message is matched and verified by a control file. A positive verification in either case switches the terminal on; a negative verification leaves the terminal shut off.

vol 27 no 6 july/august 1985 0011-684X/85/060019-04$03.00 © 1985 Butterworth & Co (Publishers) Ltd.

Data encryption

At present, the only known practical means of deterring possible theft of data and information transmitted over various data communications lines is data encryption via cipher systems. In its simplest form, a cipher system is the precise process which scrambles or encrypts data and information so that a particular transaction, message, file, or program becomes unintelligible to the unauthorized person. Subsequently, it allows the authorized person to unscramble or decrypt the data back into something intelligible. A cipher system consists of:

- an encryptor (hardware),
- a cryptographic algorithm (software), a definitive set of computational procedures which resolves a problem or performs a mathematical transformation within a finite number of structured steps,
- a key or keys (software) to convert plaintext (the original intelligible text) into an unintelligible sequence of numbers or symbols, called ciphertext, and back into plaintext.

Further, a 'key' is a specific combination or pattern of characters or bits which serves as a secret parameter used in a given algorithm. There are two types of encryption/cipher systems.

Data encryption standard (DES)

DES, also called the private key approach, is a cipher system which uses a single secret conversion key with the data encryption standard (DES) algorithm. The secret key encrypts the data and/or information before it is sent over a public channel such as cable, microwave, fibre optics or satellite. The same secret key is then relayed to the authorized receiver over a secured channel such as a private telephone line or bonded courier. Subsequently, the receiver can decrypt the data with the secret key (see Figure 1). Most EFT (electronic funds transfer), ATM (automatic teller machine), and other highly sensitive computer systems use DES, because it uses an efficient block encryption to transform a stream of input bits of fixed-length plaintext into a stream of output bits of different but still fixed-length ciphertext. Also, through the DES algorithm there are 72 quadrillion possible keys (possible combinations of secret parameters).

Figure 1. The private key approach (diagram labels: plaintext; 64 bits; 64 bits; 64 bits; includes 6 bits for error detection)

Public key encryption (PKE)

PKE is also called the public key approach and differs from DES in the algorithm(s) it uses. Furthermore, PKE requires two separate keys. Each user has an encryption key which is placed in the public domain, plus a decryption key which is kept secret. The public key can be used by anyone to encrypt another person's data. However, only the person to whom the secret key of the particular user has been communicated can convert the ciphertext (encrypted data) into plaintext (decrypted data). An example of PKE is the key management system which uses the RSA algorithm, named after its inventors Rivest, Shamir and Adleman. In the key management system, a certain number of users communicate with each other. Each user defines his/her own public and secret key. The public keys of these users are stored at a system node (key distribution centre), while the secret keys are kept confidential by the users. Thus, when user A wants to communicate with user B, for example, he relays his own and user B's public key to the system node. The system node authenticates both keys via protocols*. If the verification is positive, the system node relays that fact to users A and B. In the meantime, users A and B send their secret keys to each other over a secured channel. Thus, as soon as users A and B get the 'green light' from the system node, they can engage in a meaningful communication (see Figure 2).
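The private key approach in working code, as an added example for this page (it is not code from the article and it is not DES): a block cipher with the DES shape, 64-bit blocks, 16 Feistel rounds and one 64-bit secret key, but with a round function built from SHA-256 so it runs on the Python standard library alone. The message and key in the sample run are constructed. The point to take from it is the mechanics the text describes: fixed-length plaintext blocks go in, the same number of fixed-length ciphertext blocks come out, the ciphertext travels over the public channel, and the one secret key travels separately over the secured channel.

```python
"""Private key approach: one secret key, shared out of band, encrypts and decrypts.

Constructed example for this page; it is not code from the article and it is
not DES. It keeps the DES shape (64-bit blocks, 16 Feistel rounds, one 64-bit
key) but builds the round function from SHA-256 so it runs on the standard
library alone. Use it to see the mechanics, never to protect real data.
"""
import hashlib
import secrets

BLOCK_BYTES = 8           # 64-bit blocks, as in DES
ROUNDS = 16               # DES also uses 16 rounds
DES_KEYSPACE = 2 ** 56    # 64-bit DES key less parity bits: about 72 quadrillion keys


def _round_keys(key: bytes) -> list:
    """Derive one 32-bit subkey per round from the 64-bit secret key."""
    if len(key) != BLOCK_BYTES:
        raise ValueError("key must be 64 bits (8 bytes)")
    return [hashlib.sha256(key + bytes([r])).digest()[:4] for r in range(ROUNDS)]


def _f(half: bytes, round_key: bytes) -> bytes:
    """Round function: mixes one 32-bit half with a subkey; need not be invertible."""
    return hashlib.sha256(round_key + half).digest()[:4]


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _feistel(block: bytes, round_keys: list) -> bytes:
    """Feistel network: the same code decrypts when the subkeys are applied in reverse."""
    left, right = block[:4], block[4:]
    for rk in round_keys:
        left, right = right, _xor(left, _f(right, rk))
    return right + left       # final swap makes the network its own inverse


def encrypt_block(block: bytes, key: bytes) -> bytes:
    return _feistel(block, _round_keys(key))


def decrypt_block(block: bytes, key: bytes) -> bytes:
    return _feistel(block, list(reversed(_round_keys(key))))


def _pad(data: bytes) -> bytes:
    """Pad to whole blocks (PKCS#7 style) so every block is exactly 64 bits."""
    n = BLOCK_BYTES - len(data) % BLOCK_BYTES
    return data + bytes([n]) * n


def _unpad(data: bytes) -> bytes:
    n = data[-1]
    if not 1 <= n <= BLOCK_BYTES or data[-n:] != bytes([n]) * n:
        raise ValueError("bad padding: wrong key or corrupted ciphertext")
    return data[:-n]


def encrypt(plaintext: bytes, key: bytes) -> bytes:
    """Fixed-length plaintext blocks in, the same number of fixed-length ciphertext blocks out."""
    padded = _pad(plaintext)
    return b"".join(encrypt_block(padded[i:i + BLOCK_BYTES], key)
                    for i in range(0, len(padded), BLOCK_BYTES))


def decrypt(ciphertext: bytes, key: bytes) -> bytes:
    if len(ciphertext) % BLOCK_BYTES:
        raise ValueError("ciphertext is not a whole number of blocks")
    padded = b"".join(decrypt_block(ciphertext[i:i + BLOCK_BYTES], key)
                      for i in range(0, len(ciphertext), BLOCK_BYTES))
    return _unpad(padded)


def private_key_transfer(message: bytes):
    """Sender encrypts with the secret key; the key itself travels by a secured channel."""
    secret_key = secrets.token_bytes(BLOCK_BYTES)          # chosen by the sender
    over_public_channel = encrypt(message, secret_key)     # cable, microwave, satellite
    over_secured_channel = secret_key                      # private line or bonded courier
    recovered = decrypt(over_public_channel, over_secured_channel)
    return over_public_channel, recovered


if __name__ == "__main__":
    ct, pt = private_key_transfer(b"EFT 1500.00 TO ACCT 4471")   # constructed sample
    print(ct.hex(), pt)
```

Decrypting with the wrong key yields either a padding error or eight bytes of noise per block, which is the property the secured-channel key delivery protects. The DES keyspace constant is 2 to the 56th power, the figure the text rounds to 72 quadrillion.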

Figure 2. The public key approach - public key encryption (PKE)

*Protocols are a predetermined set of conventions covering the format and timing of messages between two communicating processes.
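The public key approach and the key distribution centre of Figure 2, as an added example for this page (it is not code from the article): textbook RSA with tiny, trivially factorable primes, which is enough to show the mechanics of two separate keys. Each user defines a keypair, the system node stores public keys only and confirms the keys a caller presents, anyone can encrypt to a stored public key, and only the holder of the matching secret key gets the plaintext back. The primes, user names and the `KeyDistributionCentre` class are constructed for the illustration; in the example the secret keys stay with their owners, which is how RSA is used in practice, and real deployments use 2048-bit or larger moduli with padded encryption.

```python
"""Public key approach: each user publishes one key and keeps another secret.

Constructed example for this page, not code from the article. Textbook RSA
with tiny primes (trivially factorable) shows the mechanics the article
describes: public keys sit at a system node, anyone encrypts to a public key,
only the holder of the matching secret key decrypts. Illustration only.
"""
from math import gcd


def make_keypair(p: int, q: int):
    """Return (public, secret) as ((n, e), (n, d)); the user supplies two primes."""
    n = p * q
    phi = (p - 1) * (q - 1)
    e = 3
    while gcd(e, phi) != 1:        # smallest odd exponent coprime with phi
        e += 2
    d = pow(e, -1, phi)            # modular inverse, so (m**e)**d == m (mod n)
    return (n, e), (n, d)


def rsa_apply(key, values):
    """Raise every value to the key's exponent modulo n; same code for both directions."""
    n, exponent = key
    return [pow(v, exponent, n) for v in values]


def encrypt_message(public_key, message: bytes) -> list:
    """Byte-at-a-time RSA; requires n > 255 so each byte is a valid message value."""
    return rsa_apply(public_key, list(message))


def decrypt_message(secret_key, ciphertext: list) -> bytes:
    return bytes(rsa_apply(secret_key, ciphertext))


class KeyDistributionCentre:
    """The system node of the article: it stores public keys only, never secret keys."""

    def __init__(self):
        self._public = {}

    def register(self, user: str, public_key):
        self._public[user] = public_key

    def authenticate(self, user: str, presented_key) -> bool:
        """Protocol step: does the key a caller presents match the registered one?"""
        return self._public.get(user) == presented_key

    def lookup(self, user: str):
        return self._public[user]


def user_a_to_user_b(message: bytes):
    """A asks the node to confirm A's and B's public keys, then encrypts to B."""
    node = KeyDistributionCentre()
    a_public, a_secret = make_keypair(61, 53)      # A defines own keys (constructed primes)
    b_public, b_secret = make_keypair(101, 103)    # B likewise
    node.register("A", a_public)
    node.register("B", b_public)
    if not (node.authenticate("A", a_public) and node.authenticate("B", b_public)):
        raise PermissionError("system node could not verify the public keys")
    ciphertext = encrypt_message(node.lookup("B"), message)   # anyone may do this
    recovered = decrypt_message(b_secret, ciphertext)         # only B can do this
    with_wrong_key = rsa_apply(a_secret, ciphertext)          # A's secret key does not work
    return ciphertext, recovered, with_wrong_key


if __name__ == "__main__":
    print(user_a_to_user_b(b"MEET AT NOON"))    # constructed sample message
```

`make_keypair` picks the public exponent as the smallest odd number coprime with phi and derives the secret exponent with Python's modular inverse (`pow(e, -1, phi)`, available from Python 3.8). The third value returned by `user_a_to_user_b` shows that applying a different user's secret key to the ciphertext produces numbers unrelated to the message.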

The EDP auditor

A fundamental deterrent against software security breach is the presence of an internal EDP auditor plus the periodic visits of an external EDP auditor. This is because the internal EDP auditor's responsibilities usually include monitoring the adequacy and effectiveness of controls in computer systems and reviewing and appraising DP applications and corporate security policy control procedures. He/she also evaluates systems documentation and assists the external EDP auditor in preparing management reports. The external EDP auditor's responsibility, on the other hand, is to check periodically for any weaknesses in system operations, paying special attention to financial systems.

Software protection packages

There are many excellent software monitoring system packages on the market, such as ACF 2, developed by SKK, Inc. and marketed by Cambridge Systems Group; Resource Access Control Facility (RACF), developed by IBM; Top Secret, developed by CGA Software Products Group, Inc. (marketed in the UK by Topdata), and Intruder Detection System (IDS), developed by Michael Blank.

IBM's RACF, one of the well-known software security systems, provides access control by:

- identifying and verifying system users when they log on,
- allowing access to system resources only to users who are authorized to do so.

RACF also monitors the system environment by logging authorized and unauthorized attempts and actual accesses to sensitive data or information, and alerting proper personnel about access violations via security reports. RACF performs its major functions by building 'profiles' about who is allowed to use what and how in the system management database (DBMS), based on information input into RACF at the time it is implemented. These profiles, which reside on the RACF dataset, contain descriptions of each user (who), each resource within the system (what) and the attributes and level of authorization (how), as given to RACF by the database administrator. RACF uses these profiles for its user identification and authentication, and authorization checking and logging. (See Figure 3 for an overview of the RACF environment.)

Figure 3. The IBM resource access control facility (RACF) runs on IBM mainframes

Figure 4a. Online IDS - intruder surveillance subsystem

IDS, unlike RACF and other access control software systems, will accept any ID and password. However, if the ID and/or password is invalid, a message alerts the computer security officer/administrator to the security violation. Moreover, IDS identifies the terminal from which the unauthorized access is attempted. The unique part of this security system is that via its online subsystem (which provides simulation menus), it goes along with the intruder as if the ID and/or password were valid. Thus IDS ascertains the intruder's intent and provides the organization with the necessary evidence to be able to prosecute the electronic invader. Moreover, its batch subsystem collects all information as to which files and records the person is trying to access and produces two reports:

- the security violations report, which summarizes the events,
- the security incident report, which gives full details of each event.

(See Figure 4 for an overview of IDS.)

Table 1. Applications controls
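The profile idea behind RACF (who may use what, and how) and the two IDS reports (a summary of violations and a detailed incident record), together in one added example for this page. It is not RACF's or IDS's code: the access levels, their ordering, the profile layout, the user names and the sequence of attempts are all constructed for the illustration. Every attempt is logged with the terminal it came from, so that the summary can be grouped by user and terminal and the detail report can be handed to the security officer.

```python
"""Profile-based access control with logging and the two reports.

Constructed example for this page, not RACF's or IDS's code. A profile says
who (user) may access what (resource) and how (access level); every attempt,
with the terminal it came from, is logged, and the log feeds a summary
violations report and a detailed incident report. The level names and their
ordering are assumptions for the illustration.
"""
from collections import Counter
from dataclasses import dataclass, field

LEVELS = {"NONE": 0, "READ": 1, "UPDATE": 2, "ALTER": 3}   # assumed ordering


@dataclass
class AccessEvent:
    user: str
    terminal: str
    resource: str
    requested: str
    granted: bool
    reason: str


@dataclass
class AccessControl:
    # profiles: resource -> {"universal": level for everyone else, "users": {user: level}}
    profiles: dict
    known_users: set
    log: list = field(default_factory=list)

    def check(self, user: str, terminal: str, resource: str, requested: str) -> bool:
        """Authorization check: logs the attempt and returns whether it is allowed."""
        if requested not in LEVELS:
            raise ValueError(f"unknown access level {requested!r}")
        if user not in self.known_users:
            granted, reason = False, "unknown user id"
        elif resource not in self.profiles:
            granted, reason = False, "no profile for resource"
        else:
            profile = self.profiles[resource]
            held = profile["users"].get(user, profile.get("universal", "NONE"))
            granted = LEVELS[held] >= LEVELS[requested]
            reason = f"holds {held}"
        self.log.append(AccessEvent(user, terminal, resource, requested, granted, reason))
        return granted

    def violations_report(self) -> dict:
        """Summary: how many denied attempts per (user, terminal)."""
        return dict(Counter((e.user, e.terminal) for e in self.log if not e.granted))

    def incident_report(self) -> list:
        """Full details of every denied attempt, for the security officer."""
        return [e for e in self.log if not e.granted]


def sample_run() -> AccessControl:
    """Constructed profiles and a constructed sequence of access attempts."""
    ac = AccessControl(
        profiles={
            "PAYROLL.MASTER": {"universal": "NONE",
                               "users": {"ALICE": "UPDATE", "BOB": "READ"}},
            "STAFF.PHONEBOOK": {"universal": "READ", "users": {}},
        },
        known_users={"ALICE", "BOB", "CAROL"},
    )
    ac.check("ALICE", "T01", "PAYROLL.MASTER", "UPDATE")   # allowed
    ac.check("BOB", "T02", "PAYROLL.MASTER", "READ")       # allowed
    ac.check("BOB", "T02", "PAYROLL.MASTER", "UPDATE")     # denied: holds READ only
    ac.check("CAROL", "T03", "STAFF.PHONEBOOK", "READ")    # allowed via universal access
    ac.check("CAROL", "T03", "PAYROLL.MASTER", "READ")     # denied: universal NONE
    ac.check("GUEST9", "T09", "PAYROLL.MASTER", "READ")    # denied: unknown id
    ac.check("GUEST9", "T09", "GL.LEDGER", "READ")         # denied: unknown id
    return ac


if __name__ == "__main__":
    run = sample_run()
    print(run.violations_report())
    for event in run.incident_report():
        print(event)
```

Two design points worth noting: the check fails closed (an unknown user or a resource without a profile is denied, not allowed), and denied events are recorded with the same detail as granted ones, so the incident report needs no separate collection step.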

Figure 4b. IDS - intruder detection system

Password security

For organizations without software security systems, an encoded password is the first line of defence against unauthorized access, especially in online systems. Passwords for access authorization levels should be allocated on a 'need-to-know' basis. Passwords can be kept in the computer system, preferably in the data dictionary/directory subsystem in a password file. The password file can be one-way encrypted and it can allow the user to change his/her password at any time. Better yet, the computer system should create the password at random, change it at a predetermined interval and send it in a sealed envelope or through secured electronic mail to the appropriate user.
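The password file just described, as an added example for this page (not code from the article): entries are one-way encrypted with a salted PBKDF2-HMAC-SHA256 digest, so the file holds nothing that can be turned back into a password; the user can change a password at any time; and the system can issue a random password and flag it for change once a predetermined interval has elapsed. The password length, the change interval and the iteration count are policy values assumed here, and the clock is injected so the interval logic can be exercised without waiting.

```python
"""One-way encrypted password file with random issue and periodic change.

Constructed example for this page, not from the article. Passwords are stored
only as salted PBKDF2-HMAC-SHA256 digests (one-way, so the file cannot be
decrypted), the user can change a password at any time, and the system can
issue a random password and flag it for change after a set interval. The
interval, password length and iteration count are policy values assumed here.
"""
import hashlib
import hmac
import secrets
import string
import time

ALPHABET = string.ascii_letters + string.digits
PASSWORD_LENGTH = 12
ITERATIONS = 100_000
CHANGE_INTERVAL = 30 * 24 * 3600      # seconds; assumed policy value


def generate_password(length: int = PASSWORD_LENGTH) -> str:
    """System-created random password, to go out in a sealed envelope or secured mail."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def _one_way(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


class PasswordFile:
    """Holds (salt, digest, time_set) per user; never the password itself."""

    def __init__(self, clock=time.time):
        self._clock = clock           # callable returning seconds; injectable for testing
        self._records = {}

    def set_password(self, user: str, password: str) -> None:
        salt = secrets.token_bytes(16)            # fresh salt per entry
        self._records[user] = (salt, _one_way(password, salt), self._clock())

    def issue_random(self, user: str) -> str:
        password = generate_password()
        self.set_password(user, password)
        return password               # returned once, for delivery to the user

    def verify(self, user: str, password: str) -> bool:
        record = self._records.get(user)
        if record is None:
            _one_way(password, b"\0" * 16)       # same cost for unknown users
            return False
        salt, digest, _ = record
        return hmac.compare_digest(digest, _one_way(password, salt))

    def change_due(self, user: str) -> bool:
        """True once the predetermined interval has elapsed since the password was set."""
        return self._clock() - self._records[user][2] >= CHANGE_INTERVAL

    def change(self, user: str, old: str, new: str) -> bool:
        """User-initiated change, allowed at any time after proving the old password."""
        if not self.verify(user, old):
            return False
        self.set_password(user, new)
        return True


if __name__ == "__main__":
    pf = PasswordFile()
    issued = pf.issue_random("operator1")          # constructed user name
    print(issued, pf.verify("operator1", issued), pf.change_due("operator1"))
```

`verify` compares digests with `hmac.compare_digest` and runs the derivation even for unknown user ids, so response time does not reveal whether an id exists. With the default clock the file behaves as a live store; a fake clock lets a test advance past the change interval.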


Applications controls

Applications controls designed into individual programs are another critical software crime countermeasure. Typical applications controls include:

- Input controls, which ensure that each transaction is entered correctly and only once, and that only authorized transactions get into the system.
- Processing controls, which verify that the transactions entered into the system are processed against the proper files, that each component of each transaction is valid and that any invalid transaction rejected by the system is re-entered correctly. (The only exception to this should be if it is a proven duplicate transaction.)
- Change controls, which safeguard the integrity of the system and maintain standard procedures for system and program modifications.
- Change controls, which ensure that reliance can be placed in the system before it becomes operational.
- Output controls, which authenticate the previous controls by repeating the functions of input and processing controls. Such repetitive activities help to ensure that only authorized and correct transactions are processed.
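The input, processing and output controls from the list above, carried through on one transaction stream as an added example for this page (it is not code from the article). Input controls reject malformed or unauthorized transactions and any transaction id already seen; processing controls reject a transaction that does not post against an existing account record or whose components are invalid; every reject except a proven duplicate goes to a queue for corrected re-entry; and the output control repeats the arithmetic independently to confirm that the accepted amount equals what was posted plus what was rejected. The roles, the authorization table, the account records and the transactions are constructed for the illustration.

```python
"""Input, processing and output controls on one transaction stream.

Constructed example for this page, not from the article. Role names,
authorization rules, account records and transactions are assumptions for
the illustration. Amounts are integers in cents.
"""
from dataclasses import dataclass

# which transaction kinds each role may enter (assumed policy)
AUTHORIZED_KINDS = {"clerk": {"DEPOSIT"}, "supervisor": {"DEPOSIT", "WITHDRAWAL"}}


@dataclass(frozen=True)
class Transaction:
    txn_id: str
    kind: str
    account: str
    amount: int          # in cents, to avoid floating-point rounding
    entered_by: str      # role of the operator who keyed it


class TransactionSystem:
    def __init__(self, accounts: dict):
        self.accounts = dict(accounts)   # account number -> balance in cents
        self.seen_ids = set()            # input control: each transaction only once
        self.posted = []
        self.reentry_queue = []          # (transaction, reason) awaiting corrected re-entry
        self.accepted_total = 0          # amounts that passed input controls
        self.rejected_total = 0          # accepted amounts later rejected in processing

    def input_control(self, t: Transaction):
        """Return a rejection reason, or None if the transaction may enter the system."""
        if t.txn_id in self.seen_ids:
            return "duplicate"
        if t.kind not in AUTHORIZED_KINDS.get(t.entered_by, set()):
            return "unauthorized"
        if t.amount <= 0 or not t.account.isdigit():
            return "malformed"
        return None

    def processing_control(self, t: Transaction):
        """Return a rejection reason, or None if the transaction may be posted."""
        if t.account not in self.accounts:
            return "no such account record"
        if t.kind == "WITHDRAWAL" and self.accounts[t.account] < t.amount:
            return "insufficient funds"
        return None

    def submit(self, t: Transaction):
        reason = self.input_control(t)
        if reason is not None:
            if reason != "duplicate":            # proven duplicates are not re-entered
                self.reentry_queue.append((t, reason))
            return reason
        self.seen_ids.add(t.txn_id)
        self.accepted_total += t.amount
        reason = self.processing_control(t)
        if reason is not None:
            self.reentry_queue.append((t, reason))
            self.rejected_total += t.amount
            return reason
        self.accounts[t.account] += t.amount if t.kind == "DEPOSIT" else -t.amount
        self.posted.append(t)
        return None

    def output_control(self) -> bool:
        """Repeat the totals independently: accepted must equal posted plus rejected."""
        posted_total = sum(t.amount for t in self.posted)
        return self.accepted_total == posted_total + self.rejected_total


if __name__ == "__main__":
    system = TransactionSystem({"1001": 5000, "1002": 100})   # constructed records
    for txn in (Transaction("T1", "DEPOSIT", "1001", 250, "clerk"),
                Transaction("T1", "DEPOSIT", "1001", 250, "clerk"),
                Transaction("T2", "WITHDRAWAL", "1002", 500, "supervisor")):
        print(txn.txn_id, system.submit(txn))
    print(system.accounts, system.output_control())
```

The duplicate check runs before the authorization check so that a re-keyed transaction is identified as a duplicate rather than queued twice, and only amounts that entered the system count toward the reconciliation, which is why an input-control reject does not appear in either total.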

(See Table 1 for an itemized list of activities for each of the above controls.)

Department of Computer Science, California State University, 6000 J Street, Sacramento, CA 95819, USA.