INFORMATION SECURITY FOR MANAGERS

William Caelli
Dennis Longley
Michael Shain

M stockton press

© Macmillan Publishers Ltd, 1989
Softcover reprint of the hardcover 1st edition 1989
978-0-333-46203-4

All rights reserved. No part of the publication may be reproduced or transmitted, in any form or by any means, without permission.

Published in the United States and Canada by STOCKTON PRESS 1989, 15 East 26th Street, New York, N.Y. 10010.

Library of Congress Cataloging-in-Publication Data
Caelli, William.
Information security for managers/by William Caelli, Dennis Longley, and Michel Shain.
p. cm.
Includes index.
ISBN 978-0-935859-73-7: $100.00
1. Electronic data processing departments - Security measures. 2. Computers - Access control. I. Longley, Dennis. II. Shain, Michael. III. Title.
HF5548.37.C34 1989
658.4'78 - dc20
89-4614 CIP

Published in the United Kingdom by MACMILLAN PUBLISHERS LTD (Journals Division), 1989
Distributed by Globe Book Services Ltd, Brunel Road, Houndmills, Basingstoke, Hants RG21 2XS

British Library Cataloguing in Publication Data
Caelli, Bill
Information security for managers.
1. Computer systems. Security measures. Management aspects
I. Title II. Longley, Denis III. Shain, Michael
658.4'78
ISBN 978-1-349-10139-9
ISBN 978-1-349-10137-5 (eBook)
DOI 10.1007/978-1-349-10137-5

Introduction

How seriously should management take information security? Until recently only a few managers fully appreciated how their day-to-day business administration was dependent on the availability and integrity of their data processing services. Several things are changing this, including the growing recognition of information as an asset, and the continuing development of information technology and its application in a business context. But at the same time the existence of information technology is providing new weapons for those intent on causing damage or criminal gain.
Automation of clerical processes makes information systems more vulnerable, because they no longer require the prudent manual checks and balances which were once an unspoken part of the job. When combined with the pressures of cost of implementation and timescale, this has meant that few, if any, security controls have been built into systems from the outset. It may be realised only when it is too late that protective controls have been sacrificed; security vulnerabilities are invisible until an incident occurs.

Thus, as information systems have become more valuable to their users they have also become more vulnerable to attack. They have consequently become more attractive targets for criminal and terrorist groups, holding the possibility of high rewards for minimal effort, and with little chance of detection until it is too late. A single compromised password can lead to fraud involving electronic funds transfer (EFT), or to the exposure of corporate secrets through industrial espionage.

All managers have to deal with risk as a natural part of business life. No one can absolutely guarantee that a mishap will not occur in his or her department. However, the wise manager can strive to be fully acquainted with the nature of the risk, develop an organisational structure, and invest time and money to minimise the chance of an unwanted incident and reduce the effect of any damage.

The purpose of this book is to enable the manager to become aware of the information security risk and the methods of counter-attack. In this way, and through the development of a management structure and a set of counter-measures to deter attack and initiate recovery procedures, he or she can take a more aggressive, proactive stance in the face of deliberate threats. As we shall see many times in this book, good information security depends first and foremost upon good management.
In many cases substantial increases in security can be achieved by improved management practices; on the other hand the effectiveness of sophisticated gadgetry, software, and cryptographic systems can easily be nullified by bad management. 'Computers don't steal, people do', is a wise maxim. Security is a "people" issue and effective security has to be pervasive. To reach such an objective demands a corporate policy that calls for commitment from staff and management, and needs to be integrated into both management and system structures. Once implemented it has to be constantly maintained and monitored for effectiveness.

This book is designed as a work of reference. The first chapter provides the foundation upon which subsequent sections are built, but the authors do not expect the work to be read in sequence, from cover to cover, as a novel. Hence the question and answer format has been chosen: the reader can examine the list of questions at the beginning of the book and select the ones that seem most relevant. Often asking the right question is halfway to finding the right answer, and through extensive use of cross-referencing, the reader is able to place the question in its relevant context.

Acknowledgement

The authors would like to thank the following: Chris Reed of Queen Mary College, London University, for advice on copyright; Robin Moses, formerly of CCTA, now of BIS Applied Systems, for help on risk analysis; Stuart Dresner for advice on privacy legislation; and John Foster of GE Information Services for help with insurance issues.

Contents

1 Data Security (D. Longley)
  1.1 Overview
  1.2 Security Policy and Organizational Structure
  1.3 Personnel and Responsibilities
  1.4 Data Ownership and Data Handling Responsibilities
  1.5 Access Control and Cryptographic Controls
  1.6 Information Flow Control
  1.7 Security of Stored Data
  1.8 Monitoring and Audit Trails
  1.9 Military and Commercial Security

2 Computer Security Risk Analysis and Management (M. Shain and A. Anderson)
  2.1 Overview
  2.2 Risk Analysis and Management: an Overview
  2.3 Conventional Computer Security Risk Analysis and Management
  2.4 Courtney Technique of Risk Analysis
  2.5 CRAMM Risk Analysis
  2.6 Conclusions

3 Countermeasures (M. Shain)
  3.1 Overview
  3.2 Physical Security
  3.3 Access Control
  3.4 Personal Computer Security
  3.5 Contingency Planning
  3.6 Insurance

4 Communications Security (W. Caelli)
  4.1 Overview
  4.2 Network Security
  4.3 Security on IBM Systems
  4.4 OSI Security

5 Financial and Banking Networks (W. Caelli)
  5.1 Overview
  5.2 Identity and Authentication of the User: Plastic Cards
  5.3 Identity and Authentication of the User: PINs
  5.4 Privacy, Integrity, and Authenticity of Financial Messages
  5.5 Financial Network Security

6 Office Automation Security (W. Caelli)
  6.1 Overview
  6.2 Communications and Logical Security
  6.3 Physical Security of Office Systems
  6.4 Procedural and Personnel Security

7 Security and the Law (D. Longley)
  7.1 Overview
  7.2 Data Protection
  7.3 Legal Protection of Information Assets
  7.4 Computer Crime
  7.5 Law and Personnel

Appendix A Security Models
  A.1 Bell-La Padula Model
  A.2 Orange Book
  A.3 RACF

Appendix B Cryptography
  B.1 Data Encryption Standard
  B.2 DES Modes of Operation: Cipher Block Chaining
  B.3 DES Modes of Operation: Cipher Feedback
  B.4 DES Modes of Operation: Output Feedback
  B.5 Public Key Cryptography
  B.6 Public Key Cryptography: RSA
  B.7 Stream Cipher
  B.8 Message Authentication
  B.9 Key Notarization

Appendix C Access Control
  C.1 Password
  C.2 PIN Management and Security

Appendix D Communications Security
  D.1 Electronic Listening Device
  D.2 Telephone Intrusion
  D.3 Port Protection Device
  D.4 X.400

Appendix E Data Protection Laws at a Glance

Appendix F List of Questions

Glossary

1 Data Security
D. Longley

1.1 Overview

1.1.1 Data security awareness among management

Data security is defined as:
• the protection of data from accidental or malicious modification, destruction, or disclosure (FIPS);
• the science and study of methods of protecting data in computer and communications systems against unauthorized disclosure, transfer, delay, modification, or destruction, whether accidental or intentional.

To put it rather more concisely, data security means providing the users of your data with the data that you intend them to have, and with that data only, at the time that you mean them to have it.

Managerial interest in data security has often been triggered by media reports of hacker exploits, massive frauds in banking networks, warnings on the spread of computer viruses, proposed changes in legislation affecting the use and misuse of computers, etc. It can be extremely difficult for management to judge the implications of data and computer security in the context of their own organizations.
In some cases the warnings about failures in data and computer security emanate from bodies with a vested interest in selling equipment or providing services geared to security. On the other hand, there will be reassurances from data processing managers that security has always been taken very seriously, and that there is no danger to the organization's computing systems. Comfort is also drawn from the Twenty Year Rule: 'Anything that has not happened in the last twenty years is unlikely to occur in the future'.