%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%               N.I.A.                %%
%%     Network Information Access      %%
%%              10MAR90                %%
%%            Lord Kalkin              %%
%%              FILE #7                %%
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%

:_Computers: Crime, Fraud, Waste Part 3
:_Written/Typed/Edited By: Lord Kalkin
:_Information Security

PHYSICAL SECURITY

Traditional Security: Locks, Fences, and Guards

Physical security once meant keeping a computer and its information from physical harm by surrounding the computer facility with locks, fences, and guards. But physical security has changed to accommodate the realities of today's computer environment -- an environment that is often a typical office setting with many small computers, word processors, and portable terminals.

Physical security is concerned with controls that protect against natural disasters ( e.g., fires, flood, or earthquakes ), and accidents. Physical security controls regulate the environment surrounding the computer, the data input, and the information products. In addition to the site where the computer equipment is housed, the environment includes program libraries, logs, records, magnetic media, backup storage areas, and utility rooms.

Whether physical security controls are called environmental controls, installation controls, or technical controls, they must be responsive to today's environment and they must be cost-effective. For example, installing costly fire suppression may be essential to protect a large computer that processes sensitive data but may not be justifiable to protect a single microcomputer.

CRIMES, ABUSES, AND WASTE

Computers have been shot, stabbed, stolen, and intentionally electrically shorted out. Disks and tapes have been destroyed by spilled beverages, and computers have been harmed by water leaks. Computers have been seriously damaged by temperature extremes, fire, electric power surges, natural disasters, and a host of accidents.
Information has been intercepted, stolen, sold, and used for the personal gain of an individual or for the benefit of a company.

- Small computers are an especially attractive target for thieves.
- During a fire, disks stored in nonfireproof cabinets and floppy disks left next to computer terminals were destroyed by a sprinkler system. Thousands of dollars were spent reconstructing the information they contained.

But accidents and ordinary contaminants are probably the major cause of damage to computers and related equipment.

COMPUTER GERMS: SPILLS, SMOKE, AND CRUMBS
HEAT AND HUMIDITY

CLUES

The following clues can help indicate physical security vulnerabilities:

1. Smoking, eating, and drinking are permitted in the computer work area.
2. Computer equipment is left unattended in unlocked rooms or is otherwise unsecured.
3. There is no fire alert or fire protection system.
4. Disks are left in desk drawers; there are no backups of disks.
5. Strangers are not questioned about being in the computer area.
6. An inventory of computer equipment or software is nonexistent, incomplete, never updated, or not verified after it is completed. Inventory shortages occur frequently.
7. Printouts, microfiche, or disks containing sensitive data are discarded as normal trash.
8. Locks which secure computer equipment or provide access to computer equipment are never changed.
9. No assessment is made of the computer site, i.e., how vulnerable is it to access by unauthorized persons, to fire or water damage, or to other disasters.

"THIS PRINTOUT IS WORTH $$$$$!!! IT WILL GET ME INTO THE SYSTEM."

PHYSICAL SECURITY CONTROLS

1. Prevent intentional damage, unauthorized use, or theft.

Small computers can be locked or bolted to work stations and access to them limited by computer equipment cover locks. Lock offices where they are located. Ensure individuals are responsible and accountable for the small computer they use.
If the information used by a government program is processed by a major computer facility, check to see how physical access to the facility and to related locations is controlled. Methods such as logs, locks, identifiers ( such as badges ), and guards may be appropriate.

The input of sensitive information requires proper handling of source documents. Proper handling means giving the same security considerations to these documents whether they provide input to automated or nonautomated systems. Considerations may involve securing the area, logging the documents, ensuring that only appropriately cleared persons see these documents, and using burn bags or other approved disposal methods.

Carefully consider computer location. Is it too accessible to unauthorized persons or susceptible to hazards?

Alert Staff: Be aware of common access-gaining schemes, such as "piggy-backing," where an authorized worker is followed into the computer area by a stranger carrying an armload of computer printouts or by persons claiming to be maintenance workers. Know persons with authorized access to the computer area and challenge strangers.

Many people believe that locked and guarded doors provide total physical protection. But electromagnetic emissions from other computers can be intercepted and automated information read. Recommended protections ( e.g., equipment modification and shielding ) must take into account the level of security required by the automated information and the fact that such an interception is rare, but may occur.

An inexpensive precautionary measure is making sure that telephone and computer transmission lines are not labeled as to their function and that their location is secured. In a network system, dedicated transmission lines -- which perform no other function -- may be required. In an increasing number of situations, dedicating a small computer to a single application may be the most cost-effective protection device.
Each of the four technologies used to transmit automated information can be intercepted: cable ( wiretapping ), microwave ( interception ), satellite ( satellite receiving antenna ), and radio frequency ( interception ). Protection technologies which may be called for include encryption of information, dedicated lines, security modems, and the alteration of voice communications by scrambling the signal, converting it to digital form, and using encryption.

2. Environmental hazards can wreak havoc with large and small computers alike.

Take measures to prevent, detect, and minimize the effects of hazards such as fire, water damage, air contaminants, excessive heat, and electricity blowouts.

Protect against fire damage with regularly tested fire alert systems, and fire suppression devices. Protect small computers with covers to prevent damage from sprinkler systems. Do not store combustibles in the area.

Static electricity can erase memory in small computers. Antistatic pads and sprays can help control this. Users can be reminded to discharge static electricity by touching a grounded object.

Power surges can erase memory, alter programs, and destroy microcircuits. An uninterrupted power source allows enough time to shut down a computer without losing data. Prevent momentary power surges from damaging computers by using voltage regulators. In a thunderstorm, unprotected small computers can be turned off and unplugged.

Excessive heat can be controlled by air-conditioning systems and fans, and by ensuring that air can circulate freely. A common problem is stacking peripheral equipment or blocking air vents on terminals or small computers.

Air filters can remove airborne contaminants that harm equipment and disks. Consider banning smoking near small computers.

Locate computers away from potential water hazards, such as plumbing pipes, areas known to flood, or even sprinkler systems if other fire protection devices are available.
Keep food, beverages, and ashtrays away from the computer.

Keep equipment in good working order. Monitor and record hardware maintenance. This provides both an audit trail of persons who have had access to the system and a record of contract fulfillment. Remember that maintenance personnel must carry proper identification.

3. Protect and secure storage media ( source documents, tapes, cartridges, disks, printouts ).

-- Maintain, control, and audit storage media inventories.
-- Educate users to the proper methods for erasing or destroying storage media.
-- Label storage media to reflect the sensitivity level of the information they contain.
-- Destroy storage media in accordance with the agency's security provisions.
-- Ensure that access for storing, transmitting, marking, handling, and destroying storage media is granted only to authorized persons.
-- Publicize procedures and policies to staff.

Consider posting the following reminders -- Disks are Fragile and Good Management Practices Provide Protection -- where everyone can see them.

-=- Disks are Fragile -=-

-- Store in protective jackets.
-- Don't write on jackets.
-- Protect from bending.
-- Don't touch disks directly.
-- Insert carefully into the computer.
-- Protect from coffee and soda spills.
-- Maintain acceptable temperatures (50C-125C).
-- Prevent erasures by keeping disks away from magnetic sources such as radios and telephones.
-- Store in areas, such as metal cabinets, protected from fire and water damage.
-- Handle disks in accord with their sensitivity marking.

-=- Good Management Practices Provide Protection -=-

-- Lock disks and tapes when not in use.
-- Use a filing system to keep track of disks and tapes.
-- Don't lend storage media with sensitive information to unauthorized persons.
-- Return damaged or defective disks with sensitive information only after degaussing or after a similar procedure.
-- Dispose of disks with sensitive information by degaussing, shredding, and following agency security procedures.
-- Dispose of printouts and printer ribbons with sensitive information by following agency security procedures.
-- Secure printouts of passwords and other access information.

4. Be sure that adequate plans are made for contingencies.

Remember that the intent of contingency plans is to ensure that users can continue to perform essential functions in the event that information technology support is interrupted. End users of information technology applications, as well as computer installations that process these applications, are required to have contingency plans.

Contingency plans must be written, tested, and regularly communicated to staff.

Contingency plans must take into account backup operations, i.e., how information will be processed when the usual computers cannot be used, and the recovery of any information which is lost or destroyed.

With small computers and word processors especially, the contingency plans should address selected equipment breakdowns, such as a single printer servicing many stations.

Procedures and equipment should be adequate for handling emergency situations ( fire, flood, etc. ).

Store backup materials, including the contingency plan, in a secure and safe location away from the computer site.

Contingency procedures must be adequate for the security level and criticality of the information.

Know what to do in case of an emergency and be familiar with the contingency plan.

Remember that the contingency plan may be operating at a time of great stress and without key personnel. Training of staff is vital.

N.I.A. - Ignorance, There's No Excuse.
Founded By: Guardian Of Time/Judge Dredd.
[OTHER WORLD BBS]