INFORMATION SECURITY FOR MANAGERS

Transcription

1 INFORMATION SECURITY FOR MANAGERS

2 INFORMATION SECURITY FOR MANAGERS William Caelli Dennis Longley Michael Shain M stockton press

3 Macmillan Publishers Ltd, 1989 Softcover reprint of the hardcover 1st edition All rights reserved. No part of the publication may be reproduced or transmitted, in any form or by any means, without permission. Published in the United States and Canada by STOCKTON PRESS East 26th Street, New York, N.Y Library of Congress Cataloging-in-Publication Data Caelli, William. Information security for managers/by William Caelli, Dennis Longley, and Michel Shain. p.cm. Includes index. ISBN : $ Electronic data processing departments - Security measures. 2. Computers- Access control. I. Longley, Dennis. II. Shain, Michael. III. Title. HF C '78 - dc CIP Published in the United Kingdom by MACMILLAN PUBLISHERS LTD (Journals Division), 1989 Distributed by Globe Book Services Ltd Brunei Road, Houndmills Basingstoke, Hants RG21 2XS British Library Cataloguing in Publication Data Caelli, Bill Information security for managers. 1. Computer systems. Security measures. Management aspects I. Title II. Longley, Denis III. Shain, Michael 658.4'78 ISBN ISBN (ebook) DOI /

4 Introduction How seriously should management take information security? Until recently only a few managers fully appreciated how their day-to-day business administration was dependent on the availability and integrity of their data processing services. Several things are changing this, including the growing recognition of information as an asset, and the continuing development of information technology and its application in a business context. But at the same time the existence of information technology is providing new weapons for those intent on causing damage or criminal gain. Automation of clerical processes makes information systems more vulnerable, because they no longer require the prudent manual checks and balances which were once an unspoken part of the job. When combined with the pressures of cost of implementation and timescale, this has meant that few, if any, security controls have been built into systems from the outset. It may be realised only when it is too late that protective controls have been sacrificed; security vulnerabilities are invisible until an incident occurs. Thus, as information systems have become more valuable to their users they have also become more vulnerable to attack. They have consequently become more attractive targets for criminal and terrorist groups, holding the possibility of high rewards for minimal effort, and with little chance of detection until it is too late. A single, compromised password can lead to fraud involving electronic funds transfer (EFT), or to the exposure of corporate secrets through industrial espionage. All managers have to deal with risk as a natural part of business life. No one can absolutely guarantee that a mishap will not occur in his or her department. However, the wise manager can strive to be fully acquainted with the nature of the risk, develop an organisational structure, and invest time and money to minimise the chance

5 Introduction of an unwanted incident and reduce the effect of any damage. The purpose of this book is to enable the manager to become aware of the information security risk and the methods of counterattack. In this way and through the development of a management structure and a set of counter-measures to deter attack and initiate recovery procedures, he or she can take a more aggressive, pro active stance in the face of deliberate threats. As we shall see many times in this book, good information security depends first and foremost upon good management. In many cases substantial increases in security can be achieved by improved management practices; on the other hand the effectiveness of sophisticated gadgetry, software, and crytographic system,s can easily be nullified by bad management. 'Computers don't steal, people do', is a wise maxim. Security is a "people" issue and effective security has to be pervasive. To reach such an objective demands a corporate policy that calls for commitment from staff and management, and needs to be integrated into both management and system structures. Once implemented it has to be constantly maintained and monitored for effectiveness. This book is designed as a work of reference. The first chapter provides the foundation upon which subsequent sections are built, but the authors do not expect the work to be read in sequence, from cover to cover, as a novel. Hence the question and answer format has been chosen - the reader can examine the list of questions at the beginning of the book and select the ones that seem most relevant. Often asking the right question is half way to finding the right answer, and through extensive use of cross-referencing, the reader is able to place the question in its relevant context. Acknowledgement The authors would like to thank the following: Chris Reed of Queen Mary College, London University, for advice on copyright, Robin Moses, formerly of CCTA, now of BIS Applied Systems for help on risk analysis, Stuart Dresner for advice on privacy legislation and John Foster of GE Information Services for help with insurance issues.

6 Contents 1 Data Security 1 D. Longley 1.1 Overview Security Policy and Organizational Structure Personnel and Responsibilities Data Ownership and Data Handling Responsibilities Access Control and Cryptographic Controls Information Flow Control Security of Stored Data Monitoring and Audit Trails Military and Commercial Security 77 2 Computer Security Risk Analysis and Management 81 M. Shain and A. Anderson 2.1 Overview Risk Analysis and Management: an Overview Conventional Computer Security Risk Analysis and Management Courtney Technique of Risk Analysis CRAMM Risk Analysis Conclusions Countermeasures 118 M. Shain 3.1 Overview Physical Security Access Control Personal Computer Security Contingency Planning Insurance 185

7 Contents 4 Communications Security W. Caelli 4.1 Overview 4.2 Network Security 4.3 Security on IBM Systems 4.4 OSI Security Financial and Banking Networks W. Caelli 5.1 Overview Identity and Authentication of the User: Plastic Cards Identity and Authentication of the User: PINs Privacy, Integrity, and Authenticity of Financial Messages Financial Network Security Office Automation Security W. Caelli 6.1 Overview 6.2 Communications and Logical Security 6.3 Physical Security of Office Systems 6.4 Procedural and Personnel Security Security and the Law 283 D. Longley 7.1 Overview Data Protection Legal Protection of Information Assets Computer Crime Law and Personnel 331 Appendix A Security Models 339 A.1 Bell-La Padula Model 339 A.2 Orange Book 340 A.3 RACF 342 Appendix 8 Cryptography 343 B.l Data Encryption Standard 343 B.2 DES Modes of Operation Cipher Block Chaining 352 B.3 DES Modes of Operation Cipher Feedback 354 B.4 DES Modes of Implementation Output Feedback 355

8 Contents B.5 Public Key Cryptography B.6 Public Key Cryptography RSA B.7 Stream Cipher B.8 Message Authentication B.9 Key Notarization Appendix C Access Control C.l Password C.2 PIN Management and Security Appendix D Communications Security D.1 Electronic Listening Device D.2 Telephone Intrusion D.3 Port Protection Device D.4 X Appendix E Appendix F Glossary Data Protection Laws at a Glance List of Questions