INFORMATION SECURITY FOR MANAGERS
William Caelli, Dennis Longley, Michael Shain
Macmillan / Stockton Press

Macmillan Publishers Ltd, 1989. Softcover reprint of the hardcover 1st edition 1989. ISBN 978-0-333-46203-4.
All rights reserved. No part of the publication may be reproduced or transmitted, in any form or by any means, without permission.

Published in the United States and Canada by STOCKTON PRESS, 1989, 15 East 26th Street, New York, N.Y. 10010.

Library of Congress Cataloging-in-Publication Data
Caelli, William. Information security for managers / by William Caelli, Dennis Longley, and Michel Shain. p. cm. Includes index. ISBN 978-0-935859-73-7: $100.00.
1. Electronic data processing departments - Security measures. 2. Computers - Access control. I. Longley, Dennis. II. Shain, Michael. III. Title.
HF5548.37.C34 1989 658.4'78 - dc20 89-4614 CIP

Published in the United Kingdom by MACMILLAN PUBLISHERS LTD (Journals Division), 1989. Distributed by Globe Book Services Ltd, Brunel Road, Houndmills, Basingstoke, Hants RG21 2XS.

British Library Cataloguing in Publication Data
Caelli, Bill. Information security for managers. 1. Computer systems. Security measures. Management aspects. I. Title. II. Longley, Denis. III. Shain, Michael. 658.4'78.
ISBN 978-1-349-10139-9
ISBN 978-1-349-10137-5 (ebook)
DOI 10.1007/978-1-349-10137-5
Introduction

How seriously should management take information security? Until recently only a few managers fully appreciated how their day-to-day business administration was dependent on the availability and integrity of their data processing services. Several things are changing this, including the growing recognition of information as an asset, and the continuing development of information technology and its application in a business context.

At the same time, information technology is providing new weapons for those intent on causing damage or seeking criminal gain. Automation of clerical processes makes information systems more vulnerable, because they no longer require the prudent manual checks and balances which were once an unspoken part of the job. Combined with the pressures of implementation cost and timescale, this has meant that few, if any, security controls have been built into systems from the outset. It may be realised only when it is too late that protective controls have been sacrificed; security vulnerabilities are invisible until an incident occurs.

Thus, as information systems have become more valuable to their users, they have also become more vulnerable to attack. They have consequently become more attractive targets for criminal and terrorist groups, offering the possibility of high rewards for minimal effort and little chance of detection until it is too late. A single compromised password can lead to fraud involving electronic funds transfer (EFT), or to the exposure of corporate secrets through industrial espionage.

All managers have to deal with risk as a natural part of business life. No one can absolutely guarantee that a mishap will not occur in his or her department. However, the wise manager can strive to be fully acquainted with the nature of the risk, develop an organisational structure, and invest time and money to minimise the chance of an unwanted incident and reduce the effect of any damage. The purpose of this book is to make the manager aware of the information security risk and the methods of counterattack. In this way, and through the development of a management structure and a set of countermeasures to deter attack and initiate recovery procedures, he or she can take a more aggressive, proactive stance in the face of deliberate threats.

As we shall see many times in this book, good information security depends first and foremost upon good management. In many cases substantial increases in security can be achieved by improved management practices; on the other hand, the effectiveness of sophisticated gadgetry, software, and cryptographic systems can easily be nullified by bad management. 'Computers don't steal, people do' is a wise maxim. Security is a 'people' issue, and effective security has to be pervasive. To reach such an objective demands a corporate policy that calls for commitment from staff and management, and which is integrated into both management and system structures. Once implemented it has to be constantly maintained and monitored for effectiveness.

This book is designed as a work of reference. The first chapter provides the foundation upon which subsequent sections are built, but the authors do not expect the work to be read in sequence, from cover to cover, as a novel. Hence the question and answer format has been chosen: the reader can examine the list of questions at the beginning of the book and select the ones that seem most relevant. Often asking the right question is halfway to finding the right answer, and through extensive use of cross-referencing the reader is able to place the question in its relevant context.
Acknowledgement

The authors would like to thank the following: Chris Reed of Queen Mary College, London University, for advice on copyright; Robin Moses, formerly of CCTA, now of BIS Applied Systems, for help on risk analysis; Stuart Dresner for advice on privacy legislation; and John Foster of GE Information Services for help with insurance issues.
Contents

1 Data Security (D. Longley) 1
1.1 Overview 1
1.2 Security Policy and Organizational Structure 13
1.3 Personnel and Responsibilities 16
1.4 Data Ownership and Data Handling Responsibilities 24
1.5 Access Control and Cryptographic Controls 27
1.6 Information Flow Control 53
1.7 Security of Stored Data 58
1.8 Monitoring and Audit Trails 59
1.9 Military and Commercial Security 77

2 Computer Security Risk Analysis and Management (M. Shain and A. Anderson) 81
2.1 Overview 81
2.2 Risk Analysis and Management: an Overview 82
2.3 Conventional Computer Security Risk Analysis and Management 89
2.4 Courtney Technique of Risk Analysis 95
2.5 CRAMM Risk Analysis 110
2.6 Conclusions 116

3 Countermeasures (M. Shain) 118
3.1 Overview 118
3.2 Physical Security 119
3.3 Access Control 130
3.4 Personal Computer Security 158
3.5 Contingency Planning 172
3.6 Insurance 185

4 Communications Security (W. Caelli) 193
4.1 Overview 193
4.2 Network Security 197
4.3 Security on IBM Systems 208
4.4 OSI Security 212

5 Financial and Banking Networks (W. Caelli) 225
5.1 Overview 225
5.2 Identity and Authentication of the User: Plastic Cards 228
5.3 Identity and Authentication of the User: PINs 238
5.4 Privacy, Integrity, and Authenticity of Financial Messages 247
5.5 Financial Network Security 251

6 Office Automation Security (W. Caelli) 258
6.1 Overview 258
6.2 Communications and Logical Security 261
6.3 Physical Security of Office Systems 269
6.4 Procedural and Personnel Security 274

7 Security and the Law (D. Longley) 283
7.1 Overview 283
7.2 Data Protection 289
7.3 Legal Protection of Information Assets 310
7.4 Computer Crime 320
7.5 Law and Personnel 331

Appendix A Security Models 339
A.1 Bell-La Padula Model 339
A.2 Orange Book 340
A.3 RACF 342

Appendix B Cryptography 343
B.1 Data Encryption Standard 343
B.2 DES Modes of Operation: Cipher Block Chaining 352
B.3 DES Modes of Operation: Cipher Feedback 354
B.4 DES Modes of Implementation: Output Feedback 355
B.5 Public Key Cryptography 356
B.6 Public Key Cryptography: RSA 359
B.7 Stream Cipher 362
B.8 Message Authentication 362
B.9 Key Notarization 366

Appendix C Access Control 368
C.1 Password 368
C.2 PIN Management and Security 369

Appendix D Communications Security 375
D.1 Electronic Listening Device 375
D.2 Telephone Intrusion 376
D.3 Port Protection Device 377
D.4 X.400 377

Appendix E Glossary 380
Appendix F Data Protection Laws at a Glance 383
List of Questions 393