Protecting Your System: Physical Security
Physical security refers to the protection of building sites and equipment (and all information and software contained therein) from theft, vandalism, natural disaster, manmade catastrophes, and accidental damage (e.g., from electrical surges, extreme temperatures, and spilled coffee). It requires solid building construction, suitable emergency preparedness, reliable power supplies, adequate climate control, and appropriate protection from intruders. Most people think about locks, bars, alarms, and uniformed guards when they think about physical security. While these countermeasures are by no means the only precautions that need to be considered when trying to secure an information system, they are a perfectly logical place to begin. Physical security is a vital part of any security plan and is fundamental to all security efforts. Without it, information security, software security, user access security, and network security are considerably more difficult, if not impossible, to initiate.
Physical security requires that building sites be safeguarded in a way that minimizes the risk of resource theft and destruction. To accomplish this, decision-makers must be concerned about building construction, room assignments, emergency procedures, regulations governing equipment placement and use, power supplies, product handling, and relationships with outside contractors and agencies.
Well-conceived plans to secure a building can be initiated without adding undue burden on your staff. After all, if they require access, they will receive it, as long as they are aware of, and abide by, the organization's stated security policies and guidelines. The only way to ensure this is to demand that before any person is given access to your system, they have first signed and returned a valid security agreement (see Appendix D for a sample security agreement). This necessary security policy is too important to permit exceptions.
Physical Threats (Examples)
Examples of physical threats include:
- natural events (e.g., floods, earthquakes, and tornados)
- other environmental conditions (e.g., extreme temperatures, high humidity, heavy rains, and lightning)
- intentional acts of destruction (e.g., theft, vandalism, and arson)
- unintentionally destructive acts (e.g., spilled drinks, overloaded electrical outlets, and bad plumbing)
Physical Security Countermeasures
The following countermeasures address physical security concerns that could affect your site(s) and equipment. These strategies are recommended when risk assessment identifies or confirms the need to counter potential breaches in the physical security of your system.
Countermeasures come in a variety of sizes, shapes, and levels of complexity. This resource describes a range of strategies that are potentially applicable to life in education organizations. In an effort to maintain this focus, those countermeasures that are unlikely to be applied in education organizations are not included. If after your risk assessment, your security team determines that your organization requires cutting-edge countermeasures like retinal scanners or voice analyzers, you will need to refer to other security references and perhaps hire a technical consultant.
Create a Secure Environment: Building and Room Construction:
- Don't arouse unnecessary interest in your critical facilities: A secure room should have "low" visibility (e.g., there should not be signs in front of the building and scattered throughout the hallways announcing "expensive equipment and sensitive information this way").
- Maximize structural protection: A secure room should have full height walls and fireproof ceilings.
- Minimize external access (doors): A secure room should only have one or two doors; they should be solid, fireproof, lockable, and observable by assigned security staff. Doors to a secure room should never be propped open.
- Minimize external access (windows): A secure room should not have excessively large windows. All windows should have locks.
- Maintain locking devices responsibly: Locking doors and windows can be an effective security strategy as long as appropriate authorities maintain the keys and combinations responsibly. If there is a breach, each compromised lock should be changed.
- Investigate options other than traditional keyhole locks for securing areas as is reasonable: Based on the findings from your risk assessment, consider alternative physical security strategies such as window bars, anti-theft cabling (i.e., an alarm sounds when any piece of equipment is disconnected from the system), magnetic key cards, and motion detectors.
- Be prepared for fire emergencies: In an ideal world, a secure room should be protected from fire by an automatic fire-fighting system. Note that water can damage electronic equipment, so carbon dioxide systems or halogen agents are recommended. If implemented, staff members must be trained to use gas masks and other protective equipment. Manual fire fighting equipment (i.e., fire extinguishers) should also be readily available and staff should be properly trained in their use.
- Maintain a reasonable climate within the room: A good rule of thumb is that if people are comfortable, then equipment is usually comfortable, but even if people have gone home for the night, room temperature and humidity cannot be allowed to reach extremes (i.e., it should be kept between 50 and 80 degrees Fahrenheit and 20 and 80 percent humidity). Note that it's not freezing temperatures that damage disks, but the condensation that forms when they thaw out.
- Be particularly careful with non-essential materials in a secure computer room: Technically, this guideline should read "no eating, drinking, or smoking near computers," but it is probably impossible to convince staff members to practice such a regulation. Other non-essential materials that can cause problems in a secure environment and, therefore, should be eliminated include curtains, reams of paper, and other flammables.
(some bullets adapted from Information Security Modules)
Determining countermeasures often requires creativity: don't limit yourself to only the "traditional" solutions.
Select only those countermeasures that meet perceived needs as identified during risk assessment and support security policy.
Don't say it if you don't mean it
Instituting policies that you don't enforce makes users wonder whether you're serious about other rules as well.
- Keep critical systems separate from general systems: Prioritize equipment based on its criticality and its role in processing sensitive information. Store it in secured areas based on those priorities.
- House computer equipment wisely: As stated, equipment should not be able to be seen or reached from window and door openings, nor should it be housed near radiators, heating vents, air conditioners, or other ductwork. Workstations that do not routinely display sensitive information should always be stored in open, visible spaces to prevent covert use.
- Protect cabling, plugs, and other wires from foot traffic: Tripping over loose wires is dangerous to both personnel and equipment.
- Keep a record of your equipment: Maintain up-to-date logs of equipment manufacturers, models, and serial numbers in a secure location. Be sure to include a list of all attached peripheral equipment. Consider videotaping the equipment (including close-up shots) as well. Such clear evidence of ownership can be helpful when dealing with insurance companies.
- Maintain and repair equipment: Have plans in place for emergency repair of critical equipment. Either have a technician on staff who is trained to do repairs or make arrangements with someone who has ready access to the site when repair work is needed. If funds allow, consider setting up maintenance contracts for your critical equipment. Local computer suppliers often offer service contracts for equipment they sell, and many workstation and mainframe vendors also provide such services. Once you've set up the contract, be sure that contact information is kept readily available. Technical support telephone numbers, maintenance contract numbers, customer identification numbers, equipment serial numbers, and mail-in information should be posted or kept in a logbook near the system for easy reference. Remember that computer repair technicians may be in a position to access your confidential information, so make sure that they know and follow your policies regarding outside employees and contractors who access your system.
- Identify your equipment as yours in an overt way: Mark your equipment in an obvious, permanent, and easily identifiable way. Use bright (even fluorescent) paint on keyboards, monitor backs and sides, and computer bodies. It may decrease the resale value of the components, but thieves cannot remove these types of identifiers as easily as they can adhesive labels.
- Identify your equipment as yours in a covert way: Label the inside of equipment with the organization's name and contact information to serve as powerful evidence of ownership.
- Make unauthorized tampering with equipment difficult: Replace regular body case screws with Allen-type screws or comparable devices that require a special tool (e.g., an Allen wrench) to open them.
- Limit and monitor access to equipment areas: Keep an up-to-date list of personnel authorized to access sensitive areas. Never allow equipment to be moved or serviced unless the task is preauthorized and the service personnel can produce an authentic work order and verify their identity. Require picture or other forms of identification if necessary. Logs of all such activity should be maintained. Staff should be trained to always err on the cautious side (and the organization must support such caution even when it proves to be inconvenient).
(adapted from Network Security Secrets)
While the X-ray conveyor belt is the preferred way of transporting a laptop through airport security (compared to subjecting the computer to the magnetic fields of walk-through or wand scanners), it is also a prime place for theft. Thieves love to "inadvertently" pick up the wrong bag and disappear while passengers are fumbling through their pockets to find the loose coins that keep setting off the metal detectors. Use the X-ray conveyor belt, but never take your eyes off your laptop!
Attend to Portable Equipment and Computers:
- Never leave a laptop computer unattended: Small, expensive things can disappear very quickly, even more quickly from public places and vehicles!
- Store laptop computers wisely: Secure laptops in a hotel safe rather than a hotel room, in a hotel room rather than a car trunk, and in a car trunk rather than the back seat.
- Stow laptop computers appropriately: Just because a car trunk is safer than its back seat doesn't mean that an unsecured tire jack won't damage the laptop when you hit a bump in the road. Even if the machine isn't stolen, it can be ruined. Stow the laptop and its battery safely!
- Don't leave a laptop computer in a car trunk overnight or for long periods of time: In cold weather, condensation can form and damage the machine. In warm weather, high temperatures (amplified by the confined space) can also damage hard drives.
(adapted from Network Security Secrets)
Regulate Power Supplies:
- Be prepared for fluctuations in the electrical power supply: Do so by (1) plugging all electrical equipment into surge suppressors or electrical power filters; and (2) using Uninterruptible Power Sources (UPSs) to serve as auxiliary electrical supplies to critical equipment in the event of power outages.
- Protect power supplies from environmental threats: Consider having a professional electrician design your electrical system to better withstand fires, floods, and other disasters.
- Select outlet use carefully: Although little thought generally goes into plugging equipment into an outlet, machines that draw heavily from a power source can affect, and be affected by, other equipment that draws energy from the same outlet.
- Guard against the negative effects of static electricity in the office place: Install anti-static carpeting and anti-static pads, use antistatic sprays, and encourage staff to refrain from touching metal and other static-causing agents before using computer equipment.
- Keep photocopiers, fax machines, and scanners in public view: These types of equipment are very powerful tools for disseminating information; so powerful, in fact, that their use must be monitored.
- Assign printers to users with similar security clearances: You don't want employees looking at sensitive financial information (e.g., staff salaries) or confidential student information (e.g., individual records) while they are waiting for their documents to print. It is better to dedicate a printer to the Director of Finance than to have sensitive data scattered around a general use printer. Don't hesitate to put printers in locked rooms if that is what the situation demands.
- Label printed information appropriately: Confidential printouts should be clearly identified as such.
- Demand suitable security procedures of common carriers when shipping/receiving confidential information: Mail, delivery, messenger, and courier services should be required to meet your organization's security standards when handling your confidential information.
- Dispose of confidential waste adequately: Print copies of confidential information should not be placed in common dumpsters unless shredded.
Protecting Your System: Information Security
One of an organization's most valuable assets is its information. Local, state, and federal laws require that certain types of information (e.g., individual student records) be protected from unauthorized release (see Appendix B for a FERPA Fact Sheet). This facet of information security is often referred to as protecting confidentiality. While confidentiality is sometimes mandated by law, common sense and good practice suggest that even non-confidential information in a system should be protected as well, not necessarily from unauthorized release as much as from unauthorized modification and unacceptable influences on its accessibility.
Components of Information Security:
(see also Information Security Modules)
Perhaps more than any other aspect of system security, protecting information requires specific procedural and behavioral activities. Information security requires that data files be properly created, labeled, stored, and backed up. If you consider the number of files that each employee uses, these tasks clearly constitute a significant undertaking.
Information Threats (Examples)
A threat is any action, actor, or event that contributes to risk. Examples of information threats include:
- natural events (e.g., lightning strikes, and aging and dirty media)
- intentional acts of destruction (e.g., hacking and viruses)
- unintentionally destructive acts (e.g., accidental downloading of computer viruses, programming errors, and unwise use of magnetic materials in the office)
Electronic exchange of confidential data, such as individual student records, requires the use of secure communications methods such as data encryption, virtual private networks (VPNs), and leased lines. Hardware-based encryption can be integrated into firewalls to create VPN tunnels over the public WAN. The movement of any private data over the public network requires at least 128-bit encryption. Examples of encryption algorithms include DSA, RSA, 3DES, IDEA, etc. Internet Protocol Security (IPSec) is an industry-defined set of standards that verifies, authenticates, and optionally encrypts data at the IP packet level. Secure Sockets Layer (SSL) can use various ciphers, including RSA, DES, 3DES, MD5, RC4, etc.
Information Security Countermeasures
The following countermeasures address information security concerns that could affect your site(s). These strategies are recommended when risk assessment identifies or confirms the need to counter potential breaches in your system's information security.
Transmit Information Securely (including e-mail):
- Use e-mail only for routine office communication: Never send sensitive information as e-mail. If e-mail absolutely must be used, encrypt the file and send it as an attachment rather than in the text of the e-mail message.
- Encrypt everything before it leaves your workstation: Even your password needs to be encrypted before leaving the workstation on its way to the network server; otherwise it could be intercepted as it travels network connections.
- Physically protect your data encryption devices and keys: Store them away from the computer but remember where you put them. Use the same common-sense principles of protection you should be giving your bankcard's personal identification number.
- Inform staff that all messages sent with or over the organization's computers belong to the organization: This is a nice way of saying that everything in the office is subject to monitoring.
- Use dial-up communication only when necessary: Do so only after the line has been evaluated for security. Do not publicly list dial-up communication telephone numbers.
- Confirm that outside networks satisfy your security requirements: Install automatic terminal identification, dial-back, and encryption features (technical schemes that protect transmissions to and from off-site users).
RSA public key cryptography, named for inventors Rivest, Shamir, and Adleman, is widely used for authentication and encryption of data. An education agency can apply for a Digital Signature Standard (DSS) for the authentication of electronic documents, or a general digital certificate through a Certificate Authority website such as VeriSign ®. This can be accomplished by submitting information about the agency and its web server via an encrypted Certificate Signing Request (CSR).
Once the Certificate Authority confirms that the agency is legitimate, it uses the CSR file to generate and validate certificates for the applying agency. The Certificate Authority will then issue the agency a server certificate to be installed on the agency's web server. People who want to access this secure web server must have the Certificate Authority's root certificate installed in their own browser (VeriSign's® root certificate is preinstalled in most browsers) before secure information can be exchanged.
Digital certificates are used by the SSL (Secure Sockets Layer) security protocol to encrypt, decrypt, and authenticate data. The certificate contains the owner's organization name and other specific information that allows recipients of the certificate to identify the certificate's owner. The certificate also contains a public key used to encrypt the message being transported across the Internet. During each user's SSL secured session with the secure server, the user's root certificate creates a unique public key for the browser to encrypt and decrypt messages sent to and from the server. Public keys are discarded once a transaction ends. Messages sent from and received by the secure server are encrypted and decrypted using the server's private key.
A public (or shared) key algorithm can be easily utilized to encrypt data files for exchange. This method requires the use of a software package, such as Pretty Good Privacy (PGP), to generate an encryption key pair. The private key is kept within the agency; the other key is given to the party to be granted access. Whenever a key is "compromised" or needs to be changed, the software can create new keys.
- Verify the receiver's authenticity before sending information anywhere: Ensure that users on the receiving end are who they represent themselves to be by verifying:
- something they should know: a password or encryption key; this is the least expensive measure but also the least secure
- something they should have: an electronic keycard or smart card, for example
- something they are: biometrics like fingerprinting, voice recognition, and retinal scans; these strategies are more expensive but also more secure
- Consider setting up pre-arranged transmission times with regular information trading partners: If you know to expect transmissions from your trading partners at specific times and suddenly find yourself receiving a message at a different time, you'll know to scrutinize that message more closely. Is it really your trading partner sending the message? Why has the pre-arranged time been ignored? Has the message been intercepted and consequently knocked off schedule?
- Maintain security when shipping and receiving materials: When sending sensitive information through the mail, or by messenger or courier, require that all outside service providers meet or exceed your security requirements.
Present Information for Use in a Secure and Protected Way:
- Practice "views" and "table-design" applications: A "view" selects only certain fields within a table of information for display, based on the user's access rights. For example, although a school record system may contain a range of information about each student, food services staff can view only information related to their work and special education staff can view only information related to their work. This type of system maintains information much more securely than traditional paper systems, while at the same time increasing statistical utility and accountability options.
- Use "key identifiers" to link segregated information: If record information is maintained in a segregated manner (e.g., testing files are kept in a different database than special education files) for security purposes, a common file identifier (e.g., a Social Security Number) can be used to match records without unnecessarily divulging the identity of individuals and compromising confidentiality.
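The per-role "views" and key-identifier linkage described in the two items above, as an added example that is not part of the original guide. It uses Python's built-in sqlite3 module; the table names, the two roles, and the single constructed student record are assumptions made for illustration.

```python
"""Field-restricted views over segregated record tables (added example).

Records are held in separate tables that share only a neutral `student_key`;
names and dates of birth live in one table that no role's view touches.
"""
import sqlite3

SCHEMA = """
CREATE TABLE students   (student_key TEXT PRIMARY KEY, full_name TEXT, dob TEXT);
CREATE TABLE testing    (student_key TEXT, subject TEXT, score INTEGER);
CREATE TABLE special_ed (student_key TEXT, iep_status TEXT);
CREATE TABLE meal_plans (student_key TEXT, plan TEXT);

-- Food services staff see only the key and the meal plan.
CREATE VIEW v_food_services AS
    SELECT student_key, plan FROM meal_plans;

-- Special education staff see IEP status and test scores, linked by the
-- common key, but never the name or date of birth.
CREATE VIEW v_special_ed AS
    SELECT s.student_key, s.iep_status, t.subject, t.score
      FROM special_ed AS s
      JOIN testing    AS t ON s.student_key = t.student_key;
"""

# Constructed sample data for one student.
SAMPLE = [
    ("INSERT INTO students VALUES (?,?,?)",  [("K-1001", "A. Student", "2011-04-02")]),
    ("INSERT INTO testing VALUES (?,?,?)",   [("K-1001", "math", 88), ("K-1001", "reading", 91)]),
    ("INSERT INTO special_ed VALUES (?,?)",  [("K-1001", "active")]),
    ("INSERT INTO meal_plans VALUES (?,?)",  [("K-1001", "reduced")]),
]

# Allow-list of which view each role may query; a role not listed is denied.
ROLE_VIEWS = {"food_services": "v_food_services", "special_ed": "v_special_ed"}


def build_db():
    """Create the in-memory database, its views, and the sample record."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    for sql, rows in SAMPLE:
        conn.executemany(sql, rows)
    conn.commit()
    return conn


def query_as(conn, role, student_key):
    """Return the rows visible to `role` for one student key, as dicts.

    The view name comes only from the ROLE_VIEWS allow-list, so it is safe to
    interpolate; the student key is passed as a bound parameter.
    """
    view = ROLE_VIEWS.get(role)
    if view is None:
        raise PermissionError(f"role {role!r} has no view assigned")  # deny by default
    cur = conn.execute(f"SELECT * FROM {view} WHERE student_key = ?", (student_key,))
    cols = [d[0] for d in cur.description]
    return [dict(zip(cols, row)) for row in cur.fetchall()]


def visible_columns(conn, role):
    """List the column names a role's view exposes (what the role can ever see)."""
    view = ROLE_VIEWS[role]
    return [row[1] for row in conn.execute(f"PRAGMA table_info({view})")]
```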
Back up Information Appropriately:
- Back up not only information, but also the programs you use to access information: Back up operating system utilities so that you retain access to them even if your hard drive goes down. Also maintain current copies of critical application software and documentation as securely as if they were sensitive data. Caution: Some proprietary software providers may limit an organization's legal right to make copies of programs, but most allow for responsible backup procedures. Check with your software provider.
- Consider using backup software that includes an encryption option when backing up sensitive information: Encryption provides additional security that is well worth the extra effort, since it ensures that even if unauthorized users access your backup files, they still can't break confidentiality without also having access to your encryption key. If you adopt this recommendation, be sure to change your encryption key regularly.
- Verify that your backups are written to the disk or tape accurately: Choose a backup program that has a verification feature.
- Rotate backup tapes: Although backup tapes are usually quite reliable, they tend to lose data over time when under constant use. Retire tapes after two to three months of regular use (i.e., about 60 uses) to a backup activity that requires less regular use (e.g., program backups). Also note that routine tape drive cleaning can result in longer tape life.
- Maintain a log of all backup dates, locations, and responsible personnel: Accountability is an excellent motivator for getting things done properly. Remember to store the logs securely.
- Avoid over-backing up: Too many backup files can confuse users and thereby increase the possibility of exposing sensitive information. Clear hard drives, servers, and other storage media that contain old backup files to save space once you have properly secured (and verified) the last complete and partial backup.
- Test your backup system: This point has been made numerous times throughout the document, but it truly cannot be overemphasized!
- Consider creating a clustered server environment (i.e., a group of servers clustered together and used to back up the data in various ways).
- Load-balancing environments are clusters of servers arranged to share the load of user demand.
- Hot standby environments rely upon an identical server attached directly to the primary network server in order to immediately assume user demand in the event of a primary server failure.
- Cold-standby environments also consist of a secondary server to which data are frequently updated. In this case, however, the secondary server must be manually put into operation upon a failure of the primary server. One advantage of this option is that it removes the need to maintain identical servers with interlocking hardware.
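The "verify that your backups are written accurately" and "maintain a log of all backup dates, locations, and responsible personnel" items above, as an added example that is not from the original guide. It is a minimal Python backup job that copies a directory, checks every copy against a SHA-256 manifest of the originals, and appends a log record; the file names, operator name and temporary directories are constructed for the demonstration.

```python
"""Backup with write verification and an accountability log (added example)."""
import hashlib
import json
import os
import shutil
import tempfile
from datetime import datetime, timezone


def sha256_of(path):
    """Stream a file through SHA-256 and return the hex digest."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_backup(dest):
    """Re-hash each backed-up file against MANIFEST.json; return (ok, problems)."""
    with open(os.path.join(dest, "MANIFEST.json")) as f:
        manifest = json.load(f)
    problems = []
    for name, digest in manifest.items():
        path = os.path.join(dest, name)
        if not os.path.exists(path):
            problems.append(f"missing: {name}")
        elif sha256_of(path) != digest:
            problems.append(f"corrupt: {name}")
    return (not problems), problems


def run_backup(src_dir, dest_root, operator, log_path):
    """Copy the files in src_dir into a dated directory, verify, and log.

    The manifest records hashes of the ORIGINALS, so verification detects a
    copy that was written incorrectly, not just one damaged later.
    Returns (backup_dir, verified_ok).
    """
    stamp = datetime.now(timezone.utc).strftime("%Y%m%dT%H%M%SZ")
    dest = os.path.join(dest_root, stamp)
    os.makedirs(dest)
    manifest = {}
    for name in sorted(os.listdir(src_dir)):
        src = os.path.join(src_dir, name)
        if os.path.isfile(src):
            shutil.copy2(src, os.path.join(dest, name))
            manifest[name] = sha256_of(src)
    with open(os.path.join(dest, "MANIFEST.json"), "w") as f:
        json.dump(manifest, f, indent=1)
    ok, problems = verify_backup(dest)
    entry = {"date": stamp, "location": dest, "operator": operator,
             "verified": ok, "problems": problems}
    with open(log_path, "a") as log:           # one JSON record per line
        log.write(json.dumps(entry) + "\n")
    return dest, ok


def demo():
    """Constructed scenario in a temp dir: a good backup, then a simulated bad
    write is detected on re-verification. Returns (first_ok, ok_after, problems)."""
    root = tempfile.mkdtemp()
    src = os.path.join(root, "records")
    os.makedirs(src)
    for name, body in [("grades.csv", b"K-1001,math,88\n"), ("iep.txt", b"K-1001,active\n")]:
        with open(os.path.join(src, name), "wb") as f:
            f.write(body)
    log = os.path.join(root, "backup.log")
    dest, first_ok = run_backup(src, os.path.join(root, "backups"), "ops-staff", log)
    with open(os.path.join(dest, "grades.csv"), "r+b") as f:   # damage one copy
        f.write(b"X")
    ok_after, problems = verify_backup(dest)
    shutil.rmtree(root)
    return first_ok, ok_after, problems
```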
Store Information Properly:
- Apply recommended storage principles to both original and backup files alike: Backup files require the same levels of security as do the original files (i.e., if an original file is confidential, so is its backup).
- Clearly label disks, tapes, containers, cabinets, and other storage devices: Contents and sensitivity should be prominently marked so that there is less chance of mistaken identity.
- Segregate sensitive information: Never store sensitive information in such a way that it commingles with other data on CDs or other removable data storage media.
- Restrict handling of sensitive information to authorized personnel: Information, programs, and other data should be entered into, or exported from, the system only through acceptable channels and by staff with appropriate clearance.
- Write-protect important files: Write-protection limits accidental or malicious modification of files. Note that while write-protection is effective against some viruses, it is by no means adequate virus protection in itself.
- Communicate clearly and immediately about security concerns: Train staff to promptly notify the system administrator/security manager when data are, or are suspected of being, lost or damaged.
- Create a media library if possible: Storing backups and sensitive material in a single location allows for security to be concentrated (and perhaps even intensified). Note, however, that an on-site media library is not a substitute for off-site backup protection.
- Practice RAID (Redundant Array of Independent Disks) to allow data to be stored in different places on multiple hard drives: When using RAID, the following steps should be taken:
- Data files should be stored on separate logical drives consisting of a RAID-5 (striped set) array of physical devices.
- Transaction logs should be stored on, at least, a RAID-1 array (mirrored).
- Applications should be installed on either a mirror set (RAID-1) or striped set (RAID-5) and should be backed up when installed, changed, or updated.
- Operating systems (OS) should be installed on, at least, a RAID-1 array and be backed up when they are changed.
- OS, applications, and data should be stored on separate physical and logical drives (e.g., mirror set 0 to contain the system, mirror or striped set 1 to contain applications, striped set 2 to contain data).
- Consistent backups of data off site should be maintained.
- Robust network-attached storage (RAID-5) or storage area networks to maintain online or backup data should be used.
- Clustered server architecture should be considered if the information stored is "mission critical."
Dispose of Information in a Timely and Thorough Manner:
- Institute a specific information retention and disposal policy as determined by the organization's needs and legal requirements: All data have a finite life cycle. Consult local, federal, and state regulations for guidance before implementing the following:
- Establish a realistic retention policy.
- Mark files to indicate the contents, their expected life cycle, and appropriate destruction dates.
- Do not simply erase or reformat media, but overwrite it with random binary code. Sophisticated users can still access information even after it has been erased or reformatted, whereas overwriting actually replaces the discarded information.
- Consider degaussing (a technique to erase information on magnetic media by exposing it to a stronger magnetic field) as an erasure option.
- Burn, shred, or otherwise physically destroy storage media (e.g., paper) that cannot be effectively overwritten or degaussed.
- Clean CDs, tapes, disks, and hard drives that have stored sensitive data before reassigning them: Never share disks that have held sensitive data unless they have been properly cleaned. Also remember to clean magnetic storage media before returning it to a vendor for trade-ins or disposal.
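The "overwrite it with random binary code" and "clean media before reassigning" points above, as an added example that is not from the original guide. The Python routine overwrites a file in place with random bytes, forces each pass to disk, and checks that the original contents are gone before removing the file; the sample contents and the temporary file are constructed for the demonstration.

```python
"""Overwrite-before-reuse for a file on conventional magnetic storage (added example).

Caveat: on SSDs (wear levelling) and on journaling or copy-on-write file systems,
an in-place overwrite does not guarantee that older copies of the blocks are gone;
for such media the guide's degaussing or physical-destruction options apply.
"""
import os
import secrets
import tempfile

CHUNK = 1 << 16  # write random data in 64 KiB chunks


def overwrite_file(path, passes=3, unlink=True):
    """Replace every byte of `path` with fresh random data, `passes` times.

    Each pass is flushed and fsync'ed so the data reaches the device rather
    than sitting in a cache. Returns the total number of bytes written.
    """
    size = os.path.getsize(path)
    written = 0
    with open(path, "r+b") as f:
        for _ in range(passes):
            f.seek(0)
            remaining = size
            while remaining > 0:
                n = min(remaining, CHUNK)
                f.write(secrets.token_bytes(n))
                remaining -= n
                written += n
            f.flush()
            os.fsync(f.fileno())
    if unlink:
        os.remove(path)
    return written


def demo():
    """Constructed scenario: a record file is overwritten and its old contents
    checked to be absent before deletion. Returns (size, bytes_written, still_present)."""
    original = b"student K-1001, IEP active, guardian phone 555-0100\n" * 2000
    fd, path = tempfile.mkstemp()
    with os.fdopen(fd, "wb") as f:
        f.write(original)
    written = overwrite_file(path, passes=3, unlink=False)
    with open(path, "rb") as f:
        after = f.read()
    # A 32-byte slice of the original appearing in random data is negligible.
    still_present = original[:32] in after
    os.remove(path)
    return len(original), written, still_present
```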
Protecting Your System: Software Security
Saying that software is an integral part of your computer system is like saying that the steering wheel is an integral part of an automobile. It's an understatement if ever there was one. All the technological and mechanical muscle in the world is virtually useless without a way of controlling it, and software is precisely the means by which users control what they are doing on a computer system. Application software affects all areas of computing. It defines the concepts of word processing and spreadsheets, and allows for e-mail and other forms of electronic communication that have recently become so prevalent. Its security, therefore, is essential to the overall security of your information and system.
Because certain aspects of software security can become quite technical, administrators should work closely with technical staff throughout the policy-development process. Software security requires policies on software management, acquisition and development, and pre-implementation training. Unlike many personnel aspects of system security, appropriate software use requires that products and equipment match in a range of technical specifications. Policy-makers should, therefore, pay close attention to the advice of technical staff when considering software issues and generating policy. Software users (virtually anyone who turns on a computer) should also be surveyed about the types of software required to perform their jobs, the ways in which those pieces of software are used, and the kinds and amount of training that are necessary to properly prepare staff to meet their job requirements.
Software Threats (Examples)
Examples of software threats include:
- natural events (e.g., aging and dirty media)
- intentional acts of destruction (e.g., hacking, creation of computer viruses, and copyright infringement)
- unintentionally destructive acts (e.g., accidental downloading of computer viruses, losing instructions, and programming errors)
Software Security Countermeasures
The following countermeasures address software security concerns that could affect your site(s). These strategies are recommended when risk assessment identifies or confirms the need to counter potential breaches in the security of your software system.
The operating system (OS) is the underlying computer system on which application programs run. Choosing an OS is a critical decision that directly affects the security measures an agency must take. Some OSs are easy to use but less secure. Others are more complicated to maintain but when properly configured are virtually impenetrable. Whatever the choice, the system must be "hardened" (i.e., secured) by removing unneeded functions, restricting access, and tracking changes and processes.
The foundation of OS security is based on limiting access to network resources, such as centralized applications, files, directories, network printers, and other such components. Thus, staff should have network access only for the specific tasks related to their work. An appropriate policy for OS security is a baseline denial of access to all components by all personnel, with explicit access privileges granted on a case-by-case basis. User login credentials are used to identify user role(s) and can "describe" the user's access parameters to the OS.
Secure the Operating System (OS):
- Disable guest accounts: All users must be individually distinguishable.
- Change default passwords: Otherwise, any person who has ever worked with the operating system will know to try "administrator", "default", and "guest" in order to access the system.
- Mandate frequent user password updating: Note, however, that mandated activities only work when they are enforced (i.e., there must be consequences for non-compliance).
- Deny access by default: In other words, your standard is that all users must prove that they deserve access to the system, which shouldn't be a problem for authorized users.
- Restrict off-hour access: Why permit continuous or irregular access to staff who work a normal forty-hour week?
- Control system access based on groups, profiles, and policies: Doing so simplifies administration and allows administrators to assign users into the smallest possible groups, thereby eliminating unnecessary access to system resources.
- Establish separate administrator login procedures: Require administrator access through a login mechanism that is different than the normal user login routine.
- Allow only needed services and protocols to run on the network: Not every type of technology needs to run on an education organization system. Those that aren't necessary for achieving the organization's mission don't belong on the organization's equipment.
- Establish a firewall: Integrate TACACS+ or RADIUS authentication into the agency's firewall to avoid unauthorized Internet access. Also, enable firewall, virus, intruder detection, and network monitoring software.
Coordinate (and Centralize) Software Management:
- Centrally control all critical system software: (1) Know what programs are being added, deleted, and changed in your system; (2) control all additions, deletions, and modifications; and (3) take all necessary steps to ensure that new and old software work together appropriately (i.e., that they interface).
- Initiate formal testing and certification procedures for new/modified software: Require that any new or modified software be tested rigorously and certified as fully operational before releasing it for general use.
- Maintain a secure location for critical backup copies: Backups of any and all software, databases, and information that serve critical functions should reside in a secure location, ideally off-site, and be readily accessible as needed. Backups require the same level of protection as master files (i.e., if the files are designated as sensitive, treat the backups as sensitive as well). Periodically check that backups function as expected so that there aren't surprises if and when they are really needed.
- Secure master copies of software and associated documentation: If master copies and/or their instructions are lost, an entire system can be put in jeopardy. But while documentation must be protected, it must also be kept available to users who have legitimate questions about proper use of the software.
- Never lend or give proprietary software to unlicensed users: By definition, "proprietary software" means that it isn't yours to give away; someone else makes their living by selling it.
- Tolerate nothing but licensed and organizationally approved software on workplace equipment: Games are fun and software from home can sometimes be useful, but they have no place on organizational equipment unless explicitly authorized.
- Monitor software use (and hard drive inventories) to counter possible copyright infringement: Unlicensed software on organizational equipment puts the entire organization at risk for fines and other penalties stemming from copyright violations. Software inventories should include the name of the manufacturer, version number, assigned computer (as applicable), and function.
- Permit only authorized personnel to install software: In this way you know exactly what software is being introduced to your system and that it is being installed properly.
- Train staff on software use and security policies: The best designed software for manipulating information is useless if staff are unable to use it properly.
Regulate Software Acquisition and Development:
- Define security needs before purchasing or developing new software: After identifying your needs through a risk assessment, the findings should be used as the criteria by which you select appropriate software products.
- Conduct design reviews throughout the development process: Continued feedback from anticipated users during development ensures that the product will satisfy functional specifications and security requirements.
- Require written authorization before anyone tampers with software: Any modification of software requires a paper trail of what, why, and under whose auspices code was altered.
- Modify archived copies of software (not the copy that is up and running on the system): By doing so, you can be sure that you are not putting active applications and files at risk. Once the modified copy passes testing and is certified as operational, then and only then should it be loaded onto the system for use with "live" data.
- Require that all software developed or modified by a programmer be reviewed by a second, independent programmer: This review should verify that all code is appropriate and correct.
- Maintain master files of all developed software independent of the programmer: Software belongs to the organization, not the programmer. By controlling all original copies, the organization clearly guarantees this ownership.
- Require documentation for all new or revised programming: Requisite documentation includes the name of the developer, the name of the programming language, the development date, the revision number, and the location of the master copy (i.e., the source code).
- Verify authenticity of public programs: If software downloaded from the Internet must be used with sensitive information, check for a digital signature to verify its authenticity.
(some bullets adapted from Census Handbook for Information Technology Security)
Thoroughly Test Newly Acquired and Developed Software:
- Specifically search for common types of computer viruses: Have technical staff members check for common viruses such as Trojan Horses and worms.
- Verify that all software user functions are working properly before putting the software into operation: Check that new software meets anticipated user needs, current system requirements, and all organizational security standards. This recommendation is also applicable when upgrading software.
- Back up old files before installing new software and software upgrades: Don't risk the latest copies of your files/records until you're certain that your new versions are up and running properly.
- Never test application software with "live" data: Don't risk losing real information if the software doesn't pass the test. Instead, verify software integrity with dummy files and/or copies of non-sensitive files.
- Test on independent machines: Initial software testing should never occur on computers that are connected to the system. By maintaining a separate test environment, the entire system is not at risk if the software malfunctions.
- Run existing and upgraded versions of software in parallel during final testing phases: By running the old software at the same time as the new and improved software, you can verify that the new versions generate the same or better results than the existing system.
Because new products are bound to have their share of kinks, the "cutting edge" of software is often referred to only half-jokingly as its "bleeding edge." Bleeding edge software should be avoided for mission-critical activities.
Avoid the "ohnosecond": that fraction of a second in which computer users realize that they have just made a huge mistake with their data.
(adapted from The Electronic Traveller by Elizabeth P. Crowe)
Protecting Your System: User Access Security
User access security refers to the collective procedures by which authorized users access a computer system and unauthorized users are kept from doing so. To make this distinction a little more realistic, however, understand that user access security limits even authorized users to those parts of the system that they are explicitly permitted to use (which, in turn, is based on their "need-to-know"). After all, there is no reason for someone in food services or staff payroll to be given clearance to confidential student testing data.
A person with a “need-to-know” has been designated by school officials as having a legitimate educational or professional interest in accessing a record. Never include the word “Welcome” as a part of the login process—it can be argued that it implies that whoever is reading the word is, by definition, invited to access the system.
An excellent way of properly informing users of monitoring activities is through the opening screen that is presented to them. By reading a warning like the one that follows, users explicitly accept both the conditions of monitoring and punishment when they proceed to the next screen. Thus, the first screen any user sees when logging into a secure computer system should be something to the following effect:
W A R N I N G !
This is a restricted network. Use of this network, its equipment, and resources is monitored at all times and requires explicit permission from the network administrator. If you do not have this permission in writing, you are violating the regulations of this network and can and will be prosecuted to the full extent of the law. By continuing into this system, you are acknowledging that you are aware of and agree to these terms.
User access security demands that all persons (or systems) who engage network resources be required to identify themselves and prove that they are, in fact, who they claim to be. Subsequently, user access is limited to those files that are absolutely needed to meet the requirements of the job, and no more. To accomplish this, decision-makers must establish policies regulating user account systems, user authentication practices, login procedures, physical security requirements, and remote access mechanisms.
User Access Threats (Examples)
Examples of user access threats include:
- intentional acts (e.g., shared user accounts, hacking, and user spoofing or impersonating)
- unintentional acts (e.g., delayed termination of inactive accounts, unprotected passwords, and mismanaged remote access equipment)
User Access Security Countermeasures
The following countermeasures address user access security concerns that could affect your site(s) and equipment. These strategies are recommended when risk assessment identifies or confirms the need to counter potential user access breaches in your security system.
Trust simply is not an acceptable security strategy.
Implement a Program in Which Every User Accesses the System by Means of an Individual Account:
- Limit user access to only those files they need to do their jobs: Providing access that is not needed greatly contributes to risk without a corresponding increase in benefit. Why bother?
- Avoid shared accounts: Individual activity cannot be differentiated unless there are individual accounts.
- Secure the user account name list: Because of its importance to system security, the user account list should be confidential and never made public. Give strong consideration to storing it as an encrypted file.
- Monitor account activities: Keep a record of all system use (many systems perform this function through an audit trail feature).
- Terminate dormant accounts after a pre-set period of inactivity (e.g., 30 days): Legitimate users can always reapply and reestablish their accounts.
Require Users to "Authenticate" Themselves in Order to Access Their Accounts (i.e., make sure that they prove that they are who they are representing themselves to be):
- Select an authentication system: The right choice for an authentication system depends on the needs of the organization and its system, and should be based on the findings of a risk assessment. Note that the following options progress from least secure to most secure, as well as (not surprisingly), least expensive to most expensive:
- something the user knows (e.g., a password)
- something the user has (e.g., an electronic key card)
- something the user is (e.g., biometrics: fingerprinting, voice recognition, and hand geometry)
A Special Note on Passwords
Because passwords are the most common method of user authentication, they deserve special attention:
- Require that passwords be at least six characters in length (although eight to ten are preferable).
- Prohibit the use of passwords that are words, names, dates, or other commonly expected formats.
- Forbid the use of passwords that reflect or identify the account owner (e.g., no birth dates, initials, or names of pets).
- Require a mix of characters, including symbols (i.e., letters/numbers/symbols and upper/lower case if the system is case sensitive).
One way to effectively create apparently random passwords that can be memorized easily is to use the first letter of each word in a favorite quote, capitalize every other letter, and add a number and symbol. For example, “I pledge allegiance to the flag of the…” becomes the password “IpAtTfOt3*.”
- Require the system administrator to change all pre-set passwords that are built into software (e.g., "supervisor", "demo", and "root").
- Systematically require passwords to be changed at pre-set intervals (e.g., once per month).
- Maintain zero-tolerance for password sharing.
- Forbid unsecured storage of personal passwords (e.g., they should not be written on a Post-It note and taped to the side of a monitor).
- Never send a password as a part of an e-mail message.
- Warn users not to type their password when someone may be watching.
- Mask (or otherwise obscure) password display on the monitor as users type it in.
- Remind users that it is easy to change passwords if they think that theirs may have been compromised.
- Maintain an encrypted history of passwords to make sure that users are not simply recycling old passwords when they should be changing them.
- Monitor the workplace to ensure that all regulations are being followed.
- Provide a password help system for users who may have forgotten their password.
Recognize that there are tradeoffs associated with making passwords more difficult to remember than a pet’s name or a person’s initials (e.g., staff are more likely to forget or write down password reminders).
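The password rules above (minimum length, no words or dates, nothing that identifies the owner, mixed character classes, an encrypted history against recycling) together with the first-letter quote trick, as an added Python example; this is not code from the guide, and the owner details, the short common-word list and the hashing salt are constructed for illustration.

```python
import hashlib
import re
from datetime import date

# Constructed stand-in for a dictionary of commonly expected words.
COMMON_WORDS = {"password", "welcome", "school", "admin", "letmein", "summer"}

# Constructed account owner, used to reject passwords that identify the owner.
OWNER = {
    "name": "Elizabeth Crowe",
    "initials": "EPC",
    "birth_date": date(1970, 3, 14),
    "pet": "Rex",
}


def mnemonic_from_quote(quote, suffix="3*"):
    """Take the first letter of each word, capitalize every other letter,
    and append a number and symbol, as the guide's quote trick describes."""
    initials = [word[0] for word in re.findall(r"[A-Za-z]+", quote)]
    mixed = [c.upper() if i % 2 == 0 else c.lower() for i, c in enumerate(initials)]
    return "".join(mixed) + suffix


def personal_tokens(owner):
    """Strings that would reflect or identify the account owner."""
    tokens = set(owner.get("name", "").split())
    tokens.add(owner.get("initials", ""))
    tokens.add(owner.get("pet", ""))
    birthday = owner.get("birth_date")
    if birthday:
        for fmt in ("%Y", "%m%d", "%m%d%y", "%m%d%Y", "%d%m%y"):
            tokens.add(birthday.strftime(fmt))
    # Very short tokens would match almost anything, so ignore them.
    return {t.lower() for t in tokens if len(t) >= 3}


def check_password(password, owner, case_sensitive=True):
    """Return a list of policy violations; an empty list means the password passes."""
    problems = []
    if len(password) < 6:
        problems.append("shorter than six characters")
    lowered = password.lower()
    if lowered in COMMON_WORDS or lowered.isalpha():
        problems.append("is a word or name")
    if re.fullmatch(r"\d{6,8}|\d{1,2}[/.-]\d{1,2}[/.-]\d{2,4}", password):
        problems.append("looks like a date")
    for token in sorted(personal_tokens(owner)):
        if token in lowered:
            problems.append(f"contains personal detail {token!r}")
    has_letter = any(c.isalpha() for c in password)
    has_digit = any(c.isdigit() for c in password)
    has_symbol = any(not c.isalnum() for c in password)
    if not (has_letter and has_digit and has_symbol):
        problems.append("needs a mix of letters, numbers, and symbols")
    if case_sensitive and not (
        any(c.isupper() for c in password) and any(c.islower() for c in password)
    ):
        problems.append("needs both upper- and lower-case letters")
    return problems


def password_digest(password, salt="constructed-site-salt"):
    """Digest kept in the password history instead of the password itself."""
    return hashlib.sha256((salt + password).encode()).hexdigest()


def is_recycled(password, history):
    """True if the candidate matches any digest in the stored history."""
    return password_digest(password) in history


if __name__ == "__main__":
    candidate = mnemonic_from_quote("I pledge allegiance to the flag of the")
    print(candidate, check_password(candidate, OWNER))  # IpAtTfOt3* []
    print(check_password("rex0314", OWNER))
    print(is_recycled(candidate, {password_digest("IpAtTfOt3*")}))  # True
```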
Establish Standard Account and Authentication Procedures (known as login procedures):
- Limit users to acceptable login times: There is no reason for an average day-shift employee to be able to access the system in the middle of the night.
- Limit users to acceptable login locations: There is no reason for an average employee with a computer on his or her desk to access the system from his or her supervisor's desk.
- Set reasonable limits to the number of allowable login attempts: Enable the system to assume that anyone who can't enter a password correctly after three attempts may, in fact, not be who they say they are. Allow users more than one or two attempts or else they might make mistakes simply because they are worried about getting shut out. After three incorrect attempts, the account should be suspended (to prevent an intruder from simply calling back and trying three more times). Legitimate users can always have their accounts reopened by contacting the security manager.
- Require staff to log off the system and turn off the computer: The last important step of logging on properly is logging off properly. Users should log off every time they leave their workstations (e.g., for lunch, breaks, and meetings). After all, an unauthorized user has free rein to an authorized user's access when a computer is left unattended and logged into the system.
Some intruders may employ “password dictionaries” that, quite literally, try to match passwords one word at a time for thousands or even millions of attempts!
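The login rules above (acceptable times, acceptable locations, three attempts and then suspension until the security manager reopens the account, with every attempt recorded for the audit trail) as an added Python example that is not part of the original guide; the account, workstation names, fixed clock and hashing salt are constructed.

```python
import hashlib
import hmac
from dataclasses import dataclass
from datetime import datetime, time

MAX_ATTEMPTS = 3  # the guide's "three attempts, then suspend" rule


def password_digest(password, salt="constructed-site-salt"):
    """Salted digest stored instead of the password (constructed salt)."""
    return hashlib.sha256((salt + password).encode()).hexdigest()


@dataclass
class Account:
    digest: str
    login_window: tuple   # (earliest, latest) acceptable time of day for logins
    allowed_hosts: set    # workstations this user may log in from
    failed_attempts: int = 0
    suspended: bool = False


class LoginGate:
    """Applies login-time, login-location and attempt-limit rules in order."""

    def __init__(self, accounts):
        self.accounts = accounts
        self.audit = []  # (timestamp, user, host, result) records for the audit trail

    def attempt(self, user, password, host, when):
        result = self._decide(user, password, host, when)
        self.audit.append((when.isoformat(), user, host, result))
        return result

    def _decide(self, user, password, host, when):
        acct = self.accounts.get(user)
        if acct is None:
            return "denied: unknown account"
        if acct.suspended:
            return "denied: account suspended, contact the security manager"
        earliest, latest = acct.login_window
        if not earliest <= when.time() <= latest:
            return "denied: outside acceptable login times"
        if host not in acct.allowed_hosts:
            return "denied: unapproved login location"
        if hmac.compare_digest(password_digest(password), acct.digest):
            acct.failed_attempts = 0
            return "granted"
        acct.failed_attempts += 1
        if acct.failed_attempts >= MAX_ATTEMPTS:
            acct.suspended = True  # stays suspended until reopened by a person
            return "denied: suspended after three failed attempts"
        remaining = MAX_ATTEMPTS - acct.failed_attempts
        return f"denied: wrong password, {remaining} attempt(s) left"

    def reopen(self, user):
        """Security manager reinstates a suspended account."""
        acct = self.accounts[user]
        acct.suspended = False
        acct.failed_attempts = 0


def at(hour, minute=0):
    """Constructed clock: a fixed weekday at the given time of day."""
    return datetime(2024, 5, 6, hour, minute)


def demo_gate():
    """Constructed day-shift account used by the usage call below."""
    accounts = {
        "jdoe": Account(
            digest=password_digest("IpAtTfOt3*"),
            login_window=(time(7, 0), time(18, 0)),
            allowed_hosts={"ws-room104"},
        )
    }
    return LoginGate(accounts)


if __name__ == "__main__":
    gate = demo_gate()
    print(gate.attempt("jdoe", "IpAtTfOt3*", "ws-room104", at(2)))
    print(gate.attempt("jdoe", "IpAtTfOt3*", "ws-supervisor", at(12)))
    for guess in ("bad1", "bad2", "bad3"):
        print(gate.attempt("jdoe", guess, "ws-room104", at(12)))
    print(gate.attempt("jdoe", "IpAtTfOt3*", "ws-room104", at(12)))
    gate.reopen("jdoe")
    print(gate.attempt("jdoe", "IpAtTfOt3*", "ws-room104", at(12)))
    for record in gate.audit:
        print(record)
```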
Recognize that Routine Physical Security Plays an Important Role in User Access Management:
- Protect every access node in the system: An "access node" is a point on a network through which you can access the system. If even one such point is left unsecured, then the entire system is at risk. A good example of frequently forgotten access nodes are modular network plugs that are often built into conference rooms (into which portable computers can be plugged). If unauthorized users can get to such a node with a laptop, they are in position to attack the system.
- Protect cables and wires as if they were access nodes: If a sophisticated intruder can access a span of cable that is used as a connector between pieces of equipment, he or she may be able to access the entire system. Physically accessing the wiring is referred to as "tapping the line." High-end equipment can monitor electrical emanations (known as Radio Frequency Interference) from wiring without even physically touching the cable.
- Disconnect floppy drives from servers: A sophisticated intruder can boot-up (the technical term for "starting the system") from an external disk drive.
- Install screen savers (with mandatory locking features): Prevent information from being read by anyone who happens to be walking past the display monitor.
Pay Particular Attention to Remote Access Systems (i.e., when someone, including an authorized user, accesses your system from off-site via a modem):
- Consider requiring pre-approval for remote access privileges: An identified subset of employees is more manageable to monitor than any random person who calls into the system.
- Remind staff that remote access is particularly subject to monitoring activities: Increased risk requires increased vigilance.
- Set modems to answer only after several rings: An authorized user will know that he has dialed a "slow" modem and will therefore be willing to wait. A random-dialer looking to bump into modems may not be so patient.
- Use a "call back" communication strategy with remote access users: Once users call in and properly identify themselves, the connection is dropped and the system then calls back the authorized users at a pre-approved access location.
- Use software that requires "message authentication" in addition to "user authentication": Even if a user can provide the right password, each message sent and received must have its delivery verified to ensure that an unauthorized user didn't interrupt the transmission.
- Never transmit sensitive information over public telephone lines unless the transmission has first been encrypted: Unless a line can be verified as secure, it must be considered to be susceptible to tampering.
- Investigate security features of external networks to which the system connects: The Internet and other networks are not just things your staff can access and browse; they are two-way lines of communication. If security cannot be verified, then additional precautions must be taken (e.g., gateways and firewalls).
- Install firewalls on your system at external access points: A firewall is by far the most common way to secure the connection between your network and outside networks. It works by allowing only trusted (authenticated) messages to pass into your internal network from the outside. See Network (Internet) Security for more information.
- Never list access procedures publicly: Why advertise what authorized users should already know?
- Disable modems when not in use: No need to provide a viable line of access to and from the system unless it's necessary.
- Never leave a modem on automatic answer mode: Such a practice opens the door to unauthorized and unsupervised system access.
- Permit modem use only from secure locations: Never allow a modem to be connected to a system machine that is not itself protected by a firewall or gateway.
- Grant Internet access only to those users who need it: A student might need the Internet for legitimate learning purposes, but a staff assistant may not.
- Remind students and staff that the Internet (and all system activity for that matter) is for approved use only: There are countless Internet sites and activities that have no positive influence on the education environment. They have no place on the system.
- Require all users to sign Appropriate Use Agreements before receiving access to the system: Signed Security Agreements verify that users have been informed of their responsibilities and understand that they will be held accountable for their actions.
Don’t feel that you need to understand how all security technology operates. Know what needs to be in place, and then trust your technical staff to make it work properly.
Protecting Your System: Network (Internet) Security
Interest in the development of school websites continues to grow as more students, teachers, and community members become technology-literate. The community wants to know what is going on in its schools, and parents want to keep track of the academic progress of their children. Thus, it may not be surprising that network security, especially as it relates to the biggest network of all, the Internet, has emerged as one of today's highest-profile information security issues. Education institutions must weigh the costs and benefits of opening a connection between their private networks (with their trusted users) and the unknown users and networks that compose the Internet.
Be realistic! Recognize that as beneficial as the Internet can be for gathering resources, not everyone on it has your best interests in mind. When you don’t know who is accessing your network, you also don’t know their intentions or level of technical expertise—thus, choosing to connect to the Internet has a significant effect on your risk assessment.
Connecting to the Internet doesn't necessarily raise its own security policy issues as much as it focuses attention on the necessity of implementing security strategies properly. Internet security goals fall within three major domains. The first centers on protecting your networks, information, and other assets from outside users who enter your network from the Internet. The second deals with safeguarding information as it is being transmitted over the Internet. And, finally, the last deals with maintaining network reliability.
See Appendix C for guidance concerning what information should and should not be posted to the Internet on, for example, a school's webpage.
If your brand-name operating systems, hardware, or software have any known security weakness built in, someone on the Internet will know about it. The Computer Emergency Response Team (CERT) Website and comparable sites monitor weaknesses in computer software and post corrections. You should watch these sites; after all, hackers do.
Network Threats (Examples)
Examples of network threats include:
- intentional acts of destruction (e.g., address spoofing and masquerading)
- unintentionally destructive acts (e.g., accidental downloading of computer viruses and improper release of information)
Network Security Countermeasures
Because the Internet is relatively new, it isn't surprising that its standards and conventions are still being established and agreed upon. Consequently, it also shouldn't be surprising that existing mechanisms for governing information exchanges are varied, not uniformly implemented, and, in many cases, not interoperable. Thus, it is only fair to admit that although the following countermeasures will greatly increase Internet security, more sophisticated and robust solutions remain on the horizon.
One basic step an organization can take toward maintaining a secure and reliable network is to hire and support a qualified individual to serve as the network administrator. Network administration is not a task for the high school teacher/technology coordinator who has a host of other responsibilities to deal with each day. Many organizations, however, cannot afford to hire an experienced network administrator for each school and often do rely on faculty for this position. If a teacher/coordinator is to be responsible for a school network, the organization must recognize that the balance of the person's workload should reflect these added responsibilities and that adequate training and professional development must be priorities. The responsibilities of a network administrator are, for the most part, very technical in nature. This reinforces the point that training is critical for anyone with the responsibility of running a network.
Support Your Network Administrator:
- Assign one individual to be responsible for network administration (and one individual as his/her backup).
- Limit access to network equipment console screens by login credentials (either on the piece of network equipment or using an authentication server).
- Regulate access to Telnet sessions on network equipment through access lists and/or authorized workstations where only authorized users have access.
- Limit protocols running on the network equipment.
- Configure login banners to warn intruders of possible prosecution.
- Use firewalls to prevent unauthorized access between external and internal systems.
- Use unroutable IP addressing schemes within the internal network [Class A - 10.0.0.0-10.255.255.255 (10/8 prefix), Class B - 172.16.0.0-172.31.255.255 (172.16/12 prefix), Class C - 192.168.0.0-192.168.255.255 (192.168/16 prefix)].
- Utilize intrusion detection systems (IDS).
- Inspect, analyze, and maintain router audit logs.
- Provide ingress and egress access control list (ACL) filtering to prevent IP spoofing.
- Eliminate unauthorized network resource use by:
- monitoring network traffic and bandwidth usage and protocols to ensure adequate bandwidth for applications
- removing the ability to download unauthorized files
- restricting remote network access to authorized individuals via dial-up connections, virtual private networks (VPN), and Point-to-Point Protocol (PPP)
- implementing a multiple-authentication policy for authorized users (or by integrating transactions through an authentication server)
- eliminating any "back-door" types of equipment (e.g., user modems installed on desktops)
- maintaining proper encryption of remote connections to ensure confidentiality
- using virtual private networks (VPN) technology with proper encryption to gain connectivity through the public networks such as the Internet
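Ingress and egress filtering against the unroutable ranges listed above, as an added Python example rather than router configuration from the guide; the agency's public block (198.51.100.0/24), its internal range (10.20.0.0/16) and the sample packets are constructed, using the reserved documentation address ranges.

```python
import ipaddress

# The three unroutable ranges the guide lists for internal addressing.
PRIVATE_NETS = [
    ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")
]
# Constructed: the public block the agency owns (documentation range).
ORG_PUBLIC = ipaddress.ip_network("198.51.100.0/24")
# Constructed: the private range actually used inside the agency.
ORG_INTERNAL = ipaddress.ip_network("10.20.0.0/16")


def _in_any(addr, nets):
    return any(addr in net for net in nets)


def ingress_decision(src, dst):
    """Inbound packet arriving at the border from the Internet.
    Returns (action, reason)."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if _in_any(src, PRIVATE_NETS):
        return "drop", "private (unroutable) source cannot legitimately come from outside"
    if src in ORG_PUBLIC:
        return "drop", "packet claims one of our own public addresses (spoofed)"
    if src.is_loopback or src.is_multicast or src.is_unspecified:
        return "drop", "loopback, multicast or unspecified source"
    if dst not in ORG_PUBLIC:
        return "drop", "destination is not one of our addresses"
    return "permit", "external source, destination is ours"


def egress_decision(src, dst):
    """Outbound packet leaving the border toward the Internet.
    Internal (10.20/16) sources are permitted because NAT at the border
    translates them; anything else would be an internal host spoofing."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if not (src in ORG_PUBLIC or src in ORG_INTERNAL):
        return "drop", "source is not ours; an internal host would be spoofing"
    if dst in ORG_INTERNAL:
        return "drop", "destination is internal and should never leave the border"
    return "permit", "source is ours, destination is external"


def apply_acl(packets):
    """Run each (direction, src, dst) tuple through the matching ACL and
    return (direction, src, dst, action, reason) records for the router log."""
    decisions = []
    for direction, src, dst in packets:
        decide = ingress_decision if direction == "in" else egress_decision
        decisions.append((direction, src, dst) + decide(src, dst))
    return decisions


# Constructed sample traffic at the border router.
SAMPLE_PACKETS = [
    ("in", "203.0.113.7", "198.51.100.10"),     # ordinary visitor to the web server
    ("in", "10.20.1.5", "198.51.100.10"),       # private source from outside: spoofed
    ("in", "198.51.100.10", "198.51.100.20"),   # our own address arriving from outside
    ("out", "10.20.1.5", "203.0.113.7"),        # internal host to the Internet (pre-NAT)
    ("out", "192.0.2.44", "203.0.113.7"),       # internal host spoofing a foreign address
]

if __name__ == "__main__":
    for record in apply_acl(SAMPLE_PACKETS):
        print(record)
```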
Ensure Network Reliability:
- Design redundant network architecture: Where it is possible, consider introducing planned redundancy to both local area network (LAN) and wide area network (WAN) architectures during the design phase. The organization should select redundant service providers that use separate infrastructures. Some specific redundancies that can be built into the network apply to:
- the local loop for WAN connectivity
- switch management modules with redundant connections
- power sources for network equipment backed up by monitored UPS systems
- power supplies in network equipment
- network administration (supervisor) modules in network equipment
- cabling, as required in conduits, ducts, or poles
Protect Your Network from Outsiders:
- Isolate your network through the use of a firewall: Installing a firewall enables the organization to decide which types of messages should be allowed into the system from external sources (e.g., "nothing with identifiable virus coding" or "nothing with decryptor coding structures"). The actual installation and operation of the complex features requires expert technical assistance, but policy-makers can make informed decisions about product features all the same. (See Figure 5.1)
- Install an Intrusion Detection System (IDS): Your IDS should enable port monitoring outside the agency's firewall, review intrusion detection system log files daily, and configure blocking on the router (e.g., "black hole routing" of unwanted data) to head off severe hacking attempts. Also, upon detection of an intruder, the IDS should automatically contact the organization that owns the address of the attacking IP address. Tools such as nslookup, traceroute, and the following websites can help identify the owners of the IP address space from which an attack originated: http://www.arin.net, http://www.netsol.com/cgi-bin/whois/whois, and http://www.internic.org/whois.html.
- Locate equipment and information that is intended for external users outside of the firewall: If an organization's web server is intended to provide information and services to the public, it should not be located on the private side of the firewall. Nor should it be able to access confidential information that resides inside the firewall. This way, if the public web server should ever be compromised, confidential information is still protected.
Protect Transmissions Sent over the Internet:
- Use Secure Sockets Layer (SSL) Servers to secure financial and information transactions made with a web browser: In a secure web session, your browser generates a random encryption key and sends it to the website host to be matched with its public encryption key. Your browser and the website then encrypt and decrypt all transmissions.
- Authenticate messages through the use of digital signatures: A digital signature amounts to a "fingerprint" of a message. It depicts the message such that if the message were to be altered in any way, the "fingerprint" would reflect it, thus making it possible to detect counterfeits. The converse, of course, is that if the "fingerprint" does not change during transmission, you can be confident that the message was not altered.
- Authenticate messages through the use of time stamps or sequence numbers: Another way to recognize when messages have been modified is to challenge the "freshness" of the message. This is done by embedding time stamps, sequence numbers, or random numbers in the message to indicate precisely when and in what order the message was sent. If a received message's time and sequence are not consistent, you will be alerted that the transmission may have been tampered with.
- Authenticate message "receivers" through the use of digital certificates: By requiring an authentication agent or digital certificate, you force the person on the other end of the transmission to prove his or her identity. In the digital world, trusted third parties can serve as certificate authorities, entities that verify who a user is. In this way, digital certificates are analogous to a state-issued driver's license. If you trust the party that issues the certificate (e.g., the state or the certificate authority), then you don't need to try to verify who the user is yourself.
- Encrypt all messages sent over the Internet: As more and more messages are sent over larger and larger networks, information becomes increasingly vulnerable to assault. Encryption has become a leading tool to combat this vulnerability. Like other countermeasures, it can be very effective if used properly and regularly.
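The "fingerprint" and freshness checks above, combined in one added Python example that is not from the original guide; an HMAC under a shared key (standard library only) stands in for a public-key digital signature, and the key, the freshness window and the sample messages are constructed.

```python
import hashlib
import hmac

# Constructed shared secret; in practice it would be distributed out of band.
SHARED_KEY = b"constructed-demo-key-do-not-reuse"
FRESHNESS_WINDOW = 30  # seconds a message may be in flight before it is considered stale


def fingerprint(key, seq, timestamp, body):
    """HMAC-SHA256 over sequence number, timestamp and body: the message 'fingerprint'.
    Any change to any of the three fields changes the result."""
    material = f"{seq}|{timestamp}|{body}".encode()
    return hmac.new(key, material, hashlib.sha256).hexdigest()


class Sender:
    def __init__(self, key):
        self.key = key
        self.seq = 0

    def send(self, body, now):
        """Build a message carrying its sequence number, timestamp, body and fingerprint."""
        self.seq += 1
        return {
            "seq": self.seq,
            "ts": now,
            "body": body,
            "tag": fingerprint(self.key, self.seq, now, body),
        }


class Receiver:
    def __init__(self, key, window=FRESHNESS_WINDOW):
        self.key = key
        self.window = window
        self.last_seq = 0  # highest sequence number accepted so far

    def accept(self, msg, now):
        """Return (accepted, reason). The fingerprint is verified first so that
        the seq and ts fields are only trusted once they are known to be genuine."""
        expected = fingerprint(self.key, msg["seq"], msg["ts"], msg["body"])
        if not hmac.compare_digest(expected, msg["tag"]):
            return False, "fingerprint mismatch: message altered or not from the key holder"
        if abs(now - msg["ts"]) > self.window:
            return False, "stale timestamp: possible replay or delayed delivery"
        if msg["seq"] <= self.last_seq:
            return False, "sequence number not fresh: replayed or out of order"
        self.last_seq = msg["seq"]
        return True, "authentic and fresh"


if __name__ == "__main__":
    sender, receiver = Sender(SHARED_KEY), Receiver(SHARED_KEY)
    msg = sender.send("grade report for student 1 (constructed)", now=1000)
    print(receiver.accept(msg, now=1005))                       # accepted
    print(receiver.accept(msg, now=1006))                       # replay rejected
    altered = dict(msg, body="grade report for student 1 (altered)")
    print(receiver.accept(altered, now=1006))                   # tampering rejected
```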
A Special Note on Wireless Networks
Wireless communication is a rapidly evolving technology that is becoming increasingly prevalent in everyday life. The built-in security for wireless computer networks, however, is relatively weak. Technology coordinators need to pay particular attention to secure these networks properly, and the network administrator must keep up-to-date on emerging methods for securing wireless networks. Some security measures to consider when planning a wireless network include:
- Shut off the service set identifier (SSID) broadcasting and use an SSID that does not identify the agency by name.
- Select a hardware vendor and software revision that has addressed the problem of randomization of initialization vectors (IVs).
- Utilize applications like airsnort or bsd-airtools to test whether the agency's wired equivalent privacy (WEP) keys can be cracked, and favor equipment that such tools are less likely to crack.
- Use 128-bit WEP and change WEP keys regularly. Select a vendor that provides a tool to rotate the agency's WEP keys.
- Disallow access to resources at the first router hop other than the organization's VPN server, which ensures that the only host available to the wireless segment is the VPN server until a tunnel is established.
- Place wireless access points on a dedicated virtual local area network (VLAN) and do not mix wired and wireless clients on the same LAN segment.
- Implement a policy that limits the amount of connectivity a wireless client has to the agency's network before assessing whether students, faculty, and staff need more access than TCP/80 (i.e., transmission control protocol/80), TCP/443, etc.
- Utilize personal firewalls on the agency's workstations.
- Disable automatic IP address assignment (DHCP).
Alexander, M. (1996). The Underground Guide to Computer Security. Reading, MA: Addison-Wesley Publishing Company.
Cobb, S. (1996). The NCSA Guide to PC and LAN Security. New York, NY: McGraw-Hill, Inc.
Idaho State University, Department of Computer Information Systems. (1988). Information Security Modules. Unpublished presentations from a U.S. Department of Defense-sponsored workshop.
National Security Agency, Information Systems Security Organization. Computer Security in a Networked Society (Training Brief). Presented at the National Center for Education Statistics' Summer Data Conference, July 1996.
Strang, D. and Moon, S. (1993). Network Security Secrets. San Mateo, CA: IDG Books Worldwide, Inc.
U.S. Bureau of the Census. (1996). Handbook for Information Technology Security. Unpublished internal use document.
U.S. Department of Commerce. (1975). Computer Security Guidelines for Implementing the Privacy Act of 1974. Washington, DC: Government Printing Office.