Skip Navigation
small NCES header image
Chapter 1 Chapter 2 Chapter 3 Chapter 4 Chapter 5 Chapter 6 Chapter 7 Chapter 8 Chapter 9 Chapter 10
Table of Contents Glossary of Terms
    CHAPTER 8
Protecting Your System:
User Access Security
 
 
Illustration of the Cover of Safeguarding Your Technology
   
CHAPTER 8 IN A NUTSHELL:

Introduction to User Access Security
Commonly Asked Questions
Policy Issues
User Access Security Countermeasures
User Access Security Checklist


A person with a "need-to-know" has been designated by school officials as having a legitimate educational or professional interest in accessing a record.


 


Introduction to User Access Security

User access security refers to the collective procedures by which authorized users access a computer system and unauthorized users are kept from doing so. To make this distinction a little more realistic, however, understand that user access security limits even authorized users to those parts of the system that they are explicitly permitted to use (which, in turn, is based on their "need-to-know"). After all, there is no reason for someone in Staff Payroll to be given clearance to confidential student records.

   


It Really Happens!

Kim approached Fred cautiously. As the security manager, she knew how important it was to gather information completely before jumping to conclusions. "Fred, my review of our computer logs shows that you have been logging in and looking at confidential student information. I couldn't understand why someone in Food Services would need to be browsing through individual student test scores, so I thought I'd come by and ask you."

Fred looked up at Kim as he if was surprised to be entertaining such a question. "Are you forgetting that I'm authorized to access student records?"

"You're authorized to access specific elements that relate to a student's free- and reduced-price lunch eligibility," Kim clarified. "That's the limit of your need-to-know."

"I didn't know that my access was limited," Fred asserted honestly. "I figured that if my password got me into a file, it was fair game."

Kim paused, realizing that it might be reasonable for Fred to have assumed that he was allowed to read a file if his password gave him access. "Hmm, I see your point, Fred, but in truth you shouldn't be accessing student record information that isn't related to your legitimate educational duties. I'm not going to make a big deal of it this time, but from now on, limit your browsing to the free- and reduced-price lunch information. In the meantime, I'm going to send a memo out to staff reminding them what need-to-know really means."

"And you might want to reconsider how our password system works," Fred added. "It would have been very clear to me that I had no business in a file if my password wouldn't get me in."


An organization cannot monitor user activity unless that user grants implicit or explicit permission to do so!



   
While there is no question that an organization has the right to protect its computing and information resources through user access security activities, users (whether authorized or not) have rights as well. Reasonable efforts must be made to inform all users, even uninvited hackers, that the system is being monitored and that unauthorized activity will be punished and/or prosecuted as deemed appropriate. If such an effort is not made, the organization may actually be invading the privacy rights of its intruders!

An excellent way of properly informing users of monitoring activities is through the opening screen that is presented to them. By reading a warning like the one that follows, users explicitly accept both the conditions of monitoring and punishment when they proceed to the next screen. Thus, the first screen any user sees when logging into a secure computer system should be something to the following effect:


Never include the word "Welcome" as a part of the log-in process--it can be argued that it implies that whoever is reading the word is, by definition, invited to access the system.

 


W A R N I N G !
This is a restricted network. Use of this network, its equipment, and resources is monitored at all times and requires explicit permission from the network administrator. If you do not have this permission in writing, you are violating the regulations of this network and can and will be prosecuted to the full extent of the law. By continuing into this system, you are acknowledging that you are aware of and agree to these terms.
     
    back to topback to home page
     
Commonly Asked Questions   Commonly Asked Questions

Q. Is it possible to have a secure system if you have employees who telecommute or work otherwise non-traditional schedules?
A. Yes. While particular countermeasures might need to be adjusted to accommodate non-traditional schedules (e.g., the practice of limiting users to acceptable log-in times and locations), a system with telecommuters, frequent travelers, and other remote access users can still be secure. Doing so may require policy-makers to think more creatively, but each security guideline needs to be customized to meet the organization's needs anyway (see Chapter 2).

read closely! (icon)

 

Q. Is the use of passwords an effective strategy for securing a system?
A. Just because password systems are the most prevalent authentication strategy currently being practiced doesn't mean that they have become any less effective. In fact, the reason for their popularity is precisely because they can be so useful in restricting system access. The major concern about password systems is not their technical integrity, but the degree to which (like many strategies) they rely upon proper implementation by users. While there are certainly more expensive and even effective ways of restricting user access, if risk analysis determines that a password system meets organizational needs and is most cost-effective, you can feel confident about password protection as long as users are implementing the system properly--which, in turn, demands appropriate staff training (see Chapter 10).

Trust just simply is not an acceptable security strategy

 

Q. Are all of these precautions necessary if an organization trusts its staff?
A. Absolutely. While the vast majority of system users are probably trustworthy, it doesn't mean that they're above having occasional computing accidents. After all, most system problems are the result of human mistake. By instituting security procedures, the organization protects not only the system and its information, but also each user who could at some point unintentionally damage a valued file. By knowing that "their" information is maintained in a secure fashion, employees will feel more comfortable and confident about their computing activities.

   

Initiating security procedures also benefits users by:

1) Helping them to protect their own files

2) Decreasing the likelihood of their improperly releasing confidential information

3) Educating them about what is and is not considered to be appropriate behavior

     
    back to topback to home page
     

Guidelines for security policy development can be found in Chapter 3

  Policy Issues

User access security demands that all persons (or systems) who engage network resources be required to identify themselves and prove that they are, in fact, who they claim to be. Users are subsequently limited to access to those files that they absolutely need to meet their job requirements, and no more. To accomplish this, decision-makers must establish policies regulating user account systems, user authentication practices, log-in procedures, physical security requirements, and remote access mechanisms.


As discussed more completely in Chapter 2, a threat is any action, actor, or event that contributes to risk

 

User Access Threats (Examples)

Examples of user access threats include:
  • Intentional acts (e.g., shared user accounts, hacking, and user spoofing or impersonating)

  • Unintentional acts (e.g., delayed termination of inactive accounts, unprotected passwords, and mismanaged remote access equipment)
     
    back to topback to home page
   


User Access Security Countermeasures

The following countermeasures address user access security concerns that could affect your site(s) and equipment. These strategies are recommended when risk assessment identifies or confirms the need to counter potential user access breaches in your security system.

excerpt icon
  Countermeasures come in a variety of sizes, shapes, and levels of complexity. This document endeavors to describe a range of strategies that are potentially applicable to life in education organizations. In an effort to maintain this focus, those countermeasures that are unlikely to be applied in education organizations are not included here. If after your risk assessment, for example, your security team determines that your organization requires high-end countermeasures like retinal scanners or voice analyzers, you will need to refer to other security references and perhaps hire a reliable technical consultant.
                             something you should do (icon)

Select only those countermeasures that meet perceived needs as identified during risk assessment (Chapter 2) or support policy (Chapter 3).

  Implement a Program in Which Every User Accesses the System by Means of an Individual Account:
  • Limit user access to only those files they need to do their jobs: Providing access that is not needed greatly contributes to risk without a corresponding increase in benefit. Why bother?

  • Avoid shared accounts: Individual activity cannot be differentiated unless there are individual accounts.

  • Secure the user account name list: Because of its importance to system security, the user account list should be considered to be confidential and should never be made public. Give b consideration to storing it as an encrypted file.

  • Monitor account activities: Keep a record of all system use (many systems perform this function through an audit trail feature).

  • Terminate dormant accounts after a pre-set period of inactivity (e.g., 30 days): Legitimate users can always reapply and reestablish their accounts.

                             something you should do (icon)

See Chapter 9 for guidelines for authenticating messages transmitted over outside networks.

  Countermeasures like biometrics are probably beyond the realm of possibility (and necessity) in most, if not all, education organizations.

 
Require Users to "Authenticate" Themselves in Order to Access Their Accounts (i.e., make sure that they prove that they are who they are representing themselves to be):
  • Select an authentication system: The right choice for an authentication system depends on the needs of the organization and its system, and should be based on the findings of a risk assessment (see Chapter 2). Note that the following options progress from least secure to most secure, as well as (not surprisingly), least expensive to most expensive:

    1. Something the user knows (e.g., a password--see below)

    2. Something the user has (e.g., an electronic key card)

    3. Something the user is (e.g., biometrics--finger printing, voice recognition, and hand geometry)

There are tradeoffs associated with making passwords more difficult to remember than a pet's name or a person's initials (e.g., staff are more likely to write down password reminders). The costs and benefits of these tradeoffs should be considered in the organization's risk assessment (see Chapter 2).
 

   

Passwords

Because passwords are the most common method of user authentication, they deserve special attention.

Password selection:

something you should do (icon)
  • Require that passwords be at least six characters in length (although eight to ten are preferable).
  • Prohibit the use of passwords that are words, names, dates, or other commonly expected formats.
  • Forbid the use of passwords that reflect or identify the account owner (e.g., no birthdates, initials, or names of pets).
  • Require a mix of characters (i.e., letters/numbers and upper/lower case if the system is case sensitive).

One way to effectively create apparently random passwords that can be memorized easily is to use the first letter of each word in a favorite quote, capitalize every other letter, and add a number. For example, Longfellow's "One if by land, two if by sea" (from Paul Revere's Ride) becomes the password "oIbLtIbS3".23

Password maintenance:

something you should do (icon)
  • Require the system administrator to change all pre-set passwords that are built into software (e.g., supervisor, demo, and root).
  • Systematically require passwords to be changed at pre-set intervals (e.g., once per month).
  • Maintain zero-tolerance for password sharing.
  • Forbid unsecured storage of personal passwords (e.g., they should not be written on a Post-It™ note and taped to the side of a monitor).
  • Never send a password as a part of an e-mail message.
  • Warn users not to type their password when someone may be watching.
  • Mask (or otherwise obscure) password display on the monitor when users type it in.
  • Remind users that it is easy to change passwords if they think that theirs may have been compromised.
  • Maintain an encrypted history of passwords to make sure that users are not simply recycling old passwords when they should be changing them.
  • Monitor the workplace to ensure that all regulations are being followed.
 

The security manager must be open to the concerns of system users. Security is a two-way street on which both users and security personnel have legitimate needs.

 


It Really Happens!

Principal Mullins was a stickler for rules, but he was also serious about getting the job done. When, two weeks after school had already begun, he learned that none of his three new teachers had yet received accounts on the computer network from central office, he was incensed. They had enough to worry about without being hampered by being kept off-line. He called in his assistant, "I don't care whether security policy prohibits password sharing or not, these people need to get on the system. Let them use my password to log on--it's 'A4a6dc', got that? Make sure that they have access to everything they need to do their jobs!"

Three weeks passed before the system administrator e-mailed Principal Mullins about apparent misuse of his password: "System logs show almost daily incidents when more than one person at a time is trying to log on to the system with your password. Please change the password immediately and let me know if you have any idea about who is misusing it."

Principal Mullins knew that he had not only been risking trouble with the system administrator but also truly jeopardizing system security. Despite his initial (and legitimate) anger about his teachers being unable to access the system, he did not feel good about circumventing agreed-upon policy. Unfortunately, when central office was so unresponsive to the needs of his teachers and school, he felt that he had been left with very few options. He replied to the system administrator: "My three new teachers are using the password since they have yet to be assigned their own network accounts. We are not looking to break good rules, only to do our jobs--please allow us to do so. Find a way to get new staff access to the system in a timely manner and we will surely respect and abide by security policy." Principal Mullins could only hope that the system administrator would understand his position, and that system security had not been violated.

                            something you should do (icon)


Remember to customize countermeasures to meet organizational and user needs.


Some intruders employ "password dictionaries" that, quite literally, try to match passwords one word at a time for thousands and thousands of attempts!

  Establish Standard Account and Authentication Procedures (known as log-in procedures):
  • Limit users to acceptable log-in times: There is no reason for an average day-shift employee to be able to access the system in the middle of the night.

  • Limit users to acceptable log-in locations: There is no reason for an average employee with a terminal on his or her desk to access the system from his or her supervisor's desk.

  • Set reasonable limits to the number of allowable log-in attempts: Enable the system to assume that anyone who can't enter a password correctly after three attempts may, in fact, not be who they say they are. Allow users more than one or two attempts or else they might make mistakes simply because they are worried about getting shut out. After three incorrect attempts, the account should be suspended (to prevent an intruder from simply calling back and trying three more times). Legitimate users can always have their accounts reopened by contacting the security manager.

  • Require staff to log off the system and turn off the computer: The last important step of logging on properly is logging off properly. Users should be required to log off every time they leave their workstations (e.g., for lunch, breaks, and meetings). After all, an unauthorized user has free reign to an authorized user's access when a computer is left unattended and logged into the system.

something you should do (icon)
 
Recognize that Routine Physical Security Plays an Important Role in User Access Management (see also Chapter 5):
  • Protect every access node in the system: An "access node" is a point on a network through which you can access the system. If even one such point is left unsecured, then the entire system is at risk. A good example of frequently forgotten access nodes are modular network plugs that are often built into conference rooms (into which portable computers can be plugged). If unauthorized users can get to such a node with a laptop, they are in position to attack the system.

  • Protect cables and wires as if they were access nodes: If a sophisticated intruder can access a span of cable that is used as a connector between pieces of equipment, he or she may be able to access the entire system. Physically accessing the wiring is referred to as "tapping the line." High-end equipment can monitor electrical emanations (known as Radio Frequency Interference) from wiring without even physically touching the cable.

  • Disconnect floppy drives from servers: A sophisticated intruder can boot-up (the technical term for "starting the system") from an external disk drive.

  • Install screen savers (with mandatory locking features): Prevent information from being read by anyone who happens to be walking past the display monitor.
     
                           something you should do (icon)

See Chapter 9 for more information about securing connections to outside networks, including the Internet.

  Pay Particular Attention to Remote Access Systems (i.e., when someone, including an authorized user, accesses your system from off-site via a modem):
  • Consider requiring pre-approval for remote access privileges: An identified subset of employees to monitor is more manageable than every random person who calls into the system.

  • Remind staff that remote access is particularly subject to monitoring activities: Increased risk requires increased vigilance.

  • Set modems to answer only after several rings: An authorized user will know that he has dialed a "slow" modem and will therefore be willing to wait. A random-dialer looking to bump into modems may be less likely to be so patient.

  • Use a "call back" communication strategy with remote access users: Once users call in and properly identify themselves, the connection is dropped and the system then calls back the authorized users at a pre-approved access location.

  • Use software that requires "message authentication" in addition to "user authentication": Even if a user can provide the right password, each message sent and received must have its delivery verified to ensure that an unauthorized user didn't interrupt the transmission.

  • Never transmit sensitive information over public telephone lines unless the transmission has first been encrypted: Unless a line can be verified as secure, it must be considered to be susceptible to tampering.

  • Investigate security features of external networks to which the system connects: The Internet and other networks are not just things your staff can access and browse--they are two-way lines of communication. If security cannot be verified, then additional precautions must be taken (e.g., gateways and firewalls).

  • Install firewalls on your system at external access points: A firewall is by far the most common way to secure the connection between your network and outside networks. It works by allowing only trusted (authenticated) messages to pass into your internal network from the outside (see also Chapter 9).
     
excerpt icon
  School officials allow the use of calculators in the classroom without necessarily understanding how the transistors process mathematical calculations. So, too, can they make informed decisions about highly technical security options like firewalls without having to become experts on installing and operating associated software and hardware.
   
  • Never list dial-in communication numbers publicly: Why advertise what authorized users should already know?

  • Disable modems when not in use: No need to provide a viable line of access to and from the system unless it's necessary.

  • Never leave a modem on automatic answer mode: Such a practice opens the door to unauthorized and unsupervised system access.

  • Permit modem use only from secure locations: Never allow a modem to be connected to a system machine that is not itself protected by a firewall or gateway.

  • Grant Internet access only to those employees who need it to perform their jobs: A student might need the Internet for legitimate learning purposes, but a staff assistant probably does not.

  • Remind students and staff that the Internet (and all system activity for that matter) is for approved use only: There are countless Internet sites and activities that have no positive influence on the education environment. They have no place on the system.

  • Require all users to sign Appropriate Use Agreements before receiving access to the system: Signed Security Agreements (see Chapter 3) verify that users have been informed of their responsibilities and understand that they will be held accountable for their actions.
     
    back to topback to home page
     
   

User Access Security Checklist

While it may be tempting to refer to the following checklist as your security plan, to do so would limit the effectiveness of the recommendations.  They are most useful when initiated as part of a larger plan to develop and implement security policy throughout an organization.  Other chapters in this document also address ways to customize policy to your organization's specific needs--a concept that should not be ignored if you want to maximize the effectiveness of any given guideline.

   
 
Security Checklist for Chapter 8

The brevity of a checklist can be helpful, but it in no way makes up for the detail of the text.
   
Check Points
for User Access Security
Design an Appropriate Opening Screen That Users Must Visit Before Accessing the System      Click here
  1. Is the opening screen clear and specific about the organization's expectations of the user?
     Click here
  1. Does the opening screen require the user to accept the conditions of monitoring and punishment before proceeding?
     Click here
Implement a User Account System      Click here
  1. Is file access limited to that information users need to do their jobs?
     Click here
  1. Are shared accounts explicitly prohibited?
     Click here
  1. Is the list of user accounts and names maintained securely?
     Click here
  1. Is account activity properly monitored?
     Click here
  1. Are dormant accounts terminated after pre-set periods of inactivity?
     Click here
Require Users to Authenticate Themselves      Click here
  1. Has an appropriate authentication system been selected based on risk assessment findings?
     Click here
  1. Are passwords required to be at least six characters in length?
     Click here
  1. Are names, dates, and other commonly anticipated password formats disallowed?
     Click here
  1. Are passwords that reflect or identify the user forbidden (e.g., initials and pet names)?
     Click here
  1. Is a mix of letters and numbers, and upper and lower cases required?
     Click here
  1. Is the use of non-words and random characters encouraged?
     Click here
  1. Has the system administrator changed all pre-set and packaged passwords?
     Click here
  1. Are passwords required to be changed at regular intervals?
     Click here
  1. Is password sharing expressly forbidden?
     Click here
  1. Are password reminders stored securely by personnel?
     Click here
  1. Have users been warned to never send their password as a part of an e-mail message?
     Click here
  1. Have users been warned not to type in their passwords when someone may be watching?
     Click here
  1. Are password characters masked on display screens?
     Click here
  1. Have users been told that they can, and should, change their password if they think it might be compromised?
     Click here
  1. Is a history of user passwords maintained securely and reviewed routinely to ensure that users are not recycling passwords?
     Click here
  1. Is the workplace appropriately monitored for adherence to security regulations?
     Click here
Establish Standard Log-in Procedures      Click here
  1. Is each user limited to acceptable times for logging into the system?
     Click here
  1. Is each user limited to acceptable places for logging into the system?
     Click here
  1. Is there a limit to the number of times a user can attempt to log in incorrectly?
     Click here
  1. Do staff know to log off and turn off computers?
     Click here
Recognize the Importance of Physical Security      Click here
  1. Have all system access points (nodes) been secured?
     Click here
  1. Has all cabling and wiring been secured?
     Click here
  1. Have floppy drives been disconnected from servers?
     Click here
  1. Are lockable screen savers installed and in use?
     Click here
Pay Attention to Remote Access (and Modem Use)      Click here
  1. Is pre-approval required for remote access capabilities?
     Click here
  1. Are staff aware that remote access is monitored? Is it?
     Click here
  1. Are modems set to answer only after several rings?
     Click here
  1. Is a call-back system in place?
     Click here
  1. Is message authentication required in addition to user authentication?
     Click here
  1. Is sensitive information prohibited from being transmitted over public lines unless the files are first encrypted?
     Click here
  1. Is the organization aware of security features used by outside networks to which it connects? Are they acceptable?
     Click here
  1. Are firewalls in use as needed?
     Click here
  1. Are dial-in communication numbers protected from outsiders?
     Click here
  1. Are modems disabled when not in use?
     Click here
  1. Are modems always kept off automatic answer modes?
     Click here
  1. Are modems only installed on computers in secure locations?
     Click here
  1. Is Internet access granted to only those users who need it?
     Click here
  1. Have all users been reminded that system use is only for approved activities?
     Click here
  1. Are users required to sign Appropriate Use Agreements (see Chapter 3) before receiving access to the system?
     Click here
   

Quote- We have met the enemy and he is us. (Pogo (Walt Kelly))

back to topback to home page
back to previous chapternext chapter

Would you like to help us improve our products and website by taking a short survey?

YES, I would like to take the survey

or

No Thanks

The survey consists of a few short questions and takes less than one minute to complete.
National Center for Education Statistics - http://nces.ed.gov
U.S. Department of Education