The Loss Of Data Confidentiality

Published Date: 02 Nov 2017

LAN SECURITY

Introduction

A LAN, or local area network, is a network of computers deployed in a small geographic area such as an office complex, building, or campus.

Local area networks (LANS) have become a major tool for many organizations in meeting data processing and data communication needs. In LAN, computers interconnect to each other to share resources like files, printers and services. LAN’s of various banks, financial institutes, and corporations store a lot of customer information like social security numbers, driver’s license and other sensitive information’s such as purchasing profiles. Over the years, although network security has increased, the frequency of attacks on the network has also increased (vacca).Many organizations use large LANs internally and also connect to public networks, such as the Internet. By doing so, organizations increase their exposure to threats from intruder activity (nist security handbook).In a corporate network LAN’s, securing the data is of paramount importance as the network is constantly under attack from hackers. Apart from the security threats by hackers there is also the threat of espionage by competitive companies. A competitor may hijack the resources such as web services; domain name services leading to Denial of Service.

There are three objectives of the network security

Confidentiality: Only authorized users have access to the network.

Integrity: Data cannot be modified by unauthorized users.

Access: Security must be designed so that authorized users have uninterrupted access to data (vacca).

Threats and Vulnerabilities

A threat can be any person, object, or event that, if realized, could potentially cause damage to the LAN. Threats can be malicious, such as the intentional modification of sensitive information, or can be accidental, such as an error in a calculation, or the accidental deletion of a file. Threats can also be acts of nature, i.e. flooding, wind, lightning, etc.

Vulnerabilities are flaws in a LAN that can be exploited by a threat resulting in loss. For example, unauthorized access (the threat) to the LAN could occur by an outsider guessing an obvious password. The vulnerability exploited is the poor password choice made by a user. Reducing or eliminating the vulnerabilities of the LAN can reduce or eliminate the risk of threats to the LAN. For example, a tool that can help users choose robust passwords may reduce the chance that users will utilize poor passwords, and thus reduce the threat of unauthorized LAN access (FIPS).

This paper discusses the various vulnerabilities of a LAN that an IT manager faces and the how the IT manager can mitigate these vulnerabilities.

Unauthorized LAN Access

A LAN provides designated users with shared access to hardware, software, and data.Unauthorized access to LAN resources is one of the greatest LAN vulnerability.. Unauthorized LAN access occurs when someone, who is not authorized to use the LAN, gains access to the LAN (Fips).This access type can be internal or external(intruder).

Password: Password sharing/capturing/guessing allows an unauthorized user to have the LAN access and privileges of a legitimate user; with the legitimate user's knowledge and acceptance. Unauthorized LAN access can occur by exploiting the password vulnerabilities like poor password management, easy guess password.

Network access: An unauthorized access to network nodes like switches, hubs or routers on LAN can be used by intruder to launch denial of service attacks. A network entry point and exit point are the most vulnerable network element. The most common threats from network are hijacking of resources such as Domain Name Service, antivirus, web services leading to DoS or distributed DoS attacks.(vacca)

Unauthorized access may occur simply because the access rights assigned to the resource are not assigned properly. However, unauthorized access may also occur because the access control mechanism or the privilege mechanism is not granular enough.

Loss of Data Confidentiality

Confidentiality is providing access and disclosure of information only to authorized user and preventing access to unauthorized users. The disclosure of LAN data or software occurs when the data or software is accessed, read and possibly released to an individual who is not authorized for the data results in loss of data confidentiality. The loss of data confidentiality can cause a company not only financial expenses but can also cause it to lose its reputation resulting in loss of customers. Improper access control, lack of data encryption policy and general display of monitors or printouts are some of the vulnerability that an attacker can use to cause to disrupt an Organization’s information systems.

2.1.4 Loss of Data Integrity

When an unauthorized changes are made to data or software it results in loss of data integrity (Fips). Data integrity is critical to any organization that maintains electronic records including: corporations, governmental agencies, non-profit organizations, service groups, medical practices and educational institutions. If the integrity of records is compromised, the impact on the organization could be horrific, resulting in financial records being exposed, the theft of customer or client identities, the exposure of strategic initiatives, loss of business, and even the malicious transfer of funds, all of which are potential outcomes, when an organization’s database technologies are compromised.(Hallman,Stahl and Ahmadov). PCs are especially vulnerable to viruses and related malicious software (e.g., Trojan horse, logic bomb, worm). An executing program, including a virus-infected program, has access to most things in memory or on disk. A PC LAN is also highly vulnerable, because any PC can propagate an infected copy of a program

2.1.5 Disclosure of LAN Traffic

The disclosure of LAN traffic occurs when someone who is unauthorized reads, or otherwise obtains, information as it is moved through the LAN. LAN traffic can be compromised by listening and capturing traffic transmitted over the LAN transport media (tapping into a network cable, listening to traffic transmitted over the air, misusing a provided network connection by attaching an analysis device, etc.) (FIPs). The compromise of LAN traffic can occur by exploiting the following types of vulnerabilities:

inadequate physical protection of LAN devices and medium,

transmitting plaintext data using broadcast protocols,

transmitting plaintext data (unencrypted) over the LAN medium, (FIPS)

Spoofing of LAN Traffic

Data that is transmitted over a LAN should not be altered in an unauthorized manner as a result of that transmission, either by the LAN itself, or by an intruder. LAN users should be able to have a reasonable expectation that the message sent, is received unmodified. A modification occurs when an intentional or unintentional change is made to any part of the message including the contents and addressing information.

Spooling of LAN traffic involves (1) the ability to receive a message by masquerding as the legitimate receiving destination, or (2) masqueriding as the sending machine and sending a message to a destination. To masquerade as a receiving machine, the LAN must he persuaded into believing that the destination address is the legitimate address of the machine. (Receiving LAN traffic can also he done by listening to messages as they are broadcast to all nodes.) Masquerading as the sending machine to deceive a receiver into believing the message was legitimately sent can be done by masquerading the address, or by means of a playback. A playback involves capturing a session between a sender and receiver, and then retransmitting that message (either with the header only, and new message contents, or the whole message). The spoofing of LAN traffic or the modification of LAN traffic can occur by exploiting the following types of vulnerabilities:

Vulnerabilities

transmitting LAN traffic in plaintext,

lack of a date/time stamp (showing sending time and receiving time),

lack of message authentication code mechanism or digital signature,

lack of real-time verification mechanism (to use against playback).

2.1.7 Disruption of LAN Functions

A LAN is a tool, used by an organization, to share information and transmit it from one location to another. A disruption of functionality occurs when the LAN cannnot provide the needed functionality in an acceptable, timely manner. A disruption can interrupt one type of functionality or many. A disruption of LAN functionalities can occur by exploiting the following types of vulnerabilities:

Vulnerabilities

inability to detect unusual traffic patterns (i.e. intentional flooding),

inability to reroute traffic, handle hardware failures, etc,

configuration of LAN that allows for a single point of failure,

unauthorized changes made to hardware components (reconfiguring addresses on workstations, modifying router or hub configurations, etc.), a improper maintenance of LAN hardware,

Improper physical security of LAN hardware. (FIPS)

LAN Security Management

A security service is the collection of mechanisms, procedures and other controls that are implemented to help reduce the risk associated with threat. For example, the identification and authentication service helps reduce the risk of the unauthorized user threat. Some services provide protection from threats, while other services provide for detection of the threat occurrence. An example of this would be a logging or monitoring service. The following services will be discussed in this section:

Identification and authentication - is the security service that helps ensure that the LAN is accessed by only authorized individuals.

Access control - is the security service that helps ensure that LAN resources are being utilized in an authorized manner.

Data and message confidentiality - is the security service that helps ensure that LAN data, software and messages are not disclosed to unauthorized parties.

Data and message integrity - is the security service that helps ensure that LAN data, software and messages are not modified by unauthorized parties.

Non-repudiation - is the security service by which the entities involved in a communication cannot deny having participated. Specifically the sending entity cannot deny having sent a message (non-repudiation with proof of' origin) and the receiving entity cannot deny having received a message (non-repudiation with proof of delivery).

Logging and Monitoring - is the security service by which uses of LAN resources can be traced throughout the LAN.

2.2.1 Identification and Authentication

The first step toward securing the resources of a LAN is the ability to verify the identities of users. The process of verifying a user's identity is referred to as authentication. User identification and authentication (verification) controls are used to verify the identity of a station, originator, or individual prior to allowing access to the system, or specific categories of information within the system. Identification involves the identifier or name by which the user is known to the LAN in some manner. This is usually based on an assigned userid. However the LAN cannot trust the validity that the user is in fact, who the user claims to be, without being authenticated. Authentication is the process of "proving" that the individual is actually the person associated with the identifier The authentication is done by having the user supply something that only the user has, such as a token, something that only the user knows, such as a password, or something that makes the user unique, such as a fingerprint. The more of these that the user has to supply, the less risk in someone masquerading as the legitimate user (FIPS)

A requirement specifying the need for authentication should exist in most LAN policies. The requirement may be directed implicitly in a program level policy stressing the need to effectively control access to information and LAN resources, or may be explicitly stated in a LAN specific policy that states that all users must be uniquely identified and authenticated. (FIPS)

On most LANS, the identification and authentication mechanism is a userid/password scheme.

Passwords are a combination of letters and numbers

(or symbols), preferably six or more characters, that should be known only to the accessor. Passwords and log-on codes should have an expiration feature, should not be reusable, should provide for secrecy (e.g., non-print, non-display feature, encryption), and should limit the number of unsuccessful access attempts. Passwords should conform to a set of rules established by management.

Password-only mechanisms, especially those that transmit the password in the clear (in an unencrypted form) are susceptible to being monitored and captured. This can become a serious problem if the LAN has any uncontrolled connections to outside networks. Agencies that are considering connecting their LANs to outside networks, particularly the Internet, should have proper management of password creation, storage, expiration and destruction become all the more important.

Because of the vulnerabilities that still exist with the use of password-only mechanisms, more robust mechanisms can be used like token-based authentication and the use of biometrics. A smartcard based or token based mechanism requires that a user be in possession of the token and additionally may require the user to know a PIN or password. These devices then perform a challenge/response authentication scheme using realtime parameters. Using realtime parameters helps prevent an intruder from gaining unauthorized access through a login session playback. These devices may also encrypt the authentication session, preventing the compromise of the authentication information through monitoring and capturing (FIPS).

Locking mechanisms for LAN devices, workstations, or PCs that require user authentication to unlock can be useful to users who must leave their work areas frequently. These locks allow users to remain logged into the LAN and leave their work areas (for an acceptable short period of time ) without exposing an entry point into the LAN (FIPS).

2.2.2 Access Control

This service protects against the unauthorized use of LAN resources, and can be provided by the use of access control mechanisms and privilege mechanisms. Access control is the selective restriction of access to a place or other resource. For example, some information must be accessible to all users, some may be needed by several groups or departments, and some should be accessed by only a few individuals. The users must have access to the information they need to do their jobs, it may also be required to deny access to non-job-related information.

Access control can be achieved by using discretionary access control , mandatory access control or role based access control. Discretionary access control is the most common type of access control used by LANS. The basis of this kind of security is that an individual user, or program operating on the user's behalf is allowed to specify explicitly the types of access other users (or programs executing on their behalf) may have to information under the user's control. Discretionary security differs from mandatory security in that it implements the access control decisions of the user. Mandatory controls are driven by the results of a comparison between the user's trust level or clearance and the sensitivity designation of the information (FIPS)

A LAN operating system may implement user profiles, capability lists or access control lists to specify access rights for many individual users and many different groups. Using these mechanisms allows more flexibility in granting different access rights to different users, which may provide more stringent access control for the file (or directory). (These more flexible mechanisms prevent having to give a user more access than necessary, a common problem with the three level approach.) Access control lists assign the access rights of named users and named groups to a file or directory. Capability lists and user profiles assign the files and directories that can he accessed by a named user(FIPS).

These access controls can also be used to restrict usage between servers on the LAN. Many LAN operating systems can restrict the type of traffic sent between servers. There may be no restrictions, which implies that all users may be able to access resources on all servers (depending on the users access rights on a particular server). Some restrictions may be in place that allow only certain types of traffic, for example only electronic mail messages, and further restrictions may allow no exchange of traffic from server to server. The LAN policy should determine what types of information need to be exchanged between servers. Information that is not necessary to be shared between servers should then be restricted (FIPS).

Mechanisms

access control mechanism using access rights (defining owner, group, world permissions),

access control mechanism using access control lists, user profiles, capability lists,

access control using mandatory access control mechanisms (labels),

granular privilege mechanism.

2.2.3 Data and Message Confidentiality

These controls provide protection for data that must be held in confidence and protected from unauthorized disclosure.. As a front line protection, this service may incorporate mechanisms associated with the access control service, but can also rely on encryption to provide further secrecy protection. Encryption is a means of encoding (scrambling) data so that they are unreadable. When the data are received, the reverse scrambling takes place. The scrambling and descrambling requires an encryption capability at either end and a specific key, either hardware or software to code and decode the data. Encryption allows only authorized users to have access to applications and data.

It is very difficult to control unauthorized access to LAN traffic as it is moved through the LAN. For most LAN users, this is a realized and accepted problem. The use of encryption reduces the risk of someone capturing and reading LAN messages in transit by making the message unreadable to those who may capture it. Only the authorized user who has the correct key can decrypt the message once it is received.

A strong policy statement should dictate to users the types of information that a-re deemed sensitive enough to warrant encryption. A program level policy may dictate the broad categories of information that need to be stringently protected, while a system level policy may detail the specific types of information and the specific environments that warrant encryption protection. At whatever level the policy is dictated, the decision to use encryption should be made by the authority within the organization charged with ensuring protection of sensitive information. If a strong policy does not exist that defines what information to encrypt, then the data owner should ultimately make this decision (FIPS).

Mechanisms

file and message encryption technology,

protection for backup copies on tapes, diskettes, etc,

physical protection of physical LAN medium and devices,

use of routers that provide filtering to limit broadcasting (either by blocking or by masking message contents).

Explain some encryption methods public private

2.2.4 Data and Message Integrity

The data and message integrity service helps to protect data and software on workstations, file servers, and other LAN components from unauthorized modification. The unauthorized modification can he intentional or accidental. This service can be provided by the use of cryptographic checksums, and very granular access control and privilege mechanisms. The more granular the access control or privilege mechanism, the less likely an unauthorized or accidental modification can occur.

The data and message integrity service also helps to ensure that a message is not altered, deleted or added to in any manner during transmission. (The inadvertent modification of a message packet is handled through the media access control implemented within the LAN protocol.) Most of the security techniques available today cannot prevent the modification of a message, but they can detect the modifiation of a message (unless the message is deleted altogether).

The use of check-sums provide a modification detection capability. A Message Authentication Code (MAC), a type of cryptographic checksum, can protect against both accidental and intentional, but unauthorized, data modification. A MAC is initially calculated by applying a crvptographic algorithm and a secret value, called the key, to the data. The initial MAC is retained. The data is later verified by applying the cryptographic algorithm and the same secret key to the data to produce another MAC; this MAC is then compared to the initial MAC. If the two MACs are equal, then the data is considered authentic. Otherwise, an unauthorized modification is assumed.

The use of electronic signatures can also be used to detect the modification of data or messages. An electronic signature can be generated using public key or private key cryptography. Using a public key system, documents in a computer system are electronically signed by applying the originator s private key to the document. The resulting digital signature and document can then be stored or transmitted. The signature can be verified using the public key of the originator. If the signature verifies properly, the receiver has confidence that the document was signed using the private key of the originator and that the message had not been altered after it was signed. Because private keys are known only to their owner, it may also possible to verify the originator of the information to a third party. A digital signature, therefore, provides two distinct services: nonrepudiation and message integrity. FIPS PUB 186, Digital Signature Standard, specifies a digital signature algorithm that should he used when message and data integrity are required.

The message authentication code (MAC) described above can also be used to provide an electronic signature capability. The MAC is calculated based on the contents of the message. After transmission another MAC is calculated on the contents of the received message. If the MAC associated with the message that was sent is not the same as the MAC associated with the message that was received, then there is proof that the message received does not exactly match the message sent. A MAC can he used to identify the signer of the information to the receiver. However, the implementations of this technology do not inherently provide nonrepudiation because both the sender of the information and the receiver of the information share the same key. The types of security mechanisms that could be implemented to provide the data and message integrity service are listed below.

Mechanisms

message authentication codes used for software or files,

use of secret key based electronic signature,

use of public key digital signature,

granular privilege mechanism,

appropriate access control settings (i.e. no unnecessary write permissions),

virus detection software,

workstations with no local storage (,to prevent local storage of software and files),

workstations with no diskette drive/tape drive to prevent introduction of suspect software.

use of public key digital signatures.

2.2.5 Non-repudiation

Non-repudiation helps ensure that the entities in a communication cannot deny having participated in all or part of the communication. When a major function of the LAN is electronic mail, this service becomes very important. Non-repudiation with proof of origin gives the receiver some confidence that the message indeed came from the named originator. The nonrepudiation service can be provided through the use of public key cryptographic techniques using digital signatures. See Section 2.2.4 Data and Message Integrity for a description and use of digital signatures. The security mechanism that could be implemented to provide the non- repudiation service is listed below.

Mechanisms

use of public key digital signatures.

2.2.6 Logging and Monitoring

This service performs two functions. The first is the detection of the occurrence of a threat. (However, the detection does not occur in real time unless some type of real-time monitoring capability is utilized.) Depending on the extensiveness of the logging, the detected event should be traceable throughout the system. For example, when an intruder breaks into the system, the log should indicate who was logged on to the system at the time, all sensitive files that had failed accesses, all programs that had attempted executions, etc. It should also indicate sensitive files and programs that were successfully accessed in this time period. It may be appropriate that some areas of the LAN (workstations, fileservers, etc.) have some type of logging service.

The second function of this service is to provide system and network managers with statistics that indicate that systems and the network as a whole are functioning properly. This can be done by an audit mechanism that uses the log file as input and processes the file into meaningful information regarding system usage and security. A monitoring capability can also be used to detect LAN availability problems as they develop. The types of security mechanisms that could be used to provide the logging and monitoring service are listed below.

Mechanisms

logging of I&A information (including source machine, modem, etc.),

logging of changes to access control information,

logging of use of sensitive files,

logging of modifications made to critical software,

utilizing LAN traffic management tools,

use of auditing tools. (FIPS)

Audit Trail Mechanisms. Audit controls provide a system monitoring and recording capability to retain

or reconstruct a chronological record of system activities (e.g., system log files). These audits records help to establish accountability when something happens or is discovered. Audit controls should be implemented as part of a planned LAN security program. LANs have varying audit capabilities, which include:

· Exception logs record information relating to system anomalies such as unsuccessful password or logon attempts, unauthorized transaction attempts, PC/remote dial-in lockouts, and related matters. Exception logs should be reviewed and retained for specified periods.

· Event records identify transactions entering or exiting the system, and journal tapes are a backup of the daily activities.

Assignment of LAN Security Officer. The first safeguard in any LAN security program is to assign

the security responsibility to a specific, technically knowledgeable person. This person must then take the necessary steps to assure a viable LAN security program, as outlined herein and in the AISSP Handbook. Also, the Handbook requires that a responsible owner/security official be assigned to each application, including e-mail and other LAN applications.

Security Awareness and Training. Security training is mandated by the Computer Security Act of 1987. All Federal employees and contractors involved with the management, use, design, acquisition, maintenance or operation of a LAN must be aware of their security responsibilities and trained in how to fulfill them. See the DHHS AIS Security Training and Orientation Program (AIS-STOP) Guide for detailed guidance on security training programs.

Technical training is the foundation of security training. These two categories of training are so interrelated that training in security should be a component of each computer systems training class. Proper technical training is considered to be perhaps the single most important safeguard in reducing human errors -- the mistakes of otherwise well-meaning employees.

Personnel Screening. Personnel security policies and procedures should be in place and working as part of the process of controlling access to LANs. Specifically, LAN management must designate sensitive positions and screen incumbents, following the guidance in DHHS Instruction 731-1, Personnel Manual, Personnel Security/Suitability - Policy and Guidance, August 4, 1988, for individuals involved in the management, operation, security, programming, or maintenance of the system. In the PCIE computer security study, cited earlier in Section 1.1, fraud and abuse was often committed by authorized government/contractor users (not outsiders), and "it was also determined that over one-fifth of them had criminal records prior to being hired."

The personnel screening process should also address LAN repair and maintenance activities, as well as janitorial and building repair crews that may have unattended access to LAN facilities.

Separation of Duties. People within the organization (insider people threats) are the largest category of risk to the LAN. Separation of duties is a key to internal control, designed to make fraud or abuse

difficult without collusion. For example, setting up the LAN security controls, auditing the controls, and management review of the results should be performed by different persons.

Preventive Maintenance. Hardware failure is an ever present threat, since LAN physical components

wear out and break down. Preventive maintenance identifies components nearing the point at which they could fail, allowing for the necessary repair or replacement before operations are affected.

Written Procedures. It is human nature for people to perform tasks differently and inconsistently, even if the same person performs the same task. An inconsistent procedure increases the potential for an unauthorized action (accidental or intentional) to take place on a LAN. Written procedures help to establish and enforce consistency in LAN operations.

Procedures should be tailored to specific LANs and addressed to the actual users, to include the "do's" and "don't's" of the main elements of safe computing practices, such as: access control (e.g., password

content), handling of floppies, copyrights and license restrictions, remote access restrictions, input/output controls, checks for pirated software, courier procedures, and use of lap-top computers.

Operation safeguards are the day-to-day procedures and mechanisms to protect LANs, as basically defined in OMB Bulletin 90-08. These safeguards include:

Backup and Contingency Planning. The goal of an effective backup strategy is to minimize the number

of workdays that can be lost in the event of a disaster (e.g., disk crash, virus, fire). A backup strategy should indicate:

· the type/scope of backup: complete system backups, incremental system backups (changes), file/data backups, and even dual backup disks (disk "mirroring").

· the frequency of the backups: AM/PM, nightly, weekly, monthly.

· the time period for which the backup copies are kept: daily backups may be kept for a week, weekly backups may be kept for a month, monthly backups may be kept for a year.

·

Contingency/Disaster Recovery Planning consists of workable procedures for continuing to perform essential functions in the event that information technology support is interrupted. Application plans should be coordinated with the back-up and recovery plans of any installations and networks used by the application. Appendix E contains a sample contingency plan. Appropriate emergency, backup and contingency plans and procedures should be in place and tested regularly to assure the continuity of support in the event of system failure. These plans should be known to users and coordinated with them.

Offsite storage of critical data, programs, and documentation is important. In the event of a major

disaster such as fire, or even extensive water damage, backups at offsite storage facilities may be the only way to recover important data, software, and documentation. Offsite storage is a mandatory requirement for Level 2 and 3 (and 4) protection requirements.

Physical and Environmental Protection. These are controls used to protect against a wide variety of physical and environmental threats and hazards, including deliberate intrusion, fire, natural hazards, and utility outages or breakdowns. Several areas come within the direct purview of the LAN/security staff, including: adequate surge protection, battery/backup power, room/cabinet locks, and possibly additional air conditioning. Surge protection and backup power will be discussed in more detail.

Surge suppressors that protect stand-alone equipment may actually cause damage to computers and other peripherals in a network. Ordinary surge protectors and uninterruptible power supplies (UPS) can

actually divert dangerous electrical surges into network data lines and damage equipment connected to that network. Power surges are momentary increases in voltage, up to 6,000 volts in 110 volt power systems, making them dangerous to delicate electronic components and data as they search for paths to ground. Ordinary surge protectors simply divert surges from the hot line to the neutral and ground wires, where they are assumed to flow harmlessly to earth. The extract below summarizes this surge protection problem for networks:

Computers interconnected by datalines present a whole new problem because network (and modem) datalines use the powerline ground circuit for signal voltage reference. When a conventional surge protector diverts a surge to ground, the surge directly enters the datalines through the ground reference. As [NIST's Francois] Martzloff explained in "Protecting Computer Systems Against Power Transients," this causes high surge voltages to appear across datalines between computers, and dangerous surge currents to flow in these datalines. Data Communications reported in December 1990 that "Most experts now agree that TVSSs (Transient Voltage Surge Suppressors) based on conventional diversion designs should not be used for networked equipment." LAN Times commented in May 1990 "Surge protectors may contribute to LAN crashes by diverting surge pulses to ground thereby contaminating the reference used by data cabling." This problem was first discovered by a team of NIST researchers led by Martzloff in 1988. To avoid having the ground wire act as a "back door" entry for surges to harm a computer's low-voltage circuitry, network managers should consider power-line protection that:

· Provides low let-through voltage (under 250 volts peak is harmless).

· Does not use the safety ground as a surge sink and preserves it for its role as voltage reference.

· Attentuates the fast rise times of all surges, to avoid stray coupling into computer circuitry.

· Intercepts all surge frequencies, including internally generated high-frequency surges.

The use of an UPS for battery/backup power can make the difference between a "hard or soft crash." "Hard crashes" are the sudden loss of power and the concurrent loss of the system, including all data and work-in-progress in the servers' random-access-memory (RAM). An UPS provides immediate backup power to permit an orderly shutdown or "soft crash" of the LAN, thus saving the data and work-inprogress. The UPS protecting the server should include software to alert the entire network of an imminent shutdown, permitting users to save their data. LAN servers should be protected by UPSes, and UPS surge protectors should avoid the "back door" entry problems described above.

Production and Input/Output Controls. These are controls over the proper handling, processing, storage, and disposal of input and output data and media, including: locked storage of sensitive paper and electronic media, and proper disposal of materials (i.e., erasing/degaussing diskettes/tape and shredding sensitive paper material).

Audit and Variance Detection. These controls allow management to conduct an independent review of system records and activities in order to test for adequacy of system controls, and to detect and react to departures from established policies, rules, and procedures. Variance detection includes the use of system logs and audit trails to check for anomalies in the number of system accesses, types of accesses, or files accessed by users.

Hardware and System Software Maintenance Controls. These controls are used to monitor the installation of and updates to hardware and operating system and other system software to ensure that the software functions as expected and that an historical record is maintained of system changes. They may also be used to ensure that only authorized software is allowed on the system. These controls may include hardware and system software configuration policy that grants managerial approval to modifications, then documents the changes. They may also include virus protection products.

Documentation. These documentation controls are in the form of descriptions of the hardware, software, and policies, standards, and procedures related to LAN security, to include vendor manuals, LAN procedural guidance, and contingency plans for emergency situations. They may also include network diagrams to depict all interconnected LANs/WANs and the safeguards in effect on the network devices.

3.5.4 Virus Safeguards

Virus safeguards include good security practices cited above (e.g., backups, use of only agency approved software, testing of new software). The DHHS AISSP Handbook requires an OPDIV virus prevention

and protection program, including the designation and training of a computer virus specialist (and backup). Each LAN should be part of this program. More stringent policies should be considered, as needed, such as:

· Use of anti-virus software to prevent, detect, and eradicate viruses

· Use of access controls to more carefully limit users

· Review of the security of other LANs before connecting

· Limiting of electronic mail to non-executable files

· Use of call-back systems for dial-in lines

·

Additionally, "Five common-sense tips for safer computing" are provided below:

· If the software allows it, apply write-protect tabs to all program disks before installing new software. If it does not, write protect the disks immediately after installation.

· Do not install software without knowing where it has been.

· Make executable files read-only. It won't prevent virus infections, but it can help contain those that attack executable files (e.g., files that end in ".exe" or ".com"). Designating executable files as read-only is easier and more effective on a network, where system managers control read/write access to files.

· Abolish "SneakerNet." Boot sector viruses are especially pernicious. The most common virus, "Stoned," travels in the boot sector of floppy disks, which are passed from user to user and PC to PC. If an infected floppy disk is left in the A: drive and the user turns on the PC, the virus will spread to the hard disk as quickly as the "non-system disk" error appears onscreen. Transferring data files via networks, E-mail, or direct modem connections will minimize the possibility of spreading boot sector viruses.

· Back-up files. The only way to be sure the files will be around tomorrow is to back them up today.