Friday, October 26, 2007

Security Principles to Know and Consider

This chapter will introduce the reader to several important principles concerning computer and information system security. These are important to understand when planning and implementing computer security frameworks and controls.

Achieve Cost-Effective Security

The dollars spent for security measures to control or contain losses should never be more than the projected dollar loss if something adverse happened to the information resource. Cost-effective security results when reduction in risk through implementation of safeguards is balanced with costs. The greater the value of information processed, or the more severe the consequences if something happens to it, the greater the need for control measures to protect it.

Maintain Integrity

Integrity of information means you can trust the data and the processes that manipulate it. Not only does this mean that errors and omissions are minimized, but also that the information system is protected from deliberate actions to wrongfully change the data. Information can be said to have integrity when it corresponds to the expectations and assumptions of the users.

Assure Confidentiality

Confidentiality of sensitive data is often a requirement of organizations' and individuals' computer systems. Privacy requirements for personal information are dictated by statute, while confidentiality of other information is determined by the nature of that information, e.g., information submitted by bidders in procurement actions. The impact of wrongful disclosure must be considered in understanding confidentiality requirements.

Recoverability

An important design consideration is the ability to easily recover from troublesome events, whether minor problems or major disruptions of the system. From a design point of view, systems should be designed to easily recover from minor problems, and to be either transportable to another backup computer system or replaced by manual processes in case of major disruption or loss of computer facility.

Access Decisions

Decisions must be made regarding access to the system and the information it contains. For example, many individuals require the ability to access and view data, but not the ability to change or delete data. Even when computer systems have been designed to provide the ability to narrowly designate access authorities, a knowledgeable and responsible official must actually make those access decisions. The care that is taken in this process is a major determining factor of the level of security and control present in the system. If sensitive data is being transmitted over unprotected lines, it can be intercepted or passive eavesdropping can occur. Encrypting the files will make the data unintelligible and port protection devices will protect the files from unauthorized access, if warranted.

Protecting Against Malicious Software and Hardware

The recent occurrences of destructive computer viruses point to the need to ensure that agencies do not allow unauthorized software to be introduced to their computer environments. Unauthorized hardware can also contain hidden vulnerabilities. Management should adopt a strong policy against unauthorized hardware/software, inform personnel about the risks and consequences of unauthorized additions to computer systems, and develop a monitoring process to detect violations of the policy.

Data Security

Management must ensure that appropriate security mechanisms are in place that allow responsible officials to designate access to data according to individual computer users' specific needs. Security mechanisms should be sufficient to implement individual authentication of system users, allow authorization to specific information and transaction authorities, maintain audit trails as specified by the responsible official, and encrypt sensitive files if required by user management.

The Concept Of Least Privilege

Least privilege is a basic tenet of computer security that means users should be given only those rights required to do their job. Malicious code runs in the security context of the user launching the code. The more privileges the user has, the more damage the code can do. Recommendations pertaining to the least privilege principle include:

  • Keep the number of administrative accounts to a minimum
  • Administrators should use a regular account as much as possible instead of logging in as administrator or root to perform routine activities such as reading mail
  • Set resource permissions properly. Tighten the permissions on tools that an attacker might use once he has gained a foothold on the system, e.g., explorer.exe, regedit.exe, poledit.exe, taskman.exe, at.exe, cacls.exe, cmd.exe, finger.exe, ftp.exe, nbstat.exe, net.exe, net1.exe, netsh.exe, rcp.exe, regedt32.exe, regini.exe, regsvr32.exe, rexec.exe, rsh.exe, runas.exe, runonce.exe, svrmgr.exe, sysedit.exe, telnet.exe, tftp.exe, tracert.exe, usrmgr.exe, wscript.exe, and xcopy.exe.
  • Unix tools or utilities that should be restricted are debuggers, compilers, and scripting languages such as gcc, perl, etc.
  • The least privilege concept also applies to server applications. Where possible, run services and applications under a non-privileged account.
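The "tighten the permissions" recommendation above is something an administrator can verify rather than assume. The following Python script is an added example (not part of the original post) that audits a list of tool paths and reports any that are executable or writable by every local account, or that carry setuid/setgid bits. The tool names in the demo are constructed stand-ins created in a temporary directory; on a real host you would pass the actual paths of the compilers, interpreters and network utilities named in the list.

```python
import os
import stat
import tempfile


def risky_mode(mode: int) -> list:
    """Return the reasons a file's permission bits violate the tighten-permissions rule.

    The rule applied here (an assumption for this example): a restricted tool must not be
    executable or writable by 'other', and must not be setuid/setgid.
    """
    reasons = []
    if mode & stat.S_IXOTH:
        reasons.append("executable by every user (o+x)")
    if mode & stat.S_IWOTH:
        reasons.append("writable by every user (o+w)")
    if mode & stat.S_ISUID:
        reasons.append("setuid bit set")
    if mode & stat.S_ISGID:
        reasons.append("setgid bit set")
    return reasons


def audit_tools(paths):
    """Map each existing path to its list of findings; an empty list means compliant."""
    findings = {}
    for p in paths:
        try:
            st = os.lstat(p)  # lstat: report on the entry itself, not a symlink target
        except FileNotFoundError:
            continue  # tool not installed on this host; nothing to tighten
        findings[p] = risky_mode(st.st_mode)
    return findings


def demo():
    """Build two constructed 'tools' with loose and tightened modes and audit them."""
    with tempfile.TemporaryDirectory() as d:
        loose = os.path.join(d, "gcc")    # constructed: mode 0755, world-executable
        tight = os.path.join(d, "perl")   # constructed: mode 0750, owner and group only
        for p in (loose, tight):
            with open(p, "w") as f:
                f.write("#!/bin/sh\n")
        os.chmod(loose, 0o755)
        os.chmod(tight, 0o750)
        missing = os.path.join(d, "tftp")  # constructed: not installed
        result = audit_tools([loose, tight, missing])
        # key by basename so the temporary directory name does not leak into the report
        return {os.path.basename(p): r for p, r in result.items()}


if __name__ == "__main__":
    for name, reasons in demo().items():
        print(name, "OK" if not reasons else "; ".join(reasons))
```

Run it periodically (for example from a scheduled job) against the real tool paths and treat any non-empty finding as drift from the baseline the administrator set.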

Monitoring and Review

Another aspect of information resource protection to be considered is the need for ongoing management monitoring and review. To be effective, a security program must be a continuous effort. Ideally, ongoing processes should be adapted to include information protection checkpoints and reviews. Information resource protection should be a key consideration in all major computer system initiatives.

Personnel Management

Managers must be aware that information security is more a people issue than a technical issue. Personnel are a vital link in the protection of information resources, as information is gathered by people, entered into information resource systems by people, and ultimately used by people. Security issues should be addressed with regard to:

  • People who use computer systems and store information in the course of their normal job responsibilities;

  • People who design, program, test, and implement critical or sensitive systems; and

  • People who operate computer facilities that process critical or sensitive data

Personnel Security

From the point of hire, individuals who will have routine access to sensitive information resources should be subject to special security procedures. More extensive background or reference checks may be appropriate for such positions, and security responsibilities should be explicitly covered in employee orientations. Position descriptions and performance evaluations should also explicitly reference unusual responsibilities affecting the security of information resources.

Individuals in sensitive positions should be subject to job rotation, and work flow should be designed in such a way as to provide as much separation of sensitive functions as possible. Upon decision to terminate or notice of resignation, expedited termination or rotation to less sensitive duties for the remainder of employment is a reasonable precaution.

Training

Most information resource security problems involve people. Problems can usually be identified in their earliest stages by people who are attuned to the importance of information protection issues. A strong training program will yield large benefits in prevention and early detection of problems and losses. To be most effective, training should be tailored to the particular audience being addressed, e.g., executives and policy makers; program and functional managers; IRM security and audit; ADP management and operations; end users.

Most employees want to do the right thing, once policy and expectations are clearly communicated. Internal policies can be enforced when staff have been made aware of their individual responsibilities. All people who access an organization's computer systems should be aware of their responsibilities, as well as obligations. Disciplinary actions and legal penalties should be communicated.

Security Attributes

There are some common security attributes that should be present in any system that processes valuable personal or sensitive information. System designs should include mechanisms to enforce the following security attributes.

Identification and Authentication of Users - Each user of a computer system should have a unique identification on the system, such as an account number or other user identification code. There must also be a means of verifying that the individual claiming that identity (e.g., by typing in that identifying code at a terminal) is really the authorized individual and not an imposter. The most common means of authentication is by a secret password, known only to the authorized user.

Authorization Capability Enforcing the Principle of Least Possible Privilege - Beyond ensuring that only authorized individuals can access the system, it is also necessary to limit users' access to information and transaction capabilities. Each person should be limited to only the information and transaction authority that is required by their job responsibilities. This concept, known as the principle of least possible privilege, is a long-standing control practice. There should be a way to easily assign each user just the specific access authorities needed.
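The authorization capability described here, and the earlier "view but not change or delete" access decision, can be implemented as a deny-by-default table of grants. The following Python class is an added example (not code from the original post): every check that is not explicitly granted fails, every decision is logged for accountability, and a helper compares what a user holds against what the job actually requires so that excess authority can be found and revoked. The user ids, resource name and operations are constructed for the example.

```python
from collections import defaultdict


class AccessControl:
    """Deny-by-default authorization table: user -> resource -> set of operations."""

    OPERATIONS = frozenset({"view", "change", "delete"})

    def __init__(self):
        self._grants = defaultdict(lambda: defaultdict(set))
        self.decisions = []  # (user, resource, operation, allowed) for the audit trail

    def grant(self, user, resource, *operations):
        """Assign only the named operations; nothing is implied by another grant."""
        for op in operations:
            if op not in self.OPERATIONS:
                raise ValueError(f"unknown operation {op!r}")
            self._grants[user][resource].add(op)

    def revoke(self, user, resource, *operations):
        """Remove specific operations, or the whole grant on the resource if none are named."""
        if not operations:
            self._grants[user].pop(resource, None)
            return
        self._grants[user][resource].difference_update(operations)

    def is_permitted(self, user, resource, operation) -> bool:
        """Unknown users, unknown resources and ungranted operations are all denied."""
        allowed = operation in self._grants.get(user, {}).get(resource, set())
        self.decisions.append((user, resource, operation, allowed))
        return allowed

    def privileges_of(self, user):
        return {res: sorted(ops) for res, ops in self._grants.get(user, {}).items() if ops}

    def excess_privileges(self, user, required):
        """Operations held beyond what the job needs; `required` maps resource -> set of ops."""
        excess = {}
        for res, ops in self._grants.get(user, {}).items():
            extra = ops - required.get(res, set())
            if extra:
                excess[res] = sorted(extra)
        return excess


def build_demo():
    """Constructed scenario: a clerk may only view payroll; an officer was over-granted."""
    ac = AccessControl()
    ac.grant("clerk-1", "payroll", "view")
    ac.grant("officer-7", "payroll", "view", "change")  # 'change' exceeds the job below
    return ac


if __name__ == "__main__":
    ac = build_demo()
    print(ac.is_permitted("clerk-1", "payroll", "view"))      # True
    print(ac.is_permitted("clerk-1", "payroll", "delete"))    # False
    print(ac.excess_privileges("officer-7", {"payroll": {"view"}}))
```

The responsible official still makes the access decision; the table only makes that decision explicit, narrow and reviewable.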

Individual Accountability - From both a control and legal point of view, it is necessary to maintain records of the activities performed by each computer user. The requirements for automated audit trails should be developed when a system is designed. The information to be recorded depends on what is significant about each particular system. To be able to hold individuals accountable for their actions, there must be a positive means of uniquely identifying each computer user and a routinely maintained record of each user's activities.

Audit Mechanisms - Audit mechanisms detect unusual events and bring them to the attention of management. This commonly occurs by violation reporting or by an immediate warning to the computer system operator. The type of alarm generated depends on the seriousness of the event.

A common technique to detect access attempts by unauthorized individuals is to count attempts. The security monitoring functions of the system can automatically keep track of unsuccessful attempts to gain access and generate an alarm if the attempts reach an unacceptable number.
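The three attributes just described (unique identification with password authentication, a routinely maintained record of each user's activity, and an alarm when failed attempts reach an unacceptable number) fit naturally into one small service. The Python below is an added example, not code from the original post. It stores a salted PBKDF2 hash rather than the password, writes an audit record for every attempt, counts consecutive failures per user id, and raises an alarm at a constructed threshold of three; the user id and passwords in the demo are constructed values.

```python
import hashlib
import hmac
import os
from datetime import datetime, timezone

MAX_FAILED_ATTEMPTS = 3  # constructed threshold for this example


def _hash_password(password: str, salt: bytes) -> bytes:
    # Slow, salted hash so a stolen table does not reveal the secret passwords.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


class AuthenticationService:
    def __init__(self, max_failed: int = MAX_FAILED_ATTEMPTS, clock=None):
        self._users = {}          # user id -> (salt, password hash)
        self._failed = {}         # user id -> consecutive failed attempts
        self.audit_trail = []     # one record per attempt: who, when, what, outcome
        self.alarms = []          # messages for the operator / violation report
        self.max_failed = max_failed
        self._clock = clock or (lambda: datetime.now(timezone.utc))

    def register(self, user_id: str, password: str) -> None:
        """Each user gets a unique id; re-using one would break accountability."""
        if user_id in self._users:
            raise ValueError(f"user id {user_id!r} already exists")
        salt = os.urandom(16)
        self._users[user_id] = (salt, _hash_password(password, salt))

    def _record(self, user_id: str, event: str, outcome: str) -> None:
        self.audit_trail.append({
            "time": self._clock().isoformat(),
            "user": user_id,
            "event": event,
            "outcome": outcome,
        })

    def failed_count(self, user_id: str) -> int:
        return self._failed.get(user_id, 0)

    def login(self, user_id: str, password: str) -> bool:
        """Verify the claimed identity; log the attempt; alarm on repeated failure."""
        rec = self._users.get(user_id)
        if rec is None:
            # Unknown id: do the same amount of work so timing does not reveal valid ids,
            # and still count the attempt so probing shows up in the trail.
            _hash_password(password, b"\x00" * 16)
            ok = False
        else:
            salt, stored = rec
            ok = hmac.compare_digest(stored, _hash_password(password, salt))
        if ok:
            self._failed.pop(user_id, None)   # a good login resets the counter
            self._record(user_id, "login", "success")
            return True
        n = self.failed_count(user_id) + 1
        self._failed[user_id] = n
        self._record(user_id, "login", f"failure #{n}")
        if n >= self.max_failed:
            self.alarms.append(f"{n} consecutive failed logins for user {user_id!r}")
        return False


if __name__ == "__main__":
    svc = AuthenticationService()
    svc.register("u100", "correct horse battery")   # constructed credential
    for attempt in ("wrong", "wrong", "wrong", "correct horse battery"):
        print(svc.login("u100", attempt))
    print(svc.alarms)
    for entry in svc.audit_trail:
        print(entry)
```

What gets logged and where the threshold sits is a design decision for each system, as the text says; the structure (identify, verify, record, count, alarm) stays the same.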

1 comment:

Natalia said...

eSignature
I find this article very interesting. So many principles associated with computer and information technology is being explained in detail. I appreciate you for sharing this article.