Computers & Security, 10 (1991) 199-203

How to Begin Dealing with Computer Security

Belden Menkus
P.O. Box 129, Hillsboro, TN 37342, U.S.A.

1. Introduction

When first given the responsibility for computer security within an organization, a person may feel intimidated. Moreover, these feelings are reinforced if the technologists appear disdainful and overbearing or the data processing staff members demonstrate a reluctance to allow what they see as outsiders to be involved in any aspect of what they do.

Although a person with new responsibilities in this area may have incomplete knowledge, the beginning of efforts to deal with significant computer security issues need not wait until that person is a superior technologist. Of course, one who has this responsibility will need eventually to acquire a thorough grounding in the operation of access control software, data encryption, computer fraud detection and prevention, and computer systems controls¹. However, less complicated things can be done to improve the security of both an organization’s central data processing facilities and its numerous microcomputers.

© 1991, Belden Menkus. All rights reserved.

2. Limitations To Be Resolved

It is not always feasible to do some of the things that improve the security of a central computing site before it is occupied by the data processing equipment and the people who work with it. There may be obstacles to effecting improvements beforehand if the facility is operating in leased space or the organization has entered into a so-called outsourcing arrangement.

Outsourcing involves, in effect, the sale of an organization’s computing hardware and software, as well as its data processing staff, to a third party specialist organization that, in turn, will sell various computing services back to the original owner. Some provisions in contracts for such arrangements may limit the organization’s efforts to assure that its information resources are protected adequately. The information systems auditor and the person responsible for computer security should join the organization’s legal counsel to remove any such limitations from the outsourcing contract.

Where an organization elects to maintain a central data processing site in leased space, other types of restrictions may prevail. For instance, the terms of the lease contract may prohibit permanent alterations in the nature and location of such things as plumbing lines, heating and air conditioning conduits, fire walls, and the electrical service for the space. (If the contract does not preclude such changes, it may require that the site be returned to its original condition when the occupancy ends.) Also, the essential semi-public nature of the leased space occupied by the data processing facility may make it difficult to control access to the area effectively. For instance, maintenance, cleaning and security forces working for the building’s management, and not under the organization’s direct control, may require almost unlimited access to the space being used for computing. (In many instances, all three of these groups may be working under separate contracts with the building’s management.) Here, too, the lease contract may need to be modified.

0167-4048/91/$3.50 © 1991, Elsevier Science Publishers Ltd.

3. Where To Begin

A thorough review of the physical security aspects of a data processing site is a good place to start. (The organization’s information systems auditor can help with this examination. This person already may be familiar with a number of security problems that need prompt resolution.) This review should include a careful study of the work practices of those who are employed in the data processing facility. This review should not be limited to just the standard work day, but should encompass all of the time in which the facility is active.

While this review is being completed there are a number of initiatives to consider. At least three of them involve:

(1) Tightening the controls over trash collection and removal within the building generally, particularly on those floors in which microcomputers are in use. (This action should be accompanied by extending the organization’s regular fixed asset accounting system to encompass microcomputers and the printers and other equipment used with them.) At a minimum this effort should include inventorying these units and marking them distinctively with unique serial number identification tags as the organization’s property. In many organizations literally thousands of these units exist without having been subjected to conventional asset controls. An aggregate investment of millions of dollars often is at risk².

The reason for these actions is that a preferred method for stealing these devices, or the printers and equipment used with them, is based on manipulating the building’s trash collection and removal process. The microcomputer or other unit is wrapped in a large plastic trash bag and placed in the bottom of a trash container. Regular trash is put over the wrapped parcel and the container is removed in the ordinary way from the building. Most security officers will not examine the contents of all trash containers routinely before they are removed.

(2) Restricting access to postage meters, facsimile devices, copiers, mail chutes and similar equipment at night and on weekends and holidays. Some business spies, masquerading as legitimate building cleaners or messengers, routinely copy microcomputer diskettes containing sensitive, confidential or proprietary data and mail them to their principals using the mailing facilities of the organization whose information security is being compromised. In some instances, these people will copy such files and even transmit them by facsimile. In connection with this, the existing controls over the routine identification and circulation of building cleaners, messengers and others should be reviewed. Most security officers, and other employees, will not challenge such people routinely to identify themselves or keep them under surveillance while they are on the premises.

(3) Insisting, in areas that are prone to possible earthquake damage, that the casters on computing devices, including those used for data storage, document printing and the like, be removed or chocked routinely. There were numerous reports after the 1989 San Francisco earthquake of unchecked devices rolling across the floor of data processing facilities and crashing through their walls.

Computers and Security, Vol. 10, No. 3

4. Limiting Accessibility

The space occupied by the data processing activity can be made into a limited access area. This space should be made as inconspicuous as possible. Door and direction signs (including those on the directories in the building’s lobby and on the appropriate floors) that identify this site should be removed. Any identification of the space’s location in the building also should be removed from the organization’s telephone directory. Receptionists should be advised not to direct casual enquirers to data processing locations.

In addition, any existing controls over access to data processing space should be improved. For instance, the physical security review mentioned earlier should determine whether maintenance people, vendor representatives and others routinely are allowed to enter the area and to circulate within it without being under the continual direct observation of a computer facility employee. This review also should verify that the integrity of the mechanism that controls access to the area is not being compromised. For example, workers in some computer facilities circumvent the locking mechanism by covering the strike in it with an adhesive tape such as duct tape or masking tape. (Their purported reason for this practice is that doing so makes it easier for them to come and go from the area!)

5. Air Conditioning And Plumbing

The normal operation of mainframe and mini computer hardware generates a significant amount of heat, though not as much in terms of the equipment mass involved as was true even 10 years ago. A buildup of heat eventually can damage the equipment itself and the plastic based magnetic media that it uses to store data. Eliminating this heat buildup necessitates the installation of an air conditioning system that operates the year round and encompasses the entire space in which computing is done. (Usually this system shares its air distribution conduiting with the building heating system.) The natural fire breaks provided where the building’s flooring meets its exterior walls must be breached to accommodate any air distribution system. Should a fire occur, the path that has been provided for efficient air circulation tends to expedite the spread of the conflagration. This exposure in the space occupied by the organization’s data processing activities can be reduced by using a suitable alternative substitute for conventional fire walls whose installation does not impede materially the normal operation of the building’s air conditioning and heating system.

The installation of an effective air conditioning and heating system in the data processing area exposes the computing equipment to potential serious damage from possible rupture of service lines. Should this occur, water and ethylene glycol refrigerants may flood the computing area and severely damage both the equipment and the magnetic media.

Additional exposure to possible water damage may stem from a rupture of any sanitary water lines that pass through the floor, ceiling or walls of the area occupied by the computing facility. A further exposure to water damage may result from a possible malfunction of a sprinkler fire extinguishing system that may have been installed in this space. These systems increasingly will become an issue in computer facility fire protection during the balance of this decade. Local fire code authorities can be expected to insist upon their installation in such sites as the use of Halon 1301 for fire suppression in computer facilities and similar sensitive occupancies is eliminated under legal mandate.

Water sprinkler fire extinguishing systems initially were developed for installation in so-called high-piled warehousing space, and are more appropriate, in most instances, for use in such an environment than in one occupied by the operation of complex electronic equipment. Most water sprinkler fire extinguishing systems are not as free from operational failure as the industrial groups that encourage the use of such equipment would have one believe. Admittedly, in most instances, the presence of such a system is preferable to having no fire protection system of any sort installed. However, that fact does not eliminate the need to be concerned about possible damage that may result from the malfunction of such a system.

Leaks in water sprinkler fire extinguishing systems can stem from such things as environmental damage or the deterioration of the lines and nozzles from the accumulation of naturally occurring chemical salts in the water used in the system. Conventional approaches to supervising the operation of such a system typically will not identify this sort of damage or deterioration until the sprinkler system itself malfunctions and significant flooding already has begun. The system that monitors the building’s security and physical environment should be extended to include the ethylene glycol supplies and the various water lines. In addition, the physical security review mentioned earlier should assure that the under floor space in the computing facility has adequate drainage. And the services of a professional building damage cleaner should be engaged on an on-call basis.

6. Microcomputers

Introducing highly powerful and relatively compact microcomputers (and the printers, modems and other devices associated with their use) into most organizations has created a separate set of computer security concerns. As suggested earlier, these devices easily are stolen and should be subjected to conventional fixed asset controls. In addition, to avoid making it easy to remove them without authorization, these devices should not be placed in so-called open office working environments, which effectively have no inherent limits upon the circulation of individuals within them. (In some instances, employees may steal circuit boards and other microcomputer components for use in their own devices.) Requiring that the doors to offices in which microcomputers are used are locked routinely whenever they are unoccupied, even during the lunch hour or overnight and on weekends, can reduce the possibility of theft. Bolting and locking this equipment onto the work surfaces on which it normally is used can reduce this possibility further. (A number of locking devices designed for securing microcomputers and the devices used with them are available.)³

Most microcomputers will be used in ordinary office space that has not been conditioned for their use. To compensate for one aspect of this, additional electrical power supply protection may be called for since microcomputers are more susceptible to fluctuations in the quality of that supply than data entry terminals or most conventional pieces of office equipment are. Routine installation of surge suppressors and constant voltage regulators between microcomputers and their electrical power outlets can help prevent damage to microcomputers, programs, and data. And, in some instances it may be advisable also to install a small uninterruptible electrical power supply or UPS. Similar in function to the reserve power supplies widely used in some central data processing sites, this smaller size UPS also can eliminate the effect of fluctuations in the power supply and provide a short-term power reserve whenever the regular building supply is interrupted.

Another problem associated with introducing microcomputers and the equipment related to their use into office space stems from the common inadequacy of the fire protection provided in such an environment. The furnishings in most offices include numerous highly flammable and toxic substances. And, individual offices rarely are equipped with either smoke or combustion detectors or even water sprinkler fire extinguishing systems. However, most of the microcomputer fires reported thus far have been limited to the interior of the unit and have not spread to the surrounding work area. Installation of a portable CO₂ or dry chemical fire extinguisher in the area in which the microcomputer routinely is used can help address these problems. Employees who are expected to use fire extinguishers should be trained to operate them. They should become acquainted with the loud noise of activation so that they will not be frightened by it when they are called upon to act in an emergency. They should demonstrate their ability to extinguish an actual fire effectively.

7. Other Concerns

Fire in a central data processing site poses a number of special detection and suppression problems, which have been discussed in detail elsewhere⁴. Exposure associated with these problems can be reduced by certain changes in furnishing this site. (These remedies also can be applied in offices in which microcomputers are used.) Among these are the replacement of existing wall and floor coverings with flame resistant finishes; the installation of ceiling tiles and ductwork that has been certified as having flame spread, fuel contribution and smoke development ratings of not more than 25; the addition of glass diffusers (or plastic ones with a flame spread rating of 25 or less) on individual lighting fixtures; and the installation of fluorescent light fixture ballasts that do not melt when overloaded and that do not drip hot plastic when they fail.

Even after accomplishing all of these improvements in the organization’s efforts to protect its computing resources, the person responsible for an organization’s computer security still will have much more to do in preparing to handle the impact of computer related disasters and to deal with all of the other information security issues referred to at the beginning of this discussion. But, a good beginning will have been made in getting the organization’s computer security under control.

Notes

¹ For a comprehensive introduction to information systems controls see: Control Objectives: Controls In A Computer Environment: Objectives, Guidelines, and Audit Procedures. Belden Menkus and Zella G. Ruthberg, editors. April 1990. The EDP Auditors Foundation, P.O. Box 88180, Carol Stream, IL 60188-0180, U.S.A. Cost $49.95; payment in U.S. funds.

² The growing use of small, comparatively expensive, highly portable, and easily stolen and resold so-called laptop microcomputers will intensify the problem of preventing the theft of this type of equipment. Both the exposure and the difficulty associated with theft prevention are comparable to that long associated with portable audio-visual and other portable electronic equipment. Once they have been marked physically as a unit of the organization’s property there appears to be no other effective way to secure laptop microcomputers against theft. The London Sunday Times reported on 6 January that a laptop microcomputer apparently containing extremely sensitive Middle East military data had been stolen some time earlier from a vehicle being used by a senior British Royal Air Force staff officer.

³ A number of things, such as maintaining cleanliness and avoiding the accumulation of undischarged static electricity in the areas in which microcomputers are used, affect the reliability of their operation and, ultimately, the security of the data that they process. However, in most organizations the resolution of these matters will lie beyond the authority of the person responsible for computer security.

⁴ See It’s Time To Rethink Data Processing Fire Protection and Computer-Related Fire Problems Revisited, both by Belden Menkus in Computers & Security in August and November 1989, respectively. Together these constitute a monograph on the subject.