A communication network, including local and wide area networks and distributed processing architectures, enables the transfer of data among users, hosts, applications, and intermediate facilities. During transfer, data is particularly vulnerable to either unintentional or deliberate access or alteration.
Custodians of information should, in cooperation with the owners of the information, establish and maintain security controls to detect unauthorized attempts (successful or otherwise) to access or modify data via a communication network. Each agency having ownership responsibility for automated information should establish follow-up procedures to investigate such incidents once they are reported by the custodian.
STANDARD. Network resources participating in the access of confidential information shall assume the confidentiality level of that information for the duration of the session. Controls shall be implemented commensurate with the highest risk.
STANDARD. All network components under state control must be identifiable and restricted to their intended use.
GUIDELINES.
1. Terminals should be selected with a lock and key option so that access can be controlled by locking the terminal while it is unattended. This is particularly important at locations where access to the network during non-business hours is not tightly controlled.
2. All line junction points (cable and line facilities) should be located in secure areas or under lock and key.
3. Control units, concentrators, multiplexers and front-end processors should be protected from unauthorized physical access. The sophistication and extent of this control will depend on the sensitivity of the systems involved.
4. Procedures should be implemented which ensure that the state's access to data or information is not dependent on any individual. There should be more than one person with authorized access.
5. Techniques to verify that transmitted data arrives complete and unaltered include message counts, character counts, error detection and correction protocols, and dual transmissions.
6. Eliminating removable-media capability (e.g., diskette drives) from Local Area Network workstations reduces the vulnerability of LANs to unauthorized copying. This approach requires that workstations be equipped without diskette drives, and that all data and programs be stored on the network.
7. Some types of network protocol analyzers and test equipment are capable of monitoring (and some, of altering) data passed over the network. Use of such equipment should be tightly controlled, since it can emulate terminals, monitor and modify sensitive information, or contaminate both encrypted and unencrypted data.
State owned or leased network facilities and host systems are state assets. Their use should be restricted to authorized users and purposes. Where public users are authorized access to networks or host systems, these public users as a class must be clearly identifiable and restricted to only services approved for public functions. State employees who have not been assigned a user identification code and means of authenticating their identity to the system are not distinguishable from public users and should not be afforded broader access.
STANDARD. Owners of distributed information resources served by distributed networks shall prescribe sufficient controls to ensure that access to those resources is restricted to authorized users and uses only. These controls shall selectively limit services based on:
1. user identification and authentication (e.g., password, smart card/token) or,
2. designation of other users, including the public where authorized, as a class (e.g., public access through dial-up or public switched networks), for the duration of a session, or
3. physical access controls.
GUIDELINES.
1. For distributed processing systems and local area networks, authorization at network entry should be made on the basis of valid user identification code and authentication (e.g., password, smart card/token) and should be provided under the framework of network services and controlled by the network management program.
2. Network access should be controlled as close to the physical point of network entry as possible.
3. Connections between users on a network should be authorized by the host or the network node security manager program, as appropriate.
4. The designated manager of a host-independent network serves the dual role of owner of the network system and custodian of data under another's ownership while that data is being transported by the network.
5. The host security management program should maintain current user application activity authorizations through which each request must pass before a connection is made or a session is initiated.
6. All unauthorized attempts (successful or otherwise) to access or modify data through a communication network should be promptly investigated.
7. If unauthorized access or modification of data occurs, the agency should promptly review its existing security system, including its internal policies and procedures. Appropriate corrective actions should be planned for and established to minimize or eliminate the possibility of recurrence. Employees may need to be reminded of existing or revised procedures.
STANDARD. Network access to an application containing confidential or sensitive data, and data sharing between applications, shall be as authorized by the application owners and shall require authentication.
GUIDELINES.
1. The owner of applications containing non-critical or non-sensitive data should likewise establish criteria for access and user validation, particularly on systems authorized for public use.
2. Additional protection, such as might be applicable to especially sensitive data, is afforded by a two-person password procedure: each person's password authorizes either host access or application access, but not both. Neither person alone can gain combined host and application access.
State programs and supporting computer applications frequently undergo modifications that may affect an existing security system. To ensure that security issues are considered when changes do occur, system documentation should address the impact modifications may have on the existing security system. Agency security policies and procedures should ensure that the security system and its supporting documentation are periodically reviewed and, if need be, corrective action is planned for and implemented.
The agency's internal security policies and procedures should be reviewed as part of the agency's risk analysis process. Modifications should be made to accommodate changes in its network and communications technology.
Assurances that program operations are not interrupted or deterred are primary goals of a security system. To meet these objectives, each agency should establish security controls that enable prompt identification of computing or network problems. An effective security awareness program should detect security and performance abnormalities in the network, computing system, or output and notify the appropriate personnel.
An agency that is dependent on the services of a communication network in the performance of its mission critical functions could be severely affected by the unavailability of such services. Loss of a communication network may result in hours of unproductive time and in some cases the public's health, safety, or welfare may be endangered.
STANDARD. If the agency utilizes a communication network to process critical applications or functions, it shall, as part of its contingency plan, provide for an alternate means of accomplishing its program objectives in case the system or its communication network becomes unavailable. Alternative procedures shall be established that enable agency personnel to continue critical day-to-day governmental operations in spite of the loss of the communication network.
Risk analysis is a means of assessing the vulnerabilities associated with an agency's information assets, including its data, applications, and communication networks. To conduct a thorough analysis, the agency should develop an understanding of the relationship between its program operations and the automated information systems that provide information and technical support services. This understanding assists in making sufficient preparations for, and designing and implementing an appropriate security system. Additionally, the risk analysis process provides the basis for justifying expenditures for security equipment, software, personnel, and services.
The following paragraphs identify vulnerabilities or risks that are common to a great many automated systems that use a communication network. Each should be considered during the agency's risk analysis process. For additional information about risk analysis, refer to the applicable section within this publication.
An unauthorized user or intruder may attempt to gain access to a communication network. Frequently, entry is gained through a dial-up port on a communication network. Without knowledge of passwords or user identifications, unauthorized users or intruders often rely on techniques or devices intended to identify that information. Often, an intruder attempts to "crack" the system "just to see if it can be done." Whatever the motivation, once an intruder is successful, the individual has an opportunity to obtain, modify, destroy, or disclose information.
Agency management should establish a security system that manages passwords and eliminates or minimizes the likelihood that they will be compromised. Additionally, the security system should include network detection methods and controls that minimize or prevent intrusion. Otherwise, unauthorized users or intruders will be successful at gaining access.
Wiretapping can be accomplished with a modest knowledge of communication systems. Wiretapping devices can be installed and left unattended for a significant amount of time to record all the activity on a circuit. Unguarded cable or circuits are potential targets for wiretapping. If a circuit is tapped, the passwords, user identification code, or data that pass through it are easily recorded. The possibility then exists that passwords or user identification codes may be decrypted and used to intrude into the computing system.
Microwave technology is uniquely susceptible to passive intrusion. Information transmitted through a communication network may be routed through a microwave link either on the earth's surface or via satellite. Additionally, computers and video display terminals emit radio frequency signals that can be intercepted and recorded. The technology necessary to record or capture a radio frequency signal is inexpensive and does not necessitate a great deal of expertise.
Authentication is vital to the security of an automated information system that functions in a communication environment. Authentication techniques function to control access to the assets of a data processing system. They are employed to validate information or the identities of users, terminals, computers, and peripheral devices within a data processing system.
For example, passwords function as authentication mechanisms. Presumably, knowing the secret password authenticates the identity of a user and allows him or her access to a system. Unless authentication succeeds, the system withholds information.
Devices such as smart cards and smart tokens strengthen the authentication mechanism by requiring that a user possess the card/token, in addition to a password, before the user can be authenticated.
Message authentication is another validation mechanism. This technology enables users, devices, and processing functions to verify that received information is genuine.
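The following is an added example, not text or code from this standard, showing how message authentication and the message-count verification technique listed among the earlier guidelines work together: a keyed message authentication code (HMAC-SHA256, a modern choice substituted for whatever mechanism an agency would have used) is computed over a message count and the payload, so the receiver can tell a genuine message from one that was altered, truncated, or replayed out of sequence. All function names and the sample key are the example's own.

```python
# Added example: message authentication with a message count.
# Frame layout: count (4 bytes, big-endian) || payload || HMAC-SHA256 tag (32 bytes).
import hashlib
import hmac
import struct

TAG_LEN = 32


def protect(key: bytes, count: int, payload: bytes) -> bytes:
    """Build an authenticated frame for the `count`-th message.

    The tag covers the count as well as the payload, so neither field can be
    changed, and an old frame cannot be resent under a different count,
    without invalidating the tag.
    """
    header = struct.pack(">I", count)
    tag = hmac.new(key, header + payload, hashlib.sha256).digest()
    return header + payload + tag


def verify(key: bytes, expected_count: int, frame: bytes):
    """Return (ok, reason, payload) for a received frame.

    The frame is rejected if it is too short, if the tag does not verify, or
    if its count is not the one the receiver expects next.
    """
    if len(frame) < 4 + TAG_LEN:
        return False, "truncated", b""
    header, payload, tag = frame[:4], frame[4:-TAG_LEN], frame[-TAG_LEN:]
    calc = hmac.new(key, header + payload, hashlib.sha256).digest()
    if not hmac.compare_digest(calc, tag):  # constant-time comparison
        return False, "bad tag", b""
    count = struct.unpack(">I", header)[0]
    if count != expected_count:
        return False, "count mismatch", b""
    return True, "ok", payload


def demo() -> dict:
    """Constructed scenario: two genuine messages, one altered in transit,
    and one old frame resent (replayed). Returns the receiver's verdicts."""
    key = b"constructed-demo-key-32-bytes!!!"  # constructed sample key
    messages = [b"disburse 100", b"disburse 200"]
    frames = [protect(key, i, m) for i, m in enumerate(messages)]
    tampered = bytearray(frames[1])
    tampered[4] ^= 0x01  # flip one bit in the first payload byte
    return {
        "genuine": verify(key, 0, frames[0])[1],
        "tampered": verify(key, 1, bytes(tampered))[1],
        "replayed": verify(key, 1, frames[0])[1],  # message 0 resent as message 1
    }
```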
Refer to the applicable sections within this publication for additional information relative to data protection techniques such as passwords and message authentication.
Passwords are pre-stored combinations of characters used by the host computer to authenticate the identity of an individual. Based on the password, the computing system can restrict or grant specific privileges.
If password control is implemented, the computing system will require the user to enter a password when logging on to the system. The entry is then compared to the passwords held by the computing system. If the password is correct, the system will allow the user access. If the password has been compromised, the system will grant access to someone other than the authorized user. Passwords are effective only if they remain confidential or secret.
Refer to the applicable section within this publication for additional information about passwords.
The most cost-effective means of protecting the confidentiality of information against disclosure during transfer is through the use of a properly implemented and validated encryption methodology. Properly implemented, an encryption system virtually eliminates risks of disclosure of sensitive information at network nodes and facilities that are not under state control, such as the public switched network. Encryption also protects against undetected modification of data and thus enhances integrity as well as confidentiality. Depending on the value of information to an unauthorized recipient, interception or modification of unencrypted information must be recognized as a significant threat.
Security through encryption depends upon both of the following:
1. proper use of an approved encryption methodology, and
2. only the intended recipients holding the encryption key-variable (key) for that data set or transmission.
GUIDELINES.
1. In making the determination to use data and file encryption, the following risks should be reviewed for relevancy:
a. Personal injury or loss of life,
b. Loss of state funds,
c. Violation of individual expectations of privacy,
d. Violation of state or federal law,
e. Civil liability on the part of the state,
f. Compromise of state legal, investigative, regulatory, fiduciary, or educational efforts,
g. Loss of business opportunities for affected persons, and
h. Undue advantage to any person in state competitive business relations.
2. The need for encryption should be determined on the basis of risk analysis.
3. Interception of unencrypted information may not be readily detectable. It should be assumed that unencrypted information is available to any determined intruder.
4. Proprietary encryption algorithms do not conform to the DES (FIPS PUB 46-1) standard and therefore do not conform to these standards.
5. When encrypted data is transferred between agencies, the respective Information Resource Managers should devise a mutually agreeable procedure for secure key management. In the case of conflict, the data owner agency should establish the criteria.
6. Keys should be communicated separately from the encrypted information, preferably through different channels.
7. Passwords and dial-up terminal identifiers should be encrypted during transmission and in storage. They should be encrypted during session logon if the information to be exchanged requires encryption.
8. Encryption and decryption devices should be located as near the using devices (connected terminals and processors) as possible to minimize the need for other safeguards on the unencrypted segments of the link.
9. Sensitive or critical information should be stored in encrypted form if physical controls are not sufficient. Volumes or files where all sensitive information is encrypted may be controlled as though the information is not sensitive as long as encryption keys are appropriately controlled.
10. Security through encryption may be enhanced by requiring that two trusted individuals control the key; each having custody of half the key.
11. FIPS PUB 81 describes four different modes for using the DES algorithm.
12. Information concerning encryption devices that have been tested and validated by the National Institute of Science and Technology may be obtained from NIST, Gaithersburg, MD 20899.
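As an added example (not part of this standard), the following shows one way to implement the dual key custody described in guideline 10 above. Rather than handing each custodian literally half of the key bytes, which would reveal half the key to each person, it splits the key into two shares using a random component and XOR, so that neither share alone gives any information about the key and both custodians must be present to reconstruct it; this is a substituted technique, and the function names and sample key are the example's own.

```python
# Added example: two-custodian control of an encryption key via an XOR split.
# share1 is uniformly random; share2 = key XOR share1. Each share on its own is
# statistically independent of the key, so one custodian learns nothing from it.
import hashlib
import hmac
import os
from typing import Tuple


def split_key(key: bytes) -> Tuple[bytes, bytes]:
    """Split `key` into two equal-length shares, one per custodian."""
    share1 = os.urandom(len(key))
    share2 = bytes(k ^ s for k, s in zip(key, share1))
    return share1, share2


def reconstruct_key(share1: bytes, share2: bytes) -> bytes:
    """Recombine both custodians' shares; a single share is useless alone."""
    if len(share1) != len(share2):
        raise ValueError("shares must be the same length")
    return bytes(a ^ b for a, b in zip(share1, share2))


def key_check_value(key: bytes) -> str:
    """Short fingerprint (a hypothetical check value, not a standard one) that
    lets the custodians confirm a reconstructed key matches the key originally
    distributed, without exposing the key itself."""
    return hmac.new(key, b"key-check-value", hashlib.sha256).hexdigest()[:8]


def demo() -> bool:
    """Constructed scenario: split a sample key, then reconstruct and check it."""
    # Constructed sample key; a real key comes from an approved key generator.
    key = bytes.fromhex("0f1e2d3c4b5a69788796a5b4c3d2e1f0")
    kcv = key_check_value(key)          # recorded at distribution time
    share1, share2 = split_key(key)     # given to custodian A and custodian B
    # Neither share equals the key (up to negligible probability).
    assert share1 != key and share2 != key
    rebuilt = reconstruct_key(share1, share2)
    return rebuilt == key and key_check_value(rebuilt) == kcv
```

Guideline 6 still applies to each share: the two shares should travel by different channels, and the check value should be sent separately from both.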
Systems accessible from dial-up terminals are particularly vulnerable to unauthorized access since the call can be initiated from virtually any telephone instrument. Official users of dial-up facilities must be distinguishable from public users if they are to be given access rights greater than those given public users.
STANDARD. For services other than those authorized for the public, users of dial-up terminals shall be positively and uniquely identifiable and their identity authenticated (e.g., by password) to the systems being accessed.
GUIDELINES. For dial-up services other than those authorized for public use, the following should be considered:
1. Dial-up numbers should be unlisted and changed periodically.
2. At a minimum, dial-up facilities should be provided with either:
a. an automatic hang-up and call-back feature, with call-back to only pre-authorized numbers, or
b. authentication systems that employ smart card/token authentication.
3. A port protection device (PPD) connected to communications ports of a host computer is typically capable of providing:
a. authentication and access control decisions,
b. automatic hang-up and call-back to originator, and
c. attack signalling and event logging.
4. Security may be enhanced by instituting a two-person password procedure. One person's password gains access to the host and the other person's password gains access to the application. Under this procedure, neither acting alone can gain access to the application through dial-up.
5. A high level of dial-up security combines the call-back feature with both password authentication (an encryption key entered by the individual, or smart card/token authentication) and terminal identification (an encryption key embedded in the hardware), with all data exchanged online being encrypted.
GUIDELINES. For dial-up facilities authorized for public use:
1. Systems which allow public access to the host computer require strengthened security at the operating system and application levels to reduce the likelihood of public intrusion into non-public applications. Such systems also should have the capability to monitor activity levels to ensure that public usage does not unacceptably degrade system responsiveness for official functions.
2. Systems which identify public users on the basis of communications port usage provide only minimal security since they are highly vulnerable to mistakes through erroneous hardware connections.
STANDARD. Communication system identification screens shall include the following warning statements:
1. Unauthorized Use is Prohibited;
2. Usage May be Subject to Security Testing and Monitoring; and
3. Abuse is subject to criminal prosecution.
GUIDELINES.
1. The system identification screen should be implemented so that it cannot be bypassed by a user.
2. The system identification screen should remain on display for a sufficient amount of time for the message to be read.
3. If the communication system cannot display a system identification screen with an appropriate warning message, the message should be included on a printed label affixed to each video display terminal.