Systems Security Basics 3
COMPUTER SECURITY MAKES GOOD SENSE
...........................................................................................................................................
TELEPROCESSING NETWORK SECURITY
APPLICATIONS OF CONNECTIVITY
COMMAND AND CONTROL SYSTEMS
PERSONNEL RECORDS SYSTEMS
LOGISTICAL MANAGEMENT SYSTEMS
OFFICE AUTOMATION
DISTRIBUTION/TRANSPORTATION MANAGEMENT SYSTEMS
TELECOMMUTING
FINANCIAL TRANSACTIONS SYSTEMS
PERSONAL INFORMATION SERVICES
VIDEOTEXT
TELECONFERENCING
GOALS
PREVENT, MINIMIZE, DETECT AND RECOVER FROM INTENTIONAL OR
ACCIDENTAL ALTERATION, DISCLOSURE, DESTRUCTION OR DELAY OF
INFORMATION IN A TELEPROCESSING NETWORK
PROTECT HARDWARE AND TRANSMISSION MEDIA (WIRE, FIBER, RF)
TELEPROCESSING NETWORK SECURITY
VULNERABILITIES
REMOTE SITE PROCESSING
LACK OF EXPERTISE
LACK OF DOCUMENTATION
LACK OF CONTROLS
LACK OF CONCERN
NO ONE RESPONSIBLE
COMMUNICATION LINES, SWITCHING CENTERS AND EQUIPMENT
LACK OF PHYSICAL CONTROL
WIRE TAP PROBLEMS
COPPER WIRE TRANSMISSION
SATELLITE FOOTPRINT AREA
MICROWAVE RADIATION PATTERNS
RADIO
OPTICAL FIBERS
NOISE (UNDESIRED RECEPTION)
EMP
EMI
TELEPROCESSING NETWORK SECURITY
VULNERABILITIES
COMPROMISING EMANATIONS
SOURCES OF EMANATIONS
I/O DEVICES AND PROCESSORS
COMMUNICATIONS LINES
PROPAGATORS
TELEPHONE WIRES
AIR CONDITIONING DUCTS
WATER PIPES
POWER LINES
CONCRETE REINFORCEMENT RODS
NETWORK CONTROL ISSUES
SPECIALIZED EQUIPMENT
MANY DIFFERENT VENDORS
ALTERNATIVE OR UNKNOWN ROUTING PATHS ON COMMERCIAL
CHANNELS
TELEPROCESSING NETWORK SECURITY
VULNERABILITIES
DESIGN AND PERFORMANCE FACTORS
AVAILABILITY
RELIABILITY
ACCESS CONTROL
AUTHENTICATION
ACCOUNTABILITY
ACCURACY
MESSAGE INTEGRITY
MISROUTING
CAPACITY
DELAY
BACKUP
COST
NO ONE RESPONSIBLE FOR A "TOTAL" SYSTEM
TELEPROCESSING NETWORK SECURITY
SAFEGUARDS
REMOTE PROCESSING CONTROLS
DEVELOP POLICIES FOR TERMINAL USE
RESTRICT USER PERMISSIONS
PROVIDE ADEQUATE PHYSICAL SECURITY AT REMOTE SITES
ASSURE USERS KNOW THE REMOTE RULES
MANDATE LOG-ON ID AND PW
PERFORM PHYSICAL SECURITY CHECKS (EXAMPLE: TRASH)
SUPPRESS PRINTING/DISPLAY OF ID/PW
CONSIDER REMOTE ACCESS CONTROLS
USER FRIENDLY TO MINIMIZE DATA ENTRY ERRORS
PHYSICAL LOCKS ON REMOTE DEVICES
CENTRAL SITE AUDIT OF REMOTE TERMINALS
ASSIGN SECURITY OFFICERS AT REMOTE SITES
RESTRICT ACCESS AT TERMINAL TO SELECT ID/PW
RESTRICT TERMINALS TO PARTICULAR TRANSACTIONS
RANDOMLY TIMED DAILY AUDIT AND REVIEW
ADEQUATE CONTINGENCY PLANS
PERIODIC TESTS OF CONTINGENCY PLANS
TELEPROCESSING NETWORK SECURITY
SAFEGUARDS
ENCRYPTION REQUIREMENTS
DATA ENCRYPTION STANDARD
PUBLIC KEY - PRIVATE KEY ALGORITHM
ALGORITHMIC TRANSFORMATIONS
OTHER MEANS
ENCRYPTION METHODOLOGIES APPLIED:
END-TO-END
LINK-TO-LINK
EMANATION SECURITY (FIPS PUB #39)
TEMPEST
EVALUATING THE NEED FOR TEMPEST
SHIELDING
FILTERS
LOW LEVEL SIGNALING
APPLY PHYSICAL, PERSONNEL AND ADMINISTRATIVE SAFEGUARDS
TELEPROCESSING NETWORK SECURITY MANAGEMENT
DESIGN
A COMMUNICATIONS CHANNEL MODEL
PHYSICAL CONSTRAINTS
ATTENUATION - REDUCES STRENGTH OF RECEIVED SIGNALS
DISTORTION - CHANGES SHAPE OF RECEIVED SIGNALS
NOISE - DISTORTS SHAPE OF RECEIVED SIGNALS
CHANNEL CAPACITY - LIMITS TRANSMITTED INFO OVER TIME
DELAY - REDUCES SPEED AT WHICH DATA IS PROCESSED
DESIGN CONSIDERATIONS
INFO REQUIREMENTS
WHAT KIND OF INFO IS REQUIRED
HOW SENSITIVE OR CRITICAL IS THE INFO
CLASSIFIED
WHAT ARE THE DATA INTEGRITY REQUIREMENTS
INFO TRANSMISSION RATE
TELEPROCESSING NETWORK SECURITY MANAGEMENT
DESIGN
INFORMATION FLOW
SIMULTANEOUS TRANSMISSION
SINGLE DIRECTION AT ANY ONE TIME
ONE WAY ONLY
CENTRALIZED VERSUS DISTRIBUTED
DETAILED REPORTS VERSUS EXCEPTION ONLY
ANALOG VERSUS DIGITAL
MODULATION CONCEPTS
AMPLITUDE
FREQUENCY
PHASE
CHANNEL CAPACITY
LINE CONDITIONING
BANDWIDTH
DATA TRANSMISSION RATES
TELEPROCESSING NETWORK SECURITY MANAGEMENT
DESIGN
CHANNEL CONFIGURATION
FULL-DUPLEX
HALF-DUPLEX
SIMPLEX
LINK CONFIGURATION
DIAL-UP
POINT-TO-POINT
MULTIPOINT
LOOP
MODE OF OPERATION
ASYNCHRONOUS
SYNCHRONOUS
MESSAGE FORMATS
CHARACTER, PACKET, MESSAGE
TELEPROCESSING NETWORK SECURITY MANAGEMENT
DESIGN
CHARACTER CODING SCHEMES
ASCII 7+1
EBCDIC 8 NO PARITY
BCD 6 NO PARITY
FIELD DATA 6+1 CONTROL+I
BAUDOT 5 NO PARITY
TYPES OF MESSAGE TRAFFIC
INTERACTIVE
QUERY/RESPONSE
RECORD COMMUNICATION
BULK TRANSFER
OTHER
TELEPROCESSING NETWORK SECURITY MANAGEMENT
DESIGN
NETWORK PROTOCOL
NETWORK LOG-ON/LOG-OFF PROCEDURES
MESSAGE ROUTING INDICATORS
MESSAGE START STOP INDICATORS
MESSAGE ACCOUNTABILITY
TRANSACTION LOGS
JOURNAL LOGS
AUTHENTICATION OF USERS
CHANNEL STATUS REPORTED
MESSAGE PRIORITY
ERROR HANDLING PROCEDURES
COMMUNICATIONS EQUIP MAINTENANCE PROCEDURES
SIGNALING SCHEMES
ALTERNATE ROUTING AND BACKUP CIRCUITS
TELEPROCESSING NETWORK SECURITY MANAGEMENT
DESIGN
TELEPROCESSING NETWORK COMPONENT DESCRIPTION
TERMINAL
TERMINAL CONTROL EQUIPMENT
INTERFACE EQUIPMENT
MODEM
DATA CONCENTRATOR
MULTIPLEXER
REPEATER
SWITCHING CENTER
TELECOMMUNICATIONS PROCESSOR
CENTRAL PROCESSORS
CLASSIFICATION OF TP NETWORKS
CENTRALIZED PROCESSING
DISTRIBUTED PROCESSING
HIERARCHICAL
TELEPROCESSING NETWORK SECURITY MANAGEMENT
NETWORK SECURITY MANAGEMENT
AUTHORITY AND RESPONSIBILITY
CSSO, NSO, TASO INTERACTION AND RESPONSIBILITY
ACCESS CONTROL AND PROCESSING PRIORITIES
STANDARD OPERATING PROCEDURES MUST INCLUDE:
MONITORING AND SURVEILLANCE
MAINTENANCE PROCEDURES
PHYSICAL SECURITY
CONTROL NETWORK DOCUMENTATION
CONTROL NETWORK CONFIGURATION CHANGES
SECURITY AWARENESS TRAINING
BACKUP PLANS
BALANCE SECURITY ACROSS THE NETWORK
TELEPROCESSING NETWORK SECURITY MANAGEMENT
TELEPROCESSING SECURITY EVALUATION
IDENTIFY SYSTEM VULNERABILITIES
DETERMINE LIKELIHOOD OF THREAT EXPLOITATION
ASSESS COST-BENEFICIAL SAFEGUARDS
IMPLEMENT SECURITY (IF MANAGEMENT SAYS NO -- TOO EXPENSIVE -- THEY ASSUME THE RISK)
IDENTIFICATION/AUTHENTICATION OF USERS
SOMETHING KNOWN
DIALOGUE
ENCRYPTION/DECRYPTION KEY
TRANSFORMATION (MATH ALGORITHM)
PASSWORDS
4-10 ALPHANUMERIC CHARACTERS
AVOID GUESSABLE PATTERNS
AVOID ALL SPECIAL CHARACTERS
AVOID COMMON NAMES
AVOID TRITE PHRASES
PERIODIC CHANGE
ONE TIME PASSWORDS
USER OR SYSTEM GENERATED
RANDOM
SPARE SET
TREAT AS CONFIDENTIAL
INITIAL DISTRIBUTION
STORE ENCRYPTED
USE AT EACH ENTRY
IDENTIFICATION/AUTHENTICATION OF USERS
TREAT AS CONFIDENTIAL
TRANSMISSION
OWNERSHIP
GROUP
INDIVIDUAL
ONE-WAY ENCRYPTION
PIN = PERSONAL IDENTIFICATION NUMBER
COMBINATIONS OF THE ABOVE
SOMETHING CARRIED
IDENTIFICATION CARD
KEY
BADGE
MAGNETIC CARD
PHYSICAL CHARACTERISTICS
APPEARANCE
VOICE PRINT
IDENTIFICATION/AUTHENTICATION OF USERS
PHYSICAL CHARACTERISTICS
SIGNATURE
DYNAMIC
STATIC
FINGERPRINTS
HAND GEOMETRY
EYE RETINA PATTERN
LIP PRINT
EQUIPMENT/LOCATION
TERMINAL IDENTIFICATION
CHANNEL IDENTIFICATION
CALL BACK
CONSIDERATIONS
RE-IDENTIFICATION
ACCESS LIMITATION
TIME PERIOD BETWEEN ATTEMPTS
TERMINAL AND/OR ID DISABLING
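As an added example (not part of the original slides), a small log-on routine that applies three of the considerations above: one-way (salted, hashed) password storage, a minimum time period between attempts, and disabling an ID after repeated failures, with every attempt written to an audit record carrying user, terminal and outcome. The policy values, the PBKDF2 parameters and the sample user are assumptions chosen for illustration.

```python
# Added example, not from the original slides. Policy constants below are assumed.
import hashlib
import hmac
import os
import time

MIN_SECONDS_BETWEEN_ATTEMPTS = 2     # assumed policy value ("time period between attempts")
MAX_FAILURES_BEFORE_DISABLE = 3      # assumed policy value ("ID disabling")
PBKDF2_ROUNDS = 100_000              # assumed work factor for the one-way transformation

def make_record(password: str) -> dict:
    """Store only a random salt and a one-way hash; the password itself is never kept."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return {"salt": salt, "hash": digest, "failures": 0,
            "last_attempt": 0.0, "disabled": False}

class Authenticator:
    def __init__(self, users: dict):
        self.users = users      # user id -> record from make_record()
        self.audit = []         # audit trail: one entry per log-on attempt

    def log_on(self, user_id: str, password: str, terminal: str, now: float = None) -> str:
        """Return the outcome string and append an audit record for the attempt."""
        now = time.time() if now is None else now
        rec = self.users.get(user_id)
        if rec is None:
            outcome = "unknown-id"
        elif rec["disabled"]:
            outcome = "disabled"
        elif now - rec["last_attempt"] < MIN_SECONDS_BETWEEN_ATTEMPTS:
            # Too soon after the previous attempt: refuse without checking the password
            # and without moving the window, so rapid retries cannot keep it open.
            outcome = "too-soon"
        else:
            rec["last_attempt"] = now
            candidate = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                            rec["salt"], PBKDF2_ROUNDS)
            if hmac.compare_digest(candidate, rec["hash"]):   # constant-time comparison
                rec["failures"] = 0
                outcome = "ok"
            else:
                rec["failures"] += 1
                if rec["failures"] >= MAX_FAILURES_BEFORE_DISABLE:
                    rec["disabled"] = True     # ID stays disabled until an administrator resets it
                    outcome = "disabled"
                else:
                    outcome = "bad-password"
        self.audit.append({"time": now, "user": user_id,
                           "terminal": terminal, "outcome": outcome})
        return outcome
```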
ACCESS CONTROL MECHANISMS
LIMITATION BASED UPON ACCESS PROFILE
CONSIDER NEED TO KNOW
SET LIMITS
FILES
SOFTWARE UTILITIES
APPLICATION PROGRAMS
SUPERVISOR COMMANDS
HARDWARE
LIMIT ACCESS CAPABILITY
READ
WRITE
CHANGE/MODIFY
EXECUTE
DELETE
OPERATIONAL CONSIDERATIONS
COMPARTMENT OPERATIONS
TIME OF DAY
THREAT MONITORS
ISOLATION AND CAPABILITY CONTROLS
GENERAL RESTRICTIONS ON APPLICATION PROGRAMS
PREVENT SYSTEM CRASHES
DENY USE OF O/S CRITICAL FUNCTIONS
PREVENT CHANGES TO PRIVILEGE
CONTROLLING USER PRIVILEGE
PRIVILEGE CONTROL MECHANISM
HARDWARE/SOFTWARE IMPLEMENTATIONS
RESOURCE ALLOCATION AND ATTRIBUTE DESCRIPTION
PROGRAM INTERRUPT AND RECOVERY PROCESSING
MEMORY PROTECTION CONCEPTS
READ PROTECTION
WRITE PROTECTION
EXECUTE PROTECTION
NULL ACCESS
MEMORY PROTECTION TECHNIQUES
KEY-LOCK BASE AND BOUNDS
PAGING SEGMENTATION
DOMAIN ISOLATION
READ-ONLY MEMORY ERASURE
THREAT MONITORING
AUDIT TRAILS
LOG-ON/LOG-OFF TIME
LOG-ON/LOG-OFF ATTEMPTS
IDENTIFICATION OF USER AND TERMINAL
ACCOUNTING INFORMATION ON RESOURCE UTILIZATION
HARDWARE
SOFTWARE
RECORD/FILE OPEN/CLOSE/USE
FILE NAME
TYPE FILE
ACTIVITY (READ/WRITE/EXECUTE/DELETE/COPY)
ERRONEOUS ATTEMPTS TO USE RESOURCES
METHODS
KEEP ALL SYSTEM USAGE INFORMATION IN ONE FILE
KEEP INDIVIDUAL ACTION CHRONOLOGICALLY IN ONE FILE
AUDIT ONLY LAST ACTION
KEEP USAGE AUDIT LOG
THREAT MONITORING
CONSIDERATIONS
DO NOT LET USERS HAVE ACCESS TO AUDIT LOGS
SET UP ROUTINES TO ANALYZE AUDIT LOGS IN PROBLEM AREAS
AUDIT RANDOMLY
NO NOTICE CHECKS
ESTABLISH APPROPRIATE RESPONSES FOR IRREGULARITY
CONTROL ABILITY TO START / STOP LOGGING
VIRUS CONTROL
APPLY CHANGE CONTROL (CONFIGURATION MANAGEMENT) TO:
PRODUCTION
TESTING
TROUBLESHOOTING
CHANGE TIMING (BASELINING)
ARCHIVING AND BACKUP
DEVELOP DISASTER RECOVERY (CONTINGENCY PLANS) FOR
CRITICAL SYSTEMS
VITAL RECORDS
BACKUPS AND OFF-SITE STORAGE
TESTING
LET SPECIAL POLICIES ADDRESS
ACCESS CONTROL
SOFTWARE ACQUISITION
PUBLIC PROGRAMS
PIRACY
FLOPPY DISKS
NEED FOR ENCRYPTION
USE WRITE PROTECTION
BACKUP/RECOVERY
LAN ACCESS
WORK AT HOME/GAMES
PC ACCESS CONTROL
IS IT NEEDED IN ALL CASES?
USE A STANDARD PRODUCT
DISTRIBUTED OR CENTRALIZED MANAGEMENT
VIOLATION HANDLING MECHANISMS
ACCESS AUTHORIZATION
PASSWORD MANAGEMENT
AUDITING
SPECIAL POLICIES - HARDWARE/SOFTWARE
BUY STANDARD SYSTEMS WITH COMMON O/S AND APPLICATIONS
PURCHASING AS A GATE PREVENTING VARIATION
NETWORK/MODEM CONNECTION AND USE VIA CONTROL GROUP
CENTRALIZED TERMINAL CROSS REFERENCED INVENTORIES
BASELINE THE CUT-IN OF CHANGE, ENHANCED TECHNOLOGY
THE FOREGOING MUST ALLOW RAPID FULFILLMENT OF USER NEEDS
SPECIAL POLICIES - PUBLIC DOMAIN SOFTWARE
FORBID ALL USE
DOWNLOADING BY TASKED INDIVIDUAL TO A QUARANTINED AREA
PUNISH THOSE WHO CHEAT
WHAT TO DO IF YOU CAN NOT CONTROL USER CONNECTIVITY
IDENTIFY ACCEPTABLE BBS SOURCES FOR DOWNLOAD
IDENTIFY PROGRAMS KNOWN TO BE CORRUPTED
EDUCATE USERS CONCERNING HOW TO CHECK FOR VIRUS
SPOT AUDIT EQUIPMENT TO IDENTIFY AND PURGE VIRUS
SPECIAL POLICIES - PIRACY
COPY PROTECT YOUR APPLICATIONS TO CAP CORPORATE LIABILITY
CALL FOR PUBLIC IDENTIFICATION AND PUNISHMENT OF OFFENDERS
INVOLVE ALL SOFTWARE - GAMES AND PERSONAL MANAGEMENT TOO
AUDIT USERS FOR UNAUTHORIZED SOFTWARE
SPECIAL EMPHASIS UPON LAN USERS
SPECIAL POLICIES - FILE ENCRYPTION
IDENTIFY AND SELECT SENSITIVE FILES
SELECT A COMMON SOFTWARE BASED TRANSFORMATION
METHODOLOGY
WEAKNESS IN ADD-ON ENCRYPTION
KEY MANAGEMENT IS CRUCIAL
MOST VIRUS DETECTION IS ASCII STRING MATCHING
16-32 BITS NEEDED TO MINIMIZE FALSE POSITIVE
SPECIAL POLICIES - WRITE PROTECTION
FOR EXECUTABLE FILES
FOR CRITICAL DATA FILES
FOR ENTIRE HARD DISK
WHO SHOULD CONTROL PROTECTION
CENTRAL ADMINISTRATOR
INDIVIDUAL USER
OWNER
REMOVAL PROBLEMS
OVERRIDE CAPABILITY
OTHER LEVELS OF ACCESS
SPECIAL POLICIES - BACK-UPS AND RECOVERY
ABSOLUTELY MANDATORY
MUST BE EASY FOR USER
SPECIFIED INTERVALS
STORAGE - ON-SITE AND OFF-SITE
LINK TO MAINFRAME?
ELECTRONIC VAULTING ($$$)
BACKUPS COULD BE INFECTED
TESTING NEW APPLICATIONS USING BACKUP FILES
SPECIAL POLICIES - LAN ACCESS AND SECURITY
USUALLY AN UNCONTROLLED ENVIRONMENT
WEAK SECURITY IN LAN O/S
GATEWAYS AND BRIDGES ARE OFT-TIMES FORGOTTEN
FOCUS ON SERVERS
FOCUS ON SINGLE ADMINISTRATORS
SECURITY FEATURES ARE TOO COMPLICATED TO BE USED BY PEOPLE
ADD-ON PACKAGES ARE NOT SEAMLESS
USE ID'S AND PASSWORDS
SPECIAL POLICIES - WORK AT HOME
ACCESS TO COMPUTER BULLETIN BOARDS
TREAT FLOPPIES AS IF THEY ARE CONTAMINATED
ESTABLISH PHYSICAL CONTROLS OVER HOME COMPUTERS
DOWNLOADING SENSITIVE DATA
COMPETITIVE INTELLIGENCE THREATS
LEGAL APPLICABILITY OF CORPORATE SECURITY POLICIES
SPECIAL POLICIES - NON-BUSINESS USE OF RESOURCES
LEGAL RECOURSE?
STUDENTS AND OTHER PART-TIME WORKERS?
WHO SUPERVISES?
SPECIAL POLICIES - BUSINESS USE OF PERSONAL RESOURCES
LAPTOPS / NOTEBOOKS
SOFTWARE
CORPORATE RIGHTS UPON PERSONAL EQUIPMENT
EMPLOYEE WAIVER OF RIGHTS
PREVENTING INFECTION - ALL COMPUTER CLASSES
DO NOT USE SOFTWARE OF UNKNOWN ORIGIN
WRITE PROTECT EXECUTABLE FILES
DO NOT SHARE CODE OF ANY TYPE (SOURCE, OBJECT)
KEEP ABREAST OF CORRUPTIVE TECHNOLOGIES
BACKUPS, BACKUPS, BACKUPS AND THEN BACKUP
ORGANIZING AND ADMINISTERING
ESTABLISH INTERNAL AND EXTERNAL CONTACTS, COMMUNICATIONS AND
RECOVERY MECHANISMS
DETAIL WORKING RELATIONSHIPS
DEFINE, DESIGN, BUILD TOOLS AND SYSTEMS
ESTABLISH "EVENT" HANDLING PROCEDURES FOR IDENTIFICATION,
CLASSIFICATION AND RESOLUTION
DETERMINE NATURE AND MAGNITUDE OF THREAT
ASSESS VULNERABILITY
GAUGE RESPONSE
HANDLE "SENSITIVE" INFORMATION
PRODUCE GUIDELINES AND LESSONS LEARNED
DEVELOP RESPONSE PACKAGES
PREVENTING INFECTION - PERSONAL COMPUTERS
COLD BOOT, IF REQUIRED, ONLY FROM A KNOWN, WRITE-PROTECTED
BOOT DISKETTE
MINIMIZE BOOTING A HD SYSTEM USING A DISKETTE
DO NOT PUT SHAREWARE OR UN-VALIDATED PROGRAMS IN A HD ROOT
DIRECTORY
CONSIDER USE OF REMOVABLE HARD DISKS
NO, NO, NO SHAREWARE IN ANY FILE SERVER DIRECTORY
USE DISK-LESS PC'S (DUMB TERMINALS) IN LAN'S
DO NOT DOWNLOAD FROM BBS
QUARANTINE AND VALIDATE PUBLIC DOMAIN SOFTWARE BEFORE USE
TRANSPORT ONLY NON-EXECUTABLE FILES BETWEEN PC'S
DETECTING AN ATTACK - SIGNS OF INFECTION
FILE SIZE INCREASES
CHANGE IN UPDATE TIME STAMP
SAME DATE OF LAST UPDATE
SUDDEN DECREASE OF FREE SPACE
SYSTEM SLOWDOWN WITHOUT REASON
EXCESSIVE OR UNCALLED DISK ACTIVITY AT ODD TIMES
PRINTING PROBLEMS (MACINTOSH SCORES)
SERIES OF RECOVERABLE SYSTEM HITS
"GOTCHA!" MESSAGE
MASSIVE DESTRUCTION
DETECTING AN ATTACK - ADVANCED DETECTION
CYCLIC REDUNDANCY CHECK (CRC)
CALCULATING A CHECKSUM
SAVING AN IMAGE OF SYSTEM INTERRUPT VECTORS
SCANNING FOR ASCII STRINGS
DETECTING AN ATTACK - ADDITIONAL METHODS
COMPARISON AGAINST KNOWN FILES
SELECTIVE DISASSEMBLY
SEARCH FOR TRIGGERS
TEST USING SIGNIFICANT DATES AND CONDITIONS
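As an added example (not part of the original slides), a small integrity baseline and signature scan in the spirit of the detection methods above: a CRC/checksum comparison against known files, the size and time-stamp signs of infection from the earlier slide, and a calculation showing why the file encryption slide says 16-32 bits are needed for ASCII string matching to keep false positives down. CRC-32 from zlib stands in for the slide's CRC, and the marker string and files built by `demo()` are constructed sample data.

```python
# Added example, not from the original slides. Names and sample data are assumptions.
import os
import tempfile
import zlib
from pathlib import Path

SAMPLE_SIGNATURE = b"CONSTRUCTED-SAMPLE-MARKER"   # constructed marker, not a real signature

def fingerprint(path):
    """Size, modification time (ns) and CRC-32 of one file."""
    data = Path(path).read_bytes()
    return {"size": len(data),
            "mtime": os.stat(path).st_mtime_ns,
            "crc": zlib.crc32(data) & 0xFFFFFFFF}

def baseline(paths):
    """Record fingerprints of known-good files: the image later checks are compared against."""
    return {str(p): fingerprint(p) for p in paths}

def compare(base, paths):
    """Return path -> list of changed fields ('size', 'mtime', 'crc'), or ['new file']."""
    findings = {}
    for p in paths:
        was = base.get(str(p))
        if was is None:
            findings[str(p)] = ["new file"]
            continue
        now = fingerprint(p)
        changed = [k for k in ("size", "mtime", "crc") if now[k] != was[k]]
        if changed:
            findings[str(p)] = changed
    return findings

def scan_for_signature(path, signature):
    """Plain byte-string matching, the method the slides say most detection relies on.
    Returns the first offset, or -1 when absent."""
    return Path(path).read_bytes().find(signature)

def expected_false_hits(file_len, sig_len):
    """Expected chance matches of a sig_len-byte pattern in file_len uniformly random
    bytes: one trial per offset, each hitting with probability 2**-(8*sig_len).
    A 2-byte (16-bit) pattern in a 1 MB file gives about 15 false hits; a 4-byte
    (32-bit) pattern gives about 0.0002, which is the slide's point."""
    trials = max(file_len - sig_len + 1, 0)
    return trials / 2 ** (8 * sig_len)

def demo():
    """Build a constructed program image, baseline it, append a marker and re-check:
    size and CRC both change, and the signature scan locates the marker."""
    with tempfile.TemporaryDirectory() as d:
        exe = Path(d) / "prog.exe"
        exe.write_bytes(b"MZ" + b"\x90" * 256)       # constructed stand-in for an executable
        base = baseline([exe])
        assert compare(base, [exe]) == {}             # unchanged file: nothing reported
        with exe.open("ab") as f:
            f.write(SAMPLE_SIGNATURE)                 # simulate an appended modification
        changes = compare(base, [exe])
        offset = scan_for_signature(exe, SAMPLE_SIGNATURE)
        return changes[str(exe)], offset
```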
RECOVERY
VIRUS RECOVERY TECHNIQUES CALL FOR RESTORATION FROM KNOWN
GOOD BACKUP
UN-RECOVER SEQUENCES FREQUENTLY FAIL
BACKUP IS A PART OF CONTINGENCY PLANNING
ONLY A SUPERB CORRUPT CODE STRING CAN INVALIDATE A BACKUP
BACKUP MAKES BUSINESS SENSE
BACKUPS ARE A PAIN...
BACKUPS PREVENT MORE PAIN THAN THEY CAUSE
RECOVERY - GUIDELINES
ISOLATE AND COPY THE ATTACKING PROGRAM TO DISKETTE
MAKE SURE ALL AFFECTED UNITS HAVE BEEN PURGED AND TESTED
TREAT UNTESTED CODE AS INFECTED
REBOOT FROM A KNOWN, WRITE PROTECTED TRUSTED COPY OF THE
O/S
SYS THE SYSTEM
SEARCH FOR RESIDUAL INFECTION OR LATE DETONATING COPIES
FOLLOW YOUR CONTINGENCY PLAN RECONSTRUCTING SLOWLY AND
SERIALLY, CHECKING FOR PROBLEMS AFTER EACH OPERATION
EXPECT SECONDARY ATTACKS FROM UNLOCATED CORRUPTION
DESTROY INFECTED FLOPPY DISKS
RECOVERY - GUIDELINES
DOCUMENT TIME SPENT AND RECOVERY PROCESS
USE IT TO TRAIN CERT/CIAC STAFFS
DEVELOP IT AS A COST IN CIVIL ACTIONS AGAINST THE
PERPETRATOR
SAFEGUARD LOGS AND OTHER AUDIT TRAILS
MENTALLY EXERCISE YOUR RECOVERY PLAN WITH AFFECTED USERS
BEFORE PHYSICAL IMPLEMENTATION
SECURITY AWARENESS PROGRAM - THOUGHTS
IMPOSSIBLE FOR SECURITY FORCES TO WATCH OR MANAGE ALL USERS
RESPONSIBILITY AND ACCOUNTABILITY
AUDIT AND MANAGEMENT
PC AND LAN CULTURE
DANGERS NOT VISUALIZED
EMPHASIS ON PROTECTING "THEM"
SECURITY INVOLVING VIRUS IS ON-GOING AND EVOLVING
TARGET GROUPS
SENIOR MANAGEMENT
PC / TERMINAL USERS
LAN WORK STATION USERS
POWER USERS (GET THEM ON YOUR TEAM AS CADRE)
INTERNAL AUDITORS
OPERATIONS / DBMS / SECURITY ADMINISTRATORS
NETWORK CONTROL