Analysis and Implementation
MG - 1
Acknowledgements
The author would like to thank the U.S. National Institute of Standards and Technology (NIST) for their support in providing electronic copies of FIPS 191 "Guideline for the Analysis of Local Area Network Security" and "Priorities for LAN Security: A Case Study of a Federal Agency's LAN Security"; some of the information included in this guide was extracted from these documents.
Points of Contact
For technical information on network security please contact Marc Laroche, tel. (613) 991-7531, Fax (613) 991-7455, e-mail MLaroche@cse.dnd.ca. For additional copies of the document, please contact the ITS Publications Section at (613) 991-7514/7468 or CSE’s WWW site at the following address: http://WWW.cse.dnd.ca.
© 1995 Government of Canada, Communications Security Establishment (CSE) P.O. Box 9703, Terminal, Ottawa, Ontario, Canada, K1G 3Z4 This publication may be reproduced verbatim, in its entirety, without charge, for educational and personal purposes only. However, written permission from CSE is required for use of the material in edited or excerpted form, or for any commercial purpose.
Summary
To be effective, network security must be planned and managed properly. In these days of budget cuts and funding restrictions, it is more important than ever to implement security solutions specifically tailored to satisfy the identified requirements for security. This document includes a methodology to determine network security requirements. Other methodologies also exist and may be more appropriate for certain organizations. In any case, the methodology employed should permit the organization to identify the threats to its network, their likelihood of occurrence, the impacts for the organization should the threats materialize, and the vulnerabilities of the network that can be exploited, in order to obtain a measure of the risks associated with the network. Once the risks are known and measured, appropriate security solutions can be applied to reduce the risks to acceptable levels.

Security solutions offer network protection for confidentiality, integrity, availability and/or accountability purposes. Organizations should look at a solution's effectiveness in satisfying specific requirements; this is required to determine whether implementing the solution reduces the previously identified risks to a level acceptable to the organization. The effectiveness of a proposed solution depends on its implementation (e.g. encryption at the application layer versus the network layer), its design, the degree of difficulty required to circumvent it, and the level of trust associated with it (e.g. is the product evaluated?). Often, more than one solution is available. Solution selection should follow an iterative process in which the residual risk associated with the solution, the minimum acceptable risk for the organization and the cost of the solution are weighed against each other. Once all the security solutions are effectively implemented, the process is restarted to find out whether there are new threats and new vulnerabilities that could be exploited.
TABLE OF CONTENTS
Acknowledgements
Points of Contact
Summary
List of Abbreviations
INTRODUCTION
1 DEFINING THE REQUIREMENTS FOR NETWORK SECURITY
1.1 Preparation
1.1.1 Defining the Network Protection Boundary and Scope
1.1.2 Identifying and Valuing Assets
1.2 Threat and Risk Assessment
1.2.1 Threat Assessment
1.2.2 Estimation of the Potential Impacts
1.2.3 Likelihood of Occurrence of Threats
1.2.4 Exposure Ratings
1.2.5 Present Network Vulnerabilities and Safeguards
1.2.6 Measuring the Risk
1.2.7 Risk Mitigation
1.3 Network Security Policy
2 SATISFYING THE REQUIREMENTS FOR NETWORK SECURITY, covering:
  Identification and Authentication
  User ID/Password for authentication
  Other Authentication Mechanisms
  Providing confidentiality
  Confidentiality via access control
  Communication devices to increase traffic confidentiality
  Encryption
  Encryption key management
  Key management issues
  Location of encryption services in layered communications
  Object reuse and covert channel
  Providing integrity
  System integrity
  Data integrity
  Location of integrity services in layered communications
  Providing availability
  Containment
  Failure Tolerance
  Providing Accountability
  Audit
  Non-repudiation
  Physical Security
  Selection of Appropriate Security Mechanisms
  Confidentiality
  Integrity
  Availability
  Accountability
  Assurance
APPENDIX A – SUGGESTED READINGS
APPENDIX B – PRACTICAL EXAMPLE: ASSESSING AND IMPLEMENTING NETWORK SECURITY
APPENDIX C – EXAMPLE NETWORK SECURITY POLICY
APPENDIX D – PERSONAL COMPUTER CONSIDERATIONS
APPENDIX E – CONTINGENCY PLANNING FOR NETWORKS
APPENDIX F – TRAINING AND AWARENESS
GLOSSARY
BIBLIOGRAPHY

LIST OF TABLES
Table I – Typical Network Assets
Table II – Threats to Networks
Table III – Exposure Rating Based on Likelihood of Occurrence and Level of Impact
Table IV – Network Vulnerabilities
Table V – Risk Measures Based on Exposure Ratings, Vulnerability Levels and Present Safeguard Effectiveness
Table VI – Confidentiality Mechanisms and Services
Table VII – Integrity Mechanisms and Services
Table VIII – Quotas for Availability of Resources
Table IX – Failure Tolerance Services
Table X – Availability Services and Mechanisms
Table XI – Accountability Services and Mechanisms
Table B-I – Exposure Ratings of the Organisation Data Asset to Threats
Table B-II – Present Risks, Proposed Solutions and Residual Risks

LIST OF FIGURES
Figure 1 – TRA Process
Figures 2 to 6 – High Exposure versus Low Exposure; Situation where an asset is highly at risk; The use of security solutions reduces the risk; Examples of security solutions in a specific environment; Diagram of the example network
LIST OF ABBREVIATIONS
ACL – Access Control List
CC – Cryptographic Checksums
CRC – Cyclic Redundancy Check
CSE – Communications Security Establishment
CTCPEC – Canadian Trusted Computer Product Evaluation Criteria
DES – Data Encryption Standard
DOS – Disk Operating System
DSA – Digital Signature Algorithm
EKMS – Electronic Key Management Systems
EMC – Electromagnetic Compatibility
EMI – Electromagnetic Interference
FIPS – Federal Information Processing Standards
GoC – Government of Canada
GSP – Government Security Policy
GTRAIT – Guide Threat and Risk Assessment for Information Technology
I&A – Identification and Authentication
LAN – Local Area Network
MAC – Message Authentication Code
NCSC – National Computer Security Centre
NDS – NetWare Directory Services
NIST – National Institute of Standards and Technology
OSI – Open Systems Interconnection
PC – Personal Computer
PCMCIA – PC Memory Card International Association
RAM – Random Access Memory
RCMP – Royal Canadian Mounted Police
RSA – Rivest Shamir Adleman
SoS – Statement of Sensitivity
TCP/IP – Transmission Control Protocol/Internet Protocol
TCSEC – Trusted Computer System Evaluation Criteria (orange book)
TRA – Threat and Risk Assessment
TSR – Terminate and Stay Resident
UPS – Uninterruptible Power Supply
INTRODUCTION
Even though networks all have the same purpose of sharing data and resources between users, the physical location of the networks, the protocols implemented, the services available, the environment and the configuration make each of them unique. Thus, there cannot be a universal security solution that is suitable to satisfy the security requirements of each individual network. Security solutions must be specifically tailored for each particular network. In other words, the implementation of network security solutions without first understanding the specific need for such countermeasures and the benefit to the network will result in ineffective spending for security. For this reason, a weak definition of the network security requirements will most certainly result in non cost-effective security solutions.

This guide is particularly addressed to decision makers, network managers and network administrators who are responsible for assessing and satisfying network security requirements in their organization. It is comprised of three main sections. First, it proposes a methodology that can be applied to identify network areas requiring protection throughout the entire life cycle of the network. The outcome of this process might be used to gain senior management commitment and support for network security. Security services and mechanisms are then described to inform the reader on how solutions can be applied to satisfy security needs. Finally, a practical example is presented to illustrate the concepts previously described. Since the various concepts presented in this document are generally high level and easy to assimilate, references for further reading on specific areas such as threat and risk assessment (TRA), encryption, firewalls, Internet, etc. are given at section 5.

The reader should keep in mind that this guide offers suggestions only and that the services listed here should be considered as potential solutions, not required solutions. The mechanisms, procedures and guidance provided in this document should not be considered mandatory to satisfy the security requirements of a network. Determining the appropriate controls and procedures to use in any network environment is the responsibility of those in each organization charged with providing adequate network protection.
1 DEFINING THE REQUIREMENTS FOR NETWORK SECURITY
The first question to be asked when time comes to discuss network security is: why is security needed on the network? Most certainly, network security is required to enforce the organizational security policy on the network. However, other considerations must be raised to answer that question: what are the valuable assets that require protection on the network? What are the threats to the network? How is the network vulnerable? What are the risks of threats causing harm to the network, considering the network vulnerabilities and the resulting impacts of the harm? What are the acceptable risks? Finding answers to these questions might take several days or weeks depending on the complexity of the network, and might be perceived as time consuming and not useful. In fact, every hour spent in planning network security is an investment for an organization. Once the requirements for network security are clearly defined, it becomes a lot easier to implement security mechanisms and/or procedures that will efficiently satisfy the requirements.

Security planning is the foundation on which the implementation of security mechanisms sits; it should never be by-passed. Network administrators and managers should never proceed with security implementation before planning is completed. Security planning should be initiated and approved by the organization's upper management and should constantly remain in harmony with the organizational security policy; it is not only a responsibility of network administrators or security officers. Planning network security extends the organizational security requirements to the network. Planning security includes assessing the threats and risks, managing the risks and establishing a network security policy.

Planning security on a network can be conducted in four steps:
a. Preparation: definition of the network security boundary and scope, inventory and valuation of assets, and sensitivity assessment of the information residing on and travelling over the network.
b. Threat Assessment and Exposure to Threats: determining the threats to each network asset, the impact for the organization should the threats materialize, and the likelihood of the threat occurrences. The outcomes of this process are exposure ratings for each asset/threat/impact scenario.
c. Risk Assessment: considering the assets' exposure ratings to threats, network vulnerabilities and present safeguard effectiveness are analysed to determine the risk associated with each asset/threat/impact scenario.
d. Network Security Policy: preparing a network security policy which identifies the steps that should be taken to diminish the risks to acceptable levels.

An important point to mention is that the outcomes of these activities should always be in accordance with the existing organizational security policy, which regulates how the organization manages, protects and distributes resources to achieve the organization's security objectives, and the implementation should always be done in accordance with the network security policy.
1.1 Preparation

1.1.1 Defining the Network Protection Boundary and Scope
The purpose of this process is to determine how much of the network, and in how much detail, the security requirement definition should entail. The boundary defines those parts of the network that must be considered. The boundary may include the network as a whole or parts of the network, such as the data communications components, the server function, the software applications, significant information processed on the network, etc. Factors that determine the boundary may be based on network ownership, management or control. Placing the boundary around a part of the network controlled elsewhere may result in cooperation problems that may lead to inaccurate results. This problem stresses the need for cooperation among those involved with the ownership and management of the different parts of the network.

The scope of the security requirement definition effort must also be defined. The scope distinguishes the different areas of the network (within the boundary) and the different levels of detail used during the security requirement definition process. For example, some areas may be considered at a higher or broader level, while other areas may be treated in depth and with a narrow focus. For smaller networks, e.g. an isolated Local Area Network (LAN), the boundary may be the LAN as a whole, and the scope may define a consistent level of detail throughout the LAN. For larger networks, an organization may decide to place the boundary around those areas that it controls and to define the scope to consider all areas within the boundary. However, the focus on data communications, external connections and certain applications might be narrower. Changes in the network configuration, the addition of external connections, or updates or upgrades to network software or applications may influence the scope.

One of the implicit outcomes of this process is that a detailed configuration of the network, as well as its uses, is produced. This configuration should indicate the hardware incorporated, major software applications used, significant information processed on the network, and how that information flows through the network. The degree of knowledge of the network configuration will depend on the defined boundary and scope.

1.1.2 Identifying and Valuing Assets
Asset valuation identifies and assigns value to the assets of the network. All parts of the network have value, although some assets are definitely more valuable than others. This step gives the first indication of those areas where focus should be placed. Defining and valuing assets may allow the organization to initially decide which areas can be considered less important and which areas should be flagged as a high priority. For networks that produce large amounts of information that cannot be reasonably analysed, initial screening may need to be done. The valuation of information (or data) assets cannot be done effectively before a statement of sensitivity (SoS) is prepared. A SoS defines the sensitivity of the information within the network, i.e. classified (Top Secret, Secret and Confidential) or designated (Protected C, B or A). It may also define the sensitivity requirements of supporting assets such as hardware, software, etc. A SoS may already be included in the organizational security policy or may need to be prepared. If it needs to be prepared, the Government Security Policy [GSP] and the RCMP Guide Threat and Risk Assessment for Information Technology [GTRAIT] provide valuable information that may be very helpful for preparing a SoS.
Different methods can be used to identify and value assets. Table I lists some assets that should be included. The importance of all the data stored on, processed on and communicated through the network should be included, as well as the sensitivity of the data. Where the data is accessed and the types of users who access it should be identified. The location of the software on the network and from where it is commonly accessed should also be identified.

Table I – Typical Network Assets
Areas | Assets
Hardware | Servers, client stations, communication devices (router, bridge, gateway, hub, modem), peripheral devices, cables, fibres, interfaces, etc.
Software (or Services) | Network operating systems, client station operating systems, applications, tools (management, maintenance, backup, etc.), software under development, etc.
Data | Organization data: database, spreadsheet, word processing, e-mail, etc. Network data: network configuration and settings, users' passwords, audit trail, users' access privileges, etc. User data: personal processed data, user owned files, etc.

Because the value of an asset should be based on more than just the replacement cost, valuing assets is one of the most subjective of the processes. However, if asset valuation is done with the goal of the process in mind, that is, to define assets in terms of a hierarchy of importance or criticality, the relative values of the assets become more important than placing the "correct" value on them. One of the simplest valuing techniques to indicate the loss of an asset is to use a qualitative ranking of high, medium and low. Assigning values to these rankings (3=high, 2=medium, and 1=low) may assist in the security requirement definition process. This ranking represents not only the replacement cost of the asset but also the effects on the organization if the asset is disclosed, modified, destroyed or misused in any other way. For example, the value of the asset can be represented in terms of the potential loss. This loss can be based on the replacement value, the immediate impact of the loss, and the consequence to the organization.
1.2 Threat and Risk Assessment
After the assets are determined and valued, the organization should have a reasonably correct view of the network configuration, what the network consists of and what areas of the network need to be protected. The next step in the process of planning network security is to identify any potential threats that may target the identified assets, their likelihood of occurrence, and the potential harm that might be caused to the assets as well as the resulting impacts for the organization, and then to estimate the risk of the threats causing harm to the network and the organization. Commonly, this consists of a TRA. TRAs are conducted to determine the appropriate level of protection required for a network. There are many TRA methodologies that an organization may use, but in any case the outcome of the TRA process should always be recommendations of appropriate and cost effective security mechanisms, products or procedures for the network, commonly called security solutions, safeguards or countermeasures.

One of the most important considerations in choosing a methodology or technique is that the results obtained from the TRA be useful in providing efficient and effective network security. If the methodology is too complicated to use, if it requires input data that is too detailed, or if it produces results that are too intricate to infer what the risk to the network actually is, the methodology will not be useful and will not lead to effective network security. On the other hand, if the methodology does not allow for reasonable granularity in its definition of variables such as asset, impact level and likelihood, the results produced may be too simple and may not reflect the true risk to the network. Those responsible within the organization should adopt the risk assessment approach that provides a technique that is understandable, easily used, and produces results that help the organization to effectively secure its networks.

Any TRA methodology adopted by an organization should include the following activities:
- Estimating threats to network assets.
- Analysing network vulnerabilities and present safeguards.
- Measuring the risks using exposure rating, network vulnerabilities and present safeguards.
- Selecting cost effective security solutions that reduce the risk to an acceptable level.
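The four planning steps and the TRA activities listed above can be carried through as a small risk register. The following Python is an added example and not code from this guide or from the RCMP [GTRAIT] methodology: it takes the qualitative 3/2/1 ranking of section 1.1.2 as the impact level, combines it with likelihood into an exposure rating, adjusts that by vulnerability level and present safeguard effectiveness into a risk measure, and then tries candidate solutions cheapest first until the residual risk falls to the acceptable level. The combination rules (product of levels; a safeguard cancelling vulnerability level for level) and the sample network are assumptions chosen for illustration; the guide's own Table III and Table V are not reproduced on this page.

```python
"""Asset/threat/impact risk register for the four-step planning procedure.

Added example; not code from the CSE guide or from [GTRAIT]. The combination
rules are assumptions for illustration only (the guide's Tables III and V are
not reproduced on this page); the sample network at the bottom is constructed.
"""
from dataclasses import dataclass
from enum import IntEnum
from typing import List, Optional, Tuple


class Level(IntEnum):
    """Qualitative ranking used for every variable (section 1.1.2)."""
    LOW = 1
    MEDIUM = 2
    HIGH = 3


@dataclass(frozen=True)
class Asset:
    name: str
    area: str     # Hardware, Software or Data, as in Table I
    value: Level  # potential loss if disclosed, modified, destroyed or misused


@dataclass(frozen=True)
class Threat:
    name: str
    category: str  # natural, accidental or deliberate
    impact: str    # immediate impact category from section 1.2.1


@dataclass(frozen=True)
class Scenario:
    """One asset/threat/impact line of the register."""
    asset: Asset
    threat: Threat
    likelihood: Level     # chance the threat materialises against this asset
    vulnerability: Level  # how easily the weakness can be exploited
    safeguard: Level      # effectiveness of safeguards already in place


@dataclass(frozen=True)
class Solution:
    name: str
    effectiveness: Level  # safeguard level once the solution is in place
    cost: int             # relative cost; cheaper candidates are tried first


def exposure_rating(likelihood: Level, impact: Level) -> int:
    """Assumed rule: exposure = likelihood x impact level, on a 1..9 scale.
    The asset's qualitative value is used as the impact level."""
    return int(likelihood) * int(impact)


def net_vulnerability(vulnerability: Level, safeguard: Level) -> int:
    """Assumed rule: a safeguard cancels vulnerability level for level, but a
    weakness never disappears entirely, so the result is floored at 1."""
    return max(1, int(vulnerability) - int(safeguard) + 1)


def risk_measure(s: Scenario, safeguard: Optional[Level] = None) -> int:
    """Risk = exposure x net vulnerability (1..27). Passing a safeguard level
    evaluates the scenario as if that level replaced the present safeguards."""
    present = s.safeguard if safeguard is None else safeguard
    exposure = exposure_rating(s.likelihood, s.asset.value)
    return exposure * net_vulnerability(s.vulnerability, present)


def residual_risk(s: Scenario, solution: Solution) -> int:
    """Risk that remains once the proposed solution is effectively implemented."""
    return risk_measure(s, solution.effectiveness)


def build_register(scenarios: List[Scenario], acceptable: int) -> List[Tuple[Scenario, int, bool]]:
    """Risk assessment step: one row per scenario, highest risk first,
    flagged True when the risk exceeds the organization's acceptable level."""
    rows = []
    for s in scenarios:
        r = risk_measure(s)
        rows.append((s, r, r > acceptable))
    return sorted(rows, key=lambda row: row[1], reverse=True)


def select_solution(s: Scenario, candidates: List[Solution], acceptable: int) -> Optional[Solution]:
    """Iterative selection from the Summary: weigh residual risk, acceptable risk
    and cost by trying the cheapest candidate first and keeping the first one
    whose residual risk is at or below the acceptable level."""
    for sol in sorted(candidates, key=lambda c: c.cost):
        if residual_risk(s, sol) <= acceptable:
            return sol
    return None  # nothing on offer is good enough; revisit the requirement


def sample_scenarios() -> List[Scenario]:
    """Constructed sample network, not taken from the guide."""
    db = Asset("customer database", "Data", Level.HIGH)
    srv = Asset("file server", "Hardware", Level.MEDIUM)
    sniff = Threat("eavesdropping on the LAN", "deliberate", "unauthorized disclosure of information")
    delete = Threat("user deletes files by mistake", "accidental", "unauthorized modification to data")
    flood = Threat("flood", "natural", "disruption of network functions")
    return [
        # database traffic crosses the LAN in clear and nothing is in place against it
        Scenario(db, sniff, likelihood=Level.MEDIUM, vulnerability=Level.HIGH, safeguard=Level.LOW),
        # happens now and then, but nightly backups are an effective present safeguard
        Scenario(db, delete, likelihood=Level.MEDIUM, vulnerability=Level.MEDIUM, safeguard=Level.HIGH),
        # rare; the server room is in a basement and there is no contingency plan
        Scenario(srv, flood, likelihood=Level.LOW, vulnerability=Level.MEDIUM, safeguard=Level.LOW),
    ]


if __name__ == "__main__":
    ACCEPTABLE = 6  # assumed threshold set by the organization
    for s, r, act in build_register(sample_scenarios(), ACCEPTABLE):
        print(f"{s.asset.name:18} {s.threat.name:30} risk={r:2} {'mitigate' if act else 'accept'}")
```

Running the module prints the register sorted by risk; in the constructed data only the eavesdropping scenario exceeds the acceptable level, and the cheaper "handling procedure" candidate leaves it at 12 while link encryption brings it to 6, which is the iteration the Summary describes. The rules are kept in two small functions on purpose: when the organization adopts another methodology, or its own version of Table III, only `exposure_rating` and `net_vulnerability` change, while the asset/threat/impact enumeration and the solution loop stay the same.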
Figure 1 – TRA Process

In November 1994, the Royal Canadian Mounted Police (RCMP) published [GTRAIT], which describes a quantitative method for performing risk analysis. This document was issued as a guideline and not a standard. It describes how an estimate of risk could be obtained by estimating, for each asset of a network: (1) the threats, (2) their likelihood based on the frequency of occurrence, (3) the consequences (destruction, modification, disclosure or unavailability) of a threat occurrence and the resulting impacts (exceptionally grave, serious or less serious), and (4) vulnerabilities and present safeguards. [GTRAIT] is in accordance with [GSP] and may be used to proceed with a TRA of a network.

Other methodologies and approaches are available. The TRA methodology presented in this guide is illustrated in figure 1; it is based on [GTRAIT], however organisations may choose other methodologies and techniques if they find them to be more appropriate and effective. There are many techniques available to calculate risk. Some require a manual process, others are implemented in software. While most depend on a loss variable and a likelihood or probability variable, there are no agreed upon methods for representing the necessary variables to perform a risk analysis, and there are no agreed upon methods for calculating risk using these variables. Because of this lack of consistent agreement within the risk community, determining the effectiveness of any particular method may be difficult. Whatever TRA method is chosen by an organization, it must be effective in helping to implement effective network security and thus reduce the risk to the network.

Automated risk analysis tools are available that are tailored specifically to the network environment, and using them can bring many benefits to the TRA process. However, there is a concern in using automated risk analysis tools. While there exists a proposed standard framework [KAT] for risk analysis that provides vendors with some guidance in developing these tools, the manner in which the variables are represented and the calculations that are used on them are not always made available to the user. This disadvantage is compounded by the proprietary nature of the tools and because there is currently no standard method or agreed upon approach for performing risk analysis. On the other hand, if the methodology used by the tool is understood and deemed acceptable by the user, then the tool may prove to be quite adequate. The underlying question in determining if a tool will be effective for a particular environment should be: "What is the automated risk analysis tool measuring, and are the results produced by it useful for providing appropriate network security?"

1.2.1 Threat Assessment
Anything that has the potential to cause "bad" or "undesirable" happenings to network assets should be identified as a threat. Threats exist because of the very existence of the network and the environment in which it operates, and not because of any specific weakness. However, the presence of a threat does not mean that it will necessarily cause actual harm. A threat can be human or environmental, accidental or intentional, and natural or fabricated; it can cause harm to a network in various forms. Identifying threats requires one to look for all the possible threat occurrence possibilities, including the origin, the means, and the direct impacts of the threat on the network if it is realized.
Threats normally fall into one of the following broad categories: natural, accidental or deliberate. Natural threats exist because of the environment in which the network operates. They occur randomly and are completely independent of the network's purpose, function or value. A natural threat occurrence normally results in an interruption or disruption of network operation. Although accidental threats are not target-directed, they are significant threats to networks today since they can occur at any time, anywhere on a network. Accidental threats such as user or administrative errors can result in unauthorized access to a network as well as network disruption or loss of services and operations. Deliberate threats are premeditated and target-directed. Their occurrence is materialised through man-made active or passive attacks, which can result in unauthorized access to the network resources. Attributes of interest should be considered while identifying deliberate threats. These attributes include the motivation, interest, opportunity, resources and capabilities of the threat. They are a critical input for the assessment of the likelihood of occurrence of deliberate threats. Likelihood of threat occurrence will be discussed in section 1.2.3.

The impact of the threat, which usually points to the immediate, near-term problems, potentially results in the following:
- Unauthorized access to the network - results from an unauthorized individual gaining access to the network, or from an individual gaining access to network resources in an unauthorized manner. Even though this situation does not cause actual harm to a network by itself, it may eventually result in one or several of the impacts listed below.
- Unauthorized disclosure of information - results from an individual accessing or reading information (resident on the network or as it moves through the network) and possibly revealing the information in an accidental or unauthorized intentional manner.
- Unauthorized modification to data and/or software - results from an individual modifying network data and/or software in an unauthorized or accidental manner. This can also be performed on data as it moves through the network.
- Disruption of network functions (unavailability of data or services) - results from threats that temporarily or permanently block network resources from being fully available in a timely manner, or that alter the network equipment and/or data in an accidental or unauthorized deliberate manner, in such a way that network resources including services become permanently unavailable.
- Deceptive actions on the network - result from events occurring on the network for which the actual individual (or process) triggering the event cannot be accounted for. In other words, a link cannot be made between the actual human identity and the action.

The more significant long-term consequences of the threat being realized are the result of violation of privacy, unauthorized disclosure or modification of sensitive data, denial of services, loss of proprietary technology, loss of trust, civil law suits, fines, major embarrassment for the organization, loss of human life, etc.
Large amounts of information on various threats and vulnerabilities exist. Section 5 References and Further Reading of this document as well as some risk management methodologies provide additional information on potential threats. User experience and network management experience are other sources of information that can be very helpful to identify threats. Table II provides a list of general threats and their immediate effects on networks. This table contains threat events that have taken place in the past and thus that could be of concern to the protection of a network. It does not consist of an exhaustive list but can be used as a starting point for the identification of threats to network assets. Since both threats and technology are dynamic in nature, it may not always be possible or wise to depend on past experience to identify threats. In fact, the TRA practitioners should not consider the identification of network threats as a static activity; this activity should be conducted periodically to inform the decision maker of any changes in regard to the actual threats to the network.

Table II – Threats to Networks

Natural Threats

Origin: Earthquake, fires, landslides, floods, severe snow and thunder storms
Direct Threat to Networks: power outage, extreme temperature due to damage to building, fires
Immediate Impact on Networks: Disruption of network functions, including loss or degradation of communications and destruction of equipment and/or data

Origin: Astrophysical phenomena
Direct Threat to Networks: electromagnetic pulse, electromagnetic perturbations
Immediate Impact on Networks: Disruption of network functions, including loss or degradation of communications (particularly for wireless links)

Origin: Biological phenomena
Direct Threat to Networks: disease, death of critical personnel
Immediate Impact on Networks: Disruption of network functions, including denial of service

Accidental Threats

Origin: User error
Direct Threat to Networks: file deletion, drive formatting, misuse of equipment, input errors, improper configuration or setup, information deletion
Immediate Impact on Networks: Disruption of network functions, unauthorized modification to data

Origin: Administrator error
Direct Threat to Networks: improper configuration or setup, information deletion
Immediate Impact on Networks: Unauthorized access to network, unauthorized modification to data, disruption of network functions and/or deceptive actions on the network

Origin: Equipment failure
Direct Threat to Networks: technical problems with file servers, print servers, client stations, printers, communication devices, support equipment (e.g. access control), including computers, disk drives, tape back-up, backup tapes, Random Access Memory (RAM) chips, etc.
Immediate Impact on Networks: Disruption of network functions

Origin: Industrial accident
Direct Threat to Networks: explosion, fire, chemical spill, gas leak, air pollution, public utility interruption, coffee spill
Immediate Impact on Networks: Disruption of network functions including the destruction of equipment and/or data

Deliberate Threats

Origin: foreign governments
Direct Threat to Networks: password cracking, logic bombs, Trojan Horse, virus, spoofing, masquerading, piggybacking, forgery, wiretapping or eavesdropping, jamming, cryptanalysis attack
Immediate Impact on Networks: Unauthorized access to network, certainly resulting also in unauthorized disclosure of information, possibly resulting in: unauthorized modification to data, disruption of network functions and/or deceptive actions on the network

Origin: industry
Direct Threat to Networks: password cracking, logic bombs, Trojan Horse, virus, spoofing, masquerading, piggybacking, forgery, wiretapping or eavesdropping
Immediate Impact on Networks: Unauthorized disclosure of information, possibly resulting in: unauthorized modification to data, disruption of network functions and/or deceptive actions on the network, and Unauthorized access to network

Origin: organized crime
Direct Threat to Networks: same as above
Immediate Impact on Networks: Same as above

Origin: hackers
Direct Threat to Networks: password cracking, use of an old account/password, logic bombs, Trojan Horse, virus, spoofing, masquerading, piggybacking, wiretapping or eavesdropping
Immediate Impact on Networks: Unauthorized access to network, possibly resulting in: unauthorized disclosure of information, unauthorized modification to data, disruption of network functions and/or deceptive actions on the network

Origin: news media
Direct Threat to Networks: wiretapping or eavesdropping and possibly others
Immediate Impact on Networks: Unauthorized disclosure of information

Origin: thieves
Direct Threat to Networks: equipment stealing
Immediate Impact on Networks: Disruption of network functions, and Unauthorized disclosure of information

Origin: vandals
Direct Threat to Networks: physical damage
Immediate Impact on Networks: Disruption of network functions

Origin: malicious employees (users, managers, maintainers, contractors, or other)
Direct Threat to Networks: use of an old account or password, password cracking or capturing, Trojan horse, logic bombs, virus, physical damage
Immediate Impact on Networks: Unauthorized access to network, possibly resulting in: unauthorized disclosure of information, unauthorized modification to data, disruption of network functions and/or deceptive actions on the network

Origin: terrorists
Direct Threat to Networks: bombs, physical damage, jamming, spoofing, password cracking, logic bombs, Trojan Horse, virus
Immediate Impact on Networks: Disruption of network functions; all the impacts listed in this table are possible

The threats discussed in this section may be used as a starting point, with other sources included where appropriate. Threats should be identified for all the assets listed and new threats should be addressed when they are encountered. The degree to which threats are considered will depend on the previously defined boundary and scope. A high level analysis may point to threats in general terms and a more focused analysis may tie a threat to a specific component or usage of the network. For example, a high level analysis may indicate that the consequence due to loss of data confidentiality through disclosure of information on the network is too great a risk. A more narrowly focused analysis may indicate that the consequence due to disclosure of the organization data captured and read through network transmission is too great a risk. The more narrowly focused assessment will help to specifically identify requirements for network security and thus to find security solutions that will precisely reduce a given risk. More than likely, the generality of the threats produced in the high level analysis will, in the end, produce security solution recommendations that will also be high level. This is acceptable if the definition of the network security requirements was scoped at a high level. For more focused assessments, i.e. estimating the direct threats to networks listed in Table II, particular attention should be paid to detailing the ways that these threats could occur. For example, methods of attack that result in unauthorized access may be from a login session playback, the attachment of unauthorized equipment to the network, etc. These specifics provide more information in determining network vulnerabilities and will provide more information for proposing security solutions.
1.2.2 Estimation of the Potential Impacts

Once threats are identified for an asset, the TRA team should determine the potential immediate impact on the asset that would result from a threat occurrence. As mentioned in section 1.2.1, the impacts normally consist of unauthorized disclosure of information, unauthorized modification to data, disruption of network functions or unavailability (which includes denial of service and destruction of equipment and/or data), or deceptive actions on the network. The occurrence of a threat can result in more than one impact on an asset and, for each individual asset, an impact level (or injury level) has to be estimated for each possible impact, including the possible impact level on the network and/or the organization should the threats materialize. A typical example to illustrate impacts and impact levels would be a virus (threat) corrupting a data file (asset): this threat occurrence could result in unauthorized modification of data (first impact), which could be a very grave impact for the organization (level of first impact: high), and disruption of network functions (second impact), which can be estimated as serious (level of second impact: medium).

1.2.3 Likelihood of Occurrence of Threats

After threats and impact levels have been identified, a likelihood measure needs to be associated with each asset/threat/impact scenario (i.e. what is the likelihood that a particular threat occurrence results in the impact?). The likelihood of threat occurrence and the resulting impact levels need to be assessed in order to obtain an estimate of the risk associated with each asset/threat pair. The risk assessment methodology chosen by the organization should provide the technique used to measure likelihood. One may wish to examine likelihood in terms of a broad scale such as high, medium or low, or may wish to apply likelihood at a very fine granularity, e.g. a 1 to 10 scale. Some information on traditional threats (mostly natural threats) does exist and may aid in determining likelihood, for example statistics on power outage, flooding, fire, etc. Experience regarding the technical aspects of the network and knowledge of operational aspects of the organization may be valuable to decide likelihood measures of accidental and deliberate threats. Assigning likelihood measures can also be a subjective process; it may also be based on threat attributes such as motivation, opportunity, resources (platform for gathering information) and capability (technical expertise) of deliberate threats, or on error rates of accidental threats. Threat attributes include the motivation (collecting information, challenge, etc.), intent (malicious), opportunity (physical or logical access), etc. One of the simplest methods to measure the likelihood of a threat can be to normalize the likelihood as a value that ranges from 1 to 3 (3=high likelihood, 2=medium likelihood, and 1=low likelihood). This likelihood measure may coincide with past history (3: significant history, 2: some history, or 1: no history), or be based on mixed threat attributes and past history. This data is very important to rate the assets' exposure level to threats.
1.2.4 Exposure Ratings

After resulting impact levels and likelihood of occurrences are estimated, an exposure rating of each network asset to threats can be measured. [GTRAIT] suggests to calculate the exposure rating using a table similar to Table III, where impact level takes precedence over likelihood. The exposure rating does not consider network vulnerabilities or present safeguards, thus it is not a risk level. Instead, it is a measure that permits an organization to determine to which threat scenarios their network is the most exposed. The exposure ratings will next be used with the analysis results of the network vulnerabilities and present safeguards to obtain measures of risks. It is recommended that the TRA data, i.e. lists of assets, threats, impacts, likelihood, exposure ratings and risk measures, be listed in a summary table to facilitate access to it.

Table III – Exposure Rating Based on Likelihood of Occurrence and Level of Impact

Level of impact resulting     Likelihood of a threat occurrence
from a threat occurrence      High    Medium    Low
High                            9       7        4
Medium                          8       6        2
Low                             5       3        1
Figure 2 – High Exposure versus Low Exposure

1.2.5 Present Network Vulnerabilities and Safeguards

The adequate identification of present vulnerabilities and present safeguards is essential to correctly assess the level of risk associated with each scenario. Once exposure ratings are calculated, the decision makers should identify the network vulnerabilities through which the identified threats may harm the network. A network vulnerability can be defined as a characteristic of, or weakness in, a network or one of its components that tends to facilitate the occurrence of a threat. Every vulnerability associated with the network, technical or non-technical, should be identified and listed. Since the various assets of a network are vulnerable in different ways, depending on the types of threats, network vulnerabilities should be identified and analysed separately for each asset/threat/impact/exposure rating group. Completeness and level of detail included in the vulnerability assessment will affect the levels of uncertainty and confidence that can be placed in the risk assessment. The present safeguards should also be identified to determine if the current level of protection is appropriate, considering the asset level of exposure and network vulnerabilities. Typical network vulnerabilities are listed in Table IV. In this table, which is not meant to be a complete list, the vulnerabilities are grouped in terms of resulting effects on the network if the vulnerability is exploited and, for each of the listed vulnerabilities, simple scenarios briefly describe how the vulnerabilities can be exploited.

Table IV – Network Vulnerabilities

Unauthorized Access to Network

Vulnerability: Lack of or insufficient identification and authentication (I&A) scheme
Possible Scenarios: The I&A scheme does not include real-time verification, e.g. no session unique time-stamped data. Login session I&A information is recorded using a network analyser or "sniffer" and replayed later by an individual to login to the network in an unauthorized way.

Vulnerability: Poor password choices or management
Possible Scenarios: Passwords are guessed or cracked.

Vulnerability: Passwords are shared between users or stored in a batch file on client stations
Possible Scenarios: Passwords are compromised or obtained by unauthorized individuals.

Vulnerability: Login attempts are not restricted
Possible Scenarios: An intruder finds a valid user password by successive login attempts.

Vulnerability: Passwords and I&A information travel in the clear over the network
Possible Scenarios: The information required to gain access to the network, including passwords, is captured using a network analyser or "sniffer".

Vulnerability: Lack of access control mechanism and/or physical security on the network client stations
Possible Scenarios: A Trojan Horse is installed on a client station that transparently captures the user ID and password as the information is typed. The administrator's computer is possibly the target.

Vulnerability: Poor physical security on network devices
Possible Scenarios: An unauthorized user modifies the network configuration by accessing a network server console.

Vulnerability: Lack of or improper use of access privileges, e.g. because privilege settings are too permissive, user's privileges are improperly set by the administrator, default permission settings are too permissive, etc.
Possible Scenarios: A valid user, e.g. network administrator or auditor, gets access to information or network resources for which he or she is not authorized. Unknown users get access to system files, user profiles, network configuration, print queues, sensitive data, user files, etc.

Unauthorized Disclosure of Information

Vulnerability: The data travels in unencrypted form throughout the network
Possible Scenarios: Sensitive information is read using a network analyser or "sniffer".

Vulnerability: Printers are placed in high traffic areas
Possible Scenarios: Printed sensitive information is read by unauthorized individuals.

Vulnerability: The client station monitors are viewable in high traffic areas
Possible Scenarios: Sensitive data is read by unauthorized individuals from exposed monitors.

Vulnerability: Information is stored in unencrypted form on the network
Possible Scenarios: Sensitive information is obtained by gaining physical access to file servers and/or client stations.

Vulnerability: Sensitive information is encrypted using a weak encryption algorithm
Possible Scenarios: The sensitivity of the information being valued higher than the cost of breaking the encrypted code, an individual or organization successfully cracks the encryption scheme and obtains the sensitive information.

Vulnerability: Data and/or software backup copies are stored in open areas
Possible Scenarios: Sensitive information stored on a backup media is disclosed.

Vulnerability: Lack or improper settings of file access privileges
Possible Scenarios: Unauthorized but valid users get access to sensitive information.

Unauthorized Modification to Data and/or Software

Vulnerability: No virus protection tools are implemented
Possible Scenarios: A virus is introduced on the network via a contaminated file (imported by a user), resulting in file server and client station corruption. A virus on a client station can use the network to infect other stations.

Vulnerability: Lack or improper settings of file access privileges, e.g. write permission is granted to users who only require read access
Possible Scenarios: A valid user accidentally modifies data, corrupting the corporate database and spreadsheet. An individual modifies network system files for his or her own benefit, e.g. getting the system administrator's password, gaining access to unauthorized information, etc.

Vulnerability: Hardware failure
Possible Scenarios: A faulty file server hard disk causes file corruption.

Vulnerability: The integrity of the client station system files is not verified
Possible Scenarios: A system file is modified or changed to load and execute a Trojan Horse that captures sensitive information.

Vulnerability: The client station start-up file's integrity is not verified
Possible Scenarios: A client station's start-up file (e.g. config.sys) or network start-up file (startnet.bat) is modified to disable a security mechanism or setting that was initially called during the boot or network connection sequence.

Vulnerability: The network system files' integrity is not verified
Possible Scenarios: An individual modifies network system files for his or her own benefit, e.g. getting the system administrator's password, gaining access to unauthorized information, etc.

Vulnerability: Lack of authentication code or digital signature on messages travelling over the network
Possible Scenarios: An individual captures a message as it travels over the network, modifies its content and resends it.

Vulnerability: Lack of real-time verification, e.g. time stamp, of the data travelling over the network
Possible Scenarios: An individual captures a message as it travels over the network, modifies its content and resends it later.

Disruption of Network Functions (Unavailability)

Vulnerability: Lack of uninterruptable power supply (UPS)
Possible Scenarios: Because of a power failure, the network entirely or partially shuts down.

Vulnerability: Inability to handle hardware failure, e.g. file servers, print servers, printers, etc.
Possible Scenarios: Problems occur with a file server hard disk controller, making the information that resides on the server unavailable.

Vulnerability: Improper preventive maintenance of network hardware
Possible Scenarios: Unexpected hardware failures occur.

Vulnerability: Inability to detect unusual traffic pattern
Possible Scenarios: An individual swamps the network with a huge volume of traffic, causing denial of service to valid users. An individual fills up a server's disk space in a relatively short time, resulting in a system crash.

Vulnerability: Configuration of a network that allows for a single point of failure
Possible Scenarios: The failure of only one component in a network (e.g. server, router, bridge, gateway or hub) completely shuts down the network. Communications equipment failure (router, gateway or hub) prevents user access to certain portions of a network.

Vulnerability: Improper physical security of the network hardware
Possible Scenarios: Critical network components are stolen. An unhappy employee vandalizes critical network components. A drink, e.g. coffee or juice, is accidentally spilled on a file server.

Vulnerability: Improper physical protection of the network wire or fibre
Possible Scenarios: A communication connection is accidentally broken. An unhappy employee damages communications links, e.g. cable, etc.

Vulnerability: Improper network configuration and/or management, e.g. reconfiguring addresses on client stations, modifying router or hub configurations, etc.
Possible Scenarios: The system administrator accidentally deletes a user that has unique access privileges on some network resources; thus, a portion of the network resources becomes inaccessible. Unauthorized changes are made to hardware components, which causes disruption of network functions.

Deceptive Actions on the Network

Vulnerability: Lack or improper authentication mechanism
Possible Scenarios: A valid user acts on the network using another user's identity, e.g. a user modifies user profiles acting as a network administrator. An individual receives a message by masquerading as the legitimate recipient.

Vulnerability: Lack of digital signature on messages travelling over the network
Possible Scenarios: An individual sends a message to a destination by masquerading as a different sender or machine. A message could consist of an e-mail, payment transfer, purchase order, leave authorization, etc.

Vulnerability: Lack of auditing mechanism
Possible Scenarios: Files containing sensitive information are copied and/or deleted without the originator of this action being identified. An unknown individual or process swamps the network with a huge volume of traffic, causing denial of service to valid users.

Present safeguards should be identified for each asset/threat/impact scenario. A service, mechanism or procedure can be a safeguard if it consists of measures which will prevent or reduce the likelihood of threats exploiting network vulnerabilities. These controls may be technical, procedural, logical and physical access control, encryption, etc. Existing network security safeguards should also be analysed to determine if they are currently providing adequate protection against specific threats. If a control is not providing adequate protection, it can be considered as a vulnerability. For example, a network operating system may provide access control to the directory level, rather than the file level. For some users, the threat of compromise of information may be too great not to have file level protection. In this example, the lack of granularity in the access control could be considered a vulnerability.

Safeguards normally provide functionality in at least one of the following areas:

! Confidentiality - Protection against threats having the potential to cause unauthorized disclosure of information, e.g. encryption, logical and physical access control, etc.

! Integrity - Protection against threats having the potential to cause unauthorized modification to system configuration or data, e.g. checksums, tamper evident seal, digital signature, etc.

! Availability - Protection against threats having the potential to cause disruption of network functions including denial of service, theft of equipment and/or data, destruction of equipment and/or data and equipment failure, e.g. backup, hot standby equipment, preventive maintenance, quotas on use of network resources, etc.

! Accountability - Protection against threats having the potential to cause deceptive actions on the network by authenticating users and monitoring their actions, e.g. auditing, digital signature, authentication, etc.

! Physical Security/Access control - Physical protection of the network and its resources from unauthorized access.

Since chapter 3 specifically discusses safeguard technology and implementation of network security, the reader should consult chapter 3 for information on this subject. Once appropriate network vulnerabilities and safeguards are identified, the effectiveness of the present safeguards needs to be assessed in order to get an estimate of the risk level associated with each asset/threat/impact/exposure/vulnerabilities/present safeguards scenario. The importance of measuring the safeguards' effectiveness will be discussed in the next section "Measuring the Risk".

1.2.6 Measuring the Risk

The risk can be defined as a measure indicating the likelihood and consequences of threat events or acts that could cause a compromise of network assets, considering the vulnerabilities of the network and effectiveness of present safeguards. The outcome of this process should indicate to the organization the degree of risk associated with the defined assets. This outcome is important because it is the basis for making safeguard selection, if required, and risk mitigation decisions. To determine each risk level, the exposure ratings, vulnerability levels and effectiveness measures of present safeguards are combined. The exposure ratings (ranging from 9 - extremely high to 1 - extremely low) were defined in section 1.2.4; they represent a measure of the likelihood
of a threat to occur combined with a degree of potential damage for the network and/or the organization should the threat materialize. The vulnerability levels are a representation of the network weakness by which the threats can materialize. The vulnerability levels can be rated at high (level 3), medium (level 2) or low (level 1); each level corresponds to a different scale of weakness. For example, if users of a network are allowed to connect modems to their computer (client station) to access bulletin boards and to remotely connect to the network through their computer, the vulnerability of the network for unauthorized access would certainly be high. On the other hand, if the network external connections are all controlled through a dedicated gateway, the vulnerability of the network for unauthorized access may be reduced to medium or even low. The effectiveness of the identified present safeguards should next be determined. The safeguard effectiveness is a measure of the effect that a safeguard has on the probability of a threat exploiting network vulnerabilities and on the resulting impacts should the threat materialize. Many factors should be looked at to determine the effectiveness of the safeguards; these factors include the vulnerabilities addressed, correctness, strength, dependency on other safeguards, user acceptability, human intervention, etc. The effectiveness of the safeguards can be rated at high (level 3) if the probability of network vulnerabilities being exploited is highly reduced, medium (level 2) if the probability is moderately reduced or low (level 1) if the probability is slightly reduced. For example, the effectiveness of an approved encryption product used on a network for the protection against unauthorized disclosure of information would probably be high.
In comparison, logical access control at the file directory level may consist of a security solution providing low effectiveness against attacks which would result in unauthorized disclosure of information. Security solutions are presented in Chapter 3 with examples of threats that they can counter, and indications of their effectiveness to protect a network against the threats.

Figure 4 – Examples of security solutions in a specific environment

At this point, the decision maker should have all the information required to determine the risk associated with each of the threat scenarios. There are many ways to measure and represent risk. Depending on the particular methodology or approach, the measure could be defined in qualitative terms, quantitative terms, a combination of these, or others. The risk measurement process should be consistent with (and more than likely defined by) the risk assessment methodology being used by the organization. An easy approach is to qualitatively determine the risk as high, medium or low, taking into consideration the exposure rating and the network vulnerability and present safeguards effectiveness levels. The levels of risk are in this case normalized (i.e. low, medium and high) and can be used to compare risks associated with each threat. The disadvantage of having few levels of risk is that the criticality of the components used to determine the risk measure must be factored in to determine priorities. For example, a risk measure that was derived from high exposure, high vulnerability and high present safeguard effectiveness may result in the same risk measure as one that resulted from a low exposure, low vulnerability and low safeguard effectiveness. In these cases, the decision maker needs to decide which risk measure to consider more critical, even though the risk measures may be equal. In this case, it may be decided that the risk measure derived from the high exposure is more critical than the risk measure derived from the low exposure. A more granular method would be to rate the risk on a 5-point scale. A 5-point scale risk measure can be established using Table V, where vulnerability takes precedence over safeguard effectiveness, thus offering a more conservative measure of risk. Even though a more granular rating approach may help to categorise the risks and set priorities, it is not recommended that more than five levels of risk be used, since too many levels make the decision process between the levels very difficult and often without justification.

Table V – Risk Measures Based on Exposure Ratings, Vulnerability Levels and Present Safeguard Effectiveness

                   Vulnerability Level High (3)    Vulnerability Level Med (2)     Vulnerability Level Low (1)
                   Safeguard Effectiveness         Safeguard Effectiveness         Safeguard Effectiveness
Exposure Rating    None  Low   Med   High          None  Low   Med   High          None  Low   Med   High
                   (0)   (1)   (2)   (3)           (0)   (1)   (2)   (3)           (0)   (1)   (2)   (3)
9                   5     5     5     3             5     5     5     2             5     5     5     2
8                   5     5     5     3             5     5     5     2             5     5     4     2
7                   5     5     5     3             5     5     4     2             5     4     3     1
6                   5     5     4     2             5     4     3     2             4     3     2     1
5                   5     5     4     2             5     4     3     1             4     3     2     1
4                   5     4     3     2             5     4     2     1             4     3     1     1
3                   4     4     3     1             4     3     2     1             3     2     1     1
2                   4     3     2     1             3     2     1     1             2     1     1     1
1                   3     3     2     1             2     2     1     1             1     1     1     1

5 = High Risk, 4 = Moderately High Risk, 3 = Medium Risk, 2 = Low Risk, 1 = Very Low Risk.
Vulnerability Level: 3 - High, 2 - Medium and 1 - Low.
Safeguard Effectiveness: 3 - High, 2 - Medium, 1 - Low and 0 - No safeguard.
Whatever methodology is used to rate the risk, the most important aspect of the measure is that the representation be understandable and meaningful to those who need to select security solutions and make risk mitigation decisions.
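The two lookups above (Table III for exposure, Table V for the 5-point risk measure) and the re-rating after a candidate safeguard that section 1.2.7 describes, as an added worked example that is not part of the guide. The tables are transcribed from the guide; the virus/data-file scenario is the one in section 1.2.2, but its likelihood, vulnerability level, safeguard ratings and acceptance threshold are constructed for illustration.

```python
"""Added example: Table III exposure rating and Table V risk measure, applied to
the guide's virus/data-file scenario and re-rated after a candidate safeguard.
Tables are transcribed from the guide; scenario ratings are constructed."""

from dataclasses import dataclass, replace

# Table III: exposure rating indexed by impact level, then likelihood.
# Impact level takes precedence: high impact / low likelihood (4) still
# outranks low impact / medium likelihood (3).
EXPOSURE = {
    "high":   {"high": 9, "medium": 7, "low": 4},
    "medium": {"high": 8, "medium": 6, "low": 2},
    "low":    {"high": 5, "medium": 3, "low": 1},
}

# Table V, one column per (vulnerability level, safeguard effectiveness):
# vulnerability 3=high, 2=medium, 1=low; safeguard 0=none, 1=low, 2=medium,
# 3=high.  Each string lists the risk measure for exposure ratings 9 down to 1.
RISK_COLUMNS = {
    (3, 0): "555555443", (3, 1): "555554433", (3, 2): "555443322", (3, 3): "333222111",
    (2, 0): "555555432", (2, 1): "555444322", (2, 2): "554332211", (2, 3): "222211111",
    (1, 0): "555444321", (1, 1): "554333211", (1, 2): "543221111", (1, 3): "221111111",
}
RISK_LABELS = {5: "High", 4: "Moderately High", 3: "Medium", 2: "Low", 1: "Very Low"}


def exposure_rating(impact_level: str, likelihood: str) -> int:
    """Table III lookup; levels are 'high', 'medium' or 'low' (case-insensitive)."""
    return EXPOSURE[impact_level.lower()][likelihood.lower()]


def risk_measure(exposure: int, vulnerability: int, safeguard: int) -> int:
    """Table V lookup: 5-point risk from exposure (1-9), vulnerability level (1-3)
    and present safeguard effectiveness (0-3)."""
    if not 1 <= exposure <= 9:
        raise ValueError(f"exposure rating must be 1..9, got {exposure}")
    try:
        column = RISK_COLUMNS[(vulnerability, safeguard)]
    except KeyError:
        raise ValueError("vulnerability must be 1..3 and safeguard 0..3") from None
    return int(column[9 - exposure])  # column index 0 holds exposure rating 9


@dataclass(frozen=True)
class Scenario:
    """One asset/threat/impact line of the TRA summary table (section 1.2.4)."""
    asset: str
    threat: str
    impact: str
    impact_level: str   # Table III row: high / medium / low
    likelihood: str     # Table III column: high / medium / low
    vulnerability: int  # 3 high, 2 medium, 1 low
    safeguard: int      # 0 none .. 3 high


def assess(s: Scenario) -> dict:
    """Exposure and risk for one scenario, with the Table V legend label."""
    exposure = exposure_rating(s.impact_level, s.likelihood)
    risk = risk_measure(exposure, s.vulnerability, s.safeguard)
    return {"asset": s.asset, "threat": s.threat, "impact": s.impact,
            "exposure": exposure, "risk": risk, "risk_label": RISK_LABELS[risk]}


def summary_table(scenarios) -> list:
    """Assessed scenarios ordered most critical first: by risk measure, then by
    exposure rating (the tie-break section 1.2.6 suggests for equal risks)."""
    return sorted((assess(s) for s in scenarios),
                  key=lambda r: (r["risk"], r["exposure"]), reverse=True)


def residual_risk(s: Scenario, vulnerability: int, safeguard: int) -> int:
    """Risk after a candidate solution changes the vulnerability level and/or
    safeguard effectiveness; the exposure rating itself is unchanged."""
    return assess(replace(s, vulnerability=vulnerability, safeguard=safeguard))["risk"]


# Section 1.2.2's example: a virus corrupting a data file, first impact high,
# second impact medium.  Likelihood "medium", vulnerability high (no virus
# protection tools, Table IV) and no present safeguard are constructed values.
VIRUS_SCENARIOS = [
    Scenario("corporate data file", "virus", "unauthorized modification to data",
             "high", "medium", vulnerability=3, safeguard=0),
    Scenario("corporate data file", "virus", "disruption of network functions",
             "medium", "medium", vulnerability=3, safeguard=0),
]

if __name__ == "__main__":
    for row in summary_table(VIRUS_SCENARIOS):
        print(f"exposure {row['exposure']}  risk {row['risk']} "
              f"({row['risk_label']})  {row['impact']}")
    # Candidate solution (constructed): virus protection tools rated high (3),
    # vulnerability reduced to medium (2); acceptance criterion risk <= 2.
    for s in VIRUS_SCENARIOS:
        after = residual_risk(s, vulnerability=2, safeguard=3)
        print(f"{s.impact}: residual risk {after}, "
              f"{'acceptable' if after <= 2 else 'not acceptable'}")
```

Both impacts start at risk 5 (High) and fall to 2 (Low) after the candidate safeguard, which is the comparison against acceptance criteria that the mitigation step repeats for each solution considered.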
(i. This process should include an activity that compares the current risk measure (i.7 Risk Mitigation The purpose of this process is to reduce the identified risks to acceptable levels. This can be done by selecting appropriate security solutions that are applied against specific risks. If the risk acceptance results indicates that a threat scenario is acceptable. it may be realized that the currently offered solutions are very costly and cannot be easily implemented into the current configuration and network software. in conjunction with the realities of operation requirements. In most cases the need for a specific service should be readily apparent. This may force the organization into either expending the resources to reduce the risk. When the properties of the candidate security solutions are known. Assets that have adequate protection will not surface as contributing to the risk of the network whereas those assets that have weaker protection do surface as needing attention.. existing mechanisms are adequate) then there is no need to apply 23 Figure 5 . the possibility of using encryption to reduce the risk of unauthorized disclosure of information could be examined and then rejected because this mechanism does not comply with the organization policy and/or it reduces the network performance to an unacceptable level. Initially. exposure ratings and related risks for each asset of the network. safety and reliability requirements. However after reviewing the available safeguards. the organization needs to order the different risk levels that were determined during the risk assessment. or deciding through risk acceptance that the risk will have to be accepted because it is currently too costly to mitigate. The relationship between risk acceptance and the selection of security solutions can be iterative. an assessment of the current security situation for the network can be determined. the organization can determine if the acceptable risk is reached. 
While acceptable effective security and cost considerations are important factors. there may be other factors to consider such as: organizational policy. The final decision to apply safeguards must be determined by senior management and the management responsible for the operation of the network.The use of security solutions reduces the risk . the new risk value obtained after a security solution has been taken into consideration) with acceptance criteria and results in a determination of whether the current risk level is acceptable. a decision can be made to accept a higher risk to reflect the known properties of the safeguards or another solution might be looked for. there may be risks that are determined to be too high. Along with this. if it is not. legislation and regulation. the organization needs to decide the amount of residual risk that it will be willing to accept after the selected security solutions are implemented.2. budget and resources.e. performance requirements.With a list of potential threats. and technical requirements.e. For example. For example. 1.
When a risk is not acceptable, the mechanisms that could potentially reduce or eliminate the vulnerability, or improve the safeguard effectiveness and thus reduce the risk of the threat, could be numerous. For example, the vulnerability of using weak passwords could be reduced by using a one-time password generator mechanism, i.e. a token-based mechanism. Choosing the candidate mechanisms is a subjective process that will vary from one network implementation to another. Network security mechanisms and the implementation of safeguards in a network are discussed in Section 2. There are also many other sources that can be consulted to obtain information on network security solutions and techniques; see section 5, References and Further Reading, for more detail. After all security solutions are implemented, the residual risks should be reassessed. The risk associated with each network asset should now be reduced to an acceptable level or eliminated.

1.3 Network Security Policy

Once the risks to the network and the specific security requirements are identified and understood, a network security policy must be defined to extend the organizational security policy to the network. A network security policy is a concise statement of top management's position on information values, protection requirements and responsibilities, and organizational commitment. The network security policy is also used to describe the system to be protected, its physical and logical perimeters, as defined during the preparation process (see section 2.1), and what parts, if any, are exempted. The network security policy should be issued by the appropriate level of organizational management, i.e. the person in the organization to whom the employees covered by this policy ultimately report. The policy should be created by a team of individuals that may include top management, security officers, and network management.

The purpose of this section is to highlight the issues that should be considered in developing a network security policy. As a minimum, the adopted network security policy should include the following:

- applicability and objective: the objectives and goals of the network and what constitutes the network environment.
- assets and information value: management's position on the value of network assets and of the information treated on the network.
- requirements for security procedures and mechanisms: the procedures and mechanisms that shall be implemented on the network to reduce the identified risks to an acceptable level (e.g. password, personal identification token, mandatory/discretionary access control,
encryption, digital signature[1], virus scan, backup, audit, training, etc.).
- responsibilities: the technical and managerial responsibilities of the individuals involved in the protection of the network and/or in the protection of the information that is stored on and/or travels over the network. The network security policy should clearly define the role of the individuals involved in the operation of the network; these individuals may consist of the network manager(s), network administrator(s), network auditor(s), maintenance staff and users. The example network security policy presented in Appendix C defines responsibilities for functional managers (who may have primary responsibility), users (who may have secondary responsibility), network managers (who are responsible for implementing and maintaining network security and availability), and local administrators (who are responsible for maintaining security in their part of the network environment). Local administrators are usually responsible for groups of users and for specific network components such as servers and client stations. The network security policy should clearly define and establish responsibility for the protection of the information that is processed, stored and transmitted on the network, and for the network itself. Primary responsibility may be with the data owner, i.e. the manager of the organizational component that creates the data, processes it, etc. Secondary responsibility may then be with the users and end users, i.e. those persons within the organization given access to the information by those with primary responsibility.
- commitment: the organization's commitment to protecting the information and the network.

The network security policy should be written such that modifications are rarely required. The need for changes may indicate that it is too specific. For example, requiring that a specific virus detection package be used, and including the name of the package in the policy, may be too specific, considering the rapid pace at which virus software packages are developed. It may be more reasonable to merely state that virus detection software should exist on network client stations, servers, etc., and let the network security officer or administrator specify the product.

[1] Network security procedures and mechanisms are discussed in Section 2.
2 SATISFYING THE REQUIREMENTS FOR NETWORK SECURITY

The requirements for the protection of the network, and of the information that is stored on and/or travels through the network, may be satisfied by the implementation of security services, mechanisms or procedures known as security solutions or safeguards. The security solutions are the collection of mechanisms, procedures and other controls that are implemented on a network to help reduce the risks. For example, the I&A service helps reduce the risk of the unauthorized network access threat. It is important to note that security solutions should not be implemented until a comprehensive network security policy is defined and documented. In fact, the security solutions for a network must be selected to address the issues specified in the network security policy.

The following services will be discussed in this section:

a) data and information confidentiality
b) system and data integrity
c) availability
d) accountability
e) physical security

Network interconnection, especially with the Internet, is not specifically discussed in this document. However, it is important to mention that connecting a network to another one introduces new threats and vulnerabilities that usually cannot all be countered by security solutions. The only 100% assurance solution for network interconnection is to have no connection. Organizations that decide to connect their network to another one should perform a TRA before establishing the connection. The connection should be made only once the new risks are known and accepted, i.e. reduced to an acceptable level. Measuring the new risks is not necessarily easy. Often, data communication specialists must be involved to determine the vulnerabilities of the particular communication protocols, connection interfaces, etc. Firewalls often constitute an effective solution to decrease the risks of interconnecting networks, e.g. of connecting to the Internet. Firewalls implement a network access policy by forcing Internet connections to pass through them, where the connections can be examined and evaluated. They can operate as packet filtering routers, as application gateways, or as both simultaneously, which is more effective. Organizations should remember that even though firewalls can greatly reduce the risk of unauthorized access to a network, they do not provide 100% assurance that they will not be circumvented. See Section 5 (Suggested Readings) for more information on network interconnection, firewalls and the Internet.
2.1 Confidentiality

Confidentiality services should be used when the privacy of information is necessary. These services may incorporate mechanisms associated with the access control service, but can also rely on encryption to provide further confidentiality protection. Confidentiality services also include object reuse and covert channel protection services, which are briefly presented in section 2.1.4. They deal also with TEMPEST technology, which prevents unauthorized individuals or systems from intercepting and compromising the electromagnetic emanations coming from the network components. TEMPEST equipment is normally used to secure top secret information and extremely sensitive designated information, based on a TRA.

2.1.1 Confidentiality via access control

It is possible to protect information or data from unauthorized disclosure by mediating access to it. Most of today's networks offer this service, which is generally implemented with access control lists (ACLs). The ACLs are used to maintain a list of the individuals or groups of individuals (or processes) that are authorized to access specific files or file directories, servers and other network resources. Confidentiality services provide mandatory mediation if the network ACLs are fixed by the administrator and cannot be changed over time by general users, or discretionary mediation if the ACLs can be changed over time at the discretion of authorized general users. The use of access controls for confidentiality purposes relies on, and cannot be effective without, proper I&A of the users; I&A is discussed in section 2.4. In addition, the implementation of ACLs to provide confidentiality requires accurate and careful management of the ACLs, and also physical access protection of the media on which the sensitive information or data is stored: for example, since network data resides on file servers, these should be kept in a secure location, e.g. a locked room or safe. ACLs do not provide protection against unauthorized traffic disclosure, i.e. the information or data can still be captured and read as it travels on the network.

2.1.2 Communication devices to increase traffic confidentiality

Ethernet networking technology dominates the market, for example for Local Area Networks (LANs). From a traffic confidentiality viewpoint, this technology represents a vulnerability, since the data travelling on an Ethernet network is broadcast to all nodes of the network, i.e. all the client stations. Thus, the data travelling on the network can be monitored by any individual who has physical access to a network communication cable or wire. Limited confidentiality can be provided by the use of special communication devices such as hubs or routers. These devices can provide data confidentiality as they control how and where the data travels on the network. As a front line protection, hubs can be used in subnetworks to prevent the data from being broadcast to all nodes. A secure hub centralizes all the subnetwork (or LAN) connections to form a star topology. Since every node has a unique connection to the central hub, each client station and server is isolated from all others. Traffic from one node to another must pass through the secure hub. Thus, all communications between any two points are confined to a single path instead of being broadcast through the whole subnetwork. An individual monitoring the traffic on any client station cable or wire would capture only the data or information travelling between that client node and the secure hub.
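The distinction drawn in section 2.1.1 between mandatory and discretionary mediation, and the dependence of both on I&A, can be made concrete with a small reference-monitor model. This is an added example and not code from the CSE guide; the subjects, secrets, resource names and rights are constructed, and the password check is a stand-in for whatever I&A mechanism the network actually uses.

```python
# Added example, not from the guide: a reference-monitor model of ACL mediation
# for confidentiality. One class enforces either mandatory mediation (only an
# administrator may change an ACL) or discretionary mediation (the owner of the
# resource may also change it). Every access decision first requires that the
# subject has been identified and authenticated; a subject that is on the ACL
# but not authenticated is refused. Subjects, secrets, rights and resource
# names are constructed for the example.
import hashlib
import hmac


def _digest(secret: str) -> bytes:
    return hashlib.sha256(secret.encode()).digest()


class AccessMediator:
    def __init__(self, mode: str, administrators, credentials):
        if mode not in ("mandatory", "discretionary"):
            raise ValueError("mode must be 'mandatory' or 'discretionary'")
        self.mode = mode
        self.admins = frozenset(administrators)
        # Stored verifiers for the I&A step: subject -> sha256(secret).
        self.verifiers = {s: _digest(p) for s, p in credentials.items()}
        self.authenticated = set()
        self.acl = {}       # resource -> {subject: set(rights)}
        self.owner = {}     # resource -> subject

    # --- identification and authentication ---------------------------------
    def login(self, subject: str, secret: str) -> bool:
        stored = self.verifiers.get(subject)
        if stored is None or not hmac.compare_digest(stored, _digest(secret)):
            return False
        self.authenticated.add(subject)
        return True

    def logout(self, subject: str) -> None:
        self.authenticated.discard(subject)

    # --- ACL administration --------------------------------------------------
    def create(self, actor: str, resource: str) -> None:
        if actor not in self.authenticated:
            raise PermissionError("actor not authenticated")
        self.owner[resource] = actor
        self.acl[resource] = {actor: {"read", "write"}}

    def _may_change_acl(self, actor: str, resource: str) -> bool:
        if actor not in self.authenticated:
            return False
        if actor in self.admins:
            return True
        # Discretionary mediation: the owner may change the ACL of its own
        # resources. Mandatory mediation: only administrators may.
        return self.mode == "discretionary" and self.owner.get(resource) == actor

    def grant(self, actor: str, resource: str, subject: str, rights) -> None:
        if not self._may_change_acl(actor, resource):
            raise PermissionError(f"{actor} may not change ACL of {resource}")
        self.acl.setdefault(resource, {}).setdefault(subject, set()).update(rights)

    # --- access decision -----------------------------------------------------
    def access(self, subject: str, resource: str, right: str) -> bool:
        if subject not in self.authenticated:
            return False                      # no I&A, no mediation possible
        return right in self.acl.get(resource, {}).get(subject, set())


# Constructed credentials; in a real system these are enrolled, not literal.
CREDENTIALS = {"admin": "A-secret", "scott": "S-secret", "jeff": "J-secret"}


def demo(mode: str):
    """Run a fixed scenario under the given mediation mode and return outcomes."""
    m = AccessMediator(mode, administrators={"admin"}, credentials=CREDENTIALS)
    m.login("scott", "S-secret")
    m.create("scott", "/projects/budget.txt")
    try:
        m.grant("scott", "/projects/budget.txt", "jeff", {"read"})
        owner_grant = "allowed"
    except PermissionError:
        owner_grant = "refused"
    if owner_grant == "refused":               # mandatory: an administrator must do it
        m.login("admin", "A-secret")
        m.grant("admin", "/projects/budget.txt", "jeff", {"read"})
    before_login = m.access("jeff", "/projects/budget.txt", "read")
    m.login("jeff", "J-secret")
    after_login = m.access("jeff", "/projects/budget.txt", "read")
    bad_login = m.login("jeff", "guess")
    write = m.access("jeff", "/projects/budget.txt", "write")
    return {"owner_grant": owner_grant, "read_before_login": before_login,
            "read_after_login": after_login, "bad_login": bad_login, "write": write}


if __name__ == "__main__":
    for mode in ("mandatory", "discretionary"):
        print(mode, demo(mode))
```

The same scenario run in both modes shows the one place where they differ (whether the owner's own grant is honoured) and the place where they do not: an entry on the ACL is worthless to a subject that has not passed I&A, which is the reason the text says access control "cannot be effective without" it.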
Secure routers are mostly utilized to restrict certain data, or applications, from passing beyond certain subnetworks, based on the origin or destination address. For example, the data coming from file server A in subnetwork 1 is filtered by a secure router to prevent it from being transmitted into subnetwork 2. To a large degree, then, using secure routers or hubs it is possible to control unauthorized access to network traffic as it moves through the network. These mechanisms do not provide complete traffic confidentiality services, however, since information and data circulating on the network can still be monitored and captured. For most organizations, this is a realized and accepted problem. For others that cannot accept this vulnerability, network confidentiality services can be provided through the use of encryption.

2.1.3 Encryption

As discussed in the previous section, encryption can be utilized to reduce the risk of someone capturing and reading data in transit, by making the information unreadable to those who may capture it. Encrypting information converts data to an unintelligible form, cipher text. To convert the information back to its original form, decryption must be performed. In this way, only the authorized user who has the correct key can decrypt the message once it is received. Sensitive information can also be stored in encrypted form: if the access control service is circumvented, the file may be accessed but the information is still protected for confidentiality by being encrypted. The use of encryption may be critical on client stations that do not provide an access control service as a front line protection. In any case, the decision to use encryption should depend on a TRA. Care should be taken when selecting particular encryption products, in view of the varying degree of protection they offer. Organizations should consult CSE when selecting such products.

Cryptography can be categorized as either symmetric (secret) key or asymmetric (public) key. Symmetric or secret key cryptography is based on the use of a single cryptographic key shared between two parties. This key is kept secret by the two parties, and the same key is used to encrypt and decrypt data. For the encryption of designated information (Protected A, B or C), the use of the Data Encryption Standard (DES) is approved for the Government of Canada (GoC). DES is a symmetric key algorithm which requires the same key to be used for encryption and decryption. The U.S. Federal Information Processing Standards Publication (FIPS) 46-2 provides for the implementation of the DES algorithm in hardware, software, firmware or some combination.
Asymmetric or public key cryptography is a form of cryptography which makes use of two keys: a public key and a private key. The two keys are related, but have the property that, given the public key, it is deemed computationally infeasible to derive the private key. In a public key cryptosystem, each party has its own public/private key pair. The public key can be known by anyone; the private key is kept secret. An example of providing confidentiality is as follows: two users, Scott and Jeff, wish to exchange sensitive information. Scott can encrypt the information with Jeff's public key. The confidentiality of the information is maintained since only Jeff can decrypt the information, using his private key. Asymmetric encryption technology is also used in conjunction with a hash function to produce digital signatures, which provide integrity and non-repudiation services. This will be discussed in Sections 2.2 and 2.4.

Since asymmetric encryption technology is less performant than symmetric (symmetric encryption generally offers higher throughput[2]), symmetric encryption is normally utilized to encrypt the actual data or information that requires confidentiality, whereas asymmetric encryption technology is used for the secure distribution of the symmetric keys whose confidentiality must be preserved, and in electronic commerce applications. There is currently no public-key encryption algorithm specifically approved for confidentiality in Canada. However, the use of asymmetric encryption for confidentiality purposes, with algorithms such as Rivest Shamir Adleman (RSA) and the Digital Signature Algorithm (DSA), is approved by CSE on a case-by-case basis. (Note that DSA is a signature algorithm and does not itself encrypt; it supports confidentiality only indirectly, e.g. by authenticating a key exchange.)

2.1.3.1 Encryption key management

Any encryption system relies on proper key management to be effective; in fact, an encryption system has no benefit when its keys are compromised. When the decision to use encryption technologies in a network is made, it is crucial that proper key management be put in place to support the encryption. Proper key management includes the generation of cryptographic keys that have specific properties (e.g. randomness, lengths, etc.), the distribution of the keys to the appropriate users or systems, the protection of the keys against disclosure, modification and/or substitution, and maintaining the confidentiality of that information. CSE is presently developing and designing designated and classified electronic key management systems (EKMS) to support the protection of information in Canadian government communication and information processing systems. These key management systems will provide various services to their GoC clients, including confidentiality, digital signature and key certificate management services, non-repudiation services, privilege management services, directory services, personal token management services and more, and key distribution, which can also include archiving. The EKMS for designated and classified information should start their operations in 1997 and 1999 respectively.

[2] For hardware implementations, the encryption speed (throughput) of DES is approximately 100 Mbits/sec, compared to 50-100 kbits/sec for RSA (512-bit modulus).
2.1.3.2 Location of encryption services in layered communications

The fact that network communication normally operates in layered architectures (e.g. Open Systems Interconnection (OSI), Transmission Control Protocol/Internet Protocol (TCP/IP)) makes it possible to place the encryption services at various locations in the communication stack. Each location offers advantages and disadvantages; there is no "best" location. The choice of the location should be driven by the security requirements, i.e. the threats to be countered.

Encryption at a lower layer (e.g. the physical layer) enciphers the information transmitted on a network connection cable or wire, independently of and transparently to all higher communication protocols. Link encryption devices (e.g. encryption modem, T1 encryptor) normally consist of hardware. They can easily be found and inserted at common standardized physical interface points. Since confidentiality protection is provided on a link-by-link basis, this type of implementation is called point-to-point encryption, meaning that the data must be decrypted at the end of each communication link before it can be processed; this preserves the capability of transmitting data through multiple relay systems to reach the destination. Traffic flow confidentiality can also be provided by point-to-point encryption: a constant traffic flow can be generated on the protected links to avoid the disclosure of information linked with the amount of traffic.

Implementing encryption in the middle of the communication stack (i.e. at the network layer) can be done in hardware or software. It makes encryption operate independently of and transparently to the applications. Since the network layer normally corresponds to standardized physical interface points (e.g. LAN interfaces, X.25), it is relatively easy to find security products that operate at this level. The encapsulated data coming from the upper layers being encrypted, the confidentiality of the upper layer protocol headers (Transport, Presentation or TCP) is protected. However, the network layer's own communication protocol headers are not protected, which leaves the origin and destination addresses in the clear.

When an encryption service is located at an upper layer, e.g. the application layer, encryption/decryption occurs at each end of the communication path, and this type of implementation is called end-to-end encryption. This normally software-implemented approach is particularly suitable for electronic mail applications, to protect the content of messages against unauthorized disclosure. In fact, it is also effective for the encryption of other application-specific data residing on site or travelling across the network. Hardware implementations usually offer a higher level of trust, in that the integrity of the device functionality can normally be better preserved. In other words, the protection of security-critical data such as cryptographic keys can be better achieved in hardware than in software.

2.1.4 Object reuse and covert channel

Some confidentiality services might be required to eliminate information that remains in a shared network resource such as server memory or storage media. These mechanisms, which normally come with the network operating system, include overwriting deleted files, overwriting memory blocks before they are reassigned, etc. They can also be used to revoke previous authorizations to network resources before the resources are reassigned to a user or process.
Covert channels are among the least known network vulnerabilities. Even less understood, by all but a handful of security experts, are the mechanisms to eliminate or reduce covert channels on a network. Because of its complexity, protection against covert channels will not be discussed in detail. However, one should know that a covert channel is a means of transferring information from one individual or process to another without confidentiality mediation. In other words, a covert channel consists of a hidden communication path that bypasses the security safeguards in place. The most basic component of a covert channel is its medium, through which information can be transferred. The main characteristic of a medium is that it must have at least one property whose condition is variable, e.g. the voltage on a wire, the polarity of a region on a disk, the stability state of a memory cell, and more. Information is conveyed over the covert channel by changing the condition of the medium. If covert channels are a concern for a network, a covert channel analysis should be conducted by technical experts to identify all covert channels. Techniques to eliminate or reduce the efficiency of covert channels include limiting access to the channel, introducing noise to reduce the usable bandwidth, encrypting data, and monitoring and eliminating the processes that use a covert channel.

2.1.5 Providing confidentiality

The types of security mechanisms that could be implemented to provide confidentiality services are summarized in Table VI below.

2.2 Integrity

The purpose of the network integrity services is to ensure that the network resources operate correctly and that the data travelling through the network or stored on the network is unaltered. These services provide protection against deliberate or inadvertent unauthorized modification of network functionality (system integrity) and of information (data integrity).

2.2.1 System integrity

Physical integrity mechanisms are usually an easy and low cost solution to protect the system integrity of a network when physical access is an issue. These mechanisms can indicate (tamper evident), restrict (tamper resistant) or respond to (tamper response) physical access to network resources. Some examples of these mechanisms include the following:

Tamper evident: break-away labels, seals, bleeding paint, visual indication
Tamper resistant: hard coating / encapsulation, armoured case, locked rooms, padlocks
Tamper response: alarm, zeroization, audit entry
Table VI - Confidentiality Mechanisms and Services

Protection mechanism, procedure or technique (columns): File access control; Physical access control to network resources; Encryption with proper key management; Overwriting mechanism; TEMPEST equipment; Rules and procedures; Secure hubs and routers; Virus/TSR scan.

Attacks or exploitable vulnerabilities (rows): Lack of access mediation to data; Lack of physical security; Wire tapping; Network analyser; Exposed monitors and printers; Object reuse; EMC*/EMI**; Exploitation of a covert channel; Trojan horse.

Cell ratings as printed: /// / /// / / // / / / /// /// /// /// // / // / /// / / /// / / / /// / / // / / / / / //[1]

///: The safeguard has a high potential to efficiently counter the threat or reduce the vulnerability.
//: The safeguard has potential to efficiently counter the threat or reduce the vulnerability.
/: The safeguard has some potential to efficiently counter the threat or reduce the vulnerability.
[1]: The Trojan horse will be detected if it consists of a Terminate and Stay Resident (TSR) program.
* Electromagnetic Compatibility (EMC)
** Electromagnetic Interference (EMI)

A good protection against the threat of accidental unauthorized actions being taken, or a way to limit the effects of such actions if one does occur, is to force network managers to access the network through distinct, separated roles on a least privilege basis. For example, creating separate administrator, auditor and operator roles could limit the potential damage to only the portion of the network to which a particular administrator is authorized. Normally, if these three roles were combined, the damage to the network operation caused by an inadvertent action would potentially be more important.

Self-testing services on a network provide a means of validating correct network operation. Their purpose is to determine if the network and/or network resources operate correctly. Self-testing services are normally implemented separately in the various network components. Some self-tests are automatically initiated by the network during normal operation, whereas others must be launched by an administrator or operator. Automated testing initiated by the network increases the network system's integrity, as human error is reduced. A rollback mechanism can be implemented to undo the last action or the last series of actions and return the network to a known previous state when self-testing fails.
2.3. communication devices. then the data is considered authentic. 33 . A digital signature.2 Data integrity The data integrity services help to protect data and software residing on client workstations. data modification. the digest of a piece of information (which can be a file. The unauthorized modification can be intentional or accidental. If the two CCs are equal. The inadvertent modification of data caused by noise. then it is possible to detect deleted or missing data. The use of checksums provide a modification detection capability. and security functions.g. the receiver has confidence that the information was signed using the private key of the originator and that it had not been altered after it was signed. but unauthorized. 4 3 If sequence numbers are used. is normally handled through lower communication protocol.2. These services can be provided by the use of cryptographic checksums3 (CC) and very granular access control and privilege mechanisms. file servers. The software aspects of system integrity can be addressed by many of the data integrity strategies discussed below. the most critical network components that may require these services are network servers. encrypted cyclic redundancy check (CRC) and seals. provides two distinct services: non-repudiation and message integrity. It can protect against both accidental and intentional. The more granular the access control or privilege mechanism. and other network components from unauthorized modification. Using a public key system. not only digital signatures provide data integrity Other terminologies for CC include Message Authentication Code (MAC). the less likely an unauthorized or accidental modification can occur Contrary to access control. as long as it is not completely deleted4. A CC is initially calculated by applying a cryptographic algorithm with a secret key to data or a digest of the data. therefore.various network components. Otherwise. 
e-mail message or other data) is generated and is then electronically signed (encrypted) by applying the originator's private key. The signature can be verified using the public key of the originator. The data is later verified by applying the cryptographic algorithm and the same secret key to the data or data digest to produce another CC. deleted or added to in any manner during transmission. the data integrity services provide a means to verify if the data is altered. The initial CC is retained.. an unauthorized modification is assumed. A digital signature can be generated using asymmetric cryptography technology. Most of the security techniques available today cannot prevent the modification of data as it travels through a network and can only detect the modification of the data. Because private keys are known only to their owner. Any party trying to modify the data without knowing the key would normally not be capable to calculate the appropriate CC corresponding to the altered data. network operating systems. e. The resulting digital signature and information can then be stored or transmitted. bad connection etc. If the signature verifies properly. it may be also possible to verify the originator of the information to a third party. The use of digital signatures (which can be seen as a specific type of CC) can also be used to detect the modification of data or messages. this CC is then compared to the initial CC. Ethernet 802.
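The CC procedure described above (compute under a secret key, retain, recompute and compare) together with the sequence-number point of footnote 4 is shown below in working form. This is an added example, not code from the CSE guide; it uses HMAC-SHA256 from the Python standard library as the keyed cryptographic algorithm, and the key, messages and attacker actions are constructed for the example. In a deployed system the key must come from the key management process of section 2.1.3.1, not from a literal in the code.

```python
# Added example, not from the guide: cryptographic checksums (CC) as a keyed
# hash (HMAC-SHA256 from the standard library) with a sequence number bound
# into each CC, which is what footnote 4 relies on to detect deleted or
# missing records. The verifier reports modified records, gaps in the
# sequence, and records whose CC was produced without the key. The key and
# the messages below are constructed for the example; a real key must come
# from a proper key management process.
import hashlib
import hmac

KEY = bytes.fromhex("000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f")


def make_cc(key: bytes, seq: int, data: bytes) -> bytes:
    """CC over (sequence number || data); the key is the only secret."""
    return hmac.new(key, seq.to_bytes(4, "big") + data, hashlib.sha256).digest()


def protect(key: bytes, messages) -> list:
    """Attach a sequence number and CC to each message, in order."""
    return [(seq, m, make_cc(key, seq, m)) for seq, m in enumerate(messages)]


def verify_stream(key: bytes, records, expected_count=None):
    """Check a received stream of (seq, data, cc) records.

    Returns (accepted_messages, errors). Error entries are "modified:<seq>"
    when the CC does not match (altered data, altered sequence number, or a
    CC forged without the key) and "missing:<seq>" for each gap. If
    expected_count is known, trailing deletions are reported too; without it,
    deleting the whole tail (or the whole stream) is undetectable, which is
    the limitation footnote 4 points out."""
    accepted, errors = [], []
    expected = 0
    for seq, data, cc in records:
        while expected < seq:                 # gap in the sequence numbers
            errors.append(f"missing:{expected}")
            expected += 1
        if hmac.compare_digest(cc, make_cc(key, seq, data)):
            accepted.append(data)
        else:
            errors.append(f"modified:{seq}")
        expected = seq + 1
    if expected_count is not None:
        while expected < expected_count:      # records deleted from the end
            errors.append(f"missing:{expected}")
            expected += 1
    return accepted, errors


def demo():
    """Constructed scenario: four records are sent; an attacker alters one,
    drops one, and forges a CC for a fifth record with a key of their own."""
    sent = protect(KEY, [b"transfer 100", b"transfer 250", b"transfer 75", b"transfer 10"])
    seq1, _data1, cc1 = sent[1]
    tampered = (seq1, b"transfer 999", cc1)           # data changed, CC kept
    forged = (4, b"transfer 5000", make_cc(b"attacker-key", 4, b"transfer 5000"))
    received = [sent[0], tampered, sent[3], forged]   # record 2 dropped
    return verify_stream(KEY, received)


if __name__ == "__main__":
    ok, errs = demo()
    print("accepted:", ok)
    print("errors:  ", errs)
```

Binding the sequence number into the CC is what makes reordering and deletion detectable; a CC over the data alone would accept a replayed or reshuffled stream. The comparison uses a constant-time compare so that the verifier itself does not leak the expected CC byte by byte.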
2.2.2.1 Key management issues

CC depends upon cryptographic keys. As mentioned in section 2.1.3.1, it is crucial that the keys be generated with specific properties, be distributed safely and be terminated effectively. Without proper key management, the use of CC is probably useless.

2.2.2.2 Location of integrity services in layered communications

As discussed in section 2.1.3.2 for encryption services, the CC service can be implemented at various layers of the network communication architecture. Implementations at the upper layers of the stack permit integrity to be applied to application-specific data; this data can be transmitted over the network or can reside locally. Integrity services can also be implemented in the mid-layers, mainly for the integrity protection of data as it travels over the network. This type of implementation may be particularly effective in situations where the information has to travel through untrusted sites. However, integrity services are normally not available at the lower layers, where information is not recognized[5].

2.2.3 Providing integrity

The types of security mechanisms that could be implemented to provide integrity services are summarized in Table VII below.

[5] The lowest layers of communication stacks usually manipulate all the data as "bits", not information.

Table VII - Integrity Mechanisms and Services

Mechanism, procedure or technique (columns, continued on the next page): File access control; Physical access control to network resources.

Attacks or exploitable vulnerabilities (rows): Lack of access mediation to data; Lack of physical security; Network analyser; Virus; Hardware failure; Software failure; Lack of separated roles; Human error.

Cell ratings as printed: /// / / / / /// // /
Table VII (continued) - Mechanism, procedure or technique: Encryption[6] with proper key management; Data backups; Rules and procedures; Rollback; Virus/TSR scan; Self-testing.

Attacks or exploitable vulnerabilities (rows): Lack of access mediation to data; Lack of physical security; Network analyser; Virus; Hardware failure; Software failure; Lack of separated roles; Human error.

Cell ratings as printed: / / / / /// /// /// /// /// /// /// // // // / // /// /// // /// /// /

///: The safeguard has a high potential to efficiently counter the threat or reduce the vulnerability.
//: The safeguard has potential to efficiently counter the threat or reduce the vulnerability.
/: The safeguard has some potential to efficiently counter the threat or reduce the vulnerability.
[6] Encryption here refers to data encryption, CC or digital signature using a CSE approved algorithm.

2.3 Availability

The availability services ensure that the network resources and data are accessible to all users as expected. The availability services are more than backups. In fact, they exist specifically to thwart network denial of service attacks or events. In organizations where disruptions of network functionality can cause severe harm, doing data backups on a regular basis is probably not enough. In some applications, these services can be categorized in two main groups. In the first one we find the containment services, i.e. those that are required to prevent individuals, malicious or not, from over-utilizing network resources such as disk space, memory, bandwidth, etc. in such a way that the resources become unavailable to other users. The availability services which guarantee that the network functionality is preserved when hardware or software failures occur are combined in a second group, which we can call "Failure Tolerance".
2.3.1 Containment
Containment services are utilized to restrict access to, or use of, a network resource to a certain level, to prevent users from hoarding network resources in such a way that the same resources become unavailable to other users. The most common method of containment is the use of mechanisms implementing quotas. Quotas place upon a user restrictions as to the maximum amount of any given network resource that user can obtain. All the network resources protected by quotas are monitored to ensure that the threshold limiting the use of the resources is not exceeded. Quotas can be implemented in software, in the network operating system, or in hardware. Table VIII lists possible network resources against which quotas can be applied.

Table VIII - Quotas for Availability of Resources
QUOTA            DESCRIPTION
Maximum Disk     Maximum disk space allowed.
Maximum Memory   Maximum memory allowed per given user or process.
CPU Time         Maximum CPU allowed per given user or process.
Data Output      Maximum user data output allowed per session (i.e. limit on the network traffic generated).
Logon            Maximum logon attempts and/or the maximum amount of time before a logon attempt is logged out.
Session          Maximum on-line session time and/or maximum system errors allowed per session.

Quotas may change dynamically in order for the network to adapt to different operational requirements. For example, an administrator could define prioritized users or groups of users whose allocated network resource quotas inflate under particular circumstances. Thus, a network could enter a state where only the highest priority users would have access to certain network resources at the expense of other users. As an absolute limit, access to a network resource can be denied to certain users to make the resource more available to higher priority users.
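The quota enforcement and dynamic prioritization described above can be reduced to a small monitor that checks every request against the caller's current limit. The example below is added here and is not code from the original guide; the groups, limits, inflation factor and the "degraded" mode (priority groups inflated, everyone else denied outright) are constructed assumptions for the illustration.

```python
from dataclasses import dataclass, field

# Quota kinds follow Table VIII (disk, data output per session, session
# time). Groups, values and the "degraded" mode are this example's own.


@dataclass(frozen=True)
class Quota:
    max_disk_kb: int
    max_output_kb: int          # data output allowed per session
    max_session_seconds: int


@dataclass
class Session:
    user: str
    group: str
    disk_kb: int = 0
    output_kb: int = 0
    seconds: int = 0
    denials: list = field(default_factory=list)


class QuotaEnforcer:
    """Monitors each quota-protected resource and refuses a request that
    would push a session past its threshold. In "degraded" mode, priority
    groups get inflated quotas and all other groups are shut out of the
    resource: the absolute-limit behaviour described in the text."""

    def __init__(self, base: dict, priority_groups: set, inflation: float = 2.0):
        self.base = base                      # group name -> Quota
        self.priority = priority_groups
        self.inflation = inflation
        self.mode = "normal"

    def limit(self, session: Session, resource: str) -> int:
        q = self.base[session.group]
        ceiling = {"disk_kb": q.max_disk_kb,
                   "output_kb": q.max_output_kb,
                   "seconds": q.max_session_seconds}[resource]
        if self.mode == "degraded":
            return int(ceiling * self.inflation) if session.group in self.priority else 0
        return ceiling

    def request(self, session: Session, resource: str, amount: int) -> bool:
        """Grant only if current usage plus the request stays within the limit;
        a denied request leaves the usage counter untouched."""
        used = getattr(session, resource)
        if used + amount > self.limit(session, resource):
            session.denials.append((resource, amount))
            return False
        setattr(session, resource, used + amount)
        return True


def containment_demo() -> dict:
    base = {"staff": Quota(max_disk_kb=50_000, max_output_kb=10_000, max_session_seconds=8 * 3600),
            "ops": Quota(max_disk_kb=200_000, max_output_kb=50_000, max_session_seconds=24 * 3600)}
    enforcer = QuotaEnforcer(base, priority_groups={"ops"})
    alice = Session("alice", "staff")
    bob = Session("bob", "ops")
    out = {}
    out["staff_within_quota"] = enforcer.request(alice, "output_kb", 9_000)
    # A hoarder pushing 5 MB more through a 10 MB per-session output cap is refused.
    out["staff_hoarding_denied"] = not enforcer.request(alice, "output_kb", 5_000)
    out["staff_usage_unchanged"] = alice.output_kb == 9_000

    enforcer.mode = "degraded"                # e.g. a saturated link
    out["priority_inflated"] = enforcer.limit(bob, "output_kb") == 100_000
    out["staff_shut_out"] = not enforcer.request(alice, "disk_kb", 1)
    out["priority_still_served"] = enforcer.request(bob, "output_kb", 60_000)
    return out


if __name__ == "__main__":
    for check, ok in containment_demo().items():
        print(f"{check:26s} {ok}")
```

Note that the monitor only works if every path to the resource goes through `request`; a quota that the file system, print spooler or mail system can bypass is not a containment service.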
2.3.2 Failure Tolerance
Failure tolerance services allow networks to preserve the availability of their resources after component failures. These services are crucial to maintain network functionality and are often neglected. The main idea regarding the fault tolerance services is that they exist to preserve network functionality: continuing operation while specific components are replaced and/or recovering after a service discontinuity. They provide a network with the capability of withstanding component failures; they can consist of a stand-alone system or sub-system. Table IX lists the most common failure tolerance services used today:
Table IX - Failure Tolerance Services
Component: Servers, client stations, communication devices
  Service: Uninterruptible Power Supply (UPS)
  Description: Provides electrical power to the system when normal power is cut off.
Component: Network
  Service: Back-up administrator account
  Description: Provides the capability to manage the network when the administrator cannot perform his/her duties.
Component: Server
  Service: Dual synchronized hard disks
  Description: The data stored on a server is replicated; the alternate hard disk takes over when the main one fails.
Component: Server
  Service: Data back-up
  Description: Data stored in a server is backed up and can be recovered. The back-ups should be stored at a different location to prevent a situation where both the server and the back-up are destroyed.
Component: Hardware component (computer or communication device)
  Service: Hot stand-by module
  Description: A module in a piece of hardware is duplicated; the alternate module takes over when the main one fails.
Component: Communications
  Service: Back-up link
  Description: Provides an alternate communication link when the main link is cut off.
Component: Cryptographic system
  Service: Key archiving/back-up
  Description: A copy of the encryption keys is securely stored; authorized individuals can use these keys to decrypt data in case the original keys are lost, damaged or not accessible.

2.3.3 Providing availability
The types of security mechanisms that could be implemented to provide availability services are summarized in Table X below.
Table X - Availability Services and Mechanisms
Attacks or exploitable vulnerabilities (columns): accidental physical destruction (e.g. coffee spill); destruction of data (e.g. disk format); sabotage; non-availability of key personnel; hardware failure; software failure; communication failure; Trojan horse or virus.
Protection mechanism, procedure or technique (rows):
- Access control to data
- Physical access control to network resources
- Back-up of data
- Rules and procedures
- Back-up communication links
- Hot standby module (marked /// for H/W, for S/W and for communication devices)
- Back-up administrator account
- Virus/TSR scan
Legend: ///: the safeguard has a high potential to efficiently counter the threat or reduce the vulnerability. //: the safeguard has potential to efficiently counter the threat or reduce the vulnerability. /: the safeguard has some potential to efficiently counter the threat or reduce the vulnerability.
[Remaining per-cell rating marks are not recoverable in this copy.]

2.4 Accountability
The purpose of the accountability services is to attribute the responsibility for an action to the proper individual. The accountability services operate in three different ways. First, the services are used for user I&A purposes, i.e. they ensure that only recognized users access the network and/or its protected resources, and can be seen as an access control mechanism to the network. Second, they monitor and log activities occurring on the network in general or on specific entities; such activities include user logon, password change, file delete, etc. These are the auditing services. Finally, networks utilize these services for non-repudiation purposes. In this case, they provide means to prove the origin of a message to the recipient and/or a proof of delivery to the sender of a message.
2.4.1 Identification and Authentication
The first step toward securing the resources of a network is the ability to verify the identities of users. The process of verifying a user's identity is referred to as authentication. Without being authenticated, the network cannot trust that the user is in fact who the user claims to be. Authentication provides the basis for the effectiveness of other controls used on the network. For example, the I&A mechanism uses a userid/password scheme; the access control mechanism permits access to network resources based on the same userid; and the auditing mechanism provides usage information based on the userid. Both these controls are only effective under the assumption that the requester of a network service is the valid user assigned to that specific userid.

The authentication is done by having the user supply something that only the user has, such as a token; something that only the user knows, such as a password; and/or something that makes the user unique, such as a fingerprint (see section 2.4.1.2 below). The more of these types that the user has to supply, the less risk there is of someone masquerading as the legitimate user.

A requirement specifying the need for authentication should exist in each network security policy. The requirement may be directed implicitly in a program level policy stressing the need to effectively control access to information and network resources, or may be explicitly stated in a network specific policy that states that all users must be uniquely identified and authenticated.

2.4.1.1 User ID/Password for authentication
On most networks, the I&A mechanism uses a userid/password scheme. Password systems can be effective if managed properly, but unfortunately seldom are. Authentication which relies solely on passwords has often failed to provide adequate protection for a number of reasons. Users tend to create passwords that are easy to remember and hence easy to guess, and thus unacceptable. On the other hand, users that must use passwords generated from random characters, while difficult to guess, also find them difficult to remember. This forces the user to write the password down, most likely in an area easily accessible in the work area. The need for multiple passwords makes the problem even worse. Proper password selection (striking a balance between being easy to remember for the user but difficult to guess for everyone else) has always been an issue. Password generators that produce passwords consisting of pronounceable syllables have more potential of being remembered than generators that produce purely random characters. Password checker software is available and can be useful to determine whether a new password is considered easy to guess.

User ID/password mechanisms, especially those that transmit the password in the clear (in an unencrypted form), are susceptible to being monitored and captured. This can become a serious problem since many networks have uncontrolled connection links, particularly to the Internet; the Internet is probably the best example of what an uncontrolled network looks like. Organizations that are considering connecting their network to outside networks should examine all the implications before doing so. If, after considering all authentication options, the TRA determines that user ID/password systems are acceptable, the proper management of password creation, storage, expiration and destruction becomes all the more important.
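The password checking and the limits on login attempts discussed in this section can be expressed as two small components: a checker that rejects easy-to-guess candidates against a site specific dictionary, and a throttle that caps unsuccessful attempts and imposes a growing delay between them. The example below is added here and is not code from the original guide; the dictionary words, rule thresholds and delay schedule are constructed assumptions.

```python
import re

# Constructed site specific dictionary; a real one would hold company,
# product and local place names in addition to common words.
SITE_DICTIONARY = {"password", "welcome", "netware", "ottawa", "secret", "qwerty"}


def check_password(password: str, userid: str, min_length: int = 8) -> list:
    """Return the list of rules a candidate password breaks; empty means accepted."""
    problems = []
    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")
    if not re.search(r"[0-9]", password) or not re.search(r"[^A-Za-z0-9]", password):
        problems.append("needs at least one digit and one non-alphanumeric character")
    lowered = password.lower()
    if userid.lower() in lowered:
        problems.append("contains the userid")
    # Strip digits and punctuation so "Welcome1!" is still caught as "welcome".
    core = re.sub(r"[^a-z]", "", lowered)
    if core in SITE_DICTIONARY or any(w in core for w in SITE_DICTIONARY if len(w) >= 5):
        problems.append("based on a word in the site dictionary")
    if re.search(r"(.)\1{2,}", password):
        problems.append("repeats one character three or more times")
    return problems


class LoginThrottle:
    """Caps unsuccessful attempts and doubles the required delay after each
    failure. The clock is passed in explicitly so the behaviour is testable
    without sleeping."""

    def __init__(self, max_attempts: int = 5, base_delay: float = 2.0):
        self.max_attempts = max_attempts
        self.base_delay = base_delay
        self.failures = {}                  # userid -> (count, time of last failure)

    def attempt_allowed(self, userid: str, now: float) -> bool:
        count, last = self.failures.get(userid, (0, 0.0))
        if count >= self.max_attempts:
            return False                    # locked until an administrator resets it
        if count == 0:
            return True
        return now - last >= self.base_delay * (2 ** (count - 1))

    def record_failure(self, userid: str, now: float) -> None:
        count, _ = self.failures.get(userid, (0, 0.0))
        self.failures[userid] = (count + 1, now)

    def record_success(self, userid: str) -> None:
        self.failures.pop(userid, None)

    def reset(self, userid: str) -> None:
        """Administrator action after the user has been identified out of band."""
        self.failures.pop(userid, None)


if __name__ == "__main__":
    for candidate in ("Welcome1!", "jsmith99!", "x7!Rq2mZp9"):
        print(candidate, check_password(candidate, "jsmith") or "accepted")
```

The checker runs at password change time, the throttle at every logon; neither helps against a password captured in the clear on the wire, which the measures that follow address separately.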
The following consists of measures to help reduce the vulnerabilities associated with userid/password authentication mechanisms:
1) Educate users, including administrators, on the vulnerabilities linked with userid/password authentication.
2) Allocate passwords to individual users. Passwords shall not be shared.
3) Passwords should be remembered. They shall not be written down.
4) Change default passwords (e.g. at system installation) as soon as possible.
5) Ensure that passwords are changed on a regular basis.
6) Impose password restrictions in regards to minimum length, use of numeric or other characters, and avoidance of "easy to guess" passwords or passwords included in site specific dictionaries.
7) Limit the number of unsuccessful login attempts.
8) Impose a time delay between login attempts.
9) Ensure that typed-in passwords are not displayed on monitors.
10) Prevent passwords from travelling over the network in the clear.
11) Ensure that any form of password information transmitted across the network, encrypted or not, cannot be re-used for unauthorized authentication, to avoid replay attacks.
12) Avoid the practice of keeping passwords in batch files (for automatic password entry).
13) Ensure proper and safe storage of the passwords.

2.4.1.2 Other Authentication Mechanisms
Because of the vulnerabilities that still exist with the use of a userid/password scheme, more robust mechanisms are often recommended. Examples of more robust authentication technologies are described as follows:

a) One-time password
This mechanism relies on the fact that unique one-time passwords are generated at each user authentication. The passwords are normally generated by a special device similar to a smart card or a credit card size calculator, which can be considered as "something you have" (see section 2.4.1). The end user enters the password displayed by the device to gain access to the host site. This technology offers fewer vulnerabilities than the previously described userid/password scheme, particularly in regards to password guessing, disclosure of the password and replay attacks. However, the vulnerability of an intruder hijacking the session once the authentication is successfully completed remains. This technology is particularly effective for remote access to networks through modems or for authentication on a remote network site through untrusted paths or relays.
b) Challenge-response
A challenge-response scheme can be described as follows. An end user sends his/her identity to a remote host. Based on the user identity, the host transmits a challenge consisting of numbers and/or characters down to the user. The user enters the challenge into a device similar to the one described above for the one-time password generator, which then generates a response based on the entered challenge. The end user forwards the response to the host to gain access to the system. The main advantage of this mechanism over the one-time password scheme is that synchronization between remote sites is not required. However, the strength of the challenge-response scheme relies on the algorithm used to convert the challenge into a response. When selecting such a product, consideration should be given to the algorithm employed, the use of keys and the randomness of the challenge. The session hijack vulnerability is not reduced with the use of this mechanism.

A very effective mechanism for user authentication and establishment of a secure session is the use of challenge-response followed by data encryption. Once both sites are mutually authenticated, a session encryption key is shared between the parties to encrypt future data transmitted during the session. In addition to reducing the vulnerabilities previously mentioned for one-time password and challenge-response technologies, this mechanism also provides protection against hijacking attacks and confidentiality protection of the data transmitted during the session.

c) Smart card
In this scheme, the user first needs a smart card or similar token (e.g. a Personal Computer Memory Card International Association (PCMCIA) device) to insert into a device reader. Then challenge-response takes place between the host and the end user/smart card. Since today's smart cards do not have the necessary throughput to encrypt messages, the encryption must be performed outside of the card. However, smart cards can be used to store sensitive data such as private keys and passwords, or be used as tokens. The level of trust associated with this scheme relies highly on the effectiveness of key management, the strength of the encryption and challenge-response algorithms, and the proper management of the smart cards among users.
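The challenge-response exchange in b), followed by the shared session key in the paragraph after it, is shown end to end below with both sides' messages. This is an added example, not code from the original guide or from any product: it assumes an HMAC-based response function inside the token, a random 16-byte challenge that is consumed after one use, and a per-message MAC with a sequence number under the derived session key (the part that defeats the hijacker). Encryption of the session data itself is left out; a deployment would add an approved cipher keyed from the same derivation.

```python
import hashlib
import hmac
import os

# Constructed token secret shared between the host and the user's token
# device, provisioned out of band. Names and message formats are this
# example's own, not a product's.
TOKEN_SECRETS = {"jsmith": bytes.fromhex("00112233445566778899aabbccddeeff")}


def token_response(secret: bytes, challenge: bytes) -> bytes:
    """What the credit-card-size device computes from the typed-in challenge."""
    return hmac.new(secret, challenge, hashlib.sha256).digest()


def derive_session_key(secret: bytes, challenge: bytes, user_nonce: bytes) -> bytes:
    return hmac.new(secret, b"session" + challenge + user_nonce, hashlib.sha256).digest()


def host_proof(secret: bytes, challenge: bytes, user_nonce: bytes) -> bytes:
    """The host's own answer, so the user also knows it is talking to the real host."""
    return hmac.new(secret, b"host" + challenge + user_nonce, hashlib.sha256).digest()


def message_mac(key: bytes, seq: int, payload: bytes) -> bytes:
    return hmac.new(key, seq.to_bytes(4, "big") + payload, hashlib.sha256).digest()


class Host:
    def __init__(self, secrets: dict):
        self.secrets = secrets
        self.pending = {}      # userid -> outstanding challenge (single use)
        self.sessions = {}     # userid -> [session key, next expected sequence number]

    def challenge(self, userid: str) -> bytes:
        """A fresh random challenge; its randomness is what defeats replay."""
        if userid not in self.secrets:
            raise KeyError("unknown user")
        c = os.urandom(16)
        self.pending[userid] = c
        return c

    def verify(self, userid: str, response: bytes, user_nonce: bytes):
        """Check the response, consume the challenge and open a session.
        Returns the host's proof for mutual authentication, or None."""
        c = self.pending.pop(userid, None)
        if c is None:
            return None        # nothing outstanding: a replay, or no challenge was issued
        secret = self.secrets[userid]
        if not hmac.compare_digest(token_response(secret, c), response):
            return None
        self.sessions[userid] = [derive_session_key(secret, c, user_nonce), 0]
        return host_proof(secret, c, user_nonce)

    def receive(self, userid: str, seq: int, payload: bytes, mac: bytes) -> bool:
        """Every message after login carries a MAC under the session key and
        a sequence number; an intruder joining the line cannot inject or
        replay traffic without the key."""
        sess = self.sessions.get(userid)
        if sess is None or seq != sess[1]:
            return False
        if not hmac.compare_digest(message_mac(sess[0], seq, payload), mac):
            return False
        sess[1] += 1
        return True


def login(host: Host, userid: str, secret: bytes):
    """Client side of the exchange; returns the session key or None."""
    c = host.challenge(userid)
    nonce = os.urandom(16)
    proof = host.verify(userid, token_response(secret, c), nonce)
    if proof is None or not hmac.compare_digest(host_proof(secret, c, nonce), proof):
        return None            # wrong response, or the host failed to prove itself
    return derive_session_key(secret, c, nonce)


def protocol_demo() -> dict:
    host = Host(TOKEN_SECRETS)
    secret = TOKEN_SECRETS["jsmith"]
    out = {"genuine_login": login(host, "jsmith", secret) is not None,
           "wrong_secret_rejected": login(host, "jsmith", b"\x00" * 16) is None}
    # Replay: capture one response and present it again with no new challenge.
    c = host.challenge("jsmith")
    r = token_response(secret, c)
    first = host.verify("jsmith", r, b"n" * 16) is not None
    out["replay_rejected"] = first and host.verify("jsmith", r, b"n" * 16) is None
    key = login(host, "jsmith", secret)                 # fresh session for the data phase
    msg = b"GET file.txt"
    out["message_accepted"] = host.receive("jsmith", 0, msg, message_mac(key, 0, msg))
    out["hijack_rejected"] = not host.receive("jsmith", 1, b"DEL file.txt", os.urandom(32))
    out["replayed_message_rejected"] = not host.receive("jsmith", 0, msg, message_mac(key, 0, msg))
    return out
```

The two properties the text calls out are visible in the results: the consumed challenge stops a replayed response, and the sequence-numbered MAC stops both an injected command and a replayed one after the session is established.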
d) Biometrics
The use of biometrics (e.g. fingerprint, retinal scan, voice, etc.) permits "something you are" to be added to the authentication process. This is the strongest way to ensure that individuals are indeed who they say they are. However, in most respects, the use of biometric information in a network environment can be considered as using special unique passwords. Thus, the vulnerabilities of sending biometric information across the network are similar to those related to sending passwords. For this reason, the use of biometric authentication techniques for remote logins does not offer much benefit. However, this technology is particularly suitable and recommended in physical access control or local authentication applications.

Mechanisms that provide a user with his or her account usage information may alert the user that the account was used in an abnormal manner (e.g. multiple login failures). These mechanisms include notifications such as the date, time and location of the last successful login, and the number of previous login failures.

Locking mechanisms for network devices, workstations, or PCs that require user authentication to unlock can be useful to users who must leave their work areas frequently. These locks allow users to remain logged into the network and leave their work areas (for an acceptably short period of time) without exposing an entry point into the network.

Remote access to networks through dial-in modems usually requires that careful attention be paid at the connection level. An intruder that can access the modem may gain network access by successfully guessing a user password. The availability of modem use to legitimate users may also become an issue if an intruder is allowed continual access to the modem. Users accessing a network remotely should be authenticated before they can even have access to the network login script.

2.4.2 Audit
The detection of the occurrence of a threat and its origin are usually the main purposes of the audit services. Normally, the detection of threat events does not occur in real time unless some type of real-time monitoring capability is utilized. Real-time monitoring services include probes attached to the network (or sometimes to communications devices) that raise an alarm as soon as they detect the occurrence of a threat. The alarm, for example, could consist of a message displayed at the security officer's console and/or closing all access to certain network resources. A monitoring capability can also be used to detect network availability problems as they develop.

It may be appropriate that some areas of the network (workstations, file servers, etc.) have a specific type of auditing service. Depending on the level of detail contained in the audit trail, the detected event should be traceable throughout the system. For example, when an intruder breaks into the system, the log should indicate who was logged on to the system and at what time, all sensitive files that had failed accesses, all programs that had attempted executions, etc. It should also indicate sensitive files and programs that were successfully accessed in this time period.
Another function of the audit services is to provide network administrators with statistics indicating that the network and its resources are functioning properly. This can be done by an audit mechanism that uses the log file as input and processes the file into meaningful information regarding system usage and security. Due to their volume and complexity, it can be very difficult to analyse and effectively utilize the audit data files and/or audit reports. In order for auditing data to be useful, efficient and easy to use tools must be available to the auditors. The audit services should include tools that condense and organize the audit data to allow for ease of study. Tools should also provide the capability of sorting audit entries by categories (user entries, file system entries, etc.).

Only authorized users (e.g. auditors) should be permitted to use the audit tools, set options, or select events to be recorded. Access to the audit data should be strictly restricted to auditors and the integrity of the data should be preserved. Any forwarding of audit data (e.g. for off-line processing) must be accomplished in a manner which will ensure the integrity (and confidentiality if required) of the audit data. Preferably, the auditors should be different from the network administrators. Having distinct individuals responsible for network auditing helps to implement an impartial/unbiased auditing policy across the network which is independent of the users, administrators, managers and events involved.

The choice of the physical medium used for the storage of audit data, normally hard disk, diskette or print-out, should take into consideration the operational usage or performance load, the physical location, and the required audit granularity. If the audit data is stored on a limited capacity medium, then the auditor should be notified when the audit data files are approaching maximum capacity in order for manual maintenance to be performed as required. The network security policy should state the actions to be taken when the audit data files reach their maximum capacity, e.g. shutting down the network and/or network resources, not logging further event occurrences (which is not very secure), etc. In any case, a compromise must be made between accountability and availability. Consideration should also be given to planning an archive for audit data.

Normally, there is always a trade-off between the number of events audited (on which depend the size of the audit files and the amount of information to search) and the level of difficulty and complexity to analyse the audit data. In any case, the choice of auditors and the selection of events to be audited have to be based on the TRA and be in accordance with the network security policy.
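The audit reduction tooling this section asks for (condensing the trail, sorting by category, reconstructing a break-in window, and warning before the audit file fills) is shown below over a short constructed audit trail. This is an added example, not code from the original guide or from any product's audit tool; the line format, event names, sensitive path prefixes and thresholds are assumptions made for the illustration.

```python
import re
from collections import defaultdict

# Constructed audit trail, one event per line. The format is this example's
# own and the entries are invented for the illustration.
SAMPLE_LOG = """\
1995-10-02 08:58:10 user=jsmith event=LOGIN outcome=OK src=ws17
1995-10-02 09:02:41 user=guest event=LOGIN outcome=FAIL src=modem3
1995-10-02 09:02:55 user=guest event=LOGIN outcome=FAIL src=modem3
1995-10-02 09:03:09 user=guest event=LOGIN outcome=FAIL src=modem3
1995-10-02 09:03:30 user=guest event=LOGIN outcome=OK src=modem3
1995-10-02 09:05:12 user=guest event=FILE_READ object=SYS:PAYROLL/Q3.DAT outcome=FAIL src=modem3
1995-10-02 09:05:40 user=guest event=EXEC object=SYS:PUBLIC/RCONSOLE.EXE outcome=OK src=modem3
1995-10-02 09:06:02 user=guest event=FILE_READ object=SYS:AUDIT/NET$AUDT.DAT outcome=OK src=modem3
1995-10-02 09:10:00 user=jsmith event=FILE_WRITE object=SYS:USERS/JSMITH/MEMO.TXT outcome=OK src=ws17
1995-10-02 09:20:00 user=jsmith event=LOGOUT outcome=OK src=ws17
"""

LINE = re.compile(r"^(?P<ts>\S+ \S+) (?P<fields>.*)$")
CATEGORY = {"LOGIN": "user", "LOGOUT": "user", "FILE_READ": "file",
            "FILE_WRITE": "file", "EXEC": "program"}
SENSITIVE_PREFIXES = ("SYS:PAYROLL/", "SYS:AUDIT/")     # assumed sensitive areas


def parse_log(text: str) -> list:
    events = []
    for line in text.splitlines():
        m = LINE.match(line)
        if not m:
            continue                       # malformed lines are skipped, not guessed at
        rec = dict(kv.split("=", 1) for kv in m.group("fields").split())
        rec["ts"] = m.group("ts")
        events.append(rec)
    return events


def by_category(events: list) -> dict:
    """The sorting capability the text asks for: user, file and program entries."""
    buckets = defaultdict(list)
    for e in events:
        buckets[CATEGORY.get(e["event"], "other")].append(e)
    return dict(buckets)


def repeated_login_failures(events: list, threshold: int = 3) -> dict:
    """Users whose failed logons reach the threshold: the abnormal use a
    real-time probe would alarm on, here found after the fact."""
    counts = defaultdict(int)
    for e in events:
        if e["event"] == "LOGIN" and e["outcome"] == "FAIL":
            counts[e["user"]] += 1
    return {u: n for u, n in counts.items() if n >= threshold}


def is_sensitive(e: dict) -> bool:
    return e.get("object", "").startswith(SENSITIVE_PREFIXES)


def incident_report(events: list, start: str, end: str) -> dict:
    """What the trail should show for a break-in window: who logged on, failed
    accesses to sensitive files, attempted executions, and successful
    accesses to sensitive files. Timestamps are fixed-width, so string
    comparison orders them correctly."""
    window = [e for e in events if start <= e["ts"] <= end]
    return {
        "logged_on": sorted({e["user"] for e in window
                             if e["event"] == "LOGIN" and e["outcome"] == "OK"}),
        "failed_sensitive": [(e["user"], e["object"]) for e in window
                             if e["event"].startswith("FILE_") and e["outcome"] == "FAIL"
                             and is_sensitive(e)],
        "executions": [(e["user"], e["object"], e["outcome"]) for e in window
                       if e["event"] == "EXEC"],
        "successful_sensitive": [(e["user"], e["object"]) for e in window
                                 if e["event"].startswith("FILE_") and e["outcome"] == "OK"
                                 and is_sensitive(e)],
    }


def capacity_alert(used_bytes: int, capacity_bytes: int, warn_at: float = 0.9) -> bool:
    """Notify the auditor before the audit file reaches its ceiling, rather
    than silently dropping events or halting the network when it is full."""
    return used_bytes >= warn_at * capacity_bytes


if __name__ == "__main__":
    ev = parse_log(SAMPLE_LOG)
    print("repeated failures:", repeated_login_failures(ev))
    print(incident_report(ev, "1995-10-02 09:00:00", "1995-10-02 09:15:00"))
```

On the constructed trail the report isolates the dial-in account that failed three logons, then failed a read of a payroll file, ran a remote console program, and successfully read an audit file, which is exactly the chain of events the text wants recoverable from the log.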
2.4.3 Non-repudiation
Non-repudiation is the security service by which the entities involved in a communication cannot deny having participated. It involves the generation, accumulation, retrieval and interpretation of evidence that a particular party processed a particular item. When non-repudiation services are employed, for example, a sending entity cannot deny having sent a message (non-repudiation with proof of origin) and the receiving entity cannot deny having received a message (non-repudiation with proof of delivery). This service is particularly important in electronic mail (e-mail) and electronic commerce applications (EAA). Non-repudiation must be provided through the use of public/private key cryptographic techniques using digital signatures. Where digital signatures are used for non-repudiation purposes, it is crucial that the private keys be protected against duplication and disclosure. Trust in the non-repudiation services is not achievable without secure protection of the signing private keys. See section 2.2.2 Data Integrity for a description and use of digital signatures.
2.4.4 Providing Accountability
Table XI lists various security solutions that could be implemented to provide accountability services.

Table XI - Accountability Services and Mechanisms
Attacks or exploitable vulnerabilities (columns): password cracking/disclosure; lack of or weak auditing; attack on the audit trail; ID forgery (masquerade attack); unauthorized action on the network; session hijack.
Protection mechanism, procedure or technique (rows):
- Password-only authentication
- One-time password or challenge-response
- Smart card and encryption
- Physical access control to network resources
- Well managed network auditing
- Physical and logical protection of the audit trail
- Rules and procedures
- Digital signature
Legend: ///: the safeguard has a high potential to efficiently counter the threat or reduce the vulnerability. //: the safeguard has potential to efficiently counter the threat or reduce the vulnerability. /: the safeguard has some potential to efficiently counter the threat or reduce the vulnerability.
[Per-cell rating marks are not recoverable in this copy.]

2.5 Physical Security
Physical security consists of the measures designed to prevent unauthorized physical access to network resources, i.e. equipment, facilities, material and documents, and to safeguard them against damage, theft and modification. Means to provide physical security include locks, guards, badges, alarms, and other similar measures to control access to network resources. They cannot be related to one security service per se. In fact, physical security measures apply to all of the aforementioned security service classes: confidentiality, integrity, accountability, and especially availability.

Minimum physical security measures should exist in any network. Normally, all the network servers and communication devices should be located in physically controlled areas. For example, access to these resources should be limited to the few people involved in network management and maintenance.
This reduces the risk of an unauthorized individual reading, modifying or destroying sensitive information, such as an audit trail, or of the same individual modifying the network configuration by changing server or communication device settings. In addition, physical access to the client network stations should be restricted to those individuals who require access to them to do their job. Network stations are the most common network entry point for malicious acts or human errors. It is easy for a malicious individual to install on a client station a Trojan horse or virus that will cause major harm to the network. A Trojan horse can be used to capture user passwords or retrieve sensitive information. A virus can propagate to every computer attached to the network to reformat any hard disk or destroy boot partitions. Network stations can be protected by securing the rooms where they are located or by using computer access control products. If sensitive information is saved on client stations, it is preferable that the stations' hard disks be removable, in order to store the sensitive media at a secure location, e.g. in a safe, when the system is left unattended.

Computers also need to be protected against theft, including theft of computer components such as hard disks, controllers, RAM chips, etc. Restricting physical access to computers, and keeping an inventory detailing each computer and its configuration, reduces the risk of theft resulting in disruption of network functions and/or unavailability of services.

Since most data storage is accomplished via magnetic media, special care must be given to these media. Such media include diskettes, back-up tapes and (removable) hard disks. In this case, special care means common-sense handling such as not bending the media, keeping the media away from magnetic fields, storage within acceptable temperature and humidity, etc. Also, media on which designated (Protected B and above) or classified information is saved should be stored at a secure location.

Natural phenomena should also be taken into consideration. The use of special carpets, pads or antistatic sprays helps to control static electricity, which can damage computer components and affect the availability and integrity of a network. Finally, surge protectors and power filters should be used to reduce the risks associated with unstable power, e.g. power surges or lightning.

2.6 Selection of Appropriate Security Mechanisms
The purpose of implementing security solutions is, for each asset, to reduce the risk to an acceptable level for the organization while maintaining an equilibrium between the money invested in security solutions and the residual risks. For example, a network from which the unauthorized disclosure of information would cause major embarrassment to the government might require spending many thousands of dollars for the procurement of an encryption system with appropriate key management to reduce the residual risks to the minimal acceptable level. In another network, for which the non-availability of information would cause only minor disturbance in a department, the procurement of sophisticated real-time back-up and UPS systems would probably not be justified, since the investment for the system procurement would be very high in comparison with the residual risks. In this case, the residual risks would be much lower than the maximum risk acceptance level.
Sometimes, particular circumstances might force an organization to accept additional residual risks because available security solutions are too costly. Before an organization's upper management can make such a decision, the risk assessment associated with the concerned assets should be thoroughly redone to precisely evaluate the additional residual risks in terms of potential impact for the organization, or to allocate additional funding if the additional risks are not acceptable to the organization.

Finally, the process of selecting security solutions may uncover some vulnerabilities that can be corrected by improving network management and operational controls immediately, until such time as more thorough improvements are planned and implemented. These improved controls will usually reduce the risk of the threat by some degree. For example, as mentioned in section 2.4.1.1, increasing the length and composition of the password for authentication may be one way to reduce the threat of guessing passwords. Using more robust passwords is a measure that can be quickly implemented to increase the security of the network at minimal cost for the organization. Concurrently, the planning, funding and implementation of a more advanced authentication mechanism can occur.

2.7 Assurance
Because selecting a security solution normally forces the implementer to choose between several security products, the level of assurance associated with each product should be taken into consideration. Assurance ensures, at various levels, that a product design is adequate and appropriate, and that the product operates as intended. Product assurance can be obtained through two principal means.

First, products can be evaluated, validated or reviewed by impartial organizations such as the Communications Security Establishment (CSE) in Canada, and the National Security Agency (NSA) or National Computer Security Center (NCSC) in the U.S. The product evaluations are performed by qualified evaluators against objective evaluation criteria such as the Canadian Trusted Computer Product Evaluation Criteria (CTCPEC), the DoD Trusted Computer System Evaluation Criteria (Orange Book or TCSEC) or the newly released Common Criteria for Information Technology Security Evaluation (CC). Evaluated (or endorsed) products receive a rating relative to functionality, strength of mechanism, and level of trust (assurance). The evaluation ratings differ depending on the evaluation criteria used during the evaluation. CSE and National Institute of Standards and Technology (NIST) accredited labs can perform validations of cryptographic modules used in encryption products for the protection of designated information. The cryptographic module validations are processed using the U.S. Federal Information Processing Standard (FIPS) 140-1 publication. Normally, the level of assurance of an encryption product will be higher if it employs a validated cryptographic module. CSE also performs product reviews, which consist of testing a product to verify that the implemented security mechanisms operate as claimed by the vendor. Although reviewed products do not receive ratings, since their design is not verified (product reviews are done in the absence of design details), they provide information concerning the functionality of a product and the accuracy of the user documentation.

Second, security products can be tested internally to verify their functionality and to assess the level of difficulty required to disable their ability to protect the network. Since internal testing is normally done in the absence of standardized security evaluation or testing criteria, the decision makers must be careful not to be misled by an impression of trust instead of real assurance.
APPENDIX A - SUGGESTED READINGS

CHESWICK, William R., and BELLOVIN, Steven M. Firewalls and Internet Security: Repelling the Wily Hacker. Addison-Wesley Publishing Company, Reading, Massachusetts, 1994. 306 pages.

Communications Security Establishment. An Introduction to Internet and Internet Security. September 1995. 70 pages.

National Institute of Standards and Technology. Keeping Your Site Comfortably Secure: An Introduction to Internet Firewalls (NIST Special Publication 800-10). December 1994. 43 pages.

STALLINGS, William. Network and Internetwork Security: Principles and Practice. Prentice Hall, 1995. 462 pages.
APPENDIX B - PRACTICAL EXAMPLE: ASSESSING AND IMPLEMENTING NETWORK SECURITY

1 Introduction

The purpose of this example is to illustrate the concepts discussed in this document. In this example, based on the methodology outlined in Chapter 2, a hypothetical network is partially assessed to determine the risks associated with a network asset; only one asset will be looked at. Security services and mechanisms are recommended for countering the vulnerabilities and threats that are found, and thus decreasing the risks to acceptable levels. It is believed that the risk based approach described in this example can be applied to other networks to derive other network specific requirements for security. We assume that a SoS of the information residing and travelling over the network already exists.

1.1 Approach

The methodology used in this example to assess the risks consists of the two following phases:

Step 1 - Define the network and identify assets. In this step, the network security boundary and scope are defined and an inventory of assets is performed. The objective of this step is to identify the assets that need protection on the network.

Step 2 - Assess risks for every asset, select safeguards and estimate the residual risks. This step normally assesses each identified network asset for potential threats and measures an exposure rating of the asset to the threats based on the likelihood of threat occurrence and the resulting impacts. Vulnerabilities and the effectiveness of the present safeguards found in the network are also assessed to measure a risk factor associated with each asset/threat/impact scenario. Where the risk is deemed too high, appropriate solutions are proposed to reduce the risk to an acceptable level.

2 Define the Network and Identify Assets

In this step, the network configuration, including the network devices, services, and other resources, is presented.

2.1 The Network Configuration and Management

The network is a multi-server Novell 4.x [1] network consisting of 10 servers and 250 client station PCs.

[1] Mention of specific product names is for description purposes only and does not constitute CSE's endorsement or recommendation for use.
Each server runs NetWare 4.x (with NetWare Directory Services - NDS) and has one or more hard disk(s), a tape backup unit, an internal UPS unit, ethernet card(s), serial communication card(s), and network printer(s). The servers are spread over five centres and connected via routers and frame relay services between the centres. The agency network operates over twisted pairs and fibre optic cables.

A division in the organization manages the network. The division is responsible for the physical network, its configuration, and providing network-wide services such as electronic mail, local file services, and fax and modem pool services. Two network administrators take care of administrative functions such as user administration, configuration, and backup of the file servers. The information on the layout, configuration and network services of the network is provided by the network managers; much of the information is also supplemented by documents.

2.2 The Network Capabilities

In the discussion that follows, the network services provided for users are described. Though not explicitly stated, it should be noted that the I&A of a user is a prerequisite before any of the services can be rendered to the user.

A. Network Connections to Various Servers
With Novell 4.x, users do not have to login to each file server. Instead, users login once to the network, and that single login gives users access to every resource on the entire network regardless of the servers involved. Access to network resources is controlled by Novell security features using rights, ACLs and attributes.

B. Network File Services
This service provides network users the capability to store their own Disk Operating System (DOS) files on the network server disk. The files can be stored in the users' private file area or a shared network file area. Logical access control is set up to protect the information stored on the server disks.

C. Network Application Software
This service provides users the capability to access application software stored on a network server to free up disk space on users' PCs.

D. Network Print Services
This service allows users to print documents on a network printer physically connected to a network server or a dedicated network printer connected to a user's PC. The print job outputs can be directed to any printer of the network. Some printers are located in open areas.
E. Electronic Mail
One of the most frequently used network services is the capability of exchanging electronic mail. This is done using Novell software and an off-the-shelf commercial email software package.

F. Electronic Calendaring
Electronic calendaring provides an integrated scheduling tool for a workgroup. Users can mark events on the calendar and coordinate meeting schedules with fellow workers, while others may look at the events and schedules but cannot modify them. Proper access control is essential so that only legitimate users in the workgroup can modify the events and schedules.

G. Network FAX Capability
This service allows network users to send a copy of a document stored either on the user's PC or on the server disk to any standard FAX machine. If the document contains sensitive information it should not be faxed.

H. Network Access Through PC Dial-in
This service allows users to access the network from a standalone PC that is equipped with a modem and the necessary software. The service is convenient for users who may be away from their offices but need to access the network from a PC not physically linked to the network.
[Figure 6 - Diagram of the example network: five sites (Site 1 to Site 5) interconnected by frame relay; legend: server, client station, printer, modem, router, bridge]

2.3 Network Assets

The network assets that will eventually require protection include the following:

a) Computers - servers
b) Computers - PCs
c) Computers - routers
d) Printers
e) Modems
f) Computer parts (RAM chips, hard disks, video cards, network interface cards)
g) Cables and fibres
h) NetWare operating system files
i) Novell operation, maintenance and administration files
j) UPS devices
k) Backup tape drives
l) Backup tapes
m) Client station DOS
n) Applications software files
o) Network data - network configuration and settings files on servers
p) Network data - network and PC start-up files on client stations (PCs)
q) Network data - user profile files
r) Network data - audit trails
s) User data - Personnel processed data residing on PCs
t) User data - Personnel processed data residing on servers non-shared directories
u) User data - Personnel processed data residing on servers shared directories
v) Organization data including database files, word processing files, spreadsheet files, e-mail message files and electronic calendaring files

3 Risk Assessment of the Network

A complete TRA of the network described in this example would probably consist of a long and detailed process. In a real-life situation, there could be more assets listed and they could be identified at a finer level of granularity. For example, the organization data residing on each particular network server could consist of distinct assets. In this example, the organization data is represented as being one asset. To proceed with the TRA, additional information such as the physical location of the network components, users' background (technical knowledge, security clearance, working hours, etc.), maintenance procedures, etc., would be required. Since the intent of this document is to focus on practical network security in general and not on TRAs, only the risks on the organization data asset will be addressed to illustrate the concepts previously described in this document.

We assume that a SoS has already been done within the organization. The results of this assessment have demonstrated that approximately 75% of the organization data is designated Protected B and the remaining 25% is Protected A and unclassified. Most of the designated information consists of personal data on Canadian citizens, including high profile individuals such as MPs, ministers, etc., that is stored in a database.

3.1 Threat Assessment and Exposure Rating to the Threats

We assume that all the possible threats to the organization data asset have been looked at and that only some would be analysed further, since the probability of the other threats occurring was considered extremely low. The threats that will be examined are the following:

a) Fire
b) User error
c) Administrator error
d) Equipment failure
e) Hackers - password capturing or cracking
f) Foreign government - eavesdropping
g) Vandals - virus
h) Malicious employee - Trojan Horse

For each threat, the potential resulting impacts (unauthorized disclosure, unauthorized modification, disruption of network functions, and/or deceptive actions on the network) are determined. In this case, the disruption of network functions impact represents the non-availability of the organization data caused, for example, by denial of service or destruction of data. Deceptive actions on the organization data are actions for which no or wrong individuals can be accounted for. Then, the threat likelihood of occurrence and impact level (high, medium or low) are assessed for each threat/impact scenario. The likelihood of occurrence combines both the probability of a threat occurring and the probability of an impact occurring should the threat materialize. The outcomes of this process are exposure ratings of the organization data asset to each threat, obtained from Table III. These are listed in Table B-I.

Table B-I - Exposure Ratings of the Organization Data Asset to Threats

Threat                                  Likelihood   Level of impact   Exposure Rating
Threat of fire on the organization data resulting in:
  Disruption                            Low          High              4
Threat of user errors on the organization data resulting in:
  Unauthorized Disclosure               Medium       High              7
  Unauthorized Modification             Medium       Medium            6
  Disruption                            Low          Medium            2
  Deceptive actions                     Low          Medium            2
Table B-I (continued)

Threat                                  Likelihood   Level of impact   Exposure Rating
Threat of administrator errors on the organization data resulting in:
  Unauthorized Disclosure               Medium       High              7
  Unauthorized Modification             Medium       High              7
  Disruption                            Medium       High              7
  Deceptive actions                     Low          Medium            2
Threat of equipment failure on the organization data resulting in:
  Unauthorized Modification             Low          High              4
  Disruption                            Medium       Medium            6
Threat of hackers using password cracking or capturing technique resulting for the organization data in:
  Unauthorized Disclosure               Medium       High              7
  Unauthorized Modification             Medium       High              7
  Disruption                            High         High              9
  Deceptive actions                     Medium       High              7
Threat of foreign government using eavesdropping technique for the organization data resulting in:
  Unauthorized Disclosure               Medium       Medium            6
Table B-I (continued)

Threat                                  Likelihood   Level of impact   Exposure Rating
Threat of vandals using virus for the organization data resulting in:
  Unauthorized Modification             High         High              9
  Disruption                            Medium       High              7
Threat of malicious employee using Trojan Horse for the organization data resulting in:
  Unauthorized Disclosure               Low          Medium            2
  Unauthorized Modification             Medium       High              7
  Disruption                            Medium       High              7
  Deceptive Actions                     Medium       High              7

3.2 Risk assessment of the network

Now that the exposure ratings of our asset have been measured, the primary network vulnerabilities and present safeguard effectiveness will be analysed in order to obtain risk measures for each threat scenario. The present safeguards that are presented consist of the Novell security features, as well as security procedures already implemented on the network. The security in a Novell 4.x network is provided by the Network Directory Services (NDS). NDS is a distributed directory service that maintains the names and attributes of all critical network resources. It enables other network services to enforce user access control and provides dynamic naming consistency over the network. NDS also enforces network security and authenticates all requests to access, add, or modify information.

We assume that the maximum risk measure acceptable to the organization is low risk (2). When the risk is assessed at medium (3) or higher, potential solutions that would reduce the risk to an acceptable level are described.

3.2.1 Threat of Fire resulting in:

3.2.1.1 Disruption

A. Vulnerabilities
Sprinkler: Sprinklers in ceilings for fire-fighting are located in every room of the buildings, including locations where servers are installed. In case of a fire, organization data could be damaged or destroyed by water, making the data become unavailable to users.
Storage Media: The storage media on which the organization data resides are very sensitive to dust, humidity and extreme temperature. In case of a fire, chances are that the organization data would be partially or totally lost.
Computer equipment: Networks consist of computer equipment that is very sensitive to dust, humidity and extreme temperature. In case of a fire, chances are that some equipment would cease functioning, thus reducing the availability of the organization data.

B. Present Safeguards
Weekly backups: Backups are done once a week, on Friday afternoons, and one backup copy of each server per month is sent out for off-site storage. Even though the data recorded during a month period could potentially be lost, some data could be recovered from backups. This safeguard is estimated to be moderately efficient (2) to provide availability services.

C. Risk
The organization data is estimated to be highly vulnerable (3) to fire, which would result in its destruction or non-availability. Using Table V, with an exposure rating of 4, vulnerability level 3 and safeguard effectiveness of 2 (3:2), the risk is measured at medium (3), which is NOT ACCEPTABLE.

D. Potential Solutions
A low cost solution could consist of performing daily backups of the file servers (after working hours) and updating the off-site backups at least once a week. This would consist of a highly effective solution, reducing the risk measure from 3 to 2, which is an acceptable risk. Relocating the servers to areas not covered by sprinklers, performing modifications to the sprinkler system or installing protection covers over the servers could consist of other solutions. In these cases, the vulnerability level would probably decrease to 2, reducing also the risk measure from 3 to 2. The cost of these solutions could be higher than the aforementioned daily backup solution. The implementation of two solutions (backup plus another one) would reduce the risk to very low (1), which is less than the minimal acceptable risk, at high cost; thus, this would be a typical example of a non cost-effective security solution.
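As an added example (not part of the original guide), the two-step scoring used throughout this appendix written as a small Python risk register. Tables III and V are not reproduced here, so the lookups hold only the rating pairs quoted in Table B-I and in the subsections of section 3.2, and the scenarios and solutions are the ones those subsections assess (fire, user error, administrator error, equipment failure and password attacks); any combination the appendix never quotes raises KeyError rather than guessing the rest of the tables.

```python
"""Risk register for the Appendix B worked example.

Added example, not part of the original CSE guide. Tables III and V are not on
the page, so the lookups below are reconstructed ONLY from the rating pairs the
appendix quotes; any other combination raises KeyError instead of guessing.
"""
from dataclasses import dataclass, replace

# Table III pairs quoted in Table B-I: (likelihood, impact level) -> exposure rating.
EXPOSURE = {
    ("low", "medium"): 2,
    ("low", "high"): 4,
    ("medium", "medium"): 6,
    ("medium", "high"): 7,
    ("high", "high"): 9,
}

# Table V pairs quoted in section 3.2: (exposure, vulnerability, effectiveness) -> risk.
RISK = {
    (2, 2, 2): 1, (2, 2, 3): 1,
    (4, 3, 2): 3, (4, 3, 3): 2, (4, 2, 2): 2, (4, 2, 3): 1,
    (6, 3, 2): 4, (6, 1, 2): 2,
    (7, 3, 1): 5, (7, 3, 2): 5, (7, 2, 2): 3, (7, 2, 3): 2, (7, 1, 3): 2,
    (9, 3, 2): 5,
}
RISK_LABEL = {1: "very low", 2: "low", 3: "medium", 4: "moderately high", 5: "high"}
MAX_ACCEPTABLE_RISK = 2  # the organization accepts low (2) or better (section 3.2)


@dataclass(frozen=True)
class Scenario:
    threat: str
    impact: str
    likelihood: str     # low / medium / high (Table B-I)
    impact_level: str   # low / medium / high (Table B-I)
    vulnerability: int  # 1..3, from the "A. Vulnerabilities" / "C. Risk" text
    effectiveness: int  # 1..3, from the "B. Present Safeguards" text


def exposure(s: Scenario) -> int:
    """Step 1 of the assessment: exposure rating from likelihood and impact level."""
    return EXPOSURE[(s.likelihood, s.impact_level)]


def risk(s: Scenario) -> int:
    """Step 2: risk measure from exposure, vulnerability and safeguard effectiveness."""
    return RISK[(exposure(s), s.vulnerability, s.effectiveness)]


def acceptable(s: Scenario, max_risk: int = MAX_ACCEPTABLE_RISK) -> bool:
    return risk(s) <= max_risk


def with_solution(s: Scenario, *, vulnerability=None, effectiveness=None) -> Scenario:
    """Residual scenario once a solution lowers the vulnerability level and/or
    raises the safeguard effectiveness (the "D. Potential Solutions" step)."""
    return replace(
        s,
        vulnerability=s.vulnerability if vulnerability is None else vulnerability,
        effectiveness=s.effectiveness if effectiveness is None else effectiveness,
    )


def residual_report(s: Scenario, solution: dict) -> dict:
    """One row of the iterative risk -> solution -> residual risk loop."""
    after = with_solution(s, **solution)
    return {
        "scenario": f"{s.threat} / {s.impact}",
        "exposure": exposure(s),
        "risk_before": risk(s),
        "risk_after": risk(after),
        "acceptable_after": acceptable(after),
    }


# Scenarios rated above the threshold in section 3.2, each with the solution its
# subsection proposes, expressed as the new vulnerability / effectiveness values.
REGISTER = [
    (Scenario("fire", "disruption", "low", "high", 3, 2), {"effectiveness": 3}),
    (Scenario("user error", "unauthorized disclosure", "medium", "high", 3, 1),
     {"vulnerability": 2, "effectiveness": 3}),
    (Scenario("administrator error", "unauthorized disclosure", "medium", "high", 3, 2),
     {"vulnerability": 2, "effectiveness": 3}),
    (Scenario("administrator error", "disruption", "medium", "high", 3, 2),
     {"vulnerability": 2}),  # daily backups alone: residual risk still medium (3)
    (Scenario("equipment failure", "disruption", "medium", "medium", 3, 2),
     {"vulnerability": 1}),
    (Scenario("hackers (passwords)", "unauthorized disclosure", "medium", "high", 3, 1),
     {"vulnerability": 1, "effectiveness": 3}),
]


def assess_register(register=REGISTER) -> list:
    return [residual_report(s, sol) for s, sol in register]


if __name__ == "__main__":
    for row in assess_register():
        flag = "" if row["acceptable_after"] else "  NOT ACCEPTABLE"
        print(f"{row['scenario']:<48} exposure {row['exposure']}  "
              f"risk {RISK_LABEL[row['risk_before']]} ({row['risk_before']}) -> "
              f"{RISK_LABEL[row['risk_after']]} ({row['risk_after']}){flag}")
```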
3.2.2 Threat of User Error resulting in:

3.2.2.1 Unauthorized Disclosure of Organization Data

A. Vulnerabilities
Human Errors: The organization data privacy (confidentiality) mainly relies on users' reliability, which varies between individuals.
Network FAX capability: Users have the capability of sending a copy of a document stored on the user's client station or on a server disk to any FAX machine inside and outside of the organization. The network has no control on the information transmitted by FAX. Nothing prevents the transmission by FAX of sensitive information or FAXs transmitted to wrong numbers.
No auditing of FAXed information.

B. Present Safeguards
File ACLs: Access to any files stored on a network server is mediated by the Novell NetWare operating system and NDS using ACLs. It is assumed that the ACLs are configured correctly so that a user cannot access a file for which he/she is not authorized.
Policy statement disallowing the transmission by FAX of sensitive information.
The present safeguard is estimated to be lowly effective (1).

C. Risk
The network is estimated to be highly vulnerable (3) to user errors which would result in unauthorized disclosure of information. Using Table V, with an exposure rating of 7, vulnerability level 3 and safeguard effectiveness of 1 (3:1), the risk is measured at high (5), which is NOT ACCEPTABLE.

D. Potential Solutions
With a high exposure rating (7, 8 or 9), an acceptable risk measure cannot be obtained without reducing the network vulnerability level. An easy solution would be to remove the FAX capability from the network. This solution would reduce the risk to very low (1). Even though this is a no cost solution in terms of money, the price to pay is a degradation of productivity and efficiency. The installation of a FAX encryptor between the FAX device and the telephone line would decrease the vulnerability level
and increase the safeguard effectiveness by offering protection of the information from unauthorized disclosure to individuals other than the intended destination. This solution would prevent the unauthorized disclosure of information through the transmission of FAXs to wrong numbers. This would be a low cost solution considering that only a few FAX encryptor units would need to be purchased; the most common destinations of the FAXs transmitted from the network are already part of the secure FAX government network and thus use FAX encryptors for misrouting protection. This solution could also include procedures, if possible, that give FAX access to only a few individuals whose responsibility would be to receive the documents to be FAXed from users, verify the content to make sure that there is no sensitive information released, and then transmit by FAX. This solution would decrease the vulnerability level to 2 while increasing the safeguard effectiveness to 3, thus reducing the risk measure from 5 to 2.

3.2.2.2 Unauthorized Modification of Organization Data

A. Vulnerabilities
Human Errors: The integrity of the organization data mainly relies on users' accuracy, which varies between individuals.
Lack of Validation Mechanism: The applications on the network do not check for human errors. Entered data is not validated to detect obvious errors such as an 8-digit phone number, 9-digit SIN, etc.

B. Present Safeguards
File ACLs: Access to any network files is mediated by the Novell NetWare operating system and NDS using ACLs. It is assumed that the ACLs are configured correctly so that a user cannot modify by mistake a file for which he/she is not authorized.
Weekly backups: Same as 3.2.1.1 B.
Auditing: Access to the designated organization data is audited, which provides the auditors with the capability to identify the originator of an error for correction of the error.
These safeguards are estimated to be moderately efficient (2). The network can efficiently limit the areas where user errors can happen, enforced by network ACLs, even though nothing can provide 100% protection against human errors. Backed up data and auditing information are also available if required.
C. Risk
The network is estimated to be highly vulnerable (3) to user errors which would result in unauthorized modification of information. Using Table V, with an exposure rating of 7, vulnerability level 3 and safeguard effectiveness of 2 (3:2), the risk is measured at high (5), which is NOT ACCEPTABLE.

D. Potential Solutions
A solution in this case would be to implement a validation mechanism for any organization data entered by the users. This mechanism would verify, for example, that the size, type and spelling of entered data is accurate before it is saved. This could be a low cost solution if it is implemented with a new application. Otherwise, the cost could be moderate. This solution could reduce the vulnerability level from 3 to 2 while increasing the safeguard effectiveness from 2 to 3, resulting in a new risk measure of 2.

3.2.2.3 Disruption

A. Vulnerabilities
Human Errors: For example, a user could store data at an improper location on the network, delete files, generate excessive traffic, fill up server disk space, etc.
Location of File Servers: Some file servers are located in open areas, which makes them vulnerable to coffee spills, shocks, inadvertent shut down, etc.

B. Present Safeguards
File ACL: In order to be an effective safeguard, the ACLs must be configured correctly so that a user cannot delete a file for which he/she is not authorized.
Weekly backups: Same as 3.2.1.1 B.
NetWare Undelete: This Novell feature can be used to undelete a file erased by mistake.
Computer Enclosures: All the computers used as file servers in the network are enclosed in a metal case.
The network can efficiently limit the areas where user errors can happen, and even though a file was deleted, mechanisms are in place to potentially recover the information lost. These safeguards are estimated to be moderately efficient (2), but would become highly efficient with improved backup procedures and contingency planning.

C. Risk
The network is considered to be moderately vulnerable (2) to user errors which would result in the unavailability of the organization data. However, the traffic generated by each user is not monitored to detect unusual activity. Using Table V, with an exposure rating of 2, vulnerability level 2 and safeguard effectiveness of 2 (2:2), the risk is measured at very low (1).

3.2.2.4 Deceptive actions

A. Vulnerabilities
The network users are human and thus human errors are expected. Network resources are shared.

B. Present Safeguards
I&A: Every user must be identified and authenticated by the network before any access to network resources can be granted.
Auditing: Access to the organization data is audited, based on I&A information; users are responsible for their acts on the network.
Procedures: Organization data shall not reside on a shared directory.
These safeguards are estimated to be highly effective (3).

C. Risk
The network is estimated to be moderately vulnerable (2) to user errors which would result in deceptive actions on the organization data. Using Table V, with an exposure rating of 2, vulnerability level 2 and safeguard effectiveness of 3 (2:3), the risk is measured at very low (1).

3.2.3 Threat of Administrator Error resulting in:

3.2.3.1 Unauthorized Disclosure of Organization Data

A. Vulnerabilities
Accuracy of network configuration and setting of parameters highly relies on the administrator's competency. The administrators, who represent a single point of failure, are presently overloaded,
which increases the probability of errors.

B. Present Safeguards
Effective Rights: The administrators can verify the effective access rights of any network user to the data stored on the network using the Novell "Effective Rights" feature. Conversely, they can also verify which users have access to the organization data and with which privileges.
Administrator training: The administrators are well trained to accurately manage the network.
Auditing: Any administrator's actions on the network are audited by an independent auditor.
Efficient management of service requests by Novell NetWare.
Minimum Enhanced Reliability check is done on all the employees of the organization. This safeguard reduces the consequences of unauthorized disclosure of information within the organization: the impact of unauthorized disclosure of information to employees is reduced by the level of trust provided by the user security clearances.
These safeguards are estimated to be moderately efficient (2). The network cannot entirely prevent administrator's errors. However, features exist to detect errors, which will eventually be corrected to prevent unauthorized disclosure of information.

C. Risk
The network is considered to be highly vulnerable (3) to unauthorized disclosure of organization data caused by administrator's errors. Using Table V, with an exposure rating of 7, vulnerability level 3 and safeguard effectiveness of 2 (3:2), the risk is measured at high (5), which is NOT ACCEPTABLE.

D. Potential Solutions
A solution to reduce the risk measure could be to share the responsibility of administrating the network with an additional qualified individual. This would reduce the work load of each administrator to a decent level, thus reducing the probability of errors and the vulnerability level to medium (2). This would also give each administrator more time to verify and monitor the rights granted to users, thus improving the effectiveness of the safeguards already in place to high (3). Consequently, the risk level would be reduced from 5 to 2. This solution may be costly.
3.2.3.2 Unauthorized Modification of Organization Data

A. Vulnerabilities
Same as 3.2.3.1 A. The administrator has full access on the organization data, user profiles, ACLs, etc.

B. Present Safeguards
Same as 3.2.3.1 B, plus Weekly backups.
These safeguards are estimated to be moderately efficient (2). The network cannot entirely prevent administrator's errors. However, features exist to detect administrator errors which could eventually result in unauthorized modification of the organization data, and the original data can be recovered from backup if required.

C. Risk
The network is considered to be highly vulnerable (3) to administrator errors which would result in the unauthorized modification of information. Using Table V, with an exposure rating of 7, vulnerability level 3 and safeguard effectiveness of 2 (3:2), the risk is measured at high (5), which is NOT ACCEPTABLE.

D. Potential Solutions
Sharing the responsibility of administrating the network between three qualified individuals instead of two would also be effective in this area. This solution could reduce the vulnerability to 2 and increase the safeguard effectiveness to 3, thus reducing the risk level from 5 to 2.

3.2.3.3 Disruption

A. Vulnerabilities
Same as 3.2.3.2 A.
B. Present Safeguards
Same as 3.2.3.2 B, plus NetWare Undelete.
These safeguards are estimated to be moderately efficient (2). The network cannot entirely prevent administrator's errors. However, features exist to prevent situations where the data becomes unavailable to authorized users for a long period of time.

C. Risk
The network is considered to be highly vulnerable (3) to administrator errors which would result in the unavailability of information. Using Table V, with an exposure rating of 7, vulnerability level 3 and safeguard effectiveness of 2 (3:2), the risk is measured at high (5), which is NOT ACCEPTABLE.

D. Potential Solutions
Performing daily backups of the file servers, as described in 3.2.1.1 D, at low cost, would decrease the vulnerability level to 2. This would reduce the risk measure from 5 to 3, which is still an unacceptable risk. The addition of a network administrator as previously mentioned, with the implementation of daily backup procedures, could increase the effectiveness of the safeguards in place to high, thus reducing the risk measure to 2.

3.2.3.4 Deceptive Actions

A. Vulnerabilities
Same as 3.2.3.1 A.

B. Present Safeguards
Same as 3.2.3.2 B, plus I & A.
These safeguards are estimated to be highly efficient (3) to prevent deceptive actions on the organization data caused by administrator errors.

C. Risk
The network is considered to be moderately vulnerable (2) to administrator errors which would result in deceptive actions on the organization data.
Using Table V, with an exposure rating of 2, vulnerability level 2 and safeguard effectiveness of 3 (2:3), the risk is measured to be very low (1).

3.2.4 Threat of Equipment Failure resulting in:

3.2.4.1 Unauthorized Modification (corruption) of Organization Data

A. Vulnerabilities
Some network components (servers and communication devices) are exposed to humidity and temperature variations.
Many single points of failure.
No alternate communication links.

B. Present Safeguards
Maintenance Contract.
Weekly backups.
Disk-Duplexing: Novell feature that copies data onto two hard disks, each on a separate disk channel of each server.
Hot Fix: Novell feature that prevents data from being written on bad disk sectors.
The network can efficiently prevent data corruption caused by equipment failure. These safeguards are estimated to be highly efficient (3).

C. Risk
The network is considered to be highly vulnerable (3) to equipment failures which would result in the corruption of information. Using Table V, with an exposure rating of 4, vulnerability level 3 and safeguard effectiveness of 3 (3:3), the risk is measured as low (2).
3.2.4.2 Disruption

A. Vulnerabilities
Same as 3.2.4.1 A, plus: Organization data is concentrated on specific servers (depending on the applications) which represent single points of failure.

B. Present Safeguards
Same as 3.2.4.1 B.
Since the network offers some protection against the unavailability of data caused by equipment failure, these safeguards are estimated to be moderately efficient (2).

C. Risk
The network is considered to be highly vulnerable (3) to equipment failures which would result in the unavailability of information. Using Table V, with an exposure rating of 6, vulnerability level 3 and safeguard effectiveness of 2 (3:2), the risk is measured at moderately high (4), which is NOT ACCEPTABLE.

D. Potential Solutions
New backup procedures would not improve the safeguards' effectiveness enough to reduce the risk to an acceptable level. An application that replicates and distributes the organization data on the network, in combination with the implementation of alternate communication links within the network, would eliminate or reduce single points of failure. This solution would decrease the vulnerability level to low (1), thus reducing the risk from 4 to 2.

3.2.5 Threat of Hackers Cracking or Capturing Passwords Resulting in:

3.2.5.1 Unauthorized Disclosure of Organization Data

A. Vulnerabilities
Uncontrolled connections of modems on client stations.
Passwords for access to client stations and access to the network are sent in the clear over the public telephone system.
No password strength verification.
B. Present Safeguards
Novell login security features, which include minimum password length set to 8, maximum login attempts set to 3 and user accounts disabled after 3 login attempts, reuse of previous passwords not allowed, etc. Minimum password length for the administrator is set to 10.
ACLs allow users access to certain files only. For this reason, a hacker cracking or capturing a user password would gain access only to the files authorised for that user.
Auditing (for intrusion detection).
Remote access to routers is disabled.
Procedures are in place to oblige users to enter 2 passwords to remotely login to the network via a modem and a client station, one for access to the client station and one for access to the network.
The present safeguards provide good protection against login password cracking attacks at the network level; however, the system remains highly vulnerable to hackers capturing passwords as they travel on the telephone system or cracking modem passwords. For this reason, the safeguards effectiveness is considered low (1).

C. Risk
The network is considered to be highly vulnerable (3) to hackers gaining unauthorized access to the network resulting in unauthorized disclosure of information. Using Table V, with an exposure rating of 7, vulnerability level 3 and safeguard effectiveness of 1 (3:1), the risk is measured as high (5), which is NOT ACCEPTABLE.

D. Potential Solution
To obtain an acceptable measure of risk, the vulnerability level must be reduced. It is extremely difficult to protect a network that has several uncontrolled external connections, especially when passwords are transmitted in the clear. In this case, the vulnerability level would be reduced by disallowing any modem connections to client stations. External connections could be provided via a secure gateway which establishes encrypted sessions with remote users. Users would first have to authenticate to the gateway using, for example, a one time only generated password, an authentication token, a public/private key scheme or another strong authentication mechanism. Once a user is identified and authenticated, traffic encryption could start to prevent the user network login password from travelling over the telephone system in the clear. At remote sites, encryption/decryption would preferably be done in hardware, e.g.
an in-line stand alone box, modem encryptor, off-line PCMCIA card, computer board or smart card. Assuming that this medium cost solution is implemented with proper key management, the vulnerability level would decrease to 1 while the safeguard effectiveness would increase to 3 (because of the additional remote access protection), thus reducing the risk measure to 2.

3.2.5.2 Unauthorized Modification of Organization Data

A. Vulnerabilities
Same as 3.2.5.1 A.

B. Present Safeguards
Same as 3.2.5.1 B, plus Weekly backups.
For the same reasons as those mentioned in section 3.2.5.1, the network remains highly vulnerable to hackers capturing passwords as they travel on the telephone system. Even though the original information could possibly be recovered from backup, backups are performed only once a week and nothing ensures that the backed up information is not corrupted. For this reason, the safeguards effectiveness is considered low (1).

C. Risk
The network is considered to be highly vulnerable (3) to hackers gaining unauthorized access to the network resulting in unauthorized modification of information. Using Table V, with an exposure rating of 7, vulnerability level 3 and safeguard effectiveness of 1 (3:1), the risk is measured as high (5), which is NOT ACCEPTABLE.

D. Potential Solutions
Performing daily backups would certainly increase the safeguard effectiveness to 2 and possibly 3. However, the network remains so vulnerable that even a highly effective security solution cannot reduce the risk to an acceptable level. The previously described secure gateway with encryption solution would here also be effective enough to decrease the vulnerability level to 2 and improve the safeguard effectiveness to 3, thus reducing the risk measure to 2.
3.5.3 Disruption

A. Vulnerabilities
Same as 3.5.1 A. Many single points of failure. No monitoring and no quotas on traffic and use of resources. The network is considered to be highly vulnerable (3) to hackers gaining unauthorized access to the network, later resulting in the unavailability of information.

B. Present Safeguards
Same as 3.5.2 B, plus Novell Undelete. Should the organization data be destroyed by deletion of files or reformatting of a hard disk, it could be recovered from backup or possibly by using the undelete feature. However, as previously mentioned, backups are done only once a week, and these services are not designed to provide effective availability. Thus, the effectiveness of the safeguards in place is considered medium (2).

C. Risk
Using Table V, with an exposure rating of 9, vulnerability level 3 and safeguard effectiveness of 2 (3:2), the risk is measured as high (5), which is NOT ACCEPTABLE.

D. Potential Solution
The network remains highly vulnerable to hackers capturing passwords as they travel on the telephone system. The secure gateway solution described in section 3.5.1 D would reduce the risk measure to low (2).

3.5.4 Deceptive Actions on Organization Data
The deceptive actions resulting from a hacker gaining access to the network using a valid user ID and password include sending e-mails, setting up meetings/appointments, etc., using the valid user's identity.
A. Vulnerabilities
Same as 3.5.1 A. Once hackers gain access to a network using a valid user's ID and password, all kinds of deceptive actions can occur. The network is considered to be highly vulnerable (3) to hackers gaining unauthorized access to the network resulting in deceptive actions on the organization data.

B. Present Safeguards
Same as 3.5.1 B. For this reason, the safeguards effectiveness is considered low (1).

C. Risk
Using Table V, with an exposure rating of 7, vulnerability level 3 and safeguard effectiveness of 1 (3:1), the risk is measured as high (5), which is NOT ACCEPTABLE.

D. Potential Solutions
For the same reasons as those mentioned in section 3.5.1, the network remains highly vulnerable to hackers capturing passwords as they travel on the telephone system. The secure gateway solution described in section 3.5.1 D would reduce the risk measure to low (2).

3.6 Threat of Foreign Governments Eavesdropping the Network Resulting in:

3.6.1 Unauthorized Disclosure of Organization Data

A. Vulnerabilities
Data travels in the clear on the network and the public telephone network. Ethernet topologies are used (data is broadcast on network segments). Some connections are made with unshielded twisted-pair cables. No tempest or low emanation equipment is used. Some monitors are located just beside windows. Most of the printers are located in open areas and some are very close to windows. The network is considered to be highly vulnerable (3) to eavesdropping, which would result in the unauthorized disclosure of information.

B. Present Safeguards
Physical access control is in place at each location. Fibre optics is used at some locations. These safeguards do not provide effective protection against eavesdropping, wire tapping or reading of information from windows. The safeguard effectiveness is considered to be low (1).

C. Risk
Using Table V with an exposure rating of 6, vulnerability level 3 and safeguard effectiveness of 1 (3:1), the risk is measured as high (5), which is NOT ACCEPTABLE.

D. Potential Solutions
With an exposure rating of 6, an acceptable risk measure will be difficult to obtain without a highly effective security solution which, in this case, must include tempest equipment. It could be determined that only tempest equipment would have the capability of reducing the risk measure to low. This solution being very costly, in accordance with GSP, a medium risk might in this case be deemed acceptable by the highest authority. For this scenario, a solution could consist of a mix of procedures and mechanisms. For example, a procedure could be put in place to prevent monitors from being read through the windows; this can be achieved by relocating or reorienting computers, monitors and desks. The network printing services could be reset to oblige users to print on specific printers. In addition, twisted-pair cables could be replaced by fibre optics, and ethernet cards accordingly. Encryption with proper key management could be put in place on all external connections, including outside lines and frame relay connections. With this medium cost solution, the vulnerability level would decrease from 3 to 2 and the safeguard effectiveness would increase from 1 to 2, thus reducing the risk measure to medium (3).

3.7 Threat of Vandals Introducing a Virus on the Network Resulting in:

3.7.1 Unauthorized Modification of Organization Data

A. Vulnerabilities
No virus scan or virus detection tool is implemented. Network startup files are stored on each client station. Numerous uncontrolled external network connections via client stations.
The network cannot efficiently limit the areas where a virus can be introduced and transmitted over the network. The network is considered to be highly vulnerable (3) to virus attacks resulting in the unauthorized modification of information.

B. Present Safeguards
Novell access control features, which provide protection against unauthorized access to the network. Weekly backups. Procedures stating that floppy diskettes external to the network should not be used on client stations. The present safeguards are lowly effective (1) to protect the network against a virus corrupting data.

C. Risk
Using Table V, with an exposure rating of 9, vulnerability level 3 and safeguard effectiveness of 1 (3:1), the risk is measured as high (5), which is NOT ACCEPTABLE.

D. Potential Solutions
Controlling external connection lines through the use of a secure gateway, instead of using uncontrolled modems on the client stations, could reduce the network vulnerability level for virus infection from 3 to 2. The addition of up-to-date and effective virus detection software running on every client station and every file server on the network, combined with daily backup procedures, would certainly increase the safeguard effectiveness from 1 to 3, thus reducing the risk level to low (2).

3.7.2 Disruption

A. Vulnerabilities
Same as 3.7.1 A. The network is considered to be highly vulnerable (3) to virus attacks resulting in the unavailability of the organization data.

B. Present Safeguards
Same as 3.7.1 B. The present safeguards are lowly effective (1) to protect the network against a virus disrupting the network or deleting files in such a way that the organization data becomes unavailable, even though data can potentially be recovered from backups if required.

C. Risk
Using Table V with an exposure rating of 7, vulnerability level 3 and safeguard effectiveness of 1 (3:1), the risk is measured as high (5), which is NOT ACCEPTABLE.

D. Potential Solutions
Same as 3.7.1 D. The risk measure can be reduced to low (2) by using the same solution as the one described in 3.7.1 D.

3.8 Threat of Malicious Employees Using a Trojan Horse Resulting in:

3.8.1 Unauthorized Disclosure of Information

A. Vulnerabilities
No protection against unhappy valid users who are touched by lay-offs and/or salary cuts (many employees have high technical skills that can be used against computers). Client stations are not password protected at boot time. When users are away from their computers, they tend to leave them still logged in to the network. Computer equipment is located in open areas. The network is considered to be highly vulnerable (3) to Trojan Horse attacks resulting in the unauthorized disclosure of information.

B. Present Safeguards
Minimum reliability checks are done on all the employees of the organization. Access to user accounts is limited by client station address (Novell feature). Auditing of access to data. ACLs are set in such a way that all the executables stored on the network can only be executed, i.e. they cannot be copied, deleted or modified. However, the majority of employees are allowed to read most of the organization data.
The present safeguards are moderately effective (2) to protect the network against the intrusion of a Trojan Horse resulting in unauthorized access to organization data, mainly because there is a certain level of trust given by the reliability check that employees would not act maliciously to obtain information that they can be authorised to obtain.

C. Risk
Using Table V, with an exposure rating of 2, vulnerability level 2 and safeguard effectiveness of 1 (2:1), the risk is measured at low (2).

3.8.2 Unauthorized Modification of Information

A. Vulnerabilities
Same as 3.8.1 A. The network is considered to be highly vulnerable (3) to Trojan Horse attacks resulting in the unauthorized modification of information.

B. Present Safeguards
Same as 3.8.1 B, plus Novell NCP Packet Signature, i.e. a mechanism that ensures the data is not modified as it travels over the network. Weekly backups. A Trojan Horse would certainly operate at the client stations to modify the data after it is entered by a user and before it is transmitted over the network, i.e. before packet signature occurs. Once the Trojan Horse is discovered, the backups might also contain corrupted data. The present safeguards are lowly effective (1) to protect the network against the intrusion of a Trojan Horse which would result in the unauthorized modification of organization data.

C. Risk
Using Table V, with an exposure rating of 7, vulnerability level 3 and safeguard effectiveness of 1 (3:1), the risk is measured as high (5), which is NOT ACCEPTABLE.

D. Potential Solutions
With an exposure rating of 7, an acceptable risk cannot be obtained without reducing the vulnerability level. The easiest way to decrease the network vulnerability for this Trojan Horse threat is certainly to control access to every client station. This could be achieved by installing a piece of hardware that will force users to identify and authenticate themselves before the computer can boot. The same product could also protect the start-up files (computer booting and network connection) and system files, including interrupt routines, against modification (by access mediation, encrypted checksum or signature), which would be highly effective to protect the network against the intrusion of a Trojan Horse. With this medium cost solution, the vulnerability level would decrease from 3 to 2 and the safeguards would become highly effective (3), thus reducing the risk measure to an acceptable level of 2.

3.8.3 Disruption

A. Vulnerabilities
Same as 3.8.1 A. A Trojan Horse would operate at the client stations to degrade the network performance and possibly filter out some data before it reaches the user. The network is considered to be highly vulnerable (3) to Trojan Horse attacks resulting in the unavailability of information.

B. Present Safeguards
Same as 3.8.1 B, except that auditing would probably not help. Although destroyed information could possibly be recovered from backups, there is no mechanism to detect a Trojan Horse or prevent it from harming the network. The present safeguards are lowly effective (1) to protect the network against the intrusion of a Trojan Horse resulting in the unavailability of organization data.

C. Risk
Using Table V, with an exposure rating of 7, vulnerability level 3 and safeguard effectiveness of 1 (3:1), the risk is measured at high (5), which is NOT ACCEPTABLE.

D. Potential Solutions
The solution described in section 3.8.2 would also be effective here to reduce the risk measure to low (2).

3.8.4 Deceptive Actions on Organization Data
Deceptive actions would result from a malicious employee installing a Trojan Horse to capture user or administrator passwords. Using another valid user's ID and password, the malicious employee would send e-mail messages and FAXs, make meeting appointments, etc.
A. Vulnerabilities
Same as 3.8.1 A. A Trojan Horse would transparently capture the user password entered at his/her client station. The malicious individual would later use the captured password to login as a different user and cause deceptive actions to occur. The network is considered to be highly vulnerable (3) to a Trojan Horse used to capture passwords.

B. Present Safeguards
Same as 3.8.1 B, except that auditing would not help. There is no mechanism in place to detect a Trojan Horse or prevent it from harming the network. The present safeguards are lowly effective (1) to protect the network against the intrusion of a Trojan Horse.

C. Risk
Using Table V, with an exposure rating of 7, vulnerability level 3 and safeguard effectiveness of 1 (3:1), the risk is measured at high (5), which is NOT ACCEPTABLE.

D. Potential Solutions
The solution described in section 3.8.2 would also be effective here to reduce the risk measure to low (2).

3.3 Selection of Solutions and Residual Risks
Based on the performed risk analysis, cost effective security services and mechanisms that are appropriate to reduce the risks associated with the organization data are recommended. It is quite possible that several mechanisms be used to counter a single threat; in that case, multiple mechanisms are listed. Table B-2 shows the present risks, the services and mechanisms that are recommended for the network and the residual risks remaining after these new safeguards are implemented. It should be noted that a clearly stated security policy, a well defined set of security procedures, together with adequate user training are essential for achieving and maintaining a secure network environment.
Table B-II: Present Risks, Proposed Solutions and Residual Risks

| Threat Scenario | Present Risk | Security Solution | Residual Risk |
|---|---|---|---|
| Threat of Fire Resulting in: | | | |
| unauthorized disclosure | 0 | Not required | 0 |
| unauthorized modification | 0 | Not required | 0 |
| disruption | 3 | a) Daily backups; b) Off-site storage of one backup per week | 2 |
| Threat of User Errors Resulting in: | | | |
| unauthorized disclosure | 5 | a) Secure FAX: join the government secure FAX network; b) Access control on FAX services; c) Information is monitored before being FAXed | 2 |
| unauthorized modification | 5 | a) Data entry validation | 2 |
| disruption | 1 | Not required | 1 |
| deceptive actions | 1 | Not required | 1 |
| Threat of Administrator Errors Resulting in: | | | |
| unauthorized disclosure | 5 | a) Additional network administration staff: the administration of the network would be shared between three qualified individuals instead of only two; b) New procedures are implemented to constantly verify user access rights on network resources and data | 2 |
| unauthorized modification, disruption | 5, 5 | a) Additional network administration staff; b) Daily backups | 2, 2 |
| deceptive actions | 1 | Not required | 1 |
| Threat of Equipment Failure Resulting in: | | | |
| unauthorized disclosure | 0 | Not required | 0 |
| unauthorized modification | 2 | Not required | 2 |
| disruption | 4 | a) Elimination of single points of failure by implementing a new application that will duplicate and replicate the organization data across the network, and installing alternate connections between the servers. This is later referred to as the "new application" | 2 |
| Threat of Hackers (Cracking or Capturing Passwords) Resulting in: | | | |
| unauthorized disclosure | 5 | a) Banning of modem connection to client stations; b) Continuous scanning of the organization telephone lines to make sure that modems are not connected; c) Gateway for remote access to network; d) Strong I&A at the gateway level using smart card technology; e) DES encryption of traffic between gateway and remote sites. All of these are later referred to as "secure gateway" | 2 to 1, depending on the selected products |
| unauthorized modification | 5 | a) Secure gateway | 2 |
| disruption | 5 | a) Secure gateway | 2 |
| deceptive actions | 5 | a) Secure gateway | 2 |
| Threat of Foreign Governments (Eavesdropping) Resulting in: | | | |
| unauthorized disclosure | 5 | a) Procedures enforcing the installation of the client station monitors in such a way that the displayed data cannot be read through the windows; b) Traffic encryption between gateway and remote sites; c) In-line DES traffic encryption on every network interconnection through the public telephone system | 3 |
| unauthorized modification | 0 | Not required | 0 |
| disruption | 0 | Not required | 0 |
| deceptive actions | 0 | Not required | 0 |
| Threat of Vandals (Virus) Resulting in: | | | |
| unauthorized disclosure | 0 | Not required | 0 |
| unauthorized modification | 5 | a) Secure gateway; b) Implementation of a virus detection utility that will continuously scan for viruses at the client station and server levels; c) Daily backups | 2 |
| disruption | 5 | a) Secure gateway; b) Virus detection | 2 |
| deceptive actions | 0 | Not required | 0 |
| Threat of Malicious Employees (Trojan Horse) Resulting in: | | | |
| unauthorized disclosure | 2 | Not required (the risk will be reduced to 1 once access control to PCs is implemented) | 2 |
| unauthorized modification | 5 | a) Access control to client stations by the use of a hardware product; b) Access control to the start-up and system files | 2 |
| disruption | 5 | Same as above | 2 |
| deceptive actions | 5 | Same as above | 2 |

Risk scale: 0 = minimal risk; 1 = very low risk; 2 = low risk; 3 = medium risk; 4 = moderately high risk; 5 = high risk.

The risk values and security solutions identified in Table B-2 apply to the organization data asset and the specific identified threats only. A complete network TRA would require examining every possible threat to every network asset.
Other vulnerabilities that could have an impact on the risk measures might also need to be considered, depending on the environment, the culture of the organization or the granularity level of the threat and risk vulnerabilities. These other vulnerabilities include the following:

A. Poor physical control of network devices
Although networks are generally located in guarded buildings, this does not imply that security is always tight. The servers might be placed in rooms that are locked at night, but not locked at all times because users desire easy accessibility to the network printers connected to the server. Unauthorized server access can cause potentially high damage; all server consoles should always be password protected.

B. Access to Network Resources
Although one of the advantages of using a network is that many network resources can be shared among users, not all resources need to be made available to every user. Unauthorized access to network resources usually results from the fact that the access rights are not properly assigned, or the access control mechanism lacks granularity.

C. Low assurance level
Use of non-evaluated products, including the network operating system, however, provides only a low level of trust that the product cannot be circumvented.
APPENDIX C – EXAMPLE NETWORK SECURITY POLICY

1 Background
The information residing on the network is mission critical. The size and complexity of the network within the organization has increased, and it now processes large quantities of designated information. Because of this, specific security measures and procedures must be implemented to protect the information being processed on the network. The network facilitates sharing of information and programs by multiple users. This environment increases security risk and requires more stringent protection mechanisms than would be needed for a standalone microcomputer (PC) operation. These expanding security requirements in the computing environment are recognized by this policy, which addresses the use of the organization network.

This policy statement has two purposes. The first is to emphasize for all employees the importance of security in the organization network environment and their role in maintaining that security. The second is to assign specific responsibilities for the provision of data and information security, and for the security of the network itself.

2 Scope
All automated information assets and services that are utilized by the network are covered by this policy. Network resources include data, information, software, hardware, facilities, and telecommunications. The policy is applicable to all those associated with the network, including all employees and contractors utilizing the network. It applies equally to servers, peripheral equipment, client stations (PCs), etc. within the network environment.

3 Goals
The goals of this network security policy are to ensure the integrity, availability and confidentiality of data residing and travelling across the network, so that the security policy implemented within the organization can be extended to the network. Specifically the goals are as follows:
- Ensure that the network environment has appropriate security commensurate with sensitivity, criticality, or that is necessary to meet with applicable mandates.
- Ensure individual accountability for data, information, and other computing resources to which individuals have access.
- Ensure that security is cost-effective based on a cost versus risk ratio.
- Ensure that appropriate support for the security of data in each functional area is provided for.
- Ensure auditability of the network environment.
- Ensure that all applicable federal department and organizational policies, mandates, etc. are applied and adhered to.
- Ensure that employees are provided sufficient guidance for the discharge of responsibilities regarding automated information security.
- Ensure that all critical functions of the network have appropriate contingency plans or disaster recovery plans to provide continuity of operation.

4 Responsibilities
The following groups are responsible for implementing and maintaining the security goals set forth in this policy. Detailed responsibilities are presented in Section 5.2 of this appendix, Responsibilities for Ensuring Network Security.
1. Functional Management (FM) - those employees who have a program or functional responsibility (not in the area of computer security) within the organization. Functional Management is responsible for informing staff about this policy, assuring that each person has a copy or access to a copy, and interacting with each employee on security issues.
2. LAN Management Division (LM) - employees who are involved with the daily management and operations of the network. They are responsible for ensuring the continued operation of the network. The Network Management Division is responsible for implementing appropriate network security measures in order to comply with the network security policy.
3. Local Administrators (LA) - employees who are responsible for ensuring that end users have access to needed network resources. Local administrators are responsible for ensuring that the security of their respective network resources and users is in accordance with the network security policy.
4. End Users (U) - any employees who have access to the network. They are responsible for using the network in accordance with the network security policy, and for reporting to management any suspected breach of security. All users are responsible for complying with the security policy established by those with the primary responsibility for the security of the data.
Enforcement
The failure to comply with this policy may expose information to unacceptable risks resulting in the loss of confidentiality, integrity, availability or accountability while stored, processed or transmitted on the network. Violations of standards, procedures or guidelines in support of this policy will be brought to the attention of management for action and could result in disciplinary action up to and including termination of employment.

5.1 General Policies for the LAN
GP1. Every PC should have an "owner" or "system manager" who is responsible for the maintenance and security of the computer, including the installation and location of equipment, and for following all policies and procedures associated with the use of the computer and the security product. These individuals should be trained and given guidance so that they can adequately follow all policies and procedures. The local administrators may fill this role.
GP2. In order to prevent unauthorized access to data, software, and other resources residing on the network, all security mechanisms of the network must be under the exclusive control of the local administrator and the relevant personnel of the Network Management Division.
GP3. Each user must be assigned a unique network user ID and initial password (or other identification information and authentication data). Users must not share their assigned user IDs and passwords and must not enter their passwords via a batch file.
GP4. In order to prevent the spread of malicious software and to help enforce program license agreements, users must ensure that their software is properly licensed and safe. Client stations and file servers will be scanned to detect viruses and illegitimate TSR programs.
GP5. All software changes and backups on the servers will be the responsibility of the Network Management Division, and will be made only after the proper documentation has been completed. The backups will be done on a daily basis. Monday's backups will be stored off-site.
GP6. The organization data shall be duplicated and replicated across the network to eliminate single points of failure.
GP7. The access to every network client station, including the access to the start-up system and network files, shall be controlled and monitored by an off-the-shelf hardware product.
GP8. Users must be authenticated to the network before accessing network resources.
GP9. The length of the user passwords shall not be less than 8 characters. The administrator password length shall not be less than 10 characters.
GP10. Every user account, including administrators', shall be disabled for a period of 48 hours after three consecutive unsuccessful login attempts.
GP11. User accounts must be suspended after a 60-day consecutive period of non-use.
GP12. Remote access to the network shall be done through a secure gateway. For remote access to the network, users must be authenticated to the secure gateway before login to the network. Authentication tokens are required to access the gateway. Data travelling between the secure gateway and remote sites shall be encrypted.
GP13. Connection of modems on client stations is prohibited. Each telephone line within the organization will be monitored by the Network Management Division to detect modems or non-authorized electronic devices.
GP14. Use of network hardware such as traffic monitors/recorders and routers must be authorized and monitored by the Network Management Division.
GP15. Security reports must be generated and reviewed on a daily basis.
GP16. Employees responsible for the management, operations and use of the network must receive training in computer security awareness and acceptable computer practices. Computer security training should be implemented into existing training programs such as orientation programs for new employees, and training courses involved with information technology systems, equipment and software packages.

5.2 Specific Responsibilities for Ensuring Network Security

5.2.1 Users
Users are expected to be knowledgeable about and adhere to network security policies, and other applicable security policies and associated practices for the network. Specifically users are responsible for the following:
U1. Responsible for understanding and respecting relevant laws, Department policies and procedures, mandates and procedures, network policies and procedures, and other applicable laws and policies.
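The account-lifecycle statements in the general policies above (minimum password length of 8 for users and 10 for administrators, a 48-hour lockout after three consecutive failed logins, suspension after 60 days of non-use, a daily security report) can be turned into mechanical checks. The following is an added example, not code from the CSE guide: the thresholds are the policy's, while the Account record, its field names and all sample data are constructed.

```python
"""Account checks for the general LAN policy statements above (password length,
lockout after failed logins, suspension after non-use, daily security report).

Added example, not code from the CSE guide: the thresholds come from the policy
text; the Account record, its field names and all sample data are constructed.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import List, Optional

MIN_USER_PASSWORD_LEN = 8       # user passwords: not less than 8 characters
MIN_ADMIN_PASSWORD_LEN = 10     # administrator passwords: not less than 10
MAX_FAILED_LOGINS = 3           # three consecutive unsuccessful attempts ...
LOCKOUT = timedelta(hours=48)   # ... disable the account for 48 hours
INACTIVITY_LIMIT = timedelta(days=60)  # suspend after 60 days of non-use


@dataclass
class Account:
    """Constructed account record (hypothetical field names)."""
    user_id: str
    is_admin: bool
    password_len: int                   # only the length is kept, never the password
    last_login: Optional[datetime]
    failed_attempts: List[datetime] = field(default_factory=list)
    locked_until: Optional[datetime] = None
    suspended: bool = False


def is_locked(acct: Account, now: datetime) -> bool:
    return acct.locked_until is not None and now < acct.locked_until


def record_login_attempt(acct: Account, when: datetime, success: bool) -> bool:
    """Apply the lockout rule to one attempt; return True if the login is accepted."""
    if acct.suspended or is_locked(acct, when):
        return False                    # rejected: account disabled or suspended
    if success:
        acct.failed_attempts = []       # a successful login resets the counter
        acct.locked_until = None
        acct.last_login = when
        return True
    acct.failed_attempts.append(when)   # the policy sets no time window, only a count
    if len(acct.failed_attempts) >= MAX_FAILED_LOGINS:
        acct.locked_until = when + LOCKOUT
        acct.failed_attempts = []
    return False


def apply_inactivity_rule(acct: Account, now: datetime) -> bool:
    """Suspend an account unused for a 60-day consecutive period."""
    if acct.last_login is not None and now - acct.last_login >= INACTIVITY_LIMIT:
        acct.suspended = True
    return acct.suspended


def password_policy_violations(acct: Account) -> List[str]:
    """Minimum password length: 8 for users, 10 for administrators."""
    minimum = MIN_ADMIN_PASSWORD_LEN if acct.is_admin else MIN_USER_PASSWORD_LEN
    if acct.password_len < minimum:
        return [f"{acct.user_id}: password length {acct.password_len} < {minimum}"]
    return []


def audit(accounts: List[Account], now: datetime) -> List[str]:
    """Daily security report: one finding per violated policy statement."""
    findings: List[str] = []
    for acct in accounts:
        findings.extend(password_policy_violations(acct))
        if is_locked(acct, now):
            findings.append(f"{acct.user_id}: locked until {acct.locked_until:%Y-%m-%d %H:%M}")
        if apply_inactivity_rule(acct, now):
            findings.append(f"{acct.user_id}: suspended (no login in 60 days)")
    return findings


def sample_accounts() -> List[Account]:
    """Constructed sample records; dave has just failed three logins in a row."""
    alice = Account("alice", False, 8, datetime(1995, 3, 10, 17, 0))
    bob = Account("bob", True, 9, datetime(1995, 3, 14, 8, 0))
    carol = Account("carol", False, 12, datetime(1995, 1, 1, 9, 0))
    dave = Account("dave", False, 8, datetime(1995, 3, 14, 12, 0))
    for minute in (0, 1, 2):
        record_login_attempt(dave, datetime(1995, 3, 15, 8, minute), success=False)
    return [alice, bob, carol, dave]


if __name__ == "__main__":
    for line in audit(sample_accounts(), datetime(1995, 3, 15, 9, 0)):
        print(line)
```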
U2. Responsible for employing available security mechanisms for protecting the confidentiality and integrity of their own information when required.
U2.1 Follow site procedures for security of sensitive data as well as for the network itself. Use file protection mechanisms to maintain appropriate file access control.
U2.2 Select and maintain good passwords. Do not write passwords down, or disclose them to others. Do not share accounts.
U3. Responsible for advising others who fail to properly employ available security mechanisms. Help to protect the property of other individuals. Notify them of resources (e.g. files, accounts) left unprotected.
U4. Responsible for notifying the local administrator or management if a security violation or failure is observed or detected.
U5. Responsible for not exploiting system weaknesses.
U5.1 Do not intentionally modify, destroy, read or transfer information in an unauthorized manner; do not intentionally deny others authorized access to or use of network resources and information.
U5.2 Provide the correct identity and authentication information when requested and do not attempt to assume another party's identity.
U6. Responsible for ensuring that backups of the data and software on their own workstation's fixed disk drive are performed.
U7. Responsible for being familiar with how malicious software operates, methods by which it is introduced and spread, and the vulnerabilities that are exploited by malicious software and unauthorized users.
U8. Responsible for knowing and following appropriate policies and procedures for the prevention, detection, and removal of malicious software.
U9. Responsible for knowing how to monitor specific systems and software to detect signs of abnormal activity, and what to do or whom to contact for more information.
U10. Responsible for utilizing the technical controls that have been made available to protect systems from malicious software.
U11. Responsible for knowing and utilizing contingency procedures for containing and recovering from potential incidents.
U12. Responsible for scanning diskettes and any piece of software before they are copied to a client station or file server hard disk.

5.2.2 Functional Managers
Functional managers (and higher-level management) are responsible for the development and implementation of effective security policies that reflect specific network objectives. They are ultimately responsible for ensuring that information and communications security is, and remains, a highly visible and critical objective of day-to-day operations. Specifically functional managers are responsible for the following:
FM1. Responsible for ensuring that all personnel within the operating unit are made aware of this policy, and for incorporating it into computer security briefings and training programs. Responsible for implementing a security awareness program for users to ensure knowledge of the site security policy and expected practices.
FM2. Responsible for implementing effective risk management in order to provide a basis for the formulation of a meaningful policy. Risk management requires identifying the assets to be protected, assessing the vulnerabilities, analyzing the risk of exploitation, and implementing cost-effective safeguards.
FM3. Responsible for ensuring that each user receives, at a minimum, a copy of the security policy and site handbook (if any) prior to establishing an account for the user.
FM4. Responsible for informing the local administrators and the Network Management Division of the change in status of any employee who utilizes the network. This status change includes a position change or a termination of employment within the organization.
FM5. Responsible for ensuring that users understand the nature of malicious software, how it is generally spread, and the technical controls to use for protection.

5.2.3 Network Management Division
The Network Management Division (or designated personnel) is expected to enforce (to the extent possible) local security policies as they relate to technical controls in hardware and software, to archive critical programs and data, and to control access to and protect network physical facilities. Specifically, network management is responsible for the following:
NM4. NM8. Responsible for securing the network environment within the site and interfaces to outside networks.2. Responsible for identifying and recommending software packages for the detection and removal of malicious software. NM13. Responsible for developing procedures that allow users to report computer viruses and other incidents and then responsible for notifying potentially affected parties of the possible threat. NM10. NM11. assist other local administrators in responding to security violations. NM12.1. informing local users and advising management of changes or new developments. NM7. Responsible for responding to emergency events in a timely and effective manner. Responsible for backing up all data and software of the network servers on a daily basis. Responsible for advising management on the workability of the existing policies and any technical considerations that might lead to improved practices. detection. and removal of malicious software consistent with the guidelines contained herein. Cooperate with local administrators in locating violators and assist in enforcement efforts. Privacy of users should always be a major consideration. Responsible for promptly notifying the appropriate security or incident response 87 . Responsible for employing generally approved and available auditing tools to aid in the detection of security violations. NM2. Notify local administrators if a penetration is in progress. Responsible for remaining informed on outside policies and recommended practices and when appropriate. NM4. NM3. NM6. NM9. NM4. NM5. Responsible for developing appropriate procedures and issuing instructions for the prevention. Responsible for judiciously exercising the extraordinary powers and privileges that are inherent in their duties.NM1. Responsible for conducting timely audits of network logs and access to information. Responsible for rigorously applying available security mechanisms for enforcement of local security policies.
2. Responsible for providing assistance in determining the source of malicious 88 LA2. LA6. Responsible for maintaining and protecting network software and relevant files using available security mechanisms and procedures. When appropriate. LA7. NM16. Responsible for scanning the network servers with anti-virus software at regular intervals to assure no virus becomes resident on the network servers. Responsible for promptly notifying the appropriate security or incident response personnel of all computer security incidents. on their assigned resources and users.2. LA4. Responsible for providing assistance for the removal of malicious software.1. Responsible for monitoring all security-related events and the following-up on any actual or suspected violations where appropriate. Cooperate with other local administrators and the Network Management Division in finding violators and assisting in enforcement efforts. assist other local administrators in responding to security violations. .4 Local Administrators Local administrators (or designated personnel) are expected to utilize. LA6. NM15. Specifically local administrators are responsible for the following: LA1. the available network security services and mechanisms to support and enforce applicable security policies and procedures. programs and functions. 5. LA6.personnel of all computer security incidents including malicious software. Responsible for providing assistance in determining the source of malicious software and the extent of contamination. including malicious software. Responsible for conducting periodic reviews to ensure that proper security procedures are followed. LA3. Responsible for managing users' access privileges to data. LA5. Notify the Network Management Division if a penetration is in progress. including those designed to protect against malicious software and unauthorized modems. NM14. 
responsible for notifying and coordinating with the Network Management Division the monitoring or investigation of security-relevant events. Responsible for assigning a unique USERID and initial password (or other identification information or authentication data) to each user only after proper documentation has been completed.
Responsible for verifying the strength of users passwords. 89 . LA8.software and the extent of contamination.
APPENDIX D – PERSONAL COMPUTER (PC) CONSIDERATIONS
Personal computers typically do not provide technical controls for user authentication, access control, or memory protection that differentiates between system memory and memory used for user applications. Because of the lack of controls and the resultant freedom with which users can share and modify software, personal computers are more prone to attack by viruses, unauthorized users and related threats. Virus prevention in the PC environment must rely on continual user awareness to adequately detect potential threats and then to contain and recover from the damage. PC users are in essence PC managers, and must practice their management as a part of their general computing.

Because of the dependence on user involvement, policies for network environments (and thus PC usage) are more difficult to implement than in a multi-user computer environment. However, emphasizing these policies as part of a user education program will help to ingrain them in users' behaviour. Users should be shown via illustrated example what can happen if they do not follow the policies. An example where users share infected software and then spread the software throughout an organization would serve to effectively illustrate the point, thus making the purpose of the policy more clear and more likely to be followed. (It is not suggested that an organization actually enact this example, merely illustrate it.)

Another effective method for increasing user cooperation is to create a list of effective PC management practices specific to each personal computing environment. Creating such a list would save users the problem of determining how best to enact the policies, and would serve as a convenient checklist that users could reference as necessary.

Personal computers generally do not contain auditing features, thus a user needs to be aware at all times of the computer's performance, i.e. what is normal or abnormal activity. Ultimately, PC users need to understand some of the technical aspects of their computers in order to detect security problems and to recover from those problems. Not all PC users are technically oriented; this poses some problems and places even more emphasis on user education and involvement in virus prevention.
APPENDIX E – CONTINGENCY PLANNING FOR NETWORKS
A computer security incident is any adverse event whereby some aspect of computer security could be threatened: loss of data confidentiality, loss of data or system integrity, or disruption or denial of availability. In a network environment the concept of a computer security incident can be extended to all areas of the network (hardware, software, data, transmissions, etc.) including the network itself. Contingency plans in a network environment should be developed so that any network security incident can be handled in a timely manner, with as minimal an impact as possible on the ability of the organization to process and transmit data. A contingency plan should consider (1) incident response, (2) back-up operations, and (3) recovery.

1. The purpose of incident response is to mitigate the potentially serious effects of a severe network security-related problem. It requires not only the capability to react to incidents, but the resources to alert and inform the users if necessary. It requires the cooperation of all users to ensure that incidents are reported and resolved and that future incidents are prevented.

2. Back-up operations plans are prepared to ensure that essential tasks (as identified by a risk analysis) can be completed subsequent to disruption of the network environment and continuing until the network is sufficiently restored. Priority should be given to those applications, services, etc. that are deemed critical to the functioning of the organization. Back-up operation procedures should ensure that these critical services and applications are available to users.

3. Recovery plans are made to permit smooth, rapid restoration of the network environment following interruption of network usage. Supporting documents should be developed and maintained that will minimize the time required for recovery.
APPENDIX F – TRAINING AND AWARENESS
To maintain security in a network environment, training in certain areas of network operation and use should be received by network users. Training areas that should be considered are listed below for functional managers, network managers and general users. Specifically, these areas are discussed below.

The training area for functional managers focuses on (1) the need to understand the importance of the security policy and (2) how that policy needs to be implemented into the network for it to be effective. It also directs attention on the need for effective incident response.

Functional Managers
1. Recognize the importance of the network security policy and how this policy drives the decisions made regarding network security.
2. Recognize the importance of determining adequate security for different types of information that the functional manager owns (or has responsibility for).
3. Recognize the network as a valuable resource to the organization and the need for protecting that resource.
4. Recognize the importance of providing for adequate protection (through funding, personnel, etc.).
5. Understand how to use the incident response capability effectively.

The training area for network managers and administrators focuses on the need to understand how security is provided for operationally on the network.

Network Management and Administration
1. Understand how the network operates in all aspects.
2. Understand network management and network administration's roles in implementing the security policy into the network.
3. Understand how the security services and mechanisms work.
4. Ability to recognize normal operating behaviour versus abnormal operating behaviour.
5. Ability to recognize improper use of the security mechanisms by users.

The training area for all users focuses on (1) recognizing the user role in the security policy and the responsibilities assigned there, (2) using the security services and mechanisms effectively to maintain security, and (3) understanding how to use the incident response procedures. Security mechanisms, etc. may not be effective if they are used improperly.

Network Users
1. Understand why maintaining network security is important.
2. Understand the security policy and the user responsibilities dictated there.
3. Understand how to use the security services and mechanisms provided by the network to maintain the security of the network and protect critical information.
4. Recognize normal client station or PC behaviour versus abnormal behaviour.
5. Understand how to use the incident response capability, how to report an incident, etc.
Accreditation: Formal declaration by the responsible management approving the operation of an automated system in a particular security mode using a particular set of safeguards. Accreditation is the official authorization by management for the operation of the system, and acceptance by that management of the associated residual risks. Accreditation is based on the certification process as well as other management considerations.

Access Control List: A list of entities, together with their access rights, which are authorized to have access to a resource.

Asset: An asset is a component or part of a network to which the department directly assigns a value to represent the level of importance to the "business" or operations/operational mission of the department, and therefore warrants an appropriate level of protection.

Assurance: The degree of confidence that a safeguard correctly implements the system specific security policy.

Attack: The act of aggressively trying to bypass security controls on a network (or other automated information system). The fact that an attack is made does not mean that it will succeed. The degree of success depends on the vulnerability of the system or activity and the effectiveness of the safeguards in place.

Audit: Independent review and examination of system records and activities in order to test for adequacy of system controls, to ensure compliance with established policy and operational procedures.

Audit Trail: A set of records that collectively provide documentary evidence of processing used to aid in tracing from original transactions forward to related records and reports and/or backward from records and reports to their component source transactions.

Authentication: The process of positively validating a claimed identity.

Availability: The accessibility of systems, programs, services and information to authorized users when needed and without undue delay.

Certification: An examination by qualified personnel of an information technology system's implemented security solutions against the system's security requirements.

Checksum: A value calculated from a block of data, used to detect unauthorized modification and/or errors in stored and transmitted data.

Compromise: A violation of the security policy of a system such that an unauthorized disclosure, destruction, modification or interruption of information and/or service might have occurred.

Confidentiality: The quality or condition of being sensitive to disclosure.

Contingency Planning: The process of developing a plan to restore information technology operations in the event of a disruption.

Covert Channel: A communication channel that allows two cooperating processes to transfer information in a manner that violates the system's security policy.

Cryptography: The discipline that treats the principles, means, and methods for making plain information unintelligible. It also means reconverting the unintelligible information into intelligible form.

Denial of Service: The prevention of authorized access to resources or the delaying of time-critical operations.

Designated Information: Information related to other than the national interest that may qualify for an exemption or exclusion under the Access to Information Act or Privacy Act.

Digital Signature: A cryptographic transformation of data which, when appended to a data unit, provides the services of origin authentication, data integrity, and signer non-repudiation.

Encryption: The transformation of readable data into an unreadable stream of characters using a reversible coding process.

Impact: Direct effect of a threat occurrence on a network.

Integrity: The quality or condition of being accurate or complete.

Jamming: Deliberate perturbation of a communication path.

Key Management: Manual and electronic procedures for the generation, dissemination, storage, replacement, and destruction of keys that control encryption or authentication processes.

Logical Bomb: A resident computer program which, when executed, checks for particular states of the system which, when satisfied, trigger the perpetration of an unauthorized act.

Masquerading: An attempt to gain access to a system or service by posing as an authorized user.

Motivation: Something that induces a threat to intentionally act against a system.

Overwrite: A procedure to remove or destroy data recorded on magnetic storage media by writing patterns of data over or on top of the data stored on the media.

Password: A protected/private character string used to authenticate an identity. Knowledge of a valid user ID and its associated password is considered proof of authorization to access networks or systems.

Penetration: The successful unauthorized access to a network or system.

Piggy Back: The gaining of unauthorized access to a network or system via another user's legitimate connection.

Residual Risk: The portion of risk that remains after security measures have been applied.

Resources: The equipment, money, people, knowledge, etc. available to a threat to initiate an attack.

Risk: A measure indicating the likelihood and consequence of events or acts exploiting vulnerabilities resulting in a compromise of network asset(s).

Risk Assessment: An evaluation, based on the effectiveness of existing or proposed security safeguards, of the chance of vulnerabilities being exploited.

Safeguard: An approved minimum security measure which, when correctly employed, will prevent or reduce the risk.

Security Breach: A violation of controls of a particular network such that assets are unduly exposed.

Security Features: The security relevant functions, mechanisms, and characteristics of network hardware or software.

Security Policy: The set of laws, rules, and practices that regulate how an organization manages, protects, and distributes sensitive information.

Spoofing: The deliberate act of inducing a user or a resource into taking an incorrect action.

Statement of Sensitivity: A description of the confidentiality, integrity or availability (SOS) requirements associated with the information or assets stored or processed in or transmitted by a network.

Target: The objective of a hostile threat agent.

Threat: Any potential event or act that could cause one or more of the following to occur: unauthorized disclosure, destruction, removal, modification or interruption of sensitive information, assets or services. A threat may be natural, deliberate or accidental.

Threat Assessment: An evaluation of the nature, likelihood and consequence of acts or events that could place sensitive information and assets at risk.

Trojan Horse: A computer program with an apparently or actually useful function that contains hidden additional functions that surreptitiously exploit the legitimate authorizations of the invoking process to the detriment of security.

Value: A measure or statement of the utility of an asset or information, or (alternatively) the cost if it is compromised. Utility and cost are contextually dependent, based on the needs and situation of the organization. Value is therefore not necessarily an objective term. The value can be stated in quantitative or qualitative terms.

Virus: A self-propagating Trojan horse composed of three parts: a mission component, a trigger component and a self-propagating component.

Vulnerability: A characteristic of the system which allows a successful threat event to occur.

Wiretapping: The monitoring and/or recording of data which is being transmitted over a communication link.