
NETWORK SECURITY

Analysis and Implementation

January 1996

MG - 1

Acknowledgements
The author would like to thank the U.S. National Institute of Standards and Technology (NIST) for their support in providing electronic copies of FIPS 191 "Guideline for the Analysis of Local Area Network Security" and "Priorities for LAN Security: A Case Study of a Federal Agency's LAN Security"; some of the information included in this guide was extracted from these documents.

Points of Contact
For technical information on network security please contact Marc Laroche, tel. (613) 991-7531, fax (613) 991-7455, e-mail MLaroche@cse.dnd.ca. For additional copies of the document, please contact the ITS Publications Section at (613) 991-7514/7468 or CSE's WWW site at the following address: http://WWW.cse.dnd.ca.

1995 Government of Canada, Communications Security Establishment (CSE), P.O. Box 9703, Terminal, Ottawa, Ontario, Canada, K1G 3Z4. This publication may be reproduced verbatim, in its entirety, without charge, for educational and personal purposes only. However, written permission from CSE is required for use of the material in edited or excerpted form, or for any commercial purpose.

Summary
To be effective, network security must be planned and managed properly. In these days of budget cuts and funding restrictions, it is more important than ever to implement security solutions specifically tailored to satisfy the identified requirements for security. This document includes a methodology to determine network security requirements. Other methodologies also exist that may be more appropriate for certain organizations. In any case, the methodology employed should permit the organization to identify the threats to its network, their likelihood of occurrence, the impacts for the organization should the threats materialize, and the vulnerabilities of the network that can be exploited, in order to obtain a measure of the risks associated with the network. Once the risks are known and measured, appropriate security solutions can be applied to reduce them to acceptable levels.

Security solutions offer network protection for confidentiality, integrity, availability and/or accountability purposes. Organizations should look at a solution's effectiveness in satisfying specific requirements; this is required to determine whether implementing the solution reduces the previously identified risks to a level acceptable to the organization. The effectiveness of a proposed solution depends on its implementation (e.g. encryption at the application layer vs the network layer), its design, the degree of difficulty required to circumvent it, and the level of trust associated with it (e.g. is the product evaluated?). Often, more than one solution is available. Solution selection should follow an iterative process in which the residual risk associated with the solution, the minimum acceptable risk for the organization and the cost of the solution are weighed. Once all the security solutions are effectively implemented, it is time to restart the process to find out whether there are new threats out there and new vulnerabilities that could be exploited.


TABLE OF CONTENTS

Acknowledgements ... i
Points of Contact ... i
Summary ... ii
List of Abbreviations ... vi
INTRODUCTION ... 1
1 DEFINING THE REQUIREMENTS FOR NETWORK SECURITY ... 2
1.1 Preparation ... 3
1.1.1 Defining the Network Protection Boundary and Scope ... 3
1.1.2 Identifying and Valuing Assets ... 3
1.2 Threat and Risk Assessment ... 5
1.2.1 Threat Assessment ... 7
1.2.2 Estimation of the Potential Impacts ... 12
1.2.3 Likelihood of Occurrence of Threats ... 12
1.2.4 Exposure Ratings ... 13
1.2.5 Present Network Vulnerabilities and Safeguards ... 14
1.2.6 Measuring the Risk ... 19
1.2.7 Risk Mitigation ... 22
1.3 Network Security Policy ... 23
2 SATISFYING THE REQUIREMENTS FOR NETWORK SECURITY ... 25
2.1 Confidentiality ... 26
2.1.1 Confidentiality via access control ... 26
2.1.2 Communication devices to increase traffic confidentiality ... 26
2.1.3 Encryption ... 27
2.1.3.1 Encryption key management ... 28
2.1.3.2 Location of encryption services in layered communications ... 29
2.1.4 Object reuse and covert channel ... 29
2.1.5 Providing confidentiality ... 30
2.2 Integrity ... 30
2.2.1 System integrity ... 30
2.2.2 Data integrity ... 32
2.2.2.1 Key management issues ... 33
2.2.2.2 Location of integrity services in layered communications ... 33
2.2.3 Providing integrity ... 33
2.3 Availability ... 34
2.3.1 Containment ... 35
2.3.2 Failure Tolerance ... 35
2.3.3 Providing availability ... 36
2.4 Accountability ... 37
2.4.1 Identification and Authentication ... 38
2.4.1.1 User ID/Password for authentication ... 38
2.4.1.2 Other Authentication Mechanisms ... 39
2.4.2 Audit ... 41
2.4.3 Non-repudiation ... 42
2.4.4 Providing Accountability ... 43
2.5 Physical Security ... 43
2.6 Selection of Appropriate Security Mechanisms ... 44
2.7 Assurance ... 45
APPENDIX A SUGGESTED READINGS ... 46
APPENDIX B PRACTICAL EXAMPLE: ASSESSING AND IMPLEMENTING NETWORK SECURITY ... 49
APPENDIX C EXAMPLE NETWORK SECURITY POLICY ... 81
APPENDIX D PERSONAL COMPUTER CONSIDERATIONS ... 89
APPENDIX E CONTINGENCY PLANNING FOR NETWORKS ... 90
APPENDIX F TRAINING AND AWARENESS ... 91
BIBLIOGRAPHY ... 93
GLOSSARY ... 94

LIST OF TABLES

Table I Typical Network Assets ... 4
Table II Threats to Networks ... 9
Table III Exposure Rating Based on Likelihood of Occurrence and Level of Impact ... 13
Table IV Network Vulnerabilities ... 15
Table V Risk Measures Based on Exposure Ratings, Vulnerability Levels and Present Safeguard Effectiveness ... 21
Table VI Confidentiality Mechanisms and Services ... 31
Table VII Integrity Mechanisms and Services ... 33
Table VIII Quotas for Availability of Resources ... 35
Table IX Failure Tolerance Services ... 36
Table X Availability Services and Mechanisms ... 37
Table XI Accountability Services and Mechanisms ... 43
Table B-I Exposure Ratings of the Organisation Data Asset to Threats ... 54
Table B-II Present Risks, Proposed Solutions and Residual Risks ... 77

LIST OF FIGURES

Figure 1 TRA Process ... 6
Figure 2 High Exposure versus Low Exposure ... 14
Figure 3 Situation where an asset is highly at risk ... 19
Figure 4 Examples of security solutions in a specific environment ... 20
Figure 5 The use of security solutions reduces the risk ... 23
Figure 6 Diagram of the example network ... 52

LIST OF ABBREVIATIONS

ACL: Access Control List
CC: Cryptographic Checksums
CRC: Cyclic Redundancy Check
CSE: Communications Security Establishment
CTCPEC: Canadian Trusted Computer Product Evaluation Criteria
DES: Data Encryption Standard
DOS: Disk Operating System
DSA: Digital Signature Algorithm
EKMS: Electronic Key Management Systems
EMC: Electromagnetic Compatibility
EMI: Electromagnetic Interference
FIPS: Federal Information Processing Standards
GoC: Government of Canada
GSP: Government Security Policy
GTRAIT: Guide Threat and Risk Assessment for Information Technology
I&A: Identification and Authentication
LAN: Local Area Network
MAC: Message Authentication Code
NCSC: National Computer Security Centre
NDS: NetWare Directory Services
NIST: National Institute of Standards and Technology
OSI: Open Systems Interconnection
PC: Personal Computer
PCMCIA: PC Memory Card International Association
RAM: Random Access Memory
RCMP: Royal Canadian Mounted Police
RSA: Rivest Shamir Adleman
SoS: Statement of Sensitivity
TCP/IP: Transmission Control Protocol/Internet Protocol
TCSEC: Trusted Computer System Evaluation Criteria (orange book)
TRA: Threat and Risk Assessment
TSR: Terminate and Stay Resident
UPS: Uninterruptible Power Supply

INTRODUCTION
Even though all networks have the same purpose of sharing data and resources between users, the protocols implemented, the services available, the physical location of the network, the environment and the configuration make each of them unique. For this reason, there cannot be a universal security solution that satisfies the security requirements of every individual network. Security solutions must be specifically tailored to each particular network. Thus, a weak definition of the network security requirements will almost certainly result in security solutions that are not cost-effective. In other words, implementing network security solutions without first understanding the specific need for such countermeasures and their benefit to the network will result in ineffective spending on security.

This guide is addressed particularly to decision makers, network managers and network administrators who are responsible for assessing and satisfying network security requirements in their organization. It comprises three main sections. First, it proposes a methodology that can be applied to identify network areas requiring protection throughout the entire life cycle of the network. The outcome of this process might be used to gain senior management commitment and support for network security. Security services and mechanisms are then described to inform the reader on how solutions can be applied to satisfy security needs. Finally, a practical example is presented to illustrate the concepts previously described. Since the various concepts presented in this document are generally high level and easy to assimilate, references for further reading on specific areas such as threat and risk assessment (TRA), encryption, the Internet, firewalls, etc. are given in section 5.

The mechanisms, procedures and guidance provided in this document should not be considered mandatory for satisfying the security requirements of a network. The reader should keep in mind that this guide offers suggestions only and that the services listed here should be considered potential solutions, not required solutions. Determining the appropriate controls and procedures to use in any network environment is the responsibility of those in each organization charged with providing adequate network protection.

1 DEFINING THE REQUIREMENTS FOR NETWORK SECURITY


The first question to be asked when the time comes to discuss network security is: why is security needed on the network? Most certainly, network security is required to enforce the organizational security policy on the network. However, other considerations must be raised to answer that question. For example: what are the valuable assets that require protection on the network? What are the threats to the network? How is the network vulnerable? What are the risks that threats cause harm to the network, considering the network vulnerabilities and the resulting impacts of the harm? What are the acceptable risks?

Finding answers to these questions might take several days or weeks depending on the complexity of the network, and might be perceived as time consuming and not useful. In fact, every hour spent in planning network security is an investment for the organization. Planning security includes assessing the threats and risks, managing the risks and establishing a network security policy. An important point to mention is that the outcomes of these activities should always be in accordance with the existing organizational security policy, which regulates how the organization manages, protects and distributes resources to achieve its security objectives. Planning network security allows the organizational security requirements to be extended to the network. Once the requirements for network security are clearly defined, it becomes a lot easier to implement security mechanisms and/or procedures that will efficiently satisfy them.

Security planning is the foundation on which the implementation of security mechanisms sits; it should never be bypassed. Security planning should be initiated and approved by the organization's upper management and should constantly remain in harmony with the organizational security policy. It is not only a responsibility of network administrators or security officers. The network administrators and managers should never proceed with security implementation before planning is completed, and the implementation should always be done in accordance with the network security policy.

Planning security on a network can be conducted in four steps:

a. Preparation: definition of the network security boundary and scope, inventory and valuation of assets, and sensitivity assessment of the information residing on and travelling over the network;

b. Threat Assessment and Exposure to Threats: determining the threats to each network asset, the impact for the organization should the threats materialize, and the likelihood of the threat occurrences. The outcome of this process is an exposure rating for each asset/threat/impact scenario;

c. Risk Assessment: considering the assets' exposure ratings to threats, network vulnerabilities and present safeguard effectiveness are analysed to determine the risk associated with each asset/threat/impact scenario;

d. Network Security Policy: preparing a network security policy which identifies the steps that should be taken to reduce the risks to acceptable levels.

1.1 Preparation
1.1.1 Defining the Network Protection Boundary and Scope

The purpose of this process is to determine how much of the network the security requirement definition should cover, and in how much detail. The boundary defines those parts of the network that must be considered. The boundary may include the network as a whole or parts of the network, such as the data communications components, the server function, the software applications, etc. Factors that determine the boundary may be based on network ownership, management or control. Placing the boundary around a part of the network controlled elsewhere may result in cooperation problems that lead to inaccurate results. This problem stresses the need for cooperation among those involved with the ownership and management of the different parts of the network, as well as of the applications and information processed on it.

The scope of the security requirement definition effort must also be defined. The scope distinguishes the different areas of the network (within the boundary) and the different levels of detail used during the security requirement definition process. For example, some areas may be considered at a higher or broader level, while other areas may be treated in depth and with a narrow focus. For smaller networks, e.g. an isolated Local Area Network (LAN), the boundary may be the LAN as a whole, and the scope may define a consistent level of detail throughout the LAN. For larger networks, an organization may decide to place the boundary around those areas that it controls and to define the scope to consider all areas within the boundary. However, the focus on data communications, external connections, and certain applications might be narrower. Changes in the network configuration, the addition of external connections, or updates or upgrades to network software or applications may influence the scope.

One of the implicit outcomes of this process is that a detailed configuration of the network, as well as of its uses, is produced. This configuration should indicate the hardware incorporated, the major software applications used, the significant information processed on the network, and how that information flows through the network. The degree of knowledge of the network configuration will depend on the defined boundary and scope.

1.1.2 Identifying and Valuing Assets

Asset valuation identifies and assigns value to the assets of the network. All parts of the network have value, although some assets are definitely more valuable than others. This step gives the first indication of those areas where focus should be placed. For networks that produce large amounts of information that cannot reasonably be analysed, initial screening may need to be done. Defining and valuing assets may allow the organization to decide initially which areas can be considered less important and which should be flagged as high priority.

The valuation of information (or data) assets cannot be done effectively before a statement of sensitivity (SoS) is prepared. A SoS defines the sensitivity of the information within the network, i.e. classified (Top Secret, Secret and Confidential) or designated (Protected C, B or A). It may also define the sensitivity requirements of supporting assets such as hardware, software, interfaces, communication devices, etc. A SoS may already be included in the organizational security policy or may need to be prepared. In the latter case, the Government Security Policy [GSP] and the RCMP Guide Threat and Risk Assessment for Information Technology [GTRAIT] provide valuable information that may be very helpful in preparing a SoS.

Different methods can be used to identify and value assets. For example, the value of an asset can be represented in terms of the potential loss. This loss can be based on the replacement value, the immediate impact of the loss, and the consequence to the organization. One of the simplest valuing techniques to indicate the loss of an asset is to use a qualitative ranking of high, medium and low. This ranking represents not only the replacement cost of the asset, but also the effects on the organization if the asset is disclosed, modified, destroyed or misused in any other way. Assigning values to these rankings (3=high, 2=medium, and 1=low) may assist in the security requirement definition process. Because the value of an asset should be based on more than just the replacement cost, valuing assets is one of the most subjective of the processes. However, if asset valuation is done with the goal of the process in mind, that is, to define assets in terms of a hierarchy of importance or criticality, the relative values of the assets become more important than placing the "correct" value on them. Table I lists some assets that should be included.

Table I Typical Network Assets
Area: Hardware
Assets: Servers, client stations, communications devices (router, bridge, hub, gateway, modem), peripheral devices, cables, fibres, etc.

Area: Software (or Services)
Assets: Network operating systems, client station operating systems, applications, tools (management, maintenance, backup ...), software under development, etc. The location of the software on the network and from where it is commonly accessed should be identified.

Area: Data
Assets:
  Organization data: Database, spreadsheet, word processing, e-mail, etc.
  Network data: Users' access privileges, users' passwords, audit trail, network configuration and settings.
  User data: Personal processed data, user-owned files, etc.

The importance of all the data processed and communicated through the network, as well as the types of users who access the data, should be identified. Indications of where the data is accessed, stored and processed on the network should be included, as well as the sensitivity of the data.

After the assets are determined and valued, the organization should have a reasonably correct view of the network configuration, what the network consists of and what areas of the network need to be protected.

1.2 Threat and Risk Assessment

The next step in the process of planning network security is to identify any potential threats that may target the identified assets, and then to estimate the risk of the threats causing harm to the network and the organization; this constitutes a TRA. There are many TRA methodologies that an organization may use, but in any case the outcome of the TRA process should always be recommendations of appropriate and cost-effective security mechanisms, products or procedures for the network, commonly called security solutions, safeguards or countermeasures. TRAs are conducted to determine the appropriate level of protection required for a network. Any TRA methodology adopted by an organization should include the following activities:

- Estimating threats to network assets, their likelihood of occurrence, and the potential harm that might be caused to the assets as well as the resulting impacts for the organization;
- Analysing network vulnerabilities and present safeguards;
- Measuring the risks using the exposure ratings, network vulnerabilities and present safeguards; and
- Selecting cost-effective security solutions that reduce the risk to an acceptable level.

One of the most important considerations in choosing a methodology or technique is that the results obtained from the TRA be useful in providing efficient and effective network security. If the methodology is too complicated to use, if it requires input data that is too detailed, or if it produces results that are too intricate to infer what the risk to the network actually is, the methodology will not be useful and will not lead to effective network security. On the other hand, if the methodology does not allow for reasonable granularity in its definition of variables such as asset, impact level and likelihood, the results produced may be too simple and may not reflect the true risk to the network. Those responsible within the organization should adopt the risk assessment approach that provides a technique that is understandable, easily used, and produces results that help the organization to effectively secure its networks.

Figure 1 TRA Process

In November 1994, the Royal Canadian Mounted Police (RCMP) published [GTRAIT], which describes a quantitative method for performing risk analysis. This document was issued as a guideline and not a standard. It describes how an estimate of risk can be obtained by estimating, for each asset of a network: (1) the threats, (2) their likelihood based on the frequency of occurrence, (3) the consequences (destruction, modification, disclosure or unavailability) of a threat occurrence and the resulting impacts (exceptionally grave, serious or less serious), and (4) vulnerabilities and present safeguards. [GTRAIT] is in accordance with [GSP] and may be used to proceed with a TRA of a network; however, organizations may choose other methodologies and techniques if they find them to be more appropriate and effective. The TRA methodology presented in this guide is illustrated in figure 1; it is based on [GTRAIT].

Automated risk analysis tools are available that are tailored specifically to the network environment, and using them can bring many benefits to the TRA process. However, there is a concern in using automated risk analysis tools. There are many techniques available to calculate risk. While most depend on a loss variable and a likelihood or probability variable, the manner in which these variables are represented and the calculations performed on them are not always made available to the user. This disadvantage is compounded because there is currently no standard method or agreed-upon approach for performing risk analysis. While there exists a proposed standard framework [KAT] for risk analysis that provides vendors with some guidance in developing these tools, there are no agreed-upon methods for representing the necessary variables to perform a risk analysis, and there are no agreed-upon methods for calculating risk using these variables. Because of this lack of consensus within the risk community, coupled with the proprietary nature of the tools, determining the effectiveness of any particular method may be difficult. On the other hand, if the methodology used by the tool is understood and deemed acceptable by the user, then the tool may prove to be quite adequate. The underlying question in determining whether a tool will be effective for a particular environment should be: "What is the automated risk analysis tool measuring, and are the results produced by it useful for providing appropriate network security?" Other methodologies and approaches are available. Some require a manual process; others are implemented in software.
Whatever TRA method is chosen by an organization, it must be effective in helping to implement effective network security and thus reduce the risk to the network.

1.2.1 Threat Assessment

Anything that has the potential to cause "bad" or "undesirable" happenings to network assets should be identified as a threat. A threat can be human or environmental, accidental or intentional, and natural or fabricated; it can cause harm to a network in various forms. Threats exist because of the very existence of the network and the environment in which it operates, and not because of any specific weakness. However, the presence of a threat does not mean that it will necessarily cause actual harm.

Identifying threats requires one to look at all the ways a threat could occur, including the origin, means, and direct impacts of the threat on the network if it is realized. The impact of the threat, which usually points to immediate, near-term problems, is potentially one of the following:

- Unauthorized access to the network: results from an unauthorized individual gaining access to the network, or gaining access to network resources in an unauthorized manner. Even though this situation does not by itself cause actual harm to a network, it may eventually result in one or several of the impacts listed below.
- Unauthorized disclosure of information: results from an individual accessing or reading information (resident on the network or as it moves through the network) and possibly revealing the information in an accidental or unauthorized intentional manner.
- Unauthorized modification to data and/or software: results from an individual modifying network data and/or software in an unauthorized or accidental manner. This can also be performed on data as it moves through the network.
- Disruption of network functions (unavailability of data or services): results from threats that temporarily or permanently block network resources from being fully available in a timely manner, or that alter the network equipment and/or data in an accidental or unauthorized deliberate manner, in such a way that network resources including services become permanently unavailable.
- Deceptive actions on the network: results from events occurring on the network for which the individual (or process) that actually triggered the event cannot be accounted for. In other words, a link cannot be made between the actual human identity and the action.

The more significant long-term consequences of a threat being realized are violations of privacy, civil lawsuits, loss of proprietary technology, fines, loss of human life, major embarrassment for the organization, loss of trust, etc.

Threats normally fall into one of the following broad categories: natural, accidental or deliberate. Natural threats exist because of the environment in which the network operates. They occur randomly and are completely independent of the network's purpose, function or value. A natural threat occurrence normally results in an interruption or disruption of network operation. Although accidental threats are not target-directed, they are significant threats to networks today since they can occur at any time, anywhere on a network. Accidental threats such as user or administrative errors can result in unauthorized access to a network as well as network disruption or loss of services and operations. Deliberate threats are premeditated and target-directed. They materialize through man-made active or passive attacks, which can result in unauthorized access to network resources, unauthorized disclosure or modification of sensitive data, denial of service, etc. Attributes of interest should be considered while identifying deliberate threats. These attributes include the motivation, opportunity, interest, resources and capabilities of the threat. They are a critical input for assessing the likelihood of occurrence of deliberate threats. Likelihood of threat occurrence is discussed in section 1.2.2.
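As an added illustration of steps a and b of the planning process (this is example code written for this edition of the text, not code from the CSE guide): the asset inventory uses the Table I areas and the high/medium/low ranking of section 1.1.2, the threat register takes a few origins from Table II and the deliberate-threat description above, and the output is the list of asset/threat/impact scenarios that the exposure-rating step then rates. The asset and threat entries are constructed sample data. Likelihood and exposure ratings are not computed, because that step depends on Table III, which lies outside this part of the guide; "unauthorized access" is expanded into the four harms the text says it can lead to, so that the scenario list rates consequences rather than access alone.

```python
"""Asset/threat/impact scenario enumeration for network security planning.

Added example; not code from the CSE guide. Sample data below is
constructed. Rankings: 3 = high, 2 = medium, 1 = low (section 1.1.2).
"""
from dataclasses import dataclass
from itertools import product
from typing import NamedTuple

RANK = {"high": 3, "medium": 2, "low": 1}

# Asset areas from Table I.
AREAS = ("Hardware", "Software", "Data")

# Immediate impacts of a realized threat (section 1.2.1). "access" causes
# no harm by itself but may lead to any of these four.
FOLLOW_ON = ("disclosure", "modification", "disruption", "deception")

# Loss consequence (section 1.1.2: disclosed, modified, destroyed, misused)
# that each immediate impact maps onto.
IMPACT_TO_LOSS = {
    "disclosure": "disclosed",
    "modification": "modified",
    "disruption": "destroyed",
    "deception": "misused",
}


@dataclass
class Asset:
    name: str
    area: str            # one of AREAS
    sensitivity: str     # taken from the statement of sensitivity (SoS)
    loss: dict           # consequence -> "high" / "medium" / "low"

    def value(self) -> int:
        """Overall asset value: the worst consequence drives the ranking."""
        return max(RANK[r] for r in self.loss.values())


@dataclass
class Threat:
    origin: str
    category: str        # natural, accidental or deliberate
    direct_threat: str
    impacts: tuple       # immediate impacts it can cause ("access" allowed)
    areas: tuple         # asset areas it can reach


class Scenario(NamedTuple):
    asset: str
    threat: str
    impact: str
    loss_rank: int       # the asset's rank for this specific consequence


def expand_impacts(impacts):
    """Replace 'access' by the four harms it can lead to (section 1.2.1)."""
    out = set()
    for imp in impacts:
        out.update(FOLLOW_ON if imp == "access" else (imp,))
    return frozenset(out)


def scenarios(assets, threats):
    """Enumerate the asset/threat/impact scenarios that step b rates.

    A threat applies only to assets in an area it can reach. Each scenario
    carries the asset's rank for that particular consequence, so a threat
    that can only disrupt an asset is not weighted by the asset's possibly
    higher disclosure rank. Sorted worst first: the hierarchy of importance
    that section 1.1.2 says matters more than the absolute "correct" value.
    """
    out = []
    for asset, threat in product(assets, threats):
        if asset.area not in threat.areas:
            continue
        for impact in expand_impacts(threat.impacts):
            rank = RANK[asset.loss.get(IMPACT_TO_LOSS[impact], "low")]
            out.append(Scenario(asset.name, threat.origin, impact, rank))
    out.sort(key=lambda s: (-s.loss_rank, s.asset, s.threat, s.impact))
    return out


def priorities(assets, threats):
    """Per-asset summary rows: (name, value, number of high-rank scenarios)."""
    scen = scenarios(assets, threats)
    rows = []
    for a in assets:
        high = sum(1 for s in scen if s.asset == a.name and s.loss_rank == 3)
        rows.append((a.name, a.value(), high))
    rows.sort(key=lambda r: (-r[1], -r[2], r[0]))
    return rows


# Constructed sample inventory (not from the guide).
ASSETS = [
    Asset("Customer database", "Data", "Protected B",
          {"disclosed": "high", "modified": "high",
           "destroyed": "medium", "misused": "medium"}),
    Asset("File server", "Hardware", "Unclassified",
          {"disclosed": "low", "modified": "medium",
           "destroyed": "high", "misused": "low"}),
]

# Constructed threat register; origins and direct threats follow Table II.
THREATS = [
    Threat("Earthquake, fire, flood", "natural",
           "power outage, damage to building", ("disruption",), AREAS),
    Threat("Astrophysical phenomena", "natural",
           "electromagnetic pulse", ("disruption",), ("Hardware",)),
    Threat("User error", "accidental",
           "file deletion, input errors, improper configuration",
           ("disruption", "modification", "access"), ("Software", "Data")),
    Threat("Deliberate attack", "deliberate",
           "active or passive attack", ("access",), AREAS),
]

if __name__ == "__main__":
    for s in scenarios(ASSETS, THREATS):
        print(s)
    print(priorities(ASSETS, THREATS))
```

With the sample data the two assets carry the same overall value (3), which is exactly the case where section 1.1.2 warns that absolute values mislead: the per-consequence scenario list still separates them, because the database's high ranks are reached by two threat origins across disclosure and modification, while the server's are reached only through disruption.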

Since both threats and technology are dynamic in nature, it may not always be possible or wise to depend on past experience to identify threats; the TRA practitioners should not treat the identification of network threats as a static, one-time-only activity. In fact, this activity should be conducted periodically to inform the decision maker of any changes in regard to the actual threats to the network. Table II provides a list of general threats and their immediate effects on networks. It is not an exhaustive list but can be used as a starting point for the identification of threats to network assets. This table contains threat events that have taken place in the past and thus could be of concern to the protection of a network. Large amounts of information on various threats and vulnerabilities exist. Section 5 References and Further Reading of this document as well as some risk management methodologies provide additional information on potential threats. User experience and network management experience are other sources of information that can be very helpful to identify threats.

Table II Threats to Networks

Natural Threats

Origin: Earthquake, fires, landslides, floods, severe snow and thunder storms
Direct threat to networks: power outage, extreme temperature due to damage to building, fires
Immediate impact on networks: Disruption of network functions, including loss or degradation of communications and destruction of equipment and/or data

Origin: Astrophysical phenomena
Direct threat to networks: electromagnetic pulse, electromagnetic perturbations
Immediate impact on networks: Disruption of network functions, including loss or degradation of communications (particularly for wireless links)

Origin: Biological phenomena
Direct threat to networks: disease, death of critical personnel
Immediate impact on networks: Disruption of network functions, including denial of service

Accidental Threats

Origin: User error
Direct threat to networks: file deletion, drive formatting, misuse of equipment, input errors
Immediate impact on networks: Disruption of network functions; Unauthorized modification to data

Origin: Administrator error
Direct threat to networks: improper configuration or setup, information deletion
Immediate impact on networks: Unauthorized access to network, mostly resulting in: unauthorized disclosure of information, unauthorized modification to data, disruption of network functions and/or deceptive actions on the network

Origin: Equipment failure
Direct threat to networks: technical problems with file servers, print servers, communication devices, client stations, support equipment (e.g. tape back-up, access control), coffee spill, or other
Immediate impact on networks: Disruption of network functions including the destruction of equipment and/or data; and Unauthorized modification of data

Origin: Industrial accident
Direct threat to networks: gas leak, chemical spill, explosion, fire, air pollution, public utility interruption
Immediate impact on networks: Disruption of network functions; Destruction of equipment and/or data

Deliberate Threats

Origin: foreign governments
Direct threat to networks: password cracking, wiretapping or eavesdropping, spoofing, Trojan Horse, jamming, virus, use of an old account/password, piggybacking, forgery, logic bombs, masquerading, cryptanalysis attack, ...
Immediate impact on networks: Unauthorized disclosure of information; and Unauthorized access to network, possibly resulting in: unauthorized disclosure of information, unauthorized modification to data, disruption of network functions, and/or deceptive actions on the network

Origin: hackers
Direct threat to networks: same as above
Immediate impact on networks: same as above

Origin: news media
Direct threat to networks: password cracking, eavesdropping and possibly others
Immediate impact on networks: Unauthorized disclosure of information; and Unauthorized access to network, certainly resulting also in unauthorized disclosure of information

Origin: thieves
Direct threat to networks: equipment stealing, including computers, Random Access Memory (RAM) chips, disk drives, printers, backup tapes, etc.
Immediate impact on networks: Disruption of network functions; and Unauthorized disclosure of information

Origin: organized crime
Direct threat to networks: password cracking or capturing, wiretapping or eavesdropping, spoofing, Trojan Horse, piggybacking, forgery, logic bombs, masquerading
Immediate impact on networks: Unauthorized access to network, possibly resulting in: unauthorized disclosure of information, unauthorized modification to data, disruption of network functions, and/or deceptive actions on the network

Origin: vandals
Direct threat to networks: password cracking, wiretapping or eavesdropping, spoofing, Trojan Horse, jamming, virus, logic bombs, masquerading, physical damage
Immediate impact on networks: Unauthorized modification to data; Disruption of network functions; and Unauthorized access to network, possibly resulting in: unauthorized modification to data, disruption of network functions, and/or deceptive actions on the network

Origin: malicious employees (users, maintainers, managers, contractors, ...)
Direct threat to networks: use of an old account or password, password cracking or capturing, Trojan Horse, spoofing, logic bombs, piggybacking, masquerading, physical damage
Immediate impact on networks: All the impacts listed in this table are possible

Origin: industry
Direct threat to networks: password cracking, wiretapping or eavesdropping
Immediate impact on networks: Unauthorized disclosure of information; and Unauthorized access to network, possibly resulting in: unauthorized disclosure of information, and/or unauthorized modification to data

Origin: terrorists
Direct threat to networks: password cracking, wiretapping or eavesdropping, spoofing, Trojan Horse, jamming, virus, logic bombs, bombs, physical damage
Immediate impact on networks: Disruption of network functions; and Unauthorized access to network, possibly resulting in: unauthorized modification to data, disruption of network functions, and/or deceptive actions on the network

The degree to which threats are considered will depend on the previously defined boundary and scope. A high level analysis may point to threats in general terms, and a more focused analysis may tie a threat to a specific component or usage of the network. For example, a high level analysis may indicate that the consequence due to loss of data confidentiality through disclosure of information on the network is too great a risk. A more narrowly focused analysis may indicate that the consequence due to disclosure of the organization's data captured and read through network transmission is too great a risk. More than likely, the generality of the threats produced in the high level analysis will, in the end, produce security solution recommendations that are also high level. This is acceptable if the definition of the network security requirements was scoped at a high level. The more narrowly focused assessment will help to specifically identify requirements for network security and thus to find security solutions that will precisely reduce a given risk, such as the disclosure of organization-owned data. The threats discussed in this section may be used as a starting point, with other sources included where appropriate. Threats should be identified for all the assets listed, and new threats should be addressed when they are encountered. For more focused assessments, particular attention should be paid to detailing the ways that these threats could occur, i.e. estimating the direct threats to networks listed in Table II. For example, methods of attack that result in unauthorized access may be a login session playback, password cracking, the attachment of unauthorized equipment to the network, etc. These specifics provide more information for determining network vulnerabilities and for proposing security solutions.


1.2.2 Estimation of the Potential Impacts

Once threats are identified for an asset, the TRA team should determine the potential immediate impact on the asset that would result from a threat occurrence, including the possible impact level on the network and/or the organization should the threats materialize. The occurrence of a threat can result in more than one impact on an asset and, as mentioned in section 1.2.1, the impacts normally consist of unauthorized disclosure of information, unauthorized modification to data, disruption of network functions or unavailability (which includes denial of service and destruction of equipment and/or data), or deceptive actions on the network. An impact level (or injury level) has to be estimated for each possible impact. This data is very important to rate the assets' exposure level to threats. A typical example to illustrate impacts and impact levels would be a virus (threat) corrupting a data file (asset); this threat occurrence could result in unauthorized modification of data (first impact), which could be a very grave impact for the organization (level of first impact: high), and disruption of network functions (second impact), which can be estimated as serious (level of second impact: medium).

1.2.3 Likelihood of Occurrence of Threats

After threats and impact levels have been identified, a likelihood measure needs to be associated with each asset/threat/impact scenario (i.e. for each individual asset, what is the likelihood that a particular threat occurrence results in the impact?). The risk assessment methodology chosen by the organization should provide the technique used to measure likelihood. Assigning likelihood measures can also be a subjective process. Some information on traditional threats (mostly natural threats) does exist and may aid in determining likelihood; for example, statistics on power outage, fire, flooding, etc. may be useful.
Experience regarding the technical aspects of the network and knowledge of operational aspects of the organization may be valuable to decide likelihood measures of accidental and deliberate threats. One may wish to examine likelihood in terms of a broad scale such as high, medium or low, or may wish to apply likelihood at a very fine granularity, e.g. a 1 to 10 scale. One of the simplest methods to measure the likelihood of a threat is to normalize the likelihood as a value that ranges from 1 to 3 (3 = high likelihood, 2 = medium likelihood, and 1 = low likelihood). This likelihood measure may coincide with past history (3: significant history, 2: some history, or 1: no history); it may also be based on threat attributes such as motivation, opportunity, etc., or on mixed threat attributes and past history. Threat attributes include the motivation (collecting information, challenge, ...), opportunity (physical or logical access), intent (malicious), resources (platform for gathering information) and capability (technical expertise) of deliberate threats, or error rates of accidental threats. The likelihood of threat occurrence and the resulting impact levels need to be assessed in order to obtain an estimate of the risk associated with each asset/threat pair.


1.2.4 Exposure Ratings

After resulting impact levels and likelihood of occurrences are estimated, an exposure rating of each network asset to threats can be measured. The exposure rating does not consider network vulnerabilities or present safeguards, thus it is not a risk level. Instead, it is a measure that permits an organization to determine to which threat scenarios their network is the most exposed. [GTRAIT] suggests calculating the exposure rating using a table similar to Table III, where impact level takes precedence over likelihood. It is recommended that the TRA data, i.e. lists of assets, threats, impacts, likelihood, exposure ratings and risk measures, be listed in a summary table to facilitate access to it. The exposure ratings will next be used with the analysis results of the network vulnerabilities and present safeguards to obtain measures of risks.

Table III Exposure Rating Based on Likelihood of Occurrence and Level of Impact

                                         Likelihood of a threat occurrence
Level of impact resulting                High      Medium      Low
from a threat occurrence
  High                                     9          7          4
  Medium                                   8          6          2
  Low                                      5          3          1


Figure 2 - High Exposure versus Low Exposure

1.2.5 Present Network Vulnerabilities and Safeguards

The adequate identification of present vulnerabilities and present safeguards is essential to correctly assess the level of risk associated with each scenario. Once exposure ratings are calculated, the decision makers should identify the network vulnerabilities through which the identified threats may harm the network. The present safeguards should also be identified to determine if the current level of protection is appropriate, considering the asset's level of exposure and network vulnerabilities. A network vulnerability can be defined as a characteristic of, or weakness in, a network or one of its components that tends to facilitate the occurrence of a threat. Every vulnerability associated with the network, technical or non-technical, should be identified and listed. Since the various assets of a network are vulnerable in different ways, depending on the types of threats, network vulnerabilities should be identified and analysed separately for each asset/threat/impact/exposure rating group. Completeness and level of detail included in the vulnerability assessment will affect the levels of uncertainty and confidence that can be placed in the risk assessment. Typical network vulnerabilities are listed in Table IV. In this table, which is not meant to be a complete list, the vulnerabilities are grouped in terms of their resulting effects on the network if the vulnerability is exploited, and for each of the listed vulnerabilities, simple scenarios briefly describe how the vulnerability can be exploited.

Table IV Network Vulnerabilities

Unauthorized Access to Network

Vulnerability: Lack of or insufficient identification and authentication (I&A) scheme.
Possible scenario: Unknown users get access to system files, user files, sensitive data, print queues, network configuration, etc.

Vulnerability: Poor password choices or management.
Possible scenario: Passwords are guessed or cracked.

Vulnerability: Passwords are shared between users or stored in a batch file on client stations.
Possible scenario: Passwords are compromised or obtained by unauthorized individuals.

Vulnerability: Login attempts are not restricted.
Possible scenario: An intruder finds a valid user password by successive login attempts, i.e. password guessing or cracking.

Vulnerability: The I&A scheme does not include real-time verification, e.g. no session-unique time-stamped data.
Possible scenario: Login session I&A information is recorded using a network analyser or "sniffer" and replayed later by an individual to log in to the network in an unauthorized way.

Vulnerability: Passwords and I&A information travel in the clear over the network.
Possible scenario: The information required to gain access to the network, including passwords, is captured using a network analyser or "sniffer".

Vulnerability: Lack of access control mechanism and/or physical security on the network client stations.
Possible scenario: A Trojan Horse is installed on a client station that transparently captures the user ID and password as the information is typed. The administrator's computer is possibly the target.

Vulnerability: Poor physical security on network devices.
Possible scenario: An unauthorized user modifies the network configuration by accessing a network server console.

Vulnerability: Lack of or improper use of access privileges, e.g. a user's privileges are improperly set by the administrator, default permission settings are too permissive, etc.
Possible scenario: A valid user, network administrator or auditor gets access to information or network resources for which he or she is not authorized, e.g. user profiles, because privilege settings are too permissive.

Unauthorized Disclosure of Information

Vulnerability: The data travels in unencrypted form throughout the network.
Possible scenario: Sensitive information is read using a network analyser or "sniffer".

Vulnerability: The client station monitors are viewable in high traffic areas.
Possible scenario: Sensitive data is read by unauthorized individuals from exposed monitors.

Vulnerability: Printers are placed in high traffic areas.
Possible scenario: Printed sensitive information is read by unauthorized individuals.

Vulnerability: Information is stored in unencrypted form on the network.
Possible scenario: Sensitive information is obtained by gaining physical access to file servers and/or client stations.

Vulnerability: Lack or improper settings of file access privileges.
Possible scenario: Unauthorized but valid users get access to sensitive information.

Vulnerability: Data and/or software backup copies are stored in open areas.
Possible scenario: Sensitive information stored on backup media is disclosed.

Vulnerability: Sensitive information is encrypted using a weak encryption algorithm.
Possible scenario: The sensitivity of the information being valued higher than the cost of breaking the encryption, an individual or organization successfully cracks the encryption scheme and obtains the sensitive information.

Unauthorized Modification to Data and/or Software

Vulnerability: No virus protection tools are implemented.
Possible scenario: A virus is introduced on the network via a contaminated file (imported by a user), resulting in file server and client station corruption. A virus on a client station can use the network to infect other stations.

Vulnerability: Lack or improper settings of file access privileges, e.g. write permission is granted to users who only require read access.
Possible scenario: A valid user accidentally modifies data, corrupting the corporate database and spreadsheet. An individual modifies network system files for his or her own benefit, e.g. gaining access to unauthorized information, getting the system administrator's password, etc.

Vulnerability: Hardware failure.
Possible scenario: A faulty file server hard disk causes file corruption.

Vulnerability: The integrity of the client station system files is not verified.
Possible scenario: A system file is modified or changed to load and execute a Trojan Horse that captures sensitive information.

Vulnerability: The network system files' integrity is not verified.
Possible scenario: An individual modifies network system files for his or her own benefit, e.g. gaining access to unauthorized information, getting the system administrator's password, etc.

Vulnerability: The client station start-up files' integrity is not verified.
Possible scenario: A client station's start-up file (e.g. config.sys) or network start-up file (startnet.bat) is modified to disable a security mechanism or setting that was initially called during the boot or network connection sequence.

Vulnerability: Lack of authentication code or digital signature on messages travelling over the network.
Possible scenario: An individual captures a message as it travels over the network, modifies its content and resends it.

Vulnerability: Lack of real-time verification, e.g. time stamp, of the data travelling over the network.
Possible scenario: An individual captures a message as it travels over the network, modifies its content and resends it later.

Disruption of Network Functions (Unavailability)

Vulnerability: Lack of uninterruptible power supply (UPS).
Possible scenario: Because of a power failure, the network entirely or partially shuts down.

Vulnerability: Inability to handle hardware failure.
Possible scenario: Problems occur with a file server hard disk controller, making the information that resides on the server unavailable. Communications equipment failure (router, bridge, gateway or hub) prevents user access to certain portions of a network.

Vulnerability: Improper physical security of the network hardware.
Possible scenario: An unhappy employee vandalizes critical network components, e.g. file servers, print servers, printers, etc. Critical network components are stolen. A drink, e.g. coffee or juice, is accidentally spilled on a file server.

Vulnerability: Improper preventive maintenance of network hardware.
Possible scenario: Unexpected hardware failures occur.

Vulnerability: Inability to detect unusual traffic patterns.
Possible scenario: An individual swamps the network with a huge volume of traffic, causing denial of service to valid users. An individual fills up a server's disk space in a relatively short time, resulting in a system crash.

Vulnerability: Configuration of a network that allows for a single point of failure.
Possible scenario: The failure of only one component in a network (e.g. server, router, cable, etc.) completely shuts down the network.

Vulnerability: Improper physical protection of the network wire or fibre.
Possible scenario: An unhappy employee damages communications links. A communication connection is accidentally broken.

Vulnerability: Improper network configuration and/or management.
Possible scenario: The system administrator accidentally deletes a user that has unique access privileges on some network resources; thus, a portion of the network resources becomes inaccessible. Unauthorized changes are made to hardware components, e.g. reconfiguring addresses on client stations, modifying router or hub configurations, etc., which causes disruption of network functions.

Deceptive Actions on the Network

Vulnerability: Lack or improper authentication mechanism.
Possible scenario: A valid user acts on the network using another user's identity, e.g. a user modifies user profiles acting as a network administrator.

Vulnerability: Lack of auditing mechanism.
Possible scenario: Files containing sensitive information are copied and/or deleted; the originator of this action cannot be identified. An unknown individual or process swamps the network with a huge volume of traffic, causing denial of service to valid users, without being identified.

Vulnerability: Lack of digital signature on messages travelling over the network.
Possible scenario: An individual receives a message by masquerading as the legitimate recipient. An individual sends a message to a destination by masquerading as a different sender or machine. A message could consist of an e-mail, purchase order, payment transfer, leave authorization, etc.

Existing network security safeguards should also be analysed to determine if they are currently providing adequate protection against specific threats. These controls may be technical, procedural, etc. If a control is not providing adequate protection, it can be considered as a vulnerability. For example, a network operating system may provide access control to the directory level, rather than the file level. For some users, the threat of compromise of information may be too great not to have file level protection. In this example, the lack of granularity in the access control could be considered a vulnerability. Present safeguards should be identified for each asset/threat/impact scenario. A service, mechanism or procedure can be a safeguard if it consists of measures which will prevent or reduce the likelihood of threats exploiting network vulnerabilities. Safeguards normally provide functionality in at least one of the following areas:

- Confidentiality: Protection against threats having the potential to cause unauthorized disclosure of information, e.g. encryption, logical and physical access control, etc.
- Integrity: Protection against threats having the potential to cause unauthorized modification to system configuration or data, e.g. checksums, tamper evident seal, digital signature, etc.
- Availability: Protection against threats having the potential to cause disruption of network functions including denial of service, theft of equipment and/or data, destruction of equipment and/or data and equipment failure, e.g. backup, hot standby equipment, preventive maintenance, quotas on use of network resources, etc.
- Accountability: Protection against threats having the potential to cause deceptive actions on the network by authenticating users and monitoring their actions, e.g. auditing, digital signature, authentication, etc.

- Physical Security/Access control: Physical protection of the network and its resources from unauthorized access.

Since chapter 3 specifically discusses safeguard technology and implementation of network security, the reader should consult chapter 3 for information on this subject. Once appropriate network vulnerabilities and safeguards are identified, the effectiveness of the present safeguards needs to be assessed in order to get an estimate of the risk level associated with each asset/threat/impact/exposure/vulnerabilities/present safeguards scenario. The importance of measuring the safeguards' effectiveness will be discussed in the next section "Measuring the Risk".

1.2.6 Measuring the Risk

The risk can be defined as a measure indicating the likelihood and consequences of threat events or acts that could cause a compromise of network assets, considering the vulnerabilities of the network and the effectiveness of present safeguards. The outcome of this process should indicate to the organization the degree of risk associated with the defined assets. This outcome is important because it is the basis for making safeguard selection, if required, and risk mitigation decisions. To determine each risk level, the exposure ratings, vulnerability levels and effectiveness measures of present safeguards are combined. The exposure ratings (ranging from 9 - extremely high to 1 - extremely low) were defined in section 1.2.4; they represent a measure of the likelihood of a threat occurring combined with a degree of potential damage for the network and/or the organization should the threat materialize. The vulnerability levels are a representation of the network weakness by which the threats can materialize. The vulnerability levels can be rated at high (level 3), medium (level 2) or low (level 1); each level corresponds to a different scale of weakness. For example, if users of a network are allowed to connect modems to their computer (client station) to access bulletin boards and to remotely connect to the network through their computer, the vulnerability of the network for unauthorized access would certainly be high. On the other hand, if the network's external connections are all controlled through a dedicated gateway, the vulnerability of the network for unauthorized access may be reduced to medium or even low. The effectiveness of the identified present safeguards should next be determined. The safeguard effectiveness is a measure of the effect that a safeguard has on the probability of a threat exploiting network vulnerabilities and on the resulting impacts should the threat materialize. Many factors should be looked at to determine the effectiveness of the safeguards; these factors include the vulnerabilities addressed, correctness, strength, dependency on other safeguards, user acceptability, human intervention, etc. The effectiveness of the safeguards can be rated at high (level 3) if the probability of network vulnerabilities being exploited is highly reduced, medium (level 2) if the probability is moderately reduced or low (level 1) if the probability is slightly reduced. For example, the effectiveness of an approved encryption product used on a network for the protection against unauthorized disclosure of information would probably be high.
In comparison, logical access control at the file directory level may be a security solution providing low effectiveness against attacks which would result in unauthorized disclosure of information. Security solutions are presented in Chapter 3 with examples of threats that they can counter, and indications of their effectiveness to protect a network against the threats. At this point, the decision maker should have all the information required to determine the risk associated with each of the threat scenarios. There are many ways to measure and represent risk. Depending on the particular methodology or approach, the measure could be defined in qualitative terms, quantitative terms, a combination of these, or others. The risk measurement process should be consistent with (and more than likely defined by) the risk assessment methodology being used by the organization. An easy approach is to qualitatively determine the risk as high, medium or low, taking into consideration the exposure rating, the network vulnerability and the present safeguards' effectiveness levels. The levels of risk are in this case normalized (i.e. low, medium and high) and can be used to compare risks associated with each threat. The disadvantage of having few levels of risk is that the criticality of the components used to determine the risk measure must be factored in to determine priorities. For example, a risk measure that was derived from high exposure, high vulnerability and high present safeguard effectiveness may result in the same risk measure as one that resulted from a low exposure, low vulnerability and low safeguard effectiveness. In these cases, the decision maker needs to decide which risk measure to consider more critical, even though the risk measures may be equal. In this case, it may be decided that the risk measure derived from the high exposure is more critical than the risk measure derived from the low exposure. A more granular method would be to rate the risk on a 5-point scale. A 5-point scale risk measure can be established using Table V, where vulnerability takes precedence over safeguard effectiveness, thus offering a more conservative measure of risk. Even though a more granular rating approach may help to categorise the risks and set priorities, it is not recommended that more than five levels of risk be used, since too many levels make the decision process between the levels very difficult and often without justification.

Figure 4 - Examples of security solutions in a specific environment

Table V Risk Measures Based on Exposure Ratings, Vulnerability Levels and Present Safeguard Effectiveness
Vulnerability    Safeguard                    Exposure Rating
Level            Effectiveness      9   8   7   6   5   4   3   2   1
HIGH (3)         None (0)           5   5   5   5   5   5   4   4   3
                 Low (1)            5   5   5   5   5   4   4   3   3
                 Med (2)            5   5   5   4   4   3   3   2   2
                 High (3)           3   3   3   2   2   2   1   1   1
MEDIUM (2)       None (0)           5   5   5   5   5   5   4   3   2
                 Low (1)            5   5   5   4   4   4   3   2   2
                 Med (2)            5   5   4   3   3   2   2   1   1
                 High (3)           2   2   2   2   1   1   1   1   1
LOW (1)          None (0)           5   5   5   4   4   4   3   2   1
                 Low (1)            5   5   4   3   3   3   2   1   1
                 Med (2)            5   4   3   2   2   1   1   1   1
                 High (3)           2   2   1   1   1   1   1   1   1

5 = High Risk, 4 = Moderately High Risk, 3 = Medium Risk, 2 = Low Risk, 1 = Very Low Risk
Vulnerability Level: 3 - High, 2 - Medium and 1 - Low.
Safeguard Effectiveness: 3 - High, 2 - Medium, 1 - Low and 0 - No safeguard.

Whatever methodology is used to rate the risk, the most important aspect of the measure is that the representation be understandable and meaningful to those who need to select security solutions and make risk mitigation decisions.


With a list of potential threats, exposure ratings and related risks for each asset of the network, an assessment of the current security situation for the network can be determined. Assets that have adequate protection will not surface as contributing to the risk of the network, whereas those assets that have weaker protection do surface as needing attention.

1.2.7 Risk Mitigation

The purpose of this process is to reduce the identified risks to acceptable levels. This can be done by selecting appropriate security solutions that are applied against specific risks. This process should include an activity that compares the current risk measure (i.e. the new risk value obtained after a security solution has been taken into consideration) with acceptance criteria and results in a determination of whether the current risk level is acceptable. While effective security and cost considerations are important factors, there may be other factors to consider such as: organizational policy, legislation and regulation, safety and reliability requirements, performance requirements, and technical requirements. For example, the possibility of using encryption to reduce the risk of unauthorized disclosure of information could be examined and then rejected because this mechanism does not comply with the organization's policy and/or it reduces the network performance to an unacceptable level. The final decision to apply safeguards must be made by senior management and the management responsible for the operation of the network, in conjunction with the realities of operational requirements, budget and resources. The relationship between risk acceptance and the selection of security solutions can be iterative. Initially, the organization needs to order the different risk levels that were determined during the risk assessment.
Along with this, the organization needs to decide the amount of residual risk that it will be willing to accept after the selected security solutions are implemented. When the properties of the candidate security solutions are known, the organization can determine if the acceptable risk is reached; if it is not, a decision can be made to accept a higher risk to reflect the known properties of the safeguards, or another solution might be looked for. For example, there may be risks that are determined to be too high. However, after reviewing the available safeguards, it may be realized that the currently offered solutions are very costly and cannot be easily implemented into the current configuration and network software. This may force the organization into either expending the resources to reduce the risk, or deciding through risk acceptance that the risk will have to be accepted because it is currently too costly to mitigate.
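The rating steps of sections 1.2.4, 1.2.6 and 1.2.7 (exposure rating from Table III, risk measure from Table V, then checking each scenario against an acceptance level and finding the safeguard effectiveness needed) can be carried out mechanically over a TRA summary table. The following is an added worked example, not code from this guide or from CSE: the table values are copied from Tables III and V, while the asset/threat scenarios, their levels and the acceptable-risk threshold are constructed sample data.

```python
"""Worked example of the exposure rating, risk measure and risk mitigation
steps (added illustration; table values from Table III and Table V, the
scenarios below are constructed sample data)."""
from dataclasses import dataclass

LEVEL = {"low": 1, "medium": 2, "high": 3}           # likelihood, impact, vulnerability
SAFEGUARD = {"none": 0, "low": 1, "medium": 2, "high": 3}

# Table III: exposure rating indexed by [impact level][likelihood level].
EXPOSURE = {
    3: {3: 9, 2: 7, 1: 4},   # high impact
    2: {3: 8, 2: 6, 1: 2},   # medium impact
    1: {3: 5, 2: 3, 1: 1},   # low impact
}

# Table V: risk measure for (vulnerability level, safeguard effectiveness),
# listed over exposure ratings 9, 8, ..., 1 (list index 0 is exposure 9).
RISK_ROWS = {
    (3, 0): [5, 5, 5, 5, 5, 5, 4, 4, 3], (3, 1): [5, 5, 5, 5, 5, 4, 4, 3, 3],
    (3, 2): [5, 5, 5, 4, 4, 3, 3, 2, 2], (3, 3): [3, 3, 3, 2, 2, 2, 1, 1, 1],
    (2, 0): [5, 5, 5, 5, 5, 5, 4, 3, 2], (2, 1): [5, 5, 5, 4, 4, 4, 3, 2, 2],
    (2, 2): [5, 5, 4, 3, 3, 2, 2, 1, 1], (2, 3): [2, 2, 2, 2, 1, 1, 1, 1, 1],
    (1, 0): [5, 5, 5, 4, 4, 4, 3, 2, 1], (1, 1): [5, 5, 4, 3, 3, 3, 2, 1, 1],
    (1, 2): [5, 4, 3, 2, 2, 1, 1, 1, 1], (1, 3): [2, 2, 1, 1, 1, 1, 1, 1, 1],
}
RISK_NAME = {5: "High", 4: "Moderately High", 3: "Medium", 2: "Low", 1: "Very Low"}


def exposure_rating(impact_level: int, likelihood: int) -> int:
    """Table III lookup; both arguments range from 1 (low) to 3 (high)."""
    return EXPOSURE[impact_level][likelihood]


def risk_measure(exposure: int, vulnerability: int, safeguard: int) -> int:
    """Table V lookup: 5 (high risk) down to 1 (very low risk)."""
    return RISK_ROWS[(vulnerability, safeguard)][9 - exposure]


def required_safeguard(exposure: int, vulnerability: int, acceptable: int):
    """Smallest safeguard effectiveness (0-3) that brings the risk for this
    exposure/vulnerability pair down to `acceptable`. Returns None when even a
    high-effectiveness safeguard is not enough, i.e. the vulnerability itself
    must be reduced (vulnerability takes precedence in Table V)."""
    for eff in range(4):
        if risk_measure(exposure, vulnerability, eff) <= acceptable:
            return eff
    return None


@dataclass
class Scenario:
    """One asset/threat/impact line of the TRA summary table (constructed)."""
    asset: str
    threat: str
    impact: str
    impact_level: str
    likelihood: str
    vulnerability: str
    safeguard: str = "none"

    def exposure(self) -> int:
        return exposure_rating(LEVEL[self.impact_level], LEVEL[self.likelihood])

    def risk(self) -> int:
        return risk_measure(self.exposure(), LEVEL[self.vulnerability],
                            SAFEGUARD[self.safeguard])


# Constructed sample scenarios; the first two follow the virus / data file
# illustration of section 1.2.2 (one threat, two impacts at different levels).
SCENARIOS = [
    Scenario("corporate data file", "virus", "unauthorized modification",
             "high", "medium", "high"),          # no virus protection tools
    Scenario("corporate data file", "virus", "disruption of network functions",
             "medium", "medium", "high"),
    Scenario("login credentials", "sniffer on the LAN", "unauthorized disclosure",
             "high", "high", "high"),            # passwords travel in the clear
    Scenario("file server", "power failure", "disruption of network functions",
             "medium", "low", "low", "high"),    # UPS in place
]


def summary_table(scenarios):
    """Rows of the summary table recommended in section 1.2.4, ordered from
    highest to lowest risk (then exposure) so that priorities are visible."""
    rows = [(s.asset, s.threat, s.impact, s.exposure(), s.risk(), RISK_NAME[s.risk()])
            for s in scenarios]
    return sorted(rows, key=lambda r: (-r[4], -r[3]))


def mitigation_plan(scenarios, acceptable: int = 2):
    """For each scenario above the acceptable level, the safeguard effectiveness
    needed with the vulnerability level unchanged (None: reduce the vulnerability)."""
    return {(s.asset, s.threat, s.impact):
            required_safeguard(s.exposure(), LEVEL[s.vulnerability], acceptable)
            for s in scenarios if s.risk() > acceptable}


if __name__ == "__main__":
    for row in summary_table(SCENARIOS):
        print(row)
    print(mitigation_plan(SCENARIOS))
```

In the sample data the well-protected file server (low vulnerability, high-effectiveness safeguard) rates Very Low and does not surface, while the two high-vulnerability, exposure 7 and 9 scenarios cannot be brought to Low by safeguard effectiveness alone and require the vulnerability to be reduced.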

In most cases the need for a specific service should be readily apparent. If the risk acceptance results indicate that a threat scenario is acceptable (i.e., existing mechanisms are adequate), then there is no need to apply additional mechanisms to the service that already exists.

Figure 5 - The use of security solutions reduces the risk

When a risk is not acceptable, the mechanisms that could potentially reduce or eliminate the vulnerability, or improve the safeguard effectiveness and thus reduce the risk of the threat, could be numerous. For example, the vulnerability of using weak passwords could be reduced by using a one-time password generator mechanism, by using a token-based mechanism, etc. Choosing the candidate mechanisms is a subjective process that will vary from one network implementation to another.

After all security solutions are implemented, the residual risks should be reassessed. The risk associated with each network asset should now be reduced to an acceptable level or eliminated. If this is not the case, then the decisions made in the previous steps should be reconsidered to determine what the proper protection should be. Network security mechanisms and the implementation of safeguards in a network are discussed in Section 3. There are also many other sources that can be consulted to obtain information on network security solutions and techniques; see section 5, References and Further Reading, for more detail.

1.3 Network Security Policy

Once the risks to the network and the specific security requirements are identified and understood, a network security policy must be defined. A network security policy is a concise statement of top management's position on information values, protection requirements and responsibilities, and organizational commitment. The network security policy is also used to describe the system to be protected and its physical and logical perimeters. The purpose of this section is to highlight the issues that should be considered in developing a network security policy.
The network security policy should be issued by the appropriate level of organizational management, i.e., the person in the organization to whom the employees covered by this policy ultimately report, to extend the organizational security policy to the network. The policy should be created by a team of individuals that may include top management, security officers, and network management. As a minimum, the adopted network security policy should include the following:

- applicability and objective: The objectives and goals of the network, what constitutes the network environment, and what parts, if any, are exempted.
- assets and information value: Management's position on the value of network assets and of the information treated on the network, as defined during the preparation process (see section 2.1).
- requirements for security procedures and mechanisms: Procedures and mechanisms that shall be implemented on the network to reduce the identified risks to an acceptable level (e.g. training, mandatory/discretionary access control (password, personal identification token), backup, audit, encryption, virus scan, digital signature [1], etc.).
- responsibilities: Technical and managerial responsibilities of the individuals involved in the protection of the network and/or in the protection of the information that is stored on and/or travels over the network; these individuals may consist of the network manager(s), network administrator(s), network auditor(s), maintenance staff and users.
- commitment: The organization's commitment to protecting information and the network.

The network security policy should be written such that modifications are rarely required. The need for changes may indicate that it is too specific. For example, requiring that a specific virus detection package be used, and including the name of the package in the policy, may be too specific considering the rapid pace at which virus software packages are developed. It may be more reasonable to merely state that virus detection software should exist on network client stations, servers, etc. and let the network security officer or administrator specify the product.

The network security policy should clearly define and establish responsibility for the protection of information that is processed, stored and transmitted on the network, and for the network itself. Primary responsibility may be with the data owner, i.e., the manager of the organizational component that creates the data, processes it, etc. Secondary responsibility may then be with the users and end users, i.e. those persons within the organization given access to the information by those with primary responsibility. The network security policy should clearly define the role of the individuals involved in the operation of the network.

The example network security policy presented in Appendix C defines responsibilities for functional managers (who may have primary responsibility), users (who may have secondary responsibility), network managers (who are responsible for implementing and maintaining network security and availability), and local administrators (who are responsible for maintaining security in their part of the network environment). Local administrators are usually responsible for groups of users and for specific network components such as servers and client stations.

Network security procedures and mechanisms are discussed in Section 2.

2 SATISFYING THE REQUIREMENTS FOR NETWORK SECURITY


The requirements for network protection and for protection of the information that is stored on and/or travels through the network may be satisfied with the implementation of security services, mechanisms or procedures known as security solutions or safeguards. The security solutions are the collection of mechanisms, procedures and other controls that are implemented on a network to help reduce the risks. For example, the I&A service helps reduce the risk of the unauthorized network access threat. It is important to note that security solutions should not be implemented until a comprehensive network security policy is defined and documented. In fact, the security solutions for a network must be selected to address the issues specified in the network security policy. The following services will be discussed in this section:
a) data and information confidentiality
b) system and data integrity
c) availability
d) accountability
e) physical security

Network interconnection, e.g. connecting to the Internet, is not specifically discussed in this document. However, it is important to mention that connecting a network to another one introduces new threats and vulnerabilities that usually cannot all be countered by security solutions. Organizations that decide to connect their network to another one should perform a TRA before establishing the connection. The connection should be made only once the new risks are known and accepted. Measuring the new risks is not necessarily easy. Often, data communication specialists must be involved to determine the vulnerabilities of the particular communication protocols, connection interfaces, etc. Firewalls are often an effective solution to decrease the risks of interconnecting networks, especially with the Internet, to an acceptable level. Firewalls implement a network access policy by forcing Internet connections to pass through them, where the connections can be examined and evaluated. They can operate as packet filtering routers, as application gateways, or as both simultaneously, which is more effective. Organizations should remember that even though firewalls can greatly reduce the risk of unauthorized access to a network, they do not provide 100% assurance that they will not be circumvented. The only 100% assurance solution for network interconnection is to have no connection. See Section (Suggested Readings) for more information on network interconnection, firewalls and the Internet.


2.1 Confidentiality

Confidentiality services should be used when the privacy of information is necessary. As a front line protection, these services may incorporate mechanisms associated with the access control service, but can also rely on encryption to provide further confidentiality protection. They also deal with TEMPEST technology, which prevents unauthorized individuals or systems from intercepting and compromising electromagnetic emanations coming from the network components. TEMPEST equipment is normally used to secure top secret information and extremely sensitive designated information, based on a TRA. Confidentiality services also include object reuse and covert channel protection services, which are briefly presented in section 2.1.4.

2.1.1 Confidentiality via access control

It is possible to protect information or data from unauthorized disclosure by mediating access to it. Most of today's networks offer this service, which is generally implemented with access control lists (ACLs). The ACLs are used to maintain a list of individuals or groups of individuals (or processes) that are authorized to access specific files or file directories. The use of access controls for confidentiality purposes relies on, and cannot be effective without, proper I&A of the users. I&A is discussed in section 2.4.1. Confidentiality services provide mandatory mediation if the network ACLs are fixed by the administrator and cannot be changed over time by general users, or discretionary mediation if the ACLs can be changed over time at the discretion of authorized general users. In any case, ACLs do not provide protection against unauthorized traffic disclosure, i.e. the information or data can still be captured and read as it travels on the network.

In addition, the implementation of ACLs to provide confidentiality requires accurate and careful management of the ACLs and also physical access protection of the media on which the sensitive information or data is stored; for example, since network data resides on file servers, these should be kept in a secure location, e.g. a locked room or safe.

2.1.2 Communication devices to increase traffic confidentiality

Ethernet networking technology dominates the market. From a traffic confidentiality viewpoint, this technology represents a vulnerability since the data travelling on an Ethernet network is broadcast to all nodes of the network, i.e. all the client stations, servers and other network resources. Thus, the data travelling on the network can be monitored by any individual who has physical access to a network communication cable or wire. Limited confidentiality can be provided by the use of special communication devices such as hubs or routers. These devices can provide data confidentiality as they control how and where the data travels on the network. Hubs can be used in subnetworks, e.g. Local Area Networks (LANs), to prevent the data from being broadcast to all nodes. A secure hub centralizes all the subnetwork (or LAN) connections to form a star topology. Since every node has a unique connection to a central hub, each client station and server is isolated from all others. Traffic from one node to another must pass through the secure hub. Thus, all communications between any two points are confined to a single path instead of being broadcast through the whole subnetwork. An individual monitoring the traffic on any client station cable or wire would capture only the data or information travelling between that client node and the secure hub. Secure routers are mostly utilized to restrict certain data, based on its origin or destination address or application, from passing beyond certain subnetworks. For example, the data coming from file server A in subnetwork 1 is filtered by a secure router to prevent it from being transmitted into subnetwork 2.

2.1.3 Encryption

To a large degree, network confidentiality services can be provided through the use of encryption. Encrypting information converts data to an unintelligible form; to convert the information back to its original form, decryption must be performed. Sensitive information can be stored in the encrypted (cipher text) form. In this way, if the access control service is circumvented, the file may be accessed but the information is still protected for confidentiality by being in encrypted form. The use of encryption may be critical on client stations that do not provide an access control service as a front line protection. As discussed in the previous section, it is possible to control unauthorized access to network traffic as it moves through the network, using secure routers or hubs. These mechanisms do not provide complete traffic confidentiality services since information and data circulating on the network can still be monitored and captured. For most organizations, this is a realized and accepted problem.

For others that cannot accept this vulnerability, encryption can be utilized to reduce the risk of someone capturing and reading data in transit by making the information unreadable to those who may capture it; only the authorized user who has the correct key can decrypt the message once it is received. In any case, the decision to use encryption should depend on a TRA. Care should be taken when selecting particular encryption products, in view of the varying degree of protection they offer. Organizations should consult CSE when selecting such products.

Cryptography can be categorized as either symmetric (secret) key or asymmetric (public) key. Symmetric or secret key cryptography is based on the use of a single cryptographic key shared between two parties. The same key is used to encrypt and decrypt data. This key is kept secret by the two parties. For encryption of designated information (Protected A, B or C), the use of the Data Encryption Standard (DES) is approved for the Government of Canada (GoC). The DES is a symmetric key algorithm which requires the same key to be used for encryption and decryption. The U.S. Federal Information Processing Standards Publication (FIPS) 46-2 provides for the implementation of the DES algorithm in hardware, software, firmware or some combination.

Asymmetric or public key cryptography is a form of cryptography which makes use of two keys: a public key and a private key. The two keys are related but have the property that, given the public key, it is deemed computationally infeasible to derive the private key. In a public key cryptosystem, each party has its own public/private key pair. The public key can be known by anyone; the private key is kept secret. An example for providing confidentiality is as follows: two users, Scott and Jeff, wish to exchange sensitive information and maintain the confidentiality of that information. Scott can encrypt the information with Jeff's public key. The confidentiality of the information is maintained since only Jeff can decrypt the information, using his private key. There is currently no public-key encryption algorithm specifically approved for confidentiality in Canada. However, the use of asymmetric encryption for confidentiality purposes, such as Rivest Shamir Adleman (RSA) and the Digital Signature Algorithm (DSA), is approved by CSE on a case-by-case basis. Since asymmetric encryption technology is less performant than symmetric, i.e. symmetric encryption generally offers higher throughput [2], symmetric encryption is normally utilized to encrypt the actual data or information that requires confidentiality, whereas asymmetric encryption technology is used for the secure distribution of the symmetric keys whose confidentiality must be preserved. Asymmetric encryption technology is also used in conjunction with a hash function to produce digital signatures that provide integrity and non-repudiation services. This will be discussed in Sections 2.2 and 2.4.3.

2.1.3.1 Encryption key management

Any encryption system relies on proper key management to be effective. Proper key management includes the generation of cryptographic keys that have specific properties (e.g. lengths, randomness, etc.), distribution of the keys to appropriate users or systems, protection of the keys against disclosure, modification and/or substitution, and key destruction, which can also include archiving.

When the decision to use encryption technologies in a network is made, it is crucial that proper key management be put in place to support the encryption; an encryption system has no benefit when keys are compromised. CSE is presently developing and designing designated and classified electronic key management systems (EKMS) to support the protection of information in Canadian government communication and information processing systems, and in electronic commerce applications. These key management systems will provide various services to their GoC clients, including confidentiality, digital signature and key certificate management services, directory services, privilege management services, non-repudiation services, personal token management services and more. The EKMS for designated and classified information should start their operations in 1997 and 1999 respectively.
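The Scott and Jeff exchange above, carried through in Go as an added example (not code from the guide or from CSE): a one-time symmetric key (AES-256-GCM, an assumption) encrypts the bulk data, Jeff's RSA public key (2048-bit, an assumption) wraps that key for distribution, and only Jeff's private key unwraps it. Names, sizes and the sample message are assumptions.

```go
// Added example (not from the CSE guide): Scott sends Jeff a confidential
// message with the hybrid scheme described in section 2.1.3. A one-time
// symmetric key (AES-256-GCM, an assumption) encrypts the bulk data and Jeff's
// RSA public key (2048-bit, an assumption) wraps that key for distribution.
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Envelope is what travels across the network. Without Jeff's private key
// none of its fields reveals the plaintext.
type Envelope struct {
	WrappedKey []byte // symmetric data key encrypted under the recipient's public key
	Nonce      []byte // GCM nonce, unique per message
	Ciphertext []byte // data encrypted under the symmetric key (includes GCM tag)
}

// GenerateRecipientKey creates a public/private key pair such as Jeff's.
func GenerateRecipientKey() (*rsa.PrivateKey, error) {
	return rsa.GenerateKey(rand.Reader, 2048)
}

// Seal encrypts plaintext so that only the holder of the private key matching
// recipientPub can read it.
func Seal(recipientPub *rsa.PublicKey, plaintext []byte) (*Envelope, error) {
	// 1. A fresh symmetric data key for this message only.
	dataKey := make([]byte, 32)
	if _, err := rand.Read(dataKey); err != nil {
		return nil, err
	}
	// 2. Symmetric encryption of the actual data (the high-throughput part).
	block, err := aes.NewCipher(dataKey)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	ciphertext := gcm.Seal(nil, nonce, plaintext, nil)
	// 3. Asymmetric encryption of the small symmetric key only (the slow part).
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, recipientPub, dataKey, nil)
	if err != nil {
		return nil, err
	}
	return &Envelope{WrappedKey: wrapped, Nonce: nonce, Ciphertext: ciphertext}, nil
}

// Open unwraps the data key with the recipient's private key and decrypts.
// A wrong private key or any tampering with the envelope yields an error.
func Open(recipientPriv *rsa.PrivateKey, env *Envelope) ([]byte, error) {
	dataKey, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, recipientPriv, env.WrappedKey, nil)
	if err != nil {
		return nil, errors.New("cannot unwrap the data key: wrong private key or corrupted envelope")
	}
	block, err := aes.NewCipher(dataKey)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	plaintext, err := gcm.Open(nil, env.Nonce, env.Ciphertext, nil)
	if err != nil {
		return nil, errors.New("envelope modified in transit: authentication failed")
	}
	return plaintext, nil
}

func main() {
	jeff, err := GenerateRecipientKey() // Jeff publishes jeff.PublicKey and keeps jeff secret
	if err != nil {
		panic(err)
	}
	env, err := Seal(&jeff.PublicKey, []byte("constructed sample: budget figures for Q3"))
	if err != nil {
		panic(err)
	}
	recovered, err := Open(jeff, env)
	fmt.Printf("recovered=%q err=%v\n", recovered, err)
}
```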

[2] For hardware implementations, the encryption speed (throughput) of DES is approximately 100 Mbits/sec, compared to 50-100 kbits/sec for RSA (512-bit modulus).

2.1.3.2 Location of encryption services in layered communications

The fact that network communication normally operates in layered architectures (e.g. Transmission Control Protocol/Internet Protocol (TCP/IP), Open Systems Interconnection (OSI)) makes it possible to place the encryption services at various locations in the communication stack. The choice of the location should be driven by the security requirements, i.e. the threats to be countered. Each location offers advantages and disadvantages; in fact, there is no "best" location.

When an encryption service is located at the upper layers, e.g. the application layer, the communication protocol headers are not protected, which leaves the origin and destination addresses in the clear. However, this preserves the capability of transmitting data through multiple relay systems to reach the destination. This normally software-implemented approach is particularly suitable for electronic mail applications to protect the content of messages against unauthorized disclosure; it is also effective for encryption of other application-specific data residing on site or travelling across the network. Since encryption/decryption occurs at each end of a communication path, this type of implementation is called end-to-end encryption.

Implementing encryption in the middle of the communication stack (i.e. the network layer) can be done in hardware or software. It makes encryption operate independently of and transparently to the applications. Since the encapsulated data coming from the upper layers is encrypted, the confidentiality of the upper layer protocol headers (Transport, Presentation or TCP) is protected. Since the network layer normally corresponds to standardized physical interface points (e.g. LAN interfaces, X.25), it is relatively easy to find security products that operate at this level. Hardware implementations usually offer a higher level of trust in that the integrity of the device functionality can normally be better preserved. Also, the protection of security critical data, such as cryptographic keys, can be better achieved in hardware than in software.

Encryption at a lower layer (e.g. the physical layer) enciphers information transmitted on a network connection cable or wire, independently of and transparently to all higher communication protocols. Since confidentiality protection is provided on a link-by-link basis, meaning that the data must be decrypted at the end of each communication link before it can be processed, this type of implementation is called point-to-point encryption. Traffic flow confidentiality can also be provided by point-to-point encryption. In other words, constant traffic flow can be generated on protected links to avoid the disclosure of information linked with the amount of traffic. Link encryption devices (e.g. encryption modem, T1 encryptor) normally consist of hardware. They can easily be found and inserted at common standardized physical interface points.

2.1.4 Object reuse and covert channel

Some confidentiality services might be required to eliminate information that remains in a shared network resource such as server memory or storage media. They can also be used to revoke previous authorization to network resources before the resources are reassigned to a user or process. These mechanisms, which normally come with the network operating system, include overwriting deleted files, overwriting memory blocks before they are reassigned, etc.


Covert channels are among the least known network vulnerabilities. Even less understood by all but a handful of security experts are the mechanisms to eliminate or reduce covert channels on a network. Because of its complexity, protection against covert channels will not be discussed in detail. However, one should know that a covert channel is a means of transferring information from one individual or process to another without confidentiality mediation. In other words, a covert channel consists of a hidden communication path that bypasses the security safeguards in place, through which information or data can be transferred. The most basic component of a covert channel is its medium. The main characteristic of a medium is that it must have at least one property whose condition is variable, e.g. the state of a memory cell, the voltage on a wire, the polarity of a region on a disk, etc. Information can be conveyed by the covert channel by changing the condition of the medium. Techniques to eliminate or reduce the efficiency of covert channels include limiting access to the channel, introducing noise to reduce the usable bandwidth, encrypting data, monitoring and eliminating the processes that use a covert channel, and more. If covert channels are a concern for a network, a covert channel analysis should be conducted by technical experts to identify all covert channels.

2.1.5 Providing confidentiality

The types of security mechanisms that could be implemented to provide confidentiality services are summarized in Table VI below.

2.2 Integrity

The purpose of the network integrity services is to ensure that the network resources operate correctly and that the data travelling through the network or stored on the network is unaltered. These services provide protection against deliberate or inadvertent unauthorized modification of network functionality (system integrity) and information (data integrity).

2.2.1 System integrity

Physical integrity mechanisms are usually an easy and low cost solution to protect the system integrity of a network when physical access is an issue. These mechanisms can indicate (tamper evident), restrict (tamper resistant) or respond (tamper response) to physical access to network resources. Some examples of these mechanisms include the following:

Tamper evident: break-away labels, hard coating, bleeding paint, seals
Tamper resistant: armoured case, locked rooms, hard coating encapsulation, padlocks
Tamper response: alarm, visual indication, zeroization, audit entry


Table VI - Confidentiality Mechanisms and Services

Attacks or exploitable vulnerabilities (table columns): lack of access mediation to data; lack of physical security; wire tapping; network analyser; exposed monitors and printers; object reuse; EMC (*) / EMI (**); exploitation of a covert channel; Trojan horse.

Protection mechanism, procedure or technique (table rows): file access control; physical access control to network resources; encryption with proper key management; overwriting mechanism; TEMPEST equipment; rules and procedures; secure hubs and routers; virus/TSR scan.

Rating scale used in the table:
///: The safeguard has a high potential to efficiently counter the threat or reduce the vulnerability.
//: The safeguard has potential to efficiently counter the threat or reduce the vulnerability.
/: The safeguard has some potential to efficiently counter the threat or reduce the vulnerability.
1: The Trojan horse will be detected if it consists of a Terminate and Stay Resident (TSR) program.
* Electromagnetic Compatibility (EMC)
** Electromagnetic Interference (EMI)

A good protection against the threat of accidental unauthorized actions being taken, or to limit the effects of such actions if one does occur, is to force network managers to access the network through distinct separated roles on a least privilege basis. For example, creating separate administrator, auditor and operator roles could limit potential damage to only the portion of the network to which a particular administrator is authorized; if these three roles were combined, the damage to the network operation caused by an inadvertent action would potentially be greater.

Self-testing services on a network provide a means of validating correct network operation. Their purpose is to determine if the network and/or network resources operate correctly. Some self-tests are automatically initiated by the network during normal operation, whereas others must be launched by an administrator or operator. Normally, automated testing initiated by the network increases the network system's integrity as human error is reduced. A rollback mechanism can be implemented to undo the last action or the last series of actions and return the network to a known previous state when self-testing fails. Self-testing services are normally implemented separately in various network components; the most critical network components that may require these services are network servers, network operating systems, communication devices, and security functions. The software aspects of system integrity can be addressed by many of the data integrity strategies discussed below.

2.2.2 Data integrity

The data integrity services help to protect data and software residing on client workstations, file servers, and other network components from unauthorized modification. The unauthorized modification can be intentional or accidental. These services can be provided by the use of cryptographic checksums [3] (CC) and very granular access control and privilege mechanisms. The more granular the access control or privilege mechanism, the less likely an unauthorized or accidental modification can occur.

Contrary to access control, the data integrity services provide a means to verify whether the data is altered, deleted or added to in any manner during transmission. Most of the security techniques available today cannot prevent the modification of data as it travels through a network and can only detect the modification of the data, as long as it is not completely deleted [4]. The inadvertent modification of data caused by noise, bad connections etc. is normally handled through a lower communication protocol, e.g. Ethernet 802.3.

The use of checksums provides a modification detection capability. It can protect against both accidental and intentional, but unauthorized, data modification. A CC is initially calculated by applying a cryptographic algorithm with a secret key to the data or to a digest of the data. The initial CC is retained. The data is later verified by applying the cryptographic algorithm and the same secret key to the data or data digest to produce another CC; this CC is then compared to the initial CC. If the two CCs are equal, then the data is considered authentic. Otherwise, an unauthorized modification is assumed. Any party trying to modify the data without knowing the key would normally not be capable of calculating the appropriate CC corresponding to the altered data.

Digital signatures (which can be seen as a specific type of CC) can also be used to detect the modification of data or messages. A digital signature can be generated using asymmetric cryptography technology. Using a public key system, the digest of a piece of information (which can be a file, e-mail message or other data) is generated and is then electronically signed (encrypted) by applying the originator's private key. The resulting digital signature and information can then be stored or transmitted. The signature can be verified using the public key of the originator. If the signature verifies properly, the receiver has confidence that the information was signed using the private key of the originator and that it has not been altered after it was signed. Because private keys are known only to their owner, it may also be possible to verify the originator of the information to a third party. A digital signature, therefore, provides two distinct services: non-repudiation and message integrity; not only do digital signatures provide data integrity services, they also lay the foundation for non-repudiation. Non-repudiation services are discussed in section 2.4.3.

[3] Other terminologies for CC include Message Authentication Code (MAC), encrypted cyclic redundancy check (CRC) and seals.
[4] If sequence numbers are used, then it is possible to detect deleted or missing data.

2.2.2.1 Key management issues

CC depends upon cryptographic keys. Without proper key management, the use of CC is probably useless. As mentioned in section 2.1.3.1, it is crucial that the keys be generated with specific properties, be distributed safely and be terminated effectively.

2.2.2.2 Location of integrity services in layered communications

As discussed in section 2.1.3.2 for encryption services, the CC service can be implemented at various layers of the network communication architecture. However, integrity services are normally not available at the lower layers, where information is not recognized [5]. Implementations at the upper layers of the stack permit the application of integrity to application-specific data; this data can be transmitted over the network or can reside locally. Integrity services can also be implemented in the middle layers, mainly for integrity protection of data as it travels over the network. This type of implementation may be particularly effective in situations where the information has to travel through untrusted sites.

2.2.3 Providing integrity

The types of security mechanisms that could be implemented to provide integrity services are summarized in Table VII below.

Table VII - Integrity Mechanisms and Services
Attacks or exploitable vulnerabilities (table columns): lack of access mediation to data; lack of physical security; network analyser; virus; hardware failure; software failure; lack of separated roles; human error.

Mechanism, procedure or technique (table rows): file access control; physical access control to network resources; encryption [6] with proper key management and data backups; rules and procedures; rollback; virus/TSR scan; self-testing.

Rating scale used in the table:
///: The safeguard has a high potential to efficiently counter the threat or reduce the vulnerability.
//: The safeguard has potential to efficiently counter the threat or reduce the vulnerability.
/: The safeguard has some potential to efficiently counter the threat or reduce the vulnerability.

[5] The lowest layers of communication stacks usually manipulate all the data as bits, not information.
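The cryptographic checksum of section 2.2.2, written out in Go as an added example (not code from the guide or from CSE): the CC is an HMAC-SHA256 (an assumption; the guide names no algorithm) over the data digest under a shared secret key, and a sequence number is bound into it so that deleted or missing records are detected as well as modified ones, the point of footnote 4. The key and the records are constructed for the illustration.

```go
// Added example (not from the CSE guide): a cryptographic checksum (CC) in
// the sense of section 2.2.2, computed as an HMAC-SHA256 (an assumption) over
// the data digest with a shared secret key, plus the sequence number of
// footnote 4 so that deleted or missing records are detected too.
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
)

// Record is one unit of data in transit: its sequence number, the data, and
// the CC that the originator attached to it.
type Record struct {
	Seq  uint64
	Data []byte
	CC   []byte
}

// computeCC applies the keyed algorithm to the sequence number and the digest
// of the data; without the key, a party cannot produce a matching CC.
func computeCC(key []byte, seq uint64, data []byte) []byte {
	digest := sha256.Sum256(data)
	var seqBytes [8]byte
	binary.BigEndian.PutUint64(seqBytes[:], seq)
	mac := hmac.New(sha256.New, key)
	mac.Write(seqBytes[:])
	mac.Write(digest[:])
	return mac.Sum(nil)
}

// Protect numbers the payloads from 1 and attaches the initial CC to each.
func Protect(key []byte, payloads [][]byte) []Record {
	recs := make([]Record, len(payloads))
	for i, p := range payloads {
		seq := uint64(i + 1)
		recs[i] = Record{Seq: seq, Data: p, CC: computeCC(key, seq, p)}
	}
	return recs
}

// Verify recomputes every CC and checks that the sequence numbers run from 1
// to total without gaps. It returns a description of the first problem found,
// or "" when the data is authentic and complete.
func Verify(key []byte, recs []Record, total uint64) string {
	var expected uint64 = 1
	for _, r := range recs {
		if r.Seq > total {
			return fmt.Sprintf("unexpected record %d beyond the %d announced", r.Seq, total)
		}
		if r.Seq != expected {
			return fmt.Sprintf("record %d missing (got seq %d)", expected, r.Seq)
		}
		// Constant-time comparison of the retained CC with the recomputed one.
		if !hmac.Equal(r.CC, computeCC(key, r.Seq, r.Data)) {
			return fmt.Sprintf("record %d modified or forged", r.Seq)
		}
		expected++
	}
	// Trailing deletions leave no gap inside the sequence; only the announced
	// total reveals them.
	if expected-1 != total {
		return fmt.Sprintf("records after %d missing", expected-1)
	}
	return ""
}

func main() {
	key := []byte("constructed-shared-secret-key")
	recs := Protect(key, [][]byte{[]byte("order 17"), []byte("amount 500"), []byte("approved")})
	recs[1].Data = []byte("amount 5000") // modification in transit
	fmt.Println(Verify(key, recs, 3))    // record 2 modified or forged
}
```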

2.3 Availability

The availability services ensure that the network resources and data are accessible to all users as expected. In some applications, they exist specifically to thwart network denial of service attacks or events. In organizations where disruptions of network functionality can cause severe harm, doing data backups on a regular basis is probably not enough. The availability services are more than backups. In fact, these services can be categorized in two main groups. In the first one, we find the containment services, i.e. those that are required to prevent individuals, malicious or not, from over-utilizing network resources such as disk space, memory, bandwidth, etc. in such a way that the resources become unavailable to other users. The availability services which guarantee that the network functionality is preserved when hardware or software failures occur are combined in a second group, which we can call "failure tolerance".

Note 6: Encryption here refers to data encryption, CC or digital signature using a CSE approved algorithm.

2.3.1 Containment

Containment services are used to restrict access to, or use of, a network resource to a certain level, preventing users from hoarding network resources in such a way that those resources become unavailable to other users. The most common method of containment is the use of mechanisms implementing quotas. A quota places a restriction on the maximum amount of any given network resource a user can obtain. All the network resources protected by quotas are monitored to ensure that the threshold limiting the use of the resources is not exceeded. Table VIII lists possible network resources against which quotas can be applied.

Table VIII - Quotas for Availability of Resources

QUOTA          | DESCRIPTION
Maximum Disk   | Maximum disk space allowed.
Maximum Memory | Maximum memory allowed per given user or process.
CPU Time       | Maximum CPU allowed per given user or process.
Data Output    | Maximum user data output allowed per session (i.e. limit on the network traffic generated).
Logon          | Maximum logon attempts and/or the maximum amount of time before a logon attempt is logged out.
Session        | Maximum on-line session time and/or maximum system errors allowed per session.
Quotas may change dynamically in order for the network to adapt to different operational requirements. For example, an administrator could define prioritized users or groups of users whose allocated network resource quotas inflate under particular circumstances. Thus, a network could enter a state where only the highest priority users would have access to certain network resources, at the expense of other users. As an absolute limit, access to a network resource can be denied to certain users to make the resource more available to higher priority users.

2.3.2 Failure Tolerance

Failure tolerance services allow networks to preserve the availability of their resources after component failures. They provide a network with the capability of withstanding component failures, continuing operation while specific components are replaced and/or recovering after a service discontinuity. These services are crucial to maintain network functionality and are often neglected. They can be implemented in software, e.g. in the network operating system, or in hardware; they can consist of a stand-alone system or sub-system. The main idea regarding the fault tolerance services is that they exist to preserve network functionality. Table IX lists the most common failure tolerance services used today:

Table IX - Failure Tolerance Services
Component | Service | Description
Servers, client stations, communication devices | Uninterruptable Power Supply (UPS) | Provides electrical power to the system when normal power is cut off.
Network | Back-up administrator account | Provides the capability to manage the network when the administrator cannot perform his/her duties.
Server | Dual synchronized hard disks | The data stored on a server is replicated; the alternate hard disk takes over when the main one fails.
Server | Data back-up | Data stored on a server is backed up and can be recovered. The back-ups should be stored at a different location to prevent a situation where both the server and the back-up are destroyed.
Hardware component (computer or communication device) | Hot stand-by module | A module in a piece of hardware is duplicated; the alternate module takes over when the main one fails.
Communications | Back-up link | Provides an alternate communication link when the main link is cut off.
Cryptographic system | Key archiving/back-up | A copy of the encryption keys is securely stored; authorized individuals can use these keys to decrypt data in case the original keys are lost, damaged or not accessible.
2.3.3 Providing Availability

The types of security mechanisms that could be implemented to provide availability services are summarized in Table X below.

Table X - Availability Services and Mechanisms

Protection mechanisms, procedures or techniques (rows): Access control to data; Physical access control to network resources; Back-up of data; Rules and procedures; Back-up communication links; Hot standby module; Back-up administrator account; Virus/TSR scan.

Attacks or exploitable vulnerabilities (columns): Accidental physical destruction (e.g. coffee spill); Destruction of data (e.g. delete, disk format); Sabotage; Nonavailability of key personnel; Hardware failure; Software failure; Communication failure; Trojan horse or virus.

[Per-cell rating marks, some qualified in the original as applying to H/W, S/W or communication devices, did not survive extraction and are omitted.]

///: The safeguard has a high potential to efficiently counter the threat or reduce the vulnerability.
//: The safeguard has potential to efficiently counter the threat or reduce the vulnerability.
/: The safeguard has some potential to efficiently counter the threat or reduce the vulnerability.

2.4 Accountability

The purpose of the accountability services is to attribute the responsibility for an action to the proper individual. The accountability services operate in three different ways. First, they ensure that only recognized users access the network and/or its protected resources; in this case the services are used for user I&A purposes, and can be seen as an access control mechanism to the network. Second, they monitor and log activities occurring on the network in general or on specific entities; such activities include user logon, password change, file delete, etc. These are the auditing services. Finally, they provide means to prove the origin of a message to the recipient and/or a proof of delivery to the sender of a message. Networks utilize these services for non-repudiation purposes.

2.4.1 Identification and Authentication

The first step toward securing the resources of a network is the ability to verify the identities of users. The process of verifying a user's identity is referred to as authentication. Authentication provides the basis for the effectiveness of other controls used on the network. For example, the auditing mechanism provides usage information based on the userid. The access control mechanism permits access to network resources based on the same userid. Both these controls are only effective under the assumption that the requester of a network service is the valid user assigned to that specific userid. However, without authentication the network cannot trust that the user is in fact who the user claims to be. Authentication is done by having the user supply something that only the user has, such as a token, something that only the user knows, such as a password, and/or something that makes the user unique, such as a fingerprint (see section 2.4.1.2 below). The more of these types the user has to supply, the less risk of someone masquerading as the legitimate user.

A requirement specifying the need for authentication should exist in each network security policy. The requirement may be directed implicitly in a program level policy stressing the need to effectively control access to information and network resources, or may be explicitly stated in a network specific policy that states that all users must be uniquely identified and authenticated.

2.4.1.1 User ID/Password for Authentication

On most networks, the I&A mechanism uses a userid/password scheme. Normally, password systems can be effective if managed properly, but unfortunately seldom are. Authentication which relies solely on passwords has often failed to provide adequate protection for a number of reasons. Users tend to create passwords that are easy to remember and hence easy to guess. On the other hand, passwords generated from random characters, while difficult to guess, are also difficult for users to remember. This forces the user to write the password down, most likely in an easily accessible area of the workplace. The need for multiple passwords makes the problem even worse. Proper password selection (striking a balance between being easy to remember for the user but difficult to guess for everyone else) has always been an issue. Password generators that produce passwords consisting of pronounceable syllables have more potential of being remembered than generators that produce purely random characters. Password checker software is available and can be useful to determine whether a new password is considered easy to guess, and thus unacceptable.

User ID/password mechanisms, especially those that transmit the password in the clear (in an unencrypted form), are susceptible to being monitored and captured. This can become a serious problem since many networks have uncontrolled connection links; the Internet is probably the best example of what an uncontrolled network looks like. Organizations that are considering connecting their network to outside networks, particularly the Internet, should examine all the implications before doing so. If, after considering all authentication options, the TRA determines that user ID/password systems are acceptable, the proper management of password creation, storage, expiration and destruction becomes all the more important.

The following measures help reduce the vulnerabilities associated with userid/password authentication mechanisms:

1) Educate users, including administrators, on the vulnerabilities linked with userid/password authentication;
2) Ensure that passwords are changed on a regular basis;
3) Allocate passwords to individual users. Passwords shall not be shared;
4) Ensure that typed-in passwords are not displayed on monitors;
5) Passwords should be remembered. They shall not be written down;
6) Limit the number of unsuccessful login attempts;
7) Impose a time delay between login attempts;
8) Change default passwords (e.g. at systems installations) as soon as possible;
9) Impose password restrictions in regards to minimum lengths, use of numeric or other characters, and avoidance of "easy to guess passwords" or passwords included in site specific dictionaries;
10) Prevent passwords from travelling over the network in the clear;
11) Ensure that any form of password information transmitted across the network, encrypted or not, cannot be re-used for unauthorized authentication, to avoid replay attacks;
12) Avoid the practice of keeping passwords in batch files (for automatic password entry); and
13) Ensure proper and safe storage of the passwords.
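Measures 6, 7, 9 and 13 above can be checked mechanically. The following Python is an added example, not code from this document or from any product: a password checker of the kind the text mentions, a logon throttle that limits and spaces out attempts, and salted, iterated hashing for storage. The site dictionary, limits, userids and passwords are constructed for the illustration.

```python
"""Password-policy check, throttled logon and salted storage (constructed
example for measures 6, 7, 9 and 13 above; not a product's code)."""
import hashlib
import hmac
import os
import time
from dataclasses import dataclass, field

# Measure 9: a site-specific dictionary of words that are unacceptable as
# passwords. Constructed for this example.
SITE_DICTIONARY = {"password", "welcome", "netware", "ottawa", "agency", "admin"}
MIN_LENGTH = 8          # measure 9: minimum length
MAX_FAILURES = 5        # measure 6: lock after this many failed logons
DELAY_SECONDS = 2.0     # measure 7: minimum spacing between attempts


def password_problems(candidate, userid):
    """Return the reasons a candidate password is easy to guess (empty = OK)."""
    problems = []
    lower = candidate.lower()
    letters_only = "".join(c for c in lower if c.isalpha())
    if len(candidate) < MIN_LENGTH:
        problems.append("shorter than %d characters" % MIN_LENGTH)
    if not any(c.isdigit() for c in candidate):
        problems.append("no numeric character")
    if candidate.isalnum():
        problems.append("no punctuation or other character")
    if userid.lower() in lower:
        problems.append("contains the userid")
    if letters_only in SITE_DICTIONARY:      # also catches "Welcome1!"
        problems.append("found in site-specific dictionary")
    return problems


def store_password(password, iterations=200_000):
    """Measure 13: keep only a salted, iterated hash, never the password."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return (salt, iterations, digest)


def verify_password(record, attempt):
    salt, iterations, digest = record
    check = hashlib.pbkdf2_hmac("sha256", attempt.encode(), salt, iterations)
    return hmac.compare_digest(check, digest)   # constant-time comparison


@dataclass
class LogonThrottle:
    """Measures 6 and 7: count failures per userid and space out attempts."""
    max_failures: int = MAX_FAILURES
    delay: float = DELAY_SECONDS
    failures: dict = field(default_factory=dict)   # userid -> (count, last time)

    def attempt(self, userid, record, password, now=None):
        """Return 'ok', 'denied', 'too-soon' or 'locked'."""
        now = time.monotonic() if now is None else now
        count, last = self.failures.get(userid, (0, float("-inf")))
        if count >= self.max_failures:
            return "locked"          # an administrator must reset the account
        if now - last < self.delay:
            return "too-soon"        # attempt ignored while the delay is in force
        if verify_password(record, password):
            self.failures.pop(userid, None)
            return "ok"
        self.failures[userid] = (count + 1, now)
        return "denied"
```

The `now` parameter exists so the throttle can be exercised with fixed timestamps; production callers leave it unset and the monotonic clock is used.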

2.4.1.2 Other Authentication Mechanisms

Because of the vulnerabilities that still exist with the use of a userid/password scheme, more robust mechanisms are often recommended. Examples of more robust authentication technologies are described as follows:

a) One-time password

This mechanism relies on the fact that a unique one-time password is generated at each user authentication. The passwords are normally generated by a special device similar to a smart card or a credit-card-size calculator, which can be considered as "something you have" (see section 2.4.1). The end-user enters the password displayed by the device to gain access to the host site. This technology has fewer vulnerabilities than the previously described userid/password scheme, particularly in regards to password guessing, disclosure of the password and replay attacks. However, the vulnerability of an intruder hijacking the session once the authentication is successfully completed remains.

b) Challenge-response

A challenge-response scheme can be described as follows. An end user sends his/her identity to a remote host. Based on the user identity, the host transmits a challenge consisting of numbers and/or characters down to the user. The user enters the challenge into a device similar to the one described above for the one-time password generator, which then generates a response based on the entered challenge. The end-user forwards the response to the host to gain access to the system. The main advantage of this mechanism over the one-time password scheme is that synchronization between remote sites is not required. However, the strength of the challenge-response scheme relies on the algorithm used to convert the challenge into a response. When selecting such a product, consideration should be given to the algorithm employed, the use of keys and the randomness of the challenge. The session hijack vulnerability is not reduced with the use of this mechanism.

c) Smart card

A very effective mechanism for user authentication and establishment of a secure session is the use of challenge-response followed by data encryption. In this scheme, the user first needs a smart card or similar token (e.g. a Personal Computer Memory Card International Association (PCMCIA) device) to insert into a device reader. Then challenge-response takes place between the host and the end-user/smart card. Once both sides are mutually authenticated, a session encryption key is shared between the parties to encrypt further data transmitted during the session. In addition to reducing the vulnerabilities previously mentioned for one-time password and challenge-response technologies, this mechanism also provides protection against hijacking attacks and confidentiality protection of the data transmitted during the session. This technology is particularly effective for remote access to networks through modems or authentication to a remote network site through untrusted paths or relays. The level of trust associated with this scheme relies heavily on the effectiveness of key management, the strength of the encryption and challenge-response algorithms, and the proper management of the smart cards among users. Since today's smart cards do not have the necessary throughput to encrypt messages, the encryption must be performed outside of the card; however, smart cards can be used to store sensitive data such as private keys and passwords, or be used as tokens.

d) Biometrics

The use of biometrics (e.g. fingerprint, voice, retinal scan, etc.) adds "something you are" to the authentication process. This is the strongest way to ensure that individuals are indeed who they say they are. However, in most respects, the use of biometric information in a network environment can be considered as using special unique passwords. Thus, the vulnerabilities of sending biometric information across the network are similar to those related to sending passwords. For this reason, the use of biometric authentication techniques for remote logins does not offer much benefit. However, this technology is particularly suitable and recommended in physical access control or local authentication applications.
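The exchange described under b) and c), as an added example that is not part of the original document: a Python model of both sides, with an HMAC over a shared per-user secret standing in for the token's proprietary response algorithm, and a session key derived from the same exchange. The Host and Token classes, the userids and the secret are assumptions. The point shown is that the challenge is random and consumed once, so a captured response is useless afterwards, and that both sides end up holding the same session key without it ever crossing the link.

```python
"""Challenge-response with mutual authentication and session-key agreement
(constructed example; names and the HMAC-based response are assumptions)."""
import hashlib
import hmac
import secrets


def compute_response(secret, challenge):
    """Token side: turn the host's challenge into a response."""
    return hmac.new(secret, b"response|" + challenge, hashlib.sha256).digest()


def host_proof(secret, challenge, response):
    """Host side: proves to the token that it also knows the secret (mutual)."""
    return hmac.new(secret, b"host|" + challenge + response, hashlib.sha256).digest()


def derive_session_key(secret, challenge, response):
    """Both sides: a fresh per-session key bound to this exchange."""
    return hmac.new(secret, b"session|" + challenge + response, hashlib.sha256).digest()


class Host:
    def __init__(self, user_secrets):
        self.user_secrets = user_secrets        # userid -> secret (constructed)
        self.pending = {}                       # userid -> outstanding challenge

    def issue_challenge(self, userid):
        if userid not in self.user_secrets:
            return None
        challenge = secrets.token_bytes(16)     # random, never reused
        self.pending[userid] = challenge
        return challenge

    def check_response(self, userid, response):
        """Returns (host_proof, session_key) or None. The challenge is
        consumed here, so a captured response cannot be replayed later."""
        challenge = self.pending.pop(userid, None)
        if challenge is None:
            return None
        secret = self.user_secrets[userid]
        expected = compute_response(secret, challenge)
        if not hmac.compare_digest(expected, response):
            return None
        return (host_proof(secret, challenge, response),
                derive_session_key(secret, challenge, response))


class Token:
    """The user's hand-held device or smart card."""
    def __init__(self, secret):
        self.secret = secret

    def respond(self, challenge):
        return compute_response(self.secret, challenge)

    def accept_host(self, challenge, response, proof):
        if not hmac.compare_digest(host_proof(self.secret, challenge, response), proof):
            return None
        return derive_session_key(self.secret, challenge, response)


def run_exchange(host, token, userid):
    """One logon. Returns the session key if both sides agree, else None."""
    challenge = host.issue_challenge(userid)
    if challenge is None:
        return None
    response = token.respond(challenge)
    result = host.check_response(userid, response)
    if result is None:
        return None
    proof, host_key = result
    token_key = token.accept_host(challenge, response, proof)
    return host_key if token_key == host_key else None


def replay_is_rejected(host, token, userid):
    """Capture one exchange, then present the same response twice more."""
    challenge = host.issue_challenge(userid)
    response = token.respond(challenge)
    first = host.check_response(userid, response)
    second = host.check_response(userid, response)   # challenge already consumed
    host.issue_challenge(userid)                      # a new logon, new challenge
    third = host.check_response(userid, response)     # old response no longer matches
    return first is not None and second is None and third is None
```

The session key returned by run_exchange() is what the text calls the shared session encryption key; the encryption of subsequent traffic with it is outside this example, as it is outside the smart card in the text.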

Remote access to networks through dial-in modems usually requires that careful attention be paid at the connection level. An intruder that can access the modem may gain network access by successfully guessing a user password. The availability of the modem to legitimate users may also become an issue if an intruder is allowed continual access to it. Users accessing a network remotely should be authenticated before they can even have access to the network login script.

Mechanisms that provide a user with his or her account usage information may alert the user that the account was used in an abnormal manner (e.g. multiple login failures). These mechanisms include notifications such as the date, time and location of the last successful login, and the number of previous login failures. Locking mechanisms for network devices, workstations or PCs that require user authentication to unlock can be useful to users who must leave their work areas frequently. These locks allow users to remain logged into the network and leave their work areas (for an acceptably short period of time) without exposing an entry point into the network.

2.4.2 Audit

The detection of the occurrence of a threat and its origin are usually the main purposes of the audit services. Depending on the level of detail contained in the audit trail, the detected event should be traceable throughout the system. For example, when an intruder breaks into the system, the log should indicate who was logged on to the system and at what time, all sensitive files that had failed accesses, all programs that had attempted executions, etc. It should also indicate sensitive files and programs that were successfully accessed in this time period. It may be appropriate that some areas of the network (workstations, file servers, etc.) have a specific type of auditing service. Normally, the detection of threat events does not occur in real time unless some type of real-time monitoring capability is utilized. Real-time monitoring services include probes attached to the network (or sometimes to communications devices) that raise an alarm as soon as they detect the occurrence of a threat. The alarm, for example, could consist of a message displayed at the security officer's console and/or closing all access to certain network resources.
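An added example of the audit-trail processing this section describes, not code from the document or from any network operating system: the records, the field layout and the thresholds are constructed. It parses a small constructed trail, condenses it by user, event and result, lists sensitive files with failed accesses, and raises an alarm of the real-time kind when one station accumulates repeated logon failures within a short window.

```python
"""Audit-trail summary and a simple logon-failure alarm (constructed example).
The log format and the records below are made up for illustration."""
from collections import Counter, defaultdict, deque
from datetime import datetime, timedelta

# Constructed audit records: timestamp, server, event, key=value fields.
AUDIT_LOG = """\
1996-01-15 08:02:11 fs1 LOGON user=jdoe station=ws42 result=OK
1996-01-15 08:03:40 fs1 LOGON user=admin station=ws17 result=FAIL
1996-01-15 08:03:52 fs1 LOGON user=admin station=ws17 result=FAIL
1996-01-15 08:04:05 fs1 LOGON user=admin station=ws17 result=FAIL
1996-01-15 08:04:19 fs1 LOGON user=admin station=ws17 result=FAIL
1996-01-15 08:10:30 fs1 FILE_READ user=jdoe path=SYS:PAYROLL/JAN.DAT result=DENIED
1996-01-15 08:11:02 fs1 FILE_READ user=jdoe path=SYS:PUBLIC/README.TXT result=OK
1996-01-15 08:15:44 fs1 PASSWORD_CHANGE user=jdoe result=OK
1996-01-15 09:00:00 fs2 LOGON user=msmith station=ws07 result=OK
1996-01-15 09:02:15 fs2 FILE_DELETE user=msmith path=SYS:SHARED/PLAN.DOC result=OK
"""


def parse_log(text):
    """Turn each line into a dict: time, host, event and the key=value fields."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        date, clock, host, event, *fields = line.split()
        rec = {"time": datetime.strptime(date + " " + clock, "%Y-%m-%d %H:%M:%S"),
               "host": host, "event": event}
        for f in fields:
            key, _, value = f.partition("=")
            rec[key] = value
        records.append(rec)
    return records


def summarize(records):
    """Condense the trail by (user, event, result), as an auditor's tool would."""
    return Counter((r.get("user"), r["event"], r.get("result")) for r in records)


def failed_accesses(records):
    """Sensitive files that had failed accesses, with who tried and when."""
    return [(r["time"].strftime("%H:%M:%S"), r["user"], r["path"])
            for r in records
            if r["event"].startswith("FILE_") and r["result"] == "DENIED"]


def logon_failure_alarms(records, threshold=3, window=timedelta(minutes=5)):
    """Real-time style check: flag a station once it produces 'threshold'
    failed logons within 'window'. Returns (station, user, time) tuples."""
    recent = defaultdict(deque)      # station -> timestamps of recent failures
    alarms = []
    for r in sorted(records, key=lambda r: r["time"]):
        if r["event"] != "LOGON" or r["result"] != "FAIL":
            continue
        q = recent[r["station"]]
        q.append(r["time"])
        while q and r["time"] - q[0] > window:
            q.popleft()
        if len(q) == threshold:       # fire once, when the threshold is reached
            alarms.append((r["station"], r["user"], r["time"].strftime("%H:%M:%S")))
    return alarms


if __name__ == "__main__":
    recs = parse_log(AUDIT_LOG)
    for key, n in sorted(summarize(recs).items(), key=str):
        print(n, key)
    print("failed file accesses:", failed_accesses(recs))
    print("alarms:", logon_failure_alarms(recs))
```

Sorting by category, date/time or location, as the text asks of audit tools, is a matter of choosing the key in summarize(); the alarm routine is the piece that would run continuously against a live feed rather than over a file.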

Another function of the audit services is to provide network administrators with statistics indicating that the network and its resources are functioning properly. This can be done by an audit mechanism that uses the log file as input and processes the file into meaningful information regarding system usage and security. A monitoring capability can also be used to detect network availability problems as they develop.

Only authorized users (e.g. auditors) should be permitted to use the audit tools, set options or select events to be recorded. Preferably, the auditors should be different from the network administrators. Having distinct individuals responsible for network auditing helps to implement an impartial/unbiased auditing policy across the network which is independent of the users, administrators, managers and events involved. Access to the audit data should be strictly restricted to auditors and the integrity of the data should be preserved. Any forwarding of audit data (e.g. for off-line processing) must be accomplished in a manner which will ensure the integrity (and confidentiality if required) of the audit data. In any case, the choice of auditors and the selection of events to be audited have to be based on the TRA and be in accordance with the network security policy.

The choice of the physical medium used for the storage of audit data, normally hard disk, diskette or print-out, should take into consideration the operational usage or performance load, and the required audit granularity. If the audit data is stored on a limited capacity medium, then the auditor should be notified when the audit data files are approaching maximum capacity in order for manual maintenance to be performed as required. The network security policy should state the actions to be taken when the audit data files reach their maximum capacity, e.g. shutting down the network and/or network resources, not logging further event occurrences (which is not very secure), etc.; normally, a compromise must be made between accountability and availability. Consideration should also be given to planning an archive for audit data.

Due to their volume and complexity, it can be very difficult to analyse and effectively utilize the audit data files and/or audit reports. The audit services should include tools that condense and organize the audit data to allow for ease of study. Tools should also provide the capability of sorting audit entries by category (user entries, file system entries), date/time, physical location, etc. In order for auditing data to be useful, efficient and easy-to-use tools must be available to the auditors. However, there is always a trade-off between the number of events audited (on which depend the size of the audit files and the amount of information to search) and the level of difficulty and complexity of analysing the audit data.

2.4.3 Non-repudiation

Non-repudiation is the security service by which the entities involved in a communication cannot deny having participated. It involves the generation, accumulation, retrieval and interpretation of evidence that a particular party processed a particular item. When non-repudiation services are employed, for example, a sending entity cannot deny having sent a message (non-repudiation with proof of origin) and the receiving entity cannot deny having received a message (non-repudiation with proof of delivery). This service is particularly important in electronic mail (e-mail) and electronic commerce applications (EAA). Non-repudiation must be provided through the use of public/private key cryptographic techniques using digital signatures. Where digital signatures are used for non-repudiation purposes, it is crucial that the private keys be protected against duplication and disclosure. Trust in the non-repudiation services is not achievable without secure protection of the signing private keys. See Section 3.2.2 Data Integrity for a description and use of digital signatures.
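Proof of origin and proof of delivery as described above, shown as an added Python example that is not part of the document. It uses textbook RSA with deliberately small, publicly known Mersenne primes and a truncated hash so that it runs without any library; that is a toy for illustrating the two proofs and the role of the private key, not an approved algorithm or key size. The party names, message layout and receipt format are assumptions.

```python
"""Proof of origin and proof of delivery with digital signatures
(constructed example). Toy RSA over known Mersenne primes; key sizes here
are far below anything usable, and the hash is truncated to fit the modulus."""
import hashlib

E = 65537


def make_keypair(p, q, e=E):
    """Toy key generation from two known primes (no primality test needed)."""
    n = p * q
    d = pow(e, -1, (p - 1) * (q - 1))
    return (n, e), (n, d)           # public key, private key


def message_digest(data, n):
    """SHA-256 truncated to 128 bits so the integer is below the toy modulus."""
    h = int.from_bytes(hashlib.sha256(data).digest()[:16], "big")
    assert h < n
    return h


def sign(private_key, data):
    n, d = private_key
    return pow(message_digest(data, n), d, n)


def verify(public_key, data, signature):
    n, e = public_key
    return pow(signature, e, n) == message_digest(data, n)


def send_message(sender_private, sender_id, body):
    """Proof of origin: the sender signs its identity together with the body."""
    data = sender_id.encode() + b"|" + body
    return {"from": sender_id, "body": body, "signature": sign(sender_private, data)}


def receive_message(msg, sender_public, receiver_private, receiver_id):
    """Recipient checks the origin, then signs a receipt (proof of delivery)
    bound to the exact signature it received. Returns None on a bad message."""
    data = msg["from"].encode() + b"|" + msg["body"]
    if not verify(sender_public, data, msg["signature"]):
        return None
    receipt_data = receiver_id.encode() + b"|received|" + msg["signature"].to_bytes(32, "big")
    return {"from": receiver_id, "for_signature": msg["signature"],
            "signature": sign(receiver_private, receipt_data)}


def verify_receipt(receipt, receiver_public, original_msg):
    """Sender checks that the receipt refers to its message and carries the
    receiver's signature; this is the evidence the receiver cannot later deny."""
    if receipt["for_signature"] != original_msg["signature"]:
        return False
    data = receipt["from"].encode() + b"|received|" + receipt["for_signature"].to_bytes(32, "big")
    return verify(receiver_public, data, receipt["signature"])


if __name__ == "__main__":
    # Constructed parties; different prime pairs so the two keys differ.
    alice_pub, alice_priv = make_keypair(2**61 - 1, 2**89 - 1)
    bob_pub, bob_priv = make_keypair(2**89 - 1, 2**107 - 1)
    msg = send_message(alice_priv, "alice", b"Transfer 100 units to account 42")
    receipt = receive_message(msg, alice_pub, bob_priv, "bob")
    print("delivery proven:", verify_receipt(receipt, bob_pub, msg))
```

Both proofs stand or fall with the secrecy of the signing keys: anyone holding alice_priv can produce a message Alice cannot disown, and anyone holding bob_priv can produce a receipt Bob cannot disown, which is why the text insists the private keys be protected against duplication and disclosure.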


2.4.4 Providing Accountability

Table XI lists various security solutions that could be implemented to provide accountability services.

Table XI - Accountability Services and Mechanisms

Protection mechanisms, procedures or techniques (rows): Password-only authentication; One-time password or challenge-response; Smart card and encryption; Physical access control to network resources; Well managed network auditing; Physical and logical protection of the audit trail; Rules and procedures; Digital signature.

Attacks or exploitable vulnerabilities (columns): Password cracking/disclosure; Lack of or weak auditing; Attack on the audit trail; ID forgery (masquerade attack); Unauthorized action on the network; Session hijack.

[Per-cell rating marks did not survive extraction and are omitted.]

///: The safeguard has a high potential to efficiently counter the threat or reduce the vulnerability.
//: The safeguard has potential to efficiently counter the threat or reduce the vulnerability.
/: The safeguard has some potential to efficiently counter the threat or reduce the vulnerability.

2.5 Physical Security

Physical security consists of the measures designed to prevent unauthorized physical access to network resources, equipment, facilities, material and documents, and to safeguard them against damage, theft and modification. These measures cannot be related to a single security service per se. In fact, physical security measures apply to all of the aforementioned security service classes, i.e. confidentiality, integrity, accountability and especially availability. Means to provide physical security include locks, guards, badges, alarms and other similar measures to control access to network resources.

Minimum physical security measures should exist in any network. For example, all the network servers and communication devices should be located in physically controlled areas. Normally, access to these resources should be limited to the few people involved in network management and maintenance. This reduces the risk of an unauthorized individual reading, modifying or destroying sensitive information such as an audit trail, or modifying the network configuration by changing server or communication device settings.

Also, physical access to the client network stations should be restricted to those individuals who require access to them to do their job. Network stations are the most common network entry point for malicious acts or human errors. It is easy for a malicious individual to install on a client station a Trojan horse or virus that will cause major harm to the network. A Trojan horse can be used to capture user passwords or retrieve sensitive information. A virus can propagate to every computer attached to the network, reformatting any hard disk or destroying boot partitions. Computers also need to be protected against theft, including theft of computer components such as hard disks, RAM chips, controllers, etc. Restricting physical access to computers reduces the risk of theft resulting in disruption of network functions and/or unavailability of services. Network stations can be protected by securing the rooms where they are located or by using computer access control products, and by keeping an inventory detailing each computer and its configuration.

Natural phenomena should also be taken into consideration. The use of special carpets, pads or antistatic sprays helps to control static electricity, which can damage computer components and affect the availability and integrity of a network. In addition, surge protectors and power filters should be used to reduce the risks associated with unstable power, power surges or lightning.

Finally, media on which designated (Protected B and above) or classified information is saved should be stored at a secure location, e.g. in a safe. Such media include diskettes, back-up tapes and removable hard disks. If sensitive information is saved on client stations, it is preferable that the stations' hard disks be removable so that the sensitive media can be stored at a secure location when the system is left unattended. Since most data storage is accomplished via magnetic media, special care must be given to these media. In this case, special care means common-sense handling such as not bending the media, storage within acceptable temperature and humidity, keeping the media away from magnetic fields, etc.

2.6 Selection of Appropriate Security Mechanisms

The purpose of implementing security solutions is, for each asset, to reduce the risk to an acceptable level for the organization while maintaining an equilibrium between the money invested in security solutions and the residual risks. For example, a network from which the unauthorized disclosure of information would cause major embarrassment to the government might require spending many thousands of dollars on the procurement of an encryption system with appropriate key management to reduce the residual risks to the minimal acceptable level. In another network, for which the non-availability of information would cause only minor disturbance in a department, the procurement of sophisticated real-time back-up and UPS systems would probably not be justified, since the investment for the system procurement would be very high in comparison with the residual risks. In this case, the residual risks would be much lower than the maximum risk acceptance level.


As mentioned in section 2.2.6, particular circumstances might force an organization to accept additional residual risks because available security solutions are too costly, or to allocate additional funding if additional risks are not acceptable to the organization. Before an organization's upper management can make such a decision, the risk assessment associated with the assets concerned should be thoroughly redone to precisely evaluate the additional residual risks in terms of potential impact for the organization.

Sometimes, the process of selecting security solutions may uncover some vulnerabilities that can be corrected immediately by improving network management and operational controls. These improved controls will usually reduce the risk of the threat by some degree, until such time as more thorough improvements are planned and implemented. For example, increasing the length and composition of the password used for authentication may be one way to reduce the threat of password guessing. Using more robust passwords is a measure that can be quickly implemented to increase the security of the network at minimal cost for the organization. Concurrently, the planning, funding and implementation of a more advanced authentication mechanism can occur.

2.7 Assurance

Because selecting a security solution normally forces the implementer to choose between several security products, the level of assurance associated with each product should be taken into consideration. Assurance ensures, at various levels, that a product design is adequate and appropriate, and that the product operates as intended. Product assurance can be obtained through two principal means.

First, products can be evaluated, validated or reviewed by impartial organizations such as the Communications Security Establishment (CSE) in Canada, and the National Security Agency (NSA) or National Computer Security Centre (NCSC) in the U.S. The product evaluations are performed by qualified evaluators against objective evaluation criteria such as the Canadian Trusted Computer Product Evaluation Criteria (CTCPEC), the DoD Trusted Computer System Evaluation Criteria (Orange Book or TCSEC) or the newly released Common Criteria for Information Technology Security Evaluation (CC). Evaluated (or endorsed) products receive a rating relative to functionality, strength of mechanism and level of trust (assurance). The evaluation ratings differ depending on the evaluation criteria used during the evaluation. CSE and National Institute of Standards and Technology (NIST) accredited labs can perform validations of cryptographic modules used in encryption products for protection of designated information. The cryptographic module validations are processed using the U.S. Federal Information Processing Standard (FIPS) 140-1 publication. Normally, the level of assurance of an encryption product will be higher if it employs a validated cryptographic module. Finally, CSE performs product reviews, which consist of testing a product to verify that the implemented security mechanisms operate as claimed by the vendor. Although reviewed products do not receive ratings, since their design is not verified (product reviews are done in the absence of design details), they provide information concerning the functionality of a product and the accuracy of the user documentation.

Second, security products can also be tested internally to verify their functionality and to assess the level of difficulty required to disable their ability to protect the network. Since internal testing is normally done in the absence of standardized security evaluation or testing criteria, the decision makers must be careful not to be misled by an impression of trust instead of real assurance.


APPENDIX A - SUGGESTED READINGS

[1] CHESWICK, William R. and BELLOVIN, Steven M., Firewalls and Internet Security, Repelling the Wily Hacker, Addison-Wesley Publishing Company, Reading, Massachusetts, 1994, 306 pages.
[2] Communications Security Establishment, An Introduction to Internet and Internet Security, September 1995, 43 pages.
[3] National Institute of Standards and Technology, Keeping Your Site Comfortably Secure: An Introduction to Internet Firewalls (NIST Special Publication 800-10), December 1994, 70 pages.
[4] STALLINGS, William, Network and Internetwork Security - Principles and Practice, Prentice Hall, 1995, 462 pages.

APPENDIX B PRACTICAL EXAMPLE: ASSESSING AND IMPLEMENTING NETWORK SECURITY


1 Introduction

The purpose of this example is to illustrate the concepts discussed in this document. Based on the methodology outlined in Chapter 2, a hypothetical network is partially assessed to determine the risks associated with a network asset. Security services and mechanisms are recommended for countering the vulnerabilities and threats that are found, and thus decreasing the risks to acceptable levels. It is believed that the risk-based approach described in this example can be applied to other networks to derive other network-specific requirements for security.

1.1 Approach

The methodology used in this example to assess the risks consists of the two following phases:

Step 1 - Define the network and identify assets

In this step, the network security boundary and scope are defined and an inventory of assets is performed. We assume that a SoS of the information residing on and travelling over the network already exists. The network configuration, including the network devices, services and other resources, is presented. The objective of this step is to identify the assets that need protection on the network.

Step 2 - Assess the risks for every asset, select safeguards and estimate the residual risks

This step normally assesses each identified network asset for potential threats and measures an exposure rating of the asset to the threats, based on the likelihood of threat occurrence and the resulting impacts. The vulnerabilities and the effectiveness of the present safeguards found in the network are also assessed to measure a risk factor associated with each asset/threat/impact scenario. Where the risk is deemed too high, appropriate solutions are proposed to reduce the risk to an acceptable level. In this example, only one asset will be looked at.

2 Define the Network and Identify Assets

2.1 The Network Configuration and Management

The network is a multi-server Novell 4.x (1) network consisting of 10 servers and 250 client station PCs. Each server runs NetWare 4.x (with NetWare Directory Services - NDS), has one or more hard disk(s), a tape backup unit, an internal UPS unit, ethernet card(s), serial communication card(s), and network printer(s). The servers are spread over five centres, and connected via routers and frame relay services between the centres. The agency network operates over twisted pairs and fibre optic cables.

(1) Mention of specific product names is for description purposes only and does not constitute CSE's endorsement or recommendation for use.

A division in the organization manages the network. The division is responsible for the physical network, its configuration, and providing network-wide services such as electronic mail, and fax and modem pool services. Two network administrators take care of administrative functions such as user administration, local file services, and backup of the file servers. The information on the layout, configuration, and network services of the network is provided by the network managers; much of the information is also supplemented by documents.

2.2 The Network Capabilities

In the discussion that follows, the network services provided for users are described. Though not explicitly stated, it should be noted that the I&A of a user is a prerequisite before any of the services can be rendered to the user.

A. Network File Services

This service provides network users the capability to store their own Disk Operating System (DOS) files on the network server disk. The files can be stored in the users' private file area or in a shared network file area. Logical access control is set up to protect the information stored on the server disks.

B. Network Print Services

This service allows users to print documents on a network printer physically connected to a network server or on a dedicated network printer connected to a user's PC. The print job outputs can be directed to any printer of the network. Some printers are located in open areas.

C. Network Application Software

This service provides users the capability to access application software stored on a network server, to free up disk space on users' PCs.

D. Network Connections to Various Servers

With Novell 4.x, users do not have to log in to each file server. Instead, users log in once to the network, and that single login gives users access to every resource on the entire network regardless of the servers involved. Access to network resources is controlled by Novell security features using rights, ACLs and attributes.

E. Electronic Mail

One of the most frequently used network services is the capability of exchanging electronic mail. This is done using Novell software and an off-the-shelf commercial e-mail software package.

F. Network Access Through PC Dial-in

This service allows users to access the network from a standalone PC that is equipped with a modem and the necessary software. The service is convenient for users who may be away from their offices but need to access the network from a PC not physically linked to the network.

G. Electronic Calendaring

Electronic calendaring provides an integrated scheduling tool for a workgroup. Users can mark events on the calendar and coordinate meeting schedules with fellow workers. Proper access control is essential so that only legitimate users in the workgroup can modify the events and schedules, while others may look at the events and schedules but cannot modify them.

H. Network FAX Capability

This service allows network users to send a copy of a document stored either on the user's PC or on the server disk to any standard FAX machine. If the document contains sensitive information it should not be faxed.

Figure 6 - Diagram of the example network: five sites (Site 1 to Site 5) connected through Frame Relay; the legend identifies servers, client stations, printers (P), modems (M), routers and bridges.

2.3 Network Assets

The network assets that will eventually require protection include the following:

a) Computers - servers;
b) Computers - PCs;
c) Computers - routers;
d) Computer parts (RAM chips, video cards, hard disks, network interface cards);
e) Modems;
f) Printers;
g) Cables and fibres;
h) NetWare operating system files;
i) Novell operation, maintenance and administration files;
j) Client station DOS;
k) Applications software files;
l) Backup tape drives;
m) Backup tapes;
n) UPS devices;
o) Organization data including database files, spreadsheet files, word processing files, e-mail message files and electronic calendaring files;
p) Network data - user profile files;
q) Network data - audit trails;
r) Network data - network configuration and settings files on servers;
s) Network data - network and PC start-up files on client stations (PCs);
t) User data - personnel processed data residing on servers' shared directories;
u) User data - personnel processed data residing on servers' non-shared directories; and
v) User data - personnel processed data residing on PCs.

We assume that a SoS has already been done within the organization. The results of this assessment have demonstrated that approximately 75% of the organization data is designated Protected B and the remaining 25% is Protected A and unclassified. Most of the designated information consists of personal data on Canadian citizens, including high profile individuals such as MPs, ministers, Premiers, etc., that is stored in a database.

In a real-life situation, there could be more assets listed and they could be identified at a finer level of granularity. For example, the organization data residing on each particular network server could consist of distinct assets. In this example, the organization data is represented as being one asset.

3 Risk Assessment of the Network

A complete TRA of the network described in this example would probably consist of a long and detailed process. To proceed with the TRA, additional information such as the physical location of the network components, users' background (technical knowledge, working hours, security clearance, etc.), maintenance procedures, etc. would be required. Since the intent of this document is to focus on practical network security in general and not on TRAs, only the risks on the organization data asset will be addressed, to illustrate the concepts previously described in this document.

3.1 Threat Assessment and Exposure Rating to the Threats

We assume that all the possible threats to the organization data asset have been looked at and that only some would be analysed further, since the probability of the other threats occurring was considered extremely low. The threats that will be examined are the following:

a) Fire,
b) User error,
c) Administrator error,
d) Equipment failure,
e) Hackers - password capturing or cracking,
f) Foreign government - eavesdropping,
g) Vandals - virus, and
h) Malicious employee - Trojan Horse.

For each threat, the potential resulting impacts (unauthorized disclosure, unauthorized modification, disruption of network functions, and/or deceptive actions on the network) are determined. In this case, the disruption of network functions impact represents the non-availability of the organization data caused, for example, by denial of service or destruction of data; deceptive actions on the organization data are actions for which no individual, or the wrong individual, can be held accountable. Then, the threat likelihood of occurrence and the impact level (high, medium or low) are assessed for each threat/impact scenario. The likelihood of occurrence combines both the probability of the threat occurring and the probability of the impact occurring should the threat materialize. The outcomes of this process are the exposure ratings of the organization data asset to each threat, obtained from Table III. These are listed in Table B-I.
Table B-I - Exposure Ratings of the Organization Data Asset to Threats

Threat / resulting impact                              Likelihood   Level of impact   Exposure rating
----------------------------------------------------------------------------------------------------
Threat of fire on the organization data resulting in:
    Disruption                                         Low          High              4

Threat of user errors on the organization data resulting in:
    Unauthorized disclosure                            Medium       High              7
    Unauthorized modification                          Medium       Medium            6
    Disruption                                         Low          Medium            2
    Deceptive actions                                  Low          Medium            2

Threat of administrator errors on the organization data resulting in:
    Unauthorized disclosure                            Medium       High              7
    Unauthorized modification                          Medium       High              7
    Disruption                                         Medium       High              7
    Deceptive actions                                  Low          Medium            2

Threat of equipment failure on the organization data resulting in:
    Unauthorized modification                          Low          High              4
    Disruption                                         Medium       Medium            6

Threat of hackers using password cracking or capturing techniques on the organization data resulting in:
    Unauthorized disclosure                            Medium       High              7
    Unauthorized modification                          Medium       High              7
    Disruption                                         High         High              9
    Deceptive actions                                  Medium       High              7

Threat of foreign government using eavesdropping techniques on the organization data resulting in:
    Unauthorized disclosure                            Medium       Medium            6

Threat of vandals using viruses on the organization data resulting in:
    Unauthorized modification                          High         High              9
    Disruption                                         Medium       High              7

Threat of malicious employee using a Trojan Horse on the organization data resulting in:
    Unauthorized disclosure                            Low          Medium            2
    Unauthorized modification                          Medium       High              7
    Disruption                                         Medium       High              7
    Deceptive actions                                  Medium       High              7

3.2 Risk Assessment of the Network

Now that the exposure ratings of our asset have been measured, the primary network vulnerabilities and the effectiveness of the present safeguards will be analysed in order to obtain risk measures for each threat scenario. The present safeguards that are presented consist of the Novell security features, as well as the security procedures already implemented on the network. We assume that the maximum risk measure acceptable to the organization is low risk (2). When the risk is assessed at medium (3) or higher, potential solutions that would reduce the risk to an acceptable level are described.

The security in a Novell 4.x network is provided by NetWare Directory Services (NDS). NDS is a distributed directory service that maintains the names and attributes of all critical network resources. It enables other network services to enforce user access control and provides dynamic naming consistency over the network. NDS also enforces network security and authenticates all requests to access, add, or modify information.

3.2.1 Threat of Fire resulting in:

3.2.1.1 Disruption

A. Vulnerabilities

Sprinklers: Sprinklers in ceilings for fire-fighting are located in every room of the buildings, including the locations where servers are installed. In case of a fire, organization data could be damaged or destroyed by water, making the data unavailable to users.

Storage media: The storage media on which the organization data resides are very sensitive to dust, humidity and extreme temperature. In case of a fire, chances are that the organization data would be partially or totally lost.

Computer equipment: Networks consist of computer equipment that is very sensitive to dust, humidity and extreme temperature. In case of a fire, chances are that some equipment would cease functioning, thus reducing the availability of the organization data.

The organization data is estimated to be highly vulnerable (3) to fire, which would result in its destruction or non-availability.

B. Present Safeguards

Weekly backups: Backups are done once a week, on Friday afternoons, and one backup copy of each server per month is sent out for off-site storage.

Sprinklers.

Even though the data recorded during a one-month period could potentially be lost, some data could be recovered from backups; thus, these safeguards are estimated to be moderately effective (2) at providing availability services.

C. Risk

Using Table V, with an exposure rating of 4, vulnerability level 3 and safeguard effectiveness of 2 (3:2), the risk is measured at medium (3), which is NOT ACCEPTABLE.

D. Potential Solutions

A low cost solution could consist of performing daily backups of the file servers (after working hours) and updating the off-site backups at least once a week. This would constitute a highly effective solution, reducing the risk measure from 3 to 2, which is an acceptable risk.

Relocating the servers to areas not covered by sprinklers, modifying the sprinkler system or installing protective covers over the servers could constitute other solutions. In these cases, the vulnerability level would probably decrease to 2, also reducing the risk measure from 3 to 2. The cost of these solutions could be higher than that of the aforementioned daily backup solution. The implementation of two solutions (backup plus another one) would reduce the risk to very low (1), which is less than the minimal acceptable risk, at high cost; this would be a typical example of a non cost-effective security solution.
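The scoring used in 3.2.1.1 and in the sections that follow (an exposure rating from likelihood and level of impact, a risk measure from exposure, vulnerability level and safeguard effectiveness, then the cheapest solution that brings the risk to the acceptable level) can be carried out mechanically. The Python program below is an added example, not code from the guide. Because Tables III and V are not reproduced in this appendix, its two lookup tables hold only the combinations this appendix itself states, the solution costs are assumed relative ranks rather than figures from the guide, and any combination the appendix never states is reported as unknown instead of being guessed.

```python
"""Exposure and risk scoring for the Appendix B worked example.

Added example, not code from the CSE guide.  Tables III and V of the guide are
not reproduced in this appendix, so the two lookup tables below hold ONLY the
combinations the appendix itself states (Table B-I and the "C. Risk" /
"D. Potential Solutions" paragraphs of section 3.2); every other combination
is reported as unknown (None) rather than guessed.
"""
from dataclasses import dataclass
from itertools import combinations
from typing import Dict, Optional, Sequence, Tuple

ACCEPTABLE_RISK = 2  # section 3.2: the maximum acceptable risk is low (2)

# Exposure rating = f(likelihood, level of impact), from Table B-I.
EXPOSURE: Dict[Tuple[str, str], int] = {
    ("low", "medium"): 2,
    ("low", "high"): 4,
    ("medium", "medium"): 6,
    ("medium", "high"): 7,
    ("high", "high"): 9,
}

# Risk = f(exposure rating, vulnerability level, safeguard effectiveness),
# from the risk and solution paragraphs of section 3.2 (1 very low .. 5 high).
RISK: Dict[Tuple[int, int, int], int] = {
    (2, 2, 2): 1, (2, 2, 3): 1,
    (4, 3, 2): 3, (4, 2, 2): 2, (4, 3, 3): 2, (4, 2, 3): 1,
    (6, 3, 2): 4, (6, 1, 2): 2,
    (7, 3, 1): 5, (7, 3, 2): 5, (7, 3, 3): 3, (7, 2, 3): 2, (7, 1, 3): 2,
    (9, 3, 2): 5,
}


@dataclass(frozen=True)
class Scenario:
    """One asset/threat/impact scenario, e.g. fire resulting in disruption."""
    threat: str
    impact: str
    likelihood: str       # "low" | "medium" | "high"
    impact_level: str     # "low" | "medium" | "high"
    vulnerability: int    # 1 low, 2 moderate, 3 high
    effectiveness: int    # present safeguards: 1 low, 2 moderate, 3 high

    @property
    def exposure(self) -> int:
        return EXPOSURE[(self.likelihood, self.impact_level)]

    @property
    def risk(self) -> Optional[int]:
        return RISK.get((self.exposure, self.vulnerability, self.effectiveness))


@dataclass(frozen=True)
class Solution:
    """A candidate safeguard.  Costs are assumed relative ranks (1 low .. 3 high),
    not figures from the guide."""
    name: str
    cost: int
    vulnerability: Optional[int] = None   # vulnerability level it brings the network to
    effectiveness: Optional[int] = None   # safeguard effectiveness it brings the network to


def residual_risk(s: Scenario, solutions: Sequence[Solution] = ()) -> Optional[int]:
    """Risk left after applying the solutions: each one can only lower the
    vulnerability level or raise the safeguard effectiveness."""
    vuln, eff = s.vulnerability, s.effectiveness
    for sol in solutions:
        if sol.vulnerability is not None:
            vuln = min(vuln, sol.vulnerability)
        if sol.effectiveness is not None:
            eff = max(eff, sol.effectiveness)
    return RISK.get((s.exposure, vuln, eff))


def select(s: Scenario, candidates: Sequence[Solution],
           threshold: int = ACCEPTABLE_RISK) -> Optional[Tuple[Tuple[Solution, ...], int]]:
    """Cheapest combination of candidates whose residual risk is known and at or
    below the threshold (ties go to the smaller combination).  A combination that
    drives the risk further below the threshold at a higher cost is the
    non cost-effective case of 3.2.1.1 D and is never preferred."""
    options = []
    for k in range(1, len(candidates) + 1):
        for combo in combinations(candidates, k):
            r = residual_risk(s, combo)
            if r is not None and r <= threshold:
                options.append((sum(x.cost for x in combo), len(combo), combo, r))
    if not options:
        return None
    _, _, combo, r = min(options, key=lambda o: (o[0], o[1]))
    return combo, r


# Scenario and candidate solutions of section 3.2.1.1 (fire resulting in disruption).
FIRE = Scenario("fire", "disruption", "low", "high", vulnerability=3, effectiveness=2)
DAILY_BACKUPS = Solution("daily backups, off-site copy updated weekly", cost=1, effectiveness=3)
RELOCATE_SERVERS = Solution("servers moved out of sprinkler-covered rooms", cost=2, vulnerability=2)
# Section 3.2.5.1: hackers capturing or cracking passwords, with the secure gateway of D.
HACK_DISCLOSURE = Scenario("hackers", "unauthorized disclosure", "medium", "high", 3, 1)
SECURE_GATEWAY = Solution("secure gateway with strong authentication and encrypted sessions",
                          cost=2, vulnerability=1, effectiveness=3)

if __name__ == "__main__":
    for scenario, candidates in ((FIRE, [DAILY_BACKUPS, RELOCATE_SERVERS]),
                                 (HACK_DISCLOSURE, [DAILY_BACKUPS, SECURE_GATEWAY])):
        risk = scenario.risk
        verdict = "unknown" if risk is None else ("acceptable" if risk <= ACCEPTABLE_RISK else "NOT ACCEPTABLE")
        print(f"{scenario.threat} -> {scenario.impact}: exposure {scenario.exposure}, risk {risk} ({verdict})")
        chosen = select(scenario, candidates)
        if chosen:
            print("  cheapest acceptable:", " + ".join(x.name for x in chosen[0]), "-> risk", chosen[1])
```

Running the module reproduces the fire scenario (exposure 4, risk 3) and picks daily backups alone as the cheapest acceptable solution; applying both solutions gives risk 1 at higher cost, which `select` deliberately does not prefer. For the hacker/disclosure scenario of 3.2.5.1, daily backups alone leave the risk at 3 and only the secure gateway reaches 2, matching the reasoning of 3.2.5.2 D that no safeguard-only solution suffices while the vulnerability level stays at 3.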


3.2.2 Threat of User Error resulting in:

3.2.2.1 Unauthorized Disclosure of Organization Data

A. Vulnerabilities

Human errors: The privacy (confidentiality) of the organization data mainly relies on users' reliability, which varies between individuals.

Network FAX capability: Users have the capability of sending a copy of a document stored on the user's client station or on a server disk to any FAX machine inside or outside the organization. There is no auditing of FAXed information.

The network is estimated to be highly vulnerable (3) to user errors which would result in unauthorized disclosure of information.

B. Present Safeguards

File ACLs: Access to any file stored on a network server is mediated by the Novell NetWare operating system and NDS using ACLs. It is assumed that the ACLs are configured correctly so that a user cannot access a file for which he/she is not authorized.

Policy statement disallowing the transmission by FAX of sensitive information.

The network has no control over the information transmitted by FAX. Nothing prevents the transmission by FAX of sensitive information or the transmission of FAXs to wrong numbers. The present safeguards are estimated to be of low effectiveness (1).

C. Risk

Using Table V, with an exposure rating of 7, vulnerability level 3 and safeguard effectiveness of 1 (3:1), the risk is measured at high (5), which is NOT ACCEPTABLE.

D. Potential Solutions

An easy solution would be to remove the FAX capability from the network. Even though this is a no cost solution in terms of money, the price to pay is a degradation of productivity and efficiency. This solution would reduce the risk to very low (1).

With a high exposure rating (7, 8 or 9), an acceptable risk measure cannot be obtained without reducing the network vulnerability level. The installation of a FAX encryptor between the FAX device and the telephone line would decrease the vulnerability level and increase the safeguard effectiveness by protecting the information from unauthorized disclosure to individuals other than the intended recipient. This would be a low cost solution considering that only a few FAX encryptor units would need to be purchased; the most common destinations of the FAXs transmitted from the network are already part of the secure government FAX network and thus use FAX encryptors for misrouting protection. This solution would prevent the unauthorized disclosure of information through the transmission of FAXs to wrong numbers. This solution could also include procedures, enforced by network ACLs, that give FAX access to only a few individuals whose responsibility would be to receive from users the documents to be FAXed, verify their content to make sure that no sensitive information is released, and then transmit them by FAX. This solution would decrease the vulnerability level to 2 while increasing the safeguard effectiveness to 3, thus reducing the risk measure from 5 to 2.

3.2.2.2 Unauthorized Modification of Organization Data

A. Vulnerabilities

Lack of validation mechanism: The applications on the network do not check for human errors. Entered data is not validated to detect obvious errors such as an 8-digit phone number, 9-digit SIN, etc.

Human errors: The integrity of the organization data mainly relies on users' accuracy, which varies between individuals.

The network is estimated to be highly vulnerable (3) to user errors which would result in unauthorized modification of information.

B. Present Safeguards

File ACLs: Access to any network file is mediated by the Novell NetWare operating system and NDS using ACLs. It is assumed that the ACLs are configured correctly so that a user cannot modify by mistake a file for which he/she is not authorized.

Weekly backups: Same as 3.2.1.1 B.

Auditing: Access to the designated organization data is audited, which gives the auditors the capability to identify the originator of an error, for correction of the error if possible.

The network can efficiently limit the areas where user errors can happen, even though nothing can provide 100% protection against human errors. Backed up data and auditing information are also available if required. These safeguards are estimated to be moderately effective (2).
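The vulnerability listed under A above (entered data is not validated) is addressed under D below by a validation mechanism that checks the size, type and spelling of entered data before it is saved. The Python module that follows is an added example of such a mechanism, not code from the guide or from the network's applications. The record layout (fields "sin", "phone" and "date_of_birth") and the rules it enforces are assumptions not stated in the guide: a Canadian SIN is taken to be nine digits whose last digit is a Luhn check digit, and a phone number to be ten NANP digits whose area code and exchange start with 2-9; the sample records are constructed.

```python
"""Validation of organization data at entry time, as proposed in 3.2.2.2 D.

Added example, not code from the guide or from the network's applications.
Assumptions not stated in the guide: a record is a dict with the fields "sin",
"phone" and "date_of_birth"; a Canadian SIN is nine digits whose last digit is a
Luhn check digit; a phone number is ten NANP digits whose area code and
exchange start with 2-9.  A record with any problem is rejected before it is saved.
"""
import re
from datetime import date
from typing import Callable, Dict, List


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: from the right, double every second digit, subtract 9 when
    the result exceeds 9, and require the sum of all digits to be a multiple of 10."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def validate_sin(value: str) -> List[str]:
    digits = re.sub(r"[\s-]", "", value)        # "046 454 286" and "046-454-286" are both accepted
    if not digits.isdigit() or len(digits) != 9:
        return ["must be exactly nine digits"]
    if not luhn_ok(digits):
        return ["check digit does not verify"]   # a mistyped digit is caught here
    return []


def validate_phone(value: str) -> List[str]:
    digits = re.sub(r"\D", "", value)
    if len(digits) == 11 and digits.startswith("1"):   # optional country code
        digits = digits[1:]
    if len(digits) != 10:
        return ["must have ten digits"]          # catches the 8-digit number of 3.2.2.2 A
    if digits[0] not in "23456789" or digits[3] not in "23456789":
        return ["area code or exchange is invalid"]
    return []


def validate_date_of_birth(value: str) -> List[str]:
    try:
        born = date.fromisoformat(value)
    except ValueError:
        return ["must be a date in YYYY-MM-DD form"]
    if born >= date.today():
        return ["must be in the past"]
    return []


CHECKS: Dict[str, Callable[[str], List[str]]] = {
    "sin": validate_sin,
    "phone": validate_phone,
    "date_of_birth": validate_date_of_birth,
}


def validate_record(record: Dict[str, object]) -> List[str]:
    """Return every problem found, as "field: message"; an empty list means the
    record may be saved.  The type is checked before the content so that a
    non-string value never reaches the field checkers."""
    problems = []
    for field, check in CHECKS.items():
        value = record.get(field)
        if not isinstance(value, str) or not value.strip():
            problems.append(f"{field}: missing or not text")
            continue
        problems.extend(f"{field}: {msg}" for msg in check(value))
    return problems


if __name__ == "__main__":
    # Constructed sample records: 046 454 286 satisfies the Luhn check, and
    # 555-01xx numbers are reserved for fictitious use.
    good = {"sin": "046 454 286", "phone": "613-555-0123", "date_of_birth": "1960-02-28"}
    bad = {"sin": "046 454 287", "phone": "61355501", "date_of_birth": "1960-13-01"}
    print(validate_record(good))   # []
    print(validate_record(bad))    # three problems, one per field
```

Reporting every problem at once, rather than stopping at the first, lets the user correct the whole entry in one pass; the check-digit test is what turns "size and type" validation into a real defence against a single mistyped digit, which a length check alone would let through.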


C. Risk

Using Table V, with an exposure rating of 7, vulnerability level 3 and safeguard effectiveness of 2 (3:2), the risk is measured at high (5), which is NOT ACCEPTABLE.

D. Potential Solutions

A solution in this case would be to implement a validation mechanism for any organization data entered by the users. This mechanism would verify, for example, that the size, type and spelling of entered data are accurate before it is saved. This solution could reduce the vulnerability level from 3 to 2 while increasing the safeguard effectiveness from 2 to 3, resulting in a new risk measure of 2. This could be a low cost solution if it is implemented with a new application. Otherwise, the cost could be moderate.

3.2.2.3 Disruption

A. Vulnerabilities

Human errors: For example, a user could store data at an improper location on the network, generate excessive traffic, delete files, fill up server disk space, etc.

Location of file servers: Some file servers are located in open areas, which makes them vulnerable to coffee spills, shocks, inadvertent shutdown, etc.

The network is considered to be moderately vulnerable (2) to user errors which would result in the unavailability of the organization data.

B. Present Safeguards

File ACLs: In order to be an effective safeguard, the ACLs must be configured correctly so that a user cannot delete a file for which he/she is not authorized.

NetWare Undelete: This Novell feature can be used to undelete a file erased by mistake.

Computer enclosures: All the computers used as file servers in the network are enclosed in a metal case.

Weekly backups: Same as 3.2.1.1 B.

The network can efficiently limit the areas where user errors can happen, and even if a file were deleted, mechanisms are in place to potentially recover the information lost. However, the traffic generated by each user is not monitored to detect unusual activity. These safeguards are estimated to be moderately effective (2), but would become highly effective with improved backup procedures and contingency planning.

C. Risk

Using Table V, with an exposure rating of 2, vulnerability level 2 and safeguard effectiveness of 2 (2:2), the risk is measured at very low (1).

3.2.2.4 Deceptive Actions

A. Vulnerabilities

The network users are human and thus human errors are expected. Network resources are shared.

The network is estimated to be moderately vulnerable (2) to user errors which would result in deceptive actions on the organization data.

B. Present Safeguards

I&A: Every user must be identified and authenticated by the network before any access to network resources can be granted.

Auditing: Access to the organization data is audited, based on I&A information.

Procedures: Organization data shall not reside on a shared directory, users are responsible for their acts on the network, etc.

These safeguards are estimated to be highly effective (3).

C. Risk

Using Table V, with an exposure rating of 2, vulnerability level 2 and safeguard effectiveness of 3 (2:3), the risk is measured at very low (1).

3.2.3 Threat of Administrator Error resulting in:

3.2.3.1 Unauthorized Disclosure of Organization Data

A. Vulnerabilities

The accuracy of the network configuration and the setting of parameters highly rely on the administrators' competency.


The administrators, who represent a single point of failure, are presently overloaded, which increases the probability of errors.

The network is considered to be highly vulnerable (3) to unauthorized disclosure of organization data caused by administrator errors.

B. Present Safeguards

Effective Rights: The administrators can verify the effective access rights of any network user to the data stored on the network using the Novell "Effective Rights" feature. Conversely, they can also verify which users have access to the organization data and with which privileges.

Administrator training: The administrators are well trained to accurately manage the network.

Auditing: Any administrator action on the network is audited by an independent auditor.

Minimum Enhanced Reliability check: This check is done on all the employees of the organization; this safeguard reduces the consequences of unauthorized disclosure of information within the organization.

Efficient management of service requests by Novell NetWare.

The network cannot entirely prevent administrator errors. However, features exist to detect errors, which will eventually be corrected to prevent unauthorized disclosure of information. In addition, the impact of unauthorized disclosure of information to employees is reduced by the level of trust provided by the user security clearances. These safeguards are estimated to be moderately effective (2).

C. Risk

Using Table V, with an exposure rating of 7, vulnerability level 3 and safeguard effectiveness of 2 (3:2), the risk is measured at high (5), which is NOT ACCEPTABLE.

D. Potential Solutions

A solution to reduce the risk measure could be to share the responsibility of administering the network with an additional qualified individual. This would reduce the workload of each administrator to a reasonable level, thus reducing the probability of errors and the vulnerability level to medium (2). This would also give each administrator more time to verify and monitor the rights granted to users, thus improving the effectiveness of the safeguards already in place to high (3). Consequently, the risk level would be reduced from 5 to 2. This solution may be costly.

3.2.3.2 Unauthorized Modification of Organization Data

A. Vulnerabilities

Same as 3.2.3.1 A. The administrator has full access to the organization data, user profiles, ACLs, etc.

The network is considered to be highly vulnerable (3) to administrator errors which would result in the unauthorized modification of information.

B. Present Safeguards

Same as 3.2.3.1 B, plus weekly backups.

The network cannot entirely prevent administrator errors. However, features exist to detect administrator errors which could eventually result in unauthorized modification of the organization data, and the original data can be recovered from backup if required. These safeguards are estimated to be moderately effective (2).

C. Risk

Using Table V, with an exposure rating of 7, vulnerability level 3 and safeguard effectiveness of 2 (3:2), the risk is measured at high (5), which is NOT ACCEPTABLE.

D. Potential Solutions

Sharing the responsibility of administering the network between three qualified individuals instead of two would also be effective in this area. This solution could reduce the vulnerability to 2 and increase the safeguard effectiveness to 3, thus reducing the risk level from 5 to 2.

3.2.3.3 Disruption

A. Vulnerabilities

Same as 3.2.3.2 A.

The network is considered to be highly vulnerable (3) to administrator errors which would result in the unavailability of information.

B. Present Safeguards

Same as 3.2.3.2 B, plus NetWare Undelete.

The network cannot entirely prevent administrator errors. However, features exist to prevent situations where the data becomes unavailable to authorized users for a long period of time. These safeguards are estimated to be moderately effective (2).

C. Risk

Using Table V, with an exposure rating of 7, vulnerability level 3 and safeguard effectiveness of 2 (3:2), the risk is measured at high (5), which is NOT ACCEPTABLE.

D. Potential Solutions

Performing daily backups of the file servers, as described in 3.2.1, could increase the effectiveness of the safeguards in place to high, at low cost. This would reduce the risk measure from 5 to 3, which is still an unacceptable risk. The addition of a network administrator as previously mentioned, together with the implementation of daily backup procedures, would decrease the vulnerability level to 2, thus reducing the risk measure to 2.

3.2.3.4 Deceptive Actions

A. Vulnerabilities

Same as 3.2.3.2 A.

The network is considered to be moderately vulnerable (2) to administrator errors which would result in deceptive actions on the organization data.

B. Present Safeguards

Same as 3.2.3.1 B, plus I&A.

These safeguards are estimated to be highly effective (3) at preventing deceptive actions on the organization data caused by administrator errors.

C. Risk

Using Table V, with an exposure rating of 2, vulnerability level 2 and safeguard effectiveness of 3 (2:3), the risk is measured to be very low (1).

3.2.4 Threat of Equipment Failure resulting in:

3.2.4.1 Unauthorized Modification (corruption) of Organization Data

A. Vulnerabilities

Some network components (servers and communication devices) are exposed to humidity and temperature variations.

No alternate communication links.

Many single points of failure.

The network is considered to be highly vulnerable (3) to equipment failures which would result in the corruption of information.

B. Present Safeguards

Maintenance contract.

Disk duplexing: Novell feature that copies data onto two hard disks, each on a separate disk channel of each server.

Weekly backups.

Hot Fix: Novell feature that prevents data from being written on bad disk sectors.

The network can efficiently prevent data corruption caused by equipment failure. These safeguards are estimated to be highly effective (3).

C. Risk

Using Table V, with an exposure rating of 4, vulnerability level 3 and safeguard effectiveness of 3 (3:3), the risk is measured as low (2).

3.2.4.2 Disruption

A. Vulnerabilities

Same as 3.2.4.1 A, plus:

Organization data is concentrated on specific servers (depending on the applications), which represent single points of failure.

The network is considered to be highly vulnerable (3) to equipment failures which would result in the unavailability of information.

B. Present Safeguards

Same as 3.2.4.1 B.

Since the network offers some protection against the unavailability of data caused by equipment failure, these safeguards are estimated to be moderately effective (2).

C. Risk

Using Table V, with an exposure rating of 6, vulnerability level 3 and safeguard effectiveness of 2 (3:2), the risk is measured at moderately high (4), which is NOT ACCEPTABLE.

D. Potential Solutions

An application that replicates and distributes the organization data on the network, in combination with the implementation of alternate communication links within the network, would eliminate or reduce the single points of failure. This solution would decrease the vulnerability level to low (1), thus reducing the risk from 4 to 2. New backup procedures would not improve the safeguards' effectiveness enough to reduce the risk to an acceptable level.

3.2.5 Threat of Hackers Cracking or Capturing Passwords resulting in:

3.2.5.1 Unauthorized Disclosure of Organization Data

A. Vulnerabilities

Uncontrolled connections of modems on client stations.

Passwords for access to client stations and to the network are sent in the clear over the public telephone system.

No password strength verification.

The network is considered to be highly vulnerable (3) to hackers gaining unauthorized access to the network, resulting in unauthorized disclosure of information.

B. Present Safeguards

Novell login security features, which include a minimum password length set to 8, reuse of previous passwords not allowed, maximum login attempts set to 3 and user accounts disabled after 3 login attempts.

ACLs allow users access to certain files only; a hacker cracking or capturing a user password would gain access only to the files authorized for that user.

Auditing (for intrusion detection).

Procedures are in place to oblige users to enter 2 passwords to remotely log in to the network via a modem and a client station, i.e. one for access to the client station and one for access to the network.

Minimum password length for the administrator is set to 10.

Remote access to routers is disabled.

It is extremely difficult to protect a network that has several uncontrolled external connections, especially when passwords are transmitted in the clear. The present safeguards provide good protection against login password cracking attacks at the network level; however, the system remains highly vulnerable to hackers capturing passwords as they travel on the telephone system or cracking modem passwords. For this reason, the safeguards' effectiveness is considered low (1).

C. Risk

Using Table V, with an exposure rating of 7, vulnerability level 3 and safeguard effectiveness of 1 (3:1), the risk is measured as high (5), which is NOT ACCEPTABLE.

D. Potential Solution

To obtain an acceptable measure of risk, the vulnerability level must be reduced. In this case, the vulnerability level would be reduced by disallowing any modem connections to client stations. External connections could be provided via a secure gateway which establishes encrypted sessions with remote users. Users would first have to authenticate to the gateway using, for example, a public/private key scheme or another strong authentication mechanism, e.g. an authentication token, a one-time generated password, etc. Once a user is identified and authenticated, traffic encryption could start, to prevent the user's network login password from travelling over the telephone system in the clear. At remote sites, encryption/decryption would preferably be done in hardware, i.e. an in-line stand-alone box, a modem encryptor, an off-line PCMCIA card, a computer board or a smart card. Assuming that this medium cost solution is implemented with proper key management, the vulnerability level would decrease to 1 while the safeguard effectiveness would increase to 3 (because of the additional remote access protection), thus reducing the risk measure to 2.

3.2.5.2 Unauthorized Modification of Organization Data

A. Vulnerabilities

Same as 3.2.5.1 A.

The network is considered to be highly vulnerable (3) to hackers gaining unauthorized access to the network, resulting in unauthorized modification of information.

B. Present Safeguards

Same as 3.2.5.1 B, plus weekly backups.

For the same reasons as those mentioned in section 3.2.5.1, the network remains highly vulnerable to hackers capturing passwords as they travel on the telephone system. Even though the original information could possibly be recovered from backup, backups are performed only once a week and nothing ensures that the backed up information is not corrupted. For this reason, the safeguards' effectiveness is considered low (1).

C. Risk

Using Table V, with an exposure rating of 7, vulnerability level 3 and safeguard effectiveness of 1 (3:1), the risk is measured as high (5), which is NOT ACCEPTABLE.

D. Potential Solutions

Performing daily backups would certainly increase the safeguard effectiveness to 2 and possibly 3. However, the network remains so vulnerable that even a highly effective security solution cannot reduce the risk to an acceptable level. The previously described secure gateway with encryption solution would here also be effective enough to decrease the vulnerability level to 2 and improve the safeguard effectiveness to 3, thus reducing the risk measure to 2.
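The Novell login features listed under 3.2.5.1 B (minimum password length 8, or 10 for the administrator, no reuse of previous passwords, account disabled after 3 failed login attempts), together with the password strength verification that 3.2.5.1 A lists as missing, can be expressed as a single account policy. The Python class below is an added example, not NetWare code; the salted PBKDF2 hashing and the particular strength rules are assumptions chosen for the example, and the account names and passwords are constructed.

```python
"""Login policy modelled on the Novell safeguards listed in 3.2.5.1 B.

Added example, not NetWare code: minimum password length 8 (10 for the
administrator), no reuse of previous passwords, account disabled after 3
failed login attempts, plus the password strength verification the appendix
notes is missing.  The salted PBKDF2 hashing is an assumption made so that
the example stores no cleartext; it is not how NetWare 4.x stores passwords.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass, field
from typing import List, Optional

MAX_ATTEMPTS = 3                       # "maximum login attempts set to 3"
MIN_LENGTH = {"user": 8, "admin": 10}  # "minimum password length set to 8" / "10 for the administrator"


def _digest(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


def strength_problems(password: str, role: str = "user") -> List[str]:
    """Rules a candidate password breaks; an empty list means it is acceptable.
    The character-class and repetition rules are the example's own choice."""
    problems = []
    if len(password) < MIN_LENGTH[role]:
        problems.append(f"shorter than {MIN_LENGTH[role]} characters")
    classes = (any(c.islower() for c in password), any(c.isupper() for c in password),
               any(c.isdigit() for c in password), any(not c.isalnum() for c in password))
    if sum(classes) < 3:
        problems.append("fewer than three character classes")
    if len(set(password)) <= len(password) // 2:
        problems.append("too repetitive")
    return problems


@dataclass
class Account:
    name: str
    role: str = "user"
    salt: bytes = field(default_factory=lambda: os.urandom(16))
    current: Optional[bytes] = None
    history: List[bytes] = field(default_factory=list)   # digests of previous passwords
    failed_attempts: int = 0
    disabled: bool = False

    def set_password(self, new: str) -> bool:
        """Accept the new password only if it is strong enough and was never used before."""
        if strength_problems(new, self.role):
            return False
        digest = _digest(new, self.salt)
        previous = self.history + ([self.current] if self.current is not None else [])
        if any(hmac.compare_digest(digest, old) for old in previous):
            return False                                   # "reuse of previous passwords not allowed"
        if self.current is not None:
            self.history.append(self.current)
        self.current = digest
        self.failed_attempts = 0
        return True

    def login(self, password: str) -> bool:
        """One login attempt.  A disabled account never succeeds, even with the right password."""
        if self.disabled or self.current is None:
            return False
        if hmac.compare_digest(_digest(password, self.salt), self.current):
            self.failed_attempts = 0
            return True
        self.failed_attempts += 1
        if self.failed_attempts >= MAX_ATTEMPTS:
            self.disabled = True                           # "user accounts disabled after 3 login attempts"
        return False


if __name__ == "__main__":
    acct = Account("jdoe")
    print(acct.set_password("short1!"), strength_problems("short1!"))   # False: too short
    print(acct.set_password("Fr0st-Map"))                                # True
    print(acct.set_password("Fr0st-Map"))                                # False: reuse
    print([acct.login("guess") for _ in range(3)], acct.disabled)       # three failures, then disabled
    print(acct.login("Fr0st-Map"))                                       # False: account is disabled
```

This covers only the network-level login safeguards, which is exactly the scope the appendix credits them with: they stop guessing and reuse, but do nothing for a password captured in the clear on the telephone line, which is why 3.2.5.1 rates the safeguards' effectiveness low (1) and turns to the secure gateway solution rather than to stricter password rules.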


3.2.5.3 Disruption

A. Vulnerabilities

Same as 3.2.5.1 A, plus:
- Backups are done only once a week.
- No monitoring and no quotas on traffic and use of resources.
- Many single points of failure.

The network is considered to be highly vulnerable (3) to hackers gaining unauthorized access to the network, later resulting in the unavailability of information.

B. Present Safeguards

Same as 3.2.5.2 B, plus:
- Novell Undelete.

As previously mentioned, the network remains highly vulnerable to hackers capturing passwords as they travel on the telephone system. Should the organization data be destroyed by deletion of files or reformatting of a hard disk, it could be recovered from backup or possibly by using the undelete feature. However, these services are not designed to provide effective availability. Thus, the effectiveness of the safeguards in place is considered medium (2).

C. Risk

Using Table V, with an exposure rating of 9, vulnerability level 3 and safeguard effectiveness of 2 (3:2), the risk is measured as high (5), which is NOT ACCEPTABLE.

D. Potential Solution

The secure gateway solution described in section 3.2.5.1 D would reduce the risk measure to low (2).

3.2.5.4 Deceptive Actions on Organization Data

The deceptive actions resulting from a hacker gaining access to the network using a valid user ID and password include sending e-mails, setting up meetings/appointments, etc. using the valid user's identity.


A. Vulnerabilities

Same as 3.2.5.1 A.

The network is considered to be highly vulnerable (3) to hackers gaining unauthorized access to the network, resulting in deceptive actions on the organization data.

B. Present Safeguards

Same as 3.2.5.1 B.

For the same reasons as those mentioned in section 3.2.5.1, the network remains highly vulnerable to hackers capturing passwords as they travel on the telephone system. Once hackers gain access to a network using a valid user's ID and password, all kinds of deceptive actions can occur. For this reason, the safeguard effectiveness is considered low (1).

C. Risk

Using Table V, with an exposure rating of 7, vulnerability level 3 and safeguard effectiveness of 1 (3:1), the risk is measured as high (5), which is NOT ACCEPTABLE.

D. Potential Solutions

The secure gateway solution described in section 3.2.5.1 D would reduce the risk measure to low (2).

3.2.6 Threat of Foreign Governments Eavesdropping on the Network Resulting in:

3.2.6.1 Unauthorized Disclosure of Organization Data

A. Vulnerabilities

- Data travels in the clear on the network and the public telephone network.
- Some connections are made with unshielded twisted-pair cables.
- No TEMPEST or low-emanation equipment is used.
- Some monitors are located just beside windows.
- Most of the printers are located in open areas and some are very close to windows.
- Ethernet topologies are used (data is broadcast on network segments).


The network is considered to be highly vulnerable (3) to eavesdropping, which would result in the unauthorized disclosure of information.

B. Present Safeguards

- Physical access control is in place at each location.
- Fibre optics are used at some locations.

These safeguards do not provide effective protection against eavesdropping, wiretapping or the reading of information through windows. The safeguard effectiveness is considered to be low (1).

C. Risk

Using Table V, with an exposure rating of 6, vulnerability level 3 and safeguard effectiveness of 1 (3:1), the risk is measured as high (5), which is NOT ACCEPTABLE.

D. Potential Solutions

With an exposure rating of 6, an acceptable risk measure will be difficult to obtain without a highly effective security solution which, in this case, must include TEMPEST equipment. For this scenario, a solution could consist of a mix of procedures and mechanisms. For example, a procedure could be put in place to prevent monitors from being read through the windows; this can be achieved by relocating or reorienting computers, monitors and desks. The network printing services could be reset to oblige users to print on specific printers. Encryption with proper key management could be put in place on all external connections, including outside lines and frame relay connections. In addition, twisted-pair cables could be replaced by fibre optics, and the Ethernet cards accordingly. With this medium cost solution, the vulnerability level would decrease from 3 to 2 and the safeguard effectiveness would increase from 1 to 2, thus reducing the risk measure to medium (3). It could be determined that only TEMPEST equipment would have the capability of reducing the risk measure to low; this solution being very costly, a medium risk might in this case be accepted by the highest authority, in accordance with the GSP.

3.2.7 Threat of Vandals Introducing a Virus on the Network Resulting in:

3.2.7.1 Unauthorized Modification of Organization Data

A. Vulnerabilities

- No virus scan or virus detection tool is implemented.
- Numerous uncontrolled external network connections via client stations.
- Network startup files are stored on each client station.

The network is considered to be highly vulnerable (3) to virus attacks resulting in the unauthorized modification of information.

B. Present Safeguards

- Novell access control features, which provide protection against unauthorized access to the network.
- Weekly backups.
- Procedures stating that floppy diskettes external to the network should not be used on client stations.

The network cannot efficiently limit the areas where a virus can be introduced and transmitted over the network. The present safeguards have low effectiveness (1) in protecting the network against a virus corrupting data, even though original data could possibly be recovered from backups.

C. Risk

Using Table V, with an exposure rating of 9, vulnerability level 3 and safeguard effectiveness of 1 (3:1), the risk is measured as high (5), which is NOT ACCEPTABLE.

D. Potential Solutions

Same as 3.2.5.1 B. Controlling external connection lines through the use of a secure gateway instead of uncontrolled modems on the client stations could reduce the network vulnerability level for virus infection from 3 to 2. The addition of up-to-date and effective virus detection software running on every client station and every file server on the network, combined with daily backup procedures, would certainly increase the safeguard effectiveness from 1 to 3, thus reducing the risk level to low (2).

3.2.7.2 Disruption

A. Vulnerabilities

Same as 3.2.7.1 A.

The network is considered to be highly vulnerable (3) to virus attacks resulting in the unavailability of the organization data.


B. Present Safeguards

Same as 3.2.7.1 B.

The present safeguards have low effectiveness (1) in protecting the network against a virus disrupting the network or deleting files in such a way that the organization data becomes unavailable, even though data can potentially be recovered from backups if required.

C. Risk

Using Table V, with an exposure rating of 7, vulnerability level 3 and safeguard effectiveness of 1 (3:1), the risk is measured as high (5), which is NOT ACCEPTABLE.

D. Potential Solutions

The risk measure can be reduced to low (2) by using the same solution as the one described in 3.2.7.1.

3.2.8 Threat of Malicious Employees Using a Trojan Horse Resulting in:

3.2.8.1 Unauthorized Disclosure of Information

A. Vulnerabilities

- No protection against unhappy valid users who are affected by lay-offs and/or salary cuts (many employees have high technical skills that can be used against computers), and the majority of employees are allowed to read most of the organization data.
- Computer equipment is located in open areas.
- Client stations are not password protected at boot time.
- When users are away from their computers, they tend to leave them logged in to the network.

The network is considered to be highly vulnerable (3) to Trojan Horse attacks resulting in the unauthorized disclosure of information.

B. Present Safeguards

- Minimum reliability checks are done on all the employees of the organization.
- Auditing of access to data.
- Access to user accounts is limited by client station address (Novell feature).
- ACLs are set in such a way that all the executables stored on the network can only be executed, i.e. they cannot be copied, deleted or modified.


The present safeguards are moderately effective (2) in protecting the network against the intrusion of a Trojan Horse resulting in unauthorized access to organization data, mainly because the reliability check gives a certain level of trust that employees would not act maliciously to obtain information that they could be authorised to obtain.

C. Risk

Using Table V, with an exposure rating of 2, vulnerability level 2 and safeguard effectiveness of 1 (2:1), the risk is measured as low (2).

3.2.8.2 Unauthorized Modification of Information

A. Vulnerabilities

Same as 3.2.8.1 A.

The network is considered to be highly vulnerable (3) to Trojan Horse attacks resulting in the unauthorized modification of information.

B. Present Safeguards

Same as 3.2.8.1 B, plus:
- Novell NCP Packet Signature; this mechanism ensures that the data is not modified as it travels over the network.
- Weekly backups.

The present safeguards have low effectiveness (1) in protecting the network against the intrusion of a Trojan Horse which would result in the unauthorized modification of organization data. A Trojan Horse would certainly operate at the client station to modify the data after it is entered by a user and before it is transmitted over the network, i.e. before packet signature occurs. Once the Trojan Horse is discovered, the backups might also contain corrupted data.

C. Risk

Using Table V, with an exposure rating of 7, vulnerability level 3 and safeguard effectiveness of 1 (3:1), the risk is measured as high (5), which is NOT ACCEPTABLE.

D. Potential Solutions

With an exposure rating of 7, an acceptable risk cannot be obtained without reducing the vulnerability level. The easiest way to decrease the network vulnerability to this Trojan Horse threat is certainly to control access to every client station. This could be achieved by installing a piece of hardware that forces users to identify and authenticate themselves before the computer can boot. The same product could also protect the start-up files (computer booting and network connection) and system files, including interrupt routines, against modification (by access mediation, encrypted checksum or signature), which would be highly effective in protecting the network against the intrusion of a Trojan Horse. With this medium cost solution, the vulnerability level would decrease from 3 to 2 and the safeguards would become highly effective (3), thus reducing the risk measure to an acceptable level of 2.

3.2.8.3 Disruption

A. Vulnerabilities

Same as 3.2.8.1 A.

The network is considered to be highly vulnerable (3) to Trojan Horse attacks resulting in the unavailability of information.

B. Present Safeguards

Same as 3.2.8.1 B, except that auditing would probably not help.

The present safeguards have low effectiveness (1) in protecting the network against the intrusion of a Trojan Horse resulting in the unavailability of organization data. A Trojan Horse would operate at the client station to degrade the network performance and possibly filter out some data before it reaches the user. Although destroyed information could possibly be recovered from backups, there is no mechanism to detect a Trojan Horse or prevent it from harming the network.

C. Risk

Using Table V, with an exposure rating of 7, vulnerability level 3 and safeguard effectiveness of 1 (3:1), the risk is measured as high (5), which is NOT ACCEPTABLE.

D. Potential Solutions

The solution described in section 3.2.8.2 would also be effective here to reduce the risk measure to low (2).

3.2.8.4 Deceptive Actions on Organization Data

Deceptive actions would result from a malicious employee installing a Trojan Horse to capture user or administrator passwords. Using another valid user's ID and password, the malicious employee would send e-mail messages and faxes, make meeting appointments, etc.
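The "encrypted checksum or signature" protection of start-up and system files proposed in 3.2.8.2 D (and carried over to 3.2.8.3 and 3.2.8.4 above) can be illustrated with a keyed integrity baseline. The Python below is an example added to this guide, not the hardware product the case study refers to. It uses HMAC-SHA256 as the keyed checksum (an assumption; the document names no algorithm) and constructs its own sample DOS start-up files in a temporary directory. The key is the design point that matters: a plain checksum could simply be recomputed by the same Trojan Horse that altered the file, so the key must live with the administrator or on the user's smart card, never on the client's hard disk.

```python
import hashlib
import hmac
import os
import tempfile


def keyed_checksum(key, path):
    """HMAC-SHA256 over the file contents, read in chunks."""
    mac = hmac.new(key, digestmod=hashlib.sha256)
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            mac.update(chunk)
    return mac.hexdigest()


def build_baseline(key, paths):
    """Record the keyed checksum of every protected file. Taken once on a
    known-good client station and stored away from that station."""
    return {path: keyed_checksum(key, path) for path in paths}


def verify_baseline(key, baseline):
    """Recompute the checksums and report every file that no longer matches.
    Returns {path: "modified" | "missing"}; an empty dict means intact."""
    findings = {}
    for path, expected in baseline.items():
        if not os.path.exists(path):
            findings[path] = "missing"
        elif not hmac.compare_digest(expected, keyed_checksum(key, path)):
            findings[path] = "modified"
    return findings


def run_scenario():
    """Build a baseline over constructed sample start-up files, then alter
    them the way a Trojan Horse installation would. Returns the findings
    before and after the change, keyed by file name."""
    # Constructed administrator key; in practice held off the client station.
    key = bytes.fromhex("00112233445566778899aabbccddeeff")
    with tempfile.TemporaryDirectory() as workdir:
        autoexec = os.path.join(workdir, "AUTOEXEC.BAT")
        netstart = os.path.join(workdir, "STARTNET.BAT")
        # Constructed sample contents, written as bytes so line endings stay fixed.
        with open(autoexec, "wb") as fh:
            fh.write(b"@ECHO OFF\r\nCALL STARTNET.BAT\r\n")
        with open(netstart, "wb") as fh:
            fh.write(b"LSL\r\nNE2000\r\nIPXODI\r\nVLM\r\nF:\r\nLOGIN\r\n")

        baseline = build_baseline(key, [autoexec, netstart])
        before = verify_baseline(key, baseline)

        # Simulated tampering: an extra program inserted before LOGIN in the
        # network start-up file, and the other start-up file removed.
        with open(netstart, "wb") as fh:
            fh.write(b"LSL\r\nNE2000\r\nIPXODI\r\nVLM\r\nF:\r\nTROJAN\r\nLOGIN\r\n")
        os.remove(autoexec)
        after = verify_baseline(key, baseline)

        def by_name(findings):
            return {os.path.basename(p): v for p, v in findings.items()}

        return by_name(before), by_name(after)


if __name__ == "__main__":
    print(run_scenario())   # ({}, {'STARTNET.BAT': 'modified', 'AUTOEXEC.BAT': 'missing'})
```

Run at boot (from protected code, before the network start-up files are executed) the check detects the modification; run by the administrator against the stored baseline it gives the daily evidence the policy in Appendix C asks for. Detection is all it provides: preventing the change in the first place is the access-mediation part of the hardware solution.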


A. Vulnerabilities

Same as 3.2.8.1 A.

The network is considered to be highly vulnerable (3) to a Trojan Horse used to capture passwords.

B. Present Safeguards

Same as 3.2.8.1 B, except that auditing would not help.

The present safeguards have low effectiveness (1) in protecting the network against the intrusion of a Trojan Horse. A Trojan Horse would transparently capture the user password entered at his/her client station. The malicious individual would later use the captured password to log in as a different user and cause deceptive actions to occur. There is no mechanism in place to detect a Trojan Horse or prevent it from harming the network.

C. Risk

Using Table V, with an exposure rating of 7, vulnerability level 3 and safeguard effectiveness of 1 (3:1), the risk is measured as high (5), which is NOT ACCEPTABLE.

D. Potential Solutions

The solution described in section 3.2.8.2 would also be effective here to reduce the risk measure to low (2).

3.3 Selection of Solutions and Residual Risks

Based on the risk analysis performed, cost-effective security services and mechanisms that are appropriate to reduce the risks associated with the organization data are recommended. Table B-2 shows the present risks, the services and mechanisms that are recommended for the network and the residual risks remaining after these new safeguards are implemented. It is quite possible that several mechanisms are used to counter a single threat; in that case, multiple mechanisms are listed. It should be noted that a clearly stated security policy, a well-defined set of security procedures and adequate user training are essential for achieving and maintaining a secure network environment.


Table B-II: Present Risks, Proposed Solutions and Residual Risks

For each threat scenario the table gives, per impact: the present risk, the security solution, and the residual risk once the solution is implemented. Risk scale: 0 = minimal risk, 1 = very low risk, 2 = low risk, 3 = medium risk, 4 = moderately high risk, 5 = high risk.

Threat of Fire Resulting in:
- unauthorized disclosure: present risk 0; security solution: not required; residual risk 0
- unauthorized modification: present risk 0; security solution: not required; residual risk 0
- disruption: present risk 3; security solution: a) daily backups, b) off-site storage of one backup per week; residual risk 2

Threat of User Errors Resulting in:
- unauthorized disclosure: present risk 5; security solution: a) secure FAX, join the government secure FAX network, b) access control on FAX services, c) information is monitored before being FAXed; residual risk 2
- unauthorized modification: present risk 5; security solution: a) data entry validation; residual risk 2
- disruption: present risk 1; security solution: not required; residual risk 1
- deceptive actions: present risk 1; security solution: not required; residual risk 1

Threat of Administrator Errors Resulting in:
- unauthorized disclosure: present risk 5; security solution: a) additional network administration staff (the administration of the network would be shared between three qualified individuals instead of only two), b) new procedures implemented to constantly verify user access rights on network resources and data; residual risk 2
- unauthorized modification: present risk 5; security solution: a) additional network administration staff; residual risk 2
- disruption: present risk 5; security solution: a) additional network administration staff, b) daily backups; residual risk 2
- deceptive actions: present risk 1; security solution: not required; residual risk 1

Threat of Equipment Failure Resulting in:
- unauthorized disclosure: present risk 0; security solution: not required; residual risk 0
- unauthorized modification: present risk 2; security solution: not required; residual risk 2
- disruption: present risk 4; security solution: a) elimination of single points of failure by implementing a new application that will duplicate and replicate the organization data across the network, and installing alternate connections between the servers (later referred to as the "new application"); residual risk 2

Threat of Hackers (Cracking or Capturing Passwords) Resulting in:
- unauthorized disclosure: present risk 5; security solution: a) banning of modem connections to client stations, b) continuous scanning of the organization telephone lines to make sure that modems are not connected, c) gateway for remote access to the network, d) strong I&A at the gateway level using smart card technology, e) DES encryption of traffic between gateway and remote sites (all of these are later referred to as the "secure gateway"); residual risk 2 to 1, depending on the selected products
- unauthorized modification: present risk 5; security solution: a) secure gateway; residual risk 2
- disruption: present risk 5; security solution: a) secure gateway; residual risk 2
- deceptive actions: present risk 5; security solution: a) secure gateway; residual risk 2

Threat of Foreign Governments (Eavesdropping) Resulting in:
- unauthorized disclosure: present risk 5; security solution: a) procedures enforcing the installation of the client station monitors in such a way that the displayed data cannot be read through the windows, b) traffic encryption between gateway and remote sites, c) in-line DES traffic encryption on every network interconnection through the public telephone system; residual risk 3
- unauthorized modification: present risk 0; security solution: not required; residual risk 0
- disruption: present risk 0; security solution: not required; residual risk 0
- deceptive actions: present risk 0; security solution: not required; residual risk 0

Threat of Vandals (Virus) Resulting in:
- unauthorized disclosure: present risk 0; security solution: not required; residual risk 0
- unauthorized modification: present risk 5; security solution: a) secure gateway, b) implementation of a virus detection utility that will continuously scan for viruses at the client station and server levels, c) daily backups; residual risk 2
- disruption: present risk 5; security solution: a) secure gateway, b) virus detection; residual risk 2
- deceptive actions: present risk 0; security solution: not required; residual risk 0

Threat of Malicious Employees (Trojan Horse) Resulting in:
- unauthorized disclosure: present risk 2; security solution: not required (the risk will be reduced to 1 once access control to PCs is implemented); residual risk 2
- unauthorized modification: present risk 5; security solution: a) access control to client stations by the use of a hardware product, b) access control to the start-up and system files; residual risk 2
- disruption: present risk 5; security solution: same as above; residual risk 2
- deceptive actions: present risk 5; security solution: same as above; residual risk 2

The risk values and security solutions identified in Table B-2 apply to the organization data asset and the specific identified threats only. A complete network TRA would require examining every possible threat to every network asset.

Other vulnerabilities that could have an impact on the risk measures might also need to be considered, depending on the environment, the culture of the organization or the granularity level of the threat and risk assessment. These other vulnerabilities include the following:

A. Low assurance level

Use of non-evaluated products, including the network operating system, provides a low level of trust that the product cannot be circumvented.

B. Poor physical control of network devices

Although networks are generally located in guarded buildings, this does not imply that security is always tight. The servers might be placed in rooms that are locked at night, but not locked at all times, because users desire easy access to the network printers connected to the server. Unauthorized server access can cause potentially high damage; in any case, all server consoles should always be password protected.

C. Access to Network Resources

Although one of the advantages of using a network is that many network resources can be shared among users, not all resources need to be made available to every user. Unauthorized access to network resources usually results from the fact that the access rights are not properly assigned, or the access control mechanism lacks granularity.


APPENDIX C EXAMPLE NETWORK SECURITY POLICY

1 Background

The information residing on the network is mission critical. The size and complexity of the network within the organization have increased, and the network now processes large quantities of designated information. Because of this, specific security measures and procedures must be implemented to protect the information being processed on the network. The network facilitates the sharing of information and programs by multiple users. This environment increases security risk and requires more stringent protection mechanisms than would be needed for a standalone microcomputer (PC) operation. These expanding security requirements in the computing environment are recognized by this policy, which addresses the use of the organization network.

This policy statement has two purposes. The first is to emphasize for all employees the importance of security in the organization network environment and their role in maintaining that security. The second is to assign specific responsibilities for the provision of data and information security, and for the security of the network itself.

2 Scope

All automated information assets and services that are utilized by the network are covered by this policy. It applies equally to servers, peripheral equipment and client stations (PCs) within the network environment. Network resources include data, information, software, hardware, facilities, and telecommunications. The policy is applicable to all those associated with the network, including all employees and contractors utilizing the network.

3 Goals

The goals of this network security policy are to ensure the integrity, availability and confidentiality of data residing on and travelling across the network, so that the security policy implemented within the organization can be extended to the network. Specifically, the goals are as follows:

- Ensure that the network environment has appropriate security commensurate with sensitivity, criticality, etc.;
- Ensure that security is cost-effective based on a cost versus risk ratio, or that it is necessary to meet applicable mandates;
- Ensure that appropriate support for the security of data in each functional area is provided for;
- Ensure individual accountability for data, information, and other computing resources to which individuals have access;
- Ensure auditability of the network environment;
- Ensure that employees are provided sufficient guidance for the discharge of their responsibilities regarding automated information security;
- Ensure that all critical functions of the network have appropriate contingency plans or disaster recovery plans to provide continuity of operation;
- Ensure that all applicable federal department and organizational policies, mandates, etc. are applied and adhered to.

4 Responsibilities

The following groups are responsible for implementing and maintaining the security goals set forth in this policy. Detailed responsibilities are presented in Section 5.2 of this appendix, Responsibilities for Ensuring Network Security.

1. Functional Management (FM) - those employees who have a program or functional responsibility (not in the area of computer security) within the organization. Functional Management is responsible for informing staff about this policy, assuring that each person has a copy of or access to a copy, and interacting with each employee on security issues.

2. LAN Management Division (LM) - employees who are involved with the daily management and operations of the network. They are responsible for ensuring the continued operation of the network. The Network Management Division is responsible for implementing appropriate network security measures in order to comply with the network security policy.

3. Local Administrators (LA) - employees who are responsible for ensuring that end users have access to needed network resources. Local administrators are responsible for ensuring that the security of their respective network resources and users is in accordance with the network security policy.

4. End Users (U) - any employees who have access to the network. They are responsible for using the network in accordance with the network security policy. All users are responsible for complying with the security policy established by those with the primary responsibility for the security of the data, and for reporting to management any suspected breach of security.


5 Enforcement

The failure to comply with this policy may expose information to unacceptable risks resulting in the loss of confidentiality, integrity, availability or accountability while stored, processed or transmitted on the network. Violations of standards, procedures or guidelines in support of this policy will be brought to the attention of management for action and could result in disciplinary action up to and including termination of employment.

5.1 General Policies for the LAN

GP1. The access to every network client station, including the access to the start-up system and network files, shall be controlled and monitored by an off-the-shelf hardware product. Every PC should have an "owner" or "system manager" who is responsible for the maintenance and security of the computer, and for following all policies and procedures associated with the use of the computer and the security product. The local administrators may fill this role. These individuals should be trained and given guidance so that they can adequately follow all policies and procedures.

GP2. In order to prevent unauthorized access to data, software, and other resources residing on the network, all security mechanisms of the network must be under the exclusive control of the local administrator and the relevant personnel of the Network Management Division, including the installation and location of equipment.

GP3. In order to prevent the spread of malicious software and to help enforce program license agreements, users must ensure that their software is properly licensed and safe.

GP4. Client stations and file servers will be scanned to detect viruses and illegitimate TSR programs.

GP5. The organization data shall be duplicated and replicated across the network to eliminate single points of failure.

GP6. All software changes and backups on the servers will be the responsibility of the Network Management Division. The backups will be done on a daily basis. Monday's backups will be stored off-site.

GP7. Each user must be assigned a unique network user ID and initial password (or other identification information and authentication data), only after the proper documentation has been completed. Users must not share their assigned user IDs and passwords and must not enter their passwords via a batch file.

GP8. The length of user passwords shall not be less than 8 characters. The administrator password length shall not be less than 10 characters. Every user account, including administrators', shall be disabled for a period of 48 hours after three consecutive unsuccessful login attempts.

GP9. Users must be authenticated to the network before accessing network resources.

GP10. User accounts must be suspended after a 60-day consecutive period of non-use.

GP11. Use of network hardware such as traffic monitors/recorders and routers must be authorized and monitored by the Network Management Division.

GP12. Remote access to the network shall be done through a secure gateway. Data travelling between the secure gateway and remote sites shall be encrypted.

GP13. Connection of modems to client stations is prohibited. Each telephone line within the organization will be monitored by the Network Management Division to detect modems or non-authorized electronic devices.

GP14. For remote access to the network, users must be authenticated to the secure gateway before logging in to the network. Authentication tokens are required to access the gateway.

GP15. Employees responsible for the management, operations and use of the network must receive training in computer security awareness and acceptable computer practices. Computer security training should be incorporated into existing training programs such as orientation programs for new employees, and training courses involved with information technology systems equipment and software packages.

GP16. Security reports must be generated and reviewed on a daily basis.

5.2 Specific Responsibilities for Ensuring Network Security

5.2.1 Users

Users are expected to be knowledgeable about and adhere to network security policies, and other applicable laws, policies, mandates and procedures. Specifically, users are responsible for the following:

U1. Responsible for understanding and respecting relevant laws, Department policies and procedures, network policies and procedures, and other applicable security policies and associated practices for the network.


U2. Responsible for employing available security mechanisms for protecting the confidentiality and integrity of their own information when required.
  U2.1. Follow site procedures for the security of sensitive data as well as for the network itself. Use file protection mechanisms to maintain appropriate file access control.
  U2.2. Select and maintain good passwords. Do not write passwords down, or disclose them to others. Do not share accounts.

U3. Responsible for advising others who fail to properly employ available security mechanisms. Help to protect the property of other individuals. Notify them of resources (e.g. files, accounts) left unprotected.

U4. Responsible for notifying the local administrator or management if a security violation or failure is observed or detected.

U5. Responsible for not exploiting system weaknesses.
  U5.1. Do not intentionally modify, destroy, read or transfer information in an unauthorized manner; do not intentionally deny others authorized access to or use of network resources and information.
  U5.2. Provide the correct identity and authentication information when requested, and do not attempt to assume another party's identity.

U6. Responsible for ensuring that backups of the data and software on their own workstation's fixed disk drive are performed.

U7. Responsible for being familiar with how malicious software operates, the methods by which it is introduced and spread, and the vulnerabilities that are exploited by malicious software and unauthorized users.

U8. Responsible for knowing and following appropriate policies and procedures for the prevention, detection, and removal of malicious software.

U9. Responsible for knowing how to monitor specific systems and software to detect signs of abnormal activity, and what to do or whom to contact for more information.

U10. Responsible for utilizing the technical controls that have been made available to protect systems from malicious software.

U11. Responsible for knowing and utilizing contingency procedures for containing and recovering from potential incidents.

U12. Responsible for scanning diskettes and any piece of software before they are copied to a client station or file server hard disk.
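The account rules in GP8 to GP10 above, and the daily security report GP16 requires, can be checked mechanically against the network's login records. The Python below is an example added to this guide, not a Novell feature or a tool the policy names. It encodes the password-length minimums, the 48-hour lockout after three consecutive failed logins and the 60-day dormancy rule as constants, parses a constructed sample login log (the log format is an assumption), and produces the kind of daily report a local administrator would review: accounts whose lockout should be in force, logins that succeeded inside a lockout window (which means the lockout is not being enforced, or a password was reset out of band), and accounts due for suspension.

```python
from datetime import datetime, timedelta

# Policy parameters taken from GP8, GP9 and GP10.
MIN_USER_PASSWORD_LEN = 8
MIN_ADMIN_PASSWORD_LEN = 10
MAX_CONSECUTIVE_FAILURES = 3
LOCKOUT_PERIOD = timedelta(hours=48)
DORMANCY_PERIOD = timedelta(days=60)


def password_length_ok(password, is_admin=False):
    """GP8: at least 8 characters for users, 10 for administrators."""
    minimum = MIN_ADMIN_PASSWORD_LEN if is_admin else MIN_USER_PASSWORD_LEN
    return len(password) >= minimum


# Constructed sample login log. Assumed format: date time LOGIN user outcome.
SAMPLE_LOG = """\
1995-10-15 17:45:00 LOGIN dave SUCCESS
1996-01-08 08:02:11 LOGIN alice SUCCESS
1996-01-08 08:05:40 LOGIN bob FAILURE
1996-01-08 08:05:52 LOGIN bob FAILURE
1996-01-08 08:06:03 LOGIN bob FAILURE
1996-01-08 09:10:00 LOGIN bob SUCCESS
1996-01-08 12:30:00 LOGIN carol FAILURE
1996-01-08 12:31:00 LOGIN carol SUCCESS
"""


def parse_log(text):
    """Return a list of (timestamp, user, outcome) tuples, oldest first."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        date, time, _kind, user, outcome = line.split()
        stamp = datetime.strptime(f"{date} {time}", "%Y-%m-%d %H:%M:%S")
        events.append((stamp, user, outcome))
    return sorted(events)


def daily_review(events, now):
    """Apply the GP8 lockout and GP10 dormancy rules to the login history.

    Returns a report with:
      locked    - user -> time at which the 48-hour lockout should expire
      anomalies - successful logins that fell inside a lockout window
      dormant   - users with no successful login for more than 60 days
    """
    failures = {}        # user -> current run of consecutive failures
    locked_until = {}    # user -> lockout expiry
    last_success = {}    # user -> time of last successful login
    anomalies = []
    for stamp, user, outcome in events:
        if outcome == "FAILURE":
            failures[user] = failures.get(user, 0) + 1
            if failures[user] == MAX_CONSECUTIVE_FAILURES:
                locked_until[user] = stamp + LOCKOUT_PERIOD
            continue
        # A success while the account should still be locked is a finding.
        if user in locked_until and stamp < locked_until[user]:
            anomalies.append(f"{user} logged in at {stamp} while locked out")
        failures[user] = 0          # a success ends the run of failures
        last_success[user] = stamp
    dormant = sorted(user for user, stamp in last_success.items()
                     if now - stamp > DORMANCY_PERIOD)
    return {"locked": locked_until, "anomalies": anomalies, "dormant": dormant}


if __name__ == "__main__":
    report = daily_review(parse_log(SAMPLE_LOG), now=datetime(1996, 1, 9, 6, 0, 0))
    for key, value in report.items():
        print(f"{key}: {value}")
```

In the constructed log, bob's three failures within a minute start a lockout that should last until 10 January, so his successful login at 09:10 the same morning is reported as an anomaly; carol's single failure followed by a success is normal; dave has not logged in since October and is reported for suspension under GP10.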

5.2.2 Functional Managers

Functional managers (and higher-level management) are responsible for the development and implementation of effective security policies that reflect specific network objectives. They are ultimately responsible for ensuring that information and communications security is, and remains, a highly visible and critical objective of day-to-day operations. Specifically, functional managers are responsible for the following:

FM1. Responsible for implementing effective risk management in order to provide a basis for the formulation of a meaningful policy. Risk management requires identifying the assets to be protected, assessing the vulnerabilities, analyzing the risk of exploitation, and implementing cost-effective safeguards.

FM2. Responsible for ensuring that each user receives, at a minimum, a copy of the security policy and site handbook (if any) prior to establishing an account for the user.

FM3. Responsible for implementing a security awareness program for users to ensure knowledge of the site security policy and expected practices.

FM4. Responsible for ensuring that all personnel within the operating unit are made aware of this policy, and responsible for incorporating it into computer security briefings and training programs.

FM5. Responsible for informing the local administrators and the Network Management Division of the change in status of any employee who utilizes the network. This status change includes a position change or a termination of employment within the organization.

FM6. Responsible for ensuring that users understand the nature of malicious software, how it is generally spread, and the technical controls to use for protection.

5.2.3 Network Management Division

The Network Management Division (or designated personnel) is expected to enforce (to the extent possible) local security policies as they relate to technical controls in hardware and software, to archive critical programs and data, and to control access to and protect network physical facilities. Specifically, network management is responsible for the following:

86

NM1.

Responsible for rigorously applying available security mechanisms for enforcement of local security policies. Responsible for advising management on the workability of the existing policies and any technical considerations that might lead to improved practices. Responsible for securing the network environment within the site and interfaces to outside networks. Responsible for responding to emergency events in a timely and effective manner. NM4.1. Notify local administrators if a penetration is in progress, assist other local administrators in responding to security violations. NM4.2. Cooperate with local administrators in locating violators and assist in enforcement efforts.

NM2.

NM3.

NM4.

NM5.

Responsible for employing generally approved and available auditing tools to aid in the detection of security violations. Responsible for conducting timely audits of network logs and access to information. Responsible for remaining informed on outside policies and recommended practices and when appropriate, informing local users and advising management of changes or new developments. Responsible for judiciously exercising the extraordinary powers and privileges that are inherent in their duties. Privacy of users should always be a major consideration. Responsible for developing appropriate procedures and issuing instructions for the prevention, detection, and removal of malicious software consistent with the guidelines contained herein.

NM6.

NM7.

NM8.

NM9.

NM10. Responsible for backing up all data and software of the network servers on a daily basis. NM11. Responsible for identifying and recommending software packages for the detection and removal of malicious software. NM12. Responsible for developing procedures that allow users to report computer viruses and other incidents and then responsible for notifying potentially affected parties of the possible threat. NM13. Responsible for promptly notifying the appropriate security or incident response 87

personnel of all computer security incidents including malicious software. NM14. Responsible for providing assistance in determining the source of malicious software and the extent of contamination. NM15. Responsible for providing assistance for the removal of malicious software. NM16. Responsible for conducting periodic reviews to ensure that proper security procedures are followed, including those designed to protect against malicious software and unauthorized modems. 5.2.4 Local Administrators Local administrators (or designated personnel) are expected to utilize, on their assigned resources and users, the available network security services and mechanisms to support and enforce applicable security policies and procedures. Specifically local administrators are responsible for the following: LA1. Responsible for managing users' access privileges to data, programs and functions. Responsible for monitoring all security-related events and the following-up on any actual or suspected violations where appropriate. When appropriate, responsible for notifying and coordinating with the Network Management Division the monitoring or investigation of security-relevant events. Responsible for maintaining and protecting network software and relevant files using available security mechanisms and procedures. Responsible for scanning the network servers with anti-virus software at regular intervals to assure no virus becomes resident on the network servers. Responsible for assigning a unique USERID and initial password (or other identification information or authentication data) to each user only after proper documentation has been completed. Responsible for promptly notifying the appropriate security or incident response personnel of all computer security incidents, including malicious software; LA6.1. Notify the Network Management Division if a penetration is in progress, assist other local administrators in responding to security violations. LA6.2. 
Cooperate with other local administrators and the Network Management Division in finding violators and assisting in enforcement efforts. LA7. Responsible for providing assistance in determining the source of malicious 88

LA2.

LA3.

LA4.

LA5.

LA6.

software and the extent of contamination. LA8. Responsible for verifying the strength of users passwords.

89

APPENDIX D PERSONAL COMPUTER (PC) CONSIDERATIONS

Personal computers typically do not provide technical controls for user authentication, access control, or memory protection that differentiates between system memory and memory used for user applications. Because of the lack of controls and the resultant freedom with which users can share and modify software, personal computers are more prone to attack by viruses, unauthorized users and related threats. Virus prevention in the PC environment must rely on continual user awareness to adequately detect potential threats and then to contain and recover from the damage.

PC users are in essence PC managers, and must practice their management as a part of their general computing. Personal computers generally do not contain auditing features, thus a user needs to be aware at all times of the computer's performance, i.e., what is normal or abnormal activity. Ultimately, PC users need to understand some of the technical aspects of their computers in order to detect security problems, and to recover from those problems. Not all PC users are technically oriented; this poses some problems and places even more emphasis on user education and involvement in virus prevention.

Because of the dependence on user involvement, policies for network environments (and thus PC usage) are more difficult to implement than in a multi-user computer environment. However, emphasizing these policies as part of a user education program will help to ingrain them in users' behaviour. Users should be shown via illustrated example what can happen if they do not follow the policies. An example where users share infected software and then spread the software throughout an organization would serve to effectively illustrate the point, thus making the purpose of the policy clearer and more likely to be followed. (It is not suggested that an organization actually enact this example, merely illustrate it.)

Another effective method for increasing user cooperation is to create a list of effective PC management practices specific to each personal computing environment. Creating such a list would save users the problem of determining how best to enact the policies, and would serve as a convenient checklist that users could reference as necessary.

APPENDIX E CONTINGENCY PLANNING FOR NETWORKS

A computer security incident is any adverse event whereby some aspect of computer security could be threatened: loss of data confidentiality, loss of data or system integrity, or disruption or denial of availability. In a network environment the concept of a computer security incident can be extended to all areas of the network (hardware, software, data, transmissions, etc.) including the network itself. Contingency plans in a network environment should be developed so that any network security incident can be handled in a timely manner, with as minimal an impact as possible on the ability of the organization to process and transmit data. A contingency plan should consider (1) incident response, (2) back-up operations, and (3) recovery.

1. The purpose of incident response is to mitigate the potentially serious effects of a severe network security-related problem. It requires not only the capability to react to incidents, but the resources to alert and inform the users if necessary. It requires the cooperation of all users to ensure that incidents are reported and resolved and that future incidents are prevented.

2. Back-up operations plans are prepared to ensure that essential tasks (as identified by a risk analysis) can be completed subsequent to disruption of the network environment and continuing until the network is sufficiently restored.

3. Recovery plans are made to permit smooth, rapid restoration of the network environment following interruption of network usage. Supporting documents should be developed and maintained that will minimize the time required for recovery. Priority should be given to those applications, services, etc. that are deemed critical to the functioning of the organization. Back-up operation procedures should ensure that these critical services and applications are available to users.

APPENDIX F TRAINING AND AWARENESS

To maintain security in a network environment, training in certain areas of network operation and use should be received by network users. Security mechanisms, procedures, etc. may not be effective if they are used improperly. Training areas that should be considered are listed below for functional managers, network managers and general users.

The training area for functional managers focuses on (1) the need to understand the importance of the security policy and (2) how that policy needs to be implemented into the network for it to be effective. The training area for network managers and administrators focuses on the need to understand how security is provided for operationally on the network. It also directs attention to the need for effective incident response. The training area for all users focuses on (1) recognizing the user role in the security policy and the responsibilities assigned there, (2) using the security services and mechanisms effectively to maintain security, and (3) understanding how to use the incident response procedures. Specifically, these areas are discussed below.

1. Functional Management

    1. Recognize the importance of the network security policy and how this policy drives the decisions made regarding network security.
    2. Recognize the importance of determining adequate security for different types of information that the functional manager owns (or has responsibility for).
    3. Recognize the network as a valuable resource to the organization and the need for protecting that resource.
    4. Recognize the importance of providing for adequate protection (through funding, personnel, etc.).

2. Management and Administration

    1. Understand how the network operates in all aspects. Ability to recognize normal operating behaviour versus abnormal operating behaviour.
    2. Understand network management and network administration's roles in implementing the security policy into the network.
    3. Understand how the security services and mechanisms work. Ability to recognize improper use of the security mechanisms by users.
    4. Understand how to use the incident response capability effectively.

3. Network Users

    1. Understand the security policy and the user responsibilities dictated there. Understand why maintaining network security is important.
    2. Understand how to use the security services and mechanisms provided by the network to maintain the security of the network and protect critical information.
    3. Understand how to use the incident response capability, how to report an incident, etc.
    4. Recognize normal client station or PC behaviour versus abnormal behaviour.


GLOSSARY

Accreditation: Formal declaration by the responsible management approving the operation of an automated system in a particular security mode using a particular set of safeguards. Accreditation is the official authorization by management for the operation of the system, and acceptance by that management of the associated residual risks. Accreditation is based on the certification process as well as other management considerations.

Access Control List: A list of entities, together with their access rights, which are authorized to have access to a resource.

Asset: An asset is a component or part of a network to which the department directly assigns a value to represent the level of importance to the "business" or operations/operational mission of the department, and therefore warrants an appropriate level of protection.

Assurance: The degree of confidence that a safeguard correctly implements the system-specific security policy.

Attack: The act of aggressively trying to bypass security controls on a network (or other automated information system). The fact that an attack is made does not mean that it will succeed. The degree of success depends on the vulnerability of the system or activity and the effectiveness of the safeguards in place.

Audit: Independent review and examination of system records and activities in order to test for adequacy of system controls, to ensure compliance with established policy and operational procedures.

Audit Trail: A set of records that collectively provide documentary evidence of processing used to aid in tracing from original transactions forward to related records and reports and/or backward from records and reports to their component source transactions.

Authentication: The process of positively validating a claimed identity.

Availability: The accessibility of systems, programs, services and information to authorized users when needed and without undue delay.

Certification: An examination by qualified personnel of an information technology system's implemented security solutions against the system's security requirements.

Checksum: A value calculated from a block of data, used to detect unauthorized modification and/or errors in stored and transmitted data.

Compromise: A violation of the security policy of a system such that an unauthorized disclosure, destruction, modification or interruption of information and/or service might have occurred.

Confidentiality: The quality or condition of being sensitive to disclosure.

Contingency Planning: The process of developing a plan to restore information technology operations in the event of a disruption.

Covert Channel: A communication channel that allows two cooperating processes to transfer information in a manner that violates the system's security policy.

Cryptography: The discipline that treats the principles, means, and methods for making plain information unintelligible. It also means reconverting the unintelligible information into intelligible form.

Denial of Service: The prevention of authorized access to resources or the delaying of time-critical operations.

Designated Information: Information related to other than the national interest that may qualify for an exemption or exclusion under the Access to Information Act or Privacy Act.

Digital Signature: A cryptographic transformation of data which, when appended to a data unit, provides the services of origin authentication, data integrity, and signer non-repudiation.

Encryption: The transformation of readable data into an unreadable stream of characters using a reversible coding process.

Impact: Direct effect of a threat occurrence on a network.

Integrity: The quality or condition of being accurate or complete.

Jamming: Deliberate perturbation of a communication path.

Key Management: Manual and electronic procedures for the generation, dissemination, replacement, storage, and destruction of keys that control encryption or authentication processes.

Logical Bomb: A resident computer program which, when executed, checks for particular states of the system which, when satisfied, trigger the perpetration of an unauthorized act.

Masquerading: An attempt to gain access to a system or service by posing as an authorized user.

Motivation: Something that induces a threat to intentionally act against a system.

Overwrite: A procedure to remove or destroy data recorded on magnetic storage media by writing patterns of data over or on top of the data stored on the media.

Password: A protected/private character string used to authenticate an identity. Knowledge of a valid user ID and its associated password is considered proof of authorization to access networks or systems.

Penetration: The successful unauthorized access to a network or system.

Piggy Back: The gaining of unauthorized access to a network or system via another user's legitimate connection.

Residual Risk: The portion of risk that remains after security measures have been applied.

Resources: The equipment, money, people, knowledge, etc. available to a threat to initiate an attack.

Risk: A measure indicating the likelihood and consequence of events or acts exploiting vulnerabilities resulting in a compromise of network asset(s).

Risk Assessment: An evaluation, based on the effectiveness of existing or proposed security safeguards, of the chance of vulnerabilities being exploited.

Safeguard: An approved minimum security measure which, when correctly employed, will prevent or reduce the risk.

Security Breach: A violation of controls of a particular network such that assets are unduly exposed.

Security Features: The security-relevant functions, mechanisms, and characteristics of network hardware or software.

Security Policy: The set of laws, rules, and practices that regulate how an organization manages, protects, and distributes sensitive information.

Spoofing: The deliberate act of inducing a user or a resource into taking an incorrect action.

Statement of Sensitivity (SOS): A description of the confidentiality, integrity or availability requirements associated with the information or assets stored or processed in or transmitted by a network.

Target: The objective of a hostile threat agent.

Threat: Any potential event or act that could cause one or more of the following to occur: unauthorized disclosure, destruction, removal, modification or interruption of sensitive information, assets or services. A threat may be natural, deliberate or accidental.

Threat Assessment: An evaluation of the nature, likelihood and consequence of acts or events that could place sensitive information and assets at risk.

Trojan Horse: A computer program with an apparently or actually useful function that contains hidden additional functions that surreptitiously exploit the legitimate authorizations of the invoking process to the detriment of security.

Value: A measure or statement of the utility of an asset or information, or (alternatively) the cost if it is compromised. The value can be stated in quantitative or qualitative terms. Utility and cost are contextually dependent, based on the needs and situation of the organization. Value is therefore not necessarily an objective term.

Virus: A self-propagating Trojan horse composed of three parts: a mission component, a trigger component and a self-propagating component.

Vulnerability: A characteristic of the system which allows a successful threat event to occur.

Wiretapping: The monitoring and/or recording of data which is being transmitted over a communication link.
