In the real and imperfect world populated by humans, the pragmatic approach to protecting yourself in Computer Mediated Environments (CME) means taking some personal responsibility, just like in the rest of the world. It is, ultimately, your responsibility to ensure certain safeguards on your information. Since there are already laws to protect the feeble-minded, I'll assume you're willing to put forth the effort and thought necessary to exercise some basic, common-sense precautions.
For a corporate password policy, require passwords to be a minimum of six characters (some security experts recommend eight) and contain at least one (or two) of the following: a capital letter, a numeral, or a punctuation symbol. Require all resources to be password protected, and ensure that the default administrator password is changed in all installed applications and devices. Do not allow terminals or workstations to remain logged in as Administrator, and perform the majority of administrative functions as a trusted user with administrative rights.
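As an added illustration of the policy just described (this is example code written for this page, not from any product), the check below takes the minimum length and the number of required character classes as parameters, so both the six-or-eight-character and one-or-two-class variants mentioned above are covered. The list of vendor defaults is a constructed sample, not a real product list.

```python
import string

# Constructed sample of vendor default passwords; a real deployment would
# use the defaults of the applications and devices actually installed.
DEFAULT_PASSWORDS = {"admin", "password", "changeme", ""}


def character_classes(password: str) -> set:
    """Return which of the three policy classes the password contains."""
    classes = set()
    if any(ch.isupper() for ch in password):
        classes.add("capital")
    if any(ch.isdigit() for ch in password):
        classes.add("numeral")
    if any(ch in string.punctuation for ch in password):
        classes.add("punctuation")
    return classes


def check_password(password: str, min_length: int = 6, min_classes: int = 1) -> list:
    """Return the list of policy violations; an empty list means the password passes.

    min_length and min_classes are the two knobs the text leaves open
    (six vs. eight characters, one vs. two character classes).
    """
    problems = []
    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")
    found = character_classes(password)
    if len(found) < min_classes:
        problems.append(
            f"needs {min_classes} of capital/numeral/punctuation, has {len(found)}"
        )
    if password.lower() in DEFAULT_PASSWORDS:
        problems.append("matches a known vendor default")
    return problems


if __name__ == "__main__":
    for candidate in ("secret", "Secret7!", "admin"):
        print(candidate, check_password(candidate, min_length=8, min_classes=2))
```

The same function doubles as the check that a freshly installed application or device no longer carries its default administrator password.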
With electronic data communications that are transferred over open networks, the major security concerns are those dealing with data integrity. What's known as the believability factor is the main issue here, and this encompasses the accuracy and non-corruptibility of the data, and that the data was delivered by whom it was purported to be delivered. The accuracy of the data is really not an issue that can be dealt with through electronic security measures, but the non-corruptibility of the data and the authentication of the data and sender can be.
These issues can be solved by using public key encryption. With the sender and receiver each holding half of the key, the data can be encrypted and signed without the possibility of anyone else being able to intercept and change the data without the signature changing and making it impossible to then decrypt the data. With signature encryption (authentication) it is also impossible for anyone else to send data purporting to be from someone else. This ensures non-repudiation, or the ability to prove to a third party that the data or message originated from where it is claimed to have originated.
PGP (Pretty Good Privacy) is a public domain version of public key encryption that is available on all of the commonly available computer platforms, such as UNIX, MS-Windows, Macintosh, and Amiga. There is also a commercially supported version available from PGP Inc. Using public key encryption allows the use of the Internet to send everything from raw data to processed information back and forth securely, which lowers the overall communications costs for all parties concerned (compared to dedicated leased lines or private virtual networks).
The manner in which this works is as follows:
In a standard cryptosystem, messages are encrypted and decrypted with a key that both parties have copies of. This entails a secure means of delivering the keys, and requires that the keys be changed frequently to ensure security. This symmetric cryptosystem works by executing an encryption function (E) that applies the key (K) to the message (M) and produces unintelligible ciphertext (C). Symbolically this would be written as C = E(M, K), and the decryption function (D) becomes M = D(C, K). The D and E functions are well known, and the security comes from keeping the key secret.
Public key encryption is an asymmetric cryptosystem. Each person x has a private key, Rx, which only that person knows, and also a public key, Ux, that everyone can know. When a message or data file is encrypted with the public key, only the person who has the private key can decrypt the message. The opposite also holds, i.e. if a message is encrypted with someone's private key, only the public key can decrypt it.
This brings up the concept of a certifying authority: when you get someone's public key, how do you know it is actually theirs? A certifying authority is a trusted third party that digitally signs a message containing the user's name and public key. Since this message was signed with the certifying authority's private key, anyone holding the certifying authority's public key, which it is assumed everyone has, can verify it, and the user's authentication is assured.
The way the system would be implemented in practice is then as follows: the sender a encrypts the data with receiver s's public key, C = E(M, Us), and signs the message with the sender's private key, S = E(M, Ra). This fulfills the requirements for data integrity and non-repudiation.
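The following is an added toy model of the three preceding paragraphs (the E/D notation, the certifying authority and the sign-and-encrypt exchange between sender a and receiver s); it is example code written for this page, not PGP's implementation. It uses textbook RSA with small constructed primes and no padding, and the message digest, certificate format and party names are all assumptions made for the illustration. Nothing about it is secure enough to use; it only shows why encrypting with one half of a key pair can be undone by the other, and how the certificate ties a name to a public key.

```python
"""Toy textbook RSA, added as an illustration: keys are far too small and
there is no padding, so this is a teaching model, not a usable cipher."""
import hashlib
from math import gcd


def make_keypair(p, q, e=65537):
    """Return (U, R): public key (e, n) and private key (d, n) for primes p, q."""
    n, phi = p * q, (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be coprime to phi(n)")
    return (e, n), (pow(e, -1, phi), n)   # pow(e, -1, phi) is the modular inverse (Python 3.8+)


def E(m, key):
    """Encryption function E(M, K) on an integer m below the modulus."""
    exp, n = key
    if not 0 <= m < n:
        raise ValueError("message must be an integer below the modulus")
    return pow(m, exp, n)


def D(c, key):
    """Decryption function D(C, K): the same operation with the other half of
    the pair, which is why either key undoes what the other did."""
    return E(c, key)


def digest(data, n):
    """Fixed-size fingerprint of the data, reduced below the modulus (assumed format)."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n


def sign(data, private_key):
    return E(digest(data, private_key[1]), private_key)


def verify(data, sig, public_key):
    return D(sig, public_key) == digest(data, public_key[1])


# Certifying authority: signs (name, public key) with its private key; anyone
# holding the CA's public key can then check whose key this is.
def cert_bytes(name, public_key):
    return f"{name}:{public_key[0]}:{public_key[1]}".encode()


def issue_certificate(name, public_key, ca_private):
    return (name, public_key, sign(cert_bytes(name, public_key), ca_private))


def check_certificate(cert, ca_public):
    name, public_key, sig = cert
    return verify(cert_bytes(name, public_key), sig, ca_public)


# Sender a -> receiver s, as in the text: C = E(M, Us), S = E(M, Ra).
def send(message, Us, Ra):
    return E(int.from_bytes(message, "big"), Us), sign(message, Ra)


def receive(C, S, Rs, cert_a, ca_public):
    """Decrypt with Rs, then check S against a's key as vouched for by the CA.
    Returns (message, signature_ok)."""
    m = D(C, Rs)
    message = m.to_bytes((m.bit_length() + 7) // 8, "big")
    ok = check_certificate(cert_a, ca_public) and verify(message, S, cert_a[1])
    return message, ok


# Constructed keys: these primes (about 2^30 to 2^32) are hopelessly small for
# real use; they just keep the example fast and deterministic.
CA_U, CA_R = make_keypair(4294967291, 4294967311)
Ua, Ra = make_keypair(2147483647, 1000000007)
Us, Rs = make_keypair(1000000009, 999999937)
CERT_A = issue_certificate("a", Ua, CA_R)

if __name__ == "__main__":
    C, S = send(b"pay 100", Us, Ra)            # up to 7 bytes fits below n
    print(receive(C, S, Rs, CERT_A, CA_U))     # (b'pay 100', True)
    print(D(C, Ua) == int.from_bytes(b"pay 100", "big"))  # False: Ua cannot decrypt
```

Two things to notice when running it: a signature made for a different message, or with a key the certifying authority did not vouch for, fails verification on the receiving side, and the ciphertext cannot be recovered with a's public key, only with s's private key.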
The benefits and strengths of public-key encryption come partially from the concept of public key encryption itself, such as natural support for authenticating to multiple recipients and support for non-repudiation. In addition, public key encryption also provides a solution for digital signatures.
Group membership and user rights are the most effective means of protecting and authorizing access to resources, from an individual directory share to a complete information service. Groups or domains should be created at a workgroup level or resource type, and individuals should be added to these groups with the appropriate rights (read/write) as necessary. An authentication or membership system is then used to map access rights to resources, and track and log system information.
One thing to bear in mind is that the creation of groups and collections of resources to which users have different levels of read/write rights can lead to a factorial explosion of possibilities which can quickly become unwieldy. An overly complex access control system will leave inadvertent access available while making it next to impossible to grant certain rights to certain individuals without unnecessary duplication. Keep the number of user groups small, and group resources in a logical manner by either function or group.
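As an added example of the group-based model in the two paragraphs above (written for this page, not from any particular authentication system), the code below maps users to groups and groups to read/write rights on resources, denies anything no group grants, logs every decision, and reports rights a user holds through more than one group, which is the duplication the text warns about. The users, groups and resource names are constructed.

```python
import logging

# Constructed sample: a few users in a small number of groups, and the
# (group, resource) -> rights mapping that an authorization system would hold.
GROUP_MEMBERS = {
    "engineering": {"alice", "bob"},
    "finance": {"carol"},
    "admins": {"alice"},
}
GROUP_RIGHTS = {
    ("engineering", "//srv/source"): {"read", "write"},
    ("admins", "//srv/source"): {"read"},        # redundant grant for alice
    ("engineering", "//srv/ledger"): {"read"},
    ("finance", "//srv/ledger"): {"read", "write"},
    ("admins", "//srv/config"): {"read", "write"},
}
log = logging.getLogger("access")


def groups_of(user):
    return {g for g, members in GROUP_MEMBERS.items() if user in members}


def granting_groups(user, resource, right):
    """All groups through which the user holds this right on the resource."""
    return sorted(g for g in groups_of(user)
                  if right in GROUP_RIGHTS.get((g, resource), set()))


def effective_rights(user, resource):
    """Union of the rights granted by every group the user belongs to."""
    rights = set()
    for g in groups_of(user):
        rights |= GROUP_RIGHTS.get((g, resource), set())
    return rights


def check_access(user, resource, right, audit):
    """Deny by default; every decision is appended to the audit trail and logged."""
    allowed = right in effective_rights(user, resource)
    entry = f"{'ALLOW' if allowed else 'DENY'} user={user} right={right} resource={resource}"
    audit.append(entry)
    log.info(entry)
    return allowed


def duplicated_grants():
    """Rights a user gets through more than one group: candidates for cleanup."""
    users = set().union(*GROUP_MEMBERS.values())
    resources = {resource for _, resource in GROUP_RIGHTS}
    found = []
    for user in sorted(users):
        for resource in sorted(resources):
            for right in ("read", "write"):
                groups = granting_groups(user, resource, right)
                if len(groups) > 1:
                    found.append((user, resource, right, groups))
    return found


if __name__ == "__main__":
    logging.basicConfig(level=logging.INFO)
    trail = []
    check_access("carol", "//srv/source", "read", trail)
    check_access("alice", "//srv/config", "write", trail)
    print(duplicated_grants())
```

Keeping the mapping in one place makes the review that the text recommends mechanical: the duplication report is a single loop over the tables rather than a hunt through per-share settings.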
A technique that is gaining widespread popularity is the use of firewalls. These computer systems can be used to build security domains within the enterprise and to separate the corporate LAN from the Internet. Expect to spend about 25K, although you can set a firewall up for about 5K. As an extra measure of protection they can help protect from or allow for errors in network system configuration or inattention to administration, but do nothing for the more common methods of password compromise such as social engineering or insider attack. Too often though, firewalls and proxies are installed instead of implementing a sound security policy, and in those cases, only give a false sense of security and become detrimental to communications efficiency.
Policies that can be implemented include: disallowing internal workstations from running services; requiring network logons on all computers; allowing only password-protected directory shares within workgroups; configuring internal servers to deny all except local IP addresses, with further password protection as necessary; and removing "anonymous", "guest", and/or "everyone" user accounts.
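Two of the policies just listed, denying everything except local addresses and refusing the anonymous-style accounts, can be checked mechanically. The following added example (written for this page; not from any firewall product) applies them to a few constructed connection-attempt log lines. The log format, the local network ranges and the account names are assumptions for the illustration.

```python
import ipaddress

# Constructed policy data: the address ranges considered "local" and the
# account names the text says should not exist.
LOCAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "192.168.1.0/24")]
FORBIDDEN_ACCOUNTS = {"anonymous", "guest", "everyone"}

# Constructed log lines in an assumed key=value format (203.0.113.0/24 is a
# documentation range standing in for an outside address).
SAMPLE_LOG = """\
src=10.1.2.3 user=alice share=eng
src=203.0.113.9 user=alice share=eng
src=192.168.1.40 user=guest share=public
src=192.168.2.7 user=bob share=eng
"""


def parse_line(line):
    """Turn 'k=v k=v ...' into a dict; an empty line gives an empty dict."""
    return dict(field.split("=", 1) for field in line.split())


def decide(entry):
    """Deny-by-default decision for one connection attempt, with the reason."""
    addr = ipaddress.ip_address(entry["src"])
    if not any(addr in net for net in LOCAL_NETS):
        return "DENY", "non-local source address"
    if entry["user"].lower() in FORBIDDEN_ACCOUNTS:
        return "DENY", "anonymous-style account"
    return "ALLOW", "local source, named account"


def evaluate(log_text):
    """Return (src, user, verdict, reason) for every non-empty log line."""
    results = []
    for entry in map(parse_line, log_text.splitlines()):
        if entry:
            results.append((entry["src"], entry["user"], *decide(entry)))
    return results


if __name__ == "__main__":
    for row in evaluate(SAMPLE_LOG):
        print(*row)
```

The order of the checks matters for the reason reported: an outside address is refused before the account name is even considered, which is the behaviour a deny-all-except-local rule on the server itself would give.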
The other thing to consider is the cost involved in protecting resources. It makes little sense to spend tens of thousands of dollars developing and implementing a security system, and to incur its performance penalty, in order to protect a one hundred dollar resource.
Implementation and enforcement of a password policy, the intelligent use of groups and access rights, and use of strong encryption for secure data communications and transactions will more than adequately protect you and your resources within CMEs.
Questions or comments about these Web pages? Send e-mail to dave@reststop.net