)t in NTIS.
         ..

-------
  The  Co'rmittut' on  intognt/ and  Management
  Improvement .CIMI?  ceveloped this leaflet for ail
  EPA employees who tJrpend on microcomputer^
  to  perform their jobs-   As a  foiiowup to CIMI
  Computer Advisory 89  ' -June 1989) this leafle:
  addresses threats and vulnerabilities  ins/oivinci
  microcomDuie"  seeunv will-  emphasi.s on  tht-
  individual's  increasircj  role  "i   safeguarding
  microcompute-  equipment   'he   A:;ency  has
  spent millions of dona's on computer hardware1
  to  enable employee?.   10  work  effiuentiy  and
  effectively, and eac'i 01 us iini- i lesponsibility tc
  protect these investments  Thi.- guidelines in  'his
  leaflet should ie useful \n ihis effort,  Dut are nol
  intended  to  oe  ail  inclusive-  Specific  loca
  conditions or changing  tecin^logy may warrant
  additional security measures
-'{John C Martin
  Chairman, Committee on Integrity
      and Management improvement
  Environments Protection Agency
  Background

  EPA uses thousands of microcomputers to track
  various   types;   of  data   More  and   more
  microcomputers/terminals are  either networked
  together  or connected  to a mainframe sharing
  data,   information,  software,   and  operating
  systems, all capable of accessing vast quantities
  of  data  As a  result  of this  ease  of  access,
  threats and vulnerabilities to compute* resources
  are increasing  EPA, like other  Federal agencies,
  is  concerned  about unauthorized  and illegal
  activities,  e g , unauthorized access to  privacy.
  proprietary, or other sensitive records; use of
  computers for  personal use;  and  inadvertent
  errors  and omissions. All of  these  activities
  revolve    around   the   accountability   and
  responsibility of the individual user

-------
Computer ;; :rn*  :>-,^,--  -onf .  '.'
While deliberate computer crime is a significant
concern,  wasteful   and   abusive   practices,
accidents, and errors Dy  individual users are
even      more     prevalent      Nationally
employee-committed cnine waste, and  abuse
account for an estimated 7<- to 80 percent of the
annual loss related to computers. These factors
underscore the seriousness of computer-related
losses.   They  also  <;xpMc-  why  additional
regulations and legislation »ro being developed
to ensure that adequate safeguards are provided
and that actions are  \,>.<«?r> to  prevent further
unauthorized activity

Computer Security  Threats and
Vulnerabilities

Computer  security   has  many  threats  and
vulnerabilities  involving  the individual user.  A
threat is any activity, deliberate or  unintentional,
with  the  potential  for  causing  harm  to  an
automated information  system  Power surges
are greater hazards to a personal computer (PC)
than to a computer tf'rnmai  Programs, data
files, or Random Access Mtinory  contents can
be  damaged  or   an   entire   disk  rendered
unreadable. Protecting powei  lines is essential
for critical PC  systems' operations

Threats may be intentional 01 accidental acts  of
behavior that  can cause  harm to  automated
information systems, eg.,  improper handling  of
source documents, tapes, disks, and printouts,
data alteration: operator error; and disgruntled
employee access.  Generally  threats  originate
from personnel who come in contact  with the
system on a daily basis  Threats are frequently
man-made and  disgu-sed as computer  codes
embedded in computer programs (also known as
"viruses") or implanted into computer systems by
hackers, who  are capable of either  destroying  or
denying  service ot  computer assets  such  as
data, hardware, software, and communications
In almost all  instances, the individual user  is
responsible for the computer related threat which

-------
data,   and  .  •  ^"vcai!o;is   rogtjifi^r  these
threats ana  vV'^ ,'abWies can ;'Tipact  .vompiner
resources thr,--, ,-

    DestructiOJ!  —  '.;ompuier  equipment  01
    program software IP totally lost or damaged,

    Disclosure -•   sensiiive  d-ita  :>r ;»?.'spri?j
    intornation protected ny th«-i Privacy  Act  is
    divulged tc an jnai'tho-ved -ecipionf;
               '  •- a ptogram application or
                fjet;o(ues altered u dan'aged
    aue to >npi,,' er-or or unauthon?ec ackers;

    Denial of  fJej-vice  -- assets  e>ist  but
    cannc't be accessed or usec !or a oerod ot
    time, -ino

    Misappropriation  —  assets   an'   used
    dishonestly or illegal!1,

Ihe following  sections  address some  major
types    of    c'omp'jter    security     related
vulnerabilities/threats  and ihe potential impact
on    compute''   resources    Recommended
safeguards conuo <,, and counttKmeasLres are
listed tor eacn security t/ce

General

hegaraiess  of the  nature ot  the  thieat  or
vulnerability, certain standard security measures
should always be followed  These include

        limiting access to authorized user 5;

        keeping  all  software and equipment in
        secured/ socked facilities;

        guarding against power surges  b/ using
        protective   devices   such   as  surge
        suppret>sorr. and

-------
       developing  ^nd  -mpiementincj  policies
       and   procedures  tegardmq   proper
       operating  practices   and  preventive
       maintenance

Software Security

Software security is the prevention of deliberate
or  inadvertent  unauthorized  manipulation  of
computer proqrams Threats and vulnerabilities
entail program errors, unauthorized automated
routines,   and  inadequacies/flaws  in  system
software  which are sometimes obtained through
"bulletin boards," enabling unauthorized access
to hardware, data or programs.

Probably one of the most dangerous threats that
has  surfaced  m recent years  is the "virus" A
computer virus is a  program  that  contains
instruction  codes to  attack  ("infect")  other
software  programs by modifying tnem to include
a copy of itself  With this "infection" capability
viruses can spread from program  to program
computer to computer and network to network,
corrupting programs and data  Microcomputers,
mainframes  and worldwide computer networks
are al! being infected Because a virus can carry
other program codes along with it, the nature ot
the damage  it can do  is limited only by the
creativity  of  the attacker.  Viruses can  even
reinfect programs that have been  cleaned up,
thus  surviving  many  generations  of  program
changes   Even  the  most  thoroughly  verified
program  can become infected again  A single
programmer with a PC  can cause  computer
problems  anywhere,  anytime   Examples   of
viruses are.

    Trap  Door — a  set  of instruction codes
    embedded in a computer operating system
    that permits access while bypassing security
    controls

    Trojan Horse — an unauthorized individual
    who  gains  entry into  a computer  system
    through  hidden codes,  also  capable   of
    disguising  its format, putting up messages.

-------
sorrv-.
                                      •   ;; -a  "rc.jan
                                       •-  ol  these
                             •-..  -   ,.-/.'•,iec< t'mi


                               ".  ".  i/Oi. 'i-g  ;,op es
                              •!•;•  «!•:•:if on  tloppy


                             ,:; .  -,:•"    t Ttvvi :e  {C


                             ',..'   ••   .n,-P,-ii..'.ry o!
                         i''!;s  p'ogfi/n?  Md remote
           fa?;1 ;  •  u'-'cse0  .;"c   ptoct'dures ior
          •.,• ,;KV. .r .1 jiiwanisd :-i ouraatiidtilos1
            'i,*   ;. L  -r ''i-viiv  -evci c-' trie  .lata
            -- ,    li'ip-;     ,r:r»    mark    tne   f'le

-------
               := <: v"ott?<"   iaD>s   TO   prevent
               ,fv"jHts  IMP  bemg  overwritten
        make  backup  copies  and  store  in  a
        secure piace

        use automatic backup features built into
        software programs,

        use a software management tool that
        allows  auincuzed   users   access  to
        modify cod*1

        the    IAN    Administrator    should
        periodically   run  a   virus  detection
        software package to detect viruses; and

        report  anything  unusual or out  of the
        ordinary as soon -ii> possible

Hardware Security

Hardware (.physical) security involves protecting
and   controlling    electric,   electronic,   and
mechanical equipment usea for processing data,
e.g     PC's     monitors   data    terminals,
minicomputers,   etc.   The  scope  of  physical
security has broadened  in  an effort to  restrict
access to autnon/ea users to prevent untrained
ot  malicious  individuals from  damaging  or
making inappropriate use of computer resources

Recommended  safeguards  to  ensure physical
secunty are'

        restrict modifications and maintenance
       to authonzeovpraperiy trained personnel,

        ensure employees know who is cleared
       for access  and  can  identify them on
        sight,

       question strangers,

       prohibit smoking, drinking, and eating in
       the   immediate   vicinity   of    the
       microcomputer equipment,

-------
       assure  thai  there  ^ a  nre  urtedio-
       system   within  the   roorrs  wi~ere
       microcomputer equipment is used

       develop  and  maintain an  inveniorv of
       hardware;

       restrict  access to  a PC  or workstation
       when  it  is  unattended  by requiring  a
       password  to  be   entered  when  first
       powering up the system; and

       restrict access to a PC or workstation by
       using  a  screen saver that requires  a
       password  to  be  entered  to exit  the
       screen saver

Information Security

Information    security    revolves     around
safeguarding the processes of data origination,
input, processing, and output The purpose is to
ensure that adequate controls are maintained to
assure the accuracy and integrity of information,
and  that  it  is  protected   from  unauthorized
access, destruction, modification, and disclosure.

Computer-related tneft, fraud, and abuse involve
such  activities  as  data  diddling —  changing
information at the time of input into the computer
or during output (forging documenls, exchanging
valid disks,  or falsifying data upon input);  and
browsing  — looking  in  others' files  without
authorization, searching through trash containers
to find passwords to gain  access  to  computer
files, and literally looking over one's shoulder.

Theft of information  in the  microcomputer area
commonly  involves copying or using soltware
programs for personal and/or personal business
use

To ensure data integrity:

       use  software, hardware, and procedural
       controls to restrict access to on-line  files
       to authorized users;

       develop,  document,  and   implement
       procedures   for identifying,  correcting,

-------
        lalvi  tno  .  if- •,  ,j secur? ••vr'tior,
        floppv Jni'c  r.'v'air.ir.g
Also, USeii- 1^
a file with sne
does no i  pre
erased da^a
utility progra:
and/or  overw
alternative is ;
the di
Personnel Security

People are trie tn-.si ^enous threat it cotupuieri
and automated   ntorrna.iGP   (he ijrnntont'or.ai
errors people conicut -iccur snoio tu-quently divi
cause more costu o.if" igo tnan  :•'"• dt=iiL)»!iatt
acts  of  saoc'^gc.   '.jnwutingly  L^-'J..^-    ntc
incorrect  data in\ *n.-  -,-mputt'r or  -T'^-'io .,..iv
alter data  It ss  h-ux.;;,/'1 1 Jo rerre-i^.D-. •  'h,?' .ii
security  measore*- ar*-  v_ji ,r..-it;S;- i, j-f---.  <*'i
have iegstimaie di.-r~
-------
information SSCJ-M. i".M.nror  euts ai d are awa^e
of their responstt Mies  7 He primary mission is
establishing   anr   naintaiping   an   ethical,
technically proficient, informed, and irusted work
force.

Thefts which  occur are  generally  intentional;
however,  thefts can occur unintentionally, e.g.,
when an employee copies licensed software to
use  on his/her home  computer and does  not
realize it is  a  violation. Employees need to be
aware that this is a serious copyright violation
and  could result  in a  $100,000 fine. Common
abuses include  using  computers  for personal
business;  browsing through records; preparing
personal-use software programs;  and creating
team  rosters,  scores,   and  handicaps  for
sports-related  interests. Abuses such as these
are a violation of  the Standaids of Conduct and
can result in Disciplinary action. Federal property
(including  property leased by the  Government)
cannot be used tor other than official business.

Studies have  revealed   that  the  majority  of
computer violations are carried out by authorized
users, not outsiders it is believed that a well-
trained  employee  is one  of the most effective
safeguards  against a  threat or vulnerability to
personnel security.

It  is  estimated that 50  to  80 percent of  the
problems  incurred with automated systems  are
due   to  lack  of  employee   training   and
development  of  skills  To  ensure  adequate
personnel security:

        alert employees  to the  organization's
        information security  policies arid  the
        individual's own  responsibilities within
        the  agency through  information  security
        training;

        publicize    procedures   for  reporting
        security violations and irregularities;

        inform staff that unauthorized duplication
        and use of licensed software violates the
        law,
10

-------
       incioctnn it*?  .  ".  employees on  then
       ethical respon''.*»!iM ,,

       require personnel to sign a statement
       that  they understand their information
       security
       maintain     close    and     effective
       communications with your staff; and

       incorporate     computer     security
       compliance   into  job   performance
       standards

Microcomputer Security Reminders

Maintaining Your Disks

Computer disks  are  fragile  and  should  be
safeguarded as follows  1) store in  protective
jackets 2) protect from bending; 3) do not touch
window area  of disks  4) prevent erasures by
keeping disks away from magnetic sources such
as radios and telephones, 5)  store  in secure
containers,  such  as metal cabinets  protected
from fire and water damage, and 6) handle disks
according 'o thesr sec-.;nty markings

Eight Common Don'ts

       Don't smoke or have food or beverages
       near the computer

       Don't   leave  the computer   on   and
       unattended

       Don't  use the  computer for  personal
       business.

       Don't  have  automated  information in
       only one place — back it up.

       Don't  copy licensed software  packages
       and don't use copies someone else has
       made

       Don't treat al! automated information the
       same. Know what needs to be secured
       and do what needs to be done
                                        11

-------
  Conclusion
  Mt-.'Cx.-i.-rr. ..,•;•,'. ^'c.;,.i< stodge
  CSp-rH,'>!',:.V    • !",     "Vr 0 A ^ir    ,,!!;.'.    >OVr,»,'d'H
  conMgus.'iLii.'v  ,ti u ite .luiinv to  .>rcrn nuiale
  tO( i'K,:'f  '«»,'-
  dot' ''S>-:  rii'UsK
  at); ;.'. '.- Tt,-  .-
.U.S. Environmental  Protcciio.i  Are
 Region 5, Library' (PL-12J)
 77 West Jackson Boulevard,  12'ii
 Chicago, IL  60504-3590
  12

-------