)t in NTIS.
..
-------
The Co'rmittut' on intognt/ and Management
Improvement .CIMI? ceveloped this leaflet for ail
EPA employees who tJrpend on microcomputer^
to perform their jobs- As a foiiowup to CIMI
Computer Advisory 89 ' -June 1989) this leafle:
addresses threats and vulnerabilities ins/oivinci
microcomDuie" seeunv will- emphasi.s on tht-
individual's increasircj role "i safeguarding
microcompute- equipment 'he A:;ency has
spent millions of dona's on computer hardware1
to enable employee?. 10 work effiuentiy and
effectively, and eac'i 01 us iini- i lesponsibility tc
protect these investments Thi.- guidelines in 'his
leaflet should ie useful \n ihis effort, Dut are nol
intended to oe ail inclusive- Specific loca
conditions or changing tecin^logy may warrant
additional security measures
-'{John C Martin
Chairman, Committee on Integrity
and Management improvement
Environments Protection Agency
Background
EPA uses thousands of microcomputers to track
various types; of data More and more
microcomputers/terminals are either networked
together or connected to a mainframe sharing
data, information, software, and operating
systems, all capable of accessing vast quantities
of data As a result of this ease of access,
threats and vulnerabilities to compute* resources
are increasing EPA, like other Federal agencies,
is concerned about unauthorized and illegal
activities, e g , unauthorized access to privacy.
proprietary, or other sensitive records; use of
computers for personal use; and inadvertent
errors and omissions. All of these activities
revolve around the accountability and
responsibility of the individual user
-------
Computer ;; :rn* :>-,^,-- -onf . '.'
While deliberate computer crime is a significant
concern, wasteful and abusive practices,
accidents, and errors Dy individual users are
even more prevalent Nationally
employee-committed cnine waste, and abuse
account for an estimated 7<- to 80 percent of the
annual loss related to computers. These factors
underscore the seriousness of computer-related
losses. They also <;xpMc- why additional
regulations and legislation »ro being developed
to ensure that adequate safeguards are provided
and that actions are \,>.<«?r> to prevent further
unauthorized activity
Computer Security Threats and
Vulnerabilities
Computer security has many threats and
vulnerabilities involving the individual user. A
threat is any activity, deliberate or unintentional,
with the potential for causing harm to an
automated information system Power surges
are greater hazards to a personal computer (PC)
than to a computer tf'rnmai Programs, data
files, or Random Access Mtinory contents can
be damaged or an entire disk rendered
unreadable. Protecting powei lines is essential
for critical PC systems' operations
Threats may be intentional 01 accidental acts of
behavior that can cause harm to automated
information systems, eg., improper handling of
source documents, tapes, disks, and printouts,
data alteration: operator error; and disgruntled
employee access. Generally threats originate
from personnel who come in contact with the
system on a daily basis Threats are frequently
man-made and disgu-sed as computer codes
embedded in computer programs (also known as
"viruses") or implanted into computer systems by
hackers, who are capable of either destroying or
denying service ot computer assets such as
data, hardware, software, and communications
In almost all instances, the individual user is
responsible for the computer related threat which
-------
data, and . ^"vcai!o;is rogtjifi^r these
threats ana vV'^ ,'abWies can ;'Tipact .vompiner
resources thr,--, ,-
DestructiOJ! '.;ompuier equipment 01
program software IP totally lost or damaged,
Disclosure - sensiiive d-ita :>r ;»?.'spri?j
intornation protected ny th«-i Privacy Act is
divulged tc an jnai'tho-ved -ecipionf;
' - a ptogram application or
fjet;o(ues altered u dan'aged
aue to >npi,,' er-or or unauthon?ec ackers;
Denial of fJej-vice -- assets e>ist but
cannc't be accessed or usec !or a oerod ot
time, -ino
Misappropriation assets an' used
dishonestly or illegal!1,
Ihe following sections address some major
types of c'omp'jter security related
vulnerabilities/threats and ihe potential impact
on compute'' resources Recommended
safeguards conuo <,, and counttKmeasLres are
listed tor eacn security t/ce
General
hegaraiess of the nature ot the thieat or
vulnerability, certain standard security measures
should always be followed These include
limiting access to authorized user 5;
keeping all software and equipment in
secured/ socked facilities;
guarding against power surges b/ using
protective devices such as surge
suppret>sorr. and
-------
developing ^nd -mpiementincj policies
and procedures tegardmq proper
operating practices and preventive
maintenance
Software Security
Software security is the prevention of deliberate
or inadvertent unauthorized manipulation of
computer proqrams Threats and vulnerabilities
entail program errors, unauthorized automated
routines, and inadequacies/flaws in system
software which are sometimes obtained through
"bulletin boards," enabling unauthorized access
to hardware, data or programs.
Probably one of the most dangerous threats that
has surfaced m recent years is the "virus" A
computer virus is a program that contains
instruction codes to attack ("infect") other
software programs by modifying tnem to include
a copy of itself With this "infection" capability
viruses can spread from program to program
computer to computer and network to network,
corrupting programs and data Microcomputers,
mainframes and worldwide computer networks
are al! being infected Because a virus can carry
other program codes along with it, the nature ot
the damage it can do is limited only by the
creativity of the attacker. Viruses can even
reinfect programs that have been cleaned up,
thus surviving many generations of program
changes Even the most thoroughly verified
program can become infected again A single
programmer with a PC can cause computer
problems anywhere, anytime Examples of
viruses are.
Trap Door a set of instruction codes
embedded in a computer operating system
that permits access while bypassing security
controls
Trojan Horse an unauthorized individual
who gains entry into a computer system
through hidden codes, also capable of
disguising its format, putting up messages.
-------
sorrv-.
;; -a "rc.jan
- ol these
-.. - ,.-/.',iec< t'mi
". ". i/Oi. 'i-g ;,op es
!; «!::if on tloppy
,:; . -,:" t Ttvvi :e {C
',..' .n,-P,-ii..'.ry o!
i''!;s p'ogfi/n? Md remote
fa?;1 ; u'-'cse0 .;"c ptoct'dures ior
., ,;KV. .r .1 jiiwanisd :-i ouraatiidtilos1
'i,* ;. L -r ''i-viiv -evci c-' trie .lata
-- , li'ip-; ,r:r» mark tne f'le
-------
:= <: v"ott?<" iaD>s TO prevent
,fv"jHts IMP bemg overwritten
make backup copies and store in a
secure piace
use automatic backup features built into
software programs,
use a software management tool that
allows auincuzed users access to
modify cod*1
the IAN Administrator should
periodically run a virus detection
software package to detect viruses; and
report anything unusual or out of the
ordinary as soon -ii> possible
Hardware Security
Hardware (.physical) security involves protecting
and controlling electric, electronic, and
mechanical equipment usea for processing data,
e.g PC's monitors data terminals,
minicomputers, etc. The scope of physical
security has broadened in an effort to restrict
access to autnon/ea users to prevent untrained
ot malicious individuals from damaging or
making inappropriate use of computer resources
Recommended safeguards to ensure physical
secunty are'
restrict modifications and maintenance
to authonzeovpraperiy trained personnel,
ensure employees know who is cleared
for access and can identify them on
sight,
question strangers,
prohibit smoking, drinking, and eating in
the immediate vicinity of the
microcomputer equipment,
-------
assure thai there ^ a nre urtedio-
system within the roorrs wi~ere
microcomputer equipment is used
develop and maintain an inveniorv of
hardware;
restrict access to a PC or workstation
when it is unattended by requiring a
password to be entered when first
powering up the system; and
restrict access to a PC or workstation by
using a screen saver that requires a
password to be entered to exit the
screen saver
Information Security
Information security revolves around
safeguarding the processes of data origination,
input, processing, and output The purpose is to
ensure that adequate controls are maintained to
assure the accuracy and integrity of information,
and that it is protected from unauthorized
access, destruction, modification, and disclosure.
Computer-related tneft, fraud, and abuse involve
such activities as data diddling changing
information at the time of input into the computer
or during output (forging documenls, exchanging
valid disks, or falsifying data upon input); and
browsing looking in others' files without
authorization, searching through trash containers
to find passwords to gain access to computer
files, and literally looking over one's shoulder.
Theft of information in the microcomputer area
commonly involves copying or using soltware
programs for personal and/or personal business
use
To ensure data integrity:
use software, hardware, and procedural
controls to restrict access to on-line files
to authorized users;
develop, document, and implement
procedures for identifying, correcting,
-------
lalvi tno . if- , ,j secur? vr'tior,
floppv Jni'c r.'v'air.ir.g
Also, USeii- 1^
a file with sne
does no i pre
erased da^a
utility progra:
and/or overw
alternative is ;
the di
Personnel Security
People are trie tn-.si ^enous threat it cotupuieri
and automated ntorrna.iGP (he ijrnntont'or.ai
errors people conicut -iccur snoio tu-quently divi
cause more costu o.if" igo tnan :'" dt=iiL)»!iatt
acts of saoc'^gc. '.jnwutingly L^-'J..^- ntc
incorrect data in\ *n.- -,-mputt'r or -T'^-'io .,..iv
alter data It ss h-ux.;;,/'1 1 Jo rerre-i^.D-. 'h,?' .ii
security measore*- ar*- v_ji ,r..-it;S;- i, j-f---. <*'i
have iegstimaie di.-r~ ;;'io int-?:i' ,i LH '-,.- .
securstv is tt y:-,,j-'j i -a? r'-rLi^,.fe -:'(..A
-------
information SSCJ-M. i".M.nror euts ai d are awa^e
of their responstt Mies 7 He primary mission is
establishing anr naintaiping an ethical,
technically proficient, informed, and irusted work
force.
Thefts which occur are generally intentional;
however, thefts can occur unintentionally, e.g.,
when an employee copies licensed software to
use on his/her home computer and does not
realize it is a violation. Employees need to be
aware that this is a serious copyright violation
and could result in a $100,000 fine. Common
abuses include using computers for personal
business; browsing through records; preparing
personal-use software programs; and creating
team rosters, scores, and handicaps for
sports-related interests. Abuses such as these
are a violation of the Standaids of Conduct and
can result in Disciplinary action. Federal property
(including property leased by the Government)
cannot be used tor other than official business.
Studies have revealed that the majority of
computer violations are carried out by authorized
users, not outsiders it is believed that a well-
trained employee is one of the most effective
safeguards against a threat or vulnerability to
personnel security.
It is estimated that 50 to 80 percent of the
problems incurred with automated systems are
due to lack of employee training and
development of skills To ensure adequate
personnel security:
alert employees to the organization's
information security policies arid the
individual's own responsibilities within
the agency through information security
training;
publicize procedures for reporting
security violations and irregularities;
inform staff that unauthorized duplication
and use of licensed software violates the
law,
10
-------
incioctnn it*? . ". employees on then
ethical respon''.*»!iM ,,
require personnel to sign a statement
that they understand their information
security
maintain close and effective
communications with your staff; and
incorporate computer security
compliance into job performance
standards
Microcomputer Security Reminders
Maintaining Your Disks
Computer disks are fragile and should be
safeguarded as follows 1) store in protective
jackets 2) protect from bending; 3) do not touch
window area of disks 4) prevent erasures by
keeping disks away from magnetic sources such
as radios and telephones, 5) store in secure
containers, such as metal cabinets protected
from fire and water damage, and 6) handle disks
according 'o thesr sec-.;nty markings
Eight Common Don'ts
Don't smoke or have food or beverages
near the computer
Don't leave the computer on and
unattended
Don't use the computer for personal
business.
Don't have automated information in
only one place back it up.
Don't copy licensed software packages
and don't use copies someone else has
made
Don't treat al! automated information the
same. Know what needs to be secured
and do what needs to be done
11
-------
Conclusion
Mt-.'Cx.-i.-rr. ..,;,'. ^'c.;,.i< stodge
CSp-rH,'>!',:.V !", "Vr 0 A ^ir ,,!!;.'. >OVr,»,'d'H
conMgus.'iLii.'v ,ti u ite .luiinv to .>rcrn nuiale
tO( i'K,:'f '«»,'-
dot' ''S>-: rii'UsK
at); ;.'. '.- Tt,- .-
.U.S. Environmental Protcciio.i Are
Region 5, Library' (PL-12J)
77 West Jackson Boulevard, 12'ii
Chicago, IL 60504-3590
12
------- |