Types of security threats
Hewlett Packard on the brain (I'll be attending the HP Americas Partner Conference in Las Vegas this June).
The HP website includes a page that discusses various types of security threats, and the measures to take to correct them. Excerpts are below.
Examples of defenses against loss of use include prevention of access, fire prevention and firefighting measures, safeguards against shock and impact in earthquake regions, and storage off site, in antimagnetic containers, of information on magnetic media. Insurance is another form of defense. Although it cannot prevent physical loss, it can mitigate financial loss....
Although wear and tear on equipment certainly is a cause of performance loss, it is a business problem, rather than one of security. System administrators should be aware of it and request the replacement of worn equipment as needed.
In the same sense, loss of performance or data due to incorrect usage also is not a security problem. On the other hand, it is one with which system administrators must be involved. For example, incorrect usage can deny use of the system to other users by tying up too much of the CPU. Solutions include:
Limitations on access by limiting user capabilities, or giving users access only to the resources they need to execute their tasks.
User training....
One type of sabotage involves access to the computer or system by unauthorized persons. For the most part, preventative measures are the same as those described under Prevention of Access....
A type of sabotage much harder to prevent is sabotage from internal sources. Examples include disgruntled employees, and accidental sabotage resulting from the inadvertent introduction of destructive software (Trojan horses, viruses) into the system.
Sabotage by users with otherwise legitimate access to the system can be minimized by enforcing limitations on capabilities and access. System logging facilities can be used to establish strict accountability for all users. Such accountability cannot prevent sabotage, but can aid in identifying the culprit....
Due to the power of the privileged mode capability (PM), System Managers should allocate it only to accounts, groups and users with an imperative need....
Prevention of accidental sabotage from destructive software can be minimized or prevented by education, strict rules against using unauthorized software, and well publicized penalties for doing so. Establishment of accountability can, again, aid in identifying the offender in such incidents....
Total prevention of accidental information disclosure is rarely possible. Employee education and appeals to employees' sense of company or national loyalty can help mitigate the problem, but not prevent it. Another technique is to disseminate vital information strictly on a need-to-know basis.
Deliberate theft of information in physical form, such as on disk, tape, and paper, can be minimized using the same techniques as those for preventing theft of equipment: prevention of access.
Techniques for preventing access include locking desks, cabinets, and files. Store media in locked cabinets rather than open racks, and enforce strict control over the distribution of sensitive documents.
When the information on media is no longer needed, the media is often reused by simply writing over the existing data. Depending on the medium, the data may be readable until it is overwritten, even if the medium have been reformatted. This is an easily overlooked breach of security.
Before returning disk, disk packs, and tapes to reuse, all labels should be removed in order to prevent a thief from easily picking out the tapes that may contain important information. Each disk or tape should be carefuly erased with a degausser type bulk tape eraser.
Techniques for protecting information in the system itself include locking computers, enforcing the use of passwords, prohibiting embedded passwords, and clearing computer screens and screen buffers.
The HP website includes a page that discusses various types of security threats, and the measures to take to correct them. Excerpts are below.
Examples of defenses against loss of use include prevention of access, fire prevention and firefighting measures, safeguards against shock and impact in earthquake regions, and storage off site, in antimagnetic containers, of information on magnetic media. Insurance is another form of defense. Although it cannot prevent physical loss, it can mitigate financial loss....
Although wear and tear on equipment certainly is a cause of performance loss, it is a business problem, rather than one of security. System administrators should be aware of it and request the replacement of worn equipment as needed.
In the same sense, loss of performance or data due to incorrect usage also is not a security problem. On the other hand, it is one with which system administrators must be involved. For example, incorrect usage can deny use of the system to other users by tying up too much of the CPU. Solutions include:
Limitations on access by limiting user capabilities, or giving users access only to the resources they need to execute their tasks.
User training....
One type of sabotage involves access to the computer or system by unauthorized persons. For the most part, preventative measures are the same as those described under Prevention of Access....
A type of sabotage much harder to prevent is sabotage from internal sources. Examples include disgruntled employees, and accidental sabotage resulting from the inadvertent introduction of destructive software (Trojan horses, viruses) into the system.
Sabotage by users with otherwise legitimate access to the system can be minimized by enforcing limitations on capabilities and access. System logging facilities can be used to establish strict accountability for all users. Such accountability cannot prevent sabotage, but can aid in identifying the culprit....
Due to the power of the privileged mode capability (PM), System Managers should allocate it only to accounts, groups and users with an imperative need....
Prevention of accidental sabotage from destructive software can be minimized or prevented by education, strict rules against using unauthorized software, and well publicized penalties for doing so. Establishment of accountability can, again, aid in identifying the offender in such incidents....
Total prevention of accidental information disclosure is rarely possible. Employee education and appeals to employees' sense of company or national loyalty can help mitigate the problem, but not prevent it. Another technique is to disseminate vital information strictly on a need-to-know basis.
Deliberate theft of information in physical form, such as on disk, tape, and paper, can be minimized using the same techniques as those for preventing theft of equipment: prevention of access.
Techniques for preventing access include locking desks, cabinets, and files. Store media in locked cabinets rather than open racks, and enforce strict control over the distribution of sensitive documents.
When the information on media is no longer needed, the media is often reused by simply writing over the existing data. Depending on the medium, the data may be readable until it is overwritten, even if the medium have been reformatted. This is an easily overlooked breach of security.
Before returning disk, disk packs, and tapes to reuse, all labels should be removed in order to prevent a thief from easily picking out the tapes that may contain important information. Each disk or tape should be carefuly erased with a degausser type bulk tape eraser.
Techniques for protecting information in the system itself include locking computers, enforcing the use of passwords, prohibiting embedded passwords, and clearing computer screens and screen buffers.
0 Comments:
Post a Comment
<< Home