Human Factors in Security - Essay Example

Human Factors in Security 1. Introduction Security is a continuous process and cannot be implemented out of a box. It is a combination of software, hardware and procedures. Information Security Policy alone would not ensure ‘Security’ unless the personnel of the organization understand its weakness and consciously undertake steps based on the guidelines. It only takes a single lapse to put the classified data and information resources at risk. Thus, the sensitive data may be acquired unlawfully, damaged, or modified because personnel have either become complacent or are assuming new responsibilities without specific security awareness. Therefore, efficient security indoctrination measures must be planned and applied to manage all risks associated with Information and Communication Technologies. Managers at all levels have to ensure that, the indoctrination of AAN personnel commences on induction and continues throughout the progression of their career. 2. The Report In the following paragraph a brief report is presented by AAN managers in order to raise a winning bid for a huge contract. 2.1 Highly Secretive Organizations AAN Limited is involved in designing hundreds of small electrical products and consists of highly professional manpower. Over the last 3 years, the company has been exploring the Asian markets. In order to make a successful bid for winning a huge contract for Indian government, the company is required to change its overall structure and working environment. In order to gain the optimum confidence level of Indian government, AAN Limited is going to change itself into a highly secretive organization. It means the company has to create a highly secured and protective environment to keep all of its business projects confidential not only from external factors but also from any unauthorized persons even belong to AAN. On the contrary, a constricted deliberation related to security devices as a whole may initiate a counterfeit confidence in the system (Turn & Ware, 1975). A cultural shift surrounded by in-depth awareness of information security is needed to win the desired contract. AAN can execute this project through its short and long term strategic objectives. This can be achieved by close coordination of planning, communication, peer review, and documentation (Kevin, Gene, & George, 2004) (a) Establishment of Department of Information Security Management at headquarters level and IT Centre at section levels (b) Formulation of information security doctrine (c) Designation of IT Officers at section level (d) Provision of information security awareness to all personnel (e) Ensure the use of only officially procured and registered hardware and software (f) All hardware and media is to bear appropriate security marking (g) Ensure that no unauthorized hardware is used 2.2 Human Factors in Security 2.2.1 Roles and Responsibilities Roles and responsibilities of all personnel with respect to information security have been clearly defined by all stakeholders. The word ‘security’ means the controlling methods by which a computer, some other devices, or information contained in them are modified (Miller, 1971). Every entity of AAN whether it is a mere user of information security assets or it may be entrusted with the responsibilities of administering and managing the resources of AAN, have a clearly defined role and task regarding information security. Mangers at all levels, while defining the organization’s role and task, specifically incorporate the role and responsibility concerning information security. AAN headquarters takes special measures either to recruit new personnel or shifting of employees from one section to other. A through security cleared reports of all newly recruited personnel are obtained from local police. The security department of AAN also carries out a comprehensive clearance of new staff. A special emphasis is made on those personnel who are posted on posts holding sensitive and secret data. Only those employees are posted on such posts who meet the following criteria. (a) Security cleared by civil police and security department of AAN (b) Sound knowledge of information technology and information security (c) Satisfactory track record of loyalty and at least 10 years service in AAN 2.2.2 Information Security Awareness, Education and Training In AAN, strategically it is incumbent upon all managers to arrange for information security awareness, education and training of all personnel under their supervision. Help in this regard is taken from Department of Information Security Management (ISM) of AAN, located at headquarters. In addition, ISM plans, organizes, and conducts regular courses, seminars and workshops for information security awareness of all stakeholders. A dedicated portal is maintained by the ISM with up-to-date information about the latest security news, tips and alerts. Key staff of AAN is directed to regularly visit this portal and familiarize themselves of the information contained therein. 2.2.3 Disciplinary Process Violations of any of the clause mentioned and directed by higher authorities of AAN are considered as a security incident and are dealt with in accordance with Incident Handling Management System. Necessary disciplinary process is initiated against the defaulters in accordance with the rules and regulations of AAN. 2.2.4 Termination of Access Rights Upon relinquishment of responsibilities of any user, manager, administrator, owner or custodian of any assets due to any reason, the individual have to return all information security assets in his or her use. The immediate boss of the individual is responsible to arrange for immediate removal of his or her access rights from all information security assets so that any possible leakage or theft of any information may be avoided. 2.2.5 Use of Social Networking Sites The use of social networking sites through AAN computers is strictly forbidden for all personnel irrespective of their status in company. Social networking sites like Facebook, Twitter, Hi-fi, Skype etc are even prohibited to be used by mean of AAN computers for any matter. The sharing of any confidential information through internet medium can be a serious lapse on the part of information security (Whitman & Mattord, 2009). AAN managers are directed to repeat these instructions time to time to develop a lapse free environment in their sections. The detailed instructions for the use of internet are disseminated to all sections separately and discussed below in the section of technical security. 2.3 Technical Security Issues Background Description Solution Password Security The objective when choosing a password, is to make it as difficult as possible for a hacker (or even a colleague), to guess. Using only the standard English alphabet and numerals, a non-case-sensitive password of 6-characters offers over 2 million possible combinations. In case-sensitive password applications ‘a’ is not the same as ‘A’, which doubles the number of available characters. Thus, making that same 6 character password case-sensitive, and allowing the shifted version of the numerical keys increases the number of combinations to 140 million. Each additional character increases the number of combinations exponentially, so a 7-character, case-sensitive password would offer over a billion combinations. (a) On AAN secure LAN, the computers must have a minimum of 8 characters length Password and changes should be made by an expiry period of every 30 days. (b) All default guest and administrative accounts are removed or disabled (Peltier, 2002) (c) No information system is allowed a ‘user’ to remain on-line for trying all possible combinations of passwords. A lockout is activated after a predetermined number of maximum five failed attempts or a fixed amount of time of 45 seconds. Network Security The foundation for the development and implementation of secure practices within AAN Network System requires an understanding of personnel; not only for the individual policies but also of the circumstances in which such compliance is expected in their daily activities (http://security.practitioner.com). Knowing the policies is only part of the equation; AAN personnel know how they should comply, from a procedural perspective also. (a) No PC is ever connected to internet having company’s official data or access to its Intranet. Any observance of its violation is reported immediately to respective Information Security Officer. (b) Any System or Network level monitoring through active or passive means is prohibited. Its violation may constitute a Critical Security Incident. (c) AAN uses only those Hardware and Software which are authorized by department of ISM. Its breach could be a Security Incident. (d) If a machine is shared by more than one user on AAN Network System, then IT officer is responsible to ensure that every user has a unique User ID and everyone logs-in with his/her own User ID (Popek, 1974). Use of Internet There are security risks associated with browsing the Internet. A hacker can intrude into the Users’ PC through Internet easily and consequently extract information from victim’s PC or any PC connected to it through LAN. Likewise, if a hacked PC is connected to Internet and also having connectivity to other AAN PCs’ through Intranet, an Intruder can access the service PCs by obtaining information through Cookies and Mobile Codes. (a) Transmission / Storage of AAN official data through internet / eMail are prohibited beacuse all public eMail systems like Yahoo, Gmail, and Hotmail etc are monitored by local / foreign security agencies and are also vulnerable to hacking. (b) Unless explicitly cleared by directors of respective units, official information is not to be communicated on the internet. (c) AAN officials are warned regarding participation in online interaction (discussion forums, text/ audio/video, ICQ, mIRC, MSN, Yahoo messenger etc). Maintaining of even unofficial information online should be exercised with caution. (f) Peer to Peer (P2P) software is the hackers’ paradise for foot printing the victim’s PCs, therefore their use is discouraged. (g) In offices, the internet PC are preferably not be installed with Microsoft Office so as to alleviate the possibility of personnel using it for official purposes. Data Storage / Access Devices Security Data storage / Access devices can contain precious information. Their small size and large data storage capacities can lead to disaster in the event of their theft or loss and would constitute a Major Security Incident. To limit unauthorized access to AAN’s information resources, a mechanism of record keeping is defined below. (a) Lifted Items. These items include Hard Disks or CDs / DVDs Drives, USB Flash disks, Laptops, Notebooks, Palmtops, PDAs, Wi-Fi / Bluetooth devices, iPODs, Memory Sticks, Digital Cameras, Switches, Routers or any other hardware capable of storing information. In AAN, the devices in this category are required to be registered and disposed off by the IT officer who first seeks permission in writing from his director. (b) Consumable Items. These devices include CDs, DVDs disks, Floppy disks, printer cartridges or any other similar media. Section IT officers are responsible for the registration and disposing off these devices with prior permission of their respective section directors. (c) Printer’s rollers drums can reveal their contents for subsequent prints therefore, consumables related to printing, e.g. cartridges, ribbons and rollers are locally destroyed and burnt. Managing Mail AAN has its own intranet through which the company executes its routine proceedings. However, emailing of confidential data even on this secure network is also a sensitive issue. (a) No eMail attachments having “.exe, .bat, .vbs, .api” or any other file of executable nature shall be exchanged between users of non Secure LAN. If required, local IT officer is to be approached. (b) No user shall exchange classified or sensitive data over AAN’s eMail system. (c) In case of postings, the ‘Designation Based’ eMail account password is passed by the predecessor to the successor and an entry to this effect is made along with handing / taking of classified documents. The successor changes the password on first usage. (d) A suitable encryption mechanism is employed i.e. messages/exchange of any information is encrypted through suitable software. Viruses and Malicious Code Malicious software like Viruses, Worms, Trojans and Spyware etc are a threat to security and authenticity of data. (a) Preferably, all PCs are part of AAN Network System. The Operating System (OS) security patches are automatically updated along with the Antivirus definitions. (b) For Non-Secure / Isolated LANs and Standalone PCs, Users and IT officers are responsible to ensure that, if antivirus definitions are older than 30 days then latest versions should be downloaded from AAN Intranet to keep the PCs updated. (c) Always backup data and save data on a drive other than ‘C: /’ drive, even during routine working. Do not create / copy / save data folders / documents directly over ‘Desktop’ or in ‘My Documents’, instead designate a data drive other than C drive. (d) Virus functions of ‘Real Time Protection’ and ‘Auto Scan on Access’ are kept enabled. If these functions were off due to any reason then, any file obtained from external source is scanned for antivirus before first use. (e) In AAN, downloading and installation of any software or antivirus from Internet is prohibited. Backup and Restoration Procedure With today's technology it is simple to share information with many people, both intentionally and unintentionally. This raises the problem of data ownership and data custodians, i.e. who is entitled to modify and delete specific data. The data may be deleted by an unauthorized person, intentionally or mistakenly deleted by an authorized user or lost is natural disasters. Therefore, the Administrators would be required to do elaborate document management to ensure the integrity of data (Merkow, 2007) (a) All users are advised to keep a backup of their data and store it at a safe and secure location. (b) Data Administrators define specific Backup and Restoration procedures through respective SOPs; as applicable to their software environment considering the life and frequency of their data. As a general rule, the restoration of data must be taken place at least every four months on a separate machine. (c) The Data Backup and Restoration procedures should be accountable and auditable. Incident Reporting An Information Security incident can be defined as any occurrence which could be a security violation, or in itself; it may not necessarily compromise the security of information but could lead to such a situation. An example is a multiple login failure on a single user account, leading to that account being locked out. (a) Reporting abnormal behavior or security breaches on the network is the responsibility of every person and can be raised by any person who has observed violation of security policies. (b) Computer Security Incidents are investigated by the directors of the respective sections or as directed by AAN Headquarters. (c) In case of a major or critical security lapse, the hardware / PCs should be left in the same state unless directed by investigating team or AAN Headquarters. (d) If system is known to be breached, it would not be brought online until sanitized by administrator / IT Officers. 2.4 Physical Security Issues Background Description Solution Physical Security Perimeter Unauthorized access to the information of any nature is discouraged at each level in AAN. Lesser the chance of access, lesser the chance of leakage or theft of information. (a) To prevent unauthorized physical access, damage, interference and environmental contamination to the AAN information security premises and information processing facilities, areas are physically secured by multiple security perimeters/ barriers (such as solid walls, wires, iron bars etc). (b) There must be no gap or loophole in the security barriers or access control mechanisms where a break-in could easily occur. Unoccupied critical areas must have an intrusion alarm system where possible. Doors and windows must be locked when unattended. Moreover ‘caution boards’ and security cameras must be placed at restricted areas and entry points. (c) Respective owners/custodians/users will be responsible for the physical security of their assets. Physical Entry Controls Researchers have considered it as one of the most vulnerable threats to any lapses with respect to information security (Kiountouzis & Kokolakis, 1996) All Data/ Communication/ Network Centers must be physically guarded by trained security guards. Access to sites and buildings must be restricted to authorized personnel only. Protecting against External and Environmental Threats Measures and procedures for physical protection of information security infrastructure against damage from external and environmental threats is also a crucial issue which is to be defined and disseminated to all concerned by the information security domain specialists (http://wps.prenhall.com) (a) Hazardous or combustible materials, bulk supplies such as stationery, fallback equipment and back-up media must be placed at a safe distance to avoid damage from a disaster affecting the sensitive area. Appropriate fire fighting equipment must be provided and suitably placed. Emergency procedures must be defined by every unit/ section. (b) Requisite training of personnel is the responsibility of respective unit director; however, steps for enhancing the information security awareness within AAN would be taken up by the department of ISM. For this purpose, regular courses, workshops and seminars must be arranged. Equipment Siting All information security equipment of AAN must be sited to reduce the risks from environmental hazards and opportunities for unauthorized access. (a) AAN information security processing devices/machines, handling sensitive data must be positioned and the viewing angle restricted to reduce the risk of information being viewed or destroyed by unauthorized persons. (b) Equipment processing sensitive information should be protected to minimize the risk of information leakage due to electromagnetic emissions. (c) Equipment requiring special protection must be isolated from the other equipment. Support Utilities The serviceability and continuous presence of various support utilities like electricity, ventilation, and cooling/heating is mandatory for the smooth functioning of AAN Network System. (a) All support utilities for information security assets, such as electricity, earthing, heating/ventilation, and air conditioning must be in accordance with the recommended manufacturer’s specifications. (b) Lightning protection filters must be fitted to all incoming power and communications lines. (c) Users must ensure that support utilities are regularly inspected and logs of such actions are maintained. (d) An alarm system to detect malfunctions in the supporting utilities must be installed wherever possible/practical. For critical assets multiple feeds must be arranged to avoid a single point of failure in the support utilities. (e) A suitable electrical supply with adequate earthing must be provided that conforms to the equipment manufacturer’s specifications. An uninterrupted power supply (UPS) and backup-generator is recommended for equipment supporting critical operations. Cabling Security Cabling security is also a sensitive issue in terms of information security management (Julia, 2001). Power and communications cabling carrying data or supporting information services must be protected from interception or damage. (a) Cabling must be underground, concealed or conduit based as applicable. The use of fiber optic cabling, and electromagnetic shielding to protect the cables must be adopted. (b) Routes through public areas must be avoided as far as possible and alternative routings and/or transmission media with appropriate security must be arranged to handle failure. (c) Power cables must be segregated from communications cables to prevent interference. Clearly identifiable cable markings, tagging and documented patch list should be used to minimize handling errors. Switch rooms, control rooms, patch panels, cable rooms, termination points etc must be locked/ protected/ monitored at all times. Security of Equipment Off-premises Special security must be applied for off-site equipment maintenance/ installation/repair etc. (a) All equipment sent outside must be tagged with security instructions and must be properly sealed/ protected/ packed. (b) Equipment and media taken off the premises should not be left unattended in public places. (c) Portable computers should be carried as hand luggage and disguised where possible when traveling. (d) Detailed procedures for security of equipment off-premises must be defined by the respective domain specialists. Secure Disposal or Reuse of Equipment While disposing off ICT equipment, it must be ensured that any sensitive information contained therein is destroyed, deleted/shredded or overwritten using techniques to make the original information non-retrievable rather than using the standard delete or format function. Since information can be obtained from such old or broken or unserviceable equipment, therefore careful disposing off such equipment is very critical. (a) On reuse of system after repair, it must be adequately tested for any undesirable functionality by respective IT Centre or electronic unit. (b) No information security device/ equipment should be functioning with default settings. (c) State must be compared before and after repair/ maintenance of any equipment and changes observed must be logged. Logging procedures for this purpose must be defined by the domain specialists. References accessed 02 November, 2011 accessed on 01 November, 2011 Julia, A. H. (2001). The CERT Guide to System and Network Security Practices. Boston, MA: Addison-Wesley Kevin, B., Gene, K., & George, S. (2004). Information Technology Process Institute Kiountouzis, E. A. and Kokolakis, S. A. (1996). Information systems security: facing the information society of the 21st century, London: Chapman & Hall Merkow, M. (2007). Information Security: Principles and Practices, Pearson Education India, Miller, A. (1971). The Assault on Privacy. Ann Arbor, Mich.: Univ. of Mich. Press, 1971 Peltier, T.R. (2002). Information Security Policies, Procedures, and Standards: guidelines for effective information security management. Boca Raton, FL: Auerbach publications Popek, G. (1974). A principle of kernel design, NCC, AFIPS Conf. Proc., vol. 43, pp. 977-978 Saltzer, J. H. and Kaashoek, M.F. (2009). Principles of Computer System Design: An Introduction. Morgan Kaufman Turn, R. and Ware, W. (1975). Privacy and security in computer systems, I-A1 Amer. Scientist, Vol 63, pp. 196-203 Whitman, M. E. & Mattord, H. J. (2009). Hands-On Information Security Lab Manual, 3rd ed. Course Technology, Boston, MA William, S. (2008). Computer Security: Principles and Practice, Pearson Education India Read More