                 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
                 %%               N.I.A.                %%
                 %%     Network Information Access      %%
                 %%              10MAR90                %%
                 %%            Lord Kalkin              %%
                 %%              FILE #7                %%
                 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%

:_Computers: Crime, Fraud, Waste Part 3
:_Written/Typed/Edited By: Lord Kalkin
:_Information Security
                         PHYSICAL SECURITY
   

          Traditional Security: Locks, Fences, and Guards

        Physical security once meant keeping a computer and its 
information from physical harm by surronding the computer facility with 
locks, fences, and guards.  But physical security has changed to 
accomodate the realities of today's computer enviroment -- an enviroment 
that is often a typical office setting with many small computers, word 
processors, and portable terminals.

        Physical security is concerned with controls that protect 
against natural disasters ( e.g., fires, flood, or earthquakes ), and 
accidents.  Physical security controls regulate the enviroment 
surrounding the computer, the data input, and the information products.  
In addition to the site where the computer equipment is housed, the 
enviroment includes program libraries, logs, records, magnetic media, 
backup storage areas, and utility rooms.

        Whether physical security controls are called enviromental 
controls, installation controls, or technical controls, they must be 
responsive to today's enviroment and they must be cost-effective.  For 
exapmle, installing costly fire suppression may be essential to protect 
a large computer that process sensitive data but may not be justifiable 
to protect a single microcomputer.

CRIMES, ABUSES, AND WASTE

        Computers have been shot, stabbed, stolen, and intentionally 
electrically shorted out.  Disks and tapes have been destroyed by 
spilled beverages, and computers have been harmed by water leaks.  
Computers have been seriously damaged by temperature extremes, fire, 
electric power surges, natural disasters, and a host of accidents.  
Information has been intercepted, stolen, sold, and used for the 
personal gain of an individual or for the benefit of a company.

        - Small computers are an especially attractive target for thieves.
        - During a fire, disks stored in nonfireproof cabinets and 
          floppy disks left next to computer terminals were destroyed by 
          a sprinkler system.  Thousands of dollars were spent 
          reconstructing the information they contained.

        But accidents and ordinary contaminants are propably the major 
cause of damage to computers and realted equipment.

        COMPUTER GERMS:

                SPILLS, SMOKE, AND CRUMBS
                HEAT AND HUMIDITY

        CLUES

                The following clues can help indicate physical security 
vulnerabilities:

        1. Smoking, eating, and drinking are permitted in the computer 
           work area.
        2. Computer equipment is left unattended in unlocked rooms or is 
           otherwise unsecured.
        3. There is no fire alert or fire protection system.
        4. Disks are left in desk drawers; there are no backups of disks
        5. Strangers are not questioned about being in the computer area.
        6. An inventory of computer equipment or software in 
           nonexistant, incomplete, never updated, or not verified after 
           it is completed. Inventory shortages occur frequently.
        7. Printouts, microfiche, or disks containing sensitive data are 
           discarded as normal trash.
        8. Locks which secure computer equipment or provide access to 
           computer equipment are never changed.
        9. No assessment is made of the computer site, i.e., how 
           vulnerable is it to access by unauthorized persons, to fire 
           or water damage, or to other disasters.

     "THIS PRINTOUT IS WORTH $$$$$!!!  IT WILL GET ME INTO THE SYSTEM."

PHYSICAL SECURITY CONTROLS

        1. Prevent intentional damage, unauthorized use, or theft.

        Small computers can be locked or bolted to work stations and 
access to them limited by computer equipment cover locks.  Lock offices 
where they are located.  Ensure individuals are responsible and 
accountable for the small computer they use.

        If the information used by a goverment program is processed by a 
major computer facility, check to see how physical access to the 
facility and to related locations are controlled.  Methods such as logs, 
locks, identifiers ( such as badges ), and guards may be appropriate.

        The input of sensitive information requires proper handling of 
source documents.  Proper handling means giving the same security 
considerations to these documents whether they provide input to 
automated or nonautomated systems.  Consideratiosn may involve securing 
the area, logging the documents, ensuring that only appropiate cleared 
persons see these documents, and using burn abgs or other approved 
disposal methods.

        Carefully consider computer location.  Is it too accessible to 
unauthorized persons or susceptible to hazards?

      Alert Staff:

        Be aware of common access-gaining schemes, such as 
        "piggy-backing," where an authorized worker is followed into 
        the computer area by a stranger carrying an armload of 
        computer printouts or by persons claiming to be maintenance 
        workers.

        Know persons with authorized access to the computer area and 
        challenge strangers.

      Many people believe that locked and guarded doors provide total 
physical protection.  But electromagnatic emissions from other computers 
can be intercepted and automated information read.  Recommended 
protections (e.g., equipment modification and shielding ) must take into 
the account the level of security required by the automated information 
and the fact that such an interception is rare, but mare occur.

        An inexpensive precautionary measure is making sure that 
        telephone and computer transmission lines are not labled as to 
        their function and that their location is secured.  In a network 
        system, dedicated transmission lines -- which preform no other 
        function -- may be required.  In an increasing number of 
        situations, dedicating a small computer to a single application  
        may be the most cost-effective protection device.

        Each of the four technologies used to transmit automated 
information can be intercepted: cable ( wiretapping ), microwave ( 
interception ), satellite ( satellite recieving atenna), and radio 
frequency ( interception ).

        Protection technologies which may be called for include 
        encryption of information, dedicated lines, security modems, and 
        the alteration of voice communications by scrambling the single, 
        converting it to digital form, and using encryption.

2. Enviromental hazards can wreck havok with large and small computers 
   alike.

        Take measures to prevent, detect, and minimize the effects of 
harxards such as fire, water damage, air contaminants, excessive heat, 
and electricity blowouts.

        Protect against fire damage with regulary tested fire alert 
systems, and fire suspression devices.  Protect small computers with 
covers to prevent damage from sprinkler systems.  Do not store 
combustibles in the area.

        Static electricuty can erase memory in small computers.  
Antistatic pads and sprays can help control this.  Users can be reminded 
to discharge static electricity by touching a grounded object.

        Power surges can erase memory, alter programs, and destroy 
microcircuits.  An uniterrupted power source allows enough time to shut 
down a computer without losing data.  Prevent momentary power surges 
from damaging computers by using voltage regulators.  In a thunderstorm, 
unprotected small computers can be turned off and unplugged.

        Excessive heat can be controlled by air-conditioning systems and 
fans, and by ensuring that air can circulate freely.  A common problem 
is stacking peripheral equipment or blocking air vents on terminals or 
small computers.

        Air filters can remove airborne contaminants that harm equipment 
and disks.  Consider banning smoking near small computers.

        Locate computers away from potential water hazards, such as 
plumbing pipes, areas known to flood, or even sprinkler systems if other 
fire protection devices are available.

        Keep food, beverages, and ashtrays away from the computer.

        Keep equipment in good working order.  Monitor and record 
hardware maintainence.  This provides both an audit trail of persons who 
have had access to system and a record of contract fulfillment.  
Remember that maintainence personnel must carry proper identification.

3. Protect and secure storage media ( source documents, tapes, 
cartridges, disks, printouts ).

        -- Maintain, control, and audit storage media inventories.
        -- Educate users to the proper methods for erasing or destroying 
           storage media.
        -- Label storage media to reflect the sensitivity level of the 
           information they contain.
        -- Destroy storage media in accordance with the agancy's 
           security provisions.
        -- Ensure that access for storing, transmitting, marking, 
           handling, and destroying storage media is granted only to 
           authorized persons.
        -- Plubicize procedures and policies to staff.

        Consider posting the following reminders -- Disks are Fragile 
and Good Management Practices Provide Protection -- Where everyone can 
see them.

                    -=-  Disks are Fragile  -=-

        -- Store in protective jakets.
        -- Don't write on jackets.
        -- Protect from bending.
        -- Don't touch disks directly
        -- Insert carefully into the computer.
        -- Protect from coffee and soda spills.
        -- Maintain acceptable tempuratures (50C-125C)
        -- Prevent erasures by keeping disks away from magnetic sources 
           such as radios and telephones.
        -- Store in areas, such as metal cabinets, protected from fire 
           and water damage.
        -- Handle disks in accord with their sensitivity marking.
                                                            

        -=- Good Management Practices Provide Protection -=-

        -- Lock disks and tapes when not in use.
        -- Use a filing system to keep track of disks and tapes.
        -- Don't lend storage media with sensitive information to 
           unauthorized persons.
        -- Return damaged or defective disks with sensitive information 
           only after degaussing or after a similar procedure.
        -- Dispose of disks with sensitive information by degaussing, 
           shredding, and following agency security procedres.
        -- Dispose of printouts and printer ribbons with sensitve 
           information by following agency security procedures.
        -- Secure printouts of passwords and other access information.

4. be sure that adequate plans are made for contingencies.  Remember 
that the intent of contegency plans is to ensure that users can continue 
to preform essential functions in the event that information technology 
support is interrupted.  End users of information technology 
applications, as well as computer installations that process these 
applications, are required to hove contingency plans.

        Contingency plans must be written, tested, and regularly 
communicated to staff.

        Contingency plans must take into account backup operations, 
i.e., how information will be processed when the usual computers cannot 
be used, and the recovery of any information which is lost or destroyed.

        With small computers and word processors especially, the 
contigency plans should address selected equipment breakdowns, such as a 
single printer servicing many stations.

        Procedures and equipment should be adequate for handling 
emergency situations ( fire, flood, etc. ).

        Store backup materails, including the contingency plan, in a 
secure and safe location away from the computer site.

        Contingecny procedures must be adequate for the security level 
and criticality of the information.

        Know what to do in case of an emergency and be familiar with the 
contingency plan.

        Remember what the contingency plan may be operating at a time of 
great stress and without key personnel.  Training of staff is vital.

                   N.I.A. - Ignorance, There's No Excuse.
                  Founded By: Guardian Of Time/Judge Dredd.

[OTHER WORLD BBS]
