Personal Computers (PCs) are often sited in open plan offices and, as such, are accessible by many people. In general, PCs and their peripherals can be removed more easily than other types of computer. Due to these two facts, PCs are more vulnerable than equipment housed in purpose built accommodation, for example dedicated computer centres, and so require additional provisions for their protection.
The following threats are more likely:
PC users should pay careful attention to the environment of the machine:
There are dangers in using PCs outside BT premises, for example, on trains or at home. These threats include the increased possibility of theft, the likelihood of onlookers and potential damage by extending access to inexperienced users. An unprotected communications link may also present a security risk. Managers must consider carefully whether the risks involved are justified.
Privacy marked or commercially sensitive information shall not be processed on portable computers anywhere other than BT premises unless the computer or the information stored therein is adequately protected.
Fundamental to good security is control. Control of access and resources can only be achieved by co-ordination. For this reason it is important to distinguish between the person responsible for a personal computer (PC) and those that use it. Although the actual assignment of responsibilities for personal computers is a local management issue, the following issues shall be addressed by the person nominated as responsible for the PC:
The responsibilities of the users must include:
Every personal computer shall have a named individual who is responsible for controlling its use.
The owner must maintain a list of sensitive data in a secure place, in addition to the list of applications. The degree of compromise should local data be lost must be known.
Any user who stores sensitive data on servers used by the PC must never assume that backups are being done. It is incumbent upon the user to verify the server conditions.
Many PCs are sited in open-plan offices and there may be no particular physical security measures to restrict access to the processor, network features or peripherals. For this reason, care needs to be exercised over the use of the PC and access to the data. The criteria for choosing suitable controls should be the sensitivity of the data processed, and the physical environment (who may have physical access to the PC).
To assess the sensitivity of the data it is necessary to consider the effect of a loss of confidentiality (to competitors, to the press, to other employees etc.); the effect of inaccurate data or incomplete data, and the effect if data on the PC were unavailable. The implications of the Data Protection Act and other legislation and regulatory issues should also be considered.
The security principles to be borne in mind are:
While it is not always practicable for PCs to be locked in a room if they operated unattended, access to their contents must be restricted. Without adequate protection, the PC, the data it is processing, and networks to which it may be connected are at risk not only from unauthorised access but also accidental or deliberate corruption.
An unprotected and unattended PC is vulnerable to being used to run unauthorised software, for example games, which may carry a computer virus. Some security can be achieved by:
A PC may have a key lock built into it. Some of these locks give a degree of security by disabling the processor power unit. Others may simply disable the screen or keyboard.
There is also a (somewhat limited) range of external locks for most PCs. These locks can be fitted over the mains and auxiliary power switches to the processor thus preventing unauthorised operation of the computer and providing safeguards against theft of hard disks, plug-in cards and the system unit.
Lockable devices may also be fitted over, or into, the floppy disk unit so guarding against loading of unauthorised software.
There are numerous proprietary packages available which control access to the PC operating system and disk storage by means of a user ID and password system. Some of these packages depend on the installation of a plug-in card within the PC, others are totally software-controlled. In some cases encryption of files on the hard disk is an option, however the following points must be considered before using this facility:
Files resident on fixed disks are particularly vulnerable. Unless an encryption system approved by the Director of Security and Investigation is used or the PC is protected by other suitable means, sensitive data must not be stored on non-removable disks.
Many application programs used on personal computers use the (often larger and faster) non-removable disk to temporarily store user data automatically, even if the file being edited is being held on removable media After processing, the temporary files are deleted from the disk; the data, however, remains intact until the space it is occupying is ovenvritten by another file. Many word-processing packages and similar programs produce back-up files and these also need to be erased.
PCs on which has been loaded unknown or unauthorised software are particularly vulnerable to attack by a Trojan Horse which may copy software or sensitive data in a way that is unobserved and unknown by the usual PC user. Trojan Horse software is often distributed by means of a computer virus.
Files deleted from disks, for example with the DOS DELETE command can be easily recovered as only the directory entry is amended to indicate the disk space is free for reuse; the data remains intact on the disk until it is overwritten. To completely delete a file it must be erased by overwriting it with zeros or a random data pattern. For increased privacy, this may need to be performed several times in succession. There are third-party programs available to do this.
Files stored on file servers, such Novell's Network Operating System (NOS), when deleted, are actually moved to a 'deleted' directory, still accessible by system administrators. These files are not fully deleted until the Deleted directory space is exhausted. Administrators should set up procedures for the automatic deletion of these files. Copies may also exist on backup tapes.
Should a non-removable disk, or a PC containing a non-removable disk, require maintenance, special precautions may be necessary to render unusable any information contained on the disk. If an approved encryption system is used on a non-removable disk, the privacy marking then applies only to the encryption key protecting that information. If the information is very sensitive, it may be appropriate to destroy the disk using destruction procedures approved by the Director of Security and Investigations. See also Software And Data: Disposal Of Media for policies on this subject.
Any personal computer fitted with a non-removable disk and containing privacy marked information shall be handled and stored accordingly. IN CONFIDENCE data shall be protected by an approved software access control and IN STRICTEST CONFIDENCE data protected by a hardware based access control and encryption system approved by the Director of Security and Investigation.
When using a personal computer with a non-removable disk to process sensitive information, even if the data is held on a removable disk, the non-removable disk shall be assumed to contain sensitive information, and be treated appropriately.
All disks and cassettes must be put away when not in use. To guard against extraneous magnetic influences they should be stored away from any electrical equipment. Any removable media which contain sensitive information should be clearly labelled with the appropriate privacy marking. If sensitive information is being held they must be locked away in a suitable cabinet or drawer appropriate to its privacy marking. Lockable plastic disk cases by themselves are not sufficient protection.
CSM Policy 7.17: MARKING OF MEDIA applies.
Random Access Memory (RAM) is the PC's working memory. It holds the programs currently running and the data currently being processed. Frequently-accessed data on a floppy or non-removable disk may be loaded into RAM to improve access time. When the PC is powered off, RAM is normally erased. On some PCs, however, data in RAM is saved when the power is turned off, and can be reloaded when the power is turned on again.
Some multitasking Operating Systems (OSs), such as UNIX in all its variants, OS/2 and Microsoft Windows manage virtual memory areas on a per process basis. When free memory becomes low on such systems, parts of memory are written out to a special disk area managed by the OS. The data remains on disk and can be accessed by persons familiar with the OS.
Some OSs also generate memory dumps when the system malfunctions, at which point some, if not all, of memory is written out to disk before the system goes down. It may, under certain circumstances, be advantageous to make this information available to vendor representatives to help debug the problem, but the security implications associated with doing this must be assessed.
If sensitive data is held on a PC and the operating system uses virtual memory, or RAM, is saved when the PC is powered off, then the person responsible must protect the PC in accordance with Policies 5.3 and 5.4.
Where there is a possibility that an unauthorised person may have gained access to an unattended Personal Computer, it shall be switched off to clear volatile memory.
PCs containing non-volatile memory shall be protected as though they contained a non-removable disk.
Where resources such as printers are shared, or several are available, special precautions should be effected to ensure privacy marked material is not seen by, or delivered to an inappropriate person.
Printout should always have the appropriate privacy marking clearly displayed at the top and bottom of each page and handled in accordance with the appropriate rules in the Information Security Code. Partial printouts, perhaps resulting from failures or aborted print runs, should be disposed of in accordance with their intended privacy marking. Note that many printers contain a memory which holds information used for printing. In the event of failure during a print this information may remain in memory until the printer is powered off.
Because some personal computers (and dumb terminals) offer the facility to take a printed copy of the contents of the screen (for example, screen dumps or print screen), each screen displayed should contain the sensitivity marking for that information.
It should be noted that most laser printers hold a copy of the last printed page on the laser printer drum and that it is a relatively easy task to read this page of information directly from the drum.Therefore, whenever particularly sensitive information is printed on is type of device, the user should consider printing a full page of non-sensitive text in order to overwrite the previous page.
A Procedure shall be prepared and implemented when a shared or networked printer is used for producing privacy marked material.
Printing over networked printers introduces additional possibilities for the compromise of sensitive information. The network, comprising both the hardware and software, maintains buffers for information to be printed. In some cases the data remains in the buffers after printing has occurred. The buffers may be accessed by unauthorised users or by mistake and data compromised. Sensitive information should only be printed to approved print locations where an analysis has been done on the security risks.
Only legitimate (licensed) authorised copies of software from reputable sources supplied by a secure distribution mechanism should be used on PCs.
Any software from colleges etc, legitimately used by BT students, for instance, should be checked for hazardous code before loading as this is a potential source of viruses or untrustworthy software.
Computer games are recognised as a source of computer viruses and their use is explicitly forbidden.
Public domain and other untrustworthy software shall not be held or used on BT's personal computers. Exemptions to this policy may only be granted by the Director of Security and Investigation if there is a proven operational need.
Games shall not be used on BT's personal computers. Games must not be loaded onto BT's personal computers except where they come as part of a legitimate business sofhvare package and there is no facility for not installing the games. Exemptions to this policy may only be granted by the Director of Security and Investigation if there is a proven business need.
PCs are capable of connection by means of modem cards and interface cards to the PSTN, Local Area Networks and other computers by various means. The connection of a PC to a network introduces additional threats to both the PC and, in some instances, the network. Although the chapter on Networks and Communications covers this topic in depth, this section considers the subject in the context of personal computers.
In general communication sessions controlled externally to the PC from the public network should be avoided. Where network access is unavoidable, strict controls should be applied.
Most PCs are capable of emulating various types of terminal, either by the use of sohware packages or the installation of an extension board. When used in this mode the PC appears to the mainframe processor as if it were the appropriate terminal type but it also retains the capabilities of a PC. As a consequence of the above, three major threats to security arise as follows:
Fixed mode (dumb) terminals can only interrogate and search authorised transactions at a rate which is limited by the human operator. The results would normally have to be transcribed from the VDU or printed on a slave printer. A PC, on the other hand, could be programmed to carry out a range of interrogations, examine the resultant responses and store the details of any transactions which satisfy predetermined criteria.
Once a procedure is established this exchange can take place at speeds which are limited only by the speed of the communications interface and a great deal of information could be sifted in a short period. When used legitimately this is considered to be a authorised use of PC power. However the security of the system may rely to some extent on the (perhaps limited) rate at which information can be extracted.
Suitably equipped PCs could connect to a mainframe computer and a public access or BT-private network at the same time. Although the capability may seem attractive to the PC user, the administrator of the mainframe computer might view the potentially increased user community that may gain access to his system with some trepidation. It could be the view that, if incorrectly managed, such a PC could act as a switch or slave processor in order to connect the two. Thus an unanticipated method of communication could be established which would allow remote access from an unauthorised location and so constitute a breach of security particularly if the PC were left on all day.
Similar concerns might be raised if the PC were to be simultaneously connected to two networks, for example, the PSTN and a BT internal network.
It will be frequently both convenient and operationally legitimate to substitute a PC for a terminal device in order to limit the items installed on the desk-top and to streamline procedures. In recognition however of the risks to security, any proposal to substitute a PC for a terminal device must have the approval of the appropriate network or systems administration. They, in turn, must satisfy themselves with regard to the additional risks which might arise as a consequence of either enhanced interrogation or extended communication.
A PC shall be used as a terminal for a BT system if, and only if, the use of a PC has been permitted in the Security Policy Document of that system.
A PC shall not be connected to more than one system at a time unless approval has been granted by the administrators of those systems.
The business is dependent for its functions on information of which a greater amount is being stored and processed on PCs. There is now, therefore, a business imperative to ensure that information on PCs is available when the business needs it. PC users should evaluate the needs of the business process supported by information on PCs, and ensure that these requirements can be met, even if there is a computer or disk failure.
Mistakes are made and machines can fail, either potentially leading to corruption of data or software. Measures must be taken so that when corruption does occur, service can be restored with the minimum of inconvenience and cost to the business. The following are measures can be taken to reduce the impact of such a failure.
Data and/or software should periodically be copied to removable media for one of several reasons:
Data held on non-removable disks should be backed-up regularly, perhaps daily or weekly depending on usage and criticality. The backup might be of the whole system or only of those parts that have recently changed - an 'incremental backup'. The copy should be stored either off-site or in a fire resistant cabinet, suitable for its level of sensitivity.
There are four methods by which archive or backup copies of a system can be taken:
File Servers on Local Area Networks pose similar security problems to PCs, due to the fact that they are often sited in open plan offices, are small and are accessible by many people. If privacy marked information is held on a LAN server then precautions must be taken to safeguard that data.
File servers shall be protected in accordance with the sensitivity of the information they contain, either through physical access controls, or through logical controls. Policies 4.6 and 5.3 refer.