Handbook of Information Security Management: Communications Security

UNIX

UNIX is a popular operating system that is often cited for its vulnerabilities, including its handling of “superusers.” Whoever has access to the superuser password has access to everything on the system. UNIX was not really designed with security in mind. To complicate matters, new features have been added to UNIX over the years, making security even more difficult to control. Perhaps the most problematic features are those relating to networking, which include remote log-on, remote command execution, network file systems, diskless workstations, and E-mail. All of these features have increased the utility and usability of UNIX by untold amounts. However, these same features, along with the widespread connection of UNIX systems to the Internet and other networks, have opened up many new areas of vulnerabilities to unauthorized abuse of the system.

Internetworking

Internetworking is the connection of the local LAN server to other LAN/WAN servers via various connection devices which consist of routers and gateways. Virtually all organizations with multiple sites or locations use Internetworking technology within their computing environments. E-mail systems could not exist without this interconnectivity. Each additional LAN/WAN interconnection can add outside users and increase the risks to the system. LAN servers and network devices can function as “filters” to control traffic to and from external networks. For example, application gateways may be used to enforce access control policies at network boundaries. The important point is to balance connectivity requirements with security requirements.

The effective administration of LANs/WANs requires interorganizational coordination and teamwork. Since networks can cross so many organizational boundaries, integrated security requires the combined efforts of many personnel, including the administrators and technical staff (who support the local servers, networks, and Internetworks), security personnel, users, and management.

E-mail is the most popular application supported by Internetworking environments. E-mail messages are somewhat different from other computer applications in that they can involve “store and forward” communications. Messages travel from the sender to the recipient, often from one computer to another over a WAN. When messages are stored in one place and then forwarded to multiple locations, they become vulnerable to interception or can carry viruses and related malicious software.

SAFEGUARDS

Safeguards preclude or mitigate LAN vulnerabilities and threats, reducing the risk of loss. No set of safeguards can fully eliminate losses, but a well-planned set of cost-effective safeguards can reduce risks to a reasonable level as determined by management. Safeguards are divided into four major groups: general, technical, operational, and virus. Most of these safeguards also apply to applications as well as to LANs and WANs.

General Safeguards

General safeguards include a broad range of controls that serve to establish a firm foundation for technical and operational safeguards. Strong management commitment and support is required for these safeguards to be effective. General safeguards include, but are not necessarily limited to, the assignment of a LAN/WAN security officer, a security awareness and training program, personnel screening during hiring, separation of duties, and written procedures.

Assignment of LAN/WAN security officer

The first safeguard in any LAN/WAN security program is to assign the security responsibility to a specific, technically knowledgeable person. This person must then take the necessary steps to assure a viable LAN security program, as outlined in a company policy statement. Also, this policy should require that a responsible owner/security individual be assigned to each application, including E-mail and other LAN applications.

Security awareness and training

All employees involved with the management, use, design, acquisition, maintenance, or operation of a LAN must be aware of their security responsibilities and trained in how to fulfil them. Technical training is the foundation of security training. These two categories of training are so interrelated that training in security should be a component of each computer systems training class. Proper technical training is considered to be perhaps the single most important safeguard in reducing human errors.

Personnel screening

Personnel security policies and procedures should be in place and working as part of the process of controlling access to LANs and WANs. Specifically, LAN/WAN management must designate sensitive positions and screen incumbents, which should be described in a company human resource policy manual, for individuals involved in the management, operation, security, programming, or maintenance of systems. Computer security studies have shown that fraud and abuse are often committed by authorized employees. The personnel screening process should also address LAN/WAN repair and maintenance activities, as well as janitorial and building repair crews that may have unattended access to LAN/WAN facilities.

Separation of duties

People within the organization are the largest category of risk to the LAN and WAN. Separation of duties is a key to internal control and should be designed to make fraud or abuse difficult without collusion. For example, setting up the LAN security controls, auditing the controls, and management review of the results should be performed by different persons.

Written procedures

It is human nature for people to perform tasks differently and inconsistently, even if the same person performs the same task. An inconsistent procedure increases the potential for an unauthorized action (accidental or intentional) to take place on a LAN. Written procedures help to establish and enforce consistency in LAN/WAN operations. Procedures should be tailored to specific LANs and addressed to the actual users, to include the “do’s” and “don’t’s” of the main elements of safe computing practices such as access control (e.g., password content), handling of removable disks and CDs, copyright and license restrictions, remote access restrictions, input/output controls, checks for pirated software, courier procedures, and use of laptop computers. Written procedures are also an important element in the training of new employees.

