                 %%               N.I.A.                %%
                 %%     Network Information Access      %%
                 %%              10MAR90                %%
                 %%            Lord Kalkin              %%
                 %%              FILE #7                %%

:_Computers: Crime, Fraud, Waste Part 3
:_Written/Typed/Edited By: Lord Kalkin
:_Information Security
                         PHYSICAL SECURITY

          Traditional Security: Locks, Fences, and Guards

        Physical security once meant keeping a computer and its
information from physical harm by surrounding the computer facility with
locks, fences, and guards.  But physical security has changed to
accommodate the realities of today's computer environment -- an
environment that is often a typical office setting with many small
computers, word processors, and portable terminals.

        Physical security is concerned with controls that protect
against natural disasters ( e.g., fires, flood, or earthquakes ), and
accidents.  Physical security controls regulate the environment
surrounding the computer, the data input, and the information products.
In addition to the site where the computer equipment is housed, the
environment includes program libraries, logs, records, magnetic media,
backup storage areas, and utility rooms.

        Whether physical security controls are called environmental
controls, installation controls, or technical controls, they must be
responsive to today's environment and they must be cost-effective.  For
example, installing costly fire suppression may be essential to protect
a large computer that processes sensitive data but may not be
justifiable to protect a single microcomputer.


        Computers have been shot, stabbed, stolen, and intentionally
electrically shorted out.  Disks and tapes have been destroyed by
spilled beverages, and computers have been harmed by water leaks.
Computers have been seriously damaged by temperature extremes, fire,
electric power surges, natural disasters, and a host of accidents.
Information has been intercepted, stolen, sold, and used for the
personal gain of an individual or for the benefit of a company.

        - Small computers are an especially attractive target for thieves.
        - During a fire, disks stored in nonfireproof cabinets and
          floppy disks left next to computer terminals were destroyed by
          a sprinkler system.  Thousands of dollars were spent
          reconstructing the information they contained.

        But accidents and ordinary contaminants are probably the major
cause of damage to computers and related equipment.


                SPILLS, SMOKE, AND CRUMBS
                HEAT AND HUMIDITY


                The following clues can help indicate physical security

        1. Smoking, eating, and drinking are permitted in the computer
           work area.
        2. Computer equipment is left unattended in unlocked rooms or is
           otherwise unsecured.
        3. There is no fire alert or fire protection system.
        4. Disks are left in desk drawers; there are no backups of disks.
        5. Strangers are not questioned about being in the computer area.
        6. An inventory of computer equipment or software is
           nonexistent, incomplete, never updated, or not verified after
           it is completed. Inventory shortages occur frequently.
        7. Printouts, microfiche, or disks containing sensitive data are
           discarded as normal trash.
        8. Locks which secure computer equipment or provide access to
           computer equipment are never changed.
        9. No assessment is made of the computer site, i.e., how
           vulnerable is it to access by unauthorized persons, to fire
           or water damage, or to other disasters.



        1. Prevent intentional damage, unauthorized use, or theft.

        Small computers can be locked or bolted to work stations and
access to them limited by computer equipment cover locks.  Lock offices
where they are located.  Ensure individuals are responsible and
accountable for the small computer they use.

        If the information used by a government program is processed by
a major computer facility, check to see how physical access to the
facility and to related locations is controlled.  Methods such as logs,
locks, identifiers ( such as badges ), and guards may be appropriate.

        The input of sensitive information requires proper handling of
source documents.  Proper handling means giving the same security
considerations to these documents whether they provide input to
automated or nonautomated systems.  Considerations may involve securing
the area, logging the documents, ensuring that only appropriately
cleared persons see these documents, and using burn bags or other
approved disposal methods.

        Carefully consider computer location.  Is it too accessible to
unauthorized persons or susceptible to hazards?

      Alert Staff:

        Be aware of common access-gaining schemes, such as
        "piggy-backing," where an authorized worker is followed into
        the computer area by a stranger carrying an armload of
        computer printouts or by persons claiming to be maintenance

        Know persons with authorized access to the computer area and
        challenge strangers.

      Many people believe that locked and guarded doors provide total
physical protection.  But electromagnetic emissions from other computers
can be intercepted and automated information read.  Recommended
protections ( e.g., equipment modification and shielding ) must take
into account the level of security required by the automated information
and the fact that such an interception is rare, but may occur.

        An inexpensive precautionary measure is making sure that
        telephone and computer transmission lines are not labeled as to
        their function and that their location is secured.  In a network
        system, dedicated transmission lines -- which perform no other
        function -- may be required.  In an increasing number of
        situations, dedicating a small computer to a single application
        may be the most cost-effective protection device.

        Each of the four technologies used to transmit automated
information can be intercepted: cable ( wiretapping ), microwave (
interception ), satellite ( satellite receiving antenna ), and radio
frequency ( interception ).

        Protection technologies which may be called for include
        encryption of information, dedicated lines, security modems, and
        the alteration of voice communications by scrambling the signal,
        converting it to digital form, and using encryption.

2. Environmental hazards can wreak havoc with large and small computers

        Take measures to prevent, detect, and minimize the effects of
hazards such as fire, water damage, air contaminants, excessive heat,
and electricity blowouts.

        Protect against fire damage with regularly tested fire alert
systems, and fire suppression devices.  Protect small computers with
covers to prevent damage from sprinkler systems.  Do not store
combustibles in the area.

        Static electricity can erase memory in small computers.
Antistatic pads and sprays can help control this.  Users can be reminded
to discharge static electricity by touching a grounded object.

        Power surges can erase memory, alter programs, and destroy
microcircuits.  An uninterruptible power source allows enough time to
shut down a computer without losing data.  Prevent momentary power
surges from damaging computers by using voltage regulators.  In a
thunderstorm, unprotected small computers can be turned off and
unplugged.

        Excessive heat can be controlled by air-conditioning systems and
fans, and by ensuring that air can circulate freely.  A common problem
is stacking peripheral equipment or blocking air vents on terminals or
small computers.

        Air filters can remove airborne contaminants that harm equipment
and disks.  Consider banning smoking near small computers.

        Locate computers away from potential water hazards, such as
plumbing pipes, areas known to flood, or even sprinkler systems if other
fire protection devices are available.

        Keep food, beverages, and ashtrays away from the computer.

        Keep equipment in good working order.  Monitor and record
hardware maintenance.  This provides both an audit trail of persons who
have had access to the system and a record of contract fulfillment.
Remember that maintenance personnel must carry proper identification.

3. Protect and secure storage media ( source documents, tapes,
cartridges, disks, printouts ).

        -- Maintain, control, and audit storage media inventories.
        -- Educate users to the proper methods for erasing or destroying
           storage media.
        -- Label storage media to reflect the sensitivity level of the
           information they contain.
        -- Destroy storage media in accordance with the agency's
           security provisions.
        -- Ensure that access for storing, transmitting, marking,
           handling, and destroying storage media is granted only to
           authorized persons.
        -- Publicize procedures and policies to staff.

        Consider posting the following reminders -- Disks are Fragile
and Good Management Practices Provide Protection -- where everyone can
see them.

                    -=-  Disks are Fragile  -=-

        -- Store in protective jackets.
        -- Don't write on jackets.
        -- Protect from bending.
        -- Don't touch disks directly.
        -- Insert carefully into the computer.
        -- Protect from coffee and soda spills.
        -- Maintain acceptable temperatures (50C-125C)
        -- Prevent erasures by keeping disks away from magnetic sources
           such as radios and telephones.
        -- Store in areas, such as metal cabinets, protected from fire
           and water damage.
        -- Handle disks in accord with their sensitivity marking.

        -=- Good Management Practices Provide Protection -=-

        -- Lock disks and tapes when not in use.
        -- Use a filing system to keep track of disks and tapes.
        -- Don't lend storage media with sensitive information to
           unauthorized persons.
        -- Return damaged or defective disks with sensitive information
           only after degaussing or after a similar procedure.
        -- Dispose of disks with sensitive information by degaussing,
           shredding, and following agency security procedures.
        -- Dispose of printouts and printer ribbons with sensitive
           information by following agency security procedures.
        -- Secure printouts of passwords and other access information.

4. Be sure that adequate plans are made for contingencies.  Remember
that the intent of contingency plans is to ensure that users can continue
to perform essential functions in the event that information technology
support is interrupted.  End users of information technology
applications, as well as computer installations that process these
applications, are required to have contingency plans.

        Contingency plans must be written, tested, and regularly
communicated to staff.

        Contingency plans must take into account backup operations,
i.e., how information will be processed when the usual computers cannot
be used, and the recovery of any information which is lost or destroyed.

        With small computers and word processors especially, the
contingency plans should address selected equipment breakdowns, such as
a single printer servicing many stations.

        Procedures and equipment should be adequate for handling
emergency situations ( fire, flood, etc. ).

        Store backup materials, including the contingency plan, in a
secure and safe location away from the computer site.

        Contingency procedures must be adequate for the security level
and criticality of the information.

        Know what to do in case of an emergency and be familiar with the
contingency plan.

        Remember that the contingency plan may be operating at a time of
great stress and without key personnel.  Training of staff is vital.

                   N.I.A. - Ignorance, There's No Excuse.
                  Founded By: Guardian Of Time/Judge Dredd.