Personnel Security policy (IT Security Cookbook)
1. Ethics
Users are not allowed to: share accounts or passwords with friends or relatives, run password checkers on system password files, run network sniffers, break into other accounts, disrupt service, abuse system resources, misuse email, examine other users' files unless asked to do so by the file owner, download PC binaries, copy unlicensed software or allow other users to copy unlicensed software.
2. Password Policy
The combination of username and password defines the identity of a user on a system. Adopting a good personal password policy is the most important barrier to unauthorised access in current systems.
Content
- mixture of numbers, capital letters, small letters, punctuation.
- easy to remember (so it need not be written down).
- easy to type quickly (hard for an observer to follow).
Examples
- choose a line or two of a poem, song etc. and use just the first letters.
- join two small words with a strange character.
- invent an acronym.
Bad examples
- names of your spouse, parent, colleague, friend or pet; names of towns, months or days.
- car/motorbike registration or telephone numbers.
- common dictionary words (French, German, English, Italian, ...).
- a series of identical numbers/letters.
- obvious keyboard sequences.
- any of the above reversed, or with a number before or after it.
Guidelines
- Don't write it down, or disclose it via email (class 2).
- Default passwords should not be used (class 2).
- Don't give your password to others (class 2).
- If passwords are disclosed on a system, change them immediately.
- Avoid sharing the administrator (or root) password. Use user groups or utilities such as su instead.
- Where possible, synchronise user passwords across platforms. Users will probably choose better passwords if they only have to remember a single password. See also the «Security Mechanisms» chapter for a discussion of single sign-on.
- Inform users in detail of the dangers of password cracking and of any cracking successes. A well educated user is the best way to ensure a good choice of passwords.
- All vendor defined default passwords must be changed before the system is used.
- Passwords should be stored in encrypted form. The encryption should be strong, resisting brute force decryption for at least weeks on a powerful workstation.
- Passwords should not be displayed when being entered, nor should a «*» be shown for each character.
- A user should not be able to read other users' (encrypted) passwords (from the password file).
- Embedding of clear-text passwords into software should be avoided at all costs. Embedded encrypted passwords are also to be avoided where possible.
- A password minimum age, maximum age, minimum length & history list should be specified. E.g.
- Minimum age = 2 days, Maximum age = 6 months, Minimum length = 6 characters (class 1).
- Minimum age = 2 days, Maximum age = 30 days, Minimum length = 6 characters (class 2).
- Password history: the use of the last 5 passwords should be prohibited (class 3).
- The allowed password content should be specified. The system should check the password content against these rules before accepting the password, e.g. the bad examples listed above (class 2).
- Users should not be able to change other users' passwords, but the account operator can change user passwords.
- Where special application accounts exist (e.g. oracle under UNIX), their passwords should be locked to prevent interactive logon.
- Force change of password on first login, if possible (class 2).
- Consider the use of stronger authentication (e.g. smart tokens, chip cards, biometrics etc.) (class 4).
- If possible provide automatic password generation (to help the user) (class 3).
- A password checker should regularly (once per week) check for weak passwords (class 3).
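The content rules and the class 1/2/3 guideline parameters above (minimum length, minimum and maximum age, a history of the last 5 passwords, stored in strongly hashed form, checked before a new password is accepted) can be turned into a small checker. The following Python is an added example, not code from the IT Security Cookbook; the wordlist, the keyboard rows, the personal-name list and the threshold of three character classes out of four are assumptions made for the example, and a real deployment would load a full dictionary.

```python
"""Password policy checker (added example; assumptions are marked below)."""
import hashlib
import hmac
import os
import re
import string
from dataclasses import dataclass, field

# Guideline parameters per classification level, taken from the policy text.
CLASS_PARAMS = {
    1: dict(min_age_days=2, max_age_days=180, min_length=6, history=0),
    2: dict(min_age_days=2, max_age_days=30, min_length=6, history=0),
    3: dict(min_age_days=2, max_age_days=30, min_length=6, history=5),
}

# Constructed stand-ins (assumption) for a full dictionary and keyboard rows.
DICTIONARY = {"password", "secret", "welcome", "schatz", "soleil", "amore"}
KEYBOARD_SEQUENCES = ["qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890", "azerty"]


def _candidates(pw):
    """Forms the 'bad examples' list also forbids: the password reversed,
    and with a single leading or trailing digit removed."""
    low = pw.lower()
    forms = {low, low[::-1]}
    for s in list(forms):
        if s[:1].isdigit():
            forms.add(s[1:])
        if s[-1:].isdigit():
            forms.add(s[:-1])
    return forms


def content_violations(pw, personal_names=(), min_length=6, min_classes=3):
    """Return a sorted list of reasons the password content is unacceptable."""
    reasons = []
    if len(pw) < min_length:
        reasons.append(f"shorter than {min_length} characters")
    classes = [any(c.isdigit() for c in pw), any(c.isupper() for c in pw),
               any(c.islower() for c in pw), any(c in string.punctuation for c in pw)]
    if sum(classes) < min_classes:          # "mixture of" threshold: assumption
        reasons.append(f"fewer than {min_classes} character classes")
    if re.search(r"(.)\1{3,}", pw):         # run of 4 identical chars: assumption
        reasons.append("series of identical characters")
    names = {n.lower() for n in personal_names}
    for form in _candidates(pw):
        if form in DICTIONARY:
            reasons.append("dictionary word")
        if form in names:
            reasons.append("personal name")
        if len(form) >= 4 and any(form in seq or form in seq[::-1]
                                  for seq in KEYBOARD_SEQUENCES):
            reasons.append("keyboard sequence")
    return sorted(set(reasons))


def _hash(pw, salt):
    """Slow salted hash so a stolen history resists brute force."""
    return hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, 100_000)


@dataclass
class Account:
    classification: int
    salt: bytes = field(default_factory=lambda: os.urandom(16))
    history: list = field(default_factory=list)   # hashes, most recent last
    last_changed_day: int = 0                     # day number of last change

    def change_password(self, new_pw, today, personal_names=()):
        """Apply content, minimum-age and history rules; return [] on success."""
        p = CLASS_PARAMS[self.classification]
        reasons = content_violations(new_pw, personal_names, p["min_length"])
        if self.history and today - self.last_changed_day < p["min_age_days"]:
            reasons.append("minimum age not reached")
        # One salt per account keeps the history comparison simple here; a
        # production store would salt each entry separately (assumption).
        digest = _hash(new_pw, self.salt)
        recent = self.history[-p["history"]:] if p["history"] else []
        if any(hmac.compare_digest(digest, h) for h in recent):
            reasons.append("password reused")
        if reasons:
            return reasons
        self.history.append(digest)
        self.last_changed_day = today
        return []

    def must_change(self, today):
        """True once the maximum age for the account's class is exceeded."""
        return today - self.last_changed_day > CLASS_PARAMS[self.classification]["max_age_days"]
```

The checker refuses the password before storing anything, as the policy requires, and keeps only hashes in the history so that the stored list cannot be read back as clear text.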
3. General Software Policy
Public domain software may be used on class 1 & 2 systems with a TCB (i.e. not DOS/Windows), if the system administrator responsible for the installation is convinced of the integrity of the author / sources. Public domain software on class 3 systems is to be avoided. However, when necessary, it is only allowed after either a review of the source code, or (if the source is too big) after the software has been in general use for at least a year on comparable systems in many other (well known and trusted) companies and has been rigorously tested in a protected environment. Unlicensed software should not be used. Games are allowed on the system, if the system administrator can ensure that they will not use more than 5% (for example) of resources (disk/memory/CPU) and they are not abused. Unix: set-user-id (SUID) and set-group-id (SGID) scripts are not allowed on the system. Use taint-checking Perl or compiled programs instead.
4. Networks
1. Confidential information:
- Confidential data transmitted over public networks shall be encrypted.
2. Connection to networks:
- A User may not connect a machine to any network except the corporate LAN.
- Access to external (public & private) networks shall occur over a Firewall. All Firewalls shall be installed and maintained by corporate security.
3. Modems:
- Users may not have modems on their machines.
- Dial-in access to the corporate LAN is allowed for certain users. All Dial-in access shall occur via secured Servers with one-time-password mechanisms.
4. Email
- Users should be aware that conventional email systems often guarantee neither privacy nor proof of origin or receipt. In many systems the system administrator can read all email. Class 2 data may be sent internally within the company without encryption. Class 3 data should be encrypted.
- Class 4 data may not be transmitted via email.
- Only Class 1 data and information specifically allowed for projects with external entities may be emailed outside the company.
- Users should be aware of the risks of opening documents with macros, postscript files, and installing programs received via email.
5. Internet
Connection to the Internet is almost inevitable in today's commercial environment, especially for research departments. Due to its lack of structure & controls, the Internet offers many risks such as:
- Disclosure of confidential information.
- The corporate network may be penetrated by hackers from the Internet.
- Information may be changed or deleted.
- Access to systems could be denied due to system overload.
If users are to be allowed Internet access, they must be aware of the risks involved and of the corporate policy as regards Internet usage ⇒ a specific Internet policy should exist, be well known and be enforced.
- All outgoing access to the Internet must go over approved company gateways which have been certified as conforming to the corporate security policy.
- Who is allowed standard (WWW) Internet access? (e.g. administrators, research units)
- Who is allowed Internet email access? (e.g. everyone!)
- When is access not allowed? (e.g. not from class 3 servers).
- What Internet client software is allowed (e.g. corporate standards)?
- What may Internet clients not be used for? (e.g. Pornographic material, downloading dangerous or unlicensed software, excessive private use etc.)
- Who may provide Internet services? Under what conditions (e.g. approved Firewall policy, only publicly classified information may be published).
6. Laptops and portable computers
Portable computers allow personnel to be more productive while «on the road». They offer flexibility as to where one can access information. From the security point of view they can create risks of information disclosure, theft and perhaps offer an unauthorised point of access to the corporate network. The mobile computing population is on the increase, so a special policy is necessary.
Some issues are:
- Educate users as to the risks of Laptop usage.
- Password protection in office applications such as Winword is not a protection against the informed attacker.
- Removable hard disks allow the user to easily protect the most important component by putting it in his pocket. On the other hand, it makes it easier to steal information.
Possible policies are:
- Have laptops prepared and installed by professional IT staff. Have knowledgeable staff who can offer sound advice on the choice of laptop model.
- If possible install a file encryption program which provides strong encryption and is easy to use. A disk encryption program is an alternative, but may require more administrative overhead and affect performance and compatibility.
- Consider using an operating system (such as UNIX or NT) where a normal user does not have full access to the system.
- Users are responsible for their Laptops outside the corporate buildings.
- Automatic screen locking mechanisms and boot passwords should be used where possible. Boot passwords offer protection against the curious, but not against an informed attacker.
- An active virus scanner must be installed (provide it free of charge to all corporate users).
- Carry Laptops as hand baggage on public transport.
- Class 3 data should not be transported on laptops unless it is encrypted.
- Switch off the computer when not in use.
- Never store passwords on the Laptop which allow access to corporate network systems.
Communication:
- Do not transmit class 3 data across insecure networks (such as Internet, Mobile-GSM, Infrared etc.) unless encrypted.
- Dial-in access to the corporate network should be specified in the Network access policy.
- Turn off modems when not in use.