7. References

[1] Quarterman, J., "The Matrix: Computer Networks and Conferencing Systems Worldwide", Pg. 278, Digital Press, Bedford, MA, 1990.

[2] Brand, R., "Coping with the Threat of Computer Security Incidents: A Primer from Prevention through Recovery", R. Brand, available on-line from: cert.sei.cmu.edu:/pub/info/primer, 8 June 1990.

[3] Fites, M., Kratz, P. and A. Brebner, "Control and Security of Computer Information Systems", Computer Science Press, 1989.

[4] Johnson, D., and J. Podesta, "Formulating a Company Policy on Access to and Use and Disclosure of Electronic Mail on Company Computer Systems", Available from: The Electronic Mail Association (EMA), 1555 Wilson Blvd, Suite 555, Arlington VA 22209, (703) 522-7111, 22 October 1990.

[5] Curry, D., "Improving the Security of Your UNIX System", SRI International Report ITSTD-721-FR-90-21, April 1990.

[6] Cheswick, B., "The Design of a Secure Internet Gateway", Proceedings of the Summer Usenix Conference, Anaheim, CA, June 1990.

[7] Linn, J., "Privacy Enhancement for Internet Electronic Mail: Part I -- Message Encipherment and Authentication Procedures", RFC 1113, IAB Privacy Task Force, August 1989.

[8] Kent, S., and J. Linn, "Privacy Enhancement for Internet Electronic Mail: Part II -- Certificate-Based Key Management", RFC 1114, IAB Privacy Task Force, August 1989.

[9] Linn, J., "Privacy Enhancement for Internet Electronic Mail: Part III -- Algorithms, Modes, and Identifiers", RFC 1115, IAB Privacy Task Force, August 1989.

[10] Merkle, R., "A Fast Software One Way Hash Function", Journal of Cryptology, Vol. 3, No. 1.

[11] Postel, J., "Internet Protocol - DARPA Internet Program Protocol Specification", RFC 791, DARPA, September 1981.

[12] Postel, J., "Transmission Control Protocol - DARPA Internet Program Protocol Specification", RFC 793, DARPA, September 1981.

[13] Postel, J., "User Datagram Protocol", RFC 768, USC/Information Sciences Institute, 28 August 1980.

[14] Mogul, J., "Simple and Flexible Datagram Access Controls for UNIX-based Gateways", Digital Western Research Laboratory Research Report 89/4, March 1989.

[15] Bellovin, S., and M. Merritt, "Limitations of the Kerberos Authentication System", Computer Communications Review, October 1990.

[16] Pfleeger, C., "Security in Computing", Prentice-Hall, Englewood Cliffs, N.J., 1989.

[17] Parker, D., Swope, S., and B. Baker, "Ethical Conflicts: Information and Computer Science, Technology and Business", QED Information Sciences, Inc., Wellesley, MA.

[18] Forester, T., and P. Morrison, "Computer Ethics: Tales and Ethical Dilemmas in Computing", MIT Press, Cambridge, MA, 1990.

[19] Postel, J., and J. Reynolds, "Telnet Protocol Specification", RFC 854, USC/Information Sciences Institute, May 1983.

[20] Postel, J., and J. Reynolds, "File Transfer Protocol", RFC 959, USC/Information Sciences Institute, October 1985.

[21] Postel, J., Editor, "IAB Official Protocol Standards", RFC 1200, IAB, April 1991.

[22] Internet Activities Board, "Ethics and the Internet", RFC 1087, Internet Activities Board, January 1989.

[23] Pethia, R., Crocker, S., and B. Fraser, "Policy Guidelines for the Secure Operation of the Internet", CERT, TIS, CERT, RFC in preparation.

[24] Computer Emergency Response Team (CERT/CC), "Unauthorized Password Change Requests", CERT Advisory CA-91:03, April 1991.

[25] Computer Emergency Response Team (CERT/CC), "TELNET Breakin Warning", CERT Advisory CA-89:03, August 1989.

[26] CCITT, Recommendation X.509, "The Directory: Authentication Framework", Annex C.

[27] Farmer, D., and E. Spafford, "The COPS Security Checker System", Proceedings of the Summer 1990 USENIX Conference, Anaheim, CA, Pgs. 165-170, June 1990.

8. Annotated Bibliography

The intent of this annotated bibliography is to offer a representative collection of resources of information that will help the user of this handbook. It is meant to provide a starting point for further research in the security area. Included are references to other sources of information for those who wish to pursue issues of the computer security environment.
8.1 Computer Law

[ABA89] American Bar Association, Section of Science and Technology, "Guide to the Prosecution of Telecommunication Fraud by the Use of Computer Crime Statutes", American Bar Association, 1989.

[BENDER] Bender, D., "Computer Law: Evidence and Procedure", M. Bender, New York, NY, 1978-present.

Kept up to date with supplements. The years covering 1978-1984 focus on computer law, evidence and procedures. The years 1984 to the present focus on general computer law. Bibliographical references and index included.

[BLOOMBECKER] Bloombecker, B., "Spectacular Computer Crimes", Dow Jones-Irwin, Homewood, IL, 1990.

[CCH] Commerce Clearing House, "Guide to Computer Law", (Topical Law Reports), Chicago, IL, 1989.

Court cases and decisions rendered by federal and state courts throughout the United States on federal and state computer law. Includes Case Table and Topical Index.

[CONLY] Conly, C., "Organizing for Computer Crime Investigation and Prosecution", U.S. Dept. of Justice, Office of Justice Programs, Under Contract Number OJP-86-C-002, National Institute of Justice, Washington, DC, July 1989.

[FENWICK] Fenwick, W., Chair, "Computer Litigation, 1985: Trial Tactics and Techniques", Litigation Course Handbook Series No. 280, Prepared for distribution at the Computer Litigation, 1985: Trial Tactics and Techniques Program, February-March 1985.

[GEMIGNANI] Gemignani, M., "Viruses and Criminal Law", Communications of the ACM, Vol. 32, No. 6, Pgs. 669-671, June 1989.

[HUBAND] Huband, F., and R. Shelton, Editors, "Protection of Computer Systems and Software: New Approaches for Combating Theft of Software and Unauthorized Intrusion", Papers presented at a workshop sponsored by the National Science Foundation, 1986.

[MCEWEN] McEwen, J., "Dedicated Computer Crime Units", Report Contributors: D. Fester and H. Nugent, Prepared for the National Institute of Justice, U.S. Department of Justice, by Institute for Law and Justice, Inc., under contract number OJP-85-C-006, Washington, DC, 1989.

[PARKER] Parker, D., "Computer Crime: Criminal Justice Resource Manual", U.S. Dept. of Justice, National Institute of Justice, Office of Justice Programs, Under Contract Number OJP-86-C-002, Washington, D.C., August 1989.

[SHAW] Shaw, E., Jr., "Computer Fraud and Abuse Act of 1986", Congressional Record (3 June 1986), Washington, D.C., 3 June 1986.

[TRIBLE] Trible, P., "The Computer Fraud and Abuse Act of 1986", U.S. Senate Committee on the Judiciary, 1986.

8.2 Computer Security

[CAELLI] Caelli, W., Editor, "Computer Security in the Age of Information", Proceedings of the Fifth IFIP International Conference on Computer Security, IFIP/Sec '88.

[CARROLL] Carroll, J., "Computer Security", 2nd Edition, Butterworth Publishers, Stoneham, MA, 1987.

[COOPER] Cooper, J., "Computer and Communications Security: Strategies for the 1990s", McGraw-Hill, 1989.

[BRAND] Brand, R., "Coping with the Threat of Computer Security Incidents: A Primer from Prevention through Recovery",
R. Brand, 8 June 1990.

As computer security becomes a more important issue in modern society, it begins to warrant a systematic approach. The vast majority of the computer security problems and the costs associated with them can be prevented with simple inexpensive measures. The most important and cost effective of these measures are available in the prevention and planning phases. These methods are presented in this paper, followed by a simplified guide to incident handling and recovery. Available on-line from: cert.sei.cmu.edu:/pub/info/primer.

[CHESWICK] Cheswick, B., "The Design of a Secure Internet Gateway", Proceedings of the Summer Usenix Conference, Anaheim, CA, June 1990.

Brief abstract (slight paraphrase from the original abstract): AT&T maintains a large internal Internet that needs to be protected from outside attacks, while providing useful services between the two. This paper describes AT&T's Internet gateway. This gateway passes mail and many of the common Internet services between AT&T internal machines and the Internet. This is accomplished without IP connectivity using a pair of machines: a trusted internal machine and an untrusted external gateway. These are connected by a private link. The internal machine provides a few carefully-guarded services to the external gateway. This configuration helps protect the internal internet even if the external machine is fully compromised.

This is a very useful and interesting design. Most firewall gateway systems rely on a system that, if compromised, could allow access to the machines behind the firewall. Also, most firewall systems require users who want access to Internet services to have accounts on the firewall machine. AT&T's design allows AT&T internal internet users access to the standard services of TELNET and FTP from their own workstations without accounts on the firewall machine.

A very useful paper that shows how to maintain some of the benefits of Internet connectivity while still maintaining strong security.

[CURRY] Curry, D., "Improving the Security of Your UNIX System", SRI International Report ITSTD-721-FR-90-21, April 1990.

This paper describes measures that you, as a system administrator, can take to make your UNIX system(s) more secure. Oriented primarily at SunOS 4.x, most of the information covered applies equally well to any Berkeley UNIX system with or without NFS and/or Yellow Pages (NIS). Some of the information can also be applied to System V, although this is not a primary focus of the paper. A very useful reference, this is also available on the Internet in various locations, including the directory cert.sei.cmu.edu:/pub/info.

[FITES] Fites, M., Kratz, P. and A. Brebner, "Control and Security of Computer Information Systems", Computer Science Press, 1989.

This book serves as a good guide to the issues encountered in forming computer security policies and procedures. The book is designed as a textbook for an introductory course in information systems security.

The book is divided into five sections: Risk Management (I), Safeguards: security and control measures, organizational and administrative (II), Safeguards: Security and Control Measures, Technical (III), Legal Environment and Professionalism (IV), and CICA Computer Control Guidelines (V).

The book is particularly notable for its straight-forward approach to security, emphasizing that common sense is the first consideration in designing a security program. The authors note that there is a tendency to look to more technical solutions to security problems while overlooking organizational controls which are often cheaper and much more effective. 298 pages, including references and index.

[GARFINKEL] Garfinkel, S., and E. Spafford, "Practical Unix Security", O'Reilly & Associates, ISBN 0-937175-72-2, May 1991.

Approx 450 pages, $29.95. Orders: 1-800-338-6887 (US & Canada), 1-707-829-0515 (Europe), email: nuts@ora.com

This is one of the most useful books available on Unix security. The first part of the book covers standard Unix and Unix security basics, with particular emphasis on passwords. The second section covers enforcing security on the system. Of particular interest to the Internet user are the sections on network security, which address many of the common security problems that afflict Internet Unix users. Four chapters deal with handling security incidents, and the book concludes with discussions of encryption, physical security, and useful checklists and lists of resources. The book lives up to its name; it is filled with specific references to possible security holes, files to check, and things to do to improve security. This book is an excellent complement to this handbook.

[GREENIA90] Greenia, M., "Computer Security Information Sourcebook", Lexikon Services, Sacramento, CA, 1989.

A manager's guide to computer security. Contains a sourcebook of key reference materials including access control and computer crimes bibliographies.

[HOFFMAN] Hoffman, L., "Rogue Programs: Viruses, Worms, and Trojan Horses", Van Nostrand Reinhold, NY, 1990. (384 pages, includes bibliographical references and index.)

[JOHNSON] Johnson, D., and J. Podesta, "Formulating A Company Policy on Access to and Use and Disclosure of Electronic Mail on Company Computer Systems".

A white paper prepared for the EMA, written by two experts in privacy law. Gives background on the issues, and presents some policy options.

Available from: The Electronic Mail Association (EMA), 1555 Wilson Blvd, Suite 555, Arlington, VA, 22209. (703) 522-7111.

[KENT] Kent, Stephen, "E-Mail Privacy for the Internet: New Software and Strict Registration Procedures will be Implemented this Year", Business Communications Review, Vol. 20, No. 1, Pg. 55, 1 January 1990.

[LU] Lu, W., and M. Sundareshan, "Secure Communication in Internet Environments: A Hierarchical Key Management Scheme for End-to-End Encryption", IEEE Transactions on Communications, Vol. 37, No. 10, Pg. 1014, 1 October 1989.

[LU1] Lu, W., and M. Sundareshan, "A Model for Multilevel Security in Computer Networks", IEEE Transactions on Software Engineering, Vol. 16, No. 6, Page 647, 1 June 1990.

[NSA] National Security Agency, "Information Systems Security Products and Services Catalog", NSA, Quarterly Publication.

NSA's catalogue contains chapters on: Endorsed Cryptographic Products List; NSA Endorsed Data Encryption Standard (DES) Products List; Protected Services List; Evaluated Products List; Preferred Products List; and Endorsed Tools List.

The catalogue is available from the Superintendent of Documents, U.S. Government Printing Office, Washington, D.C. One may place telephone orders by calling: (202) 783-3238.

[OTA] United States Congress, Office of Technology Assessment, "Defending Secrets, Sharing Data: New Locks and Keys for Electronic Information", OTA-CIT-310, October 1987.

This report, prepared for congressional committee considering Federal policy on the protection of electronic information, is interesting because of the issues it raises regarding the impact of technology used to protect information. It also serves as a reasonable introduction to the various encryption and information protection mechanisms. 185 pages. Available from the U.S. Government Printing Office.

[PALMER] Palmer, I., and G. Potter, "Computer Security Risk Management", Van Nostrand Reinhold, NY, 1989.

[PFLEEGER] Pfleeger, C., "Security in Computing", Prentice-Hall, Englewood Cliffs, NJ, 1989.

A general textbook in computer security, this book provides an excellent and very readable introduction to classic computer
security problems and solutions, with a particular emphasis on encryption. The encryption coverage serves as a good introduction to the subject. Other topics covered include building secure programs and systems, security of database, personal computer security, network and communications security, physical security, risk analysis and security planning, and legal and ethical issues. 538 pages including index and bibliography.

[SHIREY] Shirey, R., "Defense Data Network Security Architecture", Computer Communication Review, Vol. 20, No. 2, Page 66, 1 April 1990.

[SPAFFORD] Spafford, E., Heaphy, K., and D. Ferbrache, "Computer Viruses: Dealing with Electronic Vandalism and Programmed Threats", ADAPSO, 1989. (109 pages.)

This is a good general reference on computer viruses and related concerns. In addition to describing viruses in some detail, it also covers more general security issues, legal recourse in case of security problems, and includes lists of laws, journals focused on computer security, and other security-related resources.

Available from: ADAPSO, 1300 N. 17th St, Suite 300, Arlington VA 22209. (703) 522-5055.

[STOLL88] Stoll, C., "Stalking the Wily Hacker", Communications of the ACM, Vol. 31, No. 5, Pgs. 484-497, ACM, New York, NY, May 1988.

This article describes some of the technical means used to trace the intruder that was later chronicled in "Cuckoo's Egg" (see below).

[STOLL89] Stoll, C., "The Cuckoo's Egg", ISBN 00385-24946-2, Doubleday, 1989.

Clifford Stoll, an astronomer turned UNIX System Administrator, recounts an exciting, true story of how he tracked a computer intruder through the maze of American military and research networks. This book is easy to understand and can serve as an interesting introduction to the world of networking. Jon Postel says in a book review, "[this book] ... is absolutely essential reading for anyone that uses or operates any computer connected to the Internet or any other computer network."

[VALLA] Vallabhaneni, S., "Auditing Computer Security: A Manual with Case Studies", Wiley, New York, NY, 1989.

8.3 Ethics

[CPSR89] Computer Professionals for Social Responsibility, "CPSR Statement on the Computer Virus", CPSR, Communications of the ACM, Vol. 32, No. 6, Pg. 699, June 1989.

This memo is a statement on the Internet Computer Virus by the Computer Professionals for Social Responsibility (CPSR).

[DENNING] Denning, Peter J., Editor, "Computers Under Attack: Intruders, Worms, and Viruses", ACM Press, 1990.

A collection of 40 pieces divided into six sections: the emergence of worldwide computer networks, electronic breakins, worms, viruses, counterculture (articles examining the world of the "hacker"), and finally a section discussing social, legal, and ethical considerations.

A thoughtful collection that addresses the phenomenon of attacks on computers. This includes a number of previously published articles and some new ones. The previously published ones are well chosen, and include some references that might be otherwise hard to obtain. This book is a key reference to computer security threats that have generated much of the concern over computer security in recent years.

[ERMANN] Ermann, D., Williams, M., and C. Gutierrez, Editors, "Computers, Ethics, and Society", Oxford University Press, NY, 1990. (376 pages, includes bibliographical references).

[FORESTER] Forester, T., and P. Morrison, "Computer Ethics: Tales and Ethical Dilemmas in Computing", MIT Press, Cambridge, MA, 1990. (192 pages including index.)

From the preface: "The aim of this book is two-fold: (1) to describe some of the problems created by society by computers, and (2) to show how these problems present ethical dilemmas for computer professionals and computer users.

The problems created by computers arise, in turn, from two main sources: from hardware and software malfunctions and from misuse by human beings. We argue that computer systems by their very nature are insecure, unreliable, and unpredictable -- and that society has yet to come to terms with the consequences. We also seek to show how society has become newly vulnerable to human misuse of computers in the form of computer crime, software theft, hacking, the creation of viruses, invasions of privacy, and so on."

The eight chapters include "Computer Crime", "Software Theft", "Hacking and Viruses", "Unreliable Computers", "The Invasion of Privacy", "AI and Expert Systems", and "Computerizing the Workplace." Includes extensive notes on sources and an index.

[GOULD] Gould, C., Editor, "The Information Web: Ethical and Social Implications of Computer Networking", Westview Press, Boulder, CO, 1989.

[IAB89] Internet Activities Board, "Ethics and the Internet", RFC 1087, IAB, January 1989. Also appears in the Communications of the ACM, Vol. 32, No. 6, Pg. 710, June 1989.

This memo is a statement of policy by the Internet Activities Board (IAB) concerning the proper use of the resources of the Internet. Available on-line on host ftp.nisc.sri.com, directory rfc, filename rfc1087.txt. Also available on host nis.nsf.net, directory RFC, filename RFC1087.TXT-1.

[MARTIN] Martin, M., and R. Schinzinger, "Ethics in Engineering", McGraw Hill, 2nd Edition, 1989.

[MIT89] Massachusetts Institute of Technology, "Teaching Students About Responsible Use of Computers", MIT, 1985-1986. Also reprinted in the Communications of the ACM, Vol. 32, No. 6, Pg. 704, Athena Project, MIT, June 1989.

This memo is a statement of policy by the Massachusetts Institute of Technology (MIT) on the responsible use of computers.

[NIST] National Institute of Standards and Technology, "Computer Viruses and Related Threats: A Management Guide", NIST Special Publication 500-166, August 1989.

[NSF88] National Science Foundation, "NSF Poses Code of Networking Ethics", Communications of the ACM, Vol. 32, No. 6, Pg. 688, June 1989. Also appears in the minutes of the regular meeting of the Division Advisory Panel for Networking and Communications Research and Infrastructure, Dave Farber, Chair, November 29-30, 1988.

This memo is a statement of policy by the National Science Foundation (NSF) concerning the ethical use of the Internet.

[PARKER90] Parker, D., Swope, S., and B. Baker, "Ethical Conflicts: Information and Computer Science, Technology and Business", QED Information Sciences, Inc., Wellesley, MA. (245 pages).

Additional publications on Ethics:

The University of New Mexico (UNM)

The UNM has a collection of ethics documents. Included are legislation from several states and policies from many institutions. Access is via FTP, IP address ariel.umn.edu. Look in the directory /ethics.

8.4 The Internet Worm

[BROCK] Brock, J., "November 1988 Internet Computer Virus and the Vulnerability of National Telecommunications Networks to Computer Viruses", GAO/T-IMTEC-89-10, Washington, DC, 20 July 1989.

Testimonial statement of Jack L. Brock, Director, U. S. Government Information before the Subcommittee on Telecommunications and Finance, Committee on Energy and Commerce, House of Representatives.

[EICHIN89] Eichin, M., and J. Rochlis, "With Microscope and Tweezers: An Analysis of the Internet Virus of November 1988", Massachusetts Institute of Technology, February 1989.

Provides a detailed dissection of the worm program. The paper discusses the major points of the worm program then reviews strategies, chronology, lessons and open issues, Acknowledgments; also included are a detailed appendix on the worm program subroutine by subroutine, an appendix on the cast of characters, and a reference section.

[EISENBERG89] Eisenberg, T., D. Gries, J. Hartmanis, D. Holcomb, M. Lynn, and T. Santoro, "The Computer Worm", Cornell University, 6 February 1989.

A Cornell University Report presented to the Provost of the University on 6 February 1989 on the Internet Worm.

[GAO] U.S. General Accounting Office, "Computer Security - Virus Highlights Need for Improved Internet Management", United States General Accounting Office, Washington, DC, 1989.

This 36 page report (GAO/IMTEC-89-57), by the U.S. Government Accounting Office, describes the Internet worm and its effects. It gives a good overview of the various U.S. agencies involved in the Internet today and their concerns vis-a-vis computer security and networking. Available on-line on host nnsc.nsf.net, directory pub, filename GAO_RPT; and on nis.nsf.net, directory nsfnet, filename GAO_RPT.TXT.

[REYNOLDS89] The Helminthiasis of the Internet, RFC 1135, USC/Information Sciences Institute, Marina del Rey, CA, December 1989.

This report looks back at the helminthiasis (infestation with, or disease caused by parasitic worms) of the Internet that was unleashed the evening of 2 November 1988. This document provides a glimpse at the infection, its festering, and cure. The impact of the worm on the Internet community, ethics statements, the role of the news media,
crime in the computer world, and future prevention is discussed. A documentation review presents four publications that describe in detail this particular parasitic computer program. Reference and bibliography sections are also included. Available on-line on host ftp.nisc.sri.com directory rfc, filename rfc1135.txt. Also available on host nis.nsf.net, directory RFC, filename RFC1135.TXT-1.

[SEELEY89] Seeley, D., "A Tour of the Worm", Proceedings of 1989 Winter USENIX Conference, Usenix Association, San Diego, CA, February 1989.

Details are presented as a "walk thru" of this particular worm program. The paper opened with an abstract, introduction, detailed chronology of events upon the discovery of the worm, an overview, the internals of the worm, personal opinions, and conclusion.

[SPAFFORD88] Spafford, E., "The Internet Worm Program: An Analysis", Computer Communication Review, Vol. 19, No. 1, ACM SIGCOMM, January 1989. Also issued as Purdue CS Technical Report CSD-TR-823, 28 November 1988.

Describes the infection of the Internet as a worm program that exploited flaws in utility programs in UNIX based systems. The report gives a detailed description of the components of the worm program: data and functions. Spafford focuses his study on two completely independent reverse-compilations of the worm and a version disassembled to VAX assembly language.

[SPAFFORD89] Spafford, G., "An Analysis of the Internet Worm", Proceedings of the European Software Engineering Conference 1989, Warwick England, September 1989. Proceedings published by Springer-Verlag as: Lecture Notes in Computer Science #387. Also issued as Purdue Technical Report #CSD-TR-933.

8.5 National Computer Security Center (NCSC)

All NCSC publications, approved for public release, are available from the NCSC Superintendent of Documents.

NCSC = National Computer Security Center
9800 Savage Road
Ft Meade, MD 20755-6000

CSC = Computer Security Center: an older name for the NCSC

NTISS = National Telecommunications and Information Systems Security
NTISS Committee, National Security Agency
Ft Meade, MD 20755-6000

[CSC] Department of Defense, "Password Management Guideline", CSC-STD-002-85, 12 April 1985, 31 pages.

The security provided by a password system depends on the passwords being kept secret at all times. Thus, a password is vulnerable to compromise whenever it is used, stored, or even known. In a password-based authentication mechanism implemented on an ADP system, passwords are vulnerable to compromise due to five essential aspects of the password system: 1) a password must be initially assigned to a user when enrolled on the ADP system; 2) a user's password must be changed periodically; 3) the ADP system must maintain a 'password database'; 4) users must remember their passwords; and 5) users must enter their passwords into the ADP system at authentication time. This guideline prescribes steps to be taken to minimize the vulnerability of passwords in each of these circumstances.

[NCSC1] NCSC, "A Guide to Understanding AUDIT in Trusted Systems", NCSC-TG-001, Version-2, 1 June 1988, 25 pages.

Audit trails are used to detect and deter penetration of a computer system and to reveal usage that identifies misuse. At the discretion of the auditor, audit trails may be limited to specific events or may encompass all of the activities on a system. Although not required by the criteria, it should be possible for the target of the audit mechanism to be either a subject or an object. That is to say, the audit mechanism should be capable of monitoring every time John accessed the system as well as every time the nuclear reactor file was accessed; and likewise every time John accessed the nuclear reactor file.

[NCSC2] NCSC, "A Guide to Understanding DISCRETIONARY ACCESS CONTROL in Trusted Systems", NCSC-TG-003, Version-1, 30 September 1987, 29 pages.

Discretionary control is the most common type of access control mechanism implemented in computer systems today. The basis of this kind of security is that an individual user, or program operating on the user's behalf, is allowed to specify explicitly the types of access other users (or programs executing on their behalf) may have to information under the user's control. [...] Discretionary controls are not a replacement for mandatory controls. In any environment in which information is protected, discretionary security provides for a finer granularity of control within the overall constraints of the mandatory policy.

[NCSC3] NCSC, "A Guide to Understanding CONFIGURATION MANAGEMENT in Trusted Systems", NCSC-TG-006, Version-1, 28 March 1988, 31 pages.

Configuration management consists of four separate tasks: identification, control, status accounting, and auditing. For every change that is made to an automated data processing (ADP) system, the design and requirements of the changed version of the system should be identified. The control task of configuration management is performed by subjecting every change to documentation, hardware, and software/firmware to review and approval by an authorized authority. Configuration status accounting is responsible for recording and reporting on the configuration of the product throughout the change. Finally, through the process of a configuration audit, the completed change can be verified to be functionally correct, and for trusted systems, consistent with the security policy of the system.

[NTISS] NTISS, "Advisory Memorandum on Office Automation Security Guideline", NTISSAM COMPUSEC/1-87, 16 January 1987, 58 pages.

This document provides guidance to users, managers, security officers, and procurement officers of Office Automation Systems. Areas addressed include: physical security, personnel security, procedural security, hardware/software security, emanations security (TEMPEST), and communications security for stand-alone OA Systems, OA Systems used as terminals connected to mainframe computer systems, and OA Systems used as hosts in a Local Area Network (LAN). Differentiation is made between those Office Automation Systems equipped with removable storage media only (e.g., floppy disks, cassette tapes, removable hard disks) and those Office Automation Systems equipped with fixed media (e.g., Winchester disks).

Additional NCSC Publications:

[NCSC4] National Computer Security Center, "Glossary of Computer Security Terms", NCSC-TG-004, NCSC, 21 October 1988.

[NCSC5] National Computer Security Center, "Trusted Computer System Evaluation Criteria", DoD 5200.28-STD, CSC-STD-001-83, NCSC, December 1985.

[NCSC7] National Computer Security Center, "Guidance for Applying the Department of Defense Trusted Computer System Evaluation Criteria in Specific Environments", CSC-STD-003-85, NCSC, 25 June 1985.

[NCSC8] National Computer Security Center, "Technical Rationale Behind CSC-STD-003-85: Computer Security Requirements", CSC-STD-004-85, NCSC, 25 June 85.

[NCSC9] National Computer Security Center, "Magnetic Remanence Security Guideline", CSC-STD-005-85, NCSC, 15 November 1985.

This guideline is tagged as a "For Official Use Only" exemption under Section 6, Public Law 86-36 (50 U.S. Code 402). Distribution authorized to U.S. Government agencies and their contractors to protect unclassified technical, operational, or administrative data relating to operations of the National Security Agency.

[NCSC10] National Computer Security Center, "Guidelines for Formal Verification Systems", Shipping list no.: 89-660-P, The Center, Fort George G. Meade, MD, 1 April 1990.

[NCSC11] National Computer Security Center, "Glossary of Computer Security Terms", Shipping list no.: 89-254-P, The Center, Fort George G. Meade, MD, 21 October 1988.

[NCSC12] National Computer Security Center, "Trusted UNIX Working Group (TRUSIX) rationale for selecting access control list features for the UNIX system", Shipping list no.: 90-076-P, The Center, Fort George G. Meade, MD, 1990.

[NCSC13] National Computer Security Center, "Trusted Network Interpretation", NCSC-TG-005, NCSC, 31 July 1987.

[NCSC14] Tinto, M., "Computer Viruses: Prevention, Detection, and Treatment", National Computer Security Center C1 Technical Report C1-001-89, June 1989.

[NCSC15] National Computer Security Conference, "12th National Computer Security Conference: Baltimore Convention Center, Baltimore, MD, 10-13 October, 1989: Information Systems Security, Solutions for Today - Concepts for Tomorrow", National Institute of Standards and National Computer Security Center, 1989.

8.6 Security Checklists

[AUCOIN] Aucoin, R., "Computer Viruses: Checklist for Recovery", Computers in Libraries, Vol. 9, No. 2, Pg. 4, 1 February 1989.

[WOOD] Wood, C., Banks, W., Guarro, S., Garcia, A., Hampel, V., and H. Sartorio, "Computer Security: A Comprehensive Controls Checklist", John Wiley and Sons, Interscience Publication, 1987.

8.7 Additional Publications

Defense Data Network's Network Information Center (DDN NIC)

The DDN NIC maintains DDN Security bulletins and DDN Management bulletins online on the machine: NIC.DDN.MIL. They are available via anonymous FTP. The DDN Security bulletins are in the directory: SCC, and the DDN Management bulletins are in the directory: DDN-NEWS.

For additional information, you may send a message to: NIC@NIC.DDN.MIL, or call the DDN NIC at: 1-800-235-3155.

[DDN88] Defense Data Network, "BSD 4.2 and 4.3 Software Problem Resolution", DDN MGT Bulletin #43, DDN Network Information Center, 3 November 1988.

A Defense Data Network Management Bulletin announcement on the 4.2bsd and 4.3bsd software fixes to the Internet worm.

[DDN89] DCA DDN Defense Communications System, "DDN Security Bulletin 03", DDN Security Coordination Center, 17 October 1989.

IEEE Proceedings

[IEEE] "Proceedings of the IEEE Symposium on Security and Privacy", published annually.

IEEE Proceedings are available from:

Computer Society of the IEEE
P.O. Box 80452
Worldway Postal Center
Los Angeles, CA 90080

Other Publications:

Computer Law and Tax Report
Computers and Security
Security Management Magazine
Journal of Information Systems Management
Data Processing & Communications Security
SIG Security, Audit & Control Review

9. Acknowledgments

Thanks to the SSPHWG's illustrious "Outline Squad", who assembled at USC/Information Sciences Institute on 12-June-90: Ray Bates (ISI), Frank Byrum (DEC), Michael A. Contino (PSU), Dave Dalva (Trusted Information Systems, Inc.), Jim Duncan (Penn State Math Department), Bruce Hamilton (Xerox), Sean Kirkpatrick (Unisys), Tom Longstaff (CIAC/LLNL), Fred Ostapik (SRI/NIC), Keith Pilotti (SAIC), and Bjorn Satdeva (/sys/admin, inc.).

Many thanks to Rich Pethia and the Computer Emergency Response Team (CERT); much of the work by Paul Holbrook was done while he was working for CERT. Rich also provided a very thorough review of this document. Thanks also to Jon Postel and USC/Information Sciences Institute for contributing facilities and moral support to this effort.

Last, but NOT least, we would like to thank members of the SSPHWG and Friends for their additional contributions: Vint Cerf (CNRI), Dave Grisham (UNM), Nancy Lee Kirkpatrick (Typist Extraordinaire), Chris McDonald (WSMR), H. Craig McKee (Mitre), Gene Spafford (Purdue), and Aileen Yuan (Mitre).

10. Security Considerations

If security considerations had not been so widely ignored in the Internet, this memo would not have been possible.

11. Authors' Addresses

J. Paul Holbrook
CICNet, Inc.
2901 Hubbard
Ann Arbor, MI 48105

Phone: (313) 998-7680
EMail: holbrook@cic.net

Joyce K. Reynolds
University of Southern California
Information Sciences Institute
4676 Admiralty Way
Marina del Rey, CA 90292

Phone: (213) 822-1511
EMail: JKREY@ISI.EDU