2 Internet Draft Barbara Fraser
3 Network Working Group SEI/CMU
4 Expires in six months Editor
9 <draft-ietf-ssh-handbook-03.txt>
14 This document is an Internet-Draft. Internet-Drafts are working
15 documents of the Internet Engineering Task Force (IETF), its areas,
16 and its working groups. Note that other groups may also distribute
17 working documents as Internet-Drafts.
19 Internet-Drafts are draft documents valid for a maximum of six months
20 and may be updated, replaced, or obsoleted by other documents at any
21 time. It is inappropriate to use Internet- Drafts as reference
22 material or to cite them other than as ``work in progress.''
24 To learn the current status of any Internet-Draft, please check the
25 ``1id-abstracts.txt'' listing contained in the Internet- Drafts
26 Shadow Directories on ftp.is.co.za (Africa), nic.nordu.net (Europe),
27 munnari.oz.au (Pacific Rim), ds.internic.net (US East Coast), or
28 ftp.isi.edu (US West Coast).
32 1. Introduction.................................................... 2
33 1.1 Purpose of this Work............................................ 2
34 1.2 Audience........................................................ 2
35 1.3 Definitions..................................................... 3
36 1.4 Related Work.................................................... 3
37 1.5 Basic Approach.................................................. 3
38 1.6 Risk Assessment................................................. 4
39 2. Security Policies............................................... 5
40 2.1 What is a Computer Security Policy and Why Have One?............ 5
41 2.2 What Makes a Good Computer Security Policy?..................... 7
42 2.3 Keeping the Policy Flexible..................................... 8
43 3. Architecture.................................................... 9
44 3.1 Objectives...................................................... 9
45 3.2 Network and Service Configuration............................... 11
46 3.3 Firewalls....................................................... 16
47 4. Security Services and Procedures................................ 19
48 4.1 Authentication.................................................. 19
49 4.2 Confidentiality................................................. 22
50 4.3 Integrity....................................................... 23
51 4.4 Authorization................................................... 23
52 4.5 Access.......................................................... 24
53 4.6 Auditing........................................................ 27
54 4.7 Securing Backups................................................ 30
55 5. Security Incident Handling...................................... 30
56 5.1 Preparing and Planning for Incident Handling.................... 32
60 Site Security Working Group [Page 1]
66 Internet Draft Site Security Handbook May 1996
69 5.2 Notification and Points of Contact.............................. 34
70 5.3 Identifying an Incident......................................... 40
71 5.4 Handling an Incident............................................ 42
72 5.5 Aftermath of an Incident........................................ 47
73 5.6 Responsibilities................................................ 48
74 6. Ongoing Activities.............................................. 49
75 7. Tools and Locations............................................. 49
76 8. Mailing Lists and Other Resources............................... 51
77 9. References...................................................... 53
78 10. Annotated Bibliography.......................................... 62
82 This document provides guidance to system and network administrators
83 on how to address security issues within the Internet community. It
84 builds on the foundation provided in RFC 1244 and is the collective
85 work of a number of contributing authors. Those authors include:
86 Jules P. Aronson, Nevil Brownlee, Frank Byrum, Joao Nuno Ferreira,
87 Erik Guttman, Klaus-Peter Kossakowski, Edward.P.Lewis, Gary Malkin,
88 Russ Mundy, Philip J. Nesser, and Michael S. Ramsey.
90 A special thank you goes to Joyce Reynolds, ISI, and Paul Holbrook,
91 CICnet, for their vision, leadership, and effort in the creation of
92 the first version of this handbook. It is the working group's sincere
93 hope that this version will be as helpful to the community as the
96 1.1 Purpose of this Work
98 This handbook is a guide to setting computer security policies and
99 procedures for sites that have systems on the Internet. This guide
100 lists issues and factors that a site must consider when setting their
101 own policies. It makes some recommendations and provides discussions
104 This guide is only a framework for setting security policies and
105 procedures. In order to have an effective set of policies and
106 procedures, a site will have to make many decisions, gain agreement,
107 and then communicate and implement the policies.
111 The audience for this document are system and network administrators,
112 and decision makers (typically "middle management") at sites. For
113 brevity, we will use the term "administrator" throughout this
114 document to refer to system and network administrators.
116 This document is not directed at programmers or those trying to
117 create secure programs or systems. The focus of this document is on
118 the policies and procedures that need to be in place to support any
119 technical security features that a site may be implementing.
121 The primary audience for this work are sites that are members of the
122 Internet community. However, this document should be useful to any
126 Site Security Working Group [Page 2]
132 Internet Draft Site Security Handbook May 1996
135 site that allows communication with other sites. As a general guide
136 to security policies, this document may also be useful to sites with
141 For the purposes of this guide, a "site" is any organization that
142 owns computers or network-related resources. These resources may
143 include host computers that users use, routers, terminal servers,
144 PC's or other devices that have access to the Internet. A site may
145 be an end user of Internet services or a service provider such as a
146 mid-level network. However, most of the focus of this guide is on
147 those end users of Internet services. We assume that the site has
148 the ability to set policies and procedures for itself with the
149 concurrence and support from those who actually own the resources.
151 The "Internet" is that set of networks and machines which use the
152 TCP/IP protocol suite, connect through gateways, and share common
153 name and address spaces [1].
155 The term "administrator" is used to cover all those people who are
156 responsible for the day-to-day operation of system and network
157 resources. This may be a number of individuals or an organization.
159 The term "decision maker" refers to those people at a site who set or
160 approve policy. These are often (but not always) the people who own
165 The IETF Guidelines for Security Incident Response Working Group
166 (GRIP) is developing a document for security incident response teams.
167 That document provides additional guidance to those organizations
168 planning to develop their own computer security incident response
169 team (CSIRT), including a template that is useful to CSIRTs when
170 describing their policies and services.
172 The Site Security Handbook Working Group is working on a User's Guide
173 to Internet Security. It will provide practical guidance to end users
174 to help them protect their information and the resources they use.
178 This guide is written to provide basic guidance in developing a
179 security plan for your site. One generally accepted approach to
180 follow is suggested by Fites, et. al. [ref] and includes the
183 (1) Identify what you are trying to protect
184 (2) Determine what you are trying to protect it from
185 (3) Determine how likely the threats are
186 (4) Implement measures which will protect your assets in a cost-
188 (5) Review the process continuously and make improvements each time
192 Site Security Working Group [Page 3]
198 Internet Draft Site Security Handbook May 1996
204 Most of this document is focused on item 4 above, but the other steps
205 cannot be avoided if an effective plan is to be established at your
206 site. One old truism in security is that the cost of protecting
207 yourself against a threat should be less than the cost of recovering
208 if the threat were to strike you. Without reasonable knowledge of
209 what you are protecting and what the likely threats are, following
210 this rule could be difficult.
214 1.6.1 General Discussion
216 One of the most important reasons for creating a computer security
217 policy is to ensure that efforts spent on security yield cost
218 effective benefits. Although this may seem obvious, it is possible
219 to be mislead about where the effort is needed. As an example, there
220 is a great deal of publicity about intruders on computers systems;
221 yet most surveys of computer security show that, for most
222 organizations, the actual loss from "insiders" is much greater.
224 Risk analysis involves determining what you need to protect, what you
225 need to protect it from, and how to protect it. It is the process of
226 examining all of your risks, then ranking those risks by level of
227 severity. This process involves making cost-effective decisions on
228 what you want to protect. As mentioned above, you should probably
229 not spend more to protect something than it is actually worth.
231 A full treatment of risk analysis is outside the scope of this
232 document. [3, FITES] and [16, PFLEEGER] provide introductions to
233 this topic. However, there are two elements of a risk analysis that
234 will be briefly covered in the next two sections:
236 (1) Identifying the assets
237 (2) Identifying the threats
239 For each asset, the basic goals of security are availability,
240 confidentiality, and integrity. Each threat should be examined with
241 an eye to how the threat could affect these areas.
243 1.6.2 Identifying the Assets
245 One step in a risk analysis is to identify all the things that need
246 to be protected. Some things are obvious, like valuable proprietary
247 information, intellectual property, and all the various pieces of
248 hardware; but, some are overlooked, such as the people who actually
249 use the systems. The essential point is to list all things that could
250 be affected by a security problem.
252 One list of categories is suggested by Pfleeger [16, PFLEEGER, page
253 459]; this list is adapted from that source:
258 Site Security Working Group [Page 4]
264 Internet Draft Site Security Handbook May 1996
267 (1) Hardware: CPUs, boards, keyboards, terminals,
268 workstations, personal computers, printers, disk
269 drives, communication lines, terminal servers, routers.
271 (2) Software: source programs, object programs,
272 utilities, diagnostic programs, operating systems,
273 communication programs.
275 (3) Data: during execution, stored on-line, archived off-line,
276 backups, audit logs, databases, in transit over
279 (4) People: users, administrators.
281 (5) Documentation: on programs, hardware, systems, local
282 administrative procedures.
284 (6) Supplies: paper, forms, ribbons, magnetic media.
286 1.6.3 Identifying the Threats
288 Once the assets requiring protection are identified, it is necessary
289 to identify threats to those assests. The threats can then be
290 examined to determine what potential for loss exists. It helps to
291 consider from what threats you are trying to protect your assets.
292 The following are classic threats that should be considered.
293 Depending on your site, there will be more specific threats that
294 should be identified and addressed.
296 (1) Unauthorized access to resources and/or information
297 (2) Disclosure of information
298 (3) Denial of service
302 2.1 What is a Computer Security Policy and Why Have One?
304 The security-related decisions you make, or fail to make, as network
305 administrator largely determines how secure or insecure your network
306 is, how much functionality your network offers, and how easy your
307 network is to use. However, you cannot make good decisions about
308 security without first determining what your security goals are.
309 Until you determine what your security goals are, you cannot make
310 effective use of any collection of security tools because you simply
311 will not know what to check for and what restrictions to impose.
313 For example, your goals will probably be very different from the
314 goals of a product vendor. Vendors are trying to make configuration
315 and operation of their products as simple as possible, which implies
316 that the default configurations will often be as open (i.e.,
317 insecure) as possible. While this does make it easier to install new
318 products, it also leaves access to those systems, and other systems
319 through them, open to any user who wanders by.
324 Site Security Working Group [Page 5]
330 Internet Draft Site Security Handbook May 1996
333 Your goals will be largely determined by the following key tradeoffs:
335 (1) services offered vs. security provided -
336 Each service offered to users carries its own security risks.
337 For some services the risk outweighs the benefit of the service
338 and the administrator may choose to eliminate the service rather
339 than try to secure it.
341 (2) ease of use vs. security -
342 The easiest system to use would allow access to any user and requi=
344 no passwords; that is, there would be no security. Requiring
345 passwords makes the system a little less convenient, but more secu=
347 Requiring device-generated one-time passwords makes the system eve=
349 more difficult to use, but much more secure.
351 (3) cost of security vs. risk of loss -
352 There are many different costs to security: monetary (i.e., the
353 cost of purchasing security hardware and software like firewalls
354 and one-time password generators), performance (i.e., encryption
355 and decryption take time), and ease of use (as mentioned above).
356 There are also many levels of risk: loss of privacy (i.e., the
357 reading of information by unauthorized individuals), loss of
358 data (i.e., the corruption or erasure of information), and the
359 loss of service (e.g., the filling of data storage space, usage
360 of computational resources, and denial of network access). Each
361 type of cost must be weighed against each type of loss.
364 Your goals should be communicated to all users, operations staff, and
365 managers through a set of security rules, called a "computer security
368 2.1.1 Definition of a Computer Security Policy
370 A computer security policy is a formal statement of the rules by
371 which people who are given access to an organization's technology and
372 information assets must abide.
374 2.1.2 Purposes of a Computer Security Policy
376 The main purpose of a computer security policy is to inform users,
377 staff and managers of their obligatory requirements for protecting
378 technology and information assets. The policy should specify the
379 mechanisms through which these requirements can be met. Another
380 purpose is to provide a baseline from which to acquire, configure and
381 audit computer systems and networks for compliance with the policy.
382 Therefore an attempt to use a set of security tools in the absence of
383 at least an implied security policy is meaningless.
385 An Appropriate Use Policy (AUP) may also be part of a security
386 policy. It should spell out what users may and may not do on the
387 various components of the system, including the type of traffic
388 allowed on the networks. The AUP should be as explicit as possible
389 to avoid ambiguity or misunderstanding. For example, an AUP might
393 Site Security Working Group [Page 6]
399 Internet Draft Site Security Handbook May 1996
402 list any prohibited USENET newsgroups.
404 2.1.3 Who Should be Involved When Forming Policy?
406 In order for a security policy to be appropriate and effective, it
407 needs to have the acceptance and support of all levels of employees
408 within the organization. The following is a list of individuals who
409 should be involved in the creation and review of security policy
412 (1) site security administrator
414 (3) computing center personnel
415 (4) administrators of large user groups within the organization
416 (e.g., business divisions, computer science department within a
418 (5) security incident response team
419 (6) representatives of the user groups affected by the security policy
421 The list of above is representative of many organizations, but is not
422 necessarily comprehensive. The idea is to bring in representation
423 from key stakeholders, management who have budget and policy
424 authority, technical staff who know what can and cannot be supported,
425 and legal counsel who know the legal ramifications of various policy
426 choices. In some organizations, it may be appropriate to include
427 audit personnel. Involving this group is important if resulting
428 policy statements are to reach the broadest possible acceptance.
430 2.2 What Makes a Good Computer Security Policy?
432 The characteristics of a good security policy are:
434 (1) It must be implementable through system administration
435 procedures, publishing of acceptable use guidelines, or other
438 (2) It must be enforcible with security tools, where appropriate,
439 and with sanctions, where actual prevention is not technically
442 (3) It must clearly define the areas of responsibility for the
443 users, staff, and administrators.
445 The components of a good security policy include:
447 (1) Computer Technology Purchasing Guidelines which specify required,
448 or preferred, security features. These should supplement existing
449 purchasing policies and guidelines.
451 (2) A Privacy Policy which defines reasonable expectations of privacy
452 regarding such issues as monitoring of electronic mail, logging of
453 keystrokes, and access to users' files.
455 (3) An Access Policy which defines access rights and privileges to
459 Site Security Working Group [Page 7]
465 Internet Draft Site Security Handbook May 1996
468 protect assets from loss or disclosure by specifying acceptable us=
470 guidelines for users, operations staff, and management. It should
471 provide guidelines for external connections, data communications,
472 connecting devices to a network, and adding new software to
473 systems. It should also specify any required notification message=
475 (e.g., connect messages should provide warnings about authorized
476 usage and line monitoring, and not simply say "Welcome").
478 (4) An Accountability Policy which defines the responsibilities of use=
480 operations staff, and management. It should specify an audit
481 capability, and provide incident handling guidelines (i.e., what t=
483 do and who to contact if a possible intrusion is detected).
485 (5) An Authentication Policy which establishes trust through an effect=
487 password policy, and by setting guidelines for remote location
488 authentication and the use of authentication devices (e.g., one-ti=
490 passwords and the devices that generate them).
492 (6) An Availability statement which sets users' expectations for the
493 availability of resources. It should address redundancy and recov=
495 issues, as well as specify operating hours and maintenance down-ti=
497 periods. It should also include contact information for reporting
498 system and network failures.
500 (7) A Violations Reporting Policy that indicates which types of
501 violations (e.g., privacy and security, internal and external)
502 must be reported and to whom the reports are made. A
503 non-threatening atmosphere and the possibility of anonymous report=
505 will result in a greater probability that a violation will be
506 reported if it is detected.
508 (8) Supporting Information which provides users, staff, and management
509 with contact information for each type of policy violation;
510 guidelines on how to handle outside queries about a security incid=
512 or information which may be considered confidential or proprietary=
514 and cross-references to security procedures and related informatio=
516 such as company policies and regulatory requirements (federal, sta=
520 There may be regulatory requirements that affect some aspects of your
521 security policy (e.g., line monitoring). The creators of the
522 security policy should consider seeking legal assistance in the
523 creation of the policy. At a minimum, the policy should be reviewed
526 Once your computer security policy has been established it should be
527 clearly communicated to users, staff, and management. Having all
528 personnel sign a statement indicating that they have read,
529 understood, and agreed to abide by the policy is an important part of
530 the process. Finally, your policy should be reviewed on a regular
531 basis to see if it is successfully supporting your security needs.
533 2.3 Keeping the Policy Flexible
538 Site Security Working Group [Page 8]
544 Internet Draft Site Security Handbook May 1996
547 In order for a security policy to be viable for the long term, it
548 requires a lot of flexibility. The mechanisms for updating the
549 policy should be clearly spelled out. This includes the process, the
550 people involved, and the people who must sign-off on the changes.
552 It is also important to recognize that there are exceptions to every
553 rule. Whenever possible, the policy should spell out what exceptions
554 to the general policy exist. For example, under what conditions is a
555 system administrator allowed to go through a user's files. Also,
556 there may be some cases when multiple users will have access to the
557 same userid. For example, on systems with a "root" user, multiple
558 system administrators may know the password and use the root account.
560 Another consideration is called the "Garbage Truck Syndrome." This
561 refers to what would happen to a site if a key person was suddenly
562 unavailable for his/her job function (e.g., was suddenly ill or left
563 the company unexpectedly). While the greatest security resides in
564 the minimum dissemination of information, the risk of losing critical
565 information increases when that information is not shared. It is
566 necessary to determine what the proper balance is for your site.
572 3.1.1 Completely defined security plans
574 Defining a comprehensive security plan should be done by all sites.
575 This plan should be at a higher level than the specific policies
576 discussed in section 2. It should be crafted as a framework of broad
577 guidelines into which specific policies will fit.
579 It is important to have this framework in place so that individual
580 policies can be consistant with the overall site security
581 architecture. For example, having a strong policy with regard to
582 Internet access and having weak restrictions on modem usage is
583 inconsistent with an overall philosophy of strong security
584 restrictions on external access.
586 A security policy should contain, at a minimum: a list of services
587 which are currently, or will be, provided; who will have access to
588 those services; how access will be provided; who will administer
589 those services; etc. It is also important to define any limitations
590 on which portions of an organization can provide certain services.
592 Another aspect of the plan should concern incident handling. Chapter
593 5 provides an in-depth discussion of responses to incidents, but it
594 is important to define classes of incidents and define responses to
595 each class of incident. For sites with firewalls, how many attempts
596 to foil the firewall will trigger a response? Are there levels of
597 escallation in both attacks and responses? For sites without
598 firewalls, does a single attempt to connect constitute an incident?
599 How about a systematic scan of machines?
604 Site Security Working Group [Page 9]
610 Internet Draft Site Security Handbook May 1996
613 For sites connected to the Internet, the rampant media glorification
614 of Internet related security incidents can overshadow a (potentially)
615 more serious internal security problem. Likewise, companies who have
616 never been on the Internet before, may have strong, well defined,
617 internal policies but fail to adequately address an external
620 3.1.2 Separation of Services
622 There are many services which a site may wish to provide for its
623 users, some of which may be external. There are a variety of
624 security reasons to attempt to isolate services onto dedicated
625 machines. There are also performance reasons in most cases, but a
626 detailed discussion is beyond to scope of this document.
628 The services which a site may provide will, in most cases, have
629 different levels of access needs and models of trust. Services which
630 are essential to the security or smooth operation of a site would be
631 better off being placed on a dedicated machine with very limited
632 access (see Section 3.1.3 "deny all" model), rather than on a machine
633 which provides a service (or services) which has traditionally been
634 less secure, or requires greater accessability by users who may
635 accidentally suborn security.
637 It is also important to distinguish between machines which operate
638 within different models of trust, i.e., all the machines inside of a
639 firewall and any machines on an exposed network.
641 Some of the services which should be examined for potential
642 separation are outlined in section 3.2.3. It is important to try to
643 understand that security is only as strong as the weakest link in the
644 chain. Several of the most publicized penetrations in recent years
645 has been through the electronic mail systems of machines. The
646 intruders were not trying to steal electronic mail, but they used the
647 vulnerability in that system to gain access to other systems.
649 If possible, each service should be running on a different machine
650 whose only duty is to provide a specific service. This helps to
651 isolate intruders and limit potential harm.
653 3.1.3 Deny all/ Allow all
655 There are two diametrically opposed underlying philosophies which can
656 be adopted in defining a security plan. Both alternatives are
657 legitimate models to adopt, depending on the site and its needs for
660 The first option is to turn off all services and then selectively
661 enable services on a case by case basis, be it at the machine or
662 network level, as they are needed. This model, which will here after
663 be referred to as the "deny all" model, is generally more secure.
664 More work is required to successfully implement a "deny all"
665 configuration and usually a better understanding of services. Only
666 allowing known services allows a better analysis of a particular
670 Site Security Working Group [Page 10]
676 Internet Draft Site Security Handbook May 1996
679 service/protocol and the design of a security mechanism suited to the
680 security level of the site.
682 The other model, which will here after be referred to as the "allow
683 all" model, is much easier to implement, but is generally less secure
684 than the "deny all" model. Simply turn on all services, usually the
685 default at the host level, and allow all protocols to travel across
686 network boundaries, usually the default at the router level. As
687 security holes become apparent, they are patched at either the host
690 Each of these models can be applied to different portions of the
691 site, depending on functionality requirements, administrative
692 control, site policy, etc. For example, the policy may be to use the
693 "allow all" model when setting up workstations for general use, but
694 adopt a "deny all" model when setting up information servers, like an
695 email hub. Likewise, an "allow all" policy may be adopted for
696 traffic between LAN's internal to the site, but a "deny all" policy
697 can be adopted between the site and the Internet.
699 Be careful when mixing philosophies as in the examples above. Many
700 sites adopt the M & M theory of a hard "crunchy" shell and a soft
701 "squishy" middle. They are willing to pay the cost of security for
702 their external traffic and require strong security measures, but are
703 unwilling or unable to provide similar protections internally. This
704 works fine as long as the outer defenses are never breached and the
705 internal users can be trusted. Once the outer shell (firewall) is
706 breached, subverting the internal network is trivial.
708 3.1.4 Identify real needs for services
710 There is a large variety of services which may be provided, both
711 internally and on the Internet at large. Managing security is, in
712 many ways, managing access to services internal to the site and
713 managing how internal users access information at remote sites.
715 Services tend to rush like waves over the Internet. Over the years
716 many sites have established anonymous FTP servers, gopher servers,
717 wais servers, WWW servers, etc. as they became popular, but not
718 particularly needed, at all sites. Evaluate all new services that
719 are established with a skeptical attitude to determine if they are
720 actually needed or just the current fad sweeping the Internet.
722 Bear in mind that security complexity can grow exponentially with the
723 number of services provided. Filtering routers need to be modified
724 to support the new protocols. Some protocols are inherently
725 difficult to filter safely (e.g., RPC and UDP services), thus
726 providing more openings to the internal network. Services provided
727 on the same machine can interact in catastrophic ways. For example,
728 allowing anonymous FTP on the same machine as the WWW server may
729 allow an intruder to place a file in the anonymous FTP area and cause
730 the HTTP server to execute it.
732 3.2 Network and Service Configuration
736 Site Security Working Group [Page 11]
742 Internet Draft Site Security Handbook May 1996
745 3.2.1 Protecting the Infrastructure
747 Many network administrators go to great lengths to protect the hosts
748 on their networks. Few administrators make any effort to protect the
749 networks themselves. There is some rationale to this. For example,
750 it is far easier to protect a host than a network. Also, intruders
751 are likely to be after data on the hosts; damaging the network would
752 not serve their purposes. That said, there are still reasons to
753 protect the networks. For example, an intruder might divert network
754 traffic through an outside host in order to examine the data (i.e.,
755 to search for passwords). Also, infrastructure includes more than
756 the networks and the routers which interconnect them. Infrastructure
757 also includes network management (e.g., SNMP), services (e.g., DNS,
758 NFS, NTP, WWW), and security (i.e., user authentication and access
761 The infrastructure also needs protection against human error. When
762 an administrator misconfigures a host, that host may offer degraded
763 service. This only affects users who require that host and, unless
764 that host is a primary server, the number of affected users will
765 therefore be limited. However, if a router is misconfigured, all
766 users who require the network will be affected. Obviously, this is a
767 far larger number of users than those depending on any one host.
769 3.2.2 Protecting the Network
771 There are several problems to which networks are vulnerable. The
772 classic is a "denial of service" attack. In this case, the network
773 is brought to a state in which it can no longer carry legitimate
774 users' data. There are two common ways this can be done: by
775 attacking the routers and by flooding the network with extraneous
776 traffic. An attack on the router is designed to cause it to stop
777 forwarding packets, or to forward them improperly. The former case
778 may be due to a misconfiguration, the injection of a spurious routing
779 update, or a "flood attack" (i.e., the router is bombarded with
780 unroutable packets, causing its performance to degrade). A flood
781 attack on a network is similar to a flood attack on a router, except
782 that the flood packets are usually broadcast. An ideal flood attack
783 would be the injection of a single packet which exploits some known
784 flaw in the network nodes and causes them to retransmit the packet,
785 or generate error packets, each of which is picked up and repeated by
786 another host. A well chosen attack packet can even generate an
787 exponential explosion of transmissions.
789 Another classic problem is "spoofing." In this case, spurious
790 routing updates are sent to one or more routers causing them to
791 misroute packets. This differs from a denial of service attack only
792 in the purpose behind the spurious route. In denial of service, the
793 object is to make the router unusable; a state which will be quickly
794 detected by network users. In spoofing, the spurious route will
795 cause packets to be routed to a host from which an intruder may
796 monitor the data in the packets. These packets are then re-routed to
797 their correct destinations. However, the intruder may or may not
798 have altered the contents of the packets.
802 Site Security Working Group [Page 12]
808 Internet Draft Site Security Handbook May 1996
811 The solution to most of these problems is to protect the routing
812 update packets sent by the routing protocols in use (e.g., RIP-2,
813 OSPF). There are three levels of protection: clear-text password,
814 cryptographic checksum, and encryption. Passwords offer only minimal
815 protection against intruders who do not have direct access to the
816 physical networks. Passwords also offer some protection against
817 misconfigured routers (i.e, routers which, out of the box, attempt to
818 route packets). The advantage of passwords is that they have a very
819 low overhead, in both bandwidth and CPU consumption. Checksums
820 protect against the injection of spurious packets, even if the
821 intruder has direct access to the physical network. Combined with a
822 sequence number, or other unique identifier, a checksum can also
823 protect again "replay" attacks, wherein an old (but valid at the
824 time) routing update is retransmitted by either an intruder or a
825 misbehaving router. The most security is provided by complete
826 encryption of sequenced, or uniquely identified, routing updates.
827 This prevents an intruder from determining the topology of the
828 network. The disadvantage to encryption is the overhead involved in
829 processing the updates.
831 RIP-2 (RFC 1723) and OSPF (RFC 1583) both support clear-text
832 passwords in their base design specifications. In addition, there
833 are extensions to each base protocol to support MD5 encryption.
835 Unfortunately, there is no adequate protection against a flooding
836 attack, or a misbehaving host or router which is flooding the
837 network. Fortunately, this type of attack is obvious when it occurs
838 and can usually be terminated relatively simply.
840 3.2.3 Protecting the Services
842 There are many types of services and each has its own security
843 requirements. These requirements will vary based on the intended use
844 of the service. For example, a service which should only be usable
845 within a site (e.g., NFS) may require different protection mechanisms
846 than a service provided for external use. It may be sufficient to
847 protect the internal server from external access. However, a WWW
848 server, which provides a home page intended for viewing by users
849 anywhere on the Internet, requires built-in protection. That is, the
850 service/protocol/server must provide whatever security may be
851 required to prevent unauthorized access and modification of the Web
854 Internal services (i.e., services meant to be used only by users
855 within a site) and external services (i.e., services deliberately
856 made available to users outside a site) will, in general, have
857 protection requirements which differ as previously described. It is
858 therefore wise to isolate the internal services to one set of server
859 machines and the external services to another set of server machines.
860 That is, internal and external servers should not be co-located. In
861 fact, many sites go so far as to have one set of subnets (or even
862 different networks) which are accessible from the outside and another
863 set which may be accessed only within the site. Of course, there is
864 usually a firewall which connects these partitions. Great care must
868 Site Security Working Group [Page 13]
874 Internet Draft Site Security Handbook May 1996
877 be taken to ensure that such a firewall is operating properly.
879 One form of external service deserves some special consideration, and
880 that is anonymous, or guest, access. This may be either anonymous
881 FTP or guest (unauthenticated) login. It is extremely important to
882 ensure that anonymous FTP servers and guest login userids are
883 carefully isolated from any hosts and file systems from which outside
884 users should be kept. Another area to which special attention must
885 be paid concerns anonymous, writable access. A site may be legally
886 responsible for the content of publicly available information, so
887 careful monitoring of the information deposited by anonymous users is
890 Now we shall consider some of the most popular services: name
891 service, password/key service, authentication/proxy service,
892 electronic mail, WWW, file transfer, and NFS. Since these are the
893 most frequently used services, they are the most obvious points of
894 attack. Also, a successful attack on one of these services can
895 produce disaster all out of proportion to the innocence of the basic
898 3.2.3.1 Name Servers (DNS and NIS(+))
900 The Internet uses the Domain Name System (DNS) to perform address
901 resolution for host and network names. The Network Information
902 Service (NIS) and NIS+ are not used on the global Internet, but are
903 subject to the same risks as a DNS server. Name-to-address
904 resolution is critical to the secure operation of any network. An
905 attacker who can successfully control or impersonate a DNS server can
906 re-route traffic to subvert security protections. For example,
907 routine traffic can be diverted to a compromised system to be
908 monitored; or, users can be tricked into providing authentication
909 secrets. An organization should create well known, protected sites
910 to act as secondary name servers and protect their DNS masters from
911 denial of service attacks using filtering routers.
913 3.2.3.2 Password/Key Servers (NIS(+) and KDC)
915 Password and key servers generally protect their vital information
916 (i.e., the passwords and keys) with encryption algorithms. However,
917 even a one-way encrypted password can be determined by a dictionary
918 attack (wherein common words are encrypted to see if they match the
919 stored encryption). It is therefore necessary to ensure that these
920 servers are not accessable by hosts which do not plan to use them for
921 the service, and even those hosts should only be able to access the
922 service (i.e., general services, such as Telnet and FTP, should not
923 be allowed by anyone other than administrators).
925 3.2.3.3 Authentication/Proxy Servers (SOCKS, FWTK)
927 A proxy server provides a number of security enhancements. It allows
928 sites to concentrate services through a specific host to allow
929 monitoring, hiding of internal structure, etc. This funnelling of
930 services creates an attractive target for a potential intruder. The
934 Site Security Working Group [Page 14]
940 Internet Draft Site Security Handbook May 1996
943 type of protection required for a proxy server depends greatly on the
944 proxy protocol in use and the services being proxied. The general
945 rule of limiting access only to those hosts which need the services,
946 and limiting access by those hosts to only those services, is a good
949 3.2.3.4 Electronic Mail
951 Electronic mail (email) systems have long been a source for intruder
952 break-ins because email protocols are among the oldest and most
953 widely deployed services. Also, by it's very nature, an email server
954 requires access to the outside world; most email servers accept input
955 from any source. An email server generally consists of two parts: a
956 receiving/sending agent and a processing agent. Since email is
957 delivered to all users, and is usually private, the processing agent
958 typically requires system (root) privileges to deliver the mail.
959 Most email implementations perform both portions of the service,
960 which means the receiving agent also has system privileges. This
961 opens several security holes which this document will not describe.
962 There are some implementations available which allow a separation of
963 the two agents. Such implementations are generally considered more
964 secure, but still require careful installation to avoid creating a
967 3.2.3.5 World Wide Web (WWW)
969 The Web is growing in popularity exponentially because of its ease of
970 use and the powerful abilities to concentrate information services.
971 Most WWW servers take some directions and actions from the persons
972 accessing their services. The most common example is taking a
973 request from a remote user and passing the provided information to a
974 program running on the server to process the request. Some of these
975 programs are not written with security in mind and can create
976 security holes. If a Web server is available to the Internet
977 community, it is especially important that confidential information
978 not be co-located on the same host as the server. In fact, it is
979 recommended that the server have a dedicated host which is not
980 "trusted" by other internal hosts. It may be co-located with an
981 anonymous FTP server, since both protocols share common security
984 3.2.3.6 File Transfer (FTP, TFTP)
986 FTP and TFTP both allow users to receive and send electronic files in
987 a point-to-point manner. However, FTP requires authentication while
988 TFTP requires none. For this reason, TFTP should be avoided as much
991 Improperly configured FTP servers can allow intruders to copy,
992 replace and delete files at will, anywhere on a host, so it is very
993 important to configure this service correctly. Access to encrypted
994 passwords and proprietary data, and the introduction of trojan horses
995 are just a few of the potential security holes that can occur when
996 the service is configured incorrectly. FTP servers should reside on
1000 Site Security Working Group [Page 15]
1006 Internet Draft Site Security Handbook May 1996
1009 their own host, or perhaps be co-located with a Web server, since the
1010 two protocols share common security considerations. As mentioned in
1011 the opening paragraphs of section 3.2.3, services offered internally
1012 to your site should not be co-located with services offered
1013 externally. Each should have its own host.
1015 TFTP does not support the same range of functions and has no security
1016 whatsoever. This service should only be considered for internal use,
1017 and then it should be configured in a restricted way so that the
1018 server only has access to a set of predetermined files (instead of
1019 every world-readable file on the system). Probably the most common
1020 usage of TFTP is for downloading router configuration files to a
1021 router. TFTP should reside on its own host, and should not be
1022 installed on hosts supporting external FTP or Web access.
1026 The Network File Service allows hosts to share common disks. NFS is
1027 most frequently used by diskless hosts who depend on a disk server
1028 for all of their storage needs. Unfortunately, NFS has no built-in
1029 security. It is therefore necessary that the NFS server be
1030 accessable only by those hosts which are using it for service. It is
1031 especially important that external hosts be unable to reach the NFS
1032 host by any means. Ideally, such access attempts would be stopped by
1035 3.2.4 Protecting the Protection
1037 It is amazing how often a site will overlook the most obvious
1038 weakness in its security by leaving the security server itself open
1039 to attack. Based on considerations previously discussed, it should
1040 be clear that: the security server should not be accessible from
1041 off-site; should offer minimum access, except for the authentication
1042 function, to users on-site; and should not be co-located with any
1043 other servers. Further, all access to the node, including access to
1044 the service itself, should be logged to provide a "paper trail" in
1045 the event of a security breach.
1049 One of the most widely deployed and publicized security measures in
1050 use on the Internet is a "firewall." Firewalls have been given the
1051 reputation of a general panacea for many, if not all, of the Internet
1052 security issues. They are not. Firewalls are just another tool in
1053 the quest for system security. They provide a certain level of
1054 protection and are, in general, a way of implementing security policy
1055 at the network level. The level of security that a firewall provides
1056 can vary as much as the level of security on a particular machine.
1057 There are the traditional trade-offs between security, ease of use,
1058 cost, complexity, etc.
1060 A firewall is any one of several mechanisms used to control and watch
1061 access to and from a network for the purpose of protecting it. A
1062 firewall acts as a gateway through which all traffic to and from the
1066 Site Security Working Group [Page 16]
1072 Internet Draft Site Security Handbook May 1996
1075 protected network or machines passes. Firewalls help to place
1076 limitations on the amount and type of communication that takes place
1077 between the protected network and the another network (e.g., the
1078 Internet, or another piece of the site's network).
1080 A firewall is generally a way to build a wall between one part of a
1081 network, a company=D5s internal network, for example, and another part,
1082 the global Internet, for example. The unique feature about this wall
1083 is that there needs to be ways for some traffic with particular
1084 characteristics to pass through carefully monitored doors
1085 ("gateways"). The difficult part is to establish the criteria by
1086 which the packets are allowed or denied access through the doors.
1087 Different books written on firewalls use different terminology to
1088 describe the various forms of firewalls. This can be confusing to
1089 system administrators who are not familiar with firewalls. The thing
1090 to note here is that there is no fixed terminology for the
1091 description of firewalls.
1093 Firewalls are not always, or even typically, a single machine, but in
1094 general are a combination of routers, networks, and host machines, so
1095 for the purposes of this discussion, the term "firewall" can consist
1096 of more than one physical device. Firewalls are typically built
1097 using two different components, filtering routers and proxy servers.
1099 Filtering routers are the easiest component to conceptualize in a
1100 firewall. A router moves data back and forth between two (or more)
1101 different networks. A "normal" router takes a packet from network A
1102 and "routes" it to its destination on network B. A filtering router
1103 does the same thing but decides not only how to route the packet, but
1104 should it route the packet. This is done by installing a series of
1105 filters by which the router decides what to do with any given packet
1108 A discussion concerning capabilities of a particular brand of router,
1109 running a particular software version is outside the scope of this
1110 document. However, when evaluating a router to be used for filtering
1111 packets, the following criteria can be important when implementing a
1112 filtering policy: source and destination IP address, source and
1113 destination TCP port numbers, state of the TCP "ack" bit, UDP source
1114 and destination port numbers, and direction of packet flow (i.e.. A-
1115 >B or B->A). Other information necessary to construct a secure
1116 filtering scheme are whether the router reorders filter instructions
1117 (designed to optimize filters, this can sometimes change the meaning
1118 and cause unintended access), and whether it is possible to apply
1119 filters for inbound and outbound packets on each interface (if the
1120 router filters only outbound packets then the router is "outside" of
1121 its filters and may be more vulnerable to attack). In addition to
1122 the router being vulnerable, this distinction between applying
1123 filters on inbound or outbound packets is especially relevant for
1124 routers with more than 2 interfaces. Other important issues are the
1125 ability to create filters based on IP header options and the fragment
1126 state of a packet. Building a good filter can be very difficult and
1127 requires a good understanding of the type of services (protocols)
1128 that will be filtered.
1132 Site Security Working Group [Page 17]
1138 Internet Draft Site Security Handbook May 1996
1141 For better security, the filters usually restrict access between the
1142 two connected nets to just one host, the bastion host. It is only
1143 possible to access the other network via this bastion host. As only
1144 this host, rather than a few hundred hosts, can get attacked, it is
1145 easier to maintain a certain level of security because only this host
1146 has to be protected very carefully. To make resources available to
1147 legitimate users across this firewall, services have to be forwarded
1148 by the bastion host. Some servers have forwarding built in (like
1149 DNS-servers or SMTP-servers), for other services (e.g., Telnet, FTP,
1150 etc.), proxy servers can be used to allow access to the resources
1151 across the firewall in a secure way.
1153 A proxy server is way to concentrate application services through a
1154 single machine. There is typically a single machine (the bastion
1155 host) that acts as a proxy server for a variety of protocols (Telnet,
1156 SMTP, FTP, HTTP, etc.) but there can be individual machines for each
1157 service. Instead of connecting directly to an external server, the
1158 client connects to the proxy server which in turn initiates a
1159 connection to the requested external server. Depending on the type
1160 of proxy server used, it is possible to configure internal clients to
1161 perform this redirection automatically, without knowledge to the
1162 user, others might require that the user connect directly to the
1163 proxy server and then initiate the connection through a specified
1166 There are significant security benefits which can be derived from
1167 using proxy servers. It is possible to add access control lists to
1168 protocols, requiring users or machines to provide some level of
1169 authentication before access is granted. Smarter proxy servers,
1170 sometimes called Application Layer Gateways (ALGs), can be written
1171 which understand specific protocols and can be configured to block
1172 only subsections of the protocol. For example, an ALG for FTP can
1173 tell the difference between the "put" command and the "get" command;
1174 an organization may wish to allow users to "get" files from the
1175 Internet, but not be able to "put" internal files on a remote server.
1176 By contrast, a filtering router could either block all FTP access, or
1177 none, but not a subset.
1179 Proxy servers can also be configured to encrypt data streams based on
1180 a variety of parameters. An organization might use this feature to
1181 allow encrypted connections between two locations whose sole access
1182 points are on the Internet.
1184 Firewalls are typically thought of as a way to keep intruders out,
1185 but they are also often used as a way to let legitimate users into a
1186 site. There are many examples where a valid user might need to
1187 regularly access the "home" site while on travel to trade shows and
1188 conferences, etc. Access to the Internet is often available but may
1189 be through an untrusted machine or network. A correctly configured
1190 proxy server can allow the correct users into the site while still
1191 denying access to other users.
1193 The current best effort in firewall techniques is found using a
1194 combination of a pair of screening routers with one or more proxy
1198 Site Security Working Group [Page 18]
1204 Internet Draft Site Security Handbook May 1996
1207 servers on a network between the two routers. This setup allows the
1208 external router to block off any attempts to use the underlying IP
1209 layer to break security (IP spoofing, source routing, packet
1210 fragments), while allowing the proxy server to handle potential
1211 security holes in the higher layer protocols. The internal router's
1212 purpose is to block all traffic except to the proxy server. If this
1213 setup is rigidly implemented, a high level of security can be
1216 Most firewalls provide logging which can be tuned to make security
1217 administration of the network more convenient. Logging may be
1218 centralized and the system may be configured to send out alerts for
1219 abnormal conditions. It is important to regularly monitor these logs
1220 for any signs of intrusions or break-in attempts. Since some
1221 intruders will attempt to cover their tracks by editing logs, it is
1222 desirable to protect these logs. A variety of methods is available,
1223 including: write once, read many (WORM) drives; papers logs; and
1224 centralized logging via the "syslog" utility. Another technique is
1225 to use a "fake" serial printer, but have the serial port connected to
1226 an isolated machine or PC which keeps the logs.
1228 Firewalls are available in a wide range of quality and strengths.
1229 Commercial packages start at approximately $10,000US and go up to
1230 over $250,000US. "Home grown" firewalls can be built for smaller
1231 amounts of capital. It should be remembered that the correct setup
1232 of a firewall (commercial or homegrown) requires a significant amount
1233 of skill and knowledge of TCP/IP. Both types require regular
1234 maintenance, installation of software patches and updates, and
1235 regular monitoring. When budgeting for a firewall, these additional
1236 costs should be considered in addition to the cost of the physical
1237 elements of the firewall.
1239 As an aside, building a "home grown" firewall requires a significant
1240 amount of skill and knowledge of TCP/IP. It should not be trivially
1241 attempted because a perceived sense of security is worse in the long
1242 run than knowing that there is no security. As with all security
1243 measures, it is important to decide on the threat, the value of the
1244 assets to be protected, and the costs to implement security.
1246 A final note about firewalls. They can be a great aid when
1247 implementing security for a site and they protect against a large
1248 variety of attacks. But it is important to keep in mind that they
1249 are only one part of the solution. They cannot protect your site
1250 against all types of attack.
1252 4. Security Services and Procedures
1254 This chapter guides the reader through a number of topics that should
1255 be addressed when securing a site. Each section touches on a
1256 security service or capability that may be required to protect the
1257 information and systems at a site. These are presented at a fairly
1258 high-level to introduce the reader to the concepts.
1260 Throughout the chapter, you will find considerable mention of
1264 Site Security Working Group [Page 19]
1270 Internet Draft Site Security Handbook May 1996
1273 cryptography. It is outside the scope of this document to delve into
1274 details concerning cryptography, but the interested reader can obtain
1275 more information from books and articles listed in the reference
1276 section of this document.
1280 For many years, the prescribed method for authenticating users has
1281 been through the use of standard, reusable passwords. Originally,
1282 these passwords were used by users at terminals to authenticate
1283 themselves to a central computer. At the time, there were no
1284 networks (internally or externally), so the risk of disclosure of the
1285 clear text password was minimal. Today, systems are connected
1286 together through local networks, and these local networks are further
1287 connected together and to the Internet. Users are logging in from
1288 all over the globe; their reusable passwords are often transmitted
1289 across those same networks in clear text, ripe for anyone in-between
1290 to capture. And indeed, the CERT Coordination Center and other
1291 response teams are seeing a tremendous number of incidents involving
1292 packet sniffers which are capturing the clear text passwords. To
1293 address this threat, we are including sections on better
1294 technologies, like one-time passwords and Kerberos.
1296 With the advent of newer technologies like one-time passwords (e.g.,
1297 S/Key), PGP, and token-based authentication devices, people are using
1298 password-like strings as secret tokens and pins. We are including a
1299 discussion on these since they are the foundation upon which stronger
1300 authentication techniques are based. If these secret tokens and pins
1301 are not properly selected and protected, the authentication will be
1304 4.1.1 One-Time passwords
1306 As mentioned above, given today's networked environments, it is
1307 recommended that sites concerned about the security and integrity of
1308 their systems and networks consider moving away from standard,
1309 reusable passwords. There have been many incidents involving Trojan
1310 network programs (e.g., telnet and rlogin) and network packet
1311 sniffing programs. These programs capture clear text
1312 hostname/account name/password triplets. Intruders can use the
1313 captured information for subsequent access to those hosts and
1314 accounts. This is possible because 1) the password is used over and
1315 over (hence the term "reusable"), and 2) the password passes across
1316 the network in clear text.
1318 Several authentication techniques have been developed that address
1319 this problem. Among these techniques are challenge-response
1320 technologies that provide passwords that are only used once (commonly
1321 called one-time passwords). This document provides a list of sources
1322 for products that provide this capability. The decision to use a
1323 product is the responsibility of each organization, and each
1324 organization should perform its own evaluation and selection.
1330 Site Security Working Group [Page 20]
1336 Internet Draft Site Security Handbook May 1996
1339 Kerberos is a distributed network security system which provides for
1340 authentication across unsecured networks. If requested by the
1341 application, integrity and encryption can also be provided. Kerberos
1342 was originally developed at the Massachusetts Institute of Technology
1343 (MIT) in the late 1980's. There are two major releases of Kerberos,
1344 version 4 and 5, which are for practical purposes, incompatible.
1346 Kerberos relies on a symmetric key database using a key distribution
1347 center (KDC) which is known as the Kerberos server. A user or
1348 service (known as "principals") are granted electronic "tickets"
1349 after properly communicating with the KDC. These tickets are used
1350 for authentication between principals. All tickets include a time
1351 stamp which limits the time period for which the ticket is valid.
1352 Therefore, Kerberos clients and server must have a secure time
1353 source, and be able to keep time accurately.
1355 The practical side of Kerberos is its integration with the
1356 application level. Typical applications like FTP, telnet, POP, and
1357 NFS have been integrated with the Kerberos system. There are a
1358 variety of implementations which have varying levels of integration.
1359 Please see the Kerberos FAQ available at http://www.ov.com/misc/krb-
1360 faq.html for the latest information.
1362 4.1.3 Choosing and Protecting Secret Tokens and PINs
1364 When selecting secret tokens, take care to choose them carefully.
1365 Like the selection of passwords, they should be robust against brute
1366 force efforts to guess them. That is, they should not be single
1367 words in any language, any common, industry, or cultural acronyms,
1368 etc. Ideally, they will be longer rather than shorter and consist of
1369 pass phrases that combine upper and lower case character, digits, and
1372 Once chosen, the protection of these secret tokens is very important.
1373 Some are used as pins to hardware devices (like token cards) and
1374 these should not be written down and placed in the same location as
1375 the device with which they are associated. Others, such as a secret
1376 PGP key, should be protected from unauthorized access.
1378 One final word on this subject. When using cryptography products,
1379 like PGP, take care to determine the proper key length and ensure
1380 that your users are trained to do likewise. As technology advances,
1381 the minimum safe key length continues to grow. Make sure your site
1382 keeps up with the current state of knowledge on the subject so that
1383 you can ensure any cryptography used will be providing you the
1384 protection you are assuming it is.
1386 4.1.4 Password Assurance
1388 While the need to eliminate the use of standard, reusable passwords
1389 cannot be overstated, it is recognized that some organizations may
1390 have to transition to the use of better technology. Given that
1391 situation, we have included the following advice to help with the
1392 selection and maintenance of traditional passwords. But remember,
1396 Site Security Working Group [Page 21]
1402 Internet Draft Site Security Handbook May 1996
1405 none of these measures provides protection against disclosure due to
1408 (1) The importance of robust passwords - In many (if not most) cases o=
1410 system penetration, the intruder needs to gain access to an accoun=
1412 on the system. One way that goal is typically accomplished is
1413 through guessing the password of a legitimate user. This is often
1414 accomplished by running an automated password cracking program,
1415 which utilizes a very large dictionary, against the system's passw=
1417 file. The only way to guard against passwords being disclosed in =
1419 manner is through the careful selection of passwords which cannot =
1421 easily guessed (i.e., combinations of numbers, letters, and punctu=
1425 (2) Changing default passwords - Many operating systems and applicatio=
1427 programs are installed with default accounts and passwords. These
1428 must be changed immediately to something that cannot be guessed or
1431 (3) Restricting access to the password file - In particular, a site
1432 wants to protect the encrypted password portion of the file so tha=
1434 would-be intruders don't have them available for cracking. One
1435 effective technique is to use shadow passwords where the password
1436 field of the standard file contains a dummy or false password. Th=
1438 file containing the legitimate passwords are protected elsewhere o=
1442 (4) Password aging - When and how to expire passwords is still a subje=
1444 of controversy among the security community. It is generally acce=
1446 that a password should not be maintained once an account is no lon=
1448 use, but it is hotly debated whether a user should be forced to ch=
1450 good password that's in active use. The arguments for changing
1451 passwords relate to the prevention of the continued use of penetra=
1453 accounts. However, the opposition claims that frequent password
1454 changes lead to users writing down their passwords in visible area=
1456 (such as pasting them to a terminal), or to users selecting very s=
1458 passwords that are easy to guess. It should also be stated that a=
1460 intruder will probably use a captured or guessed password sooner r=
1462 than later, in which case password aging provides little if any
1465 While there is no definitive answer to this dilemma, a password po=
1467 should directly address the issue and provide guidelines for how o=
1469 a user should change the password. It is recommended that passwor=
1471 be changed whenever root is penetrated, there is a critical change=
1473 personnel (especially if it is the system administrator!), or when=
1475 account has been compromised. In particular, if the root password=
1477 compromised, all passwords on the system should be changed. In
1478 addition, an annual change in their password is usually not diffic=
1480 for most users, and you should consider requiring it.
1484 There will be information assets that your site will want to protect
1488 Site Security Working Group [Page 22]
1494 Internet Draft Site Security Handbook May 1996
1497 from disclosure to unauthorized entities. Operating systems often
1498 have built-in file protection mechanisms that allow an administrator
1499 to control who on the system can access, or "see," the contents of a
1500 given file. A stronger way to provide confidentiality is through
1501 encryption. Encryption is accomplished by scrambling data so that it
1502 is very difficult and time consuming for anyone other than the
1503 authorized recipients or owners to obtain the plain text. Authorized
1504 recipients and the owner of the information will possess the
1505 corresponding decryption keys that allow them to easily unscramble
1506 the text to a readable (clear text) form. We recommend that sites
1507 use encryption to provide confidentiality and protect valuable
1510 The use of encryption is sometimes controlled by governmental and
1511 site regulations, so we encourage administrators to become informed
1512 of laws or policies that regulate its use before employing it. It is
1513 outside the scope of this document to discuss the various algorithms
1514 and programs available for this purpose, but we do caution against
1515 the casual use of the UNIX crypt program as it has been found to be
1516 easily broken. We also encourage you to take time to understand the
1517 strength of the encryption in any given algorithm/product before
1518 using it. Most well-known products are well-documented in the
1519 literature, so this should be a fairly easy task.
1523 As an administrator, you will want to make sure that information
1524 (e.g., operating system files, company data, etc.) has not been
1525 altered in an unauthorized fashion. This means you will want to
1526 provide some assurance as to the integrity of the information on your
1527 systems. One way to provide this is to produce a checksum of the
1528 unaltered file, store that checksum offline, and periodically (or
1529 when desired) check to make sure the checksum of the online file
1530 hasn't changed (which would indicate the data has been modified).
1532 Some operating systems come with checksumming programs, such as the
1533 UNIX sum program. However, these may not provide the protection you
1534 actually need. Files can be modified in such a way as to preserve
1535 the result of the UNIX sum program! Therefore, we suggest that you
1536 use a cryptographically strong program, such as the message digesting
1537 program MD5 [ref], to produce the checksums you will be using to
1540 There are other applications when integrity will want to be assured,
1541 such as when transmitting an email message between two parties. There
1542 are products available that can provide this capability. The purpose
1543 of this section is to acquaint you with this concept so that you can
1544 apply it where needed. Once you identify that this is a capability
1545 you need, you can go about identifying technologies that will provide
1550 Authorization refers to the process of granting privileges to
1554 Site Security Working Group [Page 23]
1560 Internet Draft Site Security Handbook May 1996
1563 processes and, ultimately, users. This differs from authentication
1564 in that authentication is what occurs to identify a user. Once
1565 identified (reliably), the privileges, rights, property, and
1566 permissible actions of the user are determined by authorization.
1568 Explicitly listing the authorized activities of each user (and user
1569 process) with respect to all resources (objects) is impossible in a
1570 reasonable system. In a real system certain techniques are used to
1571 simplify the process of granting and checking authorization(s).
1573 One approach, popularized in UNIX systems, is to assign to each
1574 object three classes of user: owner, group and world. The owner is
1575 either the creator of the object or the user assigned as owner by the
1576 super-user. The owner permissions (read, write and execute) apply
1577 only to the owner. A group is a collection of users which share
1578 access rights to an object. The group permissions (read, write and
1579 execute) apply to all users in the group (except the owner). The
1580 world refers to everybody else with access to the system. The world
1581 permissions (read, write and execute) apply to all users (except the
1582 owner and members of the group).
1584 Another approach is to attach to an object a list which explicitly
1585 contains the identity of all permitted users (or groups). This is an
1586 Access Control List. The advantage of these are that they are easily
1587 maintained (one central list per object).
1591 4.5.1 Physical Access
1593 Restrict physical access to areas containing hosts to people who are
1594 supposed to use the hosts. Hosts include "trusted" terminals (such
1595 as system consoles, operator terminals and terminals dedicated to
1596 special tasks), and individual microcomputers and workstations,
1597 especially those connected to your network. Make sure access
1598 restrictions mesh well with people's work patterns; otherwise they
1599 will find ways to circumvent your physical security (e.g., jamming
1602 Keep original and backup copies of data and programs safe. Apart
1603 from keeping them in good condition for backup purposes, they must be
1604 protected from theft.
1606 Portable hosts are a particular risk. Make sure it won't cause
1607 problems if one of your staff's portable computer is stolen.
1608 Consider developing guidelines for the kinds of data that should be
1609 allowed to reside on the disks of portable computers as well as how
1610 the data should be protected (e.g., encryption) when it is on a
1613 Other areas where physical access should be restricted is the wiring
1614 closets and important network elements like file servers, name server
1620 Site Security Working Group [Page 24]
1626 Internet Draft Site Security Handbook May 1996
1629 4.5.2 Walk-up Network Connections
1631 By "walk-up" connections, we mean sockets located so as to provide a
1632 convenient way for users to connect a portable host to your network.
1634 Consider whether you need to provide this service, bearing in mind
1635 that it allows any user to attach an unauthorized host to your
1636 network. This increases the risk of attacks via techniques such as
1637 IP address spoofing, packet sniffing, etc. Users and site management
1638 must appreciate the risks involved. If you decide to provide walk-up
1639 connections, plan the service carefully and define precisely where
1640 you will provide it so that you can provide the necessary physical
1643 A walk-up host should be authenticated before its user is permitted
1644 to access resources on your network. As an alternative, it may be
1645 possible to control physical access. For example, if the service is
1646 to be used by students, you might only provide walk-up connection
1647 sockets in student laboratories.
1649 Keep an eye on empty offices. It may be sensible to disconnect
1650 connections to unused offices at the wiring closet. Consider using
1651 secure hubs and monitoring attempts to connect unauthorized hosts.
1653 4.5.3 Other Network Technologies
1655 Technologies considered here include X.25, ISDN, SMDS, DDS and Frame
1656 Relay. All are provided via physical links which go through
1657 telephone exchanges, providing the potential for them to be diverted.
1658 Crackers are certainly interested in telephone switches as well as in
1661 With switched technologies, use Permanent Virtual Circuits or Closed
1662 User Groups whenever this is possible. Technologies which provide
1663 authentication and/or encryption (such as IPv6) are evolving rapidly;
1664 consider using them on links where security is important.
1668 4.5.4.1 Modem lines must be managed
1670 Although they provide convenient access to a site for its users, they
1671 can also provide an effective detour around the site's firewalls.
1672 For this reason it is essential to maintain proper control of modems.
1674 Don't allow users to install a modem line without proper
1675 authorization. This includes temporary installations (e.g., plugging
1676 a modem into a facsimile or telephone line overnight).
1678 Maintain a register of all your modem lines and keep your register up
1679 to date. Conduct regular site checks for unauthorized modems.
1681 4.5.4.2 Dial-in users must be authenticated
1686 Site Security Working Group [Page 25]
1692 Internet Draft Site Security Handbook May 1996
1695 A username and password check should be completed before a user can
1696 access anything on your network. Normal password security
1697 considerations are particularly important (see section 4.1.1).
1699 Remember that telephone lines can be tapped, and that it is quite
1700 easy to intercept messages to cellular phones. Modern high-speed
1701 modems use more sophisticated modulation techniques, which makes them
1702 somewhat more difficult to monitor, but it is prudent to assume that
1703 hackers know how to eavesdrop on your lines. For this reason, you
1704 should use one-shot passwords if at all possible.
1706 It is helpful to have a single dial-in point (e.g., a single large
1707 modem pool) so that all users are authenticated in the same way.
1709 Users will occasionally mis-type a password. Set a short delay - say
1710 two seconds - after the first and second failed logins, and force a
1711 disconnect after the third. This will slow down automated password
1712 attacks. Don't tell the user whether the username, the password, or
1713 both, were incorrect.
1715 4.5.4.3 All logins (successful and unsuccessful) should be logged
1717 Don't keep correct passwords in the log, but consider keeping
1718 incorrect passwords to aid in detecting password attacks. However,
1719 most incorrect passwords are correct passwords with one character
1720 mistyped and may suggest the real password. If you can't keep this
1721 information secure, don't log it at all.
1723 If Calling Line Identification is available, take advantage of it by
1724 recording the calling number for each login attempt. Be sensitive to
1725 the privacy issues raised by Calling Line Identification. Also be
1726 aware that Calling Line Identification is not to be trusted; use the
1727 data for informational purposes only, not for authentication.
1729 4.5.4.4 Minimize the amount of information given in your opening banner
1731 In particular, don't announce the type of host hardware or operating
1732 system - this encourages specialist hackers.
1734 Display a short banner, but don't offer an "inviting" name (e.g.,
1735 University of XYZ, Student Records System). Instead, give your site
1736 name, a short warning that sessions may be monitored, and a
1737 username/password prompt. Get your site's lawyers to check your
1738 banner to make sure it states your legal position correctly.
1740 For high-security applications, consider using a "blind" password
1741 (i.e., give no response to an incoming call until the user has typed
1742 in a password). This effectively simulates a dead modem.
1744 4.5.4.5 Call-back Capability
1746 Some dial-in servers offer call-back facilities (i.e., the user dials
1747 in and is authenticated, then the system disconnects the call and
1748 calls back on a specified number). You will probably have to pay the
1752 Site Security Working Group [Page 26]
1758 Internet Draft Site Security Handbook May 1996
1761 charges for such calls.
1763 This feature should be used with caution; it can easily be bypassed.
1764 At a minimum, make sure that the return call is never made from the
1765 same modem as the incoming one. Overall, although call-back can
1766 improve modem security, you should not depend on it alone.
1768 4.5.4.6 Dial-out authentication
1770 Dial-out users should also be authenticated, particularly since your
1771 site will have to pay their telephone charges.
1773 Never allow dial-out from an unauthenticated dial-in call, and
1774 consider whether you will allow it from an authenticated one. The
1775 goal here is to prevent callers using your modem pool as part of a
1776 chain of logins. This can be hard to detect, particularly if a
1777 hacker sets up a path through several hosts on your site.
1779 At a minimum, don't allow the same modems and phone lines to be used
1780 for both dial-in and dial-out. This can be implemented easily if you
1781 run separate dial-in and dial-out modem pools.
1783 4.5.4.7 Make your modem programming as "bullet-proof" as possible
1785 Be sure modems can't be reprogrammed while they're in service. At a
1786 minimum, make sure that three plus signs won't put your dial-in
1787 modems into command mode!
1789 Program your modems to reset to your standard configuration at the
1790 start of each new call. Failing this, make them reset at the end of
1791 each call. This precaution will protect you against accidental
1792 reprogramming of your modems.
1794 Check that your modems terminate calls cleanly. When a user logs out
1795 from an access server, verify that the server hangs up the phone line
1796 properly. It is equally important that the server forces logouts
1797 from whatever sessions were active if the user hangs up unexpectedly.
1801 This section covers the procedures for collecting data generated by
1802 network activity, which may be useful in analyzing the security of a
1803 network and responding to security incidents.
1805 4.6.1 What to collect
1807 Audit data should include any attempt to achieve a different security
1808 level by any person, process, or other entity in the network. This
1809 includes login and logout, su (or the non-UNIX equivalent), ticket
1810 generation (for Kerberos, for example), and any other change of
1811 access or status. It is especially important to note "anonymous" or
1812 "guest" access to public servers.
1814 The actual data to collect will differ for different sites and for
1818 Site Security Working Group [Page 27]
1824 Internet Draft Site Security Handbook May 1996
1827 different types of access changes within a site. In general, the
1828 information you want to collect includes: username and hostname, for
1829 login and logout; previous and new access rights, for a change of
1830 access rights; and a timestamp. Of course, there is much more
1831 information which might be gathered, depending on what the system
1832 makes available and how much space is available to store that
1835 One very important note: do not gather passwords. This creates an
1836 enormous potential security breach if the audit records should be
1837 improperly accessed. Do not gather incorrect passwords either, as
1838 they often differ from valid passwords by only a single character or
1841 4.6.2 Collection Process
1843 The collection process should be enacted by the host or resource
1844 being accessed. Depending on the importance of the data and the need
1845 to have it local in instances in which services are being denied,
1846 data could be kept local to the resource until needed or be
1847 transmitted to storage after each event.
1849 There are basically three ways to store audit records: in a
1850 read/write file on a host, on a write-once/read-many device (e.g., a
1851 CD-ROM or a specially configured tape drive), or on a write-only
1852 device (e.g., a line printer). Each method has advantages and
1855 File system logging is the least resource intensive of the three
1856 methods and the easiest to configure. It allows instant access to
1857 the records for analysis, which may be important if an attack is in
1858 progress. File system logging is also the least reliable method. If
1859 the logging host has been compromised, the file system is usually the
1860 first thing to go; an intruder could easily cover up traces of the
1863 Collecting audit data on a write-once device is slightly more effort
1864 to configure than a simple file, but it has the significant advantage
1865 of greatly increased security because an intruder could not alter the
1866 data showing that an intrusion has occurred. The disadvantage of
1867 this method is the need to maintain a supply of storage media and the
1868 cost of that media. Also, the data may not be instantly available.
1870 Line printer logging is useful in system where permanent and
1871 immediate logs are required. A real time system is an example of
1872 this, where the exact point of a failure or attack must be recorded.
1873 A laser printer, or other device which buffers data (e.g., a print
1874 server), may suffer from lost data if buffers contain the needed data
1875 at a critical instant. The disadvantage of, literally, "paper
1876 trails" is the need to keep the printer fed and the need to scan
1877 records by hand. There is also the issue of where to store the,
1878 potentially, enormous volume of paper which may be generated.
1880 For each of the logging methods described, there is also the issue of
1884 Site Security Working Group [Page 28]
1890 Internet Draft Site Security Handbook May 1996
1893 securing the path between the device generating the log and actual
1894 logging device (i.e., the file server, tape/CD-ROM drive, printer).
1895 If that path is compromised, logging can be stopped or spoofed or
1896 both. In an ideal world, the logging device would be directly
1897 attached by a single, simple, point-to-point cable. Since that is
1898 usually impractical, the path should pass through the minimum number
1899 of networks and routers. Even if logs can be blocked, spoofing can
1900 be prevented with cryptographic checksums (it probably isn't
1901 necessary to encrypt the logs because they should not contain
1902 sensitive information in the first place).
1904 4.6.3 Collection Load
1906 Collecting audit data may result in a rapid accumulation of bytes so
1907 storage availability for this information must be considered in
1908 advance. There are a few ways to reduce the required storage space.
1909 First, data can be compressed, using one of many methods. Or, the
1910 required space can be minimized by keeping data for a shorter period
1911 of time with only summaries of that data kept in long-term archives.
1912 One major drawback to the latter method involves incident response.
1913 Often, an incident has been ongoing for some period of time when a
1914 site notices it and begins to investigate. At that point in time,
1915 it's very helpful to have detailed audit logs available. If these are
1916 just summaries, there may not be sufficient detail to fully handle
1919 4.6.4 Handling and Preserving Audit Data
1921 Audit data should be some of the most carefully secured data at the
1922 site and in the backups. If an intruder were to gain access to audit
1923 logs, the systems themselves, in addition to the data, would be at
1926 Audit data may also become key to the investigation, apprehension,
1927 and prosecution of the perpetrator of an incident. For this reason,
1928 it is advisable to seek the advice of legal council when deciding how
1929 audit data should be treated. This should happen before an incident
1932 If a data handling plan is not adequately defined prior to an
1933 incident, it may mean that there is no recourse in the aftermath of
1934 an event, and it may create liability resulting from improper
1935 treatment of the data.
1937 4.6.5 Legal Considerations
1939 Due to the content of audit data, there are a number of legal
1940 questions that arise which need to be addressed by your legal
1941 counsel. If you collect and save audit data, you need to be prepared
1942 for consequences resulting both from its existence and its content.
1944 One area concerns the privacy of individuals. In certain instances,
1945 audit data may contain personal information. Searching through the
1946 data, even for a routine check of the system's security, could
1950 Site Security Working Group [Page 29]
1956 Internet Draft Site Security Handbook May 1996
1959 represent an invasion of privacy.
1961 A second area of concern involves knowledge of intrusive behavior
1962 originating from your site. If an organization keeps audit data, is
1963 it responsible for examining it to search for incidents? If a host
1964 in one organization is used as a launching point for an attack
1965 against another organization, can the second organization use the
1966 audit data of the first organization to prove negligence on the part
1967 of that organization?
1969 The above examples are meant to be comprehensive, but should motivate
1970 your organization to consider the legal issues involved with audit
1973 4.7 Securing Backups
1975 The procedure of creating backups is a classic part of operating a
1976 computer system. Within the context of this document, backups are
1977 addressed as part of the overall security plan of a site. There are
1978 several aspects to backups that are important within this context:
1980 (1) Make sure your site is creating backups
1981 (2) Make sure your site is using offsite storage for backups. The
1982 storage site should be carefully selected for both its security an=
1985 (3) Consider encrypting your backups to provide additional protection =
1987 the information once it is off-site. However, be aware that you w=
1989 need a good key management scheme so that you'll be able to recove=
1991 data at any point in the future. Also, make sure you will have
1992 access to the necessary decryption programs at such time in the
1993 future as you need to perform the decryption.
1994 (4) Don't always assume that your backups are good. There have been
1995 many instances of computer security incidents that have gone on fo=
1997 long periods of time before a site has noticed the incident. In s=
1999 cases, backups of the affected systems are also tainted.
2000 (5) Periodically check your backups.
2002 5. Security Incident Handling
2004 This section of the document will supply guidance to be applied
2005 before, during, and after a computer security incident occurs on a
2006 machine, network, site, or multi-site environment. The operative
2007 philosophy in the event of a breach of computer security is to react
2008 according to a plan. This is true whether the breach is the result
2009 of an external intruder attack, unintentional damage, a student
2010 testing some new program to exploit a software vulnerability, or a
2011 disgruntled employee. Each of the possible types of events, such as
2012 those just listed, should be addressed in advance by adequate
2015 Traditional computer security, while quite important in the overall
2016 site security plan, usually pays little attention to how to actually
2017 handle the attack once it occurs. The result is that when an attack
2018 is in progress, many decisions are made in haste and can be damaging
2022 Site Security Working Group [Page 30]
2028 Internet Draft Site Security Handbook May 1996
2031 to tracking down the source of the incident, collecting evidence to
2032 be used in prosecution efforts, preparing for the recovery of the
2033 system, and protecting the valuable data contained on the system.
2035 One of the most important, but often overlooked, benefits for
2036 efficient incident handling is an economic one. Having both
2037 technical and managerial personnel respond to an incident requires
2038 considerable resources. If trained to handle incidents efficiently,
2039 less staff time is required when one occurs.
2041 Due to the world-wide network most incidents are not restricted to a
2042 single site. Operating systems vulnerabilities apply (in some cases)
2043 to several millions of systems, and many vulnerabilities are
2044 exploited within the network itself. Therefore, it is vital for all
2045 sites with involved parties are informed as soon as possible.
2047 Another benefit is related to public relations. News about computer
2048 security incidents tends to be damaging to an organization's stature
2049 among current or potential clients. Efficient incident handling
2050 minimizes the potential for negative exposure.
2052 A final benefit of efficient incident handling is related to legal
2053 issues. It is possible that in the near future organizations may be
2054 sued because one of their nodes was used to launch a network attack.
2055 In a similar vein, people who develop patches or workarounds may be
2056 sued if the patches or workarounds are ineffective, resulting in
2057 compromise of the systems, or, if the patches or workarounds
2058 themselves damage systems. Knowing about operating system
2059 vulnerabilities and patterns of attacks, and then taking appropriate
2060 measures to counter these potential threats, is critical to
2061 circumventing possible legal problems.
2063 The sections in this chapter provide an outline and starting point
2064 for creating your site's policy for handling security incidents. The
2067 (1) Preparing and planning (what are the goals and objectives in
2068 handling an incident).
2069 (2) Notification (who should be contacted in the case of an incident).
2070 (3) Evaluation (how serious is the incident).
2071 (4) Handling (what should be done when an incident occurs).
2072 - Notification (who should be notified about the incident).
2073 - Containment (how can the damage be limited).
2074 - Eradication (how to eliminate the reasons for the incident).
2075 - Recovery (how to reestablish service and systems).
2076 - Follow Up (what actions should be taken after the incident).
2077 - Legal/Investigative implications (what are the legal and
2078 prosecutorial implications of the incident).
2079 - Documentation Logs (what records should be kept from
2080 before, during, and after the incident).
2081 (5) Aftermath (what are the implications of past incidents).
2082 (6) Responsibilities (how to handle an incident responsibly).
2084 The remainder of this chapter will detail the issues involved in each
2088 Site Security Working Group [Page 31]
2094 Internet Draft Site Security Handbook May 1996
2097 of the important topics listed above, and provide some guidance as to
2098 what should be included in a site policy for handling incidents.
2100 5.1 Preparing and Planning for Incident Handling
2102 Part of handling an incident is being prepared to respond to an
2103 incident before the incident occurs in the first place. This
2104 includes establishing a suitable level of protections as explained in
2105 the preceding chapters. Doing this should help your site prevent
2106 incidents as well as limit potential damage resulting from them when
2107 they do occur. Protection also includes preparing incident handling
2108 guidelines as part of a contingency plan for your organization or
2109 site. Having written plans eliminates much of the ambiguity which
2110 occurs during an incident, and will lead to a more appropriate and
2111 thorough set of responses. It is vitally important to test the
2112 proposed plan before an incident occurs through "dry runs". A team
2113 might even consider hiring a tiger team to act in parallel with the
2116 Learning to respond efficiently to an incident is important for a
2119 (1) protecting the assets which could be compromised
2120 (2) protecting resources which could be utilized more
2121 profitably if an incident did not require their services
2122 (3) complying with (government or other) regulations
2123 (4) preventing the use of your systems in attacks against other
2124 systems (which could cause you to incur legal liability)
2125 (5) minimizing the potential for negative exposure
2127 As in any set of pre-planned procedures, attention must be paid to a
2128 set of goals for handling an incident. These goals will be
2129 prioritized differently depending on the site. A specific set of
2130 objectives can be identified for dealing with incidents:
2132 (1) Figure out how it happened.
2133 (2) Find out how to avoid further exploitation of the same
2135 (3) Avoid escalation and further incidents.
2136 (4) Recover from the incident.
2137 (5) Find out who did it.
2139 Due to the nature of the incident, there might be a conflict between
2140 analyzing the original source of a problem and restoring systems and
2141 services. Overall goals (like assuring the integrity of critical
2142 systems) might be the reason for not analyzing an incident. Of
2143 course, this is an important management decision; but all involved
2144 parties must be aware that without analysis the same incident may
2147 It is also important to prioritize the actions to be taken during an
2148 incident well in advance of the time an incident occurs. Sometimes
2149 an incident may be so complex that it is impossible to do everything
2150 at once to respond to it; priorities are essential. Although
2154 Site Security Working Group [Page 32]
2160 Internet Draft Site Security Handbook May 1996
2163 priorities will vary from institution to institution, the following
2164 suggested priorities may serve as a starting point for defining your
2165 organization's response:
2167 (1) Priority one -- protect human life and people's
2168 safety; human life always has precedence over all
2169 other considerations.
2171 (2) Priority two -- protect classified and/or sensitive
2172 data. Prevent exploitation of classified and/or
2173 sensitive systems, networks or sites. Inform affected
2174 classified and/or sensitive systems, networks or sites
2175 about already occurred penetrations.
2176 (Be aware of regulations by your site or by government)
2178 (3) Priority three -- protect other data, including
2179 proprietary, scientific, managerial and other data,
2180 because loss of data is costly in terms of resources.
2181 Prevent exploitations of other systems, networks or
2182 sites and inform already affected systems, networks or
2183 sites about successful penetrations.
2185 (4) Priority four -- prevent damage to systems (e.g., loss
2186 or alteration of system files, damage to disk drives,
2187 etc.). Damage to systems can result in costly down
2190 (5) Priority five -- minimize disruption of computing
2191 resources. It is better in many cases to shut a system
2192 down or disconnect from a network than to risk damage
2195 An important implication for defining priorities is that once human
2196 life and national security considerations have been addressed, it is
2197 generally more important to save data than system software and
2198 hardware. Although it is undesirable to have any damage or loss
2199 during an incident, systems can be replaced. However, the loss or
2200 compromise of data (especially classified or proprietary data) is
2201 usually not an acceptable outcome under any circumstances.
2203 Another important concern is the effect on others, beyond the systems
2204 and networks where the incident occurs. Within the limits imposed by
2205 government regulations it is always important to inform affected
2206 parties as soon as possible. Due to the legal implications of this
2207 topic, it should be included in the planned procedures to avoid
2208 further delays and uncertainties for the administrators.
2210 Any plan for responding to security incidents should be guided by
2211 local policies and regulations. Government and private sites that
2212 deal with classified material have specific rules that they must
2215 The policies chosen by your site on how it reacts to incidents will
2216 shape your response. For example, it may make little sense to create
2220 Site Security Working Group [Page 33]
2226 Internet Draft Site Security Handbook May 1996
2229 mechanisms to monitor and trace intruders if your site does not plan
2230 to take action against the intruders if they are caught. Other
2231 organizations may have policies that affect your plans. Telephone
2232 companies often release information about telephone traces only to
2233 law enforcement agencies.
2235 5.2 Notification and Points of Contact
2237 It is important to establish contacts with various personnel before a
2238 real incident occurs. These contacts are either local, other system
2239 responsible or administrative contacts administrators elsewhere on
2240 the Internet or are investigative agencies. Working with these
2241 contacts appropriately will help to make your incident handling
2242 process more efficient.
2244 Communication may need to be established with various "Points of
2245 Contact" (POC). These may be technical or administrative in nature
2246 and may include legal or investigative agencies as well as Service
2247 Providers and vendors. It is important to decide how much
2248 information will be shared, especially with the wider community of
2249 users at a site, with the public (the press) and with other sites.
2251 Settling these issues are especially important for the local person
2252 responsible for handling the incident, since that is the person
2253 responsible for the actual notification of others. A list of
2254 contacts in each of these categories is an important time saver for
2255 this person during an incident. It can be quite difficult to find an
2256 appropriate person during an incident when many urgent events are
2257 ongoing. Including relevant telephone numbers (also electronic mail
2258 addresses and fax numbers) in the site security policy is strongly
2259 recommended. It is especially important to know how to contact
2260 individuals who will be directly involved in handling a security
2263 5.2.1 Local Managers and Personnel
2265 When an incident is under way, a major issue is deciding who is in
2266 charge of coordinating the activity of the multitude of players. A
2267 major mistake that can be made is to have a number of POCs who are
2268 not pulling their efforts together. This will only add to the
2269 confusion of the event and will probably lead to wasted or
2272 The single POC may or may not be the person responsible for handling
2273 the incident. There are two distinct roles to fill when deciding who
2274 shall be the POC and who will be the person in charge of the
2275 incident. The person in charge of the incident will make decisions
2276 as to the interpretation of policy applied to the event. In
2277 contrast, the POC must coordinate the effort of all the parties
2278 involved with handling the event.
2280 The POC must be a person with the technical expertise to successfully
2281 coordinate the effort of the system managers and users involved in
2282 monitoring and reacting to the attack. Often the management
2286 Site Security Working Group [Page 34]
2292 Internet Draft Site Security Handbook May 1996
2295 structure of a site is such that the administrator of a set of
2296 resources is not a technically competent person with regard to
2297 handling the details of the operations of the computers, but is
2298 ultimately responsible for the use of these resources.
2300 Another important function of the POC is to maintain contact with law
2301 enforcement and other external agencies to assure that multi-agency
2302 involvement occurs. The level of involvement will be determined by
2303 management decisions as well as legal constraints.
2305 Finally, if legal action in the form of prosecution is involved, the
2306 POC may be asked to speak for the site in court. The alternative is
2307 to have multiple witnesses whose input may be hard to coordinate in a
2308 legal sense. This may lead to a weakening of any case against the
2309 attackers. A single POC may also be the single person in charge of
2310 collecting evidence, which will keep the number of people accounting
2311 for evidence to a minimum. As a rule of thumb, the more people that
2312 touch a potential piece of evidence, the greater the possibility that
2313 it will be inadmissible in court.
2315 One of the most critical tasks for the POC is the coordination of all
2316 relevant processes. As responsibilities might be distributed over
2317 the whole site, which may well consist of multiple independent
2318 departments or groups, a well coordinate effort is crucial for
2319 overall success. The situation get even worse if multiple sites are
2320 involved. In many cases, no single POC in one site can coordinate
2321 the handling of an entire incident. The appropriate incident
2322 response teams are more suitable, if multiple sites are involved.
2324 The incident handling process should provide some escalation
2325 mechanisms. The POC might change; the impact of the incident force
2326 the management to take the lead instead of giving the technical
2327 administrator the responsibility. Other reasons for changing the POC
2328 are the emergence of conflicts of interest, or changing priorities or
2329 responsibilities. Regardless of why the POC is changed, all involved
2330 parties must be informed. Arrangements should be made to allow the
2331 new POC to contact the old one, to ensure an adequate briefing of
2332 background information.
2334 5.2.2 Law Enforcement and Investigative Agencies
2336 In the event of an incident that has legal consequences, it is
2337 important to establish contact with investigative agencies (e.g, the
2338 FBI and Secret Service in the U.S.) as soon as possible. Local law
2339 enforcement, local security offices, and campus police departments
2340 should also be informed as appropriate.
2342 A primary reason is that once a major attack is in progress, there is
2343 little time to call these agencies to determine exactly who the
2344 correct point of contact is. Another reason is that it is important
2345 to cooperate with these agencies in a manner that will foster a good
2346 working relationship, and that will be in accordance with the working
2347 procedures of these agencies. Knowing the working procedures in
2348 advance and the expectations of your point of contact is a big step
2352 Site Security Working Group [Page 35]
2358 Internet Draft Site Security Handbook May 1996
2361 in this direction. For example, it is important to gather evidence
2362 that will be admissible in a court of law, requiring prior knowledge
2363 of how to gather such evidence. A final reason for establishing
2364 contacts as soon as possible is that it is impossible to know the
2365 particular agency that will assume jurisdiction in any given
2366 incident. Making contacts and finding the proper channels early will
2367 make responding to an incident go considerably more smoothly.
2369 If your organization or site has a legal counsel, you need to notify
2370 this office soon after you learn that an incident is in progress. At
2371 a minimum, your legal counsel needs to be involved to protect the
2372 legal and financial interests of your site or organization. There
2373 are many legal and practical issues, a few of which are:
2375 (1) Whether your site or organization is willing to risk negative
2376 publicity or exposure to cooperate with legal prosecution efforts.
2378 (2) Downstream liability--if you leave a compromised system as is so
2379 it can be monitored and another computer is damaged because the
2380 attack originated from your system, your site or organization
2381 may be liable for damages incurred.
2383 (3) Distribution of information--if your site or organization distribu=
2385 information about an attack in which another site or organization =
2387 be involved or the vulnerability in a product that may affect abil=
2389 to market that product, your site or organization may again be lia=
2391 for any damages (including damage of reputation).
2393 (4) Liabilities due to monitoring--your site or organization may be su=
2395 if users at your site or elsewhere discover that your site is
2396 monitoring account activity without informing users.
2398 Unfortunately, there are no clear precedents yet on the liabilities
2399 or responsibilities of organizations involved in a security incident
2400 or who might be involved in supporting an investigative effort.
2401 Investigators will often encourage organizations to help trace and
2402 monitor intruders. Indeed, most investigators cannot pursue computer
2403 intrusions without extensive support from the organizations involved.
2404 However, investigators cannot provide protection from liability
2405 claims, and these kinds of efforts may drag out for months and may
2406 take a lot of effort.
2408 On the other hand, an organization's legal council may advise extreme
2409 caution and suggest that tracing activities be halted and an intruder
2410 shut out of the system. This, in itself, may not provide protection
2411 from liability, and may prevent investigators from identifying the
2414 The balance between supporting investigative activity and limiting
2415 liability is tricky. You'll need to consider the advice of your legal
2416 counsel and the damage the intruder is causing (if any) when making
2417 your decision about what to do during any particular incident.
2419 Your legal counsel should also be involved in any decision to contact
2423 Site Security Working Group [Page 36]
2429 Internet Draft Site Security Handbook May 1996
2432 investigative agencies when an incident occurs at your site. The
2433 decision to coordinate efforts with investigative agencies is most
2434 properly that of your site or organization. Involving your legal
2435 counsel will also foster the multi-level coordination between your
2436 site and the particular investigative agency involved, which in turn
2437 results in an efficient division of labor. Another result is that
2438 you are likely to obtain guidance that will help you avoid future
2441 Finally, your legal counsel should evaluate your site's written
2442 procedures for responding to incidents. It is essential to obtain a
2443 "clean bill of health" from a legal perspective before you actually
2444 carry out these procedures.
2446 It is vital, when dealing with investigative agencies, to verify that
2447 the person who calls asking for information is a legitimate
2448 representative from the agency in question. Unfortunately, many well
2449 intentioned people have unknowingly leaked sensitive details about
2450 incidents, allowed unauthorized people into their systems, etc.,
2451 because a caller has masqueraded as a representative of a government
2454 A similar consideration is using a secure means of communication.
2455 Because many network attackers can easily re-route electronic mail,
2456 avoid using electronic mail to communicate with other agencies (as
2457 well as others dealing with the incident at hand). Non-secured phone
2458 lines (the phones normally used in the business world) are also
2459 frequent targets for tapping by network intruders, so be careful!
2461 There is no established set of rules for responding to an incident
2462 when the local government becomes involved. Normally, except by
2463 court order, no agency can force you to monitor, to disconnect from
2464 the network, to avoid telephone contact with the suspected attackers,
2465 etc. As discussed before, you should consult the matter with your
2466 legal counsel, especially before taking an action that your
2467 organization has never taken.
2469 The particular agency involved may ask you to leave an attacked
2470 machine on and to monitor activity. Complying with this request will
2471 ensure continued cooperation of the agency. This is usually the best
2472 route towards finding the source of the network attacks and,
2473 ultimately, terminating the attacks. Additionally, you may need
2474 information or a favor from the agency involved. You are likely to
2475 get what you need only if you have been cooperative. It is
2476 particularly important to avoid unnecessary or unauthorized
2477 disclosure of information about the incident, including any
2478 information furnished by the agency involved. In other words, don't
2479 compromise the case the agency is trying to build. And remember, if
2480 you do not cooperate with an agency, you will be less likely to
2481 receive help from that agency in the future.
2483 Sometimes your needs and the needs of an investigative agency will
2484 differ. Your site may want to get back to normal business by closing
2485 an attack route, but the investigative agency may want you to keep
2489 Site Security Working Group [Page 37]
2495 Internet Draft Site Security Handbook May 1996
2498 this route open. Similarly, your site may want to close a
2499 compromised system down to avoid the possibility of negative
2500 publicity, but again the investigative agency may want you to
2501 continue monitoring. When there is such a conflict, there may be a
2502 complex set of tradeoffs (e.g., interests of your site's management,
2503 amount of resources you can devote to the problem, jurisdictional
2504 boundaries, etc.). An important guiding principle is related to what
2505 might be called "Internet citizenship" and its responsibilities. See
2508 5.2.3 Computer Security Incident Handling Teams
2510 There now exists a number of Computer Security Incident Response
2511 teams (CSIRTs) such as the CERT Coordination Center and the CIAC or
2512 other teams around the globe. Teams exist for many major government
2513 agencies and large corporations. If such a team is available,
2514 notifying it should be of primary importance during the early stages
2515 of an incident. These teams are responsible for coordinating
2516 computer security incidents over a range of sites and larger
2517 entities. Even if the incident is believed to be contained within a
2518 single site, it is possible that the information available through a
2519 response team could help in closing out the incident.
2521 If it is determined that the breach occurred due to a flaw in the
2522 system's hardware or software, the vendor (or supplier) and a
2523 Computer Security Incident Handling team should be notified as soon
2524 as possible. This is especially important because many other systems
2525 are vulnerable, too.
2527 In setting up a site policy for incident handling, it may be
2528 desirable to create a subgroup, much like those teams that already
2529 exist, that will be responsible for handling computer security
2530 incidents for the site (or organization). If such a team is created,
2531 it is essential that communication lines be opened between this team
2532 and other teams. Once an incident is under way, it is difficult to
2533 open a trusted dialogue between other teams if none has existed
2536 5.2.4 Affected and Involved Sites
2538 If an incident has an impact on other sites, it is good practice to
2539 inform them. It may be obvious from the beginning that the incident
2540 is not limited to the local site, or it may emerge only after further
2543 Each site might choose to contact other sites directly or they can
2544 pass the information to an appropriate incident response team, to
2545 which the involved site belongs. As it is often very difficult to
2546 find the responsible POC at remote sites, the involvement of an
2547 incident response team will facilitate contact by making use of
2548 already established channels.
2550 The legal and liability issues arising from a security incident may
2551 differ from site to site. It is important to define a policy for the
2555 Site Security Working Group [Page 38]
2561 Internet Draft Site Security Handbook May 1996
2564 sharing and logging of information about other sites before an
2565 incident occurs. This policy should be crafted in consultation with
2568 Information about specific people is especially sensitive, and may be
2569 subject to privacy laws. To avoid problems in this area, irrelevant
2570 information should be deleted and a statement of how to handle the
2571 remaining information should be included. A clear statement of how
2572 this information is to be used is essential. No one who informs a
2573 site of a security incident wants to read about it in the public
2574 press. Incident response teams are valuable in this respect. When
2575 they pass information to responsible POCs, they are able to protect
2576 the anonymity of the original source. But, be aware that, in many
2577 cases, the analysis of logs and information at other sites will
2578 reveal addresses of your site.
2580 All the problems discussed above should be not taken as reasons not
2581 to involve other sites. In fact, the experiences of existing teams
2582 reveal that most sites informed about security problems are not even
2583 aware that their site had been compromised. Without timely
2584 information, other sites are often unable to take action against
2587 5.2.5 Public Relations - Press Releases
2589 One of the most important issues to consider is when, who, and how
2590 much to release to the general public through the press. There are
2591 many issues to consider when deciding this particular issue. First
2592 and foremost, if a public relations office exists for the site, it is
2593 important to use this office as liaison to the press. The public
2594 relations office is trained in the type and wording of information
2595 released, and will help to assure that the image of the site is
2596 protected during and after the incident (if possible). A public
2597 relations office has the advantage that you can communicate candidly
2598 with them, and provide a buffer between the constant press attention
2599 and the need of the POC to maintain control over the incident.
2601 If a public relations office is not available, the information
2602 released to the press must be carefully considered. If the
2603 information is sensitive, it may be advantageous to provide only
2604 minimal or overview information to the press. It is quite possible
2605 that any information provided to the press will be quickly reviewed
2606 by the perpetrator of the incident. Also note that misleading the
2607 press can often backfire and cause more damage than releasing
2608 sensitive information.
2610 While it is difficult to determine in advance what level of detail to
2611 provide to the press, some guidelines to keep in mind are:
2613 (1) Keep the technical level of detail low. Detailed
2614 information about the incident may provide enough
2615 information for copy-cat events or even damage the
2616 site's ability to prosecute once the event is over.
2621 Site Security Working Group [Page 39]
2627 Internet Draft Site Security Handbook May 1996
2630 (2) Keep the speculation out of press statements.
2631 Speculation of who is causing the incident or the
2632 motives are very likely to be in error and may cause
2633 an inflamed view of the incident.
2635 (3) Work with law enforcement professionals to assure that
2636 evidence is protected. If prosecution is involved,
2637 assure that the evidence collected is not divulged to
2640 (4) Try not to be forced into a press interview before you are
2641 prepared. The popular press is famous for the "2 am"
2642 interview, where the hope is to catch the interviewee off
2643 guard and obtain information otherwise not available.
2645 (5) Do not allow the press attention to detract from the
2646 handling of the event. Always remember that the successful
2647 closure of an incident is of primary importance.
2649 5.3 Identifying an Incident
2653 This stage involves determining if a problem really exists. Of
2654 course many if not most signs often associated with virus infection,
2655 system intrusions, malicious users, etc., are simply anomalies such
2656 as hardware failures or suspicious system/user behavior. To assist
2657 in identifying whether there really is an incident, it is usually
2658 helpful to obtain and use any detection software which may be
2659 available. Audit information is also extremely useful, especially in
2660 determining whether there is a network attack. It is extremely
2661 important to obtain a system snapshot as soon as one suspects that
2662 something is wrong. Many incidents cause a dynamic chain of events
2663 to occur, and an initial system snapshot may be the most valuable
2664 tool for identifying the problem and any source of attack. Finally,
2665 it is important to start a log book. Recording system events,
2666 telephone conversations, time stamps, etc., can lead to a more rapid
2667 and systematic identification of the problem, and is the basis for
2668 subsequent stages of incident handling.
2670 There are certain indications or "symptoms" of an incident which
2671 deserve special attention:
2674 (2) New user accounts (the account RUMPLESTILTSKIN has been
2675 unexpectedly created), or high activity on a previously
2677 (3) New files (usually with novel or strange file names,
2678 such as data.xx or k or .xx ).
2679 (4) Accounting discrepancies (in a UNIX system you might
2680 notice the shrinking of an accounting file called
2681 /usr/admin/lastlog, something that should make you very
2682 suspicious that there may be an intruder).
2683 (5) Changes in file lengths or dates (a user should be
2687 Site Security Working Group [Page 40]
2693 Internet Draft Site Security Handbook May 1996
2696 suspicious if .EXE files in an MS DOS computer have
2697 unexplainedly grown by over 1800 bytes).
2698 (6) Attempts to write to system (a system manager notices
2699 that a privileged user in a VMS system is attempting to
2700 alter RIGHTSLIST.DAT).
2701 (7) Data modification or deletion (files start to disappear).
2702 (8) Denial of service (a system manager and all other users
2703 become locked out of a UNIX system, now in single user mode).
2704 (9) Unexplained, poor system performance
2705 (10) Anomalies ("GOTCHA" is displayed on the console or there
2706 are frequent unexplained "beeps").
2707 (11) Suspicious probes (there are numerous unsuccessful login
2708 attempts from another node).
2709 (12) Suspicious browsing (someone becomes a root user on a UNIX
2710 system and accesses file after file on many user accounts.)
2712 By no means is this list comprehensive; we have just listed a number
2713 of common indicators. It is best to collaborate with other technical
2714 and computer security personnel to make a decision as a group about
2715 whether an incident is occurring.
2717 5.3.2 Types and Scope of Incidents
2719 Along with the identification of the incident is the evaluation of
2720 the scope and impact of the problem. It is important to correctly
2721 identify the boundaries of the incident in order to effectively deal
2722 with it and prioritize responses.
2724 In order to identify the scope and impact a set of criteria should be
2725 defined which is appropriate to the site and to the type of
2726 connections available. Some of the issues include:
2728 (1) Is this a multi-site incident?
2729 (2) Are many computers at your site affected by this incident?
2730 (3) Is sensitive information involved?
2731 (4) What is the entry point of the incident (network,
2732 phone line, local terminal, etc.)?
2733 (5) Is the press involved?
2734 (6) What is the potential damage of the incident?
2735 (7) What is the estimated time to close out the incident?
2736 (8) What resources could be required to handle the incident?
2737 (9) Is law enforcement involved?
2739 5.3.3 Assessing the Damage and Extent
2741 The analysis of the damage and extent of the incident can be quite
2742 time consuming, but should lead to some insight into the nature of
2743 the incident, and aid investigation and prosecution. As soon as the
2744 breach has occurred, the entire system and all of its components
2745 should be considered suspect. System software is the most probable
2746 target. Preparation is key to be able to detect all changes for a
2747 possibly tainted system. This includes checksumming all tapes from
2748 the vendor using a algorithm which is resistant to tampering. (See
2753 Site Security Working Group [Page 41]
2759 Internet Draft Site Security Handbook May 1996
2762 Assuming original vendor distribution tapes are available, an
2763 analysis of all system files should commence, and any irregularities
2764 should be noted and referred to all parties involved in handling the
2765 incident. It can be very difficult, in some cases, to decide which
2766 backup tapes are showing a correct system status. Consider, for
2767 example, that the incident may have continued for months or years
2768 before discovery, and the suspect may be an employee of the site, or
2769 otherwise have intimate knowledge or access to the systems. In all
2770 cases, the pre-incident preparation will determine what recovery is
2773 If the system supports centralized logging (most do), go back over
2774 the logs and look for abnormalities. If process accounting and
2775 connect time accounting is enabled, look for patterns of system
2776 usage. To a lesser extent, disk usage may shed light on the
2777 incident. Accounting can provide much helpful information in an
2778 analysis of an incident and subsequent prosecution. Your ability to
2779 address all aspects of a specific incident strongly depends on the
2780 success of this analysis.
2782 5.4 Handling an Incident
2784 Certain steps are necessary to take during the handling of an
2785 incident. In all security related activities, the most important
2786 point to be made is: One should have policies in place. Without
2787 defined goals, activities undertaken will remain without focus. The
2788 goals should be defined by management and legal counsel in advance.
2790 One of the most fundamental objectives is to restore control of the
2791 affected systems and to limit the impact and damage. In the worst
2792 case scenario, shutting down the system, or disconnecting the system
2793 from the network, may the only practical solution.
2795 As the activities involved are complex, try to get as much help as
2796 necessary. While trying to solve the problem alone, real damage
2797 might occur due to delays or missing information. Most system
2798 administrators take the discovery of an intruder as personal
2799 challenge. By proceeding this way, other objectives as outlined in
2800 the local policies may not always be considered. Trying to catch
2801 intruders may be a very low priority, compared to system integrity,
2802 for example. Monitoring a hacker's activity is useful, but it might
2803 not be considered worth the risk to allow continued access.
2805 5.4.1 Types of notification, Exchange of information
2807 When you have confirmed that an incident is occurring, the
2808 appropriate personnel must be notified. How this notification is
2809 achieved is very important to keeping the event under control both
2810 from a technical and emotional standpoint. The circumstances should
2811 be described in as much detail as possible, in order to aid prompt
2812 acknowledgment and understanding of the problem. Great care should
2813 be taken when determining to which groups detailed technical
2814 information is given during the notification. For example, it is
2815 helpful to pass this kind of information to an incident handling team
2819 Site Security Working Group [Page 42]
2825 Internet Draft Site Security Handbook May 1996
2828 as they can assist you by providing helpful hints for eradicating the
2829 vulnerabilities involved in an incident. On the other hand, putting
2830 the critical knowledge into the public domain (e.g., via USENET
2831 newsgroups or mailing lists) may potentially put a large number of
2832 systems at risk of intrusion. It is invalid to assume that all
2833 administrators reading a particular newsgroup have access to
2834 operating system source code, or can even understand an advisory well
2835 enough to take adequate steps.
2837 First of all, any notification to either local or off-site personnel
2838 must be explicit. This requires that any statement (be it an
2839 electronic mail message, phone call, or fax) providing information
2840 about the incident be clear, concise, and fully qualified. When you
2841 are notifying others that will help you handle an event, a "smoke
2842 screen" will only divide the effort and create confusion. If a
2843 division of labor is suggested, it is helpful to provide information
2844 to each participant about what is being accomplished in other
2845 efforts. This will not only reduce duplication of effort, but allow
2846 people working on parts of the problem to know where to obtain
2847 information relevant to their part of the incident.
2849 Another important consideration when communicating about the incident
2850 is to be factual. Attempting to hide aspects of the incident by
2851 providing false or incomplete information may not only prevent a
2852 successful resolution to the incident, but may even worsen the
2855 The choice of language used when notifying people about the incident
2856 can have a profound effect on the way that information is received.
2857 When you use emotional or inflammatory terms, you raise the potential
2858 for damage and negative outcomes of the incident. It is important to
2859 remain calm both in written and spoken communications.
2861 Another consideration is that not all people speak the same language.
2862 Due to this fact, misunderstandings and delay may arise, especially
2863 if it is a multi-national incident. Other international concerns
2864 include differing legal implications of a security incident and
2865 cultural differences. However, cultural differences do not only
2866 exist between countries. They even exist within countries, between
2867 different social or user groups. For example, an administrator of a
2868 university system might be very relaxed about attempts to connect to
2869 the system via telnet, but the administrator of a military system is
2870 likely to consider the same action as a possible attack.
2872 Another issue associated with the choice of language is the
2873 notification of non-technical or off-site personnel. It is important
2874 to accurately describe the incident without generating undue alarm or
2875 confusion. While it is more difficult to describe the incident to a
2876 non-technical audience, it is often more important. A non-technical
2877 description may be required for upper-level management, the press, or
2878 law enforcement liaisons. The importance of these communications
2879 cannot be underestimated and may make the difference between
2880 resolving the incident properly and escalating to some higher level
2885 Site Security Working Group [Page 43]
2891 Internet Draft Site Security Handbook May 1996
2894 If an incident response team becomes involved, it might be necessary
2895 to fill out a template for the information exchange. Although this
2896 may seem to be an additional burden and adds a certain delay, it
2897 helps the team to act on this minimum set of information. The
2898 response team may be able to respond to aspects of the incident of
2899 which the local administrator is unaware. If information is given out
2900 to someone else, the following minimum information should be
2903 (1) timezone of logs, ... in GMT or local time
2904 (2) information about the remote system, including host names,
2905 IP addresses and (perhaps) user IDs
2906 (3) all log entries relevant for the remote site
2907 (4) type of incident (what happened, why should you care)
2909 If local information (i.e., local user IDs) is included in the log
2910 entries, it might be necessary to sanitize the entries beforehand to
2911 avoid privacy issues. In general, all information which might assist
2912 a remote site in resolving an incident should be given out, unless
2913 local policies prohibit this.
2915 5.4.2 Protecting Evidence and Activity Logs
2917 When you respond to an incident, document all details related to the
2918 incident. This will provide valuable information to yourself and
2919 others as you try to unravel the course of events. Documenting all
2920 details will ultimately save you time. If you don't document every
2921 relevant phone call, for example, you are likely to forget a
2922 significant portion of information you obtain, requiring you to
2923 contact the source of information again. At the same time, recording
2924 details will provide evidence for prosecution efforts, providing the
2925 case moves in that direction. Documenting an incident will also help
2926 you perform a final assessment of damage (something your management,
2927 as well as law enforcement officers, will want to know), and will
2928 provide the basis for later phases of the handling process:
2929 eradication, recovery, and follow-up "lessons learned."
2931 During the initial stages of an incident, it is often infeasible to
2932 determine whether prosecution is viable, so you should document as if
2933 you are gathering evidence for a court case. At a minimum, you
2936 (1) all system events (audit records)
2937 (2) all actions you take (time tagged)
2938 (3) all phone conversations (including the person with whom
2939 you talked, the date and time, and the content of the
2942 The most straightforward way to maintain documentation is keeping a
2943 log book. This allows you to go to a centralized, chronological
2944 source of information when you need it, instead of requiring you to
2945 page through individual sheets of paper. Much of this information is
2946 potential evidence in a court of law. Thus, when you initially
2947 suspect that an incident will result in prosecution or when an
2951 Site Security Working Group [Page 44]
2957 Internet Draft Site Security Handbook May 1996
2960 investigative agency becomes involved, you need to:
2962 (1) Regularly (e.g., every day) turn in photocopied, signed
2963 copies of your logbook (as well as media you use to record
2964 system events) to a document custodian.
2965 (2) The custodian should store these copied pages in a secure
2966 place (e.g., a safe).
2967 (3) When you submit information for storage, you should
2968 receive a signed, dated receipt from the document
2971 Failure to observe these procedures can result in invalidation of any
2972 evidence you obtain in a court of law.
2976 The purpose of containment is to limit the extent of an attack. An
2977 essential part of containment is decision making (e.g., determining
2978 whether to shut a system down, disconnect from a network, monitor
2979 system or network activity, set traps, disable functions such as
2980 remote file transfer, etc.).
2982 Sometimes this decision is trivial; shut the system down if the
2983 information is classified, sensitive, or proprietary. Bear in mind
2984 that removing all access while an incident is in progress obviously
2985 notifies all users, including the alleged problem users, that the
2986 administrators are aware of a problem; this may have a deleterious
2987 effect on an investigation. In some cases, it is prudent to remove
2988 all access or functionality as soon as possible, then restore normal
2989 operation in limited stages. In other cases, it is worthwhile to
2990 risk some damage to the system if keeping the system up might enable
2991 you to identify an intruder.
2993 This stage should involve carrying out predetermined procedures.
2994 Your organization or site should, for example, define acceptable
2995 risks in dealing with an incident, and should prescribe specific
2996 actions and strategies accordingly. This is especially important
2997 when a quick decision is necessary and it is not possible to first
2998 contact all involved parties to discuss the decision. In the absence
2999 of predefined procedures, the person in charge of the incident will
3000 often not have the power to make difficult management decisions (like
3001 to lose the results of a costly experiment by shutting down a
3002 system). A final activity that should occur during this stage of
3003 incident handling is the notification of appropriate authorities.
3007 Once the incident has been contained, it is time to eradicate the
3008 cause. But before eradicating the cause, great care should be taken
3009 to collect all necessary information about the compromised system(s)
3010 and the cause of the incident as they will likely be lost when
3011 cleaning up the system.
3013 Software may be available to help you in the eradication process,
3017 Site Security Working Group [Page 45]
3023 Internet Draft Site Security Handbook May 1996
3026 such as anti-virus software for small systems. If any bogus files
3027 have been created archive them before deleting them. In the case of
3028 virus infections, it is important to clean and reformat any disks
3029 containing infected files. Finally, ensure that all backups are
3030 clean. Many systems infected with viruses become periodically re-
3031 infected simply because people do not systematically eradicate the
3032 virus from backups. After eradication, a new backup should be taken.
3034 Removing all vulnerabilities once an incident has occurred is
3035 difficult. The key to removing vulnerabilities is knowledge and
3036 understanding of the breach.
3038 It may be necessary to go back to the original distribution tapes and
3039 re-customize the system. To facilitate this worst case scenario, a
3040 record of the original system setup and each customization change
3041 should be maintained. In the case of a network-based attack, it is
3042 important to install patches for each operating system vulnerability
3043 which was exploited.
3045 As discussed in section 5.4.2, a security log can be most valuable
3046 during this phase of removing vulnerabilities. The logs showing how
3047 the incident was discovered and contained can be used later to help
3048 determine how extensive the damage was from a given incident. The
3049 steps taken can be used in the future to make sure the problem does
3050 not resurface. Ideally, one should automate and regularly apply the
3051 same test as was used to detect the security incident.
3053 If a particular vulnerability is isolated as having been exploited,
3054 the next step is to find a mechanism to protect your system. The
3055 security mailing lists and bulletins would be a good place to search
3056 for this information, and you can get advice from incident response
3061 Once the cause of an incident has been eradicated, the recovery phase
3062 defines the next stage of action. The goal of recovery is to return
3063 the system to normal. In general, bringing up services in the order
3064 of demand to allow a minimum of user inconvenience is the best
3065 practice. Understand that the proper recovery procedures for the
3066 system are extremely important and should be specific to the site.
3070 Once you believe that a system has been restored to a "safe" state,
3071 it is still possible that holes, and even traps, could be lurking in
3072 the system. One of the most important stages of responding to
3073 incidents is also the most often omitted, the follow-up stage. In
3074 the follow-up stage, the system should be monitored for items that
3075 may have been missed during the cleanup stage. It would be prudent
3076 to utilize some of the tools mentioned in section xxx (e.g., xxx) as
3077 a start. Remember, these tools don't replace continual system
3078 monitoring and good systems administration practices.
3083 Site Security Working Group [Page 46]
3089 Internet Draft Site Security Handbook May 1996
3092 The most important element of the follow-up stage is performing a
3093 postmortem analysis. Exactly what happened, and at what times? How
3094 well did the staff involved with the incident perform? What kind of
3095 information did the staff need quickly, and how could they have
3096 gotten that information as soon as possible? What would the staff do
3097 differently next time?
3099 After an incident, it is prudent to write a report describing the
3100 exact sequence of events: the method of discovery, correction
3101 procedure, monitoring procedure, and a summary of lesson learned.
3102 This will aid in the clear understanding of the problem. Creating a
3103 formal chronology of events (including time stamps) is also important
3106 A follow-up report is valuable for many reasons. It provides a
3107 reference to be used in case of other similar incidents. It is also
3108 important to, as quickly as possible obtain a monetary estimate of
3109 the amount of damage the incident caused. This estimate should
3110 include costs associated with any loss of software and files
3111 (especially the value of proprietary data that may have been
3112 disclosed), hardware damage, and manpower costs to restore altered
3113 files, reconfigure affected systems, and so forth. This estimate may
3114 become the basis for subsequent prosecution activity. The report can
3115 also help justify an organization's computer security effort to
3118 5.5 Aftermath of an Incident
3120 In the wake of an incident, several actions should take place. These
3121 actions can be summarized as follows:
3123 (1) An inventory should be taken of the systems' assets,
3124 (i.e., a careful examination should determine how the
3125 system was affected by the incident).
3127 (2) The lessons learned as a result of the incident
3128 should be included in revised security plan to
3129 prevent the incident from re-occurring.
3131 (3) A new risk analysis should be developed in light of the
3134 (4) An investigation and prosecution of the individuals
3135 who caused the incident should commence, if it is
3138 If an incident is based on poor policy, and unless the policy is
3139 changed, then one is doomed to repeat the past. Once a site has
3140 recovered from and incident, site policy and procedures should be
3141 reviewed to encompass changes to prevent similar incidents. Even
3142 without an incident, it would be prudent to review policies and
3143 procedures on a regular basis. Reviews are imperative due to today's
3144 changing computing environments.
3149 Site Security Working Group [Page 47]
3155 Internet Draft Site Security Handbook May 1996
3158 The whole purpose of this post mortem process is to improve all
3159 security measures to protect the site against future attacks. As a
3160 result of an incident, a site or organization should gain practical
3161 knowledge from the experience. A concrete goal of the post mortem is
3162 to develop new proactive methods. Another important facet of the
3163 aftermath may be end user and administrator education to prevent a
3164 reoccurrence of the security problem.
3166 5.6 Responsibilities
3168 5.6.1 Not crossing the line
3170 It is one thing to protect one's own network, but quite another to
3171 assume that one should protect other networks. During the handling
3172 of an incident, certain system vulnerabilities of one's own systems
3173 and the systems of others become apparent. It is quite easy and may
3174 even be tempting to pursue the intruders in order to track them.
3175 Keep in mind that at a certain point it is possible to "cross the
3176 line," and, with the best of intentions, become no better than the
3179 The best rule when it comes to propriety is to not use any facility
3180 of remote sites which is not public. This clearly excludes any entry
3181 onto a system (such as a remote shell or login session) which is not
3182 expressly permitted. This may be very tempting; after a breach of
3183 security is detected, a system administrator may have the means to
3184 "follow it up," to ascertain what damage is being done to the remote
3185 site. Don't do it! Instead, attempt to reach the appropriate point
3186 of contact for the affected site.
3188 5.6.2 Good Internet Citizenship
3190 During a security incident there are two choices one can make.
3191 First, a site can choose to watch the intruder in the hopes of
3192 catching him; or, the site can go about cleaning up after the
3193 incident and shut the intruder out of the systems. This is a
3194 decision that must be made very thoughtfully, as there may be legal
3195 liabilities if you choose to leave your site open, knowing that an
3196 intruder is using your site as a launching pad to reach out to other
3197 sites. Being a good Internet citizen means that you should try to
3198 alert other sites that may have been impacted by the intruder. These
3199 affected sites may be readily apparent after a thorough review of
3202 5.6.3 Administrative Response to Incidents
3204 When a security incident involves a user, the site's security policy
3205 should describe what action is to be taken. The transgression should
3206 be taken seriously, but it is very important to be sure of the role
3207 the user played. Was the user naive? Could there be a mistake in
3208 attributing the security breach to the user? Applying administrative
3209 action that assumes the user intentionally caused the incident may
3210 not be appropriate for a user who simply made a mistake. It may be
3211 appropriate to include sanctions more suitable for such a situation
3215 Site Security Working Group [Page 48]
3221 Internet Draft Site Security Handbook May 1996
3224 in your policies (e.g., education or reprimand of a user) in addition
3225 to more stern measures for intentional acts of intrusion and system
3228 6. Ongoing Activities
3230 At this point in time, your site has hopefully developed a complete
3231 security policy and developed procedures to assist in the
3232 configuration and management of your technology in support of those
3233 policies. How nice it would be if you could sit back and relax at
3234 this point and know that you were finished with the job of security.
3235 Unfortunately, that isn't the case. Your systems and networks are
3236 not a static environment, so you will need to review policies and
3237 procedures on a regular basis. There are a number of steps you can
3238 take to help you keep up with the changes around you so that you can
3239 initiate corresponding actions to address those changes. The
3240 following is a starter set and you may add others as appropriate for
3243 (1) Subscribe to advisories that are issued by various security incide=
3245 response teams, like those of the CERT Coordination Center [ref], =
3247 update your systems against those threats that apply to your site'=
3251 (2) Monitor security patches that are produced by the vendors of your
3252 equipment, and obtain and install all that apply.
3254 (3) Actively watch the configurations of your systems to identify any
3255 changes that may have occurred, then investigate all anomalies.
3257 (4) Review all security policies and procedures annually (at a minimum=
3260 (5) Read appropriate mailing lists and USENET newsgroups to keep up to
3261 date with the latest information being shared by fellow
3264 (6) Regularly check for compliance to policies and procedures. This
3265 audit should be performed by someone other than the people who
3266 define or implement the policies and procedures.
3268 7. Tools and Locations
3270 This section provides a brief overview of publicly available security
3271 technology which can be downloaded from the Internet. Many of the
3272 items described below will undoubtedly be surpassed or made obsolete
3273 before this document is published. This section is divided into two
3274 major subsections, applications and tools. The applications heading
3275 will include all end user programs (clients) and their supporting
3276 system infrastructure (servers). The tools heading will deal with
3277 the tools that a general user will never see or need to use, but
3278 which may be part of or used by applications, used to troubleshoot
3279 security problems or guard against intruders by system and network
3285 Site Security Working Group [Page 49]
3291 Internet Draft Site Security Handbook May 1996
3294 The emphasis will be on UNIX applications and tools, but other
3295 platforms, particularly PC's and Macintoshes, will be mentioned where
3296 information is available.
3298 Most of the tools and applications described below can be found in
3299 one of the following two archive sites:
3301 (1) CERT Coordination Center
3302 ftp://info.cert.org:/pub/tools
3304 ftp://ftp.cert.dfn.de/pub/tools/
3305 (3) Computer Operations, Audit, and Security Tools (COAST)
3306 coast.cs.purdue.edu:/pub/tools
3308 Any references to CERT or COAST will refer to these two locations.
3309 These two sites act as repositories for most tools, exceptions will
3310 be noted in the text. *** It is important to note that many sites,
3311 including CERT and COAST are mirrored throughout the Internet. Be
3312 careful to use a "well known" mirror site to retrieve software and to
3313 use whatever verification tools possible, checksums, md5 checksums,
3314 etc... to validate that software. A clever cracker might advertise
3315 security software with designed flaws in order to gain access to data
3320 The sad truth is that there are very few security conscious
3321 applications currently available. The real reason is the need for a
3322 security infrastructure which must be first put into place for most
3323 applications to operate securely. There is considerable effort
3324 currently taking place to place this infrastructure so that
3325 applications can take advantage of secure communications.
3327 Unix based applications
3332 identd (not really a security tool)
3340 rpcbind/portmapper replacement
3351 Site Security Working Group [Page 50]
3357 Internet Draft Site Security Handbook May 1996
3364 8. Mailing Lists and Other Resources
3366 It would be impossible to list all of the mail-lists and other
3367 resources dealing with site security. However, these are some "jump-
3368 points" from which the reader can begin. All of these references are
3369 for the "INTERNET" constituency. More specific (vendor and
3370 geographical) resources can be found through these references.
3375 Send mail to: cert-advisory-request@cert.org
3376 Message Body: subscribe cert <FIRST NAME> <LAST NAME>
3378 A CERT advisory provides information on how to obtain a patch or
3379 details of a workaround for a known computer security problem.
3380 The CERT Coordination Center works with vendors to produce a
3381 workaround or a patch for a problem, and does not publish
3382 vulnerability information until a workaround or a patch is
3383 available. A CERT advisory may also be a warning to our
3384 constituency about ongoing attacks (e.g.,
3385 "CA-91:18.Active.Internet.tftp.Attacks").
3388 CERT advisories are also published on the USENET newsgroup:
3389 comp.security.announce
3391 CERT advisory archives are available via anonymous FTP from
3392 info.cert.org in the /pub/cert_advisories directory.
3394 (2) CERT Tools Mailing List
3395 Send mail to: cert-tools-request@cert.sei.cmu.edu
3396 Message Body: subscribe cert-tools FIRSTNAME LASTNAME
3398 The purpose of this moderated mailing list is to
3399 encourage the exchange of information on security
3400 tools and techniques. The list should not be used
3401 for security problem reports.
3404 Send mail to: listserv%lehiibm1.bitnet@mitvma.mit.edu
3405 Message Body: subscribe virus-L FIRSTNAME LASTNAME
3407 VIRUS-L is a moderated mailing list with a focus
3408 on computer virus issues. For more information,
3409 including a copy of the posting guidelines, see
3410 the file "virus-l.README", available by anonymous
3411 FTP from cs.ucr.edu.
3413 (4) Academic Firewalls
3417 Site Security Working Group [Page 51]
3423 Internet Draft Site Security Handbook May 1996
3426 Send mail to: majordomo@greatcircle.com
3427 Message Body: subscribe firewalls user@host
3429 The Firewalls mailing list is a discussion forum for
3430 firewall administrators and implementors.
3434 (1) comp.security.announce
3435 The comp.security.announce newsgroup is moderated
3436 and is used solely for the distribution of CERT
3439 (2) comp.security.misc
3440 The comp.security.misc is a forum for the
3441 discussion of computer security, especially as it
3442 relates to the UNIX(r) Operating System.
3445 The alt.security newsgroup is also a forum for the
3446 discussion of computer security, as well as other
3447 issues such as car locks and alarm systems.
3450 The comp.virus newsgroup is a moderated newsgroup
3451 with a focus on computer virus issues. For more
3452 information, including a copy of the posting
3453 guidelines, see the file "virus-l.README",
3454 available via anonymous FTP on info.cert.org
3455 in the /pub/virus-l directory.
3458 The comp.risks newsgroup is a moderated forum on
3459 the risks to the public in computers and related
3462 World-Wide Web Pages
3464 (1) http://www.first.org/
3466 Computer Security Resource Clearinghouse. The main focus is on
3467 crisis response information; information on computer
3468 security-related threats, vulnerabilities, and solutions. At the
3469 same time, the Clearinghouse strives to be a general index to
3470 computer security information on a broad variety of subjects,
3471 including general risks, privacy, legal issues, viruses,
3472 assurance, policy, and training.
3474 (2) http://www.telstra.com.au/info/security.html
3476 This Reference Index contains a list of links to information
3477 sources on Network and Computer Security. There is no implied
3478 fitness to the Tools, Techniques and Documents contained within th=
3480 archive. Many if not all of these items work well, but we do
3484 Site Security Working Group [Page 52]
3490 Internet Draft Site Security Handbook May 1996
3493 not guarantee that this will be so. This information is for the
3494 education and legitimate use of computer security techniques only.
3496 (3) http://www.alw.nih.gov/Security/security.html
3498 This page features general information about computer security.
3499 Information is organized by source and each section is organized
3500 by topic. Recent modifications are noted in What's New page.
3505 [Appelman, et. al., 1995] Appelman, Heller, Ehrman, White, and
3506 McAuliffe, "The Law and The Internet", USENIX 1995 Technical
3507 Conference on UNIX and Advanced Computing, New Orleans, LA, January
3510 [ABA, 1989] American Bar Association, Section of Science and
3511 Technology, "Guide to the Prosecution of Telecommunication Fraud by
3512 the Use of Computer Crime Statutes", American Bar Association, 1989.
3514 [Aucoin, 1989] R. Aucoin, "Computer Viruses: Checklist for Recovery",
3515 Computers in Libraries, Vol. 9, No. 2, Pg. 4, February 1989.
3517 [Barrett, 1996] D. Barrett, "Bandits on the Information
3518 Superhighway", O'Reilly & Associates, Sebastopol, CA, 1996.
3520 [Bates, 1992] R. Bates, "Disaster Recovery Planning: Networks,
3521 Telecommunications and Data Communications", McGraw-Hill, 1992.
3523 [Bellovin, 1989] S. Bellovin, "Security Problems in the TCP/IP
3524 Protocol Suite", Computer Communication Review, Vol 19, 2, pp. 32-48,
3527 [Bellovin, 1990] S. Bellovin, and M. Merritt, "Limitations of the
3528 Kerberos Authentication System", Computer Communications Review,
3531 [Bellovin, 1992] S. Bellovin, "There Be Dragon", USENIX: Proceedings
3532 of the Third Usenix Security Symposium, Baltimore, MD. September,
3535 [Bender, 1894] D. Bender, "Computer Law: Evidence and Procedure", M.
3536 Bender, New York, NY, 1978-present.
3538 [Bloombecker, 1990] B. Bloombecker, "Spectacular Computer Crimes",
3539 Dow Jones- Irwin, Homewood, IL. 1990.
3541 [Brand, 1990] R. Brand, "Coping with the Threat of Computer Security
3542 Incidents: A Primer from Prevention through Recovery", R. Brand, 8
3545 [Brock, 1989] J. Brock, "November 1988 Internet Computer Virus and
3546 the Vulnerability of National Telecommunications Networks to Computer
3550 Site Security Working Group [Page 53]
3556 Internet Draft Site Security Handbook May 1996
3559 Viruses", GAO/T-IMTEC-89-10, Washington, DC, 20 July 1989.
3561 [BS 7799] British Standard, BS Tech Cttee BSFD/12, Info. Sec. Mgmt,
3562 "BS 7799 : 1995 Code of Practice for Information Security
3563 Management", British Standards Institution, London, 54, Effective 15
3566 [Caelli, 1988] W. Caelli, Editor, "Computer Security in the Age of
3567 Information", Proceedings of the Fifth IFIP International Conference
3568 on Computer Security, IFIP/Sec '88.
3570 [Carroll, 1987] J. Carroll, "Computer Security", 2nd Edition,
3571 Butterworth Publishers, Stoneham, MA, 1987.
3573 [Cavazos and Morin, 1995] E. Cavazos and G. Morin, "Cyber-Space and
3574 The Law", MIT Press, Cambridge, MA, 1995.
3576 [CCH, 1989] Commerce Clearing House, "Guide to Computer Law",
3577 (Topical Law Reports), Chicago, IL., 1989.
3579 [Chapman, 1992] B. Chapman, "Network(In) Security Through IP Packet
3580 Filtering", USSENIX: Proceedings of the Thrid UNIX Security
3581 Symposium, Baltimore, MD, September 1992.
3583 [Chapman and Zwicky, 1995] B. Chapman and E. Zwicky, "Building
3584 Internet Firewalls", O'Reilly and Associates, Sebastopol, CA, 1995.
3586 [Cheswick, 1990] B. Cheswick, "The Design of a Secure Internet
3587 Gateway", Proceedings of the Summer Usenix Conference, Anaheim, CA,
3590 [Cheswick1] W. Cheswick, "An Evening with Berferd In Which a Cracker
3591 is Lured, Endured, and Studied", AT&T Bell Laboratories.
3593 [Cheswick and Bellovin, 1994] W. Cheswick and S. Bellovin, "Firewalls
3594 and Internet Security: Repelling the Wily Hacker", Addison-Wesley,
3597 [Conly, 1989] C. Conly, "Organizing for Computer Crime Investigation
3598 and Prosecution", U.S. Dept. of Justice, Office of Justice Programs,
3599 Under Contract Number OJP-86-C-002, National Institute of Justice,
3600 Washington, DC, July 1989.
3602 [Cooper, 1989] J. Cooper, "Computer and Communications Security:
3603 Strategies for the 1990s", McGraw-Hill, 1989.
3605 [CPSR, 1989] Computer Professionals for Social Responsibility, "CPSR
3606 Statement on the Computer Virus", CPSR, Communications of the ACM,
3607 Vol. 32, No. 6, Pg. 699, June 1989.
3609 [CSC-STD-002-85, 1985] Department of Defense, "Password Management
3610 Guideline", CSC-STD-002-85, 12 April 1985, 31 pages.
3612 [Curry, 1990] D. Curry, "Improving the Security of Your UNIX System",
3616 Site Security Working Group [Page 54]
3622 Internet Draft Site Security Handbook May 1996
3625 SRI International Report ITSTD-721-FR-90-21, April 1990.
3627 [Curry, 1992] D. Curry, "UNIX System Security: A Guide for Users and
3628 Systems Administrators", Addision-Wesley, Reading, MA, 1992.
3630 [DDN88] Defense Data Network, "BSD 4.2 and 4.3 Software Problem
3631 Resolution", DDN MGT Bulletin #43, DDN Network Information Center, 3
3634 [DDN89] DCA DDN Defense Communications System, "DDN Security Bulletin
3635 03", DDN Security Coordination Center, 17 October 1989.
3637 [Denning, 1990] P. Denning, Editor, "Computers Under Attack:
3638 Intruders, Worms, and Viruses", ACM Press, 1990.
3640 [Eichin and Rochlis, 1989] M. Eichin, and J. Rochlis, "With
3641 Microscope and Tweezers: An Analysis of the Internet Virus of
3642 November 1988", Massachusetts Institute of Technology, February 1989.
3644 [Eisenberg, et. al., 89] T. Eisenberg, D. Gries, J. Hartmanis, D.
3645 Holcomb, M. Lynn, and T. Santoro, "The Computer Worm", Cornell
3646 University, 6 February 1989.
3648 [Ermann, Willians, and Gutierrez, 1990] D. Ermann, M. Williams, and
3649 C. Gutierrez, Editors, "Computers, Ethics, and Society", Oxford
3650 University Press, NY, 1990. (376 pages, includes bibliographical
3653 [Farmer and Spafford, 1990] D. Farmer and E. Spafford, "The COPS
3654 Security Checker System", Proceedings of the Summer 1990 USENIX
3655 Conference, Anaheim, CA, Pgs. 165-170, June 1990.
3657 [Farrow, 1991] Rik Farrow, "UNIX Systems Security", Addison-Wesley,
3660 [Fenwick, 1985] W. Fenwick, Chair, "Computer Litigation, 1985: Trial
3661 Tactics and Techniques", Litigation Course Handbook Series No. 280,
3662 Prepared for distribution at the Computer Litigation, 1985: Trial
3663 Tactics and Techniques Program, February-March 1985.
3665 [Fites, Kratz, and Brebner, 1989] M. Fites, P. Kratz, and A. Brebner,
3666 "Control and Security of Computer Information Systems", Computer
3667 Science Press, 1989.
3669 [Fites, Johnson, and Kratz, 1992] Fites, Johnson, and Kratz, "The
3670 Computer Virus Crisis", Van Hostrand Reinhold, 2nd edition, 1992.
3672 [Forester and Morrison, 1990] T. Forester, and P. Morrison, "Computer
3673 Ethics: Tales and Ethical Dilemmas in Computing", MIT Press,
3674 Cambridge, MA, 1990.
3676 [Foster and Morrision, 1990] T. Forester, and P. Morrison, "Computer
3677 Ethics: Tales and Ethical Dilemmas in Computing", MIT Press,
3678 Cambridge, MA, 1990. (192 pages including index.)
3682 Site Security Working Group [Page 55]
3688 Internet Draft Site Security Handbook May 1996
3691 [GAO/IMTEX-89-57, 1989] U.S. General Accounting Office, "Computer
3692 Security - Virus Highlights Need for Improved Internet Management",
3693 United States General Accounting Office, Washington, DC, 1989.
3695 [Garfinkel and Spafford, 1991] S. Garfinkel, and E. Spafford,
3696 "Practical Unix Security", O'Reilly & Associates, ISBN 0-937175-72-2,
3699 [Garfinkel, 1995] S. Garfinkel, "PGP:Pretty Good Privacy", O'Reilly &
3700 Associates, Sebastopol, CA, 1996.
3702 [Garfinkel and Spafford, 1996] S. Garfinkel and E. Spafford,
3703 "Practical UNIX and Internet Security", O'Reilly & Associates,
3704 Sebastopol, CA, 1996.
3706 [Gemignani, 1989] M. Gemignani, "Viruses and Criminal Law",
3707 Communications of the ACM, Vol. 32, No. 6, Pgs. 669-671, June 1989.
3709 [Goodell, 1996] J. Goodell, "The Cyberthief and the Samurai: The True
3710 Story of Kevin Mitnick-And The Man Who Hunted Him Down", Dell
3711 Publishing, 328pp, 1996.
3713 [Gould, 1989] C. Gould, Editor, "The Information Web: Ethical and
3714 Social Implications of Computer Networking", Westview Press, Boulder,
3717 [Greenia, 1989] M. Greenia, "Computer Security Information
3718 Sourcebook", Lexikon Services, Sacramento, CA, 1989.
3720 [Hafner and Markoff, 1991] K. Hafner and J. Markoff, "Cyberpunk:
3721 Outlaws and Hackers on the Computer Frontier", Touchstone, Simon &
3724 [Hess, Safford, and Pooch] D. Hess, D. Safford, and U. Pooch, "A Unix
3725 Network Protocol Security Study: Network Information Service", Texas
3728 [Hoffman, 1990] L. Hoffman, "Rogue Programs: Viruses, Worms, and
3729 Trojan Horses", Van Nostrand Reinhold, NY, 1990. (384 pages,
3730 includes bibliographical references and index.)
3732 [Howard, 1995] G. Howard, "Introduction to Internet Security: From
3733 Basics to Beyond", Prima Publishing, Rocklin, CA, 1995.
3735 [Huband and Shelton, 1986] F. Huband, and R. Shelton, Editors,
3736 "Protection of Computer Systems and Software: New Approaches for
3737 Combating Theft of Software and Unauthorized Intrusion", Papers
3738 presented at a workshop sponsored by the National Science Foundation,
3741 [Hughes, 1995] L. Hughes Jr., "Actually Useful: Internet Security
3742 Techniques", New Riders Publishing, Indianapolis, IN, 1995.
3744 [IAB-RFC1087, 89] Internet Activities Board, "Ethics and the
3748 Site Security Working Group [Page 56]
3754 Internet Draft Site Security Handbook May 1996
3757 Internet", RFC 1087, IAB, January 1989. Also appears in the
3758 Communications of the ACM, Vol. 32, No. 6, Pg. 710, June 1989.
3760 [Icove, Seger, and VonStorch, 1995] D. Icove, K. Seger, and W.
3761 VonStorch, "Computer Crime: A Crimefighter's Handbook", O'Reilly &
3762 Associates, Sebastopol, CA, 1995.
3764 [IVPC, 1996] IVPC, "International Virus Prevention Conference '96
3765 Proceedings", NCSA, 1996.
3767 [Johnson and Podesta] D. Johnson, and J. Podesta, "Formulating A
3768 Company Policy on Access to and Use and Disclosure of Electronic Mail
3769 on Company Computer Systems".
3771 [Kane, 1994] P. Kane, "PC Security and Virus Protection Handbook: The
3772 Ongoing War Against Information Sabotage", M&T Books, 1994.
3774 [Kaufman, Perlman, and Speciner, 1995] C. Kaufman, R. Perlman, and M.
3775 Speciner, "Network Security: PRIVATE Communication in a PUBLIC
3776 World", Prentice Hall, Englewood Cliffs, NJ, 1995.
3778 [Kent, 1990] S. Kent, "E-Mail Privacy for the Internet: New Software
3779 and Strict Registration Procedures will be Implemented this Year",
3780 Business Communications Review, Vol. 20, No. 1, Pg. 55, 1 January
3783 [Levy, 1984] S. Levy, "Hacker: Heroes of the Computer Revolution",
3786 [Lewis, 1996] S. Lewis, "Disaster Recovery Yellow Pages", The Systems
3789 [Littleman, 1996] J. Littleman, "The Fugitive Game: Online with Kevin
3790 Mitnick", Little, Brown, Boston, MA. 333p, 1996.
3792 [Lu and Sundareshan, 1989] W. Lu and M. Sundareshan, "Secure
3793 Communication in Internet Environments: A Hierarchical Key Management
3794 Scheme for End-to-End Encryption", IEEE Transactions on
3795 Communications, Vol. 37, No. 10, Pg. 1014, 1 October 1989.
3797 [Lu and Sundareshan, 1990] W. Lu and M. Sundareshan, "A Model for
3798 Multilevel Security in Computer Networks", IEEE Transactions on
3799 Software Engineering, Vol. 16, No. 6, Page 647, 1 June 1990.
3801 [Martin and Schinzinger, 1989] M. Martin, and R. Schinzinger, "Ethics
3802 in Engineering", McGraw Hill, 2nd Edition, 1989.
3804 [Merkle] R. Merkle, "A Fast Software One Way Hash Function", Journal
3805 of Cryptology, Vol. 3, No. 1.
3807 [McEwen, 1989] J. McEwen, "Dedicated Computer Crime Units", Report
3808 Contributors: D. Fester and H. Nugent, Prepared for the National
3809 Institute of Justice, U.S. Department of Justice, by Institute for
3810 Law and Justice, Inc., under contract number OJP-85-C-006,
3814 Site Security Working Group [Page 57]
3820 Internet Draft Site Security Handbook May 1996
3823 Washington, DC, 1989.
3825 [MIT, 1989] Massachusetts Institute of Technology, "Teaching Students
3826 About Responsible Use of Computers", MIT, 1985-1986. Also reprinted
3827 in the Communications of the ACM, Vol. 32, No. 6, Pg. 704, Athena
3828 Project, MIT, June 1989.
3830 [Mogel, 1989] Mogul, J., "Simple and Flexible Datagram Access
3831 Controls for UNIX-based Gateways", Digital Western Research
3832 Laboratory Research Report 89/4, March 1989.
3834 [Muffett, 1992] A. Muffett, "Crack Version 4.1: A Sensible Password
3837 [NCSA1, 1995] NCSA, "NCSA Firewall Policy Guide", 1995.
3839 [NCSA2, 1995] NCSA, "NCSA's Corporate Computer Virus Prevention
3840 Policy Model", NCSA, 1995.
3842 [NCSA, 1996] NCSA, "Firewalls & Internet Security Conference '96
3845 [NCSC-89-660-P, 1990] National Computer Security Center, "Guidelines
3846 for Formal Verification Systems", Shipping list no.: 89-660-P, The
3847 Center, Fort George G. Meade, MD, 1 April 1990.
3849 [NCSC-89-254-P, 1988] National Computer Security Center, "Glossary of
3850 Computer Security Terms", Shipping list no.: 89-254-P, The Center,
3851 Fort George G. Meade, MD, 21 October 1988.
3853 [NCSC-C1-001-89, 1989] Tinto, M., "Computer Viruses: Prevention,
3854 Detection, and Treatment", National Computer Security Center C1
3855 Technical Report C1-001-89, June 1989.
3857 [NCSC Conference, 1989] National Computer Security Conference, "12th
3858 National Computer Security Conference: Baltimore Convention Center,
3859 Baltimore, MD, 10-13 October, 1989: Information Systems Security,
3860 Solutions for Today - Concepts for Tomorrow", National Institute of
3861 Standards and National Computer Security Center, 1989.
3863 [NCSC-CSC-STD-003-85, 1985] National Computer Security Center,
3864 "Guidance for Applying the Department of Defense Trusted Computer
3865 System Evaluation Criteria in Specific Environments", CSC-STD-003-85,
3868 [NCSC-STD-004-85, 1985] National Computer Security Center, "Technical
3869 Rationale Behind CSC-STD-003-85: Computer Security Requirements",
3870 CSC-STD-004-85, NCSC, 25 June 1985.
3872 [NCSC-STD-005-85, 1985] National Computer Security Center, "Magnetic
3873 Remanence Security Guideline", CSC-STD-005-85, NCSC, 15 November
3876 [NCSC-TCSEC, 1985] National Computer Security Center, "Trusted
3880 Site Security Working Group [Page 58]
3886 Internet Draft Site Security Handbook May 1996
3889 Computer System Evaluation Criteria", DoD 5200.28-STD, CSC-STD-001-
3890 83, NCSC, December 1985.
3892 [NCSC-TG-003, 1987] NCSC, "A Guide to Understanding DISCRETIONARY
3893 ACCESS CONTROL in Trusted Systems", NCSC-TG-003, Version-1, 30
3894 September 1987, 29 pages.
3896 [NCSC-TG-001, 1988] NCSC, "A Guide to Understanding AUDIT in Trusted
3897 Systems", NCSC-TG-001, Version-2, 1 June 1988, 25 pages.
3899 [NCSC-TG-004, 1988] National Computer Security Center, "Glossary of
3900 Computer Security Terms", NCSC-TG-004, NCSC, 21 October 1988.
3902 [NCSC-TG-005, 1987] National Computer Security Center, "Trusted
3903 Network Interpretation", NCSC-TG-005, NCSC, 31 July 1987.
3905 [NCSC-TG-006, 1988] NCSC, "A Guide to Understanding CONFIGURATION
3906 MANAGEMENT in Trusted Systems", NCSC-TG-006, Version-1, 28 March
3909 [NCSC-TRUSIX, 1990] National Computer Security Center, "Trusted UNIX
3910 Working Group (TRUSIX) rationale for selecting access control list
3911 features for the UNIX system", Shipping list no.: 90-076-P, The
3912 Center, Fort George G. Meade, MD, 1990.
3914 [NRC, 1991] National Research Council, "Computers at Risk: Safe
3915 Computing in the Information Age", National Academy Press, 1991.
3917 [Nemeth, et. al, 1995] E. Nemeth, G. Snyder, S. Seebass, and T. Hein,
3918 "UNIX Systems Administration Handbook", Prentice Hall PTR, Englewood
3919 Cliffs, NJ, 2ed. 1995.
3921 [NIST, 1989] National Institute of Standards and Technology,
3922 "Computer Viruses and Related Threats: A Management Guide", NIST
3923 Special Publication 500-166, August 1989.
3925 [NSA] National Security Agency, "Information Systems Security
3926 Products and Services Catalog", NSA, Quarterly Publication.
3928 [NSF, 1988] National Science Foundation, "NSF Poses Code of
3929 Networking Ethics", Communications of the ACM, Vol. 32, No. 6, Pg.
3930 688, June 1989. Also appears in the minutes of the regular meeting
3931 of the Division Advisory Panel for Networking and Communications
3932 Research and Infrastructure, Dave Farber, Chair, November 29-30,
3935 [NTISSAM, 1987] NTISS, "Advisory Memorandum on Office Automation
3936 Security Guideline", NTISSAM CONPUSEC/1-87, 16 January 1987, 58
3939 [OTA-CIT-310, 1987] United States Congress, Office of Technology
3940 Assessment, "Defending Secrets, Sharing Data: New Locks and Keys for
3941 Electronic Information", OTA-CIT-310, October 1987.
3946 Site Security Working Group [Page 59]
3952 Internet Draft Site Security Handbook May 1996
3955 [OTA-TCT-606] Congress of the United States, Office of Technology
3956 Assessment, "Information Security and Privacy in Network
3957 Environments", OTA-TCT-606, September 1994.
3959 [Palmer and Potter, 1989] I. Palmer, and G. Potter, "Computer
3960 Security Risk Management", Van Nostrand Reinhold, NY, 1989.
3962 [Parker, 1989] D. Parker, "Computer Crime: Criminal Justice Resource
3963 Manual", U.S. Dept. of Justice, National Institute of Justice, Office
3964 of Justice Programs, Under Contract Number OJP-86-C-002, Washington,
3967 [Parker, Swope, and Baker, 1990] D. Parker, S. Swope, and B. Baker,
3968 "Ethical Conflicts: Information and Computer Science, Technology and
3969 Business", QED Information Sciences, Inc., Wellesley, MA. (245
3972 [Pfleeger, 1989] C. Pfleeger, "Security in Computing", Prentice-Hall,
3973 Englewood Cliffs, NJ, 1989.
3975 [Quarterman, 1990] J. Quarterman, J., "The Matrix: Computer Networks
3976 and Conferencing Systems Worldwide", Digital Press, Bedford, MA,
3979 [Ranum1, 1992] M. Ranum, "An Internet Firwall", Proceedings of World
3980 Conference on Systems Management and Security, 1992.
3982 [Ranum2, 1992] M. Ranum, "A Network Firewall", Digital Equipment
3983 Corporation Washington Open Systems Resource Center, June 12, 1992.
3985 [Ranum, 1993] M. Ranum, "Thinking About Firewalls", 1993.
3987 [Ranum and Avolio, 1994] M. Ranum and F. Avolio, "A Toolkit and
3988 Methods for Internet Firewalls", Trustest Information Systems, 1994.
3990 [Reinhardt, 1992] R. Reinhardt, "An Architectural Overview of UNIX
3993 [Reinhardt, 1993] R. Reinhardt, "An Architectural Overview of UNIX
3994 Network Security", ARINC Research Corporation, February 18, 1993.
3996 [Reynolds-RFC1135, 1989] The Helminthiasis of the Internet, RFC 1135,
3997 USC/Information Sciences Institute, Marina del Rey, CA, December
4000 [Russell and Gangemi, 1991] D. Russell and G. Gangemi, "Computer
4001 Security Basics" O'Reilly & Associates, Sebastopol, CA, 1991.
4003 [Schneier 1996] B. Schneier, "Applied Cryptography: Protocols,
4004 Algorithms, and Source Code in C", John Wiley & Sons, New York,
4005 second edition, 1996.
4007 [Seeley, 1989] D. Seeley, "A Tour of the Worm", Proceedings of 1989
4008 Winter USENIX Conference, Usenix Association, San Diego, CA, February
4012 Site Security Working Group [Page 60]
4018 Internet Draft Site Security Handbook May 1996
4023 [Shaw, 1986] E. Shaw Jr., "Computer Fraud and Abuse Act of 1986",
4024 Congressional Record (3 June 1986), Washington, D.C., 3 June 1986.
4026 [Shimomura, 1996] T. Shimomura with J. Markoff, "Takedown:The Pursuit
4027 and Capture of Kevin Mitnick, America's Most Wanted Comptuer Outlaw-
4028 by the Man Who Did It", Hyperion, 324p, 1996.
4030 [Shirey, 1990] R. Shirey, "Defense Data Network Security
4031 Architecture", Computer Communication Review, Vol. 20, No. 2, Page
4034 [Slatalla and Quittner, 1995] M. Slatalla and J. Quittner, "Masters
4035 of Deception: The Gang that Ruled Cyberspace", Harper Collins
4038 [Smith, 1989] M. Smith, "Commonsense Computer Security: Your
4039 Practical Guide to Preventing Accidental and Deliberate Electronic
4040 Data Loss", McGraw-Hill, New York, NY, 1989.
4042 [Smith, 1995] D. Smith, "Forming an Incident Response Team", Sixth
4043 Annual Computer Security Incident Handling Workshop, Boston, MA, July
4046 [Spafford, 1988] E. Spafford, "The Internet Worm Program: An
4047 Analysis", Computer Communication Review, Vol. 19, No. 1, ACM SIGCOM,
4048 January 1989. Also issued as Purdue CS Technical Report CSD-TR-823,
4051 [Spafford, 1989] G. Spafford, "An Analysis of the Internet Worm",
4052 Proceedings of the European Software Engineering Conference 1989,
4053 Warwick England, September 1989. Proceedings published by Springer-
4054 Verlag as: Lecture Notes in Computer Science #387. Also issued as
4055 Purdue Technical Report #CSD-TR-933.
4057 [Spafford, Keaphy, and Ferbrache, 1989] E. Spafford, K. Heaphy, and
4058 D. Ferbrache, "Computer Viruses: Dealing with Electronic Vandalism
4059 and Programmed Threats", ADAPSO, 1989. (109 pages.)
4061 [Stallings1, 1995] W. Stallings, "Internet Security Handbook", IDG
4062 Books, Foster City CA, 1995.
4064 [Stallings2, 1995] W. Stallings, "Network and InterNetwork Security",
4065 Prentice Hall, , 1995.
4067 [Stallings3, 1995] W. Stallings, "Protect Your Privacy: A Guide for
4068 PGP Users" PTR Prentice Hall, 1995.
4070 [Stoll, 1988] C. Stoll, "Stalking the Wily Hacker", Communications of
4071 the ACM, Vol. 31, No. 5, Pgs. 484-497, ACM, New York, NY, May 1988.
4073 [Stoll, 1989] C. Stoll, "The Cuckoo's Egg", ISBN 00385-24946-2,
4078 Site Security Working Group [Page 61]
4084 Internet Draft Site Security Handbook May 1996
4087 [Treese and Wolman, 1993] G. Treese and A. Wolman, "X Through the
4088 Firewall, and Other Applications Relays", Digital Equipment
4089 Corporation, Cambridge Research Laboratory, CRL 93/10, May 3, 1993.
4091 [Trible, 1986] P. Trible, "The Computer Fraud and Abuse Act of 1986",
4092 U.S. Senate Committee on the Judiciary, 1986.
4094 [Venema] W. Venema, "TCP WRAPPER: Network monitoring, access control,
4095 and booby traps", Mathematics and Computing Science, Eindhoven
4096 University of Technology, The Netherlands.
4098 [USENIX, 1988] USENIX, "USENIX Proceedings: UNIX Security Workshop",
4099 Portland, OR, August 29-30, 1988.
4101 [USENIX, 1990] USENIX, "USENIX Proceedings: UNIX Security II
4102 Workshop", Portland, OR, August 27-28, 1990.
4104 [USENIX, 1992] USENIX, "USENIX Symposium Proceedings: UNIX Security
4105 III", Baltimore, MD, September 14-16, 1992.
4107 [USENIX, 1993] USENIX, "USENIX Symposium Proceedings: UNIX Security
4108 IV", Santa Clara, CA, October 4-6, 1993.
4110 [USENIX, 1995] USENIX, "The Fifth USENIX UNIX Security Symposium",
4111 Salt Lake City, UT, June 5-7, 1995.
4113 [Wood, et.al., 1987] C. Wood, W. Banks, S. Guarro, A. Garcia, V.
4114 Hampel, and H. Sartorio, "Computer Security: A Comprehensive
4115 Controls Checklist", John Wiley and Sons, Interscience Publication,
4118 [Wrobel, 1993] L. Wrobel, "Writing Disaster Recovery Plans for
4119 Telecommunications Networks and LANS", Artech House, 1993.
4121 [Vallabhaneni, 1989] S. Vallabhaneni, "Auditing Computer Security: A
4122 Manual with Case Studies", Wiley, New York, NY, 1989.
4124 10. Annotated Bibliography
4126 The intent of this annotated bibliography is to offer a
4127 representative collection of resources of information that will help
4128 the user of this handbook. It is meant provide a starting point for
4129 further research in the security area. Included are references to
4130 other sources of information for those who wish to pursue issues of
4131 the computer security environment.
4135 [Appelman, et. al., 1995] Appelman, Heller, Ehrman, White, and
4136 McAuliffe, "The Law and The Internet", USENIX 1995 Technical
4137 Conference on UNIX and Advanced Computing, New Orleans, LA, January
4140 [ABA, 1989] American Bar Association, Section of Science and
4144 Site Security Working Group [Page 62]
4150 Internet Draft Site Security Handbook May 1996
4153 Technology, "Guide to the Prosecution of Telecommunication Fraud by
4154 the Use of Computer Crime Statutes", American Bar Association, 1989.
4156 [Bender, 1894] D. Bender, "Computer Law: Evidence and Procedure", M.
4157 Bender, New York, NY, 1978-present.
4159 Kept up to date with supplements. Years covering 1978-1984 focuses
4160 on: Computer law, evidence and procedures. The years 1984 to the
4161 current focus on general computer law. Bibliographical references
4164 [Bloombecker, 1990] B. Bloombecker, "Spectacular Computer Crimes",
4165 Dow Jones- Irwin, Homewood, IL. 1990.
4167 [Cavazos and Morin, 1995] E. Cavazos and G. Morin, "Cyber-Space and
4168 The Law", MIT Press, Cambridge, MA, 1995.
4170 [CCH, 1989] Commerce Clearing House, "Guide to Computer Law",
4171 (Topical Law Reports), Chicago, IL., 1989.
4173 Court cases and decisions rendered by federal and state courts
4174 throughout the United States on federal and state computer law.
4175 Includes Case Table and Topical Index.
4177 [Conly, 1989] C. Conly, "Organizing for Computer Crime Investigation
4178 and Prosecution", U.S. Dept. of Justice, Office of Justice Programs,
4179 Under Contract Number OJP-86-C-002, National Institute of Justice,
4180 Washington, DC, July 1989.
4182 [Fenwick, 1985] W. Fenwick, Chair, "Computer Litigation, 1985: Trial
4183 Tactics and Techniques", Litigation Course Handbook Series No. 280,
4184 Prepared for distribution at the Computer Litigation, 1985: Trial
4185 Tactics and Techniques Program, February-March 1985.
4187 [Gemignani, 1989] M. Gemignani, "Viruses and Criminal Law",
4188 Communications of the ACM, Vol. 32, No. 6, Pgs. 669-671, June 1989.
4190 [Huband and Shelton, 1986] F. Huband, and R. Shelton, Editors,
4191 "Protection of Computer Systems and Software: New Approaches for
4192 Combating Theft of Software and Unauthorized Intrusion", Papers
4193 presented at a workshop sponsored by the National Science Foundation,
4196 [McEwen, 1989] J. McEwen, "Dedicated Computer Crime Units", Report
4197 Contributors: D. Fester and H. Nugent, Prepared for the National
4198 Institute of Justice, U.S. Department of Justice, by Institute for
4199 Law and Justice, Inc., under contract number OJP-85-C-006,
4200 Washington, DC, 1989.
4202 [Parker, 1989] D. Parker, "Computer Crime: Criminal Justice Resource
4203 Manual", U.S. Dept. of Justice, National Institute of Justice, Office
4204 of Justice Programs, Under Contract Number OJP-86-C-002, Washington,
4210 Site Security Working Group [Page 63]
4216 Internet Draft Site Security Handbook May 1996
4219 [Shaw, 1986] E. Shaw Jr., "Computer Fraud and Abuse Act of 1986,
4220 Congressional Record (3 June 1986), Washington, D.C., 3 June 1986.
4222 [Trible, 1986] P. Trible, "The Computer Fraud and Abuse Act of 1986",
4223 U.S. Senate Committee on the Judiciary, 1986.
4226 10.2 Computer and Network Security
4228 [Brand, 1990] Brand, R., "Coping with the Threat of Computer Security
4229 Incidents: A Primer from Prevention through Recovery", R. Brand,
4230 available on-line from: cert.sei.cmu.edu:/pub/info/primer, 8 June
4233 [Bellovin, 1989] S. Bellovin, "Security Problems in the TCP/IP
4234 Protocol Suite", Computer Communication Review, Vol 19, 2, pp. 32-48,
4237 [Bellovin, 1990] S. Bellovin, and M. Merritt, "Limitations of the
4238 Kerberos Authentication System", Computer Communications Review,
4241 [BS 7799] British Standard, BS Tech Cttee BSFD/12, Info. Sec. Mgmt,
4242 "BS 7799 : 1995 Code of Practice for Information Security
4243 Management", British Standards Institution, London, 54, Effective 15
4246 Based on PD 0003: Price c. GBP 35
4248 The code is divided into 10 sections: security policy, security
4249 organization, assets classification and control, personnel security,
4250 physical and environmental security, computer and network management,
4251 system and access control, system development and maintenance,
4252 business continuity planning, and compliance.
4254 [Caelli, 1988] W. Caelli, Editor, "Computer Security in the Age of
4255 Information", Proceedings of the Fifth IFIP International Conference
4256 on Computer Security, IFIP/Sec '88.
4258 [Carroll, 1987] J. Carroll, "Computer Security", 2nd Edition,
4259 Butterworth Publishers, Stoneham, MA, 1987.
4261 [Cooper, 1989] J. Cooper, "Computer and Communications Security:
4262 Strategies for the 1990s", McGraw-Hill, 1989.
4264 [Brand, 1990] R. Brand, "Coping with the Threat of Computer Security
4265 Incidents: A Primer from Prevention through Recovery", R. Brand, 8
4268 As computer security becomes a more important issue in modern
4269 society, it begins to warrant a systematic approach. The vast
4270 majority of the computer security problems and the costs associated
4271 with them can be prevented with simple inexpensive measures. The
4272 most important and cost effective of these measures are available in
4276 Site Security Working Group [Page 64]
4282 Internet Draft Site Security Handbook May 1996
4285 the prevention and planning phases. These methods are presented in
4286 this paper, followed by a simplified guide to incident handling and
4287 recovery. Available on-line from:
4288 cert.sei.cmu.edu:/pub/info/primer.
4290 [Cheswick, 1990] B. Cheswick, "The Design of a Secure Internet
4291 Gateway", Proceedings of the Summer Usenix Conference, Anaheim, CA,
4294 Brief abstract (slight paraphrase from the original abstract): AT&T
4295 maintains a large internal Internet that needs to be protected from
4296 outside attacks, while providing useful services between the two.
4297 This paper describes AT&T's Internet gateway. This gateway passes
4298 mail and many of the common Internet services between AT&T internal
4299 machines and the Internet. This is accomplished without IP
4300 connectivity using a pair of machines: a trusted internal machine and
4301 an untrusted external gateway. These are connected by a private
4302 link. The internal machine provides a few carefully-guarded services
4303 to the external gateway. This configuration helps protect the
4304 internal internet even if the external machine is fully compromised.
4306 This is a very useful and interesting design. Most firewall gateway
4307 systems rely on a system that, if compromised, could allow access to
4308 the machines behind the firewall. Also, most firewall systems
4309 require users who want access to Internet services to have accounts
4310 on the firewall machine. AT&T's design allows AT&T internal internet
4311 users access to the standard services of TELNET and FTP from their
4312 own workstations without accounts on the firewall machine. A very
4313 useful paper that shows how to maintain some of the benefits of
4314 Internet connectivity while still maintaining strong security.
4316 [Curry, 1992] D. Curry, "UNIX System Security: A Guide for Users and
4317 Systems Administrators", Addision-Wesley, Reading, MA, 1992.
4319 [Curry, 1990] D. Curry, "Improving the Security of Your UNIX System",
4320 SRI International Report ITSTD-721-FR-90-21, April 1990.
4322 This paper describes measures that you, as a system administrator can
4323 take to make your UNIX system(s) more secure. Oriented primarily at
4324 SunOS 4.x, most of the information covered applies equally well to
4325 any Berkeley UNIX system with or without NFS and/or Yellow Pages
4326 (NIS). Some of the information can also be applied to System V,
4327 although this is not a primary focus of the paper. A very useful
4328 reference, this is also available on the Internet in various
4329 locations, including the directory cert.sei.cmu.edu:/pub/info.
4331 [Farmer and Spafford, 1990] D. Farmer and E. Spafford, "The COPS
4332 Security Checker System", Proceedings of the Summer 1990 USENIX
4333 Conference, Anaheim, CA, Pgs. 165-170, June 1990.
4335 [Farrow, 1991] Rik Farrow, "UNIX Systems Security", Addison-Wesley,
4338 [Fites, Kratz, and Brebner, 1989] M. Fites, P. Kratz, and A. Brebner,
4342 Site Security Working Group [Page 65]
4348 Internet Draft Site Security Handbook May 1996
4351 "Control and Security of Computer Information Systems", Computer
4352 Science Press, 1989.
4354 This book serves as a good guide to the issues encountered in forming
4355 computer security policies and procedures. The book is designed as a
4356 textbook for an introductory course in information systems security.
4358 The book is divided into five sections: Risk Management (I),
4359 Safeguards: security and control measures, organizational and
4360 administrative (II), Safeguards: Security and Control Measures,
4361 Technical (III), Legal Environment and Professionalism (IV), and CICA
4362 Computer Control Guidelines (V).
4364 The book is particularly notable for its straight-forward approach to
4365 security, emphasizing that common sense is the first consideration in
4366 designing a security program. The authors note that there is a
4367 tendency to look to more technical solutions to security problems
4368 while overlooking organizational controls which are often cheaper and
4369 much more effective. 298 pages, including references and index.
4371 [Forester and Morrison, 1990] T. Forester, and P. Morrison, "Computer
4372 Ethics: Tales and Ethical Dilemmas in Computing", MIT Press,
4373 Cambridge, MA, 1990.
4375 [Garfinkel and Spafford, 1991] S. Garfinkel, and E. Spafford,
4376 "Practical Unix Security", O'Reilly & Associates, ISBN 0-937175-72-2,
4379 Approx 450 pages, $29.95. Orders: 1-800-338-6887 (US & Canada),
4380 1-707-829-0515 (Europe), email: nuts@ora.com
4382 This is one of the most useful books available on Unix security. The
4383 first part of the book covers standard Unix and Unix security basics,
4384 with particular emphasis on passwords. The second section covers
4385 enforcing security on the system. Of particular interest to the
4386 Internet user are the sections on network security, which address
4387 many of the common security problems that afflict Internet Unix
4388 users. Four chapters deal with handling security incidents, and the
4389 book concludes with discussions of encryption, physical security, and
4390 useful checklists and lists of resources. The book lives up to its
4391 name; it is filled with specific references to possible security
4392 holes, files to check, and things to do to improve security. This
4393 book is an excellent complement to this handbook.
4395 [Garfinkel, 1995] S. Garfinkel, "PGP:Pretty Good Privacy", O'Reilly &
4396 Associates, Sebastopol, CA, 1996.
4398 [Garfinkel and Spafford, 1996] S. Garfinkel and E. Spafford,
4399 "Practical UNIX and Internet Security", O'Reilly & Associates,
4400 Sebastopol, CA, 1996.
4402 If you thought that the first edition was good, well this is better.
4404 [Greenia, 1989] M. Greenia, "Computer Security Information
4408 Site Security Working Group [Page 66]
4414 Internet Draft Site Security Handbook May 1996
4417 Sourcebook", Lexikon Services, Sacramento, CA, 1989.
4419 A manager's guide to computer security. Contains a sourcebook of key
4420 reference materials including access control and computer crimes
4423 [Hess, Safford, and Pooch] D. Hess, D. Safford, and U. Pooch, "A Unix
4424 Network Protocol Security Study: Network Information Service", Texas
4427 [Hoffman, 1990] L. Hoffman, "Rogue Programs: Viruses, Worms, and
4428 Trojan Horses", Van Nostrand Reinhold, NY, 1990. (384 pages,
4429 includes bibliographical references and index.)
4431 [Hughes, 1995] L. Hughes Jr., "Actually Useful: Internet Security
4432 Techniques", New Riders Publishing, Indianapolis, IN, 1995.
4434 [Howard, 1995] G. Howard, "Introduction to Internet Security: From
4435 Basics to Beyond", Prima Publishing, Rocklin, CA, 1995.
4437 [Icove, Seger, and VonStorch, 1995] D. Icove, K. Seger, and W.
4438 VonStorch, "Computer Crime: A Crimefighter's Handbook", O'Reilly &
4439 Associates, Sebastopol, CA, 1995.
4441 [Johnson and Podesta] D. Johnson, and J. Podesta, "Formulating A
4442 Company Policy on Access to and Use and Disclosure of Electronic Mail
4443 on Company Computer Systems".
4445 A white paper prepared for the EMA, written by two experts in privacy
4446 law. Gives background on the issues, and presents some policy
4449 Available from: The Electronic Mail Association (EMA) 1555 Wilson
4450 Blvd, Suite 555, Arlington, VA, 22209. (703) 522-7111.
4452 [Kaufman, Perlman, and Speciner, 1995] C. Kaufman, R. Perlman, and M.
4453 Speciner, "Network Security: PRIVATE Communication in a PUBLIC
4454 World", Prentice Hall, Englewood Cliffs, NJ, 1995.
4456 A comprehensive guide to the latest advances in computer network
4457 security protocols. 504 pages.
4459 [Kent, 1990] S. Kent, "E-Mail Privacy for the Internet: New Software
4460 and Strict Registration Procedures will be Implemented this Year",
4461 Business Communications Review, Vol. 20, No. 1, Pg. 55, 1 January
4464 [Lu and Sundareshan, 1989] W. Lu and M. Sundareshan, "Secure
4465 Communication in Internet Environments: A Hierarchical Key Management
4466 Scheme for End-to-End Encryption", IEEE Transactions on
4467 Communications, Vol. 37, No. 10, Pg. 1014, 1 October 1989.
4469 [Lu and Sundareshan, 1990] W. Lu and M. Sundareshan, "A Model for
4470 Multilevel Security in Computer Networks", IEEE Transactions on
4474 Site Security Working Group [Page 67]
4480 Internet Draft Site Security Handbook May 1996
4483 Software Engineering, Vol. 16, No. 6, Page 647, 1 June 1990.
4485 [Merkle] R. Merkle, "A Fast Software One Way Hash Function", Journal
4486 of Cryptology, Vol. 3, No. 1.
4488 [Mogel, 1989] Mogul, J., "Simple and Flexible Datagram Access
4489 Controls for UNIX-based Gateways", Digital Western Research
4490 Laboratory Research Report 89/4, March 1989.
4492 [Muffett, 1992] A. Muffett, "Crack Version 4.1: A Sensible Password
4495 [NRC, 1991] National Research Council, "Computers at Risk: Safe
4496 Computing int the Information Age", National Academy Press, 1991.
4498 [Nemeth, et. al, 1995] E. Nemeth, G. Snyder, S. Seebass, and T. Hein,
4499 "UNIX Systems Administration Handbook", Prentice Hall PTR, Englewood
4500 Cliffs, NJ, 2ed. 1995.
4502 Best book on UNIX System Administration. Also addresses UNIX
4503 security in easy understandable way.
4505 [NSA] National Security Agency, "Information Systems Security
4506 Products and Services Catalog", NSA, Quarterly Publication.
4508 NSA's catalogue contains chapter on: Endorsed Cryptographic Products
4509 List; NSA Endorsed Data Encryption Standard (DES) Products List;
4510 Protected Services List; Evaluated Products List; Preferred Products
4511 List; and Endorsed Tools List.
4513 The catalogue is available from the Superintendent of Documents, U.S.
4514 Government Printing Office, Washington, D.C. One may place telephone
4515 orders by calling: (202) 783-3238.
4517 [OTA-CIT-310, 1987] United States Congress, Office of Technology
4518 Assessment, "Defending Secrets, Sharing Data: New Locks and Keys for
4519 Electronic Information", OTA-CIT-310, October 1987.
4521 This report, prepared for congressional committee considering Federal
4522 policy on the protection of electronic information, is interesting
4523 because of the issues it raises regarding the impact of technology
4524 used to protect information. It also serves as a reasonable
4525 introduction to the various encryption and information protection
4526 mechanisms. 185 pages. Available from the U.S. Government Printing
4529 [OTA-TCT-606] Congress of the United States, Office of Technology
4530 Assessment, "Information Security and Privacy in Network
4531 Environments", OTA-TCT-606, September 1994.
4533 "This report was prepared in response to a request by the Senate
4534 Committee on Governmental Affairs and the House Subcommittee on
4535 Telecommunications and Finance. The report focuses on policy issues
4536 in three areas: 1)national cryptography policy, including federal
4540 Site Security Working Group [Page 68]
4546 Internet Draft Site Security Handbook May 1996
4549 information processing standards and export controls; 2)guidance on
4550 safeguarding unclassified information in federal agencies; and
4551 3)legal issues and information security, including electronic
4552 commerce, privacy, and intellectual property." 244 pages. Available
4553 from the U.S. Government Printing Office.
4555 [Palmer and Potter, 1989] I. Palmer, and G. Potter, "Computer
4556 Security Risk Management", Van Nostrand Reinhold, NY, 1989.
4558 [Pfleeger, 1989] C. Pfleeger, "Security in Computing", Prentice-Hall,
4559 Englewood Cliffs, NJ, 1989.
4561 A general textbook in computer security, this book provides an
4562 excellent and very readable introduction to classic computer security
4563 problems and solutions, with a particular emphasis on encryption.
4564 The encryption coverage serves as a good introduction to the subject.
4565 Other topics covered include building secure programs and systems,
4566 security of database, personal computer security, network and
4567 communications security, physical security, risk analysis and
4568 security planning, and legal and ethical issues. 538 pages including
4569 index and bibliography.
4571 [Quarterman, 1990] J. Quarterman, J., "The Matrix: Computer Networks
4572 and Conferencing Systems Worldwide", Digital Press, Bedford, MA,
4575 [Reinhardt, 1992] R. Reinhardt, "An Architectural Overview of UNIX
4578 More details in USENIX Thrid UNIX Security Symposium, September 14-16
4581 [Reinhardt, 1993] R. Reinhardt, "An Architectural Overview of UNIX
4582 Network Security", ARINC Research Corporation, February 18, 1993.
4584 [Russell and Gangemi, 1991] D. Russell and G. Gangemi, "Computer
4585 Security Basics" O'Reilly & Associates, Sebastopol, CA, 1991.
4587 [Shirey, 1990] R. Shirey, "Defense Data Network Security
4588 Architecture", Computer Communication Review, Vol. 20, No. 2, Page
4591 [Smith, 1994] D. Smith, "Forming an Incident Response Team", Sixth
4592 Annual Computer Security Incident Handling Workshop, Boston, MA, July
4595 [Smith, 1989] M. Smith, "Common Sense Computer Security: Your
4596 Practical Guide to Preventing Accidental and Deliberate Electronic
4597 Data Loss", McGraw-Hill, New York, NY, 1989.
4599 A general text on computer security and how to access actual effort
4602 [Spafford, Keaphy, and Ferbrache, 1989] E. Spafford, K. Heaphy, and
4606 Site Security Working Group [Page 69]
4612 Internet Draft Site Security Handbook May 1996
4615 D. Ferbrache, "Computer Viruses: Dealing with Electronic Vandalism
4616 and Programmed Threats", ADAPSO, 1989. (109 pages.)
4618 This is a good general reference on computer viruses and related
4619 concerns. In addition to describing viruses in some detail, it also
4620 covers more general security issues, legal recourse in case of
4621 security problems, and includes lists of laws, journals focused on
4622 computers security, and other security-related resources.
4624 Available from: ADAPSO, 1300 N. 17th St, Suite 300, Arlington VA
4625 22209. (703) 522-5055.
4627 [Stallings1, 1995] W. Stallings, "Internet Security Handbook", IDG
4628 Books, Foster City CA, 1995.
4630 [Stallings2, 1995] W. Stallings, "Network and InterNetwork Security",
4631 Prentice Hall, , 1995.
4633 [Stallings3, 1995] W. Stallings, "Protect Your Privacy: A Guide for
4634 PGP Users" PTR Prentice Hall, 1995.
4636 [Stool, 1988] C. Stoll, "Stalking the Wily Hacker", Communications of
4637 the ACM, Vol. 31, No. 5, Pgs. 484-497, ACM, New York, NY, May 1988.
4639 This article describes some of the technical means used to trace the
4640 intruder that was later chronicled in "Cuckoo's Egg" (see below).
4642 [Stool, 1989] C. Stoll, "The Cuckoo's Egg", ISBN 00385-24946-2,
4645 Clifford Stoll, an astronomer turned UNIX System Administrator,
4646 recounts an exciting, true story of how he tracked a computer
4647 intruder through the maze of American military and research networks.
4648 This book is easy to understand and can serve as an interesting
4649 introduction to the world of networking. Jon Postel says in a book
4650 review, "[this book] ... is absolutely essential reading for anyone
4651 that uses or operates any computer connected to the Internet or any
4652 other computer network."
4654 [USENIX, 1988] USENIX, "USENIX Proceedings: UNIX Security Workshop",
4655 Portland, OR, August 29-30, 1988.
4657 [USENIX, 1990] USENIX, "USENIX Proceedings: UNIX Security II
4658 Workshop", Portland, OR, August 27-28, 1990.
4660 [USENIX, 1992] USENIX, "USENIX Symposium Proceedings: UNIX Security
4661 III", Baltimore, MD, September 14-16, 1992.
4663 [USENIX, 1993] USENIX, "USENIX Symposium Proceedings: UNIX Security
4664 IV", Santa Clara, CA, October 4-6, 1993.
4666 [USENIX, 1995] USENIX, "The Fifth USENIX UNIX Security Symposium",
4667 Salt Lake City, UT, June 5-7, 1995.
4672 Site Security Working Group [Page 70]
4678 Internet Draft Site Security Handbook May 1996
4681 [Vallabhaneni, 1989] S. Vallabhaneni, "Auditing Computer Security: A
4682 Manual with Case Studies", Wiley, New York, NY, 1989.
4687 [CPSR, 1989] Computer Professionals for Social Responsibility, "CPSR
4688 Statement on the Computer Virus", CPSR, Communications of the ACM,
4689 Vol. 32, No. 6, Pg. 699, June 1989.
4691 This memo is a statement on the Internet Computer Virus by the
4692 Computer Professionals for Social Responsibility (CPSR).
4694 [Denning, 1990] P. Denning, Editor, "Computers Under Attack:
4695 Intruders, Worms, and Viruses", ACM Press, 1990.
4697 A collection of 40 pieces divided into six sections: the emergence of
4698 worldwide computer networks, electronic break-ins, worms, viruses,
4699 counterculture (articles examining the world of the "hacker"), and
4700 finally a section discussing social, legal, and ethical
4703 A thoughtful collection that addresses the phenomenon of attacks on
4704 computers. This includes a number of previously published articles
4705 and some new ones. The previously published ones are well chosen,
4706 and include some references that might be otherwise hard to obtain.
4707 This book is a key reference to computer security threats that have
4708 generated much of the concern over computer security in recent years.
4710 [Ermann, Willians, and Gutierrez, 1990] D. Ermann, M. Williams, and
4711 C. Gutierrez, Editors, "Computers, Ethics, and Society", Oxford
4712 University Press, NY, 1990. (376 pages, includes bibliographical
4715 [Foster and Morrision, 1990] T. Forester, and P. Morrison, "Computer
4716 Ethics: Tales and Ethical Dilemmas in Computing", MIT Press,
4717 Cambridge, MA, 1990. (192 pages including index.)
4719 From the preface: "The aim of this book is two-fold: (1) to describe
4720 some of the problems created by society by computers, and (2) to show
4721 how these problems present ethical dilemmas for computers
4722 professionals and computer users.
4724 The problems created by computers arise, in turn, from two main
4725 sources: from hardware and software malfunctions and from misuse by
4726 human beings. We argue that computer systems by their very nature
4727 are insecure, unreliable, and unpredictable -- and that society has
4728 yet to come to terms with the consequences. We also seek to show how
4729 society has become newly vulnerable to human misuse of computers in
4730 the form of computer crime, software theft, hacking, the creation of
4731 viruses, invasions of privacy, and so on."
4733 The eight chapters include "Computer Crime", "Software Theft",
4734 "Hacking and Viruses", "Unreliable Computers", "The Invasion of
4738 Site Security Working Group [Page 71]
4744 Internet Draft Site Security Handbook May 1996
4747 Privacy", "AI and Expert Systems", and "Computerizing the Workplace."
4748 Includes extensive notes on sources and an index.
4750 [Gould, 1989] C. Gould, Editor, "The Information Web: Ethical and
4751 Social Implications of Computer Networking", Westview Press, Boulder,
4754 [IAB-RFC1087, 89] Internet Activities Board, "Ethics and the
4755 Internet", RFC 1087, IAB, January 1989. Also appears in the
4756 Communications of the ACM, Vol. 32, No. 6, Pg. 710, June 1989.
4758 This memo is a statement of policy by the Internet Activities Board
4759 (IAB) concerning the proper use of the resources of the Internet.
4760 Available on-line on host ftp.nisc.sri.com, directory rfc, filename
4761 rfc1087.txt. Also available on host nis.nsf.net, directory RFC,
4762 filename RFC1087.TXT-1.
4764 [Martin and Schinzinger, 1989] M. Martin, and R. Schinzinger, "Ethics
4765 in Engineering", McGraw Hill, 2nd Edition, 1989.
4767 [MIT, 1989] Massachusetts Institute of Technology, "Teaching Students
4768 About Responsible Use of Computers", MIT, 1985-1986. Also reprinted
4769 in the Communications of the ACM, Vol. 32, No. 6, Pg. 704, Athena
4770 Project, MIT, June 1989. This memo is a statement of policy by the
4771 Massachusetts Institute of Technology (MIT) on the responsible use of
4774 [NIST, 1989] National Institute of Standards and Technology,
4775 "Computer Viruses and Related Threats: A Management Guide", NIST
4776 Special Publication 500-166, August 1989.
4778 [NSF, 1988] National Science Foundation, "NSF Poses Code of
4779 Networking Ethics", Communications of the ACM, Vol. 32, No. 6, Pg.
4780 688, June 1989. Also appears in the minutes of the regular meeting
4781 of the Division Advisory Panel for Networking and Communications
4782 Research and Infrastructure, Dave Farber, Chair, November 29-30,
4785 This memo is a statement of policy by the National Science Foundation
4786 (NSF) concerning the ethical use of the Internet.
4788 [Parker, Swope, and Baker, 1990] D. Parker, S. Swope, and B. Baker,
4789 "Ethical Conflicts: Information and Computer Science, Technology and
4790 Business", QED Information Sciences, Inc., Wellesley, MA. (245
4793 Additional publications on Ethics:
4795 The University of New Mexico (UNM)
4797 The UNM has a collection of ethics documents. Included are
4798 legislation from several states and policies from many
4804 Site Security Working Group [Page 72]
4810 Internet Draft Site Security Handbook May 1996
4813 Access is via FTP, IP address ariel.umn.edu. Look in the
4819 [Bellovin, 1992] S. Bellovin, "There Be Dragon", USENIX: Proceedings
4820 of the Third Usenix Security Symposium, Baltimore, MD. September,
4823 [Chapman, 1992] B. Chapman, "Network(In) Security Through IP Packet
4824 Filtering", USSENIX: Proceedings of the Thrid UNIX Security
4825 Symposium, Balimore, MD, September 1992.
4827 [Chapman and Zwicky, 1995] B. Chapman and E. Zwicky, "Building
4828 Internet Firewalls", O'Reilly and Associates, Sebastopol, CA, 1995.
4830 [Cheswick1] W. Cheswick, "An Evening with Berferd In Which a Cracker
4831 is Lured, Endured, and Studied", AT&T Bell Laboratories.
4833 [Cheswick2] W. Cheswick, "The Design of a Secure Internet Gateway",
4834 Proceedings of the Summer Usenix Conference, Anaheim, CA, June 1990.
4836 [Cheswick and Bellovin, 1994] W. Cheswick and S. Bellovin, "Firewalls
4837 and Internet Security: Repelling the Wily Hacker", Addision-Wesley,
4840 Landmark book on Firewalls. A must for anyone designing, installing,
4843 [NCSA, 1995] NCSA, "NCSA Firewall Policy Guide", 1995.
4845 [NCSA, 1996] NCSA, "Firewalls & Internet Security Conference '96
4848 [Ranum, 1992] M. Ranum, "A Network Firewall", Digital Equipment
4849 Corporation Washington Open Systems Resource Center, June 12, 1992.
4851 [Ranum, 1992] M. Ranum, "An Internet Firwall", Proceedings of World
4852 Conference on Systems Management and Security, 1992.
4854 Available ftp://decuac.dec.com/pub/docs/firewall/firewall.ps
4856 [Ranum, 1993] M. Ranum, "Thinking About Firewalls", 1993.
4858 A good start for those implementing or installing firewalls.
4859 Available ftp://ftp.tis.com
4861 [Ranum and Avolio, 1994] M. Ranum and F. Avolio, "A Toolkit and
4862 Methods for Internet Firewalls", Trustest Information Systems, 1994.
4864 Available ftp://ftp.tis.com
4866 [Treese and Wolman, 1993] G. Treese and A. Wolman, "X Through the
4870 Site Security Working Group [Page 73]
4876 Internet Draft Site Security Handbook May 1996
4879 Firewall, and Other Applications Relays", Digital Equipment
4880 Corporation, Cambridge Research Laboratory, CRL 93/10, May 3, 1993.
4882 [Venema] W. Venema, "TCP WRAPPER: Network monitoring, access control,
4883 and booby traps", Mathematics and Computing Science, Eindhoven
4884 University of Technology, The Netherlands.
4886 Available ftp://ftp.win.tue.nl/pub/security
4888 10.5 Internet Worms, Hackers, Computer Viruses, etc
4890 [Barrett, 1996] D. Barrett, "Bandits on the Information
4891 Superhighway", O'Reilly & Associates, Sebastopol, CA, 1996.
4893 [Brock, 1989] J. Brock, "November 1988 Internet Computer Virus and
4894 the Vulnerability of National Telecommunications Networks to Computer
4895 Viruses", GAO/T-IMTEC-89-10, Washington, DC, 20 July 1989.
4897 Testimonial statement of Jack L. Brock, Director, U. S. Government
4898 Information before the Subcommittee on Telecommunications and
4899 Finance, Committee on Energy and
4900 Commerce, House of Representatives.
4902 [Eichin and Rochlis, 1989] M. Eichin, and J. Rochlis, "With
4903 Microscope and Tweezers: An Analysis of the Internet Virus of
4904 November 1988", Massachusetts Institute of Technology, February 1989.
4906 Provides a detailed dissection of the worm program. The paper
4907 discusses the major points of the worm program then reviews
4908 strategies, chronology, lessons and open issues, Acknowledgments;
4909 also included are a detailed appendix on the worm program subroutine
4910 by subroutine, an appendix on the cast of characters, and a reference
4913 [Eisenbery, et. al., 89] T. Eisenberg, D. Gries, J. Hartmanis, D.
4914 Holcomb, M. Lynn, and T. Santoro, "The Computer Worm", Cornell
4915 University, 6 February 1989.
4917 A Cornell University Report presented to the Provost of the
4918 University on 6 February 1989 on the Internet Worm.
4920 [Fites, Johnson, and Kratz, 1992] Fites, Johnson, and Kratz, "The
4921 Computer Virus Crisis", Van Hostrand Reinhold, 2nd edition, 1992.
4923 [GAO/IMTEX-89-57, 1989] U.S. General Accounting Office, "Computer
4924 Security - Virus Highlights Need for Improved Internet Management",
4925 United States General Accounting Office, Washington, DC, 1989.
4927 This 36 page report (GAO/IMTEC-89-57), by the U.S. Government
4928 Accounting Office, describes the Internet worm and its effects. It
4929 gives a good overview of the various U.S. agencies involved in the
4930 Internet today and their concerns vis-a-vis computer security and
4936 Site Security Working Group [Page 74]
4942 Internet Draft Site Security Handbook May 1996
4945 Available on-line on host nnsc.nsf.net, directory pub, filename
4946 GAO_RPT; and on nis.nsf.net, directory nsfnet, filename GAO_RPT.TXT.
4948 [Goodell, 1996] J. Goodell, "The Cyberthief and the Samurai: The True
4949 Story of Kevin Mitnick-And The Man Who Hunted Him Down", Dell
4950 Publishing, 328pp, 1996.
4952 [Hafner and Markoff, 1991] K. Hafner and J. Markoff, "Cyberpunk:
4953 Outlaws and Hackers on the Computer Frontier", Touchstone, Simon &
4956 [Kane, 1994] P. Kane, "PC Security and Virus Protection Handbook: The
4957 Ongoing War Against Information Sabotage", M&T Books, 1994.
4959 [IVPC, 1996] IVPC, "International Virus Prevention Conference '96
4960 Proceedings", NCSA, 1996.
4962 [Levy, 1984] S. Levy, "Hacker: Heroes of the Computer Revolution",
4967 [NCSA, 1995] NCSA, "NCSA's Corporate Computer Virus Prevention Policy
4970 [Littleman, 1996] J. Littleman, "The Fugitive Game: Online with Kevin
4971 Mitnick", Little, Brown, Boston, MA. 333p, 1996.
4973 [Reynolds-RFC1135, 1989] The Helminthiasis of the Internet, RFC 1135,
4974 USC/Information Sciences Institute, Marina del Rey, CA, December
4977 This report looks back at the helminthiasis (infestation with, or
4978 disease caused by parasitic worms) of the Internet that was unleashed
4979 the evening of 2 November 1988. This document provides a glimpse at
4980 the infection,its festering, and cure. The impact of the worm on the
4981 Internet community, ethics statements, the role of the news media,
4982 crime in the computer world, and future prevention is discussed. A
4983 documentation review presents four publications that describe in
4984 detail this particular parasitic computer program. Reference and
4985 bibliography sections are also included. Available on-line on host
4986 ftp.nisc.sri.com directory rfc, filename rfc1135.txt. Also available
4987 on host nis.nsf.net, directory RFC, filename RFC1135.TXT-1.
4989 [Seeley, 1989] D. Seeley, "A Tour of the Worm", Proceedings of 1989
4990 Winter USENIX Conference, Usenix Association, San Diego, CA, February
4993 Details are presented as a "walk through" of this particular worm
4994 program. The paper opened with an abstract, introduction, detailed
4995 chronology of events upon the discovery of the worm, an overview, the
4996 internals of the worm, personal opinions, and conclusion.
4998 [Shimomura, 1996] T. Shimomura with J. Markoff, "Takedown:The Pursuit
5002 Site Security Working Group [Page 75]
5008 Internet Draft Site Security Handbook May 1996
5011 and Capture of Kevin Mitnick, America's Most Wanted Computer Outlaw-
5012 by the Man Who Did It", Hyperion, 324p, 1996.
5014 [Slatalla and Quittner, 1995] M. Slatalla and J. Quittner, "Masters
5015 of Deception: The Gang that Ruled Cyberspace", Harper Collins
5018 [Spafford, 1988] E. Spafford, "The Internet Worm Program: An
5019 Analysis", Computer Communication Review, Vol. 19, No. 1, ACM SIGCOM,
5020 January 1989. Also issued as Purdue CS Technical Report CSD-TR-823,
5023 Describes the infection of the Internet as a worm program that
5024 exploited flaws in utility programs in UNIX based systems. The
5025 report gives a detailed description of the components of the worm
5026 program: data and functions. Spafford focuses his study on two
5027 completely independent reverse-compilations of the worm and a version
5028 disassembled to VAX assembly language.
5030 [Spafford, 1989] G. Spafford, "An Analysis of the Internet Worm",
5031 Proceedings of the European Software Engineering Conference 1989,
5032 Warwick England, September 1989. Proceedings published by Springer-
5033 Verlag as: Lecture Notes in Computer Science #387. Also issued as
5034 Purdue Technical Report #CSD-TR-933.
5037 10.6 National Computer Security Center (NCSC)
5039 All NCSC publications, approved for public release, are available
5040 from the NCSC Superintendent of Documents.
5042 NCSC =3D National Computer Security Center 9800 Savage Road Ft Meade,
5045 CSC =3D Computer Security Center: an older name for the NCSC
5047 NTISS =3D National Telecommunications and Information Systems Security
5048 NTISS Committee, National Security Agency Ft Meade, MD 20755-6000
5050 [CSC-STD-002-85, 1985] Department of Defense, "Password Management
5051 Guideline", CSC-STD-002-85, 12 April 1985, 31 pages.
5053 The security provided by a password system depends on the passwords
5054 being kept secret at all times. Thus, a password is vulnerable to
5055 compromise whenever it is used, stored, or even known. In a
5056 password-based authentication mechanism implemented on an ADP system,
5057 passwords are vulnerable to compromise due to five essential aspects
5058 of the password system: 1) a password must be initially assigned to a
5059 user when enrolled on the ADP system; 2) a user's password must be
5060 changed periodically; 3) the ADP system must maintain a 'password
5061 database'; 4) users must remember their passwords; and 5) users must
5062 enter their passwords into the ADP system at authentication time.
5063 This guideline prescribes steps to be taken to minimize the
5064 vulnerability of passwords in each of these circumstances.
5068 Site Security Working Group [Page 76]
5074 Internet Draft Site Security Handbook May 1996
5077 [NCSC-TG-001, 1988] NCSC, "A Guide to Understanding AUDIT in Trusted
5078 Systems", NCSC-TG-001, Version-2, 1 June 1988, 25 pages.
5080 Audit trails are used to detect and deter penetration of a computer
5081 system and to reveal usage that identifies misuse. At the discretion
5082 of the auditor, audit trails may be limited to specific events or may
5083 encompass all of the activities on a system. Although not required
5084 by the criteria, it should be possible for the target of the audit
5085 mechanism to be either a subject or an object. That is to say, the
5086 audit mechanism should be capable of monitoring every time John
5087 accessed the system as well as every time the nuclear reactor file
5088 was accessed; and likewise every time John accessed the nuclear
5091 [NCSC-TG-003, 1987] NCSC, "A Guide to Understanding DISCRETIONARY
5092 ACCESS CONTROL in Trusted Systems", NCSC-TG-003, Version-1, 30
5093 September 1987, 29 pages.
5095 Discretionary control is the most common type of access control
5096 mechanism implemented in computer systems today. The basis of this
5097 kind of security is that an individual user, or program operating on
5098 the user's behalf, is allowed to specify explicitly the types of
5099 access other users (or programs executing on their behalf) may have
5100 to information under the user's control. [...] Discretionary
5101 controls are not a replacement for mandatory controls. In any
5102 environment in which information is protected, discretionary security
5103 provides for a finer granularity of control within the overall
5104 constraints of the mandatory policy.
5106 [NCSC-TG-006, 1988] NCSC, "A Guide to Understanding CONFIGURATION
5107 MANAGEMENT in Trusted Systems", NCSC-TG-006, Version-1, 28 March
5110 Configuration management consists of four separate tasks:
5111 identification, control, status accounting, and auditing. For every
5112 change that is made to an automated data processing (ADP) system, the
5113 design and requirements of the changed version of the system should
5114 be identified. The control task of configuration management is
5115 performed by subjecting every change to documentation, hardware, and
5116 software/firmware to review and approval by an authorized authority.
5117 Configuration status accounting is responsible for recording and
5118 reporting on the configuration of the product throughout the change.
5119 Finally, though the process of a configuration audit, the completed
5120 change can be verified to be functionally correct, and for trusted
5121 systems, consistent with the security policy of the system.
5123 [NTISSAM, 1987] NTISS, "Advisory Memorandum on Office Automation
5124 Security Guideline", NTISSAM CONPUSEC/1-87, 16 January 1987, 58
5127 This document provides guidance to users, managers, security
5128 officers, and procurement officers of Office Automation Systems.
5129 Areas addressed include: physical security, personnel security,
5130 procedural security, hardware/software security, emanations security
5134 Site Security Working Group [Page 77]
5140 Internet Draft Site Security Handbook May 1996
5143 (TEMPEST), and communications security for stand-alone OA Systems, OA
5144 Systems used as terminals connected to mainframe computer systems,
5145 and OA Systems used as hosts in a Local Area Network (LAN).
5146 Differentiation is made between those Office Automation Systems
5147 equipped with removable storage media only (e.g., floppy disks,
5148 cassette tapes, removable hard disks) and those Office Automation
5149 Systems equipped with fixed media (e.g., Winchester disks).
5151 Additional NCSC Publications:
5153 [NCSC-TG-004, 1988] National Computer Security Center, "Glossary of
5154 Computer Security Terms", NCSC-TG-004, NCSC, 21 October 1988.
5156 [NCSC-TCSEC, 1985] National Computer Security Center, "Trusted
5157 Computer System Evaluation Criteria", DoD 5200.28-STD, CSC-STD-001-
5158 83, NCSC, December 1985.
5160 [NCSC-CSC-STD-003-85, 1985] National Computer Security Center,
5161 "Guidance for Applying the Department of Defense Trusted Computer
5162 System Evaluation Criteria in Specific Environments", CSC-STD-003-85,
5165 [NCSC-STD-004-85, 1985] National Computer Security Center, "Technical
5166 Rationale Behind CSC-STD-003-85: Computer Security Requirements",
5167 CSC-STD-004-85, NCSC, 25 June 1985.
5169 [NCSC-STD-005-85, 1985] National Computer Security Center, "Magnetic
5170 Remanence Security Guideline", CSC-STD-005-85, NCSC, 15 November
5173 This guideline is tagged as a "For Official Use Only" exemption under
5174 Section 6, Public Law 86-36 (50 U.S. Code 402). Distribution
5175 authorized of U.S. Government agencies and their contractors to
5176 protect unclassified technical, operational, or administrative data
5177 relating to operations of the National Security Agency.
5179 [NCSC-89-660-P, 1990] National Computer Security Center, "Guidelines
5180 for Formal Verification Systems", Shipping list no.: 89-660-P, The
5181 Center, Fort George G. Meade, MD, 1 April 1990.
5183 [NCSC-89-254-P, 1988] National Computer Security Center, "Glossary of
5184 Computer Security Terms", Shipping list no.: 89-254-P, The Center,
5185 Fort George G. Meade, MD, 21 October 1988.
5187 [NCSC-TRUSIX, 1990] National Computer Security Center, "Trusted UNIX
5188 Working Group (TRUSIX) rationale for selecting access control list
5189 features for the UNIX system", Shipping list no.: 90-076-P, The
5190 Center, Fort George G. Meade, MD, 1990.
5192 [NCSC-TG-005, 1987] National Computer Security Center, "Trusted
5193 Network Interpretation", NCSC-TG-005, NCSC, 31 July 1987.
5195 [NCSC-C1-001-89, 1989] Tinto, M., "Computer Viruses: Prevention,
5196 Detection, and Treatment", National Computer Security Center C1
5200 Site Security Working Group [Page 78]
5206 Internet Draft Site Security Handbook May 1996
5209 Technical Report C1-001-89, June 1989.
5211 [NCSC Conference, 1989] National Computer Security Conference, "12th
5212 National Computer Security Conference: Baltimore Convention Center,
5213 Baltimore, MD, 10-13 October, 1989: Information Systems Security,
5214 Solutions for Today - Concepts for Tomorrow", National Institute of
5215 Standards and National Computer Security Center, 1989.
5218 10.7 Security Checklists
5220 [Aucion, 1989] R. Aucoin, "Computer Viruses: Checklist for Recovery",
5221 Computers in Libraries, Vol. 9, No. 2, Pg. 4, 1 February 1989.
5223 [Wood, et.al., 1987] C. Wood, W. Banks, S. Guarro, A. Garcia, V.
5224 Hampel, and H. Sartorio, "Computer Security: A Comprehensive
5225 Controls Checklist", John Wiley and Sons, Interscience Publication,
5228 10.8 Disaster Recovery
5230 [Bates, 1992] R. Bates, "Disaster Recovery Planning: Networks,
5231 Telecommunications and Data Communications", McGraw-Hill, 1992.
5233 [Lewis, 1996] S. Lewis, "Disaster Recovery Yellow Pages", The Systems
5236 [Wrobel, 1993] L. Wrobel, "Writing Disaster Recovery Plans for
5237 Telecommunications Networks and LANS", Artech House, 1993.
5239 10.9 Additional Publications
5241 10.9.1 Defense Data Network's Network Information Center (DDN NIC)
5243 The DDN NIC maintains DDN Security bulletins and DDN Management
5244 bulletins online on the machine: NIC.DDN.MIL. They are available via
5245 anonymous FTP. The DDN Security bulletins are in the directory: SCC,
5246 and the DDN Management bulletins are in the directory: DDN-NEWS.
5248 For additional information, you may send a message to:
5249 NIC@NIC.DDN.MIL, or call the DDN NIC at: 1-800-235-3155.
5251 [DDN88] Defense Data Network, "BSD 4.2 and 4.3 Software Problem
5252 Resolution", DDN MGT Bulletin #43, DDN Network Information Center, 3
5255 A Defense Data Network Management Bulletin announcement on the 4.2bsd
5256 and 4.3bsd software fixes to the Internet worm.
5258 [DDN89] DCA DDN Defense Communications System, "DDN Security Bulletin
5259 03", DDN Security Coordination Center, 17 October 1989.
5261 10.9.2 IEEE Proceedings
5266 Site Security Working Group [Page 79]
5272 Internet Draft Site Security Handbook May 1996
5275 [IEEE] "Proceedings of the IEEE Symposium on Security and Privacy",
5278 IEEE Proceedings are available from:
5280 Computer Society of the IEEE P.O. Box 80452 Worldway Postal Center
5281 Los Angeles, CA 90080
5283 10.9.3 Other Publications:
5285 Computer Law and Tax Report Computers and Security Security
5286 Management Magazine Journal of Information Systems Management Data
5287 Processing & Communications Security SIG Security, Audit & Control
5293 Software Engineering Institute
5294 Carnegie Mellon University
5296 Pittsburgh, PA 15213
5298 Phone: (412) 268-5010
5332 Site Security Working Group [Page 80]
projects / homepage.git / blob