Computer Security Handbook 4th pdf

(1)

TE

AM

FL

Y

(2)

COMPUTER SECURITY

HANDBOOK

Fourth Edition

Edited by

SEYMOUR BOSWORTH

M.E. KABAY

(3)

This book is printed on acid-free paper.

䡬

⬁

Published simultaneously in Canada.

No part of this publication may be reproduced, stored in a retrieval system or transmitted in any form or by any means, electronic, mechanical, photocopying, recording, scanning or otherwise, except as permitted under Sections 107 or 108 of the 1976 United States Copyright Act, without either the prior written permission of the Publisher, or authorization through payment of the appropriate per-copy fee to the Copyright Clearance Center, 222 Rosewood Drive, Danvers, MA 01923, (978) 750-8400, fax (978) 750-4744. Requests to the Publisher for permission should be addressed to the Permissions Department, John Wiley & Sons, Inc., 605 Third Avenue, New York, NY 10158-0012, (212) 850-6011, fax (212) 850-6008, E-Mail: PERMREQ @ WILEY.COM.

This publication is designed to provide accurate and authoritative information in regard to the subject matter covered. It is sold with the understanding that the publisher is not engaged in rendering legal, accounting, or other professional services. If legal advice or other expert assistance is required, the services of a competent professional person should be sought.

ISBN 0-471-41258-9

Printed in the United States of America.

(4)

PREFACE

Computers are an integral part of our economic, social, professional, governmental, and military infrastructures. They have become necessities in virtually every area of modern life, but their vulnerability is of increasing concern. Computer-based systems are constantly under threats of inadvertent error and acts of nature, as well as those attributable to unethical, immoral, and criminal activities. It is the purpose of this Com-puter Security Handbookto provide guidance in eliminating these threats where pos-sible, and if not, then to lessen any losses attributable to them.

ThisHandbookwill be most valuable to those directly responsible for computer, network, or information security, as well as those who must design, install, and main-tain secure systems. It will be equally important to those managers whose operating functions can be affected by breaches in security, and to those executives who are responsible for protecting the assets that have been entrusted to them.

With the advent of desktop, laptop, and handheld computers, and with the vast inter-national networks that interconnect them, the nature and extent of threats to computer security have grown almost beyond measure. In order to encompass this unprecedented expansion, the Computer Security Handbook has grown apace.

When the first edition of the Handbookwas published, its entire focus was on main-frame computers, the only type then in widespread use. The second edition recognized the advent of small computers, while the third edition placed increased emphasis on PCs and networks.

Now, this fourth edition of the Computer Security Handbook,gives almost equal attention to mainframes and microcomputers. With 54 chapters alone requiring over 1,100 pages, the related tutorials and appendixes have been installed on the Internet at www.wiley.com/go/securityhandbook. This electronic supplement has made possible the manageable size and weight of the present hard-copy book, while presenting a greater wealth of material than ever before. The Internet presence has the added advan-tages of providing hyperlinks to other relevant sites and of making updates feasible.

v Edition Date Chapters Text Pages of Total Internet

Pages Appendices Pages Supplement

First 1973 12 162 3 165 —

Second 1988 19 298 93 391 —

Third 1995 23 571 365 984 —

(5)

The Internet has been invaluable in another way. Each of the 54 chapters has made at least seven retransmissions via e-mail among authors, editors, and the publisher. Earlier editions had all of this done by courier or overnight delivery, with attendant delays and significant costs. Not only are PCs and the Internet a major subject of this volume, but they have also been the instruments without which it might never have come into being.

In speaking of the earlier editions, I would like to give grateful recognition to Arthur Hutt and Douglas Hoyt, my previous co-editors. Although both Art and Doug are deceased, their commitment and their competence remain as constant reminders to strive for excellence. Mich Kabay, my new co-editor continues in their tradition. I would not have wanted to undertake this project without him.

Thanks are also due to our colleagues at John Wiley and Sons. Sheck Cho as Exec-utive Editor, Tim Burgard as Associate Editor, Louise Jacobs as Associate Managing Editor, and Debra Manette and John Curley as copyeditors all have performed their duties in exemplary manner.

Finally, although the authors and editors of this Handbookhave attempted to cover the essential elements of computer security, the disaster of September 11, 2001, demon-strates that new threats may come from unexpected directions. The primary emphasis of the Computer Security Handbookhas always been on prevention, but should this fail, the fundamental practices described here will help to mitigate the consequences.

SEYMOURBOSWORTH Senior Editor February 2002

A Note from the Co-Editor

I am immeasurably grateful to Sy Bosworth for his leadership in this project. Although we have never met each other in the physical world, I feel that we have become good friends through our constant communication through cyberspace.

Our authors deserve enormous credit for the professional way in which they responded to our requests, outlines, suggestions, corrections, and nagging. I want to express my personal gratitude and appreciation for their courteous, collaborative, and responsive interactions with us.

Finally, as always, I want to thank my beloved wife, Deborah Black, light of my life, for her support and understanding over the many months during which this project has taken away from our time together.

(6)

ABOUT THE EDITORS

Seymour Bosworth (e-mail: sybosworth@aol.com), MS, CDP, is president of S. Bosworth & Associates, Plainview, New York, a management consulting firm active in computing applications for banking, commerce, and industry. Since 1972, he has been a contributing editor of all four editions of the Computer Security Handbook,and he has written many articles and lectured extensively about computer security and other technical and managerial subjects. He has been responsible for design and manufacture, system analysis, programming, and operations, of both digital and analog computers. For his technical contributions, including an error-computing calibrator, a program-ming aid, and an analog-to-digital converter, he has been granted a number of patents, and is working on several others.

Bosworth is a former president and CEO of Computer Corporation of America, manufacturers of computers for scientific and engineering applications; president of Abbey Electronics Corporation, manufacturers of precision electronic instruments and digital devices; and president of Alpha Data Processing Corporation, a general-purpose computer service bureau. As a vice president at Bankers Trust company, he had overall responsibility for computer operations, including security concerns.

For more than 20 years, Bosworth was an adjunct associate professor of manage-ment at the Information Technologies Institute of New York University, where he lec-tured on computer security and related disciplines. He holds a master’s degree from the Graduate School of Business of Columbia University, and the Certificate in Data Processing of the Data Processing Management Association.

M.E. Kabay,Ph.D., CISSP (e-mail: mkabay@norwich.edu) began learning assem-bler at age 15 and had learned FORTRAN IV G at McGill University by 1966. In 1976, he received his Ph.D. from Dartmouth College in applied statistics and inver-tebrate zoology. He has published over 350 articles in operations management and security in several trade journals. He currently writes two columns a week for Net-work World Fusion; archives are at www.nwfusion.com/newsletters/sec/. Kabay was Director of Education for the National Computer Security Association from 1991 to the end of 1999. He was Security Leader for the INFOSEC Group of AtomicTangerine, Inc., from January 2000 to June 2001 and joined the faculty at Norwich University in July 2001 as Associate Professor of Computer Information Systems. In January 2002, he took on additional duties as the director of the graduate program in information assurance at Norwich. He has a Web site at www2.norwich.edu/mkabay/index.htm.

(7)

(8)

ABOUT THE CONTRIBUTORS

Rebecca G. (Becky) Bace (e-mail: infomom@infidel.net) is the President/CEO of Infidel, Inc. (www.infidel.net), a network security consulting practice. She has been an active force in the intrusion detection community for over a decade: as the director of the National Security Agency’s research program for intrusion detection (1989 –1996), where she funded much of the early research in intrusion detection; as deputy secu-rity officer for the Computing Information, and Communications Division of the Los Alamos National Laboratory (1996 –1997); and in her current capacity at Infidel. Bace is author of the National Institute for Standards and Technology’s Special Publication on Intrusion Detection (SP 800-31), the book Intrusion Detection(Macmillan Technical Publishing, 2000), and a variety of intrusion detection references published over the last five years. She is currently advising a group of security solution startups; working with Trident Capital (www.tridentcap.com), where she is responsible for directing net-work security investment activities; and serving as faculty for the popular Intrusion Detection Forum series for senior information security managers offered by the Insti-tute for Applied Network Security (www.ianetsec.com).

Timothy Braithwaite (e-mail:tim.braithwaite@titan.com) has more than 30 years of hands-on experience in all aspects of automated information processing and com-munications. He is currently Deputy Director of Strategic Programs at the Center for Information Assurance of Titan Corporation. Before joining Titan Corporation, he man-aged most aspects of information technology, including data and communications centers, software development projects, strategic planning and budget organizations, system security programs, and quality improvement initiatives. His pioneering work in computer systems and communications security while with the Department of Defense resulted in his selection to be the first Systems Security Officer for the Social Security Administration in 1980. After developing security policy and establishing a nation-wide network of regional security officers, Braithwaite directed the risk assessment of all payment systems for the agency. In 1982, he assumed the duties of Deputy Director, Systems Planning and Control of the SSA, where he performed substantive reviews of all major acquisitions for the Associate Commissioner for Systems and, through a facilitation process, personally led the development of the first Strategic Systems Plan for the Administration. In 1984, he became Director of Information and Communication Services for the Bureau of Alcohol, Tobacco, and Firearms at the Department of Trea-sury. In the private sector, he worked in senior technical and business development posi-tions for SAGE Federal Systems, a software development company; Validity Corporation, a testing and independent validation and verification company; and J.G. Van Dyke & Associates where he was Director: Y2K Testing Services. He was recruited to join Titan Corporation in December 1999 to assist in establishing and growing the company’s

(9)

Information Assurance (IA) practice. He recently authored Securing E-Business: A Guide for Managers and Executives (John Wiley & Sons, 2002). He can be reached by phone at 301 982 5414.

Paul J. Brusil,Ph.D (e-mail:brusil@post.harvard.edu) founded Strategic Manage-ment Directions, a security and enterprise manageManage-ment consultancy in Beverly, Mass-achusetts, He has been working with various industry and government sectors including healthcare, telecommunications, and middleware to improve the specification, imple-mentation, and use of trustworthy, quality, security-related products and systems. He supported strategic planning that led to the National Information Assurance Partner-ship and other industry forums created to understand, promote, and use the Common Criteria to develop security and assurance requirements and evaluated products. Brusil has organized, convened, and chaired several national workshops, conferences, and international symposia pertinent to management and security. Through these and other efforts to stimulate awareness and cooperation among competing market forces, he spearheaded industry’s development of the initial open, secure, convergent, standards-based network and enterprise management solutions. While at the MITRE Corp, Brusil led R&D critical to the commercialization of world’s first LAN solutions, Earlier, at Harvard, he pioneered research leading to noninvasive diagnosis of cardio-pulmonary dysfunction. He is a Senior Member of the IEEE, a member of the Editorial Advisory Board of the Journal of Network and Systems Management(JNSM), and has been Senior Technical Editor for JNSM.He has authored nearly over 100 papers and book chapters. He graduated from Harvard University with a joint degree in Engineering and Medicine.

David Brussin,CISSP (e-mail:dbrussin@pobox.com), is a leading technical security and privacy expert. His experience architecting robust, efficient, and secure informa-tion handling processes and electronic business systems for Fortune 100 organizainforma-tions led to the creation of unique formal models for information security, including Three Layer Analysis and Successive Compromise Analysis. His techniques, which provide a complete, repeatable methodology for designing and verifying the security of con-nected infrastructure, are recognized as an industry-leading approach. He is now serv-ing as Chief Technology Officer for ePrivacy Group, a Philadelphia-based privacy consulting, training, and technology company. He was a founding partner of InfoSec Labs, Inc., and then Director of Security Technology for Rainbow Technologies fol-lowing its acquisition of InfoSec Labs in 1999. Brussin has published numerous arti-cles and is a frequent speaker on security and privacy issues.

Quinn Campbell (e-mail:qcampbell@hushmail.com) has worked in the informa-tion security field for over six years. He specializes in IT threat analysis and educainforma-tion.

John M. Carroll,LL.B., Dr. Eng. Sci. (e-mail:jmcarroll7@aol.com) is a Professor Emeritus in the Department of Computer Science of the University of Western Ontario. He is a registered professional engineer and works in a criminal law practice. His research interests are information technology risk management; cryptography; and microdocumentary analysis. He has been consulted by police and security forces in seven countries.

(10)

numerous contributions to PKI technology and related standards including trust models, security, and policy and revocation processing. He is the inventor of the PKI Certifi-cate Policy and Certification Practices Statement Framework. His pioneering work in this area led to the Internet RFC that is used as the Standard for CP and CPS by gov-ernments and industry throughout the world. Before starting CygnaCom, he worked for The MITRE Corporation from 1978 to 1994. At MITRE, he was senior technical manager and managed a variety of technology research, development, and engineering projects in the areas of PKI, computer security, expert systems, image processing, and computer graphics. He obtained his Masters (1971) and Ph.D. (1975) in EE/CS from Rutgers University, where he was a Louis Bevior Fellow from 1971–1973.

Chey Cobb,CISSP (e-mail:chey@patriot.net) began her career in information secu-rity while at the National Computer Secusecu-rity Association (now known as TruSecure/ ICSA Labs). During her tenure as the NCSA award-winning Webmaster, she realized that Web servers often created security holes in networks and became an outspoken advocate of systems’ security. Later, while developing secure networks for the Air Force in Florida, her work captured the attention of the U.S. intelligence agencies. Chey moved to Virginia and began working for the government as the senior technical security advisor on highly classified projects. Ultimately, she went on to manage the security program at an overseas site. Chey is now semi-retired and writes books and articles on computer security and is a frequent speaker at security conferences.

Stephen Cobb,CISSP (e-mail:scobb@cobb.com) has been helping companies, gov-ernments, and individuals to secure their computer-based information for more than 15 years. A best-selling author of over 20 computer books, Cobb has presented secu-rity seminars and chaired secusecu-rity conferences in Europe, Asia, and America. He is now Senior V.P. of Research & Education for ePrivacy Group, a Philadelphia-based pri-vacy consulting, training and technology company. He served for two years as Direc-tor of Special Projects for the National Computer Security Association, launching its award-winning Web site and the Firewall Product Developers’ Consortium. He left NCSA to become a founding partner of InfoSec Labs, Inc., which was acquired by Rainbow Technologies in 1999. Frequently quoted by the media as a security expert in the United States, Europe, and Asia, Cobb has published in a wide range of publi-cations. His recent writings can be found on his Web site at www.cobb.com.

(11)

He holds a Master’s degree in Management Information Systems and undergraduate degrees and certificates in data processing and systems management.

Seth Finkelstein (e-mail: sethf@sethf.com) is a professional programmer with degrees in Mathematics and in Physics from MIT. He cofounded the Censorware Project, an anti-censorware advocacy group. In 1998, his efforts evaluating the sites blocked by the library’s Internet policy in Loudoun County, VA, helped the American Civil Liberties Union win a federal lawsuit challenging the policy. In 2001, he received a Pioneer of the Electronic Frontier Award from the Electronic Frontier Foundation for his groundbreaking work in analyzing content-blocking software.

Robert Gezelter, CDP (e-mail: gezelter@rlgsc.com) has over 27 years of experi-ence in computing, starting with programming scientific/technical problems. Shortly thereafter, his focus shifted to operating systems, networks, security, and related mat-ters. He has more than 26 years of experience in systems architecture, programming, and management. He has worked extensively in systems architecture, security, inter-nals, and networks, ranging from high-level strategic issues to the low-level specifi-cation, design, and implementation of device protocols and embedded firmware. He is the author of numerous published articles, which have appeared in Hardcopy, Com-puter Purchasing Update, Network Computing, Open Systems Today, Digital Systems Journal,andNetwork World. He is a frequent presenter of conference sessions on oper-ating systems, languages, security, networks, and related topics at local, regional, national, and international conferences; speaking for DECUS, Encompass, IEEE, ISSA, ISACA, and others. He previously authored the “Internet Security” chapters of “The Computer Security Handbook, 3rd Edition” (1995) and its supplement (1997).

Anup K. Ghosh, Ph.D. (e-mail: anup.ghosh@computer.org) is Vice President of Research at Cigital, Inc., and an expert in e-commerce security. He is the author of E-Commerce Security: Weak Links, Best Defenses(Wiley, 1998), a definitive guide to e-commerce security, and Security and Privacy for E-Business(John Wiley & Sons, 2001). His areas of research expertise include intrusion detection, mobile code secu-rity, software security certification, malicious software detection/tolerance, assessing the robustness of Win32 COTS software, and software vulnerability analysis. He has served as principal investigator on grants from DARPA, NSA, AFRL, and NIST’s Advanced Technology Program and has consulted with Fortune 50 companies to assess the security of e-commerce systems. He has written more than 40 peer-reviewed tech-nical publications, is a regular contributor to popular trade publications, and has been interviewed about Internet credit card fraud on CNBC Business News. He recently received an IEEE Third Millennium Medal for Outstanding Contributions to E-Com-merce Security. In February 2001, the District of Columbia Council of Engineering and Architectural Societies (DCCEAS) named Ghosh “Young Engineer of the Year.” He holds a B.S. in Electrical Engineering from Worcester Polytechnic Institute and a M.S. and Ph.D. in Electrical Engineering from the University of Virginia.

Carl Hallberg(e-mail:carl_hallberg@yahoo.com) has been a *nix systems admin-istrator for years, as well as an information security consultant. He has also written training courses for subjects including firewalls, VPNs, and home network security. He has a Bachelor’s degree in Psychology.

xii ABOUT THE CONTRIBUTORS

TE

AM

FL

Y

(12)

David Harley(e-mail:david.harley@nhsia.nhs.uk) is a senior manager in the United Kingdom’s National Health Service Information Authority, where he is responsible for threat assessment, security alert/advisory, and incident report tracking services. He also coordinates virus incident management within the National Health Service. His affiliations include AVIEN, AVAR, EICAR, and Team Anti-Virus. He works with TruSecure and the WildList Organization on Macintosh security issues. He is coauthor of Viruses Revealed (Osborne), and has contributed chapters to Maximum Security (SAMS) and Robert Vibert’s Enterprise Anti-Virus Book,and articles to Virus Bulletin and other security industry periodicals. He has presented at Virus Bulletin, SANS, and EICAR conferences.

Benjamin Hayes(e-mail:bhayes@kl.com) is an attorney with Kirkpatrick & Lock-hart, a national U.S. law firm. His practice centers on legal issues related to privacy, including state, federal, international, and transnational regulatory compliance, the development of codes of practice, and compliance with self-regulatory programs. He has advised multinational, high-technology, and traditional business clients in these matters and is the author of numerous articles on the law of privacy. He is the current Vice-Chair of the ABA Cyberspace Law Committee’s Electronic Privacy Subcom-mittee. He is a graduate of the Ohio State University College of Law and the Univer-sity of Vermont.

Robert Heverly (e-mail: techlaw@capturedgraphics.com) is an attorney and has been practicing law in New York state since 1993. From 1992 to 2001, he was at the Government Law Center of Albany Law School, most recently as assistant director. While at the Center, he focused on the law and policy of technology, telecommunica-tions, and the Internet, among other areas related to government and public adminis-tration. In August 2001, he returned to his studies, becoming a graduate fellow at Yale Law School, where his research focuses primarily on information technology and telecommunications. He is an honors graduate of Albany Law School and the State University of New York College at Oswego and anticipates receiving his LL.M. (Master of Laws) from Yale Law School in May 2002.

John D. Howard (e-mail:johnhoward@earthlink.net) is a former Air Force engineer and test pilot who currently works in the Security and Networking Research Group at the Sandia National Laboratories, Livermore, CA. His projects include development of the SecureLink software for automatic encryption of network connections. He has extensive experience in systems development, including an aircraft ground collision avoidance systems for which he holds a patent. He is a graduate of the Air Force Academy, has Master’s degrees in both Aeronautical Engineering and Political Science, and has a Ph.D. in Engineering and Public Policy from Carnegie Mellon University.

(13)

CUNY on curriculum and on data processing management. He also served on the mayor’s technical advisory panel for the City of New York. Hutt was active in devel-opment of national and international technical standards, via ANSI and ISO, for the banking industry. He was senior editor and contributing author to the Third Edition of theComputer Security Handbook.

Robert V. Jacobson,CPP, CISSP (e-mail:jacobson@ist-usa.com) is the president of International Security Technology, Inc., a New York City-based risk management consulting firm. Jacobson founded IST in 1978 to develop and apply superior risk man-agement systems. Current and past government and industry clients are located in the United States, Europe, Africa, Asia, and the Middle East. Jacobson pioneered many of the basic computer security concepts now in general use. He served as the first Infor-mation System Security Officer at Chemical Bank, now known as J P Morgan Chase. He is a frequent lecturer and has written numerous technical articles. Mr. Jacobson holds B.S. and M.S. degrees from Yale University, and is a Certified Information Sys-tems Security Professional (CISSP). He is also a Certified Protection Professional (CPP) of the American Society for Industrial Security. He is a member of the National Fire Protection Association (NFPA) and the Information Systems Security Association (ISSA). In 1991, he received the Fitzgerald Memorial Award for Excellence in Secu-rity from the New York Chapter of the ISSA. He developed the Cost-of-Risk Analysis (CORA) program, a risk management decision support system available online at www.ist-usa.com.

Henry L. Judy(e-mail:hjudy@kl.com) is of counsel to Kirkpatrick & Lockhart, a national U.S. law firm. He advises clients on a wide range of corporate and financial law matters, as well as federal and state securities, legislative, and regulatory matters, with a particular emphasis on financial institutions, housing finance and technology law. He is recognized for his work on the jurisdiction and dispute resolution issues of electronic commerce. He is a graduate of Georgetown University (J.D. and A.B.)

David M. Kennedy,CISSP (e-mail:david.kennedy@acm.org) is TruSecure Corpora-tion’s Chief of Research. He directs the Research Group to provide expert services to TruSecure Corporation members, clients, and staff. He supervises the Information Security Reconnaissance team (IS/R) who collect security-relevant information, both above and underground in TruSecure Corporation’s IS/R data collection. IS/R pro-vides biweekly and special topic reports to IS/ R subscribers. Kennedy is a retired U.S. Army Military Police officer. In his last tour of duty, he was responsible for enter-prise security of five LAN’s with Internet access and over 3,000 personal computers and workstations. He holds a B.S. in Forensic Science.

(14)

chapter (www.vtinfragard.org). He holds a B.A. in Mathematics and a M.S. in Com-puter Science. More information can be found at www.garykessler.net/.

Diane (“Dione”) E. Levine, CISSP, CFE, FBCI, CPS (e-mail: managesecurity@ hotmail.com), is President/CEO of Strategic Systems Management, Ltd., and one of the developers of the Certification for Information Systems Security Professionals. She has had a notable career in information security as both a developer and imple-menter of enterprise security systems. Levine has held a series of high-level risk man-agement and security positions in major financial institutions, spent many years as an Adjunct Professor at New York University, and is widely published in both the trade and academic press. She splits her time between security and business continuity con-sulting, writing, and teaching worldwide. She is a frequent public speaker and member of technical panels and regularly contributes articles and columns to Information Week, Information Security, Internet Week, Planet IT, ST&D, internet.comandSmart Com-puting. Levine is active in the Information Systems Security Association (ISSA), the Association of Certified Fraud Examiners (ACFE), the Business Continuity Institute (BCI), the Contingency Planning Exchange (CPE), and the Information Security Auditing and Control Association (ISACA) and has devoted many years serving on the Board of Directors of these organizations.

James Linderman, Ph.D. (e-mail:jlinderman@aol.com) is an Associate Professor in the Computer Information Systems department at Bentley College, Waltham, Massachusetts. He is a Research Fellow at Bentley’s Center for Business Ethics, and past Vice-Chair of the Faculty Senate. A resident of Fitzwilliam, NH, Linderman is a Permanent Deacon in the Roman Catholic Diocese of Worcester, Massachusetts, and a consultant in the area of computer-assisted academic scheduling and timetable construction.

Pascal Meunier,Ph.D. (e-mail:pmeunier@cerias.purdue.edu) obtained his Ph.D. in Biophysics in 1990. After taking computer classes at Purdue, where he enjoyed making computers sing passwords, he joined the Center for Education and Research in Infor-mation Assurance (CERIAS,www.cerias.purdue.edu) in 1998 as a student. He has participated on the Board of Editors of MITRE’s Common Vulnerabilities and Expo-sures (CVE) project since 1999. He obtained his M.Sc. in computer science in 2000 and became staff at CERIAS. He then created Cassandra (https://cassandra.cerias. purdue.edu) and the CERIAS Incident Response Database (https://cirdb.cerias. purdue.edu).

(15)

from the University of California and is a Certified Information Systems Security Pro-fessional (CISSP).

Mike Money,CISSP, CISA (e-mail:mmoney@redsiren.com) is a senior consultant with RedSiren Technologies. He has 20 years of experience in information security, risk management, and information systems auditing. He specializes in information systems strategy and policies, information security assessments, security awareness and education, work process optimization, application security, operating system secu-rity, investigations, risk management, privacy legislation, and network security. His clients have included the Federal Reserve System, Providian Financial, the New York Mercantile Exchange, Boeing, and Bank of America. His technical experience spans firewalls, NT servers, SAP R/3, SecurID, and remote access; and UNIX, AS/400, and ACF-2 for mainframes. Before joining RedSiren, he was manager of Information Secu-rity for Union Carbide Corporation, where he was responsible for developing infor-mation security strategy, architecture, and policy, including the implementation of SAP R/3. He holds an undergraduate degree from Fairfield University in Connecticut and an MBA from the University of Houston. He is a Certified Information Systems Security Professional (CISSP) and Certified Information Systems Auditor (CISA).

Scott J. Nathan(e-mail:snathan@mindspring.com) is affiliated with Gadsby Hannah LLP and an officer of Autolynx, Inc., a supply chain company in the automobile indus-try. He has focused his legal work in the areas of risk management, especially service and license agreements, insurance coverage, intellectual property and analysis of busi-ness risk for Web-based enterprises.

Louis Numkin(e-mail:LMN@nrc.gov) is a Senior Computer Security Specialist in the Office of the Chief Information Officer at the U.S. Nuclear Regulatory Commis-sion. His duties relate to computer security awareness/training, anti-virus activities, classified inspections of nuclear plants, disaster recovery planning, computer security plan review and approval, risk assessments, wireless security policy, and the like. Before joining the NRC, he performed computer security for the General Services Adminis-tration (GSA) on the FTS2000. He is a retired Army Sergeant Major with 26 years of service in several fields, including ADP and JAG. His Bachelor of Science Degree is in Business Administration and his Masters Degree is in Technology of Management (majoring in Management Information Systems and Computer Systems), both from the American University. Outside of the office, Numkin volunteers his time as an out-reach speaker to provide computer security sessions for schools (elementary through high school), senior citizen centers, and local social organizations, especially dealing in the area of Computer Ethics. He has also been invited to provide awareness presen-tations at other Government agencies and various conferences. He has served several years on the Steering Committee of the Federal Computer Security Program Managers’ Forum and on the Executive Board of the Federal Information Systems Security Edu-cators’ Association (FISSEA). Louis Numkin edits the FISSEA Newsletterand was presented with the coveted FISSEA “Educator of the Year” Award for 1998.

(16)

Parisi was in private practice, principally as legal counsel to Lloyds of London. He graduated cum laude from Fordham College and received his law degree from Fordham University School of Law. He is admitted to practice in New York and the U.S. Dis-trict Courts for the Eastern and Southern DisDis-tricts of NY. Mr. Parisi has spoken before various business, technology, legal, and insurance forums throughout the world, as well as writing, on issues effecting intellectual property, the Internet, e-commerce, and insurance.

Donn B. Parker,CISSP, Fellow of the Association for Computing Machinery (e-mail: donnlorna@aol.com) is a retired (1997) senior management consultant at RedSiren Technologies in Menlo Park, CA, who has specialized in information security and computer crime research for 35 of his 50 years in the computer field. He has written numerous books, papers, articles, and reports in his specialty based on interviews with over 200 computer criminals and reviews of the security of many large corporations. He received the 1992 Award for Outstanding Individual Achievement from the Infor-mation Systems Security Association, the 1994 National Computer System Security Award from the U.S. NIST/NCSC, the Aerospace Computer Security Associates 1994 Distinguished Lecturer award, and The MIS Training Institute Infosecurity News 1996 Lifetime Achievement Award. Information Security Magazineidentified him as one of the five top Infosecurity Pioneers (1998).

Franklin N. Platt (e-mail:fplatt@ncia.net) is president of Office Planning Services, a Wall Street consultancy for 20 years that has been headquartered in Stark, NH, since 1990. His academic background includes business administration, management, and electrical engineering. His company provides security planning services and emergency management assistance nationwide to protect people, property, and profit. Its services include site evaluation and risk analysis, second opinion, due diligence, exercises, and training. Platt is also a sworn public official and an active Emergency Manage-ment Director vetted by the State of New Hampshire and the FBI. He is professionally accredited by the State and by FEMA, and has received extensive government train-ing in emergency management, terrorism, weapons of mass destruction, and workplace violence-training mostly unavailable to the public. He can be reached by phone at 603 449 2211.

N. Todd Pritsky (e-mail:todd@hill.com) is the Director of E-learning Courseware at Hill Associates, a telecommunications training company in Colchester, VT (www.hill.com). He is a Senior Member of Technical Staff and an instructor of online, lecture, and hands-on classes. His teaching and writing specialties include e-commerce, network security, TCP/IP, and the Internet, and he also leads courses on fast packet and network access technologies. He enjoys writing articles on network security and is a contributing author of Telecommunications: A Beginner’s Guide(McGraw-Hill/ Osborne). Previously, he managed a computer center and created multimedia training programs. He holds a BA in Philosophy and Russian/Soviet Studies from Colby College.

(17)

Law and served as a Rapporteur to the United Nations on the legal aspects of interna-tional electronic commerce. His practice emphasizes assisting multinainterna-tional corpora-tions with privacy, security and compliance implementation efforts.

K Rudolph, CISSP (e-mail: kaie@nativeintelligence.com), is President and Chief Inspiration Officer of Native Intelligence, Inc. (www.NativeIntelligence.com), a Maryland-based consulting firm focused on providing creative and practical informa-tion security awareness soluinforma-tions. K develops entertaining web-based security aware-ness courses and posters based on principles of learning. She frequently speaks on security-related topics. K has more than 15 years of experience in information tech-nology security covering a wide range of technologies and systems. Her experience includes performing system security reviews and assisting in systems designs in mil-itary and civilian environments. K now focuses on the most effective, proven IT secu-rity countermeasure: people. An aware, well-trained staff is frequently the best control to prevent, identify, and respond to potential security incidents. Thus, she now dedi-cates her talent and experience to developing effective awareness and training courses, materials, and presentations.

Ravi Sandhu (e-mail: sandhu@ise.gmu.edu) is Co-Founder and Chief Scientist of SingleSignOn.Net in Reston, VA, and Professor of Information Technology and Engi-neering at George Mason University in Fairfax, Virginia. An ACM and an IEEE Fellow, he is the founding editor-in-chief of ACM’s Transactions on Information and System Security,Chairman of ACM’s Special Interest Group on Security, Audit and Control, and security editor for IEEE Internet Computing. Sandhu has published over 140 tech-nical papers on information security. He is a popular teacher and has lectured all over the world. He has provided high-level consulting services to numerous private and government organizations.

William Stallings,Ph.D. (e-mail:ws@shore.net) is a consultant, lecturer, and author of over a dozen professional reference books and textbooks on data communications and computer networking. His clients have included major corporations and govern-ment agencies in the United States and Europe. He has received four awards for the Best Computer Science Textbook of the Year from the Text and Academic Authors Association. He has designed and implemented both TCP/IP-based and OSI-based protocol suites on a variety of computers and operating systems, ranging from micro-computers to mainframes. Stallings created and maintains the Computer Science Stu-dent Resource Site at http:// WilliamStallings.com/StuStu-dentSupport.html.

(18)

products. He now lives in Atlanta, GA, with his wife, four grown biological children, six adopted children, and three poodles and plays guitar in his spare time.

Lee Tien (e-mail:tien@eff.org) is a senior staff attorney with the Electronic Frontier Foundation in San Francisco, California. He specializes in free speech and surveil-lance law and has authored several law review articles. He received his undergraduate degree in psychology from Stanford University and his law degree from Boalt Hall School of Law, UC-Berkeley. He is also a former newspaper reporter.

Peter Tippett,MD, Ph.D. (e-mail:ptippett@trusecure.com) is the CTO of TruSecure Corporation, the Chief Scientist at ICSA Labs, and the Executive Publisher of Informa-tion Security Magazine. He specializes in utilizing large-scale risk models and research to create pragmatic, corporate-wide security. Tippett studied under two different Nobel Prize laureates at Rockefeller University and has both an M.D. and a Ph.D. from Case Western Reserve University. He is widely credited with creating the first commercial anti-virus product, which later became the Norton Anti-virus. Tippett was awarded the Ernst & Young Entrepreneur of the Year in 1998 and led TruSecure/ICSA Labs to the Inc 500 list. He has spoken on all major television and radio networks and has briefed and consulted with Congress, the Senate, the Joint Chiefs of Staff, and numer-ous large and medium organizations and governments on practical approaches to com-puter security.

Myles Walsh (e-mail: mwalsh@orion.ramapo.edu) is an adjunct professor at three colleges in New Jersey: Ramapo College, County College of Morris, and Passaic County Community. For the past 12 years, he has taught courses in Microsoft Office and Web Page Design. He also implements small Office applications and Web sites. From 1966 until 1989, he worked his way from programmer to director in several positions at CBS, CBS Records, and CBS News. His formal education includes an M.B.A. from the Baruch School of Business and a B.B.A. from St. John’s University.

Gale Warshawsky(e-mail: msgale50@yahoo.com) worked at Lawrence Livermore National Laboratory (LLNL), and Visa International. She coordinated and managed the Information Security Awareness, Education, and Training programs. She was the recipient of the ISSA Individual Achievement Award in 1994 and was FISSEA’s Secu-rity Educator of the Year in 1995. She earned her M.S. in Information Systems from Golden Gate University. After moving to Hawaii, she served as the Director of InfoSec Services Hawaii, a division of Computer-Aided Technologies International, Inc. (CATI). Ms. Warshawsky is currently an adjunct professor at Chaminade University of Honolulu, teaching M.B.A. candidates a Management Information Systems course. She is currently pursuing a M.Ed. in elementary education.

(19)

law enforcement. He has conducted numerous training courses to law enforcement and private industry on computer crime/forensics, interview/interrogation, and insider crime and has been interviewed numerous times by national news media, including CNN, NBC,and ABC. Wright recently lectured at the Police College in Abu Dhabi, United Arab Emirates, on forensic investigation methods, tools, and insider crime. He holds Bachelor degrees in both Human Resource Management and Computer Infor-mation Systems.

Noel K. Zakin (e-mail: ranco212@aol.com) is President of RANCO Consulting LLC. He has been an Information Technology/Telecommunications industry executive for over 45 years. He has held managerial positions at the Gartner Group, AT&T, the American Institute of CPAs, and Unisys. These positions involved strategic planning, market research, competitive analysis, business analysis, and education and training. His consulting assignments have ranged from the Fortune 500 to small start-ups and involved data security, strategic planning, conference management, market research, and management of corporate operations. He has been active with ACM, IFIP, and AFIPS and currently with ISSA. He holds an M.B.A. from the Wharton School.

William Zucker (e-mail:wzucker@ghlaw.com) is a partner at Gadsby Hannah, LLP, located in Boston, MA; a senior consultant for the Cutter Consortium; and a member of the American Arbitration Association’s National Technology Panel. He has coun-seled clients concerning outsourcing, licensing, trademarks, technology transfers, asset transfers, and intellectual property matters, bringing more than 25 years of experi-ence to the task. He has authored or coauthored a number of publications, including IT Litigation StrategiesandOutsourcing Do’s and Don’tsfor the Cutter Consortium. Zucker is a graduate of Yale University and Harvard Law School. He can be reached at 617 345 7016.

(20)

PART TWO THREATS AND VULNERABILITIES

6. The Psychology of Computer Criminals Quinn Campbell and David M. Kennedy

7. Information Warfare Seymour Bosworth

8. Penetrating Computer Systems and Networks Chey Cobb, Stephen Cobb, and M.E. Kabay

9. Malicious Code Roger Thompson

10. Mobile Code Robert Gezelter

11. Denial of Service Attacks

Diane E. Levine and Gary C. Kessler

12. The Legal Framework for Protecting Intellectual Property in the Field of Computing and Computer Software

William A. Zucker and Scott J. Nathan

(21)

13. E-Commerce Vulnerabilities Anup K. Ghosh

14. Physical Threats to the Information Infrastructure Franklin N. Platt

PART THREE PREVENTION: TECHNICAL DEFENSES

15. Protecting the Information Infrastructure Franklin N. Platt

16. Identification and Authentication Ravi Sandhu

17. Operating System Security William Stallings

18. Local Area Networks

Gary C. Kessler and N. Todd Pritsky

19. E-Commerce Safeguards

Jeffrey B. Ritter and Michael Money

20. Firewalls and Proxy Servers David Brussin

21. Protecting Internet-Visible Systems Robert Gezelter

22. Protecting Web Sites Robert Gezelter

23. Public Key Infrastructures and Certificate Authorities Santosh Chokhani

24. Antivirus Technology Chey Cobb

25. Software Development and Quality Assurance Diane E. Levine

26. Piracy and Antipiracy Techniques Diane E. Levine

PART FOUR PREVENTION: HUMAN FACTORS

27. Standards for Security Products Paul Brusil and Noel Zakin xxii CONTENTS

TE

AM

FL

Y

(22)

28. Security Policy Guidelines M.E. Kabay

29. Security Awareness

K Rudolph, Gale Warshawsky, and Louis Numkin

30. Ethical Decision Making and High Technology James Landon Linderman

31. Employment Practices and Policies M.E. Kabay

32. Operations Security and Production Controls Myles E. Walsh and M.E. Kabay

33. E-Mail and Internet Use Policies M.E. Kabay

34. Working with Law Enforcement Morgan Wright

35. Using Social Psychology to Implement Security Policies M.E. Kabay

36. Auditing Computer Security Diane E. Levine

PART FIVE DETECTION

37. Vulnerability Assessment and Intrusion Detection Systems Rebecca Gurley Bace

38. Monitoring and Control Systems Diane E. Levine

39. Application Controls Myles Walsh

PART SIX REMEDIATION

40. Computer Emergency Quick-Response Teams Bernard Cowens and Michael Miora

41. Data Backups and Archives M.E. Kabay

42. Business Continuity Planning Michael Miora

(23)

43. Disaster Recovery Michael Miora

44. Insurance Relief Robert A. Parisi, Jr.

PART SEVEN MANAGEMENT’S ROLE

45. Management Responsibilities and Liabilities Carl Hallberg, Arthur E. Hutt, and M.E. Kabay

46. Developing Security Policies M.E. Kabay

47. Risk Assessment and Risk Management Robert V. Jacobson

48. Y2K: Lessons Learned for Computer Security Timothy Braithwaite

PART EIGHT OTHER CONSIDERATIONS

49. Medical Records Security Paul J. Brusil and David Harley

50. Using Encryption Internationally Diane E. Levine

51. Censorship and Content Filtering Lee Tien and Seth Finkelstein

52. Privacy in Cyberspace

Benjamin S. Hayes, Henry L. Judy, and Jeffrey B. Ritter

53. Anonymity and Identity in Cyberspace M.E. Kabay

54. The Future of Information Security Peter Tippett

INDEX

Appendices and Tutorials for this Handbookare online at www.wiley.com/go/securityhandbook.

(24)

PART ONE

FOUNDATIONS OF

COMPUTER SECURITY

CHAPTER 1

Brief History and Mission of Information System Security

CHAPTER 2

Cyberspace Law and Computer Forensics

CHAPTER 3

Using a “Common Language” for Computer Security

Incident Information

CHAPTER 4

Studies and Surveys of Computer Crime

CHAPTER 5

(25)

(26)

CHAPTER

1

BRIEF HISTORY AND MISSION OF

INFORMATION SYSTEM SECURITY

Seymour Bosworth and Robert V. Jacobson

CONTENTS

1.1 INTRODUCTION TO INFORMATION SYSTEM SECURITY. The growth of

computers and of information technology has been explosive. Never before has an entirely new technology been propagated around the world with such speed and with so great a penetration of virtually every human activity. Computers have brought vast benefits to fields as diverse as human genome studies, space exploration, artificial intel-ligence, and a host of applications from the trivial to the most life-enhancing.

Unfortunately, there is also a dark side to computers: They are used to design and build weapons of mass destruction as well as military aircraft, nuclear submarines, and reconnaissance space stations. The computer’s role in formulating biologic and chem-ical weapons, and in simulating their deployment, is one of its least auspicious uses. 1.1 INTRODUCTION

TO INFORMATION SYSTEM

SECURITY 1.1

1.2 EVOLUTION OF

INFORMATION SYSTEMS 1.3 1.2.1 1950s: Punched Card

Systems 1.3

1.2.2 Large-Scale Computers 1.4 1.2.3 Medium-Size

Computers 1.5

1.2.4 1960s: Small-Scale

Computers 1.6

1.2.5 Transistors and Core

Memory 1.6

1.2.6 Time Sharing 1.7 1.2.7 Real-Time, Online

Systems 1.7

1.2.8 A Family of Computers 1.7 1.2.9 1970s: Microprocessors,

Networks, and Worms 1.8

1.2.10 The First Personal

Computers 1.8

1.2.11 The First Network 1.8 1.2.12 Further Security

Considerations 1.8 1.2.13 The First “Worm” 1.9 1.2.14 1980s: Productivity

Enhancements 1.9 1.2.15 The Personal Computer 1.9 1.2.16 Local Area Networks 1.10 1.2.17 1990s: Total

Interconnection 1.11 1.2.18 Telecommuting 1.11 1.2.19 Internet and the

World Wide Web 1.12

1.3 ONGOING MISSION FOR INFORMATION SYSTEM

SECURITY 1.12

1.4 NOTES 1.13

(27)

Of somewhat lesser concern, computers used in financial applications, such as facil-itating the purchase and sales of everything from matchsticks to mansions, and trans-ferring trillions of dollars each day in electronic funds, are irresistible to miscreants; many of them see these activities as open invitations to fraud and theft. Computer sys-tems, and their interconnecting networks, are also prey to vandals, malicious egotists, terrorists, and an array of individuals, groups, companies, and governments intent on using them to further their own ends, with total disregard for the effects on innocent victims. Besides these intentional attacks on computer systems, there are innumerable ways in which inadvertent errors can damage or destroy a computer’s ability to per-form its intended functions.

Because of these security problems, as well as a great many others described in this volume, the growth of information systems security has paralleled that of the com-puter field itself. Only by a detailed study of the potential problems, and implemen-tation of the suggested solutions, can computers be expected to fulfill their promise, with few of the security lapses that plague less adequately protected systems. This chapter defines a few of the most important terms of information security and includes a very brief history of computers and information systems, as a prelude to the works that follow.

Securitycan be defined as the state of being free from danger and not exposed to damage from accidents or attack, or it can be defined as the process for achieving that desirable state. The objective of information system security1is to optimize the per-formance of an organization with respect to the risks to which it is exposed.

Riskis defined as the chance of injury, damage, or loss. Thus, risk has two elements: (1) chance — an element of uncertainty, and (2) loss or damage. Except for the possi-bility of restitution, information system security (ISS) actions taken today work to reducefuturerisk losses. Because of the uncertainty about future risk losses, perfect security, which implies zero losses, would be infinitely expensive. For this reason, ISS risk managers strive to optimize the allocation of resources by minimizing the total cost of ISS measures taken and the risk losses experienced. This optimization process is commonly referred to as risk management.

Risk managementin this sense is a three-part process:

1. Identification of material risks,

2. Selection and implementation of measures to mitigate the risks, and

3. Tracking and evaluating of risk losses experienced, in order to validate the first two parts of the process

The purpose of this Handbookis to describe ISS risks, the measures available to mitigate these risks, and techniques for managing security risks. (For a more detailed discussion of risk assessment and management, see Chapters 47 and 54.)

(28)

assets. Security risks are among the threats to corporate assets that directors have an obligation to address.

Double-entry bookkeeping, another Renaissance invention, proved to be an excel-lent tool for measuring and controlling corporate assets. One objective was to make insider fraud more difficult to conceal. The concept of separation of duties emerged, calling for the use of processing procedures that required more than one person to com-plete a transaction. As the books of account became increasingly important, account-ing standards were developed, and they continue to evolve to this day. These standards served to make books of account comparable and to assure outsiders that an organiza-tion’s books of account presented an accurate picture of its condition and assets. These developments led, in turn, to the requirement that an outside auditor perform an inde-pendent review of the books of account and operating procedures.

The transition to automated accounting systems introduced additional security requirements. Some early safeguards, such as the rule against erasures or changes in the books of account, no longer applied. Some computerized accounting systems lacked an audit trail, and others could have the audit trail subverted as easily as actual entries.

Finally, with the advent of the Information Age, intellectual property has become an increasingly important part of corporate and governmental assets. At the same time that intellectual property has grown in importance, threats to intellectual property have become more dangerous, because of Information System (IS) technology itself. When sensitive information was stored on paper and other tangible documents, and rapid copying was limited to photography, protection was relatively straightforward. Nev-ertheless, document control systems, information classification procedures, and need-to-know access controls were not foolproof, and information compromises occurred with dismaying regularity. Evolution of IS technology has made information access control several orders of magnitude more complex. The evolution and, more impor-tant the implementation, of control techniques have not kept pace.

The balance of this chapter describes how the evolution of information systems has caused a parallel evolution of Information System Security and at the same time has increased the importance of anticipating the impact of technical changes yet to come. This overview will clarify the factors leading to today’s Information System Security risk environment and mitigation techniques and will serve as a warning to remain alert to the implication of technical innovations as they appear. The remaining chapters of thisHandbookdiscuss ISS risks, threats, and vulnerabilities, their prevention and reme-diation, and many related topics in considerable detail.

1.2 EVOLUTION OF INFORMATION SYSTEMS. The first electromechanical

punched card system for data processing, developed by Herman Hollerith at the end of the nineteenth century, was used to tabulate and total census field reports for the U.S. Bureau of the Census in 1890. The first digital, stored-program computers devel-oped in the 1940s were used for military purposes, primarily cryptanalysis and the cal-culation and printing of artillery firing tables. At the same time, punched card systems were already being used for accounting applications and were an obvious choice for data input to the new electronic computing machines.

(29)

persons were permitted near the equipment. Although any of these individuals could have set up the equipment for fraudulent use, or even engaged in sabotage, apparently few, if any, actually did so.

The punched card accounting systems typically used four processing steps. As a preliminary, operators would be given a “batch” of documents, typically with an adding machine tape showing one or more “control totals.” The operator keyed the data on each document into a punched card and then added an extra card, the batch control card, which stored the batch totals. Each card consisted of 80 columns, each containing, at most, one character. A complete record of an inventory item, for example, would be contained on a single card. The card was called a unit record, and the machines that processed the cards were called either unit record or punched card machines. It was from the necessity to squeeze as much data as possible into an 80-character card that the later Y2K problem arose. Compressing the year into two characters was a univer-sally used space-saving measure; its consequences 40 years later were not foreseen. A group of punched cards, also called a “batch,” were commonly held in a metal tray, Sometimes a batch would be rekeyed by a second operator, using a “verify-mode” rather than actually punching new holes in the cards, in order to detect keypunch errors before processing the card deck. Each batch of cards would be processed separately, so the processes were referred to as “batch jobs.”

The first step would be to run the batch of cards through a simple program, which would calculate the control totals and compare them with the totals on the batch control card. If the batch totals did not reconcile, the batch was sent back to the key-punch area for rekeying. If the totals reconciled, the deck would be sort-merged with other batches of the same transaction type, for example, the current payroll. When this step was complete, the new batch consisted of a punched card for each employee in employee-number order. The payroll program accepted this input data card deck and processed the cards one by one. Each card was matched up with the corresponding employee’s card in the payroll master deck to calculate the current net pay and item-ized deductions and to punch a new payroll master card including year-to-date totals. The final step was to use the card decks to print payroll checks and management reports. These steps were identical with those used by early, small-scale, electronic computers. The only difference was in the speed at which the actual calculations were made. A complete process was still known as a batch job.

With this process, the potential for abuse was great. The machine operator could con-trol every step of the operation. Although the data were punched into cards and verified by others, there was always a keypunch machine close at hand for use by the machine operator. Theoretically, that person could punch a new payroll card, and a new batch total card to match the change, before printing checks, and again afterward. The low incidence of reported exploits was due to the controls that discouraged such abuse and possibly to the pride that machine operators experienced in their jobs.

1.2.2 Large-Scale Computers. While these electromechanical punched card machines were sold in large numbers, research laboratories and universities were work-ing to design large-scale computers that would have a revolutionary effect on the entire field. These computers, built around vacuum tubes, are known as the first generation. In March 1951, the first Universal Automatic Computer (UNIVAC) was accepted by the U.S. Census Bureau. Until then, every computer had been a one-off design, but UNIVAC was the first large-scale, mass-produced computer, with a total of 46 built. The word “universal” in its name indicated that UNIVAC was also the first computer designed for both scientific and business applications.3

(30)

UNIVAC contained 5,200 vacuum tubes, weighed 29,000 pounds, and consumed 125 kilowatts of electrical power. It dispensed with punched cards, receiving input from half-inch-wide metal tape recorded from keyboards, with output either to a sim-ilar tape or to a printer. Although not a model for future designs, its memory consisted of 1,000 72-bit words and was fabricated as a mercury delay line. Housed in a cabinet about six feet tall, two feet wide, and two feet deep was a mercury-filled coil running from top to bottom. A transducer at the top propagated slow-moving waves of energy down the coil to a receiving transducer at the bottom. There it was reconverted into electrical energy and passed on to the appropriate circuit, or recirculated if longer stor-age was required.

In 1956, IBM introduced the RAMAC (Random Access Method of Accounting and Control) magnetic disk system. It consisted of 50 magnetically coated metal disks, each 24 inches in diameter, and mounted on a common spindle. Under servo control, two coupled read/write heads moved to span each side of the required disk and then inward to any one of 100 tracks. In one revolution of the disks, any or all of the infor-mation on those two tracks could be read out, or recorded. The entire system was almost the size of a compact car and held what, for that time, was a tremendous amount of data — 5 megabytes. The cost was $10,000 per megabyte, or $35,000 per year to lease. This compares with today’s magnetic hard drives that measure about 31⁄2inches wide by 1 inch high, store as much as 80,000 megabytes, and cost less than $300.4

These massive computers were housed in large, climate-controlled rooms. Within the room, a few knowledgeable experts, looking highly professional in their white lab-oratory coats, attended to the operation and maintenance of their million-dollar charges. The concept of a “user” as someone outside the computer room who could interact directly with the actual machine did not exist.

Service interruptions, software errors, and hardware errors were usually not crit-ical. If any of these caused a program to fail or abort, beginning again was a relatively simple matter. Consequently, the primary security concerns were physical protection of the scarce and expensive hardware, and measures to increase their reliability. Another issue, then as now, was human fallibility. Because the earliest computers were programmed in extremely difficult machine languages, consisting solely of ones (1s) and zeros (0s), the incidence of human error was high, and the time to correct errors was excessively long. Only later were assembler and compiler languages developed to increase the number of people able to program the machines and to reduce the incidence of errors and the time to correct them.

Information system security for large-scale computers was not a significant issue then for two reasons. First, only a few programming experts were able to utilize and manipulate computers. Second, there were very few computers in use, each of which was extremely valuable, important to its owners, and consequently, closely guarded.

(31)

data processing (EDP) people within the computer room, could interact directly with the system. These systems had very simple operating systems and did not use multi-processing; they could run only one program at a time.

The IBM Model 650, as an example introduced in 1954, measured about 5 feet by 3 feet by 6 feet and weighed almost 2,000 pounds. Its power supply was mounted in a similarly sized cabinet, weighing almost 3,000 pounds. It had 2,000 (10-digit) words of magnetic drum primary memory, with a total price of $500,000 or a rental fee of $3,200 per month. For an additional $1,500 per month, a much faster core memory, of 60 words, could be added. Input and output both utilized read/write punch card machines.6The typical 1950s IS hardware was installed in a separate room, often with a viewing window so that visitors could admire the computer. In an early attempt at security, visitors actually within the computer room were often greeted by a printed sign saying:

Achtung! Alles Lookenspeepers!

Das computermachine ist nicht fur gefingerpoken und mittengrabben.

Ist easy schnappen der springenwerk, blowenfusen, und poppencorken mit spitzensparken. Ist nicht fur gewerken bei das dumbkopfen.

Das rubbernecken sightseeren keepen hans in das pockets muss . . . : Relaxen und watch das blinkenlichten.7

Since there were still no online users, there were no user IDs and passwords. Pro-grams processed batches of data, run at a regularly scheduled time — once a day, once a week, and so on, depending on the function. If the data for a program were not avail-able at the scheduled run time, the operators might run some other job instead and wait for the missing data. As the printed output reports became available, they were delivered by hand to their end users (e.g., the accounting department, payroll clerks, etc.). End users did not expect to get a continuous flow of data from the information processing system, and delays of even a day or more were not significant, except per-haps with paycheck production.

Information System Security was hardly thought of as such. The focus was on batch controls for individual programs, physical access controls, and maintaining a proper environment for the reliable operation of the hardware.

1.2.4 1960s: Small-Scale Computers. During the 1960s, with the introduction of small-scale computers, dumb8 terminals provided users with a keyboard to send a character stream to the computer and a video screen that could display characters transmitted to it by the computer. Initially, these terminals were used to help com-puter operators control and monitor the job stream, while replacing banks of switches and indicator lights on the control console. However, it was soon recognized that these terminals could replace card readers and keypunch machines as well. Now users, iden-tified by user IDs, and authenticated with passwords, could enter input data through a CRT terminal into an edit program, which would validate the input and then store it on a hard drive until it was needed for processing. Later, it was realized that users also could directly access data stored in online master files.

1.2.5 Transistors and Core Memory. The IBM 1401, introduced in 1960, with a core memory of 4,096 characters, was the first all-transistor computer, marking the advent of the second generation. Housed in a cabinet measuring 5 feet by 3 feet, the 1䡠6 BRIEF HISTORY AND MISSION OF INFORMATION SYSTEM SECURITY

TE

AM

FL

Y

(32)

1401 required a similar cabinet to add an additional 12 kilobytes of main memory. Just one year later, the first integrated circuits were used in a computer, making pos-sible all future advances in miniaturizing small-scale computers and in reducing the size of mainframes significantly.

1.2.6 Time Sharing. In 1961, the Compatible Time Sharing System (CTSS) was developed for the IBM 7090/7094. This operating system software, and its associated hardware, was the first to provide simultaneous remote access to a group of online users through multiprogramming.9“Multiprogramming” means that more than one pro-gram can appear to execute at the same time. A master control propro-gram, usually called an operating system (OS), managed execution of the functional applications programs. For example, under the command of the operator, the OS would load and start appli-cation 1. After 50 milliseconds, the OS would interrupt the execution of appliappli-cation 1 and store its current state in memory. Then the OS would start application 2 and allow it to run for 50 milliseconds, and so on. Usually, within a second after users had entered keyboard data, the OS would give their applications a time slice to process the input. During each time slice, the computer might execute hundreds of instructions. These techniques enabled the computer to make it appear to each user as if the computer were entirely dedicated to that user’s program. This was true only so long as the number of simultaneous users was fairly small. After that, as the number grew, the response to each user slowed down.

1.2.7 Real-Time, Online Systems. Because of multiprogramming and the ability to store records online and accessible in random order, it became feasible to provide end users with direct access to data. For example, an airline reservation system stores a record of every seat on every flight for the next 12 months. A reservation clerk working at a terminal can answer a telephoned inquiry, search for an available seat on a par-ticular flight, quote the fare, sell a ticket to the caller, and reserve the seat. Similarly, a bank officer can verify an account balance and make an adjusting entry to correct an error. In both cases, each data record can be accessed and modified immediately, rather than having to wait for a batch to be run.

While this advance led to a vast increase in available computing power, it also increased greatly the potential for breaches in computer security. With more complex operating systems, with many users online to sensitive programs, and with databases and other files available to them, protection had to be provided against inadvertent error and intentional abuse.

1.2.8 A Family of Computers. In 1964, IBM announced the S/360 family of computers, ranging from very small-scale to very large-scale models.10All of the six models used integrated circuits, which marked the beginning of the third generation of computers. Where transistorized construction could permit up to 6,000 transistors per cubic foot, 30,000 integrated circuits could occupy the same volume. This low-ered the costs substantially, and companies could buy into the family at a price within their means. Because all computers in the series used the same programming language and the same peripherals, companies could upgrade easily when necessary. The 360 family quickly came to dominate the commercial and scientific markets. As these com-puters proliferated, so did the number of users, knowledgeable programmers, and tech-nicians. Over the years, techniques and processes were developed to provide a high degree of security to these mainframe systems.

(33)

The year 1964 also saw the introduction of another computer with far-reaching influence: the Digital Equipment Corp (DEC) PDP-8. The PDP-8 was the first mass-produced true minicomputer. Although its original application was in process control, the PDP-8 and its progeny quickly proved that commercial applications for minicom-puters were virtually unlimited. Because these comminicom-puters were not isolated in secure computer rooms but were distributed throughout many unguarded offices in widely dispersed locations, totally new risks arose, requiring innovative solutions.

1.2.9 1970s: Microprocessors, Networks, and Worms. The foundations of all current personal computers (PCs) were laid in 1971 when Intel introduced the 4004 computer on a chip. Measuring 1_⁄16 _{inch long by}1_⁄8 _{inch high, the 4004 contained} 2,250 transistors with a clock speed of 108 kiloHertz. The current generation of this earliest programmable microprocessor contains millions of transistors, with speeds over 1 gigaHertz, or more than 10,000 times faster. Introduction of microprocessor chips marked the fourth generation.

1.2.10 The First Personal Computers. Possibly the first personal computer was advertised in Scientific Americanin 1971. The KENBAK–1, priced at $750, had three programming registers, five addressing modes, and 256 bytes of memory. Although not many were sold, the KENBACK–1 did increase public awareness of the possibility for home computers.

It was the MITS Altair 8800, advertised as a kit on the cover of the January 1975 issue of Popular Electronics,that became the first personal computer to sell in substan-tial quantities. Like the KENBACK–1, the Altair 8800 had only 256 bytes of memory, but it was priced at $375 without keyboard, display, or secondary memory. About one year later, the Apple II, designed by Steve Jobs and Steve Wozniak, was priced at $1,298, including a CRT display and a keyboard.

Because these first personal computers were entirely stand-alone and usually under the control of a single individual, there were few security problems. However, in 1978, the Visicalc spreadsheet program was developed. The a