
Found at: 0x1bi.net:70/textfiles/file?hacking/POLICIES/policyasc.hac

A Draft Security Policy

This draft policy is provided as a model for your organization's consideration 
and adoption. It was prepared by the National Computer Security Association. 
We would appreciate your comments or revisions to it. You may write 
us at Suite 309, 4401-A Connecticut Av NW, Washington, DC 20008. Or 
you may call our BBS at 202-364-1304. Or you may call voice at 202-364-8252.


Each of the six basic requirements defined below is used by DoD in 
evaluating system security, and is appropriate throughout all computer 

Security Policy

There must be an explicit and well-defined security policy enforced 
by the system. Given identified subjects and objects, there must 
be a set of rules that are used by the system to determine whether 
a given subject can be permitted to gain access to a specific object. 
Computer systems of interest must enforce a mandatory security policy 
that can effectively implement access rules for handling sensitive 
information. These rules include requirements such as: "No
to classified information." In addition, discretionary security 
controls are required to ensure that only selected users or groups 
of users may obtain access to data, for instance on a 
need-to-know basis.
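As an added illustration (not part of the NCSA draft), a minimal reference monitor in Python that applies the two kinds of rule described above: a mandatory check that the subject's clearance dominates the object's label, and a discretionary need-to-know check, with every decision written to an audit list. The level names, subject names and audit record layout are assumptions made for this example.

```python
from dataclasses import dataclass, field

# Ordered sensitivity levels, lowest first (constructed for this example).
LEVELS = ["unclassified", "sensitive", "confidential", "secret"]


def dominates(clearance: str, label: str) -> bool:
    """Mandatory rule: a subject may access an object only if its clearance
    is at least as high as the object's label."""
    return LEVELS.index(clearance) >= LEVELS.index(label)


@dataclass
class Subject:
    name: str
    clearance: str


@dataclass
class DataObject:
    name: str
    label: str
    # Discretionary control: an explicit need-to-know list. An empty set
    # means no discretionary restriction beyond the mandatory rule.
    need_to_know: set = field(default_factory=set)


def mediate_access(subject: Subject, obj: DataObject, audit: list) -> bool:
    """Decide one access request and append the decision to the audit log
    so the action can later be traced to the responsible party."""
    if not dominates(subject.clearance, obj.label):
        granted, reason = False, "mandatory rule: clearance below object label"
    elif obj.need_to_know and subject.name not in obj.need_to_know:
        granted, reason = False, "discretionary rule: not on need-to-know list"
    else:
        granted, reason = True, "granted"
    audit.append({"subject": subject.name, "object": obj.name,
                  "granted": granted, "reason": reason})
    return granted


if __name__ == "__main__":
    log = []
    payroll = DataObject("payroll", "confidential", {"alice"})
    print(mediate_access(Subject("alice", "secret"), payroll, log))     # True
    print(mediate_access(Subject("bob", "secret"), payroll, log))       # False
    print(mediate_access(Subject("carol", "sensitive"), payroll, log))  # False
```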


Access control labels must be associated with objects. In order 
to control access to information stored in a computer, according to 
the rules of a mandatory security policy, it must be possible to mark 
every object with a label that reliably identifies the object's sensitivity 
level and/or the modes of access accorded those subjects who may potentially 
access the object.

Individual subjects must be identified. Each access to information 
must be mediated based on who is accessing the information and what 
classes of information they are authorized to deal with. This identification 
and authorization information must be securely maintained by the computer 


Audit information must be selectively kept and protected so that 
actions affecting security can be traced to the responsible party. 
A trusted system must be able to record the occurrences of security-relevant 
events in an audit log. The capability to select the audit events 
to be recorded is necessary to minimize the expense of auditing and 
to allow efficient analysis.  Audit data must be protected from modification 
and unauthorized destruction to permit detection and after-the-fact 
investigations of security violations.


The computer system must contain hardware/software mechanisms that 
can be independently evaluated to provide sufficient assurance that 
the system enforces the policy, marking, identification, and accountability 
identified and unified collection of hardware and software controls
that perform these functions.  These mechanisms are typically embedded 
in the operating system of mainframes, or a combination of operating
to carry out the assigned tasks in a secure manner.  The basis for 
trusting such system mechanisms in their operational setting must 
be clearly documented such that it is possible to independently examine 
the evidence to evaluate their sufficiency.

Continuous Protection

The trusted mechanisms that enforce these basic requirements must 
be continuously protected against tampering and/or unauthorized changes. 
No computer system can be considered truly secure if the basic hardware 
and software mechanisms that enforce the security policy are themselves 

Creating a security policy is fairly simple.  You can copy 
the material that follows, for instance, and get the chief to sign 
it. Implementing a security policy is more difficult.

	*  The organizations with the most success in implementing security 
and somehow convince all staff that security is an ongoing business 

While seemingly everyone concerned with security agrees that a policy 
is important, not everyone agrees that it should be agency-wide.  For
example, NASA's Richard W. Carr believes that a standard approach 
like the NSA's C2 level of safeguarding is not cost-effective.  Because 
local approaches to safeguarding information, rather than an agency-wide 


Before reviewing sophisticated data security issues, it is necessary 
to consider the basic physical protection of the equipment itself.


Access to micros should be physically limited to authorized users.  Untrained 
or malicious individuals could damage or make inappropriate use of 
the equipment or the accessible data.  At some organizations, such 
as GTE, the entire microcomputer is kept in a locked room.  If users 
are reluctant to do this when they are finished with it, then they 
are provided with an external hard disk that can be locked up.

	*  Do not permit users to leave workstations or micros unattended, 

	*  Install timelocks that activate after an interval of no keyboard 
activity, and require a password to resume entry.

	*  Change all passwords immediately whenever an employee leaves the 

	*  Change passwords routinely - perhaps every other month - of all 


the rooms where the hardware is located, or install lockdown systems 

Environmental Damage

Electrical Power

Computers are sensitive to the quality of electrical power.  Use surge 
from heavy appliances or office equipment.

Smoking, Eating, and Drinking

Smoke can damage disks.  Food and ashes that are dropped in the keyboard 
can work down into the mechanism and cause malfunctions.  Smoking, 
eating, and drinking should be prohibited in the vicinity of computers.

Static Electricity

Static electricity can badly damage a computer.  This danger can be 
minimized through the use of anti-static sprays, carpets, or pads.

Magnetic Media Protection

media, as it is the primary means of data storage.

Floppy Disks

Floppy disks should be handled with care.

	*  Always store in the protective jacket.

	*  Protect from bending or similar handling.

	*  Maintain an acceptable temperature range (50-125 degrees F.)

	*  Avoid contact with magnetic fields, such as telephone handsets.

	*  Do not write on the diskette, either directly or through the jacket 
or sleeve.

Hard Disks

Rough handling of hard disks may damage the device.  Take care not 
to jostle the unit unnecessarily.  Never power off the system without 

Media Declassification or Destruction

Magnetic media, such as disks and tapes, that contain sensitive or 
classified information should not be put in regular waste containers.  They 

Defective or damaged magnetic storage media that have been used in 
a sensitive environment should not be returned to the vendor unless 
they have been degaussed.  This is required since many "ERASE" 
commands do not actually erase the file.  The DoD-approved erasure 
method requires three overwrites of the file: first overwriting with 
"1"s, then "0"s, and then random bits.  Each overwrite should 
be verified by visually inspecting the file contents, using some low-level 

Electromagnetic Emanations

All electronic equipment emanates electromagnetic signals.  Emanations 
and translated into readable form by monitoring devices.  Secure measures 
intended to combat these radio frequency emissions are known as "TEMPEST"
controls.  TEMPEST-certified equipment is available, and used regularly 
by government organizations and contractors processing classified 

Hardware Modifications

Hardware modifications should be strictly controlled. Uncontrolled 
or poorly considered hardware modifications can adversely affect the 
operation of the computer.  For example, any modifications to TEMPEST-approved 
of any hardware systems used for sensitive processing should be very 
carefully monitored.  Such devices should be sealed to prevent tampering, 
and modifications made only by trusted, qualified personnel.

Trusted, Authorized Technicians

Advanced microelectronic techniques make computers vulnerable to "bugging."  A 
transmitter chip can be installed by a hostile technician under the 
certain that the technician performing maintenance is both authorized 
and qualified.  Also, circuit boards or components removed in the 
course of any maintenance at a classified facility should not leave 



Classify your information.  IBM uses five classes of data, from unclassified, 
only to employees with a predetermined need to know.  If your organization 


Sensitive or classified information resources must be clearly labeled 
as such.  These "resources" include both the hardware and 
the storage media.

External Classification Labels on Micros

Micros should have external classification labels indicating the highest 
cannot be reliably removed except by degaussing the entire disk surface.  Also, 
it is very difficult to ascertain that sensitive information has not
been stored on the disk.  Consequently, hard disk systems must be 
labeled to indicate the highest level of data sensitivity to which 
they have ever been exposed.

Floppy Disk Labels

Label all floppy disks to indicate the type and sensitivity of data 
on the disk.  A floppy must be considered to assume the sensitivity 
level of the device in which it is inserted.  For example, a hard 
a sensitive device, and any floppy disk inserted into any machine 
connected (directly or through cabling) to such a hard disk must assume 
that level of sensitivity.  Conversely, if the floppy were more sensitive 
than the hard disk, the hard disk now assumes the higher sensitivity 
of the floppy.
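The propagation rule in this paragraph, as an added Python example that is not part of the draft: a floppy and the device it is inserted into each take the higher of the two sensitivity levels, and the raised level spreads to every machine cabled to that device. The level names, device names and log format are constructed for the example.

```python
LEVELS = ["unclassified", "sensitive", "confidential", "secret"]


def higher(a: str, b: str) -> str:
    """Return the more sensitive of two levels."""
    return a if LEVELS.index(a) >= LEVELS.index(b) else b


class Device:
    """A micro or hard disk with its current label and its cabled neighbours."""

    def __init__(self, name: str, level: str = "unclassified"):
        self.name, self.level, self.links = name, level, set()

    def connect(self, other: "Device") -> None:
        self.links.add(other)
        other.links.add(self)


class Floppy:
    def __init__(self, name: str, level: str = "unclassified"):
        self.name, self.level = name, level


def relabel_connected(device: Device, level: str, log: list) -> None:
    """Raise the label of device and everything reachable by cabling to at
    least `level`. Labels only ever go up; each raise is logged."""
    stack, seen = [device], set()
    while stack:
        d = stack.pop()
        if d in seen:
            continue
        seen.add(d)
        if LEVELS.index(level) > LEVELS.index(d.level):
            log.append(f"{d.name}: {d.level} -> {level}")
            d.level = level
        stack.extend(d.links)


def insert(floppy: Floppy, device: Device, log: list) -> str:
    """Apply the rule: both the floppy and the device assume the higher level,
    and the device's cabled neighbours follow."""
    new_level = higher(floppy.level, device.level)
    if new_level != floppy.level:
        log.append(f"{floppy.name}: {floppy.level} -> {new_level}")
        floppy.level = new_level
    relabel_connected(device, new_level, log)
    return new_level
```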


Files stored on a hard disk containing any sensitive files must be 
cannot be readily confirmed as such.  Visual inspection of a file's 
the file space.  Sensitive files, if they must be stored on hard disks, 
files are sensitive is to store them in a separated disk partition.  However, 


Data encryption provides a partial solution to the problem of labeling 
as well as providing access control.  Encryption is a technique for 
to the tools necessary to see it.

Hardware implementations of encryption can provide a higher degree 
of security, since software-based implementations are susceptible 
to penetration by interlopers.  However, take steps to ensure the 
integrity of the device.  Sensitive equipment should be sealed and
the internal configuration audited.

Securing Data Media

Lock Floppy Disks

Diskettes should be locked in a secure container.  Be sure that the 
keys are unique and not interchangeable with the keys to other locks.

Use Removable Hard Disk Systems

When feasible, use removable hard disk systems instead of fixed disk 
consider installing power-on locks that restrict access to the machine 
to individuals with lock keys.  Again, the keys should be unique.


Make backup copies of all important software and data files.

Clearing Memory

Clear the micro's memory between users.  Turning most micros off for 

Data Transmission

Microcomputers can enable users to transfer data to or from a mainframe.  Transferring 
micro user is responsible for ensuring that sensitive or classified 
information is transferred only to other computers designated for
from mainframe to micro.  Note that such transmissions may include 
information which the user may not have perceived as being transferred.


Software Vulnerabilities

The lack of micro hardware security engenders software insecurity.  Because 
modifications cannot be prevented, critical software, including operating 

Operating System Weaknesses

Unlike many mainframe computer operating systems, most micro operating 

User Identification and Authentication

User identification is the process by which an individual identifies 
by which the user establishes that he is indeed that user, and has 
a right to use the system.  During the login process, the user enters 
name or account number (identification) and password (authentication).  

	*  Add password systems - software or hardware - to micros.

	*  Do not permit employees to use inappropriate passwords that are 
easy to guess (first name, spouse's name, pet's name, birthday, etc.)

	*  Authentication (and, for multi-user micros and LANs, identification) 

Software Attacks - Trapdoors/Trojan Horses/Viruses

Don't use any software that is not a "known quantity".  Isolate 
and test new software on a test system, where Trojan horses and viruses 
can do little damage.

Consider a policy which prohibits users from bringing unapproved software 
into the building. (Rockwell International has had such a written
that it be tested by your virus test group first.

Follow the advice in the chapter on viruses.

Communication Attacks

be intercepted by someone masquerading as you, actively receiving 
your information, or through passive eavesdropping.  Therefore, sensitive 
information should be protected during transmission.  Masquerading
can be thwarted through the use of dial-back.  Dial-back is an interactive 
the identification of the caller, then disconnects.  If the caller's 
the answering system will call back the originating system at a prearranged 
number.  The effectiveness of dial-back as a security measure is questionable 
convenience features like call forwarding.  Also, various methods 
of call-back protection have been broken by hackers.  Encryption is 
one sure method of transmission protection.

Encryption can be adapted as a means of remote user authentication.  A 
user key, entered at the keyboard, authenticates the user.  A second 
encryption key can be stored in encrypted form in the calling system 
firmware that authenticates the calling system as an approved communication 
endpoint.  When dial-back is used in conjunction with two-key encryption, 
key), located at authorized locations (those with phone numbers listed 
in the answering system's phone directory).

Remote connections to other systems make micros susceptible to remote 
attacks.  A micro connected to a network, for example, may be subjected 
to attack by other network users.  The attacker could transmit control 
characters that affect the interrupt logic of the micro in such a 
even if he is incapable of passing the system's login challenge.  The 
attacker could use other techniques to examine the user's communication 


To create computer security, four basic changes must occur in the 

	*  senior management must provide strong, overt support of the 
and they must set good examples.

	*  employees must be educated. Employees would support security 
felt that they were part of the program. Educate and involve them.

	*  all members of the organization must participate in the program. 
Because information is handled by all employees, all must understand 
the value of their contribution to security, and the value of the 
information they access.

	*  staff effort must be rewarded.  Be sure to reward those 

The "human factors" in computer security are probably far 
more important than the hardware or software you throw at the problem.

too.  Ken Thompson, one of the co-developers of UNIX, writes "It 
is only the inadequacy of the criminal code that saves the hackers
from very serious prosecution... There is an explosive situation brewing. 
On the one hand, the press, television, and movies make heroes of 
vandals by calling them whiz kids. On the other hand, the acts performed 
by these kids will soon be punishable by years in prison... The act 
of breaking into a computer system has to have the same social stigma 
as breaking into a neighbor's house. It should not matter that the 
neighbor's door is unlocked. The press must learn that misguided use 
of a computer is no more amazing than drunk driving of an automobile."

Downloaded From P-80 International Information Systems 304-744-2253