Examples of Threats to HGA Systems
Loss/Release of Disclosure-Sensitive Information
Destruction of Information
of Information due to Virus Contamination
of System Resources
Access to Telecommunications Resources *
* HGA operates
a PBX system, which may be vulnerable to (1) hacker disruptions
of PBX availability and, consequently, agency operations,
(2) unauthorized access to outgoing phone lines for long-distance
services, (3) unauthorized access to stored voice-mail messages,
and (4) surreptitious access to otherwise private conversations/data
data that are sensitive with respect to disclosure or modification
are expected to make effective use of the automated access control
mechanisms available on HGA computers to reduce the risk of exposure
to unauthorized individuals. (Appropriate training and education
are in place to help users do this.) In general, access to disclosure-sensitive
information is to be granted only to individuals whose jobs require
Protection Against Payroll Fraud and Errors: Time and Attendance
and attendance application plays a major role in protecting against
payroll fraud and errors. Since the time and attendance application
is a component of a larger automated payroll process, many of its
functional and security requirements have been derived from both
governmentwide and HGA-specific policies related to payroll and
leave. For example, HGA must protect personal information in accordance
with the Privacy Act. Depending on the specific type of information,
it should normally be viewable only by the individual concerned,
the individual's supervisors, and personnel and payroll department
employees. Such information should also be timely and accurate.
employees must sign and submit a time sheet that identifies the
number of hours they have worked and the amount of leave they have
taken. The Time and Attendance Clerk enters the data for a given
group of employees and runs an application on the LAN server to
verify the data's validity and to ensure that only authorized users
with access to the Time and Attendance Clerk's functions can enter
time and attendance data. The application performs these security
checks by using the LAN server's access control and identification
and authentication (I&A) mechanisms. The application compares
the data with a limited database of employee information to detect
incorrect employee identifiers, implausible numbers of hours worked,
and so forth. After correcting any detected errors, the clerk runs
another application that formats the time and attendance data into
a report, flagging exception/out-of-bound conditions (e.g., negative
supervisors are responsible for reviewing the correctness of the
time sheets of the employees under their supervision and indicating
their approval by initialing the time sheets. If they detect significant
irregularities and indications of fraud in such data, they must
report their findings to the Payroll Office before submitting the
time sheets for processing. In keeping with the principle of separation
of duty, all data on time sheets and corrections on the sheets that
may affect pay, leave, retirement, or other benefits of an individual
must be reviewed for validity by at least two authorized individuals
(other than the affected individual).
Against Unauthorized Execution
with access to Time and Attendance Supervisor functions may approve
and submit time and attendance data -- or subsequent corrections
thereof -- to the mainframe. Supervisors may not approve their own
time and attendance data.
System Administrator has been granted access to assign a special
access control privilege to server programs. As a result, the server's
operating system is designed to prevent a bogus time and attendance
application created by any other user from communicating with the
WAN and, hence, with the mainframe.
and attendance application is supposed to be configured so that
the clerk and supervisor functions can only be carried out from
specific PCs attached to the LAN and only during normal working
hours. Administrators are not authorized to exercise functions of
the time and attendance application apart from those concerned with
configuring the accounts, passwords, and access permissions for
clerks and supervisors. Administrators are expressly prohibited
by policy from entering, modifying, or submitting time and attendance
data via the time and attendance application or other mechanisms.141
against unauthorized execution of the time and attendance application
depends on I&A and access controls. While the time and attendance
application is accessible from any PC, unlike most programs run
by PC users, it does not execute directly on the PC's processor.
Instead, it executes on the server, while the PC behaves as a terminal,
relaying the user's keystrokes to the server and displaying text
and graphics sent from the server. The reason for this approach
is that common PC systems do not provide I&A and access controls
and, therefore, cannot protect against unauthorized time and attendance
program execution. Any individual who has access to the PC
could run any program stored there.
possible approach is for the time and attendance program to perform
I&A and access control on its own by requesting and validating
a password before beginning each time and attendance session. This
approach, however, can be defeated easily by a moderately skilled
programming attack, and was judged inadequate by HGA during the
application's early design phase.
the server is a more powerful computer equipped with a multiuser
operating system that includes password-based I&A and access
controls. Designing the time and attendance application program
so that it executes on the server under the control of the server's
operating system provides a more effective safeguard against unauthorized
execution than executing it on the user's PC.
Against Payroll Errors
of data entry errors is reduced by having Time and Attendance clerks
enter each time sheet into the time and attendance application twice.
If the two copies are identical, both are considered error free,
and the record is accepted for subsequent review and approval by
a supervisor. If the copies are not identical, the discrepancies
are displayed, and for each discrepancy, the clerk determines which
copy is correct. The clerk then incorporates the corrections into
one of the copies, which is then accepted for further processing.
If the clerk makes the same data-entry error twice, then the two
copies will match, and one will be accepted as correct, even though
it is erroneous. To reduce this risk, the time and attendance application
could be configured to require that the two copies be entered by
each department has one or more Time and Attendance Supervisors
who are authorized to review these reports for accuracy and to approve
them by running another server program that is part of the time
and attendance application. The data are then subjected to a collection
of "sanity checks" to detect entries whose values are
outside expected ranges. Potential anomalies are displayed to the
supervisor prior to allowing approval; if errors are identified,
the data are returned to a clerk for additional examination and
When a supervisor
approves the time and attendance data, this application logs into
the interagency mainframe via the WAN and transfers the data to
a payroll database on the mainframe. The mainframe later prints
paychecks or, using a pool of modems that can send data over phone
lines, it may transfer the funds electronically into employee-designated
bank accounts. Withheld taxes and contributions are also transferred
electronically in this manner.
of Personnel is responsible for ensuring that forms describing significant
payroll-related personnel actions are provided to the Payroll Office
at least one week before the payroll processing date for the first
affected pay period. These actions include hiring, terminations,
transfers, leaves of absences and returns from such, and pay raises.
of the Payroll Office is responsible for establishing and maintaining
controls adequate to ensure that the amounts of pay, leave, and
other benefits reported on pay stubs and recorded in permanent records
and those distributed electronically are accurate and consistent
with time and attendance data and with other information provided
by the Personnel Department. In particular, paychecks must never
be provided to anyone who is not a bona fide, active-status employee
of HGA. Moreover, the pay of any employee who terminates employment,
who transfers, or who goes on leave without pay must be suspended
as of the effective date of such action; that is, extra paychecks
or excess pay must not be dispersed.
Against Accidental Corruption or Loss of Payroll Data
mechanisms used to protect against fraudulent modification are used
to protect against accidental corruption of time and attendance
data -- namely, the access-control features of the server and mainframe
backups of the server's disks protect against loss of time and attendance
data. To a limited extent, HGA also relies on mainframe administrative
personnel to back up time and attendance data stored on the mainframe,
even though HGA has no direct control over these individuals. As
additional protection against loss of data at the mainframe, HGA
retains copies of all time and attendance data on line on the server
for at least one year, at which time the data are archived and kept
for three years. The server's access controls for the on-line files
are automatically set to read-only access by the time and attendance
application at the time of submission to the mainframe. The integrity
of time and attendance data will be protected by digital signatures
as they are implemented.
communications protocols also protect against loss of data during
transmission from the server to the mainframe (e.g., error checking).
In addition, the mainframe payroll application includes a program
that is automatically run 24 hours before paychecks and pay stubs
are printed. This program produces a report identifying agencies
from whom time and attendance data for the current pay period were
expected but not received. Payroll department staff are responsible
for reviewing the reports and immediately notifying agencies that
need to submit or resubmit time and attendance data. If time and
attendance input or other related information is not available on
a timely basis, pay, leave, and other benefits are temporarily calculated
based on information estimated from prior pay periods.
Protection Against Interruption of Operations
regarding continuity of operations are derived from requirements
stated in OMB Circular A-130. HGA requires various organizations
within it to develop contingency plans, test them annually, and
establish appropriate administrative and operational procedures
for supporting them. The plans must identify the facilities, equipment,
supplies, procedures, and personnel needed to ensure reasonable
continuity of operations under a broad range of adverse circumstances.
COG is responsible
for developing and maintaining a contingency plan that sets forth
the procedures and facilities to be used when physical plant failures,
natural disasters, or major equipment malfunctions occur sufficient
to disrupt the normal use of HGA's PCs, LAN, server, router, printers,
and other associated equipment.
prioritizes applications that rely on these resources, indicating
those that should be suspended if available automated functions
or capacities are temporarily degraded. COG personnel have identified
system software and hardware components that are compatible with
those used by two nearby agencies. HGA has signed an agreement with
those agencies, whereby they have committed to reserving spare computational
and storage capacities sufficient to support HGA's system-based
operations for a few days during an emergency.
devices or network interfaces may be connected to HGA's systems
without written approval of the COG Manager. The COG staff is responsible
for installing all known security-related software patches in a
timely manner and for maintaining spare or redundant PCs, servers,
storage devices, and LAN interfaces to ensure that at least 100
people can simultaneously perform word processing tasks at all times.
against accidental corruption or loss of data, COG personnel back
up the LAN server's disks onto magnetic tape every night and transport
the tapes weekly to a sister agency for storage. HGA's policies
also stipulate that all PC users are responsible for backing up
weekly any significant data stored on their PC's local hard disks.
For the past several years, COG has issued a yearly memorandum reminding
PC users of this responsibility. COG also strongly encourages them
to store significant data on the LAN server instead of on their
PC's hard disk so that such data will be backed up automatically
during COG's LAN server backups.
more limited computer equipment malfunctions from interrupting routine
business operations; COG maintains an inventory of approximately
ten fully equipped spare PC's, a spare LAN server, and several spare
disk drives for the server. COG also keeps thousands of feet of
LAN cable on hand. If a segment of the LAN cable that runs through
the ceilings and walls of HGA's buildings fails or is accidentally
severed, COG technicians will run temporary LAN cabling along the
floors of hallways and offices, typically restoring service within
a few hours for as long as needed until the cable failure is located
against PC virus contamination, HGA authorizes only System Administrators
approved by the COG Manager to install licensed, copyrighted PC
software packages that appear on the COG-approved list. PC software
applications are generally installed only on the server. (These
stipulations are part of an HGA assurance strategy that relies on
the quality of the engineering practices of vendors to provide software
that is adequately robust and trustworthy.) Only the COG Manager
is authorized to add packages to the approved list. COG procedures
also stipulate that every month System Administrators should run
virus-detection and other security-configuration validation utilities
on the server and, on a spot-check basis, on a number of PCs. If
they find a virus, they must immediately notify the agency team
that handles computer security incidents.
COG is also
responsible for reviewing audit logs generated by the server, identifying
audit records indicative of security violations, and reporting such
indications to the Incident-Handling Team. The COG Manager assigns
these duties to specific members of the staff and ensures that they
are implemented as intended.
Manager is responsible for assessing adverse circumstances and for
providing recommendations to HGA's Director. Based on these and
other sources of input, the Director will determine whether the
circumstances are dire enough to merit activating various sets of
procedures called for in the contingency plan.
also must develop and maintain their own contingency plans. The
plans must identify critical business functions, the system resources
and applications on which they depend, and the maximum acceptable
periods of interruption that these functions can tolerate without
significant reduction in HGA's ability to fulfill its mission. The
head of each division is responsible for ensuring that the division's
contingency plan and associated support activities are adequate.
major application used by multiple divisions, a chief of a single
division must be designated as the application owner. The
designated official (supported by his or her staff) is responsible
for addressing that application in the contingency plan and for
coordinating with other divisions that use the application.
If a division
relies exclusively on computer resources maintained by COG (e.g.,
the LAN), it need not duplicate COG's contingency plan, but is responsible
for reviewing the adequacy of that plan. If COG's plan does not
adequately address the division's needs, the division must communicate
its concerns to the COG Director. In either situation, the division
must make known the criticality of its applications to the COG.
If the division relies on computer resources or services that are
not provided by COG, the division is responsible for (1)
developing its own contingency plan or (2) ensuring that the contingency
plans of other organizations (e.g., the WAN service provider) provide
adequate protection against service disruptions.
Protection Against Disclosure or Brokerage of Information
against information disclosure is based on a need-to-know policy
and on personnel hiring and screening practices. The need-to-know
policy states that time and attendance information should be made
accessible only to HGA employees and contractors whose assigned
professional responsibilities require it. Such information must
be protected against access from all other individuals, including
other HGA employees. Appropriate hiring and screening practices
can lessen the risk that an untrustworthy individual will be assigned
policy is supported by a collection of physical, procedural, and
automated safeguards, including the following:
- · Time and attendance
paper documents are must be stored securely when not in use,
particularly during evenings and on weekends. Approved storage
containers include locked file cabinets and desk drawers---to
which only the owner has the keys. While storage in a container
is preferable, it is also permissible to leave time and attendance
documents on top of a desk or other exposed surface in a locked
office (with the realization that the guard force has keys to
the office). (This is a judgment left to local discretion.)
Similar rules apply to disclosure-sensitive information stored
on floppy disks and other removable magnetic media.
- Every HGA PC is
equipped with a key lock that, when locked, disables the PC.
When information is stored on a PC's local hard disk, the user
to whom that PC was assigned is expected to (1) lock the PC
at the conclusion of each workday and (2) lock the office in
which the PC is located.
- The LAN server
operating system's access controls provide extensive features
for controlling access to files. These include group-oriented
controls that allow teams of users to be assigned to named groups
by the System Administrator. Group members are then allowed
access to sensitive files not accessible to nonmembers. Each
user can be assigned to several groups according to need to
know. (The reliable functioning of these controls is assumed,
perhaps incorrectly, by HGA.)
- All PC users undergo
security awareness training when first provided accounts on
the LAN server. Among other things, the training stresses the
necessity of protecting passwords. It also instructs users to
log off the server before going home at night or before leaving
the PC unattended for periods exceeding an hour.
Protection Against Network-Related Threats
set of external network safeguards has only been in place for a
few months. The basic approach is to tightly restrict the kinds
of external network interactions that can occur by funneling all
traffic to and from external networks through two interfaces that
filter out unauthorized kinds of interactions. As indicated in Figure
20.1, the two interfaces are the network router and the LAN server.
The only kinds of interactions that these interfaces allow are (1)
e-mail and (2) data transfers from the server to the mainframe controlled
by a few special applications (e.g., the time and attendance application).
shows that the network router is the only direct interface between
the LAN and the Internet. The router is a dedicated special-purpose
computer that translates between the protocols and addresses associated
with the LAN and the Internet. Internet protocols, unlike those
used on the WAN, specify that packets of information coming from
or going to the Internet must carry an indicator of the kind of
service that is being requested or used to process the information.
This makes it possible for the router to distinguish e-mail packets
from other kinds of packets--for example, those associated with
a remote login request.142 The router
has been configured by COG to discard all packets coming from or
going to the Internet, except those associated with e-mail. COG
personnel believe that the router effectively eliminates Internet-based
attacks on HGA user accounts because it disallows all remote log-in
sessions, even those accompanied by a legitimate password.
server enforces a similar type of restriction for dial-in access
via the public-switched network. The access controls provided by
the server's operating system have been configured so that during
dial-in sessions, only the e-mail utility can be executed. (HGA
policy, enforced by periodic checks, prohibits installation of modems
on PCs, so that access must be through the LAN server.) In addition,
the server's access controls have been configured so that its WAN
interface device is accessible only to programs that possess a special
access-control privilege. Only the System Administrator can assign
this privilege to server programs, and only a handful of special-purpose
applications, like the time and attendance application, have been
assigned this privilege.
Protection Against Risks from Non-HGA Computer Systems
on systems and components that it cannot control directly because
they are owned by other organizations. HGA has developed a policy
to avoid undue risk in such situations. The policy states that system
components controlled and operated by organizations other than HGA
may not be used to process, store, or transmit HGA information without
obtaining explicit permission from the application owner and the
COG Manager. Permission to use such system components may not be
granted without written commitment from the controlling organization
that HGA's information will be safeguarded commensurate with its
value, as designated by HGA. This policy is somewhat mitigated by
the fact that HGA has developed an issue-specific policy on the
use of the Internet, which allows for its use for e-mail with outside
organizations and access to other resources (but not for transmission
of HGA's proprietary data).
Reported by the Risk Assessment Team
assessment team found that many of the risks to which HGA is exposed
stem from (1) the failure of individuals to comply with established
policies and procedures or (2) the use of automated mechanisms whose
assurance is questionable because of the ways they have been developed,
tested, implemented, used, or maintained. The team also identified
specific vulnerabilities in HGA's policies and procedures for protecting
against payroll fraud and errors, interruption of operations, disclosure
and brokering of confidential information, and unauthorized access
to data by outsiders.
Vulnerabilities Related to Payroll Fraud
safeguards against falsified time sheets are review and approval
by supervisory personnel, who are not permitted to approve their
own time and attendance data. The risk assessment has concluded
that, while imperfect, these safeguards are adequate. The related
requirement that a clerk and a supervisor must cooperate closely
in creating time and attendance data and submitting the data to
the mainframe also safeguards against other kinds of illicit manipulation
of time and attendance data by clerks or supervisors acting independently.
When a PC
user enters a password to the server during I&A, the password
is sent to the server by broadcasting it over the LAN "in the
clear." This allows the password to be intercepted easily by
any other PC connected to the LAN. In fact, so-called "password
sniffer" programs that capture passwords in this way are widely
available. Similarly, a malicious program planted on a PC could
also intercept passwords before transmitting them to the server.
An unauthorized individual who obtained the captured passwords could
then run the time and attendance application in place of a clerk
or supervisor. Users might also store passwords in a log-on script
Time and Attendance Applications
access controls are probably adequate for protection against bogus
time and attendance applications that run on the server. However,
the server's operating system and access controls have only been
in widespread use for a few years and contain a number of security-related
bugs. And the server's access controls are ineffective if not properly
configured, and the administration of the server's security features
in the past has been notably lax.
Modification of Time and Attendance Data
against unauthorized modification of time and attendance data requires
a variety of safeguards because each system component on which the
data are stored or transmitted is a potential source of vulnerabilities.
time and attendance data are entered on the server by a clerk. On
occasion, the clerk may begin data entry late in the afternoon,
and complete it the following morning, storing it in a temporary
file between the two sessions. One way to avoid unauthorized modification
is to store the data on a diskette and lock it up overnight. After
being entered, the data will be stored in another temporary file
until reviewed and approved by a supervisor. These files, now stored
on the system, must be protected against tampering. As before, the
server's access controls, if reliable and properly configured, can
provide such protection (as can digital signatures, as discussed
later) in conjunction with proper auditing.
when the Supervisor approves a batch of time and attendance data,
the time and attendance application sends the data over the WAN
to the mainframe. The WAN is a collection of communications equipment
and special-purpose computers called "switches" that act
as relays, routing information through the network from source to
destination. Each switch is a potential site at which the time and
attendance data may be fraudulently modified. For example, an HGA
PC user might be able to intercept time and attendance data and
modify the data enroute to the payroll application on the mainframe.
Opportunities include tampering with incomplete time and attendance
input files while stored on the server, interception and tampering
during WAN transit, or tampering on arrival to the mainframe prior
to processing by the payroll application.
arrival at the mainframe, the time and attendance data are held
in a temporary file on the mainframe until the payroll application
is run. Consequently, the mainframe's I&A and access controls
must provide a critical element of protection against unauthorized
modification of the data.
to the risk assessment, the server's access controls, with prior
caveats, probably provide acceptable protection against unauthorized
modification of data stored on the server. The assessment concluded
that a WAN-based attack involving collusion between an employee
of HGA and an employee of the WAN service provider, although unlikely,
should not be dismissed entirely, especially since HGA has only
cursory information about the service provider's personnel security
practices and no contractual authority over how it operates the
source of vulnerabilities, however, is the mainframe. Although its
operating system's access controls are mature and powerful, it uses
password-based I&A. This is of particular concern, because it
serves a large number of federal agencies via WAN connections. A
number of these agencies are known to have poor security programs.
As a result, one such agency's systems could be penetrated (e.g.,
from the Internet) and then used in attacks on the mainframe via
the WAN. In fact, time and attendance data awaiting processing on
the mainframe would probably not be as attractive a target to an
attacker as other kinds of data or, indeed, disabling the system,
rendering it unavailable. For example, an attacker might be able
to modify the employee data base so that it disbursed paychecks
or pensions checks to fictitious employees. Disclosure-sensitive
law enforcement databases might also be attractive targets.
control on the mainframe is strong and provides good protection
against intruders breaking into a second application after they
have broken into a first. However, previous audits have shown that
the difficulties of system administration may present some opportunities
for intruders to defeat access controls.
Vulnerabilities Related to Payroll Errors
has established procedures for ensuring the timely submission and
interagency coordination of paperwork associated with personnel
status changes. However, an unacceptably large number of troublesome
payroll errors during the past several years has been traced to
the late submission of personnel paperwork. The risk assessment
documented the adequacy of HGA's safeguards, but criticized the
managers for not providing sufficient incentives for compliance.
Vulnerabilities Related to Continuity of Operations
assessment commended HGA for many aspects of COG's contingency plan,
but pointed out that many COG personnel were completely unaware
of the responsibilities the plan assigned to them. The assessment
also noted that although HGA's policies require annual testing of
contingency plans, the capability to resume HGA's computer-processing
activities at another cooperating agency has never been verified
and may turn out to be illusory.
assessment reviewed a number of the application-oriented contingency
plans developed by HGA's divisions (including plans related to time
and attendance). Most of the plans were cursory and attempted to
delegate nearly all contingency planning responsibility to COG.
The assessment criticized several of these plans for failing to
address potential disruptions caused by lack of access to (1) computer
resources not managed by COG and (2) nonsystem resources, such as
buildings, phones, and other facilities. In particular, the contingency
plan encompassing the time and attendance application was criticized
for not addressing disruptions caused by WAN and mainframe outages.
assessment found HGA's virus-prevention policy and procedures to
be sound, but noted that there was little evidence that they were
being followed. In particular, no COG personnel interviewed had
ever run a virus scanner on a PC on a routine basis, though several
had run them during publicized virus scares. The assessment cited
this as a significant risk item.
Corruption and Loss of Data
assessment concluded that HGA's safeguards against accidental corruption
and loss of time and attendance data were adequate, but that safeguards
for some other kinds of data were not. The assessment included an
informal audit of a dozen randomly chosen PCs and PC users in the
agency. It concluded that many PC users store significant data on
their PC's hard disks, but do not back them up. Based on anecdotes,
the assessment's authors stated that there appear to have been many
past incidents of loss of information stored on PC hard disks and
predicted that such losses would continue.
Vulnerabilities Related to Information Disclosure/Brokerage
a conservative approach toward protecting information about its
employees. Since information brokerage is more likely to be a threat
to large collections of data, HGA risk assessment focused primarily,
but not exclusively, on protecting the mainframe.
assessment concluded that significant, avoidable information brokering
vulnerabilities were present--particularly due to HGA's lack of
compliance with its own policies and procedures. Time and attendance
documents were typically not stored securely after hours, and few
PCs containing time and attendance information were routinely locked.
Worse yet, few were routinely powered down, and many were left logged
into the LAN server overnight. These practices make it easy for
an HGA employee wandering the halls after hours to browse or copy
time and attendance information on another employee's desk, PC hard
disk, or LAN server directories.
assessment pointed out that information sent to or retrieved from
the server is subject to eavesdropping by other PCs on the LAN.
The LAN hardware transmits information by broadcasting it to all
connection points on the LAN cable. Moreover, information sent to
or retrieved from the server is transmitted in the clear--that is,
without encryption. Given the widespread availability of LAN "sniffer"
programs, LAN eavesdropping is trivial for a prospective information
broker and, hence, is likely to occur.
assessment noted that HGA's employee master database is stored on
the mainframe, where it might be a target for information brokering
by employees of the agency that owns the mainframe. It might also
be a target for information brokering, fraudulent modification,
or other illicit acts by any outsider who penetrates the mainframe
via another host on the WAN.
assessment concurred with the general approach taken by HGA, but
identified several vulnerabilities. It reiterated previous concerns
about the lack of assurance associated with the server's access
controls and pointed out that these play a critical role in HGA's
approach. The assessment noted that the e-mail utility allows a
user to include a copy of any otherwise accessible file in an outgoing
mail message. If an attacker dialed in to the server and succeeded
in logging in as an HGA employee, the attacker could use the mail
utility to export copies of all the files accessible to that employee.
In fact, copies could be mailed to any host on the Internet.
also noted that the WAN service provider may rely on microwave stations
or satellites as relay points, thereby exposing HGA's information
to eavesdropping. Similarly, any information, including passwords
and mail messages, transmitted during a dial-in session is subject
for Mitigating the Identified Vulnerabilities
in the following subsections were chosen to illustrate a broad
sampling143 of handbook topics.
Risk management and security program management themes are integral
throughout, with particular emphasis given to the selection of risk-driven
Mitigating Payroll Fraud Vulnerabilities
the vulnerabilities related to payroll fraud, the risk assessment
team recommended144 the use of stronger
authentication mechanisms based on smart tokens to generate one-time
passwords that cannot be used by an interloper for subsequent sessions.
Such mechanisms would make it very difficult for outsiders (e.g.,
from the Internet) who penetrate systems on the WAN to use them
to attack the mainframe. The authors noted, however, that the mainframe
serves many different agencies, and HGA has no authority over the
way the mainframe is configured and operated. Thus, the costs and
procedural difficulties of implementing such controls would be substantial.
The assessment team also recommended improving the server's administrative
procedures and the speed with which security-related bug fixes distributed
by the vendor are installed on the server.
from COG security specialists and application owners, HGA's managers
accepted most of the risk assessment team's recommendations. They
decided that since the residual risks from the falsification of
time sheets were acceptably low, no changes in procedures were necessary.
However, they judged the risks of payroll fraud due to the interceptability
of LAN server passwords to be unacceptably high, and thus directed
COG to investigate the costs and procedures associated with using
one-time passwords for Time and Attendance Clerks and supervisor
sessions on the server. Other users performing less sensitive tasks
on the LAN would continue to use password-based authentication.
immaturity of the LAN server's access controls was judged a significant
source of risk, COG was only able to identify one other PC LAN product
that would be significantly better in this respect. Unfortunately,
this product was considerably less friendly to users and application
developers, and incompatible with other applications used by HGA.
The negative impact of changing PC LAN products was judged too high
for the potential incremental gain in security benefits. Consequently,
HGA decided to accept the risks accompanying use of the current
product, but directed COG to improve its monitoring of the server's
access control configuration and its responsiveness to vendor security
reports and bug fixes.
that risks of fraud due to unauthorized modification of time and
attendance data at or in transit to the mainframe should not be
accepted unless no practical solutions could be identified. After
discussions with the mainframe's owning agency, HGA concluded that
the owning agency was unlikely to adopt the advanced authentication
techniques advocated in the risk assessment. COG, however, proposed
an alternative approach that did not require a major resource commitment
on the part of the mainframe owner.
approach would employ digital signatures based on public key cryptographic
techniques to detect unauthorized modification of time and attendance
data. The data would be digitally signed by the supervisor
using a private key prior to transmission to the mainframe. When
the payroll application program was run on the mainframe, it would
use the corresponding public key to validate the correspondence
between the time and attendance data and the signature. Any modification
of the data during transmission over the WAN or while in temporary
storage at the mainframe would result in a mismatch between the
signature and the data. If the payroll application detected a mismatch,
it would reject the data; HGA personnel would then be notified and
asked to review, sign, and send the data again. If the data and
signature matched, the payroll application would process the time
and attendance data normally.
to use advanced authentication for time and attendance Clerks and
Supervisors can be combined with digital signatures by using smart
tokens. Smart tokens are programmable devices, so they can be loaded
with private keys and instructions for computing digital signatures
without burdening the user. When supervisors approve a batch of
time and attendance data, the time and attendance application on
the server would instruct the supervisor to insert their token in
the token reader/writer device attached to the supervisors' PC.
The application would then send a special "hash" (summary)
of the time and attendance data to the token via the PC. The token
would generate a digital signature using its embedded secret key,
and then transfer the signature back to the server, again via the
PC. The time and attendance application running on the server would
append the signature to the data before sending the data to the
mainframe and, ultimately, the payroll application.
this approach did not address the broader problems posed by the
mainframe's I&A vulnerabilities, it does provide a reliable
means of detecting time and attendance data tampering. In addition,
it protects against bogus time and attendance submissions from systems
connected to the WAN because individuals who lack a time and attendance
supervisor's smart token will be unable to generate valid signatures.
(Note, however, that the use of digital signatures does require
increased administration, particularly in the area of key management.)
In summary, digital signatures mitigate risks from a number of different
kinds of threats.
concluded that digitally signing time and attendance data was a
practical, cost-effective way of mitigating risks, and directed
COG to pursue its implementation. (They also noted that it would
be useful as the agency moved to use of digital signatures in other
applications.) This is an example of developing and providing a
solution in an environment over which no single entity has overall
Mitigating Payroll Error Vulnerabilities
the risk assessment, HGA's management concluded that the agency's
current safeguards against payroll errors and against accidental
corruption and loss of time and attendance data were adequate. However,
the managers also concurred with the risk assessment's conclusions
about the necessity for establishing incentives for complying (and
penalties for not complying) with these safeguards. They thus tasked
the Director of Personnel to ensure greater compliance with paperwork-handling
procedures and to provide quarterly compliance audit reports. They
noted that the digital signature mechanism HGA plans to use for
fraud protection can also provide protection against payroll errors
due to accidental corruption.
Mitigating Vulnerabilities Related to the Continuity of Operations
recommended that COG institute a program of periodic internal training
and awareness sessions for COG personnel having contingency plan
responsibilities. The assessment urged that COG undertake a rehearsal
during the next three months in which selected parts of the plan
would be exercised. The rehearsal should include attempting to initiate
some aspect of processing activities at one of the designated alternative
sites. HGA's management agreed that additional contingency plan
training was needed for COG personnel and committed itself to its
first plan rehearsal within three months.
short investigation, HGA divisions owning applications that depend
on the WAN concluded that WAN outages, although inconvenient, would
not have a major impact on HGA. This is because the few time-sensitive
applications that required WAN-based communication with the mainframe
were originally designed to work with magnetic tape instead of the
WAN, and could still operate in that mode; hence courier-delivered
magnetic tapes could be used as an alternative input medium in case
of a WAN outage. The divisions responsible for contingency planning
for these applications agreed to incorporate into their contingency
plans both descriptions of these procedures and other improvements.
to mainframe outages, HGA determined that it could not easily make
arrangements for a suitable alternative site. HGA also obtained
and examined a copy of the mainframe facility's own contingency
plan. After detailed study, including review by an outside consultant,
HGA concluded that the plan had major deficiencies and posed significant
risks because of HGA's reliance on it for payroll and other services.
This was brought to the attention of the Director of HGA, who, in
a formal memorandum to the head of the mainframe's owning agency,
called for (1) a high-level interagency review of the plan by all
agencies that rely on the mainframe, and (2) corrective action to
remedy any deficiencies found.
agreed to improve adherence to its virus-prevention procedures.
It agreed (from the point of view of the entire agency) that information
stored on PC hard disks is frequently lost. It estimated, however,
that the labor hours lost as a result would amount to less than
a person year--which HGA management does not consider to
be unacceptable. After reviewing options for reducing this risk,
HGA concluded that it would be cheaper to accept the associated
loss than to commit significant resources in an attempt to avoid
it. COG volunteered, however, to set up an automated program on
the LAN server that e-mails backup reminders to all PC users once
each quarter. In addition, COG agreed to provide regular backup
services for about 5 percent of HGA's PCs; these will be chosen
by HGA's management based on the information stored on their hard
Mitigating Threats of Information Disclosure/Brokering
with the risk assessment's conclusions about its exposure to information-brokering
risks, and adopted most of the associated recommendations.
recommended that HGA improve its security awareness training (e.g.,
via mandatory refresher courses) and that it institute some form
of compliance audits. The training should be sure to stress the
penalties for noncompliance. It also suggested installing "screen
lock" software on PCs that automatically lock a PC after a
specified period of idle time in which no keystrokes have been entered;
unlocking the screen requires that the user enter a password or
reboot the system.
recommended that HGA modify its information-handling policies so
that employees would be required to store some kinds of disclosure-sensitive
information only on PC local hard disks (or floppies), but not on
the server. This would eliminate or reduce risks of LAN eavesdropping.
It was also recommended that an activity log be installed on the
server (and regularly reviewed). Moreover, it would avoid unnecessary
reliance on the server's access-control features, which are of uncertain
assurance. The assessment noted, however, that this strategy conflicts
with the desire to store most information on the server's disks
so that it is backed up routinely by COG personnel. (This could
be offset by assigning responsibility for someone other than the
PC owner to make backup copies.) Since the security habits of HGA's
PC users have generally been poor, the assessment also recommended
use of hard-disk encryption utilities to protect disclosure-sensitive
information on unattended PCs from browsing by unauthorized individuals.
Also, ways to encrypt information on the server's disks would be
recommended that HGA conduct a thorough review of the mainframe's
safeguards in these respects, and that it regularly review the mainframe
audit log, using a query package, with particular attention to records
that describe user accesses to HGA's employee master database.
Mitigating Network-Related Threats
recommended that HGA:
stronger I&A for dial-in access or, alternatively, that a restricted
version of the mail utility be provided for dial-in, which would
prevent a user from including files in outgoing mail messages;
- replace its current
modem pool with encrypting modems, and provide each dial-in
user with such a modem; and
- work with the mainframe
agency to install a similar encryption capability for server-to-mainframe
communications over the WAN.
previous risk assessment recommendations, HGA's management tasked
COG to analyze the costs, benefits, and impacts of addressing the
vulnerabilities identified in the risk assessment. HGA eventually
adopted some of the risk assessment's recommendations, while declining
others. In addition, HGA decided that its policy on handling time
and attendance information needed to be clarified, strengthened,
and elaborated, with the belief that implementing such a policy
would help reduce risks of Internet and dial-in eavesdropping. Thus,
HGA developed and issued a revised policy, stating that users are
individually responsible for ensuring that they do not transmit
disclosure-sensitive information outside of HGA's facilities via
e-mail or other means. It also prohibited them from examining or
transmitting e-mail containing such information during dial-in sessions
and developed and promulgated penalties for noncompliance.
has illustrated how many of the concepts described in previous chapters
might be applied in a federal agency. An integrated example concerning
a Hypothetical Government Agency (HGA) has been discussed and used
as the basis for examining a number of these concepts. HGA's distributed
system architecture and its uses were described. The time and attendance
application was considered in some detail.
some national and agency-level policies were referenced. Detailed
operational policies and procedures for computer systems were discussed
and related to these high-level policies. HGA assets and threats
were identified, and a detailed survey of selected safeguards, vulnerabilities,
and risk mitigation actions were presented. The safeguards included
a wide variety of procedural and automated techniques, and were
used to illustrate issues of assurance, compliance, security program
oversight, and inter-agency coordination.
effective computer security requires clear direction from upper
management. Upper management must assign security responsibilities
to organizational elements and individuals and must formulate or
elaborate the security policies that become the foundation for the
organization's security program. These policies must be based on
an understanding of the organization's mission priorities and the
assets and business operations necessary to fulfill them. They must
also be based on a pragmatic assessment of the threats against these
assets and operations. A critical element is assessment of threat
likelihoods. These are most accurate when derived from historical
data, but must also anticipate trends stimulated by emerging technologies.
A good security
program relies on an integrated, cost-effective collection of physical,
procedural, and automated controls. Cost-effectiveness requires
targeting these controls at the threats that pose the highest risks
while accepting other residual risks. The difficulty of applying
controls properly and in a consistent manner over time has been
the downfall of many security programs. This chapter has provided
numerous examples in which major security vulnerabilities arose
from a lack of assurance or compliance. Hence, periodic compliance
audits, examinations of the effectiveness of controls, and reassessments
of threats are essential to the success of any organization's security
While this chapter draws upon many actual systems, details and characteristics
were changed and merged. Although the chapter is arranged around
an agency, the case study could also apply to a large division or
office within an agency.
Technically, Systems Administrators may still have the ability to
do so. This highlights the importance of adequate managerial reviews,
auditing, and personnel background checks.
Although not discussed in this example, recognize that technical
"spoofing" can occur.
Some of the controls, such as auditing and access controls, play
an important role in many areas. The limited nature of this example,
however, prevents a broader discussion.
Note that, for the sake of brevity, the process of evaluating the
cost-effectiveness of various security controls is not specifically