Most of the measures described in this section are concerned only with the protection of communication links against attack by unauthorised persons. Few of the techniques safeguard against illicit activities by authorised users who misuse their privilege. This section gives guidance on the acceptability of various communications methods and services for the transfer of commercially sensitive information. The methods recommended do not necessarily give complete protection; absolute security is never feasible.
This section addresses the issues of computer systems connected by networks, either to other computers for exchange of information or to enable remote access where the users of computer-based applications are remote from the service or information provider.
The advice and guidance offered herein are applicable to networks of mainframes, personal computers and terminals, or any combination of them.
The following general policies apply to every case of electronic transfer of privacy marked information.
The originator shall ensure that information to be communicated is correctly marked in accordance with the Information Security Code.
It is the responsibility of the author and originator of privacy marked or commercially sensitive information communicated via electronic means to ensure that it is always correctly safeguarded.
The originator shall ensure that IN STRICTEST CONFIDENCE information is sent only to a specific authorised recipient.
HIGH IMPACT or IN STRICTEST CONFIDENCE information shall not be transmitted without the protection of an encryption system approved by Director of Security and Investigation except where one of the following is used:
IN CONFIDENCE information shall not be transmitted without the protection of an approved encryption system unless the communication is strongly authenticated, such as by:
Privacy marked or sensitive information shall not be transmitted between systems using Electronic Mail Systems that have not been approved as suitable for that use by the Director of Security and Investigation.
Where special justification exists, for example in emergencies, IN STRICTEST CONFIDENCE information may exceptionally be transmitted according to the conditions for IN CONFIDENCE material. In these circumstances, prior authority from a person in the Senior Management Group shall be obtained on each occasion.
The connection of a system of computers by means of a network forms the basis for bilateral agreements and practices between those responsible for the security of the computers and those responsible for the security of the network. A failure by any of those involved to correctly secure the equipment for which they are responsible may result in a failure of security of the entire network.
It is the responsibility of the owners of all computer systems connected to a network to ensure that their security is not compromised by the network techniques used, or by any subsequent changes to the network configuration and topology. Before allowing connection of a computer system to a LAN or other network, the owners of the business processes entrusted to that system must satisfy themselves that their policy for security will not be violated.
Connection must be refused by the computer system administrator on behalf of the business process owner if the networking arrangements are or become inconsistent with the security policy. These considerations apply to any network which permits access to several computer systems via a common telecommunications facility (whether all users need such access or not).
The connection of any computer system to a network introduces a number of additional threats to the security of that system, to the security of the network and to any other computer system sharing the network. By far the greatest threat to a computer connected to a network is the possibility of unauthorised access from other network users. Other threats include the accidental or unintentional distribution of privacy marked information across the network.
The vulnerability of the network increases because the authority to grant users permission to access the network is given to the administrator of the connected computer system. If that computer were already connected to another network, for example, the number of potential users might increase dramatically.
The administrators of a computer system connected to networks shall ensure that the network arrangements do not contravene the security policy of the business processes or applications being supported by their system.
Networks shall not be joined together unless it can be shown that the resulting network does not contravene the security policy of either network or of the systems connected to either network.
The administrators of a computer system connected to networks shall ensure that the security administration of their system does not contravene the security policy of the network to which their system is connected.
Owners of systems connected to a network have a level of expectation about the services that the network provides. For example, network users may expect that the service:
Providers of networks that claim to provide security functions shall declare to their users and customers the protective measures the network offers and the conditions placed on users of the network, and shall make available a document describing these features and their application.
The following means of computer-to-computer and user-to-computer access are commonly encountered:
Private Circuits are often perceived as being secure because of their immunity to logical attack, that is, hacking. They are not necessarily physically secure because their fixed routing may make them vulnerable to direct interception. Typically, Private Circuits may be routed via the distribution frame of the local exchange and the building serving the user. Unless otherwise protected, the information on the Private Circuit is vulnerable to interception at these points.
The PSTN is open to public access and is the favoured medium for unauthorised access world-wide. Because Calling Line Identification (CLI) is not currently provided as a basic facility, it is not easy to identify the origin of connection attempts. For this reason, dial-up PSTN access to BT systems containing sensitive data is forbidden unless adequate precautions are taken.
The connection of computers to the PSTN for the purposes of outward-bound connections to information service providers is strongly discouraged unless it can be demonstrated that the connection equipment cannot be subverted or incorrectly configured so as to permit inward-bound connections.
BT computer systems containing or processing sensitive information shall not be connected to the PSTN unless adequate precautions are taken to protect the system from unauthorised access.
Worldwide, there are many different data networks available to the public. The following comments refer specifically to BT's UK data network known as PSS.
In general, there are two methods by which a connection to PSS can be achieved:
If the user gains access to the PSS by dial connection to a PAD, he identifies himself to the network by means of a password (sometimes called the Network User Identity, NUI). This is, in turn, checked by the network management software to find the corresponding NUA of the user. Because the NUA does not identify a particular line or location, security may be compromised if a password is discovered by other people.
Use of the following facilities can decrease the vulnerability of the PSS to attack:
Access to computers and computer-to-computer communications via LANs may present a substantial risk to security. Most LANs are implemented using a shared transmission medium which broadcasts all the signals to most or all of the attached nodes. Some LANs support Closed User Groups (CUGs) in a manner analogous to the PSS and so may also provide some call origination information. The relative ease of user access to LAN control software and hardware makes dependence on the security of any of these facilities unwise. The situation is especially aggravated where LANs are connected by gateways to one another, the PSS, or to the PSTN. In each case the risk of unauthorised access is increased enormously.
See earlier CSM Policies in this section regarding the interconnection of networks. Data on LANs are generally regarded as being at risk because:
An Exclusive LAN is one where its security depends on:
An Access-controlled LAN is one which incorporates special precautions to restrict access between users and resources. All resources accessible from equipment under a user's control, for example a dumb terminal, PC or workstation, are protected by a strong authentication mechanism. Strong authentication is an authentication mechanism that is resilient to eavesdropping and masquerade attacks in the context of the communications network between user and system. Authentication of connections to LAN nodes may be implemented using systems based on Kerberos. (Further advice may be obtained from D&P Data Security Laboratories, see Section 11).
Where there may be a number of separate LAN segments interconnected by bridges or gateways, each individual LAN segment must comply with the access control policy.
An Ordinary LAN is one which does not meet the security criteria for an Exclusive or an Access-controlled LAN.
In general the following applies:
LAN Type            Usage
Exclusive           In Strictest Confidence
Access Controlled   In Confidence
Ordinary            Non-Privacy marked

Note that use of a specific LAN architecture does not negate the use of other mandatory features which may be required for handling sensitive information.
The security of a LAN is a complex issue, especially when the mechanisms for processing, storing, or transmitting sensitive information do not all offer the same level of security. In this case contact the Commercial Security Unit for further guidance.
A LAN shall be characterised as one of Exclusive, Access Controlled, or Ordinary so that the owners, administrators, and users, are aware of the security controls that must be enforced.
Four major threats exist to networked systems:
Much sensitive information (access information as well as user data) can be gained from illicit interception of telecommunications signals by tapping and bugging. These activities are usually committed against local lines rather than the main network. This is because local plant is more accessible to illicit interception and there is little or no confusion from other multiplexed signals.
All forms of radio, microwave, infrared and other beam transmission techniques are also vulnerable to interception.
Four classes of countermeasures may be brought to bear to reduce the risk of information disclosure. These are:
Depending on the architecture of the chosen network, information of varying sensitivity may be in transit simultaneously across a single channel. Under these circumstances, there needs to be a clear distinction between the levels of sensitivity of the information. This can be achieved by either:
Because any network may be vulnerable to eavesdropping, special care must be taken when transmitting highly sensitive information.
Many networks are located in buildings that are considerably less secure than purpose-built computer centres. When planning the installation of the network, the guidelines and suggestions detailed in the section on Electronic Systems Installations should be followed as far as possible.
On these occasions, where it is operationally necessary to install networks in insecure buildings, including those to which members of the public have access, the following additional points must be considered:
The use of network monitoring equipment must be strictly controlled.
Communications lines, personal computers, Visual Display Units (VDUs) and printers may radiate significant amounts of radio frequency energy and it is possible for data displayed on a screen or being printed to be intercepted. TEMPEST is the name of the technology that enables this unintentional radio emission to be reduced to acceptable proportions. In practice the signals can only be received over a short distance and identifying one particular VDU/printer among several others is difficult. Although the threat may be real in some military situations, for the commercial world it must be considered a threat only when the information being handled is extremely sensitive.
For specialist advice on the applicability and methods of TEMPEST protection, refer to Section 10.
The use of cryptographic techniques is not limited in its application to the protection of communications networks. This topic is covered in the Cryptographic Protection section.
Connection requests across a network should be verified as to their authenticity. The chosen authentication mechanism should not place undue or unwarranted trust in the network to carry the authentication information accurately or in secrecy unless the network has been proved able to carry out that function. Care should be taken to ensure that the chosen mechanisms for user authentication are sufficiently strong and that they are managed correctly.
It is important to realise that user authentication information is carried across the network and should be appropriately protected, that is, with the same rigour as that afforded to the information that it protects. If cryptographic methods are used to facilitate access control, then the algorithm, configuration and key management must be approved by the Director of Security and Investigation. Where cryptographic keys are shared, a method of personal authentication should be used in addition.
If a strong method of authentication (e.g. a one-time password) is used, then this may be adequate as the sole means of authentication. Otherwise, in addition to personal authentication, authentication of the recipient's point of entry to the communications network is required. To be acceptable this must reliably identify the recipient as being at a fixed physical location. This location must be authenticated as one at which the recipient may receive the information. Suitable methods are dependent on the type of connection and are as follows:
The identity of network users shall be authenticated. Where the method of authentication is weak, strong technical methods shall be employed to determine the point of access of the originator into the network.
The security of dial in access may be enhanced by providing an 'Automatic Dialback' facility whereby the caller is forced, at the outset of a call, to declare his identity to the system. The equipment terminates the call and dials the caller on a different outgoing-only line using a telephone number it associates with the caller's declared identity. This prevents access from arbitrary telephone locations and offers an audit and accountability mechanism.
Some types of dialback device may be defeated by quite simple techniques, and therefore do not give the intended protection. Only the system administrator should be able to modify the list of authorised telephone numbers stored in the dialback equipment. Dialback systems used to protect BT's commercially sensitive information must be approved by the Director of Security and Investigation.
In some systems manual dialback may be appropriate. However, whether dialback is automatic or manual, a full log of each access should be maintained. Because dialback units only provide authentication of the point of entry into the Public Switched Telephone Network (PSTN), other measures should be taken for High Impact Systems.
Dialback techniques can be rendered ineffective if the exchange offers a Call Diversion facility.
Where the method of network user authentication is weak, the point of access into the network shall be established using a dialback unit that has been approved by the Director of Security and Investigation.
Special measures may need to be taken to ensure that information is not lost or corrupted in transit across a network. For example, message sequence numbers can be used to detect the accidental or deliberate deletion or insertion of entire blocks of information in the information stream.
Accidental modification of the information in transit can be detected by the use of comparatively simple techniques, for example checksums or Cyclic Redundancy Checks (CRCs). Where it is anticipated that deliberate attempts will be made to modify information then cryptographic techniques may be appropriate.
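As an added illustration (not part of the original document), the following Python receiver combines the three mechanisms the two paragraphs above name: sequence numbers to detect deleted or replayed blocks, a CRC-32 for accidental corruption, and a keyed HMAC (one of the cryptographic techniques meant) for deliberate modification. The block layout and the shared key are constructed for this example; the point shown is that a CRC can be recomputed by anyone who alters a block, while the HMAC cannot be recomputed without the key.

```python
import hashlib
import hmac
import struct
import zlib

# Constructed demonstration key; assumed to be held by both ends of the link.
SHARED_KEY = b"constructed-demo-key-not-a-real-secret"

def frame(seq: int, payload: bytes, key: bytes) -> bytes:
    """Constructed block layout: 4-byte sequence number, payload, CRC-32, HMAC-SHA256."""
    body = struct.pack(">I", seq) + payload
    crc = struct.pack(">I", zlib.crc32(body) & 0xFFFFFFFF)
    tag = hmac.new(key, body, hashlib.sha256).digest()
    return body + crc + tag

def check_frame(block: bytes, key: bytes) -> dict:
    """Recompute both checks for one block; the CRC covers noise, the HMAC covers intent."""
    body, crc, tag = block[:-36], block[-36:-32], block[-32:]
    expected_tag = hmac.new(key, body, hashlib.sha256).digest()
    return {
        "seq": struct.unpack(">I", body[:4])[0],
        "crc_ok": (zlib.crc32(body) & 0xFFFFFFFF) == struct.unpack(">I", crc)[0],
        "mac_ok": hmac.compare_digest(expected_tag, tag),
    }

def receive(blocks, key, expected_seq=0):
    """Walk the stream in order, reporting gaps, replays and failed checks."""
    events = []
    for block in blocks:
        info = check_frame(block, key)
        seq = info["seq"]
        if seq < expected_seq:            # already seen: duplicate or replayed block
            events.append(("replayed", seq))
            continue
        if seq > expected_seq:            # one or more blocks deleted in transit
            events.append(("missing", list(range(expected_seq, seq))))
        expected_seq = seq + 1
        if not info["crc_ok"]:
            events.append(("crc_failed", seq))
        elif not info["mac_ok"]:          # CRC consistent but tag wrong: deliberate edit
            events.append(("mac_failed", seq))
        else:
            events.append(("ok", seq))
    return events

def flip_bit(block: bytes, byte_index: int) -> bytes:
    """Simulate line noise: one payload bit changes, CRC and tag are left alone."""
    b = bytearray(block)
    b[byte_index] ^= 0x01
    return bytes(b)

def tamper_recompute_crc(block: bytes, new_payload: bytes) -> bytes:
    """Simulate a deliberate edit by a party without the key: CRC fixed up, old tag reused."""
    seq = struct.unpack(">I", block[:4])[0]
    body = struct.pack(">I", seq) + new_payload
    crc = struct.pack(">I", zlib.crc32(body) & 0xFFFFFFFF)
    return body + crc + block[-32:]

def demo():
    """Constructed stream: block 1 lost, block 2 corrupted, block 3 altered, block 0 replayed."""
    payloads = [b"block zero", b"block one", b"block two", b"block three"]
    stream = [frame(i, p, SHARED_KEY) for i, p in enumerate(payloads)]
    del stream[1]                                              # deletion of a whole block
    stream[1] = flip_bit(stream[1], 6)                         # accidental corruption of block 2
    stream[2] = tamper_recompute_crc(stream[2], b"block 3!!")  # deliberate change to block 3
    stream.append(stream[0])                                   # block 0 inserted again
    return receive(stream, SHARED_KEY)
```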
Cryptographic techniques may be used to prove:
In the design of systems where proof of origin of a message must be ascertained, Digital Signature techniques shall be considered and documented.
In the design of systems where it is necessary to prove that the intended recipient has received information, cryptographic techniques to manufacture an incontrovertible receipt note shall be considered and documented.
In the design of systems where there is a requirement to prove the identity of the origin of data then cryptographic techniques shall be considered and documented.
In the office environment there is generally no need to provide fallback communication systems, as the standard response time for fault correction is adequate for most requirements. However, for systems which use private circuits or the PSS as the prime means of communication, it is worth considering using the PSTN as a fallback for non-sensitive data, provided that the PSTN connection is not made permanent.
At purpose-built computer centres the situation is somewhat different, as most systems would become useless in the event of loss of their communications links. Some link redundancy is generally necessary to protect against this. Communication links that are provisioned as backup should, if possible, be terminated on different hardware in the system and routed via different cable ducts and transmission routes, so as to minimise the danger of loss of both links in the event of a hardware failure.
In the design of systems, measures shall be taken to ensure that the availability of the network satisfies the system's requirement.
Modern encryption techniques are regarded as offering a formidable barrier to any adversary and probably an insurmountable barrier unless substantial computing power is available or the key and algorithm are compromised.
The use of cryptographic techniques can contribute significantly to security by offering strong mechanisms to:
Any cryptographic techniques or encryption systems selected to safeguard BT information shall have been approved by the Director of Security and Investigation prior to their use.
There are considerable risks associated with current electronic mail systems. In particular, data may be forged, altered, redirected or intercepted. Although techniques are being developed to solve many of these problems, users of electronic mail systems should be aware of their present limitations. The advice given here is for guidance and is intended to highlight areas of concern. In the future specific policies will be produced to cover electronic mail security.
Currently, most systems authenticate users by means of User IDs and passwords. This is not a strong means of authenticating users. Electronic mail systems should not be used as a means of providing authorisation to other individuals for carrying out tasks unless they have been specified, designed and installed for that purpose. For example, it should not be possible to requisition goods on the basis of an uncorroborated electronic mail message. At present, in the UK, a handwritten signature is a legally-binding proof of authorisation. Electronic mail systems using weak authentication do not offer the required level of proof and assurance of the origination of a message. Designers of electronic mail systems should look at currently-available technologies which offer scope for proof of origination.
Without appropriate coding techniques, messages may easily be intercepted and modified or replayed. Designers of systems should ensure that the threats are understood and that appropriate countermeasures are adopted. Digital signatures can be used very effectively to ensure the integrity and authenticity of a message.
Labelling is a way of attaching a marker to a message, file or segment of data to indicate a specific attribute. Often the attribute is the sensitivity of the information. Systems which make use of labels are able to utilise sophisticated access methods for permitting access to data. An example might be a system which permits IN CONFIDENCE material to be redirected to a colleague for action, perhaps because of holiday arrangements, but which does not permit STAFF IN CONFIDENCE material to be so redirected.
Automatic electronic mail redirection should not be used unless it is possible for the message originator to know that message redirection is in operation.
Where it is operationally necessary for another person to use an electronic mail account for a short time, it is imperative that a handover is arranged in a manner which ensures: