Last Update: 12 Oct. 2001
Appendix B: Miscellaneous
(Stuff which I didn't know where to put)
The following template is used in this document for component analysis/auditing:
- Assurance: Documentation, Certification level (ITSEC, TCSEC), Physical security
- Accountability: Identification / authorisation, Audit Trail, Logging (detail, analysis & alerting tools/automation level)
- Accuracy: Integrity checking mechanisms
- Access Control: Discretionary Access Control, Secure system startup
- Object reuse
- Secure data exchange / communications: Network Peer entity authentication, Network Data integrity, Network Data confidentiality, Non-repudiation of origin / receipt, Network Access control
- Availability: Backup and restore, Prevention of Resource Abuse, Change/release management, Redundancy / Replication, Disaster Recovery
Actually, a much better checklist is included in the "Matrix" presentation.
In the U.S. the following laws should be considered during a risk analysis/security
incident handling. There are probably additional relevant laws (e.g. in different states,
or concerning civil liability) not listed here.
- Abuse of credit cards, account numbers, access codes, passwords (USC 1029, title 18)
- Accreditation Manual for Hospitals
- Banking Circular 177 from the Office of the Comptroller of the Currency
- Bulletin R-67 from the Federal Home Loan Bank
- Clinical Laboratory Information Act
- Computer Fraud and Abuse Act, 1986 (USC 1030)
- Computer Security Act, 1987 (Public Law 100-235).
- Copyright Violation (USC 506b, title 17)
- Electronic Funds Transfer (USC 1693n, title 15)
- Electronic Privacy Act, 1986 (USC 2701)
- Emergency Planning and Community Right-to-know Act, 1986 (3USC 300)
- Fair Credit Reporting Act
- Federal Procurement Regulations
- Foreign Corrupt Practices Act, 1977.
- Letter #161 from the National Credit Union Association
- Letter A-130 from the Office of Management and Budget (OMB)
- Privacy Act, 1974 (5USC 552a)
- Wire Fraud (USC 1341, title 18)
Within the European Community there is a Data Protection Directive (95/46/EC)
which controls how data may be collected, used, processed and to whom it may be
sent.
Privacy laws: Personal data is protected by Swiss Law. The VDSG (Vollzugsverordnung
zum Bundesgesetz über den Datenschutz) of 14.6.1993 specifies technical and
organisational measures necessary to protect personal data, based on the data privacy law,
Datenschutzgesetz Artikel 6,7,8,11,16,24 and 36.
Measures for Swiss government bodies are specified in Articles 20-23 and 34. Measures
for non government bodies are specified in Articles 8-12.
In addition, Swiss Law (Artikel 135, 197, Ziffer 3, 259, 261, 261bis und 305bis des
Schweizerischen Strafgesetzbuches) forbids incitement to racism, gambling, money
laundering or the use of, or distribution of, pornographic or violent material. This
includes electronic media such as the Internet.
More information can be obtained from the "Office of the Data Protection Commissioner" (mailto:info@dataprivacy.irlgov.ie). A few relevant laws are:
- Criminal Damage Act (1991)
- Data Protection Act (1988) (section 22 for illegal access to data, section for the data
controller's responsibilities)
- The Statute books: the Data Protection Act 1998 (ch. 29).
- The Electronics Communications Act 2000
- Regulation of Investigatory Powers Act 2000
- The Computer Misuse Act 1990 is also relevant under this section.
What ISO security relevant standards exist?
The standards are available on-line, for a fee. See http://www.itu.ch.
- X.400: Email standard or "message handling system", in two versions: 1984 & 1988. X.400 runs on the Application layer of the OSI model. Interoperability is problematic, since the standard is not tight enough. However, many enterprises use X.400 backbones and most proprietary email systems offer gateways to X.400.
- X.500: Enterprise directory services. The directory is a collection of systems that co-operate to provide a logical database about real-world objects. Users can retrieve/modify the directory, depending on their permissions, using a Directory User Agent (DUA). The information in the directory is called the Directory Information Base (DIB). The directory should support a wide range of applications. DSA = Directory Service Agent. X.519 specifies DAP, the Directory Access Protocol, for obtaining credentials.
- X.509: The ISO certificate standard is X.509 v3. A certificate is comprised of: Subject name, Subject attributes, Subject public key, Validity dates, Issuer name, Certificate serial number and Issuer signature. X.509 names are similar to X.400 mail addresses, but with a field for an Internet email address. The X.509 standard is used in S/MIME, SSL, S-HTTP, PEM and IPsec key management. X.509 defines a two-way peer-to-peer authentication scheme, with certification authorities?
- FTAM (File Transfer, Access and Management) is the OSI standard for remote file access.
- EDI (Electronic Data Interchange) is a standard for the exchange of computer-based business information. It is designed to handle specific messages such as bank transactions, invoices & orders etc. It is used by very large companies, since the entry-level costs are high.
- X.736: Security alarm report record.
- X.740: defines a standard for audit trail information?
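As an added example that is not part of the original document (nor of any ISO text), the following Python builds a skeleton X.509 v3 certificate in DER, with constructed names, dates and dummy algorithm/key/signature bytes, and then walks the structure to pull out exactly the fields the X.509 entry above lists: version, serial number, issuer name, validity dates, subject name, subject public key and issuer signature. It is a teaching aid showing where each field sits in the encoding; production code should parse certificates with a full ASN.1/X.509 library.

```python
def tlv(tag, body):
    """Encode one DER element, using the long length form when the body is >= 128 bytes."""
    if len(body) < 0x80:
        return bytes([tag, len(body)]) + body
    lb = len(body).to_bytes((len(body).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body

def der_tlv(buf, pos=0):
    """Decode the element at buf[pos]; return (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes that follow
        length, pos = int.from_bytes(buf[pos:pos + (length & 0x7F)], "big"), pos + (length & 0x7F)
    return tag, buf[pos:pos + length], pos + length

def children(value):  # (tag, value) pairs of the elements inside a SEQUENCE or SET body
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = der_tlv(value, pos)
        out.append((tag, val))
    return out

def name(cn):  # Name ::= SEQUENCE OF SET OF AttributeTypeAndValue; one commonName (OID 2.5.4.3)
    return tlv(0x30, tlv(0x31, tlv(0x30, tlv(0x06, b"\x55\x04\x03") + tlv(0x0C, cn.encode()))))

def common_name(name_der):  # reverse of name(): SEQUENCE -> SET -> SEQUENCE -> UTF8String value
    return children(children(children(name_der)[0][1])[0][1])[1][1].decode()

def build_certificate(serial, issuer, subject, not_before, not_after):
    """Constructed certificate: real layout, but dummy key and signature bytes."""
    alg = tlv(0x30, tlv(0x06, b"\x2A\x86\x48\x86\xF7\x0D\x01\x01\x0B"))  # sha256WithRSAEncryption
    tbs = tlv(0x30, tlv(0xA0, tlv(0x02, b"\x02"))                         # [0] version: 2 means v3
              + tlv(0x02, serial.to_bytes((serial.bit_length() + 8) // 8, "big"))  # serialNumber
              + alg + name(issuer)                                        # signature alg, issuer
              + tlv(0x30, tlv(0x17, not_before) + tlv(0x17, not_after))   # Validity (UTCTime pair)
              + name(subject)
              + tlv(0x30, alg + tlv(0x03, b"\x00" + b"\xAA" * 8))         # SubjectPublicKeyInfo
              + tlv(0xA3, tlv(0x30, b"")))                                # [3] extensions (v3 only)
    return tlv(0x30, tbs + alg + tlv(0x03, b"\x00" + b"\xBB" * 8))        # + issuer's signature

def certificate_fields(der):
    """Walk Certificate -> TBSCertificate and return the fields listed in the text."""
    tbs, _sig_alg, signature = [v for _, v in children(der_tlv(der)[1])]
    parts, version = children(tbs), 1
    if parts[0][0] == 0xA0:  # version is OPTIONAL; when it is absent the certificate is v1
        version, parts = children(parts[0][1])[0][1][0] + 1, parts[1:]
    not_before, not_after = [v.decode() for _, v in children(parts[3][1])]
    return {"version": version, "serial": int.from_bytes(parts[0][1], "big"),
            "issuer": common_name(parts[2][1]), "subject": common_name(parts[4][1]),
            "not_before": not_before, "not_after": not_after, "signature": signature[1:],
            "public_key": children(parts[5][1])[1][1][1:]}  # BIT STRING minus unused-bits byte
```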
Since TCP/IP is now the accepted protocol standard, several ISO standards designed for
OSI protocols are now being moved to TCP/IP:
- LDAP is a "lightweight" implementation of the X.500 DAP (see above).
POSIX.1 is the standardised programming API for access to system services.
POSIX.12 is the API for access to the GUI.
POSIX.? is the system administration commands standard.
The IDEA encryption algorithm is not in the public domain. The following text comes
directly from the patent holders:
Non commercial use of IDEA is free. The following examples (regarding PGP) should
clarify what we mean by commercial and non-commercial use
Here are some examples of commercial use of PGP:
- When PGP is used for signing and/or encrypting e-mail messages exchanged between two
corporations.
- When a consultant uses PGP for his communications with his client corporations.
- When a bank makes PGP available to its clients for telebanking and charges them
money for it (directly or indirectly).
- When you use the software you receive from a company for commercial purposes
(telebanking included).
Some examples of non commercial use:
- When an individual uses PGP for his private communications.
- When an individual obtains PGP on the Internet and uses it for telebanking (assuming
this is approved by the bank).
- When you use the software you receive from a company for private purposes
(telebanking excluded).
You may use IDEA freely within your software for non commercial use. If you include
IDEA in your software, it must include the following copyright statement:
Copyright and Licensing Statement
IDEA(tm) is a trademark of Ascom Systec AG. There is no license fee required for
non-commercial use. Commercial users of IDEA may obtain licensing information from Ascom
Systec AG.
e-mail: IDEA@ascom.ch
fax: ++41 64 56 59 54
For selling the software commercially a product license is required:
The PRODUCT LICENSE gives a software developer the right to implement IDEA in a software
product and to sell this product world-wide. With the PRODUCT LICENSE we supply a source
listing in C and a software manual. We charge an initial fee per company and a percentage
of sales of the software product or products (typically between .5 and 4 per cent of the
sales price, depending on the price and the importance of IDEA for the product).
For further information please do not hesitate to contact us.
Best regards,
Roland Weinhart, Ascom Systec Ltd, IDEA Licensing, Gewerbepark, CH-5506 Maegenwil,
Switzerland.
Phone ++41 64 56 59 54 Fax ++41 64 56 59 98
Professional espionage does exist. It has been shown (even on popular television) that the radiation given off by computer monitors can be picked up by sensors hundreds of meters away and used to construct an exact copy of the screen contents. Another method is placing a device inside the screen which monitors the video signals (removing the sync signals) and retransmits them externally to a vehicle (say) on the street. Since spooks have been at this for years, it is assumed that the necessary equipment is now available to professional spies.
Prevention: low-radiation monitors give off less signal to detect and are better for the user's health; shield buildings and locate sensitive monitors away from windows.
TEMPEST stands for Transient Electromagnetic Pulse Surveillance Technology and is the
US Government's program for evaluation of electronic equipment that is safe from
eavesdropping. Tempest equipment is not legal for civilian use. The requirements on
electromagnetic radiation for Tempest endorsement are defined in the classified document
NACSIM 5100A.
The following is a code of ethics suggested by the Computer Ethics Institute,
Washington, D.C, USA.
- Thou shalt not use a computer to harm other people.
- Thou shalt not interfere with other people's computer work.
- Thou shalt not snoop around in other people's computer files.
- Thou shalt not use a computer to steal.
- Thou shalt not use a computer to bear false witness.
- Thou shalt not copy or use proprietary software for which you have not paid.
- Thou shalt not use other people's computer resources without authorisation or proper
compensation.
- Thou shalt not appropriate other people's intellectual output.
- Thou shalt think about the social consequences of the program you are writing or the
system you are designing.
- Thou shalt always use a computer in ways that ensure consideration and respect for your fellow human being.
- The printer manager cannot browse printers in other domains (as guest for example),
however they can be mounted on the command line (e.g. in a logon script):
net use lpt3: \\MYCOMPUTER\MYPRINTER /USER:Guest
- An NT server cannot share Netware client printers.
- Many GUI options for setting up NT are not available on the command line. For example, in Account policy:
Options only available via the command line: Force logoff.
Options only available via the graphical interface: Account lockout options, Force disconnect when logon hours expire, Users must logon to change password.
- NT backup can only backup the local machine and has no on-line indices, primitive
logging options and primitive error handling.
- No NIS+, NIS, NFS or Kerberos clients are delivered with NT.
- DCE is far from fully implemented (only RPC is available).
- Using NT as an LPD print server: install a "Generic / Text Only" printer driver and connect it to the local printer. UNIX clients can then connect to it and send jobs in the format that the printer understands. Otherwise NT will try to translate, so that if the UNIX client sends PostScript, NT will print the PostScript code rather than let it be interpreted by the printer!
- NT Workstation cannot print to UNIX printer clients.
- Colorado tape streamers (i.e. IDE interface) are not supported.
- Any password checking libs available?
- Get a decent 3rd party quota software.
- Clients: Workstations, Laptops, PCs, Character Terminals, X-Terminals.
- Naming Services Servers: DNS, DHCP, WINS, NIS, NIS+, Kerberos (& DCE), Novell, Lan
Manager (NT or OS/2) Logon servers.
- Resources Servers : File, Printer, Database, WWW, Application servers.
- Gateways: Emulation / application gateways & Firewalls (filters, proxies and
encryption gateways).
- Network components: Routers, bridges, hubs, switches, repeaters, etc.
I use an NT4 Laptop a lot and need a reliable way to synchronise files with my main Workstation.
Microsoft's "Briefcase", delivered with Win95 and NT4, is pretty good, but would sometimes hang, could not handle certain Excel files, on rare occasions got completely confused, and always did some kind of timeout when opening directories in the Briefcase offline - so offline access could be dog slow.
I have hundreds of Megabytes in a hundred folders to be synchronised, so I had a look at some other products. However, testing some of them caused me to lose a few files due to misunderstandings. I recommend you set up some test directories and use those.
Ease of use is a key requirement, the software must synchronise files as we
"expect" (which is not trivial and needs a good GUI).
Summary: I've not found anything that provides the same functionality as Briefcase; most are pure directory sync or file sync products (and only for one directory or tree).
Typical search words used on the sites below: "directory compare",
"directory sync", "file sync"
- www.tucows.com:
- SynchronX: Couldn't handle several directories, can't select the action per file which it thinks should be updated, not enough detail, no drag and drop. Did have an understandable GUI and could add sync items to the Desktop.
- TreeComp V3.5: Worked for a while, but then got constant error "R:\ not found" (R was the workstation
directory mounted), could no longer change directories. GUI is pretty good.
- Directory Monitor V4.1: unstable, functionality not enough.
- www.shareware.com (search for "file
sync") This site only lists zip files and does not offer a summary of tools, to help
before you decide which to download:
- FileTiger 1.11: Is more like a File Explorer, not briefcase.
- www.download.com ("directory compare"
and "briefcase", got a list of 16 products)
- Directory Compare V1.4: Not bad, not enough like Briefcase, can only compare one
tree/directory.
- Araxis Merge 99 Professional V5, $149: not enough like Briefcase, can only compare one
tree/directory.
- Briefcase Plus V1.2: Couldn't get it to work.
- Comparator V2.0, free: is simple, but works quite well. GUI in English,
French, German.
Can only compare one tree/directory. I'm going to try this one for a while.
- MirrorTree, free: Difficult to use.