Information security and
crime prevention
IT security and crime prevention methods
Explanations
| Introduction: goals and objectives |
This document gives an introduction to what an investigator needs to know about
Information Technology (IT) security measures in order to be able to carry out
investigations in an IT environment and to give advice in crime prevention methods.
Information Technology plays an important and vital role in all sectors of
society. As a consequence, security has become an essential component of IT.
However, it is a complex subject and the appropriate measures will often depend,
to a large extent, on the type and location of the IT equipment.
The potential security threats and risks have to be carefully assessed in every
situation. It is absolutely vital that all concerned are made aware of the threats
and risks that may affect them, and over which they have control. Only then
will they fully understand and apply the appropriate security procedures.
This report attempts to explain the various threats and risks posed by criminal
activity in IT environments and offers advice about security procedures and
computer crime prevention methods. It is not intended to be a comprehensive
study. Threats to information systems may arise from intentional or unintentional
acts and may come from internal or external sources. This guide will address
only threats, made with criminal intent, to confidentiality and integrity. Availability
security functions will only be addressed if they have an effect on confidentiality
and/or integrity. Examples of prevention methods will be given.
The prevention methods in this report can be used to prevent crime in companies,
but can also be used to protect private computer systems.
| 1. IT security: definitions |
CONFIDENTIALITY (Secrecy)
Information and other resources are disclosed only to those 'users'
(persons, entities or processes) who are authorised to have access to them.
INTEGRITY
Information and other resources are modified only by those 'users'
who have the right to do so. The accuracy and completeness of the data and
information is also guaranteed.
AVAILABILITY
Authorised 'users' can access information and other resources
when needed.
THREAT
A 'threat' is a potential undesirable incident.
RISK
A 'risk' is the estimated probability that a 'threat'
will be activated.
| 2. Information processing and IT security |
In order to protect the data held on a computer system, various steps have
to be taken: individual users should only be able to read the information which
is needed to do their job; they should only be able to modify information which
is specifically their job to modify. Finally, some information should not be
accessible at all for individual users, e.g. the various log records.
In simple terms, information processing involves the following types of operation:
- READ/CREATE/MODIFY/DELETE information
- TRANSPORT (in one way or another) of information
- STORE information (on computer 'media' to keep it somewhere).
i. READ/CREATE/MODIFY/DELETE
Information is 'Read/Created/Modified/Deleted' by a 'User'.
A 'User' is a person or a process (e.g. a computer program). Authorisation
to 'Read' information is a question of confidentiality while 'Create/Modify/Delete'
is primarily a question of integrity.
ii. TRANSPORT
One of the simplest ways of 'transporting' information is the internal
transport between the keyboard, the memory and the hard disk in a Personal Computer.
Another is the external 'transport' of a diskette from one place to
another. Information can also be 'transported' using a 'Local
Area Network' (LAN) and/or a 'Wide Area Network' (WAN). Insecure
'transport' affects both confidentiality and integrity.
A special kind of undesirable 'transport' is 'Electronic Emission'
(see below).
iii. STORE information
Once the information has been 'stored' on some kind of media (diskettes,
tapes etc.), it may become the target of unauthorized activities which will
have an effect on the confidentiality and/or integrity of the information.
| 3. Important IT security functions |
As well as knowledge of computer architecture, the investigator also needs
to be familiar with a number of important IT security functions and organizational
matters if she/he is to be able to give advice on prevention methods and conduct
investigations.
Some important functions are:
- Information classification
- Documentation rules
- Administration and personnel
- User Identification and Authorisation
- Logging
- Back-up
- Firewalls
- Intrusion Detection System (IDS)
- Incident Handling (IH)
| 3.1. Information classification |
It is essential to classify the information according to the appropriate level
of confidentiality, e.g. 'open', 'confidential', 'secret'
or 'top secret'. Only then will it be possible to apply the most effective
security measures. The classification should be carried out by the management
or by the 'information owner'.
| 3.2. Documentation rules |
All systems, but especially the 'Identification and Authorisation system',
'Information Classification system' and 'Application systems',
must be fully documented.
IT security policy and the security rules for the organisation as well as
details of contingency plans in the event of a major incident should be documented
in a 'Security Handbook'. The chapter on IT security should have separate sections
for each user category, e.g. 'Management', 'System Administrators', 'End Users'
etc.
Create a checklist with guidelines concerning the actions which have to be
taken in case of an incident (e.g. immediate reaction, who to contact). See
chapter 'Incident Handling'.
| 3.3. Administration and personnel |
Success in information security work depends first and foremost on developing
good basic working practices and establishing procedures to ensure that they
are maintained. It is also important to create a security-conscious atmosphere
and establish a disciplined approach.
If confidential information is to be handled, it is essential that the people
chosen for the job are absolutely reliable. They should be security screened
to a level equal to the highest level of confidential information they are likely
to be asked to work on. Access to information should be restricted to that which
the individual 'needs to know' to do his job. Particularly sensitive material
should be split into sections that only authorised staff can handle; no member
of staff should have access to all the information.
Furthermore, security measures will only be effective if staff are properly
trained. It is essential that they understand the problem. This can be achieved
with in-house training. The individual users must be trained how to use the
network, how to handle confidential information, making back-ups etc. Employees
can be taught what to do to counter certain threats, what they should not do,
whom they can call and where they can get help. It is also very important to
encourage employees to report incidents so that steps can be taken to prevent
any further damage.
New or temporary employees should be given introductory training, during which
data security and data integrity can be explained. It might also be useful to
consider including a clause on security and confidentiality obligations in employees'
contracts.
(a) Management responsibilities
To achieve functional and cost-effective IT security, a number of initial steps
must be taken by the management:
Risk analysis - What are the threats and what is the risk that they
will be activated? Threats and risks, acceptable or unacceptable, vary between
different organizations. It is important to analyse the risks to make it possible
for the management to form a policy with their security intentions.
Policy - There must be an Information security policy written and approved
by management. No management approved policy means no resources. It should include
the main security targets, information classification principles, responsible
persons, and principles to reach the targets.
Security plan - A plan has to be made to define how the targets and the
intentions in the policy document should be realised. A priority list must be
set up because it may not be possible to realise everything in the policy at
the same time. The plan is a living document and has to be scrutinised by the
IT security officer.
Security architecture - With the risk analysis, the policy and the
plan as a base, security architecture must be chosen. Security architecture
is a high level description of technical security functions and organisational
needs to fulfil the security demands.
Implementation - With the security architecture as a base, different
security functions and products must be selected to implement the security architecture.
The main points requiring attention are:
- All senior management, and not just the computer security manager, should
be sufficiently familiar with the computer systems in use, to enable them
to know what is going on and why.
- The role of the system manager is crucial. He/she must be of the highest
degree of integrity, and sufficiently computer literate to be able to administer
the system in a secure and responsible manner. The system manager access level
should be restricted to the minimum number of staff required. However it must
be possible for the IT security manager to check on the system managers
activities.
- The only way of establishing how a problem has occurred, whether the origin
is accidental or deliberate, is to examine the logging information stored
on the computer. (One of the reasons for restricting privileges is that the
logging information of the system is available at this level). Analysis of
this information should show when, where and how the problem occurred. In
some cases careful examination will also indicate who was responsible. It
is essential therefore that the logging capabilities of the particular system
are fully understood and utilised. If the logging functions on the system
are inadequate, consideration should be given to acquiring suitable software.
(b) User responsibilities
Users should be given specific guidelines about what they should do - and
more importantly - what they should not do. These guidelines should be distributed
in written form, and signed for. This will counter the defence that they were
unaware of the contents of the guidelines and at the same time provide the investigator
with written proof. Specimen guidelines are given below. They are certainly
not exhaustive and others can be added to take account of particular circumstances.
- Do not use any computer equipment without permission.
- Do not try to access information unless you know you are authorised to
do so.
- Do not alter any information on a computer system unless you know you are
authorised to do so. (It is also important to provide a clear written statement
of what information each user is allowed to access, to whom that information
may be disclosed and what action will be taken if the rules are broken.)
- Do not use a company or authority computer for personal matters without
permission.
- Do not leave a working computer unattended, without using security options
that demand retyping a password (e.g. screen saver password).
- Make sure you know what to do in the event of a virus being discovered
on the system. Use virus protection programs.
- Be aware of malicious program code, when loading files, mails etc. from
the internet or other media.
- Keep your password and user-ID confidential.
- Do not allow anyone else to use your password. (If people like engineers
need access to the system, they should be referred to the system manager.)
- Do not use anyone else's password.
- Remember that anything done on the system using your ID and password can
be your responsibility.
| 3.4. User identification and authorisation |
Access to a computer can be restricted by means of controls based on various
kinds of 'Identification and Authorisation' systems.
Identification is a two-step function: (a) to identify the user and
(b) to authenticate (validate) the identity, i.e. confirm that it is genuine.
The simplest systems rely on passwords only. More sophisticated systems use
cards (e.g. 'SmartCard') and/or 'biometric' methods in combination
with passwords.
3.4.1. Identification
(a) Password systems
These give some measure of protection against casual browsing of information,
but will rarely stop a determined criminal. A computer password acts like a
key to a computer. Allowing several people to use the same password is like
everyone using the same key.
Passwords should:
- Be issued to an individual and kept confidential; they should not be shared
with anyone (the golden rule is ONE PERSON, ONE PASSWORD). Should a temporary
user need access to a system, it is usually fairly simple to add him to the list
of authorised users; once the temporary user has finished his work, his user-ID
must be deleted from the system.
- Be distinct from the user-ID.
- Ideally be:
- alphanumeric and
- at least six characters long.
- Be changed regularly, at least every 30 days. It is possible to warn the
user automatically when his password expires. To ensure that he enters a new
one, he will not be able to enter the system after the expiration date, although
he may be allowed a limited number of 'grace' log-ins.
- Be properly managed. This will involve:
- Using a password history list, giving all the passwords used
in the past year or two. New passwords will be checked against the list
and not accepted if they have already been used.
- Making a list of frequently used passwords such as names, brands and
other words that are easy to guess and therefore not suitable as passwords.
This list will be used in the same way as the history list, except that
new passwords will not be added; only the system manager will be able
to change the list. Some systems conform to these standards and generate
passwords automatically.
- Be removed immediately if an employee leaves the organisation or gives
notice of leaving.
Last but not least, care should be taken with the password used for remote
maintenance. Standard (default) passwords, which are often the same on many
systems and are used to get access for maintenance purposes, should always
be avoided.
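The password rules listed above, expressed as a checker that can be run against a proposed password and an account. This is an added example, not code from the original document: the parameter values (six characters, 30 days, three grace log-ins), the forbidden-word list, the sample account and the use of SHA-256 digests in place of a proper slow password hash are all assumptions chosen for illustration.

```python
"""Password-policy checker.

Added example, not code from the original document: it implements the rules
listed above (distinct from the user-ID, alphanumeric, at least six characters,
not in the history list, not in the system manager's list of easily guessed
words, changed at least every 30 days with a limited number of grace log-ins).
The parameter values, the forbidden-word list and the sample account are
assumptions chosen for illustration.
"""
import hashlib
from dataclasses import dataclass, field
from datetime import datetime, timedelta

MIN_LENGTH = 6
MAX_AGE = timedelta(days=30)      # "at least every 30 days"
GRACE_LOGINS = 3                  # assumed number of grace log-ins after expiry

# Constructed list of easily guessed words; only the system manager changes it.
FORBIDDEN_WORDS = {"password", "secret", "acme", "london", "qwerty"}


def _digest(password):
    # Store digests, not passwords. A real system would use a salted, slow
    # password hash (bcrypt, scrypt, Argon2); SHA-256 keeps this example
    # dependency-free.
    return hashlib.sha256(password.encode()).hexdigest()


@dataclass
class Account:
    user_id: str
    digest: str                                   # digest of the current password
    changed_at: datetime
    history: list = field(default_factory=list)   # digests of past passwords
    grace_used: int = 0


def password_problems(user_id, candidate, history):
    """Return the policy rules a proposed password violates (empty list = accepted)."""
    problems = []
    if candidate.lower() == user_id.lower():
        problems.append("same as user-ID")
    if len(candidate) < MIN_LENGTH:
        problems.append("shorter than %d characters" % MIN_LENGTH)
    has_letter = any(c.isalpha() for c in candidate)
    has_digit = any(c.isdigit() for c in candidate)
    if not (has_letter and has_digit):
        problems.append("not alphanumeric (needs both letters and digits)")
    if _digest(candidate) in history:
        problems.append("already used (history list)")
    if candidate.lower() in FORBIDDEN_WORDS:
        problems.append("on the list of easily guessed passwords")
    return problems


def change_password(account, candidate, now):
    """Apply the policy; on success rotate the password and reset the expiry clock."""
    problems = password_problems(account.user_id, candidate, account.history)
    if problems:
        return problems
    account.history.append(account.digest)
    account.digest = _digest(candidate)
    account.changed_at = now
    account.grace_used = 0
    return []


def login(account, password, now):
    """Return 'denied', 'ok', 'ok-grace' (expired, must change now) or 'expired'."""
    if _digest(password) != account.digest:
        return "denied"
    if now - account.changed_at <= MAX_AGE:
        return "ok"
    if account.grace_used < GRACE_LOGINS:
        account.grace_used += 1
        return "ok-grace"
    return "expired"


def demo():
    """Walk one constructed account through the policy; returns the outcomes."""
    acct = Account("jsmith", _digest("Tq4vLp9x"), datetime(2000, 1, 1))
    return {
        "reuse": password_problems(acct.user_id, "Tq4vLp9x", [acct.digest]),
        "weak": password_problems(acct.user_id, "london", []),
        "good": change_password(acct, "Rb7kM2ws", datetime(2000, 1, 10)),
        "day20": login(acct, "Rb7kM2ws", datetime(2000, 1, 30)),
        "day40": [login(acct, "Rb7kM2ws", datetime(2000, 2, 19)) for _ in range(4)],
        "old": login(acct, "Tq4vLp9x", datetime(2000, 2, 19)),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

The fourth log-in forty days after the last change is refused: the three grace log-ins have been used up without the password being changed, which is the enforcement the text describes.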
(b) Other identification systems
The 'password' method is built on something you 'know'
and might be misused by someone getting hold of the password. A system built
on something you 'know' (password, PIN-code etc.) AND
something you 'have' (e.g. an authorisation card) is a much stronger
system. Even if someone gets hold of your password it is useless without the
card. Today, the strongest method combines something you 'know',
something you 'have' and something you 'are'
(biometrics).
There are two main types of card:
- Magnetic strip card: As its name suggests, this type of
card has a magnetic strip containing some confidential information to be used
together with the holder's personal code;
- Chip card: Instead of a magnetic strip, the card has a
built in microchip. The simplest type contains a memory chip (e.g. telephone
cards) containing some information but has no processing capability. The other,
better, type is the 'Active' (or 'Smart') Card. It contains
a microchip with both a memory to store some information and a processor.
It is often used in combination with cryptographic techniques.
Biometric systems make use of specific personal characteristics (biometrics)
of a specific person e.g. fingerprint, voice, keystroke characteristics or the
'pattern' of the retina. Biometric systems are still quite expensive
(except for the keystroke system) and not very common.
However, even these sophisticated techniques are not infallible.
3.4.2. Authorisation
After identification and authentication of the user (subject) there
must be a function and set of rules to control what object (files, devices
etc.) each user is allowed to access. This is the Access Control system.
| 3.5. Logging |
Most computer systems have some kind of log. Even stand-alone systems
sometimes have identification and authorisation systems (and a log) if different
users, with different authorisation levels, use them and/or when it is desirable
to prevent users from using the disk drive (as an anti-virus measure) or changing
files.
In a multi-user system (client-server, mini or mainframe systems) there are
always logging functions and there is often more than one kind of log.
The desired level of protection will only be achieved if the various security
measures are properly followed up with a log that can be analysed as
and when necessary. A proper log will answer the questions:
- WHO (user)
- WHEN (time - date)
- WHERE (place)
- WHAT (event/activity)
- ADDITIONAL (Additional information depending on activity)
There are often many different types of logs, e.g.:
- HISTORY files (e.g. Internet activities)
- TEMPORARY files
- SYSTEMS log
- TRANSACTION log
- SECURITY SYSTEM log
- DATABASE log
- APPLICATION log
- TECHNICAL log (mainly on mainframes)
Log information is one of the most important items for a computer crime
investigator to look for.
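The two ideas from the sections above, an access-control system that decides what each user may do with each object (3.4.2) and a log that records WHO, WHEN, WHERE and WHAT for every decision so that an investigator can reconstruct events later, put together in one runnable example. This is an added example, not code from the original document: the access-control matrix, the user and host names, the log line format and the sample activity are all constructed for illustration.

```python
"""Access control enforced through a log that answers WHO, WHEN, WHERE and WHAT.

Added example, not code from the original document. The access-control
matrix, host names and user names are constructed; the log line format is an
assumption of this example, chosen so that each record carries the items
listed in the text (who, when, where, what, plus the object and the outcome).
"""
from datetime import datetime

# Access-control matrix: subject -> object -> rights. Constructed sample: ordinary
# users read or modify only what their job requires, and nobody except the
# security administrator can read the log records themselves.
ACL = {
    "alice":  {"payroll.db": {"read", "modify"}},
    "bob":    {"payroll.db": {"read"}},
    "secadm": {"audit.log": {"read"}},
}


def access(log, subject, obj, right, where, when):
    """Decide the request and append a log record whether it was allowed or not."""
    allowed = right in ACL.get(subject, {}).get(obj, set())
    log.append("%s user=%s host=%s op=%s obj=%s result=%s" % (
        when.strftime("%Y-%m-%dT%H:%M:%S"), subject, where, right, obj,
        "ALLOWED" if allowed else "DENIED"))
    return allowed


def parse(line):
    """Turn one log line into a record: when, who, where, what, obj, result."""
    when, rest = line.split(" ", 1)
    fields = dict(item.split("=", 1) for item in rest.split())
    return {"when": datetime.strptime(when, "%Y-%m-%dT%H:%M:%S"),
            "who": fields["user"], "where": fields["host"],
            "what": fields["op"], "obj": fields["obj"], "result": fields["result"]}


def history_of(log, obj):
    """Every recorded attempt on one object, oldest first: the 'when, where and
    how' an investigator needs for a piece of information."""
    records = [r for r in map(parse, log) if r["obj"] == obj]
    return sorted(records, key=lambda r: r["when"])


def denied_by_user(log):
    """Count refused requests per user; repeated refusals point at probing."""
    counts = {}
    for r in map(parse, log):
        if r["result"] == "DENIED":
            counts[r["who"]] = counts.get(r["who"], 0) + 1
    return counts


def demo():
    """Constructed activity for one morning; returns the resulting log lines."""
    log = []
    t = datetime(2001, 3, 5, 9, 0, 0)
    access(log, "bob", "payroll.db", "read", "ws17", t)
    access(log, "bob", "payroll.db", "modify", "ws17", t.replace(minute=5))
    access(log, "alice", "payroll.db", "modify", "ws04", t.replace(minute=12))
    access(log, "bob", "audit.log", "read", "ws17", t.replace(minute=20))
    access(log, "secadm", "audit.log", "read", "ops01", t.replace(minute=30))
    return log


if __name__ == "__main__":
    log = demo()
    print("\n".join(log))
    for r in history_of(log, "payroll.db"):
        print(r["when"], r["who"], "from", r["where"], r["what"], r["result"])
    print(denied_by_user(log))
```

Refused requests are logged as carefully as granted ones: bob's attempt to modify the payroll file and to read the log is exactly the trace an investigator would look for.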
| 3.6. Back-up |
Although modern computer systems are generally very reliable, breakdowns and
failures do occur, and users can make mistakes that lead to the accidental destruction
of information. To guard against total loss of information under these circumstances,
it is necessary to set up procedures for making regular copies. The information
on the computer system should be copied to some form of back-up medium. This
medium can then be stored in a safe place until it is needed.
For particularly valuable information several copies should be made, and each
copy stored in a different place and at least in different buildings, if not
different cities.
The frequency with which back-ups are taken should be based on the frequency
with which the information changes, the relative value of the information, and
the problems its loss would cause. Regular back-up of data and system files
are an essential security measure. When combined with the logging information,
they should provide a comprehensive security information package. The following
guidelines may be of assistance when making back-ups:
- Make sure that regular back-up copies are made of both data and
system files.
- Back-up cycles should be of sufficient length to be of some use in the
future. 24-hour overwrite cycles are not recommended.
- Take a full back-up (both system and data) out of the cycle on a regular
basis and archive it off site for an extended period.
- Back-up tapes/diskettes should be kept in a safe place under lock and key
and away from the computer and where they are secured from fire, flood, magnetic
and electric fields etc., preferably off site.
- Periodically test the back-up to ensure that the information can actually
be restored in an emergency; do not wait for disaster to strike to find the
back-up system does not work.
Back-ups (including old ones) are another important source of information
for an investigator.
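The last guideline above, test the back-up before you need it, as a runnable procedure: the back-up is written with a manifest of SHA-256 digests, restored to a separate location, and every restored file is checked against the manifest. This is an added example, not code from the original document; the sample files, the archive name and the manifest format are constructed for illustration.

```python
"""Back-up with an integrity manifest, and a restore test.

Added example, not code from the original document. It writes a compressed
archive of a directory together with a manifest of SHA-256 digests, then
restores the archive elsewhere and verifies every file against the manifest,
which is the 'periodically test the back-up' step in the text. The sample
files are constructed in a temporary directory.
"""
import hashlib
import io
import json
import os
import tarfile
import tempfile

MANIFEST = "MANIFEST.json"


def _sha256(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def make_backup(src_dir, backup_path):
    """Archive src_dir into backup_path (tar.gz) and return the manifest written into it."""
    manifest = {}
    for root, _, files in os.walk(src_dir):
        for name in files:
            full = os.path.join(root, name)
            rel = os.path.relpath(full, src_dir).replace(os.sep, "/")
            manifest[rel] = _sha256(full)
    with tarfile.open(backup_path, "w:gz") as tar:
        for rel in sorted(manifest):
            tar.add(os.path.join(src_dir, rel), arcname=rel)
        data = json.dumps(manifest, sort_keys=True).encode()
        info = tarfile.TarInfo(MANIFEST)
        info.size = len(data)
        tar.addfile(info, io.BytesIO(data))
    return manifest


def extract_backup(backup_path, restore_dir):
    """Unpack the archive into restore_dir and return the manifest it carries."""
    with tarfile.open(backup_path, "r:gz") as tar:
        try:
            tar.extractall(restore_dir, filter="data")   # rejects absolute or '..' members
        except TypeError:                                 # Python without extraction filters
            tar.extractall(restore_dir)
    with open(os.path.join(restore_dir, MANIFEST)) as f:
        return json.load(f)


def verify_restore(restore_dir, manifest):
    """Compare every restored file with its recorded digest.
    Returns (ok, problems); problems lists files that are missing or altered."""
    problems = []
    for rel, digest in sorted(manifest.items()):
        path = os.path.join(restore_dir, rel)
        if not os.path.isfile(path):
            problems.append(rel + ": missing")
        elif _sha256(path) != digest:
            problems.append(rel + ": digest mismatch")
    return (not problems, problems)


def demo():
    """Back up two constructed files, restore them, then damage one restored file
    and verify again. Returns (manifest_keys, first_check, second_check)."""
    src = tempfile.mkdtemp(prefix="src-")
    os.makedirs(os.path.join(src, "db"))
    with open(os.path.join(src, "notes.txt"), "w") as f:
        f.write("quarterly figures\n")
    with open(os.path.join(src, "db", "payroll.dat"), "wb") as f:
        f.write(bytes(range(256)) * 4)
    backup = os.path.join(tempfile.mkdtemp(prefix="media-"), "full-2001-03.tar.gz")
    make_backup(src, backup)

    restore = tempfile.mkdtemp(prefix="restore-")
    manifest = extract_backup(backup, restore)
    first = verify_restore(restore, manifest)
    # Simulate a damaged copy (e.g. a bad tape block): change one byte.
    with open(os.path.join(restore, "db", "payroll.dat"), "r+b") as f:
        f.seek(10)
        f.write(b"\xff")
    second = verify_restore(restore, manifest)
    return (sorted(manifest), first, second)


if __name__ == "__main__":
    print(demo())
```

The manifest travels inside the archive, so a copy taken out of the cycle and archived off site can still be checked years later without any other record.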
| 3.7. Firewalls |
One frequently asked question is 'how do I secure the internal network from
an external network such as the Internet?' One solution is to set up a
firewall system.
'A firewall is a system or group of systems that enforces an access control
policy between two networks. The actual means by which this is accomplished
varies widely, but in principle, the firewall can be thought of as a pair of
mechanisms: one, which exists to block traffic, and the other that exists to
permit traffic. Some firewalls place a greater emphasis on blocking traffic,
while others emphasise permitting traffic. Probably the most important thing
to recognise about a firewall is that it implements an access control policy.
If you don't have a good idea what kind of access you want to permit or
deny, or you simply permit someone or some product to configure a firewall based
on what they or it think it should do, then they are making policy for your
organisation as a whole.' (The Internet Firewall FAQ)
Firewall systems are typically the first line of defence between an internal
network (e.g. a company's network, but also a private network) and the outside world,
especially its connection to the Internet. A firewall should be configured not only
to allow certain operations to occur (FTP, mail delivery, etc.), but to make
it difficult or impossible for an attacker on the outside to use the firewall
to penetrate the internal networks.
There are primarily two types of firewall systems, the packet-filtering firewall
system and the application-level gateway.
The major difference between the two techniques lies in the flow of communication.
A packet-filter gateway acts as a router between the two networks; as packets
flow from their source to the destination, the gateway either forwards or blocks
the packets. With application gateways, all packets are addressed to a user-level
application on the gateway that relays the packets between the two communication
points.
Firewall system requirements
Firewall systems must support features that will do the following:
- Prevent unauthorized users from accessing the internal network.
- Prevent unwanted IP service requests from being passed through it to the
internal network.
- Log its activities.
- Be easy to administer.
- Provide alarm mechanisms.
- Preferably support SNMP.
- Be configurable at the user, service, and IP host level.
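A packet-filtering policy of the kind described above, written out as a small rule engine: every rule names a direction, protocol, source and destination network and service, the first matching rule decides, anything unmatched is denied, and every decision is logged. This is an added example, not code from the original document; the address space, the rule set and the sample packets are constructed for illustration. It is deliberately stateless, so reply traffic would need its own rules, and the user-level relaying of an application gateway is not modelled.

```python
"""Packet-filter policy engine: default deny, first match wins, every decision logged.

Added example, not code from the original document. The addresses, services
and rules are constructed to illustrate a policy that admits only mail
delivery and FTP from outside, lets internal hosts reach web and mail servers
on the Internet, and drops everything else.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Rule:
    action: str            # "permit" or "deny"
    direction: str         # "in" (Internet -> internal net) or "out"
    proto: str             # "tcp", "udp" or "any"
    src: str               # source network, CIDR notation
    dst: str               # destination network, CIDR notation
    dport: Optional[int]   # destination port, None = any
    comment: str


INTERNAL = "10.1.0.0/16"   # assumed internal address space
ANY = "0.0.0.0/0"

POLICY = [
    # Anti-spoofing first: an 'internal' source address must never arrive from outside.
    Rule("deny",   "in",  "any", INTERNAL, ANY,            None, "spoofed internal source"),
    Rule("permit", "in",  "tcp", ANY,      "10.1.0.25/32", 25,   "mail delivery to the relay"),
    Rule("permit", "in",  "tcp", ANY,      "10.1.0.21/32", 21,   "FTP to the public FTP server"),
    Rule("permit", "out", "tcp", INTERNAL, ANY,            80,   "outbound web"),
    Rule("permit", "out", "tcp", INTERNAL, ANY,            25,   "outbound mail"),
    # Anything not matched above falls through to the implicit default deny.
]


def matches(rule, pkt):
    return (rule.direction == pkt["dir"]
            and rule.proto in ("any", pkt["proto"])
            and ipaddress.ip_address(pkt["src"]) in ipaddress.ip_network(rule.src)
            and ipaddress.ip_address(pkt["dst"]) in ipaddress.ip_network(rule.dst)
            and (rule.dport is None or rule.dport == pkt["dport"]))


def filter_packet(pkt, policy=POLICY, log=None):
    """Return 'permit' or 'deny' for one packet; append the decision to log if given."""
    for rule in policy:
        if matches(rule, pkt):
            decision, reason = rule.action, rule.comment
            break
    else:
        decision, reason = "deny", "default deny"
    if log is not None:
        log.append("%s %s %s %s->%s:%s (%s)" % (decision.upper(), pkt["dir"], pkt["proto"],
                                               pkt["src"], pkt["dst"], pkt["dport"], reason))
    return decision


def packet(direction, proto, src, dst, dport):
    return {"dir": direction, "proto": proto, "src": src, "dst": dst, "dport": dport}


# Constructed traffic sample; external hosts use documentation address ranges.
SAMPLE = [
    packet("in",  "tcp", "203.0.113.5", "10.1.0.25", 25),     # mail from outside: permit
    packet("in",  "tcp", "203.0.113.5", "10.1.0.7", 23),      # telnet to a workstation: deny
    packet("in",  "tcp", "10.1.0.3", "10.1.0.25", 25),        # internal source seen outside: deny
    packet("out", "tcp", "10.1.0.7", "198.51.100.9", 80),     # browsing: permit
    packet("out", "udp", "10.1.0.7", "198.51.100.9", 53),     # DNS forgotten in the policy: deny
]


def run(sample=SAMPLE):
    log = []
    decisions = [filter_packet(p, POLICY, log) for p in sample]
    return decisions, log


if __name__ == "__main__":
    for line in run()[1]:
        print(line)
```

The last sample packet shows why logging matters for administration as well as investigation: outbound DNS was never written into the policy, and the 'default deny' entry in the log is how that misconfiguration is found.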
Security policy
If a firewall system will be deployed to secure the access to the Internet,
the configuration of the firewall system must reflect the security policy of
the organization. The security policy must address, as a minimum, the following
questions:
- What is the policy on IP addresses? Is the organisation's IP address space
a registered address space?
- Who is or will be the organisation's Internet service provider? What is the
Internet service provider's security policy? Is their network secure?
- Will firewall systems be used to secure the connection to the Internet?
If so, what type of firewall system?
- What is the firewall system architecture? All entry and exit points to the
Internet need to be identified. The firewall network architecture must be
defined to control authorised inbound and outbound connections.
- What is the policy for inbound access to systems? Which specific protocols
will be allowed to access nodes on the internal network?
- What is the policy on outbound access to nodes on the Internet?
- Do remote offices or branches connect to the home office? If so, are remote
offices directly connected to the Internet, or is their access to the Internet
through the home office? If there is a direct connection between the remote
office and the Internet, verify that a compromise of the remote office does not
compromise the security of the corporate network.
- Are there external networks that are not trusted?
- Are there external networks that need access to the internal network via
the Internet?
| 3.8. Intrusion Detection Systems (IDS) |
Do I need an Intrusion Detection System if I have a firewall?
Yes. The main purpose of a firewall is to protect against unauthorised external
attacks, but it will normally leave the network unprotected from internal attacks
or intrusions. Firewalls sometimes fail to protect from external intrusions
because:
- It is hard to configure the firewall properly.
- Hackers/crackers can get some packets through most firewalls, and firewalls
do not know what happens once someone has got through them.
- The firewall software contains a bug (software always has bugs).
- Bad protocols can be blocked by the firewall, but HTTP is allowed through,
and a 'hack' carried inside HTTP will pass through with it.
- The firewall can only protect against known problems.
An intruder is somebody attempting to break into or misuse the system. Intruders
can be divided into two categories:
- Outsiders - Intruders from outside your own network who try to attack
your system via dial-up lines, the Internet, a vendor or other 'partner' etc.
- Insiders - Intruders that are authorised to use your internal network
but are misusing their privileges.
There are different types of IDS. Two main types are:
- Statistical detection - The IDS looks for deviations from statistical
measures to detect unusual behaviour. A set of variables is defined for subjects
and objects such as servers, files, users and other resources. A 'normal'
value is set for each variable by looking at historical data or by setting
expected values. When system activities occur, the list of variables is maintained
and updated for each subject or object.
- Pattern (or signature) matching detection - This type of IDS compares
activities against a collection of known attacks or a set of rules. The main
idea is to watch for events that match one of the patterns or violate the
rules.
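Both detection styles described above, side by side on constructed input: a signature matcher run over web request lines (the 'hack inside HTTP' that a firewall passes), and a statistical detector that compares each subject's activity for the day with its own history. This is an added example, not code from the original document; the patterns, the threshold, the baseline counts and the sample requests are assumptions chosen for illustration.

```python
"""Two intrusion-detection styles side by side.

Added example, not code from the original document. Signature matching checks
each request against known attack patterns; statistical detection flags a
subject whose daily activity departs from its own history. The patterns, the
threshold, the baseline counts and the sample requests are constructed.
"""
import re
import statistics

# Signature rules: attack name -> pattern seen in a web request line.
SIGNATURES = [
    ("directory traversal", re.compile(r"(\.\./){2,}")),
    ("shell command in request", re.compile(r"/bin/(sh|bash)\b|cmd\.exe", re.IGNORECASE)),
    ("null byte in path", re.compile(r"%00")),
]


def signature_alerts(requests):
    """requests: list of (source, request_line). Returns (source, name, line) hits."""
    hits = []
    for src, line in requests:
        for name, pattern in SIGNATURES:
            if pattern.search(line):
                hits.append((src, name, line))
    return hits


def statistical_alerts(baseline, today, k=3.0):
    """baseline: {subject: [count per past day, ...]}; today: {subject: count}.
    Flag a subject whose count exceeds mean + k * standard deviation of its own
    history. A subject with too little history cannot be judged and is reported
    as such rather than silently passed."""
    alerts = []
    for subject, count in sorted(today.items()):
        hist = baseline.get(subject, [])
        if len(hist) < 2:
            alerts.append((subject, count, "no baseline"))
            continue
        mean = statistics.mean(hist)
        sd = statistics.pstdev(hist) or 1.0     # a flat history would give a zero-width band
        if count > mean + k * sd:
            alerts.append((subject, count, "mean %.1f, sd %.1f" % (mean, sd)))
    return alerts


def demo():
    """Run both detectors over constructed samples; returns their alerts."""
    requests = [
        ("198.51.100.7", "GET /index.html HTTP/1.0"),
        ("198.51.100.7", "GET /../../../../etc/passwd HTTP/1.0"),
        ("203.0.113.40", "GET /cgi-bin/test?cmd=/bin/sh HTTP/1.0"),
        ("203.0.113.41", "GET /images/logo.gif HTTP/1.0"),
    ]
    # Logins per day over the past week, then today's count; 'eve' is a new account.
    baseline = {"alice": [10, 12, 11, 9, 13], "bob": [40, 42, 38, 41, 39]}
    today = {"alice": 11, "bob": 120, "eve": 5}
    return {"signature": signature_alerts(requests),
            "statistical": statistical_alerts(baseline, today)}


if __name__ == "__main__":
    for kind, alerts in demo().items():
        for alert in alerts:
            print(kind, alert)
```

The two detectors fail in opposite ways: the signature matcher only knows the attacks on its list, while the statistical detector raises nothing about a new subject because it has no history to compare against, which is why the example reports 'no baseline' explicitly instead of staying quiet.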
Why should I use both a firewall and an IDS? Because most attacks come from inside,
and every company or organisation also needs a well-managed single point of entry.
In addition, a firewall can keep hackers running automated intrusion
programs out of the internal network; otherwise those programs can detect and
exploit holes in your security architecture. There is a lot of information explaining
different IDS on the Internet.
| 3.9. Incident Handling System |
Even if you have installed a firewall and an Intrusion Detection System someone
has to take care of an incident when it occurs (not 'if' it occurs, because
it will happen sooner or later). To be well prepared is the best way to handle
an incident. It is very important to stay calm and not panic when an incident
occurs. It is also very important to have a special form to register incidents.
For example, the SANS Institute has a step-by-step method for incident handling;
the latest information can be obtained by e-mail from ih@sans.org.
Their method has six stages:
- preparation
- identification
- containment
- eradication
- recovery
- follow-up
Preparation
This stage covers things like policy, management support, training and interfaces
to law enforcement.
Identification
How to identify an incident, responsible staff, co-ordination with network suppliers,
etc.
Containment
Create the on-site team to survey the situation. Backup of the system. Risk
determination (to let the system run) etc.
Eradication
Perform vulnerability analysis. Remove the cause of the incident, etc
Recovery
Restore the system. Validate the system, etc
Follow-up
Develop a follow-up report.
| 4. Computer architectures |
The main types of computer architecture are indicated below. In many cases,
the specific threats and risks to which a particular system is exposed will
depend on its architecture. However, there are a number of threats which can
affect all systems, irrespective of their architecture.
Main architecture types
- Microcomputers
- Network architectures and mini computers
- Mainframes
- Hand-held computers.
| 4.1. Microcomputers (stand-alone) |
These computers have no facilities for permanent external communications, apart
from links to peripherals (e.g. printer, scanner, streamer, extra disk drive
etc.). Nowadays it is common to have a modem and a temporary connection to the
Internet.
This architecture is easiest to 'protect' but it is also the architecture
where the users are least aware of the possible threats and risks. If it is
connected to the Internet it can be vulnerable to external attacks if it is
not properly configured. The user is responsible for back-ups, keeping media
in a safe place, protecting data from unauthorized access, etc.
Examples: Personal Computer (IBM PC-compatible), desktop or laptop; Macintosh, Amiga, etc.
| 4.2. Network architectures and mini computers |
A mini computer is linked to several workstations to serve a limited number
of users. The workstations may consist of just a keyboard and screen, or microcomputers
(so-called 'intelligent' terminals) may be used. Today, these mini computers
are often referred to as 'servers' linked to their workstations through
a Local Area Network (LAN); this is commonly known as client-server architecture.
In many organizations the old mainframe architecture is now being replaced
with a number of 'servers' each of which has a different set of functions. Connections
from the LAN to Wide Area Networks (WAN) are common.
The user is only responsible for backing up the files on the hard disk on
his own workstation (if it has one). One or more administrators are responsible
for all other back-ups, loading new programs etc. Management of the network
is normally left to a Network Administrator.
Examples: UNIX systems, OS/2 servers, IBM AS400, Digital Micro VAX, etc.
| 4.3. Mainframes |
Mainframes are used in big organisations to serve a great number of users and/or where considerable
computing capacity is needed. A special computer room with air conditioning
is needed, too. This is often located in a restricted area of the building and
specialists are required to operate the computer. Network operators monitor
the communication functions and assist users if there are communication problems.
System development and programming is a task for specialised staff. The user
is only responsible for backing up the files on the hard disk of his workstation
(if it has a disk). Because of the very fast technical development in the field
of client-server systems it is today not possible to clearly define the difference between
mainframes and servers.
| 4.4. Hand-held computers |
This type of computer, e.g. personal organisers, is completely different from
the others and is discussed in section
'Technical devices & communications'
in the Interpol Computer Crime Manual. The most important prevention method
is to keep the equipment in a safe place and away from unauthorized persons.
| 5. Threats and crime prevention methods |
This section gives examples of the threats that may occur. Some may be encountered
in all types of environment, others may only occur with specific types of computer
architecture.
The prevention methods mentioned are only given as examples. The risk of the
threat being activated must be assessed in each organisation and depends on
factors such as the company's information policy, employees' awareness, etc.
In the following tables, the various threats to which a system may be exposed
are grouped according to where the information is located in the IT process.
READ/CREATE/MODIFY/DELETE refers to information (data and software)
inside the computer system.
TRANSPORT refers to information (data and software) 'transported'
via a network or on media.
STORE refers to information (data and software) when it is stored
on computer media and taken out of the computer system. (I.e. back-up tapes/diskettes).
| 5.1. Architecture-independent threats |
There are a number of important 'architecture-independent security targets':
- Members of staff, with certain responsibilities, powers, information
- Media handling
- Malicious programs
- Electronic emission
5.1.1. Members of staff
Threat: Disloyal staff
Prevention method: See advice given above in 'Important IT security functions'.
The strongest form of security is often procedural security with attendant
staff awareness and responsibility.
Threat: Unauthorized access to information by users
Prevention method: Users should be given specific written guidelines on what
they should and should not do. Guidelines should be signed for.
Install an 'Identification and Authorisation' system. Adopt a 'two-man rule'
for granting privileges. Do not reveal your password to anyone. Keep
identification and authorisation cards in a safe place. Regularly check logs.
Regularly check that the configuration is correct. Install an Intrusion
Detection System. See above, chapter 'Important IT security functions'.
Threat: Unauthorized access to information by system administrators,
programmers, etc.
Prevention method: The same as above and: use separate systems for program
development and for 'production'. Restrict access to equipment with sensitive
information; adopt the 'two-man rule'. Restrict use of 'super user'/'root'
privileges.
Threat: Unauthorized access to information by temporary staff, e.g. consultants,
service engineers etc.
Prevention method: As for other staff and: limit their access to the system to
the time and day required for the specific task. Do not forget to cancel their
access rights and close their temporary accounts. Do not leave communication
lines for remote servicing open when not needed.
5.1.2. Unauthorized access from external sources
| Threat | Prevention method |
|---|---|
| Unauthorized access | Install an 'Identification and Authorisation' system. Adopt a 'two-man rule' for granting privileges. Regularly check logs. Regularly check that configuration is correct. Install a firewall. See above, chapter 'Important IT security functions'. |
5.1.3. Media handling
| Threat | Prevention method |
|---|---|
| Total loss of information through theft of media | Media should be kept in a safe place under lock and key. |
| Loss (by copying or transfer) of information as a result of unauthorized access to, or loan of, media | Encrypt sensitive information. Staff handling the media should not have access to the encryption keys. 'Two-man rule' for back-up. 'Two-man rule' for access to archives. |
| Loss (by copying or transfer) of information during servicing | Never send equipment with sensitive information on mounted media for servicing. (It is not enough to 'delete' sensitive information because of 'undelete/unerase' possibilities.) |
5.1.4. Malicious program code
| Threat | Prevention method |
|---|---|
| Viruses and other malicious programs | Install 'anti-virus software'. See Chapter 'Investigations', Section 'Malicious program code' in the Interpol Computer Crime Manual. |
| Programs altered to obtain access to, or manipulate, information without authorisation | Depends on computer architecture. Use separate systems for program development and for 'production'. If possible, restrict access to 'source code', 'compilers' and 'editors' in the 'production' system and restrict use or installation of non-standard software packages. An Intrusion Detection System might detect this type of problem. See above, chapter 'Important IT security functions'. |
5.1.5. Electronic Emission
| Threat | Prevention method |
|---|---|
| Despite all precautions, it is still possible for a determined intruder to eavesdrop on information by picking up and interpreting electromagnetic emissions from the Personal Computer or workstation, in a manner somewhat similar to the way in which it is possible to detect the operation of a television receiver and determine which channel is being watched. This type of eavesdropping is most likely to occur when very sensitive information, such as that of high commercial value or dealing with matters of national security, is involved. | Use equipment with no or limited signal leakage ('tempest') or put the equipment in a shielded room. Although effective, these methods are expensive and are only to be recommended when there is an extremely high risk. Optical fibres can be used to prevent emission leakage from the lines running between peripherals and the Local Area Network (LAN). Encryption of the Wide Area Network (WAN) will not stop electromagnetic emissions, but the eavesdropper will not be able to use the information without the encryption key. |
5.2. Microcomputer (stand-alone, Personal Computer) systems
Much sensitive information is stored on personal computer systems. The main
risk is unauthorized access to that data, or that the data may become corrupted
or lost.
READ/CREATE/MODIFY/DELETE
| Threat | Prevention method |
|---|---|
| Corruption of files (program or data). A major cause of data loss and corruption is the introduction of viruses to computer systems. | Keep program diskettes write-protected at all times. Do not keep data and software on the same diskette; otherwise, if the software becomes corrupted or infected, the data will usually be lost as well. Making files read-only will prevent them from being infected by some viruses, but not all of them. All media should be scanned for viruses before use, preferably on a system specially designated for the purpose. |
| Unauthorized access to information stored in the computer | Restrict physical access to the Personal Computer by locking the door (and the machine if possible) whenever it has to be left unattended. Machines should never be left switched on and running unless a reliable software protection mechanism has been installed. |
| Unauthorized use of the computer | As above. |
| Malicious programs (e.g. viruses) | See Chapter 'Investigations', Section 'Malicious program code' in the Interpol Computer Crime Manual. |
| Loss (by copying or transfer) of information during servicing | Never send equipment with sensitive information on mounted media for servicing. (It is not enough to 'delete' sensitive information because of 'undelete/unerase' possibilities.) |
| Theft of the computer | Restrict physical access to the Personal Computer by locking the door (and the machine if possible) whenever it has to be left unattended. Laptops are particularly at risk when left unattended in hotel rooms etc. Use cryptography to protect information from unauthorized access. |
TRANSPORT
| Threat | Prevention method |
|---|---|
| Loss of confidential or secret information during transport | Transport media in sealed envelopes and/or locked boxes. |
| Manipulation of media during transport | As above, and an electronic seal (cryptologic checksum) on the information. |
| Total loss of media during transport | Never leave media unattended in cars, hotel rooms etc. |
STORE
| Threat | Prevention method |
|---|---|
| Loss (by copying or transfer) of information | Diskettes and other media should be kept locked up in a safe place when not in use. |
| Physical loss of information | As above; it is also advisable to install removable hard disks, which should be kept in a safe place. |
| Total loss of information through theft of computer and/or media | Regular back-ups of data and system files are essential. Together with the logging information, they will provide a comprehensive security information package. For back-up guidelines, see 3.6. |
| Loss (by copying or transfer) of information as a result of unauthorized access to, or loan of, media | See 'Architecture-independent threats' above. |
5.3. Network architectures and mini computer systems
Local Area Network (LAN)
If a Personal Computer (PC) is connected to a network, there are two other
possibilities for interfering with data, in addition to the dangers of physical
access to the machine (as mentioned above).
Firstly, it becomes possible to access the information stored on the PC via
the network. Care should therefore be taken to ensure networking software is
correctly configured, and that only that information which is intended to be
generally accessible is stored in directories which can be accessed via a network.
Secondly, the danger of leaving a PC unattended is much greater: not only
can the data on the PC itself be compromised, but there is also a risk that
any data which the rightful user may be able to access over the network will
also be compromised.
In a network environment, especially where sensitive material is in use, it
is essential to keep a central record of activity, i.e. a log. This should be
held on a machine that is known to be secure, and should contain a record of
ALL activity on the network; there should also be a procedure for examining
the log, so that all suspicious events can be highlighted and investigated.
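One way to turn the log-examination procedure just described, together with the earlier advice to limit temporary staff to the time and day required for their task and to restrict 'root' privileges, into a routine check. This is an added example, not part of the manual; the log format, the temporary-account register and all account names are constructed for it.

```python
import re
from datetime import datetime, time

# Constructed access-log lines for this example (the format is assumed, not the
# manual's): "<ISO timestamp> <host> login: user=<name> src=<address>
# result=<ok|fail> priv=<user|root>".
SAMPLE_LOG = """\
2001-03-12T09:05:11 srv1 login: user=alice src=10.0.0.5 result=ok priv=user
2001-03-12T22:41:03 srv1 login: user=svc_eng src=10.0.0.77 result=ok priv=user
2001-03-13T10:12:45 srv1 login: user=svc_eng src=10.0.0.77 result=ok priv=root
2001-03-20T08:30:00 srv1 login: user=svc_eng src=10.0.0.77 result=ok priv=user
2001-03-13T03:10:00 srv1 login: user=bob src=192.0.2.9 result=fail priv=user
2001-03-13T03:10:07 srv1 login: user=bob src=192.0.2.9 result=fail priv=user
2001-03-13T03:10:15 srv1 login: user=bob src=192.0.2.9 result=fail priv=user
"""

# Hypothetical register of temporary accounts: the days and working hours for
# which access was granted (the 'time and day required for the specific task').
TEMP_ACCOUNTS = {
    "svc_eng": {"start": "2001-03-12", "end": "2001-03-14",
                "hours": (time(8, 0), time(18, 0))},
}
ADMINS = {"alice"}       # staff allowed to use 'super user'/'root' privileges
FAIL_THRESHOLD = 3       # repeated failures from one source deserve a closer look

LINE_RE = re.compile(
    r"^(?P<ts>\S+) \S+ login: user=(?P<user>\S+) src=(?P<src>\S+) "
    r"result=(?P<result>ok|fail) priv=(?P<priv>user|root)$")

def parse(line):
    """Return a dict for one log line, or None if it does not match the format."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.fromisoformat(rec["ts"])
    return rec

def review(log_text, temp_accounts=TEMP_ACCOUNTS, admins=ADMINS):
    """Return (user, reason) findings, in log order, for the security officer."""
    findings, fails = [], {}
    for line in log_text.splitlines():
        rec = parse(line)
        if rec is None:
            continue             # an unparseable line would itself deserve a look
        user, ts, src = rec["user"], rec["ts"], rec["src"]
        if rec["result"] == "fail":
            fails[(user, src)] = fails.get((user, src), 0) + 1
            if fails[(user, src)] == FAIL_THRESHOLD:
                findings.append((user, f"{FAIL_THRESHOLD} failed logins from {src}"))
            continue
        if rec["priv"] == "root" and user not in admins:
            findings.append((user, f"root session at {ts.isoformat()} by a non-administrator"))
        window = temp_accounts.get(user)
        if window is not None:
            day = ts.date().isoformat()
            if not window["start"] <= day <= window["end"]:
                findings.append((user, f"temporary account used outside its period on {day}"))
            elif not window["hours"][0] <= ts.time() <= window["hours"][1]:
                findings.append((user, f"temporary account used out of hours at {ts.time()}"))
    return findings
```

Calling review(SAMPLE_LOG) on the constructed lines yields four findings: the service engineer's account used out of hours, then with 'root' privileges, then after its period had ended, and three failed logins for 'bob' from one address.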
Wide Area Network (WAN)
Networks are connected by cable, by microwave or by satellite. The latter two are
vulnerable to interception, as are any radio transmissions, unless the data
is encrypted. The transmission of electronic signals is governed by standards
called 'protocols'. There are many such standards; the most common
is TCP/IP, the standard packet-switching protocol used for the Internet.
Such connections can be protected against improper use or interception in various
ways. The best way is to use Identification, Authentication and Cryptography,
as well as a firewall and Intrusion Detection Systems (IDS).
Costs also have to be considered. Telecommunication companies can offer the
use of dedicated lines, as often used by financial institutions, which means
that these lines are not available for normal public use and are protected against
intrusion, but they cost substantially more. This also applies to encryption.
There are a number of encryption standards and devices, ranging from small logical
keys installed on sending and receiving equipment to higher levels of coding
which use complicated mathematical cycles and algorithms. The decision to implement
such higher-level systems will have to be taken in the light of the value of the
transmitted data.
It must also be remembered that encryption is not an infallible solution and
that its use raises various problems; for example, several countries are developing,
or discussing the development of, specific laws to regulate the use of encryption.
Even when communications are well protected, problems of unauthorized access
can occur if a well-protected system is linked directly to another that is not
protected. Any given system is only as secure as those to which it is connected.
The Internet
Victims of Internet attacks are often organizations that did not bother too
much about their security or who trusted some sales person who said that the
Internet connection was absolutely safe.
Many safeguards are mentioned above and they are applicable to the Internet
as well. Some additions are:
- Do not connect computers or entire networks which contain your critical
information (e.g. financial, confidential, privacy) to the Internet.
- If possible, restrict access to the Internet to one single point of
connection.
- Do not store your password or identification number on your hard disk; protect
it by other means from unauthorized access. Create a password policy (see chapter
3.4.1, identification - password systems).
- Check and update your list of user accounts.
- Install a firewall system and an IDS.
- Do not download files or open emails which you do not trust.
- Install anti-virus software and update it frequently.
- Be aware of shared files which might be accessed by unauthorized persons.
- Be aware of cookies, Java and ActiveX applets, etc.
- Install only the minimum of options.
THREATS
READ/CREATE/MODIFY/DELETE
| Threat | Prevention method |
|---|---|
| Manipulations or unauthorized access to software or information in each workstation (PC) in the network | See chapter 5.2, Microcomputer systems. |
| Unauthorized access to information in the 'server' by users | Users should be given specific written guidelines on what they are allowed and not allowed to do. Guidelines should be signed for. Install an 'Identification and Authorisation' system. Adopt a 'two-man rule' for granting privileges. Regularly check logs. Regularly check that the configuration is correct. An IDS should be installed. |
| Unauthorized access to information by system administrators, programmers etc. | As above and: use separate systems for program development and for 'production'. Restrict access to the server; adopt a 'two-man rule'. Restrict use of 'super user'/'root' privileges. |
| Corruption of files (program or data). A major cause of data loss and corruption is the introduction of viruses to computer systems. | All media should be scanned for viruses, preferably on a system specially designated for the purpose, before use. Remove all unnecessary code and all default and unused procedures. |
| Total loss of information through 'disk crash' or deliberate destruction of files | Regular back-ups of data and system files are essential. Together with the logging information, they will provide a comprehensive security information package. For back-up guidelines, see 3.6. |
| Loss (by copying or transfer) of information during servicing | Some mini-server servicing can be done 'on-site', but in the case of some hardware problems the equipment will have to be taken away for repair by the service company/vendor. Never send equipment with sensitive information on media for servicing without a verifiable guarantee that the information will be destroyed. (It is not enough to 'delete' the sensitive information because of 'undelete' and 'unformat' possibilities.) Remember that after repair, the disk drives could be reused somewhere else and your information might be compromised. If it is decided to replace a disk with sensitive information, destroy it yourself. |
| Theft of the server | The server should be kept locked up in a safe place. |
TRANSPORT in Local Area Network (LAN)
| Threat | Prevention method |
|---|---|
| Interception of cables | Segmentation of the LAN. Use optical fibres. Regularly inspect the LAN. Encrypt the LAN. |
| Interception of network components (like 'routers', 'bridges', 'gateways', 'repeaters' etc.) | Restrict physical access to components. Regularly check that the configuration of each individual component is correct. |
| Manipulation of network components | As above. |
| Unapproved workstations | The system should be set up in such a way that management must approve workstations before they can be used. Regularly check that the configuration is correct. |
| Network administrator accessing user files | Network administrators should be given specific written guidelines on what they should and should not do. Guidelines should be signed for. Restrict use of 'administrator' privileges. Install an 'Identification and Authorisation' system. Adopt a 'two-man rule' for granting privileges. |
| Access to the LAN from 'outside' | Provide guidelines for the use of modems or other connections. An IDS and a firewall should be used. Regularly check that the configuration is correct. |
TRANSPORT in Wide Area Network (WAN)
| Threat | Prevention method |
|---|---|
| Interception of cables | Communications can be encrypted, but there may be legal restrictions. |
| Interception of radio communications | As above. |
| Intruders ('hacking'/'cracking') | Use special modems at each end which recognise each other's signals (mutual signal recognition). Install an 'Identification and Authorisation' system. Adopt a 'two-man rule' for granting privileges. An IDS and a firewall should be used. For password rules, see chapter 3.4, User Identification and Authorisation. |
TRANSPORT of media
| Threat | Prevention method |
|---|---|
| Loss of confidential or secret information during transport | Transport media in sealed envelopes or locked boxes. Cryptography should be used. |
| Manipulation of media during transport | As above and: electronic seal (cryptologic checksum) on the information. |
| Total loss of media during transport | Never leave media unattended in cars etc. |
STORE
| Threat | Prevention method |
|---|---|
| Loss (by copying or transfer) of information | Media should be kept in a safe place under lock and key. 'Two-man rule' for access to archives. |
| Total loss of information through theft of media | Regular back-ups of data and system files are essential. Together with the logging information, they will provide a comprehensive security information package. For back-up guidelines, see 3.6. |
5.4. Mainframe computer systems
There is normally some kind of access system to a mainframe via terminals or
a number of LANs with workstations, which will be subject to the threats mentioned
above. In that connection, see 5.1. (Architecture-independent
threats), 5.2. (Microcomputer systems), and 5.3.
(Network architectures and mini computer systems), as appropriate.
THREATS
READ/CREATE/MODIFY/DELETE
| Threat | Prevention method |
|---|---|
| Manipulations or unauthorized access to software | Use separate computers for system/program development and 'production'. If possible, restrict access to 'source code', 'compilers' and 'editors' in the 'production' system. |
| Unauthorized access to information | Users should be given specific written guidelines on what they should and should not do. Guidelines should be signed for. Install an 'Identification and Authorisation' system. Adopt a 'two-man rule' for granting privileges. An IDS and a firewall should be used. Regularly check logs. Regularly check that the configuration is correct. |
| Unauthorized access to information by system administrators, programmers, etc. | As above and: separate test/development systems from production systems. Restrict access to the computer room: 'closed shop' for all other than those working in the computer room. Restrict use of 'super user'/'root' privileges. Cryptography should be used for confidential information. |
| Corruption of files (program or data) by malicious programs | Use 'checksums' on sensitive software to make it possible to check that it has not been changed deliberately. Remove all unnecessary code and all default and unused procedures. |
| Loss (by copying or transfer) of information during servicing | Servicing of mainframe systems is done 'on site'. In the case of hardware problems with disk drives, they should be replaced and the faulty ones sent to the vendor for repair, if possible. They can later be used as replacements, perhaps at another site. Never send equipment with sensitive information on media for servicing without a verifiable guarantee that the information will be destroyed. (It is not enough to 'delete' sensitive information because of 'undelete' and 'unformat' possibilities.) Cryptography should be used for confidential information. |
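The warning repeated in the servicing rows of 5.1.3, 5.2, 5.3 and 5.4, that a plain 'delete' leaves the information recoverable, can be acted on by overwriting a file's contents before it is removed. The following is an added example, not part of the manual; the file name and contents are constructed for it, and the caveats in the comments are general limitations of in-place overwriting rather than statements from the manual.

```python
import os
import secrets
import tempfile

CHUNK = 64 * 1024

def overwrite_file(path: str, passes: int = 1) -> int:
    """Overwrite every byte of the file in place with random data, `passes` times.
    Returns the number of bytes overwritten per pass; the file itself is kept so
    that the result can still be inspected."""
    if passes < 1:
        raise ValueError("passes must be at least 1")
    size = os.path.getsize(path)
    with open(path, "r+b") as fh:
        for _ in range(passes):
            fh.seek(0)
            remaining = size
            while remaining > 0:
                n = min(CHUNK, remaining)
                fh.write(secrets.token_bytes(n))
                remaining -= n
            fh.flush()
            os.fsync(fh.fileno())   # push the overwrite to the device, not just the cache
    return size

def overwrite_and_remove(path: str, passes: int = 1) -> int:
    """Overwrite, then unlink. A plain delete only removes the directory entry; the
    data blocks stay on the medium until something else happens to reuse them."""
    size = overwrite_file(path, passes)
    os.remove(path)
    return size

# Caveats (general limitations, not from the manual): journaling and copy-on-write
# file systems, SSD wear levelling and remapped sectors, and back-up or snapshot
# copies can all retain the old contents after a successful in-place overwrite. For
# highly sensitive data on media leaving your control, the manual's advice to
# destroy the disk yourself still applies.

def demonstrate(passes: int = 1) -> dict:
    """Create a constructed file in a temporary directory, overwrite it, check that
    the original contents are gone, remove it, and report what happened."""
    secret = b"ACCOUNT 1042 SECRET\n" * 500          # 10000 bytes, constructed
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "customer-list.txt")
        with open(path, "wb") as fh:
            fh.write(secret)
        size = overwrite_file(path, passes)
        with open(path, "rb") as fh:
            after = fh.read()
        os.remove(path)
        return {"size": size,
                "original_gone": b"SECRET" not in after,
                "length_kept": len(after) == len(secret),
                "exists_after": os.path.exists(path)}

if __name__ == "__main__":
    print(demonstrate(passes=2))
```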
TRANSPORT in Local Area Network (LAN)
TRANSPORT in Wide Area Network (WAN)
TRANSPORT of media
| Threat | Prevention method |
|---|---|
| Loss of confidential or secret information during transport | Transport media in sealed envelopes or locked boxes. Cryptography should be used for confidential information. |
| Manipulation of media during transport | As above, and an electronic seal (cryptologic checksum) on the information. |
| Total loss of media during transport | Never leave media unattended in cars etc. |
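The 'electronic seal (cryptologic checksum)' recommended against manipulation of media in transport (here and in 5.2 and 5.3), and the 'checksums' on sensitive production software in 5.4, can both be implemented as a keyed message authentication code. This is an added example, not the manual's code; it uses HMAC-SHA256 from Python's standard library, and the key and file contents are constructed for the example.

```python
import hashlib
import hmac

# Constructed key for this example. In use, generate it with secrets.token_bytes(32),
# hand it to the sender and the authorised recipient by a separate route, and keep it
# off the media and away from the staff who handle the media.
SEAL_KEY = hashlib.sha256(b"constructed example key, not for real use").digest()

# Constructed files as they were sealed before dispatch (or before installation).
SENT = {
    "payroll.dat": b"emp=1042;salary=3100\nemp=1043;salary=2950\n",
    "ledger.dat": b"2001-03-12;credit;1500.00\n",
}

def seal(data: bytes, key: bytes = SEAL_KEY) -> str:
    """Electronic seal: HMAC-SHA256 over the information, hex encoded.
    Unlike a plain checksum stored next to the data, it cannot be recomputed by
    someone who alters the data but does not hold the key."""
    return hmac.new(key, data, hashlib.sha256).hexdigest()

def verify(data: bytes, expected: str, key: bytes = SEAL_KEY) -> bool:
    """Constant-time comparison of a freshly computed seal with the expected one."""
    return hmac.compare_digest(seal(data, key), expected)

def seal_manifest(files: dict, key: bytes = SEAL_KEY) -> dict:
    """Seal every file; the manifest travels (or is stored) separately from the media."""
    return {name: seal(content, key) for name, content in sorted(files.items())}

def check_manifest(files: dict, manifest: dict, key: bytes = SEAL_KEY) -> dict:
    """Compare what arrived (or what is installed) with the sealed manifest.
    Returns {name: 'modified' | 'missing' | 'unlisted'}; an empty dict means every
    listed file is present and unaltered and nothing extra has been added."""
    problems = {}
    for name, expected in manifest.items():
        if name not in files:
            problems[name] = "missing"
        elif not verify(files[name], expected, key):
            problems[name] = "modified"
    for name in files:
        if name not in manifest:
            problems[name] = "unlisted"
    return problems

if __name__ == "__main__":
    manifest = seal_manifest(SENT)
    received = dict(SENT)                       # what came back, with two changes
    received["payroll.dat"] = received["payroll.dat"].replace(b"3100", b"9100")
    received["extra.exe"] = b"unexpected"
    print(check_manifest(received, manifest))
    # {'payroll.dat': 'modified', 'extra.exe': 'unlisted'}
```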
STORE
| Threat | Prevention method |
|---|---|
| Loss (by copying or transfer) of information | Media should be kept in a safe place under lock and key. 'Two-man rule' for access to archives. |
| Total loss of information through theft of media | Regular back-ups of data and system files are essential. Together with the logging information, they will provide a comprehensive security information package. For back-up guidelines, see 3.6. |
6. International work groups
The European Commission has recognised the need for a comprehensive approach
to information system security to protect the individual, the business community
and public administrations against increasingly sophisticated threats and combinations
of threats.
Consequently, the Commission took the initiative of proposing an overall 'framework'
in which information security problems could be assessed and an appropriate
set of solutions identified and developed.
The evaluation of the security of information systems has been a key activity
in the implementation of a number of the action lines. The European
criteria ITSEC (IT Security Evaluation Criteria) and the associated methodology
(ITSEM) have been the subject of many of the INFOSEC projects. The US
evaluation criteria (TCSEC, Trusted Computer System Evaluation Criteria) are
commonly known as the 'Orange Book'. A new standard, the CC
(Common Criteria), has been adopted as the new international standard and
will replace ITSEC and TCSEC in due course. However, ITSEC and TCSEC will be used
in parallel with CC for some time.