
From left to right: D. V. Stavola, W. Gregory McCormack II, George Steffen, William H. Murray, Robert V. Jacobson, Malcolm L. Worrell.

Note: Titles and addresses of attendees can be found in Appendix B.

EDITOR'S NOTES

W. H. MURRAY

William Hugh Murray is Senior Marketing Support Administrator in the Data Security Support Programs Department of IBM's Data Processing Division. He is the author of the IBM publication "Data Security Controls and Procedures" and of five IBM training videotapes on data security. He is a contributor to several other IBM publications on data security including "Considerations of Physical Security in a Computer Environment."

He is a frequent speaker on data security topics. National programs on which he has appeared include the AICPA, IIA and the EDP Auditors Association, INFO 76 and Data Com 77. He has appeared before SHARE and GUIDE in the U.S., SEAS and the Diebold Research Program in Europe.

In 1974, he chaired the Audit Working Group of the "Workshop on Controlled Accessibility in Shared Resource Computer Systems," sponsored jointly by the National Bureau of Standards (NBS) and the Association for Computing Machinery (ACM). In 1977, he chaired the Administrative and Physical Controls session of the NBS Invitational Workshop on Audit and Evaluation of Computer Security.

In a previous IBM assignment, Mr. Murray managed the development of the security sub-system for IBM's Advanced Administrative System. This security system permits managers in 400 locations around the world to control the access of 16,000 users to the 900 transactions in 16 sensitive business applications. After ten years of operation this is still considered to be a "state-of-the-art" example of a secure system.

Mr. Murray joined IBM in 1956 as a programmer in the Boardman Road Research Laboratory in Poughkeepsie, New York. He received his Bachelor of Science degree in Business Administration in 1962 from Louisiana State University.


THE CHARGE TO THE GROUP

This session was to consider vulnerabilities inherent in remote processing and the countering controls which may be applied. All types of remote devices were to be considered with the exception of those associated with the communications network. Data communications were to be viewed as transparent. [See PART I, Section 2 for the complete charge given to this group.]

The report that follows is the consensus view of this session.


This session was asked to address the vulnerabilities inherent in remote processing and to recommend the appropriate countering controls. We were asked to consider all types of devices, but to view data communications as transparent. We were asked specifically not to consider the probability of exploitation of a vulnerability. Neither did we consider consequences. For example, in considering the vulnerability of modification of data, we did not consider whether or not anyone was motivated to do it nor what the result might be.

1.2 Audience

We have attempted to present our work in a manner that is useful to an auditor. More specifically we have attempted to present the material so that it will be useful to an auditor at the remote site.


In an attempt to give this work the longest possible useful life, we have tried to be as independent of any given technology or implementation as possible. We have attempted to view both vulnerabilities and controls in the most general terms. Therefore, specific devices, media, vulnerabilities or controls are considered only as examples or illustrations.

1.4 Limitations

1.4.1 Remote Only: In addition to treating communications as transparent, we elected to consider only those things that are under the direct control of the local (remote) management. Thus, we did not consider application or host system controls.

The auditor is cautioned that a site may be both local and remote for purposes of his audit. To the extent that a site has local applications he will also wish to review its controls as described in the report of the working group on Applications and Non-integrated Data Files.

1.4.2 Terminal Selection: We did not consider the appropriateness of the terminal for the security of the application. We assumed that security was a selection criterion for the terminal. However, the auditor is cautioned that a new application may be added to a preexisting terminal. The availability of the terminal may be the only selection criterion employed.

2. CHARACTERISTICS OF THE REMOTE TERMINAL ENVIRONMENT

2.1 General

In viewing security in the remote terminal environment, the auditor must consider those characteristics of the environment that will influence the selection of appropriate measures. The group identified three such factors. They are application, number of terminals and terminal characteristics.

2.2 Application

The biggest single characteristic influencing the risk of a system is the application or applications. A system that is used exclusively for personal computing will have different control requirements than one being used for business transactions. A system being used for application development may require still different controls. The system that is being used for all three of these may require the most stringent controls of all. The more flexibility or choice that is presented to the end user, the more rigorous must be the controls.

2.3 Quantity of Terminals

The number of terminals in the location will also influence the sensitivity and choice of controls. In general, sensitivity will increase with the number of terminals. Therefore, the auditor should expect to find a more rigorous application of controls in a multiterminal site.

2.4 Terminal Characteristics

A number of characteristics of the device itself were identified which affect sensitivity and the choice of controls.

2.4.1 Portability: Sensitivity was found to increase with the portability of the terminal. Portable terminals are more susceptible to theft. In addition they may be removed to an unsupervised site so as to avoid supervisory control.

2.4.2 Bandwidth: In general, sensitivity can be expected to increase with the bandwidth or character rate of the terminal. For example, it would be easier to mount an exhaustive attack (see paragraph 3.2.2.2, sec.3) upon the host using a paper tape driven terminal than a keyboard driven one.

2.4.3 Storage: Sensitivity will increase with the amount of local storage in the device. (Also see discussion of media, paragraph 3.3.4).

2.4.4 Value: Other things being equal, the vulnerability of a remote site will increase with the value or marketability of the terminal used.

2.4.5 Construction, Modularity and Assembly: The susceptibility of the device to theft or conversion may vary with the way it is built. For example, a nonportable device may be composed of portable modules. The value of a device may be primarily associated with one or two removable cards of chips.

2.4.6 Intelligence: The vulnerability of the host system to an exhaustive attack may be influenced by the intelligence in the remote device. For example, a local processor might be programmed to mount an exhaustive attack (see paragraph 3.2.2.2, sec.3).

2.4.7 Emanations: The susceptibility of the system to the disclosure of sensitive data to eavesdropping varies with the amplitude of signal bearing emanations as a function of the total emanations of the same type.

2.4.8 Media: Vulnerability will vary with the number and types of media supported by the device. In general, sensitivity will increase with the number of types and sensitivity of the media types employed. (See media, paragraph 3.1.3).

3. VULNERABILITIES

3.1 Targets

The group elected to view vulnerabilities of the system primarily in terms of the targets within the system, i.e., in terms of the things which might be vulnerable. Four such targets were identified: 1) data and programs, 2) media (as distinct from the data recorded on it), 3) the terminal or device, and 4) the service or capacity of the system. We believe this list of targets to be complete.

3.1.1 Vulnerabilities of Data and Programs: The group agreed that data was vulnerable to accidental or intentional, but unauthorized modification, destruction or disclosure. We believe this list of vulnerabilities to be complete.

Four characteristics of data were discussed as to their effect on vulnerability. We reached a consensus on three and were unable to agree on the fourth.

3.1.1.1 Location: It appeared to the group that the vulnerability of the data will be influenced by whether it is stored in the host, in the local device or upon external media. (Because of the assumptions (see paragraph 1.4), only external media at the local (remote) site were treated.) The feeling of the group was that data on external media were most vulnerable to disclosure, but that data stored in the device or host were more vulnerable to modification or destruction. Vulnerability of data on external media will vary with the media (see paragraph 3.1.3). Data in the host were considered to be safer (from vulnerabilities influenced by the remote site) than data in the local device.
