1 Information
This document is a collection of standards, procedures, and ways of working as used at the present time within Company that are being used to uphold the level of security as far as this is implemented.
Security is necessary for everyone and everything that is working with confidential information and should therefore also be everyone’s responsibility.
This document has been written as an attempt to shed some light on these responsibilities and to point out to people what responsibility they have regarding security.
2 Physical security
Information should never be physically accesible to 3rd party that shouldn’t have access to them,
It may be clear that confidential documents that are stored in a fire and burglar proof vault is no good if there’s a second copy lying somewhere on your desk or in even a worser case somewhere on a remote printer.
This applys to many cases , like physical access to file and application servers should be prohibited to anyone except for people that are truly authorised to have acces to these locations and machines.
If in any case people need to be on a location where materials or machines as mentioned above are located it is absolutely important that they are always accompanied by someone that is authorised to access such a location.
If a fileserver is 100% secured with all the neccessary policies it is still vulnerable if someone has physical access to the machine and restarts it with a floppydisk with a simple tool to reset the administrator password.
Such a tool is free to download from the internet and could allow someone to gain administrative control to such a machine in a bink of an eye.
Even the most tightly designed secure password policy is obsolete and unuseable as soon as people start using sticky notes attached to the monitor or the backside of the keyboard containing their password.
3 Current situation Company
3.1 standard user ID / Password
The settings regarding the NT authentication at the present time are the following :
- Password expires every 90 days : A single password stays valid for 90 days
- Allow changes after 5 days : Password can be changed only after 5 days.
- Force strong password policy : Passwords must contain a special character and 1 capital.
- 12 passwords history : User is not allowed to reuse the last 12 password.
The settings regarding the Unix authentication at the present time are the following :
- Password expires in 180 days : A single password stays valid for 180 days
- Password should be >=6 characters : Passwords need to be at least 6 Characters.
- Usage of special chars : A password needs to contain 1 number and 2 special chars.
- Username/password : The password may not be the same as the username
3.2 NT Share and file Security settings
On several shares and fileservers access has been implemented in the following way :
Share = single group access, NTFS = everyone full control
Access has been granted to a share through share level security after which anyone has fully read/write/deletion access to the files and directories that resides in this share.
When someone could get passed the sharing security (for example through third party file sharing, FTP) they could gain complete control over this directory and everything below this directory.
3.3 System and functional accounts / passwords
At the present time there are several functional user accounts active on windows authentication level :
The reason some users are member of more than one group is due to the fact that authorisations could differentiate at certain levels and certain parts of the infrastructure.
4 Access to buildings and rooms
Access to buildings and rooms takes place through badges with magnetic keys, numberlocks or regular keys
In the server room there’s a logbook which should be filled out properly at every visit of this room, information logged should be at least date, time of arrival, time of departure and the reason of the visit.
4.1 Company buildings
Building | Location | Contact | Remarks |
4.2 Rooms
Room | Location | |
Serverroom | Access by using Cardreader | |
Tape vault | Access by using key | |
Software vault | Access by using key (Keylocker Douglas) | |
Storage Room | Access by using key (Keylocker Helpdesk) | |
Sys. Admin room | Access by using key (Keylocker Server room) | |
Helpdesk | Access by using personal keys helpdesk employees |
5 Handling and storage of Backups and media
5.1 Information backup
To secure critical data it is neccessary to store this kind of information on a secondary (backup) medium.
At the moment the media used for this type of storage is tape , the physical tape formats used at the current time.
5.2 Backup schedule
Data backups at the moment are done with the GFS+ rotation schema
(Grandfather-Father-Son), this schema works as following :
Monthly backup (G) : Full backup , is contained for 12 months before it will be overwritten by the monthly backup 12 months later.
Weekly backup (F) : Full Backup is contained for 4 weeks before it will be overwritten by the weekly backup 4 weeks later.
Daily backup (S) : Differential backup, is contained for 14 days before it will be
overwritten by the daily backup 14 days later.
The plus sign means that this is an extended GFS schema since the normal scheme will only have 1 set of daily backup tapes meaning that every Monday the tape of last Monday will be reused.
The extended scheme allows you to use for the odd weeks and even weeks a different set of tapes giving you the ability to go back 2 weeks with daily backups and thus enhancing the restore possibilities in case of problems with the data.
5.3 Lifecycle and termination of backup media
To keep the reliability as high as possible it is neccessary to exchange tapes before they are worn out and end of life (lifecycle varies with type and brand of each tape)
At the current time we are not exactly keeping record of tape lifecycle and are also not actively replacing tapes that have reached the end of life status
The lifecycle of a tape is not measured in time units or number of times data has been written to it, but in tape uses.
This tape uses are f.e. : loading, unloading , winding, rewinding, backup, restore and will increase up to ten or more uses for each restore or backup that the tape is being used.
When tapes finally reached their end of life status , they will be stored in the vault or serverroom and occasionally a tape is rendered unuseable thrown away in a regular trashcan.
5.4 Restore possibilities
When is data to be ensured of a valid backup and for how long is this backup available :
Files that are on the server between Monday morning and Friday afternoon :
These files are only stored on the daily tapes from Monday, Tuesday, Wednesday and Thursday of tapeset #1 or tapeset #2 and they will be available for 14 days before their content will be overwritten with a new backup.
Files that are on the server between Friday afternoon and Monday morning :
These files are only stored on the week tape of the specific week and they will be available for 4 weeks before their content will be overwritten with a new weekly backup.
Files that are on the server on the last weekend of the month :
These files are only stored on the month tape of the specific month and they will be available for 12 months before their content will be overwritten with a new monthly backup.
5.5 Guidelines regarding storage of data on the fileserver :
- Data that is not stored on the server for at least 1 night (mo / fr) will not be available on tape.
- Data that is not stored on the server for at least 1 Friday will be upmost retrievable for the next 5 days.
- Data that is not stored on the server at the last Friday of the month will be upmost retrievable for the next 4 weeks.
Adittionally to the above mentioned backup facilities the following extra options are available for data backup and/or restore :
5.6 Transport and storage of backup media
Backup tapes are changed on a daily basis and are stored in a break and fireproof vault, this vault is stored in the same building as were the server room resides.
Transport of the tapes is always done while accompanied by on of the system administrators who are responsible for the backup.
If for any reason the tapes are not directly stored in the vault, thay are not accessible for unauthorized people other than those who have physical access to the serverroom through a badge with special clearance.
Adviseable is to store the tapes as soon as possible after a succesful backup in the vault because in case of a fire or any other event the risk of losing data is much bigger if both the server and the backup media is stored in the same room / location.
6 Securing the information
6.1 Clean desk
To keep company information accessible to restricted people only one should keep in mind that this information should not be left unattended in any unsecure area.
To give an example:
Desk : Never leave critical information on your desk when you leave your room (even if it is only to get a cup or coffee or if you are called away for just a minute)
Printer : Ensure yourself that whenever you are sending documents to a printer that the selected printer is the correct one , and you should not forget to pick up the output from your printer immediately.
You can however when printing to the new Canon machines print into a mailbox , and starting the printjob from the user console of the printer (Make sure the mailbox is password protected otherwise it’s still not secure).
Faxes : Whenever an incoming fax arrives containing confidential information you should make sure that this information is removed from the fax right away . When sending a fax one should check and doublecheck that the correct faxnumber is dialed where the fax has to be sent to (both internal or external phonenumbers)
Email : By sending an email you should ensure yourself that the addressee is correct and when you send a reply that you send it to the originating sender only and not using the reply to all in case you don’t want everyone on the cc list to read the information also.
Whiteboards : In case you use a whiteboard to write down confidential information (schema’s , telephone numbers etc etc) make sure that when leaving the room make sure the board is wiped properly.
One should be aware that the contents of a whiteboard are easily read by someone passing by down the hall or even from outside through a window during and after working hours.
Flipover / Overhead projector : After giving a presentation you shouldn’t forget to take care of information in the location the presentation was given. One should think about things like flipover pages containing confidential information or transparencys used for doing a presentation with the use of a overhead projector.
6.2 Computer equipment
When leaving the office after finishing your job you should assure yourself that you leave no computer equipment accessible for unauthorized persons.
Laptops removed from your desk , removed from the dockingstation and locked inside a cabinet or drawer. If your laptop gets stolen it could be a valuable source of information on the company or department you’re working for.
Usually the data stored on a stolen machine is much more valuable than the machine itsself.
Make sure that desktop computers do not contain any floppy or cd-rom disks with critical data when leaving them unattended because even if your PC is locked it is possible to eject a disk and take away the disk containing the data.
When writing critical data onto a CD or DVD and due to a write error the media is (or at least seems to be) unuseable do not throw the disc into a trashcan because if someone picks the disc up the odds that this disc still is (partially) readable through the use of freely available specialised tools to provide this functionality are very high.
The same goes for floppy disks that are (seemingly) rendered useless because of aging.
One should realise that even after a reformat the floppy contains in most cases enough magnetic residu to recover data that was on the floppy before it was (re)formatted.
All machines should be shut down after working hours because of several reasons like energy savings, fire hazard and dataloss unless they are in some way exceptional.
As an example for exceptional PC’s are :
Servers, build PC’s, monitoring PC’s and other machines that are running scripts or big calculations.
A PC that was instantly disconnected from power without being properly shutdown has a very great chance to have corrupted files or even the whole disk could turn out to be corrupted.Worst case scenario the system files could get corrupted rendering this machine unuseable without reinstalling the system and restoring a (hopefully made) recent backup of the data stored on that machine.
6.3 Hardcopy’s and output
Usually when walking to the printer picking up your output you’ll notice a pile of printed documents lying on and around the printer , simply because people do not pick up their output or only after days.
Ofcourse it is for the company’s best , and therefore for everyone’s best that there is no critical information lying around at or near the printer where anyone can read of steal the information without being suspicious.
Environmental protection is a good thing but for the people that have no good intentions it is a lot easier to browse through the information tossed into the paper basket instead of a garbage can.
It should be clear that only paper with no critical information belong in such paper baskets, because especially for critical and sensitive information there are containers that are locked and are reliable destroyed by a certified company like the ‘datazeker’ concept officially certified by the dutch FNOI as used by SITA.
People do think that destroying documents by using a shredder is a safe way to destroy critical information but sadly this is not the case, simply because there are shredders that leave pieces of paper that are big enough for someone to be puzzled out.
The shredder would improve overal security if the output of the shredder would be deposited in the locked container so that there is a extra level of security if such a container would be opened and it’s contents would be stolen.
7 Patching Hardware and Software
7.1 Introduction
With the introduction of each new version of an Operating System (Hereafter O/S genoemd) or application it is almost impossible to prevent a large number of bugs and vulnerabilities that are being introduced with such a release.
Many of these kind of problems are not discovered right after the introduction of the O/S or software release version.
Even after several years there are vulnerabilities discovered that compromise security and availability on such releases.
The same goes for hardware although in the case of hardware the problems mostly arise because of the combination of older hardware and new software or O/S.
For example a SCSI host adapter which works flawlessly under a certain buildlevel of an O/S , and after patching the O/S the SCSI subsystem does not work (properly) anymore which could render windows to be unstartable.
When the O/S doesn’t boot up anymore the chance to repair or uninstall it is almost an impossible task
A real life example of such an issue was the installation of the Post SP6a Security Rollup Patch which after installation on a windows NT 4 machine with a intellimouse driver.
If the driver version is lower than a certain level the machine will boot up after it has been patched but with one minor problem which is that the mouse and keyboard drivers both don’t work anymore.
Installing a new driver whilst the mouse and keyboard are not functioning becomes a difficult task if possible
The right way to proceed :
Whenever a (O/S or software) patch has been released, one should investigate of this particular patch is valid for the soft and hardware currently used in our comapny. (this goes for both servers and workstations) in the (or connected to) the EMT domain. And if this is the case there has to be an impact analysis done on this patch and the systems that should receive this patch.
Even if there is no direct need to install a patch it is in most of the cases wise to install it (Remember ‘Code Red’ which used a vulnerability in Microsoft Internet Information Server that was reported and had a patch that was already available for over a year.
Still the worm was widely spread within days because almost no-one had their system patched with the patch provided by Microsoft).
It’s important to investigate the impact a certain patch has (or could have) on a system before implementing the patch because in certain cases the patch creates more problems than the vulnerability would ever do.
One should verify the stability of a patch before implementing it , even if the supplier tests the patch on 100 or 1000 systems it does not give you any warranty that the patch will work on the setup as we currently have.
Verifying is possible in 2 ways :
- Installing the patch on a system that is not used as an operational system but with the exact same specs as the operational machine has. (Test server)
- Researching and reading information on the internet, several sites that are maintaining knowledgebases on patches and vulnerabilities are :
o http://www.cert.org
o http://www.security.nl
But also websites from suppliers like Network Associates (Mcafee), contain valuable information about functionality and reliability of the patches that have just been released.
What action to take under wich circumstances is very difficult to predict especially since the diversity and the complexity of the subject.
Still i want to try to shed some light on the direction you should take when patching any of the components whithin the Company infrastructure.
7.2 Patch policy & Instruction
To keep yourself informed about security breaches and the patches released for those breaches it is neccessay to keep yourself informed by using several resources that are providing information on this subject.
One should consider websites like Cert.org, Microsoft.com, Webwereld.nl, Tweakers.net en Security.nl that are a enormous resource of information regarding virusses and security breaches, second is the possibilty to subscribe yourself to several newsletters that deliver this kind of information right at your desk so to speak.
Some examples of those publications are newsletters from Webwereld, CERT, Security.nl and from Microsoft itsself.
Whenever a patch is released it is neccessary to determine the impact and the and the risk that comes with applying such a patch.
One could divide the patches into 3 levels.
- Severity #1 :If a patch is not applied directly there is very large chance that the availability of the component or even the complete infrastructure will be endangered.
- Severity #2 :If a patch is not applied directly there is only a slightl chance that the availability of the component or even the complete infrastructure will be endangered and waiting for a tactical moment to apply such a patch is possible.
- Severity #3 :this type of patches are in no way crucial because there is no issue with availability because there are no bussinesscritical parts involved or they repair elements that aren’t active.
All patches that have Severity #2 & #3 should be installed as far as possible during a service window. Advantage of applying patches during servicewindows is the fact that the machine can be brought down to create a backup or image for doing a simple rollback in case applying a patch ends in a disastrous way.
Severity #1 patches should be at least applied during non office hours to keep downtime as much as possible outside of the support window.
One of the biggest disadvantages of applying patches directly is that there’s no room investigating responses and reports from other people that have applied the patch already and what the impact was on their environment. (This is a kind of saying that rushing into patching your systems could not always be wise)
7.2.1 File and application servers (SUN / Microsoft)
- Patches with Severity #3 , only during a service window once in one or two months and only after having a 100% certainty that applying this patch only fixes problems and that there are no issues introduced when applying this patch.
- Patches with Severity #2 , only during a service window and only after having a 100% certainty that applying this patch only fixes problems and that there are no issues introduced with hardware, O/S or applications on the machine when applying this patch.
- Patches with Severity #1 , preferrably during a service window but at least after office hours (17:00) It is almost impossible to get ensured if the patch is stabile and 100% functional. Therefore a choice has to be made between applying the patch immediately and taking the risc that the remedie is even worse than the risc, or to wait until there is more certainty that applying this patch only fixes problems and that there are no issues introduced with hardware, O/S or applications on the machine when applying this patch.
- Before applying a patch one should at least try to have a (tested / proven) rollback scenario in place , by using a Ghost image or a disaster recovery backup of the machine(s).
- If the choice is given to you you should always backup the current files while applying a patch, if the patch was not successful and the system at least still boots the easist way to do a rollback is a complete uninstall of the last applied patch.
7.2.2 Hardware
To ensure yourself that a device or a part of a device will not be rendered useless after a patch it is important to visit the vendor’s website to see if there are newer drivers or firmware’s released for it.
This does not imply that every driver or firmware upgrade is neccessary and has to be installed simply because the principle ‘if it ain’t broke, don’t fix it’ also applies here !
But a firmware or driver update contains most of the times a readme document that tells you why the fix is released and this info is important simply if an upgrade is afterwards done because of dependencies while applying a patch on an O/S
8 Disposal of obsolete / aged materials
Like mentioned several times before , for different kinds of materials there are different requirements and ways of disposal to make sure that the information stored on these materials does not get into the wrong hands.
8.1 Hardware
Disposal of defect and / or obsolete hardware should be done very carefully because of the possibility to retrieve data from a presumed clean system.
A harddisk that has crashed is supposed to be rendered unuseable and will be disposed into a trashcan , allthough with the use of proper tooling in a qualified cleanroom usually 99% of the readable data is retrieveable
Allthough using a specialized lab in a cleanroom is expensive one can image that corporate espionage can be a very profiteable bussiness and like this could be an easy way of making money.
So simply throwing a defect harddisk into a trashcan is a very tempting and easy way to retrieve company information which should not be the case.
Also selling or giving away old and obsolete PC’s should be done while considering that there are rules that one should keep in mind while doing so.
Assumeable is that when a PC is transferred to a employee of the company the abuse of the system (and information on it) will not be done simply because of the employee’s attachment to the company.
But experience tells us that a lot of computers transferred to employees will not be used directly by them but are sold or given away to friends or relatives, or a stranger is installing the PC for them.
Erasing a harddisk is not enough to get rid of the data that once existed on the harddisk, formatting a drive will clean the visible and retrieveable data , but this gives you a feeling of security that is not completely true.
Because of the fact that even a formatted disk still contains enough magnetical information to give away lots of information if it is properly treated.
In most cases it will be neccessary to null (write the complete data area with data like only zero’s) such a drive before it can really be considered as safe, there are special programs that can do this for you or you can use a simple script which repeat a copy over and over again until the disk is complete filled.
Old matrix and or daisywheel printers could also be a risk for leaking confidential information to whomever gets his hands on the printer or the ink ribbon.
In some cases the last typed text can literally be read off of the inkt ribbon simply because the impact of the printhead is so visible that with some patience text can literally be read of the ribbon as produced on paper at that time.
8.2 Software & Media
When software expires one should take care that software has to be seperately disposed from all other obsolete material.
Example : If with such software is also a client regsitration number and/or access code for a support website or for support by phone , this could allow people to request or even change information about the registrar by phone or website.
Also the chance that any written info in manuals (passwords, access ports, ip addresses etc) gets into wrong hands so one should ensure of the contents of such a piece of software before the box is disposed.
Floppy’s, CD-rom’s, zip disks, Tape’s and all other media needs to be rendered unuseable at all occasions before it should be disposed.
This can to a certain level be done by yourself (Cutting CD’s, Floppydisks and Tapes in pieces) but to ensure a 100% quality this should be done by an especialized and reliable company where the obsolete media is burnt in special ovens.
However it’s always okay to do the first actions yourself before sending it to such a specialized company to narrow the chance that critical business information gets into wrong hands.
Whenever you have media that may contain confidential information you can hand this over to Facility mgt. which will ensure the proper disposal of the materials.
8.3 Printer output and other hardcopy’s
Although it is every company’s dream to have a completele paperless office , in reality this is far from being the case in most of the company’s.
All the information on paper piles up and soon this will reach the ceiling , simply because every (small) change in the digital version of a document renders the hardcopy useless simply because it is not up to date anymore.
This document is ready to be disposed into the papertrashcan , unless there’s sensitive information inside the document(s).
The same goes for email, people do intend to read easier from paper than from the screen so lot’s of emails are sent to the printer. When read the hardcopy will be stored, archived or disposed into the papertrashcan, unless …..
So it’s not wise to dispose paper or documents which has sensitive information stored on it into a wastebucket, trashcan or regular papertrashcan.
Every hardcopy or document that contain sensitive information should be disposed in specially locked papercontainers that will be transported and destroyed by a specialised company which ensures that the sensitive information cannot get into wrong hands.
Many people think that using a (low budget) shredder to dispose documents that have sensitive information stored on it while this is sadly not always the case.
The shreds that such a machine creates are in some cases big enough to recreate the information , especially someone that loves to puzzle this will be an easy challenge ;-).
However using a shredder before disposing such documents into the specially locked paper containers is an extra level of insurance that the sensitive information on such documents will not fall into the hands of people with bad intentions.
8.4 Office furniture
For old office furniture there are always people that are interrested to take away such obsolete items.This goes for people working at the company but also for third party people.
Unfortunately there’s no guarantee that unitendedly left documents in drawers or cabinets are treated with the neccessary care by the new owner of the furniture.
Experience teaches me that in much cases unneeded documents are left behind in drawers and cabinets simply because they are no longer needer by the owner , and instead of disposing it properly it is left behind for the next owner of the furniture.
I myself have found several cad drawings of components from the Company products inside a cabinet which has been moved by third party movers into the new location where we moved to.
This type of information can be very valuable for the right people and this should never have taken place like this.
Always ensure yourself that whenever you have obsolete furniture that will be removed or stored that there is nothing left behind in drawers and/or cabinets.
Even if the information is old and obsolete it can be usefull or compromitting if it fells into wrong hands.
8.5 Data from servers and PC’s
With the disposal of all kinds of materials one should also keep in mind the disposal of data when an employee leaves the company (voluntarily or forced)
The following precautions should be taken as soon as the employee is voluntary leaving and his job is finished :
- Block / remove Mail account and personal mail archive on the server.
- Block / remove NT user-account.
- Block / remove Unix user-account.
- Block / remove PDS account.
- Remove data from the personal homedrive of the user.
- Remove personal data from the projectdrives..
- Change passwords and user-id’s that are (or could be) compromised.
Whenever a employee is instantly fired or whenever a employee has to leave as part of a reorganization and has to leave the company it is wise to take some or perhaps all actions right away.
This way the risk of an angry employee compromising functionality or stealing bussiness critical information is minimized.