marchany@vtserf.cc.vt.edu (Randy Marchany) (05/21/91)
I posted a query a while ago asking about other sites' policies on setting computer usage policies. I received a number of replies and thought I would summarize the major points here to start the discussion. We are a major university in VA and are responsible for maintaining a mixed vendor OS environment (IBM, DEC, Sun, HP, DG, Next, Apple). We also have an extensive workstation network. We are currently teaching system management seminars and one of the things we want to impress upon the new system managers is responsible user behavior. So with this intro, this is a summary of the internet responses we received.

1. The IETF has a security policy working group that is putting together a "guidebook" for setting security policies at internet sites. This guide book is geared toward the system managers at a particular site. The working draft is available via anonymous FTP from cert.sei.cmu.edu under the pub/ssphwg directory. I have a copy of it and it is quite helpful. A brief outline of the document is:

   I. Establishing official site policy on computer security/use.
      A. Who makes the policy? What are their responsibilities?
      B. Risk Assessment - Don't spend more on security than what you're protecting is worth.
      C. Define authorized access to computing resources.
      D. Handling Policy Violations.
      E. Publicizing the policy.
  II. Establishing procedures to "prevent" security problems.
      A. System security audits
      B. Account management procedures
      C. Configuration management procedures
      D. Procedures for recognizing unauthorized activity.
      E. How to deal with unauthorized activity
      F. Communicating lessons learned
      G. Resources to prevent security breaches
 III. Incident Handling
      A. Evaluation
      B. Types of notification
      C. Response
      E. Legal/Investigative
      F. Documentation Logs
      G. Establishing post-incident procedures

At the university level, it is important to establish a uniform policy for the entire university. While the political ramifications of the previous sentence are obvious, a useful argument to adopt such a policy is that of liability. The statement need not be specific, but can be a general statement such as: "computer usage at XXXX must not be contrary to international, Federal, state and local laws." and it should contain specific references to the laws. Some of these laws are: the Computer Fraud and Abuse Act of 1986, 18 USC section 1030, the Computer Virus Eradication Act of 1989, HR5061, HR55 (amendments to USC 18, sect. 1030), Interstate Transportation of Stolen Property, 18 USC sect. 2314, the VA Computer Crimes Act, VA Article 7.1.

With the general statement in place, a series of statements on Computer Use/Access can be drawn up citing more specific examples of unacceptable behavior, penalties, etc. and these can be used for training/education. The three main areas of setting up a policy are 1) defining the policy 2) teaching your users the policy 3) enforcing the policy.

One way of being able to verify that the policy was given to the user is to have them sign a form stating that they are aware of the policy. This gives the sysmgr proof that the user was aware of the policy. A number of sites sent me copies of their "user" forms. While it is a paperwork nightmare, it is a sure way of defining your user community. It is more work but the burden of proof will be on us and so I think it's worth it in the long run.

My main concern is in section III.E,F of the above outline. I'm sure some of you have run across an employee/student who sends obscene mail thru the net. I'm sure there are a number who couldn't do anything to the offender because the logs were not secure. There needs to be some type of training program/document from the police/FBI agencies that can help system managers collect, protect and document any evidence of abuse in a manner that won't be subject to challenge in court. The "chain of evidence" is crucial to successful prosecution yet, I'd be willing to bet that 95% of all sysmgrs don't know how to preserve it. Are there any agencies that provide training seminars to sysmgr types?

Well, I've said enough for now. Hope this gets the ball rolling.

-Randy Marchany
VA Tech Computing Center
Blacksburg, VA 24060
Internet: marchany@vtserf.cc.vt.edu
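The post above raises the problem of logs that were "not secure" and of preserving a chain of evidence. As an added illustration (this code is not from the thread, and none of the posters describe any particular tool), the following Python script shows the minimum a system manager can do at collection time: hash each log file, write a manifest recording the hashes and an append-only custody record, and re-verify the files later so that any change since sealing is detected. The mail log lines, the file names and the custodian names are constructed for the example.

```python
"""Hypothetical evidence-preservation helper (added example, not from the thread).

Seals a set of log files under a SHA-256 manifest, keeps an append-only
custody record of who handled the material, and re-verifies the files
later so that any change since sealing is detected.
"""
import hashlib
import json
import tempfile
import time
from pathlib import Path

# Constructed sample log lines standing in for a mail log gathered during an
# abuse complaint; these are not real records.
SAMPLE_MAIL_LOG = """May 20 14:02:11 host1 sendmail[4711]: from=<userA>, size=812, relay=localhost
May 20 14:02:12 host1 sendmail[4711]: to=<userB>, stat=Sent
May 20 14:05:40 host1 sendmail[4720]: from=<userA>, size=790, relay=localhost
"""


def _now():
    return time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime())


def sha256_file(path):
    """Hash a file in chunks so that large logs need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def seal_evidence(files, manifest_path, custodian):
    """Write a manifest (name, size, SHA-256 per file) plus an opening custody entry."""
    entries = [{"file": Path(p).name, "size": Path(p).stat().st_size,
                "sha256": sha256_file(p)} for p in files]
    manifest = {
        "sealed_at": _now(),
        "entries": entries,
        "custody": [{"who": custodian, "action": "sealed", "at": _now()}],
    }
    Path(manifest_path).write_text(json.dumps(manifest, indent=2))
    return manifest


def record_custody(manifest_path, who, action):
    """Append a custody event (handoff, copy, review) and return the record length."""
    m = json.loads(Path(manifest_path).read_text())
    m["custody"].append({"who": who, "action": action, "at": _now()})
    Path(manifest_path).write_text(json.dumps(m, indent=2))
    return len(m["custody"])


def verify_evidence(directory, manifest_path):
    """Return {filename: 'ok' | 'modified' | 'missing'} for every sealed file."""
    m = json.loads(Path(manifest_path).read_text())
    result = {}
    for e in m["entries"]:
        p = Path(directory) / e["file"]
        if not p.exists():
            result[e["file"]] = "missing"
        elif p.stat().st_size != e["size"] or sha256_file(p) != e["sha256"]:
            result[e["file"]] = "modified"
        else:
            result[e["file"]] = "ok"
    return result


def demo():
    """Seal a constructed log, verify it, trim it as a tamper simulation, verify again."""
    with tempfile.TemporaryDirectory() as d:
        log = Path(d) / "maillog"
        log.write_text(SAMPLE_MAIL_LOG)
        manifest = Path(d) / "manifest.json"
        seal_evidence([log], manifest, "sysmgr")
        record_custody(manifest, "sysmgr", "copied to write-once media")
        before = verify_evidence(d, manifest)
        # Simulate a line being removed from the log after it was sealed.
        log.write_text(SAMPLE_MAIL_LOG.splitlines()[0] + "\n")
        after = verify_evidence(d, manifest)
        custody_len = len(json.loads(manifest.read_text())["custody"])
        return before, after, custody_len


if __name__ == "__main__":
    print(demo())
```

The manifest itself is only as trustworthy as where it is kept, so in practice it would be written to media the suspect cannot reach (write-once media or a separate host), and the custody record is what lets a sysmgr later state who had the material and when.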
kadie@m.cs.uiuc.edu (Carl M. Kadie) (05/21/91)
marchany@vtserf.cc.vt.edu (Randy Marchany) writes:

[...]
>My main concern is in section III.E,F of the above outline. I'm sure
>some of you have run across an employee/student who sends obscene mail
>thru the net. I'm sure there are a number who couldn't do anything to
>the offender because the logs were not secure.
[...]

Are you using the word "obscene" in its legal sense (i.e. Miller vs. California, 1973)? Or do you mean harassment?

- Carl
--
Carl Kadie -- kadie@cs.uiuc.edu -- University of Illinois at Urbana-Champaign
marchany@vtserf.cc.vt.edu (Randy Marchany) (05/21/91)
In article <1991May21.043947.20481@m.cs.uiuc.edu> kadie@m.cs.uiuc.edu (Carl M. Kadie) writes:
>Are you using the word "obscene" in its legal sense (i.e. Miller vs.
>California, 1973)? Or do you mean harassment?

I'm not familiar with Miller vs. CA, 1973 and am not concerned with defining what is "obscene" or not. I feel that is for the local courts to decide. So, I guess I would say that "harassment" is the more general term that covers what I was trying to say. The VA code doesn't specifically contain any reference to "harassment" but it does have a section on "personal trespass by computer" that mentions using a computer or computer network w/o authority and with the intent to cause physical injury to an individual.

Again, that's not the main point of my discussion. I'm more concerned that *in the event* of a violation such as sending harassing mail, and AFTER confronting the individual and asking them to stop and AFTER all the other recourses have been taken, leaving the sysmgr with only the legal enforcement option, that the sysmgrs are NOT trained in proper evidence collection techniques that can hold up to court scrutiny. Sending harassing mail is just an example; other examples include using userids other than your own, using CPU time w/o authorization, etc.

The question of illegal userid access is of concern. As you know, there are password checking programs readily available on the net. As you also know, sysmgrs are not going to be the only ones getting copies of these. How do you "prosecute" someone who uses such a program to gain access to userids at your site? Do you make your "real" user responsible for ensuring that they have a reasonably secure password?

With respect to Universities, there are numerous examples (see the STGEORGE index at UNMVM listserv) of individual departments formulating computer usage policies. This is usually as a result of the lack of university-wide policies that SPECIFICALLY relate to computer abuse.

Another poster mentions the evolvement of university regulations. I agree with his statement. I think the creation of a single uniform policy statement eliminates any confusion. The real issue for creating such a statement is NOT the enforcement per se but rather teaching the ethics of computer use. The enforcement of the policy is the LAST recourse in handling suspected violations.

-Randy Marchany
VA Tech Computing Center
Blacksburg, VA 24060
INTERNET: marchany@vtserf.cc.vt.edu
mcovingt@athena.cs.uga.edu (Michael A. Covington) (05/22/91)
"How do you prosecute someone who steals passwords? ... Do you make the real user responsible for choosing a secure password?"

No. As long as there _is_ a password, intruders will know they are unwelcome. It's like having a lock on your door. The lock can be picked. Its purpose is not to make the door impenetrable; its purpose is to make sure that anyone who gets in will know he's not welcome.

We _urge_ our users to use secure passwords. But if they don't, we still don't "blame the victim." An intruder is an intruder.

In my view the single biggest need in computer security today is to raise people's awareness of the _human_ element: trust, responsibility, and accountability. I don't buy the idea that passwords are basically a video game for hackers, which is what hackers consider them to be.

--
-------------------------------------------------------
Michael A. Covington   | Artificial Intelligence Programs
The University of Georgia | Athens, GA 30602 U.S.A.
-------------------------------------------------------