Content-Type: multipart/related; start=<op.mhtml.1238058240911.6ce2fb5729566448@10.35.205.123>; boundary=----------lLgrBUPauw5v56O28k2TcN
Content-Location: http://www.itl.nist.gov/fipspubs/fip191.htm
Subject: =?utf-8?Q?FIPS=20191=20-=20Guideline=20for=20the=20Analysis=20of=20LAN=20Security?=
MIME-Version: 1.0

------------lLgrBUPauw5v56O28k2TcN
Content-Disposition: inline; filename=fip191.htm
Content-Type: text/html; name=fip191.htm
Content-Id: <op.mhtml.1238058240911.6ce2fb5729566448@10.35.205.123>
Content-Location: http://www.itl.nist.gov/fipspubs/fip191.htm
Content-Transfer-Encoding: Quoted-Printable

<html><body bgcolor=3D"FFFFFF"><title>FIPS 191 - Guideline for the Analy=
sis of LAN Security </TITLE> <A NAME=3D"FIPS_TOP"> <hr> <center>Return t=
o the FIPS<br>  <a href=3D"index.htm" target=3D_top">Home Page</a></CENT=
ER> <hr> <b>FIPS PUB 191</B><br> <center>Federal Information<br> Process=
ing Standards Publication 191<p> 1994 November 9<br></CENTER> <b><center=
>Announcing the Standard for</CENTER></B> <br> <center> <h1>GUIDELINE FO=
R THE ANALYSIS OF LOCAL AREA NETWORK SECURITY</h1></CENTER> <menu> <A HR=
EF=3D"#FORE_SEC">(The Foreword, Abstract, and Key Words</A><br> can be f=
ound at the end of this document.) <br> </MENU> <h5> Federal Information=
 Processing Standards Publications (FIPS PUBS) are issued by the Nationa=
l Institute of Standards and Technology after approval by the Secretary =
of Commerce pursuant to Section 111(d) of the Federal Property and Admin=
istrative Services Act of 1949, as amended by the Computer Security Act =
of 1987, Public Law 100-235.</h5> <p> <b>1.     Name of Guideline.</B>  =
Guideline for the Analysis of Local Area Network Security. <p> <b>2.    =
 Category of Guideline.</B>  Computer Security, Risk Analysis and Contin=
gency Planning. <p> <b>3.     Explanation.</B>  This guideline discusses=
 threats and vulnerabilities and considers technical security services a=
nd security mechanisms.  The use of risk management is presented to help=
 the reader to determine LAN assets, to identify threats and vulnerabili=
ties, to determine the risk of those threats to the LAN, and to determin=
e the possible security services and mechanisms that may be used to help=
 reduce the risk to the LAN. <p> <b>4.     Approving Authority. </B> Sec=
retary of Commerce. <p> <b>5.      Maintenance Agency.</B>  Department o=
f Commerce, National Institute of Standards and Technology, (Computer Sy=
stems Laboratory). <p> <b>6.     Cross Index.</B><dl> <dd>a. FIPS PUB 46=
-2, Data Encryption Standard. <dd>b. FIPS PUB 65, Guideline for Automati=
c Data Processing Risk Analysis. <dd>c. FIPS PUB 87, Guidelines for ADP =
Contingency Planning. <dd>d. FIPS PUB 112, Standard on Password Usage. <=
dd>e. FIPS PUB 113, Standard on Computer Data Authentication. <dd>f. FIP=
S PUB 140-1, Security Requirements for Cryptographic Modules <dd>g. FIPS=
 PUB 181, Automated Password Generator <dd>h. FIPS PUB 186, Digital Sign=
ature Standard. <dd>i. Special Publication 500-120, Security of Personal=
 Computers Systems - A Management Guide. <dd>j. Special Publication 500-=
137, Security for Dial-Up Lines. <dd>k. Special Publication 500-157, Sma=
rt Card Technology: New Methodologies for Computer Access Control. <dd>l=
. Special Publication 500-166, Computer Viruses and Related Threats: A M=
anagement Guide. <dd>M. Special Publication 500-172, Computer Security T=
raining Guidelines. <dd>n. Special Publication 500-174, Guide for Select=
ing Automated Risk Analysis Tools. </DL> Other NIST publications may be =
applicable to the use of this guidance.   A list (NIST Publications List=
 91) of currently available computer security publications, including or=
dering information, may be obtained from NIST. <p> <b>7.     Applicabili=
ty.</B>  This Guideline is a basic reference document for use by Federal=
 agencies to help in their efforts to provide appropriate security for l=
ocal area networks (LANs).  Many LANs store, process or transmit unclass=
ified but sensitive information.  Appropriate security controls should b=
e implemented in these LANs to reduce the risk to an acceptable level.  =
The guidance provided is intended to help determine cost-effective techn=
ical solutions that can, in part, provide these appropriate security con=
trols.  The use of this guidance is not mandatory and other techniques t=
hat are found more appropriate for a specific environment should be used=
. <p> <b>8.      Specifications.</B> Federal Information Processing Stan=
dards Publication (FIPS PUB) 191, Guideline for the Analysis of Local Ar=
ea Network Security (affixed). <p> <b>9.      Implementation.</B> Local =
area network (LAN) security should be addressed by Federal agencies in t=
he earliest stages of the development of a LAN.  During the design phase=
, issues should be resolved regarding appropriate protection of the LAN =
assets.  Security requirements that are identified during the requiremen=
ts analysis process can be factored into the decisions regarding the sec=
urity of the LAN.  This Guideline discusses the use of a risk-based proc=
ess that may be used to help determine the risk of the LAN.  The Guideli=
ne discusses the possible technical security services and mechanisms tha=
t may be used to reduce the risk of the LAN.  The guidance provided here=
 may also be used to help determine the security needs of a LAN that is =
currently operational; factoring in the existing security services and m=
echanisms that are implemented on the LAN into the risk-based process. <=
p> <b>10.    Qualifications.</B>  This Guideline may be used as a tool i=
n developing appropriate LAN security.  The guidance provided here focus=
es on the technical aspects of a LAN, primarily technical solutions.  As=
 more LAN security and management tools and solutions become available, =
they should be considered along with the security mechanisms discussed i=
n this document.  Because technical solutions are only one part of solvi=
ng the LAN security problem, other areas such as proper management, trai=
ning, and an effective LAN security policy should also be addressed. <p>=
 <b>11.    Where to Obtain Copies.</B>  Copies of this publication are a=
vailable for sale by the National Technical Information Service, U.S. De=
partment of Commerce, Springfield, VA 22161.  When ordering, refer to Fe=
deral Information Processing Standards Publication 191 (FIPSPUB191), and=
 title.  When microfiche is desired, this should be specified.  Payment =
may be made by check, money order, credit card, or deposit account. <br>=
<hr> <b>FIPS PUB 191</B> <p> <center>Federal Information<br> Processing =
Standards Publication 191<p> 1994 November 9<br></CENTER> <b><center>Spe=
cifications for</CENTER></B> <br> <center> <h1>Guideline for The Analysi=
s Local Area Network Security</h1></CENTER> <p> <font size=3D4><b> Conte=
nts</FONT></B><p> <dl> <dt>1 INTRODUCTION <dd>1.1 Why LAN Security is Im=
portant <dd>1.2 Purpose <dd>1.3 Overview of Document <dd>1.4 LAN Definit=
ion      <dl>      <dd>1.4.1 Distributed File Storing      <dd>1.4.2 Rem=
ote Computing      <dd>1.4.3 Messaging</DL> <dd>1.5 The LAN Security Pro=
blem      <dl>      <dd>1.5.1 Distributed File Storing - Concerns      <=
dd>1.5.2 Remote Computing - Concerns      <dd>1.5.3 Topologies and Proto=
cols - Concerns      <dd>1.5.4 Messaging Services - Concerns      <dd>1.=
5.5 Other LAN Security Concerns</DL> <dd>1.6 Goals of LAN Security <p> <=
dt>2 THREATS,VULNERABILITIES,SERVICES & MECHANISMS <dd>2.1 Threats and V=
ulnerabilities      <dl>      <dd>2.1.1 Unauthorized LAN Access      <dd=
>2.1.2  Inappropriate Access to LAN Resources      <dd>2.1.3 Disclosure =
of Data      <dd>2.1.4 Unauthorized Modification of Data and Software   =
   <dd>2.1.5 Disclosure of LAN Traffic      <dd>2.1.6 Spoofing of LAN Tr=
affic      <dd>2.1.7 Disruption of LAN Functions</DL> <dd>2.2 Security S=
ervices and Mechanisms      <dl>      <dd>2.2.1 Identification and Authe=
ntication      <dd>2.2.2 Access Control      <dd>2.2.3 Data and Message =
Confidentiality      <dd>2.2.4 Data and Message Integrity      <dd>2.2.5=
 Non-repudiation      <dd>2.2.6 Logging and Monitoring</DL><p> <dt>3 RIS=
K MANAGEMENT <dd>3.1 Current Approaches <dd>3.2 Participants <dd>3.3 Ele=
ments of Risk Management <dd>3.4 Risk Assessment      <dl>      <dd>3.4.=
1 Process 1 - Define the Scope and Boundary, and Methodology      <dd>3.=
4.2 Process 2 -  Identify and Value Assets      <dd>3.4.3 Process 3 -  I=
dentify Threats and Determine Likelihood      <dd>3.4.4 Process 4 - Meas=
ure Risk</DL> <dd>3.5 Risk Mitigation      <dl>      <dd>3.5.1 Process 5=
 - Select Appropriate Safeguards      <dd>3.5.2 Process 6 - Implement An=
d Test Safeguards      <dd>3.5.3 Process 7 - Accept Residual Risk</DL></=
DL> <p> Appendix A - LAN Security Policy <br> Appendix B - Personal Comp=
uter Considerations <br> Appendix C - Contingency Planning for LANs <br>=
 Appendix D - Training and Awareness <br> References <br> Further Readin=
g <p><br> <b>1. INTRODUCTION</B> <p> <b>1.1 Why LAN Security Is Importan=
t</B> <p> Local area networks (LANS) have become a major tool to many or=
ganizations in meeting data processing and data communication needs.  Pr=
ior to the use of LANs, most processing and communications were centrali=
zed; the information and control of that information were centralized as=
 well.     Now LANs logically and physically extend data, processing and=
 communication facilities across the organization. <p> Security services=
 that protect the data, processing and communication facilities must als=
o be distributed throughout the LAN.  For example, sending sensitive fil=
es that are protected with stringent access controls on one system, over=
 a LAN to another system that has no access control protection, defeats =
the efforts made on the first system.  Users must ensure that their data=
 and the LAN itself are adequately protected.  LAN security should be an=
 integral part of the whole LAN, and should be important to all users. <=
p> Electronic mail (email), a major application provided by most LANs, r=
eplaces much of the interoffice and even interorganizational mail that i=
s written on paper and placed in an envelope.   This envelope provides s=
ome confidentiality between the sender and receiver, and it can even be =
argued that the integrity of the paper envelope provides the receiver wi=
th some degree of assurance that the message was not altered.  Using ele=
ctronic mail does not provide these assurances.  Simple transfers on unp=
rotected LANs of inadequately protected electronic mail messages can be =
captured and read or perhaps even altered.  For some LANs, there can be =
no assurance that the message actually was sent from the named sender.  =
Fortunately tools such as encryption, digital signatures, and message au=
thentication codes help solve these problems and can help provide some a=
ssurance. <p> Understanding the necessity to provide security on a LAN a=
nd how to decide the appropriate security measures needed are major goal=
s of this document. <p><br> <b>1.2 Purpose</B> <p> The intended readers =
of this document include organizational management, LAN administrators, =
svstem administrators, security officers, LAN users and others who have =
a responsibility for protecting information processed, stored or associa=
ted with a LAN.         The purpose of this document is to help the read=
er understand the need for LAN security and to provide guidance in deter=
mining effective LAN security Controls. <p> <b>1.3 Overview of Document<=
/B> <p> <i>Section I - Introduction</I> - This section discusses the pro=
perties of a LAN, and the security concerns that result from those prope=
rties. <p> <i>Section 2 - Threats, Vulnerabilities, Security Services & =
Mechanisms</I> - This section describes threats, related vulnerabilities=
 and the possible security services and mechanisms that could be used to=
 protect the LAN from these threats. <p> <i>Section 3 - Risk Management<=
/I> - This section describes the risk management process and how it can =
be used to plan and implement appropriate LAN security. <p> <b>1.4 LAN D=
efinition</B> <p> The Institute of Electrical and Electronic Engineers (=
IEEE) has defined a LAN as "a datacomm system allowing a number of indep=
endent devices to communicate directly with each other, within a moderat=
ely sized geographic area over a physical communications channel of mode=
rate rates" [MART891.  Typically, a LAN is owned, operated, and managed =
locally rather than by a common carrier.  A LAN usually, through a commo=
n network operating system, connects servers, workstations, printers, an=
d mass storage devices, enabling users to share the resources and functi=
onality provided by a LAN. <p> According to [BARK891 the types of applic=
ations provided by a LAN include distributed file storing, remote comput=
ing, and messaging. <p> <b>1.4.1 Distributed File Storing</B> <p> Distri=
buted file storing provides users transparent access to part of the mass=
 storage of a remote server.  Distributed file storing provides capabili=
ties such as a remote filing and remote printing.   Remote filing allows=
 users to access, retrieve, and store files.  Generally remote filing is=
 provided by allowing a user to attach to part of a remote mass storage =
device (a file server) as though it were connected directly.  This virtu=
al disk is then used as though it were a disk drive local to the worksta=
tion.  Remote printing allows users to print to any printer attached to =
any component on the LAN.  Remote printing addresses two user needs: ong=
oing processing while printing, and shared use of expensive printers.  L=
AN print servers can accept files immediately, allowing users to continu=
e work on their local workstations, instead of waiting for the print job=
 to be completed.   Many users utilizing the same printer can justify th=
e cost of high quality, fast printers. <p> <b>1.4.2 Remote Computing</B>=
 <p> Remote computing refers to the concept of running an application or=
 applications on remote components.  Remote computing allows users to (1=
) remotely login to another component on the LAN, (2) remotely execute a=
n application that resides on another component, or (3) remotely run an =
application on one or more components, while having the appearance, to t=
he user, of running locally.   Remote login allows users to login to a r=
emote system (such as a multi-user system) as though the user were direc=
tly connected to the remote system. The ability to run an application on=
 one or more components allows the user to utilize the processing power =
of the LAN as a whole. <p> <b>1.4.3 Messaging</B><p>  Messaging applicat=
ions are associated with mail and conferencing capabilities.  Electronic=
 mail has been one of the most used capabilities available on computer s=
ystems and across networks.   Mail servers act as local post offices, pr=
oviding users the ability to send and receive messages across a LAN.  A =
conferencing capability allows users to actively communicate with each o=
ther, analogous to the telephone. <p> <b>1.5 The LAN Security Problem</B=
> <p> The advantages of utilizing a LAN were briefly discussed in the pr=
evious section.  With these advantages however, come additional risks th=
at contribute to the LAN security problem. <p> <b>1.5.1 Distributed File=
 Storing - Concerns</B> <p> File servers can control users' accesses to =
various parts of the file system.  This is usually done by allowing a us=
er to attach a certain file system (or directory) to the user's workstat=
ion, to be used as a local disk.  This presents two potential problems. =
 First, the server may only provide access protection to the directory l=
evel, so that a user granted access to a directory has access to all fil=
es contained in that directory.  To minimize risk in this situation, pro=
per structuring and management of the LAN file system is important.  The=
 second problem is caused by inadequate protection mechanisms on the loc=
al workstation.  For example, a personal computer (PC) may provide minim=
al or no protection of the information stored on it.  A user that copies=
 a file  from the server to the local drive on the PC loses the protecti=
on afforded the file when it was stored on the server.  For some types o=
f information this may be acceptable.  However, other types of informati=
on may require more stringent protections.  This requirement focuses on =
the need for controls in the PC environment. <p> <b>1.5.2 Remote Computi=
ng - Concerns</B> <p> Remote computing must be controlled so that only a=
uthorized users may access remote components and remote applications.  S=
ervers must be able to authenticate remote users who request services or=
 applications.  These requests may also call for the local and remote se=
rvers to authenticate to each other.  The inability to authenticate can =
lead to unauthorized users being granted access to remote servers and ap=
plications.  There must be some level of assurance regarding the integri=
ty of applications utilized by many users over a LAN. <p> <b>1.5.3 Topol=
ogies and Protocols - Concerns</B> <p> The topologies and protocols used=
 today demand that messages be made available to many nodes in reaching =
the desired destination.  This is much cheaper and easier to maintain th=
an providing a direct physical path from every machine to every machine.=
 (In large LANs direct paths are infeasible.) The possible threats inher=
ent include both active and passive wiretapping.  Passive wiretapping in=
cludes not only information release but also traffic analysis (using add=
resses, other header data, message length, and message frequency).  Acti=
ve wiretapping includes message stream modifications (including modifica=
tion, delay, duplication, deletion or counterfeiting). <p> <b>1.5.4 Mess=
aging Services - Concerns</B> <p> Messaging services add additional risk=
 to information that is stored on a server or in transit.   Inadequately=
 protected email can easily be captured, and perhaps altered and retrans=
mitted, effecting both the confidentiality and integrity of the message.=
 <p> <b>1.5.5 Other LAN Security Concerns</B> <p> Other LAN security pro=
blems include (1) inadequate LAN management and security policies, (2) l=
ack of training for proper LAN usage and security, (3) inadequate protec=
tion mechanisms in the workstation environment, and (4) inadequate prote=
ction during transmission. <p> A weak security policy also contributes t=
o the risk associated with a LAN.  A formal security policy governing th=
e use of LANs should be in place to demonstrate management's position on=
 the importance of protecting valued assets.  A security policy is a con=
cise statement of top management's position on information values, prote=
ction responsibilities, and organizational commitment.  A strong LAN sec=
urity policy should be in place to provide direction and support from th=
e highest levels of management.  The policy should identify the role tha=
t each employee has in assuring that the LAN and the information it carr=
ies are adequately protected. <p> The LAN security policy should stress =
the importance of, and provide support for, LAN management.  LAN managem=
ent should be given the necessary funding, time, and resources.   Poor L=
AN management may result in security lapses.  The resulting problems cou=
ld include security settings becoming too lax, security procedures not b=
eing performed correctly, even the necessary security mechanisms not bei=
ng implemented. <p> The use of PCs in the LAN environment can also contr=
ibute to the risk of the LAN.  In general, PCs have a relative lack of c=
ontrol with regard to authenticating users, controlling access to files,=
 auditing, etc.  In most cases the protection afforded information that =
is stored and processed on a LAN server does not follow the information =
when it is sent locally to a PC. <p> Lack of user awareness regarding th=
e security of the LAN can also add risk.  Users who are not familiar wit=
h the security mechanisms, procedures, etc. may use them improperly and =
perhaps less securely.   Responsibilities for implementing security mech=
anisms and procedures and following the policies regarding the use of th=
e PC in a LAN environment usually fall to the user <p> of the PC.  Users=
 must be given the proper guidance and t raining necessary to maintain a=
n acceptable level of protection in the LAN environment. <p> <b>1.6 Goal=
s of LAN Security</B> <p> The following goals should be considered to im=
plement effective LAN security. </DL><ul> <li>Maintain the confidentiali=
ty of data as it is stored, processed or transmitted on a LAN; <li>Maint=
ain the integrity of data as it is stored, processed or transmitted on a=
 LAN; <li>Maintain the availability of data stored on a LAN, as well as =
the ability to process and transmit the data in a timely fashion; <li>En=
sure the identity of the sender and receiver of a message; </UL><br> Ade=
quate LAN security requires the proper  combination  of  security  polic=
ies  and  procedures, technical controls, user training and awareness, a=
nd contingency planning.  While all of these areas are critical to provi=
de adequate protection, the focus of this document is on the technical c=
ontrols that can be utilized.  The other areas of control mentioned abov=
e are discussed in the appendices. <p><br> <b>2. THREATS, VULNERABILITIE=
S, SERVICES & MECHANISMS</B> <p> <i>A threat can be any person, object, =
or event that, if realized, could potentially cause damage to the LAN.</=
I>  Threats can he malicious, such as the intentional modification of se=
nsitive information, or can be accidental, such as an error in a calcula=
tion, or the accidental deletion of a file.  Threats can also be acts of=
 nature, i.e. flooding, wind, lightning, etc. <i> The immediate damage c=
aused by a threat is referred to as an impact.</I> <p> <i>Vulnerabilitie=
s  are weaknesses in a LAN that can be exploited by a threat. </I> For e=
xample, unauthorized access (the threat) to the LAN could occur by an ou=
tsider guessing an obvious password.  The vulnerability exploited is the=
 poor password choice made by a user.  Reducing or eliminating the vulne=
rabilities of the LAN can reduce or eliminate the risk of threats to the=
 LAN.  For example, a tool that can help users choose robust passwords m=
ay reduce the chance that users will utilize poor passwords, and thus re=
duce the threat of unauthorized LAN access. <p> A security    service is=
 the collection of security mechanisms, supporting data  files, and proc=
edures that help protect the LAN from specific threats. </I>          Fo=
r example, the identification and authentication service helps protect t=
he LAN from unauthorized LAN access by requiring that a user identify hi=
mself, as well as verifying that identity.  The security service is only=
 as robust as the mechanisms, procedures, etc. that make up the service.=
 <p> <i>Security mechanisms are the controls implemented to provide the =
security services needed to protect the LAN. </I> For example, a token b=
ased authentication system (which requires that the user be in possessio=
n of a required token) may be the mechanism implemented to provide the i=
dentification and authentication service.  Other mechanisms that help ma=
intain the confidentiality of the authentication information can also be=
 considered as part of the identification and authentication service. <p=
> This section is composed of two pans.  The first part discusses threat=
s, impacts and related vulnerabilities.  The threats are generally categ=
orized based on the impact caused if the threat is realized.  For each i=
mpact category there is a discussion regarding the threats that may caus=
e the impact, potential losses from the threat, and the vulnerabilities =
that may be exploited by the threat.  The second part of this section di=
scusses LAN security services and the possible mechanisms that can he im=
plemented to provide these services. <p> <b>2.1 Threats and Vulnerabilit=
ies</B> <p> Identifying threats requires one to look at the impact and c=
onsequence of the threat if it is realized.  The impact of the threat, w=
hich usually points to the immediate near-term problems, results in disc=
losure, modification, destruction, or denial of service.  The more signi=
ficant long- term consequences of the threat being realized arc the resu=
lt of lost business, violation of privacy, civil law suits, fines, loss =
of human life or other long term effects.  Consequences of threats will =
he discussed in Section 3, <i>Risk Management</I>.  The approach taken h=
ere is to categorize the types of impacts that can occur on a LAN so tha=
t specific technical threats can be grouped by the impacts and examined =
in a meaningful manner.  For example, the technical threats that can lea=
d to the impact 'LAN traffic compromise, in general can be distinguished=
 from those threats that can lead to the impact 'disruption of LAN funct=
ionalities'.  It should be recognized that many threats may result in mo=
re than one impact; however, for this discussion a particular threat wil=
l be discussed only in conjunction with one impact.  The impacts that wi=
ll be used to categorize and discuss the threats to a LAN environment ar=
e: </DL><ul> <li><b>Unauthorized LAN access </B>- results from an unauth=
orized individual gaining access to the LAN. <li><b>Inappropriate access=
 to LAN resources</B> - results from an individual, authorized or unauth=
orized, gaining access to LAN resources in an unauthorized manner. <li><=
b>Disclosure of data </B>- results from an individual accessing or readi=
ng information and possibly revealing the information in an accidental o=
r unauthorized intentional manner. <li><b>Unauthorized Modification to d=
ata and software</B> - results from an individual modifying, deleting or=
 destroying LAN data and software in an unauthorized or accidental manne=
r. <li><b>Disclosure of LAN traffic</B> - results from an individual acc=
essing or reading information and possibly revealing the information in =
an accidental or unauthorized intentional manner as it moves through the=
 LAN. <li><b>Spoofing of LAN traffic</B> - results when a message appear=
s to have been sent from a legitimate, named sender, when actually the m=
essage had not been. <li><b>Disruption of LAN functions</B> - results fr=
om threats that block LAN resources from being available in a timely man=
ner. </UL><p> <b>2.1.1 Unauthorized LAN Access</B> <p> LANs provide file=
 sharing, printer sharing, file storage sharing, etc.  Because resources=
 are shared and not used solely by one individual there is need for cont=
rol of the resources and accountability for use of the resources.  <i>Un=
authorized LAN access occurs when someone, who is not authorized to use =
the LAN, gains access to the LAN (usually by acting as a legitimate user=
 of LAN).</I>  Three common methods used to gain unauthorized access are=
 password sharing, general password guessing and password capturing.  Pa=
ssword sharing allows an unauthorized user to have the LAN access and pr=
ivileges of a legitimate user; with the legitimate user's knowledge and =
acceptance.   General password guessing is not a new means of unauthoriz=
ed access.  Password capturing is a process in which a legitimate user u=
nknowingly reveals the user's login id and password.  This may he done t=
hrough the use of a trojan horse program that appears to the user as a l=
egitimate login program; however, the trojan horse program is designed t=
o capture passwords.  Capturing a login id and password as it is transmi=
tted across the LAN unencrypted is another method used to ultimately gai=
n access.  The methods to capture cleartext LAN traffic, including passw=
ords, is readily available today.  Unauthorized LAN access can occur by =
exploiting the following types of vulnerabilities: <ul> <li>lack of, or =
insufficient, identification and authentication scheme, <li>password sha=
ring, <li>poor password management or easy to guess passwords, <li>using=
 known system holes and vulnerabilities that have not been patched, <li>=
single-user PCs that are not password protected at boot time, <li>underu=
tilized use of PC locking mechanisms, <li>LAN access passwords that are =
stored in batch files on PCs, <li>poor physical control of network devic=
es, <li>unprotected modems, <li>lack of a time-out for login Lime period=
 and log of attempts, <li>lack of disconnect for multiple login failures=
 and log of attempts, <li>lack of 'last successful login date/time' and =
'unsuccessful login attempt' notification and log, <li>lack of real-time=
 user verification (to detect masquerading). </UL> <b>2.1.2 Inappropriat=
e Access to LAN Resources</B> <p> One of the benefits of using a LAN is =
that many resources are readily available to many users, rather than eac=
h user having limited dedicated resources.  These resources may include =
file stores, applications, printers, data, etc.  However, not all resour=
ces need to be made available to each user.  To prevent compromising the=
 security of the resource (i.e. corrupting the resource, or lessening th=
e availability of the resource), only those who require the use of the r=
esource should be permitted to utilize that resource.  <i>Unauthorized a=
ccess occurs when a user, legitimate or unauthorized, accesses a resourc=
e that the user is not permitted to use. </I> Unauthorized access may oc=
cur simply because the access rights assigned to the resource are not as=
signed properly.   However, unauthorized access may also occur because t=
he access control mechanism or the      privilege mechanism is not granu=
lar enough. In these cases, the only way to  grant  the  user  the      =
needed access rights or privileges to perform a specific function is to =
grant the user more access      than is needed, or more privileges than =
are needed.  Unauthorized  access  to  LAN  resources  can      occur by=
 exploiting the following types of vulnerabilities: <ul> <li>use of syst=
em default permission settings that are too permissive to users, <li>imp=
roper use of administrator or LAN manager privileges, <li>data that is s=
tored with an inadequate level or no protection assigned, <li>lack of or=
 the improper use of the privilege mechanism for users, <li>PCs that uti=
lize no access control on a file level basis.</UL> <br> <b>2.1.3 Disclos=
ure of Data</B> <p> As LANs are utilized throughout an agency or departm=
ent, some of the data stored or processed on a Lan may require some leve=
l of confidentiality. <i>The disclosure of LAN data or software occurs w=
hen the data or software is accessed, read and possibly released to an i=
ndividual who is not authorized for the data. </I> This can occur by Som=
eone gaining access to information that is  not encrypted, or by viewing=
 monitors or printouts of the information.  The compromise of LAN data c=
an occur by exploiting the following types of' vulnerabilities: </DL><ul=
> <li>improper access control settings, <li>data, that has been deemed s=
ensitive enough to warrant encryption, stored in unencrypted form, <li>a=
pplication source code stored in unencrypted form, <li>monitors viewable=
 in high traffic areas, <li>printer stations placed in high traffic area=
s, <li>data and software backup copies stored in open areas. </UL><br> <=
b>2.1.4 Unauthorized Modification of Data and Software</B> <p> Because L=
AN users share data and applications, changes to those resources must be=
 controlled. <i>Unauthorized modification of data or software occurs whe=
n unauthorized changes (additions, deletions or modifications) are made =
to a file or program.</I> <p> When undetected modifications to data are =
present for long periods of time, the modified data may be spread throug=
h the LAN, possibly corrupting databases, spreadsheet calculations, and =
other various application data.  This can damage the integrity of most a=
pplication information. When undetected software changes are made, all s=
ystem software can become suspect, warranting a thorough review (and per=
haps reinstallation) of all related software and applications.  These un=
authorized changes can he made in simple command programs (for example i=
n PC batch files), in utility programs used on multi-user systems, in ma=
jor application programs, or any other typeof software.  They can be mad=
e by unauthorized outsiders, as well as those who are authorized to make=
 software changes (although the changes they make are not authorized).  =
These changes can divert information (or copies of the information) to o=
ther destinations, corrupt the data as it is processed, or harm the avai=
lability of' system or LAN services. <p> PC viruses can he a nuisance to=
 any organization that does not choose to provide LAN users the tools to=
 effectively detect and prevent virus introduction to the LAN.  Currentl=
y viruses have been limited to corrupting PCs, and generally do not corr=
upt LAN servers (although viruses can use the LAN to infect PCs). [WACK8=
9] provides guidance on detecting and preventing viruses. <p> The unauth=
orized modification ofdata and software can occur by exploiting the foll=
owing types of vulnerabilities: </DL><ul> <li>write permission granted t=
o users who only require read permission to access, <li>undetected chang=
es made to software, including the addition of code to create a trojan h=
orse program, <li>lack of a cryptographic checksum on sensitive data, <l=
i>privilege mechanism that allow unnecessary write permission, <li>lack =
of virus protection and detection tools. </UL><br> <b>2.1.5 Disclosure o=
f LAN Traffic</B> <p> <i>The disclosure of LAN traffic occurs when someo=
ne who is unauthorized reads, or otherwise obtains, information as it is=
 moved through the LAN. </I> LAN traffic can be compromised by listening=
 and capturing traffic transmitted over the LAN transport media (tapping=
 into a network cable, listening to traffic transmitted over the air, mi=
susing a provided network connection by attaching an analysis device, et=
c.). Many users realize the importance of confidential information when =
it is stored on their workstations or servers; however, it is also impor=
tant to maintain that confidentiality as the information travels through=
 the LAN.  Information that can be compromised in this way includes syst=
em and user names, passwords, electronic mail messages, application data=
, etc.  For example, even though passwords may be in an encrypted form w=
hen stored on a system, they can be captured in plaintext as they are se=
nt from a workstation or PC to a file server.  Electronic mail message f=
iles, which usually have very strict access rights when stored on a syst=
em, are often sent in plaintext across a wire, making them an easy targe=
t for capturing.   The compromise of LAN traffic can occur by exploiting=
 the following types of vulnerabilities: </DL><ul> <li>inadequate physic=
al protection of LAN devices and medium, <li>transmitting plaintext data=
 using broadcast protocols, <li>transmitting plaintext data (unencrypted=
) over the LAN medium,</UL> <br> <b>2.1.6 Spoofing of LAN Traffic</B> <p=
> Data that is transmitted over a LAN should not be altered in an unauth=
orized manner as a result of that transmission, either by the LAN itself=
, or by an intruder.  LAN users should be able to have a reasonable expe=
ctation that the message sent, is received unmodified.  <i>A modificatio=
n occurs when an intentional or unintentional change is made to any part=
 of the message including the contents and addressing information.</I> <=
p> Messages transmitted over the LAN need to contain some sort of addres=
sing information that reports the sending address of the message and the=
 receiving address of the message (along with other pieces of informatio=
n).  <i>Spooling of LAN traffic involves (1) the ability to receive a  m=
essage by masquerding as the legitimate receiving destination, or (2) ma=
squeriding as the sending machine and sending a message to a destination=
.</I> To  masquerade  as  a   receiving   machine,   the LAN must he per=
suaded into believing that the destination address is the legitimate add=
ress of the machine. (Receiving LAN traffic can also he done by listenin=
g to messages as they are broadcast to all nodes.)       Masquerading as=
 the sending machine to deceive a receiver into believing the message wa=
s legitimately sent can be done by masquerading the address, or by means=
 of a playback.  A playback involves capturing a session between a sende=
r and receiver, and then retransmitting that message (either with the he=
ader only, and new message contents, or the whole message).  The spoofin=
g of LAN traffic or the modification of LAN traffic can occur by exploit=
ing the following types of vulnerabilities: <p> Vulnerabilities <br></DL=
><ul> <li>transmitting LAN traffic in plaintext, <li>lack of a date/time=
 stamp (showing sending time and receiving time), <li>lack of message au=
thentication code mechanism or digital signature, <li>lack of real-time =
verification mechanism (to use against playback). </UL><br> <b>2.1.7 Dis=
ruption of LAN Functions</B> <p> A LAN is a tool, used by an organizatio=
n, to share information and transmit it from one location to another.  T=
his need is satisfied by LAN functionalities such those described in Sec=
tion 1.4, ZAN Definition.  A disruption of functionality occurs when the=
 LAN cannnot provide the needed functionality in an acceptable, timely m=
anner.  A disruption can interrupt one type of functionality or many.  A=
 disruption of LAN functionalities can occur by exploiting the following=
 types of vulnerabilities: <p> Vulnerabilities <br></DL><ul> <li>inabili=
ty to detect unusual traffic patterns (i.e. intentional flooding), <li>i=
nability to reroute traffic, handle hardware failures, etc, <li>configur=
ation of LAN that allows for a single point of failure, <li>unauthorized=
 changes made to hardware components (reconfiguring addresses on worksta=
tions, modifying router or hub configurations, etc.), a improper mainten=
ance of LAN hardware, <li>Improper physical security of LAN hardware. </=
UL><br> <b>2.2 Security Services and Mechanisms</B> <p> A security servi=
ce is the collection of mechanisms, procedures and other controls that a=
re implemented to help reduce the risk associated with threat.  For exam=
ple, the identification and authentication service helps reduce the risk=
 of the unauthorized user threat.      Some services provide protection =
from threats, while other services provide for detection of the threat o=
ccurrence.  An example of this would be a logging or monitoring service.=
  The following services will be discussed in this section: </DL><ul> <l=
i><b>Identification and authentication</B> - is the security service tha=
t helps ensure that the LAN is accessed by only authorized individuals. =
<li><b>Access control</B> - is the security service that helps ensure th=
at LAN resources are being utilized in an authorized manner. <li><b>Data=
 and message confidentiality</B> - is the security service that helps en=
sure that LAN data, software and messages are not disclosed to unauthori=
zed parties. <li><b>Data and message integrity</B> - is the security ser=
vice that helps ensure that LAN data, software and messages are not modi=
fied by unauthorized parties. <li><b>Non-repudiation</B> - is the securi=
ty service by which the entities involved in a communication cannot deny=
 having participated.  Specifically the sending entity cannot deny havin=
g sent a message (non-repudiation with proof of' origin) and the receivi=
ng entity cannot deny having received a message (non-repudiation with pr=
oof of delivery). <li><b>Logging and Monitoring</B> - is the security se=
rvice by which uses of LAN resources can be traced throughout the LAN. <=
/UL> The mechanisms, procedures and guidance provided in this section sh=
ould not be considered as mandatory requirements in this document.  This=
 FIPS Guideline is voluntary, and the controls listed here should be con=
sidered as potential solutions, and not required solutions.  Determining=
 the appropriate controls and procedures to use in any LAN environment i=
s the responsibility of those in each organization charged with providin=
g adequate LAN protection. <p> <b>2.2.1 Identification and Authenticatio=
n</B> <p> The first step toward securing the resources of a LAN is the a=
bility to verify the identities of users [BNOV911.  The process of verif=
ying a user's identity is referred to as authentication.   Authenticatio=
n provides the basis for the effectiveness of other controls used on the=
 LAN.  For example the logging mechanism provides usage information base=
d on the userid.  The access control mechanism permits access to LAN res=
ources based on the userid.  Both these controls are only effective unde=
r the assumption that the requestor of a LAN service is the valid user a=
ssigned to that specific userid. <p> Identification requires the user to=
 be known by the LAN in some manner.  This is usually based on an assign=
ed userid.  However the LAN cannot trust the validity that the user is i=
n fact, who the user claims to be, without being authenticated.  The aut=
hentication is done by having the user supply something that only the us=
er has, such as a token, something that only the user knows, such as a p=
assword, or something that makes the user unique, such as a fingerprint.=
  The more of these that the user has to supply, the less risk in someon=
e masquerading as the legitimate user. <p> A requirement specifying the =
need for authentication should exist in most LAN policies.  The requirem=
ent may be directed implicitly in a program level policy stressing the n=
eed to effectively control access to information and LAN resources, or m=
ay be explicitly stated in a LAN specific policy that states that all us=
ers must be uniquely identified and authenticated. <p> On most LANS, the=
 identification and authentication mechanism is a userid/password scheme=
. [BNOV9 I] states that "password systems can be effective if managed pr=
operly [FIPS 1 12], but seldom are.  Authentication which relies solely =
on passwords has often failed to provide adequate protection for systems=
 for a number of reasons.  Users tend to create passwords that are easy =
to remember and hence easy to guess.  On the other hand users that must =
use passwords generated from random characters, while difficult to guess=
, are also difficult to be remembered by users.   This forces the user t=
o write the password down, most likely in an area easy accessible in the=
 work area".  Research work such as [KLEIN] detail the ease at which pas=
swords can be guessed.   Proper password selection (striking a balance b=
etween being easy-to-remember for the user but difficult-to-guess for ev=
eryone else) has always been an issue.  Password generators that produce=
 passwords consisting of pronounceable syllables have more potential of =
being remembered than generators that produce purely random characters. =
[FIPS 180] specifies an algorithm that can be used to produce random pro=
nounceable passwords.  Password checkers are programs that enable a user=
 to determine whether a new passwords is considered easy-to-guess, and t=
hus unacceptable. <p> Password-only mechanisms, especially those that tr=
ansmit the password in the clear (in an unencrypted form) are susceptibl=
e to being monitored and captured.  This can become a serious problem if=
 the LAN has any uncontrolled connections to outside networks.  Agencies=
 that are considering connecting their LANs to outside networks, particu=
larly the Internet, should examine [BJUL93] before doing so. If, after c=
onsidering all authentication options, LAN policy determines that passwo=
rd-only Systems are acceptable, the proper management of password creati=
on, storage, expiration and destruction become all the more important. [=
FIPS 112] provides guidance on password management. [NCSC851  provides  =
additional  guidance  that   may   be considered appropriate. <p> Becaus=
e of the vulnerabilities that still exist with the use of password-only =
mechanisms, more robust mechanisms can be used. [BNOV91] discusses advan=
ces that have been made in the areas of token-based authentication and t=
he use of biometrics. A smartcard based or token based mechanism require=
s that a user be in possession of the token and additionally may require=
 the user to know a PIN or password. These devices then perform a challe=
nge/response authentication scheme using realtime parameters.  Using rea=
ltime parameters helps prevent an intruder from gaining unauthorized acc=
ess through a login session playback.  These devices may also encrypt th=
e authentication session, preventing the compromise of the authenticatio=
n information through monitoring and capturing. <p> Locking mechanisms f=
or LAN devices, workstations, or PCs that require user authentication to=
 unlock can be useful to users who must leave their work areas frequentl=
y.  These locks allow users to remain logged into the LAN and leave thei=
r work areas (for an acceptable short period of time ) without exposing =
an entry point into the LAN. <p> Modems that provide users with LAN acce=
ss may require additional protection.  An intruder that can access the m=
odem may gain access by successfully guessing a user password.          =
        The availability of modem use to legitimate users may also becom=
e an issue if an intruder is allowed continual access to the modem. <p> =
Mechanisms that provide a user with his or her account usage information=
 may alert the user that the account was used in an abnormal manner (e.g=
. multiple login failures).  These mechanisms include notifications such=
 as date, time, and location of last successful login, and number of pre=
vious login failures.  The type of security mechanisms that could be imp=
lemented to provide the identification and authentication service are li=
sted below. <p> Mechanisms<br></DL><ul>  <li>password based mechanism, <=
li>smartcards/smart tokens based mechanism, <li>biometrics based mechani=
sm, <li>password generator, <li>password locking, <li>keyboard locking, =
<li>PC or workstation locking, <li>termination of connection after multi=
ple failed logins <li>user notification of 'last successful login' and '=
number of login failures', <li>real-time user verification mechanism, <l=
i>cryptograhy with unique user keys. </UL></UL> <b>2.2.2 Access Control<=
/B> <p> This service protects against the unauthorized use of LAN resour=
ces, and can be provided by the use of access control mechanisms and pri=
vilege mechanisms.  Most file servers and muli-user workstations provide=
 this service to some extent.  However, PCs which mount drives from the =
file servers usually do not.  Users must recognize that files used local=
ly from a mounted drive are under the access control of the PC.  For thi=
s reason it may be important to incorporate access control, confidential=
ity and integrity services on PCs to whatever extent possible.  Appendix=
 C highlights some of the concerns that are inherent in the use of PCs. =
<p> According to [NCSC87], access control can be achieved by using discr=
etionary access control or mandatory access control.  Discretionary acce=
ss control is the most common type of access control used by LANS.  The =
basis of this kind of security is that an individual user, or program op=
erating on the user's behalf is allowed to specify explicitly the types =
of access other users (or programs executing on their behalf) may have t=
o information under the user's control.   Discretionary security differs=
 from mandatory security in that it implements the access control decisi=
ons of the user.  Mandatory controls are driven by the results of a comp=
arison between the user's trust level or clearance and the sensitivity d=
esignation of the information. <p> Access control mechanisms exist that =
support access granularity for acknowledging an owner, a specified group=
 of users, and the world (all other authorized users).  This allows the =
owner of the file (or directory) to have different access rights than al=
l other users, and allows the owner specify different access rights for =
a specified group of people, and also for the world.   Generally access =
rights allow read access, write access, and execute access.             =
  Some LAN operating systems provide additional access rights that allow=
 updates, append only, etc. <p> A LAN operating system may implement use=
r profiles, capability lists or access control lists to specify access r=
ights for many individual users and many different groups.              =
   Using these mechanisms allows more flexibility in granting different =
access rights to different users, which may provide more stringent acces=
s control for the file (or directory). (These more flexible mechanisms p=
revent having to give a user more access than necessary, a common proble=
m with the three level approach.) Access control lists assign the access=
 rights of named users and named groups to a file or directory.  Capabil=
ity lists and user profiles assign the files and directories that can he=
 accessed by a named user. <p> User access may exist at the directory le=
vel, or the file level.  Access control at the directory level places th=
e same access rights on all the files in the directory.  For example, a =
user that has read access to the directory can read (and perhaps copy) a=
ny file in that directory.  Directory access rights may also provide an =
explicit negative access that prevents the user from any access to the f=
iles in the directory. <p> Some LAN implementations control how a file c=
an be accessed. (This is in addition to controlling who can access the f=
ile.) Implementations may provide a parameter that allows an owner to ma=
rk a file sharable, or locked.  Sharable files accept multiple accesses =
to the file at the same time.   A locked file will permit only one user =
to access it.  If a file is a read only file, making it sharable allows =
many users to read it at the same time. <p> These access controls can al=
so be used to restrict usage between servers on the LAN.  Many LAN opera=
ting systems can restrict the type of traffic sent between servers.  The=
re may be no restrictions, which implies that all users may be able to a=
ccess resources on all servers (depending on the users access rights on =
a particular server).  Some restrictions may be in place that allow only=
 certain types of traffic, for example only electronic mail messages, an=
d further restrictions may allow no exchange of traffic from server to s=
erver.  The LAN policy should determine what types of information need t=
o be exchanged between servers.  Information that is not necessary to be=
 shared between servers should then be restricted. <p> Privilege mechani=
sms enable authorized users to override the access permissions, or in so=
me manner legally bypass controls to perform a function, access a file, =
etc.  A privilege mechanism should incorporate the concept of least priv=
ilege.     [ROBA91] defines least privilege as "a principle where each s=
ubject in a system be granted the most restrictive set or privileges nee=
ded for the performance of an authorized task." For example, the princip=
le of least privilege should be implemented to perform the backup functi=
on.  A user who is authorized to perform the backup function needs to ha=
ve read access to all files in order to copy them to the backup media. (=
However the user should not be given read access to all files through th=
e access control mechanism.) The user is granted a 'privilege' to overri=
de the read restrictions (enforced by the access control mechanism) on a=
ll files in order to perform the backup function.  The more granular the=
 privileges that can be granted, the more control there is not having to=
 grant excessive privilege to perform an authorized function.  For examp=
le, the user who has to perform the backup function does not need to hav=
e a write override privilege, but for privilege mechanisms that are less=
 granular, this may occur.  The types of security mechanisms that could =
be implemented to provide the access control service are listed below. <=
p> Mechanisms <br></DL><ul> <li>access control mechanism using access ri=
ghts (defining owner, group, world permissions), <li>access control mech=
anism using access control lists, user profiles, capability lists, <li>a=
ccess control using mandatory access control mechanisms (labels), <li>gr=
anular privilege mechanism. </UL><br> <b>2.2.3 Data and Message Confiden=
tiality</B> <p> The data and message confidentiality service can be used=
 when the secrecy of information is necessary.  As a front line protecti=
on, this service may incorporate mechanisms associated with the access c=
ontrol service, but can also rely on encryption to provide further secre=
cy protection.   Encrypting information converts it to an unintelligible=
 form called ciphertext, decrypting converts the information back to its=
 original form.  Sensitive information can be stored in the encrypted, c=
iphertext, form.  In this way if the access control service is circumven=
ted, the file may be accessed hut the information is still protected by =
being in encrypted form. (The use of encryption may be critical on PCs t=
hat do not provide an access control service as a front line protection.=
) <p> It is very difficult to control unauthorized access to LAN traffic=
 as it is moved through the LAN.   For most LAN users, this is a realize=
d and accepted problem.  The use of encryption reduces the risk of someo=
ne capturing and reading LAN messages in transit by making the message u=
nreadable to those who may capture it.  Only the authorized user who has=
 the correct key can decrypt the message once it is received. <p> A stro=
ng policy statement should dictate to users the types of information tha=
t a-re deemed sensitive enough to warrant encryption.  A program level p=
olicy may dictate the broad categories of information that need to be st=
ringently protected, while a system level policy may detail the specific=
 types of information and the specific environments that warrant encrypt=
ion protection.   At whatever level the policy is dictated, the decision=
 to use encryption should be made by the authority within the organizati=
on charged with ensuring protection of sensitive information.  If a stro=
ng policy does not exist that defines what information to encrypt, then =
the data owner should ultimately make this decision. <p> Cryptography ca=
n be categorized as either secret key or public key.  Secret key cryptog=
raphy is based on the use of a single cryptographic key shared between t=
wo parties . The same key is used to encrypt and decrypt data.  This key=
 is kept secret by the two parties.  If encryption of sensitive but uncl=
assified information (except Warner Amendment information) is needed, th=
e use of the <i>Data Encryption Standard</I> (DES), FIPS 46-2, is requir=
ed unless a waiver is granted by the head of the federal agency.  The DE=
S is a secret key algorithm used in a cryptographic system that can prov=
ide confidentiality.      FIPS 46-2 provides for the implementation of t=
he DES algorithm in hardware, software, firmware or some combination.  T=
his is a change from 46-1 which only provided for the use ot' hardware i=
mplementations. For an overview of DES, information addressong the appli=
cability of DES, and waiver procedures see [NCSL90]. <p> Public key cryp=
tography is a form of cryptography which make use of two keys: a public =
key and a private key.  The two keys are related but have the property t=
hat, given the public key, It  =

 is computationally infeasible to derive the private key [FIPS 140-1]   =
In a public key cryptosystem, each party has its own public/private key =
pair.  The public key can be known by anyone; the private key is kept se=
cret.  An example for providing confidentiality is as follows: two users=
, Scott and Jeff', wish to exchange sensitive information, and maintain =
the confidentiality of that information.  Scott can encrypt the informat=
ion with Jeff's public key.  The confidentiality of the information is m=
aintained since only Jeff can decrypt the information using his private =
key.   There is currently no FIPS approved public-key encryption algorit=
hm for confidentiality.   Agencies must waive FIPS 46-2 to use a public-=
key encryption algorithm for confidentiality.   Public key technology, i=
n the form of digital signatures, can also provide integrity and non- re=
pudiation.  This will he discussed in Section 2.2.4, <i>Data Integrity</=
I>. <p> FIFS 140- 1, <i>Security Reqirements for Cryptographic Modules</=
I>, should be used by agencies to specify the security requirements need=
ed to protect the equipment that is used encryption.  This standard spec=
ifies requirements such as authentication, physical controls and proper =
key management for all equipment that is used for encryption.  Systems t=
hat implement encryption in software have additional requirements placed=
 on them by FIPS 140-1.  LAN servers, PCs, encryption boards, encryption=
 modems, and all other LAN and data communication equipment that has an =
encryption capability should conform to the requirements of FIPS 140-1. =
 The types of security mechanisms that could be implemented to provide t=
he message and data confidentiality service are listed below. <p> Mechan=
isms <br></DL><ul> <li>file and message encryption technology, <li>prote=
ction for backup copies on tapes, diskettes, etc, <li>physical protectio=
n of physical LAN medium and devices, <li>use of routers that provide fi=
ltering to limit broadcasting (either by blocking or by masking message =
contents). </UL><br> <b>2.2.4 Data and Message Integrity</B> <p> The dat=
a and message integrity service helps to protect data and software on wo=
rkstations, file servers, and other LAN components from unauthorized mod=
ification.               The unauthorized modification can he intentiona=
l or accidental.      This service can be provided by the use of cryptog=
raphic checksums, and very granular access control and privilege mechani=
sms.  The more granular the access control or privilege mechanism, the l=
ess likely an unauthorized or accidental modification can occur. <p> The=
 data and message integrity service also helps to ensure that a message =
is not altered, deleted or added to in any manner during transmission. (=
The inadvertent modification of a message packet is handled through the =
media access control implemented within the LAN protocol.) Most of the s=
ecurity techniques available today cannot prevent the modification of a =
message, but they can detect the modifiation of a message (unless the me=
ssage is deleted altogether). <p> The use of check-sums provide a modifi=
cation detection capability.  A Message Authentication Code (MAC), a typ=
e of cryptographic checksum, can protect against both accidental and int=
entional, but unauthorized, data modification.  A MAC is initially calcu=
lated by applying a crvptographic algorithm and a secret value, called t=
he key, to the data.  The initial MAC is retained.  The data is later ve=
rified by applying the cryptographic algorithm and the same secret key t=
o the data to produce another MAC; this MAC is then compared to the init=
ial MAC.  If the two MACs are equal, then the data is considered authent=
ic.     Otherwise, an unauthorized modification is assumed.  Any party t=
rying to modify the data without knowing the key would not know how to c=
alculate the appropriate MAC corresponding to the altered data.  FIPS 11=
3, <i>Computer Data Authentication</I>, defines the Data Authentication =
Algorithm, based on the DES, which is used to calculate the MAC.  See [S=
MID88] for more information regarding the use of MACS. <p> The use of el=
ectronic signatures can also be used to detect the modification of data =
or messages.   An electronic signature can be generated using public key=
 or private key cryptography.  Using a public key system, documents in a=
 computer system are electronically signed by applying the originator s =
private key to the document.  The resulting digital signature and docume=
nt can then be stored or transmitted.  The signature can be verified usi=
ng the public key of the originator.   If the signature verifies properl=
y, the receiver has confidence that the document was signed using the pr=
ivate key of the originator and that the message had not been altered af=
ter it was signed.   Because private keys are known only to their owner,=
 it may also possible to verify the originator of the information to a t=
hird party.  A digital signature, therefore, provides two distinct servi=
ces: nonrepudiation and message integrity.  FIPS PUB 186, Digital Signat=
ure Standard, specifies a digital signature algorithm that should he use=
d when message and data integrity are required. <p> The message authenti=
cation code (MAC) described above can also be used to provide an electro=
nic signature capability.  The MAC is calculated based on the contents o=
f the message.   After transmission another MAC is calculated on the con=
tents of the received message.  If the MAC associated with the message t=
hat was sent is not the same as the MAC associated with the message that=
 was received, then there is proof that the message received does not ex=
actly match the message sent.  A MAC can he used to identify the signer =
of the information to the receiver.   However, the implementations of th=
is technology do not inherently provide nonrepudiation because both the =
sender of the information and the receiver of the information share the =
same key.  The types of security mechanisms that could be implemented to=
 provide the data and message integrity service are listed below. <p> Me=
chanisms <br></DL><ul> <li>message authentication codes used for softwar=
e or files, <li>use of secret key based electronic signature, <li>use of=
 public key digital signature, <li>granular privilege mechanism, <li>app=
ropriate access control settings (i.e. no unnecessary write permissions)=
, <li>virus detection software, <li>workstations with no local storage (=
,to prevent local storage of software and files), <li>workstations with =
no diskette drive/tape drive to prevent introduction of suspect software=
. <li>use of public key digital signatures. </UL><br> <b>2.2.5 Non-repud=
iation</B> <p> Non-repudiation helps ensure that the entities in a commu=
nication cannot deny having participated in all or part of the communica=
tion.  When a major function of the LAN is electronic mail, this service=
 becomes very important.  Non-repudiation with proof of origin gives the=
 receiver some confidence that the message indeed came from the named or=
iginator.  The nonrepudiation service can be provided through the use of=
 public key cryptographic techniques using digital signatures.  See Sect=
ion 2.2.4 <i>Data and Message Integrity</I> for a description and use of=
 digital signatures.  The security mechanism that could be implemented t=
o provide the non- repudiation service is listed below. <p> Mechanisms <=
br></DL><ul> <li>use of public key digital signatures. </UL><br> <b>2.2.=
6 Logging and Monitoring</B> <p> This service performs two functions.  T=
he first is the detection of the occurrence of a threat. (However, the d=
etection does not occur in real time unless some type of real-time monit=
oring capability is utilized.) Depending on the extensiveness of the log=
ging, the detected event should be traceable throughout the system.  For=
 example, when an intruder breaks into the system, the log should indica=
te who was logged on to the system at the time, all sensitive files that=
 had failed accesses, all programs that had attempted executions, etc.  =
It should also indicate sensitive files and programs that were successfu=
lly accessed in this time period.  It may be appropriate that some areas=
 of the LAN (workstations, fileservers, etc.) have some type of logging =
service. <p> The second function of this service is to provide system an=
d network managers with statistics that indicate that systems and the ne=
twork as a whole are functioning properly.  This can be done by an audit=
 mechanism that uses the log file as input and processes the file into m=
eaningful information regarding system usage and security.  A monitoring=
 capability can also be used to detect LAN availability problems as they=
 develop.  The types of security mechanisms that could be used to provid=
e the logging and monitoring service are listed below. <p> Mechanisms <b=
r></DL><ul> <li>logging of I&A information (including source machine, mo=
dem, etc.), <li>logging of changes to access control information, <li>lo=
gging of use of sensitive files, <li>logging of modifications made to cr=
itical software, <li>utilizing LAN traffic management tools, <li>use of =
auditing tools. </UL><p><br> <b>3. RISK MANAGEMENT</B> <p> A systematic =
approach should be used to determine appropriate LAN security measures. =
Deciding how to address security, where to implement security on the LAN=
, and the type and strength of the security controls requires considerab=
le thought.  This section will address the issues involving risk managem=
ent of a LAN.  The elements that are common to most risk management proc=
esses will be examined in terms of the unique properties of a LAN that m=
ay require special considerations beyond the risk process of a centraliz=
ed system or application.  In presenting this information, a simple risk=
 management methodology will be introduced that may be considered as a c=
andidate among the different methodologies and techniques that are curre=
ntly available. <p> It is the reader's task to determine the appropriate=
 level of protection required for his or her LAN.  This is accomplished =
through risk management. [KATZ92] defines risk management as the process=
 of: <ul> <li>estimating potential losses due to the use of or dependenc=
e upon automated information system technology, <li>analyzing potential =
threats and system vulnerabilities that contribute to loss estimates, an=
d <li>selecting cost effective safeguards that reduce risk to an accepta=
ble level. </UL><br> There are many risk management methodologies that a=
n organization may use.  However all should incorporate the process defi=
ned above. <p> <b>3.1 Current Approaches</B> <p> One of the most importa=
nt considerations  in  choosing  a  methodology  or  technique  is  that=
  the results obtained from the risk assessment he useful in providing L=
AN security.   If the methodology is too complicated to use, if it requi=
res input data that is too detailed, or if it produces results that are =
too intricate to infer what the risk to the LAN actually is, the methodo=
logy will not be useful and will not lead to effective LAN security.  On=
 the other hand, if the methodology does not allow for reasonable granul=
arity in its definition of variables such as loss, likelihood and cost, =
the results produced may be too simple and may not reflect the true risk=
 to the LAN.  Those responsible within the organization should adopt the=
 risk assessment approach that provides a technique that is understandab=
le, easily used, and produces results that helps the organization to eff=
ectively secure its LANs. <p> In 1979, NIST published FIPS 65 [FIPS65] w=
hich described a quantitative method for performing risk analysis.  This=
 document was issued as a guideline and not a standard.  Therefore the u=
se of FIPS 65 is not mandatory for performing risk analysis. [KATZ92] po=
ints out that its primary  =

 use was for the risk analysis of large data centers. [FIPS65] describes=
 how an estimate of risk (i.e., Annual Loss Expectancy) could he obtaine=
d by estimating, for each application data file: (1) the frequency of oc=
currence of harmful impact (i.e., destruction, modification, disclosure =
or unavailability of the data file) and (2) the consequences (in dollars=
) that could result from each of the impacts [KATZ92]. [KATZ92] explains=
 that "recognizing the lack of empirical data on frequency of occurrence=
 of' impacts and the related consequences, FIPS 65 suggested an 'order o=
f magnitude approach' to approximating these values.    That this concep=
t was not well understood by users of that method has been illustrated b=
y numerous attempts to be too precise in quantifying the input data to F=
IPS 65 and, by the same tokcn, interpreting the results as having more p=
recision than they actually had.  " FIPS 65 may be used for a risk asses=
sment of a LAN; however agencies may choose other methodologies and tech=
niques if the agency finds them to be more appropriate and effective. <p=
> Automated risk analysis tools are available that are tailored specific=
ally to the LAN environment. [GILB89] points out the many benefits of us=
ing automated risk analysis tools.  However there is a concern in using =
automated risk analysis tools.  There are many techniques available to c=
alculate risk.  While most depend on a loss variable and a likelihood or=
 probability variable, the manner in which these variables are represent=
ed, the calculations that are used on these variables, and the manner in=
 which the risk value is represented is not always made available to the=
 user.   This disadvantage is compounded because there is currently no s=
tandard method or agreed upon approach for performing risk analysis.   W=
hile there exists a proposed standard framework [KATZ92] for risk analys=
is that provides vendors with some guidance in developing these tools, t=
here are no agreed upon methods for representing the necessary variables=
 to perform a risk analysis, and there are no agreed upon methods for ca=
lculating risk using these variables.   Because of this lack of consiste=
nt agreement with the risk community, coupled with the proprietary natur=
e of the tools, determining the effectiveness of any particular method m=
ay be difficult.  On the other hand, if the methodology used by the tool=
 is understood and deemed acceptable for the user, then the tool may pro=
ve to be quite adequate.  The underlying question in determining if a to=
ol will he effective for a particular environment should be, "What is th=
e automated risk analysis tool measuring, and are the results produced b=
y it useful for providing appropriate LAN security'?" [GILB89] discusses=
 the use of automated risk analysis tools, and examines criteria that ca=
n be considered in the automated tools selection process. <p> Another ap=
proach for performing risk analyses is to develop sets of baseline secur=
ity controls needed for predefined levels of risk.  The predefined level=
s of risk may be based on the asset alone (e.g. data is considered sensi=
tive due to an agency policy or federal mandate), the consequence that w=
ould result from the loss of the asset (e.g. the agency may not be able =
to meet its mission) or other factors.  Ills allows data owners and thos=
e responsible for ensuring the security of the LAN to determine the leve=
l of risk for specific assets, and follow the guidance and implement the=
 controls that have been deemed appropriate.  This approach may provide =
an agency with the benefit of' having consistent protection for specifie=
d types of assets.        This approach has been implemented in [DOE89],=
 [HHS91], [NASA90].  A benefit of this approach  27  =

 is that the user is not only provided with a risk analysis methodology,=
 but also with an awareness and understanding of the agency policies tha=
t have derived the baseline controls.  In organizations where the respon=
sibility for security resides with someone who is not a security practit=
ioner, this approach may provide enough knowledge and direction to provi=
de effective security. <p> Other methodologies and approaches are availa=
ble.  Some require a manual process; others are implemented in software.=
  Whatever risk analysis method is chosen by an organization, it must be=
 effective in helping to implement effective LAN security and thus reduc=
e the risk to the LAN. <p> <b>3.2 Participants</B> <p> LAN security shou=
ld address the concerns and needs of the organization as a whole.  This =
perspective can only be obtained by including representatives from relev=
ant areas of the organization.  Minimally this should include: <ul> <li>=
<b>LAN Management</B> is responsible for the operation of the LAN.  LAN =
Management can provide the risk assessment group the correct LAN configu=
rations, including hardware, software, data, and functionality mapping. =
 LAN Management can also determine the immediate impacts that can occur =
if a threat is realized. <li><b>Organizational Management</B> is respons=
ible for supporting the LAN security policy by providing funding to impl=
ement required security services and making a commitment to ensure compl=
iance with policy goals.  Organizational management has the proper persp=
ective in assessing the longterm consequences to the organization if a t=
hreat is realized. <li><b>Security Personnel</B> are responsible for ens=
uring that organizational security policies are developed and adhered to=
. <li><b>Data and Application Owners</B> are responsible for ensuring th=
at their data and applications are adequately protected and are availabl=
e to authorized users. <li><b>LAN Users</B> are responsible for providin=
g accurate information about their applications, data and LAN usage. </U=
L><br> The above list generally represents those individuals involved in=
 the risk analysis of most computer systems and applications (with the e=
xception of LAN management if there is no network).  What is unique abou=
t this list with regard to forming a team to assess LAN risks is that ea=
ch group listed above may be multiplied to account for each part of an o=
rganization the LAN serves, each application that is processed on the LA=
N, and for the different requirements and mandates that are in place thr=
oughout the organization.  The requirements of the "LAN owner" in additi=
on to the needs of many data and application owners have to all be consi=
dered.  The ultimate goal of effective overall LAN security may not be m=
et if strong team leadership is not in place from the beginning.  For ex=
ample, organizations that lack strong centralized management of the LAN =
may have a difficult time assessing needs in any hierarchical manner, si=
nce each local manager or application owner may view his needs as a prio=
rity over other local managers and application owners, regardless of wha=
t the risk analysis results indicate. <p> Initially, those within the or=
ganization charged with performing the risk analysis need to make some d=
etermination regarding the proposed scope and boundary of the risk analy=
sis.  With this information, the necessary participants in the risk proc=
ess can be chosen. <p> <b>3.3 Elements of Risk Management</B> <p> Operat=
ion of a LAN involves risk.  The term risk management is commonly used t=
o define the process of determining risk, applying controls to reduce th=
e risk, and then determining if the residual risk is acceptable.        =
 Risk management supports two goals: measure risk (risk assessment) and =
selecting appropriate controls that will reduce risk to an acceptable le=
vel (risk mitigation).     Issues that should be addressed when assessin=
g LAN security include: <dl> <dd>1.    Assets - What should be protected=
? <p> <dd>2.    Threats - From what do the assets need protection and wh=
at is the likelihood that a threat will occur? <p> <dd>3.    Impacts - W=
hat are the immediate damages if the threat is realized (e.g. disclosure=
 of information, modification of data)? <p> <dd>4.    Consequences - Wha=
t are the long-term effects of the threat being realized (e.-. damage to=
 reputation of organization, loss of business)? <p> <dd>5.    Controls -=
 What are the effective security measures (security services and mechani=
sms) needed to protect the assets? <p> <dd>6. Risk - After implementatio=
n of the security controls, is the remaining risk acceptable? </DL><br> =
The goal of risk assessment is to determine the risk to the LAN.  The ri=
sk assessment process is conducted in two steps.  The first step defines=
 the boundary of the environment, determines the scope of the assessment=
 and selects the appropriate methodology to use.  In step two the risk a=
nalysis is conducted.  The risk analysis can be broken down into asset i=
dentification, threat and vulnerability identification, likelihood asses=
sment, and risk measure. <p> The goal of risk mitigation is to apply eff=
ective security controls such that the residual risk to the LAN is accep=
table.  Risk mitigation involves three steps: determining those areas wh=
ere risk is unacceptable; selecting effective safeguards, and evaluating=
 the controls and determining if the residual risk to the LAN is accepta=
ble. <p> Organizations can select from a variety of risk management meth=
odologies.  The goal is for an organization to choose the most effective=
 approach for the organization.  The methodology discussed here consists=
 of seven processes (outlined in Figure 3.1). <p> <b>~~~~~~~~~~~~~~~~~~~=
~~~~~~~~~~~~~~~~~~~~~~~~~</B><br> <b>Figure 3.1 - Risk Management Proces=
s</B> <dl><dl> <dd><i>1. Define the Scope and Boundary and Methodology <=
br> <dd>2. Identify and Value Assets, <br> <dd>3. Identify Threats and D=
etermine Likelihood, <br> <dd>4. Measure Risk, <br> <dd>5. Select Approp=
riate Safeguards, <br> <dd>6. Implement and Test Safeguards, <br> <dd>7.=
 Accept Residual Risk.</I> </DL></DL> <b>~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~=
~~~~~~~~~~~~~</B> <p> <b>3.4 Risk Assessment</B> <p> <b>3.4.1   Process =
1 - Define the Scope and Boundary, and Methodology</B> <p> This process =
determines the direction that the risk management effort will take.  It =
defines how much of the LAN (the boundary) and in how much detail (the s=
cope) the risk management process should entail.  The boundary will defi=
ne those parts of the LAN that will be considered.  The boundary may inc=
lude the LAN as a whole or parts of the LAN, such as the data communicat=
ions function, the server function, the applications, etc.    Factors th=
at determine the boundary may be based on LAN ownership, management or c=
ontrol.  Placing the boundary around a part of the LAN controlled elsewh=
ere may result in cooperation problems that may lead to inaccurate resul=
ts.  This problem stresses the need for cooperation among those involved=
 with the ownership and management of the different parts of the LAN, as=
 well as the applications and information processed on it. <p> The scope=
 of the risk management effort must also be defined.  The scope can be t=
hought of as a logical outline showing, within the boundary, the depth o=
f the risk management process.  The scope distinguishes the different ar=
eas of the LAN (within the boundary) and the different levels of detail =
used during the risk management process.  For example some areas may be =
considered at a higher or broader level, while other areas may be treate=
d in depth and with a narrow focus.   For smaller LANS, the boundary may=
 be the LAN as a whole, and the scope may define a consistent level of d=
etail throughout the LAN.       For larger LANS, an organization may dec=
ide to place the boundary around those areas that it controls and to def=
ine the scope to consider all areas within the boundary.  However the fo=
cus on data communications, external connections, and certain applicatio=
ns might be more narrow.  Changes in the LAN configuration, the addition=
 of external connections, or updates or upgrades to LAN software or appl=
ications may influence the scope. <p> The appropriate risk management me=
thodology for the LAN may  have  been  determined  prior  to defining th=
e boundary and scope.  If the methodology has already been determined, t=
hen it may be useful to scrutinize the chosen methodology given the defi=
ned boundary and scope.  If a methodology has not been chosen, the bound=
ary and scope information may be useful in selecting a methodology that =
produces the most effective results. <p> <b>3.4.2 Process 2 - Identify a=
nd Value Assets</B> <p> Asset valuation identifies and assigns value to =
the assets of the LAN.  All parts of the LAN have value although some as=
sets are definitely more valuable than others.  This step gives the firs=
t indication of those areas where focus should be placed.  For LANs that=
 produce large amounts of information that cannot be reasonably analyzed=
, initial screening may need to be done.   Defining and valuing assets m=
ay allow the organization to initially decide those areas that can be fi=
ltered downward and those areas that should be flagged as a high priorit=
y. <p> Different methods can be used to identify and value assets.  The =
risk methodology that an organization chooses may provide guidance in id=
entifying assets and should provide a technique for valuing assets.  Gen=
erally assets can be valued based on the impact and consequence to the o=
rganization.  This would include not only the replacement cost of the as=
set, but also the effect on the organization if the asset is disclosed, =
modified, destroyed or misused in any other way. <p> Because the value o=
f an asset should be based on more than just the replacement cost, valui=
ng assets is one of the most subjective of the processes.  However, if a=
sset valuation is done with the goal of the process in mind, that is, to=
 define assets in terms of a hierarchy of importance or criticality, the=
 relativeness of the assets becomes more important than placing the "cor=
rect" value on them.<p>  The risk assessment methodology should define t=
he representation of the asset values. Purely quantitative methodologies=
 such as FIPS 65 may use dollar values.  However having to place a dolla=
r value on some of the consequences that may occur in today's environmen=
ts may be sufficient to change the perception of the risk management pro=
cess from being challenging to being unreasonable. <p> Many risk assessm=
ent methodologies in use today require asset valuation in more qualitati=
ve terms.  While this type of valuation may be considered more subjectiv=
e than a quantitative approach, if the scale used to value assets is uti=
lized consistently throughout the risk management process, the results p=
roduced should he useful.  Figure 3.2 shows one of the simplest methods =
for valuing assets.<p> <b>~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~</=
B><br> <b>Figure 3.2 - Simple Asset Valuation</B> <ul><ul> The value of =
the asset can be represented in terms<br> of the potential loss.  This l=
oss can be based on the<br> replacement value, the immediate impact of t=
he loss,<br> and the consequence.  One of the simplest valuing<br> techn=
iques to indicate the loss of an asset is to use<br> a qualitative ranki=
ng of high, medium and low. <br>  Assigning values to these rankings (3=3D=
high,<br> 2=3Dmedium, and `1=3Dlow) can assist in the risk<br> measure p=
rocess.</UL></UL> <b>~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~</B><br=
> <p> Throughout this discussion of the risk management process, a simpl=
e technique for valuing assets (as shown in Figure 3.2), determining ris=
k measure, estimating safeguard cost, and determining risk mitigation wi=
ll be presented.  This technique is a simple, yet valid technique; it is=
 being used here to show the relationship between the processes involved=
 in risk management.  The technique is not very granular and may not be =
appropriate for environments where replacement costs,sensitivities of in=
formation and consequences vary widely.  One of the implicit outcomes of=
 this process is that a detailed configuration of the LAN, as well as it=
s uses is produced.   This configuration should indicate the hardware in=
corporated, major software applications used, significant information pr=
ocessed on the LAN, as well as how that information flows through the LA=
N.  The degree of knowledge of the LAN configuration will depend on the =
defined boundary and scope. Figure 3.3 exemplifies some of the areas tha=
t should be included. <p> <b>~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~=
~</B><br> <b>Figure 3.3 - Defining the LAN Configuration</B> <ul><ul> Ha=
rdware configuration - includes servers,<br> workstations, PCs, peripher=
al devices, external<br> connections, cabling maps, bridges or gateway<b=
r> connections, etc. <p> Software configuration - includes server operat=
ing<br> systems, workstation and PC operating systems, the<br> LAN opera=
ting system, major application software,<br> software tools, LAN managem=
ent tools, and software<br> under development.  This should also include=
 the <br> location of the software on the LAN and from where it<br> is c=
ommonly accessed. <p> Data - Includes a meaningful typing of the data<br=
> processed and communicated through the LAN, as<br> well as the types o=
f users who generally access the<br> data.    Indications of where the d=
ata is accessed,<br> stored  and processed on the LAN is important.<br> =
Attention to the sensitivity of the data should also be<br> considered.<=
/UL></UL> <b>~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~</B> <p> After =
the LAN configuration is completed, and the assets are determined and va=
lued, the organization should have a reasonably correct view of what the=
 LAN consists of and what areas of the LAN need to be protected. <p> <b>=
3.4.3   Process 3 - Identify Threats and Determine Likelihood</B> <p> Th=
e outcome of this process should be a strong indication of the adverse a=
ctions that could harm the LAN, the likelihood that these actions could =
occur, and the weaknesses of the LAN that can be exploited to cause the =
adverse action.   To reach this outcome, threats and vulnerabilities nee=
d to be identified and the likelihood that a threat will occur needs to =
be determined. <p> Large amounts of information on various threats and v=
ulnerabilities exist.  The Reference and Further Reading  Sections of th=
is document provide some information on LAN  threats and vulnerabilities=
.  Some risk management methodologies also provide information on  poten=
tial threats and vulnerabilities.  User experience and LAN manaement exp=
erience also provide inaight into threats and vulnerabilities. <p> The d=
egree to which threats are considered will depend on the defined boundar=
y and scope defined for the risk management process.  A high level analy=
sis may point to threats and vulnerabilities in general terms; a more fo=
cused analysis may tie a threat to a specific component or usage of the =
LAN.  For example a high level analysis may indicate that the consequenc=
e due to loss of data confidentiality through disclosure of information =
on the LAN is too great a risk.   A more narrowly focused analysis may i=
ndicate that the consequence due to disclosure of personnel data capture=
d and read through LAN transmission is too great a risk.  More than like=
ly, the generality of the threats produced in the high level analysis, w=
ill, in the end, produce safeguard recommendations that will also be hig=
h level.  This is acceptable if the risk assessment was scoped at a high=
 level.  The more narrowly focused assessment will produce a safeguard t=
hat can specifically reduce a given risk, such as the disclosure of pers=
onnel data. <p> The threats and vulnerabilities discussed in Section 2 m=
ay be used as a starting point, with other sources included where approp=
riate.  New threats and vulnerabilities should be addressed when they ar=
e encountered.  Any asset of the LAN that was determined to be important=
 enough (i.e., was not filtered through the screening process) should be=
 examined to determine those threats that could potentially harm it.  Fo=
r more focused assessments, particular attention should be paid to detai=
ling the ways that these threats could occur.  For example, methods of a=
ttack that result in unauthorized access may be from a login session pla=
yback, password cracking, the attachment of unauthorized equipment to th=
e LAN, etc.  These specifics provide more information in determining LAN=
 vulnerabilities and will provide more information for proposing safegua=
rds. <p> This process may uncover some vulnerabilities that can be corre=
cted by improving LAN management and operational controls immediately.  =
These improved controls will usually reduce the risk of the threat by so=
me degree, until such time that more thorough improvements are planned a=
nd implemented.  For example, increasing the length and composition of t=
he password for authentication may be one way to reduce a vulnerability =
to guessing passwords.  Using more robust passwords is a measure that ca=
n be quickly implemented to increases the security of the LAN.    Concur=
rently, the planning and implementation of a more advanced authenticatio=
n mechanism can occur. <p> Existing LAN security controls should be anal=
yzed to determine if they are currently providing adequate protection.  =
These controls may be technical, procedural, etc.  If a control is not p=
roviding adequate protection, it can be considered a vulnerability.  For=
 example, a LAN operating system may provide access control to the direc=
tory level, rather than the file  level.   For some users, the threat of=
 compromise of information may he too great not to have file level prote=
ction.  In this example, the lack ot' granularity in the access control =
could he considered a vulnerability. <p> As specific threats and related=
 vulnerabilities are identified, a likelihood measure needs to be associ=
ated with the threat/vulnerability pair (i.e. What is the likelihood tha=
t a threat will be realized, given that the vulnerability is exploited?)=
.     The risk methodology  chosen by the organization should provide th=
e technique used to measure likelihood.    Along with asset valuation, a=
ssigning likelihood measures can also be  a subjective process.  Threat =
data for traditional threats (mostly physical threats) does exist and ma=
y aid in determining likelihood.   However experience regarding the tech=
nical aspects of the LAN and knowledge of operational aspects of the org=
anization may prove more valuable to decide likelihood measure.  Figure =
3.4 defines a simple likelihood measure.  This likelihood measure coinci=
des with the asset valuation measure defined in Figure 3.1. Although the=
 asset valuation and the likelihood measures provided in this example ap=
pear to be weighted equally for each threat/vulnerability pair, it is a =
user determination regarding which measure should be emphasized during t=
he risk measurement process. <p> <b>~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~=
~~~~~~~~</B><br> <b>Figure 3.4 Assigning Likelihood Measure</B> <ul><ul>=
 The likelihood    of the threat occurring can be<br> normalized as a va=
lue that ranges from 1 to 3. A 1<br> will indicate a low likelihood, a 2=
 will indicate a<br> moderate likelihood and a 3 will indicate a high<br=
> likelihood.</UL></UL> <b>~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~<=
/B> <p> <b>3.4.4 Process 4 - Measure Risk</B> In its broadest sense the =
risk measure can be considered the representation of the kinds of advers=
e actions that may happen to a system or organization and the degree of =
likelihood that these actions may occur.  The outcome of this process   =
   should    indicate   to    the organization the degree of risk associ=
ated with the defined assets.  This outcome is important because it its =
the basis for making safeguard selection and risk mitigation decisions. =
<p> There are many  ways to measure and represent risk.   [KATZ92] point=
s out that depending on the  particular methodology or approach, the mea=
sure could be defined in qualitative terms, quantitative terms, one dime=
nsional, multidimensional, or some combination of these.  The risk measu=
re process should be consistent with (and more than likely defined by) t=
he risk assessment methodology being used by the organization.   Quantit=
ative approaches are often associated with measuring risk in terms of do=
llar losses (e.g. FIPS 65).    Qualitative approaches are often associat=
ed with measuring risk in terms of quality as indicated through a scale =
or ranking.  One dimensional approaches consider only limited components=
 (e.g. risk =3D magnitude of loss X frequency of loss).  Multidimensiona=
l approaches consider additional components in the risk measurement such=
 as reliability, safety, or performance.  One of the most important aspe=
cts of risk measure is that the representation be understandable and mea=
ningful to those who need to make the safeguard selection and risk mitig=
ation decisions. <p> <b>~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~</B>=
<br> <b>Figure 3.5 - One Dimensional Approach to Calculate Risk</B> <ul>=
<ul> The <i>risk</I> associated with a threat can be considered<br> as a=
 function of <i>the relative likelihood that the threat<br> can occur</I=
>, and the <i>expected loss incurred eiven that<br> the threat occurred.=
</I>  The risk is calculated as<br> follows: <p> <b>risk =3D likelihood =
of threat occurring (given the<br> specific vulnerability) x loss incurr=
ed</B> <p> The value estimated for loss is determined to be a<br> value =
that ranges from I to 3. Therefor risk may<br> be calculated as a number=
 ranging from I to 9<br> meaning a risk of I or 2 is considered a low ri=
sk, a<br> risk of 3 or 4 would be a moderate risk, and a risk<br> of 6 o=
r 9 would be considered a high risk.<br></UL></UL> <p><pre>           <b=
>LIKELIHOOD  LOSS   RISK</B>                1      1  1 - LOW           =
     1      2  2 - LOW                1      3  3 - MODERATE            =
    2      1  2 - LOW                2      2  4 - MODERATE             =
   2      3  6 - HIGH                3      1  3 - MODERATE             =
   3      2  6 - HIGH                3      3  9 - HIGH </PRE> <b>~~~~~~=
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~</B><br> <p> Figure 3.5 provides a=
n example of a one dimensional approach for calculating risk.  In this e=
xample, the levels of risk are now normalized (i.e. low, medium and high=
) and can be used to compare risks associated with each threat.  The com=
parison of risk measures should factor in the criticality of the compone=
nts used to determine the risk measure.  For simple methodologies that o=
nly look at loss and likelihood, a risk measure that was derived from a =
high loss and low likelihood may result in the same risk measure as one =
that resulted from a low loss and high likelihood.  In these cases, the =
user needs to decide which risk measure to consider more critical, even =
though the risk measures may be equal.  In this case, a user may decide =
that the risk measure derived from the high loss is more critical than t=
he risk measure derived from the high likelihood. <p> With a list of pot=
ential threats, vulnerabilities and related risks, an assessment of the =
current security situation for the LAN can be determined.  Areas that ha=
ve adequate protection will not surface as contributing to the risk of t=
he LAN (since adequate protection should lead to low likelihood) whereas=
 those areas that have weaker protection do surface as needing attention=
. <p> <b>3.5  Risk Mitigation</B> <p> <b>3.5.1 Process 5 - Select Approp=
riate Safeguards</B> <p> The purpose of this process is to select approp=
riate safeguards.  This process can be done using risk acceptance testin=
g. <p> Risk acceptance testing is described by [KATZ92] as an activity t=
hat compares the current risk measure with acceptance criteria and resul=
ts in a determination of whether the current risk level is acceptable.  =
While effective security and cost considerations are important factors, =
there may be other factors to consider such as: organizational policy, l=
egislation and regulation, safety and  reliability requirements, perform=
ance requirements, and technical requirements. <p> The relationship betw=
een risk acceptance testing and safeguard selection can be iterative.   =
Initially, the organization needs to order the different risk levels tha=
t were determined during the risk assessment.  Along with this the organ=
ization needs to decide the amount of residual risk that it will be will=
ing to accept after the selected safeguards are implemented.  These init=
ial risk acceptance decisions can be factored into the safeguard selecti=
on equation.  When the properties of the candidate safeguards are known,=
 the organization can reexamine the risk acceptance test measures and de=
termine if the residual risk is achieved, or alter the risk acceptance d=
ecisions to reflect the known properties of the safeguards.        For e=
xample there may be risks that are determined to be too high.  However a=
fter reviewing the available safeguards, it may be realized that the cur=
rently offered solutions are very costly and cannot be easily implemente=
d into the current configuration and network software.         This may =
force the organization into either expending the resources to reduce the=
 risk, or deciding through risk acceptance that the risk will have to be=
 accepted because it is currently too costly to mitigate. <p> Many sourc=
es exist that can provide information on potential safeguards (See the R=
eference and Further Reading Sections).  The methodology discussed here =
defines safeguards in terms of security services and mechanisms.  A secu=
rity service is the sum of mechanisms, procedures, etc. that are impleme=
nted on the LAN to provide protection.  The security services (and mecha=
nisms) provided in Section 2 can be used as a starting point.  The secur=
ity services should be related to the threats defined in the risk assess=
ment. <p> In most cases the need for a specific service should be readil=
y apparent.       If  the risk acceptance results indicate that a risk i=
s acceptable,    (i.e., existing mechanisms are adequate) then there is =
no need to apply additional mechanisms to the service that already exist=
s. <p> After the needed security services are determined, consider the l=
ist of security mechanisms for each service.       For each security ser=
vice selected,   determine    the candidate mechanisms that would  best =
provide that service.  Using  the threat/vulnerability/risk     relation=
ships developed in  the  previous    processes,  choose those mechanisms=
 that could potentially reduce or eliminate the vulnerability and thus r=
educe the risk of the threat.  In many cases, a threat/vulnerability rel=
ationship will yield more than one candidate mechanism.  For example the=
 vulnerability of usino weak passwords could be reduced by using a passw=
ord generator mechanism, by using a token based mechanism, etc.  Choosin=
g the candidatemechanisms is a subjective process that will vary from on=
e LAN implementation to another.   Not every mechanism presented in Sect=
ion 2 is feasible for use in every LAN.  In order for this process to be=
 beneficial, some filtering of the mechanisms presented needs to be made=
 during this step. <p> Selecting appropriate safeguards is a subjective =
process.  When considering the cost measure of the mechanism, it is impo=
rtant that the cost of the safeguard be related to the risk measure to d=
etermine if the safeguard will be cost-effective.  The methodology chose=
n by the organization should provide a measure for representing costs th=
at is consistent with the measures used for representing the other varia=
bles determined so far.      Figure 3.6 shows a cost measure that is con=
sistent with the other measuring examples presented.  This cost measurin=
g method, while appearing to only consider the cost of the safeguard, ca=
n have the other factors mentioned above factored in. <p> <b>~~~~~~~~~~~=
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~</B><br> <b>Figure 3.6 - Calculating Co=
st Measure</B> <ul><ul> In this example cost measure, the cost of the<br=
> safeguard is the amount needed  to purchase or<br> develop and impleme=
nt each of the mechanisms. <br>  'Me cost can be normalized in the same =
manner as<br> was the value for potential loss incurred.  A 1 will<br> i=
ndicate a mechanism with a low cost, a 2 will<br> indicate a mechanism w=
ith a moderate cost, and a 3<br> will indicate a mechanism with a high c=
ost.<br></UL></UL> <b>~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~</B> <=
p> When a measure (or cost) is assigned to the safeguard, it can be comp=
ared to the other measures in the process.  The safeguard measure can be=
 compared to the risk measure (if it consists of one value, as shown in =
Figure 3.7) or the components of the risk measure.  There are different =
ways to compare the safeguard measure to the risk measure.  The risk man=
agement methodology chosen by the organization should provide a method t=
o select those effective safeguards that will reduce the risk to the LAN=
 to an acceptable level. <p> <b>~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~=
~~~~</B><br> <b>Figure 3.7 - Comparing Risk and Cost</B> <ul><ul> To cal=
culate risk/cost relationships use the risk<br> measure and the cost mea=
sure associated with each<br> threat/mechanism relationship and create a=
 ratio of<br> the risk to the cost (i.e., risk/cost).  A ratio that is<b=
r> less than I will indicate that the cost of the<br> mechanism is great=
er than the risk associated with<br> the threaL    This is generally not=
 an acceptable<br> situation (and may be hard to justify) but should not=
<br> be automatically dismissed.  Consider that the risk<br> value is a =
function of both the loss measure and the<br> likelihood measure.  One o=
r both of these may<br> represent something so critical about the asset =
that<br> the costly mechanism is justified.  This situation<br> may occu=
r when using simple methodologies such as<br> this one.<br></UL></UL> <b=
>~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~</B> <p> <b>3.5.2 Process 6=
 - Implement And Test Safeguards</B> <p> The implementation and testing =
of safeguards should be done in a structured manner.  The goal of this p=
rocess is to ensure that the safeguards are implemented correctly, are c=
ompatible with other LAN functionalities and safeguards, and provide exp=
ected protection. <p> This process begins by developing a plan to implem=
ent the safeguards.  This plan should consider factors such as available=
 funding, users' leaming curve, etc.       A testing schedule for each s=
afeguard should be incorporated into this plan.  This schedule should sh=
ow how each safeguard interacts or effects other safeguards (or mechanis=
ms of some other functionality).  The expected results (or the assumptio=
n of no conflict) of the interaction should be detailed.  It should be r=
ecognized that not only is it important that the safeguard perform funct=
ionally as expected and provide the expected protections, but that the s=
afeguard does not contribute to the risk of the LAN through a conflict w=
ith some other safeguard or functionality. <p> Each safe-uard should fir=
st be tested independently of other safeguards to ensure that it provide=
s the expected protection.  This may not be relevant to do if the safegu=
ard is designed to interwork with other safeguards.  After testing the s=
afeguard independently, the safeguard should be tested with other safe g=
uards to ensure that it does not disrupt the normal functioning of those=
 existing safeguards.  The implementation plan should account for all th=
ese tests and should reflect any problems or special conditions as a res=
ult of the testing. <p> <b>3.5.3 Process 7 - Accept Residual Risk</B> <p=
> After all safeguards are implemented, tested and found acceptable, the=
 results of the risk acceptance test should be reexamined.    The risk a=
ssociated with the threat/vulnerability relationships should now be redu=
ced to an acceptable level or eliminated.  If this is not the case, then=
 the decisions made in the previous steps should be reconsidered to dete=
rmine what the proper protections should be. <p><br> <b>Appendix A - LAN=
 Security Policy</B> <p> A computer security policy is a concise stateme=
nt of top management's position on information values, protection respon=
sibilities, and organizational commitment.  This policy is one of the ke=
y components of an overall computer systems security program.  It is thi=
s policy statement that can drive the initial security requirements for =
a LAN.  However it may be appropriate to address LAN security goals, res=
ponsibilities, etc. with a separate policy to be used in conjunction wit=
h the existing broader policy.  This section discusses establishing a se=
curity policy that could be applied to a LAN.  It also presents one exam=
ple of a LAN security policy.  This example policy is for example purpos=
es only.  It is not intended to be used, as is, by an Agency.  The purpo=
se of this example policy is to highlight the issues that should be cons=
idered in developing a LAN security policy.<p>  The LAN security policy =
should be issued by the appropriate level of organizational management, =
i.e, the person in the organization to whom employees covered by this po=
licy ultimately report.   The policy should be created by a team of indi=
viduals that may include top management, security officers, and LAN mana=
gement.  The policy should state: <ul> <li>Information value - Managemen=
t's position on the value of information; <li>Responsibilities - Who is =
responsible for protecting the information on the LAN; <li>Commitment - =
The organization's commitment to protecting information and the LAN; <li=
>Applicability - What constitutes the LAN environment and what parts, if=
 any, are exempted. </UL> The LAN security policy should be written such=
 that modifications are rarely required.  The need for changes may indic=
ate that it is too specific.  For example, requiring that a specific vir=
us detection package be used and including the name of the package in th=
e policy may be too specific, considering the rapid pace that virus soft=
ware packages are developed.  It may be more reasonable to merely state =
that virus detection software should exist on LAN PCs, servers, etc. and=
 let LAN management specify the product. <p> The LAN security policy sho=
uld clearly define and establish responsibility for the protection of in=
formation that is processed, stored and transmitted on the LAN, and for =
the LAN itself.   Primary responsibility may be with the data owner, i.e=
., the manager of the organizational component that creates the data, pr=
ocesses it, etc.  Secondary responsibility may then be with the users an=
d end users, i.e. those persons within the organization given access to =
the information by those with primary responsibility.  LAN management sh=
ould clearly define the role of the individuals responsible for maintain=
ing the availability of the LAN.  The example LAN security policy below =
defines responsibilities for functional managers (who may have primary r=
esponsibility), users (who may have secondary responsibility), LAN manag=
ers (who are responsible for implementing and maintaining LAN security a=
nd availability), and local administrators (who are responsible for main=
taining security in their part of the LAN environment).  Local administr=
ators are usually responsible for one or a subset of the servers and wor=
kstations on a LAN.  These responsibilities were compiled from [OLDE92],=
 [COMM91], [WACK91], and [X9F292]. <p> <b><i>An Example LAN Security Pol=
icy</I></B> <p> <b>Purpose</B> <p> The information residing on the XYZ A=
gency local area network (LAN) is mission critical.  The size and comple=
xity of the LAN within XYZ has increased and now processes sensitive inf=
ormation.  Because of this specific security measures and procedures mus=
t be implemented to protect the information being processed on the XYZ L=
AN.  The XYZ LAN facilitates sharing of information and programs by mult=
iple users.  This environment increases security risk and requires more =
stringent protection mechanisms than would be needed for a standalone mi=
crocomputer (PC) operation.  These expanding security requirements in th=
e XYZ computing environment are recognized by this policy which addresse=
s the use of the XYZ LAN. <p> This policy statement has two purposes.  T=
his first is to emphasize for all XYZ employees the importance of securi=
ty in the XYZ LAN environment and their role in maintaining that securit=
y.   The second is to assign specific responsibilities for the provision=
 of data and information security, and for the security of the XYZ LAN i=
tself. <p> <b>Scope</B> <p> All automated information assets and service=
s that are utilized by the XYZ Agency Local Area Network (LAN) are cover=
ed by this policy.  It applies equally to LAN servers, peripheral equipm=
ent, workstations, and personal computers (PCs) within the XYZ LAN envir=
onment.  XYZ LAN resources include data, information, software, hardware=
, facilities, and telecommunications.   The policy is applicable to all =
those associated with the XYZ LAN, including all XYZ employees, vendors,=
 and contractors utilizing the XYZ LAN. <p> <b>Goals</B> <p> The goals o=
f the XYZ information security program are to ensure the integrity, avai=
lability and confidentiality of data which are sufficiently complete, ac=
curate, and timely to meet the needs of XYZ without sacrificing the unde=
rlying principles described in this policy statement.   Specifically the=
 goals are as follows: <ul> <li>Ensure that the XYZ LAN environment has =
appropriate security commensurate with sensitivity, criticality, etc.; <=
li>Ensure that security is cost-effective based on a cost versus risk ra=
tio, or that is necessary to meet with applicable mandates; <li>Ensure t=
hat appropriate support for the security of data in each functional area=
 is provided for; <li>Ensure individual accountability for data, informa=
tion, and other computing resources to which individuals have access;  <=
li>Ensure auditibility of the XYZ LAN environment; <li>Ensure that emplo=
yees are provided sufficient guidance for the discharge of responsibilit=
ies regarding automated information security; <li>Ensure that all critic=
al functions of the XYZ LAN have appropriate contingency plans or disast=
er recovery plans to provide continuity of operation; <li>Ensure that al=
l applicable federal department and organizational policies, mandates, e=
tc. are applied and adhered to. </UL><br> <b>Responsibilities</B> <p> Th=
e following groups are responsible for implementing and maintaining secu=
rity goals set forth in this policy.  Detailed responsibilities are pres=
ented in <i>Responsibilities for Ensuring XYZ LAN Security.</I> <p> 1.  =
 <b>Functional Management (FM)</B>  - those employees who have a program=
 or functional responsibility (not in the area of computer security) wit=
hin XYZ.  <i>Functional Management is responsible for informing staff ab=
out this policy,    assuring that each person has a copy, and interactin=
g with each employee on security issues.</I> <p> 2.  <b>  LAN Management=
 Division (LM)</B> - employees who are involved with the daily managemen=
t and operations of the XYZ LAN.  They are responsible for ensuring the =
continued operation of the LAN.  <i>The LAN Management Division is respo=
nsible for implementing appropriate LAN security measures in order to co=
mply with the XYZ LAN security policy.</I> <p> 3.  <b> Local Administrat=
ors (LA)</B> - employees who are responsible for ensuring that end users=
 have access to needed LAN resources that reside on their respective ser=
vers.  <i>Local administrators are responsible for ensuring that the sec=
urity of their respective servers is in accordance with the XYZ LAN secu=
rity policy.</I> <p> 4. <b>  End Users (U)</B> - are any employees who h=
ave access to the XYZ LAN.  They are responsible for using the LAN in ac=
cordance with the LAN security policy.  <i>All users of data are respons=
ible for complying with security policy established by those with the pr=
imary responsibility for the security of the data, and for reporting to =
management any suspected breach of security.</I> <p> <b>Enforcement</B> =
<p> The failure to comply with this policy may expose XYZ information to=
 the unacceptable risk of the loss of confidentiality, integrity or avai=
lability while stored, processed or transmitted on the XYZ LAN.  Violati=
ons of standards, procedures or guidelines in support of this policy wil=
l be brought to the attention of management for action and could result =
in disciplinary action up to and including termination of employment. <p=
> <b>GENERAL POLICIES OF THE LAN</B> <p> GP1.  Every personal computer s=
hould have an "owner" or "system manager" who is responsible for the mai=
ntenance and security of the computer, and for following all policies an=
d procedures associated with the use of the computer.  The primary user =
of the computer may fill this role. These users should be trained and gi=
ven guidance so that they can adequately follow all policies and procedu=
res. <p> GP2.  In order to prevent unauthorized access to LAN data, soft=
ware, and other resources residing on a LAN server, all security mechani=
sms of the LAN server must be under the exclusive control of the local a=
dministrator and the relevant personnel of the LAN Management Division. =
<p> GP3.  In order to prevent the spread of malicious software and to he=
lp enforce program license agreements, users must ensure that their soft=
ware is properly licensed and safe. <p> GP4.  All software changes and b=
ackups on the servers will be the responsibility of the LAN Management D=
ivision. <p> GP5.  Each user must be assigned a unique USERID and initia=
l password (or other identification information and authentication data)=
, only after the proper documentation has been completed.   Users must n=
ot share their assigned USERIDS. <p> GP6.  Users must be authenticated t=
o the LAN before accessing LAN resources. <p> GP7.  USERIDs must be susp=
ended after a consecutive period of non-use. <p> GP8.  Use of LAN hardwa=
re such as traffic monitors/recorders and routers must be authorized and=
 monitored by the LAN Management Division. <p> GP9.  The Computer Securi=
ty Act of 1987 (P.L. 100-235) states that "Each agency shall provide for=
 the mandatory periodic training in computer security awareness and acce=
pted computer practices of all employees who are involved with the manag=
ement, use, or operation of each Federal computer system within or under=
 the supervision of that agency". <ul> <li>Employees responsible for the=
 management, operations and use of the XYZ LAN must receive training in =
computer security awareness and acceptable computer practices. <li>Compu=
ter security training should be implemented into existing training progr=
ams such as orientation programs for new employees, and training courses=
 involved with information technology systems equipment and software pac=
kages. </UL> GP10.  Security reports must be generated and reviewed on a=
 daily basis. <p> <b><i>SPECIFIC RESPONSIBILITIES FOR ENSURING XYZ LAN S=
ECURITY</I></B> <p> <b>1. Users</B><p> Users are expected to be knowledg=
eable about and adhere to XYZ Agency security policies, and other applic=
able laws, policies, mandates and procedures.  Users are ultimately resp=
onsible for their own behavior.  Specifically users are responsible for =
the following: <p> U1.  Responsible for understanding and respecting rel=
evant Federal laws, Department policies and procedures, XYZ policies and=
 procedures, and other applicable security policies and associated pract=
ices for the XYZ LAN. <p> U2.  Responsible for employing available secur=
ity mechanisms for protecting the confidentiality and integrity of their=
 own information when required. <ul> U2.1.     Follow site procedures fo=
r security of sensitive data as well as for the XYZ LAN itself.  Use fil=
e protection mechanisms to maintain appropriate file access control. <p>=
 U2.2.     Select and maintain good passwords.  Use FIPS 112, Password U=
sage for guidance on good password selection.  Do not write passwords do=
wn, or disclose them to others.   Do not share accounts. </UL> U3.  Resp=
onsible for advising others who fail to properly employ available securi=
ty mechanisms.   Help to protect the property of other individuals.  Not=
ify them of resources (e.g., files, accounts) left unprotected. <p> U4. =
 Responsible for notifying the local administrator or management if a se=
curity violation or failure is observed or detected. <p> U5.  Responsibl=
e for not exploiting system weaknesses. <ul> U5.1.     Do not intentiona=
lly modify, destroy, read or transfer information in an unauthorized man=
ner: do not intentionally deny others authorized access to or use of LAN=
 resources and information. <p> U5.2.     Provide the correct identity a=
nd authentication information when requested and not attempt to assume a=
nother party's identity. </UL> U6.  Responsible for ensuring that backup=
s of the data and software on their own workstation's fixed disk drive a=
re performed. <p> U7.       Responsible for being familiar with how mali=
cious software operates, methods by which it is introduced and spread, a=
nd the vulnerabilities that are exploited by malicious software and unau=
thorized users. <p> U8.       Responsible for knowing and utilizing appr=
opriate policies and procedures for the prevention, detection, and remov=
al of malicious software. <p> U9.       Responsible for knowing how to m=
onitor specific systems and software to detect signs of abnormal activit=
y, and what to do or whom to contact for more information. <p> U10. Resp=
onsible for utilizing the technical controls that have been made availab=
le to protect systems from malicious software. <p> U11.           Respon=
sible for knowing and utilizing contingency procedures for containing an=
d recovering from potential incidents. <p> <b>2.        Functional Manag=
ers</B> <p> Functional managers (and higher-level management) are respon=
sible for the development and implementation of effective security polic=
ies that reflect specific XYZ LAN objectives.  They are ultimately respo=
nsible for ensuring that information and communications security is, and=
 remains, a highly visible and critical objective of day-to-day operatio=
ns.  Specifically functional managers are responsible for the following:=
 <p> FM1.  Responsible for implementing effective risk management in ord=
er to provide a basis for the formulation of a meaningful policy.  Risk =
management requires identifying the assets to be protected, assessing th=
e vulnerabilities, analyzing risk of exploitation, and implementing cost=
- effective safeguards. <p> FM2.  Responsible for ensuring that each use=
r receive, at a minimum, a copy of the security policy and site handbook=
 (if any) prior to establishing an account for the user. <p> FM3.  Respo=
nsible for implementing a security awareness program for users to ensure=
 knowledge of the site security policy and expected practices. <p> FM4. =
 Responsible for ensuring that all personnel within the operating unit a=
re made aware of this policy and responsible for incorporating it into c=
omputer security briefings and training programs. <p> FM4.  Responsible =
for informing the local administrator and the LAN Management Division of=
 the change in status of any employee who utilizes the XYZ LAN.  This st=
atus change includes an interagency position change, interdivision posit=
ion change, or a termination from XYZ employment. <p> FM5.  Responsible =
for ensuring that users understand the nature of malicious software, how=
 it is generally spread, and the technical controls to use for protectio=
n. <p> <b>3. Local Area Network (LAN) Management Division</B> <p> The LA=
N Management Division (or designated personnel) is expected to enforce (=
to the extent possible) local security policies as they relate to techni=
cal controls in hardware and software, to archive critical programs and =
data, and to control access and protect LAN physical facilities.   Speci=
fically, LAN management is responsible for the following: <p> NM1.  Resp=
onsible for rigorously applying available security mechanisms for enforc=
ement of local security policies. <p> NM2.  Responsible for advising man=
agement on the workability of the existing policies and any technical co=
nsiderations that might lead to improved practices. <p> NM3.  Responsibl=
e for securing the LAN environment within the site and interfaces to out=
side networks. <p> NM4.  Responsible for responding to emergency events =
in a timely and effective manner. <ul> NM4.1. Notify local administrator=
s if a penetration is in progress, assist other local administrators in =
responding to security violations. <p> NM4.2.     Cooperate with local a=
dministrators in locating violators and assist in enforcement efforts. <=
/UL> NM5.  Responsible for employing generally approved and available au=
diting tools to aid in the detection of security violations. <p> NM6.  R=
esponsible for conducting timely audits of LAN server logs. <p> NM7.  Re=
sponsible for  remaining  informed  on  outside  policies  and  recommen=
ded  practices  and when appropriate, informing local users and advising=
 management of changes or new developments. <p> NM8.  Responsible for ju=
diciously exercising the extraordinary powers and privileges that are in=
herent in their duties.  Privacy of users should always be a major consi=
deration. <p> NM9.  Responsible  for  developing  appropriate  procedure=
s  and  issuing  instructions  for   the prevention, detection, and remo=
val of malicious software consistent with the guidelines contained herei=
n. <p> NM 10.  Responsible for backing up all data and software on the L=
AN  servers  on  a  timely  basis. <p> NM11.  Responsible for identifyin=
g and recommending software packages for the detection and removal of ma=
licious software. <p> NM12.  Responsible for developing procedures that =
allow  users  to  report  computer  viruses  and other incidents and the=
n responsible for notifying potentially affected parties of the possible=
 threat. <p> NM 13.  Responsible for promptly notifying the appropriate =
security or incident response personnel of all computer security inciden=
ts including malicious software. <p> NM 14.  Responsible for providing a=
ssistance in determining the source of malicious software and the extent=
 of contamination. <p> NM 15.  Responsible for providing assistance for =
the removal of malicious software. <p> NM 16.  Responsible for conductin=
g periodic reviews to ensure that proper security procedures are followe=
d, including those designed to protect against malicious software.<p> <b=
>4. Local Administrators</B> <p> Local administrators (or designated per=
sonnel) are expected to utilize, on their assigned server, the available=
 LAN security services and mechanisms to support and enforce applicable =
security policies and procedures.  Specifically local administrators are=
 responsible for the following: <p> LA1.  Responsible for managing all u=
sers' access privileges to data, programs and functions. <p> LA2.  Respo=
nsible for monitoring all security-related events and the following-up o=
n any actual or suspected violations where appropriate.  When appropriat=
e, responsible for notifying and coordinating with the LAN Management Di=
vision the monitoring or investigation of security- relevant events. <p>=
 LA3.  Responsible for maintaining and protecting LAN server software an=
d relevant files using available security mechanisms and procedures. <p>=
 LA4.  Responsible for scanning the LAN server with anti-virus software =
at regular intervals to assure no virus becomes resident on the LAN serv=
er. <p> LA5.  Responsible for assigning a unique USERID and initial pass=
word (or other identification information or authentication data) to eac=
h user only after proper documentation has been completed. <p> LA6.  Res=
ponsible for promptly notifying the appropriate security or incident res=
ponse personnel of all computer security incidents, including malicious =
software; <ul> LA6. 1. Notify the LAN Management Division if a penetrati=
on is in progress, assist other local administrators in responding to se=
curity violations. <p> LA6.2. Cooperate with other local administrators =
and the LAN Management Division in finding violators and assisting in en=
forcement efforts. </UL> LA7.  Responsible for providing assistance in d=
etermining the source of malicious software and the extent of contaminat=
ion. <p><br> <b>Appendix B - Personal Computer Considerations</B> <p> Pe=
rsonal computers typically do not provide technical controls for user au=
thentication, access control, or memory protection that differentiates b=
etween system memory and memory used for user applications.  Because the=
 lack of controls and the resultant freedom with which users can share a=
nd modify software, personal computers are more prone to attack by virus=
es, unauthorized users and related threats. <p> Virus prevention in the =
PC environment must rely on continual user awareness to adequately detec=
t potential threats and then to contain and recover from the damage.  Pe=
rsonal computer users are in essence personal computer managers, and mus=
t practice their management as a part of their general computing.  Perso=
nal computers generally do not contain auditing features, thus a user ne=
eds to be aware at all times of the computer's performance, i.e., what i=
s normal or abnormal activity.  Ultimately, personal computer users need=
 to understand some of the technical aspects of their computers in order=
 to detect security problems, and to recover from those problems.    Not=
 all personal computer users are technically oriented, thus this poses s=
ome problems and places even more emphasis on user education and involve=
ment in virus prevention. <p> Because of the dependence on user involvem=
ent, policies for LAN environments (and thus PC usage) are more difficul=
t to implement than in a multi-user computer environment.  However, emph=
asizing these policies as part of a user education program will help to =
ingrain them in users' behavior.  Users should be shown via illustrated =
example what can happen if they do not follow the policies.  An example =
where users share infected software and them spread the software through=
out an organization would serve to effectively illustrate the point, thu=
s making the purpose of the policy more clear and more likely to be foll=
owed. (It is not sug-ested that an or-anization actually enact this exam=
ple, merely illustrate it).  Another effective method for increasing use=
r cooperation is to create a list of effective personal computer managem=
ent practices specific to each personal computing environment.  Creating=
 such a list would save users the problem of determining how best to ena=
ct the policies, and would serve as a convenient checklist that users co=
uld reference as necessary. <p> For guidance on general protection of PC=
s see [STIE85].  For guidance on protecting against malicious software s=
ee [WACK89]. <p><br> <b>Appendix C - Contingency Planning for LANs</B> <=
p> A Computer security incident is any adverse event whereby some aspect=
 of computer security could be threatened: loss of data confidentiality,=
 loss of data or system integrity, or disruption or denial of availabili=
ty.  In a LAN environment the concept of a computer security incident ca=
n be extended to all areas of the LAN (hardware, software, data, transmi=
ssions, etc.) including the LAN itself.  Contingency plans in a LAN envi=
ronment should be developed so that any LAN security incident can be han=
dled in a timely manner, with as minimal an impact as possible on the ab=
ility of the organization to process and transmit data.  A contingency p=
lan should consider (1)  incident response, (2) back-up operations, and =
(3) recovery. <p> 1.   The purpose of<b><i> incident response </I></B>is=
 to mitigate the potentially serious effects of a severe LAN security-re=
lated problem.     It requires not only the capability to react to incid=
ents, but the resources to alert and inform the users if necessary.  It =
requires the cooperation of all users to ensure that incidents are repor=
ted and resolved and that future incidents are prevented [WACK91,5]. [WA=
CK91] is recommended as guidance in developing an incident response capa=
bility. <p> 2.   <b><i>Back-up Operations</I></B> plans are prepared to =
ensure that essential tasks (as identified by a risk analysis) can be co=
mpleted subsequent to disruption of the LAN environment and continuing u=
ntil the LAN is sufficiently restored [NIST74,65]. <p> 3.    <b><i>Recov=
ery</I></B> plans are made to permit smooth, rapid restoration of the LA=
N environment following interruption of LAN usage [NIST74,65].  Supporti=
ng documents should be developed and maintained that will minimize the t=
ime required for recovery.  Priority should be given to those applicatio=
ns, services, etc. that are deemed critical to the functioning of the or=
ganization. Back-up operation procedures should ensure that these critic=
al services and applications are available to users. <p><br> <b>Appendix=
 D - Training and Awareness</B> <p> The Computer Security Act of 1987 (P=
.L. 100-235) states that "Each agency shall provide for the mandatory pe=
riodic training in computer security awareness and accepted computer pra=
ctices of all employees who are involved with the management, use, or op=
eration of each Federal computer system within or under the supervision =
of that agency."<p>  [TODD89] provides a framework for identifying compu=
ter security training requirements for a diversity of audiences who shou=
ld receive some form of computer security training.  It focuses on leami=
ng objectives based upon the extent to which computer security knowledge=
 is required by an individual as it applies to his or her job function. =
 For detailed discussion and guidance for general computer security trai=
ning the reader is directed to [TODD89]. <p> To maintain security in a L=
AN environment, training in certain areas of LAN operation and use shoul=
d be received by LAN users.  Security mechanisms, procedures, etc. may n=
ot be effective if they are used improperly.  Training areas that should=
 be considered are listed below for functional managers, LAN managers an=
d general users.               The training area for functional managers=
 focuses on (1) the need to understand the importance of the security po=
licy and (2) how that policy needs to be implemented into the LAN for it=
 to be effective.  The training area for LAN managers focuses on the nee=
d to understand how security is provided for operationally on the LAN.  =
It also directs attention on the need for effective incident response.  =
The training area for all users focuses on (1) recognizing the user role=
 in the security policy and the responsibilities assigned there, (2) usi=
ng the security services and mechanisms effectively to maintain security=
, and (3) understanding how to use the incident response procedures.  Sp=
ecifically these areas are discussed below. <p> <b>Functional Managers</=
B> <p> 1.   Recognize the importance of the LAN security policy and how =
this policy drives the decisions made regarding LAN security.  Recognize=
 the importance of determining adequate security for different types of =
information that the functional manager owns (or has responsibility for)=
. <p> 2. Recognize the LAN as a valuable resource to the organization an=
d the need for protecting that resource.  Recognize the importance of pr=
oviding for adequate protection (through funding, personnel, etc.). <p> =
<b>LAN Management</B> <p> 1.    Understand how the LAN operates in all a=
spects.  Ability to recognize normal operating behavior versus abnormal =
operating behavior. <p> 2.   Understand LAN management's role in impleme=
nting the security policy into the LAN. <p> 3.   Understand how the secu=
rity services and mechanisms work.  Ability to recognize improper use of=
 the security mechanisms by users. <p> 4.   Understand how to use the in=
cident response capability effectively. <p> <b>LAN  Users</B> <p> 1.   U=
nderstand the security policy and the user responsibilities dictated the=
re.  Understand why maintaining LAN security is important. <p> 2.   Unde=
rstand how to use the security services and mechanisms provided by the L=
AN to maintain the security of the LAN and protect critical information.=
 <p> 3.   Understand how to use the incident response capability, how to=
 report and incident, etc. <p> 4.   Recognize normal workstation or PC b=
ehavior versus abnormal behavior. <p><br> <b>References</B> <dl> <dt>[MA=
RT89]<dd>Martin, James, and K. K. Chapman, The Arben Group, Inc.; <b><i>=
Local Area Networks, Architectures and Implementations</I></B>, Prentice=
 Hall, 1989.<p>  <dt>[BARK89]<dd>Barkley, John F., and K. Olsen; <b><i>I=
ntroduction to Heterogenous Computing Environments</B></I>, NIST Special=
 Publication 500-176, November, 1989. <p> <dt>[NCSC87]<dd><b><i>A Guide =
to Understanding Discretionary Control in Trusted Systems</B></I>, NCSC-=
TG-003, Version 1, September 30, 1987 <p> <dt>[NCSL90] <dd> National Com=
puter Systems Laboratory (NCSL) Bulletin, <b><i>Data Encrryption Standar=
d</B></I>, June, 1990. <p> <dt>[SMID88]  <dd>Smid, Miles, E. Barker, D. =
Balenson, and M. Haykin; <b><i>Message Authentication Code ( MAC) Valida=
tion System: Requirements and Procedures</B></I>, NIST Special Publicati=
on 500-156, May, 1988. <p> <dt>[OLDE92] <dd> Oldehoeft, Arthur E.; <b><i=
>Foundations of a Security Policy for Use of the National Research and E=
ducational Network</B></I>, NIST Interagency Report, NISTIR 4734, Februa=
ry-1992. <p> <dt>[COMM91] <dd><b><i> U. S. Department of Commerce Inform=
ation Technology Management Handbook, Attachment 13-D Malicious Software=
 Policy and Guidelines</B></I>, November 8, 1991. <p> <dt>[WACK89] <dd> =
Wack, John P., and L. Carnahan; <b><i>Computer Viruses and Related Threa=
ts: A Management Guide</B></I>, NIST Special Publication 500-166, August=
 1989. <p> <dt>[X9F292]  <dd><b><i>Information Security Guideline for Fi=
nancial Institutions</B></I>, X9/TG-5,Accredited Committee X9F2, March 1=
992. <p> <dt>[BJUL93]<dd>  National Computer Systems Laboratory (NCSL) B=
ulletin, <b><i> Connecting to the Internet: Security Considerations</B><=
/I>, July 1993.<p>  <dt>[BNOV91] <dd> National Computer Systems Laborato=
ry (NCSL) Bulletin, <b><i>Advanced Authentication Technology</B></I>, No=
vember 1991. <p> <dt>[KLEIN] <dd>  Daniel V. Klein, "Foiling the Cracker=
- A Survey of, and Improvements to, Password Security", Software Enginee=
ring Institute. (This work was sponsored in part by the Department of De=
fense.) <p> <dt>[GILB89] <dd> Gilbert, Irene; <b><i>Guide for Selecting =
Automated Risk Analysis Tools</B></I>, NIST Special Publication 500-174,=
 October, 1989. <p> <dt>[KATZ92] <dd> Katzke, Stuart W. Phd., "A Framewo=
rk for Computer Security Risk  Management", NIST, October, 1992. <p> =

NOTE (March 2000): This reference is corrected as follows: Katzke, Stuar=
t W. Phd., NIST, "A Framework for Computer Security Risk Management," Th=
e Analysis, Communication, and Perception of Risk, edited by B.J. Garric=
k and W.C. Gekler, Plenun Press, New York, 1991.<P>
<dt>[NCSC85] <dd> <b><i>Department of Defense Password Management Guidel=
ine</B></I>, National Computer Security Center, April, 1985. <p> <dt>[NI=
ST85] <dd> Federal Information Processing Standard (FIPS PUB) 112, <b><i=
>Password Usage</B></I>, May, 1985. <p> <dt>[ROBA91] <dd> Roback Edward,=
 NIST Coordinator, <b><i>Glossary of Computer Security Terminology</B></=
I>, NISTIR 4659, September, 1991. <p> <dt>[TODD89] <dd> Todd, Mary Anne =
and Constance Guitian, <b><i>Computer Security Training Guidelines</B></=
I>, NIST Special Publication 500-172, November, 1989. <p> <dt>[STIE85] <=
dd> Steinauer, Dennis D.; <b><i>Security of Personal Computer Systems: A=
 Management Guide</B></I>, NBS Special Publication 500-120, January, 198=
5. <p> <dt>[WACK91]<dd>  Wack, John P.;<b><i> Establishing a Computer Se=
curity Incident Response Capabilitv (CSIRC)</B></I>, NIST Special Public=
ation 800-3, November, 1991. <p> <dt>[NIST74]<dd>  Federal Information P=
rocessing Standard (FIPS PUB) 31, <b><i>Guidelines for Automatic Data Pr=
ocessing Physical Security and Risk Management</B></I>, June, 1974.</DL>=
<br>  <b>Further   Reading</B> <p> [1]      Berson, T.A, and Beth, T. (E=
ds.);<b><i> Local Area Network Security Workshop LANSEC '89 Proceedings<=
/B></I>, Springer-Verlag, Berlin, 1989. <p> [2]   Federal Information Pr=
ocessing Standard Publication (FIPS PUB) 83, <b><i>Guideline on User Aut=
hentication Techniques for Network Access Control</B></I>, September, 19=
80. <p> [3]  Gahan, Chris; <b><i>LAN Security, the Business Threat from =
Within</B></I>, BICC Data Networks Limited, November, 1990. <p> [4]  Muf=
tic, Sead; <b><i>Security Mechanisms for Computer Networks</B></I>, Elli=
s Horwood Limited, West Sussex, England, 1989. <p> [5]  National Researc=
h Council; <b><i>Computers At Risk: Safe Computing in the Information Ag=
e</B></I>, National Academy Press, Washington, D.C., 1991. <p> [6]  Schw=
eitzer, James A.; <b><i>Protecting Information on Local Area Networks</B=
></I>, Butterworth Publishers, Stoneham, MA, 1988. <br><hr> <A NAME=3D"F=
ORE_SEC"> <center><b>The Foreword,  Abstract, and Key Words follow: </B>=
<br></CENTER> <p> FIPS PUB 191<br> FEDERAL INFORMATION<br>  PROCESSING S=
TANDARDS PUBLICATION<p>  1994 November 9<br> U.S. DEPARTMENT OF COMMERCE=
/National Institute of Standards and Technology<p>  <h2><center>GUIDELIN=
E FOR THE ANALYSIS OF LOCAL AREA NETWORK SECURITY</H2></CENTER> U.S. DEP=
ARTMENT OF COMMERCE, Ronald H. Brown, <i>Secretary</I><br>  National Ins=
titute of Standards and Technology, Arati Prabhakar, <i>Director</I> <br=
><br><center><b>Foreword</B></CENTER>      The Federal Information Proce=
ssing Standards Publication Series of the National Institute of Standard=
s and Technology (NIST) is the official publication relating to standard=
s and guidelines adopted and promulgated under the provisions of Section=
 111(d) of the Federal Property and Administrative Services Act of 1949 =
as amended by the Computer Security Act of 1987, Public Law 100-235. The=
se  mandates have given the Secretary of Commerce and NIST important res=
ponsibilities for improving the utilization and management of computers =
and related telecommunications systems in the Federal Government. The NI=
ST, through its Computer Systems Laboratory, provides leadership, techni=
cal guidance, and coordination of Government efforts in the development =
of standards and guidelines in these areas. <p>      Comments concerning=
 Federal Information Processing Standards Publications are welcomed and =
should be addressed to the Director, Computer Systems Laboratory, Nation=
al Institute of Standards and Technology, Gaithersburg, MD 20899. <p> Ja=
mes H. Burrows, <i>Director</I><br> Computer Systems Laboratory<p>  <cen=
ter><b>Abstract</CENTER></B> <p>      Local area networks (LANS) that ar=
e used to store, process, or transmit sensitive information must provide=
 appropriate protection to prevent undesirable events such as compromise=
 of information or denial of service.  This document can be used as a to=
ol to help improve the security of a local area network.  A LAN security=
 architecture is de- scribed that discusses threats and vulnerabilities =
that should be examined, as well as security services and mechanisms tha=
t should be explored.  A five-step process is defined that helps the rea=
der to determine LAN assets, environment-specific threats and vulner- ab=
ilities, the risk of those threats to the LAN, and possible security ser=
vices and mecha- nisms that can be used to help reduce the risk to the L=
AN.  A discussion concerning LAN security policy, contingency planning, =
and training issues is also included. <p> <b>Key words:</B> Federal Info=
rmation Processing Standards Publication (FIPS PUB); local area network =
(LAN); LAN security; risk; security; security mechanism; security servic=
e; threat; vulnerability.</P> <br>

<h5><p>Date Created:  1996 =

<p>Last Modified:  March 2000</h5>
<br>
<br>
<hr>
 <center> <menu>Go Back to the<A HREF=3D"#FIPS_TOP"> Top</A>.</MENU> Ret=
urn to the FIPS<br>  <a href=3D"index.htm" target=3D_top">Home Page</a><=
/CENTER> <br><hr><br> </BODY></HTML>
------------lLgrBUPauw5v56O28k2TcN--