
"Survey Report on Security-Related Trends in Israel"


Document No. 2005 情財第 0677 号
Survey Report on Security-Related Trends in Israel
March 2006

INDEX (pages)
Summary: 3-8
Introduction: 9-10
Countermeasures by:
  The Government:
    Activities of the Parliament: 11-15
    The Government Policy: 16
    The Expert Council: 17
    The Treasury Ministry: 53-65
    Tehila: 66-68
    The Standard Institute: 69-70
  The Security Companies: 71-72
  The Technologies: 73-76
  The Users' Countermeasures: 77-80
  Different Threats: 81-89
  The Budget: 90-91
Common Criteria Recognition Arrangement: 92
  In the Government: 93-94
  Security Companies: 95-96
  Enterprises, Users: 97-98
List of Contacts, Institutes and People: 99

Summary

Security in general, and Information Security specifically, is the central concern of Israel's vital existence. Security experts have determined that Information Security is the most important of all security issues, especially because Information Security can be breached from afar, regardless of walls and fences. There is a constant threat to the critical infrastructure of Israel, and it must be protected to the maximum extent from external threats and from the leaking of information. Information management in every field is such a monumental task that it must be performed using advanced network technology. The possibilities for violating network systems are many and varied, and even when a system appears to be successfully protected from outside sources, penetration may still be possible through an employee's negligence or through intentional penetration.

Our report surveyed the current status of the countermeasures taken by the Israeli government and the national policy that the government established in order to enforce Information Security in its organizations. We also detailed the countermeasures taken by companies in which security consciousness is relatively high. As requested, we detailed the budget allocated by the government and by Israeli industry for Information Security, and the types of technologies that are developed in Israel.
In the second part of our report we surveyed the current status of the promotion strategy for security certification and the adoption policy for certified products in the government, among users and among security companies in Israel.

The Government Policy

The government has turned the subject of Information Security over to the Israeli National Security Council, in accordance with the general policy made by the government and enforced by the General Security Services (GSS) through its Operational Authority. The policy of the Israeli government is maximum freedom and services for its citizens, so long as this does not compromise the security of the country. To execute this policy, the aforementioned bodies inspect and instruct the various governmental entities regarding the technological means, systems and budget to be used in managing Information Security. The Operational Authority of the GSS also determines the level of security that will apply in each and every governmental agency, according to its responsibility.

Both ad hoc and permanent committees have been established in every governmental agency to carry out the day-to-day operation of Information Security. A brief description of the committees established to deal with Information Security, aside from those previously mentioned, follows.

The first committee to be established was initiated by the Parliament. It is referred to in our report as the "Parliamentary Committee" and is part of the government's operations. The Parliamentary Committee determined the framework to be established and the changes that needed to be made to existing laws. Following the recommendations of the Parliament, the government established a council for this subject, which specified 38 rules that serve as instructions to the government offices. The council determined that every government office will establish a permanent Information Security committee, with specific tasks for each member of the committee.
These committee members, each with different responsibilities, will have independent authority (within the framework of their tasks) to carry out the activities required for Information Security. The highest authority in every office is the General Manager, who supervises the Information Security system in his office. After the aforementioned council completed its task, the government decided to establish a permanent "Steering National Information Security Council". The Council, which is comprised of specialists, will instruct the various government agencies on the subject of Information Security, based on the experience accumulated.

Technological Countermeasures Taken by the Government

The technologies used by the Israeli government create a number of circles of defense for Information Security. Some of the technologies are developed by government agencies and others are developed according to requirements set by the government. Since the scope of the threats is infinite, there is a need to use technologies and other means that can be divided into two main channels:

A. Technological and Technical:
1. Screening and checking the material that enters the organization.
2. Combining intelligence to locate the source of the attacks.
3. Drafting legitimate hackers (he who knows how to attack knows how to defend).
4. The critical systems are isolated from the Internet.
5. Separation of the management network from the operating network.
6. Blocking the possibility of accessing information through loopholes that are created between the networks.
7. Averting the possibility of remote manipulation of the control panel, which is a shelf product produced by a small number of companies.
8. Preventing the installation of innocent-looking chips that allow the user to obtain information ("chipping").
9. Preventing the passage from open systems to closed systems. (Programs that use open protocols can be used as leads by a hostile source that will withdraw information from them.)
10. Preventing bugging of operating computers, and inspecting and following the remote computers that are the most vulnerable point of any system.

B. Procedural Countermeasures Taken by the Government:
1. Making Information Security widely known, increasing awareness, and assimilating a culture of Information Security among the employees and whoever deals with the subject.
2. Using complex and difficult simulations to maintain a permanent state of alertness.
3. Allocating a generous budget for the Information Security of national infrastructure.
4. Blocking communication protocols (for example, if there is a Trojan Horse on a government computer, it will not be able to withdraw relevant information).
5. Forbidding the downloading of programs to personal computers, or the use of programs for downloading programs, such as music programs.
6. Forbidding access to websites that are not government websites.
7. Forbidding the installation of programs such as Messenger.
8. Inspecting employees' outgoing e-mails.
9. In very high security offices, sending attachments is not allowed.
10. Checking the security clearance of the employees and of any other person with access to the organization's network.

The Security Companies

In Israel there are over 150 companies that develop Information Security technology. Such technologies provide both specific and diverse solutions for Information Security. In general, the technologies developed by the Information Security companies are divided into five major categories. In our report you will find examples of companies in each category of this list:
1. Access control
2. System integrity
3. Cryptography
4. Audit and monitoring
5. Configuration management and assurance

The Users' Countermeasures

We surveyed the countermeasures used by Israeli industry and found that almost all of the companies we approached use antivirus and firewall software. We gave some examples of the types of protection that different segments use, such as banks and law firms that deal with very sensitive information. Obviously, the more sensitive the information handled in the organization, the more security is used; for example, as we mentioned in our report, banks that deal with very sensitive information take high precautions with their security. The companies consult with an expert, either an employee of the company or an external expert, to determine the type of security that will be used in the organization.

The Budget

A key indicator of the importance given to Information Security within an organization is how much of the IT budget is allocated to support security-related staffing, services and products. The average budget allocated in 2005 by Israeli companies for their information security is approximately 5% of the total IT budget. This percentage is an average composed of the different budget allocations made by the companies according to their ability to secure their information. In other words, the larger companies usually spend between 6% and 7%, and the smaller companies allocate 2.5% to 3.5%.

Common Criteria Recognition Arrangement

The Israeli government joined the CCRA in 2000 as a certificate consuming participant (CCP). The ministry that represents the government in the CCRA is the Ministry of Industry and Trade. On its behalf, the Standard Institute carries out the task of promoting, developing and assimilating the CC among:
1. The Government offices,
2. The Enterprises, the users of Information Security technologies,
3. The developers of Information Security technologies.
Up until now the Government has required CC by law in the electronic signature process at two CC EAL levels:
1. EAL4 is used for the components and communication means that are used for the applicants' identification.
2. EAL2 is used for physical cryptographic means to access the digital signature.

The government's internal regulations require purchasing technologies that are certified by CC, with different EAL levels according to the level needed.

Introduction

Information Security is of vital importance to Israeli governmental bodies, industry and other service providers such as banks, insurance companies and medical institutes. In reality, this includes any person who is aware of the risk of the disclosure of his personal information, which exists in government databases, in the databases of any other organization with which he has had contact, and even within his own personal computer. The risks of non-secure information can cause disastrous interference in normal everyday life in the fields of state security, the state economy, infrastructure such as traffic lights, interruption of banking procedures, flooding of entire areas, disruption of work in surgical departments and other important hospital units, theft of information from insurance companies about the property of individuals whose data resides within insurance companies' computers, and so on.

The enclosed report enumerates the countermeasures taken by the different authorities and organizations in Israel in the field of Information Security. The report responds to the two main questions raised by the Information Technology Promotion Agency of Japan, which are outlined below.

1. The first main question is divided into four sub-questions, which refer to the countermeasures taken in Israel by the government, the information security companies and the users against the different threats to information technology. The sub-questions are:
a. What is the government policy?
b. What is the budget allocated for this subject?
c. What are the technologies that have been developed for this subject?
d. What countermeasures have been taken by the users?
2. The second main question relates to the Common Criteria Recognition Arrangement: the current status of the promotion strategy for security certification and the adoption policy for certified products. Specifically, what is the current status of the promotion strategy used by:
a. the Israeli government
b. the enterprises (the users)
c. the information security companies

The Government: Activities of the Parliament in Information Security

The Israeli Parliament established a committee in 2002 whose purpose was to examine and study the subject of Information Security with regard to defining the Israeli state's readiness to withstand the threats inherent in the information era. The committee's goal was to identify areas related to Information Security where governmental intervention was needed in order to remove the various obstacles that stand before the state and society. In its summary, the committee determined that:

The rapid development of the use of communication networks in organizations, and the ability to contact external parties, creates the possibility of penetrating private information. The ability to access various websites has increased the risk of the exposure of information, enabling malicious penetration into an organization's network and its various information sources. The possibility of disclosing an organization's sensitive information causes some corporations and government bodies to hesitate about using communication networks to transfer information whose disclosure may damage their current business. In contrast, the committee found that there are organizations that do not give enough weight to the different aspects of Information Security. Thus, various breaches of security occur which could be taken advantage of by competitors or other hostile individuals.
The committee also determined that business opportunities in electronic commerce, such as the transfer of information and payments over information networks, are a necessary basis for the development of the economy, commerce and industry. Reliable Information Security is a requirement for using information networks. The committee found that Israel's abilities in the field of developing Information Security are among the best in the world, and that some of the finest cryptographers are in Israel. There are many successful and very advanced companies in the field of Information Security, but their abilities cannot be used to develop information security products containing strong cryptography because of bureaucratic restrictions involving licenses and endorsements for marketing. The outcome is that new rules have been implemented. The parliamentary committee determined that the cryptography decree needs to be controlled and permanently adjusted to meet the needs of the industry on one side and the security of the state on the other. Through this process, companies that create information security products will be able to develop new and advanced technologies and export them without harming the security of the State of Israel.

The committee referred to the security of governmental systems and advised that one of the challenges faced by today's governments is to create government information services online (e-government) on existing public networks, thereby giving the citizen access to information sources that are managed by governmental bodies (government information is partly public and available to all, and partly private and should be revealed only to private sectors).
It would be impossible to make such a concept a reality without supplying the means for securing information that will enable the identification of the person (or organization) requesting the information, thereby preserving the privacy of the information without hindering its accessibility. One of the proposed solutions is the creation of a smart card that will contain within it all the information relevant to the performance of electronic commerce, including, perhaps, financial, medical and other related information. It can be assumed, of course, that such means will be available for use by anyone who needs such identification for various purposes, including access to the e-government system. Still, such a system may create some conceptual problems that must be taken into consideration. The committee decided that such potential difficulties must be considered and verified, and may be overcome by choosing the right kind of technology. In addition, the process of choosing the future means of identification should be shared with interested parties, including professionals, lawyers and representatives of the social sciences, in order to consider the social, moral and juristic aspects of the subject.

The parliamentary committee recommended a clear change in the existing situation of Israeli Information Security, and determined that the government should carry out the following actions:
• Collect information on attacks, penetration attempts and penetrations into computer systems within the network.
• Transfer the above information to the developers of Information Security systems, in the quickest possible way and through hidden channels, in order to provide solutions in the shortest time possible.
• Transfer the above information through hidden channels to parallel organizations worldwide, in order to enable a quick reaction to new threats and to locate the sources of penetration.
• Publish advisories that include recommended solutions for system security problems, including a reference to the developer's solution in case of need.

The above will regularize the overall authority and responsibility for supervising the use of cryptography. The committee determined that the law of cryptography should be updated as follows:
• Create a clear definition for measuring licensing for the use of cryptography.
• Create a clear definition of the licensing process (including a definition of the needed activities, time framework, etc.).
• Change the limits on the export of cryptography by barring states that are in open warfare with Israel, or other countries that are defined as terrorist countries.
• Create procedures for governmental systems for Information Security.
• Determine policies (including implementation of the procedures) that will be obligatory.
• Establish professional responsibility for the authorization of Information Security in offices and organizations, including responsibility for updating their professional training.

The new authority will be composed of professionals in the different fields. The authority will derive its authority from the Prime Minister's Office, and its determinations will be obligatory. The committee determined that the Parliament should initiate a new law that will authorize and supervise the use of cryptography. The committee determined that each governmental office would nominate an Information Security authority whose role will be to:
• Increase awareness of the subject of Information Security in the organization for which it is responsible.
• Increase the knowledge of the people who deal with the computer systems.
• Compose relevant instructions for the system on the subject of Information Security.
• Enforce the policies and instructions of the authority in the different computerized systems.
The committee also determined that there is a need for procedures in the field of Information Security so that all governmental communication will be inspected and controlled with regard to Information Security. The committee recommended that the following be included within the rules:
• Authentication
• Access control
• Confidentiality
• Integrity
• Audit
• Non-repudiation

The committee decreed that each project would address the subject of Information Security from its initial stage. Each tender, without exception, will be inspected by the person nominated as Information Security supervisor before its publication, in a manner similar to other legal examinations. A clear endorsement will be needed before the publication of the tender. In the implementation stage of each tender, before the project is handed over to the customer, a clear confirmation will be needed from the Information Security supervisor stating the appropriateness of the Information Security procedures for which he is responsible.

The committee recommended the establishment of an organization that will operate 24 hours a day and whose role will be to:
• Coordinate information on attacks, penetration attempts and penetrations into the computerized systems in the network.
• Share information on such penetrations with the systems' producers, in the quickest possible way and through hidden channels, in order to enable them to supply quick solutions to the breach.
• Share information, through hidden channels, with parallel organizations worldwide, in order to enable a quick response to new threats and to locate breach sources.

The committee also recommended the development of professional manpower for Information Security through academic organizations, such as schools and colleges that teach computer science. The committee determined that Israeli standards must be prepared on the subject of Information Security, and recommended methods to facilitate this process.
In accordance with the recommendations of the Parliament's committee, the government decided its policy on information security as follows:

The Government Policy

The government policy for Information Security guides its offices in protecting, controlling and auditing sensitive information and databases with respect to one or more of the following factors:
A. The regular management and functioning of the state by the government.
B. The regular management of state security and markets.
C. Protecting individual privacy according to the Privacy Protection Law and its decrees.
D. Maintaining the security of sensitive information.
E. Preventing delays or damage in research processing or in the judicial proceedings of any person in any trial.
F. Guarding the information and the data systems according to the decrees of the law.

The government determines that the governmental offices and their authorities must be directed and guided on the subject of Information Security. The government sees as vital the uniformity of the instructions and of the means that the different government offices must adopt in order to maintain Information Security. In addition, the Israeli government determined a clear policy of strengthening and deepening the existing means in order to advance and make more effective the service to the citizen, such as easier exit from and entrance into the State's borders, using a smart card that will be given to each citizen as an identity card, a driving license, a credit card, etc. A smart card will enable the citizen to identify himself during his contacts with the government through electronic means, and will enable contact from the government to the citizen, through technological means such as biometric means or technologies applied through a smart card. The government has instructed its research institutes to intensify their research and to develop the means needed for achieving these purposes.
In addition, the government decided to establish a committee that will guide and instruct the different offices in implementing Information Security technology.

The Expert Council

The Government and the Prime Minister's Office in Israel are aware of the Information Security subject, and in September 2005 established an Expert Council to determine a framework of rules governing Information Security for the Governmental Institutes and Offices. The Expert Council began to construct a program of relevant procedures regarding Information Security and computerized systems, in order to improve information management and the Information Security environment. These procedures include 38 basic principles, which are the basis for the program that every Governmental Institute will formulate for itself. In each Governmental office, Councils were established to determine the framework based on the principles that the Prime Minister's Office prepared. The Expert Council's summary of principles is presented in the following pages, and is the basis upon which the Governmental offices build their own procedures. The purpose of these procedures is:
1. To direct the general manager and the office employees in the preparation of the "Information Security policy", "sensitive information" and "sensitive systems" documents that deal with subjects under the office's jurisdiction, and to aid in their assimilation within the office.
2. To explain to all office employees who deal with sensitive information, who are aided by sensitive information, or who have access to the database and control systems, the Information Security principles regarding sensitive information and database and control systems that were determined by the Council.

The procedure framework also determines who within the Government offices is responsible for managing Information Security.
The general manager is administratively responsible for preparing the policy for securing sensitive information, databases, control and audit, and for supervising the implementation of this policy. The Information Security supervisor (hereinafter "the supervisor") is responsible for preparing the office's policy document (in consultation with the information system manager), which will include all the procedures that the Council has determined. This document will be signed by the general manager. Each of the office employees, without exception, is personally responsible for acting according to the office policy.

The Council also determines the security fields: Information Security and information systems, controls and inspection. These will be implemented in the Government offices, and in its institutes and organizations, by law. This will be implemented in the following fields:
A. Physical security of computers and their environment, and of sensitive documents (papers).
B. Logical security of information access and authorized use of information and information systems.
C. Securing information communication and data (of data systems, control and inspection) in the office's buildings and yards, including information transmitted in channels that are unsupervised or uncontrolled by the office.
D. Securing computer output and different databases.
E. Securing personal computers, including laptops.
F. Preparation for disaster situations (preparing activity alternatives for cases of penetration of information systems, communication systems, control and inspection, and a yearly check of their implementation).
G. Securing non-magnetic or optical documents (papers, formal certificates, seals, etc.).
H. Preparing reliability tests of employees who carry sensitive information, or who are in sensitive positions with regard to information systems, technological control and inspection in the office (all the employees, including contractors and their employees).
I. Preparing audit and supervision of sensitive information and information systems security. The control and inspection are part of the supervisor's role.

Separation of Authorities

The Council determined seven different factors for Information Security in governmental offices. The idea of the Council is separation of authorities, so that every authority or every factor may act independently, with full responsibility for its own actions. The Council demands that the governmental bodies compartmentalize the information and the information systems, control and inspection, and those who are allowed to use or operate them. These will have access only to the part that they need for the performance of their duty. In addition, the Council requires personal responsibility on the part of the managers and the employees for the implementation of the Information Security procedures, including training and implementation of the procedures, as well as internal inspection of the rules and their implementation. Also, the Council imposed responsibility on the Governmental Institutes to include Information Security procedures in contracts with all external users.

Auditing

The Council determined an audit trail in the information systems of the offices, which will enable the identification of users who made changes to the information, data, software or access management tables, or who accessed confidential or very confidential information, detailing and recording the different actions, the date they were performed, the station from which they were made, who performed them, etc. The office procedures will include the scope of the data and the amount of time they will be kept. The Council determined that external parties which supply technology for sensitive information and are connected to the state economy and national security will not be responsible for Information Security in the office.
This includes determining policy, as well as responsibility for the existence of continuous audit and supervision (and its implementation), with respect to bodies that are not regular employees of the office (such as contract workers, outsourcing and others). Only the office employees will administer access and cryptography management, because of the potential for conflict of interest in the care of other systems.

Mapping and Classification of Sensitive Information in Databases

The Council determined that the first and central step among the general activities for securing sensitive information in governmental offices is the process of mapping and classifying sensitive information. This means that the entire set of information resources and systems that exist in the office will be recorded in an organized way that can be reviewed by the different role carriers who need to make decisions in fields such as management of information systems, development, purchasing, maintenance, security and contact with outsourcing suppliers. A clear mapping of all types of information and of information, control and audit systems will enable the determination of all the information resources of unique sensitivity. This will help to develop the methods and tools needed to keep and guard them. This will be done according to two types of information sensitivity:
1. Confidentiality (privileged information)
2. Necessity (maintaining the availability, completeness, reliability and survival of the information).

This activity of mapping and classification is the precondition for the continuity of any action in the field of information systems within the organization. The Council gave examples of how to do the mapping and classification.
After the mapping and classification, it will be possible to carry out further targets such as characterizing the technological information systems, purchase or local development, preparing programs for protecting information, installing technological and administrative means and performing inspections according to the order of preference set by the classification. In any case, the Council determined that within any classification some subjects will always be highly classified: 1. Combined storage means of all the systems, such as backup cassettes of the central system. 2. Information about the software's internal security means, such as security software packages, identification mechanisms and access within the software. 3. The organization's communication system and its protection against external and internal organizational intrusion.

The Council determined criteria for governmental offices as to which information will be considered confidential and which very confidential. Confidential information is information whose damage to completeness, reliability or survival may cause faults such as: 1. Damage to or slowing of the performance of the state's economic, managerial, social, legal and other activities. 2. Causing faults in the work of public bodies that lead to delays or additional expenses in working procedures, or disturbance in the performance of law enforcement. 3. Exposing personal information protected by the Privacy Protection Law (1981). 4. A violation of any rule that necessitates keeping the information confidential. 5. Inside information that the management of the institute wants to keep confidential. Very confidential information is defined as information which, if damaged in its availability, completeness, reliability, confidentiality or survival, may cause damage to, or abort (partially or fully), the ability of the state management or public bodies, by: 1. Giving economic advantage to a foreign state or factor. 2. Causing failure of programs or commercial/economic activities of the State of Israel. 3. Exposure of information that will cause public panic. 4. Exposure of sensitive or restricted personal information, as defined under the Privacy Protection Law, of unique sensitivity. 5. Paralysis of public bodies' information systems. 6. Damage to, weakening or collapse of the State's emergency systems.

Risk Surveys

The Council stated that risk surveys should be carried out in order to ensure awareness of possible threats and risks to information systems and computers, and to assess and manage them appropriately. The identification, audit and minimization or removal of security risks that can affect information systems is made at a regular cost. In risk management, a risk survey is performed whose purpose is to locate the risks to the organization and to assess their severity. This is done in order to enable decision-making that depends upon the risks, order of preferences, cost and schedule. Risk surveys are done in every Government office for follow-up of information security events. The follow-up is done regularly, in order to determine which actions should be taken to prevent information damage in the Government. This follow-up helps to determine the size of the budget that must be allotted and whether the budget should be reduced or increased. In the procedure, the Council notes the Privacy Protection Law, which obliges all public organizations to nominate an Information Security supervisor. The Council defines the different role carriers who comprise the organizational structure for the implementation of information security within the office: 1. A senior managerial factor – the general manager or the deputy director general for management and human resources, who is responsible for the implementation of the office's Information Security procedures according to the Privacy Protection Law (1981 and amendments). 2. A directing factor – the Information Security Steering Council, whose role, among others, is to suggest guidelines, authorize suggested procedures, direct the determination of policy with respect to authorizations and access to data, and determine special events and activities that are risky in enforcement or in relation to managing the office. 3. A security managing factor – the supervisor for information security is a professional and security body that acts according to the office's Information Security procedure. His role is to direct the staff and the end users in maintaining information security. The supervisor is responsible for inspecting the way the information security procedures are implemented, and for initiating, updating, assimilating and implementing the working procedures and regulations in the Information Security field. 4. A security helping factor – a technical role whose carriers are responsible for taking care of and maintaining the information systems within their units, and who, in addition to their role, help the Information Security supervisor in implementing the procedures and are guided by him in subjects of security. 5. Performance factors – information system managers, database managers and infrastructure workers are responsible for implementing the instruments and methods for securing information, according to the procedures determined by the office, with direct mentoring by the information security supervisor. 6. A factor responsible for passing public information – a person with the authority to examine requests for information within the office and to confirm or reject them according to the instructions of the Information Freedom Law (1998). 7. A factor responsible for passing information to public organizations – as required by the Privacy Protection Law (1981), the information security authority will be responsible for this subject.

Committee for Computers and Information Security

The Council, through its decrees, determined that in each government office there will be a central committee for Information Security. It will be the main authority for implementing the Council's decrees. This committee will be responsible for the policy of Information Security in its office, for sharing the budget of IT and Information Security, for surveying penetration attacks and analyzing them in order to set the strategy of countermeasures that each department should take according to the importance of the information it deals with, and for advancing the subject of Information Security within the office with the allocation of appropriate resources. The Council specified who will be a member of the committee and the task of each member.

Checking the Employees' Integrity and Their Commitment to Secrecy

The Council determined that the instructions about verifying employees' credibility and commitment to keeping confidentiality are composed with the purpose of reducing the risk of human error, theft, fraud or unlawful use of information gained in the office. The subject of Information Security and confidentiality will be dealt with during the different stages of the employees' advancement, will be included in their contracts, and will be monitored throughout their employment. Each potential job candidate will be investigated, especially for sensitive roles. All employees and third-party users who use information processing will sign a confidentiality agreement.
This also refers to relations with outsourcing factors. The Council determined a general basis for any arrangement connected to the access of any third party to the organization's information processing equipment: it will be based on a formal contract that contains all the security demands, or refers to them, in order to ensure conformity with the security methods and the organization's security standards. The contract ensures that no misunderstandings will occur between the organization and any third party. The organizations will insure their suppliers' compensation. The Council suggested 21 basic rules in respect of Information Security that the institutes will consider including in the contract between the governmental body and the outsourcing factors; appropriate paragraphs may be added according to need.

Awareness, Guidance, Assimilation

The main factor in any Information Security event is usually connected to the organization's employees; therefore the Council decided to decree rules about training, awareness, assimilation and informing employees. Furthermore, the Council determined that all office employees and, where relevant, third-party users will receive appropriate training and will be regularly updated about the office's actions and procedures. The training will include the security demands, the commitments according to the law and the supervision of the office, as well as training in the appropriate use of information processing facilities, such as procedures for entering the system and the use of software packages, all before access to information and services is given. It was also determined that every year all employees will take refresher courses in order to increase their security awareness, and that any irregular security event will be examined in order to prevent similar events in the future.

Social Engineering

The Council referred to the subject of social engineering, where external or internal factors, within or outside the organization, perform different manipulations in order to gain unauthorized access while being seen as a legitimate user. A social engineering attack is used when there is: A. Lack of a regular password policy. B. Attachment of modems and the accompanying software, such as PC-Anywhere. C. Support processes, such as help desks, that do not give solutions for threats. D. Organizational Internet services that supply superfluous information on working procedures and organizational structure.

Inspection of Information Security

Each office will set a timetable for regular inspections in the central computer unit, in the central office's different departments, in departments that are outside the central office, and in those that are within governmental offices or in other regions. Different kinds of inspections should be performed in order to give a comprehensive answer to the general rules of Information Security. It is preferable to prepare a classified checklist for a quick examination of the subject, to make it easier for the examiners not to skip any inspection. The legal department should be consulted before the performance of an inspection which might harm an individual's privacy. The internal office controller will be updated about the contents of the inspection program before it is publicized. Before every inspection, a plan mapping the inspection program will be written. A detailed list of parameters will be issued before each inspection and will detail the types of inspection which will be carried out. This list will be forwarded to the examinee before the inspection. The information security supervisor will coordinate each inspection in advance with the manager of the inspected department, in order to ensure that the inspected body will assist in the inspection process.
Additional rules were determined for office security and for inspection of end stations, servers, communication, applications, compliance with the privacy law, and access control, which will include: • A confidential examination by an external examiner, who will try to gain access to the site. • An open examination, which will examine the performance of access control on the physical level. Finally, the Council determined how to treat the findings that will be gathered, including the choice of inspection means. The inspection means that are required of organizations by law are: • Rights of intellectual property. • Protecting organizational records. • Protecting the data and the privacy of private information. Means of control that are considered necessary for the organization are: A. A document of information security policy. B. Allotting authority in the subject of information security. C. Training and mentoring in subjects of information security. D. Reporting information security events. E. Managing business continuity (recovery program). In addition, inspection must also be determined regarding access to the central computer and PCs.

Inspection of Access to the Central Computer and PCs

If the central computer processes confidential information, two physical security circles will be built around it: an external and an inner perimeter. Compartmentalization will be performed for employees and strangers in the site that comprises the central computer. The following sites compose the area of the central computer: • The operation hall. • The library of optical and magnetic media. • The communication room. • The typing room. • The output/input room. • The machinery, air conditioning and power room. • The communication lines in the field of computer units. Decrees were determined regarding the presence of different role carriers in the central computer unit, in the areas where they need to be according to their duty. Other invitees who are not office employees will be accompanied from the moment of their entrance to the compartmentalized area of the information system, throughout their stay, until they are out of that area. It was also determined that a special detection and warning system will be installed. The decrees determine how to build the central computer unit. The instructions describe the width of the internal and external walls, the type of blocks used, the type of concrete, the strength of the grilles, the gaps between the grilles, etc. A single external entrance will be defined for employees' passage. All the other openings will be locked in a way that will still enable escape in emergency situations. For the second security circle it was also determined that the site will be planned and constructed with partitions and walls according to compartmentalization principles, with supervised passages through physical, electronic or human means. The decree also determines the method of construction of the site of the central computer: the width of the inner and outer walls, the type of blocks and concrete to be used, the strength of the bars and the spacing between them. Only one entrance and exit will be available for the employees. All other doors will always be locked but will allow emergency passage.

Compartmentalization, Authentication and Authorization of the Users:

The Council found it necessary to enlarge its rulings to include the small details that explain to the addressed governmental bodies how to act in this case. We will hereby explain the Council's following decrees, which determine the securing of the use of the computer, based on a security mechanism built into the operating system.
All options that the system provides must be operated. All users of the information systems will be given personal passwords upon joining the system; only through the passwords may they gain access to the system. Each of the system's users, without exception, will be personally defined and have his own exclusive authorizations. The different database managers will be responsible for determining the access of the employees under their supervision. The implementation of the authorizations will be performed in coordination with the application managers and the direct managers. To remove any doubt, it is emphasized that the authorization is not the only possibility of access to a certain system. There will also be a clear definition of the activities that the users can perform in each screen/application: retrieval and/or updating and/or addition and/or deletion. A user/programmer who wishes to enter the system will be asked to identify himself. Only if the identification has passed successfully will the subject receive on screen a list of the systems/applications that he may access; the list will not include other applications. The identification of the user will be through his user ID. In case of a problem in identification, the communication will be blocked and an appropriate message will be displayed. Only the responsible operator or another authorized person may free the block, after examining the case. It will not be possible to pass from one application to another, or from a development working environment to a production working environment, without going through the main menu and the password system. The activity of programmers in the production environment will be defined as an irregular activity, with all its implications. The routine activity of the programmers will only be performed from the programmers' stations in the area of the computer unit. It will be forbidden to use the stations of operators or of any other users, barring exceptional events. The group of system operators will be separated from that of the application programmers, and this applies to the level of authorizations as well: it is recommended that the application programmers and the system operators not receive the same level of authorization. Once a year, the system operators will inspect the users in order to update the authorization list. The inspection will be initiated by the system operators and coordinated with their direct supervisors. The system operator will add or delete people from the list only on written notice from the database manager. An immediate notice will be forwarded to the system operator once an employee leaves the company (including a manpower worker) or changes jobs within the company. The responsibility for sending the notice belongs to the direct manager or the human resources manager in the organization, and he will immediately cancel the access capabilities of this employee. In general, it will not be allowed to work on the computer outside working hours, on weekends and on holidays; this will only be allowed in special cases and with advance coordination with the system operator.

Password Authentication

Each user will only be able to access the database as per his permissions, in order to reduce the exposure of personal passwords. On top of the authentication by user name, access will only be possible with a password. These passwords will serve as the main protection for authenticating access.

Identification and Verification of Users by Biometric Means

The Israeli Government decided in 2002 to establish a committee with representatives from the different governmental offices in order to examine the need for and possibility of using biometric means for Information Security in governmental offices.
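The identification and authorization rules just described (personal user ID and password, a per-user list of permitted applications with the four defined activities, blocking on a failed identification until the responsible operator frees it, and immediate cancellation of access when an employee leaves) can be modelled in a few dozen lines. The following is an added example written for this report; it is not the Council's or any office's software. The user records, passwords, application names and the choice of PBKDF2 for password storage are assumptions of the example.

```python
"""Added example: a small model of the identification and authorization
rules described above. Not the Council's or any office's software; user
records, passwords and application names are constructed sample data.

Rules modelled:
  - every user is identified by a personal user ID and a password;
  - a successful identification yields only the list of applications the
    user is authorized for, with per-application actions (retrieval,
    updating, addition, deletion);
  - a failed identification blocks the user until a responsible operator
    frees the block after examining the case;
  - a notice that an employee has left (or changed jobs) cancels access;
  - every decision is written to an activity journal (audit trail).
"""
import hashlib
import hmac
import os
from dataclasses import dataclass, field

ACTIONS = {"retrieval", "updating", "addition", "deletion"}


def _hash_password(password: str, salt: bytes) -> bytes:
    # Passwords are never stored in clear. PBKDF2 is an assumption of this
    # example; the procedure itself does not prescribe a hashing scheme.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


@dataclass
class User:
    user_id: str
    salt: bytes
    pw_hash: bytes
    authorizations: dict = field(default_factory=dict)  # application -> set of actions
    blocked: bool = False
    active: bool = True


class AccessControl:
    def __init__(self, operators):
        self.operators = set(operators)  # responsible operators who may free a block
        self.users = {}
        self.journal = []                # activity journal: (event, user_id)

    def define_user(self, user_id, password, authorizations):
        """Personally define a user with his own exclusive authorizations."""
        unknown = {a for acts in authorizations.values() for a in acts} - ACTIONS
        if unknown:
            raise ValueError(f"unknown actions: {sorted(unknown)}")
        salt = os.urandom(16)
        self.users[user_id] = User(user_id, salt, _hash_password(password, salt),
                                   {app: set(acts) for app, acts in authorizations.items()})

    def identify(self, user_id, password):
        """Return the applications the user may access, or None on refusal."""
        user = self.users.get(user_id)
        if user is None or not user.active or user.blocked:
            self.journal.append(("refused", user_id))
            return None
        if not hmac.compare_digest(_hash_password(password, user.salt), user.pw_hash):
            user.blocked = True  # communication blocked until an operator frees it
            self.journal.append(("blocked", user_id))
            return None
        self.journal.append(("identified", user_id))
        return sorted(user.authorizations)  # other applications are not listed

    def free_block(self, operator_id, user_id):
        """Only a responsible operator may free a block, after examining the case."""
        if operator_id not in self.operators or user_id not in self.users:
            self.journal.append(("free_block_refused", operator_id))
            return False
        self.users[user_id].blocked = False
        self.journal.append(("freed", user_id))
        return True

    def may(self, user_id, application, action):
        """Per-screen/application check of one of the four defined activities."""
        user = self.users.get(user_id)
        if user is None or not user.active or user.blocked:
            return False
        return action in user.authorizations.get(application, set())

    def cancel_access(self, user_id):
        """Immediate cancellation on notice that the employee left or changed jobs."""
        user = self.users.get(user_id)
        if user is None:
            return False
        user.active = False
        user.authorizations.clear()
        self.journal.append(("cancelled", user_id))
        return True


if __name__ == "__main__":
    ac = AccessControl(operators={"operator1"})
    ac.define_user("clerk7", "s3cret", {"payroll": ["retrieval", "updating"]})
    print(ac.identify("clerk7", "s3cret"))        # ['payroll']
    print(ac.identify("clerk7", "wrong"))         # None, and clerk7 is now blocked
    print(ac.free_block("operator1", "clerk7"))   # True
```

The model keeps the separation of duties the procedure asks for: the operator role can free a block but has no say in what a user is authorized to do, which stays with the database manager's written notice (here, the `define_user` call), and the journal records refusals as well as successes so that the annual authorization review has something to inspect.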
This will be done with reference to the balance needed between these purposes and other principles, such as protecting privacy, using biometric applications in the service of the state, preventing fraud and improving security in governmental offices and organizations. The committee will examine the existing biometric applications and will determine guiding rules for adopting biometric applications in governmental offices. The committee will examine each application by the relevant office, taking into consideration its special needs. This decision will not delay any work which is performed to advance the use of biometric applications in governmental offices, including inter-office working groups that advance the program for applying biometric applications on the subject of foreign employees or law enforcement authorities. The government established a special ministers' committee which will be responsible for Information Security and will guide the committee of government office representatives. The ministers' committee issues decrees and rules on this subject, as well as on the use of biometric security means for identifying irregular or double payments made through governmental offices and the Social Security, and on including biometric information in the identity certificate that will appear in the newly planned smart card and passport. This includes the factors that must be included in the biometric solutions and the principles for implementing biometric systems in the different government offices. The committee determined four levels of risk and security classification. One example of the four: biometric systems for activity at high risk levels. These are defined as biometric systems that require several additional security circles that will prevent an opponent at the level of a foreign intelligence service from attacking the system in order to perform hostile activities or to damage the system's regular operation. Specifically, this refers to an attack by a body with high technological capabilities and a readiness to invest research, time and money in attacking the system.

Another subject that the committee addressed is the integration of a new information unit into one of the government offices. All new information systems (bought or developed) will be examined. In addition, any update of existing systems will be examined and confirmed in order to formally approve its use in the office. The Council provided instructions on how to endorse and carry out a plan for the integration of the system, including instructions about the installation and fitting of the system as well as about updates or upgrades of the system; this refers to cases where an external body does the updating or upgrading. The committee prepares instructions on the subject of installing software or hardware within a system, without the will or knowledge of the owner/user, for the benefit of a foreign factor. Within the Council's decree several instructions deal with securing the activities of development and maintenance of information systems, including infrastructure. The instructions cover the different applications of the governmental offices as well as applications developed by the users. The Council determined that initial planning of security components in the stages of gathering information and primary characterization of the needs is the only way to guarantee a system with appropriate security means. The lack of security integration in each of the system's development stages, and an effort to build it in at later stages, is tied to high costs, incomplete solutions and sometimes even the inability to find any solution. It is forbidden to develop any system and/or to perform any correction in the production area. Each development of a system, improvement or correction will be made only within the development environment.
Use of the production environment will only be done accompanied by the responsible office body within the system. In formulating the demands of the office for new systems or for improving existing systems, the inspection demands must be declared. The demands must take into account the automatic inspections that must be integrated within the system and the need for support of non-automatic inspection systems. The instructions regarding the techniques for security activities and preventing intrusions into the programs of governmental offices deal, among other things, with: 1. Securing application systems – the planning of application systems, including applications written by the users, will include an appropriate inspection and audit trail or activity journal. These will validate the input data, the internal processing and the output data. 2. Validating the input data – must be done in order to ensure reliability and validity. The output data will be examined and the following inspections will be considered: A. Double inspections or other inspections of output, in order to discover mistakes such as the following: • Values that deviate from the ranges. • Invalid entries in the data fields. • Missing and incomplete data. • Upward or downward deviation from the given volume limits. • Unconfirmed or inconsistent inspection data. B. Periodic reviews of the contents of the main fields or of the main data files, in order to confirm their validity and integrity. C. Examining the input documents on hard copies in order to discover any unauthorized changes in the input data (all changes in input data must be authorized). D. Reaction procedures for mistakes found in validation. E. Procedures for examining the plausibility of the input data. F. Defining the responsibility of the employees involved in the process of entering data. 3. The internal inspection process for preventing corruption of entered data will be integrated within the validation of the systems. 4. Inspections and controls will be determined according to the character of the application and the business implications of data corruption. 5. Verification and authentication of messages is a technique used for discovering unauthorized changes in the content of electronic messages or their corruption. It is possible to apply the technique in hardware – a physical device for verifying identity – or in software, an algorithm for verifying the messages' authenticity. 6. Validating the output data – will be done in order to ensure that the processing of stored information is correct and appropriate for the circumstances. 7. Cryptographic controls and cryptographic techniques will serve to protect sensitive information which cannot be protected by other controls. 8. A policy for using cryptographic controls will be developed in each office for protecting its information. Such a policy is needed in order to maximize the benefits and minimize the risks tied to using these cryptographic techniques. 9. Cryptography – using the office's cryptographic policy, taking into account the relevant demands of the law and the national limitations on cryptographic techniques in different parts of the world, with respect to the flow of information across national borders. 10. Digital signatures are also a protective means for the authenticity and validity of electronic documents. Other techniques mentioned as part of Information Security means are: 11. A non-repudiation service will be used when there is a need to settle disagreements about the occurrence or non-occurrence of any event or activity. 12. Managing cryptographic keys is necessary for the effective use of cryptographic techniques. Any compromise or loss of keys may put the verification, authenticity or validity of information at risk. The key management system will be based on an agreed group of standards, procedures and security means. In order to reduce the probability of putting keys at risk, they will have known dates for the start of operation and for cancellation, so that they can only be used for limited periods. This period will depend upon the circumstances of the cryptography, its control and the assumed risk.

Protecting the System's Data Controls

Special protection must be given to the control system, especially if it contains private information that must be concealed; if such data are used for control, they must be supervised. The decrees determine rules for the security of development and support processes, as well as change control procedures.

Treatment of Input/Output Documents

The goal of the treatment of input/output documents is to reduce the risk of exposing classified information contained in those documents, through appropriate security treatment. Each output produced from the computer will receive a classification according to the database classification. Every copy of a computer report which includes "very confidential" material will be numbered, and the number of pages will be marked on each copy. This will be done by hand, and the numbers will appear on the first and last page of each copy.

Management and Security of Storage on Magnetic and Optical Media

It is easy to reconstruct information from magnetic and/or optical storage, and this can be a severe security hazard unless appropriate security measures are taken. Magnetic storage media will only be used by authorized users.

Forwarding and Taking Out Information:

The Council issued a special procedure for this subject, the purpose of which was to provide instruction on how to take data out of the office.
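Three of the controls in the list above (input data validation in item 2, message verification in item 5, and keys with known start and cancellation dates in item 12) fit together naturally in one batch-processing check: records are validated before they are accepted, the accepted batch is protected with a keyed MAC, and the MAC key refuses to work outside its use period. The following is an added example written for this report, not the Council's code; the record layout, field ranges, volume limits, key material and dates are all constructed assumptions.

```python
"""Added example of three controls listed above, combined in one batch
check: validation of input data (range, missing/incomplete fields, volume
limits), message verification with a keyed MAC (HMAC-SHA256), and a key
that is only usable between a known start date and cancellation date.
Not the Council's code; record layout, ranges, key and dates are assumed.
"""
import hashlib
import hmac
import json
from datetime import date

# Assumed record layout: field -> (required?, (min, max) for numeric fields, or None)
FIELD_RULES = {
    "employee_id": (True, (1, 999_999)),
    "hours": (True, (0, 200)),
    "rate": (True, (0, 1_000)),
    "note": (False, None),
}
VOLUME_LIMITS = (1, 1_000)  # assumed acceptable number of records in one batch


def validate_record(record):
    """Return a list of findings for one record (an empty list means valid)."""
    findings = []
    for name, (required, bounds) in FIELD_RULES.items():
        value = record.get(name)
        if value is None or value == "":
            if required:
                findings.append(f"missing {name}")       # missing / incomplete data
            continue
        if bounds is not None:
            if isinstance(value, bool) or not isinstance(value, (int, float)):
                findings.append(f"invalid entry in {name}")  # invalid entry in a field
            elif not bounds[0] <= value <= bounds[1]:
                findings.append(f"{name} out of range {bounds}")  # value outside range
    for extra in sorted(set(record) - set(FIELD_RULES)):
        findings.append(f"unexpected field {extra}")
    return findings


def validate_batch(records):
    """Check the batch volume and every record; returns {index or 'batch': findings}."""
    findings = {}
    if not VOLUME_LIMITS[0] <= len(records) <= VOLUME_LIMITS[1]:
        findings["batch"] = [f"volume {len(records)} outside {VOLUME_LIMITS}"]
    for i, record in enumerate(records):
        problems = validate_record(record)
        if problems:
            findings[i] = problems
    return findings


class MacKey:
    """A MAC key with known start and cancellation dates (limited use period)."""

    def __init__(self, key_id, secret, start, cancel):
        self.key_id, self.secret, self.start, self.cancel = key_id, secret, start, cancel

    def usable_on(self, day):
        return self.start <= day < self.cancel


def canonical(records):
    # Deterministic serialization so both sides compute the MAC over the same bytes.
    return json.dumps(records, sort_keys=True, separators=(",", ":")).encode("utf-8")


def sign_batch(records, key, today):
    """Produce the MAC tag for a batch; refuses a key outside its use period."""
    if not key.usable_on(today):
        raise ValueError(f"key {key.key_id} not usable on {today}")
    return hmac.new(key.secret, canonical(records), hashlib.sha256).hexdigest()


def verify_batch(records, tag, key, today):
    """True only if the key is within its period and the tag matches the content."""
    if not key.usable_on(today):
        return False
    expected = hmac.new(key.secret, canonical(records), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, tag)


# Constructed sample batch (made-up data).
SAMPLE_BATCH = [
    {"employee_id": 1042, "hours": 160, "rate": 85},
    {"employee_id": 1043, "hours": 250, "rate": 85},   # hours out of range
    {"employee_id": 1044, "rate": "n/a"},              # missing hours, invalid rate
]
# Constructed key: usable during March 2006 only.
SAMPLE_KEY = MacKey("k-2006-03", b"example-secret-not-for-real-use",
                    date(2006, 3, 1), date(2006, 4, 1))
```

Running `validate_batch(SAMPLE_BATCH)` flags records 1 and 2; only record 0 would be signed. A tag computed on 15 March 2006 verifies on the same batch, fails on a batch whose rate field was altered, and fails again once the key's cancellation date has passed, which is exactly the "limited period" of use that item 12 asks for. Item 5's hardware alternative (a physical verification device) is outside this software example.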
In the case of forwarding information and/or taking it out of the office, the information must never leave the employee's sight if it has been defined as confidential, contains concentrated details about people, or is information classified as sensitive according to the instructions of the Privacy Protection Law, as well as any other information about the office. The employee will not take any information out of the office for any purpose without receiving his manager's endorsement to do so, and before he has been briefed about the Information Security procedures which he must implement. All irregular cases relating to Information Security will immediately be reported by the person who has the information to the Information Security supervisor and to the employee's direct manager.

Forwarding Information between Public Organizations:

Forwarding information between public organizations will only be done according to the demands of the law, both where the government office is the referring factor and where the application is referred to the government office. The receiver of the information will sign a commitment that he/she will not pass the information to any third party and will use it only for the purpose for which it was given. Special attention is given to databases containing information about people; they must be treated according to the Privacy Protection Law. In contrast, Information Security of the inventory of the office's software and hardware includes instructions about the control of the software and hardware and their location, to help prevent the installation of software that can harm the equipment or the information contained therein. Such a listing of software and hardware helps to effectively protect all property. An additional area that has special security is formal records and certificates. The purpose of this special security is to prevent hostile or unauthorized factors from gaining the information contained within the records, or harming their reliability, wholeness, availability and survival. The Council determines which information is a document or certificate that must be protected, and the different types of information that need protection. For example, information whose confidentiality, wholeness, reliability, availability or survival is harmed may cause one of the following: 1. Harm to the state's normal management. 2. Harm to or disruption of the regular activity of government offices and other public authorities. Information which requires special protection may contain one or more of the following elements: • Private information protected by the Privacy Protection Law (1981) and its later rulings (1985). • Information about policy that is still in the formation stage. • Information that includes details of negotiations with a body or person outside the organization. • Information that must be kept by law. • Secret commercial information or professional secrets that have monetary value and whose publication could damage that value; and information regarding commercial or professional issues related to a person's business that, if revealed, could harm professional, commercial or economic interests. • Information that reached the public authority on the condition that it not reveal its details, and whose revelation might harm the continued reception of such information. • Information about the working methods and regulations of a public authority that deals with law enforcement, that has investigating or control authority, or that clarifies complaints by law, if its revelation could cause one of the following: 1. Damage to enforcement or control, or to the clarification of legal complaints by the organization. 2. Damage to investigation procedures or trial, or to a person's right to a fair trial. Revealing, or making it possible to reveal, the identity of the source of privileged information. • Information with respect to disciplinary issues of an employee of a public organization, except for information regarding public procedures by law.

Until now the decrees dealt with steps for the security of information in different governmental bodies and offices. From here on, the instructions concern the measures that must be taken in case the above-mentioned measures are unsuccessful and an intrusion into the information systems has occurred.

Disaster Recovery Planning:

The purpose of the Disaster Recovery instructions is to prevent any disruption of the office's activities, to protect critical procedures from the effect of serious failures or disaster situations, and to define the organization's procedures for recovery in cases of serious damage to computerized systems. The instructions state that the office must be prepared for an intrusion into information systems, which can sometimes cause critical damage to property or persons. During an emergency, the staff will take the following steps: evaluate the situation, determine the level of disaster, and pass its findings on to an entity with the authority to declare a state of emergency. The recovery plan will take into consideration the preparation of all office sectors and the connection between the server and the different computer units after damage has occurred to the server. The treatment will include not only the computer units but also the relevant office activities from the moment the damage occurred until the problem has been rectified. A replacement site will be created as a temporary solution for a disaster scenario in which use of the permanent site is impossible. It is also determined that once a year an inspection must be performed on all recovery programs.
This inspection will include restoration of backup files and use of alternative sites. Testing the alternative site will include transport and use of backup copies of the different databases.

Securing PC Software and Hardware:

Special instructions are given regarding removable disks, PCs, Palm Pilots and laptops. Portable computers, such as Palm Pilots and laptops, are forbidden in the workplace. In addition, employees are not allowed to access information which they do not need for their work. Obviously, people who do not work in the office are also denied access to any sensitive information. The access password must not be revealed or exposed to anyone without proper clearance, in any case.

Viruses in Private Computers:

1. The infection of computers by viruses is very rapid and could cause damage to information stored within the office network and to the programs installed on the office computers. Viruses would disrupt the working procedures of the office and cause loss of working hours.
2. The user must ensure that an up-to-date anti-virus program is running on his computer, and should in no way disable it.
3. No outside programs may be brought in for use on the office computers unless they have been authorized by the computer authority.
4. In the event that information must be received or transferred by means of magnetic disks, from outside to office computers or from office computers to an outside computer, all such disks must be free of any and all viruses.
5. It is mandatory to run a virus scan of the computer's hard drive, and of any and all removable disks that are used daily, every few days.
6. It is mandatory to check each disk or CD before using it. Only programs that were purchased legally and have been endorsed by the office may be installed. No use should be made of programs from unauthorized sources. Only a certified technician will install software.
An anti-virus program must be installed on every computer. Any computer which has been authorized to connect to the Internet will be automatically updated. The connection of a laptop to the office's communication network will only be done after the manager of laptops in the information systems unit has verified the continuous existence of appropriate protective software for both the laptop and the office network. Storing information on a removable disk will only be allowed on the condition that these disks are stored separately from the computer itself.

In addition, the Council determined that removable disks might be used as a means of eavesdropping. Owing to their small size and data storage capacity, removable disks present the risk of the information stored on them being exposed to undesirable persons or entities. Therefore, it is totally forbidden to enter the office with any private removable disks.

Communication Security

Communication security concerns communication between office computers and computers that are physically located elsewhere, where the communication lines pass through public areas outside of the secured building. External communication is defined as communication from a computer to a station, from a computer to another computer, or from a computer to any distant input/output means.

Transfer of confidential information using a modem or dial-up line between computers within government offices and organizations will be allowed only in special cases. Further, such transfer will be allowed only on the condition that a thorough examination is done prior to the transfer, to ensure that all security systems (cryptography, filtering, etc.) are operating properly. This examination, which will follow administrative procedure, will make use of a digital signature and any other means deemed necessary, according to the regulations.
Whenever the information to be transferred is sensitive, the external communication will be encrypted. Programs and mechanisms will be installed and operated to warn of and locate intrusions into the networks. An office that operates a TCP/IP network is required to regularly operate such mechanisms in order to locate intrusions into the network. Also, checking mechanisms that identify dangerous programs, such as viruses, Trojan horses, or Java and ActiveX threats that may infiltrate the systems, will be installed and operated.

e-Government: Connecting the Public to Government Services and Vice Versa:

The Council determined rules for Information Security, efficiency of information systems, and the steps that will be taken in order to be prepared for the connection of the information systems to external communication. In addition, the Council determined which subjects must be addressed in the planning process, such as access, identity verification, access control, ratification, prevention of information system activities, maintaining confidentiality, preserving the completeness and verification of data, ensuring the availability of information, monitoring, analysis and reaction.

The Technologies Recommended for the Implementation of Information Security That Will Allow the Public to Connect to Governmental Institutes are:

A. Division and Compartmentalization

1. Electro-mechanical switching between two different networks, together with the partition of the computer's hard disk into two storage areas, each with a different classification (as well as a "transfer zone"), in order to transfer information from the public area (which isn't sensitive) to the secured area of the disk while preventing any possibility of passing information in the opposite direction. This method was examined and confirmed by the Council for compartmentalization between the unclassified networks and the classified networks.
2. A special A-B switch, which enables communication between the computer and a single network at a time (the networks having different classifications), prevents direct connection between networks with different levels of classification.

B. Electronic Smart Card

It is necessary to have a smart card that supplies a changing code in order to verify a user who tries to access the system. It is necessary to extend the implementation of access control to databases of medium or high necessity.

C. Mechanisms for Authentication and Authorization

The request for information is sent to a server, which verifies the identification of the user. The server performs authorization and recording of the references.

D. Digital Signature

A digital signature is a mechanism whereby the employee who creates the information "signs" the transferred information. The employee who receives the information verifies the identity of the "signer" and thereby confirms the completeness of the information sent.

E. Implementation of File Signatures

F. Cryptography

Cryptography is a technology which guarantees the secrecy of information transferred through the networks. (Handling cryptographic "confidential" information in the government offices will be according to Council regulations.)

G. Mechanisms for Locating and Flagging Vulnerable Points

Recording mechanisms will be activated in order to record the information flow processes (external monitor, trace functions and so on).

H. Leaving trace mechanisms open is a security risk, because it enables the withdrawal of information; therefore the employee who is authorized to use a trace mechanism must shut it immediately when he stops using it.

I. Activating mechanisms that search for loopholes within the system and warn about them.

J. Passing Information in a Reliable Protocol

Using a reliable protocol can contribute to the completeness and authenticity of the data, using appropriate security mechanisms, repeat broadcasts, numbering of information units, etc.

K. Increasing Security of Information Flow Through Alternative Means

Alternative means of increasing the security of information flow include: dialing checksums, repeat broadcasts, numbering of information units, etc.

L. Managing a Mediating Network

Managing a mediating network parallel to the flow of general information (out of band), and passing the network's management information through a channel other than the regular information channels, will prevent the attacker from controlling the audit information even when he controls the information data.

M. Mapping security technologies before activities.

N. Authentication Security Certification
- Digital signature use.
- Locking components that enable a change of the guiding mechanisms.
- Locking components that can put at risk factors such as the protocol components, or software that enables access to unauthorized entities.
- Locking of software modules that passed the login opening.

O. Securing the Reliability and Authenticity of the Information and Data
- Applied through the use of a digital signature.
- Applied through file signatures.

P. Securing the Availability of Information
- Protecting the guiding mechanisms.
- Passing highly necessary information in alternative ways.
- Operating a system of network management parallel to a mediator where the general information flows (out of band).
- Locking mechanisms in the protocols or software that enable the "flooding" of the network.
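Items D, E and O above describe signing transferred information and signing files so that the recipient can confirm the completeness of what was sent. The following Python block is an added illustration, not code from the report or from any Israeli government system: it builds a manifest of SHA-256 digests over a set of constructed sample files and protects the manifest with an HMAC-SHA256 tag, then verifies a received copy against it. The keyed tag is a stand-in for the asymmetric digital signature the decree refers to (a shared key proves integrity and origin among key holders, but not third-party non-repudiation); the file names, contents and key are all constructed for the example.

```python
import hashlib
import hmac
import json

# Constructed sample "files" held in memory: name -> content bytes.
SAMPLE_FILES = {
    "policy_draft.txt": b"Budget policy, formation stage, do not distribute.",
    "negotiation_notes.txt": b"Terms discussed with an external supplier.",
}


def sign_manifest(files, key):
    """Build a manifest of per-file SHA-256 digests and a keyed tag over it.

    Example only: HMAC-SHA256 stands in for the asymmetric signature the decree
    describes; a deployment would sign the manifest body with the signer's
    private key so the receiver can verify with a public key.
    """
    digests = {name: hashlib.sha256(data).hexdigest()
               for name, data in sorted(files.items())}
    body = json.dumps(digests, sort_keys=True).encode()
    tag = hmac.new(key, body, hashlib.sha256).hexdigest()
    return {"files": digests, "tag": tag}


def verify_manifest(files, manifest, key):
    """Return (ok, problems).

    ok is True only when the manifest tag is valid AND every listed file is
    present with an unchanged digest AND no unlisted file was added.
    Checking the tag first means a tampered manifest is rejected before any
    file comparison is trusted.
    """
    body = json.dumps(manifest["files"], sort_keys=True).encode()
    expected = hmac.new(key, body, hashlib.sha256).hexdigest()
    # Constant-time comparison avoids leaking how many tag bytes matched.
    if not hmac.compare_digest(expected, manifest["tag"]):
        return False, ["manifest tag invalid: manifest altered or wrong key"]

    problems = []
    for name, digest in manifest["files"].items():
        if name not in files:
            problems.append(f"missing: {name}")
        elif hashlib.sha256(files[name]).hexdigest() != digest:
            problems.append(f"modified: {name}")
    for name in files:
        if name not in manifest["files"]:
            problems.append(f"unsigned extra file: {name}")
    return (not problems), problems


if __name__ == "__main__":
    key = b"constructed-example-key"
    manifest = sign_manifest(SAMPLE_FILES, key)
    print(verify_manifest(SAMPLE_FILES, manifest, key))
    altered = dict(SAMPLE_FILES, **{"policy_draft.txt": b"altered"})
    print(verify_manifest(altered, manifest, key))
```

The manifest covers the whole set, so a deleted or silently added file is reported as well as a modified one; this is the "completeness" property item D asks the receiver to confirm.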
The committee refers to Information Security for the use of the Internet because the government offices and organizations are being prepared today for an accelerated use of Internet communication, as an effective and cheap method of internal communication between the government offices and the other public organizations, of communication between government bodies and businesses both in and out of the country, and of communication with citizens. Each use of the Internet has special and unique risks that necessitate taking technical and managerial measures above and beyond those that government offices have used up until now.

Purchasing protective technology programs such as firewalls or antivirus software cannot give the full protection needed for Information Security; therefore, it was determined that a specialist will be involved in the purchase of programs and their installation, including continuous updates and preventative maintenance. The specialist is required in order to prevent a false sense of security and to ensure that the full protection is given.

Restrictions on direct communication between the Internet and internal information systems within the office were determined, in cases where:

1. Data systems process, store or create information classified as "confidential" and have no means of "secured divisions" within the computer's hard drive;
2. The computer processes, stores or creates information under the "very confidential" classification; or
3. The databases, data, or programs contain information, even if not classified as confidential, that is used for managing the office or the management of the state's economy and is classified as having medium or higher indispensability.

A partition must be made within the systems, which includes a total separation between the database within the office and the Internet. The Council detailed security methods that establish a separation between the systems.

1. This will be done through the establishment of an independent and stand-alone computer which will be a local station of the Internet, and which will be operated according to the following conditions:

A. A stand-alone computer that will not be connected to the internal office network (Intranet), in each of the following cases:
  a) The Intranet is defined as a passage of "sensitive information" which has been classified "confidential" or "very confidential".
  b) The Intranet and the databases contained within it are of medium or high indispensability for managing the office or managing the state economy.
B. The station will be located in a room or in an area where there are no available "hot" ports or "sensitive" office networks.
C. Information that is classified as either "confidential" or "very confidential" will not be processed or stored on the hard disk of the stand-alone computer. No removable information storage such as diskettes, tapes, CDs, JAZ, etc. which has been classified "very confidential" will be kept in the room (or the area) where the stand-alone computer is positioned.
D. The "Supervisor" will include the above-mentioned restrictions in the internal regulations of the office.

2. The establishment of an organizational-internal Intranet, which is not connected to "sensitive" databases, internal or external, or to highly indispensable networks. The condition for implementing secured communication in such a network is that each of its links will be totally different from the links of the sensitive network's connection. This is done in order to prevent employees or maintenance and operation people from connecting (by error or through malice) the Intranet to the databases that process "sensitive information" (in the channeling path of the net cables or in the rooms of the "end user").

3. Compartmentalization/partition in place and time through security equipment (processing two different classification levels in one PC).
  1. Despite the above, whereas storing and processing "sensitive information" on the hard disk of the "stand-alone" computer is restricted, there is a method (based on software switches) which unifies both methods and is described below.
  2. The advantages of this approach are as follows:
    a. It removes the need to install a separate "stand-alone" computer in order to be connected to the Internet.
    b. The "end user" can work alternately and securely in a communication network that has been classified "confidential" or in public networks such as the Internet, telephone network, etc.
    c. The hard disk is partitioned into three separate areas, which enables allotting "a secured area" for storing "confidential" information, "a transfer area" which will be used for the performance of intermediate procedures such as checking for different viruses, and "a public area" to which the public networks (such as the Internet, dial-up lines, etc.) will be linked.
    d. It enables the passage of secured information from the "public area" (which isn't sensitive) into the "secured area", and prevents the passage of confidential information into the "public area".
  3. This method was examined and confirmed for secure use in all the government offices and institutes under the Council's authority, and will be under the responsibility of the supervisor.
  4. This method will not apply to switching between the Internet and "highly confidential" classified networks or computers, or those defined as "highly necessary" to the management of the office or the state economy. No end point or indirect link to the Internet will be established for the network within a room where there is an end point of one of these networks.

Later, the paper presents the decrees that were determined regarding secured import of files and programs from the Internet. A special system will be installed for examining, identifying and cleaning databases (such as disks, movies, etc.), software damage, etc.
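The software-switch method just described, like method A.1 in the technologies list, rests on one rule: files may move from the public area through the transfer area (where the virus check runs) into the secured area, and nothing moves the other way. The Python block below is an added model of that policy, not the Council's or any vendor's implementation: it keeps the three areas as in-memory dictionaries, enforces the allowed direction of movement, runs a constructed stand-in scan in the transfer area (a marker string replaces a real anti-virus engine), quarantines anything that fails, and records every decision in an audit list. Area names, file names and the marker are assumptions made for the example.

```python
from dataclasses import dataclass, field

PUBLIC, TRANSFER, SECURED = "public", "transfer", "secured"

# The only permitted movements between the three disk areas of the decree:
# public -> transfer -> secured. Nothing is allowed to leave the secured area.
ALLOWED_MOVES = {(PUBLIC, TRANSFER), (TRANSFER, SECURED)}

# Constructed stand-in for the virus check performed in the transfer area.
BAD_MARKER = b"MALWARE-MARKER"


def scan_clean(data):
    """Toy scanner: a file is 'clean' unless it carries the constructed marker."""
    return BAD_MARKER not in data


@dataclass
class Workstation:
    areas: dict = field(default_factory=lambda: {PUBLIC: {}, TRANSFER: {}, SECURED: {}})
    audit: list = field(default_factory=list)

    def write(self, area, name, data):
        """A network or user places a file directly into one area."""
        self.areas[area][name] = data

    def move(self, name, src, dst):
        """Move a file between areas; True only if the move is permitted and clean."""
        if (src, dst) not in ALLOWED_MOVES:
            # Covers secured->public, secured->transfer, transfer->public,
            # and public->secured (which would skip the scan).
            self.audit.append(f"DENIED {name}: {src}->{dst} not permitted")
            return False
        if name not in self.areas[src]:
            self.audit.append(f"DENIED {name}: not present in {src}")
            return False
        data = self.areas[src][name]
        if dst == SECURED and not scan_clean(data):
            # Quarantine: the file is dropped from the transfer area and never
            # reaches the secured area.
            del self.areas[src][name]
            self.audit.append(f"QUARANTINED {name}: failed scan in {src}")
            return False
        self.areas[dst][name] = self.areas[src].pop(name)
        self.audit.append(f"MOVED {name}: {src}->{dst}")
        return True

    def denied_count(self):
        return sum(1 for line in self.audit if line.startswith("DENIED"))


if __name__ == "__main__":
    ws = Workstation()
    ws.write(PUBLIC, "report.pdf", b"constructed clean content")
    ws.move("report.pdf", PUBLIC, TRANSFER)
    ws.move("report.pdf", TRANSFER, SECURED)
    ws.move("report.pdf", SECURED, PUBLIC)  # denied: reverse direction
    print("\n".join(ws.audit))
```

The audit list is the part a supervisor would actually review: every attempt to carry a file out of the secured area, and every quarantine, leaves a line, so the policy is checkable after the fact and not only enforced.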
The employee will not use Java or ActiveX, which are restricted for secured use on the Internet. It must be ascertained that special checking mechanisms are installed which identify malicious programs inserted into the system, such as viruses, Trojan horses, or Java and ActiveX. The Council decided to employ external counselors for securing communication with the Internet, providing detailed instructions on the subject.

The government established a committee whose purpose was to advance the project of Israeli preparation for the new information era. Among other things, its role was to create a communication infrastructure between the government offices and the country's citizens. The committee prepared a list of detailed rules and instructions for the clients and for the use of the Internet.

One of the important subjects is the heightening of Information Security awareness among the employees. It is decreed that the instructions must be memorized by the Information Security employees. Use of Information Security will be defined as necessary for any communication within governmental offices. The office employees are personally responsible for Information Security within their fields. This document will be brought to the attention of all the office employees. Severe restraints were determined for employees regarding work from home through the Internet, including rules for cryptography and advanced identification means (smart card combined with a password). The subject of communication security through the Internet is also included within the decrees, including the communication between the citizens and the government.

Special requirements were specified to characterize the Firewall:

A. Protecting the network and the services:

1. Creating a secured qualitative filtering that will enable the passage of information or data only to those who have been specified by the office's information security policy.
2. The default state of the Firewall will block all links to and from the intranet. Only specific links authorized by the "supervisors" will be allowed.
3. Prevention and blocking systems must be activated, as detailed below, blocking attacks and intrusions from the Internet such as the following (this list will constantly be updated):
• SYN flood attack
• Network probes
• IP spoofing
• Session hijacking
• Ping of death (fat ping attack)
• SNMP attacks
• Malformed packet attack (both TCP & UDP)
• ICMP broadband flooding
• ACK storms
• Land attack
• ARP attacks
• Ghost routing attacks
• Sequence number prediction
• Buffer overflows
• Forged source address packets
• Packet fragmentation attacks
• Log overflow attacks
• Log manipulation
• Source routed packets
• DNS cache corruption
• FTP bounce or port call attack
• ICMP protocol tunneling
• VPN key generation attacks
• Authentication race attacks

B. Mechanisms that enable Dynamic Routing will be neutralized through the Firewall.
C. The system will activate supervisory, checking, and filtering mechanisms on all of the following levels:
1. Packet filtering.
2. Checking port circuits.
3. Proxies: it is possible to define each proxy, including a user-defined proxy.
D. The system will activate protection on services and applications such as TELNET, FINGER, PING, FTP, HTTP, RLOGIN.
E. The system will support the protective measures of SMTP services: hiding addresses, limiting the passage of transferred files and attached files, and limiting the size of mailboxes.
F. The Firewall will support the protection of services based on TCP/IP protocols (mostly) and optionally also UDP and RPC.
G. The system will enable support and/or interfaces for designated software that offers solutions for virus protection, in order to verify the existence of viruses attached to electronic mail or in files transferred to the internal network.
H. The system will enable support and/or interfaces to related programs in order to avoid Java Applet and ActiveX attacks.
I. The system will enable a demilitarized area.
J. The system will enable support and/or interfaces for related software that handles filtering of URLs for the purpose of limiting the access of office users to undesirable Internet sites.
K. A Firewall system will also contain content filtering in order to prevent overloading the network with futile browsing, or with any use that is forbidden by the office management. This mechanism will be part of the "Firewall" and will enable the blockage of certain content according to the following categories: confidential or secret content, violence, sex, drugs, etc.
L. URL translation services.
• The Firewall will enable the translation of URL and port numbers in a way that both the URLs and the ports are hidden.
• The Firewall will use the M.A.T. (Multiple Address Translation) method, in order to enable installation and hiding of several servers of the same type, such as SMTP, WWW and FTP.
• Hiding the host or the sub-domain will be possible, and the website or the computer presented in the public network will not be similar to the real URL of the site or the computer.

Protecting the Firewall System Components

A. It is required to create immunity and logistic protection for the Firewall components, including the operational infrastructure.
B. The Firewall will operate on the hard disk operating system, which will be inaccessible even to the system's protocols (the operating system and the Firewall will be integrated into one software).
C. The Firewall will have a dual kernel: one for continuous operation and one for administration and determining configuration.

Managing the Firewall System

A. It will be possible to remotely manage the configuration from the internal network, based on the identification of the user and verification of the identification in a way that will prevent "impersonation" or the possibility of denial.
B. It is required to use a graphic interface.
C. It is required to enable the definition of Rule Base rule authorizations.
D. It is required to enable authorizations by groups.
E. It is recommended to define and manage a uniform Information Security policy for several Firewalls, in case more than one Firewall needs to be installed.
F. It will be possible to enable the decentralization of management authority, giving authorization to managers according to the different management levels. For example: the possibility of compartmentalizing activities between a managerial function that will be allowed to define users and a managerial function that will be allowed to define rules.
G. It is required to define different ACLs and to create different combinations (such as forbidding FTP on certain days of the week, excluding certain e-mail addresses, users and groups, types of FTP, Telnet, e-mail, WWW services, a maximum number of parallel sessions and a necessary level of cryptography).
H. In order to perform FTP and Telnet services from outside the office into the office, Authentication (one-time passwords) will be activated within the Firewall.
I. It will be possible to enable support and determination of different identification and verification options, supporting different identification means such as: password into the operating system, internal password for the Firewall, and common identification means (such as smart cards).
J. It will be possible to enable the limitation of users according to week/day/date working hours.
K. A password protocol mechanism for the Firewall will be installed (manager's and user's passwords), determining the length of the password, periodical demands for changing the password, etc.

Cryptography

A. The Firewall system will enable the support of a VPN (Virtual Private Network) as well as support of DVPN (Dynamic VPN) needed for supporting laptops.
B. The system will enable the encryption of information on the internal network, using algorithms that will be determined by official bodies.
C. It is necessary to encrypt the information flow within the network between the components of the Firewall. In any case, the cryptography will be done according to the protocols of the Council and with the written endorsement of the unit's manager in advance.

Control

A. The databases manager will create an audit trail in order to follow attempts to penetrate the security mechanism of the Firewall, or any penetration attempts into the network.
B. A high and improved level of control will be initiated, and will be enabled whenever a suspected activity is identified.
C. The Firewall must include a log management mechanism which will enable reading and understanding the log.
D. The Firewall will manage a log of the connection and the disconnection of remote users' communication.
E. The Firewall system (built within or alongside) will warn of penetration attempts to the e-mail in real time.

Additionally, restricting rules were determined for private installations or communication through intermediate bodies.

Malicious Software in Private PCs and in Local Networks

The following defines the concept of malicious software: Malicious software is software designed to damage a computer system or database, without the owner's consent. Examples of malicious software include viruses.

Computer virus: a computer program that infects other executable software, and knows how to duplicate itself into data files / sorts, and later damages them in different ways, for example: deleting information, slowing activities, filling the memory, changing information, etc.
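Three of the firewall requirements above are easy to state but easy to get wrong in a rule base: the default state blocks everything not explicitly allowed (A.2), ACL combinations such as "no FTP on certain days" and limits by working hours (G and J), and an audit trail from which suspected activity is identified so that a higher level of control can be triggered (Control A and B). The Python block below is an added illustration of those three points working together, not the configuration of any product the report mentions: a first-match rule evaluator with an implicit final deny, rules that carry weekday and hour windows, an audit log of every decision, and a function that picks out sources with repeated denials. Rule names, addresses and the constructed connection records are assumptions for the example.

```python
from collections import Counter
from dataclasses import dataclass
from datetime import datetime


@dataclass(frozen=True)
class Rule:
    name: str
    direction: str                       # "in" (toward the intranet) or "out"
    proto: str                           # "tcp" or "udp"
    dport: int                           # destination port
    src: str = "*"                       # "*" or one exact address (no CIDR, for brevity)
    days: tuple = (0, 1, 2, 3, 4, 5, 6)  # permitted weekdays, Monday = 0
    hours: tuple = (0, 24)               # permitted local hours, [start, end)


def rule_matches(rule, conn, when):
    """A rule matches only if every attribute AND the time window agree."""
    return (rule.direction == conn["direction"]
            and rule.proto == conn["proto"]
            and rule.dport == conn["dport"]
            and rule.src in ("*", conn["src"])
            and when.weekday() in rule.days
            and rule.hours[0] <= when.hour < rule.hours[1])


class Firewall:
    def __init__(self, rules):
        self.rules = list(rules)
        self.log = []  # audit trail: (verdict, rule name, connection, time)

    def decide(self, conn, when):
        """First matching rule allows; with no match the implicit default denies."""
        for rule in self.rules:
            if rule_matches(rule, conn, when):
                self.log.append(("ALLOW", rule.name, conn, when))
                return True
        self.log.append(("DENY", "default", conn, when))
        return False

    def suspicious_sources(self, threshold=3):
        """Sources with repeated denials, i.e. the 'suspected activity' that
        should raise the level of control (Control B)."""
        denied = Counter(entry[2]["src"] for entry in self.log if entry[0] == "DENY")
        return {src: n for src, n in denied.items() if n >= threshold}


# Constructed rule base. Everything not listed here is denied by default.
RULES = [
    Rule("web-out", "out", "tcp", 80),
    Rule("web-out-tls", "out", "tcp", 443),
    # FTP allowed outbound only on weekdays during working hours (08:00-18:00).
    Rule("ftp-out-weekdays", "out", "tcp", 21, days=(0, 1, 2, 3, 4), hours=(8, 18)),
    # Inbound mail accepted only from one designated relay (constructed address).
    Rule("smtp-in-from-relay", "in", "tcp", 25, src="192.0.2.10"),
]


if __name__ == "__main__":
    fw = Firewall(RULES)
    monday = datetime(2024, 1, 1, 10, 0)    # 2024-01-01 is a Monday
    saturday = datetime(2024, 1, 6, 10, 0)
    ftp = {"direction": "out", "proto": "tcp", "dport": 21, "src": "10.0.0.5"}
    print("ftp monday:", fw.decide(ftp, monday))
    print("ftp saturday:", fw.decide(ftp, saturday))
    for verdict, name, conn, when in fw.log:
        print(verdict, name, conn["src"], conn["dport"], when.isoformat())
```

Note that there is no explicit "deny all" rule: the deny is what happens when the loop falls through, which is the behaviour requirement A.2 asks for and the reason a missing rule fails closed rather than open.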
Logic bomb: also called slag code, is programming code that is inserted surreptitiously and is designed to execute (or "explode") under circumstances such as the lapse of a certain amount of time or the failure of a program user to respond to a program command. A logic bomb, when "exploded", may be designed to display or print a spurious message, delete or corrupt data, or have other undesirable effects. The reconstruction efforts may range from "uncomfortable" to "impossible".

Trojan horse: a program that is intended for one operation but includes an unknown factor that, when it runs, conceals a harmful or malicious payload. Viruses and logic bombs often hide within Trojan horses. The Trojan horse can work quite normally for a long time until the virus's operation mechanism or logic bomb begins to operate.

Worm: a program that scans the system or network and looks for an open place to operate within. A worm tends to tie up the system's or network's resources for the purpose of paralyzing it.

1. In order to prevent the presence of computer viruses, there is a complete restriction on the insertion of any unauthorized program through any CD or drive (a private program or any other program whose source is unknown).
2. Also, there is a complete restriction on installing on the server's disk and/or a personal computer any program that was received by means of external communication from another computer or from external program storage.
3. Each file from any external source, including files and disks, must be examined separately in a stand-alone station that does not contain sensitive information.

Installing and Securing Remotely Controlled Programs:

Securing modems

In general, modems will not be linked to computers that are connected to the office network. Each link will be made through a computer which is not connected to the office network, subject to Information Security instructions. The type of modems that may be installed was also determined.
In general, the modems that may be installed are of two types:
• A modem with qualitative access control.
• A modem with built-in callback means.

The modems that will be installed will be used only for external calls. Modems that will be used as hosts will be characterized by the needs of the projects and the purpose for which they were intended. In addition, they will be designated special security measures. On a telephone line that has been designated for outgoing calls and to which a modem is connected, the PBX will have characteristics that prevent the line from receiving incoming calls.

Use of Fax

It was determined that it is totally forbidden to transfer any information defined as "sensitive information" by fax (according to the Privacy Protection Law). For all the above-mentioned decrees it was determined that, in special cases, it will be possible to deviate from the decree with a supervisor's authorization, although even then special decrees were determined for each possible case. For example, passing sensitive information will be done in the following ways:

A. Forwarding a fax will be possible if the addressee waits by the fax machine, in order to ensure that the fax is delivered to the correct recipient.
B. A cover page will be sent before the actual text, in order to ensure that the addressee receives the information. Only after the supervisor's approval has been given may the sensitive or "low classified" information be sent following the cover page. Barring extraordinary cases, and only by the authorization of the supervisor, any identifying data must be deleted from the paper. It is best that sensitive information be sent from a switchboard extension to a switchboard extension (also possible by direct dialing into the extension) in order to avoid, as much as possible, any eavesdropping on a defined or direct line.

The Treasury Ministry

We chose to present the Treasury Ministry as an example for all the governmental ministries.
Each ministry issued decrees to the offices and institutes under its authority. In the framework of governmental activities in the field of information security, the following are the activities of the Treasury Ministry.

The Ministry of the Treasury issued decrees to its different organizations. While the main structure of the decrees has the same principles, the Ministry tailored each decree to suit the needs of the organization. The Treasury Ministry issued decrees to the insurance organizations under its authority, including insurance agencies, insurance agents and other segments in the insurance field, which will act in order to protect the information of their customers. The structure of the decree includes three fields:

1. Demands for managing Information Security within the organization.
2. General demands for implementation of Information Security supervision.
3. The treatment of subjects that demand special attention.

The instructions determine that any organization that deals with insurance must define the principles of secure use of the organization's information systems. These principles will define the way computerized equipment for processing or keeping information within the organization will be used. These principles will also include Information Security systems that will act to discover the following:

1. Penetration
2. Recording
3. Deterrence, which will expose information intrusions.

The decree is implemented in the following manner:

a. The assimilation of Information Security management within the organization.
b. Defining work programs for the implementation of the decree.
c. The definition of Information Security policies, classifying property and performing risk management.
d. Planning the method for supervision of Information Security, including writing the implementation of supervision of Information Security mechanisms.
The purpose of managing Information Security is to ensure that Information Security is well integrated into the organization's information technology. It is specified in the decree that the initial responsibility lies with the organization's directorate. To define the Information Security policy of the organization, the directorate must detail the role of management in Information Security. Following are a number of instructions to the organization's management:

1. Nominate one of the management members, who will be responsible for the subject of Information Security directly under the CEO.
2. A member of the management will be responsible for the supervision and control of the activity within the field of Information Security, as well as supervising the Information Security working program, in correlation with the organization's Information Security policy.
3. Nominate an Information Security manager who will act directly under the jurisdiction of the management member responsible for the organization's Information Security, giving the latter the resources needed for managing Information Security.
4. The Information Security manager:
• Will not deal with operational fields of information systems that could cause a conflict of interest with the carriers of Information Security.
• Will be responsible for the implementation of Information Security policies.
• Will be responsible for the supervision of Information Security in the organization.
• Will be responsible for the insertion and assimilation of the organization's Information Security.
• Will professionally mentor the organization in leading subjects of Information Security.
5. The Information Security manager will have experience and skills in the field of Information Security.

The Information Security decree specifies different factors, such as the classification of property and evaluating security risks, with the purpose of keeping appropriate Information Security within the organization.
The decree includes an evaluation of the threats to Information Security within insurance organizations, such as threats to medical information and to personal details protected by the right to privacy. The organization must also perform Information Security risk surveys and supervise penetration tests, so that its information systems meet the standard set by the organization's Information Security policy and by the methodology of conventional Information Security systems worldwide. Systems with a high classification are reviewed at least once every 18 months; management determines the survey frequency according to each system's sensitivity.

Each organization keeps detailed regulations on the subject of Information Security. These regulations form part of the Information Security policy and follow the organization's Information Security needs. The head of Information Security approves the regulations once written, or once they are changed, and then proceeds to assimilate them. The regulations are examined and updated as needed: on significant changes in the technological environment, after an attack on or threat to Information Security, and in any case at least once every 24 months.

The Treasury Ministry's regulations set out the form of Information Security inspection, with the purpose of reducing the risks caused by human error, fraud, theft or abuse of the system. The decree details Information Security in the process of recruiting staff, mostly (but not only) for sensitive positions, and deals with raising employees' awareness of Information Security before, during and at the end of their employment. The decree also details the physical means of securing information, with the purpose of preventing unauthorized access to, or disruption of, the business premises and its information.
The Treasury Ministry decree requires secured areas to be allocated as follows:

1. The organization divides its working environment into security circles/areas, each secured according to its level of sensitivity. An example of such a division: high security (server room); moderate security (working areas of office employees); low security (back office, and public areas that visitors may enter).
2. The organization determines the sensitivity of each working area and the type of security to apply in it, according to the information kept there.
3. The organization implements several circles of physical access supervision at each of its sites. The sensitivity of the information and information systems in each area is examined, and the persons allowed access to each area are defined.
4. In line with the risk evaluation, physical supervision for Information Security is defined. It must cover subjects such as access control, physical protection of property, and fire detection and prevention.
5. Access control for areas defined as sensitive must include at least one gateway that opens only after unambiguous identification.
6. Insurance companies that provide public services in their offices separate the areas where those services are given from the regular working areas, so that nobody who is not authorized can enter the restricted areas.
7. Public areas that hold classified information (such as written documents, customers' insurance policies or media containing information for agents) are protected and partitioned to keep out people who are not authorized to access the information. Such areas include offices, agents' mail boxes, archives, and loading and unloading areas.

The Treasury decree also details the security of equipment as follows:

1. Removal of equipment that contains sensitive information from a secured area is done according to the risk evaluation.
2. The organization verifies that equipment containing sensitive information that is intended for disposal or maintenance, or that is handed to a body outside the organization, no longer contains information about customers.
3. Storage media that held highly classified information leave the organization for maintenance only after all necessary steps have been taken to delete the information in a way that prevents its reconstruction by technical means.
4. In line with the risk evaluation, a policy defines the physical handling of documents that are sent outside the organization for scanning, during daily use, at the end of the working day, and when they leave the working environment.
5. The insurance company verifies the shredding of sensitive material that is no longer in use.

The decree sets out details of Information Security in the subjects of management, communication and operation, with the purpose of ensuring continuous and secure operation of the information systems and of protecting the integrity, authenticity and availability of the information so that it is not damaged. To protect the organization's network and its users, the organization establishes measures that reduce exposure to the various threats, including their location, identification and prevention, and including at least:

1. an anti-virus program on every workstation and server;
2. a firewall system that filters network traffic;
3. a system that detects penetration attempts from the Internet and from within the organization itself (IDS);
4. content filtering systems;
5. mechanisms that detect attempts to change, and irregular use of, information in the databases.

In addition, the organization backs up all of its information.

Managing Networks:
The decree sets instructions for managing the network and protecting the infrastructure:

1. Connections between external parties and the organization's network are concentrated through a small number of protected gateways. No "independent" connection that bypasses these secured points of entry is allowed.
2. The different parts of the network are compartmentalized by logical and physical division, limiting the possible connections between them. The level of compartmentalization is determined by the sensitivity of the systems.
3. Inbound and outbound communication is controlled and filtered according to the organization's definitions.
4. Communication activity is controlled and irregular events are located. In addition to continuous control, supervision also takes place in real time.

Damage to business assets in the course of regular business activity must be prevented as follows:

1. The organization considers forbidding the use of removable storage media (such as disks, disk-on-key devices and flash memory). In any case, what is allowed and what is forbidden must be clearly specified with the needs of Information Security in mind.
2. The way removable media are handled and secured is decided according to their use and the information they contain.
3. The organization defines a regular process for deleting logical storage that contains sensitive information about the organization.

When sensitive information is in use within the organization, or is transferred out of it, the decree demands Information Security awareness and therefore supervision:

1. Technical mechanisms are implemented to manage access control to information systems and applications.
2. Access control consists of identification and audit trails between the end station and the server.
3. The access control policy takes into account appropriate compartmentalization of authorizations between the organization, its subsidiaries and other companies belonging to the group that are not necessarily insurance companies.

Insurance organizations must determine means of identification that identify beyond doubt every person authorized to access the information systems. They must also verify that the list of persons authorized to access information systems is properly approved, allocated and maintained. A process for granting and revoking access authorization to information systems and services must be defined; it must be limited and supervised according to the sensitivity of the system. The access authorizations of employees and systems are reviewed regularly, at intervals defined by the organization but not less often than every six months, and authorizations are granted through an authorization-management mechanism.

Access to the organization over the Internet must be controlled to prevent copying or leakage of information, and must use strong identification means; access control from the Internet must enforce the organization's policy. To ensure this, users are issued passwords so that unauthorized users cannot access the information systems. The decree's rules for password management are:

1. The organization defines a password policy and applies it according to the sensitivity of the system.
2. Only the user knows the password.
3. The initial password is defined by the user or given to him in a protected form. In any case, the password is not transmitted over the Internet or over the infrastructure that the password is meant to authenticate.
4. If the password is given to the user, the user's identity must first be confirmed.
The user must change the password at first access to the system, and the initial password remains valid for one day only.
5. Passwords are not kept in any form from which they could be reconstructed, whether in records, in memory or in the database.
6. A password is cancelled immediately if its secrecy has been compromised.
7. If an account is not used for six months, its password is cancelled automatically.
8. Password complexity is determined according to accepted standards (such as Israeli Standard 1495). At a minimum, a password must meet the following requirements:
• length of at least 6 characters;
• a combination of letters and numbers;
• no repeated or consecutive characters;
• no letters or numbers that are adjacent on the keyboard;
• validity ends after 60 days;
• a password may be re-used only after five cycles;
• the system locks after 4 incorrect password attempts.

It is also determined that the organization carries out cryptographic supervision, implementing cryptographic mechanisms to protect the system's vulnerable points. Where a signature or identification is required, a digital signature is used as follows:
A. The organization considers implementing a digital signature to protect the authenticity and integrity of highly classified information.
B. The signature is implemented so that external organizations can identify the owners of the digital signature, using internationally accepted standards.
C. Whenever insurance activities are performed over the Internet between the organization, its customer and third-party companies, the digital signature is implemented in a way that guarantees verification of the sender's identity.
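As an added example (not code from the report or from the Treasury decree), the following Python module enforces the password rules listed above inside an account object: the rule-8 complexity checks, salted PBKDF2 storage so that nothing reversible is kept (rule 5), a one-day initial password that must be changed at first access (rule 4), automatic cancellation after six months without use (rule 7), 60-day validity, a five-password history and a lock after four failed attempts. The 180-day reading of "six months", the US keyboard layout used for the adjacent-keys rule, the PBKDF2 work factor, the `day()` helper and the `Account` API are assumptions of the example, not anything the decree specifies.

```python
"""Account model enforcing the Treasury decree's password rules quoted above.

Added example, not code from the report or the decree.  The thresholds are the
ones listed in the text; 180 days for "six months", a US keyboard layout and
the PBKDF2 work factor are assumptions of this example."""
import hashlib
import hmac
import os
from datetime import date, timedelta

MIN_LENGTH, MAX_AGE_DAYS, HISTORY_DEPTH = 6, 60, 5   # rule 8 bullets
MAX_FAILED, DORMANT_DAYS = 4, 180                    # rule 8 lockout; rule 7
KEYBOARD_ROWS = ("qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890")  # assumed


def day(n):
    """Day n of the example's calendar (an arbitrary, constructed start date)."""
    return date(2006, 3, 1) + timedelta(days=n)


def check_complexity(pw):
    """Return the list of rule-8 requirements the candidate password fails."""
    low = pw.lower()
    pairs = list(zip(low, low[1:]))
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append("too short")
    if not (any(c.isalpha() for c in pw) and any(c.isdigit() for c in pw)):
        problems.append("needs letters and digits")
    if any(a == b for a, b in pairs):
        problems.append("repeated character")
    if any(a.isalnum() and b.isalnum() and abs(ord(a) - ord(b)) == 1
           for a, b in pairs):
        problems.append("consecutive characters")
    if any(a in row and b in row and abs(row.index(a) - row.index(b)) == 1
           for a, b in pairs for row in KEYBOARD_ROWS):
        problems.append("keyboard-adjacent characters")
    return problems


def _hash(pw, salt):
    # Rule 5: only a salted, slow hash is stored, never anything reversible.
    return hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, 100_000)


class Account:
    def __init__(self, user, initial_pw, today):
        self.user = user
        self.history = []            # (salt, digest) pairs, newest last
        self.failed = 0
        self.locked = False
        self.last_used = self.changed_on = today
        self.must_change = True                         # rule 4: change at first access
        self.initial_until = today + timedelta(days=1)  # rule 4: initial password lives one day
        self._store(initial_pw)

    def _store(self, pw):
        salt = os.urandom(16)
        self.history.append((salt, _hash(pw, salt)))
        del self.history[:-HISTORY_DEPTH]              # keep the last five for the reuse rule

    def _in_history(self, pw):
        return any(hmac.compare_digest(_hash(pw, s), d) for s, d in self.history)

    def login(self, pw, today):
        """Return 'ok', 'must_change', 'expired', 'bad_password', 'locked',
        'dormant' or 'initial_expired'; the last three also lock the account."""
        if self.locked:
            return "locked"
        if today - self.last_used > timedelta(days=DORMANT_DAYS):   # rule 7
            self.locked = True
            return "dormant"
        salt, digest = self.history[-1]
        if not hmac.compare_digest(_hash(pw, salt), digest):
            self.failed += 1
            if self.failed >= MAX_FAILED:                          # lock after 4 failures
                self.locked = True
                return "locked"
            return "bad_password"
        self.failed, self.last_used = 0, today
        if self.must_change:
            if today > self.initial_until:
                self.locked = True
                return "initial_expired"
            return "must_change"
        if today - self.changed_on > timedelta(days=MAX_AGE_DAYS):  # 60-day validity
            return "expired"
        return "ok"

    def change_password(self, old_pw, new_pw, today):
        """Return [] on success, otherwise the reasons the change was refused."""
        status = self.login(old_pw, today)
        if status not in ("ok", "must_change", "expired"):
            return [status]
        problems = check_complexity(new_pw)
        if self._in_history(new_pw):
            problems.append("reused within the last %d passwords" % HISTORY_DEPTH)
        if problems:
            return problems
        self._store(new_pw)
        self.changed_on, self.must_change = today, False
        return []
```

`Account("alice", "Hx3Qm7", day(0)).login("Hx3Qm7", day(0))` returns `'must_change'`; after a successful `change_password`, a login on day 10 returns `'ok'` and one on day 61 returns `'expired'`, and the fourth wrong password locks the account. Two details matter for the decree's rules to hold in practice: the reuse check has to hash the candidate against every stored salt rather than compare hashes directly, and every comparison goes through `hmac.compare_digest` rather than `==`, so that a failed attempt does not leak how much of the digest matched.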
Development and Maintenance of Systems

Information Security must be considered when new information systems are introduced into the organization and when existing ones are updated. Cryptographic mechanisms are implemented to ensure the confidentiality and integrity of highly classified data. Information Security is assimilated at the application level, including validation of input, output and messages, data integrity, and so on. The organization must take Information Security into account whenever a change to a system is considered, and must request the endorsement of the Information Security manager.

Disaster Recovery Planning

It is vital to define a programme for continuing business activity during crisis situations. This includes preventing any disruption to critical business activities in the event of system failure or disaster. An emergency site is established for operating the database, and the time within which it must start operating, measured from the moment the organization is penetrated or damaged in any way, is defined; at that point an emergency situation is declared.

One of the most difficult problems in Information Security arises when responsibility for the storage and maintenance of information is handed to another organization. Management must verify that the outsourcing supplier keeps appropriate Information Security principles so as to protect the information resources of the organization and its customers from leakage, change or deletion. To verify that this obligation is kept, the organization maintains continuous supervision and performs surprise inspections of the supplier's activities. The relationship with the outsourcing supplier is defined in writing and includes the following:

1. Definition of each party's fields of responsibility, including subcontractors.
2. A service level agreement.
3.
Secrecy and Information Security requirements, and provisions for emergency situations.
4. Rules for breaches of the agreement and for resolving conflicts.
5. The supplier's agreement that the organization will conduct supervision on its premises.

The Treasury decree obliges all insurance organizations to maintain an audit trail in order to discover unauthorized activity and identify its source; any failed or irregular attempt to enter the system is monitored and recorded by the event-recording mechanism. This mechanism keeps an audit trail of the following:
• identification of the database's users;
• opening, changing and deleting accounts and customer information;
• changes to, or cancellation of, access authorizations or authorizations to perform activities in the different systems;
• every transaction with financial implications for the organization.
The clock of the monitoring mechanism is synchronized with an exact time source so that events are recorded with accurate timestamps, and log files are secured against deletion, change or unauthorized reading.

The example we have given for insurance companies also covers insurance agents and agencies, in order to prevent unauthorized access to the insurance company's network through their computers. The computers of insurance agents and agencies are not secured in a way that makes it possible to verify that only authorized parties access sensitive information in the agency's information systems. Any workstation that has links to the insurance agency falls into this category, including those in banks, travel agencies or even the post office.

A. Agents are not allowed direct access to information systems in the organization's internal networks (direct access to the LAN), but only through secured gateways located in a neutral area outside the internal network, which initiate the communication with the internal network on the agent's behalf.
B.
Where an agent needs to be connected to an internal information system, the organization defines a secured access method. In that case the access control includes strong identification means, end-to-end encryption of the session, a strict authorization policy, and audit trails for preventing and detecting violations of the rules.
C. Each agent (including clerks) identifies directly to the different information systems of the insurers.
D. The organization defines for each agent the access authorizations to the different systems. These authorizations are cancelled immediately when the agent's engagement ends.
E. Communication with agents is encrypted at both ends.
F. E-mail is used according to the Treasury decrees.
G. No remote-control software may be used on an agent's computer in any way that endangers the insurers' sensitive information.
H. An insurer has no access to the agents' information systems and communication means in a way that would let it reach another insurer's network or information held by the agency.
I. Insurers use new and existing channels of communication with the insurance agents to have the agents secure their computers, so as to prevent damage to the insurers' information systems. This includes installing anti-virus software, measures to reduce the damage from Internet use, and access control.
J. Agents' mail boxes located at the insurance companies are secured so that unauthorized parties cannot access their contents.

The decrees limit Internet use to authorized employees:
• Employees who connect to the internal organizational system that holds highly classified data connect to the Internet through a system that is separated from the main working environment by means of:
1.
A stand-alone computer, from which files may be downloaded over a secured protocol.
2. An Internet link that is secured against unauthorized access from the Internet, malicious programs and inappropriate use.

Even the use of e-mail is limited, to prevent leakage of classified information out of the organization:
1. E-mail sent over a public network such as the Internet does not include highly classified information.
2. Whenever sensitive information is passed by e-mail, cryptographic means are required, including protection of data integrity, a digital signature and personal identification, using commonly accepted means.
3. Such e-mail messages are kept in a secure, recorded form for a period determined in the Information Security policy.

Document scanning systems must be restricted to prevent unauthorized access to scanned documents and their leakage to unauthorized parties:
1. The organization implements access control on the scanning systems to keep out unauthorized bodies.
2. Different authorization types are defined for the different users of the system, according to the employee's classification level, in addition to authorization control.
3. Highly classified information is encrypted.
4. Activity in the system, and unauthorized activity in particular, is monitored.
5. Paperwork intended for scanning is appropriately secured, including during archiving and shredding.

All the Treasury's decrees are intended to prevent the exposure of private information to unauthorized parties and to reduce the ability of unauthorized parties to penetrate the organization's network. The decrees determine behaviour in online services and commerce:
1.
Sensitive information transferred through online commerce or service systems over public communication infrastructure (such as the company's Internet site) or over telephone communication is secured so as to reduce the risk of its exposure.
2. Every such case requires cryptographic means, protection of data integrity, identification and means of preventing repudiation.
3. Every communication session is secured for its entire lifetime. Where needed, the user is identified again during the session, even after the initial identification.
4. The organization implements security mechanisms at all levels of the system, including the application level.
5. No direct external access (through the company's website) is allowed to information systems in the organization's intranet (direct contact with the LAN), but only through a gateway system positioned in the DMZ (demilitarized zone) that initiates the communication with the intranet.
6. Databases that contain sensitive information are not accessible to users from the Internet and are not placed in the DMZ. Access to the databases is enabled only through the organization's computers, which act as secured intermediaries.
7. Authorizations are defined so that each user can perform only the activities he has been authorized to do.

Tehila

Within the framework of the national Information Security policy, the government established, within the Treasury Ministry, an institute that acts on its behalf to carry out its policy on Information Security. Tehila is one of the organizations the government designated for this purpose. Tehila is a Hebrew acronym for "Governmental Infrastructure for the Internet Era". Tehila is the central body that provides government ministries and institutions with highly secure Internet services.
In this way, the dangers associated with connecting these networks to the Internet are significantly reduced. The Tehila project began in 1997 to answer the growing need of government ministries to be connected to the Internet in order to:
• provide services and information;
• make use of Internet resources;
• communicate by e-mail with people both in Israel and worldwide.

The Tehila project aims to address the Information Security risks of exposing the government network by connecting government ministries with appropriate security and control measures.

Mission and Goals

The main mission of the Tehila project is to provide two services:
1. Secure access to Internet services for government users. Users receive a "service package" that meets the specific Information Security requirements.
2. Hosting of government websites that provide information and services to the public, using Information Security mechanisms to protect the data.

The goals of the Tehila project are:
• To provide government users with access to basic Internet services while minimizing the Information Security risk to government office computer systems.
• To make Internet services available to the large number of workers who need them but cannot access them at their desks because of Information Security concerns.
• To build a secure platform on which government applications and data can appear on the Internet.
• To accelerate the entry of government offices into the Internet world by creating an inexpensive and readily available infrastructure for building websites.
• To provide solutions to the problems encountered on entering the Internet world with the goal of distributing information to citizens.
• To save resources for government offices that are required to set up Internet infrastructure, including hardware, software and communication infrastructure.
Tehila Server Farm

Tehila's Server Farm is located in the government complex in Jerusalem. It hosts the websites of government offices and bodies that invest a great deal of effort in exposing information and online services as part of the e-government revolution. A highly trained, world-class staff maintains the Server Farm 24 hours a day, 7 days a week, with maximum security. Entry to the Server Farm is permitted only to authorized personnel and is compartmentalized using advanced protection methods, including retinal scans, smart cards and more. Hosting options vary, from server and/or database hosting on Tehila's hosts to hosting of independent servers in the Server Farm, while taking advantage of the security and maintenance Tehila provides.

The communications centre infrastructure is protected by various means: flood warning equipment, fire detection and extinguishing systems, and air conditioning that maintains optimal temperature. The Server Farm is also protected by a UPS (uninterruptible power supply) that keeps the system available during emergencies. The Server Farm is backed up continually, and the back-ups are stored at an external location.

Information Security - Expertise

Tehila uses a variety of resources to meet its Information Security goals, beginning with a staff of information and communication security experts and continuing with products and technologies from world-leading companies. Security systems at Tehila stopped approximately 250 attacks on communication systems and components of protected government networks in 2002.
• Approximately 45 formal letters of complaint were sent daily.
• 90,000 attempted attacks were seen, 14,000 of them considered of high quality.
• Tehila's automatic testing systems tested approximately 6.7 million objects a day in surfing traffic from government offices, almost 2.5 billion objects over the year.
• Approximately 19,000 of these were tainted with harmful software.
• Tehila's mail servers process an average of 85,000 messages a day, about 30 GB of data. On days of e-mail attacks there may be as many as 550,000 messages.
• Each day approximately 100 virus attacks and other harmful-software attacks are averted. On days of e-mail attacks, up to 80,000 harmful messages are received.

The Standard Institute

The Standard Institute is also active in the Information Security field, and its standards and activities form part of the government's countermeasures policy in this field. Its activities in this field are as follows. The Standard Institute has written 13 Information Security standards, including the Israeli Standard 5408 series for the Common Criteria. The Standard Institute continues its Information Security countermeasure activities in several committees:

1. The Standard Institute established a committee on biometric issues. This forum includes 10 active companies that develop biometric technologies and want to influence the international standards in the different biometric fields. The companies' representatives take part in the ISO committees active in this field. The committee's main objective is to leverage the international standards in the interest of Israeli companies and the Israeli market.
2. The Standard Institute established a committee in the field of cyber security. This forum is still being formed; its goals are similar to those of the biometric committee, but for cyber security issues.
3. The Standard Institute established an expert committee on digital signatures. Its goal is to survey the national standards in the field of digital signatures and to prepare adjustments to them according to the business environment and Israeli law.
Furthermore, this committee will propose new and original regulations and standards in this field wherever it finds no relevant answer in the international standards.
4. The Standard Institute also established a committee in the field of perimeter defense.

The Security Companies

Within the scope of this project we interviewed 50 companies that develop Information Security technologies. These technologies, each at a different stage of development, aim to give users solutions for Information Security countermeasures. Most of the companies we interviewed told us that their technology does not address specific viruses but can prevent any attack. Each technology offers a unique solution to a different need. We found that the variety of options is huge, and that finding the right technology for a user's need is difficult precisely because of that variety. It is therefore necessary to characterize the user's security needs and the type of security required before looking for technologies. The technologies on the market cover a wide spectrum of security possibilities. The following table defines five control-function categories for Information Security technologies:

Access control: Restricts the ability of unknown or unauthorized users to use information, hosts or networks.
System integrity: Ensures that a computer system and its data are not illicitly modified or corrupted by malicious code.
Cryptography: Includes encryption of data during transmission and when stored on a system. Encryption is the process of transforming ordinary data into coded form so that the information is accessible only to those who are authorized to access it.
Audit and monitoring: Helps administrators perform investigations during and after a cyber attack.
Configuration management and assurance: Helps administrators view and change the security settings on their hosts and networks, verify the correctness of security settings, and maintain operations in a secure fashion under conditions of duress.

The following table lists Information Security technologies by the above categories, with the Israeli companies developing each type of technology:

Access control, authentication. Technology: smart tokens. What it does: establishes the identity of users through an integrated-circuit chip in a portable device such as a smart card or a time-synchronized token. Developing companies: Aladdin Knowledge Systems Ltd.
Access control, authentication. Technology: biometrics. What it does: uses human characteristics such as fingerprints, facial features, memory and voice to establish the identity of the user. Developing companies: 1. SentryCom Ltd; 2. Hebrew University.
Access control, access protection. Technology: firewalls. What it does: controls access to and from a network or computer. Developing companies: 1. Check Point Ltd; 2. Gita Technologies Ltd.
Access control, access protection. Technology: authorization rights and privileges. What it does: allows or prevents access to data and systems. Developing companies: 1. Lamda Ltd; 2. Connect and Control.
System integrity. Technology: anti-virus software. What it does: provides protection against malicious computer code such as viruses, worms and Trojan horses. Developing companies: 1. Commtouch Software Ltd; 2. PineApp Ltd.
Cryptography. Technology: digital signatures and certificates; virtual private networks. What it does: uses public key cryptography to give assurance that both the sender and the recipient of a message or transaction are identified, that the data was not changed, and that the integrity and origin of the data are verified. Developing companies: 1. Cyber Ark; 2. AGS Encryptions Ltd; 3. ANC Solutions Ltd; 4. Cipher Active Tech. Ltd; 5. Skybox; 6. Parallel.
Audit and monitoring. Technology: intrusion detection, intrusion prevention. What it does: detects inappropriate or incorrect activity on a network or computer system. Developing companies: 1. Moozatech IT Systems Ltd; 2. Beyond Security; 3. Safend Ltd; 4. Rit Technologies Ltd.
Configuration management and assurance. Technology: network management, scanners, policy enforcement. What it does: allows control and monitoring of networks, including management of faults and security. Developing companies: 1. Applicure Tech Ltd; 2. Cyota Ltd.

The Technologies

Of the companies we interviewed, we selected 15. They are listed below in alphabetical order with a short description of their technology; Appendix 3 gives each company's information on its technology.

1. Aladdin Knowledge Systems Ltd
Provides solutions for software commerce and Internet security with a USB token that gives a strong authentication method and enables a wide variety of security-related solutions in one device. HASP (Hardware Against Software Piracy) is a hardware-based software protection system that prevents unauthorized use of software applications, protecting intellectual property. The HASP key is a small hardware device (sometimes called a dongle) that connects to a computer and protects software applications against piracy by refusing to run them if the key is not present. http://www.aks.com/

2. AppliCure Technologies Ltd
Provides a security solution for business Internet-linked systems, using a technological model to block inappropriate usage, exploitation and cybercrime, both at the web site and within the company's critical, confidential applications and databases. The technology protects the web portal, continues through the internal application servers, and extends to the heart of the company's critical business data and its confidential databases. http://www.applicure.com/

3. AGS Encryptions Ltd
Provides very fast cryptography, giving a multi-level solution for encryption, authentication, digital signatures, storage security devices, digital coins and a bankless transaction platform for e-payment and m-payment. The technology also addresses cellular telephones, which carry a great deal of information, and works over an open data channel. http://www.agsencryptions.com/

4.
Beyond Security Ltd Provides tools that uncover security holes in servers, expose vulnerabilities in the corporate network, check computer systems for the possibility of hostile external attacks and audit vendor products for security holes. It is a hardware appliance that scans the vulnerability in the system, database, network application and web application level even through wireless networks and wireless access points. It has the ability to manage multiple servers from one location which means it can control the servers’ configurations. http://www.beyondsecurity.com/ 73 5. Check Point Software Technologies Ltd Provides security technologies for the Internet both VPN and firewall. Delivers a broad range of solutions in the areas of perimeter, internal and Web security. The technology comes to protect the PCs from hackers, spyware and data theft giving internal security. The Company's Secure Virtual Network (SVN) architecture provides infrastructure that enables secure internet communications. SVN secures business-to-business (B2B) communications between networks, systems, applications and users across the internet, intranets and extranets. Gives an open Platform for Security (OPSEC). This solution addresses the wide range of entities from small business, medium and up to enterprise level provides the framework for integration and interoperability. http://www.checkpoint.com/ 6. Cipher Active Technology Provides security encryption/decryption software code, designed for video, audio and data broadband applications on existing hardware platforms. Hardware-independent, for store and forward nets, multiple destination points, video bit stream Encryption Management system including generation of ID, ID distribution, control authentication and protection. The Encryption Algorithm is made of: (a) Two factor key numbers of magnitude of at least 96 bit. (b) Mathematically irreversible, untraceable logical combination of the output from two 96 bit linear shift register. 
Process includes: (a) creating, exchanging authenticating encrypting a random ID seed key for communicating between encryption units. (b) Transmitting the encrypted data stream and seed key across to the recipient encryption unit. The encryption system's integrity maintenance is based on periodic, random and automatic cryptographic key change of once every frame header or once every transmission. http://www.cipheractive.com/ 7. Commtouch Software Ltd Provides proprietary anti-spam solutions. A vendor of email software applications and provider of global messaging services. Their detection center analyzes a large amount of e-mail traffic over the Internet. It detects massive e-mail outbreaks within minutes of their spread into the Internet. Gives protection from new viruses and gives real-time blocking of spam in any language, content or form. http://www.commtouch.com/ 8. Cyber-Ark Software Ltd Provides the computer user, means to secure information without the need for security expertise. Develop a secure wide Area Network (WAN) over the Internet. It enables enterprises to share information directly over the Internet as if they have deployed a shared WAN, without actually doing so. Various modules enable enterprise users to leverage existing mail, file, and FTP servers securely without any changes in the way they work. Network Vault is a secure repository that provides a safe haven, highly secured regardless of 74 overall network security, to protect critical documents and administrative passwords. Based on multiple unified layers of security which serves to protect the single data access channel to the data-storage, the Network Vault protects information at rest as well as while in transit to end users inside the enterprise. It also provides auditing and access control capabilities. http://www.cyber-ark.com/ 9. Cyota Provides of anti-fraud and security solutions for financial institutions. 
Cyota services multiple clients worldwide with anti-fraud and security systems. Processes each online banking activity in real time, compares its characteristics against the accountholder’s previous profile. The technology can show online transactions and activities both in using transactional data and can interact in real-time with the user’s device/browser in order to obtain more data. Shows profiles of users using their device fingerprints; internet profile and transaction profile, and also detects fraudster patterns even if it’s hidden identity. As a result, the technology recognizes deviations and differences from the automatically generated statistical profiles, creates a fraud pattern entry and adds it to the fraud patterns database. It processes each activity, and records its specific parameters. These are compared against the fraud patterns in the database, and a risk score is then calculated for this specific activity. http://www.cyota.com/ 10. Gita Technologies Ltd- Waterfall one way connection Provides the Waterfall system which implements a physical, one way connection based on fiber-optic communication, which creates a separation between networks, while creating a secure one way data channel. By allowing the data transfer to go through the one way link, the need for protection over online connectivity is reduced, therefore it gives the security for transferring data in or out of the organization as the connection is only one-way. http://www.waterfall.co.il/ 11. Parallel Communications Ltd Provides secured communications software solutions for all locations such as headquarters, to the office, to employees on the roads consisting of High quality voice calls, Video calls, Multi-party calls, Chat, Presence, SMS, MMS, Desktop collaboration and Call center features. http://www.parallel-communications.com/ 12. 
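As an added illustration of the profile-and-pattern risk scoring described for Cyota (item 9 above), and not Cyota's own code: each activity is compared with the account holder's statistical profile and with a shared database of confirmed fraud patterns, and a risk score with reasons is produced. The profile fields, weights, alert threshold and sample activities are assumptions constructed for the example.

```python
from dataclasses import dataclass, field
from statistics import mean, pstdev


@dataclass
class AccountProfile:
    """Statistical profile built from an account holder's past sessions (assumed fields)."""
    known_devices: set = field(default_factory=set)    # device fingerprints seen before
    usual_countries: set = field(default_factory=set)  # countries of past logins
    past_amounts: list = field(default_factory=list)   # past transfer amounts
    usual_payees: set = field(default_factory=set)     # payees paid before


@dataclass(frozen=True)
class Activity:
    """One online banking action as seen by the bank's web tier."""
    device_fp: str
    country: str
    amount: float
    payee: str


# Illustrative weights; a real deployment tunes them on labelled history.
WEIGHTS = {"unknown_device": 30, "unusual_country": 25, "amount_outlier": 20,
           "new_payee": 10, "known_fraud_pattern": 40}
ALERT_THRESHOLD = 50

# Fraud pattern database shared across all accounts: payees that received
# confirmed-fraud transfers. Populated by record_confirmed_fraud().
FRAUD_PATTERNS = set()


def amount_is_outlier(amount, history):
    """True when the amount is far above what this account normally transfers."""
    if len(history) < 3:
        return False  # too little history to judge
    mu, sigma = mean(history), pstdev(history)
    if sigma == 0:
        return amount > 2 * mu  # flat history: flag anything double the norm
    return (amount - mu) / sigma > 3  # z-score beyond three standard deviations


def score_activity(act, profile):
    """Compare one activity with the profile and the fraud pattern database.

    Returns (risk score capped at 100, list of reasons that contributed).
    """
    checks = [
        ("unknown_device", act.device_fp not in profile.known_devices),
        ("unusual_country", act.country not in profile.usual_countries),
        ("amount_outlier", amount_is_outlier(act.amount, profile.past_amounts)),
        ("new_payee", act.payee not in profile.usual_payees),
        ("known_fraud_pattern", act.payee in FRAUD_PATTERNS),
    ]
    reasons = [name for name, hit in checks if hit]
    return min(sum(WEIGHTS[r] for r in reasons), 100), reasons


def record_confirmed_fraud(act):
    """Add the activity's signature (here: the payee) to the fraud pattern database."""
    FRAUD_PATTERNS.add(act.payee)


def accept_activity(act, profile):
    """Fold a legitimate activity into the account holder's profile."""
    profile.known_devices.add(act.device_fp)
    profile.usual_countries.add(act.country)
    profile.past_amounts.append(act.amount)
    profile.usual_payees.add(act.payee)


def demo():
    """Constructed walk-through; returns the three scores in order."""
    profile = AccountProfile({"fp-aaa"}, {"IL"}, [200, 250, 300, 220], {"electric-co"})
    routine = Activity("fp-aaa", "IL", 240, "electric-co")
    suspicious = Activity("fp-zzz", "RO", 9000, "mule-acct")
    s1, _ = score_activity(routine, profile)          # routine payment: 0
    accept_activity(routine, profile)
    s2, _ = score_activity(suspicious, profile)       # new device, country, amount, payee: 85
    if s2 >= ALERT_THRESHOLD:
        record_confirmed_fraud(suspicious)            # after an analyst confirms the case
    # The same payee is now flagged even from a trusted device in a usual country.
    s3, _ = score_activity(Activity("fp-aaa", "IL", 240, "mule-acct"), profile)
    return s1, s2, s3


if __name__ == "__main__":
    print(demo())  # (0, 85, 50)
```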
12. PineApp
Provides a technology to secure networks and e-mail systems that includes a full range of gateway security components: anti-spam, anti-virus, worm protection, fraud protection, anti-relay, hacker protection, backscatter prevention, DoS (denial of service) protection, zombie prevention, mail bombing protection, spyware protection, URL filtering and content filtering, all with advanced policy management tools.
http://www.pineapp.com/

13. Rit Technologies
Provides a physical layer network management system that gives full connectivity information in real time and allows the network administrator to direct all connectivity changes in the network from a central management console. It gives enterprises and carriers the possibility to control physical network infrastructures for maximum utilization and enhanced uptime, physical safeguarding of data and property, simplified deployment and asset tracking, pinpointing and troubleshooting of failures, and service qualification and verification.
http://www.rittech.com/

14. Safend Ltd
Provides endpoint security solutions that shield desktops, laptops and mobile devices in the organization by protecting their wired and wireless communication ports and their connections to external devices and networks, such as disk-on-keys, PDAs, smart phones, modems and wireless modems. It provides enterprises with endpoint security in the areas of data leakage prevention and penetration prevention through the physical and wireless ports of their servers, desktops and laptops.
http://www.safend.com/

15. SentryCom Ltd
Provides biometric voice authentication solutions that verify a person's claimed identity. Its Voice Authentication Engine (VAE) technology is designed to increase and enhance security while improving end users' privacy and confidence.
www.sentry-com.co.il

The User's Countermeasures

The industrial sector in Israel seems to be aware of the probability of different malicious computer attacks, but there is still no single program or trend that everyone uses to prevent them. This is due to the large variety of technologies and possibilities on the market. It has been found that in many cases in the industry, companies employ a computer expert, either on a permanent or on an as-needed basis. In the latter case, a company hires the expert's services to advise and help the company decide which technology to use for the specific office and how much Information Security is needed for the business.

The known anti-virus programs and firewalls are installed in most organizations and offices and on user terminals. In most cases that are not regarded as producing or handling sensitive information, re-evaluations to add or change the Information Security in the office are mostly done only after the office has been attacked or damaged by malicious programs. Only once such an attack has occurred will the office look for a new technology to prevent the next attack or penetration.

In offices where the information handled is privileged or confidential, the organization prepares itself differently. In this case too, each organization or office decides for itself the type of protection needed. The office managers or computer specialists characterize the information that needs to be protected and decide on the level of security and the suitable technology. Since there is no single trend or regulation that private industry uses to decide how to protect itself from malicious attacks or penetration of its computer systems, each organization has its own policy and means of protection.

We interviewed some companies from the different segments of private users to find out the countermeasures taken against malicious attacks.
In addition to the users that protect their computer systems with the basic anti-virus and firewall programs, we would like to show examples of companies that protect their computer systems in the following manner:

1. Private companies that deal with very privileged information, like patent lawyers: this segment possesses PKI technologies and only forwards information to its customers in encrypted form. The clients hold the same technology and decrypt it on their end. This requirement usually comes from the customers. In the office, the network is secured with anti-virus software, firewalls, and a program that encrypts the remote entry to the computer for use by office employees, as many of the lawyers work from home or away from the office. The office expense for information security is about $5,000. This expense remains constant until a problem arises or a new computer system is needed, at which point the issue of information security is raised again.

2. A high-tech company that develops technology for high speed Internet and voice solutions is more worried about its intellectual property than about other security attacks. Therefore, the company maintains two separate systems that are not open to the public and are located on separate domains. The company also keeps offsite tapes that record and back up the information once a day. This information is kept in a secured office outside the company's offices: at the end of each working day a guard comes to collect the tapes and store them in the storage rooms. This company invests approximately 50,000 NIS a year (about $11,500) in Information Security.

3. An insurance agency differentiates between the office's information and the clients' information. Some of the clients' information is forwarded to the insurance company through internal computers and systems that are disconnected from the main network, and only authorized users can connect to this system. The users that are authorized to use the insurance company's internal networks are required to use a password and other authentication means. The company's network is departmentalized. Furthermore, a full backup is made daily and stored in fireproof safes.

4. A leading bank has a center for Information Security at the main branch. The bank has two computer systems that are not connected. One system is connected to the Internet and lets the bank's clients into their bank accounts. This system is departmentalized, and the connection to the Internet is limited to certain sites. Only certain employees are connected to the Internet and to e-mail; they forward to the computer supervisors a list of people from whom they expect e-mails, and only these people are accepted into the system. All other e-mails are stopped on the way into the system. The second system is the intranet that connects all the bank employees.

5. A large telephone service provider restricts e-mails containing attachments. On top of this, the security system scans every e-mail coming into and going out of the organization, looking for words that have been defined in advance as having the potential to allow unwanted information to leak out of the system.

A Survey on User's Countermeasures

The following details a survey that was done in Israel to show the countermeasures that advertising companies took after the Trojan horse affair. A survey held by 'The A.C. Marketing Information & Research Institute' surveyed the trend for Information Security among the large advertising companies in Israel following the Trojan horse affair that occurred in the summer of 2005. The survey questioned 200 chief executive officers and deputy director-generals. The managers were asked:
A. If they had changed their organization's Information Security rules.
B. If they plan to change the office rules with respect to transferring sensitive information through their computer systems.
C. If they plan to enlarge the budget allocated for Information Security.
D. If they are concerned about the security of their information.

The survey came up with the following results for the above questions:
A. 42% plan to change their office regulations for Information Security.
B. 18% have instructed their employees not to transfer sensitive information through the computers.
C. 12% plan to enlarge the budget for Information Security.
D. 28% were not disturbed by the Trojan horse affair.

The Different Threats That Are Known in the Israeli Market

Computer viruses are software programs deliberately designed to interfere with computer operation by recording, corrupting or deleting data, or by spreading themselves to other computers and throughout the Internet. This threat applies to any country, including Israel. We present here a short review of viruses and other malicious programs, especially those that are known in Israel.

There is no uniform standard for virus names; each virus can be called by several names. Some viruses or other harmful agents are defined by the format of their file and type of contagion, in order to differentiate between the different viruses. Professionals use the general name "malicious program" for all types of viruses and worm programs. In addition to viruses there are worm programs, which in their spreading process consume the bandwidth of the infected system until it becomes completely nonfunctional.

A Trojan horse is another malicious program, disguised as legitimate software. Trojan horse programs cannot replicate themselves, in contrast to some other types of malware like viruses or worms. A Trojan horse can be deliberately attached to otherwise useful software by a hacker, or it can be spread by tricking users into believing that it is a useful program. Thus it is considered a computer program and not a virus. Once the Trojan horse has penetrated the computer it can be used to spy on every detail of one's PC, which means that the hacker may learn about the general behavior of a user on his PC and may gain total control of the PC, including the mouse and keyboard.

The Trojan horse

The Trojan horse mostly attacks end users' personal computers at home or in the organization, without the knowledge of the owner. In most cases the program includes malicious code that enables the developer of the Trojan horse to control the computer from an external computer. He is thereby able to observe typed material, steal passwords, and sometimes even gain complete control of the computer through the organizational network or the Internet. Some of these programs gather information stored in the personal computer or server and send it to external parties. For example, a Trojan horse program may send entire Word documents stored on the infected computers, through a mail program, to a certain addressee defined beforehand by the developer of the malicious code. Thus the hacker can see what happens in the computer, take sensitive information out of it and distribute it to any desired place. In worse cases, the program may attack other computers and make it look as if the attack comes from the penetrated computer.

How does a Trojan horse infect?

It is possible to be infected in different ways. For example, an innocent-looking e-mail arrives with a video or animation file; an infected file can be included as an attachment, and opening the file allows the malicious code to infect the computer. Infection can also happen through downloading infected programs from the Internet or when visiting different websites. Another way a computer can become infected is through file sharing, or by running programs that provide file sharing capabilities for downloading movies and music from the Internet. These may have vulnerabilities similar to those described above.
These programs and services may open a network port, giving attackers the means to interact with these programs from anywhere on the Internet. Vulnerabilities allowing unauthorized remote entry are regularly found in such programs. Another route of infection is receiving a link to a known Internet website which looks like the real site but is actually a counterfeit whose purpose is to infect the PC.

The main problem with Trojan horses is that they operate behind the enemy lines. Trojan horses bypass most of the conventional mechanisms for Information Security, such as firewalls and anti-virus software, and enter the organization. A Trojan horse can enter a computer through means other than the Internet or e-mail: an infected program could be inserted by a person from inside the organization, such as the janitor, who can insert a disk-on-key or similar device carrying malicious code. Once the computer starts, the Trojan horse is loaded. The main threat is that the Trojan horse can penetrate directly into the organization, by mistake or maliciously.

The Trojan horse works very differently from viruses. Viruses are distributed to as many computers as possible to cause damage. After the virus reaches a user it is possible to identify its signature and pass it to the anti-virus programs, so that when the virus arrives at other computers it can be stopped because it is identifiable. The Trojan horse, on the other hand, isn't intended for large distribution. It is intended for a specific organization, in order to gather certain information; therefore a totally new code is written for it, and there is no possible way to identify it beforehand.

In May 2005, the largest business espionage scandal ever erupted in Israel, based on the operation of a Trojan horse program. A large number of leading companies in Israel are suspected of inserting a malware program into the computers of their competitors. Among the suspected people are producers of computer programs, ten of the most senior private investigators in Israel, and a list of leading commercial companies in the market. All these compose an unusually large industrial espionage case, exposed in an investigation managed by the Police Fraud Division over the course of six months. Some of the leading commercial companies were connected to this case, either as suspected perpetrators of the espionage program or as victims.

Apparently, the Trojan horse was used by private investigation offices for the purpose of industrial espionage. The program enabled the investigators to gather information, including documents and photographs, that was passed over to leading companies in the market, helping them in their commercial fight against their competitors. For example, a private investigation office hired to investigate a company sent it a disk or e-mail which appeared to have been sent from a well-known company. Once the computer was started, the Trojan horse attacked. The victim was unaware of this intrusion into his PC. From that moment, the investigation office could observe any information that passed through the infected computer, extract documents, and even make changes within the computer. Some Trojan horses can even provide expected results while quietly damaging the system or other networked computers at the same time. In other words, the information that someone outside can obtain through a Trojan horse can be almost anything, from observing your general behavior to almost complete control of your computer.

According to the police, the computerized espionage continued for at least a year and a half, but they admit that it isn't possible to evaluate the damage caused to the companies infected by the virus. The assumption is that the damage was high. The investigation began at the end of 2004 following a complaint submitted to the Police Department. The investigation of the Trojan horse espionage revealed the theft of huge amounts of documentation from the companies involved. According to the Fraud Division, the investigation has only just begun; this may well prove to be one of the biggest commercial espionage cases ever known.

This case caused Israeli managers to consider the Trojan horse problem every time they open their computer, assuming that each file and article on the personal computer at home or in the organization can reach competitors or others. Key logging is one of the classic methods of the Trojan horse. Specialists agree that it is one of the most serious and painful problems of large organizations, exposing them to the loss of sensitive information or even to industrial espionage. We found some companies that developed new software that can detect the Trojan horse; more information is detailed in this paper in the section on Information Security technologies developed in Israel.

The Trojan horse has been known as a malicious program for quite a long time. Like other such programs, it is able to change its form. In 2002, a Trojan horse was found that used Microsoft's Internet Explorer. The FYLE-BNC Trojan horse uses six different problems in Explorer whose combination enables the attacker to control the personal computer remotely. The Trojan horse searches for openings in order to create "backdoors" to the attacked computer. This "back door" enables any user on the Internet to read sensitive files (such as electronic mail, credit card details, etc.), to delete files, or to take full control of the computer remotely.

Internet Explorer is most often targeted by makers of Trojan horses and other malware because it contains numerous bugs, some of which improperly handle data (such as HTML or images) by executing it as a legitimate program. Attackers who find such vulnerabilities can then specially craft a bit of malformed data so that it contains a valid program to do their bidding. The more "features" a web browser has (for example Java, Flash and ActiveX objects), the higher the risk of security holes that can be exploited by a Trojan horse. It is also possible that other Trojan horses use these openings. Microsoft distributed a patch and updates for its own security malfunctions in this case, but because many users don't download the Microsoft security patch, the infection may pass to hundreds of thousands of computers via worms that use the security openings in Microsoft programs.

As a result of the Trojan horse intrusion and the anxiety it caused, the Israeli Treasury Ministry developed a special program called Tehila, which has been detailed above. This program looks only for one type of Trojan horse. It doesn't clean or remove the Trojan horse from the computer; it only looks for signs of its existence, and a specialist must then work to solve the problem. If the computer is suspected of being infected, the recommendation is not to try to remove the Trojan horse alone, because this act may destroy important evidence.

The Ministry of Justice reacted and decided to establish a new legal department for computer law that will act in cases of Information Security and privacy. The department will formulate appropriate legal measures to use against the new threats in the field of computers (for example, the Trojan horse case and the industrial espionage mentioned before). The new legal department was scheduled to begin its activities during 2005.
The Ministry of Justice considers that the unification of different functions (such as the registrar of databases, the registrar of certifying authorities, and the registrar of credit data services and information services for businesses) under one professional department headed by a professional will facilitate the harmonious and effective operation of these units. The establishment of a separate department will aid the enforcement of computer and information laws. The Ministry of Justice has indicated that this department will provide legal backup to police investigative divisions and to the prosecution in such cases. International law developing the legislation of computer law demands the establishment of a special legal department to help international investigations of computer and information crimes. The new department is supposed to, among other things, operate in support of the mechanism for enforcing the law on information and computer crimes, initiate appropriate legislation regarding the development of the information and technology infrastructure, and operate a unit that will provide international aid according to the computer crime treaty. In addition, the new department is intended to accompany the legal regulation of information technologies and to help the different governmental offices in their communication with information systems.

As the Trojan horse story quieted, a new worry arose regarding industrial espionage. The laptops of several senior advertising executives were stolen from the offices of one of the big advertising agencies. This crime demonstrated the great damage that can be caused by such thefts, as the computers contained the future marketing strategies of the office's customers, most of which are among the leading Israeli marketing companies. The desire to penetrate the big advertising offices has strengthened because of the long-term marketing activities that most companies work by. The advertising companies prepare campaigns that design new brands to be marketed in the future. These campaigns include sensitive information about customers as well as future strategies, some of which extend for years into the future. The advertising offices sometimes do their own research on their customers and then compare the data they gather to that supplied by the customer. Such data, if stored on the advertising agency's computers, may be vulnerable to penetration and is therefore potentially available to the customer's competitors.

It is interesting that, in the opinion of the Israeli police department, the value of the information gained through industrial espionage in Israel is estimated to reach hundreds of millions of dollars. "There is no doubt that the high-tech world raised the standard regarding the financial value of the requested information, especially regarding the willingness to invest higher resources in order to gain it."

What can be done when it is discovered that computer systems or units were exposed to espionage activities? The first step is to determine who is involved, directly or indirectly, in the espionage activity. The next step is to prosecute the perpetrator under the appropriate criminal law. The criminal law (Penal Code, 1977) allows for the conviction not only of the perpetrator of a crime but also of anyone else who attempted, persuaded or aided in the commission of the crime, unless otherwise decreed by law. Under civil law, it is possible to receive compensation even from those who are only indirectly responsible for the crime.

The Computer Law of 1995 establishes a sentence of three years' imprisonment if it is found that (a) any individual or organization involved in the espionage damaged the victim's computer's regular activity or disrupted its use; (b) penetrated, deleted, changed, disrupted or caused other damage to the program or computerized data; or (c) the spyware can cause future damage to the computer or disrupt its activities. The imprisonment period grows to five years if it is found that the activity of the spyware created information that may mislead its users, or that its purpose is to cause damage to the computer or disrupt its activities. The Privacy Protection Law (1981) and the Eavesdropping Law (1979) punish those involved in espionage activities with a possible maximum sentence of 5 years' imprisonment. Anyone convicted of any or all of the following activities may receive a sentence of 3 to 5 years' imprisonment according to the laws of copyright protection: interfering with or duplicating confidential information; using illegally obtained information; breach of confidence; eavesdropping on, recording or copying information gained by means of illicit communication between computers, including the installation of spyware; or making use of any such illegally obtained information, including revealing it to others.

In the framework of the civil process for obtaining compensation, it is possible to make use of the provisions of the following laws:
A) The Computer Law, which defines as a civil wrong for which damages must be paid any unauthorized interruption, use, theft, deletion, change or disruption of a computer, a program or computerized data;
B) The Commercial Wrongs Law (1999), as it refers to the theft of commercial secrets;
C) The Copyright Ordinance and the Producers' Rights Law (1991), regarding the breach of copyright;
D) The Privacy Protection Law, regarding a large number of wrongs, some of which were detailed above.

Statistics of Viruses and Trojan Horses

Companies avoid giving data about penetration attempts by viruses and Trojan horses, mostly because of their desire to prevent those who try to infiltrate computers with malware from knowing that they have succeeded. Despite that, the Treasury office, which is responsible for all governmental offices' Internet websites through the Tehila Project, is greatly concerned about Trojan horses. The Tehila website reports about 1,000-1,500 daily penetration attempts against government websites by means of viruses and Trojan horses. Among other things, the Treasury chose a policy of blocking the FTP communication protocol, the same protocol through which Trojan horses were able to penetrate. This means that even if a Trojan horse were installed on any of the government computers, it would not be able to send out the relevant materials.

In order to reduce the possibility of infiltration into governmental offices, the following is restricted: downloading programs to personal computers at all Internet stations of governmental offices; browsing banking websites (because the secured communication of the banks themselves cannot be supervised by the governmental Information Security staff); and installing messenger programs. Using commercial electronic sites is limited, and using programs for downloading music is forbidden.

In addition, a filter installed in governmental offices filters the documents sent by e-mail. Only documents in Office format, without programming code, can enter the organizational network. It is impossible to send programs or program code out through e-mail. In some governmental offices there is supervision of the employees' e-mails in order to verify that sensitive material doesn't flow out. The e-mail supervision policy is determined separately by the Information Security officer of each office. In addition, in some of the offices there are programs that continually scan the computer systems in order to examine whether any spyware or Trojan horses have been installed on the computers through CD or disk-on-key. Still, the government officer is aware that no solution is infallible. The Treasury Ministry reported, in a special discussion of the Parliament's Economy Committee, that its office performed a pilot test of new software developed by the Trustware Company to stop Trojan horses.

In addition, Tehila's servers store the information that is given to the public by the governmental offices' websites. That information is a duplicate and does not come from the original data systems of the offices, which are totally blocked from Internet access. Thus, if a hacker penetrates the systems, he will be able to discover certain sensitive information but not to destroy the office's data center. Additionally, he will be unable to access any sensitive and classified information that was not supplied to civilians through the Internet.

Those who follow the field of Information Security are aware that every year the number of reports on penetration cases in organizations increases tenfold.
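As an added illustration (not code from any of the organizations described), the following Python gateway filter combines three countermeasures described on this page: the bank's list of pre-declared senders (item 4 in the users' countermeasures), the telephone provider's scan for predefined sensitive words in both directions (item 5), and the government rule that only Office documents without program code may enter by e-mail and no programs may leave. Attachment type is judged from content rather than the claimed file name; the addresses, terms, sample documents and the VBA marker heuristic for legacy Office containers are assumptions.

```python
import io
import re
import zipfile
from dataclasses import dataclass, field

OLE2_MAGIC = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"  # legacy .doc/.xls/.ppt container
ZIP_MAGIC = b"PK\x03\x04"                         # .docx/.xlsx/.pptx are zip archives
MZ_MAGIC = b"MZ"                                  # Windows executable header
SCRIPT_EXT = (".exe", ".com", ".bat", ".cmd", ".vbs", ".js", ".scr", ".pif", ".ps1")


@dataclass
class Policy:
    expected_senders: dict          # recipient -> set of senders the employee pre-declared
    sensitive_terms: set            # lower-case words that must not leak out
    office_only_inbound: bool = True


@dataclass
class Message:
    sender: str
    recipient: str
    direction: str                  # "inbound" or "outbound"
    body: str
    attachments: list = field(default_factory=list)   # list of (filename, bytes)


def classify_attachment(name, data):
    """Classify by content (magic bytes), so a renamed file cannot fool the gateway."""
    if data.startswith(MZ_MAGIC) or name.lower().endswith(SCRIPT_EXT):
        return "executable"
    if data.startswith(OLE2_MAGIC):
        # Heuristic (assumption): the VBA storage leaves this name in the container.
        return "office_macro" if b"_VBA_PROJECT" in data else "office"
    if data.startswith(ZIP_MAGIC):
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                names = zf.namelist()
        except zipfile.BadZipFile:
            return "unknown"
        if not any(n.startswith(("word/", "xl/", "ppt/")) for n in names):
            return "archive"
        return "office_macro" if any(n.endswith("vbaProject.bin") for n in names) else "office"
    return "other"


def evaluate(msg, policy):
    """Return (allowed, reasons). Any reason blocks the message."""
    reasons = []
    if msg.direction == "inbound":
        if msg.sender.lower() not in policy.expected_senders.get(msg.recipient, set()):
            reasons.append("sender not pre-declared by " + msg.recipient)
    text = msg.body.lower()
    for name, data in msg.attachments:
        kind = classify_attachment(name, data)
        if kind in ("executable", "office_macro"):
            reasons.append(name + ": " + kind + " not allowed")   # code in neither direction
        elif policy.office_only_inbound and msg.direction == "inbound" and kind != "office":
            reasons.append(name + ": only Office documents accepted inbound")
        if kind == "other":  # plain text attachments are scanned like the body
            text += " " + data.decode("utf-8", "ignore").lower()
    hits = sorted(t for t in policy.sensitive_terms
                  if re.search(r"\b" + re.escape(t) + r"\b", text))
    if hits:
        reasons.append("sensitive terms: " + ", ".join(hits))
    return (not reasons), reasons


def build_docx(with_macro):
    """Construct a minimal OOXML-shaped zip in memory (sample data, not a real Word file)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            zf.writestr("word/vbaProject.bin", b"\x00" * 16)
    return buf.getvalue()


def demo():
    """Run three constructed messages through the filter; returns their verdicts."""
    policy = Policy({"clerk@bank.example": {"partner@example.com"}},
                    {"codename falcon", "customer list"})
    msgs = [
        Message("partner@example.com", "clerk@bank.example", "inbound",
                "Please see the attached quarterly report",
                [("report.docx", build_docx(False))]),
        # Macro document renamed to .doc from a sender nobody declared
        Message("unknown@example.net", "clerk@bank.example", "inbound",
                "Your invoice is attached", [("invoice.doc", build_docx(True))]),
        # Outbound leak attempt: sensitive term in body plus an executable named .txt
        Message("analyst@telco.example", "friend@example.org", "outbound",
                "Attaching the codename Falcon launch plan for you",
                [("tool.txt", b"MZ\x90\x00\x03")]),
    ]
    return [evaluate(m, policy) for m in msgs]


if __name__ == "__main__":
    for allowed, why in demo():
        print("ALLOW" if allowed else "BLOCK", why)
```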
These reports are only the tip of the iceberg, because we must remember that the published material takes only the reported cases into account, while many organizations do not report penetration of their systems, in order not to draw the attention of criminal elements to the vulnerability of their systems.

The Budget

The Government and Its Offices:

The Council was nominated by the government in September 2005 to determine rules for the governmental bodies on the subject of Information Security. Those rules, in accordance with the government's policy, instruct all of the government offices to allocate a separate budget for Information Security based on the importance of the issue in each office. The Council set a basic rule that at least 5% of the total Information Technology (IT) budget of each office will be allocated to Information Security. This provision ensures funds to cover the minimum expense for Information Security: each ministry will allocate as much budget as it needs, but must allocate a minimum of 5% a year. For example, the Prime Minister's office, the Ministry of Defense and the Ministry for Foreign Affairs will allocate a larger part of their budget to Information Security than the other offices.

The Council also decided to establish a steering committee in each office to manage all of its Information Security. Among the duties of each steering committee will be budgeting for the office's Information Security needs. The budget for Information Security does not comprise a special section of the budget; rather, it is included under the total IT budget of each office. For example, the Ministry of Justice's budget for IT is about $5,000,000 a year.

The Users

In talking with different users, we learned that the users' budget is more complicated to define, as in each sector each company allocates the budget differently.
For example, the banks in Israel allocate the largest budget, followed by the hospitals and medical service providers. Specific details about different users are given in the "Users countermeasures" section, page number 72. Users, including the government, allocate a main budget for Information Security technologies once; in the following years the Information Security budget is intended only to cover the expenses of maintaining and updating the technology, which means a much lower budget per year.

Common Criteria Recognition Arrangement

The following document contains information on the current status of Information Security evaluation in Israel and the certification scheme used by:
1. The government
2. The security companies
3. The enterprises

The State of Israel joined the Common Criteria Recognition Arrangement (CCRA) on November 8, 2000. Israel was the 14th nation to join the CCRA. According to the rules of the CCRA, after joining, the member nations are required to elect a body in their country that will monitor Information Security products and create general recognition of the Common Criteria standard among the government offices, official institutes and the Information Security industry. Furthermore, the country is required to establish laboratories that are able to inspect the products.

Israel entered the Arrangement as a certificate consuming participant (CCP), which means it accepts the security testing results produced by other participants. Israel intends to apply for Certificate Producer status, to maintain a complete certification or validation authority for security evaluations, and to authorize the use of Common Criteria (CC) certificates when its own Common Criteria Testing Program becomes operational. The testing program is currently being set up by the Software Testing Center of the Standards Institution.
The pages that follow detail the status of Information Security evaluation and the certification scheme in each of the specified areas.

1. The Government:

The Ministry of Industry and Trade in Israel was selected by the Government to represent Israel in the CCRA. The Ministry of Industry and Trade exclusively mandated the Standard Institute, which is one of its institutes, to carry out the CCRA task. This decision was made for the following reasons:

a. The Standard Institute has an independent software testing laboratory which provides high-level technology testing services in a laboratory environment to companies that manufacture hi-tech products such as software, or technology-based hardware (such as smart cards, firewalls, VPNs, etc.). The Software Testing Center (STC), with some adjustments, will be able to evaluate products according to CC standards when Israel changes its status in the CCRA to Certificate Producer. The Government authorities instructed the Standard Institute to prepare the STC to evaluate products according to CC criteria.

b. The Standard Institute is the only institute that deals with Israeli and international standards, and it has the ability to promote the Common Criteria and convince the Information Security industry to take the necessary steps to meet the CC requirements. According to the Standard Institute, it is organizing seminars and helping companies that have an interest in this subject. It also does limited promotion among the security companies of the importance of the CC.

By joining the CCRA, the government of Israel declared its desire to adopt the CC system, and to impose it by law or to use it when necessary. The Electronic Signature regulations from 2001 determine that:

(a) The component of the system that is used to identify the applicant will also issue and cancel electronic identification.
The component must meet the security standards determined by the Common Criteria at EAL4, or by any other accepted standard that guarantees an equivalent level of security, according to the determination of the Registrar; and
(b) The means of communication that are used for the essential activities of the certification authority will meet a high security standard deemed satisfactory by the Registrar.

The same regulation also adds that: to operate or access the digital signature, it is required to use physical or specially encrypted means that meet the security standards of FIPS 140-2 level 1, or at least the security level of CC EAL2. The certification authority requires all bodies that use electronic signatures (such as banks, law firms and individuals) to use CC certified products.

Due to very high sensitivity and high security needs, the Israeli government has established special R&D centers in Israel to develop technologies for securing its information according to CC standards. In fact, there are three different R&D centers in Israel which develop this kind of technology according to CC standards.

2. The Security Companies

Some Israeli companies develop their products according to CC requirements. These companies sell their products to the Israeli government, to foreign governments, and to companies which are required to use CC certified products according to the Electronic Signature regulations of 2001. Since there are no certified CCRA laboratories in Israel, these companies employ an expert who applies for CC certification in the country where the products will be sold and follows the process of obtaining it. The companies that produce their products according to CC are a minority among the Israeli security companies.
But it seems that the adoption of the CC requirements is growing and slowly penetrating the awareness of the Information Security companies, so the demand for CC evaluation will constantly increase.

Interviewing the companies that develop Information Security products and export them to most developed countries, like the USA, Japan and some European countries, we found that there is limited demand for CC certified products. We also found that some of the Israeli security companies are not aware of the CC and would like to learn more about it. We assume that the reason for this is the lack of demand for CC certified products on the part of the consumer. This subject will not take root in Israel, nor perhaps in other countries, as long as the CC is not part of the demand of the commercial sector, which is the main consumer of this type of product.

Another reason that Israeli companies avoid the CC is the cost involved in the process of obtaining the CC certificate. According to the information we received, the cost of obtaining a CC certificate is quite high. Today in Israel, Information Security developers make the effort of obtaining a CC certificate only when a government or other enterprise that buys security products demands a certified evaluation. In general, companies prefer not to be bound by any standard if there is no demand for it; therefore, the producing side will not make the change unless required.

According to a source in the Information Security industry, due to the lack of CC evaluating laboratories in Israel and the need to use laboratories in foreign countries in order to evaluate the products, the companies sometimes purchase CC certified components or configurations from other companies that certify their products at CC laboratories, and assimilate them into their own products in order to give the CC level of assurance.

3. The Enterprises

The enterprises, or users of the technology (hereinafter the users), are the third side of the CC triangle. According to our survey, apart from the users that purchase electronic signature devices and smart cards, a large number of the users of Information Security products are not aware of the CC. Users who purchase Information Security technology for resale to governmental authorities, and to other customers who demand a CC certificate, require a CC certificate for themselves; in those cases, the CC certificate must be of the level required by the ultimate purchaser.

The segment of Information Security users who are not aware of the CC evaluations rely on other standards, like ISO/IEC 9594-8, also called X.509 v3, issued by the IETF, or the Israeli standard 1953, or use experts to check the quality of the product for them. Sometimes they will investigate different technologies in order to find the most efficient product.

Another reason that users will not choose a certified product unless forced by law and regulation is the cost element. The technologies that are CC certified are usually more expensive, due to the cost of the CC evaluation; therefore, the demand from the users for those products is limited. Some of the users prefer having the freedom to choose the technology they want, and to be guided by their own experts in deciding the efficiency of the product. This is also due to the fact that no product can be guaranteed to be "hacker proof" or "impenetrable".

Among the users, however, there are companies that present the opposite opinion. They support the purchase of products with CC certification, because they believe that purchasing products with the CC certificate will help them choose the best available security level according to the CC standard. Further, they are of the opinion that evaluated products will be less vulnerable to threats than unevaluated products.
Adopting the standard and bringing it to the awareness of the Israeli users of Information Security products will create a situation in which Information Security products that receive a Common Criteria certificate will be used without the need for further evaluation. Using this standard will provide grounds for confidence in the reliability of such products, as it will be common knowledge that the Common Criteria certificate meets high and consistent standards.

List of contacts with Institutes, companies

Institutes:
1. Ministry of Commerce & Industry
2. Ministry of Treasury
3. The Export Institute
4. The Standard Institute
5. Bank Leumi
6. Union Bank

Companies by alphabetical order:
7. AGS Encryptions
8. AirSpan Ltd
9. Aladdin Knowledge Systems Ltd
10. ANC Securities
11. Applicure Technologies Ltd
12. Avnet Information Security Ltd
13. Bar Ziv Ravid Insurance Consultants and Agents
14. Beyond Security Ltd
15. Cellcom Telephone service providers
16. Check Point
17. Cipher Active Technologies
18. Com Touch Software
19. Comsign Ltd
20. Cyber-Ark
21. Cyota
22. Finjan Software Ltd
23. Gita Technologies
24. Network Privacy
25. Novolution
26. Parallel Communications
27. Pine App
28. Rit Technologies
29. Safend Ltd
30. Securenet Ltd
31. SentryCom Ltd
32. SkyBox Ltd
33. Soroker Agmon Law Firm