'Participating with Safety' index   «   Mobbs' Environmental Investigations   «   FRAW

APC/GreenNet Internet Rights Logo Association for Progressive Communications: 'Participating With Safety'
A series of briefings on information security and on-line safety for civil society organisations

Unit 1. Introducing Information Security

How to protect your information and computer systems

Written by Paul Mobbs for the Association for Progressive Communications, 2002.
© 2002-2008 APC/Paul Mobbs, released under The Gnu Free Documentation License (GFDL), version 1.2.
For further information contact: http://www.fraw.org.uk/mei/ or mei@fraw.org.uk.
For a PDF version of this document, click here.
For a Word version of this document, click here.

Introduction

Using computers is a complex business. To use them properly you must learn not only how to use the functions of the word processor or database that you rely on; you also need to learn how to organise your computer and the information it contains in order to protect against the accidental loss of information.

It is also important to prepare your computer, your information and your premises, for the possibility of deliberate external damage, which could be caused by computer viruses, interception, monitoring or physical raids by the state or other forces which oppose your work.

This briefing is the first in a series about information security. It should be read in conjunction with the other briefings in this series, which concentrate on the practical aspects of security. They cover:

This briefing outlines the main points you need to consider when addressing the security of your computers and systems. The other briefings look in more detail at features mentioned here. Much of what this briefing discusses is theoretical. It cannot be proscribed, because it is dependent upon the needs and circumstances of the individual. Although the content of the briefing may seem daunting, it is worthwhile reading the material as it provides the context for the use of other briefings as part of a system of security rather than a piecemeal system of protection. This briefing considers:



The need for security

Information Security (also known as IT Security, or Infosec) is the theory and practice of using computers and information systems in order to:

The above list of potential threats to security is in decreasing order of probability.

« back to top »



The objectives of good security

The ingredients of a good information security plan to control and/or enable the sensitivity, security, access and performance of your data and systems:

How to approach information security

The best way to approach the problem is to develop systems and cycles:

Security is a process, not a product. You cannot buy security and install it. It is a collection of different measures, tailored to your own needs, methods and ways of working.

Assessing the risks

The most common everyday risks you are likely to face are, in order of probability:

There will also be risks that apply only to you, as a result of the type of work you undertake, or because of the location your equipment.

When organising your information, systems and equipment you need to consider what risks you face and how you can plan for contingencies as a result:

« back to top »



Looking after your information

In industry, 75% of information loss or system damage is caused by staff error, rather than by external forces (such as hacker/crackers or viruses). Analyse your own information security skills, and identify where you need additional training or resources in order take steps to deal with those needs.

Get organised

From filing cabinets to floppy disks, looking after information is all about how you organise your data. You need to make sure it is:

Developing and organising a good information system is a process of learning, and experimenting with different ideas until you find a system that works for you and those you work with. Learn from your mistakes.

Security barriers

As noted earlier, you need to set up barriers so that people cannot get hold of your information unless you want them to.

Paper-based information is fairly easy to protect because it is bulky; you would notice if it went missing. Electronic information is more difficult to control because it is easily copied; someone could break into your office with a laptop, transfer your information onto their system, and you would be none the wiser as to what they had taken.

A word of caution – if your system is too well indexed, or too well classified in files and boxes or directories, then it's easier for people to locate sensitive information within your filing system. Therefore it's a good idea to have a few gaps and illogical filing practices that those using the information are familiar with, in order to make sure your files are not completely open to everyone.

Protecting your information

There are various ways in which your information can be compromised (in increasing order of severity):

Guarding against the first two is fairly simple - basic access barriers and security measures will prevent access, and if loss does occur, you can swiftly replace it.

Guarding against raids and arson is more difficult, and ultimately futile. Guarding against arson can be expensive, and is most effectively solved by keeping copies of important information and files in another location. To be effective in the immediate aftermath of an attack or raid, you must also ensure you can always beg or borrow access to a compatible computer.

State Intervention

Guarding against action by the state presents a different set of problems. The purpose of access barriers is to increase the amount of time taken to gain access to your information. Those seeking covert access will be deterred by good access barriers because of the additional time taken to circumvent the protection you have installed. When the state acts officially it does not have this problem. It can act openly. It can employ staff and specialists tools to help gain access. It also has complete legal rights to prevent any efforts by you stop or frustrate their attempts to gain access.

No matter what physical security you have in place the officers of the state will forcibly enter your premises and destroy or remove computer equipment if they believe you have information concealed there. Even then, if they are not happy, they will take those people they believe have the information and hold or interrogate them until they turn it over. The greatest risks are usually presented when you have the best security – those people who hold the password to systems or encryption keys, or who know of the location of backed up data, will be under the most pressure to reveal what they know.

Although access barriers do not provide effective protection from action by the state, they can provide valuable time to allow you to take other action. For example, calling legal support or other organisation who can provide assistance. If you have good physical security, you might also have time to encrypt sensitive databases, or back up your current work off the computer in case the computer is taken away.

The best defence against raids by the state is to have many copies of your valued information held amongst a number of people. In the event of a raid they can circulate copies and publicise the work of those who have been subject to state action, according to the instructions you give them.

« back to top »



Security barriers

The Onion graphic - illustrating layers of security Security is all about protection layered in depth through the provision of barriers to access. You must build different layers of protection – like the layers of an onion (see right, click here for a larger version) – around important equipment and information. You need to protect access to:

Another important issue are services, such as power and Internet or network connections, that penetrate through the layers. These too must be secured if you are to have effective security. In particular, network or Internet connections should use firewalls to prevent access remotely over a network. You should also consider the other ways by which security can be covertly breached and try and minimise the potential for their use (see the briefing 7 on Living Under Surveillance).

Level 1: Securing your premises

Securing your building is a matter of common sense. If you lost your keys, could you get into your office? If you can find a way in, it is likely that somebody else could. You will first need to consider the three types of intrusion you can expect:

When looking at physical security measures, consider the following points:

Roof and ceiling spaces are good locations for listening/surveillance devices because they provide space for equipment, and they have power supplies running through them. Tell-tale signs of interference from a roof or ceiling space are small holes on the ceiling, or unexplained damage/repair to the paint work. You should restrict people's ability to access roof spaces in general.

Planning for a 'catastrophic' raid or burglary

As part of the assessment of risks, it is important to consider the 'what ifs...' for common events. Two significant problems are raids by the state, or motivated attacks or burglaries that seek to remove or destroy your data and equipment.

In the event of a raid you should have identified procedures to: call or inform other persons or organisation you work with; obtain legal support, if possible immediately, in order to lessen the damage or impacts of the raid; and activate a network of friends or supporters who can immediately begin fighting your cause whilst you are in the middle of having to deal with the circumstances of the raid, and perhaps the detention that might immediately follow.

Classifying information as 'general', 'irreplaceable' or 'sensitive' allows you to provide appropriate protection with minimum effort. If the information was appropriately classified, backed-up off-site according to its importance, and protected according to its sensitivity, the loss of the information should not prove a major obstacle. So long as sensitive data was encrypted, and the passwords for encryption were not disclosed, you may assume that the information has not been disclosed (but you may not be able to rely on this if someone who knows the passwords was pressured to disclose them).

What is important is ensuring you can recover and start again. For this reason you should try and arrange with someone to have access to another computer that your backed-up information will be compatible with. You should also make sure that, if the original copies and licenses for your software were taken or destroyed, that you can obtain copies of the licenses from the manufacturer, and access to copies of the software, to reinstall when you get another computer of your own.

Finally, either after a burglary or raid, you should change all passwords - for computers, Internet access or email. You should also generate a new set of encryption keys with a new password (but keep the old ones – you'll have to decrypt sensitive data that has been backed-up, and then re-encrypt with the new password).


Level 2: Securing The Room

You can secure a house or office up to a point, but not so far that it may prevent emergency services getting in when you really need assistance. Once you have done what you can to make your building secure you should then consider the room, or rooms, where you keep sensitive information.

There are a few basic things you can do:

Level 3: Your Computer Hardware

Computer hardware (the physical components of your system) usually comes with a number of features that make it more difficult (although not impossible) for unauthorised people to use a computer system. These features are a mixture of physical and 'firmware' (programmable hardware) locks:

How far you need to go in securing your hardware will very much depend upon the type of threats you are guarding against:

Hardware, in particular the monitor (the display screen) gives off strong radio waves. These can be picked up using special equipment; just a few hundred metres from where you are using your computer, someone can reassemble an image of what you have on your screen at any time (the military code name for this type of system is 'tempest').

If you are concerned that the material being displayed on your system is so sensitive that you cannot risk any disclosure, you should pay for an extremely expensive 'shielded' monitor. This has a metal mesh running inside the case, and the glass screen is interlaced with fine wires, to prevent the emissions of radio waves. The easier option is to use a laptop computer, which is far less liable to give off large amounts of radio waves from the display screen.

Level 4: Your Operating System

How you make your operating system secure will very much depend upon the threats that you are likely to face. If you want to secure against opportunistic damage or theft, operating systems do not provide a great deal of additional protection. If you want to protect against theft of or damage to data, the operating system is very important.

Windows (the most popular desktop operating system in the world) has next to no security at the operating system level:

The best form of security available at the operating system layer is encryption of the hard disk.

If you use Windows you should be aware that:

A simple and effective way of protecting your system when computers are running is to use a screen saver with password protection:

Level 5: Protecting Your Data at Program Level

Most program-level security uses passwords to prevent access to word processed or database files.

The password protection systems available with most mainstream office programs are completely insecure. They work by simply refusing access to the file; because they do not encrypt the contents of a file they still allow the raw data to be read by anyone who knows how.

Other systems work by 'hashing' the data. This is a very weak, low-level form of encryption that is easily cracked. You can find programs available over the Internet that enable you to do this.

The main form of program-level security is the use of secure encryption programs, such as PGP, to encrypt files (see the briefing on Using Encryption and Digital Signatures).

You should not rely on encryption for total security. When editing data, your computer uses areas of the hard disk for temporary files. These files are not fully erased from the hard disk when you close the file you're editing, and so for some days afterwards, parts of the file you were editing will be available to anyone who knows how to access the raw data stored on the hard disk.

The only certain safeguard against this is to encrypt your hard disk at the operating system level.

A less reliable option is to use a program that scrambles or overwrites all unused areas of your hard disk with random data and so completely erases any temporary files. If you use this sort of program, you must remember to run it on a regular basis, otherwise you will jeopardise your security.

The other essential aspect of program-level security is maintaining the system and protecting against computer viruses. There is a variety of specific programs available to help you do this:

« back to top »



Persistence

Paper records are easy to destroy. They can be shredded or pulped, or sensitive sections can be blocked out with indelible ink. But computer data can be more difficult to deal with:

« back to top »



Email and the Internet

The use of email and the Internet to send data also presents problems of persistence. Depending on the requirements imposed by law, some Internet Service Providers will store some or all or the data you move over the Internet. Therefore not only may the text of the messages you send be available, but perhaps the files you attach. The only solution to this is to send sensitive information using encrypted messages or files.

Even so, the fact that you have sent information across the 'Net will always generate communications data. Communications data is the description of your information transactions on the Internet – dates, times, addresses and the quantity of information passed. Communications data is increasingly being used as a means of covert surveillance by states and security services.

« back to top »



Going beyond passive security – counter-surveillance

Securing the space where you work is the first objective. If anyone can walk in and use your computers and other equipment, you have no security. But after that you should consider developing systems that actively seek to avoid the potential for the surveillance of your activities.

The first thing to concentrate on is the security of the computer itself. As well as securing the operating the operating system, described at length earlier, you should take steps to secure the hardware. Some computers have locks on the case. Those that do not can be secured by fitting some sort of lock to the case.

An option to secure not only computer cases but any type of cased equipment it to provide a 'seal' on the screw or bolts. Take a very fine brush, and a pot of model-makers enamel paint with the colour chosen at random, and paint a small line over the minute gap between the head of the screw and the case of the enclosure (but do not paint over the head of the screw!). Then, if the screws are ever undone, the paint will split and the tampering will be obvious. The reason for choosing a random colour is that any attempt to redo the paint seal will be foiled unless they can match your colour.

You should assume that all mechanical locks can be picked by professional surveillance operatives. Therefore do not assume that good locks will secure your working area. Instead seek to secure the workplace 'in depth' so that even if access is gained to the working area, access to information can still be frustrated. There are various options to do this:

Those who wish to access your information will, if required, smash their way in. But the object of good space security is to make covert access harder, as well as preventing general theft. Covert access is more of a problem because it does not provide you with a warning that someone has attempted to make an entry. Good security around your workplace should primarily be aimed at highlighting any access attempts. Having detected them you can step-up your security.

If there are any attempts to access your workplace you should always conduct a thorough search of the area. Your first goal should be to check that all your computers are intact. Then you should check that you data back-ups and installation disks are intact and uncorrupted. If you find that the computer has been tampered with to gain access, you should assume that the computer may have been uploaded with a virus or other rogue program. You should disconnect it from any networks before booting the system, take off any data files that cannot carry viruses, and then wipe and reinstall the system.

After dealing with the immediate problems of any attempt to access your work space, you should then systematically check all your communications equipment. The cases of telephones and other communications equipment can be secured using a small line of paint on the screws that secure the case, as described above. This will show any attempts to open them up. But you should also check for any damage to the walls, ceiling or floor of the room, or for any attempts to mask damage with paint. This may give away attempts to install some sort of surveillance device. You should also check the mains power sockets as these provide both a space and a power supply for surveillance devices.

If you have access to the equipment, you might also sweep the area for radio transmitters. But unless you have professional sweeping equipment, this is likely to only pick up the low-tech/amateur style listening devices.

Counter-surveillance is difficult to described in a general way. This is because, unlike general computer security, it is highly specific to the location and layout of the areas/equipment that need to be protected. There is further information provided on this issue in briefing no.7 – Living Under Surveillance.

« back to top »




Free Documentation License:

Copyright © 2001-2008 Association for Progressive Communications (APC) and Paul Mobbs. Further contributions, editing and translation by Karen Banks, Michael de Beer, Roman Chumuch, Jim Holland, Marek Hudema, Pavel Prokopenko and Pep Turro. The project to develop this series of briefings was managed by the Association for Progressive Communications, and funded by OSI.

Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License, Version 1.2 or any later version (see http://www.gnu.org/copyleft/ for a copy of the license). You can also download the license here.

Please note that the title of the briefing and the 'free documentation license' section are protected as 'invariant sections and should not be modified.

For more information about the Participating With Safety project, or if you have questions about the briefings, contact secdocs@apc.org.







Paul Mobbs/Mobbs' Environmental Investigations Archive – http://www.fraw.org.uk/mei/
© 2002-2008 APC/Paul Mobbs. This document has been released under The Gnu Free Documentation License (GFDL, version 1.2).