INFORMATION TECHNOLOGY SECURITY HANDBOOK


IT-SECURITY

by George Sadowsky, James X. Dempsey, Alan Greenberg, Barbara J. Mack, and Alan Schwartz

2003 The International Bank for Reconstruction and Development / The World Bank
1818 H Street, NW
Washington, DC 20433
Telephone 202-473-1000
Internet www.worldbank.org
E-mail feedback@worldbank.org

All rights reserved.

The findings, interpretations, and conclusions expressed herein are those of the author(s) and do not necessarily reflect the views of the Board of Executive Directors of the World Bank or the governments they represent.

The World Bank does not guarantee the accuracy of the data included in this work. The boundaries, colors, denominations, and other information shown on any map in this work do not imply any judgment on the part of the World Bank concerning the legal status of any territory or the endorsement or acceptance of such boundaries.

This Handbook is distributed on the understanding that if legal or other expert assistance is required in any particular case, readers should not rely on statements made in this Handbook, but should seek the services of a competent professional. Neither the authors, nor the reviewers or The World Bank Group accepts responsibility for the consequences of actions taken by readers who do not seek necessary advice from competent professionals, on legal or other matters that require expert advice.

Rights and Permissions

The material in this work is copyrighted. Copying and/or transmitting portions or all of this work without permission may be a violation of applicable law. The World Bank encourages dissemination of its work and will normally grant permission promptly.

Portions of this publication have been extracted, with permission of the publisher, from Simson Garfinkel, Gene Spafford, and Alan Schwartz, Practical Unix and Internet Security, 3rd edition, O'Reilly & Associates, Inc., February 2003, and Simson Garfinkel and Gene Spafford, Web Security, Privacy and Commerce, 2nd edition, O'Reilly & Associates, Inc., January 2002.

For permission to photocopy or reprint any part of this work, please send a request with complete information to the Copyright Clearance Center, Inc., 222 Rosewood Drive, Danvers, MA 01923, USA, telephone 978-750-8400, fax 978-750-4470, www.copyright.com.

All other queries on rights and licenses, including subsidiary rights, should be addressed to the Office of the Publisher, World Bank, 1818 H Street NW, Washington, DC 20433, USA, fax 202-522-2422, e-mail pubrights@worldbank.org.

Design: Studio Grafik, Herndon, VA

GLOBAL INFORMATION AND COMMUNICATION TECHNOLOGIES DEPARTMENT
THE WORLD BANK
1818 H STREET, NW
WASHINGTON, DC 20433
infodev@worldbank.org
website infodev.org
ISBN 0-9747888-0-5
INFORMATION FOR DEVELOPMENT PROGRAM

ACRONYMS

ICT  Information and Communication Technology
OECD DAC  Organization for Economic Cooperation and Development's Development Assistance Committee
MDGs  Millennium Development Goals
WSIS  World Summit on the Information Society
DOT Force  Digital Opportunity Task Force of the G8 states.
G8  Major industrial democracies have been meeting annually since 1975 to deal with the major economic and political issues facing their domestic societies and the international community as a whole. These states – the G8 – contain France, USA, Germany, Japan, Italy, Great Britain, Canada and – since the Birmingham Summit in 1998 – Russia.
UN ICT Task Force  United Nations Information and Communication Technology Task Force
PDA  Personal Digital Assistant
SMEs  Small and Medium Enterprises
HIPC  Highly Indebted Poor Countries
FDI  Foreign Direct Investment
OECD  Organization for Economic Cooperation and Development
DFID  Department for International Development
ITDG  Intermediate Technologies Development Group
VoIP  Voice-over-Internet-Protocol

CONTENTS

1  PREFACE
7  EXECUTIVE SUMMARY

13  PART 1. INTRODUCTION
14  CHAPTER 1. IT SECURITY IN THE DIGITAL AGE

29  PART 2. SECURITY FOR INDIVIDUALS
30  CHAPTER 1. INTRODUCTION TO SECURITY FOR INDIVIDUALS
31  CHAPTER 2. UNDERSTANDING AND ADDRESSING SECURITY
35  CHAPTER 3. KEEPING YOUR COMPUTER AND DATA SECURE
43  CHAPTER 4. KEEPING YOUR OPERATING SYSTEM AND APPLICATION SOFTWARE SECURE
47  CHAPTER 5. MALICIOUS SOFTWARE
53  CHAPTER 6. SECURING SERVICES OVER NETWORKS
63  CHAPTER 7. TOOLS TO ENHANCE SECURITY
68  CHAPTER 8. PLATFORM SPECIFIC ISSUES
73  ADDENDUM 1. INTRODUCTION TO ENCODING AND ENCRYPTION
77  ADDENDUM 2. TCP/IP
79  ADDENDUM 3. MINI-GLOSSARY OF TECHNICAL TERMS

81  PART 3. SECURITY FOR ORGANIZATIONS
82  CHAPTER 1. INTRODUCTION
86  CHAPTER 2. OVERVIEW OF E-SECURITY RISK MITIGATION
94  CHAPTER 3. RISK EVALUATION AND LOSS ANALYSIS
101  CHAPTER 4. PLANNING YOUR SECURITY NEEDS
105  CHAPTER 5. ORGANIZATIONAL SECURITY POLICY AND PREVENTION
112  CHAPTER 6. PERSONNEL SECURITY
117  CHAPTER 7. SECURITY OUTSOURCING
122  CHAPTER 8. PRIVACY POLICIES, LEGISLATION, AND GOVERNMENT REGULATION
125  CHAPTER 9. COMPUTER CRIME
130  CHAPTER 10. MOBILE RISK MANAGEMENT
139  CHAPTER 11. BEST PRACTICES: BUILDING SECURITY CULTURE
144  CHAPTER 12. GENERAL RULES FOR COMPUTER USERS
150  CHAPTER 13. GLOBAL DIALOGUES ON SECURITY

163  PART 4. INFORMATION SECURITY AND GOVERNMENT POLICIES
164  CHAPTER 1. INTRODUCTION
167  CHAPTER 2. PROTECTING GOVERNMENT SYSTEMS
174  CHAPTER 3. THE ROLE OF LAW AND GOVERNMENT POLICY VIS A VIS THE PRIVATE SECTOR
176  CHAPTER 4. GOVERNMENT CYBER-SECURITY POLICIES

189  PART 5. IT SECURITY FOR TECHNICAL ADMINISTRATORS
190  CHAPTER 1. BACKGROUND
196  CHAPTER 2. SECURITY FOR ADMINISTRATORS
209  CHAPTER 3. PHYSICAL SECURITY
220  CHAPTER 4. INFORMATION SECURITY
238  CHAPTER 5. IDENTIFICATION AND AUTHENTICATION
266  CHAPTER 6. SERVER SECURITY
288  CHAPTER 7. NETWORK SECURITY
314  CHAPTER 8. ATTACKS AND DEFENSES
326  CHAPTER 9. DETECTING AND MANAGING A BREAK-IN
341  CHAPTER 10. SYSTEM-SPECIFIC GUIDELINES

351  ANNEXES
352  ANNEX 1. GLOSSARY
362  ANNEX 2. BIBLIOGRAPHY
371  ANNEX 3. ELECTRONIC RESOURCES
378  ANNEX 4. SECURITY ORGANIZATIONS
384  ANNEX 5. PRINT RESOURCES

FOREWORD

The preparation of this book was fully funded by a grant from the infoDev Program of the World Bank Group. The topic of Information Technology (IT) security has been growing in importance in the last few years, and is well recognized by the infoDev Technical Advisory Panel. We would like to thank the State Secretariat of Economic Affairs of Switzerland (SECO) for having been instrumental not only in providing the funding for this project, but also in recognizing the urgency of the matter and allowing this book to come to fruition.

We recognize the fundamental role of Information and Communication Technologies (ICT) for social and economic development. Similarly, we recognize that there cannot be an effective use of ICT in the absence of a safe and trusted ICT environment. Thus, IT security plays a prime role in helping create the environment needed to set the ground for implementing successful national ICT plans, e-Government or e-Commerce activities, as well as sectoral projects, such as, for example, in the areas of education, health, or finance.

IT security is a complex topic and evolves almost as fast as technology does. The authors have succeeded in providing technology-independent best practices, as well as recommendations for particular IT environments. As technology evolves, the accompanying web site (www.infodev-security.net) will provide updates as appropriate, allowing for a constant dissemination of developments in the field of IT security. While the opinions and recommendations made in this book do not necessarily reflect the views of infoDev or The World Bank Group, we believe that the combination of the book and its supporting web site will make a valuable contribution to the understanding of IT security around the globe.

The book is composed of five parts, each of which can be read independently. After an introduction to general issues of IT security, the book addresses issues relevant specifically to individuals, small and medium organizations, government, and technical administrators. Although most of the research and publications on IT security come from developed countries, the authors have attempted to provide practical guidance applicable anywhere and to include examples from developing countries.

We hope that this book and its supporting web site will provide the beginning of an interactive process, where the content and best practices will evolve over time as technology advances, but more importantly, as readers share their experiences and best practices with their peers.

Mohsen A. Khalil
Director, Global Information and Communication Technologies Department
The World Bank Group

Bruno Lanvin
Program Manager, infoDev Program
The World Bank Group

Michel H. Maechler
infoDev Task Manager, Senior Informatics Specialist
The World Bank Group

REVIEW COMMITTEE MEMBERS

Walter Duss
Vice President, swiss interactive media and software association (simsa)
Managing Director, ASP Konsortium Switzerland
Wilen, Switzerland

Bertrand Livinec, CISA
Practice Lead, Sub-Saharan Francophone Africa Region
Group Risk Management Solutions (GRMS)
PriceWaterhouseCoopers
Paris, France

Kurt Haering
President, EFSI AG
Basel, Switzerland
(Formerly President of Infosurance, Zürich, Switzerland)

Michel Maechler, CISA, CISM
Senior Informatics Specialist
Global Information and Communications Technology, Policy Division
The World Bank
Washington, DC, USA

Thomas Kellermann, CISM
Senior Data Risk Management Specialist
Financial Sector Operations & Policy Department
The World Bank
Washington, DC, USA

Scott Musman
President and CEO, Augmented Systems
Alexandria, VA, USA
(Formerly Director of Research and Development at IMSI)

Werner Lippuner, CISA
Senior Manager, Technology and Security Risk Services – Public Sector
Ernst & Young LLP
Washington, DC, USA

David Satola
Senior Counsel, Finance, Private Sector Dvt, & Infrastructure, Legal Department
The World Bank
Washington, DC, USA

PREFACE

The recent evolution of Information and Communication Technologies (ICTs) and the substantial innovation in the sector have resulted in a significant increase in productivity as well as the emergence of a wealth of new goods and services. As the power, capacity, and cost of microelectronics continue to improve, providing approximately a 30% gain in productivity and power per unit of cost each year, we have all been beneficiaries of these trends. Today we live in a digital world, where information processing is inexpensive and telecommunications costs are decreasing. It is an increasingly interconnected world.

The wealth of new technical possibilities gives rise not only to new products and more efficient and effective ways of doing things, but also to the possibility of misuse of the technology. Like other technologies, ICTs are essentially neutral, and can be used in ways that most of us would consider beneficial, as well as in ways that are harmful. The work of ICTs is done at microsecond speed, carrying information invisible to the naked eye, under the control of software developed by people, so harmful intentions in this environment are often carried out rapidly, invisibly, and are difficult, if not impossible, to trace.

The problems associated with securing information systems, the processes that depend on them, and the information that is transmitted and stored in electronic form, are not new. Major commercial systems implemented on computers have been in existence for about 50 years. The commercial banking system has been executing electronic funds transfers for about the same amount of time. In these commercial systems, there are strong incentives for criminals to attempt to compromise both solitary computers and computer networks for personal gain. In reaction to the rise in opportunities for criminal activity, significant research and development initiatives have been launched to produce stronger security measures for both information processing and communications.

In the last 50 years, much has changed. The personal computer revolution, which started in the mid-1970s, has put computers of remarkable size and power into the hands of hundreds of millions of people at the present time. In addition, the Internet and other forms of personal networking have enabled computer-to-computer communications among many of those people. Twenty-five years ago computing and communications were generally handled by a small group of relative experts; today hundreds of millions of people use computers for every imaginable information processing task. They are tied together by a powerful communications network, the Internet, that allows expanded interpersonal communication via e-mail and instant messaging. The Internet also provides easy and relatively inexpensive access to a rich and growing body of digital content. Yet with these rapid technology advances, trouble spots have emerged as well. The average networked computer user of the 1970s was a professional computer specialist; today the average user is fairly ignorant of, or at least unconcerned with, the technical details involved in the operation of the computer and its network. As a result, these casual users may fail to put proper security software packages and procedures in place, so that weak links in the network may be exploited by hackers or computer criminals, regardless of the respective geographical locations of the user, the exploiter, and the system being exploited.

If you use computers at home or at work, you have a certain level of responsibility for them, and this publication will help you understand the procedural and technical details of managing either a single computer or a networked group of computers. Security is everyone's business, whether you are a casual user, a technician, a system administrator, a network administrator, or a manager with responsibility for systems or networks. Understanding what the central security issues are, taking prudent actions to protect your systems, and putti
