Security Management Guide (G06.29+, H06.08+, J06.03+)
Concerns for the System Administration Team
Security Management Guide — 522283-021
lines should include special criteria for screening requests for dial-up access. Users of
dial-up systems are sometimes required to accept legal and financial liability for
intrusions carried out using their access codes.
Periodic Password and Phone Number Changes
Periodically change system passwords and phone numbers, but avoid both changing
them too often and retaining them too long. Also try to acquire phone numbers that are
not sequential. A password or phone number that is changed too often tends to get
written down in easy-to-see places. A password or phone number that is retained too
long becomes a security liability.
Action If the Line Is Dropped
A phone line might disconnect (drop) before a session completes. Design your TACL
or application so that when a line drops before session completion, the session
terminates automatically. Failure to terminate the session provides an avenue of
intrusion.
Installation Controls
Be sure procedures exist to prevent the installation of any software other than
legitimate software.
For example, without adequate controls, an intruder might persuade you to install an
update tape that you believe to contain legitimate software but that actually allows the
intruder unlimited and undetected access to the system.
Whenever you install new software or updates from computer vendors, use a checklist
of questions such as these to assess legitimacy:
• Did the software come through ordinary channels?
• Is the software documented in the way that is usual for the organization?
• If the software is an update, does it update the particular version of the software
  you already have?
• Are the installation instructions ordinary, or do they require you to expose your
  system security?
Be sure that access to the new software follows your organization’s security policy.
Exercise similar care when dealing with software created by your system programmers
or application programmers. Review their software carefully, especially if it performs
actions on behalf of other users or uses special privileges. Include the following
questions in your checklist:
• Was the software subjected to standard quality assurance and offline testing?
• Was the software reviewed and approved by management?