IT Baseline Protection Manual - The Information Warfare Site

Safeguard Catalogue - Organisation Remarks
____________________________________________________________________ .........................................
S 2.61 Requirements document for modem usage
Initiation responsibility: IT Security Management
Implementation responsibility: IT Security Management
The following must be determined:
- Who is responsible for the secure operation of the modem (e.g. IT users for
stand-alone operation, the administrator for networked systems)
- Who is entitled to use the modem
- In which cases must confidential information be encrypted before
transmission?
- In which cases must data transmissions be entered in a protocol (e.g.
transmission of person related data)? If the communications software
includes a protocol feature, it should be used effectively.
All login procedures, successful or not, must be recorded. Correctly entered
passwords should not be recorded. But it is worth considering listing
unsuccessful login attempts in order to reveal password attacks.
Evidence of password attacks could be, for example, frequent unsuccessful
login attempts by one user, unsuccessful login attempts always from the same
connection, attempts to login under different user names from one connection
or during a connection.
After the connection has been established, a login prompt will appear for the
caller. Before the successful login it must be ensured that as little information
as possible is given regarding the contacted IT system. Neither the type of
installed hardware nor the operating system should be revealed. The login
prompt should contain the name of the IT system and/or the organisation, a
warning that all connections will be listed and an input requirement for user
name and password. The reason for an unsuccessful login attempt may not be
shown (false user name, false password).
Separating Dial-In / Dial-Out
For incoming and outgoing connections, separate lines and modems should be
deployed. A caller should not have the opportunity to reconnect externally via
the dialled IT system. (If this is absolutely necessary for workers with external
duties, they must provide strong authentication, e.g. via a chip-card).
Otherwise, hackers might abuse access to set up expensive long-distance
connections or to cover up any traces they may have left.
When calling back, a different modem or a different line should be used for
the call back than the modem used when first calling (see also S 5.44 One-way
connection setup).
Additional controls:
- Are all employees authorised for communication aware of the related
regulations?
____________________________________________________________________ .........................................
IT-Baseline Protection Manual: Oktober 2000