S 2.61 Provisions governing modem usage
Initiation responsibility: IT Security Officer
Implementation responsibility: IT Security Officer
The following must be defined:
- Who is responsible for the secure operation of the modem (e.g. the IT user for a stand-alone PC, the administrator for a networked system)?
- Who is entitled to use the modem?
- In which cases must confidential information be encrypted before transmission?
- In which cases must data transmissions be logged (e.g. transmission of person related data)? If the communications software includes a logging feature, it should be used effectively.
All login procedures, successful or not, must be recorded. Correctly entered passwords must never be recorded, but it is worth considering recording the details of unsuccessful login attempts (time, user name, connection used) so that password attacks can be detected.
Evidence of a password attack includes, for example, frequent unsuccessful login attempts for one user name, unsuccessful login attempts that always come from the same connection, and attempts to log in under several different user names from one connection or within a single connection.
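The three indicators above can be checked mechanically against a login log. The following is an added example, not part of the original safeguard text, and the log format it parses is an assumption (one line per login attempt with result, user name and modem line); the sample log lines are constructed for the example. Note that the log deliberately contains no passwords, only the fact that an attempt failed.

```python
import re
from collections import Counter, defaultdict

# Constructed sample log (assumed format, not from any real system):
# "<date> <time> LOGIN OK|FAIL user=<name> line=<modem line>"
SAMPLE_LOG = """\
2024-03-01 09:58:12 LOGIN FAIL user=alice line=modem1
2024-03-01 09:58:30 LOGIN FAIL user=alice line=modem1
2024-03-01 09:58:47 LOGIN FAIL user=alice line=modem1
2024-03-01 09:59:05 LOGIN FAIL user=alice line=modem1
2024-03-01 09:59:20 LOGIN OK user=bob line=modem2
2024-03-01 10:02:01 LOGIN FAIL user=root line=modem3
2024-03-01 10:02:15 LOGIN FAIL user=admin line=modem3
2024-03-01 10:02:31 LOGIN FAIL user=operator line=modem3
2024-03-01 10:02:48 LOGIN FAIL user=guest line=modem3
2024-03-01 10:05:10 LOGIN FAIL user=carol line=modem2
2024-03-01 10:05:40 LOGIN OK user=carol line=modem2
"""

LINE_RE = re.compile(
    r"^(?P<date>\S+) (?P<time>\S+) LOGIN (?P<result>OK|FAIL) "
    r"user=(?P<user>\S+) line=(?P<line>\S+)$"
)


def parse_log(text):
    """Parse the assumed log format into a list of dicts; unparseable lines are skipped."""
    events = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            events.append(m.groupdict())
    return events


def detect_password_attacks(events, user_fail_threshold=3,
                            line_fail_threshold=3, names_per_line_threshold=3):
    """Return (indicator, key, value) tuples for the three indicators named in the text."""
    fails = [e for e in events if e["result"] == "FAIL"]
    findings = []

    # Indicator 1: frequent unsuccessful attempts for one user name.
    per_user = Counter(e["user"] for e in fails)
    for user, n in per_user.items():
        if n >= user_fail_threshold:
            findings.append(("many_failures_for_user", user, n))

    # Indicator 2: unsuccessful attempts concentrated on one connection (modem line).
    per_line = Counter(e["line"] for e in fails)
    for line, n in per_line.items():
        if n >= line_fail_threshold:
            findings.append(("many_failures_from_connection", line, n))

    # Indicator 3: several different user names tried from one connection.
    users_per_line = defaultdict(set)
    for e in fails:
        users_per_line[e["line"]].add(e["user"])
    for line, users in users_per_line.items():
        if len(users) >= names_per_line_threshold:
            findings.append(("many_usernames_from_connection", line, len(users)))

    return findings


if __name__ == "__main__":
    for indicator, key, value in detect_password_attacks(parse_log(SAMPLE_LOG)):
        print(f"{indicator}: {key} ({value})")
```

On the sample, alice is flagged for four failures, modem1 and modem3 for the number of failures on one line, and modem3 additionally because four different user names were tried from it; carol's single typo on modem2 is below every threshold. The thresholds are illustrative and should be tuned to the real volume of dial-in traffic.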
After the connection has been established, the caller is shown a login prompt. Until the login has succeeded, as little information as possible must be given about the contacted IT system: neither the installed hardware nor the operating system should be revealed. The login prompt should contain the name of the IT system and/or the organisation, a warning that all connections are logged, and a prompt for user name and password. The reason for a failed login attempt must not be disclosed (i.e. whether the user name or the password was wrong), as this would allow valid user names to be enumerated.
Separating dial-in / dial-out
Separate lines and modems should be used for incoming and outgoing connections. A caller must not be able to establish an onward external connection via the dialled IT system. (If this is absolutely necessary for staff with external duties, they must authenticate strongly, e.g. with a chip card.) Otherwise attackers could misuse the access to set up expensive long-distance connections at the organisation's expense, or to make their onward connections appear to originate from the dialled system and so cover their traces.
When calling back, a modem or line other than the one on which the call was received should be used (see also S 5.44 One-way connection setup).
Review questions:
- Have the general conditions for use of modems been clarified?
- Are the general conditions for use of modems known to the employees?