S 4.99 Protection against subsequent change to information
Initiation responsibility: Head of IT, IT Security Officer
Implementation responsibility: User, Administrator
Files disclosed to third parties may generally also be processed further by those third parties. This is not always what was originally intended. Therefore, protection against subsequent changes, disclosure of extracts, or further processing would be desirable.
Frequently, one faces the problem that information is made available for third parties via the internet or other networks, but this information is not intended to be printed out a hundred times or integrated seamlessly into other work.
There are various solutions to this problem, and some of these solutions can be combined. Examples of this include:
- The use of digital signatures in order to prevent undetected changes to files (see also S 4.34 Using encryption, checksums, or digital signatures or S 3.23 Introduction to basic cryptographic terms).
- The addition of copyright notes to information such as brochures or files on websites. These may be as follows: "The work, including all of its parts, is protected by copyright. Any use outside of the stringent copyright law without the consent of the author shall be inadmissible and prosecutable.", as well as "Copyright (©) 7/2009 by BSI".
- The use of file formats that make subsequent changes and/or the processing of extracts more difficult. For example, Postscript or the security features of application programs, e.g. for PDF files, can be used for this purpose.
Many application programs offer security mechanisms in order to restrict the further handling of created files. In the following, some of these security mechanisms are presented using PDF files as an example. Since the security mechanisms of the different application programs are defined differently and sometimes even vary between two versions, it is important to provide the employees with information as to how these must be used and which steps must be taken into consideration before disclosing electronic documents. Frequently, it makes sense to thoroughly train one employee (plus substitute) regarding this. This employee should then process all documents to be disclosed in accordance with the security provisions or be available as contact person.
Protection of PDF documents
PDF documents can be equipped with access restrictions when they are created. For example, opening, printing, or copying PDF files may be restricted.
- Frequently, individual passages should be effaced in a document before it is published. A popular but error-prone method is to electronically "black out" text passages. However, the information effaced this way can easily be read out in many cases. Therefore, this must not be done (see also T 3.13 Passing on false or internal information).
- By using cryptographic procedures, PDF documents can be signed or encrypted in such a way that only certain users are allowed to use the documents.
- Security policies can be created for PDFs. These can be created by an individual user, or security policies specified by the organisation may be used, which requires an Adobe Policy Server.
- File protection
Using Adobe Acrobat, i.e. the most commonly used application for creating and subsequently editing PDF files, it is possible to assign two types of passwords. One type is used for opening the documents and the other type is used for changing the security attributes. When assigning a password, the first question addresses the program versions the protective function is to be compatible with. For compatibility settings below "Adobe 5.0 and higher", only 40-bit encryption with RC4 is possible; with "Adobe 5.0 and higher", 128-bit encryption with RC4 is provided, and with "Adobe 7.0 and higher", 128-bit encryption with AES is provided. Encryption with at least 128 bits should be ensured, because document protection can be bypassed easily otherwise.
The following functions, amongst other things, can be restricted using the security attributes:
- opening a document
- printing
- changing a document
- copying text, image or other content
- access to the document's metadata
- adding or changing notes and form fields
This way, the rights can be restricted very easily so that nobody can adopt the contents of a publication using the cut and paste function. If even print-outs are prevented in extreme cases, the file can only be read online.
Which metadata a file should contain must be considered carefully. For example, it may be required to include extensive metadata in a file so that the file can be found using search engines. However, it may also make sense not to disclose any metadata; for example, the name of the author should be removed if a document is to be disclosed anonymously.
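A pre-release check for the two leaks discussed above, blacked-out passages whose text is still stored in the file and metadata such as the author's name, can be automated. The following Python sketch is an added example, not part of the original safeguard; the function names and the sample document are constructed for illustration, and it only handles literal strings in uncompressed or Flate-compressed streams.

```python
import re
import zlib

LITERAL = re.compile(rb"\(((?:\\.|[^\\()])*)\)")   # PDF literal string: (text)
INFO_KEY = re.compile(rb"/(Author|Title|Subject|Keywords|Creator|Producer)\s*"
                      rb"\(((?:\\.|[^\\()])*)\)")

def stream_bodies(pdf: bytes):
    """Yield each stream body, inflated when it is Flate-compressed."""
    for m in re.finditer(rb"stream\r?\n(.*?)endstream", pdf, re.S):
        try:
            # decompressobj tolerates the end-of-line bytes before 'endstream'
            yield zlib.decompressobj().decompress(m.group(1))
        except zlib.error:
            yield m.group(1)        # not Flate data: scan the raw bytes

def drawn_text(pdf: bytes) -> str:
    """All literal strings in the streams, i.e. text the file still carries."""
    parts = []
    for body in stream_bodies(pdf):
        parts += [s.decode("latin-1") for s in LITERAL.findall(body)]
    return " ".join(parts)

def leftover_terms(pdf: bytes, terms):
    """Terms that were meant to be removed but are still stored in the file."""
    text = drawn_text(pdf).lower()
    return [t for t in terms if t.lower() in text]

def info_metadata(pdf: bytes) -> dict:
    """Document information entries (author, producer, ...) stored in clear."""
    return {k.decode(): v.decode("latin-1") for k, v in INFO_KEY.findall(pdf)}

def build_sample() -> bytes:
    # Constructed sample: text is drawn, then a black rectangle is painted over it.
    content = (b"BT /F1 12 Tf 72 700 Td (Offer price: 4.2 million) Tj ET\n"
               b"0 g 70 695 200 16 re f\n")
    packed = zlib.compress(content)
    return (b"%PDF-1.4\n1 0 obj\n<< /Author (J. Doe) /Producer (ExampleWriter) >>\n"
            b"endobj\n2 0 obj\n<< /Length " + str(len(packed)).encode() +
            b" /Filter /FlateDecode >>\nstream\n" + packed +
            b"\nendstream\nendobj\n%%EOF\n")

if __name__ == "__main__":
    sample = build_sample()
    print("still present:", leftover_terms(sample, ["4.2 million", "Project Falcon"]))
    print("metadata:", info_metadata(sample))
```

A hit is conclusive; an empty result is not, because text stored as hex strings or in font-specific encodings is not covered by this sketch.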
Unfortunately, these security attributes only provide rudimentary protection, because PDF files (regardless of the program version used for their creation) can also be opened using programs which ignore them. For example, as long as printing is allowed, the document can be converted back into a PDF file without any restrictions at any time.
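Before a protected PDF is disclosed, the settings described above can be verified from the file's encryption dictionary: which cipher and key length were actually applied, and which actions the permission flags deny. The following Python sketch is an added example, not part of the original safeguard; it reads the /V, /Length, /CFM and /P entries of the PDF standard security handler, the sample dictionaries are constructed, and it also recognises /V 5 (AES with 256 bits), which the text above does not list.

```python
import re

# /P permission bits of the PDF standard security handler (bit 1 = lowest bit);
# a cleared bit means the action is denied when opening without the owner password.
PERMISSION_BITS = {3: "print", 4: "modify", 5: "copy", 6: "annotate/forms"}

def _int(d: bytes, key: bytes, default: int) -> int:
    """Return the integer value of /key in dictionary bytes d, or the default."""
    m = re.search(rb"/" + key + rb"\s+(-?\d+)", d)
    return int(m.group(1)) if m else default

def audit_encrypt_dict(d: bytes) -> dict:
    """Summarise cipher, key length and denied actions of an /Encrypt dictionary."""
    v = _int(d, b"V", 0)
    if v == 1:
        cipher, bits = "RC4", 40
    elif v == 2:
        cipher, bits = "RC4", _int(d, b"Length", 40)
    elif v == 4:                              # crypt filters: RC4 or AES, 128 bits
        cipher, bits = ("AES" if b"/AESV2" in d else "RC4"), 128
    elif v == 5:
        cipher, bits = "AES", 256
    else:
        raise ValueError(f"unsupported /V value: {v}")
    p = _int(d, b"P", 0) & 0xFFFFFFFF         # /P is a signed 32-bit integer
    denied = [name for bit, name in PERMISSION_BITS.items()
              if not (p >> (bit - 1)) & 1]
    return {"cipher": cipher, "bits": bits, "denied": denied,
            "adequate": bits >= 128}          # the 128-bit minimum stated above

# Constructed sample dictionaries, one per compatibility level discussed above.
SAMPLES = {
    "rc4_40": b"<< /Filter /Standard /V 1 /R 2 /P -60 >>",
    "rc4_128": b"<< /Filter /Standard /V 2 /R 3 /Length 128 /P -3904 >>",
    "aes_128": b"<< /Filter /Standard /V 4 /R 4 /Length 128 /P -60 "
               b"/CF << /StdCF << /CFM /AESV2 /Length 16 >> >> "
               b"/StmF /StdCF /StrF /StdCF >>",
}

if __name__ == "__main__":
    for name, d in SAMPLES.items():
        print(name, audit_encrypt_dict(d))
```

The "denied" list only reports what the file requests; as stated above, programs that ignore the security attributes are not bound by it.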
Review questions:
- Are sufficient security safeguards taken so that files cannot be changed in an undetected manner?