
*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=
C.S.T. Volume One -- Phile Two
Written By: The Line Breaker
*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=

Control Title -> telephone access

Objective -> avoid computer access exposure

Description -> limiting access to a computer and data files can be an important means of security. Several means of accomplishing this are possible. It may be possible and important to eliminate dial-up access to a computer. A computer interfaced to the dial-up public telephone network is exposed to access from any telephone in the world. There may be a trade-off in computer security by giving up or limiting the benefits of dial-up access. This can be accomplished by using only point-to-point wire or leased-line telephone access to the computer. An alternative is to provide dial-up access to a small computer for development or other timesharing purposes while reserving another computer, not interfaced to dial-up telephones, for more sensitive production activity. A control computer providing access to two or more other computers can also be used as a means of protecting them from dial-up access. An alternative method of restricting access is to provide dial-up access only during limited periods of the day. During periods of dial-up access, particularly sensitive files or applications would not be resident in the computer system or secondary storage. A partial degree of protection for dial-up access systems is to maintain strict need-to-know availability of the telephone numbers and log-in protocol for accessing the computer system. Most dial-up timesharing computer services have similar access protocols; therefore, a unique, very different initial access exchange of identifying information may be useful to limit access. The telephone numbers should be unlisted, different in pattern of digits, and have different prefixes from the organization's publicly listed voice telephone numbers. Callback to verify the source of telephone access is also popular.

Strengths -> avoidance of exposure is a particularly strong means of simplifying and reducing the problems of securing computer systems. Limiting or eliminating dial-up access significantly reduces exposure.

Weakness -> an important objective for computers is to make them easily and widely accessible. Eliminating or limiting dial-up significantly reduces this capability.

How to Audit -> access capabilities, review access logs

Purpose -> prevention

Control Area -> computer system

Mode -> hardware

Area of Responsibility -> operation

Cost -> high

Principles of Note -> least privilege, limit dependence on other mechanisms
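
Added example (not part of the original phile): one way to carry out the "review access logs" audit step against two of the controls described above, limited dial-up hours and callback verification. The log format, the permitted hours, the user names and the callback numbers are all assumptions constructed for illustration.

```python
from datetime import datetime, time

# Assumed policy, not from the original text: permitted dial-up hours and
# the callback number registered for each authorized user.
WINDOW_START, WINDOW_END = time(8, 0), time(18, 0)
CALLBACK_NUMBERS = {"jsmith": "555-0142", "mlee": "555-0177"}

# Constructed sample log. Fields: date, time, line type, user,
# number the system called back, session result.
SAMPLE_LOG = """\
1986-03-04 09:12 dialup jsmith 555-0142 ok
1986-03-04 23:47 dialup jsmith 555-0142 ok
1986-03-05 10:03 dialup mlee 555-0199 ok
1986-03-05 10:30 leased ops - ok
1986-03-05 11:15 dialup guest - ok
1986-03-05 11:20 dialup mlee 555-0177 denied
garbled entry
"""

def in_window(t, start=WINDOW_START, end=WINDOW_END):
    """True if t falls in [start, end); also handles windows spanning midnight."""
    if start <= end:
        return start <= t < end
    return t >= start or t < end

def audit(log_text):
    """Return (line_number, reason) for every entry that violates the policy."""
    findings = []
    for n, line in enumerate(log_text.splitlines(), start=1):
        fields = line.split()
        try:
            date, clock, kind, user, callback, result = fields
            when = datetime.strptime(f"{date} {clock}", "%Y-%m-%d %H:%M")
        except ValueError:
            findings.append((n, "unparseable entry"))  # never skip silently
            continue
        if kind != "dialup":
            continue  # leased and point-to-point lines are out of scope
        if not in_window(when.time()):
            findings.append((n, "dial-up outside permitted hours"))
        if result == "ok" and CALLBACK_NUMBERS.get(user) != callback:
            findings.append((n, "session without registered callback"))
    return findings

if __name__ == "__main__":
    for n, reason in audit(SAMPLE_LOG):
        print(f"line {n}: {reason}")
```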

