--------------------------------------------------------------------------
Data Access Security Bulletin 3006
03/29/04
Copyright (C) 2002, Coastal Security Systems, Inc. All rights reserved.
--------------------------------------------------------------------------

Central One makes information about subscribers available to dealers using a variety of means:

1. Verbally over the telephone.
2. Over the internet using Citrix.
3. Over the internet using mobile web devices and browsers.
4. Via FaxBack document order.
5. Via web services.

When releasing information Central One (and the dealer) must be concerned about AUTHENTICATION and AUTHORIZATION. Authentication deals with identifying the person who is requesting information from Central One. Authorization deals with determining what information is given out once the person has been authenticated (identified).

-----------------------------
Authentication of Dealers

Authentication of a dealer is generally accomplished by obtaining a sequence of dealer number, employee number and pin code. Dealer and employee numbers are not especially secret, but the pin code is secret and should be known only by the employee using the code and highly trusted upper management. This method of authentication is used for (1) verbal inquiries, (2) mobile web and browser inquiries, and (3) FaxBack document orders.

Authentication for Citrix access is accomplished by obtaining a sequence of dealer number, employee number and password. Because Citrix is capable of giving complete access to the entire subscriber database it was decided that the typical four digit pin code was not sufficient and that an alphanumeric password was warranted. When selecting a password it is prudent to use a combination of upper case letters, lower case letters, digits and symbols to obtain the maximum degree of security. An eight character password that uses this technique will have over 722 trillion combinations and be virtually impossible to hack.
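The following is an added example, not code from the bulletin or from Central One: a small policy check for the Citrix dealer password described above. It verifies that all four recommended character classes are present and computes the brute-force keyspace for a password built only from the classes it actually uses, so that a dealer can compare a weak choice against the four-digit pin (10,000 combinations). The ten-character symbol set is an assumption; with 26 + 26 + 10 + 10 = 72 characters it reproduces the bulletin's figure of roughly 722 trillion combinations for eight characters.

```python
import string

# Assumed symbol set (the bulletin does not list one); ten symbols gives the
# 72-character alphabet behind the bulletin's "over 722 trillion" figure.
SYMBOLS = "!@#$%^&*()"
CLASSES = {
    "upper": set(string.ascii_uppercase),   # 26
    "lower": set(string.ascii_lowercase),   # 26
    "digit": set(string.digits),            # 10
    "symbol": set(SYMBOLS),                 # 10 (assumed)
}
PIN_KEYSPACE = 10 ** 4   # the four-digit pin used for verbal/mobile/FaxBack access


def classes_used(password):
    """Names of the character classes that actually appear in the password."""
    return {name for name, chars in CLASSES.items() if any(c in chars for c in password)}


def keyspace(password):
    """Combinations to try if an attacker knows the length and the classes used.

    Mixing in a class the attacker must also search is what grows this number;
    a lower-case-only eight-character password has only 26**8 combinations.
    """
    used = classes_used(password)
    alphabet = sum(len(CLASSES[name]) for name in used)
    return alphabet ** len(password) if used else 0


def full_alphabet_keyspace(length):
    """Combinations for a password drawn from all four classes (72 ** length)."""
    return sum(len(s) for s in CLASSES.values()) ** length


def check_citrix_password(password, min_length=8):
    """Return (ok, reasons): ok only if length >= 8 and all four classes appear."""
    reasons = []
    if len(password) < min_length:
        reasons.append(f"shorter than {min_length} characters")
    missing = set(CLASSES) - classes_used(password)
    for name in sorted(missing):
        reasons.append(f"no {name} character")
    unknown = [c for c in password if not any(c in s for s in CLASSES.values())]
    if unknown:
        reasons.append("characters outside the allowed set")
    return (not reasons, reasons)


if __name__ == "__main__":
    for candidate in ("password", "Tr0ub4dor!"):
        ok, reasons = check_citrix_password(candidate)
        print(candidate, "ok" if ok else reasons, "keyspace:", keyspace(candidate))
    print("four-class 8-char keyspace:", full_alphabet_keyspace(8))
    print("four-digit pin keyspace:", PIN_KEYSPACE)
```

Run it as a script to see the contrast: the lower-case-only "password" passes no check and has a keyspace of 26**8, while the four-class eight-character space is 72**8, about 722 trillion, against 10,000 for the pin.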
Authentication for web services is accomplished using the dealer number and an alphanumeric password. Information provided via web services is not specifically targeted to any single employee so the employee number is not required. There is a single password per dealer for this authentication. Ordinarily this password is placed in the dealer's computer and need not be remembered by anyone when it is used.

-----------------------------
Authorization

When pin codes are assigned to employees there is an option labeled "Full Menu (Y/N)?" This option determines the level of authorization that the employee will have when using FaxBack and internet access.

If "Full Menu" is set to "N" for no then the employee will be able to place accounts on test and locate other employees but will not be able to order documents, reports or bulletins through the system or change the "on call" order for sales leads, service calls or other categories. If "Full Menu" is "Y" for yes then all FaxBack menu options, including order subscriber data sheet and alarm history, order employee logs, order bulletins, and change on call order, are available. The ability to add, change and delete pin codes is available only to employee number zero. Employee number zero always has "Full Menu" set to yes.

If "Full Menu" is set to "N" for no then the employee will have internet access for the purpose of placing accounts on test and obtaining alarm signal history but will not be able to look up accounts by name or display subscriber data. When "Full Menu" is set to "N" for no, a central station operator or supervisor may not accept instructions or fulfill requests for information from that employee if it appears the employee is exceeding his or her authority in making the request or giving the instruction.

For web access using Citrix there are several authorization options that can be enabled or disabled per employee.
Main menu options F2 (edit subscriber account), F3 (display dealer account) and F4 (edit dealer account) may be turned on or off per employee. It is recommended that F4 be turned off for all but the most trusted employees because access to all pin codes and passwords can be obtained there.

An option labeled "PR" can be set to "N" for no to prevent an individual employee from printing reports that contain significant subscriber data. An alarm history report can be printed regardless of this setting.

By default all logins will be restricted to the dealer's business hours. An option labeled "AH" (after hours) will permit an employee's access via Citrix at any time. If you choose to restrict an employee's access to business hours then you should turn off access to F4 (edit dealer) too. Otherwise the employee can change the "AH" option to "Y" or extend the business hours. It is important for each dealer who relies on the business hours schedule to update it whenever the office will be closed for a holiday and to restore the schedule after the holiday has passed.

-----------------------------
Termination Practices

When a field employee, such as a service technician or installer who does not have access to the office computer and who has never been granted Citrix access, is terminated it is generally sufficient to delete that employee's FaxBack pin code. It is a good practice to edit the call list to delete the employee's phone numbers and enter "no longer employed" after his name. This entry can be deleted after some time has passed. Please make sure the terminated employee is not still on call for service or other categories.

When an office employee who never had Citrix F4 access (or access to equivalent information on office printouts or files) is terminated it is generally sufficient to delete that employee's Citrix login password and, if any, FaxBack pin code.
If the employee knew or, by reason of familiarity with the computer system, could have known the web services password then that too must be changed.

When an office employee with Citrix F4 access is terminated it is necessary to change all of the pins and logins for all employees of the company and to change the password used for web services, if one is in use. If there is reason to suspect the employee could try to obtain information from the central station then you must also contact a central station supervisor so that we can put all personnel on notice.

It is important for dealers to keep track of any authorizations made to Central One regarding account access and to cancel that access when it is no longer appropriate. Dealers occasionally grant access to "friendly competitors" who help them with installation and service and to account financing companies who fund RMR contracts and use Central One web services for account status and verification. Web services can also be used to supply third party billing companies with access to information that aids in the collection of RMR.
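The following is an added example, not code from the bulletin or from Central One, covering both the Authorization section (the "Full Menu", F2/F3/F4, "PR", "AH" and business-hours options) and the Termination Practices section above. It models an employee's access profile, decides whether a FaxBack/internet or Citrix request is permitted, flags the configuration the bulletin warns against (hours-restricted employee who still has F4 and can therefore change "AH" or the schedule), and produces the list of credentials and records to change when that employee leaves. The `Employee` class, the action names, and the 08:00 to 17:00 business-hours schedule are all assumptions constructed for the example.

```python
from dataclasses import dataclass


@dataclass
class Employee:
    number: int                      # employee number; zero administers pin codes
    pin: bool = False                # holds a pin code (verbal, mobile web, FaxBack)
    citrix: bool = False             # holds a Citrix login password
    full_menu: bool = False          # "Full Menu (Y/N)?" for FaxBack and internet access
    f2: bool = False                 # Citrix: edit subscriber account
    f3: bool = False                 # Citrix: display dealer account
    f4: bool = False                 # Citrix: edit dealer account (shows all pins/passwords)
    pr: bool = True                  # Citrix: may print reports with subscriber data
    ah: bool = False                 # Citrix: after-hours access permitted
    knew_ws_password: bool = False   # knew, or could have learned, the web services password


# Constructed sample schedule: the office is open from 08:00 until 17:00.
BUSINESS_HOURS = (8, 17)

# FaxBack / internet actions (assumed names) mapped to whether "Full Menu" = Y is needed.
FAXBACK_ACTIONS = {
    "place_on_test": False,
    "locate_employee": False,
    "alarm_history": False,
    "order_data_sheet": True,
    "order_employee_logs": True,
    "order_bulletins": True,
    "change_on_call": True,
    "lookup_by_name": True,
    "display_subscriber_data": True,
}


def faxback_allowed(emp, action):
    """Authorization for a FaxBack / mobile web request made with a pin code."""
    if not emp.pin:
        return False
    if action == "manage_pins":                  # add, change, delete pin codes
        return emp.number == 0
    full = emp.full_menu or emp.number == 0      # employee zero always has Full Menu
    return full or not FAXBACK_ACTIONS[action]


def citrix_allowed(emp, action, hour):
    """Authorization for a Citrix request at the given hour of the day (0-23)."""
    if not emp.citrix:
        return False
    in_hours = BUSINESS_HOURS[0] <= hour < BUSINESS_HOURS[1]
    if not (in_hours or emp.ah):                 # default: business hours only
        return False
    if action == "print_alarm_history":          # printable regardless of PR
        return True
    if action == "print_report":
        return emp.pr
    return {"f2": emp.f2, "f3": emp.f3, "f4": emp.f4}[action]


def profile_warnings(emp):
    """Option combinations the bulletin recommends against."""
    warnings = []
    if emp.citrix and emp.f4:
        warnings.append("F4 exposes all pin codes and passwords; limit to the most trusted employees")
        if not emp.ah:
            # The hours restriction is not enforceable while the employee can edit the dealer account.
            warnings.append("hours-restricted employee has F4 and can set AH=Y or extend business hours")
    return warnings


def termination_actions(emp, suspect_misuse=False):
    """Credentials and records to change when this employee is terminated."""
    actions = []
    if emp.pin:
        actions.append("delete FaxBack pin code")
    if emp.citrix:
        actions.append("delete Citrix login password")
    if emp.citrix and emp.f4:
        # F4 gave sight of every pin and password, so all of them must be replaced.
        actions.append("change all pins and logins for all employees")
        actions.append("change web services password (if in use)")
    elif emp.knew_ws_password:
        actions.append("change web services password")
    actions.append("remove from call list and on-call rotations; mark 'no longer employed'")
    if suspect_misuse:
        actions.append("notify a central station supervisor")
    return actions


if __name__ == "__main__":
    office = Employee(number=7, pin=True, citrix=True, f2=True, f4=True)
    print("F2 at 09:00:", citrix_allowed(office, "f2", 9), " F2 at 20:00:", citrix_allowed(office, "f2", 20))
    for w in profile_warnings(office):
        print("warning:", w)
    for step in termination_actions(office, suspect_misuse=True):
        print("on termination:", step)
```

Running `profile_warnings` over every employee record before relying on the business-hours schedule is the practical use: the bulletin's advice to turn off F4 for hours-restricted employees becomes a check rather than something each dealer has to remember.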