CSE4884 Network Design and Management
Lecturer: Dr Carlo Kopp, MIEEE, MAIAA, PEng
Lecture 21-22
Network Security vs Information Conflict; Managing Security in Networks

© 2006, Monash University, Australia

Reference Sources

NOTE: Information Conflict is a new discipline and good resources are limited.

Prof Dorothy Denning (formerly Georgetown), COSC 511 Information Warfare: Terrorism, Crime, and National Security, http://www.cs.georgetown.edu/~denning/cosc511/fall02/index.html and http://devost.typepad.com/cosc511/

CSE 468 - Information Conflict, http://www.csse.monash.edu.au/courseware/cse468/subject-info.html

What is Information Conflict? Why Does it Matter?

Information Conflict (IC or IW) is a biological phenomenon and has existed for as long as life has existed [Kopp-Mills].

Information Conflict involves the use of information to gain a competitive advantage in a survival game [Kopp-Mills].

Information Conflict has been used by governments, non-state organisations and commercial entities for millennia, but has only been formally recognised as a discipline since 1995.

The ability to very rapidly and cheaply transfer or distribute large volumes of information – a feature of the digital era – has increased the importance of Information Conflict.

Managers must be cognisant of the potential risks which may arise from IW techniques being used by third parties – against public and private entities, and individuals.

A systematic information attack by a third party can cripple any organisation which is dependent on a digital infrastructure.

Large scale use of wireless equipment with poor security increases risks of IW attacks and site penetration.

Taxonomy of IW Categories

Class I IW - Compromising Personal or Corporate Privacy is the lowest grade of IW, and occurs when a personal account is compromised and confidential information accessed, such as private email being read, or phone calls charged to a third party's account.

Class II IW - Industrial and Economic Espionage is the next step up, in which government or corporate computers are hacked into and information covertly stolen.

Class III IW - Info-Terrorism and Denial of Services. The intentional trashing of another party's computer or network, or denial of service via other means is usually described as info-terrorism. Whether the offending party is a malicious hacker, a criminal extortionist, a genuine terrorist, or a foreign government seeking to take down a system or systems, the end result falls into the same category.

Military IW - The use of all of the above combined with other military techniques in order to disrupt an opponent's military operations, government activity and economy qualifies as military IW. Military IW is the most destructive category, as it involves both soft and hard kill techniques.

Denial of Service Attacks

Denial of service attacks are an offensive technique intended to cripple an organisation by preventing it from using its digital systems.

Denial of Service attacks are increasingly common especially involving attacks on websites, and large scale attacks on networked systems using viruses and worms.

Where an organisation depends on its digital infrastructure such attacks can produce significant material losses.

Recently documented Denial of Service attacks have been associated with nation state conflicts, and political, religious or ideological disputes.

Many attacks are performed by malicious individuals for personal gratification. This is especially true of virus/worm attacks, which are performed for no material gain but cost hundreds of millions in lost productivity and repair time.

Offensive vs Defensive IW

In any IW engagement there is an offensive player or attacker, and a defensive player or defender.

Strategic planners and managers will typically play the defender’s game. Their role is to ensure that the organisation’s infrastructure can resist IW attacks – starting with Class I, and then Class II and III IW. Class IV (military) IW attacks are usually the responsibility of governments.

Given the diversity of ways in which IW attacks can be mounted, concentrating on established perimeter security techniques alone is not enough – these protect against hackers and physical Denial of Service attacks, but not against viruses and worms or the other forms of attack covered in these notes.

If a network depends on websites for billing, notifications and support, losing that website even temporarily could inflict significant monetary losses.

Resistance to IW attacks must be planned for from the outset when developing and planning infrastructure. Attempting to add defensive measures to production systems can be very expensive.

Practitioners of IW Technique

Malicious hackers and worm/virus writers inflict damage for amusement or peer group approval. They can attack globally.

Hackers, Phrackers and Whackers may steal bandwidth by penetrating networks or manipulating accounts.

Criminals may hack to acquire information, such as credit card numbers or confidential information, or threaten DoS attacks to extort money from a victim organisation such as a bank or telco.

Industrial and commercial espionage may be performed to steal proprietary information such as manufacturing techniques for financial gain.

Espionage against government departments, esp police and military, may be performed to gain access to national secrets, operational or technical. Foreign governments or contracted hackers may be involved.

[Info-]Terrorists may perform DoS attacks to promote their cause by inflicting economic or political damage. A car bomb deployed against a stock exchange, national bank, media site or central telephone exchange qualifies as an IW attack.

Moore’s Law, Bandwidth Law vs IW

Moore’s Law predicts monotonic growth in computing power over time; the Bandwidth Law predicts monotonic growth in network bandwidth over time. Both laws are well validated empirically [Kopp].

Rapid growth and commodification of hardware and software have dual effects on IW:

The cost of computer systems and tools capable of use for IW declines and these become more available, globally.

The cost of defensive measures and encryption technology declines over time, making defensive measures more affordable.

It is necessary to look at IW as an evolutionary game – as better defensive measures are created, better offensive measures evolve to overcome these.

Strategic planning and budgeting must allow for evolutionary growth in defensive measures to account for increasing capabilities for IW over time.

Senior management in many organisations may not appreciate these issues and will need to be educated.

Privacy and Copyright Considerations

Individual privacy and corporate client privacy are important considerations. Legislation exists in most developed nations – including Australia – intended to protect privacy.

Many types of IW attack violate privacy and the onus is upon the carrier or provider to protect against such attacks. Failure to provide proper protection could see a carrier or provider criminally and commercially liable for damages.

Privacy becomes critical where financial transactions, medical records and private correspondence are involved.

If a hacker steals such information, he/she may never be caught. The damaged party could launch legal action against the provider or carrier on the basis of inadequate protective measures being implemented, or file charges with a law enforcement agency.

In some nations privacy violation is automatically considered a criminal offense and carriers or providers are held responsible.

Copyright violations are a special case since the material is available to the public, but its distribution is controlled. Such violations have become a major political and commercial issue globally, especially in the entertainment industry.

Copyright and Intellectual Property

Illegal or unauthorised reproduction of digital materials is a major problem.

With cheaply available networking, hard disk, CD-R and DVD burner technology, almost any materials can be reproduced, often in bulk quantities, for little material expense.

This has led to the growth of illegal ‘pirate’ industries which steal and market digital materials, especially software products, and entertainment products such as cinema, music and publications. The result is significant losses to the owners of the intellectual property in the products.

Weak legislation in some nations allows these to become ‘havens’ for such industries.

It is important that organisations carefully assess the origins of any digital materials used internally to ensure that these are not pirate copies.

A good example would be software tools used within an organisation. Using pirated copies or unwittingly distributing such materials opens the organisation to civil litigation over copyright violation or criminal charges.

SPAM

SPAM is unauthorised and unsolicited distribution of marketing materials via email, in bulk quantities. Spammers violate the privacy of spam recipients.

Spammers will market everything from pornography, discount pharmaceuticals, junk stocks, dubious home loans, consumer products, to pirated software and CD/DVD.

Spam is also used to distribute propaganda on behalf of political and religious movements.

Modern spamming tools draw on digital archives of victim addresses (usually harvested from the web and traded on CD-ROM), and usually forge the sender address by substituting the address of another victim.

Spam is not illegal in most nations since legislation was injudiciously adopted which does not require prior consent by the recipient when being spammed.

It is likely that anti-spam legislation will be adopted in the developed world over coming years since spam often accounts for a significant fraction of bandwidth used causing economic losses globally.

Privacy on the Web

The internet creates many opportunities for privacy violations.

Many websites use the cookie mechanism to retain state information and identity information. Cookies allow the web server to recognise systems accessing a site. In turn this information can be stored to produce profiles of visitor accesses on a site, and thus infer visitor interests or agendas.

Such information can be used to support marketing activities directed at visitors. An example is a website which uses such statistics to adaptively present advertising material to visitors.

Most web servers collect access statistics which allow operators to track which visitors are making what accesses and when. While this can be used for legitimate purposes, it also allows profiles of specific visitors to be produced.

Cookies and server statistics are usually gathered silently and visitors are unaware of their existence or possible/actual uses.

Website owners often compromise their own privacy by putting materials on websites which are not intended for distribution, but forgetting to disable read access.

Online directories now allow gathering of significant materials on individuals such as addresses, phone numbers, email addresses and other details. While most users are legitimate, criminals and terrorists also have access.

Espionage and Intelligence Gathering

Espionage and intelligence gathering – the second oldest profession – has a long history. The advent of digital communications has made some aspects of this craft easier, and some more difficult.

Practitioners may be acting on behalf of governments – illegally or as part of law enforcement – political movements and parties, religious movements, commercial organisations or individuals.

Most espionage or intelligence gathering amounts to covert collection of information or materials without the consent or knowledge of the victim.

This can be performed by acoustic eavesdropping, visual/video surveillance, electronic eavesdropping of analogue or digital channels (SIGINT), hacking into computers (CyberWAR), breaking into offices, filing cabinets or safes (HUMINT), or by unauthorised reproduction of accessible materials (HUMINT).

While most intelligence gathering and espionage is performed by governments against other governments, industrial espionage is also common. The latter is of interest to managers since it can result in significant losses. Target information can vary from technical data on products or processes, to marketing plans, costing information and tender proposal documents.

Surveillance Techniques

Surveillance can be performed using acoustic (microphone ‘bugs’ or phone tap), visual (film or video camera) or electronic (radio/mobile phone/wireless network) intercepts.

In most nations surveillance is only lawful if performed by a law enforcement or intelligence agency ie government entities.

Commercial operators are usually permitted to use video surveillance of publicly accessible areas ie banks, ATMs, carparks, foyers etc.

A large-scale example of such surveillance is the CCTV network in London, used to apprehend suspects after the 2005 attempts to bomb public transport.

Law enforcement agencies rely heavily on acoustic and visual surveillance to gather intelligence or evidence.

Managers need to be aware of the potential for unlawful surveillance and plan infrastructure to make it difficult to perform.

Counter-surveillance technologies may be illegal in some nations – for instance voice scramblers for telephone links.

SIGINT/COMINT – Signals/Communications Intelligence

The interception of radio signals and communications has been practised since the advent of wireless communications. It is mostly practised by the military and law enforcement due to the cost of the complex equipment required.

The advent of cheap radio ‘scanners’ has opened up opportunities for individuals and organisations to intercept unencrypted or unscrambled wireless voice traffic.

Intercepts may be targeted, ie a single individual or site is monitored on a specific channel, or they may be performed en masse by recording swaths of the radio spectrum for later semi-automated or manual analysis by human operators.

Wireless channels without strong encryption must therefore be considered insecure and should never be used to transmit sensitive information – whether sensitive from a privacy perspective, a commercial perspective, or because government traffic is involved. GSM mobile phones, whose air-interface encryption has known weaknesses, are a good example.

Network Sniffers

Network sniffers are a vital tool for legitimate traffic analysis and network maintenance tasks. They can also be used to perform lawful and unlawful surveillance and monitoring of specific users or sites on a network.

A sniffer is a software/hardware device which collects and decodes network packets, and can often reassemble traffic flows.

Network protocols with weak or absent encryption will allow the user of a sniffer to collect accounts/password information, email traffic, file transfers and web traffic.

Sniffers with wireless network interfaces allow penetration of wireless networks without having physical access to a network port or cable.

Network planning needs to account for unlawful surveillance by users of sniffer equipment. Active network ports in publicly accessible areas are not acceptable, and wireless channels must use the strongest available encryption techniques.

‘Insider attacks’ by staff using sniffer software on internal systems are a real possibility. Superuser access on computers should be carefully controlled.
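
As an added example (not code from the lecture notes), the following Python decoder shows what a sniffer actually does with the frames it collects: it parses Ethernet/IPv4/TCP headers and pulls logins out of the protocols that still run in cleartext. The frames are constructed in the script itself (build_frame) so it runs offline; the port-to-protocol table and the credential patterns are assumptions covering FTP, telnet, HTTP Basic authentication, POP3 and IMAP. The same decode applied to the TLS frame in the sample yields nothing, which is the whole argument for strong encryption on any channel a sniffer can reach.

```python
"""Sniffer-style decoder for cleartext credentials.

Added example; not code from the original lecture notes.  The Ethernet/IPv4/TCP
frames are constructed in-code (build_frame) so the example runs offline; on a
real network the same decode would be fed by a raw socket or a pcap file.
The port-to-protocol table and credential patterns are assumptions covering
the common cleartext protocols (FTP, telnet, HTTP Basic auth, POP3, IMAP)."""
import base64
import struct
from typing import Dict, List, Optional

CLEARTEXT_PORTS = {21: "ftp", 23: "telnet", 80: "http", 110: "pop3", 143: "imap"}


def parse_frame(frame: bytes) -> Optional[Dict]:
    """Decode Ethernet II -> IPv4 -> TCP and return addresses, ports and payload.
    Returns None for anything that is not IPv4/TCP (the sniffer skips it)."""
    if len(frame) < 14 or struct.unpack("!H", frame[12:14])[0] != 0x0800:
        return None                                   # not IPv4
    ip = frame[14:]
    if len(ip) < 20:
        return None
    ver_ihl, _tos, total_len, _id, _frag, _ttl, proto, _csum, src, dst = \
        struct.unpack("!BBHHHBBH4s4s", ip[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or proto != 6 or total_len > len(ip):
        return None                                   # not IPv4 / not TCP / truncated
    tcp = ip[ihl:total_len]
    if len(tcp) < 20:
        return None
    sport, dport, _seq, _ack, off_flags = struct.unpack("!HHIIH", tcp[:14])
    data_off = (off_flags >> 12) * 4                  # TCP header length in bytes
    return {"src": ".".join(map(str, src)), "dst": ".".join(map(str, dst)),
            "sport": sport, "dport": dport, "payload": tcp[data_off:]}


def extract_credentials(pkt: Dict) -> List[str]:
    """Pull credentials out of a decoded packet if the destination port is a
    cleartext protocol.  Encrypted or unknown protocols yield nothing."""
    proto = CLEARTEXT_PORTS.get(pkt["dport"])
    if proto is None:
        return []
    text = pkt["payload"].decode("ascii", errors="replace")
    where = f"{proto} {pkt['src']}->{pkt['dst']}"
    findings = []
    for line in text.splitlines():
        upper = line.upper()
        if upper.startswith(("USER ", "PASS ")):      # FTP, POP3, telnet-style logins
            findings.append(f"{where}: {line}")
        elif upper.startswith("AUTHORIZATION: BASIC "):  # HTTP Basic: base64(user:pass)
            creds = base64.b64decode(line.split(" ", 2)[2]).decode("ascii", "replace")
            findings.append(f"{where}: basic-auth {creds}")
    return findings


def build_frame(src: str, dst: str, sport: int, dport: int, payload: bytes) -> bytes:
    """Constructed sample traffic.  Checksums are left zero; the decoder never
    checks them, just as a passive sniffer has no need to."""
    tcp = struct.pack("!HHIIHHHH", sport, dport, 1, 1, (5 << 12) | 0x18, 8192, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     bytes(int(o) for o in src.split(".")),
                     bytes(int(o) for o in dst.split(".")))
    return b"\x00" * 12 + b"\x08\x00" + ip + tcp


# Constructed capture: an FTP login, an HTTP Basic-auth request and a TLS record.
SAMPLE_FRAMES = [
    build_frame("10.0.0.5", "10.0.0.9", 40001, 21, b"USER alice\r\nPASS s3cret!\r\n"),
    build_frame("10.0.0.5", "10.0.0.7", 40002, 80,
                b"GET /admin HTTP/1.0\r\nAuthorization: Basic Ym9iOmh1bnRlcjI=\r\n\r\n"),
    build_frame("10.0.0.5", "10.0.0.9", 40003, 443, b"\x16\x03\x01\x00\x2a\x01\x00\x00\x26"),
]


def sniff(frames: List[bytes]) -> List[str]:
    """Run the decoder over a list of raw frames and collect credential findings."""
    findings: List[str] = []
    for frame in frames:
        pkt = parse_frame(frame)
        if pkt is not None:
            findings.extend(extract_credentials(pkt))
    return findings


if __name__ == "__main__":
    for hit in sniff(SAMPLE_FRAMES):
        print(hit)
```

Fed from a raw socket or a pcap file instead of SAMPLE_FRAMES this is a working credential harvester, which is exactly why active ports in public areas, and unrestricted superuser access on any host whose interface can be put into promiscuous mode, are not acceptable.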

Van Eck Radiation

Van Eck radiation is defined as Unintended Emissions (UE) in the radio-frequency bands.

Computer monitors and, to a lesser extent, keyboards or poorly impedance-matched network cables will radiate signals as a result of the digital or analogue modulations they are carrying.

Specialised receivers can be used to collect UE – the typical example cited is equipment which can reconstruct what is being displayed on a computer monitor from outside the building housing the computer.

UE surveillance and intelligence gathering is expensive and usually limited to governments and law enforcement.

The US NACSIM 5000 Tempest series of standards defines design specifications and techniques for computer equipment to prevent the emission of Van Eck radiation.

Managers in government organisations need to understand the risks arising from UE and ensure that computer equipment used for classified or highly sensitive material is suitable for such use.

Electrical Denial of Service Attacks

The dependency of computer and digital communications equipment upon electrical power feeds and electrical data cables makes it vulnerable to electrical denial of service attacks.

Such attacks aim to inject high voltage or radio frequency signals into mains power or data cables to cause electrical damage or computer crashes and loss of service.

Example A: a Taser device with a cable harness and connector allowing it to inject high voltage into a local area network via a wall socket can destroy network adaptors in dozens of computers.

Example B: a shortwave radio transmitter connected to mains voltage power can destroy power supplies in computer or communications equipment.

The best defence is to deny access to electrical power and data cables, to ensure an attacker cannot connect his equipment.

Proving such an attack can be difficult.

Radio Frequency Denial of Service Attacks

Jamming of radio frequency communications channels has been practised for almost a century, usually in wartime. During the Cold War the Soviets continuously jammed Western radio broadcasts.

Jamming involves transmitting a signal which interferes with the modulation of the victim signal, degrading its intelligibility at the receiver. A wide range of jamming techniques exist against all known modulation types.

Designers of military communications equipment plan from the outset to deal with jamming. This is generally not true of commercial equipment which usually has very poor jam resistance.

Jamming equipment to disrupt mobile phones (GSM, CDMA etc) is now widely available and is built to prevent terrorists from using mobile phones to set off bombs remotely.

Wireless 802.11 networks are highly susceptible to jamming because the short (11-chip) Barker code spreading used by 802.11 DSSS provides little processing gain against an interfering signal.

Denial of Service attacks against mobile phones or wireless networks can be effected quite cheaply using ‘throwaway’ expendable jammers and can be very difficult to prove.

Radio Frequency Weapons – Denial of Service

Denial of service can also be effected by radio frequency (RF) weapons which emit enough RF power to damage or disrupt the function of computing and communications equipment.

RF radiation can couple into mains and data cabling, or cooling apertures on equipment, causing equipment to crash or fail permanently with electrical damage.

HERF guns are portable devices which emit pulsed or continuous wave RF radiation.

Tesla coils can be used to emit high voltage RF fields with similar effects to HERF guns. A hidden battery powered Tesla coil can cripple equipment inside buildings for as long as the battery lasts.

Electromagnetic bombs (E-bombs) can produce damage over areas the size of city blocks, or greater. E-bombs remain in development for military applications.

Radio frequency weapons were claimed to have been used during the 1990s for criminal extortion against at least one bank. To date there are no confirmed reports of E-bombs being used in combat operations, despite ongoing speculation.

The best defensive measure is electromagnetic hardening of computer and communications equipment – the electrical equivalent of armour plating.

Perception Management and Propaganda

Perception management and propaganda are used to change the perceptions or views of a target or victim population. This can be done to advance a political, religious, commercial or other agenda.

Historically these techniques were most extensively developed and used by Nazi Germany and later the Soviet Union, but have since become widely adopted by governments and commercial operators to market their agendas.

These techniques most frequently involve manipulating information presented to an audience to conceal key issues and emphasise intended agendas. The aim is always to present a reality different from that perceived previously by the target audience.

Open lies are usually used less frequently than half-truths as the latter are more difficult to disprove. Audience literacy and prior knowledge can often frustrate even sophisticated or intensive attacks.

Commercial advertising and marketing materials are frequently deceptive and aim to seduce victims to increase product sales. Managers need to be alert when assessing marketing materials.

Psychological Warfare (Psywar) Techniques

Psywar is used most frequently in wartime (radio/leaflets), but is often seen in commercial or political mass media advertising.

Psywar techniques aim to amplify existing anxieties in a target/victim population to disrupt their behaviour, and disrupt the cohesion of an organisation or group.

A prerequisite for successful ‘Psyops’ is that the target or victim population has an existing anxiety or prejudice over some issue.

Statements or claims which reinforce such anxieties or prejudices will produce distress or anger in the victim population.

Examples are political advertising emphasising issues like job losses or interest rate increases, or commercial advertising pointing out bugs or vulnerabilities in computer products. Commercial foodstuff advertising alleging weight gains, cancer or heart disease also qualifies as Psywar.

The internet and mass media are the preferred channels for Psywar attacks.

Most nations have inadequate legislation regulating this area.

Censorship

Censorship is a mechanism used to control access to information. It typically involves denying access or punitive criminal legislation intended to deter distribution.

In developed nations censorship is mostly directed at entertainment products with explicit or violent content. In wartime censorship is used to deny an opponent knowledge of sensitive developments. Many nations apply political censorship to control public and political debate. Internet censorship exists in some nations to deny access to a wide range of materials not deemed suitable for public access.

Censorship is a double edged sword, since it can increase the attractiveness of the censored material to a potential audience.

Censorship remains a controversial issue in Western democracies since the criteria used to determine exclusion are often difficult to achieve consensus on.

Managers operating in a global market or across national boundaries need to be sensitive to censorship legislation since criminal law is often used to enforce it.

Hacking, Cybercrime, Cyberwar (HCC)

Hacking is the term used to describe unauthorised access to computer systems. The term originally described skilled, exploratory programmers (including those who worked on operating system kernels), but the media and entertainment industries popularised the currently accepted use of the term.

Cybercrime is the use of ‘hacking’ techniques to commit criminal offences, usually theft of money or intellectual property.

Cyberwar is the use of ‘hacking’ techniques to perform denial of service attacks or intelligence gathering for political or military purposes.

HCC relies on poor password security and security ‘holes’ in computer operating systems and the applications running on them.

Phracking (Phone Hacking, more commonly called phreaking) is hacking into telephone networks, mostly to steal bandwidth, i.e. to make calls at someone else’s expense.

Whacking (Wireless Hacking) is hacking into wireless networks mostly to steal bandwidth.

Hacking remains a controversial issue. In most developed nations it is a criminal offence, frequently punished by long jail terms.

Techniques for Gaining Unauthorised Access

A wide range of techniques exist for ‘hacking’ into computer systems.

Passwords may be stolen by sniffing, or by entering offices and reading paper notes. Passwords may also be guessed using automated tools (‘robots’), or ‘purchased’ from unethical staff members. Unsecured terminals left logged in may be exploited.

Trojan horse or backdoor entry code may be inserted into systems where a hacker has access to the original source code.

Sophisticated attackers may perform identity spoofing by forging packets that carry a trusted host’s source address, or by replacing real network packets in a session with substitutes.

Security holes in some network applications may permit remote entry by driving the application with messages known to expose the vulnerability.

Software tools developed for security testing of networks can also be used to expose security holes for unauthorised entry.

Robust firewalling and system security audits are essential to protect against unauthorised site entries.
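
Password guessing by ‘robots’ leaves a distinctive trace in authentication logs, and the security audit mentioned above is far more useful when that trace is checked automatically. The Python below is an added example, not from the lecture notes: it parses sshd-style log lines (constructed here, in the format OpenSSH writes to syslog) and flags a source address that fails repeatedly inside a short window, escalating the verdict if a success follows the burst. The year (syslog omits it), the failure threshold and the window are assumptions to tune per site.

```python
"""Detecting automated password guessing from authentication logs.

Added example; not from the lecture notes.  The log lines are constructed in
the style of OpenSSH's syslog messages.  The year (syslog omits it), the
failure threshold and the window are assumptions to be tuned per site."""
import re
from collections import defaultdict
from datetime import datetime
from typing import Dict, List, Set, Tuple

LOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[\d.]+) port \d+ ssh2$")
ASSUMED_YEAR = 2006

# Constructed sample: one source hammering several accounts and finally getting in,
# and one legitimate user who mistyped a password once.
SAMPLE_LOG = """\
Mar  3 10:00:01 gw sshd[2201]: Failed password for invalid user admin from 203.0.113.7 port 51234 ssh2
Mar  3 10:00:03 gw sshd[2201]: Failed password for invalid user admin from 203.0.113.7 port 51235 ssh2
Mar  3 10:00:04 gw sshd[2203]: Failed password for root from 203.0.113.7 port 51236 ssh2
Mar  3 10:00:06 gw sshd[2204]: Failed password for invalid user test from 203.0.113.7 port 51237 ssh2
Mar  3 10:00:07 gw sshd[2205]: Failed password for root from 203.0.113.7 port 51238 ssh2
Mar  3 10:00:09 gw sshd[2206]: Failed password for oracle from 203.0.113.7 port 51239 ssh2
Mar  3 10:00:11 gw sshd[2207]: Accepted password for oracle from 203.0.113.7 port 51240 ssh2
Mar  3 10:03:00 gw sshd[2301]: Failed password for carol from 192.0.2.10 port 40001 ssh2
Mar  3 10:03:30 gw sshd[2302]: Accepted password for carol from 192.0.2.10 port 40002 ssh2
"""

Event = Tuple[datetime, str, str, bool]   # (time, source ip, user, success?)


def parse_log(text: str) -> List[Event]:
    """Turn sshd password-auth lines into events; unrelated lines are ignored."""
    events: List[Event] = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            ts = datetime.strptime(f"{ASSUMED_YEAR} {m['ts']}", "%Y %b %d %H:%M:%S")
            events.append((ts, m["ip"], m["user"], m["result"] == "Accepted"))
    return events


def detect_guessing(events: List[Event], threshold: int = 5,
                    window_s: int = 60) -> Dict[str, Dict]:
    """Sliding-window failure counter per source address.

    A source with >= threshold failures inside window_s seconds is flagged
    'guessing'; if a success then follows while the window is still hot the
    verdict becomes 'guessing-then-success', the case that needs incident
    response rather than just a firewall rule.  'users' counts the distinct
    accounts tried, a high number indicating a spray across accounts."""
    events = sorted(events, key=lambda e: e[0])       # logs may arrive out of order
    recent: Dict[str, List[datetime]] = defaultdict(list)
    users: Dict[str, Set[str]] = defaultdict(set)
    verdicts: Dict[str, Dict] = {}
    for ts, ip, user, success in events:
        recent[ip] = [t for t in recent[ip] if (ts - t).total_seconds() <= window_s]
        if success:
            if len(recent[ip]) >= threshold:
                verdicts[ip] = {"verdict": "guessing-then-success", "users": len(users[ip])}
            continue
        recent[ip].append(ts)
        users[ip].add(user)
        if len(recent[ip]) >= threshold and ip not in verdicts:
            verdicts[ip] = {"verdict": "guessing", "users": len(users[ip])}
        elif ip in verdicts:
            verdicts[ip]["users"] = len(users[ip])
    return verdicts


if __name__ == "__main__":
    for ip, v in detect_guessing(parse_log(SAMPLE_LOG)).items():
        print(ip, v)
```

On the sample this reports 203.0.113.7 as guessing-then-success across four account names and stays silent about 192.0.2.10, whose single failure is normal user behaviour; the threshold keeps the false-positive rate down, and the escalation on success is what distinguishes a nuisance from a compromised account.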

Viruses and Worms

Viruses are malicious programs which embed themselves in file systems, operating systems or applications, and propagate themselves via removable storage media or networks to other systems.

Viruses may be benign or destructive in effect, and can be used to compromise security by propagating password files or email address lists.

Worms are malicious programs which replicate themselves autonomously across a network, exploiting vulnerabilities or weak credentials on each new host; in the process they frequently consume system and network resources to the point where systems become unusable.

Highly integrated mailer and word processor programs are the most common targets of viruses and worms, since their macro and scripting features permit easy entry and propagation between systems. Some proprietary desktop systems are considered far more vulnerable than Linux, BSD and commercial Unix systems.

Managers and strategic planners need to be sensitive to risks which may arise from using some commodity software products known to be susceptible to such attacks.

Identity Theft and Fraud

Identity theft is an increasing problem in the computer and communications industry.

The simplest examples involve theft of mobile phones and credit cards for profit.

Spammers today mostly forge return and sender email addresses by using addresses of other spam victims held in digital archives.

Internet newsgroups have also seen identity thefts where hoaxers pretend to be actual or fictional persons. An example was a hoaxer on rec.aviation.military impersonating a retiree, who was actually bedridden in a nursing home suffering from severe stroke impairment.

Validation of subscriber identity for web accessible services can present genuine issues, especially where sites are used to effect financial transactions.

Bogus websites set up to visually emulate actual bank websites (‘phishing’) have been used to steal electronic banking passwords, in turn to fraudulently access accounts.
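
A bogus site of this kind almost always sits on a host name chosen to look like the real one. The Python below is an added example, not from the lecture notes, of the check a mail gateway or browser plug-in can apply to links: it folds look-alike characters, measures edit distance to a list of protected domains, and flags the real brand appearing inside an unrelated domain. The protected domain names are hypothetical and the confusable-character table is a small assumption rather than the full Unicode confusables list.

```python
"""Lookalike-domain check for phishing sites that imitate a bank's web address.

Added example; not from the lecture notes.  The protected domain names are
hypothetical, and the confusable-character table is a small assumption, not
the full Unicode confusables list."""
import unicodedata
from typing import List, Tuple

# Hypothetical domains the organisation wants protected.
LEGIT_DOMAINS: List[str] = ["examplebank.com", "examplebank.com.au"]

# Digits and letter pairs that read as other letters at a glance (assumed table).
DIGIT_LOOKALIKES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})
PAIR_LOOKALIKES = (("rn", "m"), ("vv", "w"))


def skeleton(domain: str) -> str:
    """Reduce a name to what the eye sees: fold case, map digit and letter-pair
    confusables, and drop anything non-ASCII left after NFKC normalisation."""
    s = unicodedata.normalize("NFKC", domain).lower()
    s = s.encode("ascii", "ignore").decode("ascii")
    for pair, single in PAIR_LOOKALIKES:
        s = s.replace(pair, single)
    return s.translate(DIGIT_LOOKALIKES)


def levenshtein(a: str, b: str) -> int:
    """Edit distance (insert/delete/substitute), standard two-row DP."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(domain: str) -> Tuple[str, str]:
    """Return (verdict, reason) for a host name seen in a link or certificate."""
    d = domain.strip().lower().rstrip(".")
    for legit in LEGIT_DOMAINS:
        if d == legit or d.endswith("." + legit):
            return ("legitimate", f"host under {legit}")
    if not d.isascii():
        return ("suspicious", "non-ASCII characters in host name (possible IDN homograph)")
    for legit in LEGIT_DOMAINS:
        brand = legit.split(".")[0]
        if brand in d:                      # e.g. examplebank.com.verify-account.net
            return ("suspicious", f"brand '{brand}' embedded in unrelated domain")
        dist = levenshtein(skeleton(d), skeleton(legit))
        if dist == 0:
            return ("suspicious", f"visually identical to {legit}")
        if dist <= 2:
            return ("suspicious", f"within edit distance {dist} of {legit}")
    return ("unknown", "no resemblance to protected domains")


# Constructed test cases: host names as they might appear in a phishing email.
SAMPLE_HOSTS = [
    "examplebank.com", "online.examplebank.com", "exarnplebank.com",
    "examplebank.com.verify-account.net", "exampelbank.com",
    "ex\u0430mplebank.com", "weather.example.org",
]

if __name__ == "__main__":
    for host in SAMPLE_HOSTS:
        print(f"{host:40s} {classify(host)}")
```

The ‘legitimate’ branch only fires for exact matches and true subdomains, so a brand name glued onto somebody else’s registrable domain is caught by the embedded-brand rule rather than waved through; the edit-distance cut-off of 2 is deliberately tight, since looser values start flagging unrelated short names.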

Advance-fee fraud (‘Nigerian scams’) involving impersonation is now of epidemic proportions in the spammer community.

Denial of Service Attacks vs Extortion

Denial of Service attacks can be used as a tool to extort money from victims.

Organisations which rely on uninterrupted computer operation to effect financial transactions, or which rely on web servers for client access, are the most common targets of such attacks.

The attacker will cause repeated service loss and then extort money by promising to cease attacks.

Cyber attacks - as the attacker may be located on another continent, in a nation with weak or absent cybercrime legislation, major problems arise with identifying the attacker, and with prosecuting the attacker.

Radio-frequency / electrical attacks – the attacker will be geographically local but may not leave a detectable signature or footprint permitting law enforcement to apprehend or prosecute.

Usually DoS extortionists prey on organisations with poor expertise levels in computer/network administration and security.

In general DoS attacks can be difficult to prove and prosecute.

Page 31: Law Enforcement Problems

• Law enforcement faces significant challenges when dealing with offenders in the Information Conflict domain.
• Jurisdictional boundaries may prevent prosecution of known offenders.
• Determining the identity of criminal offenders, or of military / political / revolutionary movement attackers, may be difficult or impossible with the available tools or expertise.
• Proving cybercrime may be difficult or impossible. Proving electrical or radio-frequency attacks may be even more difficult.
• Key problems remain with inadequate technical expertise and forensic skills in many law enforcement agencies, globally.
• Legislation for dealing with IW domain offences or attacks may be weak or inappropriately structured.
• Managers need to consider that in the event of an attack or penetration, law enforcement agencies may have little to offer in dealing with the problem.
• The best strategy is to plan systems so that they are inherently unattractive as targets for criminals or other attackers: most frequently, 'softer' targets will be attacked instead.

Page 32: Managing Network Security

• Given the wide range of possible threats to a network, and the potentially wide opportunities for such threats to be realised, security is a major issue in network management.
• Complacency is a major problem in network security: an organisation that assumes it is not a target leaves its vulnerabilities unaddressed, and an easy target attracts attackers.
• A network manager must therefore always consider security in defining a network design and configuration.
• Penetration of an unsecured network is not an 'if' question, it is a 'when' question.
• Network managers are usually held responsible when security breaches occur.

Page 33: Threat model (diagram)

Threats to identified assets (internal or external):
• Deliberate threat: Motivation AND Capability
• Non-deliberate threat: Error/Carelessness OR Acts of God/Accidents

A threat acting on a Vulnerability produces an impact on the asset.

Impacts if the threat eventuates (columns): Confidentiality & Privacy; Integrity & Modification; Availability; Damage & Destruction; Misuse & Abuse.

Asset types, with the impact columns marked (*) on the slide:
• Information: all five
• Physical assets: four of the five
• Intangibles: three of the five
• People: four of the five

Page 36: What is the greatest threat to security?

'The greatest threat to security is the belief that there is no threat.' (Justice Hope)

Page 37: Threats

• 'No threat' to an asset implies 'no security problem'.
• Some assets suffer from multiple concurrent threats, e.g. consider an executive's $4000 laptop computer. It could be:
  - stolen to be sold 'in the pub' (opportunistic theft; motivation $100 to $500)
  - stolen for specific software / hardware components (generically targeted, any similar laptop would do; motivation $500+)
  - stolen for commercial / industrial espionage ('Fortune 500' company executive's laptop: street value $US10,000; laptop specifically targeted: price on application, but up to $US100,000 or more)
  - lost (i.e. genuinely lost, or possibly stolen by an employee or an unknown party)
  - destroyed / damaged accidentally or deliberately (dropped, run over, burnt out by wrong voltage, damaged by water or chemicals, strong magnetic fields, electrostatic discharge etc.)

Page 38: Types of Threats

Threats may be:
• Deliberate (hostile intent), e.g. theft, damage, espionage, delaying information or action, criminal negligence or wilful carelessness
• Accidental (no hostile intent), e.g. errors and omissions, taking assets accidentally, thoughtlessness
• Coincidental or incidental to another act (non-intentional), e.g. physical damage incidental to graffiti, a strongbox damaged during a burglary, a confidentiality breach when stolen documents are dumped, a person injured incidental to an armed hold-up
• Acts of God, e.g. floods, wildfire, earthquake, building collapse, meteor strike

Page 39: Sources of Deliberate Threats

• People with 'insider' information and motivation: very knowledgeable about your organisation, and often with 'authorised' access
  - Disgruntled employee, contractor, security guard, maintainer
  - Careless employee etc.
  - Other insider (e.g. office comedian, office 'payback')
  - Ex-employee / contractor / guard / maintainer etc.
  - Possibly disgruntled customer or supplier
• Outsiders: strangers, but with motivation to succeed
  - Thief, vandal or hacker
  - Commercial espionage agent (e.g. on behalf of a competitor, or a subcontractor)
  - Issue-motivated groups (e.g. animal liberationists, greenies, ...)
  - Terrorists: groups and sympathisers
  - Foreign intelligence service agent (spy)
  - People with a mental illness or imbalance

Page 40: What is Their Capability?

Near-term capability ('know how', and the ability to perform) is available, for a price if necessary (but the price may exceed the motivation):
• High capability
  - Foreign intelligence service
  - Ex-employee (has knowledge of systems and procedures)
  - Big money interests (could buy high capability via an ex-employee)
• Medium capability
  - Hackers / crackers (have some general knowledge of your site)
  - General commercial interests (could buy capability via hackers)
• Low capability
  - Disgruntled customer (has minor knowledge, limited access, and motivation too low to buy a capability)

Page 41: Threat Capability Enhancement

• The Internet has many sites servicing 'capability enhancement':
  - some provide information, links to other sites etc.
  - some sell equipment, devices, tools, videos and education, usually by mail order
  - some sell consultant and other services / skills
• Search the Internet using keywords, e.g. 'lock picking', 'spy camera' (watch out for pornography with this one)
• Look at D.I.R.T at http://www.codexdatasystems.com/cdsnews.html

Page 42: Capability is more than Tools

• Be aware and concerned, but not frightened.
• Capability requires tools, knowledge of techniques and skills, AND knowledge of the target and its environment.
• The Internet sites address tools and knowledge of tools, but acquisition of a skill requires practice, and most people do not have the discipline to acquire skill.
• However, professional or highly motivated people can develop knowledge of the target (intelligence gathering) by collusion with staff etc., and can also develop the skills and techniques.

Page 43: Information Systems

Information systems provide:
• easy storage of information;
• easy access to information;
• easy analysis of information;
• easy modification of information; and
• easy communication of information.

These capabilities are just as easily used against an organisation as they are used to support it.

Page 44: Information Security

• Information is a strategic resource: a significant portion of the budget is spent managing IT; there are many types of information; all have security related problems:
  - confidentiality (secrecy, privacy): protect information value;
  - integrity: protect information accuracy;
  - availability: ensure information delivery when needed (often expressed as 'accessibility of information'); and
  - freedom from misuse and abuse.
• Some information also needs non-repudiation assurance; this may be considered a misuse issue.

Page 45: Threats to Information

• Loss of confidentiality or privacy
  - legal action, either criminal or civil
  - embarrassment and political pressures
  - loss of commercial advantage (e.g. trade secrets)
• Loss of integrity
  - inappropriate decision making
  - loss of accuracy and control
• Loss of availability / accessibility
  - loss of capability to do useful work
• Misuse and abuse of information
  - civil action or legal penalties, both expensive even if you win the case
  - loss of reputation
• All cause loss of confidence; the real impact is loss of business and profit.

Page 46: IT Threats that Eventuate

Various surveys give results of the order of:
• 55% human error, including carelessness
• 15% accidents and 'Acts of God'
• 30% deliberate action by people

Of the above:
• '55% human error': almost always employees / legitimate users are involved
• '15% accidents and Acts of God': half probably belong in the other 85% (human error or deliberate acts)
• '30% deliberate acts': 1/3 disgruntled employees / legitimate users; 1/3 dishonest employees / legitimate users; 1/3 outsider or unknown

Page 47: Countermeasures - Technical Trade Off Tree

(Triangle diagram with vertices Secure, Fast/Easy and Cheap, showing the trade-off between them.)

Page 48: Where are the countermeasures?

(The Page 33 threat / vulnerability / asset / impact diagram repeated, asking where in it countermeasures can be applied.)

Page 49: Locations of Countermeasures

(The Page 33 diagram again, annotated with red stars marking where each countermeasure type acts.)

Legend for red stars:
• A = Avoidance
• D = Detect manifestation
• R = Recover from manifestation
• RC = Reduce / limit Capability
• RI = Reduce Impact
• RM = Reduce Motivation
• RT = Reduce Threat
• RV = Reduce Vulnerability
• T = Transfer risk (insurance)

Each code is placed on the diagram against the element it names (RM against Motivation, RC against Capability, RV against Vulnerability, and so on).

Page 50: Countermeasures

• Countermeasures are selected to reduce or eliminate threats, or to reduce the impact if a threat eventuates.
• Typical countermeasures are:
  - strong buildings (e.g. doors, walls, floors, ceilings, locks on doors)
  - strong containers (filing cabinets, locked cash boxes, safes)
  - trusted personnel (e.g. 'Authorised Staff Only')
  - procedures (e.g. formal induction briefings, last person out locks doors)
• NOTE: 'security by obscurity' (e.g. hiding keys under the doormat, passwords and safe combinations written in the form of 'telephone numbers') is generally discredited as a countermeasure.

Page 51: Countermeasure Selection

• Countermeasures are not all equal: some are more effective than others against particular threats, some are more expensive, some are harder to use.
• Cost-effectiveness:
  - most cost-effective are those which avoid or reduce threats, e.g. education and training; deterrence can be cheap
  - least cost-effective is 'transfer risk', e.g. insurance, but sometimes it is all that is feasible
• Some countermeasures protect from multiple threats, and some threats require multiple countermeasures.
• Use a variety of countermeasure types and categories.

Page 52: Principles of Security Design

• Principle of Individual Accountability: each person carries responsibility for themselves, and for activities performed on their behalf with their authorisation.
• Principle of Least Privilege: the maximum privileges, rights or capabilities given to any entity are the minimum required to perform its legitimate activity. Also expressed as 'need-to-know' or 'need-to-access'.
• Principle of Defence-in-Depth: a series of overlapping security barriers, such that failure of a single barrier does not allow an immediate security breach.
• Principle of Defence-by-Diversity: the series of overlapping security barriers implement diverse mechanisms, so that many skills are required to defeat all barriers.
• Principle of Commonality of Approach: logically parallel barriers or techniques are implemented similarly, to minimise the range of potential vulnerabilities.

Page 53: Activities to Support Principles

The following activities are required to support the principles:
• Education and Training: individuals and groups are made aware of security issues, and of their role in achieving security.
• Configuration Control: system security is maintained through control of modifications to the systems.
• Monitoring and Auditing: compliance with the policies is verified, and trends are analysed so that corrective action may be initiated.

Page 54: Trusted Systems

• 'Trusted Systems' are required when a system performs critical functions. The more critical the function, the more trust required.
• Similar issues regarding trustworthiness apply to both safety-related and security-related systems.
• How far can we trust computer based systems?

Page 55: Trusted Systems?

Passengers on a plane at the departure gate were asked: 'Would you remain on this computer controlled aircraft knowing that your group had built the control systems?'

All said 'No way', except one woman. When queried she said: 'If my group had built the system, we would be quite safe, because this aircraft would not be able to leave the terminal!'

Page 56: Trusted Systems (3)

Need to consider the total system and environment:
• Physical facilities and environment: buildings and containment; essential services (water, electricity, drainage, etc.)
• Hardware trustworthiness
• Firmware trustworthiness
• Software trustworthiness
• Communications sub-system integrity and reliability
• Administration procedures, and personnel reliability and trustworthiness

Page 57: Security Trustworthy Systems

• Generally refers to 'computer systems' or 'IT', but in reality includes anything closely connected to the IT system.
• Some aspects are glossed over, particularly in lowly trusted systems, e.g. hardware, and the hardware components of firmware; facilities and containment; physical and electronic aspects of communications.
• The emphasis here is on trustworthy IT systems.

Page 58: Types of Secure IT Systems

• Dedicated: single task; all personnel are authorised to access all information. Security is totally external to the computing elements, hence the computer system need not be trusted.
• System-High: multiple tasks, with need-to-know differentiation between users; only minor problems if users see extraneous information. Minor security capability needed (assumes benign users).
• Multi-Level: some users are legally not permitted to access some information, e.g. classified data at levels higher than some users are allowed to access. Strong compartmentation is needed between any user and other users, and between users and the information being processed or stored. Proven strong security capability needed.

Page 59: Trusted Software

• Software implementation of security functionality. The software component of firmware is software.
• Software trustworthiness has long been an issue. Problems:
  - Appropriateness of the functional and performance specification: does the specification correctly address all necessary functions? Is the performance specification correct for all circumstances?
  - Implementation of the specification: do the design and code truly implement the specification?
  - Adequacy of operational and support documentation: is it usable, or too difficult? Does it describe all assumptions and limitations of the implementation?
  - Provability of trustworthiness.

Page 60: Software Assurance Levels

A graduated scale of ratings and approaches:
• Unplanned 'bowl of spaghetti' code: unreliable, difficult to maintain; about $5 per line of code to develop.
• Structured coding reduces code-level errors: approximately $50 per line of code, tested and documented.
• Specifications in a structured language and style improve communication between specifier and designer / builder / user.
• Specifications based on modelling of functionality facilitate appropriate and correct specifications.
• Formal specifications using a mathematical language (e.g. Z, Gypsy, VDM etc.) allow rigorous analysis of specifications.
• Proof-of-correctness of both design and implementation: up to $1500 per line of code, plus massive delays in the project.

Page 61: Trusted Systems Evaluations

• Evaluations are always by government accredited organisations:
  - USA: performed by the NSA's National Computer Security Centre (NCSC)
  - UK: now uses CLEFs (Commercial Licensed Evaluation Facilities), overseen by the UK government authorities CESG and CCTA
  - Australia: used to be performed by the DSD QC section; now performed by AISEFs (Australasian Information Security Evaluation Facilities), with the work overseen by DSD
  - Other countries operate similarly: NZ, Canada, Germany, France, Netherlands etc.
• Costs and delays: early system evaluations cost 48 person-months and 2 years; similar cost / delay across all evaluation levels.
  - Low-end systems are casually designed, hence difficult to evaluate.
  - Higher grade systems are specified and designed better, but are more rigorously investigated.

Page 62: Trusted Systems Evaluations (2)

• An evaluation applies only to the exact product specified, installed and operated as directed by the developer / evaluator: not to upgrades, new releases, nor even patched releases.
  - Note: updates have been rated lower than their predecessors, EXCEPT those updated in accordance with an approved programme.
  - The Ratings Maintenance Phase (RAMP) is the USA mechanism for maintaining a rating through updates and new releases.
  - The Certificate Maintenance Scheme (CMS) is an integral part of the UK ITSEC scheme, reducing re-evaluation costs / timescales.
• A good product, poorly implemented or maintained, is worse than a poor product well implemented, because it gives a false sense of security.

Page 63: USA - TCSEC - 'Orange Book'

• Trusted Computer System Evaluation Criteria (TCSEC), USA, 1983.
• Published by the National Computer Security Centre (part of DoD/NSA); first published 1983 and reissued 1985, in flame orange covers, hence the nickname 'The Orange Book'. Derivatives and related publications are known as the 'Rainbow Books'.
• Single dimension of ratings:
  - A1: experimental level of high security
  - B3, B2, B1: government grade multilevel systems
  - C2, C1: commercial grade systems
  - D: unevaluated, or failed to attain a higher rating
• A rating covers functionality and assurance criteria: higher ratings imply higher functionality and higher assurance.
• The criteria are oriented to the mainframe systems of the early 1980s.
• Most large USA vendors (IBM, HP etc.) use TCSEC.

Page 64: Orange Book Ratings (2)

Division                    | Class | Description
A (highest)                 | A1    | B3 functionality, formal assurance
B (government multi-level)  | B3    | Tough and unfriendly
                            | B2    | Low end of formally designed systems
                            | B1    | High grade traditional operating system
C (commercial)              | C2    | Good commercial security
                            | C1    | Basic security features only
D (unrated, lowest)         | D     | No formal security trust

Page 65: Orange Book Ratings

D  C1  C2  B1  B2  B3  A1
No trust -> Low trust -> High trust (increasing security functions and assurance)

• Division D encompasses systems which have not been assessed, or which have failed to attain a higher rating.
• Most USA mainframe operating systems are C2; some have B1 capability, either as built or by add-ons.
• B2 and above require security functionality and assurance to be incorporated in the system design, not as an afterthought.

Page 66: Orange Book Evaluation Criteria

Classes run from nil trustworthiness (D) through low (C1, C2) and increasing (B1, B2, B3) to high (A1). Each criterion tightens as the class rises:

Criterion                                  | Lower classes                                   | Higher classes
Policies                                   | Discretionary policies                          | Discretionary and mandatory policies
Audit trail                                | Audit trail                                     | Increasing audit trail requirements
System architecture                        | Weak, but increasing architecture requirements  | Strong, and still increasing, architecture requirements
Top level specifications                   | DTLS (descriptive top level specification)      | FTLS (formal top level specification)
Penetration testing                        | Increasing penetration testing                  |
Change management                          | Increasing configuration management             |
Covert channel restrictions                | Increasing covert channel restriction           |
Distribution path from vendor to customer  |                                                 | Trusted
Security model validity                    | Informal, 'shown'                               | Formal security model, 'proven' valid

Page 67: Trusted Computing Base (TCB)

• TCSEC uses the concept of a small TCB acting as the reference monitor, arbitrating between users (subjects) and data entities (objects).
• As all access between users and data is via the TCB, only the TCB needs to be trusted: this avoids having to trust each and every application, compiler etc., PROVIDED that the TCB can be adequately 'proven'.
• The TCB concept implies that there must be: identified and authenticated users; security sensitivity labels associated with data objects; and an information access policy identifying who may access what.

Page 68: TCB implements Access Controls

The TCB includes:
• an architecture and structure which separates 'user' domains from 'system' domains; users from each other; and executable code from data;
• a user identification and authentication mechanism;
• security sensitivity labelling of files and resources (ports, devices, operating system functions etc.), either
  - implicitly, where sensitivity is implied from the parent directory, file type, file name, file owner, port identification etc.; or
  - explicitly, where sensitivity information is associated with every resource on the system (like the Windows NT File System, NTFS);
• enforced controls over access to files and resources;
• audit and monitoring capabilities over security functions.

Page 69: Access Control Concepts

• The TCB must limit access to resource objects (e.g. files, ports, system functions) to authorised subjects (authorised users, or system functions acting on behalf of authorised users).
• Generally this is done by means of a lattice based model. Example access matrix, with subjects (users 1 to 6) as columns and objects as rows:

Object 1 | X for every user (1 to 6)  | accessible by all users
Object 2 | no X                       | accessible by none
Object 3 | X for four of the six users | accessible by some users

Page 70: Access Models

A detailed security policy defines:
• objects and object classes (files, ports, functions etc.);
• subjects (users, user groups, active functions etc.);
• which subjects (e.g. users) may access which objects (e.g. files); and
• how they may access them (e.g. read, write, create, modify, execute, rename, delete, append, activate etc.).

Questions:
• Who sets the lattice model parameters? (Administrator and owner)
• Is this flexible and responsive enough? (Barely)
• Is one model sufficient for all cases? (No, but usually it must suffice)

Page 71: DAC and MAC

• Discretionary Access Control (DAC) (ratings C1 and all above):
  - established by the information owner, who sets flags to indicate who may read / write / modify etc. the file;
  - can have default settings in the TCB (which the owner may override).
• Mandatory Access Control (MAC) (ratings B1 and above):
  - directed by policy statements 'hard wired' into the system, usually set in the TCB by the systems administrator;
  - e.g. policy statement 'data from the R&D area is not to be read by the finance group';
  - not able to be overridden by the data owner;
  - should be checked during audit and monitoring activity;
  - typically applied to nationally classified information: no person may access information classified higher than their clearance (the Bell-LaPadula (BLP) security model).
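The following is an added worked example, not code from the slides, of the reference monitor idea from Pages 67 to 71: sensitivity labels that form a lattice (level plus compartments), DAC set by the object's owner, MAC enforced as the Bell-LaPadula no-read-up / no-write-down rules, and an audit record of every decision. The users, the 'RD' and 'FIN' compartments, the objects and the ACLs are constructed sample data chosen to mirror the slide's 'R&D data not readable by finance' policy.

```python
"""Added example (not from the CSE4884 slides): a toy reference monitor combining
DAC (owner-managed ACLs) with MAC (Bell-LaPadula over a label lattice).
All subjects, objects, labels and ACL entries below are constructed sample data."""
from dataclasses import dataclass, field
from enum import IntEnum


class Level(IntEnum):
    UNCLASSIFIED = 0
    CONFIDENTIAL = 1
    SECRET = 2
    TOP_SECRET = 3


@dataclass(frozen=True)
class Label:
    """Sensitivity label. Labels form a lattice under 'dominates':
    higher-or-equal level AND a superset of the compartments."""
    level: Level
    compartments: frozenset = frozenset()

    def dominates(self, other: "Label") -> bool:
        return self.level >= other.level and self.compartments >= other.compartments


@dataclass
class Subject:
    name: str
    clearance: Label


@dataclass
class Obj:
    name: str
    owner: str
    classification: Label
    acl: dict = field(default_factory=dict)  # DAC part: user -> set of modes


class ReferenceMonitor:
    """Every access request passes through check(); every decision is audited."""

    def __init__(self, subjects, objects):
        self.subjects = {s.name: s for s in subjects}
        self.objects = {o.name: o for o in objects}
        self.audit = []  # (user, object, mode, decision)

    def set_acl(self, requester: str, obj_name: str, user: str, modes) -> bool:
        """DAC: only the information owner may change who can access the object."""
        obj = self.objects[obj_name]
        if requester != obj.owner:
            return False
        obj.acl[user] = set(modes)
        return True

    def check(self, user: str, obj_name: str, mode: str) -> str:
        s, o = self.subjects[user], self.objects[obj_name]
        # MAC is evaluated first: the owner cannot override it by editing the ACL.
        if mode == "read" and not s.clearance.dominates(o.classification):
            decision = "deny:mac-no-read-up"      # BLP simple security property
        elif mode == "write" and not o.classification.dominates(s.clearance):
            decision = "deny:mac-no-write-down"   # BLP *-property
        elif mode not in o.acl.get(user, set()):
            decision = "deny:dac"                 # owner has not granted this mode
        else:
            decision = "allow"
        self.audit.append((user, obj_name, mode, decision))
        return decision


def build_demo() -> ReferenceMonitor:
    """Constructed sample data: two compartments, R&D ('RD') and finance ('FIN')."""
    rd, fin = frozenset({"RD"}), frozenset({"FIN"})
    subjects = [
        Subject("alice", Label(Level.SECRET, rd)),            # R&D engineer
        Subject("bob", Label(Level.CONFIDENTIAL, fin)),       # finance clerk
        Subject("carol", Label(Level.TOP_SECRET, rd | fin)),  # executive
    ]
    objects = [
        Obj("rd_design.doc", "alice", Label(Level.SECRET, rd),
            {"alice": {"read", "write"}}),
        Obj("fin_budget.xls", "bob", Label(Level.CONFIDENTIAL, fin),
            {"bob": {"read", "write"}, "carol": {"read"}}),
        Obj("notice.txt", "carol", Label(Level.UNCLASSIFIED),
            {"alice": {"read"}, "bob": {"read"}, "carol": {"read", "write"}}),
    ]
    return ReferenceMonitor(subjects, objects)


def run_demo() -> dict:
    rm = build_demo()
    # The owner may grant DAC read to bob, but MAC still keeps finance out of R&D data.
    assert rm.set_acl("alice", "rd_design.doc", "bob", {"read"})
    assert not rm.set_acl("bob", "rd_design.doc", "bob", {"read"})  # not the owner
    return {
        "alice reads rd": rm.check("alice", "rd_design.doc", "read"),
        "bob reads rd": rm.check("bob", "rd_design.doc", "read"),
        "carol reads rd": rm.check("carol", "rd_design.doc", "read"),
        "carol writes fin": rm.check("carol", "fin_budget.xls", "write"),
        "bob writes fin": rm.check("bob", "fin_budget.xls", "write"),
        "bob reads notice": rm.check("bob", "notice.txt", "read"),
        "carol writes notice": rm.check("carol", "notice.txt", "write"),
    }


if __name__ == "__main__":
    for request, decision in run_demo().items():
        print(f"{request:20s} -> {decision}")
```

Two of the decisions are the ones worth studying: bob is denied `rd_design.doc` by MAC even though its owner granted him DAC read, and carol is denied a write to the unclassified `notice.txt` she owns, because BLP's *-property forbids a Top Secret subject writing down. The `audit` list is the monitoring record the slides call for on Page 68.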

Page 72: USA 'Rainbow Books'

• Explain, extend, interpret etc. the Orange Book. All available from http://www.radium.ncsc.mil/tpep/library/rainbow/
• Topics include:
  - DoD Password Management Guideline, 12 April 1985 (Green Book)
  - Guidance for Applying the DoD TCSEC in Specific Environments, 25 June 1985 (Light Yellow Book)
  - Advisory Memorandum on Office Automation Security Guidelines
  - A Guide to Understanding Audit in Trusted Systems, 1 June 1988, Version 2 (Tan Book)
  - Trusted Product Evaluations: A Guide for Vendors, 22 June 1990 (Bright Blue Book)
  - A Guide to Understanding Discretionary Access Control in Trusted Systems, 30 September 1987 (Neon Orange Book)

Page 73: ITSEC

Information Technology Security Evaluation Criteria of France, Germany, the Netherlands and the United Kingdom, 1991.

Page 74: EU - Information Technology Security Evaluation Criteria (ITSEC)

• Published 1990, updated 1991. Based on UK, German and French criteria, and inputs from others.
• Significant input from USA Orange Book concepts, but overcomes the 'star connected mainframe' and USA bias.
• Considers functionality and assurance orthogonally:
  - one axis addresses assurance: six hierarchical levels (E1 through E6) above E0, which denotes zero trust;
  - the other axis addresses functionality: 10 predefined non-hierarchical classes of functionality (F1 through F10), little used in Australia; the user may instead define functionality to suit the task.
• Defines a 'claims language' to assist evaluation: a semi-formalised and structured language, with defined terminology etc.

Page 75: ITSEC Assurance Classes

ITSEC | TCSEC equivalent | Comments
'E0'  | D                | No proven trustworthiness
E1    | C1               | Low commercial
E2    | C2               | High commercial
E3    | B1               | Low multilevel
E4    | B2               |
E5    | B3               | High multilevel
E6    | A1               | Formal 'proof of correctness'


ITSEC Functionality Classes

ITSEC   TCSEC equivalent   ITSEC   Used for
F1      C1                 F6      High integrity
F2      C2                 F7      Networking (high availability)
F3      B1                 F8      Networks with integrity
F4      B2                 F9      Networks with confidentiality
F5      B3 and A1          F10     Networks with integrity and confidentiality

F1 to F5 are the ITSEC classes F-C1, F-C2, F-B1, F-B2 and F-B3, which mirror the TCSEC functionality (B3 and A1 share the same functionality; A1 differs only in assurance). F6 to F10 are F-IN (high integrity), F-AV (high availability), F-DI (data integrity in transit), F-DC (data confidentiality in transit) and F-DX (both). ITSEC users may also define their own functionality.


User Defined Functionality

- The ITSEC standard functionality classes are adequate but do not reflect all situations
- A developer may define the functionality they claim, and have it evaluated to a particular assurance level, e.g. firewalls, weapons systems, banking systems
- Most Australian ITSEC evaluations are based on 'user' (read 'vendor') defined functionality
- A rock could rate E6 if appropriate functionality was claimed: the assurance level says how well the product does what it claims, not whether what it claims is useful
- Always verify the functionality claimed for the evaluation rating. E.g. a firewall is evaluated and advertised as 'E3', but what does it do at the 'E3' level of trustworthiness? The security target (the claims document) is what was evaluated, not the marketing sheet


Types of Network Threats

(Figure: threat taxonomy, adapted from "Cryptography and Network Security: Principles and Practice", Second Edition, by William Stallings, Prentice Hall, 1999; the image is not reproduced here. The classes are listed on the next slide.)


Network Threats (2)

Passive threats (interception):
- Release of message contents: read plain text; or capture ciphertext, then decrypt and read
- Traffic analysis: activity analysis (who talks to whom, when and how much); characteristics analysis (message sizes, rates and patterns)

Active threats:
- Interruption (attacks availability)
- Modification (attacks integrity)
- Fabrication (attacks authenticity)
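Traffic analysis is the one passive threat that encryption does not remove, so it is worth seeing what an observer can still learn when header and body are both encrypted. The following script is an added example, not part of the lecture: it performs the two kinds of analysis named above (characteristics analysis, then activity analysis) over constructed flow records that carry only direction, packet size and timing. The flows, the statistics chosen and the classification thresholds are all assumptions made for illustration.

```python
"""Added example, not from the lecture: traffic analysis when header and body are
both encrypted. The flow records below are constructed, not captured; each entry
is (direction, packet size in bytes, time in seconds), which is all an observer
of a fully encrypted link still sees."""
from statistics import mean, pstdev

# Constructed: small packets alternating direction at human-like irregular gaps.
INTERACTIVE_FLOW = [("c2s", 36, 0.00), ("s2c", 44, 0.05), ("c2s", 36, 0.31), ("s2c", 44, 0.36),
                    ("c2s", 36, 0.52), ("s2c", 44, 0.58), ("c2s", 36, 1.10), ("s2c", 500, 1.16)]
# Constructed: full-size packets one way at machine-regular gaps, with small acknowledgements.
BULK_FLOW = [("c2s", 60, 0.00), ("s2c", 1460, 0.01), ("s2c", 1460, 0.02), ("s2c", 1460, 0.03),
             ("c2s", 52, 0.04), ("s2c", 1460, 0.05), ("s2c", 1460, 0.06), ("s2c", 1460, 0.07)]


def characteristics(flow):
    """Characteristics analysis: statistics that survive encryption of header and body."""
    sizes = [size for _, size, _ in flow]
    gaps = [b[2] - a[2] for a, b in zip(flow, flow[1:])]
    up = sum(size for d, size, _ in flow if d == "c2s")
    down = sum(size for d, size, _ in flow if d == "s2c")
    turns = sum(1 for a, b in zip(flow, flow[1:]) if a[0] != b[0])
    return {
        "mean_size": mean(sizes),
        "small_fraction": sum(1 for s in sizes if s < 100) / len(sizes),
        "turns": turns,                       # direction changes: request/response rhythm
        "down_up_ratio": down / max(up, 1),   # asymmetry: downloads are one-sided
        "gap_cv": pstdev(gaps) / mean(gaps),  # timing regularity: humans are bursty, machines are not
    }


def activity_analysis(flow):
    """Activity analysis: guess what the user is doing from the characteristics alone.
    Thresholds are illustrative assumptions, not calibrated values."""
    c = characteristics(flow)
    if c["small_fraction"] > 0.7 and c["turns"] >= len(flow) // 2:
        return "interactive session (keystroke-sized, alternating packets)"
    if c["down_up_ratio"] > 10 and c["mean_size"] > 800:
        return "bulk download (large one-way packets, small acknowledgements)"
    return "unclassified"


if __name__ == "__main__":
    for name, flow in (("interactive", INTERACTIVE_FLOW), ("bulk", BULK_FLOW)):
        print(name, characteristics(flow), "->", activity_analysis(flow))
```

Nothing in the script looks at a payload byte, which is the point: padding messages to a fixed size and sending cover traffic at a fixed rate are the countermeasures, not stronger encryption.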


Encryption 'Pipe'

(Figure: an encrypted data stream drawn as a protective pipe around the target information. Labels: "Extraneous data can't enter the stream"; "Intelligible information can't leave the pipe".)

Encryption may be considered a protective pipe. The first label only holds if the stream is also authenticated: encryption alone stops an attacker reading the contents, not injecting or replaying ciphertext (see the next slide).


Network Threats (3)

Encryption is the main tool used to inhibit network threats. Assuming unbroken encryption:

- Release of message contents: defeated by encryption
- Modification of traffic: modification is still possible, but the attacker cannot read the result. Whether the result is predictable depends on the mode: in a stream or counter mode, flipping a ciphertext bit flips the same plaintext bit, and in ECB whole blocks can be swapped or deleted. Detecting modification needs a message authentication code (or an authenticated encryption mode), not encryption alone
- Fabrication or replay of traffic: creation of new, intelligible traffic is defeated. Replay of individual blocks is defeated in cipher feedback (chaining) modes, because a block spliced into a different position decrypts to garbage, but not in Electronic Code Book (ECB) mode, where a copied block decrypts exactly as it did originally. Replay of a complete message (same IV and ciphertext) is not defeated by any mode; that needs sequence numbers or timestamps covered by the MAC
- Traffic analysis: if headers and body are encrypted, traffic analysis can only be based on traffic timings, flow rates and transaction sizes. If only the body is encrypted, header information (addresses, ports, lengths) can be used in traffic analysis
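The modification and replay points above, and the "extraneous data can't enter the stream" label on the encryption pipe slide, are easiest to believe once seen. The script below is an added example, not from the lecture or from Stallings. It uses a toy 8-byte Feistel block cipher built from HMAC-SHA256 (an assumption made so the script runs on the Python standard library; it stands in for AES and is not a real cipher), then shows an attacker splicing the amount block of a high-value message into a low-value one: under ECB the forgery decrypts to a meaningful message, under CFB the spliced block decrypts to garbage. It finishes with the fix the slide implies: encrypt-then-MAC with a sequence number, which rejects both modified and replayed messages. Keys, IVs and messages are constructed.

```python
"""Added example, not from the lecture: confidentiality alone gives neither
integrity nor replay protection. The 8-byte Feistel 'cipher' below is a toy
built from HMAC-SHA256 so the script runs on the standard library; it stands
in for a real block cipher (use AES in practice)."""
import hashlib
import hmac
import os

BLOCK = 8  # toy block size in bytes (AES uses 16)
HALF = BLOCK // 2


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def _round(key, rnd, half):
    # Keyed PRF truncated to half a block: the Feistel round function.
    return hmac.new(key, bytes([rnd]) + half, hashlib.sha256).digest()[:HALF]


def encrypt_block(key, block):
    l, r = block[:HALF], block[HALF:]
    for rnd in range(4):
        l, r = r, _xor(l, _round(key, rnd, r))
    return l + r


def decrypt_block(key, block):
    l, r = block[:HALF], block[HALF:]
    for rnd in reversed(range(4)):
        l, r = _xor(r, _round(key, rnd, l)), l
    return l + r


def _blocks(data):
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]


def ecb_encrypt(key, pt):
    # ECB: blocks are independent, so an attacker can cut, paste and replay them.
    return b"".join(encrypt_block(key, b) for b in _blocks(pt))


def ecb_decrypt(key, ct):
    return b"".join(decrypt_block(key, b) for b in _blocks(ct))


def cfb_encrypt(key, iv, pt):
    # CFB: C_i = P_i XOR E(C_{i-1}); the keystream for each block depends on the
    # previous ciphertext block, so a block moved elsewhere decrypts to garbage.
    out, prev = [], iv
    for p in _blocks(pt):
        prev = _xor(p, encrypt_block(key, prev))
        out.append(prev)
    return b"".join(out)


def cfb_decrypt(key, iv, ct):
    out, prev = [], iv
    for c in _blocks(ct):
        out.append(_xor(c, encrypt_block(key, prev)))
        prev = c
    return b"".join(out)


def splice_attack(mode):
    """Attacker pastes the AMT block of a high-value message into a low-value one.
    Returns what the receiver decrypts (constructed key, IVs and messages)."""
    key = b"k" * 16
    rich, poor = b"CREDIT:A" + b"AMT:9999", b"CREDIT:B" + b"AMT:0001"
    if mode == "ecb":
        forged = ecb_encrypt(key, poor)[:BLOCK] + ecb_encrypt(key, rich)[BLOCK:]
        return ecb_decrypt(key, forged)  # b"CREDIT:BAMT:9999": a meaningful forgery
    iv_rich, iv_poor = bytes(BLOCK), bytes([1]) * BLOCK
    forged = cfb_encrypt(key, iv_poor, poor)[:BLOCK] + cfb_encrypt(key, iv_rich, rich)[BLOCK:]
    return cfb_decrypt(key, iv_poor, forged)  # first block intact, second block garbage


def seal(enc_key, mac_key, seq, pt):
    """Encrypt-then-MAC with a sequence number; the tag covers seq, IV and ciphertext."""
    iv = os.urandom(BLOCK)
    ct = cfb_encrypt(enc_key, iv, pt)
    tag = hmac.new(mac_key, seq.to_bytes(8, "big") + iv + ct, hashlib.sha256).digest()
    return seq, iv, ct, tag


def open_checked(enc_key, mac_key, state, seq, iv, ct, tag):
    """Plaintext, or None if the tag fails (modification/fabrication) or seq is
    not strictly greater than the last accepted one (replay of a whole message)."""
    expect = hmac.new(mac_key, seq.to_bytes(8, "big") + iv + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expect, tag) or seq <= state.get("last_seq", -1):
        return None
    state["last_seq"] = seq
    return cfb_decrypt(enc_key, iv, ct)


if __name__ == "__main__":
    print("ECB splice:", splice_attack("ecb"))
    print("CFB splice:", splice_attack("cfb"))
    ek, mk, st = b"e" * 16, b"m" * 16, {}
    msg = seal(ek, mk, 1, b"CREDIT:B" + b"AMT:0001")
    print("genuine:", open_checked(ek, mk, st, *msg), "replayed:", open_checked(ek, mk, st, *msg))
```

Two design points carry over to real systems: the tag is checked with a constant-time comparison before anything is decrypted, and the sequence number is bound into the tag rather than sent alongside it, so an attacker cannot re-number an old message. In a production protocol the toy cipher and hand-rolled CFB would be replaced by an authenticated mode such as AES-GCM, which folds the MAC into the cipher.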


Summary

- Security is a concept and an attitude of mind, and is difficult to define
- The definition must derive from management directives and policy
- Security management is management of risks; otherwise security becomes a black hole for money and effort
- The main issues for consideration are: assets; threats to those assets; countermeasures to those threats; ongoing management leadership and support


Internet Issues Summary

- Most Internet security issues identified are Internet-specific implementations of broader issues:
  - Encryption of VPNs and e-mail is an encryption issue; the Internet is only the vehicle
  - E-commerce requirements for authentication and non-repudiation are Internet or computer based variants of signatures; public key encryption mechanisms are addressing these issues
  - Personnel abusing Internet access are only one specific manifestation of widespread poor practices: abuse of company cars, telephones, accommodation, equipment
- Concentrate on the real issues:
  - Perimeter security and internal segmentation (firewalls)
  - Use firewalls for virus checks etc.
  - Develop an understanding of censorship (content filtering) processes and needs
  - Develop security awareness and a sense of ethics in all parties


Common Reactions (Management)

- "It won't happen to us / our company / me": just wait and it will; best to lock the stable door before the horse bolts
- "Security gets in the way / is obstructive": frequently true and unavoidable to some extent, but the impact can be minimised with planning, management commitment and training. Good security must always be in the context of the business
- Lack of written security policy and directions: planned policies and committed management guide everyone
- Treating security as a black/white issue, e.g. is all xxx-in-confidence information really of the same value? A graduated scale of values and risks is needed. Some people are more trustworthy than others, as are some countermeasures, such as procedures, locks and computers


Common Reactions (Implementation)

- Addressing the wrong problem, because it is easier:
  - Assuming most attacks are external (i.e. "we trust all our people")
  - Non-acceptance that commercial intelligence gathering or sabotage are occurring in Australia now
- Addressing the wrong threats, e.g. assuming high risk attacks are violent, high intensity and short duration (terrorists, armed hold-up) rather than slow and subtle (espionage)
- Implementing unbalanced security, e.g. high grade firewalls but no lockable containers or rooms
- Ineffectual security, which has all of the costs but little of the benefit:
  - High grade (and costly) firewalls, intrusion detectors etc., poorly implemented and not supported
  - Good policies and mission statements, but management do not show support and leadership, i.e. the policies are not implemented
  - Failure of aftercare for people, procedures and equipment


Finale

- Security has become the major issue following Y2K
- Media hype about Internet related security problems has sensitised management, auditors and legislators to the issues, but they generally need technical guidance
- Deliberate attacks against businesses are increasing dramatically
- Outsourcing of security management to specialist companies is not necessarily the best way for an organisation to go: employees should remain in control of all sensitive activities


Tutorial

Q&A and case studies