CSE4884 Network Design and Management
Lecturer: Dr Carlo Kopp, MIEEE, MAIAA, PEng
Lecture 21-22
Network Security vs Information Conflict; Managing Security in Networks
Reference Sources
NOTE: Information Conflict is a new discipline and good resources are limited.
Prof Dorothy Denning (formerly Georgetown), COSC 511 Information Warfare: Terrorism, Crime, and National Security
http://www.cs.georgetown.edu/~denning/cosc511/fall02/index.html
http://devost.typepad.com/cosc511/
CSE 468 - Information Conflict
http://www.csse.monash.edu.au/courseware/cse468/subject-info.html
What is Information Conflict? Why Does it Matter?
Information Conflict (IC or IW) is a biological phenomenon and has existed for as long as life has existed [Kopp-Mills].
Information Conflict involves the use of information to gain a competitive advantage in a survival game [Kopp-Mills].
Information Conflict has been used by governments, non-state organisations and commercial entities for millennia, but has only been formally recognised as a discipline since 1995.
The ability to very rapidly and cheaply transfer or distribute large volumes of information – a feature of the digital era – has increased the importance of Information Conflict.
Managers must be cognisant of the potential risks which may arise from IW techniques being used by third parties – against public and private entities, and individuals.
A systematic information attack by a third party can cripple any organisation which is dependent on a digital infrastructure.
Large scale use of wireless equipment with poor security increases risks of IW attacks and site penetration.
Taxonomy of IW Categories
Class I IW - Compromising Personal or Corporate Privacy is the lowest grade of IW, and occurs when a personal account is compromised and confidential information accessed, such as private email being read, or phone calls charged to a third party account.
Class II IW - Industrial and Economic Espionage is the next step up, in which instance government or corporate computers are hacked into and information covertly stolen.
Class III IW - Info-Terrorism and Denial of Services. The intentional trashing of another party's computer or network, or denial of service via other means is usually described as info-terrorism. Whether the offending party is a malicious hacker, a criminal extortionist, a genuine terrorist, or a foreign government seeking to take down a system or systems, the end result falls into the same category.
Class IV IW - Military IW. The use of all of the above combined with other military techniques in order to disrupt an opponent's military operations, government activity and economy qualifies as military IW. Military IW is the most destructive category, as it involves both soft and hard kill techniques.
Denial of Service Attacks
Denial of service attacks are an offensive technique intended to cripple an organisation by preventing it from using its digital systems.
Denial of Service attacks are increasingly common especially involving attacks on websites, and large scale attacks on networked systems using viruses and worms.
Where an organisation depends on its digital infrastructure such attacks can produce significant material losses.
Recently documented Denial of Service attacks have been associated with nation state conflicts, and political, religious or ideological disputes.
Many attacks are performed by malicious individuals for personal gratification. This is especially true of virus/worm attacks, which are performed for no material gain but cost hundreds of millions in lost productivity and repair time.
Offensive vs Defensive IW
In any IW engagement there is an offensive player or attacker, and a defensive player or defender. Strategic planners and managers will typically play the defender’s game. Their role is to ensure that the organisation’s infrastructure can resist IW attacks – starting with Class I, and then Class II and III IW. Class IV (military) attacks are usually the responsibility of governments.
Given the diversity of ways in which IW attacks can be mounted, concentrating on established security techniques is not enough – it will protect against hackers and physical Denial of Service attacks, but not against viruses and worms or other forms of attack.
If a network depends on websites for billing, notifications and support, losing that website even temporarily could inflict significant monetary losses.
Resistance to IW attacks must be planned for from the outset when developing and planning infrastructure. Attempting to add defensive measures to production systems can be very expensive.
Practitioners of IW Technique
Malicious hackers and worm/virus writers inflict damage for amusement or peer group approval. They can attack globally. Hackers, phrackers and whackers may steal bandwidth by penetrating networks or manipulating accounts.
Criminals may hack to acquire information, such as credit card numbers, confidential information etc, or threaten DoS attacks to extort money from a victim organisation such as a bank or telco.
Industrial and commercial espionage may be performed to steal proprietary information such as manufacturing techniques for financial gain.
Espionage against government departments, esp police and military, may be performed to gain access to national secrets, operational or technical. Foreign governments or contracted hackers may be involved.
[Info-]Terrorists may perform DoS attacks to promote their cause by inflicting economic or political damage. A car bomb deployed against a stock exchange, national bank, media site or central telephone exchange qualifies as an IW attack.
Moore’s Law, Bandwidth Law vs IW
Moore’s Law predicts monotonic growth in computing power over time; the Bandwidth Law predicts monotonic growth in network bandwidth over time. Both laws are well validated empirically [Kopp].
Rapid growth and commodification of hardware and software have dual effects on IW:
The cost of computer systems and tools capable of use for IW declines, and these become more available, globally.
The cost of defensive measures and encryption technology declines over time, making defensive measures more affordable.
It is necessary to look at IW as an evolutionary game – as better defensive measures are created, better offensive measures evolve to overcome these.
Strategic planning and budgeting must allow for evolutionary growth in defensive measures to account for increasing capabilities for IW over time.
Senior management in many organisations may not appreciate these issues and will need to be educated.
Privacy and Copyright Considerations
Individual privacy and corporate client privacy are important considerations. Legislation exists in most developed nations – including Australia – intended to protect privacy.
Many types of IW attack violate privacy and the onus is upon the carrier or provider to protect against such attacks. Failure to provide proper protection could see a carrier or provider criminally and commercially liable for damages.
Privacy becomes critical where financial transactions, medical records and private correspondence are involved.
If a hacker steals such information, he/she may never be caught. The damaged party could launch legal action against the provider or carrier on the basis of inadequate protective measures being implemented, or file charges with a law enforcement agency.
In some nations privacy violation is automatically considered a criminal offense and carriers or providers are held responsible.
Copyright violations are a special case since the material is available to the public, but its distribution is controlled. Such violations have become a major political and commercial issue globally, especially in the entertainment industry.
Copyright and Intellectual Property
Illegal or unauthorised reproduction of digital materials is a major problem. With cheaply available networking, hard disk, CD-R and DVD burner technology, almost any materials can be reproduced, often in bulk quantities, for little material expense.
This has led to the growth of illegal ‘pirate’ industries which steal and market digital materials, especially software products, and entertainment products such as cinema, music and publications. The result is significant losses to the owners of the intellectual property in the products.
Weak legislation in some nations allows these to become ‘havens’ for such industries.
It is important that organisations carefully assess the origins of any digital materials used internally to ensure that these are not pirate copies.
A good example would be software tools used within an organisation. Using pirated copies or unwittingly distributing such materials opens the organisation to civil litigation over copyright violation or criminal charges.
SPAM
SPAM is unauthorised and unsolicited distribution of marketing materials via email, in bulk quantities. Spammers violate the privacy of spam recipients.
Spammers will market everything from pornography, discount pharmaceuticals, junk stocks, dubious home loans, consumer products, to pirated software and CD/DVD.
Spam is also used to distribute propaganda on behalf of political and religious movements.
Modern spamming techniques use tools which draw on digital archives of victim addresses (usually harvested from the web and distributed on CD-ROM), and which usually forge the sender address by using another victim’s address.
Spam is not illegal in most nations since legislation was injudiciously adopted which does not require prior consent by the recipient when being spammed.
It is likely that anti-spam legislation will be adopted in the developed world over coming years since spam often accounts for a significant fraction of bandwidth used causing economic losses globally.
Privacy on the Web
The internet creates many opportunities for privacy violations. Many websites use the cookie mechanism to retain state information and identity information. Cookies allow the web server to recognise systems accessing a site. In turn this information can be stored to produce profiles of visitor accesses on a site, and thus divine visitor interests or agendas.
Such information can be used to support marketing activities directed at visitors. An example is a website which uses such statistics to adaptively present advertising material to visitors.
Most web servers collect access statistics which allow operators to track which visitors are making what accesses and when. While this can be used for legitimate purposes, it also allows profiles of specific visitors to be produced.
Cookies and server statistics are usually gathered silently and visitors are unaware of their existence or possible/actual uses.
Website owners often compromise their own privacy by putting materials on websites which are not intended for distribution, but forgetting to disable read access.
Online directories now allow gathering of significant materials on individuals such as addresses, phone numbers, email addresses and other details. While most users are legitimate, criminals and terrorists also have access.
Espionage and Intelligence Gathering
Espionage and intelligence gathering – the second oldest profession – has a long history. The advent of digital communications has made some aspects of this craft easier, and some more difficult.
Practitioners may be acting on behalf of governments (illegally or as part of law enforcement), political movements and parties, religious movements, commercial organisations or individuals.
Most espionage or intelligence gathering amounts to covert collection of information or materials without the consent or knowledge of the victim.
This can be performed by acoustic eavesdropping, visual/video surveillance, electronic eavesdropping of analogue or digital channels (SIGINT), hacking into computers (CyberWAR), breaking into offices, filing cabinets or safes (HUMINT), or by unauthorised reproduction of accessible materials (HUMINT).
While most intelligence gathering and espionage is performed by governments against other governments, industrial espionage is also common. The latter is of interest to managers since it can result in significant losses. Target information can vary from technical data on products or processes, to marketing plans, costing information and tender proposal documents.
Surveillance Techniques
Surveillance can be performed using acoustic (microphone ‘bugs’ or phone tap), visual (film or video camera) or electronic (radio/mobile phone/wireless network) intercepts.
In most nations surveillance is only lawful if performed by a law enforcement or intelligence agency ie government entities.
Commercial operators are usually permitted to use video surveillance of publicly accessible areas ie banks, ATMs, carparks, foyers etc.
A large-scale example of such surveillance is the CCTV network in London, used to apprehend terrorists after the recent attempts to bomb public transport.
Law enforcement agencies rely heavily on acoustic and visual surveillance to gather intelligence or evidence.
Managers need to be aware of the potential for unlawful surveillance and plan infrastructure to make it difficult to perform.
Counter-surveillance technologies may be illegal in some nations – for instance voice scramblers for telephone links.
SIGINT/COMINT – Signals/Communications
The interception of radio signals and communications has been practiced since the advent of wireless communications. It is mostly practiced by the military and law enforcement due to the cost of the complex equipment required.
The advent of cheap radio ‘scanners’ has opened up opportunities for individuals and organisations to intercept unencrypted or unscrambled wireless voice traffic.
Intercepts may be targeted, ie a single individual or site is monitored on a specific channel, or they may be performed en masse by recording swaths of the radio spectrum for later semi-automated or manual analysis by human operators.
Wireless channels without strong encryption must be therefore considered insecure and should never be used to transmit information which is sensitive – either from a privacy perspective, commercial perspective, or where sensitive government traffic is involved. GSM mobile phones are a good example.
Network Sniffers
Network sniffers are a vital tool for legitimate traffic analysis and network maintenance tasks. They can also be used to perform lawful and unlawful surveillance and monitoring of specific users or sites on a network.
A sniffer is a software/hardware device which collects and decodes network packets, and can often reassemble traffic flows.
Network protocols with weak or absent encryption will allow the user of a sniffer to collect accounts/password information, email traffic, file transfers and web traffic.
Sniffers with wireless network interfaces allow penetration of wireless networks without having physical access to a network port or cable.
Network planning needs to account for unlawful surveillance by users of sniffer equipment. Active network ports in publicly accessible areas are not acceptable, and wireless channels must use the strongest available encryption techniques.
‘Insider attacks’ by staff using sniffer software on internal systems are a real possibility. Superuser access on computers should be carefully controlled.
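To make the point about weakly protected protocols concrete, the block below is an added example (written for this page, not part of the lecture) of what a sniffer on an unencrypted segment actually does: it walks the Ethernet, IPv4 and TCP headers of a captured frame and pulls the username and password out of an HTTP Basic Authorization header. The frame, the addresses 10.0.0.5 and 10.0.0.80, the host intranet.example and the account carol are all constructed test data; an attacker running a real sniffer would feed it live frames instead of build_frame().

```python
"""Decode a captured Ethernet II / IPv4 / TCP frame and extract credentials
from a cleartext HTTP request, the way a sniffer on an unencrypted segment
would. Added example; the frame built below is constructed test data, not a
real capture."""
import base64
import struct


def build_frame(payload: bytes, sport: int = 40000, dport: int = 80) -> bytes:
    """Construct a minimal frame (checksums left at zero; an offline decoder
    does not need them). Addresses 10.0.0.5 -> 10.0.0.80 are made up."""
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + b"\x08\x00"
    total_len = 20 + 20 + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s",
                     0x45, 0, total_len, 0, 0, 64, 6, 0,   # v4, IHL=5, TTL 64, proto TCP
                     bytes([10, 0, 0, 5]), bytes([10, 0, 0, 80]))
    tcp = struct.pack("!HHIIBBHHH",
                      sport, dport, 1, 1,                 # seq / ack numbers
                      5 << 4, 0x18, 65535, 0, 0)          # data offset 20 bytes, PSH|ACK
    return eth + ip + tcp + payload


def decode_frame(frame: bytes) -> dict:
    """Walk the link, network and transport headers and return the addressing
    information plus the TCP payload. Raises ValueError for non-IPv4/TCP frames."""
    if len(frame) < 14 or frame[12:14] != b"\x08\x00":
        raise ValueError("not an IPv4 frame")
    ip_off = 14
    ihl = (frame[ip_off] & 0x0F) * 4               # IP header length in bytes
    if frame[ip_off + 9] != 6:
        raise ValueError("not TCP")
    src = ".".join(map(str, frame[ip_off + 12:ip_off + 16]))
    dst = ".".join(map(str, frame[ip_off + 16:ip_off + 20]))
    tcp_off = ip_off + ihl
    sport, dport = struct.unpack("!HH", frame[tcp_off:tcp_off + 4])
    data_off = (frame[tcp_off + 12] >> 4) * 4      # TCP header length in bytes
    return {"src": src, "dst": dst, "sport": sport, "dport": dport,
            "payload": frame[tcp_off + data_off:]}


def extract_basic_credentials(payload: bytes):
    """Return (user, password) from an HTTP 'Authorization: Basic' header, or
    None if the payload carries no decodable Basic credentials."""
    for line in payload.split(b"\r\n"):
        if line.lower().startswith(b"authorization: basic "):
            token = line.split(b" ", 2)[2].strip()
            try:
                decoded = base64.b64decode(token, validate=True).decode("utf-8")
            except (ValueError, UnicodeDecodeError):
                return None
            user, _, password = decoded.partition(":")
            return user, password
    return None


def sniff_credentials(frame: bytes):
    """What the sniffer operator sees: the decoded credentials, or None."""
    return extract_basic_credentials(decode_frame(frame)["payload"])


# Constructed sample request: what a browser sends to a site using HTTP Basic auth.
SAMPLE_REQUEST = (b"GET /admin/ HTTP/1.1\r\n"
                  b"Host: intranet.example\r\n"
                  b"Authorization: Basic " + base64.b64encode(b"carol:Winter2004!") + b"\r\n"
                  b"\r\n")

if __name__ == "__main__":
    info = decode_frame(build_frame(SAMPLE_REQUEST))
    print(f"{info['src']}:{info['sport']} -> {info['dst']}:{info['dport']}")
    print("credentials:", sniff_credentials(build_frame(SAMPLE_REQUEST)))
```

Basic authentication only base64-encodes the credentials, so recovering them needs no cryptanalysis at all; the same decoder applied to a TLS-protected connection would see only ciphertext after the handshake, which is the practical meaning of the advice above to use the strongest available encryption.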
Van Eck Radiation
Van Eck radiation is defined as Unintended Emissions (UE) in the radio-frequency bands. Computer monitors and, to a lesser extent, keyboards or poorly impedance matched network cables will radiate signals as a result of the digital or analogue modulations they are carrying.
Specialised receivers can be used to collect UE – the typical example cited is equipment which can reconstruct what is being displayed on a computer monitor from outside the building housing the computer.
UE surveillance and intelligence gathering is expensive and usually limited to governments and law enforcement.
The US NACSIM 5000 Tempest series of standards defines design specifications and techniques for computer equipment to prevent the emission of Van Eck radiation.
Managers in government organisations need to understand the risks arising from UE and ensure that computer equipment used for classified or highly sensitive material is suitable for such use.
Electrical Denial of Service Attacks
The dependency of computer and digital communications equipment upon electrical power feeds and electrical data cables makes it vulnerable to electrical denial of service attacks.
Such attacks aim to inject high voltage or radio frequency signals into mains power or data cables to cause electrical damage or computer crashes and loss of service.
Example A: a Taser device with a cable harness and connector allowing it to inject high voltage into a local area network via a wall socket can destroy network adaptors in dozens of computers.
Example B: a shortwave radio transmitter connected to mains voltage power can destroy power supplies in computer or communications equipment.
The best defence is to deny access to electrical power and data cables to ensure an attacker cannot connect his equipment.
Proving such an attack can be difficult.
Radio Frequency Denial of Service Attacks
Jamming of radio frequency communications channels has been practiced for almost a century, usually in wartime. During the Cold War the Soviets continuously jammed Western radio broadcasts.
Jamming involves transmitting a signal which interferes with the modulation used by the signal, degrading intelligibility. A wide range of jamming techniques exist against all known modulation types.
Designers of military communications equipment plan from the outset to deal with jamming. This is generally not true of commercial equipment which usually has very poor jam resistance.
Jamming equipment to disrupt mobile phones (GSM, CDMA etc) is now widely available and is built to prevent terrorists from using mobile phones to set off bombs remotely.
Wireless 802.11 networks are highly susceptible to jamming due to the use of short Barker code modulations.
Denial of Service attacks against mobile phones or wireless networks can be effected quite cheaply using ‘throwaway’ expendable jammers and can be very difficult to prove.
Radio Frequency Weapons – Denial of Service
Denial of service can also be effected by radio frequency (RF) weapons which emit enough RF power to damage or disrupt the function of computing and communications equipment.
RF radiation can couple into mains and data cabling, or cooling apertures on equipment, causing equipment to crash or fail permanently with electrical damage.
HERF guns are portable devices which emit pulsed or continuous wave RF radiation.
Tesla coils can be used to emit high voltage RF fields with similar effects to HERF guns. A hidden battery powered Tesla coil can cripple equipment inside buildings for as long as the battery lasts.
Electromagnetic bombs (E-bombs) can produce damage over areas the size of city blocks, or greater. E-bombs remain in development for military applications.
Radio frequency weapons were claimed to have been used during the 1990s for criminal extortion against at least one bank. To date there are no confirmed reports of E-bombs being used in combat operations, despite ongoing speculation.
The best defensive measure is electromagnetic hardening of computer and communications equipment – the electrical equivalent of armour plating.
Perception Management and Propaganda
Perception management and propaganda are used to change the perceptions or views of a target or victim population. This can be done to advance a political, religious, commercial or other agenda.
Historically these techniques were most extensively developed and used by Nazi Germany and later the Soviet Union, but have since become widely adopted by governments and commercial operators to market their agendas.
These techniques most frequently involve manipulating information presented to an audience to conceal key issues and emphasise intended agendas. The aim is always to present a reality different from that perceived previously by the target audience.
Open lies are usually used less frequently than half-truths as the latter are more difficult to disprove. Audience literacy and prior knowledge can often frustrate even sophisticated or intensive attacks.
Commercial advertising and marketing materials are frequently deceptive and aim to seduce victims to increase product sales. Managers need to be alert when assessing marketing materials.
Psychological Warfare (Psywar) Techniques
Psywar is used most frequently in wartime (radio/leaflets), but is often seen in commercial or political mass media advertising. Psywar techniques aim to amplify existing anxieties in a target/victim population to disrupt their behaviour, and disrupt the cohesion of an organisation or group.
A prerequisite for successful ‘Psyops’ is that the target or victim population has an existing anxiety or prejudice over some issue.
Statements or claims which reinforce such anxieties or prejudices will produce distress or anger in the victim population.
Examples are political advertising emphasising issues like job losses or interest rate increases, or commercial advertising pointing out bugs or vulnerabilities in computer products. Commercial foodstuff advertising alleging weight gains, cancer or heart disease also qualifies as Psywar.
The internet and mass media are the preferred channels for Psywar attacks.
Most nations have inadequate legislation regulating this area.
Censorship
Censorship is a mechanism used to control access to information. It typically involves denying access or punitive criminal legislation intended to deter distribution.
In developed nations censorship is mostly directed at entertainment products with explicit or violent content. In wartime censorship is used to deny an opponent knowledge of sensitive developments. Many nations apply political censorship to control public and political debate. Internet censorship exists in some nations to deny access to a wide range of materials not deemed suitable for public access.
Censorship is a double edged sword, since it can increase the attractiveness of the censored material to a potential audience.
Censorship remains a controversial issue in Western democracies since the criteria used to determine exclusion are often difficult to achieve consensus on.
Managers operating in a global market or across national boundaries need to be sensitive to censorship legislation since criminal law is often used to enforce it.
Hacking, Cybercrime, Cyberwar (HCC)
Hacking is the term used to describe unauthorised access to computer systems. The term originally applied to programmers who worked on operating system kernels, but the media and entertainment industries popularised the currently accepted use of the term.
Cybercrime is the use of ‘hacking’ techniques to commit criminal offences, usually theft of money or intellectual property.
Cyberwar is the use of ‘hacking’ techniques to perform denial of service attacks or intelligence gathering for political or military purposes.
HCC relies on poor password security and security ‘holes’ in computer operating systems.
Phracking (Phone Hacking) is hacking into telephone networks mostly to steal bandwidth.
Whacking (Wireless Hacking) is hacking into wireless networks mostly to steal bandwidth.
Hacking remains a controversial issue. In most developed nations it is a criminal offence, frequently punished by long jail terms.
Techniques for Gaining Unauthorised Access
A wide range of techniques exist for ‘hacking’ into computer systems. Passwords may be stolen by sniffing, or by entering offices and reading paper notes. Passwords may also be guessed using automated guessing tools (‘robots’), or ‘purchased’ from unethical staff members. Unsecured terminals left logged in may be exploited.
Trojan horse or backdoor entry code may be inserted into systems where a hacker has access to the original source code.
Sophisticated attackers may perform identity spoofing by replacing real network packets with substitutes.
Security holes in some network applications may permit remote entry by driving the application with messages known to expose the vulnerability.
Software tools developed for security testing of networks can also be used to expose security holes for unauthorised entry.
Robust firewalling and system security audits are essential to protect against unauthorised site entries.
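Automated password guessing is the one technique in the list above that a system security audit can catch from ordinary logs. The block below is an added example for this page (not the lecture’s own material) of the detection logic: a sliding window over failed logins per source address, and a second alert when a flagged source then logs in successfully, which is the signature of a guess that eventually worked and names the account to reset. The log lines are constructed in OpenSSH’s syslog format using documentation address ranges; the host name gw, the year and the users are assumptions.

```python
"""Detect automated password guessing in authentication logs. Added example
for this page: a sliding window over failed logins per source address, plus
an alert when a burst of failures is followed by a success. The log lines are
constructed in OpenSSH's syslog format; the addresses are documentation ranges."""
import re
from collections import defaultdict, deque
from datetime import datetime

# e.g. "Jan 12 10:01:03 gw sshd[4711]: Failed password for invalid user root from 203.0.113.7 port 5001 ssh2"
LOG_RE = re.compile(
    r"^(?P<ts>\w{3} [ \d]\d \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<outcome>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\S+) port \d+"
)


def parse_line(line: str, year: int = 2004):
    """Return (timestamp, outcome, user, src), or None for lines we do not handle.
    Syslog timestamps carry no year, so one is assumed."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["outcome"], m["user"], m["src"]


def detect_bruteforce(lines, threshold: int = 5, window_s: int = 60):
    """Return a list of (src, alert_type, detail) tuples.

    'bruteforce': at least `threshold` failures from one source within `window_s`.
    'success-after-bruteforce': a flagged source then logs in successfully within
    `window_s` of its last failure; the detail is the account that was guessed."""
    recent = defaultdict(deque)   # src -> timestamps of failures still inside the window
    flagged = set()
    alerts = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ts, outcome, user, src = rec
        q = recent[src]
        while q and (ts - q[0]).total_seconds() > window_s:
            q.popleft()               # expire failures that fell out of the window
        if outcome == "Failed":
            q.append(ts)
            if len(q) >= threshold and src not in flagged:
                flagged.add(src)
                alerts.append((src, "bruteforce", f"{len(q)} failures within {window_s}s"))
        elif src in flagged and q:    # success while recent failures are still in the window
            alerts.append((src, "success-after-bruteforce", user))
    return alerts


# Constructed sample log: one guessing run from 203.0.113.7 that eventually
# succeeds against 'admin', and one ordinary typo-then-success from 198.51.100.9.
SAMPLE_LOG = """\
Jan 12 10:01:03 gw sshd[4711]: Failed password for invalid user root from 203.0.113.7 port 5001 ssh2
Jan 12 10:01:09 gw sshd[4712]: Failed password for admin from 203.0.113.7 port 5002 ssh2
Jan 12 10:01:15 gw sshd[4713]: Failed password for admin from 203.0.113.7 port 5003 ssh2
Jan 12 10:01:17 gw sshd[4720]: Failed password for carol from 198.51.100.9 port 33000 ssh2
Jan 12 10:01:21 gw sshd[4714]: Failed password for admin from 203.0.113.7 port 5004 ssh2
Jan 12 10:01:22 gw sshd[4721]: Accepted password for carol from 198.51.100.9 port 33000 ssh2
Jan 12 10:01:27 gw sshd[4715]: Failed password for admin from 203.0.113.7 port 5005 ssh2
Jan 12 10:01:33 gw sshd[4716]: Failed password for admin from 203.0.113.7 port 5006 ssh2
Jan 12 10:01:40 gw sshd[4717]: Accepted password for admin from 203.0.113.7 port 5007 ssh2
""".splitlines()

if __name__ == "__main__":
    for alert in detect_bruteforce(SAMPLE_LOG):
        print(*alert)
```

The threshold and window are tuning knobs: too low and every user who mistypes a password twice becomes an alert, too high and a slow, distributed guessing run never trips the detector. The success-after-burst rule is the one worth paging on, since by then the attacker is inside.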
Viruses and Worms
Viruses are malicious programs which embed themselves in file systems, operating systems or applications, from which they propagate via removable storage media or networks to other systems.
Viruses may be benign or destructive in effect, and can be used to compromise security by propagating password files or email address lists.
Worms are self-replicating malicious programs which spread across networks without needing a host file, and typically consume system and network resources to the point where a system becomes unusable.
Highly integrated mailer and word processor programs are the most common targets of viruses and worms since they permit easy entry and propagation between systems. Some proprietary systems are considered far more vulnerable than Linux, BSD and commercial Unix systems.
Managers and strategic planners need to be sensitive to risks which may arise from using some commodity software products known to be susceptible to such attacks.
Identity Theft and Fraud
Identity theft is an increasing problem in the computer and communications industry. The simplest examples involve theft of mobile phones and credit cards for profit.
Spammers today mostly forge return and sender email addresses by using addresses of other spam victims held in digital archives.
Internet newsgroups have also seen identity thefts where hoaxers pretend to be actual or fictional persons. An example was a hoaxer on rec.aviation.military impersonating a retiree, who was actually bedridden in a nursing home suffering from severe stroke impairment.
Validation of subscriber identity for web accessible services can present genuine issues, especially where sites are used to effect financial transactions.
Bogus websites set up to visually emulate actual bank websites have been used to steal electronic banking passwords, in turn to fraudulently access accounts.
‘Nigerian scams’ involving impersonations are now of epidemic proportions in the spammer community.
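Bogus sites that emulate a bank almost always live on a hostname that imitates the real one, so a mail gateway or proxy can screen URLs before a customer clicks. The block below is an added example for this page (not the lecture’s own material) of the three checks that catch most imitations: homoglyph or hyphen tricks on the real domain, the real brand name buried in a subdomain of an unrelated domain, and close typosquats by similarity ratio. The legitimate domains examplebank.com and example-bank.com.au and every test URL are constructed; the registrable-domain split is a deliberately crude approximation of what a real deployment would take from the Public Suffix List.

```python
"""Flag URLs whose hostname imitates a legitimate bank domain. Added example
for this page; the legitimate domains and test URLs are constructed, and the
registrable-domain split is a crude stand-in for the Public Suffix List."""
import difflib
from urllib.parse import urlsplit

LEGIT_DOMAINS = {"examplebank.com", "example-bank.com.au"}   # constructed

# Characters commonly swapped for look-alikes in phishing hostnames.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s",
                            "7": "t", "@": "a", "|": "l", "$": "s"})
SECOND_LEVEL = {"com", "co", "net", "org", "gov", "edu", "ac"}


def hostname_of(url: str) -> str:
    """Lower-cased hostname; accepts bare hostnames as well as full URLs."""
    if "//" not in url:
        url = "//" + url
    return (urlsplit(url).hostname or "").lower().rstrip(".")


def registrable_domain(host: str) -> str:
    """Crude eTLD+1: 'a.b.example.com' -> 'example.com',
    'x.example.com.au' -> 'example.com.au'."""
    labels = host.split(".")
    if len(labels) >= 3 and len(labels[-1]) == 2 and labels[-2] in SECOND_LEVEL:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def normalise(domain: str) -> str:
    """Collapse homoglyphs and hyphens so 'examp1e-bank.com' compares as 'examplebank.com'."""
    return domain.translate(HOMOGLYPHS).replace("-", "")


def classify(url: str, legit=LEGIT_DOMAINS, min_ratio: float = 0.85) -> str:
    """Classify a URL as 'legitimate', 'lookalike', 'brand-in-subdomain' or 'unrelated'."""
    host = hostname_of(url)
    domain = registrable_domain(host)
    if domain in legit:
        return "legitimate"
    legit_norm = {normalise(d) for d in legit}
    if normalise(domain) in legit_norm:
        return "lookalike"                       # homoglyph or hyphen trick on the real domain
    brands = {normalise(d.split(".")[0]) for d in legit}
    prefix = host[: -len(domain)].rstrip(".") if host != domain else ""
    if any(normalise(label) in brands for label in prefix.split(".") if label):
        return "brand-in-subdomain"              # e.g. examplebank.com.secure-login.net
    best = max(difflib.SequenceMatcher(None, domain, d).ratio() for d in legit)
    if best >= min_ratio:
        return "lookalike"                       # typosquat: transposed or dropped letters
    return "unrelated"


if __name__ == "__main__":
    for u in ("https://www.examplebank.com/login", "http://examp1ebank.com/login",
              "http://examplebank.com.secure-login.net/", "http://exampelbank.com/",
              "http://news.example.org/"):
        print(f"{classify(u):19} {u}")
```

The brand-in-subdomain case is the one most often missed by eye: the address bar genuinely starts with the bank’s name, and only the registrable domain at the right-hand end reveals who controls the server.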
Denial of Service Attacks vs Extortion
Denial of Service attacks can be used as a tool to extort money from victims. Organisations which rely on uninterrupted computer operation to effect financial transactions, or which rely on web servers for client access, are the most common targets of such attacks.
The attacker will cause repeated service loss and then extort money by promising to cease attacks.
Cyber attacks - as the attacker may be located on another continent, in a nation with weak or absent cybercrime legislation, major problems arise with identifying the attacker, and with prosecuting the attacker.
Radio-frequency / electrical attacks – the attacker will be geographically local but may not leave a detectable signature or footprint permitting law enforcement to apprehend or prosecute.
Usually DoS extortionists prey on organisations with poor expertise levels in computer/network administration and security.
In general DoS attacks can be difficult to prove and prosecute.
Law Enforcement Problems
Law enforcement faces significant challenges when dealing with offenders in the Information Conflict domain. Jurisdictional boundaries may prevent prosecutions against known offenders.
Determining the identity of criminal offenders or military / political / revolutionary movement attackers may be difficult or impossible given available tools or expertise.
Proving cybercrime may be difficult or impossible. Proving electrical or radio-frequency attacks may be even more difficult.
Key problems remain with inadequate technical expertise and forensic skills in many law enforcement agencies, globally.
Legislation for dealing with IW domain offences or attacks may be weak or inappropriately structured.
Managers need to consider that in the event of an attack or penetration, law enforcement agencies may have little to offer in dealing with the problem.
The best strategy is to plan systems so that they are inherently unattractive as targets for criminals or other attackers. Most frequently ‘softer’ targets will be attacked instead.
Managing Network Security
Given the wide range of possible threats to a network and potentially wide opportunities for such threats to be realised, security is a major issue in network management.
Complacency is a major problem in network security, since it leaves weaknesses unaddressed and so invites attacks on the network.
A network manager must therefore always consider security in defining a network design and configuration.
Penetration of an unsecured network is not an ‘if’ question, it is a ‘when’ question.
Network managers are usually held responsible when security breaches occur.
Postulate Threats
Figure: threats to identified assets, internal or external. Deliberate threats require both motivation AND capability. Non-deliberate threats arise from a vulnerability combined with error/carelessness OR acts of God/accidents.
Impacts if Threat Eventuates
Impact classes: Confidentiality & Privacy | Integrity & Modification | Availability | Damage & Destruction | Misuse & Abuse

Asset type        Impact classes that apply
Information       all five
Physical assets   four of the five
Intangibles       three of the five
People            four of the five
What is the greatest threat to security?
The greatest threat to security is the belief that there is no threat
Justice Hope
Threats
“No threat” to an asset implies “no security problem”. Some assets suffer from multiple concurrent threats, eg consider an executive’s $4000 laptop computer. It could be:
• stolen to be sold ‘in the pub’ (opportunistic theft; motivation $100 to $500)
• stolen for specific software / hardware components (generically targeted, but any similar laptop would do; motivation $500+)
• stolen for commercial / industrial espionage (“Fortune 500” company executives’ laptops: street value $US10,000; laptop specifically targeted: $POA, but up to $US100,000 or more)
• lost (ie genuinely lost, or possibly stolen by an employee or unknown party)
• destroyed / damaged accidentally or deliberately (dropped, run over, burnt out by wrong voltage, damaged by water or chemicals, strong magnetic fields, electrostatic discharge etc)
Types of Threats
Threats may be:
• Deliberate (hostile intent), eg theft, damage, espionage, delaying information or action, criminal negligence or wilful carelessness
• Accidental (no hostile intent), eg errors and omissions, taking assets accidentally, thoughtlessness
• Coincidental or incidental to another act (non-intentional), eg physical damage incidental to graffiti, a strongbox damaged during a burglary, a confidentiality breach when stolen documents are dumped, a person injured incidental to an armed hold-up
• Acts of God, eg floods, wildfire, earthquake, building collapse, meteor strike
Sources of Deliberate Threats
People with ‘insider’ information and motivation – very knowledgeable about your organisation, and often with ‘authorised’ access:
• Disgruntled employee, contractor, security guard, maintainer
• Careless employee etc
• Other insider (eg office comedian, office ‘payback’)
• Ex-employee/contractor/guard/maintainer etc
• Possibly disgruntled customer or supplier
Outsiders – strangers, but with motivation to succeed:
• Thief, vandal or hacker
• Commercial espionage agent (eg on behalf of a competitor, or subcontractor)
• Issue motivated groups (eg animal liberationists, greenies, ….)
• Terrorists – groups and sympathisers
• Foreign intelligence service agent (spy)
• People with a mental illness or imbalance
What is Their Capability?
Near term capability (‘know how’, and ability to perform) is available, for a price if necessary (but the price may exceed the motivation):
High capability – foreign intelligence service; ex-employee (has knowledge of systems & procedures); big money interests (could buy high capability via an ex-employee)
Medium capability – hackers/crackers (have some general knowledge of your site); general commercial interests (could buy capability via hackers)
Low capability – disgruntled customer (has minor knowledge, limited access, and motivation is too low to buy a capability)
Threat Capability Enhancement
Internet has many sites servicing ‘capability enhancement’
Some provide information, links to other sites etc
Some sell equipment, devices, tools, videos and education, usually by mail order
Some sell consultant and other services/skills
Search Internet using keywords eg ‘lock picking’, ‘spy camera’ (watch out for pornography with this one)
Look at D.I.R.T at http://www.codexdatasystems.com/cdsnews.html
Capability is more than Tools
Be aware and concerned, but not frightened
Capability requires tools, knowledge of techniques, and skills; AND knowledge of the target and its environment
The Internet sites address tools and knowledge of tools, but acquisition of a skill requires practice, and most people do not have the discipline to acquire skill
However, professional or highly motivated people can develop knowledge of the target (intelligence gathering) by collusion with staff, etc, and also skills / techniques
Information Systems Provide:
•Easy Storage of Information;
•Easy Access to Information;
•Easy Analysis of Information;
•Easy Modification of Information; &
•Easy Communication of Information.
Information Systems
These capabilities are just as easily used against an organisation as they are used to support it.
Information Security
Information is a strategic resource: a significant portion of budget is spent managing IT; there are many types of information; all have security related problems:
confidentiality (secrecy, privacy) - protect information value;
integrity - protect information accuracy;
availability - ensure information delivery when needed (often expressed as ‘accessibility of information’); and
freedom from misuse and abuse.
Some information also needs non-repudiation assurance. This may be considered a misuse issue.
Threats to Information
Loss of Confidentiality or Privacy
Legal action, either criminal or civil
Embarrassment & political pressures
Loss of commercial advantage (eg trade secrets)
Loss of Integrity
Inappropriate decision making
Loss of accuracy and control
Loss of Availability/Accessibility
Loss of capability to do useful work
Misuse and Abuse of Information
Civil action or legal penalties - both expensive even if you win the case
Loss of reputation
All cause loss of confidence - the real impact is loss of business and profit
IT Threats that Eventuate
Various surveys, with results of the order of:
55% human error, including carelessness
15% accidents and ‘Acts of God’
30% deliberate action by people
Of the above “55% human errors”: almost always employees / legitimate users are involved
“15% accidents and Acts of God”: half probably belong in the other 85% of threat sources
“30% deliberate acts”: 1/3 disgruntled employees / legitimate users; 1/3 dishonest employees / legitimate users; 1/3 outsider or unknown
Countermeasures - Technical Trade Off Tree
[Figure: trade-off triangle with the vertices Secure, Fast/Easy and Cheap]
Where are the countermeasures?
[Figure: threat tree. Threats to identified assets (internal or external) are either non-deliberate - Vulnerability AND (Error/Carelessness OR Acts of God/Accidents) - or deliberate - Vulnerability AND Motivation AND Capability. Both branches lead to impacts if the threat eventuates.]
Impacts if Threat Eventuates
[Table: asset types (Information, Physical assets, Intangibles, People) against impacts (Confidentiality & Privacy; Integrity & Modification; Availability; Damage & Destruction; Misuse & Abuse). Asterisks in the original mark which impacts apply: all five for Information, four of the five for Physical assets and for People, three for Intangibles.]
Locations of Countermeasures
[Figure: the same threat tree, annotated with the locations of countermeasures (red stars).]
LEGEND for red stars
A = Avoidance
D = Detect Manifestation
R = Recover Manifestation
RC = Reduce/limit Capability
RI = Reduce Impact
RM = Reduce Motivation
RT = Reduce Threat
RV = Reduce Vulnerability
T = Transfer Risk (insurance)
Countermeasures
Countermeasures are selected to reduce or eliminate threats, or to reduce the impact if a threat eventuates.
Typical countermeasures are:
Strong buildings (eg doors, walls, floors, ceilings, locks on doors)
Strong containers (filing cabinets, locked cash boxes, safes)
Trusted personnel (eg “Authorised Staff Only”)
Procedures (eg formal induction briefings, last person out locks doors)
NOTE: ‘Security by Obscurity’ (eg hiding keys under the doormat, passwords and safe combinations written in the form of ‘telephone numbers’) is generally discredited as a countermeasure.
Countermeasure Selection
Countermeasures are not all equal: some are more effective than others against particular threats, some are more expensive, some are harder to use
Cost-Effectiveness
Most cost-effective are those which avoid or reduce threats, eg education and training; deterrence can be cheap
Least cost-effective - ‘transfer risk’, eg insurance - but sometimes it is all that is feasible
Some countermeasures protect from multiple threats, and some threats require multiple countermeasures
Use a variety of countermeasure types and categories
Principles of Security Design
Principle of Individual Accountability
each person carries responsibility for themselves, and for activities performed on their behalf with their authorisation.
Principle of Least Privilege
the maximum privileges, rights, or capabilities given to any entity are the minimum required to perform their legitimate activity. Also expressed as ‘Need-to-know’ or ‘Need-to-Access’.
Principle of Defence-in-Depth
a series of overlapping security barriers such that failure of a single barrier does not allow an immediate security breach.
Principle of Defence-by-Diversity
where the series of overlapping security barriers implement diverse mechanisms, so that many skills are required to defeat all barriers.
Principle of Commonality of Approach
logically parallel barriers or techniques are implemented similarly, to minimise the range of potential vulnerabilities
Activities to Support Principles
The following activities are required to support the principles.
Education and Training
where individuals and groups are made aware of security issues, and their role in achieving security.
Configuration Control
where system security is maintained through control of modifications to the systems
Monitoring and Auditing
where compliance with the policies is verified, and trends are analysed so that corrective action may be initiated
Trusted Systems
‘Trusted Systems’ are required when a system performs critical functions. The more critical the function, the more trust is required.
Similar issues regarding trustworthiness apply to both safety and security related systems
How far can we trust computer based systems?
Trusted Systems?
Passengers on plane at departure gate were asked:
‘Would you remain on this computer controlled aircraft knowing that your group had built the control systems?’
All said ‘No way’, except one woman.
When queried she said: ‘If my group had built the system, we would be quite safe because this aircraft would not be able to leave the terminal!’
Trusted Systems (3)
Need to consider the total system and environment:
Physical facilities and environment - buildings and containment; essential services (water, electricity, drainage, etc)
Hardware trustworthiness
Firmware trustworthiness
Software trustworthiness
Communications sub-system integrity and reliability
Administration procedures, and personnel reliability and trustworthiness
Security Trustworthy Systems
Generally refers to ‘Computer Systems’ or ‘IT’, but in reality includes anything closely connected to the IT system
Some aspects are glossed over, particularly in lowly trusted systems, eg hardware and the hardware components of firmware; facilities and containment; physical and electronic aspects of communications
Emphasis here is on trustworthy IT systems
Types of Secure IT Systems
Dedicated:-
single task - all personnel authorised to access all info
Security is totally external to the computing elements, hence the computer system need not be trusted
System-High:-
multiple tasks - has need-to-know differentiation between users; only minor problems if users see extraneous information
Minor security capability needed (assumes benign users)
Multi-Level:-
some users legally not permitted to access some information, eg classified data at levels higher than some users are allowed to access
strong compartmentation between any user and other users, and between users and information being processed or stored
Proven strong security capability needed
Trusted Software
Software implementation of security functionality
The software component of firmware is software
Software trustworthiness has long been an issue.
Problems:
Appropriateness of functional and performance specification - does the specification correctly address all necessary functions? Is the performance specification correct for all circumstances?
Implementation of specifications - do the design and code truly implement the specification?
Operational and support documentation adequacy - is it usable, or too difficult? Does it describe all assumptions and limitations of the implementation?
Provability of trustworthiness
Software Assurance Levels
Graduated scale of ratings and approaches:
Unplanned ‘bowl of spaghetti’ code - unreliable, difficult to maintain: $5 per line of code to develop
Structured coding - reduces code level errors: approx $50 per line of code, tested and documented
Specifications in structured language and style - improves communication between specifier and designer/builder/user
Specifications based on modelling of functionality - facilitates appropriate and correct specifications
Formal specifications using mathematical language (eg Z, Gypsy, VDM etc) - allows rigorous analysis of specifications
Proof-of-correctness of both design and implementation - up to $1500 per line of code, plus massive delays in the project
Trusted Systems Evaluations
Evaluations are always by Gov’t accredited organisations
USA - performed by the NSA National Computer Security Centre (NCSC)
UK - now uses CLEFs (Commercial Evaluation Facilities), overseen by the UK Gov’t authorities CESG and CCTA
Australia - used to be performed by the DSD QC section; now performed by AISEFs (Australian Information Security Evaluation Facilities), with the work overseen by DSD
Other countries operate similarly: NZ, Canada, Germany, France, Netherlands etc
Costs and Delays
Early system evaluations cost 48 person-months & 2 years
Similar cost/delay across all evaluation levels: low end systems are casually designed, hence difficult to evaluate; higher grade systems are specified and designed better, but more rigorously investigated
Trusted Systems Evaluations (2)
Evaluation applies only to the exact product specified, installed & operated as directed by the developer/evaluator - not upgrades, new releases, nor even patched releases
Note: updates have been rated lower than their predecessors, EXCEPT those updated in accordance with (IAW) an approved program
Ratings Maintenance Phase (RAMP) is the USA mechanism for maintaining a rating through updates and new releases
Certificate Maintenance Scheme (CMS) is an integral part of the UK ITSEC scheme, reducing re-evaluation costs/timescales.
A good product, poorly implemented or maintained, is worse than a poor product well implemented, because it gives a false sense of security
USA - TCSEC - “Orange Book”
Trusted Computer System Evaluation Criteria (TCSEC), USA, 1983
National Computer Security Centre (part of DoD/NSA)
First published 1983 and reissued 1985, in flame orange covers
Nickname “The Orange Book”; derivatives and related publications are known as “Rainbow Books”
Single dimension of ratings:
A1 - experimental level of high security
B3, B2, B1 - government grade multilevel systems
C2, C1 - commercial grade systems
D - unevaluated, or failed to attain a higher rating
Rating covers functionality & assurance criteria: higher ratings => higher functionality and higher assurance
Criteria are oriented to the mainframe systems of the early 1980s
Most large USA big names (IBM, HP etc) use TCSEC
Orange Book Ratings (2)
Division                        Class   Description
A                               A1      B3 functionality, formal assurance (highest)
B (Government multi-level)      B3      Tough and unfriendly
                                B2      Low end of formally designed systems
                                B1      High grade traditional operating system
C (Commercial)                  C2      Good commercial security
                                C1      Basic security features only
D (Unrated)                     D       No formal security trust (lowest)
Orange Book Ratings
D  C1  C2  B1  B2  B3  A1
No trust -> Low trust -> High trust: increasing security functions and assurance
Division D encompasses systems which have not been assessed, or which have failed to attain a higher rating
Most USA mainframe operating systems are C2; some have B1 capability, either as built or by add-ons.
B2 and above requires security functionality and assurance to be incorporated in the system design, not added as an afterthought.
Orange Book Evaluation Criteria
(Each criterion is shown against the rating scale D, C1, C2, B1, B2, B3, A1)
Trustworthiness: nil (D) - low - increasing - high (A1)
Policies: discretionary policies at the lower ratings; discretionary and mandatory policies at the higher ratings
Audit trail: increasing audit trail requirements
System architecture: weak, but increasing, architecture requirements at the lower ratings; strong, but still increasing, architecture requirements at the higher ratings
Top level specifications: DTLS (descriptive top level specification) at the lower ratings, FTLS (formal top level specification) at the highest
Penetration testing: increasing penetration testing
Change management: increasing configuration management
Covert channel restrictions: increasing covert channel restriction
Distribution path from vendor to customer: trusted, at the higher ratings
Security model validity: informal (“shown”) at the lower ratings; formal security model (“proven” valid) at the higher ratings
Trusted Computing Base (TCB)
TCSEC uses the concept of a small TCB acting as the reference monitor, arbitrating between users (subjects) and data entities (objects)
As all access between users and data is via the TCB, only the TCB needs to be trusted
avoids having to trust each and every application, compiler etc, PROVIDED that the TCB can be adequately ‘proven’
The TCB concept implies that there must be: identified and authenticated users; security sensitivity labels associated with data objects; and an information access policy identifying who may access what
TCB implements Access Controls
TCB includes:
Architecture and structure which separates ‘user’ domains from ‘system’ domains; users from each other; and executable code from data.
User identification and authentication mechanism
Security sensitivity labelling of files and resources (ports, devices, op system functions etc) - either implicitly, where sensitivity is implied from the parent directory, file type, file name, file owner, port identification etc; or explicitly, where sensitivity information is associated with every resource on the system (like the Windows NT File System, NTFS).
Enforced controls over access to files & resources
Audit and monitoring capabilities over security functions
Access Controls Concepts
TCB must limit access to resource objects (eg files, ports, system functions) to authorised subjects (authorised users, or system functions acting on behalf of authorised users)
Generally by means of a lattice based model. Example (X = access permitted):
                              Subjects (Users)
Objects (Files, Ports, etc)   1  2  3  4  5  6
Object 1                      X  X  X  X  X  X              accessible by all users
Object 2                      (no X)                        accessible by none
Object 3                      X  X  X  X  (four of the six) accessible by some users
Access Models
Detailed security policy defines:
Objects and object classes (files, ports, functions etc)
Subjects (users, user groups, active functions etc)
Which subjects (eg users) may access what objects (eg files), and
How they may access them (eg read, write, create, modify, execute, rename, delete, append, activate etc)
Questions:
Who sets the lattice model parameters? (Administrator & owner)
Is this flexible and responsive enough? (Barely)
Is one model sufficient for all cases? (No - but usually it must suffice)
DAC and MAC
Discretionary Access Control (DAC) (ratings C1 and all above)
established by the information owner, who sets flags to indicate who may read/write/modify etc the file
can have default settings in the TCB (which the owner may over-ride)
Mandatory Access Control (MAC) (ratings B1 and above)
directed by policy statements, ‘hard wired’ into the system, usually set in the TCB by the Systems Administrator
eg policy statement ‘data from R&D area not to be read by finance group’
not able to be overridden by the data owner
should be checked during audits and monitoring activity
typically applied to nationally classified information: no person may access info classified higher than their clearance (Bell-LaPadula (BLP) security model)
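The reference monitor, lattice, DAC and MAC ideas of the preceding slides, as an added example that is not part of the lecture notes: a toy TCB in which every subject/object access passes through one check that applies the mandatory policy (Bell-LaPadula no-read-up and no-write-down on sensitivity labels) before the owner's discretionary flags, and audits every decision. The labels, users, files and the R&D/finance scenario are all constructed for the example.

```python
from dataclasses import dataclass, field

# Linear sensitivity lattice, lowest to highest (constructed for the example;
# a real system might use a partial order with compartments as well).
LEVELS = {"UNCLASSIFIED": 0, "CONFIDENTIAL": 1, "SECRET": 2}


@dataclass
class Subject:
    name: str
    clearance: str            # MAC label: highest level the user may read


@dataclass
class Object:
    name: str
    owner: str
    label: str                # MAC label: sensitivity of the data
    acl: dict = field(default_factory=dict)   # DAC: subject name -> set of modes


def dominates(a: str, b: str) -> bool:
    """True if label a is at or above label b in the lattice."""
    return LEVELS[a] >= LEVELS[b]


class ReferenceMonitor:
    """All subject/object access is arbitrated here, and every decision is audited."""

    def __init__(self) -> None:
        self.audit: list = []          # (subject, object, mode, verdict)

    def _mac_allows(self, s: Subject, o: Object, mode: str) -> bool:
        if mode == "read":            # BLP simple security property: no read-up
            return dominates(s.clearance, o.label)
        if mode == "write":           # BLP *-property: no write-down
            return dominates(o.label, s.clearance)
        return False                  # unknown mode: fail closed

    def _dac_allows(self, s: Subject, o: Object, mode: str) -> bool:
        # Owner-set flags. The owner may change these, but cannot override MAC.
        return mode in o.acl.get(s.name, set())

    def check(self, s: Subject, o: Object, mode: str) -> bool:
        if not self._mac_allows(s, o, mode):
            verdict = "DENY-MAC"
        elif not self._dac_allows(s, o, mode):
            verdict = "DENY-DAC"
        else:
            verdict = "ALLOW"
        self.audit.append((s.name, o.name, mode, verdict))
        return verdict == "ALLOW"


def demo() -> tuple:
    """Constructed scenario: an R&D report that finance must not read (MAC
    policy), and a SECRET-cleared user who must not write down to a
    CONFIDENTIAL file even though the owner granted write access."""
    rm = ReferenceMonitor()
    alice = Subject("alice", "SECRET")          # R&D lead
    bob = Subject("bob", "CONFIDENTIAL")        # finance
    carol = Subject("carol", "SECRET")          # cleared, but not on the ACL
    rnd_report = Object("rnd_report", owner="alice", label="SECRET",
                        acl={"alice": {"read", "write"}, "bob": {"read"}})
    budget = Object("budget", owner="bob", label="CONFIDENTIAL",
                    acl={"bob": {"read", "write"}, "alice": {"read", "write"}})
    results = {
        "bob_reads_rnd": rm.check(bob, rnd_report, "read"),      # owner said yes, MAC says no
        "alice_reads_budget": rm.check(alice, budget, "read"),   # read-down is permitted
        "alice_writes_budget": rm.check(alice, budget, "write"), # write-down refused by MAC
        "bob_writes_budget": rm.check(bob, budget, "write"),     # same level, owner-granted
        "carol_reads_budget": rm.check(carol, budget, "read"),   # MAC ok, DAC has no entry
    }
    return results, rm.audit


if __name__ == "__main__":
    res, log = demo()
    for entry in log:                 # the audit trail the slides call for
        print("%-6s %-11s %-5s %s" % entry)
```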
USA ‘Rainbow Books’
Explain, extend, interpret etc the Orange Book. All available from http://www.radium.ncsc.mil/tpep/library/rainbow/
Topics include:
DoD Password Management Guideline, 12 April 1985 (Green Book)
Guidance for Applying the DoD TCSEC in Specific Environments, 25 June 1985 (Light Yellow Book)
Advisory Memorandum on Office Automation Security Guidelines
A Guide to Understanding Audit in Trusted Systems, 1 June 1988, Version 2 (Tan Book)
Trusted Product Evaluations - A Guide for Vendors, 22 June 1990 (Bright Blue Book)
A Guide to Understanding Discretionary Access Control in Trusted Systems, 30 September 1987 (Neon Orange Book)
ITSEC
Information Technology Security Evaluation Criteria of France, Germany, the Netherlands and the United Kingdom, 1991
EU - Information Technology Security Evaluation Criteria (ITSEC)
Published 1990, updated 1991; based on UK, German & French criteria, and inputs from others
Significant input from USA Orange Book concepts, but overcomes the ‘star connected mainframe’ and USA bias
Considers functionality and assurance orthogonally:
One axis addresses assurance - six hierarchical levels above zero trust (E0 through E6)
Other axis addresses functionality - 10 predefined non-hierarchical classes of functionality (F1 through F10), little used in Australia; the user may define functionality to suit the task
Defines a ‘Claims Language’ to assist evaluation - a semi-formalised and structured language, with defined terminology etc
ITSEC Assurance Classes
ITSEC   TCSEC Equivalent   Comments
“E0”    D                  No proven trustworthiness
E1      C1                 Low commercial
E2      C2                 High commercial
E3      B1                 Low multilevel
E4      B2
E5      B3                 High multilevel
E6      A1                 Formal ‘Proof of Correctness’
ITSEC Functionality Classes
ITSEC   TCSEC Equivalent   ITSEC   Used for
F1      C1                 F6      High Integrity
F2      C2                 F7      Networking
F3      B1                 F8      N/W with Integrity
F4      B2                 F9      N/W with Conf’y
F5      B3 & A1            F10     Network I&C
ITSEC users may define their own functionality
ITSEC Users may define their own functionality
User Defined Functionality
The ITSEC standard functionality classes are OK but do not reflect all situations
A developer may define the functionality they claim, and have it evaluated to a particular assurance level, eg firewalls, weapons systems, banking systems
Most Australian ITSEC evaluations are based on ‘user’ (read ‘vendor’) defined functionality
A rock could rate E6 if appropriate functionality was claimed
Always verify the functionality claimed for the evaluation rating. Eg a firewall is evaluated and advertised as ‘E3’ - but what does it do at the ‘E3’ level of trustworthiness?
Types of Network Threats
Adapted from “Cryptography and Network Security: Principles and Practice”, Second Edition, by William Stallings
Network Threats (2)
Passive Threats (Interception):
Release of contents - read plain text; decrypt and read
Traffic analysis - activity analysis; characteristics analysis
Active Threats:
Interruption (Availability)
Modification (Integrity)
Fabrication (Authenticity)
Encryption ‘Pipe’
[Figure: the target information travels inside an encrypted data stream. Extraneous data can’t enter the stream; intelligible information can’t leave the pipe.]
Encryption may be considered a protective pipe
Network Threats (3)
Encryption is the main tool used to inhibit network threats. Assuming unbroken encryption:
Release of message contents - defeated by encryption
Modification of traffic - modification is still possible, but the result cannot be predicted
Fabrication or replay of traffic - creation of new traffic is defeated; replay of previous traffic is defeated in cipher feedback modes, but not in Electronic Code Book mode (ECB)
Traffic analysis - if headers and body are encrypted, traffic analysis can only be based on traffic timings, flow rates, and transaction size; if only the body is encrypted, header info can be used in traffic analysis
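The ECB versus cipher-feedback point above, as an added example that is not part of the lecture notes: the block cipher here is a constructed 4-round Feistel network whose round function is HMAC-SHA256 (a stand-in so the two modes can be compared offline, not a real cipher), and the key, IV and 16-byte transaction records are constructed. It shows that a ciphertext block lifted from earlier in the stream and re-inserted decrypts to a valid record under ECB but to garbage under CFB, because each CFB block depends on the previous ciphertext block.

```python
import hashlib
import hmac

BLOCK = 16                                  # block size in bytes
ROUNDS = 4
KEY = b"constructed demo key, not secret"   # constructed for the example
IV = bytes(range(BLOCK))                    # constructed and fixed so results repeat


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _f(key: bytes, rnd: int, half: bytes) -> bytes:
    """Feistel round function: keyed hash of the half block (toy cipher)."""
    return hmac.new(key, bytes([rnd]) + half, hashlib.sha256).digest()[:BLOCK // 2]


def encrypt_block(key: bytes, block: bytes) -> bytes:
    left, right = block[:BLOCK // 2], block[BLOCK // 2:]
    for rnd in range(ROUNDS):
        left, right = right, _xor(left, _f(key, rnd, right))
    return left + right


def decrypt_block(key: bytes, block: bytes) -> bytes:
    """Inverse Feistel: any round function gives an invertible permutation."""
    left, right = block[:BLOCK // 2], block[BLOCK // 2:]
    for rnd in reversed(range(ROUNDS)):
        left, right = _xor(right, _f(key, rnd, left)), left
    return left + right


def _blocks(data: bytes) -> list:
    assert len(data) % BLOCK == 0, "example uses fixed-size records, no padding"
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]


def ecb_encrypt(key: bytes, pt: bytes) -> bytes:
    """ECB: every block encrypted independently, so equal plaintext blocks leak."""
    return b"".join(encrypt_block(key, b) for b in _blocks(pt))


def ecb_decrypt(key: bytes, ct: bytes) -> bytes:
    return b"".join(decrypt_block(key, b) for b in _blocks(ct))


def cfb_encrypt(key: bytes, iv: bytes, pt: bytes) -> bytes:
    """Full-block CFB: C_i = P_i XOR E(C_{i-1}), with C_0 = IV."""
    out, prev = [], iv
    for p in _blocks(pt):
        c = _xor(p, encrypt_block(key, prev))
        out.append(c)
        prev = c
    return b"".join(out)


def cfb_decrypt(key: bytes, iv: bytes, ct: bytes) -> bytes:
    """Only the forward block function is needed: P_i = C_i XOR E(C_{i-1})."""
    out, prev = [], iv
    for c in _blocks(ct):
        out.append(_xor(c, encrypt_block(key, prev)))
        prev = c
    return b"".join(out)


# Two constructed 16-byte transaction records make up the protected stream.
RECORDS = [b"TRANSFER 100 ABC", b"TRANSFER 050 XYZ"]


def splice_replay(mode: str) -> dict:
    """Re-insert the first ciphertext block at the end of the stream and report
    whether the receiver decrypts it back into a valid-looking record."""
    pt = b"".join(RECORDS)
    if mode == "ecb":
        tampered = ecb_encrypt(KEY, pt)
        tampered += tampered[:BLOCK]
        recovered = ecb_decrypt(KEY, tampered)
    else:
        tampered = cfb_encrypt(KEY, IV, pt)
        tampered += tampered[:BLOCK]
        recovered = cfb_decrypt(KEY, IV, tampered)
    last = _blocks(recovered)[-1]
    return {"roundtrip_ok": recovered[:len(pt)] == pt,      # genuine traffic still decrypts
            "replayed_record_accepted": last == RECORDS[0],  # True only for ECB
            "last_record": last}
```

Chaining only defeats block-level splicing within a stream; a whole message re-sent with the same IV still needs a higher-layer sequence number or timestamp to be rejected.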
Summary
Security is a concept and attitude of mind - difficult to define
Definition must derive from management directives and policy
Security management is management of risks, otherwise security becomes a black hole
Main issues for consideration are: assets; threats to those assets; countermeasures to those threats; ongoing management leadership and support
Internet Issues Summary
Most Internet security issues identified are mainly Internet specific implementations of broader issues
Encryption of VPN and E-mail is an encryption issue - the Internet is only the vehicle
E-commerce requirements for authentication and non-repudiation are Internet or computer based variants of signatures; public key encryption mechanisms are addressing the issues
Personnel abusing Internet access are only one specific manifestation of widespread poor practices: abuse of company cars, telephones, accommodation, equipment
Concentrate on the real issues:
Perimeter security and internal segmentation (firewalls)
Use firewalls for virus checks etc
Develop understanding of censorship processes and needs
Develop security awareness and a sense of ethics in all parties
Common Reactions (Management)
“It won’t happen to us / our company / me”
Just wait and it will - best to lock the stable door before the horse bolts
“Security gets in the way - is obstructive”
Frequently true and unavoidable to some extent, but the impact can be minimised with planning, management commitment, and training
Good security must always be in the context of the business
Lack of written security policy and directions
Planned policies and committed management guide everyone
Treating security as black/white issues
eg is all xxx-in-confidence info really of the same value? A graduated scale of values and risks is needed
Some people are more trustworthy than others, as are some countermeasures - such as procedures, locks and computers
Common Reactions (Implementation)
Addressing the wrong problem, because it is easier
Assuming most attacks are external (ie “we trust all our people”)
Non-acceptance that commercial intelligence or sabotage are occurring in Australia now
Addressing the wrong threats
eg assuming high risk attacks are violent, high intensity, short duration (eg terrorists or armed holdup) rather than slow and subtle (eg espionage)
Implementing unbalanced security - eg high grade firewalls, but lack of lockable containers or rooms
Ineffectual security - has all of the costs but little benefit
High grade (and costly) firewalls, intrusion detectors etc, poorly implemented and not supported
Good policies and mission statements, but management do not show support and leadership - ie the policies are not implemented
Failure of aftercare for people, procedures, & equipment
Finale
Security has become the major issue following Y2K
Media hype about Internet related security problems has sensitised management, auditors and legislators to the issues - but they generally need technical guidance
Deliberate attacks against businesses are increasing dramatically
Outsourcing of security management to specialist companies is not necessarily the best way for an organisation to go.
Employees should be in control of all sensitive activities.
Tutorial
Q&A and case studies