Transcript EE579U

EE579U
Information Systems Security
and Management
10: Security Management Problems
Professor Richard A. Stanley
Spring 2004
© 2000-2004, Richard A. Stanley
EE579U/10 #1
Overview of Today’s Class
• Review of last class
• Security management problems
Last time…
• Security management is the “glue” that
binds the entire security effort together.
• Absent proper and adequate management, it
doesn't matter how well the other bits and
pieces work
• This is probably the hardest part of all,
because it remains difficult to compute the
ROI
Why Are We Here?
• To manage systems security in an effective
manner, right?
• We have studied all the technologies and
tools, so nothing can go wrong, right?
• Wrong!
– There are lots of things that exist that can make
our jobs harder and more challenging
Spies at Work
• FBI counterintelligence agent Robert Hanssen
convicted of espionage
• What can we learn from this?
– He wasn’t caught because he was careless
– He knew all the tricks used to catch spies
– He was arrogant (Philby book)
– He did “exceptionally grave” damage to the nation, and
is probably directly responsible for at least two people
being executed
• So what does that have to do with system
security?
Where to Hide Things?
• In a difficult to find location?
• In a safe deposit box?
• In a dead drop?
• How about in plain sight?
• And…why are we hiding them, anyway?
One Worry
• This is a stegosaurus
• We need to worry about steganography
Steganography
• “Covered writing”
– from the Greek steganos and graphos
– steganos = covered (or roofed)
– graphos = writing
• Includes such arcana as invisible ink,
hollow heels in shoes, open codes
• A real problem for systems security, as we
shall see
Null Cipher Example
News Eight Weather: Tonight increasing snow.
Unexpected precipitation smothers eastern towns. Be
extremely cautious and use snowtires especially heading
east. The highways are knowingly slippery. Highway
evacuation is suspected. Police report emergency
situations in downtown ending near Tuesday.
Decodes as:
Newt is upset because he thinks he is President.
Actual WWII Null Cipher
Apparently neutral's protest is thoroughly discounted and ignored.
Isman hard hit. Blockade issue affects pretext for embargo on
by-products, ejecting suets and vegetable oils.
(Read the second letter of each word; "by-products" counts as one word.)
Decodes as:
Pershing sails from NY June 1.
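A null cipher is only "hidden" until someone tries the obvious extraction rules, so the first thing a practitioner does with a suspect text is run those rules mechanically. The following is an added example, not code from the lecture: it pulls the letter at a chosen position from every word and tries several positions at once. The two cover texts are copied from the slides above; the tokenizing rule (a hyphenated word such as "by-products" is one word, apostrophes are dropped) is my assumption, chosen so the WWII text decodes as the slide states. Run against the first slide's cover text it recovers "thaks" where the slide's decode reads "thinks", so that cover text as printed does not quite encode the stated plaintext.

```python
"""Null-cipher extraction: the letter at a fixed position of every word.

Added example; not from the lecture. Cover texts are the two slides' examples.
"""
import re

# One token per word. Letters and digits, plus apostrophes and hyphens that sit
# between them, stay together so "neutral's" and "by-products" are single words.
WORD = re.compile(r"[A-Za-z0-9]+(?:['\u2019\-][A-Za-z0-9]+)*")

NEWT_COVER = (
    "News Eight Weather: Tonight increasing snow. "
    "Unexpected precipitation smothers eastern towns. Be "
    "extremely cautious and use snowtires especially heading "
    "east. The highways are knowingly slippery. Highway "
    "evacuation is suspected. Police report emergency "
    "situations in downtown ending near Tuesday."
)

WWII_COVER = (
    "Apparently neutral's protest is thoroughly discounted and ignored. "
    "Isman hard hit. Blockade issue affects pretext for embargo on "
    "by-products, ejecting suets and vegetable oils."
)


def null_cipher_decode(cover, position=1):
    """Concatenate the letter at 1-based `position` of each word (lower-cased).

    Words shorter than `position` contribute nothing, which is the usual
    convention for these ciphers.
    """
    out = []
    for word in WORD.findall(cover):
        letters = re.sub(r"[^A-Za-z0-9]", "", word)  # drop apostrophe / hyphen
        if len(letters) >= position:
            out.append(letters[position - 1].lower())
    return "".join(out)


def candidate_positions(cover, max_position=3):
    """Try positions 1..max_position and return {position: decoded_string}.

    An analyst scans these for anything that reads as language.
    """
    return {p: null_cipher_decode(cover, p) for p in range(1, max_position + 1)}


if __name__ == "__main__":
    for name, cover in (("Newt", NEWT_COVER), ("WWII", WWII_COVER)):
        print(name)
        for pos, text in candidate_positions(cover).items():
            print(f"  position {pos}: {text}")
```

Position 1 on the Newt text and position 2 on the WWII text are the readable rows; everything else is noise. The same loop extended to a few more positions, or to first letters of sentences or lines, covers the common open-code variants.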
Another Example
[Image slide: panels labelled S0, S1 and Result]
Interesting, but So What?
• What if we were to replace the least
significant bits of a complex data file with
information we wanted to transmit secretly?
• File compression matters: the low bits survive
lossless or uncompressed formats, but lossy
formats rewrite them
– Lossless or uncompressed (e.g., GIF, BMP)
– Lossy (e.g., MPEG, JPEG)
• Downgrading information--how can you be
sure what you downgraded?
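To make the least-significant-bit idea concrete, here is an added example (not a tool from the lecture or a real stego product) that embeds a payload in the LSB plane of an 8-bit sample array, extracts it again, and then shows the two points the slide makes: every sample moves by at most one unit, so the cover looks unchanged, and a lossy stage that rewrites the low bits destroys the payload while a lossless container preserves it. The cover is a constructed list of random byte values standing in for pixel or audio samples, the 32-bit length header is my own framing convention, and the "lossy" step simply clears the two low bits of each sample as a stand-in for codec requantisation; it is not an implementation of JPEG or MPEG.

```python
"""LSB steganography on an 8-bit sample array (added example, not page code)."""
import random
import zlib

HEADER_BITS = 32  # payload length in bytes, big-endian, embedded before the payload


def _bit_stream(data):
    """Yield the bits of `data`, most-significant bit of each byte first."""
    for byte in data:
        for shift in range(7, -1, -1):
            yield (byte >> shift) & 1


def capacity_bytes(cover):
    """Payload bytes that fit once the length header is accounted for."""
    return max(0, (len(cover) - HEADER_BITS) // 8)


def embed(cover, payload):
    """Return a copy of `cover` whose LSBs carry len(payload) and then payload."""
    if len(payload) > capacity_bytes(cover):
        raise ValueError(f"{len(payload)} bytes exceeds capacity {capacity_bytes(cover)}")
    stego = list(cover)
    framed = len(payload).to_bytes(4, "big") + payload
    for i, bit in enumerate(_bit_stream(framed)):
        stego[i] = (stego[i] & 0xFE) | bit  # only the low bit changes: |delta| <= 1
    return stego


def _read_bytes(samples, first_bit, count):
    """Reassemble `count` bytes from the LSBs starting at sample `first_bit`."""
    out = bytearray()
    for k in range(count):
        value = 0
        for j in range(8):
            value = (value << 1) | (samples[first_bit + 8 * k + j] & 1)
        out.append(value)
    return bytes(out)


def extract(stego):
    """Read the length header, then that many payload bytes, from the LSB plane."""
    length = int.from_bytes(_read_bytes(stego, 0, 4), "big")
    if length > capacity_bytes(stego):
        raise ValueError("LSB plane does not carry a valid header")
    return _read_bytes(stego, HEADER_BITS, length)


def max_sample_change(cover, stego):
    """Largest absolute change to any sample; LSB embedding keeps this at 1."""
    return max(abs(a - b) for a, b in zip(cover, stego))


def lossy_requantize(samples, dropped_bits=2):
    """Stand-in for lossy recompression: discard the low `dropped_bits` of every
    sample. Real codecs quantise in a transform domain, but the effect on the
    LSB plane is the same: it is overwritten and the payload is gone."""
    keep = 0xFF & ~((1 << dropped_bits) - 1)
    return [s & keep for s in samples]


def survives_lossless(stego):
    """A lossless container (zlib here; GIF/PNG in practice) returns the samples
    bit-for-bit, so the extracted payload is unchanged."""
    raw = bytes(stego)
    return extract(list(zlib.decompress(zlib.compress(raw)))) == extract(stego)


def make_cover(n_samples, seed=1):
    """Constructed stand-in for pixel or audio samples (not a real image)."""
    rng = random.Random(seed)
    return [rng.randrange(256) for _ in range(n_samples)]


if __name__ == "__main__":
    cover = make_cover(4096)
    secret = b"meet at the dead drop, 0300"  # constructed payload
    stego = embed(cover, secret)
    print("capacity:", capacity_bytes(cover), "bytes")
    print("recovered:", extract(stego))
    print("largest per-sample change:", max_sample_change(cover, stego))
    print("survives lossless round trip:", survives_lossless(stego))
    print("after lossy requantisation:", extract(lossy_requantize(stego)))
```

The capacity line is the "so what": a 4096-sample cover hides 508 bytes with no sample moving by more than one quantisation step, which is far below anything a viewer or listener notices. The lossy step returns an empty payload because the header bits are all cleared, which is exactly why LSB tools target GIF, BMP and other lossless or uncompressed carriers rather than JPEG.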
King’s College,
Cambridge (UK)
The image in which
another image will
be hidden using
steganography
Stego Summary
• Careful comparison of the two King’s
College photos shows the stego image is
slightly less sharp than the original
• Careful examination of the Pentagon aerial
photos shows the recovered image is
slightly less sharp than the original
• BUT…you knew what to look for
Stego Implications
• How can you be sure that what has been
downgraded does not hide other
information?
• Steganography can be used as a covert
channel that is very hard to find
• Steganography also provides a tool that can
be used to watermark a complex file
Fortunately, steganography is so complex
and hard to implement that it is not likely
the average hacker or crook would be
able to exploit it.
Equally fortunately, we have discovered that the
moon is made of green cheese.
Some Stego Tools
• OutGuess
• Information Hiding Homepage
• Steganography Tools
• Invisible Secrets
Other Stego Uses
• Covert information distribution
– eBay images have been found which contain
stego information believed to be messages to
terrorist cells
– Much of the imagery on the Internet contains
stego data, which could be executables
• Don’t get too cute -- why would you
suddenly start trading pictures with
someone?
Some Thoughts
• What about the Bell-LaPadula model?
– No write down?
– No read up?
• The Internet thrives on visual imagery.
What does this imply for security based on
what we have studied tonight?
• Why did it take 15 years to catch Hanssen?
How long would it take to uncover stego?
Another Problem
How do you counter these?
Security Domains (Source: CISSP CBK)
 Security Management Practices
 Security Architecture and Models
 Access Control Systems & Methodology
 Application Development Security
 Operations Security
 Physical Security
 Cryptography
 Telecommunications, Network, & Internet Security
 Business Continuity Planning
 Law, Investigations, & Ethics
Courses mapped onto these domains in the original diagram: EE578, EE579S, EE579T, EE579U
“The Myth of Cyberterrorism”
• Article by Joshua Green, November 2002
http://www.washingtonmonthly.com/features/2001/0211.green.html
• Offers the premise that “There is no such
thing as cyberterrorism--no instance of
anyone ever having been killed by a
terrorist (or anyone else) using a computer”
• Let’s take a look at this assertion to see if it
really makes sense
Green’s Thesis
• Only death by computer “counts” as
cyberterrorism
• Acknowledges that cybersecurity is a
“serious problem,” but believes “it’s
just not one that involves terrorists”
– Alleges $15B damage to global economy in
2001 due to viruses, worms, etc.
• Does this make sense?
Consider This...
• “...nuclear weapons and other sensitive military
systems [are] not physically connected to the
Internet and are therefore inaccessible to outside
hackers”
• “It’s impossible to hijack a plane remotely, which
eliminates the possibility of a high-tech 9/11
scenario in which planes are used as weapons”
• So what? Does this mean cyberterror is not to be
worried about?
What About Critical
Infrastructure?
• Green agrees that non-military systems are “less
secure” than government systems
• “Most hackers break in simply for sport”
– Even if this were true, is it cause for comfort?
• Dismisses the threat because “most serious
cybersecurity breaches...tend to come from
insiders”
– We know this already
– Is this reason not to worry?
Examples
• Robert Hanssen, worst spy in US history
– Dismissed by Green because insider knowledge made his
espionage possible, and he was a “rogue employee,” not a terrorist
– Is this a meaningful definition?
• “Two years ago, an Australian man used an Internet
connection to release a million gallons of raw sewage
along Queensland's Sunshine Coast after being turned
down for a government job”
– Green believes this is not terrorism, but another rogue employee
– Perpetrator was a former employee of the contractor that installed
the sewage system’s control equipment, therefore somehow not a terrorist
US Naval War College Study
• Simulated massive attack on national critical
infrastructure
– Failed to crash the Internet, but caused sporadic damage
– Estimated that “terrorists hoping to stage such an attack
‘would require a syndicate with significant resources, including
$200 million, country-level intelligence and five years of preparation time.’”
– This level of funding is available to terrorist groups, as
is the intelligence. The 9/11 attacks are now believed to
have involved more than two years of planning.
– Does this make you rest easier?
Al Qaeda Computers
• Contained “structural and engineering
software, electronic models of a dam, and
information on computerized water systems,
nuclear power plants, and U.S. and
European stadiums. But nothing suggested
they were planning cyberattacks, only that
they were using the Internet to communicate and coordinate physical attacks.”
An Example
• Worcester Airport attacked, shut down by teenage hacker
using Internet connection (March 10, 1997)
• “… [the] youth temporarily disabled a loop carrier system,
which combines multiple phone lines for transmission over
a single fiber-optic cable.
• “By targeting the loop carrier system, the confessed hacker
wiped out telephone access to the airport's control tower,
fire department, airport security, and weather service, as
well as private airfreight firms for six hours. The attack
also downed the airport's main radio transmitter and the
circuit that lets incoming aircraft switch on runway lights.”
Example, Continued
• The same hacker also
– disrupted telephone service to Rutland, MA
– “...attack[ed] ... the branch of an unidentified major
pharmacy chain … on four separate occasions from
January through March of last year [1997]. The hacker
– acquired the names, contact information, and
prescriptions for the pharmacy's customers, but neither
altered nor distributed that information” But could have!
• Only chance prevented these events from
becoming disastrous
• Is this terrorism?
[Source: Paul Festa, “DOJ charges youth in hack attacks” CNET News.com, March 18, 1998]
Some Thoughts
• Concern about over-hyping a threat is a valid issue
• But that does not mean that the threat is not real
• History provides some very discomforting
examples
• Narrowly defining “terrorism” may allow it to be
dismissed in an academic discussion, but it does
not diminish the actual threat.
– This sort of approach actually plays into the hands of
those who seek to exploit existing systems
Historical Examples
• Prior to the 9/11 attacks, “experts” dismissed the
possibility that airliners could or would be used as
flying bombs
– History was that hijackers would not harm passengers if
their demands were met, so crew were to “go along”
– However, in 1995, terrorists were arrested in the
Philippines with plans to hijack many aircraft and crash
them into buildings. These plans were well-known,
even in the press, 6 years before they were implemented
• Pearl Harbor provides similar lessons
• Tragedy usually results from a failure to think
“outside the box”
Observations
• There is a fine line separating healthy paranoia
from hysteria
• Technologists need to be skeptical and to look
beyond simple history in applying technology
• If history teaches us anything, it is that we are all
too often well-positioned to fight the last war, and
poorly situated to deal with the current situation
• Problems do not disappear by redefining them so
that they appear to be less significant
Now What?
• Policy is essential, but how do you know if
it is working, and how well?
• You need to do an audit
– Not a once in a lifetime event
– Needs to be regular, but aperiodic
– Follow the financial industry guidelines
– May want to follow standards
Audit Types and Purposes
 Types of audits
 Global security audits
 Verification audits
 Compliance audits
 Intrusive audits, or “Tiger Teams”
 Who should perform?
 Internal audit staff
 Audit performed by a trusted outside party
 Accredited external audit team
Planning an Audit: 1
 Policy review and analysis
• Choosing the methodology and time frame to use for the audit
• Obtaining senior management approval and consent for the
level of the audit and the auditors
• Contract
• Legal liabilities
• Rules of conduct, including forbidden areas
• Data collection planning
• Scope of work to be undertaken (e.g., how extensive an audit is
to be performed?)
• Managing expectations
• Dealing with problems (e.g., what if no issues are found in the
allotted time?)
Planning an Audit: 2
 Comparing the system described in the policy
to the system that actually exists
 How to find the differences
 What to do about them?
 How will they affect the audit?
 The final audit plan
 Approval
Conducting an Audit: 1
 Obtain information about the system to be audited
 Policy analysis
 Actual system scans and evaluations
 Collect and protect audit data
 Work methodically and professionally at all times
 Tools available to help in the audit
 Develop and adhere to the data collection plan (e.g., take screen
shots)
 Keep the customer informed
 Reports as agreed in the plan
 Immediate reporting if something big is found
 The customer’s ability to fix the problem exceeds the auditor’s need
to crow about finding it
 Keep findings confidential
 Don’t leap to conclusions
Conducting an Audit: 2
 Follow-up / retesting
 Prepare the audit report
 Executive summary
 Vulnerabilities and/or problems found
 Several small things can add up to a large problem
 Business impact
 Recommendations
Evaluating Audit Results
 Assess the severity of the findings
 Depends on the organizational security policy and business model
 Deciding if external help is needed to deal with the findings (e.g., are
we able to understand and deal with the findings?)
 Do the findings corroborate the perceived threats?
 Is a change to the security policy needed?
 Does this warrant another audit before proceeding further?
 Rank problems: what to fix first; where to stop?
 Match vulnerabilities and problems to legal liability issues
 Determine if further, perhaps more extensive, auditing is warranted
 Evaluate what, if any, changes to security policy are warranted
based on findings
Dealing With Problems: 1
 Workstation problems
 Physical access controls
 Environmental controls
 Object controls
 Data validation and auditing
 Data file controls
 Output controls
 Performance
Dealing With Problems: 2
 Software problems
 Licensing issues
 Version and configuration control
 Update control
 Business continuity problems
 Disaster events and probabilities
 Alternative sites
 Testing business continuity plan
Audit Standards & Tools
 BS 7799 / ISO 17799
 Good starting point for policies and audits
 Compliance not trivial
 Agreed-upon international standard
 COBRA tool automates compliance checking
 COBIT (Control Objectives for Information and related
Technology)
 Generally accepted IT control objectives
 Developed and recognized by the ISACA (Information
Systems Audit and Control Association), the international IT
auditors’ professional organization
 Includes audit guidelines
 Developing your own standards
ISO 17799 Overview
• Security Policy
• Security Organization
• Asset Classification and Control
• Personnel Security
• Physical and Environmental Security
• Computer & Network Management
• System Access Control
• System Development and Maintenance
• Business Continuity Planning
• Compliance
Audit Review
• Necessary element to ensure compliance
with security policies
• Many approaches to performing
• Standards-based approach has merit, but
requires rigorous compliance
• Recent financial escapades illustrate the
need for frequent, thorough system audits
Copyrights in the Digital Age
• Once a digital copy of a copyrighted work
“gets loose,” how to control its
dissemination?
• A very real issue for media such as eBooks,
CD-ROMs, etc.
• The Digital Millennium Copyright Act
attempts to deal with this problem
Digital Millennium Copyright
Act (DMCA)
• Signed into law October 28, 1998
• Expands the protection of copyrighted
works on the Internet and in digital form
– “Black Box” (anti-circumvention) Provisions
• Limits the liability of on-line service
providers for infringement of copyrighted
works
– “Safe Harbor” Provisions
DMCA “Safe Harbor”
• Service providers, upon payment of $20 fee
and meeting reporting requirements, can
qualify for liability protection against
copyright infringement
– “Service provider” is defined broadly as “a
provider of online services or network access,
or the operator of facilities therefor”
• Providers must not interfere with “standard”
measures used to ID and protect copyrights
DMCA “Black Box”
• DMCA makes circumventing protective
technologies, such as encryption and passwords, a
violation of the law
• Removing or altering “copyright
management information” is also a violation
• Even if your copyrighted work is not actually
copied, a person could be liable for attempting to
do so, or for giving others the tools and access to
do so
DMCA Observations
• This is a major extension of copyright law!
• Penalties for “black box” violations exceed
the penalties in 17 USC for infringement
• There is little, if any, case law yet
• Does this violate the “fair use” doctrine?
• Feared to put a damper on research into
cryptography and cryptanalysis
ElcomSoft, Dmitry Sklyarov
and the DMCA
• Sklyarov, a Russian programmer who, with his
company ElcomSoft, developed software that defeated the
encryption on Adobe eBooks, allegedly so that purchasers
could make backup copies or have the text read aloud
• Sklyarov arrested July 2001 in Las Vegas and
charged with violating the DMCA
– Four circumvention counts, one conspiracy count
– No copyright infringement counts
• Charges against Sklyarov dropped in exchange for his
testimony; ElcomSoft acquitted on all counts, December 2002
Technological Solutions?
• Copy protection schemes are as old as
magnetic media, and most have not worked
as planned
• Newest approach is Digital Rights
Management
Digital Rights Management
• Provides controlled delivery of digital
media content such as eBooks, etc.
• Enables
– Content protection
– Secure content distribution
– Content authenticity
– Transaction non-repudiation
Types of DRM Rights
• Time-based
– License expires at specific time or after
stipulated period of use
• Object-based
– Rights attach to an object
• Transferable
– Rights able to migrate across platforms, etc.
– Can control copying amount, frequency
DRM Specification Languages
• Three primary languages used presently:
– eXtensible Rights Markup Language (XrML)
– Open Digital Rights Language (ODRL)
– eXtensible Media Commerce Language (XMCL)
• Languages intended to communicate rights
information, not enforce protection
Issues
• Interoperability
– Consumers want digital media that is easily
read on multiple platforms
• Standards a problem (cf. VHS vs. Betamax)
– Content providers want to protect content and
also make content available to as many
consumers as possible
• Also interested in standards
• Lower costs if only one media standard evolves
DRM Functional Architecture
[Diagram: the three functional areas of the DRM architecture and their components]
• IP Asset Creation: Create Rights, Validate Rights
• IP Asset Management: Repository, Trading
• IP Asset Usage: Permission Mgmt, Tracking Mgmt.
DRM Rights Expression Model
[Diagram: the components of a rights expression]
• Permissions (e.g., Copy, Print)
• Constraints (e.g., Count, Time)
• Obligations (e.g., Pay charge, Register)
• Rights Holders
Securing Content
• Encryption
– Called “containment” in DRM
• Marking
– Placing a watermark or other marker to indicate
that the media is copy protected
• Neither of these approaches is foolproof
• DMCA provides legal remedies, but may
not stand the test of court scrutiny
Summary - 1
• The existence of secure tools and protocols is not
a guarantee of security
• Human spies are a real problem, and hard to catch
• Steganography is one way for information to leak
out of a system
• Steganography can be very hard to find, but it is
very easy to implement at low cost
• New, helpful devices can make security much
harder than it used to be
Summary - 2
• Policy is essential to establishing a secure
computing system
• Audits are needed to verify the policy
• Good auditing is as hard as good policy
• Digital technology raises difficult new
challenges to the copyright laws
• DRM seeks to protect copyrighted material
• DMCA deals with defeating copy protection
Homework: 1
• Using the Internet, conduct a survey of
steganography tools available for download,
and -- to the best of your ability based on
the descriptions provided -- compare and
contrast them.
• How would you protect your IT system
against steganography leaks, both looking
inwards and looking outwards?
Homework: 2
• Read the Joshua Green article discussed at
the beginning of the lecture, found at
(http://www.washingtonmonthly.com/features/2001/0211.green.html). Write a
short essay (400-800 words or so)
explaining your opinion on Mr. Green’s
thesis and analysis. Do not be afraid to be
original or to express an opinion you
believe may be contrary to the professor’s.