Currently Skimming:

Overview and Recommendations
Pages 7-48

The Chapter Skim interface presents what we've algorithmically identified as the most significant single chunk of text within every page in the chapter.


From page 7...
... 1 Overview and Recommendations We are at risk. Increasingly, America depends on computers.
From page 8...
... Finally, politically motivated attacks may also target a new class of system that is neither commercial nor military: computerized voting systems.3 Outside of the government, attention to computer and communications security has been episodic and fragmented. It has grown by spurts in response to highly publicized events, such as the politically motivated attacks on computer centers in the 1960s and 1970s and the more recent rash of computer viruses and penetrations of networked computer systems.4 Commercial organizations have typically concentrated on abuses by individuals authorized to use their systems, which typically have a security level that prevents only the most straightforward of attacks.
From page 9...
... Penetrations and disruptions of communication systems appear to be increasing: · A software design error freezing much of AT&T's long-distance network; · The German Chaos Computer Club break-ins to the National Aeronautics and Space Administration's Space Physics Analysis Network; · The West German Wily Hacker attacks (involving international espionage)
From page 10...
... firms lead overall in the computer and communications market, several European governments are now promoting product evaluation schemes and standards that integrate other elements of trust, notably safety, with security. These developments may make it difficult for American industry to sell products in the European market.5 Although the committee focuses on technical, commercial, and related social concerns, it recognizes that there are a number of related legal issues, notably those associated with the investigation and prosecution of computer crimes, that are outside of its scope.
From page 11...
... In many instances (e.g., design of computer viruses, penetration of communications systems, credit card system fraud) attacks are becoming more sophisticated.
From page 12...
... So long as the machine is turned on, the network connection can be exercised by a remote attacker to penetrate the machine. Unfortunately, MS/DOS does not contain security features that, for example, can protect against unwanted access to or modification of data stored on PCs.
From page 13...
... TOWARD A PLANNED APPROACH Taking a coherent approach to the problem of achieving improved system security requires understanding the complexity of the problem and a number of interrelated considerations, balancing the sometimes conflicting needs for security and secrecy, building on groundwork already laid, and formulating and implementing a new plan for action. Achieving Understanding The Nature of Security: Vulnerability, Threat, and Countermeasure The field of security has its own language and mode of thought, which focus on the processes of attack and on preventing, detecting, and recovering from attacks.
From page 14...
... Effort may be expended in countering attacks that are never attempted. The need to speculate and to budget resources for countermeasures also implies a need to understand what it is that should be protected, and why; such understanding should drive the choice of a protection strategy and countermeasures. This thinking should be captured in security policies generated by management; poor security often reflects both weak policy and inadequate forethought.
From page 15...
... Security requires ongoing attention and planning, because yesterday's safeguards may not be effective tomorrow, or even today. Special Security Concerns Associated with Computers Computerization presents several special security challenges that stem from the nature of the technology, including the programmability of computers, interconnection of systems, and the use of computers as parts of complex systems.
From page 16...
... The Internet worm of November 1988 also showed how networking externalizes risk. Many of the more than 2,000 affected nodes were entered easily once a "neighbor" node had been entered, usually through the electronic equivalent of an unlocked door.
From page 17...
... A recognized public interest in eliminating the damage may compel the installation of pollution control equipment for the benefit of the community, although the installation may not be justified by the narrow self-interest of the polluter. Just as average citizens have only a limited technical understanding of their vulnerability to pollution, so also individuals and organizations today have little understanding of the extent to which their computer systems are put at risk by those systems to which they are connected, or vice versa.
From page 18...
... Some analyses (OTA, 1987b) have characterized so-called military security policies (i.e., those
From page 19...
... National security activities, such as military operations, rely heavily on the integrity of data in such contexts as intelligence reports, targeting information, and command and control systems, as well as in more mundane applications such as payroll systems. Private sector organizations are concerned about protecting the confidentiality of merger and divestiture plans, personnel data, trade secrets, sales and marketing data and plans, and so on.
From page 20...
... The secrecy imperative has historically dominated the communications security field. Cryptology (the science of making and breaking codes)
From page 21...
... Through the NCSC and the publication of the Trusted Computer System Evaluation Criteria, or Orange Book (U.S.
From page 22...
... GOVERNMENT · Establishment of the National Computer Security Center · The Orange Book, Trusted Network Interpretation, related publications, and the Trusted Products Evaluation Program · National Security Decision Directive 145; revised and recast as NSD 42 · The Computer Fraud and Abuse Act of 1986 · The Computer Security Act of 1987 · National Telecommunications and Information System Security Policy 200: C2 by '92 · The Secure Data Network System project · NIST's Integrity Workshop program · DARPA's Computer Emergency Response Team program
From page 23...
... Of these documents, perhaps the most widely known is the so-called Orange Book, which is formally known as the Department of Defense Trusted Computer System Evaluation Criteria. The following are brief descriptions of some of the documents that form the Rainbow Series: Trusted Computer System Evaluation Criteria (TCSEC)
From page 24...
... A more complete solution calls for the formulation and implementation of a new, more comprehensive plan that would inject greater resources into meeting commercial computer security needs. SCOPE, PURPOSE, CONTENTS, AND AUDIENCE This report provides an agenda for public policy, computer and communications security research, technology development, evaluation, and implementation.
From page 25...
... · Chapter 3 describes technology associated with computer and communications security, relating technical approaches to security policies and management controls. · Chapter 4 discusses methodological issues related to building secure software systems.
From page 26...
... RECOMMENDATIONS The central concern of this report is how to get more and better computer and communications security into use. Five of the committee's six recommendations endorse actions with medium- to long-range impacts.
From page 27...
... To achieve a similar level of consensus, one that builds on but reaches beyond that accorded to the Orange Book (see Appendix A) , the GSSP development process should be endorsed by and accept input from all relevant communities, including commercial users, vendors, and interested agencies of the U.S.
From page 28...
... · Access control on code as well as data: Every system must have the means to control which users can perform operations on which pieces of data, and which particular operations are possible. A minimum mechanism has a fixed set of operations (for example read, write, and execute)
From page 29...
... · Operational support tools: Every system must provide tools to assist the user and the security administrator in verifying the security state of the system. These include tools to inspect security logs effectively, tools to provide a warning of unexpected system behavior, tools to inspect the security state of the system, and tools to control, configure, and manage the off-line data and code storage and hardware inventory.
From page 30...
... To date and by default, the principal vehicle in the United States for raising the level of practice in computer and communications security has been the National Computer Security Center's Orange Book and its various interpretations. Although
From page 31...
... The C2 and B1 ratings describe systems that provide base-line levels of acceptable discretionary security (C2) and systems that provide minimal levels of acceptable mandatory multilevel security (B1).20 However, the Orange Book is not adequate to meet the public's long-term needs, largely because it is incomplete.
From page 32...
... positions. The committee supports a move already under discussion to conduct simultaneous evaluations of products against the Orange Book and international criteria to improve the understanding of the relationships among different criteria and to enhance reciprocity.
From page 33...
... Until GSSP can be articulated and put in place, industry needs some guidance for raising the security floor in the marketplace. The Orange Book's C2 and B1 criteria provide such guidance, which should be
From page 34...
... The committee urges vendors to incorporate emerging security standards into their product planning and to participate more actively in the design of such standards. In particular, vendors should develop distributed system architectures compatible with evolving security standards.24 Further, vendors and large-system users should make the setting of security standards a higher priority.
From page 35...
... · Restrict general access to software development tools and products, and to the physical environment. · Develop generally available components with well-documented program-level interfaces that can be incorporated into secure software.
From page 36...
... There is a dramatic shortage of people qualified to build secure software. Universities should establish software engineering programs that emphasize development of critical and secure software; major system users should likewise provide for continuing education that promotes expertise in setting requirements for, specifying, and building critical software.
From page 37...
... Implementing it would require that organizations and professionals concerned with security get the word out, to organizations that customarily serve and inform teachers and directly to teachers in communities. Recommendation 4 Clarify Export Control Criteria, and Set Up a Forum for Arbitration The market for computer and communications security, like the computer market overall, is international.
From page 38...
... The requirement for case-by-case review of export licenses for trusted systems with Orange Book ratings of B3 and above adds to the cost of such systems, because sales may be restricted and extra time is needed to apply for and receive export approval. ... when developing more secure systems; vendors do not want to jeopardize the exportability of their mainline commercial offerings.27 The committee recommends that Orange Book ratings not be used as export control criteria. It also recommends that the Department of Commerce, in conjunction with the Departments of Defense and State, clarify for industry the content of the regulations and the process by which they are implemented.
From page 39...
... A key role for NSF (and perhaps DARPA) , beyond specific funding of relevant projects, is to facilitate increased cross-coupling between security experts and researchers in related fields.
From page 40...
... It is important that contemporary projects, both inside and outside universities, be encouraged to use state-of-the-art software development tools and security techniques, in order to evaluate these tools and to assess the expected gain in system security. Also, while academic computer security research traditionally has been
From page 41...
... Examples include tools to check the security state of a system, models of operational requirements and desired controls, and threat assessment aids. · Nonrepudiation: To protect proprietary rights it may be necessary to record user actions so as to bar the user from later repudiating these actions.
From page 42...
... · Programming language research: New paradigms require new security models, new design and analysis techniques, perhaps additional constructs, and persuasion of both researchers and users that security is important before too many tools proliferate. · Software development environments: Myriad tools (e.g., theorem provers, test coverage monitors, object managers, and interface packages)
From page 43...
... Recommendation 6 Establish an Information Security Foundation The public needs an institution that will accelerate the commercialization and adoption of safer and more secure computer and communications systems. To meet that need, the committee recommends the establishment of a new private organization, a consortium of computer users, vendors, and other interested parties (e.g., property and casualty insurers)
From page 44...
... In the longer term, a major activity of the ISF would be product evaluation. The complex and critical nature of security products makes independent evaluation essential.
From page 45...
... Without aggressive action to increase system trustworthiness, the national exposure to safety and security catastrophes will increase rapidly. CONCLUSION Getting widely deployed and more effective computer and communications security is essential if the United States is to fully achieve the promise of the Information Age.
From page 46...
... 12. For example, a description of a magnetic door sensor that is highly selective about the magnetic field it will recognize as indicating "door closed" can indicate to attackers that less sophisticated sensors can be misled by placing a strong magnet near them before opening the door. 13. For example, the GAO recently noted in connection with the numerous penetrations of the Space Physics Analysis Network in the 1980s that, "Skillful, unauthorized users could enter and exit a computer without being detected.
From page 47...
... This effort appears to place relatively limited emphasis on assurance and evaluation, both of which the committee deems important to GSSP and to an ideal set of criteria. The seed for that effort was a project within American Express Travel Related Services to define a corporate security standard called C2-Plus and based, as the name suggests, on the Orange Book's C2 criteria (Cutler and Jones, 1990)
From page 48...
... 31. For vendors, related topics would be trusted distribution and trusted configuration control over the product life cycle.


This material may be derived from roughly machine-read images, and so is provided only to facilitate research.