EMU Spring Lecture Series 1998

Notes to accompany presentation on the state of practice in information security in industry.

Julie JCH Ryan
Copyright 1998

Slide 1: Introduction

I'm here tonight to report on the state of practice in information security in industry, and while this isn't nearly as exciting as proving that God exists, it's still pretty important.

Simply put, the state of practice is abysmal.

Why? Due to a confluence of events. First, the integration of information technology proceeds much faster than prudent. It's remarkably easy to automate processes, and the efficiencies achieved through that automation have contributed mightily to the situation at hand. When your competitors have been able to reduce inventory lag time through use of automation, you simply cannot afford to stay with manual processes-that's a recipe for going out of business, probably through bankruptcy. After all, who would buy an outmoded business that lost market share to the competition through inefficiencies?

Second, the speed with which dramatic increases in the basic capabilities of information technology have sprung, and continue to spring, upon us.

Remember when a 20 megabyte hard disk was all the storage in the world? There was no way you could ever fill up that much space! And even complex applications fit on a single diskette, with room to store files as well. That was only a little over a decade ago. Today, the standard off the shelf machine comes with over 100 times that much hard disk storage, and the applications that run on a desktop microcomputer outperform the applications that built the atomic bomb.

Third, information technology is cheap.

For less than five thousand dollars, you can buy a really hot machine with an impressive suite of applications that can make you look like a pro. You can draw on the collected intelligence of mathematicians through spreadsheet automated functions, have a virtual secretary check both your grammar and spelling through automated word processing functions, and even make like an artist through the magic of clip art. You can manage your money, create wills and other legal documents, and document your family tree.

Think about what it would take to do all these things without software assistants: it would take time, education and/or money-probably a lot of money. Of these, the premier resource these days is time. Time is money, money is time. Do any of you have enough time to do everything you need or want to do? I just took a vacation to Montana with my husband, and my laptop. While on the trip, I used that laptop to do two things: first, I developed this presentation. Second, I created, from scratch, an expert decision support system to assist students in choosing courses to complete a master's degree at my other university. All of this took approximately 8 hours over a four day period, thanks to the technology I had available. The laptop I used was an ordinary, run of the mill, 2000 dollar model with no special or extraordinary capabilities.

As an aside, I had never thought of Montana as a hotbed of technology. My vision was that of Ted Kaczynski. However, waiting for the plane to board in Kalispell, I noticed that just about every other person coming through security had a laptop-young people, old people, people in suits, people in jeans. One view of information technology that this suggests is that of technology as an equalizer.

Back to the subject matter, though, these three conditions-ease of use, dramatic capability increases, and low barriers to entry in terms of cost-have combined to create a situation where the application of information technology to everything is rampant.

Now consider what it takes to develop an understanding of second and third order effects of a technological capability, as well as unintended consequences. How long did it take us to realize the effects of widespread use of antibiotics? How about the connection between cars, roads, and urban blight? Not to mention suburban sprawl. Simply put, it is very difficult to analyze and predict all the effects and consequences of any technology.

It is several orders of magnitude harder to understand those effects and consequences when the speed with which the technology is adopted, adapted and improved is 3 to 5 times faster than our ability to analyze the existing generation of technology. This explains why the state of practice in information security is abysmal; in this presentation, I'd like to show you what can be done about that state of affairs.

Slide 2: The CitiBank Experience

Consider the problem that CitiBank had. Here is an enormous financial institution, well used to the complexities and challenges of operating internationally in today's environment where somewhere around 3 trillion dollars is electronically transferred every day. You would think an institution like this would know from security-after all, people have been robbing banks through one means or another since there have been banks.

They certainly thought they knew security. The impact on their business would be catastrophic if customers began to believe that their money was not safe. Saying that CitiBank put a priority on security of funds is not an overstatement. You can imagine the shock and horror then, when all of a sudden, they noticed that money was going missing. It wasn't ending up where it was supposed to go. Imagine trying to explain that to another bank or customer expecting funds transfers. There were security measures in place to prevent theft of electronic money-strong encryption, two-person control of transactions (one person to generate and another to execute the transaction). It seemed inconceivable that any person or persons could have figured out how to hijack the transactions. And yet that is exactly what happened.

From news sources, it appears that approximately 10 million dollars was stolen. Eventually, CitiBank recovered all but approximately 400 thousand of that. And CitiBank learned some powerful lessons about human ingenuity, second order effects, unintended consequences, and information security.

Slide 3: A Combination of Skill and Knowledge

How could this happen? The human intellect is an extraordinary thing. Combine imagination with skill and knowledge, and it is just as likely that a human will figure out how to invent a new tool as it is that he will figure out how to short cut societal norms and processes.

So, here we have it: A very smart Russian named Levin, living in St. Petersburg, Russia, hacked CitiBank through SprintNet. Once he was in, he hijacked funds transfers and redirected them to accounts in many different cities. There, accomplices would pick up the money. It didn't take CitiBank long to figure out what was going on. After all, there was an inherent immediate warning alarm-funds transfers are from someone and to someone. It is safe to assume that the "to someone" is generally expecting the transfer. And when it didn't show up as promised or scheduled, they might be a tad concerned. Maybe even to the point of politely inquiring as to where the one million they were expecting and needed immediately is.

And once they had figured out what was going on, they immediately took steps to stop it. This, of course, included getting Comrade Levin to a country with an extradition treaty.

Slide 4: Solving the Problem

Solving the problem turned out to require human ingenuity and skill as well. CitiBank had, as previously noted, security features in place. They had to figure out how Levin was getting around these features, and they also had to figure out how he was making the system do what he wanted it to do. Short of being able to stop the intrusions, they needed to be able to detect his activities so they would be able to counter them eventually. And to really complicate matters, they needed to do all of this in a manner consistent with correct evidence collection procedures so that they could successfully prosecute him if and when they could arrest him.

It turned out that if you knew where to look, you could spot the illicit transfers. An in-depth analysis revealed tell-tale characteristics that only the illicit transfers carried-the side effect of the methods that Levin was using to perform the transfers. Using that knowledge, CitiBank was able to insert software to detect those transfers and to generate alerts. And, of course, CitiBank used the knowledge gained to upgrade their security posture.

Slide 5: So What?

So what's the big deal? A guy robbed a bank. People have been doing that since there were banks. The fact of the matter is that we humans aren't exactly what you'd call trustworthy. Anything of value is fair game, and just about everything is of value.

I would like to read you a news article from the Toronto Globe and Mail from the second of June.
(Article: 02 Jun 98, CANADA: REPORT ON COMPUTERS - LOOSE LIPS SINK CHIPS. Special to The Globe and Mail.)

You know that this is not an incidental problem when a major newspaper not only reports the story but also includes helpful tips on how to prevent it from happening to you.

The fundamental question that we must all face is: how much can you afford to lose? It's not whether you will lose something, but how can you contain the inevitable loss to what you can afford-in terms of time, resources, intellect, and money.

This notion pervades our societal structures. Look around and you see all sorts of protective mechanisms in place, for both individuals and larger communities. Things like safe-deposit boxes and mace or pepper spray provide the individual with some measure of protection. Those pictures of your great-grandparents arriving at Ellis Island simply can't be replaced-would you risk them by keeping them outside of a fireproof safe? Additionally, there are communal institutions that provide a standard of security which enables us to function productively and without inordinate fear. The police maintain a standard of order; the Secret Service protects the integrity and value of our currency.

Given this underlying texture of security mechanisms, it is fairly obvious that there is only one element in the equation that has changed. People's proclivities to lie, cheat, and steal haven't changed, and other people's reaction to such actions hasn't changed either. The thing that has changed is the underlying technology base.

Slide 6: Ubiquitous

One of my favorite pastimes is to observe the evidence of technology advances on everyday life. Every time a technology catches on, you see signs of it popping up in really unusual places. For example, the next time you look at any broadcast media-newspaper, magazine, billboard, TV-make a mental note of how many URLs you see. On the off-chance there is someone here who doesn't know what a URL is, it is a "Universal Resource Locator"-or web address.

Once you start noticing them, start noticing what kinds and sizes of businesses are advertising their URL. It's a fascinating exercise, particularly when you consider the age of the World Wide Web. This is an application that barely existed 5 years ago. Now it is everywhere.

My first grandchild was born April 29th. The maternal grandparents could not come, due to illness in the family. Neither could any of the new mother's siblings. Ordinarily, this opportunity for family rejoicing, sharing, and bonding would have been lost forever. But due to the availability of appropriate technology, the entire family on both sides-living everywhere from Los Angeles to Houston to Germany-had access to the baby pictures by May first. How? First, there was the one hour photo processing, enabled by computer chips. Then I scanned in the best photos, using my flatbed scanner hooked to my Macintosh. Then I transferred the digitized images to my Pentium, where I uploaded them into a web page I created specifically for the purpose. Little Jake had his own web page within two days of birth, and a family scattered all over the globe shared in the excitement of the moment.

The ease with which the technologies can be used makes them hard to resist. It has become increasingly rare for new systems to not include information technologies, and the research folks are looking to incorporate information technology into even more aspects of life, like walls and floors. This explosion of highly integrated information technology into every facet of life also brings with it concerns-security concerns. When information technology is incorporated without much thought as to unintended consequences or second and third order effects, assuring things like content, access, and infrastructure while maintaining confidentiality, integrity, and availability becomes a little dicey.

Slide 7: The Technology

To greatly complicate matters, all of this rampant information technology is being increasingly interconnected. More information, and more valuable and more useful information, is being created, stored, shared, collaborated on, and exploited. The increasing interconnectivity sometimes creates some unique pathways, too.

A huge challenge for security consultants is first of all identifying simply how many ports are in a system. How many phone lines? How many are used, legitimately? How many are not supposed to be in use? How many modems? How many network accesses? After that kind of data is collected, a fascinating picture typically emerges-one which, again typically, isn't supposed to be possible. "Did you know that someone could go from A to X to C to M and gain access to B?"

And then a more fundamental question arises, which is simply: what is the value of your information? If someone found out the recipe to Honest John's Extraordinary Cookies, what has Honest John lost? Would the answer be different if the person deleted the recipe? What if it, instead, were the formula to the cure for AIDS? These highlight the tough questions that must be confronted.

Slide 8: Managing Risk

Understanding the value inherent in your information is only the first step. Once you realize that you have something that needs to be protected, then you can begin the process of managing your risk.

Note that I said "manage" and not "eliminate." The best you can do in life is minimize-you can't eliminate. There are smart things you can do to minimize or manage your risk. The common sense equivalent of not walking downtown alone at 2 a.m. applies to all facets of life, including information technology.

In information security, we think of risk as being the result of or the combination of several things. First of all, vulnerabilities. If there are no vulnerabilities, then there is no problem-no risk. But everything is vulnerable to a determined opponent. So you have to understand your vulnerabilities, just as you have to understand your threats. Threats are, broadly speaking, bad things. They can include natural disasters, like fires and floods, but are more commonly thought of in terms of humans who have the capability to do you harm. That is not to say you should ignore fires and floods-if you've put your computer center in the basement of a building in the 10-year flood plain, you are simply asking for problems. Countermeasures can help you mitigate threats and vulnerabilities, and understanding the potential impact of loss or damage allows you to apply resources appropriately.

The entire enterprise must be considered when you are assessing risk, and the risk situation should be periodically reassessed. A typical intelligence gathering method for outsiders seeking to compromise an enterprise's security is to gain access to the premises through subterfuge-such as getting a temporary job as a cleaning person. This allows them relatively unsupervised time to look for operating instructions, passwords, and other valuable system access data.

Slide 9: Types of Attacks

The types of attacks are limited only by the circumstances of your security posture and human ingenuity. If you build a Maginot Line, someone will think to go around or above it.

It is like Dorothy and her friends walking through the enchanted forest on the way to see the Wicked Witch of the West (whose initials, I might point out, are WWW). As Dorothy and the Lion, Tin Man, and Scarecrow are walking through the forest, they are on the watch for lions and tigers and bears. Oh my! It never occurs to them to look up and keep an eye out for flying monkeys. Whoever heard of flying monkeys? Hah! And, yet, that is exactly what gets them.

The challenge in the current state of ubiquitous interconnected information technology is to keep an eye out for flying monkeys. Where are you least expecting an attack to come from? From where is an attack "impossible?" I'd recommend you check those places carefully, and keep an eye on them.

Types of attacks that we know about include the obvious-stealing data, changing data, making data unavailable for use-and also the not so obvious-such as threatening to launch a cyber-attack unless protection money is paid. Extortion-same old game, new playing field.

Slide 10: Current Practices

Given all of this, what do we see as the typical response of corporations? Easy-"Well, let's just slap a firewall on the system to keep the no-goodniks out." By the way, that can also provide a convenient way to monitor the activities and email of employees. If there is any physical security, it is typically not coordinated. A network system administrator with little career growth potential handles the firewall, and physical security is handled by folks who rarely even see a computer. They don't talk, either, and if they did talk it is doubtful that they would understand each other. So we have the two ships passing in the night and, as a result, significant residual security challenges.

Slide 11: Wild Wild West

The vision of security most executives have is that of a protected enclave in hostile territory. The perception is that if you secure the perimeters and protect information whenever it ventures outside en route to a destination, typically by encryption but sometimes by crossing their fingers, then everything will be OK.

Slide 12: The Fort Model

Unfortunately, that is a somewhat limited point of view. Sure, firewalls can protect you at the gate if they are installed correctly, but the vast majority of problems have an insider component to them. It is really hard to get firms to talk about this, but the best guess we have right now is that somewhere between 70 and 90 percent of the problem is insiders.

Does this mean that protections against outsiders are working? Maybe. But the potential for harm from an insider is very high, even if there is a low probability of that occurring. Simply by their status as trusted individuals, they have knowledge and access that can be devastating if misused or abused.

Slide 13: Aspects

So, what's wrong with this picture? It's really, really hard to implement effective security to contain insiders. The solutions are hard, complex, and challenging to manage. They irritate honest insiders and can have very detrimental effects on systems in terms of processing overhead. Additionally, firewalls are overrated. To be effective, they must be implemented correctly, and it is easy to make mistakes without knowing it. They can also serve as a chokepoint and/or a single point of failure-both significant security issues.

What is needed is a systematic solution that addresses both the computer / technology security issues and the enterprise operational security issues holistically and in an integrated manner. The goal is to keep people from exploiting a combination of weaknesses-vulnerabilities that together create an opportunity for threat action.

Slide 14: Computer Security Piece

The computer security piece is important because of information technology's ubiquity. Computer programmers write code with flair and zeal, and bristle at the suggestions that they treat programming as engineering rather than art. This leads to vulnerabilities that you have to both live with and contain. The interfaces are a particularly dicey area, especially in heterogeneous systems. Not that that's a bad thing. Heterogeneity can provide some level of protection against cascading problems. An attack against one system may not work against a different system.

The computer security piece must include a mixture of technological solutions and policy solutions. Neither can carry the entire problem set alone. An example of this can be seen in key escrow. The mandatory key recovery scheme proposed is a technology solution to a policy problem. It's not necessarily the best solution, but it is a solution. Unfortunately, sometimes solutions can introduce new problems into systems. This is the situation with key recovery, which by definition introduces significant vulnerabilities into a cryptographically protected system. (ref: an analysis of key recovery systems)

Slide 15: The Enterprise

The enterprise security piece looks at the way operations occur. Going back to the CitiBank example, the operations model was for one person to generate a transaction and another person to execute the transaction. In this case, it is clearly impossible for a valid transaction to have identical times for both persons' actions. An enterprise security feature would check the times and disallow any with identical time stamps.
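Slide 4's detection software and this slide's timestamp check are the same idea: encode the characteristics a legitimate two-person transfer must have, and alert on any transfer that lacks them. As an added example, not the lecture's or CitiBank's code, here is that check in Python over a constructed transfer log; the log format, field names and operator names are assumptions, and the ordering rule goes one step beyond the slide's identical-timestamp rule.

```python
# Added example: enterprise-level two-person-control checks over a
# constructed funds-transfer log. Log format and field names are assumed.
from dataclasses import dataclass
from datetime import datetime
from decimal import Decimal
from typing import Dict, List

# Constructed sample log, one pipe-delimited record per transfer:
# id | amount | generating operator | generate time | executing operator | execute time
SAMPLE_LOG = """\
TX1001|250000.00|alice|1998-06-02T09:14:05|bob|1998-06-02T09:21:47
TX1002|1000000.00|alice|1998-06-02T09:30:12|carol|1998-06-02T09:30:12
TX1003|75000.00|dave|1998-06-02T10:02:33|dave|1998-06-02T10:09:01
TX1004|480000.00|erin|1998-06-02T11:15:00|frank|1998-06-02T11:14:30
"""


@dataclass(frozen=True)
class Transfer:
    transfer_id: str
    amount: Decimal
    generated_by: str
    generated_at: datetime
    executed_by: str
    executed_at: datetime


@dataclass(frozen=True)
class Alert:
    transfer_id: str
    rule: str
    detail: str


def parse_log(text: str) -> List[Transfer]:
    """Parse the constructed log format; blank lines are skipped."""
    transfers: List[Transfer] = []
    for line in text.splitlines():
        if not line.strip():
            continue
        tid, amount, gby, gat, eby, eat = line.split("|")
        transfers.append(Transfer(tid, Decimal(amount), gby,
                                  datetime.fromisoformat(gat), eby,
                                  datetime.fromisoformat(eat)))
    return transfers


def check_transfer(t: Transfer) -> List[Alert]:
    """Apply the rules a genuine two-person workflow cannot violate."""
    alerts: List[Alert] = []
    # Rule 1: the control requires one person to generate and another to execute.
    if t.generated_by == t.executed_by:
        alerts.append(Alert(t.transfer_id, "same-operator",
                            f"{t.generated_by} both generated and executed"))
    # Rule 2 (the slide's check): two separate human actions cannot share a timestamp.
    if t.generated_at == t.executed_at:
        alerts.append(Alert(t.transfer_id, "identical-timestamps",
                            f"both actions stamped {t.generated_at.isoformat()}"))
    # Rule 3 (generalisation): execution cannot precede generation.
    elif t.executed_at < t.generated_at:
        alerts.append(Alert(t.transfer_id, "executed-before-generated",
                            f"executed {t.executed_at.isoformat()} before "
                            f"generated {t.generated_at.isoformat()}"))
    return alerts


def scan(transfers: List[Transfer]) -> List[Alert]:
    """Run every rule over every transfer and collect the alerts."""
    return [a for t in transfers for a in check_transfer(t)]


def alerts_by_transfer(alerts: List[Alert]) -> Dict[str, List[str]]:
    """Group triggered rule names by transfer id for reporting."""
    grouped: Dict[str, List[str]] = {}
    for a in alerts:
        grouped.setdefault(a.transfer_id, []).append(a.rule)
    return grouped


if __name__ == "__main__":
    for alert in scan(parse_log(SAMPLE_LOG)):
        print(f"ALERT {alert.transfer_id} [{alert.rule}]: {alert.detail}")
```

Only TX1001 passes; each of the other three constructed records trips exactly one rule.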

An umbrella approach to security that addresses both computer security and enterprise security issues holistically provides comprehensive security, even at those delicate and sometimes unpredictable interfaces. It also fits in nicely with the emerging CIO model, viewing knowledge as capital worthy of protection and concern at the highest executive levels.

Slide 16: Perceiving Security-What?

So the challenge is: how to approach systematic security in a way that forces you to address the scope of the situation comprehensively.

First, you must look at what your real requirements are. This matrix shown here provides a framework for doing that. Filling in each intersecting block forces you to answer the policy questions of:

considering the attributes of confidentiality, integrity and availability.

Slide 17: Perceiving Security-How?

Once you have identified discretely what needs protection, and what kind of protection is needed (as well as how much and for how long), then you can start to address the ways in which protection can be accorded.

There are a variety of technical means by which protection can be accorded, including password protection, cryptography, firewalls, fences around facilities, locks on doors, badges on authorized personnel, biometrics to verify identification, and isolation of computing resources. Each of these reflects an area of technology in which advances are made every year - no technology area remains static, and these are certainly not. For example, fences around facilities can feature motion detectors or be electrified. Badges can be smart cards.

There are also other measures of protection that are principally aimed at the natural disaster type of threat, such as fire or earthquake.

These types of protection can also afford protection against malicious threat as well, such as arson or bombs.

When picking your protection measures, you must always be careful to avoid conflicts between protective capabilities. For example, fire suppression measures could be sprinklers -- but water and electrical equipment generally don't get along very well when joined together. Or, you may elect to put your computing facilities in the basement for an added measure of protection against unauthorized access -- only to rue the decision when the water main breaks and the basement is flooded.

There are no carved in stone right answers. That is why analytical procedures are so very important. You must consider all the possibilities and then make the best decision, knowing that you do not have perfect information, but doing the best you can anyway. It is the portfolio of solutions that you implement that affords you robust protection. Where one fails or is not quite complete, another can overlap. As a famous sailor once said: "If you can't tie good knots, tie lots of knots." That describes robust security in a nutshell. Having lots of different kinds of security measures gives you protection in depth -- fall back protection in case one or another of your measures fails for one reason or another.

And of course, when your protection measures are breached, then being able to detect that breach and then correct the problem is significant. 

Having robust protection is critical to having detection capabilities.  Often, detection capabilities rely on the protection technologies, the failure of which indicates the breaching of protection. For example, the lack of a badge is only noticeable if badges are required. A hole in a fence is only noticeable if there is a fence. A busted lock is only noticeable if there is a lock.

However, you have to look in order to notice. That is where policy mostly helps. There is some technology that can help in detection, such as currents running through fences that are broken if the fence is cut, or badges that require biometric confirmation, or automated audit log analysis tools that trigger alarms if security is breached. However, a great deal of detection is a matter of keeping your eyes on the operational environment and looking at what is going on.

Correction is a matter of recovering. This requires that you have thought through "what if" scenarios. Going through such what if scenarios is fundamental to your analysis of risk -- otherwise your understanding of threats and vulnerabilities would be very lacking. So, while you are going through the risk analysis, you should also be considering the question of:

An example of a what if scenario includes the Oklahoma City bombing. What if some crazy idiot parked a truck full of explosives in front of the building and blew it up? How could I recover operations? In some extreme cases, recovering operations may mean moving your operations to a backup facility. If you are very large, you may be able to afford to have a backup facility. If you are a one-person operation, you might consider having insurance to cover such an event.

It depends on what you are doing: how much protection do you need? This is not unlike doing a risk analysis in your personal life. There is always a possibility that your house may catch on fire and burn down.

Do you have papers that are so valuable that you can not afford that risk? How do you protect those papers? A typical response is by keeping them in a backup facility with robust fire and security measures -- like a bank safe-deposit box.

Slide 18: A 6000 Pound Gorilla

The joke goes: "Where does a 600 pound gorilla sit? Anywhere he wants to."

We have a 6000 pound gorilla starting to sit down on the web, called financial electronic transactions. These, plus the resultant societal impacts which we can just guess at, are revamping both the uses of information technology and the need, the desperate need, for comprehensive security capabilities. If we are to civilize this wild wild west, we need to make the roads and the towns safe for commerce and everyday life. Until we achieve that, the outlaws may well rule or at least terrorize.