
Spring 2004 © 2000-2004, Richard A. Stanley

EE579U/10 #1

EE579U Information Systems Security and Management
10: Security Management Problems

Professor Richard A. Stanley


EE579U/10 #2

Overview of Today’s Class

• Review of last class

• Security management problems


EE579U/10 #3

Last time…

• Security management is the “glue” that binds the entire security effort together.

• Absent proper and adequate management, it doesn't matter how well the other bits and pieces work

• This is probably the hardest part of all, because it remains difficult to compute the ROI


EE579U/10 #4

Why Are We Here?

• To manage systems security in an effective manner, right?

• We have studied all the technologies and tools, so nothing can go wrong, right?

• Wrong!
– There are lots of things that can make our jobs harder and more challenging

EE579U/10 #5

Spies at Work

• FBI counterintelligence agent Robert Hanssen convicted of espionage

• What can we learn from this?
– He wasn’t caught because he was careless
– He knew all the tricks used to catch spies
– He was arrogant (Philby book)
– He did “exceptionally grave” damage to the nation, and is probably directly responsible for at least two people being executed

• So what does that have to do with system security?


EE579U/10 #6

Where to Hide Things?

• In a difficult to find location?

• In a safe deposit box?

• In a dead drop?

• How about in plain sight?

• And…why are we hiding them, anyway?


EE579U/10 #7

One Worry

• This is a stegosaurus

• We need to worry about steganography


EE579U/10 #8

Steganography

• “Covered writing”
– from the Greek steganos and graphos
– steganos = covered (or roofed)
– graphos = writing

• Includes such arcana as invisible ink, hollow heels in shoes, open codes

• A real problem for systems security, as we shall see


EE579U/10 #9

Null Cipher Example

News Eight Weather: Tonight increasing snow. Unexpected precipitation smothers eastern towns. Be extremely cautious and use snowtires especially heading east. The highways are knowingly slippery. Highway evacuation is suspected. Police report emergency situations in downtown ending near Tuesday.

Decodes as:

Newt is upset because he thinks he is President.


EE579U/10 #10

Actual WWII Null Cipher

Apparently neutral's protest is thoroughly discounted and ignored. Isman hard hit. Blockade issue affects pretext for embargo on by products, ejecting suets and vegetable oils.

Decodes as:

Pershing sails from NY June 1.
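Both null ciphers above can be read mechanically. The following is an added example, not from the slides, that pulls the n-th letter of every word and scans the first few positions the way a reviewer of a suspicious message would; it assumes the WWII text with “by-products” as one hyphenated word, as that message is commonly printed.

```python
import re

def nth_letter_cipher(cover_text, position):
    """Read a null cipher: take the letter at `position` (1-based) of every
    word in the cover text, ignoring punctuation and digits. Words shorter
    than `position` contribute nothing, which is itself a clue that the
    text was not written as the carrier it appears to be."""
    letters = []
    for word in cover_text.split():
        alpha = re.sub(r"[^A-Za-z]", "", word)   # drop ':' '.' ',' ''' and '-'
        if len(alpha) >= position:
            letters.append(alpha[position - 1].upper())
    return "".join(letters)

def scan_positions(cover_text, max_position=3):
    """What a reviewer does with a suspicious message: try the first few
    letter positions and return every candidate hidden text."""
    return {p: nth_letter_cipher(cover_text, p) for p in range(1, max_position + 1)}

# The weather report from the slide, reproduced as printed.
WEATHER = ("News Eight Weather: Tonight increasing snow. Unexpected precipitation "
           "smothers eastern towns. Be extremely cautious and use snowtires "
           "especially heading east. The highways are knowingly slippery. Highway "
           "evacuation is suspected. Police report emergency situations in "
           "downtown ending near Tuesday.")

# The WWII message, with "by-products" hyphenated as in the commonly printed
# version so it counts as one word; the trailing I is the 1 of "June 1".
WWII = ("Apparently neutral's protest is thoroughly discounted and ignored. "
        "Isman hard hit. Blockade issue affects pretext for embargo on "
        "by-products, ejecting suets and vegetable oils.")

if __name__ == "__main__":
    # First letters: the cover text as printed on the slide spells THAKS
    # where the intended word is THINKS, a typical flaw of hand-made covers.
    print(nth_letter_cipher(WEATHER, 1))   # NEWTISUPSETBECAUSEHETHAKSHEISPRESIDENT
    print(nth_letter_cipher(WWII, 2))      # PERSHINGSAILSFROMNYJUNEI
    print(scan_positions(WWII))
```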


EE579U/10 #11

Another Example

(Figure: images labelled S0, S1 and Result; not reproduced in the transcript.)


EE579U/10 #12

Interesting, but So What?

• What if we were to replace the least significant bits of a complex data file with information we wanted to transmit secretly?

• File compression
– Lossless (e.g., GIF, BMP)
– Lossy (e.g., MPEG, JPEG)

• Downgrading information--how can you be sure what you downgraded?


EE579U/10 #13

King’s College, Cambridge (UK)

The image in which another image will be hidden using steganography

EE579U/10 #14

EE579U/10 #15

EE579U/10 #16

EE579U/10 #17

Stego Summary

• Careful comparison of the two King’s College photos shows the stego image is slightly less sharp than the original

• Careful examination of the Pentagon aerial photos shows the recovered image is slightly less sharp than the original

• BUT…you knew what to look for
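The least-significant-bit replacement described on the “Interesting, but So What?” slide, together with the point above that a detector has to know what to look for, as an added example that is not from the slides: it embeds a payload in the LSB plane of a constructed 8-bit grayscale cover, recovers it, and then applies a pairs-of-values chi-square statistic (the Westfeld and Pfitzmann idea) that separates the fully embedded image from the untouched one. Cover, payload and image size are all constructed.

```python
import random

def make_cover(n_pixels=4096, seed=7):
    """Constructed 8-bit grayscale cover: four flat regions with slight sensor
    noise, so even levels dominate and the counts of each (2k, 2k+1) pair
    differ strongly, as they do in the histogram of a real photograph."""
    rng = random.Random(seed)
    levels = [40, 100, 160, 220]
    pixels = bytearray()
    for i in range(n_pixels):
        base = levels[i * len(levels) // n_pixels]
        pixels.append(base + rng.choice([-1, 0, 0, 0, 0, 0, 0, 0, 1]))
    return bytes(pixels)

def embed_lsb(cover, payload):
    """Replace the least significant bit of each cover byte with one payload
    bit, MSB first, in sequential order. Every pixel moves by at most 1."""
    bits = [(byte >> (7 - k)) & 1 for byte in payload for k in range(8)]
    if len(bits) > len(cover):
        raise ValueError("payload does not fit in the cover's LSB plane")
    stego = bytearray(cover)
    for i, bit in enumerate(bits):
        stego[i] = (stego[i] & 0xFE) | bit
    return bytes(stego)

def extract_lsb(stego, n_bytes):
    """Reassemble n_bytes from the LSBs, in the same order embed_lsb wrote them."""
    out = bytearray()
    for i in range(n_bytes):
        value = 0
        for k in range(8):
            value = (value << 1) | (stego[i * 8 + k] & 1)
        out.append(value)
    return bytes(out)

def pov_chi_square(data):
    """Pairs-of-values chi-square statistic. LSB replacement pushes each
    (2k, 2k+1) histogram pair toward equal counts, so a fully embedded image
    scores far lower than the untouched cover."""
    hist = [0] * 256
    for b in data:
        hist[b] += 1
    chi2 = 0.0
    for k in range(128):
        even, odd = hist[2 * k], hist[2 * k + 1]
        expected = (even + odd) / 2
        if expected > 0:
            chi2 += (even - expected) ** 2 / expected + (odd - expected) ** 2 / expected
    return chi2

def demo():
    cover = make_cover()
    rng = random.Random(1)
    # Constructed payload that fills the whole LSB plane, as an encrypted
    # (random-looking) secret would.
    payload = bytes(rng.getrandbits(8) for _ in range(len(cover) // 8))
    stego = embed_lsb(cover, payload)
    return {
        "recovered": extract_lsb(stego, len(payload)) == payload,
        "max_pixel_change": max(abs(a - b) for a, b in zip(cover, stego)),
        "chi2_cover": pov_chi_square(cover),
        "chi2_stego": pov_chi_square(stego),
    }

if __name__ == "__main__":
    print(demo())
```

The pixel changes are invisible to the eye, which is the “slightly less sharp” effect of the photo slides; the histogram statistic is what a detector that knows what to look for measures instead.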


EE579U/10 #18

Stego Implications

• How can you be sure that what has been downgraded does not hide other information?

• Steganography can be used as a covert channel that is very hard to find

• Steganography also provides a tool that can be used to watermark a complex file


EE579U/10 #19

Fortunately, steganography is so complex and hard to implement that it is not likely the average hacker or crook would be able to exploit it.

Equally fortunately, we have discovered that the moon is made of green cheese.


EE579U/10 #20


EE579U/10 #21

Some Stego Tools

• OutGuess

• Information Hiding Homepage

• Steganography Tools

• Invisible Secrets


EE579U/10 #22

Other Stego Uses

• Covert information distribution
– eBay images have been found which contain stego information believed to be messages to terrorist cells
– Much of the imagery on the Internet contains stego data, which could be executables

• Don’t get too cute -- why would you suddenly start trading pictures with someone?


EE579U/10 #23

Some Thoughts

• What about Bell and LaPadula’s model?
– No write down?
– No read up?

• The Internet thrives on visual imagery. What does this imply for security based on what we have studied tonight?

• Why did it take 15 years to catch Hanssen? How long would it take to uncover stego?


EE579U/10 #24

Another Problem

How do you counter these?


EE579U/10 #25

Security Domains

• Security Management Practices
• Security Architecture and Models
• Access Control Systems & Methodology
• Application Development Security
• Operations Security
• Physical Security
• Cryptography
• Telecommunications, Network, & Internet Security
• Business Continuity Planning
• Law, Investigations, & Ethics

Source: CISSP CBK

(The figure also carries the course labels EE578, EE579S, EE579T and EE579U.)


EE579U/10 #26

“The Myth of Cyberterrorism”

• Article by Joshua Green, November 2002 http://www.washingtonmonthly.com/features/2001/0211.green.html

• Offers the premise that “There is no such thing as cyberterrorism--no instance of anyone ever having been killed by a terrorist (or anyone else) using a computer”

• Let’s take a look at this assertion to see if it really makes sense


EE579U/10 #27

Green’s Thesis

• Only death by computer “counts” as cyberterrorism

• Acknowledges that cybersecurity is a “serious problem,” but believes “it’s just not one that involves terrorists”
– Alleges $15B damage to global economy in 2001 due to viruses, worms, etc.

• Does this make sense?


EE579U/10 #28

Consider This...

• “...nuclear weapons and other sensitive military systems [are] not physically connected to the Internet and are therefore inaccessible to outside hackers”

• “It’s impossible to hijack a plane remotely, which eliminates the possibility of a high-tech 9/11 scenario in which planes are used as weapons”

• So what? Does this mean cyberterror is not to be worried about?


EE579U/10 #29

What About Critical Infrastructure?

• Green agrees that non-military systems are “less secure” than government systems

• “Most hackers break in simply for sport”
– Even if this were true, is it cause for comfort?

• Dismisses the threat because “most serious cybersecurity breaches...tend to come from insiders”
– We know this already
– Is this reason not to worry?


EE579U/10 #30

Examples

• Robert Hanssen, worst spy in US history
– Dismissed by Green because insider knowledge made his espionage possible, and he was a “rogue employee,” not a terrorist
– Is this a meaningful definition?

• “Two years ago, an Australian man used an Internet connection to release a million gallons of raw sewage along Queensland's Sunshine Coast after being turned down for a government job”
– Green believes this is not terrorism, but another rogue employee
– Perpetrator was former employee of sewage plant, therefore somehow not a terrorist


EE579U/10 #31

US Naval War College Study

• Simulated massive attack on national critical infrastructure
– Failed to crash the Internet, but caused sporadic damage
– Estimated that “terrorists hoping to stage such an attack ‘would require a syndicate with significant resources, including $200 million, country-level intelligence and five years of preparation time.’”
– This level of funding is available to terrorist groups, as is the intelligence. The 9/11 attacks are now believed to have involved more than two years of planning.
– Does this make you rest easier?


EE579U/10 #32

Al Qaeda Computers

• Contained “structural and engineering software, electronic models of a dam, and information on computerized water systems, nuclear power plants, and U.S. and European stadiums. But nothing suggested they were planning cyberattacks, only that they were using the Internet to communicate and coordinate physical attacks.”


EE579U/10 #33

An Example

• Worcester Airport attacked, shut down by teenage hacker using Internet connection (March 10, 1997)

• “… [the] youth temporarily disabled a loop carrier system, which combines multiple phone lines for transmission over a single fiber-optic cable.

• “By targeting the loop carrier system, the confessed hacker wiped out telephone access to the airport's control tower, fire department, airport security, and weather service, as well as private airfreight firms for six hours. The attack also downed the airport's main radio transmitter and the circuit that lets incoming aircraft switch on runway lights.”


EE579U/10 #34

Example, Continued

• The same hacker also
– disrupted telephone service to Rutland, MA
– “...attack[ed] ... the branch of an unidentified major pharmacy chain … on four separate occasions from January through March of last year [1997]. The hacker acquired the names, contact information, and prescriptions for the pharmacy's customers, but neither altered nor distributed that information” But could have!

• Only chance prevented these events from becoming disastrous

• Is this terrorism? [Source: Paul Festa, “DOJ charges youth in hack attacks” CNET News.com, March 18, 1998]


EE579U/10 #35

Some Thoughts

• Concern about over-hyping a threat is a valid issue
• But that does not mean that the threat is not real
• History provides some very discomforting examples
• Narrowly defining “terrorism” may allow it to be dismissed in an academic discussion, but it does not diminish the actual threat.
– This sort of approach actually plays into the hands of those who seek to exploit existing systems


EE579U/10 #36

Historical Examples

• Prior to the 9/11 attacks, “experts” dismissed the possibility that airliners could or would be used as flying bombs
– History was that hijackers would not harm passengers if their demands were met, so crew were to “go along”
– However, in 1995, terrorists were arrested in the Philippines with plans to hijack many aircraft and crash them into buildings. These plans were well-known, even in the press, 6 years before they were implemented

• Pearl Harbor provides similar lessons
• Tragedy usually results from a failure to think “outside the box”


EE579U/10 #37

Observations

• There is a fine line separating healthy paranoia from hysteria
• Technologists need to be skeptical and to look beyond simple history in applying technology
• If history teaches us anything, it is that we are all too often well-positioned to fight the last war, and poorly situated to deal with the current situation
• Problems do not disappear by redefining them so that they appear to be less significant


EE579U/10 #38

Now What?

• Policy is essential, but how do you know if it is working, and how well?

• You need to do an audit
– Not a once in a lifetime event
– Needs to be regular, but aperiodic
– Follow the financial industry guidelines
– May want to follow standards


EE579U/10 #39

Audit Types and Purposes

Types of audits
• Global security audits
• Verification audits
• Compliance audits
• Intrusive audits, or “Tiger Teams”

Who should perform?
• Internal audit staff
• Audit performed by a trusted outside party
• Accredited external audit team


EE579U/10 #40

Planning an Audit: 1

• Policy review and analysis
• Choosing the methodology and time frame to use for the audit
• Obtaining senior management approval and consent for the level of the audit and the auditors
• Contract
• Legal liabilities
• Rules of conduct, including forbidden areas
• Data collection planning
• Scope of work to be undertaken (e.g., how extensive an audit is to be performed?)
• Managing expectations
• Dealing with problems (e.g., what if no issues are found in the allotted time?)


EE579U/10 #41

Planning an Audit: 2

• Comparing the system described in the policy to the system that actually exists
– How to find the differences
– What to do about them?
– How will they affect the audit?

• The final audit plan
– Approval


EE579U/10 #42

Conducting an Audit: 1

• Obtain information about the system to be audited
– Policy analysis
– Actual system scans and evaluations

• Collect and protect audit data
• Work methodically and professionally at all times
• Tools available to help in the audit
• Develop and adhere to the data collection plan (e.g., take screen shots)

• Keep the customer informed
– Reports as agreed in the plan
– Immediate reporting if something big is found
– The customer’s ability to fix the problem exceeds the auditor’s need to crow about finding it

• Keep findings confidential
• Don’t leap to conclusions


EE579U/10 #43

Conducting an Audit: 2

• Follow-up / retesting

• Prepare the audit report
– Executive summary
– Vulnerabilities and/or problems found
– Several small things can add up to a large problem
– Business impact
– Recommendations


EE579U/10 #44

Evaluating Audit Results

• Assess the severity of the findings
– Depends on the organizational security policy and business model
• Deciding if external help is needed to deal with the findings (e.g., are we able to understand and deal with the findings?)
• Do the findings corroborate the perceived threats?
– Is a change to the security policy needed?
– Does this warrant another audit before proceeding further?
• Rank problems: what to fix first; where to stop?
• Match vulnerabilities and problems to legal liability issues
• Determine if further, perhaps more extensive auditing is warranted
• Evaluate what, if any, changes to security policy are warranted based on findings


EE579U/10 #45

Dealing With Problems: 1

• Workstation problems
– Physical access controls
– Environmental controls
– Object controls
– Data validation and auditing
– Data file controls
– Output controls
– Performance


EE579U/10 #46

Dealing With Problems: 2

• Software problems
– Licensing issues
– Version and configuration control
– Update control

• Business continuity problems
– Disaster events and probabilities
– Alternative sites
– Testing business continuity plan


EE579U/10 #47

Audit Standards & Tools

• BS 7799 / ISO 17799
– Good starting point for policies and audits
– Compliance not trivial
– Agreed-upon international standard
– COBRA tool automates compliance checking

• COBIT (Control Objectives for Information and related Technology)
– Generally accepted IT control objectives
– Developed and recognized by the ISACA (Information Systems Audit and Control Association), the international IT auditors’ professional organization
– Includes audit guidelines

• Developing your own standards


EE579U/10 #48

ISO 17799 Overview

• Business Continuity Planning
• System Access Control
• System Development and Maintenance
• Physical and Environmental Security
• Compliance
• Personnel Security
• Security Organization
• Computer & Network Management
• Asset Classification and Control
• Security Policy


EE579U/10 #49

Audit Review

• Necessary element to ensure compliance with security policies

• Many approaches to performing

• Standards-based approach has merit, but requires rigorous compliance

• Recent financial escapades illustrate the need for frequent, thorough system audits


EE579U/10 #50

Copyrights in the Digital Age

• Once a digital copy of a copyrighted work “gets loose,” how to control its dissemination?

• A very real issue for media such as eBooks, CD-ROMs, etc.

• The Digital Millennium Copyright Act attempts to deal with this problem


EE579U/10 #51

Digital Millennium Copyright Act (DMCA)

• Passed by Congress October 28, 1998
• Expands the protection of copyrighted works on the Internet and in digital form
– “Black Box” Provisions
• Limits the liability of on-line service providers for infringement of copyrighted works
– “Safe Harbor” Provisions


EE579U/10 #52

DMCA “Safe Harbor”

• Service providers, upon payment of $20 fee and meeting reporting requirements, can qualify for liability protection against copyright infringement
– “Service provider” is defined broadly as “a provider of online services or network access, or the operator of facilities therefor”

• Providers must not interfere with “standard” measures used to ID and protect copyrights


EE579U/10 #53

DMCA “Black Box”

• DMCA makes circumventing protective technologies, such as encryption and passwords, a violation of the law

• Removing, changing, or altering “copyright management information” also a violation

• Even if your copyrighted work is not actually copied, a person could be liable for attempting to do so, or for giving others the tools and access to do so


EE579U/10 #54

DMCA Observations

• This is a major extension of copyright law!

• Penalties for “black box” violations exceed the penalties in 17 USC for infringement

• There is little, if any, case law yet

• Does this violate the “fair use” doctrine?

• Feared to put a damper on research into cryptography and cryptanalysis


EE579U/10 #55

ElcomSoft, Dmitry Sklyarov and the DMCA

• Sklyarov is a Russian programmer who, with his company, developed a way to defeat the encryption on Adobe eBooks, allegedly to make backup copies or to have them read aloud

• Sklyarov arrested July, 2001 in Las Vegas, and charged with violating the DMCA
– Four circumvention counts, one conspiracy
– No copyright infringement counts

• Sklyarov acquitted on all counts, December 2002


EE579U/10 #56

Technological Solutions?

• Copy protection schemes are as old as magnetic media, and most have not worked as planned

• Newest approach is Digital Rights Management


EE579U/10 #57

Digital Rights Management

• Provides controlled delivery of digital media content such as eBooks, etc.

• Enables
– Content protection
– Secure content distribution
– Content authenticity
– Transaction non-repudiation


EE579U/10 #58

Types of DRM Rights

• Time-based
– License expires at specific time or after stipulated period of use

• Object-based
– Rights attach to an object

• Transferable
– Rights able to migrate across platforms, etc.
– Can control copying amount, frequency


EE579U/10 #59

DRM Specification Languages

• Three primary languages used presently:
– eXtensible Rights Markup Language (XrML)
– Open Digital Rights Language (ODRL)
– eXtensible Media Commerce Language (XMCL)

• Languages intended to communicate rights information, not enforce protection


EE579U/10 #60

Issues

• Interoperability
– Consumers want digital media that is easily read on multiple platforms
• Standards a problem (cf. VHS vs. Betamax)
– Content providers want to protect content and also make content available to as many consumers as possible
• Also interested in standards
• Lower costs if only one media standard evolves


EE579U/10 #61

DRM Functional Architecture

(Figure: “DRM Architecture”, with the modules IP Asset Creation, IP Asset Management and IP Asset Usage and the functions Create Rights, Validate Rights, Repository, Trading, Permission Mgmt. and Tracking Mgmt.; the diagram itself is not reproduced in the transcript.)


EE579U/10 #62

DRM Rights Expression Model

(Figure: Rights Holders linked to Permissions (Copy, Print), Constraints (Count, Time) and Obligations (Pay charge, Register); the diagram itself is not reproduced in the transcript.)
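The rights expression model above (permissions, constraints, obligations), together with the earlier point that the rights languages only communicate rights and do not enforce protection, as an added example that is not from the slides or from any DRM product: a small evaluator that decides each request against a licence, which makes it the enforcement point. The licence terms, dates, rights holder and asset id are constructed.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, Optional, Tuple

@dataclass
class Constraint:
    max_count: Optional[int] = None        # "Count": how many exercises are allowed
    expires: Optional[datetime] = None     # "Time": licence end

@dataclass
class Permission:
    action: str                            # "copy", "print", ...
    constraint: Constraint = field(default_factory=Constraint)
    obligations: Tuple[str, ...] = ()      # "pay charge", "register", ...

@dataclass
class Licence:
    rights_holder: str
    asset_id: str
    permissions: Dict[str, Permission]

class RightsEvaluator:
    """Decides each request against the licence. The rights language only
    states the terms; this evaluator is what enforces them, and it runs on
    the consumer's device, which is why neither marking nor containment is
    foolproof: whoever controls the device controls the check."""
    def __init__(self, licence: Licence):
        self.licence = licence
        self.used: Dict[str, int] = {}
        self.satisfied = set()

    def satisfy(self, obligation: str) -> None:
        self.satisfied.add(obligation)

    def decide(self, action: str, now: datetime) -> Tuple[bool, str]:
        perm = self.licence.permissions.get(action)
        if perm is None:
            return False, "no permission granted for " + action
        missing = [o for o in perm.obligations if o not in self.satisfied]
        if missing:
            return False, "unmet obligation: " + ", ".join(missing)
        c = perm.constraint
        if c.expires is not None and now >= c.expires:
            return False, "time constraint: licence expired"
        if c.max_count is not None and self.used.get(action, 0) >= c.max_count:
            return False, "count constraint: exhausted"
        self.used[action] = self.used.get(action, 0) + 1
        return True, "permitted"

def demo():
    """Constructed licence: print twice after paying; copy for 30 days after registering."""
    start = datetime(2004, 1, 15, 12, 0)
    licence = Licence(
        rights_holder="Example Publisher (constructed)",
        asset_id="ebook-0001 (constructed)",
        permissions={
            "print": Permission("print", Constraint(max_count=2), ("pay charge",)),
            "copy": Permission("copy", Constraint(expires=start + timedelta(days=30)), ("register",)),
        },
    )
    ev = RightsEvaluator(licence)
    log = [ev.decide("print", start)]                               # denied: charge not paid
    ev.satisfy("pay charge")
    log += [ev.decide("print", start), ev.decide("print", start)]   # permitted, 2 of 2
    log.append(ev.decide("print", start))                           # denied: count exhausted
    log.append(ev.decide("copy", start))                            # denied: not registered
    ev.satisfy("register")
    log.append(ev.decide("copy", start + timedelta(days=10)))       # permitted
    log.append(ev.decide("copy", start + timedelta(days=31)))       # denied: expired
    log.append(ev.decide("lend", start))                            # denied: never granted
    return log
```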


EE579U/10 #63

Securing Content

• Encryption
– Called “containment” in DRM

• Marking
– Placing a watermark or other marker to indicate that the media is copy protected

• Neither of these approaches is foolproof
• DMCA provides legal remedies, but may not stand the test of court scrutiny


EE579U/10 #64

Summary - 1

• The existence of secure tools and protocols is not a guarantee of security
• Human spies are a real problem, and hard to catch
• Steganography is one way for information to leak out of a system
• Steganography can be very hard to find, but it is very easy to implement at low cost
• New, helpful devices can make security much harder than it used to be


EE579U/10 #65

Summary - 2

• Policy is essential to establishing a secure computing system
• Audits are needed to verify the policy
• Good auditing is as hard as good policy
• Digital technology raises difficult new challenges to the copyright laws
• DRM seeks to protect copyrighted material
• DMCA deals with defeating copy protection


EE579U/10 #66

Homework: 1

• Using the Internet, conduct a survey of steganography tools available for download, and -- to the best of your ability based on the descriptions provided -- compare and contrast them.

• How would you protect your IT system against steganography leaks, both looking inwards and looking outwards?


EE579U/10 #67

Homework: 2

• Read the Joshua Green article discussed at the beginning of the lecture, found at (http://www.washingtonmonthly.com/features/2001/0211.green.html). Write a short essay (400-800 words or so) explaining your opinion on Mr. Green’s thesis and analysis. Do not be afraid to be original or to express an opinion you believe may be contrary to the professor’s.