CSE4884
Network Design and Management
Lecturer: Dr Carlo Kopp, MIEEE, MAIAA, PEng
Lecture 21-22
Network Security vs Information Conflict; Managing
Security in Networks
© 2006, Monash University, Australia
Reference Sources
NOTE: Information Conflict is a new discipline and good
resources are limited.
Prof Dorothy Denning (formerly Georgetown)
COSC 511 Information Warfare: Terrorism, Crime, and
National Security
http://www.cs.georgetown.edu/~denning/cosc511/fall02/index.html
http://devost.typepad.com/cosc511/
CSE 468 - Information Conflict
http://www.csse.monash.edu.au/courseware/cse468/subjectinfo.html
What is Information Conflict? Why Does it Matter?
Information Conflict (IC or IW) is a biological phenomenon and has
existed for as long as life has existed [Kopp-Mills].
Information Conflict involves the use of information to gain a
competitive advantage in a survival game [Kopp-Mills].
Information Conflict has been used by governments, non-state
organisations and commercial entities for millennia, but has only been
formally recognised as a discipline since 1995.
The ability to very rapidly and cheaply transfer or distribute large
volumes of information – a feature of the digital era – has increased
the importance of Information Conflict.
Managers must be cognisant of the potential risks which may arise
from IW techniques being used by third parties – against public and
private entities, and individuals.
A systematic information attack by a third party can cripple any
organisation which is dependent on a digital infrastructure.
Large scale use of wireless equipment with poor security increases
the risk of IW attacks and site penetration.
Taxonomy of IW Categories
Class I IW - Compromising Personal or Corporate Privacy is the
lowest grade of IW, and occurs when a personal account is
compromised and confidential information accessed, such as private
email being read, or phone calls charged to a third party account.
Class II IW - Industrial and Economic Espionage is the next step up,
in which instance government or corporate computers are hacked
into and information covertly stolen.
Class III IW - Info-Terrorism and Denial of Services. The intentional
trashing of another party's computer or network, or denial of service
via other means is usually described as info-terrorism. Whether the
offending party is a malicious hacker, a criminal extortionist, a
genuine terrorist, or a foreign government seeking to take down a
system or systems, the end result falls into the same category.
Military IW - The use of all of the above combined with other military
techniques in order to disrupt an opponent's military operations,
government activity and economy qualifies as military IW. Military IW
is the most destructive category, as it involves both soft and hard kill
techniques.
Denial of Service Attacks
Denial of service attacks are an offensive technique intended to
cripple an organisation by preventing it from using its digital
systems.
Denial of Service attacks are increasingly common especially
involving attacks on websites, and large scale attacks on networked
systems using viruses and worms.
Where an organisation depends on its digital infrastructure such
attacks can produce significant material losses.
Recently documented Denial of Service attacks have been
associated with nation state conflicts, and political, religious or
ideological disputes.
Many attacks are performed by malicious individuals for personal
gratification. This is especially true of virus/worm attacks, which are
performed for no material gain but cost hundreds of millions in lost
productivity and repair time.
Offensive vs Defensive IW
In any IW engagement there is an offensive player or attacker, and a
defensive player or defender.
Strategic planners and managers will typically play the defender’s
game. Their role is to ensure that the organisation’s infrastructure
can resist IW attacks – starting with Class I, and then Class II and III
IW. Class IV attacks are usually the responsibility of governments.
Given the diversity of ways in which IW attacks can be mounted,
concentrating on established security techniques is not enough – it
will protect against hackers and physical Denial of Service attacks,
but not against viruses and worms or other forms of attack.
If a network depends on websites for billing, notifications and
support, losing that website even temporarily could inflict significant
monetary losses.
Resistance to IW attacks must be planned for from the outset when
developing and planning infrastructure. Attempting to add defensive
measures to production systems can be very expensive.
Practitioners of IW Technique
Malicious hackers and worm/virus writers inflict damage for
amusement or peer group approval. They can attack globally.
Hackers, Phrackers and Whackers may steal bandwidth by
penetrating networks or manipulating accounts.
Criminals may hack to acquire information, such as credit card
numbers, confidential information etc, or threaten DoS attacks to
extort money from a victim organisation such as a bank or telco.
Industrial and commercial espionage may be performed to steal
proprietary information such as manufacturing techniques for
financial gain.
Espionage against government departments, esp police and military,
may be performed to gain access to national secrets, operational or
technical. Foreign governments or contracted hackers may be
involved.
[Info-]Terrorists may perform DoS attacks to promote their cause by
inflicting economic or political damage. A car bomb deployed against
a stock exchange, national bank, media site or central telephone
exchange qualifies as an IW attack.
Moore’s Law, Bandwidth Law vs IW
Moore’s Law predicts monotonic growth in computing power over
time; the Bandwidth Law predicts monotonic growth in network
bandwidth over time. Both laws are well validated empirically [Kopp].
Rapid growth and commodification of hardware and software have
dual effects on IW:
The cost of computer systems and tools capable of use for IW declines
and these become more available, globally.
The cost of defensive measures and encryption technology declines
over time, making defensive measures more affordable.
It is necessary to look at IW as an evolutionary game – as better
defensive measures are created, better offensive measures evolve
to overcome these.
Strategic planning and budgeting must allow for evolutionary growth
in defensive measures to account for increasing capabilities for IW
over time.
Senior management in many organisations may not appreciate
these issues and will need to be educated.
Privacy and Copyright Considerations
Individual privacy and corporate client privacy are important
considerations. Legislation exists in most developed nations –
including Australia – intended to protect privacy.
Many types of IW attack violate privacy and the onus is upon the
carrier or provider to protect against such attacks. Failure to provide
proper protection could see a carrier or provider criminally and
commercially liable for damages.
Privacy becomes critical where financial transactions, medical
records and private correspondence are involved.
If a hacker steals such information, he/she may never be caught.
The damaged party could launch legal action against the provider or
carrier on the basis of inadequate protective measures being
implemented, or file charges with a law enforcement agency.
In some nations privacy violation is automatically considered a
criminal offense and carriers or providers are held responsible.
Copyright violations are a special case since the material is
available to the public, but its distribution is controlled. Such
violations have become a major political and commercial issue
globally, especially in the entertainment industry.
Copyright and Intellectual Property
Illegal or unauthorised reproduction of digital materials is a major
problem.
With cheaply available networking, hard disk, CD-R and DVD burner
technology, almost any materials can be reproduced, often in bulk
quantities, for little material expense.
This has led to the growth of illegal ‘pirate’ industries which steal and
market digital materials, especially software products, and
entertainment products such as cinema, music and publications.
The result is significant losses to the owners of the intellectual
property in the products.
Weak legislation in some nations allows these to become ‘havens’
for such industries.
It is important that organisations carefully assess the origins of any
digital materials used internally to ensure that these are not pirate
copies.
A good example would be software tools used within an
organisation. Using pirated copies or unwittingly distributing such
materials opens the organisation to civil litigation over copyright
violation or criminal charges.
SPAM
SPAM is unauthorised and unsolicited distribution of marketing
materials via email, in bulk quantities. Spammers violate the privacy
of spam recipients.
Spammers will market everything from pornography, discount
pharmaceuticals, junk stocks, dubious home loans, consumer
products, to pirated software and CD/DVD.
Spam is also used to distribute propaganda on behalf of political and
religious movements.
Modern spamming techniques use tools which use digital archives
(usually harvested off the web on CD-ROM) of victim addresses,
and which usually forge the sender address by using another victim
address.
Spam is not illegal in most nations since legislation was injudiciously
adopted which does not require prior consent by the recipient when
being spammed.
It is likely that anti-spam legislation will be adopted in the developed
world over coming years since spam often accounts for a significant
fraction of bandwidth used causing economic losses globally.
Privacy on the Web
The internet creates many opportunities for privacy violations.
Many websites use the cookie mechanism to retain state information and
identity information. Cookies allow the web server to recognise systems
accessing a site. In turn this information can be stored to produce profiles of
visitor accesses on a site, and thus divine visitor interests or agendas.
Such information can be used to support marketing activities directed at
visitors. An example is a website which uses such statistics to adaptively
present advertising material to visitors.
Most web servers collect access statistics which allow operators to track
which visitors are making what accesses and when. While this can be used
for legitimate purposes, it also allows profiles of specific visitors to be
produced.
Cookies and server statistics are usually gathered silently and visitors are
unaware of their existence or possible/actual uses.
Website owners often compromise their own privacy by putting materials on
websites which are not intended for distribution, but forgetting to disable
read access.
Online directories now allow gathering of significant materials on individuals
such as addresses, phone numbers, email addresses and other details.
While most users are legitimate, criminals and terrorists also have access.
Espionage and Intelligence Gathering
Espionage and intelligence gathering – the second oldest profession
– has a long history. The advent of digital communications has made
some aspects of this craft easier, and some more difficult.
Practitioners may be acting on behalf of governments – illegally or
as part of law enforcement – political movements and parties,
religious movements, commercial organisations or individuals.
Most espionage or intelligence gathering amounts to covert
collection of information or materials without the consent or
knowledge of the victim.
This can be performed by acoustic eavesdropping, visual/video
surveillance, electronic eavesdropping of analogue or digital
channels (SIGINT), hacking into computers (CyberWAR), breaking
into offices, filing cabinets or safes (HUMINT), or by unauthorised
reproduction of accessible materials (HUMINT).
While most intelligence gathering and espionage is performed by
governments against other governments, industrial espionage is
also common. The latter is of interest to managers since it can result
in significant losses. Target information can vary from technical data
on products or processes, to marketing plans, costing information
and tender proposal documents.
Surveillance Techniques
Surveillance can be performed using acoustic (microphone ‘bugs’ or
phone tap), visual (film or video camera) or electronic (radio/mobile
phone/wireless network) intercepts.
In most nations surveillance is only lawful if performed by a law
enforcement or intelligence agency ie government entities.
Commercial operators are usually permitted to use video
surveillance of publicly accessible areas ie banks, ATMs, carparks,
foyers etc.
A large-scale example of such surveillance is the CCTV network in
London, used to apprehend terrorists after the recent attempts to
bomb public transport.
Law enforcement agencies rely heavily on acoustic and visual
surveillance to gather intelligence or evidence.
Managers need to be aware of the potential for unlawful surveillance
and plan infrastructure to make it difficult to perform.
Counter-surveillance technologies may be illegal in some nations –
for instance voice scramblers for telephone links.
SIGINT/COMINT – Signals/Communications
The interception of radio signals and communications has been
practiced since the advent of wireless communications. It is mostly
practiced by the military and law enforcement due to the cost of the
complex equipment required.
The advent of cheap radio ‘scanners’ has opened up opportunities
for individuals and organisations to intercept unencrypted or
unscrambled wireless voice traffic.
Intercepts may be targeted, ie a single individual or site is monitored
on a specific channel, or they may be performed en masse by
recording swaths of the radio spectrum for later semi-automated or
manual analysis by human operators.
Wireless channels without strong encryption must therefore be
considered insecure and should never be used to transmit sensitive
information – whether sensitive from a privacy perspective or a
commercial perspective, or where sensitive government traffic is
involved. GSM mobile phones are a good example.
Network Sniffers
Network sniffers are a vital tool for legitimate traffic analysis and
network maintenance tasks. They can also be used to perform
lawful and unlawful surveillance and monitoring of specific users or
sites on a network.
A sniffer is a software/hardware device which collects and decodes
network packets, and can often reassemble traffic flows.
Network protocols with weak or absent encryption will allow the user
of a sniffer to collect accounts/password information, email traffic,
file transfers and web traffic.
Sniffers with wireless network interfaces allow penetration of
wireless networks without having physical access to a network port
or cable.
Network planning needs to account for unlawful surveillance by
users of sniffer equipment. Active network ports in publicly
accessible areas are not acceptable, and wireless channels must
use the strongest available encryption techniques.
‘Insider attacks’ by staff using sniffer software on internal systems
are a real possibility. Superuser access on computers should be
carefully controlled.
Van Eck Radiation
Van Eck radiation is defined as Unintended Emissions (UE) in the
radio-frequency bands.
Computer monitors, and to a lesser extent keyboards or poorly
impedance-matched network cables, will radiate signals as a result
of the digital or analogue modulations they are carrying.
Specialised receivers can be used to collect UE – the typical
example cited is equipment which can reconstruct what is being
displayed on a computer monitor from outside the building housing
the computer.
UE surveillance and intelligence gathering is expensive and usually
limited to governments and law enforcement.
The US NACSIM 5000 Tempest series of standards defines design
specifications and techniques for computer equipment to prevent the
emission of Van Eck radiation.
Managers in government organisations need to understand the risks
arising from UE and ensure that computer equipment used for
classified or highly sensitive material is suitable for such use.
Electrical Denial of Service Attacks
The dependency of computer and digital communications equipment
upon electrical power feeds and electrical data cables makes it
vulnerable to electrical denial of service attacks.
Such attacks aim to inject high voltage or radio frequency signals
into mains power or data cables to cause electrical damage or
computer crashes and loss of service.
Example A: a Taser device with a cable harness and connector
allowing it to inject high voltage into a local area network via a wall
socket can destroy network adaptors in dozens of computers.
Example B: a shortwave radio transmitter connected to mains
voltage power can destroy power supplies in computer or
communications equipment.
The best defence is to deny access to electrical power and data
cables to ensure an attacker cannot connect his equipment.
Proving such an attack can be difficult.
Radio Frequency Denial of Service Attacks
Jamming of radio frequency communications channels has been
practiced for almost a century, usually in wartime. During the Cold
War the Soviets continuously jammed Western radio broadcasts.
Jamming involves transmitting a signal which interferes with the
modulation used by the signal, degrading intelligibility. A wide range
of jamming techniques exist against all known modulation types.
Designers of military communications equipment plan from the
outset to deal with jamming. This is generally not true of commercial
equipment which usually has very poor jam resistance.
Jamming equipment to disrupt mobile phones (GSM, CDMA etc) is
now widely available and is built to prevent terrorists from using
mobile phones to set off bombs remotely.
Wireless 802.11 networks are highly susceptible to jamming due to
the use of short Barker code modulations.
Denial of Service attacks against mobile phones or wireless
networks can be effected quite cheaply using ‘throwaway’
expendable jammers and can be very difficult to prove.
Radio Frequency Weapons – Denial of Service
Denial of service can also be effected by radio frequency (RF) weapons
which emit enough RF power to damage or disrupt the function of
computing and communications equipment.
RF radiation can couple into mains and data cabling, or cooling apertures
on equipment, causing equipment to crash or fail permanently with electrical
damage.
HERF guns are portable devices which emit pulsed or continuous wave RF
radiation.
Tesla coils can be used to emit high voltage RF fields with similar effects to
HERF guns. A hidden battery powered Tesla coil can cripple equipment
inside buildings for as long as the battery lasts.
Electromagnetic bombs (E-bombs) can produce damage over areas the
size of city blocks, or greater. E-bombs remain in development for military
applications.
Radio frequency weapons were claimed to have been used during the
1990s for criminal extortion against at least one bank. To date there are no
confirmed reports of E-bombs being used in combat operations, despite
ongoing speculation.
The best defensive measure is electromagnetic hardening of computer and
communications equipment – the electrical equivalent of armour plating.
Perception Management and Propaganda
Perception management and propaganda are used to change the
perceptions or views of a target or victim population.
This can be done to advance a political, religious, commercial or
other agenda.
Historically these techniques were most extensively developed and
used by Nazi Germany and later the Soviet Union, but have since
become widely adopted by governments and commercial operators
to market their agendas.
These techniques most frequently involve manipulating information
presented to an audience to conceal key issues and emphasise
intended agendas. The aim is always to present a reality different
from that perceived previously by the target audience.
Open lies are usually used less frequently than half-truths as the
latter are more difficult to disprove. Audience literacy and prior
knowledge can often frustrate even sophisticated or intensive
attacks.
Commercial advertising and marketing materials are frequently
deceptive and aim to seduce victims to increase product sales.
Managers need to be alert when assessing marketing materials.
Psychological Warfare (Psywar) Techniques
Psywar is used most frequently in wartime (radio/leaflets), but is
often seen in commercial or political mass media advertising.
Psywar techniques aim to amplify existing anxieties in a target/victim
population to disrupt their behaviour, and disrupt the cohesion of an
organisation or group.
A prerequisite for successful ‘Psyops’ is that the target or victim
population has an existing anxiety or prejudice over some issue.
Statements or claims which reinforce such anxieties or prejudices
will produce distress or anger in the victim population.
Examples are political advertising emphasising issues like job
losses or interest rate increases, or commercial advertising pointing
out bugs or vulnerabilities in computer products. Commercial
foodstuff advertising alleging weight gains, cancer or heart disease
also qualifies as Psywar.
The internet and mass media are the preferred channels for Psywar
attacks.
Most nations have inadequate legislation regulating this area.
Censorship
Censorship is a mechanism used to control access to information. It
typically involves denying access or punitive criminal legislation
intended to deter distribution.
In developed nations censorship is mostly directed at entertainment
products with explicit or violent content. In wartime censorship is
used to deny an opponent knowledge of sensitive developments.
Many nations apply political censorship to control public and political
debate. Internet censorship exists in some nations to deny access to
a wide range of materials not deemed suitable for public access.
Censorship is a double edged sword, since it can increase the
attractiveness of the censored material to a potential audience.
Censorship remains a controversial issue in Western democracies
since the criteria used to determine exclusion are often difficult to
achieve consensus on.
Managers operating in a global market or across national
boundaries need to be sensitive to censorship legislation since
criminal law is often used to enforce it.
Hacking, Cybercrime, Cyberwar (HCC)
Hacking is the term used to describe unauthorised access to
computer systems. The term originally applied to programmers who
worked on operating system kernels but the media and
entertainment industries popularised the currently accepted use of
the term.
Cybercrime is the use of ‘hacking’ techniques to commit criminal
offences, usually theft of money or intellectual property.
Cyberwar is the use of ‘hacking’ techniques to perform denial of
service attacks or intelligence gathering for political or military
purposes.
HCC relies on poor password security and security ‘holes’ in
computer operating systems.
Phracking (Phone Hacking) is hacking into telephone networks
mostly to steal bandwidth.
Whacking (Wireless Hacking) is hacking into wireless networks
mostly to steal bandwidth.
Hacking remains a controversial issue. In most developed nations it
is a criminal offence, frequently punished by long jail terms.
Techniques for Gaining Unauthorised Access
A wide range of techniques exist for ‘hacking’ into computer
systems.
Passwords may be stolen by sniffing, or by entering offices and
reading paper notes. Passwords may also be guessed using robots,
or ‘purchased’ from unethical staff members. Unsecured terminals
left logged in may be exploited.
Trojan horse or backdoor entry code may be inserted into systems
where a hacker has access to the original source code.
Sophisticated attackers may perform identity spoofing by replacing
real network packets with substitutes.
Security holes in some network applications may permit remote
entry by driving the application with messages known to expose the
vulnerability.
Software tools developed for security testing of networks can also
be used to expose security holes for unauthorised entry.
Robust firewalling and system security audits are essential to protect
against unauthorised site entries.
Viruses and Worms
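The password-guessing ‘robots’ mentioned above leave a recognisable trace in authentication logs, and a system security audit is incomplete without looking for it. The following Python script is an added example, not part of the lecture: it parses syslog-style sshd lines (the sample lines below are constructed), counts failed logins per source address inside a sliding time window, and raises a second alert if a login then succeeds from an address already flagged, since that is the signature of a password that was guessed. The threshold, the window, the hostname gw and the addresses are assumptions.

```python
"""Detecting password guessing ('robots') in authentication logs.

Added example, not from the lecture.  Assumes syslog-style sshd lines; the
sample log below is constructed for illustration (addresses are documentation
ranges, hostname 'gw' is made up).
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta
import re

# Constructed sample log, not real data.  Syslog omits the year, so one is assumed.
SAMPLE_LOG = """\
Mar 12 02:14:01 gw sshd[4121]: Failed password for root from 203.0.113.7 port 51512 ssh2
Mar 12 02:14:03 gw sshd[4121]: Failed password for root from 203.0.113.7 port 51513 ssh2
Mar 12 02:14:05 gw sshd[4121]: Failed password for admin from 203.0.113.7 port 51514 ssh2
Mar 12 02:14:06 gw sshd[4121]: Failed password for invalid user oracle from 203.0.113.7 port 51515 ssh2
Mar 12 02:14:08 gw sshd[4121]: Failed password for invalid user test from 203.0.113.7 port 51516 ssh2
Mar 12 02:14:11 gw sshd[4121]: Accepted password for admin from 203.0.113.7 port 51517 ssh2
Mar 12 09:30:42 gw sshd[5002]: Failed password for alice from 192.0.2.15 port 40200 ssh2
Mar 12 09:30:55 gw sshd[5002]: Accepted password for alice from 192.0.2.15 port 40201 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)


def parse_line(line, year=2006):
    """Return a dict for a login event, or None for lines we do not care about."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "result": m["result"], "user": m["user"], "ip": m["ip"]}


def detect_guessing(log_text, max_failures=4, window=timedelta(minutes=5)):
    """Return alerts as tuples.

    ('guessing', ip, n)               - n failures from ip inside `window`
    ('success_after_guessing', ip, u) - a login for user u succeeded from an
                                        ip that was already flagged
    """
    recent = defaultdict(deque)   # ip -> timestamps of recent failures
    flagged = set()
    alerts = []
    for raw in log_text.splitlines():
        ev = parse_line(raw)
        if ev is None:
            continue
        q = recent[ev["ip"]]
        # Slide the window: forget failures older than `window`.
        while q and ev["ts"] - q[0] > window:
            q.popleft()
        if ev["result"] == "Failed":
            q.append(ev["ts"])
            if len(q) >= max_failures and ev["ip"] not in flagged:
                flagged.add(ev["ip"])
                alerts.append(("guessing", ev["ip"], len(q)))
        elif ev["ip"] in flagged:
            # A success from a guessing source is the event that matters most.
            alerts.append(("success_after_guessing", ev["ip"], ev["user"]))
    return alerts


if __name__ == "__main__":
    for alert in detect_guessing(SAMPLE_LOG):
        print(alert)
```

A single failed login from 192.0.2.15 followed by a success is normal user behaviour and produces nothing; the burst from 203.0.113.7 is flagged on the fourth failure, and the subsequent accepted login for admin from the same address is reported separately because it is the one that warrants an immediate password reset.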
Viruses are malicious programs which embed themselves in file
systems, operating systems or applications upon which they
propagate themselves via removable storage media or networks to
other systems.
Viruses may be benign or destructive in effect, and can be used to
compromise security by propagating password files or email address
lists.
Worms are malicious programs which consume system resources to
the point where a system becomes unusable.
Highly integrated mailer and word processor programs are the most
common targets of viruses and worms since they permit easy entry
and propagation between systems. Some proprietary systems are
considered the most vulnerable, cf Linux, BSD and commercial Unix
systems.
Managers and strategic planners need to be sensitive to risks which
may arise from using some commodity software products known to
be susceptible to such attacks.
Identity Theft and Fraud
Identity theft is an increasing problem in the computer and
communications industry.
The simplest examples involve theft of mobile phones and credit
cards for profit.
Spammers today mostly forge return and sender email addresses by
using addresses of other spam victims held in digital archives.
Internet newsgroups have also seen identity thefts where hoaxers
pretend to be actual or fictional persons. An example was a hoaxer
on rec.aviation.military impersonating a retiree, who was actually
bedridden in a nursing home suffering from severe stroke
impairment.
Validation of subscriber identity for web accessible services can
present genuine issues, especially where sites are used to effect
financial transactions.
Bogus websites set up to visually emulate actual bank websites
have been used to steal electronic banking passwords, in turn to
fraudulently access accounts.
‘Nigerian scams’ involving impersonations are now of epidemic
proportions in the spammer community.
Denial of Service Attacks vs Extortion
Denial of Service attacks can be used as a tool to extort money from
victims.
Organisations which rely on uninterrupted computer operation to
effect financial transactions, or which rely on web servers for client
access, are the most common targets of such attacks.
The attacker will cause repeated service loss and then extort money
by promising to cease attacks.
Cyber attacks – as the attacker may be located on another continent,
in a nation with weak or absent cybercrime legislation, major
problems arise with identifying the attacker and with prosecuting the
attacker.
Radio-frequency/electrical attacks – the attacker will be
geographically local but may not leave a detectable signature or
footprint permitting law enforcement to apprehend or prosecute.
Usually DoS extortionists prey on organisations with poor expertise
levels in computer/network administration and security.
In general DoS attacks can be difficult to prove and prosecute.
Law Enforcement Problems
Law enforcement faces significant challenges when dealing with
offenders in the Information Conflict domain.
Jurisdictional boundaries may prevent prosecutions against known
offenders.
Determining the identity of criminal offenders or military / political /
revolutionary movement attackers may be difficult or impossible
given available tools or expertise.
Proving cybercrime may be difficult or impossible. Proving electrical
or radio-frequency attacks may be even more difficult.
Key problems remain with inadequate technical expertise and
forensic skills in many law enforcement agencies, globally.
Legislation for dealing with IW domain offences or attacks may be
weak or inappropriately structured.
Managers need to consider that in the event of an attack or
penetration, law enforcement agencies may have little to offer in
dealing with the problem.
The best strategy is to plan systems so that they are inherently
unattractive as targets for criminals or other attackers. Most
frequently ‘softer’ targets will be attacked instead.
Managing Network Security
Given the wide range of possible threats to a network
and potentially wide opportunities for such threats to be
realised, security is a major issue in network
management.
Complacency is a major problem in network security
since it encourages threat actors to attack the network.
A network manager must therefore always consider
security in defining a network design and configuration.
Penetration of an unsecured network is not an ‘if’
question, it is a ‘when’ question.
Network managers are usually held responsible when
security breaches occur.
Postulate Threats
[Figure: threat model. Threats to Identified Assets are postulated from
Motivation AND Capability AND Vulnerability; threats may be Internal or
External, and Deliberate or Non-Deliberate (Error/Carelessness OR Acts of
God/Accidents). Impacts if the Threat Eventuates: Confidentiality & Privacy,
Integrity & Modification, Availability, Damage & Destruction, Misuse & Abuse.
Asset Types: Information, Physical assets, Intangibles, People.]
What is the greatest threat to security?
The greatest threat to security is the belief that there is no
threat
Justice Hope
Threats
“No threat” to an asset implies “no security problem”.
Some assets suffer from multiple concurrent threats, eg consider an
executive’s $4000 laptop computer. It could be:
- stolen to be sold ‘in the pub’ (opportunistic theft, motivation $100 to
  $500)
- stolen for specific software/hardware components (generically
  targeted, but any similar laptop would do; motivation $500+)
- stolen for commercial/industrial espionage (“Fortune 500” company
  executives’ laptops: street value $US10,000; laptop specifically
  targeted: $POA, but up to $US100,000 or more)
- lost (ie genuinely lost, or possibly stolen by an employee or unknown
  party)
- destroyed/damaged accidentally or deliberately (dropped, run over,
  burnt out by wrong voltage, damaged by water or chemicals, strong
  magnetic fields, electrostatic discharge etc)
Types of Threats
Threats may be:
- Deliberate (hostile intent): eg theft, damage, espionage, delaying information or action, criminal negligence or wilful carelessness.
- Accidental (no hostile intent): eg errors and omissions, taking assets accidentally, thoughtlessness.
- Coincidental or incidental to another act (non-intentional): eg physical damage incidental to graffiti, a strongbox damaged during a burglary, a confidentiality breach when stolen documents are dumped, a person injured incidental to an armed hold-up.
- Acts of God: eg floods, wildfire, earthquake, building collapse, meteor strike.
Sources of Deliberate Threats
- People with 'insider' information and motivation: very knowledgeable about your organisation, and often with 'authorised' access:
  - disgruntled employee, contractor, security guard, maintainer;
  - careless employee etc;
  - other insider (eg office comedian, office 'payback');
  - ex-employee/contractor/guard/maintainer etc;
  - possibly a disgruntled customer or supplier.
- Outsiders: strangers, but with motivation to succeed:
  - thief, vandal, or hacker;
  - commercial espionage agent (eg on behalf of a competitor, or subcontractor);
  - issue-motivated groups (eg animal liberationists, greenies, ...);
  - terrorists: groups and sympathisers;
  - foreign intelligence service agent (spy);
  - people with a mental illness or imbalance.
What is Their Capability?
- Near-term capability ('know how', and the ability to perform) is available, for a price if necessary (but the price may exceed the motivation).
- High capability:
  - foreign intelligence service;
  - ex-employee (has knowledge of systems & procedures);
  - big money interests (could buy high capability via an ex-employee).
- Medium capability:
  - hackers/crackers (have some general knowledge of your site);
  - general commercial interests (could buy capability via hackers).
- Low capability:
  - disgruntled customer (has minor knowledge, limited access, and motivation is too low to buy a capability).
Threat Capability Enhancement
- The Internet has many sites servicing 'capability enhancement':
  - some provide information, links to other sites etc;
  - some sell equipment, devices, tools, videos and education, usually by mail order;
  - some sell consultant and other services/skills.
- Search the Internet using keywords, eg 'lock picking', 'spy camera' (watch out for pornography with this one).
- Look at D.I.R.T at http://www.codexdatasystems.com/cdsnews.html
Capability is more than Tools
- Be aware and concerned, but not frightened.
- Capability requires:
  - tools, knowledge of techniques, and skills; AND
  - knowledge of the target and its environment.
- The Internet sites address tools and knowledge of tools, but acquisition of a skill requires practice, and most people do not have the discipline to acquire skill.
- However, professional or highly motivated people can develop knowledge of the target (intelligence gathering) by collusion with staff etc, and also skills / techniques.
Information Systems
Information systems provide:
- easy storage of information;
- easy access to information;
- easy analysis of information;
- easy modification of information; and
- easy communication of information.
These capabilities are just as easily used against an organisation as they are used to support it.
Information Security
- Information is a strategic resource:
  - a significant portion of the budget is spent managing IT;
  - there are many types of information;
  - all have security-related problems:
    - confidentiality (secrecy, privacy): protect information value;
    - integrity: protect information accuracy;
    - availability: ensure information delivery when needed (often expressed as 'accessibility of information'); and
    - freedom from misuse and abuse.
- Some information also needs non-repudiation assurance; this may be considered a misuse issue.
Threats to Information
- Loss of confidentiality or privacy:
  - legal action, either criminal or civil;
  - embarrassment & political pressures;
  - loss of commercial advantage (eg trade secrets).
- Loss of integrity:
  - inappropriate decision making;
  - loss of accuracy and control.
- Loss of availability/accessibility:
  - loss of capability to do useful work.
- Misuse and abuse of information:
  - civil action or legal penalties, both expensive even if you win the case;
  - loss of reputation.
- All cause loss of confidence: the real impact is loss of business and profit.
IT Threats that Eventuate
- Various surveys, with results of the order of:
  - 55% human error, including carelessness;
  - 15% accidents and 'Acts of God';
  - 30% deliberate action by people.
- Of the above:
  - "55% human errors": almost always employees / legitimate users are involved.
  - "15% accidents and Acts of God": half probably belong in the other 85% of threat sources.
  - "30% deliberate acts": 1/3 disgruntled employees / legitimate users; 1/3 dishonest employees / legitimate users; 1/3 outsider or unknown.
Countermeasures - Technical Trade-Off Tree (diagram)
Three competing goals at the vertices of the tree: Secure, Fast/Easy, Cheap.
Where are the countermeasures? (diagram)
The threat model diagram from 'Postulate Threats' is repeated here to ask where countermeasures can be applied: threats to identified assets (internal or external); deliberate threats needing motivation, capability and a vulnerability; non-deliberate threats from error/carelessness or acts of God/accidents; impacts if a threat eventuates (confidentiality & privacy, integrity & modification, availability, damage & destruction, misuse & abuse); asset types (information, physical assets, intangibles, people).
Locations of Countermeasures (diagram, legend reconstructed as text)
Legend for the countermeasure codes placed on the threat model diagram:
  A  = Avoidance
  D  = Detect manifestation
  R  = Recover manifestation
  RC = Reduce/limit capability
  RI = Reduce impact
  RM = Reduce motivation
  RT = Reduce threat
  RV = Reduce vulnerability
  T  = Transfer risk (insurance)
In the diagram each code sits beside the node it acts on: RM beside motivation, RC beside capability, RV beside vulnerability, RT beside the threat nodes (including error/carelessness and acts of God/accidents), T beside acts of God/accidents, and A, D, R and RI beside the assets and the impacts that arise if a threat eventuates.
Countermeasures
- Countermeasures are selected to:
  - reduce or eliminate threats, or
  - reduce the impact if a threat eventuates.
- Typical countermeasures are:
  - strong buildings (eg doors, walls, floors, ceilings, locks on doors);
  - strong containers (filing cabinets, locked cash boxes, safes);
  - trusted personnel (eg "Authorised Staff Only");
  - procedures (eg formal induction briefings, last person out locks doors).
- NOTE: 'security by obscurity' (eg hiding keys under the doormat, passwords and safe combinations written in the form of 'telephone numbers') is generally discredited as a countermeasure.
Countermeasure Selection
- Countermeasures are not all equal:
  - some are more effective than others against particular threats;
  - some are more expensive;
  - some are harder to use.
- Cost-effectiveness:
  - most cost-effective are those which avoid or reduce threats;
  - least cost-effective is 'transfer risk', eg insurance, but sometimes it is all that is feasible.
- Some countermeasures protect from multiple threats (eg education and training; deterrence can be cheap), and some threats require multiple countermeasures.
- Use a variety of countermeasure types and categories.
Principles of Security Design
- Principle of Individual Accountability: each person carries responsibility for themselves, and for activities performed on their behalf with their authorisation.
- Principle of Least Privilege: the maximum privileges, rights, or capabilities given to any entity are the minimum required to perform its legitimate activity. Also expressed as 'need-to-know' or 'need-to-access'.
- Principle of Defence-in-Depth: a series of overlapping security barriers such that failure of a single barrier does not allow an immediate security breach.
- Principle of Defence-by-Diversity: where the series of overlapping security barriers implement diverse mechanisms, so that many skills are required to defeat all barriers.
- Principle of Commonality of Approach: logically parallel barriers or techniques are implemented similarly, to minimise the range of potential vulnerabilities.
Activities to Support Principles
The following activities are required to support the principles:
- Education and training: where individuals and groups are made aware of security issues, and of their role in achieving security.
- Configuration control: where system security is maintained through control of modifications to the systems.
- Monitoring and auditing: where compliance with the policies is verified, and trends are analysed so that corrective action may be initiated.
Trusted Systems
- 'Trusted systems' are required when a system performs critical functions.
- The more critical the function, the more trust required.
- Similar issues regarding trustworthiness apply to both safety- and security-related systems.
- How far can we trust computer-based systems?
Trusted Systems?
Passengers on a plane at the departure gate were asked: 'Would you remain on this computer-controlled aircraft knowing that your group had built the control systems?'
All said 'No way', except one woman. When queried she said: 'If my group had built the system, we would be quite safe, because this aircraft would not be able to leave the terminal!'
Trusted Systems (3)
Need to consider the total system and environment:
- physical facilities and environment: buildings and containment; essential services (water, electricity, drainage, etc);
- hardware trustworthiness;
- firmware trustworthiness;
- software trustworthiness;
- communications sub-system integrity and reliability;
- administration procedures; and
- personnel reliability and trustworthiness.
Security Trustworthy Systems
- Generally refers to 'computer systems' or 'IT', but in reality includes anything closely connected to the IT system.
- Some aspects are glossed over, particularly in lowly trusted systems, eg:
  - hardware, and the hardware components of firmware;
  - facilities and containment;
  - physical and electronic aspects of communications.
- The emphasis here is on trustworthy IT systems.
Types of Secure IT Systems
- Dedicated: single task; all personnel are authorised to access all information.
  - Security is totally external to the computing elements, hence the computer system need not be trusted.
- System-High: multiple tasks; has need-to-know differentiation between users.
  - Only minor problems if users see extraneous information.
  - Minor security capability needed (assumes benign users).
- Multi-Level: some users are legally not permitted to access some information, eg classified data at levels higher than some users are allowed to access.
  - Strong compartmentation between any user and other users, and between users and the information being processed or stored.
  - Proven strong security capability needed.
Trusted Software
- Software implementation of security functionality (the software component of firmware is software).
- Software trustworthiness has long been an issue. Problems:
  - Appropriateness of the functional and performance specification: does the specification correctly address all necessary functions? Is the performance specification correct for all circumstances?
  - Implementation of the specification: do the design and code truly implement the specification?
  - Operational and support documentation adequacy: is it usable, or too difficult? Does it describe all assumptions and limitations of the implementation?
  - Provability of trustworthiness.
Software Assurance Levels
Graduated scale of ratings and approaches:
- Unplanned 'bowl of spaghetti' code: unreliable, difficult to maintain; $5 per line of code to develop.
- Structured coding reduces code-level errors: approx $50 per line of code, tested and documented.
- Specifications in a structured language and style: improves communication between specifier and designer/builder/user.
- Specifications based on modelling of functionality: facilitates appropriate and correct specifications.
- Formal specifications using a mathematical language (eg Z, Gypsy, VDM etc): allows rigorous analysis of specifications.
- Proof-of-correctness of both design and implementation: up to $1500 per line of code, plus massive delays in the project.
Trusted Systems Evaluations
- Evaluations are always by government-accredited organisations:
  - USA: performed by the NSA National Computer Security Center (NCSC).
  - UK: now uses CLEFs (Commercial Licensed Evaluation Facilities), overseen by the UK government authorities CESG and CCTA.
  - Australia: used to be performed by the DSD QC section; now performed by AISEFs (Australian Information Security Evaluation Facilities), with the work overseen by DSD.
  - Other countries operate similarly: NZ, Canada, Germany, France, Netherlands etc.
- Costs and delays:
  - early system evaluations cost 48 person-months & 2 years;
  - similar cost/delay across all evaluation levels: low-end systems are casually designed, hence difficult to evaluate; higher-grade systems are specified and designed better, but more rigorously investigated.
Trusted Systems Evaluations (2)
- Evaluation applies only to the exact product specified, installed & operated as directed by the developer/evaluator:
  - not upgrades, new releases, nor even patched releases;
  - note: updates have been rated lower than their predecessors, EXCEPT those updated in accordance with an approved programme:
    - the Ratings Maintenance Phase (RAMP) is the USA mechanism for maintaining a rating through updates and new releases;
    - the Certificate Maintenance Scheme (CMS) is an integral part of the UK ITSEC scheme, reducing re-evaluation costs/timescales.
- A good product, poorly implemented or maintained, is worse than a poor product well implemented, because it gives a false sense of security.
USA - TCSEC - "Orange Book"
- Trusted Computer System Evaluation Criteria (TCSEC), USA, 1983.
- National Computer Security Center (part of DoD/NSA).
- First published 1983 and reissued 1985, in flame-orange covers; nickname "The Orange Book". Derivatives and related publications are known as the "Rainbow Books".
- Single dimension of ratings:
  - A1: experimental level of high security;
  - B3, B2, B1: government-grade multilevel systems;
  - C2, C1: commercial-grade systems;
  - D: unevaluated, or failed to attain a higher rating.
- A rating covers both functionality & assurance criteria: higher ratings => higher functionality and higher assurance.
- Criteria are oriented to the mainframe systems of the early 1980s.
- Most large USA big names (IBM, HP etc) use TCSEC.
Orange Book Ratings (2)
  Division                            Class  Description
  A Division                          A1     B3 functionality, formal assurance (highest)
  B Division (Government Multilevel)  B3     Tough and unfriendly
                                      B2     Low end of formally designed systems
                                      B1     High grade traditional operating system
  C Division (Commercial)             C2     Good commercial security
                                      C1     Basic security features only
  D Division (Unrated)                D      No formal security trust (lowest)
Orange Book Ratings (diagram)
Increasing security functions and assurance from left to right: D (no trust) < C1, C2 (low trust) < B1, B2, B3, A1 (high trust).
- Division D encompasses systems which have not been assessed, or which have failed to attain a higher rating.
- Most USA mainframe operating systems are C2; some have B1 capability, either as built or by add-ons.
- B2 and above require security functionality and assurance to be incorporated in the system design, not as an afterthought.
Orange Book Evaluation Criteria (matrix, reconstructed as text)
Columns D, C1, C2, B1, B2, B3, A1; trustworthiness runs from nil (D) through low (C1) and increasing to high (A1). Rows:
- Policies: discretionary policies from C1; discretionary and mandatory policies from B1.
- Audit trail: required from C2, with increasing audit trail requirements at higher classes.
- System architecture: weak but increasing architecture requirements through C1 to B1; strong but increasing requirements from B2.
- Top level specifications: a descriptive top-level specification (DTLS), informal, from B2; a formal top-level specification (FTLS) at A1.
- Security model validity: the model is informally "shown" valid at B1; a formal security model "proven" valid from B2.
- Penetration testing: required from B2, increasing at higher classes.
- Configuration and change management: required from B2, increasing at higher classes.
- Covert channel restrictions: from B2, with increasing restriction at higher classes.
- Distribution path from vendor to customer (trusted distribution): A1.
Trusted Computing Base (TCB)
- TCSEC uses the concept of a small TCB acting as the reference monitor arbitrating between:
  - users (subjects) and
  - data entities (objects).
- As all access between users and data is via the TCB, then only the TCB needs to be trusted:
  - avoids having to trust each and every application, compiler etc,
  - PROVIDED that the TCB can be adequately 'proven'.
- The TCB concept implies that there must be:
  - identified and authenticated users;
  - security sensitivity labels associated with data objects; and
  - an information access policy identifying who may access what.
TCB implements Access Controls
The TCB includes:
- an architecture and structure which separates:
  - 'user' domains from 'system' domains;
  - users from each other; and
  - executable code from data;
- a user identification and authentication mechanism;
- security sensitivity labelling of files and resources (ports, devices, operating system functions etc), either:
  - implicitly, where sensitivity is implied from the parent directory, file type, file name, file owner, port identification etc; or
  - explicitly, where sensitivity information is associated with every resource on the system (like the Windows NT File System, NTFS);
- enforced controls over access to files & resources;
- audit and monitoring capabilities over security functions.
Access Controls Concepts
- The TCB must limit access to resource objects (eg files, ports, system functions) to authorised subjects (authorised users, or system functions acting on behalf of authorised users).
- Generally by means of a lattice-based model. Example (access matrix diagram, reconstructed): subjects (users) 1 to 6 against objects (files, ports etc), with an X marking each permitted subject/object pair:
  - Object 1: accessible by none;
  - Object 2: accessible by some users;
  - Object 3: accessible by all users.
Access Models
- A detailed security policy defines:
  - objects and object classes (files, ports, functions etc);
  - subjects (users, user groups, active functions etc);
  - which subjects (eg users) may access which objects (eg files); and
  - how they may access them (eg read, write, create, modify, execute, rename, delete, append, activate etc).
- Questions:
  - Who sets the lattice model parameters? (Administrator & owner)
  - Is this flexible and responsive enough? (Barely)
  - Is one model sufficient for all cases? (No, but usually it must suffice)
DAC and MAC
- Discretionary Access Control (DAC) (ratings C1 and all above):
  - established by the information owner;
  - the owner sets flags to indicate who may read/write/modify etc the file;
  - the TCB can hold default settings (which the owner may override).
- Mandatory Access Control (MAC) (ratings B1 and above):
  - directed by policy statements, 'hard wired' into the system, usually set in the TCB by the systems administrator;
  - eg policy statement: 'data from the R&D area is not to be read by the finance group';
  - not able to be overridden by the data owner;
  - should be checked during audits and monitoring activity;
  - typically applied to nationally classified information: no person may read information classified higher than their clearance. This is the 'no read up' simple security property of the Bell-LaPadula (BLP) model; BLP pairs it with a 'no write down' *-property, so that a highly cleared subject cannot copy high data into a low object.
- Because MAC cannot be overridden by the owner, it is checked before DAC: an owner's DAC grant cannot open a door that MAC has closed.
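The TCB, lattice and DAC/MAC slides above describe a reference monitor in words; the following is an added example (not part of the lecture notes) of one in Python. Every access is checked first against a lattice of sensitivity labels (MAC: Bell-LaPadula no-read-up and no-write-down, which the owner cannot override) and then against an owner-managed access list (DAC), and every decision is written to an audit trail. The levels, compartments, users, objects and the R&D/finance policy are all constructed for illustration and are not from the page.

```python
"""Added example (not from the lecture): a minimal reference monitor that
applies lattice-based MAC (Bell-LaPadula: no read up, no write down) before
owner-set DAC.  All labels, subjects, objects and the policy below are
constructed for illustration."""
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List, Set, Tuple

# Hierarchical levels; compartments (eg R&D, FINANCE) express need-to-know.
LEVELS = {"UNCLASSIFIED": 0, "CONFIDENTIAL": 1, "SECRET": 2, "TOP SECRET": 3}


@dataclass(frozen=True)
class Label:
    level: str
    compartments: FrozenSet[str] = frozenset()

    def dominates(self, other: "Label") -> bool:
        """Lattice order: level at least as high AND a superset of compartments."""
        return (LEVELS[self.level] >= LEVELS[other.level]
                and self.compartments >= other.compartments)


@dataclass
class Subject:
    name: str
    clearance: Label


@dataclass
class Obj:
    name: str
    label: Label            # MAC label: set by the administrator, not the owner
    owner: str
    acl: Dict[str, Set[str]] = field(default_factory=dict)  # DAC: owner-managed


class ReferenceMonitor:
    """All subject/object access is arbitrated here; it keeps an audit trail."""

    def __init__(self) -> None:
        self.audit: List[Tuple[str, str, str, bool, str]] = []

    def check(self, s: Subject, o: Obj, op: str) -> bool:
        # MAC first: the data owner cannot override these two rules.
        if op == "read" and not s.clearance.dominates(o.label):
            return self._log(s, o, op, False, "MAC: no read up")
        if op == "write" and not o.label.dominates(s.clearance):
            return self._log(s, o, op, False, "MAC: no write down")
        # DAC second: the owner is implicitly allowed, others need an ACL entry.
        if s.name != o.owner and op not in o.acl.get(s.name, set()):
            return self._log(s, o, op, False, "DAC: not in ACL")
        return self._log(s, o, op, True, "permitted")

    def _log(self, s: Subject, o: Obj, op: str, ok: bool, why: str) -> bool:
        self.audit.append((s.name, o.name, op, ok, why))
        return ok


def demo() -> Dict[str, Tuple[bool, str]]:
    """Constructed scenario; returns {case: (decision, reason)}."""
    rm = ReferenceMonitor()
    alice = Subject("alice", Label("SECRET", frozenset({"R&D"})))
    bob = Subject("bob", Label("CONFIDENTIAL", frozenset({"FINANCE"})))
    carol = Subject("carol", Label("TOP SECRET", frozenset({"R&D", "FINANCE"})))
    dave = Subject("dave", Label("CONFIDENTIAL", frozenset({"FINANCE"})))
    design = Obj("design.doc", Label("SECRET", frozenset({"R&D"})), "alice",
                 acl={"bob": {"read"}, "carol": {"read", "write"}})  # owner grants finance
    ledger = Obj("ledger.xls", Label("CONFIDENTIAL", frozenset({"FINANCE"})), "bob")
    report = Obj("report.doc", Label("TOP SECRET", frozenset({"R&D"})), "carol",
                 acl={"alice": {"write"}})
    cases = [
        ("bob_reads_design", bob, design, "read"),        # MAC beats the DAC grant
        ("alice_reads_design", alice, design, "read"),    # owner, label dominated
        ("carol_reads_design", carol, design, "read"),    # reading down is fine
        ("carol_writes_design", carol, design, "write"),  # writing down is not
        ("alice_writes_report", alice, report, "write"),  # blind write up is OK
        ("dave_reads_ledger", dave, ledger, "read"),      # cleared, but no ACL entry
    ]
    out: Dict[str, Tuple[bool, str]] = {}
    for name, s, o, op in cases:
        ok = rm.check(s, o, op)
        out[name] = (ok, rm.audit[-1][4])
    return out


if __name__ == "__main__":
    for case, (ok, why) in demo().items():
        print(f"{case:22s} {'ALLOW' if ok else 'DENY ':5s} {why}")
```

The order of the two checks is the point: the owner of design.doc has granted bob read access, but bob's CONFIDENTIAL/FINANCE clearance does not dominate the SECRET/R&D label, so the MAC rule denies him before his ACL entry is ever consulted. The same lattice lets alice write upwards into a TOP SECRET report she cannot read, which is exactly what the *-property permits.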
USA 'Rainbow Books'
- Explain, extend, interpret etc the Orange Book.
- All available from http://www.radium.ncsc.mil/tpep/library/rainbow/
- Topics include:
  - DoD Password Management Guideline, 12 April 1985 (Green Book);
  - Guidance for Applying the DoD TCSEC in Specific Environments, 25 June 1985 (Light Yellow Book);
  - Advisory Memorandum on Office Automation Security Guidelines;
  - A Guide to Understanding Audit in Trusted Systems, 1 June 1988, Version 2 (Tan Book);
  - Trusted Product Evaluations - A Guide for Vendors, 22 June 1990 (Bright Blue Book);
  - A Guide to Understanding Discretionary Access Control in Trusted Systems, 30 September 1987 (Neon Orange Book).
ITSEC
Information Technology Security Evaluation Criteria of France, Germany, the Netherlands and the United Kingdom, 1991.

EU - Information Technology Security Evaluation Criteria (ITSEC)
- Published 1990, updated 1991.
- Based on UK, German & French criteria, and inputs from others; significant input from USA Orange Book concepts, but overcomes the 'star-connected mainframe' and USA bias.
- Considers functionality and assurance orthogonally:
  - one axis addresses assurance: six hierarchical levels above zero trust (E0 through E6);
  - the other axis addresses functionality: 10 predefined non-hierarchical classes of functionality (F1 through F10), little used in Australia; the user may define functionality to suit the task.
- Defines a 'claims language' to assist evaluation: a semi-formalised and structured language, with defined terminology etc.
ITSEC Assurance Classes
  ITSEC  TCSEC equivalent  Comments
  E0     D                 No proven trustworthiness
  E1     C1                Low commercial
  E2     C2                High commercial
  E3     B1                Low multilevel
  E4     B2                High multilevel
  E5     B3
  E6     A1                Formal 'proof of correctness'
ITSEC Functionality Classes
  ITSEC  TCSEC equivalent     ITSEC  Used for
  F1     C1                   F6     High integrity
  F2     C2                   F7     Networking
  F3     B1                   F8     Network with integrity
  F4     B2                   F9     Network with confidentiality
  F5     B3 & A1              F10    Network with integrity & confidentiality
Users may define their own functionality.
User Defined Functionality
- The ITSEC standard functionality classes are OK, but do not reflect all situations.
- A developer may define the functionality they claim, and have it evaluated to a particular assurance level, eg firewalls, weapons systems, banking systems.
- Most Australian ITSEC evaluations are based on 'user' (read 'vendor') defined functionality.
- A rock could rate E6 if appropriate functionality was claimed.
- Always verify the functionality claimed for the evaluation rating. Eg a firewall is evaluated and advertised as 'E3', but what does it do at the 'E3' level of trustworthiness?
Types of Network Threats
Adapted from “Cryptography and Network Security: Principles and Practice”
Second Edition, by William Stallings
Network Threats (2)
- Passive threats (interception):
  - release of contents: read plain text, or decrypt and read;
  - traffic analysis: activity analysis, characteristics analysis.
- Active threats:
  - interruption (availability);
  - modification (integrity);
  - fabrication (authenticity).

Encrypted Data Stream (diagram)
Encryption may be considered a protective pipe around the target information: extraneous data can't enter the stream, and intelligible information can't leave the pipe. The shape of the pipe still shows, however: the direction, size and timing of the encrypted records remain visible to a passive observer, which is what traffic analysis works on.
Network Threats (3)
- Encryption is the main tool used to inhibit network threats. Assuming unbroken encryption:
  - Release of message contents: defeated by encryption.
  - Modification of traffic: still possible. In a chained block mode (eg CBC) a modified block decrypts to unpredictable garbage, but in stream-style modes (CFB, OFB, CTR) flipping a ciphertext bit flips the same plaintext bit, so the attacker's change is predictable. Encryption alone gives no integrity; that needs a message authentication code (MAC) or an authenticated-encryption mode.
  - Fabrication or replay of traffic: creation of new intelligible traffic is defeated, since the attacker lacks the key. Replay is not defeated by the cipher itself. In Electronic Code Book (ECB) mode identical plaintext blocks give identical ciphertext blocks, so old blocks can even be cut and pasted into other messages; in chained or feedback modes (CBC, CFB) a transplanted block decrypts to garbage unless the chaining state matches, but a whole message can still be replayed verbatim. Replay protection comes from sequence numbers or timestamps that are covered by the MAC.
  - Traffic analysis: if headers and body are encrypted, traffic analysis can only be based on traffic timings, flow rates, and transaction size; if only the body is encrypted, header information can be used in traffic analysis.
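The modification, fabrication and replay points above are easiest to believe when run. The following is an added example (not from the lecture notes and not a real cipher): a toy 16-byte Feistel block cipher built from HMAC-SHA256, driven in ECB and CBC modes, shows that cutting and pasting ciphertext blocks produces a valid but altered record under ECB and garbage under CBC, and then an encrypt-then-MAC wrapper with a sequence number rejects both a tampered message and a replayed one. The Feistel construction, the transfer record layout, the keys and the sequence numbers are all constructed for illustration; in practice a standard cipher and AEAD mode would be used.

```python
"""Added example (not from the lecture): confidentiality alone gives neither
integrity nor replay protection.  The block cipher is a toy 4-round Feistel
network built on HMAC-SHA256 (NOT a real cipher; it exists only so the
example runs with the standard library).  Record layout, keys and sequence
numbers are constructed for illustration."""
import hashlib
import hmac
import os

BLOCK = 16

def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def _f(key: bytes, rnd: int, half: bytes) -> bytes:
    """Feistel round function: keyed PRF of one 8-byte half."""
    return hmac.new(key + bytes([rnd]), half, hashlib.sha256).digest()[:8]

def block_encrypt(key: bytes, block: bytes) -> bytes:
    l, r = block[:8], block[8:]
    for i in range(4):
        l, r = r, _xor(l, _f(key, i, r))
    return r + l

def block_decrypt(key: bytes, block: bytes) -> bytes:
    r, l = block[:8], block[8:]
    for i in reversed(range(4)):
        l, r = _xor(r, _f(key, i, l)), l
    return l + r

def _blocks(data: bytes):
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]

def ecb_encrypt(key: bytes, pt: bytes) -> bytes:
    return b"".join(block_encrypt(key, b) for b in _blocks(pt))

def ecb_decrypt(key: bytes, ct: bytes) -> bytes:
    return b"".join(block_decrypt(key, b) for b in _blocks(ct))

def cbc_encrypt(key: bytes, iv: bytes, pt: bytes) -> bytes:
    out, prev = [], iv
    for b in _blocks(pt):
        prev = block_encrypt(key, _xor(b, prev))   # chaining: each block depends on the last
        out.append(prev)
    return b"".join(out)

def cbc_decrypt(key: bytes, iv: bytes, ct: bytes) -> bytes:
    out, prev = [], iv
    for c in _blocks(ct):
        out.append(_xor(block_decrypt(key, c), prev))
        prev = c
    return b"".join(out)

def swap_blocks(data: bytes, i: int, j: int) -> bytes:
    """Attacker's cut-and-paste: exchange 16-byte blocks i and j."""
    bs = _blocks(data)
    bs[i], bs[j] = bs[j], bs[i]
    return b"".join(bs)

def seal(kenc: bytes, kmac: bytes, seq: int, pt: bytes) -> bytes:
    """Encrypt-then-MAC; the sequence number sits under the MAC for anti-replay."""
    iv = os.urandom(BLOCK)
    ct = cbc_encrypt(kenc, iv, pt)
    hdr = seq.to_bytes(4, "big") + iv
    return hdr + ct + hmac.new(kmac, hdr + ct, hashlib.sha256).digest()

class Receiver:
    def __init__(self, kenc: bytes, kmac: bytes) -> None:
        self.kenc, self.kmac, self.last_seq = kenc, kmac, -1

    def open(self, msg: bytes):
        hdr, ct, tag = msg[:20], msg[20:-32], msg[-32:]
        expect = hmac.new(self.kmac, hdr + ct, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expect):
            return None                      # modified or fabricated: reject
        seq = int.from_bytes(hdr[:4], "big")
        if seq <= self.last_seq:
            return None                      # replayed: reject
        self.last_seq = seq
        return cbc_decrypt(self.kenc, hdr[4:], ct)

# Constructed three-block transfer record with 16-byte fixed-width fields.
RECORD = b"FROM:ACCT-000001" + b"TO:  ACCT-000002" + b"AMT: 00000100.00"
KENC, KMAC = b"enc-key-16-bytes", b"mac-key-16-bytes"   # constructed keys

def demo() -> dict:
    swapped = swap_blocks(RECORD, 0, 1)          # FROM and TO exchanged
    iv = bytes(BLOCK)
    ecb_ct = ecb_encrypt(KENC, RECORD)
    cbc_ct = cbc_encrypt(KENC, iv, RECORD)
    rx = Receiver(KENC, KMAC)
    sealed = seal(KENC, KMAC, 1, RECORD)
    tampered = sealed[:40] + bytes([sealed[40] ^ 0x01]) + sealed[41:]
    return {
        # ECB: spliced ciphertext decrypts to a well-formed record with fields swapped
        "ecb_splice_is_valid_record": ecb_decrypt(KENC, swap_blocks(ecb_ct, 0, 1)) == swapped,
        # CBC: the same splice yields garbage, not a usable record
        "cbc_splice_is_garbage": cbc_decrypt(KENC, iv, swap_blocks(cbc_ct, 0, 1)) not in (RECORD, swapped),
        "sealed_accepted": rx.open(sealed) == RECORD,
        "tampered_rejected": rx.open(tampered) is None,
        "replay_rejected": rx.open(sealed) is None,
    }
```

Note that the CBC receiver without the MAC would still accept the spliced message and hand garbage to the application; only the MAC turns "unpredictable result" into "rejected", and only the sequence number under that MAC turns a verbatim replay into a rejection.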
Summary
- Security is a concept and attitude of mind, and difficult to define; the definition must derive from management directives and policy.
- Security management is management of risks; otherwise security becomes a black hole.
- The main issues for consideration are:
  - assets;
  - threats to those assets;
  - countermeasures to those threats;
  - ongoing management leadership and support.
Internet Issues Summary
- Most Internet security issues identified are mainly Internet-specific implementations of broader issues:
  - encryption of VPNs and e-mail is an encryption issue;
  - e-commerce requirements for authentication and non-repudiation are Internet- or computer-based variants of signatures; public key encryption mechanisms are addressing these issues;
  - personnel abusing Internet access are only one specific manifestation of widespread poor practices (abuse of company cars, telephones, accommodation, equipment); the Internet is only the vehicle.
- Concentrate on the real issues:
  - perimeter security and internal segmentation (firewalls); use firewalls for virus checks etc;
  - develop an understanding of censorship processes and needs;
  - develop security awareness and a sense of ethics in all parties.
Common Reactions (Management)
- "It won't happen to us / our company / me": just wait and it will; best to lock the stable door before the horse bolts.
- "Security gets in the way - is obstructive": frequently true and unavoidable to some extent, but the impact can be minimised with planning, management commitment, and training. Good security must always be in the context of the business.
- Lack of a written security policy and directions: planned policies and committed management guide everyone.
- Treating security as a black/white issue, eg is all xxx-in-confidence information really of the same value? A graduated scale of values and risks is needed; some people are more trustworthy than others, as are some countermeasures, such as procedures, locks and computers.
Common Reactions (Implementation)
- Addressing the wrong problem, because it is easier:
  - assuming most attacks are external (ie "we trust all our people");
  - non-acceptance that commercial intelligence gathering or sabotage is occurring in Australia now;
  - addressing the wrong threats, eg assuming high-risk attacks are violent, high intensity and short duration (eg terrorists or armed hold-up) rather than slow and subtle (eg espionage).
- Implementing unbalanced security, eg high-grade firewalls, but a lack of lockable containers or rooms.
- Ineffectual security, which has all of the costs but little benefit:
  - high-grade (and costly) firewalls, intrusion detectors etc, poorly implemented and not supported;
  - good policies and mission statements, but management do not show support and leadership, ie the policies are not implemented;
  - failure of aftercare for people, procedures, & equipment.
Finale
- Security has become the major issue following Y2K.
- Media hype about Internet-related security problems has sensitised management, auditors and legislators to the issues, but they generally need technical guidance.
- Deliberate attacks against businesses are increasing dramatically.
- Outsourcing of security management to specialist companies is not necessarily the best way for an organisation to go: employees should be in control of all sensitive activities.

Tutorial
Q&A and case studies