IT Security A global Perspective - PowerPoint PPT Presentation

Slides: 15
Provided by: burn2
Transcript and Presenter's Notes

1
IT Security A global Perspective
  • Prepared for the
  • Greater Omaha Chapter
  • AFCEA
  • October 25, 2007
  • Blaine Burnham

2
IT Security A global Perspective
  • Overview
  • Criteria
  • Education
  • Technical Direction
  • Summary

3
IT Security A global Perspective
  • Overview
  • The Ware Report
  • The Schell Paper
  • A Bunch of Quotes and References

4
IT Security A global Perspective
  • QR
  • Selected Excerpts and Sources
  • On Platform Security
  • "Trustworthy Computing is computing that is as
    available, reliable, and secure as electricity,
    water services, and telephony," Gates wrote.
    "Microsoft and the computer industry will only
    succeed ... if CIOs, consumers, and everyone else
    sees that Microsoft has created a platform for
    Trustworthy Computing."
  • Bill Gates, February 2002 Memorandum to Microsoft
    employees, as reported in Windows .Net
    Magazine, June 2002, online at
    http://www.winnetmag.com/Articles/Index.cfm?ArticleID=24881
  • "Current security efforts suffer from the flawed
    assumption that adequate security can be provided
    in applications with the existing security
    mechanisms of mainstream operating systems. In
    reality, the need for secure operating systems is
    growing in today's computing environment due to
    substantial increases in connectivity and data
    sharing."
  • Peter A. Loscocco, Stephen D. Smalley, Patrick A.
    Muckelbauer, Ruth C. Taylor, S. Jeff Turner, John
    F. Farrell (National Security Agency), in "The
    Inevitability of Failure: The Flawed Assumption
    of Security in Modern Computing Environments,"
    1998, available online at
    http://www.nsa.gov/selinux/inevit-abs.html
  • "This trend has unfortunately been enhanced over
    the last five years as cryptography, in the form
    of digital signatures, public key certificates,
    and the like have become the security
    architecture for network based systems of the
    future. This trend totally ignores the
    fundamental fact that such encryption will only
    be as secure as the operating system structure in
    which it sits. The emphasis must then move back
    to the TCSEC/Common Criteria environment and
    reasonable proof that software and hardware based
    encryption structures are fully protected.
    Contrary to accepted ideas, then, the use of
    cryptography actually enhances the need to
    reconsider security functionality and evaluation
    at the operating system and hardware levels in
    line with the Common Criteria (ISO standard
    15408)."
  • Professor William Caelli, "Relearning Trusted
    Systems in an Age of NIIP: Lessons from the Past
    for the Future," 2002, online at
    http://cisse.info/CISSE20J/2002/cael.pdf

5
IT Security A global Perspective
  • QR
  • Selected Excerpts and Sources 
  • The Problem is Getting Worse
  • "Though the most recent of the reports was issued
    2 years ago and the oldest 10 years ago, not much
    has changed with respect to security as it is
    practiced. The unfortunate reality is that
    relative to the magnitude of the threat, our
    ability and willingness to deal with threats has,
    on balance, changed for the worse, making many of
    the analyses, findings, and recommendations of
    these reports all the more relevant, timely, and
    applicable today."
  • Herb Lin, Senior Scientist, Computer Science and
    Telecommunications Board, National Research
    Council, in "Cybersecurity Today and Tomorrow: Pay
    Now or Pay Later," online at
    http://www.cstb.org/web/pub_cybersecurity

6
IT Security A global Perspective
  • QR
  • Selected Excerpts and Sources
  • On Professional Attacks
  • "Until now, 'amateurs' - young people with no
    particular motivation or target in mind - have
    undertaken most of the highest-profile attacks on
    the Internet. However, I expect that over the
    coming year and beyond, we will see a rise in
    more professional types of attackers, targeting
    specific crucial online systems. This will
    potentially endanger not only the Internet, but
    also our national security, and ultimately our
    entire way of life."
  • Robert Clyde, CTO, Symantec, "Exposing the Future
    of Internet Security," in Extreme Tech, online at
    http://www.extremetech.com/article2/0,3973,1154114,00.asp

7
IT Security A global Perspective
  • QR
  • Selected Excerpts and Sources 
  • "The information security threat is no longer
    properly characterized by the 'caffeine crazed'
    hacker out to prove his or her technical prowess.
    Instead, today's threat is rapidly evolving to
    include, if not feature, well-organized criminal
    syndicates employing sophisticated and structured
    attack techniques."
  • John Frazzini, Vice President Operations,
    Idefense Inc., www.idefense.com, as quoted in
    Thomas Glaessner, Tom Kellermann, Valerie
    McNevin, "Electronic Security: Risk Mitigation in
    Financial Transactions, Public Policy Issues,"
    June 2002, World Bank, available online at
    http://wbln0018.worldbank.org/html/FinancialSectorWeb.nsf/(attachmentweb)/E-security-RiskMitigationInFinancialTransactionsv4/FILE/E-security-RiskMitigationInFinancialTransactionsv4.0.pdf
  • "I believe competitors, or organizations working
    for them, are a much greater source of risk than
    your respondents realize. It is unlikely that
    the $151 million loss of proprietary information
    is all due to independent hackers, or even
    disgruntled employees. Such losses are due to
    targeted attacks on the victims by someone with
    strong, financial motivation to succeed."
  • Rik Farrow, www.spirit.com, as quoted in Computer
    Security Institute, "Computer Security Issues &
    Trends," 2001 CSI/FBI Computer Crime and Security
    Survey, Spring 2001

8
IT Security A global Perspective
  • QR
  • Selected Excerpts and Sources 
  • Infosecurity Europe Hacker Challenge: subverting
    Trusted Solaris
  • "Argus' world changed in April, 2001 with their
    fifth Hacker Challenge, timed to coincide with
    the Infosecurity Europe conference in London. The
    competition revolved around Argus'
    then-undefeated Pitbull Secure Web Appliance, a
    machine running sophisticated security
    enhancements to the Unix kernel built on the
    'trusted operating system' model cherished by the
    Pentagon.
  • "The rules of the challenge were simple: Argus
    released an account name and password for the
    contest Web server, and invited all comers to log
    in and attempt to escalate their privileges on
    the machine. To win the prize of 35,000 British
    pounds ($48,000) an attacker had to modify one of
    two protected Web sites running from the server,
    and be the first to provide Argus with a complete
    and verifiable technical description of the hack.
    The winner, if any, was to be paid by May 15th,
    2001.
  • "LSD's four-man team set up a makeshift
    laboratory to duplicate the target environment,
    and began devising an attack. Working together,
    they quickly developed a clever tactic that
    hinged on a tricky exploitation of a bug in the
    underlying Solaris x86 operating system. Less
    than 24 hours after the contest began, they'd
    gained complete control of the contest machine."
  • "'Hacking Challenge' Winners Allege $43,000
    Contest Rip-Off," in SecurityFocus, November 26,
    2002, online at
    http://www.securityfocus.com/printable/news/1717

9
IT Security A global Perspective
  • QR
  • Selected Excerpts and Sources 
  • "The state of the science of information security
    is quite rich with solutions and tools that
    represent the accumulated knowledge from research
    over more than 30 years. The state of our
    assimilation of that knowledge by information
    security practitioners and understanding of the
    existing science is very poor. The greatest
    achievement in the science of computer and
    network security is the ability to build and
    deploy truly bulletproof systems having
    verifiable protection. And this remains the most
    powerful solution available for many of today's
    hard problems."
  • Roger R. Schell, "Information Security: Science,
    Pseudoscience, and Flying Pigs," online at
    http://www.acsac.org/invited-essay/essays/2001-schell.pdf
  • "It has been demonstrated that the technology
    direction can actually be implemented and
    provides an effective solution to the problem of
    malicious software employed by well-motivated
    professionals. Unfortunately, the mainstream
    products of major vendors largely ignore these
    demonstrated technologies. In our opinion this is
    an unstable state of affairs. It is unthinkable
    that another thirty years will go by without one
    of two occurrences: either there will be horrific
    cyber disasters that will deprive society of much
    of the value computers can provide, or the
    available technology will be delivered, and
    hopefully enhanced, in products that provide
    effective security."
  • Paul A. Karger and Roger R. Schell, "Thirty Years
    Later: Lessons from the Multics Security
    Evaluation," online at
    http://www.acsac.org/2002/papers/classic-multics.pdf

10
IT Security A global Perspective
  • Criteria
  • The Common Criteria
  • Harmonization
  • NIAP
  • NSTISSP 11
  • http://niap.nist.gov/cc-scheme/nstissp11_FactSheet.pdf
  • New Players
  • China, Russia, India, Israel
  • Implications
  • Technology Transfer
  • Subversion

11
IT Security A global Perspective
  • Education
  • Russia
  • Great Program
  • China
  • Huge Numbers

12
IT Security A global Perspective
  • Technical Direction
  • China
  • The Open Source Movement
  • The Ongoing migration of assembly and fabrication
  • "IP rights, China design capabilities worry
    industry, DoD," by Laurie Sullivan, EBN, September 18,
    2003 (2:43 p.m. ET)
  • Russia
  • Software
  • 06.28.03, "Intel to support Russian software
    developers": Intel is launching a programme to
    support software developers in Russia. Melissa
    Laird, the general director of Intel's software
    and solutions group, announced the programme
    yesterday at a press conference during the 3rd
    international software developers forum that is
    taking place in St. Petersburg.

13
IT Security A global Perspective
  • Outsourcing / Off-Shoring
  • "Pirated Longhorn sold in Malaysia": Malaysia's
    brazen software pirates are hawking the next
    version of Microsoft's Windows operating system
    years before it is supposed to be on sale.
  • Widely cited figures predict that by 2015,
    roughly 3.3 million U.S. business processing jobs
    will have moved abroad. As of July 2003, around
    400,000 jobs already had.
  • Other research suggests that the number of
    U.S. service jobs lost to "offshoring" will
    accelerate at a rate of 30 percent to 40 percent
    annually during the next five years. Vast wage
    differentials are prompting companies to move
    their labor-intensive service jobs to countries
    with low labor costs. For instance, software
    developers, who cost $60 an hour in the United
    States--the country that does the most offshoring
    of jobs--cost only $6 an hour in India, the
    biggest market for offshore services.
  • Where is the Accountability and the Oversight?
  • What is the Development model? CODE TO TEST?
    WOW!!!!

14
IT Security A global Perspective
  • Summary
  • From the point of View of Security the Industry
    is completely out of control and getting worse
  • No accountability
  • No Recourse
  • No Reason to Believe the Situation will Improve
  • Far less ability to Assess and Validate
  • The Current Systems Architectures Scale Poorly
  • We seem to be completely susceptible to the most
    recent salesman