Notesale: Turn your study into money

Document Preview

Extracts from the notes are below, to see the PDF you'll receive please use the links above

---

Chapter 1
What is Computer
Security?

The meaning of the term computer security has evolved in recent years
...
Traditionally, computer facilities have been physically
protected for three reasons:
• To prevent theft of or damage to the hardware
• To prevent theft of or damage to the information
• To prevent disruption of service
Strict procedures for access to the machine room are used by most organizations, and these
procedures are often an organization’s only obvious computer security measures
...
Nonetheless, most computer facilities continue to protect their physical
machine far better than they do their data, even when the value of the data is several times
greater than the value of the hardware
...
Information
security is the subject of this book
...
Most computer crimes are in fact committed by insiders,
and most of the research in computer security since 1970 has been directed at the insider
problem
...
1 SECRECY, INTEGRITY, AND DENIAL OF SERVICE
Throughout this book, the discussion of computer security emphasizes the problem of protecting
information from unauthorized disclosure, or information secrecy
...

There are two reasons for this seemingly one-sided point of view, one historic and one
technical
...
This
tradition has persisted even in commercial applications, where classified information is not the
concern and where integrity, not secrecy, is often the primary goal
...

Fortunately, techniques to protect against information modification are almost always the
same as (or a subset of) techniques to protect against information disclosure
...
In the rare cases where the
techniques differ, that fact will be pointed out explicitly
...

Denial of service can be defined as a temporary reduction in system performance, a system crash
requiring manual restart, or a major crash with permanent loss of data
...
As in the case of data integrity, one
reason for the lack of concern is historic: secrecy has been the primary goal of governmentfunded security programs
...
While great strides
have been made since the early 1970s toward ensuring secrecy and integrity, little progress has
been made in solving denial of service because the problem is fundamentally much harder:
preventing denial of service requires ensuring the complete functional correctness of a system—
something unlikely to be done in the foreseeable future
...
Most of the techniques for building secure
systems, however, also help you build more robust and reliable systems
...
This book will indicate when those techniques apply
...
To help you remember this, memorize the computer security researcher’s favorite (tonguein-cheek) phrase: “I don’t care if it works, as long as it is secure
...
2 TRUSTED SYSTEM EVALUATION CRITERIA
The U
...
Department of Defense has developed its own definition of computer security,
documented in Trusted Computer System Evaluation Criteria (Department of Defense 1985),
also called “the Orange Book” after the color of its cover /and hereafter shortened to “the
Criteria”)
...
The
seven levels of trust identified by the Criteria range from systems that have minimal protection
features to those that provide the highest level of security modern technology can produce (table
1-1)
...
The National Computer

4

Security Center, the official evaluator for the Defense Department, maintains an Evaluated
Products List of commercial systems that it has rated according to the Criteria
...
It focuses primarily on general-purpose operating
systems
...
The Trusted Network
Interpretation identifies security features not mentioned in the Criteria that apply to networks
and individual components within networks, and shows how they fit into the Criteria ratings
...
Trusted System Evaluation Criteria Ratings
...
The
requirements are cumulative, moving from class D to class A1
...
In order to attain such a high rating, a system has to be designed with
security as its most important goal
...
The Evaluated Products List is short because the Criteria is
relatively new and evaluations take a long time
...

While most of the technical concepts in the Criteria are covered in this book, we will pay
little attention to its rating scale
...

REFERENCES
Department of Defense
...
DoD Trusted Computer System Evaluation Criteria
...
28-STD
...
C
...
(U
...
Government Printing Office
number 008-000-00461-7
...
This document discusses many of the computer security
concepts covered in this book
...
1987
...
NCSC-TG-005
...

George G
...
: National Computer Security Center
...


6

Chapter 2
Why Systems Are
Not Secure

Despite significant advances in the state of the art of computer security in recent years,
information in computers is more vulnerable than ever
...
We would be fighting a losing
battle, except that security need not be an isolated effort: there is no reason why a new
technology cannot be accompanied by an integrated security strategy, where the effort to protect
against new threats only requires filling in a logical piece of a well-defined architecture
...
This
chapter explores some of the classic reasons why the implementation of security lags behind its
theory
...
1 SECURITY IS FUNDAMENTALLY DIFFICULT
Why are computer systems so bad at protecting information? After all, if it is possible to build a
system containing millions of lines of software (as evidenced by today’s large operating
systems), why is it so hard to make that software operate securely? The task of keeping one user
from getting to another user’s files seems simple enough—especially when the system is already
able to keep track of each user and each file
...
But how many
large operating systems are correct and bug-free? For all large systems, vendors must
periodically issue new releases, each containing thousands of lines of revised code, much of
which are bug fixes
...
The industry seems resigned
to the fact that systems will always have bugs
...


7

What is adequate for most functions, however, is not sufficient for security
...
But a single
security “hole” can render all of the system’s security controls worthless, especially if the bug is
discovered by a determined penetrator
...

As a result, securing a system has traditionally been a battle of wits: the penetrator tries to
find holes, and the designer tries to close them
...
Anyone entrusting
sensitive
...
If the information is valuable enough to a
penetrator to warrant the effort, there is little reason to assume that the penetrator will not
succeed
...
The important factor is not the
likelihood of a flaw (which is high), but the likelihood that a penetrator will find one (which we
hope is very low)
...

The key to achieving an acceptable degree of security is the systematic use of proper
techniques
...
At worst, they provide a false sense of security that renders the
users more susceptible than ever to the real threats
...
2 SECURITY IS AN AFTERTHOUGHT
Despite the publicity about computer security in the press, computer and software vendors have
rarely taken the trouble to incorporate meaningful security measures into their systems
...

It is unfair to fault vendors entirely for this lack of attention to security
...
Since few customers are willing to pay extra for security,
vendors have had little incentive to invest in extensive security enhancements
...
These customers include not only the government but some
banks, manufacturers, and universities
...
The most notable of these are CGA Software
Products Group’s TOP SECRET, Uccel Corporation’s ACF2, and IBM’s RACF, all for IBM’s MVS
operating system
...
These packages and enhancements are
commercially viable despite their significant purchase and administrative costs
...
These systems include DEC’s VMS and Honeywell’s Multics
(Organick 1972; Whitmore et al
...
Control Data has also incorporated security
enhancements into its NOS operating system
...
Gemini Computers offers the GEMSOS operating system, also based on a security
kernel (Schell, Tao, and Heckman 1985)
...
But the examples also show that demand is fairly weak
and can easily evaporate if the features should have an adverse impact on cost or any other
functions
...
3 SECURITY IS AN IMPEDIMENT
A common perception among users is that security is a nuisance
...

Vendors often implement security enhancements in response to specific customer demands
...
Vendors commonly adopt the attitude that a customer who
wants security badly enough should be willing to live with the inconvenience
...
Because
of inherent limitations in the system, fixing security problems often requires restrictive
procedural controls: limited access from remote terminals; restricted physical access to local
9

terminals
...
Many of these controls do not
substantially increase the security of the system, but they do foster the notion that security is
painful
...

2
...
Fads in the computer security area
can have a serious negative effect on the overall progress toward achieving good security,
because progress stops when people think they have the answer
...

One misconception (fortunately short-lived) involved data encryption; that is, encoding
information using a password or secret key so that it cannot be deciphered by unauthorized
individuals
...
Few of
the penetration techniques used by various “tiger teams” charged with finding security holes in
systems would be thwarted by encryption
...
Nonetheless, simplistic statements are still
occasionally encountered that claim that securing an operating system is unnecessary if all the
files are encrypted
...
2 discusses the legitimate role of encryption in communications
and the relationship of encryption to computer security
...
The idea is that you telephone a computer
from your home or office terminal and identify yourself (via a password) to the modem on the
remote computer through your terminal
...
The modem then looks up your home telephone number in a list,
and calls you back
...
Call-back devices are attractive
because they do not require any modification to the system being protected—a classic example
of add-on security
...
You may decide that it is never
necessary to change passwords or to enforce any control over the types of passwords people use
...
You may forget that half of your security problem is a matter of
keeping your users isolated from each other—not keeping outsiders out
...
Does your system have a connection to
a commercial network from which users can log in? Can you trust all other systems with which
your system communicates? If one of your users accesses your system via a modem on a
personal computer, how do you ensure that the personal computer has not been penetrated by an
outsider via that modem? Considering the problems that call-back modems cannot solve and
10

weighing the cost of these devices against simple measures such as better password control, it is
hard to see their value
...
Because passwords are so good at
controlling a user's access to the system, they are often used for other types of access control
access to certain applications in a system, access to certain files, or freedom to carry out certain
operations
...

But passwords are inappropriate for many of these applications, especially when a single
password is issued to several people (for access to a common file, for example
...
If a break-in by an insider occurs, it is impossible to tell who is at fault
...

Another misuse of passwords involves the requirement on some systems that the user at a
terminal reenter the password periodically—supposedly to ensure that the intended user and not
an intruder is at the terminal
...
First, repeated entry of
the password greatly increases the risk that someone will be looking over the user’s shoulder
when the password is entered
...
Section
6
...
1 lists additional ways in which passwords may be misused
...
The danger of using such ad hoc solutions to address isolated problems is
that one can lose sight of the fundamental problems
...
5 THE PROBLEM IS PEOPLE, NOT COMPUTERS
Many organizations believe that computer security technology is irrelevant to real-world
problems because nearly all recorded cases of computer abuse and fraud are non-technical
...
Hence, as long as relatively easy, non-technical ways exist to
commit a crime, technical controls will be viewed as superfluous
...
As we shall discuss in section 3
...
It is distressing, for example, to hear claims that attacks
by former employees represent personnel problems that the computer cannot solve, when the
system can easily be instrumented to defend itself against this threat
...


11

Consider, too, what will happen when procedural controls are strengthened to the point that
technical penetration becomes the path of least resistance
...

Probably because the computer industry is still in its infancy, sufficient knowledge of
computers to exploit technical flaws seems to be rare among the dishonest
...
) But as knowledge of computers becomes
more common, we cannot assume that only a few honest citizens will possess the requisite skills
to commit a major crime
...

One of the primary arguments that computers cannot prevent most cases of abuse is based on
the observation that computer crimes committed by insiders usually do not involve a violation of
internal security controls: the perpetrator simply misuses information to which he or she
normally has access during, the course of normal work responsibilities
...
But on closer
inspection, we often find that people routinely gain access to more information than they need,
either because the system’s security controls do not provide adequately fine-grained protection or
because implementing such protection within the architectural constraints of the system is too
inconvenient or costly
...
The technical solutions are not apparent because an
organization’s way of doing business is often influenced by the design (and limitations) of its
computer system
...
6 TECHNOLOGY IS OVERSOLD
There has long been the perception that true computer security can never be achieved in practice,
so any effort is doomed to failure
...

The reasons for the supposed failure of these developments are varied:
!
!
!

!

Programs originally intended for research have been wrongly criticized for not fulfilling
needs of production systems
...

Funding for the programs has been unpredictable, and requirements may change as the
programs are shuffled among agencies
...

Developments are often targeted to a specific model of computer or operating system,
and inconsistent levels of funding have stretched out programs to the point where the
original target system is technologically obsolete by the time the program is ready for
implementation
...

Vendors do not release such preliminary systems, postponing their “Version 1
...
Government
programs are highly visible, and any problems (even in early versions) tend to be viewed
by critics as inherent characteristics
...

Several large government procurements have specified the use of security technology that
was thought to be practical at the time but was in fact based on research still in the
laboratory
...
Industry
has understood for a long time that developing a new operating system involves far more
than a one-time expense to build it; rather, a high level of continuous support is required
over the life of the system
...

Not able to commit to open-ended support, the government has largely ceased direct
funding for secure operating system development, concentrating instead on specific
applications and various seed efforts
...


REFERENCES
Ashland, R
...
1985
...
” In Proceedings of the 8th
National Computer Security Conference, pp
...
Gaithersburg, Md
...

A description of mandatory controls proposed for Sperry (now Unisys) operating systems
...
; Lynch, K
...
1986
...
” In Proceedings of the 9th National Computer Security Conference, pp
...

Gaithersburg, Md
...

A description of the security enhancements offered by Digital Equipment to upgrade security
on its VMS operating system
...
J
...
“SCOMP: A Solution to the Multilevel Security Problem
...
Reprinted in Advances in Computer System Security, vol
...
R
...
185–92
...
: Artech House (1984
...

Organick, E
...
1972
...
Cambridge, Mass
...

A description of Multics—at that time implemented on a processor without hardwaresupported protection rings
...
R
...
F
...
1985
...
” In Proceedings of the 8th National Computer Security
Conference, pp
...
Gaithersburg, Md
...

A description of a security kernel for the Intel iAPX 286 microprocessor offered by Gemini
Computers
...
; Bensoussan, A
...
; Hunt, D
...
; and Stern, J
...
“Design for
Multics Security Enhancements
...
Hanscom AFB, Mass
...
(Also available through National Technical Information
Service, Springfield, Va
...
)
A description of the enhancements incorporated into Multics to support mandatory security
controls

---