Network Security, February 1997
Managing Network Security - Part 3: Network Security as a Control Issue

Fred Cohen

Over the last few years computing has changed to an almost purely networked environment, but the technical aspects of information protection have not kept up. As a result, the success of information security programmes has increasingly become a function of our ability to make prudent management decisions about organizational activities. Managing Network Security takes a management view of protection and seeks to reconcile the need for security with the limitations of technology.

How organizations succeed

Organizations do not run themselves. They are run by top-level managers whose job it is to exercise controls so as to bring about success. Like a truck travelling down a highway, the boss uses powers of observation and technological aids to view how things are going, understand the situation, and make adjustments to keep things going in the right direction. The better the view, understanding, and controls, the better the boss will be able to control the organization, and the better (we hope) the organization will operate.

Now comes the information age. The very nature of the way we work is changing, and over a period of only a few years, the value of the elements of our organizations has shifted. In the industrial age, inventory, manufacturing and available cash were the major elements with financial value that management had to control. But as the information age came, more and more of the value of organizations moved into information assets. As Jim Schweitzer so clearly observes in his wonderful book Protecting Business Information:

The information value represented in business operations and product and strategy plans and reports, which include technical, financial and operational data, is probably equal to the value of the company less the value of physical assets... (That is) the selling price of plants and equipment.

Consider management control over information assets relative to financial assets. Chances are, top management knows the financial details quite well. They can not only tell you how much they have, but where it comes from, where it
goes, and how they are certain of these facts. The reason they can do this is that if they are doing their job well, they exercise effective control over financial assets. The same is probably true of physical assets. Top management knows where the plants are, how much inventory is in place, and they have at least a general idea of how materials move through the organization, where they come from and where they go to. Odds are, most of the top management has even visited most of the large plants at one time or another, been given a tour, and talked to the key managers.

But if you ask similar questions about information assets, chances are that top management doesn't even know where to begin to answer. What is the value of our information? Where is it stored and how is it moved around? Where does it come from and where does it go? How do we ensure that it is what and where we think it is? Have they ever been given a tour of the corporate network, seen what goes where, been told about the components involved? If management can't answer these questions at the same level of detail as they can for financial or physical assets, it means that the information assets are out of control, and that means that they are unable to guide the organization as effectively as they could if those assets were under control.

There is one saving grace in any new age. The competition is probably just as out of control of their information assets as you are. Just like the beginning of the industrial age, management today has the reins of a romping bull, and it will take some time before control is regained. But providence favours those who get there first.

©1997 Elsevier Science Ltd
Getting control

Getting control over your information assets is essentially an information security effort. It involves getting a handle on the value of information, classifying it, marking it, and making decisions about how to handle it. It includes knowing and controlling what information goes where and when, providing appropriate levels of assurance about the integrity, availability and confidentiality of information, and creating control processes to allow management at all levels to manipulate, examine and understand the information environment. All of these functions have been and continue to be at the heart of information security.

But the changes in the overall work environment resulting from the increased use of information technology are closely tied to the way computer networks allowed the control to be localized, in many cases directly to the desktop. While central computers under the tight control of data processing shops were relatively easy to control, the distribution of computation has made central control a thing of the past. The nature of the information environment has changed, making it harder and more complex to control, and increasing the burden on management to find new ways of guiding their organizations.

One of the most common methods used to deal with the distribution of information processing is to delegate control through data ownership. In the ownership model of distributed computing, information and
technology are owned by the people who create and use it. This works very well for solving the problem of micro-managing a widely distributed network. But it also introduces some difficult challenges.
In many cases, the data owners don't know how to carry out many of their ownership responsibilities, in large part because they haven't been properly trained in the control issues, and aided by inadequate coordination. To address the coordination challenge, many organizations introduce centralized network coordination people. An organizational E-mail expert might be tasked with making sure E-mail works properly. The centralized E-mail expert then coordinates with local experts within each of the sub-organizations, who in turn coordinate with even more local experts. This forms an E-mail virtual organization (we'll call it a vorg for now) consisting of a body of people, most of them working part-time on the E-mail issues. The same technique is used to manage network address assignment and connectivity, to solve telephonic communication problems and so on.

Most data owners can decide that they want E-mail or Microsoft mail, and the mail vorg can probably implement the interface. Few data owners can make prudent decisions about the value of their information assets to the overall organization, how it should be classified, what system of marking to use, how to effectively control access, and the hundreds of other similar decisions required in order to have an effective asset control programme.

It all sounds great until you realise that the information protection function needed to ensure control crosses all of these boundaries. Unlike E-mail, information protection cannot be learned by a skilled programmer in a few weeks at a few seminars and managed part-time along with payroll programming. The function of ensuring overall organizational control is tougher than that. Most people who are effective at information protection have many years of experience in the field. Those who have achieved certifications have roughly the equivalent of two master's degrees' worth of graduate-level courses in the field and five years of professional experience, and like other types of professionals, require ongoing professional education to stay up-to-date.
The E-mail vorg can't make security decisions alone because these decisions require coordination with the telecommunications vorg and the personnel vorg, and so on. In order to properly control this interwoven collection of vorgs within the larger organization, we need - you've got it - another vorg.
The infosec vorg

The infosec virtual organization has the unusual challenge of crossing both the data ownership organizations and the technical vorgs. Few, if any, other vorgs face this challenge, and it can be daunting indeed. That's why proper internal support and structure is required.

In my experience with large organizations, I find that it is sometimes useful to use a chess analogy to discuss the organizational issues involved in creating such a vorg. I talk about kings and queens as being too high in the organization to be involved with infosec at an operational level, and pawns as being too far down the ladder to have a substantial impact. It's usually the knights, bishops, and rooks that make things happen.

In a large organization, there are many knights and bishops. They are typically top-level technical people with responsibilities over systems, networks, technical support of business functions and so on. While these are the people that make most of the technical decisions and get much of the most critical work done, they typically cannot cross organizations very easily and almost never have enough power to overcome objections or decisions of local bishops and knights within another part of the organization. The bishops and knights with technical interest, knowledge and responsibility for information protection normally form the technical core of the infosec vorg, but they are normally only effective when supported by a rook.

In most large organizations there are relatively few rooks. They are typically at least one level above the top technical people on the organization chart and are rarely more than three levels below the CEO. They usually have titles with words like director or corporate vice president in them. They are almost never the chief information officer, the chief scientist, or the head of internal audit, but they typically have the ear of these people when they wish to be heard. The reason you need a rook to champion the infosec vorg is that this is the only way to prevent local knights and bishops within other vorgs or data owner areas from over-riding
all infosec decisions.
When a rook is involved, it usually takes another rook to counter them. Since there are relatively few rooks, they tend to know each other, and they tend to work together regularly. To strictly over-rule a rook requires a king or a queen, so in practice, they are rarely over-ruled, and over-ruling them involves substantial risk for the person who interrupts the busy king or queen to settle what they will perceive as a local dispute.

Having said all these good things about rooks, there are a few cautions. In choosing a rook to champion the infosec vorg, it is vital to select someone who is secure in their job, has the respect of most or all of the other rooks, and has some interest in information protection. These conditions prevent having the rug pulled out from under the infosec vorg whenever a dispute arises or the company is undergoing what has euphemistically come to be called rightsizing.

Ideally, the infosec vorg is championed by a top-level information protection expert hired for the specific function of information protection. If your organization has taken this enlightened approach, the rook will be calling the bishops and knights together to form the vorg or more likely already has. If you have had an effective vorg for a long enough time, the rook has either become that top-level information protection person, one has been hired, or one of the people in the vorg who works for or closely with the rook has become the de facto expert.

So the infosec vorg normally consists of a few bishops and knights who concentrate on information protection issues most often from corporate headquarters and/or a few of the larger divisions, a rook at headquarters who champions the cause and ultimately heads up corporate infosec, a set of other knights and bishops co-opted part-time from data owner organizations, and at least one representative from each of the vorgs that participate in implementing infosec-related decisions.
How the infosec vorg operates

In normal operation, the infosec vorg meets about quarterly to discuss large-scale issues, remain in touch, and coordinate changes in large-scale structure. These meetings usually also include exchanges of information such as new techniques being put in place and new requirements and new systems coming online. As part of the meeting, expertise with particular products, technologies and techniques is exchanged, new contact points are provided, and long-term progress is made. New people are also introduced to the group on an ongoing basis, an occasional celebrity visit from the rook is made, and on rare occasions, the CIO or a newly appointed company official may show up. In some more advanced infosec vorgs there may even be a long-term outside infosec consultant and a special-topic speaker at meetings.

Members of the vorg commonly communicate regarding areas of overlap. For example, the infosec vorg member who is also in the E-mail vorg will likely have regular communications with the telecommunications vorg member, and they will likely coordinate communications security issues related to E-mail on an ongoing basis, calling on other infosec vorg members when
needed. Similarly, vorg members will likely be on many project teams and act as day-to-day points of contact between the infosec vorg and the project team. In emergency conditions, such as a case where a widespread incident occurs within the company, many or most of the infosec vorg members may get involved in real-time.

The rook who underwrites the infosec vorg will either head up the vorg personally or be kept up-to-date by one or more vorg members on a periodic basis, may request written reports and cost justifications from time to time, and may handle budgeting for the vorg if it becomes a sufficiently formal vorg within the company. The rook will also periodically call on vorg members to clarify matters, help settle disputes and perform other vorg-related activities. On some occasions, the rook may also want to use the vorg for visibility or provide the vorg with visibility.
Summary

The movement toward a highly distributed environment has been reflected in a highly distributed management control process. This management process often consists of virtual organizations (vorgs). Infosec vorgs rule by consensus, good will, moral persuasion and strategic placement and planning. They derive their power from momentum, the weight of their aggregate force within the organization, and the strength of their champion. Infosec vorgs provide management with control by providing an ability to effect large-scale changes, providing an ability to collect and aggregate information from the entire organization, and providing expertise to analyse and make prudent decisions based on that information.

Internet - Virusnet?

Dr David Aubrey-Jones
Reflex Magnetics Ltd

The Internet phenomenon is well known, and its growth in the last two years has been staggering. Everyone, it seems, is dashing headlong to embrace the Internet and any benefits it might offer, afraid of being left behind. Even Microsoft failed to anticipate the full extent of the Internet's growth, and is now engaged in frenzied activity to correct this. Today many appear to believe that most computer viruses are spread from the Internet, and a number of Hollywood movies have done nothing to lessen this idea. However, is this really true, and what are the real threats that we face?

The Internet worm

At 6 pm on 2 November 1988 an incident occurred for which most computer experts were totally unprepared. A program was released on to the Arpanet which within a few hours had crippled the Internet, at that time mainly restricted to government, research and universities. Operators all over the USA noticed that their computers were slowing down and having their resources monopolised. The MIT Artificial Intelligence Lab, the Rand Corporation in Santa Monica, the University of California, the Department of Defense computer network, the Lawrence Livermore National Lab, the University of Maryland, the NASA Ames Laboratory, the Los Alamos National Laboratory in New Mexico and the MIT Media Laboratory in Massachusetts were just some of the sites hit.

At first it was thought that a hacker was at work, but later that fateful night the horrible truth was revealed. It was a program, a virus. It was realised in the early hours of the morning that the virus was being spread by electronic mail, and the immediate solution appeared to be to sever all mail connections. This action then made it more difficult for separate sites to cooperate and pool their expertise to fight the virus. It was after 5 am before any real solution was found, and interim methods were then issued that would halt the virus. Later when the virus was fully analysed it was discovered with relief that the sole aim of the virus was to propagate. The great fear, that it carried a destructive payload, was unfounded. It was at first estimated that over 6000 computers on the Internet had been infected and the clean-up costs could be as high as $186 million. A post mortem later revised the figure to about 2000 computers at a total cost nearer $1 million, dramatically lower.