Computer Fraud & Security Bulletin
August 1991
UIS security has released UIS-Patrol, which audits networks under the VAX/VMS environment for security holes, and generates appropriate DCL commands to fix them. A summary reporting feature is included which enables a system manager to review the system security status. Other features include checking of the operating system, file security, passwords, inappropriate access hour and types and general accounts. For more details contact Bill Osteraas on +1 617 861 6262.
COMMUNICATIONS SECURITY
Risk Analysis and Electronic Surveillance
Owen Lewis
Eloka Services, UK
There are particular risks to security in the electronic handling of information. Some of this risk results from natural phenomena associated with all electronic circuitry. Detail on the exploitation of these natural phenomena for the covert acquisition of information is not widely published, yet there is information in the public domain to warn of the serious risks that arise from them. The UK Government, through the Communications and Electronics Security Group, has briefed interested financial institutions on the nature of this security threat and allowed TEMPEST standard BTR 01/210 to be established. Last year, CFS gave coverage to some aspects of the risks of passive electronic surveillance in the August 1990 issue. This article categorizes the threats to information systems from electronic surveillance, offers a basic perspective with which threats may be gauged according to the value of the target information and concludes with a linked categorization of countermeasures.
An awkward threat
There are three main ways by which information can be abstracted by electronic surveillance. Firstly, equipment may be connected (tapped) directly into a legitimate communication channel. This is essentially what a hacker will do but with an important difference. Whereas a hacker must interact with the system to elicit information, an electronic eavesdropper passively collects all the communications passed in the channel(s) tapped into. Collation and analysis of the take may happen in near real time or may be performed later in a separate operation.
Secondly, where information is deliberately communicated through the ether, as with a wireless LAN or by wireless link between remote sites, it can be intercepted by an eavesdropper.
Thirdly, information is involuntarily radiated from all circuitry, including cables, through which it passes in electronic form. Unless measures are taken to prevent such an occurrence, this radiation allows the collection of information to be made without any connection to the target system, albeit at limited ranges. Dependent on a variety of factors, the receiving point may have to be within millimeters of the source or may perhaps be kilometers away. Even in a cypher protected system, plain text should be obtainable from the points at which information passes into or out of the system. Where collection has to be made close to the source, the take can be covertly retransmitted to a convenient point elsewhere in the premises or outside, using a ‘bug’.
Vulnerabilities of encryption
The prime means of protection against the first and second categories of threat is the encryption of information while it is in transmission. Not all cypher systems have the same strength and the real possibility of defeating a cryptographically protected system is worth noting.
©1991 Elsevier Science Publishers Ltd
Commercially available cypher systems start with the password encryption of data files offered in some major software packages. (N.B. password protection systems that only control application or file access, without encyphering the files, should not be considered as security measures but rather as limited means of privacy.) Files collected in password encrypted form can, using an appropriate software tool, be decrypted within minutes. This form of attack usually relies on establishing patterns of repetition in a sufficient sample of encyphered text. Accordingly, such a cypher cannot be considered a sufficient security measure in itself against a skilled attack.
At the other end of the commercial online cypher scale is the ANBS Data Encryption Standard (DES). Though approaching twenty years old, this system is still rated by the US Government as ‘munitions’ technology and its legal end-user supply is limited to financial institutions and other customers of similar standing in a restricted list of countries. This system relies for its protection on a 56 bit key. In a known plain text attack, the crypto analyst must try up to 2^56 key combinations to establish which one gives the known text. In 1977, Diffie and Hellman published an article calculating that with late seventies’ technology, it would be possible to construct a computer for $20 million that would exhaustively determine a DES key in 7.2 x 10^4 seconds (approximately 20 hours). Their claims were not disputed by the authors of DES who counter claimed, probably quite correctly at that time, that the level of difficulty (expense) in breaking DES would prevent DES from being the weakest link in a system’s security. Given the rate of development of computer technology and falling real costs, such a computer might now cost no more than $5 million. In any event, $20 million is not what it once was!
Where a good cypher system (e.g. DES) is used, the third category of electronic surveillance is particularly worrying. This form of attack may obtain an amount of plain text information from a single location - a significant security breach in itself. If that take is then used as known plain text to break out the DES key used across a large, possibly global, network, then the technical complexity and expense in obtaining information from many points in the target system is greatly reduced. The protection given by the cypher is grossly eroded.
Characteristics of electronic surveillance
Examination of precedent can be a useful yardstick in determination of resource allocation to diminish risk and it is often so used. For some risk (e.g. fire) there is a substantial body of evidence as to the statistical likelihood of occurrence and of the diminution or avoidance of loss achieved by known countermeasures.
This is not the case for electronic surveillance. Some techniques of electronic surveillance are undetectable and all, except the most primitive, should avoid detection other than by appropriate technical searches. Statistical studies of computer security failures report that the incidence of electronic surveillance is virtually nil. For information risk analysis, uncritical reliance on established precedent will be fatal. Unlike fire, detection of electronic surveillance is rare.
Electronic surveillance complicates risk analysis because of two particular features. Once the requisite surveillance means are deployed and a satisfactory system for collation, analysis and reporting is established, the flow of purloined information will continue for as long as desired or until a change in the targeted system invalidates some part of the surveillance. In such circumstances, every time valuable information is handled electronically it will be compromised. The haemorrhage of information is either completely undetectable or will not be detected by normal physical and software access controls, transaction accounting or systematic auditing.
A sensible balance
Comprehensive electronic surveillance requires a highly trained team, using expensive equipment, possibly working round the clock for
an indefinite period. The necessary difficulties and expense in mounting such a covert effort mean that great advantage must be expected for the outlay to be made worthwhile. However where no specific precautions are taken, information is available by the use of relatively simple techniques requiring only limited resources. Between these two extremes, as counter electronic surveillance measures are taken, the complexity and expense of a surveillance effort rises exponentially. Risk analysis requires establishment of the level of value that various types of information have, in terms of damage that could be caused by their compromise. These levels of damage need then to be assigned a monetary value. A logarithmically incremental scale, as used in Courtney analysis, is most useful because it avoids the need to attempt overly precise valuation. Some information is relatively easy to quantify in monetary terms directly, e.g. investment in an R&D project. Less easy to quantify might be the loss of confidentiality in a professional advisor’s sensitive dealings with his clients. However, in cases where no countermeasures have been implemented, there is a clear possibility of personal liability for top management who ignore unacceptable risk in the face of a body of evidence.
Electronic surveillance risk
Not all information needs protection from electronic surveillance. The following are suggested as basic ground rules. Firstly, all forms of information processing and transfer must be determined, as a failure of security in any one may invalidate security in the others. All means except manuscript transcription and the communication of information by the transportation of physical media, are susceptible to some application of electronic surveillance. Secondly if, through risk analysis, managers can identify a financial risk beyond that which their organization can prudently bear, then some countermeasures to electronic surveillance must be included in the overall protection package. As with any countermeasures, these may not aim to
eliminate all risk but rather to retain risk within acceptable limits. The following is offered as a basis for assessing electronic surveillance threat according to the determined value of target information:
Level 1. Where risk to be diminished is assessed at less than $300 000, then countermeasures to electronic surveillance are likely to form only a small part of the overall information security arrangements.
Level 2. Between a risk level of $300 000 and $30 million a comprehensive counter electronic surveillance plan should be developed as an integral part of the overall security architecture.
Level 3. At a risk level in excess of $30 million, a painstaking and thorough threat assessment and critical examination of countermeasures will be required. A potential target at this level would warrant a comprehensive, determined and long term information collection effort through electronic surveillance.
Level 4. Above the $300 million risk level, the security weaknesses in electronic hardware - including communications security devices themselves - need to be well understood and compensated. Also, the real level of security provided by commercially available cyphers needs careful assessment.
Countermeasures for risk diminution
The levels suggested are not definitive but allow the development of a reasoned approach by any concern considering its security of information.
Level 1. At this level the target should be too small to warrant permanent electronic surveillance. However, a target in this range may attract electronic surveillance from an adversary if valuable information can be gained in a short period. The main defences will be good physical and software access controls, defensive
installation layout and information handling procedures with limited technical checking (sweeping) for the operation of taps and bugs.
Level 2. Perhaps worth a limited long term surveillance or a large short term attack. A rider must be that the adversary would need either already to possess the means, both in terms of equipment and personnel, to carry out a large scale attack or be able to employ a contractor who can. Regular electronic sweeping should be instigated. The actual electromagnetic radiation profile of premises should be determined and defensive measures tailored accordingly. File encryption should be routine for all valuable information with consideration given to some selective encryption facilities for speech and fax transmission.
Level 3. An adversary might expect an excellent return for long term electronic surveillance. A formal information security policy must be formulated and specifically address all types of threat. A developed security plan will direct the execution of that policy. Detailed security instructions minute the plan’s implementation. A key part of the information security planning is the devolution of responsibility to staff posts not more than one or two levels above that nominated for implementation of specific measures. Classify documents (i.e. finite pieces of information) concerning high value/sensitive items. Handling of such information should be specifically restricted to identified staff posts and particular means of processing, storing and communication. At least part of these means should be TEMPEST protected and have good cryptographic protection.
Level 4. At this level of risk, it must be considered whether commercially available technical countermeasures to electronic surveillance are entirely adequate for the purpose envisaged by the user and, if they are not, how they can be made so. The subject organization’s interest may be best served by establishing its own team with facilities for design, testing and limited production of both software and hardware for some of its own needs.
©Eloka Services Limited 1991
SECURE SYSTEMS MANAGEMENT
Computer Crime vs. Internal Control Systems
Silvano Ongetta
Price Waterhouse, Milan, Italy
If the United States, a country which has always been in the forefront in the automation of productive processes, can be taken as an example of what happens in the area of computer crime, then we can only expect difficult times with respect to the security of data. We are fortunate, however, to be able to study the phenomenon, to learn from the negative experience of others and make preparations for an adequate defence. We have to act promptly because, even here in Italy, the problem of computer crime is assuming enormous proportions both in terms of economic loss and frequency. Each is no longer a case to be studied by a small group of specialists in the field of data security, but has also become a news item. The news media often openly reports computer crimes in abundant detail. I say this in jest, it looks as though the media is almost trying to promote its perpetration. Certain specialized computer magazines even carry a regular column on these crimes.
The problem is there and requires our attention, also because the issue is probably greater, since experts maintain that what becomes news is only the tip of the iceberg. Very often, in fact, the companies which have been damaged by computer frauds do not report what happened and prefer not to divulge the news. This is to avoid alarming their clientele and explicitly admitting that their data security system is not very reliable.