Computer Fraud & Security Bulletin
November 1991

use trusted NFS sockets to ensure that data transferred across the networks retain all security attributes. For more details phone: +1 508 493 5111. Sun Microsystems has replied with the launch of the SunOS CMW (Compartmented Mode Workstation) operating system, which was also designed to meet B1 security standards and is currently under evaluation. Unfortunately, at time of going to press, further details on this system were not available. For further information phone: +1 415 968 6292.

In the database market Informix claims to have beaten Oracle in the race to demonstrate a Unix version of its secure relational database system. The software has been designed according to the US 'Lavender Book' specifications for secure databases and is currently under US evaluation, as is its Oracle rival. Ingres, meanwhile, has opted for evaluation of its database product under the European ITSEC standards.

Siemens Nixdorf's SecTOS secure operating system is also under evaluation under ITSEC, at the E2/FC2 functionality and assurance levels, and is believed to be the first operating system product specifically designed to meet the new standards. Increased protection is provided through enhanced identification and authentication mechanisms, fine-grained access control, and accounting and audit procedures. For more information contact Paula Schmidt on +44 (0)344 862222.

The Nippon Telegraph and Telephone Corporation has now closed its somewhat underpublicized two-year challenge to cryptanalysts to break its FEAL-8 cryptosystem. The challenge was apparently set up after an analyst claimed that the system "could be broken on a PC in two minutes". It seems that no-one came forward to enter the competition, despite a prize of ¥1 000 000 (about $7500), and the delighted corporation has now closed the competition. The absence of entrants should not be read as evidence of the cipher's strength: statistical and differential cryptanalyses of FEAL-8 had already been published by Gilbert and Chassé (1990) and by Biham and Shamir (1991). For further comment, or details of FEAL-8, contact Yoshimasa Hashimoto on +81 (0)3 3509 3101.

COMPUTER SECURITY
Threat assessment and risk analysis
Martin Smith MBE

A computer security policy must be based above all else on a sound and accurate assessment of the threats against the computer system and its host organization, together with a proper and sensible analysis of the risks. There is no simple way to avoid this initial effort, and the quality of all subsequent work depends on it.

Introduction

An old navigator sat next to the young, brash pilot straight from flying school. "Two degrees to starboard", instructed the navigator to keep them on course. "We don't need to fly that accurately", replied the pilot. "We can sort ourselves out nearer our destination."

After a few moments, the navigator said, "Now give me twelve degrees to starboard."

The old navigator sucked on his pencil again. He was naturally reluctant to trust anyone. He did not intend to trust this man. "OK. Give me ten degrees to port." Now the pilot was happy. He could see the point of such a major change of course, and he could manage it. The plane banked gracefully onto the new heading.

The morals to my story are as follows. Firstly, always believe those older and wiser than yourself; they are probably right. Next, old age and cunning will always overcome youth and enthusiasm. But most importantly, wherever you are going, your heading must be as spot on as you can make it, and the old nav knew this. He had got lost on many trips before.
Those human activities we call everyday life must also be run on the correct heading. Any slight deviation from course will eventually become a massive diversion from which it will not always be possible to recover and which could leave us totally lost. Preparing a security policy to protect electronic data is no different. The policy must set out on the correct heading if it is to stand any chance of success, and to do that it must be based on the secure foundation of an accurate assessment of the threats and a proper and sensible analysis of the risks. Unless there is such a firm base for subsequent plans, the security of that asset can never be satisfactorily assured.

The importance of computer security

The new information technology methods allow the storage, retrieval, manipulation and dissemination of vast amounts of data. With increasing networking between systems the capacity to interchange information is now almost limitless. But we must not allow ourselves to be blinded by the apparent infallibility of this panacea; the more of our operations we entrust to its insatiable grasp, the greater our predicament if that technology fails us in any way. The need for sound computer security has never been greater, and it is growing all the time. Whilst there is no room for complacency, encouragingly there seems to be a growing recognition of at least the need to care for electronic data within computer systems. A recent MORI poll for Securicor showed clearly that the greatest worry to senior managers was indeed the security of their computer data. Nearly half of those questioned recognized the fundamental part that computer systems now play in the running of their businesses, and accepted the need for computer security. Worryingly, though, of those who expressed their concern in the poll, most were in general quite satisfied with existing measures to control the risks. This is in spite of a host of reports, surveys and investigations over a number of years by a variety of learned and independent
authorities which have highlighted the deplorable state of computer security standards in industry and commerce today. Whilst some store has been placed in the technical aspects of the solution - TEMPEST, software and hardware security, encryption, virus vaccines - and while stereotyped but scant attention is sometimes paid to disaster recovery, there remains a long way to go before the standards of computer security can be thought of as acceptable. The management issues remain largely unaddressed, and little thought seems to have been given to the issues that lie ahead.

There is, then, a dichotomy between perception and reality. On the one hand business managers are rightly worried about the safety and security of their computing facilities. At the same time, though, they are doing little to defend themselves and seem content that all is well in the garden. This epidemic of complacency is in itself perhaps the greatest danger of all to computers.

It is likely that many of those asked in the survey are unaware of the true extent of the risks to computers. The threats against, and the weaknesses and vulnerabilities of, computers are many and varied and often far from obvious. Breaches of security are far more prevalent than commonly realized, and disasters are not infrequent. But only recently have these received wider publicity, and then only when the victims have been prepared to disclose their misfortunes. The nature and extent of the dangers are thus, mostly, shielded from public view. Other managers will be computer-illiterate and ignorant of the real consequences to the well-being of their organizations following any loss, corruption or unavailability of their electronic data, for whatever reason. Some will sincerely but foolishly believe that it 'will never happen to them', and others will simply bury their heads in the sand. A great number will be unaware of the proper countermeasures, or will have been frightened into believing that the only remedies will be expensive, or highly technical, or both. Sadly, few will recognize the true dangers and take adequate steps to counter the risks.
It is quite without parallel that otherwise cautious and competent managers will have recognized a huge business risk but then failed to take sensible and adequate precautions, yet this is what is happening with computer security today.

What is risk?

Risk is the result of threats, weaknesses and vulnerabilities. The risk to the safety and security of a particular computer system's electronic data is made up of these three elements. Risk can be reduced. Our efforts to reduce that risk are what we call computer security.

Over the years, however, the demarcation lines between the various forms of information technology - mainframes, PCs, telephones, facsimiles, video, audio - have become blurred. Our task in securing each type is thus made even more difficult.

The Threats to Computers

Those menaces which threaten any computer system can be grouped into two main types - deliberate, or unintended.

(1) Unintended Threats. Unintended threats to computer systems include natural hazards and accidents:

(a) Equipment Malfunction. Computer systems are intricate and delicate. There will always be mechanical and electrical faults to plague computer operations. The worst of these are the simple, intermittent ones that are not immediately apparent and are difficult both to trace and to repair. Often, the damage to data and operations will have occurred before the fault is revealed.

(b) Human Error. Operator and programmer errors represent the greatest threat to the smooth operation of any computer system. They are inevitable and are caused by carelessness, lack of training, excessive enthusiasm and misunderstanding. There is usually no criminal intent or maliciousness. It is simply, as Murphy's Law says, that if something can be done wrong, it will be. O'Reilly's Law says that Murphy was an optimist!

(c) Software Bugs. Software will always include errors. The more involved the software, the greater the chance of error. Software testing, no matter how thorough, will never be able to eradicate errors; all one can hope to do is reduce their number and consequences.

(d) Utility Failures. Utilities - electricity, water (for air conditioning), communications links, disposables such as stationery - usually depend on the reliability of third-party suppliers, and may be the subject of unavoidable interruptions.

(e) Natural Hazards. Fire, water, smoke, insects and vermin, earthquakes, hurricanes, electrical storms and a host of other 'Acts of God' can each threaten computer systems.

(2) Deliberate Threats. Information, and the ability to store, process and communicate it, are essential corporate assets. There are those who, for a variety of motives, will wish either to obtain unauthorized access to your information, or to alter it, or to deprive you of it. Information technology represents an effective source of information, and thus an attractive target for those intent on mischief.

(a) Industrial Espionage. Possession of a rival's information is invaluable. Industrial espionage applied to the computing environment can produce rich, usually undetected, pickings.
(b) Disenchanted and Dishonest Employees. The greatest threat to any computer system is not from sophisticated attacks mounted from without, but from low-tech insider crimes committed by disenchanted employees; those with an eye to the main chance are the next greatest threat to the safety and security of any computer system. They may be after the fast buck, or they may simply be acting out grievances or frustrations. They may, indeed, be acting on behalf of some third party denied authorized access to the system. There is no doubt, though, from all the surveys and case histories over recent years, that insiders, defined as those with authorized access to the computer system, are by far the most likely to attack that system and are able to inflict the greatest damage. As we give increasing computing power to the more computer-literate user, using PCs in the relaxed atmosphere of the modern office, with software tools that enable those users to construct with relative ease their own tailor-made programs, the equivalent of which would have taken a team many months to develop, we must not be surprised if they get tempted.

(c) Vandals and Hooligans. The modern vandal can create havoc and cause untold damage without recourse to the stick or the stone. Viruses, and vindictive hacking, are but two examples of computer vandalism. Again, though, the insider intent on such vandalism will be able to cause the greatest damage.
(d) The Criminal. Computer crime is big business, even though accurate estimates of the totals involved are difficult to come by. Computer crime can produce massive profits with little chance of detection, and then the possibilities of either successful prosecution or significant punishment are slim. It still represents the 'perfect crime', and the trend must be towards computer crime and away from the more direct robberies which involve a greater degree of risk to the criminals themselves. There is also a glamour associated with computer crime - nobody really gets hurt, and the computer deserves it! - which works in favour of the computer criminals. Remember, too, that the criminal will be more highly motivated than the defender, and will probably invest more money in attacking than any organization will invest in defending.

The Weaknesses and Vulnerabilities of Computers

Computers display inherent weaknesses and vulnerabilities. Compared to data held in traditional form such as paper files, computer data is relatively transient and fragile. It is more likely to be lost, or corrupted, or rendered inaccessible, than that same information held on paper, and the very characteristics of computers place that same data at greater risk.
(1) Data is invisible. One can see the written word, and one can check and inspect paper records. Data held on magnetic tape or disk, or stored and processed within a computer system or network, cannot be seen and is therefore much more difficult to trace and account for. But perhaps more significantly, because we cannot see, or feel, or kick electronic data, the real risk to it, and hence to business, is still not being grasped by senior management, computer staffs, security specialists, the legal profession, the police or the insurance industry.
(2) Data is accessible. Privacy is more difficult to maintain over electronic data. Paper files can be physically controlled, but despite the claims of those who support the infallibility of software security, it is perhaps safer to assume that data held on a computer system is available to all those with authorized, or even unauthorized, access to that system. Access to computer files can even be from remote terminals, and networking is burgeoning. The controls over the unauthorized acquisition of paper documents are easier to enforce and much more reliable.
(3) Data can be stored in very compact form. Paper files are bulky; the loss or destruction of a paper file will result in the loss of a much smaller volume of data than the loss or destruction of a floppy disk, or tape, which could contain the equivalent of many thousands of paper documents. It is relatively easy to dump electronic files onto magnetic media and remove them from the premises; imagine doing the same with a paper registry.

(4) Data can leak. Although often overstated, there is a definite possibility that electronic data can be detected from a distance by the inadvertent emission of electromagnetic radiation. The TEMPEST effect could lead to compromise, but the effort of capturing, and the risk of detection, would restrict this attack to only the most sensitive or valuable data. Paper files, on the other hand, just sit there.

(5) Data can be inadvertently retained on storage media. It is possible that data can be retained on magnetic media, and surreptitiously recovered at a later date, rather as pencil marks can be read on paper even after careful erasure. Even more dangerous, though, is the incomplete overwrite of magnetic media, with whole portions of data remaining even though users believe they have removed it. Paper is only used once, and then easily destroyed in a shredder.

(6) Data can be aggregated. A collection of data is often more valuable than its component parts. Paper documents may contain the same information as that held within a computer system, but the computer can hold so much more, and then collate and manipulate it so much more easily. A collection of innocuous paper files, if held together on a computer system, can quickly become much more valuable.
(7) Technological Advancements. Information technology is racing ahead. Seemingly each day new products appear, conceptual breakthroughs are announced, and gadgets become cleverer and smaller. At the same time, though, the unsexy subject of computer security is finding it hard even to hold its own ground. Like the hare and the tortoise, the gap between them grows greater with each passing minute. Since the hare in this example is unlikely to wait for the tortoise to catch up, and with computer security still seeking support and recognition, we have to accept that the gap will continue to increase between those security standards we would wish for, and those we have to settle for. There will thus be a general vulnerability we can do little about.

(8) Networking. As systems become increasingly networked and data is rapidly interchanged between sites, or even organizations, control over the privacy of that data becomes much more difficult, and can even become impossible unless strict measures and procedures are enforced. Custody of paper files is much easier to control.
(9) System Integration. Allied to networking is the increasing trend towards system integration, such as the Integrated Services Digital Network (ISDN) with many different types of information on a single communications channel. Other developments such as Smart Cards and Electronic Point of Sale (EPOS) will also mix different sorts of data on a common 'system'. Sensitive or valuable data requires adequate protection wherever and however it is stored or processed, but it is increasingly possible that such data will be as accessible as the less sensitive data with which it is held. It is important to raise overall security to the highest necessary standard (System High), and not let it fall to the lowest possible level (human nature!).

(10) Distributed Data Processing. As we move away from the mainframe environment, with its centralized computing function housed in secure conditions and tended with loving care by professional IT personnel, to the PC on the desk in the office looked after by someone with a 2-day MS-DOS course behind them, the dangers to data increase alarmingly. Many of the security features required by mainframes are at least just as necessary - perhaps more so - on PCs, which nowadays could hold considerably more data and have greater manipulative powers over that data than did the mainframe of only a decade ago. At the same time, there has been a growth in computer literacy amongst the workforce of most organizations - those with a little knowledge but sufficient to make a real mess of things, alongside those with enough knowledge to subvert those systems for a variety of dishonest reasons.

(11) The mystique of computers. That said, the computer is still, to the majority of us and certainly amongst the senior generations that still run industry and commerce today, a complete mystery. Those to whom we entrust computers are often able to operate unsupervised by their bosses, and the opportunity for corrupt practices to abound is proportionately greater.

(12) Security Standards. Despite much talk, there are still no common standards for either computer security practices or products. Until such standards appear and are universally accepted and enforced, it will never be possible to achieve satisfactory levels of computer security.

Thus, with the threats against computers together with their weaknesses and vulnerabilities, there is considerable danger to our electronic data. At the same time, there is a dangerous gap between the standards of computer security required to counter these dangers, and the standards currently being achieved in industry, commerce and Government throughout the world.
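Item (5) above turns on a point worth making concrete: an ordinary 'delete' removes only the directory entry, and a later file that reuses the freed space overwrites only as many bytes as it is long, so the remainder of the old record stays on the medium until every block it occupied has been overwritten in full. The following toy block-storage model is an added example written for this page, not code from the original article; the disk layout, the directory, the file names 'ledger.txt' and 'memo.txt' and the account record are all constructed for illustration.

```python
"""Toy block-storage model of data remanence.

Added example for this page, not code from the original article.  Everything
is hypothetical: a medium of fixed-size blocks, a directory mapping names to
block lists, and a delete that, like most real file systems, only drops the
directory entry.  The account record below is constructed for the demo.
"""

BLOCK_SIZE = 16


class ToyDisk:
    """A flat byte medium divided into fixed-size blocks, plus a directory."""

    def __init__(self, blocks: int) -> None:
        self.medium = bytearray(BLOCK_SIZE * blocks)
        self.free = list(range(blocks))            # lowest free block first
        self.directory: dict[str, list[int]] = {}

    def write(self, name: str, data: bytes) -> None:
        """Allocate whole blocks and copy the data in.

        Only len(data) bytes are written: the unused tail of the last block
        (its 'slack') keeps whatever was on the medium before.
        """
        needed = -(-len(data) // BLOCK_SIZE)       # ceiling division
        if needed > len(self.free):
            raise OSError("disk full")
        blocks = [self.free.pop(0) for _ in range(needed)]
        for i, b in enumerate(blocks):
            chunk = data[i * BLOCK_SIZE:(i + 1) * BLOCK_SIZE]
            start = b * BLOCK_SIZE
            self.medium[start:start + len(chunk)] = chunk
        self.directory[name] = blocks

    def delete(self, name: str) -> None:
        """Ordinary delete: forget the name, free the blocks, touch no data."""
        self.free = sorted(self.free + self.directory.pop(name))

    def secure_delete(self, name: str) -> None:
        """Overwrite every block the file occupied, slack included, then free it."""
        for b in self.directory[name]:
            start = b * BLOCK_SIZE
            self.medium[start:start + BLOCK_SIZE] = bytes(BLOCK_SIZE)
        self.delete(name)

    def carve(self, needle: bytes) -> bool:
        """What an examiner does: ignore the directory and scan the raw medium."""
        return needle in bytes(self.medium)


# Constructed sample record: 43 bytes, so it fills three blocks with 5 bytes of slack.
SECRET = b"ACCOUNT 4711: transfer GBP 250000 to Zurich"
SECRET_TAIL = b"transfer GBP 250000 to Zurich"


def residue_after_ordinary_delete() -> bool:
    """True: the whole record survives an ordinary delete."""
    disk = ToyDisk(blocks=8)
    disk.write("ledger.txt", SECRET)
    disk.delete("ledger.txt")
    return disk.carve(SECRET)


def residue_after_short_overwrite() -> tuple[bool, bool]:
    """A shorter file reusing the freed blocks overwrites only its own bytes.

    Returns (whole record recoverable, tail of the record recoverable).
    """
    disk = ToyDisk(blocks=8)
    disk.write("ledger.txt", SECRET)
    disk.delete("ledger.txt")
    disk.write("memo.txt", b"ok")             # lands in the first freed block
    return disk.carve(SECRET), disk.carve(SECRET_TAIL)


def residue_after_secure_delete() -> bool:
    """False: a whole-block overwrite before release leaves nothing to carve."""
    disk = ToyDisk(blocks=8)
    disk.write("ledger.txt", SECRET)
    disk.secure_delete("ledger.txt")
    return disk.carve(SECRET) or disk.carve(SECRET_TAIL)


if __name__ == "__main__":
    print("after ordinary delete, record recoverable:", residue_after_ordinary_delete())
    print("after short overwrite (whole, tail):", residue_after_short_overwrite())
    print("after secure delete, anything recoverable:", residue_after_secure_delete())
```

Running the script shows the record still carvable after a plain delete, its tail surviving a shorter overwrite, and nothing surviving a whole-block overwrite. Real media add caveats the model does not capture: wear-levelled flash may remap a block rather than overwrite it in place, and file-system journals and backups can hold further copies, so overwriting the file's own blocks is a necessary, not a sufficient, step.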
What is risk analysis?

Computer security involves reducing the risk to our electronic data. We must find ways of protecting the confidentiality, integrity and availability of that data from the threats, weaknesses and vulnerabilities ranged against it.
But what exactly are those threats, weaknesses and vulnerabilities for a particular system? I have described the range of risks to computers in general, but every organization is unique, and changing all the time. Indeed, every computer is different. There will be those systems essential to operations or those holding highly sensitive data, whilst other systems will be of relatively lesser import. There will be those to which access is strictly limited to a few trusted workers, and those open to all, including outsiders. The relevance of a computer system may change with time, or depend on whichever role it is performing. Thus for each system at a given location at a given time performing a given function, the overall threat to the electronic data will differ, and the countermeasures need to be tailored accordingly if we are to achieve efficient, adequate security at the most effective cost. To do otherwise is to be on the incorrect heading.

And so, in order to determine the appropriate defence, we need to analyse the risk to a given computer system. And every time, since each system, each organization, is unique. This is fundamental if the solution is to be correct. The needs and plans of any dynamic organization will naturally change with time, and the security policy must adapt accordingly. Any risk analysis and associated defence must be able to accommodate such changes, but this is not to detract from the importance of original accuracy.

Risk analysis is an art, not a science. It is a finger in the wind, a feel for events. It uses intuition and luck. It depends on a deep and comprehensive study of the organization concerned, its aims, its morals, its direction and its history. It depends, too, on a thorough understanding not only of the risks to computers but also the risks to the organization. It requires a knowledge of the available defence, and thus a background in security methodology is useful, perhaps more so than computing skills.

Risk analysis is best performed standing back a distance - to see the wood, not just the trees. Some say it is best performed by an outsider, but perhaps only those intimate with an organization can best assess its vulnerabilities and needs. A team may be the answer, with outside expertise advising and guiding the organization's management staff. Risk analysis is not just about computers. It is as much, perhaps more, about the people who surround them. Such people are less predictable than a piece of hardware, which complicates the task in hand. There have been many attempts to produce objective methods of risk analysis and some of these are marvellous tools to assist. There can be no substitute, however, for subjective judgement, experience and common sense. There must always be a place for the hunch, the feeling in the water, the sense of unease and the inkling of foreboding. But set against these is needed a sense of proportion, the wealth of experience and the store of knowledge that only comes from informed judgement. There will be inherent strengths of an organization as well as weaknesses, and these all need to be balanced to conclude an appropriate level of risk, and a proper perspective. It may be that some risks can be displaced (insurance), or removed, or avoided, or even accepted. But at least those decisions will have been made with the best facts available, and in relation to that system, in that place, at that time, working within the restraints and confines of that organization.

The risk analyst can best be likened to the medical practitioner. Our doctors sometimes call us forward for regular checks, but more often we go to see them when we feel or suspect a problem. The doctor will talk to us, study our history and lifestyle, and perhaps apply some standard tests before making a diagnosis based on experience and observations. The doctor will recommend a treatment and monitor our progress back to health.

I wish I could describe a foolproof and standardized method of risk analysis. If I knew such a method, I could make a fortune. But I do not believe such a method truly exists. There are techniques which can be adopted to assist in the process, but ultimately it comes down to the skill of the practitioner. Those skills are not easily learned, nor are they easily taught. But a good risk analyst will know when he or she has a workable method, and it is likely that method will be unique to that person. It is unlikely, however, to be quick or easy. Good risk analysis requires careful consideration of all the pressures on, and resources offered by, the organization in question, and will begin at the fence and end at the source code of the operating system. It may even start further out, in the organization's sphere of influence, to include rivals and peers in the same business.

All I can say, though, is that I have my own method. It involves much talking, and even more listening. It requires me to draw on my experience in the field of security, incorporating all facets of security. I need to understand the organization concerned, and I must have sufficient knowledge of information technology in all its guises to draw on the greater knowledge of the organization's own staff about their system. In harness with the 'home team', together we need to explore the wealth of experience and knowledge we are able to pool. In most cases, the resident staff themselves have all the answers, but may not be able to crystallize them into a cogent assessment of the risk. That will naturally fall out from what is, in effect, an investigation, a diagnosis, a review. The simple act of thinking will usually produce the answers, and it is important that effort is willingly and conscientiously applied, and the time is set aside.

With the business pressures we all feel in the modern market place, it is inevitable that security falls to the bottom of the list. There is no measure of successful security other than that nothing untoward has happened. Thus, management is often loath to commit resources to such an intangible, and even less likely to continue an expensive effort. We are often willing to drive more carefully only after a traffic accident, and then only until the memory dims. We are none of us keen before the event, only afterwards when it might be too late. Only after the event do the dangers become clear, and only then may the extra effort follow. This is the continuing conundrum of security - which comes first, the precautions or the cure?

The role of the computer industry is to ensure that our clients take steps to prevent disaster rather than have to respond with a cure. Since security is a form of insurance, it does not contribute directly to, but instead (at least in the short term) takes from, the profits of the organization. We need to convince senior management of the need for appropriate defence against the risks to the computing function, and this will include illustrations of the consequences to the organization should system security be breached in any way. But a major part must be to explain those risks, and suggest a suitable policy of defence to counter them. Risk analysis will allow us to do this. Thus risk analysis is fundamental to corporate computer security, wherever in the story you choose to start.

I finish with my original assertion: a computer security policy must be based above all else on a sound and accurate assessment of the threats against the computer system and its host organization, together with a proper and sensible analysis of the risks. There is no simple way to avoid this initial effort, and the quality of all subsequent work depends on it.
EC DATA PRIVACY LEGISLATION
The view from France
Ariane Mole

The French Data Protection Authority, the Commission Nationale de l'Informatique et des Libertés (CNIL), welcomes the European Communities' initiative of a draft directive on data protection, to harmonize the use of information of a personal nature within the Community, and thus ensure the free flow of data. Indeed, the different levels of data protection in the Community are a threat to privacy as well as a potential obstacle to the development of the Community's data processing industry: the differences between the various countries underline the need for a mandatory text.

The draft establishes principles such as fairness, relevancy, accuracy, the right to deletion, the principle of augmented protection for the computerization of sensitive data, the individual right of access and correction, the principle of security, and finally, the principle of providing a right of appeal and penalties in the event those provisions are violated. Such rules constitute the foundation of any existing data protection law. Moreover, the draft directive covers "every situation in which the processing of personal data involves risk to the data subject." It covers both the public and private sectors, and automated as well as manual files. The CNIL strongly supports such an extensive scope. Indeed, the most sensitive data are often stored in non-computerized files, and were they not to be included, there would be substantial opportunity for the principles to be ignored. Often, the computer systems point to manual records. Therefore, the CNIL approves the text in principle. But it also fears the damage that might be done to data protection if the draft were adopted in its present form. The draft appears to be far too concerned with economic considerations, and lacking in foresight given the on-going nature of technological innovation. The level of safeguards which it affords private life is also lower than that currently available in France since the data protection act of 6 January 1978 ('loi relative à l'informatique, aux fichiers et aux libertés', the law on information technology, files and liberties). Basically, the following points raise concern: the need for transparency, the technology challenge, the risk of data matching, the cost of security, and the rules organizing the transfer of data to third countries.