TNO Physics and Electronics Laboratory
INTERNET and INTRANET: INSECURITY INSIDE OUT

This article was published earlier in: HSA H.Silver and Associates (UK) Ltd., Information Warfare conference, London 13-14th, 1997

By: H.A.M. Luiijf M.Sc. Eng. (Delft)
TNO Physics and Electronics Laboratory
P.O. Box 96864, 2509 JG Den Haag, The Netherlands

Internet technology is rapidly being deployed, both in non-military and military environments. The reason for the latter is that the current military environment is driven by cost reduction on the one hand and by trying to obtain an information advantage over opposing forces on the other. New commercial-off-the-shelf (COTS) products and open-standard Internet technologies are being introduced into daily military operations, especially in the peacekeeping arena.
A new Internet technology hype is the intranet, where Internet technologies are applied to internal information networks.

Information security, both in military and non-military environments, can sometimes be of utmost importance. The Internet environment is known for many information security threats. This paper discusses the main security issues in connecting infrastructures to open networks, the myths of firewalls, and the lessons that can be learned from earlier security breaches, all from the viewpoint of Information Defence.

Keywords: hacking, hackers, Internet, Intranet, information defence, information security, information warfare, firewall, COTS, PABX, telephone infrastructure

Introduction

From the viewpoint of Information Defense the objective of this paper is to scare you about the insecurity of systems and networks that use Internet technologies. On the other hand, as soon as one understands the security issues and uses the technology in a well-balanced secure way, these (relatively new) wonderful technologies can be applied to increase the speed of information dissemination and intelligence gathering. From the view of Information Warfare (IW) these technologies help in obtaining an information advantage over opposing forces. Particularly during peacekeeping operations this might help to prevent escalation of conflicts.

Background

The TNO Physics and Electronics Laboratory (TNO-FEL) is part of the Netherlands organization for Defence Research TNO, which is the main R&D organization for the Netherlands Ministry of Defence.

Seventy years ago, the predecessor of the TNO-FEL was established by the Netherlands Government to investigate "lethal beams".
The current research areas of TNO-FEL with 500 employees are: Operations Research and Business Management, Command & Control and Simulation, Telecommunications and Defence Electronics, and Observation Systems.

With respect to Information Warfare and Information Defence, TNO-FEL has many years of experience on the various subtopics of the broad Information Warfare and Defence arena.
Recently, we started a co-ordinated programme on information (warfare and) defence, bringing together all our expertise, which includes: command and control, electronic warfare and electronic defence, information security (among others firewall security, PABX security, threat and vulnerability analysis, evaluation criteria), infrastructure hardening, simulation, and the information infrastructure aspects of emergency management in the Netherlands.

Internet security

Internet is daily news. More and more commercial, industry and public organizations are connecting information servers to the Internet. A majority of the advertisements nowadays contain a World Wide Web address ("http://www.some-thing"). This despite the fact that the World Wide Web technology is only a few years old.

Intranets and Extranets

Intranet, the application of Internet technologies in the internal information network of an organization is a hype. Launched as a marketing slogan two years ago, organizations nowadays are scrambling to install an intranet. Even advertisements offering intranet installation services can be found in business magazines.

As intranet is a marketing invention, there are many definitions for the term "intranet". The term "extranet", the intranet extended to cooperative forces or friendly customer relations, makes the confusion even worse. The easiest way to clarify the confusion is to split the information services based upon Internet technologies from the networking infrastructure. In the following, the organization's own network infrastructure in the broadest extent, including mobile and telephone communications, will be regarded as being part of the intranet.


In the intranet development curve we distinguish three levels of intranets: Basic Intranets (LAN connectivity of workstations with Email and WWW applications), Enhanced Intranets (multimedia information services and simple transactions, with WWW pages generated from an underlying database) and Advanced Intranets (complex transaction processing and organization-critical processes). The first enhanced intranets are currently being installed; advanced intranets are expected around the year 2000.

Internet security and firewalls

"The only secure information system is the one that is turned off, locked in a safe and buried 5 meters down in a secret location… and I am not confident of that either"

Information security management is about taking calculated risks. Bad things (might) happen! (ref: Murphy's law). Management means finding the balance between usability and information advantage on the one hand and the risk that a security threat becomes reality on the other. Note that "information security" encompasses not only the (military) confidentiality aspects, but also integrity and availability.

Organizations look like fools when newspapers report that hackers have intruded their systems. Firewalls are sold by salespeople as the remedy for this hacker problem. How is it possible that systems of large, sensitive organizations like the US Air Force, Universal Studios, the Polish Government, Coca-Cola and ministries of several countries were hacked? Most of these organizations were "protected" by firewalls. Why did these firewalls fail?

Salespeople sell firewalls as the ultimate technical solution for connecting an organization in a secure manner to public networks. Anyone should be able to find "his jewels" on the Internet, shouldn't he? The model used is that the organization should look like a castle protected by high walls, surrounded by a deep moat, with a single entrance over a well-protected drawbridge: the firewall.
The function of the firewall is to be a single point of control that allows or rejects information flows ("services") to and from the organization, based on their direction and type. There are several different firewall architectures. Prices range from US$ 8,000 up to US$ 250,000. This does not include many hours of consultancy or one's own hours of toil, sweat and tears.

Most of the time, the salesperson neglects to tell the IT-management that firewalls will solve only a small part of the security problem.

  • To most organizations it is unclear which organization interests need to be protected. Neither a security policy nor a security plan exists.
  • Firewall installation and maintenance require much toil and extensive technical knowledge. The staff configuring the firewall must have in-depth knowledge of all communication protocols which are (partially) allowed to pass through, as well as rudimentary knowledge of all other protocols that need to be rejected.
  • Firewalls are applications that use the network layer software supported by the operating system. Both the firewall software and the network services/operating system contain bugs and "features" that allow hackers to bypass the firewall easily.
  • Most firewalls cannot protect you against all side effects of viruses, trojan horses and active code (Java, Javascript, ActiveX) hidden in electronic mail, net news and WWW pages. They are not designed for that. For example, attachments of an Email might contain macro-viruses. The new Netscape Communicator supports the construction of Email messages in the form of web pages. Active code, e.g. Java or Javascript, may be included and passes the firewall unhindered.
  • Daily, new possibilities and applications appear on the Internet. Users explore these applications long before the firewall security manager becomes aware of them. Firewalls are doomed to lag behind the new risks that these new possibilities bring.
  • Programming errors in the web client, e.g. in the Netscape browser or Microsoft's Internet Explorer, allow others to extract files from your PC or internal network while you are browsing. Firewalls cannot protect you against these situations.
  • Web clients can bring down information services by triggering software errors in web servers. Even Microsoft's own information servers went down recently.
  • Active daily management of firewalls is a necessity. The staff responsible for the maintenance of the firewall need to keep up to date with new technical developments, hacking threats and computer incident response messages. These need to be classified and, if necessary, result in preventive actions. Knowledge about a security hole in an operating system or network service found by hackers spreads around the globe in seconds.
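The firewall role described above, a single point of control that allows or rejects a flow on direction and service alone, is easy to misjudge without seeing it work. The following is an added illustration written for this edition, not code from the paper or from TNO-FEL or any firewall vendor: a minimal policy-driven packet filter with default deny, run over constructed sample flows. Its rule table, field names and the HTML-formatted mail message are all made up for the example. It also makes the caveat from the list above concrete: an allowed mail flow carrying active content is accepted, because a direction/service filter never looks inside the payload.

```python
"""Minimal policy-driven packet filter (added illustration, constructed data)."""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Flow:
    """One connection attempt as the filter sees it (hypothetical fields)."""
    direction: str          # "in": from the public network; "out": from the organization
    proto: str              # "tcp" or "udp"
    dst_port: int
    payload: bytes = b""    # application data; a packet filter does not inspect it


@dataclass(frozen=True)
class Rule:
    direction: str
    proto: str
    dst_port: Optional[int]  # None matches any destination port
    action: str              # "allow" or "reject"
    comment: str


# Constructed policy for an imaginary organization: web and mail outward,
# mail inward to the relay, interactive logins from outside refused explicitly.
POLICY: List[Rule] = [
    Rule("out", "tcp", 80, "allow", "users browse the World Wide Web"),
    Rule("out", "tcp", 25, "allow", "outgoing electronic mail"),
    Rule("in", "tcp", 25, "allow", "incoming mail to the organization's relay"),
    Rule("in", "tcp", 23, "reject", "interactive logins from outside are refused"),
]


def first_match(flow: Flow, policy: List[Rule]) -> Optional[Rule]:
    """Return the first rule whose direction, protocol and port match, if any."""
    for rule in policy:
        if (rule.direction == flow.direction
                and rule.proto == flow.proto
                and rule.dst_port in (None, flow.dst_port)):
            return rule
    return None


def decide(flow: Flow, policy: List[Rule] = POLICY) -> str:
    """Single point of control: an explicit rule wins, otherwise reject (default deny)."""
    rule = first_match(flow, policy)
    return rule.action if rule is not None else "reject"


def carries_active_content(payload: bytes) -> bool:
    """Crude application-level check for embedded script or applet tags.

    A direction/service filter never runs a check like this; it is here only
    to make visible what travels inside an allowed flow.
    """
    lowered = payload.lower()
    return b"<script" in lowered or b"<applet" in lowered


def audit(flows: List[Flow], policy: List[Rule] = POLICY) -> List[Tuple[str, str, str]]:
    """Decide every flow and flag allowed flows whose content the filter cannot judge."""
    report = []
    for flow in flows:
        verdict = decide(flow, policy)
        note = ""
        if verdict == "allow" and carries_active_content(flow.payload):
            note = "passes the firewall unhindered: active content inside an allowed service"
        report.append((f"{flow.direction} {flow.proto}/{flow.dst_port}", verdict, note))
    return report


# Constructed sample traffic, including an HTML-formatted mail with a script tag.
HTML_MAIL = (b"Subject: newsletter\r\nContent-Type: text/html\r\n\r\n"
             b"<html><body><script>/* active content */</script></body></html>")

SAMPLE_FLOWS = [
    Flow("out", "tcp", 80),                    # allowed: web browsing
    Flow("in", "tcp", 80),                     # rejected: no rule for inbound web
    Flow("in", "tcp", 23),                     # rejected explicitly
    Flow("in", "udp", 53),                     # rejected by default deny
    Flow("in", "tcp", 25, payload=HTML_MAIL),  # allowed; content unseen by the filter
]

if __name__ == "__main__":
    for service, verdict, note in audit(SAMPLE_FLOWS):
        print(f"{service:12} {verdict:7} {note}")
```

Two design points carry the paper's argument: the fall-through in `decide` is the default deny that makes the firewall a real single point of control (an inbound web request is rejected although outbound web is allowed, because direction is part of the match), and `audit` shows that the same engine has no opinion about the HTML mail it lets through. Whoever writes such a rule table must know every allowed protocol well enough to foresee what can ride inside it.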

Internal threats

Research studies by the UK National Computer Centre (NCC), the American Society for Industrial Security (ASIS) and the Computer Security Institute (CSI; in close cooperation with the FBI) show that only 20% of security incidents are caused by hackers and other threats from outside the organization. The other 80% of incidents originate within the castle walls of the organization. Thus, when coupling the internal network to a public network, firewalls give protection against less than 20% of the incidents. "Of course, this happens only in other organizations and not in mine", many managers wrongly thought before.

The stern reality of Internet security

Every IT-manager should now be aware of the security threats by hackers and other risks when connecting systems to the Internet, especially if it concerns sensitive organizations. Nevertheless, the security measures taken to protect these connections turn out to be very inadequate.

A security study by the US Defense Information Systems Agency involving over 38,000 Defense systems showed that two-thirds of the systems could be entered in an unauthorized way. Only 1 out of 150 system managers reported a breach of security. The US Government Accountancy Office (GAO) estimates that hackers "knock on the door" of these systems over 250,000 times per year.

Dan Farmer, one of the authors of SATAN, used SATAN to politely scan the security of a selection of web sites. Roughly one-third of the sensitive web sites showed large security weaknesses, meaning that one could get unauthorized access within 12 seconds (typing 2 to 3 commands). This is shown in the table under "red". Another third of the web sites could be broken into by more experienced hackers ("yellow" indicator). Interestingly enough, a random selection of web sites showed a far better security level. A full report can be found at http://www.trouble.org.

Web site type       Number of web sites   % vulnerable   % yellow   % red
Banks                               660          68.3%      32.7%   35.6%
Credit companies                    274          51.1%      30.7%   20.4%
Government                           47          61.7%      23.4%   38.3%
Papers                              312          69.6%      30.8%   38.8%
Sex clubs etc.                      451          66.1%      40.6%   25.5%
Total sensitive                    1734          64.9%      33.9%   31.1%
Control group                       469          33.5%      15.8%   17.3%

Almost weekly, new examples of hacked systems of sensitive organizations are reported in the news media. Some examples this year: "Department of Misjustice" (US Department of Justice), "Central Stupidity Agency" (CIA), a lively sex movie on the US Air Force home page, "The death squad home page" (the Los Angeles Police Department), "Hackpospolita Polska, Centrum Disinformacyjne" (the information web site of the Polish government), "a smoking ET" (Amnesty International), and at the Universal Studios web site the "Lost World" logo with dinosaur was replaced by a "Duck World" logo.
On September 12th the Coca-Cola company found the statement "You'll begin to look what you drink, to look into your Big Mac… and then you'll begin to understand that you are sheeps." on their home page. On October 31st, Microsoft Office'97 pages were replaced by a "Halloween" page. On average, 40 hacked web sites per month are reported by the hack 'stamp collector' www.hacked.net. Password files of many sites, including those of over 200 Dutch systems, were found on a system in Italy.
These are the latest hacks, but surely not the last ones. They concern organizations that should know better. The question to you is: how secure are your systems and networks?

By the way, a study by Carnegie Mellon University showed that the average probability of a system being involved in an Internet security incident is once per 15 years. However, for highly sensitive military and government sites the odds are far worse, especially now that hackers are equipped with automated tools.

Intranet and extranet security

The stern reality above shows a different picture from the ideal picture of a castle well protected by a (firewall) drawbridge. And in case you have a well-managed, up-to-date, secured firewall, why would hackers use that path when backdoors to your stronghold are wide open? Long ago, the same concept was used by the Greeks delivering a horse statue (with unexpected content) to the Trojans. Why use the difficult way, when organizations open gates for insecure access [4]?

Intranet, the network infrastructure of the organization in the broadest sense, reaches far beyond the "castle walls":

  • Managers (including high-ranking officers) take laptops home and dock them at their office desk.
  • Users, especially managers, read their Email via a (GSM) telephone-modem connection, often against the security policy.
  • (Unsecured) teleworking.
  • Fax servers coupled to internal networks by people bypassing the security department.
  • Computer-telephony integration (CTI).
  • Video-teleconferencing.
  • Voice mail and Email boxes being listened to/read at distant locations via insecure lines.
  • Floppy disks that come and go.
  • Remotely maintained systems and PABXes.
  • Etcetera.
A new trend in society is that the working force is becoming more loosely connected to organizations. In the year 2015 it is expected that 25% of the people work at home, being hired to do tasks for multiple organizations.

All these new developments and trends result in a vague border between the outside and the inside of an organization. In future, this will be even more questionable. All these backdoors undermine the security model of the single firewall access to and from the organization.


Figure 2: fuzzy borders of the organization. The firewall "green lawn" seems to have a sign "keep off the grass"; it might be in use as one of the many connectivity means.

The intranet and extranet developments are a hype. Looking at the insecurity of Internet connections as discussed before, and at the way organizations couple their internal networks to the outside world, one can conclude that intranets are entered left, right, at the back and at the front by users. To remind you: about 80% of all security incidents take place in the organization, or better said, in the intranets.

Apart from the classical information technology security incidents, intranets and extranets are vulnerable to the following:

  • Management pays no attention to information security; security is not a topic "intra" their ears.
  • No threat and vulnerability analysis takes place. This causes security measures to become unrelated, like loose sand. As can be expected from Murphy's Law, the most vulnerable weak spots will not be covered by security measures.
  • No preventive security measures will be taken at all.
  • In case of a computer emergency, no incident response team exists to take immediate and effective action.
  • Intranet and extranet services intend to make it easier for the users within the organization to access information for doing their work more effectively. Users should become familiar with the wealth of information, so why bother them with security? That users, hired people and unauthorized people have access to the organization's strategic and tactical information (the "jewels") is overlooked. Reducing authorizations afterwards is a hell of a job, as users claim that they need the information sources for their job. As the intranet is not built upon an information model, it is hard to refuse those authorizations.
  • Intranet technology looks so new that organizations bypass their own IT department, as it is slow (discussing security and responsibilities). They hire an external company to build the intranet. Security will be implemented in one of the last phases (if there is some money left).
  • Developers claim that intranet technology requires dynamic code, such as Java or ActiveX. Unfortunately, the combination of active code for the intranet and user access to the Internet is deadly for the security of the intranet.
  • Network and system maintenance staff responsible for the technical information and the daily management are already overloaded. Security, most of the time, has the lowest priority, let alone that the system managers have time to learn and understand the security issues of these technologies.
  • Users install modem cards in their office systems, giving them access from home or via GSM telephone to their Email. That hackers scan all phone numbers of the organization for backdoor modem accesses is overlooked.

The telephone intranet and extranet

A word or two on the telephone infrastructure of companies. As mentioned before, we regard the PABX and its services as part of the company's intranet. In many cases, the telephone infrastructure even extends across multiple departments in several buildings and/or cities. Most of the time, the maintenance of the telephone infrastructure and switch (PABX) is the responsibility of the technical maintenance department within organisations. The major change from complete hardware switches to fully computerised switches with many options went unnoticed by management. The fact that information security threats and vulnerabilities now also apply to the telephone system has gone unnoticed as well. Does your organisation control who, and how many people, know the access to the remote maintenance entrance of your telephone exchange? Do you apply the same strict password mechanisms to the PABX as you apply to the access of your company systems via open networks? Is the call redirection service of your PABX secured against misuse by inside and outside people (e.g. the international *21 service to a private phone)?

Conclusion: "Do you know a better way to bring your sensitive information to the outside world than by using intranets?"

The sooner you realize all these aspects and risks, the sooner you can start with the only way out: "integral information security".

The Solution

Are local networks (intranets) so insecure that one should not use these technologies? Should users refrain from connecting to the Internet? Are there no secure solutions?
As stated earlier, information security management is managing risks. Risks can only be managed by:
  • Developing a security policy.
  • Developing a threat and vulnerability analysis and, based upon that, a realistic, well-balanced security plan.
  • Coaching the users to a higher level of security awareness.
  • Proper (labour-intensive) management of firewalls and an open eye for backdoor entrances to the organization.

A good start is to work inside out from the network. Look at all communication possibilities with the organization, both through the eyes of users and through the eyes of hackers. Then you are able to estimate the risks the organization takes. Firewalls, guards and other technical means are not the ultimate solution. One needs them as a (small) piece of the total security shield.

The technical aspect of information security is relatively small. Organization, procedures, education and security awareness require the utmost exertion, but their pay-off is the highest.

Secure use of Internet and intranet technologies is very valuable for both military and commercial organizations; it might give you an information advantage. But be sure that you have good first and second line defences against the world of mostly internal (and some external) security threats and vulnerabilities.

Literature:

  1. An Analysis of Security Incidents On the Internet 1989-1995; John D. Howard; April 7, 1997. http://www.cert.org/research/JHThesis/ or http://www.info-sec.com/internet/howard/
  2. Who's reading your Email, Richard Behar, Fortune February 3, 1997, pp 29-36
  3. Information security web links maintained by the author: /instit/fel/intern/wkinfsec.html
  4. Information security web links maintained by the author: /instit/fel/intern/wkinfsec.html
  5. Information Warfare and Information Defence web links maintained by the author: /instit/fel/intern/wkinfdef.html
  6. A collection of collected hacked webpages as well as a registration of hacks: http://www.hacked.net


Information: Luiijf@fel.tno.nl