This article was published earlier in: HSA H. Silver and Associates (UK)
Ltd., Information Warfare conference, London 13-14th, 1997
By: H.A.M. Luiijf
M.Sc. Eng. (Delft)
TNO Physics and Electronics Laboratory
P.O. Box 96864, 2509 JG Den Haag, The Netherlands
Internet technology is rapidly being deployed, both in non-military
and military environments. The reason for the latter is that the
current military environment is driven by cost reduction on the one
hand and by trying to obtain an information advantage over opposing forces
on the other. New commercial-off-the-shelf (COTS) products and
open-standard Internet technologies are introduced into daily
military operations, especially in the peacekeeping arena.
A new Internet technology hype is the intranet, where Internet technologies
are applied to internal information networks.
Information security, both in military and non-military environments,
can sometimes be of utmost importance. The Internet environment
is known for many information security threats. This paper discusses
the main security issues in connecting infrastructures to open networks,
the myths of firewalls, and which lessons can be learned from earlier
security breaches, all from the viewpoint of Information Defense.
Keywords: hacking, hackers, Internet, Intranet, information defence,
information security, information warfare, firewall, COTS, PABX,
telephone infrastructure
Introduction
From the viewpoint of Information Defense the objective of this paper
is to scare you about the insecurity of systems and networks that
use Internet technologies. On the other hand, as soon as one understands
the security issues and uses the technology in a well-balanced secure
way, these (relatively new) wonderful technologies can be applied
to increase the speed of information dissemination and intelligence
gathering. From the view of Information Warfare (IW) these technologies
help in obtaining an information advantage over opposing forces. Particularly
during peacekeeping operations this might help to prevent escalation
of conflicts.
Background
The TNO Physics and Electronics Laboratory (TNO-FEL)
is part of the Netherlands organization for Defence
Research TNO, which is the main R&D organization for the Netherlands
Ministry of Defence.
Seventy years ago, the predecessor of the TNO-FEL was established
by the Netherlands Government to investigate "lethal
beams".
The current research areas of TNO-FEL with 500 employees are: Operations
Research and Business Management, Command
& Control and Simulation, Telecommunications
and Defence Electronics, and Observation
Systems.
With respect to Information
Warfare and Information Defence, TNO-FEL has many years of experience
on the various subtopics of the broad Information Warfare and Defence
arena.
Recently, we started a co-ordinated program on information (warfare
and) defence, bringing together all our expertise, which includes:
command and control, electronic warfare and electronic defence,
information security (among others firewall security, PABX security,
threat and vulnerability analysis, evaluation criteria), infrastructure
hardening, simulation, and the information infrastructure aspects of
emergency management in the Netherlands.
Internet security
Internet is daily news. More and more commercial, industry and public
organizations are connecting information servers to the Internet.
A majority of the advertisements nowadays contain a World Wide Web
address ("http://www.some-thing"). This despite the fact that the
World Wide Web technology is only a few years old.
Intranets and Extranets
Intranet, the application of Internet technologies in the internal
information network of an organization is a hype. Launched as a marketing
slogan two years ago, organizations nowadays are scrambling to install
an intranet. Even advertisements offering intranet installation services
can be found in business magazines.
As intranet is a marketing invention, there are many definitions
for the term "intranet". The term "extranet", the intranet extended
to cooperative forces or friendly customer relations, makes the
confusion even worse. The easiest way to clarify the confusion is
to split the information services based upon Internet technologies
from the networking infrastructure. In the following, the organization's
own network infrastructure in the broadest extent, including mobile
and telephone communications, will be regarded as being part of
the intranet.
In the intranet development curve we distinguish three levels
of intranets: Basic Intranets (LAN connectivity of workstations
with Email and WWW applications), Enhanced Intranets (multimedia
information services and simple transactions, WWW pages generated
from an underlying database) and Advanced Intranets (complex
transaction processing and organization-critical processes). The
first enhanced intranets are currently being installed; advanced
intranets are expected around the year 2000.
Internet security and firewalls
"The only secure information system is the one
that is turned off, locked in a safe and buried 5 meters down in a
secret location… and I am not confident of that either"
Information security management is about taking calculated risks.
Bad things (might) happen! (ref: Murphy's law). Management is finding
the balance between usability and information advantage on the one hand
and the risk that a security threat becomes reality on the other
hand. Note that "information security" encompasses not only the
(military) confidentiality aspects, but also integrity and availability.
Organizations look like fools when newspapers report that hackers
have intruded their systems. Firewalls are sold by salespeople as
the remedy for this hacker problem. How is it possible, then, that
systems of large, sensitive organizations like the US
Air Force, Universal Studios, the Polish
Government, Coca-Cola and ministries of several countries were
hacked? Most of these organizations were "protected" by firewalls.
Why did these firewalls fail?
Salespeople sell firewalls as the ultimate technical solution to
connect an organization in a secure manner to public networks. Anyone
should be able to find "his jewels" on the Internet, isn't it?
The model used is that the organization should look like a castle
protected by high walls, surrounded by a deep castle-moat, with a single
entrance over a well-protected drawbridge: the firewall.
The function of the firewall is a single point of control for allowing
or rejecting direction and type of information flows ("services")
to and from the organization. There are several different firewall
architectures. Prices range from US$ 8.000 up to US$ 250.000. This
does not include many hours of consultancy or own hours of toil,
sweat and tears.
Most of the time, the salesperson neglects to tell the IT-management
that firewalls will solve only a small part
of the security problem.
- To most organizations it is unclear which organization interests
need to be protected. Neither a security policy nor a security
plan exists.
- Firewall installation and maintenance requires much toil and
extensive technical knowledge. The staff configuring the firewall
must have in-depth knowledge of all communication protocols which
are (partially) allowed to pass through, as well as rudimentary
knowledge of all other protocols that need to be rejected.
- Firewalls are applications that use the network layer software
supported by the operating system. Both the firewall software
and the network services/operating system contain bugs and "features"
that allow hackers to bypass the firewall easily.
- Most firewalls cannot protect you against all side effects
of viruses, trojan horses and active code (Java, Javascript, ActiveX)
hidden in electronic mail, net news and WWW pages. They are not
designed for that. For example, attachments of an Email might
contain macro-viruses. The new Netscape Communicator supports
the construction of Email messages in the form of web pages. Active
code, e.g. Java or Javascript, may be included and passes the firewall
unhindered.
- Daily, new possibilities and applications appear on the Internet.
Users explore these applications long before the firewall security
managers become aware of them. Firewalls are doomed to lag behind
the new risks that these new possibilities bring.
- Programming errors in the web client, e.g. in the Netscape
browser or Microsoft's Internet Explorer, allow others to extract
files from your PC or internal network during your browsing. Firewalls
cannot protect you against these situations.
- Web clients can bring down information services by triggering
software errors in web servers. Even Microsoft's own information
servers went down recently.
- Active daily management of firewalls is a necessity. The staff
responsible for the maintenance of the firewall need to keep up to date
with new technical developments, hacking threats and computer
incident response messages. These need to be classified and, if
necessary, result in preventive actions. The knowledge about a
security hole in an operating system or network service found
by hackers spreads around the globe in seconds.
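As an added illustration of the mail point in the list above (this is example code, not from the paper): a content-level check that a mail gateway behind the firewall could apply. It parses a constructed MIME message (the sample message, tag list and extension list are assumptions) and flags HTML parts carrying active code and attachments of types that may carry macro viruses, exactly the content a port-level firewall forwards unhindered.

```python
import email
import os
from email import policy
from email.message import EmailMessage
from html.parser import HTMLParser

# HTML elements that carry active code; a firewall passing SMTP on port 25
# never inspects this level (the paper's point).
ACTIVE_TAGS = {"script", "applet", "object", "embed"}
# Attachment extensions that may carry Word/Excel macro viruses (assumed list).
MACRO_EXTENSIONS = {".doc", ".dot", ".xls", ".xlt"}


class ActiveCodeScanner(HTMLParser):
    """Collect active-code elements, javascript: URLs and on* event handlers."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag in ACTIVE_TAGS:
            self.findings.append(f"<{tag}> element")
        for name, value in attrs:
            if name.startswith("on"):
                self.findings.append(f"{name}= event handler on <{tag}>")
            elif value and value.strip().lower().startswith("javascript:"):
                self.findings.append(f"javascript: URL on <{tag}>")


def inspect_message(raw: bytes) -> list[str]:
    """Return findings for one raw RFC 822 message; empty list means clean."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.walk():
        if part.is_multipart():          # containers carry no content themselves
            continue
        filename = part.get_filename() or ""
        if os.path.splitext(filename)[1].lower() in MACRO_EXTENSIONS:
            findings.append(f"attachment {filename}: possible macro-virus carrier")
        if part.get_content_type() == "text/html":
            scanner = ActiveCodeScanner()
            scanner.feed(part.get_content())
            findings.extend(f"HTML part: {f}" for f in scanner.findings)
    return findings


def build_sample() -> bytes:
    """Constructed sample: HTML body with an applet and an event handler,
    plus a fake .doc attachment. Addresses and content are made up."""
    m = EmailMessage()
    m["From"] = "sender@example.org"
    m["To"] = "user@example.net"
    m["Subject"] = "quarterly figures"
    m.set_content("Please see the attached report.")
    m.add_alternative(
        '<html><body><p onmouseover="alert(1)">hi</p>'
        '<applet code="Evil.class"></applet></body></html>',
        subtype="html")
    m.add_attachment(b"\xd0\xcf\x11\xe0 constructed fake document",
                     maintype="application", subtype="msword",
                     filename="report.doc")
    return m.as_bytes()


if __name__ == "__main__":
    for finding in inspect_message(build_sample()):
        print(finding)
```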
Internal threats
Research studies by the UK National Computer Centre (NCC),
the American Society for Industrial Security (ASIS) and the Computer
Security Institute (CSI; in close
cooperation with the FBI) show that only 20% of the security incidents
are caused by hackers and threats from outside an organization.
The other 80% of the incidents originate within the castle
walls of the organization. Thus firewalls give protection against
less than 20% of the incidents when coupling the internal network
to a public network. Of course, this happens only in other organizations
and not in my organization, many managers wrongfully thought before.
The stern reality of Internet security
Every IT-manager should now be aware of the security threats by hackers
and other risks when connecting systems to the Internet, especially
if it concerns sensitive organizations. Nevertheless, the security
measures taken to protect these connections turn out to be very inadequate.
A security study by the US Defense Information Systems Agency involving
over 38.000 Defense systems showed that one could enter two-thirds
of the systems in an unauthorized way. Only 1 out of 150 system
managers reported a breach of security. The US Government Accountancy
Office (GAO) estimates for these systems that hackers "knock on
the door" over 250.000 times per year.
Dan Farmer, one of the authors of SATAN, used SATAN to politely
scan the security of a selection of web sites. Roughly one-third
of the sensitive web sites showed large security weaknesses, meaning
that one could get unauthorized access within 12 seconds (typing
2 to 3 commands). This is shown in the table under "red". Another
third of the web sites could be broken into by more experienced
hackers ("yellow indicator"). Interestingly enough, a random selection
of web sites showed far better security level. A full report can
be found at http://www.trouble.org.
Web site type     | Number of web sites | %vulnerable | %yellow | %red
Banks             |         660         |    68.3%    |  32.7%  | 35.6%
Credit companies  |         274         |    51.1%    |  30.7%  | 20.4%
Government        |          47         |    61.7%    |  23.4%  | 38.3%
Papers            |         312         |    69.6%    |  30.8%  | 38.8%
Sex clubs etc.    |         451         |    66.1%    |  40.6%  | 25.5%
Total sensitive   |        1734         |    64.9%    |  33.9%  | 31.1%
Control group     |         469         |    33.5%    |  15.8%  | 17.3%
Almost weekly, new examples of hacked systems of sensitive organizations
are reported in the news media. Some examples this year: "Department
of Misjustice" (US Department of Justice), "Central Stupidity Agency"
(CIA), a lively sex movie on the US Air Force home page, "The death
squad home page" (the Los Angeles Police Department), "Hackpospolita
Polska, Centrum Disinformacyjne" (the information web site of the
Polish government), "a smoking ET" (Amnesty International) and, at
the Universal Studios web site, the "Lost World" logo with dinosaur
replaced by a "Duck World" logo.
On September 12th the Coca-Cola company found the statement "You'll
begin to look what you drink, to look into your Big Mac… and then
you'll begin to understand that you are sheeps." on their home page.
On October 31st, Microsoft Office'97 pages were replaced by a "Halloween"
page. On average, 40 hacked websites per month are reported by the
hack 'stamp collector' www.hacked.net.
Password files of many sites, including those of over 200 Dutch
systems were found on a system in Italy.
These are the latest hacks, but surely not the last ones. They concern
organizations that should know better. The question to you is: how
secure are your systems and networks?
By the way, a study
by Carnegie Mellon University showed that the average probability
of a system being involved in an Internet security incident is once
per 15 years. However, for highly sensitive military and government
sites the odds are far worse, especially now that hackers are equipped
with automated tools.
Intranet and extranet security
The stern reality above shows a different picture from the ideal picture
of a castle well protected by a (firewall) drawbridge. And in case
you have a well-managed, up-to-date, secured firewall, why would hackers
use that path when backdoors to your stronghold are wide open? Years
ago, the same concept was used by the Greeks delivering a horse
statue (with unexpected content) to the Trojans. Why use the difficult way, when
organizations open gates for insecure access [4]?
Intranet, the network infrastructure of the organization in the
broadest sense outreaches far beyond the "castle walls":
- Managers (including high-ranking officers) take laptops
home and dock them at their office desk.
- Users, especially managers, read their Email via a (GSM) telephone-modem
connection, often against the security policy.
- (Unsecured) teleworking.
- Fax servers coupled to internal networks by people bypassing
the security department.
- Computer-telephony integration (CTI).
- Video-teleconferencing.
- Voice mail and Email boxes being listened to/read at distant
locations via insecure lines.
- Floppy disks that come and go.
- Remotely maintained systems and PABXes.
- Etcetera.
A new trend in society is that the working force is becoming more
loosely connected to organizations. In the year 2015 it is expected
that 25% of the people work at home, being hired to do tasks for multiple
organizations.
All these new developments and trends result in a vague border
between the outside and the inside of an organization. In future,
this will be even more questionable. All these backdoors undermine
the security model of the single firewall access to and from the
organization.
Figure 2: fuzzy borders of the organization. The firewall "green lawn"
seems to have a sign "keep off the grass"; it might be in use as one
of the many connectivity means.
The intranet and extranet developments are a hype. Looking at
the insecurity of Internet connections as discussed before and the
way organizations couple their internal networks to the outside
world, one can conclude that the intranet borders are passed left, right,
at the back and the front by the users. To remind you: in the organization,
or better said in the intranets, about 80% of all security incidents
take place.
Apart from the classical information technology security incidents,
intranets and extranets are vulnerable to the following:
- The management pays no attention to information security; security
is not a topic "intra" their ears.
- No threat and vulnerability analysis takes place. This causes
security measures to become unrelated, like loose sand. As can
be expected from Murphy's Law, the most vulnerable weak spots
will not be covered by security measures.
- No preventive security measures will be taken at all.
- In case of a computer emergency, no incident response team exists
to take immediate and effective action.
- Intranet and extranet services intend to make it easier for
the users within the organization to access information for doing
their work more effectively. Users should become familiar with the
wealth of information, so why bother them with security? That
users, hired people and unauthorized people have access to the
organization's strategic and tactical information (the "jewels")
is overlooked. Reducing authorizations afterwards is a hell of
a job, as users claim that they need the information sources for
their job. As the intranet is not built upon an information
model, it is hard to refuse those authorizations.
- Intranet technology looks so new that organizations bypass
their own IT department, as it is slow (discussing security
and responsibilities). They hire an external company to build
the intranet. Security will be implemented in one of the last
phases (if there is some money left).
- Developers claim that intranet technology requires dynamic code
such as Java or ActiveX. Unfortunately, the combination of active code
for the intranet and user access to the Internet is deadly for the
security of the intranet.
- Network and system maintenance staff responsible for the technical
infrastructure and the daily management are already overloaded. Security,
most of the time, has the lowest priority, let alone that the
system managers have time to learn and understand the security
issues of the technologies.
- Users install modem cards in their office systems, giving them
access from home or via GSM telephone to their Email. That hackers
scan all phone numbers of the organization for backdoor modem
accesses is overlooked.
The telephone intranet and extranet
A word or two on the telephone infrastructure of companies. As mentioned
before, we regard the PABX and its services as part of the company's
intranet. In many cases, the telephone infrastructure even extends
across multiple departments in several buildings and/or cities. The
maintenance of the telephone infrastructure and switch (PABX) is,
most of the time, the responsibility of the technical maintenance
department within organisations. The major change from purely hardware
switches to fully computerised switches with many options went unnoticed by
management. The fact that information security threats and vulnerabilities
now also apply to the telephone system has gone unnoticed as well.
Does your organisation control who, and how many people, know the access
to the remote maintenance entrance of your telephone exchange? Do
you apply the same strict password mechanisms to the PABX as you are
applying to the access of your company systems via open networks?
Is the call re-direct service of your PABX secured against misuse
by inside and outside people (e.g. the *21 service redirecting to an
international private phone)?
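An added example, not from the paper: detection logic over constructed PABX maintenance-log lines (the log format, the internal extension range 2000-2999, the international trunk prefix 00 and the staffed hours are all assumptions) that flags call forwarding to external numbers and remote maintenance access outside staffed hours, the two kinds of misuse the questions above ask about.

```python
import re
from datetime import datetime

# Constructed sample log, not the output of any real switch. Each line is a
# timestamp, the source (USER feature code or MAINT port) and key=value fields.
SAMPLE_LOG = """\
1997-11-03 09:05 USER ext=2210 action=SET_FORWARD target=2355
1997-11-03 02:14 MAINT port=remote user=service action=LOGIN
1997-11-03 02:15 MAINT port=remote user=service action=SET_FORWARD ext=2417 target=0031612345678
1997-11-03 10:12 MAINT port=local user=admin action=LOGIN
1997-11-03 14:00 USER ext=2300 action=SET_FORWARD target=0701234567
1997-11-03 22:40 USER ext=2418 action=SET_FORWARD target=00441234567890
"""

LINE_RE = re.compile(r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) (?P<src>USER|MAINT) (?P<kv>.*)$")
INTERNAL_EXT = re.compile(r"^2\d{3}$")   # assumed internal numbering plan: 2000-2999
INTL_PREFIX = "00"                       # assumed international trunk prefix
BUSINESS_HOURS = range(8, 18)            # assumed staffed hours: 08:00-17:59


def parse_line(line):
    """Turn one log line into a dict of fields, or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    fields = dict(kv.split("=", 1) for kv in m.group("kv").split())
    fields["ts"] = datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M")
    fields["src"] = m.group("src")
    return fields


def classify(ev):
    """Return (severity, message) alerts for one parsed event."""
    alerts = []
    after_hours = ev["ts"].hour not in BUSINESS_HOURS
    # Remote maintenance port used when nobody is around to authorise it.
    if ev["src"] == "MAINT" and ev.get("port") == "remote" and after_hours:
        alerts.append(("HIGH", "remote maintenance access outside business hours"))
    # Call forwarding that leaves the organisation; international is worst
    # (toll fraud and eavesdropping on redirected calls).
    if ev.get("action") == "SET_FORWARD":
        target = ev["target"]
        if not INTERNAL_EXT.match(target):
            sev = "HIGH" if target.startswith(INTL_PREFIX) else "MEDIUM"
            alerts.append((sev, f"extension {ev['ext']} forwarded to external number {target}"))
    return alerts


def scan_log(text):
    """Scan a whole log; returns (line number, severity, message) tuples."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        ev = parse_line(line)
        if ev is None:
            continue
        for sev, msg in classify(ev):
            findings.append((lineno, sev, msg))
    return findings


if __name__ == "__main__":
    for lineno, sev, msg in scan_log(SAMPLE_LOG):
        print(f"line {lineno}: [{sev}] {msg}")
```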
Conclusion: "Do you know
a better way to bring your sensitive information to the outside
world than by using Intranets?"
The sooner you realize all these aspects and risks, the sooner
you can start with the only way out: "integral information security".
The Solution
Are local networks (intranets) that insecure that one should not use
these technologies? Should users refrain from connecting to the Internet?
Are there no secure solutions?
As stated earlier, information security management is managing risks.
Risks can only be managed by:
- Developing a security policy.
- Developing a threat and vulnerability analysis and, based upon
that, a realistic, well-balanced security plan.
- Coaching the users to a higher level of security awareness.
- Proper (labor-intensive) management of firewalls and an open
eye to backdoor entrances to the organization.
A good start is to start inside out with the network. Look
at all communication possibilities with the organization, both by
users and (through the eyes of) hackers. Then you are able to estimate
the risks the organization takes. Firewalls, guards and other technical
means are not the ultimate solution. One needs them as a (small) piece
of the total security shield.
The technical aspect of information security is relatively small.
Organization, procedures, education and security awareness require
the utmost exertion, but their pay-off is the highest.
Secure use of the Internet and intranet technologies is very valuable
for both military and commercial organizations, it might give you
an information advantage. But be sure that you have good first and
second line defenses against the world of mostly internal (and some
external) security threats and vulnerabilities.
Literature:
- An Analysis of Security Incidents On the Internet 1989-1995;
John D. Howard; April 7, 1997. http://www.cert.org/research/JHThesis/
or http://www.info-sec.com/internet/howard/
- Who's reading your Email; Richard Behar; Fortune, February 3, 1997,
pp. 29-36
- Information security web links maintained by
the author: /instit/fel/intern/wkinfsec.html
- Information Warfare and Information Defence
web links maintained by the author: /instit/fel/intern/wkinfdef.html
- A collection of collected hacked webpages as
well as a registration of hacks: http://www.hacked.net
Information: Luiijf@fel.tno.nl