Kelly Engineering Analysis

Abstract:

This scenario is designed to explore the issues of response technology for information networks. The main goal of the scenario is to explore the space of possibilities for response for a fairly typical medium-sized computer network. This is done in several phases to reflect situations of different intensity and to stress various aspects of the response space. Time is limited in each move to foster idea generation - at the expense of in-depth analysis - and to get people thinking in terms of a real-world situation rather than abstract concepts.

Outline

• The Kelly Engineering Analysis Group
• Kelly's Global Information Network
• Cyber-Threats to Kelly
• The 1998 Vulnerability Study
• The Consequences of Attacks
• Some Detected Incidents
• We are starting to detect
• How do we respond?

The Kelly Group

The Kelly group's core business is engineering analysis for high tech industry. From bridge design verification to circuit simulation to molecular analysis, Kelly provides world-class analytical capabilities. Over the past 25 years, Kelly has grown from a small start-up to a 25 billion dollar firm with satellite offices in 25 countries and more than 20,000 users.

Kelly's main information operations consist largely of feeding huge design files from client systems into about 200 centralized design verification systems. Collected data is analyzed by a set of major interlinked data centers in the U.S. - primarily to find design flaws and assess limitations of designs. There is also a substantial quantity of video and computer aided design (CAD) conferencing with client designers, and many small joint ventures with major clients and competitors are connected to the Kelly network. Results of analysis are typically passed back to clients as lists of flaws, and this normally takes far less time and space than the collection and analysis process.

Kelly's global network consists largely of legacy systems collected over the past 25 years. This includes just about every sort of technology from its time. Large portions of the Kelly network are poorly documented, and cost limits equipment upgrades, overhead for support, and so forth. Big aging mainframe computers run age-old analysis code that was custom built for those machines in their heyday, while new servers have been added over time for all manner of functions - each a special case.

Almost every version of every operating system is in use at Kelly, and because of the high cost, these systems are not updated for security holes on an ongoing basis. It is all Kelly can do to keep most of it working most of the time.

Kelly has a Network Operations Center (NOC) that provides network control via off-the-shelf router control tools. There are about 2,500 routers, switches, hubs, and similar pieces of networking equipment in use throughout the world in Kelly. While the NOC is tasked with controlling the network and its switching and routing components, servers are managed by ‘business unit owners and other nodes are run by individual users. There is no central response process, but reports can be made to the NOC and will be forwarded by the NOC as they see fit. All manner of telecommunications systems are in use, with a wide variety of CPUs, embedded systems, networks, and generally any other information technology that has ever been used is somewhere in Kelly. There is even a small PDP-8 shop still running in Pittsburgh, and rumor has it that card punches are still used for data entry in some countries.

Cyber-Threats to Kelly

As a result of a story in the Wall Street Journal about attacks on computer networks, top management at Kelly recently sponsored a threat assessment by a start-up corporate intelligence firm with several ex-Air Force officers as principals. They found the following elements of a threat environment:

• Multinational corporate intelligence was considered a serious threat, especially from competitors (many of whom have access to Kelly computers via joint ventures).
• State-sponsored intelligence and terrorists were considered threats both from a standpoint of physical destruction of information systems and infrastructure (in one case a whole country was cut off from the network for almost a year due to civil unrest) and from a standpoint of trying to exploit weaknesses in the Kelly network for intelligence gathering (Kelly has some classified government contracts as we will see below).
• Because Kelly uses information systems for billions of dollars of financial transactions per year, insiders are considered a threat, particularly from the point of view of financial theft or extortion.
• Planted corporate spies are a serious concern because a large portion of Kelly's value lies in its information assets - particularly its engineering analysis codes.
• Hackers and crackers from the Internet are considered a potential threat largely because they have been in the media a lot lately and the people doing the analysis figured they had to include it. Kelly does use the Internet for much of its emerging low-bandwidth communications, and doesn't know precisely what is and is not connected to where.
• Some of Kelly's analysis is for classified systems, and as a result, high-grade threats apply to Kelly. The threat assessment didn't specify this notion further.

The 1998 Vulnerability Study

A vulnerability study was done using another small startup firm run by a guy who claims not to be an expert in information security (his honesty was a large part of the reason he was chosen). This top-level assessment showed the following results:

• Internal systems are vulnerable (the soft inside syndrome). In essence, anyone who can gain access to any internal Kelly systems and has access to tools from the Internet can easily take over large portions of the Kelly network.
• Linkage to corporate partners is done via commercial off-the-shelf (COTS) firewalls. While the configurations of these firewalls was not verified, it is likely that there are some errors, however, the far more serious limitation is their lack of content controls and the fact that they are used largely to transmit design files and other similar information that contains executable content.
• It appears highly likely that there are unknown (to the team doing the assessment) Internet connections from computers within Kelly. Several connections were identified during the study, however, this seems to be an ad-hoc list, and did not include possible connections from users at desk-tops, cell-links, and connections that might run through partners.
• Inter-site communications are pretty secure. They use dedicated links and those links are encrypted with banking-quality encryption devices (this was chosen because international legal requirements allowed these systems to be used worldwide for Kelly's business).
• Inadequate funding and priority is given to meet identified security needs, but no major losses have been identified to date.
• It seems likely that Kelly would not be aware of attacks if they were ongoing unless they created major losses. In combination with the identified weaknesses and threat profiles, it seems likely that Kelly is being attacked at some level and is unaware of it.

A strong desire was expressed by this firm to do a more in-depth analysis because they suspected that there was ongoing criminal activity within Kelly, but management decided not to do the follow-up because the proposed cost was on the order of several hundred thousand dollars, and because they did not really believe that any of Kelly's 20,000 global employees could be disloyal to the company.

The Consequences of Attacks

An internal committee was asked to identify the possible negative consequences of attacks against Kelly's information systems without regard to the threats or the likelihood of events, and taking into account everything from major global collapse (e.g., Y2K problems) to local attacks by hackers from the Internet. They came up with the following major concerns.

• Adverse publicity relating to large scale incidents at Kelly could result in a loss of confidence by major clients who might transfer some or much of their analysis business to competitors.
• Major information leaks could result in the total loss of federal contracts which account for 25 percent of sales, and 50 percent of pre-tax profits.
• In some cases, there is a potential for liability for deaths resulting from major flaws in designs not found during analysis. Examples include large chemical processing plants, bridges, nuclear reactors, and so forth. Liabilities for some errors and omissions are uninsurable and could run into the billion dollar range.
• Global service outages would cost on the order of 100M dollars per day, most of which is not replaceable or reschedulable because Kelly runs at or near capacity and because, when systems are down, workers still get paid. It is estimated that 5 days of continuous outage would essentially put Kelly out of business, and Kelly would likely never recover from such an outage.

Some Detected Incidents

Over the past year or two, the following incidents have been detected within Kelly, essentially as a result of individual effort by select systems administrators and, in some cases, by dumb luck.

• At least one case has been found where the classified and unclassified networks were cross-connected. This could have resulted in the leakage of classified information, but inadequate audit information was available to determine what damage, if any, actually occurred.
• A contractor violated need-to-know (NTK) access controls during off-hours by dialing in to a co-worker's account. Since NTK is considered discretionary, no disciplinary action was taken other than a private discussion with a supervisor about proper behavior.
• In an audit examination of an AS/400 system, it was found that a vice president always logged in correctly - something that no other user seemed able to accomplish. Upon further examination, it was found that the VP had encoded their password into their PC - which was not otherwise password protected. The VP was gently asked to not do this and compliance was verified by several subsequent failed login attempts.
• A contractor who was no longer assigned to work at Kelly continued accessing Kelly systems over a period of time. This was eventually detected on an audit and the contractor was notified that this was inappropriate. No records of what they had done during these accesses was available.
• There have been many incidents in client networks that are connected to Kelly via the firewalls, but Kelly is not aware of any of these affecting Kelly itself.
• An unauthorized Internet connection to the unclassified network was detected by accident when a user showed a firewall administrator that he could indeed go to an Internet pornography site (http://www.whitehouse.com/) despite purported access controls.
• Some internal analysis tools were found at a hacker web site as "warez" (illegal copies of software stored on Internet systems without the knowledge or consent of the owners of those systems). The cause of this was never traced.
• Computer viruses are found on a regular basis, even in the classified network. In some cases, macro viruses are known to have entered the facility via email through the firewalls, while in other cases, floppy disks are suspected as the mode of transmission.

Some Additional Information

The following additional information has been provided by the internal security committee at Kelly:

• Kelly is starting a program of intrusion detection using COTS intrusion detection systems (IDS) and detections are starting to roll in, but there are inadequate resources to deal with detections, most of which have been found to be false positives. As a result, the systems are currently tuned so as to limit the number of detections to the number that can be investigated by the part-time efforts of systems administrators who are running the IDSs as part of their other duties.
• It has been found financially infeasible to prevent insiders from attacking Kelly. As a result, a corporate decision has been made to use reactive defenses as the core method of internal information protection at Kelly.
• Kelly is also moving toward switched technology (e.g., ATM) and believes that this will help them mitigate much of the harm related to current network attacks. Kelly is working with vendors to integrate IDSs into their normal operating environment, but internal content analysis seems to be very hard to do and it has become a stumbling point for this technology.
• Kelly management has grudgingly budgeted $10M per year to this effort. This is only 4 hundredths of one percent of total budget, but management sees it as 1 percent of net and as having a negative return on invetment. It is unlikely to be funded further, and this is roughly the same as the corporate physical security budget for major facilities.

Things to keep in mind

A major question to be addressed is how Kelly can cost effectively respond to attacks rather than try to prevent them.

• Kelly now detects more than 100 items of interest per day.
• More detections are expected as IDS technology becomes more widely used in Kelly.
• How does Kelly cull the wheat from the chaff in their response process?
• Kelly believes they will detect 10,000 items of interest per day worldwide in 2000.
• How does this culling process scale and distribute?
• How does the culled data get correlated to indicate the nature of the attack?
• How does Kelly respond when they think it's a real serious attack?
• What are the range of response options?
• What will work in the Kelly environment?
• How does Kelly keep costs as low as possible?

And then...