Computer Security Article

InfoSec Report, February '96
Author: Stephen Cobb
Status: This article was first published in February, 1996. It is reproduced here to illustrate what has changed, and what has not.
One of the most daunting tasks facing governments and corporations today is ensuring the confidentiality, integrity and availability of computer-based information. The strong trend towards more widely distributed data processing has combined with the continued emergence of new threats, and the failure to learn from old mistakes, to present a formidable challenge to those of us charged with ensuring data security. In this article we consider these challenges and some possible responses.

Times Past, Present
Five years ago, just before the land offensive was launched in the Persian Gulf War, several hundred allied computers were found to be infected with a virus (self-replicating software code that causes everything from performance degradation to outright loss of data). The first thought of many top brass, appalled that a virus could defeat military security systems, was that this infection was an enemy action, a case of information warfare. In a moment we will return to the subject of information warfare, which has variously been described as "information security with attitude" and "the offensive exploitation of widespread dependency on information technology."

In fact, this particular infection, by a very common virus of a type known to the public for at least five years, was almost certainly self-inflicted. Although relatively easy to detect and remove, the virus was living proof that the widely-used Bell LaPadula model of computer security, based on hierarchical systems of military secrecy, is no match for malicious code (this model allows information to flow from lower levels up to higher levels, and malicious code is happy to go along for the ride).
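To make the point about the model concrete, here is a toy Bell-LaPadula reference monitor, added here as an illustration and not part of the original article. The levels, subjects, document names and the "infected" flag are constructed for the demonstration: the monitor enforces both BLP rules correctly, yet a macro embedded in an unclassified document still reaches a secret one.

```python
# Added example (not from the article): a toy Bell-LaPadula monitor showing that
# "no read up / no write down" preserves confidentiality but does nothing to stop
# malicious code riding from a low level to a high one. All names are constructed.
from dataclasses import dataclass

LEVELS = {"UNCLASSIFIED": 0, "CONFIDENTIAL": 1, "SECRET": 2}


@dataclass
class Document:
    name: str
    level: str
    infected: bool = False   # carries a self-replicating macro


@dataclass
class Subject:
    name: str
    level: str
    infected: bool = False   # the subject's process has run the macro


def can_read(subject: Subject, doc: Document) -> bool:
    """Simple security property: a subject may read at or below its own level."""
    return LEVELS[subject.level] >= LEVELS[doc.level]


def can_write(subject: Subject, doc: Document) -> bool:
    """*-property: a subject may write only at or above its own level."""
    return LEVELS[subject.level] <= LEVELS[doc.level]


def open_doc(subject: Subject, doc: Document) -> None:
    """A 'smart document' executes its macro when opened, so reading = running."""
    if not can_read(subject, doc):
        raise PermissionError(f"{subject.name} may not read {doc.name}")
    if doc.infected:
        subject.infected = True


def save_doc(subject: Subject, doc: Document) -> None:
    """An infected process writes the macro into every document it saves."""
    if not can_write(subject, doc):
        raise PermissionError(f"{subject.name} may not write {doc.name}")
    if subject.infected:
        doc.infected = True


def simulate() -> dict:
    memo = Document("memo.doc", "UNCLASSIFIED", infected=True)   # constructed
    plan = Document("plan.doc", "SECRET")
    analyst = Subject("analyst", "SECRET")
    open_doc(analyst, memo)    # allowed: read down
    save_doc(analyst, plan)    # allowed: write at own level
    return {"high_doc_infected": plan.infected,
            "write_down_blocked": not can_write(analyst, memo),
            "read_up_blocked": not can_read(Subject("clerk", "UNCLASSIFIED"), plan)}
```

Both BLP rules hold (no read up, no write down), so no secret leaks downward; the infection simply travels the one direction the model permits.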

Almost five years later, in November of 1995, one Christopher Pile pled guilty, under the U.K. Computer Misuse Act of 1990, to charges of virus writing and spreading. He was the first person in Britain to be convicted for such offences, which included distribution of virus "cloaking" code that allowed many other virus writers to make their creations somewhat harder to detect. According to one company cited by the prosecution, Pile's actions had caused half a million pounds worth of damage. In passing sentence (eighteen months in jail), the judge said, "Those who seek to reap mindless havoc on one of the vital tools of our age cannot expect lenient treatment."

Catching and convicting virus writers represents progress of sorts, but by the autumn of 1995 network managers and system administrators were busy meeting a whole new virus challenge, the malicious macro. Taking advantage of the fact that Microsoft Word has become a de facto standard for word processing in the corporate world, someone released a virus that targets Word users. This virus is not written in complex, low-level computer language, but in easy-to-use macro code, a simplified set of instructions which enables word processing commands to be automated.

A New Threat
While people have, for many years, looked to macros and so-called "smart documents" to increase productivity, the potential for malicious exploitation has always been there. In recent years, macro languages have experienced dramatic increases in power and scope (simply opening a document programmed with WordBasic can trigger powerful operating system commands such as disk formatting). It was inevitable that, when a macro-capable application achieved critical mass in the marketplace, it would be targeted by virus writers.

Despite a concerted effort by AV (Anti-Virus) researchers and AV software vendors, the Winword.concept virus has become one of the most "successful" viruses we have ever seen, just six months after it was first detected "in the wild" (this assumes that you measure success for a virus by the number of infections). At the National Computer Security Association we have received calls from companies that have thousands of infected systems. At our recent Firewall and Internet Security conference an official from Microsoft, whom we will refrain from naming, said "At Microsoft we scan every server, every day [with an anti-virus scanner known to detect this virus], and we are still infected with the macro virus."

Some people point out that this particular virus is harmless since it has no "payload," that is, it does not seek to erase files or do anything else except spread itself. But even a "harmless" virus must be removed from an organisation's systems (often at considerable expense), otherwise you risk transmitting the virus to customers, suppliers, other agencies, or members of the public, which is simply not acceptable. Furthermore, new versions of the Word macro virus that do attempt to inflict damage have already appeared.

In the past, it was possible for information security professionals to assure users that data could not spread, or be infected, by viruses, and that data could not damage data. These statements are no longer helpful because today's smart documents are a hybrid of data and program code which is capable of malicious manipulation. The implications of this cannot be over-stated as the volume of smart documents accessed via the Internet is currently roaring off the scale, with new technologies such as Java and Microsoft objects promising even more powerful tools that may be susceptible to malicious exploitation.

More History Lessons
The Hollywood film War Games was definitely not what George Santayana was thinking about when he said "Those who cannot remember the past are destined to repeat it." But images from the top-grossing movie of 1983, in which a teenager hacks into a top secret U.S. defence computer, may have come back to haunt government scientists when, according to a recent report in the Wall Street Journal, "Hackers armed with free software from the Internet broke into a Los Alamos National Laboratory computer system last week, forcing the lab to upgrade its security."

Incidents like this suggest that those of us charged with protecting the security of computer systems have not learned much during the past thirteen years. The attack on the New Mexico lab, best known for helping develop the atomic bomb, came about a year after authorities jailed Kevin Mitnick, the inveterate hacker who is said to have inspired War Games by hacking into the North American Air Defense Command computers (an exploit which Mitnick has denied).

So, we put some hackers in jail, but others are quick to take their place. We have learned some lessons. The Los Alamos hackers didn't steal or destroy any sensitive documents because they were stored on a completely separate network. But the penetration they achieved is nevertheless cause for concern, not least because the hackers used a password and processing time stolen from the Los Alamos system to attack the San Diego Supercomputer Center, where they destroyed some electronic mail (they also tried, unsuccessfully, to break into the computer of security expert Tsutomu Shimomura, a key figure in the capture and arrest of Mitnick).

If high profile government computer systems are this vulnerable, 13 years after War Games, one is tempted to ask "When will they ever learn?" And the Los Alamos incident was by no means isolated. In January, 1995 Washington Technology reported that attacks by the Defense Information Systems Agency (DISA) on 9,000 Department of Defense computer systems had an 88 per cent success rate. Less than one in twenty organisations detected the attack, and of those that did, only 5 per cent actually reacted to the attack [Wash].

New Defences, Old Attacks
The Los Alamos attackers used free software that can be run on fairly inexpensive equipment to defeat defences that included firewalls, a "hot" new security technology in which many organisations are now investing, often with unrealistic expectations. A firewall is, to paraphrase leading experts in this field, a system or group of systems that enforces an access control policy between two networks. When a firewall is in place all traffic from inside to outside, and vice-versa, must pass through it. Only authorised traffic, as defined by the local security policy, is allowed to pass through it. The firewall system itself must be immune to penetration. Typically, the two networks in question are an organisation's internal network (trusted) and the Internet (untrusted). But it could also be two segments of an organisation's wide area network (see Avol94, Ches94, Chap95, Ran93, and Stall).

Much of the literature on firewalls concentrates on diagramming the numerous possible configurations of routers, host systems, interfaces, and sub-nets. But it is important not to lose sight of the broad definition of a firewall as a part of a larger security policy that defines the services and access to be permitted. Unfortunately, system administrators at a number of organisations reported receiving orders from upper management along the lines of: "Get a firewall!" Such edicts indicate that a lot of people are unclear on the concept. A firewall is not a "silver bullet" solution to security problems. For a start, it does very little to protect you against internal abuse of your systems, the losses from which exceed those caused by external attacks in all surveys we have seen.

A firewall is only as good as the policy it implements, only effective if installed properly and maintained diligently. Firewall vendors may say their firewall has never been penetrated but strictly speaking, they mean that "one of our firewalls, which we installed and maintained, has never been penetrated." There are people who test firewalls for a living, and some who do it for fun, and both groups will tell you that more than half are penetrated on the first attempt. Consider this comment from physicist Brosl Hasslacher at Los Alamos, "They walked through our firewalls like they weren't there."

One of the most likely explanations is that the systems administrator had not installed the latest "patches" to communications software. Furthermore, viruses and malicious code pass undetected through most firewalls. In other words, there is little point installing a firewall unless you are already enforcing appropriate policies governing the handling of incoming files, including such mundane details as the use of removable media such as floppy diskettes.

Firewalls are also susceptible to denial of service attacks. These are quite different from attempts to gain access to someone else's computer. If you recall the three elements of data security (confidentiality, integrity and availability), denial of service attacks focus on the third of these, availability, and we are likely to see more of them in the future. There are several reasons for this. Cheap, powerful encryption is now widely available, ensuring confidentiality. Public key encryption has solved the problem of key management while enabling digital signatures that ensure integrity. Which leaves availability. For example, by bombarding a firewall with data packets it is possible to prevent legitimate traffic in or out of the protected network.

If that legitimate traffic is customer orders or the data upon which your just-in-time manufacturing depends, the consequences of such a denial of service attack could be very expensive. And denial of service attacks require far less technical expertise than penetration of systems or cracking of encryption schemes. For example, if you could find out which communications cable carries the bulk of data from one region to another you could execute a denial of service attack that has serious economic and even political implications. This is information warfare, the aggressive exploitation of information technology, a subject of considerable concern to governments everywhere.

Responses and Conclusions
So how do we counter these trends? At the practical level, the answer is not necessarily a massive investment in security hardware and software. Data security is first and foremost a people problem and the behaviour of people can, to a certain extent, be modified. After a realistic assessment of current vulnerabilities you put policies in place, with meaningful penalties for violations and solid rewards for compliance.

If you need help determining vulnerability, organisations such as NCSA can arrange testing. This often reveals the need to install software upgrades and security patches, many of which are available free from vendors. If you need help framing policies there are several good sources, both commercial and governmental. We often find that existing security features are under-used or used incorrectly, so that a large increase in security can be accomplished at little or no additional cost. To stay in touch with new threats you can subscribe to services such as NCSA's IS/Recon, which provides online access to massive amounts of regularly updated security information.

If you do determine that security products are required, there are forums on CompuServe (GO NCSA) and pages on the World Wide Web (http://www.ncsa.com) that can help you find what you are looking for. Some governments provide some standards for secure computing products, but these tend to focus on classified areas, whereas increasing reliance of governments on commercial systems for day-to-day operations has created large exposures in non-classified areas. NCSA tests anti-virus products to make sure they meet objective standards of effectiveness and we will be doing the same for firewalls. If you want to meet with fellow security professionals to discuss the challenges you face, consider attending a conference or participating in a seminar, such as InfoWarCon (Europe) 96 being held in Brussels in May.

At the theoretical layer, the first step to understanding information security is to realise that all technology is neutral, none of it is inherently good or evil. We must not allow ourselves to fall in love with, or become overly dependent upon, new technologies, such as smart documents or universal connectivity, without first considering how someone with a different ethic might abuse them. A valuable tool in this regard is something we might call the "hacker mindset." It is possible, without either endorsing or justifying hacking, to understand the way that hackers think. Previously invisible problems come to light when viewed with this particular blend of technological curiosity and amoral objectivity.

The next step is to realise the full scope of the problems. There is no hyperbole in the observation that "the Internet has changed everything." Dozens of different value systems are now interacting as they attempt to gather and distribute the new commodity of global commerce: information. Even as the structure of the enabling technology is evolving, we are a long way from inter-cultural consensus on issues such as privacy, intellectual property rights, and contractual obligations. And never before has such a vast quantity of collective brain power been applied to any subject, whether it is how to penetrate firewalls, crack encryption schemes, or distribute malicious code. We can only hope that similarly awesome intellectual resources can be devoted to defending the data which governments, corporations, and individuals legitimately seek to protect.

References:

[Avol94] Frederick Avolio and Marcus Ranum. A Network Perimeter With Secure Internet Access. Proceedings of the Internet Society Symposium on Network and Distributed System Security, February, 1994.

[Chap95] D. Brent Chapman. Building Internet Firewalls. O'Reilly & Associates, 1995.

[Ches94] William R. Cheswick and Steven M. Bellovin. Firewalls and Internet Security. Addison-Wesley, Reading, MA, 1994.

[Hugh] Larry J. Hughes, Jr. Actually Useful Internet Security Techniques. New Riders Publishing, 1995.

[Ran93] Marcus Ranum. Thinking About Firewalls. In SANS-II Conference, April 1993.

[Stall] William Stallings, Peter Stephenson, and others. Implementing Internet Security. New Riders Publishing, 1995.

[Wash] Washington Technology, January 1995.

[Wack] John P. Wack and Lisa J. Carnahan, Keeping Your Site Comfortably Secure: An Introduction to Internet Firewalls, NIST Special Publication 800-10, 1995.

Updated Spring, 2002 by webloke © Stephen Cobb
Some article content reprinted by permission.
Article content copyright named author(s).