| Copyright © 2009. National Academy of Sciences. All rights reserved. Terms of Use and Privacy Statement |
Page 416
50
Thoughts on Security and the NII
Tom Perrine
San Diego Supercomputer Center
Statement of the Problem
The rapid introduction of the Internet into U.S. (and global)
society has challenged the knowledge, ethics, and resources of the
culture. Educational activities, both traditional and in many new
forms, are rapidly making information about the Internet and
personal computing and communication widely available. The ethical
considerations are being addressed by organizations such as the
Electronic Frontier Foundation (EFF) and the Computer Professionals
for Social Responsibility (CPSR). There is also a renewed emphasis
on ethics in the technical communities, as well as a growing
understanding of technical issues in legislation and law, as these
areas struggle to adapt to and codify new issues raised by emerging
technologies.
The Internet has many of the characteristics of a frontier,
including a dearth of security and law-enforcement services. This
discussion focuses on the security mechanisms that must be
developed over the next 5 to 10 years to make the Internet (and its
successors) a safe computing and communications environment for
individuals and to protect the commercial interests of the
businesses beginning to establish themselves on the Internet.
Background
The Internet is becoming an increasingly popular medium for
delivering products, services, and personal communications.
Unfortunately, none of these commercial or personal activities were
anticipated by the original design of the Internet protocols or by
the architecture of the new class of common carriers, the Internet
service providers (ISPs).
The Internet has become a new frontier for many Americans. Like
any frontier, most of the inhabitants are peaceful, interested only
in exploration and settlement. But, like any frontier, a minority
of inhabitants are more interested in exploiting the more peaceful
inhabitants. Another inevitable consequence of a frontier is the
(initial) inability of law enforcement to keep pace with the rapid
expansion in the number of inhabitants. If all of this sounds like
the American Old West, it is not a coincidence.
Networking and computing as communications services have created
new problems, and put a new spin on old problems, in the security
and law-enforcement resources of the American society. These
problems can be addressed on three levels: threat and protection
models, deterrents, and law-enforcement resources.
Threat and Protection Models
All security practices depend on the development of a "threat
model," which details foreseeable risks and threats. Then a
"protection model" is developed to address the perceived threats
and risks, tempered by additional factors such as law, policy, and
costs. Traditional models of both threats and protection have had
flaws that have increased the cost of secure computer systems and
networks.
Threat models that have been developed for computer and network
security in the past have reflected a "laundry list" of potential
threats, with no regard for the cost (to the attacker) of any
particular attack method. In other words, all threats have been
considered equally likely,
even if the cost of producing an attack might be prohibitive. If a
threat is considered "possible," it must be addressed by the
protection model.
Protection models have not been without their problems, as well.
Historically, most attempts at building secure computer systems and
networks have followed the "castle" model: build high, thick walls
with a few well-understood gates. This paradigm is reflected in the
terminology used in information security: firewall, bastion host,
realm, password, domain, and Trojan horse.
This mind-set limits the ideas that can be discussed and thus
the tools that will be developed. Furthermore, approaches focused
on prevention are limited to the scope of the modeled threats and
typically are strictly reactive to demonstrated examples of these
threats. But, to date, no sufficient threat models have been
developed. This approach is the epitome of passive defense, which
is not a viable strategy in the long term as advances in offensive
technologies will always overwhelm a static defense. To go beyond
this focus on prevention to encompass investigation and
prosecution, we need to consider alternate modes of thought about
information security.
Deterrents
A deterrent is anything that deters a person from performing
some undesirable action. It can be as simple and direct as a
padlock, or as indirect as strict punishments if a person is caught
and convicted.
Traditional, technical, computer and network security has
focused on building better "locks," stronger "doors," and so on.
Until recently, crimes committed via computer or network were
almost impossible to prosecute. The laws were silent on many
issues, the courts (including juries) were uneducated concerning
computers and networks in general, and law enforcement for such
white-collar crimes was seen as less critical than that for violent
crime.
With more awareness of the Internet, the spread of home
computers, and increasing reliance on computing resources for
day-to-day business, there has been a popular push for more legal
deterrents (laws) and for better education for judges, attorneys,
and law-enforcement personnel. As a result of increased media
attention to the Internet and more computers in homes, schools, and
business, it is now no longer impossible to get a jury capable of
understanding the cases.
Law-Enforcement Resources
Law-enforcement resources will always be at a premium, and
crimes against property will always (rightfully) be of less
importance than violent crime. As a result, computer and network
crimes will always be competing for resources against violent
crimes and other, more easily prosecutable ones. In other words,
only the largest, most flagrant computer crimes will ever be
considered in a courtroom.
Analysis and Forecast
Over the next 5 to 7 years, the Internet will most likely become
the de facto national information infrastructure (NII). Talk of
hundreds of channels of TV, videophones, and so on will continue;
but it is access to people and data on demand that has driven and
will continue to drive the growth of the Internet. The Internet is
here, and it works. New technologies such as integrated services
digital network (ISDN) and asynchronous transfer mode (ATM),
higher-speed links, and new protocols such as "IPng" (Internet
Protocol Next Generation) will become part of the Internet
infrastructure, but it is unlikely that a separate, parallel
network of networks will be constructed.
The problems of making the Internet a safe computing environment
will require significant research and development in the areas
discussed above: threat and protection models, deterrents, and
law-enforcement resources.
Threat and Protection Models
Tsutomu Shimomura (San Diego Supercomputer Center), Whit Diffie
(Sun Microsystems), and Andrew Gross (San Diego Supercomputer
Center) have recently proposed a completely new approach to
computer and network security. This new model actually combines the
threat and protection models into a new model referred to as the
confrontation model.
A new research activity at the San Diego Supercomputer Center,
undertaken as a cooperative venture between academia, government,
and industry, will soon begin exploring an approach to information
security based on confrontation in which we engage the intruder by
using winning strategies within the scope of policy. Hence, we call
our model the confrontation model. As alluded to above, many of our
ideas come from conflict-type situations such as might be found in
business, intelligence work, law enforcement, and warfare, and so
we draw on all these areas for ideas and examples. The research for
this new paradigm will require developing both strategies and
tactics.
Using the paradigm of an intrusion as a confrontational
situation, we can draw from centuries of experience in warfare. The
network and other infrastructure are the "terrain" upon which our
"battles" are fought. From a tactical viewpoint, certain resources
will be more valuable than others (e.g., fast CPUs for analysis,
routers to change the topology of the terrain, and critical hosts
near the activity for intelligence gathering). We need to know the
terrain, make it easy to monitor, and use it to our advantage
against intruders. Once we understand the terrain, we can plan
infrastructure changes that allow us to control it or position
ourselves strategically within the terrain, and thus make it easier
to counter intrusions.
Executing strategies within the terrain is complicated by the
need to adequately identify an intruder's intent. Confused users
may at first appear to be hostile, while real intruders may try to
hide within the terrain. To represent this, traditional threat
models must be amended to incorporate the extended terrain.
A proactive approach is needed that simultaneously considers the
"terrain" in which the engagement is occurring, the disposition of
resources to counter intrusions most effectively, and a
cost-benefit analysis of countermeasure strategies. Such an
approach to information security proved successful in the
apprehension of wanted computer criminal Kevin Mitnick. Note that
all conflict occurs within the scope of policy. Such policies
include criminal law and its rules of evidence. In business, they
include contract law, civil procedure, and codes of business
ethics.
In addition to understanding the "warfare" context, there is
also a need to communicate with and become part of existing
law-enforcement structures. Instead of trying to adjust law
enforcement to fit the peculiarities of computer crime, we need to
adjust the way we think about computer security to more accurately
match the law-enforcement model to facilitate prosecution of
computer crimes.
Deterrents
New deterrents will be developed over the next 5 to 7 years.
Many of these will be in the form of stronger doors and locks.
These technical advances will come from research in many different
areas and can be expected to proceed at a rapid pace.
It is expected that such proactive technical measures, leading
to identification and prosecution of intruders, will be an
effective deterrent. If intruders are aware of the risk they incur
when attempting to compromise computer systems and networks, they
may modify their behavior.
More important, however, are the societal deterrents: ethics and
law. A more vigorous campaign of educating business and the public
will need to be undertaken. This education will need to focus on
privacy rights, intellectual property rights, and ethics in
general. It is not unreasonable that every computer education
course of study include an ethics component. This is already
starting to happen in many engineering and computer science
curricula.
The law of the land will require updating, not wholesale change,
to accommodate the digital landscape. However, instead of knee-jerk
reactions to highly publicized events (child pornography on
computers, etc.) that have resulted in laws dealing specifically
with the Internet and computers, we need expansion or
reinterpretation of existing laws in the light of computers and
networks. If
something is already illegal, why should there be a separate law
making such an act illegal when a computer or network is
involved?
Increasing the ability of existing enforcement structures to
initiate and carry through successful prosecution of crimes that
happen to involve computers and networks will indirectly increase
the deterrence to commit such crimes. This will require educating
existing judicial personnel, as well as changes in policies and
procedures, and increased resources as well.
Law-Enforcement Resources
As already noted, law-enforcement resources will always be at a
premium. There will never be enough law-enforcement resources to
fully investigate every crime, and crimes against property,
including computer crime, will always (rightfully) be of less
importance than violent crime. But this limitation primarily refers
to government law-enforcement resources.
As on the American and other frontiers, one solution will almost
certainly be resurrected: private security forces. Just as the
American frontier had its Pinkerton agents and Wells Fargo
security, the Internet will soon have private investigative and
security organizations. In fact, the Internet already has the
equivalent of private security agents: the consultants and
companies that deal with computer and network security. These
agents perform such work as establishing "safe" connections to the
Internet for companies and providing security software,
intrusion-detection, and auditing software and hardware, and so
on.
But what about the investigative side?
As part of the research on a confrontation model mentioned
above, there is growing commercial interest in private
investigative services to perform intrusion analysis and evidence
gathering, for use in civil or criminal proceedings. The
confrontation model will lead to technical solutions (tools) that
will be available to both governmental and private investigative
services.
A recent Defense Advanced Research Projects Agency (DARPA) Broad
Area Announcement (BAA) stressed the desire to commercialize
computer security services, including the detection of intrusions
and the tracing of intrusions to their source (perpetrator). At
least two existing companies are investigating entering this
field.
Recommendations
The government must support open, public security standards and
mechanisms. It must remove inappropriate impediments to
private-sector development of security technologies, including
encryption. This approach will require support of research
activities, legislative changes, and increased awareness of how
digital communications change the law-enforcement landscape.
Research Activities
The government must foster more research into new protection
strategies, and this work must be done in conjunction with the
private sector. The computer industry is well aware of the problems
and is (finally) being driven by market forces (consumer demand) to
increase the security of its products.
However, the computer industry does not always have access to
the proper theoretical groundwork, and so academia and government
must find ways to cooperatively develop open standards for security
software and hardware. This will inevitably lead to more joint
research efforts, which may require revisiting the current
interpretations of some antitrust laws.
As part of cooperative research and development, testbeds need
to be built to provide a better understanding of the battleground.
This understanding will enable us to predict the types of intrusion
strategies that can be expected and will allow us to develop
appropriate counterstrategies. A better understanding of intrusions
will allow us to better predict the intruder's intent. Given what
we believe the intent to be, we then need mechanisms to identify
a response appropriate for
the chosen policy. For instance, if we identify an intent to access
critical resources, then the response may need to support more
comprehensive data collection to facilitate prosecution.
To be a viable platform for analyzing the confrontation
paradigm, any proposed testbed must be a collection of hardware and
software systems that encompass the complexity and extent of
today's networking infrastructure. The testbed will be a
heterogeneous collection of vendor computer platforms, network
routers, switches, firewalls, operating systems, and network
applications. These are the terrain in which a confrontation
occurs.
Understanding the range of intrusions is required to build
credible defenses. Insight must be developed for both the feasible
intrusion mechanisms and the types of countermeasures that should
be pursued. This insight must quantify the cost of an intrusion,
the cost of the countermeasure, and the level of risk that is being
reduced. A cost-benefit analysis is needed to understand the best
possible response. A testbed serves as a tool to quantify the risk
associated with providing desired services and allows the
development of mechanisms to reduce that risk. Once the risks are
quantified, it should be possible to create systems of graduated
resilience as a function of the provided services.
The testbed will be used for "war games," actual intrusion
attempts against both current and emerging technology. One person
can develop an intrusion mechanism and distribute it widely on the
network, resulting in a widespread problem that puts our entire
infrastructure at risk. An equally wide distribution of defensive
abilities is needed to counter this. Evaluation of successful
intrusions from the games will show where effort should be put to
best bolster system security. The system bolstering can be in the
form of cryptography, better programming standards, and a better
understanding of the actual system functionality. Vulnerabilities
can be created when a developer's perception of the function of the
system differs from its actual function.
As a product of the analyses done in the security testbed,
prototype mechanisms will be developed. An application of the
confrontation paradigm was used by Shimomura and Gross to analyze
the flaws exploited in the intrusion of Shimomura's computers on
December 25, 1994. Their analysis resulted in an understanding of
the "address-spoofing" technique that was used. The tools, most of
which they developed on the fly, focused on two areas: noninvasive
examination of the preserved system state of the compromised
computers and packet-trace analysis. Understanding the initial
intrusion mechanism and the goals of the intruder required
analyzing the situation with minimal disruption to the traces left
by the intrusion. These tools enabled an appropriate response to
this particular intrusion. Other intrusions may require a different
tool set.
It is important to note that although tools exist to examine the
integrity of a suspected compromised host (for example, TRIPWIRE),
they all rely on computing cryptographic checksums. This
computation requires reading all the critical files, which destroys
all access time stamps in the file system. In some cases, it may be
appropriate to have a toolset that examines the system kernel
memory and all on-disk structures noninvasively, preserving all
available information for further analysis (and as evidence).
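The access-time problem described above can be handled at collection time: record each file's timestamps before reading a byte, read through a descriptor that asks the kernel not to update atime, and optionally put the original atime back. This is an added example written for this page, not Tripwire's code or the chapter's toolset; the function and type names are the example's own.

```python
"""Integrity hashing that keeps access-time evidence (added example; not
the chapter's or Tripwire's code).  Timestamps are recorded before any
byte is read, the read uses O_NOATIME where the kernel allows it, and
the original atime can be put back afterwards."""
import hashlib
import os
from typing import Dict, NamedTuple


class FileEvidence(NamedTuple):
    path: str
    size: int
    atime_ns: int   # as found, captured before our own read
    mtime_ns: int
    ctime_ns: int
    sha256: str


def _open_noatime(path: str) -> int:
    """Open read-only, asking the kernel not to touch atime.

    O_NOATIME is Linux-only and refused (EPERM) unless the caller owns
    the file or has CAP_FOWNER; on refusal fall back to a plain open.
    """
    noatime = getattr(os, "O_NOATIME", 0)
    try:
        return os.open(path, os.O_RDONLY | noatime)
    except PermissionError:
        if not noatime:
            raise
        return os.open(path, os.O_RDONLY)


def collect_evidence(path: str, restore_atime: bool = True,
                     chunk: int = 1 << 16) -> FileEvidence:
    """Hash one file without losing the access times an intruder left.

    Trade-off on restore: utime() rewrites the inode and so bumps ctime;
    only restore when atime matters more to the case than ctime does.
    """
    st = os.stat(path)            # snapshot metadata BEFORE reading
    h = hashlib.sha256()
    fd = _open_noatime(path)
    try:
        while True:
            block = os.read(fd, chunk)
            if not block:
                break
            h.update(block)
    finally:
        os.close(fd)
    if restore_atime:
        os.utime(path, ns=(st.st_atime_ns, st.st_mtime_ns))
    return FileEvidence(path, st.st_size, st.st_atime_ns,
                        st.st_mtime_ns, st.st_ctime_ns, h.hexdigest())


def collect_tree(root: str) -> Dict[str, FileEvidence]:
    """Hash every regular file under root; symlinks are not followed."""
    out: Dict[str, FileEvidence] = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = os.path.join(dirpath, name)
            if os.path.isfile(p) and not os.path.islink(p):
                out[p] = collect_evidence(p)
    return out
```

Imaging the disk and hashing the image is still the better answer when it is available; this approach is for the case where the live system must be examined in place.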
The confrontation paradigm provides a framework that can be used
to understand intrusions. The actual mechanisms may be built from
scratch, such as reconstructing data sets that were "deleted" from
a disk. Or they may be built by modifying existing security tools
such as logging mechanisms. For example, logs of packets seen on a
network were constructed to reproduce all the simultaneous
sessions, either keystroke by keystroke or at least packet by
packet. (These tools are capable of correlating the simultaneous
activities of multiple sessions to trace their interactions on a
target computer system or network.) Playback of the sessions in
real time was helpful in understanding what the intruder was trying
to accomplish and his relative level of sophistication. Analysis of
other intrusion mechanisms may require the construction of a
different set of tools. In this case, loss of packet logs
necessitated a more subtle and thorough analysis.
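The session-reconstruction step described above, as an added example rather than the tools Shimomura and Gross built: captured TCP segments are grouped per flow, reordered by sequence number, retransmissions are discarded, and any hole in the sequence space is reported so that lost packet logs show up in the analysis instead of being hidden. The sample log, the Segment record and the flow-key layout are constructed for the example.

```python
"""Session reassembly from a packet log (added example, not the SDSC
tools the chapter describes).  Each record is one captured TCP segment
of client-to-server data.  Segments are grouped per flow and put back
in sequence order; retransmissions are dropped, and a hole in the
sequence space is reported instead of silently closed, since a missing
packet log is itself a finding."""
from collections import defaultdict
from typing import Dict, List, NamedTuple, Tuple


class Segment(NamedTuple):
    ts: float        # capture time, seconds
    src: str
    sport: int
    dst: str
    dport: int
    seq: int         # TCP sequence number of payload[0]
    payload: bytes


FlowKey = Tuple[str, int, str, int]
Gaps = List[Tuple[int, int]]          # [(first_missing_seq, next_seen_seq)]


def reassemble(segments: List[Segment]) -> Dict[FlowKey, Tuple[bytes, Gaps]]:
    """Per flow: the reconstructed byte stream and the list of gaps."""
    flows: Dict[FlowKey, List[Segment]] = defaultdict(list)
    for s in segments:
        flows[(s.src, s.sport, s.dst, s.dport)].append(s)
    out: Dict[FlowKey, Tuple[bytes, Gaps]] = {}
    for key, segs in flows.items():
        segs.sort(key=lambda s: s.seq)      # undo out-of-order capture
        stream, gaps = bytearray(), []
        expected = segs[0].seq
        for s in segs:
            end = s.seq + len(s.payload)
            if end <= expected:
                continue                    # pure retransmission
            if s.seq > expected:
                gaps.append((expected, s.seq))
                stream.extend(b"?" * (s.seq - expected))  # mark lost bytes
                expected = s.seq
            stream.extend(s.payload[expected - s.seq:])    # trim overlap
            expected = end
        out[key] = (bytes(stream), gaps)
    return out


def timeline(segments: List[Segment]) -> List[Tuple[float, FlowKey, bytes]]:
    """Interleave every session by capture time to see what ran in parallel."""
    return [(s.ts, (s.src, s.sport, s.dst, s.dport), s.payload)
            for s in sorted(segments, key=lambda s: (s.ts, s.seq))]


# Constructed sample log: two simultaneous telnet sessions from one host,
# with a retransmitted, an out-of-order and a lost segment.
SAMPLE = [
    Segment(1.0, "10.0.0.5", 40001, "10.0.0.9", 23, 100, b"l"),
    Segment(1.1, "10.0.0.5", 40002, "10.0.0.9", 23, 500, b"cat "),
    Segment(1.2, "10.0.0.5", 40001, "10.0.0.9", 23, 101, b"s"),
    Segment(1.3, "10.0.0.5", 40001, "10.0.0.9", 23, 101, b"s"),      # retransmit
    Segment(1.5, "10.0.0.5", 40001, "10.0.0.9", 23, 104, b"la\n"),   # arrived early
    Segment(1.6, "10.0.0.5", 40001, "10.0.0.9", 23, 102, b" -"),     # out of order
    Segment(1.7, "10.0.0.5", 40002, "10.0.0.9", 23, 510, b"log\n"),  # 504..509 lost
]
```

The `timeline` view is what makes the chapter's "correlating simultaneous activities" possible: the per-flow streams show what each session typed, the merged timeline shows in which order across sessions.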
Analysis tools have been developed that extract relevant log
records from centralized log facilities. Sophisticated pattern
matching tools were built to monitor for suspicious or unusual
events. Such pattern matching tools constitute a software
implementation of the knowledge that was acquired. The particular
implementation is only valid for a specific set of tactics.
Legislative Activities
The state legislatures and Congress must become more aware of
the impact of digital technologies on the citizens, residents, and
businesses of the United States. This will necessarily include
education, briefings, and technical information from researchers
and users of the Internet.
All computer and network security methods rely on cryptographic
technologies in one form or another. Congress must remove
impediments, such as the current classification of all
cryptographic technologies as munitions, to domestic production
of cryptographic methods. If the technologies cannot be exported,
then U.S. companies are at a disadvantage in the world market.
Recognition of digital communications as "protected speech" as
defined in the Constitution would significantly clear the currently
muddied waters and greatly simplify the legislative and
law-enforcement burden.
"Jurisdiction" is also a current problem. Consider the case of
Kevin Mitnick: He was a fugitive from the Los Angeles area,
allegedly intruded into computers in the San Francisco area, but
was actually in Seattle and Raleigh.
Law-Enforcement Landscape
The law-enforcement landscape is going to change. Along with new
technologies for fighting computer crime will come an increased
burden for investigation. Education of law-enforcement agents to
include computer crimes and methods will help, but it seems
inevitable that private computer security investigators will play
an increasing role in the prevention, detection, and investigation
of computer-related crimes.
Additional Resources
Hafner, Katie, and John Markoff. 1991. Cyberpunk. Simon and Schuster,
New York.
Farmer, Daniel, and Eugene H. Spafford. 1990. "The COPS Security
Checker System," Proceedings of the Summer USENIX Conference, June,
pp. 165–170.
Stoll, Clifford. 1989. The Cuckoo's Egg. Doubleday, New York.
Tzu, Sun. 1963. Art of War. Oxford University Press, Cambridge.