Plain Talk about Security




                   Plain Talk About Security
                  By:Thomas V. Sobczak, Ph.D.
                           ACC, Inc.


Everyone selling computer security, i.e., measures adopted to guarantee freedom or
secrecy of action, in today's market appears to mislead the buying public.  They sell
incremental pieces of a security puzzle.  To be security, the solution must be all-inclusive.
However, selling an integrated security solution reduces the revenue potential available to
sellers.  Software solution providers sell products that, when assembled, might or might
not be security.  If proponents of embellished advertising were half right in their claims, then
hacking, data diddling, intrusion, etc. would be impossible.  Disaster happens daily.  Each
case provides new and better excuses from the seller and a request to upgrade to a more
secure product.  Look at the ads for security and see why you need hip boots.

Systems Integrators are the first line of deception.  Most Integrators have arrangements
to resell or market a provider's security product line.  They never tell you that the product
they offer may not be best in your situation.  Worse, they bill you to customize the round
peg to fit the square hole.  My comments may irritate prophets of the cult of security.  Not
all integrators or even any integrators are evil.  They have fallen into the trap of believing
the hype they preach.  Can anyone guarantee total security?

Integrators let us spend money.  First they recommend a risk analysis of current
operations.  Anyone who has had a risk analysis should look at it.  Did your integrator tell
you about the inherent weaknesses in your operating system?  Did he tell you about the
bugs that are listed on most hacker web sites and BBSs?  Did he point out the insecurity of
back doors and trapdoors left by lazy programmers?  Did he list the known bugs in your
applications?  A good integrator will tell you about bugs too costly for a software producer
to fix.  Producers have ignored these bugs and treated them as anomalies when they happen.  Unless you
do your own due diligence you will never know whether your problem is a failed product rather than
a security glitch.

Did your integrator offer to attack your system (for more money) to find holes in your
security?  They use fancy terms like "Tiger Team" or "Red Team."  Attackers know holes
have existed since the operating system or application was released.  These "cracks in
your armor" are general knowledge in the hobbyist/hacker community.  You should receive
a report of weaknesses found during the attack.  In one case in a thousand they may
detect a new weakness.  Imagine the money you would save if the attack preceded the risk
analysis.  The attack will determine the risks that you should address.

Companies cannot afford unbeatable security.  Smart companies address readily
identifiable problems because most of the aggressors will use them to breach a system.
We give hackers more credit than they deserve.  As many as 90% of those engaged in
hacking are copyists who learn from or copy the technique of brilliant peers.  In the real
world there are too few brilliant hackers.  Brilliant hackers seek challenging, seemingly
impenetrable targets.  Copyists use their results to attack similar systems.

Security as it is marketed today appears to consist of anti-virus, access control, encryption,
anti-virus, backup/recovery, audit, firewalls, anti-virus, network monitors, etc.  It would be
wonderful if they integrated all security features in a seamless schema written and
encrypted to prevent any violation of product integrity.  Imagine an encrypted shell
controlling your operating system.  Further, imagine a future integrated security program
burned into your BIOS chip on a PC and the O/S load area of larger computers.  An
outsider, or for that matter an insider, cannot enter a protected machine without proper
authorization.  For whatever reason, security providers have not moved to full integration.
You as a data owner are a victim of failed security.  Incremental pieces create more
revenue than an integrated system.

When I first wrote about Access Control in Security World Magazine in the early 1970's,
it involved an ID and Password.  Today, solutions providers, seeking a competitive edge,
have attached sufficient bells and whistles to make their product different in the competitive
marketplace.  These additions caused the invention of firewall hardware.  Bells and
whistles became so numerous as to use up precious memory.  The price of security
overhead became unbearable.  Firewall Security requires a separate server.

Access Controls are worthless in many companies.  Trusted employees who trust each
other give away access.  Years ago as I walked through Readers Digest Association I
pointed out to the then Comptroller that seventeen, yes seventeen, VDUs had the ID and
Password listed on a post-it attached to the VDU case.

Worse, I called the USAF at the WPAFB Computer Center and asked for the Computer
Room.  I told the man answering the phone that I needed the dial-in line to DEC service.
Not only did I get a line but my reward was superuser status.  No one thought to find out
if I was authorized to access the USAF DEC equipment.  

I had to spam SDI to convince them that they were open to hackers.  It required an article
in Federal Computer Week to gain credibility.  The experts said it couldn't be done.  I did
it following instructions posted on a BBS.  All the foregoing were reported to the
appropriate agency.

Do not get the impression that access control is a waste of time.  My point is that access
control and all security must be created against a policy supported by management.
Integrated Computer Security software must be configurable to the corporate security
policy adopted by your company/agency.  If security does not match policies you are in big
trouble.  Users need rules against which to judge their actions.  Management needs a
baseline to judge adherence.

The next potential "savior" in the computer security universe is encryption.  Encryption is
necessary and worthwhile if you can control it.  MIT Athena created Kerberos.  The ticket
giver couldn't be beat, so hackers killed it.  If they could not read your data, neither could
you.  Academia helps to weaken encryption.  Students in the Midwest broke the DES by
chaining supercomputers together.  They posted the conversion mechanism on a BBS.
This begat double DES and now triple DES.  Another group in the Pacific Rim broke the
RSA encryption by chaining computers from Singapore to Australia to New Zealand.  In
many companies accomplished users modify encryption to "lock out" administrators.  If
they leave or die that data is lost to the company.

Encryption is important, but beware that when someone cannot locate the key, they may
stuff the keyhole.  The future may benefit from some interesting experiments.  A small
New York firm created an encryption system and packet monitor that allows data
transmission without human access in the chain.  Further, they identify and track those
attempting to intrude.  Their solution is extreme.  They terminate the offending device by
assuming control of its operating system and formatting all drives.  This is virus/code as
a weapon.  Information Warfare is real.  During Operation Desert Storm, I offered an
operations officer at SO/LIC the opportunity to hack Iraqi C2.  It was a Thompson CSF
backbone running under COSMOS.  In the same conflict, American forces had to contend
with "friendly fire" from Nerds at Fort Sill (the Fort Sill Virus).  I didn't watch CNN.  I
communicated daily with four individuals in Kuwait.  They provided insight that I passed to
SO/LIC.

Virus Detection has limitations.  If you purchase the best virus detector marketed today, it is
obsolete and incomplete when you install it.  In the time between when the anti-virus
product was completed, produced and sent to market, dozens if not hundreds of new viruses
can appear, making the solution obsolete.  It is incomplete because it does not do the entire
job.  About 85% of supposed virus attacks get traced back to poor programming.  An anti-
virus detector should identify and log changes to the system.  Look at your problem log and
see that most errors happen because it is easier to test on-the-fly than to desk check.  How
many times have you found that programmers updating a DBMS forgot to erase older
versions?  Large DBMSs are easily identified as you monitor memory usage.  How many
smaller, more personal DBMSs or duplicate files do you have unnecessarily using memory?
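The change logging the paragraph asks for amounts to a file-integrity baseline: hash every file once, re-scan later, and log what was added, removed or altered (a tampered binary, a forgotten older copy of a database, a configuration file that vanished). The following is an added example written for this page, not code from the article or any product it mentions; the directory layout and file names it scans are constructed for the demonstration.

```python
import hashlib
import os
import tempfile
from typing import Dict, List, Tuple

# Added example: a minimal file-integrity baseline, the kind of "identify and log
# changes to the system" check the text asks an anti-virus product to provide.
# Not code from the article; every path below is constructed for the demo.

CHUNK = 64 * 1024


def hash_file(path: str) -> str:
    """SHA-256 of a file, read in chunks so large files never sit whole in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(CHUNK), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(root: str) -> Dict[str, str]:
    """Map every file under root (path relative to root, '/'-separated) to its hash."""
    baseline: Dict[str, str] = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            baseline[rel] = hash_file(full)
    return baseline


def detect_changes(root: str, baseline: Dict[str, str]) -> List[Tuple[str, str]]:
    """Compare the tree under root with a stored baseline.

    Returns (kind, relative_path) pairs with kind in {"added", "deleted", "modified"},
    sorted by path so the log is stable from run to run.
    """
    current = build_baseline(root)
    changes: List[Tuple[str, str]] = []
    for rel in sorted(set(baseline) | set(current)):
        if rel not in current:
            changes.append(("deleted", rel))
        elif rel not in baseline:
            changes.append(("added", rel))
        elif baseline[rel] != current[rel]:
            changes.append(("modified", rel))
    return changes


def format_log(changes: List[Tuple[str, str]]) -> str:
    """One line per change, ready for the problem log."""
    return "\n".join(f"INTEGRITY {kind.upper():8} {path}" for kind, path in changes)


def demo() -> List[Tuple[str, str]]:
    """Constructed scenario: take a baseline, tamper with the tree, re-scan."""
    with tempfile.TemporaryDirectory() as root:
        app = os.path.join(root, "app")
        os.makedirs(app)
        with open(os.path.join(app, "program.exe"), "wb") as fh:
            fh.write(b"\x4d\x5a original program image")
        with open(os.path.join(app, "config.ini"), "w") as fh:
            fh.write("[db]\nversion=3\n")

        baseline = build_baseline(root)

        # What happens between scans: a binary is altered, a stale duplicate
        # of the database configuration appears, and a config file disappears.
        with open(os.path.join(app, "program.exe"), "ab") as fh:
            fh.write(b" + appended code")
        with open(os.path.join(app, "old_copy.bak"), "w") as fh:
            fh.write("[db]\nversion=2\n")
        os.remove(os.path.join(app, "config.ini"))

        changes = detect_changes(root, baseline)
        print(format_log(changes))
        return changes


if __name__ == "__main__":
    demo()
```

The baseline itself must be stored somewhere the monitored system cannot rewrite (read-only media or a separate host); a baseline kept next to the files it protects is simply one more file an intruder can update.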

A secondary problem in virus detection is the fact of the mythical virus.  If your market
segment is flat, invent a virus.  Hype it to the world.  The media loves to cry wolf.  Just think
of the waste of money the Columbus Day, Michelangelo, and WIN95 CHS cost.  American
capitalism is an enemy of true security.  When a real problem appears, how many will think
of it as just another cry of "wolf"?

Backup/Recovery is necessary but considered a nuisance.  Users, with the best of
intentions, do not have the time to back up their data.  If users spent as much time backing
up their systems as they do finding reasons not to back up, few would have problems.
Backup and recovery products become easier to use as their cost increases.  Then the
it-will-never-happen-to-me syndrome occurs.  Users do nothing, to save money.  Did your
integrator explain the ramifications of lost data, or did he sell you a disaster recovery plan?

Backing up may not help you.  I can recall a dastardly programmer who, when denied a
raise, modified commercial software code so that when the "write" was called, it "read."  The
backup tapes were as blank as when first loaded.  This went on for months, long after the
programmer quit.  It would have been found had someone thought to print the first few
blocks of the backup tape before it went to storage.  In good conscience, the monitors
thought they had good security, i.e., they backed up daily.
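The defence against that story is not a better tape but a read-back: after the write, read the medium and compare it with the source before the tape leaves the room. The example below is added here and is not the article's code; `TapeDrive` and `SabotagedTapeDrive` are constructed stand-ins for a real device, the second one reproducing the "write became read" fault so the check has something to catch.

```python
import hashlib
from typing import Dict

# Added example, not from the article: a backup job that verifies what actually
# landed on the medium instead of trusting that the write call did its job.
# TapeDrive and SabotagedTapeDrive are constructed stand-ins for a real device.


class TapeDrive:
    """Honest device: the bytes written are the bytes read back."""

    def __init__(self) -> None:
        self._blocks = bytearray()

    def write(self, data: bytes) -> None:
        self._blocks.extend(data)

    def read_all(self) -> bytes:
        return bytes(self._blocks)


class SabotagedTapeDrive(TapeDrive):
    """Models the fault in the story: the 'write' entry point was altered to read,
    so every backup run leaves the tape as blank as when it was loaded."""

    def write(self, data: bytes) -> None:
        self.read_all()  # data is silently discarded


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def run_backup(source: bytes, drive: TapeDrive) -> Dict[str, object]:
    """Write source to drive, then read it back and compare before the tape ships.

    'verified' is True only when the tape holds a non-empty copy whose hash
    equals the hash taken from the source before the write.
    """
    expected = sha256(source)
    drive.write(source)
    stored = drive.read_all()
    return {
        "bytes_in_source": len(source),
        "bytes_on_tape": len(stored),
        # the "print the first few blocks" check from the text, kept for the operator
        "first_block": stored[:64],
        "verified": len(stored) > 0 and sha256(stored) == expected,
    }


def demo() -> Dict[str, bool]:
    """Run the same constructed payload through an honest and a sabotaged drive."""
    payload = b"ledger-2024-Q1: " + bytes(range(256)) * 4  # constructed sample data
    honest = run_backup(payload, TapeDrive())
    broken = run_backup(payload, SabotagedTapeDrive())
    for name, report in (("honest", honest), ("sabotaged", broken)):
        print(f"{name}: {report['bytes_on_tape']} bytes on tape, verified={report['verified']}")
    return {"honest": bool(honest["verified"]), "sabotaged": bool(broken["verified"])}


if __name__ == "__main__":
    demo()
```

The comparison uses a hash computed from the source before the write, so a device that echoes back whatever it was asked to store cannot pass by replaying the request; the non-empty check is what catches the blank-tape case on its own.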

Auditing poses another opportunity not just to secure but to monitor how things get done.
Most auditing software is straightforward.  -BUT- when a delinquent wants to hide his trail
he destroys or modifies the audit tapes.  I can recall a large financial institution that kept
its audit tapes in a secure locked area.  The tapes were rotated quarterly.  Unfortunately,
no one looked at the tapes.  A miscreant inserted a program into the check processing
system to transfer dropped rounded-off float to a checking account; it was not noticed until
the perpetrator got sick.  A branch officer found an account growing by about $10,000 a
day without any record of a deposit.  Once each week, in prior weeks, the money was
removed from the account as cash and redeposited in an unknown bank.  No one could
venture to guess how much was taken.  The lawyer for the suspect arranged a deal in
which the suspect was not prosecuted because he destroyed the code and would not
recreate it or share it with anyone.  When one thinks about the theft, he will notice that
rounded float was written off by the bank.  The Financial Institution did not lose anything
as books balanced.  Who says crime doesn't pay?
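The tapes would have told the story months earlier had anyone reconciled them: an account whose balance moves without a posted transaction to explain it is exactly what a periodic review is for. Below is an added example of that reconciliation, written for this page and not taken from the article or the institution it describes; the account numbers, balances and transactions are constructed, with one account receiving money that no posted deposit accounts for.

```python
from collections import defaultdict
from decimal import Decimal
from typing import Dict, List, Tuple

# Added example, not from the article: the review nobody did on the audit tapes,
# carried out as an opening-balance + postings = closing-balance reconciliation.
# Account numbers and amounts below are constructed for the demonstration.

D = Decimal

# Opening balances at the start of the audit period (constructed).
OPENING: Dict[str, Decimal] = {
    "ACCT-0017": D("1500.00"),
    "ACCT-0042": D("200.00"),
    "ACCT-0099": D("80.25"),
}

# Transactions that appear on the audit tape as (account, kind, signed amount).
TRANSACTIONS: List[Tuple[str, str, Decimal]] = [
    ("ACCT-0017", "deposit", D("300.00")),
    ("ACCT-0017", "check", D("-125.40")),
    ("ACCT-0099", "check", D("-30.25")),
]

# Closing balances as the system reports them at the end of the period.
# ACCT-0042 has grown by $10,000 with no posting behind it.
CLOSING: Dict[str, Decimal] = {
    "ACCT-0017": D("1674.60"),
    "ACCT-0042": D("10200.00"),
    "ACCT-0099": D("50.00"),
}


def reconcile(
    opening: Dict[str, Decimal],
    transactions: List[Tuple[str, str, Decimal]],
    closing: Dict[str, Decimal],
) -> List[Tuple[str, Decimal]]:
    """Return (account, unexplained_delta) for every account whose closing balance
    is not opening balance plus the sum of its posted transactions.

    A positive delta is money that arrived without a record; a negative delta is
    money that left without one. Accounts that reconcile are not reported.
    """
    posted: Dict[str, Decimal] = defaultdict(Decimal)
    for account, _kind, amount in transactions:
        posted[account] += amount

    exceptions: List[Tuple[str, Decimal]] = []
    for account in sorted(set(opening) | set(closing)):
        expected = opening.get(account, D(0)) + posted.get(account, D(0))
        actual = closing.get(account, D(0))
        if actual != expected:
            exceptions.append((account, actual - expected))
    return exceptions


def demo() -> List[Tuple[str, Decimal]]:
    """Run the reconciliation over the constructed period and print the exceptions."""
    exceptions = reconcile(OPENING, TRANSACTIONS, CLOSING)
    for account, delta in exceptions:
        print(f"EXCEPTION {account}: balance moved {delta:+.2f} with no posting")
    return exceptions


if __name__ == "__main__":
    demo()
```

Amounts are held as `Decimal` rather than binary floating point so that the comparison is exact to the cent; a reconciliation that tolerates "small" differences is one that a rounding-float scheme is designed to slip beneath.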

Addressing network monitors, network management and Internet scanners would make
these comments a book.  Internet scanners are an outgrowth of sniffers.  One sniffer at
Lawrence Livermore National Laboratory captured fourteen thousand ID/PW.  Follow-on
sniffers from South America and Israel did as much damage.  LLNL is home to both
Department of Energy and USAF security. 

Students have corrupted network tools by their experimentation.  The University of Texas
claimed credit for the modification that allowed smart programmers to bypass Novell's
logon.exe.  The Internet is inundated with network hacking tools that have as their basis
well intentioned network management software.  Many students evolve into hackers.
Some of the same hackers now wear a "white hat" and sell you solutions to problems they
created.  Can you trust them?

Computer Security is important.  Computer security as currently marketed is a
hodgepodge of products that might or might not work in an integrated fashion.  Vaporware and
smoke abound.  It is time for those who claim security expertise to stand up and be
counted.  We don't need another for-profit association, society or club.  We don't need
more magazines that blow smoke and create new buzz words in their advertisements.
What we need is an integrated security software solution that incorporates solutions to all
known deficiencies to mend holes in the corporate security curtain.  Remember that
working agreements between security providers do not work.  Each participant covets
knowledge considered proprietary by the others.  They sign well-intentioned agreements
that fail because no side trusts its associate.

Security experts and their firms do not share solution knowledge to the same degree that
hackers share knowledge of weaknesses.  In our current economy, computer security
providers merge and acquire.  Supposed security companies become involved in Network
Management, Utility Software, Performance Monitors, Y2K, etc.  They appear to be
hedging their bets about security.  Rather than be a specific expert in a narrow venue, they
become a variety provider for computer software.  The big question is can you trust your
security broad scope provider to stay focused to lead the computer security market?

Companies gain knowledge about computer security requirements and solutions by diligent
research.  Research is time consuming and boring because you must dig nuggets out of
soil previously mined.  It is hard to get started. Yet, research helps you identify conditions
that affect your computers, software and staff.  As you understand the nuts and bolts of
operating systems and application software you identify problems and anomalies directly
applicable to your business.  Getting smarter focuses you.  You can reduce your
investment in security, without losing control, by implementing that which is specific to your
operations.  Rather than depend on an outsider who may love you but also loves your
money, you can stand up for yourself.  Knowledge gives you self-confidence.  If you
choose to use an outsider, you can be assured that your knowledge will govern his
perspective.

My research has specialized in PCs, Workstations and UNIX mid-range devices.  We
possess more than 175,000,000 bytes of intrusive and injurious code.  We have spent
twelve years learning to understand the psychology and tools of an aggressor.  We have
created what I consider the better mousetrap.  My solution is a security policy based in
code integrated segments.  It works well but as in all things it will require upgrade to meet
the challenges of ever changing technology.  If anyone is interested in learning more about
a total integrated solution, E-mail me at tvsconsult@netzero.net