Presented at ISSS EXPO92, November, 1992, Washington D.C.
Security Protection For Government Networks
Ms. Debra S. Isaac
ADP Security Officer
Naval Research Laboratory
4555 Overlook Ave. SW
Washington D.C. 20375-5000
Dr. Bruce C. Gabrielson, Mr. Les Aker, Mr. Jeff Humphrey
Kaman Sciences Corporation
2560 Huntington Ave
Alexandria, VA 22303-1410
Networking allows virtually all types of systems (e.g. PCs, workstations, and mainframes) to communicate with one another. Networks range in size from a few interconnected PCs to systems spanning the globe. As network access to systems becomes even more widespread, it is evident that any coordinated, centralized security control program will encounter difficulty. As more networks interconnect, the chances greatly increase that a legitimate user of one system can find an open path to another network, and from there into still other networked computer systems where he/she has no authorization.
A security professional can view these interconnected networks in one of two ways: as a separate system in and of itself that may require some form of security protection, or simply as a "road" on which to travel from one computer system or terminal to another system. How one views the network determines how one approaches its security problems. Technological evolution has made the "road" concept the most common perception and by far the most significant concern for security.
Computer crackers' motivations are as diverse as the crackers themselves. The threat of unauthorized access by outside crackers is an ever-present thorn in the side of the system security professional. Recent years have seen an increase in the ranks of system crackers, software pirates, etc., with crackers by far the most numerous. Part of the reason for this increase is that access to international networks has become a part of everyday life. This "road" then makes any system on the network a prime target for those with an interest in cracking.
A typical strategy used to gain access is the following. Download a copy of the encrypted password file; such files are of little use to the average person. The cracker uses one computer to which he/she has already gained access to run password-breaking programs against many password files from the various systems where he/she wants to gain access. [As an aside, a Unix-based system will supply the password file to a person who has not logged on to the system; the encrypted passwords traditionally live in /etc/passwd, which every user can read.] The cracker's plan is simple: start the program running, and come back occasionally to pick up the latest broken passwords. He/she then uses the broken passwords to gain access to the new systems. [Even the root or system administrator password can be broken this way.] The network gives the cracker many more systems to attempt to access with little effort. In addition, the computing power of today's machines gives a cracker broken passwords in minutes or hours instead of months or years.
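The attack just described, as an added example that is not part of the paper: an offline dictionary run over a password file, trying passwords already broken on other hosts first, then the account name, then mangled dictionary words. The users, passwords, salts and word list are all constructed for the example, and the hash is a stand-in for the DES-based crypt(3) of the era (Python's crypt module is deprecated and removed in 3.13), keeping crypt's layout of a two-character salt followed by the encrypted part.

```python
"""Offline dictionary attack against a captured password file (added example)."""
import hashlib


def toy_crypt(password, salt):
    """Stand-in for crypt(3): 2-char salt prefix + 11 chars derived from salt+password."""
    digest = hashlib.sha256((salt + password).encode()).hexdigest()
    return salt + digest[:11]


def _entry(user, uid, password, salt, gecos, home, shell):
    return f"{user}:{toy_crypt(password, salt)}:{uid}:{uid}:{gecos}:{home}:{shell}"


# Constructed /etc/passwd-style file (hypothetical users and passwords).
SAMPLE_PASSWD = "\n".join([
    _entry("root", 0, "secret", "ab", "Operator", "/", "/bin/sh"),
    "daemon:*:1:1:daemon:/:/bin/sh",              # locked account, nothing to crack
    _entry("alice", 100, "alice", "cd", "Alice", "/u/alice", "/bin/csh"),
    _entry("bob", 101, "Dragon1", "ef", "Bob", "/u/bob", "/bin/csh"),
    _entry("carol", 102, "xq7!pZ2m", "gh", "Carol", "/u/carol", "/bin/csh"),
    _entry("dave", 103, "letmein", "ij", "Dave", "/u/dave", "/bin/ksh"),
])

# Tiny constructed dictionary; a real run uses thousands of words.
WORDLIST = ["password", "secret", "dragon", "welcome"]


def parse_passwd(text):
    """Yield (user, hash) for entries whose hash field could hold a real password."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        user, hashed = line.split(":")[:2]
        if len(hashed) == 13:          # '*' or '' marks a locked account
            yield user, hashed


def mangle(word):
    """The simple rewriting rules a cracker applies to each dictionary word."""
    seen = set()
    for base in (word, word.capitalize(), word.upper(), word[::-1]):
        for suffix in ("", "1", "123"):
            cand = base + suffix
            if cand not in seen:
                seen.add(cand)
                yield cand


def crack(passwd_text, wordlist, known_passwords=(), hash_fn=toy_crypt):
    """Return {user: cleartext} for every entry some guess matches.

    Guess order: passwords already recovered from other hosts (reuse), then
    the account name itself, then dictionary words with mangling.  Each
    guess costs one hash per account because the salt differs per entry.
    """
    cracked = {}
    for user, hashed in parse_passwd(passwd_text):
        salt = hashed[:2]
        guesses = [*known_passwords, user, *(c for w in wordlist for c in mangle(w))]
        for guess in guesses:
            if hash_fn(guess, salt) == hashed:
                cracked[user] = guess
                break
    return cracked


if __name__ == "__main__":
    # "letmein" plays the role of a password broken earlier on another host.
    for user, pw in crack(SAMPLE_PASSWD, WORDLIST, known_passwords=["letmein"]).items():
        print(f"{user}: {pw}")
    # root, alice, bob and dave fall; carol's random password survives this list.
```

The same loop, run by the system administrator against his/her own password file before a cracker does, is the check the paper argues for; the only difference is who reads the output.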
The DoD protects its AIS assets through a Risk Management Program (DoD Directive 5200.28). The program consists of several elements or processes. The major process is accreditation, the formal acceptance of the risk, which involves a documented risk analysis, a contingency plan, and a security test and evaluation for each system. In theory, this formal process takes place before the system is placed in operational status. By carrying out the various procedures and analyses, vulnerabilities are identified and corrected prior to the operational stage of a system's life cycle. The process would be a viable framework for security if systems were subsequently operated in the same environment in which they were tested, if the process were less generic, and if technology were less dynamic. However, with the advent of networked computers, the vulnerability of one system cascades onto other systems through no fault of their own.
Today there are still some professional system administrators. They do their job well, but they are for the most part the exception to the rule and a part of our computing past. Almost everyone who now uses a personal computer or workstation needs to be more than keyboard literate: users must know the operating system, the network topology, the application software, and more. Obviously, that is not always going to happen, if for no other reason than that systems are becoming easier to use and special technical ability is not always necessary to operate them. As personal computers and workstations continue to proliferate and grow more user-friendly, there will be less and less perceived need for professional system administrators, and more of their duties will fall to part-time administrators.
The key to helping the vast majority of part-time system administrators is to give them immediate and continuing access to very specific information about possible security problems with their systems. Each potential problem identified must be followed by a list of ways to test for the existence of the problem and a fix that can be applied as easily as possible. This removes the time-consuming burden of researching problems and helps these administrators make consistent, security-enhancing changes. When all of the system administrators in a large distributed facility follow the same security guidelines and implement security enhancements in a uniform way, the security of the entire network is improved.
It is much easier to fix a flaw in the system than to repair the damage done by a cracker, both in terms of human resources and dollars. For example, assume that the system administrator has determined that a cracker has gained access to a system. How much must the administrator now do to deny him/her continued access? Shut down the account he/she was using? He/she probably established another, legitimate-looking account as soon as he/she gained any privileges. Shut down all accounts issued in the time frame he/she was logged into the system? [He/she probably has a back door executing to keep his/her access going.]
With either of the above options, he/she could have a program executing that will destroy the system files, data files, or both when his/her account is deleted. To be prudent, the system administrator must assume that this cracker has multiple mechanisms in place to protect him/herself. Therefore, the administrator must completely reload the system from distribution media and from backups known to predate the intrusion, taking an exorbitant amount of resources and time.
Most of the security problems on a system are easily fixed. Since crackers normally work from a list of things to look for, the same problem areas should be evaluated and corrected by the system administrator. Problems such as bad passwords, incorrect system setup, insecure default system parameters, etc. can be identified and corrected before a cracker can exploit them. Removing a vulnerability after an incident has occurred is harder because it requires a complete understanding of how the breach occurred. There is also the risk of alerting the cracker that he/she has been discovered, allowing the system to be damaged before it is secured and the cracker is denied access.
Passive activities include collecting network configuration and interconnection information during network mapping. Searches can be directed at one specific computer in a network or at entire network structures. Another collection scheme monitors information passing between a specific set of sources or destinations and then uses the information to find valid account passwords and usage habits. This information would be helpful to a potential opponent trying to use the network and computer systems without being detected, or to copy source code for software applications under development while it is being printed or transferred to an archive or backup system.
Although active activities are possible, they are seldom employed, and then only under very structured control. An active activity could include launching an offensive attack against one or more of the computer systems on the network in an attempt to shut down communications or interoperability over the entire network. This attack may be directed from within or from outside the system. Another active activity could be making an unauthorized entry into a computer system posing as a valid user, in an attempt to corrupt software that is being developed or to place a virus or other malicious code into the system. In either situation, although the network might be recoverable, its mission functions could well be hampered or otherwise reduced for some period of time.
Active tests are organized according to the seriousness and nature of the system. Levels of testing range from Level 0, a check for known holes in the operating systems across the network, to Level 7, a full-fledged attack on remote machines including net bombardment, downloading of sensitive data, etc.
An interesting point from this test was that the entire test program started by cracking only one host. From that single system a "hack tree" was built with a 72% success rate. In another test over a six-month period, of over 1000 hosts tested, 9.8% had problems sensitive enough that fixes were required. More important, access was achieved on over 30% of the machines where it was attempted. It is important to note that miscellaneous testing accounts for a significant number of successes, especially in the later stages of testing, once most of the annoying problems have been cleared up. By that time certain characteristics and trends have started to emerge which provide useful information about systems in general.
After attempting large numbers of systems, the following approximate breakdown, by percent of successful accesses, can be formulated concerning the way access was achieved: 16.45% used bad passwords gained from earlier testing; 1.26% used easily guessed passwords; 4.43% used mountable file systems (yielding access); 14.55% were problems with xhost; 22.15% were problems with /etc/hosts.equiv; 37.97% were trusted hosts of problem machines; 0.63% were problems with tip; and finally 2.53% were problems with user .rhosts files (the categories sum to 100%).
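Two of the largest categories above, /etc/hosts.equiv problems and trusted hosts of problem machines, together with the user .rhosts category, are exactly the "list of things to look for" that the paper says an administrator should run through before a cracker does, and they are also what turns a single cracked host into the "hack tree" described earlier. The following is an added example, not code from the paper or from NRL's test program: it parses constructed hosts.equiv and .rhosts contents for a handful of hypothetical hosts, reports the wildcard and root-trust findings, and then walks the trust graph from one cracked host to list everything reachable without a password. The trust semantics assumed are those of BSD rlogin/rsh: a host named in /etc/hosts.equiv on X may log in to X as any non-root user with no password, a host named in ~user/.rhosts on X may log in to X as that user, and a bare "+" trusts every host on the network.

```python
"""Trust-file audit and hack-tree walk (added example; all hosts are constructed)."""
from collections import deque

# Constructed snapshot: for each host, the text of /etc/hosts.equiv and of
# each ~user/.rhosts as it would be read on that host.
HOSTS = {
    "alpha":   {"hosts.equiv": "beta\ngamma\n",  "rhosts": {"root": "delta\n"}},
    "beta":    {"hosts.equiv": "+\n",            "rhosts": {}},      # the classic vendor default
    "gamma":   {"hosts.equiv": "# nothing\n",    "rhosts": {"alice": "alpha alice\n+ +\n"}},
    "delta":   {"hosts.equiv": "gamma\n",        "rhosts": {}},
    "epsilon": {"hosts.equiv": "",               "rhosts": {}},      # trusts nobody
}


def parse_trust_file(text):
    """Return the set of host names a hosts.equiv/.rhosts file lets in ('+' = any host)."""
    trusted = set()
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        host = line.split()[0]          # an optional second field is a user name
        if host.startswith("-"):        # '-host' is an explicit deny entry
            continue
        trusted.add(host)
    return trusted


def trusting_hosts(hosts):
    """Map each host to every host it admits without a password (equiv plus all .rhosts)."""
    trust = {}
    for name, files in hosts.items():
        admitted = parse_trust_file(files["hosts.equiv"])
        for text in files["rhosts"].values():
            admitted |= parse_trust_file(text)
        trust[name] = admitted
    return trust


def audit(hosts):
    """The checks an administrator runs before a cracker does; returns finding strings."""
    findings = []
    for name, files in sorted(hosts.items()):
        if "+" in parse_trust_file(files["hosts.equiv"]):
            findings.append(f"{name}: /etc/hosts.equiv contains '+' (any host is trusted)")
        for user, text in sorted(files["rhosts"].items()):
            if "+" in parse_trust_file(text):
                findings.append(f"{name}: ~{user}/.rhosts contains a '+' wildcard")
            if user == "root":
                findings.append(f"{name}: root has a .rhosts file (passwordless root login)")
    return findings


def hack_tree(hosts, start):
    """Breadth-first walk from one cracked host over passwordless trust.

    Returns {host: host it was entered from}; the starting host maps to None.
    """
    trust = trusting_hosts(hosts)
    reached = {start: None}
    queue = deque([start])
    while queue:
        src = queue.popleft()
        for dst, admitted in trust.items():
            if dst not in reached and ("+" in admitted or src in admitted):
                reached[dst] = src
                queue.append(dst)
    return reached


if __name__ == "__main__":
    for finding in audit(HOSTS):
        print("finding:", finding)
    for host, via in hack_tree(HOSTS, "epsilon").items():
        print(f"{host} entered from {via}")
    # epsilon trusts nobody, yet the whole network falls from it, because the
    # other hosts' trust files open the doors from their side.
```

The last point is the one the 37.97% figure makes: a machine's own configuration can be clean and it is still "a trusted host of a problem machine", so the audit has to be run across the facility, not host by host.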
The advanced techniques and methodology of the Security Test & Evaluation Program at NRL have proven effective. Many systems directly under our control have been penetrated, resulting in problem identification and corrective action. The analysis methodology and tools developed have led to continual testing and system upgrading to meet our most stringent network security requirements.
 Decentralized: The computer equipment operating functions, applications, and responsibility for them are spread throughout the organization.
 Dispersed: The computer equipment is spread throughout the organization, but operating functions, applications and support is the responsibility of a centralized function.
 Distributed: A single logical system with the physical components spread throughout the organization.
 Hacker/Cracker: A cracker is a person who breaks, or attempts to breach, security on a system; a hacker is the term used for a "good" computer programmer.
 DoD Directive 5200.28, Security Requirements for Automated Information Systems (AISs), March 21, 1988.