Incident of the Week • New logging functionality with insufficient access control • Accessible to any application with internet access (i.e., almost all of them) • Patching the issue is delayed because the patch needs to be tested with all carrier partners
Designing a Secure Process: The Smart Grid Source: NISTIR 7628 Cyber Security Strategy
Information Flow Security • Information flow model • Formal Model – Formalise allowed/disallowed data flows – Bell-LaPadula (Confidentiality): No high security component of the system may communicate to a lower security component – Biba (Integrity): High integrity data must not be contaminated with lower integrity data • Enforcement
Assurance
Securestick: USB Stick with internal encryption Automatic Key deletion after three wrong password attempts None of that was actually implemented
Assurance • Aimed at purchaser / end user • Assure the buyer that the system is as secure as advertised
A bit of History TCSEC (1985): Guidelines to evaluate the security of computer systems used in military settings. Mainly focuses on multilevel security: – Bell LaPadula model – Reference Monitor Implementation
Test Criteria • Configuration Management – For TCB • Trusted Distribution – Integrity of mapping between master and installations • System Architecture – Small and modular • Design Specification – vary between classes • Verification – Vary between classes • Testing • Product Documentation
Security Levels: • Rating combines both security capabilities and assurance level--both go up as the rating goes up. • Levels: – Class D: Minimal Protection – Class C1: Discretionary Security Protection – Class C2: Controlled Access Protection – Class B1: Labeled Security Protection – Class B2: Structured Protection – Class B3: Security Domains – Class A1: Verified Design
Weaknesses • Too narrow: Designed with specific architecture and security goals in mind – Data protection on information processing – Designed for multilevel security systems • Mixing protection goal with validation level – Not possible to have high assurance on low targets • Test fixed configuration – E.g., Window NT, no applications installed, no networt
Federal Information Processing Standards (FIPS) • Framework for evaluating Cryptographic Modules • Still in Use (Compulsory for US Government use) • Addresses – Functionality (e.g., white list of cryptographic algorithms) – Assurance – Physical security
Weakness: • OpenSSL certified under FIPS-140 – Certification obtained Feb 2007 • Process took five (!) years – Certified version is 0.9.7, 3 years old • Problems – Process slow – Public comments process used by competitors to derail certification • Whitelist of cryptography needs change of FIPS standard for anything that’s new. – Inappropriate primitives used because of that – E.g., ZigBee use of MMO-AES, Street Lighting • Sometimes leads to no security at all
Common Criteria • Intended for both commercial and government use • Process can be applied to the security characteristics of any IT product. • Evaluations can be performed by any certified lab & accepted by all countries • Security Capabilities stated in a “Protection Profile” (PP) (User view of needs) – Usually defined as a generic for a product class – May be modified for a specific product into a “Security Target” (ST) (Vendor view of what they sell) • Product to evaluate is the “Target of Evaluation” (TOE) • Assurance rating is the “Evaluated Assurance Level” (EAL) – CC calls this a “grounds for confidence” – EAL rating is 1 to 7 (high)
Evaluation Assurance Levels • Basic Assurance – EAL1: Functional Test – EAL2: Structural Test – EAL3: Methodical Test and Check – EAL4: Methodical Design, Test, and Review • Medium Assurance – EAL5: Semiformal Design and Test • High Assurance – EAL6: Semiformally Verified Design and Test – EAL7: Formally Verified Design and Tested ed
Issues with Common Criteria • Time and cost of evaluation • Re-evaluations for patches, new versions, etc. • Does the PP really match the user requirements? – E.g., Smart Meter communication module • Environment, policies enforced by people not included • Configuration is not part of the evaluation – Impact of weak default configurations • International acceptance of rating can be rejected in any country for “national security” reasons. Effectively, NSA still evaluates products for classified use, and they want EAL 5 or better. • Potential for corruption – The test lab is paid by the vendor
“The CAPP provides for a level of protection which is appropriate for an assumed non-hostile and well- managed user community requiring protection against threats of inadvertent or casual attempts to breach the system security. The profile is not intended to be applicable to circumstances in which protection is required against determined attempts by hostile and well funded attackers to breach system security. The CAPP does not fully address the threats posed by malicious system development or administrative personnel. CAPP-conformant products are suitable for use in both commercial and government environments.”
Issues with the TOC • Only applies to a specific set of patches – i.e., you’d have to run a system with outdated patches • Excludes any installed software – Same issue as TCSEC
Assurance of Implementations In 2008, the FBI found counterfeited Cisco routers in numerous government installations. They never published if they posed a real security risk.
Assurance of Implementations How do I know what I bought is actually the same that got certified ? • Vendors cutting costs by reducing functionality – Save memory, processing power, components,… • Undocumented new versions or patches – Certified versions are usually rather old • Malicious Backdoors (e.g., Hardware Trojans) – The US did that, so why shouldn’t China ? • Counterfeits – Bought product only shares label with original
Assurance of Implementations Remote attestation: Remotely measure the configuration of a system • Usually needs extra hardware from trusted vendor (e.g., TPMs) • Measures boot sequence or memory contents • Will detect (some) software changes – Malicious changes still possible, e.g., hide malicious code in the graphics card
Assurance of Implementations Unique Hardware to give devices a secure identity • Secure smartcard from a trusted vendor – Secure version of a serial number • Uncloneable physical properties of the devices – E.g., SRAM startup, timing, … • Values can be queried remotely, or used to protect critical code – Code encryption – Software leashing
Assurance of Implementations This is an active field of research, and still a lot of work to be done As for all building blocks, the technological building blocks need to be integrated into architecture and policies
Policies
What went wrong here ?
Access Control Why is a junior IT worker not blocked from copying the entire database ?
Key Management • Key Generation – No individual should have access to critical keys • Key Distribution – How do we securely get keys to where they’re needed – This is one of the biggest issues on security management • Key Usage – Wrong use of keys can break whole systems – Historic Example: Lorenz Cipher • Key Retirement – Deleting data is non-trivial
More Policies • PC Usage Policy – E.g., accidential sharing of hospital data via bittorrent • Data Usage – What data do we really need to do our business ? Everything else can be a liability • Usability of all this – Every policy and mechanism that inhibits users will be circumvented – This will be covered next week
Kerckhoffs ’ Principle • The system must be practically, if not mathematically, indecipherable; • It must not be required to be secret, and it must be able to fall into the hands of the enemy without inconvenience; • Its key must be communicable and retainable without the help of written notes, and changeable or modifiable at the will of the correspondents; • It must be applicable to telegraphic correspondence; • It must be portable, and its usage and function must not require the concourse of several people; • Finally, it is necessary, given the circumstances that command its application, that the system be easy to use, requiring neither mental strain nor the knowledge of a long series of rules to observe.
How to spot a charlatan
Revolutionary Breakthrough
Revolutionary Breakthrough Would you trust a ‘completely new way of flying’ because the Given the many respectable vendor says ‘none of our people working in that area, planes has crashed yet’ ? including organisations like the Plus, how do they know ? NSA, what do you have that they don’t ? Note: Ingenious new approaches are rare in security. Even more rare: The approach goes directly into a product.
Recommend
More recommend