International Security Forum Newsletter (Quarterly), ISSS, Fall
1992, Bethesda, MD
New Directions in Proactive Network Security
Debra S. Isaac
ADP Security Officer, Code 1220.2
Naval Research Laboratory
4555 Overlook Ave SW
Washington D.C. 20375
Dr. Bruce C. Gabrielson
Locus, Inc.
Alexandria, VA
Pushing to a New Level
Network security issues have emerged at the forefront of a host of
automated data processing concerns in recent years. As interconnects
between operating systems with immensely different security
capabilities have become commonplace, protecting the weakest link in
the chain has become a major problem. To protect these ever wider
area networks, those responsible for maintaining the security of
their data have by necessity been forced to go to ever greater
lengths to determine the hardness of their protective measures. One
such scheme is to assume the role of a would-be hacker/cracker and
then try various means to gain access to the protected information.
The assumption of this role has led to the creation of a new breed of
"good guys" who have developed advanced tools and methodologies that
can quickly find and fix security problems in most network
topologies.
At least one DoD organization has taken the lead in developing both
the new breed of investigator and the advanced tools necessary to
protect the security of sensitive networks. The Naval Research
Laboratory's ADP Security Office, Code 1220.2, provides a system
testing and evaluation (ST&E) program for all of the computer-based
systems at NRL, and also for organizations that sponsor activities
at NRL. These "building block" systems include local and wide area
networks, stand-alone networks with remote terminals, and Command,
Control, Communications, Computer and Intelligence (C4I) systems.
The ST&E program includes testing in a number of areas, one of which
is the configuration and security of all information that can be
gathered remotely by a potential unauthorized user through direct or
indirect means.
Tools of the Trade
One of the more interesting activities to emerge from the ongoing
ST&E effort at NRL has been directed towards the development of a
proactive software program which enables security managers to crack
into their own secure networks. A proactive program is one that
actively seeks to attack its target rather than waiting for something
to develop. Once into a network using the proactive program and
approach methodology, the security manager can then assume the role
of an adversary and operate in a passive or active manner to monitor
or otherwise perform manipulative functions. In playing such a role,
the system security manager not only ensures high visibility for his
activities within the organizational structure, but also ensures
quick and full-fledged attention to correcting any of the many
potential loopholes within the system architecture.
The proactive program coupled with organizational support offers a
multi-layered approach to system testing. The techniques and tools
were initially developed by researchers at the Naval Research
Laboratory to help security personnel analyze the vulnerability of
the many interconnected networks at the lab. Combining software tools
with the skills and experience of a dedicated staff provides the
capability to do extensive system testing and evaluations of computer
systems over any type of network.
Current testing is composed of both passive and active activities
that enable evaluators to collect information about each of the
computer systems connected to the network, including specific
information of value to a potential adversary. This information helps
identify ways that individual systems or the entire network could be
rendered useless at a specific date and time by an opponent with
direct or indirect access to the network.
Passive activities include collecting network traffic passing by a
network monitor between a specific set of sources or destinations,
and then using that traffic to find valid account passwords and usage
habits. Because many login protocols of the day send the password in
the clear, a monitor placed on a shared segment sees it exactly as
the server does. This information would be helpful to a potential
opponent trying to use the network and computer systems without being
detected, or copying source code for software applications under
development while it is being printed or transferred to an archive or
backup system.
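The following is an added illustration of the passive collection just
described; it is not code from the article or from NRL's ST&E tools.
It reassembles a constructed set of monitor records per client/server
flow, picks out cleartext FTP USER/PASS commands (RFC 959) even when a
command is split across segments, and summarises per-account login
times and source hosts, which is the "usage habits" side of the same
exercise. The packet records, addresses and credentials are invented
for the example; a real monitor would obtain them from a capture
interface.

```python
"""Offline model of what a passive network monitor can harvest.

Added example (not from the original article). CAPTURE is a constructed
list of (timestamp, src, dst, dst_port, payload) records standing in for
what a monitor on a shared segment would see. Only the FTP control
channel is parsed; telnet/rlogin would need their own line discipline.
"""
from collections import defaultdict
import re

# Constructed sample traffic: two FTP logins, one split across segments,
# one repeated later, plus unrelated HTTP traffic that must be ignored.
CAPTURE = [
    (1.0, "192.0.2.10", "192.0.2.20", 21, b"USER alice\r\n"),
    (1.2, "192.0.2.10", "192.0.2.20", 21, b"PASS hunter2\r\n"),
    (1.5, "192.0.2.11", "192.0.2.20", 80, b"GET / HTTP/1.0\r\n\r\n"),
    (2.0, "192.0.2.12", "192.0.2.20", 21, b"USER bob\r\nPASS "),
    (2.1, "192.0.2.12", "192.0.2.20", 21, b"s3cret\r\n"),
    (9.0, "192.0.2.10", "192.0.2.20", 21, b"USER alice\r\nPASS hunter2\r\n"),
]

# Well-known ports whose login dialogue is sent in the clear.
CLEARTEXT_PORTS = {21: "ftp", 23: "telnet", 110: "pop3", 513: "rlogin"}

FTP_CMD = re.compile(rb"(USER|PASS) (.*)", re.I)


def harvest_credentials(capture):
    """Return (timestamp, client, username, password) for each FTP login.

    Payload is buffered per (client, server) flow so a command that
    arrives in two segments is still recognised once the CRLF lands.
    """
    buffers = defaultdict(bytes)   # partial line per flow
    pending_user = {}              # USER seen, PASS not yet seen
    found = []
    for ts, src, dst, port, payload in sorted(capture, key=lambda r: r[0]):
        if CLEARTEXT_PORTS.get(port) != "ftp":
            continue
        key = (src, dst)
        buf = buffers[key] + payload
        while b"\r\n" in buf:
            line, _, buf = buf.partition(b"\r\n")
            m = FTP_CMD.match(line)
            if not m:
                continue
            verb = m.group(1).upper()
            arg = m.group(2).decode("ascii", "replace")
            if verb == b"USER":
                pending_user[key] = arg
            elif key in pending_user:
                found.append((ts, src, pending_user.pop(key), arg))
        buffers[key] = buf
    return found


def usage_habits(creds):
    """Per-account login times and originating hosts, from harvested logins."""
    habits = defaultdict(lambda: {"hosts": set(), "logins": []})
    for ts, src, user, _ in creds:
        habits[user]["hosts"].add(src)
        habits[user]["logins"].append(ts)
    return {u: {"hosts": sorted(h["hosts"]), "logins": h["logins"]}
            for u, h in habits.items()}


def cleartext_services(capture):
    """Servers observed accepting any cleartext-authenticated protocol."""
    return sorted({(dst, CLEARTEXT_PORTS[port])
                   for _, _, dst, port, _ in capture
                   if port in CLEARTEXT_PORTS})


if __name__ == "__main__":
    creds = harvest_credentials(CAPTURE)
    for ts, host, user, pw in creds:
        print(f"t={ts:4.1f} {host} -> user={user!r} pass={pw!r}")
    print(usage_habits(creds))
    print(cleartext_services(CAPTURE))
```

The defensive reading of the same output is the third function: any
server that shows up in cleartext_services is one whose accounts a
monitor can take wholesale, regardless of password quality.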
Active activities can include launching an offensive attack against
one or more of the computer systems on the network in an attempt to
shut down communications or interoperability over the entire network.
This attack could be directed from within or from outside the system.
Another active activity could be making an unauthorized entry into a
computer system posing as a valid user in an attempt to corrupt
software that is being developed, or to place a virus or other
malicious code into the system. In either situation, although the
network might be recoverable, its mission functions could well be
hampered or otherwise reduced for some period of time. The tests can
be organized according to the criticality of the system, with levels
ranging from a simple check for known holes in UNIX and other
operating systems across the network, to a full-fledged attack on
remote machines including net-bombardment, downloading of sensitive
data, etc.
What Can A Proactive Security Program Do For Your System?
The justification for establishing a proactive security program is
straightforward. For organizations worried about the vulnerability of
their C3I or C4I networks, finding the hole in their system has
always been the ultimate goal of the hardness team. Computer security
teams, normally with sponsor approval, are required to use a
dedicated evaluation effort, including whatever tools are available,
to test the vulnerability and security of their systems. The
advantages of knowing ahead of time what can happen far outweigh the
consequences of a potential adversary gaining access to a protected
or sensitive system. Finding a network's potential vulnerabilities,
hidden viruses or any other intruder problem areas is difficult, but
once found, these threats to a system can usually be eliminated
expeditiously. However, unless a dedicated effort to find the holes
is established, there will always be the question of just how good
"good" is.