Presented at ISSS EXPO92, November, 1992, Washington D.C.


Security Protection For Government Networks

Ms. Debra S. Isaac
ADP Security Officer
Naval Research Laboratory
4555 Overlook Ave. SW
Washington D.C. 20375-5000

Dr. Bruce C. Gabrielson, Mr. Les Aker, Mr. Jeff Humphrey
Kaman Sciences Corporation
2560 Huntington Ave
Alexandria, VA 22303-1410

Introduction

Security for computers and networks has not managed to keep pace with technological evolution. Information System (IS) professionals have continuously struggled to protect the assets of the organization. New methodologies have emerged from time to time to assist the security professional in the pursuit of the "secure" computer. This paper explores various methodologies, including some of those used by the Naval Research Laboratory's Computer Security Office.

Network Threats

Decentralized[1], dispersed[2] and distributed[3] computer systems have quickly become the norm for most organizations. Of the many advances in technology that have created this diverse computing environment, the one that stands out most is the network. Networking computers offers many distinct advantages, but at the same time it has created new threats to computer systems.

Networking allows virtually all types of systems (e.g. PCs, workstations, and mainframes) to communicate with one another. Networks exist in forms ranging from a few interconnected PCs to massive global systems. As access to various systems via networks becomes even more widespread, it is evident that any coordinated, centralized security control program will encounter difficulty. As more networks are interconnected, the chances greatly increase that a legitimate user of one system can find an open path to another network, and from there into still other networked computer systems where he/she has no authorization.

A security professional can view these interconnected networks in one of two ways: as a separate system in and of itself that may require some form of security protection, or simply as a "road" on which to travel from one computer system or terminal to another system. How one views the network determines how one approaches its security problems. Technological evolution has made the "road" concept the most common perception and by far the most significant concern for security.

Crackers and The Motivation to "Get Inside"

The most important threat created by networking that security professionals must face is that of the hacker/cracker. The threat posed by the hacker/cracker[4] is relatively new and very real in today's complex network environment. A cracker is an outsider who tries, through his/her knowledge of the operating system and network protocols, to gain access to a system. Crackers can generally be divided into three categories: the destructive cracker is often attempting to insert viruses, trojan horses, time bombs, and worms; the most common cracker wants to use a system for free, or to find out if it has any interesting software he/she can acquire; the directed cracker wants to find out everything he/she can about the operation or business, for personal use or for sale to others.

Computer crackers' motivations are as diverse as the crackers themselves. The threat of unauthorized access by outside system crackers is an ever-present thorn in the side of the system security professional. Recent years have seen an increase in the ranks of system crackers, pirates, etc., with crackers by far the most dominant. Part of the reason for this increase is that access to international networks has become a part of everyday life. This "road" then offers the means to make any system on the network a prime target for those with an interest in cracking.

Typical Strategies Employed by "Crackers"

Crackers use various approaches, and search many sources of information in their seemingly untiring efforts, to gain access to networked systems. Sources of cracking information are readily available in the public domain, including target information from hacker bulletin boards. Among the most common techniques used to gain access are: trying factory-shipped default accounts that have known passwords, accounts with no passwords, and stealing the encrypted password files from a computer system. Other, less common means include: access by cross-referencing account information from other machines; exploiting known holes in specific operating systems; collecting user IDs returned in response to a user query and trying each of them with a null password; and applying common user IDs such as test, operator, and sysop. Some of the tools available include publicly distributed password breaking (cracking) programs and rapid telephone number dialers which relentlessly seek access to a network through any active modems that answer with identifying tones.

A typical strategy used to gain access would include the following: download a copy of the encrypted password file. These password files are of little use to the average person. The cracker uses one computer to which he/she has already gained access to run password breaking programs against the many password files from the various systems where he/she wants to gain access. [As an aside here, a Unix-based system will supply the password file to a person who has not logged on to the system.] The cracker's plan is simple: start the program running, and come back occasionally to pick up the latest broken passwords. He/she then uses the broken passwords to gain access to the new systems. [Even the root or system administrator password can be broken this way.] The network gives the cracker many more systems to attempt to access with little effort. In addition, the computing power of today's machines gives a cracker broken passwords in minutes or hours, instead of months or years.
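The offline attack just described, as an added example that is not code from the original paper: a dictionary attack run against a constructed password file, trying the account name and a short wordlist against each entry and treating an empty password field as an open account. It assumes a SHA-256 based hash (salt followed by the password) in place of the crypt(3) hashes a Unix host of the period stored, because the Python `crypt` module is deprecated and not available everywhere; the accounts, salts and wordlist are all constructed for the example.

```python
"""Offline dictionary attack on a copied password file (added example)."""
import hashlib


def hash_password(password: str, salt: str) -> str:
    """Assumed hash format standing in for crypt(3): 'salt$hex(sha256(salt+pw))'."""
    digest = hashlib.sha256((salt + password).encode()).hexdigest()
    return f"{salt}${digest}"


# Constructed /etc/passwd-style file. Field 2 is the password hash; an
# empty field means no password is required (a factory-shipped default
# account, "operator" here, is left exactly that way).
PASSWD_FILE = "\n".join([
    "root:" + hash_password("Tr0ub4dor&3", "ab") + ":0:0:root:/:/bin/sh",
    "test:" + hash_password("test", "cd") + ":100:100:test account:/tmp:/bin/sh",
    "operator::101:100:operator:/:/bin/sh",
    "alice:" + hash_password("welcome", "ef") + ":200:200:Alice:/home/alice:/bin/sh",
    "bob:" + hash_password("x9!Qv#L2p", "gh") + ":201:200:Bob:/home/bob:/bin/sh",
])

# Small constructed wordlist standing in for the public dictionaries
# crackers circulate; real lists run to hundreds of thousands of words.
WORDLIST = ["password", "test", "welcome", "operator", "sysop", "secret"]


def parse_passwd(text: str):
    """Yield (account, hash_field) for each non-empty line of a passwd file."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        name, hashed, *_ = line.split(":")
        entries.append((name, hashed))
    return entries


def crack(text: str, wordlist):
    """Return {account: password} for every account the attack breaks.

    An empty hash field counts as broken with the empty password. The
    account name itself is tried before the wordlist, since "user = password"
    was the most common default of the period.
    """
    found = {}
    for name, hashed in parse_passwd(text):
        if hashed == "":
            found[name] = ""
            continue
        salt = hashed.split("$", 1)[0]
        for guess in [name] + list(wordlist):
            if hash_password(guess, salt) == hashed:
                found[name] = guess
                break
    return found


if __name__ == "__main__":
    for user, pw in crack(PASSWD_FILE, WORDLIST).items():
        print(f"{user}: {pw!r}")
```

Three of the five accounts fall to a six-word list without touching the target host at all; the same routine, run by the administrator against his/her own password file, finds the bad passwords and open default accounts before the cracker does.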

Typical DoD Strategies for Protection

Computer security professionals within the Department of Defense have automated information system (AIS) security requirements[5] that must be complied with for virtually all networked systems under their control. The requirements basically state that users having legal access to an AIS must be held accountable for their actions on the AIS. Both security requirements and levels of trust are applied to these systems, with the overall responsibility for their protection entrusted to each organization's ADP Security Officer.

The DoD protects its AIS assets through a Risk Management Program. The program consists of several elements or processes. The major process is Accreditation, the formal acceptance of the risk, which involves a documented risk analysis, a contingency plan and a security test and evaluation for each system. This formal process, in theory, is to take place before the system is placed in an operational status. By implementing the various procedures and analyses, vulnerabilities will be identified and corrected prior to the operational stage in a system's life cycle. The process would be a viable basis for security if systems were subsequently operated in the same environment in which they were tested, if the process were less generic, or if technology were less dynamic. However, with the advent of networked computers, the vulnerability of one system cascades onto other systems through no fault of their own.

Typical Strategies Employed by All Administrators

There are as many different strategies for protection as there are system administrators. Generally, some combination of password and file protection mechanisms is always used. More advanced techniques may include: refusing connections to the system from the network if the connection originates from a modem; compartmentalizing areas within the network; logging suspicious activity (such as denied access attempts); detecting and logging access to specified files; limiting sign-in screen information so as not to disclose the system type; and the use of encrypted passwords, callback devices, random password generators, access cards and keys.

Currently there are still a few professional system administrators. They do their job well, but they are for the most part the exception to the rule, a part of our computing past. Today, almost everyone who uses a personal computer or workstation needs to be more than keyboard literate: users must know the operating system, the network topology, the application software, and more. Obviously, that is not always going to happen, if for no other reason than that systems are becoming easier to use, and special technical ability is not always necessary to use them. As personal computers and workstations continue to proliferate and increase in user-friendliness, there will be less and less need for "professional system administrators".

The key to helping the vast majority of part-time system administrators is to give them immediate and continuing access to very specific information about possible security problems with their systems. Each potential problem identified must be followed with a list of ways to test for its existence, and with a fix that is as easy to apply as possible. This removes the time-consuming burden of researching problems and helps these administrators make consistent, security-enhancing changes. When all of the system administrators in a large distributed facility follow the same security guidelines and implement security enhancements in a uniform way, the security of the entire network is improved.

Simple Flaws and Fixes

All operating systems have bugs that can be exploited, either maliciously or accidentally. When bugs are identified, it is management's responsibility to ensure they are fixed as soon as possible. Although this may seem costly, the ramifications of not fixing a problem are much more costly.

It is much easier to fix a flaw in the system than to repair the damage done by a cracker, both in terms of human resources and dollars. For example, assume that the system administrator has determined that a cracker has gained access to a system. How much must the system administrator now do to deny him/her continued access? Shut down the account he/she was using? He/she probably established another, legitimate-looking account as soon as any privileges were gained. Shut down all accounts issued in the time frame he/she was logged into the system? [He/she probably has a back door executing to keep the access going.]

With either of the above options, he/she could have a program executing that will destroy the system files, data files, or both, when his/her account is deleted. To be prudent, the system administrator must assume that the cracker has multiple mechanisms in place to protect him/herself. Therefore, the system administrator must completely reload the system, which takes an exorbitant amount of resources and time.

Most of the security problems on a system are easily fixed. Since crackers normally have a list of things to look for, these same problem areas should be evaluated and corrected by the system administrator. Problems such as bad passwords, incorrect system setup, unsecured default system parameters, etc. can be identified and corrected before a cracker can exploit them. Removing a vulnerability once an incident has occurred is harder, because it requires a complete understanding of how the breach occurred. There is also the risk of alerting the cracker that he/she has been discovered, allowing the system to be damaged before it is secured and the cracker is denied access.
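The cracker's list of things to look for, turned into the administrator's own check, as an added example that is not NRL's tool or code from the paper: it inspects the rlogin/rsh trust files (/etc/hosts.equiv and per-user .rhosts), the NFS export list and the output of xhost for the setup mistakes that hand out access without a password. File contents are passed in as constructed strings so it runs offline; on a real host they would be read from disk and from running `xhost`. The SunOS-style /etc/exports format (a path with no host list is mountable by anyone) and the suffix that counts as the local domain are assumptions supplied by the caller.

```python
"""Audit of the trust and setup flaws a cracker checks first (added example)."""


def _entries(text: str):
    """Yield the whitespace-split fields of each non-comment, non-empty line."""
    for line in text.splitlines():
        fields = line.split()
        if fields and not fields[0].startswith("#"):
            yield fields


def audit(files: dict, local_domain: str):
    """Return a list of (severity, finding) tuples for the supplied files.

    files: {path: contents}; the key "xhost" carries the output of `xhost`.
    local_domain: host-name suffix considered on-site (assumption).
    """
    findings = []

    # /etc/hosts.equiv: a bare "+" trusts every host on the network for
    # every user; an entry outside the local domain extends trust off-site.
    for fields in _entries(files.get("/etc/hosts.equiv", "")):
        host = fields[0]
        if host == "+":
            findings.append(("high", "/etc/hosts.equiv trusts all hosts (+)"))
        elif not host.endswith(local_domain):
            findings.append(("medium", f"/etc/hosts.equiv trusts outside host {host}"))

    # ~/.rhosts: "+ +" lets anyone log in as that user with no password;
    # any .rhosts for root is a direct path to privilege. The owner is
    # taken from the home directory name (assumed layout /home/<user>).
    for path, text in files.items():
        if not path.endswith("/.rhosts"):
            continue
        owner = path.split("/")[-2]
        for fields in _entries(text):
            if fields[0] == "+":
                findings.append(("high", f"{path}: any host trusted for {owner}"))
            if owner == "root":
                findings.append(("high", f"{path}: root trusts {' '.join(fields)}"))

    # /etc/exports: an exported path with no host list is mountable by anyone.
    for fields in _entries(files.get("/etc/exports", "")):
        if len(fields) == 1:
            findings.append(("high", f"/etc/exports: {fields[0]} mountable by any host"))

    # xhost: with access control disabled any host may open the display,
    # read keystrokes and push synthetic events.
    if "access control disabled" in files.get("xhost", ""):
        findings.append(("high", "xhost: X display access control disabled"))

    return findings


# Constructed sample of a badly set up host.
SAMPLE_FILES = {
    "/etc/hosts.equiv": "# trusted hosts\nbuild1.lab.example\n+\nwkst7.other.example\n",
    "/root/.rhosts": "+ +\n",
    "/home/alice/.rhosts": "build1.lab.example alice\n",
    "/etc/exports": "/usr/src\n/home -access=build1.lab.example\n",
    "xhost": "access control disabled, clients can connect from any host\n",
}

if __name__ == "__main__":
    for severity, finding in audit(SAMPLE_FILES, ".lab.example"):
        print(f"[{severity}] {finding}")
```

Every finding here maps to a one-line fix (delete the "+" entry, remove root's .rhosts, add an access list to the export, run `xhost -`), which is exactly the "test for it, then fix it" pairing the previous section asks for.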

The NRL Approach

The Naval Research Laboratory (NRL) in Washington D.C. is the United States Navy's premier research facility for advanced scientific studies. To ensure the safe and secure operation of its computing resources, advanced Security Test and Evaluation (ST&E) protection measures have been developed which have application in many sensitive computer-based environments. The NRL Computer Security Office is tasked with providing this program for all of the computer systems under NRL control, and for organizations that sponsor activities at NRL. To satisfy our task objectives, the NRL computer security team uses a dedicated pro-active evaluation effort, including some unique tools we have developed, to test the vulnerability and security of virtually any network-based system. These pro-active programs actively seek to attack their target rather than wait for an intrusion from outside to occur.

Test Techniques

The testing employed at NRL is composed of both passive and active techniques that enable the collection of information about each of the computer systems connected to the network, including specific information of value to a potential adversary. This information helps identify ways that individual systems or the entire network could be rendered useless by an opponent with direct or indirect access to the network.

Passive activities include collecting network configuration and interconnect information during network mapping. Searches can be directed at one specific computer in a network or at entire network structures. Another collection scheme monitors information passing between a specific set of sources or destinations and then uses that information to find valid account passwords and usage habits. This information would be helpful to a potential opponent trying to use the network and computer systems without being detected, or copying the source code of software applications under development when it is printed or transferred to an archive or backup system.

Although active activities are possible, they are seldom employed, and then only under very structured control. An active activity could include launching an offensive attack against one or more of the computer systems on the network in an attempt to shut down communications or interoperability over the entire network. This attack may be directed from within or from outside the system. Another active activity could be making an unauthorized entry into a computer system posing as a valid user in an attempt to corrupt software that is being developed, or to place a virus or other malicious code into the system. In either situation, although the network might be recoverable, its mission functions could well be hampered or otherwise reduced for some period of time.

Active tests are organized according to the seriousness and nature of the system. Levels of testing range from Level 0, a check for known holes in the operating systems across the network, to Level 7, a full-fledged attack on remote machines including net-bombardment, downloading of sensitive data, etc.

Statistics on Our "Cracking"

The NRL-implemented security test program has been highly successful in locating and identifying vulnerabilities in the protected on-base networks under our control. At one Navy facility, 72% of the machines tested over a five-day period were found to have problems.

An interesting point from this test was that the entire test program started by cracking only one host name. From that single system a "hack tree" was built with the 72% success rate. In another test, over a six-month period, of over 1000 hosts tested, 9.8% had problems sensitive enough that fixes were required. More important, access was achieved in over 30% of the machines where it was attempted. It is important to note that miscellaneous testing accounts for a significant number of successes, especially in the latter stages of testing, after most of the annoying problems have been cleared up. By that time certain characteristics and trends have started to emerge which provide useful information about systems in general.

After attempting large numbers of systems, the following approximate breakdown by percent can be formulated concerning the way access was achieved: 16.45% had bad passwords gained from earlier testing; 1.26% had easily guessed passwords; 4.43% had mountable file systems (yielding access); 14.55% had problems associated with xhost; 22.15% were problems with /etc/hosts.equiv; 37.97% were trusted hosts of problem machines; 0.63% were problems with tip; and finally 2.53% of the problems were with user account .rhosts files.
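The "hack tree" of the previous section, grown over trust relationships, as an added example that is not the NRL tool or code from the paper: given each host's trusted-host entries (constructed here; on a real network they would be gathered from every machine's /etc/hosts.equiv and .rhosts files, or read off each host as it is entered), a breadth-first walk from one cracked host enumerates every machine reachable without a password. This is the cascade behind the "trusted hosts of problem machines" line above and the one-system-to-72% result. Host names and the trust table are assumptions for the example; a hosts.equiv wildcard is modelled as the entry "+".

```python
"""Hack tree over rlogin/rsh trust from a single cracked host (added example)."""
from collections import deque

# TRUSTS[h] = hosts that h accepts rlogin/rsh from without a password
# (same user name on both ends). Edges point from the trusting host to
# the trusted host; an attacker already on a trusted host walks the edge
# backwards onto the trusting one. Constructed sample.
TRUSTS = {
    "gw":      {"+"},            # hosts.equiv "+": trusts every host
    "build1":  {"ws3", "ws4"},
    "ws3":     {"home"},
    "ws4":     {"home", "ws3"},
    "home":    set(),
    "archive": {"build1"},
    "island":  {"vault"},        # trusts only vault, which trusts no one
    "vault":   set(),
}


def hack_tree(trusts: dict, start: str):
    """Breadth-first walk from `start` over reversed trust edges.

    Returns {reached_host: host_it_was_entered_from}; `start` maps to None.
    A host whose entries contain "+" is reachable from every host.
    """
    admits = {h: set() for h in trusts}          # admits[t] = hosts that trust t
    wildcard = {h for h, trusted in trusts.items() if "+" in trusted}
    for h, trusted in trusts.items():
        for t in trusted:
            if t in admits:
                admits[t].add(h)

    parent = {start: None}
    queue = deque([start])
    while queue:
        cur = queue.popleft()
        for nxt in sorted(admits[cur] | wildcard):  # sorted for a stable tree
            if nxt not in parent:
                parent[nxt] = cur
                queue.append(nxt)
    return parent


def attack_path(tree: dict, host: str):
    """Chain of hosts from the starting point down to `host`."""
    path = []
    while host is not None:
        path.append(host)
        host = tree[host]
    return path[::-1]


def coverage(trusts: dict, start: str) -> float:
    """Fraction of all hosts reachable from `start`, the paper's success-rate figure."""
    return len(hack_tree(trusts, start)) / len(trusts)


if __name__ == "__main__":
    tree = hack_tree(TRUSTS, "home")
    for host in tree:
        print(" -> ".join(attack_path(tree, host)))
    print(f"reachable: {coverage(TRUSTS, 'home'):.0%} of hosts")
```

Cracking the unremarkable workstation "home" reaches six of the eight hosts, including the archive server that trusts nobody except build1; the only machines left out are the pair with no trust path back to the rest of the network. Removing the single "+" in gw's hosts.equiv and the two entries naming "home" prunes the tree to the start host alone.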

Conclusion

As DoD security managers, we must revisit our priority list for the computer resources under our responsibility. We must, in the light of ever increasing threats, continuously re-evaluate our position on security. We must be prepared to make hard decisions that will have a significant impact on the users we support. We must be prepared to allocate resources, either now to fix problems as they are identified, or later to fix systems that have been brought "to their knees" by outside intruders.

The advanced techniques and methodology of the Security Test & Evaluation Program at NRL have proven effective. Many systems directly under our control have been penetrated, resulting in problem identification and corrective action. The analysis methodology and tools developed have led to constant testing and system upgrading to meet our most stringent network security requirements.

[1] Decentralized: The computer equipment operating functions, applications, and responsibility for them are spread throughout the organization.

[2] Dispersed: The computer equipment is spread throughout the organization, but operating functions, applications and support is the responsibility of a centralized function.

[3] Distributed: A single logical system with the physical components spread throughout the organization.

[4] Hacker/Cracker: A cracker is a person who breaks or attempts to breach security on a system, while a hacker is the terminology used to identify a "good" computer programmer.

[5] DoD Directive 5200.28, Security Requirements for Automated Information Systems (AISs), March 21, 1988.