International Security Forum Newsletter (Quarterly), ISSS, Fall 1992, Bethesda, MD

New Directions in Proactive Network Security

Debra S. Isaac
ADP Security Officer, Code 1220.2
Naval Research Laboratory
4555 Overlook Ave SW
Washington D.C. 20375

Dr. Bruce C. Gabrielson
Locus, Inc.
Alexandria, VA

Pushing to a New Level

Network security issues have emerged at the forefront of a host of automated data processing concerns in recent years. As interconnects between operating systems with immensely different security capabilities have become commonplace, protecting the weakest link in the chain has become a major problem. To protect these ever wider area networks, those responsible for maintaining the security of their data have by necessity been forced to go to ever greater lengths to determine the hardness of their protective measures. One such scheme is to assume the role of a would-be hacker/cracker, and then try various means to gain access to the protected information. The assumption of this role has led to the creation of a new breed of "good guys" who have developed advanced tools and methodologies that can quickly find and fix security problems in most network topologies.

At least one DoD organization has taken the lead in developing both the new breed of investigator and the advanced tools necessary to protect the security of sensitive networks. The Naval Research Laboratory's ADP Security Office, Code 1220.2, provides a system testing and evaluation (ST&E) program for all of the computer-based systems at NRL, and also for organizations that sponsor activities at NRL. These "building block" systems include local and wide area networks, stand-alone networks with remote terminals, and Command, Control, Communications, Computer and Intelligence (C4I) systems. The ST&E program includes testing in a number of areas, one of which is the configuration and security of all information that can be gathered remotely by a potential unauthorized user through direct or indirect means.

Tools of the Trade

One of the more interesting activities to emerge from the ongoing ST&E effort at NRL has been directed towards the development of a proactive software program which enables security managers to crack into their own secure networks. A proactive program is one that actively seeks to attack its target rather than waiting for something to develop. Once into a network using the proactive program and approach methodology, the security manager can then assume the role of an adversary and operate in a passive or active manner to monitor or otherwise perform manipulative functions. Playing such a role not only ensures high visibility for the system security manager's activities within the organizational structure, but also ensures quick and full-fledged attention to correcting any of the many potential loopholes within the system architecture.

The proactive program coupled with organizational support offers a multi-layered approach to system testing. The techniques and tools were initially developed by researchers at the Naval Research Laboratory to help security personnel analyze the vulnerability of the many interconnected networks at the lab. Combining software tools with the skills and experience of a dedicated staff provides the capability to do extensive system testing and evaluations of computer systems over any type of network.

Current testing is composed of both passive and active activities that enable evaluators to collect information about each of the computer systems connected to the network, including specific information of value to a potential adversary. This information helps identify ways that individual systems or the entire network could be rendered useless at a specific date/time by an opponent with direct or indirect access to the network.

Passive activities include collecting network traffic that passes a network monitor between a specific set of sources or destinations, and then using the collected information to find valid account passwords and usage habits. This information would be helpful to a potential opponent trying to use the network and computer systems without being detected, or copying source code for software applications under development while it is being printed or transferred to an archive or backup system.
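As an added illustration of the passive step described above (not code from the original article or from NRL), the following Python audit runs over constructed network-monitor records and reports which accounts and services send credentials in the clear on flows touching a watched set of hosts, together with each account's login hours. The record layout, host addresses, account names and prompts are all assumptions for the example; the point is to show a security manager what an observer on the wire could collect, so those services can be moved to an encrypted protocol.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample of lines a passive network monitor might record:
# (timestamp, source, destination, service, captured text). These are
# invented values for the example, not taken from the original article.
SAMPLE_RECORDS = [
    ("1992-09-14 08:05:12", "10.0.1.7", "10.0.2.20", "ftp", "USER jsmith"),
    ("1992-09-14 08:05:13", "10.0.1.7", "10.0.2.20", "ftp", "PASS hunter2"),
    ("1992-09-14 08:06:30", "10.0.1.9", "10.0.2.21", "telnet", "login: adavis"),
    ("1992-09-14 08:06:31", "10.0.1.9", "10.0.2.21", "telnet", "Password: s3cret"),
    ("1992-09-14 17:45:02", "10.0.1.7", "10.0.2.20", "ftp", "USER jsmith"),
    ("1992-09-14 17:45:03", "10.0.1.7", "10.0.2.20", "ftp", "PASS hunter2"),
    ("1992-09-15 08:02:40", "10.0.3.4", "10.0.2.22", "ssh", "<encrypted>"),
]

# Cleartext commands/prompts that carry an account name or a password.
USER_RE = re.compile(r"^(?:USER|login:)\s*(\S+)$")
PASS_RE = re.compile(r"^(?:PASS|Password:)\s*(\S+)$")


def audit_cleartext_credentials(records, watched_hosts):
    """Return one finding per account whose password crossed the wire in
    the clear on a flow touching a watched host. The password value itself
    is discarded; the report only needs the exposed account and service."""
    pending = {}   # flow -> account name seen, awaiting its password line
    findings = []
    for ts, src, dst, service, text in records:
        if src not in watched_hosts and dst not in watched_hosts:
            continue
        flow = (src, dst, service)
        m = USER_RE.match(text)
        if m:
            pending[flow] = m.group(1)
            continue
        if PASS_RE.match(text) and flow in pending:
            findings.append({"time": ts, "account": pending.pop(flow),
                             "service": service, "client": src, "server": dst})
    return findings


def usage_habits(findings):
    """Summarise the hours of day at which each exposed account logs in,
    the kind of pattern an observer would need in order to blend in."""
    hours = defaultdict(set)
    for f in findings:
        hours[f["account"]].add(
            datetime.strptime(f["time"], "%Y-%m-%d %H:%M:%S").hour)
    return {acct: sorted(h) for acct, h in hours.items()}
```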

Active activities can include launching an offensive attack against one or more of the computer systems on the network in an attempt to shut down communications or interoperability over the entire network. This attack could be directed from within the system or from outside it. Another active activity could be making an unauthorized entry into a computer system while posing as a valid user, in an attempt to corrupt software that is being developed or to place a virus or other malicious code into the system. In either situation, although the network might be recoverable, its mission functions could well be hampered or otherwise reduced for some period of time. The tests can be organized according to the criticality of the system, with levels ranging from a simple check for known holes in UNIX and other operating systems across the network, to a full-fledged attack on remote machines including net-bombardment, downloading of sensitive data, etc.

What Can A Proactive Security Program Do For Your System?

The justification for establishing a proactive security program is straightforward. For organizations worried about the vulnerability of their C3I or C4I networks, finding the hole in their system has always been the ultimate goal of the hardness team. Computer security teams, normally with sponsor approval, are required to use a dedicated evaluation effort, including whatever tools are available, to test the vulnerability and security of their systems. The advantages of knowing ahead of time what can happen far outweigh the consequences of a potential adversary gaining access to a protected or sensitive system. Finding a network's potential vulnerabilities, hidden viruses or any other intruder problem areas is difficult, but once found, these threats to a system can usually be eliminated expeditiously. However, unless a dedicated effort to find the holes is established, there will always be the question of just how good "good" is.