Slashdot Mirror


Computer Security Criteria

Rolf Marvin Bøe Lindgren writes: "For most human endeavors that involve some sort of risk, there are powerful, recognized public interest groups or even government-appointed organizations that investigate and analyze dangers, prescribe guidelines, determine criteria for acceptable risk, etc. This does not seem to be the case for software! I work for a ship classification company. The purpose of such companies is, very simply put, to determine how safe seagoing vessels are, for instance in order that insurance companies can decide insurance premiums. There are, needless to say, numerous conventions and special interest groups to determine safety at sea. That is, as far as I know (and I would very much like to be proven wrong), except the computer systems that the ships use. There are restrictions, laws and regulations involved in just about any object that goes into a ship except the computer system. Everybody seems to know, for instance, that UNIX is safer than Windows, but there are no safety, reliability or security criteria established by any recognized authority that can be used to defend one computer system over another."

"Now, I could ask Slashdot how to go about forming a recognized body, but I have access to competence in that particular matter. What I would rather like to know is this:

  • What might a set of safety criteria be like (I am just now most interested in criteria for computer systems that would address such issues as vulnerability to worms, viruses and crackers)?
  • How should one go about finding competent and interested people who would like to be part of a body like I describe, or consultants to one?

21 of 285 comments

  1. Criteria by DecoDragon · · Score: 5, Informative

    Have you looked at any of the work done by SANS (http://www.sans.org) or NIST (which is not necessarily what you're looking for, but in the area of providing guidance, http://www.nist.gov)?

    SANS has been publishing a series of "consensus" documents, asking for feedback from people on topics such as securing Windows and Unix versions. They've also put together a working group (pay to join).

    If you have looked at these sources, I would be interested to hear how they do or do not fit in to what the author of the original question is looking for.

  2. Common Criteria? Protection profiles? by mattsouthworth · · Score: 4, Informative

    Well, have you checked out these things?

    http://www.commoncriteria.org/

    http://csrc.nist.gov/cc/pp/pplist.htm

  3. Risks by xphase · · Score: 4, Informative

    Sorry for not making a huge long rambling post, but you really should check out the Risks Digest.

    --xPhase

    --
    The following sentence is TRUE. The previous sentence is FALSE.
  4. Common Criteria is a possibility by Anonymous Coward · · Score: 5, Informative

    Closest is the international Common Criteria. It's the indirect descendant of the old military Orange Book (you know, C2 certified, etc.). The attempt is to come up with multiple standards for each security-critical component. The components are evaluated against the standard. A higher rating means they meet the standard to stricter engineering criteria.

    Some sample standards (or "Protection Profiles") include proxy and packet filtering firewalls.

    My sense is the folks overseeing the Common Criteria would like industry groups to sponsor Protection Profile development. For example, banks could come up with profiles for wire transfer components, ATMs, etc. The shipping industry could be another.

    BTW, if you visit the Website, there is an interesting line of Common Criteria-branded clothing, for the geek who has everything!

  5. Safety of computer systems... by fruey · · Score: 2, Informative
    ... in a ship's context:

    Backup systems have to be in place, and that is why captains have to be able to navigate manually. Just like how yachts have to have motors in case sails break, etc., and to be able to safely navigate in ports.

    The threat of virii could be minimal because the physical security of the ship's navigation systems should be locked down. No internet access, no floppy disk drives, closed systems, etc.

    However, there have been failures. I remember a Navy Submarine running Windows NT or something, and it crashed (the OS, not the sub). They had backup systems, of course, but they looked pretty stupid. Windows NT Crash on Navy ship

    The key point here is that you can test systems anyway: running for long periods of time, checking memory leakage, hardware failure periods, etc., and bugs that come up are corrected for free, usually, when you're talking about expensive navigation systems.

    Sure, you can lose money for being out of action for a few hours, but that could happen due to any number of other mechanical failures too, so you just calculate some kind of percentage chance of failure based on past history of the navigation system?

    --
    Conversion Rate Optimisation French / English consultant
  6. Talk to the FAA by blair1q · · Score: 4, Informative

    The FAA has well-known procedures in place for certifying HW and SW for safety. Look up DO-178B, for instance.

    It'd be almost trivial for the shipbuilding industry to adapt them to their somewhat lower-risk environment.

    --Blair

  7. Re:Common Criteria? Protection profiles? by InfoSec · · Score: 2, Informative

    Yes! Exactly. There are several standards for the evaluation of computer security. The most accepted today is the Common Criteria of Information Security Evaluation (Common Criteria for short) and the good old Rainbow series from the US Gov't. Particularly the RED book for the evaluation of trusted computer systems and the orange book for the evaluation of trusted networks. There are many more, but the problem is not so much that we need these standards, but that many companies are not willing to go to the expense of implementing them. This leads to shoddy software because no organization or company is paying to check out all of the possible flaws in their systems.

    --

    Wherever you go, there I am...
  8. Re:Naive or troll? by prizzznecious · · Score: 2, Informative

    Someone mod this up. I can't believe the parent post is +5. Many, many lives depend on secure, stable computer systems. Moreover, look for future terrorism to be computer terrorism--that may wake people up to our computer-controlled reality.

    --

    visit the hwky website for a lyrical genius infusion.
  9. Evaluation and Certification by cplcap · · Score: 4, Informative

    There is one answer... the US government has published a civilian version of a process that the DoD has been using for a while. It's called the NIACAP (NSTISSC 1000), here.
    Simply put: it defines a complete, scalable, tailorable and relevant process to design, test, certify and maintain a system for use. If:
      1. Good, well-informed individuals identify vulnerabilities during system design and testing,
      2. The upper management commits to following the maintenance plan, and
      3. The principles of good system design are followed (i.e. KISS, enforcement of least privilege),
    then many security issues are non-issues.
    IMHO, one of the most important things in certifying a system for a critical app is to get the underlying SW from a reputable vendor, one who identifies "Day 0" exploits immediately, preferably one on the Common Criteria List, and offers a modularized package to limit the amount of unused but potentially vulnerable code in the system. No system is going to be immediately perfect now and for its entire lifespan, but follow a good maintenance plan and you may even be able to make a M$ system secure!

    --
    "If you know yourself but not the enemy, for every victory gained you will also suffer a defeat." -Sun Tzu
  10. Re:Human Life by homer_ca · · Score: 2, Informative

    I think you mean the F-16 fighter. It's aerodynamically unstable and needs constant correction from the autopilot to maintain a course. The instability also makes it maneuverable, so the design has advantages too. The SR-71 was built in the early 60s before all this digital crap.

  11. Air Gap by slugfro · · Score: 2, Informative

    Implementing a system with an air gap is definitely a good security measure. However, it is really only practical for certain systems. On a ship, an air gap might be applicable for systems that run the ship's controls (i.e. engines, environmental controls, etc.). These systems may be very important for ship safety and have no need to be in contact with the outside world.

    Then there are the navigation and communication systems. These are very important for a ship but may require limited access to the outside (GPS, etc.). These should be completely separate from the air-gapped systems above and of course implement all other possible security measures (firewall, etc.).

    On a modern ship there will likely be a third level of systems used for personal communication. Web browsing, email and the like are not vital to the safety of human beings onboard the ship and thus do not require as stringent security.

    Using a multiple-system and multi-tiered security model like this may offer the best combination of security, price, and convenience due to not having to secure everything to the highest order.

    --

    -- Find the Truth...
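One way to check a ship's network flow records against the three tiers slugfro describes (air-gapped control, navigation with limited outside access, crew communications), as an added example that is not from the post or from any real vessel; the subnets, ports and flow-log format are constructed assumptions:

```python
import ipaddress

# The three tiers from the post; subnets and ports are constructed for this example.
ZONES = {
    "control": ipaddress.ip_network("10.0.1.0/24"),     # engines, ballast: air-gapped
    "navigation": ipaddress.ip_network("10.0.2.0/24"),  # charting, GPS, comms
    "crew": ipaddress.ip_network("10.0.3.0/24"),        # web browsing, e-mail
}
# Cross-tier flows the model permits as (src zone, dst zone, dst port); "outside"
# is any address in no ship zone.  Everything not listed is a violation.
ALLOWED = {
    ("navigation", "outside", 443),  # chart updates from the shore office
    ("crew", "outside", 443),
    ("crew", "outside", 25),
    ("crew", "outside", 110),
}

def zone_of(addr):
    ip = ipaddress.ip_address(addr)
    for name, net in ZONES.items():
        if ip in net:
            return name
    return "outside"

def parse_flow(line):
    """Parse a constructed flow-log line like 'src=10.0.3.5 dst=10.0.1.2 dport=502'."""
    f = dict(kv.split("=", 1) for kv in line.split())
    return f["src"], f["dst"], int(f["dport"])

def check_flows(lines):
    """Return one reason string per flow that breaks the tiered model."""
    violations = []
    for line in lines:
        src, dst, dport = parse_flow(line)
        s, d = zone_of(src), zone_of(dst)
        if s == d:
            continue  # traffic within one tier is that tier's own business
        if "control" in (s, d):
            violations.append(f"air gap breached: {src} -> {dst}:{dport}")
        elif (s, d, dport) not in ALLOWED:
            violations.append(f"cross-tier flow not permitted: {s} -> {d}:{dport}")
    return violations

SAMPLE_LOG = [  # constructed flow records, not from any real vessel
    "src=10.0.3.5 dst=203.0.113.9 dport=443",    # crew browsing: fine
    "src=10.0.2.10 dst=203.0.113.20 dport=443",  # chart update: fine
    "src=10.0.3.5 dst=10.0.2.10 dport=445",      # crew PC reaching the chart workstation
    "src=10.0.2.10 dst=10.0.1.2 dport=502",      # chart workstation reaching ballast control
    "src=10.0.1.2 dst=10.0.1.3 dport=502",       # inside the control tier: fine
]
```

Any line the control tier appears in is reported regardless of port, since the air gap means no cross-tier traffic at all; the other tiers are checked against the explicit allow list.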
  12. FDA Examples by Torgo's+Pizza · · Score: 2, Informative
    If you want examples on a governmental body checking computer software, look no further than the FDA. The Good Manufacturing Practices for 21 CFR Parts 210, 211 and 810 are the bane of anyone trying to get FDA validation for their company. It covers everything from system setup, networks, vendor experience, change control, electronic signatures and testing. It will make IT sysadmins cringe in fear.

    Simply do any Google search on "FDA 21 CFR" and you'll find hordes of information that you can use.

  13. Re:Not what he's asking.... by Sinus0idal · · Score: 5, Informative

    This isn't any longer the case.

    My father is a marine consultant, and I have been to several ships with him, which rely much more heavily than this on computer systems these days.

    One specific example-

    The charts used to navigate the ship were running on an NT workstation on the bridge of the vessel. It is no longer a requirement for up-to-date backup charts to be kept on board. A CD is sent to the ship each week updating the charts to the latest version, but the backup paper charts that are kept are not updated at these regular intervals any longer because of the increased reliance on the NT charting software. The GPS onboard the ship updates the ship's current position on the charting software running on the NT workstation so the master can see where they are with respect to the course that has been plotted previously.

    This same ship contains a small network, only consisting of 4-5 computers (it's only a coastal tanker). One for charting on the bridge, one controlling & monitoring the amount of oil flowing on/off the ship in dock, etc., but..

    The ship also has access to email (and consequently attachments) at sea via Immersat satellite software + (uhh-ohh) Microsoft Outlook. If a member of the ship's crew were to open an email attachment apparently from the office, which was in fact a virus, and the network security was not up to scratch, it may have the capacity to shut down not only the ship's main course plotting software (sending them to backup paper charts), but to disturb the monitoring of oil/ballast on & off the ship in the dock.

    There are also proposed improvements which would in effect link in the course plotting software with the autopilot, thus controlling the ship's movements from the PC's course plotting software (unless of course, any evasive action were needed to be taken - the master would switch to manual).

    This is only a small example of the problems that could genuinely be caused if a virus infected some of the more modern ships in today's world.

  14. Re:Common Criteria -what about NIST in the US? by turtleshadow · · Score: 3, Informative

    The actual department of the U.S. National Institute of Standards and Time is CSRC. I would point you to the Computer Security Expert Assist Team and their guidelines.
    Their audit and risk checklists are quite extensive.

  15. Practical Security Sign-off by Anonymous Coward · · Score: 1, Informative

    I worked for a financial software company which needed to assure its clients that our software was secure. The way we did this was to approach a security consulting company, like ISS, pay them a reasonable fee, give them access to the source and engineers, and produce a report of their findings. We then shared that report with our customers, with comments about how we're addressing the various vulnerabilities. This provided the practical level of assurance that our customers needed.

  16. Accepted security criteria by Lish · · Score: 3, Informative

    The Common Criteria:
    here and here.

    Which supersedes the Orange Book:
    here and here.

    --
    "This message is composed of 100% recycled electrons."
  17. software fault tolerance, and other possible stuff by Anonymous Coward · · Score: 1, Informative

    I think a large part of evaluating this topic would be software fault tolerance. Mostly, I think that the methods in this area are full of crap, and there are some papers out there to back me up. Search for papers by Leveson for the naysayers and Avizienis for the proponents. These are papers describing methods of developing fault tolerant software systems. I think you would like to say that a software system that will keep running in adverse conditions is better than one that won't. Hardware fault tolerance is much better in the reliability area, and N-way redundancy makes more sense there, since you're protecting against faults other than design faults. Software's problems are design faults, and so the fault is likely to be replicated N times. A good book on this topic, extremely technical in nature, is edited by M. R. Lyu: "Software Fault Tolerance".

    The FAA method is probably better in general. Test EVERY line, full call path, every branch etc. It's a real pain and makes software SUPER expensive. I think tools like Ballista would be a big help, if people used them. But then you still have to test against a well defined spec; and I would love to see one of those for the software that I write....

    I would hope that you have the leverage to increase the use and methods of tools like Ballista and maybe make passing an independent test get a better discount on insurance. It appears that there are some good links already, but the Software Engineering Institute at CMU does research in this area, mostly for US DoD, but I'm sure they have lots of lofty ideas, if not good practice. HP and IBM have also done some interesting work, but it's been a while since I was looking into this topic.

  18. Guidelines for writing secure programs (HOWTO) by dwheeler · · Score: 2, Informative

    You might find my Secure Programming for Linux and Unix HOWTO useful. It's a set of guidelines for writing secure programs, including writing web applications, clients, viewers (including word processors), setuid/setgid programs, and so on. It's focused on Linux and Unix, but most of the general principles apply to all systems.

    --
    - David A. Wheeler (see my Secure Programming HOWTO)
  19. Talk to the security / safety experts by Anonymous Coward · · Score: 1, Informative

    Start with:

    Bruce Schneier at Counterpane Systems

    Ross Anderson at Cambridge

    and especially: Nancy Leveson at MIT

    A google search will generate contact information. Good luck!

  20. safety critical systems by colinmc · · Score: 2, Informative

    There has been a lot of work on establishing standards for safety critical systems. Search Google or try http://www.afm.sbu.ac.uk/safety/ as a start.

  21. Read this first ... by Zero__Kelvin · · Score: 3, Informative

    Bruce Schneier's Secrets and Lies: Digital Security in a Networked World. Many of your questions will be answered, and you will walk away from the reading with much better questions.

    --
    Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun