Slashdot Mirror


Computer Security Criteria

Rolf Marvin Bøe Lindgren writes: "For most human endeavors that involve some sort of risk, there are powerful, recognized public interest groups or even government-appointed organizations that investigate and analyze dangers, prescribe guidelines, determine criteria for acceptable risk, etc. This does not seem to be the case for software! I work for a ship classification company. The purpose of such companies is, very simply put, to determine how safe seagoing vessels are, for instance so that insurance companies can decide insurance premiums. There are, needless to say, numerous conventions and special interest groups to determine safety at sea. That is, as far as I know (and I would very much like to be proven wrong), except for the computer systems that the ships use. There are restrictions, laws and regulations involved in just about any object that goes into a ship except the computer system. Everybody seems to know, for instance, that UNIX is safer than Windows, but there are no safety, reliability or security criteria established by any recognized authority that can be used to defend one computer system over another."

"Now, I could ask Slashdot how to go about forming a recognized body, but I have access to competence in that particular matter. What I would rather like to know is this:

  • What might a set of safety criteria be like (I am just now most interested in criteria for computer systems that would address such issues as vulnerability to worms, viruses and crackers)?
  • How should one go about finding competent and interested people who would like to be part of a body like I describe, or consultants to one?

39 of 285 comments

  1. Human Life by spookysuicide · · Score: 3, Insightful

    I would venture to guess the reason there are so many regulatory bodies involved in overseeing the safety of such things as highways, seagoing vessels, planes, food, etc. and not software is that in the former situation human life is directly at risk, while in the latter human life is, at best, indirectly at risk and usually not at risk at all.

    --
    yes i run a goth/punk/emo porn site.
    1. Re:Human Life by Squeamish+Ossifrage · · Score: 4, Insightful

      Software can't kill people directly, but it controls hardware that can. Also, people frequently depend on systems which include software for life-critical purposes.

      Think:

      1. 911 call centers
      2. Industrial robotics
      3. Air Traffic Control
      4. Engines with embedded software controls
      5. The telephone network
      6. The power grid
      7. Medical equipment

      I'd like to point out that there are documented deaths from software failures in most of these categories.

  2. hm! by prizzznecious · · Score: 3, Funny

    "How do you find people willing to pontificate about what makes one system more secure than another," he naively asked Slashdot. Then came the deluge.

    --

    visit the hwky website for a lyrical genius infusion.
  3. Criteria by DecoDragon · · Score: 5, Informative

    Have you looked at any of the work done by SANS (http://www.sans.org) or NIST (which is not necessarily what you're looking for, but in the area of providing guidance, http://www.nist.gov)?

    SANS has been publishing a series of "consensus" documents, asking for feedback from people on topics such as securing Windows and Unix versions. They've also put together a working group (pay to join).

    If you have looked at these sources, I would be interested to hear how they do or do not fit in to what the author of the original question is looking for.

  4. I work for.. by onion2k · · Score: 3, Funny

    I work for a ship classification company.

    Big ship..

    Little ship..

    Big ship..

    Medium size ship..

  5. common criteria? protection profiles? by mattsouthworth · · Score: 4, Informative

    well, have you checked out these things?

    http://www.commoncriteria.org/

    http://csrc.nist.gov/cc/pp/pplist.htm

  6. Most secure by Geekboy(Wizard) · · Score: 5, Insightful

    The most secure method is to apply the KISS method (keep it simple, stupid). The fewer lines of code, the fewer places an attacker can gain access. Use lots of encryption (check on theoretical attacks mostly), and use physical safeguards for the system. You possibly want to use OpenBSD, because of the history behind it (4 years with no remote exploits on a default installation), but choose your base carefully. Encrypt all communications (ESP networking) and make sure you have double and triple safeguards. Better to be paranoid than exploited.

  7. Risks by xphase · · Score: 4, Informative

    Sorry for not making a huge long rambling post, but you really should check out the Risks Digest

    --xPhase

    --
    The following sentence is TRUE. The previous sentence is FALSE.
  8. Air Gap... by warpSpeed · · Score: 3, Insightful

    First and foremost, keep the computer system closed. Do not hook it up to any outside networks. No networks, no phone lines, no serial connections. That will eliminate quite a bit of risk for attack.

    If that is not an option, then run the outside network connection through a very tight firewall.

    ~Sean

  9. Security by AlaskanUnderachiever · · Score: 5, Insightful

    Well I know everyone's going to shoot this one down but I personally see a huge amount of time, effort and expense wasted on my own company's systems to protect them from the "scourge of the internet" when, upon detailed inspection, there is no good reason that 95% of these boxes NEED connectivity. Before you go about inspecting the various methods of combating the madness (firewalls, routers, off the wall OS, tying up the PHB, etc.) ask yourself "do our critical systems need connectivity and if so, to what degree?"

    --
    Find out about my new children's book: SS Death Camp Criminal Batallion Go To Monte Carlo For The Massacre
  10. Common Criteria is a possibility by Anonymous Coward · · Score: 5, Informative

    Closest is the international Common Criteria. It's the indirect descendant of the old military orange book (you know, C2 certified, etc.). The attempt is to come up with multiple standards for each security critical component. The components are evaluated against the standard. A higher rating means they meet the standard to stricter engineering criteria.

    Some sample standards (or "Protection Profiles") include proxy and packet filtering firewalls.

    My sense is the folks overseeing the Common Criteria would like industry groups to sponsor Protection Profile development. For example, banks could come up with profiles for wire transfer components, ATMs, etc. The shipping industry could be another.

    BTW, if you visit the Website, there is an interesting line of Common Criteria-branded clothing, for the geek who has everything!

  11. If only it were that simple by Spamalamadingdong · · Score: 4, Insightful

    Antivirus programs are always out of date by hours if not longer. If you are hit between the time a virus goes into the wild and the time the update is finally ready and installed, you're hosed. The only solution for safety-critical systems is to have a secure wall between programs and data which cannot be breached by viruses or worms arriving from outside on their own, and preferably not without intervention from a qualified service person (fooling a user is one thing, fooling an expert is something else).

    This probably means that critical systems on things like ships should not be running any flavor of Windows, nor maybe Linux either. There are a bunch of OSes made for embedded systems, and due to their small size and simplicity they are much smaller, probably faster, and certainly less vulnerable or even completely invulnerable to this kind of attack. If your requirements are that stringent, that's what you should be using.

  12. It depends on how the computers are used by tshoppa · · Score: 3, Insightful

    I work for a ship classification company.

    And I work for a railroad that moves a half-million people a day. I like to think they're not too dissimilar industries - when my computers shut down, the railroad stops running. I'm guessing that when your computer stops, the ship stops moving, but that it doesn't sink or explode (i.e. there are hardware items that relieve excess pressure, etc.).

    There are some differences. My trains have low-level hardware (based around gobs of vital relays) that will stop them from running into each other. I doubt ships have anything like this.

    The standards for what you or I do are drastically different from what someone writing software for an airplane's fly-by-wire system has to do. There, if the computer stops or starts doing the wrong thing, it falls out of the sky. Scary stuff.

    So, it depends on what the computer controls, but you haven't given us this information.

  13. Not what he's asking.... by Alcimedes · · Score: 4, Interesting

    Um, hate to break it to you, but how the hell do you hack a system that's on a ship and self contained? Everyone's talking about virus this and worm that, who gives a crap? My guess is that the ship's navigation systems are secluded from anything that would have outside access.

    What I'm guessing he wants to know is something more along the lines of this: Windows NT cripples US Navy Cruiser

    In which case, he's really asking which software/OS is the least likely to puke and leave you up a creek without a paddle.

    1. Re:Not what he's asking.... by bluebomber · · Score: 5, Insightful

      It sounded more like he's asking about general classifications of software systems in terms of security. Maybe he's looking for a scale like the following. (I'm pulling this out of my ass; a real classification committee would have much better rules, and they would spend longer than five minutes putting such a list together.)

      1 - Non Secure

      This describes a public terminal (e.g. what you might see in a shopping mall or your local university computer cluster) that is running MSDOS. The keyboard and mouse aren't even locked down.

      2 - Half-Assed Security

      This describes a public terminal that is securely bolted to the desktop and is locked shut. A log-on prompt appears, but is easily bypassed (e.g. Windows 95, or a Linux box that is bootable via an accessible CDROM or floppy drive). [Alternative: the logon prompt appears but passwords are available by shoulder-surfing, e.g. "employee only" terminals in retail stores.]

      Levels 1 and 2 are a black hat's paradise.

      3 - Almost Secure(tm)

      This describes probably 95% of the unwashed masses connected to the internet. This machine has a firewall and virus scanning installed, but the virus definitions might not be up to date, and the firewall isn't what you'd describe as industrial strength. Some security patches may or may not have been applied, but are probably not completely up to date. This machine might present a challenge for your ordinary script kiddy, but an experienced cracker can probably find a way in. Configurations in this category would include most Windows installations, default Linux installations (older Red Hat, I don't think the newer ones start everything up) that start up every service under the sun, and public web servers that are "sort of" secure but have holes in CGI scripts or are missing security patches. This also describes a lot of corporate wireless networks.

      The black hats enjoy level 3 probably more than 1 and 2, just because of the (slight) extra challenge.

      4 - Pretty Good Security(tm)

      This describes a machine that is physically locked down, but still connected to the network (generally behind an external firewall). Security patches are applied within hours of announcement. Logs are human monitored, and are written either on another machine, or on permanent media (e.g. printer or CDROM). There are no more services running on this machine than absolutely necessary (in other words, a mail server ONLY has ports 25 and 110 open).

      In practice, these don't generally get cracked. When it happens, it is usually physical security -- telling someone your password, sending your password via email, etc. A break-in might also be caused by a yet-unpublished remote exploit in one of the major services (sendmail, bind, apache, etc.). These machines are often susceptible to certain types of DoS attacks (when such attacks can't be stopped at the router/firewall).

      5 - Unbreakable security

      This describes a machine that is physically secure (i.e. the HDD is locked down inside a secure chassis), and has no external network connections. It is also shielded from van Eck and other eavesdropping.

      You won't get into this machine without weapons, "truth serum", or monetary inducements to certain privileged individuals. Also worth noting is that this machine isn't really practical for everyday use...
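
The level-4 rule above ("no more services running on this machine than absolutely necessary", e.g. a mail server with only ports 25 and 110 reachable) is one of the few criteria in this thread that can be checked mechanically. The following is an added example, not code from the thread or from any of the posters: it parses `ss -tln`-style output (the sample rows below are constructed, not captured from a real host), ignores listeners bound only to loopback, and reports any network-reachable port that is not in the allowlist for the machine's role. The role table and port sets are assumptions for illustration; a real audit would derive them from the system's approved configuration.

```python
"""Audit listening TCP sockets against a per-role port allowlist.

Added example for the "only the necessary services" criterion. The
ROLE_ALLOWLIST table and SAMPLE_SS output are constructed for illustration.
"""
import re
from dataclasses import dataclass

# Role -> TCP ports that are allowed to be reachable from the network.
# The "mail" entry mirrors the comment's example of SMTP (25) and POP3 (110).
# Assumed values, not taken from any standard or from the thread.
ROLE_ALLOWLIST = {
    "mail": {25, 110},
    "web": {80, 443},
}

# Listeners bound only to these addresses are not reachable from the network.
LOOPBACK = ("127.0.0.1", "::1")


@dataclass(frozen=True)
class Listener:
    addr: str
    port: int


# Matches the Local Address:Port column of `ss -tln`, e.g. "0.0.0.0:25",
# "[::]:110", "127.0.0.1:3306" or "*:8080".
_ADDR_PORT = re.compile(r"^(?:\[(?P<v6>[^\]]*)\]|(?P<v4>[^:\s]+)):(?P<port>\d+)$")


def parse_ss_output(text: str) -> list[Listener]:
    """Extract (address, port) pairs from the rows of `ss -tln` output."""
    listeners = []
    for line in text.splitlines():
        fields = line.split()
        # Skip the header row and anything that is not a listening socket.
        if len(fields) < 4 or fields[0] != "LISTEN":
            continue
        m = _ADDR_PORT.match(fields[3])
        if not m:
            continue
        addr = m.group("v6") if m.group("v6") is not None else m.group("v4")
        listeners.append(Listener(addr=addr, port=int(m.group("port"))))
    return listeners


def exposed_ports(listeners: list[Listener]) -> set[int]:
    """Ports bound to something other than a loopback address."""
    return {l.port for l in listeners if l.addr not in LOOPBACK}


def unexpected_ports(role: str, listeners: list[Listener]) -> set[int]:
    """Network-reachable ports that the role's allowlist does not permit."""
    return exposed_ports(listeners) - ROLE_ALLOWLIST[role]


# Constructed sample: a "mail" host with SMTP, POP3, a loopback-only
# database listener, and a stray service on 8080 bound to all interfaces.
SAMPLE_SS = """\
State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port
LISTEN  0       128     0.0.0.0:25           0.0.0.0:*
LISTEN  0       128     [::]:110             [::]:*
LISTEN  0       128     127.0.0.1:3306       0.0.0.0:*
LISTEN  0       128     *:8080               *:*
"""


if __name__ == "__main__":
    found = parse_ss_output(SAMPLE_SS)
    extra = unexpected_ports("mail", found)
    if extra:
        print("FAIL: unexpected network-reachable ports:", sorted(extra))
    else:
        print("OK: only allowlisted ports are reachable")
```

On the constructed sample the check reports port 8080 as unexpected while leaving the loopback-only 3306 alone, which is the distinction a reviewer wants: a service that only local processes can reach is a different risk from one listening on every interface. Run against real output, the same function is a cheap nightly audit that catches a service someone enabled without updating the host's approved profile.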

    2. Re:Not what he's asking.... by Sinus0idal · · Score: 5, Informative

      This isn't any longer the case.

      My father is a marine consultant, and I have been to several ships with him, which rely much more heavily than this on computer systems these days.

      One specific example-

      The charts the ship navigates by were running on an NT workstation on the bridge of the vessel. It is no longer a requirement for up-to-date backup charts to be kept on board. A CD is sent to the ship each week updating the charts to the latest version, but the backup paper charts that are kept are not updated at these regular intervals any longer because of the increased reliance on the NT charting software. The GPS onboard the ship updates the ship's current position on the charting software running on the NT workstation so the master can see where they are with respect to the course that has been plotted previously.

      This same ship contains a small network, only consisting of 4-5 computers (it's only a coastal tanker). One for charting on the bridge, one controlling & monitoring the amount of oil flowing on/off the ship in dock, etc., but..

      The ship also has access to email (and consequently attachments) at sea via Inmarsat satellite software + (uh-oh) Microsoft Outlook. If a member of the ship's crew were to open an email attachment apparently from the office, which was in fact a virus, and the network security was not up to scratch, it may have the capacity to shut down not only the ship's main course plotting software (sending them to backup paper charts), but to disturb the monitoring of oil/ballast on & off the ship in the dock.

      There are also proposed improvements which would in effect link the course plotting software with the autopilot, thus controlling the ship's movements from the PC's course plotting software (unless of course any evasive action needed to be taken - the master would switch to manual).

      This is only a small example of the problems that could genuinely be caused if a virus infected some of the more modern ships in today's world.

  14. Rainbow Books by Slashamatic · · Score: 3, Interesting

    One of the oldest sources were the rainbow books, namely the Red and Orange books that were produced by the NCSA. The Orange book addressed standalone systems and the Red book addressed networked computers. Regrettably some systems managed to be passed even though the criteria must have been 'nudged' to allow them to do so. The criteria addressed security but sort of left other aspects out. It was a standing joke that you could switch a computer off and bury it under concrete and it would pass the A criteria of the Orange book.

    Later the EU produced their Green book which looked at availability as well, this is kind of good for information systems but it doesn't really cover real-time control systems.

    A long time ago, I worked on real-time control systems. We divided our systems into control/measurement, supervisory and, at the top, information systems. At the lowest level, we are talking hard real-time and simple enough to be very reliable. They had to be, as they were typically sitting by a man-sized chemistry set. The supervisory systems gave the pretty interfaces; they could crash, but generally they didn't. These were for control rooms, and whilst bypassing them was possible, it wasn't easy. The top level system ran all kinds of complicated software applications that could and would occasionally crash. Apart from the crudest electrical standards for the stuff in the plant and the control room, there were no evaluation criteria.

  15. How a defense contractor handles software by spaten-optimator · · Score: 4, Insightful

    I worked for a famous defense contractor located in Fort Worth, TX. My department was responsible for writing requirements for software that was installed on fighter aircraft.

    When using a requirements-based system (where you write requirements for software and then the software is written from the requirements), there are multiple checkpoints. First, the requirements document for the software must meet or pass certain criteria. Second, the software must meet or pass the criteria put forth by the requirements document. Third, the software is rigorously tested.

    Now, in fighter planes, the software must be incredibly robust - you don't want planes falling out of the sky - and in defense projects, bureaucracy tends to inflate the whole process.

    That being said, requirements are an excellent way to control the quality of software, or an installed computer system.

    And this is important! We all remember the movie Hackers, in which the Davinci virus was going to cause a bunch of oil tankers to tip over into the ocean. And we all know how closely that movie parallels reality.

    --
    Disclaimer: The above statement probably includes half-truths, because real truth is too complicated.
  16. Naive or troll? by drew_kime · · Score: 5, Insightful

    Computer security in no way affects human life directly.

    "Reboot the air traffic control system."

    "How long has the reactor control system been down?"

    "Try to get the GPS working again before we enter the harbor in this fog."

    Any of these sound like non-life threatening situations? And you did notice the questioner is specifically concerned with the third type of situation I mentioned, didn't you?

    --
    Nope, no sig
    1. Re:Naive or troll? by homer_ca · · Score: 4, Insightful

      This is exactly why UCITA is bad. If firmware in embedded controllers gets classified as licensed software, that's immunity from liability for a whole class of products. A big business or government agency would have a legal staff checking their contracts so they don't give away immunity to vendors of critical software, but consumer products are another matter, like the ABS brakes on your car.

    2. Re:Naive or troll? by madfgurtbn · · Score: 3, Interesting

      The VTOL aircraft Osprey has killed US Marines due to a software error which occurred in response to a hardware problem:

      http://www.cnn.com/2001/US/04/05/arms.osprey.02/

      --
      Send lawyers, guns, and money. Dad, get me out of this.
  17. Talk to the FAA by blair1q · · Score: 4, Informative

    The FAA has well-known procedures in place for certifying HW and SW for safety. Look up DO-178B, for instance.

    It'd be almost trivial for the shipbuilding industry to adapt them to their somewhat lower-risk environment.

    --Blair

  18. It's called engineering judgement. by twitter · · Score: 3, Insightful

    Nuclear is the most regulated place in the world, right? Well, even there you have to have people who can think and exercise judgement. Check out 10CFR50-2 for this very important definition:

    Design bases means that information which identifies the specific functions to be performed by a structure, system, or component of a facility, and the specific values or ranges of values chosen for controlling parameters as reference bounds for design. These values may be (1) restraints derived from generally accepted "state of the art" practices for achieving functional goals, or (2) requirements derived from analysis (based on calculation and/or experiments) of the effects of a postulated accident for which a structure, system, or component must meet its functional goals.

    The same logic underlies all design. At some point you have to have engineers you trust and they should be versed in the "state of the art" and all applicable studies.

    In the nuclear industry we can and do rely on vendor studies. Who else but GE is going to know the maximum power levels that are safe with their reactors? They built a full scale model and proved it.

    In the software industry, as you have noticed, things are a little less clear. First, Microsoft is an unethical company. (gotta go before finishing!) You and I both know that Windows is an unstable system. It changes all the time and those changes break programs. Some would even say that Windows is unstable without any changes, and indeed sites that use it typically see 30 day uptimes and no better. Anyone who would rely on such a thing for something that is in any way needed to protect the public safety is incompetent. How that might be worked into a ship is a matter of judgement. I would not use it except as a game platform in the rec room or to look after some system that is superfluous.

    --

    Friends don't help friends install M$ junk.

  19. Risks Associated with Ship Computer Systems. by NateTG · · Score: 3, Interesting

    I recall that a while ago some navy ships were stopped dead in the water due to computer failure, so there are legitimate concerns. Most ships have a large number of fallback systems - notably crew - that can recover from most problems.

    Large ships also benefit from a reasonable physical security structure - limited bridge and engine room access for crew - that helps computer security.

    In light of a natural physical isolation, limiting the net access of the navigation computers is a natural and effective security boost.

    Most of the 'essential' computer systems that are currently used are not OS based, but embedded. It would be silly to worry about the electronic fuel pump in your car getting a worm. These embedded systems are often virus proof because they use ROM program space. Any bugs are the result of programmer error and insufficient testing.

    So, I suspect that only high-level systems like navigation are vulnerable to worms. Now, let's take a look at possible damage.

    Massive failures can be caused by hardware, so there must be a backup system regardless of the software that you choose.

    The same redundant systems can also be used to keep the master system honest.

    In general, good policy and management is more important than what software is used.

  20. Well, history repeats itself, right? by JoeShmoe · · Score: 3, Interesting

    Maybe now that companies are offering hacker insurance some standards and guidelines will develop?

    On the other hand...when has the computer industry ever mirrored any real world industry? We still don't have the equivalent of the Consumer Product Safety Commission, nor is there product liability, recalls, or defect-related lawsuits.

    If there were, Microsoft would make the Ford/Firestone fiasco look like nothing.

    - JoeShmoe


    --
    -- I wonder which will go down in history as the bigger failure: the War on Drugs or the War on Filesharing
  21. Evaluation and Certification by cplcap · · Score: 4, Informative

    There is one answer... the US government has published a civilian version of a process that the DoD has been using for a while. It's called the NIACAP (NSTISSC 1000), here.

    Simply put: it defines a complete, scalable, tailorable and relevant process to design, test, certify and maintain a system for use. IF:

    1. Good, well informed individuals identify vulnerabilities during system design and testing,
    2. The upper management commits to following the maintenance plan, and
    3. The principles of good system design are followed (i.e. KISS, enforcement of least privilege),

    then many security issues are non-issues.

    IMHO, one of the most important things in certifying a system for a critical app is to get the underlying SW from a reputable vendor, one who identifies "Day 0" exploits immediately, preferably one on the Common Criteria List, and offers a modularized package to limit the amount of unused but potentially vulnerable code in the system. No system is going to be immediately perfect now and for its entire lifespan, but follow a good maintenance plan and you may even be able to make a M$ system secure!

    --
    "If you know yourself but not the enemy, for every victory gained you will also suffer a defeat." -Sun Tzu
  22. Depends on the Industry by Arandir · · Score: 5, Interesting

    It all depends on the industry in question. Take as an example, light bulbs. When you buy a lightbulb for your bathroom light, no one really cares. But when you buy a light bulb for your car headlight, you start running into safety regulations. And when you buy a light bulb for your left airplane wing, the FAA is going to be breathing down your neck.

    I help build software for invasive diagnostic medical devices. The FDA (and similar organizations for other nations) is very concerned about the software we use. They don't have a checklist of brands, makes and models of software, since that's not the nature of software. But they do audit our development process. ISO compliance is easy. FDA compliance is hard.

    For our next project, some boneheads decided on Win2K and "embedded" Win2K. I personally think the decision is stupid. But it probably won't affect the final quality of the device. Why? Because it won't be a stock Win2K, it will be the embedded version, stripped of everything we don't need. We will be in charge of the hardware it runs on. It will be tested under rigorous protocols. Etc.

    The FDA doesn't care that it will have Windows on it. But they will care that it operates safely. That means it can't crash while diagnosing a live patient.

    --
    A Government Is a Body of People, Usually Notably Ungoverned
  23. Re:Most secure web server by Glorat · · Score: 5, Interesting

    Here is another clue I got today from my uni lecturer. If you wanted to run a secure web server, would you run it on NT, Linux, Solaris or the Mac?

    *Up go hands of Linux advocates*

    Answer: Mac because it is the least available operating system and as such fewer attacks have been created for it, even if there are hypothetically more bugs. As such, you would be less likely to suffer a problem, all else being equal

    Back to the article, would a measurement take into account this type of situation? Does Mac get a high rating for a low rate of incidents, or a low rating because it (probably) has more bugs than Linux? Open question.

  24. Risks of www.dnv.com by mosch · · Score: 3, Interesting

    Your webmaster, for instance, does not understand how to properly create a website, therefore their website creation software should be listed as high-risk.

    Click on 'classifications', then try to use any of the links on the left, register of vessels and such. The link for that is file:///registerofvessels. Needless to say, that link doesn't work too well on a public internet.

  25. Every ship captain's nightmare by ahde · · Score: 4, Funny

    "Captain -- the minesweeper program's crashed again!"

  26. You should be sorry! by fm6 · · Score: 4, Funny

    Don't you understand the importance of gratifying your own ego? Instead, you remind us of a useful link, and go away! How lazy can you get?

  27. Re:Common Criteria -what about NIST in the US? by turtleshadow · · Score: 3, Informative

    The actual department of the U.S. National Institute of Standards and Time is CSRC. I would point you to the Computer Security Expert Assist Team and their guidelines. Their audit and risk checklists are quite extensive.

  28. Depends on the criteria, too by Spamalamadingdong · · Score: 3, Insightful

    That means it can't crash while diagnosing a live patient.

    Not true; it only has to fail safe. The FDA wouldn't care if it crashed, so long as:

    1. The machine could not malfunction in a way which would harm the patient, and
    2. The machine would not report erroneous data which could lead to harm from subsequent mis-treatment of the patient.

    How you'd demonstrate such things given the legendary instability of Windows, I have no idea.

  29. Your Lecturer is WRONG by gnovos · · Score: 4, Insightful

    If you wanted to run a secure web server, would you run it on NT, Linux, Solaris or the Mac?

    *Up go hands of Linux advocates*

    Answer: Mac because it is the least available operating system and as such fewer attacks have been created for it, even if there are hypothetically more bugs. As such, you would be less likely to suffer a problem, all else being equal.

    This is short sighted, because it does not take into account what you are securing AGAINST. If you are securing against random, non targeted attacks from script kiddies, you might be right, because said script kiddies aren't going to spend the time to figure the system out... but if you are trying to secure against a real, concerted attack by agents of a competitor trying to steal your ideas or ruin your business, then you have made a very grave mistake.

    When you say "all things being equal", then you are saying that 1 defaced web page is exactly equal to 1 stolen top secret formula, which is preposterous. A hypothetical question can not consider all types of attacks to be equal and still produce a valid and meaningful result.

    If you use that logic, then using a completely open and unsecured network would be ok if you sealed the computer in a locked metal box, since it would deter physical attacks by baseball bats (ALL attacks are of equal value, right?). Or you could say that adding the line "WWJD" to the telnet login prompt would be a valid defense since it would lower the instance of attacks by Christians by 80%.

    Go set him straight.

    --
    "Your superior intellect is no match for our puny weapons!"
  30. Accepted security criteria by Lish · · Score: 3, Informative

    The Common Criteria:
    here and here.

    Which supersedes the Orange Book:
    here and here.

    --
    "This message is composed of 100% recycled electrons."
  31. The issue is SAFETY, not SECURITY by Webmoth · · Score: 3, Insightful

    Many people have brought up the SECURITY question here, myself included. But the issue is SAFETY.

    SECURITY asks, will the lock keep out intruders?
    SAFETY asks, will the lock allow personnel to pass quickly in the event of an emergency?

    SECURITY asks, will the window resist breaking in an intrusion attempt?
    SAFETY asks, will the window resist breaking if accidentally impacted? Can the window be used as an egress in an emergency? If the window breaks, will the fractured glass cause injury?

    SECURITY asks, can intruders compromise the ship's navigation or control systems?
    SAFETY asks, will failure or compromise of the navigation or control systems have a negative impact on life or property?

    SECURITY asks, does the system have permission to perform task A while being restricted from performing task B?
    SAFETY asks, are the navigation or control systems able to do the specified job in the specified manner?

    SECURITY asks, how will access be controlled in the event of a system failure or compromise?
    SAFETY asks, how will catastrophic failure be prevented in the event of a single system failure or compromise?

    Hopefully, these questions will give you an idea of the kinds of questions a computer systems safety panel would be responsible for answering. Security is concerned with authority, which is NOT the question here. Safety is concerned with protecting the life and health of personnel and the physical integrity of assets.

    That being said, Michael should go back and revise the headline to read "Computer SAFETY Criteria."

    --
    Give me my freedom, and I'll take care of my own security, thank you.
  32. There are some safety standards by zlooj · · Score: 3, Interesting

    IEC 61508: "Functional safety of electrical/electronic/programmable electronic safety-related systems".
    This standard, which also applies to software (see 61508-3: Software requirements), defines some very stringent requirements for systems that have anything to do with safety, i.e. where a failure of the system could endanger life.
    See the IEC's website for more...

  33. Computer Security Criteria by bul · · Score: 3, Interesting

    Computers for main functions (propulsion, steering, cargo) in a ship have been in use since the mid seventies, and although Rule coverage lagged somewhat behind in the beginning, all major Shipping Classification Societies today have Rules which cover the above use of computers onboard ships. This relates both to hardware and software. E.g., for DNV (Det Norske Veritas) see Rules Pt.4 Ch.9 (Instrumentation and Automation) Sec.4. This is 2.5 pages of what experience has taught us are the most important aspects concerning computers onboard. However, everything else in Pt.4 Ch.9 concerns computers as well as other technology platforms; the Rules are written to be as technology independent as possible.

    The gradual increase, due to expense considerations, in the use of PCs as workstations is something we haven't taken lightly. The hardware needs to prove itself by going through environmental/EMC testing (see Rules Pt.4 Ch.9 Sec.5 and Standards for Certification 2.4), and the software is tested by Approval Test of Application Software, where normal operation as well as reaction to the most probable system failures are tested. Admittedly the first Windows versions were not secure, but today's versions are mostly acceptable, that is if you know which precautions to take.

    Of great concern are young eager software designers who haven't learned their lessons and read the necessary safety documentation before diving into the design phase. It seems DNV as a Classification Society has a similar problem. We would not object if you do some more homework and then revert with your findings! By the way, DNV does have a group working with software analysis as well; as far as I know they are mostly used in a consulting role, for manufacturers developing extremely safety critical systems.

    One last piece of information: DNV consists of 5400 individuals spread all around the world, all trying their best to fulfil our intentions of keeping our customers on the right track with regard to safety matters.

  34. Read this first ... by Zero__Kelvin · · Score: 3, Informative

    Bruce Schneier's Secrets and Lies: Digital Security in a Networked World. Many of your questions will be answered, and you will walk away from the reading with much better questions.

    --
    Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun