Computer Security Criteria
Rolf Marvin Bøe Lindgren writes: "For most human endeavors that involve some sort of risk, there are powerful, recognized public interest groups or even government-appointed organizations that investigate and analyze dangers, prescribe guidelines, determine criteria for acceptable risk, etc. This does not seem to be the case for software! I work for a ship classification company. The purpose of such companies is, very simply put, to determine how safe seagoing vessels are, for instance in order that insurance companies can decide insurance premiums. There are, needless to say, numerous conventions and special interest groups to determine safety at sea. That is, as far as I know (and I would very much like to be proven wrong), except for the computer systems that the ships use. There are restrictions, laws and regulations involved in just about any object that goes into a ship except the computer system. Everybody seems to know, for instance, that UNIX is safer than Windows, but there are no safety, reliability or security criteria established by any recognized authority that can be used to defend one computer system over another."
"Now, I could ask Slashdot how to go about to form a recognized body, but I have access to competence in that particular matter. What I would rather like to know, is this:
- What might a set of safety criteria be like (I am just now most interested in criteria for computer systems that would address such issues as vulnerability to worms, viruses and crackers)?
- How should one go about finding competent and interested people who would like to be part of a body like the one I describe, or consultants to one?"
Have you looked at any of the work done by SANS (http://www.sans.org) or NIST (which is not necessarily what you're looking for, but in the area of providing guidance, http://www.nist.gov)?
SANS has been publishing a series of "consensus" documents, asking for feedback from people on topics such as securing Windows and Unix versions. They've also put together a working group (pay to join).
If you have looked at these sources, I would be interested to hear how they do or do not fit into what the author of the original question is looking for.
Well, have you checked out these things?
http://www.commoncriteria.org/
http://csrc.nist.gov/cc/pp/pplist.htm
The most secure method is to apply the KISS method (keep it simple, stupid). The fewer lines of code, the fewer places an attacker can gain access. Use lots of encryption (check on theoretical attacks mostly), and use physical safeguards for the system. You possibly want to use OpenBSD, because of the history behind it (4 years with no remote exploits on a default installation), but choose your base carefully. Encrypt all communications (ESP networking) and make sure you have double and triple safeguards. Better to be paranoid than exploited.
Sorry for not making a huge long rambling post, but you really should check out the Risks Digest
--xPhase
The following sentence is TRUE. The previous sentence is FALSE.
Well, I know everyone's going to shoot this one down, but I personally see a huge amount of time, effort and expense wasted on my own company's systems to protect them from the "scourge of the internet" when, upon detailed inspection, there is no good reason that 95% of these boxes NEED connectivity. Before you go about inspecting the various methods of combating the madness (firewalls, routers, off-the-wall OS, tying up the PHB, etc.), ask yourself "do our critical systems need connectivity and if so, to what degree?"
Find out about my new childrens book: SS Death Camp Criminal Batallion Go To Monte Carlo For The Massacre
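One concrete way to answer "to what degree" is to inventory what each box actually listens on and compare it with what the system's stated requirements say it must expose. The script below is an added example, not code from the post above; it assumes Linux `ss -lntup` output, the sample lines are constructed, and the `required` map is a hypothetical per-host policy (process name to the widest bind scope it is allowed). A service bound to loopback is reachable only from the host itself; one bound to 0.0.0.0 or :: is reachable from every attached network.

```python
import re
from dataclasses import dataclass

# Constructed sample in the layout of `ss -lntup` on Linux; not data from a real host.
SAMPLE_SS = """\
Netid State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
tcp   LISTEN 0      128    0.0.0.0:22          0.0.0.0:*   users:(("sshd",pid=812,fd=3))
tcp   LISTEN 0      128    127.0.0.1:5432      0.0.0.0:*   users:(("postgres",pid=901,fd=5))
tcp   LISTEN 0      511    0.0.0.0:80          0.0.0.0:*   users:(("nginx",pid=1100,fd=6))
udp   UNCONN 0      0      0.0.0.0:161         0.0.0.0:*   users:(("snmpd",pid=650,fd=8))
tcp   LISTEN 0      128    [::]:9100           [::]:*      users:(("node_exporter",pid=1300,fd=3))
"""

LOOPBACK = {"127.0.0.1", "::1"}
WILDCARD = {"0.0.0.0", "::", "*"}
RANK = {"loopback": 0, "single-interface": 1, "all-interfaces": 2}


@dataclass(frozen=True)
class Listener:
    proto: str
    addr: str
    port: int
    process: str


def parse_ss(output: str) -> list[Listener]:
    """Parse `ss -lntup` lines into Listener records (header line skipped)."""
    listeners = []
    for line in output.splitlines()[1:]:
        fields = line.split(None, 6)  # netid state recvq sendq local peer process
        if len(fields) < 6:
            continue
        addr, _, port = fields[4].rpartition(":")
        m = re.search(r'\("([^"]+)"', fields[6] if len(fields) > 6 else "")
        listeners.append(Listener(fields[0], addr.strip("[]"), int(port), m.group(1) if m else "?"))
    return listeners


def scope(l: Listener) -> str:
    """How far a socket is reachable, judged from its bind address."""
    if l.addr in LOOPBACK:
        return "loopback"
    if l.addr in WILDCARD:
        return "all-interfaces"
    return "single-interface"


def audit(output: str, required: dict[str, str]) -> list[tuple[str, int, str, str, str]]:
    """Compare every listener against the requirements map.

    Returns (proto, port, process, actual scope, verdict). Anything not in the
    requirements that is reachable off-host is flagged; anything required but
    bound wider than its allowed scope is flagged as over-exposed.
    """
    findings = []
    for l in parse_ss(output):
        actual = scope(l)
        allowed = required.get(l.process)
        if allowed is None:
            verdict = "ok (loopback only)" if actual == "loopback" else "not required: stop or block"
        elif RANK[actual] <= RANK[allowed]:
            verdict = "ok"
        else:
            verdict = f"over-exposed: rebind to {allowed}"
        findings.append((l.proto, l.port, l.process, actual, verdict))
    return findings


if __name__ == "__main__":
    # Hypothetical policy for this host: only ssh and the web front end may face the network.
    policy = {"sshd": "all-interfaces", "nginx": "all-interfaces",
              "postgres": "loopback", "node_exporter": "loopback"}
    for proto, port, proc, sc, verdict in audit(SAMPLE_SS, policy):
        print(f"{proto:3} {port:5} {proc:14} {sc:16} {verdict}")
```

Run the same map against every host in the fleet and the "not required" and "over-exposed" rows are the connectivity that the requirements never asked for; that is the list to cut before spending on firewalls around it.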
Closest is the international Common Criteria. It's the indirect descendant of the old military Orange Book (you know, C2 certified, etc.). The attempt is to come up with multiple standards for each security-critical component. The components are evaluated against the standard. A higher rating means they meet the standard to a stricter engineering criterion.
Some sample standards (or "Protection Profiles") include proxy and packet filtering firewalls.
My sense is the folks overseeing the Common Criteria would like industry groups to sponsor Protection Profile development. For example, banks could come up with profiles for wire transfer components, ATMs, etc. The shipping industry could be another.
BTW, if you visit the Website, there is an interesting line of Common Criteria-branded clothing, for the geek who has everything!
This probably means that critical systems on things like ships should not be running any flavor of Windows, nor maybe Linux either. There are a bunch of OS's made for embedded systems, and due to their small size and simplicity they are much smaller, probably faster, and certainly less vulnerable or even completely invulnerable to this kind of attack. If your requirements are that stringent, that's what you should be using.
Scientists restrict study to entire physical universe; creationist
Um, hate to break it to you, but how the hell do you hack a system that's on a ship and self-contained? Everyone's talking about virus this and worm that; who gives a crap? My guess is that the ship's navigation systems are secluded from anything that would have outside access.
What I'm guessing he wants to know is something more along the lines of this: Windows NT cripples US Navy Cruiser
In which case, he's really asking which software/OS is the least likely to puke and leave you up a creek without a paddle.
I worked for a famous defense contractor located in Fort Worth, TX. My department was responsible for writing requirements for software that was installed on fighter aircraft.
When using a requirements-based system (where you write requirements for software and then the software is written from the requirements), there are multiple checkpoints. First, the requirements document for the software must meet or pass certain criteria. Second, the software must meet or pass the criteria put forth by the requirements document. Third, the software is rigorously tested.
Now, in fighter planes, the software must be incredibly robust - you don't want planes falling out of the sky - and in defense projects, bureaucracy tends to inflate the whole process.
That being said, requirements are an excellent way to control the quality of software, or an installed computer system.
And this is important! We all remember the movie Hackers, in which the Davinci virus was going to cause a bunch of oil tankers to tip over into the ocean. And we all know how closely that movie parallels reality.
--
Disclaimer: The above statement probably includes half-truths, because real truth is too complicated.
Computer security in no way affects human life directly.
"Reboot the air traffic control system."
"How long has the reactor control system been down?"
"Try to get the GPS working again before we enter the harbor in this fog."
Any of these sound like non-life threatening situations? And you did notice the questioner is specifically concerned with the third type of situation I mentioned, didn't you?
Nope, no sig
The FAA has well-known procedures in place for certifying HW and SW for safety. Look up DO-178B, for instance.
It'd be almost trivial for the shipbuilding industry to adapt them to their somewhat lower-risk environment.
--Blair
There is one answer... the US government has published a civilian version of a process that the DoD has been using for a while. It's called the NIACAP (NSTISSC 1000), here.
Simply put: it defines a complete, scalable, tailorable and relevant process to design, test, certify and maintain a system for use.
IF: 1. Good, well-informed individuals identify vulnerabilities during system design and testing,
2. The upper management commits to following the maintenance plan, and
3. The principles of good system design are followed (i.e. KISS, enforcement of least privilege), then many security issues are non-issues.
IMHO, one of the most important things in certifying a system for a critical app is to get the underlying SW from a reputable vendor, one who identifies "Day 0" exploits immediately, preferably one on the Common Criteria list, and offers a modularized package to limit the amount of unused but potentially vulnerable code in the system. No system is going to be immediately perfect now and for its entire lifespan, but follow a good maintenance plan and you may even be able to make an M$ system secure!
"If you know yourself but not the enemy, for every victory gained you will also suffer a defeat." -Sun Tzu
It all depends on the industry in question. Take as an example light bulbs. When you buy a light bulb for your bathroom light, no one really cares. But when you buy a light bulb for your car headlight, you start running into safety regulations. And when you buy a light bulb for your left airplane wing, the FAA is going to be breathing down your neck.
I help build software for invasive diagnostic medical devices. The FDA (and similar organizations for other nations) is very concerned about the software we use. They don't have a checklist of brands, makes and models of software, since that's not the nature of software. But they do audit our development process. ISO compliance is easy. FDA compliance is hard.
For our next project, some boneheads decided on Win2K and "embedded" Win2K. I personally think the decision is stupid. But it probably won't affect the final quality of the device. Why? Because it won't be a stock Win2K, it will be the embedded version, stripped of everything we don't need. We will be in charge of the hardware it runs on. It will be tested under rigorous protocols. Etc.
The FDA doesn't care that it will have Windows on it. But they will care that it operates safely. That means it can't crash while diagnosing a live patient.
A Government Is a Body of People, Usually Notably Ungoverned
Here is another clue I got today from my uni lecturer. If you wanted to run a secure web server, would you run it on NT, Linux, Solaris or the Mac?
*Up go hands of Linux advocates*
Answer: Mac because it is the least available operating system and as such fewer attacks have been created for it, even if there are hypothetically more bugs. As such, you would be less likely to suffer a problem, all else being equal
Back to the article, would a measurement take into account this type of situation? Does Mac get a high rating for low rate of incidents or a low rating because it (probably) has more bugs than Linux. Open question
"Captain -- the minesweeper program's crashed again!"
Don't you understand the importance of gratifying your own ego? Instead, you remind us of a useful link, and go away! How lazy can you get?
Software can't kill people directly, but it controls hardware that can. Also, people frequently depend on systems which include software for life-critical purposes.
Think:
1. 911 call centers
2. Industrial robotics
3. Air Traffic Control
4. Engines with embedded software controls
5. The telephone network
6. The power grid
7. Medical equipment
I'd like to point out that there are documented deaths from software failures in most of these categories.
If you wanted to run a secure web server, would you run it on NT, Linux, Solaris or the Mac?
*Up go hands of Linux advocates*
Answer: Mac because it is the least available operating system and as such fewer attacks have been created for it, even if there are hypothetically more bugs. As such, you would be less likely to suffer a problem, all else being equal.
This is short-sighted, because it does not take into account what you are securing AGAINST. If you are securing against random, non-targeted attacks from script kiddies, you might be right, because said script kiddies aren't going to spend the time to figure the system out... but if you are trying to secure against a real, concerted attack by agents of a competitor trying to steal your ideas or ruin your business, then you have made a very grave mistake.
When you say "all things being equal", then you are saying that 1 defaced web page is exactly equal to 1 stolen top secret formula, which is preposterous. A hypothetical question can not consider all types of attacks to be equal and still produce a valid and meaningful result.
If you use that logic, then using a completely open and unsecured network would be ok if you sealed the computer in a locked metal box, since it would deter physical attacks by baseball bats (ALL attacks are of equal value, right?). Or you could say that adding the line "WWJD" to the telnet login prompt would be a valid defense since it would lower the instance of attacks by Christians by 80%.
Go set him straight.
"Your superior intellect is no match for our puny weapons!"