August 1991 Computer Fraud & Security Bulletin
UIS Security has released UIS-Patrol, which audits networks under the VAX/VMS environment for security holes and generates appropriate DCL commands to fix them. A summary reporting feature is included which enables a system manager to review the system security status. Other features include checking of the operating system, file security, passwords, inappropriate access hours and types, and general accounts. For more details contact Bill Osteraas on +1 617 861 6262.
COMMUNICATIONS SECURITY
Risk Analysis and Electronic Surveillance
Owen Lewis
Eloka Services, UK
There are particular risks to security in the electronic handling of information. Some of this risk results from natural phenomena associated with all electronic circuitry. Detail on the exploitation of these natural phenomena for the covert acquisition of information is not widely published, yet there is information in the public domain to warn of the serious risks that arise from them.
The UK Government, through the Communications and Electronics Security Group, has briefed interested financial institutions on the nature of this security threat and allowed TEMPEST standard BTR 01/210 to be established. Last year, CFS gave coverage to some aspects of the risks of passive electronic surveillance in the August 1990 issue.
This article categorizes the threats to information systems from electronic surveillance, offers a basic perspective with which threats may be gauged according to the value of the target information and concludes with a linked categorization of countermeasures.
An awkward threat
There are three main ways by which information can be abstracted by electronic surveillance. Firstly, equipment may be connected (tapped) directly into a legitimate communication channel. This is essentially what a hacker will do, but with an important difference. Whereas a hacker must interact with the system to elicit information, an electronic eavesdropper passively collects all the communications passed in the channel(s) tapped into. Collation and analysis of the take may happen in near real time or may be performed later in a separate operation. Secondly, where information is deliberately communicated through the ether, as with a wireless LAN or by wireless link between remote sites, it can be intercepted by an eavesdropper.
Thirdly, information is involuntarily radiated from all circuitry, including cables, through which it passes in electronic form. Unless measures are taken to prevent such an occurrence, this radiation allows the collection of information to be made without any connection to the target system, albeit at limited ranges. Dependent on a variety of factors, the receiving point may have to be within millimeters of the source or may perhaps be kilometers away. Even in a cypher protected system, plain text should be obtainable from the points at which information passes into or out of the system. Where collection has to be made close to the source, the take can be covertly retransmitted to a convenient point elsewhere in the premises or outside, using a ‘bug’.
Vulnerabilities of encryption
The prime means of protection against the first and second categories of threat is the encryption of information while it is in transmission. Not all cypher systems have the same strength, and the real possibility of defeating a cryptographically protected system is worth noting.
©1991 Elsevier Science Publishers Ltd
Commercially available cypher systems start with the password encryption of data files offered in some major software packages. (N.B. password protection systems that only control application or file access, without encyphering the files, should not be considered as security measures but rather as limited means of privacy.) Files collected in password encrypted form can, using an appropriate software tool, be decrypted within minutes. This form of attack usually relies on establishing patterns of repetition in a sufficient sample of encyphered text. Accordingly, such a cypher cannot be considered a sufficient security measure in itself against a skilled attack.
At the other end of the commercial online cypher scale is the NBS Data Encryption Standard (DES). Though approaching twenty years old, this system is still rated by the US Government as ‘munitions’ technology and its legal end-user supply is limited to financial institutions and other customers of similar standing in a restricted list of countries. This system relies for its protection on a 56 bit key. In a known plain text attack, the cryptanalyst must try up to 2^56 key combinations to establish which one gives the known text. In 1977, Diffie and Hellman published an article calculating that with late seventies’ technology, it would be possible to construct a computer for $20 million that would exhaustively determine a DES key in 7.2 x 10^4 seconds (approximately 20 hours). Their claims were not disputed by the authors of DES, who counter claimed, probably quite correctly at that time, that the level of difficulty (expense) in breaking DES would prevent DES from being the weakest link in a system’s security. Given the rate of development of computer technology and falling real costs, such a computer might now cost no more than $5 million. In any event, $20 million is not what it once was!
Where a good cypher system (e.g. DES) is used, the third category of electronic surveillance is particularly worrying. This form of attack may obtain an amount of plain text information from a single location - a significant security breach in itself. If that take is then used as known plain text to break out the DES key used across a large, possibly global, network, then the technical complexity and expense in obtaining information from many points in the target system is greatly reduced. The protection given by the cypher is grossly eroded.
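To make the cost-of-breaking argument in the two paragraphs above reusable, the following Python is an added example (not from the article) that carries the quoted DES figures through: the key-test rate a $20 million, 20-hour machine implies, what the same budget buys once the machine costs $5 million, and how many key bits restore the 1977 margin. Linear scaling of machine cost with search rate is an assumption of the example, not a claim of the article.

```python
"""Exhaustive key-search economics, worked from the article's figures: a 56-bit
DES key, a $20 million machine (Diffie and Hellman, 1977) that tries every key
in 7.2e4 seconds, and the article's estimate of $5 million for the same machine
today. Linear scaling of cost with search rate is this example's assumption."""
from math import log2

KEY_BITS_DES = 56
DH_1977 = {"cost_usd": 20e6, "seconds": 7.2e4}  # figures quoted in the article
SAME_MACHINE_NOW_USD = 5e6                      # the article's 1991 estimate


def implied_key_rate(key_bits: int, seconds: float) -> float:
    """Keys per second needed to try all 2**key_bits keys in `seconds`
    (the worst case of a known-plaintext exhaustive search)."""
    return 2 ** key_bits / seconds


def search_seconds(key_bits: int, keys_per_second: float, average: bool = False) -> float:
    """Time to find the key at a given rate: worst case, or on average half of it."""
    total = 2 ** key_bits / keys_per_second
    return total / 2 if average else total


def machine_cost(key_bits: int, seconds: float, ref_cost: float, ref_rate: float) -> float:
    """Cost of a machine finishing in `seconds`, scaled linearly (assumption)
    from a reference machine costing `ref_cost` that tests `ref_rate` keys/s."""
    return ref_cost * implied_key_rate(key_bits, seconds) / ref_rate


def minimum_key_bits(budget: float, deadline_s: float, rate_per_dollar: float) -> float:
    """Key length (round up) beyond which an attacker with `budget` cannot try
    every key within `deadline_s`; each extra bit doubles the attacker's work."""
    return log2(budget * rate_per_dollar * deadline_s)


def des_margin_report() -> dict:
    """Carry the article's numbers through and return the intermediate results."""
    rate_1977 = implied_key_rate(KEY_BITS_DES, DH_1977["seconds"])
    per_dollar_now = rate_1977 / SAME_MACHINE_NOW_USD  # same rate, a quarter of the price
    return {
        "keys_per_second_1977": rate_1977,                   # about 1.0e12
        "hours_worst_case_1977": DH_1977["seconds"] / 3600,  # 20 hours
        # what $20 million buys at 1991 prices: four machines' worth of search rate
        "hours_for_20M_now": search_seconds(KEY_BITS_DES, DH_1977["cost_usd"] * per_dollar_now) / 3600,
        # key length that restores the 1977 margin against the same budget and deadline
        "bits_needed_now_for_1977_margin": minimum_key_bits(DH_1977["cost_usd"], DH_1977["seconds"], per_dollar_now),
        # 1977 price of a machine that finishes in one hour instead of twenty
        "cost_for_one_hour_1977": machine_cost(KEY_BITS_DES, 3600, DH_1977["cost_usd"], rate_1977),
    }


if __name__ == "__main__":
    for name, value in des_margin_report().items():
        print(f"{name}: {value:,.4g}")
```

The report shows the asymmetry the article relies on: a fourfold fall in price buys the attacker only two key bits, while a twentyfold shorter deadline costs twenty times the budget.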
Characteristics of electronic surveillance
Examination of precedent can be a useful yardstick in determining resource allocation to diminish risk, and it is often so used. For some risks (e.g. fire) there is a substantial body of evidence as to the statistical likelihood of occurrence and of the diminution or avoidance of loss achieved by known countermeasures. This is not the case for electronic surveillance. Some techniques of electronic surveillance are undetectable and all, except the most primitive, should avoid detection other than by appropriate technical searches. Statistical studies of computer security failures report that the incidence of electronic surveillance is virtually nil. For information risk analysis, uncritical reliance on established precedent will be fatal. Unlike fire, detection of electronic surveillance is rare.
Electronic surveillance complicates risk analysis because of two particular features. Once the requisite surveillance means are deployed and a satisfactory system for collation, analysis and reporting is established, the flow of purloined information will continue for as long as desired or until a change in the targeted system invalidates some part of the surveillance. In such circumstances, every time valuable information is handled electronically it will be compromised. The haemorrhage of information is either completely undetectable or will not be detected by normal physical and software access controls, transaction accounting or systematic auditing.
A sensible balance
Comprehensive electronic surveillance requires a highly trained team, using expensive equipment, possibly working round the clock for an indefinite period. The necessary difficulties and expense in mounting such a covert effort mean that great advantage must be expected for the outlay to be made worthwhile. However, where no specific precautions are taken, information is available by the use of relatively simple techniques requiring only limited resources. Between these two extremes, as counter electronic surveillance measures are taken, the complexity and expense of a surveillance effort rises exponentially.
Risk analysis requires establishment of the level of value that various types of information have, in terms of the damage that could be caused by their compromise. These levels of damage then need to be assigned a monetary value. A logarithmically incremental scale, as used in Courtenay analysis, is most useful because it avoids the need to attempt overly precise valuation. Some information is relatively easy to quantify in monetary terms directly, e.g. investment in an R&D project. Less easy to quantify might be the loss of confidentiality in a professional advisor’s sensitive dealings with his clients. However, in cases where no countermeasures have been implemented, there is a clear possibility of personal liability for top management who ignore unacceptable risk in the face of a body of evidence.
Electronic surveillance risk
Not all information needs protection from electronic surveillance. The following are suggested as basic ground rules. Firstly, all forms of information processing and transfer must be determined, as a failure of security in any one may invalidate security in the others. All means except manuscript transcription and the communication of information by the transportation of physical media are susceptible to some application of electronic surveillance. Secondly, if, through risk analysis, managers can identify a financial risk beyond that which their organization can prudently bear, then some countermeasures to electronic surveillance must be included in the overall protection package. As with any countermeasures, these may not aim to eliminate all risk but rather to retain risk within acceptable limits.
The following is offered as a basis for assessing electronic surveillance threat according to the determined value of target information:
Level 1. Where risk to be diminished is assessed at less than $300 000, then countermeasures to electronic surveillance are likely to form only a small part of the overall information security arrangements.
Level 2. Between a risk level of $300 000 and $30 million a comprehensive counter electronic surveillance plan should be developed as an integral part of the overall security architecture.
Level 3. At a risk level in excess of $30 million, a painstaking and thorough threat assessment and critical examination of countermeasures will be required. A potential target at this level would warrant a comprehensive, determined and long term information collection effort through electronic surveillance.
Level 4. Above the $300 million risk level, the security weaknesses in electronic hardware - including communications security devices themselves - need to be well understood and compensated. Also, the real level of security provided by commercially available cyphers needs careful assessment.
Countermeasures for risk diminution
The levels suggested are not definitive but allow the development of a reasoned approach by any concern considering its security of information.
Level 1. At this level the target should be too small to warrant permanent electronic surveillance. However, a target in this range may attract electronic surveillance from an adversary if valuable information can be gained in a short period. The main defences will be good physical and software access controls, defensive installation layout and information handling procedures with limited technical checking (sweeping) for the operation of taps and bugs.
Level 2. Perhaps worth a limited long term surveillance or a large short term attack. A rider must be that the adversary would need either already to possess the means, both in terms of equipment and personnel, to carry out a large scale attack or be able to employ a contractor who can. Regular electronic sweeping should be instigated. The actual electromagnetic radiation profile of premises should be determined and defensive measures tailored accordingly. File encryption should be routine for all valuable information with consideration given to some selective encryption facilities for speech and fax transmission.
Level 3. An adversary might expect an excellent return for long term electronic surveillance. A formal information security policy must be formulated and specifically address all types of threat. A developed security plan will direct the execution of that policy. Detailed security instructions minute the plan’s implementation. A key part of the information security planning is the devolution of responsibility to staff posts not more than one or two levels above that nominated for implementation of specific measures. Classify documents (i.e. finite pieces of information) concerning high value/sensitive items. Handling of such information should be specifically restricted to identified staff posts and particular means of processing, storing and communication. At least part of these means should be TEMPEST protected and have good cryptographic protection.
Level 4. At this level of risk, it must be considered whether commercially available technical countermeasures to electronic surveillance are entirely adequate for the purpose envisaged by the user and, if they are not, how they can be made so. The subject organization’s interest may be best served by establishing its own team with facilities for design, testing and limited production of both software and hardware for some of its own needs.
©Eloka Services Limited 1991
SECURE SYSTEMS MANAGEMENT
Computer Crime vs. Internal Control Systems
Silvano Ongetta
Price Waterhouse, Milan, Italy
If the United States, a country which has always been in the forefront in the automation of productive processes, can be taken as an example of what happens in the area of computer crime, then we can only expect difficult times with respect to the security of data.
We are fortunate, however, to be able to study the phenomenon, to learn from the negative experience of others and make preparations for an adequate defence. We have to act promptly because, even here in Italy, the problem of computer crime is assuming enormous proportions both in terms of economic loss and frequency. It is no longer a case to be studied by a small group of specialists in the field of data security, but has also become a news item.
The news media often openly reports computer crimes in abundant detail. I say this in jest, but it looks as though the media is almost trying to promote its perpetration.
Certain specialized computer magazines even carry a regular column on these crimes. The problem is there and requires our attention, also because the issue is probably greater, since experts maintain that what becomes news is only the tip of the iceberg.
Very often, in fact, the companies which have been damaged by computer frauds do not report what happened and prefer not to divulge the news. This is to avoid alarming their clientele and explicitly admitting that their data security system is not very reliable.