
August 1991 Computer Fraud & Security Bulletin

UIS Security has released UIS-Patrol, which audits networks under the VAX/VMS environment for security holes and generates appropriate DCL commands to fix them. A summary reporting feature is included which enables a system manager to review the system security status. Other features include checking of the operating system, file security, passwords, inappropriate access hours and types, and general accounts. For more details contact Bill Osteraas on +1 617 861 6262.

COMMUNICATIONS SECURITY

Risk Analysis and Electronic Surveillance

Owen Lewis

Eloka Services, UK

There are particular risks to security in the electronic handling of information. Some of this risk results from natural phenomena associated with all electronic circuitry. Detail on the exploitation of these natural phenomena for the covert acquisition of information is not widely published, yet there is information in the public domain to warn of the serious risks that arise from them.

The UK Government, through the Communications and Electronics Security Group, has briefed interested financial institutions on the nature of this security threat and allowed TEMPEST standard BTR 01/210 to be established. Last year, CFS gave coverage to some aspects of the risks of passive electronic surveillance in the August 1990 issue.

This article categorizes the threats to information systems from electronic surveillance, offers a basic perspective with which threats may be gauged according to the value of the target information and concludes with a linked categorization of countermeasures.

An awkward threat

There are three main ways by which information can be abstracted by electronic surveillance. Firstly, equipment may be connected (tapped) directly into a legitimate communication channel. This is essentially what a hacker will do but with an important difference. Whereas a hacker must interact with the system to elicit information, an electronic eavesdropper passively collects all the communications passed in the channel(s) tapped into. Collation and analysis of the take may happen in near real time or may be performed later in a separate operation. Secondly, where information is deliberately communicated through the ether, as with a wireless LAN or by wireless link between remote sites, it can be intercepted by an eavesdropper.

Thirdly, information is involuntarily radiated from all circuitry, including cables, through which it passes in electronic form. Unless measures are taken to prevent such an occurrence, this radiation allows the collection of information to be made without any connection to the target system, albeit at limited ranges. Dependent on a variety of factors, the receiving point may have to be within millimeters of the source or may perhaps be kilometers away. Even in a cypher protected system, plain text should be obtainable from the points at which information passes into or out of the system. Where collection has to be made close to the source, the take can be covertly retransmitted to a convenient point elsewhere in the premises or outside, using a ‘bug’.

Vulnerabilities of encryption

The prime means of protection against the first and second categories of threat is the encryption of information while it is in transmission. Not all cypher systems have the same strength and the real possibility of defeating a cryptographically protected system is worth noting.

©1991 Elsevier Science Publishers Ltd


Commercially available cypher systems start with the password encryption of data files offered in some major software packages. (N.B. password protection systems that only control application or file access, without encyphering the files, should not be considered as security measures but rather as limited means of privacy.) Files collected in password encrypted form can, using an appropriate software tool, be decrypted within minutes. This form of attack usually relies on establishing patterns of repetition in a sufficient sample of encyphered text. Accordingly, such a cypher cannot be considered a sufficient security measure in itself against a skilled attack.

At the other end of the commercial online cypher scale is the ANBS Data Encryption Standard (DES). Though approaching twenty years old, this system is still rated by the US Government as ‘munitions’ technology and its legal end-user supply is limited to financial institutions and other customers of similar standing in a restricted list of countries. This system relies for its protection on a 56 bit key. In a known plain text attack, the cryptanalyst must try up to 2^56 key combinations to establish which one gives the known text. In 1977, Diffie and Hellman published an article calculating that with late seventies’ technology, it would be possible to construct a computer for $20 million that would exhaustively determine a DES key in 7.2 x 10^4 seconds (approximately 20 hours). Their claims were not disputed by the authors of DES, who counter claimed, probably quite correctly at that time, that the level of difficulty (expense) in breaking DES would prevent DES from being the weakest link in a system’s security. Given the rate of development of computer technology and falling real costs, such a computer might now cost no more than $5 million. In any event, $20 million is not what it once was!

Where a good cypher system (e.g. DES) is used, the third category of electronic surveillance is particularly worrying. This form of attack may obtain an amount of plain text information from a single location - a significant security breach in itself. If that take is then used as known plain text to break out the DES key used across a large, possibly global, network, then the technical complexity and expense in obtaining information from many points in the target system is greatly reduced. The protection given by the cypher is grossly eroded.
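The two passages above (the Diffie and Hellman cost figures for DES, and the point that a single leaked plain text turns a network-wide DES key into one exhaustive-search problem) rest on simple key-space arithmetic. The following is an added example, not code from the article or from Eloka Services; the 1e12 keys per second throughput and the seven-year cost-halving period are assumptions chosen because they reproduce the article's quoted figures, and `bits_needed` goes beyond the article by showing how much key length a given search capacity consumes over time.

```python
# Added example (not from the article): key-space arithmetic behind the
# DES figures quoted above. Throughput and cost-halving values are
# assumptions, labelled where they appear.
from math import ceil, log2

SECONDS_PER_YEAR = 365.25 * 24 * 3600


def key_space(key_bits: int) -> int:
    """Number of candidate keys for a cipher with a key of key_bits bits."""
    return 1 << key_bits


def worst_case_seconds(key_bits: int, keys_per_second: float) -> float:
    """Time to try every key at a given throughput.

    With one known plaintext/ciphertext pair each trial is a single
    encryption compared against the known ciphertext, needing no further
    access to the target; that is why the article treats one leaked
    plain text as a network-wide compromise of the shared key.
    """
    return key_space(key_bits) / keys_per_second


def expected_seconds(key_bits: int, keys_per_second: float) -> float:
    """On average the right key turns up halfway through the search."""
    return worst_case_seconds(key_bits, keys_per_second) / 2


def implied_keys_per_second(key_bits: int, worst_case_s: float) -> float:
    """Throughput a machine needs to exhaust the key space in worst_case_s."""
    return key_space(key_bits) / worst_case_s


def bits_needed(keys_per_second: float, years: float) -> int:
    """Smallest key length whose worst-case search takes at least `years`
    at the given throughput; shows how a fixed key length erodes as
    search capacity grows."""
    trials = keys_per_second * years * SECONDS_PER_YEAR
    return ceil(log2(trials))


def machine_cost(base_cost: float, base_year: int, year: int,
                 halving_years: float) -> float:
    """Cost of the same search capacity in a later year.

    Assumption (not in the article): cost halves every `halving_years`.
    A seven-year halving reproduces the article's own figures, $20 million
    in 1977 becoming about $5 million by 1991.
    """
    return base_cost / 2 ** ((year - base_year) / halving_years)


if __name__ == "__main__":
    # Reproduce the quoted figures: 2**56 keys at an assumed 1e12 keys/s.
    secs = worst_case_seconds(56, 1e12)
    print(f"DES worst case: {secs:.3g} s ({secs / 3600:.1f} hours)")
    print(f"throughput implied by 7.2e4 s: "
          f"{implied_keys_per_second(56, 7.2e4):.3g} keys/s")
    print(f"1977 machine in 1991: ${machine_cost(20e6, 1977, 1991, 7):,.0f}")
    print(f"key bits for a 100-year worst case at 1e12 keys/s: "
          f"{bits_needed(1e12, 100)}")
```

Running the block reproduces the 7.2 x 10^4 second (about 20 hour) worst case at 10^12 trials per second, and shows that at that same throughput a key needs 72 bits before exhaustive search takes a century; the defensive reading is that key length, not cipher secrecy, is what the adversary's budget is measured against.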

Characteristics of electronic surveillance

Examination of precedent can be a useful yardstick in determination of resource allocation to diminish risk and it is often so used. For some risk (e.g. fire) there is a substantial body of evidence as to the statistical likelihood of occurrence and of the diminution or avoidance of loss achieved by known countermeasures. This is not the case for electronic surveillance. Some techniques of electronic surveillance are undetectable and all, except the most primitive, should avoid detection other than by appropriate technical searches. Statistical studies of computer security failures report that the incidence of electronic surveillance is virtually nil. For information risk analysis, uncritical reliance on established precedent will be fatal. Unlike fire, detection of electronic surveillance is rare.

Electronic surveillance complicates risk analysis because of two particular features. Once the requisite surveillance means are deployed and a satisfactory system for collation, analysis and reporting is established, the flow of purloined information will continue for as long as desired or until a change in the targeted system invalidates some part of the surveillance. In such circumstances, every time valuable information is handled electronically it will be compromised. The haemorrhage of information is either completely undetectable or will not be detected by normal physical and software access controls, transaction accounting or systematic auditing.

A sensible balance

Comprehensive electronic surveillance requires a highly trained team, using expensive equipment, possibly working round the clock for an indefinite period. The necessary difficulties and expense in mounting such a covert effort mean that great advantage must be expected for the outlay to be made worthwhile. However, where no specific precautions are taken, information is available by the use of relatively simple techniques requiring only limited resources. Between these two extremes, as counter electronic surveillance measures are taken, the complexity and expense of a surveillance effort rises exponentially.

Risk analysis requires establishment of the level of value that various types of information have, in terms of damage that could be caused by their compromise. These levels of damage need then to be assigned a monetary value. A logarithmically incremental scale, as used in Courtney analysis, is most useful because it avoids the need to attempt overly precise valuation. Some information is relatively easy to quantify in monetary terms directly, e.g. investment in an R&D project. Less easy to quantify might be the loss of confidentiality in a professional advisor’s sensitive dealings with his clients. However, in cases where no countermeasures have been implemented, there is a clear possibility of personal liability for top management who ignore unacceptable risk in the face of a body of evidence.

Electronic surveillance risk

Not all information needs protection from electronic surveillance. The following are suggested as basic ground rules. Firstly, all forms of information processing and transfer must be determined, as a failure of security in any one may invalidate security in the others. All means, except manuscript transcription and the communication of information by the transportation of physical media, are susceptible to some application of electronic surveillance. Secondly, if through risk analysis managers can identify a financial risk beyond that which their organization can prudently bear, then some countermeasures to electronic surveillance must be included in the overall protection package. As with any countermeasures, these may not aim to eliminate all risk but rather to retain risk within acceptable limits.

The following is offered as a basis for assessing electronic surveillance threat according to the determined value of target information:

Level 1. Where risk to be diminished is assessed at less than $300 000, then countermeasures to electronic surveillance are likely to form only a small part of the overall information security arrangements.

Level 2. Between a risk level of $300 000 and $30 million a comprehensive counter electronic surveillance plan should be developed as an integral part of the overall security architecture.

Level 3. At a risk level in excess of $30 million, a painstaking and thorough threat assessment and critical examination of countermeasures will be required. A potential target at this level would warrant a comprehensive, determined and long term information collection effort through electronic surveillance.

Level 4. Above the $300 million risk level, the security weaknesses in electronic hardware - including communications security devices themselves - need to be well understood and compensated. Also, the real level of security provided by commercially available cyphers needs careful assessment.
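The valuation step in "A sensible balance" (a logarithmic damage scale in the style of Courtney analysis) and the four risk levels just listed can be worked through together. The following is an added example, not the article's own method or code: the annualized loss expectancy formula is the one in FIPS PUB 65 (Courtney's method, ALE = 10^(f+i-3)/3), the $300 000, $30 million and $300 million thresholds are the article's, and the sample impact and frequency figures are constructed. It goes a little beyond the article by showing how a range of assumed frequencies, rather than a single precedent-based figure, moves the assessed level.

```python
# Added example (not the article's own): Courtney-style annualized loss
# estimate on a logarithmic scale, mapped onto the article's four
# electronic surveillance risk levels. ALE formula from FIPS PUB 65;
# level thresholds from the article; sample figures are constructed.
from math import log10


def impact_index(loss_dollars: float) -> int:
    """Impact index i: one event costs roughly 10**i dollars.
    The scale is deliberately coarse, so a loss is rounded to the nearest
    power of ten rather than priced precisely."""
    return round(log10(loss_dollars))


def frequency_index(events_per_year: float) -> int:
    """Frequency index f on the FIPS 65 scale: f=1 is once in 300 years,
    f=3 once in three years, f=6 about once a day; each step is x10."""
    return round(log10(3 * events_per_year) + 3)


def annual_loss_expectancy(i: int, f: int) -> float:
    """Courtney ALE = 10**(f + i - 3) / 3 dollars per year."""
    return 10 ** (f + i - 3) / 3


def surveillance_level(risk_dollars: float) -> int:
    """Map an assessed risk to the article's levels 1 to 4."""
    if risk_dollars < 300_000:
        return 1
    if risk_dollars < 30_000_000:
        return 2
    if risk_dollars < 300_000_000:
        return 3
    return 4


def ale_range(i: int, f_low: int, f_high: int) -> tuple:
    """ALE bounds when frequency is only known to lie between two scale
    points. That is the position for electronic surveillance: detection,
    and therefore precedent, is rare, so the frequency has to be bounded
    by what an adversary would find worthwhile rather than by history."""
    return annual_loss_expectancy(i, f_low), annual_loss_expectancy(i, f_high)


def assess(impact_i: int, f_low: int, f_high: int) -> dict:
    """Summarise a threat whose frequency is uncertain: the ALE bounds and
    the article's level at each bound."""
    low, high = ale_range(impact_i, f_low, f_high)
    return {
        "ale_low": low,
        "ale_high": high,
        "level_low": surveillance_level(low),
        "level_high": surveillance_level(high),
    }


# Constructed sample: an R&D programme worth about $10 million if lost.
RD_IMPACT = impact_index(10_000_000)  # index 7

if __name__ == "__main__":
    # Fire: a well-studied risk, say once in 30 years, so f=2 is defensible.
    fire_f = frequency_index(1 / 30)
    print("fire ALE:", round(annual_loss_expectancy(RD_IMPACT, fire_f)))
    # Surveillance: no usable precedent. Bounding f between once in 300
    # years and about once in 100 days moves the result across two levels.
    print("surveillance:", assess(RD_IMPACT, 1, 4))
```

The instructive part is the last line: for the same $10 million asset the assessed level swings from 1 to 3 purely on the frequency assumption, which is the article's warning about relying on the near-zero recorded incidence of surveillance.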

Countermeasures for risk diminution

The levels suggested are not definitive but allow the development of a reasoned approach by any concern considering its security of information.

Level 1. At this level the target should be too small to warrant permanent electronic surveillance. However, a target in this range may attract electronic surveillance from an adversary if valuable information can be gained in a short period. The main defences will be good physical and software access controls, defensive installation layout and information handling procedures with limited technical checking (sweeping) for the operation of taps and bugs.

Level 2. Perhaps worth a limited long term surveillance or a large short term attack. A rider must be that the adversary would need either already to possess the means, both in terms of equipment and personnel, to carry out a large scale attack or be able to employ a contractor who can. Regular electronic sweeping should be instigated. The actual electromagnetic radiation profile of premises should be determined and defensive measures tailored accordingly. File encryption should be routine for all valuable information, with consideration given to some selective encryption facilities for speech and fax transmission.

Level 3. An adversary might expect an excellent return for long term electronic surveillance. A formal information security policy must be formulated and specifically address all types of threat. A developed security plan will direct the execution of that policy. Detailed security instructions minute the plan’s implementation. A key part of the information security planning is the devolution of responsibility to staff posts not more than one or two levels above that nominated for implementation of specific measures. Classify documents (i.e. finite pieces of information) concerning high value/sensitive items. Handling of such information should be specifically restricted to identified staff posts and particular means of processing, storing and communication. At least part of these means should be TEMPEST protected and have good cryptographic protection.

Level 4. At this level of risk, it must be considered whether commercially available technical countermeasures to electronic surveillance are entirely adequate for the purpose envisaged by the user and, if they are not, how they can be made so. The subject organization’s interest may be best served by establishing its own team with facilities for design, testing and limited production of both software and hardware for some of its own needs.

© Eloka Services Limited 1991

SECURE SYSTEMS MANAGEMENT

Computer Crime vs. Internal Control Systems

Silvano Ongetta

Price Waterhouse, Milan, Italy

If the United States, a country which has always been in the forefront in the automation of productive processes, can be taken as an example of what happens in the area of computer crime, then we can only expect difficult times with respect to the security of data.

We are fortunate, however, to be able to study the phenomenon, to learn from the negative experience of others and make preparations for an adequate defence. We have to act promptly because, even here in Italy, the problem of computer crime is assuming enormous proportions both in terms of economic loss and frequency. It is no longer a case to be studied by a small group of specialists in the field of data security, but has also become a news item.

The news media often openly reports computer crimes in abundant detail. I say this in jest: it looks as though the media is almost trying to promote its perpetration.

Certain specialized computer magazines even carry a regular column on these crimes. The problem is there and requires our attention, also because the issue is probably greater, since experts maintain that what becomes news is only the tip of the iceberg.

Very often, in fact, the companies which have been damaged by computer frauds do not report what happened and prefer not to divulge the news. This is to avoid alarming their clientele and explicitly admitting that their data security system is not very reliable.
