James A. Lingerfelt, Senior Consultant, IBM, Public Safety and Justice, "Strategies for Countering Threats to Information Technology Assets"by James A. Lingerfelt, fas.org
November 30th -0001
The primary threat to information systems is not the evil super hacker, says Lingerfelt, an expert in technology and strategic planning in law enforcement. "Rather, the greatest dangers to computer systems and data bases are 'trusted' sources." The author emphasizes that "a realistic assessment of security needs and threats, followed by meaningful formulation and implementation of a security plan, can provide effective protection against the vast majority of threats, and at a reasonable cost." He identifies areas that are the most frequent sources of real threats and provides seven basic strategies for planning information technology security.
Law enforcement and criminal justice agencies have an unprecedented opportunity to use information technology (IT) to transform their operations and to provide better, more effective service. However, many agencies are reluctant to pursue the opportunity because they fear that by replacing or supplementing their closed mainframe systems with networked PCs, and implementing automated reports and computer networks, they would expose themselves to attacks by hackers. The high estimated costs of protecting an entire IT system against penetration by super hackers, combined with the damage that could result from the loss of extremely sensitive information, make avoiding the (perceived) risk altogether seem reasonable, despite the gains to be achieved by the use of IT.
It is a fact that because of exponential increases in the use of IT, there is an increased exposure to attacks on information systems, assets, and data bases. However, the feared super knowledgeable computer hacker is rarely the biggest threat. Rather, the greatest dangers to computer systems and data bases are "trusted" sources who often operate in the absence of even minimal attention by police and criminal justice agencies to basic IT security. A realistic assessment of security needs and threats, followed by meaningful formulation and implementation of a security plan, can provide effective protection against the vast majority of threats, and at a reasonable cost.
Perception versus Facts
Many departments have made substantial financial commitments to IT. This has been accompanied by an increase in the number of reports of hacker attacks against police information systems.
There are also increased reports of illegal use of information from police data bases, thefts of police information, and thefts of IT assets belonging to police agencies. The frequency of these reports has discouraged many police agencies from venturing beyond their existing closed systems. However, new business requirements imposed on criminal justice agencies demand that they change the methods by which they acquire, share, and disseminate information.
Operational changes have been initiated as a result of the need to distribute information systems to the field, streamline work processes, distribute information beyond organizational boundaries, or to exchange information with outside agencies and individuals.
Some agencies have responded by using personnel to perform the new duties, thus drawing from the available field force. Others have implemented new "stand alone" systems that provide only the new services, but are not integrated with or complementary to the agency's legacy systems. This only increases the complexity and costs -- in people, time, and money -- of supporting IT.
As already noted, internal threats from sources within the trusted domain cause more damage than intruders. Several incidents caused by internal sources have been documented:An entire department's network was brought down by a virus on diskettes that the department's planning division distributed to collect survey information.
The chief of intelligence overseeing a hierarchical intelligence system taped to his monitor his user ID and password with detailed log-in instructions.
A senior official of a police department sold to organized crime representatives a file containing the description and tags of all undercover cars used by police officers.
A novice network administrator setting up a network at a police department gave every user administrator privileges.
Applications programmers at a major police department were allowed to put a new program code directly into production without methodical testing and review, and the entire system was brought down for 24 hours as the result of the bad code.
A state government set up a web site with no firewalls. Within 24 hours, its user ID and password file were posted on a hacker conference. To the state's credit, it shared the experience with other states and thus helped them avoid the same mistake.Not one of these stories involves a super hacker successfully attacking an agency information system. The last example was a penetration made possible by the worst possible open door. All of the incidents could have been prevented by some basic planning, training, and oversight.
In sum, there is an increased threat of external attack as a result of the increased use of information technology, but the proportionate threat as a piece of the total pie has not changed -- it's just a bigger pie. Increased threat? Yes. Different threat? No.
The increased exposure to computer security threats is due to several causes:New business models: The public sector is mirroring the private sector, with a delay of about five years.
Exponential growth in use of IT: Computers and networks have insinuated themselves into almost every part of our lives.
Reduced costs: Today's technology is inexpensive. Regardless of the metric that is used, costs for basic IT are lower than they have ever been, and the cost of new technology is decreasing faster than it did only a few years ago because of the rapid advances and increased competition.New Business Models
In the transition from centralized to dispersed operations, the headquarters as center of the decision-making and information universe has been replaced by remote independent business units supported by distributed IT.
In IT this shift has meant transition from closed architectures to networks -- intranets and extranets. The distribution of information means more difficulty in protecting assets, monitoring operations, and responding to problems. There are more points of exposure. The good news is that distribution of IT is making huge gains in productivity possible -- with return on investment often occurring in less than one year.
Private sector organizations have begun to focus on core competencies instead of trying to provide all things to all people. Businesses are maintaining much smaller personnel rosters. This allows them to avoid labor problems and logistical problems associated with changes. Only positions that contribute directly to achieving business goals are staffed. Mergers and acquisitions frequently call for outsourcing to deal with support and administrative functions, particularly IT. Criminal justice agencies (and all of government) have begun moving in the same direction to streamline operations, reduce costs, and improve services.
Additionally, retention of good IT personnel has become very difficult. Governments have not been able to compete with private sector salaries to replace lost personnel. This also has increased the use of outsourcing in government.
Increased turnover of executives and managers is another fact of life in organizations today. As companies downsize, or as they raid each other for talent, there is a threat of executives or middle managers taking important intellectual property with them. One such case was successfully prosecuted when the directory structure of a manager's computer files was shown to be identical to that of his previous business unit. Rarely acknowledged or published is the fact that companies that downsize often lose millions of dollars in stolen hardware, software, supplies, and furnishings if employees are given advance notice.
Despite the benefits, outsourcing IT can result in security exposures. A security plan is especially important when mission-critical IT responsibilities will be turned over to contract employees or agency outsiders. The agency may require that certain background investigation requirements be met by all contract employees.
Exponential Growth in Use of Information Technology
Computers and networks have insinuated themselves into almost every part of our lives. Fraud, theft, and dissemination of illegal information and materials are made possible by the computers, networks, and Internet we all use. New kinds of crime are devised and old schemes are given new life.
Fortunately this growth in computer use has produced advances in technology, standards, and identification of best practices. As the lessons of mistakes have improved the technology, we have all benefited. Security practices have also improved in direct response to lessons learned, and a solid set of best practices has emerged. The private sector has paved the path. Most new products (hardware and software) have security functionality designed into them. Whether the functions are used is a different matter.
Regardless of what metric is used, the costs for basic IT are lower than ever. Almost anybody can afford a computer.
Not only does IT cost less, more money is available for IT investment in the public sector than at anytime since the late 1960s and early 1970s. For example, initiatives related to the year 2000 computer problem and to computer crime are providing billions of dollars for the express purpose of upgrading or replacing public sector information systems. This creates a perfect opportunity for criminal justice agencies to include security in the development and implementation of new business processes and IT systems. Trying to retrofit security is too expensive, and it usually doesn't work.
Information Technology Planning
The science fiction book Hitchhikers Guide to the Galaxy has as its first rule:
DON'T PANIC. This is good advice for IT security planning, too. Many organizations have resisted investing in IT because of the persistent and exaggerated belief that they will immediately be besieged by hackers and intruders.
Despite the increased exposure and the increased number of potential intruders, the experience and the tools to build effective defenses are already available and improving all the time. With effective advance planning, it is possible to respond rapidly and appropriately to any attack, preventing most and minimizing the impact of the rest.
Overall IT planning must be done with the big picture in mind: the IT plan should flow directly from the organization's operational plans. The plan should describe business requirements that will fulfill operational goals: it is not an IT wish list. Focus on what needs to be done, not on how it will be done. There are usually many ways to meet a requirement with big differences in cost. There should be a clear justification for every dollar spent. And security must be built into the IT plan from the beginning.
Architectures should be kept simple. This provides a major security advantage. Multiple systems, regardless of how tightly integrated, offer multiple points of access and require multiple security administration and support systems which translate into increased costs.
Seven Strategies to Ensure Information Technology Security
1. ABOVE ALL -- KEEP IT SIMPLE. If the system is too complicated, users will avoid it or try to circumvent it, thus defeating security and reducing its usefulness. Modern security measures can be effective and unobtrusive.
2. DEVELOP POLICIES, PROCEDURES, AND PENALTIES (P3) IN ADVANCE. Design security P3 that are based on user needs, the nature of the applications, and the information being secured. ENFORCE THEM consistently. P3 without teeth are worse than having none.
3. PROVIDE TRAINING IN THE USE OF THE SYSTEM AND EMPHASIZE THE P3. Reinforce training by reviewing and distributing relevant news items -- for example, stories related to cyber attacks or abuses of systems.
4. USE AVAILABLE "OFF-THE-SHELF" SECURITY PRODUCTS AS MUCH AS POSSIBLE, RATHER THAN DEVELOPING SECURITY APPLICATIONS INTERNALLY. This is advisable for several reasons because business needs are relatively straightforward. Criminal justice agencies associate people with other people and people with events, by collecting and sharing information. Standard products based on open standards have been tested and proven, and their customers can be interviewed and learned from. Even if the products are new, the methodologies used in testing can be evaluated and the results reviewed. Most importantly, standard industry products are typically well-documented for users and for IT technical staff. Documentation and testing for security are frequently neglected when applications are developed in-house.
5. COMPARTMENTALIZE INFORMATION, ASSETS AND USERS. PROTECT INFORMATION AND ASSETS APPROPRIATELY ACCORDING TO THEIR VALUE. Confidential intelligence reports should be highly secured. Information that is public and/or easily replaced, however, does not require elaborate security. An objective assessment of information assets will show there is substantially more of the public than the confidential.
Similarly, IT assets (PCs, servers, cables, hubs, etc.) and supplies (software, diskettes, etc.) should be appropriately inventoried and secured. Frequently, agencies receive large amounts of hardware and software (PCs, monitors, network cards, hubs, routers, etc.) without entering the items into an asset control data base, and without checking them carefully to ensure they are what was ordered and that the items are configured correctly and work properly. When items are lost or fail to perform properly, there is no record to prove the loss or that the system is not performing as required. Inventory management is a first step. The second is configuration control.
At the time of delivery, the configuration of every piece of hardware should be set and every piece of software should be properly registered. The inventory will then contain a detailed description of every system's components, hardware, and software and where they are located (right down to the office number and desktop). This information is invaluable in protecting assets, identifying theft or tampering, and conducting effective investigations when problems are detected. Software programs are available that check configuration and report problems to security administrators automatically. These programs also maintain a log of changes or maintenance of the system. As repairs or upgrades are made to systems and maintenance is performed, it is important that such activities are logged. Finally, locks and specialized screws to seal workstations can reduce theft or tampering. Policy should require that all suspected problems be reported for investigation.
Compartmentalizing supplies and assets means treating them more appropriately according to their cost or importance to the mission. Often this area is neglected. For example, agencies lock up inexpensive supplies such as diskettes while critical assets such as a server are unprotected in an open office area, and network cable and hubs run across open walls instead of being encased in conduits and hidden in ceilings.
Compartmentalize users as well. Control the applications and information users have access to and how they can access it. (For example, a user may be permitted to access a restricted file only from certain workstations and at certain times). Control who can create accounts or user IDs on a system. Audit these frequently for dummy IDs or accounts.
Have good audit capabilities in place.
One of the most frequently overlooked security threats relates to system documentation. Documentation of all types is often treated too casually and can be found lying open in unsecured offices. Detailed technical and user information must be protected. It may seem convenient and less expensive to prepare and publish "one size fits all" documentation, but it can be dangerous to system security. Widely distributed end user manuals often contain large amounts of technical information that is useless to the end user, but is very valuable to a hacker. A hacker armed with detailed system information can attack a system with surgical accuracy instead of resorting to more easily detectable brute force attacks. Distribute documentation on a "need-to-know" basis.
Secure documentation, control access to it, and train users how to protect it. Publishing documentation on the network instead of in printed documents is recommended to reduce costs, simplify updates, and provide more protection.
6. BE REALISTIC ABOUT SECURITY ADMINISTRATION. It is not likely that criminal justice agencies, for example, can set up or administer an impenetrable IT security program. Balance realistic security needs against the costs of security. It may be possible to hire the desired level of support to accomplish the same goals. Use in-house staff to do what they realistically can do effectively, and outsource or "resource" the rest. The key is to achieve the results defined by the information security plan.
Many resources are available to meet security needs. They can be outsourced to a private company at competitive costs. As reliance on IT increases and security becomes a greater concern, business is responding by offering high quality IT security services.
There is also value in "resourcing." Resourcing describes what criminal justice agencies and members of the security community can do for each other. Sharing resources, pooling money for joint acquisitions, donated services from universities or from the community -- all are potential ways to close gaps in the security plan.
7. TEST, AUDIT, INSPECT SITES AND INVESTIGATE CONTINUOUSLY AND RANDOMLY. Use a methodology for reviewing and testing code to block back doors into systems. Use automated audit and monitor programs. Use programs that check for changes to a file. Develop and use "Tip" programs as a way of identifying existing or would-be systems attackers. Publicize threats and responses to them. Always take swift, consistent, and appropriate action when violations are detected or reported. Announce disciplinary actions taken in IT security cases widely.
IT security has advanced as rapidly as every other aspect of IT, but it cannot be effective if it is not properly deployed. Security features are available in almost every commercial off-the-shelf application. Firewalls are more powerful and adaptable than ever and are very reasonably priced. Encryption programs are becoming more powerful and easier to implement and maintain. The ability to manage and monitor distributed systems from a single point in the network is improving steadily. Automated monitoring and audit programs to control system use and alert security administrators to attempted abuses are maturing rapidly.
One of the areas of technical advance that is most promising is biometrics -- the ability to identify someone based on a unique physical characteristic (for example, fingerprint, voice, hand geometry, retinal pattern, etc.). Biometric devices make it possible to authenticate users more effectively than ever and will prevent unauthorized persons from accessing a system even if they possess a password.
IBM, in cooperation with Barclays Bank in Europe, is piloting workstation keyboards with an embedded fingerprint reader. The users must be biometrically authenticated before they are allowed access to any part of the system. Flash technology (a search algorithm for images) is fast and accurate. It can search a data base of millions of records (including fingerprint images) to determine whether there is a match. This capability, combined with high speed networks, has great potential for use in ATMs (bank automatic teller machines) and other electronic transaction devices. Flash technology is being used for a fingerprint-based voter registration verification system in Peru. The project has had excellent results and will help prevent voter fraud.
As these technologies continue to evolve, IT security will continue to improve in terms of effectiveness and ease of use.
Original Page: http://www.fas.org/irp/threat/cyber/docs/usia/pj48ibm.htm
Shared from Read It Later