Nebraska University Consortium on Information Assurance - PowerPoint PPT Presentation (23 slides)

Transcript and Presenter's Notes

1
Nebraska University Consortium on Information
Assurance
  • Information Assurance
  • Where We've Been and Where We are Going
  • Prepared for the
  • Greater Omaha Chapter
  • AFCEA
  • October 25, 2007
  • Blaine Burnham

2
IA Been There, Done That
  • Outline
  • First things First
  • What is Information Assurance?
  • Is Information Assurance a NEW idea?
  • Why is there Information Assurance?
  • What are the Parts
  • Why is it so Difficult?
  • What have we learned and when?
  • What happened and why?
  • Where are we now and why?
  • Where are we going from Here?

3
IA Been There, Done That
  • What is Information Assurance?
  • The Players
  • Users
  • Information Objects
  • Expectations
  • The Field
  • Context
  • Threat
  • The Game
  • Attenuate the threat to an acceptable level of
    risk

4
IA Been There, Done That
  • Is Information Assurance a NEW idea?
  • Very Old Concept / Practice
  • People have Needs; Information has Value
  • Well developed solutions
  • Pre-literate: The Oral Tradition
  • Literate: India ink, multiple copies, notaries
  • People have long developed instincts
  • How do you know if your car is stolen?

5
IA Been There, Done That
  • Why is there Information Assurance?
  • In the computing environment the needs and value persist, but the Instincts Fail
  • How do you know if your data is stolen, or changed?
  • The Environment is not an extension of what we are used to
  • The physics of information is different
  • Information Binding
  • What is it and how does it work?
  • Oral Tradition
  • Paper
  • Electronics
  • Something very different must happen to enable us as a culture / society to get to what we need!

6
IA Been There, Done That
  • What are the Parts
  • A Taxonomy
  • Policy
  • Membership
  • Boundary
  • Secure System Management
  • Damage detection and recovery
  • Secure System management
  • Composition and Separation
  • Assurance

7
IA Been There, Done That
  • Why is it so Difficult?
  • First we need to understand what is happening
    the physics of information has changed
  • We need to understand that Security is a Global System property
  • Need to secure the whole system
  • A Non Observable Property
  • Generally can not tell if it is working correctly

8
IA Been There, Done That
  • What have we learned and when?
  • Automation of Protected Information in the late 1960s (USAF)
  • Was this a good idea?
  • Is the Information Adequately Protected?
  • Is the Information Equivalently Protected?
  • How would you decide?
  • Tiger teams
  • Not Good News

9
IA Been There, Done That
  • What have we learned and when?
  • Need to better understand the problem and begin codifying approaches to solutions
  • RAND Study (the Ware Report), 1970, gets it right.
  • http://www.rand.org/publications/R/R609.1/R609.1.html
  • Points out the problem and general direction to remedies with amazing insight
  • "Probably the most serious risk in system software is incomplete design, in the sense that inadvertent loopholes exist in the protective barriers and have not been foreseen by the designers."

10
IA Been There, Done That
11
IA Been There, Done That
  • What have we learned and when?
  • How to get it Done
  • The Anderson Report (72)
  • "An Advanced development and Engineering program to obtain an open-use, multilevel secure computing capability is described"
  • Gets it right
  • Introduces the concept of the reference monitor
  • The second of the two protection mechanisms we have
  • Recommends extensions of use for the other protection mechanism: CRYPTOGRAPHY
  • Whoop!
  • Work done piecemeal over the next 15 years
  • Multics showed How (early 70s)
  • DEC came Close (early 80s). See Morrie's book:
  • http://nucia.unomaha.edu:8080/dspace/bitstream/123456789/61/1/gasserbook.pdf
  • Gemini got it right

12
IA Been There, Done That
  • What have we learned and when?
  • S&S (74): Design Analysis and Understanding
  • "In the absence of such methodical techniques, experience has provided some useful principles that can guide the design and contribute to an implementation without security flaws"
  • The DEFCON experience and the relation to the S&S Principles
  • S&S got it right
  • 100 References
  • http://www.cs.virginia.edu/evans/cs551/saltzer/

13
IA Been There, Done That
  • What happened and why?
  • The Money went Away
  • And so did the people
  • No funding for academic research
  • No funding for graduate students
  • No continuity of people
  • No continuity of knowledge
  • For three generations of researchers
  • So it is not in the schools, yesterday or today
  • The knowledge is not with the vendors!!!

14
IA Been There, Done That
  • What happened and why?
  • Early 80s: qualified that specified the core technology: Trusted OS
  • The Orange Book and TPEP
  • Build very smart CS designers, researchers and evaluators in the Government and FFRDCs
  • The Vendors, more or less clueless, start to hire from Government
  • Clear opportunity for consultants, and several very good consulting firms appear (TIS, Sytek, SCC)
  • Consulting turns out to be a badly leveraged business model
  • Consulting firms turn to products to improve the business model
  • Consulting firms caught in the ambiguity of honesty and sales
  • Consulting firms melt down and become product firms and work for hire.
  • Good / Great advice gives way to product marketing
  • Which Products? The LHF: guards, firewalls, IDS
  • Careful design and thoughtful engineering gives way to marketing snake oil
  • We have lots of stuff, and in the main most of it is only marginally helpful
  • Heavily weighted toward reactive response
  • Symptomatic relief, not systemic solutions
  • A Tremendous market position for the Vendors

15
IA Been There, Done That
  • Where are we now and why?
  • The Buffer Overflow accounts for 85% of attacks.
  • C Sucks. Yet it is the Language of Choice for O/S and Services
  • Huge bloated OSs that are internally completely fragile
  • Most recent release: 65,000 known problems. Oh Well!!
  • We know better
  • Patch and Pray is the Mantra
  • We accept this behavior in NO other segment of
    our society
  • We know better
  • No Coherent view of Secure System Architecture
  • Societally Unacceptable
  • We know better
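The slide blames the buffer overflow on C's unchecked string handling without showing the defect. The following is an added example, not part of the presentation: a constructed fixed-size name buffer (NAME_MAX, a made-up value) copied first with the length-unaware pattern the slide has in mind, then with a bounded copy that checks the size before writing and refuses oversized input instead of truncating it silently.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

#define NAME_MAX 16   /* fixed-size destination buffer (constructed example) */

/* "Before": the pattern the slide blames. strcpy() takes no length, so a
 * source of NAME_MAX or more characters writes past the end of dst.
 * Shown for contrast only; nothing below calls it. */
void copy_name_unchecked(char dst[NAME_MAX], const char *src)
{
    strcpy(dst, src);   /* overflow when strlen(src) >= NAME_MAX */
}

/* "After": the caller passes the destination size, the length is checked
 * before any byte is written, and an oversized input is refused rather than
 * truncated silently. Returns 0 on success, -1 when src does not fit. */
int copy_name_checked(char *dst, size_t dstsize, const char *src)
{
    size_t n = 0;
    if (dst == NULL || src == NULL || dstsize == 0)
        return -1;
    /* measure src, but never look further than the room we have */
    while (n < dstsize && src[n] != '\0')
        n++;
    if (n >= dstsize)       /* no room left for the terminating NUL */
        return -1;
    memcpy(dst, src, n);
    dst[n] = '\0';
    return 0;
}

/* Worked check: a short name is accepted, an oversized (constructed) name is
 * refused and leaves the buffer untouched. Returns 1 when both hold. */
int check_inputs(void)
{
    char buf[NAME_MAX];
    int short_rc = copy_name_checked(buf, sizeof buf, "alice");
    int long_rc  = copy_name_checked(buf, sizeof buf,
                                     "this-name-is-far-too-long-for-the-buffer");
    return short_rc == 0 && long_rc == -1 && strcmp(buf, "alice") == 0;
}

/* Boundary check: exactly NAME_MAX-1 characters fit, NAME_MAX do not,
 * and a zero-sized destination is always refused. Returns 1 when all hold. */
int check_boundaries(void)
{
    char buf[NAME_MAX];
    int fits  = copy_name_checked(buf, sizeof buf, "0123456789abcde");  /* 15 chars */
    int nofit = copy_name_checked(buf, sizeof buf, "0123456789abcdef"); /* 16 chars */
    int zero  = copy_name_checked(buf, 0, "x");
    return fits == 0 && nofit == -1 && zero == -1 && strlen(buf) == NAME_MAX - 1;
}

int main(void)
{
    printf("inputs: %s\n", check_inputs() ? "ok" : "FAIL");
    printf("boundaries: %s\n", check_boundaries() ? "ok" : "FAIL");
    return 0;
}
```

The point of the bounded version is that the size travels with the pointer and the decision is made before any write happens; returning an error on overlong input keeps the caller honest, whereas silent truncation (the strncpy habit) hides the same class of bug behind a different symptom.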

16
IA Been There, Done That
  • Where are we now and why?
  • No prevalent Understanding of Foundations
  • Moving toward Phrenology and Rattles
  • We know better
  • Hostage to the 18-month wonder and the last Salesman
  • A plethora of products of dubious value, clouded
    pedigree, rarely interoperable
  • Seriously Muddy Thinking
  • A flood of books that leave a lot to be desired

17
IA Been There, Done That
  • Where are we now and why?
  • Muddy thinking (example)
  • The Books
  • New Book - just today
  • Computer Security Fundamentals / Easttom
  • FYI: Old Encryption
  • "PGP is more than ten years old. Some readers might wonder whether it is old and outdated. Cryptography is unlike other technological endeavors in this regard: older is better. It is usually unwise to use the latest thing in encryption for the simple reason that it is unproven. An older encryption method, provided it has not yet been broken, is usually a better choice because it has been subjected to years of examination by experts and to cracking attempts by both experts and less honorably motivated individuals. This is sometimes hard for computer professionals to understand since the newest technology is often preferred in the computer business."
  • There is so much wrong with this statement that it is hard to know where to start.

18
IA Been There, Done That
  • Where are we now and why?
  • The Law: a Segue
  • Piecemeal at Best
  • Banking Secrecy Act
  • Cable TV Privacy Act of 1984
  • Electronic Communications Privacy Act
  • Fair Credit Reporting Act
  • Family Educational Right to Privacy Act
  • Privacy Act of 1974
  • Right to Financial Privacy Act of 1978
  • Video Privacy Protection Act of 1988
  • GLB
  • HIPAA
  • SOX
  • Online Personal Privacy Act 2002 (not passed)

19
IA Been There, Done That
  • Where are we now and why?
  • The Law: a Segue
  • Piecemeal at Best
  • Anti Spyware Act
  • DMCA 1998
  • Computer Security Act of 1987
  • Paperwork Reduction Act of 1995
  • Information Technology Management Reform Act of
    1996
  • Federal Information Security Act of 2002
  • NSD 42
  • PDD63
  • Counterfeit Access Device and Computer Fraud and
    Abuse Act of 1984
  • USA PATRIOT Act
  • Homeland Security Act of 2002
  • This is nuts.

20
IA Been There, Done That
  • Where are we going from Here?
  • Much greater penetration of computers into the societal fabric
  • Everything that costs over $100 will be IP addressable
  • Phones
  • Viruses and assorted hacks underway as we speak
  • The Fly-by-wire automobile
  • The unprotected consolidation of information
  • The Matrix
  • MATRIX Project: "a pilot effort to increase and enhance the exchange of sensitive terrorism and other criminal activity information between local, state, and federal law enforcement agencies." Looks a lot like TIA
  • And the losses from same
  • Personal data on 32,000 Americans is stolen from Seisint
  • ChoicePoint revealed that scam artists had gotten access to personal data on about 145,000 people

21
IA Been There, Done That
  • Where are we going from Here?
  • More gimmicks and gadgets
  • "Information Security Products"
  • Google: 30,700,000
  • More marginal advice
  • "Information Security Consultants"
  • Google: 4,900,000
  • Much greater risk
  • We are going to insist on computer enabling the
    foundational processes of the country
  • E-voting

22
IA Been There, Done That
  • Where are we going from Here?
  • People will have to exercise their political muscle to start to rectify the problem
  • Software Liability
  • Professional Standards
  • Demand Much Greater Accountability
  • It is a societal issue that needs to be treated
    as such