Are the System Security Watchmen Asleep?
Dr. Roger Schell, Aesec Corporation, Palo Alto, CA
- Executives are frequently clueless about security
- rely on professionals to be their watchmen
- “acceptable risk” based on gross misperception
- serious failure by security professionals
- “watchmen” responsible for likely disasters
- air gap between domains is secure – but crippling
- multi-level security slows or prevents info sharing
- misguided mgt response
- accredit and deploy low assurance platforms
- ignore that low assurance is unevaluatable
- exacerbate risks with plans to get well
- watchmen – sound the alarm
- subversion threat is serious and growing
- unconscionable use of overly weak solution
- verifiable protection technology languishes
- cross-domain solutions
- challenge is CDS connectivity
- connection of disparate domains is multilevel
- Cyber warfare subversion likely
- tiger teams are subversion tool of choice
- adversaries can use 30+ years experience
- buy IT solution from your mortal enemy?
- Trojan horse attacks
- hidden functionality in application
- application user is unwitting agent
- current networks open vast opportunity
- 3000+ products online have Easter eggs in them, all benign; that doesn’t mean all will be benign
- Trap Door attack
- malicious code in platform
- can be remotely activated/deactivated
- efficacy and effectiveness demonstrated
- summary of subversion process
- infrastructure subversion
- execution of artifice software
- (optional) “two card loader”
- access to unauthorized domain data
- weakest link in flawed solutions
- single flawed interface exposes whole net
- “secure application” is non-computable
- “secure” pixie dust components
- vested interest research “sand boxes”
- hard problems for MLC systems remain
- CDS can be no better than platform it is on
- flaws in solutions missed
- false security from isolated components
- accreditations cannot responsibly judge flaws
- only a verifiably secure CDS is evaluatable
- impact indications and warning
- vendor downloadable product subverted
- intrusion can replace traditional espionage
- SW subversion steals credit/debit card data
- military recognition of subversion
- Sorry state of defense today
- sharing data across disparate domains needs MLS
- isolation obstructs missions
- any low connection => MLS
- Class A1 resists subversion
- share but resist subversion
- proven methods evaluated and deployed TCB
- mature, proven trusted systems technology
- “rainbow series”
- verifiably secure: Class A1/EAL7
- only this class excludes malicious software
- proven solution: security kernel
- illustrative MLS demonstrations
- multilevel secure web server
- multilevel FTP server
- covert communications proxy
- validated verifiable technology
- BLACKER
- HSRP
- CHOTS guard
- COTS Trusted Oracle 7
- SACLANT client/server
- affpb crypto-seal guard
- more opportunities
- MLS networked Windows
- MLS network attached storage
- guards & filters
- real-time exec
- verifiably secure MLS Linux
- identity management
- MLS handheld network devices
- cost/benefit of evaluated protection capabilities
- more cost, more benefit
- conclusion
- subversion threat is serious and growing
- unconscionable use of overly weak solutions
- verifiable protection technology languishes
- customers aren’t telling vendors security is a priority