ICIW2008: Afternoon Keynote

Are the System Security Watchmen Asleep?
Dr. Roger Schell, Aesec Corporation, Palo Alto, CA

  • Executives are frequently clueless about security
    • rely on professionals to be their watchmen
    • “acceptable risk” based on gross misperception
  • serious failure by security professionals
  • “watchmen” responsible for likely disasters
  • air gap between domains is secure – but crippling
  • multi-level security slows or prevents info sharing
  • misguided mgt response
    • accredit and deploy low assurance platforms
    • ignore that low assurance is unevaluatable
    • exacerbate risks with plans to get well
  • watchmen – sound the alarm
    • subversion threat is serious and growing
    • unconscionable use of overly weak solution
    • verifiable protection technology languishes
  • cross-domain solutions
  • challenge is CDS connectivity
  • connection of disparate domains is multilevel
  • Cyber warfare subversion likely
    • tiger teams are subversion tool of choice
    • adversaries can use 30+ years experience
    • buy IT solution from your mortal enemy?
  • Trojan horse attacks
    • hidden functionality in application
    • application user is unwitting agent
    • current networks open vast opportunity
    • 3000+ products online have Easter eggs in them; all are benign, but that doesn’t mean all will be benign
  • Trap Door attack
    • malicious code in platform
    • can be remotely activated/deactivated
    • efficacy and effectiveness demonstrated
  • summary of subversion process
    • infrastructure subversion
    • execution of artifice software
    • (optional) “two card loader”
    • access to unauthorized domain data
  • weakest link in flawed solutions
    • single flawed interface exposes whole net
    • “secure application” is non-computable
  • “secure” pixie dust components
    • vested interest research “sand boxes”
    • hard problems for MLC systems remain
    • CDS can be no better than platform it is on
  • flaws in solutions missed
    • false security from isolated components
    • accreditations cannot responsibly judge flaws
    • only a verifiably secure CDS is evaluatable
  • impact indications and warning
    • vendor downloadable product subverted
    • intrusion can replace traditional espionage
    • SW subversion steals credit/debit card data
    • military recognition of subversion
  • Sorry state of defense today
  • sharing data across disparate domains needs MLS
    • isolation obstructs missions
    • any low connection => MLS
    • Class A1 resists subversion
  • share but resist subversion
  • proven methods evaluated and deployed TCB
    • mature, proven trusted systems technology
    • “rainbow series”
  • verifiably secure: Class A1/EAL7
    • only this class excludes malicious software
  • proven solution: security kernel
  • illustrative MLS demonstrations
    • multilevel secure web server
    • multilevel ftp server
    • covert communications proxy
  • validated verifiable technology
    • blacker
    • hsrp
    • chots guard
    • cots trusted oracle 7
    • saclant client/server
    • affpb crypto-seal guard
  • more opportunities
    • mls networked windows
    • mls network attached storage
    • guards & filters
    • real-time exec
    • verifiably secure mls linux
    • identity management
    • mls handheld network devices
  • cost/benefit of evaluated protection capabilities
    • more cost, more benefit
  • conclusion
    • subversion threat is serious and growing
    • unconscionable use of overly weak solutions
    • verifiable protection technology languishes
    • customers aren’t telling vendors security is a priority