Chey Cobb - Black Hat

Why Government Systems Fail at Security
Chey Cobb
chey@computer.org
February 15, 2001
1
My Background
• Whoami
  – Firewall certification lab
  – Anti-virus testing lab
  – Web security since 1994
  – DoD systems architectures
  – Intelligence systems security architectures
  – Senior technical security advisor for IC
  – Security program manager
2
Recently Retired
• There’s no such thing as “too young” to retire!
3
Why THIS Topic?
• Security needs to be discussed in the open
  – What is discussed behind closed doors tends to stay behind doors.
• Credibility
  – No matter how you explain things to management, they tend not to believe you – until they see the same thing in the public forum.
4
Don’t Make the Same Mistakes
• In many ways, the private sector is doing security much better than top secret facilities
  – Keeping secrets while sharing data and systems and providing public access.
• In government, people tend to think firewalls and IDS are a “cure” for security
  – AIDS
    • Promiscuous connections to multiple systems
    • There is NO cure
5
3Ds
Disillusioned
Disgusted
Disappointed
… and did I mention
DISGUSTED?
6
War Stories
• Chief of security was an English major whose last job was in HR.
• Software developers didn’t know what a “hardened OS” is.
• NSA teams didn’t know that web servers have many vulnerabilities.
7
War Stories … 2
• Keyboard strings as passwords.
  – “Too much trouble to change it.”
  – “I use it on all my accounts.”
  – “It’s so obvious nobody would think I use it.”
• Logging off at the end of the day was considered “adequate” security.
• Root passwords on major systems had not been changed in 10 years.
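The keyboard-string passwords above are the kind of thing a password policy can catch mechanically. The following is an added example, not code from the slides: it flags passwords that are walks along a US QWERTY keyboard (rows, columns, either direction, shifted symbols folded back onto their keys) so they can be rejected at change time. The layout tables, the thresholds and the sample passwords at the bottom are all constructed for the demonstration.

```python
"""Added example, not from Chey Cobb's slides: flag passwords that are
keyboard walks ("qwerty", "1qaz2wsx", "asdfgh") so a password policy can
reject them before they reach an account that matters. The layout is a US
QWERTY keyboard; the sample passwords at the bottom are constructed."""

# Physical rows, aligned so that index i of each row is one key column
# (so "1", "q", "a", "z" stack into the familiar "1qaz" walk).
KEYBOARD_ROWS = [
    "1234567890-=",
    "qwertyuiop[]\\",
    "asdfghjkl;'",
    "zxcvbnm,./",
]

# Shifted symbols fold back onto the unshifted key, so "!QAZ@wsx" is
# treated as the same walk as "1qaz2wsx".
SHIFT_MAP = str.maketrans("!@#$%^&*()_+{}|:\"<>?", "1234567890-=[]\\;',./")


def normalize(password):
    return password.lower().translate(SHIFT_MAP)


def _walk_fragments(length):
    """Every run of `length` adjacent keys along a row or a column, in
    either direction."""
    lines = list(KEYBOARD_ROWS)
    width = max(len(row) for row in KEYBOARD_ROWS)
    for i in range(width):
        lines.append("".join(row[i] for row in KEYBOARD_ROWS if i < len(row)))
    fragments = set()
    for line in lines:
        for s in (line, line[::-1]):
            for start in range(len(s) - length + 1):
                fragments.add(s[start:start + length])
    return fragments


def keyboard_walks(password, min_len=4):
    """Return the maximal substrings of the normalized password that are
    keyboard walks of at least `min_len` keys."""
    text = normalize(password)
    fragments = _walk_fragments(min_len)
    covered = [False] * len(text)
    for i in range(len(text) - min_len + 1):
        if text[i:i + min_len] in fragments:
            for j in range(i, i + min_len):
                covered[j] = True
    runs, start = [], None
    for i, flag in enumerate(covered + [False]):  # sentinel closes the last run
        if flag and start is None:
            start = i
        elif not flag and start is not None:
            runs.append(text[start:i])
            start = None
    return runs


def keyboard_walk_fraction(password, min_len=4):
    """Share of the password's characters that belong to a keyboard walk."""
    if not password:
        return 0.0
    return sum(len(run) for run in keyboard_walks(password, min_len)) / len(password)


def is_keyboard_walk(password, min_len=4, max_fraction=0.5):
    """Policy decision: reject when half or more of the password is a walk."""
    return keyboard_walk_fraction(password, min_len) >= max_fraction


if __name__ == "__main__":
    # Constructed samples, not real credentials.
    for candidate in ["1qaz2wsx", "!QAZ@wsx", "QWERTY123", "correct horse battery"]:
        verdict = "REJECT" if is_keyboard_walk(candidate) else "ok"
        print(f"{candidate!r:26} {verdict:7} walks={keyboard_walks(candidate)}")
```

The check works on the normalized form, which is why `!QAZ@wsx` is reported as the walk `1qaz2wsx`; a policy that only compared against a list of literal strings would miss that variant. The 50% threshold is a constructed starting point: lowering it catches passwords padded with a short walk, raising it tolerates an incidental four-key run inside an otherwise random string.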
8
What Does A Security Officer Do??
• Fight...
• Ask your security officer what his/her last few big fights were about:
  – Of the last 10 fights, 9 involved internal politics.
  – The 10th fight was probably horribly mundane.
9
The Word is $$$$$
• Gov’t thought they were saving money going to COTS.
• Gov’t can’t match the wages of good security personnel.
• Gov’t can’t afford to keep their systems updated.
• Is Corporate America that much different?
10
Security Decision Maker
You can only pick two!
11
Case In Point
• Firewalls and Intrusion Detection are “new” to many facilities
  – They had to choose two from the triangle … guess which two?
  – Sysadmins are not sent for training.
  – Security officers don’t get their own monitoring systems.
  – In some circles, routers are still considered to be firewalls.
12
New Technologies?
• The procurement process is “broke”
  – It can take up to FIVE years for a “new” system to be purchased and installed
• Engineering and Acquisitions Don’t Talk
  – In some offices, Acquisitions buys the technology before consulting Engineering.
  – Engineering is stuck with creating systems out of bargain basement clear-outs
13
Why Haven’t All Government Systems Been Hacked?
They are well hidden
  – But “Security through Obscurity” will bite them eventually.
14
Government Security Policies
• Took FIVE years to get them written.
• Took another year to get the agencies to all agree to use them.
• Policies have different interpretations on key issues by the different agencies and organizations.
• Director of Central Intelligence Directive 6/3, “Protecting Sensitive Information within Information Systems”
  – http://www.fas.org/irp/offdocs/dcid_6-3_20manual.htm
15
Sidebar
• John Deutsch Case
  – In the unclassified version of his hearings he stated that he “was not aware of the computer security rules”.
  – He did not know that sending mail on the Internet with the name of cia_deutsch@aol.com would be a problem
• He was the HEAD of the CIA … (a/k/a DCI) …
  – His office WROTE the policies and he signed off on them.
  – Is it possible that in fact he did know?
• … and now he has been PARDONED?
16
Are They Wearing Blinders?
• GAO ordered exercise called “Eligible Receiver” to test the security of government systems (1997).
• Found basic vulnerabilities in every single system they touched:
  – Rooted systems
  – Launched DoS attacks
  – Disrupted phone systems
  – Read and ALTERED e-mail
  – Most of this was done from the Internet
• People in Top Secret facilities do not believe this report.
17
1998 GAO Investigation
• http://www.gao.gov/AIndexFY98/category/Inform.htm
• Survey of security officers found:
  – 66% stated they didn’t have enough time or training to do their jobs.
  – 53% stated that security was an ancillary duty.
  – 305 of 709 were totally unaware of what they should be doing (43% for those of you who have not had enough caffeine yet).
  – 57% had no security training.
18
2000 Investigation
• AIMD-00-295, Information Security: Serious and Widespread Weaknesses Persist at Federal Agencies
  – www.gao.gov/docdblite/summary.php?accno=576618&rptno=AIMD-00-295
• Reported:
  – Computer security fraught with weaknesses
  – Physical and logical access controls were not effective in preventing or detecting systems intrusions and misuse
  – Installation commanders give systems security a low priority
19
GAO Summary
• More needs to be done … including instituting routine risk management activities aimed at ensuring that risks are understood; that appropriate controls are implemented commensurate with the risk, and that these controls operate as intended.
• DUH!
20
What’s It Mean?
• The wrong people are allowed to make decisions about information security.
• The people who are making the decisions either don’t know or don’t care.
• There are no incentives to do things correctly and no repercussions for doing things wrong (Deutsch Pardoned!)
21
A War Story
• Reviewed proposed system architecture approx 10 months prior to its initial testing.
• Architecture included FTP.
• Developers insisted that they needed 65,000+ ports open in the firewall to handle FTP.
• Told them to scan the ports during testing and come back with a better answer.
• Also told them to harden the OS – Solaris (What’s OS hardening?)
22
War Story … cont.
• The equipment showed up for testing installation and they still wanted 65,000+ ports.
• I denied them permission to install.
• Developers complained it would take too long to change the code.
• Project manager said it would cost too much.
• Three months of fighting with them (which they could have spent fixing the code).
• Over-ruled by a Director who said she would “accept the risk” – and then she retired.
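"Scan the ports during testing and come back with a better answer" is a concrete review step, and the two slides above are the whole of what the deck says about it. The following is an added example, not code from the slides or from the project described: it takes a proposed rule that opens every unprivileged port "for FTP", compares it against what actually listened on the test box, reports how many allowed ports have nothing behind them, and derives the tightest rule that still covers the observed listeners. The rule format, the nmap-style scan text and every port number in it are constructed for the demonstration.

```python
"""Added example, not from the slides: compare what a proposed firewall
rule opens with what actually listens during testing, then derive the
tightest rule that still covers the observed listeners. The rule format,
the nmap-style scan text and the port numbers are all constructed."""

import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    name: str
    low: int        # first TCP port allowed (inclusive)
    high: int       # last TCP port allowed (inclusive)
    purpose: str

    def ports(self):
        return set(range(self.low, self.high + 1))


# Constructed scan of the test box: FTP control, SSH, and an FTP daemon
# whose passive data range was pinned to eight ports. Only "open" counts.
SCAN_OUTPUT = "\n".join(
    ["21/tcp     open   ftp", "22/tcp     open   ssh", "23/tcp     closed telnet"]
    + [f"{p}/tcp  open   unknown" for p in range(49152, 49160)]
)

# Constructed stand-in for the developers' request: one rule spanning
# every unprivileged port "to handle FTP".
PROPOSED_RULES = [
    Rule("ftp-control", 21, 21, "FTP control channel"),
    Rule("ftp-data", 1024, 65535, "FTP passive data (as requested)"),
]

SCAN_LINE = re.compile(r"^(\d+)/tcp\s+open\b")


def parse_scan(text):
    """TCP ports reported open in nmap-style output."""
    ports = set()
    for line in text.splitlines():
        m = SCAN_LINE.match(line.strip())
        if m:
            ports.add(int(m.group(1)))
    return ports


def contiguous_ranges(ports):
    """Collapse a set of ports into sorted (low, high) runs."""
    ranges = []
    for p in sorted(ports):
        if ranges and p == ranges[-1][1] + 1:
            ranges[-1] = (ranges[-1][0], p)
        else:
            ranges.append((p, p))
    return ranges


def audit(rules, listening):
    """Per rule: (name, ports allowed, ports allowed with nothing listening)."""
    report = []
    for rule in rules:
        allowed = rule.ports()
        report.append((rule.name, len(allowed), len(allowed - listening)))
    return report


def tighten(rule, listening):
    """The smallest set of rules covering every listener inside `rule`."""
    used = rule.ports() & listening
    return [Rule(f"{rule.name}-{i}", low, high, rule.purpose)
            for i, (low, high) in enumerate(contiguous_ranges(used))]


if __name__ == "__main__":
    listening = parse_scan(SCAN_OUTPUT)
    for name, allowed, unused in audit(PROPOSED_RULES, listening):
        print(f"{name}: allows {allowed} ports, {unused} with no listener")
    for rule in PROPOSED_RULES:
        for tight in tighten(rule, listening):
            print(f"  tightened {rule.name} -> {tight.low}-{tight.high}")
```

On the constructed input the requested `ftp-data` rule allows 64,512 ports, of which 64,504 have no listener, and the tightened rule collapses to the eight-port passive range. That is the "better answer" the review was asking for: the passive data range is something the FTP daemon's configuration controls (for instance `pasv_min_port`/`pasv_max_port` in vsftpd or `PassivePorts` in ProFTPD), so the firewall only ever needs that bounded range, and a stateful firewall with FTP connection tracking can avoid a static data range altogether.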
23
Did You Know …
Germany requires ALL banks to use hardened, “trusted” OS’s for ALL systems
24
Accepting the Risk
• Fancy way for management to say “get the hell out of the way.”
• NO technical expertise and they want “simple” explanations.
• When you try to explain the implications of their actions, they get pissed off.
• They’ll accept the risk, but they sure as hell won’t put it in writing.
25
News Flash
• Last year a hacker connected via the Internet to a printer at the Navy’s Space and Naval Warfare Center and rerouted a document to a server in Russia.
• The Program Manager had accepted the risk to connect sensitive systems to the Internet.
• Did anything happen to the Program Manager?
26
Security is Soooooo Inconvenient
• NRO didn’t allow cell phones, two-way pagers, unclassified laptops, or PDAs into the building
  – Cell phone microphones can be opened remotely, even when the system is turned off
  – Classified data can be sent out of the building via text-based pagers
  – Unclassified laptops and PDAs can store classified material
• THEN the Director got a new cell phone …
27
Security is Soooooo Inconvenient #2
• A junior sysadmin was found to have installed several hacking tools on major networks.
• Senior management decided NOT to have the root passwords changed because it would:
  – Take too long.
  – Notify the general populace that “something” had happened.
  – Interfere with normal operations.
28
Let the CIO Handle It?
• Each agency has its own CIO.
• Agencies and offices are loath to create MOAs or MOUs.
• MOAs and MOUs are ignored.
• NSA CIO had no idea how hugely interconnected they were – until everything “died” for four days last year.
29
Who Handles Incident Response?
• Air Force CERT? (afcert)
• Navy CERT? (navcert)
• NSA? (noc)
• CIA?
• NRO?
• DIA?
• Keystone Kops?
30
Educate the Populace?
• 4,000 in one office.
• Average length of time at the office is two years.
• $$$? (… sigh …)
• Most are computer illiterates who can’t even change passwords without help.
31
Inspector General’s Office?
• Nice folks … but
  – Understaffed
  – Inexperienced
  – Far too little technical expertise
• Corrections they request are ignored – or lies are told.
32
Presidential Directive?
• Been there – Done that
  – PDD-63, Protecting America’s Critical Infrastructures
  – By 2003, a “reliable, interconnected, and secure information systems infrastructure.”
  – Federal Government to serve as a “model” for country
  – Umpteen dozen new offices and positions
33
Hire More People?
• Military billets are the cheapest
• Average tour is 2 years
• Pay scale is approximately 1/3 of market rate
• More people does not ensure better security
34
Solutions?
• Honey Nets and Honey Pots
• Training, training, training for sys admins and security officers
• Vulnerability labs within agencies should create their own listserver to share findings
• Cancel ALL subscriptions to PC Magazine!
• Stop looking at strong fortress walls and enforce common sense security within the walls
35
Corporate is Better
• Take satisfaction in the fact that Corporate America is doing better than Government
• You can more quickly take advantage of new technologies and react to new threats
• More educational opportunities
  – You don’t have to worry about revealing secret associations with companies
36
Windows 2K?
• Not any better or any worse than what you have
• … but the Government doesn’t know that!
• Default installations are always a risk
• Who said that letting the OS make decisions for you would be a Good Thing?
37
</End Of Rant>
• Questions?
38