GOV991: Sybase and Computer Security
John Kendrick, Senior Consultant, jkendric@sybase.com
August 15-19, 2004
Why is there a need for Computer Security?
• Increased hacker threat.
• Industrial espionage.
• Malicious insider threat, intent on theft or destruction.
• Potential for attacks from terrorists or hostile nation states.
How do we provide Computer Security?
• Assume we have a company intranet with connectivity to the Internet.
• Defend the boundaries with firewalls; the walls are ‘hardened’.
• What happens when firewalls are ‘breached’?
• Harden the interior machines.
  • What does this mean?
  • What causes vulnerabilities?
  • Vulnerability predictors (software complexity).
• Secure the link (TCP/IP) connections between machines.
How do we defend the boundary?
• Filtering routers and firewalls
  • Filtering routers will not allow certain TCP/IP port numbers to be used.
  • Example: port 20 for telnet not allowed, ftp ports 21 and 22.
  • Secure the router.
• Firewalls
  • Allow more complex filtering at the application-level protocol.
• Dial-in access
  • Allow or not allow.
  • How does the remote user authenticate?
Secure the connections between machines.
• Establish Virtual Private Networks (VPNs)
  • Utilizes link-level encryption outside the ‘network’ that is protected.
  • VPNs can be external or internal to the company intranet.
  • Generally, VPNs are thought of as using ‘in the clear’ (non-encrypted) communications when communicating within the network.
• Client-to-host Secure Sockets Layer (SSL) encryption
  • Utilizes Public Key Infrastructure (PKI) certificates to authenticate the server to the client and the client to the server.
  • The PKI must provide authentication that the certificate is valid (not forged and not on the Certificate Revocation List (CRL)).
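As an added example (not part of the presentation and not Sybase code), the two halves of that SSL requirement, mutual certificate authentication and a CRL check, are spelled out below with Python's standard `ssl` module. The weak context is what treating the internal network as ‘in the clear’ amounts to on the client side: the link is encrypted but nobody is authenticated. The hardened context requires a server certificate, checks the hostname, enables CRL checking and can present a client certificate; the server context refuses clients without a valid certificate. All file paths are placeholders the caller supplies, and `audit_context` is a small checker written for this example.

```python
import ssl
from typing import List, Optional

# Finding strings returned by audit_context(); constants so callers can match on them.
F_NO_SERVER_VERIFY = "server certificate not verified (CERT_NONE)"
F_NO_HOSTNAME = "hostname not checked against certificate"
F_NO_CRL = "CRL checking disabled"
F_OLD_TLS = "TLS versions below 1.2 allowed"


def insecure_client_context() -> ssl.SSLContext:
    """Weak configuration: the link is encrypted but nobody is authenticated.

    Any party that can answer the connection can impersonate the server, so the
    encryption protects nothing against an attacker already inside the network.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False      # must be disabled before verify_mode can be CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def hardened_client_context(ca_file: Optional[str] = None,
                            crl_file: Optional[str] = None,
                            client_cert: Optional[str] = None,
                            client_key: Optional[str] = None) -> ssl.SSLContext:
    """Server authenticated by PKI, client optionally authenticated, CRL consulted.

    The paths are hypothetical placeholders; with ca_file None the platform trust store is used.
    """
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH, cafile=ca_file)
    ctx.verify_mode = ssl.CERT_REQUIRED        # the server MUST present a certificate ...
    ctx.check_hostname = True                  # ... whose name matches the host we dialled
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    # Revocation: fail closed if any certificate in the chain is on a CRL. OpenSSL needs
    # the CRL itself loaded into the context; without it every handshake fails with
    # "unable to get certificate CRL", which is fail-closed but must be planned for.
    ctx.verify_flags |= ssl.VERIFY_CRL_CHECK_CHAIN
    if crl_file:
        ctx.load_verify_locations(cafile=crl_file)
    if client_cert:
        # Client-to-server authentication: present our own PKI certificate.
        ctx.load_cert_chain(certfile=client_cert, keyfile=client_key)
    return ctx


def hardened_server_context(server_cert: str, server_key: str, client_ca: str) -> ssl.SSLContext:
    """Server side of mutual authentication: refuse clients without a valid certificate."""
    ctx = ssl.create_default_context(ssl.Purpose.CLIENT_AUTH, cafile=client_ca)
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.load_cert_chain(certfile=server_cert, keyfile=server_key)
    return ctx


def audit_context(ctx: ssl.SSLContext) -> List[str]:
    """List the weaknesses of a client context; an empty list means it passes."""
    findings = []
    if ctx.verify_mode == ssl.CERT_NONE:
        findings.append(F_NO_SERVER_VERIFY)
    if not ctx.check_hostname:
        findings.append(F_NO_HOSTNAME)
    if not (ctx.verify_flags & ssl.VERIFY_CRL_CHECK_LEAF):
        findings.append(F_NO_CRL)
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append(F_OLD_TLS)
    return findings


if __name__ == "__main__":
    for name, ctx in (("weak", insecure_client_context()), ("hardened", hardened_client_context())):
        print(name, audit_context(ctx) or ["ok"])
```

The audit function is the useful part operationally: run it over every context a service builds and the ‘in the clear’ ones show up as findings rather than as a surprise during an incident.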
How do we ‘harden’ the interior machines?
• Determine the threats.
  • Misuse of applications and data by those without sufficient privilege.
  • Malicious code.
• Do you know where that software came from (outsourcing)?
  • Open source software.
  • Commercially produced software may have significant ‘off-shore’ components due to outsourcing.
• ‘Trojan horses’, ‘trap doors’, etc.
  • Placed on unsuspecting computers.
  • May monitor activity on the machine and forward information, steal cryptographic keys, forge certificates or expose plain text.
  • May be activated by a unique event or ‘key’.
How does the user or customer respond to the security posture?
• User buy-in is important; without it the policy may not be adhered to by the people who are being ‘protected’.
• Get user buy-in early. User representatives for the initial system requirements gathering should be included in the security discussions.
• Security concerns are frequently seen by users as onerous and as hindering their jobs.
Security should be ‘built into’ the system, starting with the requirements phase.
• ‘After the fact’ security hardening is less effective.
  • Fundamental design issues that impact security cannot be patched.
  • Design/coding flaws are weaknesses that can be attacked.
• Software is very complex compared to other engineered systems.
  • No two parts are exactly alike.
  • Software differs tremendously from computers, buildings, or automobiles, where there are many repeated elements.
  • Feature-rich software is more complex, and additional complexity means more latent bugs that can be exploited.
• The process Capability Maturity Model (CMM) can help.
  • Does not guarantee results, but can help quality.
  • Important that the ‘process’ does not become the ‘product’.
• Complex software contains more ‘latent bugs’.
  • As software complexity rises, vulnerabilities increase.
  • Different rough measures of software complexity: lines of code, cyclomatic complexity (number of decision statements), number of function points.
• Most cyber defenses try to counter hackers and not professionals.
  • Most hacker attacks DO NOT intend destruction.
  • Tests of corporate sites showed that 98% of 350 sites could be breached.*
  • Government Red Teams succeed “every single time”** [using hacker tools].
----------
* PC World Communications, “Cyberterrorism Scenarios Scrutinized”, 23 August 2002
** Richard Clarke, “Cyberwar!”, PBS Frontline, April 2002.
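Two of the rough measures named above, lines of code and cyclomatic complexity, can be computed mechanically. The following is an added example (not from the presentation) that walks a Python module's syntax tree, counts decision points per function in McCabe's sense, and lists the functions above a review threshold, which is where latent-bug hunting and test effort are best spent first. The sample source is constructed for the example and the threshold of 10 is the conventional guideline, stated as an assumption.

```python
import ast
from typing import Dict, List

# AST nodes that open a new decision path (what McCabe's cyclomatic complexity counts).
_BRANCH_NODES = (ast.If, ast.For, ast.AsyncFor, ast.While, ast.ExceptHandler, ast.IfExp)


def cyclomatic_complexity(func: ast.AST) -> int:
    """Cyclomatic complexity of one function: 1 + the number of decision points."""
    complexity = 1
    for node in ast.walk(func):
        if isinstance(node, _BRANCH_NODES):
            complexity += 1                      # if/elif, loops, except clauses, ternaries
        elif isinstance(node, ast.BoolOp):
            complexity += len(node.values) - 1   # each 'and'/'or' short-circuit adds a path
        elif isinstance(node, ast.comprehension):
            complexity += len(node.ifs)          # filter clauses inside comprehensions
    return complexity


def complexity_report(source: str) -> Dict[str, Dict[str, int]]:
    """Per-function lines of code and cyclomatic complexity for a Python source string."""
    report = {}
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, (ast.FunctionDef, ast.AsyncFunctionDef)):
            report[node.name] = {
                "loc": node.end_lineno - node.lineno + 1,
                "cyclomatic": cyclomatic_complexity(node),
            }
    return report


def review_candidates(report: Dict[str, Dict[str, int]], threshold: int = 10) -> List[str]:
    """Functions above the threshold: review and test these first (threshold is an assumption)."""
    return sorted(name for name, m in report.items() if m["cyclomatic"] > threshold)


# Constructed sample: a trivial helper next to a branchy authorization routine.
SAMPLE_SOURCE = '''
def parse_header(line):
    name, _, value = line.partition(":")
    return name.strip(), value.strip()

def authorize(user, resource, action):
    if user is None or user.disabled:
        return False
    if action == "read":
        if resource.public:
            return True
        for grant in user.grants:
            if grant.resource == resource.id and grant.can_read:
                return True
        return False
    elif action == "write":
        try:
            return resource.owner == user.id and not resource.locked
        except AttributeError:
            return False
    else:
        return False
'''

if __name__ == "__main__":
    report = complexity_report(SAMPLE_SOURCE)
    for name, metrics in report.items():
        print(name, metrics)
    print("review first:", review_candidates(report))
```

Note that the metric is blind to what the branches do: `authorize` scores high because access-control logic is inherently branchy, which is exactly why such routines deserve the extra review the slide argues for.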
What additional security requirements are required for databases in an enterprise system?
• Will there be data sources that not all users are allowed to see?
• Will some users be trusted more than others (in National Security terms, called classification level)?
• Will some users with the same level of trust be allowed to see some information but not other information (need to know)?
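The two questions about trust level and need-to-know map onto a label-based (mandatory) access check: a user may read a row only if their clearance level is at least the row's classification level and they hold every compartment the row is marked with. The following is an added example (not Sybase code and not the presentation's own material) that implements that check over a constructed row-labelled table, reporting distinct reasons for denial so the two conditions can be audited separately. The level ordering and compartment names are constructed for the example.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Tuple

# Hierarchical trust levels; constructed ordering for this example (higher dominates lower).
LEVELS: Dict[str, int] = {"UNCLASSIFIED": 0, "CONFIDENTIAL": 1, "SECRET": 2, "TOP SECRET": 3}


@dataclass(frozen=True)
class Label:
    """A classification level plus the set of need-to-know compartments."""
    level: str
    compartments: FrozenSet[str] = frozenset()

    def dominates(self, other: "Label") -> bool:
        # A clearance dominates a row label only when the level is at least as high
        # AND every compartment on the data has been granted to the user.
        return (LEVELS[self.level] >= LEVELS[other.level]
                and self.compartments >= other.compartments)


def read_decision(clearance: Label, classification: Label) -> Tuple[bool, str]:
    """Decide a read and say why, so the two kinds of denial can be logged distinctly."""
    if LEVELS[clearance.level] < LEVELS[classification.level]:
        return False, "clearance %s is below %s" % (clearance.level, classification.level)
    missing = classification.compartments - clearance.compartments
    if missing:
        return False, "no need-to-know for " + ", ".join(sorted(missing))
    return True, "permitted"


@dataclass(frozen=True)
class Row:
    """A database row carrying its own security label (row-level labelling)."""
    key: str
    label: Label
    payload: str


def visible_rows(clearance: Label, rows: List[Row]) -> List[str]:
    """Filter a result set down to what the user may see; keys are returned for checking."""
    return [row.key for row in rows if clearance.dominates(row.label)]


# Constructed sample table: four rows at different labels.
SAMPLE_ROWS = [
    Row("r1", Label("UNCLASSIFIED"), "public schedule"),
    Row("r2", Label("SECRET", frozenset({"ALPHA"})), "project alpha status"),
    Row("r3", Label("SECRET", frozenset({"BRAVO"})), "project bravo status"),
    Row("r4", Label("TOP SECRET", frozenset({"ALPHA"})), "alpha source list"),
]

# Constructed users: same SECRET level of trust does not imply the same need-to-know.
ANALYST = Label("SECRET", frozenset({"ALPHA"}))
DIRECTOR = Label("TOP SECRET", frozenset({"ALPHA", "BRAVO"}))

if __name__ == "__main__":
    for row in SAMPLE_ROWS:
        allowed, reason = read_decision(ANALYST, row.label)
        print(row.key, "ALLOW" if allowed else "DENY", reason)
```

The filtering belongs in the server, as close to the storage engine as possible; doing it in the client application leaves the denied rows in the wire traffic, which is the "data source not all users may see" problem the slide asks about.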
What international standards exist for Computer Security?*
• The Common Criteria (CC) for Information Technology Security Evaluation defines general concepts and principles of IT security evaluation and presents a general model of evaluation. It presents constructs for expressing IT security objectives, for selecting and defining IT security requirements, and for writing high-level specifications for products and systems. CC is used to certify vendor-supplied software.
• Somewhat like an international version of the “Orange Book” Trusted Computer System Evaluation Criteria (TCSEC) evaluations.
---------------
* http://csrc.nist.gov/cc/
What are Federal Government reactions to the increased cyber threat?*
• NTISSIP-11
• DCID 6/3
• DoD Std 8500.2
• FIPS 199 & FIPS 200 (from NIST)
• FIPS 140 (from NIST)
--------------
* http://www.niap.nist.gov/cc-scheme/index.html
What is NTISSIP-11?*
• NTISSIP-11 is a national security community procurement policy governing IT products.
• Mandates that, starting 1 July 2002, only COTS Identification/Authentication-enabled products that have been CC evaluated to EAL 2 may be acquired for use on national security systems.
• NTISSIP-11 does not affect “non-national” security systems. Purchases of IT products for the Department of Homeland Security will be affected.
• All cryptographic portions of products must be certified as FIPS-140 compliant.
-----------
* http://www.niap.nist.gov/cc-scheme/nstissp_11_revised_factsheet.pdf
What is DCID 6/3?*
• Document that spells out security requirements for systems within the Intelligence Community.
• Levels are called ‘Protection Levels’ and are numbered from 1 (lowest level of security assurance) to 5 (highest level of security assurance).
• DCID 6/3 establishes the security policy and procedures for storing, processing, and communicating classified intelligence information in Information Systems (ISs). For purposes of this Directive, intelligence information refers to Sensitive Compartmented Information and special access programs for intelligence under the purview of the DCI.
• Certifications at the various protection levels apply to applications and not to vendor-supplied software modules.
-------------
* http://www.fas.org/irp/offdocs/DCID_6-3_20Policy.htm
What is DoD Std 8500.2?*
• Federal procurement standard mandating a minimum of Common Criteria Evaluation Assurance Level 2.
• Replaces the DoD Std 5800 series.
----------
* http://www.niap.nist.gov/cc-scheme/policy/dod/d85002p.pdf
What are FIPS-199 and FIPS-200?
• Procurement standards drafted by the National Institute of Standards and Technology (NIST) for all non-DoD Federal Government agencies.
• FIPS 199: standards for security categorization of federal information systems.*
• FIPS 200: minimum security controls for federal information systems (final 2005).**
-------------
* http://csrc.nist.gov/publications/fips/fips199/FIPS-PUB-199-final.pdf
** http://www.nist.gov/public_affairs/releases/compsecurityguide.htm
What is FIPS-140?*
• NIST standard for certification of encryption in commercial products.
• FIPS 140-2 is used by federal organizations when they specify that cryptographic-based security systems are to be used to provide protection for sensitive or valuable data.
• This standard is recognized by the U.S., Canada and the United Kingdom. Laboratories within each country can evaluate and recommend FIPS-140 certifications for products that are accepted in all three countries.
----------
* http://csrc.nist.gov/cryptval/140-2.htm
What function does the Common Criteria provide?*
• The Common Criteria (CC) is meant to be used as the basis for evaluation of the security properties of IT products.
• CC is comprised of a series of evaluation levels that are used to evaluate a target profile.
• CC is required for all software used in Federal National Security systems, including the Intelligence agencies and military Command and Control. This rule is becoming more strictly enforced.
• CC should not be confused with “Protection Levels”.
------------
* http://csrc.nist.gov/cc/CC-v2.1.html
Are the Common Criteria used only in the United States?*
• Common Criteria: international standards that are recognized by other countries.
• Allows evaluations of products obtained in different countries to be recognized within other signatory countries.
• Examples: Oracle Version 9i and Oracle Label Security have been evaluated in the UK, and the evaluation is recognized in the U.S.**
• Sybase is having ASE, ASA and IQ evaluated at SAIC in Maryland.***
------------
* http://niap.nist.gov/cc-scheme/ccra-participants.html
** http://www.niap.nist.gov/cc-scheme/vpl/vpl_type.html
*** http://www.niap.nist.gov/cc-scheme/in_evaluation.html
Common Criteria signatory countries*
• Australia, New Zealand, Canada, United Kingdom, United States, France, Germany, and Japan. These countries have their own national scheme for interpretation and have laboratories that perform evaluations.
• In each country there is an Accreditation Authority that decides which laboratories within the country may accredit products based on the Common Criteria.
• Austria, Finland, Greece, Israel, Italy, The Netherlands, Norway, Spain, Sweden, Hungary and Turkey do not have national schemes for interpretation but accept evaluations from laboratories in the countries listed above.
---------------
* http://niap.nist.gov/cc-scheme/ccra-participants.html
National Accreditation Authorities*
• U.S.: NIAP (National Information Assurance Partnership), jointly run by NIST and NSA.
• Canada: CSE (Communications Security Establishment).
• Australia: DSD (Defence Signals Directorate).
• New Zealand: GCSB (Government Communications Security Bureau).
------------
* http://niap.nist.gov/cc-scheme/ccra-participants.html
National Accreditation Authorities (continued)*
• United Kingdom: Certification Body Secretariat, jointly run by the Communications-Electronics Security Group and the Department of Trade and Industry.
• France: Direction Centrale de la Sécurité des Systèmes d’Information (DCSSI).
• Germany: Bundesamt für Sicherheit in der Informationstechnik (BSI).
----------
* http://niap.nist.gov/cc-scheme/ccra-participants.html
Common Criteria Certification – The Competition
• ORACLE*
  • Oracle 9i completed EAL 4.
  • Oracle Label Security for 9i completed EAL 4.
  • Oracle partnered with Red Hat Linux to get Red Hat Version 3 EAL 2 completed.
• IBM**
  • IBM DB/2 EAL 4+ (in evaluation).
  • IBM WebSphere EAL 2 (in evaluation).
  • IBM WebSphere MQ EAL 2+ (in evaluation).
  • IBM WebSphere Portal EAL 2 (in evaluation).
---------
* http://www.niap.nist.gov/cc-scheme/vpl/vpl_type.html
** http://www.niap.nist.gov/cc-scheme/in_evaluation.html
Common Criteria Certification – The Competition (continued)
• BEA Systems*
  • BEA Systems WebLogic Application Server Version 7 submitted for EAL 2; being evaluated at CygnaCom in Virginia. Listed as “in evaluation” on the NIAP web site.
--------------
* http://www.niap.nist.gov/cc-scheme/in_evaluation.html
Common Criteria Evaluation Status – Sybase*
• ASE 12.5 in evaluation for EAL 4 at SAIC.
• ASA in evaluation for EAL 3 at SAIC.
• IQ in evaluation for EAL 3 at SAIC.
• Replication Server: not in evaluation, but pre-evaluation activities are underway for EAL 2 with SAIC.
------------
* http://www.niap.nist.gov/cc-scheme/in_evaluation.html
Evaluation Assurance Levels – Descriptions*
• EAL 1 – Functionally tested.
• EAL 2 – Structurally tested.
• EAL 3 – Methodically tested and checked.
• EAL 4 – Methodically designed, tested, and reviewed.
• EAL 5 – Semi-formally designed and tested.
• EAL 6 – Semi-formally verified, designed and tested.
--------------
* http://csrc.nist.gov/cc/CC-v2.1.html
* Jim Campbell and John Kendrick, Sybase, Inc., briefing titled “Federal Security Requirements”, from which some of the material herein has been duplicated.
Protection Profile and Security Target evaluation*
• TOE – Target of Evaluation.
• Protection Profile – An implementation-independent set of security requirements for a category of TOEs that meet specific consumer needs.
• Security Target – A set of security requirements and specifications to be used as the basis for evaluation of an identified TOE.
----------
* http://csrc.nist.gov/cc/CC-v2.1.html
A CyberTerror 9/11 could happen! Will YOU be ready?
We’re from Sybase – We’re here to help.
Contact information:
John Kendrick, Senior Consultant, Sybase Professional Services
jkendric@sybase.com
443-562-0532 (cell)
Acknowledgements:
• Jim Campbell, Principal Consultant, Sybase, Inc., with whom I produced a briefing titled “Federal Security Requirements”, from which some of the material herein has been duplicated.
• Ideas and knowledge gained from briefings at the bi-monthly Information Assurance Technology Forum sponsored by the National Security Agency.
• My Sybase management team: George Holland, Robert Smith and Joe Wooden, who have encouraged and supported my efforts in the Computer Security area.
Useful Links:
• http://www.niap.nist.gov/cc-scheme/
• http://www.iatf.net/
• http://www.cesg.gov.uk/site/iacs/
• http://www.x12.org/
• http://www.cert.org/
• http://www.securityfocus.com/
• http://slashdot.org/
• http://www.secureprogramming.com/