Computer security is more important than ever. Last year, the FBI identified 23 foreign countries engaged in waging
economic war with the US. All 23 countries used computer espionage to gain strategic economic information from US
corporations. WarRoom Research found that the average Fortune 500 company lost more than half a million dollars from
reconstructing data and rebuilding damaged systems after computer attacks. Other studies have found that between 85
percent and 95 percent of computer attacks are inside jobs, either by employees or by people who gained knowledge from
employees. In short, US corporations are the target of the next Cold War, an economic war being quietly waged with tools
and techniques left over from downsized spy networks of the last Cold War.
Fortunately, the computer industry has an arsenal of defensive weapons. One of the best weapons is the formal
computer security classifications, especially the National Computer Security Center's (NCSC's) Orange Book. (The
sidebar, "C2 Security: Some Background," page 156, describes the Trusted Computer System Evaluation
Criteria--TCSEC--including the Rainbow Series, the Orange Book, and C2-level security.)
Although originally intended for military applications, the Rainbow Series has always been a public document. Some
businesses and computer vendors have adopted C2--any rating below C2 has little security--as their
security standard; Microsoft and Novell tout C2 as a selling point for their network operating systems. Although some
industry professionals debate the value of the Orange Book and C2 in particular, I believe C2 is a useful standard--if
you know what you're dealing with.
You can adapt the Rainbow Series to most business systems and security models. The Rainbow Series does not define
specific parameters for system creation or security levels. The security ratings are not equivalent to ratings such as
the Department of Defense's secret and top secret. This fact means that you can use any internal system
of security ratings already in place, just as you can assign the domain names of any structure when you design a
network.
The Rainbow Series outlines security theory and design, instead of laying out specific requirements; rather than
becoming dated, the rating scheme improves with time as users test the ratings in real-world situations. For instance,
auditing is extremely important for the higher ratings, but the standards specify only the type of action that
the user must record in an audit--not a format for an audit log. Although critics say that this feature can lead
to a lack of interoperability among systems at a given rating, I believe this flexibility in reporting formats is
useful: It doesn't restrict manufacturers from developing better auditing tools or lock systems into formats from the
mid-1980s.
Although C2 is the most useful security rating for many businesses, some situations require a B-level or another
C-level rating. Companies securing critical financial data frequently use systems with B-level security. In other
situations, such as where making data available is more important than limiting access, a C2 rating is too restrictive.
Understanding the differences between C-level and B-level security is helpful. Discretionary protection in
the C level means that every object has an associated user who has discretionary control over who can access the object.
Mandatory access in the B level means that all objects have an assigned security level that is mandatory for
accessing that object. In other words, if an object is rated at R&D Level 1, no one can access the object without
that level of access. Even the creator of that object cannot grant access to that object to anyone at a lower security
rating. Businesses determine the appropriate rating as part of a well-planned security policy.
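The distinction above, as an added example that is not from the article: a minimal model in which a C-level object is governed only by its owner's grants, while a B-level object also carries a mandatory label that the owner cannot waive. The level names, users and clearances are constructed for illustration.

```python
# Ordered sensitivity labels, least sensitive first (constructed).
LEVELS = ["Public", "Internal", "R&D Level 1"]

def rank(level):
    # Position in the ordering; a higher index means more sensitive.
    return LEVELS.index(level)

class SecuredObject:
    def __init__(self, owner, level=None):
        self.owner = owner      # user with discretionary control
        self.level = level      # mandatory label; None for a C-level object
        self.acl = {owner}      # users the owner has granted access to

    def grant(self, grantor, user):
        # Discretionary control: only the owner may extend the ACL.
        if grantor != self.owner:
            raise PermissionError(f"{grantor} does not own this object")
        self.acl.add(user)

def discretionary_allows(obj, user):
    return user in obj.acl

def mandatory_allows(obj, user, clearances):
    if obj.level is None:   # no mandatory label on a C-level object
        return True
    # Unknown users are treated as holding the lowest clearance.
    return rank(clearances.get(user, "Public")) >= rank(obj.level)

def can_read(obj, user, clearances):
    # Both rules must pass: a grant cannot waive the mandatory label,
    # and a clearance alone does not substitute for a grant.
    return mandatory_allows(obj, user, clearances) and discretionary_allows(obj, user)

def demo():
    clearances = {"alice": "R&D Level 1", "bob": "Internal", "carol": "R&D Level 1"}
    results = {}
    # C-level: alice owns a memo and grants bob access at her discretion.
    memo = SecuredObject("alice")
    memo.grant("alice", "bob")
    results["c_level_bob"] = can_read(memo, "bob", clearances)
    # B-level: the same grant on an object labelled "R&D Level 1" is
    # recorded but does not let bob, cleared only to Internal, read it.
    design = SecuredObject("alice", level="R&D Level 1")
    design.grant("alice", "bob")
    results["b_level_bob"] = can_read(design, "bob", clearances)
    # carol holds the clearance but alice has not yet granted her access.
    results["b_level_carol_before"] = can_read(design, "carol", clearances)
    design.grant("alice", "carol")
    results["b_level_carol_after"] = can_read(design, "carol", clearances)
    return results
```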
Retrofitting security into any system, particularly a computer system, is more difficult than creating a secure
system originally. Thanks to C2, manufacturers have specific formal security standards to which they can develop
off-the-shelf network operating systems.
NCSC had enough foresight to realize that although a vendor may design a product to be secure, administrators can
install or use that product in an insecure manner. Therefore, NCSC evaluates each product separately at a given level, using
the TCSEC criteria for that product (e.g., the Lavender Book for databases, the Red Book for networks, the Blue Book for
subsystems). Manufacturers sometimes have cited evaluation by one book when in fact their system requires evaluation by
several books.
Only an installed system can be tested and certified at a given level. This process is time-consuming and
expensive, but evaluating the installed system guarantees that it functions the way it is intended to function
in its real-world state.
C2 has the following characteristics:
- The system must have good documentation at both the user and administration level and have documentation on
security testing.
- The system must authenticate all users as unique individuals.
- The system must not allow objects to be reused or recovered once deleted.
- The system administrator must audit all security events.
- The system must protect all objects and processes from all others.
Most corporations agree that these features are necessary. Where and how businesses implement these security
features is part of a well-planned security policy based on real business data and accounting.
Given the new threats to corporations by economic espionage, drawing on the experience of the National Security
Agency seems a logical approach to security. Perhaps the best legacy of the Cold War is the experience gained in
securing computer systems from the same spies who are now eyeing US corporations.