Kryuchkov. Fundamentals of Nuclear Materials Physical Protection. 2011 (PDF)

Information Protection Association, account for 39% of computer system faults. A physical attack can be staged with high-tech electronic devices capable of intercepting hardware signals and stealing information. It is possible to intercept signals and compromise hardware by planting data-intercepting devices in work rooms. A database can be destroyed by elementary means such as fire or flooding of the hardware, and this does not necessarily require any direct action against the room or the hardware that stores the data: it is enough, say, to set fire to a neighbouring room that is more accessible to outsiders.

Less obvious are the organizational and legal manifestations of threats. These include failures by personnel or executive staff to abide by regulatory requirements, and delays in adopting regulations and rules. Failure to fulfil regulatory requirements, or their absence, frequently gives rise to other manifestations of threats. Threats may also arise from purchases of outdated equipment, unauthorized restriction of access to data, and so on.

Prevention, suppression or neutralization of threats to information security is implemented through information security features, built on countermeasures developed and introduced against the various threats. Information security features include organizational, technical, cryptographic and software means designed to protect restricted-access data, the software and hardware in which they are realized, and controls on the effectiveness of information protection.

Efficient, all-round protection of information against potential threats requires a variety of countermeasures and techniques to keep those threats from being realized. Threats can be prevented, suppressed or neutralized by organizational, legal, physical protection and software/hardware methods.

Organizational and legal methods primarily involve the development of a set of regulatory legal acts and bylaws governing information relations, together with guides and procedural regulations for information security support. These regulations form the basis on which an information security licensing system is established and information security techniques and facilities are standardized. In turn, organizations must build and operate security systems for sensitive and confidential data; these systems are subject to certification and qualification against the requirements of the information security guides. A major step in developing automated NM A&C systems is drawing up job descriptions and regulations governing personnel conduct in various situations, and operations require these instructions to be strictly observed.

Physical protection of rooms, communication lines, data transmission channels and information carriers must be organized to prevent information from being physically infiltrated, stolen or intercepted. Physical protection is highly instrumental to information security: as we shall see when looking at the classification of computerized NM A&C systems, it is precisely physical protection that allows base software certified to information security Class 3 to be used for NM accounting.

Finally, the design and creation of computer networks immediately requires software- and hardware-based countermeasures to information security threats; their role grows where open data transmission channels are used. In brief, the following measures are used:

avoidance of unauthorized access to data;

prevention of deliberate actions leading to destruction, deletion or corruption of information, or to malfunction of equipment using information technologies;

detection of implanted software and hardware devices (bugs);

use of data security features, including cryptographic ones, for transmission of information over communication channels.

Planning of countermeasures to deliberate information security threats needs to take into account that, despite the publicity the media give to outside attacks on computer systems, much greater damage may come from internal security violations. Data from a computer crime research center [10] indicate that 70% of security violations in 2002 took place within organizations, often caused by disgruntled staff. Crucial in this respect are a careful staffing policy and a correct distribution of personnel responsibilities, so that security never depends on a single person.

8.4. Standards on information security in automated NM A&C systems

There is a rather extensive list of Rosatom documents pertaining to information security in the automated systems of the ministry's enterprises and organizations; they are listed in the industry standard on equipment of NM accounting and control systems [1]. The industry standard contains provisions dealing with information security both in terms of data access security and in terms of reliability of data storage. This section considers the Russian standards on information access security that are expected to guide developers of NM A&C systems in designing data security features. The prime document establishing the classification of NM A&C systems and governing the requirements to information access security in them is a guide of Russia's State Technical Commission (Gostekhkomissiya) and Ministry for Atomic Energy (Minatom) entitled "Requirements to Information Access Security in Automated Nuclear Material Accounting and Control Systems", approved in January 1997 [9]. This document also contains requirements to the certification of information security features for such systems and qualification requirements to NM A&C systems.

The document was developed on the basis of the 1992 information security guides of Russia's Gostekhkomissiya [4–8]. There are precedents of computerized NM A&C systems being qualified against those criteria rather than the 1997 requirements. Finally, on 1 January 2004 a new standard, ISO/IEC 15408-99 [11–13], developed on the basis of the international Common Criteria, came into force in Russia. This was an important step in the development of the information security regulatory framework, because it introduced up-to-date approaches and requirements for the security of information systems in Russia. In the longer term, harmonizing domestic and international requirements in the field should allow Russian software developers to enter foreign software markets. Still, the introduction of the new standard does not make the requirements of Gostekhkomissiya's guides null and void.

In the near term, the state of the art in regulatory computer security requirements is expected to be greatly influenced by the Federal Law on Technical Regulation that took effect on 1 July 2003. Below we briefly discuss the concerns and tasks arising from the newly adopted law.

8.4.1. Requirements to information access security in automated NM A&C systems

This document was developed by the Russian Federal Nuclear Center – All-Russian Research Institute of Experimental Physics (RFNC-VNIIEF) and the Pacific Northwest National Laboratory (PNNL), USA, as part of an agreement to upgrade the physical protection, accounting and control of nuclear material in the Russian Federation. Its prime objective is to form a regulatory framework for certifying, against information security requirements, automated NM A&C system software built on Microsoft's commercial software products. The document introduces a classification of automated NM A&C systems, defines requirements to information access security features depending on the class of the NM A&C system and, finally, specifies certification and qualification requirements to information security features.

Classification of NM A&C systems

Classification of NM A&C systems is introduced for the purpose of developing and employing valid measures to achieve the required level of information security. The security class is determined by the NM A&C system user and developer with involvement of information security experts. The following system features are used as criteria in establishing the class of security:

presence in the NM A&C system of information of different secrecy levels;

level of the user authority for access to classified information;

procedures and conditions of deployment and operation, and the physical security status of the NM A&C system computers.

Based on the estimates for these factors, the requirements establish three security classes for automated NM A&C systems. The highest of these is Class 1.

Class 3 includes NM A&C systems which are characterized by:

the presence of information of strictly one secrecy level;

all access subjects (except the administrator) having equal rights (powers) of access to the NM A&C system information;

all NM A&C computers installed within a controlled area and having no external physical information communications (leading beyond the controlled area).

Class 2 includes NM A&C systems which are characterized by:

the presence of information of several secrecy levels;

subjects of access having different rights of access to the NM A&C system information;

all NM A&C system computers installed within one or more controlled areas and having no open external physical information communications.

Class 1 includes NM A&C systems which are characterized by:

the presence of information of several secrecy levels;

subjects of access having different rights of access to the NM A&C system information;

the NM A&C system computers installed within a controlled area and having external physical information communications with computers outside the NM A&C system.

All currently certified base software falls into Class 3 only. Table 8.1 presents the software products certified for use in computerized NM A&C systems.

Table 8.1. Base software certified for use in computerized NM A&C systems

Software type                        Description
Operating systems                    MS Windows NT 4.0 Workstation (Russian) with the SP3 or SP5 update package
                                     MS Windows NT 4.0 Server with the SP3 or SP5 update package
                                     MS Windows NT 4.0 Server Enterprise Edition with the SP5 update package
Database management systems (DBMS)   Microsoft SQL Server, version 6.5, with the SP4 or SP5a update package
                                     Oracle7 Server and Workgroup Server, version 7.3.4.0.0
                                     Oracle8i Enterprise Edition, version 8.1.7.0.0

The major problem hampering the evolution of computerized accounting at this stage of the Federal Information System development is the absence of base software certified higher than Class 3. A Class 3 NM A&C system is expected to contain information of only one secrecy level, whereas the industry's enterprises often handle materials of different secrecy levels. In this case, meeting Gostekhkomissiya's requirements leads either to the creation of at least two segregated local area networks, one per secrecy level, or to raising all materials to the maximum secrecy level. The former entails a dramatic increase in the cost of building the network, while the latter makes it much harder for personnel to handle material that was originally of low secrecy. Finally, the last but not least requirement demands that the whole enterprise be located within one site, which is not feasible for large fuel cycle enterprises. The only solution in this case is to build the components of the computerized system at separate sites and to exchange information between them by dispatching information carriers by special hand delivery.

Therefore, the task at hand is to have base software certified to information access security class 2. Class 1 NM A&C systems will be needed in the event where it is necessary to transmit information over open information channels. This requirement is now part of the Federal Information System (FIS) development program for the period up to the year 2010.

Requirements to information access security systems depending on the NM A&C system classes

The requirements of Gostekhkomissiya identify four subsystems of the Information Access Security System (IASS). These are:

an information access control subsystem;

a logging and accounting subsystem;

a cryptographic subsystem;

an integrity support subsystem.

Certification and qualification requirements are specified for each subsystem depending on the NM A&C system class. Table 8.2 lists the requirements, by class, for the various components of these four subsystems. "+" means a requirement applies to the given class, and "–" means there is no such requirement.

Table 8.2. Requirements to the IASS subsystems by NM A&C system class ("+" requirement applies, "–" no requirement)

Subsystems and requirements                                             III   II    I
1. Access control subsystem
1.1. Identification, authentication and control of access of subjects:
     when logging into the operating system                              +    +    +
     when accessing the DBMS                                             +    +    +
     when accessing OS objects (workstations, servers, networks,
       domains, communication channels, ports, storage areas,
       peripherals and network components, processes, disks,
       volumes, catalogs, files, etc.)                                   +    +    +
     when accessing DBMS objects (files, tables, indices, records,
       entry fields, diagrams, procedures, etc.)                         +    +    +
1.2. Control of data transmitted (received) over the network             –    +    +
1.3. Limitation of the processes that may access data                    –    +    +
1.4. Control of information flows                                        –    +    +
2. Logging and accounting subsystem
2.1. Logging and accounting of:
     login/logout of access subjects (workstation, server)               +    +    +
     output of printed (graphic) documents                               +    +    +
     launch (closure) of all programs (processes, tasks)                 +    +    +
     access of software (processes, programs, tasks) to secured
       files and catalogs                                                +    +    +
     access of software (processes) to network fragments and
       components (domains, servers, workstations), ports (lines,
       communication channels), peripherals, network devices and
       processes                                                         –    +    +
     access to DBMS objects (files, tables, indices, records,
       entry fields, diagrams, procedures, etc.)                         +    +    +
     changes in access subject powers and access object status           –    –    +
     creation of secured access objects                                  –    +    +
     all network data exchange failures                                  –    +    +
     establishment of communication between remote processes             –    –    +
2.2. Accounting of information carriers                                  +    +    +
2.3. Cleaning (zeroing, initialization, depersonalization) of
       vacated computer and external storage areas                       –    +    +
2.4. Alarms on attempted compromises                                     –    –    +
3. Cryptographic subsystem
3.2. Use of certified encryption-based safeguards                        –    –    +
4. Integrity assurance subsystem
4.1. Software and processed data integrity assurance                     +    +    +
4.2. Connection integrity assurance                                      –    –    +
4.3. Data transmission and delivery proofing                             –    –    +
4.4. Physical protection of rooms, computers and information carriers    +    +    +
4.5. Presence of an information security administrator (service)
       in the A&C system                                                 –    +    +
4.6. Periodic testing of the IASS                                        +    +    +
4.7. Presence of IASS recovery facilities                                +    +    +
4.8. Use of secure communication lines                                   –    +    +
4.9. Use of certified firewalls                                          –    –    +
4.10. Use of certified security features                                 +    +    +

Requirements to certification of the IASS depending on the NM A&C system classes

Certification of information security features (ISF) is understood as establishing the conformity of the ISF to a set of requirements that ensure protection of data of the respective secrecy level. The procedures for mandatory ISF certification and the organizations authorized to carry it out are described in detail in the section "Development and Commissioning of Computerized NM A&C Systems". This section presents the certification requirements to the different subsystems of an A&C system depending on its class. The requirements for a higher class automatically include those for a lower class.

Below, we set forth the requirements for Class 3 A&C systems. The requirements to the components of the access control subsystem demand the following:

identification and authentication of users logging into the operating system;

identification and authentication of users when accessing the database management system (DBMS);

identification of servers, workstations, peripherals and network components by physical addresses;

identification of subjects and objects by names;

identification of the database objects by names.

We shall explain some of the concepts. Identification is the process by which the system establishes who the user claims to be: the user logging in enters an identifier (login). Authentication verifies that claim, that is, that the identifier was entered by its rightful owner; to this end the user enters a password (a secret word) known only to him or her. Gostekhkomissiya's requirements establish that a password must comprise no fewer than 8 characters. Beyond this requirement, recommendations exist based on long practice: a password should use not only letters but other symbols as well, characters should be entered in mixed case, and a password must never be a meaningful word or contain personal information. All this makes the password harder to crack by automated means. The length of 8 characters was chosen because exhaustive search of all 8-character combinations took about half a year on a then-current computer, which is about the period after which a password expires anyway. Today, because of increased computing power, the recommended password length is no fewer than 10 characters. User passwords should be accessible only to specially authorized personnel (administrators). A password expiry date is to be fixed, with passwords changed periodically.
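The rules above can be written down as a checker, together with the keyspace arithmetic behind the length recommendation. This is an added example, not code from the book or from the Gostekhkomissiya documents; the word list, the personal-information items and the guess rate are constructed assumptions.

```python
"""Password policy check and exhaustive-search arithmetic.

Added example, not part of the book. It encodes the rules stated in the
section: minimum length (8 characters by the Gostekhkomissiya requirement,
10 recommended today), letters plus other symbols, mixed case, no
dictionary word, no personal information. The word list and the guess
rate used below are constructed assumptions for illustration.
"""
import string

REQUIRED_MIN_LENGTH = 8      # Gostekhkomissiya requirement cited in the text
RECOMMENDED_MIN_LENGTH = 10  # current recommendation cited in the text

# Tiny constructed word list standing in for a real dictionary (assumption).
DICTIONARY = {"password", "reactor", "uranium", "secret", "admin"}


def check_password(password, personal_info=(), min_length=REQUIRED_MIN_LENGTH):
    """Return the list of policy violations; an empty list means the password passes.

    personal_info: strings (names, dates of birth, ...) that must not appear.
    """
    problems = []
    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")
    if not any(c.isalpha() for c in password):
        problems.append("contains no letters")
    if not any(c.isdigit() or c in string.punctuation for c in password):
        problems.append("contains only letters (no digits or other symbols)")
    if not (any(c.islower() for c in password) and any(c.isupper() for c in password)):
        problems.append("does not mix upper and lower case")
    lowered = password.lower()
    # "Password1!" is still the dictionary word once digits and punctuation are stripped
    if lowered.strip(string.digits + string.punctuation) in DICTIONARY:
        problems.append("is a dictionary word")
    for item in personal_info:
        if item and item.lower() in lowered:
            problems.append(f"contains personal information ({item!r})")
    return problems


def alphabet_size(password):
    """Symbols an attacker must try per position, given the character classes actually used."""
    size = 0
    if any(c.islower() for c in password):
        size += 26
    if any(c.isupper() for c in password):
        size += 26
    if any(c.isdigit() for c in password):
        size += 10
    if any(c in string.punctuation for c in password):
        size += len(string.punctuation)   # 32 printable ASCII punctuation symbols
    return size


def exhaustive_search_days(length, alphabet, guesses_per_second):
    """Days needed to try every `length`-symbol combination over `alphabet` symbols.

    The text's "about half a year for 8 characters" corresponds to one guess
    rate of its time; here the rate is a parameter, so the effect of moving
    from 8 to 10 characters (alphabet**2 times more work) can be read off.
    """
    return alphabet ** length / guesses_per_second / 86400
```

Note that `check_password` reports every violated rule rather than stopping at the first one, so an administrator can see at a glance why a proposed password was rejected; `exhaustive_search_days` makes explicit that adding two characters multiplies the attacker's work by the square of the alphabet size, which is the reasoning behind moving from 8 to 10 characters.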

A subject of the system is any system process initiated by the user and run on the user's behalf. An object of the operating system, or a database object, is any resource in the OS or the DBMS. This is discussed in more detail in the "Base Software" section.

The following requirements are imposed on components of the logging and accounting subsystem. The following events are subjected to logging:

user login/logout into/out of the operating system, as well as logging of the operating system loading and programmed shutdown;

launch/closure of all programs;

attempted access of software to secured files and catalogs;


access to database objects.

Logging facilities should be accessible only to the administrator and should provide him or her with means of viewing and searching the stored events by the above parameters and of archiving them.

The following should be indicated during logging:

time and date of the user login/logout into/out of the system and of the system loading/shutdown;

the identifier of the user initializing the process;

the result of the action (successful or unsuccessful – unauthorized).

When files or database objects are accessed, specification of the access object and the code of the operation requested for are also logged.
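As an added example (not code from the book), the record layout below carries exactly the fields the section lists: date and time, event, identifier of the user who initiated the process, result (successful or unauthorized), and, for file and database object access, the object specification and the operation code. The log lines, the event names and the separator format are constructed for illustration. The alarm function goes one step beyond the Class 3 requirements towards item 2.4 of Table 8.2 (alarms on attempted compromises) by flagging users with repeated unauthorized attempts in a short window.

```python
"""Audit-record parsing and review for the logging and accounting subsystem.

Added example, not part of the original text. The record layout
'date time;event;user;result;object;operation' and the sample lines are
constructed; the fields are the ones the section requires to be logged.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

OBJECT_EVENTS = {"FILE_ACCESS", "DB_ACCESS"}   # these must also carry object and operation code


@dataclass(frozen=True)
class AuditRecord:
    when: datetime
    event: str       # LOGIN, LOGOUT, BOOT, SHUTDOWN, PROC_START, PROC_END, FILE_ACCESS, DB_ACCESS
    user: str        # identifier of the subject that initiated the action
    result: str      # "OK" (successful) or "UNAUTH" (unsuccessful, unauthorized)
    obj: str         # access object specification (empty where not applicable)
    operation: str   # requested operation code (empty where not applicable)


def parse_record(line):
    """Parse one line; raise ValueError when a mandatory field is missing or malformed.

    Rejecting incomplete records is deliberate: an object access without an
    object or operation code would otherwise pass unnoticed as a normal event.
    """
    parts = line.rstrip("\n").split(";")
    if len(parts) != 6:
        raise ValueError(f"expected 6 fields, got {len(parts)}: {line!r}")
    when, event, user, result, obj, operation = parts
    if not (event and user) or result not in {"OK", "UNAUTH"}:
        raise ValueError(f"missing event/user or bad result: {line!r}")
    if event in OBJECT_EVENTS and not (obj and operation):
        raise ValueError(f"object access without object/operation: {line!r}")
    return AuditRecord(datetime.strptime(when, "%Y-%m-%d %H:%M:%S"),
                       event, user, result, obj, operation)


def is_valid_record(line):
    try:
        parse_record(line)
        return True
    except ValueError:
        return False


def parse_log(text):
    return [parse_record(l) for l in text.splitlines() if l.strip()]


def unauthorized_by_user(records):
    """Count unsuccessful (unauthorized) actions per user identifier."""
    counts = defaultdict(int)
    for r in records:
        if r.result == "UNAUTH":
            counts[r.user] += 1
    return dict(counts)


def compromise_alarms(records, threshold=3, window=timedelta(minutes=1)):
    """Users with at least `threshold` unauthorized attempts inside one sliding window."""
    alarms = set()
    recent = defaultdict(list)
    for r in sorted(records, key=lambda r: r.when):
        if r.result != "UNAUTH":
            continue
        times = recent[r.user]
        times.append(r.when)
        while times and r.when - times[0] > window:   # drop attempts outside the window
            times.pop(0)
        if len(times) >= threshold:
            alarms.add(r.user)
    return sorted(alarms)


# Constructed sample log (not a real system's output).
SAMPLE_LOG = r"""
2004-03-15 08:58:00;BOOT;system;OK;;
2004-03-15 09:12:03;LOGIN;ivanov;OK;;
2004-03-15 09:12:40;PROC_START;ivanov;OK;ACCOUNT.EXE;
2004-03-15 09:13:10;FILE_ACCESS;ivanov;UNAUTH;D:\NM\INVENTORY.DBF;WRITE
2004-03-15 09:13:12;FILE_ACCESS;ivanov;UNAUTH;D:\NM\INVENTORY.DBF;WRITE
2004-03-15 09:13:15;FILE_ACCESS;ivanov;UNAUTH;D:\NM\INVENTORY.DBF;DELETE
2004-03-15 09:20:00;DB_ACCESS;petrov;OK;NM.ITEMS;SELECT
2004-03-15 14:02:00;DB_ACCESS;petrov;UNAUTH;NM.ITEMS;UPDATE
2004-03-15 17:01:00;LOGOUT;ivanov;OK;;
2004-03-15 17:05:00;SHUTDOWN;system;OK;;
"""
```

Running `compromise_alarms(parse_log(SAMPLE_LOG))` flags only `ivanov`, whose three unauthorized write attempts on the inventory file fall within twelve seconds; `petrov`'s single unauthorized update is counted by `unauthorized_by_user` but does not reach the alarm threshold.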

The integrity assurance subsystem should ensure:

integrity of the IASS software and database;

integrity of the IASS database in the DBMS, by isolating it from users and providing online recovery by the administrator.

No class 3 A&C systems have a cryptosystem.

Next, the requirements to Class 2 A&C systems are set forth (in addition to the Class 3 requirements above). The access control subsystem should:

identify communication channels by physical addresses;

control the access of subjects to secured OS resources in accordance with the access matrix, based on the discretionary principle;

control the access of subjects to DBMS objects in accordance with the access matrix, by select, modify, insert, delete and other operations;

limit user access to secured objects to strictly specified processes only;

implement the mandatory principle of access control;

control information flows using the secrecy attributes of subjects and objects;

transmit data over the network together with their secrecy attributes, which must themselves be protected.

Unauthorized operations on networked data and unauthorized duplication of data must be reliably identified as errors and logged accordingly.
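The Class 2 access-control items above can be exercised end to end in a small reference monitor. This is an added example, not code from the book or from the 1997 requirements document: it consults an access matrix per DBMS operation (discretionary principle), admits only strictly specified processes, applies a mandatory check on subject and object secrecy attributes with information-flow control (no read up, no write down), and frames data for the network together with a secrecy attribute protected by a keyed MAC and a sequence number, so that an altered or duplicated frame is identified as an error. Level names, subjects, objects, operations and the shared key are constructed assumptions; the requirements say the attribute must be protected but not how.

```python
"""Access matrix, secrecy labels and labelled network frames.

Added example, not code from the book or from the 1997 requirements
document. Level names, subjects, objects, operations and the key are
constructed assumptions.
"""
import hashlib
import hmac
import json
from dataclasses import dataclass

LEVELS = {"UNCLASSIFIED": 0, "RESTRICTED": 1, "SECRET": 2}   # constructed, low to high
READ_OPS = {"SELECT"}
WRITE_OPS = {"INSERT", "UPDATE", "DELETE"}
SHARED_KEY = b"constructed-demo-key"   # assumption: the text does not say how the attribute is secured


@dataclass(frozen=True)
class Subject:
    name: str
    clearance: str   # secrecy attribute of the subject
    process: str     # process acting on the subject's behalf


@dataclass(frozen=True)
class Obj:
    name: str
    level: str                    # secrecy attribute of the object
    allowed_processes: frozenset  # only these processes may touch the object


class ReferenceMonitor:
    """Decides every request and logs it; a denial is recorded as UNAUTH with its reason."""

    def __init__(self, matrix, objects):
        self.matrix = matrix      # {(subject name, object name): set of permitted operations}
        self.objects = objects    # {object name: Obj}
        self.log = []

    def check(self, subject, object_name, operation):
        obj = self.objects[object_name]
        reason = None
        if operation not in READ_OPS | WRITE_OPS:
            reason = "unknown operation"
        elif operation not in self.matrix.get((subject.name, object_name), set()):
            reason = "DAC: operation not in access matrix"     # discretionary principle
        elif subject.process not in obj.allowed_processes:
            reason = "process not permitted for this object"   # strictly specified processes
        elif operation in READ_OPS and LEVELS[subject.clearance] < LEVELS[obj.level]:
            reason = "MAC: read up denied"                     # mandatory principle
        elif operation in WRITE_OPS and LEVELS[subject.clearance] > LEVELS[obj.level]:
            reason = "MAC: write down denied"                  # information-flow control
        granted = reason is None
        self.log.append((subject.name, object_name, operation,
                         "OK" if granted else f"UNAUTH: {reason}"))
        return granted, reason


def seal(seq, level, payload):
    """Frame data for the network with its secrecy attribute, a sequence number and a keyed MAC."""
    body = json.dumps({"seq": seq, "level": level, "payload": payload}, sort_keys=True).encode()
    return body, hmac.new(SHARED_KEY, body, hashlib.sha256).hexdigest()


class Receiver:
    """Altered attributes or data and duplicated frames are rejected and recorded as errors."""

    def __init__(self):
        self.seen = set()
        self.errors = []

    def accept(self, body, tag):
        expected = hmac.new(SHARED_KEY, body, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, tag):
            self.errors.append("attribute or data altered")
            return None
        msg = json.loads(body)
        if msg["seq"] in self.seen:
            self.errors.append(f"duplicate frame seq={msg['seq']}")
            return None
        self.seen.add(msg["seq"])
        return msg["level"], msg["payload"]


# Constructed sample configuration.
OBJECTS = {
    "INVENTORY": Obj("INVENTORY", "RESTRICTED", frozenset({"nmac.exe"})),
    "SECRET_STOCK": Obj("SECRET_STOCK", "SECRET", frozenset({"nmac.exe"})),
}
MATRIX = {
    ("ivanov", "INVENTORY"): {"SELECT", "UPDATE"},
    ("ivanov", "SECRET_STOCK"): {"SELECT"},
    ("petrov", "INVENTORY"): {"SELECT", "INSERT"},
}
IVANOV = Subject("ivanov", "RESTRICTED", "nmac.exe")     # may update INVENTORY, may not read SECRET_STOCK
PETROV = Subject("petrov", "SECRET", "nmac.exe")         # may read down, may not write down into INVENTORY
PETROV_EXCEL = Subject("petrov", "SECRET", "excel.exe")  # wrong process for INVENTORY
```

The order of the checks matters: the access matrix alone would let `ivanov` read `SECRET_STOCK` and let `petrov` insert into `INVENTORY`, and it is the mandatory check on the secrecy attributes that stops the first (read up) and the flow check that stops the second (write down, which would move SECRET-level knowledge into a RESTRICTED object). On the network side, the receiver rejects a frame whose label was changed in transit and a frame replayed with an already-seen sequence number, which is the "unauthorized duplication identified as an error" requirement.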

We shall clarify the requirement of the mandatory principle of access control. Theoretically, there are two basic principles (models) of controlling access to resources: the discretionary model and the mandatory model. Under the discretionary principle, each object carries an access control list, i.e. a list of users permitted access. An access matrix is specified for each user, that is, what action exactly the given user