Burgess M.Principles of network and system administration.2004.pdf

Chapter 11

Principles of security

The need for an integrated view of security has been emphasized throughout this book: security management cannot be separated from network and system administration because security requires a fully systemic approach. However, it is important to identify some principles of security management in isolation, in order to better understand them and underline their importance. In this and the next chapter, we dissect security into its constituent parts.

Security is about protecting things of value to an organization, in relation to the possible risks. This includes material and intellectual assets; it includes the very assumptions that are the foundation of an organization or human–computer system. Anything that can cause a failure of those assumptions can result in loss, and must therefore be considered a threat. In system administration terms this often means a loss of data or availability in the computing system, but that is really just the tip of the iceberg. The number of ways in which this can occur is vast – making security a difficult problem.

In order to have security, we must sacrifice a certain level of convenience [171] for a measure of discipline. This promotes systems with predictable behavior, where one can arrange to safeguard the system from unpleasant occurrences. To develop computer security by assuring predictability, we have to understand the interrelationships between all of the hosts and services on our networks as well as the ways in which those hosts can be accessed. A system can be compromised by:

Physical threats: weather, natural disaster, bombs, power failures etc.

Human threats: cracking, stealing, trickery, bribery, spying, sabotage, accidents.

Software threats: viruses, Trojan horses, logic bombs, denial of service.

Protecting against these issues requires both pro-active (preventative) measures and damage control after breaches. Our task is roughly as follows:

Identify what we are trying to protect.

Evaluate the main sources of risk and where trust is placed.

Work out possible or cost-effective counter-measures to attacks.

424

CHAPTER 11. PRINCIPLES OF SECURITY

Security is an increasingly important problem. In recent years the number of attacks and break-ins to computer systems has risen to millions of cases a year. Crackers or hackers [1] have found their way inside the computers of the Pentagon, the world’s security services, warships, fighter plane command computers, banks and major services such as electrical power grids. With this kind of access the potential for causing damage is great. Computer warfare is the next major battlefield to subdue; it is going on now, as you read these words: it is here, like it or not. It is estimated that the banks lose millions of dollars a year to computer crime.

Security embraces other issues such as reliability. For instance, many computers are used in mission-critical systems, such as aircraft controls and machinery, where human lives are at stake. Thus reliability and safety are also concerns. Real-time systems are computer systems which are guaranteed to respond within a well-defined time limit when a request is made of them. This is a kind of quality of service (see section 10.8). That means that a real-time system must always be fast enough to cope with any demand which is made of it. Real-time systems are required in cases where human lives and huge sums of money are involved. For instance, in a flight control system it would be unacceptable to give a command ‘Oh my goodness, we’re going to crash, flaps NOW!’ and have the computer reply with ‘Processing, please wait...’.

Security is a huge subject, because modern computer systems are complex and the connectivity of the Internet means that millions of people can try to break into networked systems. In this chapter we consider the basic principles of security. Having studied this, you might wish to read more about security in refs. [131, 126, 61, 45, 279].

11.1 Four independent issues

For many, security is regrettably perceived as being synonymous with network privacy or network intrusion. Privacy and intrusion are two particular aspects of security, but the network is not our particular enemy. Many breaches of security happen from within, or by accident. If we focus exclusively on network connectivity we ignore the threats from internal employees (e.g. the janitor who is a computer expert and has an axe to grind, or the mischievous son of the director who was left waiting to play in mom’s office, or perhaps the unthinkable: a disgruntled employee who feels as though his/her talents go unappreciated).

Software security is a vast subject, because modern computer systems are complex. It is only exacerbated by the connectivity of the Internet which allows millions of people to have a go at breaking into networked systems. What this points to is the fact that a secure environment requires the control of all parts of a system, not merely at specific access points like login terminals or firewalls.

[1] It is sometimes considered incorrect to call intruders hackers, since hacker has several meanings; in computer communities, hackers are usually thought of as legitimate programmers.


Principle 56 (Security is a property of systems). Security is a property of entire systems, not an appendage that can be added in any one place, or be applied at any one time. It relies on the constant appraisal and re-appraisal (the integrity) of our assumptions about a system. There are usually many routes through a system that permit theft or destruction. If we try to ‘add security’ in one place, an attacker or random chance will simply take a different route.

If we stretch our powers of abstraction even to include loss by natural disaster, then system security can be summarized by a basic principle.

Principle 57 (Access and privilege). A fundamental prerequisite for security is the ability to restrict access to data. This leads directly to a notion of privilege for certain users.

The word privilege does not apply to loss by accident or natural disaster, but the word access does. If accidental actions or natural disasters do not have access to data, then they cannot cause them any harm. Any attempt to run a secure system where restriction of access is not possible is fundamentally flawed.

There are four basic elements in security:

Privacy or confidentiality: restriction of access.

Authentication: verification of presumed identity.

Integrity: protection against corruption or loss (redundancy).

Trust: underlies every assumption.

Some authors include the following as independent points:

Availability: preventing disruption of a service.

Non-repudiation: preventing deniability of actions.

They can also be considered simply as issues of integrity of a service (availability) and the imperviousness of accountability logs (non-repudiation).

The most important issue to understand about security is a basic tenet that is widely unappreciated:

Principle 58 (Security is about trust). Every security problem boils down to a question of whom or what do we trust?

Once we have understood this, the topic of security is reduced to a litany of examples of how trust may be exploited and how it may be improved using certain technological aids. Failure to understand this point can lead to embarrassing mistakes being made.

We introduce the somewhat ill-defined notion of ‘security’ to describe protecting ourselves against parties whom we do not trust. But how do we solve this problem? Usually, we introduce some kind of technology to move trust from a risky place to a safer place. For example, if we do not trust our neighbors not to steal our possessions, we might put a lock on our door. We no longer have to trust our neighbors, but we have to trust that the lock will do its job in the way we expect. This is easier to trust, because a simple mechanical device is more predictable than complicated human beings, but it can still fail. If we don’t entirely trust the lock, we could install an alarm system which rings the police if someone breaks in. Now we are trusting the lock a little, the alarm system and the police. After all, who says that the police will not be the ones to steal your possessions? In some parts of the world, this idea is not so absurd.

Trust is based on assumption. It can be bolstered with evidence but, just as science can never prove something is true, we can never trust something with absolute certainty. We only know when trust is broken. This is the real insight of security – not the technologies that help us to build trust.

Example 15. One of the big problems with security mechanisms is that they hinder people sometimes from taking part in legitimate activities. They are then frequently turned off out of misunderstanding or annoyance, leaving a system unprotected. It is therefore important to educate the managers of security systems about procedures and practices surrounding a secured system. If there is a way to proceed, it should be by an approved channel; if a pathway is blocked, then it should be for a good reason that is understood by all parties.

11.2 Physical security

For a computer to be secure it must be physically secure. If we can get our hands on a host then we are never more than a screwdriver away from all of its assets. Disks can be removed. Sophisticated users can tap network lines and listen to traffic. The radiation from monitor screens can be captured and recorded, showing an exact image of what a user is looking at on his/her screen. Or one can simply look over the shoulder of a colleague while he or she types a password. The level of physical security one requires depends on the sophistication of the potential intruder, and therefore on the value of the assets which one is protecting.

Cleaning staff frequently dust monitors and keyboards, switch off monitors and computers by accident and even pull plugs on computers to plug in their machinery. If a computer serves a valuable purpose, or is vulnerable to accidental input, it is not only attackers we have to protect against. Cleaning staff have keys to the building, so locking an office door will not help here.

Assuming that hosts are physically secure, we still have to deal with the issues of software security, which is a much more difficult topic. Software security is about access control and software reliability. No single tool can make computer systems secure. Major blunders have been made out of the belief that a single product (e.g. a ‘firewall’) would solve the security problem. The bottom line is that there is no such thing as a secure operating system. What is required is a persistent mixture of vigilance and adaptability.