ML20138H674

From kanterella
NRC Computer Security News
Issue date: 01/06/1997
From: NRC
References: NUREG-BR-0237, NUREG-BR-0237-V01-N1, NUREG-BR-237, NUREG-BR-237-V1-N1, NUDOCS 9701060167


Text


Fall 1996 • NUREG/BR-0237, Vol. 1, No. 1

NRC Computer Security NEWS

Security in Today's Electronic Communications Infrastructure

A new electronic communications infrastructure (ECI) is developing at today's organizations, and it seems possible that, for once, information security concerns may be taken into account in implementations. As more companies use the Internet in conjunction with their intranets to build the ECI that stores, processes, transmits and delivers the information at the core of their business, security and audit services become essential to survival and competition. Information-security professionals must get involved in creating, evaluating and deploying the security, audit and control capabilities for the ECI at their company.

Changes.

The state of the information-technology industry is rapidly changing because of the deployment of the ECI for business. LANs and WANs abound in both large and small companies. These LANs and WANs are being transformed into intranets and then rapidly connected to the Internet in order to build this ECI. It is happening faster than past technology deployment because of the low cost, technical knowledge and availability of the many enabling components. In addition to the change and the rapid pace of connectivity and deployment within the information-technology environment, securing, auditing and controlling the heterogeneous ECI in any corporation brings challenges with new dimensions. An increasingly mobile work force, plus the requested or required access to information systems by other external entities, necessitates secure remote-access services. [...] environments are [...] composed of multiplatform technologies. As the ECI is built across these [...], interoperability and network management prove critical. This has spawned several new standards to surface in order to secure, audit and control the multiplatform ECI. Just in the last year, vendors and industry groups have started discussing potential standards for e-mail, authentication, directory and naming services, key and certification management and encryption services.

(continued on next page)

White House Reports On Espionage

At least 12 countries actively target U.S. proprietary economic information and critical technologies, according to a new White House report on industrial espionage. Another 26 countries have been involved in suspicious incidents that may involve industrial intelligence collection, the report says. These countries have shown particular determination, and in most cases a willingness to use illegal and covert means, to collect U.S. economic and technological information, the report concludes.

This is the second Annual Report to Congress on Foreign Economic Collection and Industrial Espionage. It was submitted by the President to Congress, after being prepared by the National Counterintelligence Center.

[Chart caption: As many as 38 countries are involved in suspicious incidents of industrial intelligence collection.]

In this issue:
Security in communication
White House on Espionage
Navy Wins
Auditor Concern
Visa services
Electronic commerce
Reno's Response Team
RSA and Japan's N[...]

If you have computer security questions contact: Louis Numkin, 301-415-590[...], or Louis Grosman, 301-415-5[...].

NRC COMPUTER SECURITY

9701060167 970106 PDR NUREG BR-0237 R PDR

Security in Today's Electronic Communications Infrastructure (continued from page 1)

Solutions.

Information-security professionals must get aggressively involved in the development of the ECI at their companies and champion the development of the security framework. Areas to focus on include the enterprise e-mail, cross-platform authentication and application integration from a security and audit perspective. Several mature technology solutions should be reviewed before building this framework. These include trusted systems with C2 and higher assurance levels; hardware and operating systems for the desktop, network and mainframe; operating-system capabilities for access control, audit and other controls; and firewalls with a well-defined perimeter. Emerging technologies and advancements should also be explored when building the ECI security framework. Recent developments are certain to change the current firewall paradigm and, thus, are worth reviewing. Also, the directory and public-key infrastructure must be developed with the ECI in mind. Strong authentication services for enterprise and remote users will be required. A secure ECI will likewise demand encryption services that provide integrity, confidentiality and nonrepudiation.

Fortunately, recent developments will help in the quest to define, develop and deploy security for an ECI. For instance, examine some alternatives such as authentication services; NDS, CMC and SSOSS technology directions from Novell; Microsoft Security Framework and CAPI technology directions; and industry-directory and public-key-management technology.

This article was written by Carl Allen and appeared in InfoSecurity News magazine.

Auditors Express Concern

Auditors see a large and growing risk to information systems, according to a survey conducted by Andersen & Co. Inc. in Chicago, Ill. The consultancy surveyed 51 internal and information-systems auditors and found significant concern about the level of risk involved with remote access and Internet access, in particular. [...] appropriate controls for the level of risk, many reported progress in implementing such controls. When asked what their organizations have done to control various technologies, only 25 percent said that they had implemented controls for Internet access, and only 42 percent said that they had implemented controls for remote access to data and systems. Even fewer have controls in place for voice mail, PBX systems, cellular communications or groupware and workflow systems. See chart below.

[Chart: Auditor Survey, Risk-Controls Comparison. Categories: laptop/notebook computers; remote access to data and systems; cellular communications; voice mail and PBX systems; Internet access; groupware and workflow systems.]

Remember your password:
Protects all your data
Should be kept private
Should be changed regularly
Should not be written down

Navy Wins

The U.S. Navy needed a switching device to physically separate access to classified material from nonclassified computer networks (including the INTERNET). Military security constraints prevented electronic switches from being used. Repeated physical connect-disconnect operations placed abnormal wear and tear on computer cable connectors and caused many system failures.

Mr. S. Bouthillier, a Navy security officer, found a viable cost-effective solution by redesigning a commercial A-B computer network switch and using a non-woven shielding fabric to reduce electro-magnetic crosstalk to below levels specified by NSA standards. It has been tested and is the only one approved for classified-unclassified network connections throughout DOD. The switch costs about $300 plus [...]. A patent for Mr. Bouthillier is currently pending.

For details on the highly secure electronic switch mentioned in "Navy Wins" Fax 516 294-2649.

Evaluating Security Solutions
by Peter R. Stephenson

Lately I have received several requests to help evaluate security solutions. Typically, a prospective client calls wanting me to help pick a product to secure the corporate network. But upon questioning, the caller confesses that the company has conducted no risk assessment, prepared no overview of the network and written no security policy. Essentially, somebody's boss heard about the dangers of hooking up to the Internet and told this unfortunate lackey to go out and buy something to protect the network.

Evaluation tips.

Over the years, I have come up with some approaches to product evaluations. Perhaps they can be of help to you.

First, base your evaluation on a set of standards. Usually this includes the policy, standards and practices of your organization. Failing that, use a simple standard like C2. Base your evaluation on how well the product meets your chosen standard and use a structured evaluation approach. Second, make clear to the vendor in advance the basis upon which you will make your selection. Describe your network, environment and requirements clearly. Tell the vendor that you will be making a technical as well as an operational decision and you expect the vendor's presenter to be competent enough to answer technical questions. If your organization is corporate, insist that the presenter have experience in the corporate environment. Insist also upon customer references. Third, make a pilot part of the overall implementation plan and make sure this is acceptable to the vendor. Today's enterprise systems are quite complex; a canned demo in a conference room will not tell the tale in your, or any, real environment. Final purchase of the product for global implementation should be dependent upon a successful pilot.

One reason that companies call in a consultant for help is because they often mistrust vendors. These fears sometimes seem justified. During a recent evaluation of enterprise-security products for a client, I found that, in most cases, the vendor presenters knew little about security in a real corporate environment. They also had gaping holes in their knowledge of their own products and often misrepresented the functionality of those products.

The presentation of product says a lot about the quality of the company. I frequently disqualify vendors that cannot provide competent presenters to show their product. If these presentations reflect the company as a whole, I will likely have difficulty with implementation and support later.

Importantly, the client must do the preparation that comes before the product phase. Good security products all have one thing in common, whether they are firewalls, access-control systems or encryption devices: they enforce security policy. If you do not have a policy and you have not identified sensitive security interfaces that need protection, you cannot, with confidence, select a suite of security products to help you.

There is one more message for this group of organizations: security will change the way you do business. Obviously you want to change as little as possible, but change is inevitable. You will also experience the need to compromise. Some functions that you do or want to do may not be consistent with good security practices. Competent products will enforce good practices, and you may need to work a bit at finding an acceptable middle ground between security and functionality. Never blame a security product for doing what it was designed to do (provide security) or when it places a barrier in the way of a dangerous practice.

Crosstalk

[Word-search puzzle grid omitted.] First, locate these words above, then see if you know their meaning. All words have been used in this issue: BPS, Crosstalk, ECI, Intranet, McAfee, Usenet.

BPS: bits per second (it takes 8 to transmit 1 character)
Crosstalk: electromagnetic spill over from one circuit to another
ECI: electronic communications infrastructure
Intranet: An internal network using Internet protocols
McAfee: major antivirus manufacturer; others are IBM and Symantec
Usenet: The Internet's e-mail system

Data Backup

Why is it important to back up your data? Suppose a computer virus infects your PC or Workstation or your hard drive "crashes." Now imagine you had no means to recover your lost critical information: you had to reenter all lost data. That would be terribly time consuming. But, if you had backup copies of all your critical data, recovery would be much simpler.

It is important to realize that the NRC Local Area Network (LAN) does not automatically backup the files found on your hard drive. Automatic backups are made only of files stored on the server. Therefore, it is your individual responsibility to backup important data stored on your hard drive.

Visa Services

Visa International and VeriSign Inc. will team to provide digital-authentication services for Internet access and electronic commerce, using the Secure Electronic Transactions (SET) protocol. VeriSign will provide SET-compliant digital certificates to Visa members, including card-holders and banks.

The system is designed to prevent merchants from stealing credit card numbers at the point of transaction during online purchases. Merchant handling of credit cards is a current problem with traditional credit card use, resulting in hundreds of millions of dollars in fraud according to some estimates. Under the Visa/VeriSign system, the merchant would use only the digital certificate and the customer's public key in verifying the card-holder's identity and in checking their available credit.

Reno Calls For Computer Attack Response Team

Attorney General Janet Reno announced a proposal for a rapid-response team to react to attacks made on computer networks and communications systems. The plan requires approval from Congress.

The proposal calls for an interagency organization, headed by the Federal Bureau of Investigation, to prepare to quickly respond to terrorist attacks on nationally vital systems, including the Internet. Reno has expressed concern in the past about the ability of overseas hackers to infiltrate and disrupt the telecommunications systems on which the government, financial institutions and other industry depend.

Virus Update

[...] hard drives was posted to several Usenet groups and may be spreading without detection. The Hare Krsna virus was scheduled to trigger on August 22nd and September 22nd. Several updates to [...] may [...]. According to a report in Virus Bulletin, [...] a PC infected with Hare Krsna will display the message "HDEuthanasia by Demon Emperor: Hare Krsna, [...]". The virus will then attempt to erase all hard drives on the system. Two other recent viruses are drawing attention as well: Tentacle, a polymorphic [...], and the Laroux virus, although most [...] reported to be [...] Excel macro virus [...].

Senate Hears Hacking Testimony

The Senate's Permanent Investigations Subcommittee followed an eight-month probe into the topic of computer security with hearings on Capitol Hill. The subcommittee focused on the effects of hacking on the banking industry.

A survey initiated as part of the probe found that major banks and corporations suffered approximately $800 million in losses last year alone. These costs are hidden from view, according [...] on the federal forms that they are by law required to submit.

"Without reliable threat-assessment data, we can neither conduct meaningful risk management nor structure a coherent national response to this issue," Sen. Sam Nunn said as part of a hearing's opening statement. "This is one area where we cannot afford to be operating in the dark."

Electronic Commerce

A task force representing more than 250 electric utilities, public utilities and utilities cooperatives has announced a plan to develop a system for Internet-borne secure electronic commerce. The Joint Transmission Services Information Network (JTSIN) hopes to have the system in place later this year. The group claims that this will be the largest venture to date between multiple corporations for the exchange of confidential data over the Internet.

JTSIN was created in response to Federal Energy Regulatory Commission requirements for real-time information networks through which utilities will provide information about transmission-grid capacity over the Internet. The task force has enlisted TradeWave Corp., BSG Alliance/IT Inc. and Cegelec ESCA to develop the [...].

RSA

RSA Data Security Inc. continued its back-door approach to defeating the U.S. government's [...] encryption chips based on RSA [...] technology. By manufacturing the products in Japan, the partners skirt U.S. export controls. RSA, of Redwood City, Calif., is a vocal opponent of U.S. key escrow. The products, which use 56-bit encryption keys, are expected to be on the market by [...].