
Plenary - Boundaryless Information Flow: Keeping IT Secure

Day 2: Tuesday 4th February 2003



Securing Information Flow on Critical Networks

Boundaryless Information Flow: Creating the Framework
Terry Blevins, Eliot Solomon

Cyber Risk Management and National Strategy to Secure Cyberspace
Emily Q. Freeman

Secure Internet Communications, and Why Yours Probably are Not
Bill Cheswick

Saving Private Data – Act 2


Introduction

Mike Lambert, CTO, The Open Group

Mike introduced this session by reminding the audience of the comment that had been made yesterday, that security was a systemic and architectural issue rather than simply a technical add-on.

He welcomed Eliot Solomon to the stage.



Boundaryless Information Flow: Creating the Framework - A progress statement and call for action

Eliot Solomon, Eliot M. Solomon Consulting, Inc.
Terry Blevins, The Open Group

Eliot began by saying that he hoped that this presentation would be the start of a mission, to create a Boundaryless Information Flow Reference Architecture.

The Mission is to create a reference IT architecture for enterprises that make Boundarylessness a strategic objective, to put TOGAF to work in a family of targeted architectures embodying the expertise of the forums and the experience of the members, and to create new products for The Open Group to strengthen the organization and aid its mission.

What is the requirement?  Business managers need to be able to explain how their IT architecture is aligned to the corporate strategy;  to be able to show how to cost-effectively address enterprise-wide IT, and to assist in planning and managing corporate information usage.  Meanwhile, technical managers need guidance on managing IT planning and growth, on the identification of optimal and sub-optimal solutions.  They need guidelines on product selection and certification, and on the certification of IT professionals.

End-user deliverables therefore would include some or all of the following:

  • Boundaryless Information Architecture Kit
    • Guide to TOGAF and the Family of Architectures
    • Boundaryless Information Architecture Business Rationale, Scenarios, and Use Cases
    • Reference Architecture
    • Common System Architectures
  • Together with Boundaryless Solution Support Services, such as
    • Standards Information
    • Solutions Recommendations
    • Certification Programs

If we take as the goal to deliver the Reference Architecture, the project would need to follow a plan such as:

  • Winter 2003 (here at Burlingame)
    • Introduce project, enlist participation
  • Spring 2003
    • Deliver the project plan
      • Scope of the architecture and the project
      • Commit Company and other resources
    • Identify the common systems architectures that will be delivered
  • Summer 2003
    • Drafts of Common System Architectures, Business Rationale
  • Fall 2003
    • Drafts of “Guidance on Solution Choices,” Business Scenarios
    • Revised versions of Common System Architectures
  • Winter 2004
    • Acceptance of all documents for Publication
    • Opening of the BIF-SIB
    • Commence next branded architecture project

Eliot then turned to the topic of applying TOGAF so that the theory becomes practice.  In the Universe of Architectures, the various architectures involved - business, network and communications, data and system - need to converge.

What we do at The Open Group is Systems Architectures, which become increasingly specific, from Foundation Architectures, through Common System Architectures, Industry Architectures, to Organization Architectures.

The Business Continuum

The challenge for architects is matching form to function, relating theory to practice, aligning IT strategy with business strategy, and making the choices that make the difference, such as trading costs and benefits, balancing competing objectives, and achieving differentiated results from common elements.

As an example of the sort of choice involved, Eliot considered the trade-off between flexibility (e.g. relational database, ad hoc queries, dynamic client server, customer focus, build-to-order) and capacity (structured database, pre-structured queries, static queues, least cost).

However, all good things come at some cost: the key to good architecture is to know where to spend money for the best effect, and achieving boundarylessness demands careful choices, to make sure the cost is appropriate and to achieve the right set of benefits.

The goal now is to put TOGAF to work to make boundarylessness attainable, by identifying common system architectures that support boundarylessness, and where appropriate, to provide alternatives that make different trade-offs for the goal.

Eliot went on to suggest how the work involved in producing the reference architecture could be shared across the various forums of The Open Group:

The Customer Council could work on a Stakeholder Analysis and the Business rationale for Boundarylessness.  It would carry out requirements-related work such as documenting the use cases and strategic rationales that define or call for a Boundaryless Information Flow architecture.  

The Technical Forums and Work Areas could work on the Common component architectures and Solutions selection guides.  They would document the Common System Architectures, produce the Master Architecture Description, identify “Sub architectures” and how they could recombine, and identify the choices best suited for boundaryless architectures and solutions.

The Boundaryless Architecture Team could take on the development of Master documentation, and regular review meetings - this is not a new forum, but a cooperative activity between existing forums.  It would be a cross-functional, all-company group that leads the creation of the Boundaryless Information Flow Reference Architecture products.  It would coordinate the efforts of the various forums, track progress and facilitate the allocation of resources.

The activity would involve, of course, working with other organizations: other standards organizations, vertical Industry groups, and technology affinity organizations.

Questions

Q: Walter Stahlecker: We should see this as an opportunity to broaden our reach and should be looking for new members to become active participants.

Q: Scott Lewis, IBM: I applaud the initiative from a middleware perspective, and I would emphasize that the focus should be on the boundarylessness issues.

Q: Carl Bunje, Boeing: The Customer Council is an opportunity to feed requirements into the pipeline.



Cyber Risk Management and National Strategy to Secure Cyberspace

Emily Q. Freeman, ARM, AU, Vice President-Western Region & Executive Director of Consulting, AIG eBusiness Risk Solutions

Emily gave a view of the role of the insurance industry, explaining that she dealt mainly with industries rather than with government agencies, and that her role was in evaluating risks in eBusiness.

She briefly described AIG eBusiness Risk Solutions: it was formed in January 2000 as a unit of the American International Group, the largest U.S. based international Insurer, with a mission to evaluate the risks of the new economy and design solutions combining risk management advice, technology and insurance.

She commented that we live in a world where risk cannot be eliminated - this is a business risk, and basic risk management principles are involved.  This is a problem involving people, processes and technology, and people are the key issue: either people who want to take the right decision and can't because they don't know how, or people who for malicious reasons deliberately wish to do harm.

She briefly summarised the security problem:

  • 90% of companies reported at least 1 successful computer attack (FBI/CSI)
  • $2,000,000 average cost per attack for those which can be quantified (FBI/CSI)
  • $13B in damage from viruses in 1991 (National Strategy to Secure Cyberspace)
  • NIMDA - 86,000 computers affected (National Strategy); $500M damages worldwide (Reuters)
  • Code Red- 150,000 computers affected in 14 hours, billions of dollars in damage (National Strategy)
  • Melissa Virus- Estimated Damages: $80M (Best’s Review)
  • “Love Bug” – Estimated Damages: $10B (Best’s Review)
  • 2/200 DOS attacks- Estimated Damages: $1.2B (Yankee Group)

Not to mention cyber-terrorism

“It is very important to concentrate on hitting the U.S. economy through all possible means…look for the key pillars of the U.S. economy. The key pillars of the enemy should be struck…”
Osama Bin Laden, December 2001

The key response in the US had been the President’s Draft National Strategy to Secure Cyberspace, released on September 18, 2002 for a 60 day comment period.  Overall the strategy was for a collaboration between federal government and the private sector, and it made 86 Recommendations plus items for “discussions” and programs.

The key themes in the US National Strategy were:

  • Private Sector action is critical because 85% of infrastructure is private
  • Cyber-attacks are increasing in frequency and severity
  • But government primary role is to encourage not regulate
  • So, public sector must help, facilitate, persuade and create a friendly environment for private action across multiple industries and services
  • There is no technological silver bullet to cyber-threats
  • A Risk Management approach is required.

She quoted an extract from the document:

“The potential adversaries have the intent. The tools of destruction are broadly available, and the vulnerabilities of the nation’s systems are many and well known. These factors mean that no strategy can completely eliminate risk, but the nation can and must act to manage risk…”  Cyberspace Threats and Vulnerabilities: A Case for Action. “Individual and National Risk Management” (p. 5), National Strategy to Secure Cyberspace (Sept 2002)

The response is made up of many components - technological and personal, comprising a Total Risk Management Approach.  Moreover, technology alone cannot eliminate security risk - there is no magic bullet.  And, since even the best combination of people, process and technology will not totally eliminate financial risk, insurance is needed as a financial and service safety net.

“The insurance industry can play a pivotal role in securing cyberspace by creating risk-transfer mechanisms, working with the government to increase corporate awareness of cyber risks and collaborating with leaders in the technology industry to promote best practices for network security.”  (Richard A. Clarke, Chairman of the President’s Critical Infrastructure Board)

She went on to describe the activities of the Private Cyber-Insurance Market.  The first products were created in late 1999/early 2000, with a handful of carriers offering policies of different types and kinds.  Currently one carrier commands 70% of the market but more are coming, and the current market is $100-200M but is expected to grow to $2.5B by 2005 according to the Insurance Information Institute.

Programs typically include low-cost or free security assessment services (with no obligation to buy), property, business interruption and legal liability coverages, and post-incident support funds.  Traditional insurance cannot help because it was written for a world that no longer exists.  Attempting to fit New Economy Risks into Traditional Insurance is like putting a round peg into a square hole. Examples:

CGL- No. Covers only bodily and tangible property. AI/PI section has potential exclusions/limitations in the area of web advertising.

Property- No. 99% of courts have said Data isn’t “property”. “Direct physical loss” requirement not satisfied.

Crime- Requires intent. Only covers money, securities and tangible property.

AIG Cyber Risk Insurance offers six insurance coverages:

  • Web Content Liability covers copyright, trademark infringement, invasion of privacy, deep linking, framing violations etc arising from the content of web site
  • Professional Liability covers acts, errors and omissions in failure to render internet professional services to clients for a fee
  • Network Security third party liability covers legal liability and legal costs for claims arising out of computer attacks caused by failures of security including theft of client information, negligent transmission of computer viruses and denial of service liability
  • Intangible/information property loss covers the cost of recollecting or retrieving data destroyed, damaged or corrupted due to a computer attack; can also cover theft of trade secrets and other information assets
  • Loss of eRevenue covers the cost of lost net revenue arising from a denial of service attack. Especially valuable for e-tailers.
  • Cyber-extortion covers both the cost of investigation and the extortion demand amount.

She summarized her talk as follows:

  • The proposed National Strategy to Secure Cyberspace recommends a Risk Management approach to cyber security.
  • Risk management means efficient use of people, process, technology and risk transfer (insurance).
  • Cyber-insurance programs must include security assessment services, robust coverage and post incident support funds.
  • Cyber-insurance coverage can include:
    • Web content liability, network security liability,
    • Intangible assets damage & theft protection,
    • Business interruption protection, cyber-extortion, express cyber-terrorism

emily.freeman@aig.com; www.aignetadvantage.com (the AIG cyber insurance web site)

Questions

Q: Bob Blakely: How many claims have you had to meet, have you learned from them any best practices, and what happens when all your clients are attacked at once?

A: An event affecting multiple customers is a real issue for insurers, so we spread the risk by reinsuring.  We also keep track of our own risks.  So far as claims are concerned, we are selective in the people we will insure, but some things are to do with the fundamentals of security.  We have also seen the damage that can be done by insiders.  It is important to test applications before they are launched.  There have also been a lot of claims relating to privacy.



Secure Internet Communications, and Why Yours Probably are Not

Bill Cheswick, Chief Scientist, LUMETA Corporation

Bill began by describing the goal of good security: getting to a point where it is possible to relax, with good reason - not dropping one's guard, but being sufficiently secure not to be concerned.  This is a mixture of defenses and good practice - sometimes by keeping things sufficiently simple that the threat can do no harm.

He presented a list of passwords that he had sniffed from the wireless network in the last 24 hours [this slide is not included in the presentation on this web site!].  Fundamentally these were POP3 passwords.  What might have provided a defense against this intrusion?  He suggested two possibilities:

  • APOP authentication: this at least requires dictionary attack to discover the password, and several of these would be resistant to all but brute force attacks
  • POP3 can use SSL/TLS transport, which would fix this - but does your ISP offer the service? - does the client support this access?
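
The two defenses above, as an added example that is not part of the original talk or report: a client-side check that picks the strongest POP3 login the server offers and shows what a listener on the network would see in each case. The function names and sample server responses are constructed for illustration; the greeting timestamp and the secret `tanstaaf` are the example values from RFC 1939.

```python
import hashlib
import re

# Constructed sample server responses (not captured traffic). The greeting
# timestamp and the shared secret "tanstaaf" are the RFC 1939 example values.
GREETING_APOP = "+OK POP3 server ready <1896.697170952@dbc.mtview.ca.us>"
GREETING_PLAIN = "+OK POP3 server ready"
CAPA_WITH_STLS = ["TOP", "UIDL", "STLS", "USER"]   # CAPA reply, RFC 2449
CAPA_NO_STLS = ["TOP", "UIDL", "USER"]

_TIMESTAMP = re.compile(r"<[^<>\s]+@[^<>\s]+>")


def apop_timestamp(greeting):
    """Return the <process.clock@host> banner that signals APOP support, or None."""
    if not greeting.startswith("+OK"):
        return None
    match = _TIMESTAMP.search(greeting)
    return match.group(0) if match else None


def apop_digest(timestamp, secret):
    """RFC 1939 APOP digest: lowercase hex MD5 of the timestamp followed by the secret."""
    return hashlib.md5((timestamp + secret).encode("ascii")).hexdigest()


def choose_auth(greeting, capabilities, implicit_tls=False):
    """Pick the strongest login method on offer.

    Preference order: a session that is already inside SSL/TLS, an STLS
    upgrade (RFC 2595), APOP, and last "cleartext" (USER/PASS).
    """
    caps = {c.split()[0].upper() for c in capabilities if c.strip()}
    if implicit_tls:
        return "tls"
    if "STLS" in caps:
        return "stls"
    if apop_timestamp(greeting):
        return "apop"
    return "cleartext"


def observable_login(user, secret, greeting, capabilities,
                     implicit_tls=False, allow_cleartext=False):
    """Return (method, lines) where lines are the login commands that a
    passive listener on the same network segment can read."""
    method = choose_auth(greeting, capabilities, implicit_tls)
    if method == "tls":
        return method, []                      # everything is encrypted
    if method == "stls":
        return method, ["STLS"]                # USER/PASS follow inside TLS
    if method == "apop":
        digest = apop_digest(apop_timestamp(greeting), secret)
        # The listener sees the timestamp and digest, so can only test
        # password guesses against them; the password itself is not sent.
        return method, ["APOP %s %s" % (user, digest)]
    if not allow_cleartext:
        raise ValueError("server offers only USER/PASS in the clear; refusing")
    return method, ["USER %s" % user, "PASS %s" % secret]


def password_exposed(lines, secret):
    """True if the secret appears verbatim in anything the listener can read."""
    return any(secret in line for line in lines)


if __name__ == "__main__":
    cases = [(GREETING_APOP, CAPA_WITH_STLS), (GREETING_APOP, CAPA_NO_STLS),
             (GREETING_PLAIN, CAPA_NO_STLS)]
    for greeting, caps in cases:
        method, lines = observable_login("mrose", "tanstaaf", greeting, caps,
                                         allow_cleartext=True)
        print(method, lines, "exposed:", password_exposed(lines, "tanstaaf"))
```
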

Why do breaches like these happen?  There may be various reasons:

  • Technical: good solutions may be unavailable
  • Economic: the solution gets in the way of getting the job done
  • Psychological: “security is inconvenient”; “this account isn’t important”; “nobody wants to attack me”

There are fundamentally two requirements for secure communications: secure endpoints, where only authorized users have access to clients and servers, and only trusted software is running; and a secure link between the endpoints, which is secured either physically (intranets) or by using cryptography.

Cryptography

He then turned to the topics of cryptography and cryptology.  Cryptography deals with the technology for concealing the traffic.  It is hard to design your own cryptographic protocols, even if you think you know what you are doing - there have been numerous public embarrassing failures.  The good news is that today’s strong encryption may be immune to attack even by motivated government agencies.  But you don’t go through security, you go around it - to the end point.  The weak point may not be a technical defect - Bill referred to 'rubber hose cryptography', where you beat the key out of somebody.

Cryptology deals with the use of cryptography in the larger context - it considers personal security and the potential weaknesses of end points as well as the communication links.  For instance, it's no good using SSL to protect a credit card number if the credit card database is on a weak computer.

He suggested that technology that is probably good enough would include:

  • IPsec, except that it doesn’t work through NAT (can be a problem in hotel rooms)
  • SSL v3
  • SSH v2
  • Authentication technologies such as Kerberos
  • Authentication tokens such as SecurID and SecureNet key

Things which are probably not good enough include:

  • WEP
  • MS-PPTP
  • Plain text
  • Any proprietary, secret protocol

If the cryptography is good enough, you can focus on the endpoints.  Thanks to Moore’s law, there is plenty of computing power available for strong cryptography on client hosts, though Server hosts may need hardware assist for heavy traffic loads.

Resistance to cryptography - it takes time and expertise to set up, and cryptographic authentication may take an extra user step.  This is something that needs to be changed; people expect to use a key for their hotel room and their car, but they don't use devices such as the USB cryptography device that encodes all communications from a PC.

Securing the Endpoints

The real problem is that the endpoints are computers and they are running untrusted software.  Having a trusted computing base is about having reliable hardware, boot mechanism, operating system, libraries, applications, software source, and software updates.

Microsoft/Intel as a TCB - Bill expressed the view that in currently available versions this environment did not provide the middle three requirements:

  • Reliable operating system
  • Reliable libraries
  • Reliable applications

Hence we are building our houses on sand: using insecure operating systems and applications, poor security models, and complex standards (for example, X.509, SNMP MIBs, and LDAP all use ASN.1).

Routing Leaks

'Leaks' in an otherwise secure network can occur for a variety of reasons, such as host leaks - a weak machine that links to the inside network and to the outside world:

  • Mis-configured telecommuters connecting remotely
  • VPNs that are broken
  • DMZ hosts with too much access
  • Business partner networks
  • Internet connections by rogue managers
  • Modem links to ISPs

Microsoft

Bill's view is that strong host security is possible, but not with Microsoft, yet.  However, the security focus announced in Feb. 2002 seems to be real.  Microsoft is carrying out a massive retraining effort, a huge code review effort, and the work is already reported to be having an effect.  But they have a long way to go.

He suggested that useful developments from Microsoft could include:

  • Sandboxes for network servers
  • Default settings that are secure
  • No foreign macros
  • No executable code in .ppt, .doc, .xls
  • Prominent buttons on IE to enable/disable scripting and other such features
  • A TCB that can’t be changed casually by any process with “admin” privileges
  • The ability to tunnel the smb protocol through an ssh TCP tunnel
  • Documentation and adherence to a standard of remote file system support that can be implemented freely without reverse engineering
  • Complete and accurate documentation of NTFS for the same purpose
  • IPsec that can use a shared secret, which is simpler than the current certificate

General useful developments would include:

  • Simple, tested, certified network servers
    • Samba, Apache are too large
  • More work on a general TCB
    • Linux, *BSD are working on this
  • Adopt some Orange book requirements
  • and 'I’d like Don Knuth to write the software'

and from standards bodies:

  • Rigorous definition of standards
  • Simpler standards, easy enough to implement that we avoid a monoculture
  • Proven reference implementation of the standard - this is where Orange Book A1 certification would be cost-effective

Questions

Q: Craig Heath, Symbian.  You haven't mentioned TCPA - do you think there is a benefit to humanity from it?

A: From a security point of view I like the model.

Q: Steve Matthew, Articsoft: One problem is that most standardizers don't want tight standards because it's a commercial activity.

A: Yes, I agree.



Saving Private Data - Act 2

This workshop was staged in two Acts, with nine players providing the action, and each member of the audience as a Board Director bearing ultimate responsibility for the attacked corporation.

Act 1 on Monday afternoon had played out a sequence of response scenarios to the discovery of an intrusion, illustrating the various priorities a business must reconcile when facing such situations, and bringing out the need for well-prepared and regularly updated response procedures to manage it well.

Act 2 used the outcomes from Act 1, to indicate what considerations well-prepared response procedures need to include. It reviews the business and legal consequences of the intrusion, liability to third parties and defence for any enforcement procedures (under data protection/ privacy laws), and steps to be taken to minimize their own potential losses, and to bring the hacker to justice (or not). It also considers whether to provide details of the intrusion to clients, law enforcement or to an ISAC or other organization, and the possible consequences of doing so, or not doing so.

In Act 2, the issues raised included reluctance of organizations to report losses or bring claims for fear of damage to their reputation; their duty/ liability to customers, business partners etc.; the effects of bringing proceedings (or defending claims) – evidential issues relating to discovery/ disclosure etc.; defining and quantifying loss; the role of security policies/audits etc.; and the role of insurance.

These issues were brought out in 5 scenes:

  • The Writ - first responses: the StarCorp team take stock of their situation
  • Evidence review – a legal eye view of the decisions made in Act 1
  • Legal strategy planning – StarCorp assesses the damage and potential litigants
  • What to disclose or not to disclose – the lawyers and others consider the impact of public statements/depositions
  • Final decisions - going to trial (or not?)

The Action

Jane Hill reminded everyone of the events of the previous day.  Now things have moved on:

Meeting 1

The action began with a meeting of the following people:

  • Rocky Wardrop - StarCorp IT Operations Manager 
  • Col. K. A. "Kelly" Rider (ret.) - StarCorp IT Security Manager
  • Lucinda Walls - StarCorp Order-Processing Application Owner 
  • David Auric - StarCorp Public Relations Officer
  • Anna Williamson – StarCorp Corporate Counsel

StarCorp had attempted to quash the order that Nebula had obtained giving them access to their backup data.  Nebula are claiming that the information that was taken from their system has lost them a contract, and are taking legal action to recover their loss.  They claim that Johnny had sold information he had taken from their system to a competitor.

Lucinda Walls is keen to prosecute Johnny, but in the middle of the discussion Tim appears and disrupts the meeting.

Meeting 2 (in Anna Williamson's office)

Anna has analyzed Nebula's claim, which alleges that StarCorp's systems were insecure and that they had not followed their intrusion response plan.

Was the system secure?  StarCorp has to show that its system was reasonably secure, and that it was operating properly.

What about the security policy?  Kelly Rider feels that in the trade-off between running the business and security, security is always the loser.  He can't get any interest in having a security policy review.

Johnny was a bright guy with a good background; a few months ago he had been passed over for promotion.  He had been doing a good job for years.  How had he broken into Nebula's systems?  He was an experienced and trusted employee, able to build up his own domain without any close supervision.

Rocky felt that StarCorp was no worse than the industry norm, but Anna pointed out that this would have to be assessed by a jury.

Potentially the Nebula claim was huge.  Any potential loss could be claimed against their insurers, but it was not clear whether the claim would be paid.

Meeting 3, the following day

Kelly reported on the backups that had been taken the other day, which had covered all the relevant machines, and this data had been in escrow since that time.

A hearing with the judge the following day would decide on what information would be made public.

David continued to be concerned about the effect of the publicity on the reputation of StarCorp, but Anna pointed out that information given in evidence would be made public.

There had been an audit report the previous year which had revealed some problems in security, and this would probably have to be revealed.   Kelly claimed that all the recommendations had been followed, but Anna was concerned that Nebula would be able to claim that the audit could be used to demonstrate that security was inadequate.

It could be demonstrated that Johnny was responsible for the hacking.

The audit report had vanished.  Could Johnny have taken it to cover his tracks?

In summary, if StarCorp lost the case they would be in serious trouble.  The possibility of a settlement was discussed, but the group was keen to prosecute Johnny, and they did not want to be blackmailed by Nebula.

Lucinda asked whether an insurance claim could be made, but Anna pointed out that their loss assessors would come in to examine the background.

Nebula Networks refused to accept the offered settlement.

Meeting between Brendan Boylan, Kelly Rider and Anna Williamson.

The meeting established that Kelly was the security expert in StarCorp; he felt that nobody else really understood the issue.

It was conceded that Johnny had hacked into Nebula Networks' computer from within StarCorp's offices.  Only Johnny and Kelly had access to the codes needed to do this.

In response to questions, Kelly was forced to concede that the Security Plan had required that a complete backup be taken, and that he had not done this. 

The letter Kelly had written to Starr, saying that his disaster recovery plan had, during the time of the outage, been dismissed out of hand, had not been made available to Boylan.

Rider defended his plan, claiming that it met normal commercial practices - even though it had failed to prevent the hacking that had occurred.

Boylan asked about the last security audit and requested the report that had resulted, but it had not been found.

Discussion moved on to Johnny.  There had been no review of his background or performance screening since he was recruited.  His performance had been good, but he had not been promoted.  Rider had not been aware of his anger.

Anna then asked Rider if he had reviewed the files that Johnny had downloaded from Nebula Networks.  He had done so, but his review was not complete.  The files that he had reviewed had not shown that Nebula were likely to win the contract that they had subsequently lost.

Anna pointed out that the files hacked from Nebula had shown that they were unlikely to win the contract, and she said that StarCorp would make a counterclaim for their costs.

Meeting between Rocky Wardrop, Kelly Rider, Lucinda Walls, David Auric, Anna Williamson

Finally, Boylan said that Nebula were willing to settle, and the proposed settlement was agreed.

Epilogue

  • Brenda Starr did win the Burlingame Bus Woman of the year, and retired from business
  • Rocky took over as StarCorp CEO
  • Johnny was not available.  He was not prosecuted; he now lectures on security
  • Tim left his job with the Daily Tabloid and is ghost-writing Johnny's biography
  • Dave Auric took over the Daily Tabloid
  • Dave Lounsbury is not chief of cyber security at the White House
  • Anna got a taste for litigation
  • Brendan Boylan was shot on the steps of his local courthouse by a witness he grilled too hard
  • Lucinda and Kelly Rider flew off to Rio together

More seriously, there are a lot of problems for StarCorp to sort out.

Ian Lloyd, the Director of the Open Group's Active Loss Prevention Initiative, pointed out that the play had been entirely fictitious and that no relationship to any organization or person, living or dead, was intended.

Questions

Q: Mike Gerbet: What responsibilities are employers supposed to have over the state of their employees?

A: Anna: The Financial Service industry reviews its employees to test the state of their financial situation.  It would be unlawful to ask the state of an employee's marriage, but it would be appropriate to ask for information relevant to a person's performance of their job.

Q: The play presented the requirement as having 'reasonable' security.  What is the situation in law?

A: Reasonable usually compares the cost of doing something with the cost of not doing it.  There is no definition of what reasonable means.

Q: Jim Bell, HP: I've seen cases where companies have promised to give their clients the same level of security as they provide for their own data.

Q: Emily: Have you any insurance advice that you can give StarCorp?

A: There isn't a strong body of case law that defines reasonableness, but in some industries (like Health Care) there are guidelines which could be used in court.  The responsibility of senior managers is to have a clear understanding, before any loss, of their security and insurance situations.

Q: Judith Jones: Given that Rider's security plan was being ignored, what could he have done to resolve the problem?

A: Rider is ineffective, and if you are persistently failing to convince the Board of the problem you need to change something.  Bringing in very expensive outside expertise can create a convincing aura.  Neither Rider nor Lucinda actually considered working together to resolve the problem.  The problem that the business response plan was incompatible with the Nebula contract was not addressed.

Q: In a situation where something complicated like this happens in the real world, would companies commonly shortcut their legal situation?

A: In the US, it is very difficult to keep anything out of the public eye, and this commonly brings companies to agree a settlement.

Q: Do you know of a CIO's guide to Active Loss Prevention?

A: There are going to be a lot of activities in the ALP Initiative to follow up on this event, maybe this is a possible outcome.

Q: In the scenario, there was a civil case between the two companies, and a criminal case involving the police.  The connections between these two cases are very hard to manage in practice.

A: It is hard to manage, but not impossible, and it's more manageable than you might think.

Q: For each panel member, what's the main lesson you've learned:

Walter Stahlecker: Teamwork is key.

Steve Jenkins: Rocky is ineffective because he is in an adversarial relationship; he needs to get his objectives shared by other people.

Eliot Solomon: I can't relate well to David Auric, but external communications needs to be ahead of the game.  Publicity would not necessarily be a bad thing if they had handled the situation properly.

Ola Clinton: Before a crisis happens there needs to be a plan for what would happen in a situation, rather than formulating the responses during the crisis.

Wes Kinnear: Nebula should never have brought the case.

Dave Lounsbury: The business of dealing with evidence is in the real world extremely disruptive: this was one of the few areas that was underplayed.

Sally Long: In a real situation I would have been wanting to work on this together, and I'd even have been willing to work with Kelly!


 


© The Open Group 1995-2012  Updated on Tuesday, 25 March 2003