Paradigms II
From: Lohkee (lohkee@worldnet.att.net) Date: 03/03/02
From: "Lohkee" <lohkee@worldnet.att.net> Date: Sun, 03 Mar 2002 19:46:49 GMT
Secure Systems Revisited (DRAFT)
Copyright (C) by Lohkee
Performing the following very basic security evaluation on your system
should not cause any problems with regard to your continued employment.
Conducting the experiments will not harm your system in any way, and they
are not about trying to circumvent security. In many cases you will already
know the answer to a given question without having to actually conduct the
test simply because of knowledge gained from prior experience working on the
system. Obviously, if there is any question at all in this regard, obtain
the appropriate permission before proceeding.
You do not need specialized technical knowledge to conduct any of the tests.
If you have worked on a personal computer for more than two months you will
have probably already performed most of them without realizing it. The
following questions assume the use of Windows NT 4.0 or 2000 Professional
(server or workstation); however, they can be easily adapted to any other
operating system capable of providing a rudimentary set of access controls.
It is very important that you conduct each test without any special
administrative "permissions." You want to look at the system from the same
perspective as that of any other "normal" user.
Although it is important to look at the system itself through the eyes of
the average user, it is also very important that you contemplate your
answers (and the issues raised by those answers) very carefully through the
eyes of someone who could be held accountable or otherwise impacted in the
event of a problem arising because these issues were not dealt with.
Sometimes this is difficult to do because we tend to think of our "stuff" as
being of interest only to ourselves. Unfortunately, most "outsider" attacks
take place because some automated hacking tool has identified your system as
vulnerable, not because the attacker has any particular interest in you, or
your organization.
Speaking of stuff, have you ever stopped to consider the overall value of
the information stored on your system? Depending on the employee's rate of
pay and the time it took to create a particular piece of information, the
minimal value of any given file on your network could range from a few
dollars for a simple memo to many thousands of dollars for a comprehensive
report authored by a senior analyst. Regardless of the type of business
you are in, or the size of your organization, the value of the information
stored on your system can be quite considerable. When you start to
contemplate the actual market value of that information, or other more
esoteric factors, such as the potential losses caused by critical
information not being available when needed or losses incurred because of a
breach in confidentiality, the value can climb very dramatically. The
less-than-flattering employee evaluation sitting on your hard disk may not
appear to have a lot of cash value; however, if someone (or something)
wandering around on your network happens by chance to come across that
document and decides to share it with the world, you may very well learn the
hard way that it was actually worth several million dollars. When the
Melissa virus made its rounds, many organizations were quite happily mass
e-mailing large amounts of confidential information to unauthorized
individuals without ever realizing it (more on this later). Like any other
inventory item, information stored on a computer is a tangible business
asset. Do you know how much you have, where it is at, what it is worth, and
who has access to it? Could you even answer these questions? Why not?
Before conducting a basic security evaluation of your system it is important
to have at least a vague idea what security, and a secure environment,
really are. Simply stated, security is about reducing risk by clearly
defining a universe and then controlling what takes place within the
confines of that universe. It is about knowing what you have, where it is
at, who has access to it, and being able to recover it quickly in the event
of a mishap (regardless of magnitude) with minimal downtime or loss.
Defining the universe sounds rather straightforward, and for the most part
it is, at least until you start connecting one system to another. If you
have two stand-alone (no modem or network connections of any kind) PCs it is
fairly obvious that you have two complete and isolated systems. When you
connect those two PCs however, they cease to become systems in their own
right and become two components of a single larger system. A machine is
either a system, or a component of a system. It is also possible for both
conditions to be true, for example: Unless you have built a network, your
home PC is probably an isolated system; however, when you connect to the
Internet, that same PC ceases to exist as a system and becomes just another
component in a much larger system for the duration of that connection.
The most fundamental principle of a secure environment is that of "least
privilege." This principle basically states that a user should have access
only to those resources necessary to perform their assigned tasks. Nothing
else! The basic idea is to reduce risk as much as possible by limiting the
number of possibilities that an adversary might be able to take advantage of
when launching an attack and, if an attack does take place, to limit the
amount of damage incurred as a result of that attack. A secure system will
reflect this philosophy, for example: A secure system will not allow
"normal" users to arbitrarily install software on their workstations as this
would violate the fundamental principle of being able to define and control
the universe (not to mention being an unimaginably stupid thing to do in a
business environment). How can anyone make a rational argument for anything
even remotely resembling a secure system when they really have no idea of
what might be running on a given workstation or how it might be affecting
the network? Contrary to popular misconception, security makes no
distinction between "insiders" and "outsiders." Once someone enters our
universe (regardless of how they arrived or if their entry was authorized)
they are a user and therefore subject to the rules.
I have taken a position that the professional security community has and
will continue to fail because they are operating under the same basic
paradigm as those they try to protect, i.e., "Personal Computer Mentality"
(PCM). You will see the acronym PCM frequently from here on out. Consider
it a red flag and cause to reflect. The answers you provide to the
following questions will become the evidence that I offer in support of my
hypothesis of mass incompetence.
Do you routinely save information on your workstation's local hard disk?
Information includes (but is not necessarily limited to) e-mail messages,
documents, spreadsheets, databases, presentations, images, program source
code, etc.
If it is a common practice for users within your organization to save files
on their workstation's local hard drive, as opposed to storing them within a
personalized folder on a centralized server, it is probable that you will
lose a great deal of valuable information in the event of even a relatively
minor mishap, such as a hard drive failure. In the event of a building
fire, the losses could be quite significant. This possibility would also
exist even if you do have a centralized file server but have configured your
workstations in such a way that users are still able to save information to
their local hard drive. From a practical perspective it is extremely
difficult, perhaps even impossible, to guarantee in an easily provable
manner that information stored within arbitrarily named folders, on numerous
machines, in numerous locations, is being properly backed up and stored
safely offsite on a daily basis. If you are not doing this, how exactly do
you plan to recover quickly in the event of a disaster or other minor
mishap?
Many organizations simply rely on users to back up their personal files.
This is PCM at its very best and generally a sure sign that the organization
is utterly clueless when it comes to security (and that they have no
meaningful ability to recover an unknown quantity of unknown value in the
event of a disaster). In this quixotic scenario the organization quite
happily deludes itself into believing that:
1. Every one of its users is consistently and correctly backing up all of
the information on their workstations.
2. Someone is gathering up numerous floppies, CDs, tapes, etc., and storing
them safely offsite each and every day.
Even if by some miracle this were happening (the added and unnecessary cost
notwithstanding), the very notion of intentionally moving information from
a controlled environment onto numerous removable media that will end up
scattered about in people's desk drawers, filing cabinets, and wherever else
things tend to get put, is an incredibly foolish one to say the least. You
have no way of really knowing where all of the information is stored, if the
storage areas are properly secured, who has access to those storage areas,
who has actually accessed the information (the janitor, perhaps), who may
have made copies, etc. Simply stated, you have lost any semblance of
control over that information. If confidential information falls into the
wrong hands you will have little chance of demonstrating "due care" and
could easily find yourself liable for damages. How will you account for
sensitive information stored on hundreds of floppies scattered about in a
pile of rubble that used to be your building? Where will that information
eventually end up after scavengers have picked through the debris? In all
but the smallest of organizations, the cost to provide each employee with
the hardware and removable media necessary to back up their files can be
quite significant. It is an unnecessary expense that ultimately serves no
purpose other than to support a very dangerous practice!
Some organizations walk the fence. They keep all of their "mission
critical" information on a centralized server and then leave users to fend
for themselves. While the organization may indeed be able to survive a
disaster, the overall cost will be much higher because some portion of the
information that was stored on the workstations will have to be manually
re-created and much will be lost. This approach essentially says that an
organization is willing to simply sacrifice an unknown quantity of unknown
value in the event of a disaster. Sounds like a prudent business decision
to me. You can build a fairly powerful "small file" file server (2 GHz
processor, 2 GB RAM, 120 GB storage) for about a thousand dollars. Suppose
you are paying ten analysts each sixty thousand dollars per year. Whatever
they produce during the year will have cost you six hundred thousand
dollars. Where on earth is the logic in paying six hundred thousand dollars
for information that is not even worth a thousand dollars (which is
essentially what you are doing when you position yourself to arbitrarily
sacrifice that information in the event of a disaster). Notwithstanding the
loss of information, the most obvious flaw with this arrangement is that the
many thorny issues associated with moving potentially sensitive information
from a controlled environment, to one that is uncontrolled, still remain and
must be dealt with.
What about configuration management? Allowing users to save information
(which can also be executable code) to the workstation's local hard drive
makes it virtually impossible to maintain a constant and known configuration
(or to implement any kind of automated configuration validation scheme) as
the hard disk is in a constant state of flux. How can you hope to define or
control a universe when users are allowed to make unannounced and unreported
changes to that definition? It is easy to dismiss these types of changes
as being insignificant; however, in the case of a user arbitrarily loading
executable code, you really have no idea of what might be running on a given
workstation or how it might be affecting your network. Aside from copyright
and licensing issues, or the threat posed by hostile code, the lack of
meaningful configuration management can severely hamper your service
technicians in their troubleshooting efforts and create unnecessary delays
and frustration for your customers. Poor configuration management generally
results in a network that is considerably more expensive to maintain, far
less reliable in terms of downtime, and much slower with regard to response
time.
How about ensuring confidentiality? Can you guarantee that all of your
users are consistently setting the appropriate access "permissions" on all
of their files and folders? How can you verify and document this? Do you
really know who has access to what information? What about folders intended
to store temporary information, the contents of which are generally readable
by everyone who has access to the workstation? Are you really positive that
you know who has access to the confidential information on your network?
How do you know what type of information users are storing on their
workstation's local hard drive? It is almost impossible to review files for
content when they are stored in arbitrarily named folders scattered about on
numerous machines. Copyright or software licensing issues aside, having
even mildly pornographic images or off-color jokes stored on your system can
easily lead to charges of sexual harassment and some hefty financial
settlements. Systematically preventing users from saving files on their
workstation's local hard drive and forcing them to save those files in a
personal directory on a centralized server where they can be easily reviewed
can go a long way towards solving these problems or preventing them
altogether. The notion that users have some kind of a right to privacy
regarding email or other files stored on a corporate computer system is no
more than a fantasy (at least in the United States). This is as it should
be. If the courts ever extended the right to privacy to corporate systems
they would effectively outlaw secure systems in the process. Perhaps it's
just me, but it also seems just a little absurd to suggest that an
organization can be held liable for the contents of their systems, if you
are then going to turn around and prevent them from policing those systems!
Systematically forcing users to save all of their information to a
centralized server is an effective and inexpensive means of addressing all
of the above issues. It lends itself very well to the task of documenting
and auditing mission critical procedures (thus ensuring they are actually
getting done in a proper and consistent manner) and can help show that you
have met the standard of "due care" if you ever wind up in a courtroom
because sensitive information was somehow compromised.
Can you save a document to a floppy diskette or other type of removable
media?
The presence of user accessible removable media on a workstation is totally
inconsistent with the concept of a secure environment (and a sure sign that
PCM is alive and well within the organization). It is like drilling
hundreds of holes in a water bucket and then expecting that bucket to
somehow hold water. How on earth can you expect to control the flow of
information when any user with access to a workstation can copy whatever
they want to a floppy diskette? How can you have security if you cannot
control the flow of information? If users have access to removable media on
their workstation it is entirely possible that as you are reading this a
great deal of sensitive information is scattered about on unprotected floppy
diskettes in desk drawers, automobiles, homes, purses, briefcases, and just
about anywhere else people tend to leave things. This is particularly true
if you rely on users to back up their "personal" files. The presence of
removable media on a workstation provides the dishonest employee with a very
easy method of smuggling large amounts of information out of the building
that is virtually impossible to detect (unless of course you plan on
strip-searching all of your employees as they leave the building).
The days of sneaker-net in the corporate environment are long gone. There
is almost always a more secure network-based solution available to a user
who may need for some reason to move information from one system to another.
You should therefore very carefully scrutinize, with an automatic bias
towards denial, any request made by a user to move information from your
network (a controlled environment), to removable media (an uncontrolled
environment). In the rare event such a request must be granted, it should
be accomplished in a strictly controlled manner, at a predetermined
location, with administrative oversight and auditing (in this case a logbook
entry showing the type of information that was transferred to removable
media, who made the transfer, the reason for the transfer, who authorized
the transfer, date and time of the event, and who was given custody of the
media).
Can you open a document that resides on a floppy diskette or other type of
removable media?
If users are able to read from removable media on their workstations, it is
a safe bet they are able to install or execute programs, especially if those
programs do not need to modify the registry or access shared code in order
to run. While the user may be well intentioned, the same is not necessarily
true of the programmer who created the software they are running. There are
a number of readily available programs on the Internet that appear to be
useful or entertaining but, when loaded on the workstation by an otherwise
innocent user, will enable an unknown third party to bypass your firewall
and gain covert access to your network from a remote location. It is naïve
and foolish to believe that users are above being suckered into running a
hostile program. Ask yourself what happened within your organization when
the Melissa, Love Bug, or Anna Kournikova viruses made their rounds.
The ability to run unauthorized programs from removable media will, in some
instances, enable users to easily bypass restrictions imposed by folder and
file permissions. There is little point in denying access to a program on
the workstation hard drive if the user can simply run the same program from
a floppy diskette. While not particularly feasible for large applications,
there are many small administrative utilities used for network discovery
(and hacking) resident on the workstation that fit into this category.
There are also several small programs readily available on the Internet that
will grant a user administrative status on the local workstation without
leaving a trace. A user with administrative access to the local workstation
is just a few simple steps away from gaining "domain admin" or being able to
steal other users' passwords.
The bottom line is that you essentially have no idea what is running on a
given workstation or how it might be affecting your network when users can
load programs in an uncontrolled manner. There is no security if you cannot
define and control your environment. It is impossible to define and control
the universe when any user can make arbitrary changes to the definition.
Eliminating removable media from your environment will greatly increase your
ability to control the flow of information and protect confidentiality, will
help to prevent users from loading unauthorized programs, and, as an added
bonus, reduce the cost of a workstation by about one hundred dollars (not to
mention the money saved by not having to purchase the removable media
itself).
Can you boot your workstation from a floppy diskette?
You can easily test this by inserting a blank diskette in the floppy drive
and then restarting the workstation. If a message appears on the screen
informing you that an operating system could not be found, or the floppy
drive light stays on for more than a few seconds before finally booting, the
workstation has probably been configured to boot from a floppy diskette. If
this is the case then anyone can get to anything on that workstation
regardless of the operating system or any file permissions by simply booting
to DOS and using a disk editor to search for and read (or copy to a floppy)
whatever may be of interest. More importantly, there will be no way to
detect or capture an audit trail of this activity. Operating systems such
as NT do not react well to boot sector viruses. Notwithstanding the idea
that removable media is a very bad idea in a secure environment, CMOS should
be set to boot the system from the hard disk only in order to prevent
boot-sector viruses from trashing your system.
Do you have access to the Internet from your workstation?
Security is about defining and controlling your environment. Connecting a
mission critical production network to the Internet is inconsistent with
this goal and is an inherently very dangerous thing to do. This is not to
suggest that you cannot take advantage of the Internet for inter-company
network traffic or communications, such as e-mail, with "outsiders" (which
we will discuss later on).
First of all, is there really a pressing business need for all employees to
have Internet access? Many organizations feel that Internet access for all
of their employees is critical to success. The evidence strongly disagrees.
I have evaluated audit trails from several very large organizations (10,000
plus users) and have consistently found that, on average, 90% or more of the
accesses made to the Internet by employees were clearly not work-related.
Essentially, these organizations were paying in a number of subtle ways,
such as increased infrastructure costs, slow response times, lost
productivity, and higher maintenance costs, just for their employees to play
on company time! Much of the work-related activity was questionable in that
most of it could have been accomplished by setting up a web-server on the
internal network and then placing the relevant information there. Arguments
in favor of Internet access for all may be well intentioned and honest, or
they may be just another symptom of PCM. The audit trail will tell the
truth, and one test is worth a thousand expert opinions.
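As an added example (not from Lohkee's post), here is how the audit-trail test described above can be run as a PowerShell script over a constructed proxy log: the approved-domain list, the log layout (time, user, URL, bytes) and the sample lines are assumptions, and the output is the per-user share of requests and bytes that went to destinations outside the approved list.

```powershell
# Added example, not from the original post. Summarises a web-proxy audit
# trail per user by whether the destination is on an approved, work-related
# domain list. Log lines and the approved list are constructed; the field
# order (time, user, URL, bytes) is an assumption about your proxy format.

$approvedDomains = @('intranet.example.local', 'vendor-docs.example.com', 'msdn.microsoft.com')

# Constructed sample of proxy log lines (not real traffic).
$logLines = @'
2002-03-01T09:02:11 jsmith http://intranet.example.local/policies/backup.html 2048
2002-03-01T09:05:47 jsmith http://www.example-sports.com/scores 51200
2002-03-01T09:06:03 jsmith http://www.example-sports.com/video 900000
2002-03-01T09:10:29 aroy   http://msdn.microsoft.com/library/ntfs-acl 40960
2002-03-01T09:11:54 aroy   http://docs.vendor-docs.example.com/fileserver/faq 10240
2002-03-01T09:12:30 jsmith http://shop.example-auction.com/item/1234 30720
2002-03-01T10:40:12 aroy   http://www.example-news.com/ 70000
'@ -split "`n"

function Get-Domain([string]$Url) {
    # Host part of the URL, lower-cased; '' when the URL does not parse.
    try { ([System.Uri]$Url).Host.ToLowerInvariant() } catch { '' }
}

function Test-Approved([string]$Domain, [string[]]$Approved) {
    # A destination is work-related if it is an approved domain or a
    # subdomain of one (docs.vendor-docs.example.com matches vendor-docs.example.com).
    foreach ($a in $Approved) {
        if ($Domain -eq $a -or $Domain.EndsWith('.' + $a)) { return $true }
    }
    return $false
}

function Get-BrowsingSummary([string[]]$Lines, [string[]]$Approved) {
    $perUser = [ordered]@{}
    foreach ($line in $Lines) {
        if ($line.Trim() -eq '') { continue }
        $fields = $line.Trim() -split '\s+'
        if ($fields.Count -lt 4) { continue }   # malformed line: skip, do not guess
        $user = $fields[1]; $domain = Get-Domain $fields[2]; $bytes = [long]$fields[3]
        if (-not $perUser.Contains($user)) {
            $perUser[$user] = [ordered]@{ User = $user; Requests = 0; NonWork = 0; NonWorkBytes = 0 }
        }
        $perUser[$user].Requests++
        if (-not (Test-Approved $domain $Approved)) {
            $perUser[$user].NonWork++
            $perUser[$user].NonWorkBytes += $bytes
        }
    }
    foreach ($u in $perUser.Values) {
        $u['NonWorkPercent'] = [math]::Round(100.0 * $u.NonWork / $u.Requests, 1)
        [pscustomobject]$u
    }
}

# With the constructed sample: jsmith 4 requests, 3 non-work (75%);
# aroy 3 requests, 1 non-work (33.3%).
Get-BrowsingSummary -Lines $logLines -Approved $approvedDomains | Format-Table -AutoSize
```

Point it at a real proxy export by replacing `$logLines` with `Get-Content` of the log and adjusting the field indexes to your proxy's format.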
Letting employees play on the Internet may be a perk that you want to offer.
If this is the case, why not set up terminals in a break room or some other
place and let people access the Internet from an isolated machine via a
company funded dial-in account? If you scrounge parts from old workstations
and use any one of the readily available free ISPs, you can set up ten or
twenty workstations for very little cost (WOW, an Internet café at work, how
cool is that?). Removing Internet access from the privacy of a cubicle to a
more public place will cut down on abuse and the amount of work time wasted.
Another added advantage of this approach is that it helps to isolate
inappropriate employee activity from the organization. There is no need to
risk your business in order to give employees a perk. The same holds true
for computer and network technicians. Security is not about saying "NO!" to
new ideas and technologies. It is about finding a safe way to implement
them and thereby minimize risk to the organization.
The risks are many and the consequences can be serious. Employees are
likely to download software to the workstation. This raises all of the
issues outlined above when employees can load software from a floppy disk or
CD ROM. It also adds additional and unnecessary risks. When your employee
goes to an X-rated or other inappropriate web site, that site knows
where the request came from. If the site chooses to make your access to
their server public knowledge, and they are entitled to do so, it can be
very embarrassing to the organization (especially if you are in the public
sector - "Your hard earned taxes are paying - choose your agency - feds to
browse child pornography on the Internet - film at eleven!"). Inappropriate
messages, posted to Usenet newsgroups by your employees, can be
intentionally misconstrued as the "official" position of your organization.
This could lead to embarrassment, lawsuits, and hefty financial settlements.
Even well meaning newsgroup postings can have unintended consequences. They
can give an adversary easy access to an enormous amount of information about
your infrastructure. Go to "Google" and do a news group search for messages
originating from .gov domain. Many of the addresses are obviously forged,
however, many are from legitimate government sites asking for help with
various software, hardware, and operating systems. You would be surprised
how much sensitive information is given away in the original posting, and
how much more you can get by engaging these people in conversation, under
the pretext of trying to help them solve their problem. The problem is that
most people are friendly and do not expect others to be targeting them.
Without question, the Internet is an excellent resource for help. Protect
yourself by asking for help using an account not connected to the
organization.
Can you send and receive e-mail outside of the organization?
Each user with Internet access increases the risk of an attacker gaining
covert entry to your system (or that confidential information will be made
public). The Melissa virus, for example, infects Microsoft's Word global
startup template (normal.dot), after which, any document created by the user
is infected with the virus and emailed to the first fifty recipients defined
in their Outlook mailing list. If any one of those first fifty entries
happens to be a group (which could consist of several hundred people or even
everyone within the organization as in an "all employee" group), Melissa
then mails the infected document to everyone within that group. If any of
the first fifty entries belong to someone outside of the organization there
is no telling where the document will finally end up, how many people will
have read it, or what they will eventually do with that information. Think
about the documents stored on your workstation. What might be the
consequences if they were to show up on the Internet tomorrow? You might
think that it would never happen to you but if Melissa infected your
organization, it probably already has. Melissa generated millions of
e-mails and each one had a document attached. Did anyone within your
organization even think to analyze the documents (sent items folder on each
infected workstation) infected by this virus to determine their contents and
where they may have gone?
Can you make changes to your workstation's network configuration or access
sensitive security files?
Make sure you have a few blank floppy diskettes available. If using NT left
click on the start button and then select RUN from the pop-up menu. Enter
RDISK in the dialog box and then click on OK (If you are using Windows 2000
left click on the start button, select programs, select accessories, select
system tools, and then select backup). Follow the instructions for creating
an Emergency Repair Disk.
If the workstation does not have a floppy drive, or it has been disabled,
right click on the Start Button, select Explore, and then go to
C:\WINNT\REPAIR. Highlight all of the files within this folder and try
copying them to C:\TEMP. If either of these tests were successful you have
just confirmed that any user can obtain a copy of the workstation's backup
security files. Running a password cracker (and there are some very good
ones freely available on the Internet) will more than likely yield the
passwords for most, if not all, of the local accounts on the machine. Any
user who can gain access to the administrative account on a workstation is
but a few very simple steps away from capturing a domain administrator's
account.
Left click on the start button, select settings, select control panel. Here
you will find a collection of applets designed to configure many different
aspects of the workstation's mode of operation. Some have no security
implications while others can have a profound impact. Try clicking on each
of these applets and wandering through whatever tabs they have to offer. If
any of the data fields on a given page are changeable (not grayed out) by a
normal user, you may, depending on the application and parameter, have a
very serious problem on your hands. I have been a little vague here simply
because there are significant differences between NT and Windows 2000 with
regard to the contents of the control panel folder (and I have no way of
knowing how the workstation was configured during the installation process).
What you are looking for are applications that imply the ability to add or
delete hardware, add or delete software, change network or Internet
settings, configure the system, or access administrative tools. The
questions you should be asking yourself as you wander around are "should a
user be able to change this setting?" "Under normal circumstances would a
user need to change this setting in order to accomplish their assigned
duties?" and "have I ever needed to change this setting?"
Left click on the start button and then select Run. Try executing any of
the following programs: rdisk, rasadmin, regedit, regedt32, dcomcnfg,
ddeshare, ginasetup, inetins, cmd or musrmgr. All of these programs have
security implications and should be restricted to administrators unless
there are compelling reasons to do otherwise. I should point out that these
are by no means the only files that you need to be concerned with, only a
random sampling taken for the purpose of giving you an idea of what may be
available to your users.
Do you have an active USB port?
Another commonly overlooked source of information leakage is USB ports.
Many vendors offer devices, about the size of your thumb, that function the
same as a disk drive when plugged into the USB port. These drives offer as
much as 256Mb of storage for as little as $400.00 and provide an extremely
difficult to detect method of smuggling large amounts of information.
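An added example, not from the post, that turns the security-file, administrative-tool and USB questions above into a read-only self-check a non-elevated user can run in PowerShell 5.1 or later on a current Windows build. The modern locations used (System32\config\RegBack beside the NT-era repair folder, the USBSTOR service key, the DisableRegistryTools and DisableCMD policy values) are assumptions about where those controls now live; nothing is copied or changed.

```powershell
# Added example, not from the original post: a read-only self-audit a normal
# (non-elevated) user can run on a current Windows build to answer the post's
# workstation questions. Registry paths and group names are Windows defaults
# and are assumptions about where the NT-era controls now live.

function Test-ReadableDirectory([string]$Path) {
    # Listing the directory is enough evidence of access; the post's
    # copy-to-C:\TEMP step would only create a second copy of the files.
    if (-not (Test-Path -LiteralPath $Path)) { return 'absent' }
    try { $null = Get-ChildItem -LiteralPath $Path -Force -ErrorAction Stop; 'READABLE' }
    catch [System.UnauthorizedAccessException] { 'denied' }
    catch { 'error: ' + $_.Exception.GetType().Name }
}

function Get-WorkstationFindings {
    $f = [ordered]@{}

    # Q: Is the user a local administrator?  Group membership is checked
    #    directly because a UAC-filtered token reports IsInRole() as false.
    $id = [Security.Principal.WindowsIdentity]::GetCurrent()
    $pr = New-Object Security.Principal.WindowsPrincipal($id)
    $members = @()
    try { $members = @((Get-LocalGroupMember -Group 'Administrators' -ErrorAction Stop).Name) } catch {}
    $f['Local Administrator'] = $pr.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator) -or
                                ($members -contains $id.Name)

    # Q: Can a user read the workstation's backup security files?
    #    NT kept them in %SystemRoot%\repair; current builds keep hive
    #    backups under System32\config\RegBack, so both are checked.
    foreach ($dir in @("$env:SystemRoot\repair", "$env:SystemRoot\System32\config\RegBack")) {
        $f["Read $dir"] = Test-ReadableDirectory $dir
    }

    # Q: Removable media?  Win32_LogicalDisk DriveType 2 = removable, 5 = CD/DVD.
    $removable = @(Get-CimInstance -ClassName Win32_LogicalDisk |
                   Where-Object { $_.DriveType -in 2, 5 } | ForEach-Object DeviceID)
    $f['Removable drives'] = if ($removable) { $removable -join ',' } else { 'none' }

    # Q: Active USB port?  USBSTOR Start=3 loads the mass-storage driver on
    #    demand; 4 disables it. (The Removable Storage Access group policy is
    #    a separate control and is not inspected here.)
    $start = (Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR' -Name Start -ErrorAction SilentlyContinue).Start
    $f['USB mass storage driver'] = switch ($start) { 4 { 'disabled' } 3 { 'ENABLED' } default { "unknown ($start)" } }

    # Q: Can a user run administrative tools?  Reports which of the post's
    #    tools still ship on a current build and whether the per-user
    #    policies that normally restrict them are set (empty = not set).
    $tools = 'regedit.exe', 'regedt32.exe', 'dcomcnfg.exe', 'cmd.exe', 'mmc.exe'
    $found = @($tools | Where-Object { Get-Command $_ -ErrorAction SilentlyContinue })
    $f['Admin tools on PATH'] = if ($found) { $found -join ',' } else { 'none' }
    $f['DisableRegistryTools'] = (Get-ItemProperty 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System' `
                                  -Name DisableRegistryTools -ErrorAction SilentlyContinue).DisableRegistryTools
    $f['DisableCMD'] = (Get-ItemProperty 'HKCU:\Software\Policies\Microsoft\Windows\System' `
                        -Name DisableCMD -ErrorAction SilentlyContinue).DisableCMD
    return $f
}

$results = Get-WorkstationFindings
$results.GetEnumerator() | ForEach-Object { '{0,-50} {1}' -f $_.Key, $_.Value }
```

Upper-case results (READABLE, ENABLED, True) are the answers the post treats as "yes"; a "denied" or "disabled" line is the configuration it argues for.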
Are you using Windows 95 or 98 as the operating system of choice on your
workstations?
Many organizations use Windows 95 or 98 as the workstation client and set it
up to access information on a "secure" host via some type of emulation
software. Because the host may be running a secure operating system, and
applications on the host require identification and authentication prior to
granting access, they believe their network to be fundamentally secure.
Nothing could be further from the truth. All the attacker need do is to
download and install a keystroke logger on the workstation. This will
enable them to easily capture any account names and passwords needed to
access the "secure" host.
Based on my experience over the past twenty years, I would be willing to bet
that you answered in the affirmative to most, if not all, of the above
questions (you are definitely in a very small minority if you were able to
answer "no" to all of them). From a security perspective, you are in
serious trouble if you are not a member of that very small minority. You
are essentially running a system that cannot ensure the confidentiality,
integrity, or availability of information or other critical resources. Any
security that you may think you have is nothing more than an illusion. If
it is any consolation at all, many major corporations and government
agencies have paid serious money for certified professional security
analysts to perform on-site security evaluations, penetration tests, port
scans, password cracks, etc., and are now sitting in the same boat that you
are! If you have recently paid for a formal risk assessment you may want to
compare the issues documented within the analyst's final report to the
results of the experiments that you have just conducted. It would seem
reasonable to expect that if I could help you identify numerous and serious
vulnerabilities without ever having seen your system, those same
vulnerabilities would have been readily identified and documented by someone
who had performed an on-site evaluation (Unless of course my hypothesis of
mass incompetence caused by PCM has some merit after all).
Obviously I don't know a thing about the specifics of your particular system and
a few superficial questions do not a meaningful risk analysis make. There
may also exist within your organization extenuating circumstances of which I
have no way of knowing about, however, if you answered in the affirmative to
any of the above questions I would strongly suggest that you take a good
long hard look at your security program. You may even want to start asking
yourself what exactly it is that you are paying for!
Lohkee!