Kenneth R. van Wyk wrote:
> On Monday 17 January 2005 14:55, Crispin Cowan wrote:
>> I participated in a workshop on insider attacks several years ago. We
>> identified 2 kinds of insider attacks:
> (Was this Mike Skroh's (DARPA) workshop out at RAND? If so, I also
> participated in this. In fact, it's where I met you, Crispin.

Yes, that was it.

So we agree that more secure systems such as RBAC and Immunix do help to
address the problem of insider attackers. What they don't do is address
the problem of authorized insiders abusing their authority. That is
where this new class of products comes in: they track the movement of
sensitive organizational data by /content/ rather than by access
control, and complain when content crosses a barrier that it should not.

> Understood, and at least much of this new class of products is based on
> statistical analysis of event logs. Certainly, products simplify that
> scenario, but it can also be done without add-on products.

Some are more than just statistics, and are using signatures on phrases
& passages of text. Obviously that is easy to bypass (just encrypt it,
or even trivial transformations) but as with a lot of defenses, the
attackers are often not too bright, and so simple defenses often work.

> There is also a new class of products that do access control and logging at
> the PC client level, so that things like USB stick access can be (nominally)
> controlled and logged, FWIW. I'll bet that a determined, authorized
> adversary can find ways of circumventing, though...

Boot from removable media, and you are running a different OS, and all
access controls are shot. To prevent that, you have to get control over
the machine's boot sequence. If you disable booting from removable
media, then you also cripple auto-updates of the OS.

>> Because the end-game of covert channel prevention always leads to an
>> anal cavity search :)
> ACK....and ick!

> So, where's the Software Security lesson in all of this? IMHO, it's to ensure
> adequate application-level event logging and data access control
> capabilities.

I think the main lesson of the underwear attack is Marcus Ranum's rule
that you cannot use technology to fix social problems. If an insider
really wants to export your data, they are going to succeed. So be nice
to your staff; it's not just the moral thing to do, it is the smart
thing to do.
Crispin
--
Crispin Cowan, Ph.D. http://immunix.com/~crispin/
CTO, Immunix http://immunix.com
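The "track data by content" class of product the thread describes, and the caveat that phrase signatures are defeated by encryption or encoding, can be seen concretely in a small check. The following is an added example written for this page; it is not code from the thread, from Immunix, or from any of the products mentioned. It fingerprints a sensitive document as a set of hashed, normalized word n-grams, flags outbound text that shares enough n-grams with it, and layers a byte-entropy heuristic underneath so that an opaque (encrypted or compressed) blob, which the signature cannot see into, is at least routed for review rather than silently allowed. The document, the messages, the n-gram size and the thresholds are all constructed for the example.

```python
"""Content-signature leak check with an entropy fallback (added example)."""
import base64
import hashlib
import math
import re
from collections import Counter

NGRAM = 5  # words per shingle; constructed tuning value, not from any product


def normalize(text: str) -> list[str]:
    """Lower-case and drop punctuation so case/spacing changes do not evade the match."""
    return re.findall(r"[a-z0-9]+", text.lower())


def shingles(text: str, n: int = NGRAM) -> set[str]:
    """Hash every run of n consecutive normalized words (a 'phrase signature')."""
    words = normalize(text)
    out = set()
    for i in range(len(words) - n + 1):
        gram = " ".join(words[i:i + n])
        out.add(hashlib.sha256(gram.encode()).hexdigest()[:16])
    return out


def build_signature(sensitive_doc: str) -> set[str]:
    """Signature of the protected document: the set of its phrase hashes."""
    return shingles(sensitive_doc)


def content_match(signature: set[str], outbound: str) -> int:
    """How many phrases of the outbound text come from the protected document."""
    return len(shingles(outbound) & signature)


def shannon_entropy(data: bytes) -> float:
    """Bits per byte; plain English sits well under 5, encrypted/compressed data near 6-8."""
    if not data:
        return 0.0
    counts = Counter(data)
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def classify(signature: set[str], outbound: str,
             min_hits: int = 3, entropy_threshold: float = 5.0) -> str:
    """Content signature first; entropy heuristic second for content the signature cannot read."""
    if content_match(signature, outbound) >= min_hits:
        return "BLOCK:content-signature"
    if shannon_entropy(outbound.encode()) > entropy_threshold:
        return "REVIEW:high-entropy"
    return "ALLOW"


# --- constructed sample data -------------------------------------------------
SENSITIVE_DOC = (
    "Project Falcon acquisition memo: the board approved purchase of Acme Widgets "
    "for 40 million dollars, closing expected in the third quarter, subject to "
    "regulatory review."
)
SIGNATURE = build_signature(SENSITIVE_DOC)

# Verbatim passage with trivial case/punctuation changes: normalization keeps the match.
LEAK = ("FYI: Board APPROVED purchase of Acme Widgets for 40 million dollars, "
        "closing expected in the third quarter.")

# Ordinary mail that shares no phrases with the memo.
BENIGN = "Hi Bob, are we still on for lunch tomorrow at noon? Let me know."


def opaque_blob(n_blocks: int = 8) -> str:
    """Stand-in for an encrypted or compressed attachment: pseudo-random bytes, base64-encoded.
    Constructed deterministically from hashes so the example runs offline and repeatably."""
    raw = b"".join(hashlib.sha256(b"constructed-blob" + bytes([i])).digest()
                   for i in range(n_blocks))
    return base64.b64encode(raw).decode()


if __name__ == "__main__":
    for label, msg in (("leak", LEAK), ("benign", BENIGN), ("opaque", opaque_blob())):
        print(f"{label:7s} hits={content_match(SIGNATURE, msg):2d} "
              f"entropy={shannon_entropy(msg.encode()):.2f} -> {classify(SIGNATURE, msg)}")
```

The split between the two checks mirrors the thread's point: the phrase signature is precise on verbatim or lightly reformatted copies, and sees nothing once the content is encrypted, so the entropy rule only raises a coarse "someone is sending an opaque blob" signal for a human to look at, which is as far as content inspection alone can go.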