Computer security is more important than ever. Last year, the FBI identified 23 foreign countries engaged in waging economic war with the US. All 23 countries used computer espionage to gain strategic economic information from US corporations. WarRoom Research found that the average Fortune 500 company lost more than half a million dollars from reconstructing data and rebuilding damaged systems after computer attacks. Other studies have found that between 85 percent and 95 percent of computer attacks are inside jobs, either by employees or by people who gained knowledge from employees. In short, US corporations are the target of the next Cold War, an economic war being quietly waged with tools and techniques left over from downsized spy networks of the last Cold War.
Fortunately, the computer industry has an arsenal of defensive weapons. One of the best weapons is the formal computer security classifications, especially the National Computer Security Center's (NCSC's) Orange Book. (The sidebar, "C2 Security: Some Background," page 156, describes the Trusted Computer System Evaluation Criteria--TCSEC--including the Rainbow Series, the Orange Book, and C2-level security.)
Although originally intended for military applications, the Rainbow Series has always been a public document. Some businesses and computer vendors have adopted C2--any rating below C2 has little security--as their security standard; Microsoft and Novell tout C2 as a selling point for their network operating systems. Although some industry professionals debate the value of the Orange Book and C2 in particular, I believe C2 is a useful standard--if you know what you're dealing with.
| Drawing on the experience of the National Security Agency seems a logical approach to security |
You can adapt the Rainbow Series to most business systems and security models. The Rainbow Series does not define specific parameters for system creation or security levels. The security ratings are not equivalent to ratings such as the Department of Defense's secret and top secret. This fact means that you can use any internal system of security ratings already in place, just as you can assign the domain names of any structure when you design a network.
The Rainbow Series outlines security theory and design, instead of laying out specific requirements; rather than becoming dated, the rating scheme improves with time as users test the ratings in real-world situations. For instance, auditing is extremely important for the higher ratings, but the standards specify only the type of action that the user must record in an audit--not a format for an audit log. Although critics say that this feature can lead to a lack of interoperability among systems at a given rating, I believe this flexibility in reporting formats is useful: It doesn't restrict manufacturers from developing better auditing tools or lock systems into formats from the mid-1980s.
Although C2 is the most useful security rating for many businesses, some situations require a B-level or another
C-level rating. Companies securing critical financial data frequently use systems with B-level security. In other
situations, such as where making data available is more important than limiting access, a C2 rating is too restrictive.
Understanding the differences between C-level and B-level security is helpful. Discretionary protection in the C level means that every object has an associated user who has discretionary control over who can access the object. Mandatory access in the B level means that all objects have an assigned security level that is mandatory for accessing that object. In other words, if an object is rated at R&D Level 1, no one can access the object without that level of access. Even the creator of that object cannot grant access to that object to anyone at a lower security rating. Businesses determine the appropriate rating as part of a well-planned security policy.
Retrofitting security into any system, particularly a computer system, is more difficult than creating a secure system originally. Thanks to C2, manufacturers have specific formal security standards to which they can develop off-the-shelf network operating systems.
NCSC had enough foresight to realize that although a vendor designed a product to be secure, administrators can install or use products in an insecure manner. Therefore, NCSC evaluates each product separately at a given level, using the TCSEC criteria for that product (e.g., the Lavender Book for databases, the Red Book for networks, the Blue Book for subsystems). Manufacturers sometimes have cited evaluation by one book when in fact their system requires evaluation by several books.
You can test and certify at a given level only an installed system. This process is time-consuming and expensive, but evaluation of an installed system guarantees that the system functions the way it is intended to function in its real-world state.
C2 has the following characteristics:
- The system must have good documentation at both the user and administration level and have documentation on security testing.
- The system must authenticate all users as unique individuals.
- The system must not allow objects to be reused or recovered once deleted.
- The system administrator must audit all security events.
- The system must protect all objects and processes from all others.
Most corporations agree that these features are necessary. Where and how businesses implement these security features is part of a well-planned security policy based on real business data and accounting.
Given the new threats to corporations by economic espionage, drawing on the experience of the National Security Agency seems a logical approach to security. Perhaps the best legacy of the Cold War is the experience gained in securing computer systems from the same spies who are now eyeing US corporations.
