June 6th, 2003, 04:32 AM
Insecure Government Computers!!
(Someone I know is doing an ezine for a class project, so I threw this together for them and thought that some of you may find value in it.)
It's true, many government systems are defaced, DDoSed are otherwise damaged... or are they?
Did you ever stop to think about why these systems are not patched or with some even maintained at all? Why some defacements linger for days or even weeks?
Odds are you just wrote this off as our stupid government and used oxymoronic clichés like "military intelligence" and such, right? I know that some of you do, I have see it myself. ;) It's ok to think that, why wouldn't you? Everything about computer security and hacking says that if your system gets hacked you must be an idiot or just plain lazy right? Perhaps by the end of this you will know better. ;)
Computer security is broken down in to three parts: Confidentiality, Integrity, and Availability collectively referred to as CIA. Government systems have suffered from all three type of these attacks. Some of you may recall the stolen space shuttle/space delivery vehicle plans that were compromised from the NASA website. This of course represents confidentiality. Defacements fall under integrity or both integrity and availability if the defacement renders the site useless. DDoS is of course a fine example of availability. All threats and vulnerabilities (known as Disclosure, Alteration, and Destruction... DAD) their respective controls and safeguards are defined against the CIA as well as the overall organizational policies.
So now that we know the basic pyramid of computer security, let's get into more specifics. Risk management is exactly what it sounds like, managing risk. How does one manage risk? The simple answer is by cost. First a risk assessment needs to be done, this involves several important steps:
For each threat Asset X and each threat Y:
1. Determining your X's value aka Asset Value (AV), this is a dollar amount.
2. Determining the potential damage to the AV by Y, this is called Exposure Factor (EF), and is a percentage.
3. Determining the dollar value of a single successful compromise, called Single Loss Expectancy (SLE), this is a dollar amount equal to AV*EF
4. Determining the frequency for with Y will occur in a give time span, typically annually called the Annual Rate of Occurrence (ARO).
5. Determining the total loss inflicted by Y to X per year, the Annual Loss Expectancy (ALE).
Add up all your ALEs and you know how much you will lose per year from damage by threats. :) This is your total risk.
Once you have your total risk, you need to decide if it is something you can or cannot live with. If you have a home computer full of music and porn and not much else, confidentiality attacks may represent no risk at all, because there is no cost. Even if a million people a day see your secret porn, this creates no cost for you. Integrity? Well yeah if your computer data is destroyed or altered, be it from an accidental delete, malicious hackers, or a comet hitting your den these will all have costs attached to them. So what to do? You can't have your porn getting erased. Some risk mitigation is called for. :)
Asset Porn : Threat hackers : Type Integrity/Alteration
AV=$1000 (you make $10 at your local radio shack so you figure this is what your time is worth, and it will take you 100 hours to download it all again)
EF=100% ("I can't believe they deleted it all! those monsters!")
ARO=365 (You are just that unpopular, you prolly go around spouting how windows is better than Linux)
That's right, $365,000 a year lost in porn. You decide this is way way too high for you. So now it is time to find a way to either lower your EF. So, anything that costs less than 5,000 is going to save you money. Perhaps a CD burner to make backups.
Safeguard : CD Burner + Blank CDs
And now your exposure factor drops substantially, now when your porn is hit you don't loss everything, you lose the 10 minutes it takes you to put in the CD and copy it back...
EF=0.16% (10 minutes compared to 100 hours)
With one change you mitigated over 99% of your risk and saved over $364,000!. Can we do more?
What if we switch to a trusted operating system like WGS's STOP? A single STOP system costs ~$80,000, let's have a look:
ARO=1 (we'll estimate high on this for simplicity sake heh)
Woohoo! We dropped the ALE well over 99% again! This time we saved $582.40, but at a cost of $80,000! so we actually lost over 99% of our investment! Clearly this was a bad choice.
What does any of this have to do with government security?
Let us consider www.whitehouse.gov, what assets do the have? It is unlikely the site has any confidential data, so this AV would likely be very near $0. As far as integrity goes, the site delivers no executable content that may damage clients (as apache.org does for example) and the site sells nothing so the potential losses to both integrity and availability are nil. If the site is down or defaced, they lose no revenue and it's not like you are going to go to a competing executive branch of the US government. With AVs and EFs so low, it is no wonder these sites are insecure, it would cost more to secure them than it would to leave them as they are! This may seem silly, but remember, spending an unneeded $100,000 a year on security is the same as losing $100,000 to threats.
Money gone is money gone, doesn't matter if it goes to vendors, admins, consultants, hackers, competitors, or up in smoke.
June 6th, 2003, 05:19 AM
June 8th, 2003, 04:39 PM
**Moved from Misc Security to Tutorials**