Defense in depth as a concept goes beyond the protocol to an architecture and orientation of protecting information. One of the goals of this book is a holistic treatment of the perimeter. This includes not just routers, firewalls, and VPNs, but policy, system hardening, intrusion detection, and software architecture. In the final major section of our discussion of defense in depth, we want to revisit the problem of information leakage and also restate the case for encryption.
The Problem of Diffusion
One fascinating security problem is the diffusion of information. An organization might have three levels of information confidentiality: top secret, secret, and confidential. Sooner or later, a classified piece of data ends up on a system or network that is not rated for that level of information.
Today, business can be characterized by intense competition, where a single misstep in information control can be disastrous. We label critical information proprietary, but laptops can be lost and systems can become infected with the Sircam worm and send random files out onto the Internet. AOL versions 6 and 7 both occasionally decide to attach some file that has been recently sent in an email message to someone else. If you're lucky enough to realize this is happening, and you have a slow-enough connection, you can cancel the email; however, if you have a broadband connection and the file is small, it's impossible to stop the email and retrieve the file. It turns out that it is nearly impossible to prevent information diffusion, but we can develop architectures to minimize the problem. Some of the problems we need to design and plan for to minimize diffusion include backdoors, wireless devices, remote controlware, email, and social engineering.
When PCs first started being deployed, modems were controllable problems. They were slow, expensive, and external, so you could find them by walking through your organization. You would think your top firewall and network administrators would know not to leave a modem on a critical system on auto-answer, but administrators can be the worst culprits. After all, it is a lot easier to roll out of bed, dial up the organization, fix whatever is wrong, and go back to sleep than to drive in to fix the problem. Defensive measures include wardialing your own phone numbers with ToneLoc (a free tool) or PhoneSweep from Sandstorm (if you need to use commercial software).
802.11 wireless access points (WAPs) bring a whole new dimension to the problem. At less than $200 each, WAPs will end up all over your organization whether you prohibit them or not. They do not require much skill to set up, and they are simple to eavesdrop on with tools such as AirSnort or any packet sniffer if the data is in the clear. If you are going to run wireless, consider the wireless intrusion detection and prevention tools available from AirDefense and AirMagnet.
The best advice is to get a wireless card with an external unidirectional antenna, download a copy of Kismet (available from http://www.kismetwireless.net/), and walk your perimeter on a regular basis before someone else does. Kismet runs on Linux, but if you are a Windows user, you can run it from Knoppix, a bootable CD-ROM version of Linux available from www.knoppix.org.
The term remote controlware is a made-up one; we use it to describe the suite of products ranging from Symantec's pcAnywhere (which can be identified by access to port 22, 5631, or 5632) to the HTTP tunneling service available from www.Gotomypc.com. Policy and security awareness training are your primary tools for managing these types of technologies.
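A port-based check of the kind just described, written as an added example rather than code from the book: it parses a constructed firewall connection log, keeps only flows from internal address space to the Internet, and correlates pcAnywhere's data port (TCP 5631) with its status port (UDP 5632) before calling a finding high confidence, since TCP 22 on its own is just as likely to be SSH. The log format, the internal networks and every address in the sample are assumptions.

```python
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Internal address space for the sample organization (assumed; adjust to yours).
INTERNAL_NETS = [ip_network("10.0.0.0/8"),
                 ip_network("172.16.0.0/12"),
                 ip_network("192.168.0.0/16")]

# pcAnywhere uses TCP 5631 for data and UDP 5632 for status. TCP 22 was used by
# older releases but is also SSH, so alone it is only a weak indicator.
PCANYWHERE_PORTS = {("tcp", 5631), ("udp", 5632)}
LEGACY_PORT = ("tcp", 22)

# Constructed sample log (not from the book): "timestamp proto src:port -> dst:port"
SAMPLE_LOG = """\
2024-01-10T08:01:02 tcp 10.1.5.23:49152 -> 203.0.113.7:5631
2024-01-10T08:01:02 udp 10.1.5.23:49153 -> 203.0.113.7:5632
2024-01-10T08:03:10 tcp 10.1.5.40:51000 -> 198.51.100.9:22
2024-01-10T08:04:11 tcp 10.1.5.41:51010 -> 10.1.9.2:22
2024-01-10T08:05:00 tcp 10.1.5.50:51020 -> 203.0.113.88:443
2024-01-10T08:06:30 tcp 10.1.5.60:51030 -> 203.0.113.200:5631
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<proto>tcp|udp)\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)$"
)


def parse_log(text):
    """Turn log lines into flow dicts; lines that do not match are skipped."""
    flows = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        flows.append({"ts": m["ts"], "proto": m["proto"],
                      "src": m["src"], "dst": m["dst"], "dport": int(m["dport"])})
    return flows


def is_internal(addr):
    a = ip_address(addr)
    return any(a in net for net in INTERNAL_NETS)


def find_remote_control(flows):
    """Return (src, dst, confidence, reason) for outbound flows that look like
    remote-control sessions, grouped per src/dst pair so ports can be correlated."""
    seen = defaultdict(set)
    for f in flows:
        # Only internal -> Internet flows are relevant for this egress check.
        if not is_internal(f["src"]) or is_internal(f["dst"]):
            continue
        seen[(f["src"], f["dst"])].add((f["proto"], f["dport"]))

    findings = []
    for (src, dst), ports in sorted(seen.items()):
        hit = ports & PCANYWHERE_PORTS
        if hit == PCANYWHERE_PORTS:
            findings.append((src, dst, "high",
                             "pcAnywhere data (tcp/5631) and status (udp/5632) ports both seen"))
        elif hit:
            proto, port = next(iter(hit))
            findings.append((src, dst, "medium", f"single pcAnywhere port {proto}/{port}"))
        elif LEGACY_PORT in ports:
            findings.append((src, dst, "low",
                             "tcp/22 to an Internet host: SSH or legacy pcAnywhere, verify"))
    return findings


if __name__ == "__main__":
    for src, dst, conf, why in find_remote_control(parse_log(SAMPLE_LOG)):
        print(f"{conf:6} {src} -> {dst}: {why}")
```

Because the check groups by source/destination pair, a host that only ever touches one of the two pcAnywhere ports is reported at medium confidence rather than silently dropped, and the internal-to-internal SSH session on the fourth line never appears at all.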
If you don't think you have a problem with information leakage via email, try scanning just your email headers for a month. If you want to collect information to demonstrate the problem with diffusion to your management, this can be one of the most powerful ways to do it. Many times, your management will agree to allow you to copy just the subject lines because that is part of the header, the equivalent of the outside of an envelope. You will quickly learn that a lot of sensitive information is sent via email. In addition to policy and awareness training, one old trick is to create a fake acronym and add it to particularly sensitive documents. After all, no one will notice one more acronym. Then you can add this as a string to your IDS so that it alerts if the word you have created crosses your perimeter. Think of it as marker dye for tracking information diffusion.
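The marker-dye idea above, as an added example that is not part of the book: a small scanner that parses raw messages with Python's email module, looks for an invented canary acronym in the Subject header (the "outside of the envelope"), in attachment names and in plain-text bodies, and raises an alert only when at least one recipient is outside the organization's mail domain. The canary value, the internal domain and the three sample messages are all constructed for the example.

```python
import re
from email import message_from_string
from email.header import decode_header, make_header
from email.utils import getaddresses

# Assumed canary: an invented acronym seeded into sensitive documents (constructed value).
CANARY = "QZRL-7"
# Assumed internal mail domain for the sample organization (constructed value).
INTERNAL_DOMAIN = "example.com"

# Constructed sample messages (not from the book).
SAMPLE_MESSAGES = [
"""From: alice@example.com
To: bob@example.com
Subject: Q3 roadmap draft

Attached as discussed.
""",
"""From: carol@example.com
To: partner@external.example.net
Subject: FW: Project QZRL-7 pricing sheet

Forwarding the sheet so you have the numbers.
""",
"""From: dave@example.com
To: friend@external.example.net
Subject: lunch?
Content-Type: multipart/mixed; boundary="XX"

--XX
Content-Type: text/plain

see attached, mentions qzrl-7 in section 2
--XX
Content-Type: application/octet-stream; name="notes.txt"
Content-Disposition: attachment; filename="notes.txt"

QZRL-7 internal only
--XX--
""",
]


def _pattern(canary):
    # Match the marker as a standalone token, case-insensitively, so "xqzrl-7y" is ignored.
    return re.compile(r"(?<![A-Za-z0-9])" + re.escape(canary) + r"(?![A-Za-z0-9])",
                      re.IGNORECASE)


def external_recipients(msg, internal_domain):
    """Addresses in To/Cc/Bcc that are not in the organization's own domain."""
    addrs = getaddresses(msg.get_all("To", []) + msg.get_all("Cc", []) + msg.get_all("Bcc", []))
    return [addr for _, addr in addrs if not addr.lower().endswith("@" + internal_domain)]


def scan_message(raw, canary=CANARY, internal_domain=INTERNAL_DOMAIN):
    """Report where the canary appears and whether the message crosses the perimeter."""
    msg = message_from_string(raw)
    pat = _pattern(canary)
    hits = []

    # Subject line: the part of the header management is usually willing to let you log.
    subject = str(make_header(decode_header(msg.get("Subject", ""))))
    if pat.search(subject):
        hits.append("subject")

    for part in msg.walk():
        if part.is_multipart():
            continue
        fname = part.get_filename()
        if fname and pat.search(fname):
            hits.append("attachment-name")
        if part.get_content_type() == "text/plain":
            payload = part.get_payload(decode=True) or b""
            if pat.search(payload.decode("utf-8", "replace")):
                hits.append("body")

    external = external_recipients(msg, internal_domain)
    return {
        "from": msg.get("From", ""),
        "subject": subject,
        "hits": hits,
        "external": external,
        # Alert only when the marker is present AND the mail leaves the organization.
        "alert": bool(hits) and bool(external),
    }


if __name__ == "__main__":
    for raw in SAMPLE_MESSAGES:
        r = scan_message(raw)
        if r["alert"]:
            print(f"ALERT {r['from']} -> {r['external']}: canary in {r['hits']} ({r['subject']!r})")
```

The same pattern can be fed to an IDS as a content string; the scanner here adds the recipient check so that internal discussion of a marked document does not trip the alarm, only its departure.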
We have made a case for understanding a bit about how diffusion of information happens in the organization. Although we have offered a number of technical solutions, the best answer is an active and powerful security awareness program. Most security awareness programs consist of a canned brief and a poster or mouse pad with a catchy slogan. We need to do better than this, and we can. The users in our organizations are not stupid; they can set up a modem in auto-answer mode and deploy a wireless access point. The best security awareness program is one that treats the users as peers. Get involved! Perhaps your information security officer is not the most technical person in the organization; if that is the case, help him out. With permission from your manager and security officer, set up a wireless access point and demonstrate AirSnort. In most awareness programs, you see the users nodding off, eyes fixed and brains in a wait state. When you show someone decrypting what people normally think are private communications, the lights go on. After that, users will think twice before using a WAP in the office or at a conference without a VPN. The more your users know, the more capable they will be of making educated decisions. That said, information diffusion happens. There are just too many ways information can become exposed. This final section of the chapter and this book is a reminder of the importance of cryptography in defense in depth.
Cryptography and Defense in Depth
Here's a question for you: What is free for personal use and reasonably priced commercialware, provides defense in depth instantly, is exhaustively reviewed, yet underused? One answer would be Pretty Good Privacy (PGP). PGP is a bit cumbersome to use, and the web of trust needs to be established in advance of need, but for a community of 2 to 200, it's quite serviceable.
Many organizations have implemented Public Key Infrastructure (PKI) by now, but they don't use their solution for encrypting email. As we travel, we hear horror stories of users with two-factor authentication who, as a regular practice, leave the token component plugged into their USB port and go home for the evening (that way they don't lose their tokens).
Can PGP and PKI interoperate? Yes, to some extent. PGP can import an X.509 certificate as a legacy RSA signature. However, beware: PGP 7 and PGP 8 do not protect the secret key portion of the imported certificate.
To view a set of step-by-step instructions by Ridge Cook for organizations that must have PGP/PKI interoperability, visit http://www.mccune.cc/PGPpage2.htm#X.509.
Microsoft has often been flamed during its history for its cryptography and security practices, yet Windows 2003 Server shipped with Kerberos, IPSec, and encrypting file system support for certificates as part of the operating system. We have the tools we need; we just need to implement them. One government organization in Crystal City, Virginia, implemented VPNs from the desks of government officials to the printers. This kept an insider who was not trustworthy from intercepting and reading sensitive data off the network. We should think about this example. Encrypting data at rest and in transit takes a bit of work and a bit of discipline to manage the keys, but it is the most bombproof way to implement defense in depth.