Regular columnist ADAM FIRESTONE returns today with a slightly different topic than his usual fare. In addition to his expertise with weaponry, Adam is also a font of knowledge about computers and cyber crime. Whether it’s for writing research or for the protection of your own computer, this post is a must-read!
Information is the most critical, and the most destructive weapon of the 21st century. Weapons, ranging from rifles to missiles have achieved a level of sophistication that allows shooters to not only select a particular target, but to choose WHERE on the target the weapon will impact. The real issue is not the destruction of the target, but the timely provision of identification, location and characterization information about the target to the shooter. Information is the critical link in the kill chain. In this article, we’ll discuss information allowing you to craft plot support mechanisms centered on preventing (or allowing) unauthorized access to critical information.
The scene is very familiar to those who write thrillers or romantic suspense: The hero or the villain needs to find information that is stored somewhere on an adversary’s computer network. A hacker’s skills come into play, and between social engineering, sniffing traffic sent using the Hyper-Text Transport Protocol (HTTP) and password cracking, a workstation login and password are stolen. The attacker gains access, and suddenly the data floodgates are open. The network is laid bare, and every resource is now available.
The disturbing thing about this scenario is that it isn’t especially fanciful or far-fetched. In my day job as the director of defense and government solutions for a global middleware company, I spend a good deal of time counseling clients about these very topics. The remainder of this discussion will explain some basic computer system security concepts from both historical and technical perspectives in a manner that is, I hope, useful for the writer community.
On May 26, 2010, US Army Private First Class (PFC) Bradley Manning was arrested in Iraq on suspicion of having passed classified material to the website WikiLeaks. He was charged with a number of offenses, including the unauthorized communication of national defense information and aiding the enemy. Manning had been assigned to a unit based near Baghdad. In connection with his duties, Manning had access to databases used by the military to store, exploit and disseminate classified information. His arrest came after the Department of Defense (DoD) received information that he had downloaded and passed classified data to Wikileaks, including videos of airstrikes on Baghdad on July 12, 2007 and Granai, Afghanistan in 2009, a quarter of a million US State Department diplomatic cable and approximately half a million Army war logs. This information represented the largest set of classified documents ever to be leaked.
While Manning’s actions, if proven at his trial (which is scheduled to begin in mid-2013), are undoubtedly a violation of the non-disclosure agreements (NDA) that he signed in conjunction with his security clearances, and may constitute treason, they are not the most damning part of the whole Wikileaks debacle. The real issue is that the systems to which Manning had access remained a virtual big box store of government information with few, if any, checks on access. A less technical analogy may be helpful in understanding the nature of the problem.
Imagine that you own an office building. This office building has many floors. Each floor contains dozens of offices, and each office belongs to a different tenant company. It’s safe to say that an employee from the travel agency renting office 314 really has no reason to have access to office 546, which is rented by a religious articles import-export firm.
Now let’s imagine that at each of the entrances to the building, there is a security guard. The guard’s instructions are to ask for the photo-identification card that you issued to each legitimate tenant, and to ensure that the photograph on the card matches the person requesting access to the building. Once the guard verifies that the person providing the identity card is in fact the person described on the card, the person is granted access to the building.
Now here’s the kicker: Once past the guarded entrance, there are no locks anywhere in the building. Not on the office doors, not on the restrooms, not on the utility closets, not on the wiring and phone closets. Nowhere. Once you’re in, you’re in. You can go to any floor and into any office. It’s a free for all.
Sounds crazy, right? No landlord – and no sane tenant – would knowingly sign up for such an arrangement. Yet this sort of one-time, perimeter-only security is exactly what most computer information systems have, including those used by the government and the military. And it was exactly the sort of security used on the systems on which Bradley Manning worked. This is called “authentication only” security. AUTHENTICATION is the act of proving that you are who you say you are. There are three primary ways of authenticating to an information system: Know, Have, Are.
• Know: The most common authentication method is to provide a shared secret that only the system and the user know. Typically this takes the form of a username/password combination.
• Have: For additional security, the system my require the user to present a physical item to which only a bona fide user would have access. Examples of this are smart cards with embedded digital certificates, RSA SecurID tokens or a mobile phone running the Google Authenticator application. (The SecurID token and Authenticator app provide rotating numerical combinations that must be entered within a certain time period to corroborate the username/password combination.)
• Are: The highest levels of authentication security require some form of biometric verification in addition to usernames/passwords and physical items. This may take the form of a voice print or fingerprint or retinal scan. While the technology for these is getting better all the time, there are still reliability issues that make many organizations reluctant to adopt biometric verification mechanisms.
No matter how secure the authorization mechanism is, it’s still only perimeter protection. Under the information assurance rules protecting the sorts of systems on which Bradley Manning worked, passwords had to be changed frequently (anywhere from every 30 to 90 days), and they had to meet stringent length (often twelve or more characters) and complexity (mandatory use of both uppercase and lowercase letters, numbers and special characters) requirements.
Obviously, it wasn’t enough.
The answer is to incorporate automated AUTHORIZATION mechanisms into the security paradigm. Authorization mechanisms ensure that an authenticated user has access only to those system resources (i.e., data and capabilities) pertinent to their job, rank, organization or some combination of other attributes. Currently, there are two dominant forms of automated authorization technology in use, RBAC and PBAC/ABAC.
Most systems (especially those premised on Microsoft Windows technology) use something called Role Based Access Control, or RBAC. RBAC assumes that there are a finite number of organizational roles (loosely analogous to jobs/tasks), and that access to system resources is predicated on a user’s allocation to one (or more) of these roles. The practical problem with RBAC is that the initial set of roles winds up offering too much – or not enough – access for a particular user’s needs.
The remedy is to create a new, tailored role for specific user needs. The unfortunate results of this practice are either an unmanageable proliferation of roles (a system administrator’s nightmare!) or role overlaps that negate access control efforts and create an insecure condition. As a result, there are usually only two or three roles created in most RBAC systems: User, Supervisor and System Administrator. The consequence of this paucity of roles is that there is, effectively, little or no access control.
The response to RBAC from the computer security community was the development of open, community standards supporting what is referred to as “policy based access control” (PBAC) or “attribute based access control” (ABAC). The key standard supporting PBAC/ABAC is the eXtensible Access Control Markup Language (XACML). Under a PBAC/ABAC scheme faithful to the XACML standard, instead of having a plethora of roles, each request for access to a system resource results in an evaluation of the user’s personal characteristics against a pre-defined access control policy for the resource in question. Returning to our office building analogy, the implementation of an automated authorization mechanism might look like this:
Once past the perimeter guard, a tenant goes to an information desk.
At the desk, the tenant presents her identity credentials and specifies the office to which she’d like to go. The attendant looks up the policy for that office, which might say something along the lines of “admit people who are full time employees of XYZ Company and have a title of manager, director, vice president or C-level employee.” The attendant then looks up the tenant’s attributes corresponding to her identity credentials. If the tenant’s employer is “XYZ Company,” her status is “full time employee” and her title is “Manager, Technical Development,” the tenant is given an access card that will grant her access to the desired office. If a key attribute is wrong (let’s say the tenant’s status is “part-time” or “consulting” employee), the tenant is not given the access card, but is instead provided with the phone number of the XYZ Company security manager to whom she can air her grievances.
So how does authorization provide augmented security in real life? Let’s place authorization in the context of the Manning/Wikileaks case. As a result of the authentication-only, perimeter security paradigm implemented on the system on which he worked, Manning had untrammeled access to not only Army information directly pertinent to the his unit’s (2nd Brigade Combat Team (BCT), 10th Mountain Division) operations, but to Army- and Department of Defense-wide intelligence and State Department diplomatic information as well. Had an authorization system been in place, it is likely that Manning would only have had access to information directly pertinent to 2nd BCT operations, thus limiting the damage he could do. In sum, authorization schemes implement “need to know” capabilities that complement the “access” capabilities of the authentication mechanisms.
It gets better though. In order to really defeat a combination of authentication and authorization mechanisms, an attacker would not only need the username/password combination (for “know-only” authentication) but would have to be able to hack into and change data in either the secured user store, the secured access control policy store or both. It’s a FAR more daunting – and time consuming – task.
At this point, you’re probably thinking “Well, if it’s that simple and effective, why doesn’t everyone implement authorization mechanisms?” The answer has two parts: Knowledge and expense. Many architects, developers and systems engineers simply aren’t aware of either the standards or the tools that implement them. For those that are aware, the combination of software licensing fees and the perceived development effort costs associated with implementing PBAC/ABAC mechanisms are often seen as insurmountable.
The answer – both for your plotline and for real world system architecture is the emergence of open source software engines based on open standards designed expressly to support identity management and security. Open source means that the software is available for download and use free of charge. Open standards mean that there are no proprietary interfaces that would stymie the integration of these tools into existing systems. More importantly, these tools are intended to interoperate with existing system components. For example, one of the most popular user information stores available is Microsoft’s Active Directory (AD). One of the more popular open source identity and access management engines, the WSO2 Identity Server, comes with out of the box support for AD interoperability.
Let’s do the author’s summary:
• Authentication only security means that once the bad guy steals a username and password, the system is completely at his mercy.
• Authorization systems can provide additional security by limiting authenticated users’ access to those resources consistent with their jobs.
• RBAC systems are difficult to maintain because of the potential plethora of roles and the security-frustrating effects of role overlap. More importantly, RBAC system are usually implemented with only two or three roles, thus not really providing any access control at all.
• PBAC/ABAC systems are more powerful, finer grained and more easily managed than RBAC systems. They are also more secure and resistant to hacking.
• Powerful, standardized and cost-free identity management software is now readily available.
With luck, you now have all the information you’ll need to accurately and believably enable or frustrate your heroines, heroes and villains. Happy hacking!
Have you ever been hacked?
Join us on Friday, March 1 when Donnell Ann Bell offers Tips Before Hiring an Editor
Bio: Adam Firestone brings more than 25 years of experience with weapon systems including small arms, artillery, armor, area denial systems and precision guided munitions to Romance University. Additionally, Adam is an accomplished small arms instructor, editor, literary consultant and co-author of a recently published work on the production of rifles in the United States for Allied forces during the First World War.
Adam has been providing general and technical editing services to authors and publishing houses specializing in firearms books since the early 2000s. Additionally, Adam provides literary consulting services to fiction authors including action scene choreography, technical vetting and technical editing. In this line of experience, Adam has had the fortune to work with well known authors including Shannon McKenna and Elizabeth Jennings.
Check out Adam’s blog here: http://adamfirestoneconsultant.blogspot.com/
- Adam Firestone Discusses Packing Iron: Tactical and Practical Concerns for Characters Who Carry Guns
- Q&A with Weapons Expert ADAM FIRESTONE
- Adam Firestone: Arms Acquisition and Transfer as Plotline Buttress
- Adam Firestone: Looks Can Be Deceiving
- Traveling with a Gun, by Weapons Expert Adam Firestone