Earl Crane
August 2000
Master
of Information Systems Management
Introduction
This
paper is a case study of A-OK, Inc. It has been prepared for use by students and
faculty at Carnegie Mellon University. The purpose of this paper is to profile
the information security aspects of a cutting-edge Internet security startup as
they pertain to the material taught in the course titled “Introduction to
Information Security Management”, number 95-752.
Information
security management is really risk management, or the reduction of risk to
obtain some form of control. It is nearly impossibly to eliminate security
threats, and it would be foolish to assume we could do so.
Therefore, this paper will focus on the information management issues and decisions considered by A-OK in the evolution of their company and services. Issues addressed will include the following: physical security as it deals with installation, storage, safety, and access of their hardware and network connections; encryption methods used by A-OK to protect valuable information, and their unique alternative Psygnature Passphrase method; object oriented security issues, including access control lists, operating system security; network security, including firewall, intrusion detection, and network availability; and finally the security policy in use, such as an intrusion plan, access granted, and legal implications.
What is not covered in this paper is an in-depth technical analysis of the security systems implemented at A-OK. This paper takes no position, directly or indirectly, as to the reliability, safety, integrity or “hardness” of the A-OK network. Such an opinion could only be made after a more in-depth analysis with thorough network integrity testing. This paper will, however, make general statements as to the management decisions made as they support or contradict class instruction.
A-OK,
inc.
A-OK was originally founded in 1996 as the Internet Revenue Network. Currently a privately held company in Los Angles, CA, it has 15 employees. They are still in the development stages, refining their business model to the changing Internet market. Most of their current work is concentrated on software development.
A-OK is a payment processing network and software developer for identity management and secure network access. A-OK’s service provides eCommerce merchants with a secure payment processing solution and customer verification. A-OK permits customers to perform secure online transactions with credit cards and ATM cards.
They key selling point of the A-OK network to merchants is the security they provide to consumers. A-OK markets their name and company as an indication of trust, and hope to build that trust with consumers and merchants alike, giving them a safe place to conduct business online. Naturally, security management plays a key role in helping them to reassure their clients that A-OK can provide the level of security they promise.
“Fully 94% of
executives from [the Information Technology association of America] put security
issues at the top of the list. IDC estimates that network security consulting
and management services will top $1.6 billion in 2002. Growth in this market was
fueled last year by Y2K worries, and this year by hackers and virus strains.”
-Neil
Strother,
Managing
Editor
ZDNet AnchorDesk
To help reduce online consumer’s concerns, and promote good online privacy policies, A-OK markets itself as a privacy advocate. They hope to increase brand awareness of the A-OK name in relation to safety and security online. By increasing the awareness and comfort of online transactions, they will build trust among consumers to use the A-OK service and feel confident shopping online.
They key behind the A-OK system is the A-OK Authentication SystemÔ (patent pending). It is a web based user authentication system that does not require any special software to be downloaded to the local computer. Also, the login uses a “Psygnature”, which is a visual memory mnemonic, which relies on words, pictures and memories to create the passkey for login. Their theory is that by using multiple memory devices to authenticate, customers can use a longer key, which is more difficult to crack through a brute force method.
A-OK
Authentication SystemÔ
The A-OK system has several components that work in conjunction to provide a secure online transaction. This section will provide a brief overview of each component, but will save the implementation for a later section. The components of the A-OK system are:
· Merchant Site
· A-OK Sentry
· A-OK wallet
· A-OK Sessioner
Merchant Site
Merchants can deploy A-OK within their existing shopping cart application on their website. It requires little effort on the part of the merchant to implement A-OK, and gives their customers the ability to use credit cards and ATM cards on their site. Customers initiate a purchase with authentication from the A-OK Sentry.
A-OK Sentry
The A-OK sentry acts as the front end to the transaction process. It authenticates the user and grants them access to data stored in their personal information manager (PIM) on A-OK servers. All transactions are web based, so there is no data stored on the local hard drive. This means customers can use any machine, on any platform, with a compatible web browser. The sentry stores shipping, billing, and contact information.
The sentry does not store credit card information. Instead, credit card data is transferred directly from the merchant to the payment network. This makes it easier for A-OK to integrate with an existing network, because the merchant and the payment network do not need to change the way they operate. In addition, A-OK is removed as a middle transaction manager, which reduces the risk of interception.
User authentication is done through means of a Psygnature Passphrase, a digital signature that uses memory mnemonics to encode the user’s password. The Psygnature technique was developed and patented by A-OK as a means of storing a longer password in our memory that we would usually be able to remember. The psychological details will be discussed later in the paper.
A-OK Wallet
The sentry communicates with the A-OK wallet, stored on A-OK servers, through a 128bit SSL encryption. The wallet contains sensitive user information like addresses and contact information, and is built with an open architecture to allow additional features. The wallet can only be accessed by the customer, as it is encrypted in a hardened box on A-OK servers that can not be accessed by A-OK. The wallet sends the customer’s information back to the merchant site for shipping information, and on to the next step of the A-OK system, the A-OK Sessioner.
A-OK Sessioner
The sessioner acts as the back end processor for the A-OK network. The sessioner runs on A-OK servers. The purpose of the sessioner is to authenticate the user’s digital signature, collect their keys from the certificate authority, and pass them along to the payment network. All transactions are performed over secure leased lines, or through an encrypted VPN.
Security
Management at A-OK, Inc.
This section covers how security management aspects at A-OK relate to the material taught in the course.
Physical
Security
Physical security is a risk that can easily be underestimated. Many people can understand the threat of theft, and the need to lock down a machine. But if an intruder is able to gain physical access to a machine, they can usually do much more damage than just destroying it. With the proper tools, an intruder can defeat most passwords and locks, granting them access to the entire system. If an intruder has a bootable copy of Unix on a floppy, and they reboot an NT machine into Unix with the floppy in the drive, all the security safeguards under NT are removed. Or an intruder might simply remove the computer’s hard drive and take it with them for further analysis.
Data theft is not the only concern with physical security. If all the servers for a company are located in one building, without backup power supplies or network connections, they could be put out of service by cutting their power, cutting the phone lines, turning on the sprinkler system or disabling the AC to the computer room. These are just examples, but if a device exists in the physical world, it is vulnerable to physical threats.
Much of the physical security concerns at A-OK are outsourced to their collocation provider, Level (3) Communications, Inc. Each collocation site at Level (3) includes: (from www.level3.com)
·
Closely coupled to the core of
Level 3's advanced Global network
·
Climate-controlled space
(state-of-the-art air flow technology)
·
Closed-circuit video surveillance
·
Access cards and palm scan
identification
·
Unescorted access for authorized
users 24 x 7
·
Uninterrupted power source
·
24 x 7 network monitoring
·
Customer work areas and equipment
staging areas for easy installation and maintenance
·
Equipment receiving and storage
controls for tracking and securing customer equipment
·
Direct access to Level 3 network
services
·
Open facility — many other
carriers are able to deliver service to customers directly within the Level 3
facility, enabling diverse routing and easy communications supplier choice
·
AC and/or DC power
·
Grounding to main buss bar
·
Overhead cable ladder
·
Shared UPS for power failure
Level (3) specializes in physical security, and they appear to have a secure physical setup. Though Level (3) can provide many options of physical security, customers need to take advantage of them, like having multiple redundant network connections and power supplies for their servers.
Physical security also includes checking on a company. Level (3) is responsible for checking their employees for a history of criminal activity, and are liable for any damage done by employees to customer equipment. A-OK is still small enough, at only 15 employees, to rely on personal relations.
In the case of A-OK,
their data is stored on an HP XP256, a large disk storage array capable of
storing 9Tb of data. A pair of redundant processors
perform cache-control, backup, maintenance and volume management. Redundant
power supplies, fans and disk controllers ensure there is no one single point of
failure. All equipment, including storage drives, network cards and processors
are hot swappable. Each disk array can support multiple fiber connections to the
Level (3) network.
Another
consideration of physical security is where the backup data is stored. A-OK
contracts with Level (3) to backup data once a week from their servers, which is
stored at an off site location. On the recommendation of Deloitte & Touche,
they also may store a copy of all sentry activity on a WORM drive in the cage.
Encryption
Though security administrators can try their hardest to make a network impenetrable, they sometimes don’t catch every weakness. Those are usually the vulnerabilities that intruders break in through, and may attempt to steal or change sensitive data. The purpose behind encryption is to render any data intercepted useless, and any data modification frivolous, by making the data unreadable. Encryption acts as one more safeguard in a multiple layered security structure.
Encryption in the A-OK network takes place at several locations. First, all data stored on the servers are password protected and encrypted inside an Oracle database. Oracle offers the Advanced Security option on their database which A-OK uses. Users can choose RSA’s RC4 or DES as their encryption algorithm, and they have the ability to specify bit length. In addition, any user modifications to the database must have a Kerberos key. There is less of a likelihood that a cracker could compromise a database properly using Oracle’s encryption routines. Unfortunately, encryption doesn’t protect against deletion. If an intruder were to delete the database, A-OK would have to rely on their backup policy to restore their records.
The second use of encryption is the transfer of customer data, and the authentication of the Psygnature Passphrase. The Passphrase uses a 128-bit encryption algorithm, and the data transferred also uses a 128-bit SSL encryption schema. The high bit length makes it difficult to decrypt the key to plaintext, but also puts a higher load on the SSL server. As a means to compensate for the higher load, all Passphrases are stored in a hardened storage device from Compaq, named Atalla.
Atalla
Internet Security Processors perform all cryptographic processing within a
physically secure shell. Any tampering automatically triggers measures that
"zeroize" data such as passwords, keys, and algorithms. Keys and other
sensitive data never appear in cleartext form, and thus remain safe from
attacks.
-Compaq.com
The use of a hardware solution to perform cryptography,
versus a software based solution, frees up server cycles for other processes.
The Atalla ISP is a PCI card that fits into an existing server, so it makes
upgrade and implementation very easy. However, as the Passphrase is stored
inside the Atalla, that also means that it is very difficult to extract a
user’s Passphrase if they forget. This will be discussed further in the policy
section of this paper.
Operating
System
Who has control over what data inside the system is a primary concern in integrity and privacy issues. Access control lists are one of the most common ways to grant file access to only the authorized parties.
The A-OK network uses HP’s XP256, which runs HP-UX, the HP version of Unix. HP-UX uses an ACL schema called JFS ACL. The differences between JFS ACLs and standard Unix ACLs is minimal, and not covered in the scope of this paper. Therefore, ACL will refer to both generic ACLs and JFS ACLs.
The XP256 does not perform any web serving or passphrase authentication, as that will be taken care of by an HP UX server of which type is still undetermined. The XP256 has an onboard processor to handle load balancing, efficiency processing, and error checking. It also has a terminal, called a service processor, for maintenance by an HP technician. None of the data stored on the local hard drives are accessible from the local processors. However, if one is close enough to the disk array to access the local terminal, there are other ways they could get the data they want.
The rest of the internal A-OK network uses Windows NT machines with standard username and password login. Their internal network is safeguarded behind a firewall, but using NT may leave them open to standard network attacks. As the focus of this paper is on the A-OK transaction network, their internal network will not be evaluated.
Password
Security
Password security is one of the most misunderstood security aspects among average users. Uneducated users will choose a password that is easy to guess, familiar to them, or can be looked up in a dictionary attack. Much to the annoyance of network administrators and security professionals, the average user is slow to understand the principles behind choosing a “good” password. Often, good passwords are too difficult or too long for average users to remember.
A-OK has come up with a solution to this problem, by redefining how a user remembers and enters their password. Their solution, called a Psygnature Passphrase, combines visual cues, personal memories, and a standard password into a very long password, that is difficult to guess. They get around the previous limitation of password length by use of a memory mnemonic. (See appendix A)
When a user logs on to A-OK, they are prompted by a series of different authentication routines. By using the memory mnemonic, the user is able to remember more bits of information in each memory cue. Though the password is no more difficult to remember than a standard password, it can be many times longer. The longer a password, the more difficult it is to crack by brute force.
Another advantage to the Psygnature Passphrase method of authentication is it’s not a standard password routine, so some forms of password grabbing won’t work. For example, a dictionary password will unlikely be successful. Also, because the authentication is over a 128bit SSL connection, packet sniffing is unlikely to yield the password. Finally, though the sentry prompts the user with personal cues to help them remember the password, it is unlikely that an intruder would be able to reconstruct the correct Passphrase from the visual cues.
One concern with the Passphrase is the complexity, and the difficulty that some people may have remembering, regardless of the visual cues. This will be discussed more thoroughly in the security policy section.
Application
Security
The subject of application security deals with most software applications that run on top of an operating system. In this case, the A-OK sessioner, sentry, Oracle database and IDS fall under the realm of application security.
Applications can only come from two places, built in-house or from an outside vendor. In house applications tend to be more expensive, more customized, and more buggy. Therefore, it’s important to have controls on the development process to ensure that proper software engineering procedures are followed. For the purposes of security, that includes testing and removal of all trap doors and secret entrances to the software.
This is particularly relevant to A-OK, because their sentry and sessioner software is built in-house. Peer reviews of software is usually a good way to check code for bugs and security holes. A-OK is small enough that all the programmers know each other, and can perform reviews of each other’s work. For example, A-OK has made certain that there is no skeleton key password to open up any of their Passphrase accounts. Any such device would be a serious security lapse.
Applications built by an outside vendor, such as Oracle or HP, require a certain amount of trust instilled in the vendor. Because the customer is usually not involved in the creation of the software, they can not ensure any back doors written into the software by the vendor’s employees have been removed. Vendor certification is a means to reassure a client company they are purchasing software from a reliable vendor. One way is to go with a large and well-known company, like HP or Oracle. Another way is to research and review the software independently, and allow the client to make their own decision about the reliability of the software.
Another concern to A-OK’s application security is that of infectious software. Viruses and Trojan Horses that make their way onto the A-OK network could have devastating results, ranging from deleting client records to installing a Trojan Horse to perform a salami attack on client accounts. The best way to prevent from these such attacks are to have good control on what software is installed on the internal network, periodic reviews of network drives for any suspicious activity, and strong network security to guard against the outside world. As the A-OK network is built around privacy, their chances of an infection in their internal network are minimal so long as they maintain good policy. Their chances of infection on the A-OK back office is even less, since all external communication is done over leased lines, through multiple firewalls, IDS, and requires user authentication for access. However, this confidence may be a threat in itself.
One unique feature of the A-OK network is an automatic update process among all their servers. A-OK stores all their data on multiple disk arrays across the country, each in a Level(3) installation. When a customer wants to access their profile, their request is sent to the nearest geographical server. Each server synchronizes data with all other servers every 5 minutes, to maintain the most up-to-date records.
If a security hole is compromised on one server, and the data is manipulated or ruined, will the new bad data sync and spread the bad data across the entire A-OK network? Possibly, but if the intruder corrupts the data file such that it is unreadable, the synchronization will not take place. i.e. Deleting one data file will not delete all data files. However, if the data is manipulated in one server, as may happen in a salami attack, it may spread the bad data across the network. In this case, A-OK relies on their other systems, like IDS, to indicate there is a problem. Then they review the log files, as all sessioner and sentry transactions are logged. There does not appear to be any internal checksum or integrity check among the A-OK sessioner, other than the MD5 update checksum in the Oracle database. Though the Oracle checksum may be sufficient, this threat should be investigated further.
Strong network security can guard against most of the common hacking toolkit attacks, like BO2K, whisker or nmap. This will be covered more thoroughly in the next section.
Network
Security
Network security is important for any company that supports, uses, or interacts with any sort of a telecommunications network. For a company like A-OK, whose primary business is eCommerce transactions over the public internet, network security is of utmost importance. A-OK has recognized this, and responded by going to outside help to build their security infrastructure.
Counterpane
Internet Security, inc.
The most prominent player in A-OK security is Counterpane Internet Security, inc. Counterpane has placed themselves as a leader in the field of managed security monitoring. A-OK has hired Counterpane as their Internet security experts, to help them harden and maintain their network infrastructure.
Counterpane acts as A-OK’s security consultants, advising them in network security implementation decisions. A-OK has contracted out many of their network security management responsibilities, so they can concentrate on software development.
Counterpane monitors A-OK’s network on a continual basis, both through log reviews and an intrusion detection system. They also build and monitor the A-OK firewall system. Though this is a more expensive option than A-OK building their own, it assures them their network is secured and maintained by a team of experts. They take responsibility for maintaining network availability under attacks, like a denial of service, black hole, or server spoofing. There are a number of attacks that could threaten A-OK’s network, but with Counterpane they can develop strategies to safeguard their networks. (See appendix B)
In the case that any suspicious activity is noticed by the Counterpane IDS, they monitor the activity and inform A-OK. In addition, every attempt to login with the sessioner is logged and reviewed with an IDS or script. Though A-OK is still in charge of their network, they operate under the advice of Counterpane.
Counterpane also reassures insurance providers, like Lloyd’s of London. Lloyd’s of London has partnered with Counterpane to offer $100million in security insurance for any of Counterpane’s customers. Without Counterpane’s service to reassure insurance providers, security insurance would be prohibitively expensive. This was the case with A-OK, and the legal and management issues involved with insurance will be discussed later.
Finally, Counterpane periodically tests the network integrity of their systems by using tiger teams, to try to break into the A-OK network. Constant review and testing of their network security keeps security professionals on their toes. A-OK has taken an interest in this method of protection, and plan to use their own tiger team testing method. They plan to offer some of their systems up to the public, to see if they can be hacked. The hope is that it may help them find vulnerabilities in their own network. The concern with this method is that A-OK will learn about a vulnerability at the same time as the hacker. To counter this, A-OK will rely on constant monitoring of their open systems, and possibly only opening up part of their system at a time, without exposing the full product.
Level(3)
Communications, inc.
The other key company in A-OK’s network safety structure is Level(3) Communications, inc. Level(3) is responsible for their hardware upkeep, availability and backup. We covered their physical security earlier, but now will address the services they offer and threats they protect against from a network perspective.
Starting from the outside world working in, Level(3) offers an external firewall option to all their customers. A-OK has opted for this service, which puts one more barrier between them and an intruder in the layered security model.
Each of A-OK’s servers are connected by a leased line to the outside world. A leased line provides additional protection because the data is not transferred on the public network, but over a private line. Though leased lines are much more expensive, A-OK decided that it would be worth the cost to ensure privacy. Most financial institutions use leased lines to carry their financial data, and would expect any transaction enabler like A-OK to be capable of providing the same level of security.
Leased lines connect each XP256 server between the Level(3) installations to the financial settlement network and Verisign, their certificate authority. Leased lines make eavesdropping more difficult, but a determined intruder might still be able to tap into the telecommunications network and retrieve packets due to Van Eck radiation. Fiber solves this problem.
Security
Policy
The conclusion of this course, and of this paper, can be summed up in this section on security decisions made from a management perspective. At this time, none of the hardware has been bought for the A-OK network. The software is still in development, and many of the security decisions discussed in this paper have been tried on paper but not implemented. Most of their time has been spent designing their network and software development. This section will include four parts to cover the policies in A-OK as they relate to security.
1. Management decisions
2. Legal considerations
3. Privacy issues
4. External certification
Management
Several months ago, A-OK made a dramatic management decision that changed the direction of their company. They decided to no longer store customer credit card data, and stop acting as a gateway to the financial network. Instead, they decided to let the merchant and financial network operate the same way they always have, but use A-OK to verify customers and pass that verification off the financial networks. Their action reduced the liability risk carried by A-OK, and made it easier for the financial networks to accept A-OK services. They chose to work with the gateway providers, instead of against them.
A-OK’s decision represents an important concept in information security management, that of risk management. By reducing the value of the information stored, they reduced their risk if they were compromised. By doing so they are able to spend less on network security, and focus more of their resources on software development. This is an important tradeoff that every security firm must manage, that of value of the data vs. level of security.
At this time, there is no formal plan outlining the procedures to keep A-OK aware of new patches, updates, software, vulnerabilities, or advisories. A-OK will monitor their vendors for suggestions on upgrades and patches, but the primary responsibility has been delegated to Counterpane. As discussed above, this was a risk/cost tradeoff to trust that duty to Counterpane. If the cost of internally monitoring and maintaining the corporate network is more than the cost of hiring an outside firm, that decision is sometimes outsourced.
Legal
As A-OK’s primary business is financial transactions, there are multiple legal considerations. As has already been discussed, insurance for a company like A-OK is of primary concern. Their decision to use Counterpane brings them more than just security experts, but also insurance coverage from Lloyd’s of London. Insurance coverage makes A-OK a more appealing client for merchants and financial networks. However, Counterpane is not the only factor that affects their insurance coverage.
The A-OK system offers non-repudiation, which means that a client can be proven legally bound to repay debts when called, such as credit card accounts. Non-repudiation is important for clients that agree to use the A-OK network, so they can settle debts. The way A-OK can prove non-repudiation is through their security policies and implementation, to demonstrate their network is secure. In addition to the sessioner writing to the XP256, each transaction will be copied onto a separate Write Once Read Many(WORM) drive, and onto an offsite storage facility like Iron Mountain. If implemented, this system will create a secure means of guaranteeing solid proof for non-refutation to stand up in court.
Finally, in the case that a credit card may be reported as lost or stolen, A-OK follows the standard PKI revocation procedure as defined by their certificate authority, Verisign. This is an acceptable method used by current online merchants and the financial network. When a credit card is reported as lost, and the message is issued from the financial network, it gets passed to the certificate authority. When the CA revokes a customer’s certificate, which happens instantly, A-OK can no longer pass their key to the financial network. If the financial network does not receive a verifiable key from the customer during a transaction, the transaction will not complete.
Privacy
Perhaps one of the most popularized issues on the Internet is the issue of privacy. A-OK takes a hard stance on privacy, by making it impossible for A-OK to view any records of their customers. All customer records can only be accessed with the customer’s private key, which is stored in the Atalla box by Compaq. Because the box will zero itself whenever it detects an intrusion, it’s nearly impossible to retrieve the customer’s key, their Passphrase.
If a client loses their Passphrase, they may have to be issued a new one. An alternative is that Compaq may have some method of extracting data, after receiving a notarized letter from the customer. However, this means data retrieval is possible, which is a security risk.
Both methods provide a large amount of privacy, but as we have seen before, with more security comes more cost. In this case, the cost is in time, customer service and convenience. This is and example of when management must make a decision about the necessary level of security, and its results.
Any method of key retrieval may fall pray to the social engineering skills of a creative hacker. That concern can be prevented by constructing policies whereby data retrieval requires multiple proofs of identity. Instead, A-OK looked at internal key escrow, but decided it was too complex to manager. However, key escrow between the customer and/or a third party may be a feasible alternative.
Certification
To ensure the proper security policies are in use at A-OK, external certification often provides a good means of verification. In addition to the certification already discussed from Counterpane, A-OK also uses the Internet security group at Deloitte & Touche.
D&T has acted as a sounding block for the development of A-OK’s private key management infrastructure. They helped A-OK by generating a report that spotted all the security concerns they saw with A-OK’s network. One suggestion was the previously mentioned triple-storage solution, where the sessioner writes to the XP256, a WORM drive, and an offsite facility for each transaction. D&T will also perform an audit every quarter, plus whenever there is a dispute, to verify A-OK’s level of security maintenance.
Appendix A
The A-OK Psygnature creation process
Appendix B
The services offered by Counterpane.
Sources
A-OK Strategic Business Profile, April 2000
Robert “Bud” James, CTO, A-OK Inc.
David Benson, CIO, A-OK Inc.