In Defense of C2

Computer security is more important than ever. Last year, the FBI identified 23 foreign countries engaged in wagingeconomic war with the US. All 23 countries used computer espionage to gain strategic economic information from UScorporations. WarRoom Research found that the average Fortune 500 company lost more than half a million dollars fromreconstructing data and rebuilding damaged systems after computer attacks. Other studies have found that between 85percent and 95 percent of computer attacks are inside jobs, either by employees or by people who gained knowledge fromemployees. In short, US corporations are the target of the next Cold War, an economic war being quietly waged with toolsand techniques left over from downsized spy networks of the last Cold War.

Fortunately, the computer industry has an arsenal of defensive weapons. One of the best weapons is the formalcomputer security classifications, especially the National Computer Security Center's (NCSC's) Orange Book. (Thesidebar, "C2 Security: Some Background," page 156, describes the Trusted Computer System EvaluationCriteria--TCSEC--including the Rainbow Series, the Orange Book, and C2-level security.)

Although originally intended for military applications, the Rainbow Series has always been a public document. Somebusinesses and computer vendors have adopted C2--any rating below C2 has little security--as theirsecurity standard; Microsoft and Novell tout C2 as a selling point for their network operating systems. Although someindustry professionals debate the value of the Orange Book and C2 in particular, I believe C2 is a useful standard--ifyou know what you're dealing with.

You can adapt the Rainbow Series to most business systems and security models. The Rainbow Series does not definespecific parameters for system creation or security levels. The security ratings are not equivalent to ratings such asthe Department of Defense's secret and top secret. This fact means that you can use any internal systemof security ratings already in place, just as you can assign the domain names of any structure when you design anetwork.

The Rainbow Series outlines security theory and design, instead of laying out specific requirements; rather thanbecoming dated, the rating scheme improves with time as users test the ratings in real-world situations. For instance,auditing is extremely important for the higher ratings, but the standards specify only the type of action thatthe user must record in an audit--not a format for an audit log. Although critics say that this feature can leadto a lack of interoperability among systems at a given rating, I believe this flexibility in reporting formats isuseful: It doesn't restrict manufacturers from developing better auditing tools or lock systems into formats from themid-1980s.

Although C2 is the most useful security rating for many businesses, some situations require a B-level or anotherC-level rating. Companies securing critical financial data frequently use systems with B-level security. In othersituations, such as where making data available is more important than limiting access, a C2 rating is too restrictive.

Understanding the differences between C-level and B-level security is helpful. Discretionary protection inthe C level means that every object has an associated user who has discretionary control over who can access the object.Mandatory access in the B level means that all objects have an assigned security level that is mandatory foraccessing that object. In other words, if an object is rated at R&D Level 1, no one can access the object withoutthat level of access. Even the creator of that object cannot grant access to that object to anyone at a lower securityrating. Businesses determine the appropriate rating as part of a well-planned security policy.

Retrofitting security into any system, particularly a computer system, is more difficult than creating a securesystem originally. Thanks to C2, manufacturers have specific formal security standards to which they can developoff-the-shelf network operating systems.

NCSC had enough foresight to realize that although a vendor designed a product to be secure, administrators caninstall or use products in an insecure manner. Therefore, NCSC evaluates each product separately at a given level, usingthe TCSEC criteria for that product (e.g., the Lavender Book for databases, the Red Book for networks, the Blue Book forsubsystems). Manufacturers sometimes have cited evaluation by one book when in fact their system requires evaluation byseveral books.

You can test and certify at a given level only an installed system. This process is time-consuming andexpensive, but evaluation of an installed system guarantees that the system functions the way it is intended to functionin its real-world state.

C2 has the following characteristics:

Most corporations agree that these features are necessary. Where and how businesses implement these securityfeatures is part of a well-planned security policy based on real business data and accounting.

Given the new threats to corporations by economic espionage, drawing on the experience of the National SecurityAgency seems a logical approach to security. Perhaps the best legacy of the Cold War is the experience gained insecuring computer systems from the same spies who are now eyeing US corporations.