Path: utzoo!attcan!uunet!husc6!rutgers!att!ulysses!smb
From: smb@ulysses.homer.nj.att.com (Steven M. Bellovin)
Newsgroups: comp.protocols.tcp-ip
Subject: Re: Virus - did it infect "secure" machines
Message-ID: <10863@ulysses.homer.nj.att.com>
Date: 16 Nov 88 14:59:44 GMT
References: <881107224915.20c01427@Sds.Sdsc.Edu> <10846@ulysses.homer.nj.att.com> <713@tetra.NOSC.MIL>
Organization: AT&T Bell Laboratories, Murray Hill
Lines: 38

In article <713@tetra.NOSC.MIL>, budden@tetra.NOSC.MIL (Rex A. Buddenberg) writes:
.....
> Link encryption, end-to-end encryption, multi-level secure systems,
> necessary segregation and personnel management/training/leadership
> are all important parts of a classified system and none can do the
> job alone.

You raise some good points that are worth stating another way: DoD does not trust computer security that much; their policies rely on administrative measures to complement technical ones. Thus, computers containing classified material are not connected to unclassified networks. If a link must be established across such a net (such as the public phone network), link-layer encryption of the appropriate strength is used; that way, security is guaranteed by the encryption unit, a much smaller, simpler, and hence more trustworthy device than an entire computer system.

The Orange Book is well-known; there's a little-cited companion book that deserves equal attention. It could be called the Yellow Book; its title is something like ``Technical Rationale for Applying the Computer Security Criteria'', and it explains (among other things) how strong a system must be for a given mix of user classification levels and data sensitivity. I don't have the book (and hence the charts) handy, but one example is worth mentioning: for data classified as TOP SECRET -- MULTIPLE COMPARTMENTS (a compartment is something like ``atomic submarines'', ``cryptology'', etc.), even an A1 system may not have users with less than a SECRET clearance on it.

Put another way, if uncleared users have access to the system, even an A1 security rating does not permit storage of highly-classified data on that machine.

That book makes another point: the computer's security is rated higher if it was developed only by cleared personnel. There is the assumption, of course, that security clearances are in some way related to trustworthiness, but too often the question of ``who wrote the code'' is overlooked. Often, people are the weakest link in the security chain; if members of Congress can be bought (or at least rented), what do computer operators or janitors in computer rooms cost?

(Aside: as someone I know once remarked about ABSCAM, ``I always knew politicians could be bought; I didn't realize that I could afford one.'')

		--Steve Bellovin