Date: 05 Apr 1994 15:45:37 -0600 (MDT)
From: Chris McDonald
Subject: Information Systems Security Update, # 94-06
To: orvis@icdc.llnl.gov
[To]: cmcdonal@wsmr-emh34.army.mil
[Cc]: krvw@agarne.ims.disa.mil

# 94-06

1. March product test reports included: (a) PT-57, Norton Utilities for Macintosh; (b) PT-62, FlameFile (Macintosh); and (c) PT-66, Safelock (Macintosh). Further redistribution is encouraged, as are any comments and critiques.

2. NCSC has issued another guideline, "Security Testing and Test Documentation in Trusted Systems", July 1993, NCSC-TG-023, version-1. Obviously the title gives away the primary intended audience (i.e., vendors and evaluators). The publication date is misleading, since the Director of NCSC did not provide his signature until January 1994. Even if you are not part of the intended audience, the document will give you an insight into, and appreciation of, the existing evaluation process.

3. GAO has issued a strange report, "Communications Privacy: Federal Policy and Actions", GAO/OSI-94-2, November 1993. In response to a request from the Chairman, Committee on the Judiciary, House of Representatives, GAO was to have examined federal policies to determine if there is any negative effect on U.S. corporations' abilities to protect themselves against economic espionage. The "strange" aspect of the report, in my opinion, is that the answer to the central point of examination is never given. The report recounts the digital telephony proposals, the Clipper chip controversy, and the restraints on the export of encryption technology without too many value judgments. However, we learn little as to the effect of such items on economic espionage directed against U.S. corporations.

There is a statement on page 9 which perhaps explains the reason for this: "The FBI declined to provide briefings on economic espionage, digital telephony, and encryption issues for our 1992 testimony and for this report". As always, one can obtain one free copy by calling (202) 512-6000, or by faxing a request with your return address to (301) 258-4066.

4. The May edition of "MacWorld" has an article entitled "Are You Breaking the Law?". The author, James Martin, addresses a series of questions on software copyright with some interesting results.

5. In late March 1994, ASSIST sent out a notice on the availability of a Joint Security Commission (JSC) Report on security, and made it available for anonymous ftp from a registered NIC or DNS host (i.e., 137.130.234.30 in the path /pub/pubs.policy.regs/jsc_rpt.txt or jsc_rpt.zip). ASSIST noted that the report recommended it be "appointed the executive agent for computer security incident response for the DoD, Intelligence Community, and government-wide". Without commenting on this recommendation, I would like to comment on three other items in the report pertaining to information systems security. These, as always, are my own personal opinions and do not reflect those of my agency.

a. The report states that "countermeasures are frequently out of balance with the threats". While this statement is not specifically directed against any particular security discipline, the report later comments on the fact that "research in the DoD and Intelligence Communities has been focused almost exclusively on providing solutions to protection of classified assets". I made a similar observation on a forum on the NCSC host dockmaster after the passage of PL 100-235. I was promptly "flamed" by a well-known researcher from the TIS corporation--a firm which has products on the Evaluated Products List.

While I thought the individual had made an incorrect technical assessment, the attitude he displayed, minus the personal sarcasm, was fairly typical of those individuals whom I have met who are involved in trusted systems. For this reason it is curious to me that the report recommends that NSA be the "executive agent for information systems security research and development for both classified and unclassified information for the Department of Defense and the Intelligence Community". The Commission is asking a lot of people to dramatically change their attitudes and methodologies.

b. The report comments on the lack of a "central data base" containing security-related events. While there is a discussion on the pros and cons associated with the classification of such information, this important issue is never resolved. Some of you may remember that I wrote and presented a paper on this subject for an ISSA conference (i.e., "The Comedy of Secrecy"). Without resolving the matter of classification, the report recommends that the "Secretary of Defense and the Director of Central Intelligence jointly establish and maintain an information systems security threat and vulnerability data base". There is some equivocation as to who should have access to this data base outside of the Defense and Intelligence community organizations. The report is silent on the matter of sharing information with academia and with other government agencies, other than to suggest cooperation. For those of you who currently receive threat information and incident event data, you might ask yourself from which sources and at what classification level you now receive the best and most timely material.

c. The report recommends "the DoD and the Intelligence Community establish an information systems security professional development program as part of the overall development of security professionals."

There is no mention of the already established Certified Information Systems Security Professional (CISSP) initiative. As a CISSP, I have been disappointed that DoD has shown little interest in acknowledging those who do obtain certification. If you wish to acknowledge "people" as a resource, yet another attempt to create a professional development program is not very meaningful in this "person's" mind. The Stillwell Commission of the 1980s made a similar recommendation. I would encourage those with an interest to download the report. In the same vein, perhaps a re-read of the "Computers at Risk . . ." study would help to place this latest effort in perspective.