Computers & Security, 11 (1992) 699-702

Update on Open Systems Security George Black 11 Tidenham Gardens, Croydon CR0 SLn; UK.

New software products coming on to the market promise a substantial improvement in the security of open systems. But it is doubtful whether they will achieve their purpose unless there is a change in attitudes to computer security, par- ticularly among top managers. Commercial computer users have long felt that a secure open system was a contradiction in terms and for that reason, among others, have been reluctant to go the whole way towards endorsing an open systems strategy.

Most large organizations still only trust non-critical functions to open systems, but they are becoming keener to commit themselves to open systems because of the huge savings that may be achieved.

This year few people working in IT can have failed to notice the strong ‘downsizing’ movement, away from mainframes towards minicomputers and networks of smaller machines, many of which are running Unix, the engine of open systems.

This shift in itself may suggest a growing security problem. A UK report this year by management consultancy KPMG showed that while only 18% of mainframes were inadequately protected, for minicomputers the proportion was 34%. Password control was much slacker on minicomputer sites. However, another study by the UK’s National Computing Centre found that users viewed Unix sys- tems as less vulnerable than minicomputers generally and much less so than personal com- puters.

Which types of machine are most at risk may become irrelevant as more and more networks comprise mainframes, minis and PCs. Ac- cording to Diana Billingham, security division manager for Ho- skyns, a new range of problems is cropping up as users try to ration- alize security controls across mainframe and client/server dis- tributed environments. Most are trying to bolt on security to sys- tems after they are installed, which is bound to be difficult, she says.

Only a minority tackle security at the outset as they should.

Unix’s openness, its primary virtue in the trusting, sharing academic environment of the US in the 1960s in which it was born, un- doubtedly made it a potential hazard in the commercial world. It gained a bad reputation for security because its user community of C programmers contained so many enthusiastic hackers and the size of the network gave them such scope. It is arguable that no proprietary operating system would have with- stood such a heavy attack any better.

However, Unix did have inherent weaknesses. Originally it treated security as an add-on, unlike pro- prietary operating systems which built it in. Unix users had to estab- lish their own security when setting up the system and of course some made mistakes or did not bother.

A few years ago the Unix password structure might designate a junior member ofsystems staff as a ‘super-

0167-4048/92/$5.00 0 1992 Elsevier Science Publishers Ltd 699

George BlacklUpdate on Open Systems Security

user’ so that he or she could look into the personal files of other em- ployees or could bring the system down by running programs that filled all the available space.

That is no longer the case. A lot of money has been invested in tight- ening up the operating system, with major enhancements from Berkeley University and elsewhere. ‘Roles’ are more closely defined and levels of authorization are clearer.

But there are still other problems in establishing a safe Unix environ- ment. Many Unix sites are multi-vendor - in adopting Unix the users’ aim was to gain f?eedom of choice - and their suppliers may have implemented security features differently. For instance, whereas IBM’s AIX automatically reports on any attempt to break into the system, some other Unix implementations merely prevent repeated log-ins.

The next version of ‘standard’ Unix, Unix Systems Laboratories’ System V Release 4.2, which will reach the market late this year, should help to reduce the scope for confusion. It incorporates as stand- ard the security features of Release 4.1 Extended Security This made possible a genuinely secure open operating system for the first time and reorganized the kernel of Unix to make it easier for suppliers to get it tested and certified under the US Defence Department procedure.

From a practical point of view, the release of SVR4.2 will put in place the building blocks for a secure open system. Morris Schwartz, sales and marketing director for USL, says they issued a challenge to

hackers last year to break into 4.1ES and so far no-one has suc- ceeded. But he concedes that there is still a lot of work to be done before there can be complete con- fidence in Unix in a networked environment.

Security standards have yet to be set at several levels above the operating system, an issue being addressed by industry groups such as the IEEE’s POSIX committee, X/Open and the European Computer Manu- facturers Association.

Among the next major challenges is the delivery of safe databases. At present most of the commonly used databases are still not secure, but the suppliers are working on the problem and the first secure versions are reported to be immi- nent. The International Standards Organization is also trying to for- mulate the rules for them. This is a key topic, since it is estimated that 75% of hacking is perpetrated by those who have authorized access to the system, not by outsiders.

Keith Clements, principal consult- ant in open systems at Unisys, thinks that it is vital to improve audit trails on hacking attempts. Although such trails already exist in Unix, he believes they could be made more sophisticated by the application of artificial intelligence techniques which would interpret the audit data and make it easier to track down the culprits.

Vendors from both of the leading associations of Unix suppliers, Unix International and the Open Software Foundation, are seeking to encourage more users to mi- grate by offering tools to build

around the oprating system to make the network more secure.

The OSF vendors are now incor- porating Distributed Computing Environment (DCE) Security Ser- vices in their products. Tony Kingston, a marketing manager for Digital, which is an OSF member, thinks that DCE Security Services will become a de facto standard because so many vendors will be supporting it.

However, Nick Price, technical di- rector for Unix Internatonal in Europe, feels that the differences between UI and OSF have been sensationalized by the trade press and are not significant. “In practice users do not need to worry about which camp their supplier is in, as we are moving closer together,” he says. He regards W’s Atlas and OSFS DCE as compatible, or at least overlapping, open systems fi-ameworks.

To achieve industry standards for open systems security there has to be more effort at defining require- ments. The only user which has been specific on this subject so far is the US Defence Department in its Trusted Computer Systems Evaluation Criteria, the so-called Orange Book.

But many in the industry believe this is an unhelpful standard for commercial users. Unix is now being certified by the US Defence Department at B2 level, on a scale of A to D, but it is argued by some experts that this level of security makes the system too hard to use in a commercial environment. Rod O’Shea, Unix marketing manager for NCR UK, says he would advise customers to think very carefully

Computers & Security, Vol. II, No. 8

before deciding to implement Unix at a B2 level.

Seeking to create an alternative to the Orange Book, the European Commission, supported by the UK Department of Trade and Industry, set up in 1990 an organization called ITSEC (Information Tech- nology Security Evaluation Criteria) to try to define levels of security against which the claims of suppliers for their products could be assessed.

ITSEC is now certifying all sorts of software products from main- frames to personal computers through appointed agents. Its scope is broader than the Orange Book and its procedure is reported to be a lot cheaper and quicker. This is important to users, since they ulti- mately have to pay for the costs of certification through higher prices for their systems.

There are some signs that ITSEC could become the world authority on systems security, so that in a few years it may be possible for users to fulfill virtually all security needs with products that have an ITSEC label. However, the European Commission has so far not pro- moted ITSEC enough to enable it to reach this position.

The UK Ministry of Defence (MOD) has taken the initiative in specifying a secure open system for its CHOTS (Corporate Head- quarters Office Technology System) project. CHOTS, based on ICL and Hewlett-Packard hardware running Unix System V, has been installed at two pilot sites for the past year and is due to go into around 40 sites by the middle of the decade.

The E250 million project was de- vised by the MOD to produce a secure system, based on Unix and Government Open Systems Inter- connection Profiles (GOSIP), of a type which did not yet exist. It is perhaps the most important test case worldwide for the concept.

CHOTS’ chief system architect Brian Moore of ICL says that al- though security policies in business differ from those in defence the tools and techniques are the same. Thus CHOTS’ secure OS1 trans- port service could also be used by a banking network. IT directors in commercial firms should be stu- dying CHOTS to learn the lessons that could apply to them. The MOD has effectively paid a large part of their R&D costs for them.

As CHOTS shows, systems ven- dors are very much customer- driven on security products. They want users to give them more guidance, because they will not put in a lot of development effort only to find that the new facilities are not wanted after all.

So far private sector users have been slow to react. Most of them have accepted the weaknesses of Unix philosophically and regarded it as their duty to be inventive in tailoring it to their own situation.

It is time for a more collective approach. Each industry sector has to formulate its common needs and present them to manufacturers and to ITSEC. Working together in this way they could create a market in open systems products, making it possible to mix and match in the way that open systems believers have long hoped, and thereby per-

haps bring the costs of systems down sharply.

There are moves in this direction. Barclays Bank is one of the leading UK financial services organizations which is committed to Unix. It has adopted Unix for its branch ser- vices systems and looks set to move its electronic mail on to an OSF Unix environment. The bank aims to set up an independent security group which will represent the views of financial sector users to the industry.

Other user groups are emerging which are seeking to pressure sup- pliers into agreeing standards for security. Some UK users have begun to channel their concerns through the UK National Com- puter Users’ Forum (NCUF).

NCUF is an umbrella organization comprising bodies as diverse as the IBM Computer Users Association, the government’s Central Com- puter and Telecommunications Agency and the Institute of Char- tered Accountants.

Its working group on security, chaired by Cliff Evans of Kodak, intends to lobby the vendors to persuade them to offer all opera- ting software, including Unix, in a form that has “all known security doors closed”. It will also ask ven- dors to provide a separate automatic procedure to guide users through security features as easily as possible.

The group is also asking for recom- mendations on Unix security &om the universities, where greatest ex- perience of the system exists, through the UK Inter University Computing Committee.

701

George BlaMJpdate on Open Systems Security

But NCUF has limited muscle. Its work is all done by unpaid vohm- teers and its only income is from the less than 30 members which pay an annual subscription ofA a year. NCUF hopes to gain inter- national support for this initiative, but so far has had little encourage- ment, says Evans.

Even when clear standards emerge, users will not benefit unless they can first put their own houses in order. It remains an unfortunate truth that most computer users, whether of proprietary or open systems, do not really value security as highly as they should because it creates too much trouble for them in the short run. The damage caused by lack of security has not yet been severe enough to con- vince most senior managers to invest in the sort of solutions pion- eered by CHOTS.

Eddie Bleasdale, a veteran com- puter designer turned industry consultant, runs the London-based Open Systems Project training operation. One of his courses, put on several times a year, concerns open systems security and features an international authority on the subject, Professor Eric Foxley of Nottingham University, author of the successful book “Unix for Super-users”.

Bleasdale regrets that there are only one third as many applicants for this course as for some others. “This shows the deplorably low

priority which the industry gives to security,” he argues.

“Security is possibly the most im- portant aspect of a distributed computing system, yet it is also the most difficult to sell to system de- signers. It is an indictment of the implementers of Unix-based sys- tems that security is not being given the importance it deserves.”

Bleasdale contends that Unix is as secure as any other operating sys- tem and that the problem lies with administrators who are not pre- pared to ensure that their systems are run properly

Ken Gorf, marketing director of Amdahl Europe, which sells 15% of its mainframes with a Unix-based UTS operating system, says that many commercial users run un- warranted risks, and mostly with physical rather than logical system security.

The prevailing corporate culture certainly makes it hard for secure open systems to be introduced and made to work. At least one UK retail company is said to have tried a Unix minicomputer system and gone back to a mainframe because of the security problems which it encountered.

The trend is against security, mainly because there are now far more computer users who grew up in the unrestricted world of PCS than those who are still accli- matized to the old regulated mainframe environment.

Chris Hook, deputy principal con- sultant in IT security at the National Computing Centre, says that senior managers cannot dele- gate the decision to enforce security to their systems managers, because they do not have the auth- ority to carry it out across the whole organization. “It is a business problem, not a computer prob- lem,” he insists.

He points to a number of ways in which managements can show that they take the security issue seri- ously, in preparation for adopting open systems. As many larger com- panies now do, they can make any form of breach of security a disci- plinary offence within the terms of employees’ contracts. They can also run an awareness campaign, such as the oil company Conoco has done in the UK. It highlighted the sub- ject in its company newsletter and made it clear that the rules applied to everyone, including the mana- ging director. This was backed up by a barrage of propaganda in various forms, using everything from posters to coffee mugs re- minding people to back up their data.

These may seem like small things, but they are likely to have at least as much impact in making an open systems security policy effective as the continuing debate about indus- try standards.

George Black is afieelance ITjournal- ist specialising in open systems.