Tags: application white list, Atlas Consortium, Baseline Security, Common Criteria, Defence in Depth, DII, Internet Explorer, UK government, Zero Day Exploit
…not as I do, as Mrs V1951 the Elder (my Mum) used to say to me regularly.
I’ve discussed before how I went about organising news feeds when I started my new life as an independent consultant. One of the first blogs I subscribed to was the BBC’s dot.Life blog (now renamed “dot.Rory” to distinguish it from posts by US correspondent Maggie Shiels), written by technology correspondent Rory Cellan Jones. That in turn prompted to to join Twitter to follow Rory’s updates. His position gives him great access to what’s happening particularly amongst the vendors and his articles are thorough, well written and humerous.
However (you knew this was coming, didn’t you?) I have to take issue with a recent post on his blog. The debate over Google’s troubles in China and the vulnerability in Internet Explorer v6 rumbles on and Mr Cellan Jones decided to investigate what advice the UK government is offering to its citizens and how that advice squares with what government departments are doing with their own computer systems. So far, so good.
Both the German and French governments advised their citizens to switch to an alternative browser (Firefox, Opera or Safari for example), implying that the flaw exposed in the attack on Google is common to all versions of the Microsoft browser. However, when questioned the UK’s Cabinet Office, which takes the lead on matters related to digital technology, confirmed that it is directing people to the web site for the Get Safe Online campaign. The advice here is “All web browsers are at ongoing risk to vulnerabilities and as such Get Safe Online’s recommended advice to consumers and small business is always to use the most up-to-date version.” It also suggests that “… there is no evidence that moving from the latest fully patched versions of Internet Explorer to other browsers will make users more secure.”
By comparison, when asked by Mr Cellan Jones, the Ministry of Defence confirmed that, based on advice from the Communications Electronic Security Group, it is considered that IE6 is suitable for use in central government. Later, the Cabinet Office explained further that “A government user working on government systems will benefit from additional security systems unlikely to be available to the average home computer user. These include tools that actively monitor for any malicious attack.”
So, on the face of it, the UK Government is ignoring the advice it gives to its citizens. But is this really as unreasonable as the blog suggests? Let’s look at the issues:
- Context: The Ministry of Defence IT systems form the Defence Information Infrastructure (DII), serving 300,000 users on 150,000 end point systems, spread across more than 2,000 locations (fixed and mobile) world-wide. This massive infrastructure is managed by the Atlas Consortium, under a 10 year contract worth £4.8Bn. While the programme has been criticised for slow progress, a National Audit Office report in 2009 concluded that important benefits are being delivered and (unusual for a government IT project) costs are predicted to be within 3% of the original budget approved in 2005.
- Guidance: The Ministry of Defence and other front line government departments is guided by CESG, which is the UK’s National Technical Authority on information assurance. This same support is also available to other public bodies and private concerns which form the Critical National Infrastructure, through the Centre for the Protection of National Infrastructure (CPNI) and some is available to the general public through the CPNI web site.
- Assurance: Systems and networks designed for use in front line departments (MoD, FCO, Home Office ..) are:
- Built where possible using certified components that have been rigorously tested for correct operation of their security functions, based on the internationally accepted Common Criteria (ISO/IEC 15408);
- Subjected to accreditation, to prove that their security functions are adequate to protect the classified information they will process;
- Restricted Access: Access to these systems is strictly controlled, based on security clearance (granted based on rigorous and repeated vetting checks), “need to know” and finally subject to the formal approval of the system owner. Social engineering played a significant role in the Google attack and this is at least mitigated by these formal processes.
As well as being a front line government department, with special security requirements and the processes and procedures to enforce them, it is also a very large organisation (300,000 users) and faces the same problems as its private sector counterparts:
- Compatibility: These days, the browser is used to access a wide range of applications, many of them missions critical. As Gartner’s Neil MacDonald said in his blog, the application vendors are a big part of the problem in getting organisations to move off of Internet Explorer v6. Often the applications use proprietary mechanisms in IE6, making it difficult or impossible to upgrade to a later browser version, unless you at least upgrade the application as well.
- Inertia: Large organisations are notoriously slow to migrate to later versions. Desktop upgrade programmes are costly, time consuming and riddled with unforeseen complications. That in part is why large organisations didn’t migrate to Vista on the desktop, and why they’ll take their time before moving to Windows 7.
These considerations have to be fed into the change management process. The resulting change (assuming it gets approval) will inevitably delay the already planned packages within the DII programme and will with equal inevitability result in additional costs to the customers (that’s the taxpayer – you and me!).
So, is the Cabinet Office right to claim that the MoD is safe to carrying on using IE6? At least they’re right to draw a distinction between the level of protection achieved through “defence in depth” and what’s available to the average home user. David Lacey, in his recent book “Managing the Human Factor in Information Security”, points out that baseline security measures, a collection of standard proven security controls, is the fastest most reliable (and often cheapest) means for improving security. He compares it with the “trajectory of accident opportunity” described by James Reason in his book “Human Error”. His premise is that multiple, simultaneous failures or compromises would be needed to Allow an attack to be pressed home. Gartner’s Neil MacDonald says that there are 3 lessons to be drawn from the attack on Google:
- Run users as standard not administrator
- Get off IE6 – using Win7 migration to justify budget if necessary
- Use defence in depth at the end point.
In conclusion, for the risk of compromise to materialise, there has to be both vulnerability and the means to exploit it. In the case of the Google attack, neither of these was known until the incident happened – a zero day attack. There also has to be a threat, someone with the means, skills and motive to mount an attack. Again, in the case of Google, this appeared to be a targeted attack. But risk efficiency demands that the cost of the countermeasure be proportionate to the cost of the damage resulting from a successful exploit. For a large organisation (like MoD) replacing the browser isn’t going to pass that test. But careful design and baseline security measures will prevent the hacker from reaching the vulnerable component.
And the last word goes to Neil MacDonald of Gartner again, who points out that application white listing has to become a fundamental part of endpoint security. If a zero day attack is mounted and if the attacker succeeds in dropping malicious code onto the browser, white listing would prevent it from running.