2013-02-12

Information security challenges of network centric enterprise



Information Security Challenges
In The Network Centric Enterprise

Juha Mattila

A lecture given at the IPICS Winter School 2004, Oulu University
Abstract

This paper introduces a common approach to evaluating the information security of Network Centric Warfare and Real Time Enterprise operations. The theory that networked entities gain effectiveness in proportion to the square of the number of entities has a negative side as well: as the gain in effectiveness increases exponentially, so does the vulnerability of the information bases of the networked society. The evaluation of security risks should cover both the risks of the network and those of the environment. An example is introduced that covers both challenges in one logical method for evaluating the risks to information assurance in networked operations.

Keywords
Network Centric Warfare, Real Time Enterprise, Information Security, Information Assurance, Risk Management

1. Introduction


Data, information and knowledge have become the force multiplier in both military and business society. Both are gaining in the cost-efficiency of resources, production capability and survivability, on the battlefield as in the commercial environment.

The military community calls this phenomenon Network Centric Warfare (NCW), whereas the business community calls it the Real Time Enterprise (RTE).

The Real Time Enterprise (RTE) [1] is defined by Gartner Group as: “The RTE is an enterprise that competes by using up-to-date information to progressively remove delays to the management and execution of its critical business processes.” The RTE sets strategic business targets for reducing end-to-end cycle times in the process areas that are most critical to its particular business strategy. This might be in operational, day-to-day areas, such as the order-to-cash cycle. It may also be in high-impact, strategic areas, such as mergers and acquisitions, or new product development. There are a number of these different target areas. We refer to them as the “cyclones” of RTE. By focusing on time reduction in these areas, waste and inefficiency can be sucked out of the organization.

Network Centric Warfare (NCW) [2] is an approach to the conduct of warfare that derives its power from the effective linking or networking of the warfighting enterprise. It is characterized by the ability of geographically dispersed forces (consisting of entities) to create a high level of shared operationspace awareness that can be exploited via self-synchronization and other network-centric operations to achieve the commander's intent.

Linking operationspace entities together will greatly increase productivity by allowing us to get more use out of our operationspace entities. The commercial experience has shown how information can substitute for material and how to move information instead of moving people. These substitutions generate considerable savings in time and resources and result in increased value in the form of combat power for a given level of investment.

As the value of information rises, its vulnerability increases as well. A networked enterprise (business or military) has a larger vulnerable surface than a conventional organization. At the same time the threats have become more severe, and those who launch malevolent operations are more numerous and more spirited than before.

2. HOW NETWORKING AND REAL-TIME OPERATIONS ARE BENEFICIAL


The theory that linking entities with each other gains productivity is provided by Metcalfe's Law [3]. Metcalfe's Law describes the potential value of a network, explained graphically in figure 1. It states that as the number of nodes in a network increases linearly, the potential "value" or "effectiveness" of the network increases exponentially, as the square of the number of nodes in the network.
Figure 1: Metcalfe's law. Each node in a network of N nodes is capable of initiating N-1 interactions, so the total number of potential interactions between nodes in the network is N×(N-1), or N²-N; a network with N=3 has 3×2=6 potential information interactions.

The source of potential value is a function of the interactions between the nodes. For each of the N nodes in a network, there are N-1 potential interactions with the other nodes, as demonstrated in figure 2. Therefore, the total number of value-creating interactions is N×(N-1), or N²-N. For large N, the potential value scales with N², or "N squared."


Figure 2: Fully meshed interconnections in a 3 node network.


The existence of the network enables the interactions between nodes to be information intensive. We can observe that information has the dimensions of relevance, accuracy, and timeliness. Therefore, an upper limit in the information domain is reached as information relevance, accuracy, and timeliness approach 100 percent. Of course, organizations may not be able to achieve these 100-percent conditions. Consequently, the objective in the commercial sector is to approach these upper bounds faster than a competitor.

The extent to which a network's productivity exceeds the sum of the productivity of its parts (i.e. Metcalfe's law) depends upon two things:

  1. The first is the gain that can be achieved by simply sharing resources (information) among the nodes. To illustrate this point, consider an example (over-simplified to make the point) in which organizations or individuals are distributed globally, each having a relatively small probability of possessing a given piece of information that is needed to make a plan successful. Let us say that this probability is 5 percent. If the planner only has access to organic information, he would only have a 5 percent chance of generating a successful plan. If the planner has access to the information that is available to a second organization, the chance that he would get the information he needed to make the plan successful would be about 10 percent. In general, for n sources the answer is 1 - 0.95^n. For n=5, the probability of having the information necessary to develop a successful plan is 0.226; for n=10 it is 0.401; and for n=25 the odds start to look much better at 0.723. Obviously, not all organizations have an equal probability of having the needed information. This actually works in our favor, provided we use our knowledge about which organizations and individuals are most likely to have the information needed. Given the development of reach-back capabilities, anchor desks, and smart information collection plans (or agents), we can, using the power of a network, turn a very low probability of having the information we need into a relatively high-probability event.
  2. But there is also a hypothesis that unlocking the full power of the network also involves our ability to affect the nature of the decisions that are inherently made by the network, or made collectively, rather than by an individual entity. This may not be immediately clear, since these collective decisions are often implicit and therefore not very visible. The behaviour of networked entities differs from the behaviour of individual entities.
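The information-sharing gain in point 1 above, worked through as an added example (not part of the original lecture): it reproduces the 1 - 0.95^n figures and then generalises to sources with unequal probabilities, consulted best-first as the text's "smart collection plans" suggest. The probabilities and the 25-organisation inventory are constructed for illustration.

```python
"""Probability that a networked planner obtains the information a plan needs.

Added example, not from the lecture. Sources are assumed to be independent.
"""
from typing import Sequence


def p_success_equal(p: float, n: int) -> float:
    """Chance that at least one of n sources holds the needed item.

    Each source holds it with probability p; the paper's 1 - 0.95**n for p=0.05.
    """
    return 1.0 - (1.0 - p) ** n


def p_success_unequal(probs: Sequence[float]) -> float:
    """Same idea when the sources' probabilities differ: 1 - prod(1 - p_i)."""
    miss = 1.0
    for p in probs:
        miss *= 1.0 - p
    return 1.0 - miss


def sources_needed(probs: Sequence[float], target: float) -> int:
    """Fewest sources, consulted most-likely-first, to reach `target`.

    Models the text's point that knowing which organisations are most likely
    to hold the information reaches a high probability with far fewer
    reach-back queries. Returns len(probs) + 1 if the target is unreachable.
    """
    miss = 1.0
    for i, p in enumerate(sorted(probs, reverse=True), start=1):
        miss *= 1.0 - p
        if 1.0 - miss >= target:
            return i
    return len(probs) + 1


if __name__ == "__main__":
    for n in (1, 2, 5, 10, 25):
        print(f"n={n:2d}: P(success) = {p_success_equal(0.05, n):.3f}")
    # Constructed inventory: 25 organisations, three of them much better informed.
    orgs = [0.4, 0.3, 0.2] + [0.05] * 22
    print(f"all 25 unequal sources: {p_success_unequal(orgs):.3f}")
    print(f"sources needed for P>=0.7, best first: {sources_needed(orgs, 0.7)}")
    print(f"sources needed for P>=0.7, all at 0.05: {sources_needed([0.05] * 25, 0.7)}")
```

With the three well-informed organisations queried first, six reach-back queries reach the 0.7 level that would take 24 queries among equally uninformed sources.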




3. RISKS IN NETWORKING AND REAL-TIME OPERATIONS


For all their productivity and efficiency, networking and information sharing have counterproductive sides as well. Networked operation is vulnerable to compromise: the more data you share, the greater the chance of compromise. To be a full part of the network means revealing your location in some way; it may be wise not to do everything in the 'open'. There may be some virtue in keeping some elements off the net and retaining tight hierarchical control of certain critical need-to-know elements. The efficiency of Metcalfe's Law has a counterpart. Beach's Law of Vulnerability [4] (demonstrated in figure 3) states that the number (N) of devices an organization has connected via networks results in N squared the risk of having information corrupted.


Figure 3: Beach's law.

Inherent in network-centric warfare is the need to accept the electronic representation of the operationspace given by the communication grid as reliable. Thomas Barnett [5] makes a telling point when he remarks that:
I am concerned that [network centric warfare] will drive all participants to an over reliance on the common operating picture as a shared reality that is neither shared nor real. That gets me to the question of the common operating picture's 'realness', for it suggests that the picture will be less a raw representation of operational reality than a command-manipulated virtual reality.
One of the trends [6] in the information threat environment today is the increasing power and subtlety of the attacks being launched. The sophistication of attacks has increased over the last decade and, as a corollary, so has the risk to the enterprise associated with each new escalation in the hacker wars. On the other hand, the skills required to generate self-propagating malevolent software, such as the worms MyDoom and Blaster, are becoming simpler. Very little, if any, technical or security knowledge is required to generate these programs. Development technology and “black hat” toolkits have evolved to the point where it is possible to generate a custom Trojan in a matter of minutes, with ease-of-use features like point-and-click selections to define whether or not to delete the files on the user’s hard drive.

Many security systems and technologies have been deployed to prevent intruders from accessing high-value systems. First came firewalls, and then the mail worms, the web buffer overflows and the RPC exploits marched right through the open ports to wreak havoc on their targets on the inside. IDS arrived, but didn’t actually stop anything; then came IPS, and the race continues!

No matter what technology is deployed, it will have a flaw, a way to be defeated, or will be so untrusted as to be functionally useless. There’s always a workaround. There’s always a signature that the protection system doesn’t know about. There’s always a new user the anomaly detector hasn’t been baselined for yet. A mission-site-based threat assessment is demonstrated in figure 4.

Figure 4: the operations space of a traditional information operation.

You cannot patch every system perfectly, at least not in a timely, cost-effective manner. You cannot patch against social engineering (i.e. persuading an insider to do something for an opponent that an outsider can’t). You cannot patch against a careless or corrupted employee placing a wireless access point inside your network, completely bypassing your perimeter defenses. You cannot patch a system against weak physical security. You cannot patch against someone emailing your customer list to a competitor. You cannot patch systems you are unaware of, such as embedded databases or web servers. If your engineering group uses a product like Ghost to re-image test machines, any patches you apply could be here today, gone tomorrow. So one of the biggest mental hurdles to overcome when thinking about risk mitigation and prevention planning is accepting the fact that it is impossible to remove 100% of your vulnerabilities using a patching approach.

In the near future, few weapons systems, mills, production plants, enterprise resource management systems and associated mission areas or markets will be entirely stand-alone. They will have some electronic connectivity with other supporting or supported systems and networks. Some of these connections may be authorized, but their specifics are unknown to system administrators or other key personnel on the network. For example, mil-network connectivity permits any "mil.domain" addressee to have access. These complex interconnections create situations of shared risks and vulnerabilities [7]. One example of these interconnections and of the change in the information security threat environment is presented in figure 5.


Figure 5: the networked operations space of an information operation.

This new dimension of information vulnerability has required additional measures to ensure the integrity of military and real time enterprise information systems since the value of information cannot be measured solely within the context of a stated level of classification. These defensive Information Operations (IO) measures collectively are termed Information Assurance (IA).

As new systems are developed or purchased directly off the shelf (COTS), the role of testing, particularly the role of Operational Testing (OT), in assessing information vulnerabilities must be examined for adequacy. Not only must the new system's vulnerabilities be evaluated in the context of stated requirements, but the addition of any new system to the overall information assurance posture and architecture must also be evaluated.

The objective is to provide a standard policy for designing and conducting operational evaluations that encompass the entire defensive IO process. As a minimum, this includes analysis of system capabilities in the areas of Protection, Detection, Reaction, Neutralization, Recovery, and Reconstitution. Figure 6 depicts these basic layered defensive IA processes as compared to attack processes.


Figure 6: an Information Assurance analysis concept.

There are two main categories of IA vulnerability testing: vulnerability assessments and penetration testing.
Vulnerability assessments are broad system-wide analyses to identify all potential Information Warfare (IW) points of access into the system. This assessment is primarily a paper study but includes examinations of hardware, software, interconnectivity, and Tactics, Techniques, and Procedures (TTPs) associated with the system.

Penetration testing typically will use information from the vulnerability assessment to identify selected points of access in the victim system to exploit. The exploitation will potentially have an impact on overall mission accomplishment. "Red Teams" are typically formed and organized to exercise penetration testing.

Operational testers use Measures of Effectiveness (MOE) as the yardstick to assess the demonstrated ability of a system to meet stated requirements. The MOEs are typically derived from needed system characteristics. These MOEs would be the traditional information security quality points:
  1. Availability of information to the intended users.
  2. Integrity of the information.
  3. Confidentiality of the information.
These three MOEs can be evaluated against the characteristics of information functionality and criticality.

For example, the functionality categories may be messages, databases, and command and control. The categories of information criticality can be derived from the Command, Control, Communications and Information (C3I) policy for IA: Mission Essential, Mission Support, and Administrative.


Figure 7: an example of an information assurance evaluation.

The operational testing and analyzing (OTA) could combine the data gathered in assessing the performance of the system against these MOEs in the functional and criticality categories and levels defined above to provide an assessment of how effectively the system can perform its mission in a hostile IW environment. This assessment is depicted in figure 7.

The OTA evaluation should be able to quantify the ability of the system to protect against, detect and recover from IW attacks. The OTA should compare these results to the analysis done from the aggressor's point of view. The aggressor would analyse the situation from a cost-effectiveness approach: with what effort can I gain the profit? This equation has the following variables:
  • Motivation or need of the aggressor (Motivation, M)
  • How many resources and which means of execution the aggressor might possess (Executionability, E)
  • How the aggressor may penetrate, gain access or deliver his means of malevolence (Accessibility, A)
  • How vulnerable one's system is to the aggressor's means of malevolence (Vulnerability, V)

An aggressor's profit (P) may therefore be represented symbolically by the equation depicted in figure 8.

P = M x E x A x V



Figure 8: the aggressor's logic for an information attack.

An exploit with a high degree of danger, such as a rapidly spreading worm or a high-risk buffer overflow, will have a high value for the threat T = E x A. A lower-risk attack, such as a port scan, will have a lower threat value. So part of judging risk is to understand the likelihood of any one particular threat or class of threat being used against that particular target.

The enterprise’s baseline risk exposure can be simply calculated as the sum of all the individual risk values for all the hosts. This approach automatically indicates where the highest risk factors are in your IT infrastructure, and can be used to target your patch management processes to those areas of your infrastructure.
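The aggressor's equation P = M x E x A x V, the threat value T = E x A and the host-by-host baseline exposure described above, carried through on a small constructed inventory as an added example (not the lecture's own material). The 0..1 scales, the three hosts and the assumption that the aggressor's motivation M scales with the target's C3I criticality category are choices made for this illustration.

```python
"""Risk exposure from the aggressor's equation P = M x E x A x V.

Added example, not from the lecture. T = E x A and the enterprise baseline
(sum of per-host risk) follow the text; the inventory, the 0..1 scales and the
criticality-to-motivation mapping are constructed assumptions.
"""
from dataclasses import dataclass

# Assumed mapping of the C3I criticality category to aggressor motivation M.
MOTIVATION = {"Mission Essential": 1.0, "Mission Support": 0.6, "Administrative": 0.3}


@dataclass(frozen=True)
class Threat:
    name: str
    executionability: float  # E: means and resources available to the aggressor, 0..1
    accessibility: float     # A: how easily those means reach the target, 0..1

    def threat_value(self) -> float:
        """T = E x A, as in the text: a worm scores high, a port scan low."""
        return self.executionability * self.accessibility


@dataclass
class Host:
    name: str
    criticality: str
    vulnerability: dict  # threat name -> V for this host, 0 (immune) .. 1 (exposed)


def host_risk(host, threats):
    """Sum over threats of P = M x E x A x V for one host."""
    m = MOTIVATION[host.criticality]
    return sum(m * t.threat_value() * host.vulnerability.get(t.name, 0.0) for t in threats)


def baseline_exposure(hosts, threats):
    """Enterprise baseline risk: the sum of the individual host risk values."""
    return sum(host_risk(h, threats) for h in hosts)


def patch_priority(hosts, threats):
    """Hosts ordered by risk, highest first, to steer patch management effort."""
    return sorted(((host_risk(h, threats), h.name) for h in hosts), reverse=True)


# Constructed inventory and threats (illustrative numbers only).
THREATS = [Threat("worm", 0.9, 0.8), Threat("port scan", 0.9, 0.2)]
HOSTS = [
    Host("c2-server", "Mission Essential", {"worm": 0.5, "port scan": 0.3}),
    Host("mail-relay", "Mission Support", {"worm": 0.9, "port scan": 0.5}),
    Host("intranet-wiki", "Administrative", {"worm": 1.0, "port scan": 0.8}),
]

if __name__ == "__main__":
    for risk, name in patch_priority(HOSTS, THREATS):
        print(f"{name:14s} risk={risk:.3f}")
    print(f"baseline exposure = {baseline_exposure(HOSTS, THREATS):.3f}")
```

On these numbers the poorly patched support host outranks the mission-essential one, which is the kind of non-obvious priority the summed-risk view is meant to surface.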

Finally, the OTA should provide an assessment of the impact of the IA vulnerabilities on the overall mission accomplishment.


4. CONCLUSION


Both the Network Centric Warfare and Real Time Enterprise concepts are changing military and business operations. Information has become a more valuable asset in production, and several threats have emerged because of the added value and importance of information and its processing. Business and military operations face the threat of logical information offensive operations. Risk management methods have mainly been limited to platform- or site-based functions and structures. Networked communities present a need for a new method of information assurance evaluation. By combining traditional methods and evaluating the entire operations space as analytically as possible, one can form a reasonable picture of the threats and risks involved in networking one's assets with partners and other entities.


REFERENCES

[1] Mark Raskino: Start Planning Now for the Real-Time Enterprise. Gartner Research, 3 October 2002.
[2] VAdm Arthur K. Cebrowski, USN, and John J. Garstka: "Network Centric Warfare: Its Origin and Future," Proceedings of the Naval Institute 124:1 (January 1998), 28-35.
[3] George Gilder: Telecosm: Metcalfe's Law and Legacy, Forbes ASAP 152: Supplement (September 1993), 158-166. Metcalfe's Law is named after Robert Metcalfe, who invented the staple networking topology, Ethernet. Metcalfe's Law of the telecoms states that the potential value of a network is "n" squared, with "n" being the number of nodes on the network.
[4] Gary Beach: Publisher's Note, CIO Magazine, 1 April 1998, http://www.cio.com/archive/040198_publisher.html
[5] Thomas P.M. Barnett: The Seven Deadly Sins of Network-Centric Warfare, p. 39.
[6] OpenService, Inc.: White Paper: Real-Time Enterprise Risk and Vulnerability Management.
[7] Robert Burrows, Colonel Terry L. Mitchell, USA, Jeffrey R. Ball, Anil Joglekar and Edward A. Schneider, Jr.: Issues in Operational Test and Evaluation (OT&E) of Information Assurance Vulnerabilities; Institute for Defense Analyses, 1801 N. Beauregard Street, Alexandria, Virginia 22311.
