Security Considerations For Classified Systems

Whether it be a classified military system, or a corporate secret of enormous value, securing important systems has never been more difficult. Digitization has touched all facets of modern systems and applications. This has increased the attack surface considerably more as compared to the simpler times when physical security was enough to keep the secrets safe. In this article we examine what all could go wrong in protecting important systems and some other security considerations.

Formal studies for protecting classified systems have been done for a long time. Various models of security have emerged from these studies – particularly important are the Bell–LaPadula model and the Biba Integrity model. Security breaches are often caused because of undefined behavior between the transition of the system from one state to another. Formal proofs are written by modelling the working of the system and its interaction with other interfaces as a finite state machine. The Bell–LaPadula state machine model is often used in military applications. It focuses on data confidentiality and controlled access of classified information. It classifies a system and other systems at its interface as subjects and objects; and defines some rules that control the flow of information between these systems. The Biba Integrity model, on the other hand, is focused more on the integrity of the data between state transitions. The main objective of this model is to define a set of rules such that a subject cannot corrupt the data in a higher-level subject, and cannot itself be corrupted by a lower-level subject.

A big security concern is of allowing physical access to such systems. Many times the weakest link in the chain is where there is some human intervention required. People who are allowed access to a system are often required to go through an extensive background check beforehand, and are provided special training for it. It does not take away the human-error factor though. An attacker can employ various kinds of techniques to exploit this link, ranging from sophisticated social-engineering to simply dropping a flash-drive loaded with malware in a parking lot. Physical access to important systems must always be guarded behind multi-factor biometric authentication. There are plenty of options for different types of authentication mechanisms for access controllers today. It is a good idea to integrate the access logs with a real-time monitoring system as well.

The most critical systems in organizations are often kept air-gapped. This means that the system is not connected to any external system, and there is no direct data-link between the system and any other interface. Air-gapped systems are often found in critical infrastructure of banks and military, where developers are required to work on the code with the help of printed manuals (any other device not allowed in vicinity). Air-gapped systems have long been thought to be safe from the increased attack surface that comes with a network connected device. Several researches in recent years, however, have given rise to a new kind of attacks on such systems, called side-channel attacks. Even if air-gapped systems are not connected to the outside world via a network, there are other ways to extract information from the machine. Many kinds of side-channel attacks have been proposed and some of them have been realized as well. For example, all computers emit electromagnetic radiation, which can be used by sophisticated attackers to find patterns in this radiation to get critical information out of the air-gapped system. This side-channel mechanism was the basis of the infamous Airhopper attack. Other side-channel attacks include using the analysis of heat coming out of the machine, or using ultrasonic audio. Any source that can convey some information about the classified system to the outside world in any form is a source of vulnerability. This is proven by the fact that researchers have even been successful in finding data using a computer’s blinking LED, as well as the sound of the CPU’s fan.

Needless to say, no system is bulletproof. More side-channel attacks will keep getting invented in the coming years. All we can do is to keep up with the cutting edge research in infosec and modify our current toolchains and security protocols to take them into account.  It is a good idea to reduce the scope of human intervention in such critical systems as much as possible, and set up proper access controllers in place before providing access.

Leave a Reply

Your email address will not be published. Required fields are marked *