Network Security: The Need for Enforceable Accountability Services
Articles and Tips: tip
Senior Research Engineer
Security Development Manager
01 Apr 1998
In 1997, the Black Forest Group (BFG) put together a 15-point security document that outlined what major corporations need to implement effective security solutions. This NetNote touches on point # 3 of that document--the need for accountability services.
Accountability has two aspects. On the one hand, it's essential that a workstation reflect the expressed actions of the user; and on the other hand, recorded events must correctly reflect those actions. Yet accountability is often construed to mean accounting for the user's acts for liability purposes, and not necessarily accounting for the veracity of the events recorded in the computer system.
Even with the best digital signature technology and non-repudiation (the act cannot be denied), it's still possible to have a user say, "That's not what I saw on my screen . . . ." Thus, there is a genuine need for enforceable accountability services that protect the company and the end user.
Bullet-Proofing the Audit Trails
Without enforceable accountability and strong integrity, businesses and users who perform electronic operations are at significant risk. While liability for "wrong" acts needs to be assigned to the responsible party, having those acts incorrectly "assigned" is potentially more damaging. Both end-users and their employers bear additional liability when there is any lack of integrity in the audit/identification/authentication services they use, since altered or incorrectly written audit records might erroneously reflect end-user intentions or actions.
Despite a critical need for reliable accountability services, there is a widespread lack of accountability in today's commercial computer systems. This is an issue for system administrators as well as for electronic data processing auditors, since there are presently no discernible methods to examine the end-users' software processes in relation to operating system audit services.
For the most part, neither application nor operating system software provides any outward indication that its tracking capabilities are reliable--in other words, that the audit trail conforms to the reality of events. While many companies ask, "Did the user really do that?" they often overlook the more pertinent question, "Did the system accurately monitor and correctly record the activity?" This is simply assumed to be true, and yet for most systems, there is no inherent link to verify it.
Verifiable Level of Trustable Performance
To establish software reliability, companies often test hardware and software performance in an effort to certify such products for internal use. However, few companies have the means to evaluate hardware and software systems at the level needed to assure end-users that the accountability processes have been verified. An individual typing at the keyboard is the simplest picture of a user's activity, but the unseen part of this picture is how the system tracks that user's activities. Most systems have no verifiable way to establish the link between the actions of the user and the data trails left by the user.
Novell's NetWare operating system offers customers accountability services at the server and at the client, both running under an evaluated architecture known as the Novell Global Security Architecture (NGSA). The NGSA has passed evaluation by the National Computer Security Center (NCSC) in the United States and is currently being evaluated under the Information Technology Security Evaluation Criteria (ITSEC) in the United Kingdom and Germany. The NGSA is rated at Class C2 levels of compliance (or equivalent) for the existing accountability services.
The provisions in hardware and software must also be legally sufficient, with enough accountability to stand up in a court of law. Session records must carry a degree of confidence acceptable to a court so that liability for errors or malfeasance can be assessed. The standard of proof differs, however: civil liability requires only a reasonable likelihood, whereas criminal implication requires a high degree of certainty. In either case, it is essential to maintain a minimum configuration at Class C2 level, which provides reliable authentication in which the user's identity is properly established. (For more information, see the NetNote entitled "The Trusted Workstation: Protecting the Achilles Heel of Network Security" in the March 1998 issue of AppNotes.)
For criminal implication, stronger protection such as reliably attributed transactions is needed, and that only becomes available at evaluation classes above Class C2. The TCSEC classes are cumulative: Class C2 introduces individual accountability and auditing, Class B2 tightens those requirements (adding, for instance, a trusted path between the user and the system), and Classes B3 and A1 demand progressively greater assurance that the accountability mechanisms behave as specified. At Class B3, for instance, accountability for each user transaction is available.
Audit Integrity Factors
Beyond the question of system performance, the outstanding complaint from audit staffs is that there is no guarantee of audit data integrity. Once recorded, event records should be sufficiently well protected as to prevent alteration at a later date. Since audit records provide evidence, they must be tamper-proof, or at the very least tamper-evident, so that any alteration, deletion or truncation can be detected. Actions recorded as traceable to a designated user must show that the integrity of the evidence has been preserved.
To this end, Novell has been successful in separating the network administrator function from the audit administration function, a particularly difficult problem with regard to audit data integrity. Basically, an auditor may want to hold the administrator accountable, and if the administrator can modify or delete an audit record, there is a definite conflict. Historically, this separation of duties has been problematic. Twenty-five years ago, one successful method of breaking into systems was through the audit information itself. Today, however, NetWare uses the Access Control Lists (ACLs) found in Novell Directory Services as the first line of defense, so that the rights of the auditor and of the administrator over the audit data can be kept distinct.
Beyond the separation of access to the audit data, the audit files can be encrypted to maintain their confidentiality. Note that encryption by itself does not prove integrity: an encrypted record can still be altered or removed without the change being noticed unless a separate integrity check, such as a keyed message authentication code over the records, is in place. NetWare 5 will use an underlying infrastructure called the Novell International Cryptographic Infrastructure (NICI), which provides the ability to encrypt audit files. (It is important to note that encrypting audit files in an international product is regulated by import/export regimes to some degree, and the ability to recover different types of information must exist in the product itself, so that files cannot be lost due to error or loss of an encryption key by the owner. NICI provides these abilities.)
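The three requirements above (records that cannot be altered unnoticed, an auditor who can check them without the administrator being able to re-sign them, and an integrity mechanism distinct from encryption) can be illustrated with a keyed hash chain. The following is an added example written for this NetNote; it is not Novell code and does not model the NetWare audit file format. The event records, key values and field names are constructed for illustration. Each record's tag is an HMAC, under a key held only by the auditor, over the previous record's tag and the record body, and the auditor separately keeps the final tag as a checkpoint so that silent truncation of the tail is also caught.

```python
"""Tamper-evident audit trail: HMAC-linked records under an auditor-held key.

Added illustration, not Novell's audit implementation. The event layout,
the key values and the sample events below are all constructed.
"""
import copy
import hashlib
import hmac
import json
from typing import Dict, List, Optional, Tuple

GENESIS = "0" * 64  # previous-tag value for the first record (SHA-256 hex width)

# Constructed sample events; these are not real NetWare audit records.
SAMPLE_EVENTS: List[Dict] = [
    {"seq": 1, "user": "jdoe", "action": "LOGIN", "object": "FS1"},
    {"seq": 2, "user": "jdoe", "action": "WRITE", "object": "SYS:DATA/LEDGER.DAT"},
    {"seq": 3, "user": "admin", "action": "DELETE", "object": "SYS:DATA/LEDGER.DAT"},
    {"seq": 4, "user": "jdoe", "action": "LOGOUT", "object": "FS1"},
]

AUDITOR_KEY = b"auditor-only-key-held-outside-admin-reach"  # hypothetical value
ADMIN_KEY = b"administrator-does-not-have-the-audit-key"    # hypothetical value


def canonical(event: Dict) -> bytes:
    """Deterministic encoding so the same event always produces the same tag."""
    return json.dumps(event, sort_keys=True, separators=(",", ":")).encode()


def record_tag(prev_tag: str, event: Dict, key: bytes) -> str:
    """HMAC over (previous tag || canonical event): binds each record to its predecessor."""
    return hmac.new(key, prev_tag.encode() + canonical(event), hashlib.sha256).hexdigest()


def append_record(log: List[Dict], event: Dict, key: bytes) -> Dict:
    prev_tag = log[-1]["tag"] if log else GENESIS
    rec = {"event": event, "prev": prev_tag, "tag": record_tag(prev_tag, event, key)}
    log.append(rec)
    return rec


def build_log(events: List[Dict], key: bytes) -> Tuple[List[Dict], str]:
    """Write all events; return the log and the auditor's checkpoint (the final tag)."""
    log: List[Dict] = []
    for ev in events:
        append_record(log, ev, key)
    return log, log[-1]["tag"]


def verify_chain(log: List[Dict], key: bytes,
                 checkpoint: Optional[str] = None) -> Tuple[bool, int, str]:
    """Return (ok, index, reason); index is the first bad record, or the length otherwise."""
    prev_tag = GENESIS
    for i, rec in enumerate(log):
        if rec["prev"] != prev_tag:
            return False, i, "chain break"   # a record before this one was removed or reordered
        expected = record_tag(prev_tag, rec["event"], key)
        if not hmac.compare_digest(expected, rec["tag"]):
            return False, i, "bad tag"       # record altered, or re-tagged without the auditor's key
        prev_tag = rec["tag"]
    if checkpoint is not None and prev_tag != checkpoint:
        return False, len(log), "truncated"  # tail removed; the chain alone cannot see this
    return True, len(log), "ok"


def scenario_intact() -> Tuple[bool, int, str]:
    log, cp = build_log(SAMPLE_EVENTS, AUDITOR_KEY)
    return verify_chain(log, AUDITOR_KEY, cp)


def scenario_alter_without_key() -> Tuple[bool, int, str]:
    """Administrator re-attributes the DELETE to jdoe and re-tags it with a key of their own."""
    log, cp = build_log(SAMPLE_EVENTS, AUDITOR_KEY)
    bad = copy.deepcopy(log)
    bad[2]["event"]["user"] = "jdoe"
    bad[2]["tag"] = record_tag(bad[2]["prev"], bad[2]["event"], ADMIN_KEY)
    return verify_chain(bad, AUDITOR_KEY, cp)


def scenario_delete_record() -> Tuple[bool, int, str]:
    """The DELETE record is dropped entirely; the next record's prev-tag no longer matches."""
    log, cp = build_log(SAMPLE_EVENTS, AUDITOR_KEY)
    bad = log[:2] + log[3:]
    return verify_chain(bad, AUDITOR_KEY, cp)


def scenario_truncate_tail() -> Tuple[bool, int, str]:
    """The last record is cut off; only the auditor's checkpoint reveals it."""
    log, cp = build_log(SAMPLE_EVENTS, AUDITOR_KEY)
    return verify_chain(log[:3], AUDITOR_KEY, cp)


if __name__ == "__main__":
    for name, fn in [("intact", scenario_intact), ("altered", scenario_alter_without_key),
                     ("deleted", scenario_delete_record), ("truncated", scenario_truncate_tail)]:
        print(f"{name:10s} -> {fn()}")
```

The design point is the split of trust: the administrator can read and even rewrite the file, but without the auditor's key cannot produce a tag the auditor will accept, and without the checkpoint the auditor would not notice a log that was simply cut short. Encrypting the same file would keep its contents confidential but would change none of these detection results.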
For accountability to work, companies must maintain the record of the users' actions along with some degree of confidence surrounding the methods employed. If these do not exist, services such as systems audit will not be trusted by the end-users and audit records will not be acceptable in any court of law. From an employer's perspective, companies must be able to reliably assess any liability for errors or malfeasance on the part of employees or intruders. For instance, in sufficiently sensitive cases, companies would want to know that the audit records correctly indicate system activity up to (and including) a system crash.
If accountability records or services can be tampered with, you cannot reliably assign responsibility. There is no point in having an unreliable accountability service, as it poses a potentially greater danger to end-users, administrators and to the business itself. If any end-user can claim (with some credibility) that the software is insecure, or that the audit files cannot be shown to have integrity, companies will be forced to drop their recourse pursuits and may even face countersuits.
In other words, accountability services without a verifiable level of integrity are worse than no accountability at all.
* Originally published in Novell AppNotes
The origin of this information may be internal or external to Novell. While Novell makes all reasonable efforts to verify this information, Novell does not make explicit or implied claims to its validity.