With the August 5th & 6th show fast approaching, this will be the last in our series highlighting some of the great presentations that are scheduled to take place at Security BSides Las Vegas.
For those who don’t already know, Security BSides events are organized by-and-for the security community, attracts some of the most innovative security practitioners from around the world, and BSidesLV has the reputation for being one of the biggest events of the series.
We previously featured sessions on vulnerabilities in URL schemes, a talk on conference swag hacking strategies, a session on how to be successful in social engineering attacks, another on attacking Drupal, one titled IDS and NSM: Cut the Sh**!, one on Pwning the Hapless or How to Make Your Security Program Not Suck, and the last was for a talk titled No Info Sec Staff? No Problem.
Next up is a session being presented by Patrick Orzechowski (@shftleft), titled Bridging the Air Gap: Cross Domain Solutions, which will examine how in the commercial realm, we seem to be obsessed with cobbling together security systems to bolt around our data instead of building systems that are aware of what’s supposed to be passing through the network and into our applications.
Orzechowski notes that in the beginning, the only way data could be sent between classification levels was by physically transferring it via media, hence the term: “sneakernet.”
Analysts that wanted to move data from a “secret” system to an “unclassified” system would need to copy the data to a piece of media, scan it for “dirty words” and, if it passed the requisite tests, the data could be considered “sanitized” and moved to a lower classification level.
“At some point folks decided that systems could do this kind of thing, the term ‘trusted computing’ was thrown around, and the ‘CDS’ (Cross Domain Solutions) was born. At its core, the CDS provides those functions that the old sneakernet provided, but it has grown into much more,” Orzechowski said.
“For example, today’s next generation firewalls tout that they are ‘application aware,’ understanding what protocol moves across what port, while the CDS is ‘data aware’ – not only does it know that only XML is supposed to pass from host/port to host/port, it knows what specific XML tags, what data is contained in those tags, and how often the data is passed.”
Orzechowski says CDS acts somewhat like Web Application Firewalls are supposed to work, but are much more type-driven and formal.
“I believe these CDS solutions need to be reviewed and tested as any COTS product should be, not just because they’re what’s used to protect the nation’s secrets, but because they could act as a model for data protection in the commercial world,” Orzechowski explained.
“As we look at adopting the ‘data driven’ firewalling principles adopted by CDS in the commercial side of the industry, we can adopt the best practices employed by systems that are considered COTS.”
Orzechowski believes the idea of an “air gapped” network – whether it be military, infrastructure, or utilities – has gone the way of the dodo.
“There are no more air gapped networks, as shown by Stuxnet,” Orzechowski said. “The concept of Cross-Domain solutions, solutions that are specifically designed to bridge those air gaps, is a very important one, and I think we need to take a closer look at vendors and solutions to make sure these things are keeping our critical networks safe.
The target audience for Orzechowski’s talk are those people in positions charged with protecting the most critical networks: Military, infrastructure, nuclear, etc., but he says the same concepts that apply to CDS for a “critical” network could also be applied to traditional layered networks on the commercial side.
“I want the audience to have a solid understanding of what Cross-Domain Solutions are and how they’re used,” Orzechowski continued. “Hopefully this talk will spur discussion about CDS and CDS-like systems, how they’re implemented, tested for vulnerabilities and maintained. Protecting these critical systems should be a top priority.”
Orzechowski says that obviously the biggest challenge with these systems are potential vulnerabilities or misconfigurations that could ultimately costs lives.
“The idea that a critical infrastructure or highly classified network could potentially be accessed from the Internet should be a scary one for everyone – hopefully these systems, if they continue being deployed, will get safer and more secure,” Orzechowski said.
“On the upside, these systems are amongst the most heavily scrutinized and tested in the industry. On the downside, as we see in security time and again, it takes a major incident for serious action and attention to come to a vulnerable system.”