Analysis of the VSTK/P Product Line In Fulfilling US Federal Requirement DCID 6/3

Preface

This document is a technical analysis of CyberSoft VSTK and VSTKP tools for use with the U.S. Federal DCID 6/3 Directive.

The US federal DCID 6/3 Directive establishes security policy and procedures for storing, processing and communicating classified intelligence information in computers.

This document is written in three parts. The first is a technical overview of tools that may be important in the other two responses. The second is a response to requirements. The third is a competitive response to the Tripwire May 2006 DCID 6/3 sales flyer.

These responses utilize only tools found in the CyberSoft VSTK family of products. The VSTK computer security tool kit contains the CIT, VFind and UAD tools. The VSTKP (professional) computer security tool kit contains everything in VSTK plus the Avatar tool. There are other tools included in these tool kits that are not discussed as part of this analysis. For full details review the technical and training manuals found on www.cybersoft.com and www.cyber.com.

Please note that in the DCID 6/3 requirements analysis we have responded to as many requirements as possible. It is necessary for you to determine the appropriateness of each response to your specific needs. CyberSoft will assist in your needs analysis to the extent possible.

Technical Overview of the CIT tool

The CIT tool can not only protect the baseline configuration of a system, including its log files, but is also a fantastic aggregate data tool that illuminates otherwise obscure information. An example of this is the modification of log files, which might not be noticed but is of importance to the Information Systems Security Officer (ISSO). Take the sulog: if the sulog has been modified, then someone utilized privileged access on that system. As an aggregate data tool CIT can detect unauthorized actions by authorized users and is mostly immune to stealth or cloaking technology. This is because CIT operates against the stored file system, and every action in a computer leaves a trace in the file system or is otherwise transient.

CIT allows the System Administrator or Security Officer to understand what is happening in a system. It does this by cryptographically digesting the entire contents of a system, then providing several reports, one of which highlights what files were added, deleted, modified, flagged or duplicated within the system. This in turn can be used to understand what an end user is doing, for intrusion detection, and for detection of stealth trojanization or infection of a system. It provides critical information to the System Administrator, which will reduce system diagnostic time by a significant factor. In one case, a System Administrator in a government organization was able to determine that their server was hacked, what the hacker modified and added to the system, and restore full operation within a couple of hours.

In addition to the human readable report, CIT produces a machine-readable report, which can be utilized by a threat assessment program like the VFind pattern analysis system to look for attack code (a.k.a. computer viruses, Trojans, worms, etc.). This report is a list of files on the protected file system, which have been added or modified since the last time CIT was run. These are prime candidates for analysis.

Since CIT does not rely upon the system date and time function and it uses cryptographic strength digests, you will know within a specified time window when a file system event took place. That time window is the period of time between any two CIT executions.

The CIT database format is open, and can be viewed by a standard text editor. This means that a collection of databases can be created and used as a diagnostic tool against any system. Such databases can reveal information, such as what revision a system conforms to. They can reveal which operational files were modified, and what the system has been doing. If these databases are downloaded to a central point (see Miniweb), they can be used for almost instant detection of previously unknown attacks against the systems in a network. A centralized collection of operational CIT databases will allow for easy determination of baseline compliance on a network wide basis. Digestion of these databases at the central location can produce almost any kind of report necessary for the maintenance of the systems.

While the CIT program can use remotely mounted file systems for its databases and execution, this only allows for near real time operation in that execution is scheduled. This is a good thing because it allows for an orderly progression. However, while an event window can be kept secret, or even random, there is still a need for triggered deployment in the event of a serious attack. CIT and all of the other tools in the VSTK can be deployed in real time for centralized distribution using the Miniweb tool. Miniweb can be used to control any product, including third party products, as long as they can be implemented via a secure web server. The Miniweb program is a high security small web server written from scratch. It includes the ability to use SSL encryption and execute scripts or Perl programs.

CIT is the best Baseline Configuration Control tool. It allows the security officer to zero in on problems. Since all changes to a system are tracked, it becomes a trivial effort to detect baseline configuration problems. This is especially true if a hacker breaks into a system or an authorized user makes unauthorized changes. It can even detect changes caused by hardware degradation or outside electronic forces such as magnetic pulses or radiation. One more benefit of using CIT as a baseline tool is that it becomes possible to diagnose and correct configuration problems in a substantially shorter period of time than would be possible without the tool.

Using the window of opportunity concept with CIT the ISSO can tell a great deal about what has transpired in a system without use of a log file and without resorting to time stamps. Time stamps are malleable and cannot be trusted since even unprivileged users easily change them. Since CIT is executed on a known schedule then all events that are detected must have happened within that window of opportunity.
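The reports and the window of opportunity described above can be illustrated with the following Python example. It is an added example, not CyberSoft's CIT code or database format: the tab-separated layout, the SHA-256 digest recorded beside MD5, the definition of "duplicated" and all file names are assumptions.

```python
import hashlib
import os
import shutil
import tempfile

# MD5 is what the page says CIT uses; SHA-256 beside it is an assumption here.
ALGORITHMS = ("md5", "sha256")


def digest_file(path, chunk=65536):
    """Return 'md5hex:sha256hex' for one file, read in chunks."""
    hashers = [hashlib.new(name) for name in ALGORITHMS]
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            for h in hashers:
                h.update(block)
    return ":".join(h.hexdigest() for h in hashers)


def snapshot(root):
    """Map every regular file under root (relative path) to its digests."""
    db = {}
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            if os.path.islink(full) or not os.path.isfile(full):
                continue  # regular files only; symlinks are never followed
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            db[rel] = digest_file(full)
    return db


def write_db(db, path):
    """Plain text database: one 'digests<TAB>relative/path' line per file."""
    with open(path, "w", encoding="utf-8") as fh:
        for rel in sorted(db):
            fh.write(f"{db[rel]}\t{rel}\n")


def read_db(path):
    """Load a database written by write_db back into a dict."""
    with open(path, encoding="utf-8") as fh:
        return {rel: dig for dig, rel in
                (line.rstrip("\n").split("\t", 1) for line in fh)}


def compare(old, new):
    """Report the file system events that occurred between two runs."""
    added = sorted(set(new) - set(old))
    deleted = sorted(set(old) - set(new))
    modified = sorted(p for p in set(old) & set(new) if old[p] != new[p])
    by_digest = {}
    for rel, dig in new.items():
        by_digest.setdefault(dig, []).append(rel)
    changed = set(added) | set(modified)
    # "Duplicated" (this example's definition): identical content under several
    # paths where at least one copy appeared or changed inside the window.
    duplicated = sorted(sorted(g) for g in by_digest.values()
                        if len(g) > 1 and changed & set(g))
    return {"added": added, "deleted": deleted,
            "modified": modified, "duplicated": duplicated}


def demo():
    """Constructed scenario: events inside one window between two runs."""
    with tempfile.TemporaryDirectory() as top:
        root = os.path.join(top, "system")
        sample = {  # constructed sample files
            "var/adm/sulog": b"SU 01/05 09:12 + tty1 joe-root\n",
            "etc/passwd": b"root:x:0:0::/:/bin/sh\n",
            "bin/tool": b"constructed placeholder binary\n",
        }
        for rel, data in sample.items():
            full = os.path.join(root, rel)
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "wb") as fh:
                fh.write(data)
        db_path = os.path.join(top, "baseline.db")
        write_db(snapshot(root), db_path)  # first scheduled run

        sulog = os.path.join(root, "var/adm/sulog")
        stamp = os.stat(sulog)
        with open(sulog, "wb") as fh:  # log content is rewritten ...
            fh.write(b"SU 01/05 09:12 + tty1 joe-joe\n")
        # ... and the original time stamps are put back
        os.utime(sulog, ns=(stamp.st_atime_ns, stamp.st_mtime_ns))
        os.makedirs(os.path.join(root, "home/joe"))
        shutil.copy(os.path.join(root, "etc/passwd"),
                    os.path.join(root, "home/joe/p.bak"))
        os.remove(os.path.join(root, "bin/tool"))

        mtime_unchanged = os.stat(sulog).st_mtime_ns == stamp.st_mtime_ns
        report = compare(read_db(db_path), snapshot(root))  # second run
        return report, mtime_unchanged


if __name__ == "__main__":
    print(demo())
```

In the constructed scenario the rewritten sulog keeps its original modification time, yet it is still reported as modified because the comparison relies on digests only.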

Using CIT the ISSO can insure that no changes were made to prior log files for as long as they are stored. In addition, off stored log files can be insured to have not decayed by checking the data against the known MD5 hash value.

CIT is recommended to be executed at least nightly. The only limit on how often it can be executed is the amount of time it takes to complete its task. In addition, CIT can utilize multiple databases so that different goals can be accomplished. An example of where this may be important is in an environment where shift work is the norm. When running three shifts a day you may wish to implement 4 different databases for that day. Each shift can have its own database while the fourth database is the entire system. In this way, cycle time for execution is reduced and analysis is focused to where it has highest value.

In conclusion the CIT tool is a fantastic baseline configuration and management tool in addition to being an aggregate data creation and analysis tool used for intelligence analysis. It provides functionality that is useful to both the System Administrator and ISSO.

Technical Overview of the VFind and UAD tools

The VFind tool is a general-purpose rapid parallel pattern analysis program with a fully documented and open programming language called CVDL. As part of the VSTK family of products it is delivered with attack software definition libraries (viruses, Trojans, worms, etc.). As part of the Safe Internet Email product VFind is delivered with these and with Unsolicited Bulk Email (UBE/spam) definitions. It runs these two different libraries concurrently with the addition of any end user defined analysis requirements. The customer has the ability to program VFind.

In short, VFind can fulfill any pattern analysis requirement.

The UAD tool works with the VFind tool and can also be used with third party tools. It identifies target files by direct examination of their contents, which is superior to using filename extensions to identify the contents since filenames can be changed. In addition, UAD will recursively render the target file until it has reached a terminal point for all inclusions. This is very unusual and it allows for the finest quality of pattern analysis since you will not have to worry about analysis of a container file, which may hide the contents.
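Content-based identification and recursive rendering, as described for UAD above, shown in an added Python example that is not CyberSoft's code. The three container formats, the depth and size limits, the `!` path separator and the marker pattern are assumptions of this example.

```python
import gzip
import io
import tarfile
import zipfile
import zlib

MAX_DEPTH = 8                         # assumed nesting limit
MAX_BYTES = 16 * 1024 * 1024          # assumed per-object size limit
MARKER = b"CONSTRUCTED-TEST-PATTERN"  # harmless stand-in for a real pattern


def identify(data):
    """Classify an object by its leading bytes, never by its file name."""
    if data[:4] == b"PK\x03\x04":
        return "zip"
    if data[:2] == b"\x1f\x8b":
        return "gzip"
    if data[257:262] == b"ustar":
        return "tar"
    return "leaf"


def render(name, data, depth=0):
    """Yield (path, kind, bytes) for every terminal object inside data."""
    kind = identify(data)
    if kind == "leaf":
        yield name, kind, data
        return
    if depth >= MAX_DEPTH:
        yield name, "unrendered:" + kind, data  # report it, never skip silently
        return
    try:
        if kind == "zip":
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for info in zf.infolist():
                    if info.is_dir():
                        continue
                    child = f"{name}!{info.filename}"
                    if info.file_size > MAX_BYTES:
                        yield child, "unrendered:oversize", b""
                    else:
                        yield from render(child, zf.read(info), depth + 1)
        elif kind == "gzip":
            with gzip.GzipFile(fileobj=io.BytesIO(data)) as gz:
                inner = gz.read(MAX_BYTES + 1)  # bounded read
            if len(inner) > MAX_BYTES:
                yield name + "!gunzip", "unrendered:oversize", b""
            else:
                yield from render(name + "!gunzip", inner, depth + 1)
        else:  # tar
            with tarfile.open(fileobj=io.BytesIO(data)) as tf:
                for member in tf:
                    if not member.isfile():
                        continue
                    child = f"{name}!{member.name}"
                    if member.size > MAX_BYTES:
                        yield child, "unrendered:oversize", b""
                    else:
                        body = tf.extractfile(member).read()
                        yield from render(child, body, depth + 1)
    except (zipfile.BadZipFile, tarfile.TarError, OSError, EOFError,
            RuntimeError, zlib.error):
        yield name, "unrendered:corrupt", data


def scan(name, data, pattern=MARKER):
    """Return (leaf paths containing the pattern, paths left unrendered)."""
    hits, unrendered = [], []
    for path, kind, blob in render(name, data):
        if kind != "leaf":
            unrendered.append(path)
        elif pattern in blob:
            hits.append(path)
    return hits, unrendered


def build_sample():
    """Constructed input: gzip(tar(zip)), with the zip misnamed as a .jpg."""
    zbuf = io.BytesIO()
    with zipfile.ZipFile(zbuf, "w") as zf:
        zf.writestr("docs/readme.txt", b"nothing to see")
        zf.writestr("docs/macro.bin", b"header " + MARKER + b" trailer")
    tbuf = io.BytesIO()
    with tarfile.open(fileobj=tbuf, mode="w",
                      format=tarfile.USTAR_FORMAT) as tf:
        for member, body in (("bundle.jpg", zbuf.getvalue()),
                             ("notes.txt", b"clean")):
            info = tarfile.TarInfo(member)
            info.size = len(body)
            tf.addfile(info, io.BytesIO(body))
    return gzip.compress(tbuf.getvalue())


if __name__ == "__main__":
    print(scan("holiday.jpg", build_sample()))
```

Objects that exceed the limits or fail to unpack are returned in the second list so that an analyst can see what was not examined.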

There are significantly more details to these tools. For more information, review the technical and training manuals located at www.cybersoft.com and www.cyber.com.

Technical Overview of the Avatar Tool

The Avatar tool was designed for battlefield use. It can operate in a fully automated or manned mode. Avatar provides self-healing according to a security plan and stored read-only compiled database. Since the Avatar database is read-only it can be stored on read only devices such as remote mounted drives, cdrom, DVD, etc.

Operational capabilities loss and restoration can be constantly tested as a scheduled event by the Avatar tool (VSTKP). This tool can incorporate a romable backup of the system. Using pre-stored digests of protected system files the Avatar system can take preprogrammed actions to restore the system to baseline configuration and full operational capability. Unlike a backup system that may only operate daily, this system can be executed many times per day with restoration only upon need.

Avatar directives are created in text and compiled into the database along with all baseline files that Avatar might need to maintain system integrity. Once compiled the database cannot be changed without destroying it.

Avatar can also be used to upgrade systems. This is because when a new upgraded baseline configuration is defined the old baseline system no longer conforms. Avatar will force the old system to conform to the new baseline.

Technical Overview of the MiniWeb Tool

The MiniWeb Tool is a small, high security web server created by CyberSoft. It is not open source. MiniWeb provides some of the most important server features, such as the ability to run scripts or Perl programs. It also provides SSL functionality for encrypted web connections.

MiniWeb is multithreaded but is limited in the number of simultaneous connections it will accept. This provides significant protection against web-based denial of service attacks. In addition, MiniWeb uses a very small amount of memory, CPU and disk space. It is ideal for use in appliance systems such as firewalls and routers where these resources are limited.

Response to Technical Requirements of DCID 6/3

Audit1

The CIT tool produces a report that in itself is an audit report of file system activity. To a certain extent this report can provide the location of file system events by filename, a timestamp independent window of opportunity time frame for the events and the ability to insure the protection of legacy third party audit trails.

If any legacy audit trail (today -1 to -n days) is determined by the CIT tool to have been modified, added or deleted, then that audit trail is no longer trustworthy and should be restored from backup. In addition, the detection that this file system event took place is significant.

If any legacy audit trail is determined by CIT to have been duplicated that is a significant security event that needs to be reviewed by an ISSO. Duplication of an audit trail on a system may be an indicator of a prelude to an attack.

Audit2

The CIT tool can be considered a passive attack detection (monitoring) tool. Since it illuminates all file system events of significance, a trained analyst can determine if subtle attacks have taken place. This provides the ISSO an additional tool beyond the abilities of known attack software. If the attacker uses an unknown attack method or software to gain control of the system, such control is of limited value if they do not make modifications to the file system. In this way, the ISSO or ISSM can not only perform intrusion attacks themselves but also utilize the activities of any attacker to reveal them.

In addition to the CIT tool the VFind/UAD tools can be used to determine if the system contains hostile code such as viruses, Trojans, hacker tools, etc.

The THD tool can be used to determine if PATH designated attacks are being employed on a system. Since PATH designated attacks do not need content, only the proper filename and execution permission, this is one of the few tools that detect this type of attack.

Audit3

The CIT tool can be used to assist in the reduction of audit trail analysis in that only audit trails that were modified require analysis. The CIT tool can illuminate this fact.

The VFind tool is a general-purpose parallel pattern analysis system that can be programmed by the customer. Audit trail analysis files can replace virus analysis files. This analysis can review many audit files quickly for significant events. Since the analysis patterns can make full use of the CVDL language very complex analysis can be accomplished beyond that which would be available with simple tools. See the CVDL tutorial for language details.

I&A2

Depending upon how authenticator data is stored on the file system the CIT tool will be able to detect changes.

I&A4

The CIT tool can be utilized to insure that modifications to the password storage file have or have not taken place.

ParamTrans

The VFind and UAD tools can be used as part of the transit system to insure Parameter Transmission labels are both accurate and explicitly or implicitly associated with the data. This is accomplished by replacement of virus analysis files with ParamTrans analysis files.

Recovery

The CIT tool can be used to determine in what way a system was modified and therefore how it can be returned to full baseline control. In addition, this information may reveal not only that restoration is required but also in what manner the system baseline was compromised. This can be combined with the VFind tool to further determine if the compromise was by a known method.

This tool can utilize canned baseline databases. In this way, the system can be compared to an idealized baseline and quickly assure that system recovery is done in a trusted and secure manner.

Storage

Use of the VFind and UAD tools can insure that information stored on open storage (or other) areas does not contain data that is proscribed for open storage. This can be accomplished by replacement of the virus patterns with patterns that identify data not approved for open storage. While it is possible to write patterns that detect data not approved for open storage and that are themselves approved for open storage, it is suggested that this analysis either be performed at a transit point that is trusted as a guard or that data be returned from the open storage pool to a non-open storage pool for analysis.

Doc2, Doc3, SysAssur1

CyberSoft VSTK/P products are fully documented both in technical documentation delivered with the product and in training manuals, which are both delivered with the product and made available free on the CyberSoft web sites. These documents can be added to the set of documents required to fulfill the Doc2 requirement.

SysAssur2

The CIT, VFind and UAD tools can be utilized to insure baseline conformance of the software and firmware that performs operating system or security functions. In some cases, hardware conformance configuration can be insured where such hardware affects the file system. (Existence of hardware drivers, etc.)

Test3

The CIT, VFind and UAD tools can be utilized as part of additional testing including baseline conformance. The Avatar tool can be utilized as part of a self-repair function of a system.

By utilizing an Avatar database geared toward a test bed, test bed recreation and certification can be managed in minutes instead of many hours.

Backup1

Backups can be enhanced by the use of the CIT tool, which can identify specific files that need to be restored from backup. In addition, the MD5 digest of the backup media can be used to both determine that the backup has not been modified and as a form of serial number.

Backup3

Use of the CIT MD5 hash code on the on-site backup and the off-site backup can insure that these are an exact copy.

Backup4

Annual restoration of backup data can be tested for accuracy by including the CIT database on the backup. Once the full restore is made, a test of the restore can be accomplished by running the CIT tool. Any files that CIT identifies as added, modified or deleted are in error.

The CIT tool can aid in the rapid restoration of a system by identifying just those files that need restoration. It can also provide a non-time stamp method of determining which files need to be stored as backup for incremental backups. This is actually a very important feature if the backup system uses the time stamp for incremental backups.

Backup5

Operational capabilities loss and restoration can be constantly tested as a scheduled event by the Avatar tool (VSTKP). This tool can incorporate a romable backup of the system. Using pre-stored digests of protected system files the Avatar system can take preprogrammed actions to restore the system to baseline configuration and full operational capability. Unlike a backup system that may only operate daily, this system can be executed many times per day with restoration only upon need.

In addition, by replacement of the Avatar database with a newer version of the database a system can be upgraded to the latest version of the operational system.

Avatar was designed for use in lights out operations.

Backup6

Restoration of a CIT database along with system files can be used to insure proper restores.

CM1

The ability to determine if modifications to the configuration management have been made is provided by both the CIT and Avatar tools.

CM2

Storage integrity can be determined by use of the CIT tool, which can identify if the backups were modified.

The CIT database can be used to determine the security relevant software and firmware products, their names, makes and versions/release numbers.

The CIT, Avatar and VFind/UAD tools assure storage integrity.

CM3

Avatar can implement test beds in a short period of time allowing for full CM testing. The Avatar tool can insure implementation of the CM baseline while the CIT tool will insure that it has been implemented according to documented standards.

The CIT and Avatar system insure that it is not technically or procedurally feasible to make changes to the Security Support Structure outside of the CM process within the execution parameters of the tools.

Integrty1

The CIT and Avatar tools fully fulfill this requirement. It should be noted that there are simple known methods to defeat parity and Cyclical Redundancy Checks (CRCs), while cryptographic hashes are impractical to overcome. The CIT and Avatar tools currently use MD5. While there is a mathematical theory that may lead to collisions of hash codes it is not practical to implement such an attack. In addition, CyberSoft is willing to implement additional cryptographic hashing algorithms. Once done the customer has the option to use one or multiple hashing algorithms. There is no publicly known method of overcoming multiple cryptographic hashing algorithms in tools like CIT and Avatar.

Integrty2

CIT and Avatar provide storage integrity protection but do not provide locks or data hiding encryption.

Integrty3

It is noted that CIT can be implemented as an independent non-repudiation method at a transit. This in effect would be the same as providing a registered mail where a cryptographic relationship between the non-repudiated sender, receiver, the time and date and other parameters, as selected, is created. This relationship would be stored as a series of one-way cryptographic hashes. It is noted that this will require additional implementation that is not included with the CIT tool. If interested please inquire.

MalCode

The VFind and UAD tools provide full malicious code detection using the "virus" VDL library. This system includes a VDL (pattern signatures) update system, which is web based and transparent to most firewalls. In addition, the update system can be pointed to a customer owned server that contains the update as simple files.

Verif1

The CIT tool along with a fully configured baseline CIT database will confirm the correct installation of all security files. (Mechanisms are in place.) This can make testing by the DAA Rep quick and easy.

Change1

The CIT tool can be executed against each user's home directory and be configured to provide the user a report of every file that has been added, deleted, modified, duplicated or otherwise flagged.

Change2

The Avatar database is read only and can be implemented in hardware such as cdrom. In addition, the CIT database is an audit trail of MD5 hash codes of every file under protection. It is noted that CIT can be used to protect other CIT and Avatar databases.

Validate

Once a system has been fully validated and a baseline configuration created the CIT tool can be used to test for proper implementation of the baseline while Avatar can be used to enforce the proper baseline.

Trans2

The CIT tool can be used to create a cryptographic hash code of data prior to transmission. That hash code can then be verified against the received data to insure that what was sent is what is received.

Avail

The Avatar tool can provide self-healing for a system that is otherwise functional.

Maint

It is noted that the VSTKP tool kits can be used as part of extensive maintenance procedures and may reduce both time and costs of these procedures.

Cont1

It is noted that the CIT, VFind/UAD and Avatar tools can play important roles in any contingency/disaster recovery plan.

DOS

The VFind/UAD tools are a critical part of any denial of service attack plan since they will detect well-known, detectable and preventable denial of service attacks by system resident software (viruses, Trojans, worms, logic bombs, etc.). It should be noted that many denial of service attacks are not SYN or TCP/IP - UDP based but software based. Often the denial of service is an inadvertent part of the attack software and, without a detection tool, is the first indication that a system is under software attack.

The CIT tool can be used to determine if a new unknown attack has been added to a system. The Avatar tool can be used to self-heal a system in which a controlled file was replaced by an attack program.

Comparison of Information Assurance Brief (May 2006) DCID 6/3 by Tripwire, Inc. with the CyberSoft VSTK/VSTKP tool kits (January 2007).

Note: CyberSoft Operation Corporation performed this comparison. Proofs of all CyberSoft claims are contained in standard issued CyberSoft technical and training manuals available free and on www.cybersoft.com and www.cyber.com.

Conclusion: While the Tripwire tool and the CyberSoft CIT and Avatar tools are all excellent, they are different. The Tripwire and CIT tools have a significant amount of overlap and in the case of this analysis the overlap appears to be 100% of the Tripwire functionality contained in the CIT and/or Avatar tool. CIT is included at no additional cost as part of the VFind Security Tool Kit along with virus/attack software scanning and other computer security tools. The Avatar tool is included at no additional cost as part of the VFind Security Tool Kit Professional product.

If you are already purchasing the VSTKP tool kit for virus analysis you are getting all of the functionality (and more) of the Tripwire product, as documented in the Tripwire DCID 6/3 brochure, for free.

Note: The material in this comparison is directly quoted from Tripwire's information assurance brief, copyright 2006 by Tripwire, Inc.

Comparison

TRIPWIRE: Meeting Requirements with Tripwire.
Tripwire delivers change detection and file integrity for mission-critical systems.

CYBERSOFT: The CIT tool delivers change detection and file integrity for mission-critical systems.

TRIPWIRE: It creates a baseline of system and configuration files, detects changes, and then reports on these changes.

CYBERSOFT: The CIT tool creates or can utilize a canned baseline of system and configuration files, detects changes, and then reports on these changes. The CIT database and reports are both machine and human readable.

TRIPWIRE: Tripwire enables IT staff to determine the what, when, how, and who of change detection.

CYBERSOFT: The CIT tool enables the IT staff to determine the what, when, how and who of change detection. CyberSoft believes the "who" is an indirect determination for both products. In addition, the CIT tool provides data reduced reports for the ISSO/System Administrator that can be used for aggregate data analysis and system maintenance. See the CIT section of Training Manual #1 for more details.

TRIPWIRE: This can be used for:

  • Change detection and verification in a change management environment
  • Meeting certification and accreditation requirements.
  • Satisfying information assurance directives for maintaining system integrity
  • Verifying the integrity of other security products, detecting if they've been compromised.

CYBERSOFT: CyberSoft's CIT tool provides the same functionality.

CyberSoft Comments: In addition, the CIT tool can be used to determine if a system is operating with the latest software versions by analysis of the CIT database. Finally, the Avatar tool provides response by self-healing, not just reporting.

TRIPWIRE: DCID 6/3
The US federal directive establishes the security policy and procedures for storing, processing, and communicating classified intelligence information in information systems. For purposes of this Directive, intelligence information refers to Sensitive Compartmented Information and special access programs for intelligence under the purview of the DCI.

Under Key terms, defined in the manual, Tripwire is primarily applicable to references to Integrity. Integrity is defined in the manual as protection against unauthorized modification or destruction of information. There are three integrity levels of concern (Basic, Medium and High).

CYBERSOFT: DCID 6/3
CyberSoft's CIT and/or Avatar tools provide the same functionality.

CyberSoft Comments: Synopsis of these paragraphs is the existence of the DCID 6/3 Directive and the fact that the Tripwire (and CIT/Avatar) tools apply to the Directive.

Tripwire: Integrity System Security Features And Assurances

Tripwire: INTEGRITY - BASIC

TRIPWIRE: Requirement a.2.[CM1]b. Description
Procedures to assure the appropriate physical and technical protection of the backup and restoration hardware, firmware, and software, such as router tables, compilers, and other security-related system software.

TRIPWIRE: Tripwire is commonly used to "guard the guard" and monitor the configuration, applications, and underlying OS of security software and applications. In this way, Tripwire provides 3rd party validation that security applications and their configurations have not been tampered with or compromised without your knowledge.

CYBERSOFT: CyberSoft's CIT tool provides the same functionality.

Tripwire: INTEGRITY - MEDIUM

TRIPWIRE: Requirement a.3.[Change1]a. Description
Mechanisms that notify users of the time and date of the last change in data content.

TRIPWIRE: Tripwire can identify who, when, and how changes occur. Also provides a trail of evidence to show what happened, when it was discovered, and when it was resolved.

CYBERSOFT: CyberSoft's CIT tool provides the same functionality.

CyberSoft Comments: Using CIT, "who" is provided as a function of file location. For example, any files in Joe's home directory are defined as Joe's files. "When" is any time within the window of opportunity, that is, between CIT runs. "How" is defined as what files were added, deleted, modified, duplicated or flagged. The "trail of evidence" is easily accomplished by both the report and the CIT database of cryptographic hash values. When multiple databases are saved, an audit trail spread over a long period of time can be accomplished. When it was discovered and resolved is a function of "when".

TRIPWIRE: Requirement a.3.[Change1]b. Description
Procedures and technical system features to assure that changes to the data or to security related items are:

  • Executed only by authorized personnel.
  • Properly implemented.

TRIPWIRE: Tripwire integrates change audit data with change management systems & by performing the rollback directly or providing a manifest to drive third-party restoration/provisioning systems.

CYBERSOFT: CyberSoft's CIT and Avatar tools provide the same functionality.

CyberSoft Comments: The change audit is provided by the CIT tool, which also provides assurance that the system is "properly implemented". Rollback can be provided either by CIT with third party backup/restore software or stand-alone by self-heal using the Avatar tool. The CIT and Avatar tools only indirectly provide "executed only by authorized personnel", in that they insure the system's proper implementation (baseline control) is maintained. In a well-maintained system execution authorization is a function of DAC/MAC permissions.

Tripwire: INTEGRITY - HIGH

TRIPWIRE: Requirement a.3.[Change2]a. Description
A secure, unchangeable audit trail that will facilitate the correction of improper data changes.

TRIPWIRE: Tripwire integrates change audit data with change management systems & processes so you can determine authorized vs. unauthorized production changes. Tripwire also provides the means to verify/validate planned change once it's been implemented.

CYBERSOFT: CyberSoft's CIT and Avatar tools provide the same functionality.

CyberSoft Comments: One of the best things about the VSTK family of tool kits, of which CIT and Avatar are members, is that all of the products are tools. They are not monolithic programs and can easily be incorporated into scripts and programs or integrated with third party software.

The change audit is provided by the CIT tool, which also provides assurance that the system is "properly implemented". Correction can be provided either by CIT with third party backup/restore software or stand-alone by self-heal using the Avatar tool.

TRIPWIRE: Requirement a.3.[Change2]b. Description
Transaction based systems that implement transaction roll-back and transaction journaling, or technical equivalents.

TRIPWIRE: Tripwire enables rollback to an authorized state either by performing the rollback directly or providing a manifest to drive third-party restoration/provisioning systems.

CYBERSOFT: CyberSoft's CIT and Avatar tools provide the same functionality.

TRIPWIRE: Requirement a.10.[Recovery] Recovery procedures and technical system features that assure that system recovery is done in a trusted and secure manner. If any circumstances can cause an untrusted recovery, such circumstances shall be documented and appropriate mitigating procedures shall be put in place.

TRIPWIRE: Tripwire baseline information is used to test disaster recovery capability to validate that systems reproduction from disaster recovery procedures actually match the current production systems they were meant to replicate.

Should an actual emergency or disaster occur, archived Tripwire baseline information can be used to validate that the deployed systems actually correspond to the pre-emergency state of the systems.

CYBERSOFT: CyberSoft's CIT and Avatar tools provide the same functionality.