Why agencies need to consider the source (code)

Chris Miranda, vice president of the Telecommunications Studies Center for LGS Innovations, makes the case to agencies that analyzing software before and after ...

Our work days revolve around our networks, and any interruption in our ability to access data and systems can have a crippling effect on operations. Network administrators need to ensure we have the data we need when we need it, can easily share data with colleagues regardless of location and above all make sure our networks are secure.

Chris Miranda
Chris Miranda

A  2013 annual crime report from the FBI states there has been a nearly 50 percent increase in reported monetary losses due to cybercrime since 2012, and with multiple data breaches in the news, network administrators must look to leave no stone unturned when protecting the integrity of their networks and data.

It has become widely accepted that no single technology or device can fully secure a network, but even with a defense-in-depth strategy including firewalls, demilitarized zones (DMZs), intrusion detection systems and intrusion prevention systems, can we be confident all network security issues are being addressed?

With the global nature of today’s supply chain, hardware and software are being outsourced to countries around the world. We have put our trust in equipment manufacturers who often outsource this work to the lowest bidder. This opens our networks up to a vulnerability, which if overlooked, can lead to potentially disastrous consequences.

The software that runs our networks is particularly susceptible to vulnerabilities — both intentional and unintentional. Unless you have analyzed the source code and binary yourself (and good luck getting the vendor to let you get your hands on that), there is no way to ensure that your networking equipment will not leave you vulnerable to backdoor threats.

There is a real need for software-level independent verification and validation (IV&V) to ensure that the network equipment being used is secure at every layer.

The federal government and commercial organizations often depend on commercially available infrastructure components for operations and security, creating concerns regarding source and dependency. A sampling of threats we have investigated on behalf of government customers include:

  • Equipment vulnerabilities: Flaws contained in software, recommended and default system configuration, processes/best practices and system documentation. A bug in a software binary may cause the processor to perform an unexpected action, typically resulting in a crash (common examples include buffer overflow and over/under indexing arrays). System configuration vulnerabilities may allow open access to protected information, and vulnerabilities in procedures or documentation may result in non-secure administrator passwords.
  • Exploits: Concepts or code that take advantage of vulnerabilities to gain initial access to the operations of a system.
  • Embedded malware: Code loaded onto a system to inflict damage, collect data, change the functioning of the system or launch attacks at other systems.
  • Backdoors: Code intentionally designed into a system that bypasses normal authentication checks in order to give access or control. Examples include field debugging capabilities, secret keystrokes, special login sequences or hidden login user IDs.

While formal certifications provided by organizations such as Common Criteria, Federal Information Processing Standards (FIPS), and Joint Interoperability Test Command (JITC) provide some level of security for equipment, a trusted IV&V process is also necessary to provide an in-depth analysis of the software behind the equipment, assessing it for potential threats.

IV&V: Does it really need to be independent?

While we think we know our own networks better than anyone, this familiarity may lead to a biased perspective of our security posture. Every network needs to be verified and validated against vulnerabilities, exploits, malware and backdoor threats, but what’s the advantage of having these security measures performed outside the organization?

An independent verification and validation of each network layer creates an end-to-end security solution with each point in the network being analyzed for new risks, threats or attack vectors. At the same time, the security of the management, control and end-user planes of the network also require attention. Security vulnerabilities may exist in multiple locations throughout the network and need to be analyzed in order to provide an effective security plan.

Multiple levels of security assessments can be customized for particular types of equipment, and a thorough network architecture evaluation provides a structured framework that forces consideration of all known possible threats and attacks in the infrastructure, services and applications security layers.

From operational testing to public domain searches to static analysis, threat sweeping evaluates the network from the inside out using detailed knowledge of embedded firmware and software. Because the equipment vendor must provide access to source code and a build environment for this analysis, it is imperative that source repositories are maintained in a highly secure environment with strict access control mechanisms. This analysis encompasses:

  • Binary code analysis
  • Chain of custody of delivered firmware and software
  • Source code analysis
  • Enhanced manual inspection for backdoors and other vulnerabilities

Proactive security — because network integrity is about more than just wiping out bugs

No one wants to operate exclusively in a reactive mode, especially when an evaluation of potential features could help with the proactive security stance of a system. A trusted IV&V partner can assist in the definition, requirements and implementation of value-add capabilities including software diversification techniques, active monitoring for anomalous behavior and proactive inventorying of release levels.

Ongoing involvement in network assurance missions helps to effectively discover new vulnerabilities and develop leading-edge tools and best practices, all while remaining focused on securing equipment firmware and software. Effective collaboration between the equipment vendor and the IV&V partner is key to a customized engagement that brings an enhanced security profile to network products.

Chris Miranda is the vice president of the LGS Innovations Telecommunications Studies Center, where he is responsible for special customized projects to investigate the overall integrity of telecommunications products, systems and architectures. Chris has more than 30 years of experience designing and developing wireless and wireline communication systems, computer systems, peripheral control products and real-time system architectures. Questions or comments on the article? Email Chris at cmiranda@lgsinnovations.com.

Copyright © 2024 Federal News Network. All rights reserved. This website is not intended for users located within the European Economic Area.

Related Stories

    Graphic By: Derace LauderdaleCybersecurity

    Rethinking continuous risk metrics to fortify federal cybersecurity

    Read more
    (Getty Images/iStockphoto/metamorworks)Artificial intelligence (AI) concept showing a brain on a computer screen

    AI emerging as a not-so-secret business development weapon for government contractors

    Read more
    Amelia Brust/Federal News NetworkFederal Workforce

    Correction to connection: Making federal performance review season less spooky

    Read more