

Ransomware Trojan Horse Attacks Could Have Been Predicted
The Department of Defense’s 1987 Orange Book Explains How
In the past 10 years, a lot of personnel have entered the cybersecurity field, and in most cases their route into it has been a security certification. This article argues that the Department of Defense rainbow series of books on information security is still relevant today for informing the expertise of information security professionals. The series is composed of 27 Department of Defense books on information security, each with a differently colored cover, hence the name "rainbow series." One book in particular, the orange book, is still used as a reference for security. The orange book may seem ancient, but the Chinese have used it to classify their new desktop operating system.
The ransomware (Trojan horse) attacks on Windows operating systems could also have been predicted by the orange book, because Windows relies on discretionary access control.
Some of the titles of the rainbow series:
● NCSC-TG-001 [Tan Book]: A Guide to Understanding Audit in Trusted Systems [Version 2, 6/01/88]
● NCSC-TG-002 [Bright Blue Book]: Trusted Product Evaluation - A Guide for Vendors [Version 1, 3/1/88]
● NCSC-TG-003 [Orange Book]: A Guide to Understanding Discretionary Access Control in Trusted Systems [Version 1, 9/30/87]
● NCSC-TG-004 [Aqua Book]: Glossary of Computer Security Terms [Version 1, 10/21/88]
● NCSC-TG-005 [Red Book]: Trusted Network Interpretation [Version 1, 7/31/87]
● NCSC-TG-006 [Orange Book]: A Guide to Understanding Configuration Management in Trusted Systems [Version 1, 3/28/88]
The orange book classifies security from minimum to maximum: D-level is the minimum and A-level the maximum. The security classifications of the orange book are listed below:
DOD SECURITY CLASSIFICATIONS FROM THE ORANGE BOOK
● D Minimal protection; reserved for systems that fail evaluation
● C1 Discretionary protection (DAC); the system does not need to distinguish between individual users and types of access
● C2 Controlled access protection (DAC); the system must distinguish between individual users and types of access; object reuse security features required
● B1 Labeled security protection (MAC); sensitivity labels required for all subjects and storage objects
● B2 Structured protection (MAC); sensitivity labels required for all subjects and objects; trusted path requirements
● B3 Security domains (MAC); access control lists (ACLs) are specifically required; the system must protect against covert channels
● A1 Verified design (MAC); formal Top-Level Specification (FTLS) required; configuration management procedures must be enforced throughout the entire system lifecycle
● A1 Self-protection and reference monitors are implemented in the Trusted Computing Base
The orange book ratings have two major demarcations of security level: between the C2 and B1 levels, and between the B3 and A1 levels.
The C2 level vs B1 level
The C2 level provides discretionary access controls; the B1 level is where mandatory access controls begin. At the C2 level, somebody in payroll could take a payroll file, copy it, and let people from other departments see the payroll information, because the owner of a file decides who may read it. At the B1 level, a user in the payroll department and the payroll resources (such as data sets) each carry a sensitivity token attached to their IDs and data sets. With mandatory access controls, the same leak is impossible: the token on the payroll file remains on the copied file, which prevents someone outside payroll from viewing it no matter who made the copy.
The B3 level vs the A1 level
The demarcation between the B3 level and the A1 level is that the A1 level requires a verified design.
The orange book was the first attempt to compartmentalize security between users in a multi-user environment. The operating system has to be able to give each user an isolated virtual environment; however, the physical hardware CPU also has to be evaluated with respect to that virtualization. Virtualization of the physical hardware is beyond the scope of this article.
As a side note, the IBM z/OS operating system has been considered by many people to have the strongest security. However, this operating system can also run under the Hercules emulator software on an Intel server. The physical hardware of the IBM CPU has been designed from the ground up to create a virtual environment for its users, and running z/OS under Hercules emulation on an Intel server negates this virtual capability.
Some people think that the orange book is obsolete and no longer matters. Yet recently the Chinese have developed their own desktop operating system based on a Linux-type kernel, and they rated it at the B2 level of security. That is high-level security that makes it difficult for outside nations to hack into. In my opinion, China is already bolstering its information resources for a potential information war with the United States. Unfortunately, in the West and in most information security resources, this new operating system has gone unnoticed.
Our dependence on Windows-type systems has made it easier to hack into them. Windows is the most widely used desktop operating system, and a hack into it has wide, far-reaching effects (its protection is at the C2 level).
This means government and businesses have to put a lot of resources into alleviating the hack. China's new desktop operating system has a security rating of B2. This rating means that information is compartmentalized: mandatory access controls rather than discretionary access controls. A hack into one desktop operating system is not a hack into all of them.
The Department of Defense orange book is still valid today, and an understanding of discretionary access controls and mandatory access controls has significant importance with respect to security and virtualization. The concept of mandatory access control vs. discretionary access control is not taught in a lot of security certification training today. A practical example of the difference: under discretionary access controls, a user can click on some malware and it can affect other users, because the malware runs with that user's authority and the user's authority includes the power to share what the user owns. Mandatory access controls give a higher rate of security with respect to malware.
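The payroll-file scenario from the C2 vs B1 section and the malware point made just above are the same orange-book argument: a program running with a user's identity inherits everything that identity may do, and under DAC that includes re-sharing the user's files. The toy model below is an added example, not code from the article or from any orange-book-evaluated system; the label ordering, the `DACSystem`/`MACSystem` classes, and the user names are constructed for illustration. A simulated Trojan horse runs with the payroll clerk's authority, copies the payroll file and grants an outsider read access to the copy; the DAC-only system lets the outsider read it, while the MAC system carries the label onto the copy and refuses.

```python
"""Toy model of the orange book's DAC-vs-MAC argument (added example, not from the article).
The label ordering, classes and names are constructed for illustration only."""
from dataclasses import dataclass, field

# Constructed label lattice: a user may read an object only if their clearance
# is at least as high as the object's label (the clearance "dominates" the label).
LABEL_RANK = {"public": 0, "payroll": 1}


@dataclass
class File:
    name: str
    owner: str
    label: str                                   # mandatory sensitivity label
    readers: set = field(default_factory=set)    # discretionary read list, owner-managed


@dataclass
class User:
    name: str
    clearance: str


class DACSystem:
    """C2-style system: access is decided solely by the owner's permission list."""

    def can_read(self, user: User, f: File) -> bool:
        return user.name == f.owner or user.name in f.readers

    def grant_read(self, actor: User, f: File, grantee: User) -> None:
        # Anything running with the owner's identity may widen the reader list.
        if actor.name == f.owner:
            f.readers.add(grantee.name)

    def copy(self, actor: User, src: File, new_name: str) -> File:
        # The copy is a fresh object owned by whoever made it; the label travels
        # with the data, but a DAC-only system never consults it.
        if not self.can_read(actor, src):
            raise PermissionError(f"{actor.name} cannot read {src.name}")
        return File(new_name, actor.name, src.label)


class MACSystem(DACSystem):
    """B1-style system: the DAC check still runs, but a mandatory label check is
    enforced as well, so the owner cannot declassify data by copying or sharing it."""

    def can_read(self, user: User, f: File) -> bool:
        dominates = LABEL_RANK[user.clearance] >= LABEL_RANK[f.label]
        return dominates and super().can_read(user, f)


def trojan_horse(system: DACSystem, victim: User, payroll: File, outsider: User) -> File:
    """Simulates a program the payroll clerk ran: it acts with the clerk's authority,
    copies the file, and shares the copy with an outsider."""
    leaked = system.copy(victim, payroll, "payroll_copy.csv")
    system.grant_read(victim, leaked, outsider)
    return leaked


def leak_succeeds(system: DACSystem, outsider_clearance: str = "public") -> bool:
    """True if the outsider can read the leaked copy on the given system."""
    clerk = User("alice", clearance="payroll")          # constructed users
    outsider = User("bob", clearance=outsider_clearance)
    payroll = File("payroll.csv", owner="alice", label="payroll")
    leaked = trojan_horse(system, clerk, payroll, outsider)
    return system.can_read(outsider, leaked)


if __name__ == "__main__":
    print("C2/DAC: outsider reads leaked copy ->", leak_succeeds(DACSystem()))          # True
    print("B1/MAC: outsider reads leaked copy ->", leak_succeeds(MACSystem()))          # False
    print("B1/MAC: cleared colleague reads copy ->", leak_succeeds(MACSystem(), "payroll"))  # True
```

The third call shows that MAC does not remove the owner's discretion: a colleague who is both cleared for the label and granted read access still gets the file. What MAC removes is the ability of the owner's identity, and therefore of any Trojan horse running under it, to hand the data to someone whose clearance does not dominate the label.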
Addendum:
https://fas.org/irp/nsa/rainbow/tg003.htm
The following section headings are from the orange book published in 1987 (page numbers refer to that document):
● 6. An Inherent Deficiency in Discretionary Access Control (p. 5)
● 6.1 A Fundamental Flaw in Discretionary Access Control (p. 5)
● 6.2 An Example of a Trojan Horse (p. 5)
● 7. An Overview of DAC Mechanisms (p. 7)