
Page 1: Markowsky: Using the Castle Metaphor in Cybersecurity ... · Using the Castle Metaphor to Communicate Basic Concepts in Cybersecurity Education G. Markowsky and L. Markowsky Department

Using the Castle Metaphor to Communicate Basic Concepts in Cybersecurity Education

G. Markowsky and L. Markowsky

Department of Computer Science, University of Maine, Orono, Maine, USA

Abstract - This paper explores how to use the castle as a metaphor to help students and non-technical users understand some basic concepts of cybersecurity. Castles are symbols of security that are familiar to and easily understood by most people. Important defensive structures for many centuries, castles were designed and built using much ingenuity and effort and are not the simple-minded structures that many people imagine them to be. This paper describes the design of castles in detail and shows that many of the techniques used by castle designers are still relevant today and can provide a concrete embodiment of important cybersecurity concepts.

Keywords: security, security architecture, cybersecurity education, active defense, intrusion detection and prevention systems

1 Introduction

Castles have long inspired people of all ages. To many people they embody the idea of security. In this paper we examine some of the ways that the castle can be used as a metaphor to teach basic concepts of cybersecurity to a general audience.

In [1], McDougal suggests that there are valuable lessons to be learned from studying the defensive systems of castles and presents some strategies based on these lessons. In this paper we study the defensive systems of castles in more detail and make more detailed comparisons to cyber defense. We also point out the dangers of having too simple an understanding of castles and thereby not benefiting from the lessons learned from the hundreds of years of experience acquired by castle builders.

2 A simple view of castles

Figure 1 shows the cover of the February 22, 2010, issue of InformationWeek [2]. Note how primitive the castle is – just a simple wall surrounding three people who are armed with bows and arrows. The castle shown in Figure 1 is more of a liability than an asset since the people in the castle have no windows to look out of and no platforms along the wall that can be used to defend the castle. Also there is a strange figure suspended over the castle by a crane not shown in the picture.

Figure 1. Simplistic View of a Castle

Real castle walls are not simple structures, but intelligently designed defensive systems. Castle walls have platforms from which the defenders could resist the attackers and get some shelter. The model of the castle in InformationWeek is essentially a model of a prison for the people inside the walls.

There are at least two additional problems with the castle in Figure 1. First, the castle is pictured sitting in the middle of a featureless plane. Real castles typically were placed in strategic locations so that they either controlled some passage or at least had a good view of the surrounding area. Another problem is that the image is reused in the article with the word “outflanked” superimposed on the image. This is completely nonsensical since a circular castle has no flanks and cannot be outflanked. The care with which castles were located and designed leads us to the first lesson in cyber defense: have an overall plan. You should not build defenses in isolation. Like a castle builder, you should understand who your enemies are and how you are likely to be attacked.

People often can’t think of “enemies” that they might have in cyberspace. It is possible to have both enemies of a personal nature as well as impersonal enemies for whom you and your organization are targets of opportunity. Businesses should be concerned with all competitors: local, national and international. They should also be concerned about insider threats originating from disgruntled employees and jealous colleagues. Individuals should be concerned with cyberthieves, botnet masters, partners and ex-partners. Even “friends” can be a source of trouble.


3 Real castles

Castles have a great deal of individuality because they were built: (a) in places that are geologically very different from one another; (b) at different times; (c) for different purposes; and (d) by people having widely varying resources and time. The photos shown in Figures 2 and 3 highlight the defensive systems of Malbork Castle in Poland.

Figure 2. Part of the Outer Wall of Malbork Castle

Figure 2 shows one of the towers that defends the castle's outer wall. Notice the slits, called arrow loops, for firing arrows at attackers who are near the wall. Notice also that the castle's outer wall is designed so that water is drained to the outside rather than the inside of the wall.

Figure 3. A Guarded Entrance at Malbork Castle

Figure 3 shows one of the entrances to Malbork Castle. Notice the windows and other openings that overlook the approach to the entrance that enable the castle's defenders to attack enemies approaching the gate from a relatively protected location. Finally, notice that the entrance has gates at both ends. A portcullis is shown in the foreground and the gate at the far end is shown swung open to the left.

The modern firewall functions much like a main wall of a castle. Castle builders understood that any opening in a wall introduces a weakness into that wall. At the same time, it is not reasonable to build a castle without doors and windows. In the same way, a firewall must have doors and windows so that the computer can communicate with other systems over a network. Openings in the firewall are often known as ports. Services (such as web services and e-mail) have ports that must be kept open in order to be useful.

While castle builders knew the value of entrances, they also understood the vulnerabilities that entrances introduce. Consequently, there were mechanisms to ensure that any attempt to force entry would be strongly resisted. Castles typically had small entrances called postern gates that could be used to escape or to communicate with a boat landing. They often had disguised gates that could be used for raids against the enemy. These gates needed additional defenses to discourage the enemy from following the raiding party too closely back into the castle. A common form of protection was a machicolation. This is basically a collection of slits in the ceiling of an entry way that would permit the defenders to drop objects or pour liquids on anyone in the entry way.

We do not advocate such aggressive defense for the average user. For one thing, attacks of various sorts are illegal and the average user does not want to risk violating the law in defending a system. At the same time users should realize that openings need to be defended. For that reason good firewalls have special rules that define what information flow is allowed through a port. One place where the average user can take some defensive action is to make sure that there are strong passwords on any wireless devices that are deployed including on the control screens. Do not run devices using just the default passwords – this is like having a castle and leaving the door unlocked.

Table 1. Some Castle-related Terms

The many castle-related terms in Table 1 further illustrate the complexity of castles. These terms describe some of the more common features associated with castles.

For a more complete list of terms, see http://www.castlesontheweb.com/glossary.html.

4 The overall plan: defensive zones

The book by Macaulay [3] contains many wonderful illustrations showing how a castle would be designed and built. Many of the steps in designing a castle correspond directly to the steps necessary in designing a secure network.


First, the builder of the castle must decide the purpose and roles of the castle. Some castles were part of a town complex, while others were more like fortresses. They also differed greatly in size and complexity, but all used layered defensive zones. In general, a castle might be part of a larger master plan that basically provided for four defensive zones as illustrated in Figure 4.

Figure 4. Layered Defensive Zones

The four typical defensive zones shown in Figure 4 – the unfortified town, the fortified town, the outer ward, and the inner ward – were often separated by three sets of walls that differed in purpose and structure. The first set of walls that an attacker might see were the town walls. These would be substantial walls with many towers. The walls would have platforms for the defenders to stand on to enable them to engage the attackers from above.

The first protected zone would be the fortified town zone, which would include all the land enclosed within the town walls, but which would be outside the outer castle wall. The outer ward would be the zone consisting of all the territory within the outer wall, but outside the inner wall. The inner ward, of course, would be the part of the castle that would be within the inner wall. Of course, a castle could have more walls than two. Even within the inner ward there could be additional fortified towers and keeps (inner strongholds) for additional security.

Castle designers had no desire for the enemy to get within their castles. Nevertheless, their designs allow for the possibility that the enemy would get in. Like secure networks with layered defensive systems, they made sure that each time the enemy got past one set of defenses, the enemy would encounter yet another set of defenses.

In addition to planning at the town level, castles were often part of a larger plan. In particular, Fedden makes the following observation [4; p.31]: “The Crusader castles would have been formidable enough as isolated units. They acquired additional strength in being linked by an elaborate system of communication with neighbouring strongholds.” Communication at that time was via carrier-pigeon and signaling.

5 Details of castle design

There are many interesting details in castle design. For example, castle walls were typically not straight. They had a slanted section near the bottom called a batter.

Figure 5. Concentric Walls With A Batter

Figure 5 shows that typically the inner wall would be taller and sometimes thicker than the outer wall. Notice the sloped section of each wall. This was called the batter and it was angled for two reasons. First, any ram hurled against the base of the wall would find itself deflected somewhat so that the full force of the ram would not strike the wall. Second, anything dropped by the defenders from the overhangs, called hoardings, at the top of the wall would be deflected onto the attackers.

Castle designers also introduced such features as drawbridges, twisted passageways, and planks that connected different sections of the wall. These planks could be removed so that if one section of wall was taken, the attackers could not easily get to other sections.

Some particularly interesting details showing the intricacies of castles can be found in [4]. For example, [4; p. 29]: “A besieger wishing to force the entrance at Krak would have had to proceed up a covered passageway and negotiate three elbow turns, at least one portcullis, and four gates furnished with machicolation.”

We should note that the drawbridge has an analog in cyber defense: “pull the plug.” In particular, it is not necessary to be connected to the Internet at all times. Users should consider cutting their connection to the Internet when there is no need for it.

It is interesting to note that an ancient security device survives to this day – the password. Since ancient times, people have employed passwords to distinguish friend from foe and to limit access to people who were trusted. Like modern passwords, castle passwords were modified on a regular basis, and different passwords might be used to access different locations within the castle.


6 Conquering a castle

Attacks against castles succeeded primarily for the following reasons:

1. Lack of Manpower

2. Psychological Pressure

3. Famine

4. Siege Weapons

5. Insiders and Trojan Horses

Some castles were too large to be defended by the garrison, or troops, that they had at the time of attack. For cyber castles, the lesson here is to make sure that you have enough staff to operate your castle’s defenses. In particular, there should be at least one person who is concerned with the cyber castle’s defenses. You might need many more people than one, but zero is never an adequate number.

Other castles fell because of the psychological pressure resulting from being surrounded. Fedden describes two instances [4; p.35-36] in which well-defended castles surrendered because of psychological pressure well before there was any physical necessity to surrender. Closely related to psychological pressure on defenders is the use of ruses of various types, including forged letters. Interestingly enough, ruses of various sorts are used today by scammers of all sorts to gain entry into networks and systems.

Famine was eventually successful in a number of castle attacks, and to defend against this threat, some castles had supplies that would last up to five years. For example, [4; p.10]: “The vast cellars at Margat were constructed to hold a thousand men’s provisions for a five-year siege.” There were not many armies that were willing to wait that long for success. Maintaining a large host in the field for a very long time is not something that most attackers were willing to do.

A number of siege weapons were useful to besiegers of castles. Some of the common weapons and tools were scaling ladders, earthen ramps, siege towers, rams, and bores. Of special interest was the technique of mining under walls and towers and then causing the mines to collapse along with the walls and towers. This technique was defeated by placing the castle on solid rock or in a body of water so the attackers could not mine. Occasionally, castle defenders dug their own mines to intersect those being dug by the enemy.

Another class of weapon that needs to be mentioned is artillery. The term artillery predates the use of gunpowder and refers to various devices like the trebuchet that could hurl large objects against the castle walls and into the castle. It is interesting to note that one of the defenses against artillery was to install artillery in the castle to be used against the artillery of the attackers. With the advent of gunpowder, the castle evolved into the fortress which no longer was used as a primary residence.

Castles, like computers and networks, have also been victims of insider threats. In [5], the authors of this paper surveyed supercomputer cluster operators and found that 9% of survey respondents reported that someone had tried a physical approach to disrupt computation or to steal data, and 5% were unsure of whether this had happened. Similarly, 8% of respondents reported that someone had tried to bribe or otherwise co-opt one of the cluster staff into helping with compromising security, and 13% were unsure whether this had happened.

Finally, attackers have long used ruses to fool defenders into letting them within the walls. The most famous example of such a stratagem was the Trojan Horse. Interestingly, this name applies to a variety of malware that is commonly encountered, underscoring the link to the classic stratagem.

7 Weapons for the Linux cyber castle

Many analogies can be made between traditional castles and Linux "cyber castles," but significant differences exist as well. First, defending a Linux castle does not endanger the lives of the system and security administrators. Also, Linux administrators can audit their computer systems and networks and can even attack their own systems (or clones of production systems) without fear of damaging the castle.

7.1 Design of the castle and surrounding grounds

The overall design of the castle grounds, the layout of the town wall, the outer and inner walls, and the location and protection of the castle entrances together are analogous to implementing a secure network topology and enforcing an effective security policy. The topology will dictate which systems and services will be available within the "town wall" of the network and what must lie within the "outer" and "inner" walls, and like their traditional counterparts, these concentric walls often become better fortified and more restrictive towards the center.

7.2 Town wall

An iptables/NetFilter firewall and PortSentry can be used to implement a strong, active, outer defense enclosing all Internet-facing servers as well as the internal network. Nessus can be used to scan for vulnerabilities, Snort can be used to monitor the town for intrusion or attempted intrusion, and Wireshark can be used to monitor network activity.

7.3 Outer wall

Internet-facing servers can be placed in a DMZ, and hosts providing services can confine those services within chroot jails or virtual machines such as Xen. Services can be further locked down using application-specific configuration files and application-specific security tools, such as ModSecurity for Apache web servers.

7.4 Inner wall

Mounting filesystems with minimal access, such as disallowing suid or write access, and performing filesystem security assessment using Tripwire provide a secure base. Also, as noted earlier, insider threats are a real danger for castles of every sort. Monitoring system logs for unusual behavior using a log scanner such as Logcheck can help to spot an insider threat. Access control lists, or ACLs, can be configured within some services such as Exim (a mail server), or BIND (a domain name server). Of particular interest are Mandatory Access Control systems such as SELinux and AppArmor, which provide fine-grained access control on a particular host. Using MAC systems can both limit the damage done by successful intrusions and prevent some intrusion attempts from ever becoming successful.
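The mount-option check described in this section can be automated. The following is an added example, not code from the paper: it audits a mount table in /proc/mounts format against a per-mount-point policy. The sample table, the policy file format and the function names are assumptions made for illustration.

```shell
#!/bin/sh
# Audit a mount table for the restrictive options a policy requires.

# Constructed sample in /proc/mounts format:
#   device mountpoint fstype options dump pass
sample_mounts() {
cat <<'EOF'
/dev/sda1 / ext4 rw,relatime 0 0
/dev/sda2 /home ext4 rw,nosuid,nodev,relatime 0 0
tmpfs /tmp tmpfs rw,relatime 0 0
/dev/sda3 /var/www ext4 ro,nosuid,nodev,noexec 0 0
/dev/sdb1 /srv/upload ext4 rw,nodev 0 0
EOF
}

# Constructed policy (the format is an assumption of this example):
#   mountpoint required-options
sample_policy() {
cat <<'EOF'
/home nosuid,nodev
/tmp nosuid,nodev,noexec
/var/www ro,nosuid
/srv/upload nosuid,noexec
/backup ro
EOF
}

# audit_mounts MOUNTS_FILE POLICY_FILE
# Prints "MISSING <mountpoint> <option>" for each required option that is
# absent, and "NOT-MOUNTED <mountpoint>" when a policy entry has no mount.
audit_mounts() {
    awk '
        FILENAME == ARGV[1] {
            # Later entries overwrite earlier ones, so an over-mount wins.
            opts[$2] = "," $4 ","
            next
        }
        NF < 2 { next }
        {
            mp = $1
            if (!(mp in opts)) { print "NOT-MOUNTED " mp; next }
            n = split($2, want, ",")
            for (i = 1; i <= n; i++)
                if (index(opts[mp], "," want[i] ",") == 0)
                    print "MISSING " mp " " want[i]
        }
    ' "$1" "$2"
}

# Run the audit on the constructed samples. On a real host, pass
# /proc/mounts as the first argument to audit_mounts instead.
run_sample_audit() {
    m=$(mktemp) && p=$(mktemp) || return 1
    sample_mounts > "$m"
    sample_policy > "$p"
    audit_mounts "$m" "$p"
    rm -f "$m" "$p"
}

run_sample_audit
```

Mount points containing spaces appear octal-escaped in /proc/mounts and are not decoded by this sketch.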

7.5 Guarded entrances and postern gates

TCP-wrapped services, configured using hosts.allow and hosts.deny, can be restricted to particular IP addresses or subnetworks. Dynamically configurable authentication, implemented using PAM, and VPNs also guard the entrances to the Linux castle. A known, protected IP address or physical access to a machine can provide a trusted back door into the system, and finally, backup tools such as BackupPC, Bacula, and fwbackups can provide an escape route in the unfortunate event that the castle has been successfully attacked and must be abandoned.
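The order in which hosts.allow and hosts.deny are consulted matters, because a client that matches neither file is granted access. The following added example (not from the paper, and not the tcpd implementation) models that order for a subset of client patterns: ALL, an exact IPv4 address, and a prefix ending in a dot. The sample files and function names are constructed for illustration.

```shell
#!/bin/sh
# Simplified model of TCP wrappers access control (IPv4 only).

# Constructed sample files.
sample_hosts_allow() {
cat <<'EOF'
# daemon_list : client_list
sshd: 192.168.1.        # admin subnet, prefix pattern
ALL: 127.0.0.1
EOF
}
sample_hosts_deny() {
cat <<'EOF'
ALL: ALL                # default deny
EOF
}

# match_file DAEMON CLIENT FILE
# Exit status 0 if some entry in FILE matches the (daemon, client) pair.
match_file() {
    awk -v d="$1" -v c="$2" '
        { sub(/#.*/, "") }                    # strip comments
        NF == 0 { next }
        {
            if (split($0, f, ":") < 2) next
            nd = split(f[1], dl, /[ \t,]+/)
            nc = split(f[2], cl, /[ \t,]+/)
            dm = 0; cm = 0
            for (i = 1; i <= nd; i++)
                if (dl[i] == "ALL" || dl[i] == d) dm = 1
            for (i = 1; i <= nc; i++) {
                p = cl[i]
                if (p == "") continue
                # "192.168.1." matches any address that starts with it
                if (p == "ALL" || p == c || (p ~ /\.$/ && index(c, p) == 1))
                    cm = 1
            }
            if (dm && cm) { found = 1; exit }
        }
        END { exit (found ? 0 : 1) }
    ' "$3"
}

# tcpd_decision DAEMON CLIENT ALLOW_FILE DENY_FILE -> prints allow or deny
tcpd_decision() {
    if match_file "$1" "$2" "$3"; then
        echo allow          # 1. a match in hosts.allow grants access
    elif match_file "$1" "$2" "$4"; then
        echo deny           # 2. otherwise a match in hosts.deny refuses it
    else
        echo allow          # 3. no match in either file: access is granted
    fi
}

# decide_sample DAEMON CLIENT [DENY_FILE]
# Decision against the constructed samples; pass /dev/null as DENY_FILE to
# see what happens when hosts.deny has no catch-all entry.
decide_sample() {
    a=$(mktemp) && dn=$(mktemp) || return 1
    sample_hosts_allow > "$a"
    sample_hosts_deny > "$dn"
    tcpd_decision "$1" "$2" "$a" "${3:-$dn}"
    rm -f "$a" "$dn"
}

decide_sample sshd 192.168.1.5             # inside the admin subnet
decide_sample sshd 203.0.113.9             # outside it, caught by ALL: ALL
decide_sample sshd 203.0.113.9 /dev/null   # empty hosts.deny
```

On hosts with TCP wrappers installed, the tcpdmatch utility answers the same question against the real files.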

8 Critical infrastructure

One area that can benefit tremendously from applying even simple castle defense principles is critical infrastructure protection. The Q & A with Joe Weiss [7] makes it clear that even the simple principle of putting up castle walls still needs to be implemented more widely. Critical infrastructure builders provide many entrances into their structures and would benefit from thinking more deeply about protecting these entrances. Joe Weiss [7] describes the use of Bluetooth to provide utility workers with easy access to electrical reclosers (circuits that can connect and disconnect parts of the electrical grid), but this Bluetooth connectivity is provided without enough consideration of what this access could do in the wrong hands. Critical infrastructure, even more than most networks and systems, must be designed to prevent easy access by people who should not have access.

One of the forces working against implementing cybersecurity measures in critical infrastructure systems is the worry that such measures would interfere with the infrastructure’s ability to deliver services. An analogous problem was faced by the creators of castles in that they needed to allow commerce and communication while simultaneously providing a high level of security. The fact that castles flourished for many years provides us with an example that it is possible to balance these competing demands.

9 Conclusion

Much can be learned from studying the way traditional castles were designed, constructed and defended. Because they are concrete and easily understood, castles can also provide a valuable metaphor for introducing concepts of cyber defense to students and non-technical users. This paper has presented some of these analogies.

Among the lessons that can be drawn from our review of castles and castle warfare are:

• Start with a good overall plan for the castle and all other entities that must be defended.

• Elements of the defense must be active. A completely passive defense will not survive the challenges and repel attackers.

• The cyber castle must be adequately staffed.

• Use defense in depth and make sure that the inner defenses also support the outer defenses. Be sure to have the equivalent of drawbridges and removable planks. Identify points in the security topology that can be used to quickly isolate zones from the network and from other zones.

• Make sure that the cyber castle has a solid foundation.

• Use every means possible to make the attacker's job more challenging.

• Know your attackers. It is important to get some idea of the sophistication of your primary attackers.

• Find a balance between security and service. Castle designers faced this problem and found many successful solutions.

10 References

[1] McDougal, Monty D., Castle Warrior: Redefining 21st Century Network Defense, Proceedings of the 5th Annual Workshop on Cyber Security and Information Intelligence Research: Cyber Security and Information Intelligence Challenges and Strategies, Oak Ridge National Laboratory, 2009, http://www.isiconference.org/2009/MontyMcDougal_Raytheon.pdf

[2] Davis, Michael A., Time for a New Strategy, InformationWeek, Feb. 22, 2010, Cover and pp. 29-34, http://www.informationweek.com/news/security/management/showArticle.jhtml?articleID=223000132

[3] Macaulay, David, Castle, Houghton Mifflin Co., NY, 1977.

[4] Fedden, Robin, Crusader Castles, Art & Technics, London, 1950.

[5] Markowsky, G., Markowsky, L., Survey of Supercomputer Cluster Security Issues, Proceedings of the 2007 International Conference on Security & Management, pp. 474-480.

[6] Trost, R., Practical Intrusion Analysis: Prevention and Detection for the Twenty-First Century, Pearson Education, Inc., Boston, MA 2010.

[7] Elinor Mills, Joe Weiss, crusader for critical infrastructure security (Q&A), CNET News, May 10, 2010.