Computer Security Experts Warn of Growing System Vulnerabilities
As Internet access and machines for the masses are proliferating, cybercriminals and their threats are increasing geometrically.
The spread of information and networking technology into virtually all corners of the globe is spawning new opportunities for criminals and terrorists to wreak havoc through the Internet. The dichotomy of system complexity and ease of individual use has created a target-rich environment across the entire realm of cyberspace.
Several factors are contributing to this trend. As computers and networking become simplified, more and more nonexperts who lack the necessary security knowledge are dabbling in system configuration. Simultaneously, more companies and individuals have increased their use of the Internet for e-commerce, thus providing tempting targets for larceny-minded computer operators.
Meanwhile, the number of Internet security incidents doubles each year. The advent of wireless personal network access offers even greater potential for criminals both to access vulnerable systems and to cover their tracks to evade law enforcement tracing efforts.
Tasked with keeping track of Internet security threats and proposing solutions is CERT, located at the Software Engineering Institute at Carnegie Mellon University, Pittsburgh. CERT was originally established in December 1988 as the computer emergency response team to serve as a point of contact for members of the Internet community to deal with security problems. Since then, CERT has grown to approximately 70 full-time experts who cover aspects of security ranging from research and training programs to vulnerability warning and incident response.
In 1989, CERT’s first full year of operation, it received a total of six incident reports. In 1999, more than 9,000 security incidents were reported. Rich Pethia, director of the CERT centers, expects that number to double by the end of 2000, which is a trend that he foresees continuing for several years. This cyberspace threat, a variation on the geometric increase theme of Moore’s Law, is due to both the rapid growth in the Internet community and the increased reliance on information access for personal and business use.
Much of CERT’s activities involve understanding vulnerabilities and Internet technologies, working with product vendors to fix these vulnerabilities, alerting the Internet community to take necessary protective steps, and helping administrators of victimized sites diagnose and understand each attack and deter future ones.
Nonetheless, protection must be established from the inside out. Pethia emphasizes that government and industry organizations must have their own internal “first line of defense” against the new types of cyberattacks now emerging.
A recent computer crime and security report conducted for the Federal Bureau of Investigation (FBI) by the Computer Security Institute of San Francisco noted that 90 percent of surveyed large corporations and government organizations detected computer security breaches over the past year. Seventy percent reported a variety of serious security breaches beyond common problems such as viruses, laptop theft or employee network abuse. More of these serious incidents are coming in over the Internet. A total of 273 respondents could quantify fraud-related financial losses of more than $265 million—an average of almost $1 million per organization.
In addition to the few headline-making e-mail viruses, CERT officials are seeing a broad range of security incidents. Denial-of-service attacks especially are increasing and occurring on a regular basis. Pethia states that CERT receives up to six such reports each week, and some of these attacks knock their targeted sites off line for several days.
Rather than random scatter shots, these denial-of-service attacks are definitely targeted, Pethia continues. “For some reason, somebody wants to put another organization temporarily out of business. Today, unfortunately, there are effective ways to do that,” he emphasizes.
This trend became serious in 1995 and has grown to cause significant problems for many organizations. “We don’t spend a lot of time trying to understand who the bad guys are or their motives, but it is pretty clear that there is some more serious activity going on today than just a year ago,” he relates.
Many denial-of-service attacks encompass both shutting down a company’s e-commerce World Wide Web site and accessing a firm’s data processing infrastructure. Most attacks aim at preventing Internet use by a company, but other attacks gain privileged access to a company’s systems to damage its files or steal intellectual property.
CERT currently is receiving more than 300 reports each week. Because the organization cannot provide individual responses to each report, it engages in a triage assessment to establish response priorities. Pethia explains that the highest priority cases are those that can be life-threatening. These might involve tampering with patient records at medical facilities, for example. Equal in priority to these cases are those involving national security and defense. Any attacks aimed at military organizations or imperiling U.S. security are rated as highly as direct threats to life, Pethia warrants.
Next on the list are attacks on the Internet infrastructure. This encompasses activities that might cause widespread degradation or loss of service. After Internet attacks come widespread attacks against individual organizations. These would include e-mail viruses such as the Love Bug, which affected numerous sites without inhibiting overall Internet operation. Lower on the priority scale are attacks on sites or groups of sites where the attackers have attained privileged access to a government or corporate network.
Concurrent with these responses, CERT is keeping alert for new vulnerabilities or forms of attacks. When either is discovered, CERT issues advisories to the Internet community. Pethia relates that the organization receives about four new vulnerability reports daily. As with site attacks, CERT employs a process for establishing priorities with its advisories. Eight different factors help determine whether an advisory should be issued. For example, a combination of the likelihood that a vulnerability would cause significant damage if exploited and the likelihood of a vulnerability actually being exploited may impel CERT to issue an advisory.
The CERT director describes two significant challenges among the many facing computer security efforts today. One of the biggest is that the exploding use of Internet technology is outracing the number of technical experts that truly understand how to configure and manage secure systems properly. “We just don’t have enough qualified people to meet the demand for people who understand how to secure and operate these systems in a reliable way,” he states.
This shortage is exacerbated by the way technology is becoming extremely easy to use, he adds. Consequently, a greater number of people are putting together a variety of functional system configurations. However, unlike trained computer experts who formerly were the only technicians capable of system configuration, most of these people lack the technical expertise to secure their systems properly. The result is a growing number of complex computer systems that lack necessary security.
Another challenge emerges from system complexity. Pethia states that, while the computer industry has focused on engineering for ease of use, it has not paid enough attention to engineering for ease of secure administration. “Industry must recognize that it is building products for a user base that, in terms of technical skill, is very different from the user base we had 10 years ago,” he explains. “We must do a better job of building these systems so that they are not so difficult to secure and to keep secure over time.”
This will require a fundamental change in the way that industry builds its products, Pethia continues. The challenge for the major technology vendors is to look at the security problem in a different light. “It starts with the operating systems and the network software. If you look at all the various configuring options that are available today—and as you begin to build systems that are made up of software components from a number of different vendors—we need to do a better job of helping people understand how to configure these systems so that they are not leaving themselves open to some form of attack.”
Even with a simple precaution such as producing default configurations that enable, rather than disable, system security features would be a significant step in the right direction, he offers. Systems would come out of the box in a secure state rather than requiring someone to secure them.
“It’s not just that we can avoid many of these problems,” he declares. “In my opinion, we must avoid these problems because we simply cannot bring a large enough number of people up the learning curve.”
As Pethia sees it, the goal is to evolve computer security to a state similar to that of the operation of an automobile. These vehicles, as built today, do not require an automotive engineer or a master mechanic to operate safely and reliably. Conversely, today’s computer systems require “almost a master technologist” to operate securely. Bringing computer systems down to this level of safety is probably at least five years away, he offers.
Meanwhile, the explosion in technology is going to continue, and the next three to five years will bring a major increase in the number of security problems. As homeowners incorporate broadband access such as digital subscriber line (DSL), a host of new opportunities will emerge in the form of seldom-protected, always-on machines. Attackers could focus on breaking into these home machines and using them as platforms for attacking others.
The proliferation of wireless Web access also will complicate security challenges. Tracking down cybercriminals and terrorists will be far more difficult when they operate from mobile platforms.
CERT does not work at tracking down cybercriminals. Instead, it focuses on the technology and vulnerability side of security threats. “We leave the investigation up to the investigators,” Pethia explains. If the reporting organization requests law enforcement help, CERT will facilitate communication between the victim and investigators, which usually involves the FBI for commercial intrusions.
This reluctance to independently notify law enforcement comes under CERT’s rule of confidentiality. The organization treats all of the information from reporting groups as privileged and not to be shared without consent. In rare occasions where CERT officials believe that law enforcement needs to be informed—such as when dealing with an intrusion that might be indicative of a broader threat—these officials will seek to persuade the reporting organization to alert the authorities. Pethia allows that CERT has been successful in 99.9 percent of these types of cases.
Not only is CERT itself not immune from attacks, the organization is a daily target for cybercriminals. “I don’t think an hour goes by without someone trying to attack us,” Pethia says. “To our knowledge, no one has ever been successful.”
As the Internet has broadened its reach, the types of organizations reporting intrusions also have increased. Both fraud and denial of service are increasing, and this trend is likely to continue. “I don’t think there is any type of problem that we see in decline,” Pethia declares.
“The attackers are having a field day right now,” he continues. “Very often, when people come to the Internet, they don’t understand the risks and threats, and they come ill-prepared.” Pethia notes that many attackers target newly established sites on the Internet as the most vulnerable and view them as opportunities.
CERT offers two types of training courses for managers and technical staff. One area covers incident response, and the other involves helping system administrators to understand the necessary steps for protecting their systems. CERT also publishes a series of documents on best practices and tips.
It is vital for managers to understand their systems and identify the critical operating areas that need protection, Pethia states. Trying to protect every asset at the same level probably is unaffordable, he notes. Instead, managers should determine the sensitive data that needs protection, especially the corporate assets that must be guarded against theft or alteration. This analysis also should encompass the systems and functions that are both vulnerable to denial of service and are necessary to keep the business up and running.
“Organizations must treat the security problem as seriously as they would any other threat against the operation of their systems,” Pethia emphasizes. Security must not be a background activity but instead an integral part of an organization.
Managers also must establish policy to meet these needs and communicate this policy to all levels of management and users. This includes establishing clearly defined roles and responsibilities. In addition, key personnel must understand the technical steps that constantly must be taken to secure a system.
As for CERT, Pethia shares that it is looking to increase the number of its personnel. This might be possible through increased funding or new sources of financial assistance from the private sector, he suggests.