Electronic attackers: computer crimes keep government and industry on the defensive.
An onslaught of increasingly sophisticated cyber attacks has prompted the government and private sector to step up efforts to share information and secure networks around the country.
Yet the complexity of new malicious code and the elusive nature of cyber attackers have become significant impediments to detecting or preventing most intrusions.
Computer crimes have quickly increased in recent years and have overtaken the ability of the government and the private sector to fully protect their systems.
"We are constantly in the reactive mode," says Jerry Dixson, director of the national cyber security division at the Department of Homeland Security.
Long gone are the days of young whiz kids hacking into computers to fulfill curiosity or to prove their computer prowess. Today's cyber criminals are as technologically agile, but more perceptive and evasive.
"Software we found through investigations has gotten really sophisticated. It almost requires a PhD," Dixson says.
The Federal Bureau of Investigation identified more than a million computer addresses in June as potential victims of "Bot Net" cyber crime. The FBI defines a Bot Net as a collection of computers that is controlled by a criminal. The attacker gains control of a computer through a piece of malicious software, which infects the system without most owners' knowledge, Dixson explains.
"The majority of victims are not even aware that their computer has been compromised or their personal information exploited," says James Finch, FBI assistant director for the cyber division, in a statement. The crimes were discovered during "Operation Bot Roast," a major initiative created to disrupt intruders and raise public awareness of such attacks, the agency says. The FBI is working with Carnegie Mellon University's computer incident research and development center to notify victimized computer owners.
Malicious code is one of the most serious threats because of its stealth and the level of financial damage it can inflict, says Ron Ritchey, principal at Booz Allen Hamilton, a technology consulting firm.
"There is a lot of money to be made from making new malicious code. Criminals can make $200,000 a year," Ritchey says.
A movement toward browser-based attacks has also emerged, he says. These entail a person's computer being attacked when logged on to an infected website. Dixson says that browser attacks can occur on seemingly innocuous web pages, like news outlets. Users can be compromised if even one line of code is infected on that site.
The intricacy of these sophisticated attacks has trumped old ways of securing networks.
"Typical perimeter security such as firewalls are becoming increasingly ineffective," Ritchey warns. Companies are moving to individual computer protection like desktop encryption. "Encryption is going to be the law of the land pretty quickly," he says. Behavioral modeling is also used to detect possible intrusions, by monitoring such activity as high bandwidth consumption, which can signal an impending
Tracking patterns of strange behavior is a good way to detect an incursion, but finding the person or group behind the crime is much more difficult. The bad guys can generate attacks faster than they can be detected and traced. "The rate of prosecution is minuscule compared to the rate of attack," Ritchey says. Companies have had some amount of success by making trap doors, such as creating a file with specific corporate data that would attract a criminal, he says.
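As an added illustration (not code from the article or from any of the organizations it quotes), the following sketch shows the two detection ideas Ritchey describes: a per-host bandwidth baseline that flags unusual egress, and a decoy file whose very access is treated as a strong signal. Host names, paths and byte counts are all constructed for the example.

```python
"""Behaviour-based detection sketch: bandwidth baseline + decoy-file access.
Added example; all hosts, paths and numbers below are constructed."""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed hourly egress summaries: (host, hour, bytes_out).
FLOW_LOG = [
    ("ws-17", 0, 1_200_000), ("ws-17", 1, 1_050_000), ("ws-17", 2, 1_400_000),
    ("ws-17", 3, 980_000),   ("ws-17", 4, 1_300_000), ("ws-17", 5, 9_800_000),
    ("db-02", 0, 5_000_000), ("db-02", 1, 5_200_000), ("db-02", 2, 4_900_000),
    ("db-02", 3, 5_100_000), ("db-02", 4, 5_050_000), ("db-02", 5, 5_150_000),
]

# Constructed file-access audit records: (host, path).
ACCESS_LOG = [
    ("ws-17", "/share/finance/q3_forecast.xlsx"),
    ("ws-17", "/share/finance/_merger_targets_confidential.xlsx"),  # decoy
    ("db-02", "/var/lib/db/data"),
]
# The "trap door": a planted file no legitimate workflow ever opens.
DECOY_PATHS = {"/share/finance/_merger_targets_confidential.xlsx"}


def bandwidth_anomalies(flows, k=3.0, min_samples=4):
    """Return (host, hour, bytes) records whose egress exceeds that host's
    own baseline: mean + k * stddev of the host's *earlier* hours. A host
    needs min_samples prior observations before it is judged, so the
    first few hours of data never trigger alerts on their own."""
    history = defaultdict(list)
    alerts = []
    for host, hour, nbytes in sorted(flows, key=lambda r: (r[1], r[0])):
        prior = history[host]
        if len(prior) >= min_samples:
            threshold = mean(prior) + k * pstdev(prior)
            if nbytes > threshold:
                alerts.append((host, hour, nbytes))
        prior.append(nbytes)  # learn from every hour, alert or not
    return alerts


def decoy_touches(accesses, decoys=DECOY_PATHS):
    """Any access to a decoy path is reported; there is no benign reason for it."""
    return [(host, path) for host, path in accesses if path in decoys]


def run_detection(flows=FLOW_LOG, accesses=ACCESS_LOG):
    return {"bandwidth": bandwidth_anomalies(flows), "decoy": decoy_touches(accesses)}


if __name__ == "__main__":
    for kind, hits in run_detection().items():
        for hit in hits:
            print(f"[{kind}] {hit}")
```

On the constructed data only ws-17's hour-5 burst and its decoy access are reported; db-02's steady traffic stays under its own threshold, which is the point of a per-host rather than global baseline.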
The government and private sector alike recognize that cyber crime threatens everyone. "We all use the Internet," Dixson says. This thinking has prompted both sides to forge partnerships and increase information sharing.
A DHS-led computer simulation in 2006, called "Cyberstorm," paired government, private sector and international partners to develop recovery and response plans in the event of a major attack. Microsoft experts served as advisors, Dixson says.
A second Cyberstorm is scheduled for March 2008, he says. Participants in the second exercise will come up with a "what-if" scenario and create a response plan. The main focus will be on telecommunications, Dixson says.
DHS also collaborated with private firms when it wrote a computer breach scenario in the National Response Plan, which describes 15 possible domestic incidents and creates a road map for the government to respond and assist local governments, he says.
On the Defense Department side, the Air Force has reached out to the private sector as it develops its new cyber command, the service's future focal point for computer warfare. Lt. Gen. Robert J. Elder Jr., commander of 8th Air Force, is in charge of the new organization. He has worked with the banking and finance sector to learn about computer security.
The Air Force has also signaled a desire to work with the private sector to train airmen in cybersecurity. "My guess is we'll have extensive internships with the private sector," says Maj. Gen. Charles Ickes II, Air National Guard special assistant to the deputy chief of staff for operations, plans and requirements. The service plans to engage Guard and Reserve personnel who work at computer firms such as Microsoft and Dell, Ickes explains.
Despite collaborative efforts to protect against computer incursions, the government and private sector face significant operational problems, the Government Accountability Office says in a June report.
GAO criticizes both sides for not always detecting or reporting Internet-based crimes and says that law enforcement organizations have difficulty retaining personnel with such expertise.
Computer crime accounted for $67.2 billion in annual losses for U.S. organizations, says GAO.
While public and private entities have initiated efforts to address these problems, federal agencies can take additional action, the report says.
"There remains a lack of understanding about the true magnitude of cyber crime and its impact because it is not always detected or reported," GAO asserts. "Businesses do not always want to report problems because there is a perception that their information will be disclosed publicly, which could, in turn, cause harm to their business."
Ritchey agrees that companies are not always willing to share private information. They don't want to hand "embarrassing information" to the government, he says, because "having an intrusion looks like a failure."
Dixson, on the other hand, believes that incident reporting is succeeding. "Every year, the number of incidents reported doubles," he says. This information helps law enforcement get a jump-start on catching attackers. Microsoft and the Bot Net Task Force, a public-private effort started by Microsoft, came forward and reported criminal activity to the FBI during "Operation Bot Roast," which helped the agency find some of the criminals, the FBI says. Three people were charged or arrested during the sting for computer fraud and violations.
Information technology personnel who are scared to report attacks further hinder crime reporting, GAO says. They "fear for their jobs after an incident and seek to conceal the breach from senior management."
But Ritchey disagrees. Within companies, internal reporting is typically good, he says.
Furthermore, the U.S. computer emergency readiness team--the operational arm of DHS's national cyber security division--allows personnel to report incidents without fear of retribution, Ritchey and Dixson both point out. The computer emergency readiness team at DHS coordinates defense and response to computer attacks. It also acts as a clearinghouse for such threats and keeps all data from the private sector confidential with "the assurance that the information will be protected from public disclosure," the team's website says.
Other challenges remain to mitigating computer crime, GAO says, such as the need to improve security for organizations and individual users, as well as raising public awareness about criminal behavior. Dixson notes that the national cyber security division is working with IT companies on software assurance to address this challenge.
To help individual users, DHS is "encouraging folks to use two factor authentication," Dixson says. Companies could start requiring their clients to use two different electronic credentials when accessing an account, for example. This method, however, entails expensive infrastructure costs, Ritchey says. He notes that companies are struggling with the cost versus benefit of security measures.
GAO also suggests that law enforcement personnel struggle to prosecute Internet crimes because there is a limited pool of highly trained specialists. Additionally, the report says that law enforcement efforts are hampered by the cross border nature of such crime. Officials have a hard time figuring out the laws and legal procedures of multiple jurisdictions, GAO says.
Analysts acknowledge the immense difficulty of mitigating attacks and providing ironclad security. "It will take years to implement security measures," Ritchey says. Yet he doesn't believe attacks will keep increasing over the years because there are significant security measures in place. That doesn't mean the struggle will end, Ritchey predicts. "It definitely is an arms race" between the criminals and the victims.
Email your comments to Bwagner@ndia.org
RELATED ARTICLE: Cyber attacks in Estonia serve as wake-up call.
IN LATE APRIL, a wave of cyber attacks began disrupting nationwide network operations in the small Baltic state of Estonia. The attacks compromised both public and private websites and sent a wave of panic through a country that is known for being especially "wired."
The first attacks coincided with the removal of a bronze statue of a World War II-era Soviet soldier from the town square in the capital city of Tallinn. Estonia blamed the computer attacks on the Russian government.
Immediately following the attacks on Estonia's computer networks, a flood of stories hit the Internet that painted a dark and stormy picture of future "cyber-wars" that would result from the incursions.
For computer security experts, these doomsday scenarios were far from reality. The attacks are characterized as "cyber protest or activism," says Dorothy Denning, a computer security expert at the Naval Postgraduate School. They were coupled with street-level protests by ethnic Russians living in Estonia, she notes.
Now that the dust has cleared, analysts believe that the attacks were most likely a result of political tensions between Russia and Estonia over the statue, and not a full-scale cyberwar that was meant to physically harm Estonian citizens through electronic attack.
The incident was more of a wake-up call than a threat to global computer security, says Ron Ritchey, principal at Booz Allen Hamilton.
The United States need not be worried, Ritchey says, because U.S. Internet service providers are much more capable of handling the type of attacks Estonia experienced, called denial of service attacks. They involve an attacker overwhelming a network with traffic or disrupting service to specific systems or Internet users.
Others agree that such an attack would have little national impact in the United States. When Estonian computers were first compromised, Capitol Hill asked the Department of Homeland Security if such an attack could happen in the United States, says Jerry Dixson, director of the national cyber security division at DHS. "I only think it could have regional impact," he says.
Although the incident was not seen as a major attack, it still had significant impact on Estonia. The parliament, banking systems and media outlets were compromised, prompting the country to reach out for help.
The "worldwide community helped to protect them" and contain the situation, Ritchey says. The Defense Department sent a team of officials from DHS, FBI and the Secret Service to assist, says Dixson. The team is still analyzing the vast amount of information and will "try to learn something from this."