Wild, wild west: in the fight against cybercrime, weapons have short shelf lives. If you purchased a brand new computer today with all the latest security software and plug it into the Internet, how long would it be before the first hacker probed it?
About four hours.
Even the latest innovations to protect networks are not enough to counter cybercrimes.
"Unfortunately, it's still a bit of a wild West," says Tim McKnight, vice president and information security officer for Northrop Grumman Information Systems.
"You're having to fight hackers with very little governance and law," he adds. Cybercriminals have the upper hand because the cost of planning and executing a cyberattack is cheap and it's difficult to identify the attackers.
U.S. networks are the targets of choice.
"We're the most vulnerable nation on the Earth because we're the most dependent," John "Mike" McConnell, former director of national intelligence and a senior vice president at Booz Allen Hamilton, says at a conference organized by the Security Innovation Network.
President Obama in a May speech pinned America's economic prosperity to the security of its digital infrastructure. "It's now clear this cyberthreat is one of the most serious economic and national security challenges we face as a nation. It's also clear that we're not as prepared as we should be," he warned.
On July 4, about 170,000 computers in 74 countries were linked, unbeknownst to their owners, in a botnet--a collection of malicious software robots that run autonomously. The botnet was commanded by unidentified assailants who attacked government websites in South Korea and the United States. Nearly all U.S. federal agencies, including the White House, were hit by the denial-of-service attack.
"I think we're really at a crisis point where we have no confidence in the security of our information," Amit Yoran, former director of the United States Computer Emergency Readiness Team (US-CERT) and the Department of Homeland Security's national cybersecurity division, tells National Defense.
Homeland security officials worry most about a "digital Pearl Harbor" attack on the nation's cyber-infrastructure. The July 4 attack could be a harbinger of things to come, they say.
"I believe we are being set up. We are being probed constantly," says Robert Rodriguez, chairman and founder of the Security Innovation Network. "The adversaries are innovating faster than we are because they don't have corporate governance and budget and privacy issues. They move at warp speed."
Many of the technologies that have been developed in the last decade to protect networks--firewalls, intrusion detection systems and anti-virus products--assume that networks have perimeters, points out Yoran, who is now chief executive officer of NetWitness Corp., a security software provider. But in the current digital world, there are none.
"You can't build a fort," he says. "You can prevent really simplistic attacks by putting up these castle walls. But in today's environment ... it's literally impossible to define what your enterprise network looks like today, let alone build a castle around it that leaves your organization nimble and agile enough to accomplish its mission."
Another problem is that friends and foes all operate in the same Internet. Like the shipping lanes of the seas, it could take decades to establish borderlines in the digital world. "It's taken hundreds of years to define those treaties and those boundaries," says Rodriguez. "We haven't come close to defining the Internet routes and the policies." Until those are established, defending networks will remain an ad hoc process where even the best defensive measures turn into a sieve through which cybercriminals can slip.
"Our solutions are perishable. The shelf life of a solution is fairly short," says Per Beith, director of global network operations at Boeing Co., which is attacked by some 500,000 viruses a month.
To demonstrate how vulnerable networks can be, a team of Northrop Grumman engineers purchased a brand new computer with the latest security software and linked it to the Internet. Within four hours, a hacker had "pinged" or probed the system. Within a week, a "rootkit"--a form of malicious software--had been installed on its hard drive. Within two weeks, the computer was enslaved by servers that were traced to Canada, Singapore and another unidentified location, and used to attack a computer in Poland.
This happens because there is a large gap between the time a vulnerability is discovered and the release of a software patch to protect a system, says McKnight of Northrop Grumman. In many cases, it takes vendors weeks and even months to provide a patch, which may not even work.
If perpetrators are discovered in time, the harm can be mitigated. "There's a window of opportunity between the time a system is compromised and the time that the organization is impacted," says Yoran of NetWitness. A better approach is to address advanced threats, such as attacks that are targeting applications, he says.
An example would be an Adobe attachment or image file in an email. Within the metadata tags of the PDF, would-be attackers could embed exploit codes that literally take control of a system, or establish a command-and-control shell back out to somebody in a remote location who wants to have access to a system, he explains. "When you're dealing with advanced threats, you don't know what you don't know," Yoran says. "Getting this type of independent, forensically valid observation point to help you start answering questions is quite compelling."
The Independence Day denial-of-service attacks did not affect sites that had kept up-to-date with patches, says Lee Holcomb, director of Lockheed Martin's center for cybersecurity innovation. He estimates that 80 percent of today's problems result from simply not patching systems or following appropriate guidelines for network security.
This is relatively easy to achieve for home PC users. But entities with high value assets, such as financial institutions, or government contractors, are exposed to more sophisticated attacks from savvier adversaries.
Yoran believes that many of the malicious activities are happening on the inside of networks after intrusions have already occurred. It is nabbing those types of activity that is causing the most headaches for security professionals.
Northrop Grumman has set up a new cyber-operations facility in Maryland where teams monitor more than 10,000 servers for about 105,000 clients. The center has been compared to a CSI forensics laboratory.
"It really brings together a comprehensive picture of the threat intelligence," says McKnight. The goal is not only to detect intrusions and react to the consequences, but also to analyze malicious software and codes, and break them down so that information security efforts can start to be more proactive.
Catching up to the perpetrators is difficult. "We're not dealing with the big worms and viruses like we did three, four, five, seven, 10 years ago. Now it's all quiet and sophisticated attacks that have to be broken down and analyzed at a forensic level," he says.
McKnight, a former FBI agent, says these forensics investigations are not easy because the attacking software continually evolves. Eventually, technologists will have to focus on the resiliency of networks to stay up and running while under attack.
Other companies, such as Boeing, also are applying the concept called "defense in depth," which aims to deploy protective measures in layers across networks. Much like securing a home, where locks on doors and windows are but the first layer of defense, further measures, such as monitoring systems, cameras and guards, can be added to provide additional security.
Cyberdefense begins and ends with the individual computer user, Beith says. Training operators to act defensively against potential threats, and then adding layers of security--hardware, software, intrusion detection systems, and monitoring systems--can help protect networks.
Boeing also is developing simulations to replicate the network environment in the virtual world. There, engineers can test the network for potential vulnerabilities and design countermeasures.
Lockheed Martin is working on several technologies to combat cyber-attacks, says Curt Aubley, chief technology officer of NexGen operations and solutions. A system called Ironclad enables networks to have "trusted end points" so there is no data leakage. Another technology called Nimbus allows real-time command and control of cloud computing. A DASHnet self-healing capability gives a network the ability to chase down perpetrators and conduct forensic investigation.
Besides improved technology, a sea change in the perception and policies of cybersecurity is needed, experts note.
The mentality of "it won't happen to me" is pervasive, Rodriguez says. Holcomb, a former chief technology officer for the Department of Homeland Security, says that during his time at DHS, many companies, even those that provide critical infrastructure for the nation, were not willing to spend a penny more for security than their competitors. "This has continued today. They don't invest, and won't, until something happens," he says. "There needs to be better transparency and metrics in this area. It's hard to measure the significance of the threat and the problem."
More collaboration between the government and industry will help to advance the security of the nation's networks, experts agree.
"If we do that effectively, then I think we truly can be more timely in our reaction and hopefully get to the point where we can be more proactive in how we respond to these threats," says Beith.
McConnell says that nations will have to agree to some international standards to make the global cyber-infrastructure more secure. "We'll have partnerships that we didn't imagine just a few years ago. That's how I see the future," he says. IT systems must have built-in cyberprotection, which potentially will be a huge market, he adds.
Already, new standards put forth by the National Security Agency are driving companies to provide better encryption methods to protect data in transit. But ensuring that all companies are meeting those higher standards will be a challenge.
Most companies employ strong encryption and decryption measures, but use weaker methods to send those keys to and from endpoints. "That's a little bit like having a steel door to your house, but putting the key to that door in a little tin box next to it. I don't have to cut through the steel door to the vault. I can just cut through the tin box and get your key out," says Bill Lattin, chief technology officer for Certicom, the company that pioneered a new key distribution technique called elliptic curve cryptography.
ECC uses smaller key sizes to achieve the same level of security as older methods, such as RSA, an algorithm for public-key cryptography. An ECC key size of 256 bits is equivalent to an RSA key size of 3,072 bits. Increasingly, ECC is being incorporated into software products from Microsoft and Sun, and into devices, such as Blackberries.
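To make Lattin's "tin box" point concrete: with elliptic-curve Diffie-Hellman, the symmetric key is never sent between the endpoints at all; each side derives it from its own private scalar and the other side's public point, so an eavesdropper on the wire sees only the public points. The following is an added illustration, not code from the article or from Certicom. It uses a deliberately tiny textbook curve (y^2 = x^3 + 2x + 2 over GF(17), generator (5, 1) of order 19) so the arithmetic can be followed by hand; the curve parameters, the party names and all helper functions are constructed for this example and are nowhere near real-world key sizes.

```python
# Toy elliptic-curve Diffie-Hellman (ECDH) key agreement.
# Constructed example curve: y^2 = x^3 + 2x + 2 over GF(17), generator (5, 1), order 19.
# Parameters this small are for illustration only; real deployments use standardized
# curves with ~256-bit fields (the size the article compares to 3,072-bit RSA).
import secrets

P = 17          # field prime (constructed, toy-sized)
A, B = 2, 2     # curve coefficients in y^2 = x^3 + A*x + B
G = (5, 1)      # generator point
N = 19          # order of G (19 * G is the point at infinity)


def inv_mod(x, m=P):
    """Modular inverse by Fermat's little theorem; m must be prime."""
    return pow(x, m - 2, m)


def point_add(p1, p2):
    """Add two curve points. None represents the point at infinity (identity)."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return None                                   # p1 == -p2
    if p1 == p2:
        s = (3 * x1 * x1 + A) * inv_mod(2 * y1) % P   # tangent slope (doubling)
    else:
        s = (y2 - y1) * inv_mod(x2 - x1) % P          # chord slope
    x3 = (s * s - x1 - x2) % P
    y3 = (s * (x1 - x3) - y1) % P
    return (x3, y3)


def scalar_mult(k, point):
    """Compute k * point with double-and-add."""
    result = None
    addend = point
    while k > 0:
        if k & 1:
            result = point_add(result, addend)
        addend = point_add(addend, addend)
        k >>= 1
    return result


def keygen():
    """Random private scalar in [1, N-1] and the matching public point."""
    priv = secrets.randbelow(N - 1) + 1
    return priv, scalar_mult(priv, G)


def shared_secret(my_priv, peer_pub):
    """Derive the shared secret (x-coordinate of my_priv * peer_pub).

    Only public points cross the wire; the secret itself is never transmitted,
    which is the difference from shipping a symmetric key under weak protection.
    """
    point = scalar_mult(my_priv, peer_pub)
    return None if point is None else point[0]


def ecdh_exchange(alice_priv=None, bob_priv=None):
    """Run one exchange; returns (what the wire sees, Alice's secret, Bob's secret)."""
    if alice_priv is None:
        alice_priv, alice_pub = keygen()
    else:
        alice_pub = scalar_mult(alice_priv, G)
    if bob_priv is None:
        bob_priv, bob_pub = keygen()
    else:
        bob_pub = scalar_mult(bob_priv, G)
    on_the_wire = {"alice_pub": alice_pub, "bob_pub": bob_pub}
    return (on_the_wire,
            shared_secret(alice_priv, bob_pub),
            shared_secret(bob_priv, alice_pub))


if __name__ == "__main__":
    wire, a_secret, b_secret = ecdh_exchange()
    print("observed on the wire:", wire)
    print("Alice derives:", a_secret, " Bob derives:", b_secret,
          " match:", a_secret == b_secret)
```

With fixed private scalars 3 and 7 the shared point is 21 * G = 2 * G = (6, 3), so both sides derive 6 while the eavesdropper sees only 3 * G and 7 * G; on a real curve recovering the scalar from those points is the elliptic-curve discrete logarithm problem.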
EMAIL COMMENTS TO GJEAN@NDIA.ORG