Who's winning the cyberwars? Hackers and terrorists are constantly developing new exploits, which government and industry must defend against. (Computer Security).
But an avalanche of attacks did occur. According to the CERT Coordination Center, which keeps track of reports of security vulnerabilities and incidents, more than 43,000 incidents had already been reported in the first two quarters of this year (the latest data available at press time), compared with a total of 52,658 in all of 2001. These incidents included attacks by worms and viruses that installed backdoors that allowed hackers to remotely control infected computers.
Experts say that the tragedies of 9-11 and the release a week later of a worm called Nimda have helped to focus attention on the need for better cybersecurity. This heightened awareness has changed government and corporate attitudes and has led to some improvements in network security in both the public and private sectors. But hackers, too, have made progress over the year. The following report examines the changing threatscape as well as steps taken to defend against these evolving threats. Proactive measures examined include public-private liaisons, the issuance of a national strategy to secure cyberspace, and ongoing cybercrime-fighting efforts. This report also assesses efforts by the private sector in terms both of what corporations are doing internally and what technology providers are doing to improve their products.
Evolving threats. Hackers' methods are morphing into something more menacing than they were before, many experts say. Indeed, many are becoming more skillful, and more clever, says Ed Skoudis, vice president of security strategy for Predictive Systems. "What's happening is that the bad guys are getting much better at doing very detailed analysis of source code as well as already compiled code, so they can walk through assembly-language code and find flaws at a level of detail they never could before," he says. One reason for this, he says, is the release of new programs and new techniques that make this type of analysis easier.
But they've also widened their choice of targets. For example, on July 30, someone hacked into the Web site of OpenSSH, a free and widely used security program that encrypts traffic as it moves across the Internet. The hacker installed a Trojan horse (a tool that allows remote access to a computer) into the OpenSSH download, so that anybody who downloaded the program before the Trojan horse was discovered unknowingly installed a back door on that system.
Other incidents in which legitimate tools available for download by users were broken into and corrupted with a Trojan have occurred around the world. For example, in September, the source code for Sendmail, a popular mail-server program, was modified to contain a Trojan. It was more than a week before the compromise was noted and removed from the Sendmail FTP site.
Infrastructure targets. Over the past year hackers have increasingly targeted critical elements of the Internet's infrastructure. "Code that's starting to attack routers, not individual systems, is the problem," says Steven Branigan, vice president of engineering for Lumeta, which provides software to help companies look for vulnerabilities. Branigan explains that routers are becoming more attractive to hackers because they are offering more services than just moving data packets.
Jeff Schmidt, founder and CTO of managed security services provider Secure Interiors, adds that this new focus is part of a transitional phase that many hackers are going through, in which they are moving away from what he calls "guns blazing" attacks and toward more sophisticated and more damaging attacks aimed at specific targets, he says.
Virus advances. Viruses and worms continue to be a menace for every computer connected to the Internet. David Perry, global director of education for antivirus company Trend Micro, says there are "seven to ten viruses discovered every day, and constant virus infestations going on in the world." Many of these, he says, are not new pieces of malicious code; rather, they are variants on existing viruses and worms. These variants often slip by antivirus scanners until new "signatures," which identify the virus, are updated.
Another challenge is that malicious code writers are finding new ways to infect computer networks without relying on users to open e-mail messages. Perry says that this represents a growing collaboration between hackers and virus writers to create more malicious attacks that can spread in sophisticated ways. For example, Nimda, which exploded across the Internet a week after 9-11, was a "hybrid" worm that could spread in a variety of ways, including through e-mail attachments but also by attacking unpatched versions of Internet Explorer or Microsoft's Internet Information Server (IIS).
GOVERNMENT AND PRIVATE industry have been taking a number of steps to meet the challenge of the ever-evolving hacker threat. These measures also take into account the danger that terrorists may use cybercrime to further their own objectives.
Public-private liaison. On the counter-measure side, the rise of information sharing and analysis centers (ISACs) represents one of the big success stories of the past year, says Ron Dick, director of the FBI's National Infrastructure Protection Center (NIPC). The goal of sharing information between federal law enforcement agencies and those in the private sector is not new. But most experts say that such partnerships became more productive after 9-11.
ISACs now exist in a dozen sectors from financial services to food marketing. They collect cyberthreat and attack information from members, remove identifying information, and share it among themselves and with government groups such as NIPC. They also get information on threats from the same government groups.
Dick says that the movement of information wasn't always a two-way street. "When the financial services ISAC was created back in 1999, they put on their Web page and made it very public that they were not going to share information with the government," he says.
The policy was changed in June. They are now one of the 12 ISACs that have signed information-sharing agreements with the government, says Dick. The shift in attitude was the result of government efforts in providing the private groups "with timely and actionable information that they felt was of value to them," he notes.
The Patriot Act helped spur some of these partnerships. For example, the law tasks the director of the Secret Service with developing a national network of electronic crime task forces based on the model of the New York Electronic Crimes Task Force (NYECTF), established in 1995, that brings together public and private resources to fight electronic crimes. Eight such task forces exist now.
Branigan has worked with the NYECTF from its inception. He says that the Patriot Act's recognition of the value of the NYECTF model indicates the growing realization that information sharing is vital to securing the nation's critical infrastructure, most of which is owned and operated by the private sector. "One thing we've been seeing is that this public-private partnership is very valuable," he says. "No one person or government entity can be responsible for security, and truly we're all in this together."
Branigan says that participation in the task force has been open and invaluable. He tells of one meeting in which a representative of a phone company described a fraud scheme. In the scheme, criminals in New York called pay phones in Chicago's airports and played a dial tone into the phone. Travelers who picked up the phones heard the dial tone and entered their calling card numbers, which were collected and decoded by the New York gang. After the presentation, the telephone-company representatives got together and agreed on a technological solution to update their fraud-detection systems and prevent such scams.
Branigan says that having everybody in a trusted venue allowed for a quick resolution, even between competing companies. "This was not a theoretical 'we should work together' type of meeting," he says. "They saw it was a real issue and found a real solution, showing that they could work together effectively."
During the meeting, law enforcement agents also discussed cases they had been involved in, thus alerting members to new scams and schemes. Branigan credits the atmosphere of candor and trust for the willingness of industry members and law enforcement to share such stories.
National strategy. The new focus on cybersecurity has also led to the recently issued National Strategy to Secure Cyberspace, created by the President's Critical Infrastructure Protection Board. This policy draft, developed with input from a wide range of interested parties, includes recommendations for five groups of users, from home users and small businesses to global enterprises. The strategy relies on voluntary compliance, rather than mandates.
Some groups criticized the lack of enforcement mechanisms, saying that companies would have little incentive to make changes.
But the plan may lead to improvements in the nation's cybersecurity despite its lack of teeth, says Scott Blake, CISSP, vice president of information security for BindView, which provides vulnerability assessment products.
One suggestion aimed at corporations is in line with recommendations long promulgated by security consultants, notes Blake: CEOs should consider forming enterprisewide corporate security councils to integrate cyber- and physical security, privacy, and operational considerations. He says that the strategy could help focus attention on best practices such as this, bringing a level of attention to cybersecurity that has heretofore been absent.
Another recommendation advocates that private-sector security service providers to the federal government meet certain standards and that all security software employed in the federal sector be certified by the National Information Assurance Program (NIAP), a partnership between the National Institute of Standards and Technology and the National Security Agency. Currently, the Defense Department is required to buy only those security products and services that have passed this accreditation process. The impact of these recommendations will become clearer as future drafts of the strategy emerge.
Cybercrime. The government has also increased the resources it devotes to fighting cybercrime. As a result, the number of cybercrime investigations is up across the country, according to Scott Larson, supervisory special agent of the FBI's Washington field office. He says that much of the credit should be given to the new public-private liaisons such as the ISACs (already mentioned) and InfraGard (a public-private information-sharing effort that boasts some 5,000 members across the country and, unlike the ISACs, cuts across industry sectors) that share information between the government and the private sector about vulnerabilities and attacks. Companies are now comfortable with the government's ability to handle confidential information and work with them in the case of publicity "and all the other things that go along with conducting an investigation," he says. "I think they also have trust that we have the knowledge and skills to do it."
Predictive Systems' Skoudis, who also teaches courses in hacker techniques, exploits, and incident handling for the SANS Institute, agrees that the government's growing focus on fighting cybercrime is beginning to bear fruit. "Law enforcement has gotten better in their technical skills," he asserts. "We're seeing more of them come out and get some education."
Skoudis says there are two reasons for this focus on continuing technical training. "It's because they value it, number one, but also because they never had money before and now they have some for doing it."
Larson says that the government has taken other aggressive steps in fighting cybercrime. For example, he notes that the U.S. Attorney's office has more assistant United States attorneys (AUSAs) dedicated to cybercrime, which gives the government more resources and people it can go to right away when investigating and prosecuting a Web-based crime. Forty-eight AUSAs in 10 cities are assigned to CHIP (computer hacking and intellectual property) units, almost all of which were set up after a July announcement by Attorney General John Ashcroft. These legal professionals specialize in high-tech crimes, provide national training and advice, and coordinate prosecution of computer intrusion and intellectual property cases.
Corporate culture. In the private sector, companies recognize the new threats and the increased importance of network security, but they also face the reality of a slow economy and budget constraints. "The commercial world in post-9-11 is talking a lot more about security, but there's no money there--they haven't increased funding," says Skoudis. Given the economic realities, companies are getting back to the security basics. That approach has translated into a sharper focus on best practices, better executive buy-in, and detailed preparation for incidents.
Best practices. "I think there's been a fundamental change in attitudes from private security and management in understanding the value of security" over the past year, says Kelly J. Kuchta, CPP, chairman of the ASIS International Information Technology Security Council. "That's a fundamental shift, and people are starting to have a real awakening of what we need to do to secure our networks."
Kuchta says that companies are now looking to lock down networks using smart policies rather than expensive equipment. "I don't see that anybody is rushing out and buying the brand new technology. Rather, they're doing the things that they should, such as making sure their service patches are up to date," he says.
Perry adds that the massive corporate cleanup after the Nimda attack may have spurred system administrators to be more vigilant about finding and installing security patches. The fault that allowed Nimda to spread "was built into IIS and was known about for two years when Nimda came out; yet hundreds of thousands of servers were not patched," he says.
While patching is critical, additional defensive solutions also have a place in information security programs. Jim Prevo, vice president and chief information officer of Vermont's Green Mountain Coffee, Inc., says that he has purchased some technological solutions since 9-11 that build on his existing infrastructure, such as upgrading the corporate firewall, getting a virtual private network running for home users, and installing programs to scan e-mail for viruses. "We are continuing to mine the value of the products we have implemented today by utilizing more of the functionality in those applications," he says.
Prevo also notes the importance of strengthening security policies and adopting industry best practices. Many of these best practices come from looking at what other companies are doing, he says (he belongs to an information security mailing list whose members share such practices).
Other experts point to the National Strategy to Secure Cyberspace as a source of best practices, as well as the CERT Coordination Center. In addition, the National Security Agency has released security recommendations for products such as Windows and Cisco routers. Another resource is the Center for Internet Security--a group of businesses, government and law enforcement agencies, professional associations, and individuals that has released its own set of guidelines.
One important area where best practices have become more common is in application deployment, says Chris Wysopal, director of research and development for digital security consultant @stake. He says that he's seen many companies putting more effort into securing Web and database servers before they go online. System administrators "are taking the time to lock down the host operating system, applying the patches, and configuring the application so that unnecessary features aren't turned on but the appropriate security settings are," he says.
One reason this has become more common is that it's easier to do: In the face of strong demand, vendors are now providing better security information to their customers. "Vendors are publishing lockdown guides or secure configuration guides for their products. That's one thing that's not really costing anyone," but it certainly improves security, he says. (See sidebar for more on what vendors are doing.)
Also driving businesses to tighten security and adopt best practices are government privacy regulations implementing the Health Insurance Portability and Accountability Act (HIPAA). "In the healthcare world, we are all under the gun to get compliant with the medical privacy regulations that are coming out of Washington," says Kathryn Lawder, information security administrator for Sharp Healthcare and a member of the ASIS International Information Technology Security Council. "The compliance date for privacy is April 2003," she says. Lawder adds that HIPAA's security regulations are essentially detailed best practices that cover a range of issues including the confidentiality, integrity, and availability of corporate data.
Executive buy-in. While funding may not have improved, executive attitudes have. Prevo says that management's perceptions of security have changed significantly in the past year. "One difference is that we don't have to explain 'why' as much," he says. "Everyone understands why we need security and disaster strategies."
Howard Schmidt, vice-chair of the President's Critical Infrastructure Protection Board, agrees that awareness of the critical physical security and cybersecurity issues has spread through every boardroom. "They recognize that implementing security is not just a necessary evil; it's actually a part of the core business processes," he says.
Dr. Phyllis Schneck, chairman of the national executive board of the FBI's InfraGard program, agrees that security is finally starting to be a deep concern within the boardroom. She says that she's seen some businesses reorganize their hierarchies to ensure that security is handled centrally by hiring a CSO.
"That position reports to the CEO and covers not only electronic and IT security but also physical security. Under that person is a team of IT experts as well as the facilities and other types of security that are required." Merging IT and physical security not only heightens the importance of protecting corporate assets, Schneck says; it also ensures that security becomes an integral part of the overall corporate culture.
What's next. Experts agree that the focus on security sparked by last year's terrorist attacks and the devastation wrought by worms such as Nimda gave a much-needed boost to the nation's cybersecurity posture. What's needed in the future is a continuation of the work done toward hardening targets, putting best practices in place, and increasing the public-private information flow, they say. "The big challenges of the next year are to continue to keep the enthusiasm up, and focus on cybersecurity issues as a whole as we start moving forward with the new [homeland security] department," says Schmidt.
The insurance industry is also likely to fuel the move toward cybersecurity, says Vincent Polley, who chairs the American Bar Association's cyberspace law committee. He notes that insurance premium increases imposed by underwriters since 9-11 have caused risk managers to play a bigger role in helping their companies focus on important security issues. "I would expect the insurance industry to be one of the leaders in building out best practices," he adds.
Vincent Weafer, senior director of Symantec Security Response, thinks the biggest challenge lies in the information overload. "There's so much information out there in terms of security vulnerabilities, exploits, and attacks that the large enterprises need help to be able to prioritize," he says, while smaller companies don't know where to begin the quest for cybersecurity. He predicts that managed security providers will become increasingly sought out for these services.
As for the future of virus protection, Trend Micro's Perry says he'd like to see measures such as antivirus scanning and spam blocking offered at the ISP level. "You don't ask people to filter their own water or maintain air quality in their neighborhood," he says, so why force them to seek out protection for their computers? In fact, the National Strategy to Secure Cyberspace made a recommendation that this idea be considered; however, most experts say that without legislative action, this is not likely to happen.
Whatever the future holds, cautions the White House's Schmidt, it's important to remember that there is no silver bullet that will ensure better cybersecurity. "We have to be very circumspect about focusing on technology as a solution, because the technology is not the single solution," he says. "It's people, processes, and technology. You wrap those three things up and then you get better security."
RELATED ARTICLE: Supply-side Security
Vendors of computer programs have not been sitting on the sidelines, of course. Their efforts to keep up with the changing threats can be divided into three parts: first, the development of nonsecurity software that has fewer vulnerabilities that hackers can exploit; second, the development of better security programs; and finally, the introduction of more user-friendly products.
Safer software. The world's largest software vendor, Microsoft, has frequently been excoriated for its "get it to market fast" mentality that often results in security holes. But Microsoft is far from the only offender. All products come to market with vulnerabilities. And the problem does not appear to be going away. According to the CERT Coordination Center, 2,148 vulnerabilities were reported in the first half of this year, compared to 2,437 throughout 2001.
Marty Lindner, team leader for incident handling at CERT, thinks that these statistics indicate that more people are reporting vulnerabilities, not that there are more than before. But, he adds, there are not fewer than before either.
In 2002, Microsoft made a public show of putting security on the front burner. According to a statement by Microsoft chief technical officer Craig Mundie, the software giant has "turned off or reduced more than 30 settings in Windows .NET Server to make it more secure by default" in an effort to address one of the most common criticisms of the company--that products were shipped with all functions turned on, thus putting the onus of locking systems down on system administrators.
While that effort indicates that Microsoft is moving in the right direction, says Lindner, much progress remains to be made. He notes that other software vendors and what he calls "the whole open-source arena" are not yet under as much pressure to create secure products as they should be.
Larry Bridwell, content security program manager with ICSA Labs, says that getting vendors to ship products that are safer in their out-of-the-box, default settings still only represents half the solution; making security functions easier to handle is the other. Speaking of Microsoft, he says, "Their latest versions of Office and Outlook basically install to a fairly tight security. For example, macros will not operate unless they're signed. On the other hand, once you turn one of those functions on, it's almost impossible to find out how to turn it off."
Other vendors are similarly culpable, Bridwell says. For example, he says that many new products include an automatic update feature that regularly attempts to "phone home" to look for newer versions or patches. It took Bridwell more than a day to figure out how to turn off that functionality.
Chris Wysopal of @stake says that many vendors are getting better at turning out more secure software but most of those products are not yet on the market. And, even when these products are available, it will take time before companies replace their legacy systems.
Antivirus advances. Virus writers, as noted earlier, are adept at making minor changes so that their viruses and worms avoid detection. But security firms are learning to adapt as well. One step that many antivirus companies are taking to catch variants more quickly is to identify a "family signature" of a virus that can be combined with its exact ID signature, says Roger Thompson, technical director of malicious code research for TruSecure. "When a new Klez variant comes out, the stronger scanners will pick it up as a generic Klez," he says, referring to an e-mail worm that became one of this year's most widespread infections.
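The point made earlier (variants slipping past scanners until exact signatures are updated) and the "family signature" idea Thompson describes can be shown side by side in a toy scanner. This is an added illustration, not code from the article or from any vendor it names; the samples are constructed placeholder byte strings, and the signature names and tolerance patterns are assumptions for the demonstration.

```python
import hashlib
import re

# Constructed stand-in samples (not real worm bodies): an "original" strain,
# a variant that differs only by a small edit, and a benign file.
ORIGINAL = b"HDR\x00stage-one\x00mailer:enum-addressbook\x00persist:run-key\x00build=A"
VARIANT = b"HDR\x00stage-one\x00mailer:enum-addressbook\x00persist:run-key\x00build=B"
BENIGN = b"HDR\x00hello world\x00mailer:none\x00nothing to see here"

# Exact ID signatures: a hash of the whole file. Precise, but brittle against
# a single changed byte.
EXACT_SIGNATURES = {
    hashlib.sha256(ORIGINAL).hexdigest(): "Family-X.A",
}

# Family signatures: byte patterns shared by the whole family, with wildcard
# regions for the parts variant authors typically tweak. Every pattern in the
# list must match for the family verdict to fire.
FAMILY_SIGNATURES = [
    (
        "Family-X (generic)",
        [
            re.compile(rb"\x00stage-one\x00mailer:enum-addressbook\x00"),
            # up to 16 arbitrary bytes allowed between the two anchors
            re.compile(rb"persist:run-key.{0,16}build=", re.DOTALL),
        ],
    ),
]


def exact_match(data: bytes):
    """Return the exact signature name for this file, or None."""
    return EXACT_SIGNATURES.get(hashlib.sha256(data).hexdigest())


def family_match(data: bytes):
    """Return the names of every family whose pattern set fully matches."""
    return [
        name for name, patterns in FAMILY_SIGNATURES
        if all(p.search(data) for p in patterns)
    ]


def scan(data: bytes):
    """Combine both detection layers, exact verdict first, then generic."""
    hits = []
    exact = exact_match(data)
    if exact:
        hits.append(exact)
    hits.extend(family_match(data))
    return hits


if __name__ == "__main__":
    for label, sample in (("original", ORIGINAL), ("variant", VARIANT), ("benign", BENIGN)):
        print(f"{label:9s} exact={exact_match(sample)!r:16} scan={scan(sample)}")
```

The variant is invisible to the exact-hash layer but still caught by the family layer, which is the gap the signature-update delay leaves open when only exact IDs are used.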
Vendors are also trying to give customers better guarantees of their products' effectiveness and economic worth. For example, in October, Trend Micro took a step toward greater vendor accountability when it announced the antivirus industry's first service-level agreement in which it will pay a penalty if it cannot provide a fully tested pattern file (used to detect the virus) within two hours of a virus being submitted by a customer.
Smarter products. Companies have also been focusing on building easier to use and more integrated products, says Al Potter, network security manager at ICSA Labs. "We're seeing a trend toward security applications that are more tightly integrated with the desktop; they're more available, usable, configurable, and affordable," he says. For example, he says that some vendors are releasing integrated desktop packages that combine antivirus and personal firewall needs in a single product, rather than in two separate programs.
By making software more secure at installation and easier to configure and by improving antivirus programs, vendors hope to help companies adapt to changing threats.
Peter Piazza is assistant editor of Security Management.