[ISN] Cybersecurity's Leaky Dikes

From: InfoSec News (isnat_private)
Date: Mon Jul 08 2002 - 04:17:48 PDT

    By Alex Salkever 
    JULY 2, 2002 
    While interest is rising in protecting computer networks, too often
    the tools aren't powerful enough to keep hackers out.
    As head of the
    National Infrastructure Protection Center's office in Pittsburgh, FBI
    supervisory agent Dan Larkin mans a sentinel post on the front lines
    of the war against cybercrime. Rather than M-16s, his soldiers tote
    powerful computers, which they use to unmask hackers who break into
    networks and steal valuable information. They also try to intercept
    so-called script kiddies, who launch damaging denial-of-service
    attacks that flood Web servers with bogus queries and freeze company
    online operations.
    Rising interest in cybersecurity, spurred in part by the terrorist
    attacks of September 11, has vaulted Larkin and his 110 FBI cohorts
    staffing the NIPC into a much more visible role. Only problem is, the
    demands on them have outrun the capability of the tools available to
    do the best job possible.
    True, software exists that can quickly mirror-image the hard drive of
    a confiscated computer, thus making it possible to dissect evidence
    without damaging the original material, says Larkin. Try to do
    something more sweeping, however, such as sifting through the massive
    logs of data that record activity on every computer network, and
    Larkin's cops might as well be on foot patrol. The tools for
    heavy-duty cybersleuthing remain rudimentary -- causing a
    "considerable amount of frustration" within Larkin's team at its
    inability to do more.
    GROWING WISH LISTS.  It's a familiar sentiment. The lack of
    log-sifting tools is just one of the obstacles that frequently
    short-circuit computer cops, forcing them to spend on average 23% of
    their time per investigation poring over logs, according to a survey
    of 151 cops released on June 18 by Dartmouth College's Institute for
    Computer Security Studies.
    Other items on the investigators' wish lists include technology to
    better track computer criminals' unique Internet protocol addresses,
    plus tools to quickly map the topology of computer networks to learn
    where breaches may have occurred. Such capabilities are a must if FBI
    agents and others are to successfully investigate increasingly complex
    cyberattacks, says Larkin.
    The new focus on security of every kind has prompted more and more
    companies to get serious about locking down their networks. And tools
    to bar the network gates have become more affordable and more widely
    accepted by both the private and public sectors. Yet the virtual
    threats continue to evolve, in part because hackers are developing
    more sophisticated tools as well.
    "LOSING GROUND."  Increasingly, high-level assailants are finding ways
    to camouflage their cyberattacks. That includes sending destructive
    data in numerous fragments that assemble only once they arrive at
    their ultimate targets inside firewalls and intrusion-detection
    systems -- thus breaching conventional security.
    Other tools of destruction now sport code that morphs regularly,
    making it doubly hard for automated security software to verify that
    an attack is in progress. "The tools [with which to defend networks]
    are getting better, but systems we are trying to protect are becoming
    so complex that we're all losing ground," says Bruce Schneier, chief
    technology officer for Counterpane Internet Security in Cupertino,
    That shows up in the statistics. According to the CERT Coordination
    Center, a government-funded cybersecurity clearinghouse and research
    group at Carnegie Mellon University in Pittsburgh, companies and
    organizations reported 26,829 security incidents during the first
    quarter of 2002. That compares with 52,658 for all of 2001, and 21,756
    in 2000.
    RISING DAMAGES.  At the same time, the number of software security
    vulnerabilities -- bugs in code that can allow intruders to break in
    or hackers to crash networks -- reported to CERT has soared. In 1995,
    the group received 171 vulnerability notifications. That figure rose
    to 2,437 in 2001, and to 1,065 in the first quarter of 2002 alone.  
    "It's simply a case of low-quality security in a lot of our software,"  
    says Rich Pethia, director of CERT.
    Worse yet, the cost of hacker attacks appears to be rising. According
    to the 2002 "Computer Crime & Security Study," released on Apr. 7 by
    the FBI and the Computer Security Institute in San Francisco, some 90%
    of the 503 respondents from large corporations and government agencies
    said they had suffered some sort of cyberattack or security breach in
    the past 12 months. The average financial toll from these has risen to
    $2 million per instance in the latest survey, from $500,000 in 1997.
    Those self-reported losses may be low, as companies frequently are
    loath to reveal the true cost of security lapses. With awareness now
    higher than ever, companies have started spending more on
    cybersecurity. Despite the rising risks, "most big companies still
    spend more on catering each year than they do on cybersecurity,"  
    laments the security manager at a multibillion-dollar corporation.
    VULNERABLE FROM THE START.  The roots of the security threat reach
    back to the early days of the Internet. The languages and protocols
    that allow so many disparate systems to talk to each other were never
    designed for security, says Peter Neumann, a pioneer in secure
    computing systems and a principal scientist at SRI International, a
    private research lab in Menlo Park, Calif. That's because the systems
    built back then were designed for a small, known community, not a
    global village that logs on continuously.
    This endemic weakness has become increasingly evident in recent
    months. Researchers have discovered glaring vulnerabilities in some of
    the most basic building blocks of data communications, such as the
    ASN.1 protocol used for everything from remotely managing power plants
    and nuclear reactors to passing basic instructions to switches and
    routers on a network. At the same time, researchers are spotting more
    problems in all types of application software.
    Such revelations have added even more impetus to corporate efforts to
    shore up cybersecurity. According to tech consultancy Gartner
    Dataquest, the worldwide security software market should hit $4.3
    billion in 2002, up 18% from 2001's $3.6 billion. That's at a time
    when companies are reining in virtually all other types of tech
    MISFIRING WEAPONS.  While everyone acknowledges that security software
    and hardware are improving, the current crop of products still leaves
    a lot to be desired, according to experts such as the FBI's Larkin.  
    Just ask Bruce Hughes. As a manager at prominent computer security
    certification and testing company ICSA Labs, Hughes test-drives and
    rates dozens of virus-prevention and other software tools each year.
    Hughes lauds the increased availability and affordability of
    computer-security products. "If someone had said eight years ago that
    you could walk down to Staples and buy a high-powered firewall for
    $200, people would have laughed," he says. At the same time, "some
    security products are getting much more difficult to use," he adds.  
    "With so many options, you can easily forget to change the
    configuration or skip right over something you could have configured."
    Worse still, even some computer-security techniques remain
    problematic. Cryptographic programs designed to mask information or
    communications far too often have glaring flaws that make it easy to
    crack their codes, according to ICSA tests. That seems particularly
    galling, since the cryptographic standards behind these programs have
    been around for years and have been put through rigorous academic and
    real-world testing. "Even the stuff that you think is easy you screw
    up all the time," says Counterpane's Schneier.
    BUILDING IN SAFEGUARDS.  In fact, Schneier and others contend that the
    best cybersecurity weapon remains the gray one between the ears --
    that dependence on automated software will never eliminate the need
    for brainpower. "Counterpane uses human judgment. We have a system
    that has people involved. That's the only way to deal with
    complexity," he says.
    Still, it's no surprise that information-technology staffs are
    agitating for better-made software. This is key, says CERT's Pethia,
    because the basic code of so many of today's software products was
    built before cybersecurity was a burning issue. Microsoft (MSFT),
    Oracle (ORCL), and Apple (AAPL), among others, have stepped up their
    efforts to write security protection into their products. Eliminating
    vulnerabilities from the widely used software these companies produce
    will give specialized security products a better chance to succeed,
    says Pethia.
    The cybersecurity front has had some bright spots. Many companies now
    demand that partners or suppliers they link to electronically have
    strong cybersecurity. Insurance companies are even forcing the issue,
    by requesting more stringent audit and security measures from the
    companies they deal with.
    Moreover, some of the tools on Larkin's wish list appear to be in the
    wings. The first generation of highly advanced log-management
    software, from companies such as Network Associates and Network Flight
    Recorder, is hitting the shelves right now.
    CYBERSECURITY CORPS.  Perhaps most important, the federal government
    finally seems to have grasped the importance of cybersecurity.  
    President Bush has provided less than $100 million for research and
    development on such security so far, but he has proposed hundreds of
    millions for cybersecurity efforts in his fiscal 2003 budget,
    including $11 million for the creation of a government cybersecurity
    corps, which would pay the university tuition of students who agree to
    do an as-yet-undetermined number of years of government cybercrime
    work after graduation.
    Bush has also proposed to upgrade the FBI and other government law
    enforcement bodies, a chunk of which is bound to go toward
    cybersecurity. For Larkin and his Pittsburgh charges, that's a vast
    improvement over the days when computer security was an ugly stepchild
    of law enforcement. Still, it's only a start on what will surely be a
    long and possibly tortured effort to improve security technologies,
    give humans better tools, and keep bad guys in cyberspace at bay.
    ISN is currently hosted by Attrition.org