[ISN] Security Q&A: Safeguarding AT&T's Network

From: InfoSec News (alerts@private)
Date: Thu Mar 15 2007 - 22:21:27 PST


By John McCormick
March 15, 2007

Ed Amoroso, AT&T's chief security officer, is one of the nation's top 
computer security experts. He started his career at Bell Laboratories, 
where he worked on, among other things, Unix security, and since then 
has been involved in various aspects of defending computer networks. 
Today, he's charged with both securing the communication company's 
internal networks and overseeing the development of its computer 
security products. Amoroso is also an adjunct professor at Stevens 
Institute of Technology, where he teaches computer security, and is the 
author of several books on data protection. His latest is Cyber Security 
[1] (Silicon Press, 2006). He sat down recently with Baseline 
editor-in-chief John McCormick.

What are some of the major themes of your most recent book?

The first theme is that most enterprise security groups are pretty 
concerned that the security problem seems to be somewhat unbounded. A 
lot of CIOs will say: "Where is this all going? I [put] up a firewall in 
'95, and then I bought an intrusion detection system in '98, and then I 
bought antivirus and antispam in 2000. And then I bought D-DOS 
[distributed denial of service] protection in 2002. And it seems like 
viruses and worms and botnet attacks and break-ins are just getting 

And the question keeps arising: What can we do as a carrier? What we've 
noticed over the last few years is we can see attacks as they occur. In 
2003, I watched the Slammer worm happening. I was amazed. We just saw 
the anomalies on ports. Since then, we've basically watched in living 
color just about every named attack that you talk about in your 

We also noticed that we have the ability to mediate these types of 
things. We've started introducing firewall and intrusion detection right 
into the network; instead of doing it at the perimeter, we can stop 
different types of things in the network. You tell me what the policy 
is. Instead of a firewall sitting at the edge of your enterprise, we 
join your VPN with firewall equipment and software that sits in the 
[network] clouds, virtualized. So, if you say I don't want [a particular 
service], well, we route your traffic through a complex that knows that. 
And I stop the packet long before it gets anywhere near your enterprise.

And I think that revolutionizes the way networking works.

You also talk about software engineering. What's the problem there?

Software engineering, as a discipline right now, is shamefully broken. 
When you go to the university to study engineering, you see that 
electrical engineering and chemical engineering and mechanical 
engineering are grounded in science.

Computing is all sort of wacky, because computer programming runs the 
gamut. If you're watching TV, a commercial will say, hey, you've got no 
job; you can take up small-appliance repair or hairdressing or computer 
programming. It's almost like computer programming is akin to fixing a 
toaster, in terms of the skills that are needed.

So software, right now, across the board, is somewhat a victim to the 
fact that the software engineering profession needs to have more 
attentiveness. And this is an issue for academia. Even in terms of the 
way businesses are run and operated, we need to rethink the way 
software's developed. We need to start rethinking the way we train 
software engineers.

What do I.T. people spend a lot of their time doing? Patching operating 
systems. Every month their whole place comes to a grinding halt, and 
everybody patches everything in sight[like] putting duct tape on an 

What's the reason? Who's to blame?

You can't really blame any company, or the industry, but it's important 
now for security officers and CIOs to start recognizing that we have to 
start steering the Queen Mary in a different direction.

One way to do it is fewer features. So, you need to be more demanding of 
features. Feature creep is out of control.

Second, the issue of system administration around software is something 
that we should all be somewhat ashamed of. The system administrative 
burden is pretty significant. I'm sure that everyone you know, every 
family member, they're all system administrators. My kids 
systems-administer one of the machines at home. That's kind of an 
amazing burden on people, and it's remarkably easy to mis-administer 
some things.

So, what we see in the AT&T network is that these mis-configurations, 
including modifying patches, result in your computer very easily being 
taken over by a bot controller. Our measurements suggest that on any 
given day, there are a minimum of 10 million machines that are 
exhibiting some type of scanning behavior. They've been taken over. 
There is a bot that exploited a vulnerability that wasn't patched.

So, who do you blame for that? You could blame the system administrator. 
But that's a little hollow.

You could blame the software companies, but that's a little difficult, 
because the software companies are just a reflection of the software 
engineering discipline.

So, what do you do?

You need to just have a collective sigh that this is an immature 
discipline that's got to grow up. And one of the ways it can grow up, I 
believe, is that the carrier can step in and do some things.

For example, a PC that's spewing [out] a bunch of garbage. Your cable or 
DSL [provider] can see that. And they could do volume metrics on your 
PC. I don't mean look at your sensitive data - they could care less 
about that. But look and see, for example, that from 2 a.m. to 6 a.m., 
for the last 300 nights, there's almost no traffic; then all of a 
sudden, they start to see bursts of [computer port] scanning coming out 
of your PC. They could stop it [if it's in] the service-level agreement 
that they have with you.

Why isn't that done today?

It's partly because they know that you, as a customer, would probably be 
nervous about them blocking things. You'd say, "Look, it's not that I 
think you're trying to do anything funny. I'm just afraid I'm going to 
be trying to Google 'dinosaurs' to help my son with his report, and 
you're going to be blocking it or something."

[But] if we can get to the point where a consumer or business people 
feel more comfortable having the carrier do more security, and the 
security ranges from stopping spam to stopping a denial-of-service 
attack to calling you when there's fraud or something, then that's good 
for everybody.

That's a shift in security - and privacy.

If the carrier sees any really nasty traffic being aimed at your PC, 
like a botnet attack, for us to say we're going to characterize that and 
block it and notify you, it's hard to even conceive of any potential 
privacy issue there whatsoever.

When toll fraud was becoming an issue in the '70s, the solution to toll 
fraud was simply that when you made an [initial] international call, you 
would be put into a grouping of people who just made their first 
international call. Let's say you called Albania. That call got put into 
a database. And if [right after that] you made another call to Albania, 
it would trip off an operator who [would] then call you up and say, 
"Hey, do you mean to be calling Albania? We noticed this odd calling 
pattern." And for decades, I don't think they ever had anybody complain 
about privacy in that scenario.

In the Internet era, people have a different concept. A phone bill is a 
list of calls that you've made. How would you feel if your ISP gave you 
a URL bill with the sites that you visited? Nobody would want that. 
People would be aghast at the "privacy" implications.

Our feeling is that the total cost of ownership for a CIO or CSO or 
CISO, at the perimeter, has been rising. There wasn't even a perimeter 
10 years ago, except routers, maybe, doing a little bit of packet 
filtering. We went from that to now, where some banks here in New York 
City have teams of 200 people that do nothing but police the enterprise. 
So, whether you would consider that a problem situation or not, it's 
certainly something that has the attention of a CIO, because the CIO 
would ask, "What am I getting out of this?"

What does a CIO get out of all this?

The first [thing] is that all the equipment that would correspond to 
firewall, IDS filtering, URL, antispam, threat management security, 
information managementall that capital and all those licensees can, in 
some sense, vanish, because by virtualizing that in the network, we keep 
the capital. We keep the hardware.

The second thing is that most CIOs will pick an antivirus tool. And 
usually, there are 10 pluses and four minuses for this vendor, 13 pluses 
and two minuses for this other vendor, and so on. It's more pluses and 
fewer minuses. But there are still minuses there.

A carrier can give you the best of everything, because there's always a 
horse race with vendors. And we can make sure that you're always getting 
the latest and greatestupdates, signatures, any type of configuration 
change that needs to be done on a daily basis.

Has AT&T been offering these services for a while?

Yes, for some time. They're all different services.

And you're using these tools inside the company?

I have an initiative to use all those things to protect us.

AT&T must be a huge target for hackers.

There isn't a carrier on this planet that's not attacked.

How often are you attacked?

You have to go by the definition of "attack." The first thing is that 
anybody who's ever done security and thought about it for more than an 
hour realizes that it's impossible to say "I measure all my attacks," 
because sometimes, there's an attack that you don't see. I mean, it's 
insiders or others [who] might, you know, successfully attack you.

But knock wood: We haven't had a security event that has caused 
significant widespread problems for customers.

Copyright (c) 2007 Ziff Davis Media Inc. All Rights Reserved. 

[1] http://www.amazon.com/exec/obidos/ASIN/0929306384/c4iorg

Visit the InfoSec News Security Bookstore

This archive was generated by hypermail 2.1.3 : Thu Mar 15 2007 - 22:40:00 PST