A wave of destructive worms in recent months has focused
attention on the potential vulnerability of the Navy Marine Corps Intranet
(NMCI) and other military networks to malicious computer attacks.
In particular, the Blaster, SoBig, Welchia and other worms
have spurred concerns among many analysts about the unintended security
consequences of the overwhelming worldwide use of and increasing military
reliance on the software products of a single company, Microsoft. The attacks
resulted in the most expensive year ever in terms of malicious code damages.
The worms, viruses and Trojan horses mostly spread
throughout corporate and personal computer systems through security flaws in
the design of products from Microsoft, notably its Windows operating systems,
security experts contend. To date, all branches of the U.S. military have
consciously decided to standardize their enterprise networks on Microsoft
products.
As a result, military network engineers are discovering that
the biggest threat to the integrity of their enterprise systems comes not from
a coordinated cyber war, but rather from malicious code designed to spread as
quickly and thoroughly as possible via Microsoft design flaws.
SoBig.F, the sixth variant of the SoBig family, became the
most widespread worm in the history of computing in August and September. Unlike
Blaster, it exploited no software flaw: it arrived as an e-mail attachment, relied
on a user opening it, and then mailed itself from the infected Windows machine to
every address it could harvest there, so a single standard desktop configuration
gave it a uniform population to spread through. Many military networks suffered
the same congestion from SoBig.F that private-sector networks did.
The alleged weak security measures in Microsoft products and
the company’s near-monopoly over key software markets drew the ire of a group
of security professionals, who in September released a Computer and
Communications Industry Association (CCIA) report entitled “CyberInsecurity:
The Cost of Monopoly.”
“Microsoft has very usable, functional software, which is
why their software is so widely adopted worldwide,” said Ken Dunham, malicious
code intelligence manager for iDefense, a cyber security firm based in Reston, VA.
“This has led to a dangerous situation: a large body of computers all using the
same types of software, vulnerable to the same types of attacks, all connected
to one another through the Internet.”
Dunham predicted that military networks would see more of
this problem as they move to standardize on Microsoft products. The infection
of the NMCI demonstrates the situation, he contended.
Network Infiltration
In August, NMCI suffered its first-ever malicious code
incursion when Welchia infiltrated the network.
To complicate matters, Welchia was written to remove the
Blaster worm, which earned it some media attention as a “good worm.” Blaster
ripped through large corporate networks in August by exploiting a buffer overflow
in the Windows remote procedure call (RPC) service, reachable through its
Distributed Component Object Model (DCOM) interface on TCP port 135. RPC is an
Internet-standard protocol that lets an application on one computer run code on a
remote computer. An attacker who sent the malformed request could run code with
SYSTEM privileges and take total control of the affected machine. Welchia’s
author launched it to install Microsoft’s patch for the DCOM RPC flaw and stop
the spread of Blaster.
While Welchia patched the vulnerability, however, it also
opened a port to allow a malicious actor to gain control over a computer,
according to analysts at iDefense. Welchia successfully invaded NMCI because of
the timing of certain procedures on the network, said Captain Chris
Christopher, staff director of the NMCI office.
“Unfortunately, we did not have the virus signature for the
Welchia worm when it hit us,” Christopher said. “As soon as the signature became
available, we implemented it immediately across the enterprise and we
immediately stopped the infection.”
NMCI relies on anti-virus software from Symantec, which
periodically releases revised definitions so the software can recognize new worms
like Welchia. A signature only stops new infections, however: hosts already
compromised kept hunting for further victims, sending ICMP echo requests (pings)
to ranges of IP addresses and waiting for replies before attacking the machines
that answered. The ping traffic slowed NMCI considerably but did not halt
operations.
Network technicians spent about 48 hours mitigating the
effect, which was equivalent to a denial-of-service attack. In a denial of
service, malicious traffic consumes bandwidth or processing capacity, making
resources unavailable to legitimate users.
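The scanning behaviour described above, Blaster probing TCP port 135 and Welchia sweeping address ranges with ICMP echo requests before attacking whatever replies, shows up in network flow records as one source touching many distinct destinations in a short time. The detector below is an added example written for this article, not code from NMCI, iDefense or the original page; the one-line flow format, the host addresses and the thresholds (20 distinct destinations inside 10 seconds) are constructed assumptions to be tuned per network.

```python
"""Flow-record fan-out detector for worm scanning (illustrative example)."""
from collections import defaultdict, deque

# Tunables: assumptions for this example, not values from the article.
WINDOW_SECONDS = 10.0
FANOUT_THRESHOLD = 20          # distinct destinations within the window

# Probe traffic the worms discussed in the text generate while hunting hosts:
# Blaster attacks the DCOM RPC service on TCP port 135; Welchia first pings
# candidate addresses (ICMP type 8, echo request) and attacks those that reply.
SIGNATURES = {
    ("tcp", 135): "Blaster-style TCP/135 (DCOM RPC) scan",
    ("icmp", 8): "Welchia-style ICMP echo sweep",
}


def parse_flow(line):
    """Parse one constructed flow line: '<ts> <src> <dst> <proto> <port_or_icmp_type>'."""
    ts, src, dst, proto, num = line.split()
    return float(ts), src, dst, proto.lower(), int(num)


def detect_scans(lines, window=WINDOW_SECONDS, threshold=FANOUT_THRESHOLD):
    """Return {(src, signature_name): ts} giving the first moment each source
    contacted `threshold` distinct destinations with matching probe traffic
    inside any `window`-second span. Alerts once per source and signature."""
    recent = defaultdict(deque)        # (src, sig_key) -> deque[(ts, dst)]
    alerts = {}
    for line in sorted(lines, key=lambda ln: float(ln.split()[0])):
        ts, src, dst, proto, num = parse_flow(line)
        key = (proto, num)
        if key not in SIGNATURES:
            continue                   # ordinary traffic (web, mail, ...) is ignored
        q = recent[(src, key)]
        q.append((ts, dst))
        while q and ts - q[0][0] > window:
            q.popleft()                # drop probes older than the window
        name = SIGNATURES[key]
        if (src, name) in alerts:
            continue
        if len({d for _, d in q}) >= threshold:
            alerts[(src, name)] = ts
    return alerts


def sample_flows():
    """Constructed flow records (not captured traffic) mixing five behaviours."""
    lines = []
    # 1. Welchia-style host: one echo request to a new address every 0.1 s.
    for i in range(60):
        lines.append(f"{i * 0.1:.1f} 10.0.5.17 10.0.6.{i + 1} icmp 8")
    # 2. Blaster-style host: SYN to TCP/135 on a new address every 0.2 s.
    for i in range(30):
        lines.append(f"{100 + i * 0.2:.1f} 10.0.9.3 10.0.10.{i + 1} tcp 135")
    # 3. Monitoring box: pings the same three routers every half second.
    for i in range(120):
        lines.append(f"{i * 0.5:.1f} 10.0.1.1 10.0.2.{i % 3 + 1} icmp 8")
    # 4. Slow sweep: a new address only every 2 s, never 20 inside 10 s.
    for i in range(40):
        lines.append(f"{200 + i * 2:.1f} 10.0.7.7 10.0.8.{i + 1} icmp 8")
    # 5. Busy web client: many destinations, but TCP/80 is not a probe port.
    for i in range(40):
        lines.append(f"{300 + i * 0.1:.1f} 10.0.3.3 10.0.4.{i + 1} tcp 80")
    return lines


if __name__ == "__main__":
    for (src, name), ts in sorted(detect_scans(sample_flows()).items()):
        print(f"t={ts:7.1f}  {src:<10}  {name}")
```

Because the detector keys on fan-out rate rather than on a byte pattern in the worm, it fires on the first scanning host whether or not a definition file has arrived yet, which is exactly the gap NMCI was caught in; the price is the tuning of window and threshold so that legitimate monitoring and slow, low-volume activity stay below the line, as the third and fourth constructed hosts illustrate.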
“It was sort of a timing issue,” Christopher explained. “It
came to us before the anti-virus signature got to us. We had a patch that fixed
the vulnerability that it was looking for, but we have a standardized process
that we follow to test all patches before we deploy them. Welchia got to us
about two days before that patch got there.”
Christopher said NMCI program components are continuing to
conduct a lessons-learned study to understand how Welchia attacked NMCI, and
what they can do to stop similar attacks in the future.
“The good news is that we kept running,” he said. “It did
not bring us down, as reported in some cases in the press or misstated by
members of our own organization. We were able to keep operating. It just
impacted the plumbing. It caused a slowdown. Applications for whom the timing
of a response is very important were timing out, that kind of thing, but in
terms of the network operating, it continued to operate throughout.”
Meanwhile, Navy components under the Navy Network Warfare
Command (NETWARCOM) continue to provide information assurance and defense
against malicious code. The Navy Information Assurance center provides
downloads for anti-virus solutions from Symantec, Trend Micro and
McAfee/Network Associates Technology to support Navy legacy systems.
Defense In Depth
The Navy is not alone in its concerns over malicious code.
In September, the Army announced contract awards to four major vendors in its
Information Technology Enterprise Solutions (ITES) program. Beginning October
1, contractors Dell, GTSI, Hewlett-Packard and Lockheed Martin began offering
network hardware and software under indefinite delivery/indefinite quantity
contracts collectively worth about $500 million.
The Army depends on a mix of anti-virus solutions under
licenses purchased by the Department of Defense. Army computers also use
anti-virus solutions from Symantec, Trend Micro and McAfee. The ITES contract
awards do not change this situation; vendors must continue to work with the
existing anti-virus solutions for now, said Colonel Thaddeus Dmuchowski,
director of the information awareness directorate at the Army’s Network
Enterprise Technology Command (NETCOM).
The Army is using more than anti-virus applications to fend
off malicious code, however. The combined resources of the Army Network
Operations Center (ANOC) and Army Computer Emergency Response Team (ACERT),
collocated at Fort Belvoir, VA, are vital in Army network defense, Dmuchowski
said.
“What we have done with the collocation of the ANOC and the
ACERT, that allowed us to fuse operational issues, intelligence issues and
security issues from all of the security disciplines to develop a real
continuum of computer network operations,” Dmuchowski said. “Instead of just
sitting back to defend when something happens, it allows us to look at the
impacts of what might be coming, taking proactive measures such as shutting down
ports, or preparing prepositioned network blocks that we can import very
quickly in the event they are needed.”
Dmuchowski said that many of the lessons learned implemented
by the Army resulted from the attack of the Slammer worm, which ravaged
networks worldwide in January. Slammer spread through a buffer overflow in the
Resolution Service of Microsoft SQL Server 2000 (and of the MSDE desktop engine
embedded in many other products), listening on UDP port 1434; a single UDP
packet was enough to infect a host, so the worm needed no user action and no
connection handshake. It affected the networks of large enterprises, including
Microsoft itself, and caused millions of dollars in damage.
“What we learned from the worms also is that response times
need to be shortened from the time we find out about something to the time we
get whatever patches or corrective actions in place,” Dmuchowski said. “We have
identified that our defenders on the network, everyone responsible for security
of the network, need to be available 24/7, including evenings and weekends. You
notice that many of these worms are not launched during a nine-to-five business
day, Monday through Friday.”
Indeed, reports from iDefense indicate that many of these
worms are written by foreign nationals, including malicious coding groups in
China, Pakistan, Russia and other countries, and by students, who typically have
free time on weekends to release their code. Analysts say a coordinated response
is harder to mount when an outbreak begins outside the traditional workweek.
Malicious code authors exploit vulnerabilities much faster
than they did only a few years ago, Dunham noted.
“The window of opportunity to patch before threats emerge
regarding new vulnerabilities has dramatically dropped over the past 18
months,” he said. “It used to be around six months before you would see an
exploit appear, on average. We now see an increase in zero-day exploits as well
as an average of only about 100 days for exploits to appear in the wild. In the
case of the recent RPC attacks, we saw vulnerabilities exploited within a five
to 10 day window, not nearly enough time for some large organizations to
protect against such attacks.”
Dmuchowski admitted that different worms, such as Blaster,
SoBig and Welchia, had impacted different components of the Army in recent
months. However, he added, the Army’s defense-in-depth approach is largely
successful in containing most malicious code outbreaks. NETCOM, ANOC and ACERT
have adopted a proactive regime, as prescribed by Army regulations, Dmuchowski
said.
“The Army regulation 100-5, which is how the Army fights,
states that you cannot be victorious if you stay on the defense. You must
quickly transition to the offense,” Dmuchowski said. “The way we are
approaching that in the computer network operation arena is that we are not
sitting back and waiting to be attacked. We are trying to start to do the
threat analysis and take those proactive stances that we can to preposition
blocks or to speed up the timeline on how quickly we fix patches so that we can
fix them prior to their exploitation.”
Standardization Risks
The military cannot afford to rely on anti-virus solutions
alone, Dunham said.
“Relying upon anti-virus solutions is inherently flawed,” he
said. “If heuristics were any good at catching the next virus, we would never
have another big virus outbreak. Even in the case of a worm family like SoBig,
new variants couldn’t be stopped with heuristics. The reality is clear:
Anti-virus software is a good security measure to have in place, but it does
not protect against most new and emerging malicious code threats.”
Dunham noted that solutions such as those provided by
iDefense give computer users advance warning of malicious code outbreaks.
Dunham’s team pinpointed the testing of Welchia 25 days before the worm first
spread. Government CERT teams and Navy Information Assurance provide similar
functions to the networks they service. A number of foreign nations have
aggressively explored the use of different platforms, notably Linux systems, to
thwart malicious code outbreaks.
“There are only a handful of non-Windows type worms, such as
Lion, Cheese, Spida and Slapper,” Dunham said. “There are of course rootkits
and many Trojans on multiple platforms. While Macintosh computers are typically
considered immune to virus attacks, we do find that Macintosh computers often
serve as a vector through which viruses may spread, with infected files being
sent onwards to targeted platforms such as Microsoft Windows.”
Still, platforms other than Windows are simply not infected by
malicious code written for Microsoft products. Users of Macintosh computers,
from Apple Computer, do not need to guard against exploits developed for
Microsoft Windows systems, although, as Dunham notes, they can still relay
infected files to the Windows machines those exploits target.
The military obviously sees the benefits of standardization,
Dunham said. But he urged developers to consider avoiding standard
configurations where possible.
“Obviously interoperability is a huge factor for the
military, so the use of widely adopted, easy-to-deploy Microsoft solutions is a
big plus in standardizing the use of such software,” Dunham explained. “There
are more support groups, more training materials, and more people trained to
work on such programs as compared to alternative solutions.”
Even so, he added, “a multi-tiered approach would benefit
the military most. The military should carefully consider multiple solutions to
help lower the risk of attack, including non-standard setups and configurations
and vendors for more sensitive areas of military networks.”
Christopher argued that the military must keep an eye on
anything that impacts the critical infrastructure of the nation at large. Thus,
the military services would still maintain vigilance on malicious code
outbreaks even if they had chosen to standardize on an alternate platform.
Microsoft Windows accounts for 90 percent of all operating systems on desktop
computers.
“If you have vulnerabilities, the bug doesn’t know if it is
a military or non-military computer,” Christopher said. “In reality, however,
something that is impacting the efficiency of our national IT infrastructure
impacts our capabilities from a military perspective as well. We are, of
course, interested in these things even if they are not affecting us directly.
If they are affecting our industry partners, like Lockheed or Boeing or someone
like that, we are obviously affected by that as well.”
The CCIA report argues that the Microsoft monopoly has
resulted in an international monoculture, where the software giant has failed
to keep its products secure. “The threats to international security posed by
Windows are significant, and must be addressed quickly,” the report contends.
While strongly disputing the report’s conclusions, Microsoft
officials continue to strengthen the security of their ubiquitous software
products. The company in October announced a series of security steps that
included improved patch-management processes, user education and software
updates designed to make software systems more resistant to attack.
The CCIA report cites statistics from mi2g Ltd., a cyber
security firm based in London, that conclude global damage from malicious code
has totaled $107 billion so far in 2003. The SoBig worms alone, the report
adds, were responsible for $30 billion in damages.
Organizations lose money while resources are unavailable, and
then must spend more to restore the services that malicious code disrupted.
Military organizations are no exception, but Dmuchowski said that the Army will
continue to search for ways to keep costs in line as well.
“As a learning organization, the Army constantly has to
change,” Dmuchowski said. “We take away new ideas and new action reviews that
tell us what to change to make it better. So today’s processes will not be the
same as next month’s processes because different things will change. The hacker
community or the people who want to do us harm are not restricted by money and
are not restricted by timelines. We have to be prepared for just about
everything.”