Mr. Chairman and Members of the Permanent Subcommittee on Investigations of the Senate Committee on Governmental Affairs:
My name is Richard Pethia. I manage the Trustworthy Systems Program and the CERT(sm) Coordination Center (CERT/CC) at the Software Engineering Institute (SEI) in Pittsburgh, Pennsylvania.
Thank you for the opportunity to testify on the role of the CERT Coordination Center in addressing the security of computer information systems and networks. Today I will give you some background on the CERT/CC, describe the trends we have observed while responding to computer security incidents on the Internet, discuss near term steps that I believe can be taken to address today's problems, and consider what the future holds.
The CERT Coordination Center is located at the Carnegie Mellon University Software Engineering Institute in Pittsburgh, Pennsylvania.
The SEI was established in 1984 as a federally funded research and development center in response to the "software crisis." We were established through a competitive procurement process, initiated by the Department of Defense with the approval of Congress. Operated by Carnegie Mellon and sponsored by the Defense Advanced Research Projects Agency (DARPA), the SEI concentrates on technology transition to improve software engineering practice.
Nearly a decade ago, DARPA recognized the growing danger of automated and human-driven attacks on the Internet. Following the Internet Worm incident in November 1988, DARPA charged the SEI with setting up a center to coordinate communications among experts during security emergencies and to help prevent future incidents like the worm. In particular, the CERT/CC mission is to
Since the inception of its response team, the SEI has responded to over 7,600 security incidents affecting tens of thousands of Internet-connected sites. In this role, the SEI helps sites identify and correct specific problems in their systems and policies, notifies and works with law enforcement agencies, notifies and works with the vendor community to correct deficiencies in their products, and coordinates incident response activities with other sites affected by the same incident. In addition to incident response, the SEI warns the community of vulnerabilities and widespread attacks through its advisory service. The CERT/CC at the SEI has issued 119 advisories with direct distribution to over 100,000 sites and secondary distribution to millions of others.
The CERT/CC plays both response and prevention roles. Like a fire department, the response efforts are most widely visible; but, also like a fire department, the prevention efforts have the greatest long-term impact. While my comments today focus on the security incidents and trends we have seen, the plans we are developing for the future, with guidance from DARPA, place increased emphasis on CERT/CC research and development activities.
Security Incident Handling Activities
In its response role, the CERT/CC assists computer system administrators within the Internet who report security problems to us. We help the administrators of the affected sites to identify and correct the vulnerabilities that allowed the incident to occur, and we coordinate the response with other sites affected by the same problem. Our staff also works closely with computer vendors to identify and correct vulnerabilities in their products.
The CERT/CC operates in an environment where intruders form a well-connected community and use network services to quickly distribute information on how to maliciously exploit vulnerabilities in systems. Intruders dedicate time to developing programs that exploit vulnerabilities and to sharing information. They have developed their own publications and they regularly hold conferences that deal specifically with tools and techniques for defeating security measures in networked computer systems.
In contrast, the legitimate, often over-worked, system administrators on the network frequently find it difficult to take the time and energy from their normal activities to stay current with security and vulnerability information, much less design patches, workarounds (mediation techniques), tools, policies, and procedures to protect the computer systems they administer.
In helping the legitimate Internet community work together, we face policy and management issues that are perhaps even more difficult than the technical issues. For example, one challenge we routinely face concerns the dissemination of information about security vulnerabilities. Our experience suggests that the best way to help the community to improve the security of their systems is to work with a group of technology producers and vendors to develop workarounds and repairs for security vulnerabilities disclosed to the CERT/CC. To this end, in the absence of a major threat, we do not publicly disclose vulnerabilities until a repair or workaround has been developed, along with directions on how to install it.
Once those conditions have been met, the CERT/CC issues an advisory to the entire Internet community, explaining the problem and detailing the corrective action to be taken. Appendix A lists the advisories we have released to date.
Forum of Incident Response and Security Teams (FIRST)
From the beginning, DARPA recognized that the scale of emerging networks and the diversity of user communities would make it impractical for a single organization to provide universal computer security response support. The CERT model, therefore, presumed the creation of multiple incident response organizations, each serving a particular user group. The challenge was to develop prevention and response capabilities that are sensitive to the cultural differences among communities, that account for the different nature of vulnerabilities encountered, and that provide solutions to problems that can be effectively adopted by the different communities.
The CERT/CC worked closely with a number of other organizations and agencies to help them create their own incident response teams. DARPA collaborated with the National Institute of Standards and Technology (NIST) to create a facility for interaction between these incident response organizations. That initiative resulted in the Forum of Incident Response and Security Teams (FIRST). Within FIRST, the individual response teams focus on specific constituencies (organizations from government, from industry, and from academe) reflecting the international scope of the Internet. Each response team builds trust within its constituent community by establishing contacts and working relationships with members of that community. These relationships enable response teams to be sensitive to the distinct needs, technologies, and policies. FIRST members collaborate on incidents that cross boundaries, and they cross-post alerts and advisories on problems relevant to their constituents.
More than 50 organizations make up the membership of FIRST. For a full list of current FIRST members, see Appendix B.
The CERT Coordination Center received its first computer security incident report on its first day of operation and has responded to a continuous stream of incidents ever since.
Some incidents are best characterized as pranks or minor vandalism, but others have more serious consequences. For example:
Computer security events occasionally capture public attention and command headlines, such as "High-tech crooks crack Internet security" (USA Today, January 1995); "America Online admits hackers harassing network" (Boston Globe, September 1995); "Hacking theft of $10 million from Citibank revealed" (Los Angeles Times, August 1995); "Hacking away at the Internet's Web" (Washington Post, November 1995); and "Stop! Cyberthief!" (Newsweek, February 1995).
However, these sensational events represent only a small fraction of the events that are reported to the CERT/CC and other incident response teams. In 1989, its first full year of operation, the CERT/CC responded to 132 reported security incidents. By calendar year 1995, the number of incidents reported annually had risen to over 2,400. In addition to the increase in incident reports, we are also seeing the following trends.
In 1988, intruders most often exploited widely known system vulnerabilities, default passwords, and easy-to-guess passwords. These activities continue in 1996. However, more sophisticated intrusions are now common; for example, intruders examine source code looking for new ways to exploit flaws in programs such as those used for electronic mail.
Intruders are abusing poorly assembled or configured systems to exchange pirated software, information on credit card numbers, and information on sites that have been compromised. Among the site information they share are the identities of compromised hosts, accounts, and passwords.
They are becoming more sophisticated and presenting new and increasingly complex methods of attack.
Intruders monitor the Internet looking for new hosts or sites connecting to the Internet. These hosts/sites are often not fully configured before connecting, and are therefore vulnerable to attacks.
Intruders install packet sniffers, programs that capture data (such as user identifications and passwords) from information packets as they travel over the network.
Most recently, intruders have been exploiting vulnerabilities associated with the World Wide Web to gain unauthorized access to systems that have not installed corrections to the vulnerabilities.
They also "spoof" computer addresses, resulting in allowed connections that would not otherwise be permitted.
Of the 346 incidents closed during the first quarter of 1996, 7.5 percent involved these new, sophisticated methods, including packet sniffers, spoofing, and infrastructure attacks (and 20 percent resulted in total compromises of systems, in which intruders gain "super-user" privileges). This represents a significant increase in such attacks.
With their sophisticated technical knowledge and understanding of the network, intruders are increasingly exploiting network interconnections. They move easily through the infrastructure, attacking it all. The intruders have targeted network name servers, network service providers, and major archive sites.
Infrastructure attacks are even more threatening because legitimate network managers and administrators typically think about protecting systems and parts of the infrastructure rather than the infrastructure as a whole.
Not only do automated tools make it easier for sophisticated intruders to find and exploit vulnerabilities, but these tools also enable the less knowledgeable to do the same thing. For example, even technically naive, would-be intruders can scan the Internet looking for new hosts/sites and for particular vulnerabilities. By sharing easy-to-use tools, successful intruders increase their population and their impact.
The intruders hide their existence on hosts through the use of Trojan horse programs, programs that have been altered so that they do more than what is expected. For example, the intruders have altered the login program so that the program still allows users to log in to a system, but also allows an intruder to log in without the activity showing up in the system logs.
Intruders also encrypt output from their intrusions. For example, they have encrypted packet sniffer output logs. This makes it difficult or impossible to determine what information has been captured. Site information and passwords thus remain compromised.
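The altered login program described above is the classic case that a file integrity baseline catches, since the trojaned binary no longer matches the vendor-shipped one. As an added example that is not from the testimony or from the CERT/CC, the following Python script baselines a directory of binaries with SHA-256 and reports what was modified, removed or added; the directory and file contents are constructed stand-ins, not real system programs.

```python
"""Baseline-and-verify integrity check for a directory of binaries (added example)."""
import hashlib
import json
import os
import tempfile


def file_digest(path):
    """SHA-256 of a file's contents, read in chunks so large binaries are fine."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(directory):
    """Map each regular file under directory to its digest, size and permission bits."""
    baseline = {}
    for root, _dirs, files in os.walk(directory):
        for name in files:
            path = os.path.join(root, name)
            st = os.stat(path)
            rel = os.path.relpath(path, directory)
            baseline[rel] = {"sha256": file_digest(path),
                             "size": st.st_size,
                             "mode": st.st_mode & 0o7777}
    return baseline


def verify(directory, baseline):
    """Compare the directory against a stored baseline and return the findings."""
    current = build_baseline(directory)
    modified = sorted(p for p in baseline if p in current and
                      (current[p]["sha256"] != baseline[p]["sha256"] or
                       current[p]["mode"] != baseline[p]["mode"]))
    missing = sorted(p for p in baseline if p not in current)
    added = sorted(p for p in current if p not in baseline)
    return {"modified": modified, "missing": missing, "added": added}


def demo():
    """Constructed scenario: baseline two stand-in binaries, then tamper with one."""
    with tempfile.TemporaryDirectory() as d:
        for name, body in (("login", b"original login program v1"), ("ls", b"original ls")):
            with open(os.path.join(d, name), "wb") as f:
                f.write(body)
        manifest = json.dumps(build_baseline(d))  # in practice stored on read-only media
        # Simulated trojaned login: same size as the original, so a size check alone misses it.
        with open(os.path.join(d, "login"), "wb") as f:
            f.write(b"backdoor login program v1")
        with open(os.path.join(d, "sniffer"), "wb") as f:  # an unexpected new file
            f.write(b"constructed stand-in for a sniffer binary")
        return verify(d, json.loads(manifest))
```

The baseline must be taken from a known-good install and kept where a host compromise cannot rewrite it, otherwise an intruder who alters the login program can update the manifest to match.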
Other Significant Trends
While the intruders are becoming more proficient at their work, other trends that exacerbate the problem are also evident.
As the technology is being distributed, the management of the technology is often distributed as well. In these cases, system administration and management often falls upon people who do not have the skill needed to operate their systems securely.
There is no evidence of improvement in the security features of most products. We routinely receive reports of new vulnerabilities. In fact, in 1995 the CERT/CC received an average of 35 new reports each quarter. In the last two quarters, that number has increased to 65 and 92 reports respectively.
Today's software products, workstations and personal computers bring the power of the computer to increasing numbers of people who use that power to perform their work more efficiently and effectively. Products are so easy to use that people with little technical knowledge or skill can install and operate them on their desktop computers. Unfortunately, many of these products are still difficult to configure and operate securely. This gap will lead to increasing numbers of vulnerable systems.
Computers have become such an integral part of American business and government that computer-related risks cannot be separated from general business risks. In addition, the widespread use of databases leaves the privacy of individuals at risk. New, valuable government and business assets are now at risk over the Internet.
Customer and personnel information may be exposed to intruders. Financial data, intellectual property, and strategic plans may be at risk.
Increased use of computers in safety-critical applications, including the storage and processing of medical records data, increases the chance that accidents or attacks on computer systems can cost people their lives.
The rush to the Internet, coupled with a lack of understanding, is leading to the exposure of sensitive data and risk to safety-critical systems. Misconfigured or outdated operating systems, mail programs, anonymous FTP servers, or Web sites result in vulnerabilities that intruders can exploit. Even one naive user with an easy-to-guess password increases the organization's risk.
When vendors release patches or upgrades to solve security problems, organizations' systems are not necessarily upgraded. The job may be too time-consuming or complex for the system administration staff to handle.
Because managers do not fully understand the risks, they neither give security a high enough priority nor assign adequate resources. Exacerbating the problem is the fact that the demand for skilled system administrators far exceeds the supply. Training will solve only part of this problem.
Security audits and evaluations often only skim the surface of the technology, missing major vulnerabilities. Among security-conscious organizations, there is increased reliance on "silver bullet" solutions, such as firewalls and encryption. As these solutions are not foolproof, the organizations are lulled into a false sense of security and become less vigilant.
At the development level, vendors are not seeking comprehensive solutions either. Technology evolves so rapidly that vendors concentrate on time-to-market. Until their customers demand products that are more secure, the situation is unlikely to change.
While the security problem is complex and growing, there are steps that can be taken to mitigate the risks.
The CERT/CC and other response teams have demonstrated effectiveness at discovering and dealing with vulnerabilities and incidents. Ongoing operation and expansion of open, wide area networks will benefit from stronger response teams and response infrastructures.
Many network service providers are well positioned to offer security services to their clients. These services should include helping clients install and operate secure network connections as well as mechanisms to disseminate vulnerability information and corrections rapidly.
Build programs to increase awareness of security issues and share lessons learned among government agencies and industry.
Organizations often are vulnerable because they are not aware of the risks. Organizations that have suffered attacks often are unwilling to discuss their problems for fear of loss of confidence by their customers. Mechanisms should be established to support the sanitizing and disseminating of data on security problems, data that helps the networked community understand the scope and cost of the overall problem.
Network operators need guidance in the form of secure network management models, security assessment techniques, and techniques needed to establish ongoing security improvement programs. These programs must keep pace with rapidly changing threats and technology, must strongly emphasize technology, and must become part of routine practice rather than simple, periodic audits against a static policy.
Building, operating, and maintaining secure networks are difficult tasks and there are few educational and training programs that prepare people to perform these tasks. Ongoing operation of secure networks will require higher levels of skill than are evident today.
Acquisition and operations organizations must recognize the need for, and be encouraged to invest in, technology that is effective at dealing with the security threat.
Acquisition and operations organizations should drive the market for comprehensive security toolkits that support network administrators' efforts to operate secure systems. While many tools are available today, these tools do not provide comprehensive solutions to the security problem. Comprehensive toolkits will only be developed when technology users demand them from computer vendors.
Today, there is rapid movement toward increased use of interconnected networks for commerce, research and development, entertainment, education, operation of government, industry, and academic organizations; and support of delivery of health and other human services. While this trend promises many benefits, it also comes with many risks. Techniques for securing systems that have worked in the past will not be effective in the world of unbounded networks, mobile computing, distributed applications, and dynamic computing that we are beginning to see with languages such as JAVA.
To reap the promise of these emerging networks, ongoing research is needed in the areas of security architectures and models for unbounded domains; techniques that allow development and operation of systems that are robust enough to detect and recover from attacks; techniques and mechanisms to identify, repair and deploy corrections to flawed software in operational systems; and operational models and mechanisms that allow detection of widespread, distributed attacks, diagnosis of attack techniques, and rapid development and deployment of preventive measures.
Maintaining a long-term view and investing in research toward systems and operational techniques that yield networks capable of surviving attacks while protecting sensitive data is critical.
Appendix A: CERT(sm) Advisories
The following advisories have been issued to date. Complete text of the advisories and other security information can be found at http://www.cert.org