News

USIS Washington File

18 May 2000

Byliner: CERT'S Cross on Internet Security

(Says Internet vulnerable to sabotage) (2300)
 
(Following is an article published May 18 in the Economic Perspectives
journal of the U.S. State Department. No restrictions on
republication. The complete journal can be found at
http://usinfo.state.gov/journals/ites/0500/ijee/ijee0500.htm)

The Vulnerability of the Internet
By Stephen E. Cross

(The author is the director of the Software Engineering Institute.)

Vulnerabilities associated with the Internet put government, the
military, commerce, and individual users at risk. The Internet is a
complex, dynamic world of interconnected networks with no clear
boundaries and no central control. Because the Internet was not
originally designed with security in mind, it is difficult to ensure
the integrity, availability, and privacy of information.

This is important because use of the Internet is replacing other forms
of electronic communication, and the Internet itself is growing at an
amazing rate. Concurrent with the growth of the Internet, intruder
tools are becoming increasingly sophisticated and also becoming
increasingly easy to use and widely available. For the first time,
intruders are developing techniques to harness the power of hundreds
of thousands of vulnerable systems on the Internet.

Here are just a few examples of security breaches that have been
reported in the press. In addition to these examples, the CERT/CC
handles reports of breaches at e-commerce sites daily.

-- An attacker obtained 100,000 credit card numbers from the records
of a dozen retailers selling their products through Web sites. The
credit cards had limits between $2,000 and $25,000, putting the
potential cost of theft at $1,000 million. The attacker was caught
when he tried to sell the card numbers to an apparent organized-crime
ring that turned out to be the Federal Bureau of Investigation.

-- Intruders gained unauthorized access to proprietary information on
the computer network of a major U.S. corporation. The company was not
able to identify the techniques used by the intruders. The company
shut down its Internet connection for 72 hours as a precaution,
denying access to legitimate users and cutting customers off from
information that the company normally makes available through the
Internet.

-- In a case of cyber-extortion, an intruder stole 300,000 credit card
numbers from an online music retailer. The intruder, who described
himself as a 19-year-old from Russia, sent an e-mail to the New York
Times bragging he had accessed the company's financial data through a
flaw in its software. The intruder later used the card numbers in an
attempt to blackmail the retailer into paying $100,000 in exchange for
destroying the sensitive files. When the company refused to comply,
the intruder released thousands of the credit card numbers onto the
Internet in what turned out to be a public relations disaster for the
company. Security experts still do not know how the site was
compromised or the full extent of how the break-in affected the site's
customers. Credit card companies responded by canceling and replacing
the stolen card numbers and notifying affected cardholders by e-mail.
E-commerce analysts say many similar attacks go unreported.

-- In March 2000, in the most serious systematic breach of security
ever for British companies, a group of intruders based in the United
Kingdom broke into the computer systems of at least 12 multinational
companies and stole confidential files. The group issued ransom
demands of up to $15.7 million in exchange for the return of the
files. Scotland Yard and the FBI are investigating the break-ins and
are scrutinizing e-mail traffic between England and Scotland. They
believe the group is highly professional and may be working for
information brokers specializing in corporate espionage.

It is obvious from these examples and the ongoing activity of the
CERT/CC that there is much work to be done to secure our electronic
networks adequately to meet the needs of the expanding e-commerce
marketplace. However, measures can be taken to reduce the risk of
security breaches that can be so devastating to businesses seeking to
establish a foothold in the electronic marketplace.

ATTRACTIVENESS OF THE INTERNET TO ATTACKERS 

Compared with other critical infrastructures, the Internet seems to be
a virtual breeding ground for attackers. Although some attacks seem
playful (for example, students experimenting with the capability of
the network) and some are clearly malicious, all have the potential to
do damage by denying the ability to transact business on the
Internet. Attacks enable intruders to gain privileged access to a
system so that it effectively belongs to them. With their unauthorized
privileges, they can, for example, use the system as a launch platform
for attacks on other sites or as one node in an attack using
distributed-system intruder tools, which allow intruders to involve a
large number of sites simultaneously, focusing all of them to attack
one or more victim hosts or networks. Still other attacks are designed
to reveal sensitive information, such as passwords or trade secrets.
Examples of specific attack strategies can be found in CERT
advisories, published online by the CERT/CC at http://www.cert.org/.
Unfortunately, Internet attacks in general, and in particular
denial-of-service attacks - attacks that prevent legitimate users of a
service from using it - remain easy to accomplish, hard to trace, and
of low risk to the attacker.

Internet attacks are easy because Internet users place unwarranted
trust in the network. It is common for sites to be unaware of the
amount of trust they actually place in the infrastructure of the
Internet and its protocols. Unfortunately, the Internet was originally
designed for robustness against attacks or events external to the
Internet infrastructure - that is, physical attacks against the
underlying wires and computers that make up the system. The
Internet was not designed to withstand internal attacks - attacks by
people who are part of the network. And now that the Internet has
grown to encompass so many sites, millions of users are effectively
inside.

Internet attacks are easy in other ways. It is true that some attacks
require technical knowledge - equivalent to that of a college
graduate who majored in computer science - but many successful attacks
are carried out by technically unsophisticated intruders. Technically
competent intruders duplicate, share, and package their programs and
information into user-friendly form at little cost, thus enabling
naive intruders to do the same damage as the experts.

THE DIFFICULTY OF TRACING INTERNET ATTACKS

Through the use of a technique known as "IP spoofing," attackers can
lie about their identity and location on the network. Information on
the Internet is transmitted in packets, each containing information
about the origin and destination. A packet can be compared to a
postcard - senders provide their return address, but they can lie
about it. Most of the Internet is designed merely to forward packets
one step closer to their destination: routers act on the destination
address alone, do not verify the source address, and make no record
of it. There is not even a "postmark" to indicate generally
where a packet originated. It requires close cooperation among sites
and up-to-date equipment to trace malicious packets during an attack.
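The packet fields the paragraph describes, as an added example that is not part of the original article: a Python script that builds and parses a minimal IPv4 header, showing that the source address is simply a field the sender fills in and that the header checksum only catches transmission errors, then applies the ingress-filtering check (the practice documented as BCP 38) a network operator can run at a customer edge: forward a packet only if its source lies in the prefix assigned to that link. The addresses and the prefix 192.0.2.0/24 are constructed documentation-space values, and the function names are this example's own.

```python
"""
Added example (not from the article): build and parse an IPv4 header to show
that the source address is an unauthenticated field, then apply an ingress
filter at a customer edge. All packets below are constructed for the example;
192.0.2.0/24, 198.51.100.0/24 and 203.0.113.0/24 are documentation prefixes.
"""
import ipaddress
import struct


def ipv4_checksum(hdr: bytes) -> int:
    """One's-complement sum of 16-bit words, as routers compute it. It detects
    bit errors in transit; it says nothing about who sent the packet."""
    total = 0
    for i in range(0, len(hdr), 2):
        total += (hdr[i] << 8) | hdr[i + 1]
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4_header(src: str, dst: str, proto: int = 17, payload_len: int = 0) -> bytes:
    """Build a minimal 20-byte IPv4 header. The sender chooses every field,
    including the source address; nothing proves the packet came from src."""
    version_ihl = (4 << 4) | 5            # IPv4, 5 x 32-bit words, no options
    total_len = 20 + payload_len
    hdr = struct.pack(
        "!BBHHHBBH4s4s",
        version_ihl, 0, total_len, 0, 0, 64, proto, 0,   # checksum field zeroed
        ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed,
    )
    csum = ipv4_checksum(hdr)
    return hdr[:10] + struct.pack("!H", csum) + hdr[12:]


def parse_ipv4_header(pkt: bytes) -> dict:
    """Return the fields a router actually looks at. A forged source address
    still arrives with a valid checksum, so this check cannot expose it."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (pkt[0] & 0x0F) * 4
    if ihl < 20 or len(pkt) < ihl:
        raise ValueError("bad IHL")
    if ipv4_checksum(pkt[:ihl]) != 0:     # a correct header folds to zero
        raise ValueError("header checksum mismatch")
    ttl, proto = struct.unpack("!BB", pkt[8:10])
    return {
        "src": str(ipaddress.IPv4Address(pkt[12:16])),
        "dst": str(ipaddress.IPv4Address(pkt[16:20])),
        "ttl": ttl,
        "proto": proto,
    }


def ingress_filter(pkt: bytes, allowed_prefix: str) -> str:
    """Ingress filtering at the customer edge (BCP 38): forward only if the
    source address lies within the prefix assigned to this link."""
    fields = parse_ipv4_header(pkt)
    net = ipaddress.ip_network(allowed_prefix)
    return "forward" if ipaddress.ip_address(fields["src"]) in net else "drop"


if __name__ == "__main__":
    # Constructed traffic on a link whose customer was assigned 192.0.2.0/24.
    honest = build_ipv4_header("192.0.2.10", "198.51.100.5")
    forged = build_ipv4_header("203.0.113.77", "198.51.100.5")   # spoofed source
    for p in (honest, forged):
        f = parse_ipv4_header(p)
        print(f"{f['src']:>15} -> {f['dst']:<15} {ingress_filter(p, '192.0.2.0/24')}")
```

Note what the filter does and does not achieve: it stops a site's own hosts from originating packets with forged sources, which makes a compromised host there a poorer launch platform, but it does nothing about packets arriving from networks that do not filter. That is why the article's point about cooperation among sites stands.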

Moreover, the Internet is designed to allow packets to flow easily
across geographical, administrative, and political boundaries.
Consequently, cooperation in tracing a single attack may involve
multiple organizations and jurisdictions, most of which are not
directly affected by the attack and may have little incentive to
invest time and resources in the effort. The attacker enjoys the added
safety of the need for international cooperation in order to trace the
attack, compounded by impediments to legal investigations.

Because attacks against the Internet typically do not require the
attacker to be physically present at the site of the attack, the risk
of being identified is reduced. In addition, it is not always clear
when certain events should be cause for alarm. For example, what
appear to be probes and unsuccessful attacks may actually be the
legitimate activity of network managers checking the security of their
systems. Even in cases where organizations monitor their systems for
illegitimate activity, which occurs in only a small minority of
Internet-connected sites, real break-ins often go undetected because
it is difficult to identify illegitimate activity. Furthermore,
because intruders cross multiple geographical and legal domains, an
additional cloud is thrown over the legal issues involved in pursuing
and prosecuting them.

IMPACT OF SECURITY BREACHES

As illustrated by the examples cited at the beginning of this article,
security breaches can cause a loss of time and resources as personnel
investigate the compromise, determine potential damage, and restore
the systems. The systems may provide reduced service or be unavailable
for a period of time. Sensitive information can be exposed or altered,
and public confidence can be lost. After a successful computer system
intrusion, it can be very difficult or impossible to determine
precisely what subtle damage, if any, was left by the intruder. Loss
of confidence can result even if an intruder leaves no damage because
the site cannot prove none was left.

Particularly serious for business are denial-of-service attacks and
the exposure of sensitive information. The goal of denial-of-service
attacks is not to gain unauthorized access to machines or data, but to
prevent legitimate users of a service from using it. A
denial-of-service attack can come in many forms. Attackers may "flood"
a network with large volumes of data or deliberately consume a scarce
or limited resource. They may also disrupt physical components of the
network or manipulate data in transit, including encrypted data. Once
an overt denial-of-service attack has been resolved and the service
returned, users generally regain trust in the service they receive.
But exposure of sensitive information makes an organization highly
susceptible to a loss-of-confidence crisis.
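The flooding form of denial of service described above, together with the earlier point that IP spoofing makes attacks hard to trace, as an added example that is not from the article: a Python sliding-window rate counter run over constructed flow records of (timestamp, source, destination). It shows a burst standing out clearly when packets are counted per destination, a per-source counter catching the burst only when the attacker uses one real address, and the same per-source counter seeing nothing when every burst packet carries a random forged source. The traffic, addresses, window and threshold are all constructed for the example.

```python
"""
Added example (not from the article): how a flood shows up in flow telemetry
and why IP spoofing defeats per-source rate limiting. Records are constructed
tuples (timestamp_seconds, src, dst); addresses are documentation space.
"""
from collections import defaultdict, deque
import random


def sliding_window_rates(records, window: float, key: str) -> dict:
    """Peak number of records per key ('src' or 'dst') seen inside any trailing
    window of `window` seconds. Records are processed in time order."""
    queues = defaultdict(deque)
    peak = defaultdict(int)
    for ts, src, dst in sorted(records):
        k = src if key == "src" else dst
        q = queues[k]
        q.append(ts)
        while q and ts - q[0] > window:   # expire timestamps outside the window
            q.popleft()
        peak[k] = max(peak[k], len(q))
    return dict(peak)


def flagged(records, window: float = 1.0, threshold: int = 100, key: str = "src"):
    """Keys whose peak rate exceeds `threshold` packets per `window` seconds."""
    rates = sliding_window_rates(records, window, key)
    return sorted(k for k, n in rates.items() if n > threshold)


def make_traffic(spoofed: bool, seed: int = 1):
    """Constructed traffic: 50 clients in 192.0.2.0/24 each send about 1 pkt/s
    to 198.51.100.5 for 10 s, plus a 2 s burst of 2,000 packets. If `spoofed`,
    every burst packet carries a random forged source, as an attacker using
    IP spoofing would send; otherwise the burst comes from one real address."""
    rng = random.Random(seed)
    records = []
    for i in range(50):
        for t in range(10):
            records.append((t + rng.random(), f"192.0.2.{i + 1}", "198.51.100.5"))
    for j in range(2000):
        if spoofed:
            src = ".".join(str(n) for n in (rng.randrange(1, 224), rng.randrange(256),
                                              rng.randrange(256), rng.randrange(1, 255)))
        else:
            src = "203.0.113.9"
        records.append((4.0 + j / 1000.0, src, "198.51.100.5"))
    return records


if __name__ == "__main__":
    for spoofed in (False, True):
        traffic = make_traffic(spoofed)
        print(f"spoofed={spoofed}: by destination {flagged(traffic, key='dst')}, "
              f"by source {flagged(traffic, key='src')}")
```

Counting per destination tells the victim that it is under attack; only counting per source, or tracing the packets back hop by hop, could say by whom, and that is exactly the information a forged source address removes.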

RECOMMENDED SOLUTIONS

The problem is serious and complex, and a combination of approaches
must be used to reduce the risks associated with the ever-increasing
dependence on the Internet and the possibility of a sustained attack
on it. Effective solutions require multidisciplinary cooperation that
includes information sharing and joint development of comprehensive
solutions, as well as support for a long-term research agenda.

-- Collect, Analyze and Disseminate Data on Information Assurance: The
nature of threats to the Internet is changing rapidly and will
continue to do so for the foreseeable future. The combination of
rapidly changing technology, rapidly expanding use, and the
continuously new and often unimagined uses of the Internet creates a
volatile situation in which the nature of threats and vulnerabilities
is difficult to assess and even more difficult to predict.

To help ensure the survivability of the Internet, and the information
infrastructure as a whole, it is essential that law enforcement
organizations and incident response teams continuously monitor cyber
security threats and vulnerabilities and identify trends in intrusion
activity, and make this information widely available throughout the
Internet community.

-- Support the Growth and Use of Global Detection Mechanisms: One way
to gain a global view of threats is to use the experience and
expertise of incident response teams to identify new threats and
vulnerabilities. The CERT/CC, for example, provides assistance to
computer system administrators in the Internet community who report
security problems. When a security breach occurs, staff members help
the administrators of the affected sites to identify and correct the
vulnerabilities that allowed the incident to occur; work with vendors
to inform them of security deficiencies in their products, help them
to develop workarounds and repairs for security vulnerabilities, and
facilitate and track their responses to these problems; and coordinate
the response with other sites affected by the same incident.

Because major reporting centers for computer security information,
such as the CERT/CC, gather large amounts of data, they can identify
trends and coordinate the development of solutions to newly developing
problems.

Internet service providers, too, should develop security incident
response teams and other security improvement services for their
customers. Many network service providers are well positioned to offer
security services to their clients. These services should include
helping clients install and operate secure network connections as well
as mechanisms to rapidly disseminate vulnerability information and
corrections.

-- Support Education and Training to Raise the Level of Security: Most
users of the Internet have no more understanding of the technology
than they do of the engineering behind other infrastructures.
Similarly, many system administrators lack adequate knowledge about
the network and about security, even while the Internet is becoming
increasingly complex and dynamic. To encourage "safe computing,"
governments should fund the development of educational material and
programs about cyberspace for all users, both adults and children, and
invest in awareness campaigns that stress the need for security
training for system administrators, network managers, and chief
information officers.

-- Support Research and Development: It is critical to maintain a
long-term view and invest in research toward systems and operational
techniques that yield networks capable of surviving attacks while
protecting sensitive data. In doing so, it is essential to seek new,
fundamental technological solutions and to seek proactive, preventive
approaches, not just reactive, curative approaches.

CONCLUSION

The Internet has proven to be an engine that is driving a revolution
in the way business is conducted. Because of the tremendous
interconnectedness and interdependence among computer systems on the
Internet, the security of each system on the Internet depends on the
security of all other systems on the network. Cyber security efforts
must focus on reporting and monitoring threats and vulnerabilities,
education and training, and research and development.
____________________

The Software Engineering Institute (SEI), a federally funded research
and development center at Carnegie Mellon University sponsored by the
U.S. Department of Defense, is the home of the CERT(r) Coordination
Center (CERT/CC; URL: http://www.cert.org). Since it was established
in 1988, the CERT/CC has worked with the Internet community to respond
to computer security events, raise awareness of computer security
issues, provide training, and conduct research into technical
approaches for identifying and preventing security breaches.

CERT and CERT Coordination Center are registered in the U.S. Patent
and Trademark Office.

(Distributed by the Office of International Information Programs, U.S.
Department of State. Web site: http://usinfo.state.gov)
