cose 2208.qxd
08/12/2003
15:56
Page 664
Computer security: mapping the future
Compsec 2003 in review
Stephen Hinde, IS Audit Editor
Computers & Security Vol 22, No 8

'Computer security: mapping the future' was the theme of the twentieth Compsec conference, with a subtext of future threats and future tools. There were two main changes this year. The first was that it was a two-day, two-stream conference running in parallel with the Biometrics and ID Smart conferences, five streams of presentations in all. The other change was that the presentations came from speakers who bore the scars: in the main, practitioners who had been there, done it, and got the T-shirt and the scars to show for it. It was refreshing to hear speakers give an honest, warts-and-all account of how they did something.

Dame Pauline Neville-Jones, chair of QinetiQ and the international Governor of the BBC, set the scene with a thought-provoking opening keynote that posed a series of questions. She said that information technology is the nervous system of society, and that globalisation was created by it. B2B (business-to-business) has been good, but B2C (business-to-consumer) has been slower to take off and eGovernment has trailed far behind. The key reason for the slow uptake has been trust, or rather the lack of it. Trust is crucial; all freedoms depend on it. Without it the technology will not be fully embraced. There needs to be trust in security, confidentiality and privacy.

And what does the future look like for computer security? That depended on whether the speaker was the type of person who thinks a glass is half full or the type who thinks it is half empty. Peter Kaye, security adviser to the Bank of England, said “technology has always been a two-edged sword — an enabler and a challenge as the bad guys abuse”. We need to ask ourselves if the balance is swinging in favour of the good guys or the bad guys.

Jay Heiser suggested that history teaches us humans have consistent agendas; it is the attack rules that change. He went on to say that the technological threshold for hackers is becoming lower as new attack tools that combine ease of use, power and parasitic ability are developed and made available on the Internet; virus-writing wizards, for example, can be found online. As the technical threshold falls, the number of potential attackers rises, because the entry requirements are lower. As long as there are no dramatic changes in motivation, there will be no dramatic changes in the population of people who cause computer crime. However, in a period of strategic transition from relative certainty to relative uncertainty, we are seeing an emerging threat spectrum: cyber crime, terrorism, direct action and mass protest.

The Eighth Annual 2003 CSI/FBI Computer Crime and Security Survey reported that the risk of cyber attacks is as high as ever for organisations, despite the continued deployment of security technologies. Based on the responses of 530 information security practitioners, theft of proprietary information and denial-of-service attacks head the list of financial losses sustained, with denial of service accounting for US$65 643 300, up 250% on the 2002 results. And while 56% of respondents reported unauthorised use of their systems, only a small percentage reported their incidents to law enforcement, reducing the odds of attackers being caught and prosecuted.
0167-4048/03 ©2003 Elsevier Ltd. All rights reserved.

Toasters and fading boundaries

Richard Ford thought that the future threats are blended worms, spam, and toasters. Yes, the kitchen utensil that seems only to turn out anaemic or burnt toast. His concern was that, as more and more household, office and other devices become networked computers, there will be significant risks in terms of entry points to the network and to privacy.

Neville-Jones believed that trust will be further tested by the next stage of computing development, mobile computing, a pervasive computing paradigm. Short-lived mesh networks may result in two networks being connected unless there is good security. As organisations' networks expand to include mobile computing, the boundary between the organisation's network and the cloud symbol of the Internet is becoming blurred. The fixed perimeter of a mainframe computing centre was clear, obvious and physical. That boundary expanded to encompass dumb terminals: still a recognisable computing centre with a physical presence and perimeter, but with cables running to dumb terminals in offices. Then we had on-line terminals and then PCs. Each new development expanded the number of peripherals linked to the computer centre. The Internet enabled connectivity between a device (a PC) and a third-party external device, through physical, wired access points to and from an organisation's computer network that may or may not be secure and controlled. Mobile computing allows that connectivity to be through the 'ether', i.e. through radio waves that can be intercepted by others with low technology.

The complexity of the Internet and the interconnectivity of corporate and government networks, and indeed households, is making them vulnerable. We are all interconnected: your vulnerabilities represent a threat to me. With creeping Internet connectivity, laptops bring disease from the home into the office. There are unexpected interactions and complexities. A complex network will break and fail on its own; hackers are superfluous to this natural state. Accidents are often worse than a deliberate attack. And when a network breaks it breaks big-time: just look at the recent power failures in North America and Europe (see the last issue of Computers & Security: 'Nimbyism, dominoes and creaking infrastructure').

In addition, there will be increasingly widespread Internet outages. These will be temporary, like a snow day, and are more likely to be caused by accident than by sabotage. It is important that business continuity planning assumes there will be failures of the Internet.
Stephen Hinde

Stephen Hinde, FCA, FIIA, MIIA, is currently Information Protection Manager for the BUPA Group. Prior to joining BUPA, Stephen was Head of Internal Audit, UK & Europe for Fosters Brewing Group and held senior positions in audit with Unilever, Brooke Bond Group and Rediffusion Group. Stephen qualified with KPMG before moving to Ernst & Young. Stephen is editor of Information Systems Auditor, and was the founding editor of Computer Audit Update in 1988. Stephen is a Past President of the Institute of Internal Auditors - United Kingdom and Ireland. He is or has been chair or member of various computer audit, computer security, research, education and training committees of the Institute of Chartered Accountants in England and Wales, the Institute of Internal Auditors - United Kingdom and Ireland, the Institute of Internal Auditors Inc., and the European Confederation of Institutes of Internal Auditing. He is currently Secretary of the United Kingdom Information Security Forum. Stephen has lectured around the world and written books and articles on computer security, data protection and computer audit.

The inside threat

According to Jay Heiser, analyst at TruSecure, hackers may be skilful but are otherwise not much of a threat. On the other hand, a disgruntled system administrator may be less skilful but is otherwise the most significant threat. The FBI survey reported that the average cost of a successful attack by a malicious insider (US$2.7m) is nearly 50 times greater than the cost of an external attack (US$56 000). Furthermore, it is estimated that over 80% of information security incidents over the past four years were the result of insiders. Another survey reported that insiders represent 70% of all attacks on the corporate enterprise, and that the insider goes unchallenged by 99% of security systems. To defend our organisations we must first understand: What are the goals of malicious insiders? What actions do they perform? What targets need to be monitored? What behaviour is malicious? Furthermore, we need to understand that attacks can be conducted against the document as a unit; against a group of documents; inside the document; or against the document's environment.

One speaker referred to a comment from a senior manager who suggested that the organisation should take the hit and pay the bill when attacked rather than waste time and money trying to protect itself. I last heard this viewpoint in the early days of disaster recovery planning. It does depend on surviving the attack and having enough money left to pay. It probably also depends on there being a single attack rather than a series of them.

Ex-employees pose one of the most significant threats to a company, with bad-blood redundancies, heat-of-the-moment resignations and sackings all likely to lead to damaging recriminations. From intellectual property theft, such as stealing contacts and customer leads, to physical theft of hardware, an outgoing employee can leave their former organisation with a far greater headache than simply managing with fewer staff or filling a vacated position. Stories of disgruntled bosses walking out of offices with their laptop in a briefcase, taking with them numerous files of business-critical data, are commonplace, leaving companies needing solutions to crack down on such leaks. According to research by TNS, 67% of respondents said they would take information that would help them in their next job. More worrying is the finding that only 27% of UK companies have security policies in place to ensure that employees cannot damage the company when they leave. Clearly companies are failing to implement even the simplest measures, such as removing access to shared networks upon termination of a contract. Furthermore, companies should not expect loyalty from staff who remain: a staggering 79% of respondents said they would forward sensitive company information to a former colleague if asked, even if that ex-colleague was now working for a rival firm.
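The simplest measure the TNS findings point at, revoking access when someone leaves, is easy to check for. The following is an added example, not code from the article or from TNS: it reconciles a constructed HR leavers feed against a constructed directory export and reports leavers whose access outlived their leaving date. The field names (user, left, enabled, last_logon, groups) and the sample records are assumptions made for the example.

```python
"""Leaver access reconciliation (added example; not from the article or TNS)."""
from datetime import date

# Constructed sample data: HR leavers feed and a directory export, ISO dates.
HR_LEAVERS = [
    {"user": "jsmith", "left": "2003-09-30"},
    {"user": "akhan", "left": "2003-10-15"},
    {"user": "mlee", "left": "2003-11-20"},   # leaves in the future
    {"user": "rgreen", "left": "2003-08-01"},  # no directory account any more
]
ACCOUNTS = {
    "jsmith": {"enabled": True, "last_logon": "2003-10-02", "groups": ["Sales", "Shared-Finance"]},
    "akhan": {"enabled": False, "last_logon": "2003-10-14", "groups": ["IT"]},
    "mlee": {"enabled": True, "last_logon": "2003-10-28", "groups": ["Legal"]},
    "bpatel": {"enabled": True, "last_logon": "2003-10-29", "groups": ["Sales"]},
}


def reconcile_leavers(leavers, accounts, today):
    """Return (user, finding) pairs for leavers whose access outlived their leaving date.

    `today` and all dates are ISO 'YYYY-MM-DD' strings; comparisons are done on
    date objects. Only people who have already left are examined.
    """
    today = date.fromisoformat(today)
    findings = []
    for rec in leavers:
        left = date.fromisoformat(rec["left"])
        if left > today:
            continue                      # not yet left: nothing to revoke
        acct = accounts.get(rec["user"])
        if acct is None:
            continue                      # no account left to revoke
        if acct["enabled"]:
            findings.append((rec["user"], "account still enabled"))
        last_logon = acct.get("last_logon")
        if last_logon and date.fromisoformat(last_logon) > left:
            # Evidence of use after the leaving date, not just a missed tidy-up.
            findings.append((rec["user"], "logon after leaving date"))
        if not acct["enabled"] and acct["groups"]:
            # Disabled but still entitled: re-enabling would restore everything.
            findings.append((rec["user"], "disabled but retains group memberships"))
    return findings


if __name__ == "__main__":
    for user, finding in reconcile_leavers(HR_LEAVERS, ACCOUNTS, "2003-10-30"):
        print(f"{user}: {finding}")
```

Run daily against the real feeds, the "logon after leaving date" finding is the one that matters most: it is not a housekeeping lapse but a sign that a departed person (or someone using their credentials) is still getting in.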
Blended worms and reaction timeliness

Many speakers thought there will be increasingly harmful worms and that the possibility of malware causing significant levels of damage must be considered. Blended or combined worms such as SQL Slammer had a significant effect on network congestion. Last January's SQL Slammer worm was the biggest Internet worm of the period, infecting some 200 000 computers running Microsoft's SQL Server software by targeting a six-month-old vulnerability in SQL Server 2000 in order to spread itself. Sections of the Internet slowed substantially, and some Bank of America ATMs in the US were affected. The worm is thought to have reached 90% of all vulnerable servers within 10 minutes of its release onto the Internet.

Malware is becoming increasingly parasitic. Self-replication is not enough; resource theft is the new virus writer's challenge. The response to the August 2003 blackouts in America was hindered by Blaster. Hackers and virus writers have all the time in the world to think, plan and deploy. The defence is rushed: a reactive response to a given situation, against the clock, and feedback makes it non-linear. The speed of spread and the damage done by viruses have increased through the four ages of viruses. The gap between a vulnerability being disclosed and an exploit for it appearing has shortened to less than two weeks. Zero-day worms (worms that hit with no prior warning of the vulnerability) are not far away. With such short time-spans in which to respond, should we automate responses? This could be a risky strategy; we need to be sure that the medicine is not worse than the disease.

Sophos has reported an increase in the number of new viruses detected in the first six months of 2003, up 17.5% on the same period last year, suggesting that virus writers are unaffected by January's conviction and jailing of Simon Vallor, the author of three mass-mailing worms.
Since January 2003 the single most prevalent virus has been the Bugbear-B worm, which accounted for almost 12% of reports to Sophos. Its older sibling, Bugbear-A, generated a further 2.5% of inquiries. By morphing its contents every time it forwards itself, and by spoofing the e-mail address of the person who sent the virus, Bugbear-B has been the most prevalent and irritating virus so far this year. Generating almost 10% of inquiries was the Sobig-C worm. This worm, which posed as a support e-mail from Microsoft's Bill Gates, reached number two in the charts even though it had a limited window for infection: it was programmed to fall dormant just one week after it was released. In all, five Sobig worms have been released this year; combined, the short-lived Sobig worms have had the biggest impact on business networks this year. Eight of the viruses in the top 10 are able to spread by more than one method, using a combination of e-mail, IRC (Internet relay chat), network shares and/or P2P (peer-to-peer) file-sharing platforms. Virus writers are no longer relying on e-mail alone to propagate their malicious code, so computer users are advised to deploy desktop anti-virus protection, which can detect malicious code regardless of its method of spreading.
Epidemiological protection

Martin Sadler, lab director, described an innovative approach to the problem of patching taken by HP Laboratories in Bristol. They considered the biological analogy and looked at the epidemiology of how viruses spread, finding that viruses spread at ever-increasing speed in ever-shorter time. One answer is therefore to slow down the speed of spread. But how? HP's answer is a virus throttle that slows down the rate at which a PC opens new connections. The basic virus throttle works as follows: it intercepts requests to connect to other hosts; it keeps a short list of recently made connections (a 'working set'); if a request is to a host in the working set, it is processed as normal; if not, it is added to a 'delay queue'; at regular intervals one request is taken off the delay queue and processed; and if the delay queue gets very big, all new connections are stopped and the IT staff alerted. When tried in the laboratory, SQL Slammer tried to make about 800 connections a second. On a throttled machine, processing was stopped within 0.02 seconds, so there were no new connections. Martin said that virus throttling is not noticeable in network response times, as networks are full of delays anyway!
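The throttle described above, written out as an added simulation so that its behaviour on normal traffic and on a fast and a slow scanner can be compared. This is example code, not HP Laboratories' implementation: the working-set size (5 hosts), the queue threshold (100 new hosts), the release rate (one new host per clock tick) and the three traffic patterns are all assumptions chosen for the example.

```python
"""Simulation of a virus throttle (added example; not HP Labs' implementation).

Each outbound connection request names a destination host. Hosts contacted
recently sit in a small working set and pass straight through; any other host
joins a delay queue that is drained at one new host per clock tick. If the
queue grows past a threshold, something is fanning out far faster than normal
traffic does, so further new connections are blocked and an alert is raised.
"""
from collections import deque


class VirusThrottle:
    def __init__(self, working_set_size=5, max_delay_queue=100):
        self.working_set = deque(maxlen=working_set_size)  # recently contacted hosts
        self.delay_queue = deque()  # new hosts awaiting their turn, oldest first
        self.queued = set()         # same hosts, for O(1) membership tests
        self.max_delay_queue = max_delay_queue
        self.allowed = []           # connections actually let out, in order
        self.requests = 0           # connection requests seen
        self.blocked = False        # set once the queue threshold is exceeded
        self.alerts = []            # messages that would go to IT staff

    def request(self, dest):
        """Handle a request to connect to `dest`: 'allowed', 'delayed' or 'blocked'."""
        self.requests += 1
        if self.blocked:
            return "blocked"
        if dest in self.working_set:
            self.allowed.append(dest)        # a familiar host: process as normal
            return "allowed"
        if dest not in self.queued:          # a new host: wait in the delay queue
            self.delay_queue.append(dest)    # (repeat requests to one new host share an entry)
            self.queued.add(dest)
        if len(self.delay_queue) > self.max_delay_queue:
            self.blocked = True
            self.alerts.append(f"{len(self.delay_queue)} new hosts queued after "
                               f"{self.requests} requests; outbound connections stopped")
            return "blocked"
        return "delayed"

    def tick(self):
        """Clock tick: release one queued host and remember it in the working set."""
        if self.blocked or not self.delay_queue:
            return None
        dest = self.delay_queue.popleft()
        self.queued.discard(dest)
        self.working_set.append(dest)        # evicts the oldest entry when full
        self.allowed.append(dest)
        return dest


def simulate(traffic, working_set_size=5, max_delay_queue=100):
    """Run a throttle over `traffic`, a list of ticks, each a list of destinations
    requested during that tick. Returns (tick at which blocked or None,
    connections let out, requests seen)."""
    t = VirusThrottle(working_set_size, max_delay_queue)
    for tick_no, dests in enumerate(traffic):
        for d in dests:
            if t.request(d) == "blocked":
                return tick_no, len(t.allowed), t.requests
        t.tick()
    return None, len(t.allowed), t.requests


# Constructed traffic patterns (assumptions, not measurements from the talk).
NORMAL_USER = [["mail"], ["web1"], ["web1"], ["files"], ["mail"], ["web2"], ["web1", "mail"]]
FAST_WORM = [[f"10.{i // 256}.{i % 256}.1" for i in range(800)]]        # 800 new hosts in one tick
SLOW_WORM = [[f"192.168.{n}.1", f"192.168.{n}.2"] for n in range(200)]  # two new hosts per tick

if __name__ == "__main__":
    for name, traffic in [("normal user", NORMAL_USER), ("fast worm", FAST_WORM), ("slow worm", SLOW_WORM)]:
        blocked_at, out, seen = simulate(traffic)
        print(f"{name:12s} blocked at tick {blocked_at}, {out} connections out of {seen} requests")
```

The normal user is never blocked and every request eventually goes out, a few of them one tick late. The fast scanner is stopped within its first tick with nothing let out. The slow scanner shows the design tension: at two new hosts per tick it is only caught after about a hundred ticks, by which time a hundred connections have escaped; a smaller queue threshold catches it sooner at the cost of more false alerts on bursty but legitimate traffic.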
Software patching — an increasing problem

Not every vulnerability is significant. Last year there were 4000 vulnerabilities reported, but only 20 were exploited: a vulnerability needs to offer interesting capabilities to be exploited by the current threat population. One speaker postulated that “Patching is like applying a band-aid for a major trauma. There is a need to deal with multiple vulnerabilities, not just one patch.” When a security patch alert is issued, you can either postpone the 'real work' to apply the patch, or postpone applying the patch and hope that the vulnerability will not be exploited before you get around to it. When you postpone patching, as many people do, you are accepting insecurity as a way of life. This is a situation that hackers want and expect. They know that people delay patching so, when a security problem is announced, they target it, knowing that it is unlikely to be fixed immediately. A clear example of this happened with the SQL Slammer worm, which affected an estimated 35% of the world's SQL servers by exploiting a security flaw in SQL Server 2000. A fix for this problem had been issued in July 2002!
Viruses to the rescue!

HP had tried to patch approximately 0.25 million devices that it knew about. It considered the ability of viruses to reach all PCs, and a virus was written to exploit the same vulnerability as Blaster. This was deployed internally two days before Blaster and was used to shut down PCs that had not been patched. Steps were taken to ensure that the virus did not escape into the wild. HP was not affected by Blaster: a simple technique that worked, but a case of thinking outside the box.
IDS — the quiet defence

IDS stands for intrusion detection systems and not Iain Duncan Smith, the leader of the UK Conservative Party who was ousted by his fellow members of parliament at the beginning of Compsec week, leading to newspaper headlines about the 'demise of IDS'. The number of security events detected by companies in the first quarter of 2003 jumped nearly 84% over the preceding three months, according to a report from Internet Security Systems. The increase in events, which can include minor probes for holes in network security as well as major attacks, stems mainly from an increase in worms and automated attack software. The study tallies the network events detected by ISS sensors deployed by some 400 clients around the world and outlines potential malicious online activity. ISS also found that online vandals are putting more effort into exploiting existing flaws than into finding new ones. According to ISS data, 606 vulnerabilities were made public in the first three months of the year, while 752 new threats were identified; the company considers threats to be programs or code that make exploiting vulnerable systems easier. Hackers are also using unknown flaws to attack systems. In March, the military detected that a previously unknown vulnerability in Microsoft's Windows 2000 operating system was being exploited by online intruders. Microsoft released a patch for the security hole five days later, but the incident was a reminder that there is a whole host of security flaws of which companies are not aware.

According to Richard Ford, one of the editorial board members of Computers & Security, IDS is another log that you do not read in the morning. And one can see why. John Adebayo described the IDS implementation at UBS. Initially some 100 000–150 000 events per month were being reported! They refined the IDS system and got it down to 10 000 per month. Further refinement brought it down to 5000 per month. That is still an average of nearly 170 every day: 170 items that need to be reviewed and actioned as appropriate.
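The article does not say how UBS refined its IDS, so the following is an added example of two of the most common tuning steps rather than a description of their method: suppressing events from sources that are expected to trip signatures (here, an authorised vulnerability scanner) and collapsing repeats of one signature from one source into a single reviewable item. The alert lines, the single-line format they are parsed from, the signature IDs and the suppression list are all constructed for the example.

```python
"""IDS alert triage: suppress and aggregate raw sensor events (added example)."""
import re

# Constructed sample alerts (not UBS data) in a Snort-style single-line format:
# timestamp [gid:sid:rev] message [Priority: n] {proto} src:port -> dst:port
RAW_ALERTS = """
10/27-09:01:12.000 [1:1000001:1] SCAN nmap TCP [Priority: 3] {TCP} 10.9.8.7:40000 -> 10.1.2.3:80
10/27-09:01:12.050 [1:1000001:1] SCAN nmap TCP [Priority: 3] {TCP} 10.9.8.7:40001 -> 10.1.2.3:443
10/27-09:01:12.100 [1:1000001:1] SCAN nmap TCP [Priority: 3] {TCP} 10.9.8.7:40002 -> 10.1.2.4:80
10/27-09:01:12.150 [1:1000001:1] SCAN nmap TCP [Priority: 3] {TCP} 10.9.8.7:40003 -> 10.1.2.4:443
10/27-09:14:03.000 [1:2003:1] MS-SQL Worm propagation attempt [Priority: 2] {UDP} 172.16.5.5:1060 -> 10.1.2.10:1434
10/27-09:14:03.010 [1:2003:1] MS-SQL Worm propagation attempt [Priority: 2] {UDP} 172.16.5.5:1060 -> 10.1.2.11:1434
10/27-09:14:03.020 [1:2003:1] MS-SQL Worm propagation attempt [Priority: 2] {UDP} 172.16.5.5:1060 -> 10.1.2.12:1434
10/27-09:14:03.030 [1:2003:1] MS-SQL Worm propagation attempt [Priority: 2] {UDP} 172.16.5.5:1060 -> 10.1.2.13:1434
10/27-09:14:03.040 [1:2003:1] MS-SQL Worm propagation attempt [Priority: 2] {UDP} 172.16.5.5:1060 -> 10.1.2.14:1434
10/27-10:02:45.000 [1:1002:1] WEB-IIS cmd.exe access [Priority: 1] {TCP} 203.0.113.9:51234 -> 10.1.2.3:80
10/27-10:02:46.000 [1:1002:1] WEB-IIS cmd.exe access [Priority: 1] {TCP} 203.0.113.9:51235 -> 10.1.2.3:80
10/27-10:30:00.000 [1:1002:1] WEB-IIS cmd.exe access [Priority: 1] {TCP} 198.51.100.4:3301 -> 10.1.2.4:80
"""

ALERT_RE = re.compile(
    r"^(?P<ts>\S+) \[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] (?P<msg>.+?) "
    r"\[Priority: (?P<prio>\d+)\] \{(?P<proto>\w+)\} "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)

# Assumed policy for the example: our own vulnerability scanner is expected to
# trip scan signatures, so its events are suppressed rather than reviewed.
AUTHORISED_SCANNERS = frozenset({"10.9.8.7"})


def triage(raw_text, suppress_sources=frozenset()):
    """Parse raw alerts, drop those from suppressed sources, and collapse
    repeats of one signature from one source into a single item.

    Returns (items, stats). Items are ordered by priority (1 = most urgent),
    then by volume. Lines that fail to parse are counted, never silently lost.
    """
    lines = [ln for ln in raw_text.splitlines() if ln.strip()]
    parsed = [m.groupdict() for m in map(ALERT_RE.match, lines) if m]
    kept = [a for a in parsed if a["src"] not in suppress_sources]
    groups = {}
    for a in kept:
        g = groups.setdefault((a["sid"], a["src"]), {
            "sid": a["sid"], "msg": a["msg"], "priority": int(a["prio"]),
            "src": a["src"], "count": 0, "targets": set(),
            "first": a["ts"], "last": a["ts"]})
        g["count"] += 1
        g["targets"].add(f'{a["dst"]}:{a["dport"]}')
        g["last"] = a["ts"]          # lines arrive in time order
    items = sorted(groups.values(), key=lambda g: (g["priority"], -g["count"]))
    stats = {"raw": len(lines), "unparsed": len(lines) - len(parsed),
             "suppressed": len(parsed) - len(kept), "items": len(items)}
    return items, stats


if __name__ == "__main__":
    items, stats = triage(RAW_ALERTS, AUTHORISED_SCANNERS)
    print(stats)
    for it in items:
        print(f'P{it["priority"]} x{it["count"]:<3} {it["src"]:14} {it["msg"]} '
              f'-> {len(it["targets"])} target(s), {it["first"]}..{it["last"]}')
```

Twelve raw events become three items: the two cmd.exe probes come first because of their priority, and the five Slammer-style propagation attempts from one internal host collapse into one line whose target count is itself the evidence of scanning. The suppression list is the part to treat with care: an authorised scanner that is itself compromised now has a blind spot written into the tuning, so the list should be short, reviewed, and the suppressed count watched for sudden changes.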
Detection and jurisdiction

We have moved from an industrial world to a networked world, in which knowledge is value, i.e. an asset that can be stolen and sold via virtual trans-national organisations. The threat could come from a teenager on the other side of the planet and be an unintended consequence of an action. You may not be the intended target but nevertheless you could become the victim. We have seen this in viruses with a scatter-gun attack vector. We saw it recently in the UK court case in which the port of Houston, Texas was crippled by an attack caused by a love-struck youth. Just before the conference started he was found not guilty after using the trojan defence: 'someone else did it through my computer'. The jury accepted this defence, even though there was no evidence that the individual's computer had been hacked into.
Peter Sommer, senior research fellow at the London School of Economics, reassured us that, despite the success of the three recent well-reported trojan defences, most trojan defences (primarily used in paedophilia trials) have failed. Peter also talked about the Catch-22 of reporting to the police. Organisations do not report to the police because of the perceived lack of police resources for investigation (although I appreciate that bad publicity and issues of reputation are probably the main drivers). However, the police do not receive a higher budget for training, investigation and so on, because cyber-crime is not reported. We need to find ways of enabling the police to keep up. The creation of new offences will not help: capture and conviction are the deterrents, not the theoretical size of the punishment. Richard Ford thinks that laws are made for the white hats, and that we need laws for the black hats and also to think like black hats. We need to think about what can go wrong. Prevention is better than post facto criminal investigation. There is a gap between legislators and technologies. Legislators need to be more aware; they need to understand the implications of new technologies. It is not that crimes will change much in nature, but that the range of possibilities for committing them, and the difficulty of protecting against them and tracking down the felons, will increase manifold. The law may need to change focus from regulating the behaviour of the user to limiting and licensing the capabilities (i.e. the functionality) of the network. Some way of tracking changes in the behaviour of intelligent networks will be needed to ensure that they stay within their licence. Decisions will be needed on where liability for intelligent networks lies.

How do we improve? Neville-Jones believes it starts in school. School children need to be equipped for life, including morals, ethics, confidentiality, privacy and security. We need to get propositions of security into the public debate. Dialogue will lead to greater confidence and less legislation and regulation.

Of the sixteen Compsecs I have attended, this was the best to date: two days of excellent, thought-provoking, real-world-based practitioners giving us a glimpse of their maps of the future.