Network Security
September 1999
Managing Network Security: In Your Face Information Warfare

Fred Cohen

Computing operates in an almost universally networked environment, but the technical aspects of information protection have not kept up. As a result, the success of information security programs has increasingly become a function of our ability to make prudent management decisions about organizational activities. Managing Network Security takes a management view of protection and seeks to reconcile the need for security with the limitations of technology.
A shooting war

I read last month that the US DOD recently figured out that it’s at war. It shouldn’t be a big surprise - after all, people have been talking about information war ever since Al Gore declared it in the early 1990s. That’s when Al declared information war on the world by telling everybody that the US was going to use the Internet to expand global influence, gain economic advantage and exploit our information technology advantage to spread democracy and US imperialism around the world. Of course he didn’t use those exact words, but that’s more or less what he seemed to mean by it and that’s more or less what the result has been. So what’s the big surprise? After eight years of US domination, the rest of the world is starting to catch up! Is it any surprise that suspected Russian attackers are breaking into US DOD sites to take plans of US command and control and weapons systems designs? The warning has only been out in the DOD for four years or so. That’s when they published statistics indicating that, on average, every DOD computer was successfully attacked once per year. Now, they have ‘just discovered’ that they were broken into six months ago and that the Russians had been taking weapons information ever since then. And why did it take them six months to figure it out? Because it was a person who noticed that a print job was taking a long time and bothered to look into it. That’s security! So now I guess it has come into the open. There’s a real shooting war underway in information technology, and the Y2K situation has introduced the opportunity of a lifetime for the world’s information warriors. You didn’t think I was going to miss the opportunity to take a shot at Y2K projects - did you? After all, this is probably one of the last issues where I can declare a Y2K possibility.
How did I sneak Y2K into this? Of course, Y2K was the chance of a lifetime for information warriors. Folks from all over the world have been contracted to do Y2K work on critical systems of all sorts all over the world. Those folks come from all of the countries I count among my closest historical allies - like Pakistan, India, China, Japan, the ex-Soviet states, France, the US, UK, Germany, and the list goes on and on. If you are offended by the list, don’t be. I think that list includes enough countries that are at odds with each other that they will likely notice that the same kinds of software attacks that their folks made in the systems of other countries were made by people from other countries in their systems. Yes - that’s right. In the global village, Indian programmers worked on code that eventually made its way into Pakistani information infrastructures - but don’t worry - the Pakistani programmers also got to code software that went into the Indian Y2K fixes too. Now I’m not just being an idle speculator here. I have spoken with folks who know in detail about incidents wherein Trojan horses have been detected in fixes to critical infrastructure software being ‘upgraded’ for Y2K. They also told me some of the countries involved, that the ones that were caught were caught by accident, and that there is no systematic check for this, so there are probably lots of others out there that are yet undetected. Now if I was going to plan a nasty attack on critical infrastructures via computer networks, I would certainly take the opportunity to plan my attacks when I was given insider programming access. By the way... none of your Y2K upgrades involve any software written by people you don’t completely know and trust - do they? They do? Ouch! And - as an aside - if I were going to do a nicely co-ordinated attack that was hard to track down or defend against, I would probably select the period surrounding Y2K to spring it.

© 1999 Elsevier Science Ltd
Feeding the frenzy

Now I don’t want to raise a panic over this information warfare and Y2K thing. After all, over-reaction will likely cause more problems than any technical attack would cause, wouldn’t it? Not if you happen to live in an area where you will freeze to death, or in an area that depends on a strong economy for economic wellbeing. But why get all in a tiff about a once-in-a-lifetime event like Y2K? How about getting concerned about the 20 000 new virus strains introduced in the last four months? You would think that the fact that several of these strains have entered sites that were supposed to be ‘secure’ from a standpoint of holding critical data of one form or another would trigger someone to stand up and take notice - wouldn’t you? No! After all, the virus problem doesn’t make a dent when compared to the other crimes of the Internet like child pornography, scams of every sort and description, pyramid schemes, good old-fashioned stalking crime, theft of trade secrets, insider information being released by employees and, gee, it almost seems like there’s a war going on out there and nobody noticed! So - when a crime goes down in the ‘real world’ - you call the police - right? I guess that means we can call the cybercops to our rescue - right? Well... you can call! Or better yet... E-mail them! Where’s the local cyber-police station? I looked at the Livermore, CA (where I live) police Web site to find crime statistics on computer crime in my area. Out of thousands of crimes per year, there wasn’t a single computer crime in the listing of reported crimes. It also seems there is no way to report a crime via E-mail. The United States Department of Justice has a list of ‘types of computer crime’ and lots of good information, and any crime with provable losses in excess of a few hundred thousand dollars might get their attention. They list Computer intrusion (i.e. hacking), Password trafficking, Copyright (software, movie, sound recording) piracy, Theft of trade secrets, Trademark counterfeiting, Counterfeiting of currency, Child pornography or exploitation, Internet fraud, Internet harassment, Internet bomb threats and Trafficking in explosive or incendiary devices or firearms over the Internet. In every case, the local FBI office is a good contact point. I guess things like taking out the power grid or the phone system just don’t make it.
Incognito
Getting back on track for this month’s article, I should point out that a six-month lag between a break-in and a detection is pretty common in my experience. For example, I know of at least three cases in the last year with this characteristic pattern. And the same situation arose in the DISA study published about five years ago and cited as the basis for the numbers of attacks on Defence Department sites. In those studies, there was a break-in detected that had been going on for at least six months as well. The secret, by the way, to the six-month duration is that lots of people and organizations only keep back-up tapes for six months, so any attack that lasted longer would be called six months’ duration. Now that I am on the back-up thing, I figure I should also mention that I recently visited an ISP that claims to emphasize security as one of their benefits, but it turned out that they couldn’t reproduce audit information from as little as two months ago. It seems that they take monthly back-ups and could produce the audit trails that happened to be on those systems when the systems were backed up, but for other audit trails - those that were removed on a weekly or daily basis to limit file space consumption - there were no back-ups. Unless you detected the activity within a few weeks, odds were not very good that any audit trails would be there to track down the source of the attack. In doing digital forensics - something I do more and more of these days - this sort of lack of information and lack of consistency reflects a real problem. For example, there might be missing exculpatory evidence, or the time frame of interest might not be covered. But, in addition to the lack of forensic evidence, there is the notion that it would be nice to know if you are under attack, or at least be able to figure out when the attack started, how long it lasted, and what was involved once you find out you are under attack.
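As an added illustration (not from the column), the script below models the retention scheme the paragraph describes: monthly full backups, audit trails rotated off disk after a fixed number of days, and tapes recycled after a retention period. It computes how many days of a suspected intrusion window still have recoverable audit trails; the dates, the six-month window and the backup schedule are constructed assumptions.

```python
from datetime import date, timedelta

# Constructed scenario: investigation starts 1 Sep 1999; the suspected
# intrusion ran from 1 Jan to 30 Jun 1999 (181 days).
TODAY = date(1999, 9, 1)
WINDOW = (date(1999, 1, 1), date(1999, 6, 30))


def monthly_backups(first, last):
    """Full backup on the 1st of every month from `first` to `last` (assumed schedule)."""
    out, d = [], date(first.year, first.month, 1)
    while d <= last:
        out.append(d)
        d = date(d.year + (d.month == 12), d.month % 12 + 1, 1)  # 1st of next month
    return out


def retained_backups(backups, today, retention_days):
    """Tapes older than the retention period have been recycled and cannot be restored."""
    return [b for b in backups if (today - b).days <= retention_days]


def surviving_log_days(window_start, window_end, backups, rotation_days):
    """Days in the window whose audit-trail entries still exist on some tape.
    An entry written on day d stays on disk for rotation_days days, so it is
    captured only if a backup ran on one of the days d .. d + rotation_days - 1."""
    survivors = set()
    for b in backups:
        for k in range(rotation_days):
            d = b - timedelta(days=k)
            if window_start <= d <= window_end:
                survivors.add(d)
    return survivors


def scenario(rotation_days, retention_days):
    """Count of recoverable days in WINDOW for a given log rotation and tape retention."""
    tapes = retained_backups(monthly_backups(WINDOW[0], TODAY), TODAY, retention_days)
    return len(surviving_log_days(WINDOW[0], WINDOW[1], tapes, rotation_days))


if __name__ == "__main__":
    total = (WINDOW[1] - WINDOW[0]).days + 1
    for rot in (1, 7, 32):            # daily, weekly and monthly log rotation
        for keep in (182, 100_000):   # six-month tape retention vs. tapes kept forever
            n = scenario(rot, keep)
            print(f"rotation {rot:2d}d, retention {keep:6d}d: {n:3d}/{total} days recoverable")
```

With weekly rotation and six-month tape retention only 27 of the 181 days are recoverable, and even monthly rotation cannot recover January or February once the tapes from those months have been recycled.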
In your face

The information warriors are getting bolder and bolder, to the point where it’s hard to explain it away as anything but a shooting war. The bad guys are in your face. They are taking your information. They are taking your money. They are destroying your information. Eventually, they may destroy your ability to do business and destroy your economy.
So what can you do about it? Not very much without some real serious management support and a few key decisions about what has priority in your organization, and that’s what we really aren’t getting. Getting good decisions on information protection seems like pulling teeth. There was a time when people in information protection complained that senior management didn’t use computers and therefore didn’t understand what we were talking about with this information security thing. Now, the situation is worse. Senior management uses computers and doesn’t want to be restricted from doing things that are inherently dangerous. For example, I know of many large companies where top management uses their desktop PC to dial out to America On Line (AOL) during the day so they can check their stock values and make trades.

First problem - what are they doing working on their personal financial portfolio on company time? That’s called time card fraud and it is normally considered illegal - a form of theft. Second problem - AOL creates an IP tunnel between the PC and the Internet. This means that the senior management is creating a possible firewall bypass, and of course they have access to lots of sensitive company data, some of which is on their PC! Third problem - the use of the dial-out line for this activity makes it far more difficult to track what they do and implement intrusion detection on their systems. Fourth problem - instead of not caring, they actively work to keep unsafe features, making it far harder for security to get the job done. We are losing the information war - mostly because we are losing the hearts and minds of our own people. The will to fight is overwhelmed by the will of the users to have fun and do what they will with information technology. It’s like kids in a candy shop - telling them that it will ruin their teeth and they will get fat is not an effective way to stop them from overeating.

Conclusions

I think I have visited a wide enough range of areas today, so I just want to close by reiterating that there is a shooting war on in the cyber-world, and for the most part, those with the power to do something about it don’t care enough to act decisively. There’s nobody to call for help other than one of those high-priced consultants who is already helping others to the point where they can likely only sell you their assistant at a hefty fee. You are on your own!

About the author: Fred Cohen is a Principal Member of Technical Staff at Sandia National Laboratories and a Managing Director of Fred Cohen and Associates in Livermore, California, an executive consulting and education group specializing in information protection. He can be reached by sending E-mail to fc@all.net or visiting http://all.net/.

SAFE Bill “Ambushed”

Wayne Madsen

Although Congressman Bob Goodlatte has picked up an impressive 257 co-sponsors for his Security and Freedom through Encryption (SAFE) Act - a Bill that would loosen current US export controls on encryption and prohibit the establishment of a mandatory key recovery regime in the United States - he faced extremely strong opposition from the House Intelligence Committee on 9 June. Goodlatte was forced to answer a string of questions and comments for well over one hour. One congressional observer said that requiring another sitting member of Congress to endure such a long testimony is unusual, since most congressmen testifying on behalf of their legislation to other committees often merely read pro forma statements and engage in light banter with their colleagues. Such was not the case with Goodlatte.
The Intelligence Committee had arrayed a list of witnesses largely opposed to SAFE. They represented the Clinton administration, the law enforcement community, intelligence-related businesses, and even the Jewish organization B’Nai B’Rith. Committee Chairman Porter Goss, himself a former CIA official, said SAFE will harm counter-espionage, counter-intelligence, counter-terrorism and counter-proliferation. He added, “these are more important than market share for US computer companies... making money should not be the only goal of US industry.” Goss indicated that his