Information Security News mailing list archives

Cybersecurity's Leaky Dikes


From: InfoSec News <isn () c4i org>
Date: Mon, 8 Jul 2002 06:17:48 -0500 (CDT)

http://www.businessweek.com/technology/content/jul2002/tc2002072_9216.htm

By Alex Salkever 
JULY 2, 2002 

While interest is rising in protecting computer networks, too often
the tools aren't powerful enough to keep hackers out

As head of the
National Infrastructure Protection Center's office in Pittsburgh, FBI
supervisory agent Dan Larkin mans a sentinel post on the front lines
of the war against cybercrime. Rather than M-16s, his soldiers tote
powerful computers, which they use to unmask hackers who break into
networks and steal valuable information. They also try to intercept
so-called script kiddies, who launch damaging denial-of-service
attacks that flood Web servers with bogus queries and freeze company
online operations.

Rising interest in cybersecurity, spurred in part by the terrorist
attacks of September 11, has vaulted Larkin and his 110 FBI cohorts
staffing the NIPC into a much more visible role. Only problem is, the
demands on them have outrun the capability of the tools available to
do the best job possible.

True, software exists that can quickly mirror-image the hard drive of
a confiscated computer, thus making it possible to dissect evidence
without damaging the original material, says Larkin. Try to do
something more sweeping, however, such as sifting through the massive
logs of data that record activity on every computer network, and
Larkin's cops might as well be on foot patrol. The tools for
heavy-duty cybersleuthing remain rudimentary -- causing a
"considerable amount of frustration" within Larkin's team at its
inability to do more.

GROWING WISH LISTS.  It's a familiar sentiment. The lack of
log-sifting tools is just one of the obstacles that frequently
short-circuit computer cops, forcing them to spend on average 23% of
their time per investigation poring over logs, according to a survey
of 151 cops released on June 18 by Dartmouth College's Institute for
Computer Security Studies.

Other items on the investigators' wish lists include technology to
better track computer criminals' unique Internet protocol addresses,
plus tools to quickly map the topology of computer networks to learn
where breaches may have occurred. Such capabilities are a must if FBI
agents and others are to successfully investigate increasingly complex
cyberattacks, says Larkin.

The new focus on security of every kind has prompted more and more
companies to get serious about locking down their networks. And tools
to bar the network gates have become more affordable and more widely
accepted by both the private and public sectors. Yet the virtual
threats continue to evolve, in part because hackers are developing
more sophisticated tools as well.

"LOSING GROUND."  Increasingly, high-level assailants are finding ways
to camouflage their cyberattacks. That includes sending destructive
data in numerous fragments that assemble only once they arrive at
their ultimate targets inside firewalls and intrusion-detection
systems -- thus breaching conventional security.

Other tools of destruction now sport code that morphs regularly,
making it doubly hard for automated security software to verify that
an attack is in progress. "The tools [with which to defend networks]
are getting better, but systems we are trying to protect are becoming
so complex that we're all losing ground," says Bruce Schneier, chief
technology officer for Counterpane Internet Security in Cupertino,
Calif.

That shows up in the statistics. According to the CERT Coordination
Center, a government-funded cybersecurity clearinghouse and research
group at Carnegie Mellon University in Pittsburgh, companies and
organizations reported 26,829 security incidents during the first
quarter of 2002. That compares with 52,658 for all of 2001, and 21,756
in 2000.

RISING DAMAGES.  At the same time, the number of software security
vulnerabilities -- bugs in code that can allow intruders to break in
or hackers to crash networks -- reported to CERT has soared. In 1995,
the group received 171 vulnerability notifications. That figure rose
to 2,437 in 2001, and to 1,065 in the first quarter of 2002 alone.  
"It's simply a case of low-quality security in a lot of our software,"  
says Rich Pethia, director of CERT.

Worse yet, the cost of hacker attacks appears to be rising. According
to the 2002 "Computer Crime & Security Study," released on Apr. 7 by
the FBI and the Computer Security Institute in San Francisco, some 90%
of the 503 respondents from large corporations and government agencies
said they had suffered some sort of cyberattack or security breach in
the past 12 months. The average financial toll from these has risen to
$2 million per instance in the latest survey, from $500,000 in 1997.

Those self-reported losses may be low, as companies frequently are
loath to reveal the true cost of security lapses. With awareness now
higher than ever, companies have started spending more on
cybersecurity. Despite the rising risks, "most big companies still
spend more on catering each year than they do on cybersecurity,"  
laments the security manager at a multibillion-dollar corporation.

VULNERABLE FROM THE START.  The roots of the security threat reach
back to the early days of the Internet. The languages and protocols
that allow so many disparate systems to talk to each other were never
designed for security, says Peter Neumann, a pioneer in secure
computing systems and a principal scientist at SRI International, a
private research lab in Menlo Park, Calif. That's because the systems
built back then were designed for a small, known community, not a
global village that logs on continuously.

This endemic weakness has become increasingly evident in recent
months. Researchers have discovered glaring vulnerabilities in some of
the most basic building blocks of data communications, such as the
ASN.1 protocol used for everything from remotely managing power plants
and nuclear reactors to passing basic instructions to switches and
routers on a network. At the same time, researchers are spotting more
problems in all types of application software.

Such revelations have added even more impetus to corporate efforts to
shore up cybersecurity. According to tech consultancy Gartner
Dataquest, the worldwide security software market should hit $4.3
billion in 2002, up 18% from 2001's $3.6 billion. That's at a time
when companies are reining in virtually all other types of tech
spending.

MISFIRING WEAPONS.  While everyone acknowledges that security software
and hardware are improving, the current crop of products still leaves
a lot to be desired, according to experts such as the FBI's Larkin.  
Just ask Bruce Hughes. As a manager at prominent computer security
certification and testing company ICSA Labs, Hughes test-drives and
rates dozens of virus-prevention and other software tools each year.

Hughes lauds the increased availability and affordability of
computer-security products. "If someone had said eight years ago that
you could walk down to Staples and buy a high-powered firewall for
$200, people would have laughed," he says. At the same time, "some
security products are getting much more difficult to use," he adds.  
"With so many options, you can easily forget to change the
configuration or skip right over something you could have configured."

Worse still, even some computer-security techniques remain
problematic. Cryptographic programs designed to mask information or
communications far too often have glaring flaws that make it easy to
crack their codes, according to ICSA tests. That seems particularly
galling, since the cryptographic standards behind these programs have
been around for years and have been put through rigorous academic and
real-world testing. "Even the stuff that you think is easy you screw
up all the time," says Counterpane's Schneier.

BUILDING IN SAFEGUARDS.  In fact, Schneier and others contend that the
best cybersecurity weapon remains the gray one between the ears --
that dependence on automated software will never eliminate the need
for brainpower. "Counterpane uses human judgment. We have a system
that has people involved. That's the only way to deal with
complexity," he says.

Still, it's no surprise that information-technology staffs are
agitating for better-made software. This is key, says CERT's Pethia,
because the basic code of so many of today's software products was
built before cybersecurity was a burning issue. Microsoft (MSFT),
Oracle (ORCL), and Apple (APPL), among others, have stepped up their
efforts to write security protection into their products. Eliminating
vulnerabilities from the widely used software these companies produce
will give specialized security products a better chance to succeed,
says Pethia.

The cybersecurity front has had some bright spots. Many companies now
demand that partners or suppliers they link to electronically have
strong cybersecurity. Insurance companies are even forcing the issue,
by requesting more stringent audit and security measures from the
companies they deal with.

Moreover, some of the tools on Larkin's wish list appear to be in the
wings. The first generation of highly advanced log-management
software, from companies such as Network Associates and Network Flight
Recorder, is hitting the shelves right now.

CYBERSECURITY CORPS.  Perhaps most important, the federal government
finally seems to have grasped the importance of cybersecurity.  
President Bush has provided less than $100 million for research and
development on such security so far, but he has proposed hundreds of
millions for cybersecurity efforts in his fiscal 2003 budget,
including $11 million for the creation of a government cybersecurity
corps, which would pay the university tuition of students who agree to
do an as-yet-undetermined number of years of government cybercrime
work after graduation.

Bush has also proposed to upgrade the FBI and other government law
enforcement bodies, a chunk of which is bound to go toward
cybersecurity. For Larkin and his Pittsburgh charges, that's a vast
improvement over the days when computer security was an ugly stepchild
of law enforcement. Still, it's only a start on what will surely be a
long and possibly tortured effort to improve security technologies,
give humans better tools, and keep bad guys in cyberspace at bay.



