[iwar] [fc:Cybersecurity's.Leaky.Dikes]

From: Fred Cohen (fc@all.net)
Date: 2002-07-04 23:08:51


To: iwar@onelist.com (Information Warfare Mailing List)

JULY 2, 2002

SPECIAL REPORT: THE SECURITY CHALLENGE

Cybersecurity's Leaky Dikes
http://www.businessweek.com:/print/technology/content/jul2002/tc2002072_9216.htm?mainwindow

While interest is rising in protecting computer networks, too often the
tools aren't powerful enough to keep hackers out

As head of the National Infrastructure Protection Center's office in
Pittsburgh, FBI supervisory agent Dan Larkin mans a sentinel post on the
front lines of the war against cybercrime. Rather than M-16s, his
soldiers tote powerful computers, which they use to unmask hackers who
break into networks and steal valuable information. They also try to
intercept so-called script kiddies, who launch damaging
denial-of-service attacks that flood Web servers with bogus queries and
freeze company online operations.

Rising interest in cybersecurity, spurred in part by the terrorist
attacks of September 11, has vaulted Larkin and his 110 FBI cohorts
staffing the NIPC into a much more visible role. Only problem is, the
demands on them have outrun the capability of the tools available to do
the best job possible.

True, software exists that can quickly mirror-image the hard drive of a
confiscated computer, thus making it possible to dissect evidence
without damaging the original material, says Larkin. Try to do something
more sweeping, however, such as sifting through the massive logs of data
that record activity on every computer network, and Larkin's cops might
as well be on foot patrol. The tools for heavy-duty cybersleuthing
remain rudimentary -- causing a "considerable amount of frustration"
within Larkin's team at its inability to do more.

GROWING WISH LISTS. It's a familiar sentiment. The lack of log-sifting
tools is just one of the obstacles that frequently short-circuit
computer cops, forcing them to spend on average 23% of their time per
investigation poring over logs, according to a survey of 151 cops
released on June 18 by Dartmouth College's Institute for Computer
Security Studies.

Other items on the investigators' wish lists include technology to
better track computer criminals' unique Internet protocol addresses,
plus tools to quickly map the topology of computer networks to learn
where breaches may have occurred. Such capabilities are a must if FBI
agents and others are to successfully investigate increasingly complex
cyberattacks, says Larkin.

The new focus on security of every kind has prompted more and more
companies to get serious about locking down their networks. And tools to
bar the network gates have become more affordable and more widely
accepted by both the private and public sectors. Yet the virtual threats
continue to evolve, in part because hackers are developing more
sophisticated tools as well.

"LOSING GROUND." Increasingly, high-level assailants are finding ways to
camouflage their cyberattacks. That includes sending destructive data in
numerous fragments that assemble only once they arrive at their
ultimate targets inside firewalls and intrusion-detection systems --
thus breaching conventional security.

Other tools of destruction now sport code that morphs regularly, making
it doubly hard for automated security software to verify that an attack
is in progress. "The tools [with which to defend networks] are getting
better, but systems we are trying to protect are becoming so complex
that we're all losing ground," says Bruce Schneier, chief technology
officer for Counterpane Internet Security in Cupertino, Calif.

That shows up in the statistics. According to the CERT Coordination
Center, a government-funded cybersecurity clearinghouse and research
group at Carnegie Mellon University in Pittsburgh, companies and
organizations reported 26,829 security incidents during the first
quarter of 2002. That compares with 52,658 for all of 2001, and 21,756
in 2000.

RISING DAMAGES. At the same time, the number of software security
vulnerabilities -- bugs in code that can allow intruders to break in or
hackers to crash networks -- reported to CERT has soared. In 1995, the
group received 171 vulnerability notifications. That figure rose to
2,437 in 2001, and to 1,065 in the first quarter of 2002 alone. "It's
simply a case of low-quality security in a lot of our software," says
Rich Pethia, director of CERT.

Worse yet, the cost of hacker attacks appears to be rising. According to
the 2002 "Computer Crime & Security Study," released on Apr. 7 by the
FBI and the Computer Security Institute in San Francisco, some 90% of
the 503 respondents from large corporations and government agencies said
they had suffered some sort of cyberattack or security breach in the
past 12 months. The average financial toll from these has risen to $2
million per instance in the latest survey, from $500,000 in 1997.

Those self-reported losses may be low, as companies frequently are loath
to reveal the true cost of security lapses. With awareness now higher
than ever, companies have started spending more on cybersecurity.
Despite the rising risks, "most big companies still spend more on
catering each year than they do on cybersecurity," laments the security
manager at a multibillion-dollar corporation.

VULNERABLE FROM THE START. The roots of the security threat reach back
to the early days of the Internet. The languages and protocols that
allow so many disparate systems to talk to each other were never
designed for security, says Peter Neumann, a pioneer in secure computing
systems and a principal scientist at SRI International, a private
research lab in Menlo Park, Calif. That's because the systems built back
then were designed for a small, known community, not a global village
that logs on continuously.

This endemic weakness has become increasingly evident in recent months.
Researchers have discovered glaring vulnerabilities in some of the most
basic building blocks of data communications, such as the ASN.1 protocol
used for everything from remotely managing power plants and nuclear
reactors to passing basic instructions to switches and routers on a
network. At the same time, researchers are spotting more problems in all
types of application software.

Such revelations have added even more impetus to corporate efforts to
shore up cybersecurity. According to tech consultancy Gartner Dataquest,
the worldwide security software market should hit $4.3 billion in 2002,
up 18% from 2001's $3.6 billion. That's at a time when companies are
reining in virtually all other types of tech spending.

MISFIRING WEAPONS. While everyone acknowledges that security software
and hardware are improving, the current crop of products still leaves a
lot to be desired, according to experts such as the FBI's Larkin. Just
ask Bruce Hughes. As a manager at prominent computer security
certification and testing company ICSA Labs, Hughes test-drives and
rates dozens of virus-prevention and other software tools each year.

Hughes lauds the increased availability and affordability of
computer-security products. "If someone had said eight years ago that
you could walk down to Staples and buy a high-powered firewall for $200,
people would have laughed," he says. At the same time, "some security
products are getting much more difficult to use," he adds. "With so many
options, you can easily forget to change the configuration or skip right
over something you could have configured."

Worse still, even some computer-security techniques remain problematic.
Cryptographic programs designed to mask information or communications
far too often have glaring flaws that make it easy to crack their codes,
according to ICSA tests. That seems particularly galling, since the
cryptographic standards behind these programs have been around for years
and have been put through rigorous academic and real-world testing.
"Even the stuff that you think is easy you screw up all the time," says
Counterpane's Schneier.

BUILDING IN SAFEGUARDS. In fact, Schneier and others contend that the
best cybersecurity weapon remains the gray one between the ears -- that
dependence on automated software will never eliminate the need for
brainpower. "Counterpane uses human judgment. We have a system that has
people involved. That's the only way to deal with complexity," he says.

Still, it's no surprise that information-technology staffs are agitating
for better-made software. This is key, says CERT's Pethia, because the
basic code of so many of today's software products was built before
cybersecurity was a burning issue. Microsoft (MSFT), Oracle (ORCL),
and Apple (APPL), among others, have stepped up their efforts to write
security protection into their products. Eliminating vulnerabilities
from the widely used software these companies produce will give
specialized security products a better chance to succeed, says Pethia.

The cybersecurity front has had some bright spots. Many companies now
demand that partners or suppliers they link to electronically have
strong cybersecurity. Insurance companies are even forcing the issue, by
requesting more stringent audit and security measures from the companies
they deal with.

Moreover, some of the tools on Larkin's wish list appear to be in the
wings. The first generation of highly advanced log-management software,
from companies such as Network Associates and Network Flight Recorder,
is hitting the shelves right now.

CYBERSECURITY CORPS. Perhaps most important, the federal government
finally seems to have grasped the importance of cybersecurity. President
Bush has provided less than $100 million for research and development on
such security so far, but he has proposed hundreds of millions for
cybersecurity efforts in his fiscal 2003 budget, including $11 million
for the creation of a government cybersecurity corps, which would pay
the university tuition of students who agree to do an
as-yet-undetermined number of years of government cybercrime work after
graduation.

Bush has also proposed to upgrade the FBI and other government law
enforcement bodies, a chunk of which is bound to go toward
cybersecurity. For Larkin and his Pittsburgh charges, that's a vast
improvement over the days when computer security was an ugly stepchild
of law enforcement. Still, it's only a start on what will surely be a
long and possibly tortured effort to improve security technologies, give
humans better tools, and keep bad guys in cyberspace at bay.
