Security Vulnerability Threatens Entire Internet - PowerPoint PPT Presentation

1
Security Vulnerability Threatens Entire
Internet
  • Experts urged end users and IT security pros to
    remain calm.

George Hulme, Information Week, 20 April 2004
Gregg Keizer, "TCP Vulnerable, But Net Won't Go
Down," TechWeb News, 20 April 2004
2
Cyberterrorism: We're Toast
Bill Neugent, 22 April 2004
The views expressed are those of the author and
boy do they not reflect the official policy or
position of The MITRE Corp.
3
Outline
  • Beach cottages on a sand bar
  • The problem with software
  • Threats
  • Enterprise engineering
  • Points of Light
  • Conclusion

4
The Situation
  • Computer-controlled networks empower and enable
    modern society

Networks bring us together
5
World is Interconnected
  • Cyber assets sit on rug of communications
  • Global Internet
  • Global Public Switched Network
  • We're at risk
  • Rug can be pulled out from under us
  • Cyberterrorists are seconds away

6
The Dilemma
  • Power travels at light speed
  • Power networks are controlled by computers
  • Communication signals travel at light speed
  • Communication networks are controlled by
    computers

Remote control makes it possible
to run a complex network
Remote control makes it possible
to ruin a complex network
7
Potential for great good offset by
Potential for great harm
Dr. Jekyll
Mr. Hyde
8
SCADA On Thin Ice
  • 3 million SCADA systems in use
  • Increased use of Windows, UNIX
  • Utilities connecting SCADA to corporate networks,
    Internet, wireless networks

Stratum8 Networks, New Layer of Internet
Security is Required to Protect Critical Systems
that Manage Oil, Natural Gas, and Electricity
Resources, 30 October 2002
9
So You Say You're Not On The Internet
  • Nearly every bank in the United States runs its
    operations on an internal network that connects
    to the Internet.

Maybe your front door isn't
Sandeep Junnarkar, CNET News, 1 May 2002
10
Shouts of Warning
  • "Electronic Pearl Harbor" (Winn Schwartau)
  • "Digital Waterloo" (Center for Strategic and
    International Studies)
  • "Digital Armageddon" (Sen. Charles Schumer, D-N.Y.)

11
Outline
  • Beach cottages on a sand bar
  • The problem with software
  • Threats
  • Enterprise engineering
  • Points of Light
  • Conclusion

12
What Motivates Bullies?
  • The reason the software you buy isn't secure is
    that companies don't care.
  • The reason is there is no liability for
    producing a shoddy product.
  • Bruce Schneier

COMDEX Panel: Accept the Net is vulnerable to
attack, IDG News Service, 19 November 2002
13
Software Complexity
  • Software more complex than any other human
    construct
  • No two parts alike
  • Software differs profoundly from computers,
    buildings, or automobiles, where repeated
    elements abound
  • Rapid time to market
  • Armies of programmers work independently
  • Complex legacy software carried forward

Feature-rich software asks for trouble
Frederick Brooks
14
Industry Complexity (Applies to DoD)
  • Example: freight information systems involve
    diverse companies
    • Carriers, shippers, distributors, freight
      forwarders, government agencies, e.g., Customs
  • No integration; hard to establish
    • Consistent security baseline
    • Security standards, e.g., e-documents
    • Identity of users and systems

800,000 hazmat shipments/day in U.S.
Transportation Research Board Special Report
274, Cybersecurity of Freight
Information Systems, A Scoping Study, National
Research Council, 2003
15
Market Forces Lead To Fragility
  • Competition forced cost-cutting
  • Led to dependency on Internet
  • Freight information systems efficient, reliable
  • Freight customers have lower inventories,
    just-in-time inbound material strategies

Market forces → Computer-enabled efficiencies →
Critical dependencies
Transportation Research Board Special Report
274, Cybersecurity of Freight
Information Systems, A Scoping Study, National
Research Council, 2003
16
Competition
  • Got to drop this extra security weight

17
Cutting Software Development Costs
  • Products that include software developed in
    Beijing
  • Microsoft
  • IBM
  • Sun
  • Etc.

18
The Issue: Closing The Gap
  • Security needed against state-sponsored attacks
  • Security provided by market-based solutions

Where should it be closed? How?
19
Outline
  • Beach cottages on a sand bar
  • The problem with software
  • Threats
  • Enterprise engineering
  • Points of Light
  • Conclusion

20
Terrorist Know-How, Resources
  • We train the world
  • Try to find an American in an American grad
    school
  • Funding

21
Terrorist Requirement
  • Make headline news
  • What's the visual?

After a bomb
After a cyberattack
TV news producer, judging whether to include
coverage of a fire
22
Prognosis For Cyberterrorism
  • Not top terrorist priority
  • Definitely on their to-do list
  • Much terrorist research and preparation for
    cyberterrorism

Col Bradley K. Ashley, USAF, Anatomy of
Cyberterrorism--Is America Vulnerable?
IA Newsletter, Vol. 5., No. 4., IA Technology
Analysis Center (IATAC), Winter 2002/2003
23
Hacker Threat
  • To date, a major annoyance, especially with
    viruses, worms
  • Main motivation for last decade of cybersecurity
    improvements

Most cyber defenses focus on countering
hackers, i.e., outsiders, not professionals
24
At Least We're Secure Against Hackers, Right?
  • Sanctum broke into 98 percent of 350 corporate
    sites it audited
  • Government Red Teams succeed every single
    time using hacker tools

Good news: Few hacker attacks intend destruction
PC World Communications, Cyberterrorism
Scenarios Scrutinized, 23 August 2002
Richard Clarke, Cyberwar!, PBS Frontline,
April 2002
25
Why So Few Intentionally Destructive Network
Attacks?
  • Hackers, criminals, spammers want to use
    Internet, not destroy it
  • Terrorists not yet active in cyber domain
  • To most adversaries, our nets are worth more up
    than down
  • The Big One Is Coming
    • We live in a straw house
    • Too many people have matches

26
The Big One
  • Exploitable vulnerability on millions of systems

27
Against such a threat, there is no current defense
28
Opportunity
  • Windows of vulnerability
    • Handful of critical Windows flaws (last week; have
      you patched?)
    • ASN.1 vulnerability (February 2004)
    • RPC vulnerability (August 2003)

29
It Could Be Worse
  • Hypothetical headline: AMERICAN ECONOMY STRUCK BY
    BUSINESS FAILURES
  • Corporate leaders struggle to explain
  • Dartmouth study of business failures: many could
    have been induced by cyber means
  • Could focus on confidentiality and denial of
    service be misplaced?

Need more attention to business processes, applications
Scott Borg
30
Threats
  • Government-funded professionals
  • Cyberterrorists
  • Corporate cyber Black Bag cells
  • Organized crime

Congress (after the first truly malicious worm)
Hackers
Users
31
Outline
  • Beach cottages on a sand bar
  • The problem with software
  • Threats
  • Enterprise engineering
  • Points of Light
  • Conclusion

32
Pieces Of DoD Enterprise Puzzle
  • GIG-BE (Global Information Grid-Bandwidth
    Expansion)
  • JTRS (Joint Tactical Radio System)
  • Transformational Communications (TC)
  • HAIPE (High Assurance Internet Protocol
    Encryptor)
  • NCES (Network-Centric Enterprise Services)
  • DoD PKI (Department of Defense Public Key
    Infrastructure)
  • KMI (Key Management Infrastructure)
  • Etc., etc., etc., ad infinitum

33
Network-Centric Operation Demands Enterprise
Engineering
Also known as Enterprise Systems Engineering
(ESE)
34
Engineering Within A Program
  • Chief engineers
  • Authorized and qualified to make engineering
    decisions
  • Resourced to explore and test technical
    alternatives, e.g., lab, prototype suite
  • Supported by process that identifies, tracks,
    communicates program and enterprise decisions

35
Engineering Across An Enterprise
  • Enterprise engineers
  • Authorized and qualified to make engineering
    decisions
  • Also mandate enterprise standards, influence
    program funding
  • Supported by community process that weighs
    stakeholder equities, prioritizes, adjudicates
    disagreements
  • Involves a negotiation process (hint: don't open
    with your bottom line)
  • Provided with enough visibility into programs to
    enable early detection of enterprise issues

36
Goals Of Enterprise Engineering
  • Interoperability and sharing (e.g., achieve
    optimal information sharing and access at
    acceptable risk)
  • Integration (e.g., independent parts work
    together)
  • Innovation (e.g., empower local creativity)
  • Economy of scale (e.g., shared common components,
    shared acquisition costs)
  • Efficiency (e.g., avoid undesirable redundancy)
  • Consistency (e.g., avoid weak links in the chain)

Achieve greater capability: do more with less
37
Technical Strategy: Defense-in-Depth
38
A Defense-in-Depth Consideration
  • Poor security often due to lack of qualified
    people
  • Layered security creates more work, not more
    people

39
Outline
  • Beach cottages on a sand bar
  • The problem with software
  • Threats
  • Enterprise engineering
  • Points of Light
  • Conclusion

40
Ways To Get Money, Motivate Action
  • Show vulnerability
    • Scan for vulnerabilities
    • Map network!
    • Red team as outsider!
    • Red team as authorized insider!
  • Show threat
    • Deploy intrusion detection system
    • Scan for unauthorized wireless!
    • Monitor Internet usage!

Prove threat is real; produce near-term results
41
Simplify
  • Firewall enterprise
    • Castle walls and gates enable control
  • Simplify enterprise management
    • Identity management, policy and access
      management, provisioning, e.g., Netegrity, RSA,
      Oblix
    • Single sign-on, integrated auditing
  • Server-based architectures
    • E.g., thin clients, Citrix Secure Gateway
  • Simplify system management
    • Configuration management, including patch
      management, e.g., Radia, SMS

Easier, cheaper, more secure: don't settle for just two
Applies to home computers
42
CIO's Choice: Heterogeneity / Homogeneity
43
Chaos
  • Diverse hardware and software
  • Applications testing
  • Staff training

Non-interoperable applications
44
Assimilation By The Borg
  • Homogeneous hardware and software
  • Applications and infrastructure part of a
    coherent, holistic whole

45
The More Integrated And Interoperable You Are,
The Easier You Fall
Defense-in-depth becomes more critical
46
Vulnerability Management
Get it Secure:
  • Configuration guidance: NSA, DISA, CIS, etc.
  • Gold standard (XML): DISA, etc.
  • XML policy server
Keep it Secure:
  • Identify IAVA: DISA, etc.
  • Check for IAVA (XML): DISA, etc.
  • Identify vulnerability: MITRE, industry, etc. (CVE)
  • Check for vulnerability (XML): MITRE, industry,
    etc. (OVAL)
  • Scans, scanners
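
As an added illustration of the XML-expressed checks in this flow (example code, not from the presentation and not MITRE's OVAL project), a miniature evaluator in Python: definitions combine version and setting tests under AND/OR criteria and are run against a constructed host state. The schema, item names, version numbers and CVE id are simplified placeholders.

```python
# Simplified OVAL-style evaluator (added example; miniature constructed
# schema, not MITRE's real OVAL schema). The CVE id is a placeholder.
import xml.etree.ElementTree as ET

# Constructed definition: vulnerable when the service is below the fixed
# version AND the documented workaround has not been applied.
DEFINITIONS_XML = """<definitions>
  <definition id="def-1" cve="CVE-PLACEHOLDER-0001">
    <criteria operator="AND">
      <criterion test="svc-version"/>
      <criterion test="no-workaround"/>
    </criteria>
  </definition>
  <tests>
    <version_test id="svc-version" item="example-service" less_than="1.4.0"/>
    <setting_test id="no-workaround" item="workaround-applied" expected="false"/>
  </tests>
</definitions>"""

def _version_tuple(v):
    return tuple(int(p) for p in v.split("."))

def _run_test(test, host):
    """Evaluate one test element against the host state dict."""
    if test.tag == "version_test":
        installed = host.get("versions", {}).get(test.get("item"))
        if installed is None:
            return False  # item absent: the check does not apply
        return _version_tuple(installed) < _version_tuple(test.get("less_than"))
    if test.tag == "setting_test":
        actual = host.get("settings", {}).get(test.get("item"), "false")
        return actual == test.get("expected")
    raise ValueError("unknown test type: %s" % test.tag)

def _eval_criteria(node, tests, host):
    """AND/OR over criterion elements; criteria elements may nest."""
    results = [_run_test(tests[c.get("test")], host) if c.tag == "criterion"
               else _eval_criteria(c, tests, host) for c in node]
    combine = all if node.get("operator", "AND") == "AND" else any
    return combine(results)

def evaluate(xml_text, host):
    """Map each definition's CVE id to True when the host matches it."""
    root = ET.fromstring(xml_text)
    tests = {t.get("id"): t for t in root.find("tests")}
    return {d.get("cve"): _eval_criteria(d.find("criteria"), tests, host)
            for d in root.findall("definition")}
```

A scanner built this way reports "vulnerable" only when every criterion in the AND group holds, so applying the workaround or upgrading past the fixed version both clear the finding.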
47
Secure (Pg 1 of 5)
  • Ensure resilient foundation
  • Programmed to respond automatically
  • Partitioned
  • Able to sustain emergency operation
  • Not fully Internet-dependent

48
Secure (Pg 2 of 5)
  • Create risk domains
  • DMZ for sharing with outsiders
  • Internal subnets at different risk levels

Verify network perimeter, e.g., Lumeta IPsonar
Find unauthorized connections, including WAP
Applies to home computers
49
Secure (Pg 3 of 5)
  • Strengthen systems, e.g., Host Intrusion
    Prevention Systems (HIPS) such as McAfee
    Entercept
  • Firewall desktops
  • Deploy strong authentication

Such as Public Key Infrastructure, e.g.,
VeriSign access tokens. Explore Web security
services, e.g., XML firewalls such as DataPower,
Westbridge XMS, NuParadigm, Reactivity
50
Secure (Pg 4 of 5)
  • Deploy automatic malware protection
    • Email gateway, e.g., Trend VirusWall
      • eManager plug-in to block installer patches,
        registry files
    • Network Intrusion Prevention Systems (NIPS),
      e.g., TippingPoint UnityOne
    • Spam filters (perimeter: Trend VirusWall,
      eManager; desktop: SpamAssassin, MailWasher)
    • Detect, automatically react to internal
      propagation, e.g., WormScout, CounterMalice claim
      to detect and quarantine scanning worms
    • Desktop, e.g., Symantec AntiVirus, HIPS,
      TripWire, BBX ImmuneEngine
  • Deploy automatic backup infrastructure
    • E.g., Veritas NetBackup

Applies to home computers
51
Secure (Pg 5 of 5)
  • Monitor and respond
    • Security Information Management (SIM)
      • Harness deluge of event data, e.g., ArcSight,
        GuardedNet, Intellitactics, netForensics
    • Vulnerability scanners (network and host), e.g.,
      Harris STAT, ISS
  • Monitor user activity
    • Internet usage, e.g., SurfControl, Vericept
    • Spyware detectors, e.g., Spybot Search & Destroy,
      Ad-Aware, PestPatrol
    • Application-specific, e.g., several GOTS
      examples
  • Separate infrastructure to monitor, react to
    malicious insiders, professional penetrations
    • Securify, StealthWatch, UTexas Data Fusion
      research, honeytokens, tripwires, homing beacons

Applies to home computers
52
Data Care And Breeding (Pg 1 of 2)
  • Data creation
    • Label, wrap, sign
    • Help make judgments
      • Sensitivity, releasability
    • Help monitor judgments
      • Grammar-style check for security rules
  • Data death
    • Clean, decent burial
    • Inform concerned parties

53
Data Care And Breeding (Pg 2 of 2)
  • Data life
    • Protect data, allow flexible, granular sharing
      • E.g., Digital Rights Management (DRM)-like
        technology such as Authentica, Liquid Machines
    • Update labels, wrappers, signatures
    • Check for leaks, lice, integrity
    • Help make judgments about combining, releasing,
      retaining
    • Monitor data flows, reads, writes
    • Protect privacy
    • Facilitate forensic collection
    • Clean up data trash, footprints
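
Added example (not from the presentation): the label, wrap, sign, update-label and integrity-check steps of the two Data Care slides, in Python. An HMAC with a constructed key stands in for the PKI signature the slides imply; the payload and party names are constructed.

```python
# Label, wrap and sign a data object (added example, not from the
# presentation). HMAC-SHA256 with a constructed key stands in for a PKI
# signature; the label carries sensitivity and releasability.
import base64, hashlib, hmac, json

KEY = b"constructed-demo-key"  # placeholder: real deployments use PKI keys

def _canonical(label, payload_b64):
    # Deterministic bytes covering label AND payload, so the label is bound
    return json.dumps({"label": label, "payload": payload_b64},
                      sort_keys=True, separators=(",", ":")).encode()

def wrap(payload, sensitivity, releasable_to, key=KEY):
    """Data creation: attach a label and sign label+payload together."""
    label = {"sensitivity": sensitivity, "releasable_to": sorted(releasable_to)}
    p64 = base64.b64encode(payload).decode()
    sig = hmac.new(key, _canonical(label, p64), hashlib.sha256).hexdigest()
    return {"label": label, "payload": p64, "sig": sig}

def verify(wrapper, key=KEY):
    """Integrity check: True only if neither label nor payload changed."""
    expected = hmac.new(key, _canonical(wrapper["label"], wrapper["payload"]),
                        hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, wrapper["sig"])

def relabel(wrapper, sensitivity, releasable_to, key=KEY):
    """Data life: update the label and re-sign; refuse tampered input."""
    if not verify(wrapper, key):
        raise ValueError("integrity check failed; refusing to relabel")
    return wrap(base64.b64decode(wrapper["payload"]), sensitivity,
                releasable_to, key)

def may_release(wrapper, party, key=KEY):
    """Release judgment: valid signature AND party named in the label."""
    return verify(wrapper, key) and party in wrapper["label"]["releasable_to"]

if __name__ == "__main__":
    w = wrap(b"constructed routing plan", "sensitive", ["ops", "customs"])
    print(may_release(w, "customs"), may_release(w, "press"))  # True False
    w["label"]["releasable_to"].append("press")  # unsigned label edit
    print(verify(w))  # False: the edit invalidated the signature
```

Because the signature covers the label as well as the payload, widening releasability without the signing key is detected rather than silently honoured.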

54
Laptops to Belt-Tops to Bionics
  • Personal Digital Assistant (PDA)/Palm PC
  • Cell phones
  • Approach for new gizmos
    • Understand vulnerabilities quickly, establish
      policy
    • Achieve risk awareness: be aware of
      exploitations
    • Grow accustomed to fewer secrets, less privacy

All wireless. All will include microphones. Many
will include cameras.
55
When Hackers Get Bored, They Turn On Captured
Webcams
WinPopup messages:
"Why are you using a computer when there's a girl
on your bed?"
"The word you want for 14-Down is careless."
"You idiot!"
56
Points of Darkness
  • Witty worm targets ISS products
  • Exploits via single UDP packet
  • Destroys data on hard drive, lives within memory
  • Bagle worm variants run without launching
    attachment
  • Phatbot, "a virtual Swiss Army knife of attack
    software," uses P2P networks
  • Symbiot iSIMS blacklists attackers and enables
    retaliation via DDoS

The Arms Race Continues
57
Confront Ultimate Threats
58
User Survey--Infosecurity Europe 2003
  • 75% immediately gave passwords when asked
    • 15% more required social engineering
    • password 12%, name 16%, football team 11%
  • 75% knew coworkers' passwords
  • 67% used same password for everything
    • Personal banking, Web site access
  • 91% of men circulated dirty pictures or jokes
    • 40% of women did same
  • If discovering a salary file, 75% would read it
    • 38% would pass file around office

59
Two Things To Count On
  • Users will click on attachments
  • Users will hit Reply All

60
User-Based Security
  • Picture a vehicle with an independent steering
    wheel on each tire

61
The Greatest Risks Are From Those We Most Trust
62
Lesson Learned: It's Who You Know
  • 80 percent of murder victims killed by someone
    they knew
  • 22 percent killed by people with whom they had
    romantic involvement

Murder in Large Urban Counties, The Bureau of
Justice Statistics Study, 1988
63
Separation of Power In Government
Humans don't deal well with absolute power
64
Separation of Power In Systems
  • Study of over 100 espionage cases showed 55% of
    spies were network or system administrators

Data is from the Espionage Database Project of
the Defense Personnel Security Research Center
65
Outline
  • Beach cottages on a sand bar
  • The problem with software
  • Threats
  • Enterprise engineering
  • Points of Light
  • Conclusion

66
Think In Advance
  • Team with others
    • Community partnerships (trust everyone)
    • Enterprise engineering adjudicates community
      issues
  • Inoculate against insider attacks
    • Minimize trust on users (trust no one)
    • Safeguard treasures
  • Architect for resilience, emergency operation
  • Automate responses