Computers Under Attack Internet Security Trends

1
Computers Under AttackInternet Security Trends

• Rich PethiaSoftware Engineering
  InstituteCarnegie Mellon UniversityPittsburgh,
  PA 15213
• This work is sponsored by the U.S. Department of
  Defense.

2
CERT Coordination Center

• The SEI established the Computer Emergency
  Response Team Coordination Center in 1988.
• The CERT/CCs mission is to respond to security
  emergencies on the Internet, serve as a focal
  point for reporting security vulnerabilities,
  serve as a model to help others establish
  incident response
• teams, and raise awareness of
• security issues.

3
Activity

• Since 1988, the CERT/CC has responded to over
  100,000 security incidents that have affected
  hundreds of thousands of Internet sites has
  worked over 5000 reported vulnerabilities, and
  has issued hundreds of advisories and bulletins.
  In addition, the CERT/CC has helped foster the
  creation of over 90 other incident response
  teams.

4
The Internet has Become Indispensable to Business

• The Internet allows organizations to
• conduct electronic commerce
• provide better customer service
• collaborate with partners
• reduce communications costs
• improve internal communication
• access needed information rapidly

5
The Risks

• While computer networks revolutionize the way
  you do business, the risks computer networks
  introduce can be fatal to a business.
• Network attacks lead to lost
• money
• time
• products
• reputation
• lives
• sensitive information

6
Incidents Reported to CERT/CC
7
Surveyed Companies Identify Risks -1
Attacks
Source - Computer Security Institute/FBI Survey
8
Surveyed Companies Identify Risks -2
Attacks
Source - Computer Security Institute/FBI Survey
9
How Did We Get Here?

10
The Problem

• In the rush to benefit from using the Internet,
  organizations often overlook significant risks.
• the engineering practices and technology used by
  system providers do not produce systems that are
  immune to attack
• network and system operators do not have the
  people and practices to defend against attacks
  and minimize damage
• policy and law in cyber-space are immature and
  lag the pace of change

11
Strain on System Administrators - 1

• There is continued movement to complex,client-serv
  er, peer to peer, and heterogeneous
  configurations with distributed management.
• There is little evidence of security improvements
  in most products new vulnerabilities are found
  routinely.
• Comprehensive security solutions are lacking
  current tools address only parts of the problem.

12
Strain on System Administrators - 2

• Engineering for ease of use has not been matched
  by engineering for ease of secure administration
• ease of use and increased utility are driving a
  dramatic explosion in use
• system administration and security administration
  are more difficult than a decade ago
• this growing gap brings increased vulnerability

13
Other Reasons for Concern

• Many security audits and evaluations only skim
  the surface of the organization and its
  technology major risks are often overlooked.
• Lack of understanding leads to reliance on
  partial solutions.

14
More Sophisticated Intruders

• Intruders are
• building technical knowledge and skills
• gaining leverage through automation
• exploiting network interconnections and moving
  easily through the infrastructure
• becoming more skilled at masking their behavior

15
Attack Sophistication vs. Intruder Technical
Knowledge
Tools
stealth / advanced scanning techniques
High
packet spoofing
denial of service
DDOS attacks
sniffers
www attacks
Intruder Knowledge
sweepers
automated probes/scans
GUI
back doors
network mgmt. diagnostics
disabling audits
hijacking sessions
burglaries
Attack Sophistication
exploiting known vulnerabilities
password cracking
self-replicating code
Attackers
password guessing
Low
1980
1985
1990
1995
2000
16
So What?

17
Its going to get worse - 1

• Explosive growth of the Internet continues
• continues to double in size every 10-12 months
• where will all the capable system administrators
  come from?
• Market growth will drive vendors
• time to market, features, performance, cost are
  primary
• invisible quality features such as security are
  secondary

18
Its going to get worse - 2

• More sensitive applications connected to the
  Internet
• low cost of communications, ease of connection,
  and power of products engineered for the Internet
  will drive out other forms of networking
• hunger for connectivity, data and benefits of
  electronic interaction will continue to push
  widespread use of Internet technology

19
Its going to get worse - 3

• The death of the firewall
• traditional approaches depend on complete
  administrative control and strong perimeter
  controls
• todays business practices and wide area networks
  violate these basic principles
• no central point of network control
• more interconnections with customers, suppliers,
  partners
• more network applications
• the network is the computer
• whos an insiderand whos an outsider

20
Low Quality Software is One Root Cause of the
Problem

21
Vulnerabilities Reports are Increasing
22
Cyber attackers routinely exploit defects in
commercial software.
Reference Computerworld, 7/31/2000, www.cnn.com
Additional reference S, Hernan, Business Week,
2/28/2000 www.businessweek.com
23
And...
The public is beginning to understand that poor
quality software is the cause of many problems.
Reference Cover of 12/6/1999 business week,
www.businessweek.com
24
Vulnerability classes

• Majority of the problem from 8 fault classes
• 31-Trusting untrustworthy information
• 15 - Buffer overflows
• 7 - Insecure default configurations
• 5 - Flawed protocol definition
• 4 - Inheriting insecure arguments
• 2 - Program hard to configure safely
• 2 - Protocol definition ambiguous
• 2 - Logic error

25
Legislating low quality is the wrong
answerUniform Computer Information Transactions
Act
26
The SEIs Vision for Software Engineering

• The right software,
• delivered defect free,
• on time, every time

27
The Right Software

• Meets users needs and expectations
• Satisfies system requirements (including
  security)
• No surprises
• Affordable and appropriate cost

28
Delivered Defect Free
State of Practice
Development Integration and System
Test
60 - 80 of effort and cost
Reduce time to market by eliminating rework
A Better Way
Standish Group, www.standishgroup.com, 1996
29
Beacon of Hope

• 100B in transaction volume/day
• SEI started working with EBS in November of
  1998.
• launched first TSP team in
• April1999
• launched multi-team project in August 1999
• - 4 teams
• - 50 managers and engineers
• Multiple team project finished in August 2000.
• only 3 weeks behind schedule
• no installation problems

30
CERT Contact Information
24-hour hotline 1 412 268
7090 CERT personnel answer 830 a.m. 800
p.m. EST(GMT-5) / EDT(GMT-4), and are on call
for emergencies during other hours. Fax 1
412 268 6989 Anonymous FTP archive
ftp//info.cert.org/pub/ Web site http//www.
cert.org/ Electronic mail cert_at_cert.org US
mail CERT Coordination Center Software
Engineering Institute Carnegie Mellon
University 4500 Fifth Avenue
Pittsburgh PA 15213-3890 USA