CYBER EYE

Any networked system is a dangerous toy in denial-of-service game

William Jackson

Last month's distributed denial-of-service attacks upped the ante in the cybersecurity game, turning virtually every networked computer into a mission-critical machine.

Security has always been an afterthought in software and systems design. The primary focus has been on sensitive stored information. Thousands of networked computers that store information of little or no value receive little or no attention. Now these computers, including ones operated by the government, can host Trojan horses that let hackers launch remote attacks to block otherwise well-protected Internet sites.

By leaving any networked machine unprotected, 'you're leaving a loaded gun out,' said Alan Paller, director of research at the SANS Institute of Bethesda, Md.

The Unix vulnerabilities that hackers exploited to plant the Trojan horses were well-known, but the personnel and expertise needed to patch and monitor the holes have always been in short supply. New, improved attack tools now can target Microsoft Windows systems.

Always-on, broadband connections via cable modems and digital subscriber lines are increasing the count of loaded guns.

Ensure yourself

If there's no longer such a thing as a noncritical computer, the only way to ensure system integrity is with out-of-the-box security: software from the operating system up that has security built in, not patched in.

I suspect this is the point the hackers were trying to make in their recent attacks. You might disagree with the method, but the message deserves full attention.

Building an operating system from the ground up is a massive undertaking, and building a secure one is even tougher.

But in an economy in which Cisco Systems Inc. of San Jose, Calif., is the most valuable corporation, and in which the company that would be created by the proposed merger of America Online and Time Warner would dwarf General Motors Corp., the stakes are high enough to warrant the effort.

Disregarding the economic incentive, owners of compromised computers could be held liable if their machines are used in an attack. Some security experts advocate prosecuting the developers of flawed software, and this idea is likely to find support as businesses seek to spread the cost of online losses.

Unfortunately, if the work began today, we would still be years away from having secure software.

In the meantime, every chief information officer and every security administrator needs to make sure that agency computers have not been compromised and are adequately protected.

Help is coming

Help is available in software downloadable from www.nipc.fbi.gov and www.sans.org.

Security vendors have been knocking themselves out to ship products that search for and remove known Trojan horses, and many types of software are available to detect and prevent intrusion.

Using them costs money, takes time and can be a pain. But the risk of not using them is going to be more painful.
