Distributed denial-of-service attacks put e-commerce on the line
Better tools and changes in IT can help, but the best defense begins and ends with the systems staff

Alan Paller founded the SANS Institute in 1992 as a cooperative research and educational organization for the people who secure and manage information systems. The institute now has more than 96,000 participants.
As research director, he has coordinated efforts to reach a consensus on securing Microsoft Windows NT, Linux and SunSoft Solaris and how to respond to computer security incidents. He also oversees the weekly and monthly digests of new security threats and solutions.
Paller holds degrees from Cornell University and the Massachusetts Institute of Technology. In addition to SANS, he founded the Data Warehousing Institute and co-founded the CIO Institute.
GCN features editor Kevin McCaney interviewed Paller at the SANS offices in Bethesda, Md., in January, notably before the rash of high-profile denial-of-service attacks that struck several heavily trafficked Web portal sites.

GCN: What are the biggest security threats facing government and other large systems?
PALLER: The biggest threats are denial-of-service attacks that can stop Internet commerce, and extortion based on threatened disclosure of private information or threats of closing down your site.
The last few months of 1999 isolated the type of attack known as the distributed denial of services, which can stop all of the work that you're doing on the Internet. Cold. These are proven attacks. A second, related threat is that your systems will be used to attack other people's work.
The reason that matters is that it creates two new requirements of federal agencies. One is that they must not be the organizations that are victimized and used to attack other agencies. We already have evidence that some Defense Department sites have been infected and used to attack other sites, and we expect to find civilian examples shortly. And more important, it means that they have to have a method of making sure that they can operate if their computers go out.
What's awful about the last 150 days is that, before that, if you were a good security person, you could establish a series of fences and you were safe. Now, if you are a good security person and I'm a bad security person, I put your system at risk.

GCN: Are the tools that exist now up to the task of fending off these sophisticated attacks?
PALLER: The dirty little secret of computer security is that the tools don't solve the problem. The tools actually provide a false sense of security. The reality of what solves the problem is training system administrators to systematically protect their systems.
Because it doesn't matter what kind of hardware and software you use, you cannot protect the system if they don't do it right.

GCN: Some feds have said the biggest threat is their own users, who may inadvertently or carelessly put systems at risk. Is this a big problem?

PALLER: I don't think they have any proof of that. I know they worry about that; they worry about passwords and about people sharing passwords. But that's not where most of the threats come from. There is one area: The user who opens an attachment in e-mail, stupidly, is an example of that. But that's the only place where there's lots of evidence that the users are the culprits. For the most part, the information technology community has the full responsibility for the lack of security. It's nice to find somebody else to blame, but we've got the responsibility.

GCN: What kind of investment is required to secure systems?
PALLER: Security has a special characteristic that's confounding: As you solve a problem, someone else is in the business of creating a new problem. It's not like Y2K, where there was a fixed set of problems. So, at least for a while, there are going to be steady requirements for investments in securing systems.

GCN: What about the commercial side?
PALLER: There is one investment that's as large as the Y2K investment, and that is the conversion of the Internet from its current characteristic, which is that anyone can come from anywhere and pretend to be anyone else, to where everybody's authenticated through IPv6 [Internet Protocol Version 6], so that you are coming from a known place. But with the infrastructure removal and rebuilding required, it looks like that's a $100 billion kind of investment, so it doesn't look like it's going to happen in the next few months.
There is a reasonable expectation that over a long period of time (four, five, six years) a very large investment on the vendor side will solve the problem.
A long time ago, we weren't worried about this level of attack because a computer was a closed system. My guess is that the vendors could again create systems with much less vulnerability.
A simple example would be Microsoft Corp. with Microsoft Office and Word. Word turns on by default functions that make it vulnerable. But Microsoft could systematically turn off the macros after use. You could have the default be protect rather than the default be open. Like a door that automatically locks when you close it.
Given how the Internet works, given that you're not going to spend $100 billion to fix IP right now, my guess is that we're going to need systems that automatically lock.
It could also involve hardware cryptography so that data is always encrypted, automatically. As long as you have to have encryption software on both ends, you have an enormous performance problem, so that people say, 'Am I going to get my work done, or am I going to be secure? Well, I've got to get my work done.'

The hardware vendors are going to have to build in hardware encryption and develop systems that are closed by default.

GCN: Will the demand for security ever be equal to the demand for convenience?
PALLER: If you sell me a car with a door latch that opens too easily in an accident, and I lose an arm because of it, the guys who manufacture the car have responsibility for it.
There's a movement afoot to say: If you sell me a computer that makes it really easy for an attacker to break in, you have the responsibility to clean it up. That's the shift that will cause it to happen: When some court makes a ruling. But there are no cases pending now, and software does come with legal disclaimers.

GCN: We hear about some high-profile hacker attacks, but is there an onslaught of attacks that are relatively inconsequential, or not reported? Was there a barrage during the date rollover?
PALLER: Nobody said, 'Let's hide under the Y2K umbrella.' There was no Y2K umbrella to hide under because everybody was shining their light on it; it would have been stupid. But it's been going on for six months. The main threat to everything you think of right now as protection is these denial-of-service attacks.
And yet there are companies that have been taken down recently (in one case a financial institution in New York) that you are not going to hear about, because there's no benefit to it for the company. So they don't even tell the FBI. They call in one of the six or seven firms that are real good at cleaning up messes, and they're sworn to secrecy.

You only see it when it has already publicly affected somebody in a negative way. There was a huge Y2K thing: One of the big banks was down for eight days. It was a stupid mistake, but it was a pure Y2K mistake. It will never be reported. Everybody has a don't-touch attitude to these security and Y2K things.

GCN: Do most of the attacks target government and industry sites? What do hackers gain from them?
PALLER: The majority of attacks are the hacker community generally attacking each other. They practice on each other.
My opinion is that, as for the active use of these things, the vast majority will be for extortion. We'll find that this is an economic business, this business of attacks. I believe there may also be some other national security issues. But threatening a bank with, 'If you don't give us $100,000, we're going to give this credit card information to people,' that, I believe, is the signature crime. And it's not far from those bad guys attacking each other to that kind of extortion, if they can figure out a way to collect the money.

GCN: So what does all this mean to a federal agency?
PALLER: The best path to security motivation will come from a combination of congressional hearings and the inspector general. I think it will work this way: Congress will plan hearings and highlight the weaknesses that have been found and start doing scorecards on federal agencies that will motivate chief information officers to act. And then I think they'll make some mistakes.
They will hire a firm to do a vulnerability analysis of their computers, which will find an average of five to 30 vulnerabilities per system. A federal agency will have thousands of systems. Multiply, and you will get between 10,000 and 250,000 vulnerabilities.
An average vulnerability, to close it, takes at least a couple of hours. And if you're competent, it takes another few hours to test it, to make sure you haven't broken anything. So let's say it takes six or seven hours to fix a vulnerability.
Here's the mistake: You send this list of 10,000 to 250,000 vulnerabilities down to the systems staff and tell them they've got eight weeks to clean it all up. What you've done is completely debilitated them. You've taken any chance of their actually tightening up security and run it through.
If this interview has a useful function it will be to say to management: Don't you dare send the systems staff more to do than you give them the time and the training to do. If they close 500 holes, you still can have 249,500 left to do. What's the point?
And it's fatal. You will never get the relationship back; it will be: See, I told you, management is kooky. You break the chance that the CIO can be part of the solution.

The second step is a partnership between the CIO and sysadmin. It's two-way listening. I'm saying to senior management, these are the people who can save you. And you have to enable another group within your organization to test the system, to have regular, everyday testing.

It's also essential to have your people certified; get their skills up. And you're probably going to have to pay them more. I think the feds are working toward that.

GCN: So there's no single best approach besides being diligent?
PALLER: Securing a system is similar to building a house. What's the silver bullet to building a house?