<?xml version="1.0" encoding="utf-8"?>
<rss xmlns:nb="https://www.newsbreak.com/" xmlns:media="http://search.yahoo.com/mrss/" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/" version="2.0" xmlns:dc="http://purl.org/dc/elements/1.1/"><channel><title>Government Executive - Authors - Alan Paller</title><link>https://www.govexec.com/voices/alan-paller/2604/</link><description></description><atom:link href="https://www.govexec.com/rss/voices/alan-paller/2604/" rel="self"></atom:link><language>en-us</language><lastBuildDate>Mon, 01 Jun 2009 00:00:00 -0400</lastBuildDate><item><title>Security First</title><link>https://www.govexec.com/magazine/magazine-news-and-analysis/2009/06/security-first/29247/</link><description>Holistic acquisition approach builds in agility to protect networks.</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Alan Paller</dc:creator><pubDate>Mon, 01 Jun 2009 00:00:00 -0400</pubDate><guid>https://www.govexec.com/magazine/magazine-news-and-analysis/2009/06/security-first/29247/</guid><category>News And Analysis</category><content:encoded>&lt;![CDATA[&lt;p&gt;
  &lt;em&gt;Holistic acquisition approach builds in agility to protect networks.&lt;/em&gt;
&lt;/p&gt;
&lt;p&gt;
  Six and a half years ago, John M. Gilligan, who was the Air Force's chief information officer, told an assembly of 200 military and civilian IT managers that the dangerous state of federal cyber-security had to change. Few people in his audience realized they were witnessing the beginning of a quiet revolution. While Gilligan was addressing security problems, Charlie Williams Jr., the deputy assistant secretary for procurement and acquisition at the time, was developing strategies that would shape Air Force buying behavior and leverage its purchasing power to reduce total cost of ownership. The result: a consolidated approach to security technology and acquisition that targets a critical national security challenge.
&lt;/p&gt;
&lt;p&gt;
  "America's failure to protect cyberspace is one of the most urgent national security problems facing the new administration," the Center for Strategic and International Studies' Commission on Cybersecurity for the 44th Presidency wrote in a December 2008 report. "It is a battle we are losing." Nation states are stealing terabytes of sensitive military data, including some of the most advanced technology. Cybercrime groups are taking hundreds of millions of dollars from bank accounts and using some of that money to buy weapons that target U.S. soldiers. The attacks are gaining in sophistication, and U.S. defenses are not keeping up.
&lt;/p&gt;
&lt;p&gt;
  A central theme in the report is ensuring that security is "baked in" to the hardware, software and services the government procures, which means building security into equipment and software code as they are assembled. Trying to add it after systems are developed and deployed is a failed strategy, according to the commission. Sens. John Rockefeller, D-W.Va., and Olympia Snowe, R-Maine, introduced a bill in April to establish a Federal Secure Products and Services Acquisition Board to identify the most important technologies and how security can be built in during the acquisition process. The Air Force, which established a similar group, has demonstrated why and how such an approach would work, and more important, how it resulted in tighter security for its networks.
&lt;/p&gt;
&lt;p&gt;
  The results speak for themselves: Centralizing the management of security and standardizing security settings have enabled Air Force IT managers to block 85 percent of cyberattacks that are launched against Air Force systems, shorten the time to deploy critical patches from 57 days to just three, reduce user problems and calls to the help desk, respond faster to new threats, and save hundreds of millions of dollars at the same time.
&lt;/p&gt;
&lt;h3&gt;
  Flexible Fliers
&lt;/h3&gt;
&lt;p&gt;
  Gilligan, now president of the IT consulting firm Gilligan Group, and Williams, who has since left the Air Force to become director of the Defense Contract Management Agency, joined forces in 2004 to establish the Information Technology Commodity Council. The idea was to consolidate the purchase of PCs, software, printers and cellular devices across the Air Force to not only save money but also to defend the service's networks against cyberattacks. After all, firewalls, antivirus patches and other security capabilities are largely ineffective if users' computer configurations fail to address risks. On the buying side, purchasing equipment piecemeal raises costs, diverts resources and makes daily maintenance nearly impossible as technicians try to find bugs in hundreds of different hardware and software configurations.
&lt;/p&gt;
&lt;p&gt;
  The council included members from each major command who set strategy, centralized contracts, and tracked the prices, technology and performance of IT products to negotiate better deals with vendors. The goal was to buy technology that could be updated every quarter at a lower cost-even compared with agencies buying less technologically advanced systems.
&lt;/p&gt;
&lt;p&gt;
  Gilligan recognized that PCs must be configured safely, but also knew experts usually disagreed on just what constituted "secure." To avoid any ambiguity, he asked the National Security Agency to tell him what configurations it would use to stop as many cyberattacks as possible. NSA made recommendations based on its experience and that of other groups, such as the Center for Internet Security, the Defense Information Systems Agency, the National Institute of Standards and Technology, and Microsoft Corp.
&lt;/p&gt;
&lt;p&gt;
  The Air Force then developed the Standard Desktop Configuration, a set of specifications for enterprise licenses and support contracts with Microsoft. Gilligan says suppliers such as Microsoft are enthusiastic about offering compatible hardware and pre-installing software, but only if their customers can specify the proper configurations.
&lt;/p&gt;
&lt;p&gt;
  As officials planned for the rollout of the Standard Desktop Configuration, they discovered the Air Force had thousands of legacy software applications and hundreds of configurations. What if the standard setup meant these applications wouldn't work? The familiar refrain from critics was: "One size does not fit all." To alleviate their fear, Gilligan started a phased rollout at four bases, testing the compatibility of every application. Most worked fine, while a few had to be customized or isolated on their own network segments.
&lt;/p&gt;
&lt;p&gt;
  Computers require frequent upgrades for new applications, updates to existing applications, security patches and other changes to thwart cyberattacks. Quick and comprehensive action is a must before hackers figure out how to exploit vulnerabilities. The Air Force's centralized network command-and-control function uses automated tools for updates and maintenance, installing upgrades in hours instead of months.
&lt;/p&gt;
&lt;h3&gt;
  The Bottom Line
&lt;/h3&gt;
&lt;p&gt;
  The Air Force's success story led the Defense Department, and later OMB, to require common configurations across all computer systems. When Defense standardized, it improved joint operations among the military services. Governmentwide standardization allowed agencies to build software applications for a few core configurations that are widely used and known to work, reducing the need for nonstandard configurations. More important, the standard configurations, available for Windows Vista and Windows XP and coming soon for other operating systems, give software developers a common, safe platform for their development. Common patches need be tested only one time and can be installed quickly-before attackers have time to exploit the vulnerabilities.
&lt;/p&gt;
&lt;p&gt;
  Theoretically, the entire nation could move toward more reliable and secure computing. But cost savings in acquisition and operations must be a priority for government. To meet those goals, several things must happen:
&lt;/p&gt;
&lt;ul&gt;
  &lt;li&gt;Establish an organization similar to the Federal Secure Products and Services Acquisition Board proposed in the Senate bill with a broad mandate and a short deadline to ensure all agencies buy IT products with security baked in.
  &lt;/li&gt;
  &lt;li&gt;Expand the General Services Administration's information security line of business to take in not only software and hardware purchases but also the adoption of secure configurations of those technologies across government, including its supplier base and computing cloud. The expansion should go beyond operating systems to include applications of all kinds, including databases, middleware, browsers and tools to automate security controls, and should cover all federal acquisition even if it is done outside GSA.
  &lt;/li&gt;
  &lt;li&gt;Stop measuring how much paper agencies produce describing their security efforts and focus on whether their network infrastructures and people are reliable, secure and resilient. This requires real-time feedback from network operators who use automated tools daily to enforce the security policies and monitor compliance.
  &lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;
  By baking security into its systems and its buying power, the Air Force generated huge security improvements, more operational flexibility and savings. Using standard configurations allows commercial and government software developers to reduce the time and cost devoted to testing upgrades, maintaining a complex system and certifying products are secure. Also, enterprisewide initiatives can be deployed faster. When the Office of Management and Budget and the Environmental Protection Agency issued energy management policy and guidance, for example, the Air Force was better positioned to make the necessary hardware, software and process changes, saving $10 million per year. The Air Force now has harmonized 90 percent of its IT inventory (more than 750,000 desktops and tens of thousands of servers) supporting all aspects of operations from warfighting to facilities management, health care to education, communications to logistics. At first, many employees resisted changes that required them to carry a common access card to log on to their computers and prohibited them from installing or changing software on their own. But weeding out compatibility issues has gone a long way toward alleviating employee frustration, reducing help desk calls by 40 percent. The result is a consistent infrastructure across the enterprise that can be changed dynamically in response to actual or potential threats.
&lt;/p&gt;
&lt;p&gt;
  &lt;em&gt;Alan Paller is director of research at the SANS Institute of Bethesda, Md.&lt;/em&gt;
&lt;/p&gt;
]]&gt;</content:encoded></item><item><title>The Unsung Heroes of Information Security</title><link>https://www.govexec.com/magazine/magazine-digital-government/2001/06/the-unsung-hereos-of-information-security/9204/</link><description></description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Alan Paller</dc:creator><pubDate>Fri, 01 Jun 2001 00:00:00 -0400</pubDate><guid>https://www.govexec.com/magazine/magazine-digital-government/2001/06/the-unsung-hereos-of-information-security/9204/</guid><category>Digital Government</category><content:encoded>&lt;![CDATA[&lt;p&gt;
  Inspectors general must assess the effectiveness of security controls, programs and practices in each federal department and agency by Sept. 1. Agencies without IGs must contract with independent evaluators to perform the assessments, which are required by the Government Information Security Reform Act provisions of the 2001 Defense Authorization Act.
&lt;/p&gt;
&lt;p&gt;
  The IGs face a huge problem in deciding what to measure and determining whether what they find is good, average or unacceptable. Office of Management and Budget guidance on implementing the law offers no specifics or metrics for the assessments. But benchmarks for security assessments exist in the form of promising practices implemented successfully by agency leaders. IGs who want to know where their agencies stand can ask how far ahead or behind the benchmarks they are.
&lt;/p&gt;
&lt;p&gt;
  These benchmarks address the three primary goals of information security:
&lt;/p&gt;
&lt;ul&gt;
  &lt;li&gt;Integrity, meaning information will not be accidentally or maliciously altered or destroyed.
  &lt;/li&gt;
  &lt;li&gt;Availability, meaning information will be ready for use when needed.
  &lt;/li&gt;
  &lt;li&gt;Confidentiality, meaning information will be kept secret from all except those who have a right to see it.
  &lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;
  When auditors find breaches in any of these areas, they invariably find one or more of three mistakes:
&lt;/p&gt;
&lt;ul&gt;
  &lt;li&gt;Manufacturers delivered the systems with unsafe configurations or with unpatched vulnerabilities.
  &lt;/li&gt;
  &lt;li&gt;System administrators made an error in system settings or did not apply a critical security patch.
  &lt;/li&gt;
  &lt;li&gt;Users made an error such as giving out a password or downloading an infected picture or screen saver file from the Internet.
  &lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;
  The innovators who created the promising practices and procedures to prevent these mistakes are the unsung heroes of information security, helping agencies answer three key questions.
&lt;/p&gt;
&lt;p&gt;
  &lt;strong&gt;How can we be sure that our systems have all the necessary security patches installed correctly?&lt;/strong&gt;
&lt;/p&gt;
&lt;p&gt;
  Every major type of computer system has security vulnerabilities; new ones are discovered nearly every week. Hackers exploit vulnerabilities to get inside federal computers, deface federal Web sites, store pornography and hacker files, steal government information and launch attacks on other government systems.
&lt;/p&gt;
&lt;p&gt;
  Most agencies have policies requiring system administrators to install all security patches, but many are not applied. Why not? Because there are too many patches, because they must be installed in a specific order and, most troubling, because some patches don't work and others have caused computers to stop operating correctly.
&lt;/p&gt;
&lt;p&gt;
  Our first unsung security hero, Marcey Kelley of the Energy Department's Lawrence Livermore National Laboratory, led a team that solved the patch problem. Their solution, called SafePatch, automates the process of finding and installing patches. Even more important, Kelley's group does the difficult manual task of testing patches thoroughly before allowing them to be installed. System administrators who maintain standard configurations trust the patches, and they don't even have to install them. SafePatch does it automatically. Any government agency that maintains standard configurations for the systems supported by SafePatch (Solaris and Linux) can contract with Lawrence Livermore to take advantage of the centralized patch validation and testing as well as automated installation. You can reach Marcey Kelley at &lt;a href="mailto:kelley6@llnl.gov"&gt;kelley6@llnl.gov&lt;/a&gt;.
&lt;/p&gt;
&lt;p&gt;
  &lt;strong&gt;How can we be sure our systems are configured to withstand the most common attacks?&lt;/strong&gt;
&lt;/p&gt;
&lt;p&gt;
  Even if patches are installed correctly, privacy and security can be compromised when system administrators are unaware of needed configuration settings. Trusting the configuration that is automatically provided by the system vendors is a common error. The vendor-provided configuration is the equivalent of a house with all its doors unlocked in a neighborhood full of burglars. Sure, the vendor tells the buyer to close the doors they don't need open, but most system administrators don't know how.
&lt;/p&gt;
&lt;p&gt;
  Most agencies have discovered that new computers never should be connected to the Internet with their vendor-supplied configurations. They use industry security guides or system-hardening programs to "lock down" new systems. But until last year, no one had developed a practical method of correcting configuration errors on the millions of deployed computers, where a configuration change could cause system shutdown.
&lt;/p&gt;
&lt;p&gt;
  Dave Nelson, NASA's deputy chief information officer, developed such a method. He based his solution on these assumptions:
&lt;/p&gt;
&lt;ul&gt;
  &lt;li&gt;Hackers generally exploit a few common attacks for which programs are widely available.
  &lt;/li&gt;
  &lt;li&gt;Focusing system administrators on correcting a limited number of problems would lead them to share solutions and make more rapid progress.
  &lt;/li&gt;
  &lt;li&gt;Reporting to top management on progress in closing the commonly exploited holes would ensure management support.
  &lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;
  Targeting the 50 most commonly exploited vulnerabilities has resulted in a 96 percent reduction in those vulnerabilities across NASA sites, and a welcome decrease in the proportion of successful attacks. We can't publish Nelson's Top 50, lest we provide a road map for attackers. But his work is being carried on by the Center for Internet Security, which is releasing global consensus rulers that check the security configuration of systems and target high-priority vulnerabilities. Nelson can be contacted at &lt;a href="mailto:dnelson@hq.nasa.gov"&gt;dnelson@hq.nasa.gov&lt;/a&gt;. The Center for Internet Security is at &lt;a href="http://www.cisecurity.org" rel="external"&gt;www.cisecurity.org&lt;/a&gt;.
&lt;/p&gt;
&lt;p&gt;
  &lt;strong&gt;How can we ensure security and system administrators are sufficiently up to date on the latest threats, technology and techniques?&lt;/strong&gt;
&lt;/p&gt;
&lt;p&gt;
  System administrators rarely are trained in security; it's just an option in the most common system administrator certification, the Microsoft Certified Systems Engineer (MCSE), and most MCSEs never study the security material. UNIX systems managers have similar deficiencies.
&lt;/p&gt;
&lt;p&gt;
  But more than 2,000 federal system administrators and security professionals have enhanced their security skills through five common certifications:
&lt;/p&gt;
&lt;ul&gt;
  &lt;li&gt;Certified Computer Crime Investigator, for law enforcement officers and private investigators: www.htcn.org.
  &lt;/li&gt;
  &lt;li&gt;Certified Information Security Auditor, for security auditors: &lt;a href="http://www.isaca.org" rel="external"&gt;www.isaca.org&lt;/a&gt;.
  &lt;/li&gt;
  &lt;li&gt;Certified Information Systems Security Professional, for higher-level, nontechnical security managers: &lt;a href="http://www.isc2.org" rel="external"&gt;www.isc2.org&lt;/a&gt;.
  &lt;/li&gt;
  &lt;li&gt;Checkpoint Certified Security Engineer, for those who manage Checkpoint firewalls: www.checkpoint.com.
  &lt;/li&gt;
  &lt;li&gt;Global Information Assurance Certification Certified Security Administrator, for system and network administrators, security analysts and security officers: www.sans.org/giactc.htm. (The author's employer sponsors this certification program.)
  &lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;
  Some system administrators and security staffers have used the certification process to help the community. They have proved their mastery of the material by creating reports, which have been graded, verified, improved and posted at the Information Security Reading Room at &lt;a href="http://www.sans.org/infosecFAQ/index.htm" rel="external"&gt;www.sans.org/infosecFAQ/index.htm&lt;/a&gt;. Five federal security people who have demonstrated this willingness to share their knowledge are:
&lt;/p&gt;
&lt;ul&gt;
  &lt;li&gt;Jeffrey Payne of the Naval Surface Warfare Center (step-by-step guidelines for securing Microsoft Exchange).
  &lt;/li&gt;
  &lt;li&gt;Jeff Campione of the Federal Reserve Board (step-by-step guidelines, with graphics, on how to secure Windows NT systems).
  &lt;/li&gt;
  &lt;li&gt;Michael Sneddon of the National Renewable Energy Laboratory (guidelines for securing Microsoft Exchange servers).
  &lt;/li&gt;
  &lt;li&gt;Lorraine Williams of the Naval Aviation Systems Command (importance of key length in cryptography).
  &lt;/li&gt;
  &lt;li&gt;Brian Kelly of the Marshall Space Flight Center (safe firewall practices).
  &lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;
  IGs can measure the skills of security staff against professional standards set by their peers. They can compare vulnerability reduction programs against NASA's, and patch updating programs against the one at Lawrence Livermore.
&lt;/p&gt;
&lt;hr /&gt;
&lt;em&gt;Alan Paller is director of research for the SANS Institute of Bethesda, Md.&lt;/em&gt;
]]&gt;</content:encoded></item><item><title>Who's Watching the Store?</title><link>https://www.govexec.com/technology/2000/04/whos-watching-the-store/7524/</link><description></description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Franklin S. Reeder and Alan Paller</dc:creator><pubDate>Sat, 01 Apr 2000 00:00:00 -0500</pubDate><guid>https://www.govexec.com/technology/2000/04/whos-watching-the-store/7524/</guid><category>Tech</category><content:encoded>&lt;![CDATA[
&lt;p&gt;
  Every sector is becoming increasingly dependent on information technology, especially the Internet, to conduct business and to stay competitive. That dependence has been accompanied by a growing threat from those who seek to disrupt Internet activities for personal gain or mischief.
&lt;/p&gt;
&lt;p&gt;
  Look at some recent stories:
&lt;/p&gt;
&lt;ul&gt;
  &lt;li&gt;High-visibility Web sites at Yahoo and CNN were blasted off the Internet through "denial of service" attacks.
  &lt;/li&gt;
  &lt;li&gt;Fourteen computers at the Agriculture Department were put out of service for several weeks because of an intrusion.
  &lt;/li&gt;
  &lt;li&gt;The State Department Web site that supports political operations around the world was compromised, its information altered and backdoors installed twice in less than eight months.
  &lt;/li&gt;
  &lt;li&gt;The federally sponsored Internet2 Site at the University of Minnesota was brought down for nearly two days by 232 infected computers at other sites being used to attack it. At four other commercial and academic sites, more than 1,400 computers were infected. The FBI issued a warning that potential attacks from infected computers put the Internet at risk.
  &lt;/li&gt;
  &lt;li&gt;Navy and NASA computers have been infected in the same way.
  &lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;
  Computer security breaches no longer are someone else's problem. Protecting valuable computer and telecommunications resources requires trained professionals who understand the latest techniques for protecting against, detecting and recovering from intrusions.
&lt;/p&gt;
&lt;p&gt;
  Agency managers who allow their systems to be compromised can expect to find themselves squarely in the sights of congressional watchdogs and others who believe that private information should be kept private or that federal systems should not be compromised. More importantly, these managers risk undermining public confidence in government and the Internet. And, even worse, they may be closed down. That's what happened to the Environmental Protection Agency's Web site recently, as a result of congressional pressure that suggested the risk of compromise was so high that all public access should be denied.
&lt;/p&gt;
&lt;p&gt;
  &lt;strong&gt;Finding Trained Professionals&lt;/strong&gt;
&lt;/p&gt;
&lt;p&gt;
  Technology managers have no way to determine whether people claiming to be computer security professionals know what they are doing. But the challenge of finding trained professionals does have analogs.
&lt;/p&gt;
&lt;p&gt;
  When we engage in high-risk or high-stakes activities such as flying in airplanes, obtaining medical services or assuring the financial integrity of our operations, well-understood and widely accepted credentialing processes give us confidence that we are relying on competent professionals. Those processes have five elements in common:
&lt;/p&gt;
&lt;p&gt;
  1. Individuals must have completed a formal training program accredited by an independent professional organization.
&lt;/p&gt;
&lt;p&gt;
  2. They must have demonstrated their ability to apply the concepts they learned through managed apprenticeship programs. Medical doctors have to complete internships and pilots have to fly airplanes.
&lt;/p&gt;
&lt;p&gt;
  3. They must pass a rigorous examination that includes both theory and practice administered by an independent professional organization.
&lt;/p&gt;
&lt;p&gt;
  4. To retain their professional credentials they must meet continuing education requirements.
&lt;/p&gt;
&lt;p&gt;
  5. Practitioners must subscribe to a professional code of ethics.
&lt;/p&gt;
&lt;p&gt;
  Potential employers and/or consumers then can have reasonable assurance that the professional with whom they are dealing is properly trained. For some fields, such as accounting, successful completion of an accredited training program may be sufficient. But for most jobs, all five components are required before an individual is entrusted with a critical task.
&lt;/p&gt;
&lt;p&gt;
  &lt;strong&gt;Casting Credentials&lt;/strong&gt;
&lt;/p&gt;
&lt;p&gt;
  The information technology profession has long struggled with the concept of professional certification, dating back to the certified data processor (CDP) created by the Data Processing Management Association. Many educational organizations have created certification programs in sub-specialties, such as project management, but none has all the components of a professional certification outlined above. And most seek, as their primary objective, to promote a particular training curriculum.
&lt;/p&gt;
&lt;p&gt;
  Software and hardware vendors have established certification programs to ensure clients know how to use their products, but these programs have been damaged by promises of certification without much work. Today, few employers are even aware of certification programs and even fewer make them a requirement when hiring a job candidate or a consultant.
&lt;/p&gt;
&lt;p&gt;
  Since 1978, the Information Systems Audit and Control Association (ISACA) (www.isaca.org) has issued the certified information system auditor (CISA) credential to those who pass its exam, have the requisite experience, subscribe to its code of professional ethics and meet continuing education requirements. The International Information System Security Certification Consortium (ISC2) (www.isc2.org) developed a certification for professionals with at least three years of experience who pass its exam and subscribe to its code of professional ethics. Recertification every three years is based on a continuing education requirement. The Information Systems Security Association (ISSA) Web site (www.issa-intl.org/certification.htm) lists other professional certificate programs. Even the federal government, under the leadership of the National Security Agency, has developed standards for measuring mastery of various security skills.
&lt;/p&gt;
&lt;p&gt;
  Programs like those sponsored by ISACA and ISC2 are valuable for auditors and security managers. Unfortunately, they do not measure whether people can handle the technical tasks required to keep systems secure: intrusion detection, firewall tuning, incident handling, and Cisco, NT and Unix security, for example. For that, a new level of education and certification is required.
&lt;/p&gt;
&lt;p&gt;
  &lt;strong&gt;What Is Missing&lt;/strong&gt;
&lt;/p&gt;
&lt;p&gt;
  Like flying airplanes, practicing medicine or handling large financial assets, running computer systems is inherently a high-risk activity requiring trained professionals. Passing a rigorous exam and having substantial experience, at least on paper, are important but not sufficient. There is no substitute for completing a thorough, independently accredited education program and demonstrating skills in simulated and actual conditions.
&lt;/p&gt;
&lt;p&gt;
  Requiring completion of an accredited training program reduces the risk that unqualified individuals will obtain the credential and enhances the credibility of the professional certification. These programs also help employers determine which job candidates are prepared for junior or entry-level positions.
&lt;/p&gt;
&lt;p&gt;
  It is time for the IT security profession to develop a scheme for accrediting training programs both at colleges and universities and at training institutes. Professional associations, such as ISC2 and ISSA, and groups of system and network administrators, the ultimate beneficiaries of the education, must be involved.
&lt;/p&gt;
&lt;p&gt;
  Until accredited programs and skills-based certifications are in place, the only path available to agency managers is to hire outside reviewers to test their systems for security vulnerabilities. But that is often expensive and incomplete. A recent General Accounting Office-sponsored test of NASA's information security by the National Security Agency audited only a tiny fraction of the computers managed by NASA.
&lt;/p&gt;
&lt;p&gt;
  On Jan. 7, the President announced an initiative to fund security education. Some of us are old enough to remember the questionable programs that sprang up in the 1940s and 1950s under the GI Bill, offering training in everything from electronics to flying airplanes. Do we really want the products of similar programs securing our computers?
&lt;/p&gt;
&lt;p&gt;
  &lt;em&gt;Alan Paller is director of research for the SANS Institute, an organization of technical security professionals&lt;/em&gt;
&lt;/p&gt;
&lt;p&gt;
  &lt;em&gt;Franklin S. Reeder teaches, writes, and consults on public management and information technology issues. He headed OMB's information policy staff.&lt;/em&gt;
&lt;/p&gt;
]]&gt;</content:encoded></item><item><title>Federal computers to face hack attacks</title><link>https://www.govexec.com/federal-news/1998/12/federal-computers-to-face-hack-attacks/5347/</link><description>Federal computers to face hack attacks</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Alan Paller</dc:creator><pubDate>Tue, 29 Dec 1998 00:00:00 -0500</pubDate><guid>https://www.govexec.com/federal-news/1998/12/federal-computers-to-face-hack-attacks/5347/</guid><category>News</category><content:encoded>&lt;![CDATA[&lt;a href="mailto:AlanPaller@aol.com"&gt;AlanPaller@aol.com&lt;/a&gt;
&lt;p&gt;
  During the first three months of 1999, federal agencies are likely to face unprecedented attacks on their computer systems via the Internet as part of a massive test of agencies' vulnerability to hackers.
&lt;/p&gt;
&lt;p&gt;
  &lt;em&gt;GovExec.com&lt;/em&gt; has learned that groups of executive and legislative branch personnel and researchers from nonprofit organizations are currently putting together a set of wide-ranging efforts to test federal computer security. The simulated attacks would go well beyond previous tests of individual agencies' systems.
&lt;/p&gt;
&lt;p&gt;
  Although neither the cast of players nor the shape of the final program is clear yet, some details are starting to take shape.
&lt;/p&gt;
&lt;p&gt;
  Selected agencies engaged in critical infrastructure and defense activities will face attacks on a very large percentage of their computers, launched by their own staffers. The attacks will simulate intrusions by hackers in an effort to identify weaknesses in the security configuration of systems. There will be no long warning period before the attacks, and agencies will be required to report the results of the tests to a central authority. The testing will continue periodically and ongoing progress reports will be required.
&lt;/p&gt;
&lt;p&gt;
  Other federal agencies outside the national security arena will also face simulated attacks, launched either by a consortium of outside organizations, agency staffers, or both. Results will be compared across agencies to recognize organizations that have been diligent in eliminating vulnerabilities to intrusion. The tests will be repeated periodically to highlight progress.
&lt;/p&gt;
&lt;p&gt;
  The coming tests are the culmination of a series of events that date back to 1996, when the Justice Department's web site was defaced, in part with a picture of Adolf Hitler replacing that of Attorney General Janet Reno. Other agencies, including even the CIA, had similarly embarrassing experiences. The General Accounting Office reported that computer hackers "had penetrated Department of Defense computer systems; obtained and corrupted sensitive information; shut down and crashed entire systems and networks; and denied service to users who depend on automated systems to help meet critical missions." By September 1996, GAO reported "serious security weaknesses for ten of the largest federal agencies."
&lt;/p&gt;
&lt;p&gt;
  CIA Director George Tenet later told the Senate Governmental Affairs Committee that DoD had done a self-study during which it launched and measured the success of 38,000 attacks. The attacks were successful 65 percent of the time and 63 percent of the attacks went completely undetected.
&lt;/p&gt;
&lt;p&gt;
  By early 1998, GAO, prodded by the Governmental Affairs Committee, engaged the National Security Agency to conduct simulated hacker attacks on individual agencies' systems. The first targets were the Federal Aviation Administration and the State Department. GAO said the tests found "significant security weaknesses ... that threaten the integrity of their operations."
&lt;/p&gt;
&lt;p&gt;
  Last summer, GAO asked NSA to conduct a similar test on NASA's systems. During months of negotiations on how the exercise should be conducted, NASA told its divisions and offices about the tests. Most of the NASA division and office directors assigned staff to identify and correct security weaknesses in anticipation of the exercise. As a result, says one NASA system administrator, "I was finally allowed to make the security fixes that I had been asking to make for three years."
&lt;/p&gt;
&lt;p&gt;
  When the penetration tests finally were run, only a very small fraction of NASA offices were targets of the simulated attack. GAO has yet to release its report on the exercise.
&lt;/p&gt;
]]&gt;</content:encoded></item><item><title>Information Systems Security Special Section</title><link>https://www.govexec.com/magazine/1998/09/information-systems-security-special-section/6140/</link><description></description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Alan Paller and Nancy Ferris</dc:creator><pubDate>Tue, 01 Sep 1998 00:00:00 -0400</pubDate><guid>https://www.govexec.com/magazine/1998/09/information-systems-security-special-section/6140/</guid><category>Magazine</category><content:encoded>&lt;![CDATA[&lt;a href="mailto:nferris@govexec.com"&gt;nferris@govexec.com&lt;/a&gt;, &lt;a href="mailto:%20alanpaller@aol.com"&gt;alanpaller@aol.com&lt;/a&gt;
&lt;p&gt;
  With more and more mission-critical information on line, federal managers must protect that information from unauthorized access. Read about new biometric protections, ways to detect and fend off network intrusions and other important developments.
&lt;/p&gt;
&lt;p&gt;
  &lt;a href="/features/0998/0998sup1.htm"&gt;Cybercrime Comes to Washington&lt;/a&gt;&lt;br /&gt;
  Federal agencies are ripe targets for a new breed of cybercriminals intent on making their marks. As the competition among hackers intensifies, it's no longer exciting or impressive enough to just sneak in, look around and leave some trap doors. Now hackers want to deface the systems or even bring them down.
&lt;/p&gt;
&lt;p&gt;
  &lt;strong&gt;Related Briefs:&lt;/strong&gt;&lt;br /&gt;
  &lt;a href="/features/0998/0998sup1s1.htm"&gt;Expert Opinions&lt;/a&gt;&lt;br /&gt;
  &lt;a href="/features/0998/0998sup1s2.htm"&gt;Secure E-mail is yours for a price&lt;/a&gt;&lt;br /&gt;
  &lt;a href="/features/0998/0998sup1s3.htm"&gt;Encryption stalemate continues&lt;/a&gt;
&lt;/p&gt;
&lt;p&gt;
  &lt;a href="/features/0998/0998sup2.htm"&gt;Solving Password Proliferation&lt;/a&gt;&lt;br /&gt;
  Tired of trying to remember all the passwords and personal identification numbers (PINs) that you need to get your work done these days? You're not alone.
&lt;/p&gt;
&lt;p&gt;
  &lt;strong&gt;Related Briefs:&lt;/strong&gt;&lt;br /&gt;
  &lt;a href="/features/0998/0998sup2s1.htm"&gt;More than one way to break in&lt;/a&gt;&lt;br /&gt;
  &lt;a href="/features/0998/0998sup2s2.htm"&gt;It's not Italian for goodbye&lt;/a&gt;&lt;br /&gt;
  &lt;a href="/features/0998/0998sup2s3.htm"&gt;NIST takes over security evaluation&lt;/a&gt;&lt;br /&gt;
&lt;/p&gt;
]]&gt;</content:encoded></item><item><title>CyberCrime Comes to Washington</title><link>https://www.govexec.com/magazine/1998/09/cybercrime-comes-to-washington/6141/</link><description></description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Alan Paller</dc:creator><pubDate>Tue, 01 Sep 1998 00:00:00 -0400</pubDate><guid>https://www.govexec.com/magazine/1998/09/cybercrime-comes-to-washington/6141/</guid><category>Magazine</category><content:encoded>&lt;![CDATA[&lt;a href="mailto:%20alanpaller@aol.com"&gt;alanpaller@aol.com&lt;/a&gt;
&lt;p&gt;
  Federal agencies are ripe targets for a new breed of cybercriminals intent on making their marks. As the competition among hackers intensifies, it's no longer exciting or impressive enough to just sneak in, look around and leave some trap doors. Now hackers want to deface the systems or even bring them down.
&lt;/p&gt;
&lt;p&gt;
  Meanwhile, some intruders are seeking sensitive information from agency files. Add to that the threat of infrastructure damage that can be done by enemy countries through holes left by loose computer security, and it's easy to understand why the Senate Governmental Affairs Committee is targeting agencies that are lax on security for scrutiny and, if necessary, for tighter management controls.
&lt;/p&gt;
&lt;p&gt;
  For Mark Boster, the wake-up call from the FBI came at 12:30 a.m. on a Saturday two years ago, and it was a rude awakening. An agent asked whether Boster was aware that the Justice Department Web site now displayed the words "The Department of Injustice" and that the picture of Attorney General Janet Reno had been replaced by a picture of Adolf Hitler.
&lt;/p&gt;
&lt;p&gt;
  As deputy assistant attorney general for information resources management, Boster was responsible for dealing with the break-in at the Justice site. Over the next two hours, he and his staff called the systems administrators responsible for the Web servers into the office and had the servers disconnected from the Internet. Their objective was to stop people from seeing the counterfeit Web page. They went to sleep, much later that night, confident they had accomplished this. But they were wrong.
&lt;/p&gt;
&lt;p&gt;
  For nearly a week afterwards, Boster received calls from reporters for &lt;em&gt;The Wall Street Journal&lt;/em&gt; and other publications, who said they still were seeing the Hitler picture. He and his staff didn't know that large Internet service providers such as America Online hold copies of popular pages so they don't have to take the time to retrieve them. When Justice turned its system off, every large service provider had only the Hitler page to show when people requested information from the Justice site. Thinking they had solved the problem by disconnecting their Web site was just one of Justice's mistakes.
&lt;/p&gt;
&lt;p&gt;
  Today Boster, who chairs the CIO Council's Committee on Computer Security, says, "That break-in was probably the best thing that could have happened to improve security at the Department of Justice." In the aftermath, Boster identified a dozen errors he and his staff had made that might have opened the door to the hackers. Top-level management interest created by the defacement gave him the resources and opportunity to correct these errors.
&lt;/p&gt;
&lt;p&gt;
  Other agencies face a choice. They can wait until a hacker defaces their Web site and embarrasses their top managers, or a more serious attack stops their operations. Or they can take some surprisingly inexpensive actions to defend themselves.
&lt;/p&gt;
&lt;p&gt;
  &lt;strong&gt;A New Epidemic&lt;/strong&gt;
&lt;/p&gt;
&lt;p&gt;
  Cybercrime is becoming epidemic. The president of one security consulting organization reports that every week there are three or four major security incidents at the 38 agencies and corporations that his firm monitors.
&lt;/p&gt;
&lt;p&gt;
  Defense Department officials estimated that DoD computers were attacked 250,000 times as far back as 1995, and DoD intrusion-detection expert Stephen Northcutt of the Naval Surface Warfare Center reports that the number of attacks has doubled just since the beginning of 1998 and has grown tenfold in the past three years. Attacks apparently have intensified on the civilian side too, but a 1997 survey by the CIO Institute and &lt;em&gt;Government Executive&lt;/em&gt; showed that four out of five civilian agency security managers don't know how much they are being attacked or by whom.
&lt;/p&gt;
&lt;p&gt;
  The problem is being fueled by smart hackers who not only find vulnerabilities and build tools to exploit them but also post the break-in tools on the Web where any bored high-schooler, criminal or foreign power can find and use them. It doesn't take much intelligence to copy an attack script from a Web site and then point it at a target organization. The price of entry into the hacking game is just $9.95 per month for an Internet account, and the hacker can do the job from Prague as easily as from Princeton.
&lt;/p&gt;
&lt;p&gt;
  New vulnerabilities are discovered every week, and the threats are becoming more sophisticated. Gen. Kenneth Minihan, director of the National Security Agency, told the Senate Governmental Affairs Committee June 24 that structured attacks are on the rise. In structured attacks, a coordinated group of people tries to penetrate systems simultaneously by sharing the blueprints of sites they have probed and applying their combined processing power, network bandwidth, tools and expertise.
&lt;/p&gt;
&lt;p&gt;
  Defense agencies with research or weapons development responsibilities are mounting efforts to deploy multi-tiered early-warning systems and analytical capabilities to identify and thwart network-borne attacks. At best, they stay barely ahead of the intruders. Some attackers still get through. At the same time, according to Director of Central Intelligence George Tenet, other segments of the defense and intelligence community are working on ways to take advantage of computer and network vulnerabilities to plan offensive cyberwarfare attacks that could disrupt an enemy nation's command and control systems or even its telephone and electricity production and distribution capabilities.
&lt;/p&gt;
&lt;p&gt;
  In the competition between the need for secrecy to maintain an offensive edge and the need for disclosure to enhance the ability to defend against cyberattacks, the DoD offense people usually win. Thus, the defensive knowledge being gained by Defense is only minimally available to civilian agencies and commercial organizations.
&lt;/p&gt;
&lt;p&gt;
  In March, an 18-year-old Israeli hacker who went by the name "Analyzer" came forward to claim responsibility, along with a U.S. collaborator who goes by the handle "Makaveli," for breaking into 20 federal computer sites. Analyzer's attorney, Amnon Zichroni, told Reuters, "In the past we used to boast about the girls we had. Nowadays, kids boast with their ability to hack into computer systems."
&lt;/p&gt;
&lt;p&gt;
  The damage the teen-agers can cause even without malicious intent is substantial. Law enforcement agencies reached a plea bargain agreement late in March with a Massachusetts teen-ager who had broken into the Bell Atlantic system and disabled communication at the Worcester airport, cutting off services to the airport's control tower and preventing incoming planes from turning on the runway lights. With teen-age pranks wreaking such havoc, it's not difficult to imagine the damage organized criminals or unfriendly nations can cause.
&lt;/p&gt;
&lt;p&gt;
  &lt;strong&gt;A Security Checklist&lt;/strong&gt;
&lt;/p&gt;
&lt;p&gt;
  With the risks growing every day, what's an agency supposed to do to protect its information, operations and reputation? To answer that question, &lt;em&gt;Government Executive&lt;/em&gt; and the CIO Institute convened a panel of technology experts from five of the leading computer security firms and one of the government's most advanced intrusion-detection facilities. Their advice can be summarized in a four-step plan that closely parallels what careful people would do to protect their homes in high-crime areas:
&lt;/p&gt;
&lt;ul&gt;
  &lt;li&gt;Upgrade the locks on the doors. Computer managers use a tool called a firewall to lock out most network attacks. For firewalls to be effective, the people who install and maintain them must always be aware of the latest attacks so they can write programs that will stop those attacks, as well as ones that were discovered earlier.
  &lt;/li&gt;
  &lt;li&gt;Check to be sure that doors are locked and that windows and other means of access, such as balconies, are protected. Careful managers do the same thing by regularly performing a vulnerability analysis and penetration test to check that the computer hardware and software are set to the most secure positions. They actually perform two analyses, one from the outside and one from the inside, to simulate what both outsiders and insiders could do. And in a manner similar to the way they use virus checkers, they rerun the vulnerability analysis repeatedly with up-to-date settings that reflect both the old and the most recently discovered vulnerabilities.
  &lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;
  When computer managers find important vulnerabilities, they eliminate them. The security experts on the panel report that the most common vulnerabilities they see are well-known security holes in operating systems and other services that the system administrators forgot to plug, out-of-date settings on firewalls, outside telephone lines plugged into computers that are also connected to the agency's internal networks, and passwords that haven't been changed in months and are easy to guess.
&lt;/p&gt;
&lt;p&gt;
  The Israeli hacker Analyzer reported that he used the first of those vulnerabilities, known holes in Web server software left unpatched by busy system administrators, to enter the federal computers. The number of holes to close is high, and new ones are being discovered every day. System administrators with hundreds of systems to manage don't have the time to keep up.
&lt;/p&gt;
&lt;ul&gt;
  &lt;li&gt;Install burglar alarms, both as early-warning systems and as deterrents. Burglar alarms that protect computers are called intrusion-detection systems. These tools monitor the patterns and sources of electronic traffic coming into the site and, in a manner similar to virus checkers, compare the traffic with "signatures" of known attacks. Smarter varieties are being released that attempt to detect new kinds of attacks or sources of attacks, but so far they have been plagued by too many false alarms.
  &lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;
  A second type of electronic burglar alarm monitors the computer's own log files to determine whether anyone is gaining unauthorized access to files or systems. Since half of all computer incidents, and the vast majority of all the losses from computer incidents, are caused by insiders, internal monitors are especially important. Computer crime is silent, so that many criminals, especially insiders who know the routine, feel quite safe. Effective burglar alarms can change that.
&lt;/p&gt;
&lt;p&gt;
  When these monitors find that unauthorized access has occurred, careful organizations act immediately to correct the structural or policy weakness that allowed the problem to occur.
&lt;/p&gt;
&lt;ul&gt;
  &lt;li&gt;Make sure intrusions get the correct response. To do this, agencies connect the electronic burglar alarms to a 24-hour-a-day, seven-day-a-week monitoring center where trained people know how to reach the appropriate contact persons at all times, or where electronic sensors correlate information and page the right people automatically.
  &lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;
  As these systems proliferate, more and more attackers are being caught and prosecuted. Each story about another successful prosecution serves as a warning to hackers. But agencies should be careful about publicizing their security strengths. To a hacker, a report of a new computer defense mechanism is a temptation to attack. Before he was caught, Analyzer was interviewed over the Internet by &lt;em&gt;Wired News&lt;/em&gt;. Asked about his choice of targets, he said in broken English, "I hate when [security people] trying to be overconfident . . . try to be God."
&lt;/p&gt;
&lt;p&gt;
  To protect themselves, the experts say, agencies should follow the four-step action plan outlined above and also do the following:
&lt;/p&gt;
&lt;ul&gt;
  &lt;li&gt;Implement and enforce a comprehensive set of security policies. Provide continuous education and reinforcement programs that enable all employees to know what constitutes a breach of computer security and whom to call, and motivate them to make the call.
  &lt;/li&gt;
  &lt;li&gt;Learn from the Justice Department's experience. The CIO Institute has summarized the errors Boster identified after Justice's Web site was tampered with in a booklet, "Twelve Mistakes to Avoid for Managing Web Security." A brief summary is available at no cost to those who send e-mail to info@cio.org with the words "12 Mistakes" in the subject line.
  &lt;/li&gt;
  &lt;li&gt;Tap the expertise of law enforcement officials. Invite such officials, especially those from the FBI's new infrastructure protection team, to educate management and staff on what to do when they see an intrusion or other suspicious situation. (Contact the FBI's National Computer Crime Squad via e-mail at nccs@fbi.gov, or through the Washington Metropolitan Field Office at (202) 324-9164.)
  &lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;
  &lt;strong&gt;Lack of Trust&lt;/strong&gt;
&lt;/p&gt;
&lt;p&gt;
  Even if agencies take all these steps, the bad guys will still have the edge because they share everything they find. Attack victims, meanwhile, hide the information out of fear that publicizing their vulnerabilities could embarrass them or aid other attackers. Unfortunately, this approach is akin to an ostrich sticking its head in the sand. It is the integration of knowledge that provides the advantage in cyberspace. The only way to get ahead is the equivalent of a distant early-warning line created by pooling the intrusion-detection knowledge and data of federal agencies and commercial organizations.
&lt;/p&gt;
&lt;p&gt;
  One step in the right direction came in February when Attorney General Janet Reno announced a new center at the FBI to combat cybercrime. But most security experts feel uncomfortable with the FBI as the repository of all their knowledge. Instead, they'd like to establish a new federal agency that would operate the way the Centers for Disease Control and Prevention does. Doctors know they can send data about outbreaks of diseases to the CDC without fear of embarrassing their patients and with confidence that the CDC will act quickly and wisely to stem any potential epidemics.
&lt;/p&gt;
&lt;p&gt;
  The new Center for Intrusion Control (CIC), as some have dubbed it, would complement the work of the crime fighters by gathering filtered data (that is, only data pertaining to the transmission of the message and the potentially malicious sections of it) from all intrusion-detection sensors and integrating that knowledge. Commercial organizations would willingly provide the information as long as they know, beyond a doubt, that their confidentiality would be protected. The CIC's goal would be to provide new "intrusion signatures" that could be monitored and stopped by intrusion-detection systems throughout the Internet. Ultimately, the CIC should be in a position to anticipate the next attack, cut it off before it happens, and identify the attackers so that law enforcement people could take action.
&lt;/p&gt;
&lt;p&gt;
  Whether and when the CIC will go into operation will be decided by congressional committees and administration officials, all of whom are busy with other tasks. Last year a presidential commission found that the telephone network, the electric power grid and other basic utilities on which we all depend are vulnerable to partial destruction through coordinated attacks. There's little doubt that what the CIA's Tenet calls "an electronic Pearl Harbor" would provide enough incentive to get the CIC staffed and operational. But the nation might be better served if its leaders would take preventive steps today.
&lt;/p&gt;
&lt;p&gt;
  &lt;em&gt;Alan Paller is director of research at the CIO Institute.&lt;/em&gt;
&lt;/p&gt;
]]&gt;</content:encoded></item><item><title>Avoiding Attacks</title><link>https://www.govexec.com/magazine/1997/08/avoiding-attacks/5772/</link><description>Avoiding Attacks</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Alan Paller</dc:creator><pubDate>Fri, 01 Aug 1997 00:00:00 -0400</pubDate><guid>https://www.govexec.com/magazine/1997/08/avoiding-attacks/5772/</guid><category>Magazine</category><content:encoded>&lt;![CDATA[&lt;p&gt;
  Just after midnight on Aug. 16, 1996, hackers cracked the Justice Department Web site, replacing the Attorney General's picture with Adolf Hitler's. Deputy Assistant Attorney General Mark Boster, contacted by the FBI, ordered the site brought down at 2:45 a.m.
&lt;/p&gt;
&lt;p&gt;
  Boster, in charge of information resources management, ordered the department to review its online security, and what he learned can help others who want to make their systems less vulnerable.
&lt;/p&gt;
&lt;p&gt;
  Top management is asking information technologists to do more work on the Web, which makes organizations more vulnerable because internal networks are connecting to the world outside. In response, technologists buy a "firewall," a device that limits network access, and declare themselves safe. Actually, they're practicing "security by prayer": praying that people will hack other sites, where entry is easier.
&lt;/p&gt;
&lt;p&gt;
  "We know we'll be attacked again. We want to be ready," Boster says, offering these tips:
&lt;/p&gt;
&lt;p&gt;
  &lt;span class="c1"&gt;1&lt;/span&gt; &lt;strong&gt;Don't allow outside organizations to set priorities.&lt;/strong&gt; Justice attorneys said they were at a disadvantage because private lawyers, with whom they compete, have Web access. "Just because it can be done [elsewhere] doesn't mean it should be done at the Department of Justice," Boster says. The key, he says, is to explain the consequences of unfettered network access in easily understood language, and to manage expectations.
&lt;/p&gt;
&lt;p&gt;
  &lt;span class="c1"&gt;2&lt;/span&gt; &lt;strong&gt;Don't believe self-proclaimed "security experts."&lt;/strong&gt; Contractors and internal security staff have widely varying expertise, so Boster suggests a system of checks and balances. First, he makes at least two contractors responsible for a project, then rotates vendors to keep getting new perspectives. While he tends to hire individuals, if he hires large companies he puts every employee on the project through a background check.
&lt;/p&gt;
&lt;p&gt;
  &lt;span class="c1"&gt;3&lt;/span&gt; &lt;strong&gt;Don't assume that once a system is secure it stays secure.&lt;/strong&gt; Boster has three full-time security employees, and he says the job takes their full attention. The hackers are working full time, so security teams must continually change the system to make it less vulnerable. In addition, systems often expect too much of their firewalls, incorrectly assuming they offer comprehensive security. "We . . . forgot we had lots of modems and dial-in ports," Boster said. Every modem on a network is a back door through which a hacker can enter the system, bypassing the firewall. As a result, Justice eliminated individual modems on networked ma-chines and established standards for remote access to networked information.
&lt;/p&gt;
&lt;p&gt;
  &lt;span class="c1"&gt;4&lt;/span&gt; &lt;strong&gt;Have a plan to deal with the next break-in.&lt;/strong&gt; Boster suggests keeping up-to-date lists of pager numbers for key on-call personnel. In addition, have plans for bringing the site down and back up, and know what information should be kept, what needs to be replaced and where to find original material. And because there may be questions from the press, have a plan to deal with the media.
&lt;/p&gt;
&lt;p&gt;
  &lt;span class="c1"&gt;5&lt;/span&gt; &lt;strong&gt;Designate a central authority.&lt;/strong&gt; When a loose federation of groups populate and host Web sites, there may be rogue sites that don't adhere to standards. Justice has taken the exceptional step of moving toward one Internet access point, allowing the agency to monitor its site more closely to detect problems more quickly and, if needed, shut down.
&lt;/p&gt;
&lt;p&gt;
  &lt;span class="c1"&gt;6&lt;/span&gt; &lt;strong&gt;Don't encourage heterogeneous telecommunications equipment.&lt;/strong&gt; When Attorney General Janet Reno decided she wanted to be able to send e-mail to any Justice employee, the agency connected its separate networks--making it easier to send e-mail but increasing system vulnerability. If any part of the network is penetrated, the entire system may be at risk.
&lt;/p&gt;
&lt;p&gt;
  &lt;span class="c1"&gt;7&lt;/span&gt; &lt;strong&gt;Don't believe your site can be removed quickly.&lt;/strong&gt; The day after the attack on the Justice site, the offensive materials could still be viewed. Boster's staff had turned off the server, but had forgotten--or didn't know--that important Web sites are replicated on the large service-providers computers, such as America Online, without the knowledge of the Web site owner. The replicas of the hacked site are maintained until the next regular update, which could be several days later.
&lt;/p&gt;
&lt;p&gt;
  &lt;span class="c1"&gt;8&lt;/span&gt; &lt;strong&gt;Maintain logs and other incident data on the Web server.&lt;/strong&gt; Standard hacker procedure usually calls for a "cover your tracks" step just before leaving a hacked site. That often includes erasing the logging records that show which files were opened and what was done in those files. Sites that maintain remote logs, instantly updated and archived, can shift the information advantage away from the hacker. Boster also advises maintaining a completely separate backup site. When the main site is hacked, the backup can be compared with the hacked site to find where and what changes were made.
&lt;/p&gt;
&lt;p&gt;
  &lt;span class="c1"&gt;9&lt;/span&gt; &lt;strong&gt;Don't leave tools hackers can use.&lt;/strong&gt; Justice had followed general industry practice and removed most system administration software from the server, but the hacker found and used several tools. The best practice, Boster says, is to build the Web content remotely and transfer only essential files to the active Web server, using encrypted transmission.
&lt;/p&gt;
&lt;p&gt;
  &lt;span class="c1"&gt;10&lt;/span&gt; &lt;strong&gt;Don't send unprotected information between servers.&lt;/strong&gt; Sniffers are software tools that read all computer traffic. They can be useful for administrators who must find the cause of network problems, but they can also be used by hackers to find user names, passwords and other critical data. To counter that threat, Boster has implemented encryption of all information transferred among Justice computers used for Web development.
&lt;/p&gt;
&lt;p&gt;
  &lt;span class="c1"&gt;11&lt;/span&gt; &lt;strong&gt;Don't participate in networks in which some members are careless about security.&lt;/strong&gt; Weak sites can be hacked easily and used as entries to other sites. If the weak link is inside a trusted community-say another agency-attacks may be successful. It's important, Boster says, that all members of a networked community practice safe Internet.
&lt;/p&gt;
&lt;p&gt;
  &lt;span class="c1"&gt;12&lt;/span&gt; &lt;strong&gt;Be tough on crime.&lt;/strong&gt; Some organizations cover up security breaches, but attacks may increase because companies and agencies that ignore hackers create a crime-friendly environment. "You must . . . be willing to prosecute offenders to the full extent of the law," Boster says.
&lt;/p&gt;
&lt;p&gt;
  Finally, Boster says, "the best thing that ever happened to security at the Department of Justice was having our Web site hacked." The attack enabled officials to rearrange responsibilities, implement and enforce policies, and allocate resources.
&lt;/p&gt;
&lt;p&gt;
  &lt;em&gt;Alan Paller is president of the CIO Institute in Bethesda, Md.&lt;/em&gt;
&lt;/p&gt;
]]&gt;</content:encoded></item></channel></rss>