I recently had the pleasure of making a presentation about information security to a group of chief information officers at a retreat sponsored by SARCOM, a nationwide systems integrator and reseller. As far as I can tell, my job was to play havoc with golf handicaps of the CIOs by providing them with some uncomfortable points to ponder about the future of info security issues they will be forced to deal with.
The theme of my talk was to ask a rhetorical question: Is the stage being set for an Electronic Pearl Harbor?
I would like to take the next two newsletters to provide a condensed version of my talk so that you may ponder that same question these CIOs did.
Although the prospect of an Electronic Pearl Harbor has been discussed in government and the private sector, there is not a specific definition of what this means. The idea is that some critical infrastructure could be disrupted to the point that society loses some ability to function normally. This could mean anything from businesses shutting down, to lives being put in peril or people losing their life savings. We may not be able to accurately define the term, but we will know it when we see it.
I spent a significant amount of time during my talk trying to set a baseline of the current state of Information Security. Some of the main points I made are that security tools are primitive; cyberattacks are, on the whole, unsophisticated; robust security is not user friendly; and governments are behind.
After that, we spent time trying to identify trends occurring throughout the security industry, as well as within the government and the hacker community. Finally, we tried to see if all of these factors added up to an Electronic Pearl Harbor, or some less-apocalyptic event.
What do I mean by the primitive state of security tools? A simple answer, post-conference, is ExploreZip.pack. Even though the dangerous ExploreZip worm/virus has been well known for months, a slight variation on the original has led to a new outbreak that has hit many large companies, including financial institutions.
Unfortunately, the simple act of packing the file (compressing the executable so that the byte patterns antivirus signatures look for no longer appear on disk) has allowed it to evade many antivirus packages once again. Some experts have even hypothesized that an innocent party inadvertently released this latest iteration of ExploreZip. This episode is symptomatic of the security industry as a whole: tools tend to offer reactive protection and are weak at detecting previously unknown attacks, or known attacks in a slightly altered form. If our defenses can be compromised so easily by accident, what hope do we have of defending ourselves against the bad guys?
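To make the packing point concrete, here is an added illustration (not code from the original column, and not ExploreZip's actual code): a toy signature scanner of the kind that ships one fixed byte pattern per known sample, a constructed stand-in for a worm body, and a "packer" that uses zlib compression behind a made-up PACK1 stub header in place of a real executable packer. The raw-byte scan finds the original, misses the packed copy, and finds it again only once the scanner recognises the stub and unpacks before matching, which is the extra work a signature-only tool of the time did not do.

```python
"""
Why a repacked worm slips past a signature-based scanner.

Added example: toy scanner, constructed payload, toy packer.
Nothing here is real malware; the payload bytes, the signature string
and the PACK1 stub header are all made up for the illustration.
"""
import zlib

# Constructed stand-in for a worm's executable body (not real malware).
ORIGINAL_WORM = (
    b"MZ\x90\x00" + b"\x00" * 60
    + b"look for zipped_files.exe and wipe *.doc *.xls *.cpp"
    + b"\x00" * 32
)

# A 1999-style signature: an exact substring lifted from the known sample.
SIGNATURES = {
    "Worm.ExploreZip(example)": b"wipe *.doc *.xls *.cpp",
}

PACK_MAGIC = b"PACK1"  # constructed loader header for the toy packer


def scan(data: bytes, signatures=SIGNATURES):
    """Return names of signatures whose byte pattern occurs in data as-is."""
    return [name for name, pattern in signatures.items() if pattern in data]


def pack(data: bytes) -> bytes:
    """Compress the body behind a small stub, as an executable packer does.

    A real packer's stub decompresses and runs the body at load time; the
    bytes on disk are the compressed stream, so the signature substring is
    gone even though the program behaves identically when run.
    """
    return PACK_MAGIC + zlib.compress(data, 9)


def unpack(data: bytes) -> bytes:
    """Undo pack(); data without the stub header is returned unchanged."""
    if data.startswith(PACK_MAGIC):
        return zlib.decompress(data[len(PACK_MAGIC):])
    return data


def scan_with_unpacking(data: bytes, signatures=SIGNATURES):
    """What a less primitive scanner must do: recognise the packer stub and
    match signatures against the decompressed body, not the bytes on disk."""
    return scan(unpack(data), signatures)


if __name__ == "__main__":
    packed = pack(ORIGINAL_WORM)
    print("raw scan, original      :", scan(ORIGINAL_WORM))
    print("raw scan, packed        :", scan(packed))
    print("unpacking scan, packed  :", scan_with_unpacking(packed))
```

The point generalises: any transformation that preserves behaviour but changes the bytes on disk (a different packer, a re-encrypted body, even a trivial patch to a string) defeats a scanner that matches raw bytes, which is why a scanner has to either emulate the stub or detect the packer itself.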
Security is not user friendly. Long random passwords are difficult to remember and are often worked around by insecure means. Users may choose simple passwords, write them down or find a technological way to get around them. Smart cards and authentication tokens are seen as a nuisance by many and often have user acceptance problems. The user-friendly features technology does bring us tend to undermine security. One of the worst things done to password integrity is the "AutoComplete" feature of Internet Explorer 5, which offers to store your Web site passwords on your computer so that you don't have to remember them and the browser can log you on automatically.
Today's cyberattacks are unsophisticated on the whole. They lack the massive coordination of military operations and are instead the actions of a single person or a small group. By using compromised servers in different time zones as launch points, attackers sometimes appear more coordinated than they really are. Most of these bad guys have no organized criminal intent beyond the original break-in and are often characterized as high-tech graffiti artists. In fact, most of them are "script kiddies": they do not develop their own exploits but simply run preprogrammed exploit code, often without understanding the technical details of what they are doing.
The hackers that do show a lot of talent in exploiting Internet servers are often immature kids seeking a thrill, and have not been connected with professional criminals - yet. Many people in contact with these kids describe them as coming from broken families, lacking attention - having been raised, in effect, by the technology. Ultimately, these are kids that could go either way - they could either become hard core criminals, or consultants for a Big Six firm. Most of the "outside" Internet hack jobs are not seeking financial gain at this point; it is the "inside" jobs that have a greater percentage of financial opportunism behind them.
In addition to the perception that today's hacks are not highly sophisticated, you could say that many systems administrators are not sophisticated either. Many of the high-volume security incidents reported by CERT involve vulnerabilities for which the product vendor had issued advisories and fixes months, or even years, earlier.
Social engineering has been identified as an important element of security exploits. It can best be described as getting people to compromise their own systems by predicting how they will react to a given set of circumstances: knowing what your enemy is going to do before they do.
Increasingly, virus authors are not only writing elegant code but are spending more time on the human side of the equation, getting better at finding ways to exploit a user's trust. Social engineering has long been discussed in the hacker community. Talk to any experienced tiger team member (the ethical hackers hired to test corporate networks) and they will tell you that if the firewall is airtight, their best tool is to put on a suit and tie and walk right into the computer room.
Government is behind. The actions of many governments have not helped the cause of security. Legislators continually struggle with a rapidly moving technological target. The U.S. government's misguided encryption export policies have the effect of keeping strong encryption out of the hands of those who need it.
Beyond encryption policy in the U.S., a more global problem plagues all governments: the detection, apprehension and prosecution of cybercriminals. A cloak of anonymity, and attacks that can be conducted from offshore locations, make gathering evidence and identifying perpetrators difficult. Only a very small percentage of the criminal cases referred to the Department of Justice are successfully prosecuted. The newness of the field raises questions of admissibility of evidence, jurisdictional issues and a host of other problems. The result is that a low probability of conviction has emboldened criminals to take their pursuits online.
When surveying governments' own security practices, it is clear from the hacks against government Web sites, including the White House Web site, and from the fiasco within the Department of Energy, that the security measures being taken by the government are uneven and in some cases inadequate.
In our next newsletter, we will bring you the second part of this series. I will look at some of the future trends of products and cyberattackers.
RELATED LINKS
Antivirus software vendors raise red flag on new versions of ExploreZip and Melissa
Network World, 12/01/99.
Denial of service and the worm
Network World, 06/28/99.
Vendors offer fixes for Worm.ExploreZip
Network World, 06/14/99.
