18 May 2000
(Says Internet vulnerable to sabotage)

(Following is an article published May 18 in the Economic Perspectives journal of the U.S. State Department. No restrictions on republication. The complete journal can be found at http://usinfo.state.gov/journals/ites/0500/ijee/ijee0500.htm)

The Vulnerability of the Internet

By Stephen E. Cross

(The author is the director of the Software Engineering Institute.)

Vulnerabilities associated with the Internet put government, the military, commerce, and individual users at risk.

The Internet is a complex, dynamic world of interconnected networks with no clear boundaries and no central control. Because the Internet was not originally designed with security in mind, it is difficult to ensure the integrity, availability, and privacy of information. This is important because use of the Internet is replacing other forms of electronic communication, and the Internet itself is growing at an amazing rate. Concurrent with the growth of the Internet, intruder tools are becoming increasingly sophisticated and also becoming increasingly easy to use and widely available. For the first time, intruders are developing techniques to harness the power of hundreds of thousands of vulnerable systems on the Internet.

Here are just a few examples of security breaches that have been reported in the press. In addition to these examples, the CERT/CC handles reports of breaches at e-commerce sites daily.

-- An attacker obtained 100,000 credit card numbers from the records of a dozen retailers selling their products through Web sites. The credit cards had limits between $2,000 and $25,000, putting the potential cost of theft at $1,000 million. The attacker was caught when he tried to sell the card numbers to an apparent organized-crime ring that turned out to be the Federal Bureau of Investigation.

-- Intruders gained unauthorized access to proprietary information on the computer network of a major U.S. corporation. The company was not able to identify the techniques used by the intruders. The company shut down its Internet connection for 72 hours as a precaution, denying access to legitimate users and cutting customers off from information that the company normally makes available through the Internet.

-- In a case of cyber-extortion, an intruder stole 300,000 credit card numbers from an online music retailer. The intruder, who described himself as a 19-year-old from Russia, sent an e-mail to the New York Times bragging he had accessed the company's financial data through a flaw in its software. The intruder later used the card numbers in an attempt to blackmail the retailer into paying $100,000 in exchange for destroying the sensitive files. When the company refused to comply, the intruder released thousands of the credit card numbers onto the Internet in what turned out to be a public relations disaster for the company. Security experts still do not know how the site was compromised or the full extent of how the break-in affected the site's customers. Credit card companies responded by canceling and replacing the stolen card numbers and notifying affected cardholders by e-mail. E-commerce analysts say many similar attacks go unreported.

-- In March 2000, in the most serious systematic breach of security ever for British companies, a group of intruders based in the United Kingdom broke into the computer systems of at least 12 multinational companies and stole confidential files. The group issued ransom demands of up to $15.7 million in exchange for the return of the files. Scotland Yard and the FBI are investigating the break-ins and are scrutinizing e-mail traffic between England and Scotland. They believe the group is highly professional and may be working for information brokers specializing in corporate espionage.
It is obvious from these examples and the ongoing activity of the CERT/CC that there is much work to be done to secure our electronic networks adequately to meet the needs of the expanding e-commerce marketplace. However, measures can be taken to reduce the risk of security breaches that can be so devastating to businesses seeking to establish a foothold in the electronic marketplace.

ATTRACTIVENESS OF THE INTERNET TO ATTACKERS

Compared with other critical infrastructures, the Internet seems to be a virtual breeding ground for attackers. Although some attacks seem playful (for example, students experimenting with the capability of the network) and some are clearly malicious, all have the potential of doing damage by denying the ability to transact business on the Internet.

Attacks enable intruders to gain privileged access to a system so that it effectively belongs to them. With their unauthorized privileges, they can, for example, use the system as a launch platform for attacks on other sites or as one node in an attack using distributed-system intruder tools, which allow intruders to involve a large number of sites simultaneously, focusing all of them to attack one or more victim hosts or networks. Still other attacks are designed to reveal sensitive information, such as passwords or trade secrets. Examples of specific attack strategies can be found in CERT advisories, published online by the CERT/CC at http://www.cert.org/.

Unfortunately, Internet attacks in general, and in particular denial-of-service attacks - attacks that prevent legitimate users of a service from using it - remain easy to accomplish, hard to trace, and of low risk to the attacker.

Internet attacks are easy because Internet users place unwarranted trust in the network. It is common for sites to be unaware of the amount of trust they actually place in the infrastructure of the Internet and its protocols.
Unfortunately, the Internet was originally designed for robustness from attacks or events that were external to the Internet infrastructure - that is, physical attacks against the underlying physical wires and computers that make up the system. The Internet was not designed to withstand internal attacks - attacks by people who are part of the network. And now that the Internet has grown to encompass so many sites, millions of users are effectively inside.

Internet attacks are easy in other ways. It is true that some attacks require technical knowledge - the equivalent to that of a college graduate who majored in computer science - but many successful attacks are carried out by technically unsophisticated intruders. Technically competent intruders duplicate, share, and package their programs and information into user-friendly form at little cost, thus enabling naive intruders to do the same damage as the experts.

THE DIFFICULTY OF TRACING INTERNET ATTACKS

Through the use of a technique known as "IP spoofing," attackers can lie about their identity and location on the network. Information on the Internet is transmitted in packets, each containing information about the origin and destination. A packet can be compared to a postcard - senders provide their return address, but they can lie about it. Most of the Internet is designed merely to forward packets one step closer to their destination, with no attempt to make a record of their source. There is not even a "postmark" to indicate generally where a packet originated.

It requires close cooperation among sites and up-to-date equipment to trace malicious packets during an attack. Moreover, the Internet is designed to allow packets to flow easily across geographical, administrative, and political boundaries.
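The forwarding model described above, as an added example that is not part of the article: a destination-only forwarder that never consults or records the packet's return address, beside the ingress check (RFC 2827 ingress filtering, a mitigation the article does not mention) that a site's edge router can apply so it refuses packets whose claimed source cannot belong to the network they arrived from. Interfaces, prefixes and packets are constructed for the demonstration.

```python
import ipaddress
from dataclasses import dataclass


@dataclass
class Packet:
    src: str  # the "return address" on the postcard; nothing on the path verifies it
    dst: str


# Constructed forwarding table: destination prefix -> outgoing interface.
ROUTES = {"10.0.0.0/8": "if0", "192.0.2.0/24": "if1", "0.0.0.0/0": "upstream"}

# Constructed ingress policy (assumption): the only source prefixes a site
# legitimately expects to see arriving on each of its customer-facing interfaces.
EXPECTED_SRC = {"if1": ["192.0.2.0/24"]}


def forward(pkt, routes=ROUTES):
    """Destination-only forwarding: longest matching prefix for pkt.dst.
    The source address is never consulted and no record of it is kept,
    which is exactly why a forged source is not caught in transit."""
    dst = ipaddress.ip_address(pkt.dst)
    best = max(
        (ipaddress.ip_network(p) for p in routes if dst in ipaddress.ip_network(p)),
        key=lambda n: n.prefixlen,
    )
    return routes[str(best)]


def ingress_check(pkt, arrived_on, expected=EXPECTED_SRC):
    """Return True when pkt.src is plausible for the interface it arrived on.
    Interfaces without a policy are left unchecked, as on most of the Internet."""
    if arrived_on not in expected:
        return True
    src = ipaddress.ip_address(pkt.src)
    return any(src in ipaddress.ip_network(p) for p in expected[arrived_on])


def process(pkt, arrived_on):
    """Edge behaviour with ingress filtering: drop implausible sources, else forward."""
    if not ingress_check(pkt, arrived_on):
        return "dropped"
    return forward(pkt)
```

A packet claiming a source outside the customer's prefix is dropped at the edge where the policy is known; the same packet arriving on an unpoliced interface is forwarded without question, illustrating why the check has to be applied at the source network.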
Consequently, cooperation in tracing a single attack may involve multiple organizations and jurisdictions, most of which are not directly affected by the attack and may have little incentive to invest time and resources in the effort. The attacker enjoys the added safety of the need for international cooperation in order to trace the attack, compounded by impediments to legal investigations.

Because attacks against the Internet typically do not require the attacker to be physically present at the site of the attack, the risk of being identified is reduced.

In addition, it is not always clear when certain events should be cause for alarm. For example, what appear to be probes and unsuccessful attacks may actually be the legitimate activity of network managers checking the security of their systems. Even in cases where organizations monitor their systems for illegitimate activity, which occurs in only a small minority of Internet-connected sites, real break-ins often go undetected because it is difficult to identify illegitimate activity.

Furthermore, because intruders cross multiple geographical and legal domains, an additional cloud is thrown over the legal issues involved in pursuing and prosecuting them.

IMPACT OF SECURITY BREACHES

As illustrated by the examples cited at the beginning of this article, security breaches can cause a loss of time and resources as personnel investigate the compromise, determine potential damage, and restore the systems. The systems may provide reduced service or be unavailable for a period of time. Sensitive information can be exposed or altered, and public confidence can be lost.

After a successful computer system intrusion, it can be very difficult or impossible to determine precisely what subtle damage, if any, was left by the intruder. Loss of confidence can result even if an intruder leaves no damage because the site cannot prove none was left.
Particularly serious for business are denial-of-service attacks and the exposure of sensitive information. The goal of denial-of-service attacks is not to gain unauthorized access to machines or data, but to prevent legitimate users of a service from using it.

A denial-of-service attack can come in many forms. Attackers may "flood" a network with large volumes of data or deliberately consume a scarce or limited resource. They may also disrupt physical components of the network or manipulate data in transit, including encrypted data. Once an overt denial-of-service attack has been resolved and the service returned, users generally regain trust in the service they receive. But exposure of sensitive information makes an organization highly susceptible to a loss-of-confidence crisis.

RECOMMENDED SOLUTIONS

The problem is serious and complex, and a combination of approaches must be used to reduce the risks associated with the ever-increasing dependence on the Internet and the possibility of a sustained attack on it. Effective solutions require multidisciplinary cooperation that includes information sharing and joint development of comprehensive solutions, as well as support for a long-term research agenda.

-- Collect, Analyze and Disseminate Data on Information Assurance: The nature of threats to the Internet is changing rapidly and will continue to do so for the foreseeable future. The combination of rapidly changing technology, rapidly expanding use, and the continuously new and often unimagined uses of the Internet creates a volatile situation in which the nature of threats and vulnerabilities is difficult to assess and even more difficult to predict.
To help ensure the survivability of the Internet, and the information infrastructure as a whole, it is essential that law enforcement organizations and incident response teams continuously monitor cyber security threats and vulnerabilities and identify trends in intrusion activity, and make this information widely available throughout the Internet community.

-- Support the Growth and Use of Global Detection Mechanisms: One way to gain a global view of threats is to use the experience and expertise of incident response teams to identify new threats and vulnerabilities. The CERT/CC, for example, provides assistance to computer system administrators in the Internet community who report security problems. When a security breach occurs, staff members help the administrators of the affected sites to identify and correct the vulnerabilities that allowed the incident to occur; work with vendors to inform them of security deficiencies in their products, help them to develop workarounds and repairs for security vulnerabilities, and facilitate and track their responses to these problems; and coordinate the response with other sites affected by the same incident.

Because major reporting centers for computer security information, such as the CERT/CC, gather large amounts of data, they can identify trends and coordinate the development of solutions to newly developing problems.

Internet service providers, too, should develop security incident response teams and other security improvement services for their customers. Many network service providers are well positioned to offer security services to their clients. These services should include helping clients install and operate secure network connections as well as mechanisms to rapidly disseminate vulnerability information and corrections.
-- Support Education and Training to Raise the Level of Security: Most users of the Internet have no more understanding of the technology than they do of the engineering behind other infrastructures. Similarly, many system administrators lack adequate knowledge about the network and about security, even while the Internet is becoming increasingly complex and dynamic. To encourage "safe computing," governments should fund the development of educational material and programs about cyberspace for all users, both adults and children, and invest in awareness campaigns that stress the need for security training for system administrators, network managers, and chief information officers.

-- Support Research and Development: It is critical to maintain a long-term view and invest in research toward systems and operational techniques that yield networks capable of surviving attacks while protecting sensitive data. In doing so, it is essential to seek new, fundamental technological solutions and to seek proactive, preventive approaches, not just reactive, curative approaches.

CONCLUSION

The Internet has proven to be an engine that is driving a revolution in the way business is conducted. Because of the tremendous interconnectedness and interdependence among computer systems on the Internet, the security of each system on the Internet depends on the security of all other systems on the network. Cyber security efforts must focus on reporting and monitoring threats and vulnerabilities, education and training, and research and development.

____________________

The Software Engineering Institute (SEI), a federally funded research and development center at Carnegie Mellon University sponsored by the U.S. Department of Defense, is the home of the CERT(R) Coordination Center (CERT/CC; URL: http://www.cert.org). Since it was established in 1988, the CERT/CC has worked with the Internet community to respond to computer security events, raise awareness of computer security issues, provide training, and conduct research into technical approaches for identifying and preventing security breaches. CERT and CERT Coordination Center are registered in the U.S. Patent and Trademark Office.

(Distributed by the Office of International Information Programs, U.S. Department of State. Web site: http://usinfo.state.gov)