21st century security
EVEN BEFORE TERRORISM REARED ITS ugly head in the United States in September, security was a hot topic. After all, the past year has seen a number of high-profile epidemics and attacks on computer systems. But now the potential threat of cyberterrorism has made security concerns of paramount importance to organizations of all sizes.
Let's review some of the recent lowlights in the world of security breaches:
* The Nimda computer worm emerged exactly one week after the Sept. 11 terrorist attacks on the World Trade Center in New York and the Pentagon in Washington. Nimda infected about 100,000 computers worldwide, 80,000 of those in North America.
* In July, in a matter of hours and without any user involvement, the Code Red worm managed to infiltrate and commandeer more than 300,000 Windows NT and 2000 desktops and servers across the planet, eventually launching an unsuccessful attack on the White House Web site. While the White House was spared, Code Red left slow-performing and defaced Web sites and crashed routers in its wake, costing untold millions of dollars in lost productivity. If not for some lucky flaws in its implementation and prior knowledge of its target vulnerability, the damage could have been much worse. Subsequent versions supposedly created back doors into thousands of systems, with the possibility of further damage in the future.
* Microsoft admitted in June that its own network had been infiltrated for weeks.
* In May, there was a successful distributed denial-of-service (DDoS) attack on the Computer Emergency Response Team (CERT) Coordination Center at Carnegie Mellon University in Pittsburgh, one of the foremost centers of security expertise in the U.S.
* Several high-profile Web sites, including eBay and Yahoo!, were brought to a virtual halt for hours in February by the same type of simple but treacherous DDoS aimed at the White House.
* In December 2000, online computer retailer Egghead.com's site was breached, resulting in the possible loss of thousands of credit card numbers.
These high-profile attacks illustrate the harsh reality of 21st-century Internet security: Nobody is safe, not even technology-savvy organizations such as CERT and Microsoft. In fact, a recent research report from the Ernst & Young Computer Security Institute found that 62 percent of the companies it surveyed experienced a security breach in the prior 12 months. Thirty percent of those breached networks had firewalls in place. The average cost to each company was $650,000. Another recent Computer Security Institute study conducted with the Federal Bureau of Investigation found that 90 percent of its respondents reported security breaches in a one-year period, with 74 percent suffering financial losses, for a total cost of $265 billion.
Code Red illustrates other security realities as well: New types of ever more sophisticated attacks are occurring with increasing frequency. Worms such as Code Red are particularly treacherous because existing security solutions can't easily stop them.
"Code Red is a new breed of attack mechanism," says Marty Lindner, team leader for incident handling at CERT. "It made it through most firewalls as a well-formed Web request. Unlike viruses, it doesn't need a human being to propagate. And the original version was memory resident; if the system rebooted, all traces were gone. Such a mechanism is extremely difficult for existing antivirus packages to detect. Some scan system memory, but most look at the disk. And scanning memory impacts the performance of the machine in question."
Another sobering reality: While the attacks are sophisticated, they often don't require much sophistication on the part of the perpetrator, as easy-to-use tools for launching most attacks are easily available on the Web. Widespread knowledge of a particular vulnerability doesn't necessarily protect anyone from it; the operating-system patches that would have prevented systems from being compromised by Code Red were long since available, but so many software patches are released each week, system administrators don't have the resources to keep up with them.
"Everyone had a heads up that the second wave of Code Red was coming. Still, most companies did not apply the patch," says Dave King, director of business development for Cisco's virtual private network (VPN) and security business unit.
And no one company has complete control over its own security. Instead, each is increasingly dependent on the security provisions implemented by thousands of other companies it doesn't know. For example, Code Red relied on an unrepaired weakness called a "buffer overflow" in thousands of widely scattered machines running Microsoft's Internet Information Server to launch its attack on the White House.
"Historically, most people felt that if they didn't patch their systems, they wouldn't be affected because their company wasn't targeted," says Christopher W. Klaus, founder and CTO of Internet Security Systems Inc. "But Code Red was a wake-up call. Almost every Web server had been tested for a hole by the Code Red worm. Automated attacks like Code Red will take advantage of any system, regardless of whose network it's on."
The Disappearing Perimeter
But perhaps the biggest security challenge businesses face today is the disappearing perimeter. In 1996 and 1997, when the Internet was just beginning to catch fire in the commercial world, there was a notion of the trusted and untrusted network. Even then, everyone knew these terms were a bit bogus, since for many companies, most security breaches occurred internally. But at that time, there was a clear perimeter between what was perceived as the anarchic, hacker-ridden Internet and the carefully controlled internal network. No more.
"The perimeter is impossible to define," says Randy Sandone, CEO and founder of Argus Systems Group Inc., which makes PitBull, a new type of security solution called a trusted operating system. "Today, you have telecommuters, wireless devices, and other ways to access services. And as services get better and more interesting, the resulting security problems will only get worse."
Wireless access, telecommuting, and corporate extranets are the three primary culprits behind the disappearing perimeter. More and more companies are taking advantage of wireless services that allow mobile users direct access to corporate applications remotely from their cell phones and personal digital assistants. While wireless standards such as the Wireless Application Protocol (WAP) offer some security, it is rudimentary at best and limited by the small amount of memory, processing power, and storage these devices possess. Wireless LANs, perhaps the hottest networking technology of 2000, by default have no security enabled whatsoever. Most network administrators don't even bother with the few user-authentication and encryption features they offer, despite the fact that most wireless LANs are gateways into their cabled corporate LANs, because those features are usually too cumbersome to configure on large numbers of user machines. The result? Anyone with a notebook and a standard wireless LAN card can access the corporate network behind the firewall while sitting on the floor above, in an office across the street, or in a car driving by or parked in the lot. In fact, such infiltrations have become a favorite pastime of large numbers of college students. And the 40-bit Wired Equivalent Privacy (WEP) encryption offered by these devices has been cracked so many times that it is practically a joke.
"The trouble with wireless security is that most people don't think about it," Klaus says. "They say `let's just get wireless working and move on to the next project.' The security folks are usually called in on the final rounds of the average wireless project, and they often don't know how to deal with wireless security." ISS offers intrusion-detection (ID) and security scanning products and services that can detect security weaknesses in network setups, including wireless LANs, and alert IS managers when intrusions occur.
Mobile users and telecommuters with broadband connections are another culprit behind the disappearing perimeter. Home cable-modem connections are shared within neighborhoods; cable and Digital Subscriber Line (DSL) connections are always on; and unlike dial-up connections, they usually have a permanent IP address, creating an easy avenue of attack when the proper security isn't implemented. Thousands of telecommuters then use these unprotected machines to connect to the corporate network remotely over a remote-access connection or a VPN connection over the Internet, giving any breach of their machines a direct route through corporate firewalls.
In fact, it doesn't even take a remote connection. "You give an employee a laptop," Lindner says. "He takes it home and plugs it into his cable modem or DSL service. The next morning, he comes into work and plugs into the corporate network. From the point of view of the IT manager, you just allowed a machine on the untrusted network to plug directly into the trusted network."
Finally, companies are increasingly using the Internet to create extranets that link their systems to those of their corporate suppliers, allowing them to streamline business processes and adjust inventory in precise increments. In doing so, they are effectively extending their perimeters to encompass their partners' and suppliers' networks and possibly those folks' partners and suppliers. Bold new service initiatives, such as Microsoft.Net, aim to make these connections as common as marketing Web sites are today.
"Extranet applications, such as supply-chain management and procurement, are all about providing those users with access to your applications, and that's part and parcel of the destruction of the perimeter," Sandone says. "You can no longer define insiders and outsiders."
The Answer: In-Depth Security
As more and more companies wake up to the realities of network security, they are realizing that security has to be implemented in depth, with multiple layers of protection that start with typical perimeter protection, such as firewalls and ID, and move deeper into the network to directly protect sensitive departments, servers, applications, and even user PCs and notebooks. Unfortunately, this kind of security requires funding, manpower, and a commitment from higher-ups that hasn't been there until now.
"Security was not considered a serious problem by many companies until fairly recently," Sandone says. "They felt that their servers would be sitting in a protected space and that only authorized users would have access to them."
Lindner agrees. "I don't think today's security problems are the fault of IT managers," he says. "Most of them know right from wrong. It's more companies that are only now beginning to realize they have to give security the proper time and resources."
Adds Klaus: "We used to deal primarily with network administrators, but lately we're being brought into the board level of lots of companies to educate them. They realized that they are now being scrutinized by their shareholders and held responsible for security problems."
Many companies are also realizing that they are missing the boat by not having a clearly defined and practical security policy. "The biggest challenge companies must deal with is putting together clear and workable security policies," Lindner says. "You must decide exactly what is acceptable and get the rules written down so your people know what the rules and risks are. If you don't do that and your staff doesn't understand and enforce the rules, no firewall is going to protect you."
The proper process for policy creation involves coordination among IT managers and senior executives, business managers, and other key employees affected by these policies. Lindner further emphasizes the need to configure user systems according to your policies. "If the IT manager doesn't want notebook-- users to plug into a cable modem at home, he can configure their systems so they can't do it," he says.
In-depth security includes a number of tools, such as firewalls, VPNs, intrusion-detection devices and software, user-authentication solutions, corporate antivirus software, and a newer up-and-coming category called the trusted operating system. Firewalls provide a basic defense, but most companies should assume the firewall can and will be breached.
"Firewalls are designed as blocking devices and are based on port numbers and addresses," Klaus says. "They don't take into account threats embedded in a file. And you have to open firewalls to provide Web services, which provides an avenue for an embedded attack."
Lindner also notes that firewalls are essentially software that can have its own vulnerabilities to attack. "It doesn't matter what your policies and procedures are," he says. "If your firewall has a vulnerability, you have to patch it just as you do with any software in order to protect yourself." In fact, Lindner goes so far as to recommend the use of two separate firewall products from separate vendors to implement the same policy, so that if one is compromised, the second will be unlikely to have the same vulnerability.
Another problem with firewalls is that they are frequently configured incorrectly. "In stateful firewalling, a simple feature called ingress filtering can help to eliminate the propagation of worms like Code Red," says Leslie Stem, senior product marketing manager at Check Point Software Technologies Ltd.
Despite their faults, firewalls are still seen as the essential perimeter defense, and they are increasingly used at numerous entry points into the network, including gateways from wireless LANs to the wired LAN and even internally in front of portions of the network in which sensitive financial, human resources, and other data are stored. In fact, personal firewalls have made it all the way down to the desktop and notebook level and are used in conjunction with antivirus software to protect these machines from attacks that come across their Internet connections.
"Personal firewalls are increasingly being used as a corporate defense," Klaus says. "More and more companies are calling us and saying they want protection down to the desktop."
Check Point Software Technologies and ISS offer personal firewalls that can be centrally managed by IT, along with their other multiple security solutions. In fact, with security's increasing complexity, central management is a must. The upcoming Windows XP will include an Internet connection firewall.
ID products use attack signatures-behavior that matches the pattern of a known attack-much like antivirus software to detect known types of network intrusions. As with firewalls, many companies are now using ID both at the perimeter and in front of sensitive departmental networks to catch the types of intrusions that firewalls miss. Host-based ID can even sit on the same server as a particularly sensitive application to detect suspicious behavior. Newer ID products from Entercept Security Technologies and ISS go beyond attack signatures and rely on protocol analysis.
"If you understand how a certain network protocol works, you can determine if any variation in that protocol may be an attack," Klaus says. Similar products called security scanners can scan your network for holes and report on vulnerabilities.
The problem with ID is the large number of alerts it can generate. In many cases only a small percentage may be actual attacks, so this solution requires constant monitoring.
"As a principal security tool, I don't think ID is worth a bang," Sandone says. "It's very expensive, reactive security. It can't deal with lots of the attacks that happen these days; it can't deal with sites that use [Secure Sockets Layer (SSL)] encryption, and it generates too many false positives. You have to monitor it 24x7 for the rest of your life. If you want to use it to gather information and fill up logs that you examine at your leisure, fine."
The need for continuous monitoring is the principal reason why managed security providers (MSPs) are being used increasingly by small- and medium-size companies that can't afford the staff and time for constant monitoring. The better providers have the staff expertise and the manpower to monitor several networks from their operations centers and either alert users or deal with intrusions as they occur. For example, The Merchants Bank of New York contracted with ISS to monitor its network security.
"There is this comfort factor knowing we don't have to monitor the network ourselves because someone else is doing it," says Debra Lott, The Merchants Bank's data-security administrator. "When I am at home or asleep, our Internet is being watched and protected. If there's a problem, they alert us."
Like these other security methods, VPNs are also moving into internal company networks. VPNs are typically used to create encrypted tunnels across the Internet, in order to provide inexpensive remote access for mobile users and site-to-site network connections. Today, VPNs are being used to add another layer of protection to wireless LAN connections and to provide encrypted tunnels directly to sensitive internal corporate applications as well. They are often combined with user-authentication technologies, such as smart cards, biometrics, and public key infrastructure (PKI), which provide much more bulletproof security than easily abused password protection.
Companies are paying much more attention to protecting their applications directly, which requires staying up to date with patches and hardening operating systems, a process that deactivates and often removes unneeded services from the system. The more active services there are, the more targets for attacks. Internally built custom applications can also be security sore spots, as they are frequently created by programmers with little knowledge of security-conscious programming practices and techniques, so it often makes sense to bring security consultants in to analyze them for holes. Increasingly, software vendors are providing automated systems for downloading and installing patches over the Internet.
Finally, an up-and-coming security solution called "the trusted operating system" is gathering steam in response to a National Security Agency study that cited trusted OS's as essential to effective security. Argus Systems' PitBull is one of the key players here, though Hewlett-Packard also has a product called the Virtualvault, and Sun has come out with something resembling a trusted version of Solaris.
"PitBull is a kernel loadable software program that becomes part of the OS," Sandone says. "It contains each application in its own environment so the hacker can't use it to get to another application or application's data. If an application spawns a process that tries to execute something or access data that it's not supposed to, it won't be able to do it."
PitBull can run on all versions of Unix, including Linux, but is not yet available for Windows OS's. Although PitBull can't replace software patches, Sandone claims that it can prevent many attacks before there is even a patch for them or before you install the patch. One interesting user of PitBull is the Baha'i International Community, which claims to be the second most geographically widespread religion in the world. The Baha'i needed the best security it could get, since its members are often the targets of persecution and even execution in several countries.
"We're firm believers in defense in depth," says Thane Terrill, the Baha'i's network administrator. "When you're on the Internet, everyone you don't like is right next door. Firewalls don't give you the right protection if you have publicly accessible services. The key to a trusted operating system is it lets you assume that your applications are never secure. The key was to make sure the operating system wouldn't do what hackers wanted it to do once they broke in."
So 21st-century security is a constantly moving target. As new solutions are found and new types of Internet services are discovered and take off, new attackers and more sophisticated attacks are inevitable. Increasingly, security is becoming a key component of corporate infrastructure and will undoubtedly increase in depth as the threats multiply and become more dangerous.
Security Starts at Home
BY JAMES KARNEY
SECURITY IS THE GAME OF KEEPING SECRETS AND AVOIDING SURPRISES. Threats can come from hackers, thieves, and disgruntled employees, all of whom play to win. For most businesses of any size, it isn't a matter of if but when a crook or malicious intruder will make a play that can cost your company thousands of dollars as well as producing an embarrassing loss of confidence and privacy. Having confidential business information and proprietary data posted on the Internet, or becoming the starting point for major customer fraud, is a constant risk in the Internet Age. To succeed, a security plan must keep ahead of would-be intruders, and managers must constantly improve plans and learn from the mistakes of others.
Most companies tend to keep any breach of their computer systems from customers and competitors alike; in many cases, contacting law-enforcement authorities isn't even advised. While that may make business sense and preserve reputations, it makes it hard to obtain case studies offering real-world insights into the range of threats and weaknesses. The limited number of high-priced professionals and the rarified world of computer forensics make it hard to staff a complete in-house solution. As a result, many firms outsource at least some security tasks to experts.
One experienced hand willing to talk, without naming names, is Don Walker, the former CIO of USAA, a worldwide insurance and diversified financial services company, primarily for military personnel. Today, he is the president and CEO of Veritect, a computer-security service company.
"At USAA, we were looking for an integrated solution and couldn't find a cost-effective way to provide a 24x7 solution," he says. For many firms, teaming with a service company is the way to provide a mix of target hardening techniques, coupled with intrusion-response policies that reduce risks and contain damage when a problem arises.
The problem and the solution are both human and technical in nature. "A lot of people think of security as an external threat, while in reality, employees are in a better position to do real damage," Walker says.
Knowing who has access to critical data and making sure users take proper precautions to safeguard their files and workstations are basic steps all businesses should take. It is vitally important for financial, legal, and healthcare operations. Important positions should be filled by people who have undergone thorough background checks.
Proper planning is key. A business plan that details both policy and methods should be in place. Any components that can't be handled in-house must be farmed out. It is imperative that you practice for disaster before it strikes. Access logs, roll-back plans, and action plans with options need to be tested for holes and refined.
Most attacks aren't a frontal assault, and perpetrators usually first probe for weaknesses. Just as with burglary, a soft target is a more likely mark. Proper monitoring can often pinpoint a problem before the system is compromised. You can test your defenses with penetration drills and see just how far the "aggressor team" gets before the alarm sounds.
Solid forensics ability is part of a complete plan, allowing you to not only recognize an intrusion but also preserve the trail and collect evidence and determine damage. Business alliances and mergers complicate the issue.
"Many times, a company on the market will improve the bottom line at the expense of good security practices," Walker says. "They may tout a list of best practices that are no longer in place." He recommends having a third party come in to vet the newly acquired systems before they are added to the corporate domain.
There is no way to predict the time or the nature of a breach, so there is no pat response. You may want to close the door right away to limit damage, but it might be better to watch the situation develop and try to apprehend the culprit. The action team has to include MIS and security experts as well as executive decision- makers and probably lawyers.
"The proper course of action will depend on what damage was done and who the intruder is," Walker says. "You have to decide just how aggressive to be and if you want law enforcement involved."
If it is a hacker out for fun, an active approach lets him know you are watching, and that may be enough to stop the problem. If it is a competitor with deep pockets, developing a full-blown criminal and civil case might be worth the effort.
"A full-blown case can take up two to three weeks to wrap up, depending on the amount of data involved," Walker says. That can mean two or three experts, billing at $400 to $500 an hour. The level of effort can be reduced if a proper plan is in place and a company is monitoring the right things.
"The bad guys are very clever, and it can involve foreign nations, as well as crossing state boundaries," Walker says. Many firms keep security pros on retainer and private investigators with law-enforcement backgrounds on call.
There is no one-size-fits-all solution, and the bad guys are always looking for new ways to open the back door or fake their way in the front. Smart managers make sure they have performed due diligence and that their staff has the resources and the will to man the gates.
Contributing writer James Karney can be reached at firstname.lastname@example.org.
PKI Promises Security and Solid Identification
BUT DOES IT REALLY OFFER THE KEYS TO THE KINGDOM?
FOR ALL ITS BENEFITS, THE INTERNET'S EASY ACCESS AND anonymity make the online world a very scary place when transmitting funds, proprietary information, or other sensitive data. Adding a few zeros to a purchase order that is then paid to an offshore account, and outright electronic theft, are just a couple of the perils of e-commerce and online communications. To feel safe with our transactions, we need to be sure of a file's author, and that the data arrive exactly as sent. In addition, we need to prevent interception by eavesdroppers and impostors, as well as ensure that only the right people can read it at the final destination. Like governments and spies, Internet denizens are turning to sophisticated codes and passwords for safety, often without knowing it.
The most popular approach to protecting sensitive data and validating authors is public/private key cryptography, also known as asymmetric key technology or public key infrastructure (PKI). While replete with challenges, limitations, and detractors, many experts claim PKI is the best available solution for broad-scale management of secure communications.
The vast majority of PKI communications use the RSA public-key cryptosystem invented in 1977 by three MIT professors: Ron Rivest, Adi Shamir, and Len Adleman. They took their patent to the private sector and formed what is now RSA Security Inc. The RSA system uses paired software keys, one public and one private, along with a series of proprietary encoding algorithms to provide digital signatures, encode data transmissions, and verify data integrity. (See the Internet World interview with RSA Security's president and CEO Arthur W. Coviello on p. 341.)
The basic concept is simple. All data sent using a PKI system are encrypted. A single private key is assigned to a specific entity and kept only by its owner. One or more matched public keys are distributed to the intended recipients. The originating key becomes part of the file. A one-way data hash, initiated and linked to one of the keys, encodes all communications. The other key must be used by the recipient to unscramble the file. The actual use of keys can be a software function that takes place in the background, subject to identity verification by the system.
Use a private key to encode a transmission, and you can confirm the author, since only that person should have access to the key. Use the public key, and only the intended recipient can open the transmission with the private key, reducing the risk of eavesdroppers. Altering even a single bit will flag the document as altered, thwarting tampering. Such a system can also be used as a digital signature, since you can verify the owner of the key as the author. A public key can also be used to create a digital signature, as long as an issuing agency can authenticate the user's identity with a "public" key used only to obtain a certificate that is then used to validate a specific document.
Not a Perfect Solution
PKI systems have two basic weaknesses: the strength of the hashing algorithms and the integrity of the keys. No code is foolproof, especially in the computer age. Because there are two types of keys, it is easier to hack a PKI system than one with paired private keys. Generally, a PKI cipher has to use at least a 512-bit key to achieve the level of security of a 64-bit symmetric code.
If a private key falls into the wrong hands, the entire related document library is compromised, and it becomes impossible to verify authenticity. To provide accurate digital signatures, the issuance of a public key/certificate as a digital signature must be verifiable and its ownership protected.
A large part of the word "infrastructure" in PKI is in the real world: the work that must be done to validate the identity of certificate holders and their link to the appropriate keys. Keys are certified by one or more issuing authorities (a certificate authority, or CA) that validate the identity of a key owner. The CA database must be kept current and free from compromise. Bogus certificates offer a pathway to fraud just as surely as a stolen private key.
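The signing, sealing and tamper-detection flows described above, together with the CA's role in vouching for a key, worked through as an added example (not code from the article, RSA Security or VeriSign). The parties, the purchase-order document, the session key and the Mersenne-prime toy keys are all constructed, and textbook RSA without padding is used only to make the mechanics visible.

```python
"""Toy walk-through of the key-pair mechanics and the certificate-authority role
described above. Added example, not code from the article or from RSA Security
or VeriSign. Textbook RSA over Mersenne primes with no padding: it illustrates
the ideas and is not fit for real use."""
import hashlib
from dataclasses import dataclass

PUBLIC_EXPONENT = 65537  # the usual choice of e; coprime to every phi used below


@dataclass(frozen=True)
class KeyPair:
    n: int  # modulus, common to both halves of the pair
    e: int  # public exponent, distributed to correspondents
    d: int  # private exponent, kept only by the owner (0 in a public half)


def make_keypair(p: int, q: int, e: int = PUBLIC_EXPONENT) -> KeyPair:
    """Derive a pair from two primes; d is the inverse of e modulo (p-1)(q-1)."""
    phi = (p - 1) * (q - 1)
    return KeyPair(n=p * q, e=e, d=pow(e, -1, phi))  # pow(x, -1, m) needs Python 3.8+

def public_half(key: KeyPair) -> KeyPair:
    """What is actually handed out: the modulus and e, with d blanked."""
    return KeyPair(n=key.n, e=key.e, d=0)

def digest(data: bytes, modulus: int) -> int:
    """One-way hash of the data, reduced to fit under the modulus (toy shortcut)."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % modulus

def sign(message: bytes, signer: KeyPair) -> int:
    """The author encodes the hash with the PRIVATE key; only the owner can do this."""
    return pow(digest(message, signer.n), signer.d, signer.n)

def verify(message: bytes, signature: int, signer_pub: KeyPair) -> bool:
    """Anyone holding the PUBLIC half recomputes the hash and compares."""
    return pow(signature, signer_pub.e, signer_pub.n) == digest(message, signer_pub.n)

def encrypt_to(recipient_pub: KeyPair, secret: int) -> int:
    """Sender encodes with the recipient's PUBLIC key; only the private key opens it."""
    if not 0 < secret < recipient_pub.n:
        raise ValueError("secret must be a positive integer below the modulus")
    return pow(secret, recipient_pub.e, recipient_pub.n)

def decrypt(owner: KeyPair, ciphertext: int) -> int:
    return pow(ciphertext, owner.d, owner.n)

def certificate_bytes(name: str, subject_pub: KeyPair) -> bytes:
    """The 'infrastructure' part: the binding of a checked identity to a public key."""
    return f"{name}|{subject_pub.n}|{subject_pub.e}".encode()

def issue_certificate(ca: KeyPair, name: str, subject_pub: KeyPair) -> int:
    """The CA signs the binding after it has verified who the key holder is."""
    return sign(certificate_bytes(name, subject_pub), ca)

def trust_key(ca_pub: KeyPair, name: str, claimed_pub: KeyPair, cert: int) -> bool:
    """A relying party accepts a key only if the CA's signature over the binding checks out."""
    return verify(certificate_bytes(name, claimed_pub), cert, ca_pub)

def flip_bit(data: bytes, bit_index: int) -> bytes:
    """Alter a single bit so the signature check should then fail."""
    out = bytearray(data)
    out[bit_index // 8] ^= 1 << (bit_index % 8)
    return bytes(out)

def demo() -> dict:
    """Run the flows the article describes and report each outcome."""
    # Constructed parties built from Mersenne primes 2**k - 1; real keys never
    # share primes and are far larger than these 150- to 230-bit toy moduli.
    alice = make_keypair((1 << 61) - 1, (1 << 89) - 1)    # the author
    bob = make_keypair((1 << 107) - 1, (1 << 127) - 1)    # the recipient
    ca = make_keypair((1 << 89) - 1, (1 << 127) - 1)      # the certificate authority
    eve = make_keypair((1 << 61) - 1, (1 << 107) - 1)     # an eavesdropper / impostor

    order = b"Purchase order 4411: 100 units at $250.00"   # constructed document
    sig = sign(order, alice)
    tampered = flip_bit(order, 8 * order.index(b"2"))      # low bit of '2': $250 -> $350
    results = {
        "signature_verifies": verify(order, sig, public_half(alice)),
        "flipped_bit_detected": not verify(tampered, sig, public_half(alice)),
        "impostor_cannot_forge": not verify(order, sign(order, eve), public_half(alice)),
    }
    session_key = int.from_bytes(b"constructed-key1", "big")  # constructed 128-bit secret
    sealed = encrypt_to(public_half(bob), session_key)
    results["recipient_opens"] = decrypt(bob, sealed) == session_key
    results["eavesdropper_locked_out"] = decrypt(eve, sealed) != session_key
    cert = issue_certificate(ca, "Alice", public_half(alice))
    results["ca_vouches_for_alice"] = trust_key(public_half(ca), "Alice", public_half(alice), cert)
    results["bogus_binding_rejected"] = not trust_key(public_half(ca), "Alice", public_half(eve), cert)
    return results


if __name__ == "__main__":
    for check, ok in demo().items():
        print(f"{check:26s} {'OK' if ok else 'FAIL'}")
```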
There is no such thing as a totally secure code, as the combatants in World War II found out, to the dismay of the Axis powers. A PKI message itself is open to hacking, so basic data security is still a wise addition to a total plan. A code system is a defensive tactic, and any defense is open to a concerted attack. Security systems are designed to harden a target and make the level of effort needed to defeat it greater than the ability of the potential threat.
Help Is Available
Over the past few months, pundits have varied between touting the benefits of PKI and predicting its demise. The truth is in between. Most companies don't have the in-house expertise to develop a PKI system and maintain a CA infrastructure. Even if they did, business partners might feel more comfortable with a third-party guarantee that everything in the system was in order. As a result, many firms are turning to contractors to handle the task.
Hiring vendors to produce custom turnkey solutions is one approach, but the costs are high, lead times can be long, and the customer is often still required to manage the certificates and take over the day-to-day operation of the PKI on completion. Another method is to farm out the process to a service provider such as VeriSign, a spin-off of RSA Security. The company has created a business model that allows consumers to obtain a digital-signature certificate over the Internet for $14.95 and a commercial plan that provides enterprisewide industrial-strength security for corporate clients.
"We took a different spin on PKI," says John Witcox, product marketing manager of VeriSign's enterprise service group. "We don't charge for integration features but price on a per-user model."
For example, if a company wants to enable PKI on its Exchange server for 5,000 employees, it purchases a 5,000-user package, and all the integration support is free. The company gets support for Lotus Notes, browsers, and VPNs from Nortel and Cisco, all as part of a single bundle. The firm limits turnkey support to common applications, allowing rapid deployment with minimal installation requirements.
Not all of the PKI solution is software-related, and trust plays a major role in its acceptance. The user of a key can be required to use a smart card, password, or even present a thumbprint and traditional ID to obtain access. After verification, a single key can be used to handle multiple parts of a transaction. For example, a purchase agent can cut a purchase order, verify the shipment's arrival and its proper contents, and then authorize payments from a third-party account.
Special root keys can be employed to grant access to the inner workings of the system, and often two or more keyholders must verify critical access or changes to the infrastructure. VeriSign also records the issuance of private keys on audio and video tape, has it notarized, and audits it annually.
PKI technology isn't a perfect solution; there never will be one. But with rigorous auditing it does provide a reasonable level of safety for secure online transactions. The latest editions of the popular e-mail and business applications offer direct PKI support to limit the transmission of malicious attachments and verify the identity of a sender. That alone ensures a future for the technology. The ever-present danger of online fraud guarantees its growth and evolution.
Argus Systems Group Inc.; Savoy, III.; 217-355-6308; www.argus-systems.com
Check Point Software Technologies Ltd.; Ramat Gan, Israel; 972-3-753-4555; www.checkpoint.com
©Copyright 2001, Internet World