**********************************************************************
CIO Institute Bulletin On Computer Security
Vol. 2. No. 3.
Monday, March 8, 1999
Contents:
Major News Networks Provide Misleading Reports Of Hacker Threats
in Department of Defense Stories
Promising Practices:
* Identifying Vulnerabilities: Multi-source automated vulnerability
scanning
* Recruiting and Training Technical Security Professionals
* Equipping Technical Information Security Auditors
**********************************************************************
Major News Networks Provide Misleading Reports Of Hacker Threats in
Department of Defense Stories
In the past five days, major news networks featured lead stories about
cyberattacks against Department of Defense computers. In those stories,
reporters guessed what the Defense Department presented in classified
briefings before the US House of Representatives Military Research and
Development Subcommittee of the Committee on National Security. Some
networks reached back nearly six months for data, but the past half year
has seen two complete generations of attacks and attack tools. Viewers
who believe that the descriptions of attacks reported by the news networks
accurately reflect the state of the art should not be deceived.
Four of the five major networks covered the hearings. Some quoted the
subcommittee chairman (Rep. Curt Weldon of Pennsylvania) as saying either
"You can basically say we're at war" or "This is far more important than
any Year 2K problem" or "It's not a matter of whether America will have
an electronic Pearl Harbor, it's a matter of when".
Given that level of coverage and zeal, your CEO or agency head may well
ask you what you are doing about these new attacks. In this bulletin,
we will provide more timely information about the current status of the
scanning and attack tools and we'll describe initiatives organizations
are using to alleviate the problem. Our hope is that this combination
of information will make you better prepared to respond to questions
from your CEOs and to the real threats that exist.
The news networks reported that the DoD experienced up to 100 attacks
each day, including coordinated probes from multiple nations. One
network singled out Russia as the source for at least some of the attacks.
Another called the attack a coordinated assault through networks in
Canada, Norway, and Thailand.
Had the attacks occurred before mid-December, coordinated multi-national
attacks would have been a reasonable analysis. But beginning just before
Christmas, intrusion detection experts have reported widespread use of
a new version of a popular scanning tool which *simulates* coordinated
multi-national attacks using a very effective illusion.
This tool (called `nmap') can perform decoy scans using any selection
of TCP addresses desired by its operator. So, a person scanning you
from your own city can pretend to be a coordinated group of Russian,
Canadian, Norwegian, Israeli, French, and British hackers even though
he is using just one computer running nmap to find vulnerabilities on
your computer! Furthermore, it takes only 15 minutes to download nmap
and complete a scan -- this tool does *not* require one to be an expert
cracker.
Do not allow this information to lead you to think that there is nothing
to worry about; exactly the opposite is the case. This new generation
of tools can hide their activities in a barrage of what appears to be
multi-national attacks. Unfortunately, behind that barrage the tools
are far more malignant than their predecessors. They can spread out
their attacks to hide below your monitoring thresholds and are extremely
effective at identifying the types of computers you are running and the
potentially vulnerable services available on every one of those computers.
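The decoy technique described above leaves a signature a defender can look for: the real scanner and its decoys all probe the same target ports in lockstep, within the same second or two, which genuinely independent attackers from several countries would not do. The following Python is an added example written for this bulletin, not a tool from SANS, the Navy Shadow Team, or the nmap project; the log format (ISO timestamp, SRC=, DST=, DPT=) and the sample lines are constructed for illustration, and the thresholds are assumptions to tune for your own network.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed firewall log excerpt (hypothetical addresses, not real traffic).
# Three "sources" hit ports 21, 23, 25 and 80 on one host within two seconds,
# which is what a single scanner using decoys looks like from the target side.
# The last two lines are ordinary, unrelated connections.
SAMPLE_LOG = """\
1999-03-05T02:14:07 SRC=192.0.2.10 DST=198.51.100.5 DPT=21
1999-03-05T02:14:07 SRC=203.0.113.77 DST=198.51.100.5 DPT=21
1999-03-05T02:14:07 SRC=192.0.2.200 DST=198.51.100.5 DPT=21
1999-03-05T02:14:07 SRC=192.0.2.10 DST=198.51.100.5 DPT=23
1999-03-05T02:14:07 SRC=203.0.113.77 DST=198.51.100.5 DPT=23
1999-03-05T02:14:07 SRC=192.0.2.200 DST=198.51.100.5 DPT=23
1999-03-05T02:14:08 SRC=192.0.2.10 DST=198.51.100.5 DPT=25
1999-03-05T02:14:08 SRC=203.0.113.77 DST=198.51.100.5 DPT=25
1999-03-05T02:14:08 SRC=192.0.2.200 DST=198.51.100.5 DPT=25
1999-03-05T02:14:08 SRC=192.0.2.10 DST=198.51.100.5 DPT=80
1999-03-05T02:14:08 SRC=203.0.113.77 DST=198.51.100.5 DPT=80
1999-03-05T02:14:08 SRC=192.0.2.200 DST=198.51.100.5 DPT=80
1999-03-05T02:20:00 SRC=198.51.100.33 DST=198.51.100.5 DPT=80
1999-03-05T02:21:15 SRC=198.51.100.34 DST=198.51.100.5 DPT=25
"""

# Assumed log line layout: "<ISO timestamp> SRC=<ip> DST=<ip> DPT=<port>".
LOG_RE = re.compile(r"(\S+) SRC=(\S+) DST=(\S+) DPT=(\d+)")


def parse_events(lines):
    """Turn log lines into (time, src, dst, port) tuples sorted by time."""
    events = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # ignore lines that are not connection records
        ts, src, dst, port = m.groups()
        events.append((datetime.fromisoformat(ts), src, dst, int(port)))
    events.sort()
    return events


def find_decoy_clusters(lines, window_seconds=5, min_sources=3, min_ports=3):
    """Report groups of sources that probe the same ports on one host in lockstep.

    A group is flagged when, inside one time window, at least min_sources
    addresses each touch at least min_ports ports on the same destination and
    those port sets overlap in at least min_ports ports. The real scanner is
    one of the reported sources, but this check alone cannot say which.
    """
    window = timedelta(seconds=window_seconds)
    by_dst = defaultdict(list)
    for ev in parse_events(lines):
        by_dst[ev[2]].append(ev)

    clusters, seen = [], set()
    for dst, evs in by_dst.items():
        for i, (t0, _, _, _) in enumerate(evs):
            # Collect ports touched by each source in the window starting at t0.
            ports_by_src = defaultdict(set)
            for t, src, _, port in evs[i:]:
                if t - t0 > window:
                    break
                ports_by_src[src].add(port)
            scanners = {s: p for s, p in ports_by_src.items() if len(p) >= min_ports}
            if len(scanners) < min_sources:
                continue
            shared = set.intersection(*scanners.values())
            if len(shared) < min_ports:
                continue
            key = (dst, frozenset(scanners))
            if key in seen:
                continue  # same group already reported from an earlier window
            seen.add(key)
            clusters.append({
                "dst": dst,
                "sources": sorted(scanners),
                "shared_ports": sorted(shared),
                "first_seen": t0.isoformat(),
            })
    return clusters


if __name__ == "__main__":
    for c in find_decoy_clusters(SAMPLE_LOG.splitlines()):
        print(f"{c['first_seen']} {c['dst']}: {len(c['sources'])} sources "
              f"probed ports {c['shared_ports']} in lockstep: {c['sources']}")
```

The practical lesson for the analyst is to treat such a cluster as one event, not as several independent attackers, and to avoid blocking or reporting every listed address as hostile: all but one of them may belong to uninvolved third parties whose addresses were borrowed as decoys.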
By embedding these new tools in a perl script, sophisticated hackers
can automate the entire process of identifying your systems, finding
the ones that have services with known vulnerabilities, and exploiting
those vulnerabilities to gain root access -- all in seconds. Once root
access is gained, every file and every program on your servers is open
to being read or changed. As you'll hear when you listen to the web
broadcast in Resource (1) below, the state of the art may soon include
freely available automated scripts that are push-button tools for
automatically finding your vulnerabilities and taking control of your
machines. Military and commercial espionage has never been so easy.
Competitors inside or outside the country have little stopping them from
closing down an enemy's electronic commerce and other network-based
services.
**** Resource 1:
To get a thorough and somewhat technical picture of this new type
of attack and its impact, listen to the March 2nd Web Briefing by
the SANS Institute at
http://webevents.broadcast.com/edu/sans/hackers1999c/
The broadcast is archived so you may listen at any time. It will
ask you for a user name and password. Use sansinst as the user name
and secur3 as the password. You may also wish to ask the SANS
organization for announcements of upcoming briefings (send email to
[email protected] with the subject "Subscribe"; you'll get web
announcements and breaking security news). The next broadcast is
Tuesday, April 6 (currently running on the first Tuesday of each
month). These broadcasts are a rare source of up-to-date,
authoritative information in this fast-changing field.
**** Resource 2:
The original Navy Shadow Team report (from September 4, 1998)
referenced in some of the network news reports has been updated with
the words, "This document has largely been overtaken by new advances
in hacker technology." The revised report lists some of the new
technologies described in this CIO Bulletin but also includes the
original data describing early detection of multi-national attacks.
See http://www.nswc.navy.mil/ISSEC/CID/co-ordinated_analysis.txt
**********************************************************************
PROMISING PRACTICES
== The following sections provide detailed descriptions of practices
== used by leading-edge organizations to reduce the threat from network
== hackers.
The emergence of automated scanning and attack systems has forced
network-connected organizations to establish automated monitoring and auditing
procedures along with rapid system administration response capabilities
that appear to keep them ahead of the attackers. The most promising
practices we have seen so far are in very large banks, military
organizations, and advanced research laboratories. [Note: The CIO
Institute attributes Promising Practices to the organizations that first
demonstrated their effectiveness -- as, for example, in the Government
Technology Leadership Awards. In computer security, however,
organizations that gain public exposure as "effectively secured" quickly
become the targets for recreational hackers who want to prove that "those
companies are not as smart as they think they are." To avoid wasting
their time, we will not name the organizations that have shared these
practices with us.]
The only way to be invulnerable to well-designed attacks is to make sure
that the holes they use are closed. All of the practices listed below
are aimed at accomplishing that objective.
== Identifying Vulnerabilities: Multi-source automated vulnerability
== scanning
Scanning tools are computer programs that send network traffic to
computers with the goal of receiving return traffic that will indicate
whether those computers have known vulnerabilities. Attackers use these
tools to find holes, just as defenders try to find the holes first so
they can be patched.
There are seven major scanning tools (and many other minor ones) and
they all find different vulnerabilities. Moreover, the most commonly
used scanning tool has more than 140 settings, and each setting will
change the sensitivity or targeting the tool uses to focus its scan.
That means that two different people who use automated tools are almost
certain to do the job differently.
PROMISING PRACTICE: To ensure that they are getting as complete a view
of their vulnerabilities as possible, several smart organizations are
running three automated vulnerability scans each year, for example in
January, May and September. They contract two of them out -- one to a
major company (a big accounting firm or system integrator) and one to
a smaller, more specialized organization. The third they ask their own
staff to perform. The combination of competition among the testing
teams and continuous monitoring provides a very clear picture of what
needs to be fixed.
[Resource: The CIO Institute has gathered over 35 evaluations of user
experiences with vulnerability testing firms. We'll share this data
with Institute members as appropriate.]
== Recruiting and Training Technical Security Professionals
Vulnerability scanning consultants don't make systems more secure --
they just point out possible holes. The people who can make systems
more secure are the people who work at your organization and who know
how to implement corrections and test your systems to be sure the
corrections function correctly. Some of them are called system
administrators, system analysts, or system programmers. Others are
called technical security professionals or security programmers. A few
organizations call them network administrators. Whatever you call them,
they are very rarely the same security professionals who write policy
and run user education programs.
The key challenge is recruiting technically capable people and then
training them and keeping their education current so they don't fall
behind the attackers. For recruiting, most organizations select from
new college recruits, from the existing system administration community,
from technically savvy auditors, and from less technical security
professionals willing to make the difficult switch. Pay for the good
ones generally runs 8 to 16% above the pay of comparably experienced
systems administrators. [Resource: highlights of the 1998 salary survey
of system, security, and network administrators may be found at
http://www.sans.org/salsurvey98.htm ]
PROMISING PRACTICE: In addition to using the sources listed above,
several organizations have begun to recruit new technical security
professionals from among the staff involved in their Y2K efforts. These
organizations tell us their Y2K programmers are coming to the end of
their heavy development period (most companies have March 31 deadlines
for program changes), are capable and careful, and have worked hard
enough to deserve the professional opportunity that computer security
offers.
Training for technical security professionals comes from two sources.
First, the vendor that supplied the operating system (Sun, IBM, HP, and
more recently Microsoft) generally offers 5-day security courses that
administrators find very useful for administering security. However,
the vendors seem to have a hard time telling their students about security
vulnerabilities -- probably because they don't want to admit they made
programming errors that left their users vulnerable. For that reason,
no smart organization relies exclusively on vendor training for the
complete knowledge needed to understand the inner workings of their
systems so they can find and fix the vulnerabilities.
The supplementary training most often takes place at large conferences
that offer in-depth training classes conducted by experienced
instructors. Some last as long as eight days. The next opportunity for
this type of training is at the SANS99
(http://www.sans.org/sans99/index.htm) conference in Baltimore where
more than 50 full-days of courses will be offered along with more than
25 two-hour short courses and even more state-of-the-art technical
presentations. In addition to in-depth courses on intrusion detection
and vulnerability analysis, it has advanced security training for Windows
NT and for UNIX. Nearly all the courses are taught by full-time
practitioner/teachers who give practical, from-the-trenches information
that can be implemented immediately when students return to work.
If your people cannot get places in the courses at SANS99 (they often
fill up early) they can attend a similar array of courses at the Network
Security Conference in New Orleans in October.
The CIO Institute provided assistance to establish the SANS Institute
nearly a decade ago because of the desperate need for in-depth technical
training to replace the non-technical security conferences that had been
around since the mainframe days. In the intervening years, SANS has
grown to provide in-depth technical security education to more than
3,000 people each year and to provide the industry's authoritative
monthly security update for more than 61,000 technical security
professionals. As an adjunct to this year's SANS program, the CIO
Institute is sponsoring the Federal Computer Security Conference
(http://www.cio.org/fcsc.htm) during SANS, at which Federal Information
Security Officers will learn the most effective practices used by
security-savvy military agencies that can be transferred to the civilian
side.
== Equipping Technical Information Systems Auditors
Information systems auditors are faced with a monumental task of verifying
that security policies are effectively enforced on every computer. For
years they based their judgements on answers provided by system
administrators. Auditors could never be certain whether to rely on the
answers, because some system administrators saw auditors as "the enemy,"
and did not provide accurate information.
Promising Practice: A new class of tools is maturing to automate the
process of verifying security policies in hundreds or thousands of
systems spread throughout the organization. The tools compare actual
practice with a baseline policy and point out changes in daily operations
that have taken systems out of compliance. The most advanced
organizations have developed their own programs to perform comprehensive
checks, but increasingly companies and government agencies are turning
to commercial tools to automate auditing of security policy enforcement.
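The core of the compliance tools described above is a comparison of a written baseline policy against what each machine actually reports. The Python below is an added illustration of that comparison written for this bulletin; it is not the code of any commercial or in-house tool mentioned here. The policy keys, rule types ("equals", "at_least", "only") and the two host snapshots are constructed for the example, and in practice the snapshot dictionary would be filled by a collector script run on each host.

```python
# Constructed baseline policy (hypothetical keys and values).
# Each entry is (rule, expected):
#   "equals"   - the observed value must match exactly
#   "at_least" - the observed number must be >= the expected minimum
#   "only"     - the observed collection may contain nothing beyond expected
BASELINE = {
    "service.telnet": ("equals", "disabled"),
    "service.ftp": ("equals", "disabled"),
    "password.min_length": ("at_least", 8),
    "accounts.uid0": ("only", {"root"}),
    "files.world_writable": ("only", set()),
}

# Constructed snapshots as a collector script would report them.
# web01 is compliant; db02 has drifted in three places.
SNAPSHOTS = {
    "web01": {
        "service.telnet": "disabled",
        "service.ftp": "disabled",
        "password.min_length": 10,
        "accounts.uid0": {"root"},
        "files.world_writable": set(),
    },
    "db02": {
        "service.telnet": "enabled",
        "service.ftp": "disabled",
        "password.min_length": 6,
        "accounts.uid0": {"root", "backup"},
        "files.world_writable": set(),
    },
}


def check_compliance(baseline, snapshot):
    """Return a list of (key, status, expected, actual) findings for one host.

    A key the host did not report is itself a finding: the auditor must not
    silently assume compliance for data that was never collected.
    """
    findings = []
    for key, (rule, expected) in baseline.items():
        if key not in snapshot:
            findings.append((key, "not_reported", expected, None))
            continue
        actual = snapshot[key]
        if rule == "equals":
            if actual != expected:
                findings.append((key, "mismatch", expected, actual))
        elif rule == "at_least":
            if actual < expected:
                findings.append((key, "below_minimum", expected, actual))
        elif rule == "only":
            extra = set(actual) - set(expected)
            if extra:
                findings.append((key, "unexpected", sorted(expected), sorted(extra)))
        else:
            raise ValueError(f"unknown rule {rule!r} for {key}")
    return findings


def audit_fleet(baseline, snapshots):
    """Check every host snapshot against the baseline; empty list means compliant."""
    return {host: check_compliance(baseline, snap) for host, snap in snapshots.items()}


if __name__ == "__main__":
    for host, findings in audit_fleet(BASELINE, SNAPSHOTS).items():
        state = "compliant" if not findings else f"{len(findings)} finding(s)"
        print(f"{host}: {state}")
        for key, status, expected, actual in findings:
            print(f"  {key}: {status} (expected {expected!r}, found {actual!r})")
```

Run daily and diffed against the previous day's findings, this kind of report gives the auditor the "what changed and when" view that the bulletin describes, without depending on the system administrator's own account of the machine's state.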
Equally promising are tools for automation of the forensic process after
an incident has occurred. This task used to require an extremely highly
trained security professional but can now be accomplished by a suitably
equipped auditor or other security professional.
[Resource: user assessments and comparison of capabilities of the most
popular policy compliance auditing, intrusion detection, and vulnerability
analysis tools are presented in the SANS course book "Selecting the
Right Intrusion Detection and Active Auditing Tools" which may be ordered
from the secure site: https://nt4.corpsite.com/secure_escal/book.htm ]
**********************************************************************
In The Next CIO Institute Bulletin On Computer Security :
A Reality Check on Public Key Infrastructure and Certificates
**********************************************************************
The CIO Institute Bulletin on Computer Security is published monthly
and distributed via email to Institute members without cost. Members
include the CIOs in organizations spending at least $250 million per
year on information technology, and, through the CIOs, all other
information system executives in those corporations and agencies. IS
executives in smaller organizations may subscribe for $95 per year.
For a subscription form, email [email protected] with the subject "Subscription
Form" and include your name, title and organization.
Send address change information for this mailing to