SIGNAL Magazine came and interviewed myself and several others during my tenure at SDI. They were actually a very good organization to work with as they visited our site and really took time to conduct multiple interviews and to incorporate graphics from our powerpoint briefings, etc. The graphics aren’t in the version below.

From the AUGUST 2000 Issue

©SIGNAL Magazine

Internet-Based Attack Risk Distracts Organizations From Internal Trouble

Lack of cohesive planning, overemphasis on perimeter security leaves networks vulnerable to intruders via ignored pathways.

By Henry Kenyon

Threats to government and private sector computer systems continue to evolve in new and unexpected ways. These challenges come from a variety of groups such as hackers, terrorists and, increasingly, radical political and social activists.
The continuing growth of global communications and data networks presents an unprecedented opportunity to connect people to businesses and federal bureaus. This openness also creates an ideal target for individuals and groups with personal agendas. While checking assaults on computer systems has become a substantial industry in itself, many organizations are unaware of evolving threat profiles or are overly preoccupied with specific perceived dangers and fail to notice real weaknesses or flaws in their networks.

An industry has emerged to serve the increasing demand for detailed vulnerability assessments. One information security firm, Security Design International (SDI) Incorporated, Annandale, Virginia, applies specific methodology to serve its customers’ security needs.

One goal of an assessment is to look at a client’s network as a whole, Chris Goggans, SDI’s director of operations, says. Many information security firms make the mistake of investigating only what they perceive to be critical sites, ignoring the broader picture. For example, organizations place extra security around what they consider to be important but ignore unprotected host systems that share the same user accounts.

According to Matthew G. Devost, a senior information security analyst at SDI, the vulnerability assessments provided to clients contain a detailed analysis of the weak points in an organization’s network such as unprotected dial-in lines and modems. The reports also describe how the firm’s consultants are able to move around the client’s various networks and provide recommendations to correct these deficiencies.

Similar information security assessments may simply use an off-the-shelf product such as Internet Security Systems Scanner or Network Associates Cyber Cop to search for vulnerabilities, SDI officials claim. While such scanning software programs are effective for baseline compliance checking, they miss many real-world threats, Devost notes. Scanning software is often updated on a monthly or sometimes quarterly basis, which is not frequent enough to keep up with new threats.

Software-based methods also produce false returns. System administrators are frustrated when reports that have 60 percent of the vulnerabilities listed and turn out to be false hits. “You’re trying to take action on things that don’t exist,” Devost says. By comparison, vulnerability alerts from industry groups like Bugtraq are loaded into SDI’s assessment methodology within hours of their release, he observes.

Scanning tools have their place in compliance checking, but they do not emulate an attacker because they are not intelligent and cannot combine external and internal information to recognize vulnerabilities, SDI President Donald O. Hewitt says. “By reading the advertisements a little too closely, one can think they are actually buying a vulnerability assessment in a box. They’re just buying a tool–there’s a big difference,” he warns.

When conducting internal and external vulnerability assessments, SDI engineers work both off and on site. The external check consists of investigating Internet connections and firewalls for holes or back doors. The firm’s consultants go to the client’s location for the internal assessment, which is the bulk of the work conducted, Devost says. There, the engineers examine an organization’s entire network with the perspective and privileges of a regular user. For example, can a new temporary worker access material detailing a company’s mergers and acquisitions from the legal department’s files? Any weaknesses discovered through the internal check can be applied externally because once the firewalls have been penetrated or circumvented, intruders will be able to move around the network at will, Devost observes.

A lack of understanding about the current network environment is a common issue in both government and private sectors, Devost says. Assessments often turn up surprises such as unauthorized modem lines, he notes. Another issue for both groups is an inability to secure known vulnerabilities. A substantial amount of information exists in the public domain such as advisories and software patches for security problems, but these remedies are often not implemented, he contends. This lack of enforcement is somewhat more prevalent in the government, but it is still a major problem in the private sector as well. “Policies are not enforced. If they have taken the time to develop a policy, it’s either not current enough to be effective, or it is current but not being enforced because no one is doing any compliance checking. That’s a big issue for both sides,” he says.

Where the two sectors differ is in motivation to react to threats. Being financially driven, the private sector often implements changes before vulnerabilities can affect business and, by extension, customer and shareholder confidence. Government organizations may sit on an issue as it passes through several layers of management. The result may be that nothing happens for six months in part because accountability is different in government circles, Devost says. However, this is changing as the government becomes more responsive, he observes.

Putting a good policy in place and enforcing it is important. Devost notes that SDI’s assessment teams penetrate hundreds, sometimes thousands, of systems at client sites because of simple mistakes such as poor, easily cracked password choices and lack of compliance checks. He advises administrators to keep their auditing systems enabled to determine if employees are exceeding their privileges. “You can usually distinguish between an accidental click in the wrong place [and] if someone is snooping around in resources they shouldn’t have access to,” he says.

External network threats are quite real, however, as terrorist and extremist groups begin to see the utility of conducting cyberattacks. Devost notes documented cases of such organizations trying to buy information and solicit help from hackers. Japan’s Aum Shinrikyo cult, operating under front companies, wrote software for 80 Japanese companies and 10 government agencies. Back doors in that software allowed the group to track hundreds of unmarked cars used by the Japanese police. This information was siphoned from police networks and fed into a database listing the vehicles’ current locations and what they were investigating.

Another growing threat comes from groups of political activists referred to as hacktivists. Unlike traditional hacker groups, hacktivists are driven by ideological or political motivations, selectively targeting corporations or government institutions with whom they disagree. During the 1999 protest demonstrations at the World Trade Organization’s (WTO’s) meeting in Seattle, attacks were coordinated against WTO-related World Wide Web sites in conjunction with protesters marching on the buildings that were hosting the conference.

Devost is concerned that these groups are developing their own software and represent a relatively large community. He notes that more than 20,000 people participated in virtual sit-ins against meat manufacturers, the banking industry and government. These events began as unorganized actions, but the groups have become more sophisticated, developing more complex denial of service tools. Software tools that can be activated and left to wreak havoc on their own are unpopular because they do not fit in with these groups’ participatory ideology. Some of the hacktivists’ most recent software creates a small screen on a monitor allowing a user to draw pictures in it. As the mouse cursor is moved across the window, an attack is launched. “For some reason morally, they feel that it is better to participate than to release a tool you can just walk away from,” Devost says.

The popular perception is that the Internet is the access point for external threats, Goggans notes. But Internet connections are only one route into an organization. The same company or government bureau can have 10,000 incoming telephone lines and five different lease-line connections to partners or other related organizations. By adding the number of telephone lines and lease lines at those outside groups, the number of threats increases exponentially, he says.

Perhaps the largest handicap many organizations face when they set up a defensive architecture is a perimeter mentality with respect to design, Hewitt observes. So much attention is paid to defending perceived critical areas from external threats that the system’s designers usually do not prepare the defense in depth to really secure their networks. “When somebody gets in, they’re going to have the run of the place,” he maintains.

Goggans cites a bank that had an extremely elaborate defensive system. It consisted of multiple layers of firewalls separating demilitarized zones–a point between a firewall’s internal protection and the Internet connection–followed by a firewall between each application and the Internet and another ring of firewalls defending the internal network. Despite the attention paid to Internet access, this same institution never conducted any modem scanning of its branch installations or investigated the security of its firewalls placed between its partner connections. The bank also had never conducted an internal assessment, but it had spent hundreds of thousands of dollars protecting itself against perceived Internet-based threats, he observes.

A properly placed firewall eliminates Internet-based intrusions, but other means of entry exist, Goggans points out. “In doing our assessments, there hasn’t been an organization yet that we haven’t penetrated to some degree. Very few of those [penetrations] happen over the Internet. Most happen over poorly secured modem access,” he says.

Threats to networks also have potential for litigation. As protection of intellectual property becomes a growing factor in due diligence, legal issues will become a key driver in the security industry because there will be major lawsuits, Devost says. Recent distributed denial-of-service attacks have raised due diligence issues because they only succeeded based on poor security that allowed a system to be penetrated and used as a launching point against others. “If you can go back and prove the company that was penetrated wasn’t practicing due diligence, then was it a vulnerability known about for a year or a patch that has existed for 10 months? Are they liable now for the company that was actually hit?” he questions.

These issues are partially responsible for the security industry’s continuing growth. Hewitt believes that the next three to five years will continue to be strong for fundamental services in areas such as technical network security. Other expanding areas will coincide with the emergence of public key infrastructure technologies, which represent an enormous market. Both areas will grow exponentially, he predicts. Hewitt also sees continued expansion in overseas markets. While this international growth trails the United States, he expects a leapfrog effect as many nations bypass certain infrastructure steps and move directly to new technologies such as cellular and wireless networks. –HSK