Welcome to Volume 4, Issue 8 of The Internet Security Conference Newsletter, Insight. Insight provides commentaries and educational columns, authored by some of the best minds in the security community.
TISC is about sharing clue. So is this newsletter. We promise to provide something useful each issue. If we don't, flame me. If you like the issue, let us know!
Enjoy, and be safe,
Dave
President Bush's War on Terrorism has affected every country. Counter-terrorism has become an international imperative. In the United States, a Homeland Security Office is now charged with improving the security of public resources. The Office is also responsible for shoring up defenses against cyber terrorism.
So what is the state of IT security? I recently polled several security mailing lists in an attempt to answer this question. I received over 100 responses, and culled responses from security administrators, hoping to get a more accurate response from the folks who have to deal with security issues, daily.
Frankly, the results are not good, and even more frankly, not unexpected. Ron DuFresne examines this same question in a broader manner in today's column, and offers some sage advice on how to begin to turn the dismal state of information systems and network security around.
Happy reading...
Security has become a serious matter since the 9/11 terrorist attacks in New York and Washington, and the foiled attempt in Pennsylvania. Travelers demand greater security in airports and employees expect likewise in the workplace. Corporate America, federal and state government organizations have, at least in principle, redoubled efforts to secure IT and network infrastructures. Today, we examine current information and network security in light of these events.
While security seems to be a paramount concern, implementing security is not a priority for society at large, and information technology in particular. Industry leaders emphasize that security in the digital world is an individual and personal matter of import; with information technology, however, employees and administrators alike grudgingly adopt security practices, and too frequently compromise or circumvent security measures for the sake of convenience, expediency, and ease of use. A common response to an intrusion from harried, overburdened, and sometimes under-skilled administrators is a hasty patch to the service that allowed the intrusion, with no review of policy or change in operating practices. In the aftermath of a virus "incident", a flurry of memoranda on the topic of "virus awareness" may be issued, possibly accompanied by user training or a memorandum reminding employees to update virus definitions, but no further effort is made to improve the organization's anti-virus countermeasures or to improve data recovery practices for a perhaps more damaging AV incident to follow.
IT security in the private and government sector suffers from substantial under-funding, improperly trained and over-tasked technicians, systems and network administrators, and ill-informed management too pressured to increase near-term profit (or in today's economy, reduce losses). Too few companies have a well-articulated security policy and an appreciation of the importance of security to e-business. The result in many organizations is that no true sense of who is responsible or accountable for security trickles down from management. One would hope that at least the U.S. government, with all the Homeland Security bravado, would lead in this area, and set an example for corporate America as well as residential users.
Sadly this is not the case. Whether it's the expense or complexity of trying to secure computers and networks, or the ongoing nature of maintaining safe computing environments, even well-intentioned individuals and administrators become lax with security. It's often only after suffering the consequences of lost time, revenue, and data that many are dragged reluctantly to adopt better security processes and procedures. Even in such extreme circumstances, however, reluctance and fear of losing capabilities have caused, and will continue to cause, many organizations to dilute policies and deploy only those measures that at best meet minimal security standards. The global Internet, with its ambiguous domestic and international legal boundaries, exacerbates this situation. Conflicting legal ideals and legislation on what constitutes legal responsibility in their respective jurisdictions create a virtual security vacuum. Simply put, with little uniformity on which to broadly deploy security solutions, we must continue to deal with the same attack vectors today as we have for the past two decades.
Many blame lax security practices on a critical shortage of security professionals. However, the number of individuals with information security experience seeking employment or enduring extended lay-off situations is considerable. Even prior to the current economic recession, many information security professionals held positions not specifically related to systems or network security functions. Does demand exceed availability, or is this a convenient way of diverting attention from the fact that security is under-funded and hence understaffed? Even in situations where staffing numbers are adequate, expertise comes into question: tough economic conditions entice organizations to make do with hastily trained staff at hand rather than hire trained and more expensive security professionals.
Governmental systems security in the United States seems to fare no better than corporate America. The General Accounting Office (GAO), which routinely audits information security, reports that professional resources are low in the government sector as well. A GAO investigation into the effectiveness of government systems security measures recently graded a large number of agencies at D and F levels, and concludes that the Treasury Department and IRS, among numerous federal agencies, "remain highly vulnerable to hackers and employee fraud" (see the list of additional reading at the end of this column).
The GAO reports demonstrate that information security is a persistent and troublesome issue at the U.S. Federal level. The FBI and CIA websites are constant targets, and are continually hit with defacements. The CIA network was recently mapped from outside the U.S. via strictly legal means. The scan exposed exactly the kinds of information attackers gather prior to an attempted entry into more protected systems.
As recently as April 1, 2002, the President's cyber security advisor, Dick Clarke, stated that Federal IT security has a "sad" history. He further maintains that it will take 3-5 years of focused effort "before we get into a comfort zone." (See http://gcn.com/21_7/news/18305-1.html.)
Far too many organizations fail to properly train and fund those responsible for maintaining the integrity of their systems. This applies to technical staff in charge of daily operations, to more senior administrators charged with design and planning, and even to IT management. Without such training and exposure to new technologies and practices, security in such organizations cannot keep pace with the stream of new threats and vulnerabilities that are exposed daily. Furthermore, when such companies are notified that their systems have been compromised or are being misused (as zombies for DDoS attacks, for example), their staff may not have the time or talent to investigate and remedy such situations.
The financial toll and damage to reputation on such companies can be measurable. In certain instances, e.g., the CodeRed and Nimda worms, Internet Service Providers have been forced or enjoined by courts to sever a company's access to the Internet for failure to contain the viruses. The fallout from such actions can affect more than the negligent companies. ISPs and large organizations may block very large portions of the IP address space to stem an attack. Any organization that has acquired IP addresses within these portions of the address space may find itself blocked. A militant posture emerging in cyberspace parallels U.S. President Bush's declaration that those countries that refuse to assist in the War on Terrorism are themselves suspected of (harboring) terrorism. In an attempt to protect themselves, many members of the Internet community now treat any organization addressed within a "rogue" ISP's IP address block as "part of the problem" when confronted with an attack, and simply cut the entire block.
Many companies can improve IT security measurably by merely implementing industry best practices across their organizations. For example, systems exposed to the Internet should be dedicated to a single service, e.g., DNS, mail. This reduces the likelihood that any individual system compromise will disrupt all services. Services separation also eases the tasks of fault isolation, service restoration, and post-incident investigation (forensic analysis).
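One practical way to enforce the single-service rule above is to audit what each Internet-facing host actually listens on against the one role it is supposed to serve. The script below is an added example, not code from the newsletter or its author; the role-to-port map, the administrative-port exception and the sample `ss -Hltn` output are all constructed for the illustration, and a real deployment would feed it live `ss` output and its own inventory of host roles.

```python
"""
Audit a host's externally reachable listening TCP ports against the single
role (DNS, mail, web) it is meant to serve. Example code added to illustrate
service separation; the role map and sample output are constructed.
"""
import re
from typing import Dict, List, Tuple

# Assumed mapping of host role -> the only TCP ports that role should expose.
ROLE_PORTS: Dict[str, set] = {
    "dns": {53},
    "mail": {25, 587},
    "web": {80, 443},
}

# Constructed sample of `ss -Hltn` output (no header, listening TCP sockets):
# State Recv-Q Send-Q Local-Address:Port Peer-Address:Port
SAMPLE_SS_OUTPUT = """\
LISTEN 0 128 0.0.0.0:53 0.0.0.0:*
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 511 0.0.0.0:80 0.0.0.0:*
LISTEN 0 128 127.0.0.1:3306 0.0.0.0:*
LISTEN 0 128 [::]:53 [::]:*
"""

# Local address field is "<addr>:<port>"; addr may itself contain colons ([::]).
_ADDR_RE = re.compile(r"^(?P<addr>.+):(?P<port>\d+)$")

LOOPBACK = {"127.0.0.1", "[::1]"}


def parse_listeners(ss_output: str) -> List[Tuple[str, int]]:
    """Return (local address, port) pairs from `ss -Hltn`-style lines."""
    listeners = []
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0] != "LISTEN":
            continue
        match = _ADDR_RE.match(fields[3])
        if not match:
            continue
        listeners.append((match.group("addr"), int(match.group("port"))))
    return listeners


def audit_host(role: str, ss_output: str, admin_ports=frozenset({22})) -> Dict[str, List[int]]:
    """Classify each non-loopback listening port as expected for the role,
    an allowed administrative port, or unexpected (a second service that
    violates the one-service-per-host rule)."""
    expected = ROLE_PORTS[role]
    result: Dict[str, List[int]] = {"expected": [], "admin": [], "unexpected": []}
    seen = set()
    for addr, port in parse_listeners(ss_output):
        # Loopback-only listeners are not reachable from the Internet; skip them.
        if addr in LOOPBACK or port in seen:
            continue
        seen.add(port)
        if port in expected:
            result["expected"].append(port)
        elif port in admin_ports:
            result["admin"].append(port)
        else:
            result["unexpected"].append(port)
    for key in result:
        result[key].sort()
    return result


if __name__ == "__main__":
    # On the sample data the "dns" host also exposes a web server on port 80.
    print(audit_host("dns", SAMPLE_SS_OUTPUT))
```

Anything that lands in the `unexpected` list is a candidate for moving to its own host or, at minimum, for a written exception in the host's configuration record; loopback-only listeners (the sample's MySQL on 3306) are deliberately ignored because they do not widen the host's Internet-facing attack surface.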
Many of the issues related to the Nimda and CodeRed worm infestations last year could well have been reduced had administrators kept up with available patches and vendor rollups. Many vendors, including Microsoft, made patches available for most of the vectors these malware variants exploited. These and anti-virus definitions for all major AV products are readily available, yet attackers continue to probe the known attack vectors, and unprotected systems are still compromised, only to propagate the worm yet again.
Organizations in general can measurably improve security by carefully assigning security-related tasks according to the security expertise they have in their IT department, and by documenting best practices and policies so that lower-level administrators can learn and follow basic secure systems administration. Senior security staff should delegate routine tasks and spend less time configuring systems, and more time verifying and auditing system security status. Additionally, maintaining absolute minimal staff. Time must be allocated for security training; if budgets absolutely cannot absorb travel, consider on-site training and security staff "transfer of information" sessions, where senior staff instruct their junior counterparts in how to secure systems, and why. Maintaining knowledgeable and trained personnel with wide-ranging hardware and software experience can only benefit a corporation. Even if some staff leave the company, the staff that remains is more likely to have the cumulative skills to maintain security in the wake of their departures.
The state of information systems and network security remains poor. The immediate future holds little promise of any dramatic improvements over a short span of time. Companies having to deal with government-mandated security requirements like HIPAA by next spring will very likely experience Y2Kaos once again. Until governments and corporations allocate money to build and maintain a security baseline and entrench the security knowledge base required for such tasks, secure networking will remain out of reach.
Computer Security At Treasury Dept. Arm 'Critical' - GAO, Newsbytes
http://www.newsbytes.com/news/02/174207.html
IRS Was Unable to Adequately Protect Electronically Filed Taxpayer Data
http://www.senate.gov/~gov_affairs/031501_press.htm
Most Federal Agencies Flunk Computer Security 101 - GAO, by Brian Krebs, Newsbytes, 9/11/00
http://www.info-sec.com/internet/00/internet_091100b_j.shtml
Ron DuFresne is a 16-year IT veteran who has managed systems from small desktops to Crays in networked and Internet environments. His primary administrative roles for the past 8 years have been in the area of systems and network security. Ron actively contributes to Bugtraq, the firewall-wizards list, and numerous security-related and *NIX-related mailing lists and newsgroups. Well respected in the firewalls and security communities, Ron is recognized as an extremely versatile security and IT professional.