
Combined Effort

Educating employees about safe practices as well as market forces will determine how fast the public and private sectors work out security kinks.

This year, state legislatures are facing a $40 billion budget shortfall. At the same time, the state CIOs face enormous pressure to increase expenditures to ensure the computers they manage will not easily fall prey to hackers.

Some government CIOs have taken an innovative approach to improving the security of their systems without busting their budgets. Sadly, individual states may not be able to ensure their systems are sufficiently secure on their own. If states act together, however, employing their combined technical expertise and buying power, they may be able to maximize their security defenses at a reasonable cost.

Why Are Systems So Easy To Hack?

Several years ago, when Janet Reno was Attorney General of the United States, the Justice Department's Web site was taken over by crackers. Reno's picture was changed to that of Adolf Hitler, and the site was renamed the "Department of Injustice." More than 1,000 other government Web sites have also been cracked and altered over the past three years. How could that many government sites be so easily tampered with by outsiders? What went wrong?

In the summer of 2001, nearly 200,000 computers were infected by a worm that swept through the Internet in just a couple of days -- without even requiring users to do so much as download an attachment. Many users who purchased a new version of Windows 2000 Server Edition during that period found that it was impossible to download and install the necessary security patches from Microsoft before their computers were infected with the worm via attacks from other systems that had already been infected. How could that many machines have been infected so rapidly? What went wrong?

During 2000 and 2001, criminals penetrated more than 100 U.S. electronic commerce sites using a single attack methodology. They stole customer credit card numbers and threatened site owners, saying they would release private customer information on the Internet if the e-commerce site owners didn't pay one hundred thousand pounds. The criminals were not bluffing, as some merchants learned the hard way. When the owners didn't pay, the criminals made their customers' credit card information public in lists on a Web site, just as they had threatened to do. Even in cases where the merchants did pay, the criminals still sold the credit card information to other criminals, who then used it for illegal purchases. Similar crimes of extortion continue to plague e-commerce sites. How could so many e-commerce sites have been so thoroughly compromised? What went wrong?

When I present that question -- "What went wrong?" -- to groups of information technology professionals, they generally give one of two answers: Either they say the companies and government agencies didn't have correct policies and procedures to protect their systems, or they say the system administrators didn't protect their systems by configuring them safely or keeping them patched. These answers, while accurate, inspire even more pertinent questions. How did the systems become vulnerable in the first place? How can hundreds of thousands of computers be installed all across the Internet with known vulnerabilities that hackers can easily exploit with automated scripts?

The answer is that attacks are easy because systems are produced and delivered with vulnerabilities and with unnecessary services. The vendors understand the problem but do not correct it. More specifically, the systems are delivered with default configurations that include many unneeded services activated, and some of those services have vulnerabilities. If the vendors would patch the systems before they are delivered, or configure the systems with the unnecessary services turned off, the vast majority of attacks would not be successful. Since the vendors do not take responsibility, system administrators, many with little or no security training, are left to protect their systems as best they can.

It's an uneven fight. Attackers have launched thousands of programs that automatically scan the Internet looking for vulnerable systems. Researchers at MIT report that the average machine there is connected to the Internet for less than five minutes before an automated attack program scans it. Once the malicious program locates a computer that does not have the necessary patches installed for a specific vulnerability, it uses that vulnerability to enter the system and take control. Once a system is compromised, it can be used as a jumping-off point for deeper attacks, such as attacks on state infrastructure and connected systems; as a storage site for pornography or stolen software; as a platform for new attacks; or just as an electronic soldier-in-waiting, ready for the next opportunity to participate in a distributed denial-of-service attack.

Attackers do not limit themselves to exploiting vulnerabilities in the systems. They exploit human vulnerabilities as well. They often fool people into downloading malicious software by promising it will include something useful like a security patch or a screen saver, or something of interest like a photograph. Tens of thousands of machines have been infected with back-doors installed when people downloaded software from the Internet or opened malicious e-mail attachments. In addition, many computers are accessed without permission by people who capture passwords by finding them in electronic mail or in unencrypted remote access sessions.

That's a very high-level view of why and how systems are exploited. The next question is: What are the most effective methods of improving security?

Securing a Nation

A small number of government organizations have proven they can fight back against cyber crime and have provided models that others can use and are beginning to use. Elements of NASA, the U.S. Department of Energy and the U.S. Department of Defense have each demonstrated that certain promising practices can make a big difference. NASA reduced the incidence of the top 50 vulnerabilities still unpatched in its systems by over 92 percent, and the agency's computers have had far fewer security incidents as a result. One of the Department of Energy laboratories has enabled system administrators to install securely configured operating systems painlessly by contracting with vendors to deliver improved installation scripts that remove most vulnerable services. The Department of Energy is also working with Oracle to ensure that every Oracle installation in the department meets minimum security configuration standards.

Several agencies have used innovative training techniques to demand that system administrators learn (and prove they have learned) how to secure their systems. Still other agencies have implemented security awareness programs that actually work: employees learn to understand and follow their organizations' acceptable use guidelines, and those agencies' computers were almost completely untouched by the viruses that swept through other agencies where users opened infected attachments to e-mails sent from already-infected co-workers.

The most pleasant and surprising aspect of all these developments is that the initiatives that worked best to improve security were among the smallest security expenditures those agencies made. The NASA program to reduce the incidence of unpatched, high-priority vulnerabilities on every NASA system cost less than 3 percent of NASA's security budget.

Researchers at the SANS Institute have identified four promising practices that are both effective and inexpensive:

- Targeted vulnerability reduction with graphic comparisons: Here, the organization's security experts identify the 50 to 100 most important security vulnerabilities, those most often used by hackers to get unauthorized access. Once the target vulnerabilities are selected, the organization performs quarterly or monthly vulnerability scans that look only for the targeted vulnerabilities, and prepares graphs comparing the divisions against one another, showing how well each division is doing at reducing the average number of critical vulnerabilities per system. Before long, competition between the divisions and senior management visibility interact to generate rapid improvement.

- Universal security awareness with testing: Organizations that want their computers to be used safely work to ensure that every user knows what safe computing means. They teach classes, often supported with videotapes and/or interactive computer teaching programs, to every incoming employee as part of the new employee orientation, and they require every employee to pass an online security awareness test each year. They publish divisional rankings of awareness test completion (but not grades) so that progress is visible.

- Buying safe configurations: Why make every system administrator configure systems safely when the vendor can do the job more cost effectively? In this movement, organizations negotiate with system and software vendors or with resellers to have them deliver fully patched, securely configured versions of the system or application with only the services required by the particular organization turned on. When the vendor delivers a new system, it does so just before the system is to be installed, with the very latest security updates.

- Online and mentored security-skills training for system administrators, auditors, and security managers: Training is the most commonly listed requirement in laws and other initiatives intended to improve security, but good training can also be expensive. Innovative organizations with limited training funds have begun combining online training with mentors drawn from skilled technical staff inside the organization. This combined approach avoids the high cost of sending many employees to outside training while eliminating the universal problem of often weak teachers being sent in to teach on site. Online training can be constantly updated and can combine audio and computer display to replicate live programs. Online training can also ensure mastery through online quizzes. The local mentor adds value by bringing key concepts to life through sharing of his or her real-world experiences, and helps the students work through hands-on exercises to build competence and confidence.
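The first practice above, targeted vulnerability reduction with divisional comparisons, is simple enough to show in code. The following is an added example, not code from the article or from SANS or NASA: the target list, division names, hostnames and scan findings are all constructed sample data, and the scoring follows the practice as described (count only targeted findings, average them per system, rank the divisions).

```python
"""Targeted vulnerability reduction with divisional comparisons.

Added example, not the article's or any agency's own tool. All hostnames,
divisions and vulnerability IDs below are constructed sample data.
"""
from collections import defaultdict

# Constructed target list: the vulnerabilities the organization chose to track.
TARGET_VULNS = {"T-01", "T-02", "T-03", "T-04", "T-05"}

# Constructed scan output: (hostname, division, vulnerability IDs found on host).
# Non-target findings (X-...) are included to show that they do not count.
SCAN_RESULTS = [
    ("web01", "Finance",   {"T-01", "T-03", "X-99"}),
    ("db01",  "Finance",   {"T-02"}),
    ("app01", "Finance",   set()),
    ("ws01",  "Licensing", {"T-01", "T-02", "T-04", "T-05"}),
    ("ws02",  "Licensing", {"T-01", "T-03"}),
    ("mail1", "Courts",    {"X-42"}),
    ("file1", "Courts",    set()),
]

def score_divisions(results, targets):
    """Return {division: (systems, targeted findings, average per system)}."""
    systems = defaultdict(int)
    findings = defaultdict(int)
    for _host, division, vulns in results:
        systems[division] += 1
        findings[division] += len(vulns & targets)   # only targeted vulns count
    return {d: (systems[d], findings[d], findings[d] / systems[d]) for d in systems}

def rank_divisions(scores):
    """Best division (lowest average) first; ties broken by name."""
    return sorted(scores, key=lambda d: (scores[d][2], d))

def bar_chart(scores, width=20):
    """Text version of the management graph: one bar per division, worst last."""
    worst = max(avg for _, _, avg in scores.values()) or 1.0
    lines = []
    for d in rank_divisions(scores):
        n, found, avg = scores[d]
        bar = "#" * round(avg / worst * width)
        lines.append(f"{d:<10} {avg:5.2f}/system ({found} on {n}) {bar}")
    return "\n".join(lines)

if __name__ == "__main__":
    print(bar_chart(score_divisions(SCAN_RESULTS, TARGET_VULNS)))
```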

Successful Security

Success of any of these programs relies, to a large extent, on knowledge of exactly which vulnerabilities are the most threatening and should be fixed first, and which actions are most effective in eliminating those vulnerabilities. That reliance raises a key question: Where can you find the standards to use in defining "safe systems"?

As your security folks will tell you, none of the promising practices described previously works if you target the wrong vulnerabilities or leave out critical vulnerabilities that are being used to break in. Each organization can see only a portion of the total threat that it faces; only the very largest have a relatively complete picture. That's why 170 user organizations have joined forces so their technical security experts can agree on minimum benchmarks for securing common systems. They include Shell, the Government of Singapore, Intel, the U.S. National Institute of Standards and Technology, VISA, the Royal Canadian Mounted Police and many more. They have jointly funded the development of consensus benchmarks and simple tools that test computer systems to see whether they are configured according to the benchmarks.

Their cooperative, not-for-profit organization is called the Center for Internet Security. Its products, including benchmarks and tools that test and score systems against the benchmarks, are free for individual use and can be used by organizations that are center members. The center has delivered benchmarks and testing tools for Windows 2000, Solaris, and Cisco IOS. Other UNIX and Linux benchmarks are available online.

Commercial security software vendors are also becoming active in supporting consensus benchmarks. Bindview and Symantec, for example, have integrated the center's benchmarks into their commercial security configuration testing tools, so organizations that want to buy testing solutions can do that instead of using the free tools.

The consensus security configuration benchmarks developed by the Center for Internet Security enable existing systems to be tested and their security improved. Even more importantly, consensus benchmarks enable organizations to order systems configured securely, ridding their own system administrators of that time-consuming task.
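What "test and score a system against a benchmark" means in practice can be shown with a small checker. This is an added example, not the Center for Internet Security's own tool or any of its benchmarks: the must-be-off and must-be-on service rules and the chkconfig-style service listing are constructed for the example, and the score is simply the share of benchmark checks the host passes.

```python
"""Scoring a host against a minimum configuration benchmark.

Added example, not the Center for Internet Security's own tool or benchmark.
The rules and the listing below are constructed; the point, as in the article,
is that unneeded services are off and a score shows distance from the minimum.
"""
import re

# Constructed benchmark: services that must NOT start at the multi-user
# runlevels (3 and 5) and services that must be running there.
BENCHMARK = {
    "must_be_off": ["telnet", "rsh", "finger", "sendmail"],
    "must_be_on": ["syslog", "sshd"],
}
CHECKED_RUNLEVELS = ("3", "5")

# Constructed sample listing in the style of `chkconfig --list`:
# one service per line followed by runlevel:state pairs.
SAMPLE_LISTING = """\
syslog     0:off 1:off 2:on  3:on  4:on  5:on  6:off
sshd       0:off 1:off 2:on  3:on  4:on  5:on  6:off
telnet     0:off 1:off 2:off 3:on  4:on  5:on  6:off
rsh        0:off 1:off 2:off 3:off 4:off 5:off 6:off
finger     0:off 1:off 2:off 3:off 4:off 5:off 6:off
sendmail   0:off 1:off 2:on  3:on  4:on  5:on  6:off
"""

LINE_RE = re.compile(r"^(\S+)\s+((?:\d:(?:on|off)\s*)+)$")

def parse_listing(text):
    """Map each service name to the set of runlevels at which it is enabled."""
    enabled = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip blank lines and anything not in service/runlevel form
        states = dict(pair.split(":") for pair in m.group(2).split())
        enabled[m.group(1)] = {rl for rl, st in states.items() if st == "on"}
    return enabled

def score_host(listing, benchmark=BENCHMARK, runlevels=CHECKED_RUNLEVELS):
    """Return (score 0-100, list of failed checks) for one host's listing."""
    enabled = parse_listing(listing)
    checked = set(runlevels)
    failures = []
    for svc in benchmark["must_be_off"]:
        if enabled.get(svc, set()) & checked:
            failures.append(f"{svc} is enabled but must be off")
    for svc in benchmark["must_be_on"]:
        if not checked <= enabled.get(svc, set()):
            failures.append(f"{svc} is not enabled at every checked runlevel")
    total = len(benchmark["must_be_off"]) + len(benchmark["must_be_on"])
    return round(100 * (total - len(failures)) / total), failures
```

A vendor delivering a "securely configured" system can be held to the same kind of check on arrival, which is how the benchmark turns into a purchasing specification.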

The center's benchmarks define and test safe configuration, but do not explicitly isolate the highest-priority vulnerabilities that are being exploited. Two separate community consensus projects are attempting to identify the highest-priority vulnerabilities. The first is the project that SANS and the FBI's National Infrastructure Protection Center undertake each year to identify the top 20 Internet security vulnerabilities. This program brings together people from more than 30 organizations around the world. They are the most experienced experts in analyzing successful attacks; therefore they understand how the attackers get control of systems and can reach consensus on which vulnerabilities must be corrected first. State-funded universities, like Virginia Tech, now require all system vendors to certify that their systems are free from all top 20 vulnerabilities. The top 20 are posted online.

A second community-consensus project is the new GIAC Site Certification program, in which Internet-facing sites can earn the equivalent of a "Good Housekeeping Seal of Approval" by ensuring that a more complete set of critical vulnerabilities has been corrected, that users have passed security awareness training, and that there are security professionals on staff or on contract who have proven skills in firewalls and perimeter protection and in auditing security. Data on the site certification is available from SANS with "site cert" in the subject line.

Even with safe initial configurations, system administrators face the challenge of keeping their systems patched to block newly discovered vulnerabilities. Each system administrator could monitor the dozen or so Web sites that try to report vulnerabilities. However, for federal system administrators, the General Services Administration has contracted with one of the commercial vulnerability warning companies to provide every federal system administrator with up-to-the-minute vulnerability warnings and prioritization and patching information for the 40 most commonly used software systems. This service will cost less than 10 percent of what similar services would have cost had agencies been forced to buy them individually.

Acting Together

If each state, or each agency in each state, attempted to replicate the promising practices outlined above, the site and employee certification programs, and the contract mechanisms, they would spend, in the aggregate, tens or hundreds of millions of dollars. However, states may not have to act alone. They face a common set of security threats and they buy systems from many of the same vendors, making them prime candidates for cooperative action.

States may cooperate in at least four ways:

- Join with other states, with the federal agencies and with the commercial and foreign members of the Center for Internet Security to establish minimum security specifications for new systems to be purchased by states and for upgrading the security of systems already deployed. The joint purchasing power of states, federal agencies, and many commercial organizations will help ensure that application vendors work diligently to make their applications continue to work smoothly when system security is upgraded to the minimum security benchmarks.

- Establish a consensus list of common high-priority vulnerabilities -- those that have been used to break into state systems -- and jointly procure a scanning program and/or service to test all state systems and score and compare them. For this project the states can build on the selection of high priority vulnerabilities developed for the SANS GIAC site certification program. A half-dozen scanner manufacturers and service companies could compete for the scanning services and/or scanning software contract.

- Establish a security mentoring program that uses online training for the foundation skills and complements the online training with Web broadcast and mentoring by more savvy security professionals in each state. Shared procurement can lower the cost, as federal agencies have demonstrated, and shared exercises among states can make the program more valuable to all parties. Nearly a hundred commercial organizations have staff qualified to serve as mentors to complement staff in states that have limited numbers of trained technical security professionals.

- Replicate the contract developed by the GSA in procuring low-cost alerts for system administrators to inform them about new vulnerabilities and patch support for the systems they run. It is possible the states can use the federal contract to cover their systems.

The Bottom Line

Extremely rapid communication and unselfish sharing are prime characteristics of the hacker community. They tell each other about new techniques, share attack code, post lists of infected sites and run discussion groups on how to get around defenses. The user community, on the other hand, acts as if being hacked is the equivalent of being infected with a social disease. Security consultants hide what they know so they can sell to the highest bidder. In any war-like situation, if one side has near perfect communication and sharing while the other side is fragmented and selfish, the communicators generally win. The fight between criminals and defenders on the Internet is a war. States don't have enough money to fight the war alone -- and they wouldn't win it even if they did have enough money. Cooperative action to bring all systems and staff up to minimum benchmarks of security and skill is a rational behavior in a time of short money and rapidly rising threat.

Alan Paller is director of research for the SANS Institute, a cooperative education and research organization serving security professionals.
Special to Government Technology