Testimony of Richard D. Pethia

Note: This is an historic document. We are no longer maintaining the content, but it may have value for research purposes. Pages linked to from the document may no longer be available.

Internet Security Issues

Testimony of Richard D. Pethia, Director, CERT® Centers
Software Engineering Institute
Carnegie Mellon University
Pittsburgh, PA 15213

Before the U.S. Senate Judiciary Committee

May 25, 2000

Introduction

Mr. Chairman and members of the Judiciary Committee:

My name is Richard Pethia. I manage the Survivable Systems Initiative and the CERT® Coordination Center (CERT/CC) at Carnegie Mellon University's Software Engineering Institute (SEI) in Pittsburgh, PA.

Thank you for the opportunity to testify on the role of the CERT/CC in dealing with Internet security issues. Today I will give some background on the CERT/CC, describe our experience with Internet security incidents, and outline some of the steps that I believe must be taken to reduce the impact of future security incidents.

Background

The CERT Coordination Center (CERT/CC) is located at the Software Engineering Institute (SEI), a federally funded research and development center at Carnegie Mellon University in Pittsburgh, Pennsylvania. Following the Internet Worm incident, which brought 10 percent of Internet systems to a halt in November 1988, the Defense Advanced Research Projects Agency (DARPA) charged the SEI with setting up a center to coordinate communication among experts during security emergencies and to help prevent future incidents. Since then, the CERT/CC has handled over 28,000 computer network security incidents and analyzed more than 1,500 vulnerabilities in network-related products. Over 80 incident response teams around the world have adopted the incident handling practices of the CERT/CC.

Today, the Defense Information Systems Agency, the General Services Administration, and the Federal Bureau of Investigation sponsor the CERT/CC's work. The CERT/CC provides assistance to computer system administrators in the Internet community who report security problems. When a security breach occurs, CERT/CC staff members help the administrators of the affected sites to identify and correct the vulnerabilities that allowed the incident to occur. The CERT/CC staff also coordinates the response with other sites affected by the same incident. When a site specifically requests it, CERT/CC staff members facilitate communication with law enforcement agencies.

The scale of emerging networks and the diversity of user communities make it impractical for a single organization to provide universal support for addressing computer security issues. Therefore, the CERT/CC staff regularly works with sites to help them form incident response teams and provides guidance to newly formed teams. The CERT/CC is also responsible for the day-to-day operations of the FedCIRC (Federal Computer Incident Response Capability) Operations Center, an organization that provides incident response and other security-related services to Federal civilian agencies. The General Services Administration (GSA) manages FedCIRC.

The CERT/CC also handles reports of vulnerabilities in commercial products. When we receive a vulnerability report, our vulnerability experts analyze the potential vulnerability and work with technology producers to inform them of security deficiencies in their products and to facilitate and track their response to these problems. Another source of vulnerability information comes from incident analysis. Repeated incidents of the same type often point to the existence of a vulnerability and, often, the existence of public information or automated tools for exploiting the vulnerability. To achieve long-term benefit from vulnerability analysis, we have begun to identify the underlying software engineering and system administration practices that lead to vulnerabilities and, conversely, practices that prevent vulnerabilities.

Our ongoing computer security incident response activities help the Internet community to deal with its immediate problems while allowing us to understand the scope and nature of the problems and of the community's needs. Our understanding of current security problems and potential solutions comes from first-hand experience with compromised sites on the Internet and subsequent analysis of security incidents, intrusion techniques, configuration problems, and software vulnerabilities.

As a result of our incident and vulnerability analysis work, we have a broad view of incident and vulnerability trends and characteristics. We communicate this information back to the community through online reports, presentations at conferences and workshops, and training courses. In addition, critical information about specific threats goes out to the Internet community through security alerts such as CERT advisories, incident notes, vulnerability notes, and vendor-initiated bulletins. The government receives early warnings through "special communications" to the Department of Defense (through their incident response teams), Federal civil agencies (through FedCIRC), and the FBI. This work is possible because the CERT/CC has become a major reporting center for incidents and vulnerabilities, which in turn rests on the staff members' established reputation for discretion and objectivity. As a result of the community's trust, we receive thousands of reports every year.

In addition to incident response and vulnerability handling, we also work on security improvement and network survivability.

In the area of security improvement we are defining security improvement practices to provide concrete, practical guidance that will help organizations improve the security of their networked computer systems. These practices are being published as security improvement modules and focus on best practices that address important problems in network security. We also transition these practices through courses offered by the SEI and by the SEI's transition partners.

Our staff members are also developing a comprehensive, repeatable technique for identifying vulnerabilities in networked systems through self-evaluation. The information security self-evaluation takes into consideration policy, management, administration, and other organizational issues, as well as technology, to provide a comprehensive view of the information security state of an organization. We see this evaluation method as a key component of an overarching security improvement framework that allows an organization to maintain an acceptable level of security by quickly adapting to changes in the internal and external environments.

In the area of network survivability, we are concentrating on the technical basis for identifying and preventing security flaws and for preserving essential services in the event of intrusions, accidents, or failures. This work draws on the incident data collected by the CERT/CC. We are developing a survivable network analysis method, which uses a structured architectural specification of an existing or proposed network application to determine the most likely points in the architecture where accidents and/or intrusions could cause the mission of the application to fail. This method leverages SEI expertise in risk and architectural analysis, network intrusion expertise, and vulnerability analysis. It is applied to a selected system by a SEI assessment team working with system architects and stakeholders. Survivable network analysis identifies essential services and assets of the application that must survive intrusion, evaluates its ability to withstand attack, and recommends architecture strategies to mitigate vulnerabilities that are uncovered. The method is designed to scale to highly distributed systems in unbounded domains such as the Internet, for which traditional security techniques are inadequate. Along with the analysis method, our staff is building a simulator to explore survivability characteristics of large networked applications in an environment of limited administrative control. This will enhance the analysis of national infrastructures dependent on information systems that are interconnected and interdependent. This simulator will be used as part of a more advanced analysis technique for networked applications and network protocols. The simulator will help us understand how cascade effects and other complex failures arise from large networked domains where administrative control is localized but there is a dependence on network elements beyond this administrative control.

Vulnerability of the Internet and World Wide Web

Vulnerabilities associated with the Internet put government, business and individual users at risk. Security measures that were appropriate for mainframe computers and small, well-defined networks inside an organization are not effective for the Internet, a complex, dynamic world of interconnected networks with no clear boundaries and no central control. Because the Internet was not originally designed with security in mind, it is difficult to ensure the integrity, availability, and privacy of information. The Internet was designed to be "open," with distributed control and mutual trust among users. As a result, control is in the hands of users, not in the hands of the provider; and a central authority cannot administer use. Furthermore, security issues are not well understood and are rarely given high priority by software developers, vendors, network managers, or consumers.

In addition, because the Internet is digital, not physical, it has no geographic location and no well-defined boundaries. Traditional physical "rules" are difficult or impossible to apply. Instead, new knowledge and a new point of view are required to understand the workings and the vulnerabilities of the Internet.

Another factor is the approach typically taken by the intruder community. There is (loosely) organized development in the intruder community, with only a few months elapsing between "beta" software and active use in attacks. Moreover, intruders take an open-source approach to development. One can draw parallels with open system development: there are many developers and a large, reusable code base.

Intruder tools are becoming increasingly sophisticated and also are becoming increasingly user friendly and widely available. For the first time, intruders are developing techniques to harness the power of hundreds of thousands of vulnerable systems on the Internet. Using what are called distributed-system attack tools, intruders can involve a large number of sites simultaneously, focusing all of them to attack one or more victim hosts or networks. The sophisticated developers of intruder programs package their tools into user-friendly forms and make them widely available. As a result, even unsophisticated intruders can use them.

The current state of Internet security is the result of many additional factors, such as the ones listed below. A change in any one of these can change the level of Internet security and survivability.

  • Because of the dramatically lower cost of communication on the Internet, use of the Internet is replacing other forms of electronic communication. The Internet itself is growing at an amazing rate, as noted in an earlier section.
  • There is a continuing movement to distributed, client-server, and heterogeneous configurations. As the technology is being distributed, so is the management of that technology. In these cases, system administration and management often fall upon people who do not have the training, skill, resources, or interest needed to operate their systems securely. The number of directly connected homes, schools, libraries and other venues without trained system administration and security staff is rapidly increasing. These "always-on, rarely-protected" systems allow attackers to continue to add new systems to their arsenal of captured weapons.
  • Internet sites have become so interconnected and intruder tools so effective that the security of any site depends, in part, on the security of all other sites on the Internet.
  • The difficulty of criminal investigation of cybercrime coupled with the complexity of international law mean that successful apprehension and prosecution of computer criminals is unlikely, and thus little deterrent value is realized.
  • The Internet is becoming increasingly complex and dynamic, but among those connected to the Internet there is a lack of adequate knowledge about the network and about security. The rush to the Internet, coupled with a lack of understanding, is leading to the exposure of sensitive data and risk to safety-critical systems. Misconfigured or outdated operating systems, mail programs, and Web sites result in vulnerabilities that intruders can exploit. Just one naive user with an easy-to-guess password increases an organization's risk.
  • When vendors release patches or upgrades to solve security problems, organizations' systems often are not upgraded. The job may be too time-consuming, too complex, or just at too low a priority for the system administration staff to handle. With increased complexity comes the introduction of more vulnerabilities, so solutions do not solve problems for the long term; system maintenance is never-ending. Because managers do not fully understand the risks, they neither give security a high enough priority nor assign adequate resources. Exacerbating the problem is the fact that the demand for skilled system administrators far exceeds the supply.
  • As we face the complex and rapidly changing world of the Internet, comprehensive solutions are lacking. Among security-conscious organizations, there is increased reliance on "silver bullet" solutions, such as firewalls and encryption. The organizations that have applied a "silver bullet" are lulled into a false sense of security and become less vigilant, but single solutions applied once are neither foolproof nor adequate. Solutions must be combined, and the security situation must be constantly monitored as technology changes and new exploitation techniques are discovered.
  • There is little evidence of improvement in the security features of most products; developers are not devoting sufficient effort to apply lessons learned about the sources of vulnerabilities. The CERT Coordination Center routinely receives reports of new vulnerabilities. We continue to see the same types of vulnerabilities in newer versions of products that we saw in earlier versions. Technology evolves so rapidly that vendors concentrate on time to market, often minimizing that time by placing a low priority on security features. Until their customers demand products that are more secure, the situation is unlikely to change.
  • Engineering for ease of use is not being matched by engineering for ease of secure administration. Today's software products, workstations, and personal computers bring the power of the computer to increasing numbers of people who use that power to perform their work more efficiently and effectively. Products are so easy to use that people with little technical knowledge or skill can install and operate them on their desktop computers. Unfortunately, it is difficult to configure and operate many of these products securely. This gap leads to increasing numbers of vulnerable systems.

Solutions

While it is important to react to crisis situations when they occur, it is just as important to recognize that information assurance is a long-term problem. The Internet and other forms of communication systems will continue to grow and interconnect. More and more people and organizations will conduct business and become otherwise dependent on these networks. More and more of these organizations and individuals will lack the detailed technical knowledge and skill that is required to effectively protect systems today. More and more attackers will look for ways to take advantage of the assets of others or to cause disruption and damage for personal or political gain. The network and computer technology will evolve and the attack technology will evolve along with it. Many information assurance solutions that work today will not work tomorrow.

Managing the risks that come from this expanded use and dependence on information technology requires an evolving strategy that stays abreast of changes in technology, changes in the ways we use the technology, and changes in the way people attack us through our systems and networks. To move forward, we will need to make improvements to existing capabilities as well as fundamental changes to the way technology is developed, packaged, and used.

  • Enhanced incident response capabilities — The incident response community has handled most incidents well, but is now being strained beyond its capacity. In the future, we can expect to see multiple broad-based attacks launched at the Internet at the same time. With its limited resources, the response community will fragment, dividing its attention across the problems, thereby slowing progress on each. In addition, system operators will be confused as they try to understand if they are dealing with one problem with multiple symptoms or with multiple, simultaneous problems. New forms of communications must be developed that provide system operators with near real-time status on network security events with less person-to-person interaction than is required today. Incident response organizations must develop more effective ways to analyze security events and vulnerability data and to disseminate the results of the analysis to their constituents quickly. The mechanisms we have today work in units of hours and days, more time than we will have when faced with widespread, rapidly moving problems.
  • Changes in technology development, packaging and use — In the long term, it is unrealistic to expect that response organizations and system administrators, even with highly automated procedures, will be able to stay ahead of problems that move at Internet speed. While response teams will always be needed to handle new threats and unprecedented situations, technology producers must recognize that their products are being used in hostile environments and take steps to ensure that their products are fit for use in those environments. Computers and software are becoming more powerful and more interconnected. At the same time, the average level of technical understanding of system users is declining. Powerful computers and software that anyone and everyone can use, without having a deep understanding of the technology, are now available. In this environment, a security approach based on "user-beware" is unacceptable. The systems are too complex for this approach to work. The long-term solutions required are a combination of the following.
  • Virus-resistant/proof software — There is nothing intrinsic about digital computers or software that makes them vulnerable to virus attack or infestation. Viruses propagate and infect systems because of design choices that have been made by computer and software designers. Designs that allow the import of executable code, in one form or another, and allow the unconstrained execution of that code on the machine that received it, are the designs that are susceptible to viruses and their effects. Unconstrained execution allows code developers (e.g. macro-code developers) to take full advantage of a system's capabilities, but does so with the side effect of making the system vulnerable to virus attack. To effectively control viruses in the long term, vendors must provide systems and software that constrain the execution of imported code, especially code that comes from unknown or not-trusted sources. Some techniques to do this have been known for decades. Others, such as "sandbox" techniques, have been more recently developed.
  • Widespread use of strong authentication — many forms of attack are successful partly because attackers are able to masquerade (in either direct attacks or indirect attacks launched through viruses) as being someone that the attack target knows. Carefully implemented authentication technology, such as digital signatures, that is in widespread use would allow people to reject messages, documents and code from unknown sources. This would have an immediate impact of inhibiting the spread of email carried viruses. Strong cryptographic technology exists today to provide integrity and authentication, but it is not in widespread use. Widespread deployment will require secure, manageable key distribution infrastructures, and research and development to produce these infrastructures should be accelerated.
  • High-security default configurations — With the complexity of today's products, properly configuring systems and networks to use the strongest security built into the products is difficult, even for people with strong technical skills and training. Small mistakes can leave systems vulnerable and put users at risk when connected to the Internet. Vendors can help reduce the impact of security problems by shipping products with configurations that enable security options rather than require the user to enable them. The user can lower these "default" configurations if desired, but the defaults should provide the best security possible unless the user takes explicit steps to reduce it.
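The two preceding points, constraining the execution of imported code and using digital signatures to reject code from unknown sources, fit together naturally: the signature check decides the origin, and the origin decides what the imported code is allowed to do. The following is an added example written for this page; it is not code from the testimony or from the CERT/CC. It assumes a toy line-oriented "macro" language with three operations (print, readfile, send), a hypothetical SignedCode envelope and TrustStore type, and Ed25519 signatures from Go's standard library. The macro text and the keys are constructed inside the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
	"strings"
)

// SignedCode is a hypothetical envelope for imported "macro" code: the
// signer's public key, the code, and an Ed25519 signature over the code.
type SignedCode struct {
	SenderKey ed25519.PublicKey
	Code      []byte
	Signature []byte
}

// TrustStore holds the public keys the recipient has chosen to accept, hex-indexed.
type TrustStore map[string]bool

func (t TrustStore) Trust(pk ed25519.PublicKey) { t[hex.EncodeToString(pk)] = true }

// Trusted reports whether the key is in the store AND the signature verifies over
// the code. The length check matters: ed25519.Verify panics on a malformed key.
func (t TrustStore) Trusted(c SignedCode) bool {
	if len(c.SenderKey) != ed25519.PublicKeySize || !t[hex.EncodeToString(c.SenderKey)] {
		return false
	}
	return ed25519.Verify(c.SenderKey, c.Code, c.Signature)
}

// Sign produces the envelope a sender ships alongside its macro.
func Sign(priv ed25519.PrivateKey, code []byte) SignedCode {
	pub := priv.Public().(ed25519.PublicKey)
	return SignedCode{SenderKey: pub, Code: code, Signature: ed25519.Sign(priv, code)}
}

var ErrDenied = errors.New("operation denied by sandbox policy")

// PolicyFor is the allowlist of macro ops by origin: unknown code may only compute
// and print; only trusted code may touch files or the network. Default is deny.
func PolicyFor(trusted bool) map[string]bool {
	p := map[string]bool{"print": true}
	if trusted {
		p["readfile"], p["send"] = true, true
	}
	return p
}

// Run interprets a toy line-oriented macro language ("op arg...") under an allowlist,
// stopping at the first op the policy rejects. Side effects are only simulated.
func Run(code string, allowed map[string]bool) ([]string, error) {
	var trace []string
	for _, line := range strings.Split(code, "\n") {
		fields := strings.Fields(line)
		if len(fields) == 0 {
			continue // blank line
		}
		op, arg := fields[0], strings.Join(fields[1:], " ")
		if !allowed[op] {
			return trace, fmt.Errorf("%w: %q", ErrDenied, op)
		}
		switch op {
		case "print":
			trace = append(trace, arg)
		case "readfile", "send":
			trace = append(trace, "would "+op+" "+arg) // real code would do the I/O here
		}
	}
	return trace, nil
}

// Scenario imports one constructed macro three ways: signed by a trusted key, signed
// by a trusted key but altered in transit, and signed by a key the recipient has
// never seen. It returns each import's trust decision and the error Run produced.
func Scenario() (trusted [3]bool, errs [3]error) {
	pubA, privA, _ := ed25519.GenerateKey(rand.Reader)
	_, privB, _ := ed25519.GenerateKey(rand.Reader)
	ts := TrustStore{}
	ts.Trust(pubA)
	macro := []byte("print hello\nreadfile /etc/passwd\nsend attacker.example")
	good := Sign(privA, macro)
	tampered := good
	tampered.Code = []byte("print hello\nsend attacker.example") // body changed after signing
	stranger := Sign(privB, macro)
	for i, c := range []SignedCode{good, tampered, stranger} {
		trusted[i] = ts.Trusted(c)
		_, errs[i] = Run(string(c.Code), PolicyFor(trusted[i]))
	}
	return trusted, errs
}

func main() {
	trusted, errs := Scenario()
	for i, name := range []string{"trusted signer", "tampered body", "unknown signer"} {
		fmt.Printf("%-15s trusted=%v err=%v\n", name, trusted[i], errs[i])
	}
}
```

Two design choices carry the weight here. The policy is an allowlist, so an operation the interpreter has never heard of is denied rather than run, and the signature is verified before a single line of the macro is parsed, so a tampered or unsigned body never gets the trusted policy. Note also that the example does not refuse unknown code outright, which is the stricter option the testimony describes; it runs such code with print-only capabilities, which is the "sandbox" alternative.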

Conclusion

The recent rash of attacks on the Internet demonstrates how quickly automated attacks can spread across the network and hints at the kind of damage that can be done. Incident response organizations are able to limit damage by working effectively together to analyze the problem, synthesize solutions, and alert the community to the need to take corrective action. With the attacks we can expect to see in the future, response organizations will need expanded resources and new techniques to act quickly and effectively. Response organizations will always have a role to play in identifying new threats and dealing with unprecedented problems, but response methods will not be able to react at Internet speeds with complicated viruses or with multiple, simultaneous attacks of different types.

The long-term solutions to the problems represented by new forms of automated attack will require fundamental changes to the way technology is developed, packaged and used. It is critical that system operators and product developers recognize that their systems and products are now operating in hostile environments. Operators must demand, and developers must produce, products that are fit for use in this environment. As new forms of attack are identified and understood, developers must change their designs to protect systems and networks from these kinds of attack.

Copyright 2000 Carnegie Mellon University.

CERT® and CERT Coordination Center® are registered in the U.S. Patent and Trademark Office.

This page was last updated on May 26, 2000.