
Note: This is an historic document. We are no longer maintaining the content, but it may have value for research purposes. Pages linked to from the document may no longer be available.

Computer Security

Testimony of Richard D. Pethia, Director, CERT® Centers
Software Engineering Institute
Carnegie Mellon University
Pittsburgh, PA 15213

Before the Committee on Government Reform Subcommittee on Government Management, Information, and Technology

March 9, 2000


Introduction

Mr. Chairman and Members of the Subcommittee on Government Management, Information, and Technology:

My name is Rich Pethia. I am the director of the CERT® Centers, which include the CERT® Coordination Center (CERT/CC) and the CERT® Analysis Center (CERT/AC). The centers are part of the Software Engineering Institute (SEI) at Carnegie Mellon University. Thank you for the opportunity to testify on the issue of computer security. Today I will describe a number of trends that have an impact on the security of the Internet, illustrate the results of those trends by describing the recent distributed denial-of-service attacks (DDoS), and outline steps I believe are needed to effectively manage the increasing risk of damage from cyber attacks.

My perspective comes from the work we do at the CERT Centers. The CERT Coordination Center was established at the SEI in 1988, after an Internet "worm" stopped 10% of the computers connected to the Internet. This program - the first Internet security incident to make headline news - was the wake-up call for network security. The CERT/CC went into operation in just two weeks with a charter to respond to security emergencies on the Internet and to work with both technology producers and technology users to facilitate response to emerging security problems. In the first full year of operation, 1989, the CERT/CC responded to 132 computer security incidents. In 1999, the staff responded to more than 8,000 incidents. In total, the CERT/CC staff has handled well over 24,000 incidents and analyzed more than 1,500 computer vulnerabilities. More details about our work are attached to the end of this testimony (see Meet the CERT Coordination Center).

The recently established CERT Analysis Center addresses the threat posed by rapidly evolving, technologically advanced forms of cyber attacks. Working with sponsors and associates, the CERT/AC collects and analyzes information assurance data to develop detection and mitigation strategies that provide high-leverage solutions to information assurance problems, including countermeasures for new vulnerabilities and emerging threats. The CERT Analysis Center builds upon the work of the CERT Coordination Center. The CERT Analysis Center extends current incident response capabilities by developing and transitioning protective measures and mitigation strategies to defend against advanced forms of attack before they are launched. Additionally, it provides the public and private sectors with opportunities for much-needed collaboration and information sharing to improve cyber attack defenses.


Vulnerability of the Internet and World Wide Web

Vulnerabilities associated with the Internet put government, business, and individual users at risk. Security measures that were appropriate for mainframe computers and small, well-defined networks inside an organization are not effective for the Internet, a complex, dynamic world of interconnected networks with no clear boundaries and no central control. Because the Internet was not originally designed with security in mind, it is difficult to ensure the integrity, availability, and privacy of information. The Internet was designed to be "open," with distributed control and mutual trust among users. As a result, control is in the hands of users, not in the hands of the provider, and use cannot be administered by a central authority. Furthermore, security issues are not well understood and are rarely given high priority by software developers, vendors, network managers, or consumers.

In addition, because the Internet is digital, not physical, it has no geographic location and no well-defined boundaries. Traditional physical "rules" are difficult or impossible to apply. Instead, new knowledge and a new point of view are required to understand the workings and the vulnerabilities of the Internet. Another factor is the approach typically taken by intruders. There is (loosely) organized development in the intruder community, with only a few months elapsing between "beta" software and active use in attacks. Moreover, intruders take an open-source approach to development. One can draw parallels with open system development: there are many developers and a large, reusable code base.

Intruder tools are becoming increasingly sophisticated and also becoming increasingly user friendly and widely available. For the first time, intruders are developing techniques to harness the power of hundreds of thousands of vulnerable systems on the Internet. Using what are called distributed-system attack tools, intruders can involve a large number of sites simultaneously, focusing all of them to attack one or more victim hosts or networks. The sophisticated developers of intruder programs package their tools into user-friendly forms and make them widely available. As a result, even unsophisticated intruders can use them.

The current state of Internet security is the result of many additional factors, such as the ones listed below. A change in any one of these can change the level of Internet security and survivability.

  • Because of the dramatically lower cost of communication on the Internet, use of the Internet is replacing other forms of electronic communication. The Internet itself is growing at an amazing rate. An additional 16 million computers connected to the Internet between July 1999 and January 2000, bringing the estimated total to 72.4 million.
  • There is a continuing movement to distributed, client-server, and heterogeneous configurations. As the technology is being distributed, so is the management of that technology. In these cases, system administration and management often fall upon people who do not have the training, skill, resources, or interest needed to operate their systems securely. The number of directly connected homes, schools, libraries and other venues without trained system administration and security staff is rapidly increasing. These "always-on, rarely-protected" systems allow attackers to continue to add new systems to their arsenal of captured weapons.
  • Internet sites have become so interconnected and intruder tools so effective that the security of any site depends, in part, on the security of all other sites on the Internet.
  • The difficulty of criminal investigation of cyber crime, coupled with the complexity of international law, means that successful apprehension and prosecution of computer criminals is unlikely, and thus little deterrent value is realized.
  • The Internet is becoming increasingly complex and dynamic, but among those connected to the Internet there is a lack of adequate knowledge about the network and about security. The rush to the Internet, coupled with a lack of understanding, is leading to the exposure of sensitive data and risk to safety-critical systems. Misconfigured or outdated operating systems, mail programs, and Web sites result in vulnerabilities that intruders can exploit. Just one naive user with an easy-to-guess password increases an organization's risk.
  • When vendors release patches or upgrades to solve security problems, organizations' systems often are not upgraded. The job may be too time-consuming, too complex, or just at too low a priority for the system administration staff to handle. With increased complexity comes the introduction of more vulnerabilities, so solutions do not solve problems for the long term - system maintenance is never-ending. Because managers do not fully understand the risks, they neither give security a high enough priority nor assign adequate resources. Exacerbating the problem is the fact that the demand for skilled system administrators far exceeds the supply.
  • As we face the complex and rapidly changing world of the Internet, comprehensive solutions are lacking. Among security-conscious organizations, there is increased reliance on "silver bullet" solutions, such as firewalls and encryption. The organizations that have applied a "silver bullet" are lulled into a false sense of security and become less vigilant, but single solutions applied once are neither foolproof nor adequate. Solutions must be combined, and the security situation must be constantly monitored as the technology changes and new exploitation techniques are discovered.
  • There is little evidence of improvement in the security features of most products; developers are not devoting sufficient effort to apply lessons learned about the sources of vulnerabilities. The CERT/CC routinely receives reports of new vulnerabilities. We continue to see the same types of vulnerabilities in newer versions of products that we saw in earlier versions. Technology evolves so rapidly that vendors concentrate on time to market, often minimizing that time by placing a low priority on security features. Until their customers demand products that are more secure, the situation is unlikely to change.
  • Engineering for ease of use is not being matched by engineering for ease of secure administration. Today's software products, workstations, and personal computers bring the power of the computer to increasing numbers of people who use that power to perform their work more efficiently and effectively. Products are so easy to use that people with little technical knowledge or skill can install and operate them on their desktop computers. Unfortunately, it is difficult to configure and operate many of these products securely. This gap leads to increasing numbers of vulnerable systems.


Distributed Denial-of-Service Tools

Because of the factors described above, organizations and individuals using the Internet are vulnerable to many kinds of cyber attacks, including the denial of service attacks that were widely publicized in February. Distributed attack tools based on the client/server model have become increasingly common. In recent months, there has been an increase in the development and use of distributed network sniffers, scanners, and denial-of-service tools. Attacks using these tools can involve a large number of sites simultaneously and be focused to attack one or more victim hosts or networks.

Damaged systems include those used in the attack as well as the targeted victim. For the victim, the impact can be extensive. For example, in a denial-of-service attack using distributed technology, the attacked system observes simultaneous attacks from all the nodes at once - flooding the network normally used to communicate and trace the attacks and preventing any legitimate traffic from traversing the network.

There are indications that the processes for discovering vulnerable sites, compromising them, installing daemons (programs used in the attack), and concealing the intrusion are largely automated, with each step being performed in "batch" mode against many machines in one "session." Attack daemons have been discovered on a variety of operating systems with varying levels of security and system management.

It is critical to plan and coordinate before an attack to ensure an adequate response when an attack actually happens. Since the attack methodology is complex and there is no single-point solution or "silver bullet," resolution and restoration of systems may be time-consuming. The bottom line is that an organization's systems may be subject at any time to distributed attacks that are extremely difficult to trace or defend against. Only partial solutions are available.

Although an organization may be able to "harden" its own systems to help prevent having its systems used as part of a distributed attack, there is essentially nothing a site can do with currently available technology to prevent becoming a victim of, for example, a coordinated network flood. The impact upon the site and its operations is dictated by the (in)security of other sites and the ability of a remote attacker to implant the tools and, subsequently, to control and direct multiple systems worldwide to launch an attack. The result may be reduced or unavailable network connectivity for extended periods of time, possibly days or even weeks depending upon the number of sites attacking and the number of possible attack networks that could be activated in parallel or sequentially.

Coordinated attacks across national boundaries have occurred. The tools and attacks demonstrate that a network that optimizes its technology for speed and reliability at the expense of security may experience neither speed nor reliability, as intruders abuse the network or deny its services. The intruder technology is evolving, and future tools may be more difficult to defeat.

Here are key points to note about distributed denial-of-service tools:

  • Intruders compromise systems through other means and install DDoS tools.
  • The DDoS tools often are equipped with a variety of different attack types.
  • Computers that are compromised with DDoS tools are aggregated into networks.
  • These networks act in unison to attack a single victim. Any computer on the Internet can be a victim.
  • The networks can be activated remotely at a later date by a "master" computer.
  • Communication between the master computer and the networks can be encrypted and obfuscated to make it very difficult to locate the master.
  • Once activated, the tools typically proceed on their own. No further communication is necessary on the part of the intruder - it is not possible to discover the master by tracing an ongoing attack. However, there may be evidence on one or more of the machines in the DDoS network regarding the true location of the master.
  • Attacks from the network to the victim typically employ techniques designed to obfuscate the true location of the machines in the DDoS network. This makes it difficult to recognize the traffic (and thus block it), to trace the traffic back from the victim to the nodes in the network, and to analyze an attack while it is in progress.
  • There are no proactive technical steps an organization can take to prevent becoming a victim. Everyone's security is intertwined. However, by preparing a response in advance, sites can significantly diminish the impact. For information on preparing to respond to these attacks, see the report on the results of a workshop that the CERT/CC organized in November 1999 to address the imminent threat posed by the tools:

    http://www.cert.org/reports/dsit_workshop-final.html

  • The tools are rapidly evolving but have not reached their full potential by any means.
  • The magnitude of the attacks can overwhelm even the largest networks.
  • Intruders are building networks of machines used in these attacks ranging in size from tens to hundreds of machines. It is likely that some networks are much larger.
  • The individual nodes in the network can be automatically updated by the master machines, enabling rapid evolution of tools on an existing base of compromised machines.
  • A variety of tools are available to detect DDoS tools. Each of these tools has weaknesses, and none is a general-purpose solution. Some of these tools can be found at

    http://www.fbi.gov/nipc/trinoo.htm
    http://staff.washington.edu/dittrich/misc/stacheldraht.analysis
    http://www.iss.net/cgi-bin/dbt-display.exe/db_data/press_rel/release/122899199.plt
    http://www.sans.org/y2k/stacheldraht.htm

  • Currently, there is a nearly inexhaustible supply of computers with well-known vulnerabilities that intruders can compromise and install DDoS tools on. Additionally, many networks are configured in a way that facilitates the obfuscation techniques used by intruders to conceal their identity. Information about how to configure networks properly is available at

    http://info.internet.isi.edu:80/in-notes/rfc/files/rfc2267.txt

  • An archive of DDoS tools can be found at

    http://packetstorm.securify.com/distributed/

  • The CERT/CC published advisories and other documents about this topic; for example,

    http://www.cert.org/advisories/CA-2000-01.html
    http://www.cert.org/advisories/CA-99-17-denial-of-service-tools.html
    http://www.cert.org/tech_tips/denial_of_service.html
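The point above about networks configured in a way that facilitates source-address obfuscation refers to the ingress filtering described in RFC 2267. The following is an added illustration, not code from the testimony or from the CERT/CC: a small simulation of an ISP edge router that forwards a customer's packet only if its source address belongs to a prefix assigned to that customer. The interface names, prefixes, and packet records are constructed for the example.

```python
"""Ingress-filtering demo in the spirit of RFC 2267 (added example)."""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network


@dataclass(frozen=True)
class Packet:
    """Minimal packet record: ingress interface, source and destination address."""
    ingress_iface: str
    src: str
    dst: str


# Constructed policy for a hypothetical ISP edge router: each customer-facing
# interface may only originate traffic from the prefixes assigned to that customer
# (documentation ranges from RFC 5737 are used as sample prefixes).
ALLOWED_SOURCE_PREFIXES = {
    "cust-a": [IPv4Network("192.0.2.0/24")],
    "cust-b": [IPv4Network("198.51.100.0/25"), IPv4Network("198.51.100.128/26")],
}


def ingress_allowed(pkt: Packet, policy=ALLOWED_SOURCE_PREFIXES) -> bool:
    """Return True if the packet's source address is legitimate for its ingress interface.

    Interfaces absent from the policy (for example the upstream transit link) are
    passed through unfiltered: RFC 2267 filtering is applied at the customer edge,
    where the set of valid source prefixes is known.
    """
    if pkt.ingress_iface not in policy:
        return True
    src = IPv4Address(pkt.src)
    return any(src in prefix for prefix in policy[pkt.ingress_iface])


def filter_traffic(packets, policy=ALLOWED_SOURCE_PREFIXES):
    """Split packets into forwarded and dropped; each dropped entry carries a reason."""
    forwarded, dropped = [], []
    for pkt in packets:
        if ingress_allowed(pkt, policy):
            forwarded.append(pkt)
        else:
            dropped.append((pkt, f"spoofed source {pkt.src} on {pkt.ingress_iface}"))
    return forwarded, dropped


# Constructed sample traffic: two legitimate packets, two with forged sources (the
# pattern a flooding daemon produces when hiding its real address), and one transit packet.
SAMPLE_PACKETS = [
    Packet("cust-a", "192.0.2.10", "203.0.113.5"),
    Packet("cust-b", "198.51.100.150", "203.0.113.5"),
    Packet("cust-a", "10.20.30.40", "203.0.113.5"),    # forged: not in cust-a's prefix
    Packet("cust-b", "192.0.2.10", "203.0.113.5"),     # forged: address belongs to cust-a
    Packet("upstream", "203.0.113.77", "192.0.2.10"),  # transit link, not filtered here
]

if __name__ == "__main__":
    fwd, drp = filter_traffic(SAMPLE_PACKETS)
    print(f"forwarded {len(fwd)}, dropped {len(drp)}")
    for pkt, reason in drp:
        print("DROP", reason)
```

The dropped entries are the log lines a defender would want from the edge: they identify which customer interface is emitting forged-source traffic, which is exactly the evidence that is unavailable once the packets reach the victim.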


Role of the CERT/CC in Distributed Denial-of-Service Attacks

The CERT Coordination Center constantly monitors trends and watches for new attack techniques and tools. As the attached timeline shows, we began seeing distributed denial-of-service tools in early 1998. Denial-of-service attacks are not new. (See, for example, the CERT advisories CA-96.21 on TCP "syn" flooding and CA-98.01 on "smurf" attacks, as well as a "tech tip" on denial-of-service attacks, which the CERT/CC wrote for system administrators in 1997.)

By fall 1999, it was evident that steps needed to be taken to deal with increasingly sophisticated intruder tools before they—and attacks using them—became widespread. On November 2-4, 1999, the CERT/CC invited 30 experts from around the world to address the problem of network attack tools that use distributed systems in increasingly sophisticated ways. During the Distributed-Systems Intruder Tools (DSIT) Workshop, participants discussed a large number of approaches to preventing, detecting, and responding to distributed attacks. The CERT/CC invited people who could contribute technically to the solutions regardless of their position in their home organization or their "political" stature in the community. Thus, the workshop effectively provided a venue for experts around the world to share experiences, gain a common understanding, and creatively brainstorm possible responses and solutions to this category of attack before the dissemination of the attack tools - and the attacks themselves - became widespread. A paper, Results of the Distributed-Systems Intruder Tools Workshop, is available on the CERT web site. This paper explains the threat posed by these intruder tools and provides suggestions for safeguarding systems from this type of malicious activity.

The CERT/CC continues to collaborate with the participants who attended the workshop and with an additional group of security experts to address the ongoing problem.

Earlier this month, Rich Pethia of the CERT/CC, Alan Paller of the SANS Institute, and Gene Spafford of Purdue University, prepared a Consensus Roadmap for Defeating Distributed Denial of Service Attacks for the Partnership for Critical Infrastructure Security. The most current version can be found on the SANS Institute web site.


Recommended Solutions

The problem is serious and complex, and a combination of approaches must be used to reduce the risks associated with the ever-increasing dependence on the Internet and the possibility of a sustained attack on it. Effective solutions require multi-disciplinary and cross-domain cooperation that includes information sharing and joint development of comprehensive solutions, as well as support for a long-term research agenda.

Support an established center for collecting, analyzing, and disseminating information assurance information.

The nature of threats to the Internet is changing rapidly and will continue to do so for the foreseeable future. The combination of rapidly changing technology, rapidly expanding use, and the continuously new and often unimagined uses of the Internet creates a volatile situation in which the nature of threats and vulnerabilities is difficult to assess and even more difficult to predict.

To help ensure the survivability of the Internet, and the information infrastructure as a whole, it is essential to continuously monitor and analyze cybersecurity threats and vulnerabilities and to identify trends in intrusion activity. The organization doing this should collect, analyze, and report on quantity, trends, and character of cybersecurity incidents. To obtain the required information, the organization must be well trusted throughout the community. Given the universal concerns about privacy and confidentiality and the inherently voluntary nature of reporting, the collection organization should be neither government nor commercial. Nor can it be responsible for public policy, investigation, enforcement, or other activities perceived as conflicting. Organizations that have suffered attacks are often unwilling to discuss their problems for fear of loss of confidence by their customers.

The CERT/CC is establishing an analysis center to expand its work of collecting and analyzing information assurance data. The goals are to identify trends and to develop detection and mitigation strategies that provide high-leverage solutions to information assurance problems, including countermeasures for new vulnerabilities and emerging threats. It takes advantage of the information dissemination channels already in place at the CERT/CC.

The CERT Analysis Center extends current incident response capabilities by developing and transitioning protective measures and mitigation strategies to defend against advanced forms of attack before they are launched. Additionally, it provides the public and private sectors with opportunities for much-needed collaboration and information sharing to improve cyber attack defenses.

The strength of the CERT/AC will come from contributions across the information technology community. SEI affiliate and visiting scientist programs provide an established model to integrate the contribution of diverse participants. These programs bring together members of academic, industry, and government organizations to address problems and meet common needs. The center provides the means for private sector firms to collaborate with technical staff from the CERT/AC on leading-edge information assurance research.

Research includes intruder tool analysis; that is, in-depth analysis of new and emerging cyber-attack methods in order to develop defenses and countermeasures that can be deployed before these new attack methods are widely used. Equally important is in-depth analysis of information technology vulnerabilities and malicious code in order to develop techniques that are effective at eliminating entire classes of vulnerabilities and entire families of malicious code.

Support the growth and use of global detection mechanisms.

One way to gain a global view of threats is to use the experience and expertise of incident response teams to identify new threats and vulnerabilities. The incident response team at the CERT/CC and other response teams have demonstrated their effectiveness at discovering and dealing with vulnerabilities and incidents. Ongoing operation and expansion of open, wide area networks will benefit from stronger response teams and response infrastructures.

Similarly, it is important to encourage Internet service providers to develop security incident response teams and other security improvement services for their customers. Many network service providers are well positioned to offer security services to their clients. These services should include helping clients install and operate secure network connections as well as mechanisms to rapidly disseminate vulnerability information and corrections.

Support education and training to raise the level of security.

As noted earlier, the security of each system on the Internet depends on the security of all other systems on the network. The interconnectedness and interdependency of systems pose a serious threat to commerce.

The combination of easy access and user-friendly interfaces has drawn users of all ages and from all walks of life. As a result, many users of the Internet have no more understanding of the technology than they do of the engineering behind other infrastructures. Similarly, many system administrators lack adequate knowledge about the network and about security, even while the Internet is becoming increasingly complex and dynamic. To encourage "safe computing," there are steps we believe the government could take:

  • Support the development of educational material and programs about cyberspace for all users, both adults and children. There is a critical need for education and increased awareness of the characteristics, threats, opportunities, and appropriate behavior in cyberspace. This need goes far beyond protecting children from pornography. It relates to how quickly cyberspace will be developed, to how rapidly and effectively cyberspace will be exploited for social and economic benefit, and to what influences will drive the economic, social, and political directions in cyberspace. In particular, support programs that provide early training in security practices and appropriate use. This training should be integrated into general education about computing. Children should learn early about acceptable and unacceptable behavior when they begin using computers just as they are taught about acceptable and unacceptable behavior when they begin using libraries.1 Although this recommendation is aimed at elementary and secondary school teachers, they themselves need to be educated by security experts and professional organizations. Parents need to be educated as well and should reinforce lessons in security and behavior on computer networks.

  • Invest in awareness campaigns that stress the need for security training for system administrators, network managers, and chief information officers. Building, operating, and maintaining secure networks are difficult tasks; and there are few educational and training programs that prepare people to perform them. Training will also enhance the ability of administrators and managers to use available technology for configuration management, network management, auditing, intrusion detection, firewalls, guards, wrappers, and cryptography.

    Furthermore, the increasing need for such roles in organizations of many sizes and descriptions has led to assigning information security responsibilities to inexperienced personnel with little or no training. In the short term, the greatest need is for short "how to" and "what to be aware of" courses. In the long term, there should be undergraduate-level or master's-level specialties in network and information security.

Support research and development in the areas of security and survivability of unbounded systems' architectures with distributed control.

It is critical to maintain a long-term view and invest in research toward systems and operational techniques that yield networks capable of surviving attacks while protecting sensitive data. In doing so, it is essential to seek fundamental technological solutions and to seek proactive, preventive approaches, not just reactive, curative approaches. The research agenda should seek new approaches to system security. These approaches should include design and implementation strategies, recovery tactics, strategies to resist attacks, survivability trade-off analysis, and the development of security architectures. Among the activities should be these:

  • Develop science-based engineering methods for information assurance specification and design through innovative adaptation of existing formal specification theory originally developed for other purposes.
  • Develop prototype tools to assess information assurance properties of specifications and designs by adapting core algorithms of existing theory-based analytical tools that were originally developed for other purposes.
  • Leverage past investment that has produced an extensive, but little used, body of knowledge in rigorous methods for system analysis and design in general, and for security and survivability in particular. Work needs to be done to extend and unify previous research to deal with new problems of information assurance in a coherent and integrated manner, and to make innovative use of existing research, technology, and tools.


Conclusion

The Internet has proven to be an engine that is driving a revolution in the way government, companies, and individuals conduct their business. Capitalizing on Internet opportunities, however, brings a new set of risks - risks that must be effectively managed. Because of the interconnectedness and interdependence among computer systems on the Internet, the security of each system depends on the security of all other systems on the network. For the United States to thrive on the Internet, cyber security efforts need to focus on reporting and monitoring threats and vulnerabilities, education and training, and research and development.



1. National Research Council, Computers at Risk: Safe Computing in the Information Age, National Academy Press, 1991, recommendation 3c, p. 37.


Prepared for presentation on the Web March 2000
