CERT
 
Publications Catalog Historical Documents CERT Contact Information CERT Statistics Meet CERT Employment Opportunities
 

Note: This is an historic document. We are no longer maintaining the content, but it may have value for research purposes. Pages linked to from the document may no longer be available.

Information Technology—Essential But Vulnerable: Internet Security Trends

Testimony of Richard D. Pethia, Director, CERT® Centers
Software Engineering Institute
Carnegie Mellon University
Pittsburgh, PA 15213

Before the House Committee on Government Reform, Subcommittee on Government Efficiency, Financial Management and Intergovernmental Relations

November 19, 2002

Contents:

Introduction

Mr. Chairman and Members of the Subcommittee:

My name is Rich Pethia. I am the director of the CERT® Centers. Thank you for the opportunity to testify on computer security issues that affect the government. Today I will discuss the vulnerability of information technology on the Internet, including information about recent security trends, and steps I believe we must take to better protect our critical systems from future attacks.

My perspective comes from the work we do at the CERT Centers, which are part of the Survivable Systems Initiative of the Software Engineering Institute, a federally funded research and development center operated by Carnegie Mellon University. We have 14 years of experience with computer and network security. The CERT Coordination Center (CERT/CC) was established in 1988, after an Internet "worm" became the first Internet security incident to make headline news, acting as a wake-up call for network security. In response, the CERT/CC was established at the SEI. The center was activated in just two weeks, and we have worked hard to maintain our ability to react quickly. The CERT/CC staff has handled well over 173,000 incidents and cataloged more than 8,000 computer vulnerabilities.

The CERT Analysis Center, established just two years ago, addresses the threat posed by rapidly evolving, technologically advanced forms of cyber attacks. Working with sponsors and associates, the CERT Analysis Center collects and analyzes information assurance data to develop detection and mitigation strategies that provide high-leverage solutions to information assurance problems, including countermeasures for new vulnerabilities and emerging threats. The ultimate goal of this work is to predict technologically sophisticated cyber attacks and develop defensive measures to protect against them before they are launched. The CERT Analysis Center builds upon the work of the CERT Coordination Center.

The CERT Centers are now recognized by both government and industry as a neutral, authoritative source of data and expertise on information assurance. In addition to handling reports of computer security breaches and vulnerabilities in network-related technology, we identify preventive security practices, conduct research, and provide training to system administrators, managers, and incident response teams.

The Growing Risk

Government, commercial, and educational organizations depend on computers to such an extent that day-to-day operations are significantly hindered when the computers are "down." Currently, many of the day-to-day operations depend upon connections to the Internet and other interconnected networks, and new connections are continuously being made. The Internet Domain Survey (http://www.isc.org/ds/) reports that the Internet grew from 109 million computers in January 2001 to more than 147 million in January 2002.

Computers have become such an integral part of American government and business that computer-related risks cannot be separated from national defense, general safety, health, business, and privacy risks. Valuable government and business assets, along with critical services, are now at risk over the Internet and other information infrastructures. For example, citizen and personnel information may be exposed to intruders. Public safety services, health services, defense operations, and commerce conducted over the networks can be disrupted. Financial data, intellectual property, and strategic plans may be at risk. The widespread use of databases threatens the privacy of individuals. Increased use of computers in safety-critical applications, including the storage and processing of medical records data, increases the chance that accidents or attacks on computer systems can cost people their lives.

Today there is rapid movement toward increased use of interconnected networks for a broad range of activities, including defense, commerce, education, entertainment, operation of government, and supporting the delivery of safety, health, and other human services. Although this trend promises many benefits, it also poses many risks. Techniques that have worked in the past for securing systems are not effective in the current world of networks without well-defined boundaries, mobile computing, distributed applications, and dynamic computing. It is easy to exploit the many security holes in our networks and in the software commonly used in conjunction with it; and it is easy to hide the true origin and identity of the people doing the exploiting. Many of our information systems are easily accessible to anyone with a computer and a network connection. Individuals and organizations worldwide can reach any point on the network without regard to national or geographic boundaries.

The Growing Threat

Our increasing dependency on these networked systems is being matched by an increase in the number of attacks aimed at these systems. The CERT Coordination Center alone, one of more than 200 computer security incident response teams globally, has seen a dramatic increase in incidents reported over the last four years: from 3,734 incidents reported in 1998 to over 52,000 incidents reported in 2001. At current rates, the number of incident reports for 2002 is estimated to top 97,000. Other teams are reporting similar growth in the number of incidents reported to them.

These attacks have been aimed at systems across government and industry and have led to loss and compromise of sensitive data, system damage, lost productivity because of system down time, financial loss, and loss of reputation and customer confidence. Virus and worm attacks alone have resulted in hundreds of millions of dollars of loss in just the last twelve months.

While many of the attacks on the Internet today could be classified as nuisance activities, there is growing evidence that criminals and terrorists view the Internet as a tool to reach their goals.

The capabilities and opportunities provided by the Internet have transformed many legitimate business activities, augmenting the speed, ease, and range with which transactions can be conducted while also lowering many of the costs. Criminals have also discovered that the Internet can provide new opportunities and multiple benefits for illicit business. The dark side of the Internet involves not only fraud and theft, pervasive pornography and pedophile rings, but also drug trafficking and criminal organizations that are more concerned about exploitation than the kind of disruption that is the focus of the more general intruder community.

Cyber Space and Physical Space Are One

Most threatening of all is the link between cyber space and physical space. Supervisory control and data acquisition (SCADA) systems and other forms of networked computer systems have for years been used to control power grids, gas and oil distribution pipelines, water treatment and distribution systems, hydroelectric and flood control dams, oil and chemical refineries, and other physical systems. Increasingly, these control systems are being connected to communications links and networks to reduce operational costs by supporting remote maintenance, remote control, and remote update functions. These computer-controlled and network-connected systems are potential targets of individuals bent on causing massive disruption and physical damage.

This is not just theory; actual attacks have caused major operational problems. Attacks against wastewater treatment systems in Australia, for example, led to the release of hundreds of thousands of gallons of sludge.

A recent article in the Washington Post 1 reports that our growing dependence on computer-controlled and network-connected infrastructures—and the damage that could result from cyber attacks against those infrastructures—has not gone unnoticed by terrorist organizations. As the article reports: "…U.S. investigators have found evidence in the logs that mark a browser's path through the Internet that al Queda operators spent time on sites that offer software and programming instructions for the digital switches that run power, water, transport, and communications grids." And "…al Queda prisoners have described intentions, in general terms, to use those tools."

The Internet is Attractive to Attackers

Compared with other critical infrastructures, the Internet seems to be a virtual breeding ground for attackers. There is (loosely) organized attack tool development in the intruder community, with only a few months elapsing between "beta" software and active use in attacks. Moreover, intruders take an open-source approach to development. There are parallels with open system development: many developers and a large, reusable code base.

Intruders are also developing techniques to harness the power of hundreds of thousands of vulnerable systems on the Internet. Using what are called distributed-system attack tools, intruders can harness a large number of compromised computers simultaneously, focusing all of them to attack one or more victim computers or networks. In addition, sophisticated developers of intruder programs package their tools into user-friendly forms and take advantage of the Internet to make them widely available. As a result, even technically unsophisticated intruders can use them to cause serious damage.

Unfortunately, Internet attacks in general, and denial-of-service attacks in particular, remain easy to accomplish, hard to trace, and a low risk to the attacker.

Internet Attacks Are Easy

Both the nature of Internet users and the nature of the Internet itself make attacks easy. Internet users place unwarranted trust in the network. It is common for sites to be unaware of the amount of trust they actually place in the infrastructure of the Internet and its protocols. The Internet was originally designed for robustness from attacks or events that were external to the Internet infrastructure; that is, physical attacks against the underlying physical wires and computers that make up the system. The Internet was not designed to withstand internal attacks—attacks by people who are part of the network; and now that the Internet has grown to encompass so many sites, hundreds of millions of users are effectively inside the network.

The Internet is primarily based on protocols (rules and conventions) for sharing electronically stored information, and a break-in is not physical as it would be, for example, in the case of a power plant. It is one thing to be able to break into a power plant, cause some damage, then escape. But if a power plant were like the Internet, intruders would be able to stay inside the plant undetected for weeks. They would come out at night to wander through the plant, dodging a few guards and browsing through offices for sensitive information. They would hitch a ride on the plant's vehicles to gain access to other plants, cloning themselves if they wished to be in both places at once. The openness of the network and the availability of easy access provide intruders with many paths to successful attacks.

Internet Attacks Are Difficult to Trace

Internet protocols make it easy for attackers hide their identity and location on the network. Information on the Internet is transmitted in packets, each containing information about the origin and destination—senders provide their return address, but they can lie about it. Most of the Internet is designed to merely forward packets one step closer to their destination with no attempt to make a record of their source. Unlike traditional paper mail, there is not even a postmark to indicate generally where a packet originated. It requires close cooperation among sites and up-to-date equipment to trace malicious packets during an attack.

Moreover, the Internet is designed to allow packets to flow easily across geographical, administrative, and political boundaries. Consequently, cooperation in tracing a single attack may involve multiple organizations and jurisdictions, most of which are not directly affected by the attack and may have little incentive to invest time and resources in the effort.

This means that it is easy for an adversary to use a foreign site to launch attacks against U.S. systems. The attacker enjoys the added safety of the need for international cooperation in order to trace the attack, compounded by impediments to legal investigations. It is common to see U.S.-based attackers gain this safety by first breaking into one or more foreign sites before coming back to attack their desired target in the U.S.

Internet Attacks Are Low Risk

Failed attempts to break into physical infrastructures involve a number of federal offenses; such events have a long history of successful prosecutions. This is not the case for Internet intrusions. Because attacks against the Internet typically do not require the attacker to be physically present at the site of the attack, the risk of being identified is reduced. In addition, it is not always clear when certain events should be cause for alarm. For example, what appear to be probes and unsuccessful attacks may actually be the legitimate activity of network managers checking the security of their systems. Even in cases where organizations monitor their systems for illegitimate activity, which occurs in only a small minority of Internet-connected sites, real break-ins often go undetected because it is difficult to identify illegitimate activity. In the case of cross-site scripting, web users trigger malicious code without even knowing they have done so, and web sites can unknowingly pass the code along. Finally, as mentioned earlier, because intruders cross multiple geographical and legal domains, there are difficult legal issues involved in pursuing and prosecuting them.

Our Systems are Vulnerable

Last year, the CERT/CC received 2,437 vulnerability reports, more than double the number of the previous year. In the first three quarters of 2002, we have already received 3,222 reports and expect over 4,300 reports by the end of this year. These vulnerabilities are caused by software designs that do not adequately protect Internet-connected systems and by development practices that do not focus sufficiently on eliminating implementation flaws that result in security problems.

There is little evidence of movement toward improvement in the security of most products; software developers do not devote enough effort to applying lessons learned about the causes of vulnerabilities. We continue to see the same types of vulnerabilities in newer versions of products that we saw in earlier versions. Technology evolves so rapidly that vendors concentrate on time to market, often minimizing that time by placing a low priority on the security of their products. Until customers demand products that are more secure or there are changes in the way legal and liability issues are handled, the situation is unlikely to change.

Additional vulnerabilities come from the difficulty of securely configuring operating systems and applications software packages. These products are often shipped to customers with security features disabled, forcing the technology user to go through the difficult and error-prone process of properly enabling the security features they need. While the current practices allow the user to more quickly use the product and reduce the number of calls to the product vendor's service center when a product is released, it results in many Internet-connected systems that are misconfigured from a security standpoint.

Attack Technology is Advancing

CERT/CC experience shows that there has been a steady advance in the sophistication and effectiveness of attack technology. Intruders quickly develop exploit scripts for vulnerabilities discovered in products. They then use these scripts to compromise computers and, as mentioned earlier, share these scripts so that more attackers can use them. These scripts are combined with other forms of technology to develop programs that automatically scan the network for vulnerable systems, attack them, compromise them, and use them to spread the attack even further.

These new attack technologies are causing damage more quickly than those created in the past. The Code Red worm spread around the world faster in 2001 than the so-called Morris worm moved through U.S. computers in 1988, and faster than the Melissa virus in 1999. With the Code Red worm, there were days between first identification and widespread damage. Just months later, the Nimda worm caused serious damage within an hour of the first report of infection.

In the past, intruders found vulnerable computers by scanning each computer individually, in effect limiting the number of computers that could be compromised in a short period of time. Now intruders use worm technology to achieve exponential growth in the number of computers scanned and compromised. They can now reach tens of thousands of computers in minutes where it once took weeks or months.

This fast exploitation limits the time security experts like those at the CERT/CC have to analyze the problem and warn the Internet community. Likewise, system administrators and users have little time to protect their systems.

Fixing Vulnerable Systems is Difficult

With an estimated 4,000 (and climbing) vulnerabilities being discovered each year, system and network administrators are in a difficult situation. They are challenged with keeping up with all the systems they have and all the patches released for those systems. Patches can be difficult to apply and might even have unexpected side effects. We have found that, after a vendor releases a security patch, it takes a long time for system administrators to fix all the vulnerable computer systems. It can be months or years before the patches are implemented on 90-95 percent of the vulnerable computers. For example, we still receive reports of outbreaks of the Melissa virus, which exploits vulnerabilities that are more than three years old.

There are a variety of reasons for the delay. The job might be too time-consuming, too complex, or just given too low a priority for the system administration staff to handle. With increased complexity comes the introduction of more vulnerabilities, so solutions do not solve problems for the long term—system maintenance is never-ending. Because many managers do not fully understand the risks, they neither give security a high enough priority nor assign adequate resources. Exacerbating the problem is the fact that the demand for skilled system administrators far exceeds the supply.

Even in an ideal situation, conscientious system administrators cannot adequately protect their computer systems because other system administrators and users, including home users, do not adequately protect their systems. Incident reports to the CERT/CC indicate that many people do not keep their anti-virus software up to date; and they do not apply patches to close vulnerabilities. Computers on the Internet are extremely interdependent. The security of each system on the Internet affects the security of every other system.

Reactive Solutions Have Limited Effectiveness

For the past 14 years, we have relied heavily on the ability of the Internet community as a whole to react quickly enough to security attacks to ensure that damage is minimized and attacks are quickly defeated. Today, however, it is clear that we are reaching the limits of effectiveness of our reactive solutions. While individual response organizations are all working hard to streamline and automate their procedures and are working together to better coordinate activities, a number of factors have combined to limit the effectiveness of reactive solutions:
  • The number of vulnerabilities in commercial off-the-shelf software is now at the level that it is virtually impossible for any but the best resourced organizations to keep up with the vulnerability fixes.

  • The Internet now connects over 162,000,000 computers and continues to grow at a rapid pace. At any point in time, there are hundreds of thousands of connected computers that are vulnerable to one form of attack or another.

  • Attack technology has now advanced to the point where it is easy for attackers to take advantage of these vulnerable machines and harness them together to launch high-powered attacks.

  • Many attacks are now fully automated and spread at nearly the speed of light across the entire Internet community.

  • The attack technology has become increasingly complex and in some cases intentionally stealthy, thus increasing the time it takes to discover and analyze the attack mechanisms in order to produce antidotes.

  • Internet users have become increasingly dependent on the Internet and now use it for many critical applications as well as online business transactions. Even relatively short interruptions in service cause significant economic loss and can jeopardize critical services.
These factors, taken together, indicate that we can expect many attacks to cause significant economic losses and service disruptions within even the best response times that we can realistically hope to achieve. Aggressive, coordinated response will continue to be necessary, but we must also move quickly to put other solutions in place.

Recommended Actions

Working our way out of the vulnerable position we are in requires a multi-pronged approach that helps us deal with the escalating near-term problem while at the same time building stronger foundations for the future. The work that must be done includes achieving these changes:
  • Higher quality information technology products with security mechanisms that are better matched to the knowledge, skills, and abilities of today's system managers, administrators, and users

  • Wider adoption of risk analysis and risk management policies and practices that help organizations identify their critical security needs, assess their operations and systems against those needs, and implement security improvements identified through the assessment process

  • Expanded research programs that lead to fundamental advances in computer security

  • A larger number of technical specialists who have the skills needed to secure large, complex systems

  • Increased and ongoing awareness and understanding of cyber-security issues, vulnerabilities, and threats by all stakeholders in cyber space

Higher quality products: In today's Internet environment, a security approach based on "user beware" is unacceptable. The systems are too complex and the attacks happen too fast for this approach to work. Fortunately, good software engineering practices can dramatically improve our ability to withstand attacks. The solutions required are a combination of the following:

  • Virus-resistant/virus-proof software - There is nothing intrinsic about digital computers or software that makes them vulnerable to viruses, which propagate and infect systems because of design choices that have been made by computer and software designers. Designs are susceptible to viruses and their effects when they allow the import of executable code, in one form or another, and allow the unconstrained execution of that code on the machine that received it. Unconstrained execution allows code developers to easily take full advantage of a system's capabilities, but does so with the side effect of making the system vulnerable to virus attack. To effectively control viruses in the long term, vendors must provide systems and software that constrain the execution of imported code, especially code that comes from unknown or untrusted sources. Some techniques to do this have been known for decades. Others, such as "sandbox" techniques, are more recent.

  • Reducing implementation errors by at least two orders of magnitude - Most vulnerabilities in products come from software implementation errors. They remain in products, waiting to be discovered, and are fixed only after they are found while in use. Worse, the same flaws continue to be introduced in new products. Vendors need to be proactive, and adopt known, effective software engineering practices that dramatically reduce the number of flaws in software products.

  • High-security default configurations - With the complexity of today's products, properly configuring systems and networks to use the strongest security built into the products is difficult, even for people with strong technical skills and training. Small mistakes can leave systems vulnerable and put users at risk. Vendors can help reduce the impact of security problems by shipping products with "out of the box" configurations that have security options turned on rather than require users to turn them on. The users can change these "default" configurations if desired, but they would have the benefit of starting from a secure base.
To encourage product vendors to produce the needed higher quality products, we encourage the government to use its buying power to demand higher quality software. The government should consider upgrading its contracting processes to include "code integrity" clauses, clauses that hold vendors more accountable for defects in released products. Included here as well are upgraded acquisition processes that place more emphasis on the security characteristics of systems being acquired. In addition, to support these new processes, training programs for acquisition professionals should be developed that provide training not only in current government security regulations and policies, but also in the fundamentals of security concepts and architectures. This type of skill building is needed in order to ensure that the government is acquiring systems that meet the spirit, as well as the letter, of the regulations.

Wider adoption of security practices: With our growing dependence on information networks and with the rapid changes in network technology and threats, it is critical that more organizations, large and small, adopt the use of effective information security risk assessments, management policies, and practices. While there is often discussion and debate over which particular body of practices might be in some way "best," it is clear that descriptions of effective practices and policy templates are widely available from both government and private sources. The Internet Security Alliance, for example, has recently published a "Common Sense Guide For Senior Mangers" that outlines the security management and technical practices an organization should adopt to improve its security. Guidelines and publications are also available from the National Institute of Standards and Technology, the National Security Agency, and other agencies. What is sometimes missing today is management commitment: senior management's visible endorsement of security improvement efforts and the provision of the resources needed to implement the required improvements.

Expanded research in information assurance: It is critical to maintain a long-term view and invest in research toward systems and operational techniques that yield networks capable of surviving attacks while protecting sensitive data. In doing so, it is essential to seek fundamental technological solutions and to seek proactive, preventive approaches, not just reactive, curative approaches.

Thus, the research agenda should seek new approaches to system security. These approaches should include design and implementation strategies, recovery tactics, strategies to resist attacks, survivability trade-off analysis, and the development of security architectures. Among the activities should be the creation of

  • A unified and integrated framework for all information assurance analysis and design

  • Rigorous methods to assess and manage the risks imposed by threats to information assets

  • Quantitative techniques to determine the cost/benefit of risk mitigation strategies

  • Systematic methods and simulation tools to analyze cascade effects of attacks, accidents, and failures across interdependent systems

  • New technologies for resisting attacks and for recognizing and recovering from attacks, accidents, and failures
In this research program, special emphasis should be placed on the overlap between the cyber world and the physical world, and the analysis techniques developed should help policy and decision makers understand the physical impact and disruption of cyber attacks alone or of cyber attacks launched to amplify the impact of concurrent physical attacks.

More technical specialists: Government identification and support of cyber-security centers of excellence and the provision of scholarships that support students working on degrees in these universities are steps in the right direction. The current levels of support, however, are far short of what is required to produce the technical specialists we need to secure our systems and networks. These programs should be expanded over the next five years to build the university infrastructure we will need for the long-term development of trained security professionals.

More awareness and training for Internet users: The combination of easy access and user-friendly interfaces have drawn users of all ages and from all walks of life to the Internet. As a result, many Internet users have little understanding of Internet technology or the security practices they should adopt. To encourage "safe computing," there are steps we believe the government could take:

  • Support the development of educational material and programs about cyberspace for all users. There is a critical need for education and increased awareness of the security characteristics, threats, opportunities, and appropriate behavior in cyberspace. Because the survivability of systems is dependent on the security of systems at other sites, fixing one's own systems is not sufficient to ensure those systems will survive attacks. Home users and business users alike need to be educated on how to operate their computers most securely, and consumers need to be educated on how to select the products they buy. Market pressure, in turn, will encourage vendors to release products that are less vulnerable to compromise.

  • Support programs that provide early training in security practices and appropriate use. This training should be integrated into general education about computing. Children should learn early about acceptable and unacceptable behavior when they begin using computers just as they are taught about acceptable and unacceptable behavior when they begin using libraries. 2 Although this recommendation is aimed at elementary and secondary school teachers, they themselves need to be educated by security experts and professional organizations. Parents need be educated as well and should reinforce lessons in security and behavior on computer networks.

Conclusion

Interconnections across and among cyber and physical systems are increasing. Our dependence on these interconnected systems is also rapidly increasing, and even short-term disruptions can have major consequences. Cyber attacks are cheap, easy to launch, difficult to trace, and hard to prosecute. Cyber attackers are using the connectivity to exploit widespread vulnerabilities in systems to conduct criminal activities, compromise information, and launch denial-of-service attacks that seriously disrupt legitimate operations. Most threatening is the clear evidence that terrorists are investigating the feasibility of launching cyber attacks that could lead to devastating physical consequences.

Reported attacks against Internet systems are almost doubling each year and attack technology will evolve to support attacks that are even more virulent and damaging. Our current solutions are not keeping pace with the increased strength and speed of attacks, and our information infrastructures are at risk. Solutions are not simple, but must be pursued aggressively to allow us to keep our information infrastructures operating at acceptable levels of risk. However, we can make significant progress by making changes in software design and development practices, increasing the number of trained system managers and administrators, improving the knowledge level of users, and increasing research into secure and survivable systems. Additional government support for research, development, and education in computer and network security would have a positive effect on the overall security of the Internet.

[top]

References

1 "Terrorists at Threshold of Using Internet as Tool of Bloodshed, Experts Say," Washington Post, 27 June 2002.
2 National Research Council, Computers at Risk: Safe Computing in the Information Age, National Academy Press, 1991, recommendation 3c, p. 37.

CERT and CERT Coordination Center are registered in the U.S. Patent and Trademark Office.
Copyright 2002 Carnegie Mellon University.

Disclaimers and copyright information.

Last updated November 19, 2002.