. . . despite our greater reliance on network computing, the Internet isn't a safer place today than it was in 1991. If anything, the Internet is quickly becoming the Wild West of cyberspace. Although academics and industry leaders have long known about fundamental vulnerabilities of computers connected to the Internet, these flaws have been accommodated rather than corrected. As a result, we have seen many cases within the past few years of wide-scale security infractions throughout the network.

Simson Garfinkel and Gene Spafford in Practical UNIX & Internet Security [GaS96:xiii]

At one point, if not already, you will be the victim of Information Warfare. If not you, then a member of your family or a close friend. Your company will become a designated target of Information Warfare. If not yesterday or today, then definitely tomorrow. You will be hit.

Winn Schwartau in Information Warfare: Chaos on the Electronic Superhighway [Sch94:11]

1.1. A Scary Place?

The Internet is a scary place. At least that's what we've been told by numerous authors -- scholars and sensationalists alike. In the Spring of 1994, I visited with Richard Pethia and Tom Longstaff at the CERT® Coordination Center (CERT®/CC), Carnegie Mellon University (CMU). As part of my growing interest in the Internet and Information Warfare, I was in search of some information on just what had been happening on the Internet in terms of security. It was a fortuitous meeting - not because they were able to answer my question, but because they wanted to know the answer to that question also.

Security is a problem on the Internet. The thousands of successful break-ins over the years are testimony to that. But just how much of a problem is it? The answer to this question is important for two reasons. First, with information about Internet security problems, we could determine to what extent, and in what areas, government programs and policies should be instituted to devote society's resources to protecting the Internet. Second, trends over time could be used to determine the effectiveness of these policies and resources.

1.2. Contributions of this Research

Prior to this research, our knowledge of security problems on the Internet was incomplete and primarily anecdotal. Despite our increasing reliance on computer networks, there had been no systematic and coordinated program for gathering and distributing information about Internet security incidents. As a result, the limited information available could not be effectively used to determine either what government policies and programs should be, or the effectiveness of current policies and programs. This research brings us toward improved Internet security through:
1.3. Recommended Actions

The following actions were recommended based on this research.

Recommendations for all Internet users are as follows:

1. Back up important files.
2. Use a good password for network access controls.
3. Ensure permissions are set properly on files that can be accessed by others.
4. Encrypt, or store off-line, files that are particularly sensitive.
5. Do not send sensitive user identifications, such as a social security number, address, phone number, personal data, or credit card number across the Internet unless it is encrypted at the source (prior to being sent across the Internet).
6. Use an encryption program, such as Pretty Good Privacy (PGP), if you want e-mail to be private.

An additional recommendation for commercial Internet users is as follows:

7. Conduct some form of risk analysis to determine the cost effective level of security.

Recommendations for Internet suppliers are as follows:
Recommendations for the U.S. government are as follows:

1. Increase funding for incident response, particularly the CERT®/CC.
2. Encourage Internet users to take simple security precautions.
3. Encourage Internet suppliers to improve Internet security.
4. Require government employees to take reasonable security precautions to protect sensitive data.

Recommendations for Internet response teams are as follows:

1. Do not disclose site names reported to response teams (the status quo).
2. Disclose incident data based on a taxonomy.
3. Reexamine policies on the release of vulnerability information with the objective of seeing the degree to which more disclosure would benefit the Internet community.
4. Evaluate the taxonomy for computer and network attacks developed for this research.

Recommendations for the CERT®/CC are as follows:

1. Maintain only one internal incident summary for each incident, open or closed.
2. Record a standard set of keywords and phrases that are defined, systematic and consistent, in each summary, such as reporting date, starting date, ending date, number of reporting sites, reporting sites, number of other sites, other sites, number of messages, attackers, tools, vulnerabilities, level, results, objectives, and corrective actions.
3. Classify each incident according to the worst level of unauthorized access or use.
4. Post the data set used in this research on line at www.cert.org.
5. Evaluate the taxonomy for computer and network attacks developed for this research.
6. Develop and implement a program to better estimate total Internet incident activity. Such a program should involve the voluntary reporting of all incident activity at representative Internet sites. This program should include coordination and/or participation from other response teams and related organizations, such as DISA and AFIWC.
7. Estimate the average number of attackers per incident, and their typical activity, in cooperation with personnel from DISA, AFIWC, and other response teams, in order to improve estimates of total Internet incident activity.
8. Do not disclose site names that appear in the CERT®/CC records or are otherwise reported to the CERT®/CC (this is the status quo).
9. Disclose incident data based on a taxonomy. Suggested steps are as follows:
   1. Methodology development at the CERT®/CC
   2. Trial implementation at the CERT®/CC
   3. Methodology development with other response teams
   4. Trial implementation at other response teams
   5. Public release and formalization
10. Reexamine policies toward the release of vulnerability information with the objective of seeing the degree to which more disclosure would benefit the Internet community.

1.4. Why Comprehensive Information Was Not Available on Internet Incidents

While CERT®/CC personnel were exposed to numerous incidents during the period of time studied in this research, their perspective and understanding was mission oriented -- a perspective that was naturally myopic. Their primary mission was to provide real-time incident response to the Internet. The information they accumulated and distributed was tailored for this. For example, the records of the CERT®/CC were maintained on-line for personnel to search during an incident. Each incident recorded contained only the information necessary for incident response. When an incident was closed, the record was marked closed, with no further action to gather or analyze the information. The "big picture" has been difficult for CERT®/CC personnel to see from this perspective. This is a case of seeing the individual trees (incidents) in the forest, but having difficulty seeing the pattern of the forest (the overall state of Internet security). CERT®/CC personnel conducted research, but it was primarily a technical focus on current security problems.
Their focus was also not policy-oriented, such as toward determining the effectiveness of Internet security policies. This is most likely the reason that, when asked for a sense of the overall Internet security activity, CERT®/CC personnel were not able to provide comprehensive information.

1.5. Overview

This research project analyzed trends in Internet security, primarily through an investigation of security-related incidents on the Internet from 1989 to 1995, as reported to the CERT®/CC. The CERT®/CC has been responsible for Internet-related incident response since November 1988 [ISV95:14]. This research also produced recommendations to improve Internet security.

This dissertation begins with a description of relevant Internet characteristics (Chapter 2), and then proceeds in the next chapter (Chapter 3) to present a history of the CERT®/CC, along with a description of their policies. This is followed in Chapter 4 by a discussion of the evolution of CERT®/CC incident response, the characteristics of the CERT®/CC records, the methods used to construct the individual incident records, and the categories of data extracted from these constructed incident records.

The next seven chapters of the dissertation involve the classification and analysis of the CERT®/CC incidents. This begins with the development of a formal definition of computer security (Chapter 5), followed in the next chapter with the development of a taxonomy for computer and network security (Chapter 6). The development of a comprehensive taxonomy in the field of computer security has been a relatively intractable problem of increased interest [Amo94:31]. It is, however, a necessary prerequisite for systematic studies of computer and network attacks and incidents. An attack is a single unauthorized access attempt, or unauthorized use attempt, regardless of success. An incident, on the other hand, involves a group of attacks that can be distinguished from other incidents because of the distinctiveness of the attackers, and the degree of similarity of sites, techniques, and timing. The taxonomy developed for this research classifies attacks. Along with other measures of severity, this taxonomy was used in Chapter 7 to classify Internet incidents. Chapter 7 also used the taxonomy to present a history of the incidents in the CERT®/CC records.

This research was concerned primarily with an analysis of Internet incidents and not Internet vulnerabilities, which is a related field of inquiry. More specifically, an attacker exploits vulnerabilities in order to conduct unauthorized actions. As such, vulnerability information was, to an extent, part of this research. This was, however, limited to the existence and frequency of use of vulnerabilities, and not further details concerning the vulnerabilities themselves. This was considered to be beyond the scope of this research.

The taxonomy of computer and network attacks is used in Chapter 8 to present a summary of the relative frequency with which various methods of operation and corrective actions appear in the CERT®/CC incident records. More detailed data are presented in Appendices A and B. Chapter 8 also discusses some of the things the CERT®/CC records do not include.

Nearly 10% of all incidents in the CERT®/CC records examined for this research involved one Internet site, which was termed Site A. Chapter 9 presents an analysis of the subgroup of incidents reported to the CERT®/CC that involved Site A. This is followed in Chapter 10 by a more detailed description of a different subgroup: 22 incidents that were identified by various measures as being the most severe in the CERT®/CC records. A third subgroup is examined in Chapter 11: denial-of-service incidents.

The data from all incidents and the three subgroups were used to estimate the total Internet incident activity during the period of the research. This is presented in Chapter 12, followed in Chapter 13 by a critical evaluation of the utility of the taxonomy developed for this research. The dissertation concludes with a discussion of the implications of this research (Chapter 14), with recommendations for future research (Chapter 15), and with a summary of conclusions and recommendations (Chapter 15). [1]
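The attack/incident distinction above, and the CERT®/CC recommendations in Section 1.3 to keep one summary per incident with standard fields (starting date, ending date, reporting sites, attackers, tools, level) and to classify each incident by the worst level of unauthorized access, can be made concrete with a small record model. The following is an added example, not the dissertation's own method or the CERT®/CC's records: the linking rule (a seven-day window plus a shared attacker, or a shared site and technique), the field names, the ordering of access levels and the sample attack records are all assumptions constructed for illustration.

```python
"""Group individual attack records into incidents and summarize each incident.

Definitions followed here: an attack is a single unauthorized access or use
attempt, regardless of success; an incident is a group of attacks distinguished
by the attackers and by the similarity of sites, techniques and timing.
The concrete linking rule, the level ordering and the sample data are
assumptions made for this example only.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Assumed ordering of "level of unauthorized access or use", least to worst.
LEVELS = ["attempt", "account", "privileged", "use"]


@dataclass
class Attack:
    when: datetime
    attacker: str    # handle or origin as reported; "" when unknown
    site: str        # reporting (target) site
    technique: str   # method of operation, e.g. "password guessing"
    level: str       # one of LEVELS


@dataclass
class Incident:
    attacks: list = field(default_factory=list)

    def starting_date(self) -> datetime:
        return min(a.when for a in self.attacks)

    def ending_date(self) -> datetime:
        return max(a.when for a in self.attacks)

    def sites(self) -> list:
        return sorted({a.site for a in self.attacks})

    def attackers(self) -> list:
        return sorted({a.attacker for a in self.attacks if a.attacker})

    def techniques(self) -> list:
        return sorted({a.technique for a in self.attacks})

    def worst_level(self) -> str:
        # Classify the whole incident by its worst single attack.
        return max((a.level for a in self.attacks), key=LEVELS.index)

    def summary(self) -> dict:
        # One summary per incident with a fixed, consistent set of keys.
        return {
            "starting_date": self.starting_date().date().isoformat(),
            "ending_date": self.ending_date().date().isoformat(),
            "number_of_attacks": len(self.attacks),
            "number_of_sites": len(self.sites()),
            "sites": self.sites(),
            "attackers": self.attackers(),
            "techniques": self.techniques(),
            "level": self.worst_level(),
        }


def same_incident(inc: Incident, atk: Attack, window: timedelta) -> bool:
    """Assumed rule: an attack (processed in time order) joins an incident if it
    occurs within `window` of the incident's latest attack and either names an
    attacker already in the incident, or repeats a technique already seen at a
    site already in the incident."""
    if atk.when - inc.ending_date() > window:
        return False
    if atk.attacker and atk.attacker in inc.attackers():
        return True
    return atk.site in inc.sites() and atk.technique in inc.techniques()


def group_into_incidents(attacks, window=timedelta(days=7)) -> list:
    incidents: list = []
    for atk in sorted(attacks, key=lambda a: a.when):
        for inc in incidents:
            if same_incident(inc, atk, window):
                inc.attacks.append(atk)
                break
        else:
            incidents.append(Incident([atk]))
    return incidents


# Constructed sample records (not real CERT/CC data).
SAMPLE_ATTACKS = [
    Attack(datetime(1994, 3, 1, 10), "fred", "univ-a.edu", "password guessing", "attempt"),
    Attack(datetime(1994, 3, 2, 11), "fred", "univ-b.edu", "password guessing", "account"),
    Attack(datetime(1994, 3, 3, 9), "", "univ-a.edu", "password guessing", "attempt"),
    Attack(datetime(1994, 3, 20, 12), "", "corp-x.com", "sendmail exploit", "privileged"),
    Attack(datetime(1994, 3, 21, 8), "", "corp-x.com", "sendmail exploit", "use"),
    Attack(datetime(1994, 5, 1, 14), "fred", "univ-a.edu", "password guessing", "attempt"),
]

if __name__ == "__main__":
    for n, inc in enumerate(group_into_incidents(SAMPLE_ATTACKS), 1):
        print(n, inc.summary())
```

With the sample data the six attacks collapse into three incidents: the March password-guessing activity at the two university sites (classified "account", its worst level), the sendmail activity at corp-x.com (classified "use"), and a lone May attempt that falls outside the window of the earlier incident even though the same attacker name reappears. Changing the window or the linking rule changes the incident count, which is exactly why the text asks for a defined, consistent set of summary fields before incident data are compared or disclosed.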