
Chapter 15

Future Research

This dissertation presents only a preliminary analysis of the data derived from the CERT®/CC incident records during 1989 to 1995. In the last chapter, it was recommended that the CERT®/CC make the summary data set available on-line at cert.org for use by other researchers. Possible research opportunities with this data set are as follows:

1. Trends in the data over time - Since the data set has historical information of Internet incidents over a seven-year period, there are many research opportunities involving an analysis of the trends in the data over time. This dissertation examined overall trends, such as root-level break-ins or denial-of-service attacks. These data could be analyzed in greater detail. For example, 22% of incidents reported problems with passwords. Did the type of problems change over time? It appears that they did, but this level of analysis was beyond the scope of this dissertation. Another example is the types of sites involved in incidents. There appears to be an increase in the percentage of commercial sites involved over time. Does this correspond to the increase in the percentage of Internet sites in the .com and .net domains, or is the trend different? Further research into trends in the data over time could yield additional interesting insights into Internet security.

2. Comparison of incident trends to other events - CERT®/CC personnel speculate that the release of information about Internet security problems, such as in a CERT® advisory, influences incident activity. Dr. Dorothy Denning from Georgetown University suggested that law enforcement activities, such as "hacker crackdowns," may also influence the rate of Internet security activity. Perhaps the rate at which activity is recorded at the CERT®/CC is influenced by funding for incident response, or by staffing levels at the CERT®/CC. I have speculated that the World Wide Web growth after 1993 may be responsible for a decline in activity because Internet hackers now have more interesting things to do on the Internet than break into computers. Perhaps the activity was influenced by historical events such as Presidential elections, the weather, the economy, etc. These types of comparisons between incident trends and other events remain unexplored.

3. Implications of trends in the types of hosts (operating systems) on the Internet - In the early days of the Internet, most hosts on the Internet used the Unix operating system. Over time, many hosts were added to the Internet that used operating systems that could not be attacked over the Internet, such as DOS or Windows 3.1. Newer operating systems such as Windows 95 and Windows NT are more vulnerable. What are the implications of these trends? Should we expect increased problems as operating systems become capable of greater integration with the Internet?

The findings of this research could be validated or extended through additional data. This could be accomplished as follows:

4. Validation and extension through 1996 and 1997 CERT®/CC data - This research included CERT®/CC records through 1995. It is recommended that CERT®/CC personnel generate summary data for release (see Chapter 13), probably beginning in 1998. As such, the records from 1996 and 1997 will remain unexplored. Extracting data from these records would provide a more complete picture.

5. Validation and extension through data from other response teams - Although other response teams have smaller constituencies, their records could provide additional valuable data.

Experience during this research has also indicated there are important areas of related research that remain largely unexplored. Among these are:

6. Development of a heuristic for determining the scope of an incident - As described in Chapter 13, an ad hoc process was used to determine the scope of an Internet incident both by the CERT®/CC, and for this research. This ad hoc process will not scale up as the Internet grows exponentially. Automated software tools will be necessary. This will probably require some capabilities in the field of artificial intelligence, particularly those capabilities for analyzing the content of text.

7. Refinements of the taxonomy - Use and evaluation of the proposed taxonomy by the CERT®/CC and other response teams was recommended in Chapter 14. Further research into the utility and validity of the taxonomy is recommended. One particular area of investigation would be to examine relationships between the categories of the taxonomy. Do certain tools pair up with certain types of access, results or objectives?

8. Research into behavior of attackers - As noted in Chapter 12, very little is known about the behavior of actual attackers. This is an open area of research that could significantly increase our understanding of Internet security attacks and incidents.

9. Better sampling of Internet activity - This research indicated that an accurate estimate of total Internet activity must be based on some sampling of the Internet. For this research, only two types of samples were available: the reports from Site A, and the DISA and AFIWC studies of the rate of reporting of attacks at DoD sites. Perhaps more rigorous and beneficial methods of sampling Internet security activity could be developed and implemented.
