This research analyzed trends in Internet security through an investigation of 4,299 security-related incidents on the Internet reported to the CERT® Coordination Center (CERT®/CC) from 1989 to 1995. In 1988, the Defense Advanced Research Projects Agency (DARPA) established the CERT®/CC at CMU's Software Engineering Institute (SEI) in order to provide the Internet community with a single organization to coordinate responses to security incidents on the Internet.

16.1. Contributions of this Research

Prior to this research, our knowledge of security problems on the Internet was limited and primarily anecdotal. This information could not effectively be used to determine what government policies and programs should be, or to determine the effectiveness of current policies and programs. This research brings us toward improved Internet security through:
16.2. A Taxonomy of Computer and Network Attacks

A taxonomy of computer and network attacks was developed for this research in order to classify Internet security incidents. The taxonomy is based on a process viewpoint in which an attacker attempts to link to ultimate objectives. This link is established through an operational sequence of tools, access, and results. An attack is a single unauthorized access attempt, or unauthorized use attempt, regardless of success. An incident, on the other hand, involves a group of attacks that can be distinguished from other incidents by the distinctiveness of the attackers and the degree of similarity of sites, techniques, and timing. The taxonomy developed for this research was used to classify attacks within Internet incidents. These incidents were also classified using other measures of severity. The taxonomy developed for this research was found to be satisfactory.

16.3. Classification of Internet Incidents and Internet Activity

A total of 4,567 incidents over this 7-year period were reconstructed from the CERT®/CC records. This included 268 false alarms (5.9%) and 4,299 actual incidents (94.1%). Most of the CERT®/CC incidents (89.3%) were unauthorized access incidents, which were further classified by their degree of success in obtaining access: root break-in (27.7%), account break-in (24.1%), and access attempts (37.6%). Relative to the growth in Internet hosts, each of these access categories was found to be decreasing over the period of this research: root-level break-ins at a rate around 19% less than the increase in Internet hosts, account-level break-ins at a rate around 11% less, and access attempts at a rate around 17% less. Of the 4,299 actual incidents reported to the CERT®/CC, 458 (10.7%) were classified as unauthorized use incidents.
These were further classified into denial-of-service attacks (2.4%), corruption of information incidents (3.1%), and disclosure of information incidents (5.1%). The growth in total unauthorized use incidents was around 9% per year greater than the growth in Internet hosts.

An alternative method of presenting the CERT®/CC incident information was developed for this research. For each incident, the average sites per day were calculated using the starting date, the ending date, and the total number of sites involved. These were then combined, using a custom computer program, to find the total average sites per day for each classification of attack. The slope of the growth in all sites per day for all incidents, and for root- and account-level break-ins, was in both cases around 7% less than the growth rate in the number of Internet hosts.

16.4. Tools and Vulnerabilities

Recording of the use of tools and vulnerabilities in the CERT®/CC records was not systematic or complete. As a result, this information is incomplete. Some valuable information, however, can be obtained by determining the relative frequency with which various tools and vulnerabilities appear in the CERT®/CC incident records. A total of 778 incidents (18.1% of all incidents) reported the use of some tool. From these records, the largest category of tools was scripts or programs (15.4%). These consisted primarily of Trojan horses (10.5%) and sniffers (5.7%). The two general categories of toolkits were tools designed to exploit privileged or root access (1.2%) and scanners (2.6%). These tools appeared relatively late in the CERT®/CC records. The CERT®/CC records contain very few references to autonomous agents such as worms and viruses. Nearly half of the incidents in the CERT®/CC records mention specific vulnerabilities (45.3%). The most frequently recorded vulnerability involved various problems with passwords (21.8%).
Most of the password vulnerabilities were in three categories: password files, indicating that a password file had been copied (13.8%); password cracking, generally indicating that passwords had been determined by the operation of a password cracking tool (10.4%); and weak passwords, which could easily be guessed (3.6%). The reputation of sendmail and other mail transfer agents for being "plagued with security problems" was confirmed in the CERT®/CC incident records, which contain numerous references to sendmail (10.4%), SMTP (0.4%) and mail (7.7%). Problems with the implementation of trusted hosts (such as hosts.equiv or .rhosts files) were recorded in a significant number of incidents (5.8%), as were configuration (5.7%), TFTP (5.5%), NIS and YP (4.0%), FTP (4.0%), and NFS (3.2%).

16.5. Severe Incidents

A set of criteria was developed for this research in order to identify the most severe incidents in the CERT®/CC records. The criteria were as follows: 79 days duration, 62 sites, and 87 messages. These criteria selected 22 incidents with an average of 203 days duration, which involved an average of 169 sites, and contained an average of 466 messages in the CERT®/CC record. There were two predominant trends seen in the 22 severe incidents. First, the sophistication of intruder techniques progressed from simple user commands, scripts and password cracking, through the use of tools such as sniffers (1993) and toolkits (1994), and finally to intricate techniques that fool the basic operation of the Internet Protocol (1995). The second trend was that intruders became increasingly difficult to locate and identify. In the early incidents, the attackers tended to be a few individuals confined to a specific location or group of locations, and as a consequence tended to be easily identifiable. As intruder tools became more sophisticated and the size of the Internet grew, the severe incidents involved more attackers operating in many different locations.
The newest and most sophisticated techniques allowed the attackers to obtain nearly total obscurity. For these 22 incidents, a three-phase process of attack was consistently used:

1) gain access to an account on the target system,
2) exploit vulnerabilities to gain privileged (root) access on that system, and
3) use this privileged access to attack other systems across the network.

16.6. Denial-of-Service Incidents

Since the Internet Worm during the first week of November 1988, there has not been another large-scale denial-of-service incident on the Internet. On the other hand, the CERT®/CC records do not give any indication that Internet denial-of-service incidents could not become widespread. Unlike other attacks reported to the CERT®/CC, denial-of-service incidents grew at a rate around 50% per year greater than the rate of growth of Internet hosts.

16.7. Estimates of Total Internet Incident Activity

Table 16.1 summarizes the estimates of total Internet incident activity based on this research. These estimates are for one year in 1995.
Using the DISA probability of reporting an attack, the probability of any severe incident meeting the severe incident criteria not being reported to the CERT®/CC was between 0% and 4%. Using the AFIWC probability of reporting an attack, the probability of any severe incident meeting the severe incident criteria not being reported to the CERT®/CC was essentially zero. This confirms the impression the reports themselves give: that it is hard to conceive of a severe incident not being reported to the CERT®/CC.

There were 394 incidents in the CERT®/CC records (9.2%) that were above average both in terms of duration (above 16.5 days) and in terms of the number of sites (above 6.5). When these incidents were isolated and analyzed, the analysis showed that if we assume the DISA probability of report, then a minimum of around 1 out of 2.6 of the above average incidents were reported to the CERT®/CC (and nearly all of them may have been reported). If we assume the AFIWC probability, then it was estimated that less than 4% of these incidents were not reported to the CERT®/CC (and nearly all of them may have been reported).

16.8. Policy Implications and Recommendations

This research clearly showed that the state of Internet security is not as bad as some authors have proposed. Both in terms of the absolute numbers of incidents and in the growth of these incidents, the numbers are lower than popularly thought. In addition, most attacks were in the category of a nuisance (although some were a big nuisance), and not something more destructive or harmful. Internet security incidents were, however, clearly not dropping to zero. The growth of Internet incidents in absolute terms was nearly at the same pace as the growth of the Internet. According to estimates from this research, a typical Internet domain is involved in no more than around one incident per year, as shown in Table 16.2. A typical Internet host is involved in no more than around one incident in every 45 years. At the same time, however, it should be noted that some sites and hosts are more attractive to attack and may be involved in many incidents each year.

Table 16.3 compares the risk of root-level break-ins to other typical risks.
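To make the sites-per-day aggregation of Section 16.3 and the incident-selection thresholds of Sections 16.5 and 16.7 concrete, the following Python is an added example, not the custom program used in the research: the incident records are constructed, and only the threshold values are taken from the text.

```python
from collections import defaultdict
from datetime import date, timedelta

# Constructed sample incident records (not CERT/CC data): classification,
# start and end dates, number of sites involved, and message count.
INCIDENTS = [
    {"id": "A", "class": "root break-in", "start": date(1995, 1, 1),
     "end": date(1995, 1, 10), "sites": 5, "messages": 12},
    {"id": "B", "class": "root break-in", "start": date(1995, 1, 6),
     "end": date(1995, 1, 15), "sites": 20, "messages": 40},
    {"id": "C", "class": "access attempt", "start": date(1995, 1, 3),
     "end": date(1995, 1, 3), "sites": 1, "messages": 2},
    {"id": "D", "class": "account break-in", "start": date(1994, 10, 1),
     "end": date(1995, 4, 30), "sites": 169, "messages": 500},
    {"id": "E", "class": "access attempt", "start": date(1995, 2, 1),
     "end": date(1995, 3, 2), "sites": 8, "messages": 5},
]

# Thresholds stated in the text: the severe-incident criteria (Section 16.5)
# and the "above average" duration and site counts (Section 16.7).
SEVERE = {"days": 79, "sites": 62, "messages": 87}
ABOVE_AVERAGE = {"days": 16.5, "sites": 6.5}


def duration_days(inc):
    """Inclusive length of an incident in days (start and end both count)."""
    return (inc["end"] - inc["start"]).days + 1


def avg_sites_per_day(inc):
    """Per-incident figure: total sites spread evenly over the duration."""
    return inc["sites"] / duration_days(inc)


def daily_sites_by_class(incidents):
    """Combine incidents: for each classification, sum the average sites per
    day of every incident active on each calendar day (ISO date keys)."""
    totals = defaultdict(lambda: defaultdict(float))
    for inc in incidents:
        rate = avg_sites_per_day(inc)
        day = inc["start"]
        while day <= inc["end"]:
            totals[inc["class"]][day.isoformat()] += rate
            day += timedelta(days=1)
    return {cls: dict(series) for cls, series in totals.items()}


def select(incidents, crit):
    """Ids of incidents meeting every threshold in crit (messages optional)."""
    return [inc["id"] for inc in incidents
            if duration_days(inc) >= crit["days"]
            and inc["sites"] >= crit["sites"]
            and inc["messages"] >= crit.get("messages", 0)]
```

The per-class daily series is what the text's growth slopes are fitted against; `select` applied with `SEVERE` reproduces the three-threshold filter, and with `ABOVE_AVERAGE` the two-threshold filter used for the reporting-probability estimate.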
Given this steady but relatively small level of Internet security incidents, the average Internet user is not likely to be the victim of an Internet attack. Internet users should, however, take reasonable precautions to protect their files and their data in transit on the Internet. Recommendations for all Internet users are as follows:

1. Back up important files.
2. Use a good password for network access controls.
3. Ensure permissions are set properly on files that can be accessed by others.
4. Encrypt, or store off-line, files that are particularly sensitive.
5. Do not send sensitive user identifications, such as a social security number, address, phone number, personal data, or credit card number across the Internet unless it is encrypted at the source (prior to being sent across the Internet).
6. Use an encryption program, such as Pretty Good Privacy (PGP), if you want e-mail to be private.

An additional recommendation for commercial Internet users is as follows:

7. Conduct some form of risk analysis to determine the cost-effective level of security.

Additional recommendations for Internet suppliers, the U.S. government, and response teams are as follows:

Recommendations for Internet suppliers are as follows:
Recommendations for the U.S. government are as follows:

1. Increase funding for incident response, particularly the CERT®/CC.
2. Encourage Internet users to take simple security precautions.
3. Encourage Internet suppliers to improve Internet security.
4. Require government employees to take reasonable security precautions to protect sensitive data.

Recommendations for Internet response teams are as follows:

1. Do not disclose site names reported to response teams (the status quo).
2. Disclose incident data based on a taxonomy.
3. Reexamine policies on the release of vulnerability information with the objective of seeing the degree to which more disclosure would benefit the Internet community.
4. Evaluate the taxonomy for computer and network attacks developed for this research.

Recommendations for the CERT®/CC are as follows:

1. Maintain only one internal incident summary for each incident, open or closed.
2. Record a standard set of keywords and phrases that are defined, systematic and consistent, in each summary, such as reporting date, starting date, ending date, number of reporting sites, reporting sites, number of other sites, other sites, number of messages, attackers, tools, vulnerabilities, level, results, objectives, and corrective actions.
3. Classify each incident according to the worst level of unauthorized access or use.
4. Post the data set used in this research on line at www.cert.org.
5. Evaluate the taxonomy for computer and network attacks developed for this research.
6. Develop and implement a program to better estimate total Internet incident activity. Such a program should involve the voluntary reporting of all incident activity at representative Internet sites. This program should include coordination and/or participation from other response teams and related organizations, such as DISA and AFIWC.
7. Estimate the average number of attackers per incident, and their typical activity, in cooperation with personnel from DISA, AFIWC, and other response teams, in order to improve estimates of total Internet incident activity.
8. Do not disclose site names that appear in the CERT®/CC records or are otherwise reported to the CERT®/CC (this is the status quo).
9. Disclose incident data based on a taxonomy. Suggested steps are as follows:
   1. Methodology development at the CERT®/CC
   2. Trial implementation at the CERT®/CC
   3. Methodology development with other response teams
   4. Trial implementation at other response teams
   5. Public release and formalization
10. Reexamine policies toward the release of vulnerability information with the objective of seeing the degree to which more disclosure would benefit the Internet community.

16.9. Future Research

This dissertation presents only a preliminary analysis of the data derived from the CERT®/CC incident records during 1988 to 1995. It was recommended that the CERT®/CC make the summary data set available on-line at www.cert.org for use by other researchers. Possible research opportunities with this data set are as follows:

1. Analysis of trends in the data over time
2. Comparison of incident trends to other events
3. Implications of trends in the types of hosts (operating systems) on the Internet

The findings of this research could be validated or extended through additional data. This could be accomplished as follows:

4. Validation and extension through 1996 and 1997 CERT®/CC data
5. Validation and extension through data from other response teams

Experience during this research has also indicated that there are important areas of related research that remain largely unexplored. Among these are:

6. Development of a heuristic for determining the scope of an incident
7. Refinements of the taxonomy
8. Research into the behavior of attackers
9. Better sampling of Internet activity