© Copyright by John D. Howard, 1997. All rights reserved.

Abstract

This research analyzed trends in Internet security through an investigation of 4,299 security-related incidents on the Internet reported to the CERT® Coordination Center (CERT®/CC) from 1989 to 1995. Prior to this research, our knowledge of security problems on the Internet was limited and primarily anecdotal. This information could not be effectively used to determine what government policies and programs should be, or to determine the effectiveness of current policies and programs. This research accomplished the following: 1) development of a taxonomy for the classification of Internet attacks and incidents, 2) organization, classification, and analysis of incident records available at the CERT®/CC, and 3) development of recommendations to improve Internet security, and to gather and distribute information about Internet security. With the exception of denial-of-service attacks, security incidents were generally found to be decreasing relative to the size of the Internet. The probability of any severe incident not being reported to the CERT®/CC was estimated to be between 0% and 4%. The probability that an incident would be reported if it was above average in terms of duration and number of sites, was around 1 out of 2.6. Estimates based on this research indicated that a typical Internet domain was involved in no more than around one incident per year, and a typical Internet host in around one incident every 45 years.
The taxonomy of computer and network attacks developed for this
research was used to present a summary of the relative frequency
of various methods of operation and corrective actions. This was
followed by an analysis of three subgroups: 1) a case study of
one site that reported all incidents, 2) 22 incidents that were
identified by various measures as being the most severe in the
records, and 3) denial-of-service incidents. Data from all incidents
and these three subgroups were used to estimate the total Internet
incident activity during the period of the research. This was
followed by a critical evaluation of the utility of the taxonomy
developed for this research. The analysis concludes with recommendations
for Internet users, Internet suppliers, response teams, and the
U.S. government.
My thanks go first and foremost to my family, Diane Howard, and our children, Jessica, Rachel, Luke and Nathan. They gave me their support during my studies at Carnegie Mellon University, while enduring poverty and neglect. I am indebted to them for their understanding and their encouragement.

I am indebted also to my dissertation committee. Dr. Paul S. Fischbeck was my advisor throughout my studies at CMU, and he was chairman of the committee. Thanks to him for his insight, instruction, support and patience. He has high standing among that rare breed of professors who always place their students as their first priority. Thanks also to Dr. Thomas A. Longstaff of the CERT®/CC. He introduced me to the CERT®/CC records, was instrumental in providing me a place to work, and helped me understand the records and the operation of his organization. He also provided me valuable insight which I was able to apply to the research. Thanks also to Dr. M. Granger Morgan, Department Head, Engineering and Public Policy (EPP). He supported me when I needed it, and was always a learned instructor. I also appreciate the help from Dr. Alex Hills, head of CMU Computing Services. Thanks particularly to him for teaching me about telecommunications policy. And much thanks to the entire committee for their timely insights, particularly the suggestions each of them made for adding more conclusions and recommendations. With a few questions to me, they were able to allow me to see that my research had broader and more important implications than I had initially realized.
Many thanks also to the other members of the CERT®/CC team who cheerfully responded to my many needs during the research, particularly Katherine Fithen, who acted as a liaison with Site A and carefully read the completed dissertation for accuracy and to check that all the material could be released, and Howard Lipson, who helped me with many technical questions and with the procedures and software for safeguarding the records. Thanks also to Richard Pethia, Barbara Fraser, Moira West-Brown, James Ellis, Ed DeHart, Derek Simmel, and James Stevens.

Thanks to the Engineering and Public Policy Department for their support, both intellectually and financially. Dr. Indira Nair, in particular, helped me throughout the EPP program. Thanks to her for her encouragement in applying to EPP, her advice and insight, and for reminding me of the importance of ethics in our professional and personal lives. Thanks also to my other instructors, Dr. Benoit Morel, Dr. Michael Meyer, Dr. Mitchell Small, Dr. Mark Fichman, and Dr. Jon Peha, and the EPP staff, particularly Vicki Massimino, Patti Steranchak and Denise Murrin-Macey.
During the 1996-97 academic year, I was Visiting Professor in
the Computer Science Department at the US Air Force Academy. Thanks
to the members of the department for their encouragement and understanding
while I completed the dissertation, and particularly to Colonel
Samuel Grier, Department Head and Permanent Professor, who allowed
me time for the research. Thanks also to Major Rick Mraz for his
encouragement, help and insight while I struggled to conceptualize
the taxonomy, to Captain Jonathan Robinson for his help on the
statistics, and Lieutenant Colonel Greg White for his understanding
of Information Warfare.
And finally, my warmest thanks to my fellow traveler through CMU,
my friend and confidant, Dr. Karen Jenni. She provided me support
and sanity that was much needed, and much relied on.

Chapter 2. Internet Characteristics
Chapter 3. CERT®/CC History and Policies
Chapter 5. A Formal Definition of Computer Security
Chapter 6. A Taxonomy of Computer and Network Attacks
Chapter 7. Classification of Internet Incidents and Internet Activity
Chapter 8. Methods of Operation and Corrective Actions
Chapter 9. Case Study - Site A
Chapter 11. Denial-of-Service Incidents
Chapter 12. Estimates of Total Internet Incident Activity
Chapter 13. The Utility of the Taxonomy of Computer and Network Attacks
Chapter 14. Policy Implications and Recommendations
Chapter 16. Conclusions and Recommendations
Appendix A. Summary of Methods of Operation
Appendix B. Summary of Corrective Actions

1.1. A Scary Place?
1.2. Contributions of this Research
1.3. Recommended Actions
1.4. Why Comprehensive Information Was Not Available on Internet Incidents
1.5. Overview

Chapter 2. Internet Characteristics
2.1. Description and Origins of the Internet
2.2. Internet Hosts and Domains
2.2.1. IP addresses
2.2.2. Domain Names
2.2.3. Domains
2.3. Domain Name System (DNS) Terminology
2.4. Site Names
2.5. The Internet Domain Survey
2.6. Estimated Growth of the Internet
2.7. Summary of Internet Characteristics

Chapter 3. CERT®/CC History and Policies
3.1. Origins of the CERT®/CC
3.2. CERT®/CC Purpose
3.3. Operating Procedures and Policies
3.4. Other Incident Response and Security Teams
3.5. Summary of CERT®/CC History and Policies

4.1. CERT®/CC Incident Response
4.1.1. Early, Informal Period -- November, 1988 to January, 1992
4.1.2. Transition Period -- January, 1992 to September, 1993
4.1.3. Formal Period -- September, 1993 to December, 1995
4.2. CERT®/CC Record Characteristics and Methods of Analysis
4.2.1. Early Period Records -- November, 1988 to May, 1992
4.2.2. Later Period Records -- May, 1992 to December, 1995
4.3. Data Extraction
4.4. Summary of CERT®/CC Records

Chapter 5. A Formal Definition of Computer Security
5.1. Simple Computer Security Definitions
5.2. Narrowing the Definition of Computer Security
5.3. Toward a More Formal Definition
5.3.1. What resources are we trying to protect?
5.3.2. Against what?
5.4. A Formal Definition of Computer Security

Chapter 6. A Taxonomy of Computer and Network Attacks
6.1. Characteristics of Satisfactory Taxonomies
6.2. Toward a Taxonomy of Computer and Network Attacks
6.3. Current Computer and Network Security Taxonomies
6.3.1. Lists of Terms
6.3.2. Lists of Categories
6.3.3. Results Categories
6.3.4. Empirical Lists
6.3.5. Matrices
6.3.6. A Process-Based Taxonomy
6.4. A Taxonomy of Computer and Network Attacks
6.4.1. Attackers and Their Objectives
6.4.2. Access
6.4.3. Results
6.4.4. Tools
6.4.4.1 User Command
6.4.4.2 Script or Program
6.4.4.3 Autonomous Agent
6.4.4.4 Toolkit
6.4.4.5 Distributed Tool
6.4.4.6 Data Tap
6.4.5. The Complete Taxonomy of Computer and Network Attacks
6.5. Summary of the Taxonomy of Computer and Network Attacks

Chapter 7. Classification of Internet Incidents and Internet Activity
7.1. Number of CERT®/CC Incidents
7.2. Classification of Incidents
7.2.1. False Alarms
7.2.2. Unauthorized Access Incidents
7.2.3. Unauthorized Use Incidents
7.2.4. Inadequacies of this Classification
7.3. Alternate Measures of Severity
7.4. Sites per Day Recorded in the CERT®/CC Incidents
7.5. Summary of the Classification of Internet Incidents and Internet Activity

Chapter 8. Methods of Operation and Corrective Actions
8.1. Methods of Operation
8.1.1. Attackers
8.1.2. Tools
8.1.3. Access
8.1.3.1 Password Vulnerabilities
8.1.3.2 SMTP
8.1.3.3 Mail
8.1.3.4 Trusted hosts
8.1.3.5 Configuration
8.1.3.6 TFTP
8.1.3.7 NIS
8.1.3.8 FTP
8.1.3.9 NFS
8.1.3.10 Other vulnerabilities
8.1.3.11. Types of Accounts
8.1.4. Results
8.1.5. Objectives
8.1.6. Summary of Methods of Operation
8.2. Corrective Actions
8.2.1. Internal Actions
8.2.2. External Actions
8.3. Some Things the CERT®/CC Incidents Do Not Include
8.4. Summary of Methods of Operation and Corrective Actions

Chapter 9. Case Study - Site A
9.1. Description of Site A
9.2. Site A Reporting Criteria
9.3. Classification of Site A Incidents
9.3.1. False Alarms
9.3.2. Unauthorized Access Incidents at Site A
9.3.3. Unauthorized Use Incidents at Site A
9.4. Sites per Day
9.5. Summary of Case Study - Site A

10.1. Selection of the Severe Incidents
10.2. Description of the Severe Incidents Chosen
10.2.1. Incident #1 - Dutch Hackers
10.2.2. Incident #9 - Danish Hackers
10.2.3. Incidents #2, 3, 4, and 8 - Other Command Line Incidents
10.2.4. Incident #5 - FTP Abuse and Software Piracy
10.2.5. Incident #7 - TFTP Attacks
10.2.6. Incidents #6, 10, 11, 12, 13, 14, 17 - Sniffer Attacks
10.2.7. Incident #15, 18, 19, 21, 22 - Toolkit and Sniffer Attacks
10.2.8. Incident #16 - Toolkit, Sniffer and IRC
10.2.9. Incident #20 - IP Spoofing
10.3. Summary of Severe

Chapter 11. Denial-of-Service Incidents
11.1. Denial-of-service Definition and Types
11.1.1 Destruction
11.1.2 Process Degradation
11.1.3 Storage Degradation
11.1.4. Shutdowns
11.2. History of Internet Denial-of-Service Attacks
11.2.1. Numbers of Attacks
11.2.2. Methods of Attack
11.2.3. Additional Denial-of-service Attack Characteristics
11.3. Summary of Denial-of-Service Incidents

Chapter 12. Estimates of Total Internet Incident Activity
12.1. Relationship of Attacks, Incidents and Total Activity
12.2. Estimates of Total Internet Attack Activity
12.2.1. Monitoring Sites For Attack Activity
12.2.2. Reports of Attack Activity From Representative Sites
12.2.3. Vulnerability Studies
12.2.3.1. DISA Vulnerability Studies
12.2.3.2. AFIWC Security Posture Studies
12.3. Estimates of Total Internet Incident Activity
12.3.1. Monitoring Sites For Incident Activity
12.3.2. Reports of Incident Activity From Representative Sites
12.3.3. Estimates of Attack Reporting Rate and Attacks per Incident
12.3.3.1. Estimates of Attack Reporting Rate
12.3.3.2. Estimates of Attacks per Incident Using All CERT®/CC Incident
12.3.3.3. Estimates of Attacks per Incident Using CERT®/CC Incidents by Type
12.3.4. Summary of Incident Estimates
12.4. Severe and Above Average Incidents
12.5. Estimated Number of Internet Denial-of-service Incidents
12.6. Summary of the Estimates of Total Internet Incident Activity

Chapter 13. The Utility of the Taxonomy of Computer and Network Attacks
13.1. Review of the Characteristics of Satisfactory Taxonomies
13.2. Evaluation of the taxonomy relative to the taxonomy criteria
13.2.1. Categories that are Mutually Exclusive
13.2.2. Categories that are Exhaustive
13.2.3. Categories that are Unambiguous
13.2.4. Categories that are Repeatable
13.2.5. Categories that are Accepted
13.2.6. Categories that are Useful
13.3. Classifications of Incidents
13.3.1 Classifications at the CERT®/CC during the period of research
13.3.2. Classification of Incidents for this Research
13.3.3. Recommended Process for Classifying Incidents
13.3.3.1. Determining Incident Scope
13.3.3.2. Determining Incident Characteristics
13.3.3.3. Classification of Incidents
13.4. Summary of the Utility of the Taxonomy of Computer and Network Attacks

Chapter 14. Policy Implications and Recommendations
14.1. General Implications of This Research
14.2. Implications for Internet Users
14.2.1. Basic Precautions All Users Should Take to Protect Files
14.2.2. Advanced Precautions to Protect Files
14.2.3. Precautions to Protect Data in Transit
14.2.4. Additional Considerations for Commercial Internet Users
14.2.5. Summary of the Implications for Internet Users
14.3. Implications for Internet Suppliers
14.3.1. Password Problems
14.3.2. Shipping Software in an Insecure State
14.3.3. Additional Actions Suppliers Should Take
14.3.4. Summary of Implications for Suppliers
14.4. Implications for the Government
14.4.1. The Government's Role in Providing Information
14.4.2. Government Information Policies and the Computer Security Market
14.4.3. Funding of Incident Response Supported by This Research
14.4.4. Other Government Policies Supported by This Research
14.5. Implications for Response Teams
14.5.1. Objectives of Incident Response
14.5.2. Possible Alternative Courses of Action
14.5.2.1. Disclosure of Site Names
14.5.2.1.1. Alternative 1.1 - Full Disclosure of Site Names
14.5.2.1.2. Alternative 1.2 - Partial Disclosure of Site Names
14.5.2.1.3. Alternative 1.3 - Delayed Disclosure of Site Names
14.5.2.1.4. Alternative 1.4 - No Disclosure of Site Names
14.5.2.1.5. Recommended Alternative for the Disclosure of Site Names
14.5.2.2. Disclosure of Incident Activity
14.5.2.2.1. Alternative 2.1 - Disclosure of CERT® Summaries
14.5.2.2.2. Alternative 2.2 - Creation and Disclosure of Incident Files
14.5.2.2.3. Alternative 2.3 - Development and Disclosure of Incident Data based on Incident Summaries
14.5.2.2.4. Alternative 2.4 - Development and Disclosure of Incident Data based on a Taxonomy
14.5.2.2.5. Alternative 2.5 - Limited Disclosure of Incident Activity
14.5.2.2.6. Recommended Alternative for the Disclosure of Incident Activity
14.5.2.3. Disclosure of Vulnerabilities
14.5.3. Other Implications for Response Teams
14.6. Implications for the CERT®/
14.7. Summary of Policy Implications and Recommendations

Chapter 16. Conclusions and Recommendations
16.1. Contributions of this Research
16.2. A Taxonomy of Computer and Network Attacks
16.3. Classification of Internet Incidents and Internet Activity
16.4. Tools and Vulnerabilities
16.5. Severe Incidents
16.6. Denial-of-Service Incidents
16.7. Estimates of Total Internet Incident
16.8. Policy Implications and Recommendations
16.9. Future Research

Appendix A. Summary of Methods of Operation
Appendix B. Summary of Corrective Actions

Figure 2.1. Typical Internet Domain Name Tree
Figure 2.2. Growth in Internet Hosts
Figure 2.3. Projected Internet Growth
Figure 2.4. Growth of Top-Level Domains with Predominantly U.S. Hosts
Figure 2.5. Growth of Top-Level Domains with Predominantly U.S. Hosts
Figure 2.6. Top-Level Domains as a Percentage of the Internet
Figure 2.7. Growth in DNS domains
Figure 2.8. Trends in Internet Hosts per DNS domain
Figure 2.9. Growth of the World Wide Web
Figure 6.1. Example Two-Dimensional Attack Matrix
Figure 6.2. Security flaw taxonomy: Flaws by Genesis
Figure 6.3. Security Attacks
Figure 6.4. Operational Sequence of Computer and Network Attack
Figure 6.5. Attackers and their Primary
Figure 6.6. Access for Attack
Figure 6.7. Results of Attack
Figure 6.8. Tools of Attack
Figure 6.9. Complete Computer and Network Attack Taxonomy
Figure 7.1. CERT®/CC Incidents per Year
Figure 7.2. CERT®/CC Incidents by Month, 1989 - 1995
Figure 7.3. CERT®/CC Incidents and False Alarms per Year
Figure 7.4. False Alarms as a Percentage of CERT®/CC Incidents
Figure 7.5. Access for
Figure 7.6. CERT®/CC Access Incidents by Month Averaged Over Quarters
Figure 7.7. CERT®/CC Access Incidents per 100,000 domains by Month Averaged Over Quarters
Figure 7.8. CERT®/CC Access Incidents per 10,000,000 Hosts by Month Averaged Over Quarters
Figure 7.9. CERT®/CC Successful Access Incidents by Month Averaged Over Quarters
Figure 7.10. CERT®/CC Successful Access Incidents per 10,000,000 Hosts by Month Averaged Over Quarters
Figure 7.11. CERT®/CC Total Unauthorized Use Incidents by Month Averaged Over Quarters
Figure 7.12. CERT®/CC Abuse Incidents by Month Averaged Over Quarters
Figure 7.13. CERT®/CC Total Unauthorized Use Incidents per 10,000,000 Hosts by Month Averaged Over Quarters
Figure 7.14. CERT®/CC Abuse Incidents per 10,000,000 Hosts by Month Averaged Over Quarters
Figure 7.15. CERT®/CC Denial-of-service Incidents by Month Averaged Over Quarters
Figure 7.16. CERT®/CC Denial-of-service Incidents per 10,000,000 Hosts by Month Averaged Over
Figure 7.17. CERT®/CC Spoofing Incidents by Month Averaged Over Quarters
Figure 7.18. CERT®/CC Spoofing Incidents per 10,000,000 Hosts by Month Averaged Over Quarters
Figure 7.19. CERT®/CC Sites per Day - All Incidents
Figure 7.20. CERT®/CC Sites per Day - All Incidents, Averaged Over Months
Figure 7.21. CERT®/CC Sites per Day - All Incidents, Averaged Over Quarters
Figure 7.22. CERT®/CC Sites per Day - Root and Account Break-ins, Averaged Over Months
Figure 7.23. CERT®/CC Sites per Day - Root and Account Break-ins, Averaged Over Quarters
Figure 7.24. CERT®/CC Sites per Day per 10,000,000 Hosts - All Incidents, Averaged Over Quarters
Figure 7.25. CERT®/CC Sites per Day per 10,000,000 Hosts - Root and Account Break-ins, Averaged Over Quarters
Figure 8.1. Range and Mean Incident Reporting Dates for Methods of Operation - Attackers
Figure 8.2. Range and Mean Incident Reporting Dates for Methods of Operation - Tools
Figure 8.3. Range and Mean Incident Reporting Dates for Methods of Operation - Access - Part 1
Figure 8.4. Range and Mean Incident Reporting Dates for Methods of Operation - Access - Part 2
Figure 8.5. Range and Mean Incident Reporting Dates for Methods of Operation - Access - Part 3
Figure 8.6. Range and Mean Incident Reporting Dates for Methods of Operation - Access - Part 4
Figure 8.7. Range and Mean Incident Start for Methods of Operation - Access - Type of Account
Figure 8.8. Range and Mean Incident Reporting Dates for Methods of Operation - Results
Figure 8.9. Range and Mean Incident Reporting Dates for Methods of Operation - Objectives
Figure 8.10. Range and Mean Incident Reporting Dates for Corrective Actions
Figure 9.1. Site A Incidents and False Alarms per Year
Figure 9.2. False Alarms as a Percentage of Site A Incidents
Figure 9.3. Site A Incidents per Month (with and without false alarms)
Figure 9.4. Site A Access Incidents by Month Averaged Over Quarters
Figure 9.5. Site A Access Incidents per 100,000 domains by Month Averaged Over Quarters
Figure 9.6. Site A Access Incidents per 10,000,000 Hosts by Month Averaged Over Quarters
Figure 9.7. Site A Successful Access Incidents by Month Averaged Over Quarters
Figure 9.8. Site A Successful Access Incidents per 10,000,000 Hosts by Month Averaged Over Quarters
Figure 9.9. Site A Total Unauthorized Use Incidents by Month Averaged Over Quarters
Figure 9.10. Site A Total Unauthorized Use Incidents per 10,000,000 Hosts by Month Averaged Over Quarters
Figure 9.11. Site A Abuse Incidents by Month Averaged Over Quarters
Figure 9.12. Site A Abuse Incidents per 10,000,000 Hosts by Month Averaged Over Quarters
Figure 9.13. Site A Denial-of-service Incidents by Month Averaged Over Quarters
Figure 9.14. Site A Denial-of-service Incidents per 10,000,000 Hosts by Month Averaged Over Quarters
Figure 9.15. Site A Spoofing Incidents by Month Averaged Over Quarters
Figure 9.16. Site A Spoofing Incidents per 10,000,000 Hosts by Month Averaged Over Quarters
Figure 9.17. Site A Sites per Day - All Incidents
Figure 9.18. Site A Sites per Day - All Incidents, Averaged Over Months
Figure 9.19. Site A Sites per Day - All Incidents, Averaged Over Quarters
Figure 9.20. Site A Sites per Day per 10,000,000 Hosts - All Incidents, Averaged Over Quarters
Figure 9.21. Site A Sites per Day - Root and Account Break-ins, Averaged Over Months
Figure 9.22. Site A Sites per Day - Root and Account Break-ins, Averaged Over Quarters
Figure 9.23. Site A Sites per Day per 10,000,000 Hosts - Root and Account Break-ins, Averaged Over Quarters
Figure 10.1. Number of Sites versus Number of Incidents
Figure 10.2. Number of Sites versus Number of Incidents (Less than 200 sites and less than 500 Incidents)
Figure 10.3. Incident Duration versus Number of Incidents
Figure 10.4. Incident Duration versus Number of Incidents (200 or Less Days and less than 1000 Incidents)
Figure 10.5. Number of Messages versus Number of Incidents
Figure 10.6. Number of Messages versus Number of Incidents (Less than 200 messages and less than 500 Incidents)
Figure 10.7. Distribution of Root Break-in Incidents With 79 Days Duration, 62 Sites, 87 Messages
Figure 10.8. Sites per Day versus Duration for 22 "Severe" Incidents
Figure 11.1. Denial-of-Service Attack Methods
Figure 11.2. Internet Protocol Layering Compared to Network Process Categories
Figure 11.3. Sites per Day Involved in Denial-of-service Attacks, Averaged Over Each Quarter, as Recorded in CERT®/CC Records
Figure 11.4. Sites per Day Involved in Denial-of-service Attacks, per 100,000 Internet Domains Averaged Over Each Quarter, as Recorded in CERT®/CC Records
Figure 11.5. Sites per Day Involved in Denial-of-service Attacks, per 10,000,000 Internet Hosts Averaged Over Each Quarter, as Recorded in CERT®/CC Records
Figure 11.6. Denial-of-service Attacks by Method, as Recorded in CERT®/CC Records
Figure 11.7. Primary Category of Denial-of-service Attacks, as Recorded in CERT®/CC Records
Figure 12.1. Results of DISA Vulnerability Assessments, 1992 - 1995
Figure 12.2. On-Line Survey Results from 1,248 Hosts at 15 USAF Bases, Air Force Information Warfare Center, Jan 95
Figure 12.3. Estimates of the Number of Incidents per Host at Site A
Figure 12.4. Estimates of the Number of Internet Incidents based on Site A Data
Figure 12.5. Average Sites per Incident by Year
Figure A.1. Range and Mean Incident Start for Methods of Operation - Attackers
Figure A.2. Range and Mean Incident Start for Methods of Operation - Tools - Part 1
Figure A.3. Range and Mean Incident Start for Methods of Operation - Tools - Part 2
Figure A.4. Range and Mean Incident Start for Methods of Operation - Tools - Part 3
Figure A.5. Range and Mean Incident Start for Methods of Operation - Tools - Part 4
Figure A.6. Range and Mean Incident Start for Methods of Operation - Tools - Part 5
Figure A.7. Range and Mean Incident Start for Methods of Operation - Tools - Part 6
Figure A.8. Range and Mean Incident Start for Methods of Operation - Tools - Part 7
Figure A.9. Range and Mean Incident Start for Methods of Operation - Access - Part 1
Figure A.10. Range and Mean Incident Start for Methods of Operation - Access - Part 2
Figure A.11. Range and Mean Incident Start for Methods of Operation - Access - Part 3
Figure A.12. Range and Mean Incident Start for Methods of Operation - Access - Part 4
Figure A.13. Range and Mean Incident Start for Methods of Operation - Access - Part 5
Figure A.14. Range and Mean Incident Start for Methods of Operation - Access - Part 6
Figure A.15. Range and Mean Incident Start for Methods of Operation - Access - Part 7
Figure A.16. Range and Mean Incident Start for Methods of Operation - Access - Part 8
Figure A.17. Range and Mean Incident Start for Methods of Operation - Access - Part 9
Figure A.18. Range and Mean Incident Start for Methods of Operation - Access - Part 10
Figure A.19. Range and Mean Incident Start for Methods of Operation - Access - Part 11
Figure A.20. Range and Mean Incident Start for Methods of Operation - Access - Part 12
Figure A.21. Range and Mean Incident Start for Methods of Operation - Access - Part 13
Figure A.22. Range and Mean Incident Start for Methods of Operation - Access - Part 14
Figure A.23. Range and Mean Incident Start for Methods of Operation - Access - Part 15
Figure A.24. Range and Mean Incident Start for Methods of Operation - Access - Part 16
Figure A.25. Range and Mean Incident Start for Methods of Operation - Access - Part 17
Figure A.26. Range and Mean Incident Start for Methods of Operation - Access - Part 18
Figure A.27. Range and Mean Incident Start for Methods of Operation - Access - Part 19
Figure A.28. Range and Mean Incident Start for Methods of Operation - Access - Part 20
Figure A.29. Range and Mean Incident Start for Methods of Operation - Access - Part 21
Figure A.30. Range and Mean Incident Start for Methods of Operation - Access - Part 22
Figure A.31. Range and Mean Incident Start for Methods of Operation - Access - Part 23
Figure A.32. Range and Mean Incident Start for Methods of Operation - Access - Part 24
Figure A.33. Range and Mean Incident Start for Methods of Operation - Access - Part 25
Figure A.34. Range and Mean Incident Start for Methods of Operation - Access - Part 26
Figure A.35. Range and Mean Incident Start for Methods of Operation - Access - Part 27
Figure A.36. Range and Mean Incident Start for Methods of Operation - Access - Part 28
Figure A.37. Range and Mean Incident Start for Methods of Operation - Access - Part 29
Figure A.38. Range and Mean Incident Start for Methods of Operation - Results - Part 1
Figure A.39. Range and Mean Incident Start for Methods of Operation - Results - Part 2
Figure A.40. Range and Mean Incident Start for Methods of Operation - Results - Part 3
Figure A.41. Range and Mean Incident Start for Methods of Operation - Objectives
Figure B.1. Range and Mean Incident Reporting Dates for Corrective Actions - Restrict System Hardware/Software
Figure B.2. Range and Mean Incident Reporting Dates for Corrective Actions - Configure System Hardware/
Figure B.3. Range and Mean Incident Reporting Dates for Corrective Actions - Upgrade System Hardware/Software
Figure B.4. Range and Mean Incident Reporting Dates for Corrective Actions - Preventive Measures
Figure B.5. Range and Mean Incident Reporting Dates for Corrective Actions - Take Action Against Intruder
Figure B.6. Range and Mean Incident Reporting Dates for Corrective Actions - Law Enforcement

Table 2.1. Internet Network Classes
Table 2.2. Summary of /etc/hosts file at Carnegie Mellon University, September 7, 1996
Table 2.3. Linear Regression Slopes of Growth Rates of Top-Level Internet Domains
Table 2.4. Growth of the World Wide Web
Table 2.5. Summary of Internet Growth Rates Over Six-Month Intervals
Table 3.1. Internet and Other Network Response Teams in FIRST, and their Constituencies
Table 3.2. Other U.S. Government Agency Response Teams in FIRST, and their Constituencies
Table 3.3. U.S. Military Response Teams in FIRST, and their Constituencies
Table 3.4. U.S. Educational Response Teams in FIRST, with Constituencies
Table 3.5. Foreign Government Response Teams in FIRST, with Constituencies
Table 3.6. Computer and Communications Vendor Response Teams in FIRST, with Constituencies
Table 3.7. Other Commercial Response Teams in FIRST, with Constituencies
Table 5.1 Example Attacks
Table 8.1. Methods of Operation
Table 8.2. Corrective Actions
Table 9.1. Estimated Number of Hosts at Site A
Table 9.2. Access Incidents at Site A
Table 9.3. Unauthorized Use Incidents at Site A
Table 10.1. Mean and Standard Deviations of Measurements
Table 10.2. Summary of Root Break-in Incidents With 79 Days Duration, 62 Sites, 87 Messages
Table 10.3. Reporting and Other Sites for Severe Incident Number 1
Table 10.4. Reporting and Other Sites for Severe Incident Number 9
Table 10.5. Reporting and Other Sites for Severe Incident Number 2
Table 10.6. Reporting and Other Sites for Severe Incident Number 3
Table 10.7. Reporting and Other Sites for Severe Incident Number 4
Table 10.8. Reporting and Other Sites for Severe Incident Number 8
Table 10.9. Reporting and Other Sites for Severe Incident Number 5
Table 10.10. Reporting and Other Sites for Severe Incident Number 7
Table 10.11. Reporting and Other Sites for Severe Incident Number 6
Table 10.12. Reporting and Other Sites for Severe Incident Number 10
Table 10.13. Reporting and Other Sites for Severe Incident Number 11
Table 10.14. Reporting and Other Sites for Severe Incident Number 12
Table 10.15. Reporting and Other Sites for Severe Incident Number 13
Table 10.16. Reporting and Other Sites for Severe Incident Number 14
Table 10.17. Reporting and Other Sites for Severe Incident Number 17
Table 10.18. Reporting and Other Sites for Severe Incident Number 15
Table 10.19. Reporting and Other Sites for Severe Incident Number 18
Table 10.20. Reporting and Other Sites for Severe Incident Number 19
Table 10.21. Reporting and Other Sites for Severe Incident Number 21
Table 10.22. Reporting and Other Sites for Severe Incident Number 22
Table 10.23. Reporting and Other Sites for Severe Incident Number 16
Table 10.24. Reporting and Other Sites for Severe Incident Number 20
Table 12.1. Estimates of Total Internet Attacks per Year in 1995
Table 12.2. Estimate of the Ratio of Total Internet Incidents to Reported Incidents
Table 12.3. All CERT®/CC Incidents Compared To Incidents at Site A
Table 12.4. Estimate of Incident Reporting Rates from Site A Data, Assuming All Root Break-ins Reported
Table 12.5. Example Weighted Estimates of Attacks per Incident
Table 12.6. Assumed Values for an Estimate of the Number of Attacks for Each CERT®/CC Incident
Table 12.7. Estimate Average Attacks/Incident Derived From Each CERT®/CC Incident Using Assumed Parameters
Table 12.8. Adjustments to the Probability of Report, Based on Site A Information
Table 12.9. Estimates of the Average Percentage of Report of an Incident and the Total Number of Internet Incidents Based on an AFWIC Estimated Average Probability of Report of Attack
Table 12.10. Estimates of the Average Probability of Report of an Incident Based on an AFWIC Estimated Average Probability of Report of Attack
Table 12.11. Estimates of the Average Percentage of Report of an Incident and the Total Number of Internet Incidents Based on an DISA Estimated Average Probability of Report of Attack
Table 12.12. Estimates of the Average Probability of Report of an Incident Based on an DISA Estimated Average Probability of Report of Attack
Table 12.13. Summary of Estimates of Total Internet Incident Activity
Table 12.14. Estimates of the Probability of Incident Report, Rate of Incident Reports, and Total Internet incidents for Incidents with Above Average Duration and Number of Sites
Table 12.15. Estimates of Total Internet Attacks per Year in 1995
Table 12.16. Summary of Estimates of Total Internet Incident Activity
Table 14.1. Estimated Rate that an Internet Domain or Host was Involved in an Incident in 1995
Table 14.2. Comparison of Estimated Rates That Risks Occur
Table 14.3. Estimated Rate that an Internet Domain or Host was Involved in an Incident in 1995
Table 16.1. Summary of Estimates of Total Internet Incident Activity
Table 16.2. Estimated Rate that an Internet Domain or Host was Involved in an Incident in 1995
Table 16.3. Comparison of Estimated Rates That Risks Occur
Table A.1. Methods of
Table B.1. Corrective Actions





