Position Paper for Ira Winkler for the 1998 Information Survivability Workshop
Ira Winkler
Information Security Advisors Group
35 Sunset Drive
Severna Park, Maryland 21146
(410) 544-3435
(410) 544-1404 (fax)
ira_winkler@compuserve.com
I also investigate attacks against infrastructures, and I am dismayed at the fact that all of those attacks were completely preventable. All of the recent attacks that hit the media during the previous year were easily preventable. For example, the Pentagon hacks committed by those "dreadful" teenagers from California and Israel were only successful because the administrators of the victim systems did not fix widely known vulnerabilities. The teenager who compromised the Air Traffic Control System in Worcester, Massachusetts did so because of a modem connection that did not require a password.
The world tags the perpetrators as geniuses instead of tagging the victims as inept, or at least unprepared. All of the widely known vulnerabilities exploited had been described by CERT months, if not years, prior to the attacks. I find it ironic, at best, that federal agencies are not required to subscribe to and adhere to CERT advisories.
While I don't want to downplay the importance of advanced research and development efforts, people are not doing "the basics". This usually renders any advanced work useless. For example, if people don't wear seat belts, "advanced, engineered crumple zones" will not save lives. Likewise, if people are not configuring NFS permissions correctly, Public Key Infrastructures are useless.
The underlying cause of this problem is that systems and network administrators are generally overworked and undertrained. They don't usually have the time to load vendor security patches, and they rarely know what security patches are to begin with. While good administrators know that good security is just an outgrowth of good administration, these people are few and far between.
The solution to the actual cause of the problem, in my opinion, is either regulation by the federal government or requirements by the insurance industry. From my personal experience, I know that voluntary cooperation from commercial organizations is little more than wishful thinking. Commercial organizations have looked at security as a cost and not a benefit. This is the case whether the organization is a part of a critical infrastructure or not. Additional security procedures have to be cost justified.
For example, it is a widely accepted fact within the financial infrastructure that banks lose hundreds of millions of dollars a year. While that sounds like a staggering figure, it is minuscule compared to other operating losses. Voluntarily improving security and increasing costs first causes consumers to question whether the bank was safe to begin with. Then shareholders question the spending on increased operating expenses. I have personally taken over a bank's Electronic Funds Transfer system, and the CEO questioned my recommendation of an increased training budget for his administrators.
With the above in mind, my position is that the federal government should regulate good administration procedures for "Federal interest computers." These computers include those involved in federally insured institutions, such as banks, and those involved in federally subsidized industries, such as power and transportation.
The specific regulations would include at least:
- Federal interest computers should implement the recommendations described in CERT Advisories within 30 days of the release of the advisory.
- Federal interest computers should be periodically scanned by network and system vulnerability scanning tools, such as ISS and Tiger or similar tools.
- Organizations should ensure that they employ the vendor-specified number of administrators for the number of federal interest computers in the organization.
- Administrators of federal interest computers should complete vendor-approved basic administration courses. This training must include, among other things, an explanation of security patches, advisory services, and scanning tools.
- Full backups of federal interest computers must be performed on a weekly basis, and incremental backups are required on a daily basis.
- Vendors who provide operating systems or application software must e-mail all registered users to let them know when new security patches are available.
Alternatively, the above regulations could be implemented as insurance requirements. Insurance companies could require any company wanting general liability insurance to implement them. Since most attacks seem to be the result of organizations not fixing known vulnerabilities, insurance companies would greatly decrease their liabilities.
Whether it is an insurance requirement or a federal regulation, commercial organizations would be forced to implement good security administration. Customers and shareholders could not question the implementation, since organizations would just be meeting business requirements.
The above position comes from years of consulting to governments and commercial firms, and observing security as it is implemented in operational environments.
The research community is not entirely blameless in this area. Many researchers in Information Survivability related fields tend to pursue advanced research areas, while ignoring research that is practical and simple to implement. Anything that makes security invisible or reduces the work of administrators would be ideal. Possible research projects include:
- Automation of security patch installation
- Automated vulnerability scanning and repair
- Fourteen years working with and for NSA and other intelligence agencies
- Previously the Director of Technology of the National Computer Security Association
- Author of the book Corporate Espionage. Also contributed to several books, and has written dozens of professional articles on subjects related to Information Survivability
- Keynote or featured speaker at dozens of Information Survivability related conferences
- Member of a National Infrastructure Protection Center pseudo-advisory committee.
- Performed Defensive Information Warfare studies for the Joint Chiefs of Staff
- Consulting to some of the largest banks and companies in the world to help them secure their information and infrastructures
- Five years of performing penetration tests of commercial and government organizations
- Four years of investigating crimes against companies and infrastructure related elements
- My middle name is Samuel, making my initials, ISW. Therefore if you accept me, you will have an ISW at ISW 98.