**********************************************************************
CIO Institute Bulletin On Computer Security
Vol. 2. No. 3. Monday, March 8, 1999

Contents:

Major News Networks Provide Misleading Reports Of Hacker Threats in Department of Defense Stories

Promising Practices:
* Identifying Vulnerabilities: Multi-source automated vulnerability scanning
* Recruiting and Training Technical Security Professionals
* Equipping Technical Information Security Auditors

**********************************************************************

Major News Networks Provide Misleading Reports Of Hacker Threats in Department of Defense Stories

In the past five days, major news networks featured lead stories about cyberattacks against Department of Defense computers. In those stories, reporters guessed at what the Defense Department presented in classified briefings before the US House of Representatives Military Research and Development Subcommittee of the Committee on National Security. Some networks reached back nearly six months for data, but the past half year has seen two complete generations of attacks and attack tools. Viewers should not be deceived into believing that the attacks described by the news networks reflect the current state of the art.

Four of the five major networks covered the hearings. Some quoted the subcommittee chairman (Rep. Curt Weldon of Pennsylvania) as saying either "You can basically say we're at war" or "This is far more important than any Year 2K problem" or "It's not a matter of whether America will have an electronic Pearl Harbor, it's a matter of when". Given that level of coverage and zeal, your CEO or agency head may well ask you what you are doing about these new attacks. In this bulletin, we will provide more timely information about the current status of the scanning and attack tools and we'll describe initiatives organizations are using to alleviate the problem.
Our hope is that this combination of information will make you better prepared to respond to questions from your CEOs and to the real threats that exist.

The news networks reported that the DoD experienced up to 100 attacks each day, including coordinated probes from multiple nations. One network singled out Russia as the source for at least some of the attacks. Another called the attack a coordinated assault through networks in Canada, Norway, and Thailand.

Had the attacks occurred before mid-December, coordinated multi-national attacks would have been a reasonable analysis. But beginning just before Christmas, intrusion detection experts have reported widespread use of a new version of a popular scanning tool which *simulates* coordinated multi-national attacks using a very effective illusion. This tool (called `nmap') can perform decoy scans using any selection of source IP addresses desired by its operator: it sends its probes with forged source addresses interleaved with its own, so the target's logs show the same ports being probed from every one of those addresses. So, a person scanning you from your own city can pretend to be a coordinated group of Russian, Canadian, Norwegian, Israeli, French, and British hackers even though he is using just one computer running nmap to find vulnerabilities on your computer! Furthermore, it takes only 15 minutes to download nmap and complete a scan -- this tool does *not* require one to be an expert cracker.

Do not allow this information to lead you to think that there is nothing to worry about; exactly the opposite is the case. This new generation of tools can hide their activities in a barrage of what appears to be multi-national attacks. Unfortunately, behind that barrage the tools are far more malignant than their predecessors. They can spread out their attacks over time to stay below your monitoring thresholds, and they are extremely effective at identifying the types of computers you are running and the potentially vulnerable services available on every one of those computers.
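The two evasions just described, forged decoy sources and scans spread out below a rate threshold, leave different fingerprints in a packet-filter log. The Python below is an added example written for this bulletin, not nmap's code or anything from the original; the log line format, the addresses, the target and the thresholds are all constructed for illustration. It looks for "lockstep" source sets (several addresses hitting the same target port within milliseconds, port after port, which is what nmap's -D decoy option produces because every probe actually leaves one host) and contrasts a naive per-minute rate threshold, which the decoys trip under four names while the patient scanner never trips it, with a sliding one-hour window that catches the slow scan.

```python
"""Spotting nmap-style decoy scans and low-and-slow scans in firewall logs.

Added example for this bulletin, not code from the original or from nmap.
It assumes a constructed, simplified deny-log line:
    <ISO-8601 timestamp> deny <source ip> <target ip> <target port>
Real firewall syslog formats differ; adapt parse_line() to yours.
"""
from collections import defaultdict
from datetime import datetime, timedelta

TARGET = "10.0.0.20"          # assumed target host
REAL_SCANNER = "10.0.5.7"     # the one real host behind the decoys
DECOYS = ["203.0.113.9", "198.51.100.4", REAL_SCANNER, "192.0.2.77"]
SLOW_SCANNER = "172.16.9.3"


def build_sample_log():
    """Constructed sample traffic, not a real capture.

    - The four DECOYS addresses are what the target sees when one host runs
      a decoy scan: every port is probed by all four "sources" within a few
      milliseconds, in the same order, port after port.
    - SLOW_SCANNER probes one port every six minutes for an hour, which
      never exceeds a per-minute rate threshold.
    """
    lines = []
    t0 = datetime(1999, 3, 5, 2, 11, 7)
    for i, port in enumerate([21, 23, 25, 80, 111, 139]):
        for j, src in enumerate(DECOYS):
            ts = t0 + timedelta(milliseconds=200 * i + 4 * j)
            lines.append(f"{ts.isoformat(timespec='milliseconds')} deny {src} {TARGET} {port}")
    t0 = datetime(1999, 3, 5, 2, 5, 0)
    for i, port in enumerate([21, 23, 25, 80, 110, 111, 139, 143, 443, 515]):
        ts = t0 + timedelta(minutes=6 * i)
        lines.append(f"{ts.isoformat(timespec='milliseconds')} deny {SLOW_SCANNER} {TARGET} {port}")
    return "\n".join(sorted(lines))   # ISO timestamps sort chronologically


def parse_line(line):
    ts, _action, src, dst, port = line.split()
    return datetime.fromisoformat(ts), src, dst, int(port)


def parse_log(text):
    return sorted((parse_line(l) for l in text.splitlines() if l.strip()), key=lambda e: e[0])


def find_decoy_groups(events, window=timedelta(milliseconds=50), min_sources=3, min_ports=3):
    """Map each set of sources that repeatedly hit the same target port within
    `window` of one another to the ports they hit in lockstep.

    Independent attackers in different countries do not arrive within
    milliseconds of each other on port after port; one host emitting forged
    decoy probes does. The lockstep set says "one origin", not which member
    of the set is the real one.
    """
    by_target_port = defaultdict(list)
    for ts, src, dst, port in events:
        by_target_port[(dst, port)].append((ts, src))
    lockstep = defaultdict(set)              # frozenset(sources) -> ports
    for (_dst, port), hits in by_target_port.items():
        hits.sort()
        i = 0
        while i < len(hits):                 # walk maximal windows, no overlaps
            j = i
            while j < len(hits) and hits[j][0] - hits[i][0] <= window:
                j += 1
            srcs = frozenset(s for _, s in hits[i:j])
            if len(srcs) >= min_sources:
                lockstep[srcs].add(port)
            i = j
    return {srcs: sorted(ports) for srcs, ports in lockstep.items() if len(ports) >= min_ports}


def per_minute_alerts(events, threshold=5):
    """Naive rate detector: flag a source that touches more than `threshold`
    distinct ports on one target inside a single clock minute."""
    buckets = defaultdict(set)
    for ts, src, dst, port in events:
        buckets[(src, dst, ts.replace(second=0, microsecond=0))].add(port)
    return {src for (src, _dst, _minute), ports in buckets.items() if len(ports) > threshold}


def slow_scan_alerts(events, window=timedelta(hours=1), threshold=8):
    """Sliding-window detector: flag a source that touches `threshold` or more
    distinct ports on one target within any span of `window`, however slowly."""
    by_pair = defaultdict(list)
    for ts, src, dst, port in events:
        by_pair[(src, dst)].append((ts, port))
    flagged = set()
    for (src, _dst), hits in by_pair.items():
        hits.sort()
        for i, (start, _) in enumerate(hits):
            ports = {p for t, p in hits[i:] if t - start <= window}
            if len(ports) >= threshold:
                flagged.add(src)
                break
    return flagged


EVENTS = parse_log(build_sample_log())

if __name__ == "__main__":
    for srcs, ports in find_decoy_groups(EVENTS).items():
        print("lockstep sources (one host plus decoys):", sorted(srcs), "ports:", ports)
    print("per-minute threshold flags:", sorted(per_minute_alerts(EVENTS)))
    print("sliding-window flags:      ", sorted(slow_scan_alerts(EVENTS)))
```

The lockstep set tells you the probes came from one origin; it does not tell you which address in the set is real, and the other addresses may belong to innocent third parties, so do not report or block them as attackers on this evidence alone. Widen the sliding window to days for scanners more patient than the sample.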
By embedding these new tools in a perl script, sophisticated hackers can automate the entire process of identifying your systems, finding the ones that have services with known vulnerabilities, and exploiting those vulnerabilities to gain root access -- all in seconds. Once root access is gained, every file and every program on your servers is open to being read or changed. As you'll hear when you listen to the web broadcast in Resource (1) below, the state of the art may soon include freely available automated scripts that are push-button tools for automatically finding your vulnerabilities and taking control of your machines. Military and commercial espionage has never been so easy. Competitors inside or outside the country have little stopping them from closing down an enemy's electronic commerce and other network-based services.

**** Resource 1: To get a thorough and somewhat technical picture of this new type of attack and its impact, listen to the March 2nd Web Briefing by the SANS Institute at http://webevents.broadcast.com/edu/sans/hackers1999c/ The broadcast is archived so you may listen at any time. It will ask you for a user name and password. Use sansinst as the user name and secur3 as the password. You may also wish to ask the SANS organization for announcements of upcoming briefings (send email to info@sans.org with the subject "Subscribe"; you'll get web announcements and breaking security news). The next broadcast is Tuesday, April 6 (currently running on the first Tuesday of each month). These broadcasts are a rare source of up-to-date, authoritative information in this fast-changing field.

**** Resource 2: The original Navy Shadow Team report (from September 4, 1998) referenced in some of the network news reports has been updated with the words, "This document has largely been overtaken by new advances in hacker technology."
The revised report lists some of the new technologies described in this CIO Bulletin but also includes the original data describing early detection of multi-national attacks. See http://www.nswc.navy.mil/ISSEC/CID/co-ordinated_analysis.txt

**********************************************************************
PROMISING PRACTICES

== The following sections provide detailed descriptions of practices
== used by leading-edge organizations to reduce the threat from network
== hackers.

The emergence of automated scanning and attack systems has forced network-connected organizations to establish automated monitoring and auditing procedures along with rapid system administration response capabilities that appear to keep them ahead of the attackers. The most promising practices we have seen so far are in very large banks, military organizations, and advanced research laboratories.

[Note: The CIO Institute attributes Promising Practices to the organizations that first demonstrated their effectiveness -- as, for example, in the Government Technology Leadership Awards. In computer security, however, organizations that gain public exposure as "effectively secured" quickly become the targets for recreational hackers who want to prove that "those companies are not as smart as they think they are." To avoid wasting their time, we will not name the organizations that have shared these practices with us.]

The only way to be invulnerable to well-designed attacks is to make sure that the holes they use are closed. All of the practices listed below are aimed at accomplishing that objective.

== Identifying Vulnerabilities: Multi-source automated vulnerability scanning

Scanning tools are computer programs that send network traffic to computers with the goal of receiving return traffic that will indicate whether those computers have known vulnerabilities. Attackers use these tools to find holes, just as defenders try to find the holes first so they can be patched.
There are seven major scanning tools (and many other minor ones) and they all find different vulnerabilities. Moreover, the most commonly used scanning tool has more than 140 settings, and each setting changes the sensitivity or targeting the tool uses to focus its scan. That means that two different people who use automated tools are almost certain to do the job differently.

PROMISING PRACTICE: To ensure that they are getting as complete a view of their vulnerabilities as possible, several smart organizations are running three automated vulnerability scans each year, for example in January, May and September. They contract two of them out -- one to a major company (a big accounting firm or system integrator) and one to a smaller, more specialized organization. The third they ask their own staff to perform. The combination of competition among the testing teams and continuous monitoring provides a very clear picture of what needs to be fixed.

[Resource: The CIO Institute has gathered over 35 evaluations of user experiences with vulnerability testing firms. We'll share this data with Institute members as appropriate.]

== Recruiting and Training Technical Security Professionals

Vulnerability scanning consultants don't make systems more secure -- they just point out possible holes. The people who can make systems more secure are the people who work at your organization and who know how to implement corrections and test your systems to be sure the corrections function correctly. Some of them are called system administrators, system analysts, or system programmers. Others are called technical security professionals or security programmers. A few organizations call them network administrators. Whatever you call them, they are very rarely the same security professionals who write policy and run user education programs.
The key challenge is recruiting technically capable people and then training them and keeping their education current so they don't fall behind the attackers. For recruiting, most organizations select from new college recruits, from the existing system administration community, from technically savvy auditors, and from less technical security professionals willing to make the difficult switch. Pay for the good ones generally runs 8 to 16% above the pay of comparably experienced systems administrators.

[Resource: highlights of the 1998 salary survey of system, security, and network administrators may be found at http://www.sans.org/salsurvey98.htm ]

PROMISING PRACTICE: In addition to using the sources listed above, several organizations have begun to recruit new technical security professionals from among the staff involved in their Y2K efforts. These organizations tell us their Y2K programmers are coming to the end of their heavy development period (most companies have March 31 deadlines for program changes), are capable and careful, and have worked hard enough to deserve the professional opportunity that computer security offers.

Training for technical security professionals comes from two sources. First, the vendor that supplied the operating system (Sun, IBM, HP, and more recently Microsoft) generally offers 5-day security courses that administrators find very useful for administering security. However, the vendors seem to have a hard time telling their students about security vulnerabilities -- probably because they don't want to admit they made programming errors that left their users vulnerable. For that reason, no smart organization relies exclusively on vendor training for the complete knowledge needed to understand the inner workings of their systems so they can find and fix the vulnerabilities. The supplementary training most often takes place at large conferences where experienced instructors conduct in-depth training classes.
Some of these classes last as long as eight days. The next opportunity for this type of training is at the SANS99 (http://www.sans.org/sans99/index.htm) conference in Baltimore, where more than 50 full days of courses will be offered along with more than 25 two-hour short courses and even more state-of-the-art technical presentations. In addition to in-depth courses on intrusion detection and vulnerability analysis, it has advanced security training for Windows NT and for UNIX. Nearly all the courses are taught by full-time practitioner/teachers who give practical, from-the-trenches information that can be implemented immediately when students return to work. If your people cannot get places in the courses at SANS99 (they often fill up early), they can attend a similar array of courses at the Network Security Conference in New Orleans in October.

The CIO Institute provided assistance to establish the SANS Institute nearly a decade ago because of the desperate need for in-depth technical training to replace the non-technical security conferences that had been around since the mainframe days. In the intervening years, SANS has grown to provide in-depth technical security education to more than 3,000 people each year and to provide the industry's authoritative monthly security update for more than 61,000 technical security professionals. As an adjunct to this year's SANS program, the CIO Institute is sponsoring the Federal Computer Security Conference (http://www.cio.org/fcsc.htm) during SANS, at which Federal Information Security Officers will learn the most effective practices used by security-savvy military agencies that can be transferred to the civilian side.

== Equipping Technical Information Systems Auditors

Information systems auditors are faced with the monumental task of verifying that security policies are effectively enforced on every computer. For years they based their judgements on answers provided by system administrators.
Auditors could never be certain whether to rely on the answers, because some system administrators saw auditors as "the enemy" and did not provide accurate information.

PROMISING PRACTICE: A new class of tools is maturing to automate the process of verifying security policies on hundreds or thousands of systems spread throughout the organization. The tools compare actual practice with a baseline policy and point out changes in daily operations that have taken systems out of compliance. The most advanced organizations have developed their own programs to perform comprehensive checks, but increasingly companies and government agencies are turning to commercial tools to automate auditing of security policy enforcement. Equally promising are tools for automation of the forensic process after an incident has occurred. This task used to require an extremely highly trained security professional but can now be accomplished by a suitably equipped auditor or other security professional.

[Resource: user assessments and comparison of capabilities of the most popular policy compliance auditing, intrusion detection, and vulnerability analysis tools are presented in the SANS course book "Selecting the Right Intrusion Detection and Active Auditing Tools" which may be ordered from the secure site: https://nt4.corpsite.com/secure_escal/book.htm ]

**********************************************************************
In The Next CIO Institute Bulletin On Computer Security: A Reality Check on Public Key Infrastructure and Certificates
**********************************************************************

The CIO Institute Bulletin on Computer Security is published monthly and distributed via email to Institute members without cost. Members include the CIOs in organizations spending at least $250 million per year on information technology, and, through the CIOs, all other information system executives in those corporations and agencies.
IS executives in smaller organizations may subscribe for $95 per year. For a subscription form, email info@cio.org with the subject "Subscription Form" and include your name, title and organization. Send address change information for this mailing to .
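As an illustration of the policy-compliance checking described above under Equipping Technical Information Systems Auditors (comparing actual practice on each host against a baseline and naming the change that broke compliance), here is an added example written for this bulletin. It is not code from any product the bulletin mentions. The host snapshots are constructed sshd_config-style text, the rules are an illustrative policy, the host names are invented, and the values assumed for absent directives are assumptions to be checked against the manual page of whatever daemon version you actually run. The example deliberately includes the two cases that fool a grep-based audit: a directive that is present but commented out, and a directive set twice where the first occurrence is the one in force.

```python
"""Checking host configuration snapshots against a baseline policy.

Added example for this bulletin, not code from any product it mentions.
The snapshots are constructed sshd_config-style text, RULES is an
illustrative policy, and ASSUMED_DEFAULTS are assumptions about what the
daemon does when a directive is absent; verify them for your version.
"""
import re

# directive (lower-cased) -> (description, predicate on the effective value)
RULES = {
    "permitrootlogin": ("PermitRootLogin must be no", lambda v: v.lower() == "no"),
    "passwordauthentication": ("PasswordAuthentication must be no", lambda v: v.lower() == "no"),
    "permitemptypasswords": ("PermitEmptyPasswords must be no", lambda v: v.lower() == "no"),
    "maxauthtries": ("MaxAuthTries must be <= 4", lambda v: v.isdigit() and int(v) <= 4),
}

# Value assumed to be in force when the directive is absent (assumption).
ASSUMED_DEFAULTS = {
    "permitrootlogin": "yes",
    "passwordauthentication": "yes",
    "permitemptypasswords": "no",
    "maxauthtries": "6",
}

# Constructed snapshots: what an audit agent copied back from three hosts.
SNAPSHOTS = {
    "web1": """\
# hardened by the security team
Protocol 2
PermitRootLogin no
PasswordAuthentication no
MaxAuthTries 3
""",
    "db2": """\
# the next line is commented out: a grep for the string still "finds" it
# PermitRootLogin no
PasswordAuthentication no
MaxAuthTries 3
""",
    "bastion": """\
PermitRootLogin yes
PasswordAuthentication no
# added later by a well-meaning admin, but the first occurrence wins
PermitRootLogin no
MaxAuthTries 10
""",
}

# Yesterday's snapshot of the same host, for pointing out what changed.
BASTION_YESTERDAY = """\
PermitRootLogin no
PasswordAuthentication no
MaxAuthTries 3
"""


def parse_config(text):
    """Effective directives: the first occurrence of a keyword wins (as sshd
    resolves it), keywords are case-insensitive, and comment and blank
    lines are ignored. Match blocks are out of scope for this example."""
    effective = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)   # "Key value" or "Key=value"
        if len(parts) != 2:
            continue
        effective.setdefault(parts[0].lower(), parts[1].strip())
    return effective


def check_host(config):
    """Findings for one host: (rule description, effective value, origin).
    An absent directive is judged by its assumed default, never skipped."""
    findings = []
    for key, (description, ok) in RULES.items():
        if key in config:
            value, origin = config[key], "explicit"
        else:
            value, origin = ASSUMED_DEFAULTS[key], "default (directive absent)"
        if not ok(value):
            findings.append((description, value, origin))
    return findings


def audit(snapshots):
    return {host: check_host(parse_config(text)) for host, text in snapshots.items()}


def drift(previous, current):
    """Directives whose effective value differs between two snapshots of the
    same host, so the auditor can name the change that broke compliance."""
    before, after = parse_config(previous), parse_config(current)
    return {k: (before.get(k), after.get(k))
            for k in sorted(set(before) | set(after)) if before.get(k) != after.get(k)}


if __name__ == "__main__":
    for host, findings in audit(SNAPSHOTS).items():
        print(host, "OK" if not findings else "")
        for description, value, origin in findings:
            print(f"  {description}: effective value {value!r} ({origin})")
    print("bastion drift since yesterday:", drift(BASTION_YESTERDAY, SNAPSHOTS["bastion"]))
```

The point of judging absent directives by their defaults rather than skipping them is that the default is what the daemon actually enforces; a checker that only inspects lines which are present reports db2 as compliant, exactly the mistake an administrator's verbal answer would make.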