The Year in Review: An Intelligence Summary
William Hugh Murray, Executive Consultant, TruSecure Corporation
whmurray@sprynet.com
William Hugh Murray
Bill Murray is an executive consultant for TruSecure Corporation and a Senior Lecturer at the Naval Postgraduate School. He is a Certified Information Security Professional (CISSP) and serves as Secretary of (ISC)2, the certifying body. Bill is an advisor on the Board of Directors of the New York Metropolitan Chapter of ISSA. He has more than fifty years' experience in information technology and more than thirty years in security. During more than twenty-five years with IBM his management responsibilities included development of access control programs, advising IBM customers on security, and the articulation of the IBM security product plan. He is the author of the IBM publication Information System Security Controls and Procedures. Mr. Murray has made significant contributions to the literature and the practice of information security. He is a popular speaker on such topics as network security architecture, encryption, PKI, and Secure Electronic Commerce. He is a founding member of the International Committee to Establish the "Generally Accepted System Security Principles" (GSSP, now referred to as the GAISP) as called for in the National Research Council's Report: Computers at Risk. Bill remains an active member of this committee. He is a founder and board member of the Colloquium on Information System Security Education (CISSE). He has been recognized as a founder of the systems audit field and, by Information Security Magazine, as a Pioneer in Computer Security. In 1987 he received the Fitzgerald Memorial Award for leadership in data security. In 1989 he received the Joseph J. Wasserman Award for contributions to security, audit and control. In 1995 he received a Lifetime Achievement Award from the Computer Security Institute. In 1999 he was enrolled in the ISSA Hall of Fame in recognition of his outstanding contribution to the information security community.
He holds a Bachelor of Science degree in Business Administration from Louisiana State University. He is a graduate of the Jesuit Preparatory High School of New Orleans.
Introduction
This is an update on the state of security for the year 2004. The easiest way to forecast the future is to identify states or trends that are unlikely to change during the forecast horizon and to project them. This presentation identifies and projects such trends. While this forecast has been widely published and, unlike most pronouncements of its author, has drawn little fire, the author takes full responsibility for its content.
2003 Events
• SQLSlammer
• Lovesan / Blaster
• SoBig
• "Social Engineering" explodes (e.g., "Phishing")
• Dramatic increase in spam
• Others
First, the bad news:
• Hacking is no longer trivial but serious, no longer for loners but for teams, no longer for fun but for profit, no longer mischievous but malicious and criminal, no longer amusing but frightening.
• The Internet is seriously compromised by contaminated machines.
• Spam now accounts for a significant part of the load on the Internet and more than half of e-mail.
• SQLSlammer demonstrated the ability of an individual with a little special knowledge to seriously degrade the performance of the Internet at a time of his own choosing.
First, the bad news: (II)
• Viruses and worms are becoming more sophisticated, successful, and malicious. They are used to compromise systems and to insert remote controls, key-stroke grabbers and other spyware, covert agents ("bots"), and backdoors. They are a standard tool in the cracker's kit.
• Windows-based ATMs and POS (point-of-sale) devices are connecting to the Internet and are vulnerable to worms, viruses, and other Trojan Horse attacks. ATMs and POS devices are being operated by criminals.
• The transport layer can no longer be relied upon for security. Connectivity trumps security.
More Bad News
• The rate of discovery of unchecked-input (e.g., "buffer-overflow") vulnerabilities is going up and the time to exploitation is going down.
• Habit, bureaucracy, inertia, and institutional consent to bad practice resist improvement.
• The Internet is resistant to all change in the short run; in the long run any improvement in practice is likely to be overwhelmed by growth in users, uses, and use.
More Bad News, II
• Small improvements in software quality will be overwhelmed by increases in software.
• There will continue to be a preference for applications and low price over security in choosing operating systems. [We will continue to complain about Microsoft security while using its products for applications and environments for which they are not intended and do not meet the security requirements.]
• We will continue to try to patch and fix our way to security; we will enjoy the same lack of success.
More Bad News, III
• Government will continue to chide the private sector while connecting weak systems to the public networks.
• Business will continue to attach weak systems and inappropriate applications to public networks in the name of "early to market," "first mover advantage," and ease of operation and management.
• Business audit trails are ad hoc and vulnerable to late change. They record mostly events and rarely content or context. Academia and government have little audit trail beyond the desktop or server.
Bad News Continued:
• Government will continue to focus on user-to-user isolation at the operating system layer while authenticating those users only with passwords at the network and application layers. They will continue to prefer mandatory access controls over strict accountability.
• Rogue hackers will continue to contaminate the Internet with viruses and worms in the name of improving security while continuing to be lionized by the media as "security experts" and "Robin Hoods."
• Law enforcement will continue to whine about business' reluctance to share intelligence while hiding, hoarding, abusing and misusing such intelligence as they have.
Bad News Continued: (II)
• Vulnerability researchers will continue to publish exploits in the name of improving security; the media will continue to refer to them as "security experts." Their 15 minutes is running out.
• 2003 was not the year of PKI but it was the year of the VPN. SSH and SSL may win over IPSec.
• Governments will continue to complain that criminals use technology while insisting on the right to use the technology to watch the citizen.
Bad News Continued: (III)
• Anonymity in the Internet is now a commodity for sale.
• Users will continue to compromise perimeter controls with tunnels and by clicking on strange files and icons.
And finally:
• Government security efforts will continue to focus on preserving its secrets while tolerating fraud, waste, and abuse.
• Businesses report that they have Tootsie Pop Security ("Hard and crunchy on the outside, soft and chewy in the middle.")
• Academic institutions will continue to peer connect student and faculty systems to the Internet in the names of free speech and academic freedom. These systems will continue to be routinely compromised and will continue to be the source of most of the attack traffic.
And finally: (II)
• User population still rising faster than awareness.
• We will be surprised again by the scope and effect of at least one attack in spite of our general awareness of or alarm about the exploited vulnerability.
Now for some good news:
• Economics is on our side; cheap hardware firewalls, smarter network interface cards (NICs), routers, other application appliances, strong authentication, and end-to-end encryption (e.g., SSL, SSH, VPNs) will be used to hide operating system vulnerabilities, privileged controls, sensitive applications, and gratuitous functionality from the public networks.
• Government has acknowledged that its security practice is unacceptable and places the infrastructure at risk. Its overall score has improved to "D." Two departments have found a way to improve practice to "A" while still meeting reporting requirements.
• Driven by demand from their customers and competition and example from AOL, retail ISPs are taking more responsibility for protecting their customers and for protecting the rest of us from rude behavior by their users.
Now for some good news: (II)
• SQLSlammer demonstrated the ability of Network Operators to respond quickly and effectively to threats to the network itself.
• Rogue hackers are losing their Robin Hood image and public sympathy, attracting law enforcement attention, being identified, indicted, prosecuted, copping pleas, being convicted, and sentenced to jail.
Now for some good news: (III)
• There is an emerging consensus that rewarding hackers with jobs encourages more hackers without reforming anyone.
• While users will continue to compromise perimeter controls with tunnels and click on strange files and icons, default use and automatic update of scanners, and controls to limit connectivity of systems that are not current, will make us collectively resistant to viruses.
More good news:
• Cheap hardware will accelerate the preference for single-user and single-application systems over multi-user multi-application systems.
• Led by reluctant heroes like Visa, American Express, and their competitors, and to meet the higher expectations of their customers, e-merchants and e-fiduciaries will continue to improve the security of the applications that they attach to the Internet.
• Investors, inventors, product vendors, and service providers continue to invest, invent, innovate, provide, and encourage.
More good news: (II)
• Government, industry, and professional organizations encourage training, education, commitment, and continuing development of professional knowledge, skills, and abilities.
• While we will continue to experience attacks and breaches that define the limits of our success, security will continue to be (just barely) good enough to escape chaos and preserve public trust and confidence.
Recommendations
• Exploit cheap hardware.
• Adopt restrictive policies and safe defaults.
• Avoid multi-user multi-application systems.
• Avoid gratuitous functionality.
• Scan at the perimeter and the desktop, in both directions; refuse all unexpected attachments.
Recommendations (II)
• Close your networks to all but registered (and current) devices and users.
• Measure the state of your networks, systems, and applications; measure the performance of their managers and users.
• Layer your defenses; do not rely on a brittle perimeter and a soft center.
• Strengthen accountability with end-to-end encryption, strong authentication, and an integrated audit trail.
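Three of the recommendations above (restrictive policies and safe defaults, refusing unexpected attachments, and admitting only registered and current devices while measuring their state) share one mechanism: a default-deny decision backed by an inventory. The following Python sketch, added here as an illustration and not part of the original presentation, shows that mechanism on a constructed device inventory and a constructed attachment allowlist. The inventory, the patch-level numbers and the allowlist are assumptions made up for the example; the point is that anything absent from the inventory or the allowlist is refused, and that the same inventory yields the "measure the state" report.

```python
"""Default-deny admission checks for devices and mail attachments (constructed example)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Device:
    device_id: str
    owner: str
    patch_level: int  # constructed: an increasing build number, higher is newer


# Constructed sample inventory: the registry of devices permitted on the network.
INVENTORY = {
    "laptop-0017": Device("laptop-0017", "alice", patch_level=42),
    "laptop-0023": Device("laptop-0023", "bob", patch_level=39),
}
# Constructed policy value: the minimum patch level that counts as "current".
REQUIRED_PATCH_LEVEL = 41

# Safe default: a short allowlist of attachment types, nothing else passes.
ALLOWED_ATTACHMENTS = {".txt", ".pdf"}


def admit_device(device_id, inventory=INVENTORY, required=REQUIRED_PATCH_LEVEL):
    """Return (admitted, reason). Unregistered and stale devices are both refused."""
    device = inventory.get(device_id)
    if device is None:
        return False, "not registered"
    if device.patch_level < required:
        return False, f"not current (patch level {device.patch_level} < {required})"
    return True, "registered and current"


def accept_attachment(filename, expected=False):
    """Return (accepted, reason).

    An attachment the recipient was not expecting is refused outright; an expected
    one still has to carry an allowlisted final extension.
    """
    if not expected:
        return False, "unexpected attachment refused"
    name = filename.lower()
    # Judge the final extension only, so "invoice.pdf.exe" is not treated as a PDF.
    ext = "." + name.rsplit(".", 1)[-1] if "." in name else ""
    if ext not in ALLOWED_ATTACHMENTS:
        return False, f"extension {ext or '(none)'} not on allowlist"
    return True, "accepted"


def compliance_report(inventory=INVENTORY, required=REQUIRED_PATCH_LEVEL):
    """Measure the state of the registered population: how many are current, which are not."""
    stale = sorted(d.device_id for d in inventory.values() if d.patch_level < required)
    return {
        "registered": len(inventory),
        "current": len(inventory) - len(stale),
        "stale": stale,
    }


if __name__ == "__main__":
    for dev in ("laptop-0017", "laptop-0023", "printer-0001"):
        print(dev, admit_device(dev))
    for fname, exp in (("report.pdf", True), ("report.pdf", False), ("invoice.pdf.exe", True)):
        print(fname, exp, accept_attachment(fname, expected=exp))
    print(compliance_report())
```

The reasons returned alongside each decision are what a layered defense feeds into the audit trail: a refusal is recorded with why it happened, so the "not current" count in the report and the individual admission decisions reconcile against the same inventory.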