
If you purchased a brand new computer today with all the latest security software and plug it into the Internet, how long would it be before the first hacker probed it?
About four hours.
Even the latest innovations to protect networks are not enough to counter cybercrimes.
“Unfortunately, it’s still a bit of a wild West,” says Tim McKnight, vice president and information security officer for Northrop Grumman Information Systems.
“You’re having to fight hackers with very little governance and law,” he adds. Cybercriminals have the upper hand because the cost of planning and executing a cyber-attack is cheap and it’s difficult to identify the attackers.
U.S. networks are the targets of choice.
“We’re the most vulnerable nation on the Earth because we’re the most dependent,” John “Mike” McConnell, former director of national intelligence and a senior vice president at Booz Allen Hamilton, says at a conference organized by the Security Innovation Network.
President Obama in a May speech pinned America’s economic prosperity to the security of its digital infrastructure. “It’s now clear this cyberthreat is one of the most serious economic and national security challenges we face as a nation. It’s also clear that we’re not as prepared as we should be,” he warned.
On July 4, about 170,000 computers in 74 countries were linked, unbeknownst to their owners, in a botnet — a collection of malicious software robots that run autonomously. The botnet was commanded by unidentified assailants who attacked government websites in South Korea and the United States. Nearly all U.S. federal agencies, including the White House, were hit by the denial-of-service attack.
“I think we’re really at a crisis point where we have no confidence in the security of our information,” Amit Yoran, former director of the United States Computer Emergency Readiness Team (US-CERT) and of the Department of Homeland Security’s national cybersecurity division, tells National Defense.
Homeland security officials worry most about a “digital Pearl Harbor” attack on the nation’s cyber-infrastructure. The July 4 attack could be a harbinger of things to come, they say.
“I believe we are being set up. We are being probed constantly,” says Robert Rodriguez, chairman and founder of the Security Innovation Network. “The adversaries are innovating faster than we are because they don’t have corporate governance and budget and privacy issues. They move at warp speed.”
Many of the technologies that have been developed in the last decade to protect networks — firewalls, intrusion detection systems and anti-virus products — assume that networks have perimeters, points out Yoran, who is now chief executive officer of NetWitness Corp., a security software provider. But in the current digital world, there are none.
“You can’t build a fort,” he says. “You can prevent really simplistic attacks by putting up these castle walls. But in today’s environment … it’s literally impossible to define what your enterprise network looks like today, let alone build a castle around it that leaves your organization nimble and agile enough to accomplish its mission.”
Another problem is that friends and foes all operate in the same Internet. Like the shipping lanes of the seas, it could take decades to establish borderlines in the digital world. “It’s taken hundreds of years to define those treaties and those boundaries,” says Rodriguez. “We haven’t come close to defining the Internet routes and the policies.” Until those are established, defending networks will remain an ad hoc process where even the best defensive measures turn into a sieve through which cybercriminals can slip.
“Our solutions are perishable. The shelf life of a solution is fairly short,” says Per Beith, director of global network operations at Boeing Co., which is attacked by some 500,000 viruses a month.
To demonstrate how vulnerable networks can be, a team of Northrop Grumman engineers purchased a brand new computer with the latest security software and linked it to the Internet.
Within four hours, a hacker had “pinged” or probed the system. Within a week, a “rootkit” — a form of malicious software — had been installed on its hard drive. Within two weeks, the computer was enslaved by servers that were traced to Canada, Singapore and another unidentified location, and used to attack a computer in Poland.
This happens because there is a large gap between the time a vulnerability is discovered and the release of a software patch to protect a system, says McKnight of Northrop Grumman. In many cases, it takes vendors weeks and even months to provide a patch, which may not even work.
If perpetrators are discovered in time, the harm can be mitigated. “There’s a window of opportunity between the time a system is compromised and the time that the organization is impacted,” says Yoran of NetWitness. A better approach is to address advanced threats, such as attacks that are targeting applications, he says.
An example would be an Adobe attachment or image file in an email. Within the metadata tags of the PDF, would-be attackers could embed exploit codes that literally take control of a system, or establish a command-and-control shell back out to somebody in a remote location who wants to have access to a system, he explains.
“When you’re dealing with advanced threats, you don’t know what you don’t know,” Yoran says. “Getting this type of independent, forensically valid observation point to help you start answering questions is quite compelling.”
The Independence Day denial-of-service attacks did not affect sites that had kept up-to-date with patches, says Lee Holcomb, director of Lockheed Martin’s center for cybersecurity innovation.
He estimates that 80 percent of today’s problems result from simply not patching systems or following appropriate guidelines for network security.
This is relatively easy to achieve for home PC users. But entities with high value assets, such as financial institutions, or government contractors, are exposed to more sophisticated attacks from savvier adversaries.
Yoran believes that many of the malicious activities are happening on the inside of networks after intrusions have already occurred. Detecting that kind of activity is what causes the most headaches for security professionals.
Northrop Grumman has set up a new cyber-operations facility in Maryland where teams monitor more than 10,000 servers for about 105,000 clients. The center has been compared to a CSI forensics laboratory.
“It really brings together a comprehensive picture of the threat intelligence,” says McKnight. The goal is not only to detect intrusions and react to the consequences, but also to analyze malicious software and codes, and break them down so that information security efforts can start to be more proactive.
Catching up to the perpetrators is difficult. “We’re not dealing with the big worms and viruses like we did three, four, five, seven, 10 years ago. Now it’s all quiet and sophisticated attacks that have to be broken down and analyzed at a forensic level,” he says.
McKnight, a former FBI agent, says these forensics investigations are not easy because the attacking software continually evolves. Eventually, technologists will have to focus on the resiliency of networks to stay up and running while under attack.
Other companies, such as Boeing, also are applying the concept called “defense in depth,” which aims to deploy protective measures in layers across networks. Much like securing a home, where locks on doors and windows are but the first layer of defense, further measures, such as monitoring systems, cameras and guards, can be added to provide additional security.
Cyberdefense begins and ends with the individual computer user, Beith says. Training operators to act defensively against potential threats, and then adding layers of security — hardware, software, intrusion detection systems, and monitoring systems — can help protect networks.
Boeing also is developing simulations to replicate the network environment in the virtual world. There, engineers can test the network for potential vulnerabilities and design countermeasures.
Lockheed Martin is working on several technologies to combat cyber-attacks, says Curt Aubley, chief technology officer of NexGen operations and solutions. A system called Ironclad enables networks to have “trusted end points” so there is no data leakage. Another technology called Nimbus allows real-time command and control of cloud computing. A DASHnet self-healing capability gives a network the ability to chase down perpetrators and conduct forensic investigation.
Besides improved technology, a sea change in the perception and policies of cybersecurity is needed, experts note.
The mentality of “it won’t happen to me” is pervasive, Rodriguez says. Holcomb, a former chief technology officer for the Department of Homeland Security, says that during his time at DHS, many companies, even those that provide critical infrastructure for the nation, were not willing to spend a penny more for security than their competitors. “This has continued today. They don’t invest, and won’t, until something happens,” he says. “There needs to be better transparency and metrics in this area. It’s hard to measure the significance of the threat and the problem.”
More collaboration between the government and industry will help to advance the security of the nation’s networks, experts agree.
“If we do that effectively, then I think we truly can be more timely in our reaction and hopefully get to the point where we can be more proactive in how we respond to these threats,” says Beith.
McConnell says that nations will have to agree to some international standards to make the global cyber-infrastructure more secure. “We’ll have partnerships that we didn’t imagine just a few years ago. That’s how I see the future,” he says. IT systems must have built-in cyberprotection, which potentially will be a huge market, he adds.
Already, new standards put forth by the National Security Agency are driving companies to provide better encryption methods to protect data in transit. But ensuring that all companies are meeting those higher standards will be a challenge.
Most companies employ strong encryption and decryption measures, but use weaker methods to send those keys to and from endpoints. “That’s a little bit like having a steel door to your house, but putting the key to that door in a little tin box next to it. I don’t have to cut through the steel door to the vault. I can just cut through the tin box and get your key out,” says Bill Lattin, chief technology officer for Certicom, the company that pioneered a new key distribution technique called elliptic curve cryptography (ECC).
ECC uses smaller key sizes to achieve the same level of security as older methods, such as RSA, an algorithm for public-key cryptography. An ECC key size of 256 bits is equivalent to an RSA key size of 3,072 bits. Increasingly, ECC is being incorporated into software products from Microsoft and Sun, and into devices such as Blackberries.
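Lattin’s tin-box point and the key-size comparison that follows can be made concrete. The program below is an added example for this article, not code from Certicom or any of the companies quoted: two parties each generate an ephemeral P-256 key pair, exchange only their public keys, and derive the same AES-256 session key through elliptic-curve Diffie-Hellman, so the key itself never crosses the wire. It uses only Go’s standard library (crypto/ecdh requires Go 1.20 or later); the small HKDF helper, the Party type and the context label are this example’s own assumptions, and the sample message is constructed.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// hkdfSHA256 is a minimal HKDF (RFC 5869: extract, then one expand block),
// written with the standard library so the example has no dependencies.
// A single 32-byte block is exactly what AES-256 needs.
func hkdfSHA256(secret, salt, info []byte) []byte {
	extract := hmac.New(sha256.New, salt)
	extract.Write(secret)
	expand := hmac.New(sha256.New, extract.Sum(nil))
	expand.Write(info)
	expand.Write([]byte{0x01})
	return expand.Sum(nil)
}

// Party is one side of the exchange, holding an ephemeral P-256 key pair.
type Party struct{ priv *ecdh.PrivateKey }

func NewParty() (*Party, error) {
	priv, err := ecdh.P256().GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Party{priv: priv}, nil
}

// PublicBytes is the only thing that crosses the wire: 65 bytes for an
// uncompressed P-256 point, against a 384-byte modulus for RSA-3072.
func (p *Party) PublicBytes() []byte { return p.priv.PublicKey().Bytes() }

// SessionKey derives a 32-byte AES-256 key from the peer's public key.
// The shared secret is computed locally on each side and never sent.
func (p *Party) SessionKey(peerPub []byte) ([]byte, error) {
	pub, err := ecdh.P256().NewPublicKey(peerPub)
	if err != nil {
		return nil, err
	}
	shared, err := p.priv.ECDH(pub)
	if err != nil {
		return nil, err
	}
	// Constructed context label; a real protocol would bind transcript data here.
	return hkdfSHA256(shared, nil, []byte("example-session-key-v1")), nil
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts with AES-256-GCM and prefixes a fresh random 96-bit nonce.
func Seal(key, plaintext []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// Open reverses Seal; the GCM tag rejects modified ciphertext and
// ciphertext sealed under a different key.
func Open(key, box []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(box) < gcm.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	return gcm.Open(nil, box[:gcm.NonceSize()], box[gcm.NonceSize():], nil)
}

// RoundTrip runs the whole exchange: both sides derive the key from the
// other's public bytes, Alice seals, Bob opens. It returns what Bob read.
func RoundTrip(message []byte) ([]byte, error) {
	alice, err := NewParty()
	if err != nil {
		return nil, err
	}
	bob, err := NewParty()
	if err != nil {
		return nil, err
	}
	ka, err := alice.SessionKey(bob.PublicBytes())
	if err != nil {
		return nil, err
	}
	kb, err := bob.SessionKey(alice.PublicBytes())
	if err != nil {
		return nil, err
	}
	if !bytes.Equal(ka, kb) {
		return nil, errors.New("key agreement failed")
	}
	box, err := Seal(ka, message)
	if err != nil {
		return nil, err
	}
	return Open(kb, box)
}

func main() {
	out, err := RoundTrip([]byte("constructed sample message"))
	fmt.Printf("bob read %q (err=%v)\n", out, err)
}
```

The exchange above is unauthenticated: it shows why the key need not travel, not how each side knows whose public key it received. In practice the public keys are signed or carried in certificates, which is the part the NSA standards mentioned above govern.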