January 05, 2001, 2:06 PM — Each year, your risk for a hack attack grows. In 1999, 9,859 security incidents were reported to Carnegie Mellon University's CERT Coordination Center, a premier computer emergency response team. By June 2000, the number had already reached 8,836. Better awareness accounts for some of the increase, but not all: People submitted information on 417 software vulnerabilities to CERT in 1999. By mid-year 2000, that number had already reached 442.
Best-kept secret No. 1: Most security holes hired experts find are well-known vulnerabilities with easily accessible patches.
Most Internet-related hacks are traceable to a dozen security holes. These tend to be months -- even years -- old and easy to discover, says Phil Cox, a consultant for security firm SystemExperts in Sudbury, Mass., and former member of the Department of Energy's Computer Incident Advisory Capability team. The Systems Administration, Networking and Security (SANS) Institute keeps a list of the top 10 Internet security threats at www.sans.org/topten.htm. These are all preventable -- "all of them are [due to] a simple lack of configuration management," he says.
For example, the SANS Institute found that, in mid-1999, as many as 50% of Domain Name System servers were running vulnerable copies of the popular Berkeley Internet Name Domain program. Yet this same warning appears on the list today. Much the same can be said of others: An FTP vulnerability, called FTP Bounce, was reported in 1997. A malicious Visual Basic Script, known as network.vbs, was discovered in March. A vulnerability in the rpc.statd command found in several Linux variants was discovered in August. If you run any of this software, you have no excuse for not patching these holes.
You also have no justification for not configuring firewalls to block Internet Control Message Protocol (ICMP) pings originating externally, Cox says. It's well known that numerous attacks tunnel through in that protocol's echo reply. You should also block outgoing ICMP pings, lest your network be an accessory in a distributed denial-of-service attack.
While security consultants will happily take your money to find such obvious flaws, why not better apply your cash and their talents?
Best-kept secret No. 2: Contrary to common practice, scanning for vulnerabilities and patching holes does not constitute good Internet security.
Even if you check for vulnerabilities and are vigilant about security software upgrades, don't assume you're doing Internet security right, says Ian Poynter, founder of Jerboa, a security consulting firm in Cambridge, Mass. He believes this "find-and-fix" method serves the security industry's need for profit more than it serves a company's need for protection. With find and fix, vulnerabilities are identified via an attack or by antivirus, intrusion-detection and other so-called preventative software tools. The result is a never-ending spiral -- hackers keep inventing new ways to attack, and you're constantly investing in updated security tools.
Poynter contends it is better to apply the concepts of hardware reliability engineering to Internet-related network security. A hardware vendor can calculate the probable mean time between failures for each system component and thus the device itself. Using those calculations, corporate network managers schedule upgrades or architect redundancies, preventing failures.
Apply those methods to network security and you get true prevention rather than reaction, Poynter says. "We're trying to come up with a scientific approach to Internet security."
With this form of systems engineering, a security manager creates actuarial tables that list probabilities of an Internet attack for any given device or network segment. These tables guide the security manager in how, when, where and what type of security to apply to the network. It's like an insurance company that calculates risk factors to determine a customer's cost.
Systems-engineered security is designed in, rather than added on. Like the self-healing network IBM is building system-engineered security disallows unsanctioned software or network device outputs.
You can systems-engineer existing networks and applications, not just new ones.
To do that, you would profile the targeted network by creating a detailed schematic of external connections and the percentage of traffic every device receives from untrusted sources. Next, you would run several algorithms to ascertain statistical risk. For instance, Poynter uses a formula that produces a vulnerability measurement by multiplying a system's exposure by the value of the information at risk.
