Security: Trends and Perspectives

We'll start this section with a summary of computer industry trends in the context of computer crime.

What's Been Happening in the Computer Industry

Like the Internet, computer crime continues to be a growth industry. Hackers and vandals discover and create innovative—and often all too simple—techniques for disrupting computer systems around the world. It seems like the computer security industry is always one step behind the criminals, playing catch-up in response to new intrusions and virus infections.

The following sidebar summarizes the results of the "1999 CSI/FBI Computer Crime and Security Survey" undertaken by the Computer Security Institute (CSI) and the FBI. These results underscore the magnitude of the computer security problem in this country.

"1999 CSI/FBI Computer Crime and Security Survey"

From the "1999 CSI/FBI Computer Crime and Security Survey":

For the third year in a row:

  • System penetration by outsiders increased, with 30 percent of survey respondents reporting intrusions.
  • The number of respondents who identified their Internet connection as a frequent point of attack increased from 37 percent in 1996 to 57 percent in 1999.
  • Unauthorized use by insiders increased, with 55 percent of respondents reporting incidents.
  • Financial losses due to security breaches exceeded $100 million. Note: Of the 51 percent who reported losses, only 31 percent could quantify these losses.

Types of crimes reported by survey participants:

  • Denial-of-service (DoS) attacks reported by 32 percent of participants.
  • Sabotage of data or networks reported by 19 percent.
  • Financial fraud reported by 14 percent.
  • Abuse of Internet access (for example, downloading pirated software or pornography, and inappropriate use of e-mail systems) reported by 97 percent.
  • Virus contamination reported by 90 percent.
  • Laptop computer theft reported by 69 percent.

The Nature of the Beast

It's obvious from the statistics presented in the "1999 CSI/FBI Computer Crime and Security Survey" that many businesses aren't coping well with computer security or still aren't "getting it." Why not?

There are many reasons for the alarming trends identified in the survey, including:

  • The complexity of the problem
  • The scope and volume of the problem
  • Misunderstanding the nature of the solution
  • Ownership of the problem

The Complexity of the Problem

There has been exponential growth in the complexity—and inherent vulnerabilities—of computer systems over the past several years. Computer system complexity has been exacerbated by the broad acceptance of the Internet as a networking platform for business computing. The growing complexity of this computing environment means that products are becoming less secure rather than more secure.

The Scope and Volume of the Problem

At the same time that the Internet gave businesses global access to customers and other businesses, it also gave users around the world access to these same businesses and their computer systems. The increase in the number of attackers worked in combination with the rapid growth of Internet-based computing to put IT staff in an untenable situation, one in which support demands, particularly in the area of security, far outstripped available resources and capabilities. Hackers and vandals, on the other hand, were unhindered by bureaucracy and budgets and had an unlimited number of targets from which to choose. From the outset, security professionals and system administrators were forced into a catch-up role, a role that still persists today.

Jim Magadych, security research manager with Network Associates, observed: "There are a lot of system administrators out there that are aware that security holes exist in their systems, but they see the alerts coming out daily and are overwhelmed by sheer numbers." As a result, security fixes often don't get applied. According to a CMPnet (http://www.cmpnet.com) security task force, at least three-quarters of the businesses connected to the Internet have at least one of 20 known security holes.

Misunderstanding the Nature of the Solution

Even today, years after the Internet was adopted by mainstream businesses, many of the business managers and system administrators for these companies still believe that their systems are safe simply because they have a firewall. Nothing could be farther from the truth. Reliance on a purely technical solution—particularly if it's flawed or poorly configured and implemented—is no solution. Numerous security professionals have noted that an effective security system is not simply a product but an appropriate combination of products and processes that are designed to meet the needs of an individual organization.

Ownership of the Problem

An organization's staff members, from the CEO to the most junior office worker, have to share the burden of the security problem. Computer security is everyone's responsibility, not just that of the individual or individuals who have formal responsibility for corporate computer security.

One writer equates user responsibility for computer security to employee responsibility for making sure the door is locked when they leave the building at the end of the work day—regardless of whether or not it's part of their job description.

Insights From the Experts

The SANS (System Administration, Networking, and Security) Institute, working with experts from more than 40 private and public sector security research and practitioner groups, compiled several lists of security-related items for managers and IT professionals to consider when dealing with security in their organizations.

But before examining "The Ten Worst Security Mistakes Information Technology People Make" and "The Ten Most Critical Internet Security Threats" that the SANS Institute published, let's see what attendees at a large security conference identified as the top seven mistakes that managers made in the area of security.

The Seven Top Management Errors that Lead to Computer Security Vulnerabilities

The 1,850 computer security experts and managers attending the SANS99 and Federal Computer Security Conferences compiled this list of management errors:

  1. Assign untrained people to maintain security and provide neither the training nor the time to make it possible to do the job.
  2. Fail to understand the relationship of information security to the business problem—they understand physical security but do not see the consequences of poor information security.
  3. Fail to deal with the operational aspects of security—make a few fixes and then not allow the follow-through that is necessary to ensure the problems stay fixed.
  4. Rely primarily on a firewall.
  5. Fail to realize how much money their information and organizational reputations are worth.
  6. Authorize reactive, short-term fixes so problems re-emerge rapidly.
  7. Pretend the problem will go away if they ignore it.

Management security mistakes are frequently compounded by mistakes made by the IT professionals in their organization, as the next section illustrates.

The Ten Worst Security Mistakes Information Technology People Make

The 10 worst mistakes identified by the experts are:

  1. Connecting systems to the Internet before hardening them (removing unnecessary services and patching necessary ones).
  2. Connecting test systems to the Internet with default accounts/passwords.
  3. Failing to update systems when security vulnerabilities are found and patches or upgrades are available.

    TIP

    Install and use the Microsoft Windows 2000 Internet Information Services 5.0 (IIS) hotfix checking tool, HFCheck. This tool allows administrators to ensure that their servers are up to date on all IIS security patches. The tool can be run continuously or periodically against the local computer or a remote one, using either a database on the Microsoft Web site or a locally hosted copy of the program. When the tool finds a patch that hasn't been installed, it can display a dialog box or write a warning to the Event Log.

    To obtain more information about this tool and download it, go to http://www.microsoft.com/technet/security/tools.asp

    WARNING

    Test your system(s) thoroughly after installing a software patch. Don't assume that simply applying the fix solves the problem. There may be other issues related to system configuration that need to be dealt with as well.

  4. Using Telnet and other unencrypted protocols for managing systems, routers, firewalls, and PKI (public key infrastructure) components.

    NOTE

    This issue of unencrypted Telnet traffic is important if you are using one of the load balancing devices described in Chapter 13, "Third-Party Load Balancer Support."

  5. Giving users passwords over the phone or changing user passwords in response to telephone or personal requests when the requestor is not authenticated.
  6. Failing to maintain and test backups.
  7. Running unnecessary services, especially ftpd, telnetd, finger, rpc, mail, and rservices.
  8. Implementing firewalls with rules that allow malicious or dangerous traffic—incoming or outgoing.
  9. Failing to implement or update virus detection software.
  10. Failing to educate users on what to look for and what to do when they see a potential security problem.

And a bonus...

  1. Allowing untrained, uncertified people to take responsibility for securing important systems. (Author's note: This item is a recurring theme in most security surveys and articles.)

The Ten Most Critical Internet Security Threats

In the wake of the distributed denial-of-service (DDoS) attacks that brought down eight major Web sites in a week, the SANS Institute started soliciting input from security experts in February 2000. The entries in "The Ten Most Critical Internet Security Threats" list are the results of a consensus between almost 50 experts from companies, universities, and such government agencies as the National Security Agency and the Department of Defense. It is intended to give system administrators who are looking to secure their systems a place to start.

The top 10 threats identified by the experts are:

  1. BIND weaknesses: nxt, qinv, and in.named allow immediate root compromise.
  2. Vulnerable Common Gateway Interface (CGI) programs and application extensions (for example, Cold Fusion) installed on Web servers.
  3. RPC weaknesses in rpc.ttdbserverd (Tooltalk), rpc.cmsd (Calendar Manager), and rpc.statd that allow immediate root compromise.
  4. Remote Data Services (RDS) security hole in IIS.
  5. Sendmail buffer overflow weaknesses, pipe attacks, and MIMEbo that allow immediate root compromise.
  6. Sadmind and Mountd.
  7. Global file sharing and inappropriate information sharing via NetBIOS and Microsoft Windows NT ports 135-139 (445 in Windows 2000), or UNIX network file system (NFS) exports on port 2049, or Macintosh Web sharing or Appleshare/IP on ports 80, 427, and 548.
  8. User identifiers, especially root/administrator with no passwords or weak passwords.
  9. Internet Message Access Protocol (IMAP) and Post Office Protocol (POP) buffer overflows or incorrect configuration.
  10. Default Simple Network Management Protocol (SNMP) community strings set to 'public' and 'private'.
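Several entries in the two SANS lists above (items 4 and 7 of the "worst mistakes" list, and items 1, 3, 5, 7, 9 and 10 of the threat list) come down to the same question for an administrator: which of these services is my machine actually exposing to the network? The following Python script is an added example, not code from the Resource Kit or from SANS. It parses the output of `netstat -an` in both the Windows and Linux layouts, keeps only sockets that accept traffic from other hosts (non-loopback TCP listeners and any bound UDP socket), and reports those on the ports the lists name. The ports 135-139, 445, 2049, 427 and 548 are quoted in the threat list itself; the other port numbers are the standard IANA assignments for the daemons the lists name (telnet, ftp, finger, portmapper, Sendmail, BIND, POP, IMAP, SNMP) and are supplied here as an assumption. The sample netstat lines are constructed for the example and mix both formats deliberately to show the parser handling each.

```python
"""Audit netstat output for the services the SANS lists single out.

Added example; not part of the Resource Kit text or any SANS tool.
"""
import re
from typing import NamedTuple


class Finding(NamedTuple):
    proto: str
    local_addr: str
    port: int
    service: str


# Ports 135-139, 445, 2049, 427 and 548 are quoted in the SANS threat list.
# The remaining entries are the standard IANA ports for daemons the lists
# name; those numbers are an assumption of this example, not text from the page.
RISKY_PORTS = {
    21: "ftpd (worst mistake 7)",
    23: "telnetd (worst mistakes 4 and 7)",
    25: "sendmail (threat 5)",
    53: "BIND (threat 1)",
    79: "finger (worst mistake 7)",
    110: "POP (threat 9)",
    111: "RPC portmapper (threat 3)",
    143: "IMAP (threat 9)",
    161: "SNMP (threat 10)",
    427: "AppleShare/IP service location (threat 7)",
    548: "AppleShare/IP file sharing (threat 7)",
    2049: "NFS (threat 7)",
}
RISKY_PORTS.update({p: "NetBIOS/RPC ports 135-139 (threat 7)" for p in range(135, 140)})
RISKY_PORTS[445] = "SMB over TCP on Windows 2000 (threat 7)"

# One pattern covers both layouts:
#   Windows: "TCP    0.0.0.0:445            0.0.0.0:0              LISTENING"
#   Linux:   "tcp        0      0 0.0.0.0:2049   0.0.0.0:*   LISTEN"
# Groups: protocol, local address, local port, optional state column.
_SOCKET_RE = re.compile(
    r"^\s*(tcp|udp)6?\s+(?:\d+\s+\d+\s+)?"  # proto, optional Recv-Q/Send-Q (Linux)
    r"(\S+?):(\d+)\s+"                      # local address and port
    r"\S+"                                  # foreign address (ignored)
    r"(?:\s+(\S+))?\s*$",                   # state; absent for UDP
    re.IGNORECASE,
)

LOOPBACK = {"127.0.0.1", "::1", "localhost"}


def parse_netstat(text):
    """Yield (proto, local_addr, port, state) for each line that looks like a socket."""
    for line in text.splitlines():
        m = _SOCKET_RE.match(line)
        if not m:
            continue  # column headers and unrecognised lines are skipped
        proto, addr, port, state = m.groups()
        yield proto.lower(), addr, int(port), (state or "").upper()


def is_exposed_listener(proto, addr, state):
    """True when the socket can receive traffic from other hosts."""
    if addr in LOOPBACK:
        return False  # bound to loopback only: not reachable over the network
    if proto == "udp":
        return True   # bound UDP sockets carry no LISTEN state but still receive
    return state in ("LISTEN", "LISTENING")


def audit(text):
    """Return Finding entries for exposed listeners on risky ports, in input order."""
    findings = []
    for proto, addr, port, state in parse_netstat(text):
        if port in RISKY_PORTS and is_exposed_listener(proto, addr, state):
            findings.append(Finding(proto, addr, port, RISKY_PORTS[port]))
    return findings


# Constructed sample: Windows lines first, then Linux lines, in one blob so
# both parser branches are exercised. Not captured from a real host.
CONSTRUCTED_NETSTAT = """\
Proto  Local Address          Foreign Address        State
TCP    0.0.0.0:80             0.0.0.0:0              LISTENING
TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
TCP    192.168.1.10:139       192.168.1.20:1055      ESTABLISHED
UDP    0.0.0.0:161            *:*
tcp        0      0 0.0.0.0:2049            0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:23              0.0.0.0:*               LISTEN
tcp6       0      0 :::111                  :::*                    LISTEN
"""

if __name__ == "__main__":
    for f in audit(CONSTRUCTED_NETSTAT):
        print(f"{f.proto}/{f.port} bound to {f.local_addr}: {f.service}")
```

On the constructed input the script reports six exposures (135, 445, 161/udp, 2049, 23 and 111 on the IPv6 wildcard) and stays quiet about port 80, the established NetBIOS session, and the Sendmail listener bound to loopback. In practice you would pipe real `netstat -an` output into `audit()` and treat each finding as a service to remove, firewall, or justify in writing, which is exactly the follow-through the management-error list above says is usually missing.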

Alan Paller, director of research for the SANS Institute, says that this list gives administrators a set of priorities for dealing with security holes. With regard to the items in this list, he says, "This is probably 70 percent of the attacks occurring on the Internet. Even though (the list represents) 10 out of a large number of exploits, it's the majority of attacks."

Jim Magadych (Network Associates), a contributor to the report, says that by closing the holes identified in the top 10 list, companies "are protecting themselves against the largest number of intruders on the Internet, but also the least sophisticated—what we call ankle-biters."

NOTE

The SANS Institute also published "How to Eliminate the 10 Most Critical Security Threats," which can be downloaded from its Web site at http://www.sans.org.

Microsoft Application Center 2000 Resource Kit 2001
Year: 2004
Pages: 183