The Nature of Incidents


It is extremely difficult to predict how future incidents will differ from current trends because the data on current trends is so incomplete. Although some evidence might suggest that external attacks are becoming more common (as discussed in Chapter 10, "Responding to Insider Attacks"), personal experience tends to imply that insiders continue to dominate (at least among the most serious incidents). Recent years have seen a rise in virus and worm incidents and new motivations for attacks (such as "hacktivism").

Viruses and Worms

Viruses and worms are nothing new. In 1988, the Morris worm brought virtually the entire Internet to a halt. At that time, however, the Internet was restricted to a few government agencies and academic institutions. The effect on the average person or business was nonexistent. That insulation no longer exists.

Ten years after the Morris worm, the Melissa worm hit. Melissa was the first worm with the capability to spread itself over a network. Since then, variants and copies of this worm have emerged. All tend to infect the host computer and then spread by mailing infected emails to other computers. Most are programmed in Visual Basic. Although they are not technically viruses in that they do not infect a specific file or program, many do require that certain programs be installed in order to run. For example, both Melissa and the I Love You worm required Microsoft Outlook to propagate.

Although the antivirus community has been quick, in all of these cases, to develop tools to detect, quarantine, and clean these viruses, the rate at which they can spread is phenomenal. Company email servers have been crippled by the sheer volume of the attacks. Some companies have even disconnected their mail servers in an attempt to prevent the spread of the virus. This, however, both prevents users from getting antiviral updates and also accomplishes a complete denial-of-service attack against the corporate network. Even if the virus does not gain hold, the company is completely shut down for the period.

Virus writers (with the exception of Robert T. Morris) have traditionally been viewed by law enforcement as nuisances not worthy of prosecution. This has changed. The FBI launched massive investigations following the outbreaks of both Melissa and the Love Bug. This will almost certainly continue as new viruses emerge.

Insider Attacks

Chapter 10 discussed some recent statistics that tend to indicate that external attacks are becoming more prevalent. This might, in fact, be a function of better detection or the widespread virus/worm outbreaks in the last few years. Insider attacks are still recognized as the most potentially damaging for all the reasons previously given.

Because most office workers now have personal computers on their desktops, and most of these have connections both to the company network and the Internet, the potential for abuse is extraordinary. A malicious employee can use "tunneling" technology to send and receive encrypted data over open ports, regardless of the firewall configuration. These attacks are covered in more detail in Chapter 11, "The Human Side of Incident Response." They are almost impossible to detect and even more difficult to block.

Some corporations have expressed concern over the use of a secure sockets layer (SSL) in web sites because they cannot monitor the traffic. However, blocking SSL will raise concerns with employees because then they cannot access e-commerce sites or do online banking from their corporate computers. Even some news and informational sites require SSL. If a company chooses to do this, it must first establish a policy that states that the company computers and network connections are for business use only and that no personal use is allowed.

The trend, however, is in the other direction. Most companies accept some level of personal use, provided it does not impact business. Accepting this, however, does introduce some additional risk, and businesses must be prepared to address this.

New Internet services can also introduce risk. Yahoo! now offers a service called the Yahoo! Briefcase (http://briefcase.yahoo.com). This service allows users to store up to 30MB of files on Yahoo! servers, accessible anywhere from a web browser. If an employee wants to steal data from the organization, he or she can now do it through the web browser and download it later from outside the organization. It will be almost impossible to detect unless the organization is specifically looking for (or blocking) connections to these sites.

Another dangerous trend is the widespread use of personal systems (such as personal data assistants). Malicious users can download large amounts of data to these devices, which can be easily concealed and removed from the site. Some of these devices support wireless communication, either by wireless radio frequency modems or by infrared technology.

Also newly available are removable storage devices. For example, there are now devices that plug into the universal serial bus (USB) port on a computer. Agate Technologies (www.agatetech.com) makes a USB hard drive about the size of a key fob. When plugged into the USB port, it appears to the computer as an additional hard drive. These drives can hold up to 64MB of data.

External Attacks

The most recent trend in external attacks has been in denial of service. Security expert Bill Cheswick describes this as "the last computer security problem." [6] When all the patches are applied, when all the firewalls are in place, when all the software is completely secure, denial-of-service attacks are still possible.

[6] From a talk given by Bill Cheswick at the Cannes security conference. Copies of the slides were available on his web page at http://cm.bell-labs.com/who/ches/talks/index.html.

The CIA model discussed in Chapter 1 recognizes that information must be available to be useful. It is more than that, however. There are now businesses that have no physical presence to their customers outside of the Internet. The financial loss to an online merchant when customers cannot access the site is staggering. Individuals are now buying and selling stock over the Internet. Although it might be frustrating to one person not to be able to buy or sell, it could mean major losses for the brokerage houses. One can even postulate an incident in which a person can artificially manipulate a stock price simply by denying others the opportunity to trade.

The costs in lost revenue are difficult to measure when customers cannot get into the site to buy. The intangible losses, in which new customers simply decide to go somewhere else, cannot be quantified. Even organizations that do not directly do business over the Internet can be affected. Their employees cannot exchange email with clients or suppliers. They can't access patches or updated software. It is even possible that the loss of network connectivity might overload or slow other communications networks, and the phone service into a company might be affected.

Distributed denial-of-service attacks were discussed in earlier chapters. Until recently, a company under attack could simply add more capacity. It was likely that a corporation could quickly have more capacity than the attacker could overwhelm. With distributed attacks, however, an attacker can easily have more available bandwidth than the victim. As personal broadband systems become more widespread, the number of available agent computers increases dramatically. It will be easy for an attacker to compromise a few dozen home machines with DSL service and quickly overwhelm a T-1 connection. The suggestions in the following sidebar might help prevent these attacks, but they require that Internet service providers implement certain controls.

DDOS

Distributed denial-of-service attacks were described in earlier chapters. Here are a few steps that users, companies, and Internet service providers can take to help prevent these attacks or reduce their severity:

  1. Patch vulnerable systems and maintain the patch level. To use a system as a zombie, an attacker must first compromise it.

  2. Use antivirus software on personal computers. Although the attacks are not technically viruses, the attack techniques are often detected and blocked by AV software.

  3. Use a personal firewall on home-use systems. Do this especially if a personal system is always connected to the Internet through a cable modem or DSL. This software will also assist in blocking zombie attacks.

  4. Use ingress filtering on firewalls. A firewall should never accept packets that appear to come from either an internal address or a nonroutable address. This will block many of the spoofed packets.

  5. Use egress filtering on border routers. A border router should never allow outbound packets that do not appear to come from the internal network. This will help prevent internal computers from being used to launch attacks on other networks.

  6. Maintain a good relationship with service providers. If an attack is occurring, the ISP can block the traffic upstream or can divert traffic. An alternate ISP can also keep connectivity alive even during an attack.
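The ingress and egress rules in items 4 and 5 reduce to two source-address checks. The following is an added example, not code from the book, that applies both checks to a handful of constructed packets; the company prefix 203.0.113.0/24 and the list of non-routable ranges are assumptions chosen for illustration.

```python
import ipaddress

# Assumed for this example: the company's own public prefix (a documentation range).
INTERNAL_NETS = [ipaddress.ip_network("203.0.113.0/24")]

# Ranges that should never appear as a source on packets arriving from the Internet.
NONROUTABLE_NETS = [
    ipaddress.ip_network("10.0.0.0/8"),       # RFC 1918 private
    ipaddress.ip_network("172.16.0.0/12"),    # RFC 1918 private
    ipaddress.ip_network("192.168.0.0/16"),   # RFC 1918 private
    ipaddress.ip_network("127.0.0.0/8"),      # loopback
    ipaddress.ip_network("0.0.0.0/8"),        # "this" network
    ipaddress.ip_network("169.254.0.0/16"),   # link-local
    ipaddress.ip_network("224.0.0.0/4"),      # multicast: never a unicast source
    ipaddress.ip_network("240.0.0.0/4"),      # reserved
]

def _in_any(addr, nets):
    return any(addr in net for net in nets)

def ingress_filter(src):
    """Item 4: permit an inbound packet only if its source is neither internal nor non-routable."""
    addr = ipaddress.ip_address(src)
    return not (_in_any(addr, INTERNAL_NETS) or _in_any(addr, NONROUTABLE_NETS))

def egress_filter(src):
    """Item 5: permit an outbound packet only if its source is one of our own addresses."""
    return _in_any(ipaddress.ip_address(src), INTERNAL_NETS)

def apply_filters(packets):
    """packets: (direction, src, dst) tuples. Returns (verdict, src, dst, reason) per packet."""
    verdicts = []
    for direction, src, dst in packets:
        if direction == "in":
            ok, why = ingress_filter(src), "spoofed source on inbound packet"
        else:
            ok, why = egress_filter(src), "forged source on outbound packet (possible DDoS agent)"
        verdicts.append(("permit" if ok else "drop", src, dst, "" if ok else why))
    return verdicts

# Constructed sample traffic (documentation addresses), not captured data.
SAMPLE_PACKETS = [
    ("in",  "198.51.100.7", "203.0.113.10"),  # ordinary external client
    ("in",  "203.0.113.5",  "203.0.113.10"),  # claims to be one of our hosts
    ("in",  "10.1.2.3",     "203.0.113.10"),  # private source from the Internet
    ("out", "203.0.113.10", "198.51.100.7"),  # legitimate reply
    ("out", "192.0.2.44",   "198.51.100.7"),  # internal host sending a forged source
]

if __name__ == "__main__":
    for verdict in apply_filters(SAMPLE_PACKETS):
        print(verdict)
```

The same two checks are what a border router's access lists express; a "drop" on the outbound side is also worth logging, since it points at an internal machine that may already be acting as an agent.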

Another recent trend in external attacks has been to attack the corporation by compromising internal (or virtually internal) clients. For example, Microsoft had an incident in late 2000 in which a personal computer owned by a Microsoft employee and used to access the internal network was compromised by a trojan horse program. The attacker potentially had access to the entire internal Microsoft network through the company's own virtual private network.

Firewalls and external controls have become very robust and, provided that they are maintained and patched, all but impossible to breach. However, more companies are allowing employees to telecommute or are providing access to workers who travel. These computers are much more difficult to secure because the company does not have day-to-day control, and the computers might be exposed to any number of attacks, unprotected by any kind of firewall (or even an antivirus program). A trojan program can initiate connections or can wait for the VPN client to establish a tunnel and then gather information about the internal network or even spread itself to other computers. When the attacker has access to an internal computer, he or she can tunnel traffic in both directions over a permitted port such as HTTP.

Two Major Internet Incidents

In November of 1988, an Internet worm began spreading across what was then the ARPAnet. The worm used a bug in the UNIX sendmail program to gain root access to computers. If the program had been patched, it used a buffer overflow in the finger daemon. The program contained some rudimentary encryption in the source code to hide its commands and make reverse engineering more difficult. Over a period of about a week, the program spread to more than 2,000 computers, estimated to be approximately 10% of the ARPAnet at the time.

The program manifested itself by creating multiple connections to other networked computers. In doing so, it produced a large number of system processes, slowing the infected machines to a near halt. Investigators from the military community (the owner of ARPAnet), educational institutions, and law enforcement agencies worked to develop a countermeasure and to discover the identity of the author. The investigation was unprecedented and worked primarily through personal contacts. At the time of the incident, computer security was still an extremely small field, and specialists in it were rare. Almost everyone knew everyone else.

In early 1990, a jury in Syracuse, New York, found Robert T. Morris guilty of creating and spreading the worm. He was sentenced to probation, community service, and a fine.

The first week of May 2000, a computer virus called the Love Bug began spreading across personal computers. The program was technically a worm, not a virus, because it did not actually infect another program. The worm spread by sending infected emails of itself, with the subject line "I Love You", to all members of a computer's address book. It also changed the user's Internet home page and downloaded and installed an executable program.

Reaction to this worm was swift. The major antivirus vendors issued updates to their products within hours of its release. Corporations instituted quarantine programs to isolate infected computers and to filter out suspected emails. Although the worm still spread quickly, infection rates varied widely. Personal users were hit heavily, as were some companies and government organizations; others were virtually unaffected.

The U.S. Federal Bureau of Investigation immediately began an investigation of the incident. Working with Interpol, it traced the probable source of the program to the Philippines. It then coordinated with the Philippines National Bureau of Investigation to arrest a suspect within a week. That suspect was charged in the incident, although the charges were eventually dropped based on the lack of applicable laws in the Philippines.

The contrast between these two incidents is striking. Although both were massive denial-of-service attacks against the Internet, the Morris worm was investigated primarily by amateurs. There was no dedicated computer crime section in the FBI, and few organizations had incident response teams. The Love Bug, however, had immediate attention by dedicated computer crime investigators worldwide. International cooperation was significant, whereas it was not a major factor in the Morris incident. Finally, although the Morris worm infected a larger percentage of the Internet, the all-pervasive nature of the network in the year 2000 ensured that a much greater number of users were affected, even if it was only by a network slowdown trying to get email or access virus update files.

Incident Response: A Strategic Guide to Handling System and Network Security Breaches
ISBN: 1578702569
Year: 2002
Pages: 103