[ISN] Net attacks much less frequent than many fear

From: <jericho_at_dimensional.com>
Date: Wed 08 Apr 1998 - 19:22:03 CDT
Posted at 6:47 a.m. PDT Wednesday, April 8, 1998 

Net attacks much less frequent than many fear
                                                    
BY PETER WEISS
Contra Costa Times

LIVERMORE, Calif. -- He used to fly F-16 fighters, but now he is a Top Gun
of the Internet. 

John Howard, one of Sandia/California National Laboratories' newest
employees, is the man with the goods on cyberspace mischief. 

The truth, he says, is that the dangers have been overplayed for the average
Internet user. 

The computer scientist, who has done some groundbreaking research on
Internet attacks, believes people are being needlessly scared --
especially from doing business online -- and are wasting money on Internet
security books and services to help them deal with the supposed danger. 

``Unlike what you might read in the press and in some books, the Internet
is a pretty safe place,'' said the compact, solidly built former Air Force
major whose hair is sheared to within a fraction of an inch of his scalp. 

The network security researcher says a few precautions are in order -- a
well-chosen password, regular backups of data and virus protection. In
most cases, with those you should be OK, he says. 

Howard, 44, is the first researcher to ever study the full records on
Internet attacks compiled from 1989 to 1995 by one of the world's largest
Internet security teams, known by the acronym CERT/CC. 

In the process, he has also begun compiling a ``common language'' for
computer attack reporting that might help shore up the nation's defenses
against a possible, coordinated cyberassault on U.S. computer systems --
a growing concern at the highest levels of government. 

In February, U.S. Attorney General Janet Reno highlighted that danger in a
talk at Lawrence Livermore Laboratory. 

Based on his study, Howard contends that not only are attacks less
frequent on the Internet than is generally believed, but that few assaults
of any significance escape the notice of the security squads, such as
CERT/CC. 

His analysis shows no more than 2.5 million attacks in 1995, for instance,
whereas other experts have estimated the number as high as 900 million. Of
the worst Internet security crises in the same year -- those that involved
dozens of sites over a period of weeks -- no more than 4 percent could
have gone undetected by CERT/CC, he claims. 

Howard admits that CERT/CC's records leave out an important sector --
banking and finance -- but he says he thinks there too, few, if any, major
security breaches occur without response teams knowing. 

Howard details his work in a 292-page doctoral dissertation which CERT/CC
has made available -- in full text -- on its World Wide Web site,
http://www.cert.org. The study has received an extraordinary welcome,
especially for a dissertation, although some experts question parts of it. 

Georgetown University computer security pioneer Dorothy Denning, for
instance, called Howard's thesis ``the only really detailed study of these
Internet incidents that anyone has done.''

Co-author of the 1997 book ``Internet Besieged,'' Denning said she agrees
with Howard that the Internet is safer than many people say but suspects he
might have underestimated the magnitude of attacks. 

CERT/CC has told Howard his dissertation is the most popular item on its
Web site, he said. Howard has also received, and filled, hundreds of
requests for paper copies. 

Pleased with the recognition, Howard says he was in the right place at the
right time -- a career-changer who went back to school six years ago as a
doctoral candidate at Carnegie Mellon University in Pittsburgh, which
happens to be CERT/CC's home. 

Although he was a fighter pilot for 11 years, Howard was no stranger to
the rigors of academic research, particularly in technological fields. An
Air Force Academy graduate, he already had master's degrees in both
aeronautical engineering and political science. 

Thinking that attacks on military computers might be fodder for a
dissertation, he went to the response team looking for Internet security
statistics. But he found they had no answers, only similar questions,
because no one had ever systematically reviewed CERT/CC's records dating
back to the team's founding as the first computer response squad in late 1988. 

It took a while to win the confidence of the guardians of CERT/CC's
confidential files, Howard said, but soon he was hard at work on the
review. 

Today, Howard continues the task -- dividing his time roughly equally
between Sandia, which recruited him in August, and CERT/CC, where he is
now studying Internet attack records from 1995 to now. 

For now, the cross-country commute suits him fine, Howard said. His wife
and four teen-age children will be in Pittsburgh until next summer, when
they are slated to join him here. 

Probability of Internet attack within a year vs. other risks:

OCCURRENCE, PROBABILITY:

Convenience store robbery, 2 in 3

Computer hard disk failure, 1 in 75

100-year flood, 1 in 100

Serious structural fire (New York City), 1 in 220

Internet break-in where attacker gains control of computer, 1 in 540

Chance of death in car wreck, 1 in 6,250

Chance of death in fire (NYC), 1 in 40,000


Source: Analysis of security incidents on the Internet 1989-1995


-o-
Subscribe: mail majordomo@sekurity.org with "subscribe isn".
Today's ISN Sponsor: Dimensional Communications (www.dim.com)
Received on Thu Apr 9 09:12:44 1998