Forwarded From: William Knowles <erehwon@kizmiaz.dis.org>
http://www.govexec.com/features/0499/0499s1.htm
(GovExec.com) [April 1999] Every 20 minutes someone tries to penetrate a
Defense Department computer network. But not all of the intruders are
outsiders. Defense officials are increasingly concerned about trusted
employees seeking restricted data. Just as troubling is that many
intrusions could be prevented if workers followed basic security
procedures. While computers have become central to agency operations
across government, security has not.
A case in point: A few months ago, 27-year-old computer whiz Shawn Key
hacked into a federal agency's computer network. (He spoke about the
agency on the condition that it not be identified.) For national security
purposes, the office Key broke into was supposed to have no more than a
handful of carefully controlled modems through which employees could
access the Internet. Instead, Key found more than 500 modems on the
system—a mother lode for any hacker intent on wreaking havoc. Just days
before the modems were discovered, network administrators had issued an
order expressly forbidding the use of extraneous modems.
Fortunately for the agency, Key is what he calls an "ethical hacker,"
working to protect organizations against intrusions by "nonethical
hackers": disgruntled employees, precocious teen-agers trying to embarrass
institutions by posting electronic graffiti, and terrorists intent on
damaging national security. As a systems engineer at the computer security
firm J.G. Van Dyke and Associates in Bethesda, Md., Key's job is to probe
client computer systems for security breaches. And there are plenty of
breaches at federal agencies.
In recent months, Key says, he has repeatedly hacked into federal computer
systems where the network administrator's password was blank, essentially
giving him—and any other hacker—a key to the network and all the data
managed there. With such access, a hacker could shut down the system,
install or delete software, read, modify or delete data, and cover his
tracks, avoiding detection altogether. As for the 500 excess modems Key
recently encountered, agency employees were probably plugging laptop
computers with built-in modems into phone jacks at their desks to connect
to the Internet, he says, not realizing they were compromising security.
The vulnerability of federal agencies to computer attacks is growing, says
Michael Vatis, director of the FBI's National Infrastructure Protection
Center, one of several new government organizations established in the
last year to shore up computer security in both the public and private
sectors. NIPC's mission is to detect, deter, assess, warn of, respond to,
and investigate intrusions and illegal acts that target or involve
critical infrastructures. As such, it is the government's central
coordinating authority for responding to cyber threats.
"Unfortunately, this is definitely a growth industry," Vatis says. "Every
year the number of people using the Internet increases massively. That
means there are more illegal intrusions and I think a lot of the more
serious threats out there are beginning to see the utility of cyber
weapons—whether we're talking about organized crime groups, terrorists,
foreign intelligence services or foreign militaries. The problem is just
going to grow more and more."
Protecting information on computer networks in the federal government is a
vast and complex undertaking, because agencies have become dependent on
computers for almost all of their day-to-day business operations. Networks
have grown so fast in recent years that very few administrators fully
understand the systems they are supposed to manage. Rapidly changing
technology and employee turnover make it virtually impossible to keep
agency personnel appropriately trained to deal with intrusions on their
networks. At the same time, the government's growing reliance on data
networks increases its vulnerability to hackers by exposing agencies to
more points of entry, many beyond managers' control.
Insider Threat
Such vulnerability is keenly felt at Defense and intelligence agencies.
"We have found that almost anyone with a computer and modem can use
specialized malicious software and tools and attempt to disrupt our
network operations and make it difficult for us to effectively carry out
our missions," says Air Force Maj. Gen. John H. Campbell, commander of
the Pentagon's Joint Task Force for Computer Network Defense, an interim
office established in January to coordinate DoD responses to cyber
threats. "It isn't just our classified data and systems that require
security, it is also our unclassified but sensitive data, such as payroll
and acquisition information."
"Traditional geographical boundaries do not exist in cyberspace and the
size of the area of operations is unbounded," says Campbell. "Since so
many of our computer systems are interconnected, threats to one seemingly
isolated computer system can potentially become a threat to multiple
computer systems."
Deputy Defense Secretary John Hamre told members of the House Armed
Services Committee's research and development panel at a closed hearing
Feb. 23 that it is not a question of whether there will be an electronic
equivalent of the sneak attack on Pearl Harbor but when such an attack
will occur. In an interview with Defense News, panel chairman Rep. Curt
Weldon said Hamre told the panel that Defense computer systems were then
under a significant, organized attack. Hamre told Government Executive he
could not discuss the attack, citing an ongoing investigation with the
FBI. In the unclassified version of Hamre's statement to the committee,
he wrote, "I am very concerned about our ability to defend the information
systems that make actual offensive operations possible."
Hamre noted that, "We are increasingly concerned about those who have
legitimate access to our networks—the trusted insider. . . . I cannot
emphasize strongly enough the seriousness of the insider threat to our
information systems and, through those systems, to the department's
operations." One security expert who works with both federal and private
sector organizations says that on average, as many as 70 percent of
intrusions come from inside an organization. Building and sustaining a
secure information infrastructure is a challenge across the federal
government.
Last September, the General Accounting Office reported significant
information security weaknesses in each of the 24 largest federal
agencies. Inadequately restricted access to sensitive data and other
weaknesses "place critical government operations, such as national
defense, tax collection, law enforcement and benefit payments, as well as
the assets associated with these operations, at great risk of fraud,
disruption and inappropriate disclosures. In addition, many intrusions or
other potentially malicious acts could be occurring but going undetected
because agencies have not implemented effective controls to identify
suspicious activity on their networks and computer systems."
GAO auditors demonstrated such weaknesses last year after the Senate
Governmental Affairs Committee asked them to assess whether the State
Department's unclassified information systems were susceptible to
unauthorized access. The answer, GAO found, was an overwhelming yes.
Auditors penetrated State's computer systems through internal network
security controls, Internet gateways and public information servers.
By simply walking into unsecured facilities, auditors were able to
download files that contained password lists. In one unlocked area,
auditors accessed a local area network server where they obtained
administrator-level access, known as "superuser" access, giving them total
control of the system's operations and security functions. After gaining
such access on several different operating platforms, including UNIX and
Windows NT, auditors viewed international financial information, travel
arrangements, detailed network diagrams, employees' e-mail and other
sensitive data.
Social Engineering
"Our penetration tests were largely successful," said Gene Dodaro,
assistant comptroller general in GAO's accounting and information
management division, during testimony before the Senate committee last
May. State's computer systems were vulnerable to just about anybody
determined to take advantage of them. "Without any passwords or specific
knowledge of State's systems, we successfully gained access to State's
networks through dial-in connections to modems," he said. "Having obtained
this access, we could have modified, stolen, downloaded or deleted
important data; shut down services; and monitored network traffic, such as
e-mail and data files."
"Unauthorized deletion or alteration of data could enable known criminals,
terrorists and other dangerous individuals to enter the United States.
Personnel information concerning approximately 35,000 State employees
could be useful to foreign governments wishing to build personality
profiles on selected employees. Manipulation of financial data could
result in overpayments or underpayments to vendors, banks and individuals,
and inaccurate information being provided to agency managers and the
Congress. Furthermore, the overseas activities of other federal agencies
may be jeopardized to the extent they are supported by State systems,"
Dodaro said.
In some cases, auditors were able to obtain key information, such as
passwords, just by talking to employees, a technique computer specialists
refer to as "social engineering." According to Key, employees in many
organizations don't follow, or aren't aware of, basic security policies,
such as how to establish effective passwords. In other organizations,
security policies are nonexistent.
Computer security weaknesses are by no means limited to the State and
Defense departments. "This country is wide open to attack
electronically," Hamre told leading private-sector chief information
officers at the Fortune 500 CIO Forum in Aspen, Colo., last summer.
"We're vulnerable because of the enormous productivity improvements that
we've sought through information technology in the last 20 years," Hamre
said. "Increasingly, American business, in order to save money and to shed
itself of the cost of proprietary networks, is moving these systems onto
an Internet-based communications network. So we're finding increasingly,
America's businesses and utilities are controlling the infrastructure
through a technology that was never designed with security in mind."
Over the last decade, the Defense Department has followed suit, shifting
what were formerly government-controlled communications systems to
commercial systems. Defense officials estimate more than 95 percent of
military communications today take place over commercial networks. The
liability posed by such dependence became clear when the Pentagon
conducted an exercise known as "Eligible Receiver" in 1997. Using
off-the-shelf technology and software downloaded from hacker Web sites, a
team of about 20 employees from the National Security Agency hacked into
unclassified Pentagon computer systems. The surprise exercise, designed to
expose weaknesses in computer security, succeeded beyond the planners'
wildest expectations. Among other things, the exercise showed how hackers
might disrupt troop deployments.
"It was startling," Hamre said. "We didn't really let them take down the
power system in the country, but we made them prove that they knew how to
do it."
The 'Big Banana'
Between 1999 and 2002, the Defense Department plans to spend $3.6 billion
to address computer security issues. With 2 million computers, 100,000
local area networks and more than 100 long-distance networks, securing
information is a formidable challenge for the agency.
Arthur Money, the DoD's CIO and the Pentagon's point man for computer
security, says on an average day there are about 60 unauthorized
intrusions into Pentagon computer networks. Of those, about 60 a week are
serious enough to be considered attacks. In his testimony, Hamre said the
Defense Department detects "80 to 100 events daily. Of these,
approximately 10 will require detailed investigation." Whatever the exact
figure, it represents only what the Defense Department is able to detect,
which may be only a fraction of actual intrusions, security officials say,
because a good hacker can mask his comings and goings.
"Almost every intrusion is first viewed as a law enforcement issue," says
Money. "If it's a blatant national security problem and it's recognized as
that—recognizing when that's the case is the problem—we have the authority
to do what we need to do." As such, the Pentagon works closely with the
FBI in investigating intrusions.
One significant attack was detected in early February 1998, just eight
months after the Eligible Receiver exercise, when officials at the Air
Force's Information Warfare Center in San Antonio, Texas, spotted a
pattern of unauthorized entries into several different Defense networks
around the country. For days, the hackers led military and FBI security
experts on a computer crime chase around the world. The attack, which
coincided with the deployment of troops and equipment to the Persian Gulf
for a possible strike against Iraq, was believed by some at the time to be
an act of cyber warfare on the part of Iraq, especially after
investigators traced intrusions to computer servers in the Middle East.
When the hackers turned out to be two teens in California and one in
Israel, national security personnel were relieved—but only somewhat.
"Doesn't it scare you that we're finding kids who can do this stuff?"
asked Vatis when he testified about the attack before the Senate Judiciary
Committee's panel on technology, terrorism and government information last
June. "Doesn't it scare you to think that we may not know what people
with more sophisticated skills and resources are doing? The cases that we
are seeing are enough of an indication of our vulnerabilities to make us
realize that this is in fact a very serious problem."
A majority of hackers just want to test their skills, Vatis said. "They
see the Defense Department as the big banana, the final exam, the ultimate
challenge." As a result, the FBI spends a lot of time working with Defense
and intelligence agency officials.
Since Eligible Receiver and the teen attack last February, the Defense
Department has beefed up security significantly, Money says. "All the
services now have deployed intrusion detection devices, so we're much more
aware when intrusions happen. We were pretty wide open a year ago. We have
much better tools, so we have more scouts out, if you will, and
consequently we're finding more intrusions."
Growing Threat
It is impossible to gauge the true number of intrusions into federal
networks. There is no central repository for such information. In the
private sector, information indicating security weaknesses is closely
guarded. Nonetheless, there are indications that hacking is a growing
problem. An annual survey of public and private security specialists
conducted by the FBI and the Computer Security Institute, a professional
organization of computer security specialists based in San Francisco, has
shown dramatic increases in security breaches. Sixty-four percent of
respondents in 1998 reported intrusions in the previous 12 months, a 16
percent increase over 1997 survey results.
Law enforcement investigations have also increased. When the National
Infrastructure Protection Center was formed in February 1998, the FBI had
about 500 pending computer intrusion investigations. Today, there are more
than 650 such cases. There is also an increase in the number of intrusions
reported, says Vatis. "It could be that more are happening, it could be
that more are being noticed, or it could be that more are being reported.
It's likely all of those."
There is no single action agencies can take to protect their networks,
says Lt. Gen. William Campbell, the Army's director for command, control,
communications and computers. "It's a defense in depth. You need a series
of things, ranging from the mundane, such as having proper passwords, to
sophisticated intrusion detection devices."
There are three basic levels of managing security, he says, and all need
to be continually updated as technology changes. The first is establishing
security policies and procedures—and enforcing them. The second is
implementing effective training programs for the lowest-level users
through systems administrators. Finally, agencies must continue to refine
their network architectures and incorporate protection technologies.
While the Pentagon is investing more resources in network security,
hackers are also getting more sophisticated, says Vice Adm. Robert Natter,
director of space, information warfare, command and control for the Navy.
But he argues that the military must not shy away from commercial
technology because of the security threat. Instead, he says, DoD should
continue to invest heavily in countermeasures. "I compare this technology,
where it is today, with the biplane. If we had walked away from that
technology because it crashed a lot, we wouldn't be flying jetliners
today. It's very fragile, it's very susceptible to problems, to nefarious
attempts to get into it, but we need to face up to that, invest in
combating it and move forward."
Received on Sat Apr 3 10:56:39 1999