Dr. Ed Amoroso
Cyber Security: An Expert Opinion
© 2008 FrontLine Security (Vol 3, No 4)

Dr. Ed Amoroso, AT&T’s Chief Security Officer, with over 20 years in this field, was in Ottawa recently, speaking at a Cyber Security Conference by the Conference Board of Canada on Proactive Defence of Critical Systems and Information. An experienced and internationally respected Computer Engineer, Dr. Amoroso presented a clear picture of our overall cyber vulnerability and of what he described as our patchwork and ineffective reaction to it. His proposal suggested a major change to this situation, and he consented to answer FrontLine questions based on a Canadian perspective.

Q: Dr. Amoroso, while in Canada recently, in assessing the cyber activity of 20 April 2008, you postulated that potentially destructive Botnets could be used for Denial of Service (DOS) such as in Estonia in the Spring of 2007 or other nefarious purposes (see table 1). Is this a typical day, and what do you deem to be the key targets and sources of these threats: Foreign Government? Criminal? Competitive business focus?

I am pleased to be able to share what knowledge I have with your readers. This is a particularly pertinent question indeed.

This was just a sample day and quite average. In fact, this was only part of a random sampling on that day, and these were new ones that cropped up. On normal days we find a couple of dozen new ones and monitor several thousand at all times. From 2003 to 2005, you will recall, you would be warned of viruses and worms quite regularly by your security provider. These days threats have morphed to phishing and denial of service attacks from captured computers on these botnets. As I said, there are literally thousands out there.

Some are active in many domains obtaining information for criminal, business or other advantage. Others are dormant until they need to be used. We monitor them and take what actions are necessary to protect and forewarn our customers and friendly agencies. They can target just about anything. For instance, Storm Worm Botnet from Jan to Sep 2007 had an estimated 2.5 million captured computers to form the Botnet. You should put this in the perspective that a net of 250 could disrupt a business and one of 4,000 or more could disrupt major infrastructure such as electric power, water or gas in a major state or province.

Yes, it is a dangerous cyber-world out there and the security of our tools and the information itself is at vital risk in this age of new and evolving cyber threats.

Q: You have been quoted widely saying that the patchwork/firewall security systems that most employ are not only complicated, they are very vulnerable to such attacks. Could you explain to our readers by whom and how our computers should be secured?

Indeed, this must be put in context. Back in the ’90s there were not the different means and volumes of computer use we have today. For instance, one could characterize the Communications provider, be it Bell, AT&T or whomever, entering the business or institution on a single or at least controlled choke point into the local information network of 10 to 20 computers. Firewalls were designed for, and quite effective at, controlling the access in and out of this network at that choke point. With the advent of access by all to the World Wide Web and the mushrooming of platforms in everyone’s hands, firewalls are challenged by thousands of potential connections that could go out to distrusted sources, themselves multiplying continuously. Relying only on firewall protection is unwise in this environment. The firewall was a good device serving as a traffic cop on one road, but is incapable of maintaining security when the access roads continue to multiply. The firewalls have become so complex in most organizations as to render them even more vulnerable to volume attacks and to be easily overwhelmed and useless.

It is a bit like protecting yourself in a glass bubble with your computer, the bubble being the firewall, when now the cyber thief can enter the whole house without going into the bubble and pull the plug on the bubble and computer therein on his way out. In addition, there are thousands of variable access rules to each bubble within a house. There is much room for human error and technical weakness, let alone aggressive attack.

A new approach is needed. As all knowledgeable people in the Communications Security field would attest, this must be a multi-layered approach.

Instead of focusing on protecting multiple millions of guarded bubbles, in millions of homes, I have suggested that we produce a guarded community wherein the providers such as my company or major Canadian providers like Bell, Telus or Rogers be required to “clean the pipes” before sending these dangerous cyber-threats towards you to be screened by a complex and inadequate firewall.

Q: In discussing the failure to recognize the risk of attacks, and the consequences thereof, you have been quoted as saying: “There will be some set of catastrophes, then the lawyers will fight it out, and the question will come down to, ‘Who’s responsible if software flaws exploited over a network cause damage to society?’” And on the topic of present cost to Internet Service Providers of firewall/patchwork systems, you have said: “They typically get $50 or less a month from each subscriber. As zombies and malicious attacks proliferate, sucking up bandwidth and disrupting PC performance, consumers don’t call the phone company or Microsoft, they call the ISP. It costs $8 just to have a service rep pick up the phone, about $50 to roll out a service truck on a house call.”

These are very serious liabilities and infrastructure security risks here. How vulnerable are we, and how do you see this being handled internationally?

I think that I partially answered this earlier, in that I believe it is the responsibility of the major phone companies and the likes of Microsoft to “clean the pipes upstream” as a customer service for the whole system in principle. This will lessen the occurrence of these failings whereby the user and ISP will have left a minor number of bad software and technical failures to deal with and the available bandwidth should be greater.

Of course, other technical developments and realities occur as the systems and their use evolve. Take Facebook, for instance. This is a much-used social network that has one of the few securely encrypted one-to-one discussion platforms commercially available. Another reality is that the cell phone has fewer vulnerabilities than your standard PC. Some people are giving up the PC altogether and relying on the portable communication devices with text in lieu of classic email. The securing of the mobility cloud computing network, of which this forms part, is the present security challenge. We are already in another generation. Not only is the liability from vulnerability that you outlined still there, but the reality is that its resolution or mitigation is constantly changing. No doubt these features will be tested in the coming years and weaknesses will be found and amplified. The mitigation will reside largely with less software and the simplification of systems like smart phones.

We also have serious vulnerabilities to our major infrastructure control systems relying on the very vulnerable and web-based SCADA systems that can be potential prime targets for major botnets world-wide. These deserve major attention.

Q: As we are going through a major economic challenge world-wide, what is the threat of, and vulnerability to, cyber attacks on our financial business systems – and what would you recommend be done?

I believe that there is a serious public misconception here. In fact, the financial and banking sector has been at the forefront of cyber security from the beginning – as one of the three core partners, along with government and telecommunications. They are among the best at sharing solutions and have some of the best cryptography in the business. They also continue to attract the best and brightest in the computer security field. Notwithstanding the stories that crop up now and then, what is remarkable is how secure and reliable the new electronic way of doing business really is. Can you imagine any other way of transacting things these days… troubled though they are? These systems have been regularly subjected to botnets and other types of attacks, and have fared quite well.

Q: In your Canadian presentation, did you imply that these botnets could be attacked and taken down? Can you tell us more about the possible use of hackers as allies versus villains that you have suggested elsewhere along this vein?

Let me start by saying that most SPAM comes from botnets originating in port 425 DCP. In our previous discussion on security and cleaning the pipes we can indeed affect many of these through pro-active defence, but it is not “attacking the botnets” as you put it, but rather denying them access to what they need to be effective.

As to the hackers, notwithstanding the less-than-politically-correct jargon that they use and their unbridled enthusiasm in finding fault and even entering, altering or sometimes destroying data, I feel that they are a resource that we must co-opt and engage, lest we be caught short through professional vanity and, someday, consequently brought to account for major failure. I cannot but reflect upon the fact that it is that same undisciplined and raw enthusiasm which burns in them that attracted me to do what I have become reasonably good at doing. It does attract my son as well. Let them have a go and let us learn from what they achieve… better them than learning some surprise vulnerability from the hands of terrorists, criminals or other less than friendly groups.

Q: Any further reflections which you wish to leave our readers?

As a matter of fact, yes. Much of our security vulnerability, complexity and technical fragility comes from poorly designed software of all types. There is a need for standards for programmers and computer engineers, but it would be wonderful to have a type of Software Consumers Report available that we could all refer to. I know I would use it. I mean one dedicated to evaluating the best from the tons of products flooding the market for a myriad of applications. Just a thought.
