Brian Rexrod
Cybersecurity & Cooperation
© 2010 FrontLine Security (Vol 5, No 1)

Q: How much damage can be mitigated if major companies such as Microsoft, AT&T, or, in Canada, Rogers, Bell and Telus provide the security before it reaches the user as your Chief of Security suggested last year?

A significant portion of these threats can be averted by network services providers. There are some categories where a network service provider is best suited to provide security services. There are numerous reasons for this:

  1. The network generates data that can be profiled and analyzed for anomalies that may be leading indicators of threats that are developing on the Internet. A large network service provider has a good vantage point to identify new threats and incorporate mechanisms to counteract them well before most network users can see them.
  2. Providers of private enterprise services can analyze the same types of data for both internal and external threats. Their customers can minimize their need to implement separate internal network protections to supplement Internet gateway solutions.
  3. Many providers control huge amounts of bandwidth in the core network where flooding attacks can be routed away from smaller bandwidth customer access links.
  4. The network represents a huge processing infrastructure that can be used to help provide the security services needed.

Q: Is this happening? What successes are you aware of?

Absolutely, network service providers are increasing these security services. The effectiveness and supplemental security services offerings provided by an ISP are an important differentiator in a highly competitive market. The most advanced security services are generally introduced in the business enterprise markets as supplemental services. They are implemented as supplemental services to help maintain competitive pricing for basic network services and to establish a concise agreement with customers with respect to how the customer’s traffic should be treated. Network-based security service offerings that are available through leading providers include:

  • Direct Denial of Service Defence, which can detect and filter flooding attacks in the network, where significant amounts of bandwidth are available to steer attacks away from target victims.
  • Network-based Firewall services, which provide filtering of network packet activity before reaching customer boundaries based on ports, protocols, IP addresses, and even web URLs.
  • Email scanning services, which screen email content for malware attachments, malicious Internet links, and spam.
  • Various network flow analysis services can analyze Internet and private enterprise network activity for security threats without customers having to deploy services on their premises.
  • Security analysis and operations services provide 24/7 network security monitoring, analytical support, and incident response capabilities. This service brings to customers the advantages of their network providers’ security expertise and merges it with their network operations disciplines.

Many network users are unaware of their need for security protections. This category of customer is the most difficult to help. A large majority of these customers (100s of millions) are consumers or in the small business category where there is no formally trained IT staff. This suggests the services must be very low cost and must scale very efficiently. There is progress here as well. Message Labs reports 81% of email is spam. There is likely a larger proportion of spam targeting consumer email addresses. Yet consumers of most mainstream ISPs receive a minuscule fraction of that spam due to free and automatic anti-virus and anti-spam mail screening in the network. ISPs generally provide the opportunity to opt out from this service, but I don’t know why anyone would want to. Other service options that should be provided in the network are continually being investigated, and, in the meantime, major providers offer anti-virus and web screening tools that customers can use for free.

With all this progress, there is more to be done. For example, Microsoft has a particular role as a software provider on most computers that are most subject to security problems. In my opinion, one of the most significant developments in recent years has been implementation of auto-update features in operating systems and applications. This capability significantly reduces the window of opportunity between the time a vulnerability is discovered and the time when the vulnerability can be readily exploited. Newer versions of Microsoft’s operating systems highly encourage auto-update for the operating system and their provided applications. Other operating system providers have followed suit. However, many applications that are responsible for introducing vulnerabilities still do not incorporate effective update capabilities. Many users remain resistant to using auto-update, which places them at greater risk.

As long as there is motive (financial gain), malicious activities will continue. As vulnerabilities in computers are closed, the trend has moved more to using legitimate tools to deceive users.

One of the early forms of this was the “pop-up spam.” It used a little known messaging service to create a pop-up window on a user’s screen stating that your machine was infected and needed to be cleaned. The pop-up window provided a link to a site that would purportedly help. Those following the link were subject to malware or questionable anti-virus tools. The pop-up would occur not once, but perhaps 10 or 15 times. You would then be subject to saying: “Well maybe I really need to do this ...” and you would become a victim! These deception attacks, unbeknownst to you at your desk, are being done 100s of millions of times rather than dozens of times.

One of the recent and more devious botnets propagating now is called Koobface. Koobface impersonates legitimate users on social networking applications like Facebook. It shares malicious links with that user’s friends. The tendency of course is for friends to trust links provided by other friends, and consequently, the user can become easily infected. Once infected, your computer becomes part of a botnet which can be used for other malicious acts, and your user account is used to continue propagating the infection.

These types of attacks have been very successful for the botnet operators. Pervasiveness of this attack is incredibly widespread and diversified, making them difficult to stop. There is a deliberate diversification in the way botnets structure themselves in a variety of ways, which make it difficult for any one organization to mitigate the threat. As you see, the analysis suggests this botnet is dominant throughout North America including Canada. We suspect this is due partly to the use of the English language, but the apparent distribution could also be influenced by attributes of our analysis methods.

Another series of botnets called Zeus uses deceptive techniques to infect users’ computers. Once a machine is infected, it will then start transferring funds invisible to the operator whenever any banking or commercial transaction is undertaken by him or her henceforth. They are not out to steal passwords necessarily, though they could, they are using the authentication that you have already performed and are able to bypass the security at your bank for as long as you are logged in.

Threats like this diminish the value of the services, and consequently application operators inherit new challenges to help identify malicious use and control them. As in any arms race, the counter-measures tend to lag a little behind the attacks.

This is an arms race. Botnet operators and other malicious actors attempt to counteract or steer around each countermeasure that is put in place. As said, as long as there is motive and means, the malicious activities will continue. Much greater deterrence is needed against use of computers and networks in malicious acts. My recommendation is that we need a more formalized cooperative effort. Industry has some ad-hoc groups that exchange threat information and cooperatively counteract threats. And there are some relatively small scale cooperatives with Government to share very high-level threat information. But the activities are far from robust and participation is very spotty. And as we have seen from the Koobface botnet example, this is not only a network service provider challenge; it includes challenges in software quality, and web application abuses, and general user vigilance. There needs to be stronger backing in the public domain to really support a strong cooperative. We must really strengthen the criminal pursuit of these cases.

Q: How do you see working with law enforcement organizations?

Dozens of the botnets being tracked are capable of taking down a medium or large sized business through flooding attacks, and a few of these could take down a major infrastructure system just through brute force of volume -- not with anything clever per se. I postulate that criminals will gravitate to sources of money, state sponsored threats will tend to target critical assets, and terrorist threats will prefer to target high-visibility assets. However, criminal botnets can be (and are) paid to perform any of these objectives.

Underlying all of this, botnets that perform criminal, state sponsored, or terrorist acts are invariably created by committing massive numbers of computer penetration crimes such as network exploitation and installing deceptive Trojans. Only very, very rarely are these individual penetration crimes reported; we have become numb to the notion of computer penetrations being considered serious crimes, but they are. And among the very few that are reported, there is little to no means to effectively correlate the huge numbers of individual crimes with any sort of coordinated effort such as creating a botnet. And the botnets themselves are intentionally designed to remain stealthy to the individuals that are infected.

Consequently, law enforcement organizations cannot do anything about something of which they are unaware. Effective ways are needed to make them aware of the many crimes that are committed to create a botnet. There needs to be a significant effort to help automate the criminal investigation methods. This effort obviously requires a strong emphasis on protecting privacy while motivating private-sector service providers to produce innovations and competitive service improvements for users.

Botnets do not respect regional or national boundaries. In fact, as the Koobface example shows, they deliberately will diversify across these jurisdictional boundaries to help thwart investigation. I believe that it is imperative that all jurisdictions pursue aggressive criminal investigation and that we work together globally to establish appropriate information exchange as well as national and international cooperation on malicious botnet intelligence. Together, we need to investigate the technical and monetary trails and diminish the motivation for operating botnets.

Finally both the private and public sectors should be encouraged to purchase network services from network, software, and application service providers that are part of the solution.

Q: This brings up the issue of secure operating systems for large infrastructure and the vulnerability of open source SCADA control systems. What are your thoughts?

There are certainly ways of making the SCADA protocol more secure, but we also need to recognize there is really no such thing as an absolutely secure protocol. And while it may be a noble goal, we should not presume the control systems themselves can be autonomously secure. A protocol can enhance security, but it still needs security around it. While we have come to expect any general purpose computer to require supplemental security controls such as enclosing it within a private network, providing supplemental network-layer encryption, and scanning for malicious behaviour, we can expect to do the same for SCADA. No matter how well you encrypt or authenticate, an attacker can overwhelm the control system and, consequently, you lose control of those systems. A framework needs to be followed that considers the threats, and considers a systemic approach to minimizing vulnerabilities. All of the network-based security services that encompass policy enforcement, private network services, attack mitigation, security monitoring, and incident response are applicable to SCADA control systems to help create an inherently secure system.

Q: In January 2008, as part of National Security Presidential Directive 54 and Homeland Security Presidential Directive 23, the Comprehensive National Cybersecurity Initiative (CNCI) was adopted in the U.S. as a national policy. The annual threat assessment again stated that:

“We are witnessing an unprecedented unity of effort across a broad coalition of government agencies, members of Congress, and leaders of industry. To succeed, however, the CNCI must remain a long-term national priority. With sustained momentum and continued national resolve we can and will build an enduring security framework capable of protecting our vital national security, economic, and public health interests.”

This of course fits well with what you were saying earlier. Do you know if other NATO countries are doing something similar? Are you aware if we are doing something similar or at least compatible? Does this possibly imply some potentially coordinated offensive cooperation?

I am aware Canada is pursuing very similar objectives, but I really cannot address specifics. Nor can I speak in detail of the US CNCI strategy as many aspects are still evolving. However, there is one initiative making good progress. It is the Managed Trusted Internet Protocol Service (MTIPS). This service contract precipitated from a mandate from the Office of Management & Budget (OMB) in the US. The OMB mandate requires US Government agencies to meet some basic security requirements for connectivity to the Internet. The mandate also requires consolidating the number of US government connections to the Internet from tens of thousands to around 200. MTIPS is a service contract facilitated by the US Government Services Administration (GSA) where agencies can purchase Internet access while easily satisfying this mandate. The service includes network-based security protections including network-based firewall, intrusion detection, web filtering, incident response, forensics analysis support, and highly reliable access. There are arrangements included to facilitate coordination with US-CERT (United States Computer Emergency Response Team) on incidents. This allows US-CERT to alert the MTIPS service with threat information or allows the MTIPS provider to alert US-CERT of any recognized incidents or threats to US Government agencies. MTIPS is basically an enhancement to our commercial network-based gateway service to satisfy the Government’s needs. Some agencies are building a trusted internet gateway themselves for specific reasons. The question is: “Should MTIPS or a derivative be made available to private industry companies that provide critical infrastructure services?” This could foster significant progress toward important cooperative industry-government security measures in keeping with CNCI.

Q: Are U.S. financial institutions still the “most secure,” in light of what transpired with the recent bank defaults?

I believe that this is still so. I do not think that oversight is going to be the ultimate panacea to financial institution security as espoused by some. In fact, we should not expect oversight to be effective at improving security significantly in any industry sector. What the financial industry has to their benefit is that they can quantitatively measure losses. Because of this they are more prone to invest a visibly reasonable sum for their cyber security to control these losses. For many other industries it is far more difficult to make a quantitative evaluation of risk and decision on investment unless there is a catastrophic failure like the 2003 Eastern Seaboard Power failure. That, of course, led to greater attention to the security of at least the power grids. Unfortunately, I do believe that it will still take more publicly apparent events in the other industries to yet raise attention to the level referred to in the Intelligence Assessment. Some of the defence contractors, however, are recognizing the need for improved security for obvious reasons and we are working with several. They are seeking to get more secure network controls, though they are not yet entitled to the MTIPS program itself. I think the public sector can help by providing incentives to improve security across industry by helping to highlight the value of good security and helping to provide positive incentives to implement good security measures.

Information sharing between Government and industry must be improved for this to be accessible. Government entities responsible for criminal investigation need to be aware of crimes that are perpetrated. As well, there is the mutual need to maintain the private nature of the private sector and the public nature of the government. There is much sharing and trust ongoing but the challenge is to establish the infrastructure to optimize and not compromise this security and trust. This ultimately becomes an international challenge as well since we do need to share information with each other, as the recent financial situation attests so vividly. It seems that if we can team internationally to make a space station, we should be able to team up to share cyber-security threat information.

Q: How does cyber spying among allies and adversaries affect security, trust and information sharing?

We must ultimately operate within our realms of authority. We are aware of these types of threats and they present quite a challenge. Certainly there are more kinds of things than we can discover and there is a lot of what I would call “noise” that helps to cover up things that would be lower and slower and well hidden. Ultimately it consumes resources to pursue these, and, if you have just enough resources to deal with your day to day threats, it is very difficult to go looking for these more subtle long term threats, let alone doing something about them. As suggested earlier, if we can do a better job thwarting the criminal activities, it will raise the signal to noise ratio, and the more sinister activities will become exposed to detection. And ultimately, there will be better opportunities to mitigate the threats before they are able to induce any significant damage.

Q: What can service providers do to help increase protection?

Network-based security services provide an opportunity for network service providers to offer more than competitive pricing as selection criteria for customers. As an important part of critical national security infrastructure, it is only natural to consider network service providers as a trusted resource to help protect other assets. A strong public-private partnership is the best path to mitigating the globally diverse botnet threats. Attack techniques, tools, and botnets used by terrorist and state sponsored attackers are the same as the criminal element. A solid criminal investigation structure including automation will increase threat awareness, deter less committed perpetrators, and will help isolate more sinister threats. Incentives for an international public-industry cooperative for real-time information and response will help to thwart globally diverse botnet threats before they can conduct other malicious acts. And we hope that owners and operators of other critical infrastructure will do their part to employ well prepared service providers to help protect their services. That is our challenge and our destiny in cybersecurity.

Clive Addy is the Executive Editor of FrontLine Security magazine.
Brian Rexrod is Principal Network Security Architect at AT&T Chief Security Office.