The State of Systems Security
              by Ron DuFresne (dufresne@sysinfo.com)
                 Published in the TISC Insight Newsletter
                   http://www.tisc2002.com/insight.html
                     Volume 4, Issue 8, May 10th 2002

Security has become a serious matter since the 9/11 terrorist attacks in New 
York, Washington, and the foiled attempt in Pennsylvania.  Travelers demand 
greater security in airports and employees expect likewise in the 
workplace.  Corporate America, federal and state government organizations 
have, at least in principle, redoubled efforts to secure IT and network 
infrastructures.  Today, we examine current information and network 
security in light of these events.

Is Security a Priority?

While security seems to be a paramount concern, implementing security is 
not a priority for society at large, and information technology in 
particular (see http://hhi.corecom.com/~yodave/strategic-security.htm).  
Industry leaders emphasize that security in the digital world is a matter 
of individual and personal importance; within information technology, 
however, employees and administrators alike grudgingly adopt security 
practices, and too frequently compromise or circumvent security measures 
for the sake of convenience, expediency, and ease of use.  A common 
response to an intrusion from harried, overburdened, and sometimes 
under-skilled administrators is a hasty patch to the service that allowed 
the intrusion, with no review of policy or change in operating practices.  
In the aftermath of a virus "incident", a flurry of memoranda on the topic of 
"virus awareness" may be issued, possibly accompanied by user training or 
a memorandum reminding employees to update their virus definitions, but no 
further effort is made to improve the organization's anti-virus 
countermeasures or to improve data recovery practices for a perhaps more 
damaging AV incident yet to come.

IT security in the private and government sector suffers from substantial 
under-funding, improperly trained and over-tasked technicians, systems and 
network administrators, and ill-informed management too pressured to 
increase near-term profit (or in today's economy, reduce losses). Too few 
companies have a well-articulated security policy and an appreciation of 
the importance of security to e-business. The result in many organizations 
is that no true sense of who is responsible or accountable for security 
trickles down from management. One would hope that at least the U.S. 
government, with all the Homeland Security bravado, would lead in this 
area, and set an example for corporate America as well as residential users.

Sadly this is not the case.  Whether it's the expense or complexity of 
trying to secure computers and networks, or the ongoing nature of 
maintaining safe computing environments, even well intentioned individuals 
and administrators become lax with security. It's often only after 
suffering the consequences of lost time, revenue, and data that many are 
dragged reluctantly to adopt better security processes and procedures. Even 
in such extreme circumstances, however, reluctance and fear of losing 
capabilities have often caused, and will continue to cause, many 
organizations to dilute policies and deploy only those measures that at 
best meet minimal security standards. The global Internet, with its 
ambiguous domestic and international legal boundaries, exacerbates this 
situation. Conflicting legal ideals and legislation on what constitutes 
legal responsibility in their respective jurisdictions create a virtual 
security vacuum.  Simply 
put, with little uniformity on which to broadly deploy security solutions, 
we must continue to deal with the same attack vectors today as we have for 
the past two decades (see http://sysinfo.com/iworms.html).

Shortage of Security Professionals?

Many blame lax security practices on a critical shortage of security 
professionals (see 
http://www.eweek.com/article/0,3658,s=701&a=23973,00.asp). However, the
number of individuals with information security experience seeking 
employment or enduring extended lay-offs is considerable.  Even 
prior to the current economic recession, many information security 
professionals held positions not specifically related to systems or 
network security functions. Does demand exceed availability, or is this a 
convenient way of diverting attention from the fact that security is 
under-funded and hence understaffed? Even in situations where staffing 
numbers are adequate, expertise comes into question: tough economic 
conditions entice organizations to make do with hastily trained staff at 
hand rather than hire trained and more expensive security professionals.

Is Government better prepared?

Governmental systems security in the United States seems to fare no better 
than corporate America. The General Accounting Office (GAO), which routinely 
audits information security, reports that professional resources are low in 
the government sector as well.  A recent GAO investigation into the 
effectiveness of government systems security measures graded a large number 
of agencies at D and F levels, and concluded that the Treasury Department 
and IRS, among numerous federal agencies, "remain highly vulnerable to 
hackers and employee fraud" (see the list of additional reading at the end 
of this column).

The GAO reports demonstrate information security is a persistent and 
troublesome issue at the U.S. Federal level.  The FBI and CIA websites are 
constant targets, and are continually hit with defacements.  The CIA network 
was recently mapped from outside the U.S. via strictly legal means. The 
scan exposed exactly the kinds of information attackers gather prior to an 
attempted entry into more protected systems (see 
http://www.computerworld.com/storyba/0,4125,NAV47_STO68961,00.html).

As recently as April 1, 2002, the President's cyber security advisor, Dick 
Clarke, stated that Federal IT security has a "sad" history.  He further 
maintains that it will take 3-5 years of focused effort "before we get into 
a comfort zone." (see http://gcn.com/21_7/news/18305-1.html).

What about Corporate America?

Far too many organizations fail to properly train and fund those 
responsible for maintaining the integrity of their systems.  This applies 
to technical staff in charge of daily operations, more senior 
administrators charged with design and planning, and even IT management. 
Without such training and exposure to new technologies and practices, 
security in such organizations cannot keep pace with the stream of new 
threats and vulnerabilities that are exposed daily. Furthermore, when such 
companies are notified that their systems have been compromised or are 
being misused (as zombies for DDOS attacks, for example), their staff may 
not have the time or talent to investigate and remedy such situations.

The financial toll on such companies, and the damage to their reputation, 
can be measurable. In certain instances, e.g., the Code Red and Nimda worms, 
Internet Service Providers have been forced or enjoined by courts to sever 
a company's access to the Internet for failure to contain the worms. The 
fallout from such actions can affect more than the negligent companies:
ISPs and large organizations may block very large portions of the IP
address space to stem an attack. Any organization that has acquired IP
addresses within these portions of the address space may find itself
blocked.  A militant posture emerging in cyberspace parallels U.S.
President Bush's declaration that those countries that refuse to assist in
the War on Terrorism are themselves suspected of (harboring) terrorism. In
an attempt to protect themselves, many members of the Internet community
now treat any organization addressed within a "rogue" ISP's IP address
block as "part of the problem" when confronted with an attack, and simply
cut the entire block.

Simple "Initial Steps" towards Better IT Security

Many companies can improve IT security measurably by merely implementing 
industry best practices across their organizations. For example, systems 
exposed to the Internet should be dedicated to a single service, e.g., DNS, 
mail.  This reduces the likelihood that any individual system compromise 
will disrupt all services. Services separation also eases the tasks of 
fault isolation, service restoration, and post-incident investigation
(forensic analysis).
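The single-service rule above can be checked mechanically from each host's listening-socket inventory. The following Python script is an added example, not part of the original column: it parses `ss -tlnp` output (the host names, sockets, and the port-to-role mapping are constructed for illustration), ignores loopback-bound sockets and the remote-administration port, and reports any host that exposes more than one service role.

```python
# Constructed sample inventory: `ss -tlnp` output captured from three
# hypothetical hosts.  None of these hosts, processes or sockets are real.
SAMPLE_SS_OUTPUT = {
    "dns1": """
State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0      4096         0.0.0.0:53        0.0.0.0:*     users:(("named",pid=812,fd=21))
LISTEN 0      128        127.0.0.1:22        0.0.0.0:*     users:(("sshd",pid=640,fd=3))
""",
    "web1": """
State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0      511          0.0.0.0:80        0.0.0.0:*     users:(("nginx",pid=901,fd=6))
LISTEN 0      511          0.0.0.0:443       0.0.0.0:*     users:(("nginx",pid=901,fd=7))
LISTEN 0      100          0.0.0.0:25        0.0.0.0:*     users:(("master",pid=1203,fd=13))
LISTEN 0      128            [::1]:22           [::]:*     users:(("sshd",pid=640,fd=4))
""",
    "app1": """
State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0      128          0.0.0.0:8080      0.0.0.0:*     users:(("java",pid=2210,fd=40))
LISTEN 0      80           0.0.0.0:3306      0.0.0.0:*     users:(("mysqld",pid=1550,fd=19))
LISTEN 0      128          0.0.0.0:22        0.0.0.0:*     users:(("sshd",pid=640,fd=3))
""",
}

# Assumed mapping from listening port to the service role it represents.
# A real deployment would derive this from its own service catalogue.
PORT_ROLES = {53: "dns", 25: "mail", 80: "web", 443: "web",
              3306: "database", 22: "admin"}

# Roles that do not count as an Internet-facing service: remote
# administration is assumed to be acceptable on every host.
ADMIN_ROLES = {"admin"}


def parse_listeners(ss_text):
    """Return (local_address, port) for every LISTEN line of `ss -tlnp` output."""
    listeners = []
    for line in ss_text.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0] != "LISTEN":
            continue  # header line or malformed line
        # The fourth column is "address:port"; IPv6 addresses are bracketed,
        # so split on the last colon only.
        addr, port = fields[3].rsplit(":", 1)
        listeners.append((addr, int(port)))
    return listeners


def is_loopback(addr):
    """Sockets bound only to loopback are not reachable from the Internet."""
    return addr.startswith("127.") or addr == "[::1]"


def exposed_roles(ss_text):
    """Set of service roles a host exposes on non-loopback addresses."""
    roles = set()
    for addr, port in parse_listeners(ss_text):
        if is_loopback(addr):
            continue
        # Unknown ports are reported as-is so they still show up in the audit.
        roles.add(PORT_ROLES.get(port, f"unknown:{port}"))
    return roles


def audit_single_service(inventory):
    """Return {host: sorted roles} for hosts exposing more than one service role."""
    findings = {}
    for host, ss_text in inventory.items():
        service_roles = exposed_roles(ss_text) - ADMIN_ROLES
        if len(service_roles) > 1:
            findings[host] = sorted(service_roles)
    return findings


if __name__ == "__main__":
    for host, roles in audit_single_service(SAMPLE_SS_OUTPUT).items():
        print(f"{host}: exposes multiple services {roles}")
```

In the sample inventory only dns1 passes: web1 combines web and mail, and app1 combines a database listener bound to all interfaces with an unrecognised port, which is exactly the kind of host whose compromise would take several services down at once and complicate forensic analysis.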

Many of the issues related to the Nimda and Code Red worm infestations last 
year could well have been reduced had administrators kept up with available 
patches and vendor rollups. Many vendors, including Microsoft, made patches 
available for most of the vectors these malware variants exploited. These, 
and anti-virus definitions for all major AV products, are readily available, 
yet attackers continue to probe the known attack vectors, and unprotected 
systems are still compromised, only to propagate the worm yet again.

Organizations in general can measurably improve security by carefully 
assigning security-related tasks according to the security expertise they 
have in their IT department, and by documenting best practices and policies 
so that lower level administrators can learn and follow the basics of 
secure systems administration. Senior security staff should delegate 
routine tasks and spend less time configuring systems, and more time 
verifying and auditing system security status.  Additionally, avoid 
running with an absolutely minimal staff. Time must be allocated for 
security training; if budgets absolutely cannot absorb travel, consider 
on-site training and security staff "transfer of information" sessions, 
where senior staff instruct their junior counterparts in how to secure 
systems, and why.  Maintaining knowledgeable and trained personnel across 
wide-ranging hardware and software environments can only benefit a 
corporation. Even if some staff leave the company, the staff that remain 
are more likely to have the cumulative skills to maintain security in the 
wake of their departures.

In Summary

The state of information systems and network security remains poor.  The 
immediate future holds little promise of any dramatic improvements over a 
short span of time.  Companies having to deal with government-mandated 
security requirements like HIPAA by next spring will very likely experience 
Y2Kaos once again.  Until governments and corporations allocate money to 
build and maintain a security baseline and entrench the security knowledge 
base required for such tasks, secure networking will remain out of reach.

Additional Reading

Computer Security At Treasury Dept. Arm 'Critical' - GAO, Newsbytes
http://www.newsbytes.com/news/02/174207.html

Thompson: IRS Was Unable to Adequately Protect Electronically Filed 
Taxpayer Data
http://www.senate.gov/~gov_affairs/031501_press.htm

Most Federal Agencies Flunk Computer Security 101 - GAO, by Brian Krebs, 
Newsbytes, 9/11/00
http://www.info-sec.com/internet/00/internet_091100b_j.shtml

About the Author

Ron DuFresne is a 16-year IT veteran who has managed systems from small 
desktops to Cray's in networked and internet environments. His primary 
administrative roles for the past 8 years have been in the area of systems 
and network security.  Ron actively contributes to Bugtraq, 
firewalls-wizards list, as well as numerous security-related and *NIX 
related mail lists and newsgroups.  Well respected in the firewalls and 
security communities, Ron is recognized as an extremely versatile security 
and IT professional.
