fragile web

Engineering & Technology, 22 November - 5 December 2008, p. 68, www.theiet.org/engtechmag

comms SECURITY

As society becomes reliant on the Internet, the need to secure it has grown urgent. But the vulnerability of cyberspace may be intrinsic, writes David Sandham


Communications networks underpin modern society like the nervous system of a living organism. The public switched telephone network, the Internet, VoIP, cable television, submarine cables, and satellite communications form the major information pathways that keep society functioning.

This system is under daily attack. Viruses, unauthorised access, security breaches, spam, phishing, illicit electronic surveillance, denial of service attacks and cyber terrorism are on the increase. The very interconnectedness that the modern world depends upon has become one of its major weaknesses.

Recent events illustrate the threat to commercial and government networks, and the information that flows over them.

“I’m not sure that most law-abiding citizens understand the magnitude of the threat from cyber-criminals,” says Colonel Gary A McAlum, formerly Chief of Staff, Joint Task Force for Global Network Operations at the US Strategic Command, who recently joined Deloitte Touche Tohmatsu, a global financial services company. “There is a thriving cyber-crime market for personal and financial information.”

In March, thieves stole 4.2 million credit and debit card numbers from Hannaford and Sweetbay, supermarket chains in north east US and Florida, respectively. The cyber-criminals put software on computers to capture credit-card informa-

and led to about 1,800 frauds. Ironically, on the day it was discovered, Hannaford received a certificate saying it was fully compliant with the Payment Card Industry standard, which obliges retailers to encrypt data sent over publicly accessible networks, but not over private lines. Both supermarket chains thought they were safe. But the cyber-criminals intercepted unencrypted credit-card data as it travelled from shop tills to corporate servers, from where it would have been encrypted and routed to credit-card company servers for authorisation.

The extent of the problem is hard to measure, because reporting is largely voluntary. Victims of cyber-crime don’t like to discuss it, because hacked systems damage reputations and cost customers. The US Treasury Department has estimated the annual profits from cyber-crime at $105bn. “I believe that is on the low end,” says McAlum.

WAR

In addition to organised crime, there are other murky presences lurking in cyberspace: spies. Intelligence agencies, the shadowy groupings that assist them, and the military of several nations, are all interested in mining information from the networks of target countries.

“A significant amount of data [has been taken] from federal networks over the past few years. I don’t think we will ever know the true extent of how

is also a significant concern about the level of access obtained in some cases that would allow a potential adversary to become disruptive at a time and place of their choosing. This is a huge concern.”

Cyber skirmishes have already begun. In 1998 the Internet Black Tigers, a guerrilla organisation, flooded Sri Lankan embassies with 800 emails a day for two weeks. The first cyber war between nations may have occurred last year, when the digital infrastructure of public institutions in Estonia, including the parliament, ministries, banks, newspapers, broadcasters and telecommunications companies, was attacked. Estonian networks were blasted with up to 90Mbit of traffic a second for up to ten hours. Most of the traffic was part of a distributed denial of service (DDoS) attack, in which a network of computers, perhaps one million strong, was hijacked and used to flood the Estonian networks with requests for services such as web-page transfers. The attacks happened after Estonia offended Russia by relocating a Russian Second World War memorial. The attacks originated from computers allegedly traced to Russia, but the Russian government has denied any involvement.

This year’s conflict between Russia and Georgia had a cyber-war component. DDoS attacks disrupted access to many Georgian websites

ENGINEERING’S GRAND CHALLENGE
SECURE CYBERSPACE

‘There is concern about the level of access obtained that would allow an adversary to become disruptive at a time and place of their choosing’


‘We cannot secure cyberspace any more than we can completely secure the oceans or the airspace’
Colonel Gary A McAlum, Deloitte Touche Tohmatsu

The United States is also under continual attack. In a recent statement to Congress, Jim Lewis, of the Center for Strategic and International Studies, said: “Cybersecurity is now one of the most important national security challenges facing the US...this is not some hypothetical catastrophe. We are under attack and taking damage.”

More than 30 nations are now believed to have information warfare programmes. And individuals with technical expertise have found their power to disrupt their enemies transformed in cyberspace. In March 2000, a disgruntled Australian employee used the Internet to release one million litres of raw sewage into the river and coastal waters of Queensland. The same year, a university student in the Philippines created the ‘Love Bug’ virus, which caused damage estimated at up to $15bn world-wide – or about as much as a major hurricane disaster.

The problem is growing fast. Mikko Hyppönen, chief researcher at antivirus software company F-Secure Corporation, says: “We are now seeing tens of thousands of unique malware samples each

SOLUTIONS

The US National Academy of Engineering has recognised the importance of securing cyberspace by declaring it one of 14 Grand Challenges for Engineering, alongside issues such as providing energy from fusion, preventing nuclear terror and making clean water accessible to all. It is right to focus on the problem, especially because it cannot be overcome by a single approach. It’s just not that simple.

As Hyppönen says: “The power and growth of cyberspace is due to it being an open system. ‘Open’ doesn’t always equal ‘secure’. How can you secure cyberspace? Close it – but then you might also end up killing it.”

Complete solutions, even if they could be built, could have unwanted consequences. In today’s open cyberspace, anyone or anything can connect to the Internet. It might be possible to introduce controls that guarantee that all the endpoints in the network are known to be ‘safe’. But that would destroy the Internet as it is today, reducing it to a closed system.

The US government has proposed another solution using ‘key escrow’, in which information is handled under the same kind of public-key cryptography

spare key that they can use to decrypt any message they want. It’s the kind of ‘solution’ that holds the seeds of its own destruction – it wouldn’t be used by those it seeks to expose, and also raises tremendous civil liberties issues.

“Cyberspace cannot be secured 100 per cent without radical and fundamental changes in the architecture and implementation of governance models that would never fly,” says McAlum. “We cannot secure cyberspace any more than we can completely secure the oceans or the airspace.”

Toralv Dirro, security analyst at McAfee, says: “Because of its nature, cyberspace is very difficult, maybe even impossible, to secure. There is no real central instance controlling it, each country has different laws that apply, and it is growing at a rapid pace. The best hope is to make some vital parts as safe as possible, to allow business to be done in a reasonably secure manner, and to protect the users as well as possible.”

Dr Guy Bunker, chief scientist of security software and services company Symantec Corporation, says: “Cyberspace as we know it is, in some places, very insecure. So it is relatively simple for fraudulent behaviour to occur. We could secure it very rapidly, but that would shut it down for most people.”

ARMS RACE

Most experts agree that there is no single answer to securing cyberspace. Instead, think evolution. Think arms race. Progress will come by incremental improvements to many technologies.

The traditional model of cyber-security is to use a perimeter defence, the classic firewall. But perimeters often have holes. Today, a perimeter defence is seen as just one component of a multi-layered defence: it will not keep out a determined adversary, but reduces minor threats so that effort can be concentrated on more sophisticated exploits or insider threats

prevention systems run on a remote desktop or mobile laptop, protecting the machine wherever it goes. Instead of hiding behind the castle walls, and only being safe there, individual machines are given their own armour.

Cyberspace security has also become an active, rather than passive, discipline. Instead of a guard patrolling a perimeter fence, think of a roving investigator seeking out threats before they cause damage. Hackers are lured out of hiding by tempting them with ‘honeypots’ and ‘honey-clients’, apparently unprotected machines that can be used to detect threats. However, it takes two to make an arms race. Advanced viruses fight back by constantly changing their attributes to outwit security technology. Clever hackers learn to side-step honeypots.

Malicious software (malware) is becoming so prevalent that it is beginning to outnumber legitimate software. At that point, it is easier to create ‘white lists’ of legitimate software than to maintain the blacklists of malware. Hyppönen recommends a blend of whitelists and blacklists for best effect.

INTELLIGENCE

Fighting a war demands a good map of the battlefield. Symantec runs a Global Intelligence Network that has more than 40,000 sensors around the world and more than two million dummy email accounts – all of which are monitored all day, every day. Hundreds of millions of users contribute statistics on malware.

“This means that outbreaks can be readily spotted and contained,” says Bunker. “It also means that new virus or malware definitions can be quickly and effectively written and rolled out to prevent the infection spreading.”

McAlum would like to see more than just lots of sensors. “There are sensors all over the place and most feed back to a

The Russia/Georgia conflict was waged in cyberspace as well as in the streets


derivation of such a system,” he says. “What I’d like to see is more effort placed on capabilities that provide a holistic picture of the enterprise that is more than just an integration of existing views and [which] helps develop the risk picture based on current threats, vulnerabilities, and anomalous activities. And I think there needs to be a ‘cause-effect’ aspect that helps leadership understand the impact of actions they may take, for example blocking a port or disabling a service.”

Cyberspace will get more secure as software learns more about how we behave. Suppose an employee, who typically uses a company database to access individual customer records, suddenly looks at the top 1,000 customers: software could be written to highlight this anomaly. Or suppose an Internet user goes to a website he or she has not visited before: software could warn them that they may have misspelled the address, helping counter malware infections caused by downloads from web pages masquerading as popular sites. Dirro believes that behaviour-based technology is “very important, the next big thing”.
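The employee-and-database case above can be sketched as a per-user baseline check. This is an added example, not part of the original article: it assumes an audit log that records how many rows each query returned, scores each query against that user's own history with a median/MAD measure, and uses constructed log entries, user names and thresholds.

```python
from collections import defaultdict
from statistics import median

# Constructed sample audit log: (user, rows returned by one customer-database query).
AUDIT_LOG = [
    ("alice", 1), ("alice", 2), ("alice", 1), ("alice", 1), ("alice", 3),
    ("bob", 40), ("bob", 55), ("bob", 35), ("bob", 60), ("bob", 45),
    ("alice", 1), ("bob", 50),
    ("alice", 1000),   # the article's case: a single-record user pulls the top 1,000
    ("bob", 70),       # large, but in line with bob's own reporting habits
    ("carol", 500),    # no history yet: cannot be judged against a baseline
]

MIN_HISTORY = 5      # assumed: observations needed before a baseline is trusted
THRESHOLD = 6.0      # assumed: robust score above which a query is flagged


def robust_score(history, value):
    """Distance of value above the user's median, in units of scaled MAD."""
    med = median(history)
    mad = median(abs(x - med) for x in history)
    scale = max(1.4826 * mad, 1.0)   # floor avoids dividing by zero on flat history
    return (value - med) / scale


def find_anomalies(log, min_history=MIN_HISTORY, threshold=THRESHOLD):
    """Replay the log in order; score each query against that user's earlier queries."""
    history = defaultdict(list)
    alerts = []
    for user, rows in log:
        past = history[user]
        if len(past) >= min_history:
            score = robust_score(past, rows)
            if score > threshold:
                alerts.append((user, rows, round(score, 1)))
        # Flagged values still enter the history here; a production system
        # would usually hold them back until an analyst has reviewed them.
        past.append(rows)
    return alerts


if __name__ == "__main__":
    for user, rows, score in find_anomalies(AUDIT_LOG):
        print(f"ALERT {user}: {rows} rows in one query (robust score = {score})")
```

Because the baseline is per user, bob's 70-row query passes while alice's 1,000-row query is flagged, and carol's first query is not scored at all for lack of history.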

TRUST – BUT VERIFY

Companies today tend to rely on implicit trust to control access to their networks: employees are given a username and password and then expected to do the right thing. This will change. Companies will keep closer tabs on what their employees are doing and how they are doing it. Behaviour-based technology “can look at things such as typing speed or style as an additional means of authentication,” says Bunker.

Advanced reputation services may also help secure cyberspace. “Reputation-based technology helps people browse the Internet safely and engenders trust between consumers and businesses as well as

reputations can be inflated. Take an online auction seller who sells and promptly delivers 100 pencils at £1 each, gaining a great reputation. They then offer a car for £100,000, and abscond with the payment. The reputation system was perverted to abet the crime.

Systems will get smarter. “Neural networks and other artificial intelligence technologies have a place in learning what is good, bad or indifferent about networks and systems to help administrators make intelligent decisions to enable them to fix problems,” Bunker says.

But let’s not get carried away. A lot of progress can be made by getting on with the drudge work of implementing current security techniques. The Hannaford supermarket chain says that it has started encrypting customer credit-card data as soon as the card is swiped.

Other low-technology activity, such as creating information-sharing mechanisms between affected groups such as banks, who are notoriously shy about revealing their cyber-crime losses, could also help. Just locking equipment up can help a lot: laptop computers and PDAs are increasingly a target for thieves who want them as much for the value of the data they may carry as for what they might get by selling the hardware down the pub.

“In many cases, particularly when it comes to industrial espionage, employees of particular companies may be targeted for the opportunity to snatch a laptop,” warns McAlum. As the UK civil service is learning, you shouldn’t leave laptops on a train or put

chink in cyberspace’s armour – ordinary people and their ordinary working practices.

According to a study by Compuware, only 1 per cent of recent corporate data losses were due to hackers. The biggest culprits were negligent employees, with outsourcing and malicious employees being among the other causes of significant breaches. Worryingly, of the 1,112 practitioners surveyed, 79 per cent said their organisation had experienced at least one data breach.

Dirro of McAfee thinks that what’s needed to secure cyberspace for the long run is progress on many fronts, including technology, awareness, legal redress and human behaviour.

Given the complexity of the issue, is there any sign that we are winning the cyber-security war yet?

EXPLOITING WEB 2.0

Facebook is becoming increasingly popular as a target for virus attacks. Some Facebook users are currently receiving a message that appears to be from a ‘friend’. Upon clicking the link, they are redirected to an enticing video. The video will not play, and they are told they need to update Adobe Flash. It’s a virus.

If you lose your laptop, you could lose a lot more than just the hardware
