How Can We Protect Our Critical Infrastructure From Cyber-Attack?

  • Written by PAUL ROTHMAN
  • 1st May 2003

Computer networks everywhere were under attack.

The Sapphire (or Slammer) Worm was spreading throughout the Internet like wildfire, doubling in size every 8.5 seconds. It infected more than 90 percent of vulnerable hosts within 10 minutes.

The worm shut down Web sites all over the world. It infected at least 75,000 hosts and caused network outages and such unforeseen consequences as canceled airline flights, interference with elections and ATM failures. A 9-1-1 call center outside Seattle, which services 14 fire departments, two police stations and a community of 164,000 people, was taken offline. Users attempting to access online services from many U.S. government Web sites could not.

And the Slammer Worm — which spread through the Internet on Jan. 25 — did not even contain what expert Nicholas Weaver of the University of California-Berkeley calls “a malicious payload.”

If it had been a more malicious virus, the results could have been catastrophic to government networks. And while Webmasters and network administrators felt a minor pinch from the worm, the situation emphasized once again the inherent vulnerability among many of the networks dedicated to U.S. critical infrastructure protection.

According to RSA Security Inc., a Bedford, N.H.-based network security provider, power plants, nuclear facilities, water treatment plants, factories, government agencies and other sites have implemented Internet-based technologies for remote monitoring and control of the facilities using a Web browser over the past several years. It’s a practice that can help bring cyber-terrorists to each network’s front (or back) door.

The federal government knows it’s a problem. And it isn’t going away.

Nearly twice as many information technology (IT) professionals say the government is not prepared for a major cyber-attack as say it is, according to a survey by the Business Software Alliance, Washington, D.C.

The Computer Emergency Response Team (CERT), a federally funded research and development center in Pittsburgh operated by Carnegie Mellon University, tracked some 52,658 online security incidents in 2001 — more than double the 21,756 reported in 2000, and alarmingly higher than the 9,859 incidents reported in 1999. It estimates more than 74,000 incidents in 2002.

“The technology already exists to protect our networks against cyber-terrorism,” says Art Coviello, president and CEO of RSA Security. “Business and government must work together to identify vulnerabilities, develop more secure software, and educate each other on how to best secure these systems.”

Addressing The Problem

The government is bringing plenty of resources to bear on the problem. Since late 2002, Congress has passed several funding bills and guidelines surrounding information security. The Federal Information Security Management Act of 2002 (December) set key information security requirements for federal systems. In February, the White House issued a National Strategy to Secure Cyberspace, and its Office of Management and Budget has placed a higher emphasis on information security in the budgetary process. In March, the House of Representatives established a subcommittee charged with overseeing federal cyber-security policies and agency initiatives to secure government and private network infrastructures.

The creation of the Department of Homeland Security (DHS) last year helped to change the method by which the government defends against cyber-terrorism. Upon its creation, the department was immediately tasked with the role of improving Internet security. It proposed the launch of test attacks against civilian U.S. agencies and issued recommendations to improve the safety of automated systems that operate the nation’s water, chemical and electrical networks. DHS expenditures on information technology security were projected to reach $2.6 billion in 2003, according to Federal Sources Inc. (FSI), McLean, Va., compared to $1.5 billion of IT spending for homeland security in 2002.

Some $903 million was recently appropriated to university and industry programs over the next five years to boost national cyber-security research and development.

“Cyber-security is a problem that is even worse than it first appears,” says Sherwood Boehlert (R-N.Y.), chairman of the House Science Committee. “That’s because not only are our nation’s computers and networks vulnerable to attack, and not only could a cyber-attack disrupt our economy and threaten public health and safety, but we simply don’t know enough about how to design computers and networks to make them less vulnerable.”

Although governments administer only a fraction of the nation’s critical infrastructure computer systems, governments at all levels perform essential services in far-reaching sectors that depend on cyberspace for their delivery. The National Strategy to Secure Cyberspace notes that governments can lead by example in cyber-security by fostering a marketplace for more secure technologies through their procurement. The strategy identifies five actions and initiatives for the securing of governments’ cyberspace, including:

  • Continuously assessing threats and vulnerabilities to federal cyber systems;

  • Authenticating and maintaining authorized users of federal cyber systems;

  • Securing federal wireless local area networks;

  • Improving security in government outsourcing and procurement; and

  • Encouraging state and local government to consider the establishment of information technology security programs and to participate in information sharing and analysis centers with similar governments.

Identifying Vulnerabilities

“Cyber-attacks on U.S. information networks occur regularly, generally exploit a system vulnerability previously identified and are therefore preventable,” says Carl Banzhof, chief technology officer of Citadel Security Software, Dallas. “Even though most cyber-attack incidents go unreported, enough of them make the headlines to raise awareness for even the most casual Internet user.”

Today, organizations use various commercially available tools to detect vulnerabilities and determine the exposure of their networks and information. In 2002, vulnerability assessment tools gained measurable acceptance in both government and private sectors. Security administrators could easily use them to identify several classes of vulnerabilities, including software defects, mis-configurations, back doors, unnecessary services, insecure accounts, and of course, worms and viruses.

Many organizations were surprised to learn that their exposure to vulnerabilities extended far beyond the patches typically highlighted in media headlines; in fact, a large portion of identified vulnerabilities could not be solved by a patch, but required more technical solutions such as complex configuration updates. Citadel offers a class of security software, Automated Vulnerability Remediation (AVR), which has evolved to meet the needs of administrators as they struggle to keep up with the growing number of vulnerabilities.

“We need to be constantly on the lookout for new vulnerabilities, new attack attempt methods, and new sources of cyber-terrorism,” says Michael J. Corby, president of QinetiQ Trusted Information Management Inc., a Worcester, Mass.-based information security risk assessment firm. “It would be erroneous to say that all we need to do is fine-tuning to have a really effective anti-terrorism program for our critical national computer and network infrastructures.”

The struggle continues. The U.S. General Accounting Office (GAO) recently found significant information security weaknesses at 24 major government agencies.

“Further information security improvement efforts are needed at the government-wide level,” the GAO report says. “These efforts need to be guided by a comprehensive strategy in which roles and responsibilities are clearly delineated, appropriate guidance is given, adequate technical expertise is obtained, and sufficient agency information security resources are allocated.”

The GAO identified several areas of weakness among the systems and issued the following recommendations:

  • develop a comprehensive and coordinated national critical infrastructure protection (CIP) plan;

  • improve information sharing on threats and vulnerabilities, both among government agencies and between the private sector and the federal government;

  • improve analysis and warning capabilities for both cyber and physical threats; and

  • encourage entities outside the federal government to increase their critical infrastructure protection efforts.

To improve analysis and warning capabilities for both cyber and physical threats, as the GAO recommends, IT managers have turned to vulnerability assessment. “Business and government entities must regard the threat of cyber terrorism with as much fervor as that for physical security,” Banzhof says. “More than 10 new vulnerabilities are being discovered daily according to the Computer Security Institute, and by the time the manual remediation efforts are completed, as many as 200-300 new vulnerabilities will have been discovered, leaving networks in a very unsecured position.”

RSA Security says every organization should “construct ‘what-if’ scenarios based on attacks to various parts of the organization’s information infrastructure and determine which areas are most at-risk and which areas would cause the most harm if they were attacked.”

Even with vulnerabilities identified, network administrators applying technology to fix them must be thorough. RSA says governments need to view their security needs as three-fold:

  • keeping threats from getting in through the network;

  • controlling access to information once people are on the network; and

  • protecting data at rest in systems within the network.

“This requires a mixture of authentication, access management, intrusion detection and anti-virus solutions, to name a few. Each has a role, but no single component will completely secure an organization,” the company says.

Getting Help From The Private Sector

One theme cyber-security experts continue to return to is public-private sector cooperation. Both the GAO report and the National Strategy To Secure Cyberspace stress that public-private partnerships can usefully confront IT security problems. Information exchange and cooperation can allow both sides to address awareness, training, technological improvements, vulnerability remediation and recovery operations.

The partnership can spawn successful relationships that lead to the ultimate goal of protecting government networks. Internet Security Systems Inc., an Atlanta-based Internet software security company, assists major agencies and departments within U.S. local, state and federal governments in protecting their critical infrastructures against cyber-attacks. The company’s X-Force security intelligence team operates from its on-site security operation center, monitoring global online threat conditions and sending detailed analyses tailored for specific customer needs.

ISS’ Dynamic Threat Protection framework combines security intelligence and technology to protect against known and unknown attacks. The multi-layered framework comprises three technologies that work together to provide protection:

  • Protection engine to drive ISS Intrusion Protection and Vulnerability Detection agents across network, server, desktop and application;

  • SiteProtector as a management platform to provide centralized control, command and event management; and

  • Fusion, which provides attack pattern recognition and impact analysis to minimize false alarms.

Many other companies also provide IT security products and services. Northrop Grumman, for example, developed Security Kinestix, a computer platform that takes the offensive against hackers. The platform goes beyond detecting an intrusion and acts as either a security guard or spy, depending on the situation. The platform can chase intruders, launch counterattacks and modify activity when given a new mission.

That the government is looking for help outside its wide resources underscores the reality that cyber-terrorism threats rise daily. Lawmakers, IT managers and other government executives are well aware of its disastrous potential, with the January Slammer incident supplying a recent reminder.

But changes can’t be accomplished overnight. That’s why the federal government is raising awareness about the problem and enacting laws to fight it. “Having a strategy — having a way ahead to deal with the critical infrastructure and cyber infrastructure — will be very helpful as we chart the course for that particular unit within the Department of Homeland Security,” says Homeland Security Secretary Tom Ridge. “These road maps will help guide government and business as we continue to improve our protective measures.”


Paul Rothman is associate editor of Government Security. Assistant editor Jennifer Pero contributed to this story.

CYBER SPOTLIGHT

Improving the Cyber-Security of Government Agencies: 10 Questions To Ask

  1. Does every computer use a firewall to prevent unauthorized access to and use by hackers? Are the firewall rules and settings current and limited to allow only necessary data transfers?

  2. For all programs on the computers including operating systems, does the IT staff check for security updates daily? Has the IT staff enabled automatic updating and/or subscribed to a notification service provided by the vendor?

  3. Is end-to-end encryption widely deployed throughout the agency and used to protect communications with other agencies?

  4. Does the agency use backup software daily or, in the case of highly critical data, in real-time, and is the backup kept off-site? Is an on-line backup service used?

  5. Does the agency have a cyber-security plan that is updated and validated monthly?

  6. Does the agency have an off-site contingency plan for critical government functions and communications?

  7. Does the agency’s leadership take an active role in determining basic security policies and fully understand the dangers of not being cyber-secure?

  8. Does the agency use virtual private networking to protect against data interception?

  9. Does the agency view cyber-security as an enabler of e-government and integrate it into all agency e-government investments from the outset?

  10. Has the agency fully implemented all existing government security regulations?

SOURCE: Business Software Alliance (BSA); www.bsa.org/security
