I viewed the "Cyberwar" program last night and it only solidified my fears of network intrusion. I'd like to know if you could suggest an educational path to become effective in combating security threats.
I am a system administrator with woefully little security training. I would like to present a path or curriculum which I can take to my superiors for training in this area.
thank you very much...
Would it be possible for all of you to launch a "war game" on Washington, D.C. just to show the sceptics that it is possible? After all, a few hours of lost infrastructure without affecting the emergency responders network as a practice, much as children have to go through at school for fire drills, might help it to sink into the thick skulls of politicians. What makes it more imperative is the fact that there are so many of you "in the know" who are of like mind.
As a veteran, let me thank you for your time here, and for your good work as citizens. Pity that the politicians aren't as patriotic as you are.
Leeds, ME Maine
Is it true that the Lucent Brick firewall has never been hacked?
Is it also true that it cannot be seen by hackers since it is a layer two device?
I do not know. I would feel more comfortable if a red team (a group of engineers and computer scientists that pretend to be bad guys) certified that such a firewall withstood their best attacks. That would be more convincing than marketing assertions, which are easy to make. Layer two devices could be most easily seen by layer two attacks. Existing at a lower layer does not make a system immune from attack. -O. Sami Saydjari
Is there a possibility of a hacker or cyberwarrior gaining control over the launch of strategic nuclear weapons by gaining control of a launch facility through electronic means, like, for example, using a phone connection?
From James Lewis: War Games was one of the first movies on hacker attacks (it may even pre-date the term) and had a similar scenario. However, computers don't launch nuclear weapons. To launch a strategic nuclear weapon, two armed and very intelligent people in a secure location have to simultaneously turn two keys after they have received, decrypted and confirmed a release code that authorizes the release of nuclear weapons. This is sent over a very secure military communications network that is not publicly accessible and which a hacker could not penetrate. It would also be extremely difficult to duplicate the authorization message. There were, I think, some scenarios where a surviving SSBN could launch independently if command nodes in the U.S. had been destroyed, but you still need two people with keys, not a computer. The real concern (as was the case in War Games) is not a hacker sending a false command or seizing control, but that at the last minute one of the key turners would freak out and refuse to execute the launch order. The answer was not to automate launch but to improve the reliability of the human systems.
In the program intro, I read a statement claiming that electric utility SCADA control systems would be vulnerable to hacking, especially if one is running under MS-Windows.
Obviously, any system can be hacked if it has a phone number or an Internet address.
But are these systems set up that way? It's very difficult to believe that the managers of such systems are so dumb that they allow Internet or dial-up access. How does the hacker even get to the "front door" of such a system?
From James Lewis:
This is a key area of debate. One of the criticisms I heard from a number of people of the otherwise excellent show was that the idea of the electrical grid being shut down for six months was not credible. In an earlier essay on this, I wrote:
Many analyses have cyber-terrorists shutting down the electrical power system. One of the better cyber security surveys found that power companies are a primary target for cyber attacks and that seventy percent of these companies had suffered a severe attack in the first six months of 2002. The U.S. electrical power grid is a desirable target, but it is a network of multiple, redundant systems that are used to routine system failure and disruption. The grid is a highly interconnected system of over 3,000 public and private utilities and cooperatives. These 3,000 electrical power providers use a variety of different information technologies to operate their controls for power generation and transmission. A hacker or even a large group of hackers would need to find vulnerabilities in multiple systems to significantly disrupt the power supply and even then, an attack might only disrupt service for a few hours.
The North American Electric Reliability Council, an industry group formed after the 1965 New York blackout, has been working with the Federal government since the 1980s to improve the security of the electrical system and to develop rapid responses to large outages. In Congressional testimony, NERC officials have said that in the last few years, neither viruses nor Distributed Denial of Service attacks against the U.S. electrical system have interrupted service. While industry sources can paint an over-optimistic picture at times, it remains true that falling trees have caused many electric system disruptions while cyber attacks have caused none. A risk assessment by the Information Assurance Task Force of the National Security Telecommunications Advisory Committee concluded: "Physical destruction is still the greatest threat facing the electric power infrastructure. Compared to this, electronic intrusion represents an emerging, but still relatively minor, threat."
The U.S. has already run a large-scale experiment on the effects of disrupting electrical power supplies, thanks to California's experience with deregulation last year. California's efforts to de-regulate the electrical power market resulted in months of blackouts and rolling brownouts across the state. Deregulation was a more powerful attack on the electrical infrastructure than anything a cyber-terrorist could mount. There was clearly economic cost to the California regulatory event, but it was not crippling nor did it strike terror into the hearts of Americans. Similarly, power outages across the country in 1999 affected millions of people and cost electrical power customers millions of dollars in lost business and productivity. These outages were the result of increased electricity use prompted by sustained high summer temperatures. In contrast to California's State government or hot weather, the number of blackouts in the U.S. caused by hackers or cyber-terrorists remains zero.
The link to this essay with the footnotes appears in an earlier answer. One of the things that led me to this position was an interview with Pepco officials on how the New York electrical power system reacted on September 11. With considerable damage to infrastructure and with people missing, Pepco employees immediately responded and worked around the clock to restore service, dragging in massive generators, laying temporary lines, getting assistance (equipment, people, power) from other electrical companies located in distant States; the same is true of Verizon and telephone services. People are not helpless and do not sit around wringing their hands for six months.
From O. Sami Saydjari: SCADA systems DO have dial-ins and internet addresses. They do this for convenience, cost savings, and increased integration of their systems. Some configurations are stronger than others, but in general, SCADA systems have been identified as one of those with the most room for improvement, to put it nicely.
I believe that flaws in the overall design of TCP/IP and its underlying protocols (DNS, IGMP, etc.) are part of how a cyber terrorist could bring down the internet or at least parts of it. These flaws could be easily stopped by backbone modifications to routing equipment. What does the group have to say regarding flaws in hardware as opposed to software?
From James Lewis:
I think we need to really explore the potential vulnerabilities found in the Internet protocols. At the same time, I don't want to overestimate them or the probability that we could shut down a conglomeration of hundreds of thousands of independent networks. The Internet was designed to survive global nuclear war. Even if we did, the effect of shutting down the Internet might not create panic and terror; Stuart Baker, a former General Counsel of NSA, says that shutting down the Internet would be "an adult snow day." I think that you have identified the next battlefield in network security and that you are right to say we should be thinking about defense at the backbone layer. Hardware fixes have worked for other IT security problems, but we need to be more specific in identifying them.
From O. Sami Saydjari:
You are right that there are security improvements to the protocols you mentioned that could significantly improve the defense of the internet -- many of which were created through the Defense Advanced Research Projects Agency (DARPA). Unfortunately, it takes time to get such solutions adopted and deployed throughout the internet. These improvements are in the protocols themselves and thus are technically not hardware improvements -- but seriously needed nonetheless. Hardware is important to provide a trustworthy base to put trustworthy software on, so it is, in general, quite important.
Is there anything a layman, such as myself, can do to help? Am I helping "The Bad Guys" in any way and not knowing so (using or not using my computer in a certain way, for example)?
Valley Center, CA
From James Lewis:
At the consumer level, we're not looking at a lot of risk, but ask yourself if a hacker can take over your PC and use it as a zombie. Actions like leaving it connected to the Internet and on all the time or using an easy password can create vulnerabilities. I'd look at a firewall and something that tracks spyware. Your browser should be able to lead you to some good ones. This would be good for your own privacy as well.
From O. Sami Saydjari:
Great question. It is always good to see citizens take a personal interest in the security of their cyber neighborhood. Yes, you can help by protecting your computer using firewalls and anti-virus software, for example, to prevent it from being taken over by an adversary and used in a concerted attack against a critical system. The National Strategy to Protect Cyberspace has a section on this very question. See http://www.whitehouse.gov/pcipb/. See also http://grc.com/default.htm for a free test of the security of your system.
I work as a network operations analyst for a company which is a critical technology backbone of the hotel industry, which powers the majority of electronic hotel reservations around the world. I was very impressed with the comments and interviews in tonight's program.
Working in an industry that has been severely impacted by recent events, expenditure and effort in proactive security improvement is a very difficult sell. I would like to ask what public and private assistance organizations are out there that can help my peers and me push proactive security initiatives through in a very visible infrastructure target such as mine?
Thanks in advance.
From O. Sami Saydjari: Good question. Start with the Computer Emergency Response Team (CERT) at http://www.cert.org/, a government-sponsored institution that tracks attacks, helps develop countermeasures, and publishes best-practice guidelines. I would also highly recommend the SANS (SysAdmin, Audit, Network, Security) Institute at http://www.sans.org/, a private collection of system administration professionals who work toward making cyberspace a more secure place. SANS also tracks vulnerabilities and offers best-practice advice, including some sample security policies. Both sites offer pointers to many other related useful sites. There are also some useful recommendations and pointers in the National Strategy to Secure Cyberspace at http://www.whitehouse.gov/pcipb/.
In your opinion, how will law enforcement deal with the growth of encryption tools, as well as stronger encryption algorithms, being made public?
New York, NY
From O. Sami Saydjari: Assuming that you are referring to wiretap access, law enforcement will ultimately have little choice but to focus their access on the end points, before the communications are secured.
From James Lewis: Encryption and open source are similar issues in the sense that they are part of the landscape now for IT and are not going to go away. Governments have to learn to change to accommodate this new landscape. The US thought about trying to restrict access to encryption in the mid 1990s, but decided that restrictions would fail. For law enforcement, they've had to move to more expensive and riskier approaches to intercept messages as a result, such as covert entry to gain access to a computer, but so far they seem to be able to keep up with technology. This could change in the future, of course, and the FBI and others remain concerned about the threat that their wiretap capabilities will continue to erode.
If Microsoft security is NOT ENOUGH, how can I, as a control systems engineer, be assured that a control system that I design and implement will be secure against attacks? Is a router between my controllers and the internet with a firewall & port blocking my best defense? Should I use multiple routers? What are some of the tools with which I can test the security?
Why is it that we have not seen any disruption in any system in the US (electrical, for instance) besides the relatively harmless DOA's like CodeRed or Nimda? My point is that surely at some time such an attack would be tried by any enemy one could name. "Testing the system" theories make no sense, as it would indicate a concerted effort of all of the varied enemies we have. Surely just one nameless individual in, say, China, would take the opportunity just once? It baffles me.
My other question is the point made that these DOA's are again testing our system, and are part of a bigger plan developed by these groups. My belief is that it's individuals, not nations or organizations. A number of web sites showcase hacker members and their latest efforts.
From O. Sami Saydjari: Re: your first question - the same question might be asked of chemical and biological weapons use within U.S. borders. It is hard to say why these have not happened yet. Taking the power grid down and holding it down would require substantial resources and planning. If an adversary were to develop such a capability, the adversary would likely hold it in reserve for when it was really needed to have some strategic effect.
Re: your other question...The vast majority of attacks are done by individual attackers, as you suggest. At the same time, we know that nation-states also have significant capabilities and some have used those capabilities in limited ways.
From James Lewis: Baffles me too, which is why I think cyber attacks are overrated. I put links to a long paper and a short paper at the end of this answer that try to answer this question. In a nutshell, while there have been many terrorist attacks and many hacking incidents, there have not been any cyber terror or cyber attacks on infrastructure. Part of the explanation for this disparity lies with the goals and motives of terrorists. The people who are attracted to terrorism seek to do violence against their opponents. Cyber attacks are unsatisfactory in this regard. Terrorists' plans call for actions that have a political and psychological effect produced by the shock and horror of physical destruction and casualties. Cyber attacks do not produce these. Terrorists have a keen sense of operational risk and will avoid untested weapons whose effect is unclear or unknown. Some experts go so far as to say that terrorists may avoid cyber weapons because of the potential risk it could pose to their own operations and communications.
There is also the issue that the hypothetical vulnerability of various infrastructures (water systems, air traffic control, electrical grids) is routinely overstated in cyber attack scenarios. These infrastructures are not dependent on computer networks for their operation. Many analyses that predict "electronic Pearl Harbors" assume that there is a close connection between the physical and the cyber. In most instances, however, this connection seldom exists. Hackers, for example, cannot cause aircraft to fly into each other because there are still pilots and air traffic controllers that do not depend on computers.
A closer examination suggests that: (a) computer networks and critical infrastructure are not equally vulnerable; (b) nations are robust and resilient in responding to attacks, thus the potential for damage is limited; and (c) critical infrastructures in the U.S. have considerable redundancy, are accustomed to system failure, know how to repair these failures, and still require human intervention for many control mechanisms. This makes it difficult for remote computer attacks to disrupt critical functions.
http://www.csis.org/tech/0211_lewis.pdf (long); http://www.csis.org/tech/0403_cyberterror.pdf (short).
With regard to your other question - There have been some good studies of hackers and these have found, as you suspected, that they tend to be individuals showing off to other hackers. I think there are countries that hack into computer systems, but their goal is espionage. They want to sit quietly and collect information, not cause some temporary flap that would end up with them being shut out.
Can it be determined if an attack is committed by a single person or by a cooperative group? Can a single hacker be as destructive as, say, a known group of attackers (i.e., Al Qaeda)? Are most attacks committed by lone hackers? It seems to me that a lot of "inside" hacking would be logical, committed by people who are familiar with systems and perhaps disgruntled, rather than by terrorists half a world away. Are there such things as hacking gangs? Excuse my naivete, but really, what is there to gain by hacking other than cheap thrills?
Baldwin, New York
From O. Sami Saydjari: Unsophisticated attacks that are repeats of already-seen attacks are almost certainly done by lone hackers looking for cheap thrills. More sophisticated attacks that require more planning, insider access, and coordinated multi-step attacks generally indicate that well-resourced organizations are involved. Single hackers, through worms and viruses, can do significant harm. Patient and well-resourced adversaries can go well beyond that level and can have strategic impact on national security and disrupt important services such as power, transportation, and banking.
From James Lewis:
These are good issues. There's been a lot of work done on the hacker personality, so your question isn't naive, it's right on target. Most hackers or virus writers tend to be young, single males with weak social skills who want a cheap thrill. Damage, in the sense of economic loss to companies, tends to come from professionals stealing intellectual property or financial data. It's hard to tell, especially in the beginning, if an attack comes from a single person or a group, in part because it's still easy for a single person to take over thousands of computers and have them automatically launch attacks. There are hacking gangs, both in the sense of clubs and also criminal gangs. I think most people, including the FBI, would tell you that the insider threat is much greater than terrorists, if only because the insider has the specific knowledge about how a network is constructed, how the company operates and so on. An outsider can't get that knowledge.
The program was very informative, but dealt only with probing or attacking systems and networks with viruses. Is there also concern about adversaries hiding information or viruses in images or audio files as a means of transfer to their cohorts? I think I read something about this as a method Al Qaeda used to transmit instructions. This activity may be more criminal profit-based in nature, but sensitive infrastructure or military information could be stolen this way as well. Are there any public sources or references on this subject?
From O. Sami Saydjari: You are correct. Information hiding of the type you describe is a key problem in leaking sensitive information, transmitting illicit information, and in controlling malicious software. Hiding information inside of images is called "steganography." The term "covert channels" refers to hiding information in communication channels. Many technical papers have been published on both of these topic areas. A general literature search on these key words will turn up many interesting references.
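The answer above names the problem but not how a defender would look for it. As an added illustration (not part of the original exchange, and not code from either panelist), the script below implements the classic "pairs of values" chi-square check for least-significant-bit steganography: in unmodified image data the counts of neighbouring values 2k and 2k+1 differ, and overwriting the LSBs with message bits flattens each pair toward equality. The cover data, the function names and the threshold are all constructed for this example; a real check would read the sample bytes of an actual image.

```python
"""Added example: chi-square "pairs of values" check for LSB steganography.

Scores an array of 8-bit samples (e.g. the pixel bytes of a greyscale image)
for the histogram flattening that full-capacity LSB replacement leaves behind.
The cover data below is constructed, not a real image.
"""
import random
from collections import Counter


def pov_chi_square(samples):
    """Chi-square statistic per degree of freedom over value pairs (2k, 2k+1).

    Premise (Westfeld and Pfitzmann's attack): in an unmodified cover the counts
    of 2k and 2k+1 differ; overwriting LSBs with random message bits pushes each
    pair toward equal counts, so the per-degree statistic falls to about 1.0.
    """
    counts = Counter(samples)
    chi2, dof = 0.0, 0
    for k in range(128):
        even = counts.get(2 * k, 0)
        odd = counts.get(2 * k + 1, 0)
        expected = (even + odd) / 2.0
        if expected == 0:
            continue  # pair absent from the data: no information
        # both cells of the pair deviate from the shared expectation
        chi2 += 2 * (even - expected) ** 2 / expected
        dof += 1
    return chi2 / max(dof - 1, 1)


def make_cover(n=20000, seed=7):
    """Constructed cover: Gaussian-ish intensities with even values favoured,
    giving the uneven neighbouring-value counts an unmodified cover shows."""
    rng = random.Random(seed)
    out = []
    for _ in range(n):
        v = min(255, max(0, int(rng.gauss(128, 30))))
        if rng.random() < 0.3:
            v &= ~1  # bias toward even values so pairs are not already balanced
        out.append(v)
    return out


def simulate_full_lsb_replacement(samples, seed=11):
    """Model the statistical effect of embedding random bits in every LSB."""
    rng = random.Random(seed)
    return [(v & ~1) | rng.getrandbits(1) for v in samples]


def looks_embedded(samples, threshold=2.0):
    """Flag data whose pair counts are as balanced as random-bit embedding leaves them.

    The threshold is a constructed choice for this example; a deployment would
    calibrate it against known-clean covers from the same source.
    """
    return pov_chi_square(samples) < threshold


if __name__ == "__main__":
    cover = make_cover()
    stego = simulate_full_lsb_replacement(cover)
    print("cover chi2/dof: %.2f  flagged=%s" % (pov_chi_square(cover), looks_embedded(cover)))
    print("stego chi2/dof: %.2f  flagged=%s" % (pov_chi_square(stego), looks_embedded(stego)))
```

The check only catches sequential, near-full-capacity LSB replacement; sparse or adaptive embedding, and covers whose histograms are already smooth, defeat it, which is why this is a screening statistic rather than proof of a hidden payload.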
Following the fact that DARPA decided to take back the 2 million awarded to the OpenBSD project for research funding, I was wondering if any of you had some insight into the reason why?
Personally, starting up in the security field, I think it really is a shame that one of the most secure and available operating systems in the world has to rely on the generosity of people who use OpenBSD and understand the need for a REAL secure system.
From O. Sami Saydjari: On the question of the DARPA funding change, I have no inside knowledge on why this decision was made. More generally, the DARPA budget in information assurance research appears to be trending downward without a corresponding increase in funding from other agencies. This is a source of concern given the gravity and magnitude of the current national vulnerabilities.
From James Lewis:
There's a big debate now within the government, and particularly within DOD, as to how to interact with open source software. A decision on Open BSD would reflect this. Some people say the government should not support open source because it is unfair competition with the private sector; others say open source is crucial because it's more secure. I'd note the NSA is continuing with its work on Secure Linux, but the policy debate needs to work through a whole set of commercial, IP and security issues.
Regarding the recent shift in IT jobs overseas to countries with views counter to the US, do you believe that this poses a significant increase in risk? With the code for applications being run in major US companies and government agencies being developed outside of our eyes by individuals who have the means and knowledge to place malicious code directly into these applications, I feel this is a major risk that CIOs here are overlooking to save a few dollars in the current economy. How do you feel about this?
From O. Sami Saydjari: Absolutely. Outsourcing software development overseas increases the risk significantly. At the same time, we should also understand that there is still significant risk with software development in the United States due to the possibility of insiders placed by adversaries. We must develop systems to withstand the possibility of such internal subversions.