Jayant Gandhi
Defense in a Virtual World: Protecting Ourselves in the Age of Cyber Threats
Cyber-attacks pose a very real threat to everyone who uses the Internet; not only individuals, but corporations and governments as well. Accountability is not as easily determined as it is in the physical world, since it is nearly impossible to trace an attack back to its source. The Internet’s ability to transcend borders turns this security issue into an international one. So how can the international community effectively deal with the threat of cyber-attacks? International cooperation to strengthen current security software is the best option in the short run. Internet security was designed as an afterthought: the Internet was not designed with security in mind, and this is apparent in the tools used to protect it. Firewalls and anti-virus software are incomplete because of their reliance on quickly outdated malware libraries. The only solution to this is to take a more active role. The private sector began to hire hackers to attack their software with the goal of using the data collected from the attacks to fix the vulnerabilities they exploited. This method eventually spread from individual companies to industry-wide events. The only true solution is to rebuild the Internet with security in mind, a task being undertaken by the National Science Foundation. The best solution for the short term, however, is to increase international cooperation in a fashion similar to how private corporations have been cooperating to continually test the Internet for security vulnerabilities and repair them before hackers exploit them.
Security in the Virtual World
Since the introduction of the Internet, cyber-attacks have been a constant threat to
those who wish to use the Internet. Unlike attacks in the physical world, these virtual attacks
are nearly impossible to trace back to their sources so normal methods of deterrence are not
effective. An attacker has little or nothing to lose by initiating an attack. In the virtual world,
there is always an incentive to be the first to attack.
This poses a dilemma for states. States cannot threaten retaliation because of the
difficulty in tracking where an attack came from; therefore any form of deterrence akin to the
strategy of Mutual Assured Destruction would not work. Similarly, a state cannot always be on
the offensive because this would most likely cause more trouble for the state than good and
increase the likelihood that they could be detected. Building an effective defense is the only
way to protect oneself.
This problem becomes magnified by the international nature of the Internet. By
transcending borders, the security threats posed by cyber-attacks have developed into an
international issue. The cyber-attacks on Estonia in 2007 and the Stuxnet worm in Iran
demonstrate that these attacks in the virtual world can have very real effects (whether that is
by consuming the resources of an entire government for a time, or sabotaging equipment used
in nuclear facilities). So how can the international community effectively deal with the threat of
cyber-attacks?
The Internet was not designed with safety in mind and its own evolution has led to
several features that can be exploited by hackers. They benefit from nearly perfect anonymity
and can turn the very thing that makes the Internet so beneficial (increased interconnectivity)
against their target. This has led us to a very precarious position in internet security.
All the security systems that we have in place now have been retrofitted. This leads to a plethora of internal flaws that can only be fixed by constant updating. Firewalls and anti-malware software (the two leading security measures) rely on extensive libraries of known malware and are not good at dealing with evolving attacks. The problem is that most hackers are constantly evolving their malware in order to circumvent the security software. Security experts are perpetually left one step behind as they rush to identify and protect against the latest virus.
In all this commotion, private companies have been left to fend for themselves. Whereas a physical attack causing massive damage would (hopefully) be stopped by the protection of the state in which that company resides, there exists no such protection in the virtual realm. A few companies responded to this absence by banding together and holding annual security conferences whose goal is to hack these companies’ software in an attempt to locate all holes in security. This has gone a long way toward improving internet security because this level of cooperation has given security experts the edge they needed to catch up with hackers.
There have also been talks of a complete overhaul of the Internet itself. The National
Science Foundation (NSF) has proposed building a new internet from scratch with their Future
Internet Design (FIND) program. Eliminating the security problems inherent to the Internet
would be a great victory for cyber-safety, but there are still concerns. Will this new internet
work as efficiently as the current one does? Will it open the door for new bigger problems?
These are questions that need to be addressed before this idea can be effectively implemented.
In the short term, however, the best hope for internet security lies in the cooperation of
the international community. If the international community can mimic what private
corporations have already begun doing, it would go a long way to ameliorating the state of
internet security. By increasing the amount of information and resources shared by security
experts they stand a better chance at identifying and disarming threats before they get out of
hand.
Malware 101
So how do hackers threaten the security of the Internet? They use malware. Short for malicious software, malware is the principal tool for anyone wishing to execute an effective cyber-attack. This ‘bad’ software finds its way onto a victim’s computer and then executes its programmed directive. The results can be as benign as causing unwanted advertisements to open up in one’s web browser, or they can cause a complete system failure, forcing the user to wipe their hard drive.
These pieces of coding are readily available online for a price and recent advancements
in programming are making them more and more user friendly, so the world of malware is no
longer restricted to veteran programmers. Malware also comes in many varieties, enabling
hackers to pick and choose the specific characteristics of the malware they need to meet their
needs.i
Of these types, the most common are viruses, worms, and Trojan horses. Each of these
has its own strengths and weaknesses and has the potential to inflict considerable damage. All
three are designed to make their way onto a victim’s computer undetected and then complete
their mission.
Viruses are perhaps the most well known of the different types of malware; this is because they are usually the most obvious. Viruses are not standalone programs. They require a complete piece of software to ‘piggy-back’ on and user interaction to allow them access to the computer (usually inadvertently). A user can download viruses from fake emails sent by the virus that trick the user into opening them or from websites that are hosting them. In a 2008 analysis of 4.5 million URLs, Google found that 700,000 of them were possible hosts for malware. Another study added that only about 20% of these websites were intentional hosts.ii
Once infected, the original software now becomes a tool for the virus; every time it is
activated the virus runs as well. When the virus runs it not only causes whatever damage it was
intended to do, but also attaches itself to other programs in order to replicate, making it that
much harder to find and stop. It will then seek to spread to other computers. Normally this is
achieved by hijacking a user’s email account or any other program that uses network access.
The other most common form of malware is the worm. The Stuxnet worm is a famous recent example of a worm and a good illustration of the nature of worms. Unlike viruses, worms are independent pieces of software. They do not attach themselves to programs within the victim’s computer, but rather locate specific security holes in a network and copy themselves from computer to computer. For this reason worms are considered self-replicating rather than self-propagating.
Worms can spread incredibly fast once they have gained access to a network. In 2001, a worm called Code Red infected over 250,000 systems in just 9 hours.iii Once dispersed, a worm then unleashes its payload. In the 2010 Stuxnet attack, this meant executing a program that overrode the previous program that monitored the frequency of the Iranian centrifuges and caused them to rotate at modulating frequencies. Because of their fast rate of diffusion and efficiency at executing their directive, worms are often used to create large botnets1 that are then used in Distributed Denial of Service (DDoS) attacks. However, it is this fast expansion that reveals one of a worm’s weaknesses. In the process of replication, it uses a large portion of the computer’s processing power and the network’s bandwidth, briefly exposing itself to a vigilant network administrator.iv
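The "vigilant network administrator" of the previous paragraph is watching for exactly the pattern described there: one host suddenly opening connections to a great many other hosts. The following detector is an added example, not code from the essay or from any of the sources it cites; it runs over a constructed list of flow records (source, destination, port, timestamp) and flags any source that contacts more distinct destinations inside a sliding time window than an ordinary client ever would. The window length and threshold are assumed values a real deployment would tune to its own traffic.

```python
"""Fan-out detector for worm-style propagation (added example, constructed data).

A spreading worm must reach many new hosts quickly, so the tell-tale sign is a
single source talking to an unusually large number of distinct destinations
within a short window. Ordinary clients repeat connections to a handful of
servers instead.
"""
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    ts: float    # seconds since epoch (constructed values below)
    src: str     # source address
    dst: str     # destination address
    dport: int   # destination port


def detect_fan_out(flows, window_s=60.0, max_distinct_dst=20):
    """Return {src: peak_distinct_destinations} for each source that contacted
    more than max_distinct_dst distinct hosts inside any window_s-second
    sliding window. Sources under the threshold are not reported."""
    recent = defaultdict(deque)                      # src -> (ts, dst) still in window
    counts = defaultdict(lambda: defaultdict(int))   # src -> dst -> hits in window
    flagged = {}
    for f in sorted(flows, key=lambda x: x.ts):
        q, c = recent[f.src], counts[f.src]
        # expire records that fell out of the window
        while q and f.ts - q[0][0] > window_s:
            _, old_dst = q.popleft()
            c[old_dst] -= 1
            if c[old_dst] == 0:
                del c[old_dst]
        q.append((f.ts, f.dst))
        c[f.dst] += 1
        distinct = len(c)
        if distinct > max_distinct_dst:
            flagged[f.src] = max(distinct, flagged.get(f.src, 0))
    return flagged


def build_sample_flows():
    """Constructed traffic: one ordinary client, one host sweeping a subnet."""
    base = 1_700_000_000.0
    flows = []
    # ordinary client: repeated connections to five servers over five minutes
    servers = [f"10.0.0.{n}" for n in (10, 11, 12, 13, 14)]
    for i in range(50):
        flows.append(Flow(base + i * 6, "10.0.0.5", servers[i % 5], 443))
    # infected host: one connection to each of 40 addresses in 30 seconds
    for i in range(40):
        flows.append(Flow(base + 100 + i * 0.75, "10.0.0.7", f"10.0.1.{i + 1}", 80))
    return flows


if __name__ == "__main__":
    for src, peak in detect_fan_out(build_sample_flows()).items():
        print(f"ALERT {src}: {peak} distinct destinations within 60 s")
```

The threshold is deliberately a count of distinct hosts rather than of packets, because a worm's scan is cheap per connection but wide; a busy but legitimate client produces many packets to few peers and stays well under the limit.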
While viruses and worms sneak onto a computer by exploiting security holes in software and networks, Trojan horses take the more direct approach. This type of malware claims to be a useful piece of software. An unsuspecting user would then download or install the Trojan horse thinking it is a desired piece of software. Unfortunately, once activated the Trojan horse reveals itself as malware and causes the intended damage (e.g. wiping the victim’s hard drive).
The major drawback of Trojan horses (from the hacker’s perspective) is that they rely completely on user interaction and have no way to replicate themselves. This limits their applications tremendously and requires greater creativity to entice users to download the Trojan horse. Conversely, they are harder to detect until they have already caused significant damage across a number of systems, which makes them more visible.
No matter how a computer becomes infected by malware, the intended goals usually fall into three categories. (1) They can damage the computer by erasing information or inserting faulty code. This can lead to a fatal error, forcing the victim to erase their hard drive. (2) They can gather information from the computer and send it to another location. This is normally done in preparation for a larger attack to check for the weakest spots in the computer’s security. (3) They can give commands directly to the computer, which could lead to physical and/or economic damage or turn the computer into a zombie2. All three have the potential to inflict great harm not only on individual users, as was formerly the case, but also on large companies and even government networks.
1 Botnets are hidden networks of computers that can be controlled by the hacker that creates them. Once a computer becomes part of a botnet it will follow any commands issued by the master computer.
How the Internet Has Helped Hackers
The Internet has been an incredible boon to hackers. When the internet was being
designed, very little thought was given to security; the idea of malware as a major problem
seemed farfetched. At the time, most viruses were used in harmless pranks between computer
scientists and worms were a legitimate tool for performing system maintenance.v Any actual
malware that existed was more of a nuisance than a threat. However, as the Internet spread
and the number of users increased, the opportunity to profit by turning these formerly benign
forms of software into tools of aggression became a big enough incentive for hackers to invest
in developing and evolving more malware.
The first and most important flaw of the Internet is its support for anonymity. This has allowed hackers to operate with virtually no repercussions. IP addresses3 were not meant to be used to locate specific people; they were only meant to facilitate communication between two computers by giving them a way to identify each other in networks with multiple computers. Since the introduction of malware into widespread use, security firms have been working with Internet Service Providers (ISPs) to trace attacks back to an individual by way of IP address.
2 A zombie is the term used for a computer that is a part of a botnet.
3 An IP address (short for Internet Protocol Address) is the numerical label assigned to any device connecting to the internet, used to identify that device and enable online applications to interact with it by giving it a virtual location (address).
At first this seemed like a promising method for bringing cyber-criminals to justice; however, hackers were one step ahead and learned how to spoof IP addresses. There are many websites that allow for CGI proxies (or Common Gateway Interface proxies) that let users access websites from a server other than the one provided by their ISP. Hackers can also now use programs that hide their IP address by creating an encrypted network of relays between the user and the target computer.vi Darknets4 are another way to avoid IP address tracing. A hacker using a darknet will display an IP address that does not appear in the ISP’s lists, making it impossible to trace using regular IP address tracing.
Peer-to-Peer (P2P) networks have also proven useful to hackers. These networks were
originally developed to facilitate file-sharing between peers. There is no need to connect with a
server as each member equally sends and receives data. Unlike in a server-client system, a P2P
network will not fail if one member does. It increases in capacity as more devices join and is
much cheaper to run as it does not require a system administrator like a server-client network.
The problem with this feature of the Internet arises when extra overlay networks are added. A
P2P network functions as an overlay network on top of the regular IP network, but, when more
of these networks are created and information is routed through them in such a way as to
obscure the identities of the members, a darknet is created.
Another flaw in the design of the Internet is the lack of authentication. Vinton Cerf, co-inventor of the TCP/IP protocol5, said in an interview with FORA.TV that one of the things he would change about the Internet would be the inclusion of authentication at various levels that would help a user tell who they are communicating with.vii Currently the only forms of authentication available have been developed separately from the Internet (the most prevalent being firewalls) and therefore have their limitations.
4 Darknets are private networks formed by using the peer to peer (P2P) communication system between computers, effectively circumventing the need for IP address sharing.
5 Transmission Control Protocol/Internet Protocol – The TCP sets up the connection of data transfer between host and receiver while the IP is responsible for actually delivering the data to the desired address.
This lack of authentication leaves security completely in the hands of software developers, who often overlook minute details that could be exploited by a clever hacker. Viruses are expressly designed to attach themselves to software through these weaknesses. In this vacuum of security, developers have had to create retrofitted systems for protecting computers from malware attacks. These methods are forced to work from outside the structure of the Internet, and this puts them at a disadvantage to the malware that exploits that very structure.
Current Internet Security
One of the salient features of the internet security industry is that it is constantly changing; it has to be in order to keep up with the ever-evolving malware. What has not changed, however, is the pair of main methods for dealing with and defending against malware: firewalls and anti-virus software. The reason for this constancy is partly that these methods have been effective, but their effectiveness is only relative to the alternatives and not an absolute measurement.
Neither firewalls nor anti-virus software is a perfect solution. Most internet users have some form of anti-virus software installed on their computers now, and it is nearly impossible to find an internet connection that does not have even the most primitive firewall set up. The fact that malware attacks still occur frequently shows how this is an incomplete solution.
Firewalls are the strongest form of protection available. A firewall can be set up in an office environment, where there is a large internal network which is then connected to the Internet, or in a home environment, where computers usually have more direct internet access. They work by controlling the flow of traffic to and from the Internet. This is done in one of three ways. A firewall uses either (1) packet6 filtering, which analyzes packets against a library of filters; (2) proxy service, which sends the information to a requesting system that authenticates the data; or (3) stateful inspection, a method that only looks for key parts of the packet to compare against a database of unwanted information.viii
In theory, a firewall can be 100% effective and block all malware and unwanted content,
but this would also bring internet use to a halt by blocking all content. The only way to use a
firewall then is to balance between allowing and stopping traffic. This can be done to varying
degrees of security, but even the most well balanced firewalls often fall short. A November
2011 study conducted by Larry Suto (a security industry expert) found that a properly set up
firewall can block about 79% of attacks.ix
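The trade-off described above, between a filter that blocks everything and one that is balanced to let wanted traffic through, is easiest to see in a small rule engine. The following is an added example written for this page, not code from the essay or from any firewall product: it evaluates packets against a library of allow rules with a default-deny fallback (the packet-filtering method), and it additionally keeps a session table so that replies to connections the internal network initiated are admitted without their own rule. That session table is my own addition to illustrate state tracking and goes beyond the essay's description of stateful inspection. All addresses are constructed values from documentation ranges.

```python
"""Minimal packet filter with default-deny rules and a session table
(added example, constructed traffic)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str   # "tcp" or "udp"
    sport: int
    dport: int


@dataclass(frozen=True)
class Rule:
    action: str                  # "allow" or "deny"
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    proto: str = "any"
    dport: Optional[int] = None  # None matches any destination port

    def matches(self, p: Packet) -> bool:
        return (ip_address(p.src) in ip_network(self.src)
                and ip_address(p.dst) in ip_network(self.dst)
                and self.proto in ("any", p.proto)
                and (self.dport is None or self.dport == p.dport))


class Firewall:
    def __init__(self, rules, internal="192.168.1.0/24"):
        self.rules = rules
        self.internal = ip_network(internal)
        # (inside host, outside host, proto, outside port) for allowed outbound sessions
        self.sessions = set()

    def decide(self, p: Packet) -> str:
        inbound = (ip_address(p.dst) in self.internal
                   and ip_address(p.src) not in self.internal)
        # stateful shortcut: a reply to a session the inside opened is admitted
        if inbound and (p.dst, p.src, p.proto, p.sport) in self.sessions:
            return "allow"
        # first matching rule wins
        for r in self.rules:
            if r.matches(p):
                if r.action == "allow" and not inbound:
                    self.sessions.add((p.src, p.dst, p.proto, p.dport))
                return r.action
        return "deny"  # nothing matched: default deny


def run(rules, packets):
    """Decisions for a packet sequence under one rule set, in order."""
    fw = Firewall(rules)
    return [fw.decide(p) for p in packets]


# Constructed traffic sample
SAMPLE_PACKETS = [
    Packet("192.168.1.20", "203.0.113.10", "tcp", 51000, 443),   # inside -> web server
    Packet("203.0.113.10", "192.168.1.20", "tcp", 443, 51000),   # the server's reply
    Packet("198.51.100.7", "192.168.1.20", "tcp", 40000, 445),   # unsolicited inbound
    Packet("192.168.1.20", "203.0.113.10", "tcp", 51001, 6667),  # unwanted outbound
]

# "100% effective" filter: no allow rules, so the default deny stops everything
BLOCK_EVERYTHING = []

# balanced filter: web and DNS out of the internal network, nothing else
BALANCED = [
    Rule("allow", src="192.168.1.0/24", proto="tcp", dport=443),
    Rule("allow", src="192.168.1.0/24", proto="tcp", dport=80),
    Rule("allow", src="192.168.1.0/24", proto="udp", dport=53),
]

if __name__ == "__main__":
    print("block everything:", run(BLOCK_EVERYTHING, SAMPLE_PACKETS))
    print("balanced:        ", run(BALANCED, SAMPLE_PACKETS))
```

Under the empty rule set every packet, including the user's own web request, is denied, which is the "halt" the paragraph warns about. Under the balanced set the request and its reply pass while the unsolicited inbound connection and the unexpected outbound port are still dropped; the remaining risk is traffic that looks like something the rules allow, which is why even a well-balanced filter cannot reach 100%.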
Anti-virus software is not designed to prevent malware from entering a computer, but rather provides a method of dealing with it once the computer is infected. It achieves this by monitoring all the files on the computer in order to detect any signs of malware. This type of software relies heavily on virus dictionaries in order to compare the files to a list of known viruses. When a virus is detected it can delete, quarantine, or attempt to repair the file.x
There is also a suspicious behavior approach that more recent anti-virus software uses, as it does not require a virus dictionary. This helps protect against unknown and new viruses. This method monitors the behavior of all programs and looks for any program doing something unusual, such as writing an executable program. It will then alert the user and ask for permission to run the program. The problem is that this happens with great frequency, so users get desensitized to the warnings and often just click allow without thinking. Malware has also evolved to outsmart this system and often hides its processes from plain sight (especially in the case of worms, which operate within the holes in network security).xi
6 Packets are small bits of information and are how data is sent over the Internet.
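The two approaches just described, a dictionary of known samples and a monitor for suspicious behavior, fail in different ways, and a small scanner makes the difference concrete. This is an added example written for this page, not code from the essay or from any anti-virus product. The "files" and the monitor events are constructed in the block; the dictionary stores SHA-256 digests of known samples, which is one common form a virus dictionary takes, and the behavior rule is the one the paragraph names (a program writing an executable).

```python
"""Dictionary (hash) scanning versus behavior monitoring (added example,
constructed files and events)."""
import hashlib

# Stand-in for the bytes of a known malware sample (constructed).
KNOWN_BAD = b"CONSTRUCTED-MALWARE-SAMPLE-0001"

# Constructed files on the "computer": name -> contents.
FILES = {
    "report.docx": b"plain document content",
    "known_sample.bin": KNOWN_BAD,
    # the same sample with one token changed: a new variant the dictionary has never seen
    "variant_sample.bin": KNOWN_BAD.replace(b"0001", b"0002"),
}

# Virus dictionary: digest of a known sample -> family name (constructed).
SIGNATURE_DB = {hashlib.sha256(KNOWN_BAD).hexdigest(): "Constructed.Sample.A"}


def signature_scan(files, signature_db):
    """Dictionary approach: flag files whose digest is in the dictionary."""
    hits = {}
    for name, data in files.items():
        digest = hashlib.sha256(data).hexdigest()
        if digest in signature_db:
            hits[name] = signature_db[digest]
    return hits


# Constructed behavior-monitor output: (program, action, argument).
EVENTS = [
    ("word.exe", "write", "C:\\Users\\a\\report.docx"),
    ("variant_sample.bin", "write", "C:\\Windows\\Temp\\svc.exe"),
    ("variant_sample.bin", "net", "203.0.113.55:6667"),
    ("setup_installer.exe", "write", "C:\\Program Files\\App\\app.exe"),
]

EXECUTABLE_SUFFIXES = (".exe", ".dll", ".scr")


def behavior_scan(events):
    """Suspicious-behavior approach: flag any program that writes an executable.
    Returns {program: [reason, ...]}."""
    alerts = {}
    for program, action, arg in events:
        if action == "write" and arg.lower().endswith(EXECUTABLE_SUFFIXES):
            alerts.setdefault(program, []).append(f"wrote executable {arg}")
    return alerts


def prompt_count(events):
    """Number of permission prompts the user would see for this event stream."""
    return sum(len(reasons) for reasons in behavior_scan(events).values())


if __name__ == "__main__":
    print("dictionary hits:", signature_scan(FILES, SIGNATURE_DB))
    print("behavior alerts:", behavior_scan(EVENTS))
    print("prompts shown:  ", prompt_count(EVENTS))
```

The dictionary catches the known sample and misses the variant, which is the "one step behind" problem the essay returns to later; the behavior rule catches the variant, but it also prompts on a perfectly legitimate installer, and it is that stream of prompts on good software that trains users to click allow without reading.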
Anti-virus software is also very costly and often viewed as causing more problems than it solves. The virus dictionary requires constant updating not only on the part of the security firm, but also on the part of the user (a task that more often than not goes neglected). The suspicious behavior detection has caused much complaint, as it slows down overall computer speed by forcing these checks even on perfectly good software. A recent survey of different anti-virus programs found that seventeen were unable to detect over 48% of the malware on the computer.xii
With a clear dependence on up-to-date information on malware, firewalls and anti-virus software will always lag behind the latest malware. It is true that these security measures can never fully fortify a network against malware attacks because of this lag, but detection rates of malware have been steadily increasing. This is due in large part to new strategies being implemented by security firms. The goal is to preempt the hackers by finding vulnerabilities before they can.
Cooperation in the Private Sector
In contrast to physical crimes, where someone can be held accountable for the damage they cause, cyber-crimes cannot be effectively prosecuted. This fact has left the private sector with little to no protection from world governments. If a bomb were to go off causing millions of dollars worth of damage there would be a full criminal investigation and hopefully an arrest. In all likelihood the attack would be stopped by the police or some other security firm. If, similarly, a cyber-attack were to cause millions of dollars worth of damage, an investigation would ensue, but with little hope for a resolution. There are no cyber-police to turn to, and states are currently not equipped to deal with cyber-threats on a large scale.
In this vacuum of security, the private sector came up with its own innovative solution:
employ the hackers that have been creating malware to help defend against it. At first it may
seem counterintuitive to hire your enemy, but, for the most part, hackers do what they do for
fun or to make money rather than inflict wanton damage. Most hackers would jump at the
opportunity to be paid legally for their services.
The logic behind this move was to employ these hackers, now called ‘security researchers’, in what is called ‘penetration testing’ in order to expose vulnerabilities of new software before they can be exploited by other hackers. This strategy was originally adopted by individual companies, but once its success was understood it grew into larger events spanning multiple software companies. The largest of these is the annual PWN2OWN contest held at the CanSecWest security conference, where a cash prize is offered for each program successfully hacked.
The information gathered at these events has proven to be incredibly valuable. After the most recent PWN2OWN contest in March 2011, Google quickly released a patch7 for their Chrome web browser that fixed a vulnerability that was rated, by Google, as a high severity weakness.xiii Many other companies have benefited from these contests as well, such as Apple, Microsoft, and Blackberry. These events also led towards the creation of applications that can achieve similar ends.
7 Patches are pieces of code added to software to fix a problem.
Dynamic Application Security Testing (DAST) mimics the effects of the PWN2OWN
contest by intentionally attacking web applications and then by patching the discovered
vulnerabilities. DAST systems are divided between two applications: the attacker and the
patcher. If used in conjunction with properly balanced firewalls it can increase effectiveness by
up to 19%.xiv These applications are no substitute for living people who can discover clever ways
to circumvent software security in a way that the applications’ programming cannot.
Hiring hackers to work as ‘security researchers’ has definitely proven to be a wise
decision, but what was even more beneficial was the cooperation between corporations that
allowed for the large scale vulnerability testing that occurs at these security conferences. An
individual company can only do so much, but by pooling resources they can gather much more
information and share it to reduce the overall vulnerability of our software.
Lessons for the International Community
The success of these conferences at leveling the playing field between hackers and
security experts can be shared by the international community if they implement their own
similar initiative. Contrary to most things in the tech industry, in this case, bigger is better.
The more sharing of information that can be achieved between security experts, the better the chance of preempting the next cyber-attack. The Organization for Economic Cooperation and Development (OECD) has called for an “Anti-Malware Partnership” between nations in order to discover more vulnerabilities more quickly.xv Recently, NATO has revised its policy on cyber defense, stressing the need for “a coordinated approach to cyber defense across the Alliance with a focus on preventing cyber attacks and building resilience.”xvi NATO’s development of a policy on cyber defense shows how this is no longer an issue that can be addressed by individual companies or even individual states.
A key component of the creation of this international regime is the campaign to increase
awareness of cyber-threats that must follow. NATO has noted the importance of educating and
training specialists in cyber defense as evidenced by the creation of the Cooperative Cyber
Defense Centre of Excellence (CCDCoE) in Tallinn, Estonia (created shortly after the attacks on
Estonia in 2007).xvii But it is just as important, if not more so, to raise awareness of the dangers
of cyber attacks amongst the general populace.
Many types of attacks are executed using botnets or involve, in some way, the
computers of innocent people who have no idea that their computers are infected. If people
are educated in ways to protect themselves from becoming the tool of a cyber criminal or
terrorist, it would greatly diminish the capabilities of hackers.
An international regime is the best way to get this information to as many internet users as possible as quickly as possible. No company is going to be willing to pay for expensive awareness campaigns. Governments that are not under the threat of attack will not expend much effort educating their populace so that other countries might be safer. However, an international institution devoted to cyber security would definitely be able to effect meaningful change.
Internet 2.0?
All the solutions mentioned thus far have been nothing more than bandages applied to
a broken piece of infrastructure. None of them address the core problem: the Internet itself.
But is it possible to overhaul the Internet entirely? This is a question that the National Science
Foundation (NSF) is presently addressing.
The NSF Future Internet Design (FIND) program is tasked with researching how a more perfect internet can be built from scratch. One of the specific problems FIND is aiming to resolve is how to design a more fundamentally secure internet.xviii After a recent evaluation of the program by five external researchers, FIND has placed security at the top of the list. The program is determined not to let security be an add-on as it is now. To ensure this, the evaluating panel suggested the use of Red team tactics8.xix
Any potential successor to the Internet is still a ways off. The NSF expects its new version, now dubbed the Global Environment for Network Innovations (Geni), to appear somewhere between 10 and 15 years from now. The problem is that the Internet has grown so large and complex that it is incredibly difficult to start from scratch. There is also the worry that the new Internet, while possibly improving security, may be worse than the current Internet at certain important tasks (a security-heavy internet runs the risk of complicating all communication of data).xx
No matter what the future form of the Internet looks like, an overhaul of the Internet is not going to fix the immediate threat of cyber-attacks that the world faces. It is the ultimate solution to deficiencies in internet security, but, for now, emphasis must be placed on mitigating the damage from these cyber-attacks.
8 Red team tactics refers to the use of cyber attacks in order to expose vulnerabilities (as seen in PWN2OWN or DAST).
So Where Does that Leave Us?
The only true solution to the problem of cyber-attacks is to rebuild the Internet from the
ground up and include security processes within its architecture. No matter how advanced
methods for checking for vulnerabilities and detecting threats become, any device on the
Internet will be at risk of falling victim to a cyber-attack. Hackers are nothing if not persistent
and that determination can lead them to overcome the expanding security community.
The innovation of using red team tactics by employing hackers to attempt to exploit
vulnerabilities in software was a momentous advancement. In this case, offense proved to be
the best defense. Increasing the magnitude of these tactics from an industry based level to an
international based level would close the gap between the attacking hackers and defending
security experts.
Anti-virus software and firewalls are not enough to stop malware from causing havoc
and infecting many machines. These tools must be augmented by the enhanced information
gathering abilities of these security conferences. Involving the international community would
only increase the amount of information available to these applications, thus making them that
much more efficient.
There is great potential for success in the creation of a new internet, but there is also great potential for disaster. Much more research needs to be done regarding how the new built-in security will actually work and whether it will cause any inadvertent problems, and it should be clarified how a transition would take place and what it would look like. In the meantime, it is time for the international community to step up and help defend all internet users from cyber threats.
i “Malicious Software (Malware): A Security Threat to the Internet Economy”; Organization for Economic Cooperation and Development (OECD); 17-18 June 2008; Seoul, Korea; p. 11; http://www.oecd.org/dataoecd/53/34/40724457.pdf
ii Ibid., p. 12
iii “Code Red, Code Red II, and SirCam Attacks Highlight Need for Proactive Measure”; Keith A. Rhodes; United States General Accounting Office; August 29 2009; p. 4; http://www.gao.gov/new.items/d011073t.pdf
iv “How Computer Viruses Work”; Michael Brian; http://computer.howstuffworks.com/virus5.htm
v “Malicious Software (Malware): A Security Threat to the Internet Economy”; Organization for Economic Cooperation and Development; 17-18 June 2008; Seoul, Korea; p. 10
vi “TOR: Overview”; https://www.torproject.org/about/overview
vii http://www.dailymotion.com/video/xhvn2j_vinton-cerf-lists-the-flaws-in-the-internet-s-original-design_tech
viii “How Firewalls Work”; Jeff Tyson; http://computer.howstuffworks.com/firewall1.htm
ix “How Companies Can Defend Against Database Cyberattacks”; Joshua Phillips; http://english.ntdtv.com/ntdtv_en/science_technology/2011-11-22/How-Companies-Can-Defend-Against-Database-Cyberattacks-.html
x “How Does Anti-Virus Software Work?”; http://www.antivirusworld.com/articles/antivirus.php
xi Ibid.
xii “Security and the Internet: Fighting malware”; Lyndon Thompson; The OECD Observer; Paris, France; July 2008; Issue 268; p. 10
xiii “Google Patches Security Flaw Exploited by Security Researchers in Pwn2Own Contest”; M2 Presswire; March 15, 2011
xiv “How Companies Can Defend Against Database Cyberattacks”; Joshua Phillips; http://english.ntdtv.com/ntdtv_en/science_technology/2011-11-22/How-Companies-Can-Defend-Against-Database-Cyberattacks-.html
xv “Security and the Internet: Fighting malware”; Lyndon Thompson; The OECD Observer; Paris, France; July 2008; Issue 268; p. 10
xvi “NATO and Cyber Defense”; http://www.nato.int/cps/en/SID-18E557C3-C34AEA79/natolive/topics_78170.htm?
xvii Ibid.
xviii “NSF NeTS FIND Initiative”; http://www.nets-find.net/
xix “FIND Observer Panel Report”; Vint Cerf, Bruce Davie, Albert Greenberg, Susan Landau, David Sincoski; April 9, 2009; pp. 1, 6
xx “How do you build a new internet?”; Bobbie Johnson; The Guardian; August 1 2007; http://www.guardian.co.uk/technology/2007/aug/01/news.internet