Managing Network Security

In Your Face Information Warfare

by Fred Cohen

Series Introduction

Computing operates in an almost universally networked environment, but the technical aspects of information protection have not kept up. As a result, the success of information security programs has increasingly become a function of our ability to make prudent management decisions about organizational activities. Managing Network Security takes a management view of protection and seeks to reconcile the need for security with the limitations of technology.

A Shooting War

I read last month that the US DoD recently figured out that it's at war. It shouldn't be a big surprise - after all people have been talking about information war ever since Al Gore declared it in the early 1990s. That's when Al declared information war on the world by telling everybody that the US was going to use the Internet to expand global influence, gain economic advantage, and exploit our information technology advantage to spread democracy and US imperialism around the world. Of course he didn't use those exact words, but that's more or less what he seemed to mean by it - and that's more or less what the result has been.

So what's the big surprise? After 8 years of the US domination, the rest of the world is starting to catch up! Is it any surprise that suspected Russian attackers are breaking into US DoD sites to take plans of US command and control and weapons systems designs? The warning has only been out in the DoD for 4 years or so. That's when they published statistics indicating that, on average, every DoD computer was successfully attacked once per year. Now, they have 'just discovered' that they were broken into 6 months ago and that the Russians had been taking weapons information ever since then. And why did it take them 6 months to figure it out? Because it was a person who noticed that a print job was taking a long time and bothered to look into it. That's security!

So now I guess it has come into the open. There's a real shooting war underway in information technology, and the Y2K situation has introduced the opportunity of a lifetime for the world's information warriors. You didn't think I was going to miss the opportunity to take a shot at Y2K projects - did you? After all, this is probably one of the last issues where I can declare a Y2K possibility.

How Did I Sneak Y2K Into This?

Of course, Y2K was the chance of a lifetime for information warriors. Folks from all over the world have been contracted to do Y2K work on critical systems of all sorts all over the world. Those folks come from all of the countries I count among my closest historical allies - like Pakistan, India, China, Japan, the ex-soviet states, France, the US, England, Germany, and the list goes on and on. If you are offended by the list, don't be. I think that list includes enough countries that are at odds with each other that they will likely notice that the same kinds of software attacks that their folks made in the systems of other countries were made by people from other countries in their systems. Yes - that's right. In the global village, Indian programmers worked on code that eventually made its way into Pakistani information infrastructures - but don't worry - the Pakistani programmers also got to code software that went into the Indian Y2K fixes too.

Now I'm not just being and idle speculator here. I have spoken with folks who know in detail about incidents wherein Trojan horses have been detected in fixes to critical infrastructure software being 'upgraded' for Y2K. They also told me some of the countries involved, that the ones that were caught were caught by accident, and that there is no systematic check for this, so there are probably lots of others out there that are yet undetected.

Now if I were going to plan a nasty attack on critical infrastructures via computer networks, I would certainly take the opportunity to plan my attacks when I was given insider programming access. By the way... none of your Y2K upgrades involve any software written by people you don't completely know and trust - do they? They do? Ouch!!! And - as an aside - if I were going to do a nicely coordinated attack that was hard to track down or defend against, I would probably select the period surrounding Y2K to spring it.

Feeding the Frenzy

Now I don't want to raise a panic over this information warfare and Y2K thing. After all, over-reaction will likely cause more problems than any technical attack would cause, wouldn't it? Not if you happen to live in an area where you will freeze to death, or in an area that depends on a strong economy for economic well-being.

But why get all in a tiff about a once-in-a-lifetime event like Y2K? How about getting concerned about the 20,000 new virus strains introduced in the last 4 months? You would think that the fact that several of these strains have entered sites that were supposed to be 'secure' from a standpoint of holding critical data of one form or another would trigger someone to stand up and take notice - wouldn't you? No! After all, the virus problem doesn't make a dent when compared to the other crimes of the Internet - like child pornography - and scams of every sort and description - and pyramid schemes - and good old fashioned stalking crime - and theft of trade secrets - and insider information being released by employees - and gee - it almost seems like there's a war going on out there and nobody noticed!

So - when a crime goes down in the 'real-world' - you call the police - right? I guess that means we can call the cybercops to our rescue - right? Well... you can call! Or better yet... email them! Where's the local cyber-police station? I looked at the Livermore, CA (where I live) police Web site to find crime statistics on computer crime in my area. Out of thousands of crimes per year, there wasn't a single computer crime in the listing of reported crimes. It also seems there is no way to report a crime via email.

The United States Department of Justice has a list of 'types of computer crime' and lots of good information. And any crime with provable losses in excess of a few hundred thousand dollars might get their attention. They list Computer intrusion (i.e. hacking), Password trafficking, Copyright (software, movie, sound recording) piracy, Theft of trade secrets, Trademark counterfeiting, Counterfeiting of currency, Child Pornography or Exploitation, Internet fraud, Internet harassment, Internet bomb threats, and Trafficking in explosive or incendiary devices or firearms over the Internet. In every case, the local FBI office is a good contact point. I guess things like taking out the power grid or the phone system just don't make it.


Getting back on track for this month's article, I should point out that a six month lag between a break-in and a detection is pretty common in my experience. For example, I know of at least 3 cases in the last year with this characteristic pattern. And the same situation arose in the DISA study published about 5 years ago and cited as the basis for the numbers of attacks on Defense Department sites. In those studies, there was a breakin detected that had been going on for at least 6 months as well. The secret, by the way, to the 6-month duration is that lots of people and organizations only keep backup tapes for 6 months, so any attack that lasted longer would be called 6-months duration.

Now that I am on the backup thing, I figure I should also mention that I recently visited an ISP that claims to emphasize security as one of their benefits, but it turned out that they couldn't reproduce audit information from as little as 2 months ago. It seems that they take monthly backups and could produce the audit trails that happened to be on those systems when the systems were backed up, but for other audit trails - those that were removed on a weekly or daily basis to limit file space consumption, there were no backups. Unless you detected the activity within a few weeks, odds were not very good that any audit trails would be there to track down the source of the attack.

In doing digital forensics - something I do more and more of these days - this sort of lack of information and lack of consistency reflects a real problem. For example, there might be missing exculpatory evidence, or the time frame of interest might not be covered. But in addition to the lack of forensic evidence, there is the notion that it would be nice to know if you are under attack - or at least be able to figure out when the attack started, how long it lasted, and what was involved - once you find out you are under attack.

In Your Face

The information warriors are getting bolder and bolder, to the point where it's hard to explain it away as anything but a shooting war. The bad guys are in your face. They are taking your information. They are taking your money. They are destroying your information. Eventually, they may destroy your ability to do business and destroy your economy.

So what can you do about it? Not very much without some real serious management support and a few key decisions about what has priority in your organization. And that's what we really aren't getting. Getting good decisions on information protection seems like pulling teeth.

There was a time when people in information protection complained that senior management didn't use computers and therefore didn't understand what we were talking about with this information security thing. Now, the situation is worse. Senior management uses computers and doesn't want to be restricted from doing things that are inherently dangerous. For example, I know of many large companies where top management uses their desktop PC to dial out to America OnLine during the day so they can check their stock values and make trades.

First problem - what are they doing working on their personal financial portfolio on company time? That's called time card fraud and it is normally considered illegal - a form of theft. Second problem - AOL creates an IP tunnel between the PC and the Internet. This means that the senior management is creating a possible firewall bypass, and of course they have access to lots of sensitive company data, some of which is on their PC! Third problem, the use of the dial-out line for this activity makes if far more difficult to track what they do and implement intrusion detection on their systems. Fourth problem - instead of not caring, they actively work to keep unsafe features, making it far harder for security to get the job done.

We are losing the information war - mostly because we are losing the hearts and minds of our own people. The will to fight is overwhelmed by the will of the users to have fun and do what they will with information technology. It's like kids in a candy shop, telling them that it will ruin their teeth and they will get fat is not an effective way to stop them from overeating.


I think I have visited a wide enough range of areas today, so I just want to close by reiterating that there is a shooting war on in the cyber-world, and for the most part, those with the power to do something about it don't care enough to act decisively. There's nobody to call for help other than one of those high priced consultants who is already helping others to the point where they can likely only sell you their assistant at a hefty fee. You are on your own!

About The Author:

Fred Cohen is a Principal Member of Technical Staff at Sandia National Laboratories and a Managing Director of Fred Cohen and Associates in Livermore California, an executive consulting and education group specializing information protection. He can be reached by sending email to fred at or visiting /