Managing Network Security

To Prosecute or Not to Prosecute

by Fred Cohen



Series Introduction

Networks dominate today's computing landscape and commercial technical protection is lagging behind attack technology. As a result, protection program success depends more on prudent management decisions than on the selection of technical safeguards. Managing Network Security takes a management view of protection and seeks to reconcile the need for security with the limitations of technology.


If you work long enough you will have to face up to it

Eventually, all the efforts you put into information protection will pay off and you will catch someone breaking the law - big time. I'm not talking about defacing web sites, using the company computers to enhance your pornography collection, or taking home a disk from a 3-year-old computer that is getting an upgrade - I'm talking about grand theft using a computer to do it, ripping off hundreds of thousands of dollars in funds transfers for phony hardware or software, taking a hundred million in a millisecond, using the company computers to start your new business, trading stocks all day instead of doing your job, or tapping into the management's phones to make your way up the corporate ladder.

You don't really see the big crimes in the press as far as I can tell, and the reason I know this is because I have personally encountered all of these examples in my work with clients. I have seen lots of cases of web site defacements making the media and I hear lots of folks talk about how they are going to prosecute if they catch anyone doing it. I have seen people fired for pornography at work too - mostly low-level employees who don't have the internal political clout to be above the rules. But you should know that I have never - not even once - encountered a really big case where a company had the guts to take on a public prosecution of a big crook.

Now we have all seen these in the papers, and we all know they happen. My personal experience may be very skewed, perhaps because people only call me in cases that are complicated or stranger than fiction. But judging from my experience, if you read about 100 people prosecuted in a year, there must be at least ten thousand who were caught dead to rights and never even identified to the police. The next time you see a one-time write-off for changes in accounting practices or a strange change in the bottom line - or an unexpected loss in third quarter earnings, you might have just seen the public face of a crime that the company was unwilling to report.


Why is this?

Anybody who is in the game already knows that the reason this happens is that top level decision makers are very shy when it comes to negative publicity - and they see weakness as just that. It has to do with the fact that business - public company stock price type business - is a confidence game. That is, it is based on the confidence that the members of the stock buying public, and perhaps more importantly, the big organizational investors, have in the company. The perception of negatives causes the share price to go negative and that costs the top level decision makers gobs of bucks. When I say gobs, you might consider the impact of the findings in the Microsoft antitrust case on Bill Gates' stock value. I think he lost tens of billions of dollars in a day or two.

So if Bill stands to lose a few billion every time someone hears about an insider at Microsoft planting a Trojan horse in his software, what should he do? If he prosecutes the employee, he loses gobs of money, but if he finds a way to slide through it unnoticed, or even to turn it into a positive, he makes big bucks. He can move the employee out in some other way - perhaps selling off a little side business the employee has been moved into, or giving him a raise and moving him to Gnome Alaska for his new leadership role. So let's say he makes a game out of it. They'll call them 'Easter eggs' instead of Trojan horses, and make a game out of finding them. If the media buys into it, he's free and clear - and since he indirectly controls a lot of the computer media (they don't call it a monopoly for nothing you know), it's a good bet his PR campaign will win the day.

But we are not all Bill Gates, even though the lion's share of top decision makers might secretly wish they were. And I'll tell you what. If Bill would have a nice public prosecution of one of his Trojan Horse writers, I would buy into his company. But that, of course, means that his company would lose lots and lots of money in share value - because the sure sign of a market collapse is when I start investing in you. I have thought of selling the list of companies I invest in to big money managers (for cash) to help them keep their portfolios safe from this scourge, but I think they already watch my moves and that's why it always goes down when I invest.


So You're Not Bill Gates

Business executives have a fiduciary duty to act in the best interest of their shareholders. The question is, what is that best interest? On one hand you have loss of confidence and on the other hand you have the reputation for being easily defeated. From a different perspective, you have public policy and the good of the society. Unfortunately, business people tend to discount the third point in many situations, and while I don't personally agree with this, I do understand that when it comes to the greater good, the good of the organization is often seen as dominant.

Loss of confidence is a pretty easy thing to understand. When an organization shows that it is weak or imperfect, people may not trust it as much as they otherwise might. Even worse, being seen as incompetent would tend to make investors very nervous. But the big problem with this is that we are all people and we all have our limitations and failings. One of the big failings of just about everyone at one time or another is excessive pride. When you are not willing to admit mistakes, sometimes you get away with it, but sometimes it looks worse and worse as you admit less and less. You get cornered, and then when things become public - if they ever do - you look far far worse.

On the other hand, the benefit of a public prosecution or law suit should not be minimized. There are several audiences for this. Of course there is the audience of criminals who realize that you may not be the best place to attack next time. Then there is the audience of your peers who may see you as stronger because you can come out looking like a hero by catching a bad actor. The key to this strategy is to focus on the criminality of it. You were not weak, they were criminals. It wasn't some genius attacking you, it was a common street thug who did something stupid, got caught, and is now being punished.


Where is the balance?

From my perspective, everyone you catch and throw in jail is one less perpetrator to deal with next time. In fact, because there are a finite number of these perpetrators out there, as we catch them, we are all made safer. At least that's the theory. On the other side, we have the theory that if you really get the bad guys upset, they may decide to really come after you, and then you may be put out of business.

The problems with living in fear are complicated, but basically, if they have you afraid to the point where you can't fight back, you have already lost. I understand very well what it is like to be the target of cyber attacks because I have been targeted for many years. While some of these attacks are marginally successful, I have always found that I am still here the next day and the attackers are defeatable. It is unlikely that your organization will be attacked as much as I am, and at the same time, you almost certainly have far more resources than I do to respond to attacks. I am still here, and you will be too.

Part of the information protection game - a very big part - is how you respond to the perception issues.


Last night...

At about 8PM last night I detected an attack against my infrastructure (and perhaps yours as well). It was a pretty interesting one, so I thought I would share it with you. It seems someone was sniffing IP traffic between one of my sites and the all.net web site. They were using this mechanism to inject content into the IP packet stream. The content they were injecting was in the form of URLs pointing to an escort service in New York. It was an interesting attack in that it only worked for web-based 'GET's of 12K or more (give or take). As a result, when people did web surfing, their traffic was screwed up.

Now this attack was, in some senses, very sophisticated, and in other senses, very lame. The sophisticated part probably came from an off-the-Internet tool that the attacker copied onto their computer and used. The really lame part involved the random insertion of HTML code into large IP streams. The reason this is really lame is that there was no attempt to look at the stream and figure out a clever place to inject the traffic, so the odds of the insertion having any real effect other than denying service to large files for a while were very low. In fact, these insertions were largely placed in the middle of GIF images - causing the picture to fail to fully download, but no other harm. If I weren't sniffing the traffic stream to detect the anomaly, I would not have been able to even detect that these packets were pointing toward this service. As a result, no real users were directed to the service, but many users were probably inconvenienced.

Tracking this down involved going to several points in the infrastructure over various covert (to the attacker) channels and detecting the presence or absence of the behavior, then correlating the routes from each place to the other. It was rapidly determined to be coming from within a particular ISP, they were notified, and within an hour or so, traffic was back to normal. I am not a big traffic site, of course, but on the other hand, the hour of slightly disrupted service was not a great pain to me. It did cause my son to have to go to bed and finish his Internet-based homework in the morning.
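The insertions into GIF images described above can be caught by checking each captured image body, as this added example shows (it is not code from the article): it walks the GIF block structure and reports where the structure breaks and any URL text found in the body. The function names, the sample image and the `ads.example` URL are constructed for illustration, and the body is assumed to have already been reassembled from the sniffed stream.

```python
import re

# Printable-ASCII URLs; quotes and angle brackets end the match.
URL_RE = re.compile(rb"https?://[^\x00-\x20\x7f-\xff\"'<>]+")

def _color_table_len(packed):
    # Bit 7 = table present; low 3 bits n give 2**(n+1) RGB entries.
    return 3 * (2 << (packed & 7)) if packed & 0x80 else 0

def _skip_sub_blocks(data, pos):
    # Data is a chain of <size><size bytes>, ended by a zero size byte.
    while True:
        size = data[pos]          # IndexError if the chain runs off the end
        pos += 1 + size
        if size == 0:
            return pos

def check_gif(data):
    """Return (structure_ok, problem, urls) for one reassembled GIF body."""
    urls = [(m.start(), m.group().decode("ascii")) for m in URL_RE.finditer(data)]
    try:
        if data[:6] not in (b"GIF87a", b"GIF89a"):
            return False, "bad signature", urls
        pos = 13 + _color_table_len(data[10])   # header + screen descriptor
        while True:
            kind = data[pos]
            if kind == 0x3B:                    # trailer: structure is intact
                return True, None, urls
            if kind == 0x21:                    # extension: label, sub-blocks
                pos = _skip_sub_blocks(data, pos + 2)
            elif kind == 0x2C:                  # image descriptor
                pos += 10 + _color_table_len(data[pos + 9])
                pos = _skip_sub_blocks(data, pos + 1)   # skip LZW code size
            else:
                return False, f"unexpected block 0x{kind:02x} at offset {pos}", urls
    except IndexError:
        return False, "body ends before GIF trailer", urls

# Constructed sample: 1x1 GIF with four 8-byte data sub-blocks (not real LZW).
CLEAN = (b"GIF89a" + b"\x01\x00\x01\x00\x80\x00\x00" + b"\x00\x00\x00\xff\xff\xff"
         + b"\x2c" + b"\x00\x00\x00\x00\x01\x00\x01\x00\x00" + b"\x02"
         + (b"\x08" + b"\x11" * 8) * 4 + b"\x00" + b"\x3b")
# Constructed tampering: markup spliced into the middle of the image data.
INJECTED = b'<a href="http://ads.example/">x</a>'
TAMPERED = CLEAN[:44] + INJECTED + CLEAN[44:]

if __name__ == "__main__":
    for name, body in (("clean", CLEAN), ("tampered", TAMPERED)):
        print(name, check_gif(body))
```

A spliced-in run of bytes can occasionally leave the block chain walkable by coincidence, so the URL scan is reported independently of the structural result.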


Huh?

This is a true story, and you might ask why it is that I told you it at this point in this article. That's easy. It's about perception management. I could have described this as a horrible attack that nearly caused the collapse of the global economy. I could have induced fear in your minds - perhaps to sell you consulting services or a new and improved virtual private network capability. But I am not selling fear, only reality. It's true - someone attacked my IP stream and had marginal success at inconveniencing my son for a few hours. They may have even inconvenienced some of my customers and clients, but I did not suffer greatly from it and my business is still here. By putting it this way, I make it clear that the attackers are malicious and somewhat inept people who deserve to be punished. They are not some brilliant wizards who will somehow save the world for the nice people if only given the freedom to express themselves at my expense. They are criminals who ply their trade to take from people who work for a living and line their own pockets. If they were smart or good people, they would not waste their time in this activity, but rather find something useful to do with their lives.

I would most certainly prosecute such folks if the impact was substantial and I had access to the details of who they were. I might be lenient if I thought they were basically good people who made a mistake, mostly because the harm they did was not of enough consequence to warrant a prosecution. I most certainly would not fear prosecuting them, and I would not hesitate to do so on the basis of reputation or being attacked by their friends. In fact, I would welcome the opportunity to reunite them with their friends who might choose to support them by attacking my sites - in prison.

The fact is, I try to be a fair and reasonable person, but I do not like to be maliciously attacked, and I am not afraid to fight back. If you steal from me, I will try to start a law suit or other legal action against you. If you work for me and do such a thing, I will collect the evidence, fire you, and try hard to have you prosecuted criminally while taking away all your assets as restitution. It may sound like beating my chest or some such thing, and in a way, that's exactly what it is. The perception of weakness is the best way to assure that you are taken advantage of.


Conclusions

In my mind, it is a simple matter of policy. If I can be easily taken advantage of with no negative consequence to the attackers, I have already lost and they have already won. If I show my willingness to prosecute by doing so when the occasion comes along, people will think twice before attacking me. If I do it alone, I have a marginal effect on the world, but I certainly drive the attackers elsewhere. If all business people did it, the cyber crime against businesses would be largely ended and the newspapers would begin to portray the growing cyber component of our prison population in terms of how people with such promise and seeming intellect could have been so dumb.

I understand that prosecutions cost money and, perhaps more importantly, direct your focus away from the things that make your business successful. They tend to generate a degree of uneasiness in employees as well. In some cases you will see a large increase in the number of reported incidents. Are they real or imagined? The only way to really tell is to investigate them. And that goes to the core of how to handle the issue, at least in my mind.

The solution to prosecuting attacks is pretty easy. Hunt them down and send them to jail whenever (1) it is feasible to find them and build a case against them, and (2) the damage is high enough to warrant the effort. The issue of focus is easily addressed by having outside expert contractors do the work for you. I know a very good private investigative firm that can get the job done. The issue of cost of prosecution goes to the question of how much it will cost to have it happen to you again and again. I think that every good prosecution is worth something like 10 times what was taken from you. If you figure you lost $100,000 in the incident, not prosecuting will probably cost you a million dollars in the long run. I guess this means that spending a few hundred thousand hunting them down (and using civil prosecution to recover most of that) is a good deal.


About The Author:

Fred Cohen is thinking inside a bigger box as a Principal Member of Technical Staff at Sandia National Laboratories, helping clients meet their information protection needs at Fred Cohen and Associates, and educating defenders over-the-Internet on all aspects of information protection at the University of New Haven. He can be reached by sending email to fred at all.net or visiting http://all.net/