Managing Network Security

Breaking In - to test security?

by Fred Cohen



Series Introduction

Networks dominate today's computing landscape and commercial technical protection is lagging behind attack technology. As a result, protection program success depends more on prudent management decisions than on the selection of technical safeguards. Managing Network Security takes a management view of protection and seeks to reconcile the need for security with the limitations of technology.


Some Recent Incidents

Over the last several months, the media have described a number of interesting incidents in which people acting under the color of legitimacy break into computer systems, are arrested, and claim that what they did was just 'testing security'. Indeed, in some cases they have bragged about their efforts as a way to generate more business for their company, which is what led to their being arrested.

The two most publicized recent accounts involve the folks at ForensicTec, who claim to have done the U.S. government a favor by breaking into its computer systems, and the admissions administrator at Princeton who broke into a Yale admissions computer to look at student applicant records.

The ForensicTec folks apparently wanted to prove their skills, presumably in order to get a contract and launch themselves into the limelight. Perhaps they will indeed get a multi-year exclusive with the government, and of course they are in the limelight. The academics probably didn't want to be left behind, and they have certainly demonstrated that academia is no bastion of integrity, but then the Ivy League schools have produced quite a few lawyers and politicians, so whoever had any doubts before may now lay them to rest.

I want to make one really important note here. Neither of these cases has gone to trial or resulted in a conviction, and I certainly do not know the facts. So my statements about them should be taken not as indicating anything about the individuals, but rather as representing my views of the practices they are accused of using. To be as clear as I can: I believe it to be immoral, unethical, and unprofessional to do such things, and that by doing so, assuming they did, these individuals have smeared themselves and their institutions.


Doing me a favor?

To be clear, you are not doing your local grocery store a favor by breaking the front window at night and demonstrating that you can take something out of the store. If you pick up a rock to do it, it is likely not a big surprise when you tell them that you found the rock in the street. If you come in by picking the lock on the back door, even if you defeat the alarm first, you are just breaking and entering, not doing them a favor.

It is easy to be a burglar; many people try it, and many get caught. It takes no expertise in security to do it, and being able to throw a rock through a window is not related to the skills associated with securing stores against theft. Finding a rock on the street and applying it properly is not an indication of skill, and just because you show me that you can do it, this does not make it a good idea for me to replace all of my windows with bulletproof glass. The day after I replace the windows you will try a shaped charge which you purchased from your local underworld figure, and it will still work.

The same is true of network security. It is easy to try attack script after attack script, and against the millions of computers in the Federal government, you are virtually certain to find something that works somewhere. It takes no expertise in network protection to do it, and being able to run a script downloaded from the Internet against thousands of hosts is not related to the skills associated with protecting those systems against attackers. Just because you can find a script that breaks into my Windows doesn't make it a good idea to replace all my Windows with FreeBSD. The day after I change my operating systems, you will try a new FreeBSD break-in, perhaps purchased from your local computer crime group, and you may still get in.


Preaching to the Choir

I know that I am preaching to the choir here, but I thought I would start with my published site policy statement on 'Testing our Security':

Of course this should not have to be said. It is, at least, obvious, and certainly I do not have to tell people not to break the law in order to prosecute them for it. After all, ignorance of the law is no excuse. And yet, I figure it costs little enough to include this warning, just in case it helps someone who was thinking of doing it but wanted to see if it was fine with me first.

And what good does a policy statement do anyway? That's simple. It provides notice. It does not prevent crime or criminal activities, nor does building a bigger, stronger firewall. All it does is give those who might be teetering on the brink one more reason to teeter back toward the good side.


So What Should We Do?

I believe that a three-part process is appropriate for this sort of situation: (1) throw perpetrators in jail in a very public way, (2) use deceptions to make such simple 'break-ins' less meaningful, and (3) make prudent risk management decisions after such incidents.

Step 1: Throw them in jail and make it very public. This has several benefits. It stops them from doing it again for some time and clearly marks them as criminals. This has negative effects on them and their families, but generally beneficial effects in reducing the population of folks willing to try it next time. Another major benefit is that, if we do this on a widespread basis and uniformly as a society, it changes the social norms. It will also end the practice among commercial companies because of the high liability, and eliminate the irresponsible people who have been doing this all along to get business, replacing them with responsible people who know more about the issues but who do not break the law in doing their jobs.

Step 2: Use deceptions to counter the perception issues. There are many ways to use deceptions to counter such things. One way would be to provide easy-to-break-into systems on your network that contain false information. That gives you three things: you can tell it was not a real break-in; the information is unique, so it fingerprints the attacker as having broken in to get it; and you get to tell the public that the attackers were incompetent and that you were doing your job well, by revealing that a deception had caused the attacker to think they succeeded when they failed. Of course you can do this last element even if they did break into something important and get real information. The point is to make the attacker look like the fool in a very public way and also to protect your real assets by seeing them coming.
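The "unique information that fingerprints the attacker" part of Step 2 can be made concrete. The following is an added example, not code from the original column or from the author: each decoy host is seeded with fake records whose identifiers are derived with an HMAC from a defender-only key (the key, decoy names and record layout here are constructed for illustration), and a registry maps every planted identifier back to the decoy it lives on, so a public claim or leaked dump can be traced to a specific decoy rather than to a real system.

```python
import hmac
import hashlib
import re

# Defender-only secret; constructed placeholder value, replace in any real deployment.
DEPLOY_KEY = b"example-deployment-key-change-me"


def marker_for(decoy_id: str, record_no: int) -> str:
    """Deterministic, unguessable tag for one fake record on one decoy host."""
    msg = f"{decoy_id}:{record_no}".encode()
    return hmac.new(DEPLOY_KEY, msg, hashlib.sha256).hexdigest()[:16]


def build_decoy_records(decoy_id: str, count: int) -> list:
    """Fake 'applicant' rows to plant on one decoy. Every value is constructed."""
    return [
        {
            "applicant_id": f"APP-{marker_for(decoy_id, n)}",
            "name": f"Test Applicant {n}",
            "decision": "pending",
        }
        for n in range(count)
    ]


def build_registry(decoy_ids, count: int) -> dict:
    """Map every planted marker back to the decoy it was placed on."""
    return {marker_for(d, n): d for d in decoy_ids for n in range(count)}


# Identifier format used in the planted records; anything else is ignored.
MARKER_RE = re.compile(r"APP-([0-9a-f]{16})")


def attribute_leak(text: str, registry: dict) -> dict:
    """Return {decoy_id: [markers]} for every planted marker found in text.

    An empty result means the text carries no decoy data, so the claim
    cannot be explained away as a decoy hit and needs real investigation.
    """
    hits = {}
    for m in MARKER_RE.findall(text):
        if m in registry:
            hits.setdefault(registry[m], []).append(m)
    return hits
```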

Step 3: Make prudent risk management decisions. In my view, the prudent decision in this sort of circumstance is for all parties to settle quickly and for the perpetrators to be terminated for cause (i.e., criminal activity), arrested, tried, and so forth. If one of the parties will not go quickly into settlement, a civil suit may be required. For example...

In the case of the government as well as Yale, it would seem prudent to review their risk management decisions to assure that the attacks that did happen were within their expected loss manifolds. If not, mitigation should be undertaken and process changes made to assure that future risk analysis better handles these issues.

In both cases the perpetrators should have their rights well protected, including their rights to a speedy trial. If they are found not guilty, they should be treated as if they never did what they are currently accused of. If they are found guilty, unless it is later found that they were not, they should be appropriately punished by the legal system and they should not be placed in positions of such trust unless and until they have demonstrated that they are again worthy of such trust - the bar being raised somewhat because of historical data.

An additional note of caution: I am not a lawyer and I have no special information about these cases. I am using them as examples of my thoughts on these issues and do not in any way intend to imply that any of these parties is guilty or that I know one way or the other. These are only being used as examples and nothing more.


Conclusions

I have said it before and I will likely say it again. Breaking in is a poor way to test security, not because it fails, but because you learn so little from it. Breaking in and claiming it was just a way to test security should be treated as a criminal act.

The trend in society to make everything a show and to use hyperbole in order to market ideas seems to me to be closely related to the trend of breaking into systems to demonstrate skills. But of course the skills associated with breaking in are not those associated with defending systems. When people come to me and tell me that my computer systems are weak and that they can attack them successfully, I am offended. But I don't just ignore them. I have a standard bet that I offer. None have taken it up yet - at least not formally.

Here's the bet. You bet that you can break into my systems, and I bet I can have you thrown in jail. It's a simple matter of risk management. Given that they can lose the bet by going to jail, they uniformly back down. Do I learn about weaknesses in my computer systems this way? No. But I learn about them in other ways... but that is the subject for another article.


About The Author:

Fred Cohen is researching information protection as a Principal Member of Technical Staff at Sandia National Laboratories, helping clients meet their information protection needs as the Managing Director of Fred Cohen and Associates, and doing research and education as a Research Professor in the University of New Haven's Forensic Sciences Program. He can be reached by sending email to fred at all.net or visiting http://all.net/