[iwar] [fc:Intrusion-Detection-Limits]

From: Fred Cohen (fc@all.net)
Date: 2001-09-07 09:48:27


Reality Intrudes on the Internet 
Robert Mitchell, Computerworld, 9/6/2001
http://www.antionline.com/showthread.php?threadid=108372

Stephen Northcutt, who developed the U.S. Department of Defense's Shadow
intrusion-detection system (IDS), is a director of the SANS Institute in
Bethesda, Md., where he teaches classes about information security
topics. He has also written several books about information security.
Computerworld's Robert Mitchell caught up with him at a recent training
conference in Ottawa. In that conversation, Northcutt raised alarms
about the vulnerability of the Internet and the networks connected to
it. 

What limitations do you see in today's IDSs?
We just cannot handle the bandwidths that are available. Vendors claim
to have good sensors, but they just don't pan out.
Another fundamental limit that's killing us is cryptography. A lot of
advanced hacker code is encrypted with tools like Bruce Schneier's
Blowfish (www.counterpane.com/blowfish.html) algorithm. Not only can't
we detect the encrypted information, we almost can't build IDSs that can
detect that there is encrypted information. 
The next problem is the number of signatures. Depending on who you talk
to, you might say there are 1,000 rules. But compare that to any
antivirus tool. [It has] 40,000 rules. This is another indication of how
much we're in our infancy. 
Another limitation is that IDSs are a single sensor in a huge world of
events. There's no other way to describe Code Red other than an attack
on all of the Internet, because when you have 300,000 compromised boxes
scanning as many hosts as they can, everybody's Internet safety has been
touched. 
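Northcutt's remark that an IDS can barely tell that a payload is encrypted can be approximated with a byte-entropy heuristic. The following is an added example, not code from the article or from any product it mentions: it flags payloads whose bytes look uniformly distributed and mostly non-printable. The sample payloads are constructed, and the thresholds are assumptions to tune per environment.

```python
import math
import random
from collections import Counter

def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: roughly 4-5 for English or HTTP text, close to 8 for cipher output."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())

def printable_ratio(data: bytes) -> float:
    """Fraction of bytes that are printable ASCII or ordinary whitespace."""
    if not data:
        return 0.0
    return sum(1 for b in data if 32 <= b < 127 or b in (9, 10, 13)) / len(data)

def looks_encrypted(payload: bytes, min_len: int = 64,
                    entropy_min: float = 7.2, printable_max: float = 0.6) -> bool:
    """Heuristic: a long, near-uniform, mostly non-printable payload is treated as opaque.
    Thresholds are assumptions. Compressed or binary formats (gzip, images) score the
    same way, so this detects 'opaque', not 'encrypted' with certainty."""
    if len(payload) < min_len:          # too short for byte statistics to mean anything
        return False
    return (shannon_entropy(payload) >= entropy_min
            and printable_ratio(payload) <= printable_max)

# Constructed samples: a plaintext HTTP request, and 1024 pseudo-random bytes standing
# in for cipher output (a seeded PRNG keeps the example deterministic).
PLAINTEXT_REQUEST = (b"GET /index.html HTTP/1.0\r\nHost: www.example.com\r\n"
                     b"User-Agent: constructed-sample/1.0\r\nAccept: text/html\r\n\r\n")
_rng = random.Random(2001)
OPAQUE_PAYLOAD = bytes(_rng.getrandbits(8) for _ in range(1024))

def classify(payloads: dict) -> dict:
    """Return {label: verdict} for a dict of labelled payloads."""
    return {label: looks_encrypted(p) for label, p in payloads.items()}

if __name__ == "__main__":
    for label, p in {"http": PLAINTEXT_REQUEST, "opaque": OPAQUE_PAYLOAD}.items():
        print(f"{label:8s} entropy={shannon_entropy(p):.2f} "
              f"printable={printable_ratio(p):.2f} flagged={looks_encrypted(p)}")
```

A high-entropy verdict is a prompt to look at the flow's context (port, peer, volume), not proof of encryption, since legitimately compressed content scores the same.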

What does that mean for Internet security?
To put it bluntly, we're one major attack from losing the bubble. The
original Code Red worm was not that big of a deal. But a slightly
smarter attack code will be capable of doing significant harm, to the
point where we could lose connectivity in parts of the Internet. It
could be a day or two before we [recover], and that's a whole lot of
downtime if you're Amazon.com.

How can the information security community respond to that?
What you have to have is constellations of sensors working together in
order to get results that let you see that there's possibly a zero-day
vulnerability or some massive growth in a known vulnerability. A
zero-day vulnerability is one that exists but has not been announced
yet.
DShield (www.dshield.org) is one of a number of experimental techniques.
The idea is to get everyone to run code on their system or firewall, and
as they get attacked, report it to a central place that can monitor
those attacks. 
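The "constellation of sensors" idea behind DShield can be sketched with a small aggregator. This is an added example, not DShield's code: it takes constructed per-sensor firewall reports, counts distinct source addresses per destination port per hour across all sensors, and flags a port whose latest hour is far above its own recent baseline. The report format, field names and thresholds are assumptions.

```python
from collections import defaultdict
from statistics import median

def parse_report(line: str):
    """Parse one constructed sensor report 'sensor=<id> ts=<epoch> src=<ip> dport=<port>'
    (an assumed format for this example, not DShield's)."""
    fields = dict(kv.split("=", 1) for kv in line.split())
    return fields["sensor"], int(fields["ts"]), fields["src"], int(fields["dport"])

def distinct_sources_per_bucket(reports, bucket_seconds: int = 3600):
    """Map dport -> {bucket_index: number of distinct source IPs seen by any sensor}."""
    seen = defaultdict(lambda: defaultdict(set))
    for _sensor, ts, src, dport in reports:
        seen[dport][ts // bucket_seconds].add(src)
    return {port: {b: len(srcs) for b, srcs in buckets.items()}
            for port, buckets in seen.items()}

def detect_surges(counts, factor: float = 5.0, min_history: int = 3):
    """Flag ports whose latest bucket exceeds `factor` times the median of earlier buckets.
    Returns {dport: (baseline, current)}. A median baseline resists one noisy hour."""
    alerts = {}
    for port, per_bucket in counts.items():
        ordered = [per_bucket[b] for b in sorted(per_bucket)]
        if len(ordered) < min_history + 1:
            continue                      # not enough history to judge growth
        baseline, current = median(ordered[:-1]), ordered[-1]
        if current > factor * max(baseline, 1):
            alerts[port] = (baseline, current)
    return alerts

def build_sample_reports():
    """Constructed data: three sensors, a steady trickle on port 22, and a port 80
    surge in the fourth hour (many new sources, the signature of a spreading worm)."""
    lines, base = [], 999_800_000       # constructed epoch in September 2001
    for hour in range(4):
        ts = base + hour * 3600 + 60
        for i in range(3):
            lines.append(f"sensor=s{i} ts={ts} src=198.51.100.{i + 1} dport=22")
        n = 40 if hour == 3 else 2 + hour % 2
        for i in range(n):
            lines.append(f"sensor=s{i % 3} ts={ts + i} src=203.0.113.{i + 1} dport=80")
    return lines

def analyse(lines):
    """Parse, aggregate and evaluate a batch of report lines."""
    return detect_surges(distinct_sources_per_bucket(parse_report(l) for l in lines))

if __name__ == "__main__":
    for port, (baseline, current) in analyse(build_sample_reports()).items():
        print(f"dport {port}: {current} distinct sources this hour vs baseline {baseline}")
```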

Should software vendors be held liable for security defects that result
in attacks such as Code Red?
We have two possibilities. One is the operating system company.
Microsoft is a good example, especially in the case of IIS [Internet
Information Server], because it's inarguable that IIS is not engineered
in such a way as to be secure, therefore it's a deficient piece of
software. The other potential [group] to go after are the [Internet
service providers]. ISPs could have done something [about Code Red].
They actually could have patched their boxes. Another thing they could
have done with Code Red is blocked port 80.

What's the most common misconception you hear from security managers who
take your classes?
They actually think you can make the vulnerabilities go away. The
complexity of modern [operating systems] is so extreme that it precludes
any possibility of not having vulnerabilities.

What needs to be done to correct these vulnerabilities?
Good coding allows you to prevent buffer overflows. That's just cheap
coding - avoiding error checking - that makes these buffer overflows,
[which are] one of the common techniques used to exploit systems,
possible.
The other thing is to identify the 10 vulnerabilities that are most
commonly used to break into any given operating system. As these things
become coded into rulers or yardsticks, if an operating system company
releases a new version that doesn't fix the well-known vulnerabilities,
they're acting below due diligence. And we need to hammer them for that. 

Should companies be more aggressive in prosecuting attackers?
I think we'd better start right now, because the cost of hacking is
nearly 100% free. It's a criminal act. If they succeed and do harm, then
you've lost a lot of money, prestige, revenue.
We need to educate prosecutors and law enforcement agents. But to make a
difference, we need to start prosecuting as many cases as we can in
civil court. You can win these cases. 

Some IDS products claim to take steps to block an attack. How well do
these tools work?
This is what we call active defense. You can set up shunning with IDSs.
You can hook them to a firewall.
Another very interesting technique is rate limiting. If you suddenly
shun an attacker, then they know you've responded, but what if you just
start responding slower and slower? Especially for keyboard-style
attacks, it will drive [the attackers] absolutely crazy. What every sane
person is trying to get to is intrusion protection. I need my IDS to
scream bloody murder when my Web server gets attacked by something that
I'm vulnerable to. And if the attacker succeeds, I want to be able to do
rollback to my good pages as fast as possible. Today, [vendors] are
starting to come out with commercial tools that do this. 
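Northcutt's "respond slower and slower" idea can be expressed as an escalating per-source policy. This added example, not code from any IDS product, walks a constructed stream of IDS alerts and returns, per alert, either a growing delay to impose on that source or a shun decision to hand to the firewall once the source keeps coming back; the timings, thresholds and alert line format are assumptions.

```python
from dataclasses import dataclass

@dataclass
class SourceState:
    strikes: int = 0        # alerts seen inside the current quiet window
    last_seen: float = 0.0  # timestamp of the most recent alert

class AdaptiveResponder:
    """Escalating response: each alert from a source doubles the delay imposed on it
    (capped at max_delay); a source quiet for quiet_window seconds starts over, and
    one that reaches shun_after strikes is handed to the firewall to block."""

    def __init__(self, base_delay=0.5, max_delay=30.0, quiet_window=300.0, shun_after=8):
        self.base_delay, self.max_delay = base_delay, max_delay
        self.quiet_window, self.shun_after = quiet_window, shun_after
        self.state = {}                          # src -> SourceState

    def on_alert(self, src: str, ts: float):
        st = self.state.setdefault(src, SourceState())
        if ts - st.last_seen > self.quiet_window:
            st.strikes = 0                       # decay: forget stale behaviour
        st.strikes += 1
        st.last_seen = ts
        if st.strikes >= self.shun_after:
            return ("shun", src, None)
        delay = min(self.base_delay * 2 ** (st.strikes - 1), self.max_delay)
        return ("delay", src, delay)

def parse_alert(line: str):
    """Parse a constructed alert line 'ts=<epoch> src=<ip> sig=<name>' (assumed format)."""
    fields = dict(kv.split("=", 1) for kv in line.split())
    return float(fields["ts"]), fields["src"], fields["sig"]

def run(lines, responder=None):
    """Return the list of (action, src, delay) decisions for an alert stream."""
    responder = responder or AdaptiveResponder()
    return [responder.on_alert(src, ts) for ts, src, _sig in map(parse_alert, lines)]

# Constructed alert stream: one source probing a web server every ten seconds, and a
# second that trips one alert, stays quiet for more than five minutes, then returns.
SAMPLE_ALERTS = (
    [f"ts={1000 + 10 * i} src=203.0.113.9 sig=WEB-PROBE" for i in range(9)]
    + ["ts=1000 src=198.51.100.4 sig=WEB-PROBE", "ts=1700 src=198.51.100.4 sig=WEB-PROBE"]
)

if __name__ == "__main__":
    for decision in run(SAMPLE_ALERTS):
        print(decision)
```

Shunning by source address needs care in production: a spoofed or shared address (a NAT gateway, a proxy) means an attacker can get legitimate users blocked, which is one reason the slow-down response is attractive.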

How much effort should organizations put into security efforts before
they reach diminishing returns?
In 2001, did the defensive security community gain ground or lose
ground? I'd say the answer is pretty self-evident. If we lost ground, we
shouldn't be thinking about diminishing returns, we should be thinking
about survival.
Until we come up with some leadership, until we come up with some
programs like a DShield on steroids, until we can come up with active
response and until we start busting some attackers, I don't see any hope
of turning the corner.

(C) 2001 Computerworld. All Rights Reserved


------------------
http://all.net/ 




This archive was generated by hypermail 2.1.2 : 2001-09-29 21:08:41 PDT