From: Fred Cohen <fc@all.net>
To: iwar@onelist.com (Information Warfare Mailing List)
Date: Fri, 7 Sep 2001 09:48:27 -0700 (PDT)
Subject: [iwar] [fc:Intrusion-Detection-Limits]

Reality Intrudes on the Internet
Robert Mitchell, Computerworld, 9/6/2001
http://www.antionline.com/showthread.php?threadid=108372

Stephen Northcutt, who developed the U.S. Department of Defense's Shadow intrusion-detection system (IDS), is a director of the SANS Institute in Bethesda, Md., where he teaches classes about information security topics. He has also written several books about information security. Computerworld's Robert Mitchell caught up with him at a recent training conference in Ottawa. In that conversation, Northcutt raised alarms about the vulnerability of the Internet and the networks connected to it.

What limitations do you see in today's IDSs?

We just cannot handle the bandwidths that are available. Vendors claim to have good sensors, but they just don't pan out. Another fundamental limit that's killing us is cryptography. A lot of advanced hacker code is encrypted with tools like Bruce Schneier's Blowfish (www.counterpane.com/blowfish.html) algorithm. Not only can't we detect the encrypted information, we almost can't build IDSs that can detect that there is encrypted information. The next problem is the number of signatures. Depending on who you talk to, you might say there are 1,000 rules. But compare that to any antivirus tool. [It has] 40,000 rules. This is another indication of how much we're in our infancy. Another limitation is that IDSs are a single sensor in a huge world of events. There's no other way to describe Code Red other than an attack on all of the Internet, because when you have 300,000 compromised boxes scanning as many hosts as they can, everybody's Internet safety has been touched.

What does that mean for Internet security?

To put it bluntly, we're one major attack from losing the bubble. The original Code Red worm was not that big of a deal. But a slightly smarter attack code will be capable of doing significant harm, to the point where we could lose connectivity in parts of the Internet. It could be a day or two before we [recover], and that's a whole lot of downtime if you're Amazon.com.

How can the information security community respond to that?

What you have to have is constellations of sensors working together in order to get results that let you see that there's possibly a zero-day vulnerability or some massive growth in a known vulnerability. A zero-day vulnerability is one that exists but has not been announced yet. DShield (www.dshield.org) is one of a number of experimental techniques. The idea is to get everyone to run code on their system or firewall, and as they get attacked, report it to a central place that can monitor those attacks.

Should software vendors be held liable for security defects that result in attacks such as Code Red?

We have two possibilities. One is the operating system company. Microsoft is a good example, especially in the case of IIS [Internet Information Server], because it's inarguable that IIS is not engineered in such a way as to be secure, therefore it's a deficient piece of software. The other potential [group] to go after are the [Internet service providers]. ISPs could have done something [about Code Red]. They actually could have patched their boxes. Another thing they could have done with Code Red is blocked port 80.

What's the most common misconception you hear from security managers who take your classes?

They actually think you can make the vulnerabilities go away. The complexity of modern [operating systems] is so extreme that it precludes any possibility of not having vulnerabilities.

What needs to be done to correct these vulnerabilities?

Good coding allows you to prevent buffer overflows. That's just cheap coding - avoiding error checking - that makes these buffer overflows, [which are] one of the common techniques used to exploit systems, possible. The other thing is to identify the 10 vulnerabilities that are most commonly used to break into any given operating system. As these things become coded into rulers or yardsticks, if an operating system company releases a new version that doesn't fix the well-known vulnerabilities, they're acting below due diligence. And we need to hammer them for that.

Should companies be more aggressive in prosecuting attackers?

I think we'd better start right now, because the cost of hacking is nearly 100% free. It's a criminal act. If they succeed and do harm, then you've lost a lot of money, prestige, revenue. We need to educate prosecutors and law enforcement agents. But to make a difference, we need to start prosecuting as many cases as we can in civil court. You can win these cases.

Some IDS products claim to take steps to block an attack. How well do these tools work?

This is what we call active defense. You can set up shunning with IDSs. You can hook them to a firewall. Another very interesting technique is rate limiting. If you suddenly shun an attacker, then they know you've responded, but what if you just start responding slower and slower? Especially for keyboard-style attacks, it will drive [the attackers] absolutely crazy. What every sane person is trying to get to is intrusion protection. I need my IDS to scream bloody murder when my Web server gets attacked by something that I'm vulnerable to. And if the attacker succeeds, I want to be able to do rollback to my good pages as fast as possible. Today, [vendors] are starting to come out with commercial tools that do this.

How much effort should organizations put into security efforts before they reach diminishing returns?

In 2001, did the defensive security community gain ground or lose ground? I'd say the answer is pretty self-evident. If we lost ground, we shouldn't be thinking about diminishing returns, we should be thinking about survival. Until we come up with some leadership, until we come up with some programs like a DShield on steroids, until we can come up with active response and until we start busting some attackers, I don't see any hope of turning the corner.

(C) 2001 Computerworld. All Rights Reserved

------------------
http://all.net/
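The "constellation of sensors" idea Northcutt describes (many sites reporting firewall hits to one place so a surge against a port is visible even though no single sensor sees more than a trickle) can be shown in a few dozen lines. This is an added example, not code from the interview, Computerworld, SANS or DShield; the report format (reporter,timestamp,src_ip,dst_port), the sensor names, the addresses and the thresholds are all constructed for illustration, and the two windows of sample reports are made up.

```python
"""Correlate firewall reports from many independent sensors to spot an
Internet-wide surge against one port.  Added example in the spirit of the
DShield approach described above; not DShield's own code or format."""
from collections import defaultdict

# Constructed sample reports.  Hypothetical line format:
#   reporter,timestamp,src_ip,dst_port
BASELINE_WINDOW = """\
sensorA,2001-09-06T10:00:01,198.51.100.7,80
sensorB,2001-09-06T10:03:12,203.0.113.9,80
sensorA,2001-09-06T10:05:40,192.0.2.3,22
sensorC,2001-09-06T10:07:02,198.51.100.8,443
"""

CURRENT_WINDOW = """\
sensorA,2001-09-07T10:00:01,198.51.100.10,80
sensorA,2001-09-07T10:00:04,198.51.100.11,80
sensorB,2001-09-07T10:00:09,203.0.113.20,80
sensorB,2001-09-07T10:00:11,203.0.113.21,80
sensorC,2001-09-07T10:00:15,192.0.2.30,80
sensorC,2001-09-07T10:00:16,192.0.2.31,80
sensorD,2001-09-07T10:00:20,198.51.100.12,80
sensorD,2001-09-07T10:00:22,198.51.100.13,80
sensorE,2001-09-07T10:00:25,203.0.113.22,80
sensorF,2001-09-07T10:00:30,192.0.2.32,80
sensorF,2001-09-07T10:00:31,192.0.2.33,80
sensorA,2001-09-07T10:01:00,192.0.2.3,22
sensorA,2001-09-07T10:01:01,192.0.2.3,22
sensorA,2001-09-07T10:01:03,192.0.2.4,22
sensorA,2001-09-07T10:01:04,192.0.2.5,22
sensorA,2001-09-07T10:01:05,192.0.2.6,22
sensorA,2001-09-07T10:01:06,192.0.2.7,22
sensorA,2001-09-07T10:01:07,192.0.2.8,22
sensorA,2001-09-07T10:01:08,192.0.2.9,22
sensorA,2001-09-07T10:01:09,192.0.2.10,22
sensorA,2001-09-07T10:01:10,192.0.2.11,22
sensorB,2001-09-07T10:02:00,203.0.113.40,5555
sensorD,2001-09-07T10:02:01,198.51.100.40,5555
sensorE,2001-09-07T10:02:02,192.0.2.40,5555
sensorF,2001-09-07T10:02:03,203.0.113.41,5555
sensorF,2001-09-07T10:02:04,198.51.100.41,5555
sensorC,2001-09-07T10:02:10,198.51.100.8,443
"""


def parse_reports(text):
    """Parse reporter,timestamp,src_ip,dst_port lines; skip blank or malformed ones."""
    reports = []
    for line in text.splitlines():
        parts = line.strip().split(",")
        if len(parts) != 4:
            continue
        reporter, ts, src, port = parts
        try:
            reports.append((reporter, ts, src, int(port)))
        except ValueError:
            continue  # non-numeric port: drop the line rather than crash the feed
    return reports


def aggregate(reports):
    """Per destination port: distinct reporters, distinct source IPs, hit count."""
    agg = defaultdict(lambda: {"reporters": set(), "sources": set(), "hits": 0})
    for reporter, _ts, src, port in reports:
        agg[port]["reporters"].add(reporter)
        agg[port]["sources"].add(src)
        agg[port]["hits"] += 1
    return agg


def detect_surges(current, baseline, min_reporters=3, min_sources=5, growth=5.0):
    """Flag ports that several independent sensors see at once and whose
    distinct-source count is new, or has grown `growth`-fold over the baseline.
    A port hammered at a single sensor never qualifies, however loud: that is
    the 'single sensor in a huge world of events' problem."""
    flagged = {}
    for port, stats in current.items():
        n_rep, n_src = len(stats["reporters"]), len(stats["sources"])
        if n_rep < min_reporters or n_src < min_sources:
            continue
        base_src = len(baseline[port]["sources"]) if port in baseline else 0
        if base_src == 0:
            flagged[port] = f"new: {n_src} sources at {n_rep} reporters, none in baseline"
        elif n_src >= growth * base_src:
            flagged[port] = f"growth: {n_src} sources vs {base_src} in baseline, {n_rep} reporters"
    return flagged


def run():
    """Correlate the constructed current window against the constructed baseline."""
    return detect_surges(aggregate(parse_reports(CURRENT_WINDOW)),
                         aggregate(parse_reports(BASELINE_WINDOW)))


if __name__ == "__main__":
    for port, why in sorted(run().items()):
        print(f"port {port}: {why}")
```

Port 80 fires as a Code-Red-style growth case (eleven distinct sources at six sensors against two in the baseline), the never-before-seen port 5555 fires as the "possibly a zero-day" case, and port 22 stays quiet even though it took the most hits, because every one of them landed at sensorA: the central view, not the volume at any one site, is what distinguishes a worm from one noisy neighbour.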
This archive was generated by hypermail 2.1.2 : 2001-09-29 21:08:41 PDT