Security expert Eugene Spafford recommends network diversity.
Eugene Spafford, one of the nation's leading experts on information security, is director of the Center for Education and Research in Information Assurance and Security at Purdue University. Network World Senior Editor Carolyn Duffy Marsan recently sat down with Spafford at his West Lafayette, Ind., office to talk about the latest security threats and what network executives can do to mitigate them. Here are excerpts from their conversation:
What do you see as the top three information security threats that are most likely to hit U.S.-based multinationals?
One of the biggest threats we have right now is deployment of resources intended either to save on cost or enhance features without thinking through the consequences. VoIP and wireless fall in this category. They have failure modes that are very different than what they are replacing and are not well understood. Perceived cost advantages are driving these technologies, but that is overcoming the caution that should be in place. That's a threat not in the sense of a particular attack, but it is a systemic problem that leads to weakness in security posture and therefore may lead to attacks.
A second threat is a softening, if not disappearing, of the network perimeter. For a long time, we were able to get some semblance of securing the enterprise by establishing firewalls and [demilitarized zones] and maintaining the somewhat guarded perimeter. Now with BlackBerries, PDAs, wireless, executives traveling and using the Internet in hotel rooms, and people with access from home systems, the perimeter is an illusion. But security policies and technologies have not kept up with that change. A big vulnerability in many environments is that you still have policies and people viewing the enterprise as protected with a firewall, and that's simply not the case.
A third threat is an overreliance on a small set of suppliers. We have too many enterprises that have everything running on the same hardware, the same operating system, the same database, the same network routers. Even their security systems are from one vendor. I don't mean to pick on a particular segment of the market or a particular vendor, but we see this homogeneity up and down the stack. The difficulty this brings is that the whole organization can fall with a weakness or failure of one platform type. That's very bad from an operational security point of view. This trend is driven by cost and convenience, but people simply aren't thinking about the potential cost of dealing with a disaster. Not having diversity in place applies to everything from viruses to break-ins to denial of service to potentially even bad bugs and vendor failure.
What steps should IT executives take to minimize these threats?
With any new technology, there should be a thorough understanding of the risks and the trade-offs. Some network systems are more fragile in the case of a fire or water main break than a similar twisted-pair telephone network. Those kinds of things need to be understood as risks before someone deploys the technology. That simply isn't being done in many environments. IT executives have to understand the risks extend outward beyond their enterprises when they're talking about these things, because they are infrastructure issues.
Regarding the disappearance of the network perimeter, they have to change their mind-sets to protecting the individual hosts or to building well-defined enclaves. The whole enterprise is no longer an island; it's an archipelago of islands that need to be protected individually, even down to the single-machine level. This means that you have to treat all of those machines as outside your perimeter for purposes not only of protecting them but of protecting your other machines from them. So when somebody comes back in with a laptop after they've been off-site, you can't trust it simply because it's a company-issued laptop unless you have applied specific control measures. This mode of thinking has to go down to the individuals who are using the systems.
For the homogeneity threat, even though it is contrary to some cost-containment measures and may increase the need for training or personnel, there should be some level of diversity in every infrastructure that's considered critical. This includes servers and routers and other appliances. This helps ensure that some of your infrastructure will be maintained so that you can send and receive e-mail and surf the Web even if one of your common configurations is completely blown away by some kind of attack or some kind of bug. It also limits internal damage if something gets into your systems. It can't sweep through everything. Also, the fact that you have a trained employee on different kinds of architectures means that you're more nimble to take advantage of advancements because you are not locked into a particular solution. There's a business advantage in the longer term to having some diversity in place.
What's the worst-case scenario for a U.S. multinational company?
I'm not sure I can actually say what's the worst case from an information security point of view. But something that would be bad would be an unobserved, automated attack that gets into the enterprise and because of a lack of internal controls or because of network homogeneity sweeps through the enterprise. The attack might slowly corrupt the data on a lot of machines so it isn't observed right away and you can't depend on yesterday's backups to help. Or it might do a massive ex-filtration of data such as company proprietary information, budgetary information, or it violates privacy issues. Or the attack coordinates some kind of massive or spam attack against a government or a major industry partner and causes them significant economic damage that they are forced to try to recover. All of those things would be very bad and could occur altogether. The only solution is to get a patch and shut down everything in the company and bring it back online. For most organizations, this scenario would be catastrophic in terms of the extent of the damage. If you add to the fact that the systems may have corrupted data, disclosed data or brought harm to an external entity that is going to want some kind of recompense, this would be a pretty grim scenario.
Are there any steps that an IT executive can take to prevent this type of catastrophe?
With network diversity, they won't have to reboot the entire enterprise. In fact, if they have diversity and appropriate alarms in place, they may detect the attack sooner. For example, if there's a computer worm that attacks Linux systems and you are monitoring with a Microsoft system, you may detect the worm far sooner than if everything is on a Linux system. Anytime you can detect an attack faster or respond more quickly, it is going to help. Planning can help. Even if only 25% or 20% of machines fall victim, how do you detect them? How do you get the patches in place? How do you do restores and reboots while maintaining any type of continuity? That type of planning is very helpful.
What's the bigger threat: insiders or outsiders?
That depends on the business and what's of value on the systems. Insiders already have access and know what would hurt the most. Disgruntled employees can cause a lot of hurt or they can steal a lot. Employees also can be the ones who carelessly change settings that allow outsiders in. In that sense, insiders are the biggest complication. Insiders may not be the biggest source of threats, but they can cause the most potential damage.
The threat from the outside is growing. More criminal activity is occurring on the network, and we don't have a corresponding increase in law enforcement to keep up with it. We're seeing more politically motivated activity. Some of it is vandalism, but quite a bit of it is economically motivated industrial espionage. Online clothing retailers are unlikely targets for that, but a big aerospace company or pharmaceutical company is. Everybody has to worry about the insider threat. The outsider threat is different for different companies.
What's the worst security incident you've witnessed in the course of your career?
It was an insider attack. It was a criminal matter. I'm not sure whether it was prompted by anger or greed. But it involved an employee making off with a copy of very valuable proprietary information for the industry and taking it to the competition. The company's own copies of the information were badly damaged so they couldn't be completely replaced. The incident leaked within the small circle of that industry, so there was damage to business relationships. It was a technical person that did the damage. This was many years ago. The company went through some hard times.
How has the situation with network security changed during the last 10 years from the point of view of the chief security officer developing policy and working with the CIO?
One of the major changes is increased speed. More can come into your network or go out in a shorter amount of time, and therefore you have less time to react. A second change is the scope within an enterprise where the network reaches. Ten years ago, we didn't have anywhere near the number of desktop systems, wireless was not a concern, and VoIP was not considered. Now we have all kinds of devices that we have to worry about. Third, the motivations of those who would attack our systems have moved from exploration and bravado pretty firmly into the realm of criminal activity. Finally, 10 years ago we were seeing targeted attacks such as getting into accounts or getting into machines. Now we're seeing more broadly based denial of service, spam, botnet, adware and spyware kinds of attacks that don't so much focus on gaining access as they do on affecting wide-scale capacity.
What grade would you give to U.S. multinationals in terms of information security?
Most of the big multinationals are probably at least in the B range. Aerospace, banks, pharmaceuticals, tend to be good, as are some online merchants. I'm told that the Internet gambling sites are incredibly good because their whole livelihood has to be protected. Government agencies in the United States are not particularly good. Universities, charities and state governments are all pretty bad.
What is the next big threat that worries you the most and why?
A threat that is not so much technology as it is governance is the trend toward preferential treatment for commercial traffic. Big ISPs and companies are installing spam filters that block traffic from other countries, companies, ISPs or domains. It's effectively a breakdown of the end-to-end model. You cannot depend on your e-mail going through. You've got some countries setting up their own domain roots. We're losing the underlying commonality that the Internet grew on. We're having a Tower of Babel moment of sorts. It's ironic that one of the reasons the Internet succeeded is its lack of centralized control. But that may destroy the other thing that made the Internet very attractive, which is its ubiquitous, common access. How that's going to play out I don't know. It's not a technology issue, but it impacts the technology in a major way.
What aspects of the Internet infrastructure are most vulnerable to attack?
The most vulnerable aspect of the Internet is the assumptions under which it has been operating. That it's going to remain open and equal. That names will always resolve, and routes will be chosen because they are short hops. It's not very far away - particularly if we move to IPv6 - that there will be routes that will be blocked and routing tables that will be different based on your IP, country of origin or what you paid. The dynamic is going to change very dramatically if that happens, and we are headed down that path because people can't agree as to what the network should be and have not responded appropriately to the abuse.
Should the NSA be allowed to eavesdrop domestically without a warrant?
This is an issue for Congress and the courts to decide. Should the NSA be able to listen to conversations? No. But listen in the sense of gathering information that relates to making connections? Maybe. My experience with people at NSA is that they are much more concerned with the rights of citizens than the average person on the street. They take it very seriously. I don't view this sort of listening as evil, but there are limits that should be imposed.
How bad is the situation with (which provide administrator-level access to networks)?
Not as bad as it's going to get. These attacks are getting more sophisticated, faster and more capable. Currently, rootkits are a complement of some attacks but soon will be the default.
Any guess why we're seeing fewer new worm outbreaks than we did a few years ago?
Attacks have switched from hackers to the criminal element. Worms used to be large and splashy attacks. We may have as many worm attacks, but now they are quiet, stealthy and more targeted. The attackers are not interested in being known.
Do CIOs understand that the threat is no longer teenage hackers but criminals?
No. They don't understand that it's more the criminal element. In Europe, companies are seeing denial-of-service attacks used for extortion - botnets that threaten attacks that will go away if money is wired to a particular bank account.
To battle criminals, you have to be concerned about customer data and remote control of systems that can be used for spam. You have to think about the exposure to your reputation if your systems are used as bots for something like kiddie porn. As far as I know, no companies have paid damages yet if their resources were used in an attack, but suits have been filed and settled out of court.
Multinationals also have to worry about patented information. They need to worry about information about their shipments that could be stolen. In other countries, companies have to worry about the addresses and travel itineraries for their executives to make sure they are not kidnapped.
There is a lot of information that is online that people don't think of protecting right away, like high-quality logos that can be used for counterfeit goods. Pictures of buildings and building plans can be useful information to someone interested in doing something of harm. Think about fire departments that have a GIS system that shows where all the hazardous chemicals in the town are. That's useful for the fire department but probably not something you want publicly available.