Mitigating the Risk of Cyber Attack - PowerPoint PPT Presentation

1
Mitigating the Risk of Cyber Attack
  • David Alderson, PhD
  • California Institute of Technology
  • alderd_at_cds.caltech.edu
  • MSE 193/293
  • November 17, 2004

2
Agenda
  • Monday
    • Critical Infrastructures
    • Recent Failures
    • Rise of the Internet
    • The Potential Threat
    • Policy Introduction
    • Homework
    • PBS Frontline video: Cyberwar!
  • Wednesday
    • Case Study: Internet Worms and Viruses
    • Threat Mitigation: U.S. Federal Policy
    • Conclusions
    • Open Questions
    • Research Topics
    • Potential Paper Topics

3
Motivating Questions
  • What are critical infrastructures, and how does
    our dependence on them make us vulnerable to
    accidents, failures, and attacks?
  • To what extent does the open and insecure nature
    of the Internet and related cyber infrastructure
    pose a threat to national security?
  • What are the current vulnerabilities, and what
    can be done in the short term to mitigate against
    them?
  • Where would we like to be in the future with
    regard to the Internet and the critical
    infrastructures, and what needs to be done to get
    there?

We don't have all the answers yet!
4
Acknowledgements
  • Caltech: John Doyle
  • UCB: Vern Paxson
  • UCSD: Stefan Savage
  • EPRI (now UMN): Massoud Amin
  • CISAC: Kevin Soo Hoo, Keith Coleman, Dan
    Wendlandt, Martin Casado, Mike May, David
    Elliott, William Perry
  • Stanford Student Cybersecurity Group
    http://cybersecurity.stanford.edu

5
Critical Infrastructures
  • Definition: an infrastructure so vital that its
    incapacity or destruction would have a
    debilitating impact on our defense and national
    security.

Source: Critical Foundations: Protecting
America's Infrastructures
  • Examples
    • Information and Communications
      (PTN, TV/Radio, CATV, Internet, Satellite,
      Wireless)
    • Energy Systems
    • Electrical Power Systems
    • Gas and Oil Production, Storage and
      Transportation
    • Banking and Finance
    • Physical Distribution
    • Transportation
    • Water Supply Systems
    • Vital Human Services
    • Emergency Services
    • Government Services
    • Military Services

More information available from the Critical
Infrastructure Assurance Office (CIAO),
www.ciao.gov
6
The Internet has become a critical information
infrastructure.
  • The Internet has become a type of public utility
    (like electricity or phone service) that
    underlies many important public and private
    services.
  • Internet disruptions have a ripple effect
    across the economy.
  • The Internet is a control system for monitoring
    and controlling our physical environment.
  • Hijacking the Internet can be even more
    devastating than interrupting it.

7
Best Practices in Security
  • Most attacks occur through known vulnerabilities
  • Most attacks could be prevented if the victim had
    been using best practices for cyber security:
    • Latest software patches for known bugs
    • Virus protection software with up-to-date virus
      definition files
    • Frequently changed passwords of proper syntax
    • Firewalls
    • More than one layer of protection: all of the
      above!
  • SANS/FBI publishes a list of the top 20
    vulnerabilities, updated annually
    (www.sans.org/top20)
  • But evidence repeatedly suggests that best
    practices are not followed consistently

8
Misalignment of Incentives
  • Protection is costly and inconvenient
    • Business imperative is competition
      (profitability, cost management, new markets,
      new technologies), not protection
    • Users are not accustomed to bearing any direct
      costs of protecting infrastructures
    • Direct (immediate) benefits of protection are
      unknown (difficult to measure)
  • Exploitation is cheap and convenient
    • Tools (laptop and network connection) are
      inexpensive
    • Training is easily obtained or downloaded
    • Prosecution is difficult
  • Exploitation is potentially highly rewarding
    • Money, power, prestige

9
An Ongoing Debate
  • Does the vulnerability of the Internet pose a
    threat to national security?
  • Why is this a hard question?
    • There is a lack of public evidence
      • Strong disincentives for companies to share
        information about incidents
      • Strong disincentives for the government to
        share information about vulnerabilities
    • Measurement is a challenge
      • How to quantify the consequences of an
        incident?
      • Who has time to gather data during an
        incident?

10
Case Study: The Threat of Internet Worms
11
Viruses and Worms
  • Definition: A computer virus is a small program
    written to alter the way a computer operates,
    without the permission or knowledge of the user.
    (Symantec website, www.symantec.com)
  • Network worms are sometimes called automated
    intrusion systems because, unlike viruses, they
    do not require action by a human (via a host
    file). They contain three basic parts:
    • Exploit (the means by which a computer is
      compromised)
    • Propagation (the means by which the worm moves
      from one machine to another)
    • Payload (what the worm does to the computer,
      other than self-replicate)
  • These parts are modular and independent
  • Exploits take advantage of well-known, insecure
    open services
  • Toolkits are readily available online

12
References
  • How to 0wn the Internet in Your Spare Time
    • Stuart Staniford, Vern Paxson, Nicholas Weaver.
      Proceedings of the USENIX Security Symposium,
      2002.
    • (Vern Paxson's home page:
      http://www.icir.org/vern)
  • Internet Quarantine: Requirements for Containing
    Self-Propagating Code
    • David Moore, Colleen Shannon, Geoffrey M.
      Voelker, Stefan Savage
    • IEEE Infocom, April 2003
  • Inside the Slammer Worm
    • David Moore, Vern Paxson, Stefan Savage, Colleen
      Shannon, Stuart Staniford. IEEE Security &
      Privacy, July/August 2003.
    • (Stefan Savage's home page:
      http://www.cs.ucsd.edu/~savage/)
  • Models of Internet Worm Defense
    • David M. Nicol, Michael Liljenstam
    • Presentation at IMA Workshop, January 12, 2004
    • http://www.ima.umn.edu/talks/workshops/1-12-16.2004/nicol/talk.pdf

13
Brief History (courtesy Stefan Savage)
  • Early worm development
    • Science fiction references: Brunner describes
      a "tapeworm" program in the novel Shockwave
      Rider (1972)
    • Shoch & Hupp coin the term "worm" for programs
      that self-propagate to perform some (benign)
      task (1982)
    • Morris Worm (1988) exploits buffer overflow
      vulnerabilities and infects a few thousand
      hosts (10% of the Internet)
  • Then nothing for 13 years...
  • ...until a recent renaissance in worm activity
    • CodeRed (Summer 2001)
    • CodeRed II, NIMDA (Fall 2001)
    • Sapphire/Slammer (Winter 2003)

14
Code Red
  • CRv1 (originally identified on July 13, 2001)
    • Spread by compromising a Microsoft IIS
      vulnerability (that had been cataloged on June
      18, 2001)
    • (Sometimes) defaced the web server
    • After infection, it attempted to compromise
      other machines identified by generating a
      sequence of random IP addresses (but a flawed
      RNG had a fixed seed, so the same sequence of
      random numbers was used everywhere, and growth
      was linear)
  • CRv2 (observed on July 18, 2001)
    • Fixed the RNG bug
    • No more web site defacements, but added a DDOS
      payload targeting the IP address of
      www.whitehouse.gov
    • More successful: infected 360,000 hosts in 10
      hours
    • This version is commonly called Code Red
    • Another bug caused it to die after the 20th day
      of the month (initial release lasted only 1 day)
    • But incorrect computer clocks allowed the worm
      to persist and reactivate itself on August 1,
      2001 (and it's still going!)

Source: Staniford, Paxson, Weaver. How to 0wn the
Internet in Your Spare Time.
15
Code Red II
  • Released on Saturday, August 4, 2001
  • Contained a comment calling itself "Code Red II",
    but the code base was different from Code Red I
  • Exploited the same vulnerability in Microsoft IIS
  • Payload installed a root backdoor allowing
    unrestricted remote access to the infected host
  • Kills Code Red I
  • BUT, only worked on Windows 2000 (crashed on NT)
  • Used a localized strategy to choose IP addresses
    • From local class B network (probability 3/8)
    • From local class A network (probability 1/2)
    • From entire Internet (probability 1/8)
  • Very rapid local infection, once through a
    firewall
  • Died by design on October 1, 2001

Source: Staniford, Paxson, Weaver. How to 0wn the
Internet in Your Spare Time.
16
NIMDA
  • Began on September 18, 2001
  • A multi-vector worm, spread by five methods:
    • Infecting web servers from clients by
      exploiting a (different) Microsoft IIS
      vulnerability
    • Bulk emailing itself as an attachment to
      addresses obtained from the infected machine
    • Copying itself across shared network file
      systems
    • Adding exploit code to web pages in order to
      infect web clients that browse the page
    • Exploiting backdoors left behind by Code Red II
  • Combination of methods bypassed current security
    • As email payload, passed many firewalls
    • Many infections before anti-virus signatures
      were in place

Source: Staniford, Paxson, Weaver. How to 0wn the
Internet in Your Spare Time.
17
NIMDA Virulence
Source: Staniford, Paxson, Weaver. How to 0wn the
Internet in Your Spare Time. Courtesy Vern Paxson.
18
An Ecosystem of Worms
Source: Staniford, Paxson, Weaver. How to 0wn the
Internet in Your Spare Time. Courtesy Vern Paxson.
19
Sapphire/Slammer Worm
  • Observed on January 25, 2003
  • Buffer overflow vulnerability in Microsoft SQL
    Server (documented in July 2002)
  • Worm fit in a single UDP packet (404 bytes
    total)
  • Key insight: decouple scanning from target
    behavior
  • Sapphire growth
    • First 1 min: behaves like a random-scanning
      worm
      • Doubling time of 8.5 seconds
      • Code Red doubled every 40 mins
    • At 1 min, the worm starts to saturate access
      bandwidth
      • Some hosts issue 20,000 scans/sec
      • Self-interfering (no congestion control)
    • Peaks at 3 min (55 million IP scans/sec)
    • 90% of the Internet scanned in
    • Infected 100k hosts (conservative due to PRNG
      errors)
  • No malicious payload, but caused severe network
    congestion and disabled many database servers.

Source: Moore, Paxson, Savage, Shannon, and
Staniford. Inside the Slammer Worm.
20
Worm Evolution
  • Cooperative Association for Internet Data
    Analysis (CAIDA)
    • http://www.caida.org/analysis/security/code-red/
    • http://www.caida.org/dynamic/analysis/security/nimda/
    • http://www.caida.org/analysis/security/sapphire/

21
The Worm Threat
  • Proposition: worms are among the most serious
    threats today to Internet infrastructure
  • Evidence
    • Millions of susceptible hosts
    • Easy to write
    • Can cause serious damage (damage hosts,
      expose/corrupt information, DoS attacks)
    • Rapid time scales make defense difficult
  • How to quantify the threat as well as the
    effectiveness of possible defense strategies?
    • Threat = Capability × Intent
    • Vulnerability = Threat × Consequence

22
Epidemiological Model
Courtesy Staniford, Paxson, Weaver.
  • For a fixed population size N:
    • I(t): infected population at time t
    • i(t): fraction of infected population
      (i(t) = I(t)/N)
    • K: (constant) contact rate per host
    • T: starting time of outbreak

Logistic growth equation. Ref: Boyce and
DiPrima, Elementary Differential Equations and
Boundary Value Problems.
23
Comparing Models
S-I Model
  • N: initial size of susceptible population
  • I(t): infected population at time t
  • i(t): fraction of infected population
    (i(t) = I(t)/N)
  • K: contact rate per host
  • Assumptions
    • Homogeneous mixing
    • No natural births/deaths

24
How to Mitigate the Worm Threat?
  • S(0) = N
  • β = η / M, where
    • η: probe rate of worm
    • M: total population (2^32 IPv4 addresses)
  • γ: removal rate
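The logistic growth equation the slides refer to, written out here as an added derivation in the slides' own symbols (it is not reproduced from the slides; the form is the standard S-I model used by Staniford, Paxson and Weaver), with β for the contact rate, η for the probe rate and γ for the removal rate that slide 24 defines:

Under homogeneous mixing, each of the $I(t)$ infected hosts compromises a new host at rate $K$ times the fraction of hosts still susceptible, so

$$\frac{dI}{dt} = K\,I(t)\,\frac{N - I(t)}{N}
\quad\Longleftrightarrow\quad
\frac{di}{dt} = K\,i(t)\bigl(1 - i(t)\bigr), \qquad i(t) = \frac{I(t)}{N}.$$

Separating variables, $\int \frac{di}{i(1-i)} = \ln\frac{i}{1-i} = Kt + C$, and solving for $i$:

$$i(t) = \frac{e^{K(t-T)}}{1 + e^{K(t-T)}}, \qquad T = -\frac{C}{K},$$

so $T$ fixes the time position of the outbreak (with this normalization $i(T) = 1/2$), and while $e^{K(t-T)} \ll 1$ the curve is exponential, $i(t) \approx e^{K(t-T)}$, doubling every $\ln 2 / K$ seconds. In slide 24's notation the per-host contact rate is $\beta = \eta / M$, so for $N$ vulnerable hosts $K = N\beta = N\eta / M$. Adding removal (patching or filtering) at rate $\gamma$ turns this into the S-I-R system

$$\dot S = -\beta S I, \qquad \dot I = \beta S I - \gamma I, \qquad \dot R = \gamma I,$$

in which the worm stops growing once $\beta S(t) < \gamma$, i.e. once hosts are removed faster than they are being found.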

25
How quickly does each strategy need to react?
[Figure: Infected (95th perc.) vs. reaction time
(hours), one panel for Address Blacklisting and one
for Content Filtering]
  • To contain worms to 10% of vulnerable hosts after
    24 hours of spreading at 10 probes/sec (CodeRed):
    • Address blacklisting: reaction time must be
      minutes.
    • Content filtering: reaction time must be hours
  • Reaction times must be fast when probe rates get
    high
    • 10 probes/sec: reaction time must be (content
      filtering)
    • 1000 probes/sec: reaction time must be minutes
      (content filtering)

Source: Moore, Shannon, Voelker, and Savage.
2003. Internet Quarantine: Requirements for
Containing Self-Propagating Code. (Courtesy
Stefan Savage)
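An added Python example (not from the slides or the papers they cite) that puts slides 22 to 25 into code: the contact rate K = Nη/M, the logistic curve and its doubling time, the latest reaction time that keeps a worm under slide 25's 10% criterion, and an S-I-R run in which containment starts only after a reaction delay. It assumes one initially infected host, forward-Euler integration with a 1 s step, Code Red's 360,000 hosts as N, and a containment modelled as a filtered fraction of probes plus a per-host removal rate; the probe rates are the two cases on slide 25.

```python
import math

M = 2 ** 32  # M on slide 24: the whole IPv4 address space


def contact_rate(n, eta, m=M):
    """K = N * beta, with beta = eta / M (slides 22 and 24): compromises
    per second made by one infected host early in the outbreak."""
    return n * eta / m


def doubling_time(n, eta):
    """Early doubling time ln(2) / K of the logistic curve, in seconds."""
    return math.log(2) / contact_rate(n, eta)


def fraction_infected(t, n, eta, i0):
    """Logistic solution of di/dt = K i (1 - i) with i(0) = i0."""
    g = math.exp(contact_rate(n, eta) * t)
    return i0 * g / (1 - i0 + i0 * g)


def reaction_deadline(n, eta, target=0.1, i0=None):
    """Seconds until i(t) reaches `target` with no defence at all: the
    latest time by which a (perfect) containment must be in place to hold
    the worm to `target` of the vulnerable hosts, slide 25's 10% criterion."""
    i0 = 1.0 / n if i0 is None else i0  # assumption: one infected host at t=0
    ratio = target * (1 - i0) / (i0 * (1 - target))
    return math.log(ratio) / contact_rate(n, eta)


def simulate(n, eta, react_s, filt, gamma, horizon_s=86400, dt=1.0):
    """Forward-Euler S-I-R run starting from one infected host.  Before
    `react_s` the worm spreads freely; afterwards a fraction `filt` of its
    probes is filtered and infected hosts are removed (patched) at rate
    `gamma` per second.  Returns the share of N ever infected, (I + R) / N."""
    s, i, r = float(n - 1), 1.0, 0.0
    beta = eta / M
    t = 0.0
    while t < horizon_s:
        b, g = (beta, 0.0) if t < react_s else (beta * (1 - filt), gamma)
        new_inf = b * s * i * dt   # susceptible hosts found by probes
        new_rem = g * i * dt       # infected hosts cleaned up / patched
        s, i, r = s - new_inf, i + new_inf - new_rem, r + new_rem
        t += dt
    return (i + r) / n


if __name__ == "__main__":
    N = 360_000  # the hosts Code Red infected (slide 14), used here as N
    for eta in (10, 1000):  # probes/sec per host, the two cases on slide 25
        print(f"eta={eta:5d}/s  doubling={doubling_time(N, eta):7.1f} s  "
              f"10%-deadline={reaction_deadline(N, eta) / 60:7.1f} min")
    for react in (600, 3600, 7200):  # seconds until containment starts
        frac = simulate(N, 10, react, filt=0.9, gamma=1 / 3600)
        print(f"react after {react / 60:4.0f} min -> {frac:.5f} of hosts")
```

For the 10 probes/sec case the deadline comes out at a few hours and for 1000 probes/sec at about two minutes, the same qualitative conclusion slide 25 draws.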
26
Modeling Cyber Epidemics
  • Interpreting quantities of interest in this new
    domain
    • Generation time, reproductive rate
    • Threshold criteria (worms on Macs?)
    • Limiting values (how and when to intervene?)
  • Understanding the relationship between model
    assumptions and details of application
    • Homogeneous mixing and virus/worm spread
    • Births/deaths and endemic persistence of worms
    • More realistic representation of worm behavior
  • Policy implications
    • Direction of technology investment
    • User behavior as well as technology
  • Opportunity: modeling at the cutting edge of
    network research, with many contributions to be
    made.

27
What Does All This Mean?
  • The scale and speed of these attacks pose new
    challenges
    • Zero latency period, high infection rate, use
      of the Internet against itself
    • Human response is not possible
    • Significant technical challenges to reactive
      defense
  • Worms and viruses create the possibility of
    additional cyber attacks with incredible threat
    potential
    • Imagine: what could you do if you 0wned 1M
      machines?
    • Massive, diffuse DDOS attacks
      • Against a single industry or infrastructure?
      • Subtle, hard to trace
    • Use the information on those machines
      • Passwords
      • Fraudulent credit card transactions, identity
        theft
    • Corrupt the information on those machines
  • Rapidly evolving technology is fertile ground for
    new and more dangerous worms and viruses

28
(How) Can public policy assist in providing a
solution to this problem?
29
Abbreviated Timeline
30
Abbreviated Timeline (cont.)
31
National Strategy Initiatives
  • Information Sharing: Information, including
    threat analysis and warning, should flow freely
    and in a timely manner among the stakeholders.
  • Incident Response and Recovery: Government should
    facilitate timely warning and recovery from
    (imminent) attack.
  • Awareness: All stakeholders (from large
    corporations to home users) must recognize and
    understand the problem.
  • Securing Government's Cyberspace: Federal,
    state, and local government information systems
    should be better protected through enhanced
    threat and vulnerability assessment, updated and
    more secure technologies, and adherence to
    recognized operational best practices.
  • Training and Education: Technical expertise
    necessary for securing the infrastructure must be
    cultivated.
  • Research and Development: New technologies to
    help identify, prevent, and mitigate new
    vulnerabilities must be developed and implemented.

32
Abbreviated Timeline (cont.)
Feb 2003: Richard Clarke resigns as chair of PCIPB.
Howard Schmidt (former Microsoft CSO) remains as
vice chair.
33
DHS Organization
Org chart (source: www.dhs.gov):
  • Office of the Secretary
    • Emergency Preparedness & Response
    • Coast Guard
    • Citizenship & Immigration Services
    • Management
    • Information Analysis & Infrastructure
      Protection
    • Border & Transportation Security
    • Science & Technology
    • Secret Service
  • Information Analysis & Infrastructure Protection
    • Homeland Security Operations Center
    • Information Analysis
    • Infrastructure Protection
      • National Communication System
      • National Cyber Security Division
      • Infrastructure Coordination Division
      • Protective Security Division
34
Abbreviated Timeline (cont.)
35
July 2004 Report on DHS Progress
  • Conducted Dec 2003 to Feb 2004
  • Objective: to determine whether DHS efforts to
    implement the White House's cyber strategy, The
    National Strategy to Secure Cyberspace, and to
    protect the nation's critical infrastructure from
    a major cyber terrorist attack are adequate and
    effective.
  • Accomplishments
    • Launched US-CERT
    • National Cyber Alert System
    • National Cyber Security Summit (December 2003,
      Santa Clara, CA)
    • Establishing groups to strengthen Federal IT
      systems

36
July 2004 Report on DHS Progress
  • According to the report, the NCSD has not:
    • Prioritized its initiatives to address the
      recommendations in The National Strategy to
      Secure Cyberspace.
    • Identified the resources needed to ensure that
      it can identify, analyze, and reduce long-term
      cyber threats and vulnerabilities.
    • Developed strategic implementation plans,
      including performance measures and milestones,
      focusing on the division's priorities,
      initiatives, and tasks.
    • Instituted a formal communications process
      within DHS, as well as with the public, private,
      and international sectors.
    • Initiated and implemented a process to oversee
      and coordinate efforts to develop best practices
      and create cyber security policies with other
      government agencies and the private sector.
    • Reviewed or updated the actions and
      recommendations in The National Strategy to
      Secure Cyberspace.

37
Abbreviated Timeline (cont.)
38
Where We Are
  • Significant assets now in place for dealing with
    cybersecurity incidents
    • Incident response and recovery
      • US-CERT
      • Cyber Alert Warning System
    • Law enforcement
      • FBI
      • U.S. Secret Service Electronic Crimes Task
        Forces
  • But, substantial challenges remain
    • Technology hurdles: software patches
    • Application of best practices by vendors,
      corporations, individuals
    • Alignment of economic incentives

39
Open Issues
To what extent is an information deficit the root
cause of insecurity in the Internet? To what
extent is a misalignment of economic incentives
the root cause?
  • "Worm exposes apathy, Microsoft flaws" by Robert
    Lemos, CNET News.com, January 26, 2003
  • "Microsoft fails Slammer's security test" by
    Robert Lemos, CNET News.com, January 27, 2003

40
Open Issues
Is the monoculture of a Microsoft-based Internet
a significant threat to the security of
cyberspace?
  • CyberInsecurity: The Cost of Monopoly
    • Published by the Computer & Communications
      Industry Association, September 2003.
    • http://www.ccianet.org/papers/cyberinsecurity.pdf
  • CyberInsecurity: Much ado about nothing
    • By Mary Landesman, About.com.
    • http://antivirus.about.com/cs/allabout/a/cyberinsecurity.htm
  • To Fix Software Flaws, Microsoft Invites Attack
    • By Steve Lohr, NY Times, Sept. 29, 2003

41
Open Issues: Incentives
  • Will a government strategy based on voluntary
    information sharing and public-private
    partnership ever effectively address the
    potential threats to national security posed by
    internet vulnerability?
  • Should the government use regulation, taxation,
    and other methods of influence to correct the
    misalignment of incentives among Internet
    stakeholders?
  • Should software manufacturers be held liable for
    damages caused by distributing insecure software?
  • Should organizations and individuals be held
    liable for damages caused by failing to patch
    insecure software?
  • Will it take a cyber 9/11 (possibly caused by a
    worm) to move individuals, corporations, and the
    government into action?

42
Preliminary Conclusions
  • Problems of growing importance that affect
    everyone
  • There are no clear answers (yet)
  • Assessment of the scope of the problem
  • Identification of promising solutions
  • A problem at the intersection of technology and
    policy
  • An assessment of policy requires a good
    understanding of technology
  • Pursuit of technological solutions requires an
    understanding of policy implications
  • Many opportunities for valuable contributions
  • Independent research projects
  • Ongoing research programs here at Stanford
  • (CISAC, SNRC, Law School, and others)

43
Potential Paper Topics
  • Evaluating evidence: is there a threat?
  • How should the Federal Government respond to
    evidence of an impending attack?
  • Evaluate a specific public-private partnership
    initiative for DHS support?
  • Is the Internet an appropriate platform for
    supporting critical infrastructures?
  • Should government systems diversify away from a
    Microsoft monoculture?

44
Additional Campus Resources
Questions? Comments?
alderd_at_cds.caltech.edu
  • Stanford Student Cybersecurity Group
    http://cybersecurity.stanford.edu
  • Computer Science Security Lab
    http://crypto.stanford.edu/seclab
  • Stanford Law School Center for Internet and
    Society
    http://cyberlaw.stanford.edu/security/