
SUBCOMMITTEE ON GOVERNMENT EFFICIENCY, FINANCIAL MANAGEMENT AND INTERGOVERNMENTAL RELATIONS

Congressman Stephen Horn, R-CA Chairman


Oversight  hearing on

"What Can be Done to Reduce the Threats Posed by Computer Viruses and Worms to the Workings of Government?"

August 29, 2001

Testimony of 

Stephen Trilling
Senior Director of Advanced Concepts
Symantec Corporation

before the 


Subcommittee on Government Efficiency, 
Financial Management 
and Intergovernmental Relations 


Thank you Chairman Horn and members of the Subcommittee for providing me with the opportunity to testify before you today. Mr. Chairman, I would also like to commend you and your Subcommittee for your leadership in examining the state of cyber-security among federal agencies through previous hearings, and your release of the Report Card on Computer Security in the Federal Government last year.

My name is Stephen Trilling and I am here representing Symantec Corporation. Our company is a world leader in Internet security technology, providing a broad range of solutions to government, individuals, enterprises and service providers. We are a leading provider of virus protection, firewalls, vulnerability management, intrusion detection, and security services for enterprises and Internet providers around the world. In addition, Symantec is providing security solutions to numerous federal government agencies, including all four branches of the armed forces and the U.S. Postal Service. Our enterprise-level solutions span all tiers of the network, from desktop computers, to servers, to Internet gateways. Symantec’s Norton brand of consumer security products leads the market in worldwide retail sales and industry awards. Headquartered in Cupertino, California, Symantec has approximately 4000 employees, worldwide operations in 37 countries, and over 100 million users.

At Symantec, I oversee our Advanced Concepts team, a research group dedicated to studying new security threats and creating new technologies to protect computers at all levels of the Internet infrastructure. Prior to this role, I oversaw our anti-virus research team, responsible for analyzing and creating fixes for computer viruses and other malicious threats. I am pleased to have the chance today to speak with you about computer worms, a growing threat to our national and economic security.

Computer Viruses and Worms

A traditional computer virus is a program designed to spread to many files on a single computer. However, a virus cannot spread from one computer to another without the user performing some manual action. For example, a user could inadvertently copy a virus to a floppy disk, and then transfer the virus to another computer. Or a user could unknowingly attach an infected file to an e-mail message. Again, traditional computer viruses are dependent on user action, spreading only as fast as humans exchange information, on the order of days or weeks.

Computer worms are malicious programs designed to spread themselves over networks to as many computers as possible. Worms spread largely without human interaction and can therefore infect new computers at an exponential rate. In some cases, worms can infect hundreds of thousands or even millions of computers in hours, without regard to borders or boundaries.

Recent Computer Worms and their Impact

While there have been some notable computer worms in the more distant past, the release of Melissa in March, 1999, marked a significant turning point in fast-moving malicious computer threats. Melissa spread itself automatically through e-mail from one computer to the next, across the Internet. Even more damaging was the LoveLetter worm from May, 2000, which infected millions of e-mail messages and is estimated by Computer Economics to have cost our global economy 8.7 billion dollars.

Most recently, certain versions of the Code Red worm spread, by some estimates, to more than 350,000 computers on the Internet in less than 15 hours, without any user interaction. According to Computer Economics, Code Red has already had a worldwide economic impact of 2.4 billion dollars [i]. Initial versions of Code Red, released in July 2001, attempted to launch a denial of service attack on the whitehouse.gov Website. Code Red is particularly virulent because it combines two different forms of attack, first spreading to many computers and then launching a denial of service attack.

A subsequent version of this worm, Code Red II, released in early August 2001, again spread to many computers across the Internet and also left behind a "back door" on each infected machine. This back door provides a new security hole in the machine, making it easy for an attacker to compromise the computer still further even after Code Red II has been removed and the system has been appropriately updated.

In the future, we could see computer worms moving across the Internet at even greater speeds with an even wider array of hostile capabilities.

The Dangers Ahead

Our global economy is becoming more dependent on the Internet. Computers connected to the Internet either control or will likely soon control e-commerce sites, stock market trading, power generation, transportation systems, electronic business supply chains, government transactions and numerous other operations. A properly targeted computer worm could hobble any or all of these systems, threatening our national security. This is the price we pay for all of the efficiencies that the Internet brings to our business and government systems.

The potential for such a devastating threat will only grow more likely as home users move in greater numbers to broadband Internet connections through cable modems or Digital Subscriber Lines (DSL). A Code Red-type worm could quickly spread, without user intervention, to 50 million or more home computers through broadband "always on" connections. Furthermore, a denial of service attack then launched from 50 million infected machines could decimate the online business-to-business transactions of all Fortune 500 companies, as well as all business-to-government and government-to-government electronic transactions. The Internet would grind to a halt, just as would traffic on a freeway if 50 million stalled cars were suddenly added to the road. In addition, the cleanup effort required to disinfect tens of millions of privately owned computers would be enormous, likely costing far more than for any previous incidents.

The demographics of online attackers are also changing. To the extent that we know of their origin, amateurs, primarily young males ages 14-24, appear to have created most of the recent computer worms and were not targeting any special victims. Even the most damaging of these threats, such as LoveLetter, clearly had no particular target in mind. However, with more and more business and government functions conducted online, we expect to see an increase in professional attacks from organized crime, corporate spies, social or political activists, terrorist groups, rogue states, and other organizations targeting specific systems on the Internet.

In March of this year, the National Infrastructure Protection Center (NIPC) issued a release indicating that several organized hacker groups from Eastern Europe had penetrated US e-commerce systems and stolen proprietary customer information including over one million credit cards (NIPC Advisory 01-003). Given the increasing value of information stored on the Internet, we fully expect other targeted attacks from professionals in the future.

Security in the Government and the Private Sector

There is no question that the need for improved security is as much an issue for the private sector as for the United States Government. Research from IDC on North American security trends shows that both the federal government and private sector organizations have been fairly successful in setting up a first line of cyber-defense, through deployment of anti-virus software and firewalls. Furthermore, according to IDC, government entities rank among the earliest adopters of anti-virus technology and are also among the most effective at fighting computer viruses in a timely fashion. While this initial line of defense can thwart many of today’s threats, next steps should be taken if government and industry are to provide a complete security solution to protect against the targeted attacks we may face tomorrow. Should a professional attacker attempt to exploit existing vulnerabilities through a more targeted worm, the costs to American corporations could be astronomical.

Moving forward, it will be increasingly important for the government and the private sector to share as much information on cyber-attacks as possible, to protect our nation’s critical infrastructures. Thanks to the support of the government through Presidential Decision Directive 63 (PDD 63), private industry is in the process of setting up a number of Information Sharing and Analysis Centers (ISACs) that provide formal mechanisms for companies to share information on security attacks, vulnerabilities, solutions, and best practices. This information is, in turn, shared with the government in certain instances.

Symantec is a founding board member of the Information Technology ISAC, or IT-ISAC. The effort to build an ISAC for the IT community has been spearheaded in large part by Harris Miller, President of the ITAA, who is also testifying before you today, and I would like to commend his efforts on this project. We hope that the creation of the IT-ISAC will encourage further efforts by both the government and the private sector to work together on cyber-security issues.

We provide further specific security recommendations in the following section.

Recommendations

The key to effective security is a set of well thought out and clearly communicated policies and plans that support the organization’s objectives and provide guidance for employees. Successful enforcement comes through a combination of informed people, sound policies, workable procedures, management commitment and appropriate use of technology and services.

One good lesson learned from the private sector is the need to appropriately prioritize potential solutions according to their cost/reward tradeoff. By applying a few simple rules, one can prevent the vast majority of attacks. We sometimes refer to this as the 80/20 rule for security - by applying the most important 20 percent of potential security solutions inside an organization, one can likely prevent 80 percent of possible attacks. Deploying effective security is not an all or nothing procedure. Rather, it is an evolutionary process, where each successive step further reduces risk.

Based on our experiences, the top security recommendations for any organization, public or private, which will likely protect against 80 percent of attacks, are:

1. Organizations need properly configured and regularly updated anti-virus software and firewalls, as a basis for any effective security solution. To use an analogy from physical security, this is similar to locking your door and having a guard in front of the house. According to the CSI/FBI 2001 Computer Crime and Security Survey, the penetration of both anti-virus and firewalls in the private and public sector is very high.

2. Organizations need to deploy appropriate updates for any announced security holes, on all systems, as soon as they are available. Whenever a new security vulnerability in commercial software is announced publicly, the information becomes accessible not only to legitimate users of the software but also to attackers who can then take advantage of the flaw for their own malicious purposes. This was clearly demonstrated with the recent Code Red worm [ii].

3. Organizations should have a specific policy to ensure that computer users' passwords cannot easily be compromised. This will help ensure that none of these computers can easily be co-opted to launch a worm. This also greatly reduces the effectiveness of any worm that attempts to spread in an organization from one computer to the next by cracking user passwords. Such a policy includes making sure that users do not have easily guessed passwords, such as common words, user names, personal names or initials, the word "password", and others. Users should be required to change passwords regularly and use passwords that are sufficiently long. The policy should include a requirement to regularly test that all passwords are adequately strong.

Further general security recommendations, again based on our experiences, are as follows:

1. Organizations should take more proactive steps to deploy vulnerability assessment and vulnerability management software. This type of monitoring can determine, for example, whether appropriate software updates for security holes have been deployed (#2 above) and whether any easily compromised passwords are being used (#3 above). As such, these software solutions can help ensure that organizations are adhering to the key elements of the 80/20 rule. This type of software can also help organizations ensure full compliance with existing security policies in advance of monitoring from outside agencies.

According to an IDC report, government agencies as a whole tend to be slightly behind some other critical organizations such as banking, communications, financial services, healthcare, and utilities with respect to routine security auditing, and slightly ahead of transportation. However, the federal government is well ahead of most critical industry sectors in this area [iii]. While this survey does not directly address vulnerability assessment software, these results are likely indicative of the level of deployment of this type of solution across different sectors.

2. Organizations should consider blocking all executable programs flowing into the corporation through e-mail attachments. Such a policy will likely stop some legitimate attachments from entering the organization, but will also vastly reduce the chance of a malicious worm entering via e-mail. Many private corporations are quite willing to make this tradeoff and have successfully blocked numerous worms by instituting such procedures.
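As an added example of the attachment-blocking policy in recommendation 2 (illustrative code, not part of the original testimony and not a Symantec gateway product), the following script inspects a MIME message and names the attachments a gateway would reject. It blocks on two rules: a file name that ends in an executable or script extension, including the double-extension trick that LoveLetter used, and a payload that begins with an executable file header regardless of the name or content type it was given. The blocked-extension list, the message and its attachments are constructed for the example.

```python
import email
from email import policy
from email.message import EmailMessage

# Assumed policy list; a gateway would maintain its own.
BLOCKED_EXTENSIONS = {".exe", ".com", ".scr", ".pif", ".bat", ".cmd", ".vbs",
                      ".js", ".wsf", ".hta", ".cpl", ".dll"}

# File headers checked here: DOS/Windows executables ("MZ") and ELF binaries.
# The name alone is not enough, because a worm can mislabel its payload.
MAGIC_PREFIXES = (b"MZ", b"\x7fELF")


def is_executable(filename, payload):
    """True if either the name or the first bytes mark the part as executable."""
    name = (filename or "").lower().rstrip(". ")   # "setup.exe." still counts
    if any(name.endswith(ext) for ext in BLOCKED_EXTENSIONS):
        return True
    return payload.startswith(MAGIC_PREFIXES)


def executable_attachments(raw_message):
    """Return the file names of attachments the policy would block."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    blocked = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        filename = part.get_filename()
        if filename is None and part.get_content_disposition() != "attachment":
            continue   # message body, not an attachment
        payload = part.get_payload(decode=True) or b""
        if is_executable(filename, payload):
            blocked.append(filename or "<unnamed>")
    return blocked


def build_sample_message():
    """Constructed message with one harmless and two hostile attachments."""
    msg = EmailMessage()
    msg["From"] = "sender@example.com"
    msg["To"] = "recipient@example.gov"
    msg["Subject"] = "ILOVEYOU"
    msg.set_content("kindly check the attached LOVELETTER coming from me.")
    # Ordinary document: passes.
    msg.add_attachment("Quarterly figures: see table.", filename="figures.txt")
    # Script hidden behind a double extension: blocked by the name rule.
    msg.add_attachment(b'Set fso = CreateObject("Scripting.FileSystemObject")',
                       maintype="application", subtype="octet-stream",
                       filename="LOVE-LETTER-FOR-YOU.TXT.vbs")
    # Labelled as an image but carrying an MZ header: blocked by the magic bytes.
    msg.add_attachment(b"MZ\x90\x00" + b"\x00" * 60,
                       maintype="image", subtype="gif", filename="photo.gif")
    return bytes(msg)


if __name__ == "__main__":
    for name in executable_attachments(build_sample_message()):
        print("blocked:", name)
```

The trade-off the testimony describes shows up in the rules themselves: a stricter list catches more worms and more legitimate files alike, and the header check still says nothing about archives or macro-bearing documents, which is why the recommendation is paired with anti-virus scanning rather than offered instead of it.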

3. Organizations should consider installing intrusion detection software to monitor their networks for potential attacks. This software is analogous to alarm systems and motion sensors in a home, alerting on any suspected intrusion. On a computer network, intrusion detection software can provide alerts on attacks and break-ins from numerous threats including worms such as Code Red.
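To show what "alerting on a Code Red attack" amounts to in practice, here is an added example, not from the original testimony and not a Symantec product, that applies the worm's request signature to Web server log lines. Code Red sent an HTTP GET for /default.ida with a long run of filler characters ("N" in the July variants, "X" in Code Red II) followed by %u-encoded shellcode beginning %u9090%u6858%ucbd3%u7801, overflowing the Index Server ISAPI extension. A network intrusion detection system matches that same request on the wire; this script matches it after the fact in a log. The W3C-style field order, the query-length threshold, the IP addresses and the log lines themselves are constructed for the example, and the shellcode portion of the query is abbreviated.

```python
import re
from collections import Counter

# Known Code Red footprint: ISAPI index extension target, oversized query,
# %u-encoded shellcode. Threshold is an assumption for this example.
ISAPI_INDEX = re.compile(r"\.id[aq]$", re.IGNORECASE)
UNICODE_ESCAPE = re.compile(r"(%u[0-9a-fA-F]{4}){3,}")
MAX_SANE_QUERY = 200

# Constructed queries; real ones are longer (shellcode abbreviated here).
_SHELLCODE = "%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190=a"
_CR1_QUERY = "N" * 224 + _SHELLCODE     # July 2001 variants
_CR2_QUERY = "X" * 224 + _SHELLCODE     # Code Red II

# Constructed log in an assumed W3C-style layout:
# date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
SAMPLE_LOG = "\n".join([
    "#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status",
    "2001-07-19 10:15:02 192.0.2.10 GET /index.html - 200",
    "2001-07-19 10:15:07 198.51.100.23 GET /default.ida " + _CR1_QUERY + " 200",
    "2001-07-19 10:15:09 203.0.113.5 GET /search.idq - 404",
    "2001-08-04 22:01:44 198.51.100.77 GET /default.ida " + _CR2_QUERY + " 200",
    "2001-08-04 22:01:45 198.51.100.77 GET /default.ida " + _CR2_QUERY + " 200",
    "2001-08-04 22:03:10 192.0.2.44 GET /images/logo.gif - 200",
])


def parse_line(line):
    """Split one log line into a record, or None for comments and short lines."""
    if not line or line.startswith("#"):
        return None
    fields = line.split()
    if len(fields) < 7:
        return None
    date, time_, ip, method, stem, query, status = fields[:7]
    return {"ts": date + " " + time_, "ip": ip, "method": method,
            "stem": stem, "query": "" if query == "-" else query, "status": status}


def classify(rec):
    """Return the reasons a request looks like a Code Red probe ([] if none)."""
    reasons = []
    if not ISAPI_INDEX.search(rec["stem"]):
        return reasons                      # only .ida/.idq targets are of interest
    query = rec["query"]
    if len(query) > MAX_SANE_QUERY:
        reasons.append("oversized query to Index Server ISAPI (.ida/.idq)")
    if UNICODE_ESCAPE.search(query):
        reasons.append("%u-encoded shellcode in query")
    filler = query[:1]
    if filler in ("N", "X") and query.startswith(filler * 50):
        reasons.append("Code Red filler pattern (%s...)" % (filler * 4))
    return reasons


def scan_log(text):
    """Run the classifier over every line; returns (timestamp, ip, stem, reasons)."""
    alerts = []
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        reasons = classify(rec)
        if reasons:
            alerts.append((rec["ts"], rec["ip"], rec["stem"], reasons))
    return alerts


def sources_by_count(alerts):
    """Count alerts per source address; repeat hits mark an infected scanner."""
    return Counter(ip for _, ip, _, _ in alerts)


if __name__ == "__main__":
    found = scan_log(SAMPLE_LOG)
    for ts, ip, stem, reasons in found:
        print(ts, ip, stem, "->", "; ".join(reasons))
    print("sources:", dict(sources_by_count(found)))
```

A legitimate request to the same .idq extension with an empty or short query produces no alert, which is the distinction a signature has to make to be usable. The status code is deliberately ignored: an unpatched server answers 200, a patched one may answer 404, and both tell the administrator that an infected machine at that address is scanning them.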

According to the CSI/FBI Computer Crime and Security Survey, deployment of intrusion detection systems is rapidly increasing for large corporations and government agencies, although its overall penetration is still well below that of anti-virus software or firewalls [iv]. According to IDC, the federal government is well ahead of such critical organizations as financial services, healthcare, transportation, and utilities and comparable to banking and communications with regards to deployment of intrusion detection software [iii].

4. Organizations should deploy several layers of security software at all tiers within the enterprise. The following is an example of various different technologies that could have helped stop Code Red from infecting a given Web site:

  • Certain firewall products could prevent initial Code Red infection.
  • Intrusion detection software could alert on a Code Red attack.
  • Vulnerability assessment software could alert administrators to update their software to prevent attack.
  • Anti-virus software could be used to detect the "back door" left by Code Red II.

Computer worms can potentially attack large servers, desktop computers, and even handheld devices. This emphasizes the importance of having an integrated set of security solutions protecting all tiers of the network. For example, one should consider deploying firewalls not only at the network perimeter, but also on desktop machines to stop threats that have been released inside the organization.

5. Industries and government agencies that are essential to our national security (as described in Presidential Decision Directive 63) should consider using private networks for all critical communications. Such private networks could help isolate important transmissions from computer worms or worm-based denial of service attacks.

6. We need continued public/private sector cooperation in sharing information on security issues as well as in providing appropriate security education to both government and corporate entities. The IT-ISAC is a good current example of a cooperative sharing organization for the IT sector. Recent alerts from the public and private sectors on the need to deploy appropriate security updates to protect against Code Red were a good demonstration of educational efforts in this space.

Conclusion

Over the coming decade, a computer worm could easily devastate our economy. As the threats become more dangerous and more sophisticated, we must be vigilant and take necessary steps to better protect our nation’s critical infrastructure. The time to address and invest in the problem is now. Both the government and corporations are building the next generation of online systems today, and all of these systems will be targets tomorrow.

By applying the 80/20 rule, organizations can likely prevent 80 percent of potential worm attacks to their infrastructure, by addressing just the top 20 percent of good security practices. This is a very good first step. However, the growth of home broadband connections raises further concerns that a worm could spread rapidly to millions of Internet users and drastically impact the operation of our economy.

We must therefore look for comprehensive solutions to protect against future attacks on our electronic highways. Only through proactive attention to this problem across both the public and private sector, and through greater cooperation between both groups, will we be able to effectively deal with this serious threat.

Thank you.