With the firewall up, the ‘holistic’ security management policy in place and the system scrutinised regularly for vulnerabilities, it is easy to see why organisations might get complacent about information security. But a recent high-profile break-in at the University of California at Berkeley, one of the US’s most prestigious technology research sites, provides some salutary lessons in why no-one can afford to relax their guard. Even more so because Berkeley was doing a lot right.
The university regularly checked its system for vulnerabilities and was in the process of implementing a new set of security standards that were due to come into force in spring 2005. Nonetheless, a hacker was able to gain access to the names, addresses, phone numbers, birthdates and Social Security numbers of 600,000 elderly and disabled people participating in Berkeley’s In Home Supportive Services (IHSS) programme.
The breach appears to have happened as a result of an unpatched vulnerability in an (unnamed) commercial database and an unsecured connection by a new user. A visiting scholar accessed the IHSS database for research purposes and saved the data on her own computer, which had accessed the network without the university’s usual security precautions.
Such errors are worryingly familiar. A recent survey of 36 security professionals from large UK organisations, mostly in the finance sector, by security consultancy NetSec found that patching was rated the greatest security problem facing their companies. Application-level vulnerabilities were deemed the most dangerous emerging threat and more than half admitted to finding it difficult to resource ongoing vulnerability and threat management in-house.
At Berkeley, George Strait, the university’s associate vice chancellor of public affairs, told local newspaper the Oakland Chronicle that he wished “that computer security could be 100%, but in this day and age, it can’t be.” He said the university would bolster its routine system vulnerability checks and seek to improve departmental compliance with existing patching policy.
The acceptance that security can never be faultless is widespread among security experts such as Colm Murphy, technical director at Espion, an IT security services and training company which runs “ethical hacking” courses (see box). “In large networks, it just isn’t realistic to have everything patched and up to date. There will always be a window of opportunity for the attackers.”
Given the scale of the task, the best way for organisations to mitigate the possibility of a serious breach is to focus their attention on their system’s most critical areas, paying particular attention to known areas of weakness. To this end, the SANS (SysAdmin, Audit, Network and Security) Institute, a US organisation that researches vulnerabilities and trains security professionals, releases an invaluable list of the “Top 20” areas of Windows and Unix system vulnerabilities every year in October (see table).
The complete list (see www.sans.org/top20), which is not in any order of severity, contains over 230 individual vulnerabilities. New entrants this year include flaws in Windows instant messaging and version control systems in Linux. Alan Paller, the SANS Institute’s director of research, says the key lesson that users should draw from the list is “know your system intimately”. He also recommends that management looks “outside the toolbox” to information-sharing communities for trends and alerts, and “updating when necessary” with patches or by disabling insecure systems.
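Knowing the system intimately, and checking departmental compliance with a patching policy, comes down in practice to comparing what is actually installed against a baseline of minimum acceptable versions. The script below is an added illustration, not code from the article or from SANS: the baseline entries, hostnames and version numbers are constructed for the example and are not taken from the Top 20 list. It also shows the one trap such scripts routinely fall into, comparing version strings as text, where "3.10" sorts before "3.9".

```python
"""Patch-baseline compliance check (added illustration; all data constructed)."""
import re
from dataclasses import dataclass

# Constructed baseline: the minimum acceptable version of each service, standing in
# for the list of "known areas of weakness" an organisation would derive from
# published vulnerability lists. Names and versions are hypothetical.
BASELINE = {
    "openssh": "3.9",
    "sendmail": "8.13.1",
    "cvs": "1.11.17",
}

# Constructed inventory, one "host service version" line per installed service,
# in the shape a scanner or configuration-management export might produce.
INVENTORY = """\
db01 openssh 3.7.1
db01 sendmail 8.13.1
web01 openssh 3.9p1
web01 cvs 1.11.10
vis-laptop openssh 3.10
vis-laptop cvs 1.11.17
"""


def parse_version(version):
    """Turn '3.9p1' into a tuple that compares correctly.

    Each dot- or dash-separated piece becomes (number, suffix): numbers compare
    numerically, so 3.10 > 3.9, and a patch suffix sorts after the bare release,
    so 3.9p1 > 3.9. Plain string comparison gets both of these wrong.
    """
    parts = []
    for piece in re.split(r"[.\-]", version):
        match = re.match(r"(\d+)([A-Za-z].*)?$", piece)
        if match:
            parts.append((int(match.group(1)), match.group(2) or ""))
        else:
            parts.append((0, piece))  # non-numeric piece: compare as text
    return tuple(parts)


@dataclass
class Finding:
    host: str
    service: str
    installed: str
    required: str


def check_compliance(inventory_text, baseline):
    """Return one Finding per installed service older than the baseline."""
    findings = []
    for line in inventory_text.splitlines():
        if not line.strip():
            continue
        host, service, version = line.split()
        required = baseline.get(service)
        if required is None:
            continue  # service not covered by the baseline; nothing to compare
        if parse_version(version) < parse_version(required):
            findings.append(Finding(host, service, version, required))
    return findings


def hosts_out_of_policy(findings):
    """Distinct hosts with at least one out-of-date service, sorted for reporting."""
    return sorted({f.host for f in findings})


if __name__ == "__main__":
    results = check_compliance(INVENTORY, BASELINE)
    for f in results:
        print(f"{f.host}: {f.service} {f.installed} is below required {f.required}")
    print("hosts out of policy:", ", ".join(hosts_out_of_policy(results)))
```

Run against the constructed inventory, the check flags db01 (OpenSSH 3.7.1) and web01 (CVS 1.11.10); the visiting scholar's laptop passes only because its inventory line exists at all, which is the real lesson of the Berkeley case: a machine that never appears in the inventory is never checked.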
“All it takes is for an implementation or modification of a service to be neglected or not performed to the same standard and holes can appear which hackers can exploit,” says Phil Robinson, chief technology officer of Information Risk Management (IRM), an IT security consulting and services company. “So it’s not often the technology that fails, it’s poor design, change control, implementation, and/or policy.” He warns that many organisations fail to stress the importance of good Internet usage to new starters.
Forrester Research found large US financial institutions spend an average of $5 to $10 per employee on raising awareness of online security threats. Other advice from those who have the greatest incentive to get IT security right includes having a central information security (IS) department which focuses on strategic tasks such as risk assessments, policy formulation and product recommendation, while individual projects are budgeted and managed by other IT teams.
SECURITY, NOT OBSCURITY
Although Berkeley’s breach occurred on 1 August 2004, it was not revealed for some months so as not to impede the FBI’s (ongoing) investigation. The unwanted publicity was required by a Californian law that ensures people are notified if their personal information has been stolen.
Although similar laws exist elsewhere, any announcements of exposure are few and far between.
“People are afraid to share information,” says the SANS Institute’s Alan Paller. He says the phenomenon of criminals using the threat of ‘denial of service’ (DoS) attacks to extort money from online businesses is “an epidemic of crime” most are ignoring. “The reason it is working is people don’t want other people to hear about it.” He says as many as 7,000 companies are paying up an average of $40,000 because they lack faith in law enforcement’s ability to protect them.
BlueSquare, a UK online gambling site, faced one such threat in late October but with an added twist: as well as the usual DoS attack, the extortionists threatened to send out emails containing child pornography in the company’s name unless they were paid €7,000. “We’ve had demands ranging down from £40,000 to £3,000 so we see no pattern,” says Peter Pedersen, BlueSquare’s chief technology officer. “I’ve lost count of how many times we’ve been threatened like this.”
Although the company has provisioned extra bandwidth to help withstand a DoS attack, and has a strict security policy and well trained staff, the site was out of action for a few hours while the company monitored the attack. Pedersen says he plans to “continue doing exactly the same thing” to mitigate future threats – which includes not giving in to the demands.
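Monitoring an attack of the kind BlueSquare describes means watching request rates in two ways at once: per source address, to catch a single flooding host, and in aggregate, to catch a distributed flood in which no individual address looks abnormal. The following sliding-window monitor is an added example, not BlueSquare's tooling or anything described in the article; the traffic, the addresses and the thresholds are constructed for illustration.

```python
"""Sliding-window request-rate monitor (added illustration; constructed traffic)."""
from collections import defaultdict, deque
from dataclasses import dataclass

WINDOW_SECONDS = 10.0
PER_SOURCE_LIMIT = 20   # hypothetical: more than 20 requests/window from one address
GLOBAL_LIMIT = 60       # hypothetical: more than 60 requests/window in total

LEGIT_IPS = ["10.0.0.1", "10.0.0.2", "10.0.0.3"]   # constructed client addresses
ATTACKER_IP = "198.51.100.7"                          # constructed (documentation range)


@dataclass
class Alert:
    t: float
    kind: str     # "per-source" or "global"
    source: str   # offending address, or "*" for a global alert
    count: int    # requests seen in the window when the alert fired


def legit_traffic(seconds=30):
    """Constructed baseline: one request per second from each legitimate client."""
    return [(float(t), ip) for t in range(seconds) for ip in LEGIT_IPS]


def build_single_source_flood():
    """Baseline plus one address sending five requests per second for ten seconds."""
    flood = [(t + k / 5, ATTACKER_IP) for t in range(10, 20) for k in range(5)]
    return sorted(legit_traffic() + flood, key=lambda e: e[0])


def build_distributed_flood():
    """Baseline plus fifteen addresses each sending one request per second:
    every source stays under the per-source limit, only the aggregate is abnormal."""
    bots = [f"203.0.113.{i}" for i in range(1, 16)]   # constructed addresses
    flood = [(t + 0.5, ip) for t in range(20, 30) for ip in bots]
    return sorted(legit_traffic() + flood, key=lambda e: e[0])


def detect(events, window=WINDOW_SECONDS, per_source=PER_SOURCE_LIMIT,
           global_limit=GLOBAL_LIMIT):
    """Walk (timestamp, source) events in time order and raise each alert once.

    A deque per source and one for all traffic hold the timestamps inside the
    trailing window; anything older than `window` seconds is evicted on each
    new event, so memory is bounded by the request rate, not the log length.
    """
    per_src = defaultdict(deque)
    everything = deque()
    alerts, flagged = [], set()
    global_flagged = False
    for t, src in events:
        q = per_src[src]
        q.append(t)
        while q[0] <= t - window:
            q.popleft()
        everything.append(t)
        while everything[0] <= t - window:
            everything.popleft()
        if len(q) > per_source and src not in flagged:
            flagged.add(src)
            alerts.append(Alert(t, "per-source", src, len(q)))
        if len(everything) > global_limit and not global_flagged:
            global_flagged = True
            alerts.append(Alert(t, "global", "*", len(everything)))
    return alerts


if __name__ == "__main__":
    for name, events in [("single-source", build_single_source_flood()),
                         ("distributed", build_distributed_flood())]:
        print(name)
        for a in detect(events):
            print(f"  t={a.t:5.1f} {a.kind:<10} {a.source:<14} count={a.count}")
```

In the single-source scenario the offending address trips the per-source limit before the aggregate limit does; in the distributed scenario only the global alert fires, which is why a monitor that tracks per-address rates alone is blind to exactly the kind of flood an extortion crew is most likely to rent.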
Only armed with knowledge – of their own systems, of others’ experiences and of new developments – can even well-secured organisations protect themselves from the kind of attacks that hit Berkeley and BlueSquare.