Information easily accessed.

Digital Terrorism

NETWORK SECURITY IS BECOMING A CRITICAL PART OF NATIONAL SECURITY

July 31st, 2006

 

Hunter Holcombe


It didn’t take the significant hack of a State Department database last month to serve as a wake-up call that the vulnerability of digital data has become an alarming reality in today’s information infrastructure. The news has been filled in recent years with dozens of high-profile data thefts and network breaches – the massive Veterans Affairs theft of confidential information from 20 million people, several instances of credit card company theft, as well as many other cases of both government and industry data breaches.

Yet the State Department theft upped the ante, with the fact that it is such a critical source of confidential information and because hackers may have had access for up to a month before being detected.

With this as an example of what is possible in today’s digital-based information world, the protection of critical information is clearly becoming a rapidly increasing concern in maintaining security against both terrorist threats and bona fide foreign militaries. The Pentagon, for example, has warned that the Chinese government may have a dedicated task force of hackers with the sole purpose of breaking into other government databases.

With network-based information and communication at the heart of modern military defense, let alone protecting the secrets of infrastructure vulnerability, the importance of keeping potential terrorists and unfriendly governments out of critical databases is clear.

But while traditional information protection has been based on external security – firewalls, anti-viral programs and patch management - the evolution of hacking and the vulnerability of unmanaged devices have made internal attacks an increasingly dangerous reality. Not only are networks at risk by those intentionally working from the inside, but often hackers are able to exploit vulnerabilities in intrusion software and use an employee’s access without them even aware of their complicity. Often, traditional security cannot detect this kind of break-in for days or even weeks. And, by then, the hacker has long gone.

To keep up with the increasing skill of hackers – either those that are working for personal financial gain or those that could be hired by a terrorist group or hostile government – IT security firms are in a race to come up with new detection technology that aims to detect and stop intrusion within seconds.

Counterstorm, a government-contracted firm focused on eliminating internal network breaches, has developed a new device that does just this, and says new methods of network traffic detection can prevent the kind of long-term infiltration experienced at the State Department.

Homeland Security Weekly sat down with Matt Miller, Counterstorm’s vice president of engineering, and Michael Rothchild, director of marketing, to talk about the State Department break-in, the vulnerability of critical information, and the new arms race of network security.

 

Homeland Security Weekly: Looking at last month’s State Department attack – the hackers had access to their database for about a month, but it looks like they were only able to access unclassified material. Had they been able to get at classified material for a month, what kind of damage could they do to such a huge and important database as the State Department’s?

 

Michael: There were a number of articles that came out recently which showed that 24 sub-units within the government, including the State Department, received failing grades in terms of security. We are talking Ds and Fs. We got a glimpse into it with the veterans’ information that was stolen. In a situation like that, they literally had social security numbers; all kinds of proprietary, confidential information on people. And just with that, with that small glimpse of what is possible with accessing a database of that size, literally they could do identify thefts on 20 million veterans. To give you an idea of what something like that sells for underground, if you have good credentialed information on people, which includes all of the information that they had in the case of the veterans break-in, on the black market that sells for $10 per identify. Times that by 20 million names, and you can begin to understand what kind of damage can be associated with it on the identity theft side. Would they have gotten full access to everything in the State Department? Maybe yes, maybe no. More likely not. But even such small areas as the veteran’s area can really translate to incredible amounts of hassle and financial loss. 

 

HSW: What is your perspective of what really happened at the State Department? Was it that it took the State Department months to fess up, and that they actually knew about it a lot sooner, or did it actually take them a month to sort out what was going on and deal with it? And what are the implications of that in terms of the fact that the intruders may have been able to put backdoors into the system, and are they certain that they were able to clear those all out, or are they in fact still vulnerable?

 

Matt: I think that it is telling that not very much information has been released about what actually happened, and also the timeline on which the limited information has become available. I think there is a general trend that, first of all, when an attack is targeted in nature, it is much more difficult to detect and typically takes much longer to identify in an environment. So I have no doubt that this attack may have been ongoing for some time before it was identified by the State Department.

That makes it much more difficult to clean up after the attack, because you don’t know how deeply it has penetrated the environment, or what type of back doors may have been left behind to allow future access by the attacker, so the detection and cleanup are much more difficult when an attack is targeted in nature. 

 

HSW: The Pentagon has warned that China is putting considerable efforts into hacking into other government systems in terms of shutting them down for a pre-emptive military strike. With that as a potential component of future military attacks, do you see network breaches as becoming an increasing danger? Do you see this as becoming a typical part of military strategy and, with that in mind, how will this effect companies like yourself and other network security companies – is there going to be a boom in the next five to ten years?

 

Matt: Absolutely. We do a lot of work with government agencies, and that is something that is of great concern right now, the combination of a cyber security event with a physical security event. They call this a “blended threat”. So we see it as something that they are spending a significant amount of money and resources on to be able to deal with. I think that security technologies in general can help with this and technologies like ours can certainly help with this. This is why you see the Department of Homeland Security investing in our technology; this is why you see DARPA having funded our initial technology before it came out of Columbia University. So it is clearly something they are concerned about and something that technologies like ours are poised to help mitigate. 

 

Michael: It’s something that has only been brought to the forefront of the public’s eye since 9/11 and even beyond that, but in fact, if we look at 2000, there was a study that happened to mention that the government was being hit on average by three attacks a day. So it is not a new phenomenon, I would say it’s probably accelerating, but it’s something certainly that the government is taking very seriously and putting money into at this point.

 

HSW: With the current IDS setup they have at the State Department, they can usually detect a break-in within 7-12 hours on these zero-day attacks. How does your technology cut that detection down to seconds? 

 

Matt: Our entire approach is not to rely on signatures in order to detect new attacks as they come out. With a technology like a traditional IDS that relies on signatures, it means that an attack first has to be recognized, and then a security vendor needs to create a signature, which is similar to creating a patch, and then they need to distribute that to the customers. Our approach is to use behavioral characteristics, in combination with a honey pot in network anomalies, to identify malicious activity without relying on signatures, so this enables us to detect attacks without having to constantly update it, and allows us to detect new, or what we call zero-day, attacks. 

 

HSW: When you talk about attacks happening on the internal network, are you talking about attacks that originate externally but have somehow gotten backdoor access and continued internally, are you talking about someone who has gotten physical access to the premises, or are you talking about an employee?

 

Michael: They can actually be all of those. We’ve seen instances where somebody left a default password, or there was some vulnerability in the software program, like the DMF, where people can get access to the internal network and propagate an attack.

We’ve also seen other instances were personnel are coming in on unmanaged devices, or in some cases unmanaged users, that may not have an attack signature, or are not properly patched, and are introducing that software vulnerability into the network. We’ve seen other instances such as the transit strike in New York in the winter, where people were accessing work via VPN on laptops or computers from home because they couldn’t make it into the city, so they were running on an unmanaged device.

And in other instances they are employees in the company that either knowingly or unwittingly introduce some type of worm into their environment on a device that has been compromised somehow. 

 

Matt: It is also possible for external attackers to fairly easily evade traditional perimeter security solutions, for example firewalls, intrusion prevention systems, intrusion detection systems, which are usually deployed to protect the perimeter of an organization, whether it is the federal government or a commercial enterprise.

Those can be penetrated fairly easily, and then the attack, once it’s reached the internal network, if there is no internal network security solution, can pretty much roam freely, collect sensitive information, whether it is financial information, or patient information, and usually send that out, exfiltrate that data, without being detected.

So it is usually a combination of external types of attacks that ultimately reach the interior, and sometimes, as Michael said, people with internal knowledge, whether it is third party, or even company employees, that are already on the network interior.

Enter the title of your article


Enter a short (max 500 characters) summation of your article
Enter the main body of your article
Lock
+Comments (0)
+Citations (0)
+About
Enter comment

Select article text to quote
welcome text

First name   Last name 

Email

Skip