FEATURE • COMPUTER CRIME

Automated Security
Defending against automated crime will require a new security strategy based on "controlled unpredictability."
BY DONN PARKER

Part 2 of 2.

EDITOR’S NOTE: The following is part two of a two-part article on automated crime and security. Part 1 appeared in the September issue of Information Security. This article is adapted from Fighting Computer Crime: A New Framework for Protecting Information (ISBN 0-471-16378-3). © 1998/1999 John Wiley & Sons Inc. Reprinted with permission. For more information on this book, call 1-800-CALL WILEY or visit www.wiley.com.

Over the past 75 years, technologists have structured many business processes to run automatically. Payroll and direct deposits, accounts payable and receivable, inventory control and other common business transactions are routinely automated to eliminate the need for human intervention. As I discussed in Part 1 of this article, it is now possible to automate crimes in much the same manner. For the first time in human history, a crime designer can create and package a crime that anybody can possess, not just commit or execute. Packaged as a single computer program, such a tool could select its victims, perpetrate a criminal act, convert a victim’s losses to a perpetrator’s irreversible gain and erase all evidence of its existence—all without the knowledge or intervention of the designer, perpetrator or victim.

Since automated crime occurs in computer time before the victim ever knows what happened, the solution to fighting automated crime is automated security. But before we can develop effective defense and response mechanisms, we must first understand the anatomy of an automated crime.

Anatomy of an Automated Crime
A fully automated crime involves six steps, all carried out by a program or suite of programs executed automatically, in sequence, without human intervention (see box below). This six-step process is only one scenario of how an automated crime could take place; many variations are also possible. Taken as a whole, the process provides a basis for organizing automated security.

Since I detailed each of these crime steps in Part 1 of this article, I’ll only review them briefly here. To accomplish the first two steps, the computer criminal could deploy a network probe such as SATAN (Security Administrator Tool for Analyzing Networks), which can automatically probe many networked UNIX hosts. While a human must deploy SATAN—that is, set the wheels in motion—the program itself automatically does the rest of the work. The SATAN probe contacts the target host using TCP/IP application protocols such as SMTP, FTP or RPC. Once a connection is made, it explores the security posture of the targeted system. With additional programming, the tool could be extended to decide which of the vulnerabilities it finds to pursue. The first version of SATAN probes for 15 well-known vulnerabilities, and the program’s source code is available as freeware, making it easy for any competent programmer to modify SATAN to exploit the vulnerabilities it finds.

Using a technique such as IP spoofing, the tool could then impersonate a trusted computer and, using the discovered vulnerability, gain root authority (Step 3). Step 4—engaging in abusive or criminal activity—can be accomplished in any number of ways. For instance, a logic bomb could execute on a privileged basis when specific conditions are met within the target system. Or, the crime program could use a Trojan-horse technique to temporarily insert secret instructions into victim application programs.

Step 5 of the automated crime is conversion to criminal gain. (Note that "gain" may merely mean the satisfaction of sabotaging the target computer, with no removal or misuse of information.) To successfully execute Step 6 (eliminating evidence), the crime designer needs to deal with the possibilities of backups, shadow and mirror copies, audit and transaction logs, postings, residual data in peripheral buffers, output, printer buffer memories and data remaining in unassigned disk sectors.

The Six Steps of Security
My proposed methodology for automated security also has six steps (see box, below), each designed to counteract its corresponding automated crime step. This methodology, like the automated crime process it mirrors, is only one indication of what automated security will require. By necessity, the framework presented here is high-level and general. The actual ways in which automated security will be implemented in tomorrow’s enterprise will depend on future automated crimes as well as forthcoming developments in security technologies and management processes.

In Step 1, security system designers must address the crime’s initial search for a victim system. This process could begin with disguising a computer system with an innocuous name or response and buffering it from the external cyberworld with a firewall. Firewalls serve as network gateway computers and security buffers that filter all incoming and outgoing messages. Network designers can further insert filtering software directly into network servers, hubs, switches and routers to limit the transmission of harmful information. Firewalls and filters can limit malicious programs that could modify or become resident among accepted programs in networked computers. They can further restrict automated crime communications according to times, addresses, sources and destinations.

However, since it may be impossible to completely "hide" a system from an intelligent network probe, Step 2—avoiding discovery of an exploitable vulnerability by an intrusion program—requires procedures to (a) detect attackers’ programs within targeted computers and (b) prevent discovery and malicious use of vulnerabilities. Automated security systems can accomplish this by using vulnerability assessment tools and updating software frequently to eliminate vulnerabilities. In addition, monitoring and detecting software anomalies can be made a part of this step.

While most organizations today use some form of traffic and content filtering devices, few take the additional step of deploying tools specifically designed to detect and thwart probes such as SATAN. Freeware examples of these tools include Courtney, developed at Lawrence Livermore National Laboratory (http://ciac.llnl.gov/ciac/ToolsUnixNetMon.html#Courtney); and Gabriel, developed by Los Altos Technologies (www.lat.com/gabe.htm). In addition, sophisticated rule- and statistics-based detection systems may be used. Examples are DIDS, developed by Trident Data Systems for the U.S. Air Force; and the experimental and more general Next-generation Intrusion Detection Expert System (NIDES), developed for the U.S. government by SRI International (www.sdl.sri.com/nides/index.html). Commercial intrusion detection systems such as Axent’s Intruder Alert, Cisco’s NetRanger, ISS’s RealSecure, Network Associates’ CyberCop and Tripwire contribute to the automated security toolbox.

When probing is detected, the security program should cut off the probe’s connections, halt whatever the attack program has set in motion and notify a security administrator or operator (most commercial intrusion detection systems can send an alert to an administrative console, or page or e-mail a remote administrator). However, if crime designers can anticipate these responses, they can build attack programs sophisticated enough to evade them. For example, crime designers will create new versions of SATAN that are invisible to current detection programs, which will prompt security developers to modify their programs to detect the new versions, which will result in still newer SATAN variants, and so on.

The third step in automated security is to prevent or stop the automated crime from taking advantage of discovered vulnerabilities. Limiting privilege in advance of any attack (least privilege) is the most desirable approach; however, not all vulnerabilities that facilitate attacks can be eliminated. While commercial IDSs such as those discussed above address Step 3 of an automated crime, they would have to be significantly extended to provide application safeguards against Step 4.

Achieving defensive depth continues with Step 4: avoiding the criminal act or, if avoidance is not possible, mitigating it to minimize loss. In general, the best way to avoid the criminal act in the first place is to introduce the principle of "controlled unpredictability" into your system defenses (see box below). Other specific defensive controls could include independent balancing to detect financial deception, checksumming to detect changed data or Trojan horses, within-range transaction checking, and other application integrity and authenticity checking procedures.

Irreversible conversion to criminal gain must be thwarted in Step 5. Examples of such conversions include unintended contractor payments, excessive overtime payments to phantom employees in payroll applications, incorrect inventory changes, unauthorized customer services and output of private or proprietary information.

Stopping criminal gain at the point of accomplishment is an important but little-addressed subject in security. It is important because the conversion process pinpoints the best and last places and times for checking the integrity and authenticity of transactions. The check can be performed independently of the application program, before any assets leave the jurisdiction of the system. Strategic points could include a check-printing queue or a file of ATM cash-dispensing codes. It could also occur at a network gateway, in a loan officer’s desktop computer or in a retail store terminal, where clerks deliver goods on credit to a perpetrator or an accomplice.
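The conversion-point check described in Steps 4 and 5, as an added example that is not part of the original article: a gate in front of a check-printing queue that recomputes each payroll payment from a roster kept outside the payroll application, holds phantom employees and out-of-range overtime, and balances the batch against a ledger control total. The record layout, roster, limits and queue contents are constructed for the example.

```python
"""Transaction gate at the conversion point (added example, not from the article).

Sits between the payroll application and the check-printing queue and checks
each pending payment against reference data the application cannot alter.
All records, rates and limits below are constructed for this example.
"""
from dataclasses import dataclass
from decimal import Decimal


@dataclass(frozen=True)
class Payment:
    employee_id: str
    regular_hours: Decimal
    overtime_hours: Decimal
    amount: Decimal


# Independent reference data, assumed to live outside the payroll system.
ROSTER = {"E100": Decimal("30.00"), "E101": Decimal("42.50")}   # employee -> hourly rate
MAX_OVERTIME_HOURS = Decimal("20")
OVERTIME_MULTIPLIER = Decimal("1.5")

# Constructed pending batch: one clean record and three kinds of bad ones.
QUEUE = [
    Payment("E100", Decimal("80"), Decimal("5"), Decimal("2625.00")),   # correct
    Payment("E101", Decimal("80"), Decimal("25"), Decimal("4993.75")),  # excessive overtime
    Payment("E999", Decimal("80"), Decimal("0"), Decimal("2400.00")),   # phantom employee
    Payment("E100", Decimal("80"), Decimal("0"), Decimal("2600.00")),   # amount inflated
]
LEDGER_CONTROL_TOTAL = Decimal("12618.75")   # batch total the general ledger expects


def expected_amount(p, rate):
    """Recompute gross pay from hours and the roster rate, not from the application's figure."""
    pay = p.regular_hours * rate + p.overtime_hours * rate * OVERTIME_MULTIPLIER
    return pay.quantize(Decimal("0.01"))


def check_payment(p):
    """Return None if the payment passes, otherwise a short reason for holding it."""
    rate = ROSTER.get(p.employee_id)
    if rate is None:
        return "unknown employee"
    if p.overtime_hours > MAX_OVERTIME_HOURS:
        return "overtime out of range"
    if p.amount != expected_amount(p, rate):
        return "amount does not recompute"
    return None


def balances(queue, control_total):
    """Independent balancing: does the batch sum to what the ledger says it should?"""
    return sum((p.amount for p in queue), Decimal("0")) == control_total


def gate(queue):
    """Split the batch into payments cleared for printing and payments held for review."""
    approved, held = [], []
    for p in queue:
        reason = check_payment(p)
        if reason is None:
            approved.append(p)
        else:
            held.append((p, reason))
    return approved, held


if __name__ == "__main__":
    ok, bad = gate(QUEUE)
    print("batch balances to ledger:", balances(QUEUE, LEDGER_CONTROL_TOTAL))
    for p in ok:
        print("PRINT", p.employee_id, p.amount)
    for p, why in bad:
        print("HOLD ", p.employee_id, p.amount, "-", why)
```

In this constructed batch the control total equals the batch sum, as it would if the ledger posting came from the same compromised application, so balancing passes even though three of the four items are bad; only the per-item recomputation against the out-of-band roster holds them. Balancing earns its keep when the two figures are produced independently and disagree, which is why the gate runs both checks.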

Finally, Step 6 involves preserving the evidence of automated crime. An automated security system could make protected copies of buffer contents, make independent write-once (append-only) backups, and protect copies of transaction registers and audit logs with encryption and integrity checks, since encryption alone hides a log’s contents but does not reveal that an entry was altered or removed. Attempting to physically remove evidence from the system to safeguard it—such as by printing or removing diskettes—would probably not be effective during an automated attack, since the automated crime would likely destroy all such evidence before victims could physically remove it.
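A protected audit log of the kind Step 6 calls for, as an added example that is not part of the original article: each record is bound to its predecessor by an HMAC over the sequence number, the previous tag and the record, so that editing, deleting or reordering an entry breaks verification. Detecting truncation additionally needs the record count (or the latest tag) kept off the monitored machine, which the example assumes; the key and the sample transactions are constructed.

```python
"""Tamper-evident audit log (added example, not the article's own design).

Each entry carries an HMAC over (sequence number, previous entry's tag, body),
so the tags form a keyed hash chain.  The key is assumed to be held by an
independent verifier, not by the machine being attacked; the records below are
constructed.
"""
import copy
import hashlib
import hmac
import json

GENESIS = "0" * 64   # "previous tag" of the first entry


def append_record(chain, key, record):
    """Append `record` (any JSON-serialisable dict) to `chain` and return the new tag."""
    seq = len(chain)
    prev = chain[-1]["tag"] if chain else GENESIS
    body = json.dumps(record, sort_keys=True)
    tag = hmac.new(key, f"{seq}|{prev}|{body}".encode(), hashlib.sha256).hexdigest()
    chain.append({"seq": seq, "prev": prev, "body": body, "tag": tag})
    return tag


def verify_chain(chain, key, expected_len=None):
    """Return (True, None) if every link and tag checks out, else (False, reason)."""
    prev = GENESIS
    for i, e in enumerate(chain):
        if e["seq"] != i or e["prev"] != prev:
            return False, f"link broken at {i}"
        want = hmac.new(key, f"{e['seq']}|{e['prev']}|{e['body']}".encode(),
                        hashlib.sha256).hexdigest()
        if not hmac.compare_digest(want, e["tag"]):
            return False, f"tag mismatch at {i}"
        prev = e["tag"]
    if expected_len is not None and len(chain) != expected_len:
        return False, f"truncated: {len(chain)} of {expected_len} entries"
    return True, None


def build_demo_chain(key):
    """Constructed transaction register for the demonstration."""
    chain = []
    for rec in [
        {"txn": 1, "acct": "4711", "amount": "125.00", "op": "debit"},
        {"txn": 2, "acct": "0815", "amount": "125.00", "op": "credit"},
        {"txn": 3, "acct": "4711", "amount": "9000.00", "op": "debit"},
    ]:
        append_record(chain, key, rec)
    return chain


def tamper_examples(key):
    """Show which manipulations the verifier catches; returns {name: reason or None}."""
    good = build_demo_chain(key)
    results = {"intact": verify_chain(good, key, expected_len=len(good))[1]}

    edited = copy.deepcopy(good)            # alter an amount in place
    edited[2]["body"] = edited[2]["body"].replace("9000.00", "90.00")
    results["edit"] = verify_chain(edited, key)[1]

    deleted = copy.deepcopy(good)           # remove a middle entry
    del deleted[1]
    results["delete"] = verify_chain(deleted, key)[1]

    truncated = copy.deepcopy(good)[:-1]    # drop the newest entry
    results["truncate"] = verify_chain(truncated, key, expected_len=len(good))[1]

    reordered = copy.deepcopy(good)         # swap two entries
    reordered[0], reordered[1] = reordered[1], reordered[0]
    results["reorder"] = verify_chain(reordered, key)[1]
    return results


if __name__ == "__main__":
    for name, reason in tamper_examples(b"example-verifier-key").items():
        print(f"{name:8s} -> {reason or 'verified'}")
```

Without `expected_len` the truncated chain verifies cleanly, which is the case an automated crime that erases its own last transactions relies on; shipping the latest tag and count to a separate host after every append closes that gap.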

The ultimate challenge of automated security, as outlined in these six preliminary steps, is to protect the use of application programs and operating systems without the need for human intervention. Today, automated security remains a concept; to be effective in a "live" environment will require significant advances in security automation.

Stopping the Perfect Crime
An automated crime is dangerous because it may be designed, developed, possessed and perpetrated by many people. Moreover, it has the potential for being the perfect crime—one with no evidence and no possibility for the victim and perpetrator to identify or confront each other. We must have an adequate information security framework to anticipate such events. Unfortunately, the traditional preservation of confidentiality, integrity and availability (CIA) cannot adequately prevent automated crime. In fact, the reason automated crime would be effective in the first place is because the possession and use of information (in this case, automated crime code) is possible without knowing the information or violating its confidentiality. A perpetrator can possess and execute an automated crime program without needing to know its contents or how it functions.

The key to defending against automated crime is understanding the characteristics of information (in all its forms) and the possible misuses and abuses of it. Today, information is vulnerable to loss in complex ways that don’t fit neatly into the traditional loss model—that is, loss of CIA from destruction, disclosure, use or modification (DDUM) of information. What about threats such as endangerment, observation, failure-to-use or deception? Information security must preserve availability and utility, integrity and authenticity, and confidentiality and possession from a much longer list of abuses and misuses.

Automated crime won’t just suddenly appear. I believe there is a slow evolution and extrapolation occurring right now, beginning with the emergence of highly sophisticated hacker/cracker tools. First, crime designers will continue to modify and enhance these tools to take advantage of new vulnerabilities. Then, they will explore what could be done once they have gained authority or control of an operating system. They will realize that copies of standard commercial applications are proliferating, and they will take advantage of the predictable contents and functions of applications as well as the standard operating systems of a wide range of victim systems. They will also see that they can exploit e-commerce to extend criminal acts in application systems to accomplish irreversible economic (and other kinds of) gain.

Possibly, the reason we haven’t seen the emergence of automated crime yet may be the absence of cooperation between several participants with different skills, knowledge, resources, authority and motives (what I call "SKRAM"). The SKRAMs of crime designers and perpetrators could be very different. Professional and white-collar criminals, who are seeing their traditional crime environments replaced with automated systems, will have to combine efforts with technologists to continue their wrongdoing. Ironically, for automated crime to be a reality, the underground will have to develop a cooperative network of resources that resembles a business supply chain. Crime designers will need the advice of expert criminals in applications and business processes, and input from network technologists and others who know how to anonymize perpetrators and convert criminal acts into irreversible gain. Surely, such cooperation will be enhanced by the communication and possibly the anonymity and absence of geographical constraints, all made possible through the Internet. In fact, one of the great dangers of automated crime is the opportunity for many people to apply their diverse talents to a single crime—and do so anonymously.

We must anticipate increasingly sophisticated automated crime and the inevitable emergence of easy-to-use computer programs that ingenious crime designers can adapt and extend into fully automated, complete criminal tools. The only viable response to fully automated crime is fully automated information security in a broader framework than that provided by the current "folk art" CIA/DDUM model. We must use the powerful but underutilized safeguard concept of unpredictability.

Automated security must take place at computer time-scale speeds before targeted victims are aware that an automated crime has commenced and ended. The victims and perpetrators will discover who won the next morning. This is the challenge facing security practitioners in the very near future.

Donn Parker, CISSP, is a senior management systems consultant (retired) for the Information Security Program at SRI Consulting.

Automated Crime & Prevention: Six Steps
For each step in the automated crime process, there is a corresponding automated security step.

AUTOMATED CRIME

1. Scan or search to find appropriate computers to attack.

2. Find the vulnerability in the selected system(s) in preparation for the attack.

3. Use that vulnerability to gain entry, resources and authority.

4. Engage in an abusive or criminal activity.

5. Convert that activity to some form of gain for the perpetrator and/or loss to the victim.

6. Eliminate evidence to avoid discovery of the perpetrator and the criminal activity, and create bi-directional anonymity among the providers, perpetrators and victims.

AUTOMATED SECURITY

1. Avoid attacks by disguising mission-critical systems, deploying security buffers and eliminating known vulnerabilities.

2. Deploy dedicated detection tools that search for indications of probing and testing for vulnerabilities, and stop such activities.

3. Stop unintended capture of privilege or authority and use of resources.

4. Detect and stop attempts to corrupt application programs, and create unpredictable environments that make corruption more difficult.

5. Detect and stop unintended transactions.

6. Gather and preserve forensic evidence of cybercrime activity.

"Controlled Unpredictability"

Over the past 30 years, I have interviewed more than 200 computer criminals in an effort to better understand what compels people to engage in computer abuse and misuse. During these interviews, I inquired about how they performed their crimes, what programs and utilities they used, why they knowingly engaged in illegal activity and how they viewed their crimes after they were caught. The goal of this research was not only to better understand the technical details of their exploits, but to determine if these criminals showed evidence of common behavioral or psychological patterns.

Few patterns emerged, and my selection of cases was not a statistically valid sample. However, an important lesson I learned from these interviews is that computer criminals universally fear unpredictable circumstances, environments and events that would cause their crimes to fail. Many criminals I interviewed consider computers to be ideal targets because they are predictable and repeatable (unlike humans) in important, exploitable ways. Conversely, for most of them, unpredictable systems would create an atmosphere of uncertainty, which usually acts as strong crime deterrent. Why attack an unpredictable system when a predictable one will pay off more quickly—and with less risk?

By nature, automated crime targets predictable—or, at least deducible—program codes and data located in predictable or determinable systems. For automated crime to work effectively, the crime designers must fine-tune their attack programs to work within very specific environments. They must know the functions and locations of every pertinent byte. Throughout the process, they assume their test environment(s) will mirror the actual target environment(s). They also rely on the fact that computers are repeatable and will perform exactly the same way each time given the same data and programs. That is why the first step of an automated crime is to find and attack computers that have the required operating system and application software—those that are perfectly predictable and repeatable in their performance.

Security practitioners can effectively and powerfully capitalize on the cybercriminals’ urgent requirement for predictable systems by periodically changing code in potential target systems and making controls function with changing and unknown parameters. Of course, such alterations are useful only if the systems preserve their correct function.

There are any number of ways that cybercrime fighters can introduce unpredictable performance into systems while maintaining their legitimacy and utility. For example, we could design source-program compilers that compile programs into polymorphic object programs. While these programs would be materially different after each compilation, they would always execute correctly, producing the correct result. Or, compilers could create dynamically self-changing programs, so that a program would differ from one execution to the next without changing the results (e.g., calculating B+A instead of A+B). Of course, special tools would be required to maintain and troubleshoot the dynamic code, possibly at the source-code level.

—Donn Parker
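The B+A-instead-of-A+B idea from the sidebar, as an added example that is not part of the original article: a small source-to-source transformer that rewrites a Python function into one of 2^n operand-order variants selected by a mask (drawn from a secret source in deployment), then checks that every variant computes the same result. It assumes integer operands, for which + and * are commutative, and the sample function is constructed; it needs Python 3.9 or later for ast.unparse.

```python
"""Polymorphic variants by operand commutation (added example, not the article's).

Rewrites commutative binary operations in a function's source so that each
build has a different shape but the same behaviour.  Assumes integer operands:
for floats or strings, + and * are not safely commutable, so a real tool would
need type information.  Requires Python 3.9+ (ast.unparse).
"""
import ast
import random

# Constructed sample program; integer-only by assumption.
SOURCE = """
def payroll(hours, rate, overtime):
    base = hours * rate
    extra = overtime * rate * 3 // 2
    return base + extra
"""

COMMUTATIVE = (ast.Add, ast.Mult)


class Commuter(ast.NodeTransformer):
    """Swap operands of the i-th commutative BinOp when bit i of `mask` is set."""

    def __init__(self, mask):
        self.mask = mask
        self.index = 0

    def visit_BinOp(self, node):
        self.generic_visit(node)                 # transform inner expressions first
        if isinstance(node.op, COMMUTATIVE):
            if self.mask >> self.index & 1:
                node.left, node.right = node.right, node.left
            self.index += 1
        return node


def count_commutative(source):
    """Number of swap sites, i.e. how many mask bits are meaningful."""
    c = Commuter(0)
    c.visit(ast.parse(source))
    return c.index


def variant(source, mask):
    """Return the source text of the variant selected by `mask`."""
    tree = Commuter(mask).visit(ast.parse(source))
    ast.fix_missing_locations(tree)
    return ast.unparse(tree)


def random_variant(source, rng=random.SystemRandom()):
    """Pick a variant unpredictably, as a build step applying controlled unpredictability would."""
    mask = rng.getrandbits(count_commutative(source))
    return mask, variant(source, mask)


def load_payroll(source):
    """Compile a variant and return its payroll() function."""
    ns = {}
    exec(compile(source, "<variant>", "exec"), ns)
    return ns["payroll"]


def all_variants_agree(source, args):
    """Check that every variant returns the same value as the untransformed program."""
    reference = load_payroll(source)(*args)
    n = count_commutative(source)
    return all(load_payroll(variant(source, m))(*args) == reference for m in range(1 << n))


if __name__ == "__main__":
    m, src = random_variant(SOURCE)
    print(f"mask {m:0{count_commutative(SOURCE)}b}:\n{src}")
    print("all variants agree:", all_variants_agree(SOURCE, (80, 30, 5)))
```

Operand order is the most modest form of the idea; the same mask-driven approach extends to reordering independent statements or renaming locals, and the `all_variants_agree` check is the discipline the sidebar insists on: an unpredictable system is only a safeguard if it stays correct.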