
Critical Infrastructure Protection in Homeland Security: Defending a Networked Nation, Second Edition. Ted G. Lewis. © 2015 John Wiley & Sons, Inc. Published 2015 by John Wiley & Sons, Inc.

7 Cyber Threats

A cyber threat is a hazard to a computer or computer network: a potential attack that preys on weaknesses or flaws in hardware and software. An exploit is an unauthorized action performed on an information system such as a corporate network, desktop PC, enterprise server, web site, factory control system, Supervisory Control And Data Acquisition (SCADA) network, or home computer. A zero-day exploit takes advantage of a flaw that the vendor and defenders do not yet know about, so no patch exists for it. A remote exploit is unauthorized access to an information system from a distance, across a network.

There are many varied types of threat, ranging from malicious software designed to penetrate entire systems, to phishing e-mails designed to trick users into giving out personal information, to numerous other exploits whose aims run from nuisance to serious theft of intellectual property, financial gain, and espionage. Perhaps the worst exploit is a rootkit, because it yields complete control of a computer to the attacker, hides itself from the operating system's own tools, and usually requires a complete rebuild of the victim machine to remove with confidence. We will categorize all of these as malicious software to keep the terminology simple.

This chapter is about exploits: the potential unauthorized acts against the information technology (IT) sector for the purpose of gaining control, stealing information, destroying data, and denying service to the authorized users of IT systems. We assume that the information systems of greatest interest are nodes connected to one another via the Internet. The links connecting these nodes are any transmission control protocol/Internet protocol (TCP/IP) connection, whether wired or wireless. However, because of digital convergence, the Internet connects not only Web-based systems but also non-Web systems such as factory control, energy and power grids, and transportation systems. The IT sector provides an infrastructure for almost every other Critical Infrastructure and Key Resources (CIKR) system.

We must assume a highly percolated Internet as described in Chapter 6. This heightens the threat because, as illustrated earlier, percolation is a form of self-organized criticality that magnifies the consequences of normal accidents. It must be assumed that malicious software can reach all parts of the Internet at very little expense, time, or effort on the part of the perpetrator. This assumption carries over to interdependent systems that use the Internet, such as energy pipeline systems, the power grid, the banking system, transportation systems, and municipal water systems. This interdependency makes the study of cyber threats of the highest importance.

In this chapter, the following concepts are explained through a combination of theory and real-world example:

• The cyber threat is real: estimates of the financial impact of computer hackers and crackers on the US economy range from US$200 million per year to hundreds of billions. Regardless of the wide range of estimates, IT systems are under almost continual attack and will continue to be attacked, because the Internet was never designed to be secure and the rewards of attacking the IT sector far outweigh the costs.

• Cyber thieves are generally divided into several major groups: script kiddies are inexperienced novices seeking notoriety, black-hats are knowledgeable hackers seeking fame and fortune, and crackers are even more knowledgeable criminals that pose even more severe threats, typically international thieves and militants. A relatively new kind of attacker, the nation-state hacker, joined the list of malicious perpetrators when Stuxnet was launched to sabotage the Iranian nuclear program. Attacks are euphemistically called exploits because cyber criminals and nation-states attempt to exploit weaknesses in information systems.

• The tools of the exploit trade are viruses (malicious self-replicating programs that need a user action to run), worms (malicious self-replicating programs that activate themselves and spread via the network), phishing (defrauding the user via e-mail or fake web pages), and more recently, weaponized bots (offensive worms like Stuxnet). These tools are used to render a web site unusable by denying access (DoS, denial of service), infect files and databases, cause loss of information, destroy industrial control systems, and stop or lower workers' productivity. In some cases, an exploit results in the attacker remotely taking control of a target computer for financial gain or to cause physical damage.

• Break-ins typically begin with a minor infraction such as an unauthorized login and escalate to more serious ones using backdoor programs (malicious programs stored on the victim's computer for later remote access), Trojan horses (deceptive programs that look innocent but are actually malicious), and zombies (other people's computers that are used to launch attacks on still more computers). Weaponized worms and viruses are more focused: they attempt to damage or take control of a specific target, such as a power plant, water treatment plant, or uranium enrichment facility.

• Viruses are an older technology typically used to infect disks and application software. A worm is the more likely type of exploit to spread like an epidemic throughout the IT sector, because of TCP/IP flaws, unattended ports, weaknesses in operating systems and e-mail, and miscellaneous flaws in software at all levels. Bots are malicious programs that inhabit other people's IT systems and lie dormant while waiting for signals from a botherder. Bots connect to one another and to their controller, and so create a network (a botnet) on top of the Internet. Botnets lie in wait for control signals from their botherder, the owner/operator.

• The highly connected IT sector is an extreme example of a cascade network, which means it has the same vulnerabilities as the self-organized networks studied earlier: worms spread like epidemics in human populations. Of particular concern is the very high spectral radius of the Internet, which greatly magnifies the spread of malicious software. The most effective countermeasure is to harden the most-connected hubs in the autonomous system (AS) network. The spread of online worms can be virtually stopped by hardening 2–3% of all AS nodes.

Source: Lewis, T. G. (2014). Critical infrastructure protection in homeland security: Defending a networked nation. ProQuest Ebook Central, http://ebookcentral.proquest.com. Created from apus on 2020-12-10.
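The hub-hardening claim in the last bullet can be tried on a toy network. What follows is an added example written for this page, not code from the book: it grows a preferential-attachment graph as a stand-in for the AS network (no real AS topology appears on the page), estimates the spectral radius of the graph's adjacency matrix by power iteration, and then runs a simple SI-type worm simulation with and without the top 3% of hubs made immune. The network size, infection probability, number of rounds, and every other parameter are assumptions chosen for the demonstration.

```python
"""Worm spread on a hub-dominated network, with and without hardened hubs.

Added example, not from the textbook. A preferential-attachment graph
stands in for the AS-level Internet; the spectral radius of its adjacency
matrix is estimated by power iteration, and a simple SI-type worm is
simulated with the top few hubs made immune. All sizes and rates are
assumptions chosen for the demonstration.
"""
import math
import random


def preferential_attachment_graph(n, m, seed=1):
    """Undirected graph where each new node links to m existing nodes chosen
    in proportion to degree (Barabasi-Albert style). Returns {node: set}."""
    rng = random.Random(seed)
    adj = {v: set() for v in range(n)}
    core = range(m + 1)
    for i in core:                      # small fully connected seed graph
        for j in core:
            if i < j:
                adj[i].add(j)
                adj[j].add(i)
    # a node appears in `targets` once per incident edge: degree-weighted draw
    targets = [v for v in core for _ in range(len(adj[v]))]
    for v in range(m + 1, n):
        chosen = set()
        while len(chosen) < m:
            chosen.add(rng.choice(targets))
        for u in chosen:
            adj[u].add(v)
            adj[v].add(u)
            targets.extend((u, v))
    return adj


def induced_subgraph(adj, removed):
    """The graph with `removed` nodes and their edges taken out."""
    return {v: {u for u in nbrs if u not in removed}
            for v, nbrs in adj.items() if v not in removed}


def spectral_radius(adj, iterations=500):
    """Largest adjacency eigenvalue by power iteration on A + d_max*I.
    The shift makes the matrix positive semidefinite, so the Rayleigh
    quotient rises monotonically from its start value (the mean degree)
    towards the spectral radius; d_max is subtracted at the end."""
    nodes = list(adj)
    if not nodes:
        return 0.0
    dmax = max(len(adj[v]) for v in nodes)
    x = {v: 1.0 / math.sqrt(len(nodes)) for v in nodes}

    def shifted(vec):                   # (A + d_max*I) applied to vec
        return {v: dmax * vec[v] + sum(vec[u] for u in adj[v]) for v in nodes}

    for _ in range(iterations):
        y = shifted(x)
        norm = math.sqrt(sum(val * val for val in y.values()))
        if norm == 0.0:                 # no edges at all
            return 0.0
        x = {v: val / norm for v, val in y.items()}
    y = shifted(x)
    return sum(x[v] * y[v] for v in nodes) - dmax


def top_hubs(adj, fraction):
    """The most-connected `fraction` of nodes (at least one node)."""
    k = max(1, round(fraction * len(adj)))
    return set(sorted(adj, key=lambda v: len(adj[v]), reverse=True)[:k])


def simulate_worm(adj, hardened, beta=0.3, steps=10, trials=50, seed=7):
    """Mean number of infected hosts after `steps` rounds of SI spreading:
    each infected host infects each susceptible neighbour with probability
    beta per round. Hardened hosts are immune and so never relay the worm.
    Every trial starts from one random non-hardened host."""
    rng = random.Random(seed)
    candidates = [v for v in adj if v not in hardened]
    total = 0
    for _ in range(trials):
        infected = {rng.choice(candidates)}
        for _ in range(steps):
            fresh = set()
            for v in infected:
                for u in adj[v]:
                    if u not in infected and u not in hardened and rng.random() < beta:
                        fresh.add(u)
            infected |= fresh
        total += len(infected)
    return total / trials


def compare_hardening(n=400, m=2, fraction=0.03):
    """Spectral radius and worm reach with and without the top hubs hardened."""
    adj = preferential_attachment_graph(n, m)
    hubs = top_hubs(adj, fraction)
    return {
        "hubs_hardened": len(hubs),
        "lambda_max": spectral_radius(adj),
        "lambda_max_hardened": spectral_radius(induced_subgraph(adj, hubs)),
        "infected": simulate_worm(adj, set()),
        "infected_hardened": simulate_worm(adj, hubs),
    }


if __name__ == "__main__":
    for name, value in compare_hardening().items():
        print(f"{name:>20}: {value:.2f}")
```

Running the script prints the two spectral radii and the two mean infection counts. The result behind the chapter's claim is the epidemic threshold: for SIS-type spreading, an outbreak dies out when the ratio of infection rate to cure rate is below 1/λ_max, and removing a node from a connected graph can only lower λ_max. Hardening the hubs lowers it the most per node, which the simulation shows directly as a smaller reach for the worm.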

7.1 Script Kiddies and Black-Hats

A century ago, the US national economy depended on railroads and heavy industries to create wealth. Today, the US economy is heavily dependent on information, and information is captured, stored, moved, processed, and delivered by information systems. These information systems have replaced many Industrial Age physical systems with a far more fragile virtual one. The train robber has been replaced by the cyber thief and cyber fraud: the so-called script kiddies and black-hats that prey on vulnerabilities in information systems.1 Curiosity motivates script kiddies, who use automated tools readily available on the Web to probe other people's computers. More pernicious are the black-hats, people driven by more serious motivations. Hackers typically break in because they can, while crackers break in to destroy or steal information. Both are knowledgeable experts who often develop their own malicious programs, mainly worms. Cyber threats are not acts of nature; they are created by hackers and crackers.

7.1.1 Script Kiddies

Adrian Lamo, "the homeless hacker," cracked computer systems at The New York Times, Yahoo, Bank of America, Citigroup, and Microsoft using free computers at places like coffee shops and libraries. He found flaws in his victims' information systems, exploited them, and then told the companies about their vulnerabilities. Lamo may have pioneered a racket used a decade later: cyber extortion of Web companies, promising not to attack their sites in exchange for money. Lamo was eventually caught, ordered to pay approximately $65,000 in restitution, and sentenced to 6 months of home confinement plus 2 years of probation.

In a strange turn of events, Lamo exposed Pfc. Bradley Manning (now Chelsea Manning), the soldier who released classified information in the infamous WikiLeaks disclosures. Lamo reported Manning after chatting with him online for 6 days in May 2010. He notified the FBI in Sacramento, California, which led to Manning's arrest and a sentence of 35 years in prison.

Dark Dante, whose real name is Kevin Poulsen, worked for SRI International by day and hacked by night. His most famous exploit won him a brand new Porsche. In a 1990 contest, the Los Angeles radio station KIIS-FM awarded a $50,000 Porsche 944 to the 102nd caller after a pre-announced sequence of songs. When the song sequence triggered the calling frenzy, Poulsen took over the station's phone lines, blocked out all other callers, placed call number 102, and drove away with the prize.

1 Script kiddies are amateurs out for fun and glory. Black-hats are serious professionals working for financial gain.


More seriously, he hacked into an FBI database containing wiretap information, perhaps to punish the FBI. Law enforcement dubbed him "the Hannibal Lecter of computer crime." When he was captured, authorities found so many hacking devices that they compared him to James Bond. Poulsen was captured in a supermarket after a 17-month pursuit; he served 51 months in prison and was fined $56,000. Poulsen later became a senior editor at Wired News, specializing in cyber crime and cyber criminals. His most prominent article exposed 744 registered sex offenders who were using MySpace.com profiles.

7.1.2 Black-Hats

Perhaps the best-known black-hat is Kevin Mitnick, the self-proclaimed "hacker poster boy." The Department of Justice described him as "the most wanted computer criminal in United States history." Mitnick was the subject of two movies: Freedom Downtime and Takedown. Mitnick began his career as a small-time thief, hacking the Los Angeles bus-ticketing system for free rides. He then dabbled in phone phreaking, hacking the telephone system to make free long-distance calls. His online bio says, "[My] hobby as an adolescent consisted of studying methods, tactics, and strategies used to circumvent computer security."2

Mitnick was eventually caught and convicted of computer and wire fraud, including copying proprietary software. He served 5 years, of which about 8 months were spent in solitary confinement. He became a computer security consultant, author, and speaker, appearing on television and radio shows including 60 Minutes, The Learning Channel, Court TV, Good Morning America, CNN, and National Public Radio. He is the author of two books: The Art of Deception (2002) and The Art of Intrusion (2005).

7.1.3 Weaponized Exploits

According to some experts, a cyber "Pearl Harbor" is unlikely, because such an operation would be highly complex, require an extreme coordination effort, and cause dubious damage [1]. A more likely scenario is that future black-hats will use cyber attacks asymmetrically, as a force multiplier in concert with a physical attack. For example, a cyber attack might be used to interrupt emergency services, manipulate traffic control signals, or hinder disaster recovery, in concert with a bomb, a biological or chemical release, or some other physical assault.

But a cyber "Pearl Harbor" might be feasible using a weaponized exploit, as demonstrated by Stuxnet, a recombinant worm designed specifically to target the uranium enrichment facility at Natanz, Iran. Stuxnet was not the work of script kiddies or black-hats; it was the offensive work of nations. It was the first widely known weaponized worm attributed to a country, although others have preceded it. Stuxnet is interesting because of two key features: it was designed as an offensive weapon, and it is recombinant, made from several other software fragments. The uniqueness of Stuxnet is perhaps its recombinant nature; this means that future malicious software can be mutated into more powerful and sophisticated threats.

Security researchers believe Stuxnet was first deployed around 2009 and was carried into the target network on a USB memory stick inserted into a Windows computer, since the plant's control network was not connected to the Internet. A then-unknown (zero-day) flaw in how Windows handled shortcut (.lnk) files made the worm run as soon as the stick's contents were displayed, and further Windows flaws let it spread inside the network. Stuxnet was also signed with code-signing certificates stolen from two legitimate hardware vendors, so that its drivers passed the checks that were supposed to keep unauthorized code out. It targeted the Siemens industrial control system (the Step7 software and the programmable logic controllers it programs) controlling the centrifuges at Natanz. By commanding the centrifuges to spin at speeds outside their safe range while replaying normal readings to the operators, the exploit destabilized and destroyed them.

Stuxnet is an example of recombinant malware; by one estimate it was 10 times more complex than existing viruses. It combined a 2008 Windows exploit with code related to the Zlob Trojan, a 2009 print spooler exploit, and a Siemens Step7 password exploit. A typical computer virus is perhaps 15,000 lines of code. Stuxnet exceeded 500,000.

Governments are becoming a bigger threat to the Internet than script kiddies and black-hats. In May 2007, President Bush authorized the National Security Agency (NSA) to attack the cellular phones and computers operated by insurgents in Iraq, who were posting videos of roadside bomb attacks on the Internet to recruit followers [2]. NSA operators hacked into the insurgents' network and sprang a trap set up by waiting U.S. soldiers.

A dispute between the Russian Federation and neighboring Georgia over South Ossetia, a region on the Russian-Georgian border, produced an effective cyber exploit designed to augment physical conflict between the two countries' military forces in August 2008. It began when Georgian forces attacked South Ossetian separatist forces on August 7. Russia responded the next day by sending troops into Georgian territory. Cyber attacks on Georgian government web sites had been launched before the physical attacks; they primarily defaced public web sites and denied service to a number of others.

7.2 Tools of the Trade

The most common exploits prey on flaws in software programs and hardware. Because of the complexity and size of most software in use today, many flaws or "holes" exist in operating systems, application programs, and the hardware they run on. Software flaws, called defects, are often discovered years after consumers have deployed the software.

2 http://mitnicksecurity.com/media/Kevin_Mitnick_Bio_BW.pdf


Once a defect is discovered, the software manufacturer may offer a repair, a patch, that fixes the problem. Unfortunately, many patches are never installed, leaving the information system vulnerable. One of the most effective countermeasures against cyber attack, the patch, is often overlooked.

Hackers and crackers use a variety of methods to penetrate corporate and home systems. One of the oldest is war dialing: the attacker programs a computer to dial through a range of telephone numbers until a modem answers. Once a modem tone is detected, the war dialer repeatedly tries login and password combinations, taking candidate passwords from an English dictionary. If the password is a proper English word, the dialer will eventually find it. The same idea is applied to e-mail and other network accounts: trying user names and dictionary passwords until an account with a weak password is found.

War dialing is a tedious brute-force way of breaking into someone's computer, but since a computer does the work, it is easy and inexpensive for the attacker. Today the large number of open wireless access points encourages a variation of war dialing called war driving. A mobile attacker equipped with a laptop drives around a neighborhood until an 802.11 Wi-Fi signal is detected, and then tries a series of user names and passwords (generated from a dictionary) against whatever logins the network exposes, until one succeeds.

Once in, a hacker or cracker will attempt to escalate his or her access privileges. Can the invader open up password files to get more user names and passwords? Can he or she intercept other user’s e-mail? Is the victim’s address book unprotected? Is the corporate database accessible from the login?

In some cases, the professional cyber thief will store a program on the cracked system for use at a later time. This is called a backdoor: a program that the attacker activates from outside the security perimeter of the cracked system. A backdoor may lie dormant for a long period before it is activated, or may activate itself periodically. It can look like an authorized part of the system while in fact being destructive. A Trojan horse program is a deception: it looks valid, but it is not.

War dialing and war driving are not the only means of hacking into a system. A large number of exploits come from employees or trusted associates, the so-called insiders. But perhaps the most disturbing exploits come from outside the organization. If information systems can be attacked from anywhere in the world, no infrastructure sector is secure. Anyone in the world can attack any Internet-connected system located anywhere else with inexpensive equipment and knowledge of how computers and networks operate. In fact, the construction of malicious programs for carrying out remote exploits has become a cottage industry of virus, worm, and Trojan horse developers.

Attacks from inside the organization and its information system perimeter are called insider attacks. Whether an attack comes from inside or outside, exploits are not difficult to initiate. The tools already exist, and for the most part, they can be acquired at little expense. Many of these tools are available from the Web itself. They fall into the following general categories:

• Virus programs (user-activating software that spreads via files, etc.)

• Backdoor programs (black-hat takes remote control).

• Trojan horse programs (deceptive software).

• Worm programs (self-activating software that spreads via a network)

These tools are used for a variety of nefarious activities, including, but not limited to the following:

• Stealing passwords or credit card information

• Taking control of a remote computer or network

• Destroying or corrupting files and databases

• Using a remote computer to spread viruses and worms to others

• Turning a remote computer into a zombie—a computer that launches a subsequent DoS attack on a web site or corporate network.

A virus is a malicious self-replicating program. A worm is a malicious self-replicating program that spreads through a network. A Trojan horse is a data file or program containing a malicious program; it appears to be harmless but actually does damage. Let us consider viruses, worms, and Trojan horses as all the same: malicious software used by hackers and crackers to damage or take control of information systems. In the following description of exploits and how they work, we will treat viruses, worms, and Trojan horses as tools of the black-hat trade.

7.2.1 The First Exploit

In 1988, Robert Tappan Morris, a 23-year-old PhD student at Cornell University in Ithaca, NY, released the first Internet worm from a machine at MIT in Cambridge, MA, to disguise its origin. The worm quickly infected and disrupted an estimated 6,000 computer systems and their users across the US. In some cases, the worm forced sites to disconnect from the Internet to stop it.

How did this happen? Morris had discovered flaws in common network services of the Unix hosts that made up the Internet, which allowed him to gain unauthorized access to machines all over the network. Once inside a target machine, the worm used the machine's host tables and its user names and passwords to find new victims. The worm copied itself onto other machines, where the process was repeated.

The worm attempted three exploits on target machines, as follows:

1. Exploit trust between machines: log in to hosts that trusted the infected one (via the rsh and rexec remote-command services), guessing weak account passwords from a built-in word list when needed

2. Force a buffer overflow in the finger daemon (fingerd), which inadvertently handed control of the target to the worm

3. Use the debug mode left enabled in the sendmail mail server to make it execute commands that fetched and started the worm on the target

Morris was caught and charged under the Computer Fraud and Abuse Act. He was convicted in January 1990 and sentenced on May 4, 1990, in Syracuse, New York, to 3 years of probation, a $10,050 fine, and 400 hours of community service. Estimates of the financial loss range from $100,000 to $10,000,000. Today, Morris is an accomplished computer scientist working at a university.

The Morris exploit illustrates several features of cyber threats. First, flaws in the software of networked computers make it possible for hackers and crackers to gain access to remote machines; cyber threats depend on these flaws to gain a foothold. Second, the malicious program replicates by copying itself onto other vulnerable machines. In other words, a computer virus or worm works much as a biological virus or parasite does: it reproduces itself and travels to a new host, where the process is repeated. Malicious programs can infect many remote systems at the speed of the Internet. Third, this historical example illustrates what is still true: hackers may cause millions of dollars of loss, but they typically get modest sentences.

Viruses existed long before worms. In the early days of the PC, viruses traveled by infecting floppy disks, document files, and application programs. They did not depend on the Internet; they spread through physical contact. One of the oldest exploits used a special area of a disk, the boot sector, which the PC reads into memory at startup. When an infected disk was booted, the infected boot code was loaded into main memory and from there copied itself onto every other disk inserted into the PC. The virus spread to new machines whenever a user shared a disk with another user. Today a computer user inadvertently activates a virus, whereas a worm spreads on its own.

Other viruses work through other vectors. A virus might attach itself to a document file, such as an Excel or Word file. Wherever the file goes, the virus goes too. The user activates the virus when the file is loaded into his or her computer. Trojan horse viruses frequently traveled this way before the Internet became widely used.

Microsoft Office products allow a programmer to embed a program, called a macro, inside a Word or Excel document.3 When activated, macros perform routine tasks or add capability to the Office application. But macros are a vulnerability in Microsoft products because a macro can be a Trojan horse. A hacker can embed a malicious macro in a Word document and send it as an attachment to millions of personal computers. When a user opens the attachment and allows the macro to run, it activates and does its damage.

Worms can be thought of as mobile viruses: they copy themselves onto target computers but do not require a user to run them. They are a favorite of black-hats because they can infect much of the Internet with little time, effort, or expense on the part of the attacker. Hence worms pose an asymmetric threat to the Internet, SCADA networks, financial networks, power grids, and telecommunication networks.

Worms can do anything that any other software can do. Worms have been known to e-mail the entire contents of a victim's hard disk to others, install a backdoor Trojan horse on the victim's computer, observe and record a user's keystrokes (a key logger), launch DoS attacks, disable anti-virus software, and steal or destroy a victim's files. Worm exploits were the most frequent type of exploit in 2004 but have declined in use since 2005.

There are five fundamental ways that worms propagate from computer to computer:

1. Fundamental flaws in TCP/IP

2. Unprotected or open input/output ports on target machines

3. Operating System flaws: Buffer Overflow exploits

4. E-mail protocols and attachments

5. Flawed applications and system software

7.2.2 TCP/IP Flaws

In Chapter 6, we surveyed TCP/IP's history and observed that it was designed over 30 years ago to enable the US to regain leadership in missile technology, save money by sharing expensive computers among university and research labs, and withstand thermonuclear attack from the former Soviet Union. But it was not designed to withstand cyber attacks. Unfortunately, there are many known flaws in TCP/IP that make it extremely easy to exploit.

Each IP packet carries both a source and a destination address. The source address identifies the host that sent the packet, and the destination address identifies the intended recipient. These addresses travel in the clear: anyone positioned to intercept the packet can read and modify them, and nothing in IP verifies that the source address is genuine, so a sender can forge (spoof) it.

3 Macros are written in Visual Basic for Applications (VBA) and run when the user opens the document in an Office application, subject to the application's macro security settings.


The ease with which any host can send packets to any address was on display when SQL Slammer stalled the largest banking network in the country in 2003. Slammer was released on Saturday, January 25, 2003. It exploited a buffer overflow in the resolution service of Microsoft SQL Server 2000 (UDP port 1434); each infected server then sent copies of the 376-byte worm to randomly generated IP addresses as fast as its network link allowed. The result was a flood of traffic between SQL Servers that crowded out other traffic on the Internet. One of the infected computers happened to be connected to the Bank of America ATM network, and when it stalled, so did the ATM network.

The Bank of America ATM network was affected because the bank's financial network and its Internet access were hosted on the same machine. The worm got past that machine's firewall, and the machine became flooded with millions of short messages. Normally it exchanged information between the ATM and non-ATM networks, but on Monday morning the server was so loaded down with Slammer traffic that it was useless. All 13,000 Bank of America ATMs were unusable until port 1434 (the port Slammer used) was filtered.

Another flaw in TCP/IP is responsible for a different type of DoS attack. SYN flooding works because TCP/IP was designed to be simple, not necessarily flawless. SYN flooding is possible because of the three-way handshake TCP uses to establish a connection between two computers A and B. Figure 7.1 shows what is supposed to happen, and what can happen when SYN flooding is used to overload a server with a ceaseless stream of unresolved SYN messages.

In Figure 7.1, system A (sender) initiates a connection to system B (receiver) by sending a SYN segment.4 System B responds within a reasonable time by returning a single segment with both SYN and ACK set (a SYN-ACK), and records the pending connection as half-open. System A's confirming ACK completes the three-way handshake, and only then does system A send its data to system B.

But what if the three-way handshake never completes? The protocol is exploited when system A never returns the ACK corresponding to its initial SYN. A and B exchange SYN and SYN-ACK as before, but the receiver never gets the final ACK. Instead, system B receives a stream of further SYNs. Each one costs B a slot in its table of half-open connections, which B must hold until a timeout expires. Once that table (the backlog) is full, B drops new SYNs, including those from legitimate clients, so no new connections can be made.

SYN flooding is an elementary denial-of-service exploit. If millions of SYNs are sent to a single receiver, both the network and the receiving system get bogged down with handshaking, leaving little capacity to process valid messages. The attacker can multiply the number of sending systems by hijacking zombie computers (computers taken over without their owners' knowledge). Millions of zombies can be infected with malicious software timed so that all of them send their SYN floods to the target at the same moment. The remedy is to close the port or filter the stream of SYNs coming from the zombies; note that filtering by source address only works when the SYNs carry their true source addresses, and nothing in IP guarantees that.
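The handshake and the flood described above, as an added example that is not code from the book: a toy server with a bounded backlog of half-open connections, a well-behaved client, zombie hosts that send SYNs and never ACK, and a per-source SYN filter of the kind the chapter recommends as a remedy. The addresses, port numbers, backlog size, and timeout are all made up for the demonstration. The last two scenarios show the caveat a practitioner needs: because IP does not authenticate the source address, a flood that forges a different source on every SYN is not stopped by per-source filtering, and only the timeout on half-open entries lets the backlog recover.

```python
"""TCP three-way handshake and SYN flooding as a small simulation.

Added example, not from the textbook. The server keeps half-open
connections in a bounded backlog, as a real TCP stack does, so a flood
of SYNs that are never acknowledged crowds out legitimate clients.
All addresses, port numbers and sizes are made up for the demonstration.
"""
from collections import OrderedDict
from dataclasses import dataclass


@dataclass(frozen=True)
class Segment:
    """The parts of a TCP segment that matter for the handshake."""
    src: str            # source IP address; IP does not verify it, so it can be forged
    sport: int          # source port
    syn: bool = False
    ack: bool = False


class Server:
    """System B (receiver). A SYN that cannot be queued is silently dropped."""

    def __init__(self, backlog=16, timeout=30, max_half_open_per_src=None):
        self.backlog = backlog                  # room for half-open connections
        self.timeout = timeout                  # ticks before a half-open entry expires
        self.max_half_open_per_src = max_half_open_per_src  # per-source filter (None = off)
        self.half_open = OrderedDict()          # (src, sport) -> expiry tick
        self.established = set()
        self.clock = 0
        self.dropped = 0

    def tick(self):
        """Advance time one step and expire stale half-open entries."""
        self.clock += 1
        for key in [k for k, t in self.half_open.items() if t <= self.clock]:
            del self.half_open[key]

    def receive(self, seg):
        """Process one segment and return the reply segment, or None."""
        key = (seg.src, seg.sport)
        if seg.syn and not seg.ack:                         # step 1: SYN arrives
            from_src = sum(1 for (a, _p) in self.half_open if a == seg.src)
            if (self.max_half_open_per_src is not None
                    and from_src >= self.max_half_open_per_src):
                self.dropped += 1                           # filtered: too many from one source
                return None
            if key not in self.half_open and len(self.half_open) >= self.backlog:
                self.dropped += 1                           # backlog full: the SYN is lost
                return None
            self.half_open[key] = self.clock + self.timeout
            return Segment("B", 80, syn=True, ack=True)     # step 2: SYN-ACK
        if seg.ack and key in self.half_open:               # step 3: ACK completes it
            del self.half_open[key]
            self.established.add(key)
        return None


def legit_connect(server, src, sport=40000):
    """Well-behaved client: SYN, wait for SYN-ACK, reply ACK, then send data."""
    reply = server.receive(Segment(src, sport, syn=True))
    if reply is None or not (reply.syn and reply.ack):
        return False                                        # SYN dropped: connection fails
    server.receive(Segment(src, sport, ack=True))
    return (src, sport) in server.established


def zombie_flood(server, zombies, syns_each):
    """Each zombie sends syns_each SYNs from its own address and never ACKs."""
    for z in zombies:
        for sport in range(1024, 1024 + syns_each):
            server.receive(Segment(z, sport, syn=True))


def spoofed_flood(server, count):
    """SYNs with a forged, different source address on every packet."""
    for i in range(count):
        src = "10.%d.%d.%d" % ((i >> 16) & 255, (i >> 8) & 255, i & 255)
        server.receive(Segment(src, 1024, syn=True))


def run_scenarios():
    """Outcome of a legitimate connection attempt under five conditions."""
    zombies = ["198.51.100.%d" % i for i in range(1, 5)]
    results = {}
    s = Server(backlog=16)                                   # idle server
    results["normal"] = legit_connect(s, "192.0.2.10")
    s = Server(backlog=16)                                   # zombie flood fills the backlog
    zombie_flood(s, zombies, syns_each=8)
    results["flooded"] = legit_connect(s, "192.0.2.10")
    s = Server(backlog=16, max_half_open_per_src=2)          # filter SYNs per source
    zombie_flood(s, zombies, syns_each=8)
    results["filtered"] = legit_connect(s, "192.0.2.10")
    s = Server(backlog=16, max_half_open_per_src=2)          # forged sources evade the filter
    spoofed_flood(s, 64)
    results["spoofed"] = legit_connect(s, "192.0.2.10")
    s = Server(backlog=16, timeout=5)                        # backlog recovers after timeout
    spoofed_flood(s, 64)
    for _ in range(5):
        s.tick()
    results["recovered"] = legit_connect(s, "192.0.2.10")
    return results


if __name__ == "__main__":
    for name, ok in run_scenarios().items():
        print(f"{name:>10}: {'connected' if ok else 'refused'}")
```

The per-source limit is a stand-in for the chapter's "filter the stream of SYNs coming from the zombies": it helps when each zombie sends from its real address, and fails as soon as sources are forged. A real server's backlog is larger and its timeout shorter than the toy values here, but the arithmetic is the same: the attacker needs only backlog ÷ timeout SYNs per second to keep the table full.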

DoS attacks using TCP/IP flaws are commonplace, although they are not as frequent as other exploits. But they can be dramatic. Code Red was launched against the Whitehouse web site on October 21, 2002. Within hours, it was detected on millions of computers around the globe. Here is how Code Red worked:

• The worm enters the target computer through its port 80

• It finds and infects the Microsoft Internet Information server software

• It copies itself onto other targets generated at random for 20 days

Normal Under attack

System A System ASystem B System B

Receiver ReceiverSenderSender

Send

ACK

SYN;ACK

SYN

SYN;ACK

SYN;ACK

SYN

SYN

SYN

...

figure 7.1 TCP/IP is intrinsically flawed because of its simplicity.

4SYn is short form of synchronize and ACK of acknowledge—two hold over signals from the days of teletypes and Western Union “e-mail” delivery.

Lewis, T. G. (2014). Critical infrastructure protection in homeland security: Defending a networked nation. ProQuest Ebook Central, http://ebookcentral.proquest.com. Created from apus on 2020-12-10.


• Then it goes dormant until a certain date, when all copies are activated

• All the distributed copies flood the White House server with messages

Code Red inundated the www.whitehouse.gov server with messages generated by the zombie computers it had infected at random as it spread. The number of zombies was in the hundreds of thousands, because the worm replicated itself for about 20 days before launching the DoS exploit against www.whitehouse.gov. It infected servers on all continents, including Europe, Africa, Russia, China, and North and South America.

Fortunately, Code Red used the numerical IP address of the White House server, hard-coded into the worm, instead of the symbolic name www.whitehouse.gov. The DoS attack was diverted by simply changing the Domain Name System (DNS) address book, pointing www.whitehouse.gov to a server with a different IP address, so the flood arrived at an address that no longer served the site. The White House administrators essentially spoofed the attacker.5

Code Red illustrated several vulnerabilities in the Web:

1. Port 80 (the HTTP port, used by every Web browser) was used, showing that a worm can travel through commonly used ports that cannot simply be closed

2. Code Red showed that a simple worm could cause widespread damage

3. DoS attacks are simple but effective

DoS attacks don’t destroy information or cause physical damage. They simply render the web site they attack useless. In emergency or national security crises, information and information technology systems are essential for the operation of police, fire, military, medical, power, energy, transportation, and logistical systems. Without IT systems, modern information societies are crippled, if not permanently damaged.

7.2.3 Open Ports

Code Red used port 80 to travel through cyberspace. Every networked computer has ports: numbered doors through which information enters and leaves a system. TCP and UDP ports are numbered from 0 to 65,535, but only a few are actually in use (open, with a program listening) on a given computer. Some well-known ports are as follows:

Port no.   How It Is Used
21         FTP
23         Telnet
25         SMTP
53         DNS
80         HTTP
110        POP3
443        HTTPS
1433       SQL Server

For example, port 21 is the preferred doorway to a commonly used data transfer program called FTP (File Transfer Protocol). FTP provides a fast way to transfer large files. It also provides a fast way for worms to spread by exploitation of open ports. Variants called Sasser.C and Sasser.D swept through Windows XP and Windows 2000 systems in 2004 using FTP to deliver themselves, mostly infecting home computers (500,000 to 1 million). The Sasser worm is not a single worm but a series or strain of worms whose authors modified them over time, much as a biological virus mutates as it adapts to threats.

The worm scans random IP addresses for exploitable systems. When one is found, the worm exploits the vulnerable system through a buffer overflow exploit (in Sasser's case, in the Windows LSASS service). Here is how a typical Sasser worm works:

• The worm initiates an infection by creating a remote command shell via port 9995

• The remote shell starts an FTP client on the target computer, which downloads the remainder of the malicious program from the attacking machine, thus completing the infection

• Now the infected target runs its own FTP server on port 5554, which serves the worm to the next victims and gives the attacker access to the target computer

Note that Sasser uses a combination of open ports and buffer overflow. What is buffer overflow?

7.2.4 Buffer Overflow Exploits

One of the oldest, and still most difficult, exploits to prevent is the buffer overflow exploit. Essentially, this exploit uses the fact that a computer's memory does not distinguish between data and program code: all information looks the same to the processor, so if attacker-supplied data is placed where the processor expects code, or where it expects a return address, the infected computer can be fooled into running malicious code that arrived disguised as data. In a buffer overflow exploit, a virus, disguised as data, is sent from the attacker to the victim, but once it arrives at the target computer, it turns into a malicious program! How is this possible?

Figure 7.2a shows what is supposed to happen when data enters a computer from an open port. Normally, the operating system acts as an intermediary between the outside world and the application (user) program. Input data is temporarily stored in a storage area called a buffer, which sits in memory next to a saved return address that tells the processor where to return control once the data has been transferred. After the buffer fills up, the return address is used to return control back to the user program. The user program then transfers the input data into its own processing area.

Figure 7.2b shows how a buffer overflow can be exploited to wrest control away from the operating system (and the user program) and turn control over to a malicious program. Data enters the target computer as before, but this time, it overflows the storage buffer. In fact, it writes over the return address on the stack and inserts a new return address that points back into the buffer and stack, that is, into the attacker's own input. The processor uses the hacked return address to pass control to the malicious program, which now resides in the storage buffer or stack. What was thought to be data actually turns out to be a malicious program.

5Spoofing means changing the apparent identity of a party: in general, forging the source address of packets so that they seem to come from someone else; here, the DNS answer for www.whitehouse.gov was changed so that the attacker's packets went to a different machine than the one intended.

Perpetrators of buffer overflow attacks must discover the size of the storage buffer and the location of the saved return address for each target program, either by studying a copy of the software or by trial-and-error. That is, they have to work out where to place the malicious return address and viral code. Where the layout is unknown or randomized, this is done by launching many buffer overflow attempts containing one, two, three, ... hundreds of different trial return addresses, until one works.
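The frame of Figure 7.2 in code, as an added example that is not from the original text: a C model in which the input buffer sits immediately before a saved return address, so an unchecked copy of a 24-byte input overwrites that address with an attacker-chosen value. Two defenses follow: a canary between buffer and return address (what compiler stack protectors do) detects the overwrite before the corrupted address is used, and a length check refuses the oversized input altogether. The frame layout, the placeholder return address, the canary constant and the payload are constructed for the example; the real stack frame layout varies by compiler and platform, and the overflow is modelled inside a struct so that the demo stays within its own memory.

```c
#include <inttypes.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define BUF_SIZE     16
#define LEGIT_RETURN 0x08048abcU   /* placeholder for the caller's address in the user program */
#define CANARY       0x5a3c9e17U   /* real stack protectors pick this at random per process */

/* The frame of Figure 7.2: the input buffer, then the control data that follows it in memory. */
struct frame {
    char     buf[BUF_SIZE];
    uint32_t canary;
    uint32_t ret;
};

static void frame_init(struct frame *f) {
    memset(f->buf, 0, sizeof f->buf);
    f->canary = CANARY;
    f->ret = LEGIT_RETURN;
}

/* Raw copy of len input bytes into the frame starting at buf, as an unchecked
 * strcpy/memcpy would do. Clamped to the frame so the demo itself stays in bounds;
 * the modelled frame is still smashed whenever len > BUF_SIZE. */
static void copy_unchecked(struct frame *f, const unsigned char *in, size_t len) {
    size_t room = sizeof *f - offsetof(struct frame, buf);
    if (len > room) len = room;
    memcpy((unsigned char *)f + offsetof(struct frame, buf), in, len);
}

/* Vulnerable reader: trusts the sender's length and returns whatever the frame now
 * says the return address is. */
uint32_t read_input_unchecked(const unsigned char *in, size_t len) {
    struct frame f;
    frame_init(&f);
    copy_unchecked(&f, in, len);
    return f.ret;
}

/* Stack-protector style: the overwrite still happens, but the canary is checked
 * before the return address would be used. Returns 1 if tampering was detected. */
int read_input_canary(const unsigned char *in, size_t len, uint32_t *ret_out) {
    struct frame f;
    frame_init(&f);
    copy_unchecked(&f, in, len);
    *ret_out = f.ret;
    return f.canary != CANARY;
}

/* Hardened reader: refuses input that does not fit, so control data is never touched.
 * Returns 0 on rejection, otherwise the (intact) return address. */
uint32_t read_input_checked(const unsigned char *in, size_t len) {
    struct frame f;
    if (len > BUF_SIZE) return 0;
    frame_init(&f);
    memcpy(f.buf, in, len);
    return f.ret;
}

/* Constructed attacker payload: filler for buf, filler over the canary, then the new
 * return address in host byte order (the layout the frame uses). */
static size_t build_payload(unsigned char *out, uint32_t new_ret) {
    memset(out, 'A', BUF_SIZE);
    memset(out + BUF_SIZE, 'B', sizeof(uint32_t));
    memcpy(out + BUF_SIZE + sizeof(uint32_t), &new_ret, sizeof new_ret);
    return BUF_SIZE + 2 * sizeof(uint32_t);
}

uint32_t attack_unchecked(void) {
    unsigned char p[64];
    size_t n = build_payload(p, 0xdeadbeefU);
    return read_input_unchecked(p, n);
}

int attack_canary_detected(void) {
    unsigned char p[64];
    uint32_t ret;
    size_t n = build_payload(p, 0xdeadbeefU);
    return read_input_canary(p, n, &ret);
}

int attack_checked_rejected(void) {
    unsigned char p[64];
    size_t n = build_payload(p, 0xdeadbeefU);
    return read_input_checked(p, n) == 0;
}

uint32_t honest_checked(void) {
    static const unsigned char req[] = "GET / HTTP/1.0";   /* 14 bytes: fits in buf */
    return read_input_checked(req, sizeof req - 1);
}

int main(void) {
    printf("unchecked: return address now 0x%08" PRIx32 " (was 0x%08" PRIx32 ")\n", attack_unchecked(), LEGIT_RETURN);
    printf("canary:    tampering detected = %d\n", attack_canary_detected());
    printf("checked:   oversized input rejected = %d\n", attack_checked_rejected());
    printf("checked:   honest request leaves 0x%08" PRIx32 "\n", honest_checked());
    return 0;
}
```

read_input_unchecked is the "before" of Figure 7.2b: it hands back 0xdeadbeef, the attacker's address, as the place control would be transferred. The canary variant still lets the overwrite happen but refuses to return through it; only the bounded reader keeps the attacker's bytes out of the control data in the first place, which is why fixing the copy, not just detecting the smash, is the durable remedy.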

In August 2003, the Win32/Blaster worm (a.k.a. msblast.exe) used port 135 and a buffer overflow in Windows, disclosed the month before, to spread across the Internet. Here is how the buffer overflow exploit worked:

• Exploits a buffer overflow in the Microsoft Windows RPC (DCOM) interface

• Scans 20 hosts at a time, trying to connect to port 135

• When an open port is found, the worm copies itself to the host using TFTP

• Activated whenever Windows is started (via Windows registry)

• Can force Windows to restart

RPC is the remote procedure call mechanism that allows a program on one computer to invoke a procedure on another. TFTP is Trivial FTP, a minimal file transfer protocol. The Windows registry is the database inside Windows that holds configuration settings for the system and its programs, including the Run keys that list programs started automatically at logon; that is how Blaster arranged to be restarted with Windows. The registry is one of the primary targets of hackers because a program that can write to it can make itself persistent and change security settings. Registry modification by malware is commonplace, and new exploits that end with a write to the registry appear every day.

7.2.5 DDoS Attacks

Open ports, buffer overflows, and various flaws in software provide contamination vectors for the spread of cyber viruses and worms. These vectors can be exploited in thousands of computers at once to turn innocent victims into collaborators in denial of service attacks. When harnessed together, these zombies create a distributed denial of service attack (DDoS). The DDoS is one of the most effective exploits known, but fortunately, it does less harm than an exploit that erases files or steals documents.

Figure 7.2 Buffer overflow exploits enter a computer as data but overwrite portions of the stack to fool the computer system into treating the data as executable code. (a) Information is read into a storage buffer as data and passed on to the user program. (b) Stored information overwrites the return address, pointing the computer to the previously stored information, which is now interpreted as code. [Diagram: two panels, Unprotected (a) and Unprotected (b), each showing the user program, the system program, data arriving from input port '80', the storage buffer, the return stack, and the return into the protected (privileged) system program; in (b) the return address has been replaced by a jump into the storage buffer.]

A DDoS exploit starts by infecting a large number of zombies with an idle virus that lies in wait until a certain date arrives or a signal is received. At the specified time, the zombies simultaneously flood a single target computer with meaningless data. The objective is to overload the target with messages, rendering it useless for ordinary processing. Figure 7.3 shows a diagram of the two-phase DDoS exploit.

A 15-year-old Canadian teenager using the handle MafiaBoy launched a DDoS strike against the most popular e-commerce sites in February 2000. The attack flooded Amazon.com, Buy.com, CNN.com, eBay.com, E-Trade.com, Yahoo.com, and ZDNet.com with millions of messages, resulting in an estimated loss of revenue of $1.7 billion. MafiaBoy had electronically recruited an army of compromised computers around the world, which in turn flooded the e-commerce servers with thousands of simultaneous requests for service, forcing them to shut down for several hours. The teenager was fined $250 and sentenced to 8 months in a youth detention center.

The MafiaBoy exploit illustrates how DDoS attacks work, and it also illustrates another unfortunate fact: billions of dollars of damage can be done with very inexpensive software. It does not even take a clever person to launch a DDoS attack. Anyone can download the software and turn it loose in the wild. Even more disturbing are the social consequences of hacking: an underage offender can cause billions of dollars of damage but suffer almost no punishment, or be given punishment that is extremely disproportionate to the amount of damage caused.

7.2.6 E-mail Exploits

E-mail exploits are carried out by hackers using malicious programs that predominately spread by e-mail attachment. They depend on the victim activating the virus when it arrives as an attachment. The victim activates the virus by opening it, or by saving it to his or her local storage and running it later. Such viruses typically modify the Microsoft Windows registry, which lets them restart with Windows and gives the hacker persistent access to the victim's computer.6 E-mail viruses are capable of performing all the activities that other viruses can, such as installing backdoors and key-loggers and compromising security and data integrity.

Figure 7.3 DDoS recruits innocent zombies to participate in a denial of service attack against a single target computer. (a) Phase 1: spread the worm to thousands of zombies. (b) Phase 2: zombies flood the target with messages. [Diagram: in (a) the black-hat sends the DoS worm out to a ring of zombies surrounding the target; in (b) the zombies all send traffic to the target while the black-hat stands apart.]

One of the most virulent e-mail exploits in 2002 was W32.Klez.E@mm, also known simply as the Klez virus. It spread by reading the entries in the victim's Microsoft Outlook address book. Klez tried to disable the user's antivirus programs, copy itself to network disks, and mail itself to all entries in the user's Outlook address book.

In 2003, Bugbear used e-mail attachments and a Multipurpose Internet Mail Extensions (MIME) attachment vulnerability to spread and to install a backdoor, a key-logger, and its own SMTP engine that sent spoofed e-mail using the victim's address book. Bugbear could severely damage the target computer, including deleting the user's files.

7.2.7 Flawed Application and System Software

The number of exploitable flaws in application and system software is legion. Malicious software enters a user’s computer through flaws and weaknesses as follows:

• HTML and XML as carriers of clandestine messages

• Hypertext Transfer Protocol (HTTP) may leave open access doors

• ActiveX: code from the Web can access your computer

• SMTP & POP3: e-mail can give away your password

• SNMP: manages networks but also opens them to the outside

• SOAP/XML: RPC can be used against you

HTML and XML use tags to tell a web browser such as Microsoft Internet Explorer what each piece of data means. But if Internet Explorer encounters an unknown tag, it simply skips over it and continues looking for meaningful tags. What if the unknown tag, or the data inside it, is actually a concealed message or malicious payload that another program on the victim's machine knows how to extract? Hiding one message inside another in this way is called steganography, and it has been used by spies for thousands of years to conceal messages within other messages.7 It is also a tool of hackers.

HTTP is the protocol that dictates how a web browser communicates with a web server. There are several vulnerabilities in this fundamental software. First, it communicates in the clear: transmissions can be intercepted, read, and substituted by unscrupulous people looking for credit card names and numbers. Second, HTTP 1.1 keeps connections open (persistent sessions), because repeated opening and closing of connections is inefficient. But an open session can be abused like an open port: hackers can attack the web application listening on port 80, the port used by HTTP, and once the server application is hacked, the currently running sessions of its users can be hijacked, too.8

HTTPS (HTTP over SSL/TLS, the Secure Sockets Layer and its successor Transport Layer Security) should be used instead of plain HTTP when security is important. HTTPS encrypts transmissions between server and web browser and lets the browser verify the server's identity. Most secure e-commerce applications, such as credit card purchases over the Internet, run on HTTPS encrypted sessions. Never enter a credit card number or bank account number into a web site unless the URL starts with https://.

HTTPS/SSL transmissions may still be vulnerable to ActiveX programs that are transmitted between server and desktop, because encryption protects the channel, not the content. ActiveX is a Microsoft system for downloading programs and running them on the user's computer with the user's full privileges. Signed ActiveX programs ask for the user's permission and carry a security certificate identifying the publisher. But most users grant access to every ActiveX program without knowing what each program does! The ActiveX program may be a virus that destroys information or installs other malicious programs on the user's machine. How can a user know?

ActiveX programs should not be allowed to write to a user’s local disk drive or alter a Windows registry file. Without prior knowledge of what the ActiveX program will do, granting access is like inviting a stranger to take over your house for the weekend! Web browsers can be set to block ActiveX downloads as well as data snippets called cookies, which may contain personal information.

ActiveX software has been employed by unscrupulous merchants and advertisers to promote their products and services. Called spyware for good reason, these ActiveX programs collect information about the user so that the unscrupulous merchant can target him or her for advertising, personalization, or privacy violations. For example, the Kazaa file-sharing client used by music pirates in 2003 bundled spyware onto home computers, which subsequently spammed the unsuspecting users with popup ads.

An EarthLink.com study found more than 29 million spyware-related files on 1 million of their subscribers' computers. Dell Computer customer support reported that 12% of their support calls were complaints about spyware. In 2004, Microsoft attributed 50% of reported crashes of Windows XP to spyware.

Professional black-hats possess even deeper knowledge of how computers and the Web operate. Because of this knowledge, they have devised complex exploits that go far beyond the scope of this book. Exploits involving SNMP and POP3 e-mail servers are known for exposing passwords; the network management protocol, SNMP, used to maintain the hardware of the Internet, is also vulnerable to hacks; and the SOAP/XML protocols used by e-commerce companies are vulnerable to knowledgeable hackers and crackers. The list continues to get longer, and the exploits continue to get more sophisticated.

6The registry is the database in which Windows keeps configuration settings, including which programs are started automatically and how security features are configured, for every program installed on a Windows machine.

7Steganography is the art and science of hiding information by embedding messages within other, seemingly harmless messages. It is used for both good and evil. Steganography is used to electronically protect intellectual property by embedding watermarks in digital documents, as well as to conceal secret messages.

8A session represents a logged-in user of a running application, so hijacking an open session is tantamount to acting as that user inside the application.

7.3 Botnets

In the early 1990s, clever IRC (Internet Relay Chat) programmers invented IRC bots: programs that simulated users of the IRC online community. These programs evolved into overlay networks (networks on top of the Internet), mostly for doing useful but tedious IT chores. These networks-within-networks turned black when nefarious individuals began using the technology to spoof unsuspecting consumers. The most common abuse became spam: unsolicited e-mail, typically sent in bulk to address lists collected from online chat rooms, web sites, newsgroups, and viruses that harvest unsuspecting users' address books. Botnets are networks of compromised computers, each running a bot, that collect and disseminate spam and invade IT installations for nefarious purposes.

Control of a botnet is under a botherder: someone or some organization that directs the botnet from a distance. For example, a single botherder might direct the botnet to remotely recruit zombies to spread the bot and do its dirty work. A typical botnet and botherder work as follows:9

• The botherder launches worms to infect millions of zombies with a bot

• The bot collects user information via the zombies and reports the personal information back to the botherder

• The botherder sells botnet services and information to a third-party spammer

• The spammer gives spam messages to the botherder which in turn instructs the zombies to send the spam throughout the botnet’s distribution channel

In 2010, Rustock was the largest known botnet at the time: a collection of 1.6–2.4 million unsuspecting zombie computers controlled by organized crime located in St. Petersburg, Russia.10,11 Early botnets used IRC, a client-server chat system, to link together massive numbers of zombies; later ones moved to peer-to-peer (P2P) networks like the ones used by music and movie pirates for media sharing, so that there is no single server to shut down. P2P overlay networks are cheap, powerful, and resilient, because they are parasitic, living off of established IT infrastructure. But, unlike the public-switched Internet, P2P networks are distributed with relatively low spectral radius. Hence they are more resilient than the IT infrastructure they depend on.

Typical botnets can easily spew out 250 spams/min, night and day. During the month of August 2010, 1 in every 300 e-mails contained a virus, spam, or worm; 1 in 500 contained a phishing exploit; and over 4000 web sites were being blocked by a botnet every day. In 2009, Zeus—the largest known botnet in the US with 3.6 million zombies in tow— sold millions of user names, passwords, account numbers, and credit card numbers using key-logger technology.

Due to their immense size and capacity to spam the globe, botnets pose a serious threat to the very existence of the Internet. For example, if the 2 million zombies in the Rustock botnet were to simultaneously emit high-bandwidth spam, the load on the Internet could cripple or halt traffic all over the world. The botherder could extort companies, regions, and even nations that depend on Internet traffic for everyday business, commerce, and military coordination.

Estonia's experience in 2007 illustrates the power of botnets. Estonian web sites were hammered for days after the government ordered the relocation of the Soviet-era war monument, the Bronze Soldier, from the center of Tallinn to its suburbs. Ethnic Russians rioted for 2 days. DDoS attacks on government web sites were so severe that many agencies were forced to discontinue service into and out of Estonia for several days.

Over 1300 people were arrested, 100 were injured, and 1 person was killed in the rioting. Some of the attacks were traced back to Russia, but eventually a 20-year-old Estonian student named Dmitri Galushkevich was arrested and charged with launching DDoS attacks from his PC. According to NATO, the cyber attack on Estonia did not qualify as a military attack. If it had, and if Russia or some other country had launched the attacks, other NATO countries would have been obliged to come to Estonia's rescue.

At the time this was written, it is not clear what the future of botnets holds for the IT sector. At one extreme, botnets can potentially take over the Internet and parasitically dominate its host. This would essentially turn control of the IT sector over to botherders. At the other extreme, botnets could be a tempo- rary phenomenon, because policies and practices described later in this chapter can banish them, altogether. In short, it is up to nation-states to enact policies and laws banning botnets, if we want the global IT infrastructure to be safe and secure.

7.4 Cyber Risk Analysis

Now that we are equipped with a fundamental understanding of cyber threats, it is possible to build a general model of cyber exploit risk against a generic computer system. This model may be used to reduce the risks facing a single computer's threat-asset pairs or the risks facing a corporate data center's threat-asset pairs. It is not, however, a model of a networked system of computers. For Internet system risk, consider the top 2000 autonomous systems (AS) of the Internet circa 2005, analyzed in Section 7.5.

9https://en.wikipedia.org/wiki/Botnet#Illegal_botnets

10http://www.Messagelabs.com, www.Honeynet.org

11http://en.wikipedia.org/wiki/Russian_Business_network


Figure 7.4 contains a fault tree model of threat-asset pairs typically found in a computer system. The threat-asset pairs are as follows:

Threat           Asset
Spoofing         TCP/IP
DDoS             HTTPS/SSL
Key-logger       Ports
Trojan horse     Browser
Software flaws   ActiveX
Software flaws   Media player
Key-logger       Attachments
Trojan horse     Address book

Assuming all consequences are $10,000, all threats are 100%, and all vulnerabilities are 10%, initially, what is the best use of investment dollars to reduce risk in this fault tree? Even though threat times vulnerability (TV) is 10% for every threat-asset pair, the overall vulnerability is 68.6%. Why is this so high? The answer lies in the OR-logic of the fault tree. Any one or several of the threats may occur, and the probability that at least one of them does, rather than none, is 68.6%. Even though each individual threat is relatively small, the possibility of one or more threats is large.
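As an added worked step, not part of the original text, here is where the 68.6% comes from. With the eleven leaves of Figure 7.4, each with threat $T_i = 1.0$ and vulnerability $V_i = 0.10$, the OR gate fails to fire only if no leaf is exploited, so, treating the leaves as independent,

$$V_{\text{total}} = 1 - \prod_{i=1}^{11}\bigl(1 - T_i V_i\bigr) = 1 - (1 - 0.10)^{11} = 1 - 0.314 = 0.686$$

and the expected loss (risk) before any investment is the sum over the leaves,

$$R = \sum_{i=1}^{11} T_i V_i C_i = 11 \times 1.0 \times 0.10 \times \$10{,}000 = \$11{,}000,$$

which is the starting point of the ROI curve in Figure 7.5. A twelfth or thirteenth leaf at the same 10% would push $V_{\text{total}}$ to 71.8% and 74.6% respectively, which is why the number of distinct threat-asset pairs, not the size of any one of them, drives the total.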

The second observation addresses the allocation of resources to reduce risk. Figure 7.5 shows the return-on-investment (ROI) curve for risk reduction investments. ROI drops below $1.00/$ when the total investment exceeds $3000. At $3,000, risk declines from $11,000 to $7,943, and vulnerability drops from 68.6 to 56.4%. An investment of twice this amount, that is $6000, is required to lower vulnerability below 50%, but the ROI is much lower, $0.76/$. It is extremely difficult to reduce risk when assets are threatened by multiple hazards.

Figure 7.4 Common threat-asset pairs in a general fault tree of cyber threats. [Diagram: the top event Cyber threats is an OR gate over four branches, TCP/IP, Ports, Software flaws and Attachments, each of which is itself an OR gate over its leaf threats; the eleven leaves shown are DDoS, HTTPS/SSL, Spoofing, Key-logger, Trojan horse, Browser, ActiveX, Key-logger, Media-player, Trojan horse and Address book.]

This example illustrates the challenge of cyber security. The large array of threats makes protection very difficult and expensive. In fact, most computer system operators have never performed a rigorous risk analysis of the information systems under their care. According to a 2003 study, 43% of system administrators surveyed did not know how their systems got infected.12 Furthermore, they estimated that exploits had a minor financial consequence: 75% of the exploits detected caused damage of less than $100, according to the IT managers. This may seem small, but cyber exploits affect millions of computers once they spread. Therefore, an exploit that infects a million computers really costs millions of dollars.

The 2003 survey also concluded that 30% of the exploits caused some loss of data, typically due to a virus. Also, if we assume that the cost of each data loss incident is $100, then such exploits cost $30 million/million victims. Reducing the risk of a single IT installation by $1000 may not seem like much, but this risk is multiplied by potentially millions of similar IT installations, so the total risk can run into the millions or even billions of dollars.

7.5 Cyber Infrastructure Risk

The foregoing fault tree analysis of threat-asset pairs suggests it is difficult to protect individual IT installations, but the consequences at any one of them are relatively small. However, when multiplied by the millions of IT installations connected to one another via the Internet, the accumulated consequences can become very large. The IT infrastructure is so heavily dependent on the Internet that it becomes necessary to recall Chapter 6 and reexamine the impact an Internet infrastructure attack might have on individual IT installations. Protecting individual IT installations or personal computers has almost no effect in protecting the Internet. Conversely, protecting a handful of major Internet hubs has an enormous impact on protecting individual IT installations and personal computers.

The AS2000 Internet network of Figure 7.6 contains 2000 AS and 6107 links. It is highly structured, with a power law distribution of links-to-nodes and a spectral radius of 45.8. The largest hub has 388 connections, but the mean degree is only 6.1 connections. Link robustness is very high, and its experimentally determined number of blocking nodes is 247 (12.4%):

$$q(\gamma\rho) = 1.11 - 0.79\,\log(\gamma\rho); \qquad \gamma\rho_0 = 3.1\%$$

$$\kappa_L = \frac{6107 - 2000}{6107} = 67.3\%$$

$$\#\text{Blocking nodes} = 247$$

12http://www.avast.com/

Figure 7.5 ROI analysis of the general fault tree model for the values shown in Table 7.1, suggesting the optimal investment is approximately $3000. [Plot: ROI ($/$) on the vertical axis, from $– to $2.50, against $Investment on the horizontal axis, from $– to $35,000, for the cyber threat fault tree.]

Table 7.1 Input values for the general fault tree model of Figure 7.4

Name           Threat (%)   Vulnerability (%)   Elimination cost ($)   Consequence ($)
Spoof          100          10                  2,500                  10,000
DDoS           100          10                  5,000                  10,000
HTTPS/SSL      100          10                  5,000                  10,000
Key-logger     100          10                  5,000                  10,000
Trojan horse   100          10                  2,000                  10,000
Key-logger     100          10                  5,000                  10,000
Trojan horse   100          10                  2,000                  10,000
Key-logger     100          10                  5,000                  10,000
Trojan horse   100          10                  2,000                  10,000
Browser        100          10                  2,000                  10,000
ActiveX        100          10                  1,000                  10,000
Media player   100          10                  4,000                  10,000
Address book   100          10                  1,000                  10,000


The AS2000 Internet has a small number of very highly connected autonomous systems and thousands with only a handful of connections. The high spectral radius and large hubs make the AS2000 network a near-perfect super-spreader of malicious software. This structure also explains why AS2000 can be fractured into disconnected pieces by removal of only 247 (12%) nodes: most connectivity is vested in a handful of highly linked hubs.

The highly structured shape of the AS2000 network suggests an optimal protection strategy: harden the hubs and ignore small IT installations and individual computers. Invest heavily in the 247 blocking nodes, because these autonomous systems hold the entire system together. In fact, the following analysis shows that installing antiviral software on individual computers is ineffective at halting Internet-wide spreading and, for that purpose, a waste of resources. On the other hand, hardening the servers in the top hubs of the Internet is very effective. For example, hardening a mere 40 of the AS2000 network's most-connected servers is 3.7 times as effective as protecting individual desktops, PCs, and laptops.

Figure 7.7 shows the results of a number of cascade simulations carried out on the AS2000 network of Figure 7.6. Four simulations were performed with varying levels of infectiousness: (1) no protection, (2) randomly selecting 2% of the nodes for protection, (3) protecting 2% of the least-connected nodes, and (4) protecting 2% (40) hub nodes and ignoring all the others. In all cases except for the last one, protection of 2% of the nodes was ineffective. But when the top 40 nodes (hubs) were hardened so they could not spread malicious software to adjacent neighbors through peering, the spreading was nearly halted altogether.

The fundamental resilience equations for these four simulations on AS2000 show that hub protection is 3.7 times more effective than any other strategy, assuming critical vulnerability $\gamma\rho = 1$ corresponding with critical fractal dimension $q_0$:

$$\text{No protection:}\quad \log(q) = 0.64 - 0.057\,\gamma\rho;\qquad q_0 = 1.26$$

$$\text{Random 2\%:}\quad \log(q) = 0.74 - 0.067\,\gamma\rho;\qquad q_0 = 4.71$$

$$\text{Singleton 2\%:}\quad \log(q) = 0.76 - 0.069\,\gamma\rho;\qquad q_0 = 4.91$$

$$\text{Hub 2\%:}\quad \log(q) = 1.33 - 0.067\,\gamma\rho;\qquad q_0 = 18.32$$

Indeed, individual computer system (singleton) protection was no more effective than random protection. In other words, individual antivirus software installed on laptop and desktop computers is far less effective than hardening the top 40 AS servers in the Internet.

Effective Protection Strategy: The highly percolated and structured Internet is protected against the spread of malicious software by hardening a very small percentage of its hubs, typically less than 2–3%.

Figure 7.6 AS2000: The top 2000 AS of the global Internet form a near-perfect scale-free network with a 388-link hub at its center, a power law exponent of 1.93, and a spectral radius of 45.8. Links have been removed to more clearly show the nodes and their degree distribution (higher degree nodes are placed near the center).


7.5.1 Blocking Node Analysis

If the 247 blocking nodes can be found, hardening them prevents the spread of malicious software from one component to an adjacent component. Computer viruses cannot jump from one island to another if a blocking node prevents it. Blocking nodes do exactly that: they block further spreading of cascade faults. Perfect hardening of all 247 blocking nodes can stop spreading in its tracks. But how are these highly critical nodes found?

We can use the structure of a scale-free network to identify most of the blocking nodes. Scale-free networks concentrate connectivity in hubs. Therefore, hubs are the most likely to link components together. They are the strongest glue holding the network together. Therefore, we need only to rank the most-connected 247 AS2000 nodes in descending order by degree to identify the most-likely blocking nodes. In this case, 80% of the nodes have two or more links. Unfortunately, 88% must be eliminated. Rank ordering by degree is only a partial solution.

An exact method of finding blocking nodes requires a fast computer and algorithm. Each node is removed from the network one at a time. If it is then impossible to trace a path from each of the removed node’s neighbors back to the others, the node is a blocking node, because its removal breaks the chain from neighbor to neighbor. This test must be repeated for every node in the network. Blocking nodes are the collection of nodes whose removal breaks the chain of hops between their adjacent nodes.

Blocking Strategy: Malicious software is stopped from spreading by hardening all the blocking nodes in the AS2000 network, because hardened blocking nodes separate the network into disjoint islands.
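The exact remove-one-node test of 7.5.1 and the degree-ranking shortcut of 7.5, written out as an added example (not the book's code) on a small constructed AS-style graph rather than the AS2000 data; it also counts the islands left once the blocking nodes are hardened:

```python
from collections import deque

# Constructed toy AS-style graph (not the AS2000 data): a hub with five
# single-homed stubs, a clique of four peering ASes, one transit link
# ("bridge") and a triangle of ASes behind it. Edges are undirected.
EDGES = [
    ("hub", "l1"), ("hub", "l2"), ("hub", "l3"), ("hub", "l4"), ("hub", "l5"),
    ("hub", "a"),
    ("a", "b"), ("a", "c"), ("a", "g"), ("b", "c"), ("b", "g"), ("c", "g"),
    ("b", "bridge"), ("bridge", "d"),
    ("d", "e"), ("d", "f"), ("e", "f"),
]

def adjacency(edges):
    adj = {}
    for u, v in edges:
        adj.setdefault(u, set()).add(v)
        adj.setdefault(v, set()).add(u)
    return adj

def reachable(adj, start, hardened):
    """Nodes reachable from start when hardened nodes no longer forward anything."""
    seen, queue = {start}, deque([start])
    while queue:
        for w in adj[queue.popleft()]:
            if w not in hardened and w not in seen:
                seen.add(w)
                queue.append(w)
    return seen

def blocking_nodes(adj):
    """Exact test from the text: take each node out in turn; if its neighbours
    can no longer all reach one another, that node was gluing components together."""
    found = set()
    for v, nbrs in adj.items():
        if nbrs and not nbrs <= reachable(adj, next(iter(nbrs)), {v}):
            found.add(v)
    return found

def top_by_degree(adj, k):
    """Degree-ranking shortcut: the k most-connected nodes (ties broken by name)."""
    return [v for v, _ in sorted(adj.items(), key=lambda kv: (-len(kv[1]), kv[0]))[:k]]

def islands(adj, hardened):
    """Count the disjoint islands left once hardened nodes stop forwarding malware."""
    left, count = set(adj) - hardened, 0
    while left:
        count += 1
        left -= reachable(adj, next(iter(left)), hardened)
    return count
```

On this graph the degree ranking picks the clique member c (not a blocking node) and misses the two-link transit node bridge (a blocking node), which is the "partial solution" the text warns about.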

7.6 Analysis

How likely is it that cyber exploits will be used by terrorists in the future? In a report released immediately after 9/11, Michael Vatis, Director of the Institute for Security Technology Studies at Dartmouth University, claimed cyber attacks are highly correlated with physical attacks and terrorism:

In the Israel/Palestinian conflict, following events such as car bombings and mortar shellings, there were increases in the number of cyber attacks. Subsequent to the April 1, 2001 mid-air collision between an American surveillance plane and a Chinese fighter aircraft, Chinese hacker groups immediately organized a massive and sustained week-long campaign of cyber attacks against American targets. [3]

Vatis argues that cyber attacks immediately accompany physical attacks, and they increase in volume, sophistication, and coordination. He also correlates these attacks with high-value targets.

Thus far, nobody has died from a cyber attack. In fact, James Lewis argues that the threat of cyber attacks from terrorists has been exaggerated:

Digital Pearl Harbors are unlikely. Infrastructure systems, because they have to deal with failure on a routine basis, are also more flexible and responsive in restoring service than early analysts realized. Cyber attacks, unless accompanied by a simultaneous physical attack that achieves physical damage, are short lived and ineffective. However, if the risks of cyber-terrorism and cyber-war are overstated, the risk of espionage and cyber crime may not be fully appreciated by many observers. This is not a static situation, and the vulnerability of critical infrastructure to cyber attack could change if three things occur. Vulnerability could increase as societies move to a ubiquitous computing environment when more daily activities have become automated and rely on remote computer networks. The second is that vulnerability could increase as more industrial and infrastructure applications, especially those used for SCADA (Supervisory Control and Data Acquisition), move from relying on dedicated, proprietary networks to using the Internet and Internet protocols for their operations. This move to greater reliance on networks seems guaranteed given the cost advantage of Internet communications protocols (Transmission Control Protocol/Internet Protocol), but it also creates new avenues of access. These changes will lead to increased vulnerabilities if countries do not balance the move to become more networked and more dependent on Internet protocols with efforts to improve network security, make law enforcement more effective, and ensure that critical infrastructures are robust and resilient [4].

[Figure 7.7 plot: log(q) vs. γρ for the AS2000 Internet; γρ from 0 to 20 on the horizontal axis, log(q) from −0.6 to 1.4 on the vertical axis; four curves: log(None), log(Hub), log(Random), log(Leaves).]

Figure 7.7 Result of four simulations shows hub hardening to be 3.7 times as effective as hardening individual computers.

Cyber threats still exist and are responsible for major financial losses. They will continue to be a threat as long as computer systems have flaws. And, flaws are expected to remain a part of this sector for a long time, because fallible humans build information systems. Moreover, cyber attacks are highly asymmetric, meaning they are cheap and easy to apply. As society continues its adoption of all things Internet, the consequences of damage to CIKR will also continue to increase.

7.7 Exercises

1. What is the precise definition of a virus?
a. A malicious self-activating program
b. An e-mail attachment
c. A malicious user-activated program
d. A malicious program that travels via the Internet
e. A flaw in TCP/IP

2. What is the precise definition of a worm?
a. A malicious self-activating program
b. An e-mail attachment
c. A malicious user-activated program
d. A malicious program that travels via the Internet
e. A flaw in TCP/IP

3. What is a Trojan horse?
a. A malicious self-replicating program
b. An e-mail attachment
c. A malicious program disguised as a safe program
d. A malicious program that travels via the Internet
e. A flaw in TCP/IP

4. Software patches are:
a. Often not installed on vulnerable systems
b. A defect that opens a computer to attack
c. A software developer’s repair kit
d. A kind of virus
e. A way to repair an open port

5. Which one of the following is an old method of breaking into a computer:
a. War dialing
b. War driving
c. SIS
d. SOS
e. SOB

6. A zombie is a:
a. Defective computer
b. Network of dead computers
c. Innocent participant in a DDoS attack
d. Computer cyber thief
e. Black-hat cyber criminal

7. The AS network is characterized by:
a. Giant Secure Connected Component
b. Grand Secure Connected Component
c. Giant Strongly Connected Component
d. 2000 nodes
e. Very high level of percolation

8. Typical TCP/IP exploits are:
a. Focused on attachments
b. Focused on design flaws
c. Phishing expeditions
d. Buffer overflow attacks
e. Fixed by installing the latest software patches

9. Which of the following is NOT a critical node in the Internet?
a. Amazon.com web services data center
b. Typical desktop or laptop computer
c. The MAE-West hub in San Jose, CA
d. The hub at the Chicago NAP
e. The root servers at a.root-servers.net

10. As far as we know, the first cyber worm was launched in:
a. 1998
b. 2001
c. 9/11/01
d. 1988
e. 1984

11. A malicious program can be a macro that travels by:
a. A Word or Excel document
b. Downloading itself through a buffer overflow attack
c. Downloading itself through spyware
d. Attaching itself to an e-mail
e. Embedding itself in a Trojan horse

12. A DDoS attack:
a. Floods a victim computer with a huge number of messages
b. Uses e-mail to send fake messages to users listed in address books
c. Is a special kind of worm
d. Uses macros to travel
e. Blocks ports


13. The Bank of America ATM network was temporarily stalled by:
a. A SYN Flooding DDoS attack
b. SQL Slammer
c. MS-Blaster
d. Klez
e. The Morris worm

14. The Whitehouse of the US was attacked in 2002 by:
a. Bugbear
b. MafiaBoy
c. Code Red
d. Microsoft IIS
e. Changing the DNS server address

15. What are ports?
a. Input/output channels through which network information flows
b. Vulnerable flaws in the global Internet
c. 65,535 doors
d. Telnet input
e. FTP input/output

16. In a buffer overflow attack:
a. A program enters a computer as if it were data
b. A malicious program travels through ports
c. A worm exploits FTP
d. A worm exploits port 21
e. An operating system is exploited

17. Most DDoS exploits use:
a. SYN Flooding
b. Zombies
c. Web servers
d. Microsoft Windows flaws
e. Routing tables

18. MafiaBoy caused $1.7 billion revenue loss. How much was levied for the person involved in this?
a. $10,000,000
b. $1,000,000
c. $10,000
d. $250
e. None

19. Who turned in the Wikileaks traitor?
a. Pfc. Bradley Manning
b. Dark Dante
c. Kevin Poulsen
d. The New York Times
e. Adrian Lamo

20. Which of the following is the best protection strategy for reducing the spread of malicious software throughout the IT sector?
a. Harden the Internet’s hubs
b. Install antivirus software on all desktops and laptops
c. Install antivirus software on all end-user devices including smart phones
d. Enacting stronger laws
e. Redesigning the TCP/IP protocol

References

[1] Dunlevy, C. J. Protection of Critical Infrastructures: A New Perspective. CERT Analysis Center, 2004. Available at http://www.cert.org. Accessed June 20, 2014.

[2] Harris, S. The Cyberwar Plan, Not Just a Defensive Game, National Journal, November 13, 2009. Available at http://www.nextgov.com/nextgov/ng_20091113_1728.php. Accessed June 20, 2014.

[3] Vatis, M. Cyber Attacks During the War on Terrorism: A Predictive Analysis, Hanover, NH: Institute for Security Technology Studies, September 22, 2001. Available at http://www.ists.dartmouth.edu/ISTS. Accessed June 20, 2014.

[4] Lewis, J. A. Assessing the Risks of Cyber Terrorism, Cyber War and Other Cyber Threats, Washington, DC: Center for Strategic and International Studies, December 2002. Available at http://www.csis.org. Accessed June 20, 2014.
