
Mitigating the Risk of Cyber Attack
  • David Alderson, PhD
  • California Institute of Technology
  • MSE 193/293
  • November 17, 2004

  • Monday
  • Critical Infrastructures
  • Recent Failures
  • Rise of the Internet
  • The Potential Threat
  • Policy Introduction
  • Homework
  • PBS Frontline Video: Cyberwar!
  • Wednesday
  • Case Study: Internet Worms and Viruses
  • Threat Mitigation: U.S. Federal Policy
  • Conclusions
  • Open Questions
  • Research Topics
  • Potential Paper Topics

Motivating Questions
  • What are critical infrastructures, and how does
    our dependence on them make us vulnerable to
    accidents, failures, and attacks?
  • To what extent does the open and insecure nature
    of the Internet and related cyber infrastructure
    pose a threat to national security?
  • What are the current vulnerabilities, and what
    can be done in the short term to mitigate against
  • Where would we like to be in the future with
    regard to the Internet and the critical
    infrastructures, and what needs to be done to get

We don't have all the answers yet!
  • Caltech: John Doyle
  • UCB: Vern Paxson
  • UCSD: Stefan Savage
  • EPRI (now UMN): Massoud Amin
  • CISAC: Kevin Soo Hoo, Keith Coleman, Dan
    Wendlandt, Martin Casado, Mike May, David
    Elliott, William Perry
  • Stanford Student Cybersecurity Group
  • http//

Critical Infrastructures
  • Definition: an infrastructure so vital that its
    incapacity or destruction would have a
    debilitating impact on our defense and national

Source: Critical Foundations: Protecting
America's Infrastructures
  • Examples
  • Information and Communications
  • PTN, TV/Radio, CATV, Internet, Satellite,
  • Energy Systems
  • Electrical Power Systems
  • Gas and Oil Production, Storage and
  • Banking and Finance
  • Physical Distribution
  • Transportation
  • Water Supply Systems
  • Vital Human Services
  • Emergency Services
  • Government Services
  • Military Services

More information available from Critical
Infrastructure Assurance Office (CIAO)
The Internet has become a critical information
  • The Internet has become a type of public utility
    (like electricity or phone service) that
    underlies many important public and private
  • Internet disruptions have a ripple effect
    across the economy.
  • The Internet is a control system for monitoring
    and controlling our physical environment.
  • Hijacking the Internet can be even more
    devastating than interrupting it.

Best Practices in Security
  • Most attacks occur through known vulnerabilities
  • Most attacks could be prevented if the victim had
    been using best practices for cyber security
  • Latest software patches for known bugs
  • Virus protection software with up-to-date virus
    definition files
  • Frequently changed passwords of proper syntax
  • Firewalls
  • More than one layer of protection All of the
  • SANS/FBI publishes a list of top 20
    vulnerabilities, updated annually
  • But evidence repeatedly suggests that best
    practices are not followed consistently

Misalignment of Incentives
  • Protection is costly and inconvenient
  • Business imperative is competition
    (profitability, cost management, new markets, new
    technologies), not protection
  • Users are not accustomed to bearing any direct
    costs of protecting infrastructures
  • Direct (immediate) benefits of protection are
    unknown (difficult to measure)
  • Exploitation is cheap and convenient
  • tools (laptop and network connection) are
  • training is easily obtained or downloaded
  • prosecution is difficult
  • Exploitation is potentially highly-rewarding
  • money, power, prestige

An Ongoing Debate
  • Does the vulnerability of the Internet pose a
    threat to national security?
  • Why Is This A Hard Question?
  • There is a lack of public evidence
  • Strong disincentives for companies to share
    information about incidents
  • Strong disincentives for the government to share
    information about vulnerabilities
  • Measurement is a challenge
  • How to quantify the consequences of an incident?
  • Who has time to gather data during an incident?

Case Study: The Threat of Internet Worms
Viruses and Worms
  • Definition: A computer virus is a small program
    written to alter the way a computer operates,
    without the permission or knowledge of the user.
    (Symantec website)
  • Network worms are sometimes called automated
    intrusion systems because, unlike viruses, they
    do not require action by a human (via a host
    file). They contain three basic parts:
  • Exploit (the means by which a computer is
  • Propagation (the means by which the worm moves
    from one machine to another)
  • Payload (what the worm does to the computer,
    other than self-replicate)
  • These parts are modular and independent
  • Exploits take advantage of well-known, insecure
    open services
  • Toolkits are readily available online

  • How to 0wn the Internet in Your Spare Time
  • Stuart Staniford, Vern Paxson, Nicholas Weaver.
    Proceedings of the USENIX Security Symposium, 2002
  • (Vern Paxson's home page, http//
  • Internet Quarantine: Requirements for Containing
    Self-Propagating Code
  • David Moore, Colleen Shannon, Geoffrey M.
    Voelker, Stefan Savage
  • IEEE Infocom, April 2003
  • Inside the Slammer Worm
  • David Moore, Vern Paxson, Stefan Savage, Colleen
    Shannon, Stuart Staniford. IEEE Security &
    Privacy, July/August 2003.
  • (Stefan Savage's home page, http//
  • Models of Internet Worm Defense
  • David M. Nicol, Michael Liljenstam
  • Presentation at IMA Workshop, January 12, 2004
  • http//

Brief History (courtesy Stefan Savage)
  • Early Worm Development
  • Science fiction references: Brunner describes a
    tapeworm program in the novel The Shockwave Rider
  • Shoch & Hupp coin the term "worm" for programs that
    self-propagate to perform some (benign) task
  • Morris Worm (1988) exploits buffer overflow
    vulnerabilities and infects a few thousand hosts
    (10% of Internet)
  • Then nothing for 13 years
  • until a recent renaissance in worm activity
  • CodeRed (Summer 2001)
  • CodeRed II, NIMDA (Fall 2001)
  • Sapphire/Slammer (Winter 2003)

Code Red
  • CRv1 (originally identified on July 13, 2001)
  • Spread by compromising a Microsoft IIS
    vulnerability (that had been cataloged on June
    18, 2001)
  • (Sometimes) defaced the web server
  • After infection, it attempted to compromise other
    machines identified by generating a sequence of
    random IP addresses (but a flawed RNG used a fixed
    seed, so the same sequence of "random" addresses
    was used everywhere → growth was linear)
  • CRv2 (observed on July 18, 2001)
  • Fixed the RNG bug
  • No more web site defacements, but added a DDoS
    payload targeting the IP address for
  • More successful: infected 360,000 hosts in 10
  • This version is commonly called Code Red
  • Another bug caused it to die after the 20th day of
    the month (so the initial release ran only 1 day)
  • But incorrect computer clocks allowed the worm
    to persist and reactivate itself on August 1,
    2001 (and it's still going!)

Source: Staniford, Paxson, Weaver. How to 0wn the
Internet in Your Spare Time.
Code Red II
  • Released on Saturday, August 4, 2001
  • Contained comment calling itself Code Red II,
    but the code base was different from Code Red I
  • Exploited the same vulnerability in Microsoft IIS
  • Payload installed a root backdoor allowing
    unrestricted remote access to the infected host
  • Kills Code Red I
  • BUT, only worked on Windows 2000 (crashed on NT)
  • Used a localized strategy to choose IP addresses
  • From local class B network (probability 3/8)
  • From local class A network (probability 1/2)
  • From entire Internet (probability 1/8)
  • Very rapid local infection, once through a
  • Died by design on October 1, 2001

Source: Staniford, Paxson, Weaver. How to 0wn the
Internet in Your Spare Time.
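The two address-selection strategies described on the Code Red and Code Red II slides above, as an added illustrative example (not code from the slides, from the cited paper, or from the worms themselves). It models only target selection, no exploit or payload. `FIXED_SEED`, the per-copy seeds and Python's Mersenne Twister are stand-ins for the worms' real constants and Windows `rand()`; details such as address ranges the real worm skipped are omitted. `distinct_targets` shows why a fixed seed makes the population's coverage grow linearly: ten copies reach no more addresses than one. `codered2_target` implements the 3/8, 1/2, 1/8 split from the Code Red II slide.

```python
import random

# Constructed value for the illustration (assumption): the real worm's seed
# and PRNG are not reproduced here.
FIXED_SEED = 0xC0DE0001


def probe_sequence(seed, probes):
    """Addresses one worm copy would scan: `probes` 32-bit values drawn from a
    PRNG seeded with `seed`."""
    rng = random.Random(seed)
    return [rng.getrandbits(32) for _ in range(probes)]


def distinct_targets(instances, probes_each, fixed_seed):
    """Distinct addresses the whole infected population reaches.

    fixed_seed=True is the Code Red v1 bug: every copy seeds with the same
    constant, walks the same sequence, and adds nothing new, so the set of
    probed addresses does not grow with the number of infected hosts.
    fixed_seed=False is the CRv2 fix: each copy gets its own seed (here
    FIXED_SEED + copy index, an assumption for the illustration).
    """
    seen = set()
    for n in range(instances):
        seed = FIXED_SEED if fixed_seed else FIXED_SEED + n
        seen.update(probe_sequence(seed, probes_each))
    return len(seen)


def codered2_target(local_ip, rng):
    """Localized target choice as the slide describes it for Code Red II:
    with probability 3/8 an address in the same class B (/16), with
    probability 1/2 one in the same class A (/8), with probability 1/8 one
    anywhere. Returns (dotted target, strategy label)."""
    a, b, _, _ = (int(o) for o in local_ip.split("."))
    u = rng.random()
    if u < 3 / 8:
        octets, strategy = [a, b, rng.randrange(256), rng.randrange(256)], "local /16"
    elif u < 3 / 8 + 1 / 2:
        octets, strategy = [a] + [rng.randrange(256) for _ in range(3)], "local /8"
    else:
        octets, strategy = [rng.randrange(256) for _ in range(4)], "random"
    return ".".join(str(o) for o in octets), strategy


def sample_targets(local_ip, samples, seed=1):
    """Draw `samples` targets for one infected host; deterministic for a seed."""
    rng = random.Random(seed)
    return [codered2_target(local_ip, rng) for _ in range(samples)]


def strategy_mix(local_ip, samples, seed=1):
    """Fraction of probes each strategy produced (approaches 3/8, 1/2, 1/8)."""
    counts = {"local /16": 0, "local /8": 0, "random": 0}
    for _, strategy in sample_targets(local_ip, samples, seed):
        counts[strategy] += 1
    return {k: v / samples for k, v in counts.items()}


if __name__ == "__main__":
    print("CRv1 fixed seed, 10 copies x 1000 probes:",
          distinct_targets(10, 1000, True), "distinct addresses")
    print("CRv2 per-copy seed, 10 copies x 1000 probes:",
          distinct_targets(10, 1000, False), "distinct addresses")
    print("Code Red II strategy mix:", strategy_mix("10.20.30.40", 40000))
```

The localized mix is also what a defender sees in flow logs: 7/8 of an infected host's probes stay inside its own /8, and 3/8 inside its own /16 of 65,536 addresses, which is why a single infected host behind a firewall sweeps its local network so quickly while contributing little to Internet-wide coverage.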
NIMDA
  • Began on September 18, 2001
  • A multi-vector worm, spread by five methods
  • Infecting web servers from clients by exploiting
    a (different) Microsoft IIS vulnerability
  • Bulk emailing itself as an attachment to
    addresses obtained from the infected machine
  • Copying itself across shared network file systems
  • Adding exploit code to web pages in order to
    infect web clients that browse the page
  • Exploiting backdoors left behind by Code Red II
  • Combination of methods bypassed current security
  • As email payload, passed many firewalls
  • Many infections before anti-virus signatures in

Source: Staniford, Paxson, Weaver. How to 0wn the
Internet in Your Spare Time.
NIMDA Virulence
[Figure. Source: Staniford, Paxson, Weaver. How to 0wn the
Internet in Your Spare Time. Courtesy Vern Paxson.]
An Ecosystem of Worms
[Figure. Source: Staniford, Paxson, Weaver. How to 0wn the
Internet in Your Spare Time. Courtesy Vern Paxson.]
Sapphire/Slammer Worm
  • Observed on January 25, 2003
  • Buffer overflow vulnerability in Microsoft SQL
    Server (documented in July 2002)
  • Worm fit in a single UDP packet (404 bytes)
  • Key insight: decouple scanning from target
  • Sapphire Growth
  • First 1 min behaves like a random-scanning worm
  • Doubling time of 8.5 seconds
  • (Code Red doubled every 40 min)
  • After 1 min the worm starts to saturate access bandwidth
  • Some hosts issue 20,000 scans/sec
  • Self-interfering (no congestion control)
  • Peaks at 3 min (55 million IP scans/sec)
  • 90% of Internet scanned in
  • Infected 100k hosts (conservative due to PRNG
  • No malicious payload, but caused severe network
    congestion and disabled many database servers.

Source Moore, Paxson, Savage, Shannon, and
Staniford. Inside the Slammer Worm.
Worm Evolution
  • Cooperative Association for Internet Data
    Analysis (CAIDA)
  • http//
  • http//
  • http//

The Worm Threat
  • Proposition worms are among the most serious
    threats today to Internet infrastructure
  • Evidence
  • Millions of susceptible hosts
  • Easy to write
  • Can cause serious damage (damage hosts,
    expose/corrupt information, DoS attacks)
  • Rapid time scales make defense difficult
  • How to quantify the threat as well as the
    effectiveness of possible defense strategies?
  • Threat = Capability × Intent
  • Vulnerability = Threat × Consequence

Epidemiological Model
Courtesy Staniford, Paxson, Weaver.
  • For a fixed population size N
  • I(t) = infected population at time t
  • i(t) = fraction of infected population
  • K (constant) = contact rate per host
  • T = starting time of outbreak

Logistic growth equation. Ref: Boyce and
DiPrima, Elementary Differential Equations and
Boundary Value Problems.
Comparing Models
S-I Model
  • N = initial size of susceptible population
  • I(t) = infected population at time t
  • i(t) = fraction of infected population
    (i(t) = I(t)/N)
  • K = contact rate per host
  • Assumptions
  • Homogeneous mixing
  • No natural births/deaths
How to Mitigate the Worm Threat?
  • S(0) = N
  • β = r / M, where
  • r = probe rate of worm
  • M = total population (2^32 IPv4 addresses)
  • γ = removal rate
How quickly does each strategy need to react?
[Figure: infected hosts (95th percentile) vs.
reaction time (hours), one panel for address
blacklisting and one for content filtering]
  • To contain worms to 10% of vulnerable hosts after
    24 hours of spreading at 10 probes/sec (CodeRed):
  • Address blacklisting reaction time must be minutes.
  • Content filtering reaction time must be hours.
  • Reaction times must be fast when probe rates get
  • 10 probes/sec: reaction time must be (content filtering)
  • 1000 probes/sec: reaction time must be minutes (content filtering)

Source Moore, Shannon, Voelker, and Savage.
2003. Internet Quarantine Requirements for
Containing Self Propagating Code. (Courtesy
Stefan Savage)
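The S-I model and the quarantine question on the two slides above, carried through as an added worked example (my code, not the slides' and not the simulator of Moore et al.). It uses the slide's symbols: K is the per-host contact rate, which for a random scanner is the probe rate r times the vulnerable fraction N/M (so K = βN with β = r/M); the logistic equation di/dt = K i (1 − i) has the closed form i(t) = e^{K(t−T)} / (1 + e^{K(t−T)}), where in that form T is the time at which i = 1/2 (the constant of integration that places the curve). `time_to_fraction` derives from it how long a perfect containment step can wait and still hold the outbreak to a given fraction, and `simulate_containment` is a forward-Euler S-I-R run with an idealised content filter that stops all new infections from the reaction time onward. The scenario values (360,000 vulnerable hosts, 10 probes/sec, a 100× faster scanner with the same population) are constructed from the slides' numbers; the everywhere-at-once filter is a simplification of the Moore et al. model, which also varies how much of the network deploys it.

```python
import math

IPV4_SPACE = 2 ** 32  # M: the IPv4 address space a random-scanning worm probes


def contact_rate(probe_rate, n_vulnerable, address_space=IPV4_SPACE):
    """K, the per-host contact rate of the S-I model: probes per second times
    the probability that a uniformly random address is one of the N
    vulnerable hosts."""
    return probe_rate * n_vulnerable / address_space


def doubling_time(k):
    """While i(t) is small the logistic curve grows like e^{K t}, so the
    infected population doubles every ln2 / K seconds."""
    return math.log(2) / k


def infected_fraction(t, k, t_half):
    """Closed form of the logistic equation di/dt = K i (1 - i):
    i(t) = e^{K(t-T)} / (1 + e^{K(t-T)}), with T the time at which half the
    vulnerable population is infected. Branches to avoid exp() overflow."""
    x = k * (t - t_half)
    if x >= 0:
        return 1.0 / (1.0 + math.exp(-x))
    e = math.exp(x)
    return e / (1.0 + e)


def time_to_fraction(n_vulnerable, probe_rate, fraction, address_space=IPV4_SPACE):
    """Seconds from a single infected host until `fraction` of N is infected,
    i.e. the latest moment a perfect containment step could still hold the
    outbreak to that fraction. From the closed form: i(0) = 1/N fixes
    T = ln(N-1)/K, and solving i(t) = f gives t = T + ln(f/(1-f))/K."""
    k = contact_rate(probe_rate, n_vulnerable, address_space)
    t_half = math.log(n_vulnerable - 1) / k
    return t_half + math.log(fraction / (1.0 - fraction)) / k


def simulate_containment(n_vulnerable, probe_rate, removal_rate, reaction_time,
                         horizon, dt=1.0, address_space=IPV4_SPACE):
    """Forward-Euler S-I-R run with a reaction step. beta = probe_rate / M is
    the infection rate and gamma = removal_rate the patch/cleanup rate; from
    `reaction_time` seconds on a content filter is assumed deployed
    everywhere, so no new infections occur (an idealisation, see lead-in).
    Returns the fraction of vulnerable hosts ever infected by `horizon`."""
    s, i, r = float(n_vulnerable - 1), 1.0, 0.0
    beta = probe_rate / address_space
    t = 0.0
    while t < horizon:
        new_infections = 0.0 if t >= reaction_time else min(s, beta * s * i * dt)
        removed = min(i, removal_rate * i * dt)
        s -= new_infections
        i += new_infections - removed
        r += removed
        t += dt
    return 1.0 - s / n_vulnerable


if __name__ == "__main__":
    # Constructed scenarios: a Code Red-like worm (10 probes/s, 360k vulnerable
    # hosts) and a 100x faster scanner against the same population.
    for label, rate in (("10 probes/s", 10), ("1000 probes/s", 1000)):
        k = contact_rate(rate, 360_000)
        print(f"{label}: K={k:.2e}/s, doubles every {doubling_time(k):.0f} s, "
              f"10% infected after {time_to_fraction(360_000, rate, 0.10) / 60:.1f} min")
    for react in (3600, 36000):
        frac = simulate_containment(360_000, 10, 0.0, react, horizon=86400)
        print(f"10 probes/s, filter deployed after {react / 3600:.0f} h: "
              f"{frac:.3%} of vulnerable hosts ever infected")
```

Run as is, the analytic bound puts the 10% mark at roughly 3.5 hours for the 10 probes/sec worm and about two minutes for the 1000 probes/sec one, which is the slide's "hours" versus "minutes"; the simulation shows a filter deployed after one hour holds the outbreak to a handful of hosts while one deployed after ten hours arrives after nearly everything is already infected.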
Modeling Cyber Epidemics
  • Interpreting quantities of interest in this new
  • Generation time, reproductive rate
  • Threshold criteria (worms on Macs?)
  • Limiting values (how and when to intervene?)
  • Understanding the relationship between model
    assumptions and details of application
  • Homogeneous mixing and virus/worm spread
  • Births/deaths and endemic persistence of worms
  • More realistic representation of worm behavior
  • Policy implications
  • Direction of technology investment
  • User behavior as well as technology
  • Opportunity modeling at the cutting edge of
    network research, with many contributions to be

What Does All This Mean?
  • The scale/speed of these attacks pose new
  • Zero latency period, High infection rate, use
    Internet against itself
  • Human response is not possible
  • Significant technical challenges to reactive
  • Worms and viruses create the possibility of
    additional cyber attacks with incredible threat
  • Imagine: What could you do if you 0wned 1M
  • Massive, diffuse DDoS attacks
  • Against a single industry or infrastructure?
  • Subtle, hard to trace
  • Use the information on those machines
  • Passwords
  • Fraudulent credit card transactions, Identity
  • Corrupt the information on those machines
  • Rapidly evolving technology is fertile ground for
    new and more dangerous worms and viruses

(How) Can public policy assist in providing a
solution to this problem?
Abbreviated Timeline
Abbreviated Timeline (cont.)
National Strategy Initiatives
  • Information Sharing Information, including
    threat analysis and warning, should flow freely
    and in a timely manner among the stakeholders.
  • Incident Response and Recovery Government should
    facilitate timely warning and recovery to
    (imminent) attack.
  • Awareness All stakeholders (from large
    corporations to home users) must recognize and
    understand the problem.
  • Securing Governments Cyberspace Federal,
    state, and local government information systems
    should be better protected through enhanced
    threat and vulnerability assessment, updated and
    more secure technologies, and adherence to
    recognized operational best practices.
  • Training and Education Technical expertise
    necessary for securing the infrastructure must be
  • Research and Development New technologies to
    help identify, prevent, and mitigate new
    vulnerabilities must be developed and implemented.

Abbreviated Timeline (cont.)
Feb 2003: Richard Clarke resigns as chair of PCIPB. Howard
Schmidt (former Microsoft CSO) remains as vice
DHS Organization
[Organization chart: Office of the Secretary;
Emergency Preparedness & Response; Coast Guard;
Citizenship & Immigration Services; Information
Analysis & Infrastructure Protection; Border &
Transportation Security; Science & Technology;
Secret Service. Within Information Analysis &
Infrastructure Protection: Homeland Security
Operations Center; Information Analysis;
Infrastructure Protection; National Communication
System; National Cyber Security Division;
Infrastructure Coordination Division; Protective
Security Division]
July 04 Report on DHS Progress
  • Conducted Dec 2003 to Feb 2004
  • Objective: to determine whether DHS efforts to
    implement the White House's cyber strategy, The
    National Strategy to Secure Cyberspace, and to
    protect the nation's critical infrastructure from
    a major cyber terrorist attack are adequate and
  • Accomplishments
  • Launched US-CERT
  • National Cyber Alert System
  • National Cyber Security Summit (December 2003,
    Santa Clara, CA)
  • Establishing groups to strengthen Federal IT

July 04 Report on DHS Progress
  • According to the report, the NCSD has not
  • Prioritized its initiatives to address the
    recommendations in The National Strategy to
    Secure Cyberspace.
  • Identified the resources needed to ensure that
    it can identify, analyze, and reduce long-term
    cyber threats and vulnerabilities.
  • Developed strategic implementation plans,
    including performance measures and milestones,
    focusing on the divisions priorities,
    initiatives, and tasks.
  • Instituted a formal communications process
    within DHS, as well as the public, private, and
    international sectors.
  • Initiated and implemented a process to oversee
    and coordinate efforts to develop best practices
    and create cyber security policies with other
    government agencies and the private sector.
  • Reviewed or updated the actions and
    recommendations in The National Strategy to
    Secure Cyberspace.

Where We Are
  • Significant assets now in place for dealing with
    cybersecurity incidents
  • Incident response and recovery
  • Cyber Alert Warning System
  • Law Enforcement
  • FBI
  • U.S. Secret Service Electronic Crimes Task Forces
  • But, substantial challenges remain
  • Technology hurdles: software patches
  • Application of Best Practices by vendors,
    corporations, individuals
  • Alignment of economic incentives

Open Issues
To what extent is information deficit the root
cause of insecurity in the Internet? To what
extent is a misalignment of economic incentives
the root cause?
  • Worm exposes apathy, Microsoft flaws by Robert
    Lemos, CNET, January 26, 2003
  • Microsoft fails Slammer's security test by
    Robert Lemos, CNET, January 27, 2003

Open Issues
Is the monoculture of a Microsoft-based Internet
a significant threat to the security of
  • CyberInsecurity: The Cost of Monopoly
  • Published by the Computer Communications
    Industry Association. September 2003.
  • http//
  • CyberInsecurity: Much Ado About Nothing
  • By Mary Landesman
  • http//
  • To Fix Software Flaws, Microsoft Invites Attack
  • By Steve Lohr, NY Times, Sept. 29, 2003

Open Issues Incentives
  • Will a government strategy based on voluntary
    information sharing and public-private
    partnership ever effectively address the
    potential threats to national security posed by
    internet vulnerability?
  • Should the government use regulation, taxation,
    and other methods of influence to correct the
    misalignment of incentives among Internet
  • Should software manufacturers be held liable for
    damages caused by distributing insecure software?
  • Should organizations and individuals be held
    liable for damages caused by failing to patch
    insecure software?
  • Will it take a cyber 9/11 (possibly caused by a
    worm) to move individuals, corporations, and the
    government into action?

Preliminary Conclusions
  • Problems of growing importance that affect
  • There are no clear answers (yet)
  • Assessment of the scope of the problem
  • Identification of promising solutions
  • A problem at the intersection of technology and
  • An assessment of policy requires a good
    understanding of technology
  • Pursuit of technological solutions requires an
    understanding of policy implications
  • Many opportunities for valuable contributions
  • Independent research projects
  • Ongoing research programs here at Stanford
  • (CISAC, SNRC, Law School, and others)

Potential Paper Topics
  • Evaluating evidence is there a threat?
  • How should the Federal Government respond to
    evidence of an impending attack?
  • Evaluate a specific public-private partnership
    initiative for DHS support?
  • Is the Internet an appropriate platform for
    supporting critical infrastructures?
  • Should government systems diversify away from a
    Microsoft monoculture?

Additional Campus Resources
Questions? Comments?
  • Stanford Student Cybersecurity Group
  • http//
  • Computer Science Security Lab http//crypto.stanfo
  • Stanford Law School Center for Internet and