Software: the Eternal Battlefield in the Unending Cyberwars

"We are at risk. Computers are vulnerable to the effects of poor design, insufficient quality control, accident and, perhaps more alarmingly, to deliberate attack." -- Computers at Risk, Computer Science and Telecommunications Board, National Research Council, 1991.

Now, 18 years later, we are still at risk. Our computers are still vulnerable. They still suffer attacks enabled by poor design and insufficient quality control. We spend huge sums on IT security, yet U.S. companies and individuals are losing tens of billions of dollars annually to cybercrime.

In January, Heartland Payment Systems Inc. reported what may be the largest data heist ever.

The company said that a "global cyberfraud operation" stole information from more than 100 million credit cardholders. Someone had planted a software "sniffer" in a Heartland server disk, where it apparently nosed around undetected for weeks.

These mega-breaches make big news and cause their victims big pain. But they are just the tip of a huge cybercrime iceberg. Last September, Gartner Inc. published a chilling case study about The Procter & Gamble Co., a business known for its sophistication in IT and one with a robust deployment of firewall, intrusion detection and antivirus software tools.

P&G conducted a six-month worldwide audit of its PCs to see if any were infected by hidden software robots, or bots, which can connect into botnets secretly controlled by external parties. Using special sensor software, P&G discovered that some 3,000 of its 80,000 PCs were infected with botnet clients. These bots were attempting to communicate with a dozen remote-control sites, with about 20% of those attempts getting through P&G security measures.

But that's not all. P&G scrubbed the offending bots by re-imaging the PCs, a laborious process of removing and reinstalling all the software including the operating system. According to Gartner, however, many PCs became reinfected immediately when backed-up user data that contained hidden executables was restored to the re-imaged machines.

In the past 18 years there have been amazing advancements in every facet of IT -- in networks, processors, memories, disks, languages, applications, development methods and security tools. Yet technology clearly has not turned the tide of war with cyber criminals.

"Our opponents in cybersecurity are winning, and they will continue to win," says Jim Routh, chief information security officer at The Depository Trust & Clearing Corp. "This is not a war we will ever see an end to."

William Scherlis, a professor of computer science at Carnegie Mellon University and a specialist in software security and reliability, says that attacks today are more sophisticated, more stealthy and carried out much faster than ever before. He points to three trends in IT that are making the problem worse.

"They are obvious, but they have crept up on us, and the world is now radically different," he says.

The first is a sea change away from functional system silos to interconnected, enterprise and cross-enterprise systems. A failure at one spot can influence or cascade to places far removed in time, geography and function.

The second is a decentralization of IT responsibility, some of it going to non-IT people. "One change -- such as a simple change in access privileges by an administrator, or a change to a business rule by a marketing expert -- can ripple across a worldwide enterprise," Scherlis says.

The third factor, related to the other two, is the extreme speed with which actions -- simple mistakes as well as attacks -- are propagated through networks and systems. "All three of these changes contribute value and agility to the enterprise, but they also reshape the security picture," he says.

Scherlis says that a few years ago, an organization would have put an "enterprise firewall" between its internal systems and external networks. Later, when it became obvious there were bad actors or bad software inside the company, the company would have turned to departmental firewalls and, soon after that, to firewalls on individual computers. Then, when that proved insufficient, the company would have started putting shields around individual applications.

Now, Scherlis says, even that is not enough as systems get more and more fragmented yet interconnected. "Modern applications contain frameworks and libraries from diverse sources, and they stretch across multiple computers," he says. "So now you need to consider perimeters inside the application, at the application programming interfaces."

Even the simplest of modern applications may contain thousands of individual executable components, from multiple sources. "That makes the software assurance problem really hard," Schneider says.

Turn the tables

Fred Schneider, a software security and reliability expert at Cornell University, goes even further, saying that the whole notion of building defensive perimeters -- at any level -- is outdated.

"Today, people discover vulnerabilities because someone uses one in an attack, and then they fix it. They are walking around finding holes in the dike and patching them. This is playing catch up and letting the attacker define the problem. It's an inherently losing mind-set."

But, he suggests, "what if we turned the tables in a way that allowed us to stay ahead of attacks?"

Many Internet-borne attacks come via spoofing; you get a message purporting to be from Citibank, but it's not, and it contains some malware. "Suppose every message on the Internet could be attributed to the person who sent it?" he says. "Then, when someone launched an attack, you could find out who sent it and arrest them."

He says this would change the mind-set from one of prevention to one of accountability. People would behave not because their misbehavior is blocked, but because they could be caught and held accountable.

"The problem with the current prevention mentality is you have to protect everything," Schneider says, "but the attacker only has to find one chink in the armor."

Although not trivial, implementing such accountability on the Internet is technically feasible. But there are two big barriers to making it happen, Schneider concedes.

One is an expectation of anonymity that many users would not lightly relinquish. The other is that vagaries of local law and custom could render attackers outside the U.S. difficult to bring to account.

"We need to strike a balance between accountability and anonymity," Schneider says, "and we need international agreements."

At least one major software maker may have gotten the message. In a paper published last year, Microsoft Corp.'s Scott Charney outlined steps the company has taken since 2002, when Bill Gates created the Trustworthy Computing initiative that Charney now heads. He notes that the company has made "significant progress" in strengthening its products against attack, but he acknowledges that improving any given piece of software isn't enough.

Charney argues that we must fundamentally "change the game," and that two elements are needed to do that. The first is to build a "trusted stack," with strong authentication at every layer -- hardware, software, people and data -- something Microsoft calls end-to-end trust. The second would implement Schneider's prescription for auditability of events to provide accountability.

However, in the short term, users must do the best they can with existing technology, says Alan Paller, research director at the SANS Institute, an information security education firm. He says cyberthreats that exploit software are of three types: those that exploit vulnerabilities left by faulty coding, those that exploit logic errors in faulty designs, and social-engineering exploits that trick users into doing things they shouldn't do, such as revealing a password.

"The most powerful of the new attack techniques are in social engineering, where they are doing much deeper analysis of the people they are going to attack," Paller says. But part of that is pure technology, he says, "because once you let the guy in, he still has to break some things."

That means defensive technology is needed inside the system so that if a user, for example, clicks on some malware, the attacker can't then insert a keystroke logger or other malicious software in his machine.

Users aren't helpless

So it seems users are in a holding pattern. They're waiting for software vendors to fortify individual products, something they have been doing slowly for years; they're waiting for IT companies to make massive rollouts of trust technologies; and they're waiting for governments and societies to agree on accountability measures. Meanwhile, companies like Heartland and P&G are on their own.

But there are things users can and should do, Scherlis says. "The key phrase is 'configuration management,'" he says.

People underestimate the importance of this because it sounds dreary and dull -- like taking inventory. But very few organizations or users even know what's running on their computers. "Stuff just turns up, and you don't even know what its heritage is," he says.

Scherlis says that a typical desktop can have 5,000 or more executable files, with many of uncertain origin. Additionally, there are hidden files and dynamic modifications to files. "That's pretty scary," he concludes.

"Attend to the provenance" of your software, Scherlis says, and "be absolutely rigorous about configuration management and configuration integrity, both during development and ceaselessly during operations."
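Scherlis's advice to know what executables are on a machine and to watch configuration integrity, together with the P&G re-infection path (hidden executables riding back in with restored user data), can be illustrated with a small baseline-and-diff inventory. This is an added example for this article, not a tool used by P&G, Gartner or Scherlis; it classifies files by their leading bytes rather than by name, records a baseline of executables, and reports what appeared or changed after a restore. The directory layout and file contents are constructed for the demo.

```python
import hashlib
import tempfile
from pathlib import Path

# Leading bytes of common native executables and scripts. Checking content instead of
# extension is what catches a binary that has been renamed to look like a document.
EXEC_MAGIC = (b"MZ", b"\x7fELF", b"#!")


def is_executable_content(path: Path) -> bool:
    """True if the file begins with a known executable signature."""
    try:
        with path.open("rb") as f:
            return f.read(4).startswith(EXEC_MAGIC)
    except OSError:
        return False


def inventory(root: Path) -> dict:
    """Relative path -> SHA-256 for every executable-content file under root."""
    return {
        p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
        for p in sorted(root.rglob("*"))
        if p.is_file() and is_executable_content(p)
    }


def diff_inventory(baseline: dict, current: dict) -> dict:
    """Executables that appeared, vanished or changed since the baseline was taken."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "changed": sorted(k for k in baseline.keys() & current.keys()
                          if baseline[k] != current[k]),
    }


def demo() -> dict:
    """Constructed scenario: baseline a clean tree, then restore 'user data' hiding a binary."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "bin").mkdir()
        (root / "bin" / "tool").write_bytes(b"\x7fELF" + b"\x00" * 16)  # known-good binary
        (root / "notes.txt").write_text("quarterly figures")            # ordinary data, ignored
        baseline = inventory(root)
        # Restore of backed-up user data: a ".doc" that actually starts with an MZ header,
        # plus an unexplained change to the known-good binary.
        (root / "docs").mkdir()
        (root / "docs" / "report.doc").write_bytes(b"MZ" + b"\x90" * 16)
        (root / "bin" / "tool").write_bytes(b"\x7fELF" + b"\x01" * 16)
        return diff_inventory(baseline, inventory(root))


if __name__ == "__main__":
    print(demo())
```

In practice the baseline would be stored and signed off-host, and the scan run over restored data before it is copied onto a re-imaged machine.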

In the meantime, he says, an emerging idea is for builders of software to produce evidence that their code meets certain criteria. Developers can help buyers and users evaluate software by providing test cases, models, linked documentation such as Javadoc, development/configuration logs, bug/issue logs and analysis results, he says.

But even the best protective measures will never completely do the job, says Robert Lucky, a research vice president at Telcordia Technologies Inc. Lucky chaired a U.S. Department of Defense task force in 2006 that looked into the threat from malicious code secretly inserted in U.S. software developed abroad.

His report detailed a number of steps that could be taken to help protect against such sabotage, but he told Computerworld recently that he considers the problem of cybercrime "intractable."

"The bottom line for me is always risk assessment," he says. "You can't spend an infinite amount of money. You have to make intelligent trade-offs and accept risk."

The best approach, Lucky advises, is to identify those system components that are critical and sensitive, and "spend the big bucks" only on those. But he admits that it's not easy to list all the critical components in a large, complex system.

No matter what users and vendors do, Cornell's Schneider warns against complacency. Schneider, who chairs Microsoft's external advisory board on security, says, "It's clear [Microsoft's] software is much more secure than it was five years ago -- no question."

But whether software is more secure is not the right question to ask, he says, "because the threat has changed, too."

The fact that software has gotten better is nice, he says, "but software is getting more complex, and the rate of successful attack seems to be increasing."

The challenge today is to approach the problem more holistically. And we'd better hurry, Schneider says, because the bad guys are nowhere near as knowledgeable as they could become.

"There are lots more sophisticated methods of attack that they don't yet use," he says. "Our software could get better, and they would still have many tricks."


This story, "Software: the Eternal Battlefield in the Unending Cyberwars" was originally published by Computerworld.

Copyright © 2009 IDG Communications, Inc.