Computer Security Issues that Affect Federal, State, and Local Governments and the Code Red Worm

Testimony of Jeffrey J. Carpenter, Manager, CERT^® Coordination Center
Software Engineering Institute
Carnegie Mellon University
Pittsburgh, PA 15213

Before the House of Representatives Committee on Government Reform, Subcommittee on Government Efficiency, Financial Management and Intergovernmental Relations

August 29, 2001

Contents:

Introduction
The Code Red Worm
The Implications
Contibuting Factors and Trends

Intruder Activity: The Ease of Exploitation

Vulnerability of Technology on the Internet

Difficulty of Fixing Vulnerable Systems

Prognosis for the Future
Recommended Actions
Conclusion
Attachments

Introduction

Mr. Chairman and Members of the Committee:

My name is Jeffrey Carpenter. I manage the CERT^® Coordination Center (CERT/CC), which is part of the Software Engineering Institute (SEI) at Carnegie Mellon University. Thank you for the opportunity to testify on computer security issues that affect the government. Today I will discuss the Code Red worm attacks, the broader implications, and considerations for the future.

The CERT^® Coordination Center (CERT/CC) is part of the Survivable Systems Initiative of the Software Engineering Institute, a federally funded research and development center operated by Carnegie Mellon University. The CERT/CC was established in 1988, after an Internet "worm" stopped as much as 10 percent of the computers connected to the Internet. This program—the first Internet security incident to make headline news—was the wake-up call for network security. In response, the CERT/CC was established at the SEI. The center was activated in just two weeks, and we have worked hard to maintain our ability to react quickly.

The CERT/CC is now recognized by both government and industry as a neutral, authoritative source of data and expertise on information assurance. In addition to handling reports of computer security breaches and vulnerabilities in network-related technology, the CERT/CC identifies preventive security practices, conducts research, and provides training to system administrators, managers, and incident response teams. More details about our work are attached to the end of this testimony (see "Meet the CERT Coordination Center").

In the first full year of operation, 1989, the CERT/CC responded to 132 computer security incidents. In 2000, the staff handled more than 21,700 incidents. In total, the CERT/CC staff has handled well over 63,000 incidents and cataloged more than 3,700 computer vulnerabilities. This testimony is based on that broad experience as well as our specific experience with the Code Red worm.

The Code Red Worm

Of the thousands of vulnerability reports that come into the CERT/CC, it is difficult to predict which ones the intruder community will exploit and how rapidly exploit scripts (computer programs the intruders use to take advantage of a vulnerability in a computer) will become available. CERT/CC security experts analyze every vulnerability and widely disseminate information on the most serious ones. These are published as CERT advisories, which are posted on the CERT/CC web site (www.cert.org) and sent to a mailing list of 150,000 addresses, most of which go to system and network administrators.

On June 19, 2001, we published an advisory describing the vulnerability that was later exploited by the Code Red worm. CERT advisory CA-2001-13, "Buffer Overflow in the IIS Indexing Service DLL," describes a vulnerability in Microsoft's Internet Information Server (IIS—a web server) that could allow an intruder to compromise the web server. This means an intruder could take control of a vulnerable computer, access or change data on that computer, or use that computer to launch attacks against other sites. The advisory includes links to a Microsoft bulletin and patches. (This advisory and other CERT/CC publications on Code Red are appended to this testimony.)

The first signs of the Code Red worm appeared on July 13, 2001. Code Red is a malicious program called a worm because it is self-propagating. When it compromises a computer, the worm uses that computer to begin looking for other vulnerable computers; it then propagates itself to those computers without any user action. Code Red took advantage of the fact that many computers on the Internet ran vulnerable versions of IIS.

On July 19, a more aggressive version of the Code Red worm began spreading rapidly. We published an incident note (IN-2001-08) that describes the activity and the need for system administrators and users to apply the appropriate patch if they are running a vulnerable version of IIS. As the day progressed, the rate of computers being scanned and compromised continued to increase. We were aware of tens of thousands of computers compromised, which was unprecedented for this type of activity in a 24-hour time frame. This increase in activity warranted another advisory—CA-2001-19, "Code Red Worm Exploiting Buffer Overflow in IIS Indexing Service DLL."

On July 20, Code Red changed its type of activity. Instead of propagating, the worm attempted to launch a denial-of-service attack against a high-profile web site. When this change occurred, the worm stopped spreading. The CERT/CC helped to coordinate an effort by the major Internet Service Providers to mitigate the effectiveness of the denial-of-service attack.

By this time, more than 250,000 computers had been compromised. In other words, in the month after the advisories were released by both the CERT/CC and Microsoft, more than 250,000 computers still had not been patched. (Even people who removed the worm remained vulnerable to attack if they did not patch their systems.) The CERT/CC, along with a number of government and industry organizations, worked over the next few weeks to publicize this fact and to raise awareness of the need to patch systems immediately. There was an urgency connected with this joint warning because we anticipated a change back to propagation mode on August 1, 2001.

Even with the publicity, when the worm began propagating again on the first of August, 150,000 computers were compromised by the very next day.

The Implications

The significance of the Code Red worm lies beyond the specific activity we have described. Rather, the worm represents a larger problem with Internet security and forecasts what we can expect in the future.

My most important message today is that the Internet is not only vulnerable to attack today; it will stay vulnerable to attack in the foreseeable future. This includes computers used by government organizations at all levels, computers used at research laboratories, in schools, in business, and at home. They are vulnerable to problems that have already been discovered, sometimes years ago, and they are vulnerable to problems that will be discovered in the future.

The implications for Federal, state, and local governments is that their computer systems are vulnerable both to attack and to being used to further attacks on others. The confidentiality, integrity, and availability of their information is at risk of compromise.

Contributing Factors and Trends

Multiple factors contribute to the problem and pose obstacles to the solutions. They include the nature of intruder activity, the vulnerability of technology on the Internet, and the difficulty of fixing vulnerable systems.

Intruder Activity: The Ease of Exploitation

CERT/CC experience shows that the intruders will develop exploit scripts for vulnerabilities in products such as IIS. They then use these scripts to compromise computers and, moreover, share these scripts so that more attackers can use them. Automation increases the efficiency of the attacks.

New exploits are causing damage more quickly than those created in the past. The Code Red worm spread around the world faster than the so-called Morris worm moved through U.S. computers in 1988, and faster than the Melissa virus in 1999. One primary reason is that intruders are developing better techniques for identifying vulnerable computers and exploiting them. (See the Attack Sophistication diagram appended to this testimony.) After the Morris worm in 1988, we saw little significant use of worms until last year. In the past, intruders found vulnerable computers by scanning each computer individually, in effect limiting the number of computers that could be compromised in a short period of time. Now intruders use worm technology to achieve exponential growth in the number of computers scanned and compromised. They can now reach tens of thousands of computers in minutes or hours, where it once took weeks or months.

This fast exploitation limits the time security experts like those at the CERT/CC have to analyze the problem and warn the Internet community. Likewise, system administrators and users have little time to protect their systems.

Vulnerability of Technology on the Internet

Last year, the CERT/CC received 1,090 vulnerability reports, more than double the number of the previous year. In the first half of 2001, we have already received 1,151 reports and expect well over 2,000 reports by the end of the year.

Among the reasons for the vulnerabilities are software design and development practices that do not focus sufficiently on security and system administration practices that leave systems vulnerable.

There is little evidence of improvement in the security of most products; developers are not devoting sufficient effort to applying lessons learned about the sources of vulnerabilities. The CERT/CC routinely receives reports of new vulnerabilities. We continue to see the same types of vulnerabilities in newer versions of products that we saw in earlier versions. Technology evolves so rapidly that vendors concentrate on time to market, often minimizing that time by placing a low priority on the security of their products. Until customers demand products that are more secure or there are legal or liability changes, the situation is unlikely to change.

Good security practice is as important in system administration as it is in software development. The Internet is becoming increasingly complex and dynamic, but among those connected to the Internet there is a general lack of adequate knowledge about the network and about security. The rush to the Internet, coupled with a lack of understanding, is leading to the exposure of sensitive data and risk to safety-critical systems. Misconfigured or outdated operating systems, mail programs, and web sites result in vulnerable computer systems that intruders can exploit.

Difficulty of Fixing Vulnerable Systems

With an estimated 2,000 (and climbing) vulnerabilities being discovered each year and exploit scripts available for many, it can be difficult to quickly determine how serious the spread of a particular exploit will be. Analyzing the exploit scripts is time consuming even when source code is available. These obstacles, combined with fast exploitation, make it difficult for security experts to provide timely warnings and workarounds.

System and network administrators are also in a difficult situation. They are challenged with keeping up with all the systems they have and all the patches released for those systems. Patches can be difficult to apply and might even have unexpected side effects.

We have found that, after a vendor releases a security patch, it takes a long time for system administrators to fix all the vulnerable computer systems. It can be months or years before the patches are implemented on 90-95 percent of the vulnerable computers. For example, we still receive reports of outbreaks of the Melissa virus, which is more than two years old.

There are a variety of reasons for the delay. The job might be too time-consuming, too complex, or just at too low a priority for the system administration staff to handle. With increased complexity comes the introduction of more vulnerabilities, so solutions do not solve problems for the long term—system maintenance is never-ending. Because many managers do not fully understand the risks, they neither give security a high enough priority nor assign adequate resources. Exacerbating the problem is the fact that the demand for skilled system administrators far exceeds the supply.

Even in an ideal situation, conscientious system administrators cannot adequately protect their computer systems because other system administrators and users, including home users, do not adequately protect their systems. People don't keep their anti-virus software up-to-date; and they don't apply patches to close vulnerabilities. Computers on the Internet are more interdependent than most people realize. The security of each system on the Internet affects the security of every other system.

Prognosis for the Future

Things are not going to get better in the foreseeable future. The number of Internet users increases daily (an estimated 109 million computers were connected to the Internet at the beginning of this year). Many users aren't aware of security issues—or aren't aware that their computer can be used to attack others. Even if they are aware, they aren't knowledgeable enough to implement appropriate security. The lack of security on their systems puts all other systems on the Internet at risk.

While we continue to see exploitation of old vulnerabilities, we are also seeing an increase in new vulnerabilities. Many of them have the same root causes. And many of them can be prevented by good software development practices and good system administration practices. The continuing increases in incident reports to the CERT/CC suggest that the use of these practices is limited.

Federal, state, and local governments should be concerned. Their increased use of the Internet to conduct business and provide information results in a corresponding increase in the risk of compromise.

Recommended Actions

Action is needed on many fronts: product development, system administration, home use, and acquisition. The government needs to support research on computer security and network survivability, as well as supporting education.

Technology product development: Most vulnerabilities in products come from a few root causes. They remain in products, waiting to be discovered, and are fixed only after they are discovered while in use. Worse, the same flaws continue to be introduced in new products. Vendors need to be proactive, improving their development practices and shipping products configured securely "out of the box." Improved practices will reduce the vulnerabilities in products on the market and thus reduce the risk of compromise.

System administration: While we tell system and network administrators to keep their systems up to date with security patches and workarounds, the volume of patches and difficulty in installing them makes it very difficult for system and network administrators to keep up to date. System administrators need better tools to manage the updating of software and computers.

Computer users/consumers: Because the survivability of systems is dependent on the security of systems at other sites, fixing one's own systems is not sufficient to ensure those systems will survive attacks. Home users and business users alike need to be educated on how to operate their computers most securely, and consumers need to be educated on how to select the products they buy. Market pressure, in turn, will encourage vendors to release products that are less vulnerable to compromise.

Acquisition: It is important to evaluate suppliers for product security, but the current ways of describing security in requirements are immature. Using a list of features (such as encryption and a firewall) is helpful but not sufficient. The problem is not a lack of features, but software that is flawed.

In addition to improving the way security requirements are described, we recommend that acquisition practices encourage diversity. Malicious code like Melissa and Code Red spread better in a highly homogeneous environment. Diversity improves survival.

Government support: For long-term improvements to occur, the government should do the following:

Sponsor research and development leading to safer operating systems that are also easier to maintain and manage.
Sponsor research into survivable systems that are better able to resist, recognize, and recover from attacks while still providing critical functionality.
Provide meaningful infrastructure support for university programs in information security education and research to produce a new generation of experts in the field.

Conclusion

Problems such as the Red Code worm are likely to occur again. Solutions are not simple because the underlying causes must be addressed. However, we can make significant progress through changes in software design and development practices, in system administration, in the knowledge level of users, and in acquisition practices. Additionally, the government should support research, development, and education in computer and network security.

Attachments

Attack Sophistication Diagram:

See the conditions for use, disclaimers, and copyright information.

CERT^® and CERT Coordination Center^® are registered in the U.S. Patent and Trademark Office.

This page was last updated on August 24, 2001.