
Attack Trends
Editors: Iván Arce, [email protected] Elias Levy, [email protected]

The Weakest Link Revisited

Iván Arce, Core Security Technologies

PUBLISHED BY THE IEEE COMPUTER SOCIETY | 1540-7993/03/$17.00 © 2003 IEEE | IEEE SECURITY & PRIVACY

ILLUSTRATION BY ROBERT STACK

It is a common saying that a chain is only as strong as its weakest link—a phrase information security officers, IT managers, consultants, researchers, journalists, and opinion makers reiterate ad nauseam when referring to an organization’s information security posture. Most in the information security community would agree that a security architecture is only as strong as its weakest link. However, they usually cannot agree on what that is, and no expert risks making a definite statement about it.

We can argue that a security strategy’s weakest component will vary from one organization to another but perhaps we should compare past perceptions of what a weakest link is to what it could well be in the near future.

The weakest link timeline

A retrospective look at information technologies, information security trends, and threat models provides a few good guesses as to what the weakest links were in previous decades.

The mainframe

The mainframe and early timesharing systems of the 1960s and 1970s had stringent mechanisms to enforce security at the operating system level. When coupled with physical access controls and security clearance requirements, these mechanisms presented a substantial barrier to opportunistic attackers or internal attack threats. Substantial research efforts in secure operating systems design and security mechanisms subversion [1, 2], results of penetration-testing exercises [3, 4], and the emergence of security-oriented subsystems such as IBM’s Resource Access Control Facility and Computer Associates’ ACF-2 and Top Secret (software packages that manage and enforce access control restrictions to mainframe resources) indicate that the primary security concern was internal operating system security. Therefore, the weakest link could be defined as flaws in an operating system’s security controls or as procedural weaknesses in its development and deployment process. As Roger Schell, Peter Downey, and Gerald Popek outline in Preliminary Notes on the Design of Secure Military Computer Systems:

“Most contemporary shared computer systems are not secure because security was not a mandatory requirement of the initial hardware and software design. The military has reasonably effective physical, communication, and personnel security, so that the nub of our computer security problem is the information access controls in the operating system and supporting hardware.” [5]

Successful exploitation of a mainframe assumed a both technically and financially resourceful attacker who could access the computing facilities and had extensive knowledge of operating system internals and the technical expertise to develop complex attacks. The military, government, and large educational and research organizations of the ’60s and ’70s, as main users of mainframes and timesharing systems, could easily associate the attackers’ profile to their IT infrastructure. In this way, they could focus their effort in preventing security breaches from determined intruders with access to the operating system either as legitimate users or through procedural flaws in the operating system development and deployment process.

The personal computer

During the ’80s, extensive deployment of PCs in companies and households not only revolutionized the work and leisure time of a new range of computer users, but also presented a new security problem: the computer virus.

While mainframes and Unix systems continued to present challenges related to the traditional ’70s approach to operating systems’ security, the growing number of PCs were completely open to a new form of attack because of the lack of security controls in hardware and software. The computer virus [6] threat became the springboard for a multibillion-dollar industry—Network Associates and Symantec entered the information security market as antivirus companies—and the principal security concern of any PC user.

Researchers considered the computer virus a minor threat because it only affected isolated computers with limited spreading capabilities due to the spread mechanism’s low bandwidth and, in general, they deemed virus infection to be an implausible method for directly attacking specific targets.

However, with the introduction of hard-disk technology in the early ’80s and the usage of floppy disks to transfer information between computers, the virus threat became more evident and incidents multiplied rapidly. A virus could infect files stored in the hard disk, make itself a persistent problem, and spread through files exchanged in floppy disks between otherwise isolated PCs.

By the end of the ’80s and into the early ’90s, researchers identified the desktop computer and its susceptibility to computer viruses as the weakest link [7, 8], and extensively documented and analyzed numerous accounts of newly discovered viruses and virus infection incidents [9].

The networked organization

In the 1990s, the security community focused its attention on network security. The interconnecting of multiple networks via a set of Internet protocol standards and the sudden realization that research, academic, and government and military organizations’ networks (which until then were somewhat isolated from untrusted users) were open to attack demanded additional measures beyond traditional operating system security. Servers, not workstations, were the crown jewels to protect, but efficient control of interconnected servers was not enough to prevent external attackers from breaching security.

The firewall emerged as the de facto security device that separated friends (internal, controlled networks) from foes (all others on the outside) and effectively “sealed” the perimeter, the newly identified weakest link.

Extensive study of the security of networking protocols and infrastructure components identified new security problems such as security design flaws in the Internet protocols, weak user authentication systems, and buffer overflow conditions in the most common publicly accessible network services and proposed new solutions. Meanwhile, the use of LANs to connect PCs (which were previously isolated) to internal corporate networks (which were protected only at the perimeter), highlighted a problem that became evident by the mid ’90s with the full adoption of the World Wide Web and the Internet as a means to conduct daily business.

In short, by the end of the decade, the weakest link became a moving target. While still struggling to secure the perimeter and server systems with solutions such as firewalls, cryptographically strong authentication systems, network and host-based intrusion detection systems, VPN devices, and cryptography additions to networking protocols, organizations then faced a new threat—a blurring perimeter that made it almost impossible to differentiate friends from foes and internal users from external attackers and vice versa.

The community’s immediate reaction to the threat called for increased attention to server security, operating system controls, patch management, and additional perimeter defenses, not only to protect the organization from external attacks but also to detect and react to incidents.

The weakest workstation: A new beginning?

“Desktop operating systems and the individuals operating them become the most obvious vulnerable avenues of attack for internal and external threats.”

Information security—both as a practical discipline and as an academic field—has steadily increased in complexity since the 1950s. A wider range of problems must now be considered to devise effective security architectures for today’s organizations. Security solutions should account for our IT infrastructure’s technological challenges and the particular aspects of human and organizational behavior. It is in this

digital media players, and a wide range of software packages that interact directly or indirectly with internal networks and the Internet are an information security officer’s nightmare. To effectively mitigate risk, the security officer now must identify vulnerabilities and assess their impact in a large set of software packages from multiple vendors ranging from small to large software companies, in-house development teams, and third-party integrators with various degrees of maturity in their development

Several indicators point to the workstation being the new weakest link.

The human factor

An organization’s IT assets are ultimately managed and operated by humans, and an IT asset’s management and operational roles typically are not assigned to the same individual. Generally, those who have the most security training in the organization manage and operate security infrastructure components. IT staff with various degrees of expertise manage and operate internal and publicly accessible servers as well as mission-critical applications, and are tasked to maintain and enforce an organization’s information security policy.

At the end of the line comes managing workstations and workstation security. Although this responsibility hopefully falls with IT staff, usually it falls to end users—perhaps the least