Conclusions and Recommendations
C&R (sub)Table of contents
The bottom line - the numbers
I categorized the potential security problems into two groups -
red and yellow. Red problems are more serious than yellow ones, and,
if a host has both a red and a yellow problem, it will only be reported
in the red category.
Red problems mean
that the host is essentially wide open to any potential attacker - there
are known security problems
that can be exploited, usually by typing a few simple commands or running
a widely-published program against the host. For instance, a typical
red problem is a host having its anonymous ftp service misconfigured.
It would take a potential intruder about 10 or 12 seconds (assuming she or
he weren't a very good typist) to type the two or three lines needed
to exploit this problem and compromise the system (more information about
this example and others like it can be found in a paper written by
Wietse Venema and myself, called
Improving the Security of Your System by Breaking into It.)
Yellow security problems are less serious, but still of great concern;
they mean one of two things, and with either one I would put the host
in a high risk group for potential disaster:
This table gives a summary of the types of hosts, the number of
hosts in each category, and the vulnerability percentages of each
host type; I've highlighted the totals from the survey hosts and the
results for the random hosts for easy comparison. All
of these numbers are upper limits, but still pretty scary!
- the problem does not immediately compromise the host, but either
could cause serious damage to the host (for instance, the
ability to delete any file or to crash the system) or, if used
in conjuction with other problems, could mean that the host
could be broken into with little effort.
- there is a good possibility that a red problem exists on the host,
but further, more intrusive testing was required. Due to the
hands-off approach of the survey, no effort was made to verify
that a red problem actually existed.
The total number of hosts in the individual categories does
not add up to the "Total" number of hosts because of multi-homed hosts.
|Type of site
||Total # of hosts scanned:
||Total % Vulnerable
|US federal sites
If you're interested in further details, you can go the to the
breakdowns-by-vulnerability type page,
which lists breakdowns for all the vulnerabilities for each host class.
I'm not going to subject the rest of you to that tedium.
To some degree, the numbers almost speak for themselves. It doesn't
take a degree in archery to see that nearly two thirds
of the surveyed hosts have significant security problems. About a
third of them can be broken into with almost no effort at all.
I estimate that approximately 3/4 of all surveyed sites could
be broken into if significant force and effort were applied.
Some additional commentary:
- Why are the numbers so high? There is no one
problem that all hosts have. It's a bit of this problem, a bit of
that problem. If anything, it is that the hosts are trying to
do too much at once. They are Web, news, nameservice, ftp and
other types of servers, they are user machines - that
is, people use the computer for general purpose things, like mail,
WWW browsing, etc. None of these are wrong or harmful by
themself, but way too much is going on on these hosts.
To make a host secure, you need to keep things simple and small.
More than one function (such as being a WWW server, a mailhub,
etc.) per host is simply too difficult in practice
to keep secure. Theoretically there should be almost no difference,
but humans are not merely theoretical creatures.
- Note is how similar the results are for the surveyed hosts; four
out of the five types of sites range from 61 to 69 percent total
vulnerabilities. If a host has a higher than usual yellow
vulnerability score, then they usually have a low red one, and
vice-versa. I would surmise that if more hosts were surveyed and
more tests were run the final numbers would be even closer together.
To repeat an earlier and very important point: it is vital to note that
there is a significant difference between a bank, credit union, federal
agency, or whatever, and the real, physical location of the organization.
Most Web sites amount to what is primarily an advertisement on the
Internet, and the systems are often managed by an ISP or business that
is entirely unrelated to the real organization. And though some WWW
sites provide considerable amounts of information,
and the number of services being offered is rising,
it is important to see that even if you could break into one of the
Web sites in this report you couldn't actually steal any money! This
is not to say, of course, that such a thing couldn't happen in the future
as the Internet is relied on for more and more commercial and government
Here are some of the reasons these high-profile hosts are
in more danger than their randomly chosen cousins:
- More services being run. The configuration woes of Web, name service
gopher, ftp, and other network service programs add considerably
to the security problems on the Internet.
- Commercialization of the Internet. The intense competition among
the many different vendors forces out products that are poorly
designed, written, and tested. And when security is usually not
even on the top 10 list of customer wants, it will almost always
get short shrift. Netscape
programs (for instance) have wonderful
functionality (when they don't crash), but the company is
notorious for its abysmal security architecture and coding
practices - and they are not alone in this category. Most
companies use bright programmers who work long hours and
think that they have little use for software engineering practices
and security architectures, and they certainly have no training
or experience about how to write secure code.
By far the worst offenders are Microsoft and the various
Unix vendors that provide the OS's fueling virtually all of the
surveyed and random hosts. They demonstrate all of the above problems,
despite the fact that they have been around long enough to know
better (they're probably saying the same thing about me.) While
at least most of the Unix vendors admit to some serious
security problems from time to time, you would think that
NT and Windows 95 were paragons of safety if you listened to
Microsoft long enough. The appalling manner in which Microsoft
documents its operating systems and refuses to disseminate serious
security problems on their products borders on criminal
(I even like and use several Microsoft products, but their
philosophy on security is abhorrent to me.)
- Lots of attention is being paid to the Web and security. Fueled
by Java, the Mitnick chase, SATAN, etc., the denizens of
the Internet now are thinking about security in ever greater
numbers, and have
very good methods
for disseminating information to like-minded people. Discussions
on how to break into computing systems as well as how to defend
them are growing in number, but unfortunately the information
often doesn't make it to people outside these specialized circles.
- Businesses and other organizations are coming to the net,
expecting turnkey solutions to their company needs.
Unfortunately, the technology for this
has not arrived, at least with respect to security. Powerful
workstations running complex operating systems, network services,
and applications are not like cash-registers, and should not
be treated in the same way.
This illustrates the serious paridigm shift from the real to
the virtual world that appears to be missing from the
conciousness of Information superhighway.
With the ignorance about security combined with the
supreme emphasis on functionality and performance, you have a
situation like... well, a situation that looks almost exactly like
what we have today.
One of the the things that this survey has proven to me is that
people really do need a turnkey solution for the
Internet; they don't have the resources or the expertise to
set up a reasonably secure system on the Internet. But, as far
as I know, this sort of solution does not exist yet.
Which brings us to the next question: if these hosts have so many
security problems, why isn't something being done to eliminate
them? It's a good question, and a question with no easy answer.
I generally don't care one way or the other if people don't want to
learn about computer security; I'm content living alone in my world
of obsessions. But issues of computer security, whether people like it or
are increasingly encroaching upon the everyday life of more
and more of the population of the world.
With something on the order of 10% of the United States
currently using the WWW, and increasing numbers of important organizations
having at least
some sort of presence there, security becomes more than an
curiosity. I'm not advocating that the casual layperson learn about
security - however, I am encouraging them to demand
that these crucial
organizations that provide all sorts of social, cultural, and
services behave as responsibly on the Internet as they do off of
To be fair, I must say that there are many sites and
locations that have done a very fine job of protecting their on-line
resources. There is no reason that
others could not do the same. However, my experience with large
organizations has shown me that, while it is possible to have
a secure site, it is
very difficult. There are many technical strategies to
keep in mind while attempting to keep a site secure, and, combined
with the incredible fluidity and dynamism of computer security today,
it is increasingly difficult to use techniques and architectures
ill-designed for our current situation.
All of this is further exacerbated by the governments in the world making it
very difficult to create a safe and private world by making valuable
cryptographic techniques and practices difficult to legally implement
In any case, having a secure site is not about
having a technical guru throw up a firewall (no matter how secure it
is initially) and then having the guru disappear for a year or more,
until the next upgrade or because a security disaster is in progress.
Regretfully, this is how a great
many systems are put together (and I'm being very charitable about the
Farmer's law says that the
security on a computer system degrades in direct proportion to the amount
you use the system.
To make things worse, the social problems can be of even greater concern
and are more difficult to solve. Ignorant or malicious users do more
damage to system security than any other factors. And finally,
organization against social engineering
should be a real concern, especially with larger organizations.
I wrote this paper (is a collection of web pages a "paper"?) to try
to educate and alert people to what I consider an absolutely appalling
situation. Banks, governments, and other trusted institutions
are racing into a complex technical arena that they appear to know very
little about and to be doing still less to learn about. What is worse is
that in their mad rush to appear
technically savant they seem to have discarded any sense of
social and cultural responsibility to their constituents.
In the meantime, what can individuals do to protect themselves?
Would it be reasonable for
a person or an organization to rate the security level of systems on the net
without the permission of the systems involved? One of the tenets of this
paper was that no one would see which sites were actually involved or
found vulnerable. Would it have been more of a public service to disclose
the findings, so that WWW consumers could make intelligent and informed
decisions about using various services, or so that they could complain
to the agencies involved so that they could improve their security?
Since such a service does not yet exist, would it be reasonable for an
individual to test the security a site her/himself, given strong enough
motivation, such as the potential for monetary loss?
In "real life" no one would dream of putting money in a
bank without it being guaranteed of its safety acording to
government laws and standards.
But where are the standards in cyberspace? While there are laws
to protect your resources on-line, such as with credit card
theft, most companies don't keep 20,000 credit cards in a file where
anyone could reach in and steal them, which is exactly what happened with the
Shimomura/Mitnick case and Netcom.
What this survey revealed
should be totally unacceptable, at least
to anyone considering using the WWW/Internet for financial purposes.
So far system crackers have been generally benign - but as money starts
to show its face on public networks, I fear that this behavior will
become the exception rather than the rule.
That many people call me an "expert" about a field I have studied and
worked in for such a short time is equally disturbing. Computer
security is a young field, in which very little research has been
done to study practical applications in real life security situations.
How this dovetails with our increasing love affair with computers and
the Internet bodes ill for us, at least in the short-term.
But it is important to emphasize that, despite
my diatribes about the current situation and the practices used
by many Internet sites, Internet commerce and on-line communications
can be effective and reasonably secure.
This will only be possible, however, if people remember that, despite
how private and secure their communication is,
if an intruder can break into their
or the recipient's computer and capture the message, all is lost.
Secure commerce and WWW communications requires
two basic components needed to secure network communication:
- secure communication. This typically means a strong cryptographic
system that provides authentication and
encryption. Technically this is a moderately easy thing to
accomplish, but many, if not most, governments have laws that
prevent this from becoming a reality on the Internet. Netscape's
40 bit SSL security on their browsers is a
(this is no fault of Netscape - it's a federally mandated artificial
limitation.) The computing department of the
Helsinki University of Technology provides a
page on cryptography, if you'd like more information on this.
- secure endpoints:
- Servers, the computers that provide the services
and information used today, should be at least moderately secure.
While there currently is no standard (and it is not clear whether or
not such a thing is possible) to measure whether a machine
is "secure" or not, there are some
generally accepted guidelines
that can be adhered to.
- Clients, the computers that consume the services provided
by the servers, should be as secure as the servers that they
communicate with. This is often
much easier than securing the servers, but there are two significant
problems. First, individual users quite often control the security
of their own computers, without having much technical experience
or security education. This means that they often do things
compromise a system or site's security. Second,
the impact of a client's security on a larger organization's overall
security is often overlooked and even more frequently flatly
ignored. It's a serious subject, few have covered it, and I
could write another paper on this subject alone, but I've
compiled a few suggestions
to attempt to cover the basics of this thorny subject.
Needless to say, we have a long way to go.
The Final Solution
I forsee at least three basic solutions that we shall see more
of in the future:
- Continuous monitoring. Consistency is the key
to effective security. Most organizations don't have the resources or
expertise to monitor their own critical systems effectively. Having a
third party (a security consultant on retainer or a organization who
specializes in this) do this on a regular basis, running security programs,
patching security problems found (or at least informing you of
potential problems), keeping a continual eye on the latest in security
programs, bugs, etc. could be a cost-effective solution.
This individual or organization would have a significant amount of power
over the sites it covered, which, of course, would require a great deal
of resources and trust from all involved. Needless to say, they must have
impeccable security themselves. The danger would be diminished
if they didn't have an account on your systems, but the effectiveness
would also be lessened.
- Getting a "stamp of approval".
Unfortunately, unlike in the financial markets, there are no
organizations of note
that monitor sites or give any assurance that they are secure.
Such a thing is certainly possible, although difficult to do, given the
dynamism of the field. But
if an organization could give their stamp of approval confirming
that a site was relatively secure, it might be a way of
getting around the current uncertainty.
Such an organization would either create or utilize a reasonably standard
security policy for any host in
question; great care would have to be taken to ensure that the security
policy that the host was being audited against was very clear and concise.
Just like the "continual monitoring" solution, this organization would
perform routine security audits and have a significant amount of power
over the sites it covered, which, of course, would require a great deal
of resources and trust from all involved.
- Better security "out of the box" from the OS and program vendors.
This is the most difficult solution to implement, but probably the
only way a real long-term solution can be obtained.
I do hope this paper has proven to be both educational and useful for you.
I won't be doing this again anytime this millenium... and hopefully there
will be no reason for anyone to do it the next, as systems become more
and more secure. While I'm not holding my breath for this, I
am waiting for it!
Best of luck -
| dan farmer
|| Dec 18th, 1996