Information Security News mailing list archives

Network Guardians Face Thorny Job


From: InfoSec News <isn () c4i org>
Date: Mon, 17 Mar 2003 05:14:29 -0600 (CST)

http://www.wired.com/news/infostructure/0,1377,58067,00.html

By Michael Grebb  
March 15, 2003

WASHINGTON -- The task of protecting America's communications and
information networks isn't getting any easier.

And federal agencies and private companies face a steeper and steeper
battle, according to data presented Friday at the Network Reliability
and Interoperability Council meeting at the Federal Communications
Commission.

Indeed, while computer viruses used to take days to spread across the
Internet, the Code Red virus propagated in 37 minutes in 2001, and the
more recent Slammer worm spread in about eight minutes.

"The propagation time for evil to hit everybody has gone from days to
minutes," said Bill Hancock, chairman of the Network Reliability and
Interoperability Council's cybersecurity focus group and vice
president of security at Cable & Wireless. (The NRIC is made up of
representatives from the telecommunications, cable, wireless,
satellite and ISP industries.)

Nonetheless, Hancock said Slammer would have died quickly if companies
had installed available patches to disable vulnerable ports. Instead,
it took about three days to neutralize.

"We live in a no-trust environment, and we need to figure out how to
deal with that," he said.

Others insisted that companies take Internet security as seriously as
physical security in the post-Sept. 11 world.

"I think people are treating cyberspace with renewed vigor," Richard
Notebaert, NRIC chairman who is CEO of Qwest, said in an interview
after the meeting. "We take this very seriously."

Notebaert conceded that small firms without many resources often face
challenges or delays in updating patches and fixing other network
problems. But he argued that problems aren't widespread.

"Prevention is so much better now than it was," he said. "But
sometimes a patch gets stuck in an in-basket."

As companies' vigilance increases, however, so do the threats.

Hancock said convergence of voice and data into packet networks and
the practice of assigning TCP/IP addresses to wireless devices has
turned just about everything into a "hackable target." He said
engineers must work together to improve signaling protocol security
and increase compatibility.

A common problem is that network protocols and operating systems don't
have the same security features, forcing tough choices for
administrators responsible for keeping networks up and running.

"In some cases, you may have to turn off (security) features to get
the operating system to work," Hancock said.

Physical security is also often overlooked.

Experts said managers should be increasingly worried about "blended
attacks" in which terrorists could simultaneously target physical and
virtual infrastructure to compound damage or to disrupt the ability of
first-responders to communicate and respond to an emergency.

"Sept. 11 had a big impact on the communications infrastructure," said
Karl Rauscher, director of network reliability at Lucent Technologies'
Bell Labs unit and chairman of NRIC's physical security focus group.  
"But that was just collateral damage."

In case of a direct attack on the nation's communications networks,
Rauscher said companies should plan for every contingency, including
storing extra fuel reserves for generators and backup equipment,
mapping out alternative transportation and even checking for chemical
residue that could damage equipment in the wake of a chemical attack.

The 56 NRIC members will vote on more than 200 "best practices"  
recommendations by March 28, then start the tough process of getting
members to adopt them across the country. With the telecommunications
sector in a financial slump, persuading companies to spend money
implementing the guidelines won't be easy.

At least one motivating factor, however, is the constant threat of
regulation from Congress: Some lawmakers would rather force specific
requirements on communications companies than trust voluntary industry
guidelines.

Notebaert repeatedly reminded NRIC members to stay involved -- lest
Congress mandate it.

"Voluntary is better than mandatory," he said.



-
ISN is currently hosted by Attrition.org
