[ISN] Seeing No Evil

InfoSec News isn at c4i.org
Tue Nov 1 01:06:19 EST 2005


http://www.cio.com/archive/110105/evil.html

By Matt Villano
November 1, 2005 
CIO Magazine

In a mock courthouse earlier this year, the smack of a gavel opened a 
case for the ages. Behind one bench, the defendants: Internet service 
providers, on trial for not providing adequate security to their 
customers. Behind the other bench, the plaintiffs: fictional companies 
ravaged by distributed denial of service (DDoS) attacks. The jury: 
hundreds of IT security professionals, packed into a conference room 
at the Gartner IT Security Summit to watch it all unfold.

The plaintiffs argued that ISPs could do much more to improve security 
by scanning subscriber computers, monitoring traffic and shutting down 
suspicious network uses. The defendants claimed that performing such 
scans would violate user privacy and that it would be impossible to 
distinguish malicious traffic from legitimate e-mails. 

Accusations flew. The plaintiffs equated ISP intransigence to that of 
a homeowner whose property is dangerous but doesn't buy a fence to 
keep others out. In response, the defendants said people should stay 
away from dangerous property; that safety is a responsibility that 
falls squarely on the individual. Next, in a rhetorical ploy, defense 
lawyers asked jurors if any of them would be willing to stay at a 
hotel that offered Internet access in exchange for the right to scan 
all computers for security vulnerabilities. Not one member of the 
audience raised a hand.

Around and around the two sides went, attacking each other like packs 
of wolves. The interchange got so heated at times that people almost 
forgot it was fake. Someday soon, however, this scenario could be 
real. As security threats such as DDoS attacks, identity theft and 
phishing continue to plague the Internet, ISPs find themselves under 
increasing pressure from business and consumers to eradicate risks 
before they get to the end users. Because ISPs control the pipes 
through which information is delivered, many customers, including 
CIOs, insist that service providers must play a more active role in 
securing the traffic that they deliver.

"Right now, all ISPs provide is entry to the Internet, period," says 
Stephen Warren, CIO of the Federal Trade Commission. "Believe me, it's 
in their best interests to get all the crap off their lines."

As Warren implies, the time for action is now. If water utilities can 
be required by state and local governments to deliver water that is 
clean and acceptable to drink, why can't ISPs be required to deliver 
data that is safe and threat-free? Such requirements would hold ISPs 
accountable for cleaning up their networks and force them to monitor 
traffic as it passes through their pipes for maliciousness of all 
kinds. Regulating ISPs in this way also would relieve at least some of 
the security burden from CIOs, freeing up more time, money and 
resources for other areas.

But so far, those types of government regulations and industrywide 
policies governing ISP security do not yet exist. In part, that's 
because ISPs came of age in the Wild West ethos of the Internet, and 
providers generally have been unwilling to spend the extra money and 
resources to secure the middle of the information pipe for all of 
their users. In addition, many ISPs think that if they become security 
cops or anything more than traffic carriers, they will be legally 
liable in the event of security breaches. They are also concerned 
about censorship issues and blocking legitimate e-mails that look like 
spam.

How valid are these concerns? Should ISP security be regulated much 
like utilities (and to a lesser extent, the airlines) are now? Are 
industrywide polices governing security even feasible? These were 
among the questions that jurors considered as they deliberated over a 
verdict at the Gartner mock trial. CIOs struggling to secure their own 
networks must stand among those who consider these questions and look 
for answers. After all, what's at stake is the viability of the 
Internet as a medium for commerce, communication and business 
connectivity into the 21st century and beyond.

"Security is something that everybody is accountable for—everybody 
including the ISPs," says Michael Vatis, an attorney at Steptoe & 
Johnson, a law firm in New York. "There has to be a better way to 
approach this than how we're doing it today."


The Wild Wild West

Much of the ISP industry's unregulated growth can be traced to the 
Telecommunications Act of 1996, the first major overhaul of 
telecommunications law in 62 years. The goal of the law was to create 
a free-market economy in which any single communications company could 
compete in any marketplace. According to Jonathan Zittrain, cofounder 
of Harvard Law School's Berkman Center for Internet and Society, the 
law and subsequent other FCC rulings opened the way for outfits 
promising to provide Internet service. All one needed to become an ISP 
was some cash, a few servers, bandwidth and hosting space, and a 
marketing plan to bring in customers. David McClure, president and CEO 
of the U.S. Internet Industry Association, estimates the number of 
ISPs today to be more than 400. 

As ISPs grew helter-skelter, there was very little effort to 
standardize security on any level. The only real attempt came in 2003, 
when Congress passed the Controlling the Assault of Non-Solicited 
Pornography and Marketing (Can-Spam) Act, which established 
requirements for sending commercial e-mail, spelled out penalties for 
spammers and companies whose products are advertised in spam, and gave 
consumers the right to ask spammers to cease and desist.

The law has been less than successful so far. Ask any CIO what keeps 
her up at night and the general answer is security. Since 2003, the 
number of security threats has skyrocketed, with the usual suspects 
being viruses, spam, phishing scams and spyware. The botnet-driven 
DDoS attack complicates matters even more. In this scenario, attackers 
use worms or other malware to take over vulnerable computers on 
corporate and home networks around the world. The compromised machines 
(bots, or zombies, as they're sometimes called) are then herded into a 
botnet, typically controlled through an Internet relay chat (IRC) 
server on which each bot waits for commands. On command, the zombies 
set their sights on one particular corporate Web server and 
simultaneously bombard it with requests until the load brings it down. 
According to various estimates, the same botnets are also the source 
of 50 percent to 80 percent of all spam.

Even among CIOs who spend millions on security, actions to prevent 
these threats breed nervousness. How do you know your firewall is 
equipped with the latest intrusion prevention signatures? How do you 
stop other threats such as viruses and spam? Most important, how do 
you protect yourself against bot malware that infects vulnerable 
endpoints and turns them into zombie computers that launch DDoS 
attacks upon command? Just when CIOs think they've got everything 
under control, the hackers outsmart them and devise new ways to 
compromise a network's security.

"We are constantly bombarded," says Dewitt Latimer, deputy CIO at 
the University of Notre Dame, where the challenges of an inherently open 
academic network have him constantly on edge. "I find myself wishing 
that ISPs would help us out a little bit, if for no other reason than 
to eliminate a fraction of the security problems we worry about on a 
day-to-day basis."

Latimer adds that he assumes anything that is not on a private network 
is insecure. But what if some of these issues were resolved before 
traffic ever arrived at the network door? Since all external traffic 
must, at some point, be transported over the Internet, many CIOs say 
there's no better way to secure it than by securing the pipes 
themselves. Because ISPs serve as the conduit for all traffic into and 
out of a network, CIOs say these providers should be scanning 
subscriber computers for viruses, monitoring traffic for active hack 
attacks, and shutting down suspected network users immediately to 
protect the safety and sanctity of the connection for everyone else.


Why ISPs Are So Hands-Off

Richi Jennings, an analyst with Ferris Research in San Francisco, says 
that many ISPs wash their hands of these issues because such security 
measures are neither cost-effective nor conducive to revenue 
generation. For ISPs to be successful, they need volume, and resources 
spent on filtering malware or scanning subscriber computers ultimately 
affect the bottom line, Jennings says.

A perfect example of this philosophy is the ISP help desk. File a spam 
complaint with an ISP and Jennings notes it can be days before you 
receive a response, if you receive one at all. In most cases, he says, 
the response is automated. Sure, the ISP could be filing complaints 
away and pursuing them at a later time, but Jennings says that despite 
recently publicized lawsuits in which ISPs sued spammers for violating 
the Can-Spam Act and older state laws, most violations fly under the 
radar, even after they're reported.

"Rather than expend resources to try and stop all of these threats, 
most ISPs are taking the opposite approach and doing nothing," 
Jennings says. "It's just not a priority."

Kevin Dickey, deputy CIO and CISO for Contra Costa County, Calif., 
recently experienced this firsthand. After an attempted DDoS attack on 
the county network, Dickey asked his ISP for incident reporting logs. 
Though many ISPs keep these logs, Dickey's did not. So it was very 
difficult for him to identify and fix the hole the hackers had used to 
launch the attack (eventually he did patch it). Dickey declines to 
name the ISP because he says he's generally happy with it, but admits 
that the entire experience shocked him into realizing that security 
wasn't as much of a priority for the ISP as he had been led to 
believe.

Lawyers wonder if one reason ISPs shy away from security is a legal 
one. According to Benjamin Wright, a Dallas attorney who participated 
in the mock trial and specializes in Internet law, ISPs don't want to 
guarantee security because that could conceivably put them at risk for 
a negligence or invasion of privacy lawsuit. Wright argues that 
scanning subscriber computers could violate privacy laws even after 
the packet leaves the desktop. Also, what happens if an ISP conducts a 
scan and blocks 100 threats but misses one? Zittrain says that if ISPs 
start taking responsibility for more than just carrying traffic, they 
could be making themselves legally liable. No lawsuits have been filed 
for this kind of negligence so far, but Zittrain says that an ISP 
knowingly permitting a zombie computer to remain on its network, which 
then wreaks havoc, could find itself sued. However, he doubts ISPs can 
be held legally accountable unless they have promised to protect their 
customers completely. "That's precisely why they're not promising 
complete protection," Zittrain says.

Scanning isn't the only legal quagmire. Even if ISPs inspected all 
subscriber traffic, it's nearly impossible for them to distinguish 
between, for example, a computer sending attack traffic as part of a 
DDoS and legitimate automated traffic such as the Weatherbug 
application, which polls National Weather Service servers every five 
minutes for regional weather updates. And just as ISPs can get 
themselves into hot water for blocking legitimate e-mail coming into a 
network, Zittrain says, they also can cause trouble when they are 
overzealous in monitoring legitimate e-mail going out of a network. 

"If a customer is sending out 25 messages a day and suddenly blasts 
500, that's a red light that maybe they have a spam zombie in place," 
says Don Blumenthal, Internet Lab Coordinator at the FTC. "Of course 
it also might be that the customer has just become [Parent-Teacher 
Association] president and is using his work computer to send out some 
personal e-mails. You just never know."

Down the road, perhaps the biggest challenge to inspection in the 
network could come from the increased use of encryption. For instance, 
Vista, the new Microsoft operating system that is expected to debut 
next year, is expected to make end-to-end encryption of Internet 
traffic easier to set up. Once payloads are encrypted between the two 
endpoints, an ISP or security vendor sitting in the middle can no 
longer read them to tell legitimate packets from malicious ones, which 
could leave attackers freer to wreak havoc everywhere.

The ISPs say it's not as if they don't care about security. But 
because they operate in a free-market economy, the decision to provide 
security is one each provider makes individually. America Online, 
Comcast, EarthLink and SBC - the four largest ISPs by number of 
subscribers, according to a June 2005 market report from 
JupiterResearch - all provide users with some rudimentary security 
services in the form of standard e-mail filtering and antispyware 
protection. EarthLink, SBC and some other ISPs also attempt to curb 
spam and mass-mailing worm outbreaks by blocking outbound traffic on 
TCP port 25, the server port used for simple mail transfer protocol, 
or SMTP, connections: subscriber machines can then send mail only 
through the ISP's own relay, so an infected PC cannot deliver mail 
directly to outside mail servers. (For more on how this works, read 
"The First Line of Defense". [1]) Many other ISPs provide additional 
security to specific corporate customers at extra cost. And then there 
are those ISPs that don't bother with security at all. 

ISP executives say a more standardized approach to security would be 
cost-prohibitive - and it might not be what their business customers 
want anyway. "When you're dealing with security, there's simply too 
much at stake for us to offer a one-size-fits-all solution that works 
for everybody," says Stan Barber, vice president of engineering 
operations for Verio, an ISP and a subsidiary of NTT Communications. 
"What's important for one company might not be important for another, 
and we need features that can scale."

You don't need to be a mathematician to see that this patchwork 
coverage puts everyone at risk. With bits and bytes traveling from one 
ISP's network to another, who's to say that a security threat stopped 
by one ISP filter won't escape another network that doesn't filter or 
does it inadequately? Gregg Mastoras, senior security analyst for 
North America with the network security solutions provider Sophos, 
says that once a threat gets past one ISP, it essentially has gotten 
past them all. Mastoras adds that since information on the Internet 
knows no borders, everyone is at risk. If the security that ISPs 
currently offer is really as good as they say it is, this wouldn't be 
a problem. Yet one just needs to look at the news today to know that 
corporations are getting hit hard by all manner of malicious code. 
The problem, says Mastoras, is that nothing exists to standardize 
security across the ISP industry, making everyone in the industry 
susceptible to the lowest common denominator. 


How to Protect Yourself in the OK Corral

ISPs may not be able to get away with this free-market approach for 
long, if only because pressure from government, industry and consumer 
groups is growing. This May, the FTC said it would soon ask ISPs to 
make sure that their customers' computers haven't been hijacked by 
spammers with plans to create botnets. Though ISPs are not required to 
comply, the FTC suggested that service providers should identify 
computers on their networks that are sending out large amounts of 
e-mail and quarantine them if they are found to be zombies. One final 
recommendation from the FTC: Internet providers should route all 
outgoing customer e-mail through their own mail servers (as opposed 
to letting individual subscriber machines connect directly to outside 
mail servers). 
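The two measures described above, the FTC's advice to spot and 
quarantine subscribers that suddenly send large volumes of mail, and 
the port 25 block that forces mail through the ISP's relay, along with 
Blumenthal's caveat about the PTA president who jumps from 25 messages 
a day to 500, can be sketched as detection logic over flow records. 
The following is an added illustration, not code from the article or 
from any ISP; the flow summary, the subscriber IDs, the relay address 
192.0.2.25 and the thresholds are all constructed for the example. A 
real provider would feed it NetFlow exports or relay logs instead of 
the embedded sample.

```python
"""Spam-zombie detection over constructed outbound SMTP flow summaries.

Each sample line is: day subscriber dst_ip dst_port connections
(an assumed per-day roll-up of a subscriber's outbound TCP connections).
"""
from collections import defaultdict
from statistics import median

# Assumed address of the ISP's own outbound mail relay (RFC 5737 range).
ISP_RELAY = "192.0.2.25"

# Constructed sample: sub-1001 is a normal user, sub-1002 becomes a zombie on
# the last day (direct connections to many outside mail servers), sub-1003 is
# the "PTA president" who sends 500 messages, all through the ISP relay.
SAMPLE_FLOWS = """\
2005-10-27 sub-1001 192.0.2.25 25 24
2005-10-28 sub-1001 192.0.2.25 25 26
2005-10-29 sub-1001 192.0.2.25 25 23
2005-10-30 sub-1001 192.0.2.25 25 25
2005-10-31 sub-1001 192.0.2.25 25 25
2005-10-27 sub-1002 192.0.2.25 25 20
2005-10-28 sub-1002 192.0.2.25 25 18
2005-10-29 sub-1002 192.0.2.25 25 21
2005-10-30 sub-1002 192.0.2.25 25 19
2005-10-31 sub-1002 192.0.2.25 25 20
2005-10-31 sub-1002 198.51.100.10 25 90
2005-10-31 sub-1002 198.51.100.11 25 85
2005-10-31 sub-1002 198.51.100.12 25 80
2005-10-31 sub-1002 198.51.100.13 25 75
2005-10-31 sub-1002 198.51.100.14 25 70
2005-10-31 sub-1002 198.51.100.15 25 100
2005-10-27 sub-1003 192.0.2.25 25 25
2005-10-28 sub-1003 192.0.2.25 25 24
2005-10-29 sub-1003 192.0.2.25 25 26
2005-10-30 sub-1003 192.0.2.25 25 25
2005-10-31 sub-1003 192.0.2.25 25 500
"""


def parse_flows(text):
    """Parse the summary into (day, subscriber, dst_ip, dst_port, count) tuples."""
    flows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        day, sub, dst, port, count = line.split()
        flows.append((day, sub, dst, int(port), int(count)))
    return flows


def port25_policy_allows(dst_ip, dst_port, relay=ISP_RELAY):
    """The ISP 'port 25 block' as a decision: TCP/25 only to the ISP relay.
    Other ports (e.g. 587 submission to a third-party provider) are untouched."""
    return dst_port != 25 or dst_ip == relay


def would_be_blocked(flows, relay=ISP_RELAY):
    """Connections per subscriber that the port-25 block would have dropped."""
    blocked = defaultdict(int)
    for _day, sub, dst, port, count in flows:
        if not port25_policy_allows(dst, port, relay):
            blocked[sub] += count
    return dict(blocked)


def daily_profile(flows, relay=ISP_RELAY):
    """Per subscriber and day: total SMTP connections, connections that bypassed
    the relay ('direct' to outside mail servers) and the distinct direct targets."""
    profile = defaultdict(lambda: defaultdict(
        lambda: {"total": 0, "direct": 0, "direct_dsts": set()}))
    for day, sub, dst, port, count in flows:
        if port != 25:
            continue
        entry = profile[sub][day]
        entry["total"] += count
        if dst != relay:
            entry["direct"] += count
            entry["direct_dsts"].add(dst)
    return profile


def classify(profile, spike_factor=10, min_direct=100, min_dsts=5):
    """Compare the latest day with the median of the earlier days.

    A volume spike by itself only earns 'review' (the PTA-president case: many
    messages, all via the relay). A spike made of direct connections to many
    outside mail servers is the zombie signature and earns 'quarantine'.
    Thresholds are illustrative assumptions, not published ISP policy."""
    verdicts = {}
    for sub, days in profile.items():
        ordered = sorted(days)
        if len(ordered) < 2:
            verdicts[sub] = "insufficient-history"
            continue
        today = days[ordered[-1]]
        baseline = median(days[d]["total"] for d in ordered[:-1])
        if today["total"] < spike_factor * max(baseline, 1):
            verdicts[sub] = "ok"
        elif today["direct"] >= min_direct and len(today["direct_dsts"]) >= min_dsts:
            verdicts[sub] = "quarantine"
        else:
            verdicts[sub] = "review"
    return verdicts


if __name__ == "__main__":
    flows = parse_flows(SAMPLE_FLOWS)
    print("dropped by a port-25 rule:", would_be_blocked(flows))
    print("verdicts:", classify(daily_profile(flows)))
```

The point of separating "review" from "quarantine" is Blumenthal's: a 
raw jump in message count is only a hint. What distinguishes a spam 
zombie is that it talks directly to dozens of outside mail servers on 
port 25, which is exactly the traffic the port 25 block removes, and 
which a legitimate user who sends through the ISP relay never 
generates.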

ISP executives are optimistic that the industry can regulate itself. 
Dave Jevans, chairman of the Anti-Phishing Working Group, says a 
number of ISPs have already banded together to discuss security best 
practices. If the industry can't improve security on its own, there's 
always the possibility of regulating it through state or federal 
legislation, but that's something that most in the ISP industry firmly 
oppose. Howard Schmidt, president and CEO of R&H Security Consulting 
and a former official with the Department of Homeland Security, agrees 
that legislation is not the answer, saying that most ISPs would simply 
pass the cost of compliance along to users in the form of increased 
monthly and annual fees.

For Schmidt, there is another way. He suggests that government 
facilitate change simply by wielding its own purchasing power. If, for 
instance, government agencies offered ISPs a 10 percent premium to 
provide reliable security services across the board, Schmidt believes 
the agencies could get ISPs to comply in exchange for the extra cash. 
This change, in turn, could have a trickle-down effect that improves 
the situation for business customers and CIOs alike.

"With the government being a large purchaser of IT services, they have 
the ability to say, 'Here's what I'm willing to pay for,' and actually 
pay for it," Schmidt says. "Having controls built in as part of 
government projects gives you the side benefit of making it happen for 
private companies."

In the meantime, the SANS Institute, a private security education 
organization, is planning to evaluate ISPs on the way they handle 
security and release an ISP Security Report Card this month. Alan 
Paller, director of research for SANS, says this card will outline the 
steps CIOs can take to seek a greater level of security from their 
ISPs. (For more on this, see "ISP Essentials," this page.) In 
addition, Jennings, the Ferris Research analyst, says CIOs should 
combine whatever basic protections their ISPs offer with a customized 
security infrastructure comprising hardware and software for a 
multilayered approach that incorporates two or three antivirus engines 
(at the perimeter and on the desktop machines), a firewall, intrusion 
prevention software and any other functions that specifically suit an 
organization's needs.

One area in which Paller says CIOs can advocate for better security 
from ISPs is through their service-level agreements, or SLAs. 
Traditionally, these performance contracts with the ISPs loosely have 
covered issues such as uptime and maintenance or support. However, 
Paller suggests that CIOs should consider at least trying to get their 
ISPs to agree to incorporate security commitments, such as virus 
scanning, DDoS monitoring and incident reporting, with measurable 
targets attached, as well.

SLA clauses, however, are no panacea. Bob Paarlberg, CIO at 
Royster-Clark, an agri-business company, says that putting security 
into an SLA will do nothing but lull CIOs into complacency—not exactly 
a state that engenders secure networks. "Our SLA is that we don't sign 
a long-term agreement," Paarlberg quips. "If you do a good job for us 
this month, you earn the business from us next month. That's it."

Ultimately, Paarlberg contends, the best way to get ISPs to tackle 
security is to force them to bake-in additional security by law. Just 
look at what happened in the airline industry. Years ago, scanning 
passengers for security threats was the responsibility of individual 
airports. The result, of course, changed our nation forever: 
Terrorists took advantage of the weak points in the system, and 
successfully orchestrated the attacks of Sept. 11, 2001. In the 
aftermath, the federal government created the Transportation Security 
Administration to set policy for securing air travel nationwide. 
Today, whether you're traveling from Baltimore, Md., or Billings, 
Mont., you and everyone else on your flight are screened the same way, 
and by and large, the system is a lot safer than it was before. 

"At the end of the day, ISPs need to be held accountable for more of 
these violations," Paarlberg says. "If they're going to continue to 
bring threats to our doorsteps, something must be done." 

-=-

Matt Villano is a freelance writer and editor based in Half Moon Bay, 
Calif. Send your comments to Executive Editor Alison Bass at 
abass at cio.com.

[1] http://www.cio.com/archive/110105/evil_sidebar.html
