Blended Threats: A New Risk to Academic Freedom

The difficulties of balancing security and freedom are now under a national spotlight as a result of the terrorist attacks of September 11, but institutions of higher education have struggled with the problem for decades. Universities have always tried to maintain openness and experimentation in order to promote a credible environment for teaching, learning, and research. Of course, this doctrine is double-edged, because openness invites risk.

In the practical arena of computer science, this means knowing that when students write Common Gateway Interface, or CGI, scripts for university systems, they are creating well-known targets for malicious users. Also, students might be encouraged to use software probes to test systems, networks, and Web sites with the understanding that such utility programs are also widely exploited by hackers to uncover weaknesses.

Such challenges of balancing openness and security are often dangerously compounded at the level of system use and administration. For instance, systems are often improperly installed and configured by non-technical faculty and staff. Or, a departmental server might be informally administered by a faculty member or graduate student whose experience with computers is slight.

But even when properly configured, authorized systems can be troublesome. The growing diversity of operating systems from one school to another requires equal levels of expertise from already burdened technology support staff. Add to that the problems of limited budgets, transitory student populations, and inexperienced users, and achieving healthy checks on openness can become impracticable.

To exacerbate an already troubling security situation, Internet-based attacks have become more complicated, often combining multiple threats to extend or propagate the attack. These so-called blended threats demand a more comprehensive approach to security—one that replaces a “one threat, one cure” approach with a multilayered defense and response strategy.

A blended threat is malicious code that uses multiple methods to attack or propagate. Blended threats share a number of characteristics: They cause harm, they use more than one attack method, they are automated (requiring no user intervention), they exploit vulnerabilities, and they typically use several propagation methods.

Although blended threats differ in how they infect and spread through systems, all such threats can send the cost of lost productivity, cleanup, and recovery into the stratosphere. Recovering a single infected system can take an entire day, and the strain of repairing thousands of systems is formidable, even for the most efficient university security team.

Under the pressure of budget and time constraints, many universities often simply react to the latest threat. Security priorities are based on addressing current attacks rather than on preventing future problems. However, code remediation is the most costly and least efficient way to deal with security issues. Security must become a part of the operating business plan of a university, rather than an afterthought.

To that end, universities can take several steps to reduce their vulnerability to current and emerging security threats. An effective combination of best practices and technology should include the following components:

  • Conduct an information campaign. An information campaign aimed at educating students, faculty, and staff about security threats and what those threats mean in behavioral terms can be highly effective in preventing security breaches. If users recognize unsafe practices, they are less likely to put their systems at risk. If they know what to do when their systems are compromised, they can prevent a serious problem from becoming a nightmare.

  • Deploy antivirus software, intrusion-detection tools, and firewalls. Antivirus software on desktop computers, servers, and gateways protects against malicious code at its points of entry. Intrusion-detection software detects unauthorized activity and security breaches and, in some cases, can respond automatically. Firewalls control incoming and outgoing traffic, allowing only authorized activity across the university network. The University at Buffalo uses Norton AntiVirus from Symantec Corp. on all Microsoft Corp. Windows desktops and Microsoft Exchange Servers. As a result, both incoming and outgoing viruses—including script-based threats—are detected and either repaired or quarantined before they have an opportunity to spread. The university makes the software available to all students through its “Tech Tools” CD and secure download site.

  • Keep apprised of security events. Internet security organizations such as the SANS Institute (www.sans.org) and the CERT Coordination Center (www.cert.org) provide current information on the latest national and international computer security incidents and threats. In addition, many vendors provide up-to-the-minute security advisories and assistance based on information gathered and analyzed by their own security experts.

  • Identify and patch critical systems. Keeping operating systems and applications up-to-date with the latest security patches can prevent even the most sophisticated blended threats from compromising a university network. Vulnerability assessment software eases this process by automatically identifying unpatched systems.

  • Remove unneeded services. Unneeded services are often installed by default; they are a security risk because the open port through which they communicate is commonly used by hackers and viruses. Vulnerability assessment software is useful in detecting such services. Administrators can also visit one of a growing number of Web sites that will scan their systems, pinpoint potential problems, and recommend repairs.

  • Maintain system logs. Thorough system logs enable administrators to prevent future attacks by understanding past ones. In addition, if needed, system logs can give law enforcement officials the documentation they need to investigate security issues as outlined in the recently passed federal anti-terrorism legislation, the USA Patriot Act.

  • Create a response team. Identify key individuals and the roles they will assume in the event of a security incident. Set aside a “war room” where the response team will meet to respond to an event. In addition, make sure appropriate non-IT communications tools are available, including phones and faxes.

As technology evolves and Internet use skyrockets, blended threats are likely to grow in frequency and complexity, increasing the likelihood of attacks at universities around the world.

But by capitalizing on today’s security technologies, universities can begin to alleviate these risks and build a protected environment that allows openness, enhances learning, improves teaching, and advances research.

Blended Havoc: Code Red and Nimda Worms

The Code Red and Nimda worms were blended threats. Unleashed in August and September 2001 respectively, these worms spread rapidly and caused a great deal of damage.

Nimda used four methods of propagation, including unpatched Microsoft Corp. Internet Information Server systems, e-mail, visits to compromised Web servers, and systems that had file-sharing enabled. It was written to find and exploit backdoors left by previous viruses, including Code Red. Nimda slowed and even stopped Web traffic for many users and generated excessive traffic at businesses and educational institutions around the world.

Research firm Computer Economics estimated that Nimda infected more than 2.2 million servers and PCs in a 24-hour period and caused more than half a billion dollars in damage.

Code Red launched denial-of-service attacks and defaced Web servers. Code Red II also left behind Trojan horses for later execution by worms such as Nimda. Because Code Red processed in memory rather than on a hard disk, and since it gave no outward indications of its presence, it went largely undetected.

The Code Red worm cost an estimated $2.6 billion, according to Computer Economics. The research firm calculated that more than $1 billion dollars was spent cleaning up 1 million infected servers and inspecting another 8 million related servers. The rest—approximately $1.5 billion—was lost to corporate downtime.

The message left by these two blended threats is clear: Single-point solutions are ineffective in thwarting complex, multileveled threats. Instead, organizations need to deploy security solutions that provide several layers of defense and response.

comments powered by Disqus