Capstone – it 4444
Threats to Information
A Study of SANS and Educause
Brady Martin, Thomas Graham, Kezron Caines
4/13/2011
This paper discusses the trends and lifecycles of “threats” to information and systems over the past 10 years, with an eye towards analyzing “where we came from”, “where we are”, and “where we are going”. Using data recorded by SANS and Educause correlated with statistics, the analysis will compare what threats were, and are, when and why they became important, when they were downgraded, and why. This paper will pay primary attention to the factors that pushed each of these threats to the top of the lists making them noteworthy.

Contents

Introduction

Where we came from

Where we are

Where we are Going

Conclusion

References

Table of Figures

Figure 1 - Web Excerpt

Figure 2 - Web Excerpt

Figure 3 - Major Computer Developments

Figure 4 - Population Growth Trend

Figure 5 - Users in the United States

Figure 6 - World vs. United States Complete Comparison - 2010

Figure 7 - Incident Tracking - 2000-2007

Figure 8 - Dell Inc. Financials

Figure 9 - Educause IT Security Challenges – 2001

Figure 10 - Educause IT Security Challenges – 2010

Figure 12 - Attacks on Critical Microsoft Vulnerabilities (last 6 months)

Figure 11 - Number of Vulnerabilities in Network, OS, and Applications

Introduction

This paper discusses the trends and lifecycles of “threats” to information and systems over the past 10 years. Using data recorded by SANS, Educause, and Internet World Stats, our analysis will show past threats, current threats, their importance to the security community, and why they fade in and out of sight. Where trends are heading in the future, and advances in Information Technology, will also be discussed. This paper will pay primary attention to these factors, with an eye towards analyzing “where we came from”, “where we are”, and “where we are going”, and will attempt to answer what pushes them to the forefront, making them noteworthy.

Over the past 10 years, threats to information and systems have been evolving. As the number of systems and users increases, so too does the number of targets available for exploitation. It is interesting to note that although the types of targets and attacks change, the categories remain the same: exploiting human weaknesses, hardware resources, and software weaknesses.

Ten years ago, the threats were as different as the attackers. Attacks on information systems were driven by ideology and curiosity; now, as the world becomes more connected, the motive of profitability is added. In the past, the attacks were not sophisticated or stealthy. Today, in alignment with emerging technology, the attacks are both sophisticated and stealthy. The “Social” network phenomenon has given attackers completely new avenues of attack through improved “social engineering.”


The charts below illustrate that the categories of reported attacks in 2001 are very general in nature. As data collection progresses through 2007, the numbers increase and become more specific.


Some of the old attacks have fallen by the wayside as technology and education systems improve. Exploitable targets have become numerous and profitable as the world continues to move towards being more interconnected. As new devices are developed that connect us further, we are also left more vulnerable. As technology continues evolving, the problems created are overwhelming the IT community’s ability to solve them. Even with all the changes, many of the previous and current problems remain the same. Attackers exploit the bad habits of users: servers and workstations left unsecured, operating systems and software left unpatched, and routers, firewalls, and switches left in autonomous states, largely unmonitored. Until these and other hurdles are overcome, the attacks will continue unabated.

We began this project with the purpose of identifying the top threats to information and quickly discovered that there were no “all-inclusive” sources that clearly identified what those threats were. We also found widespread disagreement between what educators, governmental agencies, and corporate leaders considered their top threats. These realizations forced our team to reshape our premise to make use of the data collected. The sheer volume of data available referencing threats to data and information systems is overwhelming until you look at the underlying metrics with a much simpler premise. To illustrate the disagreement:


The two excerpts above come from the business side of threat analysis and clearly show different priorities and focus surrounding the same problem of Information Security.

Where we came from

Threats to information began with a need to communicate and collaborate for the purpose of speeding and simplifying research. On October 29, 1969 the first message was sent over the Arpanet. The intended message was “login” to SRI from UCLA; however, after the first two letters were transmitted, the system crashed (Leonard Kleinrock, 2009). Up until this time, the cost of computers was so high that only the government and major corporations could afford them. Those that needed them for research were often geographically dislocated. Arpanet was developed to overcome this problem. As with any problem, when one is solved, potentially another is created, as is the case here. The phenomenon now called the “Internet,” very unexpectedly, began here.

Up until this stage, the computer resources were few and controlled by a select group of researchers. To access these devices, one had to go to where the resource was located and be granted access for a specific purpose. Once interconnectivity of these resources was established, it wasn’t long before remote access was possible. It was at this point that centralized physical control shifted toward decentralized control ceded to many. This was the first window of opportunity provided for any “outsider” to manipulate system resources without the need to be sitting physically at a co-located terminal.

It wasn’t long after the creation of Arpanet that businesses realized a real profit potential in the development of smaller, more powerful computer systems and innovative ways to interconnect them. The period between 1969 and 1985 was marked with several major developments that contributed substantially toward this goal as illustrated on the following page:

All of this activity was primarily profit driven but benefitted educators, researchers, government, business, and consumers. These developments had finally brought the per unit price within reach of the common man’s budget and served as the second push towards de-centralized control. There were now computer resources in the hands of general consumers and they were demanding utility and connectivity to services. Businesses were only too happy to oblige, and services such as CompuServe® and AOL® filled that need. CompuServe® was the de facto leader from 1977 through the mid-1980s (The Gale Group, 2011). CompuServe® had all but disappeared with the introduction of AOL® in 1989 (Admin, 2010).

Where we are

Fast forwarding past other major developments and the introduction of cellular technology for the masses, we come to the beginning of the 21st Century. By this time the majority of American households contained at least one computing device and a mobile phone of some kind. The charts below were generated with data obtained from Internet World Stats:

Data collected from Internet World Stats indicate that technology has proliferated into most countries regardless of economic status as a direct result of the previous 15 years spent globalizing the “Internet” and creating a vast communications network.

During this period, many avenues of electronic intrusion were encountered. Both hardware and software had provided ample targets. Hackers, motivated by curiosity, ideology, malevolence, or simple greed, enjoyed relative anonymity. The explosion of computing devices connected to the “Internet” here and abroad and the relative lack of laws available to prosecute electronic intrusions, work stoppage, theft, or destruction made the “Internet” the “Wild, Wild West” of the Information Age. The Internet is considered the major threat to organizations because access to valuable information in criminals’ hands can be disastrous. Many “weaknesses in operating systems (OS), network operating systems (NOS), default configuration of network devices and firewalls, encryption, and poorly written applications are the cause.” “As security threats continue to evolve and become more complex, organizations must take steps to prevent losses caused by these threats. Removing threat and eliminating vulnerability is nearly impossible as long as organizations are connected to the internet and hackers are breathing.” (Alshboul, 2010)

The North American population data we collected, when compared to market saturation for the same region, yields a Pearson’s linear correlation coefficient of 0.972. We attempted, but were unable, to calculate a correlation coefficient between user penetration and growth of incidents due to unavailability of data to provide scale. Based on the data we collected and extensive reading on the subject, we believe a correlation does exist between the trends. As more users become connected, the simple fact that more doors are being opened and exploited supports this assertion. When the data is compared with incident reports collected from Educause and SANS, they don’t follow the same trend lines, as seen graphed on the following page:

Where we are Going

It is a well-accepted fact that our world is becoming more and more globalized. As our economies and cultures merge, there is an ever increasing need to connect to one another. Competition for finite resources has become intense. Competition between corporations for market share and profitability is also fierce. New markets are opening in areas once considered to be Third World. This explosive market expansion is accompanied by new consumers, hungry to enter the world stage.

In simplest terms, globalization can be defined as the blending of economies, cultures, and traditions across the globe. It is evidenced by increased communication and the intermingling and exchange of ideas between various countries across the world. It is a continuous socio-economic process; a major step towards the development of a country. The primary aspect of globalization is the mutually beneficial establishment of business and trade links between countries that has given rise to the globalization of markets. (MapsOfIndia.com, 2004)

The business of providing consumer electronics in these emerging markets has become big business. Companies producing devices capable of Internet connectivity are tapping into these emerging markets. Of note is Dell Inc. with numbers listed on the next page:


Figure 8 - Dell Inc. Financials

(Dell: Information from Answers.com, 2011)

As populations around the world continue to grow, businesses like Dell Inc. will continue to compete in these new markets for customers. This trend shows no signs of abating, as noted in the Market Penetration graph previously cited in this document. The difficulty comes as these companies rush product to market to meet customer demand. With each wave of supply, new users are created, often undereducated, often unsophisticated. Each new user becomes a potential threat or an unwitting accomplice by providing another attack pathway that can be exploited. As mentioned earlier, as long as there is a hacker breathing, organizations will have to secure their networks. Simply stated, there aren’t enough IT professionals to keep up with all the potential threats created by the pace at which the business cycle operates. It generally takes four years of higher education to train an IT professional and a lifetime of continuous learning to be effective in the field. With a two to three year life cycle for mobile devices and three to four years for desktops, replacing old technology with new happens faster than the education system can produce newly trained professionals to manage and secure them.

According to Rich Cheston, an executive director and distinguished engineer at Lenovo, the most accurate method for choosing an effective life cycle involves dividing the company into a set of user groups. For example, the fact that other enterprises choose company-wide desktop life cycles of four years doesn’t make the same strategy right for other companies, such as financial services companies, where seconds of performance difference between PCs could represent millions of dollars of lost profits to bond traders. For those companies, the desktop life cycle might be every six months, as long as processing power continues to ramp upward.
“The net result is [that] many factors drive life cycle rates, and each corporation is unique, but on average, the life cycle of a mobile device is two to three years—driven heavily by the introduction of new technologies over time—whereas desktops are three to four years because they are used inherently differently than notebooks,” Cheston says. (Perry, 2006)

A look at Educause data collected supports the assertion that education is not

There hasn’t been much change in the focus of Educators over the past 10 years. The majority of their assessment centers on funding strategy, personnel, and the management of both. Therefore, it is a fair assumption that this trend will not abate and the insufficient numbers of IT professionals will not be able to keep up with the globalization process. We believe that this will continue into the foreseeable future because the education system simply cannot keep pace with the business cycle producing devices and software.

Barring any changes to the current climate or some new breakthrough in computer security, managing threats to information will continue to be a tenuous process of maintaining a balance of priorities and assumption of risk. With limited resources, IT professionals will continue to be called upon to provide management with the capability to make informed decisions about which assets require heightened vigilance.

Conclusion

In this paper we looked at SANS, Educause, and Internet usage world statistics to chart and find trends prevailing in the Information Technology industry. For research purposes, we maintained the simple premise that the desires of consumers far outpace the abilities of IT professionals to deliver and secure the internet and associated products. We paid special attention to “where we were”, “where we are”, and “where we are going”. Looking at the types of attacks starting in 2000 (Table 1) to 2007 (Table 2) and evaluating the most current data available in similar, useable formats, we noticed the breakdown and classifications of the problem had grown increasingly complex. This is what we face as IT professionals in today’s market. Continuing on, we took a snapshot of two different websites claiming top 10 issues in information technology (Figure 1 and Figure 2) to illustrate the lack of standardization. We wrapped up our introduction by showing that even organizations of a similar purpose cannot agree on a list of top threats to information and systems.

The “where we came from” section is based on a mini timeline of significant developments that we believe helped shape many of the issues today (Figure 3). Without the creation of connectivity and affordable equipment, there would be no discussion about information security.

The “where we are” section looks at past trends showing how population data (Figure 4) and market penetration (Figure 5) for North America compare. We demonstrated that these trends have a Pearson’s correlation coefficient of 0.972, which supports a strongly positive correlation, and therefore, are directly related to each other. This explosive, continued growth of users has outpaced the IT community’s ability to fix the issues. In Figure 6, we assert that the disproportionate population of users in the United States as opposed to the rest of the world has created an environment where the U.S. has become a target of both access and opportunity. In simplest terms, we are outnumbered. In Figure 7 we attempt to chart the actual number of Common Vulnerabilities and Exposures (CVE) and Candidates for CVE (CAN) from 2000 to 2007. We do not actually address the number of specific attacks, instead choosing to represent them as the number of issues found in each heading.

In the “where we are going” section, globalization is addressed. Globalization, coupled with the vast profits companies are posting (Figure 8), provides opportunity and motivation to threaten information, and the trend is ever increasing.

Figure 9 and Figure 10 address the education side of the house to balance out the government and business interests previously shown, and what we see is that very little has changed in the education community’s thinking about how best to attack the problem of securing information assets. All in all, the data collected for this project reflect problems that have been with us for a very long time. Overall, the issues addressed within have enjoyed little in the way of progress towards solution. The individual communities (Government, Educators, and Business) seem stuck in the defining stage of problem solving with little progress towards real solutions. We conclude that there is no real interface between all the parties and the problems will remain until real communication between them is realized.

As a final illustration we offer Figure 11 and Figure 12, gathered from the 2009 SANS report, to reinforce the point that both vulnerabilities and frequency of attacks are on the rise.