Crackers Knock, Don't Get In

The head of one of the US government's leading computer network security centers says cracker attacks are on the rise, but few intrusions succeed. A new incident response report is there to help when things go amiss. By James Glave.

A computer security expert with the US Department of Defense says the rate of attempted cracker attacks against military computer systems has increased dramatically in recent months. However, most of those efforts are easily rebuffed or detected, and few attackers have been getting into the networks.

"We've been seeing almost a doubling per month in the number of attack attempts or probes, but ... the [actual] number of [intrusion] incidents we've had to handle is about flat," said Stephen Northcutt, director of the Shadow project, one of the government's premier network intrusion analysis centers.

Northcutt, a security analyst for the Naval Surface Warfare Center, made the comments Tuesday during the introduction of a report designed to provide computer security specialists with step-by-step procedures for handling security incidents.

The report, "Computer Security Incident Handling Step by Step," emerged from an online collaboration by computer security administrators working at more than 50 organizations and companies, including the US Ballistic Missile Defense Organization, Coca-Cola, American Express, and Disney Online.

The security admins had all experienced network-based incidents at the hands of crackers, or network failures caused by external forces, such as weather or earthquakes. The report, to be released 7 July by the SANS Institute, was compiled from their online reports of incidents. They settled on tactics for handling various stages of a network crisis, including the initial response, identification, containment, and removal of the threat.

Northcutt said that, for its part, the Department of Defense was working on categorizing network attacks to determine appropriate levels of response.

"We are able at this point to identify a tremendous number of things that are run by the exploit scripts that are downloaded from [security Web] sites such as rootshell," Northcutt said.

"We also spend a lot of time looking for things that have never been seen before: attacks from the high end. Someone that is actively developing a new attack is of far greater interest."

Alan Paller, director of research for the SANS Institute, said that the only way to totally guarantee a secure system was to unplug it from the Internet.

"To have a Net connection, you need to drill holes in your system," Paller said, adding that the next best thing to security systems -- such as firewalls and intrusion detection systems -- is a coordinated response process.

Northcutt said that the security admins involved in the report agreed that commercial intrusion detection systems were essential to any network defense effort. "Commercial [intrusion detection] systems play a very important role," he said. "They do for intrusions what virus software does for viruses."

Northcutt said that another collaborative security project was under way with the goal of developing and releasing public domain code for an intrusion detection system that will be designed to complement existing commercial systems. An early version of such a system, called Cooperative Intrusion Detection Evaluation and Response, is available from the Navy's warfare site.

The report also addresses so-called "external circumstances" -- such as severe weather and earthquakes, or backhoes accidentally digging up network cables -- that can disrupt service.

"An incident is a very stressful thing," said Northcutt. "But you can have a process that will carry you through a variety of incidents. 'Stop the bleeding,' they used to tell soldiers. [Likewise, with this report,] we have a system that serves you well."