Can be Done to Reduce the Threats Posed by Computer Viruses and Worms
to the Workings of Government?"
CERT Coordination Center
Carnegie Mellon University
Subcommittee on Government Efficiency,
and Intergovernmental Relations
Mr. Chairman and Members
of the Committee:
My name is Jeffrey Carpenter.
I manage the CERTŪ Coordination Center (CERT/CC), which is part of the
Software Engineering Institute (SEI) at Carnegie Mellon University. Thank
you for the opportunity to testify on computer security issues that affect
the government. Today I will discuss the Code Red worm attacks, the broader
implications, and considerations for the future.
The CERTŪ Coordination Center (CERT/CC)
is part of the Survivable Systems Initiative of the Software Engineering
Institute, a federally funded research and development center operated
by Carnegie Mellon University. The CERT/CC was established in 1988, after
an Internet "worm" stopped as much as 10 percent of the computers
connected to the Internet. This program—the first Internet security incident
to make headline news—was the wake-up call for network security. In response,
the CERT/CC was established at the SEI. The center was activated in just
two weeks, and we have worked hard to maintain our ability to react quickly.
The CERT/CC is now recognized by both
government and industry as a neutral, authoritative source of data and
expertise on information assurance. In addition to handling reports of
computer security breaches and vulnerabilities in network-related technology,
the CERT/CC identifies preventive security practices, conducts research,
and provides training to system administrators, managers, and incident
response teams. More details about our work are attached to the end of
this testimony (see Meet the CERT Coordination Center).
In the first full year of operation,
1989, the CERT/CC responded to 132 computer security incidents. In 2000,
the staff handled more than 21,700 incidents. In total, the CERT/CC staff
has handled well over 63,000 incidents and cataloged more than 3,700 computer
vulnerabilities. This testimony is based on that broad experience as well
as our specific experience with the Code Red worm.
Of the thousands of vulnerability
reports that come into the CERT/CC, it is difficult to predict which ones
the intruder community will exploit and how rapidly exploit scripts (computer
programs the intruders use to take advantage of a vulnerability in a computer)
will become available. CERT/CC security experts analyze every vulnerability
and widely disseminate information on the most serious ones. These are
published as CERT advisories, which are posted on the CERT/CC web site
and sent to a mailing list of 150,000 addresses, most of which go to system
and network administrators.
On June 19, 2001, we published an
advisory describing the vulnerability that was later exploited by the
Code Red worm. CERT advisory CA-2001-13, "Buffer Overflow in the
IIS Indexing Service DLL," describes a vulnerability in Microsoft’s
Internet Information Server (IIS—a web server) that could allow an intruder
to compromise the web server. This means an intruder could take control
of a vulnerable computer, access or change data on that computer, or use
that computer to launch attacks against other sites. The advisory includes
links to a Microsoft bulletin and patches. (This advisory and other CERT/CC
publications on Code Red are appended to this testimony.)
The first signs of the Code Red worm
appeared on July 13, 2001. Code Red is a malicious program called a worm
because it is self-propagating. When it compromises a computer, the worm
uses that computer to begin looking for other vulnerable computers; it
then propagates itself to those computers without any user action. Code
Red took advantage of the fact that many computers on the Internet ran
vulnerable versions of IIS.
On July 19, a more aggressive version
of the Code Red worm began spreading rapidly. We published an incident
note (IN-2001-08) that describes the activity and the need for system
administrators and users to apply the appropriate patch if they are running
a vulnerable version of IIS. As the day progressed, the rate of computers
being scanned and compromised continued to increase. We were aware of
tens of thousands of computers compromised, which was unprecedented for
this type of activity in a 24-hour time frame. This increase in activity
warranted another advisory—CA-2001-19, "Code Red Worm Exploiting
Buffer Overflow in IIS Indexing Service DLL."
On July 20, Code Red changed its type
of activity. Instead of propagating, the worm attempted to launch a denial-of-service
attack against a high-profile web site. When this change occurred, the
worm stopped spreading. The CERT/CC helped to coordinate an effort by
the major Internet Service Providers to mitigate the effectiveness of
the denial-of-service attack.
By this time, more than 250,000 computers
had been compromised. In other words, in the month after the advisories
were released by both the CERT/CC and Microsoft, more than 250,000 computers
still had not been patched. (Even people who removed the worm remained
vulnerable to attack if they did not patch their systems.) The CERT/CC,
along with a number of government and industry organizations, worked over
the next few weeks to publicize this fact and to raise awareness of the
need to patch systems immediately. There was an urgency connected with
this joint warning because we anticipated a change back to propagation
mode on August 1, 2001.
Even with the publicity, when the
worm began propagating again on the first of August, 150,000 computers
were compromised by the very next day.
The significance of the Code Red worm
lies beyond the specific activity we have described. Rather, the worm
represents a larger problem with Internet security and forecasts what
we can expect in the future.
My most important message today is
that the Internet is not only vulnerable to attack today; it will stay
vulnerable to attack in the foreseeable future. This includes computers
used by government organizations at all levels, computers used at research
laboratories, in schools, in business, and at home. They are vulnerable
to problems that have already been discovered, sometimes years ago, and
they are vulnerable to problems that will be discovered in the future.
The implications for Federal, state,
and local governments is that their computer systems are vulnerable both
to attack and to being used to further attacks on others. The confidentiality,
integrity, and availability of their information is at risk of compromise.
Factors and Trends
Multiple factors contribute to the
problem and pose obstacles to the solutions. They include the nature of
intruder activity, the vulnerability of technology on the Internet, and
the difficulty of fixing vulnerable systems.
Intruder Activity: The Ease
CERT/CC experience shows that the
intruders will develop exploit scripts for vulnerabilities in products
such as IIS. They then use these scripts to compromise computers and,
moreover, share these scripts so that more attackers can use them. Automation
increases the efficiency of the attacks.
New exploits are causing damage more
quickly than those created in the past. The Code Red worm spread around
the world faster than the so-called Morris worm moved through U.S. computers
in 1988, and faster than the Melissa virus in 1999. One primary reason
is that intruders are developing better techniques for identifying vulnerable
computers and exploiting them. (See the Attack Sophistication diagram
appended to this testimony.) After the Morris worm in 1988, we saw little
significant use of worms until last year. In the past, intruders found
vulnerable computers by scanning each computer individually, in effect
limiting the number of computers that could be compromised in a short
period of time. Now intruders use worm technology to achieve exponential
growth in the number of computers scanned and compromised. They can now
reach tens of thousands of computers in minutes or hours, where it once
took weeks or months.
This fast exploitation limits
the time security experts like those at the CERT/CC have to analyze the
problem and warn the Internet community. Likewise, system administrators
and users have little time to protect their systems.
Vulnerability of Technology on the Internet
Last year, the CERT/CC received 1,090
vulnerability reports, more than double the number of the previous year.
In the first half of 2001, we have already received 1,151 reports and
expect well over 2,000 reports by the end of the year.
Among the reasons for the vulnerabilities
are software design and development practices that do not focus sufficiently
on security and system administration practices that leave systems vulnerable.
There is little evidence of improvement
in the security of most products; developers are not devoting sufficient
effort to applying lessons learned about the sources of vulnerabilities.
The CERT/CC routinely receives reports of new vulnerabilities. We continue
to see the same types of vulnerabilities in newer versions of products
that we saw in earlier versions. Technology evolves so rapidly that vendors
concentrate on time to market, often minimizing that time by placing a
low priority on the security of their products. Until customers demand
products that are more secure or there are legal of liability changes,
the situation is unlikely to change.
Good security practice is as important
in system administration as it is in software development.
The Internet is becoming increasingly
complex and dynamic, but among those connected to the Internet there is
a general lack of adequate knowledge about the network and about security.
The rush to the Internet, coupled with a lack of understanding, is leading
to the exposure of sensitive data and risk to safety-critical systems.
Misconfigured or outdated operating systems, mail programs, and web sites
result in vulnerable computer systems that intruders can exploit.
Difficulty of Fixing Vulnerable
With an estimated 2,000 (and climbing)
vulnerabilities being discovered each year and exploit scripts available
for many, it can be difficult to quickly determine how serious the spread
of a particular exploit will be. Analyzing the exploit scripts is time
consuming even when source code is available. These obstacles, combined
with fast exploitation, make it difficult for security experts to provide
timely warnings and workarounds.
System and network administrators
are also in a difficult situation. They are challenged with keeping up
with all the systems they have and all the patches released for those
systems. Patches can be difficult to apply and might even have unexpected
We have found that, after a vendor
releases a security patch, it takes a long time for system administrators
to fix all the vulnerable computer systems. It can be months or years
before the patches are implemented on 90-95 percent of the vulnerable
computers. For example, we still receive reports of outbreaks of the Melissa
virus, which is more than two years old.
There are a variety of reasons for
the delay. The job might be too time-consuming, too complex, or just at
too low a priority for the system administration staff to handle. With
increased complexity comes the introduction of more vulnerabilities, so
solutions do not solve problems for the long term—system maintenance is
never-ending. Because many managers do not fully understand the risks,
they neither give security a high enough priority nor assign adequate
resources. Exacerbating the problem is the fact that the demand for skilled
system administrators far exceeds the supply.
Even in an ideal situation, conscientious
system administrators cannot adequately protect their computer systems
because other system administrators and users, including home users, do
not adequately protect their systems. People don’t keep their anti-virus
software up-to-date; and they don’t apply patches to close vulnerabilities.
Computers on the Internet are more interdependent than most people realize.
The security of each system on the Internet affects the security of every
for the Future
Things are not going to get better
in the foreseeable future. The number of Internet users increases daily
(an estimated 109 million computers were connected to the Internet at
the beginning of this year). Many users aren’t aware of security issues—or
aren’t aware that their computer can be used to attack others. Even if
they are aware, they aren’t knowledgeable enough to implement appropriate
security. The lack of security on their systems puts all other systems
on the Internet at risk.
While we continue to see exploitation of old vulnerabilities, we are also
seeing an increase in new vulnerabilities. Many of them have the same
root causes. And many of them can be prevented by good software development
practices and good system administration practices. The continuing increases
in incident reports to the CERT/CC suggest that the use of these practices
Federal, state, and local governments
should be concerned. Their increased use of the Internet to conduct business
and provide information results in a corresponding increase in the risk
Action is needed on many fronts: product
development, system administration, home use, and acquisition. The government
needs to support research on computer security and network survivability,
as well as supporting education.
Technology product development:
Most vulnerabilities in products come from a few root causes. They remain
in products, waiting to be discovered, and are fixed only after they are
discovered while in use. Worse, the same flaws continue to be introduced
in new products. Vendors need to be proactive, improving their development
practices and shipping products configured securely "out of the box."
Improved practices will reduce the vulnerabilities in products on the
market and thus reduce the risk of compromise.
System administration: While
we tell system and network administrators to keep their systems up to
date with security patches and workarounds, the volume of patches and
difficulty in installing them makes it very difficult for system and network
administrators to keep up to date. System administrators need better tools
to manage the updating of software and computers.
Computer users/consumers: Because
the survivability of systems is dependent on the security of systems at
other sites, fixing one’s own systems is not sufficient to ensure those
systems will survive attacks. Home users and business users alike need
to be educated on how to operate their computers most securely, and consumers
need to be educated on how to select the products they buy. Market pressure,
in turn, will encourage vendors to release products that are less vulnerable
Acquisition: It is important
to evaluate suppliers for product security, but the current ways of describing
security in requirements are immature. Using a list of features (such
as encryption and a firewall) is helpful but not sufficient. The problem
is not a lack of features, but software that is flawed.
In addition to improving the way security
requirements are described, we recommend that acquisition practices encourage
diversity. Malicious code like Melissa and Code Red spread better in a
highly homogeneous environment. Diversity improves survival.
Government support: For long-term
improvements to occur, the government should do the following:
- Sponsor research and development leading to
safer operating systems that are also easier to maintain and manage.
- Sponsor research into survivable systems that
are better able to resist, recognize, and recover from attacks while
still providing critical functionality.
- Provide meaningful infrastructure support for
university programs in information security education and research to
produce a new generation of experts in the field.
Problems such as the Red Code worm
are likely to occur again. Solutions are not simple because the underlying
causes must be addressed. However, we can make significant progress through
changes in software design and development practices, in system administration,
in the knowledge level of users, and in acquisition practices. Additionally,
the government should support research, development, and education in
computer and network security.