oversight

Information Security: Recent Attacks on Federal Web Sites Underscore Need for Stronger Information Security Management

Published by the Government Accountability Office on 1999-06-24.

Below is a raw (and likely hideous) rendition of the original report. (PDF)

                          United States General Accounting Office

GAO                       Testimony
                          Before the Subcommittee on Technology, Committee on
                          Science, House of Representatives




For Release on Delivery
Expected at
10 a.m.
                          INFORMATION SECURITY
Thursday,
June 24, 1999

                          Recent Attacks on Federal
                          Web Sites Underscore
                          Need for Stronger
                          Information Security
                          Management
                          Statement of Keith A. Rhodes
                          Director, Office of Computer and Information Technology
                          Assessment
                          Accounting and Information Management Division




GAO/T-AIMD-99-223
                         Madam Chairwoman and Members of the Subcommittee:

                         Two months ago, I testified before this Subcommittee on the “Melissa”
                         computer virus, which temporarily disrupted the operations of some
                         agencies by forcing them to shut down their e-mail systems. Since April,
                         the federal government and the private sector have tangled with additional
                         viruses, some more vexing than Melissa. For example, many agencies are
                         now contending with “ExploreZip,” an e-mail-delivered virus program that
                         can destroy electronic files, degrade network performance, and eventually
                         cause a denial of service on electronic mail servers.1

                         Today, I am here to discuss a different type of malicious attack—the recent
                         series of break-ins of federal web sites. Like “Melissa” and “ExploreZip,”
                         these attacks demonstrate just how vulnerable federal information
                         systems can be to computer attacks and, once again, underscore the need
                         for better agency and governmentwide protection over systems.



Benefits and Risks       Web sites clearly benefit federal agencies—they enable them to provide
                         better customer service, improve internal communication, and reduce
Associated With          communications costs. Web sites also benefit citizens, allowing them to
Establishing Web Sites   access needed information rapidly. For example, in just seconds federal
                         web site users can

                         • obtain information on applying for passports, U.S. visas and foreign
                           entry requirements, and travel warnings;
                         • electronically file a product incident report with the U.S. Consumer
                           Product Safety Commission;
                         • download federal tax forms from the Internal Revenue Service and
                           submit questions on tax preparation;
                         • access the Federal Jobs Data Base maintained by the Office of
                           Personnel Management and submit applications for job openings;
                         • research the Patents Database maintained by the U.S. Patent and
                           Trademark Office; and


                         1
                          According to the CERT Coordination Center (originally called the Computer Emergency Response
                         Team), ExploreZip is both a Trojan horse (i.e., it initially requires a victim to open or run an e-mail
                         attachment in order for the program to install a copy of itself) and a “worm” (i.e., once installed, it may
                         propagate itself, without any human interaction, to other networked machines that have certain
                         writable shares). The center began receiving reports of sites affected by ExploreZip during the second
                         week of June 1999.




             Leter       Page 1                                                                             GAO/T-AIMD-99-223
        • get the latest forecasts and weather warnings from the National Oceanic
          and Atmospheric Administration.

        For the private sector, web sites are becoming an increasingly popular
        avenue of doing business. A recent study jointly sponsored by the
        University of Texas Center for Research in Electronic Commerce and Cisco
        Systems, Inc., for example, found that the Internet economy generated
        more than $300 billion in U.S. revenue and was responsible for 1.2 million
        jobs in 1998. A business that establishes its presence on the web, in fact, is
        no longer just a “storefront”; rather it is a “worldfront” with a presence
        across all time zones and geographic barriers. It is also a
        24-hour-a-day/7-day-a-week operation.

        While there are significant advantages associated with establishing web
        sites, caution must be exercised to avoid or mitigate damages resulting
        from the types of attacks recently experienced by a number of federal
        agencies, as well as more pervasive system intrusions. By exploiting bugs
        and configuration problems found in web server software programs,
        operating systems, and the communications protocol, for example,
        unauthorized users can do any one or a combination of the following:

        • Change web site content to embarrass the web site owner.
        • Flood the web site with fake requests for pages. Known as
          denial-of-service, this type of attack can (1) make it difficult or even
          impossible for legitimate customers to access a web site or (2) cause the
          targeted system to crash.
        • Gain unauthorized access to resources elsewhere in an organization’s
          computer network.
        • Insert a “fake” web site between the user and the “real” web site so that
          the attacker can watch and record data such as account numbers and
          passwords as well as insert, delete, or change data sent in either
          direction.

        According to the World Wide Web Consortium,2 web servers themselves
        vary in their ability to restrict access to individual documents in the server.
        Some servers provide no restriction at all, while others allow a web site
        administrator to restrict access to directories based on the address of the
        browser or to users who can provide the correct password. A few servers


        2
         The World Wide Web Consortium serves as a repository of information about the World Wide Web and
        develops common protocols to ensure Internet interoperability.




Leter   Page 2                                                                      GAO/T-AIMD-99-223
                       provide data encryption as well. As a rule of thumb, according to the
                       consortium, the more features a server offers, the more likely it is to
                       contain security holes.

                       Similarly, according to the consortium, some operating systems are less
                       secure to use as platforms for web servers than others. Specifically,
                       operating systems with a large number of built-in services, scripting
                       languages, and interpreters are particularly vulnerable to attack because
                       there are simply so many portals of entry for hackers to exploit.
                       Furthermore, if not used carefully, the protocol used to write web site
                       program tasks (known as CGI or Common Gateway Interface protocol) can
                       be a major source of security holes.



Recent Attacks         The recent series of attacks on federal web sites have primarily focused on
                       defacing, or “vandalizing” web site content and/or initiating denial of
Primarily Involved     service attacks in order to crash servers. For example, in late May, a denial
Vandalism and Denial   of service attack was launched against the Federal Bureau of
                       Investigation’s (FBI) web site allegedly in retaliation for the bureau’s
of Service             pursuit of hackers who have broken into federal systems. In response, the
                       Bureau temporarily took its web servers off line. Shortly thereafter, the
                       same group of attackers reportedly broke in and defaced the U.S. Senate’s
                       home page with comments criticizing the FBI. The Senate also temporarily
                       took its site off line. Similar attacks were also committed on web sites
                       maintained by the Department of the Interior and a federal supercomputer
                       laboratory in Idaho Falls, Idaho. Also last month, several cyberattacks
                       successfully took down sites at the Department of Defense, the White
                       House, and other agencies.

                       Web site attacks have not been confined to federal agencies. Recently,
                       computers maintained by an Internet service company were reportedly
                       jammed by denial-of-service attacks similar to the FBI’s experience.
                       According to the IBM Global Services’ Internet Emergency Response
                       Service, other private sector web sites that have experienced attacks
                       include those belonging to the New York Times, BMW, and Motorola.

                       Fortunately, the consequences of recent attacks on federal web sites have
                       been largely confined to agency embarrassment and temporary shut downs
                       in web site service. In fact, web site attacks can have much more serious
                       consequences. For example, according to Carnegie Mellon University’s




                       Page 3                                                      GAO/T-AIMD-99-223
                       Software Engineering Institute (SEI), 3 the hardware and operating systems
                       that support web sites could be used as a staging area for intrusions into an
                       organization’s network. In turn, this could result in breaches of
                       confidentiality, integrity, or availability of information resources. Such
                       systems could also be used as a staging area for intrusions into external
                       sites.

                       For private sector organizations, web site security problems could impede
                       the ability to do business on the Internet. While the Internet may represent
                       hundreds of millions of potential customers, it also represents extensive
                       security risks. For customers, the primary security concern with shopping
                       on the Internet is credit card fraud. According to Internet Fraud Watch,
                       operated by the National Consumers League, complaints in this area have
                       increased 600 percent since 1997. Thus, in conducting business on the
                       web, businesses must not only ask how secure the business needs to be,
                       but also how much security it needs to provide to customers.



Underlying Causes of   Just like computer viruses such as “Melissa,” and “ExploreZip,” the recent
                       attacks on federal web sites are a symptom of broader information security
Web Site Security      concerns across the government. Over the past several years, we and
Problems               inspectors general have identified significant information security
                       weaknesses in each of the largest 24 federal agencies. These weaknesses
                       include the inability to detect, protect against, and recover from viruses,
                       web site break-ins, and other attacks; inadequately segregated duties,
                       which increase the risk that disgruntled employees as well as intruders can
                       take unauthorized actions without detection; and weak configuration
                       management processes, which cannot prevent unauthorized software from
                       being implemented.

                       Recently, for example, we reported4 that the National Aeronautics and
                       Space Administration (NASA) did not effectively evaluate its information
                       security risks or needs, implement sound security policies and controls,
                       monitor policy compliance, or provide adequate computer security
                       training. Tests we conducted at one of NASA’s 10 field centers showed that
                       some of the agency’s mission-critical systems at that center were


                       3
                         SEI is a federally funded research and development center sponsored by the U.S. Department of
                       Defense and operated by Carnegie Mellon University.
                       4
                       Information Security: Many NASA Mission-Critical Systems Face Serious Risks (GAO/AIMD-99-47,
                       May 20, 1999).




                       Page 4                                                                        GAO/T-AIMD-99-223
vulnerable to unauthorized access. These included systems that support
the command and control of spacecraft as well as the processing and
distributing of scientific data.

Overall, our work at NASA and many other agencies shows that federal
information security is seriously hindered by three narrow approaches
taken by agencies.

• System versus organization focus . Agencies tend to look at security
  from a system perspective, but not an organizationwide perspective.
  This focus, however, is unworkable in a networked environment.
• Static categories versus managing risks . Agencies often reduce
  information security to protecting static categories of information, e.g.,
  sensitive versus nonsensitive or classified versus unclassified. This
  approach fails to encompass the multifaceted nature of managing
  security across varying levels of risks to the integrity, availability, and
  confidentiality of information supporting agency operations and assets.
• Technical versus management function. Agencies frequently treat
  information security as a technical function rather than as a
  management function. This removes security from its integral role in
  program management.

In view of these and other pervasive security weaknesses, in February
1997, we designated information security as a new governmentwide
high-risk area.5 In performing audits at selected individual agencies, we
and the inspectors general have also developed hundreds of specific
recommendations aimed at improving the effectiveness of information
security programs, including the development of entitywide information
security management programs.

Since our 1997 High-Risk Report, the recognition of the importance of
addressing information security problems has greatly increased and led to
significant actions. In late 1997, for example, in response to our
recommendations, the Chief Information Officers (CIO) Council
designated information security a priority area and established a Security
Committee. Also, in May 1998, Presidential Decision Directive 63 was
issued, establishing entities within the National Security Council, the
Department of Commerce, and the FBI to address critical infrastructure


5
High-Risk Series: An Overview (GAO/HR-97-1, February 1997) and High-Risk Series: Information
Management and Technology (GAO/HR-97-9, February 1997).




Page 5                                                                     GAO/T-AIMD-99-223
                       issues. This directive also required each major department and agency to
                       develop a plan for protecting its own critical infrastructure.



Short- and Long-Term   Agencies can undertake a number of immediate actions to quickly bolster
                       security over their web sites. For example, SEI suggests that organizations
Solutions That Can     pay close attention to systems and networks, investigate unusual activity,
Address Web Site and   and react quickly to intrusions. Organizations can also begin to include
                       explicit security requirements when selecting server and host technologies,
Other Security         isolate the web server from the organization’s internal network, and offer
Problems               only essential network services and operating system services on the
                       server host machine.

                       However, while these and other actions recommended by security experts
                       sound simple enough, implementing them is a resource-intensive activity
                       that requires “continuous, automated support, and daily administrative
                       effort,” according to SEI. Further, the scale of security practices may have
                       to change as threats, system configurations, or security requirements
                       change.

                       To help agencies implement the kind of management framework that is
                       required to effectively respond to evolving security requirements, we
                       issued an executive guide in May 1998 entitled Information Security
                       Management: Learning From Leading Organizations (GAO/AIMD-98-68). It
                       describes a framework for managing risks through an ongoing cycle of
                       activity coordinated by a central focal point. The guide, which is based on
                       the best practices of organizations noted for superior information security
                       programs, has been endorsed by the CIO Council, and distributed to all
                       major agency heads, CIOs, and inspectors general. By adopting the
                       following 16 practices recommended by the guide, agencies can be better
                       prepared to protect their systems, detect attacks, and react to security
                       breaches.




                       Page 6                                                     GAO/T-AIMD-99-223
Table 1: Sixteen Information Security Practices of Leading Organizations

Principles                                       Practices
Assess risk and determine needs                  1.   Recognize information resources as essential organizational assets
                                                 2.   Develop practical risk assessment procedures that link security to business needs
                                                 3.   Hold program and business managers accountable
                                                 4.   Manage risk on a continuing basis
Establish a central management focal point       5.   Designate a central group to carry out key activities
                                                 6.   Provide the central group ready and independent access to senior executives
                                                 7.   Designate dedicated funding and staff
                                                 8.   Enhance staff professionalism and technical skills
Implement appropriate policies and related       9. Link policies to business risks
controls                                         10. Distinguish between policies and guidelines
                                                 11. Support policies through a central security group
Promote awareness                                12. Continually educate users and others on risks and related policies
                                                 13. Use attention-getting and user-friendly techniques
Monitor and evaluate policy control and          14. Monitor factors that affect risk and indicate security effectiveness
effectiveness                                    15. Use results to direct future efforts and hold managers accountable
                                                 16. Be alert to new monitoring tools and techniques

                                             Over the long run, it is also clear that more needs to be done to build and
                                             implement a comprehensive governmentwide strategy. At present, for
                                             example, there is no mechanism, such as required independent audits, for
                                             routinely testing and evaluating the effectiveness of agency information
                                             security programs. Also, there is no single governmentwide office that
                                             gathers and shares information about information security threats or acts
                                             as an emergency assistance center. Nor is any support agency responsible
                                             for providing technical assistance to agencies, undertaking research,
                                             engaging in proactive coordination, and generating more forward-thinking
                                             policy advice. Until such measures are implemented, it is likely that
                                             agencies will continue to address their web site and other information
                                             security problems in a narrow context and neglect to implement the
                                             management framework needed to thwart such attacks.



Conclusions                                  In conclusion, web sites offer enormous efficiency and productivity
                                             benefits to agencies and citizens alike. Moreover, they are now an integral
                                             part of the Internet economy, which is certain to continue to grow
                                             exponentially. Nevertheless, web sites open up yet another avenue of
                                             security risks that can range from the merely embarrassing to the theft of
                                             sensitive information. Thus, to maximize the advantages offered by web
                                             sites and the Internet, it is imperative that federal agencies implement
                                             vigorous security programs that will enable them to closely watch



                                             Page 7                                                                 GAO/T-AIMD-99-223
                   information resources for signs of intrusion and to quickly react to
                   intrusions when detected. Moreover, it will be important for the federal
                   government as a whole to implement an effective strategy that will
                   (1) ensure that agencies focus on security from an organizationwide
                   perspective and implement a comprehensive set of security controls and
                   (2) establish central tracking and reporting mechanisms that facilitate
                   analyses of web site attacks and other forms of attacks and their impact.

                   Madam Chairwoman, this concludes my testimony. I will be happy to
                   answer any questions you or Members of the Subcommittee may have.



Contact and        For information about this testimony, please contact Keith Rhodes at
                   (202) 512-6415. Cristina Chaplain made key contributions to this testimony.
Acknowledgements




(511059)   Leter   Page 8                                                    GAO/T-AIMD-99-223
Ordering Information

The first copy of each GAO report and testimony is free.
Additional copies are $2 each. Orders should be sent to the
following address, accompanied by a check or money order made
out to the Superintendent of Documents, when necessary, VISA and
MasterCard credit cards are accepted, also.

Orders for 100 or more copies to be mailed to a single address are
discounted 25 percent.

Orders by mail:

U.S. General Accounting Office
P.O. Box 37050
Washington, DC 20013

or visit:

Room 1100
700 4th St. NW (corner of 4th and G Sts. NW)
U.S. General Accounting Office
Washington, DC

Orders may also be placed by calling (202) 512-6000
or by using fax number (202) 512-6061, or TDD (202) 512-2537.

Each day, GAO issues a list of newly available reports and
testimony. To receive facsimile copies of the daily list or any list
from the past 30 days, please call (202) 512-6000 using a touchtone
phone. A recorded menu will provide information on how to obtain
these lists.

For information on how to access GAO reports on the INTERNET,
send an e-mail message with “info” in the body to:

info@www.gao.gov

or visit GAO’s World Wide Web Home Page at:

http://www.gao.gov
United States                       Bulk Mail
General Accounting Office      Postage & Fees Paid
Washington, D.C. 20548-0001           GAO
                                 Permit No. GI00
Official Business
Penalty for Private Use $300

Address Correction Requested