
Telcordia Warns of 'Digital Pearl Harbor'

Be afraid. Be very afraid.

According to three cyber security experts at Telcordia Technologies Inc., the networking industry is headed for a "digital Pearl Harbor" -- a security breach so serious that it creates major outages and serious economic damage.

US government officials, including the Obama White House, are well aware of the danger, which is one reason the President appointed cybersecurity czar Howard Schmidt. But the telecom and computing industries also need to be engaged in the process, which will require some changes in the way business is done today, says James Payne, senior VP/general manager of Telcordia's National Security and Cyber Infrastructure unit.

Payne says imposing security standards on today's converged-yet-diverse Internet service delivery community can be so complex that it even has some of those who are meeting to discuss the security challenge pining for the good old days, when monopoly AT&T Inc. (NYSE: T) ruled the roost and could have gold-plated security, albeit at its ratepayers' expense.

Convergence, the move to an all-IP infrastructure, and the best-effort nature of IP all play a role in the growing security challenge, as does the fact that organized crime, acting out of its own greed or on behalf of rogue nations, now runs much of the cybercrime activity.

Payne quoted former national security adviser Richard Clarke as saying recently that the cyber cartels are generating more money than drug cartels because of known exploitable vulnerabilities.

Multiple industry standards groups are attempting to address the issues, says John Kimmins, Telcordia fellow in security services and solutions. These include Alliance for Telecommunications Industry Solutions (ATIS), the Internet Engineering Task Force (IETF), the International Telecommunication Union (ITU), 3rd Generation Partnership Project (3GPP), and various government agencies such as the Department of Defense and Homeland Security, but no one agency is in charge of the effort.

"There is not one place to go and plug it [security] in -- each standards group has what it embraces, which is one of the problems," Kimmins says.

One thing that would help immediately, Payne says, is legislation similar to that passed in preparation for perceived Y2K dangers -- the kind that protects companies that admit vulnerabilities from being subsequently sued by their investors. Without such protection, it is hard for service providers, hardware companies, and software vendors to engage in "honest dialogue" about what the real dangers are, for fear of legal entanglements.

"At a policy level, let's get serious about having a dialogue to discuss moving away from the best-effort model," Payne says. "It's not about putting everything back together [like the old AT&T] but it's beginning of a dialogue that will enable us to avoid an event so serious" that repercussions might be unimaginable.

In advance of any standards or legal changes, however, there are things that the telecom and computing industries can be doing to mitigate some of the danger, Payne, Kimmins, and Petros Mouchtaris, executive director of information assurance and security, told press and analysts at Telcordia's New Jersey headquarters last Friday.

Those things include:
  • Greater testing and hardening of hardware and software products before they are released on the market. The industry needs to move away from the attitude of release now, patch later, Kimmins says.
  • Greater discipline in developing and deploying patches when they are needed. There is a lag between when vulnerabilities are discovered and when patches are released, and again between when patches come out and when they are deployed. The bad guys take advantage of those lag times, sometimes even using the information released about vulnerabilities and patches to select their targets.
  • Eliminate marketing hype around standard terms such as "five-nines" and "no single point of failure." Too many vendors are playing games with those terms, defining them in a limited way to make their gear sound more secure than it is.
  • Give consumers the information they need to protect themselves. Consumer broadband with its "always on" feature created an army of bot-net computers because consumers weren't made aware of the dangers and what they needed to do to protect themselves, Kimmins says.
  • Take a more disciplined approach to testing configuration management and correcting configuration mistakes, Mouchtaris says. More than 50 percent of downtime is caused by configuration errors, which occur for many reasons, and cyber criminals exploit those mistakes, he says. Configuration testing needs to be part of a regular disciplined approach to preventing such attacks.

Telcordia has a horse in this race, providing consulting and expertise as well as tools to test configuration management, among other things. But Kimmins says he believes the company is well positioned to be a trusted partner because it isn't using security as a way to sell more routers, software upgrades, or firewalls.

— Carol Wilson, Chief Editor, Events, Light Reading

digits 12/5/2012 | 4:21:07 PM
re: Telcordia Warns of 'Digital Pearl Harbor'

The whole cyber security situation is reaching fever pitch here in the UK



and it seems that the 'Pearl Harbor' reference is quite well worn... see


Duh! 12/5/2012 | 4:21:07 PM
re: Telcordia Warns of 'Digital Pearl Harbor'

How about vendors enforcing use of ordinary good practice by their software developers (and vendors)? It's scary that any of these vulnerabilities are still being written into production software: http://cwe.mitre.org/top25/.&a... Yet there are software developers who are not trained to avoid doing these things. And, as much as code reviews are about as enjoyable as a root canal, it is unfortunate that they seem to have fallen out of favor.

Another observation: security vulnerabilities are an integral part of the Internet architecture. For example: packet injection attacks are allowed by the fact that network nodes maintain no state that explicitly associates a data flow with a previous hop. Spoofing attacks are allowed because there is no requirement that IP source addresses be checked at the edge; this same property inhibits tracing and accountability for attacks of any sort. Congestion control in the network depends upon host behavior which cannot be enforced by the network. Unfortunately, these features of the Internet architecture are regarded by many in the community as positive, even sacred. Even in the unlikely event that there were consensus in the IETF that they are problematic, fixing them would cause huge disruption to the installed base.

I'm frankly less worried about a "Pearl Harbor" than about the corrosive effect of large numbers of lesser attacks, and the cumulative costs of trying to fend them off. It seems that systemic change is needed, but the will exists only to keep applying bandaids. I think, though, that we're likely to muddle through.
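
The edge source-address check mentioned in the comment above is what ingress filtering (BCP 38 / RFC 2827) provides. The following is an added example, not part of the comment or the article; the interface names, prefix assignments and packets are constructed for illustration.

```python
import ipaddress

# Constructed edge configuration (assumption): prefixes legitimately assigned
# behind each customer-facing interface, using documentation address ranges.
EDGE_PREFIXES = {
    "cust-a": ["192.0.2.0/25", "2001:db8:a::/48"],
    "cust-b": ["198.51.100.0/24"],
}

# Constructed sample traffic: (ingress interface, claimed source address).
PACKETS = [
    ("cust-a", "192.0.2.10"),       # inside cust-a's /25
    ("cust-a", "198.51.100.7"),     # cust-b's address arriving from cust-a
    ("cust-b", "198.51.100.7"),     # legitimate
    ("cust-a", "2001:db8:a:1::5"),  # inside cust-a's IPv6 /48
    ("cust-b", "203.0.113.9"),      # assigned to nobody at this edge
    ("cust-a", "192.0.2.200"),      # same /24 but outside the assigned /25
]


def build_table(cfg):
    """Parse prefix strings once so each packet check is a membership test."""
    return {ifname: [ipaddress.ip_network(p) for p in prefixes]
            for ifname, prefixes in cfg.items()}


def check_source(table, ifname, src):
    """Return (allowed, reason) for a packet claiming source `src` on `ifname`."""
    try:
        addr = ipaddress.ip_address(src)
    except ValueError:
        return False, "malformed source address"
    nets = table.get(ifname)
    if nets is None:
        return False, "unknown interface"
    for net in nets:
        if addr.version == net.version and addr in net:
            return True, f"within {net}"
    return False, "source not assigned to this interface"


def audit(table, packets):
    """Return the packets an ingress filter would drop, with the reason."""
    dropped = []
    for ifname, src in packets:
        allowed, reason = check_source(table, ifname, src)
        if not allowed:
            dropped.append((ifname, src, reason))
    return dropped


if __name__ == "__main__":
    for entry in audit(build_table(EDGE_PREFIXES), PACKETS):
        print("DROP", *entry)
```

Because each drop is recorded with the ingress interface, the same check also gives the tracing and accountability the comment says are missing when sources go unvalidated.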

paolo.franzoi 12/5/2012 | 4:21:06 PM
re: Telcordia Warns of 'Digital Pearl Harbor'


Just take a look at PCI scan stats and you will see that there are LOTS of problems.


