The Rise and Fall of Internet Security: A Story in Two Parts

Frederick M. Avolio
Avolio Consulting, Inc.

[Originally presented at the Spring 2000 Internet Security Conference, San Jose.]

Abstract

Future generations may know the end of the 1990s, among other things, as the time when computer and network security finally got some respect. Never before has the non-technical "person on the street" better known computer and network security issues. Many network security companies, even single-product ones, are riding high on Wall Street. Yet, the security posture of most companies and networks is worse than it was 3 years ago.

This paper discusses the growing awareness of the need for security, the growing threats that caused the awareness, the rise of Internet security, and the practices that lead to insecurity. It starts from the early days of the Internet and moves to today, making recommendations for tomorrow. It begins with a parable.

Part 1: A Parable

In the Beginning

Once upon a time, there was a beautiful Garden where people worked and played. Those who were in the Garden were Magi, and they worked their wonders in and about the Garden, communicating, always communicating. Speaking forth in RFCs, they created the True Speech, and their creation dressed the Garden and kept it. The whole Garden was of one language, and of one speech; and it was good. They were naked and were not ashamed.

Time passed, and it came to pass that one day a Worm entered the Garden. Using the True Speech, using their need to communicate, the Worm went to and fro in the Garden. Walking up and down in it, going where it would, it took advantage of the trust those in the Garden had, one for another. Upon discovering his presence, there was war in the Garden. The Magi fought against the Worm; and the Worm prevailed not; neither was his place found any more in the Garden. The great Worm was cast out, but the Garden had become a Wilderness, and Darkness walked among the Magi. When the Magi saw what they had allowed to happen, they were ashamed. And the Magi, seeing how they had been exposed and vulnerable, knew they were naked, and so made coverings for themselves.

The Time of the Prophets

Time passed. The Magi communicated in the True Speech and worked to return the Wilderness to the beauty of the Garden it once was. Many remembered how it was Before, and many were their followers. Prophets rose and went forth in the Wilderness, going to and fro and walking up and down in it. They spoke of danger. They taught of errors in the foundations of the True Speech and spoke of plagues, of the coming of false Magi, and a time when brother would not recognize brother, nor sister, sister. One would cry, "Here I am," and lo, it would not be so. An Archmage went forth, speaking of a time of floods and of those who would turn the truth to a false path. He spoke of wolves in the raiment of sheep. Few believed the Archmage, though he would prove to be true.

People from other lands came to the Wilderness to live and work. They too wanted to speak the True Speech, but it was difficult, because the True Speech was the language of the Magi. Soon, came the corruption of the True Speech, as more strangers entered into the speech of the Wilderness. They said, "More, more, more. Give us more." The Magi assented.

They changed the True Speech, and no longer did you have to be a Mage to work and play in the Wilderness. Kings, queens and those of the trades and arts could work and play in the Wilderness. Kings strove to claim the Wilderness for their own, but the magic of the Wilderness and the True Speech was too strong. And still people came. "More, more, more. Give us more," they cried. Again, the Magi assented.

Weaving their magic, again they changed the True Speech. "Behold," they said. "Is it not even more beautiful, even more true than before?" Indeed, it did seem much more beautiful. New colors, images, and sounds filled the Wilderness. The true True Speech was no longer required. The Vulgar Speech that replaced it was available to Magi and non-Magi, the naïve and the corrupt. Those who were not of the Magi filled the Wilderness. False Magi rose up and walked to and fro, and up and down in it.

Time passed, and the Magi built bastions in the Wilderness and pretended that it was the Garden and that nothing had changed. The people saw that the bastions were good. Having heard stories of the Garden, but never seeing it, the people moved behind their walls and, smiling, said, "Is not our Garden beautiful?" But Darkness lurked in the Wilderness. The people saw that the Wilderness was pleasing to the senses and good for knowledge, and so went up and down in the Wilderness, passing to and fro from their bastions. The Magi wanted all those of the True Speech, and those not, both small and great, rich and poor, free and bond, to carry the mark of the Magi. No one might pass through the gates, save he that had this mark. But, the people cried out, "It is too much to bear," and the Magi relented.

The people loved the Wilderness. To ease their comings and their goings from the bastions, they dug holes under their walls, broke holes through their walls, and put ladders up against their walls. Enjoying their new freedom, they said, "Is not our Garden beautiful? Is not our bastion safe?" It was not so. Yet, the people were happy.

The Time of the Profits

People from every kingdom went to and fro in the Wilderness, walking up and down in it. Merchants, pretenders, and swindlers came saying, "let us build us a city and a tower, whose top may reach unto heaven; and let us make us a name, lest we be scattered across the Wilderness." They settled in the Wilderness and claimed it as their own. With sizzle and flash, they enticed the people of the Wilderness from behind their bastions. The merchants, pretenders, and swindlers wanted all, whether small and great, innocent and corrupt, rich and poor, free and bond, to receive a mark in their right hand, or in their foreheads. And no one might buy or sell or pass through the gates, save he that had the mark. The people, now working and playing in bastions that were not bastions, cried out, "More, more, more. Give us more." The merchants and swindlers gave them still more. The Wilderness grew in size and numbers. None could measure it. None could fathom it.

Time passed. Throughout the Wilderness, there were plagues and rumors of plagues. With growing sense of unease, the people erected watchtowers and posted sentries against the rumored coming attack. Some said it would be the final battle, the end of time. The Magi kept silent.

False Signs

Time passed, and the True Speech was all but forgotten. Still, the sentries watched and waited. The invaders never appeared. They were already within.

It came to pass that a star fell from the heavens into the Wilderness. Its name was that of a woman and a song of a great "brothers" band of times past (let the reader understand). When it fell, it loosed a great plague upon the people. Many perished, and those who were left fell back into their bastions in terror. Those who were not of the Magi took up the raiment of the Magi and spoke. They warned of the end of days. They spoke of plagues worse than the present darkness and worse than those in times past. And other like plagues did follow. As time grew short, the people cried out to the mountains to fall on them. They cried out to the sea to cover them.

And Time stopped … became new … and continued … as did the Wilderness.

The people peered out from behind their walls, with fear, then wonder, then — finally — relief. They scoffed at all prophets and all Magi. "Has the sun fallen from the heavens?" they mocked. "Are not our bastions strong and secure?" they jeered, though the bastions were not. Yet, still the people felt safe. Still the Magi kept silent, and waited.

The Beginning of the End

Few Magi, and none of the people, remembered the most ancient of prophecies of woe spoken by the Archmage in times forgotten. An abomination of desolation accompanied by a great deluge was to come, but the foretelling had long passed from the memory of those in the Wilderness, save for the Magi.

The day of Its coming dawned as any other. Throughout the Wilderness, the Magi — those who remembered — spoke the True Speech. The people climbed around, through, and over their bastions that were not bastions, wearing the mark of the merchants on their right hands or on their foreheads. The merchants were happy. The people were happy. The swindlers were especially happy.

Without a sound, the sleeping invaders awoke.

From every corner of the Wilderness, it started — a trickle that grew to a torrent. Its rumbling was felt throughout the Wilderness. None could ignore the terrifying sounds and tremors. "Surely, this is the end," the people cried. "This is the end," the false Magi railed.

The embattled bastions withstood the deluge. But once again, as in the days of the Worm in the Garden, the very foundation of the Wilderness was shaken. And as quickly as it had started, the clouds rolled away. The merchants and swindlers brought out their wares. The people, once more, climbed around through and over their bastions that were not bastions, wearing the mark of the merchants on their right hands or on their foreheads. Once again, relieved, they worked and played in the Wilderness. And quietly, the Magi went about creating a new True Speech with which they would communicate, speaking forth in RFCs, with the goal of creating, then dressing and keeping a new Garden. While they had the time…

Part 2: From Security to Insecurity

What follows is obvious. There is nothing new under the sun. So, why are we not more on top of the security problem? What makes systems insecure? How do we regain ground? It all comes down to numbers.

The Numbers Problem: More is Less

As the research platform ARPAnet, the Internet was a simpler place than it is today. Simple, here, is quantified, in terms of numbers. In fact, it all comes down to numbers.

Targets

First, there were a small number of connected computers. You could count them on your fingers with some left over to type (more than enough for some). They were completely interconnected — although this was an internetworking experiment, it was a very small network, of very large computers.

According to the January 2000 Internet Software Consortium "Internet Domain Survey" [ISC], there are over 72 million hosts on the Internet. Given that many organizations do not advertise their internal name space, this represents many more computers connected in some fashion to the Internet. This is an incredibly large number of potential targets.

Originally, the computers on the Internet were computers used primarily for research. They were, for the most part, university computers with a few unclassified DoD nodes to keep the bean counters happy. Among the 72 million Internet hosts today are many of the world’s corporations, both large and small, and government agencies of much of the industrialized world.

Threat Agents

Few computers also meant few users. On the ARPAnet, everyone knew everyone else. Even so, ARPAnet use required the approval of a U.S. military officer. A person on the ARPAnet knew every system administrator on every computer, all of the children, and all of their names. (To carry the "King of the Road," Roger Miller, reminiscence further, they knew every handout on every machine, and every lock that wasn’t locked when no one was around.) [MIL]


Today, according to the above-cited numbers, there are potentially close to a billion people in our "network neighborhood." Few of us can ever hope to know much less ascribe some value of trust to even 1% of these neighbors. Even if we are trusting types, we have to assume that there are several orders of magnitude more attackers among those we do not know on today’s Internet than erstwhile uses among the entire population of the original ARPAnet.

Avenues of Threat

On the ARPAnet, everyone wanted universal connectivity — connectivity with every other node. Connectivity and communication was, after all, what they were testing. Today, for the most part, we (enterprises in particular) don’t want universal connectivity, so we hide behind firewalls. Only our gateways — we hope — are universally connected. But because of the population explosion of the Internet, the network map is too complicated to imagine, let alone draw. [CHE] And every connection to our firewalls is an avenue of attack.

Even just seven years ago, the Internet, was a simpler place, with fewer "services." Most Internet users stuck to the basic services: terminal service, file transfer, and electronic mail. When it became available, file sharing was thrown in. Today, we add web access, audio and video conferencing, "chat," streaming audio and video, data base services of different kinds, and the occasional Descent3 game (port 2092).

The Internet now acts as a corporate IT backbone for an increasing number of organizations, extending the corporate network to include travelers, voice communications, file sharing, and everything else that should and should not fit under the umbrellas of e-business and e-commerce. The more services there are, the harder it is to present those services securely. Every service represents possibilities for increased sales, increased market share, or increased customer satisfaction. But every service also represents a potential avenue of attack. Users and vendors exasperate the problem, as they demand new services or deploy new products in Internet time. Users seem to have little interest in security analysis or risk assessments, and vendors, responding to market demand, are motivated to ship products before they are fully tested.

Amount of "Clue"

All of the original users of the ARPAnet were engineers and computer scientists. If you used the Internet in the early days, you were there to "do science." You were technologically sophisticated: you had what Jeff Schiller, MIT’s network czar and Security Area Manager for the Internet Engineering Task Force, calls "clue." Contrast that with today’s Internet. Computers and networks are easy to use by just about anyone. From a usability viewpoint, this is a Good Thing. From a security viewpoint, it makes things complex. Assuming "cluefulness" is measured in terms of "amount of clue," then, according to Jeff Schiller, "The total amount of ‘clue’ on the Internet is constant." The average user is now probably more likely to fall for "Click here to download virus" kinds of tricks than an early Internet.

The ARPAnet grew big enough to allow attackers sometime prior to November 2, 1988 [SPA]. Maliciously attacking computers and networks still took smarts, skill, and patience—and a certain amount of depravity. The level of clue required by a would-be successful attacker limited the number of potential attackers. Today one does not have to be particularly smart or skilled, or have the patience to launch an attack. Anyone with a computer and the skills to click a mouse is a potential attacker. No other special skills are required. In other words, depravity is the bounding metric, not clue.

The Usability-Security Tug-of-War

We know that security and usability are always at opposite ends of a continuum or, if you will, a rope as used in a tug of war. As stated in an axiom, "Security and usability are inversely proportional." A corollary of this is "There is no such thing as complete security in a usable system." [AVO] Those of us on either side of the rope — users or security professionals — feel the tension. Security professionals are also users. Because of that, we understand the allure of the Internet as well as understanding the security view. Most of our users do not have the benefit of both points of view.

And the Internet is alluring. All of us want (sometimes need, but definitely want) new and better things and new and scarier services. Some of them make sense ("browser" as "travel agent"), and others may not (sitting in Maryland and listing to KING-FM in Seattle, just because I can). Demands come from internal users as well as the "external" users — clients, customers, business partners, suppliers, independent sales people, etc.—while vendors and site developers are happy to continue to come up with the new, the exciting, the insecure.

"More, more, more." We must remember, the more services we support, the more connections we permit, the more customers and business partners touch our inner sanctum, the more clueless our users, the less sure we can be about our network security. And the harder we will have to work to secure it. Of course, this may mean that we are also accomplishing more. This is also a Good Thing.

Controlling the Numbers: Less is More

So, we have the history and can see the picture of how we landed where we are today. As the Internet rose, so did insecurity, but then security followed closely behind. Today, we are in a state of modest equilibrium. How do we maintain it?

Give and Take

I do not have to explain the relationship between threats and security. We work in this realm. We also understand that there must be a balance. Back to the usability-security rope or continuum. Too much security and we are very secure but we pull our users into the mud. Worse, we might back up and fall off the cliff behind us. Too little security and we fall in the mud. Even worse, still. If we just give some slack, no one falls in the mud, but yes, our users fall off their own cliff. There is no good solution to this problem, except to try for equilibrium.

It does take work, but every time we deploy some new and well-conceived security device, we should make progress towards achieving equilibrium. For example, the new device might give the user usability while giving security. Both sides pull with less energy. Every time we educate the user, they pull a bit less hard, and we can ease up a bit. Every time we learn more about the user requirements, we can pull a little less hard, in terms of designing security devices such that they take requirements into consideration without adding undue complexity and hampering usability , and the users will follow suit. Equilibrium is good. It works. Security and usability. Security with usability.

The Seven Things to Help Keep Sanity and Equilibrium

No one needs to tell us how to play this tug-of-war. If we are security professionals, we are already engaged in it. How do we stay in the game, while providing security and providing usability in a way that occasionally permits us to relax? Security professionals must remember (at least) the following seven truisms.

  1. We ask for requirements, they give us solutions. It is very important to listen carefully and ask questions. When someone states "We need to allow the H.323 protocol through our firewall," they have given you a solution. You might not know whether it is the best solution, but you must recognize it for what it is … and gently push back. "What is your requirement?" You see, the requirement is probably something along the lines of this: We need to easily and inexpensively audio or video conference between groups X and Y." By giving you the "solution," you might be forced into opening up more (perhaps insecure) services through your firewall. Their proposed "solution" might not even be the best one for the application they truly wish to employ.
  2. Many requirements are wants or desires in disguise. Sometimes you may be in a position to "grant wishes," but it is important from a security point of view to understand what are business requirements and what are not. "We need you to open up UDP port 2092." Might really mean, "I want to play Descent3 on the network with some of my buddies." Once you know the want or desire, if it is contrary to a security or acceptable use policy, you can explain why this request cannot be satisfied. While it won’t make Descent3 users happy to know they can’t play this RPG at work, treat the user as an adult by explaining a vulnerability, threat, and consequence that gave birth to the policy (see 3 as well).
  3. It all has to do with numbers. The fewer the numbers of {supported services, permitted connections, outsiders allowed in, insiders allowed out, cluelessness}, the easier securing the network will be. If every sales person (let’s say 100 of them) needs access to the entire inside network (500 computers), utilizing any possible Internet service (65,000), we end up with a level 9 problem (3.25E9). If every sales person actually only needs access to send and receive e-mail and web access to the sales web server we end up with a level 2 problem (6E2). Which would you rather have to deal with, a level 2 or level 9 earthquake?
  4. The more granular (specific) we can be in our security measures, the easier it will be to secure the network — at least, in the long run — and the easier to provide services. This follows from number 2. Many corporate interoffice firewalls are configured to allow unlimited access from one site to another. It is far better to allow open access (if required) for only the required services between the offices. This is because …
  5. If you have mistakenly disabled a required service, you will hear about it. If you allow an insecure service over which someone can launch an attack, you may never know about it. This is a corollary to the axiom, "that which is not expressly permitted is prohibited." When unsure about a service, better to disable it and incur the temporary wrath of service users than to expose your network to attack.
  6. It is the responsibility of the clueful to clue in the clueless. We must remember that the clueless may and should make good and proper use of the Internet: this is a Good Thing. Simply put, it is a benefit for our jobs and our society that computers are accessible to almost anyone. People are not stupid just because they do not know that "macros" in a document running in word processor are actually programs and to be treated with suspicion. They do not have to know what is behind a web page in order to use it, but they should have enough security education — your job perhaps — to know when to stop and think ("Click here to infect your machine").
  7. Equilibrium is more than just good. Equilibrium is winning.

 

References

[ISC], The Internet Software Consortium, "Internet Domain Survey, http://www.isc.org/ds/.

[MIL], Roger Miller Lyrics, "King of the Road," http://www.netlink.com.au/~clarks/king.htm.

[CHE], Bill Cheswick, Bell Labs, Hal Burch, CMU, "Internet Mapping Project", http://www.cs.bell-labs.com/who/ches/map/index.html.

[SPA] Eugene H. Spafford; An Analysis of the Internet Worm; PROCEEDINGS OF THE EUROPEAN SOFTWARE ENGINEERING CONFERENCE 1989 (LECTURE NOTES IN COMPUTER SCIENCE #387); Springer-Verlag, Berlin, Germany; pp. 446-468, Sep 1989.

[AVO] Frederick M. Avolio, "Security Axioms," http://www.avolio.com/papers/axioms.html.