Ira Winkler, Director of Technology for America's National Computer Security Association, warns of the dangers threatening government intranets
Just about every government organisation from local to national levels is developing fully integrated, large scale intranets. This connectivity will allow governments to provide better service than people could have ever anticipated. Information that previously took months to find will be available in seconds. This is the blessing and the curse of intranets.
The availability of information does allow for increased services, but it also provides for tremendous breaches of security. This has been the irony of almost every information technology development. The more connectivity you provide, the better functionality you can provide. Unfortunately, the better the connectivity, the easier it is for outsiders to break into the system and for insiders to abuse their access. With this in mind, security becomes a critical component of a government intranet.
Some intranets hold data that is supposed to be widely available to people, and the security of those systems is less important. Other intranets can contain very personal information about their constituents, and there security is crucial. However, the most common circumstance seems to be one where both public and sensitive data reside on the same network.
There are many people who want to exploit the private and sensitive information on these intranets. Other people also want to modify the public data to embarrass or harass the government in general. Depending upon their intentions and their skill, these people can cause very major damage, compromising both public and personal information. The public information can be any form of public records, such as home sales, school records, arrest warrants, and so on. The effect of the modification or deletion of this information varies as well. For example, if you can delete an arrest warrant, a dangerous criminal can remain at large. If someone creates an arrest warrant against you, you could be put in jail.
These intranets also have very personal information about individuals. There was a case in the United States where employees at the Social Security Administration were accused of selling information about US citizens to people involved with credit card fraud. The information these people obtained allowed the criminals to impersonate the individuals. These types of breaches occur throughout the world, and usually go unnoticed.
Before you start figuring out what sort of damage an adversary can cause, you have to consider the typical security afforded to those networks. In military and otherwise classified or sensitive environments, the computer networks are closed; in other words there are not supposed to be any external connections. Only people who have physical access to the network can access the data. From my personal experiences, it is my opinion that these closed networks are generally insecure apart from the fact that they are closed. System administrators do not take special care to activate security features, to update the operating systems for known vulnerabilities, or to force users to have strong passwords. This means that anyone with physical access to the network can potentially compromise any computer on it.
Other government intranets might appear at first glance to be closed, but on closer inspection, you can see that they have modems that can be used for remote access. This means that the networks are vulnerable to insiders as well as outsiders who intentionally target the organisation.
War dialers check every telephone number within a given telephone exchange and identify potential modem connections. Once they figure out where the modems are, an adversary will attempt to compromise the modems to gain access to the network. Unfortunately, modem security is usually poor. Administrators rarely require passwords on these modems, allowing for unchallenged access. When there is good modem security, a focused adversary will resort to 'social engineering'. This involves lying over the telephone to get an unsuspecting insider to give them sensitive information, possibly even their computer passwords.
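A war-dialing sweep leaves a recognisable trace on the victim's side: one calling number reaching many distinct extensions in a short window. The following detector is an added example, not code from the article; the call-record format, field layout, sample records and thresholds are all constructed assumptions rather than any real PBX's log format. It flags any caller that hits many distinct numbers quickly, so it also catches sweeps that are not strictly sequential.

```python
"""Flag war-dialing sweeps in inbound call detail records (CDRs).

Constructed example: the log format (timestamp, calling number, called
number), the sample data and the thresholds are assumptions for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample CDRs: one caller sweeps an extension block at night,
# another caller rings the same help-desk extension twice during the day.
SAMPLE_CDR = """\
1997-03-04T02:11:05 555-0199 202-555-1000
1997-03-04T02:11:41 555-0199 202-555-1001
1997-03-04T02:12:17 555-0199 202-555-1002
1997-03-04T02:12:52 555-0199 202-555-1003
1997-03-04T02:13:30 555-0199 202-555-1004
1997-03-04T02:14:09 555-0199 202-555-1005
1997-03-04T09:02:00 555-0142 202-555-1020
1997-03-04T09:30:00 555-0142 202-555-1020
"""


def parse_cdr(text):
    """Parse whitespace-separated CDR lines into (timestamp, caller, called)."""
    records = []
    for line in text.splitlines():
        ts, caller, called = line.split()
        records.append((datetime.fromisoformat(ts), caller, called))
    return records


def find_sweeps(records, window=timedelta(minutes=10), min_targets=5):
    """Return {caller: sorted distinct numbers} for callers that reached at
    least min_targets distinct numbers within any window-long interval."""
    by_caller = defaultdict(list)
    for ts, caller, called in records:
        by_caller[caller].append((ts, called))
    suspects = {}
    for caller, calls in by_caller.items():
        calls.sort()  # chronological order so each call can start a window
        for i, (start, _) in enumerate(calls):
            targets = {c for t, c in calls[i:] if t - start <= window}
            if len(targets) >= min_targets:
                suspects[caller] = sorted(targets)
                break
    return suspects


if __name__ == "__main__":
    for caller, numbers in find_sweeps(parse_cdr(SAMPLE_CDR)).items():
        print(f"possible war-dial sweep from {caller}: {len(numbers)} numbers")
```

On real systems the same logic applies to whichever call-accounting export the PBX or telco provides; the payoff is knowing which modem lines were probed so that their password requirements can be checked first.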
Lastly, there are intranets that are connected to external networks, such as the Internet. These networks will probably have all of the security vulnerabilities of the other types of networks, along with the increased vulnerabilities of the external networks. In these open networks, system administrators should be diligent in performing security related functions. Unfortunately the security varies from computer to computer, depending upon the diligence of the individual system administrators. As many readers should be aware, their training, skills and diligence vary greatly. Security in intranets is primarily a function of system administration.
Your adversaries know what your probable vulnerabilities are. They exploit known technical vulnerabilities and system configuration mistakes to gain access to specific computers. If insiders are involved, they might have access to the information that they are after, or want to modify or delete. If they don't have the access, they could resort to computer hacking to gain the access they need.
I should make one point clear - no matter who is trying to hack your computers, they will use the same tools and techniques. The more organised attackers will probably have more efficient and focused attacks, but even the amateurs will eventually be successful if you are vulnerable.
As far as who the adversaries are, that depends on who the potential victim is. There are always those dreaded teenage hackers who want to get into government computers for bragging rights or to hurt the Government. There are also criminals who want access to government computers to see what the Government is up to. Criminals might also want to access law enforcement and tax computers to see who undercover agents might be. As the case of the Social Security Administration compromise shows, computers are targets because of the information they hold about third parties. There is also the foreign intelligence threat.
The people responsible for securing the information are usually ignorant of the threats they face. For the most part, they take the information that they have for granted. They handle very valuable information on a daily basis, and they forget the value of the information that they handle every day. After all, real attacks are very rare. I also have the cynical view that they would not recognise an attack when one does happen.
Most importantly, these people should realise the value of the basic system administration practices. To secure their intranets, they should focus on doing what they should be doing as normal administrators - updating the systems as new releases are made available from the vendors, for example.
They should also perform some penetration testing to find the vulnerabilities before the adversaries do. In a penetration test you use hacker tools against your own network. These tools are widely available on the Internet from both legitimate (government) and underground sources.
The people trying to compromise government intranets come from both inside and outside the governments. However, no matter what their intentions or who their sponsors are, they will use similar methods and tools. While the potential threat is large, intranet managers can secure their networks from just about any adversary by doing things that they should already be doing. Potential attackers are not unstoppable geniuses. They only exploit holes that can be plugged up with widely known countermeasures.
About the author
Ira Winkler, CISSP, is the Director of Technology for the National Computer Security Association. In that position, he helps to secure some of the largest companies in the world. He has also helped secure a variety of government organisations. He has written dozens of articles associated with information security, contributed to several books, and has authored the book, 'Corporate Espionage', which details actual cases of industrial espionage and computer-related crimes to demonstrate how they could have been prevented.