NISCC and the Internet Security Threat

August 31, 2001

This article from the NISCC Secretariat explains what the NISCC aims to do and the services it can provide by way of alerting to security dangers.

Back in 1775, Boswell wrote ‘knowledge is of two kinds. We know a subject ourselves, or know where we can find information upon it’. He can’t have envisaged in his wildest dreams (and anyone who has read his ‘London Journal’ will know that he had some pretty wild dreams) how appropriate his words would seem in the Internet age of the early 21st century. Nor the lengths that some would go to in their attempts to obtain or subvert that knowledge.

As we confront the cyberspace oddities of 2001, increasingly the theme of organisational horror stories is the failure of damage done to their IT infrastructure and the consequences to their business. The IT revolution is beginning to underpin the very fabric of the UK’s infrastructure. Many of the critical services that are essential to the well-being of the UK are dependent on IT and the UK Government is determined to honour its commitment to protect the things that are important to the country as a whole.

Good security is a vital enabler for both e-Government and e-commerce. Besides the immediate impact of loss of service or corruption of data, attacks can damage public confidence in companies, electronic services and e-commerce. To help in the fight to ensure that the UK is well positioned to protect itself against the threats, the Government has established NISCC (pronounced ‘nicey’), the National Infrastructure Security Co-ordination Centre, whose key role is to protect the country’s Critical National Infrastructure (CNI) from electronic attack.

So what exactly is an electronic attack? Thirty years ago the term might have conjured up visions of Vincent Price as a mad professor with a set of nasty-looking probes. Nowadays the definition is more clear-cut. An electronic attack is ‘an attempt to gain unauthorised access to an IT system in order to disrupt its operation or gain access to information about, or stored on, that system’. Phew, quite a mouthful – but quite a problem, too. Because not only are there plenty of people out there keen to target computers with malicious intent, but as they become more and more sophisticated, so they are unearthing more and more ways to exploit the Internet to carry out their desires. You can be sure that the incidence and severity of electronic attacks will increase and the threat will rise for the foreseeable future.

Most successful attacks on computer systems via the Internet are a result of the exploitation of security flaws. Software vulnerabilities account for the majority of successful attacks because attackers are opportunistic, taking the easiest and most convenient route. They exploit the best-known flaws with the most effective and widely available attack tools. They can often rely on organisations not fixing the problems, or not fixing them quickly enough after the discovery of a new vulnerability. Attackers are often acting indiscriminately, scanning the Internet for any vulnerable systems ripe for their purposes.

Often system administrators may not have corrected these flaws because they simply do not know which problems are the most dangerous. To combat this difficulty, the information security community is taking steps to identify the most critical Internet security problem areas – those vulnerabilities that system administrators should aim to eliminate as a matter or urgency. During the past year UNIRAS (the IT security incident reporting and alerting part of NISCC) has evidence of exploitation vulnerabilities in the following areas:

  1. Network service vulnerabilities. A number of common vulnerabilities in network services continue to be exploited routinely by attackers. These include vulnerabilities in UNIX Remote Procedure Call (RPC) services, which allow programmes on one computer to execute programmes on a second computer, and in ‘sendmail’ the programme that sends, receives and forwards most electronic mail processed on UNIX and Linux computers. Many distributed denials of service attacks were carried out by systems that had been infiltrated because they had RPC vulnerabilities. Sendmail has been vulnerable to many attacks over the years, including a vulnerability which allows an attacker to appropriate password files. Other services with commonly exploitable vulnerabilities are the File Transfer Protocol (FTP) and the Internet Message Access Protocol (IMAP) and Post Office Protocol (POP) that are used to access mail from a client machine.
  2. BIND vulnerabilities. BIND (Berkeley Internet Name Domain) is the most common implementation of DNS (Domain Name System) on UNIX systems. DNS is the means we use to locate systems on the Internet by name (eg www.) A number of serious vulnerabilities in BIND have been discovered that compromise UNIX systems (which are not necessarily DNS servers). Because these vulnerabilities cause denial of service and arbitrary code to be executed on DNS servers, which hackers can use to erase the systems logs and install tools to gain access to other remote systems, the vulnerabilities in BIND constitute a serious threat to the infrastructure of the Internet.
  3. Web browser vulnerabilities. A number of vulnerabilities have been discovered in Microsoft’s Internet Explorer 4.x and 5.x browsers and in Netscape’s Navigator 4.x browser. These vulnerabilities potentially allow arbitrary code to be executed on the local machine, giving the attacker the ability to overwrite files on the local machine and access to protected files on the local machine. Some of these vulnerabilities reflect serious flaws in the implementation of the Java virtual machine and in ActiveX controls used by Web browsers.
  4. Web server vulnerabilities. A number of vulnerabilities in Microsoft’s Internet Information Server (IIS) have arisen during the last year which allow an attacker to read protected information from the server, to deface Web sites hosted on IIS and to execute arbitrary code on the Web server. Frequent incidents involving exploitation of the vulnerabilities in the IIS’s HTR functionality have been seen. HTR scripts enable users to change their own Microsoft Windows NT passwords and system administrators to do password administration via a Web site. Vulnerabilities in these HTR scripts leave the IIS Web server vulnerable to denial of service attacks and allow attackers to access certain security critical files on the server and to execute arbitrary code on the server. Vulnerabilities in the product’s Remote Data Services (RDS) also continue to be exploited which allow attackers to run remote commands with administrative privileges.
  5. Web server script vulnerabilities. A number of Web sites have been defaced because of vulnerabilities in scripts executed on the Web server. Server-side scripts languages are potentially vulnerable if the inputs to the scripts are not checked for allowable values. These include scripts written to the Common Gateway Interface (CGI) standard, as well as scripts written in Microsoft’s Active Server Pages (ASP) scripting language and in PHP. It is possible to cause affected scripts to run operating system commands as the Web server user.
  6. Information resource sharing services. Such network services, eg Network File System (NFS) on UNIX systems and NetBIOS Microsoft Windows systems, are vulnerable to allowing the inadvertent disclosure of system information and full file system access if the sharing is not properly configured. This is a general problem that potentially affects all systems which allow file sharing.
  7. Default Passwords. A number of vulnerabilities have been reported in systems (including telephony switches) and services (such as the Simple Network Management Protocol) which have non-existent, weak or well-known default passwords.

So where does NISCC fit in?

Just as there are a number of flaws to be exploited, so there are plenty of would-be protagonists ready to effect the exploitation. These range from the individual and/or hacker groups to the murky world of the organised criminal and the terrorist, the hostile foreign government with its bookshelves groaning under the complete works of John le CarrĂ©, the pseudo-anarchist groups, the industrial competitor, the disgruntled member of staff. And if you think there’s only a handful ‘at it’, think again – the US Pentagon, for example, estimates that it receives over 300,000 hacks per year, at least 500 of which are considered to be serious attempts at breaking into classified systems. Just as significantly, vast numbers of similar attacks are never spotted by those who have been on the receiving end. In the late 1990s the US General Accounting Office issued some revealing statistics relating to a government-led initiative to test as wide a range of government systems as possible. Of the 38,000 systems tested, 65% were successfully penetrated: only 4% were both penetrated and detected.

Hence the need for the NISCC. It has a big job to do, but its remit is clear. It aims to establish a long-term partnership with those companies that provide CNI services; to work with them to identify critical systems and reach a level of assurance about their protection; supply and receive information about the threat to assist in risk management and offer assistance in the event of a serious attack. NISCC can provide specialist protective security advice and expertise. In support of all of this, NISCCruns the United Incident Reporting and Alert Scheme (UNIRAS) which gathers information about IT security incidents and vulnerabilities and attacks and issues alerts and briefings. NISCC draws its members from a number of parent department that include the Cabinet Office, the Home Office, the Ministry of Defence, the Security Service, the Communications-Electronics Security Group (CESG) of GCHQ, the DTI and the police.

Everyone can avail themselves of the UNIRAS Alerts and Briefings through the UNIRASWeb site. In addition UNIRAS is willing to give advice and help about significant electronic attack incidents to non-government and non-CNI organisation, subject to resource constraints.

To maintain the continuing provision of CNI services supported by IT systems, it is essential that appropriate and proportionate protective security measures are in place and that staff are aware of the risks and are well trained. This cannot be just a ‘one-off’ and NISCC is committed to continuing to provide updated advice and threat information as the threat develops and as dependency on interconnected systems grows with the advance into the technological new frontier.

All of which tends to suggest that you’ll be hearing a lot more about NISCC in the years to come. For those of you who would like to know more, please visit the Web sites: www.niscc.gov.uk and www.uniras.gov.uk.