Does SNMP 'Vulnerability' Put Real Estate Systems 'at Considerable Risk'?

Week of February 25, 2002
Snapshot from the Field

LOOKING FOR A PREVIOUS STORY? CHECK THE ARCHIVE.

Report: Cyber-Attacks Doubled in 2001

Does SNMP 'Vulnerability' Put Real Estate

Finnish researchers at the University of Oulu (pictured above) initially identified the SNMP problem last summer.

Systems 'at Considerable Risk'?

By JACK LYNE, Site Selection Executive Editor of Interactive Publishing

PITTSBURGH -- As real estate becomes ever more embedded in cyberspace, news has broken of a new, and potentially highly damaging, security flaw - and one that's drawn only a lethargic response from many computer equipment makers.
Simultaneously, a U.S. government agency has released statistics showing that computer network security attacks more than doubled in 2001 - and that news came as the head of the FBI's cyber-security arm frankly admitted that his agency is just now getting beyond "being reactive."
The federally funded Computer Emergency Response Team (www.cert.org at CERT) at Carnegie Mellon University broke the news of the Internet security flaw.
"Numerous vulnerabilities have been reported in multiple vendors' implementations" of the widely employed Simple Network Management Protocol (SNMP), a CERT advisory cautioned.
Significantly, the SNMP problem is unlike last year's Code Red and Nimda worms, which entered through the Microsoft Internet Information Service Web server platform. In contrast, that the SNMP problem, CERT contends, extends to some 250 companies - many very well-known names. PCs, modems, operating systems, switches and routers are all "at considerable risk" of attack, the R&D center said.
The problem is not with the network protocol, but with product programming, CERT advised. The allegedly vulnerable products have been programmed to give access not only to network administrators, but to potential intruders as well, the center asserted. "These vulnerabilities may allow unauthorized privileged access, denial-of-service attacks or cause unstable behavior," CERT's advisory said.

CERT Official: 'Raising
Attention a Difficult Problem'

Finish researches at the University of Oulu first identified the SNMP problem last summer. Since then, however, the vulnerability has gotten little high-profile attention. Potential cyber-intruders, however, have begun to learn of the problem, CERT said in explaining its decision to release its advisory.
The Pittsburgh-based Internet security center has been working to elevate the problem's profile, contacting many of the companies with allegedly vulnerable products, CERT officials said. Many firms, however, have thus far offered little or nothing by way of reply, they added.
"I'm somewhat disappointed in our ability to raise the attention of some of the companies," Shawn Hernan, a CERT security specialist, told The New York Times. "It was a very difficult problem in trying to raise the attention of the right people."
Some companies, however, have responded proactively. CERT has listed the firms that have answered its advisory at www.cert.org/advisories/CA-2002-03.html#vendors. That list contains links to useful information that includes corrective patches and security advisories and bulletins. The list, however, does not include firms from which CERT has "not received comments" in reply to its alerts.

CERT Report: Last Year's Cyber
Attacks More Than Doubled 2000's Tally

The news of the SNMP problem fit the times - at least according to a CERT computer security report released several days earlier. That report documented rapid rises during 2001 in security attacks and software vulnerabilities.
The total number of reported security attacks nearly doubled last year - to 52,658 incidents from 2000's 21,756 incidents, CERT reported. (A reported "incident may involve one site, hundreds, or even thousands of sites," CERT noted).
And the frequency trend line for computer security attacks is steadily shifting upward, the report noted. In 1999, for example, the number of reported incidents was 10,000 - less than one-fifth of 2001's total.
The CERT report documented a similarly rising trend in reported security vulnerabilities in software. Last year, 2,437 software security vulnerabilities were reported, more than doubling the 1,090 vulnerabilities reported in 2000. In 1999, only 417 software vulnerabilities were reported - less than a fifth of 2001's tally.
CERT officials added, however, that those recent upswings might not reflect "pure" numerical increases. Viruses like Code Red and Nimda have created greater awareness of the dangers of Internet security breaches; as a result, more companies and individuals may be coming forward to report incidents, they explained.

Agency Head: Government Must Provide
More Predictive Data on Cyber Dangers

One of the primary governmental agencies charged with defusing the kind of cyberspace dangers that CERT documented is the U.S. National Infrastructure Protection Center (NIPC at www.nipc.gov). But the FBI's cyber-security wing has a ways to go in that area, NIPC director Ronald Dick recently conceded.

"Infrastructure protection can only be accomplished with the government and private sectors working together," NIPC director Ronald Dick (pictured above) told the recent CyberCrime 2002 conference.

Predicting cyber-attacks and providing warnings is one of the main areas in which NIPC needs improvement, Dick said in a frank speech to the recent CyberCrime 2002 conference in Mashantucket, Conn.
Another measure of the NIPC's effectiveness, Dick added, lies in providing information that the private sector can turn into action. And the agency created in February of 1998 has only recently begun to make concrete progress there, he allowed. "The NIPC has finally reached a level of capabilities that we are finally providing value-added products and information," Dick said.
Cyberspace security, however, must be a two-way public/private street, the NIPC director argued. "Infrastructure protection can only be accomplished with the government and private sectors working together," Dick told the CyberCrime conference.
One collaborative example is Infraguard (www.infragard.net), which Dick called "one of the largest government/private-sector joint partnerships for infrastructure protection in the world." Developed by the FBI, Infraguard includes more than 3,000 U.S. government and corporate officials, who meet to discuss cyber-security.
"We've done a pretty good job of being reactive to events," Dick concluded. But "strategic analysis" is Dick's No. 1 priority, he said. The NIPC, Dick explained, is now beginning a strategic analysis program focused on "prediction, prevention, detection and mitigation." One hoped-for outcome, he said: a "cyber weather forecast" providing a daily outlook for cyber-threats on the horizon.

Looking for a previous “Snapshot” story? Check the Archive.