U of M Engineer to IT Admins: Rethink Your Security Solution

In a lab at the University of Maryland’s A. James Clark School of Engineering, researchers have set the bait: computers with built-in weaknesses to entice hackers to attack.

And attack they have—thousands upon thousands of times. Now, Clark School researchers have released quantitative data on how hackers break into computers. Their work could change the way system administrators secure their computer systems.

Many in the computer security community have assumed for years that “port scans” precede actual attempts to hack into computers (in a port scan, the hacker probes a computer to learn which services it exposes and whether they have potential weaknesses). While some of the largest corporations and government agencies have studied similar questions, they have not released their findings. The Clark School researchers, in an article published earlier this year at the Institute of Electrical and Electronics Engineers (IEEE) International Conference on Dependable Systems and Networks (DSN ’05), revealed that port scans precede attacks only around 5 percent of the time. More than 50 percent of attacks are not preceded by a scan of any kind. Hackers don’t necessarily look before they leap.

This means that security administrators may be relying on flawed assumptions to prevent attacks. Many IT administrators first try to detect scans and only then take preventive measures to secure their networks. The research shows that, for the bulk of hacking attempts, such a response comes too late.

“We found that the confidence administrators have in their security solutions seems often to be misplaced,” says Michel Cukier, assistant professor in the Center for Risk and Reliability in the Clark School’s Department of Mechanical Engineering, and an affiliate of the university’s Institute for Systems Research. “We now have scientifically derived data—we know what kinds of hackers attacked our research test-bed network and what they did once they broke into it—and we have made them available.”

Further experiments conducted by Cukier include measuring the time that separates scans from attacks, a longitudinal study of malicious activity recorded over one year, and a comparison of malicious activity originating inside the University of Maryland with malicious activity originating outside it. The design and development of the test-bed that collects this malicious activity has been led by Susmit Panjwani, a reliability engineering Ph.D. graduate student, with the help of several undergraduate students who conducted independent research studies.

While collecting the data, Cukier realized there was a need for a tool that checks for a wide range of host vulnerabilities on Windows computers. He and his team have developed “Ferret,” an open-source software tool that checks for these weaknesses on Windows platforms.

“Ferret automates what some Windows system administrators do manually,” Cukier says.

The program has more than 50 plug-ins for finding and fixing weaknesses in Windows operating systems. New plug-ins can easily be added as new vulnerabilities are identified.

The code is free, and it is open to study, not just to use, in order to gain the trust of those who may want to install it, Cukier says.

Published December 15, 2005