Homeland Security computers still vulnerable, says security expert

AT&T's Ed Amoroso

Computers at the Department of Homeland Security, as well as the majority of government IT, remain vulnerable to botnets, damaging malware and networked attacks, according to a long-time security expert at a big U.S. telecommunications carrier.

That may not be big news, said Ed Amoroso, chief security officer at AT&T, but the attack sources remain nagging problems for government networks and the nation's networking infrastructure is disturbingly vulnerable. “I predicted 10 years ago that signature-based security, based with passwords, anti-virus software and firewalls protecting computers, doesn’t work” on expansive, complex networks, he said in an interview with Government Security News. That prediction, he said, has largely come to pass, as malware, botnets and denial of service attacks have raged through computer and networking assets in the last decade or so.

Amoroso lays out his 25 years of computer networking experience and security knowledge in a recently published book, “Cyber Attacks: Protecting National Infrastructure.” The upshot of the book is that computer security has been driven largely by the use of small-scale protections designed for smaller enterprise computing environments, and that effective national cyber security will be best developed through collaboration among commercial, industrial and government organizations. He said the risk of a catastrophic cyber attack on national infrastructure is “extremely high” and that security measures desperately need to be reviewed, followed by immediate action.

Distributed Denial of Service (DDoS) attacks, the kind of brute-force, mass server request assault recently unleashed by WikiLeaks supporters on banking networks, remain something of a government computer security blind spot, he said. “In the federal government space, it’s a surprise that civilian agencies require only light protection from denial of service attacks,” he said. When AT&T gets a large government contract, the company sometimes has to meet with the contracting agency to convince it to bolster DDoS protection, he said.

However, Amoroso said he is encouraged by the ongoing shift towards virtualization of applications, which puts security controls in a more centralized location instead of relying on thousands of individual computers. He likens virtualization to a return to the centralized control of mainframe-based systems in the early days of computing, when a few dedicated security personnel controlled the network, narrowing the window for security incidents. “A couple of decades ago, a few system administrators protected the system. They implemented software and controlled what was on the system,” he said.

As computer networks have become dependent on personal computers and increasingly on mobile computing, he said, administrators don’t know what is being loaded into the system.

A cloud-based, virtualized system is something of a return to those days, according to Amoroso. “The cloud can act like a mainframe,” he said, since it offers a central control point for computers accessing it. “Compliance and control functions are handed off to the cloud,” he added.

Not surprisingly, given his employer, he said telecommunications carriers with specialized services and networks can be key in handling secure virtual applications, since they have to meet stringent security standards. Established, experienced telecommunications carriers also have a long history of managing networks effectively and with innovation. “We’re already comfortable with it because we’ve been doing it for so long,” he said.

As virtualization gradually takes over, government agencies have to develop better techniques in the here and now, according to Amoroso. “Government networking has to be more unpredictable to those with bad intent,” he said. “Homeland Security may buy off-the-shelf security products to protect their networks, but the guys who write malware are an advanced persistent threat. They’re testing against that same security software that they’ve bought off the shelf,” he said.

“I suggest we build more uncertainty into the network and ramp up research and development of deceptive computing” to make unauthorized, ill-intentioned actors think twice, said Amoroso. “‘Honey pots’ could be a part of that strategy,” he speculated. “Honey pots” are network access points that are intentionally left with weak defenses in hopes of attracting bad guys intent on accessing the network to pilfer files or dump malware. The access point could be set up to offer no real access and bogus documents, but because the [security] patch is missing it would be an attractive target for hackers who don’t know that, he said.

The access point could be monitored for illegal activity, which could be exploited by the network operator in many different ways, including passing on bogus information or tracking down other bad guys, said Amoroso.

Even if the bad guys realize they’ve been accessing bad information, a “honey pot” could plant the seeds of doubt about everything they’re accessing, providing something of an intangible security feature, he said.
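The kind of decoy described above, as an added Python illustration that is not from the article, AT&T or Amoroso's book: a small HTTP service that advertises a stale server banner, serves constructed bogus documents under inviting names, and records every request as an alert (the paths, banner string, marker text and addresses are assumptions).

```python
import json
import logging
from datetime import datetime, timezone
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed decoy documents: harmless content carrying a unique marker, so
# any later appearance of that marker elsewhere traces back to this decoy.
DECOY_DOCS = {
    "/finance/budget_fy13.xlsx": b"DECOY-DOC-0001 constructed placeholder\n",
    "/it/passwords.txt": b"DECOY-DOC-0002 constructed placeholder\n",
}
ALERTS = []  # in-memory alert log; a deployment would forward these to a SIEM

def decoy_response(path: str):
    """Return (status, body) for a requested path: a bogus file or a 404."""
    body = DECOY_DOCS.get(path)
    return (200, body) if body is not None else (404, b"Not Found\n")

def record_access(remote: str, path: str) -> dict:
    """Nothing legitimate should touch the decoy, so every request is an alert;
    decoy_hit marks requests that actually pulled a bogus document."""
    event = {"ts": datetime.now(timezone.utc).isoformat(), "src": remote,
             "path": path, "decoy_hit": path in DECOY_DOCS}
    ALERTS.append(event)
    logging.warning("honeypot access %s", json.dumps(event))
    return event

class DecoyHandler(BaseHTTPRequestHandler):
    server_version = "Apache/2.2.3"  # deliberately stale banner: looks unpatched
    sys_version = ""

    def do_GET(self):
        record_access(self.client_address[0], self.path)
        status, body = decoy_response(self.path)
        self.send_response(status)
        self.send_header("Content-Type", "application/octet-stream")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # keep stderr quiet; ALERTS is the record
        pass

if __name__ == "__main__":
    logging.basicConfig(level=logging.WARNING)
    HTTPServer(("127.0.0.1", 8080), DecoyHandler).serve_forever()
```

The decoy never exposes real data; its value is that any request to it is a high-confidence signal, and the marker text lets a leaked copy be attributed to the decoy later.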

 
