Are you CERTain you are secure?

Do you subscribe to government agencies dedicated to tracking security issues? How quickly should you expect to receive notification of security problems? John McCormick tells you where you stand with the Computer Emergency Response Team (CERT).

Some of the best resources for network security administrators are the advisories produced by the Carnegie Mellon University-based Computer Emergency Response Team (CERT). CERT advisories are highly regarded among security administrators, with a wonderful track record for predicting major security issues. For example, last year, they warned of the possibility of distributed denial of service attacks months before Yahoo! and other major sites were hit.

CERT advisories serve best as a pointer to more detailed information. For example, the CERT Advisory "CA-2000-11 MIT Kerberos Vulnerable to Denial-of-Service Attacks," distributed on June 9, contains a summary of the problem and suggestions for how to deal with it. This advisory also contains a link to the highly detailed explanation from MIT's Web site.

Unfortunately, although CERT is an excellent resource, it can be slow when it comes to notification of newly discovered security holes, virus attacks, and other types of security problems. Some CERT advisories are not published until well after the fixes are developed. Even worse, sometimes CERT does not send these advisories long after hackers know about the problem.

Where was CERT when Melissa showed up?
The Melissa virus caused security administrators major headaches back in 1999. Concerns about CERT effectiveness for the general public came into question about this time. For example, CERT Advisory "CA-99-04-Melissa-Macro-Virus" was first published on March 27, 1999. On April 15, 1999, in testimony before the Subcommittee on Technology, Committee on Science, and U.S. House of Representatives, Richard Pethia, director of the Survivable Systems Initiative and CERT Coordination Center (CERT/CC), testified, "The CERT/CC received its first confirmed reports of Melissa early in the afternoon of Friday, March 26, 1999."

CERT realized this was a major event: "It soon became evident that the virus had the potential to cause severe problems across the Internet. Both government and industry sites contacted the CERT/CC to report problems." Mr. Pethia went on to say, "In response, the CERT/CC contacted many other government sites, including the House of Representatives, and also provided information to the National Coordination Center for Telecommunications, the National Infrastructure Protection Center, and the Critical Infrastructure Assurance Office."

Sounds great so far, right? Sure, if you are a governmental agency. The next sentence in Mr. Pethia's testimony points out the danger in relying on CERT: "Eight hours after receiving the first report of Melissa, the CERT/CC gave early warning, through the first of five 'special communications' to Department of Defense incident response teams, the FedCIRC Management Office, the FBI, and other sensitive sites."

If it took CERT eight hours to notify highly "sensitive" sites of what they knew or suspected was a major Internet security problem, what sort of time delay existed before it was public knowledge? According to the House Subcommittee testimony, the advisory wasn't published until the morning of March 27.

What is CERT really all about?
Please note—I am not CERT bashing. CERT is a useful organization for network administrators who need data on security issues. My intention here is merely to point out that CERT is a bureaucracy paid for and controlled by the federal government. In a December 13, 1988, CERT press release, it states CERT was started by the Defense Applied Research Projects Agency (DARPA), a part of the U.S. Department of Defense, in response to the Morris Worm incident. The press release contained this statement of purpose: "CERT will focus on the special needs of the research community and serve as a prototype for similar operations in other computer communities. The National Computer Security Center and the National Institute of Standards and Technology will have a leading role in coordinating the creation of these emergency response activities .…"

In other words, CERT is doing exactly what it was organized to do. Contrary to popular belief, CERT was not intended to be the central police force for the entire Internet community. Therefore, it's reasonable that they don't focus on notifying corporate security managers first. If e-mail was as slow as snail mail, and if businesses didn't operate on a 24/7 basis these days, the delays would not be a problem. However, if you rely solely on CERT for information on security issues, then do not expect to be the first to know about them.

Nevertheless, CERT alerts are an important tool, and the fact that CERT only has about 70,000 people on its mailing list for alerts indicates that far more security professionals need to subscribe. To get e-mail alerts and periodic CERT advisory summaries, go to the CERT sign-up Web page. CERT messages are all protected by a PGP signature, so you know you're not getting a false message when the alerts arrive.

John McCormick is a security consultant and technical writer (five books and 14,000-plus articles and columns) who has been working with computers for more than 35 years.

Have a comment?
If you'd like to share your opinion, please post a comment below or send the editor an e-mail.


Editor's Picks

Free Newsletters, In your Inbox