Should agencies have ‘unplug’ policies?

They must weigh the costs of disconnecting computers vs. potentially spreading attacks.

Good information security starts with prevention, but what if someone has already compromised your network and outsiders are attacking your computers?

The Commerce Department’s Bureau of Industry and Security has had to cope with that situation during the past few months. The Washington Post reported that unnamed Commerce officials said malicious hackers had launched a successful rootkit attack on many of the bureau’s workstations. The bureau disconnected its computers from the Internet to prevent the rootkit from spreading to other agencies, according to the Washington Post.

A bureau representative refused to confirm whether the bureau had pulled its Internet plug, but the incident raises questions about how agencies should react to such circumstances. External threats cannot affect systems that don’t connect to the Internet, but agencies should weigh the consequences of interrupting business operations, said Steve Bannerman, vice president of marketing and product management at Narus, a network security company. Bannerman said it is “a last resort to shut down a productive, active node to prevent it from being attacked.”

Other agencies have also had to pull the plug. Al Pesachowitz, former chief information officer at the Environmental Protection Agency, said he decided to cut off the agency’s Internet connection in 2000 as a pre-emptive measure while the agency set up new firewalls and improved basic network protections. A report had shown that the EPA’s network was unprotected. Pesachowitz said he pulled the plug to foil any outsider attacks.

“We were down for a few days, [so] the business interruption was relatively small,” he said. The EPA set up an internal committee to evaluate the network’s security and fix vulnerabilities so that it could reconnect the most important business entities as quickly as possible. “That took us several months before we were completely back to business as usual.”

Alan Paller, director of research at the SANS Institute, which focuses on network security, said cutting off Internet access is a viable security tactic in extreme situations. Paller said if agencies can’t determine how deeply attackers have penetrated, they must disconnect potentially infected systems to avoid causing damage to other agencies. That “happens often enough in the Defense Department when external unauthorized access is detected,” he said.

DOD has experienced collateral damage from pulling the plug. Marc Sachs, a computer scientist at SRI International and former senior operations analyst for DOD’s Joint Task Force for Computer Network Defense, said such damage occurred in 2001 when DOD was fighting an attack by the Code Red computer worm. Sachs said DOD officials decided to avoid spreading the worm by blocking access to TCP port 80, the standard port for HTTP traffic. But Sachs noticed alarming side effects.

“What we found was there was a huge dependency on .mil Web sites from people outside of the military that we didn’t know about,” he said. “We didn’t know about that until we started blocking Port 80 and the phones started ringing off the hook.”

Callers included veterans who could not access their medical accounts and panicked members of the Army Corps of Engineers who said people could no longer use its Web site to check Mississippi River flood levels, causing safety concerns. The corps’ worries forced DOD to reopen Port 80.

Sachs said agencies should create a policy for disconnecting from the Internet and rehearse procedures for implementing that policy. “You can plan incremental changes to make right up until you pull the plug from the router,” he said.
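The Port 80 episode comes down to two checks an agency can script before the decision to block is forced: which outside sources genuinely depend on a service, and which are only worm probes that can be dropped first. The following is an added example, not code from the article, from DOD or from Sachs. It runs over constructed connection records (invented hostnames, documentation-range addresses and a made-up log format, all assumptions) and separates probe-like sources from external dependents, then orders the incremental steps that precede a blanket block.

```python
"""Inventory who outside depends on a TCP/80 service before blocking the port.

Added example; it is not code from the original article and it assumes a
constructed connection-log format rather than any real agency's logs. Each
record is one inbound TCP/80 connection:
    timestamp  src_ip  dst_host  requests  bytes_out
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed sample (documentation-range addresses, invented hostnames).
# 203.0.113.5 behaves like a worm sweeping for servers: one request per host,
# nothing sent back. The 198.51.100.x and 192.0.2.9 sources are real users.
SAMPLE_LOG = """\
2001-07-19T10:00:01 203.0.113.5 flood-levels.example 1 0
2001-07-19T10:00:02 203.0.113.5 medical-records.example 1 0
2001-07-19T10:00:02 203.0.113.5 news.example 1 0
2001-07-19T10:00:03 203.0.113.5 intranet.example 1 0
2001-07-19T10:01:10 198.51.100.20 flood-levels.example 14 88213
2001-07-19T10:05:44 198.51.100.21 flood-levels.example 9 51000
2001-07-19T10:06:03 198.51.100.77 medical-records.example 22 160044
2001-07-19T10:07:15 192.0.2.9 news.example 3 12000
2001-07-19T10:08:00 10.20.30.40 intranet.example 40 500000
"""

# Traffic from these ranges is internal and is not an external dependency.
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"),
                 ip_network("192.168.0.0/16")]


def parse_log(text):
    """Turn the log into (src_ip, dst_host, requests, bytes_out) tuples."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        _ts, src, host, reqs, out = line.split()
        records.append((src, host, int(reqs), int(out)))
    return records


def is_internal(ip):
    return any(ip_address(ip) in net for net in INTERNAL_NETS)


def classify_sources(records, probe_hosts=3):
    """Separate probe-like scanners from genuine external dependents.

    A source counts as a scanner when it touched at least `probe_hosts`
    distinct hosts and every contact was a single request that returned no
    data, the footprint of a worm sweeping for vulnerable servers. Every
    other external source is a dependent of the hosts it used.
    Returns (scanners, dependents); dependents maps host -> set of src_ip.
    """
    per_src = defaultdict(list)
    for src, host, reqs, out in records:
        if not is_internal(src):
            per_src[src].append((host, reqs, out))

    scanners = set()
    dependents = defaultdict(set)
    for src, contacts in per_src.items():
        hosts = {h for h, _, _ in contacts}
        probe_only = all(r == 1 and o == 0 for _, r, o in contacts)
        if len(hosts) >= probe_hosts and probe_only:
            scanners.add(src)
        else:
            for host in hosts:
                dependents[host].add(src)
    return scanners, dict(dependents)


def staged_block_plan(records):
    """Incremental steps to take before a blanket block of inbound TCP/80."""
    scanners, dependents = classify_sources(records)
    actions = [f"drop inbound TCP/80 from scanner source {s}" for s in sorted(scanners)]
    for host in sorted(dependents):
        who = ", ".join(sorted(dependents[host]))
        actions.append(f"warn owners of {host}: external dependents {who}")
    actions.append("block inbound TCP/80 for all remaining sources")
    return [f"{i}. {a}" for i, a in enumerate(actions, 1)]


if __name__ == "__main__":
    for step in staged_block_plan(parse_log(SAMPLE_LOG)):
        print(step)
```

The heuristic is deliberately crude: a worm's sweep looks like single-shot probes across many hosts, while a veteran checking a record or a resident checking river levels is many requests to one host. The point is to have that inventory in hand, and the staged plan rehearsed, before the phones start ringing.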

Editor's note: This story was updated at 11:55 a.m. Nov. 13. Please go to Corrections & Clarifications to see what has changed.

Rootkit of all evil

Rootkits are software tools that hide unwanted processes, programs and data flows from detection.

Marc Sachs, a computer scientist at SRI International, said rootkits are dangerous because when they infect a computer, they tell unsuspecting users that nothing is wrong with the system.

“If you don’t know you’ve been rootkitted, then there’s very little you can do,” Sachs said. “If you’re infected at that level, then you have no idea what else the intruder has done already.”

The surest way to remove a rootkit is to wipe the computer and reinstall it, he said. But if the attack involves a low-level rootkit that installs itself beneath the operating system, for example in a virtualization layer or in firmware, the infection can reach the computer’s hardware and may survive a reformat of the disk.

Rootkits are particularly dangerous on interagency networks, where they can spread to secure, classified data, Sachs said. Pulling the plug on agency networks and Internet connectivity can prevent that from happening.
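Sachs’ warning that a rootkitted system reports nothing wrong is why detection relies on cross-view checks: ask the kernel the same question two different ways and look for disagreement. The following is an added example, not code from the article or from Sachs, for Linux. It compares the /proc listing that ps and top read against a kill(pid, 0) probe of every possible PID; a PID alive by probe but absent from the listing is hidden. It assumes Linux with a readable /proc, and all function names are my own.

```python
"""Cross-view check for process-hiding rootkits on Linux.

Added example; it is not code from the original article. A rootkit that hides
a process has to lie consistently to every way of asking the kernel, and it
often does not. Two views are compared:
  1. high-level: the /proc directory listing that ps and top read;
  2. low-level: kill(pid, 0) for every possible PID, which asks the kernel
     whether the PID exists without delivering a signal.
A PID alive by probe but missing from the listing is hidden.
Assumes Linux with a readable /proc; elsewhere the live views come back empty.
"""
import os
import sys


def listed_ids():
    """High-level view: PIDs from /proc plus thread IDs from /proc/<pid>/task.

    Thread IDs are included because kill(tid, 0) also succeeds for a thread
    that is not its group leader, which would otherwise look hidden.
    """
    ids = set()
    try:
        pids = [int(n) for n in os.listdir("/proc") if n.isdigit()]
    except OSError:
        return ids
    for pid in pids:
        ids.add(pid)
        try:
            ids.update(int(t) for t in os.listdir(f"/proc/{pid}/task") if t.isdigit())
        except OSError:
            pass  # process exited between the two listings
    return ids


def probed_ids(max_pid=None):
    """Low-level view: IDs the kernel says exist according to kill(id, 0)."""
    if not sys.platform.startswith("linux"):
        return set()  # on Windows os.kill() terminates; never probe there
    if max_pid is None:
        try:
            with open("/proc/sys/kernel/pid_max") as fh:
                max_pid = int(fh.read())
        except OSError:
            return set()
    alive = set()
    for pid in range(1, max_pid + 1):
        try:
            os.kill(pid, 0)
        except ProcessLookupError:
            continue          # no such PID
        except PermissionError:
            pass              # exists, owned by another user: still alive
        alive.add(pid)
    return alive


def hidden_ids(listed, probed):
    """Cross-view diff: IDs alive by probe but absent from the listing."""
    return sorted(probed - listed)


def confirmed_hidden(passes=2):
    """Repeat the diff and keep only IDs hidden in every pass, which filters
    out processes that merely started or exited between the two views."""
    result = None
    for _ in range(passes):
        found = set(hidden_ids(listed_ids(), probed_ids()))
        result = found if result is None else result & found
    return sorted(result or ())


if __name__ == "__main__":
    hidden = confirmed_hidden()
    print("hidden PIDs:", hidden if hidden else "none")
```

This catches user-space rootkits (an LD_PRELOAD hook on readdir, say) and kernel rootkits that filter only the /proc view. A kernel rootkit that also hooks the kill path lies consistently to both views, which is why the advice above to wipe and reinstall, and to examine the disk from a trusted boot rather than from the suspect system, still stands. Probing the full pid_max range costs a few seconds per pass in Python; the two-pass intersection exists so that a process that simply exited between views is not reported as hidden.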