Guarding against cyberterrorism
By Heather Harreld and Brian Fonseca
October 17, 2001 12:01 pm PT
With the country fully engaged in a war against terrorism, enterprise security managers nationwide are on heightened alert,
scrambling to ramp up security to guard against attacks on critical electronic infrastructure.
While terrorism experts are predicting that IT systems at American corporations will be among the most likely targets for another
round of attacks, companies are scurrying to patch known vulnerabilities, increase perimeter security, and amend security policies.
This heightened state of alert is not likely to diminish, with security experts warning that future threats will force enterprises to
take new steps to thwart cyberattacks.
Security vendors are revamping many offerings to meet the evolving needs of companies maneuvering to lock down their mission-critical
systems against any number of computer threats that may arise overseas or within the United States in the days to come. In many ways,
those charged today with safeguarding corporate IT assets have been vindicated after waging long, internal battles with top executives
who have long dismissed IT security as an afterthought.
Now that terrorists have successfully exploited one weakness in the fabric of American life -- air travel -- they quickly will escalate
their efforts, says William Tafoya, a former FBI agent and dean and director of the Information System Security and Education Center
(ISSEC) at The National Intellectual Property Law Institute in Washington.
"Criminals start by robbing a gas station and move on to an armored car," Tafoya says. "The
vulnerabilities to the systems ... have been known and acknowledged for a long time. If one is a
terrorist and wants to attack 'the great Satan' then you attack where they're weakest."
John Powers, former executive director and commissioner of former President Bill Clinton's
Commission on Critical Infrastructure Protection, agrees, saying cyberintrusions aimed at U.S.
businesses are a likely scenario for future terrorist attacks.
"One of the things that terrorists can do with absolute impunity is cyberintrusions," Powers says. "All
of our good-sized businesses need to be concerned about this. If I were a terrorist, I would want to
follow on with some additional hits. It would add again to the loss of confidence in this country's institutions and processes."

Craig Mundie, Microsoft's CTO of advanced strategies and policies, called 2001 the first year of "cyberwars."
A call to action
For many companies the entire paradigm of information security changed on Sept. 11. David
Andersen, a former top military planner for the U.S. operation in Bosnia, is now modeling his
business continuity planning on his former military work. Andersen, now CTO of Digital Direct
Services, a unified messaging center in Los Angeles, is breaking IT security out as a separate
initiative under the company's continuity efforts. He plans to move responsibility for all security
operations to a single employee (see "C-level security," page 48).
"Up until [Sept. 11] the biggest physical threat that I was planning for were earthquakes," Andersen says. "Now I have re-evaluated.
What happens if the building is no longer standing? How can I duplicate and create redundancies in another location which will allow
me to transfer not only my IT functions but my human resources, my employee records, my employees?"
Before the attacks, the company was finalizing plans to expand into adjoining office space; now officials are looking for additional real
estate off-site, he says. In addition, Andersen is investigating the option of having a third party host his Web servers to ensure that
software security updates are performed consistently. He also plans to move intrusion-detection functionality outside the perimeter of
his firewall and increase the frequency of the scans.
Merrill Lynch is continuing to hone its efforts on the "human factor" of information security since the attacks, says Stephen Katz,
chief information security and privacy officer. All employees will be required to watch a new video presentation on the precautions
they need to take against "social engineering," a common tactic in which attackers talk company personnel into disclosing the
information needed to break into systems.
"Information security is a business risk-management issue, and implementation is the responsibility of every person at a company,"
Katz says. "As you automate ... you want to make sure that the people who perform the functions pay as much attention to the
security concerns in the cyberworld as they do in the physical world. If someone asks you to use your driver's license, you certainly
wouldn't give it to them. You must have the same degree of responsibility for protecting your password."
Despite the slumping economy, companies are sharpening their focus on information security projects that might otherwise have been
bypassed as they struggle to eliminate any investment that does not visibly bolster the bottom line. Ted Julian, chief strategist and
cofounder of Arbor Networks, a Waltham, Mass.-based security company, says a sense of paranoia, of not wanting to "get caught with
their pants down," is driving corporations to alter plans and cast budget considerations aside while time still exists to make necessary
changes.
"We've definitely seen an uptick in inbound calls, about 20 [percent] to 30 percent magnitude in the last couple of weeks. We've seen
examples of prospects shortening cycles, bringing in an evaluation that they weren't going to get to until next quarter," Julian says.
"It's more people reeling in time frames -- waiting until Q1 and Q2 won't cut it, given recent events."
As one of the simpler forms of computer assaults to orchestrate, DDoS (distributed denial of service) attacks remain a major concern,
he says. Fears of either becoming a victim of the traffic-clogging attack or being used as a "zombie" to help launch the DDoS have
users looking over their shoulder.
"I don't think there is any question that DoS has become a top concern because from a terrorism perspective, it is one of the best
approaches to launch an attack," Julian says.
Evaluating vulnerability
Although the terrorist attacks may have forced enterprises to focus on measures that have been the cornerstone for IT security
efforts for years, such as changing passwords and scanning for intrusions, companies will have to radically change some security
evaluations as a result of the attacks. Charles Wood, an independent information security consultant at InfoSecurity Infrastructure in
Sausalito, Calif., says companies need to create new models for risk analysis. Traditionally, enterprises have looked at systems
containing sensitive information and created scenarios weighing the amount of work it would take for a "rational perpetrator" to
benefit from breaking into a system. If the work outweighed the benefit to an intruder, a company could move forward without
adding additional security measures, Wood says. Now that scenario cannot be applied; companies have to model potential attacks by
"irrational perpetrators."
"All those bets are off in the new game of terrorism," he says. "They're willing to work years at this. They're willing to die for this."
In addition, companies cannot sever their relationship with the vendors that design or install their systems after they have been
deployed, the ISSEC's Tafoya says. Instead, companies need to work more closely with vendors whose employees have intimate
knowledge of any access points to those systems, he says.
"The people who have the kind of access to a client system that is beyond the average employee, these are the people that need to
be tracked," Tafoya says. "The minute they leave the company I [as a customer] want to know. A disgruntled employee ... if he or
she has access to a customer's system, then they can sure make life uncomfortable. The customer needs to be told that this person
has left the company who worked on your system and his [or her] access has been eliminated."
Protecting American information is so crucial in the new era since the attacks, Tafoya says, that Congress needs to require that all
systems considered to be mission-critical be audited periodically to ensure they are properly secured.
"The national information infrastructure demands that we take precautions ... just as we require drivers to have driver's licenses and
insurance. Driver's licenses and insurance do not guarantee that a person is always going to drive properly. They provide a minimum
level of confidence to the public that this person just did not get behind the wheel and go," Tafoya added.
Companies first need to focus on business goals and then on how those can be disrupted, Powers says. He urges companies to adopt
a method called "fault-tree analysis" developed by the nuclear power plant industry.
"This method forces a CEO to systematically look at all of the bad things that might happen and make judgments concerning the
prevention, mitigation, or response actions that might make sense," Powers says.
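The fault-tree method Powers describes can be made concrete in a few dozen lines. The following evaluator is an added example and is not part of the original article or of the commission's work: it decomposes one top event, "customer-facing service down", through AND/OR gates into basic events taken from the scenarios in this article (primary site destroyed with no off-site replica, a DDoS saturating the link, a known vulnerability left unpatched, exploited, and not detected), computes the top-event probability assuming the basic events are independent, lists the minimal cut sets (the smallest combinations of failures that bring the service down), and ranks which single control would reduce the top-event probability most. All event names and probabilities are constructed assumptions for illustration, not measured values.

```python
from dataclasses import dataclass
from itertools import product
from typing import Dict, FrozenSet, List, Tuple, Union


@dataclass(frozen=True)
class BasicEvent:
    """Leaf of the tree: one thing that can go wrong, with an assumed probability."""
    name: str
    p: float


@dataclass(frozen=True)
class Gate:
    """AND: every input must occur; OR: any one input suffices."""
    kind: str
    inputs: Tuple["Node", ...]


Node = Union[BasicEvent, Gate]


def probability(node: Node, overrides: Dict[str, float] = None) -> float:
    """Probability that the event at `node` occurs, treating basic events as
    independent. `overrides` answers 'what if this event could not happen' (p = 0)."""
    if isinstance(node, BasicEvent):
        return overrides.get(node.name, node.p) if overrides else node.p
    ps = [probability(i, overrides) for i in node.inputs]
    if node.kind == "AND":
        out = 1.0
        for p in ps:
            out *= p
        return out
    if node.kind == "OR":
        none_occur = 1.0
        for p in ps:
            none_occur *= 1.0 - p
        return 1.0 - none_occur
    raise ValueError(f"unknown gate kind {node.kind!r}")


def cut_sets(node: Node) -> List[FrozenSet[str]]:
    """Minimal cut sets: the smallest combinations of basic events whose joint
    occurrence causes the top event. Each one is a distinct failure or attack path."""
    if isinstance(node, BasicEvent):
        return [frozenset([node.name])]
    child_sets = [cut_sets(i) for i in node.inputs]
    if node.kind == "OR":
        sets = [s for cs in child_sets for s in cs]
    else:  # AND: take one cut set from every input and merge them
        sets = [frozenset().union(*combo) for combo in product(*child_sets)]
    minimal = {s for s in sets if not any(other < s for other in sets)}
    return sorted(minimal, key=lambda s: (len(s), sorted(s)))


def basic_events(node: Node) -> List[BasicEvent]:
    """All distinct leaves under `node`."""
    if isinstance(node, BasicEvent):
        return [node]
    seen = {}
    for i in node.inputs:
        for e in basic_events(i):
            seen.setdefault(e.name, e)
    return list(seen.values())


def mitigation_ranking(top: Node) -> List[Tuple[str, float]]:
    """For each basic event, how much P(top) drops if a control made that event
    impossible. The best single control comes first."""
    base = probability(top)
    ranked = [(e.name, base - probability(top, {e.name: 0.0})) for e in basic_events(top)]
    return sorted(ranked, key=lambda r: -r[1])


# Constructed example: names and probabilities are illustrative assumptions.
SITE_LOST = BasicEvent("primary_site_destroyed", 0.001)
NO_OFFSITE = BasicEvent("no_offsite_replica", 0.5)
DDOS = BasicEvent("ddos_saturates_link", 0.05)
UNPATCHED = BasicEvent("known_vuln_unpatched", 0.2)
EXPLOITED = BasicEvent("vuln_exploited", 0.3)
IDS_MISS = BasicEvent("intrusion_not_detected", 0.4)

# Top event: the customer-facing service is down.
TOP = Gate("OR", (
    Gate("AND", (SITE_LOST, NO_OFFSITE)),           # building gone, nothing to fail over to
    DDOS,                                           # link saturated, no compromise needed
    Gate("AND", (UNPATCHED, EXPLOITED, IDS_MISS)),  # known hole, used, and nobody noticed
))

if __name__ == "__main__":
    print(f"P(service down) = {probability(TOP):.4f}")
    for cs in cut_sets(TOP):
        print("cut set:", sorted(cs))
    for name, gain in mitigation_ranking(TOP):
        print(f"eliminate {name:<28} -> reduces P by {gain:.4f}")
```

With these assumed numbers the single-event cut set (the DDoS) dominates, which is the point Julian makes above: the cheapest attack to mount is the one that needs no compromise at all. The ranking also shows why the off-site replica Andersen is shopping for buys little on paper here: it only helps against an event that is already rare, whereas patching, or detecting the intrusion, each break the three-event path on their own. The independence assumption is the usual caveat; a deliberate attacker who first launches the DDoS to mask the intrusion violates it, and the numbers then understate the risk.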
In addition, security mechanisms must be ingrained in application development, Merrill Lynch's Katz says. During development, he
says, companies must answer several fundamental questions: whether the confidentiality of the data can be assured, whether a sender
can obtain a receipt from the recipient for a transaction, and whether the accuracy of the information can be assured.
"It is up to each person to make sure that they get satisfactory answers to these questions and, if they can't, it is up to each person
to raise their hand and say, 'Something is missing,' " he says.
Companies must become more vigilant in their efforts to apply patches to plug software and hardware vulnerabilities, Katz says.
"The technology vendors are doing a reasonably good job at letting you know when a problem or a new vulnerability has been
discovered," he says. "They issue the equivalent of a factory recall. Not taking action when you get a notice from a technology vendor
is virtually the same as not taking your car in after you receive a recall notice."
Defending against cyberattacks
Just as the physical terrorist attacks have evolved to sophisticated attacks via commercial airliner, so too will cyberattacks morph to
more complicated assaults, says Rob Clyde, CTO of Cupertino, Calif.-based Symantec. The vast array of information on the Web
allows malicious code creators to build much more "blended" assaults that are more difficult to identify and defend against than ever
before, Clyde says.
"This blended threat is going to be the wave of the future," he says. "You're not going to be easily able to diagnose the attack and
stop it. One of the things we're seeing is customers [asking] for a comprehensive response" to thwart attacks, he noted.
Clyde says this type of response covers all three tiers of a network: the gateways, the servers, and client and end-user systems. He
suggests that customers should adopt automated metrics to test against best practices. He also suggests routine checks of security
products and solutions on systems at least weekly, if not daily.
Just as enterprise users are adapting to the new IT security environment following the attacks, vendors, too, are tweaking their
offerings to meet market demand. Data Return, a Dallas-based managed security services company, plans to build increased
automation into its security product to free up staff to trace more detailed and difficult attacks, says Bill Lowry, director of product
marketing at Data Return.
In addition, Data Return is among a group of hosting providers that will have to give customers some information about their
recovery services to satisfy demands for assurance. The hoster also will build sites where customers can receive information and test
their security posture. The plan calls for a public-facing site that accepts an IP address and performs a rudimentary scan of the
equipment behind it, and a stricter, password-protected site for remote vulnerability testing of specific services. The release of the
"self-testing" Web sites has been moved up.
"We'll be delivering this in the next one to two months," Lowry says. "We had been working on it before the [terrorist attack] disaster
but we moved it up the queue."
As they continue to keep their watches on heightened alert, many IT security professionals find themselves at the top of executive
management's agenda after years of struggling to get security issues on the radar. The stakes are higher now, Digital Direct's
Andersen says.
"The ROI on an investment for this may well be being able to survive and not having a hack attack that causes the company to go out
of business," Andersen says.
Security checklist
Guarding against cyberterrorism means following basic security guidelines.
Protect what you consider most critical to business operations, assets, and continuity.
Have intrusion detection so you'll know when intruders get around your defenses.
Have a response team and a response plan.
Tighten rules for inbound traffic.
If you don't do business with addresses in certain countries or regions, consider denying
those IP blocks at your gateways.
Ports are just as important in your defensive strategy as IP addresses.
Establish a good security and disaster-recovery posture for your networks.
Consider special insurance designed to cover Internet- and network-related damage or loss.
Notify all users on your networks not to open suspicious e-mail attachments.
Force anti-virus updates throughout the network and direct all users, particularly those with
laptops, to power up and update their anti-virus before conducting any business on the
computer.
SOURCE: INTERNET SECURITY SYSTEMS
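Three of the checklist items above (tighten inbound rules, deny IP blocks you have no business with, treat ports as seriously as addresses) can be expressed as one policy object that is both evaluated against a connection log and rendered as gateway rules. The following is an added example, not code from the article or from Internet Security Systems. The log format, the sample connection attempts, and the choice of 203.0.113.0/24 as the "blocked region" are all constructed; the addresses come from the RFC 5737 documentation ranges so they cannot collide with anything real. The iptables syntax is standard, but the rules are printed rather than applied.

```python
import ipaddress
import re
from collections import Counter
from dataclasses import dataclass
from typing import List, Set, Tuple


@dataclass
class InboundPolicy:
    """Gateway policy for traffic arriving from the Internet."""
    denied_blocks: List[ipaddress.IPv4Network]   # regions we do no business with
    open_services: Set[Tuple[str, int]]          # (proto, port) pairs exposed to everyone

    def evaluate(self, src: str, proto: str, dport: int) -> str:
        """Decide one inbound connection attempt. Source block is checked first,
        then the port: a closed port stays closed even to a source we have not blocked."""
        ip = ipaddress.ip_address(src)
        if any(ip in block for block in self.denied_blocks):
            return "deny:blocked-source"
        if (proto, dport) not in self.open_services:
            return "deny:port-closed"
        return "allow"

    def iptables_rules(self) -> List[str]:
        """Render the same policy as an iptables INPUT chain: default drop, keep
        established flows, drop the denied blocks, then open only the listed ports."""
        rules = [
            "iptables -P INPUT DROP",
            "iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT",
        ]
        rules += [f"iptables -A INPUT -s {block} -j DROP" for block in self.denied_blocks]
        rules += [
            f"iptables -A INPUT -p {proto} --dport {port} -m conntrack --ctstate NEW -j ACCEPT"
            for proto, port in sorted(self.open_services)
        ]
        return rules


# Assumed log format (constructed for this example): one connection attempt per line.
LOG_RE = re.compile(r"src=(?P<src>\S+) dst_port=(?P<port>\d+) proto=(?P<proto>\w+)")


def parse_log(text: str) -> List[Tuple[str, str, int]]:
    """Extract (src, proto, dport) from each parseable line; skip the rest."""
    conns = []
    for line in text.splitlines():
        m = LOG_RE.search(line)
        if m:
            conns.append((m["src"], m["proto"], int(m["port"])))
    return conns


def audit(policy: InboundPolicy, text: str) -> Counter:
    """Count how the policy would have handled each logged attempt."""
    return Counter(policy.evaluate(src, proto, port) for src, proto, port in parse_log(text))


# Constructed sample log; all addresses are from the RFC 5737 documentation ranges.
SAMPLE_LOG = """\
2001-10-15T03:12:44Z src=203.0.113.7 dst_port=80 proto=tcp
2001-10-15T03:12:45Z src=198.51.100.23 dst_port=443 proto=tcp
2001-10-15T03:13:01Z src=192.0.2.10 dst_port=443 proto=tcp
2001-10-15T03:13:09Z src=192.0.2.10 dst_port=1433 proto=tcp
2001-10-15T03:14:20Z src=192.0.2.77 dst_port=53 proto=udp
"""

POLICY = InboundPolicy(
    denied_blocks=[ipaddress.ip_network("203.0.113.0/24")],  # stand-in for a blocked region
    open_services={("tcp", 25), ("tcp", 80), ("tcp", 443)},  # mail and web only
)

if __name__ == "__main__":
    for rule in POLICY.iptables_rules():
        print(rule)
    print(dict(audit(POLICY, SAMPLE_LOG)))
```

Run against the sample, the policy denies the first attempt on source alone even though port 80 is open, and denies the database and DNS probes on port alone even though their sources are not blocked; that is the checklist's point that ports matter as much as addresses. Two caveats a practitioner would add: a default-drop INPUT chain must still permit whatever the host needs to function (loopback, the administrator's own access), so test it from a console before relying on it remotely; and blocking address ranges by region only filters unsophisticated traffic, since an attacker can relay through a compromised host in an allowed range, so the port rules and the intrusion detection from the same checklist have to carry the load.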