Guarding against cyberterrorism
By Heather Harreld and Brian Fonseca
October 17, 2001 12:01 pm PT
WITH THE COUNTRY FULLY engaged in a war against terrorism, enterprise security managers nationwide are on heightened alert, scrambling to ramp up security to guard against attacks on critical electronic infrastructure.
While terrorism experts are predicting that IT systems at American corporations will be among the most likely targets for an another round of attacks, companies are scurrying to patch known vulnerabilities, increase perimeter security, and amend security policies. This heightened state of alert is not likely to diminish, with security experts warning that future threats will force enterprises to take new steps to thwart cyberattacks.
Security vendors are revamping many offerings to meet the evolving needs of companies maneuvering to lock down their mission-critical systems against any number of computer threats that may arise overseas or within the United States in the days to come. In many ways, those charged today with safeguarding corporate IT assets have been vindicated after waging long, internal battles with top executives who have long dismissed IT security as an afterthought.
Now that terrorists have successfully exploited one weakness in the fabric of American life -- air travel -- they quickly will escalate their efforts, says William Tafoya, a former FBI agent and dean and director of the Information System Security and Education Center (ISSEC) at the The National Intellectual Property Law Institute in Washington.
"Criminals start by robbing a gas station and move on to an armored car," Tafoya says. "The vulnerabilities to the systems ... have been known and acknowledged for a long time. If one is a terrorist and wants to attack 'the great Satan' then you attack where they're weakest."
John Powers, former executive director and commissioner of former President Bill Clinton's Commission on Critical Infrastructure Protection, agrees, saying cyberintrusions aimed at U.S. businesses are a likely scenario for future terrorist attacks.
"One of the things that terrorists can do with absolute impunity is cyberintrusions," Powers says. "All of our good-sized businesses need to be concerned about this. If I were a terrorist, I would want to follow on with some additional hits. It would add again to the loss of confidence in this country's institutions and processes." Craig Mundie, Microsoft's CTO of advanced strategies and policies, called 2001 the first year of "cyberwars."
A call to action
For many companies the entire paradigm of information security changed on Sept. 11. David Andersen, a former top military planner for the U.S. operation in Bosnia, is now modeling his business continuity planning on his former military work. Andersen, now CTO of Digital Direct Services, a unified messaging center in Los Angeles, is breaking IT security out as a separate initiative under the company's continuity efforts. He plans to move responsibility for all security operations to a single employee (see "C-level security," page 48).
"Up until [Sept. 11] the biggest physical threat that I was planning for were earthquakes," Andersen says. "Now I have re-evaluated. What happens if the building is no longer standing? How can I duplicate and create redundancies in another location which will allow me to transfer not only my IT functions but my human resources, my employee records, my employees?"
Before the attacks, the company was finalizing plans to expand into adjoining office space; now officials are looking for additional real estate off-site, he says. In addition, Andersen is investigating the option of having a third party host his Web servers to ensure that software security updates are performed consistently. He also plans to move intrusion-detection functionality outside the perimeter of his firewall and increase the frequency of the scans.
Merrill Lynch is continuing to hone its efforts on tackling the "human factor" of information security since the attacks, says Stephen Katz, chief information security and privacy officer. All employees will be required to watch a new video presentation highlighting the precautions they need to take against "social engineering," a common tactic used by hackers to gain information from company personnel needed to break into systems.
"Information security is a business risk-management issue, and implementation is the responsibility of every person at a company," Katz says. "As you automate ... you want to make sure that the people who perform the functions pay as much attention to the security concerns in the cyberworld as they are in the physical world. If someone asks you to use your driver's license, you certainly wouldn't give it to them. You must have the same degree of responsibility for protecting your password."
Despite the slumping economy, companies are sharpening their focus on information security projects that may have been bypassed as companies struggle to eliminate any investments that do not visibly bolster the bottom line. Ted Julian, chief strategist and co-founder of Arbor Networks, a Waltham, Mass.-based security company, says a sense of paranoia, of not wanting to "get caught with their pants down," is driving corporations to alter plans and cast budget considerations aside while time still exists to make necessary changes.
"We've definitely seen an uptick in inbound calls, about 20 [percent] to 30 percent magnitude in the last couple of weeks. We've seen examples of prospects shortening cycles, bringing in an evaluation that they weren't going to get to until next quarter," Julian says. "It's more people reeling in time frames -- waiting until Q1 and Q2 won't cut it, given recent events."
As one of the simpler forms of computer assaults to orchestrate, DDoS (distributed denial of service) attacks remain a major concern, he says. Fears of either becoming a victim of the traffic-clogging attack or being used as a "zombie" to help launch the DDoS have users looking over their shoulder.
"I don't think there is any question that DoS has become a top concern because from a terrorism perspective, it is one of the best approaches to launch an attack," Julian says.
Although the terrorist attacks may have forced enterprises to focus on measures that have been the cornerstone for IT security efforts for years, such as changing passwords and scanning for intrusions, companies will have to radically change some security evaluations as a result of the attacks. Charles Wood, an independent information security consultant at InfoSecurity Infrastructure in Sausalito, Calif., says companies need to create new models for risk analysis. Traditionally, enterprises have looked at systems containing sensitive information and created scenarios weighing the amount of work it would take for a "rational perpetrator" to benefit from breaking into a system. If the work outweighed the benefit to an intruder, a company could move forward without adding additional security measures, Wood says. Now that scenario cannot be applied; companies have to model potential attacks by "irrational perpetrators."
"All those bets are off in the new game of terrorism," he says. "They're willing to work years at this. They're willing to die for this."
In addition, companies cannot sever their relationship with the vendors that design or install their systems after they have been deployed, the ISSEC's Tafoya says. Instead, companies need to work more closely with vendors whose employees have intimate knowledge of any access points to those systems, he says.
"The people who have the kind of access to a client system that is beyond the average employee, these are the people that need to be tracked," Tafoya says. "The minute they leave the company I [as a customer] want to know. A disgruntled employee ... if he or she has access to a customer's system, then they can sure make life uncomfortable. The customer needs to be told that this person has left the company who worked on your system and his [or her] access has been eliminated."
Protecting American information is so crucial in the new era since the attacks, Tafoya says, that Congress needs to require that all systems considered to be mission-critical be audited periodically to ensure they are properly secured.
"The national information infrastructure demands that we take precautions ... just as we require drivers to have driver's licenses and insurance. Driver's licenses and insurance do not guarantee that a person is always going to drive properly. They provide a minimum level of confidence to the public that this person just did not get behind the wheel and go," Tafoya added.
Companies first need to focus on business goals and then on how those can be disrupted, Powers says. He urges companies to adopt a method called "fault-tree analysis" developed by the nuclear power plant industry.
"This method forces a CEO to systematically look at all of the bad things that might happen and make judgments concerning the prevention, mitigation, or response actions that might make sense," Powers says.
In addition, security mechanisms must be ingrained in application development, Merrill Lynch's Katz says. During development, he says, companies must address several fundamental questions including if the confidentiality of the data can be assured, if a sender can receive a receipt from a recipient for a transaction, and if the accuracy of the information can be assured.
"It is up to each person to make sure that they get satisfactory answers to these questions and, if they can't, it is up to each person to raise their hand and say, 'Something is missing,' " he says.
Companies must become more vigilant in their efforts to apply patches to plug software and hardware vulnerabilities, Katz says.
"The technology vendors are doing a reasonably good job at letting you know when a problem or a new vulnerability has been discovered," he says. "They issue the equivalent of a factory recall. Not taking action when you get a notice from a technology vendor is virtually the same as not taking your car in after you receive a recall notice."
Defending against cyberattacks
Just as the physical terrorist attacks have evolved to sophisticated attacks via commercial airliner, so too will cyberattacks morph to more complicated assaults, says Rob Clyde, CTO of Cupertino, Calif.-based Symantec. The vast array of information on the Web allows malicious code creators to build much more "blended" assaults that are more difficult to identify and defend against than ever before, Clyde says.
"This blended threat is going to be the wave of the future," he says. "You're not going to be easily able to diagnose the attack and stop it. One of the things we're seeing is customers [asking] for a comprehensive response" to thwart attacks, he noted.
Clyde says this type of response covers all three tiers of a network: the gateways, the servers, and client and end-user systems. He suggests that customers should adopt automated metrics to test against best practices. He also suggests routine checks of security products and solutions on systems at least weekly, if not daily.
Just as enterprise users are adapting to the new IT security environment following the attacks, vendors, too, are tweaking their offerings to meet market demand. Data Return, a Dallas-based managed security services company, plans to build increased automation into its security product to free up staff to trace more detailed and difficult attacks, says Bill Lowry, director of product marketing at Data Return.
In addition, Data Return will be part of a contingent of hosting providers that will be forced to provide some type of information regarding its recovery service to satisfy customer assurance. The hoster also will design sites where customers can receive information and test their security posture. This plan calls for a public-facing site that would accept an IP address and perform a rudimentary scan of equipment, as well as a stricter password-only site to conduct remote vulnerability testing for specific services.
The time frame for the release of the "self-testing" Web sites has been sped up.
"We'll be delivering this in the next one to two months," Lowry says. "We had been working on it before the [terrorist attack] disaster but we moved it up the queue."
As they continue to keep their watches on heightened alert, many IT security professionals find themselves at the top of executive management's agenda after years of struggling to get security issues on the radar. The stakes are higher now, Digital Direct's Andersen says.
"The ROI on an investment for this may well be being able to survive and not having a hack attack that causes the company to go out of business," Andersen says.