[ISN] Companies Confront Rising Network Threats

From: InfoSec News (isnat_private)
Date: Wed Jul 04 2001 - 23:19:29 PDT


    Forwarded by: C. L. Staten <sysopat_private>
    By Eva Marer
    July 2, 2001

    Every morning, Gregor Bailar, executive vice president of operations
    and technology and CIO of NASDAQ, pores over the previous day's
    security report. "We have hundreds of different types of hacking and
    other security attempts in any given week," he says.

    At the moment, Bailar's not so much worried about a breach of NASDAQ's
    trading system -- a private network of computers secured behind a tank
    embankment wall -- but about the potential damage in dollars and
    investor confidence should one of the exchange's public Web sites go

    Like many senior technologists, Bailar makes decisions about risk
    management every day. Unlike most CIOs, however, he's got the backing
    to make his decisions stick. Those resources include two dedicated
    security teams, a direct pipeline to national security personnel,
    armed security guards, and a total budget of $450 million.

    Yet even one of the most highly developed security machines in the
    world is vulnerable. "As more and more of the nation relies on
    computer systems and communication networks, dependencies have crept
    into our infrastructure," says Fred Schneider, a professor of computer
    science at Cornell University and co-author of "Trust in Cyberspace,"
    a 1998 study commissioned by the National Research Council and the
    Computer Science Technology Board. "The CIO is moving in a direction
    where he doesn't have control over a piece of the picture and that
    piece is getting bigger and bigger."

    Network failures, and the impact of those failures, will likely get
    worse. In the meantime, he says, most companies aren't doing nearly
    enough to protect their networks from increasingly potent and global

    The Rising Threat

    Public attention on cyber-security has focused on high-profile
    sabotage such as the denial-of-service attacks that shut down the
    likes of CNN, eBay, and Amazon in February 2000. Yet such attacks are
    far more common than most people realize. Researchers at the
    University of California at San Diego found that online vandals stage
    denial-of-service attacks 4,000 times every week, often targeting
    individual users and small businesses. "And that's a conservative
    estimate," says Stefan Savage, a UCSD professor and co-author of the

    Denial-of-service attacks are only a small piece of the puzzle. Other
    forms of online mayhem include intrusion, defacing property, spreading
    viruses, stealing or changing data, or totally shutting down network
    capability. In the worst-case scenario, says Savage, it would be
    feasible to take down a power grid, alter a medical database, or knock
    out a couple of the high-level name servers that everyone on the
    Internet relies on. Telephone companies, electric utilities, banks,
    emergency services, and other essential infrastructure components have
    all publicly acknowledged that their systems may be at risk.

    Denial is rampant among corporations, many of which fear negative
    publicity should a security flaw be exposed. "A lot of this stuff is
    not widely reported," says Schneider. "The most attractive targets for
    hackers are financial and military institutions, and neither has any
    incentive to publicly report when a site has been compromised."
    Without access to such information, he says, CIOs may find it
    difficult to build realistic risk models.

    Who are these cyber-criminals? They range from greedy employees and
    contractors to individual hackers to well-funded organized groups
    engaged in what some might call cyberwarfare, says Savage. In the wake
    of recent high-tech layoffs looms a new threat: disgruntled employees
    who break into the system to steal data, harass colleagues, or
    otherwise embarrass their former employers.

    The Government Responds

    So far, the aim of these groups has been primarily mischief, but that
    may be changing. At least 20 countries are developing offensive and
    defensive cyberwar capabilities, says Clark Staten, executive director
    of the Emergency Response and Research Institute in Chicago. "China
    has pledged to create a fourth division of its military dedicated
    solely to cyberwarfare and is already developing a battalion of US
    hackers," Staten claims. Indeed, Bailar reports that about half of
    NASDAQ's attempted break-ins come from overseas, mostly China. Those
    threats could be part of an ongoing cyberskirmish between Chinese and
    U.S. hackers, who have been defacing each other's government and
    corporate sites following the U.S. spy-plane incident in March.

    The government is well aware of the problem. According to Staten, a
    confidential 1997 report issued by a presidential commission on IT
    infrastructure protection acknowledged major vulnerabilities in
    today's networked infrastructure. Air Force Gen. Robert Marsh, who
    chaired the commission, stressed that the lack of information-sharing
    between the public and private sectors was a major obstacle to
    security. Due to the cascading effects of an infrastructure blockage,
    says Staten, many businesses -- not just the intended targets -- could
    be at risk in the event of such an attack.

    In February 1998, President Clinton created the National
    Infrastructure Protection Center (NIPC) to function as an
    early-warning system and liaison between corporations and the
    government. Nevertheless, industry and government remain at odds.
    Companies hesitate to report intrusions to the FBI for fear that
    proprietary information will be made public. In addition, industry and
    government continue to battle over issues ranging from regulation of
    computer products to the use of encryption. (As a possible sign of
    their disconnection from the public, officials at NIPC, a division of
    the FBI, failed to respond to repeated requests to be interviewed for
    this article.)

    Assessing Risk

    In the end, it may be economic pressures, not government intervention,
    that will force companies to shore up security. Already some insurance
    companies are charging differential rates based on security measures
    in place. And, as Bailar points out, potential bottom-line risk is a
    great motivator for senior managers.

    Studies on information security risk conducted by the U.S. General
    Accounting Office show that senior management sponsorship is a
    critical element of success in building a company-wide security
    strategy. As a result, the CIO's first job may be to convince senior
    management that such a strategy is needed at all.

    "You have to take the time to gather the data to educate the board and
    the CEO on the business risks involved," says Bailar. "If the risks
    aren't that big of a deal from a business perspective, you should know
    that, too." Bailar says CIOs should be able to show, among other
    risks, "how many hacks you're getting, what they could do to your
    business, the appropriate time frame for getting back on line, and the
    risk to your customer base."

    Bailar has identified two separate sets of risks for NASDAQ: one for
    its public Web sites, and one for its private trading network, which
    is not connected, even by a firewall, to the Web. "We're not so
    worried about a hack into the trading environment," he says, noting
    that a hacker would have to be sitting at the desk of a trader to even
    access an account. "The risks to the trading network are more along
    the lines of physical breakages or someone planting a bomb."

    Each morning, Bailar receives security alerts from federal agencies
    and independent monitoring groups like CERT, as well as daily updates
    from his internal security teams. "For the Internet, we do raise our
    alerts when something is going on internationally, for example in
    Bosnia or Brazil, that could affect the Internet. In terms of physical
    security for the trading network, we're more concerned about terrorism
    that would happen on U.S. soil."

    Of course, not all companies face such dramatic threats. The nature of
    threat is highly contextual, based on the way a company does business,
    what type of information it deals with, and where it is located, says
    Christopher Alberts, a team leader with OCTAVE, a new program being
    developed by the CERT Coordination Center (www.cert.org) at Carnegie
    Mellon University.

    The program, which will be made available at the end of August,
    stresses a broad, self-directed approach to evaluating information
    security risks, which could range from an employee accidentally
    deleting an important file to generic threats such as viruses and
    malicious code. OCTAVE will provide worksheets and templates to help
    managers identify critical information assets and key risks, from
    insider manipulation and outsider hacks to environmental
    vulnerabilities such as floods, earthquakes, or tornadoes.

    One obstacle to accurate risk assessment, Schneider says, is that
    vulnerabilities are typically invisible. "Let's say you're paranoid of
    losing phone connectivity with a branch office, so you contract with
    both AT&T and MCI to get what you think is redundant service. Yet the
    way the telephone paths are structured, both companies may be running
    circuits in the same piece of fiber owned by Sprint. You cannot say
    with certainty that you have contracted for two independent
    connections, and the phone companies are under no obligation to make
    that information available. In the same way, you don't know when you
    buy phone service whether that phone is dependent on the power grid."

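
As an added illustration (not part of the article or of any product it mentions), the hidden-dependency problem Schneider describes can be made visible by modelling what each service actually relies on and asking which single component failures take it down. The topology below is constructed to match his example; the component names and structure are assumptions, not real provider data.

```python
from collections import deque

# Constructed sample topology (not real provider data): the branch phone
# service buys two carrier circuits for redundancy, but both ride one
# Sprint fiber span, and the phone system also needs the power grid.
# "all_of": components a node cannot work without; "any_of": alternatives
# of which at least one must be up (the redundancy the buyer paid for).
TOPOLOGY = {
    "branch-phone": {"all_of": ["power-grid"],
                     "any_of": ["att-circuit", "mci-circuit"]},
    "att-circuit": {"all_of": ["sprint-fiber-span"], "any_of": []},
    "mci-circuit": {"all_of": ["sprint-fiber-span"], "any_of": []},
    "sprint-fiber-span": {"all_of": [], "any_of": []},
    "power-grid": {"all_of": [], "any_of": []},
}

def is_up(topology, node, failed, memo=None):
    """True if `node` still works with every component in `failed` down."""
    memo = {} if memo is None else memo
    if node in memo:
        return memo[node]
    if node in failed:
        memo[node] = False
        return False
    spec = topology[node]
    ok = all(is_up(topology, d, failed, memo) for d in spec["all_of"])
    if ok and spec["any_of"]:
        ok = any(is_up(topology, d, failed, memo) for d in spec["any_of"])
    memo[node] = ok
    return ok

def all_components(topology, node):
    """Every component `node` transitively relies on."""
    seen, queue = set(), deque([node])
    while queue:
        n = queue.popleft()
        for d in topology[n]["all_of"] + topology[n]["any_of"]:
            if d not in seen:
                seen.add(d)
                queue.append(d)
    return seen

def single_points_of_failure(topology, service):
    """Components whose failure alone takes `service` down (hidden dependencies)."""
    return sorted(c for c in all_components(topology, service)
                  if not is_up(topology, service, {c}))

# Expected: ['power-grid', 'sprint-fiber-span'], so neither carrier alone
# is a single point of failure but the shared fiber and power grid are.
print(single_points_of_failure(TOPOLOGY, "branch-phone"))
```

The contracted redundancy (either carrier may fail) holds, yet the check surfaces two components the buyer never contracted for and cannot see on an invoice.
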

    That level of insecurity is inherent in networks, Schneider says.
    "CIOs are ultimately concerned about whether their systems are
    trustworthy, and the answer to that may be unknowable." Unfortunately,
    they do not have 30 years of research to lean back on. "It's only in
    the last five years," he says, "that computer security has moved away
    from a preoccupation with information secrecy and toward the integrity
    and availability of networks."

    Implementing Solutions

    The issues are complex, but some companies have not taken even the
    most basic steps to bolster security. "One of the most common and
    avoidable mistakes is failing to upgrade," says Bailar. "A patch is
    delivered, but some people just don't install it. Or they update 10
    computers and leave five to become the next Trojan horses on the Web."

    A recent case in point, the worm known as DoS.Storm, has been
    burrowing its way through corporate servers, despite the fact that the
    flaw in Microsoft's Web-server software has been known for some time
    and the company issued a patch in August 2000. On its Web site, CERT
    identifies failure to implement patches as the number-one security
    risk companies routinely assume. "You start by looking at your closest
    connection to the Internet and working your way back," says Bailar.
    Securing your e-mail systems, Internet servers, and firewalls should
    be top priorities.

    It's also imperative to develop an action plan with your Internet
    service provider, says Bailar. "Find out how they monitor malignant
    intruders, what they can do to stop them, how they would handle a
    denial-of-service attack, and how long they would be down following
    such an attack. If you walk away from this conversation feeling they
    had no idea what you were talking about, you should probably move. A
    real professional in this space will probably have additional ideas
    for you."

    Bailar shakes his head at the way companies leave themselves open for
    attack. But in a way it's understandable, says Savage. "A lot of
    traditional companies are still coming to terms with what it means to
    be on the network and they haven't internalized that they need
    cybersecurity the same way they need a security guard on the ground
    floor." In addition, he says, there's an acute shortage of trained
    security personnel who typically go to the "sexiest jobs" at major
    financial and e-commerce companies.

    The shortage of trained security personnel is leading some companies
    to outsource security, a trend some observers predict will be the next
    hot growth area. Yet even companies that choose to outsource should
    take a self-directed approach to risk assessment and security
    management, says Alberts. "You want to leverage the existing abilities
    of people in an organization so that technologists and business people
    get together in interdisciplinary teams and solve problems from a
    business perspective. You are the experts in the way you do business.
    Even if you decide to acquire outside help, you can at least outline
    your requirements in a more targeted fashion."

    It's easy to overlook a theoretical threat and hard to justify -- both
    to investors and senior managers -- the additional money and time
    needed to effectively assess and mitigate the problem. But the risks
    are greater today too. "It used to be that companies worried about
    what would happen if there was a snowstorm and we couldn't get our
    products delivered," says Bailar. "Now the same risks are much more
    potent and centered on global information security."

    Eva Marer is a freelance reporter based in New York who writes for
    CIN, an internet.com site where this story first appeared. She covers
    investments, personal finance, and corporate technology issues for a
    variety of trade and consumer magazines.

    ISN is hosted by SecurityFocus.com

    This archive was generated by hypermail 2b30 : Thu Jul 05 2001 - 00:03:55 PDT