[ISN] Who's Protecting Our Infrastructure?

From: InfoSec News (isnat_private)
Date: Thu Sep 20 2001 - 02:17:53 PDT


    By Alex Salkever
    SEPTEMBER 18, 2001

    No one. Computer-security standards that would thwart hacker terrorism
    against utility, telecom, health-care, or power systems don't exist.

    Chris Wysopal, a computer-security expert, was scheduled to brief the
    Senate Governmental Affairs Committee in Washington, D.C., on
    Wednesday, Sept. 12. But when the Federal Aviation Administration
    grounded all national air travel after two hijacked planes struck the
    World Trade Center towers and a third set the Pentagon ablaze,
    Wysopal's appearance was postponed indefinitely.

    His message, however, should not get drowned out in the din of war
    talk. A noted good-guy hacker and the research director of
    Web-security company @stake, Wysopal planned to deliver a candid
    assessment of how utilities, telecoms, and other critical national
    infrastructure providers protect their computer networks.

    A HODGEPODGE.  Wysopal's assessment? Much work remains to be done.
    While some critical infrastructure providers have rock-solid
    protections, all too many have neglected even the basic steps of
    encrypting databases, auditing their networks, and patching security
    holes on all their servers. When it comes to network security, "there
    need to be some minimum requirements," says Wysopal. "There are none."

    With major military action looming and the economy reeling, shoring up
    computer security among infrastructure providers might not seem a top
    priority. It would cost money, obviously, and might be inconvenient.
    Nevertheless, President George W. Bush should add the protection of
    infrastructure -- and the crucial computer systems that control it --
    to the growing list of mandates under the rubric "Homeland Defense."

    The very backbone of what makes America strong is the reliable
    provision of water, power, communications, and health care. Without
    these services, our ability to wage a war and to project power would
    be severely diminished. Furthermore, the disruptions to normal life
    unleashed if determined, malicious hacker-terrorists were successful
    could be disastrous.

    A BIT SHOCKING.  How shaky is the protection of the computer networks
    embedded in our critical national infrastructure? That's hard to tell
    right now. Says Wysopal, who has audited security at a number of
    infrastructure providers: "It varies across the board. I have seen
    some excellent security in some places and very poor in others."
    That's about par for a field where no national standards have been
    developed. But it's a bit shocking considering what's at stake.
    Imagine the chaos that could ensue should a terrorist act of mass
    destruction be combined with induced power or telecom outages.

    Obviously, cell phones played a crucial role in the aftermath of the
    New York disaster. For many, they were the only means of contact with
    the outside world. Yet earlier this summer, Verizon Wireless, the
    nation's largest cell-phone provider, encountered horrendous problems
    after someone hacked into a customer database and dumped credit-card
    records into various Internet chat rooms. Many security experts
    commented, in the wake of that incident, that Verizon should do a
    total security audit. In response, the company said it would
    vigorously investigate the issue and put in place preventive measures.

    POROUS 911.  Here's another truly terrifying tale from a man who
    should know -- Thomas Noonan, the CEO of Internet Security Systems.
    One of the largest computer-security companies in the world, ISS
    builds software and sells protection services. That makes Noonan a
    personal target for nefarious hackers. Small wonder a police officer
    shows up at his front door at least once a week in response to "calls"
    by hackers who break into the 911 system. "It's just their way of
    letting me know that they can find me if they want," says Noonan. It
    also means that the 911 system, a decentralized but critical part of
    the infrastructure, needs a major network security overhaul.

    No question, the cost of bringing infrastructure providers' systems up
    to snuff could well stretch into the billions. But what's a few more
    billion, considering the types of spending the U.S. is now looking at
    in the name of Homeland Defense? Computer-security standards for
    critical companies could end up being well worth the cost.