By Brenda Collins
As the 21st century emerges, all levels of senior management are under significant pressure to emphasize information security as a visible priority at the executive or board level of their organizations—especially at those companies with a high profile and/or international presence. Events of the past year, including the release of the White House's Office of Homeland Security’s national strategy to secure cyberspace, have raised government, investor, and public expectations for protecting corporate systems from cyberterrorists, malicious hackers, and even misuse by trusted insiders.
Advisories from government agencies suggest that IT infrastructures are the modern equivalent of the historic supply chain targets, and that terrorists may shift their focus away from traditional physical targets and turn toward infrastructure instead. Companies that supply communications, energy, transportation, and other primary services could be likely targets for cyberterrorists, but any unprotected corporate network can be used to launch a cyberattack. Cyberwar is less expensive than conventional methods of attack and easier to conceal. Terrorists now fully appreciate the economic impact of their actions and recognize the viability of critical IT infrastructures as vulnerable targets.
If you haven’t already, now is the time to examine the risk of cyberterrorism to your organization and to put into place policies and action plans that will minimize the risk of and repercussions from a cyberterrorist attack on your organization.
What’s the risk—really?
According to the National Infrastructure Protection Center as of Sept. 24, 2002, “Based on a review of intelligence and an assessment of threats by the intelligence community, as well as the passing of the anniversary of the September 11 terrorist attacks and the disruption of potential terrorist operations in the United States and abroad, the Attorney General in consultation with the Homeland Security Council has returned the threat level to an elevated risk of terrorist attack, or ‘yellow’ level.”
What does this mean to corporate America? As with most security discussions, positions seem to fall into extremes. Rep. Lamar Smith, R-Texas, in a statement heralding the House's passage of the Cyber Security Enhancement Act said, “A few keystrokes and an Internet connection is all one needs to disable the economy and endanger lives.” Others believe the threat of terrorists launching catastrophic cyberattacks that disable the country's critical infrastructure is largely overstated.
To assess the risk at a corporate level, it’s easier to break cyberattacks down into two types: attacks on data and attacks on control systems. Until recent events brought terrorism to the forefront, it was the first type that held public and media attention. These attacks centered on attempts to steal or corrupt data or deny services and included high profile denial of service attacks, Web site vandalism, and the occasional theft of credit card numbers.
The terrorism threat tends to focus more on the vulnerability of control systems. These attacks would see terrorists disabling or taking over operations used to maintain physical infrastructure, such as distributed control systems that regulate oil, gas, and water supplies, electrical transmission networks, and railroads. These operations are increasingly using the Internet to transmit data or are connected to a company's local network that may be vulnerable.
The generally accepted view of many security professionals is that any damage resulting from electronic intrusion would be measured in loss of data, not loss of life. However, it is true that data attacks can have severe consequences. Many energy distributors, power companies, and water utilities control their operations with supervisory control and data acquisition (SCADA) systems. In theory, an attack could tamper with a SCADA system that in turn could cause cascading malfunctions through other operations. But most utility and infrastructure operators have elaborate nontechnology backup measures to protect the public even if a system is breached.
So where do you begin if you are concerned that your IT infrastructure could fall victim to a cyberterrorism attack?
Primary points of exposure
The National Infrastructure Protection Center continues to warn government agencies and businesses of the potential for increased hacker and other opportunistic Internet activities directed at companies' sites and infrastructure. With increased military surveillance and tightening of security controls on government networks, terrorists could look to corporate internal networks as a launch pad for attacks. This would not only leave the executives of the company with legal liability for a lack of due care but may also have less tangible ramifications for the employees and others associated with the company.
If a company is relying on the Internet for any part of its business operation, it should have a secondary means to continue operation if the Internet becomes unavailable. Furthermore, experience has shown that loss of a network for e-mail can lead to capacity overload of PBX, fax, and other more conventional means of communication.
Social engineering may be the easiest and cheapest way for a terrorist to break into a company's computer system. Social engineering is the term hackers use for attempts to obtain information about computer systems through nontechnical means; it relies on a lack of security awareness, human nature, and poor procedures.
Some things you can do to protect your company
Despite the added sense of urgency brought on by the escalating profile of terrorism worldwide, the risk of cyberterrorism is best managed through the implementation of sound information security policies, well-defined security processes, constant monitoring, and maintenance of systems and security awareness at all levels of the organization. Here are some specific steps companies should consider:
- Ensure all software (antivirus, mobile code, etc.) is up to date; stop hostile attachments of any kind at the e-mail server.
- Do thorough vulnerability assessments of Internet-exposed systems and servers; test associated tactical cyberincident response plans.
- Monitor all third-party connections with an intrusion detection system. Review intrusion detection system logs regularly to identify malicious activity.
- Update and test your Disaster Recovery Plan/Business Continuity Plan. Are contacts aware of their responsibility?
- Increase user awareness, particularly with respect to social engineering.
- Document and communicate specific travel-related security policies to ensure that information is backed up to the network and encrypted on the laptop hard drive. With enhanced security at airports, it is recommended that all unnecessary electronic devices be left at home and that the potential for having to hand in a laptop as checked baggage be considered.
Cyberterrorism has been on the agenda of information security conferences for decades, but until this year, it has always been the last session on the last day. Times have changed. From this point onward, it will surely be a more prominent issue. Companies must take appropriate steps to ensure that their IT networks are safe from the cyberterrorist threat.