Network World assembled a team of experts to discuss security issues. Joining in were Mike Hager, vice president of network security and disaster recovery for Oppenheimer Funds in Englewood, Colo.; John Pescatore, research director for Internet security at Gartner in Stamford, Conn.; Paul Raines, global head of information risk management at investment bank Barclays Capital in London; Michael Vatis, former director of the National Infrastructure Protection Center (NIPC) and now director of the Institute for Security Technology Studies at Dartmouth College, a counterterrorism technology research and development institute, and an attorney with the law firm of Fried, Frank, Harris, Shriver & Jacobson, in New York and Washington, D.C.; and Chris Wysopal, director of research and development at @stake, a computer security consulting firm in Cambridge, Mass. Paul Desmond, editor of eSecurityPlanet.com, moderated the discussion.
Since the Sept. 11 attacks, network executives have had to consider the possibility that terrorists may one day attack critical IT infrastructures, private or public. That raises new questions: how likely is such cyberterrorism, what can be done to defend against it, and who needs to be involved in that defense?
National cybersecurity adviser Richard Clarke
has warned that the U.S. is "vulnerable to sophisticated attacks.
Not to 14-year-olds, but to a sophisticated group or nation-state.
. . . It could lead to catastrophic damage to the economy,
and, if done at a time of national security crisis, it could
lead to catastrophic damage to our national defense."
An act of cyberterrorism may be directed at
the nation's banking system, telecommunications network, air
traffic control system or virtually any critical infrastructure
that heavily relies on network technology. That, at least,
is the doomsday scenario. While not dismissing these threats,
security experts for the most part are uncomfortable with
the term "cyberterrorism." Some say it represents hype, others
that it's misleading, because the majority of cyberthreats
come from people who are motivated by factors other than terrorism.
Does the form of cyberterrorism Clarke refers
to represent a new type of cyberthreat, or are people just
more aware of dangers that have been with us for some time?
Vatis: The threat that Richard Clarke
is talking about is not new at all. What's different today
is mainly the general awareness of the threat, because we've
seen so many instances involving destructive worms and viruses,
denial-of-service attacks and intrusions for malicious purposes.
But the general idea that we're vulnerable to sophisticated
attacks beyond mere script kiddies is not new. You can go
back to the mid-'80s and the Cuckoo's Egg case, which involved
four hackers from what was then West Germany stealing information
from Defense Department networks to sell to the KGB.
Raines: From my perspective, being in
charge of my company's network security, it doesn't make any
difference what the motive of an attacker is, whether he's
out to deliver a political message, steal funds from my company
or launch a cyberattack against the critical infrastructure
of the U.K. or the United States. I'm here to protect the
network, and I'm going to exercise the due diligence needed
to do that regardless of the motive.
[Photo caption] From left to right: Chris Wysopal, security consulting professional; Michael Vatis, cyberterrorist guru; John Pescatore, security research authority; Paul Raines, Barclays Capital's guardian; Mike Hager, Oppenheimer Funds' protector.
Wysopal: If there are a lot of people
motivated out of terrorism to do something, the threat level
increases. Maybe they've got more resources and they're more
sophisticated, so you need to spend more money and more resources
to secure things.
Hager: With the limited resources most
companies have to address computer security issues, we have
to concentrate on the laws of probability vs. possibility.
That really limits us a lot of times in what areas we look
at. Where are the threats coming from, which ones are valid,
what can we document, what can we track, what can we actually
show?
Pescatore: Right, and a lot of it also
has to do with who you're going to call for help. A bank has
certain levels of protection it takes against bank robberies,
but it doesn't try to protect itself if a tank pulls up in
front of the bank. If it's an act of warfare, that's where
national governments get involved. So I think there's a lot
of disservice going on when we try to lump 14-year-olds launching
viruses with cyberterrorism, and use that word terrorism,
which we would typically expect government to be involved
in responding to and protecting us from.
Wysopal: The problem is the government
doesn't have a capability to defend against information warfare
because the infrastructure is owned and operated by private
industry. This is new territory for us, where neither private
industry nor the government has a capability to protect against
information warfare.
Vatis: I don't think we can have a model
where we say: "The private sector will take care of things
itself when it's just a crime or a hacktivist, but the government
needs to take responsibility when it's an information warfare
attack." Again and again we see in actual incidents that you
don't know what you're dealing with when you first have an
unauthorized intrusion.
How effective have government efforts been
in addressing this security issue?
Pescatore: What's been effective has
been raising the consciousness of security as an issue in
front of CIOs and CEOs as far as the commercial infrastructure.
But I think way too much of the government's effort has been
on [setting up] overlapping committees and not enough on securing
our infrastructure.
Raines: I agree wholeheartedly. Within
the government itself, there's the NIPC, and the FBI has also
beefed up its own cybersecurity section. So has the Treasury
Department with the Secret Service. We have a cybersecurity
czar, who falls under the new Office of Homeland Security.
The government really needs to get its act together in terms
of consolidating overlapping jurisdictions.
Vatis: The biggest thing that's been missing is
new resources to do all the things that the government has
identified as necessary, whether it's research and development,
securing government systems, etc. When we set up the NIPC
[in 1998], for instance, it was all funded out of hide,
out of existing resources. Year after year, we were totally
unable to get any additional resources.
What more should government be doing to
address cyberterrorism?
Wysopal: There are security problems
that are long-term, that the marketplace isn't going to
solve any time soon, or ever - things like the quality of
software. Are software developers educated in secure coding
and secure design? Are software vendors putting resources
in place to educate them? Whether an attack costs $9 billion
or $5 million, as an economy, we are paying for it. If that
$5 million were spent during the development time instead
of on patching things, it would be good for our economy.
Those sorts of incentives are something only the government
can offer, and I haven't seen much along those lines.
Vatis: I second that because research
and development and education are critical to the long-term
success of security, to get ahead of the problem rather
than always playing catch-up by relying on patches and alerts
about new vulnerabilities and things like that. Commercial
vendors continue to want to rush to market with the latest
features. Security is not given adequate priority, and that's
to be expected because the market still is not demanding
security, making it a priority for the manufacturers. To
really get at the long-term and also midterm needs, government-funded
R&D is critical.
Do you think that's going to happen?
Vatis: There have been various legislative
proposals over the past few months to increase the level
of government funding. Whether they get appropriations to
match that is the question. But at least there's more attention
to it now, and that's a good sign.
We frequently hear that companies need to
be at a higher state of alert since Sept. 11 to address the
threat of cyberterrorism. What does that mean in practice?
Raines: We really refined our disaster-recovery
and business continuity procedures. We practice them much
more frequently, and we've become a lot more proficient.
Hager: Two years ago, we started looking
at improving our ability to detect attacks on the network
and putting an incident response team together that can
identify when we're being attacked, what kind of attack
it is and what kind of response mechanism we need to come
up with. We added event-correlation tools to help us sort
through the muck and the mire of traditional intrusion-detection
tools and firewall logs and other kinds of logs. What we've
tried to do is hone our ability to define the lethal attacks
that we really want to spend our time responding to, and
log the others. But that started two years ago, not Sept.
11.
Pescatore: We've told clients to look
into building denial-of-service protection into their Internet
connection, to talk with their ISPs and data center providers
about their ability to mitigate denial-of-service attacks
upstream.
Vatis: We issued a report from the Institute
on Sept. 22 that had recommendations on how to reduce vulnerabilities
to cyberattacks that might come during the war on terrorism.
One of the things we particularly recommended, following
up on what John was saying, is ingress and egress filtering
to try to minimize the damage from distributed denial-of-service
attacks. And that does require cooperation with ISPs, because
one of the things that really would help is to have the
routers limit the rate at which packets usually associated
with [distributed denial-of-service] attacks can be transmitted
downstream.
Are ISPs playing ball and doing enough to
help protect against things like that?
Pescatore: ISPs are all playing with
denial-of-service protection technology from a lot of vendors.
What none of them are seeing yet is willingness by business
or government to pay extra for that level of protection.
Are there any areas that are not effective
in defending against cyberterrorism, where people are spending
too much time for little benefit?
Pescatore: We see a lot of shelfware
intrusion-detection investments where [failure to keep]
up with the signatures and tuning - so the false alarms
don't drive you crazy - results in a wasted investment.
So we tell people to look at whether their choices really
can handle that or if they need to get a managed service
to do it for them.
Hager: I concur with that. A lot of
companies have spent way too much money on building perimeter
security that ends up being a hard candy shell. They haven't
spent enough time looking at how they control access within
their networks, so that when someone does break through,
they can identify that someone is inside stealing data.
Any closing comments?
Pescatore: So much of what needs to
be done to secure computer systems connected to the Internet
is mundane, boring stuff. And it's good to have a boogeyman
[such as cyberterrorism] to get CEOs, CFOs and all to open
their pocketbooks. But we have to make sure we don't go
too far. Training and building better software products
are where the real answers lie, not simply finding a new
boogeyman every six months to scare people to do these mundane
things.
Special Report: Safety nets. Case studies, how-tos and information on the disaster recovery, business continuity and security concerns and plans companies face post-Sept. 11. Network World, 11/26/01.