Dealing with worst-case scenarios

Experts think up the unthinkable, and offer advice on avoidance.

Last in a four-part series, looking at the toughest security issues facing corporate users.

Imagine a natural disaster the likes of Hurricane Katrina or a terrorist attack on a major U.S. city wipes out business operations. In the mad dash to get back online as quickly as possible, security protocols and procedures take a back seat to regaining business continuity. And that's when a second catastrophe occurs: Information systems are vulnerable to attackers, who see an opportunity in the chaos as companies are forced to rely on backup operations (or even pen and paper).

That's just one example of the worst-case security scenarios that emerged during recent discussions with customers and industry experts. Others include targeted cyberattacks in which precious corporate jewels, such as intellectual property, are held for ransom; biometrics and other identity-verifying techniques disrupting essential functions; and the emergence of a new type of denial of service that keeps companies from communicating with their customers and halts the flow of genuine information across the Internet.

To continue reading, register here and become an Insider. You'll get free access to premium content from CIO, Computerworld, CSO, InfoWorld, and Network World. See more Insider content or sign in.

Last in a four-part series, looking at the toughest security issues facing corporate users.

Imagine a natural disaster the likes of Hurricane Katrina or a terrorist attack on a major U.S. city wipes out business operations. In the mad dash to get back online as quickly as possible, security protocols and procedures take a back seat to regaining business continuity. And that's when a second catastrophe occurs: Information systems are vulnerable to attackers, who see an opportunity in the chaos as companies are forced to rely on backup operations (or even pen and paper).

That's just one example of the worst-case security scenarios that emerged during recent discussions with customers and industry experts. Others include targeted cyberattacks in which precious corporate jewels, such as intellectual property, are held for ransom; biometrics and other identity-verifying techniques disrupting essential functions; and the emergence of a new type of denial of service that keeps companies from communicating with their customers and halts the flow of genuine information across the Internet.

A few of these security-disaster scenarios have happened, but the majority are exaggerations of current technology, processes and policies that probably haven't occurred yet but aren't out of the realm of possibility. Such scenarios and how to prepare for them will be a topic at the Security Standard event to be held in Boston next month (see "Security check").

When a natural disaster or terror attack halts business, for instance, security weaknesses emerge because people are distracted by what's happened or by the rush to get business running again.

"When bad stuff happens there's chaos and panic. Everyone has procedures [to follow], but it's not clear that people even know where they are," says Charles Palmer, CTO of security and privacy with IBM Research. "When you're in a hurry to get back online, especially if you're losing lots of money each minute, you're going to do what it takes to get online."

That period of lax security could open a back door to the same attacker or a new one. Or depending on the level of devastation, it could allow someone to walk out the front door with sensitive information.

"I wouldn't necessarily classify natural disasters as security issues, with one caveat - out of chaos bad actors seek to take advantage," says Paul Kurtz, executive director of the Cyber Security Industry Alliance, a public policy and advocacy group based in Arlington, Va. Such behavior happened in New Orleans in the aftermath of Katrina when nonvictims tried to benefit from government relief funding, he says.

Closer to the forefront of most security professionals' minds are targeted attacks that seek to damage a specific company by stealing sensitive information or interrupting business. Most companies have taken measures to block mass attacks, such as viruses and worms that spread across the Internet; now they're grappling with what to do if a cybercriminal attempts to steal sensitive company or customer information.