In the last newsletter, I gave an overview of a presentation about information security I made to a group of chief information officers at a retreat sponsored by SARCOM. That newsletter provided a baseline of the current state of information security challenges. In this newsletter, we will look at the future of cyberattacks and product trends. And we will attempt to answer the question: Are we headed for an Electronic Pearl Harbor?
What about the future of cyberattacks?
We will certainly see more coordinated attacks using the distributed computing model. The power gained by harnessing thousands, or even millions, of CPUs creates the ability to crack keys and overwhelm e-commerce Web sites with denial-of-service attacks. Legitimate Internet-wide projects such as Distributed.net, which has been used to crack algorithms and factor keys, show the power of the concept and even offer a deployment roadmap.
We will also certainly see more sophisticated social engineering. Viruses will be developed that follow today's headlines, or target specific industries and companies. These viruses will go even further in breaking down the human barriers to executing malicious code. What are theoretical examples of this? A virus targeted at Coca-Cola that is disguised as a sensitive internal document from Pepsi. A worm targeted at Florida disguised as a real-time hurricane monitor. Better tools will be available for virus and Trojan Horse authors, tantamount to fourth-generation virus development languages. This will allow even nonprogrammers to create their own custom viruses.
As the stakes grow in the value of obtaining data from online sources, we will certainly see greater involvement in cyberattacks by foreign governments and traditional criminal organizations, particularly if they see only a minor chance of negative consequences. Information warfare is simply another means to gain political and financial advantages, and as the course of history shows, all means are used once they are understood.
What are the product improvement trends we will see?
Products clearly must provide better heuristics and pattern recognition capabilities to detect unknown attacks. Security that is completely dependent upon specific signatures of known attacks will be completely inadequate in the future. This goes to the heart of every type of security product - AV software needs to detect polymorphic viruses, operating systems need to be shielded from malicious code seeking to reformat hard drives, network traffic needs to be proactively monitored for patterns of attack in real time, and systems of all types need to be made immune to buffer overflow attacks.
The recognition that no single system is infallible will lead to the development of systems of distributed trust. No one system should hold the keys to the kingdom, therefore no one compromise should derail an entire network.
Security will continue to make its way into all other computer products and develop new product niches. Firewall and intrusion-detection technology will someday be a part of all computers - more pervasive than AV software on PCs today.
So to get to our question: Is the stage set for an Electronic Pearl Harbor? Of course that question is somewhat of a teaser: it is an outcome that can still be determined by our own vigilance. However, here are some reasons to answer yes:
- We have the technology. The sheer processing power of the millions of computers on the Internet means we have the capabilities for a distributed model of cracking, flooding and other forms of electronic mayhem. Some of the viruses and worms we have seen this year (for example, Melissa and ExploreZip) have shown the ability to travel around the world with amazing speed and cause corporate networks to be shut down.
- Large financial stakes. As Willie Sutton said when asked why he robbed banks, "That's where the money is." There quite certainly are people and organizations that would stand to gain tremendously from the chaos caused by an Electronic Pearl Harbor, and that mere fact is enough to cause worry.
- Corruptible foot soldiers. Many of the most talented people who can help bring about electronic terror are extremely young. This technical talent is often not counterbalanced by the wisdom to use this talent appropriately. While all "thirty-somethings" like me are guilty of some youthful indiscretions, they don't occur while connected to a global network.
- Jurisdictional issues and anonymity may embolden attackers. Successfully apprehending and prosecuting cybercriminals is and will continue to be a daunting challenge.
So what did the CIOs think of my remarks? The area they struggled with the most was having a comprehensive understanding of the technical issues that may lead to an Electronic Pearl Harbor and accurately assessing their own vulnerabilities. On the other hand, their experience with risk management and planning for "Act of God" catastrophes gave them some peace of mind and belief that they will be able to protect their enterprises before cyberattackers get too sophisticated.
A few of the CIOs recognized that strong business and technical skills are not enough for their organizations, and they have actually started hiring cyberwarriors - military and law enforcement veterans with experience in fighting hackers and capable of taking a hard line inside and outside of the company.
Whether or not you feel that the worst-case scenarios will happen, there is no escaping the fact that if we are to thwart cyberthreats on a regular basis, we need to act as if we are at war with them.
RELATED LINKS
Antivirus software vendors raise red flag on new versions of ExploreZip and Melissa
Network World, 12/01/99.
Cyberattacks against DOD up 300% this year
Network World, 11/04/99.
Panel: Future attacks on U.S. info systems likely
Network World, 10/07/99.
Inside the FBI
Network World, 08/23/99.
