Companies Confront Rising Network Threats

[InfoSec News <isn () c4i org>]

Forwarded by: C. L. Staten <sysop () emergency com>

http://itmanagement.earthweb.com/netinf/article/0,,11962_795451,00.html

By Eva Marer
July 2, 2001

Every morning, Gregor Bailar, executive vice president of operations
and technology and CIO of NASDAQ, pores over the previous day's
security report. "We have hundreds of different types of hacking and
other security attempts in any given week," he says.

At the moment, Bailar's not so much worried about a breach of NASDAQ's
trading system -- a private network of computers secured behind a tank
embankment wall -- but about the potential damage in dollars and
investor confidence should one of the exchange's public Web sites go
down.

Like many senior technologists, Bailar makes decisions about risk
management every day. Unlike most CIOs, however, he's got the backing
to make his decisions stick. Those resources include two dedicated
security teams, a direct pipeline to national security personnel,
armed security guards, and a total budget of $450 million.


Yet even one of the most highly developed security machines in the
world is vulnerable. "As more and more of the nation relies on
computer systems and communication networks, dependencies have crept
into our infrastructure," says Fred Schneider, a professor of computer
science at Cornell University and co-author of "Trust in Cyberspace,"
a 1998 study commissioned by the National Research Council and the
Computer Science Technology Board. "The CIO is moving in a direction
where he doesn't have control over a piece of the picture and that
piece is getting bigger and bigger."

Network failures, and the impact of those failures, will likely get
worse. In the meantime, he says, most companies aren't doing nearly
enough to protect their networks from increasingly potent and global
threats.

The Rising Threat

Public attention on cyber-security has focused on high-profile
sabotage such as the denial-of-service attacks that shut down the
likes of CNN, eBay, and Amazon in February 2000. Yet such attacks are
far more common than most people realize. Researchers at the
University of California at San Diego found that online vandals stage
denial-of-service attacks 4,000 times every week, often targeting
individual users and small businesses. "And that's a conservative
estimate," says Stefan Savage, a UCSD professor and co-author of the
study.

Denial-of-service attacks are only a small piece of the puzzle. Other
forms of online mayhem include intrusion, defacing property, spreading
viruses, stealing or changing data, or totally shutting down network
capability. In the worst-case scenario, says Savage, it would be
feasible to take down a power grid, alter a medical database, or knock
out a couple of the high-level name servers that everyone on the
Internet relies on. Telephone companies, electric utilities, banks,
emergency services, and other essential infrastructure components have
all publicly acknowledged that their systems may be at risk.

Denial is rampant among corporations, many of which fear negative
publicity should a security flaw be exposed. "A lot of this stuff is
not widely reported," says Schneider. "The most attractive targets for
hackers are financial and military institutions, and neither has any
incentive to publicly report when a site has been compromised."
Without access to such information, he says, CIOs may find it
difficult to build realistic risk models.

Who are these cyber-criminals? They range from greedy employees and
contractors to individual hackers to well-funded organized groups
engaged in what some might call cyberwarfare, says Savage. In the wake
of recent high-tech layoffs looms a new threat: disgruntled employees
who break into the system to steal data, harass colleagues, or
otherwise embarrass their former employers.

The Government Responds

So far, the aim of these groups has been primarily mischief, but that
may be changing. At least 20 countries are developing offensive and
defensive cyberwar capabilities, says Clark Staten, executive director
of the Emergency Response and Research Institute in Chicago. "China
has pledged to create a fourth division of its military dedicated
solely to cyberwarfare and is already developing a battalion of US
hackers," Staten claims. Indeed, Bailar reports that about half of
NASDAQ's attempted break-ins come from overseas, mostly China. Those
threats could be part of an ongoing cyberskirmish between Chinese and
U.S. hackers, who have been defacing each other's government and
corporate sites following the U.S. spy-plane incident in March.

The government is well aware of the problem. According to Staten, a
confidential 1997 report issued by a presidential commission on IT
infrastructure protection acknowledged major vulnerabilities in
today's networked infrastructure. Air Force Gen. Robert Marsh, who
chaired the commission, stressed that the lack of information-sharing
between the public and private sectors was a major obstacle to
security. Due to the cascading effects of an infrastructure blockage,
says Staten, many businesses -- not just the intended targets -- could
be at risk in the event of such an attack.

In February 1998, President Clinton created the National
Infrastructure Protection Center (NIPC) to function as an
early-warning system and liaison between corporations and the
government. Nevertheless, industry and government remain at odds.
Companies hesitate to report intrusions to the FBI for fear that
proprietary information will be made public. In addition, industry and
government continue to battle over issues ranging from regulation of
computer products to the use of encryption. (As a possible sign of
their disconnection from the public, officials at NIPC, a division of
the FBI, failed to respond to repeated requests to be interviewed for
this article.)

Assessing Risk

In the end, it may be economic pressures, not government intervention,
that will force companies to shore up security. Already some insurance
companies are charging differential rates based on security measures
in place. And, as Bailar points out, potential bottom-line risk is a
great motivator for senior managers.

Studies on information security risk conducted by the U.S. General
Accounting Office show that senior management sponsorship is a
critical element of success in building a company-wide security
strategy. As a result, the CIO's first job may be to convince senior
management that such a strategy is needed at all.

"You have to take the time to gather the data to educate the board and
the CEO on the business risks involved," says Bailar. "If the risks
aren't that big of a deal from a business perspective, you should know
that, too." Bailar says CIOs should be able to show, among other
risks, "how many hacks you're getting, what they could do to your
business, the appropriate time frame for getting back on line, and the
risk to your customer base."

Bailar has identified two separate sets of risks for NASDAQ: one for
its public Web sites, and one for its private trading network, which
is not connected, even by a firewall, to the Web. "We're not so
worried about a hack into the trading environment," he says, noting
that a hacker would have to be sitting at the desk of a trader to even
access an account. "The risks to the trading network are more along
the lines of physical breakages or someone planting a bomb."

Each morning, Bailar receives security alerts from federal agencies
and independent monitoring groups like CERT, as well as daily updates
from his internal security teams. "For the Internet, we do raise our
alerts when something is going on internationally, for example in
Bosnia or Brazil, that could affect the Internet. In terms of physical
security for the trading network, we're more concerned about terrorism
that would happen on U.S. soil."

Of course, not all companies face such dramatic threats. The nature of
threat is highly contextual, based on the way a company does business,
what type of information it deals with, and where it is located, says
Christopher Alberts, a team leader with OCTAVE, a new program being
developed by the CERT Coordination Center (www.cert.org) at Carnegie
Mellon University.

The program, which will be made available at the end of August,
stresses a broad, self-directed approach to evaluating information
security risks, which could range from an employee accidentally
deleting an important file to generic threats such as viruses and
malicious code. OCTAVE will provide worksheets and templates to help
managers identify critical information assets and key risks, from
insider manipulation and outsider hacks to environmental
vulnerabilities such as floods, earthquakes, or tornadoes.

One obstacle to accurate risk assessment, Schneider says, is that
vulnerabilities are typically invisible. "Let's say you're paranoid of
losing phone connectivity with a branch office, so you contract with
both AT&T and MCI to get what you think is redundant service. Yet the
way the telephone paths are structured, both companies may be running
circuits in the same piece of fiber owned by Sprint. You cannot say
with certainty that you have contracted for two independent
connections, and the phone companies are under no obligation to make
that information available. In the same way, you don't know when you
buy phone service whether that phone is dependent on the power grid."

That level of insecurity is inherent in networks, Schneider says.
"CIOs are ultimately concerned about whether their systems are
trustworthy, and the answer to that may be unknowable." Unfortunately,
they do not have 30 years of research to lean back on. "It's only in
the last five years," he says, "that computer security has moved away
from a preoccupation with information secrecy and toward the integrity
and availability of networks."

Implementing Solutions

The issues are complex, but some companies have not taken even the
most basic steps to bolster security. "One of the most common and
avoidable mistakes is failing to upgrade," says Bailar. "A patch is
delivered, but some people just don't install it. Or they update 10
computers and leave five to become the next Trojan horses on the Web."
A recent case in point, the worm known as DoS.Storm, has been
burrowing its way through corporate servers, despite the fact that the
flaw in Microsoft's Web-server software has been known for some time
and the company issued a patch in August 2000. On its Web site, CERT
identifies failure to implement patches as the number-one security
risk companies routinely assume. "You start by looking at your closest
connection to the Internet and working your way back," says Bailar.
Securing your e-mail systems, Internet servers, and firewalls should
be top priorities.

It's also imperative to develop an action plan with your Internet
service provider, says Bailar. "Find out how they monitor malignant
intruders, what they can do to stop them, how they would handle a
denial-of -service attack, and how long they would be down following
such an attack. If you walk away from this conversation feeling they
had no idea what you were talking about, you should probably move. A
real professional in this space will probably have additional ideas
for you."

Bailar shakes his head at the way companies leave themselves open for
attack. But in a way it's understandable, says Savage. "A lot of
traditional companies are still coming to terms with what it means to
be on the network and they haven't internalized that they need
cybersecurity the same way they need a security guard on the ground
floor." In addition, he says, there's an acute shortage of trained
security personnel who typically go to the "sexiest jobs" at major
financial and e-commerce companies.

The shortage of trained security personnel is leading some companies
to outsource security, a trend some observers predict will be the next
hot growth area. Yet even companies that choose to outsource should
take a self-directed approach to risk assessment and security
management, says Alberts. "You want to leverage the existing abilities
of people in an organization so that technologists and business people
get together in interdisciplinary teams and solve problems from a
business perspective. You are the experts in the way you do business.
Even if you decide to acquire outside help, you can at least outline
your requirements it in a more targeted fashion."

It's easy to overlook a theoretical threat and hard to justify -- both
to investors and senior managers -- the additional money and time
needed to effectively assess and mitigate the problem. But the risks
are greater today too. "It used to be that companies worried about
what would happen if there was a snowstorm and we couldn't get our
products delivered," says Bailar. "Now the same risks are much more
potent and centered on global information security."

Eva Marer is a freelance reporter based in New York who writes for
CIN, an internet.com site where this story first appeared. She covers
investments, personal finance, and corporate technology issues for a
variety of trade and consumer magazines.




ISN is hosted by SecurityFocus.com
---
To unsubscribe email isn-unsubscribe () SecurityFocus com.