Who's Protecting Our Infrastructure?

[InfoSec News <isn () c4i org>]

http://www.businessweek.com/bwdaily/dnflash/sep2001/nf20010918_8931.htm

By Alex Salkever 
SEPTEMBER 18, 2001 

No one. Computer-security standards that would thwart hacker terrorism
against utility, telecom, health-care, or power systems don't exist.

Chris Wysopal, a computer-security expert, was scheduled to brief the
Senate Governmental Affairs Committee in Washington, D.C., on
Wednesday, Sept. 12. But when the Federal Aviation Administration
grounded all national air travel after two hijacked planes struck the
World Trade Center towers and a third set the Pentagon ablaze,
Wysopal's appearance was postponed indefinitely.

His message, however, should not get drowned out in the din of war
talk. A noted good-guy hacker and the research director of
Web-security company @stake, Wysopal planned to deliver a candid
assessment of how utilities, telecoms, and other critical national
infrastructure providers protect their computer networks.

A HODGEPODGE.  Wysopal's assessment? Much work remains to be done.
While some critical infrastructure providers have rock-solid
protections, all too many have neglected even the basic steps of
encrypting databases, auditing their networks, and patching security
holes on all their servers. When it comes to network security, "there
need to be some minimum requirements," says Wysopal. "There are none
now."

With major military action looming and the economy reeling, shoring up
computer security among infrastructure providers might not seem a top
priority. It would cost money, obviously, and might be inconvenient.
Nevertheless, President George W. Bush should add the protection of
infrastructure -- and the crucial computer systems that control it --
to the growing list of mandates under the rubric "Homeland Defense."

The very backbone of what makes America strong is the reliable
provision of water, power, communications, and health care. Without
these services, our ability to wage a war and to project power would
be severely diminished. Furthermore, the disruptions to normal life
unleashed if determined, malicious hacker-terrorists were successful
could could be disastrous.

A BIT SHOCKING.  How shaky is the protection of the computer networks
embedded in our critical national infrastructure? That's hard to tell
right now. Says Wysopal, who has audited security at a number of
infrastructure providers: "It varies across the board. I have seen
some excellent security in some places and very poor in others."

That's about par for a field where no national standards have been
developed. But it's a bit shocking considering what's at stake.
Imagine the chaos that could ensue should a terrorist act of mass
destruction be combined with induced power or telecom outages.

Obviously, cell phones played a crucial role in the aftermath of the
New York disaster. For many, they were the only means of contact with
the outside world. Yet earlier this summer, Verizon Wireless, the
nation's largest cell-phone provider, encountered horrendous problems
after someone hacked into a customer database and dumped credit-card
records into various Internet chat rooms. Many security experts
commented, in the wake of that incident, that Verizon should do a
total security audit. In response, the company said it would
vigorously investigate the issue and put in place preventive measures.

POROUS 911.  Here's another truly terrifying tale from a man who
should know -- Thomas Noonan, the CEO of Internet Security Systems.
One of the largest computer-security companies in the world, ISS
builds software and sells protection services. That makes Noonan a
personal target for nefarious hackers. Small wonder a police officer
shows up at his front door at least once a week in response to "calls"
by hackers who break into the 911 system. "It's just their way of
letting me know that they can find me if they want," says Noonan. It
also means that the 911 system, a decentralized but critical part of
the infrastructure, needs a major network security overhaul.

No question, the cost of bringing infrastructure providers' systems up
to snuff could well stretch into the billions. But what's a few more
billion, considering the types of spending the U.S. is now looking at
in the name of Homeland Defense? Computer-security standards for
critical companies could end up being well worth the cost.



-
ISN is currently hosted by Attrition.org

To unsubscribe email majordomo () attrition org with 'unsubscribe isn' in the BODY
of the mail.