Unless you own a car dealership or hold an executive position with Amazon.com, you’re probably going with “B,” right?
Ah, if only it were that simple. Unfortunately for CSOs, each one of those diverse scenarios illustrates a trend that is a clear, present and growing danger to corporate security. In spite of the fact that security is finally getting the attention and resources it deserves, the list of threats that CSOs will have to handle during the next few years continues to expand at an alarming rate.
And it’s no longer just the antisocial basement-dwelling hacker, cracker or script kiddie behind such attacks. The collection of ne’er-do-wells with an interest in undermining your corporate security has metastasized during the past few years into a multifarious cast of characters: industrial and state-sponsored spies, cyberterrorists, ecoterrorists and international mafiosi, just to name a few.
There are some definite trends that security executives should pay attention to – evolutionary changes occurring within the underground. Ask security experts to forecast the future, and they’ll usually profess at least one certainty: that convergence will occur. By that, they mean that criminal groups will band together to attempt larger attacks, and that those efforts will likely include blended attacks that have a physical and cyber component to them.
Blended attack threat
The threat of a blended attack is one that the intelligence community takes very seriously. Most experts agree that while terrorism groups have indicated an interest in using IT attacks to undermine critical infrastructure (and are using the Internet extensively as a communication medium by burying messages in spam), they haven’t matched up the intent with the capability yet. But it’s likely not too far away.
“These are educated, smart, well-funded and reasonably motivated individuals, and there’s a lot they can do,” says Bill Hancock, CSO of telecommunications company Cable & Wireless PLC. “The entry point for cyberterrorism is different from (bioterrorism) where you have to pay people to develop things for you. The entry point for cyberterrorism is the cost of a PC.”
“If you’re looking at convergence as the possibility to launch a coordinated attack physically and virtually, I think that we’ll see the effect of that fear in the next five years,” says Dario Forte, security adviser to the European Electronic Crimes Task Force. “But if you are looking at this phenomenon for a cyber-event like the Blaster worm to have an impact on physical security, I think we’ll see that in the next two years.”
In fact, in September the U.S. Department of State had to temporarily shut down its electronic CLASS system (the Consular Lookout and Support System), which checks visa applicants for terrorist or criminal histories because of an infestation of the Welchia virus. Forte predicts that those kinds of incidents are only going to increase in frequency.
For CSOs, the pressure is on to knit the physical and cybersecurity departments closer together, if not merge them entirely.
Perpetrators are indicating a willingness to pool their resources and pull off ever larger exploits. Hackers are countering increased network resistance to old-style attacks by working in gangs – harnessing their collective brain and computing power. Even crime syndicates have developed a very sophisticated set of technology skills.
The worry is that those skills might be hired out to a terrorist organization, providing an out-of-the-box cyberterrorist capability, notes Matthew Devost, a founding director of the Terrorism Research Center. “They have their own laptops and accounting systems and command-and-control networks, and everything that a billion-dollar multinational would have,” he says.
In the coming years, facility security and IT security may be joined by a third and equally important area of security practice – personal security. This issue is starting to go mainstream as citizens and employees are targeted for an employer’s perceived transgressions – and sometimes for no reason at all. Such threats will also carry over to employees as they travel overseas.
Several high-profile executives have had ransom demands delivered and negotiated via cyberspace when a family member was kidnapped, and their personal information has been stolen for identity theft. Hancock notes that the home computers of executives will continue to be targeted for ‘harvesting’ by competitors. CSOs will have to ensure that their departments work closely with every employee who has access to sensitive information so that they can secure their computing environments no matter where they work.
The enemy within
One of the threats that CSOs face – particularly those working in the critical infrastructure – is the possibility of employing a hacker, corporate spy or other individual who wants to gain a trusted position within a corporate network for nefarious reasons. “Hiring practices and background checks haven’t kept pace with threats,” notes the Terrorism Research Center’s Devost.
They should also review who has access to which systems and documents. “Should a person in sales be reviewing R&D documents?” Hendershot asks. “Should a person in finance be looking at our marketing theory? CSOs turn on intrusion detection for the outside, but what’s going on inside, and does it make sense?”
Forte notes that the “gray hat” phenomenon is also still on the rise, and he cautions CSOs to not only examine who their employees are but their contractors as well.
Another buzz phrase that security experts frequently bandy about in discussions of future security threats is the importance of “anomaly detection” – noticing that the CEO’s account is active even though he or she is on an airplane, and recognizing when changes occur in the network that portend a potential threat or vulnerability. Security organizations will have to notice anomalies and institute fixes much faster.
Forte notes that the trend in viruses and worms is moving ever closer to “zero day” attacks – any attack in which there is less than 24 hours between the announcement of a vulnerability and its exploit.
And, of course, there’s always the unpredictable variable of luck. Script kiddies still account for 60 per cent to 70 per cent of denial-of-service and distributed denial-of-service attacks.
A majority of threats that are likely to plague security executives in the years to come will derive from a continued failure to adhere to basic best practices. Companies will keep trying to save money by connecting networks and leveraging a shared infrastructure. These networks that were previously closed and isolated from the dangers of the Web will now be inter-networked with potentially disastrous results. These closed networks are laid bare to a multitude of security threats that they are poorly equipped to withstand. Nuclear reactors, electrical substations and oil refineries all are run by process networks.
Hancock, for one, fears that as more of these networks are interconnected to save money, disastrous repercussions will ensue.
“Think about the basics of safe computing and the spread of viruses,” advises Hendershot. “Sobig, Cornucopia, Code Red have taken known exploits to propagate themselves. Security people have to make sure that when new technologies come out, they are familiar with the vulnerabilities. What door are you opening?”
The future holds unknown challenges. But the biggest danger that security executives are sure to face is failing to address the vulnerabilities that they already have today.
Four basic protection reminders for you or your staff
By Stuart J. Johnston PC World (U.S.)
1. Update your virus definitions regularly, ideally on a daily basis. Just as often, visit sites that document the latest threats to find out what subject lines and file-attachment names the newest viruses are using. Look at McAfee, Symantec Corp. and Trend Micro Inc.
2. Install Microsoft’s “critical” updates (go to Microsoft Windows Update), but be careful. I always look out for any serious problems with patches before I adopt them, though I don’t wait longer than a week or so. I usually visit support forums to read users’ descriptions of problems. My favorites: Microsoft Technical Communities, Tech Support Forum, and WinGuides Support Forums. If I read any reports about a patch causing crashes, problems with the operating system I use, or conflicts with installed programs (such as a particular antivirus application), I steer clear of the patch for a while.
3. Be skeptical about e-mail attachments even from people you know, unless you are expecting something; the same advice goes for strange subject lines. Avoid looking at suspicious e-mail messages in preview mode. Better yet, disable the preview feature entirely.
4. Whenever you step away from your computer, put your machine into hibernation or standby mode. Doing so will help stop attacks like Blaster, which infected systems by wandering the Internet looking for PCs with communications ports left unguarded.
The bot threat
Some of the most serious threats networks face today are "bots," remotely controlled robotic programs that strike in many different ways and deliver destructive payloads, self propagating to infect more and more systems and eventually forming a "botnet."