  |
 |
|
Research and retrieval of news articles by: SPECIAL NOTE TO ALL VISITORS: | ||
 |
|
CYBER-TERRORISM: IS YOUR COMPANY A TARGET?Source: CPA2Biz.comPosted on September 23, 2001 by Albert J. Marcella, Jr., Ph.D., CDP, CISA Terrorism, as defined by the FBI, is the unlawful use of force or violence against persons or property to intimidate or coerce a government, the civilian population or any related segment, to further political or social objectives. By broadening this definition to include information technology, we can expand the scope and impact of a terrorist's attack to include infrastructure, or the services critical for continued operations at a national or corporate level. Using information technology as a strategic weapon has never been a more accurate metaphor, when attempting to critically define the concept of cyber-terrorism. Cyber-terrorism is a threat of "information warfare" in which a rogue nation, terrorist group or criminal cartel could perform a "systematic national intrusion" into computer systems, with effects comparable to the strategic bombing of infrastructure during the World War II. Until recently, most of our exposure to such terrorist activities was limited to pure fiction-the movies and creativity of Hollywood producers and writers. However, the reality is that cyber-terrorism is all too real and poses a serious threat on a global level to corporate and national infrastructure. As a result, cyber-terrorism is flourishing and has transformed itself into several sub-classifications, all of which are lethal to organizational and operational infrastructures. In addition to typical cyber-terrorism, we can now look forward to such technical and tactical operations as "cyberwars" and "netwars." Cyberwar refers to conducting military operations based on information-related principles, and disrupts or destroys information and communications systems. Perpetrators attempt to know everything about an adversary while keeping the adversary from knowing much about oneself. The balance of information and knowledge is turned in one's favor, and uses knowledge so that less capital and labor may have to be expended. On the other hand, Netwar refers to information-related conflict at a grand level between nations or societies. It means trying to disrupt or damage what a target population knows or thinks it knows about itself and the world around it. A netwar may focus on public or elite opinion, or both. It may involve diplomacy, propaganda and psychological campaigns, political and cultural subversion, deception of or interference with local media, infiltration of computer networks and databases, and efforts to promote dissident or opposition movements across computer networks. Whether it be cyberwars, netwars, or cyber-terrorism, there is the potential for devastating financial repercussions within an organization, both financially and legally. Like it or not, organizations face the legal, ethical, and more often, the social responsibility of securing data, which resides within their computer systems. Failure to establish adequate internal controls exposes the organization to financial loss(es) and legal liabilities, as well as the loss of consumer confidence. We must realize that cyber-terrorism in its broadest reaches, is not solely restricted to national infrastructure targets, and is not solely carried out by rogue nation states, activist groups or camouflaged, munitions touting individuals. Cyber-terrorism can be directed at an individual organization by a competitor, for example, in an effort to eliminate the targeted organization's ability to compete in the marketplace. Cyber terrorism is the 21st century version of the ever-present corporate espionage threat. The distributed denial of service (DDoS) attacks in February 2000 thrust the subject and capability of cyber-terrorism into the mainstream conscience of the global community. While officially dubbed DDoS attacks, the goal is to cripple a device or network so those external users no longer have access to network resources. Without hacking password files or stealing sensitive data, a hacker simply fires up a program that will generate enough traffic to your site so that it denies service to the site's legitimate users. As a result, the global village witnessed its first coordinated, cyber-terrorist attack. Most of the online community was caught, obviously, unprepared. These events were just another in a long line of attacks on corporate and national IT infrastructures. During 1999, some of the organizations that fell victim to cyber-terrorist attacks against their posted Web sites included the Department of the Interior, Federal Bureau of Investigation, the U.S. Senate, Vermont state government, the White House and Brookhaven National Labs, just to name a few. In addition, over the past several years, various groups and individuals have carried out the following attacks on critical national and international infrastructure: - a hacker known as "Infomaster" penetrated the Bureau of Land Management network in Portland, then skipped on to Sacramento where (s)he obtained root access to the computers that controlled every dam in northern California - a Massachusetts teenager broke into the Bell Atlantic system and disabled communication at the Worcester airport, cutting off services to the airport's control tower and preventing incoming planes from turning on the runway lights - a Tamil guerrilla group known as the Internet Black Tigers launched a DDoS attack on the Sri Lankan embassy computers throughout Europe, North America and Asia for two weeks, paralyzing the network - ten thousand Internet activists calling themselves the Electronic Disturbance Theater began a DDoS attack on the Pentagon, Frankfurt Stock Exchange and Mexico presidential Web servers in support of Zapatista rebels in Chiapas, Mexico - the Illinois Power Sub-station Attack occurred on May 30, 1999 when an unknown person or group threw a 20-foot chain over a security fence onto a 35,000-volt transformer. This caused a flash explosion that destroyed three regulators, an electrical tower and the main transformer. Power was knocked out in three counties, putting thousands of people out of electrical service and causing an estimated $500,000 damage This last example could easily be seen as simple vandalism. However, had this same sub-station been located a block west of Pennsylvania Ave. or in Rosemont, IL, just east of Chicago's O'Hare International Airport, would it be just ordinary vandalism? Does the target have to be a nationally recognized building, airport, bridge or financial network in order for the destructive act to be labeled a "terrorist attack?" Reality of Cyber-TerrorismThe rise in cyber-terrorism has steadily increased over the past several years, as detailed in the Computer Security Institute's (CSI) 1999 report on the topic. Seventy percent of Federal agencies responding to a survey compiled by the San Francisco-based Computer Security Institute and the San Francisco FBI Computer Intrusion Squad (CSI/FBI) said they were victims of unauthorized use of computer systems in 1998, up from 61 percent in 1997. More than half of the Federal agencies surveyed said independent hackers and disgruntled Federal employees were the most likely sources of computer attacks and abuses. The Defense Department confirmed that a major cyber-attack against its critical information systems has been under way for the past several months. Theft of trade secrets is one of the most serious threats facing business today. The latest CSI/FBI Computer Crime and Security Survey found that of 12 types of computer crime and misuse, theft of proprietary information accounted for the greatest reported financial losses during the reporting period. According to the survey, more than $66.7 million worth of trade secrets were stolen from 66 organizations who were able to quantify their losses from this type of breach. Based on information from 237 of CSI's members, 70 percent reported serious security attacks, including theft of proprietary information, financial fraud, systems penetration from outsiders, DDoS attacks, and sabotage of data or networks. Over a 17-month period, some 1,100 documented incidents of intellectual property theft were identified, worth an estimated $44 billion. If you think cyber security is expensive, try getting hacked! Domestically, U.S. companies could be losing more than $250 billion annually to information thieves, according to a 1997 American Society for Industrial Security (ASIS) survey of Fortune 1000 firms and the 300 fastest growing U.S. companies. For example, someone deliberately set on sabotage could devastate a corporate electronic commerce initiative, where a simple change in a posted price or telephone number could easily go unnoticed until it had caused considerable damage. Given society's ever increasing global dependency on IT, no organization is safe from the impact of cyber-terrorism. Hacker vandalism can carry a steep price when it affects services delivered by business or government Web sites or networks. Potential targets for cyber terrorists include: - banks, international financial transactions and stock exchanges that cause people to lose confidence in the economic system - air-traffic control systems, resulting in collisions of civilian aircraft - medication formulas at pharmaceutical manufacturers - natural gas lines; by increasing pressure, terrorists could cause widespread valve failures and explosions - the electrical grid, causing blackouts Protection of Critical National InfrastructureInfrastructure protection, which requires a systemic approach and accounts for a wide range of vulnerabilities, could fall under both "information/cyber" and physical attacks. There is no need to destroy a electric power system if you can block the delivery of coal to the power plant, and that may be the best example today of infrastructure vulnerability. Critical infrastructure consists of the information and telecommunications, gas and oil production, transportation, continuity of government, emergency services, electrical power systems, banking and finance, and water supply systems To evaluate the security of internal systems, the U.S. Government conducted a series of exercises called "Eligible Receiver" that revealed serious vulnerabilities in the government's information systems to the extent that 62 to 65 percent of all U.S. Federal computer systems have known security holes that can be exploited. As an example, in 1996 alone, between 250 and 600 Department of Defense systems were broken into by savvy hackers. Monitored user access to a specific but unnamed Defense Department system detected 4,300 intrusion attempts during a three-month period. More than 120 countries or foreign organizations have or are developing formal programs that can be used to attack and disrupt critical Information Systems Technology (IST) used by the United States. Because of the ambiguous nature of information attacks, it can be extremely difficult to know, even in the midst of an attack, what is really happening. Are computer outages the result of equipment failure or deliberate attack? Internet SecurityGiven the uncontrolled (and in reality, the uncontrollable) nature of the Internet, it is easy to see and understand why there are so many security issues and problems. Specifically: 1.companies are not assigning sufficient resources to improve and maintain overall security 2.personnel are not given senior management support or authority to implement strategic security measures 3.vendors continue to ship systems with poor default security configurations, and customers still buy these systems even with the known defaults 4.companies still fail to install vendor patches for known security weaknesses 5.companies fail to monitor or restrict network access to their internal hosts 6.companies do not implement stringent authentication or authorization systems for remote access 7.companies do not enforce security policies or standards when installing new equipment on their networks 8.organizations continue to place too much emphasis on "security through obscurity" - many organizations still hold to the idea that their systems are not important enough to interest a hacker or terrorist, and therefore they see no need (especially financially) to spend time, effort and money to secure them beyond the rudimentary controls. These security weaknesses and internal control problems give way to the all-to-common Internet attacks such as: - exploitation of weaknesses embedded in vendor programs - exploitation of /bin vulnerabilities - e-mail bombing, spamming and relaying through other host sites - exploitation of miss-configured anonymous FTP and Web servers - exploitation of mail transfer agents and mail readers - DDoS attacks using various methods sending hostile code and attack programs (i.e., viruses) as e-mail attachments - spoofing unauthorized system sites through known secure sites. Infosecurity personnel (internal and external auditors, data and network security officers, and others), should be aware of the strategic security weaknesses presented by these known exposures. An assumption that a firewall will solve all your problems, that security is sufficient, and that no further security checks or controls are needed, could be a fatal mistake. Additional exposures can be found in the ease at which analog lines (used to connect to ISPs) can be requested and installed, therefore bypassing any protection from the security perimeter. Some network services (e.g., ftp, tftp, http, sendmail) which will be routed to internal hosts, are passed through the organization's security perimeter unscreened. Access lists often are outdated and configured incorrectly, and as a result, allowing unknown and potentially dangerous services to pass through freely. The logging of connections made through the security perimeter is either insufficient and/or not reviewed on a consistent basis, and in addition, the growing use of VPNs (Virtual Private Networks) and subsequent encrypted tunnels fail to consider the security or lack thereof at the tunnel's endpoints. The Internet is an unsecured environment yet, organizations are climbing over themselves, racing to establish a "net presence" with wild abandonment and a competitive feeding frenzy. Organizations hear the hypnotic call of the Internet luring them into making decisions and taking chances, which under different circumstances, they would not make or take. Organizations that fail to think and act prudently, ignore the warnings and falter in their efforts to implement stringent security protocols, before throwing open their organization's doors to the Internet, will inevitability see their efforts thwarted. Given these potentially crippling and inherent weaknesses within the current Internet environment, infosecurity professionals should be constantly vigilant, and should engage in continual monitoring their organization's internet security profile, and make modifications to that profile on a regular basis as both changes in the Internet and its enabling technologies warrant. Part two of this article will address such issues as developing a portrait of a cyber terrorist, identifying what "weapons" are used by this individual and how an organization can take steps to neutralize the threat of a cyber terrorist attack. Profile of the Cyber-terroristSo what exactly or rather who exactly, is this elusive 21st Century mischief maker - the cyber-terrorist? Potential attackers range from national intelligence and military organizations, lone terrorists, criminals, industrial competitors, hackers and disgruntled or disloyal insiders. Phreakers, crackers, newbies, coders, script kiddies and hacktivists. Whatever name you give them, collectively, they cause hundreds of millions of dollars in losses to businesses and organizations each year. In the early days, a hacker or hacking was considered more benign, more of a "closet" activity, reserved for those individuals society labeled "geeks." Over time, the term, along with the concept of hacking, has evolved, as did the technology with which the hackers ply their trade. 1960s: Hackers were the more creative programmers and scientists 1970s: Hackers were viewed as "computer revolutionaries" 1980s: Hackers were described as individuals, actively involved in breaking copyright on computer games 1990s: Hackers are now commonly referred to as "criminals or cyberpunks" Hackers are no longer the technical elite; greed, power, revenge and malicious intent motivate them. A new taxonomy breaks down the term "hackers" into novices, cyberpunks, insiders, coders, professionals, cyber-terrorists, and perhaps a category of malicious political activists known as hacktivists (www.infowar.com, 1999). Novices, also known as newbies or script kiddies, have limited computer skills, use hacking software that can be found on the Internet, and basically "stage" nuisance attacks. However, they can cause extensive damage to networks because they don't understand how the software works, and sometimes unleash more than they accounted for in the beginning. While cyberpunks have better skills and tend to engage in malicious attacks, "insiders" are very computer literate and often fall into the category of disgruntled ex-employee or current employee. Coders are highly technically skilled and write the scripts and programs others use to hack systems. They often mentor novices and cyberpunks and are motivated by power and prestige. Cyber terrorists are very highly trained, use state-of-the-art equipment and are highly motivated. The professional group comprises criminals, thieves, corporate spies and general guns-for-hire. While cyber-terrorists overlap with professionals, are well-funded and mix political rhetoric with criminal activity, they pose a serious threat to national governments. Understanding this broad overview of the evolution of hacking and the hacker in general, we are able to compile a reasonably accurate profile of today's hacker. Most hackers are white, middle-class males, 12 to 28 years old, have limited social skills, and although they are loners, hackers "crave membership" They tend to perform poorly in school, yet have good computer skills. This is not to say that all hackers are cyber-terrorists. However, given the recent spat of distributed denial of service attacks (DDoS), talk to any network manager, CEO, CFO or user of the firms targeted in these recent attacks, and you might get a different opinion. Ask if these perpetrators were simply creative programmers or individuals intent on malicious destruction and interruption of national or corporate infrastructure (i.e., commerce, communications, etc.). Cyber-terrorists are among us, and they are assuming many forms and disguises. Weapons of the Cyber-TerroristIn the battle of bits, bytes and bandwidth, the cyber-terrorist brings with him (and most cyber-terrorists are male), a formidable arsenal of tools and techniques. Traditional weapons of choice include: - computer viruses (such as logic bombs that wake up on a certain date, worms and Trojan horses) - cracking (accessing computer systems illegally) - sniffing (monitoring Net traffic for passwords, credit card numbers and other data) - social engineering (fooling people into revealing passwords and other information) - dumpster diving (sorting through the trash) Details of intrusion attempts involve multiple attackers working together from different IP addresses, many of which are in different countries and continents. The intent apparently is to make the attacks more difficult to detect, increase the "firepower" and acquire more data. Another advanced cyber-terrorist tool is monitoring computers, fax machines, printers and other devices by picking up their electromagnetic radiation. If someone truly desires your most sensitive information, and has the time, patience and capital, almost any information can be obtained, most often without the owner's knowledge. In an attempt to plug this leakage of information, organizations that process sensitive information should consider the installation of TEMPEST (Transient Electro-Magnetic Pulse Emanation Standard) hardened and certified hardware. TEMPEST products exist to protect against leakage of electromagnetic emissions. Although such protection is available, it is not generally available in the commercial sector; an organization that wants to acquire TEMPEST-hardened products will have to demonstrate a need, as well as secure a place on an approved purchaser's list. For more information, try www.nsa.gov/isso/bao/tempest1/index.htm. TEMPEST-hardened devices are designed to shield radiation leakage(s) that can come from monitors and connecting cables, thus preventing cyber spies from intercepting your password, proprietary business plans or even an embarrassing love letter. All of these can clearly be displayed on an external monitoring device in the cyber spy's van parked across the street from your office. Surveillance reports indicate that such electromagnetic monitoring devices can intercept computer emissions from a distance as far away as 1 kilometer or further, if the cyber snoops are using special fast-Fourier-transform chips. If this is not enough to scare you, just over the horizon are High-Energy Radio Frequency (HERF) guns. No, this isn't science fiction or prototype hype, but actual weapons of critical mass destruction, which can be constructed via plans downloaded from the Internet and with supplies purchased at your local Radio Shack. Radio Frequency (RF) weapons consist of a power supply, transmitter and an antenna. One type of RF weapon, a HPM (high-power microwave), generates gigawatts (billions of watts) of short, intense energy pulses focused into a narrow beam-capable of silently burning out electronic equipment. Potential targets of HERF weapons include: - computers and other electronic devices used in the national telecommunications systems - the national power grid - the national transportation system; and - finance and banking systems, including a bank's ability to dispense cash Just how credible is the threat of a HERF attack? Members of the Irish Republican Army reportedly intended to acquire powerful radio frequency (RF) weapons for use against the London financial system, and Swedish authorities claim RF weapons have already been used against their financial institutions. Another flashy but stable tool in the cyber-terrorist's arsenal is a Unix-based port scanner for security auditing. Nmap (network mapper) (www.insecure.org/nmap/index.html) surveys remote machines to see what services can be exploited. This is easier to install and run than other port scanners, and one of the few programs that does TCP/IP fingerprinting, a way to identify which operating system is running on a remote machine. Nmap also is one of the most popular attackers' tools. Terrorists' .38 SpecialBuffer Overflow attacks are not glamorous, but they are often devastatingly effective! A buffer overflow occurs when data input from a program is longer than the buffer (a temporary memory storage area) can handle. A bug in an application causes more input data to be sent to the buffer than it can properly execute. When the buffer overflows, the hacker/terrorist can overwrite the internal stack space of a program to trick the system into executing arbitrary commands. With carefully written code, the attacker can even gain root-level access on the system. Table 1 lists some additional tools that average cyber-terrorist will have in a tool kit to use against what you believe to be your protected and secure system. Neutralizing the Terrorist ThreatWhile the threat of a cyber-terrorist attack can never really be totally eliminated, the potential of an attack and its devastating aftermath can be mitigated through the implementation of logical, physical and technical controls. Proactive steps to protect against the Terrorists' .38 Special (Buffer Overflow attacks), keep abreast of CERT (Coordination Center at Carnegie Mellon University), CIAC (Computer Incident Advisory Capability - U.S. Department of Energy) and vendor advisories that describe different types of buffer overflow attacks and their "patches." You also should consider implementing intrusion detection software tools to identify active attacks. Examples of Various AttacksThe following paragraphs identify several known cyber-terrorist attack profiles and provide suggested control philosophies. The reader is reminded that each attack can be slightly different and can produce unanticipated results. The best defense against a cyber-terrorist attack is to be prepared, informed and have a viable back up plan in place. SYN AttacksFirewall vendors have incorporated features into their products to shield your downstream systems from SYN attacks. In addition, your firewall should make sure that outbound packets contain source IP addresses that originate from your internal network, so that source IP addresses can't be forged (or spoofed) from the network. Land AttacksDefend your network against the Land attack by having your firewall filter out all incoming packets with known bad source IP addresses. Packets coming into your system with source IP addresses that identify them as generated from your internal system are obviously bad. Filtering packets will neutralize exposure to the Land attack. Smurf AttackTo prevent your network from becoming the intermediary, you can turn off broadcast addressing if your router allows it (unless you need it for multicast features), or you can let your firewall filter the ICMP echo request. To avoid becoming the victim you must have an upstream firewall, preferably a border router, that can either filter ICMP echo responses or limit echo traffic to a small percentage of overall network traffic. The User Datagram Protocol (UDP) FloodTo prevent a UDP Flood, you can either disable all UDP services on each host in your network, or have your firewall filter all incoming UDP service requests. Since UDP services are designed for internal diagnostics, you could probably get by with denying UDP service access from the Internet community. But if you categorically deny all UDP traffic, you will rebuff some legitimate applications. Coordinated Large-scale AttacksAttacks and probes occur when multiple attackers are clearly working together toward a common goal from different IP addresses. Often these IP addresses are also physically separated in different countries or even different continents. Navy's SHADOW (Secondary Heuristic Analysis for Defensive Online Warfare) software can detect and track such attacks. (Download SHADOW free at www.nswc.navy.mil/ISSEC/CID for Unix/Linux/FreeBSD). Haxor - Intrusion DetectionHaxor is a program developed by IBM, that detects intrusions by monitoring the traffic over a company's network. It recognizes hundreds of telltale electronic signatures of attempted attacks, such as the several thousand efforts per second to log on to the system that give away a hacker's program trying a dictionary's worth of possible passwords. Haxor also includes scanning technology for stealth attacks, such as low-bandwidth hacks and coordinated attacks from different geographic points, and an ability to detect mangled and overlapping packets. Foiling Cyber AttacksStopping the elusive cyber-terrorist will require a heightened combination of both logical and physical controls. In addition, organizations will have to establish stringent policies and procedures designed to train IT users in better safeguard measures/methods. What's AheadCyber-terrorism can be as obvious as the DDoS attacks played out against several prime dotcom companies in early February, or as transparent as a seemingly loyal employee, who is actually an industrial spy for one of your competitors. Cyber-terrorism can, and will assume many forms, organizations must be vigilant, and ready for all of the potential forms such aggressive acts and actions will take. Cyber-terrorism is a reality, it can not be wished away. Corporations, governments, and private citizens are all at risk, and equally are all responsible for preventing such attacks. There is no equivalent "neutron bomb" that affects only infrastructure and spares individuals. A cyber- terrorist's strike, coordinated against infrastructure, will certainly result in loss of life. Society has yet to truly experience and witness the breadth and devastation of a cyber-terrorist's attack capability. The recent outbreaks of malicious code, DDoS attacks and system failures, may simply have been the beta testing of the individual pieces of a more organized, coordinated and comprehensive cyber-terrorist strategy. Corporations, governments, and private citizens responsible for securing infrastructure must invest the time, energy, and the resources to continually monitor critical systems and to be ever vigilant to the growing threats to those systems. While completely insulating your system or a national infrastructure from the ravages of a cyber-terrorist attack may be impossible, there are several steps, which can be taken to help reduce and prevent the potential of such attacks. Implementing good internal control procedures/structures, aggressive IT audit programs, subjecting systems to third-party, controlled penetration tests, and proactively attacking, defending and prosecuting malicious intrusions are steps which if aggressively pursued, can help to minimize the exposure from random as well as coordinated cyber attacks. Organizations should continue the monitoring of high-speed Internet connections, so that these connections can not be used as part of a DDoS attack. Before we become victims, know where to find the latest security patches and updates of cyber-terrorist activities. Know how to access resources from such sites as the CERT and ensure that all systems are adequately protected with multiple firewalls and hard-to-guess passwords. Verify that backup and recovery plans exist, are implemented, and that they work. At the end of the day, each of us is responsible for ensuring that we remain watchful of the shifting that engulfs our expanding virtual markets and our virtual society, and realize that each and every one of us is at risk. Contact Albert Marcella at marcela@webster.edu
E-Commerce Alerts are issued by Bennett Gold LLP, Chartered Professional Accountants as situations develop. Bookmark this site and check back often. Our e-mail address is: info@BennettGold.ca In accordance with United States Code, Title 17, Section 107 and Article 10 of The Berne Convention on Literary and Artistic Works, the news clippings on this web site are made available without profit for research and educational purposes. |
|
ALERT  WebTrust Is Your Best Defense Against Privacy Breaches. Get WebTrust Working For Your Site. |