


A Comprehensive Approach to Managing Cyber-Security

(including Privacy Considerations)


Darin Hancock () LaWanda Jones

2007 PMBA UMSL Cohorts/ IS6800

December 9, 2005

Executive Summary

In 2004, security and privacy issues were ranked third among the concerns of CIOs and other IT managers. This ranking has risen over the last several years because computer systems, and the data they store, are constantly bombarded with attacks from cyber criminals known as hackers.

Computers are used in nearly all facets of business today. As the world becomes more electronically interconnected through the Internet, it is more important than ever for companies and governments to protect the vast amounts of data that are stored electronically. Hackers are attacking computer systems at increasing rates in order to steal confidential data or to disrupt computer networks. Hackers have many weapons at their disposal to wreak havoc on computer networks; this paper defines those tools and explains solutions to combat these attacks.

The Computer Crime Survey, which is conducted on an annual basis by the Computer Security Institute and the Federal Bureau of Investigation, provided many statistics for this report. The 2003 and 2004 E-Crime Watch surveys conducted by CSO Magazine, in conjunction with the United States Secret Service and Carnegie Mellon University Software Engineering Institute’s CERT Coordination Center, provided additional data.

In order for management to best devise a comprehensive plan to safeguard companies against security threats, it is important to understand the basic facets of the world of security. This includes a brief analysis of the sources of cyber threats, the victims, and the available resources. The sources of cyber threats consist of individuals or sophisticated gangs. The victims are primarily companies, which characteristically do not like to share information regarding their attacks but are at the same time partly responsible because of their frequent mismanagement of information. Then there is the victim by default, the individual, who cries out for privacy. The emerging resources consist of legislation, government agencies, educational institutions, partnerships, insurance providers and security professionals (some of whom are reformed hackers).

Consequently, once managers become aware of and consider the future expectations of increased hacking, better technology, stronger alliances and improved execution of legislation, in addition to new and emerging acts such as economic espionage and cyber terrorism, they must seriously take action and devise an effective security plan. To do this, managers must also understand that there is no such thing as 100% security. Therefore, expensive plans to secure everything are a waste. A comprehensive plan best utilizes funds to safeguard the critical business components while implementing and reinforcing the simple processes that maintain security.

Best practices for this ongoing process also consist of various elements such as self-assessments or outsourced assessments. The assessment examples provided are the Black Ice and Dark Screen exercises. Although some global references are made, the best practices in this report are primarily intended for United States managers.

MANAGER’S CONCERN FOR SECURITY & PRIVACY ISSUES

In 2004, according to a formal survey conducted by the Society for Information Management (SIM), security and privacy issues were ranked as the third-highest concern among CIOs and other IT managers.[1] Approximately 10 years earlier, managers had ranked security and privacy issues 19th in importance. Looking at similar trends and the recent realities associated with security and privacy, the increased concern is understandable. There is no doubt that the September 11, 2001 tragedy spurred an awakening to this concern. However, there are thousands of other recorded and unrecorded accounts that have reinforced this importance.

Notable Hacks

In 1989 an attack was launched against the National Aeronautics and Space Administration (NASA) and exposed a weakness in the Agency’s computer network.[2] On October 16, 1989 (two days before a scheduled space shuttle mission), two juveniles from Australia launched the WANK (Worms Against Nuclear Killers) Worm against NASA. The two youths managed to infect thousands of computers throughout the Agency by gaining access to the machines using default passwords that were included in the systems when they were shipped from the manufacturer. When the NASA technicians installed the new hardware, they didn’t take the time to change the passwords, and this allowed the hackers access into the system. Within weeks, the worm had spread to various other agencies across the world.

On March 26, 1999, a 30-year-old computer programmer by the name of David Smith unleashed the Melissa Virus on unsuspecting users of Microsoft’s email program Outlook.[3] The Melissa virus was distinct because it was the first macro virus that was spread through email. Once a computer was infected, the virus would send copies of itself to the first 50 names in the user’s email address book. When the recipient received the message, the subject line would read, “An important message from…” The recipient would then open the message thinking that it was something important from their acquaintance, and the process would start all over again. Because of this unique method of distribution, the virus spread feverishly through thousands of computers. As a result of the virus, many companies had to shut down their email servers, including Microsoft. The total estimated damage caused by the Melissa Virus was approximately $80 million, and David Smith received approximately 20 months in prison.

Even though the Melissa Virus is one of the most notorious virus attacks, its damage does not compare to the estimated damage caused by some other lesser-known viruses. According to a December 2004 Forbes article, the top five most costly viruses are listed below:

• Sasser Virus—$17 billion

• Klez Virus—$21 billion

• SoBig Virus—$38 billion

• Netsky Virus—$63 billion

• MyDoom Virus—$83 billion

In April 2001, even a computer network giant, Cisco Systems, was victimized.[4] Two of their ex-employees transferred approximately 230,000 shares of Cisco stock into their own personal brokerage accounts. The stock was valued at approximately $6.3 million, and as a result of their brazen and somewhat foolish act, the two ex-employees spent approximately 34 months in prison.

Spam, another type of cyber threat, has recently emerged as a major problem. Spam is anonymous or disguised, unsolicited email sent in mass delivery. Spam comes in all languages and accounts for 70 to 80 percent of all email traffic. Spam first started to surface in 1997 with moderate numbers of deliveries. Today it is not uncommon for a company to receive approximately 100 million spam emails per month. In a recent October 2005 discussion, James Burdiss, Smurfit Stone VP and CIO, estimated that of the 1.2 million Smurfit Stone emails received each month, 80% is spam. He further noted that approximately 82% of that 80% penetrates their anti-spam blocks. At an estimated market value of $1095 million annually, it is likely that spam will continue to grow for some time. With spam, the damage lies in valuable company time expended to sort through mail that successfully penetrates anti-spam filtration.

Last but not least, the first hacker to have his photograph on an FBI most wanted poster was Kevin Mitnick. Mitnick is a self-proclaimed liar, and he used his social engineering skills to hack into the computer systems of Nokia, Fujitsu, Motorola and Sun Microsystems. As a result of his crimes, Mitnick spent five years in prison.

Hacker’s Toolbox

The previous accounts of computer attacks are merely a few examples of the damage that can occur and has occurred. Hackers have many tools at their disposal to wreak havoc on a company’s computer system and/or to steal information. The following list describes some of the methods of attack.

Cookies—programs that store information about web sites that a person has visited. Most cookies are used for legitimate purposes.

DoS - Denial of Service Attack—an assault on a network that floods it with so many additional requests that regular traffic is either slowed or completely interrupted.

Key Logger—a program that records passwords and IDs by recording keystrokes from the computer keyboard and either logging them or sending them to its creator.

Phishing—a scam to steal valuable information in which an official-looking email is sent to potential victims, pretending to be from their Internet Service Provider, bank or retail establishment.

Phreaking—the act of breaking into the telephone system in order to obtain free phone service.

Remote Administration Tool (RAT)—a program that has been embedded into an unsuspecting victim’s computer. This is the most dangerous of all hacking tools as it allows complete and total control of an infected computer.

Salami Attack—a series of minor computer crimes that together result in a larger crime.

Spam—unsolicited email advertisements.

Spyware—a program embedded on a computer that records passwords, Internet visits, cookies and can sometimes control computer services and remotely execute commands.

Trojan Horse—a program that appears legitimate but performs some illicit activity when it is run.

Virus—software used to infect a computer. Once the program is executed, the virus code is activated and attaches copies of itself to other programs in the system. Effects range from pranks to destruction of programs.

Worm—a destructive program that replicates itself throughout disk and memory, using up the computer’s resources and eventually taking the system down.

While most of the information hackers gather to conduct their attacks is obtained through electronic means, hackers also obtain information through physical means, or a combination of both.

Dumpster Diving—the act of sifting through the trash of an office or a technical installation to extract confidential data.

Wiretapping—the act of listening in on a phone conversation by a third party, usually through covert means.

Physical Masquerading—the act of using forged documents to physically gain access to secure areas.

Social Engineering—the act of manipulating others into revealing sensitive data.

CSI/FBI Computer Crime Survey

The Computer Crime Survey is conducted on an annual basis by the Computer Security Institute and the Federal Bureau of Investigation. In 2004, approximately 700 companies and government entities responded to questionnaires regarding computer security issues (see Figure 1 for breakdown). The number of responses in 2004 was the highest since the survey started in 1995 and there were some key findings in this year’s survey.

First of all, virus attacks continue to be the source of the greatest amount of financial losses. As illustrated in Figure 2, viruses accounted for nearly $43 million of the total $130 million in losses reported. Unauthorized access and the theft of proprietary information rounded out the top three greatest financial losses with approximately $31 million each.[5]

Another key finding of the CSI/FBI survey is that the financial loss per incident decreased significantly from the prior year. In 2004, a total of 639 respondents reported a total loss of $130 million, whereas in 2003, a total of 269 respondents reported a total loss of approximately $141 million. The losses per respondent decreased from $526,000 to $203,000, or 61%.[1]

Figure 1.

Figure 2.

The final key finding regarding the number of security breaches reported was the number of web site incidents. According to the respondents, web site incidents increased dramatically from 2003 to 2004. In 2003, approximately 89% of the respondents reported between one and five web incidents. However, in 2004, 95% of the respondents reported more than ten web incidents. Even though the increase is quite substantial, web site incidents still represent the smallest dollar amount of financial losses incurred by the respondents.

The financial losses shown in Figure 1 are rough estimates at best. Some of the losses associated with a cyber attack are easily measured, such as the cost of new software, the repair of an infected network or lost time. However, many of the losses experienced by businesses are not as easily measured, such as the financial loss associated with the corruption of data, redirection of staff tasks or the loss of customers. If these items were quantifiable, the total calculated loss would prove to be much higher.

2004 E-Crime Watch Survey

Another survey conducted in 2003 and 2004 was the E-Crime Watch survey by CSO Magazine, in conjunction with the United States Secret Service and Carnegie Mellon University Software Engineering Institute’s CERT Coordination Center. The survey results were based on 500 completed surveys from various sectors, both public and private. Similar to the CSI/FBI survey results, the financial losses associated with cyber crime are large. Following are some of the findings based on the survey.

First of all, 30% of the 500 respondents reported no intrusion, while 43% of the respondents reported an increase in attacks from the year before. Of the 500 respondents, approximately 32% don’t track losses associated with e-crime or intrusions. Of those organizations that do track losses, a staggering 49% didn’t know the amount of loss incurred due to cyber crime. The total estimated losses from cyber crime or intrusions were approximately $666 million.[6]

According to the survey, 40% of the organizations reported that the greatest cyber security threats were from hackers, and 22% of the organizations reported current employees as the greatest cyber security threat.[6]

Similar to the findings from the CSI/FBI survey, viruses were the number one method of attack; approximately 77% of the organizations surveyed reported being attacked with viruses or other malicious software. Denial of service attacks came in second, with approximately 43% of the respondents experiencing these types of attacks.[6]

Based on the findings in both surveys, cyber crime produces substantial measurable losses and even greater non-measurable financial losses.

ANALYSIS OF THE WORLD OF SECURITY

In order for management to best devise a plan to safeguard companies against security threats, it is important to understand the basic facets of the world of security. This includes a brief analysis of the sources of cyber threats, the victims, and the available resources.

Source

Individuals or groups of individuals known as hackers are by and large responsible for the countless security threats and cyber attacks. The term hacker originally characterized a positive person whose motivation did not involve ill intent. A hacker was once defined as a person who held a sincere, passionate curiosity about computers and about improving their software. However, regardless of intent, accidents can happen. Case in point: in November 1988, Robert Morris, a computer researcher, erroneously launched a worm that infected several thousand systems. Thus, the infamous Morris worm was born. In addition, hacking is not a recent problem, as some seem to think. As early as 1970, the hacker John Draper, better known as Cap’n Crunch, used a toy whistle from a cereal box to get free phone usage. Today, cracker is the new term used to define cyber abusers. However, the term has not yet caught on universally. Consequently, the terms to hack, hacking and hackers are understood to signify unconstructive behavior. With the increasing number of global attacks as well as the destructive severity of attacks, other terms are becoming common, such as cyber-terrorism, information warfare, economic espionage and data pirating.

Money and personal profit would appear to be a hacker’s main motivation. However, goals such as gaining attention, the thrill, the challenge, political impact, vandalism, or causing serious damage can rank higher than monetary gain. For example, the hacker Electron from the NASA break-in expressed, “Initially I saw it as a challenge, as time passed it became more of an obsessive addiction, with challenge becoming a secondary motivator.” Also, the famous reformed hacker Kevin Mitnick gave some insight into his motives: “…I was hacking for the curiosity, and the thrill to get a bite of the forbidden fruit of knowledge.”

Managers should also be aware of the hacker underworld and its high level of sophistication, where 90% of abusive hacking is done. There are numerous gangs connected across the globe. For example, the Shadow Crew is said to be 4000 members strong, operating worldwide from America to Brazil to England to Russia to Spain. These secretive and dangerous networks of professionals, although similar to other organized crime, keep abreast of current hacking skills through public resources. Hackers can take advantage of hacking chat rooms or attend hacker conventions such as Def Con in Las Vegas or HOPE (Hackers on Planet Earth) in New York to polish up on hacker tips, tools, and guides.

These groups know how to best utilize their members. In many instances, while certain members are responsible for mapping out the strategies, younger members are given the orders to execute the dirty work. Thus, if caught, penalties are minimal. For example, the Canadian teenager Mafiaboy was merely given a slap on the wrist because of his age. His punishment consisted of eight months in youth detention for issuing a DoS attack on several websites including Yahoo, eBay, Amazon, and CNN. Still, punishment has proven to be lenient for most convicted hackers. In 1995, Vladimir Levin, a Russian mathematician, was sentenced to three years in prison and required to pay $240,015 in restitution after hacking into Citibank and stealing $10 million. To date there has been only one case where death was issued as the punishment. In 1998, two Chinese hackers, Hao Jinglang and Hao Jingwen, were sentenced to death for hacking into a bank and stealing 720,000 yuan, equivalent to $87,000 US dollars. Nonetheless, hacking has continued to increase. In 2000, USCERT reported approximately 22,000 hacking incidents. In 2003, this number increased to over 137,000 incidents. Therefore, based on these numbers, it is reasonable to say that managers will not be free of hackers and their mayhem anytime soon.

Victims

Financial institutions (17%), high-tech companies (15%) and the federal government (9%) receive the majority of cyber attacks. Figure 1 shows the percentage of attacks against various company sectors. The high-profile, large companies are most susceptible because they offer a greater challenge to hackers. Again, Electron from the NASA break-in says, “I’d begun targeting specific systems I saw as high profile or high challenge.” During the earlier days of computer crime, most of the larger companies considered direct attacks a mere cost of doing business and therefore did not have basic security safeguards in place. In addition, small companies found no real need to safeguard themselves; the fact that these companies were small provided a type of safeguard in itself. Today companies are taking better security measures to address this issue and have placed monies in their budgets specifically for security management. Fifty percent of the respondents surveyed by CSI/FBI early this year indicated that 1-5% of their IT budget is dedicated to managing security issues (see Figure 3). These numbers correspond with recent October 2005 discussions with James Burdiss. Mr. Burdiss mentioned that 1% of Smurfit Stone’s IT budget is currently spent on security and that this percentage may increase to 5% this year. However, most companies tend not to share information regarding their attacks for fear of more attacks. It is also not uncommon for companies to withhold such information to avoid negative publicity, which in turn could alarm customers, investors and business partners.

Figure 3: Percentage of IT Budget Spent on Security

Although companies are clearly the victims of many hacking expeditions, companies can be held equally responsible for some of these senseless events. This responsibility, or lack thereof, can be attributed to companies’ frequent mismanagement of information. This age of information has allowed companies to collect massive amounts of sensitive information; by the same token, however, some companies have not been good stewards in protecting this information. H. Jeff Smith, professor of management at the Babcock Graduate School of Management at Wake Forest University, in a December 2004 MISQE (Vol. 3, No. 4) report, shared his research regarding frequently observed types of mismanagement (see Figure 4). In many of the observations listed, lack of security and inadequate privacy controls were exposed. On the other hand, according to discussions with the UMSL (University of Missouri St. Louis) IT Department, sensitive data appears to be under control. Mr. Voss, the director of IT, stated, “There are many regulations regarding private and sensitive data. As we are entrusted with many different types of information, we feel it is incumbent upon us to keep that information in the greatest of confidence. Since our focus is sharp on this issue, we have been prepared for most new requirements that have come up.”

|Action |Frequent Types of Mismanagement |
|Collection & Storage |More data collection than needed |
| |Unclear or obfuscating about future uses of data |
|Secondary Use |Policies/practices ignore privacy implications of internal data re-use |
| |Inattentiveness to privacy implications of external data sharing |
| |Excessive liberalism regarding “affiliate sharing” |
|Data Accuracy |Lax security controls (enable deliberate errors) |
| |Quality control lapses in data collection or manipulation (accidental errors) |
|Authorized Access |Weak security controls (technical) |
| |Inattentiveness to “need to know” implementation |
|Automated Judgment |Excessive reliance on implementation of standard operating procedures (w/o rational referrals for human judgment) |
|Profiling |Lack of clarity regarding provisions on external sharing of data (or violations of clear provisions) |

Figure 4: Frequent Types of Company Mismanagement

Although rarely targeted directly, individuals such as customers of the aforementioned large and small companies are by default considered victims. Moreover, because companies have frequently displayed inattentiveness to personal information, the concern for privacy has increased. This is supported by many reports, like the one from the Wall Street Journal, which reported personal privacy as Americans’ number one concern in the 21st century according to an NBC poll. Furthermore, the public’s outcry to maintain their privacy rights is being heard. Recently, Walmart canceled a store test involving RFIDs (radio frequency identification devices) with their partner Gillette after a public outcry of opposition. These devices or chips, available as small as grains of rice, contain identifying data which can be automatically read from a distance, making them well suited for tracking packages, or customers and their purchasing history.

Available Resources

Although still emerging, there are existing resources external to the company in place to assist with security issues. Such resources include, but are not limited to, legislation, government agencies, educational institutions, partnerships, insurance providers and security professionals.

Legislation

The 1986 Computer Fraud and Abuse Act is one of the major laws in place used to deter computer crimes. Violation of this act can carry a maximum penalty of 20 years in prison as well as monetary restitution as determined by the court. More recently, the Sarbanes-Oxley Act of 2002 requires proper management of customer information and sensitive data through proper protocols. Also, the 2002 Public Health Security and Bioterrorism Preparedness and Response Act requires critical public infrastructures to conduct regular vulnerability assessments (VA) and to prepare and maintain emergency response plans (ERP). Critical infrastructures, such as community water systems with large customer bases, can assess their system weaknesses with the VAs and better handle emergencies with an ERP in hand. In addition, HIPAA, the Health Insurance Portability and Accountability Act, is recent legislation used to restrict secondary use of medical data. Violating this act can incur a maximum prison sentence of 10 years and $250,000 in fines.

Government Agencies

The FBI, the Federal Bureau of Investigation, through the US Justice Department’s NIPC (National Infrastructure Protection Center), is the major governing agency dedicated to protecting the nation’s telecommunications, technology and transportation systems. Fighting cyber crime is ranked third on the FBI’s to-do list, while fighting terrorism and counterintelligence are first and second. This year $150 million of a $5 billion fiscal budget is projected toward keeping the cyber world safe. USCERT is an additional viable government resource. USCERT is the United States Computer Emergency Response Team, established in the late 1980s by US defense agencies. They are located at Carnegie Mellon University in Pittsburgh, Pennsylvania, and are dedicated to investigating attacks on computer networks and providing solutions.

Educational Institutions

The SANS Institute is geared toward educating security professionals through its variety of training programs. The SANS Institute is also responsible for establishing the GIAC (Global Information Assurance Certification). This certification helps to validate the skill level of individuals who claim to have certain information security knowledge.

There are also vast opportunities to attend conferences to learn more security tips. For example, on March 21-24, 2006, the Secure IT 2006 fourth annual information and network security conference will be held in Anaheim, California. Topics such as current security tools, trends, legislation, products, services and strategies will be discussed there. With the increased concern for security, many associations and even companies will offer training and educational seminars.

Partnerships

Partnerships such as ISACs (Information Sharing and Analysis Centers) are valuable resources for keeping abreast of current security information. A center is available for each company sector, such as water, financial, manufacturing and so forth. Members can access incident reports affecting their particular industry, warnings regarding potential threats, and solutions.

Insurance Providers

Managers can now also purchase insurance policies to assist with losses incurred from cyber threats. Companies such as Cisco, AIG, Chubb, and Counterpane offer cyber policies. Approximately 25% of companies carry some level of cyber insurance. However, as cyber losses are better quantified and insurance companies improve their plans with more attractive premiums, companies may make better use of this resource.

Security Professionals

Security consultants such as Symantec, Security Focus, Unisys and Internet Security Systems Inc. offer various products and plans to assist managers with their security concerns. Cyber security software, virus protection, firewalls, customized programs and self-penetration tests are some of the products used to assist clients with reducing company vulnerability and preventing cyber attacks. Also, many reformed hackers such as Kevin Mitnick and John Draper have begun their own companies offering similar services. Today, fewer than 40% of companies are reported to utilize such outsourced services.

Figure 5: Percentage of Security Function Outsourced

Below is an example of a generic program designed by Unisys (see Figure 6). Although one program cannot meet all the needs of each type of company, this example showcases some of the significant elements to include when designing a security plan. Functional elements such as education and communications can be a major component of a security plan. When implemented correctly, education and communication tools can largely eliminate the hazardous effects that social engineering has on security plans. In addition, organizational interactions, such as vendor and partner management, are important. When the database of Card Systems, a credit card processing company for Visa, Mastercard and various other revolving account companies, was broken into, direct damage was incurred not only by Card Systems but also by these parent companies. Approximately 40 million credit cards were exposed to identity theft. If an effective security and privacy program governing the organizational interactions between these companies had been in place, such damages could have been minimized.

Figure 6: Critical Security Plan Elements

FUTURE

Now that there is a better understanding of the existing realities of the world of security and privacy, managers should also be aware of the following expected trends for the near future. Expect continued hacking attacks at a greater level of devious sophistication. Expect implementation of cyber security technology such as RFIDs and biometrics. Currently, at 20 to 30 cents each, wide adoption of RFIDs is not economically feasible. Consequently, greater care for the public’s personal rights will be needed to assure that rights will not be forsaken for technological security improvements. Expect the emergence of stronger alliances to assist with the fight against cyber criminals, along with improved international collaboration to quickly catch and punish cyber criminals. In addition, expect stronger penalties to match the crime. Although security and privacy threats are now some thirty years in the making, the measures, resources and legislation to properly address these threats are only slowly starting to gain momentum. Since the security momentum is still fairly new, it may prove beneficial for managers to proactively participate in and influence this momentum in order to set standards for what is best for their members and the company’s ways of doing business.

As managers look at the aforementioned expectations, they should also pay close attention to two acts gaining more and more attention: economic espionage and cyber terrorism. These acts could result in a company losing valuable information vital to our nation’s defense and could have devastating effects on our current way of living, such as the shutdown of our financial systems or even the shutdown of our power grid. The two acts referred to are relatively new to the world of IT.

Economic Espionage

According to Louis Freeh, former director of the FBI, economic espionage is the greatest threat to our national security since the Cold War. Some statistics show that economic espionage and the theft of trade secrets cost U.S. businesses more than $250 billion in 2004 and $1.2 trillion in the last decade.[7]

Economic espionage is being perpetrated on many United States businesses by companies and governments of both ally and enemy countries. These countries, which include China, South Korea, Pakistan, India, France, Israel and Japan, are quietly spying on United States companies and stealing technology and trade secrets.[8] These spies are targeting companies that are contracted with the United States military, which could have severe consequences for the ability of the United States to defend itself from attacks, both cyber and traditional. These countries could be stealing vital information regarding our military, such as the technology used in our aircraft, sea vessels, tanks, etc.

The methods used by these foreign entities include traditional types of spying, for example paying off United States citizens who are already inside the company, or sending spies posing as foreign business people and scientists. These foreign countries and businesses are also hacking into United States companies’ networks to steal data.

The threat of economic espionage is certainly real and is likely causing billions of dollars of damage, but there is possibly an even greater threat to our nation’s security: cyber terrorism.

Cyber Terrorism

On September 11, 2001, our nation experienced the largest traditional terrorist event on American soil. A team of radical militants hijacked four passenger aircraft and succeeded in crashing the aircraft into three of America’s most famous landmarks. The fourth aircraft fell short of its target due to the heroic acts of its passengers. Even before September 11, cyber terrorism was an issue that struck fear in most Americans. After witnessing the horrific acts of September 11 and realizing how vulnerable the United States is, Americans’ fear of cyber terrorism is greater today than ever before.

Cyber terrorism is simply defined as any major computer based attack that is premeditated, politically motivated and designed to call attention to a cause and to create panic, through the breakdown of a widely used information system. What makes cyber terrorism so frightening is that some of the nation’s most vital networks, such as water treatment plants, oil refineries, power grids and transport networks are also some of the least protected. The networks and computer programs that control these services are so complex that it makes 100% protection impossible. In theory, a highly motivated, highly trained terrorist/hacker with only a computer and a mouse could cause pollution of our water supplies, power disruptions or even worse, a meltdown of a nuclear reactor. The more technologically advanced a country is, the more vulnerable it becomes to cyber attacks against its infrastructure.

Take, for example, the terrorist group Al Qaeda: this fairly well organized group committed the September 11 attacks and many other attacks against United States interests. Al Qaeda has become one of the first terrorist groups to move from physical space to cyber space. Since the United States invasion of Afghanistan, Al Qaeda’s refuge, the group has been forced to disband and retreat to other countries around the world. Now that Al Qaeda is scattered throughout the world more than ever, the group uses the Internet to further its agenda. Al Qaeda now uses the Internet to build online libraries of training material, some even supported by experts who answer questions on message boards or in chat rooms, covering subjects ranging from how to make deadly poison to how to make improvised explosive devices (IEDs). The Internet has become a vast communications network for Al Qaeda and other terrorist groups who share its views.

Why is cyber terrorism such an attractive option for terrorist groups such as Al Qaeda? There are several reasons:

• It is cheaper than traditional terrorist methods.

• Cyber terrorism is more anonymous than traditional terror attacks.

• The variety and number of targets are enormous.

• Cyber terrorism can be controlled remotely.

• Cyber terrorism has the ability to generate greater media coverage, which is usually the ultimate goal of a terrorist organization.

Fortunately, to this day Al Qaeda has not committed any cyber terrorism attack against the United States, but it would be naïve to think that they have not considered it. It is quite possible that they are in a planning stage, which could take several years to complete, much like the planning of the September 11 attacks.

BEST PRACTICES

The next section equips managers with solid action tasks to incorporate into, and align with, their agency’s business strategies despite meager security budgets. As Figure 7 indicates, we will look at a GOOD plan, a BETTER plan and a BEST plan.

|Company Executives    |ALL Users           |
|Agency Strategic Plan |Cyber-Security Plan |
|GOOD                  |ACTION              |
|BETTER                |ACTION              |
|BEST                  |ACTION              |

Figure 7: Aligned Action Plan

A GOOD plan consists of implementing the basics, such as physical upgrades or perimeter defenses, to enhance security measures. Refer to Figure 8. However, the GOOD plan alone does not provide a comprehensive plan.

|Company Executives    |ALL Users                                    |
|Agency Strategic Plan |Fundamental Standards                        |
|GOOD                  |Utilize applications for perimeter defenses: |
|                      |  Firewall                                   |
|                      |  IDS – Intrusion Detection System           |
|                      |  Anti-spam                                  |
|                      |  Anti-virus                                 |
|                      |  VPN – Virtual Private Network              |
|                      |  Encryption                                 |

Figure 8: GOOD Plan

A BETTER plan adds educational measures for the human element. Educating employees on the importance of regularly destroying confidential material and of selecting appropriate passwords will enhance security measures. Refer to Figure 9 for additional action tasks. In addition, frequently reviewing these practices will reinforce them. Moreover, security consciousness will become the expected behavior when top-level management buys in. Gary Clayton, Founder and Chairman of the Privacy Council, points out, “Privacy & Security do not work if you do not have top level buy-in.” (2004 UMSL cohort Mastercard Report) This plan combined with the basics listed above will create a BETTER plan. However, this plan is also insufficient to provide a comprehensive plan.

|Company Executives    |ALL Users                                         |
|Agency Strategic Plan |Cyber-Security Plan                               |
|BETTER                |Shred paper                                       |
|                      |Password protection / better selection            |
|                      |System removal (old employees)                    |
|                      |Training                                          |
|                      |Establish process for all users (identify steps;  |
|                      |answer who, what, how)                            |
|                      |Track attacks                                     |
|                      |Better information management                     |
|                      |Top-level buy-in                                  |
|                      |GOOD plan tasks                                   |

Figure 9: BETTER Plan

A BEST plan consists of first understanding that obtaining 100% security is unrealistic, given the many facets of the world of security and the numerous, complex dynamics of the fast-paced information age. Additionally, among various other practical considerations, economics do not support such idealism. Therefore, managers should classify their critical business components and use available resources to protect these areas first. Furthermore, all new business strategies, in addition to existing ones, must be integrated and designed with security measures. Assessments are also an important part of the BEST plan. According to the CSI/FBI 2005 report, 87% of the companies surveyed use assessments. Next, let’s take a closer look at what an assessment may entail.

Black Ice

Black Ice, a book published in 2003, highlights a 1997 exercise conducted by the National Security Agency. [9] The exercise was code named “Eligible Receiver” and was conducted to test the security of some of the United States’ national security systems. In this exercise, the National Security Agency instructed 35 hackers to attempt to hack into any Pentagon network; they were not allowed to break any United States laws and could only use software that was readily available over the Internet. The hackers began their assault by obtaining passwords through the use of password breaking software and social engineering. Once the passwords were obtained, the hackers were able to enter the various networks, create user accounts, delete information and even shut down the systems. They did so with ease and without being traced or identified by authorities.

The results of this experiment were quite astonishing and the officials from the National Security Agency who reviewed the data, along with data from other research, found that much of the private sector infrastructures could be invaded and abused in much the same way.

Cyber terrorism, and its possibly devastating effects, has been the focus of many debates. Much of the public, including policymakers, has a tremendous fear of cyber terrorism and feels that more can, and should, be done to protect Americans. However, other experts feel that the threat of cyber terrorism has been exaggerated. These experts support their argument by citing the fact that the nation’s most critical networks, such as the defense and intelligence systems, are “air gapped” and that there is no possible way for those systems to be breached. [10] “Air gapped” is a term used to describe a system that has no connection to the Internet and is a totally internal system. These experts also cite the fact that there hasn’t been any act of cyber terrorism perpetrated on the United States to this day. But as the events of September 11 demonstrated, when it comes to any type of terrorism the United States must be prepared, and it is imperative that we be proactive instead of reactive.

Assessment Considerations

The decision to conduct assessments through internal or external sources is an important one. Although the objective of discovering weaknesses may be realized more effectively with the use of an outside source, the risk of doing so is high. Therefore, if an external source is selected, the following considerations should be taken into account:

• Does the external source have liability insurance?

• Does the external source request knowledge of the network configuration prior to the assessment?

• Can the external source uncover a bogus weakness planted by your firm early in the process?

• What areas of the computer system should be off limits to this assessment?

Once the appropriate source has been selected, a typical assessment should answer the following questions: who, what, when and how. In mid 2001, Dark Screen, a cyber security assessment exercise conducted with various company participants located in San Antonio, Texas, answered such critical questions. See a modified list of questions below:

• Who should be notified in case of a security breach?

• What steps does your organization use to protect itself?

• When is information regarding this security breach released?

• How would information regarding a security breach be transmitted to appropriate authorities?

As a result, a security policy will include measures to address all items found to be deficient in the assessment.

Moreover, it is imperative that managers keep abreast of current security and privacy issues and events and recognize that addressing security and privacy issues is an ongoing process. Steve Epner of Brown Smith Wallace, a St. Louis technology consulting firm, put it this way: “You have to continue to train and implement new security. It needs to be something you do everyday.” Therefore, the best way to stay on top of this issue is to assign overall responsibility for security and privacy tasks to a specific manager, such as a Chief Information Security Officer (CISO). Consequently, the aforementioned elements of this BEST plan, combined with the GOOD plan and the BETTER plan, will create a sufficiently comprehensive approach to managing cyber security.

|Company Executives    |ALL Users                                                   |
|Agency Strategic Plan |Comprehensive Management Cyber-Security Plan                |
|BEST                  |Understand can’t provide 100% protection, therefore set     |
|                      |security goals according to classification                  |
|                      |During IT design stage link security with business          |
|                      |strategies                                                  |
|                      |Assessments: self penetration tests                         |
|                      |Keep abreast of current news / join partnerships            |
|                      |Ongoing process                                             |
|                      |GOOD plan                                                   |
|                      |BETTER plan                                                 |

Figure 10: BEST Plan

Works Cited

viewed 12/04/2005

viewed 11/15/2005

viewed 11/20/2005

viewed 10/26/2005

viewed 10/05

viewed 12/01/2005

viewed 12/04/2005

viewed 11/06/05

viewed 11/22/2005

viewed 10/03/2005

http:// criminal/cybercrime/FBI2005.pdf viewed 10/23/2005

viewed 12/1/2005

MIS Quarterly Executive Vol.4 No.2/June 2005

State Legislatures, May 2003, Vol. 29 Issue 5, p22, 4p

USA Today, May 10, 2004

viewed 10/05

MISQ Dark Screen: An Exercise in Cyber Security. Vol. 4 No.2/June 2005

viewed 10/05

viewed 10/05

MISQ Information Privacy and its Management Vol. 3 No.4/December 2004

viewed 10/05

viewed 10/05

-----------------------

[1] MISQ Dark Screen: An Exercise in Cyber Security. Vol. 4 No.2/June 2005

[2] viewed 11/05

[3] viewed 10/05

[4] viewed 10/05

[5] http:// criminal/cybercrime/FBI2005.pdf viewed 10/23/2005

[6] viewed 11/20/2005

[7] viewed 12/01/2005

[8] viewed 12/1/2005

[9] viewed 12/1/2005

[10] viewed 12/1/2005
