Anthrax may be getting all the headlines, but the next lethal infection may be the technological kind. Hackers have posed a threat for years, but the attacks on the World Trade Center and the Pentagon have raised fears that terrorist groups might wreak havoc on the Internet.
According to security experts, the danger is imminent. “I firmly believe that not only is the threat of a cyber-attack real, but the first phase is already under way,” says Mark Fabro, president and chief scientist at Terrasec Corp., an information security consulting firm based in Toronto. Fabro maintains that the preliminary scanning, or information-gathering, process has left an electronic trail. He points to the intrusion detection logs of large multinational corporations. “When closely and correctly cross-referenced,” he says, “they show precise data-gathering operations in which outsiders are looking at network structure, points of weakness, and infrastructure locations of weak security.” Fabro says that since 1998 there have been no fewer than three global scanning projects sponsored by “rogue” nations.
Despite such warnings, corporate executives appear relatively confident in their current security procedures. While not downplaying the risk of cyberterrorism, those interviewed for this story stress that their fundamental approach to computer security has not changed since September 11.
Security professionals argue that current approaches are inadequate. With companies increasingly using the Internet to connect to suppliers and customers, they say, organizations place too much faith in technology to protect their data, while not paying enough attention to security education and awareness. “Companies always assume the technology–including firewalls, VPNs (virtual private networks), intrusion detection systems, and authentication mechanisms–will take care of a security problem,” Fabro says. But the technology won’t work, he contends, unless everyone in the company is educated about information security.
That awareness must start with the technology team, which, while aware of security issues, often has other priorities. “In most instances, the tech people are [just] worried about keeping the network up and applications running,” says Ron Baklarz, CISO (chief information security officer) for the American Red Cross in Falls Church, Virginia. “When you introduce the security component, there’s concern about how they’re going to support their users because of the increased complexity.”
One problem is that many servers are unprotected, either because they were installed improperly or because patches were never installed, explains Fred Rica, a PricewaterhouseCoopers partner and national leader for its National Threat and Vulnerability Assessment Practice in Florham Park, New Jersey. Another problem is that in the rush to keep up with the demand for electronic-business systems, organizations have often turned to off-the-shelf software, much of which is released without thorough security testing, thus making entire systems vulnerable. Ultimately, the corporate consumer must determine where the holes are and fix them, says Baklarz.
The Corporate Defense
That is the undertaking facing Baklarz, who joined the Red Cross last March as its first CISO. He says his approach is to better implement security measures at all levels of the technology infrastructure. “There are a lot of things in place or readily available,” he says. “The questions are: Do you have discipline to use them properly, and are they being used effectively?” He believes that cyberterrorism is a real possibility, but maintains that his approach to security hasn’t changed all that much since September 11, because, “The posture I take is, you’re always under attack.”