Anthrax may be getting all the headlines, but the next lethal infection may be the technological kind. Hackers have posed a threat for years, but the attacks on the World Trade Center and the Pentagon have raised fears that terrorist groups might wreak havoc on the Internet.
According to security experts, the danger is imminent. “I firmly believe that not only is the threat of a cyber-attack real, but the first phase is already under way,” says Mark Fabro, president and chief scientist at Terrasec Corp., an information security consulting firm based in Toronto. Fabro maintains that the preliminary scanning, or information-gathering, process has left an electronic trail. He points to the Intrusion Detection logs of large multinational corporations. “When closely and correctly cross-referenced,” he says, “they show precise data-gathering operations in which outsiders are looking at network structure, points of weakness, and infrastructure locations of weak security.” Fabro says that since 1998 there have been no less than three global scanning projects sponsored by “rogue” nations.
Despite such warnings, corporate executives appear relatively confident in their current security procedures. While not downplaying the risk of cyberterrorism, those interviewed for this story stress that their fundamental approach to computer security has not changed since September 11.
Security professionals argue that current approaches are inadequate. With companies increasingly using the Internet to connect to suppliers and customers, they say, organizations place too much faith in technology to protect their data, while not paying enough attention to security education and awareness. “Companies always assume the technology–including firewalls, VPNs (virtual private networks), intrusion detection systems, and authentication mechanisms–will take care of a security problem,” Fabro says. But the technology won’t work, he contends, unless everyone in the company is educated about information security.
That awareness must start with the technology team, which, while aware of security issues, often has other priorities. “In most instances, the tech people are [just] worried about keeping the network up and applications running,” says Ron Baklarz, CISO (chief information security officer) for the American Red Cross in Falls Church, Virginia. “When you introduce the security component, there’s concern about how they’re going to support their users because of the increased complexity.”
One problem is that many servers are unprotected, explains Fred Rica, a PricewaterhouseCoopers partner and national leader for its National Threat and Vulnerability Assessment Practice in Florham Park, New Jersey, either because they were installed improperly or because patches were never installed. Another problem is that in the rush to keep up with the demand of electronic- business systems, organizations have often turned to off-the-shelf software, much of which is released without thorough security testing, thus making entire systems vulnerable. Ultimately, the corporate consumer must determine where the holes are and fix them, says Baklarz.
The Corporate Defense
That is the undertaking facing Baklarz, who joined the Red Cross last March as its first CISO. He says his approach is to better implement security measures at all levels of the technology infrastructure. “There are a lot of things in place or readily available,” he says. “The questions are: Do you have discipline to use them properly, and are they being used effectively? ” He believes that cyberterrorism is a real possibility, but maintains that his approach to security hasn’t changed all that much since September 11, because, “The posture I take is, you’re always under attack.”
Even before the terrorist attacks, he points out, everyone was dealing with the Code Red and Nimda worms. “I get about 100 E-mails a day [about] vulnerability alerts, so I know that it’s a continuous battle.”
Other organizations are also staying the course with security. Micki Krause, director of information security at PacifiCare Health Systems, based in Santa Ana, California, says her company has not modified its network protection systems, because security entails “a continual, ongoing risk assessment, with a comprehensive approach to network security.” Like Baklarz, she says the company strategy takes every component of the enterprise into account from a risk perspective and then defines and prioritizes risk mitigation for each component. Krause has instituted a Computer Incident Response Team (CIRT), an internal group whose charter is to determine how serious a network breach is and how to respond. “Security really is a business issue,” she says.
Baklarz, who co-authored the 1999 book The Art of Information Warfare, says that although he will request additional funding for 2002, measures can be taken to leverage existing technology as well. For example, he points out that some routers incorporate technology that allows for filtering at the application level, which can prevent viruses from infecting Web servers.
As for new spending, Terrasec’s Fabro estimates that in North America, companies devote 4 to 6 percent of their IT budget to security. “Not only is that not enough, but the money itself is not being spent on a dedicated line item called ‘security,’” he says. Only when security is a dedicated line item in the budget does management recognize it, he maintains.
Because of the terrorist attacks, Fabro projects that security spending will double by the second quarter of 2002. “Companies are revisiting their budgets, and if they’re serious about security, they will spend up to 15 percent of the IT budget on information security.”
How much companies should spend on security depends on the value of the information to be protected, says PwC’s Rica. Devoting 10 percent of the IT budget to security may be enough for an informational Web site. For an E-tailer or online brokerage firm, the figure may be much higher, he says.
“You really need to figure out what are the crown jewels of your company, what are the absolute ‘must’ things,” says Jay Ehrenreich, senior manager of the Cybercrime Prevention and Response Practice at PricewaterhouseCoopers in Tarrytown, New York. “Then you have to ask, If [a security breach] happens, what will the implications be? Spending must match your risk profile, but you have to know what your risk profile is.”
Advice from the Experts
Companies should approach security as they did remediating systems for Y2K, says Rica. They should analyze the entire infrastructure–firewalls, routers, applications, operating systems, Web applications, and databases–for weak spots. “The weakest link can compromise the strongest,” he says.
Fabro says that more often than not, a successful attack takes advantage of a service or function inside the server that is never or only rarely used. This “additional functionality” should be removed, he advises, and the operating system secured so attackers cannot get the necessary toehold on the system.
Above all, companies should make sure that they bring plenty of human intelligence to bear. “Careful inspection of the frequency, type, and source of attacks can lead to insights that the intrusion detection software can’t provide,” says Fabro. That may motivate more companies to create a CISO position, but whether a company designates an information security czar or not, making all the troops aware of the dangers is the first line of defense.
Esther Shein writes regularly for eCFO.