By Randall W. Rice
With the recent terrorist attacks, many security experts are concerned about the threat to information assets in the United States. While information security has been a key concern since the proliferation of computer networks, the increased level of concern has prompted me to devote more resources to help combat this threat.
As described in the November 5th issue of Information Week magazine, "The effort to improve computer security is driven by two truths that aren't likely to change: Networks need to be open, and software is essentially imperfect - both of which mean hackers will find their way in." The article goes on to describe new ways that research is being conducted in securing systems besides the traditional firewall approach. The problem with firewalls is that there are holes, and crackers seem to have skills at finding and exploiting them. You can read the article at http://www.informationweek.com/story/IWK20011102S0012.
One of the conclusions that IT security professionals and researchers have reached is that future attempts to realize effective security will require creative and fundamentally different approaches. We know that we can't rely on vendor solutions alone, because to date the levels of quality don't meet the requirements of hack-proof software. At the same time, we know that people need access to certain systems. Complicating matters further is the impact of "human engineering", where intruders can fool humans into giving them access to otherwise secure systems.
Until that time when new and creative solutions are realized, interim measures will need to be applied diligently. As many security experts will testify, it's the loose security of others that causes problems for everyone else. Hopefully, it won't take a major cyberterrorism attack to bring a sense of urgency to this issue. In this spirit, I write this article and hope to give you both a background on the topic and ways to prevent attacks. In addition, I will discuss strategies to help you test the adequacy of security solutions.
What is Cyberterrorism?
According to the U.S. Federal Bureau of Investigation, cyberterrorism is any "premeditated, politically motivated attack against information, computer systems, computer programs, and data which results in violence against non-combatant targets by sub-national groups or clandestine agents."
"Unlike a nuisance virus or computer attack that results in denial of service, a cyberterrorist attack would lead to physical violence or extreme financial harm. According to the U.S. Commission of Critical Infrastructure Protection, possible cyberterrorism targets include the banking industry, military installations, power plants, air traffic control centers, and water systems."
"Cyberterrorism is sometimes referred to as electronic terrorism or information war."
As if the cyberterrorism threat were not enough, there is the related threat of organized cybercrime, which has been blamed in recent cases of e-commerce extortion and online fraud. As Phil Williams, Professor of International Security Studies at the University of Pittsburgh, writes,
"Organized crime groups typically have a home base in weak states that provide safe havens from which they conduct their transnational operations. In effect, this provides an added degree of protection against law enforcement and allows them to operate with minimal risk. The inherently transnational nature of the Internet fits perfectly into this model of activity and the effort to maximize profits within an acceptable degree of risk. In the virtual world, there are no borders, a characteristic that makes it very attractive for criminal activity. When authorities attempt to police this virtual world, however, borders and national jurisdictions loom large -- making extensive investigation slow and tedious, at best, and impossible, at worst."
"The Internet itself provides opportunities for various kinds of theft, whether from online banks or of intellectual property. But it also offers new means of committing old crimes such as fraud, and offers new vulnerabilities relating to communications and data that provide attractive targets for extortion, a crime that has always been a staple of mafia organizations."
Williams' conclusion is not very encouraging. "In sum, the synergy between organized crime and the Internet is not only very natural but also one that is likely to flourish and develop even further in the future. The Internet provides both channels and targets for crime and enables them to be exploited for considerable gain with a very low level of risk. For organized crime it is difficult to ask for more. It is critical, therefore, to identify some of the ways in which organized crime is already overlapping with cybercrime."
From Professor Williams' observations and predictions, the threat of cyber crime is one to be taken just as seriously as cyber terrorism. A major issue is getting people at the grass-roots level in organizations to recognize the credibility of the threats.
How Real is the Threat?
This threat is certainly a clear and present danger. Consider the following:
"Preparedness for cyber terrorism, which we have described often in our discussions as a weapon of mass disruption, if you will. But make no mistake about it, this disruption can be a very deliberate attack on the capabilities of the United States to respond to any other type of attack, or even to end civilian life if in fact our processes through the Internet, and our other information technology capabilities are attacked deliberately.
Our preparedness for cyber terrorism must be broader, to include all levels of private and public activity. Critical local, state, regional and national systems are computer controlled -- computer controlled -- that is the world that we now live in. Power grids, communications, airlines, hazardous materials, hospital life support, the nation's economy, and our national defense.
For years terrorism has been viewed as the exclusive domain of national security. That view requires a reality check. The federal government must recognize that states, communities, governors, mayors, and citizens all have responsibilities, and important vital roles in dealing with the terrorist threat."
Gov. James Gilmore, Chairman, Advisory Panel to Assess Domestic Response Capabilities for Terrorism Involving Weapons of Mass Destruction
How are we Doing?
Based on recent surveys and the information presented to congressional hearings, we have a long way to go before security threats are adequately addressed.
"according to InformationWeek Research's 2001 Global Information Security Survey, fielded by PricewaterhouseCoopers from April to July. Almost half of 2,131 U.S. companies surveyed had no formal security policies in place, and most relied primarily on user passwords and multiple logons for protection."
"Only 49% of U.S. companies had plans to raise user awareness of policies and procedures in the next 12 months."
"What's more, only half of 150 companies surveyed by InformationWeek Research one week after the terrorist attacks say they plan to reassess the security of their facilities in light of those events. 'We need more people to be doing more creative thinking about computer security,' U.S. Rep. Sherwood Boehlert, R-N.Y., said in a House of Representatives Science Committee hearing last week on the security of the nation's corporate IT infrastructure. 'That's what our adversaries are doing.'"
How Could the Threats Play Out?
In December 2000, the Advisory Panel to Assess Domestic Response Capabilities for Terrorism Involving Weapons of Mass Destruction (aka the Gilmore Commission) released its second annual report, which described two possible cyber terrorist scenarios. First, "It is easy to envision a coordinated attack by terrorists, using a conventional or small-scale chemical device, with cyber attacks against law enforcement communications, emergency medical facilities, and other systems critical to a response."
Second, "it is conceivable that terrorists could mount a cyber attack against power or water facilities or industrial plants - for example, a commercial chemical plant that produces a highly toxic substance - to produce casualties in the hundreds of thousands."
The report adds that "the most likely perpetrators of cyber-attacks on critical infrastructures are terrorists and criminal groups rather than nation-states."
Best Practices
So, what can be done proactively to prevent cyberterrorism and cyber crime attacks? One source of best practices for security can be found at the Computer Emergency Response Team's (CERT) web site at http://www.cert.org/security-improvement. This is a rich resource for anyone looking to implement or improve security practices. I highly recommend it!
CERT's five areas of practices are divided into:
1. Harden and secure your systems by establishing secure configurations
2. Prepare for intrusions by getting ready for detection and response
3. Detect intrusions quickly
4. Respond to intrusions to minimize damage
5. Improve your security to help protect against future attacks
Other people advise protective measures such as:
1. All accounts should have passwords, and the passwords should be unusual and difficult to guess.
2. Change the network configuration when defects become known.
3. Check with vendors for upgrades and patches.
4. Audit systems and check logs to help in detecting and tracing an intruder.
5. If you are ever unsure about the safety of a site, or receive suspicious email from an unknown address, don't access it. It could be trouble.
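The fourth measure above, auditing systems and checking logs to detect and trace an intruder, can be partly automated. The following is an added example (not from the article or RCS) that parses constructed sshd-style log lines, flags any source address with five or more failed logins inside a two-minute window, and lists every account that address tried so the attempt can be traced; the log lines, addresses and thresholds are all assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sshd-style log excerpt (not real data); addresses are documentation ranges.
SAMPLE_LOG = """\
Nov  5 10:14:01 gw sshd[812]: Failed password for invalid user admin from 203.0.113.5 port 4412 ssh2
Nov  5 10:14:03 gw sshd[812]: Failed password for invalid user root from 203.0.113.5 port 4413 ssh2
Nov  5 10:14:05 gw sshd[812]: Failed password for invalid user oracle from 203.0.113.5 port 4414 ssh2
Nov  5 10:14:07 gw sshd[812]: Failed password for invalid user test from 203.0.113.5 port 4415 ssh2
Nov  5 10:14:09 gw sshd[812]: Failed password for invalid user guest from 203.0.113.5 port 4416 ssh2
Nov  5 10:14:11 gw sshd[812]: Failed password for invalid user admin from 203.0.113.5 port 4417 ssh2
Nov  5 10:20:30 gw sshd[901]: Failed password for jsmith from 198.51.100.7 port 5120 ssh2
Nov  5 10:20:45 gw sshd[901]: Accepted password for jsmith from 198.51.100.7 port 5120 ssh2
Nov  5 11:05:00 gw sshd[977]: Failed password for invalid user admin from 203.0.113.5 port 4501 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)

def parse_log(text, year=2001):
    """Return (timestamp, result, user, ip) tuples; non-matching lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:  # syslog timestamps carry no year, so one is supplied
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            events.append((ts, m["result"], m["user"], m["ip"]))
    return events

def find_bruteforce(events, threshold=5, window=timedelta(minutes=2)):
    """Map each source IP with >= threshold failures inside a sliding window to the sorted accounts it tried."""
    failures = defaultdict(list)
    for ts, result, user, ip in events:
        if result == "Failed":
            failures[ip].append((ts, user))
    suspects = {}
    for ip, items in failures.items():
        items.sort()
        start = 0
        for end in range(len(items)):
            while items[end][0] - items[start][0] > window:
                start += 1
            if end - start + 1 >= threshold:
                suspects[ip] = sorted({user for _, user in items})
                break
    return suspects

if __name__ == "__main__":
    for ip, users in find_bruteforce(parse_log(SAMPLE_LOG)).items():
        print(f"{ip}: {len(users)} distinct accounts tried: {', '.join(users)}")
```

The single failure from 198.51.100.7 followed by a success is left alone; only the burst from 203.0.113.5 is reported, together with the account names needed to trace it.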
How To Test For The Adequacy Of Anti-Cyberterrorism And Anti-Cyber Crime Methods
One could make a good case for the futility of security testing. After all, there are so many points of vulnerability (holes) and so many sources of attack (crackers) that it would be impossible to test security measures exhaustively. However, you could make the same point about software testing in general. We know that we need to perform some level of security testing, so how do we get the most value for the time and effort expended?
In our security testing class module from RCS, we divide security testing into two distinct methods:
- Verification methods to review and assess that defined security methods and protocols are being followed by the organization.
- Validation methods to test the correctness and performance of the security measures that have been implemented.
Just like any other type of quality control method, both of these views are needed to give a complete assessment of security levels in an organization.
The following is the security testing process we teach in our training module on Testing Internet Security.
Step 1 - Determine Test Strategy and Tools
Like other forms of testing, in this step you define the scope of the test, who will perform it, what will be needed, and which tools are available and most helpful. This can usually be accomplished in just a few hours with assistance from people knowledgeable in the security methods of the organization.
At this first step in the process, you will be faced with some basic decisions, such as: is it possible to perform an adequate level of security testing with manual methods, or will we need to invest in automated security testing tools?
Step 2 - Perform Security Assessment
In the second step of the security testing process, you'll need to assess the current level of security. This includes examining what data is at risk, the value of the items at risk, who should be able to access secured items, and the presence of security controls.
In addition, the security assessment should determine if the controls are effective and actually protecting the assets at risk. The security assessment should also determine if security measures have been tested and at what intervals they are retested. The tasks in this step can include:
- Obtain or develop the organizational cyber security strategy
- Obtain or develop the organizational cyber security practices, including response measures
- Review existing security tools
- Interview those responsible for IT security
Step 3 - Develop the Security Policy
The third step in the security testing process is to develop a security policy that addresses responsibilities, assets at risk, acceptable and appropriate security measures, response in the event of a security break-in, and testing strategies for security.
Step 4 - Identify Security Risks
Functional risks include ensuring that access rights have been correctly established, that authorization levels are correctly enforced, and that procedural controls (such as those used in transactions) are correctly administered and are effective.
Much of the functional testing for security will resemble security tests for legacy and client/server systems, and can be performed using traditional test case methods.
Structural risks include ensuring that firewalls are adequate and have been correctly implemented and maintained, and ensuring that the network configuration is correct and that networks have been correctly maintained. Another structural risk is the adequacy and correctness of the encryption levels used for transferring data across the network.
Step 5 - Script Functions to be Tested
The fifth step in the security testing process is to design test scripts that will validate security measures based on the functional risks. This requires that the points to be tested have already been established. The security test scripts can be based on scenarios that simulate transactions that are exposed to potential security breaches.
These would include scenarios such as testing access rights, authorization levels, and transaction controls.
For this type of security testing, traditional test cases and test scripts can be used effectively.
If the tests must be repeated often, they can be added to the automated test scripts and test cases you may currently have in place, or you may choose to purchase a tool just for the purpose of automating security functions.
A test plan can be developed that focuses on the cyber security strategy and practices. The security policies and procedures serve the same function as requirements serve in a development project. If the security documents do not exist, that is the first finding of the security test, and the test should be discontinued until they have been defined.
Step 6 - Design Automated Security Tests
A functional security test can be automated if you intend to perform it often. These types of tests can first be performed manually, and then recorded into automated test cases and test scripts.
Other types of automated security testing tools, such as vulnerability checkers, can be used effectively without developing test cases in advance. Vulnerability scanners work by attempting to access the system in many different ways to test firewall effectiveness.
Step 7 - Perform Test and Report Results
This final step of the security testing process involves performing the designed tests, whether manual or automated, and analyzing the results. These tests might need to be repeated until the expected level of security has been validated. In addition, some of these tests, such as vulnerability scanning, might need to be run on an ongoing basis to detect security breaches.
The security test report should be detailed enough to describe clearly the findings and recommendations from the test. As with any other type of test reporting, test results should be objective and standardized to eliminate any political or cultural subjectivity. One of the best ways to keep test reporting consistent, objective, and standardized is to make it part of the overall Web testing process.
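As an added example (not the article's or RCS's own material) of Steps 5 through 7 applied to the functional risk of authorization levels: the security policy is expressed as an authorization matrix, a test script is generated for every role/action cell, the scripts run against a constructed stand-in for the system under test, and discrepancies are reported in a standardized form. The roles, actions and the stand-in's behaviour are all assumptions.

```python
from itertools import product

# Authorization matrix taken from the (assumed) security policy: which roles may
# perform which actions; anything not listed must be denied. Constructed for this
# example, not the article's or any real organization's policy.
POLICY = {
    "teller": {"view_account", "post_deposit"},
    "manager": {"view_account", "post_deposit", "approve_transfer"},
    "auditor": {"view_account", "read_audit_log"},
}
ROLES = sorted(POLICY)
ACTIONS = sorted(set().union(*POLICY.values()))

def sut_authorize(role, action):
    """Constructed stand-in for the system under test. It deliberately differs
    from POLICY in one cell: tellers have also been granted approve_transfer."""
    grants = {
        "teller": {"view_account", "post_deposit", "approve_transfer"},
        "manager": {"view_account", "post_deposit", "approve_transfer"},
        "auditor": {"view_account", "read_audit_log"},
    }
    return action in grants.get(role, set())

def build_test_scripts(policy):
    """Step 5: one script per (role, action) cell, positive and negative, so the
    whole matrix is exercised rather than only the permitted paths."""
    return [(r, a, a in policy[r]) for r, a in product(ROLES, ACTIONS)]

def run_security_tests(authorize, scripts):
    """Step 7: execute the scripts and return standardized, objective findings.
    Excess privilege (allowed but policy says deny) is rated higher than a
    missing privilege, which is a functional defect rather than an exposure."""
    findings = []
    for role, action, expected in scripts:
        actual = authorize(role, action)
        if actual != expected:
            findings.append({
                "id": f"AUTHZ-{role}-{action}",
                "severity": "high" if actual else "medium",
                "description": f"role '{role}' {'can' if actual else 'cannot'} "
                               f"'{action}'; policy says {'allowed' if expected else 'denied'}",
            })
    return findings

def report(findings, total):
    """Step 7: report in a fixed form so results are comparable run to run."""
    lines = [f"{total} authorization checks executed, {len(findings)} finding(s)"]
    lines += [f"[{f['severity'].upper()}] {f['id']}: {f['description']}" for f in findings]
    return "\n".join(lines)

if __name__ == "__main__":
    scripts = build_test_scripts(POLICY)
    print(report(run_security_tests(sut_authorize, scripts), len(scripts)))
```

Because the scripts are generated from the policy rather than hand-written, the same harness can be re-run (Step 6) whenever the policy or the system changes, and a policy document that does not exist shows up as an empty matrix rather than a silent pass.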
Conclusion
The cyberterrorism threat is real, and not enough people are prepared to prevent or detect an attack. This impacts other organizations that may be well prepared. Cyber security is a community issue. Like anything else, testing can only validate what has already been done. However, quality professionals can be important advocates for the awareness of IT security. By keeping our eyes open and applying effective techniques, organizations can go a long way toward preventing attacks and recovering quickly in the event of an attack.
References
Report from the Institute for Security Technology Studies at Dartmouth College - Cyber Attacks During the War on Terrorism: A Predictive Analysis - http://globaldisaster.org/cyberattacks.pdf
National Infrastructure Protection Center - www.nipc.gov
Cyberterrorism: Testimony Before the Special Oversight Panel on Terrorism, Committee on Armed Services, U.S. House of Representatives, by Dorothy E. Denning of Georgetown University - May 23, 2000 - http://www.cs.georgetown.edu/~denning/infosec/cyberterror.html
Gilmore Commission Report - http://www.rand.org/nsrd/terrpanel/
Organized Crime and Cybercrime: Synergies, Trends, and Responses, by Phil Williams, Professor of International Security Studies, University of Pittsburgh - http://usinfo.state.gov/journals/itgic/0801/ijge/gj07.htm
All materials on this site copyright 1996 - 2008, Rice Consulting Services, Inc.