With the recent terrorist attacks, many security experts are concerned about the threat to information assets in the United States. While information security has been a key concern since the proliferation of computer networks, the increased level of concern has prompted me to devote more resources to help combat this threat.
As described in the November 5th issue of Information Week magazine, "The effort to improve computer security is driven by two truths that aren't likely to change: Networks need to be open, and software is essentially imperfect - both of which mean hackers will find their way in." The article goes on to describe new directions in research on securing systems beyond the traditional firewall approach. The problem with firewalls is that they have holes, and crackers are skilled at finding and exploiting them.
One of the conclusions that IT security professionals and researchers have reached is that future attempts to realize effective security will require creative and fundamentally different approaches. We know that we can't rely on vendor solutions alone because, to date, their quality does not meet the requirements of hack-proof software. At the same time, we know that people need access to certain systems. Matters are complicated further by "human engineering," where intruders fool people into giving them access to otherwise secure systems.
Until new and creative solutions are realized, interim measures will need to be applied diligently. As many security experts will testify, it's the loose security of others that causes problems for everyone else. Hopefully, it won't take a major cyberterrorism attack to bring a sense of urgency to this issue. In this spirit, I write this article and hope to give you both a background on the topic and ways to prevent attacks. In addition, I will also discuss strategies to help you test the adequacy of security solutions.
What is Cyberterrorism?
According to the U.S. Federal Bureau of Investigation, cyberterrorism is any "premeditated, politically motivated attack against information, computer systems, computer programs, and data which results in violence against non-combatant targets by sub-national groups or clandestine agents."
"Unlike a nuisance virus or computer attack that results in denial of service, a cyberterrorist attack would lead to physical violence or extreme financial harm. According to the U.S. Commission of Critical Infrastructure Protection, possible cyberterrorism targets include the banking industry, military installations, power plants, air traffic control centers, and water systems."
"Cyberterrorism is sometimes referred to as electronic terrorism or information war."
As if the cyberterrorism threat is not enough, there is the related threat of organized cybercrime, which has been blamed in recent cases of e-commerce extortion and online fraud. As Phil Williams, Professor of International Security Studies at the University of Pittsburgh writes,
"Organized crime groups typically have a home base in weak states that provide safe havens from which they conduct their transnational operations. In effect, this provides an added degree of protection against law enforcement and allows them to operate with minimal risk. The inherently transnational nature of the Internet fits perfectly into this model of activity and the effort to maximize profits within an acceptable degree of risk. In the virtual world, there are no borders, a characteristic that makes it very attractive for criminal activity. When authorities attempt to police this virtual world, however, borders and national jurisdictions loom large -- making extensive investigation slow and tedious, at best, and impossible, at worst."
"The Internet itself provides opportunities for various kinds of theft, whether from online banks or of intellectual property. But it also offers new means of committing old crimes such as fraud, and offers new vulnerabilities relating to communications and data that provide attractive targets for extortion, a crime that has always been a staple of mafia organizations."
Williams' conclusion is not very encouraging. "In sum, the synergy between organized crime and the Internet is not only very natural but also one that is likely to flourish and develop even further in the future. The Internet provides both channels and targets for crime and enables them to be exploited for considerable gain with a very low level of risk. For organized crime it is difficult to ask for more. It is critical, therefore, to identify some of the ways in which organized crime is already overlapping with cybercrime."
From Professor Williams' observations and predictions, the threat of cyber crime is one to be taken just as seriously as cyber terrorism. A major issue is getting people at the grassroots level in organizations to recognize that these threats are credible.
How Real is the Threat?
This threat is certainly a clear and present danger. Consider the following:
- This year, the Code Red virus infected over 760,000 computers worldwide and was the fastest spreading virus seen to date over the Internet.
- "Symantec's CTO Rob Clyde notes that there are now so many free tools on the Internet that hackers needn't be experts to cause problems; all they have to do is run readily available scripts. And with 97% of the world's money supply in digital form, hacking as an intellectual exercise will rapidly give way to cybercrime for profit, he predicts."
- "Following the United States' first strikes against sites in Afghanistan, Attorney General John Ashcroft said last week that the FBI and other federal law-enforcement officials had advised thousands of CIOs, chief technology officers, and IT managers that their IT systems may be targeted in retaliatory terrorist attacks-or used to launch them. As companies heed Ashcroft's advice to maintain 'the highest state of alert,' the way they do business may change."
- "In the aftermath of the 11 September attacks, hacking groups have formed and participated in pro-U.S. and anti-U.S. cyber activities, fought mainly through web defacements. There has been minimal activity in the form of DDoS attacks, mostly between opposing protesting groups. NIPC has reason to believe that the potential for future DDoS attacks is high. The protesters have indicated they are targeting web sites of the U.S. Department of Defense and organizations that support the critical infrastructure of the United States, but many businesses and other organizations - some completely unrelated to the events - have been victims."
"Preparedness for cyber terrorism, which we have described often in our discussions as a weapon of mass disruption, if you will. But make no mistake about it, this disruption can be a very deliberate attack on the capabilities of the United States to respond to any other type of attack, or even to end civilian life if in fact our processes through the Internet, and our other information technology capabilities are attacked deliberately.
Our preparedness for cyber terrorism must be broader, to include all levels of private and public activity. Critical local, state, regional and national systems are computer controlled -- computer controlled -- that is the world that we now live in. Power grids, communications, airlines, hazardous materials, hospital life support, the nation's economy, and our national defense.
For years terrorism has been viewed as the exclusive domain of national security. That view requires a reality check. The federal government must recognize that states, communities, governors, mayors, and citizens all have responsibilities, and important vital roles in dealing with the terrorist threat."
Gov. James Gilmore, Chairman, Advisory Panel to Assess Domestic Response Capabilities for Terrorism Involving Weapons of Mass Destruction
How are we Doing?
Based on recent surveys and the information presented to congressional hearings, we have a long way to go before security threats are adequately addressed.
"According to InformationWeek Research's 2001 Global Information Security Survey, fielded by PricewaterhouseCoopers from April to July. Almost half of 2,131 U.S. companies surveyed had no formal security policies in place, and most relied primarily on user passwords and multiple logons for protection."
"Only 49% of U.S. companies had plans to raise user awareness of policies and procedures in the next 12 months."
"What's more, only half of 150 companies surveyed by InformationWeek Research one week after the terrorist attacks say they plan to reassess the security of their facilities in light of those events. 'We need more people to be doing more creative thinking about computer security,' U.S. Rep. Sherwood Boehlert, R-N.Y., said in a House of Representatives Science Committee hearing last week on the security of the nation's corporate IT infrastructure. 'That's what our adversaries are doing.'"
How Could the Threats Play Out?
In December 2000, the Advisory Panel to Assess Domestic Response Capabilities for Terrorism Involving Weapons of Mass Destruction (aka The Gilmore Commission) released its second annual report, which described two possible cyber terrorist scenarios. First, "It is easy to envision a coordinated attack by terrorists, using a conventional or small-scale chemical device, with cyber attacks against law enforcement communications, emergency medical facilities, and other systems critical to a response."
Second, "it is conceivable that terrorists could mount a cyber attack against power or water facilities or industrial plants - for example, a commercial chemical plant that produces a highly toxic substance - to produce casualties in the hundreds of thousands."
The report adds that "the most likely perpetrators of cyber-attacks on critical infrastructures are terrorists and criminal groups rather than nation-states."
So, what can be done proactively to prevent cyberterrorism and cyber crime attacks? One source of best practices for security can be found at the Computer Emergency Response Team's (CERT) web site at http://www.cert.org. This is a rich resource for anyone looking to implement or improve security practices. I highly recommend it!
CERT's practices are divided into five areas:
1. Harden and secure your systems by establishing secure configurations
2. Prepare for intrusions by getting ready for detection and response
3. Detect intrusions quickly
4. Respond to intrusions to minimize damage
5. Improve your security to help protect against future attacks
Other people advise protective measures such as:
1. All accounts should have passwords, and the passwords should be unusual and difficult to guess.
2. Change the network configuration when defects become known.
3. Check with vendors for upgrades and patches.
4. Audit systems and check logs to help in detecting and tracing an intruder.
5. If you are ever unsure about the safety of a site, or receive suspicious email from an unknown address, don't access it. It could be trouble.
How To Test For The Adequacy Of Anti-Cyberterrorism And Anti-Cyber Crime Methods
One could make a good case for the futility of security testing. After all, there are so many points of vulnerability (holes) and so many sources of attack (crackers), that it would be impossible to test security measures exhaustively. However, you could make the same point in software testing in general. We know that we need to perform some level of security testing, so how do we get the most value for the time and effort expended?
In our security testing class module from RCS, we divide security testing into two distinct methods:
- Verification methods to review and assess that defined security methods and protocols are being followed by the organization.
- Validation methods to test the correctness and performance of the security measures that have been implemented.
Just like any other type of quality control methods, both of these views are needed to give a complete assessment of security levels in an organization.
The following is the security testing process we teach in our training module on Testing Internet Security.
Step 1 - Determine Test Strategy and Tools
Like other forms of testing, in this step you define the scope of the test, who will perform it, what will be needed, which tools are available and most helpful. This can usually be accomplished in just a few hours with assistance from people knowledgeable in the security methods of an organization.
At this first step in the process, you will be faced with some basic decisions, such as: is it possible to perform an adequate level of security testing with manual methods, or will we need to invest in automated security testing tools?
Step 2 - Perform Security Assessment
In the second step of the security testing process, you'll need to assess the current level of security. This includes examining what data is at risk, the value of the items at risk, who should be able to access the protected items, and which security controls are present.
In addition, the security assessment should determine if the controls are effective and actually protecting the assets at risk. The security assessment should also determine whether the security measures have been tested and at what intervals they are retested. The tasks in this step can include:
- Obtain or develop the organizational cyber security strategy
- Obtain or develop the organizational cyber security practices, including response measures
- Review existing security tools
- Interview those responsible for IT security
Step 3 - Develop the Security Policy
The third step in the security testing process is to develop a security policy that addresses responsibilities, assets at risk, acceptable and appropriate security measures, response in the event of a security break-in, and testing strategies for security.
Step 4 - Identify Security Risks
Functional risks include ensuring that access rights have been correctly established, that authorization levels are correctly enforced, and that procedural controls (such as those used in transactions) are correctly administered and are effective.
Much of the functional testing for security will resemble security tests for legacy and client/server systems, and can be performed using traditional test case methods.
Structural risks include ensuring that firewalls are adequate and have been correctly implemented and maintained, and ensuring that the network configuration is correct and the networks have been correctly maintained. The adequacy and correctness of the encryption used to transfer data across the network is also a structural risk.
Step 5 - Script Functions to be Tested
The fifth step in the security testing process is to design test scripts that will validate security measures based on the functional risks. This will require that points to be tested have already been established. The security test scripts can be based on scenarios that simulate transactions that are exposed to potential security breaches.
These would include scenarios such as testing access rights, authorization levels, and transaction controls.
For this type of security testing, traditional test cases and test scripts can be used effectively.
If the tests must be repeated often, they can be added to the automated test scripts and test cases you may already have in place, or you may choose to purchase a tool just for the purpose of automating security tests.
A test plan can be developed that focuses on the cyber security strategy and practices. The security policies and procedures serve the same function as requirements serve in a development project. If the security documents do not exist, that is the first finding of the security test and the test should be discontinued until they have been defined.
Step 6 - Design Automated Security Tests
A functional security test can be automated if you intend to perform it often. These types of tests can first be performed manually, and then recorded into automated test cases and test scripts.
Other types of automated security testing tools, such as vulnerability checkers, can be used effectively without developing test cases in advance. Vulnerability scanners work by attempting to access the system in many different ways to test firewall effectiveness.
Step 7 - Perform Test and Report Results
This final step of the security testing process involves performing the designed tests, whether manual or automated, and analyzing the results. These tests might need to be repeated until the expected level of security has been validated. In addition, some of these tests, such as vulnerability scanning, might need to be run on an ongoing basis to detect security breaches.
The security test report should be detailed enough to describe clearly the findings and recommendations from the test. As with any other type of test reporting, test results should be objective and standardized to eliminate any political or cultural subjectivity. One of the best ways to keep test reporting consistent, objective, and standardized is to make it part of the overall Web testing process.
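As an added example (not code from the RCS training module or from any tool the article names), here is a small automated functional security test of the kind Steps 5 and 6 describe: a constructed policy table stands in for the security requirements, every role/asset/operation combination becomes a test case, and the authorization check under test is a hypothetical, deliberately flawed stand-in for the application being assessed. All role, asset and function names are assumptions made for the example.

```python
"""Policy-driven access-control test (constructed example, hypothetical names)."""
from itertools import product

# Constructed sample security policy: (role, asset, operation) triples that
# are permitted. Per Step 5, this table plays the role of the requirements.
POLICY = {
    ("teller", "account", "read"),
    ("teller", "account", "deposit"),
    ("manager", "account", "read"),
    ("manager", "account", "deposit"),
    ("manager", "account", "withdraw"),
    ("manager", "audit_log", "read"),
    ("auditor", "audit_log", "read"),
}
ROLES = {"teller", "manager", "auditor", "guest"}
ASSETS = {"account", "audit_log"}
OPERATIONS = {"read", "deposit", "withdraw"}


def is_authorized(role, asset, operation):
    """Hypothetical system under test: an authorization check with two defects."""
    if role == "manager":
        return True                   # defect: managers may do anything at all
    if role == "teller" and asset == "account":
        return operation in ("read", "deposit")
    if role == "auditor":
        return asset == "audit_log"   # defect: auditors may also modify the log
    return False


def generate_cases(policy, roles, assets, operations):
    """Derive a test case for every combination; expected result comes from policy."""
    return [(r, a, o, (r, a, o) in policy)
            for r, a, o in product(sorted(roles), sorted(assets), sorted(operations))]


def run_tests(policy, check=is_authorized):
    """Return findings: ('EXCESS'|'DENIED', role, asset, operation) mismatches.

    If no policy document exists, that is the first finding and testing stops,
    as Step 5 prescribes.
    """
    if not policy:
        return [("NO_POLICY", "-", "-", "-")]
    findings = []
    for role, asset, op, expected in generate_cases(policy, ROLES, ASSETS, OPERATIONS):
        actual = check(role, asset, op)
        if actual != expected:
            findings.append(("EXCESS" if actual else "DENIED", role, asset, op))
    return findings


def report(findings):
    """Standardized, objective report lines suitable for the Step 7 test report."""
    return [f"{kind}: role={r} asset={a} operation={o}" for kind, r, a, o in findings]


if __name__ == "__main__":
    print("\n".join(report(run_tests(POLICY))) or "no findings")
```

Each EXCESS line is a grant the policy never authorized; a DENIED line would be a legitimate user locked out, which is a finding too, because it drives people toward workarounds.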
The cyberterrorism threat is real, and not enough people are prepared to prevent or detect an attack. This impacts other organizations that may be well-prepared. Cyber security is a community issue. Like anything else, testing can only validate what has already been done. However, quality professionals can be important advocates for the awareness of IT security. By keeping our eyes open and applying effective techniques, organizations can go a long way toward preventing attacks and recovering quickly in the event of an attack.
References
Report from the Institute for Security Technology Studies at Dartmouth College – Cyber Attacks During the War on Terrorism: A Predictive Analysis – http://globaldisaster.org/cyberattacks.pdf
National Infrastructure Protection Center – www.nipc.gov
Cyberterrorism Testimony Before the Special Oversight Panel on Terrorism, Committee on Armed Services, U.S. House of Representatives – Dorothy E. Denning, Georgetown University – May 23, 2000
Gilmore Commission Report – http://www.rand.org/nsrd/terrpanel/