In Depth

The Blending of Physical and Information Security Threats

The coming wave of security threats will increasingly be blended with physical and information components. CSOs who want to prepare for these attacks will have to meld their defenses to meet the challenge.

By Daintry Duffy

Forte notes that the "gray hat" phenomenon is also still on the rise, and he cautions CSOs to not only examine who their employees are but their contractors as well. In August 2002, 14 Italian hackers, almost all of whom were security professionals by day, were arrested and charged with hacking the networks of NASA, the U.S. Army and Navy, and various universities around the world.

Which One of These Things Is Not Like the Others?

Another buzz phrase that security experts frequently bandy about in discussions of future security threats is the importance of "anomaly detection": noticing that the CEO's account is active even though he's on an airplane, and recognizing when changes occur in the network that portend a potential threat or vulnerability. Security organizations will have to become even faster and more nimble. They will have to notice anomalies and institute fixes much faster.

Forte notes that the trend in viruses and worms is moving ever closer to "zero day" attacks: any attack in which there is less than 24 hours between the announcement of a vulnerability and its exploit. "Hackers are increasing their research activity and trying to share secrets without releasing them to the public," he says. "I strongly believe that the time for [a virus to] spread will be reduced to a few minutes in the next couple years, and security managers will have to take care of their reaction time."

And, of course, there's always the unpredictable variable of luck. Script kiddies still account for 60 percent to 70 percent of denial-of-service and distributed denial-of-service attacks. Most of the time they download tools, but they don't really understand what they're doing. But one of these days, whether it's intentional or not, one of these kids is going to get lucky and will have a major impact on the critical infrastructure or some other important system.

Still About the Basics

It would be great to imagine a future in which security transcends the petty issues of patching and policy enforcement, but that doesn't seem to be in the cards for CSOs.

A majority of threats that are likely to plague security executives in the years to come will derive from a continued failure to adhere to basic best practices. Companies will keep trying to save money by connecting networks and leveraging a shared infrastructure, but these networks that were previously closed and isolated from the dangers of the Web will now be internetworked with potentially disastrous results. These closed networks are laid bare to a multitude of security threats that they are poorly equipped to withstand. Nuclear reactors, electrical substations and oil refineries all are run by process networks.
