The Blending of Physical and Information Security Threats

Which of the following incidents poses a threat to your company’s security?

A. Your parking lot is full of SUVs set ablaze to protest America’s profligate consumption of the world’s natural resources.

B. Your CEO’s user account is active and accessing the latest R&D reports for a new product at 1 a.m. while he’s supposed to be on a flight to Asia.

C. An enterprising young man in the Ukraine is siphoning credit card numbers off the Web for his employer, a criminal syndicate, which compiles and sells them in bulk to the highest bidder.

Unless you own a car dealership or hold an executive position with Amazon.com, you’re probably going with “B,” right?

Ah, if only it were that simple. Unfortunately for CSOs, each one of those diverse scenarios illustrates a trend that is a clear, present and growing danger to corporate security. In spite of the fact that security is finally getting the attention and resources it deserves, the list of threats that CSOs will have to handle during the next few years continues to expand at an alarming rate.

And it’s no longer just the antisocial basement-dwelling hacker, cracker or script kiddie behind such attacks. The collection of ne’er-do-wells with an interest in undermining your corporate security has metastasized during the past few years into a multifarious cast of characters: industrial and state-sponsored spies, cyberterrorists, ecoterrorists and international mafiosi, just to name a few.

But does it really matter who’s behind a security breach? Plenty of gee-whiz stories have been written that delve into the culture of the Russian mafia or the potential threat of cyberterrorism, and these issues are usually covered with a breathless fascination resembling the bravura of the bad guys. Sure, they make for great stories, but they provide little assistance to CSOs in strengthening their defenses.

“Whether it’s a hacker taking credit card numbers or organized crime, often they’re exploiting the same vulnerabilities,” says Dorothy Denning, professor at the Department of Defense Analysis of the Naval Postgraduate School. “It’s not so much who the actor isit’s what they’re doing.”

Still, there are some definite trends that security executives should pay attention toevolutionary changes occurring within the underground. Here’s how you should structure your security defenses to keep pace.Convergence TheoryAsk any security expert to forecast the future, and after he finishes the requisite hemming and hawing over the impossibility of such a task, he’ll usually profess at least one certainty: that “convergence” will occur. By that, he means that criminal groups will band together to attempt larger attacks, and that those efforts will likely include blended attacks that have a physical and cyber component to them.

The threat of a blended attack is one that the intelligence community takes very seriously. Harold Hendershot, section chief of the computer intrusion section of the FBI’s cyberdivision, characterizes the prospect of such an attack as a force multiplier.

“Imagine if the 9/11 attacks had been coupled with a denial-of-service attack on telephones in Washington, D.C., or New York,” he says. “It’s a force multiplier because it increases the perception of damage. [Terrorists] can inflict a lot of physical damage, but if the government is suddenly silent or slow to respond, it creates psychological damage.”

Most experts agree that while terrorism groups have indicated an interest in using IT attacks to undermine critical infrastructure (and are using the Internet extensively as a communication medium by burying messages in spam), they haven’t matched up the intent with the capability yet. But it’s likely not too far away.

“These are educated, smart, well-funded and reasonably motivated individuals, and there’s a lot they can do,” says Bill Hancock, CSO of telecommunications company Cable & Wireless. “The entry point for cyberterrorism is different from [bioterrorism] where you have to pay people to develop things for you. The entry point for cyberterrorism is the cost of a PC.”

Hancock asks his fellow CSOs to consider the panic that would ensue if a widespread cyberattack were to hit the financial community. Millions of people could lose their life’s savings. “What is money, after all, but an entry in a database?” he says.

Of course, “bombs have a better byline” than a computer attack, notes Hendershot grimly, but high-concept attacks such as walking into a stadium event with a bomb is getting harder to pull off. The prospect of tying a lower-grade kinetic event with a cyber component that might delay first-responders or cause additional chaos is likely to be more attractive to terrorists as a way to increase the event’s efficacy.

“If you’re looking at convergence as the possibility to launch a coordinated attack physically and virtually, I think that we’ll see the effect of that fear in the next five years,” says Dario Forte, security adviser to the European Electronic Crimes Task Force. “But if you are looking at this phenomenon for a cyberevent like the Blaster worm to have an impact on physical security, I think we’ll see that in the next two years.”

In fact, in September the State Department had to temporarily shut down its electronic CLASS system (the Consular Lookout and Support System), which checks visa applicants for terrorist or criminal histories because of an infestation of the Welchia virus. Forte predicts that those kinds of incidents are only going to increase in frequency.

For CSOs, the pressure is on to knit the physical and cybersecurity departments closer together, if not merge them entirely. “Going forward, the modern and forward-thinking company will need to demand a holistic approach to risk management. That means combining [physical and IT security] to work together for common results,” says Hancock. “The truly ‘bad boys’ of the terrorist world do not differentiate between methods to terrorize a specific target,” he notes. “Whatever works best and quickly is always preferred.”

Hancock is quick to add that, if the opposition is going to use multiple methods and blended methods to debilitate a company, the company being attacked can’t think in “old ways” to deal with a modern threat.

Perpetrators are indicating a willingness to pool their resources and pull off ever larger exploits. Hackers are countering increased network resistance to old-style attacks by working in gangsharnessing their collective brain and computing power. And even crime syndicates have developed a very sophisticated set of technology skills.

The worry is that those skills might be hired out to a terrorist organization, providing an out-of-the-box cyberterrorist capability, notes Matthew Devost, a founding director of the Terrorism Research Center. “They have their own laptops and accounting systems and command-and-control networks, and everything that a billion-dollar multinational would have,” he says.

Groups that are interested in pulling off purely physical attacks are also combining forces with like-minded individuals. The ALF (Animal Liberation Front) and the ELF (Earth Liberation Front) have long been on the list of the FBI’s top domestic terrorism concerns, but recently a splinter group called the Revolutionary Cells has formed, creating a front group for militants across the so-called liberationary movement spectrum. The group characterizes its membership as “anarchists, communists, antiracists, animal liberationists, earth liberationists, Luddites and feminists,” among other things, and their tactics are brutal. The group recently claimed responsibility for bombings outside the California offices of Chiron, a company that has had business dealings with Huntingdon Life Sciencesa longtime target of animal-rights activists. Security Gets Personal In the coming years, facility security and i.t. security may be joined by a third and equally important area of security practicepersonal security. This issue was once only a concern for celebrities, high-profile executives and dignitaries, but it’s starting to go mainstream as citizens and employees are targeted for an employer’s perceived transgressionsand sometimes for no reason at all.

Groups such as ALF, ELF and SHAC (Stop Huntingdon Animal Cruelty) used to target mostly pharmaceutical companies, fur farms or logging companies in the Pacific Northwest, and it was fairly easy to predict whether your company might be a target of their activities. But recently the groups have taken to targeting the secondary business partners as an effective strategy in undermining the primary business target.

For instance, Shaklee Corp., a personal and home care product and nutrition supplement company, is a subsidiary of a pharmaceutical company that animal rights groups want to target. Individuals who have a secondary relationship to such companies have also been targeted. In one instance, members of SHAC posted personal information online for a stockbroker for Huntingdon Life Sciences. When that had no effect, they posted the personal information of his neighbors.

Such threats will also carry over to employees as they travel overseas. “Today’s modern executive needs good physical protection measures and proper intelligence so they know what to avoid when traveling,” says Hancock.

Several high-profile executives have had ransom demands delivered and negotiated via cyberspace when a family member was kidnapped, and their personal information has been stolen for identity theft (see “Q&A: Frank Abagnale,” Page 42). Hancock notes that the home computers of executives will continue to be targeted for “harvesting” by competitors, and CSOs will have to ensure that their departments work closely with every employee who has access to sensitive information so that they can secure their computing environments no matter where they work.Keep Friends Close Sun Tzu might rethink his philosophy of keeping friends close and enemies closer if he were contemplating the security challenges of a Fortune 500 company. One of the threats that CSOs faceparticularly those working in the critical infrastructureis the possibility of employing a hacker, corporate spy or other individual who wants to gain a trusted position within a corporate network for nefarious reasons. “Hiring practices and background checks haven’t kept pace with threats,” notes the Terrorism Research Center’s Devost, “and there’s increasing concern that it might be easy to get someone hired into a legitimate position and have them collocate with a target inside the firewall to engage an attack.”

Fueling the espionage aspect of that problem is a tight economy; people are looking for illegitimate ways to use their skills and earn more money, and corporations are desperate to find any way to gain a competitive edge. Most of the time, a skilled corporate spy can get in and out of a network without anyone ever knowing he was there. “You can spend a lot of money to protect against the attack from the outside, but once you bring somebody into camp, the threat goes way up because the greatest damage comes from an inside threat,” says the FBI’s Hendershot.

Not only should companies review their background check and hiring procedures, but they should also review who has access to which systems and documents. “Determine where you will draw that line of trust,” Hendershot suggests. “Should a person in sales be reviewing R&D documents? Should a person in finance be looking at our marketing theory? CSOs turn on intrusion detection for the outside, but what’s going on inside, and does it make sense?”

Forte notes that the “gray hat” phenomenon is also still on the rise, and he cautions CSOs to not only examine who their employees are but their contractors as well. In August 2002, 14 Italian hackersalmost all of whom were security professionals by daywere arrested and charged with hacking the networks of NASA, the U.S. Army and Navy, and various universities around the world.Which One of These Things Is Not Like the Others?Another buzz phrase that security experts frequently bandy about in discussions of future security threats is the importance of “anomaly detection”noticing that the CEO’s account is active even though he’s on an airplane, and recognizing when changes occur in the network that portend a potential threat or vulnerability. Security organizations will have to become even faster and more nimble. They will have to notice anomalies and institute fixes much faster.

Forte notes that the trend in viruses and worms is moving ever closer to “zero day” attacksany attack in which there is less than 24 hours between the announcement of a vulnerability and its exploit. “Hackers are increasing their research activity and trying to share secrets without releasing them to the public,” he says. “I strongly believe that the time for [a virus to] spread will be reduced to a few minutes in the next couple years, and security managers will have to take care of their reaction time.”

And, of course, there’s always the unpredictable variable of luck. Script kiddies still account for 60 percent to 70 percent of denial-of-service and distributed denial-of-service attacks. Most of the time they download tools, but they don’t really understand what they’re doing. But one of these dayswhether it’s intentional or notone of these kids is going to get lucky and will have a major impact on the critical infrastructure or some other important system. Still About the BasicsIt would be great to imagine a future in which security transcends the petty issues of patching and policy enforcement, but that doesn’t seem to be in the cards for CSOs.

A majority of threats that are likely to plague security executives in the years to come will derive from a continued failure to adhere to basic best practices. Companies will keep trying to save money by connecting networks and leveraging a shared infrastructure, but these networks that were previously closed and isolated from the dangers of the Web will now be internetworked with potentially disastrous results. These closed networks are laid bare to a multitude of security threats that they are poorly equipped to withstand. Nuclear reactors, electrical substations and oil refineries all are run by process networks.

Hancock, for one, fears that as more of these networks are interconnected to save money, disastrous repercussions will ensue.

“Think about the basics of safe computing and the spread of viruses,” advises Hendershot. “Sobig, Cornucopia, Code Red have taken known exploits to propagate themselves. Security people have to make sure that when new technologies come out, they are familiar with the vulnerabilities. What door are you opening?”

The future holds unknown challenges in store for the CSOeveryone’s crystal ball seems to agree on that much. But the biggest danger that security executives are sure to face is failing to address the vulnerabilities that they already have today.