Article

Digital doomsday can be avoided with preparation

Bill Brenner, Senior News Writer

A common nightmare scenario in the business world is that a hacker will crack a company's digital defenses, steal sensitive data or disable the network. Scott Borg, director and chief economist at the U.S. Cyber Consequences Unit (US-CCU), an independent organization that churns out information security data on behalf of the government, says enterprises face a darker possibility.

Online outlaws could quietly penetrate the network and, over six to eight months, alter critical data so that it's no longer accurate. For instance, an attacker could access a health insurance company's patient records and modify information on a person's prescriptions or surgical history. Or an attacker could access an automotive company's database and tamper with specifications on various car parts.

"The big worry shouldn't be that someone's going to shut down a company's computer system," Borg said. "If you shut down almost anything in our economy for a couple days, the damage is minimal. We have enough inventory to time shift our activities so we're not badly hurt. But if the attacker causes physical damage or makes it so the business process is faulty, the damage can be horrendous."

Borg and US-CCU research director John Bumgarner have developed a draft checklist designed to help businesses examine such digital doomsday scenarios so they can thwart them or at least mitigate the consequences. It was unveiled at last week's GovSec conference in Washington, D.C., and Borg and Bumgarner

    Requires Free Membership to View

    Login

ultimately hope the U.S. Department of Homeland Security (DHS) will adopt the checklist as part of an official standard. DHS has not yet approved the draft.

The checklist consists of 478 questions meant to help enterprises assess their ability to handle a variety of cyberattacks. It is divided into six categories:

  • Hardware: Physical equipment and physical environment.
  • Software access: Identity authentication, application privileges, input validation and appropriate behavior patterns.
  • Network: Permanent connections, intermittent connections and network maintenance.
  • Automation: Remote sensors and control systems, as well as backup procedures.
  • Human operator: Security training and accountability.
  • Software supply: Internal policies for software development and dealing with vendors.

    In the human operator section, for example, enterprises are asked such questions as:

  • Does the corporation handle downsizings in a manner that minimizes hostile feelings on the part of former employees?
  • Does the corporation offer a procedure that allows employees to report outsiders' attempts to extort their cooperation in circumventing security, without having the basis for that extortion widely revealed or made part of that employee's permanent record?

    For more information

    The threat with the most disaster potential

    Why the catastrophic cyberattack may never come

    Who best to avert disaster: Government or business?

    Home is where the heart (and disaster back-up plan) is

    Cybersecurity czar: DHS overhaul will improve preparedness
    The document also examines how the cybersecurity environment has changed in recent years, Borg said, and offers more specific guidance to deal with threats as they would impact different business sectors.

    At GovSec and other conferences, Borg said he's been trying to "wake people up" to the scenarios the US-CCU checklist is designed to address. In some industries, he said, not taking the proper precautions as soon as possible could be disastrous.

    "If hospitals are denied access to someone's insurance information, it's a nuisance," he said. "If someone accesses a hospital computer [and] changes numbers, tampers with dosage schedules and announces his handiwork six months later, panic could ensue, people would be afraid to go to a medical facility and the health industry could suffer massive lawsuits and bankruptcies."

    In the auto industry, tampering with auto parts data could lead to cars failing on the road, people getting injured or killed and the auto manufacturer going belly-up. "People would stop buying cars," Borg said.

    He acknowledged these kinds of attacks aren't happening much right now. But, he said, there have been isolated cases in the financial sector. Other intelligence suggests the digital underground has the ability and motivation to do a lot more damage.

    "Our job is to look at some of these scenarios and help people prepare," he said, "but I can tell you that we have seen some worrisome signs. Last spring we started getting evidence of a shift" in the digital underground, with emphasis shifting from worms to what could be done with unfettered access to a corporate network.

    One result has been the mountain of corporate data breaches this past year. But the bad guys have plenty of motivation to go beyond simply extracting someone's personal data for the sake of identity theft.

    "If you can cause a huge economic event, you can make a huge profit off it," he said. "If you can damage an industry and radically change demand for a commodity, there are ways to make an awful lot of money in the process."

    He noted that right after the Sept. 11 terrorist attacks, there was speculation in the security community that members of Al Qaeda had cashed in some airline stocks before the attacks.

    Is Borg's warning resonating with audiences? He believes so.

    "GovSec was attended by a lot of police officers and people in government," Borg said. "Some in the audience said they hadn't previously appreciated the concept of the threat as I articulated it. A lot of people say they hadn't looked at it this way."


    • Join the conversationComment

    Share
    Comments

      Results

      Contribute to the conversation

      All fields are required. Comments will appear at the bottom of the article.
      Back to top