While a lot has been said about the threat of cyberterrorism, enterprises should be more worried about curious users snooping around their systems.
"We haven't seen a cyberterrorist attack yet," said Roger Cressey, chief of staff for the President's Critical Infrastructure Protection Board. "But it's not a question of if we see such an attack, but when."
Yet there is a fine line between taking necessary preparations and yelling "the sky is falling." Companies face a far greater risk from employees than from cyberterrorists, Cressey said.
The majority of security incidents involve curious users, said Vic Wheatman, vice president and research area director at Gartner. The damage from insider infractions tends to be minimal. Vandals who deface Web sites can be damaging, but are more often nuisances. Hacktivism and cybercrime are where pretty significant damage can occur.
September 11 has shown that one cannot plan for the future by solely looking at past activity. The prospect of planes being hijacked and flown into the World Trade Center was unimaginable.
Yet as early as 1997, there were reports advising better information sharing among airlines and calling for a national program to better train baggage screeners. "We can't make the same mistake with IT," said Cressey while addressing Gartner's Information Security Conference 2002 last week.
Traditional approaches to crisis management don't work with cyberthreats. "It would be over before you even start responding," Cressey said.
Cyberterrorist attacks could possibly be blended with more conventional attacks. For example, a mass distributed denial-of-service attack on banks on September 11 would have caused even greater damage, Cressey said.
In fact, distributed denial-of-service attacks are the greatest threat for such an attack, Cressey said. Another possible weapon is "blended threats," worms such as Nimda that can spread in various ways.
Terrorists are hardly technophobes. Groups such as Hamas, Hezbollah and Al Qaeda use the Internet today, though mostly for recruiting purposes. Recently, computers belonging to Al Qaeda were found in Afghanistan containing structural information about U.S. dams and other potentially damaging information. It's not a stretch to wonder whether such groups would go a few steps further and use computers themselves for attacks.
Moreover, rogue states could also use computer attacks. The covert nature of such an attack would be attractive to states that would never consider a more conventional assault. "Attacks can come from anywhere in the world. If they are spoofed, they cannot be traced," Cressey said.
Richard Hunter, vice president of Gartner's G2, sees cyberterrorism as an "oversold threat." Yet there are things that can be done to combat terror attacks (and generally improve cybersecurity to boot). Packet filtering at the enterprise and ISP level could help prevent distributed denial-of-service attacks.
Additionally, keeping systems updated with patches and antivirus updates is important. Many security incidents involve known vulnerabilities for which patches are available. "Administrators are not keeping their systems up to date," Hunter said.
Finally, Hunter offers an analogy. Automakers have added systems to cars that can pinpoint their location and even call emergency services if a crash is detected. However, have these "smart" cars made the roadways safer? This is an analogous situation for information security. Overall security will only improve if users are educated about the technology they are using.