Cyberwarfare and the enterprise: Is the threat real?

Most security geeks just scratched their heads and wondered how an average-size, rather unsophisticated botnet attack with relatively low impact managed to make it above the fold on the front page of the Wall Street Journal. A few public-facing government websites were slow or inaccessible for a few days, but there were no reports of financial damage or any serious service interruptions.

Why all the hype? Is cyberwarfare really something enterprise information security professionals should be concerned about?

DDoS attacks extremely unsophisticated, experts say The denial-of-service attacks that briefly shut down some U.S. and South Korean government websites were not likely carried out by a professional.

The botnet that made headlines last month was tame, but in general, the potential for damage due to cyberwarfare (or cyberaccidents) is huge -- not because of sophisticated enemies, but because our infrastructure is weak and not well maintained. In the U.S., critical infrastructure has come to depend on IT in ways that most people never realize. Skyscraper heating, cooling and access systems can be controlled via the Internet. Hospitals request heart transplants over VoIP phones. Those are just two examples, but there are many others that make it clear that a sophisticated, targeted cyberattack really could cause widespread chaos and even loss of life.

Cyberwarfare is just a small component of a much bigger problem: the need to design a stable, global IT infrastructure. Thoughtless teenagers have wreaked havoc on the Internet countless times without even trying. The Morris Worm of 1988, for example, caused greater devastation than the recent overhyped DDoS attacks, infecting thousands of major Unix machines. Our biggest problem is not that terrorists are out to kill us all, but that even twenty-three years after Morris, our networked infrastructures are about as structurally sound as a Jenga tower.

Even purely accidental network outages have caused major damage to critical infrastructure. Back in 2002, Beth Israel Deaconess Medical Center's network was flooded and brought to a standstill due to an accidental spanning tree loop. Suddenly doctors and lab technicians could not view patient charts, lab results or fill prescriptions over the network. Eventually the emergency room was shut down and patients had to be shuttled to other hospitals.

What would happen if someone actually tried to disrupt critical systems using the Internet?

Have a question? Send your questions about information security threats to Sherri Davidoff.

Last year at the SourceBoston security conference, security researcher Dan Geer explored what could have happened with a piece of malware from 2001 called the Nimda virus. Just a few days after September 11, 2001, Nimda spread across the Internet using five different infection vectors, infecting hundreds of thousands of computers within its first day. There is also another, older virus called E911, which caused infected systems to dial 911 over their modems repeatedly. Geer commented that, had the authors of Nimda considered including that functionality in their virulent code, Americans would have "gotten up the morning of Sept. 19 only to find there was no emergency service nationwide; it would have been turned off everywhere and all at once, like a light switch." That would have been just a few days after the nation was already reeling from a crisis.

How to defend against cyberattacks and cyberaccidents
It's hard to know what the next cyber crisis will be, but here are a few best practices that enterprise security teams should consider to avoid becoming victims.

1. Prepare for outages. Map your organization's information flow. Understand what systems/services depend on having critical network functionality. In many cases, companies simply cannot function without the network anymore. We don't have physical pens and paper or staff training to process all of our information. Develop communication and fallback plans for short-term (i.e. 1-hour), medium-term (i.e. 24-hour), and long-term (ie. multiple-day) network outages. Test them out, when possible. Be realistic; plan for what you can, and understand your limitations.

   With the economy's current struggles, many businesses do not have the resources to devote to disaster planning. As my mother says, just do your best.

2. Maintain systems. Patch all equipment routinely, including servers, workstations and network equipment. Be sure to include third-party applications. Audit routinely. Collect logs centrally. Even if you don't have time to proactively address disaster recovery, at least make sure to properly maintain the systems you have. Don't be the low-hanging fruit.

3. Share information. This might seem counterintuitive, but we're all in this together. If everyone in a particular industry is seeing the same types of probes or unusual activity, that can help us all identify precursors to incidents and avoid major catastrophes. Sharing information about effective and ineffective defense techniques can help us all respond more efficiently.

4. Be a good neighbor. Don't neglect non-critical systems. Even if there's "nothing important" on that Windows server in the corner, you don't want somebody infecting it and using it to attack other sites.

5. Don't overreact. Huge headlines about yet-another-cyberattack have unnecessarily fueled the fire. Now it seems that a relatively unsophisticated botnet can create global fear and potentially affect international relations, giving malicious individuals yet another incentive. We all have our share of security problems, and cyberwarfare is certainly one. If we all stay cool, however, attackers will have one less reason to launch cyberattacks.

The threat of "cyberwarfare" has been dramatically overhyped, but we are afraid for valid reasons: our national infrastructure is a mess. Accidents have caused just as much damage as "cyberwarfare" or other intentional attacks. "War" is not the problem; mismanagement, disorganization and fear are the real threat.

About the author:
Sherri Davidoff is the co-author of the new SANS class "Sec558: Network Forensics" and author of Philosecurity. She is a GIAC-certified forensic examiner and penetration tester. She provides security consulting for many types of organizations, including legal, financial, healthcare, manufacturing, academic and government institutions.

Rate this Tip To rate tips, you must be a member of SearchSecurity.com. Register now to start rating these tips. Log in if you are already a member. BROWSE BY TAG Threat Monitor,   Emerging Information Security Threats,   Information Security Threats,   Enterprise Data Protection,   Data Loss Prevention,   VIEW ALL TAGS Digg This!     StumbleUpon     Del.icio.us    RELATED CONTENT Threat Monitor Server Message Block Version 2 security in question: Disable or patch? Preparing for future security threats, evolving malware Best practices for (small) botnets Cut down on calls to help desk with cybersecurity awareness training How to detect software tampering How to prevent phishing attacks with social engineering tests An enterprise strategy for Web application security threats How SSL-encrypted Web connections are intercepted How a corporate Twitter policy can combat social network threats Software security threats and employee awareness training Emerging Information Security Threats Leverage Google Attacks to Improve Cybersecurity SCADA system, critical infrastructure security lacking, survey finds Preparing for future security threats, evolving malware Facebook attacks prompt investments in social networking security Information security podcasts: 2009 archive Hathaway calls for international cybercrime task force Active PDF attacks target Reader, Acrobat zero-day vulnerability Sites hit with massive automated SQL injection attack Cybercriminals invest in social networking attacks Best practices for (small) botnets Data Loss Prevention Information Security magazine February 2010 issue download Disaster recovery plans and DLP solutions top 2010 priorities Endpoint DLP fills data protection gap Fact or fiction: Inside extrusion detection and prevention technology Health Net breach failure of security policy, technology Health Net healthcare data breach affects1.5 million Layoffs prompt insider threat fears, cybersecurity survey finds Breach prevention: How to keep track of data and applications Trend Micro to address DLP after analyst report criticizes strategy How to secure USB ports on Windows machines RELATED GLOSSARY TERMS Terms from Whatis.com − the technology online dictionary DNS rebinding attack  (SearchSecurity.com) drive-by pharming  (SearchSecurity.com) JavaScript hijacking  (SearchSecurity.com) man in the browser  (SearchSecurity.com) phlashing  (SearchSecurity.com) polymorphic malware  (SearchSecurity.com) pulsing zombie  (SearchSecurity.com) RELATED RESOURCES 2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems Search Bitpipe.com for the latest white papers and business webcasts Whatis.com, the online computer dictionary DISCLAIMER: Our Tips Exchange is a forum for you to share technical advice and expertise with your peers and to learn from other enterprise IT professionals. TechTarget provides the infrastructure to facilitate this sharing of information. However, we cannot guarantee the accuracy or validity of the material submitted. You agree that your use of the Ask The Expert services and your reliance on any questions, answers, information or other materials received through this Web site is at your own risk.