It's no secret that large U.S. businesses are in the crosshairs of foreign government entities and terrorists. According to Maj. Gen. William Lord, "China has downloaded 10 to 20 terabytes of data from the NIPRNet," the Department of Defense network used for transmitting sensitive information. It is only a matter of time before military and terrorist organizations target commercial organizations. In fact, the Department of Homeland Security recently warned of potential Internet attacks on the U.S. stock market and banking Web sites. Large businesses offer an attractive target and the potential impact is very high.
Known targets and threats
The Department of Defense secures its systems using world-class information security standards and layered controls, thanks in large part to an abundance of financial resources. Conversely, corporations have limited security budgets and can be weakened by
The threat of cyberwarfare is different from common Internet threats and most organizations are not adequately prepared for it. Corporate defenses typically concentrate on protecting data from theft or alteration. Cyberwarfare also seeks to disrupt critical infrastructure and services. That brings availability, resiliency and incident response into the mix. Expect malicious attacks by determined hackers. They will be well trained and have ample resources.
The risk-reward ratio for cyberwarriors is also different. Many are not motivated by profit and will expend a great deal of time and resources with the only reward being disruption of service and chaos. Economic damage is very powerful and can dishearten a country.
Considering the strength of the U.S. military, cyberwarfare offers an attractive alternative. Cyberattacks can be conducted from overseas with little chance for reprisal. Businesses need to take this threat seriously. Learn about current cyberwarfare threats and keep appraised of developments.
Internet based attacks are becoming more sophisticated all the time. Cyberwarfare threats warrant composite security defenses comprised of preventive, detective and corrective controls. A successful defense strategy focuses on identifying critical information and services and implementing layered controls to protect them.
Sound business practices are founded on the principle of action, not reaction. That means security programs must be highly proactive in safeguarding sensitive data and critical services, which means: fixing vulnerabilities hidden from auditors; raising awareness of issues that exist because of politics or organizational gaps and working collaboratively to address them; and preventing compensating controls from being cited inappropriately. The layered controls specified by best practices and applicable regulations are necessary to maintain a strong security posture. Ensure critical suppliers comply with your standards.
Senior management must actively support this approach by funding security initiatives and advocating security as a business requirement. Information security professionals can help their own cause by communicating effectively with senior management through a targeted awareness program that includes presentations, metrics and reporting. Solicit their support throughout the year.
Network breach prevention
Defining a network security perimeter can be difficult in a large enterprise, but there are a number of best practices that can help. Start by documenting networks and systems at each site. Next, contact your Internet service provider (ISP) and determine available IP address ranges. After obtaining proper permissions, scan each IP range during a maintenance window. Carefully examine the scan results for vulnerabilities and rogue systems. Finally, monitor each IP range and configure alerts if an unused IP address comes into use.
Ensure all external network access points are controlled through the use of firewalls and encrypted virtual private networks (VPNs). Use two-factor authentication to strictly control access into the network by requiring a login account, password and authentication device.
Use network segmentation to further insulate the enterprise from risk. Start with standard three-tiered architecture (Web, application and database layers). Use granular firewall rules to control inbound and outbound traffic. Ensure each system resides in an appropriate network (e.g. demilitarized zones [DMZs], extranets and intranets). Segment networks internally and between offices as well (e.g. hub-and-spoke VPN).
Segregate wireless networks from sensitive systems using firewalls. Choose a wireless architecture that rotates keys and uses strong encryption to help prevent compromise (e.g. WPA2 AES-CCMP). Conduct wardriving exercises to identify rogue wireless access points.
Protect the network from operating system and firewall software vulnerabilities by sandwiching DMZs between two firewalls from different manufacturers, running on different operating systems. Use application proxies to protect against zero-day exploits and application layer attacks.
Monitoring and hardening
Cyberwarriors may be very stealthy and conduct custom attacks over weeks or months. Tune intrusion detection systems (.pdf) (IDS) software appropriately. Implement a content filtering product to detect unauthorized use of sensitive information and prevent it from leaving the network. Monitor network performance to detect denial-of-service (DoS) attacks.
Separately, using application vulnerabilities, hackers can sail in through layers of world class infrastructure defenses such as firewalls. Become intimate with your commercial applications' features. Hackers will discover which software is in use through fingerprinting techniques. Next, they will download administrative guides to learn methods to gain access (e.g. remote access to the administrative console). Hackers will also look for known vulnerabilities, therefore applications must be routinely patched. Finally, conduct an Internet search for commercial application hardening guides and configure appropriately.
Ensure custom code is developed in accordance with industry best practices and code reviews are routinely conducted. NOTE: There is an increasing focus on application security by regulators; the Payment Card Industry Council recently added mandatory code reviews or use of a Web application firewall into their PCI Data Security Standard (.pdf).
Availability isn't just a matter of business continuity or disaster recovery. Systems must also be available when under attack. Prepare for network DoS attacks by implementing intrusion prevention systems (IPS) to counter attacks in real-time. Configure operating systems to discard DoS traffic. Examine custom applications for DoS vulnerabilities and incorporate IDS/IPS functionality. Finally, contract ISPs to work with you during a DoS attack to block unwanted traffic.
Government strength controls
Cyberwarfare threats require government strength controls to protect confidential information, such as trade secrets. Consider implementing an air gap or physical separation to protect sensitive networks. This is an absolute way to prevent data leaks across networks. Most information security professionals agree that a determined attacker will penetrate perimeter defenses. The principle of defense-in-depth is founded on that assumption. Take a hard look at internal controls and my Insider Risk Management Guide.
When establishing internal security standards, consider the US-CCU Cyber-Security Check List and PCI Security Audit Procedures. They are prescriptive and take a more conservative approach than generic information security standards like ISO 17799 and COBIT.
To protect Web infrastructure, consider recommendations from the SANS Internet Storm Center. Use hardened operating systems, such as Red Hat Inc.'s SELinux (developed by the NSA) or Solaris 10 (which includes security features from Trusted Solaris). If a standard operating system must be used, harden it in accordance with industry best practices.
And don't forget to enhance incident response procedures to include cyberwarfare. Get security and IT teams together and discuss how a malicious entity might attack to cripple the business and methods to prevent, detect and respond. Drills should include cyberwarfare incidents, including contact with ISP and government representatives.
Knowing and exploiting your enemy
To be successful in fending off cyberattacks, it is necessary to understand how the opposition thinks and anticipate their next move. Cyberwarriors are professionals and utilize traditional warfare strategy and tactics.
In their book, Unrestricted Warfare, two Chinese generals discuss modern warfare (post Desert Storm). They mention the United States' dependence on systems and describe eight "beyond limits" warfare principles, which apply to cyberwarfare as well:
Omnidirectionality: There are no boundaries to the battlefield, including technological space. Ordinary people and experts may be targeted.
Synchrony: Attack to completion, in different locations, at the same time. "With modern, high-tech measures, this process may take the blink of an eye."
Limited objectives: "When setting objectives, give full consideration to the feasibility of accomplishing them. Do not pursue objectives which are unrestricted in time and space."
Unlimited measures: Rules of engagement do not apply when pursuing a combat objective. The burning of the south in the U.S. Civil War is an example.
Asymmetry: Do not confront the enemy head-to-head. Instead, be unpredictable and use the tactics of guerrilla warfare, terrorism and network war. Strike where your adversary does not expect to be hit and exploit soft spots. This use of force will result in a huge psychological shock.
Minimal consumption: "Combine the superiorities of several kinds of combat resources in several kinds of areas to form up a completely new form of combat, accomplishing the objective while at the same time minimizing consumption".
Multidimensional coordination: This principle refers to cooperation between different forces in different spheres in order to accomplish a combat objective. Non-military and non-war factors are included in the sphere of war.
- Adjustment and control of the entire process: "Modern, high-tech measures may make the entire course of a war extremely short, and incidentally make adjusting and controlling it much more difficult".
The generals' words are sobering. Since foreign entities consider cyberspace a soft target and commercial industry to be fair game, these are principles worth considering when formulating defensive strategies.
Do not allow compliance burden to weaken your organization's security posture. The threat of cyberwar is just one of many reasons to harden perimeter and internal defenses. The key difference here is a determined attacker, with no fear of capture or reprisal, whose reward is damage and chaos. The potential for a cyber Pearl Harbor exists. Information security professionals and the U.S. government have predicted it. The question is, will businesses take the threat of cyberwarfare seriously and make it a priority in their budgets? Fair warning...
About the author:
Gideon T. Rasmussen is a Charlotte-based certified information security professional with a background in fortune 50 and military organizations. His Web site is http://www.gideonrasmussen.com/.
This was first published in February 2007