Reflections of a Neophyte on Cyber Security
Sep 15, 2008

While preparing for this edition, I wanted to improve my own knowledge of cyber security. In my search, I discovered some rather interesting facts and some downright scary issues. As is usual in many matters related to security, I found the usual industry trick, which is to scare the customer, define the problem and sell your product to avoid it, and, eventually, improve upon this protection with even more costly technical fixes. As a neophyte, relying, as many, on conventional and well-known security programs, I wondered just how real and serious was this issue of the cyber threat and where I fit in neutralizing it.

To do this, I looked at some risk analysis authorities. The first was the Western Economic Forum Global Risks 2008 report. Within it were some startling issues such as looming food and health risks on the global scene. Additional issues appeared in the table of risks and impacts. The next authority that I examined was from the UK. I chose the UK because of the trying experiences to which they were subjected in recent years. I considered both of these sources pertinent to my quest about the seriousness of the cyber threat, and its estimated probability and consequence in the coming years. Information gleaned from these two sources was used to create Tables 1 and 2, below, to identify the seriousness of key risks.

More pertinently, in relation to electronic attacks, the UK report states:

“The risk and impact of electronic attacks on IT and communication systems varies greatly according to the particular sectors affected, and the source of the threat. Electronic attacks have the potential to export, modify or delete information or cause systems to fail.

“There is a known risk to commercially valuable and confidential information – in government and ­private sector systems – from a range of well-resourced and sophisticated attacks. Electronic attack may be used more widely by different groups or individuals with various motives.

“IT systems in government departments and various organizations, including elements of the national infrastructure have been and continue to be attacked to obtain the sensitive information they hold. Some of these attacks are well planned and well executed.”

This message indicates the real, ongoing, omnipresent and pervasive nature of the cyber threat.

The Cyber War
Among the many views relating to the “Cyber War”, I found that one by Dr. David Gewirtz expressed in an article entitled, The Coming Cyber War, published in the ­current issue of Counter Terrorism magazine, was the clearest and most interesting.

David Gewirtz, is ZATZ Editor-in-Chief, Cyber Terrorism Advisor to the International Association for Counter-terrorism and Security Profes­sionals, and a columnist for The Journal of Counterterrorism and Homeland Security International. I contacted him, and we shared some concerns.

Dr. Gewirtz’ s position is that “when it comes to a future cyber War, the issue is no longer if it will happen. Instead the concern is when it will happen, how bad it will be, and how many attacks we’ll have to withstand.” He goes on to point out that unlike traditional war, which he describes as “a bullet to the chest,” he considers that cyber war resembles a “cancer… just as dangerous and deadly, but far more torturous over the long term. And like cancer, we’ve yet to find a cure for cyber war.”

Attacks have already occurred, or at least they have been credibly reported to have occurred. Gewirtz points out that in May, the National Journal reported on a ­suspected Chinese cyberstrike when a “9,300-square-mile area, touching Michi­gan, Ohio, New York, and parts of Canada, lost power; an estimated 50 million people were affected.” There are, of course, the reported past attacks on Estonia as well as more recent reports of alleged cyber strikes against Georgia.

Dr. Gewirtz recognizes that without concrete evidence, such as hard drive dumps that he could examine, he could not corroborate these himself. Yet, like the need in more classical past wars to destroy the enemy’s command and control capabilities, it is quite reasonable to assume that some action would have been taken to neutralize web based communications – at least in the Georgian case. Both the technology and resources existed to meet this need by ­distributed denial of service (DDoS).

He is quick to point out that this war is not restricted to the classic clash of nation states. Take the case of collateral damage, for example: A DDoS attack was directed over the Memorial Day weekend and was aimed at a small Internet video broadcaster named Revision3. “They were attacked – a full, ­premeditated, no-holds-barred attack – by a company called MediaDefender.” MediaDefender’s clients have included Sony, Universal Music, and industry groups for both music and movies. Why did this happen? Dr. Gewirtz explains that Revision3 distributes legitimate programming through a legitimate network called BitTorrent. However, BitTorrent is also used to ­distribute pirated movies and music. MediaDefender, he says, has made it their business to initiate terrorist-like denial of service attacks against BitTorrent users. “A few more attacks like this,” says Gewirtz, “and Revision3 is out of business, with 20 or so families losing employment”

How powerful and how difficult are cyber attacks to deliver? In 2005, three young Dutch men aged 19 to 27 created what is described as a “botnet to steal identities from an American firm that resulted in them linking 1.5 million computers, all working in tandem, to attack U.S. Systems and computers.” They managed, says Gewirtz, to produce a “network with a computational capacity at least five times greater than any supercomputer on the planet.”

Cyber Defence
How do we protect ourselves, our companies and governments from this threat? Dr. Gewirtz wants us to realize just how much information we have now and how much our continuing use of the net for everything from toasters to home security systems makes us and our institutions vulnerable. For instance, the security guard of yore that had himself handcuffed to his briefcase vice today’s security guard who lost a memory stick with the whole of a ­terrorist investigation data… or the company employee who lost his Blackberry or cell phone. “Cyber defence like homeland defence really does begin at home with heightened awareness. Awareness that the portability of information increases risk and these things will happen. We must be prepared to mitigate and minimize the effects of these inevitable occurrences.”

What are the dangers and the impacts of losing such information? For instance, much of our infrastructure is monitored by Supervisory Control and Data Acquisition (SCADA) and “sometimes technical vulnerabilities are designed into these systems for convenience – such as open web-based maintenance verification systems. Some of these could be attacked, and technical solutions will not solve these issues,” asserts Gewirtz. “Stupidity will sometimes negate the most sophisticated security codes, or the effort of a normal-sized state will allow it to be broken. Business continuity contingencies must be in place before these inevitable failings occur outside our front door.”

Standards and Testing
Pursuing this further, I spoke with Lysa Myers who was recently named to West Coast Labs as director of research.

Myers spent 10 years working in the Avert Group at McAfee Security, during which time she wrote for the Avert blog and Sage magazine, among others. She also ­provided training demonstrations to new researchers within McAfee along with other groups such as the Department of Defence, and McAfee Technical Support and Anti-Spyware teams. West Coast Labs is more than a ‘testing house,’ its services help vendors validate functionality and ­performance of security products, while arming corporate end users with the data they need to make smart purchasing ­decisions.

In speaking with her, I determined that her expertise in this realm was both broad and practical. She describes the growing cyber environment as being an increasingly more mobile and web-based framework of information and communication. There would be, in both industry and government, a continually increasing need to protect data and information as well as access to the protected technical resources that house this information and communication capacity.

In dealing with the loss of information or communicating power, Lysa stresses that malicious attacks from various sources, be they commercial competitors, nation states, criminal organizations, terrorists or just hackers of all nature, will all contain and use the latest technology. She explains that all information theft is essentially for a profit motive of some form or another and that employees, and all citizens more broadly, need to be aware of the risks and probabilities of their information being attacked, stolen or destroyed.

This is not to scare people away from the use of technology but rather to instill in all of us, in our daily and business lives, the need for recognition of risks and the development of proper risk management in our constant and more mobile use of web-based information devices.

Lysa deals largely and foremost with businesses of all sizes and insists that the provision and design of cyber security move away from a “fear-uncertainty-doubt mode” to a more Risk Analysis and Return on Investment business-like framework.

Individuals and companies should know the value of their information and the cost to the company of its loss to theft or destruction. Think of the loss from a bank of all the credit card info of selected customers? Companies should then plan to spend what is necessary to protect that value, within reasonable risk parameters, to mitigate the damage if lost.

On the matter of cyber security standards, the evolution of technology is such that specific standards are often behind the development of new threats. On the other hand, the early adopter of new technology is often at risk of untested equipment or software, and unforeseen results. Therefore it is becoming more prevalent that lab testing by third parties for cyber security may, and often does lead, to tailored and more effective up to date security.

How often do we take our laptop home or elsewhere with important company or personal data on it? Do we open it in a location that is insecure, thereby opening up the possibility of attracting malware, trojans, or allowing a botnet to install itself and then defeat the company or personal firewall? What contingencies do we have when, not if, this occurs? When we plug our innocent laptop in at the office, are we aware of our security breaches… how about with our blackberry or cell phone?

No one can be completely invulnerable to cyber attacks. One can, however, mitigate both the occurrence and the results of these by good knowledge and responsible corporate habits. Attacks will occur… when there is a profit to be made, an attack will be attempted. The unknowns are who, what and where. Be responsible.

I trust that you feel a bit more at ease and knowledgeable and a little less of a neophyte about the need and challenges of cyber security. Good Lucccccck.

Clive Addy, the Executive Editor of FrontLine Security magazine, is the founding Chair of the National Security Group.
© FrontLine Security 2008