Cyberwarfare and the enterprise: Is the threat real?

Most security geeks just scratched their heads and wondered how an average-size, rather unsophisticated botnet attack with relatively low impact managed to make it above the fold on the front page of the Wall Street Journal. A few public-facing government websites were slow or inaccessible for a few days, but there were no reports of financial damage or any serious service interruptions.

Why all the hype? Is cyberwarfare really something enterprise information security professionals should be concerned about?

The botnet that made headlines last month was tame, but in general, the potential for damage due to cyberwarfare (or cyberaccidents) is huge -- not because of sophisticated enemies, but because our infrastructure is weak and not well maintained. In the U.S., critical infrastructure has come to depend on IT in ways that most people never realize. Skyscraper heating, cooling and access systems can be controlled via the Internet. Hospitals request heart transplants over VoIP phones. Those are just two examples, but there are many others that make it clear that a sophisticated, targeted cyberattack really could cause widespread chaos and even loss of life.

Cyberwarfare is just a small component of a much bigger problem: the need to design a stable, global IT infrastructure. Thoughtless teenagers have wreaked havoc on the Internet countless times without even trying. The Morris Worm of 1988, for example, caused greater devastation than the recent overhyped DDoS attacks, infecting thousands of major Unix machines. Our biggest problem is not that terrorists are out to kill us all, but that even twenty-three years after Morris, our networked infrastructures are about as structurally sound as a Jenga tower.

Even purely accidental network outages have caused major damage to critical infrastructure. Back in 2002, Beth Israel Deaconess Medical Center's network was flooded and brought to a standstill due to an accidental spanning tree loop. Suddenly doctors and lab technicians could not view patient charts, lab results or fill prescriptions over the network. Eventually the emergency room was shut down and patients had to be shuttled to other hospitals.

What would happen if someone actually tried to disrupt critical systems using the Internet?

Last year at the SourceBoston security conference, security researcher Dan Geer explored what could have happened with a piece of malware from 2001 called the Nimda virus. Just a few days after September 11, 2001, Nimda spread across the Internet using five different infection vectors, infecting hundreds of thousands of computers within its first day. There is also another, older virus called E911, which caused infected systems to dial 911 over their modems repeatedly. Geer commented that, had the authors of Nimda considered including that functionality in their virulent code, Americans would have "gotten up the morning of Sept. 19 only to find there was no emergency service nationwide; it would have been turned off everywhere and all at once, like a light switch." That would have been just a few days after the nation was already reeling from a crisis.

How to defend against cyberattacks and cyberaccidents
It's hard to know what the next cyber crisis will be, but here are a few best practices that enterprise security teams should consider to avoid becoming victims.

1. Prepare for outages. Map your organization's information flow. Understand what systems/services depend on having critical network functionality. In many cases, companies simply cannot function without the network anymore. We don't have physical pens and paper or staff training to process all of our information. Develop communication and fallback plans for short-term (i.e. 1-hour), medium-term (i.e. 24-hour), and long-term (ie. multiple-day) network outages. Test them out, when possible. Be realistic; plan for what you can, and understand your limitations.

   With the economy's current struggles, many businesses do not have the resources to devote to disaster planning. As my mother says, just do your best.

2. Maintain systems. Patch all equipment routinely, including servers, workstations and network equipment. Be sure to include third-party applications. Audit routinely. Collect logs centrally. Even if you don't have time to proactively address disaster recovery, at least make sure to properly maintain the systems you have. Don't be the low-hanging fruit.

3. Share information. This might seem counterintuitive, but we're all in this together. If everyone in a particular industry is seeing the same types of probes or unusual activity, that can help us all identify precursors to incidents and avoid major catastrophes. Sharing information about effective and ineffective defense techniques can help us all respond more efficiently.

4. Be a good neighbor. Don't neglect non-critical systems. Even if there's "nothing important" on that Windows server in the corner, you don't want somebody infecting it and using it to attack other sites.

5. Don't overreact. Huge headlines about yet-another-cyberattack have unnecessarily fueled the fire. Now it seems that a relatively unsophisticated botnet can create global fear and potentially affect international relations, giving malicious individuals yet another incentive. We all have our share of security problems, and cyberwarfare is certainly one. If we all stay cool, however, attackers will have one less reason to launch cyberattacks.

The threat of "cyberwarfare" has been dramatically overhyped, but we are afraid for valid reasons: our national infrastructure is a mess. Accidents have caused just as much damage as "cyberwarfare" or other intentional attacks. "War" is not the problem; mismanagement, disorganization and fear are the real threat.

About the author:
Sherri Davidoff is the co-author of the new SANS class "Sec558: Network Forensics" and author of Philosecurity. She is a GIAC-certified forensic examiner and penetration tester. She provides security consulting for many types of organizations, including legal, financial, healthcare, manufacturing, academic and government institutions.

Rate this Tip To rate tips, you must be a member of SearchSecurity.co.UK. Register now to start rating these tips. Log in if you are already a member. Digg This!     StumbleUpon     Del.icio.us    RELATED CONTENT Threats and security advisories Preventing phishing attacks: Enterprise best practices The value of booting from a VHD in Windows 7 What to do with network penetration test results How to prevent memory dump attacks How to prevent phishing attacks with social engineering tests How to avoid botnet attacks How to ensure the validity of Microsoft Windows updates How to defend against rogue DHCP server malware Mac OS memory flaws pose challenges for enterprise endpoint protection How to prevent a cross-site tracing vulnerability exploit Threat and Vulnerability Management Considering two-factor authentication? Do cost, risk analysis Clientless SSL VPN vulnerability and Web browser protection Microsoft's Charney details new botnet protection, IdM technology at RSA Look into SIEM services to cut costs, comply with PCI DSS, HIPAA Cloud security issues, targeted attacks to be hot-button topics at RSA Zeus Trojan continues reign infecting 74,000 PCs in global botnet How to use Google Webmaster tools to help protect your site New Community Security Policy aims to reduce computer misuse The value of booting from a VHD in Windows 7 What to do with network penetration test results Data Breach Incident Management and Recovery Make PCI DSS compliance easier by reducing scope, outsourcing data Full disk encryption: Safer and easier than file and folder encryption PCI DSS requirements: Get ready for stricter enforcement, fines Data breach costs continue to rise in 2009, Ponemon study finds Data Protection Act breach could cost companies 500,000 pounds Jericho Forum to provide customers with good security questions to ask Verizon report goes deep inside data breach investigations Insider threat detection still a challenge for employers Layoffs prompt insider threat fears, cybersecurity survey finds ArcSight boosts system log management capabilities RELATED GLOSSARY TERMS Terms from Whatis.com − the technology online dictionary Centre for the Protection of National Infrastructure  (SearchSecurityUK.com) Serious Organized Crime Agency  (SearchSecurityUK.com) RELATED RESOURCES 2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems Search Bitpipe.com for the latest white papers and business webcasts Whatis.com, the online computer dictionary DISCLAIMER: Our Tips Exchange is a forum for you to share technical advice and expertise with your peers and to learn from other enterprise IT professionals. TechTarget provides the infrastructure to facilitate this sharing of information. However, we cannot guarantee the accuracy or validity of the material submitted. You agree that your use of the Ask The Expert services and your reliance on any questions, answers, information or other materials received through this Web site is at your own risk.