Cyber Security: Prepare for Attack

In the wake of recent cyber security threats such as the Conficker virus scare and reports that the U.S. electrical grid was penetrated by cyber spies earlier this month, a former top U.S. cybersecurity official is sending out a reminder that no one is protected in this new, heavily-interconnected world, and that the best defense to the ever-increasing threat of cyber attack is a comprehensive response plan.

“Even organizations with the best security practices, and tremendous technical expertise and acumen, are susceptible to compromise,” says Amit Yoran, former Director of the U.S. Department of Homeland Security’s National Cyber Security Division, and current Chairman and CEO of Herndon, Virginia-based NetWitness Corp. “Gone are the days of protecting yourself by behaving like an ostrich. The real question is how do you adequately monitor, detect and respond when attacks do occur because they inevitably will,” he adds.

According to Yoran, who will be presenting his insights into cybersecurity at the 2009 World Conference on Disaster Management, the use of cyberspace as a means for conducting malicious intent is not only growing at an alarming rate but is also becoming increasingly sophisticated. Recent reports from the U.S. Federal Bureau of Investigation (FBI) indicate that more than 100 nations now have formal cyber offensive capabilities in place, including both Western nations and countries such as China and Russia, primarily for the purpose of gathering intelligence.

“Years ago people would broadly scan the Internet looking for vulnerable systems and attempt to compromise them by delivering spam or initiating denial of service attacks,” says Yoran. “What we’re seeing now are far more focused operations where attackers are literally attempting to steal information; they’re targeting individual systems in highly specific ways in order to get the information they’re after.”

Last April, for example, when perpetrators from outside the U.S. wanted to gain access to classified aviation and weapons technology relating to the Joint Strike Fighter program – the U.S. government’s next-generation fighter aircraft – they targeted a specific individual within BEA Systems, the lead contractor on the program. After spoofing an e-mail address from a legitimate source at the Pentagon, they sent an official-looking e-mail containing an exploit that essentially compromised the BEA Systems employee’s computer, establishing a command and control tunnel back to the perpetrators who could then gain access to confidential information. “Even somebody sensitive to cyber security issues would open an attachment like that,” notes Yoran.

Ironically, one of the factors leading to the growing prevalence of cyber attacks is our increasing reliance on technology to deliver critical infrastructure services. People don’t think twice about accessing corporate resources from a home computer, conducting Internet banking or looking at an account statement on-line. But how many of us actually understand what’s taking place behind the scenes.

“We take incredibly complex activities and we basically try to reduce them to a mouse click,” says Yoran. “Any time you ask a computer to do something on your behalf, you don’t really understand what’s happening behind the scenes and that creates a grey zone that leaves you open to vulnerability,” he explains.

Another factor is the increasing level of interconnectivity between systems. By connecting metering and production systems to business processes and business systems, energy companies are able to drive efficiencies for consumers, such as being able to offer on-line access to account statements or perform remote meter readings. At the same time, however, they expose themselves to increased risk by connecting systems that weren’t intended to be connected in the first place, and therefore may not have been designed with the proper levels of security in mind.

While he tends not to be an alarmist, Yoran will be sharing some practical cyber security advice with attendees at the upcoming World Conference on Disaster Management. Building on the premise that “you don’t know what you don’t know,” he will be urging risk management decision makers to gain a better technical understanding of their computer environments as a starting point for preparedness. Secondly, he will underscore the need for a responsible decision process when it comes to managing the interconnectivity of systems.

“You cannot unplug in today’s environment; you cannot disconnect. It’s a ­practical impossibility,” says Yoran. “So the question becomes how can you adequately risk-manage the points where you do ­connect.”

Yoran says he has received too many phone calls at 2:00 a.m. over the years to be optimistic about the likelihood of an event occurring. That’s why he treats a cyber threat like most other threats: you put the best protection in place and then ultimately it comes down to managing the incident when something bad happens.

“Should you shut down access to the compromised system? How should you contain the problem? Do you have the information needed to understand the attack, and engage the help of law enforcement and other experts? These are the types of incident response methodologies and decisions that need to come into play,” says Yoran. “It’s a matter of preparedness and you need to ask yourself, ‘How prepared am I for the kind of unnatural disasters than can occur in cyberspace?’”

___
Amit Yoran, former Director of the U.S. Department of Homeland Security’s National Cyber Security Division, and current Chairman and CEO of NetWitness Corporation.
© FrontLine Security 2009