KEEPING THE AMATEUR ROGUE OUT OF THE CYBER HOUSE
Finally, how do you keep amateur rogues out of the cyberhouse? Today, you probably can't; but tomorrow (see Chapter 16, 'The Information Warfare Arsenal of The Future'), well, that's another matter.
Today, however, motivated amateur rogue 'hacktivists' have grabbed headlines, announcing they've collected credit card and other personal data on some 2,500 business and political leaders by breaking into the database of the recent World Economic Forum. Increasingly, these amateur social activists have turned to hacking to make their point, breaking into computer systems and wreaking havoc on organizations they oppose. The Internet has turned out to be a remarkable tool for nonviolent protest on a scale activists could only dream of before.
As previously explained, the term 'hacktivist' was first applied to supporters of the Zapatista rebels in Mexico's southern state of Chiapas, who have sabotaged Mexican government Web sites since 1998 and held 'virtual sit-ins' designed to overload servers. More recently, the tactic has been used in Serbia, Pakistan, and India, and by both Palestinians and Israelis in the Middle East. In one case, Palestinian sympathizers broke into a Web site operated by a pro-Israel lobbying group in the United States, stealing credit card information and e-mail addresses.
However, the theft of private data is a relatively new tactic, which goes beyond defacing Web sites and electronic bombardment of servers. Antiglobalist protesters contend the WTO's trade treaties benefit big corporations and rich countries at the expense of the environment and workers. They consider the World Economic Forum, which holds its high-profile annual meetings in the Swiss resort of Davos, to epitomize the elitist dealmaking they oppose.
Protesters who showed up in person were largely stymied by a heavy police presence at the recent Davos meeting. On-line, however, they effectively surmounted physical barriers.
Another Frontier
The Net is another frontier for people to engage in these types of activities. The attacks against forum organizers showed just how far hacktivists could reach. They obtained the travel itineraries (including flight numbers) of politicians from around the world, and published them on the Web. This poses operational security problems, and goes beyond what's been seen before.
Almost every major corporation and organization has been hit at one time or another by hacking, with McDonald's, Starbucks, and the WTO being favorite targets of hacktivists. During the WTO's last major meeting, in Seattle in December 1999, the organization faced attempts to shut down its system.
There were millions of bits of spam thrown at the WTO, but they had a good defense which bounced these right back like junk e-mail. People are still being misled by a copycat Web site that uses the WTO's old name (GATT) and looks nearly identical to the real WTO site.
In some respects, it is really quite clever and quite funny. But it is less funny when people believe it (as has been the case) and go to a lot of trouble and then are deceived.
SUMMARY
It can be seen that the development of the Internet presents serious threats to the security of private companies, in addition to the much-touted opportunities it provides. It may also be that the more extreme scenarios discussed in this chapter never eventuate; the possibility that they may, however, must be appreciated. It is not advisable for any risk-management approach to merely disregard the threats previously discussed on the basis that they are far-fetched and fanciful. In addition to the threats being technically feasible, either now or in the next two decades or so, the ability of intruders to gain entry to computer systems and disguise the very fact of entry makes this a peculiarly difficult threat to appreciate. Undetectability of many attacks per se may lead private companies to a false sense of security, and leave the companies vulnerable to serious disruption or total disablement in the event of an attack.
The possible means of attack this presents to aggressors can help realistically guide the process of moving forward in dealing with the information warfare arsenal and tactics of private companies. The conclusions drawn from this follow next.
Conclusions Drawn from The Information Warfare Arsenal and Tactics of Private Corporations
- As competition between corporations for profit increases, and consumer expectations grow, there may soon be a time that, for some private companies, even a limited disablement may be fatal, or nearly fatal, to their continued existence, surely one of the most important post-threat outcomes of any risk-management plan.
- The growth in the number of aggressors must also be appreciated.
- Added to the traditional aggressors identified by private companies are the additional ones that may now see the companies as a visible surrogate of an entity that is either impregnable from attack or that it is inadvisable to attack.
- Some private companies have always been the target of aggression, and the identity and number of aggressors may stay the same.
- It must be appreciated, however, that new, and very powerful, tools of aggression may now be available to those traditional aggressors.
- Traditional forms of risk management are, it is argued, not particularly suitable to the dynamic, desegregated forms of aggression that will now be presented.
- The approach to determining risk and how to protect against and prevent network attacks must be revised. A fundamental rethinking of the way private companies organize themselves, and the way they leave themselves at risk, will also be necessary.
- Traditional forms of risk management represent an approach positioned in a hierarchical paradigm, which may not deal adequately or at all with new forms of threat posed to a dynamic network.
- Until these fundamental issues are addressed, no private company can truly say that it has identified all forms of risk that are or will be relevant to that organization. Nor will it be able to say that it has treated them. These must be imperatives in an environment where any single risk could conceivably threaten the entity's very survival.
An Agenda for Action in Preparing for the Information Warfare Arsenal and Tactics of Private Corporations
Management of cyberterrorism risk must be considered an important issue for all aspects of society, not only for private companies. However, in view of the way in which the information network has developed, and the almost complete immersion of much of private enterprise in it, a company should analyze its vulnerabilities regardless of societal views.
The dangers in failing to recognize the risk could be serious. The dangers in recognizing the risk but not treating it could be equally serious.
The United States government needs to set an agenda for action that goes beyond the work already done in preparation for protecting the information warfare arsenal and tactics of private companies. Action steps should include, but not be limited to, the following 10 areas:
- It is recommended that, traditionally, private companies be organized in a hierarchical way and also viewed as such. Much like a Norman motte-and-bailey castle, where a keep on a central raised mound was encircled by a ditch and a picket, private companies are viewed as entities that are, or should be, impervious to the outside world, allowing entry only at designated, protected points. Once within the structure, movement up to the pinnacle of command is meant to be within certain set parameters, and deviation from these parameters is not encouraged.
- Flat management structures, it is recommended, should make the internal passage within the corporate entity somewhat less linear. Flat management does not allow for free ingress from the outside as one of its goals; it may allow for more points of contact between points inside the structure and outside, but these are monitored and controlled.
- Over the years, layers of protection have accreted around the structure, much like the walls that were thrown up around the keeps of concentric castles. All of these concentric defenses should repeat the pattern of controlled and protected points of ingress and egress.
- The growth of the information network and the increasing porosity of corporate entities should lead to a rethinking of the reliance on concentricity and control of entrances.
- Corporate entities should have new points of ingress (such as telephony and internet access points); consumers demand it. Added to this intentional accumulation of entry points must be those that are either unwittingly left open by a corporate entity, because the advances of technology are not understood, or those that are left open through intention or negligence, where the possibility of unwanted or uncontrolled ingress is appreciated, but nothing is done about it.
- Attention should also be paid to points of egress; much damage can be done by an information outflow caused by a disgruntled employee.
- A hierarchical corporation, based on a fortress structure, may be vulnerable if an information flow is disrupted. This may be so even where a flat management structure exists within the fortress. The entity may be hard put to regroup and function without great delay.
- A corporate entity based on a network may be much better placed to respond to a potentially disabling attack. Diversified information and command lines should be called into action and utilized should one line be cut. Such a corporation would be able to continue its core operations in a much shorter timeframe than a defensive-fortress structure. This does not mean to say that a corporation should abandon all controls of ingress and egress, and 'open its doors' to the world. Defenses from cyberterrorism should be put in place. This discussion highlights the first primary step in risk management: identification.
- Potential threats should be identified and provided for. A simple treatment of defensive structures may not be wise, because the chaotic nature of the information network and the development of new technologies will inevitably mean that new forms of attacks and new holes in the armor will always open, often in unexpected places.
- A diversified command-and-control structure, and the duplication of information supplies, should go some way in both treating current risk and coping with problems when unforeseen or currently nonexistent risks appear.