Cyber Security: Battleground of the Future?

April 1, 2004
The war against cyber terrorism has been raging for years and promises to grow increasingly difficult.
Use the metaphor of a battleground in a discussion of cyber security, and the term "cyber terrorism" immediately comes to mind. Some of the terminology we commonly use to describe cyber activity already evokes the image of a battleground; consider "war driving" and "cyber attack," for instance. Calling cyber security the battleground of the future, however, obscures the fact that the battle has been raging for a long time and continues to grow more intense.

The term "cyber terrorism" is likely to evoke a variety of images among security professionals. In Congressional testimony before the Senate Select Committee on Intelligence in February 2002, the FBI defined cyber terrorism as "the use of cyber tools to shut down critical national infrastructures … for the purpose of coercing or intimidating a government or civilian population."

Although the term is often applied loosely, most of us would agree that we would know cyber terrorism if we saw it.

• An al Qaeda operative, secreted in a safe house abroad (or in a public library or cyber cafe somewhere in the United States), sits hunched over a laptop, surfing the Internet to assess some sector of America's critical infrastructure as a potential target. His plans for delivering the attack might involve a truck, aircraft or other conveyance, some other part of our critical infrastructure, or the Internet itself.

• The same individual launches a malicious virus aimed at disrupting a vital component of the U.S. financial infrastructure or some other major symbol of America's economic power. (By Osama Bin Laden's own admission, the September 11 attacks were as much about striking a blow at the U.S. economy as they were about causing massive loss of life.)

• A small group of young protesters in an American city coordinates a distributed denial of service attack against the Web page of a multinational financial interest to protest its foreign lending policies on the eve of a major economic summit.

While the political motivation behind these scenarios clearly places them in the category most would consider cyber terrorism, the distinction has not always been easy to make. The series of hacking attacks dubbed Solar Sunrise, aimed at the Pentagon from February 1 through February 26, 1998, occurred concurrently with U.S. military preparation for possible action in Iraq. Given the events that had preceded the attacks, their target, and their apparent sources, the activity was at first believed to be an organized act of cyber terrorism or a state-sponsored act of cyber warfare intended to disrupt the U.S. military response to potential hostility in the region. The attacks appeared to come from the United Arab Emirates, Israel, France, Taiwan and Germany. The investigation ultimately led not to known foreign terrorists, but to two teenagers in California and one in Israel.

The Threat Is Real
Two areas of concern regarding the potential for cyber terrorism have become the subject of extensive discussion among security experts in government and private industry. Both are areas in which the cyber world and the physical world could collide. The first is the potential for a mass-casualty attack immediately preceded by a cyber attack against the communications sector to disable first responder and other emergency capabilities. The second, more insidious threat involves exploitation of potential cyber vulnerabilities in distributed control systems, SCADA (supervisory control and data acquisition) devices and digital control processors. In this case, a computer-based attack would be staged to interfere with critical industries such as electrical power, natural gas, oil, and water and wastewater. Such an attack would also create potential life safety hazards.

All of these scenarios are well within the realm of possibility, and there is strong evidence that our adversaries have examined some of them as options. In January 2002, the National Infrastructure Protection Center issued a notice to the water industry warning that al Qaeda had been seeking information on SCADA systems from various resources on the Internet. Also in early 2002, the FBI disseminated information regarding possible attempts by terrorists to use U.S. municipal and state Web sites to obtain information on local energy infrastructures, water reservoirs, dams, enriched uranium storage sites, and nuclear and gas facilities.

The Barbarian Is Inside the Gates
Large-scale virus and worm propagation, hacking, distributed denial of service attacks, identity theft, and data hijacking and extortion are often referred to as acts of cyber terrorism even absent the elements of intimidation or political goals. There has been little evidence to date of any confirmed attempts by terrorist adversaries to use cyber methods to achieve mass disruption. While it is important to recognize the potential use of cyber space as a terrorist weapon, the threats to cyber security that we most frequently encounter, and those that have been the most damaging, are far more ordinary in their points of origin.

The barbarian seeking to slay us in cyber space is more likely to be inside the gates than outside, particularly in the business enterprise. A widely cited industry estimate holds that approximately 80 percent of reported network compromises are insider cases, involving an employee, former employee, contractor, vendor, or some other person who holds or previously held some degree of trusted access.

That access, coupled with the insider's familiarity with the enterprise's mission-critical assets, makes insider cases more damaging than outsider incidents. Quite often, investigators need look no further than the human resource or procurement records of the victim institution to find the name of the perpetrator.
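The point that HR and procurement records often name the perpetrator can be turned into a routine check: join successful logins against the roster of who is supposed to hold access, and flag accounts whose employment or contract has ended, accounts the roster does not know at all, and contractor logins at odd hours. The script below is an added illustration and is not from the article, the Secret Service or CERT/CC; the roster entries, the auth log lines and their field layout are constructed for the example, and the business-hours window is an assumed policy value.

```python
"""Cross-check successful logins against an HR/procurement roster.

Added example, not from the original article.  ROSTER and AUTH_LOG are
constructed sample data; real deployments would pull the roster from the
HR system and the events from the authentication server's logs.
"""
from dataclasses import dataclass
from datetime import date, datetime
from typing import Dict, List, Optional

# Constructed roster: the "end" field is the termination date for employees
# or the contract end date for contractors/vendors (None = still active).
ROSTER: Dict[str, dict] = {
    "jsmith":   {"type": "employee",   "start": date(2001, 3, 12), "end": None},
    "mlee":     {"type": "employee",   "start": date(1999, 6, 1),  "end": date(2004, 2, 27)},
    "acme-svc": {"type": "contractor", "start": date(2003, 11, 1), "end": date(2004, 1, 31)},
}

# Constructed syslog-style authentication events.
AUTH_LOG = """\
2004-03-02T08:55:10 LOGIN user=jsmith src=10.1.4.22 result=success
2004-03-02T23:41:03 LOGIN user=mlee src=203.0.113.9 result=success
2004-03-03T02:10:44 LOGIN user=acme-svc src=198.51.100.7 result=success
2004-03-03T09:05:00 LOGIN user=ghost src=10.1.4.40 result=success
2004-03-03T09:06:12 LOGIN user=jsmith src=10.1.4.22 result=failure
"""

# Assumed policy: contractor logins are expected between 06:00 and 22:00.
BUSINESS_HOURS = (6, 22)


@dataclass
class Finding:
    ts: datetime
    user: str
    src: str
    reason: str


def parse_line(line: str):
    """Split '<iso-timestamp> LOGIN k=v k=v ...' into a datetime and a dict."""
    ts, _, rest = line.split(" ", 2)
    fields = dict(kv.split("=", 1) for kv in rest.split())
    return datetime.fromisoformat(ts), fields


def review(log_text: str, roster: Dict[str, dict]) -> List[Finding]:
    """Return one Finding per successful login that the roster does not justify."""
    findings: List[Finding] = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, f = parse_line(line)
        if f.get("result") != "success":
            continue  # failed attempts are a different report
        user, src = f["user"], f["src"]
        rec: Optional[dict] = roster.get(user)
        if rec is None:
            findings.append(Finding(ts, user, src, "account not in HR roster"))
            continue
        end = rec["end"]
        if end is not None and ts.date() > end:
            findings.append(Finding(ts, user, src, f"{rec['type']} access ended {end}"))
        in_hours = BUSINESS_HOURS[0] <= ts.hour < BUSINESS_HOURS[1]
        if rec["type"] == "contractor" and not in_hours:
            findings.append(Finding(ts, user, src, "contractor login outside business hours"))
    return findings


if __name__ == "__main__":
    for fnd in review(AUTH_LOG, ROSTER):
        print(f"{fnd.ts.isoformat()} {fnd.user:10} {fnd.src:16} {fnd.reason}")
```

The check deliberately ignores failed logins; the damaging insider case is the one where credentials still work after the relationship has ended, so the report concentrates on successes. Any hit on a terminated or expired account is also a de-provisioning failure to fix, not just an event to investigate.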

The insider threat is considered so serious that the United States Secret Service and Carnegie Mellon's CERT/CC have jointly embarked on the Insider Threat Study, which analyzes the physical and online behavior of insiders before and during network compromises in order to develop information that might aid prevention.

Weapons Easy to Obtain
The greatest threat in cyber space is traditional criminal enterprise. Carnegie Mellon's CERT/CC reports that the number of security incidents reported to it has increased by a factor of 36 since 1997. Citing FTC statistics released in September 2003, the Joint Council on Information Age Crime reports that there were 27.3 million identity theft victims in the United States in the past five years, with business, financial-institution and consumer losses exceeding $53 billion in the past year alone.

Just as technology has enhanced the capabilities of legitimate business, so has it better enabled the processes of criminal enterprise. Information Age tools have provided new and more ingenious ways of committing age-old crimes. The ability to commit traditional crimes such as fraud, illicit drug dealing and child pornography has been greatly enhanced by the means of communication now available in cyberspace. Unauthorized access to data is often both an end goal of criminal cyber activity and an enabler of additional crime. The Internet is used as a means of facilitating communication for a variety of violent crimes, including child luring and enticement and homicide.

The application of new and emerging technology brings both business advantages and new risk. New technology is often employed in ingenious ways well beyond its creator's imagination or initial intention, opening up new vulnerabilities to be exploited. It's said that the bad guys don't just work at it eight hours a day, five days a week, but eight days a week, 26 hours a day. It is often this level of effort and commitment on the part of the offender that leads to the discovery of new ways to exploit existing technology, or to insight into how to abuse new technology almost immediately upon its introduction into the marketplace.

The Internet has made readily available many sources of information ripe for exploitation by the technically savvy. Additionally, the well-versed social engineer need not have the technical skills to hack his way onto a network when he can more easily talk his way onto it. Social engineering techniques are being used with increasing frequency to disguise viruses and worms as legitimate messages and to dupe users into actions that spread the infection further.

The specificity and type of information willingly made available to the public by an enterprise on its Web page also may pose significant risk in terms of operational security. In January 2002, the National Infrastructure Protection Center released an advisory entitled Internet Content Advisory: Considering the Unintended Audience. The advisory provided a seven-question evaluation aimed at assisting an enterprise in examining the potential risk posed by the content it publicly displays on the Internet.

The tools available to the enemy as weapons in the battle have become more potent, more readily available, and easier to use. Whereas hacking was once considered an activity limited to those with advanced computer skills, hacking tools are now easily acquired and shared on the Internet and require much less skill to put into play. At the same time, attacks are becoming more widespread, more damaging, more complex, and more difficult to detect. The stealth and e-mail disguise capability of the MyDoom worm was a key reason behind its rapid spread.
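The "e-mail disguise" that the social engineering and MyDoom passages above describe has a few recurring mechanical signs that a mail gateway can check for: a From address whose domain does not match the envelope sender, an attachment whose name hides an executable extension behind an innocent one (document.txt.pif), a declared text/* content type on something that is really a program, and attachment bytes that begin with the Windows executable "MZ" header regardless of what the name says. The script below is an added example and is not from the article or from any vendor's gateway; the two messages are constructed for the illustration, written in the style of the mass-mailing worms of the time, and the list of executable extensions is an assumed policy choice.

```python
"""Screen inbound mail for disguised executable attachments and forged senders.

Added example, not from the original article.  CLEAN and DISGUISED are
constructed sample messages; EXEC_EXT is an assumed gateway policy list.
"""
import email
from email import policy
from email.utils import parseaddr
from typing import List

EXEC_EXT = {"exe", "pif", "scr", "bat", "cmd", "com", "vbs"}

# Constructed: an ordinary report with a plain-text attachment.
CLEAN = """\
Return-Path: <alice@example.com>
From: Alice <alice@example.com>
To: bob@example.com
Subject: Q1 report
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b2"

--b2
Content-Type: text/plain

Attached is the Q1 report.

--b2
Content-Type: text/plain; name="q1-report.txt"
Content-Disposition: attachment; filename="q1-report.txt"

Revenue up 4 percent.
--b2--
"""

# Constructed: a bounce-style lure carrying a program disguised as a text file.
# The attachment payload is a base64 fragment beginning with the "MZ" header.
DISGUISED = """\
Return-Path: <bounce@mailer.example.net>
From: "Mail Delivery System" <postmaster@example.com>
To: bob@example.com
Subject: Error
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

The message contains Unicode characters and has been sent as a binary attachment.

--b1
Content-Type: text/plain; name="message.txt.pif"
Content-Disposition: attachment; filename="message.txt.pif"
Content-Transfer-Encoding: base64

TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQA==
--b1--
"""


def domain_of(header_value) -> str:
    """Domain part of the first address in a header, lower-cased ('' if none)."""
    addr = parseaddr(str(header_value or ""))[1]
    return addr.rpartition("@")[2].lower()


def check_message(raw: str) -> List[str]:
    """Return a list of human-readable reasons to hold the message (empty = pass)."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings: List[str] = []

    from_dom, rp_dom = domain_of(msg.get("From")), domain_of(msg.get("Return-Path"))
    if from_dom and rp_dom and from_dom != rp_dom:
        findings.append(f"sender mismatch: From {from_dom}, Return-Path {rp_dom}")

    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        pieces = name.split(".")
        ext = pieces[-1] if len(pieces) > 1 else ""
        if ext in EXEC_EXT:
            findings.append(f"executable extension: {name}")
            if len(pieces) > 2:
                findings.append(f"double extension: {name}")
            if part.get_content_maintype() == "text":
                findings.append(f"declared {part.get_content_type()} but executable name: {name}")
        # Name-independent check: decoded bytes that start with MZ are a PE/DOS executable.
        payload = part.get_payload(decode=True) or b""
        if payload[:2] == b"MZ":
            findings.append(f"content is a Windows executable (MZ header): {name}")
    return findings


if __name__ == "__main__":
    for label, raw in (("clean", CLEAN), ("disguised", DISGUISED)):
        print(label, check_message(raw) or ["no findings"])
```

The sender-domain comparison is a weak signal on its own: mailing lists and outsourced bulk senders legitimately produce mismatches, so it belongs in a scoring scheme rather than as a hard block. The content check is the one that survives renaming; a worm that ships inside a .zip needs the archive opened before the same MZ test applies.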

Often the discussion of the weapons available against us in the war focuses on the deployment of the latest version of a known virus or worm, or the exploitation of a zero day vulnerability. Equally important to consider are the threats posed by the exploitation and malicious deployment of new types of technical devices. The widespread exploitation of devices such as key loggers and skimmers has led directly to the increase in cyber-based credit card fraud and identity theft, while the techniques employed in war driving present a persistent threat in the wireless community. Not long after the initial exploitation of key loggers was discovered, wireless versions were being deployed in the commission of cyber-based crimes.

Staying Current on the Threat
The complexion of the battleground is continually changing and the nature of the threat constantly evolving. The challenge from the security perspective is to stay abreast of new and emerging technology and the ingenious ways in which it can be exploited by the potential cyber terrorist.

Thomas Bello is a senior security consultant with Sako & Associates Inc. Located in Houston, TX, Mr. Bello has experience in cyber security and electronic crimes through his service with the United States Secret Service, where he worked on the HITEC Electronic Crimes Task Force. To learn more about Sako, visit its Web site at www.sakosecurity.com.