It seems like every day there is gloomy news for those security professionals charged with the responsibility of keeping their organization’s computer networks safe. Whether it’s a data breach involving the theft of personal information or some new vulnerability that could be exploited by hackers to take command of a facility’s automated systems, the threats are never-ending.
Just this week, the Department of Homeland Security announced that it was looking into a vulnerability discovered by a researcher in industrial control systems software that could enable cyber criminals to launch attacks against power plants and other critical infrastructure sites. The researcher reportedly made a presentation recently at a conference where he showed that he was able to eavesdrop on traffic moving through networking equipment made by Siemens.
While advancements in technology have certainly made many things easier in our everyday lives, they have also opened the door a little bit more for those with ill intentions. Even something as simple as a door lock is now susceptible to hackers. Lock maker Onity was recently in the news after a hacker, using less than $50 worth of equipment, demonstrated that he could tap into the company’s hotel door locks using an exposed port located underneath the lock. The company has since announced that it will be providing its customers with a mechanical cap to place over the port or a firmware upgrade to address the issue.
Technology solutions provider CDW recently conducted a data loss straw poll of more than 650 IT professionals to gauge the biggest cyber threats as seen by the IT community. Data loss (32 percent) was considered to be the top threat among survey respondents, followed by malicious attacks (18 percent). Half of the survey participants said that personally identifiable information, including customer, student, employee and patient data, was the most likely target of cyber attacks. Only 35 percent of respondents gave their data loss security programs an “A” grade.
The concerns surrounding the cyber security of critical infrastructure have become so great that President Obama is considering issuing an executive order following Congress’ failure to pass legislation that would have bolstered the government’s ability to ward off potential attacks.
"So far, no one has managed to seriously damage or disrupt our critical infrastructure networks. But foreign governments, criminal syndicates and lone individuals are probing our financial, energy and public safety systems every day," the president wrote in an op-ed article last month. "It doesn't take much to imagine the consequences of a successful cyber attack. In a future conflict, an adversary unable to match our military supremacy on the battlefield might seek to exploit our computer vulnerabilities here at home. Taking down vital banking systems could trigger a financial crisis. The lack of clean water or functioning hospitals could spark a public health emergency. And as we've seen in past blackouts, the loss of electricity can bring businesses, cities and entire regions to a standstill."
I agree with the president that our networks are more at risk than they have been at any time in the past; however, I don’t know if an executive order would really accomplish his goal. According to the industry experts I’ve spoken with, most companies take cyber threats seriously, but they’re engaged in a constant cat-and-mouse game with their attackers, waiting to see what new virus or piece of malware they will have to protect against.
"It’s an arms race at the end of the day," Thales e-Security’s Mark Knight told me in a recent interview. "Whatever the IT community does, the attackers are always looking for new techniques to counter that."