The Changing Threat

Oct. 27, 2008
Have you had your threat checkup this year?

Dateline: March. Chicago O'Hare International Airport.

As I took the long linoleum march through O'Hare today, I walked past the display of World War II aircraft that had been flown by the famed aviator from whom this airport takes it name. Some of the pictures and gear on display reminded me of my father and took me back to my childhood. I found myself musing about an incident long ago ...

Five minutes before our geography class, Miss Pearson dispatched my friend Chuck and me to the audio/visual supply room to retrieve a filmstrip projector. As we made our way to the disorderly AV closet, preparing to trundle the now laughably antiquated device back to the room on its large, battleship-grey, two-shelf rolling cart, we noticed a door ajar at the end of the hallway.

It was a door neither of us had ever seen anyone enter. It was always locked, and it wasn't labeled, so we assumed it was a broom closet. But we were 10-year-old boys, and our curiosity quickly got the jump on our discretion. We abandoned our assignment and headed for the door, pushing it open to reveal a dark stairwell. We called down. Echoes. No answer.

After a shared look and a mischievous grin, we switched on the light and jumped back, preparing to be accosted. A single bare bulb above the door jamb illuminated a metal staircase descending into darkness. Soon, the buzz and click of awakening fluorescents emerged from the shadowy gloom below, and lights grudgingly came to life. We peered down the stairs into a room filled with boxes, cardboard barrels, electronic gear, and even some helmets. We just had to investigate.

Chuck and I decided that he would stay up by the door. We had to concoct a plausible story should we be discovered. We also had to ensure a passing janitor wouldn't secure the door, only to open it three years later to discover two kid-sized skeletons in rat-gnawed school uniforms.

I descended the steps with trepidation and scanned the subterranean room from the first landing. The line of large boxes stretched into the darkness beyond. Soon I recognized a common trait among the supplies. They each sported a familiar triangle design with the letters CD inside.

I remembered seeing that logo each time we had a nuclear attack drill at school. After the siren had sounded through the school's public address system, we would crouch beneath our desks awaiting the terrible missiles the Soviets would be sending to our town in Illinois . The person assigned to give our classroom the “all clear” always wore a helmet that bore that same triangle marked CD: Civil Defense.

I was just beginning to decide what box needed investigating first when I heard two loud raps on the upstairs door. Chuck's warning signal! As I started back to the stairs I heard Miss Pearson's voice. We were caught!

Luckily, Chuck was a smooth talker. As I tip-toed up the stairs I could hear the story pouring out of him like water from a hose. He was saying we were doing what any teacher would have expected of us. We had come to get the projector and noticed the door open, and I had gone downstairs to make sure we weren't going to lock anyone in the basement, since we planned to shut the door to help out whoever had made the mistake of leaving it open. Chuck said he knew Miss Pearson would agree that it would be a tragedy if someone (maybe even two students) were to be locked in the basement by accident, only to have their skeletons discovered three years later.

We were in luck that day. Miss Pearson was in her first year as a teacher. Instead of trundling us both off to the vice principal for corporal punishment as we anticipated, she kindly explained that this was a Civil Defense storeroom, and that yes, someone must have mistakenly left it open. She explained that the boxes, barrels, and communications gear were there in case of a real nuclear attack. They contained food, water, and other vital survival supplies. We stood there dutifully looking earnest and sincere while copping relieved glances at one another.

Throughout the 1950s and 1960s, American schoolchildren were constantly practicing their minor role in nuclear attack response. The Soviet nuclear threat was very real to us back then, and we took it seriously. It always lurked in the background of my formative years.

A decade and a half earlier, my father had been fighting in the Pacific Theater of World War II. He faced a very different but no less deadly array of threats to his personal well-being. My father was confronted with machine gun fire, aerial bombardment, and tropical diseases. In fact, the aircraft carrier on which he served as an aviation metal smith was sunk by an enemy torpedo bomber and accorded him the first of his two Purple Hearts. In 1945, as he and his war bride contemplated starting a family in the post-war era, he was unaware how quickly the Cold War would change the threat landscape.

In the post 9/11 world, our national threat has once again changed. The nuclear threat is still there, but the international actors have all changed places. We are concerned for targeted attacks and dirty bombs, and schools no longer practice the drills that were as much a part of my elementary education as reading and arithmetic.

For those of us in information security, the threat has changed as well. Remember when there were almost monthly virus and worm warnings in The Washington Post and on national radio programs? Remember the hacker profiles and related geeky discussions on the news channels? Have you noticed they are gone?

The threat to our corporate and personal information has changed dramatically in just the last three years. We have all but claimed victory in the virus war. There are several reasons for this. Primarily, most individuals and companies use effective anti-virus software. The major vendors who provide these products even have the ability to detect new or previously unknown viruses based on heuristic and behavioral characteristics. Additionally, virus writers no longer have the publicity cache working in their favor.

When the virus threat first emerged in the late 1980s, no one had yet appropriated the name Spam™ for unwanted e-mail, nor had spyware come to the attention of the public at large. The computer users' lexicon also did not contain entries for phishing or pharming, and even today, my spell checker underscores these terms with a red squiggly line. Who in their wildest dreams just a few years ago would have guessed that a lame scam in which an e-mail writer poses as a Nigerian prince seeking a safe U.S. bank account would ensnare anyone?

The current threats to our information often take the form of identity theft, and the relative anonymity of digital relationships allows thieves to bilk money from unsuspecting victims. The thief may try to persuade his target to voluntarily disclose sensitive information, or may take it by guile or force.

As security professionals, we must stay tuned to the dramatic changes in the threats we are tasked with thwarting. There has been a sea change in the focus and tactics of information thieves and scammers. No longer are these perpetrators simple virus coders or curious hackers. A new generation of threats has emerged, and that change is no less significant than the one that took place at the end of World War II.

The change in threats affected my family on a very personal level. Ultimately, my father found the most significant danger to his safety was not the bullets and bombs of Japan , but the good living in America during the post-war boom. We buried my father just 20 years after he came home from the war to start and raise his family. He died from multiple cancers of the colon and lungs arising from a high-fat, sugary diet and a two-pack-a-day cigarette habit.

I took that lesson to heart when I stopped smoking, and I now go for yearly checkups and blood work. I know my children will need to be similarly attuned to ongoing changes that will affect their lives in the future. The Civil Defense stash in the school basement was an anachronism decades ago. Now we have calls for each of us to maintain a home survival kit. All security professionals need to closely monitor the ever-evolving threat landscape to ensure we take prudent and effective security countermeasures on behalf of our clients and employers, as well as ourselves. Have you had your threat checkup this year?

John McCumber is a security and risk professional. He is the author of Assessing and Managing Security Risk in IT Systems: A Structured Methodology from Auerbach Publications. Mr. McCumber can be reached at [email protected].

About the Author

John McCumber

John McCumber is a security and risk professional, and author of “Assessing and Managing Security Risk in IT Systems: A Structured Methodology,” from Auerbach Publications. If you have a comment or question for him, e-mail [email protected].