From 1983, when the movie War Games told the story of a teenager who hacked into the Pentagon's nuclear weapons system and almost started World War III, the American public has been aware of the possibility of a catastrophic computer attack. However, there's no record of anyone having actually been killed by a terrorist using a computer. Subsequently, there has been some controversy over what constitutes cyberterrorism.
For the purposes of this article, we're going to stick with the definition proposed by the National Infrastructure Protection Center (now a part of the Department of Homeland Security) in 2002: Cyberterrorism is a criminal act perpetrated through computers resulting in violence, death and/or destruction and creating terror for the purpose of coercing a government to change its policies.
In 1996, Barry Collin, then a senior research fellow at the Institute for Security and Intelligence in California , released a paper called “The Future of CyberTerrorism” in which he described several possible cyberterror scenarios that fit the NIPC definition. In one scenario, cyberterrorists hack into an air control system and cause two commercial aircraft to collide. Another scenario involves cyberterrorists changing the iron supplement level in cereal and causing a nation of children to get sick and die. A third has cyberterrorists remotely altering the formulas of pharmaceutical manufacturers and wreaking havoc worldwide.
As you can see from these examples, cyberterror is not only an issue for federal and state entities; it can target private enterprise as well. In a sense, all the nation's businesses can consider themselves on the front lines in this battle, and they should all be prepared to fight it.
Why Cyberterror?
Why would terrorists turn to cyberterrorism? Because it has certain advantages over the traditional physical methods of terrorist attacks. The Internet is the instrument of a political power shift. A many-to-many communications system, the Internet is cheap, relatively safe (doesn't require any dangerous handling of explosive materials) and secretive (not even revealing the terrorist's location or identity). A cyberterror attack can be conducted from almost any locale in the world and is capable of worldwide impact. It's been hypothesized that the new, modern cyberterrorist can do more damage via the Internet than with a bomb.
But analysts and politicians have always thought that human involvement in computer systems would prevent anything disastrous from happening. The responsibility falls on mankind to make sure there is always sufficient human oversight and intervention to prevent a catastrophic occurrence.
Complex Enterprises Require Complex Security
Enterprise security is rapidly taking on new dimensions. While building a fortress model and protecting it with a firewall has been the norm, the expanding use of mobile devices and wireless networking exposes many shortcomings of that traditional approach. Multi-vendor security environments and hybrid offerings that combine security hardware and software create additional challenges in the manageability of security measures and solutions.
What's a security director to do to protect enterprise systems against cyberterrorism when faced with the broader scope of attacks and the increased complexity of managing the solutions? Security needs to take a holistic, proactive approach to this mission-critical concern. Although it won't provide total security, the best approach to protecting enterprise systems from cyberterrorism is layered network security that is accepted and practiced by all levels of management and staff.
Layering can consist of multiple applications of the same or similar technologies. The most cost-effective network security solutions are integrated, expandable systems capable of being upgraded. With that in mind I've compiled some basic guidelines encompassing six layers of necessary security that should be implemented in the corporate environment.
First Things First
Before any solutions can be considered, each enterprise must conduct an initial detailed and articulated threat assessment report. How much protection security countermeasures will provide depends on the number and strength of the security measures deployed, all of which frequently depend on available budget. It's ironic with our increased knowledge of existing security threats that money is still difficult to come by, but getting money to spend on security is always difficult. Still, the reality is that it's more cost effective to spend money on security to prevent incidents and related damage than it is to repair the damage after the incident occurs.
Level One: Administration
The first layer of security is the general or administrative layer, which impacts all the layers after it. This layer includes security policies, standards and procedures; human resource requirements; security level designations; and business continuity/disaster recovery (BCP/DR) contact lists, instructions and plans.
The security policies define what the company wants to protect and what is expected of system users. The standards and procedures explain how users interact with enterprise systems and what their actions should accomplish. Because networks now encompass wireless, e-mail, distributed processing, and data storage/warehouses, companies frequently need separate security policies for each area. All policies, standards and procedures should be published and explained to employees and other system users, such as vendors and consultants who access the corporate network.
In conjunction with these written directions, human resources needs to clearly define and implement screening and hiring practices that include job descriptions, hiring requirements, background checks and specialized testing. Another important requirement is to clearly define the access required by each job description and level or group so that the security officer can set access parameters for each.
The BCP/DR contact lists and directions detail the order of contact for individuals when an emergency occurs—who has which responsibilities, and what actions should be taken.
Layer Two: The Perimeter
The second or perimeter layer of defense includes both the physical and system perimeters. For physical perimeter security, an enterprise should use a combination of barriers including locks, keypads, magnetic key cards, RFID access cards, and biometrics for authorized users to gain access to facilities and devices.
Perimeter layer defense also includes the use of firewalls for traffic control, address translation and VPN termination; strong passwords for access control, VPN encryption to create secure connections between the network and remote devices, and antivirus scanning software and hardware to protect the servers that are exposed to the Internet from being contaminated by viruses and worms resulting in denial-of-service (DoS) attacks.
Layer Three: The Network
The third or network security layer includes the internal LAN and WANS. Situated behind the perimeter layer, this layer includes servers, desktops, laptops and remote locations that regularly communicate with each other. This is the layer where intrusion detection systems (IDS) and intrusion protection systems (IPS) are installed to analyze network traffic more deeply than the firewall does.
Additional software and hardware installed on this layer includes system monitoring devices that can be set to monitor automatically and continually. The purpose of monitoring software and devices is to check for vulnerabilities that appear as a result of upgrades, patches, and the addition and removal of devices and users. This layer includes endpoint security that ensures that security standards are met by endpoint devices before they are permitted on the network.
Layer Four: Host Security
The host security layer, which is the fourth layer, consists of all the devices on the network. These include routers, switches, desktops and servers that all have configurable parameters. With so many devices on the network, a configuration error could create an exploitable security hole. There are IDSs for the host layer, too, and these monitor traffic on the individual devices instead of traffic on the network. Host-based monitoring systems can also be installed on this layer, and, just as with the IDSs, the monitoring systems are constrained to each particular device.
Additionally, network access control hardware or software can continually monitor each host for infections and harmful applications as well as for security software and up-to-date releases. Device-specific anti-virus applications that sit on this layer work in conjunction with anti-virus tools from the network layer. This layer includes more group and individual access control via the use of software that defines user groups and individuals, plus strong passwords and authentication.
Layer Five: Applications
The fifth layer is the application security layer. Since network applications are increasingly placed on the Web for access by remote employees, it's become very important to safeguard the applications at this level. An application shield or firewall works to ensure the permissibility of incoming and outgoing requests. Although users never notice this shield because it is integrated with the device, the shield provides a high level of security.
At this level, too, through passwords, encryption, biometrics and strong authentication, users' access to applications is controlled and monitored. To further protect the applications, input validation occurs via software, monitoring and verification. Overall, application-level security allows better control of applications as well as enhanced security.
Level Six: Transmittal
The data security or transmittal level is the sixth level of security about which managers need to be concerned. This can be rather tricky because it often depends on data ownership, something that is frequently in dispute. Ensuring security at this level requires strong encryption to disguise the data and strong access control and authentication to control access.
Security at this level relates directly back to Level One security, which emphasized policies, standards and procedures. Successful security in level six depends on the already published policies and the defined access discussed in Level One. Sometimes when ownership of data is in contention, managers decide in favor of who has custodianship of the data and responsibility for data integrity.
Don't Set It and Forget It
Every department in a company depends on the network for applications and communication. The mission of layered network security is to ensure with a proper combination of security countermeasures that confidentiality, integrity and availability of the network, services and data are available. But to protect against cyberterrorism, a good security program also requires the installation and refinement of program upgrades.
It's essential to keep up with the latest developments in order to provide adequate protection. Since implementation is only the beginning, a security director must upgrade the company systems regularly to keep up with, if not be ahead of, the terrorists.
D.E. Levine CISSP, CFE, FBCI, CPS, a contributing editor to ST&D and co-author of several security books, can be reached at [email protected].
