^macro[html_start;Electronic Pearl Harbour;Electronic Pearl Harbour;Electronic, Pearl, Harbour] ^macro[pagehead;img/library.gif] ^macro[leftcol] ^macro[centercol;


Electronic Pearl Harbour

By Helene Zampetakis
Stop cybercrime and cyberterrorism

Leading security expert Professor Bill Caelli says Australian organisations are taking the threat of cyber terrorism nowhere near seriously enough.

Terrorism today is about working small, smart and fast. Known as asymmetric warfare, the new terrorism is not about taking hostages, it’s about using the least resources to create the greatest damage.

As global tension boils over, the great fear is that asymmetric warfare lends itself perfectly to cyber terrorism. Wielded remotely, the Internet can become a potent weapon to immobilise a nation’s critical infrastructure.

Distinguished security expert, Professor Bill Caelli, believes it’s just a matter of time before this happens on a national scale.

“The problem we’ve got is the likelihood that a national information infrastructure will be attacked in order to bring down critical national infrastructure,” says Caelli. “In the US, they talk about it as an electronic Pearl Harbour.”

Caelli is a veteran of computer security with 30 years’ experience in this area. Currently head of the school of software engineering and data communications at Queensland University of Technology (QUT), he is also an officer (AO) in the general division of the Order of Australia.

Among other things, he is on the board of the international security body, the Colloquium for Information Systems, and is a member of the Vienna-based Information Federation for Information Processing technical committee 11 on information systems security.

Virtual battlefield

About 20 years ago, Caelli was in a London train station when an IRA bomb exploded 500m away from him. The psychological impact of that bomb was such that Caelli now dismisses incidents such as defaced Web sites and denial of service attacks as mere skirmishes on the outskirts of the virtual battlefield.

He’s also wary of labelling an attack as political when it could just as well be criminal, mischievous or simply accidental.

“To be absolutely honest, cyber terrorism is a threat, but at present we don’t have any real evidence of it – as yet,” says Caelli. “I’ve been working in IT security for nearly 30 years and I can’t point you to a well-documented cyber terrorist attack on an infrastructure or computer network with the overall effect of achieving a national or political end.”

Perhaps because of this, Caelli contends, corporate Australia is in a state of denial about the condition of its information security.

Few organisations apart from the military and some large companies such as Ford and Shell are taking the threat seriously enough. So far, organisations have got away with a lax attitude to security. The worst offender is the commercial Government sector, especially where the information systems are outsourced, says Caelli.

“The Government’s business is information and in that sense it is outsourcing its core responsibility,” he says. “We’ve been lucky for 20 years, but our luck is starting to run out.”

Caelli describes the state of Web services across organisations nationally as “an absolute catastrophe” with gaping security holes in areas such as authentication and identification management.

New technologies such as wireless technology are “a screaming disaster”. Detection, prevention, response and recovery are poorly determined and yet security continues to be regarded as a “cost centre”. Despite this, security threats overall are growing.

A report by anti-virus vendor Symantec found network-based attacks spiked 20 per cent in the last six months of 2002, compared with the same period in 2001. It also found power and energy companies attracted 60 per cent of targeted attacks, with telecommunications and financial services companies following close behind. These attacks have made investors wary of organisations that cannot demonstrate business continuity.

“During the next five years, boards will be required to make very strong statements about their information systems structure from the point of view of the investor,” says Caelli. Caelli says the expertise to perpetrate such attacks against Western interests is widespread.

He cites as an example the recent identification of hacker groups operating in China. “The other side does have the technological know-how,” he says, adding that technology education in China is far better than it is in the West. A typical course in China will teach the nuts and bolts of how technology works^; in Australia and the US, the education focuses on applications.

“What has been wound back is training in fundamental technology so our people don’t understand the internal control infrastructure and internal security. Windows is just a black box,” says Caelli. “Other countries are not going that way. We may have to assume that their people could be better trained.”

War boosts cyber terrorism

Caelli believes the threat of cyber terrorism has burgeoned as a result of the Iraq war, which he says may set loose radical fringe groups. He quotes Egypt’s President Hosni Mubarak’s warning that the war would spawn 100 Osama bin Ladens. Essentially, any business that’s online could be a target.

“That is why intelligence is critical. It will let us ascertain the depth and level of an attack,” he says. “One of the most important aspects of our relationship with the US is our intelligence sharing, because this will give you leadership in the 21st century.” That intelligence is now becoming critical because of the happy-go-lucky approach of the past.

Caelli contends the biggest problem to security in the past 20 years has been the move to commodity commercial systems. He blames the proliferation of the PC and domination of its operating system for our heightened vulnerability. The PC was never designed to be a commercially secure technology – it was meant to empower the knowledge worker. Nevertheless, it has proliferated because it was a cheap computing solution.

“So the problem we have is that we’ve built a national infrastructure both at the desktop and at the server level.”

Australian organisations have always regarded technology as a cost and aimed to use the cheapest systems for the job.

“The result is total vulnerability,” says Caelli. “Standardisation has been bad news for security, except in cases where the technology has been specifically designed to heighten those safeguards. The worst thing for security is to have a monopoly because the hacker knows what to go after. The good news is that we’re starting to see an alternative in Linux.”

Although Caelli believes Australia’s information systems and its links to the outside world are intrinsically weak, he says the Internet itself is robust. Attacks are predominantly made on the nodes of the Internet rather than the protocols, and an attack made a year ago on 12 root name servers was unsuccessful. Caelli advocates a concerted effort to “harden” the nodes.

Outside the organisation, CIOs need to inquire about their ISPs’ security practices and appropriate routing strategies. Internally, “we should be looking at the next generation of secure operating systems,” says Caelli. He cites as examples Secure Linux, Trusted Solaris and Hewlett-Packard’s Virtual Vault.

Although such a move would require an initial capital outlay, overall technology costs would not be very high, says Caelli. The difference would amount to about A$6,000 for a major server and only a few hundred dollars for a workstation. Indeed, the main cost would come with training of users.

Nevertheless, it is a cost that has to be undertaken, particularly in those industry sectors most at risk of attack by cyber terrorists – healthcare, energy, water and financial services.

“We have to up the security profile of the computer system,” says Caelli. “Our organisations are not taking security seriously enough, because the minute they do, they will acknowledge the problem and litigation might occur. There is denial going on and security is the cost.”

Caelli says CIOs need to demonstrate security is an enabler that can provide new trusted services to customers. “They need to implement mandatory security control systems that can’t be bypassed – policies that are set up by management.”

All systems should have a minimum security level of B1 by the Information Technology Security Evaluation and Certification, a body that provides a uniform standard of security certification. B1 certification requires mandatory access control over named subjects and objects. “All Internet connected servers should fall into that area.”

Where new technologies such as wireless are introduced, virtual private networks should sit above it to provide the security in a different way such as full application end-to-end encryption.

“That should be the minimum due diligence for IT governance – but we are nowhere near that now,” says Caelli. “I am very pessimistic that boards of directors will heed the call to up the ante on computer security.”

WHAT TO DO TODAY


Begin investigating the next generation of secure technology, such as Trusted Solaris Version 8, SE Linux or Hewlett-Packard VirtualVault.

Be wary of Web services. Get clear answers from vendors on security. Take up a watching brief on Web services and do not commit until you are absolutely certain your solution will be secure.

Commit to educating and training IS staff on IT governance including the possible legal obligations that may result from IS system failure.

SECURITY: WHAT ELSE CAN YOU DO?

Initiate a review of your firewalls and check the current rule sets in the firewall.

Check the position of the firewalls in the network and ensure they sit in front of any routers and switches. The firewall should be the primary entry point to your organisation.

Make sure you’re up to date on all patches.

Designate responsibility for security and ensure that this person is given training and the clout to be effective.

Join AusCert (www.auscert.org.au).

Source: www.misweb.com




] ^macro[html_end]