Cyberterrorism: hype or reality?




CYBERTERRORISM

Mathieu Gorge

Mathieu Gorge analyzes whether cyberterrorism is a real threat and what can be done about it.

Given the current global political climate, the media tend to give the topic of terrorism a great deal of coverage. In recent years a new term has also hit the headlines: cyberterrorism. While everyone will agree that the Internet and so-called cyberspace can be used as a medium to carry out attacks, there are no official definitions. So what constitutes cyberterrorism? How does it work and who are the prime targets? In addition, what are governments and businesses doing to combat this new security threat?

Definition

At a very basic level one needs to look at the terms terrorism and cyberspace. There is no single definition for these two terms. However, Wikipedia suggests a definition for the concept of cyberterrorism: “Cyberterrorism is the leveraging of a target’s computers and information technology, particularly via the Internet, to cause physical, real-world harm or severe disruption with the aim of advancing the attacker’s own political or religious goals.” While this definition is very succinct, it is also worth looking at the definition from the National Conference of State Legislatures: “Cyberterrorism can be defined as the use of information technology by terrorist groups and individuals to further their agenda. This can include use of information technology to organize and execute attacks against networks, computer systems and telecommunications infrastructures, or for exchanging information or making threats electronically. Examples include: Hacking into computer systems, introducing viruses into vulnerable networks, website defacing, denial-of-service attacks and terrorist threats made via electronic communication.”

Based on those two definitions one can already see a clear convergence between cyber attacks and cyberterrorism. Both concepts are interlinked and need to be considered together. Indeed, there are other terms related to threats within the cyber world which are also included under the same umbrella term of cyberterrorism. They include:
• Cyber bullying: Harassment of targets over the Internet.
• Cyber stalking: Following a user’s “footsteps” on the Internet.
• Cyber squatting: Taking over an IP address to host your own information, thus preventing the real owner from using “their” cyberspace.
• Cybercrime: Any type of criminal activity conducted over cyberspace; typically refers to financial scams such as phishing, pharming and other 419-type scams.
• Cyber attacks: Generic term for attacks on the e-facilities of government, businesses and citizens. This includes spam, denial-of-service attacks, spyware, hacking and so on.

The question then arises whether the strategic approach to combating cyberterrorism really differs from the countermeasures taken against “traditional physical” terrorism. In essence, responses to an overall idea of cyberterrorism must include more than politically motivated acts disrupting cyberspace. It can be argued that more civilians can help fight cyberterrorism threats than traditional terrorism, because employees (in the corporate world) and citizens (at home) have easier ways and more potential to be proactive and defend against cyberterrorism tactics. This is done by implementing security measures on corporate and home networks and is linked to the types of cyber threats exploited by cyberterrorists.

There are two main streams of cyber attacks. The first type includes political acts of damage very close to traditional acts of terrorism. It includes the defacement of Danish websites in “response” to the cartoons of the Prophet Mohammed published by a Danish newspaper. Other examples range from websites used to show the murder of hostages live through to the recruitment of terrorists over ICT systems. One also needs to consider non-political acts of damage, which are typically ICT-driven cyber attacks including:
• Virus attacks (either blind or targeted at certain types of systems).
• DoS & DDoS.
• Racketeering and blackmailing.
• Unauthorized access to private, corporate or government systems with the intention of viewing, copying and/or destroying data.

While there has been some hype over what can and can’t possibly be done from a technical point of view, a number of existing cases must be considered to understand the full scope of cyber attacks and which attack may or may not be attributed to acts of terrorism. In 1989, the “Legion of Doom” hackers took over the South Bell telephone system simply to prove they could hack into the infrastructure. In 1994, an attacker hacked into the Salt River Project to try and gain control of water level features. In 1997, a hacker disabled the computer system of the control tower of Worcester Airport, Massachusetts, USA. In 1997 again, a Swedish hacker managed to jam a 911 telephone system in Florida. On a rather funnier note, a disgruntled Australian consultant hacked into a waste management system in 2000 and released raw sewage in revenge for losing his job at the city council. And then cybercriminals began to realise there was money to be made. In 2004, Paddy Power bookmakers and e-commerce firm 2Checkout, along with many others, were victims of a DDoS attack at the hands of extortionists whose aim was to bring down the websites unless a specified amount of money was paid. The Mitsui Sumitomo London branch was hacked into in 2000; a keylogging scam was suspected. Since 2003, fighters in Iraq have also been using the Internet to show murders of Western hostages.

The Silent Killer

Moreover, additional scenarios also need to be taken into account. While some attack possibilities may not have been reported yet, it is easily conceivable that such cyber attacks could take place. The aim of the so-called “Silent Killer” attack is to cause panic by releasing information on events affecting civilians’ health which may or may not have taken place. A possible attack would be to change the formulations of popular pre-packed food or pre-packed medicine. To do so, an attacker would merely need to hack into the computer systems of food processing or drug manufacturing organizations to change formulations. The potential consequences would have a disastrous effect on the population, causing:
• Illnesses.
• Commercial impact.
• Fear factor.
• Impact on trustworthiness of the industry and government.

Die Hard II

Another type of attack is known as the “Die Hard II.” In this scenario, the objective is to disrupt rail and/or air traffic control. The technique for the attack consists of a hack into a major airport or train station traffic control system to take over the network with a view to sending falsified en-route traffic information about train/aircraft position on the rail network or in the air space, resulting in head-on collisions and off-course traffic.

Potential consequences would also be disastrous: accidents, deaths, commercial impact, fear factor and an adverse impact on civilian trust of the industry and government.

Table: Potential risks to critical infrastructure from cyberterrorism (CI sector/area of concern, with an example of the link to cyberterrorism)
• Banking & Finance: Country financial infrastructure.
• Agriculture: Produces “raw” food for all citizens; the supply chain is vulnerable.
• Food Industry: Processes food and food sales; vital for all citizens.
• Energy: The “engine” behind our way of living; any disruption creates havoc and has financial repercussions.
• Drinking Water / Water re-processing facilities: In the US, 170,000 public water systems need to be protected.
• Dams: Some are part of critical infrastructure, some are more symbolic (e.g. US or Paraguay/Brazil dams).
• Processing of chemical & other dangerous/hazardous material: Turns dangerous raw material into required end products such as medicines, electronics, cars, construction materials, etc.

How do cyber attacks work? How is a cyberterrorism attack organized?

In order to understand how such attacks are executed one needs to consider them as traditional terrorist attacks from an intelligence gathering viewpoint. In reality, forensic investigations carried out on reported incidents show that a lot of pre-attack intelligence gathering work is completed before attacks are launched. Gathering information requires planning, and successful attacks have always proved to have been well planned. Typically, it is safe to assume that the attacker has chosen a very specific target (government or business) and that he/she has a motive (political or non-political) and an objective which can range from creating a nuisance through to money laundering or racketeering. It can also be assumed the attacker has good technical skills. However, it is important to understand that the intelligence gathered by attackers was made “readily” available by victims. Most times, appropriate security measures on the victim’s network were not in place. The security strategy was based on a technical solution only, rather than the necessary mixture of policies, technical solutions and user awareness. Indeed, internal users are often unwillingly, and sometimes willingly, responsible for the success of an attack and the failure of security systems. They often provide information pertaining to the set-up and security levels of the corporate systems to third parties without realising they are doing so. This is a concept known as social engineering, which is often associated with industrial and cyber-based espionage activities. Notwithstanding unintentional disclosure of information, attackers also benefit from the information freely available on the information superhighway. A simple “Google” search on the target coupled with free IP scans available from the Internet can provide very useful information including names, telephone numbers, naming conventions for email addresses and servers, information on the set-up of the organization’s website and so on. The attacker will easily manage to build a profile of the target and be in a better position to tailor the attack to exploit vulnerabilities he/she has uncovered during the pre-attack phase.
The next task is to understand what kind of opportunities a cyberterrorist might have. As explained earlier on, such opportunities can be summarised as follows:
• Acts of damage (politically motivated or financial).
• Propaganda (e.g. deface a website to promote their “values”).
• Recruitment and “internal” communication platform.

There are key advantages for terrorists in engaging in cybercrime activities rather than more traditional methods. Firstly, in cyberspace there are no borders as with physical control. It is sometimes even difficult to ascertain which legal framework applies to an attack, which can be subject to several jurisdictions rather than one. The “legal confusion” regarding cyber attacks makes it easier for hackers. One example would be the idea of sending a denial-of-service attack on any IP address which is itself executing a DoS on a country’s ISP. However, if the attack originates from another jurisdiction it may not be legal to launch such an attack. Similarly, should a “terrorist” email be sent from a Web mail address, the steps to lawfully intercept the email may not be straightforward. Altogether this offers would-be terrorists a low-risk type of attack with great impact potential. The skill levels required of the would-be attacker are decreasing while the impact of attacks increases. The Internet is the best platform to find new targets and collect information about them. Attackers can then launch a social engineering attack to gather key intelligence as well as use free technical means such as hacking tools available from the Internet to make use of the gathered intelligence.

Anatomy of an attack: step by step

1. The target is chosen by a terrorist group. It could be a part of a nation’s critical infrastructure such as the rail network, electricity grid or ATM network, government websites or financial institutions’ networks.
2. Terrorists start gathering information:
– On the net: articles, press releases, studies etc.
– On the actual website of the target.
– Perform their own “pen-testing” on the Web.
– Identify many technical elements (OS, versions, type, etc.).
– Gather information via social engineering. Social engineering attacks take place and critical information is collected.
3. Cyber attack is launched.
– Technical attack is launched. Access is gained and may be maintained by the attacker for a while.
– Attack is either successful or foiled. If successful, perpetrators may publicise it via the media. In any case attackers will try and cover their tracks.
4. Post-attack investigation takes place.
– Internally if committed on a business, through internal procedures if they are in place. External forensic experts might be called in. Authorities might also be involved.

The target’s reactions to cyberterrorist attacks will vary depending on the type of attack, especially on whether actual damage was done or whether the attack was purely aimed at creating a fear factor. If unprepared, it is likely victims will actually tamper with the evidence instead of preserving it until trained forensic experts are called in. It is worth noting that large enterprises as well as governments have established Computer Emergency Response Teams (CERTs), which are there to help manage crisis situations such as cyber attacks. In doing so, CERTs are mindful to also consider the reaction of the general public in order to contain any potential fear factor which might arise. Through the work carried out by CERTs, governments on a global basis are trying to provide this support infrastructure to organizations and citizens alike.

Critical Infrastructure

CERTs are also established to help protect every country’s critical infrastructure (CI), which is a term used by governments to describe material assets that are essential for the functioning of a society and economy. Most commonly associated with the term CI are facilities for:
• Electricity generation and distribution.
• Telecommunication.
• Water supply.
• Agriculture, food production and distribution.
• Heating (natural gas, oil).
• Public health.
• Transportation systems (fuel supply, railway network, airports).
• Financial services.
• Security services (police, military).

We should also bear in mind that all the above elements tend to be interlinked and that all of them rely on telecommunications to function. Telecommunications covers many areas:
• Telephone (landlines and mobiles).
• Email.
• Internet-based messaging (webmail and instant messaging).
• Radio.
• Television.
• Satellite-based services (e.g. GPS).
• ATM networks.
All of this is generally covered under the umbrella name of ICT. Because all elements of CI are interlinked, ICT actually constitutes a single point of failure for the way we live, a fact which cyberterrorists are well aware of and try to exploit. Citizens take critical infrastructure as a given, while businesses do not think proactively about their dependence on all of the above ICT services. In terms of these “targets” for cyberterrorists, one must remember that a large proportion of them are privately owned; government intervention in securing this environment is therefore somewhat limited. There is a major requirement for public-private partnership and cooperation. Privacy issues are always at the forefront, thus slowing or even preventing some government intervention aimed at increasing security levels.

When one considers cybersecurity threats against CI, it is important to cover the topic of SCADA (supervisory control and data acquisition). SCADA systems are used to manage our CI and are unfortunately not always inherently secure. A SCADA system is a central system that monitors and controls a complete site, including a technical solution which is linked to physical devices (e.g. valves of a dam, elements of a manufacturing plant such as pharmaceutical devices, or the output voltage of a power plant) and which contains Distributed Control Systems (DCS). It is also referred to in some publications as HMI (Human Machine Interface). Since SCADA is used as a control mechanism for chemical plants, electricity generation, electric power transmission, electricity distribution, district heating and other CI elements, SCADA systems themselves need to be protected against cyber attacks. The US 2002 document “21 Steps to Improve Cyber Security of SCADA Networks” states: “SCADA networks [are] potentially vulnerable to disruption of service, process redirection, or manipulation of operational data that could result in public safety concerns and/or serious disruption to the nation’s CI.” “Single points of failure must be avoided and cyber security defense must be layered to limit and contain the impact of any security incidents.”

The document is divided into rules giving clear guidelines as to what to address:
• Rule 16: identify cybersecurity requirements, and Rule 20: roles & responsibilities of all individuals.
• Rule 19: establish back-up and disaster recovery plans.
• Rule 21: deals with “social engineering” threats and user training requirements.
Evidently, normal best-practice security rules apply to the protection of SCADA networks, including self-assessment, defence-in-depth, ongoing risk assessment, regular penetration testing, system hardening, minimizing external remote connections and so on. Security awareness programmes and campaigns are also key to the success of countermeasures against cyberterrorism. Notwithstanding the role of governments, who through CERT initiatives as well as other key legislation and standards promote good governance (e.g. Sarbanes-Oxley, European Data Protection Directive, Payment Card Industry Standard), there is a definite requirement for improved, more in-depth public-private cooperation to address the threat of terrorism through cyberspace. It is, however, early days and so far no human death has been clearly linked to cyber attacks, whether they were terrorism or criminal acts. Nonetheless, this is an item which has become high on the agenda of many industry analysts, and it is very likely the industry itself, along with government initiatives, will continue to put pressure on businesses as well as citizens to take basic security steps to help fight cyberterrorism and protect our critical infrastructure.

About the author

Mathieu Gorge is the Managing Director of Vigitrust, an Ireland-based security consultancy.

Profiles in cyber courage #1: Fred Cohen

Richard Power and Dario Forte

Dario Forte and Richard Power have identified a number of security gurus who have made a difference in the IT security field. Every second month our authors will interview an established expert. The first profile focuses on Fred Cohen, a pioneer who first described a computer virus.

In the early 1950s, while recovering from back surgery, Sen. John F. Kennedy of Massachusetts (who would later become the 35th president of the US) wrote a book entitled Profiles in Courage. It became a bestseller and helped propel him to prominence on the national scene. Profiles in Courage highlighted the bravery and integrity of eight Senators, throughout US history, who defied political pressure and public opinion to do what was right. This year, every second month, the War & Peace in Cyberspace column will feature a new series – Profiles in cyber courage. In this ongoing series, we will focus on colleagues who have made significant contributions to the field of cybersecurity, and conduct in-depth interviews on timely and vital issues.

Our first profile in cyber courage highlights Fred Cohen (http://all.net), who has been operating beyond the frontlines of cybersecurity for more than 25 years. Dr Cohen is a world-class researcher, educator and consultant. He is also a prodigious author. His “Chief Information Security Officer’s (CISO) Toolkit” is a collection of tools that CISOs can use to overcome the real-world challenges that confront them. His Fraud, Spies and Lies, and How to Defeat Them is an exhaustive exploration of techniques utilised by fraudsters and intelligence operatives. It shows how to conduct investigations and counterintelligence operations to protect yourself and your organizations.

Forte & Power: We all have CVs, and book jacket biography blurbs, but instead we would like to hear your thoughts along the following lines: How many years have you been working in cybersecurity? What do you think has been most rewarding about it? What do you think has been most disturbing or discouraging about it? What surprises you – if anything – about where the field is today versus where it was when you began your career?