Business Technology: Security Tips That Will Scare--And Help--You - InformationWeek

InformationWeek is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

11:43 PM
Bob Evans
Bob Evans

Business Technology: Security Tips That Will Scare--And Help--You

Security nightmares are swirling all around us--more sophisticated, more malicious, more damaging--and perhaps the next theater in the battle will be industrial networks: energy generation, power transmission, utilities, transportation, telecom, etc. Feel overwhelmed? A great place to start looking for ideas, Bob Evans says, could be InfraGard.

With InformationWeek's annual Security Survey coming out today, I wanted to share with you some of the valuable but frightening things I found on a security-related site that until one week ago I'd never heard of:

  • The beat goes on: "The LexisNexis break-in was set in motion by a blast of junk E-mail. Sometime in February a small group of hackers, many of whom knew each other only through IRC, sent out hundreds of E-mails with a message urging recipients to open an attached file to view pornographic child images. The attachments had nothing to do with child porn; rather, the files harbored a virus that allowed the group's members to record anything a recipient typed on his or her keyboard. A police officer in Florida was among those who opened the infected E-mail message. Not long after his computer was infected with the keystroke-capturing virus, the officer logged on to his police department's account. And the beat goes on. ..." -- From "Navigating The New Threat Landscape," by Internet Security Systems' Patrick Gray

  • Corporate irresponsibility? "Sept. 2004: Sven Jaschan of Rotenberg admitted writing Sasser worm and being part of Skynet (authors of Netsky). Soon thereafter, SecurePoint, a German security firm, offers him a job. July 11, 2005: Jaschan receives 21-month suspended sentence, 30 hours community service." -- From "Taking Control Of Enterprise Security," by the Computer Security Institute's John O'Leary, listed here

  • Application-server vulnerabilities: "Oracle Database Server: multiple vulnerabilities exist that vary in severity; the most severe include remote execution of arbitrary SQL commands, disclosure of sensitive information, and denial of service; Microsoft SQL Server: multiple vulnerabilities exist that could allow remote attackers to cause denial-of-service conditions, bypass database policies, disclose sensitive information, and potentially execute arbitrary code." -- From "Security Threats, Insecure Protocols, And Common Vectors," by Cisco's Allan Weaver, listed here

  • CEO cluelessness? "Few C-Suite occupants grasp the case for investing in safeguards against hackers, worms, and the like. It is the duty of every CIO, CISO, and CSO to banish that innocence." -- Patrick Gray's "Navigating The New Threat Landscape," cited above

    Those are just a few quick samples of the rich security-related content to be found on the Web site of InfraGard, a national association I mentioned in this space last week after FBI Director Robert Mueller spoke at InfraGard's annual conference. So what is InfraGard, and why is it pulling together this and other valuable cybersecurity content? Formed in 1996 by the FBI to enlist the help of the IT industry and academia for the bureau's investigations into cybercrime, InfraGard today is "an association of businesses, academia, institutions, state and local law-enforcement agencies, and others dedicated to sharing information and intelligence to prevent hostile acts against the United States." Its 11,270 members include representatives from 68 of the Fortune 100 and are organized into local chapters around the country. So InfraGard is one of those outfits that actually does think globally while acting locally, and while my exposure to InfraGard has been admittedly brief, I would urge you to evaluate what the chapter near you is doing.

    Here's another one: Know what "Scada" is? A study presented at an InfraGard chapter taught me that it stands for "Supervisory Control and Data Acquisition"--more directly, industrial process-control systems that monitor and control equipment such as motors, valves, pumps, relays, and sensors. Know why Scada is going to become a lot more important to traditional IT operations? Here's an example from that study: "Terrorists aside, what about sabotage of Scada systems by others, such as insiders? In 2000, in Maroochy Shire, Queensland, Vitek Boden released millions of litres of untreated sewage using a wireless laptop, apparently taking revenge against former employers. He was arrested, convicted, and jailed."

    "With about 85% of the nation's critical infrastructure--energy utilities, manufacturing and transportation facilities, telecommunication and data networks, and financial services--in the private sector, it's no wonder there have been so many attempts to create services that keep these companies apprised of threats to their IT networks. But there's a problem: Most companies aren't eager to share their adventures in cybersecurity with each other or the government."

    -- InformationWeek, Larry Greenemeier, Aug. 24

    Think of the infrastructure connections to your business--energy generation, power transmission, water, sewer, telecom, transportation, and more--and these Scada links don't seem so obscure. As Joe St. Sauver's paper points out, the Slammer worm in 2003 crashed the network of an Ohio nuclear power plant. The plant was offline at the time, but the worm did crash its safety-monitoring system for five hours.

    But while the potential for massive damage via cyberattacks is increasing, the good news is that the IT industry is beginning to take note. The paper, given at an InfraGard chapter meeting late last year in Eugene, Ore., by St. Sauver of the University of Oregon's Computing Center, said, "Cisco deserves a big 'atta boy' for its Critical Infrastructure Assurance Group," and he also cites the Cyber Security Industry Alliance, whose members include more than a dozen security-related vendors.

    And finally, St. Sauver's presentation completed the circuit with this advice: "Much of what's being faced in the Scada world has already been hashed through and fixed in the enterprise IT world. Those solutions, where suitable, need to be 'thrown over the wall' to Scada networks and systems so Scada folks don't 'reinvent the wheel.' IT folks need to visit with the process-control guys and gals."

    The worlds of industrial-control networks and more-traditional enterprise IT networks are coming together, inevitably and inexorably. Are you ready? Either way, InfraGard is probably a pretty good outfit to get to know.

    Bob Evans
    Editorial Director
    [email protected]

    To discuss this column with other readers, please visit Bob Evans's forum on the Listening Post.

    To find out more about Bob Evans, please visit his page on the Listening Post.

    We welcome your comments on this topic on our social media channels, or [contact us directly] with questions about the site.
    Comment  | 
    Print  | 
    More Insights
  • State of the Cloud
    State of the Cloud
    Cloud has drastically changed how IT organizations consume and deploy services in the digital age. This research report will delve into public, private and hybrid cloud adoption trends, with a special focus on infrastructure as a service and its role in the enterprise. Find out the challenges organizations are experiencing, and the technologies and strategies they are using to manage and mitigate those challenges today.
    Augmented Analytics Drives Next Wave of AI, Machine Learning, BI
    Jessica Davis, Senior Editor, Enterprise Apps,  3/19/2020
    How Startup Innovation Can Help Enterprises Face COVID-19
    Joao-Pierre S. Ruth, Senior Writer,  3/24/2020
    Enterprise Guide to Robotic Process Automation
    Cathleen Gagne, Managing Editor, InformationWeek,  3/23/2020
    Register for InformationWeek Newsletters
    Current Issue
    IT Careers: Tech Drives Constant Change
    Advances in information technology and management concepts mean that IT professionals must update their skill sets, even their career goals on an almost yearly basis. In this IT Trend Report, experts share advice on how IT pros can keep up with this every-changing job market. Read it today!
    White Papers
    Twitter Feed
    Sponsored Live Streaming Video
    Everything You've Been Told About Mobility Is Wrong
    Attend this video symposium with Sean Wisdom, Global Director of Mobility Solutions, and learn about how you can harness powerful new products to mobilize your business potential.
    Sponsored Video
    Flash Poll