Business Technology: Security Tips That Will Scare--And Help--You - InformationWeek


11:43 PM
Bob Evans

Security nightmares are swirling all around us--more sophisticated, more malicious, more damaging--and perhaps the next theater in the battle will be industrial networks: energy generation, power transmission, utilities, transportation, telecom, etc. Feel overwhelmed? A great place to start looking for ideas, Bob Evans says, could be InfraGard.

With InformationWeek's annual Security Survey coming out today, I wanted to share with you some of the valuable but frightening things I found on a security-related site that until one week ago I'd never heard of:

  • The beat goes on: "The LexisNexis break-in was set in motion by a blast of junk E-mail. Sometime in February a small group of hackers, many of whom knew each other only through IRC, sent out hundreds of E-mails with a message urging recipients to open an attached file to view pornographic child images. The attachments had nothing to do with child porn; rather, the files harbored a virus that allowed the group's members to record anything a recipient typed on his or her keyboard. A police officer in Florida was among those who opened the infected E-mail message. Not long after his computer was infected with the keystroke-capturing virus, the officer logged on to his police department's account. And the beat goes on. ..." -- From "Navigating The New Threat Landscape," by Internet Security Systems' Patrick Gray

  • Corporate irresponsibility? "Sept. 2004: Sven Jaschan of Rotenberg admitted writing Sasser worm and being part of Skynet (authors of Netsky). Soon thereafter, SecurePoint, a German security firm, offers him a job. July 11, 2005: Jaschan receives 21-month suspended sentence, 30 hours community service." -- From "Taking Control Of Enterprise Security," by the Computer Security Institute's John O'Leary, listed here

  • Application-server vulnerabilities: "Oracle Database Server: multiple vulnerabilities exist that vary in severity; the most severe include remote execution of arbitrary SQL commands, disclosure of sensitive information, and denial of service; Microsoft SQL Server: multiple vulnerabilities exist that could allow remote attackers to cause denial-of-service conditions, bypass database policies, disclose sensitive information, and potentially execute arbitrary code." -- From "Security Threats, Insecure Protocols, And Common Vectors," by Cisco's Allan Weaver, listed here

  • CEO cluelessness? "Few C-Suite occupants grasp the case for investing in safeguards against hackers, worms, and the like. It is the duty of every CIO, CISO, and CSO to banish that innocence." -- Patrick Gray's "Navigating The New Threat Landscape," cited above

    Those are just a few quick samples of the rich security-related content to be found on the Web site of InfraGard, a national association I mentioned in this space last week after FBI Director Robert Mueller spoke at InfraGard's annual conference. So what is InfraGard, and why is it pulling together this and other valuable cybersecurity content? Formed in 1996 by the FBI to enlist the help of the IT industry and academia for the bureau's investigations into cybercrime, InfraGard today is "an association of businesses, academia, institutions, state and local law-enforcement agencies, and others dedicated to sharing information and intelligence to prevent hostile acts against the United States." Its 11,270 members include representatives from 68 of the Fortune 100 and are organized into local chapters around the country. So InfraGard is one of those outfits that actually does think globally while acting locally, and while my exposure to InfraGard has been admittedly brief, I would urge you to evaluate what the chapter near you is doing.

    Here's another one: Know what "Scada" is? A study presented at an InfraGard chapter taught me that it stands for "Supervisory Control and Data Acquisition"--more directly, industrial process-control systems that monitor and control equipment such as motors, valves, pumps, relays, and sensors. Know why Scada is going to become a lot more important to traditional IT operations? Here's an example from that study: "Terrorists aside, what about sabotage of Scada systems by others, such as insiders? In 2000, in Maroochy Shire, Queensland, Vitek Boden released millions of litres of untreated sewage using a wireless laptop, apparently taking revenge against former employers. He was arrested, convicted, and jailed."

    "With about 85% of the nation's critical infrastructure--energy utilities, manufacturing and transportation facilities, telecommunication and data networks, and financial services--in the private sector, it's no wonder there have been so many attempts to create services that keep these companies apprised of threats to their IT networks. But there's a problem: Most companies aren't eager to share their adventures in cybersecurity with each other or the government."

    -- InformationWeek, Larry Greenemeier, Aug. 24

    Think of the infrastructure connections to your business--energy generation, power transmission, water, sewer, telecom, transportation, and more--and these Scada links don't seem so obscure. As Joe St. Sauver's paper points out, the Slammer worm in 2003 crashed the network of an Ohio nuclear power plant. The plant was offline at the time, but the worm did crash its safety-monitoring system for five hours.

    But while the potential for massive damage via cyberattacks is increasing, the good news is that the IT industry is beginning to take note. The paper, given at an InfraGard chapter meeting late last year in Eugene, Ore., by St. Sauver of the University of Oregon's Computing Center, said, "Cisco deserves a big 'atta boy' for its Critical Infrastructure Assurance Group," and he also cites the Cyber Security Industry Alliance, whose members include more than a dozen security-related vendors.

    And finally, St. Sauver's presentation completed the circuit with this advice: "Much of what's being faced in the Scada world has already been hashed through and fixed in the enterprise IT world. Those solutions, where suitable, need to be 'thrown over the wall' to Scada networks and systems so Scada folks don't 'reinvent the wheel.' IT folks need to visit with the process-control guys and gals."

    The worlds of industrial-control networks and more-traditional enterprise IT networks are coming together, inevitably and inexorably. Are you ready? Either way, InfraGard is probably a pretty good outfit to get to know.

    Bob Evans
    Editorial Director
