Recent reports by the U.S. Department of Commerce suggest that more than half of all Americans already use the Internet, with more than 2 million people logging on for the first time each month. Europe is not far behind, and some European countries may even surpass the U.S. Each month brings more new Internet users than the one before.
While this is generally good news for ISPs, business-to-business (B2B) and network providers, it is also a call to arms for security engineers to implement network security services that serve and protect this ever-growing (and, on average, increasingly naïve) population from the threat of cyberterrorism. Network security services have become the 'virtual foot soldiers' on which engineers must rely to repel these attacks.
A knowledgeable and well-trained security engineer is indispensable to the critical communication infrastructure on which we increasingly rely. The U.S. Federal Reserve chairman, Alan Greenspan, attributes the unprecedented length of the last growth cycle to the increased productivity of the American digital worker, which in turn depends on that communication infrastructure. The role of each security engineer is vital both to the continuity of global industrial success and to national and international security. Acting alone, however, we are limited in what we can accomplish.
The problems to be overcome are formidable. Cyberterrorist adversaries have a growing network in which to hide and a growing range of potential attack vectors. They are increasingly organized and focused. Digital attacks can be coordinated so that no single victimized entity holds enough evidence to track and trace the attack. Cyberterrorist attacks resemble guerrilla warfare: they strike from hiding and disappear quickly afterwards. The vulnerable systems include every modern aspect of transportation, infrastructure, commerce and health, from electronic manipulation of food ingredient lists during manufacture to the creation, destruction or transfer of wealth in banking institutions. Acting alone, our security engineers cannot successfully repel these attacks or trace the attackers, because the required information is typically split among separately managed networks. So what can an individual do to fit into the larger community of information security workers?
There are many opportunities and resources available, and each of them is important. One good place to start is to organize, or join, a computer emergency response team or computer security incident response team (CERT/CSIRT) within your organization. If your organization already has such a group, hold periodic non-emergency meetings to share information, coordinate security projects, mentor new hires, and work out strategy and logistics. If your organization does not have a CERT in place, there is a ready-made format for creating one: the Internet Engineering Task Force's (IETF) best-practices guidelines in RFC 2350, 'Expectations for Computer Security Incident Response' (www.cis.Ohio-State.edu/cgi-bin/rfc/rfc2350.html).
For companies with a strong internal security group, there is an international organization to consider: the Forum of Incident Response and Security Teams, appropriately named FIRST. It brings together commercial, governmental and academic security response teams for regular meetings and for sharing resources in the fight against cyberterrorism. The levels and categories of membership are detailed on its web site: www.first.org.
As important as it is to have a knowledgeable team in place for emergencies, it is not the only way for security engineers to coordinate their efforts against online terrorism. Many countries have government programs that assist security engineers in this work. If your organization has operations in the United States, you can take advantage of the U.S. National Infrastructure Protection Center (www.nipc.gov), coordinated by the FBI to help companies operating in the United States fend off cyberterrorism. A deeper affiliation with this group, as well as daily updates on threats and vulnerabilities of national and international concern, can be gained by joining a local InfraGard chapter (www.infragard.net). Such an affiliation is a great asset to the anti-cyberterrorism security engineer, because it creates a face-to-face network of like-minded people in local companies and institutions who share the same goals and methods.
As for our European counterparts, the Council of Europe has instituted the Convention on Cybercrime (ETS No. 185), which as of this writing has been signed by 32 countries but not yet ratified by any. It is the latest treaty to be opened for signature, and its primary aim is to establish a common criminal policy for protecting society against cybercrime. The current status and text of the treaty are available from the Council of Europe (http://conventions.coe.int/treaty/EN/cadrelistetraites.htm). National borders do not confine cyberterrorists, but law enforcement is severely impeded by jurisdictional limits. From a legal standpoint the attackers still have the edge: by attacking from places without extradition treaties they are practically immune from the law.
On a purely practical basis, if a successful prosecution is one of the desired outcomes, it is important to apply sound forensic evidence-handling techniques when investigating an incident. Staff must be fully trained in these methods before an incident of cyberterrorism occurs, or there is very little chance of your evidence being admissible in court. Simple practices such as never altering the original data and working only from verified copies are a good start, but only a beginning. There is an excellent free tool called Data Digger, available from Data Triage Technologies (www.datatriage.com), which is better than most comparable tools costing thousands. The need to preserve evidence in its native state cannot be overstated. Computer evidence is particularly exposed to defense claims of tampering, and it is highly perishable: logging data is typically retained only as needed for billing or reporting, and such logs are rarely what would be needed to convict a terrorist. Record who handled each item, when, and what was done to it, and record cryptographic hashes of originals and working copies at each step, so that the integrity of the evidence can be demonstrated later. SANS offers some excellent general methods and suggestions on its web site: http://rr.sans.org/intrusion/investigations.php.
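The evidence-handling discipline above (hash the original, make it read-only, work only from a verified copy, and log every touch in a chain-of-custody record) can be scripted so that it is done the same way every time. The following Python is an added illustration, not code from the original article or from Data Digger; the file names, the JSON-lines custody log format and the single constructed web-server log line used as sample evidence are assumptions made for the example.

```python
"""Evidence acquisition with hash verification and a chain-of-custody log.

Added illustration, not code from the original article or from any named
tool. The file names, the JSON-lines log format and the constructed
evidence file are assumptions made for the example.
"""
import hashlib
import json
import os
import shutil
import stat
import tempfile
import time

CHUNK = 1 << 20  # read evidence in 1 MiB pieces so large images fit in memory


def sha256_file(path):
    """Hex SHA-256 of a file, read in chunks."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(CHUNK), b""):
            digest.update(chunk)
    return digest.hexdigest()


def log_event(log_path, **fields):
    """Append one chain-of-custody record (one JSON object per line)."""
    fields["time"] = time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime())
    with open(log_path, "a", encoding="utf-8") as log:
        log.write(json.dumps(fields, sort_keys=True) + "\n")


def acquire(original, workdir, custodian, log_path):
    """Hash the original, mark it read-only, and produce a verified working copy.

    Analysis is then done only on the copy; the original is never opened
    for writing again.
    """
    original_hash = sha256_file(original)
    # Remove write permission so ordinary tooling cannot alter the original.
    os.chmod(original, stat.S_IRUSR | stat.S_IRGRP)
    copy = os.path.join(workdir, os.path.basename(original) + ".copy")
    shutil.copy2(original, copy)
    if sha256_file(copy) != original_hash:
        raise RuntimeError("working copy does not match original; re-acquire")
    log_event(log_path, action="acquire", custodian=custodian,
              original=original, copy=copy, sha256=original_hash)
    return copy, original_hash


def verify(path, expected_hash, custodian, log_path, note):
    """Re-hash a file and log whether it still matches the acquisition hash."""
    matches = sha256_file(path) == expected_hash
    log_event(log_path, action="verify", custodian=custodian, path=path,
              note=note, matches=matches)
    return matches


def demo():
    """Constructed scenario: one web-server log line as the evidence file."""
    root = tempfile.mkdtemp()
    try:
        original = os.path.join(root, "webserver.log")
        with open(original, "wb") as handle:  # constructed sample evidence
            handle.write(b'203.0.113.7 - - [01/Jan/2002:03:14:15 +0000] '
                         b'"GET /cgi-bin/search?q=%00 HTTP/1.0" 500 0\n')
        workdir = os.path.join(root, "work")
        os.mkdir(workdir)
        log_path = os.path.join(root, "custody.jsonl")
        copy, acquired_hash = acquire(original, workdir, "analyst-1", log_path)
        intact = verify(copy, acquired_hash, "analyst-1", log_path, "before analysis")
        # Simulate an accidental (or malicious) edit to the working copy.
        os.chmod(copy, stat.S_IRUSR | stat.S_IWUSR)
        with open(copy, "ab") as handle:
            handle.write(b"extra line\n")
        copy_still_ok = verify(copy, acquired_hash, "analyst-1", log_path, "after edit")
        original_ok = verify(original, acquired_hash, "analyst-1", log_path, "original recheck")
        with open(log_path, encoding="utf-8") as log:
            records = [json.loads(line) for line in log]
        return {
            "copy_verified_at_start": intact,
            "tamper_detected": not copy_still_ok,
            "original_untouched": original_ok,
            "custody_records": len(records),
        }
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    print(demo())
```

Two points the script makes that the prose only implies: the copy is verified against the original's hash immediately after it is made, so a bad copy is caught before any analysis happens; and every later check is itself logged, so the custody record shows not only that the copy was tampered with but when it was last known good.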
What else can be done to prepare for the cyberterrorist? Here are some basic suggestions. I recommend distributing these to your staff as well as keeping them handy yourself as an overall guideline:
- Maintain a high level of personal alertness as well as vigilance toward your systems. If it is feasible to increase the level of logging without impacting performance, do so. If it is feasible to increase the level of real-time monitoring on a system without impacting performance, do so.
- Report all suspicious activity immediately to the appropriate authority. If you do not know whether it is important or not, report it anyway. Now is not the time to put it off. Ask yourself, "If not now, when? If not I, who?"
- Follow the best-practices guidelines available for your system types. If you do not know what they are and you have some responsibility for building systems, escalate this to your management. In general, use and encourage strong passwords, disable unnecessary services, and so on.
- Secure your corporate assets by ensuring that security patches and virus-scanning profiles are up to date on every system you use. Never bring a system online in an unprotected environment. All critical systems should at a minimum be protected by a firewall and regularly backed up. If you are not sure whether a system you interact with meets these minimum criteria, escalate it to your management.
- On your networks, confirm that incoming and outgoing filtering is in place on all network equipment, to the extent possible, to protect against denial-of-service attacks. This means effective firewalls, router access control lists (including anti-spoofing filters that drop packets whose source address could not legitimately have arrived on that interface), and, most importantly, packet prioritization, so that important traffic gets through even under attack. Make sure your network providers are doing this as well. Traffic prioritization is one of the most important defenses in the modern network.
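The incoming and outgoing filtering in the last item is, on a router, a pair of access control lists that drop packets with impossible source addresses (the approach standardized as BCP 38 / RFC 2827). The following Python is an added illustration of that decision logic, not configuration from the original article or from any vendor; the interface names, the site's address block, the bogon list and the sample packets are constructed assumptions.

```python
"""Anti-spoofing ingress/egress filter, the logic behind the router ACLs
the checklist item asks for (BCP 38 / RFC 2827 style).

Added illustration, not code or configuration from the original article.
The interface names, address blocks and sample packets are constructed
assumptions; a real filter would be expressed as router ACLs or firewall
rules, but the decision logic is the same.
"""
import ipaddress
from collections import Counter, namedtuple

Packet = namedtuple("Packet", "iface src dst")

# Assumed topology: the site owns 198.51.100.0/24 behind interface "inside";
# "outside" faces the upstream provider.
SITE_PREFIXES = [ipaddress.ip_network("198.51.100.0/24")]

# Source addresses that should never arrive from the Internet (private,
# loopback, link-local, multicast, "this" network).
BOGON_PREFIXES = [ipaddress.ip_network(p) for p in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4",
)]


def _in_any(addr, nets):
    return any(addr in net for net in nets)


def verdict(pkt):
    """Decide what an anti-spoofing ACL does with one packet."""
    try:
        src = ipaddress.ip_address(pkt.src)
    except ValueError:
        return "drop-malformed"
    if pkt.iface == "inside":
        # Egress: only our own addresses may leave. Anything else is a host
        # on our network spoofing someone else (or a misconfiguration), and
        # letting it out makes us a launch point for spoofed DoS floods.
        return "permit" if _in_any(src, SITE_PREFIXES) else "drop-egress-spoof"
    if pkt.iface == "outside":
        # Ingress: packets claiming to come from inside cannot arrive from
        # the Internet, and bogon sources have no legitimate route back.
        if _in_any(src, SITE_PREFIXES):
            return "drop-ingress-spoof"
        if _in_any(src, BOGON_PREFIXES):
            return "drop-bogon"
        return "permit"
    return "drop-unknown-interface"


def summarize(packets):
    """Count verdicts over a batch of packets; useful for spotting a flood."""
    return Counter(verdict(p) for p in packets)


# Constructed sample traffic: legitimate flows plus a spoofed flood aimed at
# an internal server.
SAMPLE = (
    [Packet("inside", "198.51.100.10", "203.0.113.5")] * 3
    + [Packet("inside", "203.0.113.99", "192.0.2.1")]           # spoofed egress
    + [Packet("outside", "203.0.113.5", "198.51.100.10")] * 2
    + [Packet("outside", "198.51.100.1", "198.51.100.10")] * 4  # spoofed ingress
    + [Packet("outside", "10.0.0.7", "198.51.100.10")] * 2      # bogon source
)

if __name__ == "__main__":
    for pkt in SAMPLE:
        print(pkt.iface, pkt.src, "->", pkt.dst, verdict(pkt))
    print(dict(summarize(SAMPLE)))
```

The egress rule is the one most often skipped, and it is the one that keeps your own network from being used to attack someone else; the ingress rule is what stops an attacker from forging your own addresses to get past trust relationships inside the perimeter. Neither rule substitutes for the traffic prioritization the item calls for, but without them prioritization is working against forged addresses.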
And finally, remember the adage commonly attributed to the late Jon Postel, Internet pioneer: "Be conservative in what you send, liberal in what you accept." (Postel was writing about protocol robustness; for the security engineer, being liberal in what you accept means handling unexpected input gracefully, not trusting it.) Keep aware at all times and do not yield your secrets to the adversaries. They are always waiting for the opportunity to cause damage.
Joseph Vaughn-Perling, CISSP, is employed as a senior security consultant for Infonet Services Corporation's strategic network security services (www.infonet.com).