[iwar] [fc:Who's.Protecting.Our.Infrastructure?]

From: Fred Cohen (fc@all.net)
Date: 2001-09-19 18:55:35



SEPTEMBER 18, 2001 

SECURITY NET 
By Alex Salkever 

Who's Protecting Our Infrastructure?

No one.  Computer-security standards that would thwart hacker terrorism
against utility, telecom, health-care, or power systems don't exist


Chris Wysopal, a computer-security expert,
was scheduled to brief the Senate Governmental Affairs Committee in
Washington, D.C., on Wednesday, Sept.  12.  But when the Federal
Aviation Administration grounded all national air travel after two
hijacked planes struck the World Trade Center towers and a third set the
Pentagon ablaze, Wysopal's appearance was postponed indefinitely. 

His message, however, should not get drowned out in the din of war talk. 
A noted good-guy hacker and the research director of Web-security
company @stake, Wysopal planned to deliver a candid assessment of how
utilities, telecoms, and other critical national infrastructure
providers protect their computer networks. 

A HODGEPODGE.  Wysopal's assessment? Much work remains to be done. 
While some critical infrastructure providers have rock-solid
protections, all too many have neglected even the basic steps of
encrypting databases, auditing their networks, and patching security
holes on all their servers.  When it comes to network security, "there
need to be some minimum requirements," says Wysopal.  "There are none
now."

With major military action looming and the economy reeling, shoring up
computer security among infrastructure providers might not seem a top
priority.  It would cost money, obviously, and might be inconvenient. 
Nevertheless, President George W.  Bush should add the protection of
infrastructure -- and the crucial computer systems that control it -- to
the growing list of mandates under the rubric "Homeland Defense."

The very backbone of what makes America strong is the reliable provision
of water, power, communications, and health care.  Without these
services, our ability to wage a war and to project power would be
severely diminished.  Furthermore, the disruptions to normal life
unleashed if determined, malicious hacker-terrorists were successful
could be disastrous. 

A BIT SHOCKING.  How shaky is the protection of the computer networks
embedded in our critical national infrastructure? That's hard to tell
right now.  Says Wysopal, who has audited security at a number of
infrastructure providers: "It varies across the board.  I have seen some
excellent security in some places and very poor in others."

That's about par for a field where no national standards have been
developed.  But it's a bit shocking considering what's at stake. 
Imagine the chaos that could ensue should a terrorist act of mass
destruction be combined with induced power or telecom outages. 

Obviously, cell phones played a crucial role in the aftermath of the New
York disaster.  For many, they were the only means of contact with the
outside world.  Yet earlier this summer, Verizon Wireless, the nation's
largest cell-phone provider, encountered horrendous problems after
someone hacked into a customer database and dumped credit-card records
into various Internet chat rooms.  Many security experts commented, in
the wake of that incident, that Verizon should do a total security
audit.  In response, the company said it would vigorously investigate
the issue and put in place preventive measures. 

POROUS 911.  Here's another truly terrifying tale from a man who should
know -- Thomas Noonan, the CEO of Internet Security Systems.  One of the
largest computer-security companies in the world, ISS builds software
and sells protection services.  That makes Noonan a personal target for
nefarious hackers.  Small wonder a police officer shows up at his front
door at least once a week in response to "calls" by hackers who break
into the 911 system.  "It's just their way of letting me know that they
can find me if they want," says Noonan.  It also means that the 911
system, a decentralized but critical part of the infrastructure, needs a
major network security overhaul. 

No question, the cost of bringing infrastructure providers' systems up
to snuff could well stretch into the billions.  But what's a few more
billion, considering the types of spending the U.S.  is now looking at
in the name of Homeland Defense? Computer-security standards for
critical companies could end up being well worth the cost. 

Salkever covers computer security issues twice a month in his Security
Net column, only on BW Online.

Edited by Douglas Harbrecht

------------------
http://all.net/ 




This archive was generated by hypermail 2.1.2 : 2001-09-29 21:08:45 PDT