[iwar] [fc:Cyberattacks:.Prepare.Your.Enterprise]

From: Fred Cohen (fc@all.net)
Date: 2001-10-16 15:28:33


Return-Path: <sentto-279987-3018-1003271314-fc=all.net@returns.onelist.com>
Delivered-To: fc@all.net
Received: from 204.181.12.215 by localhost with POP3 (fetchmail-5.1.0) for fc@localhost (single-drop); Tue, 16 Oct 2001 15:29:07 -0700 (PDT)
Received: (qmail 22924 invoked by uid 510); 16 Oct 2001 22:28:15 -0000
Received: from n3.groups.yahoo.com (216.115.96.53) by 204.181.12.215 with SMTP; 16 Oct 2001 22:28:15 -0000
X-eGroups-Return: sentto-279987-3018-1003271314-fc=all.net@returns.onelist.com
Received: from [10.1.4.52] by n3.groups.yahoo.com with NNFMP; 16 Oct 2001 22:28:34 -0000
X-Sender: fc@big.all.net
X-Apparently-To: iwar@onelist.com
Received: (EGP: mail-8_0_0_1); 16 Oct 2001 22:28:34 -0000
Received: (qmail 34053 invoked from network); 16 Oct 2001 22:28:34 -0000
Received: from unknown (10.1.10.142) by m8.onelist.org with QMQP; 16 Oct 2001 22:28:34 -0000
Received: from unknown (HELO big.all.net) (65.0.156.78) by mta3 with SMTP; 16 Oct 2001 22:28:33 -0000
Received: (from fc@localhost) by big.all.net (8.9.3/8.7.3) id PAA23917 for iwar@onelist.com; Tue, 16 Oct 2001 15:28:33 -0700
Message-Id: <200110162228.PAA23917@big.all.net>
To: iwar@onelist.com (Information Warfare Mailing List)
Organization: I'm not allowed to say
X-Mailer: don't even ask
X-Mailer: ELM [version 2.5 PL1]
From: Fred Cohen <fc@all.net>
X-Yahoo-Profile: fcallnet
Mailing-List: list iwar@yahoogroups.com; contact iwar-owner@yahoogroups.com
Delivered-To: mailing list iwar@yahoogroups.com
Precedence: bulk
List-Unsubscribe: <mailto:iwar-unsubscribe@yahoogroups.com>
Date: Tue, 16 Oct 2001 15:28:33 -0700 (PDT)
Reply-To: iwar@yahoogroups.com
Subject: [iwar] [fc:Cyberattacks:.Prepare.Your.Enterprise]
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 8bit

Cyberattacks: Prepare Your Enterprise 
Rich Mogull, Gartner News, 10/16/2001
http://www3.gartner.com/1_researchanalysis/focus/aftermath.html

A significant increase in cyberattacks is likely to follow the events of
11 September 2001. Enterprises must understand this threat and take
action to limit their vulnerabilities.

Bottom Line

Key Issue
How will enterprises arm themselves to address increasing
information security risk?

Tactical Guidelines
- Increase the enterprise's overall security posture.
- Evaluate and test physical security procedures, including access to
  facilities and interaction with electronic systems.
- Ensure that critical decision makers and the CIRT have multiple
  communication methods available to them.
- Immediately update all systems with current security patches.
- Update virus signatures daily or more frequently.
- Initiate vulnerability assessments, including penetration testing.
- Disable all inactive accounts.
- Constantly monitor publicly accessible Web sites for possible security
  breaches.
- Examine security practices for remote access, including dial-up lines,
  extranets, and VPNs.
- Monitor security distribution lists for the latest updates and trends.
- Contact an MSSP as needed.
- Educate users to expect an increase in unwanted cyberactivity.
- Review external service providers' security policies.

Experience shows that disasters are usually followed by an increase in
criminal activities, including looting, fraud, acts of revenge and
subsequent incidents; the aftermath of the 11 September terrorist
attacks is unlikely to be an exception. As enterprises work to respond
to these devastating events, they must prepare for a global increase in
"cyberattacks" that will threaten their online systems.

Tactical Guidelines

Enterprises should immediately take the following security measures to
counter the increased threat of cyberattack:

Increase the enterprise's overall security posture. Place internal
cyberincident response teams (CIRTs) on alert, and aggressively monitor
Internet activity on all systems. Evaluate established security plans in
light of recent events, and update as needed. If no CIRT exists,
consider forming one or contracting with an external provider to
evaluate systems. Define how the enterprise will notify and interact
with law enforcement or other government agencies in the event of an
attack (if this has not already been done).

Evaluate and test physical security procedures, including access to
facilities and interaction with electronic systems. Response to bomb
threats - which may be received via e-mail, instant messaging or
traditional sources - should be included in the evaluation. Review
procedures for performing background checks: These checks should be
conducted, at minimum, on individuals with access to key information and
resources (e.g., e-commerce servers). Certain types of enterprises may
require more-detailed checks, or checks on all employees. Remember that
some low-level or contract staff (e.g., cleaners) may have access to all
physical premises and the systems in them.

Ensure that critical decision makers and the CIRT have multiple
communication methods available to them. They should not have to depend
on telephone service (landline or wireless), e-mail or any single
communications method. Ensure that contact information (e.g., telephone
numbers and e-mail addresses) is up-to-date and appropriately
distributed.

Immediately update all systems with current security patches. Remember
that even a desktop computer can be used to compromise servers or launch
internal and external attacks. Preparations should include remote
laptops and home computers with virtual private network (VPN) access;
remote users should be given simple procedures to follow to update their
systems.

Update virus signatures daily or more frequently. Scan for viruses at
the firewall or server; do not depend on synchronization of the
signature files of desktops and laptops. Perform full scans on all
systems, using the latest signatures, to ensure that they are not
already infected. Remember that many users may manually shut down their
scans if they are executed during working hours.

Initiate vulnerability assessments, including penetration testing. These
assessments must be performed by trained security professionals, not
overtaxed systems administrators. The enterprise's security program
should include vulnerability assessment and penetration testing as part
of its regular procedure.

Disable all inactive accounts. Examine user account lists on all
systems, removing all unnecessary default accounts. Change passwords on
root and administrator accounts. Review help desk and password reset
procedures, avoiding the use of information such as employee numbers,
Social Security numbers or addresses for authentication of calls for
password resets.

Constantly monitor publicly accessible Web sites for possible security
breaches. These checks should be performed at least every hour, and more
frequently if the enterprise has been identified as a prime target of a
cyberattack.

Examine security practices for remote access, including dial-up lines,
extranets and VPNs. Change encryption keys on all VPNs.

Monitor security distribution lists for the latest updates and trends.

If internal security procedures are immature and resources are
unavailable, contact a managed security service provider (MSSP) or
consultancy for immediate needs. Consider contracting with an MSSP for
long-term services.

Educate users to expect an increase in unwanted cyberactivity. Establish
clear mechanisms - e.g., a telephone number and an e-mail address for
reporting suspicious activities - that personnel can use to report any
unusual online or offline activity. This is important, because users may
not be able to recognize the difference between information security
breaches and physical security threats.

If enterprise IT functions, including Web hosting, are outsourced,
review the outsourcers' security policies.

What Enterprises Can Expect
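The guideline to check publicly accessible Web sites at least hourly is easy to automate. The script below is an added example, not part of the Gartner note or the mailing-list post: it records a SHA-256 baseline of each page at a known-good time, re-fetches the pages on each run, and reports a page whose content has changed (a possible defacement) or that cannot be reached at all (a possible outage or denial of service). The URLs, page bodies and the `example.com` host are constructed sample data; `http_fetch` is the only part that touches the network and is not used by the demo.

```python
"""Hourly integrity check for public web pages (added example, constructed data)."""
import hashlib
import urllib.request
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

# A fetcher returns the raw page body, or None when the page is unreachable.
Fetcher = Callable[[str], Optional[bytes]]


@dataclass
class CheckResult:
    url: str
    status: str                      # "ok", "changed" or "unreachable"
    expected: Optional[str] = None   # baseline digest
    observed: Optional[str] = None   # digest seen on this run (None if unreachable)


def page_fingerprint(body: bytes) -> str:
    # SHA-256 of the raw body: any edit to the page changes the digest.
    return hashlib.sha256(body).hexdigest()


def http_fetch(url: str, timeout: float = 10.0) -> Optional[bytes]:
    # Live fetcher for real deployments; any transport or HTTP error counts as unreachable.
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.read()
    except Exception:
        return None


def build_baseline(urls: List[str], fetch: Fetcher) -> Dict[str, str]:
    # Take the baseline only when the site is known to be clean.
    baseline: Dict[str, str] = {}
    for url in urls:
        body = fetch(url)
        if body is not None:
            baseline[url] = page_fingerprint(body)
    return baseline


def check_sites(baseline: Dict[str, str], fetch: Fetcher) -> List[CheckResult]:
    # Compare every baselined page against what is served right now.
    results: List[CheckResult] = []
    for url, expected in sorted(baseline.items()):
        body = fetch(url)
        if body is None:
            results.append(CheckResult(url, "unreachable", expected, None))
            continue
        observed = page_fingerprint(body)
        status = "ok" if observed == expected else "changed"
        results.append(CheckResult(url, status, expected, observed))
    return results


def alerts(results: List[CheckResult]) -> List[CheckResult]:
    # Anything other than "ok" should reach the CIRT.
    return [r for r in results if r.status != "ok"]


# Constructed sample: pages as they looked when the baseline was taken.
KNOWN_GOOD = {
    "https://www.example.com/": b"<html><body>Welcome to Example Corp</body></html>",
    "https://www.example.com/contact": b"<html><body>Contact us</body></html>",
    "https://www.example.com/news": b"<html><body>News</body></html>",
}

# Constructed sample: what the hourly run sees later. The contact page has been
# altered and the news page no longer answers at all.
CURRENT_STATE = {
    "https://www.example.com/": b"<html><body>Welcome to Example Corp</body></html>",
    "https://www.example.com/contact": b"<html><body>This site was changed</body></html>",
}


def baseline_fetcher(url: str) -> Optional[bytes]:
    return KNOWN_GOOD.get(url)


def current_fetcher(url: str) -> Optional[bytes]:
    return CURRENT_STATE.get(url)


def run_demo() -> List[CheckResult]:
    baseline = build_baseline(list(KNOWN_GOOD), baseline_fetcher)
    return check_sites(baseline, current_fetcher)


if __name__ == "__main__":
    for r in alerts(run_demo()):
        print(f"ALERT {r.status:<11} {r.url}")
```

In production the baseline would be written to disk once and `check_sites(baseline, http_fetch)` scheduled from cron every hour; pages that legitimately change often (news feeds, timestamps) need either a stable canonical form before hashing or a separate allow-list, otherwise every run alerts.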

Gartner analysts and other observers have already noted a number of
early indicators that an increase in a wide range of cyberattacks is to
be expected. On 14 September 2001, the National Infrastructure
Protection Center issued an advisory calling for increased awareness in
anticipation of a rise in "cybercrime" incidents. A number of so-called
"hactivists," ostensibly sympathetic to the United States, are calling
for "revenge" cyberattacks, which are likely to target inappropriate
sites and could potentially interfere with the official response to the
terrorist attacks. (Real-world criminal activities, such as looting in
the area of the World Trade Center, bomb threats and fraudulent
charities nationwide, have also been reported.)

Specific types of potentially damaging "cyberactivities" have different
sources and different targets, and carry different levels of risk for
enterprises. These types of activities include:

Hactivism

One of the more-unfortunate responses to the events of 11 September 2001
has been hacking in the name of patriotism. Hactivists are generally
online troublemakers using tragedy to justify illegal activities.
Although some hactivists may believe they are furthering U.S. interests,
their activities are more likely to have the opposite effect. Systems
unrelated to the terrorist attacks or perpetrators will likely be
compromised and used as staging points for cracking, distributed denials
of service or other types of attack. These attacks will, however,
probably be initiated by individuals and groups without the resources to
cause loss of life or property. The majority of cyberattacks in response
to recent events will be launched by hactivists; they will have little
effect and can be easily managed.

Cybercrime

Cybercrime - i.e., online criminal activity undertaken for financial
gain - is also expected to rise as criminals attempt to take advantage
of perceived uncertainties in financial systems. Fraudulent online
solicitations for nonexistent charities also appeared within 24 hours of
the terrorist attacks (see "Beware Disaster-Related E-Mail Fraud,"
FT-14-5178). No new types of cybercrime are expected to emerge from the
11 September 2001 events, but an increase in criminal activity is
likely.

"Cyberterrorism"

We expect cyberterrorism - i.e., computer-based crime intended to cause
loss of life or property in pursuit of political goals - will increase
in the near future. These activities, which may come in response to U.S.
reprisals for the recent terrorist attacks, will likely target U.S.
government facilities, as well as infrastructure centers and
nongovernmental organizations such as relief agencies. Enterprises,
particularly financial institutions, public utilities,
telecommunications companies, online trading firms and e-commerce sites,
are also likely to be targeted. Some cyberterrorists will have the
benefit of extensive resources and will be highly technically
proficient. The goal will be to cause direct financial and personal
loss, and to disrupt communication and services. Overall, very few
attacks will constitute true cyberterrorism; these few attacks will,
however, have the potential to cause significant damage.

Bottom Line 
Enterprises should not panic about the anticipated increase in
cyberattacks. They should, however, evaluate their security postures and
implement standard security procedures.

This research is part of a set of related research pieces. See
AV-14-5238 for an overview.

Entire contents © 2001 Gartner, Inc. All rights reserved. Reproduction
of this publication in any form without prior written permission is
forbidden. The information contained herein has been obtained from
sources believed to be reliable. Gartner disclaims all warranties as to
the accuracy, completeness or adequacy of such information. Gartner
shall have no liability for errors, omissions or inadequacies in the
information contained herein or for interpretations thereof. The reader
assumes sole responsibility for the selection of these materials to
achieve its intended results. The opinions expressed herein are subject
to change without notice. 
Resource ID: 341001


------------------
http://all.net/ 




This archive was generated by hypermail 2.1.2 : 2001-12-31 20:59:55 PST