[iwar] [fc:CIA.Warns.of.Cyber.Pearl.Harbor;.The.Internet.Is.My.Neighborhood]

From: Fred Cohen (fc@all.net)
Date: 2002-06-22 12:33:33



CIA Warns of Cyber Pearl Harbor; The Internet Is My Neighborhood 
Mortgage Technology, 6/21/02  http://www.ds-osac.org/edb/cyber/news/story.cfm?KEY=8377

Imagine this: You show up for work on some future Monday morning to find
your chief information officer nervously pacing around your desk. He's
talking somberly into his cell phone. Another voice is booming from
speakerphone on your desk. Your CIO spots you and holds up one finger
indicating that he needs a moment. He thanks his callers and hangs up. 
"It's all gone," he says. "Gone, scrambled, erased, nada. We've been
hacked." 
"What do you mean, 'hacked?'" you ask. "Actually, 'hacked' is the wrong
term. We've been demolished." 
He tells you that sometime over the weekend someone broke into your
company's servers and corrupted all data files, payment histories, loan
files, customer names, loans in process, everything. 
The phone rings. It's one of your servicing contractors wanting to know
if your server is down, because they can't access data they need to
process payments. In your customer-service department borrowers are
calling wanting information about the status of their loans. Processing
tells you escrow companies are jamming the phone lines asking for payoff
figures. 
You are dead in the water. Your information is all gone. To make matters
worse, your CIO suspects the servers are still infected with several
unknown viruses, so he can't even begin to tell you when he will be able
to reload the files from Friday's backups. And, he can't guarantee that
the intruder did not plant a Trojan horse that will pop up later and
destroy the backups as well. 
This is a scenario those in the financial services industry must begin
taking seriously. A new, more
determined, more dangerous breed of hackers has surfaced. 
In April the US Central Intelligence Agency revealed that one of the
highest priorities of the Chinese military is the development of
cyber-attack capabilities. The CIA reported that hundreds of Chinese
military cadets are trained each year in the arcane art of hacking into
the West's commercial computer networks. 
Embracing hacking as a weapon is seen by the Chinese military as a way
of balancing the military scales. With only a handful of nuclear
weapons, CIA analysts believe the Chinese have determined that America's
weak underbelly is now our dependence on computers and computer
networks. 
The goal of such an attack would be to throw a major monkey wrench into
the West's interdependent commercial networks. Such an attack would cost
our economy billions of dollars in lost business. When would it come?
Perhaps China would coordinate such a cyber-attack with a move against
Taiwan, for instance. A major financial disruption could provide China a
dandy (if risky) way to slow US intervention on behalf of Taiwan. 
Last year, according to the CIA, Chinese hackers may have provided the
US a demonstration of their hacking skills. Shortly after a military
surveillance plane collided with a Chinese fighter last April, the
Chinese allegedly launched a two-week cyber-attack against the US. More
than 1,200 attacks were made against US government and commercial
websites, and some of these sites were brought to their knees. According
to the CIA assessment, China's "nonstate hacking community continues to
pose the most immediate threat to U.S. computer networks." The CIA
warned that those 'nonstate' hackers in China "appear to be organizing
for cyber-attacks again this spring, particularly during student breaks
early next month and around the anniversary of the EP-3 (surveillance
plane) incident." That anniversary has passed, but the threat remains. 
China is not the only foreign power to notice this chink in our national
armor. Middle Eastern groups have also been busy probing our business
networks. The next attack from that part of the world may well be a
hacker flying a store-bought Pentium III desktop into CitiBank's
servers. 
Security experts say that the prime target of such attacks will be our
financial network infrastructure. A report issued in April by Riptech,
Inc., a computer security firm in Alexandria, Va., analyzed data from
attacks on its clients. They had logged 128,678 attacks during the last
six months of 2001. Riptech's findings should be of concern to the
mortgage and banking industries. 
The Riptech data showed that the hacks were concentrated in a handful of
industries. Financial services companies were the top targets of
attackers from the Asia Rim. Power and energy companies are targets of
choice for attackers from the Middle East. 
Other Riptech findings: 
* Once a company has at least 500 employees, it enters the highest-risk
category for attack. 
* Public companies were more likely to be attacked than private
companies. 
* Private companies with a high public profile also become likely
targets. 
Ever since computers first became tools of business, we have known the
little buggers can be unreliable and have learned the hard way about
backing up important data files. But the new threat you face goes far
beyond simple computer crashes and lost files. The offensive weapons in
our enemy's cyber-arsenal are as sophisticated as any of their
conventional weapon systems. They are strategically designed for
stealth, maximum destruction and effective frustration of traditional
data-recovery schemes. 
The Gartner Group addressed these new threats this year by stressing
that businesses need to rethink all their security and recovery plans.
"Know yourself as you know your enemy," the report advised.
(Prioritizing Security Efforts: Create Structure from Disorder, Jan.
2002; Gartner/G2, www.GartnerG2.com). 
Data and source documents should be stored at a site separate from the
location of the production systems. Data security experts estimate that
each megabyte of your commercial data would cost an average of $50,000
if it had to be reconstructed from scratch. They say it costs $18,000 an
hour when the average commercial local area network goes down and a
hefty $75,000 an hour for a full-blown Unix network. The costs of data
recovery alternatives must be balanced off against those benchmarks. 
These may seem like extreme measures, but the price of procrastination
may be very high. In fact, you may need to do more. 
Hardening your Defenses 
Depending on your IT budget, there are several defensive solutions you
can choose from. 
Maintain a Cold Site: This is the cheapest option. A Cold Site is really
nothing more than a room you maintain - at your headquarters or a remote
office - that contains enough space, communication lines, power, cables,
software and gear you would need in the event some kind of disaster took
out your primary working system. Everything your IT department needs
to build a new working network is there. This case is a "cold" start, and
could take anywhere from a week to two weeks before it is assembled,
tested and up and running. But, since it just sits in pieces, it costs
very little to maintain. You have to balance immediate cost-savings with
the more expensive Hot Site option. The Cold Site option, while it
replaces your physical network, still does not address the security of
your daily working data files. 
The Hot Site 
The Hot Site option is a facility that houses a complete mirror image of
your company's physical systems and data. A Hot Site should be able to
pick up your operations without missing a beat if your primary system
goes down, for whatever reason. A Hot Site should also contain the
necessary resources to manage unexpected situations that could cause a
business to lose customers, market share - or even its very existence -
in the event of a service interruption. 
A Hot Site can be housed at your main headquarters or a remote location.
Which choice you make is a strategic decision. If you believe your
company may be a hack target but an unlikely physical target, then
having your primary and Hot Site systems in the same building may be
more cost effective. Of course a tornado rather than a terrorist may hit
your headquarters, so Hot Sites come in two flavors: Internal and
Outsourced. 
An Internal Hot Site is just what it implies: your business uses its own
resources to set it up and operate it. The advantage is that you can
engineer the site for a more seamless response if your main systems are
destroyed or disabled. And the internal site can be tested at will. 
An outsourced Hot Site is run by an outside contractor off your campus.
You lose some control, but it frees up your CIO and other systems
personnel to concentrate on your normal daily business. It also means
that if your physical location is stricken, your Hot Site
will be safe. Your data should be backed up to the Hot Site at least
once each day. 
Reciprocal Agreements 
For those who choose the Cold Site option, data security still needs to
be addressed. The most cost-effective solution is a reciprocal agreement
with one of your working partners. This solution works best for
businesses that have trusted vendor partners with whom they routinely
share data anyway. Under these agreements each company agrees to
maintain daily backups of the other's files. Of course, the companies
must have an excellent working relationship and a mutual interest in
data security and recovery. 
This solution does not provide complete security, though. A hacker might
stumble across the backup pathway you maintain with your partner, wiping
out both companies' files.
Tape Vaulting 
This is the oldest - and most secure - form of data storage. Primitive
as it may be, it cannot be hacked because you ship backup tapes to a
secure vault environment at the end of each business day. While this is
a simple solution, recovery time is slower than with online backups. And
the cumbersome process of shipping tapes each day causes some companies
to slack, setting backup cycles weekly rather than daily. 
Who knows, maybe your data security protocols are just fine. Maybe. 
However, as you slip off to sleep tonight, remember that half a world
away a couple of hundred eager Chinese Army cyber-cadets are just
beginning their day.


------------------
http://all.net/ 




This archive was generated by hypermail 2.1.2 : 2003-08-24 02:46:33 PDT