“Rogue” states and criminal organizations have stepped up their capabilities to launch crippling online attacks, says technology strategist who has briefed U.S. members of Congress on threats of a “cyber war”.
That’s the bad news.
The worse news is that most businesses and governments here are ill-equipped to repel such assaults, according to Kevin Coleman, senior fellow and chief strategist of the Technolytics Institute, an independent technology and security management think tank based in McMurray, Penn. A co-author of three books Coleman has briefed members of U.S. Congress- both the House and Senate.
Coleman warned that North American e-businesses could lose in excess of $400 million each day should such an attack bring down Internet services here.
The failure of government agencies and enterprises to address such threats might be blamed on prevailing business attitudes and complacency, said Coleman, former chief strategist for Netscape Communications.
The relatively low corporate investment on information security is a measure of that complacency, he suggested.
For instance, he noted that North American businesses spent more than $17.5 billion in security alarms for their buildings, but only $6.2 billion on information security measures.
“Many IT organizations will tell you either the threats are too far fetched or that they’re adequately protected,” Coleman said during a talk titled: Preparing for the Coming Cyber War, presented at the World Conference on Disaster Management (WCDM) conference in Toronto.
Cyber warfare refers to the use of technology-based weapons such as electromagnetic devices that can knock-off electric equipment, computers or botnets that can launch viruses, spyware and other malicious code.
Such attacks can result in the relatively harmless defacement of Web sites to costly denial-of-service attacks to the ultimate crippling of nation-wide Internet or public services.
Coleman said countries with cyber war capabilities have increased from 20 in 2006 to more than 140 in 2008.
Skeptics, Coleman said, need only to refer to the rash of cyber attacks launched in 2007 against sensitive government sites in Britain, France, Germany, the U.S. and Estonia.
Of the five countries, Estonia was said to have suffered the most. Distributed denial of service type attacks from individual computers and botnets crippled Estonian banks, media outlets, government offices and the parliament.
In a country where nearly 97 per cent of retail transactions are done with credit cards, the nearly month-long assault was spelled disaster for many businesses.
The case, which is continually being studied by many countries and military planners for its effectiveness and sophistication, has been linked to Russian organized crime groups also called RBN (Russian business network) and Kremlin.
“A top ranking Estonian minister had this to say about cyber war to other countries: Don’t learn the hard way. Prepare for it,” said Coleman.
Cyber weapons are attractive to criminal and terrorist elements because they are relatively cheap – compared to other weapons or mass destruction – and easy to deploy.
“All it takes is a PC and a programmer and you can launch your attack from anywhere, anytime and the Internet guarantees the most extensive reach ever.”
He said government sites are subject to daily online attacks from thrill- seeking hackers to terrorist groups.
The Pentagon, for instance, repels hundreds of attacks each day, Coleman said. “The DoD (Department of Defense) recently reported losing 27 terabytes of data to hacker attacks.”
Businesses that want to protect themselves from such attacks should reconsider their network defensive stature, according to the Technoloytics strategist.
He recommends that organizations revisit their security systems regularly at least twice a year. This procedure can include testing systems to determine if they are up to peak performance levels or up to date with the latest security patches and upgrades as well as reviewing personnel preparedness.
Companies must also take a careful look at their procurement practices. Many companies purchase hardware without inspecting what sort of software is loaded in these devices, he said.
In January this year, the U.S. Federal Bureau of Investigation seized more than 360,000 counterfeit network devices and microprocessors, some of which ended up in computers at U.S. government agencies, he said.
Such a shipment which nearly went undetected, could have easily been used as a carrier of Trojan virus or malware that could take control of government computers and steal vital data, he added.
This was a practice that was applied to commercially available digital picture frames that could be hooked up to computers.
Authorities found out that the devices were set up to harvest personal information from host computers and send them back to a location in China.
However, many businesses are very lax when it comes to procurement practices, said Coleman. “One company official who recently purchased more than $10 million worth of computer equipment told me he was ordered to buy the equipment and that security was not ‘his issue’.”
He said businesses must deploy backup communication systems to ensure business continuity in case Internet systems go down.
Executives and employees on business trips abroad are also common targets for industrial espionage, he warned.
Never leave your laptop unattended in your hotel room, Coleman said.
He recalled numerous cases of business executives and government officials whose laptops were tampered with during their stay in foreign countries.
Apart from encrypting data, he suggests that teleworkers or travelers carry their laptops with them or transfer sensitive data onto a portable USB drive that they keep in their pocket.
Companies must not rely solely on Voice over Internet Protocol (VoIP) for their business communications. “VoIP is cheap but it also means you’re putting all your eggs in one basket.”
When evaluating your business’ communication systems, it is best to take a vulnerabilities assessment approach, said Sandy Gillis, associate director, enterprise solutions marketing for Bell Canada.
In his talk titled: Risky Business: Resilience in a Digital Age, Gillis presented WCDM attendees with five key disaster recovery strategies.
1. Apply a vulnerability approach
Don’t concentrate on disaster scenarios. Take a step back and look at what you have in your network. Seek out the vulnerabilities in your system and then strive to protect them against possible disaster or threat scenarios.
2. Know what is important and what’s not
Not everything in the organization enjoys equal importance and priority. Knowing what needs protecting first and to what extent, will go a long way towards avoiding chaos when disaster strikes, said Gillis.
One transportation company Gillis worked with placed equal importance on nearly all of its services.
“This meant that in a disaster it was equally important for them to keep the pretty pictures on their Web site up as it was to keep the fleet operational.”
3. Adapt to Thrive
Conduct a comprehensive assessment of your needs, equipment and practices. Make sure that disaster recovery (DR) plans are always up to date with regards to current business practices, personnel issues and technological realities.
“Many companies create a DR plan and forget all about it. In one company, we found that 40 per cent of the emergency numbers on their list were no longer valid,” said Gillis.
Gillis said DR assessments need to be conducted twice a year and could involve “table-top read throughs” or full-scale exercises.
4. It’s not just technology
Crisis planning is not limited to technology deployment. Systems rolled out to deal with emergencies, must be accompanied with appropriate personnel training and procedures.
Gillis says long before deployment, all stake holders must be in the loop of how new technology and practices will affect them and their work and how they figure in the scheme of things.
5. Crisis communication and coordination
Have a defined line of communication between company officials and employees, the company and essential services as well as the company and its clients.
Procedures must be set so that people in the organization know exactly who they are suppose to contact in an emergency as far as their responsibilities are concerned. This way the appropriate message is sent to the appropriate recipient at the right time.
