November 2002
The Mother of All Cyberwars

The Mother of All Cyberbattles?
Experts predict that an invasion of Iraq will spill over into a global cyberwar.
by Lawrence M. Walsh

If Saddam Hussein were writing this, he might seethe, "The mother of all cyberbattles will befall the infidels!"

Although rhetorical and inflammatory, such a declaration might not be far from the truth. Experts say a U.S.-led military campaign in Iraq, either to compel Iraqi compliance with United Nations security resolutions or to oust Hussein, could spark a worldwide cyberconflict larger than anything previously seen.

"If we go into Iraq, we know that groups not friendly to the U.S. are going to attack critical nodes," says John Bumgarner, president of CyberWatch and president of the Charlotte (N.C.) InfraGard chapter. "Iraq probably doesn't have the ability [to wage a cyberwar], but it does have the money to fund someone to do it."

Warnings of cyberwarfare and cyberterrorism have fallen on deaf ears, mostly because there's yet to be a coordinated attack that causes significant damage to critical infrastructure or economic targets. Still, amateur cyberwarriors--mostly script-kiddies--chronicle a growing list of cyberwars. Israelis and Palestinians attack each other's Web sites and critical nodes. India and Pakistan frequently exchange digital fire. Chechen rebels throw cyberbombs at their Russian rulers. China routinely spars with its neighbors Taiwan, Japan and South Korea. And the list goes on.

The most recent and interesting major digital conflict was the 2001 Sino-American hacker war. Sparked by elevated tensions caused by the collision of a U.S. Navy intelligence plane with a Chinese jet fighter, loosely organized Chinese hackers defaced scores of American Web sites. Not to be outdone, American hackers rallied, causing equal--if not more--damage.

"Historically, when you look at what's happened in the past with the U.S.
bombing of Bosnia and the bombing of the Chinese embassy, and the continuing strife in Israel, in almost all of them there's been some correlation for a cyberevent and armed conflict," says Sunil Misra, managing principal for worldwide security at Unisys.

Investing more in nuclear and conventional weapons programs, Iraq likely doesn't have the ability to orchestrate a cyberspace campaign. But what's worrisome to security experts is Iraq's ability to fund rogue hacker groups and organized crime syndicates, which could wage a proxy fight against the United States.

Already, infosec intelligence groups are monitoring increased probing of private-sector targets that represent the foundation of the U.S. economy and American culture. No one would identify specific targets. However, malicious and reconnaissance traffic from the Middle East remains relatively low. The CIA and other government agencies are warning against the increased threat of terrorism, but neither the National Infrastructure Protection Center nor the White House's Office of Homeland Security would comment on the cyberwar threat.

Should a war with Iraq spill over into cyberspace, the first targets will likely be military sites and sites that support military operations--communications, transportation, etc. Disrupting these sites could hamper U.S. military operations in Iraq and the Persian Gulf.

"We won World War II because it was an industrial-based war. We had the biggest and the best industrial capacity in the world," says Michael Davidson, a retired U.S. Army general and infosec consultant. "Now we have an information-based world, and our reliance on information systems makes us uniquely vulnerable."

But civilian targets are more vulnerable and tempting for hackers, especially since most of the nation's critical infrastructure is privately controlled. Utilities (power, water, communications), transportation and commercial supply chains are all operated and secured by private corporations.
"To an enemy, there really isn't a dime's worth of difference between a military and a critical infrastructure site," says Davidson.

State-sponsored cyberwar is only part of the threat, says Tom Kellerman, a data risk specialist at the World Bank's Financial Strategy and Policy Sector. Hostilities in the Middle East could inspire hacker and organized crime groups to infiltrate U.S. government and corporate networks. Also, hostile nation-states might test U.S. cyberdefenses.

"Many organized criminal groups have made business plans around hacking because it's more lucrative than trafficking cocaine," says Kellerman. "You need to expect to be hit and be prepared to survive."

Cyberwarfare is one thing, but some say unreleased malicious code--viruses, worms and Trojans--could pose a far greater threat. Nimda caused widespread panic when it struck a week following the Sept. 11 terrorist attacks, which led some to speculate that a more destructive worm could prove an effective wartime weapon.

"Is there malicious code sitting on the shelf waiting to be used against us? We really can't say. But, if I were in charge of protecting information assets, I would sleep with one eye open and prepare for it," says John Frazzini, VP for intelligence operations at iDefense.

Since the Sept. 11 terrorist attacks, security companies have been advising their customers to ratchet up their digital defenses. The White House's recently released "National Strategy to Secure Cyberspace," which is undergoing a public comment period until Nov. 18, is designed to improve the overall computer security of the U.S. critical infrastructure.

For organizations that have security policies and proactive security programs, the threat of a cyberconflict is minimal. Many organizations say they're monitoring events in the Middle East, but aren't overly concerned about a cyberwar.
"If we go to war with Iraq tomorrow, we will continue to operate," says Tony Samms, director of security at Norfolk Southern railroad. "We've had heightened security with the crisis in the Middle East ever since 9/11. We can never be too alert, and we can never be too vigilant. We just need to keep ramping up."

We Interrupt Your Web Surfing...
Terra Lycos proposes an emergency broadcast system for the Internet.

"This is a test of the Emergency Broadcast System. If this were an actual emergency, the signal you've just heard would be followed by instructions from local authorities. This is only a test."

Anyone who's ever watched TV recognizes that message. EBS was designed in simpler times, when people got their real-time information from a handful of TV and radio stations. The Internet changed that, creating thousands of information portals. The difficulty in navigating all those portals during emergencies gave Terra Lycos the idea for the Emergency Online Broadcast System (EOBS), a means for government agencies to quickly disseminate information on the 'Net.

"We know how to build very large-scale Web sites, and we know how to maintain them under huge demand," Terra Lycos CTO Tim Wright says. "The government doesn't have that requirement on a year-round basis. It only needs it in the event of an emergency."

Under the EOBS plan, government agencies--from the White House to local police departments--would send XML-authored emergency information to a secure "authority server" managed by Terra Lycos. Terra Lycos will mirror the information in a distribution server. In the event of an emergency, participating search engines and media sites will swap their usual home page for emergency pages containing links to specific pieces of information. Wright says the system can be activated within an hour.

EOBS obviously could be useful in the event of terrorist attacks, but Wright says the system is applicable to regional and local events.
During natural disasters or emergencies, the system will be able to localize information based on ZIP codes.

Terra Lycos submitted the EOBS plan to the Office of Homeland Security last month as a comment on the National Strategy to Secure Cyberspace. Establishment and maintenance of the network will be free, Wright says. If accepted, the system could be operational by September 2003.

Terra Lycos isn't the only company planning for crisis communications. In
September, AT&T unveiled a
plan for a secure telephone system to keep CEOs in touch with each other and the
government during emergencies. The Business Roundtable, a consortium of CEOs, is
reviewing the Critical Emergency Operations Communications Link (CEO COM Link)
proposal.

Infosec Notebook

DMCA Open for Public Comment
SANS, FBI Release Top 20 List
BSi Updates 7799 Certification

Side-Channel Attacks Return

Cryptographers are once again looking for ways to fight side-channel attacks--an old, theoretical exploit that's rebounding with the rapid adoption of smart cards and portable computing devices that can leak vital processing information.

"None of this is new or surprising, per se," says Bert Kaliski, director of RSA Security Laboratories. "The interest recently has come from the attacks getting more sophisticated."

Unlike traditional attacks on encryption that try cracking the key by brute force or analyzing the ciphertext or plaintext/ciphertext pairs, the side-channel method attempts to crack a key by observing the physical behavior of the encryption process. For example, such an attack would look at how much time it takes to encrypt or how much power is used, explains Dorothy Denning, a professor of computer science and crypto policy expert at Georgetown University.

Paul Kocher, president of Cryptography Research, is credited with first discovering the latest side-channel attacks, originally designated "timing attacks." Kocher used a formula to determine how power computations could reveal secret keys.

Then and now, side-channel attacks remain theoretical. No actual attempts have been widely reported, Kaliski says. However, the increasing use of smart cards, laptops and PDAs has some concerned that side-channel attacks could become a real threat.

"As more devices have built-in protections to enforce digital rights, those that don't respect those policies may be more motivated to find a way to get around them," Kaliski says.

Hardware vendors, particularly chip and card companies, are spending more research dollars to reduce the threat. "Products need to hide the resources--such as CPU power [and] power consumption--by making all encryption take the same time and use the same power if they do not already," Denning suggests.

There are some countermeasures. "Many of these things involve the recovery of
one key," according to Kaliski, "so with appropriate key management and changing
keys frequently enough, you can gain some protection."

Consolidated Security
Market pressures, buying opportunities are driving the latest M&A wave.
By Keith Regan

The recent surge of merger-and-acquisition activity is nothing new to the security space. Takeovers were a regular occurrence in 2000 and, after a lull, are back with a vengeance.

Symantec set the tone in its July buying spree, when it spent $375 million to acquire four companies. The trend continued with IBM Tivoli, NetScreen Technologies, Network Associates and Internet Security Systems each making deals of their own. The most recent high-level deal is NetIQ grabbing PentaSafe for $255 million.

A common thread among the deals, say analysts, is companies looking to beef up their product and service menus by buying established firms rather than trying to develop technology in-house.

"Companies are hearing from customers that they want to get more services from a single provider," says Pacific Crest Securities analyst Scott Haugan. "It simplifies billing, it requires less training. It just makes things easier."

So where will the next shoe drop? Eric Hemmendinger, research director at Aberdeen Group, says some sectors have managed to avoid the acquisition rampage to date, but may be swept up before long. A prime area for acquisition fishing is denial-of-service prevention. Hemmendinger says niche firms such as Mazu Networks and CS3 could be snapped up by larger networking companies to enhance their offerings.

Meanwhile, enterprises are expected to increase the amount of security work they outsource in coming years, says Forrester Research analyst Laura Koetzle. That will strain resources for some managed security service providers, which may prompt some to buy competitors to add capacity.

And, if market conditions don't improve sharply enough for the resumption of IPOs, venture capitalists may pressure the security startups in their portfolio to take the M&A exit strategy.
"People are starting to realize that a turnaround may be farther off than we all thought. There's pressure to sell if there's a decent offer," says Gregory Sneddon, senior managing director of Consilium Partners, a Boston investment bank.

10,000th CISSP Crowned; More Coming

Jakob Frydendal Gereke, an enterprise risk services manager in Deloitte & Touche's Copenhagen office, received a singular honor that marks a milestone for the International Information Systems Security Certification Consortium. Gereke is the 10,000th Certified Information Systems Security Professional (CISSP), which is rapidly becoming the most common security management credential.

By the time Gereke was honored at (ISC)2's annual meeting in London last month, the certification body was already well under way toward a new milestone--15,000 CISSPs. Since embarking on an international expansion, (ISC)2 has increased the CISSP ranks from 2,000 in 1999 to a projected 15,000 in 2003.

On The Move

@work

Evaluation References

OK, so you get an interview for a great job--now they want references. You know plenty of good people, but finding them isn't easy. They've moved on to new jobs, gotten lost in corporate mergers or simply disappeared. In a case like this, would a performance evaluation suffice?

Sure, but it isn't the best solution. "Performance evaluations are often filled out by mid-level managers who fail to take the time to conscientiously or thoroughly evaluate an employee," says Sharon L. Nelson, an employment attorney at the law firm Morris Polich & Purdy. "Consequently, performance evaluations are not a reliable gauge to evaluate an applicant's qualifications."

Recruiters say employers shouldn't rely primarily on references or performance evaluations in their hiring decisions.

"Performance reviews, like reference checks, can be subjective, and neither
should be used exclusively," says Tracy Lenzner, president of LenznerGroup.
"Alternate company personnel, peers, industry colleagues, subordinates and
ex-employees can be useful in these situations."

PROFILE/JEFF JONAS

Identifying the Enemy Within
by Anne Saita

Since the age of 14, when he sold a school project--an early word processor for a Commodore computer--to the Los Angeles school district, Jeff Jonas has shown a talent for technology. He has business acumen, too, and a hectic but healthy lifestyle as an amateur triathlete. Jonas has it all, some would say, except a high school diploma.

"I got so excited that I thought I was a computer guy that I never finished high school," Jonas recalls.

He never finished college, either. By the time he was 18, he had his own software company and 21 employees. A year later, he was bankrupt and living in his Mercedes in Northern California. From his backseat, Jonas says, he created a software program that correlated disparate data to help hospitals identify freeloading patients trying to be readmitted under aliases.

Today, the founder of Systems Research & Development has expanded on earlier work in "entity resolution" to identify insider threats, maybe even terrorists. Non-Obvious Relationship Awareness (NORA) enables organizations to detect fraud and collusion across umpteen databases, all in real time. For instance, it instantly makes connections between employees and vendors by comparing individual data on each, or former employees to current ones, and pumps out an alert. It immediately picks up that job applicant Ric Smith also is Richard Smith, son of your top competitor's CEO. But that doesn't necessarily mean Smith isn't legit. Once NORA makes the connection, it's up to an organization to investigate possible wrongdoing.

"What we do is perpetual analytics," Jonas, 38, says from his office in Las Vegas. "As fast as we ingest data, we tell the users of the system about things that are happening in the data. You don't have to start looking."
For example, if someone in accounts payable changes her address, NORA immediately picks up that the new address matches that of a vendor. "Nobody's having to ask the system every day, 'Do any employees live with any vendors?' The moment it happens, you know."

Practical applications are obvious. Retailers use NORA to reduce organized theft. The gaming industry crunches data to keep con artists out of casinos. Now, SRD is trying to convince government of NORA's potential to track terrorist activity.

Jonas frequently refers to his tool as a "smoke detector," quick to pick up on suspicious connections but unable to prevent damage if warnings are ignored.

"The things we're finding are assumptions. We're finding facts that have been set and known to be interesting, like the security guy at the nuclear plant checking bags who used to be college roommates with the guy walking the stuff out. What you've got can be called interesting--you've got the watcher knowing the watchee."

People also are watching Jonas, who has become a popular speaker at conferences and business functions.

"It's sometimes a shock, as the chief scientist here, to come up with something that's pretty neat and to go speak at a big conference in Washington, where people who are trying to solve national problems come up and say, 'Hey, this is really good. We don't have anything like this.'"

HE SAID...

"They are not grabbing code; they are grabbing product, and it's going to be
buggy, and it's going to have problems."

"It is also feasible to insert false information or computer viruses into the
terrestrial computer networks associated with a space system, either remotely or
through an on-site connection. Such an attack could lead to space system
degradation or even complete loss of spacecraft utility."

By The Numbers

583
31.2 million
$40.2 billion
64%
7 out of 10

This month in INFOSEC HISTORY: NOVEMBER

1995
1996
1997
1998
1999: Cryptographers crack a message encrypted with a 97-bit elliptic curve key in a contest sponsored by Certicom to prove its ECC algorithm is stronger than RSA Security's PKC. Experts say the results are inconclusive.
2000
2001

Copyright 2002 TechTarget