Cyberwar - A Threat to Business
By Gideon T. Rasmussen, CISSP, CISA, CISM, IAM
It's no secret that large U.S. businesses are in the crosshairs
of foreign government entities and terrorists. According to Maj. Gen. William
Lord, "China has downloaded 10 to 20 terabytes of data from the NIPRNet,"
the Department of Defense network used for transmitting sensitive information. It
is only a matter of time before military and terrorist organizations target
commercial organizations. In fact, the Department of Homeland Security recently
warned of potential Internet attacks on the U.S. stock market and banking Web sites.
Large businesses offer an attractive target and the potential impact is very high.
Known targets and threats
The Department of Defense secures its systems using world-class information security
standards and layered controls, thanks in large part to an abundance of financial
resources. Conversely, corporations have limited security budgets and can be weakened
by merger and acquisition activity. The
same hackers responsible for the Department of Defense breach noted above would have
an easier time compromising commercial systems -- and they know it. Any organization
that provides critical services to U.S. citizens is a potential target; examples
include telecommunications companies, financial institutions and Fortune 50
The threat of cyberwarfare is different from common Internet threats and most
organizations are not adequately prepared for it. Corporate defenses typically
concentrate on protecting data from theft or alteration. Cyberwarfare also seeks to
disrupt critical infrastructure and services. That brings availability, resiliency
and incident response into the mix. Expect malicious attacks by determined hackers.
They will be well trained and have ample resources.
The risk-reward ratio for cyberwarriors is also different. Many are not motivated
by profit and will expend a great deal of time and resources with the only reward
being disruption of service and chaos. Economic damage is very powerful and can
dishearten a country.
Considering the strength of the U.S. military, cyberwarfare offers an attractive
alternative. Cyberattacks can be conducted from overseas with little chance for
reprisal. Businesses need to take this threat seriously. Learn about current
cyberwarfare threats and keep appraised of developments.
Internet based attacks are becoming more sophisticated all the time. Cyberwarfare
threats warrant composite security defenses comprised of preventive, detective and
corrective controls. A successful defense strategy focuses on identifying critical
information and services and implementing layered controls to protect them.
Sound business practices are founded on the principle of action, not reaction. That
means security programs must be highly proactive in safeguarding sensitive data and
critical services, which means: fixing vulnerabilities hidden from auditors;
raising awareness of issues that exist because of politics or organizational gaps
and working collaboratively to address them; and preventing compensating controls
from being cited inappropriately. The layered controls specified by
best practices and applicable regulations are necessary to
maintain a strong security posture. Ensure critical suppliers comply with your
Senior management must actively support this approach by funding security
initiatives and advocating security as a business requirement. Information security
professionals can help their own cause by communicating effectively with senior
management through a targeted awareness program that includes presentations, metrics
and reporting. Solicit their support throughout the year.
Network breach prevention
Defining a network security perimeter can be difficult in a large enterprise, but
there are a number of best practices that can help. Start by documenting networks
and systems at each site. Next, contact your Internet service provider (ISP) and
determine available IP address ranges. After obtaining proper permissions, scan each
IP range during a maintenance window. Carefully examine the scan results for
vulnerabilities and rogue systems. Finally, monitor each IP range and configure
alerts if an unused IP address comes into use.
Ensure all external network access points are controlled through the use of firewalls
and encrypted virtual private networks (VPNs). Use two-factor authentication to
strictly control access into the network by requiring a login account, password and
Use network segmentation to further insulate the enterprise from risk. Start with
standard three-tiered architecture (Web, application and database layers). Use
granular firewall rules to control inbound and outbound traffic. Ensure each system
resides in an appropriate network (e.g. demilitarized zones [DMZs], extranets and
intranets). Segment networks internally and between offices as well (e.g.
Segregate wireless networks from sensitive systems using firewalls. Choose a wireless
architecture that rotates keys and uses strong encryption to help prevent compromise
(e.g. WPA2 AES-CCMP). Conduct wardriving exercises to identify rogue wireless access
Protect the network from operating system and firewall software vulnerabilities by
sandwiching DMZs between two firewalls from different manufacturers, running on
different operating systems. Use application proxies to protect against zero-day
exploits and application layer attacks.
Monitoring and hardening
Cyber warriors may be very stealthy and conduct custom attacks over weeks or
months. Tune Intrusion Detection Systems (IDS) software appropriately. Implement
filtering solution to detect unauthorized use of sensitive information and
prevent it from leaving the network. Monitor network performance to detect
denial of service (DoS) attacks.
Separately, using application vulnerabilities, hackers can sail in through layers of
world class infrastructure defenses such as firewalls. Become intimate with your
commercial applications' features. Hackers will discover which software is in use
through fingerprinting techniques. Next, they will download administrative guides to
learn methods to gain access (e.g. remote access to the administrative console).
Hackers will also look for known vulnerabilities, therefore applications must be
routinely patched. Finally, conduct an Internet search for commercial application
hardening guides and configure appropriately.
Ensure custom code is developed in accordance with
industry best practices and code reviews are routinely conducted.
NOTE: There is an increasing focus on application security by regulators (e.g. The
Payment Card Industry Council recently added mandatory code reviews or use of a
web application firewall into their PCI
Data Security Standard).
Availability isn't just a matter of business continuity or disaster recovery. Systems
must also be available when under attack. Prepare for network DoS attacks by
implementing intrusion prevention systems (IPS) to counter attacks in real-time.
Configure operating systems to discard DoS traffic. Examine custom applications for
DoS vulnerabilities and incorporate IDS/IPS functionality. Finally, contract ISPs to
work with you during a DoS attack to block unwanted traffic.
Government strength controls
Cyberwarfare threats require government strength controls to protect confidential
information, such as trade secrets. Consider implementing an air gap or physical
separation to protect sensitive networks. This is an absolute way to prevent data
leaks across networks. Most information security professionals agree that a
determined attacker will penetrate perimeter defenses. The principle of
defense-in-depth is founded on that assumption. Take a hard look at internal controls
and my Insider Risk Management Guide.
When establishing internal security standards, consider the
US-CCU Cyber-Security Check List and PCI Security Audit Procedures. They are prescriptive and take a
more conservative approach than generic information security standards like ISO
17799 and COBIT.
To protect Web infrastructure, consider recommendations from the
SANS Internet Storm Center. Use hardened operating systems, such as
Red Hat Inc.'s SELinux (developed by the NSA) or Solaris 10 (which includes security
features from Trusted Solaris). If a standard operating system must be used, harden it
in accordance with industry best practices.
And don't forget to enhance incident response procedures to include cyberwarfare. Get
security and IT teams together and discuss how a malicious entity might attack to
cripple the business and methods to prevent, detect and respond. Drills should include
cyberwarfare incidents, including contact with ISP and government representatives.
Knowing and exploiting your enemy
To be successful in fending off cyberattacks, it is necessary to understand how the
opposition thinks and anticipate their next move. Cyberwarriors are professionals and
utilize traditional warfare strategy and tactics.
In their book Unrestricted Warfare,
two Chinese generals discuss modern warfare (post desert storm). They mention the United
States' dependence on systems and describe eight "beyond limits" warfare
principles, which apply to cyberwarfare as well:
· Omnidirectionality: There are no boundaries to the battlefield, including
technological space. Ordinary people and experts may be targeted.
· Synchrony: Attack to completion, in different locations, at the same time.
"With modern, high-tech measures, this process may take the blink of an eye".
· Limited objectives: "When setting objectives, give full consideration
to the feasibility of accomplishing them. Do not pursue objectives which are unrestricted
in time and space".
· Unlimited measures: Rules of engagement do not apply when pursuing a combat
objective. The burning of the south in the U.S. Civil War is an example.
· Asymmetry: Do not confront the enemy head-to-head. Instead, be unpredictable
and use the tactics of guerrilla warfare, terrorism and network war. Strike where your
adversary does not expect to be hit and exploit their soft spots. This use of force will
result in a huge psychological shock.
· Minimal consumption: "Combine the superiorities of several kinds of
combat resources in several kinds of areas to form up a completely new form of combat,
accomplishing the objective while at the same time minimizing consumption".
· Multidimensional coordination: This principle refers to cooperation between
different forces in different spheres in order to accomplish a combat objective. Non-military
and non-war factors are included in the sphere of war.
· Adjustment and control of the entire process: "Modern, high-tech measures
may make the entire course of a war extremely short, and incidentally make adjusting and
controlling it much more difficult".
The generals' words are sobering. Since foreign entities consider cyberspace a soft target
and commercial industry to be fair game, these are principles worth considering when
formulating defensive strategies.
Do not allow compliance burden to weaken your organization's security posture. The threat
of cyberwar is just one of many reasons to harden perimeter and internal defenses. The key
difference here is a determined attacker, with no fear of capture or reprisal, whose reward
is damage and chaos.
The potential for a cyber pearl harbor exists. Security professionals and the U.S. government
have predicted it. The question is, will businesses take the threat of cyber warfare seriously
and make it a priority in their budgets? Fair warning...
Gideon T. Rasmussen is a Charlotte-based certified information security
professional with a background in fortune 50 and military organizations. His website is
1. Red Storm Rising (GCN)
Warns of Possible Cyber Biz Attack (AP)
3. The -They Shall Not be
Broken Into- Challenge (SANS)
4. Unrestricted Warfare (Qiao
Liang and Wang Xiangsui)