A new kind of war

“Oh, my, god. Oh, my, god.” It’s all I could say when I heard of the attacks on the World Trade Center (WTC), listening to the radio on my way to work; and I’m not religious. Stunned silence followed as I learnt from slashdot.org (one of the few news sites which remained up in the hours following) that the towers had both collapsed, and the Pentagon had also been hit.

While a truly horrendous act of cowardice, the attack demonstrates with tragic clarity just how vulnerable we really are, despite, or perhaps because of, our status as an advanced industrialized society. Our own infrastructure was used against us, and the sad reality is that despite the sophisticated coordination, the attacks were relatively easy to accomplish.

Anyone who has traveled by air transport lately will know that security checks at airports have been amazingly incomplete. On several recent international flights I have passed through security without even being asked to demonstrate that any of my electronic gadgets (and I travel with a few) actually worked. Our own complacency is partially to blame for the September 11th (9-11) disasters.

Those in the Information Security (infosec) community have been quite worried for the last few years that similar complacency in computer and network security deployment could be used to strike at the western world. Now that huge numbers of computer systems are interconnected, most of them built alike and vulnerable to the same wide range of exploits, the risk is huge and real.

Those who are responsible for computer and network security would be well advised to take the WTC attacks as a tragic wake-up call, and to carefully examine their organization’s security policies and posture. Those dependent on others who themselves rely on IT infrastructure might want to gain assurances, in writing, that the risk is being managed appropriately.

The steps needed to secure a computer network fill books, and are best managed by those who have been doing computer security for many years. At a minimum, an organization’s network (no matter how small) should be protected by at least one firewall, and depending on the situation, possibly several.

In addition, every computer and piece of networking hardware should be audited for software revisions, and all patches and updates applied. This is true of both Unix and Windows boxes — no computer system is safe after being installed from the distribution CD-ROM. Apply the vendor updates, even if a firewall is in place! For those who use a regular computer as a firewall, it is important that that computer do nothing else.

It is a truism in security matters that the humans are generally the weakest links in a security system, and so constant education is required. Common examples include using the same password on all systems, and launching e-mailed attachments. Opening or forwarding ports through the firewall in order to make services available for workers outside the office is quite common, as is the downloading and installation of unauthorized software on machines in the supposedly safe zone behind the firewalls.

It’s the unavoidable compromise between convenience and security. Users don’t like having to remember multiple passwords, or to change them regularly, but it must be done. Similarly, firewalls often introduce inconveniences which users resist, but to not have even this most basic of defenses is just asking for disaster.

Those who already have what they feel is an appropriate security posture may wish to test their defenses. At a minimum, using port-scanning tools like nmap can determine what ports and services are exposed. More concerned organizations can hire “white-hat” crackers to try to compromise their security and determine weaknesses. Many groups offer these services, with some offering an arrangement such that they’re not paid unless successful — they generally get in.
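As an added example (not the column's own code), here is a small Python script that reads nmap's grepable (-oG) output from a scan of one's own hosts and reports any open TCP port that a policy allow-list does not permit. The addresses, the policy and the scan lines are constructed for illustration.

```python
"""Compare an nmap grepable (-oG) scan of your own hosts against an
allow-list of ports that are meant to be exposed, and report the rest.
Added example, not the column's own code; the policy and the sample
scan lines below are constructed for illustration."""
import re

# Constructed policy: which TCP ports each of our hosts may expose.
ALLOWED = {
    "203.0.113.10": {80, 443},   # public web server (TEST-NET address)
    "203.0.113.11": {25},        # mail relay
}

# Constructed sample of nmap -oG output for the two hosts above.
SAMPLE_SCAN = """\
# Nmap scan initiated (constructed sample)
Host: 203.0.113.10 ()\tPorts: 22/open/tcp//ssh///, 80/open/tcp//http///, 443/open/tcp//https///\tIgnored State: closed (997)
Host: 203.0.113.11 ()\tPorts: 25/open/tcp//smtp///, 139/open/tcp//netbios-ssn///, 445/open/tcp//microsoft-ds///
"""

# Each open port in -oG output looks like "22/open/tcp//ssh///".
PORT_RE = re.compile(r"(\d+)/open/tcp//([^/]*)/")

def parse_open_ports(scan_text):
    """Return {host: {port: service}} for every open TCP port in -oG output."""
    result = {}
    for line in scan_text.splitlines():
        if not line.startswith("Host:"):
            continue          # skip the comment/banner lines
        host = line.split()[1]
        ports = result.setdefault(host, {})
        for port, service in PORT_RE.findall(line):
            ports[int(port)] = service or "unknown"
    return result

def unexpected_exposure(scan_text, allowed=ALLOWED):
    """Return {host: {port: service}} of open ports the policy does not permit."""
    findings = {}
    for host, ports in parse_open_ports(scan_text).items():
        extra = {p: s for p, s in ports.items() if p not in allowed.get(host, set())}
        if extra:
            findings[host] = extra
    return findings

if __name__ == "__main__":
    for host, extra in unexpected_exposure(SAMPLE_SCAN).items():
        for port, service in sorted(extra.items()):
            print(f"{host}: port {port} ({service}) is open but not in policy")
```

Run against a real scan with `nmap -oG scan.txt <your-hosts>` and feed the file's contents to `unexpected_exposure`; anything it reports is a port to close, firewall, or add to the policy deliberately.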

One recent analysis suggests most computers on the Internet could, with a sophisticated attack, be infected by a well-designed worm and destroyed within an hour. In fact, the recent waves of worms (Code Red, etc.) have been relatively benign solely because of the restraint of the worm authors; it takes very little code to format all attached hard drives. Many modern computers can be truly destroyed by overwriting the FlashROM boot image on the motherboard.

September 11th will, and should, cause us to look very closely at how we work and live, and the safety of the infrastructure upon which we’ve become dependent. A network attack can be carried out anonymously, from anywhere on the planet. Sadly, it is likely a question of when, not if, such an attack will take place.

Be prepared. We live in houses of cards.

Published in the Victoria Business Examiner.
