Wednesday, 16 July 2008

The New Face of Cyberterrorism?

There's been a bit of concern lately that terrorists would switch to cyber-terrorism and disable vital systems by hacking into mission-critical routers and servers.  The USA defence dept has devoted considerable resources to exercises playing out vaious scenarios.  I believe even Australia (under Kevin07's leadership) is beginning to understand the importance of securing vital infrastructure. 

Then also there's an IT tenet that your greatest security problems come from within your LAN, and the biggest security risk is generally the IT staff themselves, as evidenced by a recent report that stated that a significant percentage of IT staff admitted to poking around in files they had no business in. 

Kevin Mitnick is of the opinion, borne out by his personal record, that most successful attacks on IT systems also involve a large dollop of social engineering, i.e. talking people out of critical information such as passwords and access codes. 

So while I'm the kind of system administrator that blocks viruses on the most common  ingress points, and trojans and worms at the firewall, I'm under no illusions as to where my biggest security risks lie - and it's always within the organisation.  People take sensitive data home on USB drive, PDAs, and laptops.  Some even email this to themselves at home and then email the updated drafts back to themselves at work.  (How do I know this?  I *am* a system administrator, and I *do* investigate suspicious emails that are thrown up by the email server filters...  The old saying "I'm a sysadmin - I read your emails" was quite close to the mark, but for different reasons.)

One of the things I keep an eye out for is users logging in from unusual locations or at unusual times.  My IT staff at my various positions have been like me though - we log in from wherever we are when a problem arises, and do what we can by remote admin where possible - so it's difficult to establish what's "usual" and what's "unusual" for the IT staff. 

That's why a scenario like this is my worst nightmare.  What can an IT department do in order to prevent something like this happening?  Well, there are some multi-tiered procedures that can reduce the risk, but they mean involving more staff in callouts, changes to basic SOP, and so forth - most IT budgets would constrain this level of security, and in no time at all unofficial "channels" would appear that bypassed the most onerous security restrictions, and you're back to the earleir situation, only now you don't know all the "usual channels" any more.

And the worst thing of all, is that this ties back to my first paragraph.  Why would I bother to laboriously hack through layer after layer of protocols and firewalled ports and IDS, when all I really need to do is convince one of the existing system admins that my cause is just?  And what better way to prove that, than by waving a large wad of Holy Currency under said sysadmins nose? 

The best thing, from the point of view of the theoretical terrorist, is that the IT staffer you buy off will already know all the unofficial ways to bypass security.  So I reckon instead of spending zillions learning how to block incoming cyber threats, learn to manage human nature inside your networks. 

No comments: