From your article --

"Much of what constitutes the 'cyberterror threat' comes down to the poor management of systems critical to the security and viability of the United States. In other words, traditional computer security vulnerabilities, not legions of phantom 'cyber-terrorists.'"

and,

"It does not require political appointees wringing their hands proclaiming “The sky is falling!” and demanding more money and more power. Nor does it require focusing on vague, shadowy threats instead of addressing the pressing needs and realities of information security today."

Agreed. I worked for United Airlines before 9/11 (and was shortly laid-off thereafter due to lack of work). I worked for new projects as a Internet systems and security engineer, one who interfaced between Information Security and management -- sometimes executive management (through other managers). The problem which exists today is not our lack of understanding technological terminologies (or its mumbo-jumbo); the problem exists insofar as to the risk that is at hand. With everything riding with executive managers today, the least amount of exposure about a company's weakness, the better their stock portfolio, and the happier their stock owners will be. Translation: "Corporate America" is more than aware of the risks, and the problems which exist within their infrastructure -- yet they would rather do nothing (in hopes that it will "go away") instead of facing the issue and "plugging up the holes in their corporate dike". Such was the case with UAL (not that I am slandering them, however, with someone who has vast knowledge of most entry-points of the company's networks, you would think that they would want to keep someone like that there to help "plug up the holes"). And UAL isn't the only company to follow these practices.

Other companies, such as SBC/Ameritech, Sears, etc. -- all are afraid of their stockholders and stock owners, and will do everything to make them happy -- EVEN IF IT MEANS LYING TO THEM! Unfortunately, most stockholders and owners today are now starting to see what "Corporate America" has been doing for the past 10+ years, and what little has been done to ensure that their stocks (and more importantly, their investments) are "safe and secure".

You want to destroy a large Fortune 500 or 1000 company? Make an *attempt* to infiltrate their site, then broadcast lies about the lack of their security mechanisms. Watch as their stock plummets -- that is the real threat. I figured this out one time a few years ago when someone asked me to "test" their network.

A friend of mine got connected via Internet broadband, and was connected directly with a Linux firewall. He thought that he was safe and secure, and was so certain that he was impenetrable. Then I did one thing which caused all sorts of chaos on his network -- I simply port-scanned him repeatedly over the next 36 hours. The idea was this: if you "door bang" long enough and loud enough, someone will "hear" it, then it becomes a feeding frenzy or swarm (depending on how you look at things). In reality, it doesn't take much for other people (hackers, crackers, phreakers -- all like) to know when their *might* be something there for the taking.

What says that that scenario wouldn't work on a corporate network? Or that someone from the *inside* provides network maps showing all the "boobytraps", etc. Knowing that it is illegal now, since when has this stopped hackers? If resourceful enough, this won't.

The article hit on a sensitive nerve, one that requires some careful thought process behind the (eventual) resolution. Unfortunately, "Corporate America" doesn't wan to hear it, saying that there are no security threats to their environments, and that most employees (and contractors) are periodically checked to make sure that problems don't arise. Then there's the matter of the policy.

How good is a countermeasure, when your policies are 5 to 10 years out-of-date?

Think about all of this, and then -- maybe something might come of it.

Power users won't be silent any more. Why should you?

-r

[ reply ]

Link to this comment: http://www.securityfocus.com/comments/columns/111/16720#16720