Imagine a natural disaster the likes of Hurricane Katrina or a terrorist attack on a major U.S. city wipes out business operations. In the mad dash to get back online as quickly as possible, security protocols and procedures take a back seat to regaining business continuity. And that's when a second catastrophe occurs: Information systems are vulnerable to attackers, who see an opportunity in the chaos as companies are forced to rely on backup operations (or even pen and paper). That's just one example of the worst-case security scenarios that emerged during recent discussions with customers and industry experts. Others include targeted cyberattacks in which precious corporate jewels, such as intellectual property, are held for ransom; biometrics and other identity-verifying techniques disrupting essential functions; and the emergence of a new type of denial of service that keeps companies from communicating with their customers and halts the flow of genuine information across the Internet. A few of these security-disaster scenarios have happened, but the majority are exaggerations of current technology, processes and policies that probably haven't occurred yet but aren't out of the realm of possibility. Such scenarios and how to prepare for them will be a topic at the Security Standard event to be held in Boston next month. When a natural disaster or terror attack halts business, for instance, security weaknesses emerge because people are distracted by what's happened or by the rush to get business running again. "When bad stuff happens there's chaos and panic. Everyone has procedures [to follow], but it's not clear that people even know where they are," says Charles Palmer, CTO of security and privacy with IBM Research. "When you're in a hurry to get back online, especially if you're losing lots of money each minute, you're going to do what it takes to get online." That period of lax security could open a back door to the same attacker or a new one. Or depending on the level of devastation, it could allow someone to walk out the front door with sensitive information. "I wouldn't necessarily classify natural disasters as security issues, with one caveat - out of chaos bad actors seek to take advantage," says Paul Kurtz, executive director of the Cyber Security Industry Alliance, a public policy and advocacy group based in Arlington, Va. Such behavior happened in New Orleans in the aftermath of Katrina when nonvictims tried to benefit from government relief funding, he says. Closer to the forefront of most security professionals' minds are targeted attacks that seek to damage a specific company by stealing sensitive information or interrupting business. Most companies have taken measures to block mass attacks, such as viruses and worms that spread across the Internet; now they're grappling with what to do if a cybercriminal attempts to steal sensitive company or customer information. "Corporate espionage is so dangerous . . . that you may not realize what's happening," says Johannes Ullrich, CTO of the SANS Institute's Internet Storm Center. "For example, a targeted worm could go undetected, and it's not like suddenly [your users experience] a blue screen and you're dead, but then you see your competitors having strategic advantages over you because they're being fed your information." One particularly frightening type of targeted attack is happening today, says Sara Santarelli, CISO of Verizon Business, who has been on conference calls with clients dealing with ransom threats. "The scenario is, someone at a high level of the company gets an e-mail that says 'If you don't send me X amount of dollars I'm going to start attacking your assets,'" says Santarelli, who declined to specify how many ransom threats she has firsthand knowledge of, but says they definitely exist. With the proliferation of zombie computers on the Internet that are controlled by hackers, few corporations can defend themselves from what amounts to an attack from a supercomputer, says Paul Judge, CTO of security company CipherTrust. "There are 7 million machines on the Internet controlled by someone other than their owner. These hackers are controlling a massive amount of power on the Internet," Judge says. While law enforcement advice is never to pay the ransom, because you'll probably just become a target again, the alternative also can be painful. "These are very complicated attacks. In many cases you start getting attacked from thousands of sources, so you can't just black-hole them," Santarelli says, adding that Verizon Business offers services that block such attacks by stopping the traffic before it hits the customer's site. Still, such a service can't protect a company in the case in which an insider has helped orchestrate the theft of sensitive information, such as intellectual property or future product plans, which now sit in the hands of the attacker, who insists on cash or he'll sell the information to a competitor. That brings up another worst-case security scenario - not being able to trust the people operating the computers. "The human element is a security risk," says Matt Stevens, CTO of security vendor Network Intelligence. "Even the best police organizations in the world have a separate body to monitor them, the chance for abuse of power is so high they have to have checks and balances." Trust means having confidence not just in the people who work for you, but in anyone you communicate with electronically. "You're faced with trusting strangers across the Internet, whether it's your bank or eBay. . . . It's the whole idea of trusting strangers at a distance," says IBM Research's Palmer, who says customers often ask how they can trust, for example, a company in a foreign country that they've outsourced business to. "How do we know they're not running off and selling our intellectual property? Well, you don't. It's a hard thing to deal with. We're never really going to get away from the people thing," he says. As transactions that once were done via phone, mail, fax or in person increasingly go online, knowing whom you're dealing with becomes even more important, CipherTrust's Judge adds. "We have a customer with the mandate that by 2010 all of their transactions with partners are going to happen over Web services," he says. "Where are we with policies around identification? We need to run faster and really get ready for all of the applications that are going to go online." Biometrics are often touted as a possible solution to the identity issue, because authenticators such as fingerprints and retinal scans are difficult to tamper with. To be effective, however, such measures have to be integrated into an organization's workflow in a way that they will be used. "In a hospital setting, if a doctor has to check on a patient stat. in the ER, the doctor has to remove his gloves in order to get a fingerprint scan. . . . That takes time, and what happens if it's denied, does the patient still get treated?" says an IT director for a healthcare organization who requested anonymity. "Here in healthcare, I'd be hard-pressed to convince people that [biometrics] are a good idea." Perhaps the most frightening worst-case scenario is one in which the Internet becomes so clogged with spam, viruses, spyware and other malicious code that people stop relying on it as a source of information and a means of communication. In some ways, that's already happening. "Look at Citibank and others like them; these are some of the largest and most powerful entities on Earth, but they're at the point that their customers don't trust e-mail from them," says CipherTrust's Judge. "When you can't communicate with your customers, that's a different type of denial of service." SIDEBAR Security check There's no such thing as 100 percent security, but there are some steps organizations can take to avoid, or at least lessen the impact of, a worst-case security scenario: When planning your disaster recovery/backup strategy, make sure the level of security mirrors that of the primary system, and that related policies and procedures are well understood by the staff. Identify what data is the most critical to the company and give that the highest level of protection. That way, in case of a security breach, that information will be the most difficult to get to. Turn your security plan into a risk-management plan. That's what Verizon Business did internally, says CISO Sara Santarelli. "Security experts have to move away from an operations security program and get to the point where everything you do is about mitigation of risk to your enterprise," she says. "There needs to be a lot more intellectual information around operational action." Talk about the "what ifs." "I don't think there's any value in bringing these conversations to the CXO level, but I do think there's value at the information security/architecture level, keeping the information in your head and doing exercises with other smart people in the organization to determine what is the impact," says Neil Buckley, manager of network security at Partners Healthcare System. Establish policies regarding what information can and cannot leave the company, make sure employees are aware of them and consider using technology that helps to enforce those policies.
