StratVantage Consulting, LLC — Mike’s Take on the News 10/11/01
Clipped from: http://www.stratvantage.com/news/101101.htm
The News – 10/11/01
In this Issue:
Someone to Watch Over Us
In the wake of the terrorist attacks, many people have wondered if one of the new battlefronts will be cyberspace. In fact, in a previous SNS, I reported the cracking of a German Islamic extremist Web site and the posting of subscribers’ names on a Swiss server. How well are we prepared for infowar? And who will fight it?
One of the forces that will fight to protect US networks is InfraGard, a cooperative undertaking between the FBI and an association of businesses, academic institutions, state and local law enforcement agencies, and other participants. InfraGard’s mission is to ensure the security of critical US infrastructures such as energy, banking and finance, water systems, government operations, emergency services, telecommunications and the Internet. To do so, they work with the National Infrastructure Protection Center (NIPC), a governmental organization that is dedicated, in part, to “detect, deter, assess, warn, respond, and investigate unlawful acts involving computer and information technologies and unlawful acts, both physical and cyber, that threaten or target our critical infrastructures.”
The NIPC and InfraGard are responding to the requirements of Presidential Decision Directive (PDD) 63, which President Clinton created on May 22, 1998. The directive orders the strengthening of the nation’s defenses against emerging unconventional threats to the United States to include those involving terrorist acts, weapons of mass destruction, assaults on our critical infrastructures, and cyber-based attacks. PDD-63 calls for a national-level effort to assure the security of the increasingly vulnerable and interconnected infrastructures of the United States.
While the FBI has called for managers of physical infrastructure to go to a high alert status, it may be even more important for networking and computer professionals to be on alert. This is because many physical infrastructure resources are controlled by computers, and the security of these computers has been compromised in the past. For example, several times this past spring, crackers attempted to gain access to the servers at California’s Independent System Operators (Cal-ISO), the agency that manages the state’s electrical supply and decides when rolling blackouts will occur. The crackers apparently got close to disrupting the flow of power in California during the rolling blackouts that occurred in May.
Many pieces of critical infrastructure today are controlled by Supervisory Control And Data Acquisition (SCADA) systems, which are basically networked computer systems. Like any networked computer system, SCADA systems can be vulnerable to attacks. Some of these systems, like GE SmallWorld’s PowerOn™ electrical distribution system or Encorps Virtual Power Plant power dispatching system, are based on Microsoft Windows products, and many have Internet-enabled features (using Microsoft’s Internet Information Server (IIS)) for convenience.
Regular readers may remember I am not a fan of Microsoft products being exposed to the Internet. Well, I’m obviously not alone. Industry analyst GartnerGroup agrees:
IIS security vulnerabilities are not even newsworthy anymore as they are discovered almost weekly . . . As Gartner warned in 1999, pulling complex application software into operating system software represents a substantial security risk . . . Microsoft has discussed its Secure Windows Initiative, which details a well-thought-out program for improving Microsoft’s development processes to avoid repeating the same security mistakes that led to vulnerabilities in Windows NT and Windows 2000. However, the same old buffer overflow problems appearing in beta Windows XP code raises doubts over whether the security assurance tools Microsoft has implemented will effectively reduce the number of well-known security bugs that continue to show up in Microsoft products. For Microsoft’s vision of .NET and Web services to succeed, Windows XP will have to be significantly more secure than Windows 2000 has proven to be; otherwise, Microsoft risks losing some enterprise business to more-secure implementations of Web services.
To reduce their vulnerability, Windows-based SCADA systems may be hardened and protected by third party software, such as that available from Visual Automation. But the fact remains that many critical infrastructure systems are run by software from a vendor that has, to date, had serious problems with security vulnerabilities. And that makes me, for one, more than a little worried. It’s one thing for Web sites to be hacked. Even if the companies attacked lose millions, it’s only money. It’s yet another thing for critical infrastructure systems to be attacked, by joyriding script kiddies or by terrorists; the result could be disastrous. Here’s hoping the newly created Homeland Security Agency will act to bolster groups like InfraGard and will issue strong new guidelines for the use and protection of the software that controls vital services.
In the spirit of acting locally, here are some steps, courtesy of InfraGard, that you can take to improve your personal and company security:
- Use strong passwords. Choose passwords that are difficult or impossible to guess. Give different passwords to all accounts.
- Make regular backups of critical data. Backups must be made at least once each day. Larger organizations should perform a full backup weekly and incremental backups every day. At least once a month the backup media should be verified.
- Use virus protection software. That means three things: having it on your computer in the first place, checking daily for new virus signature updates, and then actually scanning all the files on your computer periodically.
- Use a firewall as a gatekeeper between your computer and the Internet. Firewalls are usually software products. They are essential for those who keep their computers online through the popular DSL and cable modem connections but they are also valuable for those who still dial in. [Editor’s note: I prefer ZoneAlarm, which is free for personal
- Do not keep computers online when not in use. Either shut them off or physically disconnect them from the Internet connection.
- Do not open email attachments from strangers, regardless of how enticing the Subject Line or attachment may be. Be suspicious of any unexpected email attachment from someone you do know because it may have been sent without that person’s knowledge from an infected machine.
- Regularly download security patches from your software vendors.
You can also learn more about computer security at the StratVantage Security page. If these measures fail, and your company is a victim of a cyber break-in, it’s important to preserve the evidence so the perpetrators can be located. ZDNet recommends you take the following steps:
- Record every action you take. Include the date and time.
- Preserve evidence, no matter how small.
- Think prosecution–every action you take should help build a possible court case against the perpetrators.
- Notify key personnel immediately.
- Limit the scope of the attack as quickly as possible.
- Preserve all audits (disable any system log purges or overwrites).
- Implement additional security, if necessary or available.
- Review the incident response plan in light of the recent event and revise accordingly. Remember that any response plan is just a “work in progress.”
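One way to keep the timestamped action record and the preserved evidence from the steps above tamper-evident, as an added example that is not from ZDNet, InfraGard or the original newsletter: each log entry carries the SHA-256 hash of the previous entry, so a later edit, deletion or reordering is detectable. The function names and the sample data are assumptions made for illustration.

```python
import hashlib
import json
from datetime import datetime, timezone

GENESIS = "0" * 64  # "previous hash" of the first entry


def _digest(entry):
    """SHA-256 over every field except the hash itself, in canonical JSON."""
    body = {k: v for k, v in entry.items() if k != "hash"}
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()


def record(log, who, action, evidence=None, now=None):
    """Append one responder action; evidence maps a label to raw bytes."""
    entry = {
        "time": (now or datetime.now(timezone.utc)).isoformat(),
        "who": who,
        "action": action,
        # Log fingerprints only; the artefacts themselves stay untouched.
        "evidence": {name: hashlib.sha256(data).hexdigest()
                     for name, data in (evidence or {}).items()},
        "prev": log[-1]["hash"] if log else GENESIS,
    }
    entry["hash"] = _digest(entry)
    log.append(entry)
    return entry


def verify(log):
    """Return the index of the first altered or reordered entry, else None."""
    prev = GENESIS
    for i, entry in enumerate(log):
        if entry["prev"] != prev or entry["hash"] != _digest(entry):
            return i
        prev = entry["hash"]
    return None


def evidence_unchanged(entry, name, data):
    """True if an artefact still matches the fingerprint logged for it."""
    return entry["evidence"].get(name) == hashlib.sha256(data).hexdigest()


if __name__ == "__main__":
    log = []
    sample = b"constructed sample log line, not from a real incident\n"
    record(log, "responder1", "Copied auth log to write-once media", {"auth.log": sample})
    record(log, "responder1", "Disabled log rotation on affected host")
    print("first bad entry:", verify(log))
```

Keeping a copy of the latest entry hash somewhere the intruder cannot reach (printed, or on write-once media) is what makes a wholesale rewrite of the log detectable as well.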
You may be wondering whether you’ll be able to prosecute even if you catch the criminals. The National Security Institute maintains a list of computer crime laws by state.
And hey, hey, hey! Let’s be careful out there!
- Shameless Self-Promotion Dept.: I’ve added a new directory to the Directories section of the StratVantage Web site: Email Newsletters. After conducting a fruitless search for a central place listing interesting email newsletters, I decided to establish one myself. I’ve seeded it with newsletters I receive and find useful. If you’ve got a favorite, send it along and I’ll add it.
- Advertising Has Changed: Stan Hustad, a performance coach with PTM Group, quoted a discussion with advertising executives John Partilla and Mike Campbell in his recent newsletter. The pair discussed how advertising will change in the post Tragedy world: “Cynicism will go by the wayside. It’s just not cool anymore. Relevance will be really important in terms of how you try [to] tie in what’s happened. I see every piece of work that goes out of the agency, [to see] if it has humor in it, if there is humanity in it, a humility that feels appropriate. You don’t need big focus groups [to determine what people want]. You can see it in the faces of people on the street. People are really tender right now. They don’t want to be presented with advertising that is too in-your-face.” Words to remember if you’re planning an advertising campaign. Stan’s newsletter, The Coaching Connection, offers tips on self-improvement and performance optimization as well as business and marketing tips. I heartily recommend it.
- Toshiba Rolls Out Handheld: Last week, Toshiba became the latest vendor to embrace Microsoft’s Personal Digital Assistant (PDA) Pocket PC platform. Microsoft also announced its latest revision of the system, dubbed Pocket PC 2002, available now. This is the first year-named product that Microsoft has released ahead of the year, as far as I can remember. Toshiba, on the other hand, doesn’t even mention their new product on their US Web site. Now that’s a great way to roll out a brand new product! While many industry analysts predict Microsoft will continue to take share from Palm, the price and still-poor usability will slow their momentum. The Palm platform got a boost recently when Samsung rolled out a new color PDA/cell phone for use on Sprint’s cellular network. The unit uses the Palm operating system, comes with 8MB of memory and supports Wireless Application Protocol (WAP), HTML and i-mode’s cHTML.
- First US GPRS Network Expands: AT&T, which established the first General Packet Radio System (GPRS) cellular network in Seattle a few months ago, is expanding the network to three more cities: Las Vegas, Phoenix and Portland. Unlike the Seattle area, coverage in these new cities seems to be fairly extensive. GPRS offers voice and data, with data speeds as high as 144 Kbps. Typical performance, however, is likely to be 56Kbps, the speed of today’s wireline modems. The company said it’ll roll out Detroit in the next few weeks, serve about 40 percent of current customers with GPRS by the end of the year, and serve all its markets by the end of 2002.
- Are U Ready 4 a New Buzzword? Let’s see. We’ve had eBusiness and e-Tail (stupid buzzword alert), eCommerce and m-Commerce (mobile commerce). Next, we’ll start hearing about u-Commerce, or ubiquitous, universal commerce. In the future, according to Accenture’s think tank, Accenture Institute for Strategic Change, you can wirelessly buy anything from anyone anywhere in the world. (Lest we get too starry-eyed, we need to realize there are places in the world where livestock is the only going currency.) The company predicts 630 percent growth worldwide for net-connected wireless devices over the next four years. Despite its breathlessness, I more or less agree with this forecast. As I’ve predicted in the TrendSpot, I fully expect ubiquitous computing, where computing becomes not a place you go, but a service you get from your environment, to arrive by the end of the decade. Local area networking schemes like 802.11b (or successors) and Bluetooth are starting to make this happen today. Will this new acronym stick? Well, a casual perusal of the Web using Google turns up some supporters: Visa (who apparently coined the buzzword), the Association for Computing Machinery, and South Africa’s McCarthy Online.
- How Can You Be In Two Places At Once, When You’re Not Anywhere At All? A company called Teleportec has the coolest technology I’ve seen in a long while. Using three ISDN lines (roughly 384Kbps), a person using their $70,000 Teleportec Podium can project his or her image from the waist up to a remote location and appear life-sized and in 3D. Only one of the men in the picture to the left is really there; the other is hundreds of miles away. The company has tried it out with several businesses. It also makes a large Teleportec Theatre that is 20 feet across with an 11-foot-wide “teleportation zone” designed for panel discussions or telemeetings. Given the recent events, all kinds of virtual meeting technology will likely be given a boost (witness WebEx’s 30 percent stock rise on the first day of trading after the terrorist attacks). If Teleportec’s technology is as good as they say it is, look for them to put the others in the shade quicker than you can say, “Help me, Obi-Wan!” The applications aren’t limited to distance learning and business conferencing, however, as illustrated by the Digie award given Teleportec by Realcomm, a realty eCommerce conference.
- Encryption a Threat? Alert SNS Reader Jeff Ellsworth sends along this article regarding the role encryption may have played in the recent tragedy. There is evidence that terrorists have used commonly available Public Key Encryption techniques as well as the more sophisticated steganography methods in their communications. Steganography is the embedding of secret messages in binary files such as image files or music files. The sender changes a few bits in the file and the result is invisible when viewed or listened to. There have been claims that the terrorists regularly used pornography files to communicate. Now Sen. Judd Gregg (R-N.H.) has proposed making it mandatory that software developers give government security agents the “keys” to encryption programs when they are created. The government tried this once before, in 1993 with a technology called the Clipper Chip. The idea was everyone would use the government’s encryption scheme, which had a “law enforcement back door.” This scheme was roundly criticized as unworkable by pretty much every knowledgeable security expert. Three main criticisms illustrate the folly of the Clipper Chip:
1) Because the government would keep the Clipper methodology secret, the security community couldn’t point out any deficiencies
2) Crackers would inevitably find ways to use the back door to their advantage
3) Nobody in their right minds outside of the US would ever use this technology if the US government could eavesdrop on them, thus it would be useless in protecting us from foreign terrorists
I really hope we don’t need to go down the Clipper path yet again. Phil Zimmermann, the creator of Pretty Good Privacy, a popular encryption technology, believes human footwork will be more useful in catching terrorists than more surveillance technologies: “It’s not practical to frisk everyone on the planet to find the one person with a box cutter.”
- Unsafe At Any Speed? Alert SNS Reader Bill Lehnertz sent along a pointer to a McKinsey Quarterly article, How Fast is Too Fast? It’s a nice analysis of the “Internet time” mania that gripped many of the dot-coms. The authors studied 80 Internet companies, including business-to-consumer (B2C) companies, business-to-business (B2B) companies, and infrastructure providers. They tried to determine the speed with which each built its business—and the outcome. One of the companies examined is my favorite dot-com/exchange success story: Altra Energy.
McKinsey Quarterly (registration required)