
Many, Many Methods Of Cyberattacks

Yesterday CNN ran an interesting story, "U.S. at risk of cyberattacks, experts say."

For those of you in the information security biz this is not new news, I know. We've known and discussed the massive and insidious types of damage that could be done through cyber attacks for several years. However, there is still not enough being done.

"The Web sites of key government security agencies, such as the Pentagon and the Central Intelligence Agency, are difficult to bring down, experts said. So are the computer networks of large American banks. But experts say a successful, large-scale attack on U.S. computer systems could hobble electric-power grids, transportation networks and industrial-supply chains.

"You'd see some disruption of essential services, like electricity. You'd definitely see espionage," said James A. Lewis, a senior fellow at the Center for Strategic and International Studies in Washington. "Would it be decisive? No. Nobody's going to win a conflict with the United States in cyberspace. But would it be disruptive and irritating? Yes.""

Knowing the lack of security and controls in many of the existing applications and existing systems, I believe it could be much more than just irritating.

A rather different slant that was not discussed was considering our horrible economy along with world unrest...

I'm surprised the article did not talk about the actual types of economic disruption that could be done through cybercrime that could have a huge and devastating impact. Not necessarily from the large cyber attacks discussed in the article, but from changing data, systems and applications code. And if the cybercriminals did it just a little bit here and there, consistently over time, imagine the huge problems it could cause to banks, insurance companies, medical providers, energy companies, communications companies, and so on.

Just a few scenarios that could happen through vulnerable applications code and poor access controls to databases...

  • What would happen if the stock prices were lowered by a few cents, or dollars, for some companies or raised for others, by cybercriminals a little bit each day or week over a period of time?
  • What would happen if the code in hospital networks were changed so that amounts of automatic drug doses were all changed by a decimal point?
  • What would happen if the data was changed slightly for the power grid roll-over points?
  • What would happen if the car factory computer systems had the locations for the bolt attachments changed by just a quarter inch to the left or right of the proper location?

We could keep brainstorming this list ad infinitum.

The article focuses on cybercriminals from the outside and the need for firewalls and other perimeter protections; all important.

However, there is perhaps even greater risk from insiders, along with poorly engineered and poorly controlled and protected applications and systems. More attention needs to be paid to those before something major happens.

Just some food for thought.

Comments

This is truly scary. I think most people go about their daily lives and business without a second thought to this very real possibility -- likely hoping and expecting someone else to take care of things. Thanks again for bringing it to our attention so that we can be aware.

National security and cyberattacks should be a major concern of our government. Although I understand the commitment to free enterprise, this is an area that should not just be left to private companies to protect. A huge vulnerability exists in the millions of home computers nationwide. Most do not have firewalls, many have no antivirals or antispyware. Many home computer operators have no idea what these terms even mean, they have a computer at home and just use it. Why else would there be the ability to turn so many home computers into "botnets" for attacks?

It would be very easy for the government to develop public domain antiviral, antispyware, and firewall software that citizens could download for free from a government website to install on their computers.

Forgive me Norton, McAfee and all the others, but allowing citizens to take control of protecting themselves from attack for national security purposes, is more important than your corporate profits. You might even be able to get a government contract to help in the public service effort. Cyberattacks on citizens would be just as damaging to our country and morale as attacks on banks and power grids. Our government can help us by giving us the tools and helping us use them to protect ourselves.


Rebecca Herold's Bio:

Rebecca Herold, CISSP, CIPP, CISM, CISA, FLMI, has been providing information security, privacy and regulatory assistance and services to organizations from a wide range of industries for over 18 years. Rebecca was instrumental in building the information security and privacy program while at Principal Financial Group, which was awarded the CSI Information Security Program of the Year Award in 1998. IT Security ranked Rebecca as one of the top 59 IT security influencers, and Computerworld put Rebecca on their list of the 25 top privacy experts and on their list of the 9 best privacy consulting firms. Rebecca has been CPO for two consulting organizations, and has had her own information privacy, security and compliance business since 2004. Rebecca has written chapters for several books, dozens of articles, and has been writing a monthly privacy column for the CSI Alert newsletter since the beginning of 2001, and is working on her 11th book. Some of her other books include The Privacy Papers, Managing an Information Security and Privacy Awareness and Training Program, The Definitive Guide to Security Inside the Perimeter (Realtime Publishers), The Shortcut Guide to Improving IT Service Support through ITIL (Realtime Publishers), and The Practical Guide to HIPAA Privacy and Security Compliance. In addition, Rebecca is the leader of The Realtime IT Compliance Community where she posts to her IT Compliance weblog. You can contact Rebecca at: rebecca_herold@realtimepublishers.net.