COMBATING THE THREAT OF CYBER TERRORISM

By: Kevin G. Coleman, Strategic Management Consultant and Advisor

Presented at: Cyber Security and Information Infrastructure Research Workshop, May 10-11, 2006, Oak Ridge National Laboratory


Post on 13-Jul-2020


Agenda

• AGENDA
• CRITICAL ISSUES
• PRESENTATION FOCUS
• VULNERABILITY TREND
• IT RESPONSE
• PATCH PROCESS
• DAY-ZERO
• CURRENT METHODS
• CLANDESTINE THREAT
• CONCLUSION
• APPENDIX
  – Bio
  – Definitions

Today we are ill-prepared to fight or respond to a serious cyber-terrorism attack!


Today

• In the past minute there have been approximately 54,000 serious computer attacks reported to hackerwatch.org!
  – Five percent of businesses estimate the cost of systems disruption would be over $5 million an hour, and 60% of businesses do not know how much computer attacks cost them. Only 1% of business continuity plans address cyber attacks and only 3% address computer viruses.
• Today an unprotected PC connected to the Internet lasts only a few minutes before it is compromised!
• In a recent study conducted by the Computer Crime Research Center, 90% of respondents detected computer security breaches within the last twelve months.
• Today, 1.9 million IP addresses have been linked to Online Child Exploitation, a $20 billion a year industry. (This problem falls under the umbrella of responsibilities of DHS.)


Three Critical Issues

1. The quality of software must be increased in order to significantly reduce the number of vulnerabilities that are exploited by cyber-criminals and cyber-terrorists.

2. The increased value of information weapons and tactics within the UnRestricted Warfare (URW) environment requires the development of new data weapons, alerting systems and tactical strategies in order to protect and defend the United States against cyber-crime and cyber-terrorism.

3. The current approach for securing information assets can only be described as reactive application of point fixes. A holistic approach is necessary to make these systems markedly more secure.


Presentation Focus

• Given the time restrictions, this presentation will focus on only one of these three critical problems.
  – The quality of software must be increased in order to significantly reduce the number of vulnerabilities that are exploited by cyber-criminals and cyber-terrorists.
• It is critical to note that, given our analysis, this is not the most pressing issue in combating cyber-terrorism. The implication of information systems in an UnRestricted Warfare (URW) environment represents the greatest threat.
  – The increased value of information weapons and tactics within the UnRestricted Warfare (URW) environment requires the development of new data weapons, alerting systems and tactical strategies in order to protect and defend the United States against cyber-crime and cyber-terrorism.


Vulnerability Trend

[Chart: horizontal axis 2000 to 2005; vertical axis 0 to 6,000.]

Data Source: CERT


IT Response to Vulnerabilities

• It is an onerous task to apply the hundreds of fixes that come out each year for operating systems, applications and other programs, but an efficient patch management regime has become an increasingly critical requirement.
  – 9% dealing with patches regularly once a week
  – 9% carrying out fixes once a month
  – 38% of organizations release patches as and when they see fit


Current Methods

• The ability to eliminate software vulnerabilities during the development process seems to be eluding the software industry. Software quality is an industry-wide issue with nearly 1/3 of organizations stating
• Formal design and code inspections average about 65% in defect removal efficiency.
  – “Software Quality: Analysis and Guidelines for Success,” by Capers Jones
• 38% of organizations believe they lack an adequate software quality assurance program.
  – Cutter Consortium


Current Methods

• Most security vulnerabilities result from defects that are unintentionally introduced in the software during design and development.
  – A typical IT organization in a multi-national, multi-billion business applies over 2,500 patches annually.
• Tools to examine software vulnerability in the design and testing stages have existed for years. Yet the problem continues to plague software companies.
  – Static code validation and verification tools are just now entering the software industry.
• Developers spend about 80% of development costs on identifying and correcting defects.
  – The National Institute of Standards and Technology


Vulnerability Day-Zero Cycle

[Figure: timeline of the vulnerability day-zero cycle. Stage labels, as they appear: Good Guys Discover & Report Vulnerability To Vendor; Vendor Announces Vulnerability And Patch Release Date; First Exploit Code Released; Black Hat Sharing And Exploit Kit Released; Vendor Releases Patch; Patch Tested & Applied. Other labels: "$$ Window of Maximum Exposure $$"; "Reduced". Interval labels: 17 hours; 7 Days; 7 to 30 Days.]

These attacks were very successful because cyber criminals were able to detect vulnerabilities and capitalize on them before patches could be made available.


Clandestine Operations

• Off-Shore Outsourcing - Our inability to economically and efficiently inspect the millions of lines of code in BIOS, as well as operating systems and applications, creates a unique opportunity for criminals and terrorists to infiltrate our information infrastructure with back-doors and malicious code.
  – This is also true in the rapidly growing Open Source Community and the numerous foreign-supplied components that are used in virtually every piece of computer and communications hardware.
• For over a year now, there has been discussion of a clandestine group, believed to be operating in South America, that has received significant funding to rapidly construct cyber-attack kits for reported and unreported software and systems vulnerabilities. This should be a wake-up call that the digital war is not just inevitable but currently underway.


Conclusion

• Unless we address these issues now, we are headed for a digital disaster!

– The time period from vulnerability identification until the appearance of exploitation has been reduced to near zero. We can no longer accept the exposure of vulnerabilities missed in the development and quality processes that create opportunities for cyber-terrorists and cyber-criminals to disrupt the information that has become the lifeblood of our society.

– The solution will have to include regulations, new technology and education!


APPENDIX


Bio

• Kevin G. Coleman is a seasoned technology strategist with nearly two decades of experience. He brings with him a unique perspective on global risk management and security issues. Formerly the Chief Strategist of Netscape, he has also worked for leading consulting organizations such as Deloitte & Touche and Computer Sciences Corporation. During his career he has personally briefed fifteen executives from the Global 100 and nearly 400 CEOs worldwide as well as numerous government leaders. He is a strategic advisor to multiple companies and holds several board positions. Additionally, he has briefed both members of the House and the Senate on issues surrounding information security, protection and privacy. He has published more than thirty feature-length articles on technology for homeland security and international intelligence and was quoted in Business Week and Washington Technology Magazine on Net Centric Warfare. He holds three technology-related patents and received six product design awards. In 1998 he was nominated for the Presidential Medal for Technology. Currently, he is a Strategic Advisor and Senior Fellow at the Technolytics Institute where he advises clients in the public and private sectors.


Definitions

• Cyber-Terrorism
  – The FBI definition of terrorism:
    • "The unlawful use of force or violence against persons or property to intimidate or coerce a government, the civilian population, or any segment thereof, in furtherance of political or social objectives."
  – U.S. Department of State definition of terrorism:
    • "Premeditated politically motivated violence perpetrated against noncombatant targets by sub-national groups or clandestine agents"
• Cyber-Crime
  – Cyber crime encompasses any criminal act dealing with computers and networks. Additionally, cyber-crime also includes traditional crimes conducted through the Internet.
    • Example: hate crimes, wire fraud, identity theft, credit card account thefts, extortion, espionage, and electronic trespass are all considered to be cyber-crimes when the illegal activities are committed through the use of a computer and the Internet.