Finding IT's Achilles Heels

By Chris Preimesberger | Posted 2006-09-03

However, Skroch, manager of IORTA's Red Teams, said the critics are off base.

"My immediate reaction to [Kohlmann's] assertions is that he may have limited information, not being on the inside," Skroch told eWEEK.

"Not being inside the [anti-cyber-terrorist] group, he wouldn't be able to see exactly what they were seeing. There is a great deal of sensitive information that is never made public."

Another critic, Gabriel Weimann of the U.S. Institute of Peace, wrote in a December 2004 special report that "the potential threat, indeed, is very alarming. And yet, despite all the gloomy predictions, no single instance of real cyber-terrorism has been recorded.

"Psychological, political, and economic forces have combined to promote the fear of cyber-terrorism. This raises the question: Just how real is the threat?"

Finding IT's Achilles Heels

Rest assured, Sandia (and several hundred clients) believes the threat is real. Red Team members search for vulnerabilities in IT infrastructures and find solutions or patches before a cyber-terrorist can abuse the weakness. This practice is referred to as "red teaming."

"Our experience has shown that one fixed methodology is insufficient to properly assess a given system, component or scenario," Skroch said.

"We have a spectrum of assessment methodologies and assessment types that we apply as needed to most efficiently meet customer goals and provide consistent, measurable and actionable results."

IORTA claims there are eight natural categories of red teaming that are combined to drive all their assessments, from high-level evaluation of risk through sophisticated analysis. The eight categories are design assurance, hypothesis testing, benchmarking, behavioral red teaming, gaming, operational red teaming, penetration testing and analytic red teaming.

One type or a combination of types is selected to achieve optimum results for a Red Team sponsor.

The IORTA process and its subprocesses were composed and refined from those developed at Sandia and its 50-year history of design-assess techniques.

The Red Teams also use external techniques such as fault trees and event trees, processes such as the COBIT governance framework (Control Objectives for Information and related Technology, a standard framework for information security), and tools such as open-source computer and network security tools that are appropriate for a given assessment.

They refine their own techniques through continued R&D activities, Skroch said.

One recent example was a request from the Environmental Protection Agency to assess IT system security at all water distribution plants in the United States that serve more than 100,000 people.

Theoretically, a local or regional water system could be compromised via a Trojan horse or another attack and be forced to add an incorrect measurement of chemicals to untreated water, for example an amount far above the maximum safety zone. The resulting excess could poison the water.
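The fault trees mentioned above are how a scenario like this gets quantified. The following is an added example, not Sandia's, IORTA's or RAM-W code: it evaluates a small constructed fault tree for an unsafe chemical dose, with assumed event names and probabilities, and returns both the top-event probability and the minimal cut sets that tell a plant owner which combinations of failures a control must break.

```python
from itertools import product

# Added example, not Sandia/IORTA code: a small fault-tree evaluator applied
# to the dosing scenario. The tree, event names and probabilities below are
# constructed for illustration, not taken from any real assessment.
# A node is a basic event (str) or a gate: ("AND" | "OR", [children]).
# Top event: an unsafe chemical dose reaches distribution. It requires a bad
# setpoint to be issued AND the independent dosing interlock to fail.
TOP = ("AND", [
    ("OR", ["malware_on_hmi", "stolen_operator_credentials"]),  # bad setpoint
    ("OR", ["interlock_disabled", "dose_sensor_fault"]),        # interlock fails
])

# Constructed per-year probabilities of each basic event (assumed independent).
P = {"malware_on_hmi": 0.05, "stolen_operator_credentials": 0.02,
     "interlock_disabled": 0.01, "dose_sensor_fault": 0.03}

def basic_events(node):
    if isinstance(node, str):
        return {node}
    return set().union(*(basic_events(c) for c in node[1]))

def evaluate(node, state):
    """True if the node occurs, given truth values for every basic event."""
    if isinstance(node, str):
        return state[node]
    gate, children = node
    results = [evaluate(c, state) for c in children]
    return all(results) if gate == "AND" else any(results)

def failing_states(node):
    """Every assignment of basic events under which the top event occurs."""
    events = sorted(basic_events(node))
    for truth in product([False, True], repeat=len(events)):
        state = dict(zip(events, truth))
        if evaluate(node, state):
            yield state

def top_event_probability(node, probs):
    """Exact top-event probability, summing over all failing assignments."""
    total = 0.0
    for state in failing_states(node):
        p = 1.0
        for event, occurred in state.items():
            p *= probs[event] if occurred else 1.0 - probs[event]
        total += p
    return total

def minimal_cut_sets(node):
    """Smallest event combinations that alone cause the top event; these are
    where a red team's findings translate into the controls worth adding."""
    cuts = {frozenset(e for e, t in s.items() if t) for s in failing_states(node)}
    return sorted((c for c in cuts if not any(o < c for o in cuts)), key=sorted)
```

With the constructed numbers the top event comes out near 0.27% per year, and every minimal cut set pairs one setpoint-path event with one interlock-path event, which is the argument for keeping the interlock independent of the control network.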


But, "When we looked into this, we said, Whoa, we can't do that," Skroch said. "There was no way we could visit and assess all 350 such facilities.

"So we selected five key systems, including [the Washington Aqueduct], and produced our normal detailed assessments. From that, we distilled our methodology into an audit-type assessment tool called [Risk Assessment Methodology for Water, or RAM-W] that could be performed by the infrastructure owners once they received basic training on the process.

"We developed the core training and transferred that to [the] industry so they could train the 350 sites."

For example, since 9/11, security procedures at the Washington Aqueduct have been under new review and evaluation based on guidance and directives from the DHS and the Sandia Red Teams.

"As a result, [the] aqueduct now has strengthened its guards against intrusion [including computer hacking], and we have increased our vigilance," an aqueduct spokesperson said.

"Our security program uses a systems approach with controls on physical access, chemical storage and operational systems to safeguard the water."

