Finding IT's Achilles Heels
However, Skroch, manager of IORTA's Red Teams, said the critics are off base. "My immediate reaction to [Kohlmann's] assertions is that he may have limited information, not being on the inside," Skroch told eWEEK.

Another critic, Gabriel Weimann of the U.S. Institute of Peace, wrote in a December 2004 special report that "the potential threat, indeed, is very alarming. And yet, despite all the gloomy predictions, no single instance of real cyber-terrorism has been recorded.

"Psychological, political, and economic forces have combined to promote the fear of cyber-terrorism. This raises the question: Just how real is the threat?"

Rest assured, Sandia (and several hundred clients) believes the threat is real. Red Team members search for vulnerabilities in IT infrastructures and find solutions or patches before a cyber-terrorist abuses the weakness. This practice is referred to as "red teaming."

"Our experience has shown that one fixed methodology is insufficient to properly assess a given system, component or scenarios," Skroch said. "We have a spectrum of assessment methodologies and assessment types that we apply as needed to most efficiently meet customer goals and provide consistent, measurable and actionable results."

IORTA claims there are eight natural categories of red teaming that are combined to drive all their assessments, from high-level evaluation of risk through sophisticated analysis. The eight categories are design assurance, hypothesis testing, benchmarking, behavioral red teaming, gaming, operational red teaming, penetration testing and analytic red teaming. One type or a combination of types is selected to achieve optimum results for a Red Team sponsor. The IORTA process and its subprocesses were composed and refined from those developed at Sandia over its 50-year history of design-assess techniques.
The Red Teams also use external techniques such as fault trees and event trees; processes such as the COBIT (Control Objectives for Information and related Technology, a standard framework for information security) governance framework; and tools such as open-source computer and network security tools that are appropriate for a given assessment. They refine their own techniques through continued R&D activities, Skroch said.

One recent example was a request from the Environmental Protection Agency to assess IT system security at all water distribution plants in the United States that serve more than 100,000 people. Theoretically, a local or regional water system could be compromised via a Trojan horse or another attack and be forced to add an incorrect measurement of chemicals to untreated water, for example an amount far above the maximum safety zone. The resulting excess could poison the water.

But, "When we looked into this, we said, Whoa, we can't do that," Skroch said. "There was no way we could visit and assess all 350 such facilities.

"So we selected five key systems, including [the Washington Aqueduct], and produced our normal detailed assessments. From that, we distilled our methodology into an audit-type assessment tool called [Risk Assessment Methodology for Water, or RAM-W] that could be performed by the infrastructure owners once they received basic training on the process.

"We developed the core training and transferred that to [the] industry so they could train the 350 sites."

For example, since 9/11, security procedures at the Washington Aqueduct have been under new review and evaluation based on guidance and directives from the DHS and the Sandia Red Teams. "As a result, [the] aqueduct now has strengthened its guards against intrusion [including computer hacking], and we have increased our vigilance," an aqueduct spokesperson said. "Our security program uses a systems approach with controls on physical access, chemical storage and operational systems to safeguard the water."
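The article names fault trees as one of the external techniques the Red Teams draw on and sketches the water-plant dosing scenario. The following added example (not IORTA's, Sandia's or RAM-W's own method, and not code from the article) shows what a small fault-tree evaluation of that scenario looks like from the defender's side: the top event "unsafe chemical dose reaches the water" requires a bad setpoint (from a Trojan on the operator console or an operator mistake) and the failure of both downstream barriers, a dosing hard limit and a high-dose alarm. All event names and probabilities are constructed for illustration. The block computes the top-event probability, enumerates the minimal cut sets, and ranks which single barrier improvement would cut the risk most.

```python
"""Fault-tree evaluation of a constructed water-treatment dosing scenario.

Added illustration, not IORTA's or Sandia's method. Models the article's
hypothetical: a compromised or mistaken setpoint only reaches the water
if the dosing hard limit and the high-dose alarm both fail as barriers.
All event names and probabilities below are constructed for the example.
"""
from dataclasses import dataclass
from itertools import product
from typing import Dict, FrozenSet, Set, Tuple, Union


@dataclass(frozen=True)
class Basic:
    """A basic event (leaf) of the fault tree, identified by name."""
    name: str


@dataclass(frozen=True)
class Gate:
    """An AND/OR gate combining child nodes."""
    kind: str                     # "AND" or "OR"
    inputs: Tuple["Node", ...]


Node = Union[Basic, Gate]


def AND(*inputs: Node) -> Gate:
    return Gate("AND", tuple(inputs))


def OR(*inputs: Node) -> Gate:
    return Gate("OR", tuple(inputs))


def probability(node: Node, probs: Dict[str, float]) -> float:
    """Top-event probability, assuming basic events are independent."""
    if isinstance(node, Basic):
        return probs[node.name]
    ps = [probability(child, probs) for child in node.inputs]
    if node.kind == "AND":
        p = 1.0
        for x in ps:
            p *= x
        return p
    q = 1.0                        # OR: 1 - prod(1 - p_i)
    for x in ps:
        q *= 1.0 - x
    return 1.0 - q


def cut_sets(node: Node) -> Set[FrozenSet[str]]:
    """Every set of basic events sufficient to cause the node's event."""
    if isinstance(node, Basic):
        return {frozenset([node.name])}
    child_sets = [cut_sets(child) for child in node.inputs]
    if node.kind == "OR":          # any one child's cut set suffices
        return set().union(*child_sets)
    result: Set[FrozenSet[str]] = set()
    for combo in product(*child_sets):   # AND: one cut set from each child
        result.add(frozenset().union(*combo))
    return result


def minimal_cut_sets(node: Node) -> Set[FrozenSet[str]]:
    """Cut sets with no proper subset that is itself a cut set."""
    sets = cut_sets(node)
    return {s for s in sets if not any(other < s for other in sets)}


def risk_reduction_worth(node: Node, probs: Dict[str, float]) -> Dict[str, float]:
    """Top-event probability if each basic event in turn were made impossible.

    The events whose removal lowers the top probability most are where a
    control (patching, a hardened interlock, alarm response) pays off most.
    """
    result = {}
    for name in probs:
        trial = dict(probs)
        trial[name] = 0.0
        result[name] = probability(node, trial)
    return result


# Constructed tree for the article's scenario (names and numbers are illustrative).
BAD_SETPOINT = OR(Basic("trojan_on_hmi"), Basic("operator_setpoint_error"))
HARD_LIMIT_FAILS = OR(Basic("hard_limit_disabled"), Basic("hard_limit_tampered"))
UNSAFE_DOSE = AND(BAD_SETPOINT, HARD_LIMIT_FAILS, Basic("high_dose_alarm_ignored"))

PROBS = {                          # assumed per-year probabilities, constructed
    "trojan_on_hmi": 0.05,
    "operator_setpoint_error": 0.10,
    "hard_limit_disabled": 0.02,
    "hard_limit_tampered": 0.01,
    "high_dose_alarm_ignored": 0.20,
}

if __name__ == "__main__":
    print("P(unsafe dose) =", probability(UNSAFE_DOSE, PROBS))
    for cs in sorted(minimal_cut_sets(UNSAFE_DOSE), key=sorted):
        print("minimal cut set:", sorted(cs))
    ranked = sorted(risk_reduction_worth(UNSAFE_DOSE, PROBS).items(), key=lambda kv: kv[1])
    for name, p in ranked:
        print(f"remove {name:26s} -> P = {p:.6f}")
```

With the constructed numbers the tree yields four minimal cut sets, each needing three simultaneous failures, and the ranking shows the alarm-response barrier as the single point whose removal from the failure space zeroes the top event; among the setpoint sources, the operator-error path contributes more than the Trojan path, which is the kind of result an assessment like RAM-W is meant to surface so that owners can direct limited effort at the barriers that matter.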
"Not being inside the [anti-cyber-terrorist] group, he wouldn't be able to see exactly what they were seeing. There is a great deal of sensitive information that is never made public."