Thinking Like a Terrorist

By Stan Gibson  |  Posted 2001-10-22 Print this article Print

The latest strategies IT managers are considering to protect their infrastructures from possible attacks go well beyond computer hardware.

The latest strategies IT managers are considering to protect their infrastructures from possible attacks go well beyond computer hardware. Since Sept. 11, the scenario building has led security-conscious users down three distinct paths: securing facilities, data and, especially, people.
With mirrored facilities and data backups offering protection from outright attacks on buildings, the focus has shifted to the sorts of assaults with which users are more familiar—viruses and denial-of-service attacks—as well as more subtle attacks, such as infiltrating a large company with data saboteurs.
Social hacking, as it is called, is far easier than most companies are willing to admit, said Christopher Leach, a partner with accounting company Grant Thornton LLP, in Chicago, which performs security audits for clients. In a test for one client, Leach pretended to be a worker returning from a coffee run. With both hands full, carrying two dozen doughnuts and coffee, he requested help opening a door leading to a secure floor and got it from an unsuspecting worker. "They didnt know me from Adam," he said. Another social hacking ruse is to call in pretending to be the spouse of a sick employee who has security clearance and request a password on behalf of the spouse. Leach tried this successfully at a different company. "Both companies had policies in place, but they werent paying attention," he said. "You have to make sure that everyone is checked in and checked out, including vendors and consultants," said Paul Tinnirello, executive vice president for a leading information provider in the financial services industry and an eWeek columnist. "Sixty to 70 percent of attack vulnerability resides in the people area," said John McCarthy, director of critical infrastructure services at KPMG, in Washington. McCarthy also said that most social hacking breaches are a result of not following correct procedures. "It has to do with people putting passwords on sticky notes and putting passwords into e-mail traffic," he said. Although dealing with hack attacks and viruses has become commonplace, many companies are more alert to these threats in the wake of Sept. 11. "I asked my staff, How does someone get into this company electronically? I want to shut all the windows and doors," Tinnirello said. Some of the proposed solutions can be Draconian. "The most obvious thing to do is to shut down your e-mail system and use it only for internal use," Tinnirello said. He also suggested that companies might consider shutting down Internet surfing by employees. "Nimda scared the living daylights out of us. It was just a nuisance infection that had a salvo of four or five viruses in one," said Tinnirello. "Destructive variants are a given." While experts remain vigilant for new virus strains, Leach recommends strictly adhering to the practices of keeping virus scanning software up-to-date and making sure backups are done.
Stan Gibson is Executive Editor of eWEEK. In addition to taking part in Ziff Davis eSeminars and taking charge of special editorial projects, his columns and editorials appear regularly in both the print and online editions of eWEEK. He is chairman of eWEEK's Editorial Board, which received the 1999 Jesse H. Neal Award of the American Business Press. In ten years at eWEEK, Gibson has served eWEEK (formerly PC Week) as Executive Editor/eBiz Strategies, Deputy News Editor, Networking Editor, Assignment Editor and Department Editor. His Webcast program, 'Take Down,' appeared on He has appeared on many radio and television programs including TechTV, CNBC, PBS, WBZ-Boston, WEVD New York and New England Cable News. Gibson has appeared as keynoter at many conferences, including CAMP Expo, Society for Information Management, and the Technology Managers Forum. A 19-year veteran covering information technology, he was previously News Editor at Communications Week and was Software Editor and Systems Editor at Computerworld.

Submit a Comment

Loading Comments...
Manage your Newsletters: Login   Register My Newsletters

Rocket Fuel