Thinking Like a Terrorist

The latest strategies IT managers are considering to protect their infrastructures from possible attacks go well beyond computer hardware.

Since Sept. 11, the scenario building has led security-conscious users down three distinct paths: securing facilities, data and, especially, people.

With mirrored facilities and data backups offering protection from outright attacks on buildings, the focus has shifted to the sorts of assaults with which users are more familiar—viruses and denial-of-service attacks—as well as more subtle attacks, such as infiltrating a large company with data saboteurs.

Social hacking, as it is called, is far easier than most companies are willing to admit, said Christopher Leach, a partner with accounting company Grant Thornton LLP, in Chicago, which performs security audits for clients. In a test for one client, Leach pretended to be a worker returning from a coffee run. With both hands full, carrying two dozen doughnuts and coffee, he requested help opening a door leading to a secure floor and got it from an unsuspecting worker. "They didn't know me from Adam," he said.

Another social hacking ruse is to call in pretending to be the spouse of a sick employee who has security clearance and request a password on behalf of the spouse. Leach tried this successfully at a different company. "Both companies had policies in place, but they weren't paying attention," he said.

"You have to make sure that everyone is checked in and checked out, including vendors and consultants," said Paul Tinnirello, executive vice president for a leading information provider in the financial services industry and an eWeek columnist.

"Sixty to 70 percent of attack vulnerability resides in the people area," said John McCarthy, director of critical infrastructure services at KPMG, in Washington. McCarthy also said that most social hacking breaches are a result of not following correct procedures. "It has to do with people putting passwords on sticky notes and putting passwords into e-mail traffic," he said.

Although dealing with hack attacks and viruses has become commonplace, many companies are more alert to these threats in the wake of Sept. 11. "I asked my staff, How does someone get into this company electronically? I want to shut all the windows and doors," Tinnirello said.

Some of the proposed solutions can be Draconian. "The most obvious thing to do is to shut down your e-mail system and use it only for internal use," Tinnirello said. He also suggested that companies might consider shutting down Internet surfing by employees.

"Nimda scared the living daylights out of us. It was just a nuisance infection that had a salvo of four or five viruses in one," said Tinnirello. "Destructive variants are a given."

While experts remain vigilant for new virus strains, Leach recommends strictly adhering to the practices of keeping virus scanning software up-to-date and making sure backups are done.