Gartner - Forensics


Page 1: Gartner - Forensics

8/9/2019 Gartner - Forensics

http://slidepdf.com/reader/full/gartner-forensics 1/11

'Digital Pearl Harbor': Defending Your Critical Infrastructure

4 October 2002 | ID: LE-18-4077

Gartner and the U.S. Naval War College held a war game to examine scenarios for cyberattacks on national critical infrastructure. Participants came away with a vivid sense of what cyberterrorism could do.

ARCHIVE: This research is provided for historical perspective; portions of this document may not reflect current conditions.

Analyst(s): French Caldwell | Richard Hunter


Analysis

In July 2002, Gartner and the U.S. Naval War College hosted a three-day, seminar-style war game called "Digital Pearl Harbor" (DPH). Gartner analysts and national security strategists gathered in Newport, Rhode Island, with business and IT leaders from enterprises that control parts of the national critical infrastructure. Our objective was to develop a scenario for a coordinated, cross-industry cyberterrorism event.

Results of a post-game survey indicate that the DPH game experience had a profound impact on the participants: 79 percent of the gamers said that a strategic cyberattack is likely within the next two years.

DPH participants played the roles of terrorists, devising coordinated attacks against four national critical infrastructure areas: the electrical power grid, financial service systems, telecommunications and the Internet. Their goal was to determine if a cyberattack could create a crisis of confidence that would shift the strategic balance of power, at least temporarily. Since the game did not test defenses against cyberterrorism, the questions of whether a real attack would achieve the goals set in the game and how much economic damage it would cause are still open.

The question as to whether cyberterrorism is a realistic threat is resolved. DPH skeptics abound, of course, and level many criticisms, but two criticisms stand out.

The first criticism is that by engaging in this type of exercise, we are opening Pandora's box, showing those with malicious intent what could be done. Good point, but before we started, we ran this issue by national security officials, and as one of those officials succinctly put it: "The bad guys already have the knowledge of these systems, and they know what they are going to do." The purpose of the DPH game was to get inside the opponents' heads. All of the data and information created in the DPH game underwent a national security review before we published our analyses.

The second criticism is that there are no new lessons to be learned from the DPH game. Good point, and really a very daunting criticism. Yet, how often do we hear from these same critics: "If only enterprises (or users) would follow good IT security practices ..." But good practices are very difficult to follow. How many readers have ever installed a new operating system or application on their home PC, only to spend the next several days trying to get the PC to work again? Multiply that experience by thousands when you are talking about enterprises installing new applications, security patches and system connections on hundreds or thousands of servers, mainframes and PCs. Preventing such downtime requires deliberate, linear steps that take time, people and money. DPH-type exercises help identify the threats, improve risk management processes and, in turn, prioritize resources for IT security activities. As one military commander put it: "We must shoot the closest wolf first."

Nevertheless, the skeptics have history on their side (as do all Luddites at the dawn of a new era): there has never been a cyberterrorism event. Or has there? Electrical power grid failures in some parts of the world, such as Western India, are so common that tampering with the grid to test cyberattacks could go unnoticed. This path leads to conspiracy theory oblivion, which is one of the reasons we ran the DPH game: determine what is really possible by a cyberattack.

Even skeptics of a DPH-type attack must acknowledge that our enterprises are under small-scale cyberattacks every day; hence, we are confident most readers will find our analyses of the DPH war game at least somewhat useful and very interesting.

Featured Research

"'Digital Pearl Harbor' War Game Explores 'Cyberterrorism'" By French Caldwell, Richard Hunter and John Bace

"Security Best Practices Will Do Most to Foil Cyberterrorists" By Paul Schmitz, John Mazur and Rich Mogull

"Cyberterror Poses Growing Threat to Financial Services" By John Bace, Annemarie Earley, Vincent Oliva and David Furlonger

"Utilities Should Upgrade the Security of Their Operations" By John Dubiel, Kristian Steenstrup and Paul Pechersky

"Prepare for Cyberattacks on the Power Grid" By John Dubiel, Kristian Steenstrup and Paul Pechersky


"Telecom Is Secure but Not a Cause for Complacence" By David Fraley and Ron Cowles

"Could Terrorists Bring Down the Public Switched Telephone Network?" By David Fraley and Ron Cowles

Recommended Reading and Related Research

"Force Vendors to Make Software More Secure" By Arabella Hallawell and Rich Mogull

"Cyberattacks and Cyberterrorism: What Private Business Must Know" (www.gartnerg2.com/qa/qa-0902-0091.asp) By Rich Mogull and Richard Hunter

"Dealing With Cyberterrorism: A Primer for Financial Services" (www.gartnerg2.com/qa/qa-1002-0104.asp) By David Furlonger

"Terrorists Could Hijack the Internet" By Ron Cowles and John Mazur

Financial Services Providers Must Better Report Cybercrime

5 November 2004 | ID: G00124797

The recent U.S. Secret Service arrest of alleged cybercriminals shows why financial service companies must proactively disclose cybercrimes to consumers affected.

Analyst(s): Avivah Litan | Richard Hunter

News Analysis

Event

On 29 October 2004, the U.S. Secret Service announced it had arrested 28 members of an alleged cybercrime ring. The suspects, from eight U.S. states and six countries, have been charged with identity theft, computer fraud, credit card theft and conspiracy.

Analysis

Authorities say that the members of this alleged crime ring stole 1.7 million credit card numbers with financial losses estimated at $4.3 million. This translates into slightly more than $2.50 of fraud per stolen card number. Although this number is plausible (credit card thieves sometimes charge small amounts to large numbers of cards), Gartner doesn't believe the official reports give the entire picture.

Card acceptors often won't process charges of less than $10 because the cost of processing exceeds the profit. Also, of the 1.7 million card numbers the thieves allegedly stole, they likely used only a small number of them to perpetrate big frauds, since fraud-detection software protects most credit card transactions.

Who notifies consumers that their cards have been stolen when there have been no illegal transactions using those stolen cards? Most of the time, card issuers don't tell consumers when their cards are stolen unless it results in a theft. The issuers reason that they don't know whether the card theft will ever result in fraud, and that it costs too much (about $10) and poses too much inconvenience to close an account and issue a new card. But the stolen card information will likely be used one day to commit either new account fraud or card fraud. Consumers would be better protected if they knew their card number had been stolen.

Very few credit card thefts end in arrests. According to Gartner's April 2004 survey of 5,000 online consumers, only 4 percent of credit card thefts affecting consumers resulted in an arrest. But even when it does, as in this case, unaffected consumers likely won't find out about it until it's too late.

Recommendation: Financial service providers should proactively notify consumers about card theft. This will prevent later theft and will protect consumers from other forms of identity theft fraud that use the stolen card number but don't necessarily result in illegal credit card use.


Training Is Necessary but not Enough to Fight Cybercrime

4 December 2001 | ID: FT-15-0466

French Caldwell

A deal with Computer Sciences Corp. will provide the U.S. Department of Defense with cybercrime-fighting training, but the government should take at least three other steps to combat hackers and cyberterrorists.

News Analysis

Event

On 28 November 2001, the U.S. General Services Administration (GSA) announced it had awarded Computer Sciences Corp. (CSC) an eight-year, $86.8 million task order, under GSA's Federal Technology Service Millennia contract, to train U.S. Department of Defense employees in investigating and preventing cybercrime.

Analysis

This award to CSC represents at least a 50 percent increase in annual global spending on cybercrime investigations. As the Web has changed the economics of business, it has changed the economics of crime. The Web offers criminals a vastly expanded range of opportunities for criminal activity. In previous research, Gartner has stated that securing the safety of citizens, businesses and national institutions from criminal, terrorist or military threats will require focused investment to enable law enforcement and the military to assess and respond to Internet threats. As of March 2001, the total budget for cybercrime investigations across all nations did not exceed $20 million annually, a serious underfunding of cybercrime competencies in government. About one-half of global law enforcement spending aimed specifically at investigating computer crime was spent in the United States, as most national governments spend negligible amounts preparing for the cybercrime threat.

Significantly, the money in the GSA/CSC deal goes entirely to developing skills and competencies. With it, the Defense Department becomes a leader in fighting cybercrime. The training will include computer search and seizure, computer intrusions and forensic computer media analysis. As other federal agencies follow the Defense Department's lead, the federal government must still do the following in its fight against cybercrime:

- Further train the prosecuting attorneys and judges as well as the investigators who pursue cybercrooks.

- Accelerate the development of international institutions to enforce laws in a man-made environment that has no geographic or political boundaries (i.e., the Web); the cybercrime treaty developed with the Council of Europe makes a good start.

- Improve information and knowledge management for a national alert and response capability against military, criminal and terrorist threats targeting U.S. critical infrastructure.

Data Encryption Not Enough to Prevent FTP Credential Theft

6 July 2009 | ID: G00169584

L. Frank Kenney | Peter Firstbrook

The reported theft of 88,000 FTP credentials reaffirms that using SSL technologies or encrypting the payload is not enough to secure managed file transfer solutions and avoid regulatory and compliance audits.

News Analysis

Event

On 26 June 2009, security researchers at the security tool vendor Prevx announced they had uncovered a cache of stolen FTP credentials belonging to a variety of corporations, including Symantec, McAfee, Bank of America, Amazon and Cisco Systems. Prevx claims that a trojan stole approximately 88,000 unencrypted FTP logins. The company has set up a page where users can check whether their logins have been compromised, at http://www.prevx.com/ftplogons.asp.

Analysis

Companies are becoming increasingly aware of the risks posed by transmitting data over nonsecure or unmanaged FTP solutions. The FTP credential theft reaffirms that simply using SSL technologies or encrypting the payload is not enough to ensure secure FTP. Malware such as the Zeus trojan is capable of stealing and exporting SSL credentials and exploiting FTP servers as distribution points for malware. Compromised Web sites already serve as a prime channel for distributing malware to unsuspecting Web site visitors. The FTP focus of this attack indicates that Internet-facing FTP servers may be the next target.

In this particular case, it is not clear that the credentials were actually used; nevertheless, the fact that attackers were able to access an FTP site poses sufficient risk. Gaining access to the FTP server enables attackers to host malware on a legitimate, trusted resource. Crafty social engineering of file names (for example, naming the malware "Executive salary.exe") would be enough to ensure that users downloaded malware into their systems and continued its propagation. Legitimate FTP servers could also become unwitting vehicles for the trafficking of illicit and pirated media, applications and data. Data protection is essential, but the server and users' credentials must also be safeguarded. The attraction of a simple, easy-to-use FTP site should not outweigh security considerations, particularly when a plethora of security technologies is available, ranging from low-cost and downloadable to global-class solutions, such as Axway's Synchrony, Group Logic's Mass Transit and Ipswitch's MOVEit.

Recommendations

Enterprises: If you have deployed an FTP site that handles high-value data or application areas without proper mechanisms for managed and secure file transfer, data at rest, and file server and client administration, immediately consider deploying a managed file transfer solution with appropriate data loss protection capabilities. Data encryption is mandatory, but is not the end of your responsibilities with regard to file transfer. Consider placing FTP servers behind secure Web gateways to monitor FTP traffic for the upload and download of malicious applications.
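The traffic monitoring the recommendation above calls for, as an added example that is not part of the Gartner note or of any vendor product it names: a Python scanner over constructed xferlog-format FTP transfer records that flags uploads of executables, including the document-named lure ("Executive salary.exe") the analysis describes. Field positions follow the standard xferlog layout; the extension sets and lure words are assumed, illustrative heuristics.

```python
"""Scan FTP transfer logs (xferlog format) for suspicious uploads.

Added illustration of the note's recommendation to monitor FTP traffic for
malicious applications. All log lines below are constructed samples; the
lure words and extension lists are illustrative heuristics, not from Prevx.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# xferlog layout: 5 date tokens, transfer-time, remote-host, file-size,
# <filename, which may contain spaces>, then 9 fixed trailing fields
# (transfer-type, special-action, direction, access-mode, username,
# service-name, auth-method, auth-uid, completion-status).
_LEADING_FIELDS = 8
_TRAILING_FIELDS = 9

EXECUTABLE_EXT = {".exe", ".scr", ".com", ".bat", ".cmd", ".pif", ".vbs", ".js"}
DOCUMENT_EXT = {".pdf", ".doc", ".xls", ".ppt", ".txt"}
LURE_WORDS = re.compile(r"salary|payroll|invoice|report|bonus")  # illustrative


@dataclass
class Transfer:
    remote_host: str
    filename: str
    direction: str  # "i" = upload to the server, "o" = download from it
    username: str
    size: int


def parse_xferlog_line(line: str) -> Optional[Transfer]:
    """Parse one xferlog line; the filename is whatever sits between the
    fixed leading and trailing fields, so spaces in names are preserved."""
    tokens = line.split()
    if len(tokens) < _LEADING_FIELDS + 1 + _TRAILING_FIELDS:
        return None
    trailing = tokens[-_TRAILING_FIELDS:]
    return Transfer(
        remote_host=tokens[6],
        filename=" ".join(tokens[_LEADING_FIELDS:-_TRAILING_FIELDS]),
        direction=trailing[2],
        username=trailing[4],
        size=int(tokens[7]),
    )


def suspicion_reasons(t: Transfer) -> List[str]:
    """Return why an upload looks like planted malware (empty if it does not).
    Only uploads matter: they are what lets someone holding stolen
    credentials turn the server into a trusted distribution point."""
    if t.direction != "i":
        return []
    name = t.filename.rsplit("/", 1)[-1].lower()
    exts = ["." + p for p in name.split(".")[1:]]
    if not exts or exts[-1] not in EXECUTABLE_EXT:
        return []
    reasons = [f"executable upload ({exts[-1]})"]
    if len(exts) > 1 and exts[-2] in DOCUMENT_EXT:
        reasons.append("document extension masking an executable")
    if " " in name or LURE_WORDS.search(name):
        reasons.append("document-like lure name")
    return reasons


def scan(log_text: str) -> List[Tuple[Transfer, List[str]]]:
    hits = []
    for line in log_text.splitlines():
        t = parse_xferlog_line(line)
        if t is not None:
            reasons = suspicion_reasons(t)
            if reasons:
                hits.append((t, reasons))
    return hits


# Constructed sample log: a lure-named executable upload, a benign PDF upload,
# a download of the lure, and a double-extension upload.
SAMPLE_LOG = """\
Sun Jun 28 10:15:02 2009 1 203.0.113.7 61440 /pub/docs/Executive salary.exe b _ i r webadmin ftp 0 * c
Sun Jun 28 10:16:40 2009 3 198.51.100.4 20480 /pub/docs/Q2 report.pdf b _ i r webadmin ftp 0 * c
Sun Jun 28 10:18:11 2009 2 203.0.113.7 61440 /pub/docs/Executive salary.exe b _ o a anonymous ftp 0 * c
Sun Jun 28 10:20:55 2009 1 203.0.113.7 73728 /pub/docs/invoice.pdf.scr b _ i r webadmin ftp 0 * c
"""

if __name__ == "__main__":
    for t, reasons in scan(SAMPLE_LOG):
        print(f"{t.remote_host} ({t.username}) uploaded {t.filename!r}: {'; '.join(reasons)}")
```

Run against a real server's xferlog, the same scan gives the defender an alert on the upload that plants the lure rather than on the downloads that spread it.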

Fraud Case Focuses Unwelcome Attention on Indian Outsourcing

14 April 2005 | ID: G00127241

Frances Karamouzis | Arabella Hallawell

A highly publicized fraud case may make some observers believe that offshore business process outsourcing (BPO) presents special risks. The entire industry ecosystem must act decisively to counter this largely incorrect perception.

News Analysis

Event

On 13 April 2005, MphasiS confirmed to Gartner that 10 people, including four former and one current employee of its BPO unit, MsourcE, had been arrested in India for allegedly misappropriating more than $350,000 from customers of a large U.S. financial institution. The misappropriation allegedly occurred when customers of the financial institution, which outsources certain customer care processes to MsourcE, were inappropriately persuaded to share their passwords over the telephone.

Analysis

Gartner has long predicted that a major fraud case or intellectual-property issue would focus unwelcome attention on the security of offshore outsourcing. Nonetheless, we do not believe that this highly publicized incident will seriously damage the Indian BPO industry. Frauds of this type can happen anywhere, and are just as likely to occur in an insourced or captive center.

Nonetheless, the entire Indian offshore industry ecosystem (including other vendors, the National Association of Software and Service Companies, local law enforcement and the Indian government) must act quickly and decisively to counter the perception that Indian BPO poses a severe security risk.

Gartner believes that in the short term (through YE05) this incident will increase business development cycles for offshore services, leading to a slight decline in signed deals. In the long term, it will likely be seen as a minor event. Security concerns will, however, increase the competitive advantage of the largest, most established providers, which can commit greater resources to security.

Recommendations

- Perform comprehensive security due diligence before outsourcing (onshore or offshore) and consider the cost of such due diligence when making sourcing decisions.

- Assign an individual or group with security expertise to manage security and privacy issues through the entire life cycle of a sourcing agreement.

- Require detailed service-level agreements that focus on specific outsourcing security issues (for example, identity and access management controls, such as time frames for closing dead accounts and access to sensitive data).

- Assess region-specific security risks and special requirements (for example, the difficulty of employee screening or monitoring due to the labor laws or the absence of national credit rating or information databases).

- Establish a corporate communications/public relations plan to explain offshore or outsourcing efforts if an incident occurs.

Develop a Policy for Reporting Cybercrime

10 April 2002 | ID: FT-16-2009

John Pescatore

A survey by the U.S. Federal Bureau of Investigation (FBI) shows firms don't report most cyberattacks to authorities. Enterprises should define when they do need to report attacks.

News Analysis

Event

On 7 April 2002, the FBI and Computer Security Institute released the results of a survey on cybercrime. The survey polled more than 500 U.S. corporations, government agencies and universities. Among the most startling findings, only 34 percent of respondents said they reported cyberattacks to the authorities.

Analysis

For the most part, enterprises will benefit little from reporting cyberattacks to law enforcement. Collection of such statistics may support security vendor advertising and justify the cyberbudgets of law enforcement, but it won't do much for shareholders. Reporting cyberattacks to law enforcement:

- Can result in bad publicity
- Ties up IT personnel to support investigations
- Rarely serves to reduce future attacks

Most hacking attacks are simple experimentation or relatively unsophisticated vandalism. By publicizing susceptibility to these kinds of attacks, enterprises can actually increase the likelihood of more of the same. Although increased enforcement and prosecution of hackers should have a deterrent effect against criminals, it rarely deters sophomoric pranks.

Local and national law enforcement agencies have shown little ability to protect the information of cyberattack victims from further hacking, the discovery requests of defense lawyers or Freedom of Information requests. Enterprises should notify law enforcement of all cyberattacks that:

- Cause tangible loss
- Involve regulations such as the Gramm-Leach-Bliley Act and the Health Insurance Portability and Accountability Act in the United States, and Europe's Data Privacy Directive
- Must be reported under cyberinsurance policies

Corporate legal counsels should develop policies for all other types of cyberincidents to determine beforehand when and how the enterprise should provide attack-related information to law enforcement.

Analytical Source: John Pescatore, Information Security Strategies

Written by Dean Lombardo, Gartner News

Need to Know: Related Research and Recommended Reading

- "Information Security Policies" (DF-15-2327). Enterprises should establish enterprisewide definitions of information security requirements and a baseline set of information security policies. By Roberta Witty

- "Internet Vulnerability Risk Rating Methodology" (TU-14-9003). Provides a simple method for classifying and prioritizing software security vulnerabilities. By John Pescatore

Financial Service Providers: How to Initially Respond to Tragedy

11 September 2001 | ID: FT-14-4959

Richard J. De Lotto | David Furlonger | Susan Landry | Vincent Oliva | David Schehr | Frank W. Schlier

As financial services providers begin their recovery and ensure the continuity of operations, they should also prepare for the possibility that cyberterrorism and market manipulation could follow these attacks.

News Analysis

Event

On 11 September 2001, a series of attacks destroyed or damaged a number of prominent targets in the United States, including the World Trade Center in New York City's financial district. Financial markets in the Americas suspended trading immediately after the attack.

Analysis

The devastating attack on New York's World Trade Center was a symbolic blow against financial powers. However, it will also have a clear and dramatic worldwide impact on financial institutions and markets. Financial services providers (FSPs) must accept that events such as these are likely to be a permanent part of the new world, and prepare to survive them. It is important to remember that these attacks are a wave of physical strikes. FSPs must plan for other possibilities that include cyberterrorism and market manipulation.

Many FSPs, like businesses in every industry, are reeling from the tragic personal toll associated with this attack. Nonetheless, they must find ways to respond, compassionately yet effectively. After attending to the most essential task (assessing the human costs of the event, and ensuring that employees and their families are offered any possible assistance), these FSPs should take steps to begin their recovery and ensure the continuity of their operations.

Gartner recommends that FSPs take the following steps:

- Assemble key staff, preferably "virtually," in dispersed locations, to avoid concentrating them in the event of further attack (as President George W. Bush did in assembling a virtual National Security Council meeting after the attack), to ensure that recovery plans can be developed and executed.

- Assess who remains with the enterprise on a global basis, i.e., who can take over the operational responsibilities of those who may have been directly or indirectly impacted by the attack.

- Begin simultaneous discussions with their peer enterprises which, in the short term, can help support business operations, as well as mitigate the market effects of this event, as permitted by law.

Despite the terrible human impact of these events, Gartner urges FSP decision-makers not to panic, and to stay the course. Although the financial markets and the United States will be uncertain following these events, a number of governmental and regulatory bodies have taken steps to mitigate market impact: The U.S. Federal Reserve Board has taken measures to ensure continued liquidity in the market, and the Organization of Petroleum Exporting Countries has promised uninterrupted supplies of oil. Historically, the capital markets have rebounded following outbreaks of war and other such events. Most important, the financial markets are now too global and too interconnected for events of this kind to damage them irreparably.

Nonetheless, FSPs should be concerned with the continuing human and operational effects of these events, and with the possibility that they are only the first wave of attacks. FSPs should also be concerned about the possibility of a wave of cyberterrorist attacks, and about market manipulation, whether premeditated or opportunistic, following these events. The most important measures FSPs can take under these circumstances will be to restore effective communication and sound management. FSPs should also plan for further human and organizational issues as a result of such attacks.

As always, Gartner's Financial Services analysts stand ready to assist enterprise decision makers in assessing and responding to these events.

Analytical Sources: Richard De Lotto, David Furlonger, Susan Landry, Vincent Oliva, David Schehr and Frank Schlier, Financial Services Delivery Systems

Written by Terry Allan Hicks, gartner.com