Cyberattacks: Prepare Your Enterprise Now

A significant increase in cyberattacks is likely to follow the events of 11 September 2001. Enterprises must understand this threat and take action to limit their vulnerabilities.

Experience shows that disasters are usually followed by an increase in criminal activities, including looting, fraud, acts of revenge and subsequent incidents; the aftermath of the 11 September terrorist attacks is unlikely to be an exception. As enterprises work to respond to these devastating events, they must prepare for a global increase in "cyberattacks" that will threaten their online systems.

Tactical Guidelines

Enterprises should immediately take the following security measures to counter the increased threat of cyberattack:

• Increase the enterprise's overall security posture. Place internal cyberincident response teams (CIRTs) on alert, and aggressively monitor Internet activity on all systems. Evaluate established security plans in light of recent events, and update as needed. If no CIRT exists, consider forming one or contracting with an external provider to evaluate systems. Define how the enterprise will notify and interact with law enforcement or other government agencies in the event of an attack (if this has not already been done).
• Evaluate and test physical security procedures, including access to facilities and interaction with electronic systems. Response to bomb threats — which may be received via e-mail, instant messaging or traditional sources — should be included in the evaluation. Review procedures for performing background checks: These checks should be conducted, at minimum, on individuals with access to key information and resources (e.g., e-commerce servers). Certain types of enterprises may require more-detailed checks, or checks on all employees. Remember that some low-level or contract staff (e.g., cleaners) may have access to all physical premises and the systems in them.
• Ensure that critical decision makers and the CIRT have multiple communication methods available to them. They should not have to depend on telephone service (landline or wireless), e-mail or any single communications method. Ensure that contact information (e.g., telephone numbers and e-mail addresses) is up-to-date and appropriately distributed.
• Immediately update all systems with current security patches. Remember that even a desktop computer can be used to compromise servers or launch internal and external attacks. Preparations should include remote laptops and home computers with virtual private network (VPN) access; remote users should be given simple procedures to follow to update their systems.
• Update virus signatures daily or more frequently. Scan for viruses at the firewall or server; do not depend on synchronization of the signature files of desktops and laptops. Perform full scans on all systems, using the latest signatures, to ensure that they are not already infected. Remember that many users may manually shut down their scans if they are executed during working hours.
• Initiate vulnerability assessments, including penetration testing. These assessments must be performed by trained security professionals, not overtaxed systems administrators. The enterprise's security program should include vulnerability assessment and penetration testing as part of its regular procedure.
• Disable all inactive accounts. Examine user account lists on all systems, removing all unnecessary default accounts. Change passwords on root and administrator accounts. Review help desk and password reset procedures, avoiding the use of information such as employee numbers, Social Security numbers or addresses for authentication of calls for password resets.
• Constantly monitor publicly accessible Web sites for possible security breaches. These checks should be performed at least every hour, and more frequently if the enterprise has been identified as a prime target of a cyberattack.
• Examine security practices for remote access, including dial-up lines, extranets and VPNs. Change encryption keys on all VPNs.
• Monitor security distribution lists for the latest updates and trends.
• If internal security procedures are immature and resources are unavailable, contact a managed security service provider (MSSP) or consultancy for immediate needs. Consider contracting with an MSSP for long-term services.
• Educate users to expect an increase in unwanted cyberactivity. Establish clear mechanisms — e.g., a telephone number and an e-mail address for reporting suspicious activities — that personnel can use to report any unusual online or offline activity. This is important, because users may not be able to recognize the difference between information security breaches and physical security threats.
• If enterprise IT functions, including Web hosting, are outsourced, review the outsourcers' security policies.

What Enterprises Can Expect

Gartner analysts and other observers have already noted a number of early indicators that an increase in a wide range of cyberattacks is to be expected. On 14 September 2001, the National Infrastructure Protection Center issued an advisory calling for increased awareness in anticipation of a rise in "cybercrime" incidents. A number of so-called “hactivists,” ostensibly sympathetic to the United States, are calling for "revenge" cyberattacks, which are likely to target inappropriate sites and could potentially interfere with the official response to the terrorist attacks. (Real-world criminal activities, such as looting in the area of the World Trade Center, bomb threats and fraudulent charities nationwide, have also been reported.)

Specific types of potentially damaging "cyberactivities" have different sources and different targets, and carry different levels of risk for enterprises. These types of activities include:

Hactivism

One of the more-unfortunate responses to the events of 11 September 2001 has been hacking in the name of patriotism. Hactivists are generally online troublemakers using tragedy to justify illegal activities. Although some hactivists may believe they are furthering U.S. interests, their activities are more likely to have the opposite effect. Systems unrelated to the terrorist attacks or perpetrators will likely be compromised and used as staging points for cracking, distributed denials of service or other types of attack. These attacks will, however, probably be initiated by individuals and groups without the resources to cause loss of life or property. The majority of cyberattacks in response to recent events will be launched by hactivists; they will little effect and can be easily managed.

Cybercrime

Cybercrime — i.e., online criminal activity undertaken for financial gain — is also expected to rise as criminals attempt to take advantage of perceived uncertainties in financial systems. Fraudulent online solicitations for nonexistent charities also appeared within 24 hours of the terrorist attacks (see "Beware Disaster-Related E-Mail Fraud," FT-14-5178). No new types of cybercrime are expected to emerge from the 11 September 2001 events, but an increase in criminal activity is likely.

"Cyberterrorism"

We expect cyberterrorism — i.e., computer-based crime intended to cause loss of life or property in pursuit of political goals — will increase in the near future. These activities, which may come in response to U.S. reprisals for the recent terrorist attacks, will likely target U.S. government facilities, as well as infrastructure centers and nongovernmental organizations such as relief agencies. Enterprises, particularly financial institutions, public utilities, telecommunications companies, online trading firms and e-commerce sites, are also likely to be targeted. Some cyberterrorists will have the benefit of extensive resources and will be highly technically proficient. The goal will be to cause direct financial and personal loss, and to disrupt communication and services. Overall, very few attacks will constitute true cyberterrorism; these few attacks will, however, have the potential to cause significant damage.

Enterprises should not panic about the anticipated increase in cyberattacks. They should, however, evaluate their security postures and implement standard security procedures.

This research is part of a set of related research pieces. See AV-14-5238 for an overview.