Cyberterrorism Scenarios Scrutinized
Security experts, IT professionals meet to consider how best to plan for likely cyberattacks.
Gretel Johnston, IDG News Service
WASHINGTON--At the inaugural SECTOR5 conference that opened in Washington, D.C., Wednesday, the talk of cyberterrorism is talk of an IT doomsday. In it, weapons of mass disruption replace weapons of mass destruction, and instead of a "dirty bomb" filled with radioactive material hitting a city, terrorists pack "logic bombs" in their bag of nasty tricks.
Conference officials kicked off the event with a dark scenario involving the New York Stock Exchange and a group of terrorists who gain access to the trading floor data center by taking temporary jobs there as IT employees. In the scenario described, the terrorists plug into open ports in the data center and use accounts issued to them as employees.
Doomsday Scenario
Their dirty work begins with the release of a fast-spreading worm that takes over all servers associated with the trading floor. This worm penetrates Windows, Linux, and other operating systems in a variety of ways, burrowing into security holes in Web servers, browsers, e-mail, and network applications. To avoid detection it changes its appearance and behavior as it spreads.
Anti-virus software is no help, according to the scenario, because the worm travels so quickly and because it exploits previously unknown vulnerabilities--known as zero-day exploits--in various servers. The worm's spread consumes most of the bandwidth on the trading floor network for several minutes, making it appear that a mere temporary surge in bandwidth usage has occurred. Things return to normal when the worm falls dormant on the servers, and systems administrators breathe a sigh of relief.
Then the logic bomb is dropped. It initially dupes systems administrators into thinking everything is okay, by allowing them to check the integrity of the data and showing it to be valid. But when they want to use the data to restore their systems, the logic bomb destroys it by overwriting it seven times with alternating ones and zeroes.
These events are just the opening act of the simulation, which goes on to employ a variety of techniques including denial of service attacks to bring down servers on the trading floor and elsewhere. The end result is the compromising of millions upon millions of computers worldwide and the effective disabling of the Internet.
Jolted to Attention
Farfetched? Not in the post-September 11 world, where vendors and government officials participating in SECTOR5 believe terrorists will do anything to make their point.
"It sounded like the simulation really got people thinking," said Peggy Weigle, chief executive officer of Sanctum, a software security vendor. "From our experience doing audits or hacking demonstrations, it still amazes people how easy it is to breach systems at the application level or at the system level."
Sanctum broke into 98 percent of the 350 large corporate sites it has audited, compromising the security in an average of two hours, Weigle says. Often Sanctum accessed the directory structure containing things like the master file for passwords. In the case of an unnamed airline reservation site, Sanctum accessed back-up files of source code for Web application interfaces.
"We did this sitting at a Web browser. People don't believe it until they see it," Weigle said.
Charles Sander, vice president and managing principal of Unisys' airports practice, referred to his work on a new security infrastructure for airlines after the PanAm 103 explosion over Lockerbie, Scotland. One of the best tools was that the U.K. government agreed to impose a standard that essentially legislated how airlines handle security, he said.
Practical Paranoia
Qinetiq is one of several co-sponsors of the SECTOR5 conference, which derives its name from the title Summit Exploring Cyber Terrorism. The company espouses the intrusion management model, which suggests viewing cyberterrorism as inevitable. Consequently, the industry can reallocate its efforts to be more effective and more precise in determining how it might happen, said Michael Corby, president of Qinetiq.
But industry wants the government to guide minimum security standards for all companies, Corby said. The U.S. government alone is expected to spend billions of dollars on IT once the new Department of Homeland Security is in place. But Corby said it will be at least six months after that before vendors know what standards they will be expected to follow in their products.
Many in the SECTOR5 audience of about 300 government and private sector IT professionals, as well as vendors, appeared to support a government plan for security certification. It would be similar to a recent Congressional act requiring chief executive officers and chief financial officers to certify under legal penalty that financial results are accurate. The audience broke into applause at the certification suggestion.
Some attendees also saw significance in the participation by representatives of the three U.S. government agencies slated to be part of the new Department of Homeland Security. They are the National Infrastructure Protection Center, the Critical Infrastructure Assurance Office, and the Secret Service.
"You are going to see a lot more coordinated effort among the CIAO, NIPC, and the Secret Service," said John M. Frazzini, special agent in the Secret Service. The result will be "a lot more synergy and a more coordinated government approach," he added.
Vendors have requested a single contact to deal with the government on critical infrastructure projects, Frazzini said.








