IT pros share painful lessons

NEW YORK - The age of terrorism ushered in over the past year has forced companies to rethink how to cope with emerging threats, including potentially more destructive cyberattacks. It also has encouraged IT security professionals to be more candid about their experiences.

Looking to share his lessons learned, Deloitte & Touche Director Steven Ross last week spoke about the company's experiences on Sept. 11 at the Information Systems Audit and Control Association (ISACA) conference in New York.

Deloitte & Touche found out about the shortcomings of its business-recovery plan when the company evacuated its New York office after the planes slammed into the World Trade Center towers across the street. Ross, an IT security specialist, authored the company's back-up and recovery plan.

"You can have all the back-up sites in the world, but if people can't get to them, it doesn't do any good," said Ross, who acknowledged that Deloitte & Touche hadn't tested or maintained its plan for years. Although the firm had an alternate data center site in New Jersey, it wasn't possible to get employees there.

In any disaster-recovery plan, "people issues are paramount," Ross said. One Deloitte & Touche employee died during the attacks. "We had counseling services made available immediately," he said.

In the aftermath of the destruction and the widespread telecom failures in New York, it was hard to track down employees, although, as part of disaster-recovery planning before Sept. 11, everyone had been given "emergency cards" to phone in their whereabouts. Deloitte & Touche's downtown New York office LAN was destroyed, though connectivity was restored a few weeks later at another location.

Corporate e-mail was unaffected. Voice mail was available for top executives immediately and eventually restored for the rest of the staff. Deloitte & Touche ended up leasing four floors in the Marriott Marquis hotel -- coincidentally, where the ISACA conference was held.

"Until Sept. 11, I never dealt with a client by asking 'What if you died? What if all these people died?' But now I do. I have to," he said.

Many security professionals see the world darkening. An apocalyptic view of the Internet ravaged by computer worms, denial-of-service (DoS) attacks and routing-table meltdowns was forecast by keynote speaker Howard Schmidt, President Bush's cybersecurity adviser.

"The routing tables of the future will be unmanageable. There will be slowdown and failures, and malicious and criminal activity between 2002 and 2009 . . . all [of which] mean the Internet quits working," said Schmidt, underscoring the dire need to improve security now (see story).

Hard lessons
What Deloitte & Touche learned from the World Trade Center disaster:
Organizing people after a calamity is harder than recovering data systems.
Geographic dispersion of data centers and business operations is essential.
Designations of "critical" and "noncritical" data are somewhat meaningless.
Transportation system disruptions were worse than anticipated.
There was a broad need to help suppliers and competitors in trouble.
Contiguous disruptive events (such as the Nimda virus days later) complicated recovery.

That view might seem alarmist. But security professionals at the conference said that fending off worms such as Nimda (which debuted a week after Sept. 11), distributed DoS attacks, in which an attacker bombards a Web site or other device with IP floods from hundreds of compromised machines, and nonstop hacking attempts has become their everyday battleground.

Fidelity Investments has managed to stave off incessant hacker break-in attempts, said Steve MacLellan, the investment firm's IT security-practice manager. "Hackers look at Fidelity and see money," said MacLellan.

Fidelity monitors danger via intrusion-detection systems, including those from Internet Security Systems and Cisco, which record anywhere between a half million and 1.5 million attempted break-ins or suspicious scans each day. Fidelity collects the data to create an overview, even hiring a mathematician to analyze patterns. "You have to put IDS across the firm," he said.

But on Sept. 18, Fidelity was hit by the Nimda worm, which forced the shutdown of 700 servers, minutes after a single employee's computer had been infected while using the Web.

"The shock of this told us we had to change what we were doing," MacLellan said. Nimda exploits unpatched holes in Microsoft Web servers and browsers. Three days is the fastest that Fidelity, a big Microsoft customer, can commit to patching all its enterprise software used by 32,000 employees.

As a new defensive measure, Fidelity is starting a content-inspection pilot project with Nortel in which the Nortel-based VPN enforces a security policy that restricts workers from using the network unless certain patches and up-to-date antivirus scanning software are installed. Fidelity also is working with Microsoft to improve its patch-automation process.

Fidelity is on guard against distributed DoS attacks. It was hit by a large one in March. The attack was fought off by blocking IP traffic via a Top Layer Networks switch and by working with multiple ISPs to filter out attack traffic.

"You have to work with the ISPs on this," MacLellan said. "But one major ISP refused to work with us, even though the contract we had said they would." MacLellan, who declined to name the ISP, said Fidelity has since dropped it.

Fidelity also is looking into how specialized equipment might help defend against the massive IP floods that come with a distributed DoS attack.

"We expect to be in firefighting mode for the next two to five years," MacLellan said, noting one of the biggest dangers is a hacker trying to tamper with Web-based e-commerce applications. Application security tools such as those from Sanctum, Foundstone and ISS can be of some help in filtering out such application-targeted attacks, he added.

Contact Senior Editor Ellen Messmer

Copyright, 1994-2006 Network World, Inc. All rights reserved.