Protecting infrastructure

Cyber threats now targeting traditional companies

Published 12 November 2009

U.S. companies, even small and medium-sized ones, are more and more exposed to cyber threats from organized crime, foreign intelligence services, and probably terrorist organizations; 85 percent of U.S. critical infrastructure is owned and operated by private companies — and these companies are especially vulnerable to determined attacks which may ruin or seriously disrupt company operations.

The FBI and the U.S. intelligence community know the threats that corporate America is under from both foreign intelligence services and global organized crime, but the typical business person probably does not. Tom Patterson, chief security officer at MagTek, writes in Computerworld that these combined communities do a commendable job understanding potential threats to business information systems, ranging from corporate espionage, insider threats, organized crime, and theft of property to foreign government attacks. What they have not yet mastered, though, is how best to use this information to reach out and help the million small and mid-sized companies that make up the bulk of America’s critical infrastructure.

Patterson notes that the government has divided these companies vital to America’s overall economy into 17 sectors, including:

  • Information technology
  • Telecommunications
  • Chemicals
  • Transportation systems, including mass transit, aviation, maritime, ground/surface, and rail and pipeline systems
  • Emergency services
  • Postal and shipping services
  • Agriculture, food (meat, poultry, egg products)
  • Public health, health care, and food (other than meat, poultry, egg products)
  • Drinking water and waste water treatment systems
  • Energy, including the production, refining, storage, and distribution of oil and gas, and electric power
  • Banking and finance
  • National monuments and icons
  • Defense industrial base

Any one of these sectors is vulnerable to a determined attack that could seriously ruin your day, and definitely degrade our quality of life. “Even more distressing is that each sector is made up of tens of thousands of small businesses that have never received a call from Washington warning them about what to watch out for and informing them of their recourse actions,” Patterson writes.

If your company works in a critical infrastructure sector (read more here from DHS), you face greater threats than the shops down the street making pizza, pillows, or perfume. If your business is directly or indirectly working in any one of these 17 sectors, there are foreign intelligence services from nations both friendly and not so friendly that are looking at you as a domino in a line to destabilize America. By definition, your risks are both broader and deeper than you suspect. “So when you devise and execute your security plans, take time to appreciate these additional threats and account for them in your plans. If not for your country, do it for your own bottom line,” Patterson writes.

The best place to start is by joining the local chapter of Infragard.org, which started out as a combined outreach effort from the Secret Service and FBI and now is an independent non-profit that has very strong ties with the FBI. Also, each of these 18 sectors has an Information Sharing and Analysis Center (ISAC), which shares sector-specific critical security information among its members.

Right now, the financial services sector is probably the most well organized of the 18 sectors through their FS/ISAC group, and is moving proactively to shut down threats and close security gaps where they find them, even moving now toward shutting down the risks from counterfeit credit/debit cards that banks and merchants face by implementing a system that can detect fraudulent cards.

Patterson writes that while most malware is still focused on stealing from you (information or money), and some just wants to destroy stuff, the most dangerous area might well be “delayed destruction testing,” whereby an adversary is probing you now, identifying your soft spots, figuring out ways to exploit them, and then offering that knowledge for sale to anyone who might want to take you down. In the banking sector, a “test” was performed, using exactly 100 counterfeit ATM cards to steal over $9 million in exactly 30 minutes. They were testing the security, but also advertising their abilities.

To buy these hostile capabilities, all that is needed is money, Patterson notes. These eBay-like threat bazaars are all over the Internet, and if you are in one of the critical infrastructure sectors, your very business might be for sale to the highest bidder. Simple denial-of-service attacks (which essentially shut down all of your Internet-connected services, such as Web sites, Web e-mail, and VPNs) are available for about $2,000/day for most businesses. No technical sophistication needed — just a credit card or two (often counterfeit). More sophisticated one-time attacks, like manipulating your information on demand in a synchronized attack, do cost more, but are highly sought after on the global stage. “No longer is it safe to hide behind your relatively small size or remote locations,” Patterson warns. “If your business is involved in any of the critical infrastructure activities described above, you need to get engaged with your industry-specific security groups, and start to match your countermeasures to the real threats that face you.”