Cyber Terrorism &

Information Management Security

18 December, 2002
Terms

Cyber terrorism – The use of the Net for terrorism.
Cyber crime – The use of the Net for criminal actions.
Cyber Attacks – Email bombs, viruses, intentional actions.
Information Warfare – Formalized governmental warfare
Netwar – Conducting warfare via Networks & the Net
Techno Terrorism – Use of technology by terrorist groups

The Cyber Threat According to the United Nations

“The rapid transnational expansion of large-scale computer networks and the ability to access many systems through regular telephone lines increases the vulnerability of these systems and the opportunity for misuse or criminal activity. The consequences of computer crime may have serious economic costs as well as serious costs in terms of human security.”

Terrorism & the Internet

“The use of the Internet and the computer networks will represent a major challenge in the near future. Such use could include use of the nets not only as a propaganda tool, but also as a means of communication between militants of terrorist organizations and between various organizations.”
Dr. Ely Karmon, Intelligence and the Challenge of Terrorism in the 21st Century

Netwar, Technology & Terrorism

“netwar refers to an emerging mode of conflict and crime at societal levels, involving measures short of traditional war, in which the protagonists use network forms of organization and related doctrines, strategies, and technologies attuned to the information age” – John Arquilla, David Ronfeldt, Michele Zanini, Networks, Netwar and Information Age Terrorism

Terrorists & Information Technology

Terrorist groups are learning to use IT for decision making and other organizational purposes. They are using the same technology as an offensive weapon to destroy or disrupt.

Middle East Terrorists & Netwar

Osama bin Laden and Al Qaeda could not operate without the Internet. With the Internet they target, plan, coordinate and execute attacks.

Middle East Terrorists & Netwar

• Hamas activists in the United States use chat rooms to plan operations and activities.
• Operatives use e-mail to coordinate activities across Gaza, the West Bank, and Lebanon.

Middle East Terrorists & Netwar

The Internet is used as a propaganda tool by Hizbullah, which manages three World Wide Web sites: one for its central press office, another to describe its attacks on Israeli targets, and the last for news and information.

Middle East Terrorists & Netwar

British Islamic activists use the World Wide Web to broadcast their news and attract funding; they are also turning to the Internet as an organizational and communication tool, and are suspected of using the Islamic Gateway web site in the UK for these activities.

Middle East Terrorists & Netwar

The Global Jihad Fund claims, in an Internet Newsnet article, that the Gateway’s Internet Service Provider (ISP) can give “CIA-proof” protection against electronic surveillance.

Current Palestinian/Israeli Conflict

• Cyber attacks against U.S. web sites in the on-going Middle East conflict have included denial-of-service (DoS) attacks against Palestinian- and Israeli-related web sites.
• The attack on the American-Israel Public Affairs Committee (AIPAC) differs from previous attacks on other web sites in that it is the first of its kind to have involved theft of information.

Post 9-11 Cyber Attacks

Since the September 11 terrorist attacks there have been threats to the information infrastructure of the U.S. and U.S. allies. Both pro-U.S. protesters and anti-U.S. protesters have been active.

PRO-U.S. HACKERS

• Beginning on September 11, patriot hackers and hacking groups called for active retaliation attacks on Pakistani and Afghani web sites.
• On September 12, the official web site of the Government of Pakistan was defaced.
• Other web sites defaced were those belonging to the Afghan News Network, Afghan Politics, Taleban.com, and Talibanonline.com.

PRO-U.S. HACKERS

• Spam (unwanted mass e-mails) was also used to encourage hackers to join together in attacking web sites of Islamic fundamentalism and those supporting terrorism.
• Denial-of-service (DoS) attacks were used by hackers. E-mail bombing is a popular form of a DoS attack.

PRO-U.S. HACKERS
• The official web site of the Presidential Palace of Afghanistan was affected by a DoS attack that rendered it inaccessible.
• The Usenet newsgroup soc.religion.islam was e-mail bombed by hackers and subsequently crashed.
• A group calling itself the Dispatchers has taken up the task of striking out against Palestinian and Afghani web sites. Their first known defacement was the Iranian Ministry of the Interior.
PRO-U.S. HACKERS

• A prominent pro-U.S. hacking group was formed by German hacker Kim Schmitz. Young Intelligent Hackers Against Terror (YIHAT) has as its goal to gather information on terrorists and give that information to the proper U.S. authorities.
• YIHAT has been forced to move its activities “underground” and operate covertly to protect its members.

PRO-U.S. HACKERS

• YIHAT also announced plans to seek state sponsorship from a nation that would legalize its hacking activities in its effort to fight terrorism.
• It also plans to open a hacking training center to better train its members, estimated to number up to 800.

ANTI-U.S. HACKERS

Fluffi Bunni defaced web sites numbering in the thousands by compromising an ISP’s domain name server and redirecting those sites to a page he created. The message was “Fluffi Bunni Goes Jihad.”

ANTI-U.S. HACKERS

• The LifeStages computer virus was renamed to WTC.txt.vbs in order to infect computer users who were curious about the World Trade Center.
• The e-commerce web site belonging to First Responder Supplies was hacked by a group claiming to be the Brazilian hacking group Illegal Crew.

ANTI-U.S. HACKERS

• The Pakistan Hackerz Club (PHC), including Doctor Nuker, and GForce Pakistan have also been active in hacking U.S. web sites.
• The primary stated motive is protest against violence and human rights violations against Muslims in Israel and Kashmir.

ANTI-U.S. HACKERS

• Groups of Pakistani hackers have declared cyber jihad on the United States and are calling on all hackers of Muslim faith to participate.
• GForce Pakistan has taken on a large role in building a coalition to fight the United States as military operations are taking place.

ANTI-U.S. HACKERS

• The National Oceanic and Atmospheric Administration’s web server was hacked in the name of GForce Pakistan, which threatened to attack other U.S. and British military web sites unless the demands posted on the defacement were met.
• GForce defaced a U.S. Department of Defense (DoD) web site belonging to the Defense Test and Evaluation Professional Institute.

ANTI-U.S. HACKERS

• In Hungary, hackers compromised the Hungarian National Security Office’s web site and defaced a page with anti-U.S. propaganda.
• It is believed that the cyber protests, hacktivism, and on-line defacements will continue and may escalate as the United States and other countries continue the war against terror.

The Threat is not Traditional

There is a new generation of radicals and activists just beginning to create information-age ideologies, in which identities and loyalties may shift from the nation-state to the transnational level of global civil society.

The Threat is Rising

• An increasing number of terrorist groups are relying on information technology to support such networked structures.
• Newer groups are more networked than traditional groups.

It Is Happening

Falun Gong, a Chinese spiritual movement (oppressed in China) in New York, was used by the XinAn Information Service Center in Beijing, identified as part of the Ministry of Public Security, to attack the U.S. Department of Transportation.

The Threat Is Real

Governments and their surrogates are using the Internet to harass political opponents and unfriendly neighbors, to go after business trade secrets, and to prepare for outright warfare. The government of Myanmar is blamed for targeting the "Happy 99" E-mail virus at opponents who use the Net to advance their cause.

Governments are Attacking Governments

Hackers from Azerbaijan (thought to be government agents) tampered with dozens of Armenian-related Web sites, including host computers in the United States. Relations are tense between Azerbaijan and Armenia, and it wasn't long before the Armenians retaliated in kind.

The 3rd World Is Active

More than a dozen countries, among them Russia, China, Iraq, Iran, and Cuba, are developing significant information-warfare capabilities. A senior CIA official cited a Russian general who compared the disruptive effects of a cyber attack on a transportation or electrical grid to those of a nuclear weapon.

Militaries Worldwide Are Active

China is considering whether to create a fourth branch of its armed services devoted to information warfare. The U.S. military's offensive cyber warfare programs are consolidated at NORAD in Colorado.

Cyber-Spying Is Occurring

Successful cyber war does not have a face. Tapping into a command-and-control/enterprise management system could yield a gold mine of data about plans, processes and strategies. The longer a cyber spy conceals his/her presence, the longer the intelligence flows.

Private Industry Is A Major Target

Governments and industry are hungry for intellectual property, business processes, and methodology; they will target, and already are targeting, private industry as much as, or more than, other governments.

Attacks Are On The Rise

A recent FBI survey found that 90 percent of respondents detected security breaches within the last 12 months. 80 percent acknowledged financial losses due to security breaches.

Attacks Are Easier

Attacks are More Frequent

• Based on FBI investigations and other information, there has recently been an increase in hacker activity specifically targeting systems associated with e-commerce and other internet-hosted sites.
• In most cases, the hacker activity had been ongoing for several months before the victim became aware of the intrusion.

Attacks Are Doubling Every Year

Common Types of Cyber Crimes

• Fraud by computer manipulation
• Computer forgery
• Damage to or modification of computer data or programs
• Unauthorized access to computer systems and services
• Unauthorized reproduction of legally protected computer programs

Motivations for Cyber Attack

• Vandalism
• Anger (Insiders)
• Political
• Curiosity
• Notoriety
• Malice
• Personal Gain

Assets That Need Protection

• Software, data and information
• Data-processing services
• Electronic data-processing equipment
• Electronic data-processing facilities

Potential Cyber Security Risks

• Hosts running unnecessary services
• Outdated code
• Information leakage
• Misappropriated trust relationships
• Misconfigured firewall or ACL
• Weak passwords

Potential Cyber Security Risks

• Misconfigured Web servers
• Improperly exported file sharing
• Misconfigured NT servers
• Inadequate logging and detection
• Unsecured remote access
• Lack of a defined security policy

Cyber Vulnerabilities

• Policy vulnerabilities – e.g. simple passwords, unauthorized software or hardware, authorization, etc.
• Configuration vulnerabilities – software with known problems, privileges enabled, etc.
• Technology vulnerabilities – old technology, technology with known vulnerabilities, etc.

Cyber Vulnerabilities

• Density of information and processes
• System accessibility
• Complexity
• Electronic vulnerability
• Vulnerability of electronic data-processing media
• Physical security of building(s)
• Human factors

Cyber Vulnerabilities

• Insider attacks!
• Software bugs
• Human errors and mis-configurations
• Enabled/unused services
• Susceptibility to denial of service attacks … in network services and architecture, operating systems, applications

The “Hacker” or “Cyber-terrorist” Attack
Five Common Attack Methods

• Network packet sniffers
• IP spoofing
• Password attacks
• Denial-of-service attacks
• Application layer attacks

Network Packet Sniffers

A packet sniffer is a software application that uses a network adapter card in promiscuous mode to capture all network packets that are sent across a local-area network and sends them to an application for processing.

IP Spoofing

An IP spoofing attack occurs when an attacker outside your network pretends to be a trusted computer, either by using an IP address that is within the range of IP addresses for your network or by using an authorized external IP address that you trust and to which you wish to provide access to specified resources on your network.
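The standard counter-measure for the first case described above is anti-spoofing (ingress and egress) filtering at the network border. The following is an added example, not code from the original slides: a filter decision function that drops packets arriving from the Internet whose source claims to be one of the organization's own addresses or a non-routable range, and drops packets leaving the organization whose source is not one of its own addresses. The address blocks are constructed from documentation ranges.

```python
"""Anti-spoofing filter decision (ingress/egress filtering).

Added example; not from the original slides. The organization's address
block and the packet addresses below are constructed documentation ranges.
"""
import ipaddress

# Constructed topology: the organization's own address block.
INTERNAL_NETS = [ipaddress.ip_network("192.0.2.0/24")]

# Ranges that can never legitimately be the source of a packet arriving
# from the Internet (private, loopback, link-local, multicast, "this" net).
BOGON_NETS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4")]


def _in_any(addr, nets):
    return any(addr in net for net in nets)


def filter_packet(interface, src, dst):
    """Return ("permit" | "drop", reason) for a packet seen on an interface.

    interface is "outside" for a packet entering from the Internet and
    "inside" for a packet leaving the organization's network.
    """
    src = ipaddress.ip_address(src)
    dst = ipaddress.ip_address(dst)
    if interface == "outside":
        # Ingress filtering: a packet from the Internet that claims one of our
        # own addresses is the classic spoof; bogon sources are impossible too.
        if _in_any(src, INTERNAL_NETS):
            return ("drop", "ingress: source claims an internal address")
        if _in_any(src, BOGON_NETS):
            return ("drop", "ingress: bogon source address")
        if not _in_any(dst, INTERNAL_NETS):
            return ("drop", "ingress: destination is not ours")
        return ("permit", "ingress: external source to internal host")
    if interface == "inside":
        # Egress filtering: only our own addresses may leave, so our network
        # cannot be used as a launch point for traffic spoofing someone else.
        if not _in_any(src, INTERNAL_NETS):
            return ("drop", "egress: source is not an internal address")
        return ("permit", "egress: internal source")
    raise ValueError(f"unknown interface {interface!r}")
```

The second case on the slide, an attacker impersonating an external address you trust, cannot be caught by this filter at your own border, because the packet looks exactly like the trusted host's traffic; only the network that owns that address can egress-filter it. That is why access decisions should rest on authentication rather than on source address alone.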

Password Attacks

Password attacks can be implemented using brute-force attacks, Trojan horse programs, IP spoofing, and packet sniffers. Password attacks usually refer to repeated attempts to identify a user account and/or password; these repeated attempts are called brute-force attacks.
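Because a brute-force attack is by definition repeated attempts, it leaves a characteristic trail in authentication logs. The following is an added example, not code from the original slides: a detector that parses constructed sshd-style log lines and flags any source that accumulates a threshold of failed logins inside a sliding time window, records which accounts it tried, and notes whether the same source subsequently logged in successfully (the case that needs immediate follow-up). The log format and addresses are constructed for the example.

```python
"""Detecting password-guessing (brute-force) activity in authentication logs.

Added example; not from the original slides. The log lines are a constructed,
simplified sshd-style format and the addresses are documentation ranges.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log (not real data): one source hammers several accounts
# within seconds and finally succeeds; another source makes a single typo.
SAMPLE_LOG = """\
2002-12-18T09:00:01 sshd: Failed password for alice from 203.0.113.7
2002-12-18T09:00:02 sshd: Failed password for alice from 203.0.113.7
2002-12-18T09:00:02 sshd: Failed password for bob from 203.0.113.7
2002-12-18T09:00:03 sshd: Failed password for carol from 203.0.113.7
2002-12-18T09:00:04 sshd: Failed password for dave from 203.0.113.7
2002-12-18T09:00:05 sshd: Failed password for root from 203.0.113.7
2002-12-18T09:00:06 sshd: Accepted password for dave from 203.0.113.7
2002-12-18T09:05:00 sshd: Failed password for eve from 198.51.100.9
2002-12-18T09:20:00 sshd: Accepted password for eve from 198.51.100.9
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) sshd: (?P<result>Failed|Accepted) password for "
    r"(?P<user>\S+) from (?P<src>\S+)$"
)


def parse_line(line):
    """Parse one log line into a dict, or return None for unrelated lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return {"ts": datetime.fromisoformat(m["ts"]), "result": m["result"],
            "user": m["user"], "src": m["src"]}


def detect_bruteforce(log_text, threshold=5, window=timedelta(minutes=1)):
    """Flag sources with >= threshold failed logins inside any sliding window.

    Returns {src: {"peak_failures", "users", "success_after"}}. success_after
    is True when a flagged source later authenticated successfully, which
    suggests a guessed credential worked and that account needs attention.
    """
    recent = defaultdict(deque)   # src -> timestamps of recent failures
    users = defaultdict(set)      # src -> accounts it tried
    alerts = {}
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        src = ev["src"]
        if ev["result"] == "Failed":
            q = recent[src]
            q.append(ev["ts"])
            users[src].add(ev["user"])
            while q and ev["ts"] - q[0] > window:   # expire old failures
                q.popleft()
            if len(q) >= threshold:
                a = alerts.setdefault(src, {"peak_failures": 0,
                                            "success_after": False})
                a["peak_failures"] = max(a["peak_failures"], len(q))
        elif src in alerts:
            alerts[src]["success_after"] = True
    return {src: {**a, "users": sorted(users[src])} for src, a in alerts.items()}
```

Counting per source rather than per account also catches the "identify a user account" half of the slide's definition: a single address cycling through many usernames stands out even when no individual account sees many failures. The detection should feed rate limiting or throttling at the authentication service itself; permanent account lockout on failures is a weaker answer, since an attacker can use it to lock legitimate users out.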

Denial-of-Service Attacks

Denial-of-service attacks are different from most other attacks because they are not targeted at gaining access to your network or the information on your network. They focus on making a service unavailable for normal use.

Distributed Denial of Service (DDoS)

• Same methods and tools as DoS
• Much larger scale attacks – “elephant hunting”
• Uses hundreds or even thousands of attacking points to overwhelm the target
• Very difficult to determine the difference between a DDoS attack and a normal network outage
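From the user's side a DDoS attack and an outage look the same: the service does not answer. What separates them is the traffic arriving in front of the service, which is why the distinction has to be made from flow or request records rather than from availability alone. The following is an added example, not code from the original slides: it constructs synthetic per-request records, reduces a window of them to request rate and distinct-source count, and classifies the window against a baseline. The thresholds are assumptions for illustration, and the labels are heuristic.

```python
"""Telling a flood from an outage using request rate and source spread.

Added example; not from the original slides. Records are constructed as
(second, source_ip, bytes) tuples and addresses are documentation ranges.
"""
from collections import defaultdict


def make_window(duration_s, rps, n_sources):
    """Construct synthetic records: rps requests per second spread
    round-robin over n_sources constructed source addresses."""
    records = []
    for sec in range(duration_s):
        for i in range(rps):
            k = (sec * rps + i) % n_sources
            records.append((sec, f"198.51.{k // 256}.{k % 256}", 512))
    return records


def window_stats(records, duration_s):
    """Reduce a window of records to (requests_per_second, distinct_sources)."""
    if not records:
        return (0.0, 0)
    per_source = defaultdict(int)
    for _sec, src, _nbytes in records:
        per_source[src] += 1
    return (len(records) / duration_s, len(per_source))


def classify(stats, baseline_rps, baseline_sources, surge=10, collapse=0.1):
    """Heuristic label for a window compared with normal traffic.

    'ddos'   : request rate and distinct sources both far above baseline
               (hundreds or thousands of attacking points).
    'dos'    : request rate far above baseline but from few sources.
    'outage' : traffic has collapsed (the service or the path to it is down).
    'normal' : everything else.
    """
    rps, sources = stats
    if rps >= surge * baseline_rps:
        if sources >= surge * baseline_sources:
            return "ddos"
        return "dos"
    if rps <= collapse * baseline_rps:
        return "outage"
    return "normal"


# Constructed windows: 10 seconds each.
NORMAL = make_window(10, 20, 15)      # 20 req/s from 15 clients
DDOS = make_window(10, 2000, 3000)    # 2000 req/s from 3000 sources
DOS = make_window(10, 2000, 4)        # 2000 req/s from 4 sources
OUTAGE = make_window(10, 1, 1)        # traffic has almost stopped
BASELINE_RPS, BASELINE_SOURCES = 20, 15


def label_all():
    """Classify each constructed window against the baseline."""
    return {name: classify(window_stats(recs, 10), BASELINE_RPS, BASELINE_SOURCES)
            for name, recs in (("normal", NORMAL), ("ddos", DDOS),
                               ("dos", DOS), ("outage", OUTAGE))}
```

A surge from many sources can also be a legitimate flash crowd, and flows observed upstream of a saturated link will still show the flood while the server itself sees nothing, so the measurement point matters as much as the thresholds. The value of keeping a baseline is that an outage shows up as an absence of traffic, which no amount of looking at the dead service will reveal.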

Application Layer Attacks

Application-layer attacks exploit well-known weaknesses in software commonly found on servers, such as FTP. Attackers can gain access to a computer with the permissions of the account running the application, which is usually a privileged system-level account. Trojan horse program attacks are an example.

Where Attacks Come From

Types of Attacks

Computer Crime 1997-2002

Estimated Dollar Loss (2002)

The Cyber Security Process

• Security is the mitigation of risk associated with providing network connectivity to employees, partners and customers.
• Organizations need to focus on their security requirements to create a Security Policy and then allocate budget accordingly.
• Security is a process, with the Security Policy being the cornerstone of the customer’s security architecture.

Security Costs Are A Factor

Four Phases of Cyber Security

(Diagram: the four phases arranged around the cyber threat)
• Mitigation
• Preparedness
• Response
• Recovery

Contingency Planning

Contingency planning refers to a coordinated strategy involving plans, procedures, and technical measures that enable the recovery of IT systems, operations, and data after a disruption, and generally includes one or more approaches:
• Restoring IT operations at an alternate location
• Recovering IT operations using alternate equipment
• Performing some or all of the affected business processes using non-IT (manual) means
Planning Steps for Cyber Security

Business Process Evaluation

Response Team

Best Practice #1
General Management

Managers throughout the organization must consider information security a normal part of their responsibility and the responsibility of every employee.

Best Practice #2
Policy

Develop, deploy, review, and enforce security policies that satisfy business objectives.

Best Practice #3
Risk Management

Periodically conduct an information security risk evaluation that identifies critical information assets (e.g., systems, networks, data), threats to critical assets, asset vulnerabilities, and risks.

Best Practice #4
Security Architecture & Design

Generate, implement, and maintain an enterprise- (or site-) wide security architecture, based on satisfying business objectives and protecting the most critical information assets.

Best Practice #5
User Issues: Accountability and Training

Establish accountability for user actions, train for accountability and enforce it, as reflected in organizational policies and procedures. Users include all those who have active accounts, such as employees, partners, suppliers, and vendors.

Best Practice #6
User Issues: Adequate Expertise

Ensure that there is adequate in-house expertise or explicitly outsourced expertise for all supported technologies (e.g., host and network operating systems, routers, firewalls, monitoring tools, and applications software), including the secure operation of those technologies.

Best Practice #7
System & Network Management: Access Control

Establish a range of security controls to protect assets residing on systems and networks.

Best Practice #8
System & Network Management: Software Integrity

Regularly verify the integrity of installed software.
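Verifying software integrity in practice means recording a cryptographic hash of every installed file when the system is known to be good and comparing against that record on a schedule. The following is an added example, not code from the original slides: it builds a SHA-256 baseline of a directory tree, then reports files that were modified, added or removed. The directory tree and the tampering are constructed inside a temporary directory so the example runs on its own.

```python
"""File-integrity baseline and verification (Best Practice #8).

Added example; not from the original slides. The install tree and the
tampering below are constructed in a temporary directory.
"""
import hashlib
import json
import os
import tempfile
from pathlib import Path


def sha256_file(path, chunk=65536):
    """Hash a file in chunks so large binaries do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_baseline(root):
    """Map every regular file under root (relative path) to its SHA-256."""
    root = Path(root)
    return {str(p.relative_to(root)).replace(os.sep, "/"): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def verify(root, baseline):
    """Compare the tree under root with a stored baseline."""
    current = build_baseline(root)
    return {
        "modified": sorted(k for k in baseline
                           if k in current and current[k] != baseline[k]),
        "added": sorted(k for k in current if k not in baseline),
        "removed": sorted(k for k in baseline if k not in current),
    }


def demo():
    """Construct a small install tree, baseline it, tamper with it, re-verify."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "bin").mkdir()
        (root / "bin" / "server").write_bytes(b"original binary\n")
        (root / "etc").mkdir()
        (root / "etc" / "server.conf").write_text("listen=443\n")

        # The baseline is what you would store off-host (and sign).
        baseline_json = json.dumps(build_baseline(root))

        # Constructed tampering: binary replaced, extra file dropped in,
        # configuration file deleted.
        (root / "bin" / "server").write_bytes(b"trojaned binary\n")
        (root / "bin" / "helper").write_bytes(b"extra\n")
        (root / "etc" / "server.conf").unlink()

        return verify(root, json.loads(baseline_json))
```

The baseline is only as trustworthy as its storage: keep it off the monitored host (or on read-only media) and sign it, because an attacker who can modify the software can just as easily rewrite a baseline kept beside it. The same approach extends to configuration files and start-up scripts, which is where many Trojan horse programs establish themselves.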

Best Practice #9
System & Network Management: Secure Asset Configuration

Provide procedures and mechanisms to ensure the secure configuration of all deployed assets throughout their life cycle of installation, operation, maintenance, and retirement.

Best Practice #10
System & Network Management: Backups

Mandate a regular schedule of backups for both software and data.

Best Practice #11
Authentication & Authorization: Users

Implement and maintain appropriate mechanisms for user authentication and authorization when using network access from inside and outside the organization. Ensure these are consistent with policies, procedures, roles, and levels of restricted access required for specific assets.
Best Practice #12
Authentication & Authorization: Remote and 3rd Parties

Protect critical assets when providing network access to users working remotely and to third parties such as contractors and service providers. Use network-, system-, file-, and application-level access controls and restrict access to authorized times and tasks, as required.

Best Practice #13
Monitor & Audit

Use appropriate monitoring, auditing, and inspection facilities and assign responsibility for reporting, evaluating, and responding to system and network events and conditions.

Best Practice #14
Physical Security

Control physical access to information assets and IT services and resources.

Best Practice #15
Continuity Planning & Disaster Recovery

Develop business continuity and disaster recovery plans for critical assets and ensure that they are periodically tested and found effective.

The Cyber-Threat (REMEMBER)

Information Snooping – You are being monitored.
Viruses – You will be attacked.
Equipment – Your equipment is subject to physical intrusion and theft.

A chain is only as strong as its weakest link.
