With InformationWeek's annual Security Survey coming out today, I wanted to share with you some of the valuable but frightening things I found on a security-related site that until one week ago I'd never heard of:

The beat goes on: "The LexisNexis break-in was set in motion by a blast of junk E-mail. Sometime in February a small group of hackers, many of whom knew each other only through IRC, sent out hundreds of E-mails with a message urging recipients to open an attached file to view pornographic child images. The attachments had nothing to do with child porn; rather, the files harbored a virus that allowed the group's members to record anything a recipient typed on his or her keyboard. A police officer in Florida was among those who opened the infected E-mail message. Not long after his computer was infected with the keystroke-capturing virus, the officer logged on to his police department's account. And the beat goes on. ..." -- From "Navigating The New Threat Landscape," by Internet Security Systems' Patrick Gray Corporate irresponsibility? "Sept. 2004: Sven Jaschan of Rotenberg admitted writing Sasser worm and being part of Skynet (authors of Netsky). Soon thereafter, SecurePoint, a German security firm, offers him a job. July 11, 2005: Jaschan receives 21-month suspended sentence, 30 hours community service." -- From "Taking Control Of Enterprise Security," by the Computer Security Institute's John O'Leary, listed here Application-server vulnerabilities: "Oracle Database Server: multiple vulnerabilities exist that vary in severity; the most severe include remote execution of arbitrary SQL commands, disclosure of sensitive information, and denial of service; Microsoft SQL Server: multiple vulnerabilities exist that could allow remote attackers to cause denial-of-service conditions, bypass database policies, disclose sensitive information, and potentially execute arbitrary code." -- From "Security Threats, Insecure Protocols, And Common Vectors," by Cisco's Allan Weaver, listed here CEO cluelessness? "Few C-Suite occupants grasp the case for investing in safeguards against hackers, worms, and the like. It is the duty of every CIO, CISO, and CSO to banish that innocence." -- Patrick Gray's "Navigating The New Threat Landscape," cited above Those are just a few quick samples of the rich security-related content to be found on the Web site of InfraGard, a national association I mentioned in this space last week after FBI Director Robert Mueller spoke at InfraGard's annual conference. So what is InfraGard, and why is it pulling together this and other valuable cybersecurity content? Formed in 1996 by the FBI to enlist the help of the IT industry and academia for the bureau's investigations into cybercrime, InfraGard today is "an association of businesses, academia, institutions, state and local law-enforcement agencies, and others dedicated to sharing information and intelligence to prevent hostile acts against the United States." Its 11,270 members include representatives from 68 of the Fortune 100 and are organized into local chapters around the country. So InfraGard is one of those outfits that actually does think globally while acting locally, and while my exposure to InfraGard has been admittedly brief, I would urge you to evaluate what the chapter near you is doing. Here's another one: Know what "Scada" is? A study presented at an InfraGard chapter taught me that it stands for "Supervisory Control and Data Acquisition"--more directly, industrial process-control systems that monitor and control equipment such as motors, valves, pumps, relays, and sensors. Know why Scada is going to become a lot more important to traditional IT operations? Here's an example from that study: "Terrorists aside, what about sabotage of Scada systems by others, such as insiders? In 2000, in Maroochy Shire, Queensland, Vitek Boden released millions of litres of untreated sewage using a wireless laptop, apparently taking revenge against former employers. He was arrested, convicted, and jailed." OTHER VOICES
"With about 85% of the nation's critical infrastructure--energy utilities, manufacturing and transportation facilities, telecommunication and data networks, and financial services--in the private sector, it's no wonder there have been so many attempts to create services that keep these companies apprised of threats to their IT networks. But there's a problem: Most companies aren't eager to share their adventures in cybersecurity with each other or the government."

-- InformationWeek, Larry Greenemeier, Aug. 24


Think of the infrastructure connections to your business--energy generation, power transmission, water, sewer, telecom, transportation, and more--and these Scada links don't seem so obscure. As Joe St. Sauver's paper points out, the Slammer worm in 2003 crashed the network of an Ohio nuclear power plant. The plant was offline at the time, but the worm did crash its safety-monitoring system for five hours. But while the potential for massive damage via cyberattacks is increasing, the good news is that the IT industry is beginning to take note. The paper, given at an InfraGard chapter meeting late last year in Eugene, Ore., by St. Sauver of the University of Oregon's Computing Center, said, "Cisco deserves a big 'atta boy' for its Critical Infrastructure Assurance Group," and he also cites the Cyber Security Industry Alliance, whose members include more than a dozen security-related vendors. And finally, St. Sauver's presentation completed the circuit with this advice: "Much of what's being faced in the Scada world has already been hashed through and fixed in the enterprise IT world. Those solutions, where suitable, need to be 'thrown over the wall' to Scada networks and systems so Scada folks don't 'reinvent the wheel.' IT folks need to visit with the process-control guys and gals." The worlds of industrial-control networks and more-traditional enterprise IT networks are coming together, inevitably and inexorably. Are you ready? Either way, InfraGard is probably a pretty good outfit to get to know. Bob Evans
Editorial Director
[email protected]

To discuss this column with other readers, please visit Bob Evans's forum on the Listening Post. To find out more about Bob Evans, please visit his page on the Listening Post.