Attacks That Blend Threats Against People, IT Systems Predicted

In San Francisco on Thursday, William Hancock, VP of security practice and strategy and chief security officer of IT service provider Savvis Communications, told a group of IT professionals and reporters that the sky was falling.

Hancock said he expects the emergence of "blended-threat" attacks that combine war on critical infrastructure occurring simultaneously with attacks designed for large-scale fatalities such as biological terrorism. Hancock went as far as to predict that such attacks would exceed those on the World Trade Center in magnitude of disaster.

The cyberwarfare aspect of such an attack could happen in any number of ways. He described the migration of the power grid from protocols such as DECnet and OSI to TCP/IP as one area of increasing vulnerability. With more of these power-grid systems connecting directly to the Internet, he warned, they become susceptible to denial-of-service attacks that could cause blackouts across the United States.

As a more mundane example, a new PC connected to the Internet could become infected with a worm within 25 minutes--before it has completed downloading the patches necessary to protect it against the most current threats, Hancock said.

Layered defenses are necessary, he argued. "There's not a firewall made that you can't get through."Hancock, chairman of the National Reliability and Interoperability Council Focus Group 2B, Cybersecurity, a council of advisers to the Federal Communications Commission, said that while he didn't want to be an alarmist, the state of Internet security is alarming.

Testifying before Congress in September on identity theft--currently favored by worm writers and phishers--Hancock focused on what could be done, principally in the area of identity management.

"Identity management of the future cannot be simplistic password methods of the past," he said. "It will need to incorporate advanced concepts such as biometrics and cryptographically sound methods to ensure the identity of a device, application, or individual is permitted to access data elements in databases and other information repositories."

That's essentially what Microsoft chairman Bill Gates said at the Microsoft IT Forum in Copenhagen earlier this week, where he addressed the "weakness of the password."

In his keynote address, Gates said that we cannot rely on passwords to protect health data, financial data, or records access. "Therefore, moving to biometric identification, and particularly in moving to smart cards, is a way that is coming," he predicted. "This is something that has been talked about for several years, but now we finally see the leading-edge customers taking that step."0