1996-08-29 - Thoughts on CyberTerrorism {per request}

Header Data

From: “William H. Geiger III” <whgiii@amaranth.com>
To: isi@hooked.net
Message Hash: a24bd3a83e76febae114d8123a2b7b2edda3c30df350051fdbe99d78d9cf19b3
Message ID: <199608291012.FAA10548@mailhub.amaranth.com>
Reply To: <199608290618.XAA12301@mom.hooked.net>
UTC Datetime: 1996-08-29 12:41:29 UTC
Raw Date: Thu, 29 Aug 1996 20:41:29 +0800

Raw message

From: "William H. Geiger III" <whgiii@amaranth.com>
Date: Thu, 29 Aug 1996 20:41:29 +0800
To: isi@hooked.net
Subject: Thoughts on CyberTerrorism {per request}
In-Reply-To: <199608290618.XAA12301@mom.hooked.net>
Message-ID: <199608291012.FAA10548@mailhub.amaranth.com>
MIME-Version: 1.0
Content-Type: text/plain


In <199608290618.XAA12301@mom.hooked.net>, on 08/28/96 at 10:55 PM,
   "Institute for Security and Intelligence" <isi@hooked.net> said:


My opinions on the topic of CyberTerrorism:


The issue of cyberterrorism can be divided into 3 main parts:

-What is the threat.
-Who is the threat.
-How to respond to the threat.


What is the threat?
===================

This can be subdivided into 3 classifications:

Catastrophic Terrorist Attack
-----------------------------

This type of attack results in the loss of life, or major disruption of society.

Examples:

   - A cyberterrorist causes major economic disruption by infiltrating international banking systems.

   - A cyberterrorist causes loss of life by infiltrating mass transit systems.
        - Air Traffic Control
        - Train systems
        - Subway systems

   - A cyberterrorist causes loss of life/major economic disruption by infiltrating public utility systems.

        - Meltdown of Nuclear Power Station
        - Shutdown of Major Power Grids
        - Oil/Gas Spills

   - A cyberterrorist causes loss of life/major economic disruption by infiltrating military systems and gaining access to military weapons.


Major Criminal Attack
---------------------

This type of attack results in a financial loss or civil liberty infringement but is not of the scale of a Catastrophic Attack.

Examples:

    - A criminal infiltrates a bank computer and illegally transfers funds.

    - A criminal obtains credit card information and uses it fraudulently.

    - A criminal obtains personal information and uses it illegally.
         - Blackmail
         - Job discrimination
         - Credit denials
         - Insurance denials


Minor Hacker Attacks
--------------------

This type of attack results in little or no financial loss.

Examples:

    - A hacker breaks into the DOJ webserver and changes the webpages.

    - A hacker breaks into a system and snoops around.

    - A hacker breaks into the school computer and changes his grades.



Who is the Threat?
==================

The CyberTerrorist
------------------

This is a sophisticated, well organized, State sponsored Terrorist.

His goals are the same as any other terrorist. He wishes to wreak havoc on society to further his political agenda.


The CyberTerrorist/Mad Scientist
--------------------------------

Though his means are the same as the CyberTerrorist's, his goals are different. He is just a nutcase, out for the thrill or for his 5 min. of fame.


The Computer Criminal
---------------------

These will come in varying levels of sophistication and ability. They will range from the petty thief to the super-hacker that can hack banking systems.

The Hacker
----------

Average age: 15-25. Above-average intelligence.

Basically he is in it for the challenge: to break into a system no one else has broken into. For the most part harmless.



How to Respond to the Threat?
=============================
      
This all depends on which threat you are responding to.

CyberTerrorist
--------------

This one is a tough one. Outside of standard security measures, including redundancy & isolation of critical systems, the weakest link is going to be the personnel running the systems {what is known as an inside job}.

Deterrents could play a BIG factor in this. If every time a country supported a terrorist attack we turned one of their cities into a glass bowl there would be a lot less of this type of thing going on. This would not help with the true diehards/nutcases.

Computer Criminal
-----------------

The best way to defend against the computer criminal is information & training.

System administrators must be aware of potential security risks to their systems.

Software vendors should be open and forthcoming about security holes when they are found.

End users should be familiar with what types of risks are involved when "on-line".
      - what type of information is covertly being gathered about them. {Thank-You NetScape}
      - what type of information should and should not be transmitted in the "open"
      - what is PGP, how to use it, when to use it. Every user should have a copy.

The Hacker
----------

The same as above. If sys-admins are sloppy about security they have much more to worry about than some school kids' pranks. Most of the Hacker's activities are harmless and can be a mixed blessing in disguise to a sys-admin. A Hacker's prank may awaken him to the sad shape of his security and move him to make changes before he gets hit by the Computer Criminal or Cyber Terrorist.



Well, those are my basic thoughts on the matter. I refrained from going too in-depth as I did want to keep this under 1000 lines (bad spelling and all). :)

I am willing to discuss this more in depth on a point-by-point basis.


--
-----------------------------------------------------------
William H. Geiger III  http://www.amaranth.com/~whgiii
Geiger Consulting    WebExplorer & Java Enhanced!!!
Merlin Beta Test Site - WarpServer SMP Test Site

Author of PGPMR2 - PGP Front End for MR/2 Ice

Look for MR/2 Tips & Rexx Scripts
Get Work Place Shell for Windows!!
PGP & MR/2 the only way for secure e-mail.
                            
Finger whgiii@amaranth.com for PGP Key and other info
-----------------------------------------------------------
 
MR/2 Tag->2.0 is better than 1; 3.0 is better than 2.





