[ISN] The Worst-Case Hack Scenario
isn at c4i.org
Tue Jan 24 01:27:41 EST 2006
By Jack M. Germain
January 23, 2006
A flurry of data breaches at major corporations late last year seemed
to confirm a growing consensus among computer-security experts that
2005 was the worst year yet for such transgressions. Incidents at
Marriott International, Ford Motor Company, and ABN Amro Mortgage
Group served as eerie reminders to CIOs that they could be the next
victims of thieves looking to poach Social Security and credit-card
numbers, or of business-process breakdowns that cause sensitive
information to fall into the wrong hands.
Most CIOs will tell you that getting hacked is inevitable. But there
is getting hacked, and then there is getting sacked.
As the volume of information increases and criminals grow more brazen,
the chances of companies suffering a worst-case scenario seem less
remote every day. Part of any CIO's duty is to convince the boss that
the company is ready for the very worst security crisis imaginable.
Tales of Tech Terror
An example of just how easily a security problem can hit a company is
the data breach Ford Motor Company reported in the first week of
January. Ford officials reported the theft of a computer with files
that have the names and Social Security numbers of approximately
70,000 current and former employees of the company.
Adding insult to significant injury, that theft had nothing to do with
network intrusion or social-engineering tricks typically employed by
data thieves. Neither did the disappearance in December of a box
containing information on some two million customers of ABN Amro
Mortgage Group, one of the nation's largest mortgage lenders.
ABM Amro's customers learned that their Social Security numbers and
other personal information were lost by a DHL courier on the way to
the credit bureau Experian. A month later, a DHL worker found the
unlabeled carton of data in the same DHL facility where it had been
Meanwhile, someone at the corporate offices of Marriott Vacation Club
International, in Orlando, Florida, either misplaced or removed
computer backup tapes containing data about some 206,000 associates,
timeshare owners, and customers. The company reported the missing
tapes in late December.
Marriott officials mailed notifications to the affected people. In an
effort to quell panic about possible identity theft, corporate
officials said that the tapes require specialized equipment to read
their content. Marriott is investigating how the tapes went astray and
will monitor for unusual activity or possible misuse of the data.
We Have a Situation
Data security is a topic most corporate CIOs are reluctant to discuss.
The consensus is, the less said, the better for the corporate image.
But that does not mean CIOs are sitting around with their hands in
their pockets wondering how to convince their bosses that the sky is
not about to fall.
"Actually, believe it or not, many CIOs do already have a worst-case
scenario list," said Ed Moyle, manager of Information Security
Services at CTG and an analyst at Illuminata. "The specific
terminology varies from firm to firm, but a situation report is one
common way that a CIO can keep an eye on how the firm's I.T.
infrastructure is impacted by developments in the outside world such
as worms, viruses, and fraud activity."
The situation report might be prepared by CIO staff and contain
high-level information about threats in the environment and the
company's position with respect to each threat. Moyle said the staff
might draw on data from Web sites like the SANS Internet Storm Center,
which actively monitors and warns of attacks, or they might
collaborate with peers to gauge the effectiveness of their security
Keeping a list of threats is only the first step in crisis management,
Moyle said. Most large companies also are likely to have an
incident-response plan that details how I.T. personnel will respond to
particular types of threats, including information about whom to call
when a threat occurs and how to make sure the right people are
Opening It Up
At General Motors, the approach to crisis management is very different
than it was a few years ago. Back then, responding to worst-case
scenarios was much like applying triage to a catastrophe, said Eric
Litt, chief information security officer for Global Information
Security at GM Information Systems and Services.
"Now we try to assess threats and decide how to handle them before the
crisis hits," he said.
GM is unique in that it outsources 100 percent of its I.T. By
necessity, the global operation requires around-the-clock scrutiny,
and that includes preparation for nightmare scenarios. "We operate
24-7 so computer security incidents and events are handled no
differently than other kinds of incidents," Litt said.
GM follows a model that aligns Litt with each sector of the corporate
structure while allowing him oversight of the operations and support
of the I.T. department. Because the company is always functioning at
multiple locations worldwide, the data security infrastructure is more
expansive, and concerns over data breaches are not treated as a
separate entity linked only to I.T.
Litt said that this is a big change in the way he approaches his job.
"I no longer worry about what could go wrong," he said.
Assessing Risk Clearly
Today's CIOs are more keyed in than ever on the risks that hackers
pose, said Paul Stamp, an analyst at Forrester Research. That focus
has strengthened the defenses around company perimeters and shifted
focus somewhat to threats from within.
"CIOs are now better equipped to stay ahead of the security curve,"
said Stamp. "The feeling now is that the perimeter holes have been
licked." In fact, he said, studies have shown that most security
breaches in the last two years have come fairly consistently from
Despite this recent success against outside threats, CIOs are still
struggling with how to communicate specific threat information to the
bosses, said Moyle. "That's where the situation gets tricky," he said.
Since CEOs are focused on increasing the profitability of the firm, he
said, many of them regard security as an expense that draws money away
from investment in the business. To win over the CEO, information
officers must demonstrate how activities within their purview affect
the bottom line.
"By using data from their threat-tracking efforts, the CIO can
demonstrate how I.T. investment impacted the bottom line in terms of
cost savings," said Moyle. In other words, if a CIO can prove that
money spent resulted in money saved, it could ease the pain involved
in outlining a worst-case scenario.
"Granted, it is very difficult to get anything but a rough estimate
from these metrics," Moyle said, "but a rough estimate is better than
no estimate at all."
As to the degree of worry that CIOs have, Moyle conceded that quite a
few CIOs are worried about attacks, incidents, and other types of
security threats. And to him that is not a good sign.
"Worry in a CIO reflects uncertainty in the management process," said
Moyle. For example, in a well-prepared company, a CIO might have
metrics to help predict how likely an incident is to occur and how
much it is likely to cost the company. He or she can then look at the
balance sheet and make a considered determination as to how much to
But if CIOs are panicked, it's a sign that their confidence in that
process is not there for one reason or another, Moyle said. "The
metrics might be so skewed as to be useless. They might not have
metrics at all. They might have no way of tracking threats, or they
might not have a defined response process, and so on."
The Best Defense
Moyle likened the role of the CIO in handling risk management to
having flood insurance. Financial officers do not stay up late at
night worrying whether there will be a flood, and adequately prepared
CIOs shouldn't lose any sleep either.
The CIOs who manage risks effectively have become successful in
showing their bosses the need to build computer systems from the
ground up rather than to bolt on fixes, according to Forrester's
Stamp. "[Risk management] is now a laundry list of things to do.
Security is no longer a separate department. Rather, it is integrated
into business practices," he said.
That integration seems to be the key to understanding and preparing
for a worst-case scenario. Instead of having a plan waiting behind a
pane of glass, to be broken out only in case of emergency, CIOs would
seem to be best served telling their bosses that the systems are
already in place to respond to a data-security crisis.
Besides, as GM's Litt sees it, a worst-case scenario, in the truest
sense of the term, is one that is not survivable. The best CIOs can do
is to have a plan in place to mitigate attacks effectively and be
ready to follow it whenever needed.
"That doesn't mean an attack will never have an impact on the
business," Litt said. "There is no such thing as a perfect security
More information about the ISN