IT infrastructure risks key to averting major cyberattack

Predictions of a cataclysmic disaster have been around for a while. But one security officer cites reasons why the Internet can never be brought down.


Words of caution
Treece's faith may be justified. But if enterprise executives don't have their house in order, an invincible Internet won't do them any good, said Fred Cohen, an analyst specializing in disaster preparedness for Midvale, Utah-based Burton Group. The Internet may not suffer a collapse, but a physical or digital attack could still destroy a company's IT assets. And if it's your company that gets hit, it may as well be the Big One doomsday watchers warned about.

Cohen is especially concerned about enterprises that are growing faster than their IT security infrastructure can keep up. "As they grow from small to medium to large, there are transition points, and rapid assessments in security aren't happening," he said. "The No. 1 cause of disasters that aren't recovered from is the failure of executives to analyze growth risks and understand the consequences of their business's size."

In "a lot" of the growth plans he has seen at the executive levels, Cohen said the information technology aspect was missing.


"One of the biggest failures we see comes from data consolidations," he said. "When there are data center integrations, the interdependency risks aren't weighed. We've seen case after case of data center integrations leading to failure and the collapse of multi-billion-dollar businesses."

An invincible Internet also won't help companies that fail to address physical risks to the IT infrastructure, he said. "You need adequate redundancy," he said. "You have to decide the right amount of distance between redundant systems. In an earthquake you don't want redundancies to be down the road from the same fault line."

People redundancy is another thing companies often forget. "You need people in redundant locations," Cohen said. "You need to be able to switch to redundant operations as quickly as possible. In disasters, detection is typically quick. We know there was an earthquake, an explosion or a bio-attack. You need a plan that says in the event of an incident, the backup system will need to be online in X amount of time. And you need to have drills before you work the plans into your system."

A stickler for authorized access
While Treece's experiences made him a believer in the Internet's survivability, they also made him acutely aware of the dangers Cohen outlined. That's why he said he's a stickler for authorized access and geographically widespread redundant systems.

"Redundancy is something we're very big on," Treece said. Every 24 hours everything on the network is backed up in two off-site facilities. Asked how spread apart they are, he responded: "The lesson of 9-11 is that the backups don't belong in the basement."

Vital pieces of Massport's IT infrastructure are also locked away in closets. "We're very careful about who gets access to those closets," he said.

Meanwhile, surveillance systems from Atlanta-based VistaScape Security Systems stand watch over Massport property, using software that allows activity throughout the Massport zone to be displayed on a single screen. Every moving object is classified and tracked. If a truck approaches a building, cameras zoom in to see if it's from a business partner or if its markings or movements look suspicious. In the latter case an alert is sent to security personnel who can respond before something bad happens, said VistaScape President P.J. Lynch.

Lynch said his customers are especially concerned about keeping an eye on the data centers and buildings where other IT infrastructure is housed, and that surveillance is a critical part of preventing attacks or catching the culprits if one succeeds.

"Look at the London attacks," he said, referring to the July terrorist assault on the city's subway and bus systems. "Right after the attacks they spent a lot of time looking over surveillance footage, and they were successful in catching suspects."

But the bad guys are also big on surveillance, scoping out locations before an attack, Lynch admitted. "We help organizations watch for this stuff. If someone is parked by a bridge for a long time, if someone is loitering, you know it can be trouble. And if you can see it ahead of time you can prevent an attack."

Each customer has unique problems that need monitoring. In the case of Logan airport, clam diggers on the outer flats are monitored in the event somebody moves too close to Massport property. It probably wouldn't take much for a terrorist to understand he can get close posing as a clam digger, Lynch noted.

The wonders of wireless
There's something else Treece likes about the VistaScape system: "It communicates over a wireless system," he said. Treece is as big a fan of wireless technology as he is a believer in the Internet's vitality, which might come as a surprise to those who have read all the reports about insecure wireless hotspots the bad guys can easily latch onto.

But the wireless system Massport uses is homegrown, with special security features that block out the war drivers. Treece envisions the day when wireless networks in general can be as robust as the Internet itself. In a wireless world, he pictures IT operations that can keep humming in the face of disaster, be it a hurricane like this month's Katrina or a bomb blast.

"Massport is moving toward a totally wireless structure," he said. "The VoIP, the laptops -- no wires. A wireless field is resistant to bombs and hurricanes. All over the world they've buried enormous wire capacity, but the last few miles are the tough part. That's where you have to worry about the backhoe slicing into your network. With wireless, the power stays on and you're more secure."

Most of the world might not share his enthusiasm for wireless right now, but Treece predicts that will change. "Terrorism will be the main driver," he said. "The first time we have a suicide attack in a subway in the U.S., it'll drive home the fact that all the cables down there are vulnerable, and people will ask if we still want to do things that way."

Power to the people
The Internet may keep getting stronger and the world may one day enjoy life within a wireless field. But in the end, those interviewed agree there's no substitute for a layered defense, a central point from which to manage, and cooperation from employees and government agencies.

"We subscribe to the defense-in-depth philosophy, from the perimeter inward to individual workstations," the Chicago Stock Exchange's Lauger said. As part of that strategy, she uses a centralized monitoring and auditing system from TriGeo Network Security of Post Falls, Idaho. "There's no running from workstation to workstation in an emergency," she said. "It's also useful for change control. Our application development group gets alerts when someone logs into a system. And log management is easier."

She can also use the device to write rules to trigger an e-mail alert or respond to a certain event. "You can send out the alert to everyone from one place. And you can use the system to correlate activity between one system and another," she said.
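Lauger describes the moving parts of a centralized monitoring system: logs collected in one place, rules that fire alerts, e-mail notification, and correlation of activity between systems. The script below is an added example written for this page, not TriGeo's product or the Chicago Stock Exchange's configuration. It runs two rules over a handful of constructed log lines in an invented `key=value` format; the host names, addresses, user names and mailbox addresses are assumptions. It goes one step beyond the text by spelling out a concrete cross-system rule: repeated failed logins for an account on one host followed by a success for the same account, from the same source, on a different host.

```python
"""Toy central log correlation: parse events shipped from several hosts,
apply rules, and build (but do not send) e-mail alerts.

Added example for illustration; format, hosts, users and addresses are invented."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from email.message import EmailMessage

# Constructed sample events from three hosts (assumed format, not real product output).
SAMPLE_LOGS = """\
2005-09-12T02:14:07 host=trade-db01 tier=prod event=login user=jsmith result=success src=10.1.5.22
2005-09-12T02:14:40 host=trade-app02 tier=prod event=login user=jsmith result=success src=10.1.5.22
2005-09-12T09:03:11 host=dev-build01 tier=dev event=login user=akumar result=success src=10.2.8.9
2005-09-12T14:22:05 host=trade-db01 tier=prod event=login user=ops-deploy result=success src=10.1.0.5
2005-09-12T14:22:19 host=trade-db01 tier=prod event=config_change user=ops-deploy file=/etc/app/db.conf
2005-09-12T14:25:00 host=trade-db01 tier=prod event=login user=rlee result=failed src=203.0.113.7
2005-09-12T14:25:03 host=trade-db01 tier=prod event=login user=rlee result=failed src=203.0.113.7
2005-09-12T14:25:06 host=trade-db01 tier=prod event=login user=rlee result=failed src=203.0.113.7
2005-09-12T14:25:09 host=trade-app02 tier=prod event=login user=rlee result=success src=203.0.113.7
"""

# Assumed recipients for the two kinds of alert.
APPDEV_MAILBOX = "appdev@example.invalid"
SOC_MAILBOX = "soc@example.invalid"


def parse_events(text):
    """Turn 'timestamp key=value ...' lines into dicts sorted by time."""
    events = []
    for raw in text.splitlines():
        raw = raw.strip()
        if not raw:
            continue
        ts, _, rest = raw.partition(" ")
        ev = dict(field.split("=", 1) for field in rest.split())
        ev["ts"] = datetime.fromisoformat(ts)
        events.append(ev)
    return sorted(events, key=lambda e: e["ts"])


def rule_prod_login(events):
    """Change-control rule: report every successful login to a production host."""
    alerts = []
    for ev in events:
        if ev.get("tier") == "prod" and ev.get("event") == "login" and ev.get("result") == "success":
            alerts.append({
                "rule": "prod-login",
                "severity": "info",
                "notify": APPDEV_MAILBOX,
                "detail": f"{ev['user']} logged into {ev['host']} from {ev['src']} at {ev['ts'].isoformat()}",
            })
    return alerts


def rule_fail_then_success(events, threshold=3, window=timedelta(minutes=5)):
    """Cross-system correlation: >= threshold failed logins for (user, src) within
    `window`, then a success for the same (user, src) on a host where none of the
    failures occurred. Needs events from more than one host in one place."""
    failures = defaultdict(deque)  # (user, src) -> deque of (ts, host)
    alerts = []
    for ev in events:
        if ev.get("event") != "login":
            continue
        key = (ev["user"], ev["src"])
        recent = failures[key]
        while recent and ev["ts"] - recent[0][0] > window:  # expire old failures
            recent.popleft()
        if ev.get("result") == "failed":
            recent.append((ev["ts"], ev["host"]))
        elif ev.get("result") == "success":
            failed_hosts = {host for _, host in recent}
            if len(recent) >= threshold and ev["host"] not in failed_hosts:
                alerts.append({
                    "rule": "fail-then-success-cross-host",
                    "severity": "high",
                    "notify": SOC_MAILBOX,
                    "detail": (f"{ev['user']} from {ev['src']}: {len(recent)} failed logins on "
                               f"{', '.join(sorted(failed_hosts))}, then success on {ev['host']} "
                               f"at {ev['ts'].isoformat()}"),
                })
            recent.clear()
    return alerts


def run_rules(text):
    """Central evaluation point: one parse, every rule, one list of alerts."""
    events = parse_events(text)
    return rule_prod_login(events) + rule_fail_then_success(events)


def format_email(alert, sender="logmonitor@example.invalid"):
    """Build the e-mail an alert would trigger; returned, not sent, so it runs offline."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = alert["notify"]
    msg["Subject"] = f"[{alert['severity'].upper()}] {alert['rule']}"
    msg.set_content(alert["detail"])
    return msg


if __name__ == "__main__":
    for alert in run_rules(SAMPLE_LOGS):
        print(format_email(alert))
```

Both rules only work because the events from trade-db01 and trade-app02 land in the same place; neither host on its own sees the failures and the success together, which is the point Lauger makes about correlating activity between systems.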

But companies shouldn't forget that people are a key ingredient to a strong defense, she said.

"The people side can't be neglected," she said. "You need employee awareness and training." As for partnering with other entities, she said being part of ChicagoFIRST won't prevent bad things from happening. But it'll probably help lessen the pain and help businesses survive.
