Digital risk trends 2008: hacking. Cyberwarfare. Identity theft. Ten years ago these risks were barely on the radar of most organizations. Today they are ubiquitous. With new threats appearing every day, Risk Management takes a look at some of the most frightening digital risks that have made headlines this past year

Risk Management, Oct, 2008

Internet Under Siege

He who controls DNS, controls the internet.

Recently, security researcher Dan Kaminsky revealed the existence of a basic design flaw in the internet's addressing system that essentially exposed every online network to hackers. The flaw was in the net's Domain Name System (DNS), the system that translates website domain names into numbered IP addresses that computers can route. It opened up all networks to what are known as "DNS cache poisoning attacks" in which hackers redirect internet users to fraudulent websites even after they have typed the correct address. The attacks can affect not just website visits but all internet traffic, including e-mails and instant messaging. Hackers can intercept these messages, read them and then forward them to their intended destination unbeknownst to the sender or receiver. Cache poisoning of this scale can give hackers access to the personal information of any internet user, regardless of whether or not their activity was conducted on a "secure" server. By controlling DNS, a hacker can essentially control the internet itself.

After his discovery, Kaminsky quietly notified many of the largest vendors and internet service providers and a patch was created so that most site operators were able to fix the problem months before he notified the public in July. Despite the advance warning, however, not all ISPs have been fixed. Experts have recommended that while end-users cannot correct the problem themselves, they can consult online tools that can test the vulnerability of specific servers to see if their ISPs have run the patch. The grim reality, however, is that the patch is only a temporary solution to an inherent weakness in internet security. While it does make conducting the attacks extremely difficult, enterprising hackers will likely find a work-around--if they haven't already. And next time, "good guys" like Kaminsky may not be the first to make the discovery.

--Morgan O'Rourke

0P3N F1R3

The latest international battlefield is online.

Last June, the Chinese military pulled off a major cyberwarfare victory when it successfully hacked into the Pentagon, prompting the Department of Defense to shut down part of the system to contain the intrusion. While China and the United States are believed to routinely crack into each other's military computer networks, the Chinese hack showed that Pentagon systems could be compromised at a critical time. Although Beijing denied the attack, Germany also raised concerns that it too had been hacked by the People's Liberation Army. And while the Pentagon believed no critical data was downloaded, the intrusion did prompt a review of how data is handled throughout the Department of Defense, especially through Blackberries and other wireless devices.

It wasn't the first time that cyberwarfare has been conducted, however. A few months before, Estonia came under a nationwide denial-of-service attack widely believed to have come from Russia--either with the tacit or implicit support of the government. At issue was Estonia's removal of a Soviet-era World War II memorial from its original spot in Tallinn to elsewhere in the Estonian capital. The move enraged ethnic Russians within Estonia as well as the Kremlin, and the nationwide hack that followed shut down Estonia's electronic architecture for days. Thankfully, NATO cyberdefense experts happened to be in country that weekend and fixed things quickly.

For years, the asymmetrical nature of cyberwarfare made it a likely terrorist tactic, especially after 9/11, but no major terrorist cyberattacks have surfaced. The adoption of cyberwarfare by standing militaries leaves no room to breathe easy, however. For IT security experts, the Estonian and Pentagon incidents showed that after a long germination as a hypothetical threat, cyberwarfare has become a real danger, especially to civilian and commercial entities with online assets to protect.

Russia proved that this year when it waged a brief, one-sided war against Georgia over Georgia's breakaway regions of South Ossetia and Abkhazia. Although the shooting started in August, security experts noticed large-scale denial-of-service attacks hitting Georgia as early as June. Like the Estonia attacks, these were also thought to have originated within Russia. If so, it marks the first time that a cyberattack presaged an actual military action, though it seems unlikely it will be the last. In fact, cyberwar might become a routine element of conventional military practice. Cyberattacks cost virtually nothing to mount compared to the replacement costs of a tank or a plane, and they can produce substantial results in terms of disrupting an enemy's command and control capabilities. And they only require a handful of skilled, dedicated cyberwarriors for a major campaign.

At risk are highly visible assets like communications, transportation, media and government sites--in both the Estonian and Georgian attacks, those were the hardest hit targets. The good news for the United States, at least, is that its online architecture is too massive to be so easily brought to its knees. But as the Pentagon hack showed, specific military assets are not untouchable and, as such, defensive strategies must be developed, tested and employed by any army looking for security in an increasingly cybernetic world.