The Blending of Physical and Information Security Threats

The coming wave of security threats will increasingly be blended with physical and information components. CSOs who want to prepare for these attacks will have to meld their defenses to meet the challenge.

By Daintry Duffy

December 01, 2003 — CSO — Which of the following incidents poses a threat to your company's security?

A. Your parking lot is full of SUVs set ablaze to protest America's profligate consumption of the world's natural resources.

B. Your CEO's user account is active and accessing the latest R&D reports for a new product at 1 a.m. while he's supposed to be on a flight to Asia.

C. An enterprising young man in the Ukraine is siphoning credit card numbers off the Web for his employer, a criminal syndicate, which compiles and sells them in bulk to the highest bidder.

Unless you own a car dealership or hold an executive position with Amazon.com, you're probably going with "B," right?

Ah, if only it were that simple. Unfortunately for CSOs, each one of those diverse scenarios illustrates a trend that is a clear, present and growing danger to corporate security. In spite of the fact that security is finally getting the attention and resources it deserves, the list of threats that CSOs will have to handle during the next few years continues to expand at an alarming rate.

And it's no longer just the antisocial basement-dwelling hacker, cracker or script kiddie behind such attacks. The collection of ne'er-do-wells with an interest in undermining your corporate security has metastasized during the past few years into a multifarious cast of characters: industrial and state-sponsored spies, cyberterrorists, ecoterrorists and international mafiosi, just to name a few.

But does it really matter who's behind a security breach? Plenty of gee-whiz stories have been written that delve into the culture of the Russian mafia or the potential threat of cyberterrorism, and these issues are usually covered with a breathless fascination resembling the bravura of the bad guys. Sure, they make for great stories, but they provide little assistance to CSOs in strengthening their defenses.

"Whether it's a hacker taking credit card numbers or organized crime, often they're exploiting the same vulnerabilities," says Dorothy Denning, professor at the Department of Defense Analysis of the Naval Postgraduate School. "It's not so much who the actor isit's what they're doing."

Still, there are some definite trends that security executives should pay attention toevolutionary changes occurring within the underground. Here's how you should structure your security defenses to keep pace.Convergence TheoryAsk any security expert to forecast the future, and after he finishes the requisite hemming and hawing over the impossibility of such a task, he'll usually profess at least one certainty: that "convergence" will occur. By that, he means that criminal groups will band together to attempt larger attacks, and that those efforts will likely include blended attacks that have a physical and cyber component to them.