THE RISING THREAT OF CYBER-TERRORISM

LIZA CASABONA / Additional reporting by Michael Garry

Bob Schoening's reaction to the seemingly endless onslaught of computer worms and viruses is not unusual, and is perfectly understandable. "I'm befuddled by what is going on," said Schoening, chief information officer, Pathmark, Carteret, N.J.

"We are able to see the amount of pounding on the outside of our firewall," he added. "And the amount of virus traffic roaming around the Internet has been at all-time levels the last several months." For an IT expert responsible for keeping a $6 billion business's computer network running smoothly, the extent to which hackers are developing worms and viruses and putting them onto the Internet can be discouraging, he acknowledged.

Of course, the problem is not new. During a presentation at Food Marketing Institute's Marketechnics show last February in Dallas, Randy Breault, manager of information security for Hannaford Bros., cited a 2001 study conducted by the FBI and the Computer Security Institute that found 85% of companies reported a computer security breach in the year prior to the survey, and 64% acknowledged financial losses as a result of those breaches (SN, March 10, 2003).

Yet, retailers, like other businesses, are seeing a decided upturn in the problem. Breault said he has seen a huge increase in the amount of traffic "deflected" because of viruses. Food Lion, Salisbury, N.C., has also seen a rise in virus threats, making network security a higher priority every day, a spokesman said.

Last summer, the virus problem got a lot of press as computer networks around the world were hammered twice. In early August, the Blaster worm exploited a flaw in the Microsoft operating system; less than two weeks later came a round of attacks by the SoBig worm. Some food retailers were left with a time-consuming system clean-up. Following that experience, retailers have been paying greater attention to operational policies designed to inoculate company networks.

Most retailers contacted by SN said the problems created by viruses and worms fall into the category of nuisance. However, their potential to cause greater problems is increasing as more viruses with faster execution times continue to challenge existing security devices. While the complexity of viruses has increased, the learning curve for virus writers is diminishing as more virus code becomes available online, said David Loomstein, group product manager, Symantec Security Response, Cupertino, Calif. Breault said he only sees the virus problem growing for retailers, pointing out that it took only 20 days after Microsoft's latest system woe was revealed for the Blaster worm to be discovered. With earlier viruses like Nimda, he said, retailers had a couple of months.

"The viruses are getting faster and better at causing problems," Breault noted. Network security has been his group's priority for awhile, he said, but in the last 18 to 24 months it has been an enterprise-wide focus.

Part of the issue for retailers is the enticement of their customer-specific data like credit card numbers, home addresses, phone numbers and bank information, said Neel Mehta, research engineer, Internet Security Systems, Atlanta. Hackers will go to extraordinary lengths to get choice, sensitive information, he stressed, adding that organizations should go to the same lengths to protect it.

What to Do

Most retailers have the basic security pieces in place to guard their networks, such as firewalls, virus scanners and intrusion-detection software. Yet, legacy systems can go out of date, communication can break down within an enterprise, and smarter worms are finding loopholes into organizations that think they are safe. Thus, savvy retailers advocate a best practices approach to combating viruses, employing constant vigilance.

"The real key is stepping back, taking a look at the problem from an organizational standpoint to identify where all the risk areas are, and then making sure that something is put in place to mitigate future problems," said Pathmark's Schoening. "Then just stay vigilant, kind of like our whole country. We're all vigilant for something; we're all sitting at Code Yellow."

At Food Lion, where the impact has been limited to "mostly nuisance in nature," the chain has still devoted considerable IT resources to continually scan for -- and apply software patches to prevent -- virus proliferation throughout enterprise back-office systems, said Doug Miller, director of store systems, Food Lion.

Russ Ross, CIO for Giant Eagle, Pittsburgh, said his store environment was impacted by the Blaster worm for several hours, while his IT department worked to get a security patch applied to all PCs. The attack also highlighted weak areas in the enterprise, he said.

"The worm blaster made us aware that we need to address virus security with vendors that are supplying devices such as blood-pressure monitors or deli kiosks that include a PC in the device," Ross told SN. "The e-mail virus has been a nuisance, but to a much lesser extent. Our virus protection software did a good job of minimizing the impact." Hannaford uses all the traditional security tools, but has added some strategies. For example, the company uses a firewall structure known as a "Demilitarized Zone" (DMZ) that attaches separate firewalls to the Web and a company's internal network to create a safe zone between the company and the Internet.

Additionally, Hannaford makes use of a service from Symantec as well as other mailing lists that update him and his team continually on new virus threats and system vulnerabilities.

ISS' Mehta cautions that while many widely deployed security technologies continue to be necessary, they're not going to protect systems from every worm. "Firewalls are deployed virtually everywhere, but these worms have an uncanny way of getting around them," he said.

Historically, Mehta added, businesses have been lucky that worms don't usually carry very destructive payloads. Often, they just gather e-mail addresses or play some prank, but there's no guarantee that luck will hold out.

CYBER-SECURITY 101

The following is a brief glossary of key terms used in the Internet security arena.

Virus -- Software used to infect a single computer. Virus code becomes buried in an existing program. When that program is used, the virus is activated and begins replicating itself and attaching to other programs. It usually needs to be attached to e-mail by a user to infect other computers.

Worm -- In contrast to a virus, a worm generally relies less or not at all on users to spread to other computers, copying itself over a network. Within a given computer, it replicates itself, using up resources until it eventually pulls the whole system down. Examples include Slammer, Blaster and SoBig.

Blaster Worm -- This worm exploited a weakness in the Microsoft 2000 and XP operating systems to insert a file deep into the operating system's registry, where most of the basic operating rules are stored. It then caused computers to restart without warning, and spewed out thousands of connection requests per minute looking for other machines to infect. So much memory on individual computers was eaten up that users couldn't do very simple tasks like moving the mouse across the desktop.

Trojan Horse -- A program that appears to be legitimate but performs an illicit activity when it is run. It is similar to a virus, except that it does not replicate itself. It resides on a computer's hard drive, looking for information like passwords, destroying data, or allowing someone located remotely to take control of the computer. Trojan Horses often sneak in with a game or other utility.

Firewall -- A security measure designed to keep a network secure from intruders. Usually, firewalls that protect a whole network are a hardware installation, but software firewalls are also available to protect individual computer stations. It can use a single router to filter out unwanted packets of data, or employ a combination of routers and servers that perform some type of firewall processing.

DMZ (demilitarized zone) -- Also called a perimeter network. It is a safe middle ground created between an enterprise's internal network and an untrusted external network, such as the Internet.