Last Updated: 2010-02-21 00:24:41 UTC
by Marcus Sachs (Version: 1)
At 8 pm EST (0100 UTC) on February 20th and 21st CNN will air a program called "Cyber Shockwave" which was filmed last Tuesday in Washington, D.C. I was invited to be in the studio audience during the taping of the program. I am frankly disappointed with the way it turned out. First, the scenario used as a backdrop is not realistic. The presumption is that a smartphone application is used to crash large portions of the nation's cellular phone system, which then leads to outages in the POTS (plain old telephone system) networks, which leads to loss of air traffic control, disruptions at the New York Stock Exchange, and massive power outages. As most of our readers know, such a cascading effect across multiple networks and systems is not likely. Not saying it's impossible, just not likely. The second issue is the fact that the people playing the role of National Security Council members failed to recognize the role of the private sector until well into the second hour. The government does not own or operate the communications infrastructure in the United States. To leave the private sector out of the conversation is a massive oversight. To be fair, the panel does recognize that the private sector has a role, but it comes after a long deliberation about how helpful the government should be.
My fear is that the average viewer will come away from this program convinced that the scenario is real (after all, why would CNN show something that is not real?) and that only the government can help lead us into a world of peaceful coexistence in cyberspace. As most (hopefully all) of our readers know, cyberspace is very complex and security comes not from just the private sector or just the government but jointly, with each party playing a very important role.
I invite you to watch the program then post your comments or thoughts below using the COMMENT feature.
ps - watch the two maps, the one of the cell phone outages and the one of the electric grid failures. The cell phone maps show "green" where there is 100% operation, including areas of the country where there is no coverage at all. The electric power map is actually a map of the highway system. Watch the highways go dark later in the simulation. I've never seen highways go dark during a power failure (unless it's at night.)
Director, SANS Internet Storm Center
Last Updated: 2010-02-20 21:51:41 UTC
by Mari Nichols (Version: 1)
I was reading my morning newspaper one day this past week (a real treat since my cataract surgeries) and I came upon several articles concerning a local municipality that experienced a self-imposed DOS due to a massive malware infection. The CIO explained that "curiously, only those employees who had turned off their computers at night were infected". Now, in security, we understand fully why this happened and it is not curious at all. This statement causes flashbacks to all the times I have experienced many a cost-conscious "green" dept. heads, with good intentions, requesting their employees to turn off their computers at night to save money and the planet. Hey, I'm as green as the next guy, but at some point, penny pinching and IT just don't mix.
Maybe we aren't explaining this situation well enough, (more likely CIO support for security was non-existent), but it seems to me that the IT security department at this municipality needed to explain to the CIO and advise city employees that the majority of security updating is completed during off hours as to not interfere with production. Yes, we do have ways to kick off updates after the computer is turned on in the morning, but at the same time, we have allowed production requirements to interfere with those updates by allowing the users to stop scans or generally override any security setting which may interfere with the goal of production. That said, our main responsibility must be to keep our domains as up-to-date as possible to combat the barrage of morphing attacks. And we realize even that isn't enough, when that one "green guy" opens an infected PDF file or is redirected to a malware spewing site. A site directing attacks to the third-party software we can't find the budget or time to patch with any regularity.
The recent news of the ZeusBot revelations (not to us) and the whole Google/China mess shows what can happen when employees are not educated about their role in keeping the enterprise secure. Employees must have the "big picture" to be of any help. Counting on updating our AV program is just is not a viable methodology any more. While it is imperative that we keep doing our jobs by keeping definitions as updated as possible, (and prevent over-ride of security settings), we are still back to the subject of application patching. All the glorious AV definitions in the world will not prevent an employee from making that search that redirects, or opening an attachment that starts the proverbial ball rolling toward weeks of clean-up and bad press via media hype.
Maybe the publicity helps our cause. At one point I did believe that. Do you think we are still making in roads with the non-security folks with continuous media exposure? Or is it just possible that the public and our CIO's have come to accept these violations as a way of life? I'd like to hear your comments.
Handler on Duty