[ISN] Security Through Soundbyte: The 'Cybersecurity Intelligence' Game

From: InfoSec News (isnat_private)
Date: Tue Nov 19 2002 - 06:30:23 PST


Forwarded from: Richard Forno <rfornoat_private>

Security Through Soundbyte: The 'Cybersecurity Intelligence' Game
Richard Forno
Essay #2002-12

(c) 2002 Richard Forno. Permission granted to reproduce and distribute in
entirety with credit to author.

Full article with in-line URLs is available at:

Some say that cyberspace is the new battlefield, with its own unique
rules, challenges, and concerns for those charged with defending it.
If one does consider cyberspace a modern battlefield, intelligence
must naturally play a key role in developing appropriate, proactive
defenses. Regarding battlefield intelligence, military strategist Sun
Tzu wrote that "what is called foreknowledge cannot be elicited from
spirits, nor from gods, nor by analogy with past events, nor from
calculations. It must be obtained from men who know the enemy
situation." That's sound advice.

During recent months, hardly a week goes by without some reference to
some firm's findings or statistics on hackers, crackers,
cyberterrorists, and the general state of internet security as they
see it. Many times these reports are marketed as cybersecurity

The latest player in the internet security industry is UK-based mi2g,
and the subject of this article. mi2g offers a suite of security
products (essentially they're a systems integrator focused on
security), but is perhaps best known as a "security intelligence
provider" offering research, assessment, and analysis services on the
state of cybersecurity.

As a security professional - and someone 'on the front lines' of the
cyberspace battlefield - I'm both curious and dubious about the whole
'cybersecurity intelligence' business concept, and wonder what it
takes to both become a 'cybersecurity intelligence' expert and make
money at it, too.

For example, a spooky November 11 briefing by mi2g talks about the
need for "counter-attack-forces" to deal with the threats of "digital
terrorism" in the "5th dimension defence shield" against "digital mass
attacks" and notes that it's "not a question of if, but when" such
attacks will occur.

As we've seen elsewhere, coining neat buzzwords in the cybersecurity
realm makes for interesting reading, but does little to offer real
solutions to the security challenges faced today. Such only serves to
fan the flames of public misperception. Even more disturbing is the
report's feeble attempt to capitalize on the public's visceral fear of
real terrorism by trying to relate the 'insider threat' of disgruntled
employees to the al-Qaeda members responsible for the September 11

mi2g claimed that in November 2002 there were 57,977 'overt digital
attacks' to date, and that such 'overt' attacks will cost $7.3 billion
worldwide for 2002. The firm estimates that the total economic damages
of all attacks - overt, covert, virus, and worms - will be between $33
and $40 billion worldwide for the year.

It's never really clear how mi2g differentiates an 'overt' attack
from a 'covert' attack. Does a website defacement count as an
'overt' attack? How does one know when a 'covert' attack occurs? Isn't
that what being 'covert' is all about? And how can one credibly
forecast billions of dollars lost from cyberattacks, especially from
'covert' ones the victim doesn't know have occurred?

One wonders how much mathematical masturbation takes place when
analyzing and generating these numbers. After all, it's quite popular
- and easy - to cite economic losses resulting from cyber-attacks,
especially since proving them is next to impossible. But it sure
sounds impressively frightening to gullible reporters and ignorant
business leaders.

Personally, much of what security experts deem an 'overt' attack is
nothing more than a nuisance event - web defacements, ping attacks,
network compromises, or viruses - and not an act of cyberterrorism.
Yet so much noise is made by firms over these nuisance events, you'd
think the end of the digital world was approaching with each new
vendor security alert. Perhaps if mi2g included unexpected port scans
or pingsweeps as types of 'overt attack' they could generate even more
frightening statistics for their audience, too. That, in turn, might
generate more customer interest in their products and help their
bottom line. Of course, security product and service vendors would
benefit as well, so this continual public threat inflation is a
win-win for everyone in the security industry, regardless of whether
any real security enhancements take place.

Also in November, mi2g claimed that "just one motivated individual
cannot usually perpetrate complex cross-boundary physical or digital
terrorism," yet a statement from a 1999 internal mi2g memo - now used
as part of a marketing white paper - notes that [information-based]
'warfare' is "readily available to groups and individuals at anytime,
anywhere in the world." So which is it?

This sounds suspiciously like former US National Security Advisor
Anthony Lake's FUD-filled remarks in his book 'Six Nightmares', where
he believes that if you're under thirty and have a computer and access
to the internet, you can become a potential cyberterrorist and
Harbinger of Global Digital Evil. Of course, Lake, mi2g, and other
private and government-sector folks - like Senator Schumer of New York
- continue to preach that cyber-attacks will cause airplanes to fall
from the sky (a favorite scenario for these cyber-Chicken-Littles) and
that the end of the world will occur not with a bomb but with a directed
TCP/IP packet, even though recognized terrorism experts regularly
challenge this fear-based belief.

So, given all its media coverage and gloomy forecasts of electronic
and economic doom, what's the real-world experience mi2g is drawing on
to generate its assessments? At first glance, you'd think the firm had
been focused exclusively on internet security for almost a decade, and
was filled to the brim with recognized cybersecurity wizards akin to
eEye or @Stake.

Sadly, that's not the case. Cybersecurity FUD-buster (and VMyths
owner) Rob Rosenberger conducted his own ongoing review of mi2g over
the past few years, and his observations make for some interesting
reading. In the interest of time, I'll summarize the mi2g mystique in
two paragraphs, and let you form your own conclusions.

Scouring the web, we find that in the mid-1990s, mi2g started off as
an e-business enabler focused on operating portal sites (such as
Carlounge.Com and Lawlounge.Com) under the corporate motto "Bringing
The Web To The World." Suddenly, in 1999, with the digital apocalypse
of Y2K looming ahead, the firm morphed into an internet security
company that "by integrating state-of-the-art software engineering
technology with super computing capability is revolutionising the
world of eCommerce and for the first time maximising the return from
the internet whilst minimising the risk." This was the same time when
internet security companies were sprouting up faster than the kudzu in
my backyard. That shift brought the firm to where it is today: a
provider of 'security intelligence' and other security-related
products. One wonders what new market mi2g will be exploiting three
years from now.

The firm's current website reveals little about the background of its
staff; most appear to be folks without significant operational IT
security experience. It's interesting that only DK Matai, mi2g's
founder and CEO, seems to speak or write publicly on security topics
(few if any mi2g folks are active in the security discussion
community, it seems) and, although a seemingly talented academic, he
apparently has never been involved in the trenches of day-to-day IT
security in the real corporate world.

Compare this to other commercial firms founded to focus exclusively on
IT security that employ many well-known, highly-experienced, and
frequently-quoted security experts to help draft formal analyses on
the state of cybersecurity. Who would you trust when being presented
analysis and estimations about the state of cybersecurity? Soundbytes
alone don't make a credible security expert.

George Orwell wrote that if you preach something loud and often
enough, you can get folks to believe it as truth, no matter how
far-fetched your message. Those who blindly accept continual reports
of impending gloom and doom, the need for "counter-attack-forces" to
prevent "digital mass attacks", and the need to minimize dubious
economic losses will never be able to implement effective information
security programs. They are basing their defenses on the customized
opinions of self-monikered 'experts' - trying to make a profit - who
have never set their proverbial foot on the cyber-battlefield and only
know the enemy by what they've read or heard about them.

And that's a very dangerous thing, no matter what battlefield you're

Further Reading

Study makes less of hack threat (Wired)

Special Thanks to McW and Rob for their help in drafting this article.
ISN is currently hosted by Attrition.org
