[ISN] War, ethics and security

From: InfoSec News (isnat_private)
Date: Thu Apr 10 2003 - 00:25:53 PDT


    http://www.computerworld.com/securitytopics/security/story/0,10801,80185,00.html
    
    By Marcia Wilson
    APRIL 09, 2003
    Computerworld
    
    The cyberwar has intensified along with the war in Iraq, or so we
    hear.
    
    I honestly thought our entire telecommunications infrastructure was
    going to be brought to its knees when the war started. Not because I
    professionally believed it was possible, but because I was personally
    frightened by the thought of war.
    
    Silly me. Well, not so silly. Cyberwarfare, a.k.a. cyberannoyance, has
    increased and been highly publicized in online security circles. The
    TV media has been completely engrossed in blow-by-blow accounts of the
    war in Iraq. Print media isn't far behind. The world of
    cybercommunication isn't constrained by the size of a newspaper or
    airtime minutes. There are plenty of information security Web sites to
    peruse and endless e-mail security alerts to read. But have there been
    any real attacks on the infrastructure?
    
    It appears that the "attacks" are primarily composed of Web
    defacements and obnoxious anti-something attempts. AlJazeera.net, the
    online version of the Arabic news channel, has been the hot discussion
    topic in recent weeks. Hackers took down numerous servers and defaced
    the site with pro-war statements (see story). Recently, the servers
    were knocked off-line. Whodunit is being debated.
    
    There's a group of Chinese hackers who are planning attacks on U.S.-
    and U.K.-based Web sites in protest of the war. There is a group in
    Malaysia that's threatening "suicide cyberattacks" if America launches
    a war in Iraq. Oops, too late! Defacement -- ad nauseam. An article
    from the Detroit Free Press states, "Think of it as the Information
    Age's electronic equivalent of graffiti protests." Sounds a little
    immature, doesn't it?
    
    The FBI's National Infrastructure Protection Center issued a warning
    that we should be on guard against Iraq sympathizers and antiwar
    activists, whatever that means. OK, so I'm sitting in my office and I
    look through the window into the cubicle area. I notice a guy in a
    turban in one of the cubes. He's a programmer. He's hammering away at
    the keyboard and talking rapidly in Arabic on the phone at the same
    time. Should I be on alert and ask the security guys to start
    monitoring his phone calls, e-mail conversations and Internet usage?  
    Or should I recall that he's been working with the company for 10
    years, is an excellent programmer cramming to finish a project and is
    talking to his wife about one of the kids whose teacher just called
    from school?
    
    No, wait! I've got it. I should stop buying sundries at the 7-Eleven
    store because I'm sure "they" are funding terrorist activities from
    those questionable magazine sales. No, that can't be it. Come on now!  
    Give me something more to do, will ya? How ignorant are we? More
    important, what is it that we are supposed to do? The Washington Post
    recently published an article that suggests "vigilance is par for the
    course" in these troubled times.
    
    What's the right thing to do? Follow this simplistic thinking for a
    moment:
    
    * A child runs out to the street and plays ball with friends. The
      mother sees the child playing unsafely in the street. The mother
      runs into the street screaming at the child, grabs the child and 
      takes the child to safety.
    
    * Ten years later, the child is a teenager. The teenager goes to a
      party, drinks too much, gets behind the wheel, tries to drive home,
      makes it; Mom and Dad aren't paying attention; no harm, no foul.
    
    * Ten years later, a young woman goes bar-hopping, makes an attempt to
      drive home, crashes head-on into another car, survives but kills a
      young family including an infant who was thrown from the vehicle.
      She goes to jail for 15 years and everyone wonders how this could've
      happened in "such a good family."
    
    What's wrong with each scenario? The wrongness comes from not
    controlling the environment in an effective way, not penalizing each
    event to the degree to ensure that it won't ever happen again. Spank
    the child. Educate the child. Stay up until the child gets home to
    assess the condition of the child. Take away the car keys. Safety
    requires vigilance in all aspects of our lives, not just in
    cyberspace. Keep with me now.
    
    Do any of these terms sound familiar? Awareness, access control,
    authentication, authorization.
    
    Technologists need to apply some "tough-love" thinking to operational
    controls that will assure the safety of our information assets from
    terrorists or antiwar protesters or other hackers and only grant
    access on a "need-to-know" basis.
    
    Awareness isn't about acting unethically in our day-to-day activities
    by defacing Web sites, promoting unfair discriminatory policies or
    generally being overreactive and hysterical. Awareness is about
    applying the necessary access controls and requiring authentication
    and appropriate authorization to access information.
    
    A news article in The Idaho Statesman suggests a link between
    cybersecurity and al-Qaeda, but there isn't any proof yet that the
    student studying advanced cyberterrorism prevention at the University
    of Idaho has done anything wrong other than having been named Sami
    Omar Al-Hussayen. His graduate adviser says, "We should recall what it
    means to be American and what we cherish about our country." Oh, this
    is so hard for us, isn't it? According to The Statesman, a university
    policy prevents those without U.S. citizenship from working on
    government projects. That's an adequate control mechanism. Web site
    defacements can be prevented by adequate controls and patching
    servers.
    
    Other recent stories of hack attacks involve Americans breaking into
    U.S. systems. The New York Post tells the story of a 17-year-old son
    of a computer security executive who was arrested after allegedly
    hacking and stealing credit card numbers. I feel for this father,
    since I have an unusually bright son myself.
    
    Another recently publicized event from The Atlanta
    Journal-Constitution describes how computer hackers broke into a
    database at Georgia Tech and copied names, addresses and credit card
    information for 57,000 patrons of the Ferst Center for the Arts.
    
    It's apparent that the order of the day is to spend time securing our
    environments, rather than spending time protesting or defacing Web
    sites. What is the right thing to do?
    
    
    
    Marcia J. Wilson holds the CISSP designation and is the founder and
    CEO of Wilson Secure LLC, a company focused on providing independent
    network security auditing and risk analysis. She can be reached at
    marciaat_private
    
    
    
    -
    ISN is currently hosted by Attrition.org
    
    


