http://www.computerworld.com/securitytopics/security/story/0,10801,80185,00.html

By Marcia Wilson
APRIL 09, 2003
Computerworld

The cyberwar has intensified along with the war in Iraq, or so we hear. I honestly thought our entire telecommunications infrastructure was going to be brought to its knees when the war started. Not because I professionally believed it was possible, but because I was personally frightened by the thought of war. Silly me.

Well, not so silly. Cyberwarfare, a.k.a. cyberannoyance, has increased and been highly publicized in online security circles. The TV media has been completely engrossed in blow-by-blow accounts of the war in Iraq. Print media isn't far behind. The world of cybercommunication isn't constrained by the size of a newspaper or airtime minutes. There are plenty of information security Web sites to peruse and endless e-mail security alerts to read.

But have there been any real attacks on the infrastructure? It appears that the "attacks" are primarily composed of Web defacements and obnoxious anti-something attempts.

AlJazeera.net, the online version of the Arabic news channel, has been the hot discussion topic in recent weeks. Hackers took down numerous servers and defaced the site with pro-war statements. Recently, the servers were knocked off-line. Whodunit is being debated.

There's a group of Chinese hackers who are planning attacks on U.S.- and U.K.-based Web sites in protest of the war. There is a group in Malaysia that's threatening "suicide cyberattacks" if America launches a war in Iraq. Oops, too late!

Defacement -- ad nauseam. An article from the Detroit Free Press states, "Think of it as the Information Age's electronic equivalent of graffiti protests." Sounds a little immature, doesn't it?

The FBI's National Infrastructure Protection Center issued a warning that we should be on guard against Iraq sympathizers and antiwar activists, whatever that means.
OK, so I'm sitting in my office and I look through the window into the cubicle area. I notice a guy in a turban in one of the cubes. He's a programmer. He's hammering away at the keyboard and talking rapidly in Arabic on the phone at the same time. Should I be on alert and ask the security guys to start monitoring his phone calls, e-mail conversations and Internet usage? Or should I recall that he's been working with the company for 10 years, is an excellent programmer cramming to finish a project and is talking to his wife about one of the kids whose teacher just called from school?

No, wait! I've got it. I should stop buying sundries at the 7-Eleven store because I'm sure "they" are funding terrorist activities from those questionable magazine sales. No, that can't be it. Come on now! Give me something more to do, will ya?

How ignorant are we? More important, what is it that we are supposed to do? The Washington Post recently published an article that suggests "vigilance is par for the course" in these troubled times. What's the right thing to do?

Follow this simplistic thinking for a moment:

* A child runs out to the street and plays ball with friends. The mother sees the child playing unsafely in the street. The mother runs into the street screaming at the child, grabs the child and takes the child to safety.

* Ten years later, the child is a teenager. The teenager goes to a party, drinks too much, gets behind the wheel, tries to drive home, makes it; Mom and Dad aren't paying attention; no harm, no foul.

* Ten years later, a young woman goes bar-hopping, makes an attempt to drive home, crashes head-on into another car, survives but kills a young family including an infant who was thrown from the vehicle. She goes to jail for 15 years and everyone wonders how this could've happened in "such a good family."

What's wrong with each scenario?
The wrongness comes from not controlling the environment in an effective way, not penalizing each event to the degree needed to ensure that it won't ever happen again. Spank the child. Educate the child. Stay up until the child gets home to assess the condition of the child. Take away the car keys.

Safety requires vigilance in all aspects of our lives, not just in cyberspace. Keep with me now. Do any of these terms sound familiar? Awareness, access control, authentication, authorization. Technologists need to apply some "tough-love" thinking to operational controls that will assure the safety of our information assets from terrorists or antiwar protesters or other hackers and only grant access on a "need-to-know" basis.

Awareness isn't about acting unethically in our day-to-day activities by defacing Web sites, promoting unfair discriminatory policies or generally being overreactive and hysterical. Awareness is about applying the necessary access controls and requiring authentication and appropriate authorization for access to information.

A news article in The Idaho Statesman suggests a link between cybersecurity and al-Qaeda, but there isn't any proof yet that the student studying advanced cyberterrorism prevention at the University of Idaho has done anything wrong other than having been named Sami Omar Al-Hussayen. His graduate adviser says, "We should recall what it means to be American and what we cherish about our country." Oh, this is so hard for us, isn't it?

According to The Statesman, a university policy prevents those without U.S. citizenship from working on government projects. That's an adequate control mechanism. Web site defacements can be prevented by adequate controls and patching servers.

Other recent stories of hack attacks involve Americans breaking into U.S. systems. The New York Post tells the story of a 17-year-old son of a computer security executive who was arrested after allegedly hacking and stealing credit card numbers.
I feel for this father, since I have an unusually bright son myself.

Another recently publicized event from The Atlanta Journal-Constitution describes how computer hackers broke into a database at Georgia Tech and copied names, addresses and credit card information for 57,000 patrons of the Ferst Center for the Arts.

It's apparent that the order of the day is to spend time securing our environments, rather than spending time protesting or defacing Web sites. What is the right thing to do?

Marcia J. Wilson holds the CISSP designation and is the founder and CEO of Wilson Secure LLC, a company focused on providing independent network security auditing and risk analysis. She can be reached at marciaat_private