http://www.theregister.co.uk/2005/09/13/katrina_security_lessons/ By Mark Rasch SecurityFocus 13th September 2005 In the waning days of August, a massive category four hurricane devastated the gulf coast of the United States, particularly devastating the city of New Orleans. In addition to the estimated $50bn in property damage, clean-up and reconstruction costs, and the hundreds of likely dead, and tens of thousands displaced, the hurricane and its aftermath have disrupted businesses throughout the southern United States. From this disaster, there are a few lessons IT staff, and IT security staff, as well as senior management should learn. The sad thing is that many won't take these lessons to heart. 1. Infrastructure is important Much of the devastation resulting from hurricane Katrina, particularly to the city of New Orleans, resulted not from the initial wind damage, but from the collapse of key portions of the infrastructure which were not designed to withstand an event that, at least in retrospect, was eminently predictable, if not inevitable. The collapse of key levees in the Big Easy caused tens of millions of dollars of damage and loss because they were designed to withstand only a category three hurricane. In most companies, the IT infrastructure has grown organically, based upon the needs or perceived needs of individual business units. Thus, the mix of hardware and software, applications, technologies and processes are generally not mapped, and generally not adequate. Most entities do not know what technologies that they have employed, what software (or versions) they are using, or even what the scope and extent of their network looks like. In addition, in most enterprises, "security" is a discrete item - it's an add-on, often an afterthought, yet it's frequently mentioned in one of those, "oh by the way" telephone calls after some new application is about to go (or has already gone) live. Infrastructure is fragile and brittle. Survivability, redundancy, and security have to be built into it at the outset. An elegant network or application is of no use if it is destroyed, insecure, or inoperable. Duh. 2. Infrastructures are co-dependant We typically think of IT as a single infrastructure, but it is not. Perhaps if your network and the Internet are seen as one of the same, it's easier to explain all those security breaches on "your" network. When the hurricane took down the electricity, the oil and natural gas refineries on the mainland of the gulf coast could not operate, nor could the pumping stations pump any oil or gas. A single catastrophic event will likely lead to the disruption of multiple infrastructures, each dependent upon each other. The same is true for both IT and IT security. Electricity, telecommunications, Internet, transportation, and people are all co-dependent. Knowledge of these facts should inform not only your disaster recovery plans, but also your initial design. Don't forget that hardware, software, policy, planning and training are also key elements of your infrastructure. 3. Prevention is cheaper than response (usually) Much of the work of prevention - knowing what the risks to the enterprise are, and mitigating these risks where it's cost-effective - can and should be done long before any attack or disaster affects an enterprise. It has been estimated that the costs of responding to an attack, including personnel costs, data recovery costs, diversion of attention from other priorities, direct economic damage and theft, and costs that damage one's reputation are often from 10 to 100 times the cost of preventing the damage in the first place. Right now, the tens of millions of dollars it would have cost to shore up and improve the levees looks like a sound investment. A month ago, it was government pork barrel spending. We typically tie IT security spending to a percentage of the overall IT budget, and then value security based upon the value of the IT infrastructure. Why spend $50,000 to secure an IT asset that itself only cost (or is worth) $5,000? This is the wrong way to analyze the situation. We need to address the cost not of the IT itself, but the value of the information that is being processed by, stored on, or transmitted through the infrastructure. The correct questions to ask are: "What would happen to my enterprise if this information was lost? Corrupted? Stolen? Unavailable?" What would happen to the company's reputation? To the ability to deliver services? Remember that in security we are protecting companies and agencies, not computers. 4. Cost of response is shifted A typical axiom in the tort law of negligence is that we impose the liability upon the party or entity best able to avoid the damage or risk. In the case of the New Orleans flooding, this would have been some combination of the local, state and federal governments, including the U.S. Army Corps of Engineers, and of course, the United States Congress that funds these projects, as well as the electorate that votes for these Members of Congress. Had better, stronger and more durable levees been constructed and maintained, billions of dollars of damage could have been prevented. However, in most situations, the people bearing the risk of loss are not the same people who have to make the decisions about prevention. Homeowners in New Orleans essentially had little say about whether the levees were built (although they could have chosen to live elsewhere - like San Francisco or Sri Lanka?) What is worse, drivers in Washington, D.C., those who are now paying $3.70 a gallon for gas that was just $2.50 before the hurricane, previously had little reason to support plans to build stronger levees or redundant distribution centers on the gulf coast. Operators of the closed Houston Astrodome also had little reason to appreciate the effects of a hurricane in Louisiana on their facility. In IT attacks, the same is true. The people whose information is affected by the attack may be distant - temporally, proximally or otherwise - from the decisions about whether or how to secure the IT. The cost of prevention may come from the IT budget, but the benefit goes to other business units' productivity and it is rarely captured. The same is true for the costs of avoidance. We need better metrics for the TRUE cost of NOT providing adequate security, and then we will be better able to make informed decisions about how much to spend on security. 5. Insurance is important In the aftermath of hurricane Katrina, many individuals who thought they had insurance (because they had been paying thousands of dollars in premiums, for years) to cover damages resulting from the hurricane find that they may not be insured for the damages. This is because most insurance policies have specific riders excluding coverage for damage resulting from "flooding." So if a hurricane blows out a levee causing water to crash into and submerge your house, the damage, although caused by a hurricane, may not be covered. Many insurance companies offer various forms of insurance to protect key parts of the IT infrastructure. These include general business interruption insurance, reputation insurance, theft, damage or loss insurance, critical document insurance, and various forms of cyber-insurance. However, these policies contain riders and exclusions that are often confusing and mutually contradictory. If there is "physical damage" to a computer that holds your critical documents, you may be covered, but "logical damage" may not be covered. If the hard drives are wiped out by a flood it may be covered, and similarly if they're wiped by a magnet or a power surge they may be covered - but if they're wiped by a virus or worm, they are excluded. Thus, in conducting risk assessment it is important to review all of your insurance policies (including your D&O policies) to make sure you have appropriate coverage. Also remember that when you are reducing your risk by implementing a comprehensive IT security program, you are also reducing the risk of your insurance company who ultimately would have to pay for covered losses. As a result, just as when you put in a smoke alarm or burglar alarm, you should contact the insurance company when you plan to make significant changes in your security to see whether they will reduce your premiums -- or better yet, pay for the improvements directly. Some companies, particularly those that offer cyber-insurance policies, will even pay for comprehensive audits or assessment themselves. Free security? What could be better? 6. Backup, backup and backup The day before I go to the dentist, I try to do about six months worth of flossing and brushing. Sure, we all know we need to do this, and there is nothing sexy about having a plan for backups, but we frequently don't do them properly - not only at the corporate level, but at the personal level as well. The hurricane also taught us that many of our plans for data recovery and disaster recovery may be too limited. For example, prior to September 11, 2001, both the federal, state and city disaster centers were located in close proximity to each other for planning, coordination and communications purposes. These were, of course, located in the World Trade Center. Not a bad decision to start with, but a very unfortunate result. Similarly, we often have wonderful backup plans to backup data and store it at a remote location just a few blocks or miles away. In the wake of the hurricane, we need to reconsider these decisions. Work locally and backup globally. Of course, this creates new problems. The more distributed information becomes, the more vulnerable it is to attack, disruption, and to the legal processes of the country in which it is located. Outsourcing data storage may solve some of these problems, but it may also create new problems itself. There are all fun things to think about. 7. Training and testing The ultimate defense against disaster are well trained and well equipped people. Too few companies bother to train their employees to recognize cyber attacks, and to respond appropriately to them. All the technology in the world won't help unless people know it exists and know how and when to use it. Awareness and training are critical to success. A cyber attack, like the breach of the New Orleans levees, is more than likely. The best enterprises will be prepared, and therefore will survive. Copyright © 2004 -=- SecurityFocus columnist Mark D. Rasch, J.D., is a former head of the Justice Department's computer crime unit, and now serves as Senior Vice President and Chief Security Counsel at Solutionary Inc. _________________________________________ Attend ToorCon Sept 16-18th, 2005 Convention Center San Diego, California www.toorcon.org
This archive was generated by hypermail 2.1.3 : Wed Sep 14 2005 - 01:42:31 PDT