North American Network Operators Group

Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical

Re: White House to Propose System for Wide Monitoring of Internet(fwd)

  • From: Richard Forno
  • Date: Tue Dec 24 00:09:00 2002

> Also, this threat can be mitigated more cost effectively through
> system and network hardening than by expanding the monitoring
> infrastructure to be able to handle such a difficult to
> codify threat (in any general sense).

I agree totally. However, it's unglamorous, and not as sexy of an
announcement - or as cool looking - as saying the Federal UberSOC is on its
way.  But it's Uncle Sam doing what he does best - reinventing a
less-capable wheel at a higher cost.

> Cyberattacks (again IMHO) are still in the realm of being opportunistic,
> as we have seen that given as little as $5-10,000, the resources necessary
> to reliably cause widespread damage are better spent on a plane ticket than
> a hacker.  

Definitely agree - 0911 was done for under $150K according to some reports,
and if you think about it, the terrorists got a heck of a return for their
investment, far more than they could hope to achive in a 'cyberwar' attack.

The motive of terrorism is to sow fear. There's much more visceral fear
seeing the WTC collapse than watching a graphic on television trying to show
how a buffer overflow worked on SCADA system.  :)

> The cyberterrorist threat is based upon the exposure of network systems
> and the motivation of the attacker. What is not taken into account in
> this threat description is the other, more reliable and severe options
> available to someone with the same resources and motives.

No, the cyberterrorist threat is a sensational concept based on FUD,
ignorance, and hype....and believed to be true by the same politicos who
think "Swordfish" was a realistic movie about INFOSEC.

If we're going to say there are cyberterrorists, then we've got to start
saying 0911 was the result of aeroterrorists. The manner in which the attack
is carried out doesn't matter -- terrorism is terrorism is terrorism.

As George Carlin might say, "there are no cyberterrorists."

In this case, instead of accepting responsibility for our actions (or
inactions) regarding INFOSEC, we point fingers at anyone else - such as
phantom cyberterrorists - to avoid responsibility and accountability. It's
nothing more than the latest version of Passing The Buck.  We see INFOSEC
incidents occur regularly because WE MAKE IT EASY FOR THEM TO OCCUR and thus
BRING IT ON OURSELVES....either through poor management, bad system/network
administration and design, or shoddy software. (BTW, I meant "we" in terms
of the IT Society, not "we" meaning the experts here on NANOG!)

> threat model, we can be relatively successful. However, some threats
> are best dealt with by limiting our assets exposure to them instead of
> building in safeguards whose reliability is inversely proportional to
> their complexity. :)

Which goes along with what I tell students at NDU each month -- if
something's deemed a 'critical infrastructure system' (SCADA, banking, etc.)
it should not be on any publicly-accessible network, and the higher costs
associated with higher levels of security (eg, using dedicated,
privately-owned pipes vice a VPN over the Internet) must be an acceptable
and necessary part of the security solution.

If something's deemed 'critical' to a large segment of the population, then
security must NEVER outweigh conveinience. Period. Non-negotiable.

> inherant administrative overhead of tracking them. The only
> defense against them is to keep your patch levels current, your
> firewalls strict, and watch until they get lazy and make a mistake.

Amen!  This goes back to making sure system admins are competent, trained,
and have the time to ensure these security functions are carried out.
Unfortunately, I've found they spend most of their time hunting repeated
problems in certain mainstream OS environments -- which means that PROACTIVE
security routinely takes a back-burner to REACTING to the latest overflow,
trojan, worm, or virus....or to a 'new' problem injected by the
vendor-endorsed patches that allegedly fixed existing ones.

Of course, while no OS is perfect, if our systems weren't built on such a
flaky foundation, we'd have more time to work on securing them instead of
just keeping them operational and somewhat less-annoying while
simultaneously providing a self-inflicted target of opportunity for some

> It does not matter who is watching if you are invisible. A
> sensor can only see what it is looking for. A hacker cannot
> be seen merely by looking.

Hence the need for intelligent network monitoring and pattern profiling,
something I've been mulling over for a while now.

/rant.   :)