[lit-ideas] Re: Misunderstanding The information Age

I still haven't fully recovered from trying to explain
the basics of IT sec to bunch of social scientists
into "cyber warfare" couple years back. But, for the
sake of discussion, let's assume we are talking about
someone trying to bring down or cause significant
disruption tp the computer systems in USA (and by
extension pretty much everything connected to
Internet.)

Normally, people doing this are basicly kids with
limited skills using ready made tools. It's vandalism.
There are serious cyber-criminals, but they are not
interested in causing havoc unless profit can be made
out of it (extorsion, mainly.) As for
cybet-terrorists, well fortunately a server crash
isn't particullary good TV.

Now, professional attackers with goverment protection,
backing and resources is something completely
different. Asking whether average US corporation, or
pretty much any civilian institution, can defend
against such attack is kind of like asking whether
they have defences against aerial bombardment.

There are various degrees of badness to aim at here.
One is systems shutting down, which would cause
significant damage, but recovery is fairly easy.
Second is data loss, which is worse, but while backups
tend to be nowhere as good as they should be, most of
the data can be restored from them. Third is data
corruption, the problem here is figuring out exactly
what got corrupted and this would be very, very bad.

Fourth, is silent data corruption, that is addresses
in db change, bank account balances turn negative,
files become unreadable... and you don't notice until
it is too late. Sophisticated Trojans for instance
could be used that, but most likely an attacker would
combine various methods: insiders, so called social
hacking, physical attacks (by which I mean cutting
power, causing a fire alarm, etc.) and so on. There is
no way I see to recover from the last attack, and yes
I think this is easily withing the capability of a
state funded cyber attack operation. However, as Phil
Enns noted, it would be impossible to contain damage
just to USA.

Other thing to note is that in practice balance is
struck between cost/convience and security in any
field of life, and IT is no exception. The fundamental
reason IT sec is so bad is because we don't believe
the extra security is worth the costs and
inconvenience (how many of you has the same user id /
password combo for several purposes?) Even the threat
of cyber warfare could push organizations of all kinds
to take drastic measures: private networks, plugging
desktops of the net, dragonian controls on users and
so on. Basicly turning the clock back ten years. I've
worked on and heard off millitary grade security
systems: they are very cool, very expensive and very
inflexible.

On the bright side, yours truly would be chasing off
head hunters with a stick. Bring em on, I say.


Cheers,
Teemu
Helsinki, Finland


                
__________________________________ 
Yahoo! Mail - PC Magazine Editors' Choice 2005 
http://mail.yahoo.com
------------------------------------------------------------------
To change your Lit-Ideas settings (subscribe/unsub, vacation on/off,
digest on/off), visit www.andreas.com/faq-lit-ideas.html

Other related posts: