Information Security News mailing list archives

War, ethics and security


From: InfoSec News <isn () c4i org>
Date: Thu, 10 Apr 2003 02:25:53 -0500 (CDT)

http://www.computerworld.com/securitytopics/security/story/0,10801,80185,00.html

By Marcia Wilson
APRIL 09, 2003
Computerworld

The cyberwar has intensified along with the war in Iraq, or so we
hear.

I honestly thought our entire telecommunications infrastructure was
going to be brought to its knees when the war started. Not because I
professionally believed it was possible, but because I was personally
frightened by the thought of war.

Silly me. Well, not so silly. Cyberwarfare, a.k.a. cyberannoyance, has
increased and been highly publicized in online security circles. The
TV media has been completely engrossed in blow-by-blow accounts of the
war in Iraq. Print media isn't far behind. The world of
cybercommunication isn't constrained by the size of a newspaper or
airtime minutes. There are plenty of information security Web sites to
peruse and endless e-mail security alerts to read. But have there been
any real attacks on the infrastructure?

It appears that the "attacks" are primarily composed of Web
defacements and obnoxious anti-something attempts. AlJazeera.net, the
online version of the Arabic news channel, has been the hot discussion
topic in recent weeks. Hackers took down numerous servers and defaced
the site with pro-war statements. Recently, the servers
were knocked off-line. Whodunit is being debated.

There's a group of Chinese hackers who are planning attacks on U.S.-
and U.K.-based Web sites in protest of the war. There is a group in
Malaysia that's threatening "suicide cyberattacks" if America launches
a war in Iraq. Oops, too late! Defacement -- ad nauseam. An article
from the Detroit Free Press states, "Think of it as the Information
Age's electronic equivalent of graffiti protests." Sounds a little
immature, doesn't it?

The FBI's National Infrastructure Protection Center issued a warning
that we should be on guard against Iraq sympathizers and antiwar
activists, whatever that means. OK, so I'm sitting in my office and I
look through the window into the cubicle area. I notice a guy in a
turban in one of the cubes. He's a programmer. He's hammering away at
the keyboard and talking rapidly in Arabic on the phone at the same
time. Should I be on alert and ask the security guys to start
monitoring his phone calls, e-mail conversations and Internet usage?  
Or should I recall that he's been working with the company for 10
years, is an excellent programmer cramming to finish a project and is
talking to his wife about one of the kids whose teacher just called
from school?

No, wait! I've got it. I should stop buying sundries at the 7-Eleven
store because I'm sure "they" are funding terrorist activities from
those questionable magazine sales. No, that can't be it. Come on now!  
Give me something more to do, will ya? How ignorant are we? More
important, what is it that we are supposed to do? The Washington Post
recently published an article that suggests "vigilance is par for the
course" in these troubled times.

What's the right thing to do? Follow this simplistic thinking for a
moment:

* A child runs out to the street and plays ball with friends. The
  mother sees the child playing unsafely in the street. The mother
  runs into the street screaming at the child, grabs the child and 
  takes the child to safety.

* Ten years later, the child is a teenager. The teenager goes to a
  party, drinks too much, gets behind the wheel, tries to drive home,
  makes it; Mom and Dad aren't paying attention; no harm, no foul.

* Ten years later, a young woman goes bar-hopping, makes an attempt to
  drive home, crashes head-on into another car, survives but kills a
  young family including an infant who was thrown from the vehicle.
  She goes to jail for 15 years and everyone wonders how this could've
  happened in "such a good family."

What's wrong with each scenario? The wrongness comes from not
controlling the environment in an effective way, not penalizing each
event to the degree to ensure that it won't ever happen again. Spank
the child. Educate the child. Stay up until the child gets home to
assess the condition of the child. Take away the car keys. Safety
requires vigilance in all aspects of our lives, not just in
cyberspace. Keep with me now.

Do any of these terms sound familiar? Awareness, access control,
authentication, authorization.

Technologists need to apply some "tough-love" thinking to operational
controls that will assure the safety of our information assets from
terrorists or antiwar protesters or other hackers and only grant
access on a "need-to-know" basis.

Awareness isn't about acting unethically in our day-to-day activities
by defacing Web sites, promoting unfair discriminatory policies or
generally being overreactive and hysterical. Awareness is about
applying the necessary access controls and requiring authentication
and appropriate authorization for access to information.

A news article in The Idaho Statesman suggests a link between
cybersecurity and al-Qaeda, but there isn't any proof yet that the
student studying advanced cyberterrorism prevention at the University
of Idaho has done anything wrong other than having been named Sami
Omar Al-Hussayen. His graduate adviser says, "We should recall what it
means to be American and what we cherish about our country." Oh, this
is so hard for us, isn't it? According to The Statesman, a university
policy prevents those without U.S. citizenship from working on
government projects. That's an adequate control mechanism. Web site
defacements can be prevented by adequate controls and patching
servers.

Other recent stories of hack attacks involve Americans breaking into
U.S. systems. The New York Post tells the story of a 17-year-old son
of a computer security executive who was arrested after allegedly
hacking and stealing credit card numbers. I feel for this father,
since I have an unusually bright son myself.

Another recently publicized event from The Atlanta
Journal-Constitution describes how computer hackers broke into a
database at Georgia Tech and copied names, addresses and credit card
information for 57,000 patrons of the Ferst Center for the Arts.

It's apparent that the order of the day is to spend time securing our
environments, rather than spending time protesting or defacing Web
sites. What is the right thing to do?



Marcia J. Wilson holds the CISSP designation and is the founder and
CEO of Wilson Secure LLC, a company focused on providing independent
network security auditing and risk analysis. She can be reached at
marcia () wilsonsecure com.



-
ISN is currently hosted by Attrition.org