
> Also, this threat can be mitigated more cost effectively through system and network hardening than by expanding the monitoring infrastructure to be able to handle such a difficult to codify threat (in any general sense).
I agree totally. However, it's unglamorous, and not as sexy an announcement - or as cool looking - as saying the Federal UberSOC is on its way. But it's Uncle Sam doing what he does best - reinventing a less-capable wheel at a higher cost.
> Cyberattacks (again IMHO) are still in the realm of being opportunistic, as we have seen that given as little as $5-10,000, the resources necessary to reliably cause widespread damage are better spent on a plane ticket than a hacker.
Definitely agree - 0911 was done for under $150K according to some reports, and if you think about it, the terrorists got a heck of a return for their investment, far more than they could hope to achieve in a 'cyberwar' attack. The motive of terrorism is to sow fear. There's much more visceral fear seeing the WTC collapse than watching a graphic on television trying to show how a buffer overflow worked on a SCADA system. :)
> The cyberterrorist threat is based upon the exposure of network systems and the motivation of the attacker. What is not taken into account in this threat description is the other, more reliable and severe options available to someone with the same resources and motives.
No, the cyberterrorist threat is a sensational concept based on FUD, ignorance, and hype....and believed to be true by the same politicos who think "Swordfish" was a realistic movie about INFOSEC. If we're going to say there are cyberterrorists, then we've got to start saying 0911 was the result of aeroterrorists. The manner in which the attack is carried out doesn't matter -- terrorism is terrorism is terrorism. As George Carlin might say, "there are no cyberterrorists." In this case, instead of accepting responsibility for our actions (or inactions) regarding INFOSEC, we point fingers at anyone else - such as phantom cyberterrorists - to avoid responsibility and accountability. It's nothing more than the latest version of Passing The Buck. We see INFOSEC incidents occur regularly because WE MAKE IT EASY FOR THEM TO OCCUR and thus BRING IT ON OURSELVES....either through poor management, bad system/network administration and design, or shoddy software. (BTW, I meant "we" in terms of the IT Society, not "we" meaning the experts here on NANOG!)
> threat model, we can be relatively successful. However, some threats are best dealt with by limiting our assets exposure to them instead of building in safeguards whose reliability is inversely proportional to their complexity. :)
Which goes along with what I tell students at NDU each month -- if something's deemed a 'critical infrastructure system' (SCADA, banking, etc.) it should not be on any publicly-accessible network, and the higher costs associated with higher levels of security (e.g., using dedicated, privately-owned pipes vice a VPN over the Internet) must be an acceptable and necessary part of the security solution. If something's deemed 'critical' to a large segment of the population, then security must NEVER outweigh convenience. Period. Non-negotiable.
> inherent administrative overhead of tracking them. The only defense against them is to keep your patch levels current, your firewalls strict, and watch until they get lazy and make a mistake.
Amen! This goes back to making sure system admins are competent, trained, and have the time to ensure these security functions are carried out. Unfortunately, I've found they spend most of their time hunting repeated problems in certain mainstream OS environments -- which means that PROACTIVE security routinely takes a back-burner to REACTING to the latest overflow, trojan, worm, or virus....or to a 'new' problem injected by the vendor-endorsed patches that allegedly fixed existing ones. Of course, while no OS is perfect, if our systems weren't built on such a flaky foundation, we'd have more time to work on securing them instead of just keeping them operational and somewhat less-annoying while simultaneously providing a self-inflicted target of opportunity for some ne'er-do-well.
> It does not matter who is watching if you are invisible. A sensor can only see what it is looking for. A hacker cannot be seen merely by looking.
Hence the need for intelligent network monitoring and pattern profiling, something I've been mulling over for a while now. /rant. :)

Rick
Infowarrior.org