Re: The Backhoe: A Real Cyberthreat? [ & Re: cyber-redundancy ]
Responding to both Sean Gorman's and Sean Donelan's posts:

---

Sean Gorman, in your earlier reply you stated that Verizon will tell me that a cable is diversely placed, when in reality it is only 2mm away from the original path. Then you proceed to describe the considerations and the makeup of a data base that Verizon (using them as an example here) should use to document cable placements in order to give me the information that would be .... what? Which is it? I'm either naive to ask for a route statement, so I shouldn't bother; OR, I trust that they're going to be straightforward and wind up getting whacked with bogus information in the end, anyway?

We've written numerous asset-tracking systems that list dozens of attributes, starting with geo-referenced path information at Layer Zero (spaces, pathways, roads, etc.) that is integrated parametrically with CAD software, and ending with the fire ratings of the sleeves and innerducts entering buildings, and everything, including all media attributes, in between. This is not a trivial undertaking when done to the demands of the craft (in addition to those that might be of interest to someone flying at 30,000 ft), but every cable pulling service provider/carrier/entity worth its salt has or should have one. Whether they are kept up to date or not is another story, entirely. To this point, some systems I've seen possess information that is so out of date and in such disarray that they actually represent a primary reason (shame) why an SP would not want to make them viewable to end customers. But that's another story all its own.

---

Sean Donelan, you make a good point by comparing financial institutions with carriers with respect to holding back information from one another, and sometimes to the customer, as well. You'll note in my earlier post I made allowances for a third party ("or agents") for this very reason, although I didn't elaborate on that point at the time.
I've seen instances when trusted third parties, usually a then-big six CPA firm, would be mutually agreed to as the party of choice to hold and confirm route information for a client. I've seen this done for tower rights of way and for fiber optic paths, but nothing like this that I am aware of ever became widely available as a broking service to the general public, although I think it should. Have you come across this sort of arrangement in the past? Anyone?

I've also been blessed with having to work through both of these industry groups on a single project. For example, I once orchestrated the client-side design and buildout of two IRU facilities (called optical fiber services, or OFS) back in 1987 for a financial institution across the street and down the block from the NYSE to the Teleport on Staten Island. Since Teleport (and TCG) was partially owned by Merrill Lynch back then, along with WU, NYCity and the Port Authority of NJ/NY, and the entrance point to the site was in Merrill's own building, I had to arrange for alternate penetration points and trenching from the perimeter of the park to a new building that was designed and constructed simply to circumvent the sharing of space and duct facilities with the client's chief competitor. To make this story more interesting, the two routes on the NJ side (which the routes traversed in order to get back to the Holland and PATH Tunnels on their way to 60 Hudson and the WTC, respectively) had a single cross-over point (single point of failure) in a large PSE&G vault in Journal Sq., which I refused to sign off on. I never would have detected this fault, except for my personal inspections of the physical route constructions against the design documents I was given by all parties concerned. It wound up costing seven digits to trench a path to an agreed upon distance from the vault before an order to commence pulling cable through those sections received a final go ahead. And so it went ...
Frank

=========================================================================

On Fri Jan 20 18:11 , sgorman1@gmu.edu sent:

The difference being the financial system can use the knowledge to make themselves more resilient. How does the bank customer use the information you listed to make themselves more resilient? Further, the banks are a fairly trusted and well regulated group. There are a good number of bank customers that are not good guys. Is there a fear the banks will use provider information for malicious ends? Is that the reason the providers will not give the information? Could it be they do not want customers to know most of their SONET rings are collapsed?

----- Original Message -----
From: Sean Donelan <sean@donelan.com>
Date: Friday, January 20, 2006 4:44 pm
Subject: Re: The Backhoe: A Real Cyberthreat? [ & Re: cyber-redundancy ]

> On Fri, 20 Jan 2006, Frank Coluccio wrote:
> > To answer Sean Donelan's question, yes, enterprise customers and/or their agents _do_ need to have specific information on the routes in which their leased facilities (and even dark fiber builds) are placed, ephemeral as those data might be at times due to SP outside plant churn. They need this data in order to ensure that they're not only getting the diversity/redundancy/separacy that they're paying for, but because of the more fundamental reason being that it is the only way they have to provide maximal assurances to stakeholders of the organization's survivability.
>
> Is the same thing also true for customers of financial institutions? Why are financial institutions so reluctant to give details about the locations of their data centers, processing offices, money transport routes and security procedures to their customers? Don't customers of financial institutions have the same concerns about the survivability of the financial institutions as the financial institutions have about their suppliers?
>
> Doesn't this just turn into Y2K all over again with every organization demanding guarantees and copies of data from every other organization?

------

On Fri Jan 20 15:05 , sgorman1@gmu.edu sent:

What data went into the system would depend on what questions you were looking to answer. I spend most of my time looking at the geographic diversity of fiber routes, so I'll use that as a very simple example. To answer that particular set of questions you would need the fiber routes for each provider, and they would need to be georeferenced. Other useful data would be the buildings lit by those fiber routes and lease costs. Users would then enter the buildings they want connectivity for. The system would find all the providers that could service that combination of buildings, then calculate what the diversity of each provider is for that set of buildings, or what the diversity was if the user wanted to use more than one provider. Each provider would be given a score for that particular connectivity combination and a price, or the scores for each combination of providers. The user would then have a market indicator for diversity. You could have a variety of metrics - the total distance between network paths, average distance, the variance, the number of times paths come within 100 feet of each other, the number of routes that are colocated, etc. The providers do not give up any proprietary data and the customers have a set of indicators to make a more informed choice. Not the ideal solution, but the game was to come up with something that would be palatable to the providers. Companies like Last Mile Connections already keep provider supplied databases of lit buildings and prices to run auctions. This would just be another indicator for customers that also value diversity and resiliency. Protecting the master database would be important, but there are lots of mechanisms to do that effectively. The metrics are the key, and that of course is my angle on the game.
----- Original Message -----
From: Frank Coluccio <frank@dticonsulting.com>
Date: Friday, January 20, 2006 1:53 pm
Subject: Re: The Backhoe: A Real Cyberthreat?

> > >My argument simply is if this kind of awareness
> > >can be made more broadly available you end up with
> > >a more resilient infrastructure overall.
> >
> > Sean, would you care to list the route, facility, ownership and customer attributes of the data base that you'd make public, and briefly explain the access controls you would impose on same?
> >
> > If this is not what you originally intended, then please show me the way ... thanks.
> >
> > Frank
> >
> > On Fri Jan 20 9:19 , sgorman1@gmu.edu sent:
> >
> > As you mentioned before this is largely because the customer (SIAC) was savvy enough to set the requirements and had the money to do it. A lot of that savviness came from lessons learned from 9/11 and fund transfer. Similar measures were taken with DoD's GIG-BE, again because the customer was knowledgeable and had the financial clout to enforce the requirements and demand the information. An anonymous data pool is just one suggestion of a market based mechanism to do it.
> >
> > ----- Original Message -----
> > From: Michael.Dillon@btradianz.com
> > Date: Friday, January 20, 2006 5:37 am
> > Subject:
> >
> > > > Imagine if 60 Hudson and 111 8th were to go down at the same time? Finding means to mitigate this threat is not frivolously spending the taxpayer's money, IMO; although perhaps removing fiber maps is not the best way to address this.
> > >
> > > No, removing fiber maps will not address this problem now that you have pinpointed the addresses that they should attack.
> > >
> > > Separacy is the key to addressing this problem. Separate circuits along separate routes connecting separate routers in separate PoPs. Separacy should be the mantra, not obscurity.
> > >
> > > End-to-end separation of circuits is how SFTI and other financial industry networks deal with the issue of continuity in the face of terrorism and other disasters. In fact, now that trading is mediated by networked computers, the physical location of the exchange is less vulnerable to terrorists because the real action takes place in redundant data centers connected by diverse separate networks. Since 9-11 was a direct attack on the financial services industry, people within the industry worldwide have been applying the lessons learned in New York. Another 9-11 is simply not possible today.
> > >
> > > --Michael Dillon
> >
> > Frank A. Coluccio DTI Consulting Inc. 212-587-8150 Office 347-526-6788 Mobile
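The separacy metrics Sean Gorman sketches in his 15:05 message (minimum and average separation, variance, the number of times two paths come within 100 feet, colocated length) can be computed directly from georeferenced route polylines. The following is an added example, not code from this thread or from any provider's system; it assumes routes are polylines in a local planar frame with coordinates in feet, and the three routes are constructed samples, one of which is sold as "diverse" but shares the primary trench for 1000 ft, the case Frank raises at the top of the thread.

```python
"""Separacy metrics for georeferenced fiber routes (added example, not from the thread).
Assumption: routes are polylines in a local planar frame with coordinates in feet."""
import math
from statistics import mean, pvariance

# Constructed sample routes (feet). ROUTE_B is genuinely diverse from ROUTE_A; ROUTE_C is
# sold as "diverse" but shares ROUTE_A's trench for 1000 ft at six inches of separation.
ROUTE_A = [(0, 0), (1000, 0), (2000, 0), (3000, 0)]
ROUTE_B = [(0, 500), (1000, 60), (2000, 60), (3000, 500)]
ROUTE_C = [(0, 800), (1000, 0.5), (2000, 0.5), (3000, 800)]

def point_to_segment(p, a, b):
    """Euclidean distance from point p to the segment a-b."""
    (px, py), (ax, ay), (bx, by) = p, a, b
    dx, dy = bx - ax, by - ay
    if dx == 0 and dy == 0:
        return math.hypot(px - ax, py - ay)
    t = max(0.0, min(1.0, ((px - ax) * dx + (py - ay) * dy) / (dx * dx + dy * dy)))
    return math.hypot(px - (ax + t * dx), py - (ay + t * dy))

def distance_to_route(p, route):
    """Shortest distance from p to any segment of the polyline."""
    return min(point_to_segment(p, a, b) for a, b in zip(route, route[1:]))

def sample_route(route, step):
    """Points along the polyline spaced at most `step` feet apart, endpoints included."""
    pts = [route[0]]
    for (ax, ay), (bx, by) in zip(route, route[1:]):
        n = max(1, math.ceil(math.hypot(bx - ax, by - ay) / step))
        pts += [(ax + k / n * (bx - ax), ay + k / n * (by - ay)) for k in range(1, n + 1)]
    return pts

def separacy_metrics(route_a, route_b, step=100.0, near_ft=100.0, coloc_ft=10.0):
    """Distance profile of route_a against route_b, sampled every `step` feet along route_a."""
    dists = [distance_to_route(p, route_b) for p in sample_route(route_a, step)]
    # An "approach" is one contiguous stretch of route_a running within near_ft of route_b.
    approaches = sum(1 for i, d in enumerate(dists)
                     if d <= near_ft and (i == 0 or dists[i - 1] > near_ft))
    # Colocated length: consecutive sample pairs that are both within coloc_ft (same trench).
    colocated = sum(step for d1, d2 in zip(dists, dists[1:]) if max(d1, d2) <= coloc_ft)
    return {"min_ft": min(dists), "mean_ft": mean(dists), "variance_ft2": pvariance(dists),
            "approaches": approaches, "colocated_ft": colocated}

def most_diverse(primary, candidates):
    """Rank candidate routes: least colocated length first, then largest minimum separation."""
    scored = {name: separacy_metrics(primary, r) for name, r in candidates.items()}
    return sorted(scored, key=lambda n: (scored[n]["colocated_ft"], -scored[n]["min_ft"]))
```

Average separation alone would rank ROUTE_C ahead of ROUTE_B, because C swings wide at its ends; the ranking puts colocated length first so the shared trench dominates.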