A quote from the DHS's recently released report about their Cyberstorm exercise in Feb: http://www.dhs.gov/interweb/assetlibrary/prep_cyberstormreport_sep06.pdf

Finding 3: Correlation of Multiple Incidents between Public and Private Sectors. Correlation of multiple incidents across multiple infrastructures and between the public and private sectors remains a major challenge. The cyber incident response community was generally effective in addressing single threats/attacks, and to some extent multiple threats/attacks. However, most incidents were treated as individual and discrete events. Players were challenged when attempting to develop an integrated situational awareness picture and cohesive impact assessment across sectors and attack vectors.

And a question: Do network operators have something to learn from these DHS activities or do we have best practices that the DHS should be copying?

--Michael Dillon
On Thu, 14 Sep 2006 Michael.Dillon@btradianz.com wrote:
A quote from the DHS's recently released report about their Cyberstorm exercise in Feb: http://www.dhs.gov/interweb/assetlibrary/prep_cyberstormreport_sep06.pdf
Finding 3: Correlation of Multiple Incidents between Public and Private Sectors. Correlation of multiple incidents across multiple infrastructures and between the public and private sectors remains a major challenge. The cyber incident response community was generally effective in addressing single threats/attacks, and to some extent multiple threats/attacks. However, most incidents were treated as individual and discrete events. Players were challenged when attempting to develop an integrated situational awareness picture and cohesive impact assessment across sectors and attack vectors.
And a question: Do network operators have something to learn from these DHS activities or do we have best practices that the DHS should be copying?
On the level of response and mitigation on networks, they have a lot to learn. On coordinated response and strategic view of situations across networks, we all definitely can learn from them, only that I don't believe such issues affect the work of individual network operators to that level. "Is my network up and running?" is the question; whether the Internet is up and running or my competitor is up and running is secondary until the point where it affects you. I don't see it as a bad thing, as that's the job description, but that will become more apparent in the future.
Michael.Dillon@btradianz.com wrote:
Finding 3: Correlation of Multiple Incidents between Public and Private Sectors. Correlation of multiple incidents across multiple infrastructures and between the public and private sectors remains a major challenge... And a question: Do network operators have something to learn from these DHS activities or do we have best practices that the DHS should be copying?
First impressions: The point here relates specifically to awareness across organizational lines, and I'd say that both public and private industries have issues with sharing information with anyone outside their organization, especially with competitors (ideological, national, or financial). It doesn't really matter whether you're public or private; what matters is how broad your scope is. I'm sure that backbone providers have a broader view than a leaf node, and that the networking unit in a particular government department is equally situated when compared to an individual remote site.

I think that with cryptography we could alleviate some of the concerns with information sharing between enterprises; that allows us to establish a larger, shared view of things. This has a few benefits: we see the problems earlier than the average leaf, and we have more data to analyze trends than the average leaf. However, I think that nobody has made a proper business case for expending the effort, or if someone has, they have not communicated it widely enough. It's not enough for technicians to know; you have to have simple slogans or tragedies large enough that you can point to them and say "that's what this would have avoided".

I would say that large banks have the best combination of bigness and resources that they can employ, and IIRC have some sort of exclusive information-sharing arrangement about security incidents; they are not allowed to share that information, even with the government, except perhaps under subpoena. Well, that was true in the pre-PATRIOT Act days. I know that they are big enough to see malware on occasion before the anti-virus companies see it.

Sadly, governments almost always seem to be preparing for the last war, or avoiding yesterday's problem. I believe that this is a direct consequence of the fact that they attract the most risk-averse employees. In the clearance world, being a risk-taker is considered a disqualifying factor.

There's a lot of competitiveness for the limelight, and a lot of decisions are made based on trying to make others appear foolish, or to cover up your own mistakes, not only because they desire job security, but also because a lot of the attention is negative. It seems like the government's failures are usually public, and their successes unquantifiable. How many intrusions did you stop? Who knows? When it can't be quantified, or it's really technical, it's subject to internal spin or scapegoating or... well, politics.

Also, government agencies have an inherent limitation on efficiency. An unregulated corporation can choose not to enter an unprofitable market. Governments are not allowed this luxury, in general. They also have to balance the desires of different constituents: privacy advocates complaining about any intelligence-gathering, laissez-faire libertarians who think the private sector would do a better job at everything, jingoists and politicians who want to score a point by blaming them for not stopping every bad possibility for every citizen everywhere, all the time, and so on.

Personally, I'm not worried about terrorism. Not that long ago, we were worried about the entire planet being made uninhabitable and humanity quickly extinct by mutually assured destruction. Now we only have to worry about a cause of death with roughly the same probability as being killed by a snake bite. I didn't hear anyone calling for a war on snakes (not even on planes). I consider this excellent progress.

PS: This is an excellent blog on security, technology, and homeland security: http://www.schneier.com/blog/

-- 
The whole point of the Internet is that different kinds of computers can interoperate. Every time you see a web site that only supports certain browsers or operating systems, they clearly don't get it.
participants (3)
- Gadi Evron
- Michael.Dillon@btradianz.com
- Travis Hassloch