(This week's Economist has a special section on Information Security
which is well worth a read as it is well researched (in comparison to
the usual cybergeddon article).
P.S. I have been contacted by a Pentagon Reporter who is looking for a
PsyOps expert. He is 'writing a story about possible PSYOPS should the
U.S. decide to invade Iraq. The story would look at past operations,
particularly Panama, and the challenge of carrying out such an operation
in the teeming city of Baghdad. Would like to talk to either operators
or experts in the field.' If any list member is interested please let
me know. WEN)
On digital terrorism:
'... It is true that utility companies and other operators of critical
infrastructure are increasingly connected to the Internet. But just
because an electricity company's customers can pay their bills online,
it does not necessarily follow that the company's critical control
systems are vulnerable to attack. Control systems are usually kept
entirely separate from other systems, for good reason. They tend to be
obscure, old-fashioned systems that are incompatible with Internet
technology anyhow. Even authorised users require specialist knowledge to
operate them. And telecoms firms, hospitals and businesses usually have
contingency plans to deal with power failures or flooding. ...'
'... Like eco-warriors, he observes, those in the security industry-be
they vendors trying to boost sales, academics chasing grants, or
politicians looking for bigger budgets-have a built-in incentive to
overstate the risks.
...' (Nice quote which is so true. WEN)
Senior Management Support for InfoSec
'...A second, related misperception is that security can be left to the
specialists in the systems department. It cannot. It requires the
co-operation and support of senior management. Deciding which assets
need the most protection, and determining the appropriate balance
between cost and risk, are strategic decisions that only senior
management should make. ...
... Senior executives do not understand the threats or the technologies.
"It seems magical to them," says Mr Charney. Worse, it's a moving
target, making budgeting difficult. ...
Threats/Risk:
'... Even senior managers who are aware of the problem tend to worry
about the wrong things, such as virus outbreaks and malicious hackers.
They overlook the bigger problems associated with internal security,
disgruntled ex-employees, network links to supposedly trustworthy
customers and suppliers, theft of laptop or handheld computers and
insecure wireless access points set up by employees. ...'
'... One of the biggest threats to security, however, may be
technological progress itself, as organisations embrace new technologies
without taking the associated risks into account. ...'
Virus:
'... Viruses are a nuisance, but the coverage they receive is
disproportionate to the danger they pose. ...'
Firewalls:
'... Firewalls are no panacea, however, and may give users a false sense
of security. To be effective, they must be properly configured, and must
be regularly updated as new threats and vulnerabilities are discovered.
...'
IDS:
'... Compared with anti-virus software and firewalls, detection is a
relatively immature technology, and many people believe it is more
trouble than it is worth. The difficulty is tuning an IDS correctly, so
that it spots mischievous behaviour reliably without sounding too many
false alarms. ...'
MS:
'... Microsoft's policy of tight integration between its products, which
both enhances ease of use and discourages the use of rival software
makers' products, also conflicts with the need for security. ...'
'... The Windows operating system is the largest piece of software ever
written, so implementing security retrospectively is a daunting task.
...'
Human Element of Security:
'... If correctly handled, a management-based, rather than a solely
technology-based, approach to security can be highly cost-effective.
...'
'... But there are other, more subtle ways in which management and
security interact. "More than anything else, information security is
about work flow," says Ross Anderson of Cambridge University's Computer
Laboratory. The way to improve security, he says, is to think about
people and processes rather than to buy a shiny new box. ...'
Biometrics:
'...The first is that the technology is not as secure as its proponents
claim. ...'
'... The second and more important problem is that biometric technology,
even when it works, strengthens only one link in the security chain.
...'
'... In short, biometrics are no panacea. The additional security they
provide rarely justifies the cost. ...'
Bottom Line:
'... Security, in sum, depends on balancing cost and risk through the
appropriate use of both technology and policy. The tricky part is
defining what "appropriate" means in a particular context. It will
always be a balancing act. Too little can be dangerous and costly-but so
can too much. ...'
-----------------------------------------------
Articles:
Securing the cloud
Tools of the trade
The weakest link
Biometric fact and fiction
When the door is always open
Putting it all together
The mouse that might roar
Securing the cloud
-----------------------------------------------
Securing the cloud
Oct 24th 2002
>From The Economist print edition
Digital security, once the province of geeks, is now everyone's concern.
But there is much more to the problem-or the solution-than mere
technology, says Tom Standage
WHEN the world's richest man decides it is time for his company to
change direction, it is worth asking why. Only rarely does Bill Gates
send an e-mail memo to the thousands of employees at Microsoft, the
world's largest software company, of which he is chairman.
http://www.economist.com/surveys/displayStory.cfm?story_id=1389589
-----------------------------------------------
Tools of the trade
Oct 24th 2002
>From The Economist print edition
How a box of technological tricks can improve (but not guarantee) your
security
ASK a non-specialist about computer security, and he will probably
mention viruses and attacks by malicious hackers, if only because they
are so much more visible than other security problems. Take viruses
first. Like their biological counterparts, computer viruses are nasty
strings of code that exploit their hosts to replicate themselves and
cause trouble. Until a few years ago, viruses merely infected files on a
single computer.
http://www.economist.com/surveys/displayStory.cfm?story_id=1389575
-----------------------------------------------
The weakest link
Oct 24th 2002
>From The Economist print edition
If only computer security did not have to involve people
THE stereotype of the malicious hacker is a pale-skinned young man,
hunched over a keyboard in a darkened room, who prefers the company of
computers to that of people. But the most successful attackers are
garrulous types who can talk their way into, and out of, almost any
situation. In the words of Mr Schneier, the security guru, "Amateurs
hack systems, professionals hack people."
http://www.economist.com/surveys/displayStory.cfm?story_id=1389553
-----------------------------------------------
Biometric fact and fiction
Oct 24th 2002
>From The Economist print edition
Body-scanning technology has its drawbacks
YOU'VE seen them in spy films and science-fiction movies: eye-scanners,
fingerprint readers, facial-recognition systems. Such body-scanning or
"biometric" systems, which can make sure that somebody really is who he
claims to be, are touted as the ultimate in security technology. Systems
protected by passwords are unlocked by something you know (the
password), which others can find out. Systems protected by keys or their
high-tech equivalents, smart cards, are unlocked by something you have
(the key), which others can steal. But systems protected by biometrics
can be unlocked only by a bodily characteristic (such as a fingerprint)
that no one can take from you. Your body is your password.
http://www.economist.com/surveys/displayStory.cfm?story_id=1389565
-----------------------------------------------
When the door is always open
Oct 24th 2002
>From The Economist print edition
The more that companies open up and interconnect their networks, the
bigger the risk of security problems
NOT long ago, at the height of the dotcom boom, you could chart the rise
and fall of companies by looking at the garish artwork sprayed on the
walls of loft buildings in San Francisco's Multimedia Gulch district.
But now, thanks to wireless technology, there is a better way. Driving
around the city on a warm night a few weeks ago, Bill Cockayne, a
Silicon Valley veteran, opens his car's sunroof. His friend Nathan
Schmidt posts what looks like a small fluorescent tube through the open
roof and plugs it into a laptop computer. "Metro/Risk", says the
computer in a clipped female voice as the car makes its way through
North Beach. "Admin network. BCG." Then a robotic male voice booms out:
"Microsoft WLAN. Archangel. Whistler. Rongi."
http://www.economist.com/surveys/displayStory.cfm?story_id=1389541
-----------------------------------------------
Putting it all together
Oct 24th 2002
>From The Economist print edition
Security spending is a matter of balancing risks and benefits
TOTAL computer security is impossible. No matter how much money you
spend on fancy technology, how many training courses your staff attend
or how many consultants you employ, you will still be vulnerable.
Spending more, and spending wisely, can reduce your exposure, but it can
never eliminate it altogether. So how much money and time does it make
sense to spend on security? And what is the best way to spend them?
http://www.economist.com/surveys/displayStory.cfm?story_id=1389499
-----------------------------------------------
The mouse that might roar
Oct 24th 2002
>From The Economist print edition
Cyber-terrorism is possible, but not very likely
IT IS a devastating prospect. Terrorists electronically break into the
computers that control the water supply of a large American city, open
and close valves to contaminate the water with untreated sewage or toxic
chemicals, and then release it in a devastating flood. As the emergency
services struggle to respond, the terrorists strike again, shutting down
the telephone network and electrical power grid with just a few mouse
clicks. Businesses are paralysed, hospitals are overwhelmed and roads
are gridlocked as people try to flee.
http://www.economist.com/surveys/displayStory.cfm?story_id=1389531
-----------------------------------------------
IWS INFOCON Mailing List
@ IWS - The Information Warfare Site
http://www.iwar.org.uk
