Wednesday, June 02, 2010

fear cyberwar?

I started focusing on computer security as a career back when power control SCADA systems started getting connected to corporate networks and the Internet at the demand of the federal government. The fed.gov demanded opening up the transmission market for competitive access, which led to previously closed networks, secured by an air gap, being made much more vulnerable through connection to other networks.

That focus on learning how to build "secure" networks took me through companies large and small, the .com bubble, and on to government and military network security. I hope I've learned a few things about security over the years. I do not think that either government or private industry has a monopoly on good security practices; they just go about things in slightly different manners.

While the cyberwar industry makes for entertaining movies and books, these depend on the premise that Western civilization will completely collapse after two to three days (or weeks) of life without the Internet, or the television, or power. Cyberwar is not a cold war or something unto itself; it has only proven effective as a prelude, used to stun and confuse a population during an actual, physical attack.

Computer security, or information assurance, or smart business, is about managing risk. No mere computer attack could wipe out everyone's credit card debt; only the destruction of the debt collection mechanisms, of society at large, could wipe out your credit card debt. In the face of catastrophe, people are going to be far more worried about food, survival, and shelter than their mortgage payment.

When lives are at stake, organizations build redundant, physically separated (air-gapped) networks to increase security and lower risk. Data is kept in multiple locations, including offline and off-grid locations that are not subject to the effects of the risks being guarded against.

If you truly want to believe that civilization will completely collapse in a psychotic fit of withdrawal from the Internet, you really need to unplug and take a vacation somewhere with no Internet. Bonus points for vacationing in a place with no phones or no power.

2 comments:

John said...

When President Obama was discussing cyberwar with his cabinet, he said that he wanted a mechanism in place so he could shut down the internet at a moment's notice. I sat there with my mouth open and then started an uncontrollable fit of laughter. I was stunned that no one in all of the president's resources told him that wasn't possible or very difficult at best.

I have not been in information security as long as you have, but it seems to me companies are focused on getting their accreditation paperwork passed through rather than providing a layered defense and instituting a best security practices philosophy. I have seen holes in firewalls large enough to drive a semi through or a firewall administrator who got the position because he/she could spell firewall.

Cybersecurity is something that needs to be practiced on a daily basis, not every 3 years when you need the accreditation to go through. NASA has started to approach security from an angle previously unheard of in government circles.

http://fcw.com/articles/2010/05/24/web-nasa-fisma-memo.aspx

I like this as I believe it will create a much stronger environment to operate in.

Chris said...

Odd. I read the article through and the stuff that is being trumpeted as "breaking new ground", such as continuous scanning and patch management, has been SOP on the .mil side for several years. It took a couple of years to get the kinks ironed out, but there are no longer excuses allowed. You will be disconnected if your system is not kept clean and up to date.

On the .gov side I made a very good living for several years going into agencies and cleaning up firewalls, etc., that had been built by GS lifers. I've been out of that loop for a bit, so I can't say whether or not it is any better.

Accreditation paperwork is just that. If passing the accreditation requires layered defense, tight firewalls, and ongoing monitoring and management, that is what you will get.

It's getting better, I hope. :)