Phony Security Scare-Tactics
10, Mar, 2012We noticed this gem via Slashdot: Measuring China‘s Cyberwar Threat. It followed a similar entry from John Robb’s Global Guerrillas blog call You don‘t need a cyber attack to take down the north american power grid. We agree with John and take issue with the premise supported by the Network World article and the work it pointed at.
First, and probably most important, Symas Corporation’s Web site was the subject of several PHP code injections that eventually took our site down. We were “hacked” and “hacked off.” The hacks cost us a person week of recovery and we still haven’t recovered all the blog data that’s stuck in a couple of MySQL databases we haven’t decoded yet.
We doubt the People‘s Liberation Army of Communist China was the primary perpetrator of those hacks, though it is, we suppose, possible. We suspect folks who are peddling porn or drugs or running bot-nets for profit as more credible suspects. We didn’t bother doing very much forensic research to figure out who the culprits were. We just admitted we’d been hacked and moved on. The current main site has no scripting through which it can be attacked. This blog is an off-brand which we hope is less attractive than the big-names to the casual hacker community. We are turning comments off as a matter of principle, so the attack vectors are substantially reduced. There’s no reason other than convenience to run any scripting even for this.
The United States’ Federal Government has a responsibility to be as careful as we are or should be and to stop whining about “existential threats” from opportunists taking advantages of opportunities graciously offered them. Instead of hiring expensive contractors to tell you how bad it is, take the well documented and obvious actions including peer-reviewed inspections and continual logging and auditing. Eliminate the known weaknesses in both code and network design.
While they’re at it, they might consider decentralizing and disaggregating their networks, systems, and applications. Autonomous, independent, securely synchronizing collections of collaborating services are harder to attack and a successful attack puts less of your enterprise at risk.
But most of all, take the responsibility for cataloging users, their roles, and the security significance of each of those roles much more seriously and put hardened, audited, and effective authentication and authorization mechanisms in place using all that integrated user and role information. There are good standards emerging like NIST’s RBAC white paper. We’re investing to make it easier to get it all in place. We would suggest that a conversation with us might be a good starting point (800-LDAP-GUY or 650-963-7601).
- Posted by Symas in in