By Christos Venetis, Senior Scholar, Program on Information Security Strategy
A recently published post by David Maynor, from Errata Security Co, urged me to consider the cyber defense methods and policies kept by the global community. There is a general opinion that severe cyber attacks (originated by Lulzsec, Anonymous and other groups) did security a favor by really showing the need for security.
The writer of the article expresses his strong disagreement, considering that Lulzsec has shown how ineffective the security community and marketplace really are. These incidents were not a simple web game; instead, we are talking about millions of dollars spent on security. We must consider that “security tools are devices that help all of us to accomplish a goal, not a magic device that will accomplish the goal by itself.”
In each infrastructure, public or private, there are some systems that really are important, and it will be an operational problem if they go down. Once these complex “Frankenstein” networks and systems are working, nobody wants to touch them for fear of breaking something that may take much of the night to fix.
The belief that security tools will work properly and that security policies will be followed exactly is an illusion. So although the networks may have been scanned, the routers or some servers may have been excluded from vulnerability testing because they were considered “mission critical”. But this is no excuse for keeping some systems off limits for testing. If we exclude anything from vulnerability testing, we will fail at managing security tasks. Do we believe that Lulzsec or any other hacker will respect a no-scan list on our network?
Cyberspace is far more than the web, email and social networks. It is a digital medium in which it is possible to reflect or express all human activities, from communication and calculation to decision making and implementation. It involves software; hardware, from chips to satellites; structures and managerial procedures; and people, from developers to end-users.
Technology changes fast, and so do the methods used by cyber criminals. Organizations and companies are making up best practices and standards along the way, but the criminals appear to be ahead of the curve. Consequently, the strategy should not be focused solely on defeating the attackers in cyberspace. Finding out the motivation and determining the punishments for such crimes may be more effective than merely creating security layers in cyberspace. Resolving cyber security concerns is therefore more than a technology issue. It has to be dealt with from the human angle and, more important, by understanding the source and motivation of the threats.
Nowadays governments and businesses are increasingly aware of the dangers of cyber crimes, which range from small online tricks to severe provocations against governments. They are acknowledging that they need to worry about the risks and the consequences of such attacks. Cybercrimes are unpredictable, change fast and cross national borders. Governments have to consider how, and who is, to legislate, regulate and enforce laws, especially when such crimes are cross-border. In the previous article, “The European Union facing the new challenges of cyber threats”, some of the EU initiatives were discussed.
The global community may have to redesign its political structure and come up with international laws to fight the cyber war. After all, education of Internet users remains a key strategy in combating cyber crimes. This issue, the need for user education, will be the next theme to discuss in the near future.
Take a bow everybody, the security industry really failed this time, by David Maynor
Cyber Security: Why Should I Care?, by Dave DeWalt, Mark Foster, Vikas Kapoor, Christophe Nicolas, Bruce Schneier
This is cyber-war!, by Guy-Philippe Goldstein
Copyright © 2011 Strategy International. All rights Reserved.
All opinions and statements made reflect solely the author. They do not reflect nor represent any governments or any organizations. They do reflect the policy opinions of Strategy Internation