There has been a lot of news recently about the potential for the coming Cyber Pearl Harbor. A cyber attack that would mirror the devastation that hit the naval base in Pearl Harbor during the beginning of WWII. According to an article in CSO Magazine on October 18, 2012, the United States is concerned of a coming cyber attack. The concept of comparing the attack to Pearl Harbor has been around for several years. It wasn’t until a recent a speech by U.S. Secretary of Defense Leon Penetta in New York that this has become more of a topic.
The article states the following:
The results of cyberttacks by a hostile nation-state on critical infrastructure like transportation, water supply or the electric grid “could be a cyber Pearl Harbor — an attack that would cause physical destruction and the loss of life,” Panetta said. “In fact, it would paralyze and shock the nation and create a new, profound sense of vulnerability.”
Panetta also invoked the image of a cyberattack on the level of 9/11. “Before September 11, 2001, the warning signs were there. We weren’t organized. We weren’t ready and we suffered terribly for that lack of attention. We cannot let that happen again. This is a pre-9/11 moment,” he said.
In a follow-up article in CSO Magazine November 7th, the opposing viewpoint was brought forth. Many in the security industry feel that the concept and description of a Cyber Pearl Harbor is nothing more than hot air. Experts including Bruce Schneier have chimed in. Bruce has reduced the extent to which he believes the concept to be exaggerated but according to he article:
Critics argue argue that not only is the threat of a catastrophic cyberattack greatly exaggerated, but that the best way to guard against the multiple risks they agree exist is not with better firewalls or offensive strikes against potential attacks, but to “build security in” to the control systems that run the nation’s critical infrastructure.
Bruce Schneier, author, Chief Technology Security Officer at BT and frequently described as a security “guru,” has not backed off of his contention made at a debate two years ago that the cyber war threat “has been greatly exaggerated.” He said that while a major attack would be disruptive, it would not even be close to an existential threat to the U.S.
“This [damage] is at the margins,” he said, adding that even using the term “war” is just a, “neat way of phrasing it to get people’s attention. The threats and vulnerabilities are real, but they are not war threats.”
The reality is that it is probably somewhere in the middle of the two viewpoints. It can be likened to the Y2K issue a little over a decade ago. The world was going to come to an end and the dark ages would re-emerge. The reality was that preparation help minimize what little impact there may have been. Security is a risk decision, but most risk decisions are defensive in nature. The other decision of a preemptive cyber capability is another aspect of the decision-making that needs to be addressed. Should the U.S. begin cyber strikes on perceived threats? What is the impact of doing this on the long-term? The world has already seen a small view of what can be done with Stuxtnet and will these type of state-sponsored cyber attacks the new nuclear deterrent…that is yet to be seen.
Regardless of the direction that gets taken, business needs to look at potential cyber attacks/hacks as a real potential threat and determine what risk is willing to be accepted and what will need to be mitigated. Whether the issue is the size of a country or your home computer, measure twice, cut once is still the best direction.
Millions of people are feeling the effects of Hurricane Sandy along the East Coast of the United States. Natural disasters occur all the time all of over the world, but many times some of the basic precautions do not get addressed in advance. Many will ask how this topic deals with technology or security, but the answer is simple…it just does. Most businesses will have a process or procedures if a server crashes or the phone system or Internet goes out for a couple of hours, but how many businesses address the longer term impacts of flooding or the fact that your cloud provider lost one or more of its data centers.
The reality is that business continuity planning and disaster recovery planning should include these types of scenarios. Scenarios and planning for short and long-term outages. Whether it is an earthquake, tornado/hurricane, or flooding, the planning needs to be there and how it could impact your business from a safety and financial stand point. If you take this recent storm as an example, many businesses lost power and will be flooded for days potentially having a strong negative impact for their customers. In fact, the NYSE closed for multiple days as a result of the storm and that has not occurred for weather related issues since the early 1900s.
The bottom line is to plan. Make business continuity and disaster recovery a part of your process and then also test those processes. The last thing your business needs during an outage is to go to a process that does not work or has never been tested. Now we know that security and business has to evaluate risk. If not being prepared is an acceptable risk, then that is the business decision you will need to make…
On October 16, 2012 Apple released yet another Java update for OS X. This update is a security update to correct multiple vulnerabilities in Java. This update applies to Mac OS X v10.6.8, Mac OS X Server v10.6.8, OS X Lion v10.7 or later, OS X Lion Server v10.7 or later, OS X Mountain Lion v10.8 or later. Specifically, the update addresses the following according to the Apple site:
Description: Multiple vulnerabilities exist in Java 1.6.0_35, the most serious of which may allow an untrusted Java applet to execute arbitrary code outside the Java sandbox. Visiting a web page containing a maliciously crafted untrusted Java applet may lead to arbitrary code execution with the privileges of the current user. These issues are addressed by updating to Java version 1.6.0_37. Further information is available via the Java website at http://www.oracle.com/technetwork/java/javase/releasenotes-136954.html
As usual, Java is a security concern. If you haven’t already done so, disable/uninstall Java unless you absolutely need it. In addition, make sure you update your Java if needed.
SOAP BOX: For Oracle, if Java is going to continue to be used…FIX IT…
A recent article in The Hacker News (THN) discusses a brute force vulnerability in the Cisco Call Manager, also known as the Unified Communications Manager, identified by Roberto Suggi Liverani. He is the founder of the OWASP (Open Web Application Security Project) New Zealand chapter. In his blog he details the vulnerability and gives proof of concept examples. He states:
“During a security review, I have found a quick way to perform PIN brute force attack against accounts registered with a Cisco Unified Communications Manager (Call Manager).”
For those not familiar with all Manager, this gives some interesting insight into how the Cisco VoIP system works between the manager and the phone…