White House to Propose System for Wide Monitoring of Internet (fwd)

batz batsy at vapour.net
Mon Dec 23 19:15:42 UTC 2002

On Mon, 23 Dec 2002 Valdis.Kletnieks at vt.edu wrote:

:Unfortunately, this is (or should be) part of the threat model. What makes
:you think that J Random Cyberterrorist is any stupider than the guys Stoll
:was chasing?

Because Random J Cyberterrorist would know that the probability of
success and scope of damage of his action is substantially less
than that of a physical attack, given the resources he has to spend
on it. 

Also, this threat can be mitigated more cost effectively through
system and network hardening than by expanding the monitoring 
infrastructure to be able to handle such a difficult to 
codify threat (in any general sense). 

Cyberattacks (again IMHO) are still in the realm of being opportunistic, 
as we have seen that given as little as $5-10,000, the resources necessary 
to reliably cause widespread damage are better spent on a plane ticket than 
a hacker.  

The cyberterrorist threat is based upon the exposure of network systems
and the motivation of the attacker. What is not taken into account in 
this threat description is the other, more reliable and severe options 
available to someone with the same resources and motives. 

In the triage of sorting out what to protect and how to protect it, 
we can exercise lots of control over our technology, and given a limited
threat model, we can be relatively successful. However, some threats 
are best dealt with by limiting our assets' exposure to them instead of 
building in safeguards whose reliability is inversely proportional to 
their complexity. :) Thus (IMHO again) there is limited value in using
what is ultimately a passive monitoring technology to combat the most
agile and directed threats against the network. 

These agile threats are sophisticated hackers using multiple source 
hosts and jurisdictions, who can evade sensors and who leverage the 
inherent administrative overhead of tracking them. The only 
defense against them is to keep your patch levels current, your
firewalls strict, and watch until they get lazy and make a mistake. 

The only way to catch them is if they use multiple sources over a short
period of time with diverse attacks, thus your search token in the logs
would be the timeframe. Needless to say, given the amount of cruft 
that sensors amass, this isn't very reliable. 

I have a hacker koan that expresses this problem:

It does not matter who is watching if you are invisible. A
sensor can only see what it is looking for. A hacker cannot
be seen merely by looking. 

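The "search token is the timeframe" idea from the post, as an added example that is not part of batz's message or the NANOG thread: slide a short window over a sensor log, and flag only windows where several distinct source hosts throw several distinct signatures at one target. The log format, the field layout, the signature names and the sample lines are all constructed for the example; the parse/correlate functions are assumptions, not any real sensor's API. Widening the window shows the cruft problem the post mentions: unrelated background probes get swept into the same "incident".

```python
"""Time-window correlation over constructed sensor log lines (added example).

Flags bursts where >= min_sources distinct hosts use >= min_signatures
distinct attack signatures against one target inside window_seconds.
The log format and all sample data below are constructed, not real.
"""
from collections import defaultdict
from datetime import datetime

# Constructed sample log: "<ISO timestamp> <src> <signature> <target>".
# 198.51.100.200 is steady background noise (the same probe, over and over);
# 198.51.100.7 and the 203.0.113.x hosts are a coordinated multi-source probe.
SAMPLE_LOG = """\
2002-12-23T18:00:01 198.51.100.200 WEB-IIS_unicode  192.0.2.10
2002-12-23T18:00:09 198.51.100.200 WEB-IIS_unicode  192.0.2.10
2002-12-23T18:00:14 198.51.100.7   SCAN_nmap_syn    192.0.2.10
2002-12-23T18:00:41 203.0.113.22   DNS_version_bind 192.0.2.10
2002-12-23T18:01:05 203.0.113.22   RPC_portmap_dump 192.0.2.10
2002-12-23T18:01:52 203.0.113.41   SMTP_vrfy_probe  192.0.2.10
2002-12-23T18:02:10 198.51.100.7   WEB-CGI_phf      192.0.2.10
2002-12-23T18:30:00 198.51.100.200 WEB-IIS_unicode  192.0.2.10
2002-12-23T19:12:33 203.0.113.99   SCAN_nmap_syn    192.0.2.10
"""


def parse_log(text):
    """Return (timestamp, src, signature, target) tuples sorted by time."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, sig, dst = line.split()
        events.append((datetime.fromisoformat(ts), src, sig, dst))
    events.sort(key=lambda e: e[0])
    return events


def correlate(events, window_seconds=300, min_sources=3, min_signatures=3):
    """Per target, start a window at every event, keep windows that meet both
    thresholds, and merge overlapping windows into one incident dict."""
    by_target = defaultdict(list)
    for ev in events:
        by_target[ev[3]].append(ev)

    incidents = []
    for dst, evs in by_target.items():
        for i, (t0, _, _, _) in enumerate(evs):
            span = [e for e in evs[i:] if (e[0] - t0).total_seconds() < window_seconds]
            srcs = {e[1] for e in span}
            sigs = {e[2] for e in span}
            if len(srcs) < min_sources or len(sigs) < min_signatures:
                continue
            hit = {"target": dst, "start": t0, "end": span[-1][0],
                   "sources": srcs, "signatures": sigs}
            last = incidents[-1] if incidents else None
            if last and last["target"] == dst and hit["start"] <= last["end"]:
                # Overlaps the previous flagged window: extend it instead.
                last["end"] = max(last["end"], hit["end"])
                last["sources"] |= srcs
                last["signatures"] |= sigs
            else:
                incidents.append(hit)
    return incidents


def describe(incident):
    return (f"{incident['target']}: {incident['start']:%H:%M:%S}-"
            f"{incident['end']:%H:%M:%S}, {len(incident['sources'])} sources, "
            f"{len(incident['signatures'])} signatures")


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("5-minute window:")
    for inc in correlate(evs):
        print("  " + describe(inc))
    # Widen the timeframe and the unrelated probes at 18:30 and 19:12 are
    # absorbed into the same incident: the window is doing all the work.
    print("2-hour window:")
    for inc in correlate(evs, window_seconds=7200):
        print("  " + describe(inc))
```

With the 5-minute window the two-minute burst (four sources, six signatures) is the only incident and the later single probes stay out of it; with a 2-hour window the same code reports one incident that runs to 19:12:33 and counts the noise host among the "attackers". Tuning the thresholds is the whole game, which is the post's point about reliability.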


More information about the NANOG mailing list