White House to Propose System for Wide Monitoring of Internet (fwd)
batz
batsy at vapour.net
Mon Dec 23 19:15:42 UTC 2002
On Mon, 23 Dec 2002 Valdis.Kletnieks at vt.edu wrote:
:Unfortunately, this is (or should be) part of the threat model. What makes
:you think that J Random Cyberterrorist is any stupider than the guys Stoll
:was chasing?
Because Random J Cyberterrorist would know that the probability of
success and scope of damage of his action is substantially less
than that of a physical attack, given the resources he has to spend
on it.
Also, this threat can be mitigated more cost-effectively through
system and network hardening than by expanding the monitoring
infrastructure to be able to handle such a difficult-to-codify
threat (in any general sense).
Cyberattacks (again IMHO) are still in the realm of being opportunistic,
as we have seen that given as little as $5-10,000, the resources necessary
to reliably cause widespread damage are better spent on a plane ticket than
a hacker.
The cyberterrorist threat is based upon the exposure of network systems
and the motivation of the attacker. What is not taken into account in
this threat description is the other, more reliable and severe options
available to someone with the same resources and motives.
In the triage of sorting out what to protect and how to protect it,
we can exercise lots of control over our technology, and given a limited
threat model, we can be relatively successful. However, some threats
are best dealt with by limiting our assets' exposure to them instead of
building in safeguards whose reliability is inversely proportional to
their complexity. :) Thus (IMHO again) there is limited value in using
what is ultimately a passive monitoring technology to combat the most
agile and directed threats against the network.
These agile threats are sophisticated hackers using multiple source
hosts and jurisdictions, who can evade sensors and who leverage the
inherent administrative overhead of tracking them. The only
defense against them is to keep your patch levels current, your
firewalls strict, and watch until they get lazy and make a mistake.
The only way to catch them is if they use multiple sources over a short
period of time with diverse attacks, thus your search token in the logs
would be the timeframe. Needless to say, given the amount of cruft
that sensors amass, this isn't very reliable.
I have a hacker koan that expresses this problem:
It does not matter who is watching if you are invisible. A
sensor can only see what it is looking for. A hacker cannot
be seen merely by looking.
Cheers:)
--
batz
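The detection idea in the post (the search token is the timeframe: look for windows where diverse attacks arrive from multiple source hosts, and accept that sensor cruft makes the result noisy) can be shown concretely. The following is an added example written for this page, not code from the original post or from NANOG; the log line format, the source addresses, the signature names, the 10-minute window and the 3-source/3-signature thresholds are all assumptions chosen for illustration, and the sample log is constructed.

```python
"""Time-window correlation over constructed sensor log lines.

Added example, not from the original post. Log format, addresses,
signature names and thresholds are assumptions for illustration.
"""
from collections import namedtuple
from datetime import datetime, timedelta

# Constructed sample sensor log (not real data).
# Format (assumed): "<ISO timestamp> <src_ip> <dst_port> <signature>"
# A single noisy scanner (198.51.100.50) and an SSH brute-forcer (10.9.9.9)
# provide the background "cruft"; four probes between 18:00 and 18:07 from
# three different hosts are the multi-source, multi-technique pattern.
SAMPLE_LOG = """\
2002-12-23T17:30:00 198.51.100.50 80 HTTP-SCAN
2002-12-23T17:45:00 198.51.100.50 80 HTTP-SCAN
2002-12-23T17:50:00 10.9.9.9 22 SSH-BRUTE
2002-12-23T18:00:05 203.0.113.9 80 HTTP-TRAVERSAL
2002-12-23T18:01:00 198.51.100.50 80 HTTP-SCAN
2002-12-23T18:02:30 192.0.2.7 25 SMTP-RELAY-PROBE
2002-12-23T18:04:10 198.18.0.4 53 DNS-ZONE-XFER
2002-12-23T18:06:55 203.0.113.9 443 SSL-PROBE
2002-12-23T18:15:00 198.51.100.50 80 HTTP-SCAN
2002-12-23T18:20:00 10.9.9.9 22 SSH-BRUTE
2002-12-23T19:00:00 172.16.5.5 21 FTP-ANON
"""

Event = namedtuple("Event", "ts src port sig")


def parse_log(text):
    """Parse the assumed log format into Events sorted by timestamp."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, port, sig = line.split()
        events.append(Event(datetime.fromisoformat(ts), src, int(port), sig))
    return sorted(events, key=lambda e: e.ts)


def correlate(events, window=timedelta(minutes=10),
              min_sources=3, min_sigs=3, ignore_sigs=()):
    """Slide a window of the given width over the sorted events.

    A window is flagged when it holds at least min_sources distinct source
    hosts AND at least min_sigs distinct signatures. Overlapping flagged
    windows are merged into one cluster so a single campaign is reported
    once. ignore_sigs drops known-noisy signatures before correlating.
    Returns a list of clusters: {"start", "end", "sources", "sigs"}.
    """
    kept = [e for e in events if e.sig not in ignore_sigs]
    clusters = []
    for i, first in enumerate(kept):
        group = [e for e in kept[i:] if e.ts - first.ts <= window]
        sources = {e.src for e in group}
        sigs = {e.sig for e in group}
        if len(sources) < min_sources or len(sigs) < min_sigs:
            continue
        hit = {"start": first.ts, "end": group[-1].ts,
               "sources": sources, "sigs": sigs}
        # Merge with the previous cluster if this window overlaps it.
        if clusters and hit["start"] <= clusters[-1]["end"]:
            cur = clusters[-1]
            cur["end"] = max(cur["end"], hit["end"])
            cur["sources"] |= sources
            cur["sigs"] |= sigs
        else:
            clusters.append(hit)
    return clusters


if __name__ == "__main__":
    events = parse_log(SAMPLE_LOG)
    for label, kwargs in [("default 3/3", {}),
                          ("noise filtered", {"ignore_sigs": {"HTTP-SCAN"}}),
                          ("loose 2/2", {"min_sources": 2, "min_sigs": 2})]:
        print(f"== {label}")
        for c in correlate(events, **kwargs):
            print(f"  {c['start']:%H:%M:%S}-{c['end']:%H:%M:%S} "
                  f"sources={sorted(c['sources'])} sigs={sorted(c['sigs'])}")
```

Two things the run shows that the paragraph only asserts. With the 3/3 thresholds the one real cluster is found, but the background scanner is pulled into it because the sensor cannot tell campaign traffic from cruft; filtering a known-noisy signature shrinks the cluster to the three hosts that matter. Loosening the thresholds to 2/2 to catch a more patient attacker makes the unrelated scanner and brute-forcer fire as a second cluster of pure noise, which is the reliability problem the post describes.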
More information about the NANOG mailing list