Cyber Cyber Cyber!?!

November 1st, 2011 by peter.bassill

Caution – Rant within

Cyber

Well, the press have gone mad for “Cyber” now. Everywhere is awash with news on massive Cyber attacks being conducted against the UK’s infrastructure and enterprise, but it leaves a burning question in my head: why are all these systems susceptible to attack? If these systems are that important, air gap that shit. Don’t have it connected to the public Internet in the first place.

Cyber is !news

“Cyber attacks on the UK are at “disturbing” levels” states the director of Britain’s biggest intelligence agency. Well, if the systems are open to the public Internet, and have vulnerabilities on their systems that date back almost 20 years, then what do you expect? I would hazard a guess that the businesses experiencing “disturbing” levels do not have a CISO in post, probably do not carry out end-to-end holistic penetration testing offered by the likes of Pentest Partners and very probably do not carry out daily vulnerability scans.

“The Foreign Secretary William Hague revealed in February that computers belonging to the government had been infected with the “Zeus” computer virus, after users opened an e-mail purporting to come from the White House and followed a link.” Isn’t it amazing that government, despite having tools such as the National Secrets Act, and possibly the best Data Classification system, completely fail at providing their users with mandatory User Awareness Training? These things are a matter of course for diligent businesses but something the government just do not seem to get correct.

Cyber is a distraction from businesses with bad security practices

With all this public focus on the whole cyber aspect (Radio 4 talked around Cyber Warfare, Cyber Espionage and Cyber Attacks) it does leave the Security Professional wondering why no-one is talking about the solution. Cyber Warfare will never replace conventional Kinetic warfare because you will always need boots on the ground to occupy space. Cyber Espionage may be easier than traditional espionage, but at the end of the day if you want a list of customers from a competitor then it will always be easy to get a job as a cleaner at your target company or pay a phone operator a couple of hundred quid for inside information.

The real solution is for business and government to pull their finger out and start embedding a security culture into their operations.

Still, these things at least give me something to rant about.
