Monthly Archives: December 2015

Lessons learned from Tom Clancy’s novel ‘Red Storm Rising’

14 December 2015

In the past weeks I listened to Tom Clancy’s novel ‘Red Storm Rising’ during my ride to the office. Red Storm Rising is about a Third World War in Europe around the mid-1980s. From an IT security point of view, one of the most impressive scenes is about a missile attack against the carrier Nimitz.

Nimitz has a layered defense system which successfully destroys all missiles except for two, which cause severe damage. However, the continual emergency drills were successful: the carrier reaches the dry dock under its own steam and is soon back in combat.

In the IT world we face similar problems when a cyber attacker manages to get across the first line of defense, i.e. the firewall which separates the company network from the internet. In the best case, if an Information Security Management System (ISMS) is in place, everyone reacts the right way and serious damage is prevented.

But reacting the right way requires some practice, and the lack of practice is the crux of the matter. Is all software available to rebuild a system from scratch? Have you ever performed a restore test to make sure your backup concept works and your business critical systems could be restored to the required point in time, and in the defined time frame?

Practicing security procedures is often avoided because of the risk to the systems and the costs. But without practicing you cannot ensure the effectiveness of your ISMS. It is all a question of finding the proper balance.
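A restore test like the one asked about above can be scored automatically instead of by eye. The sketch below is an added example, not part of the original post: the names `sha256_tree` and `evaluate_restore`, the manifest format, and the `rpo`/`rto` limits are assumptions chosen for illustration.

```python
import hashlib
from pathlib import Path


def sha256_tree(root):
    """Map each file's path relative to root to its SHA-256 digest."""
    root = Path(root)
    return {
        p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
        for p in sorted(root.rglob("*")) if p.is_file()
    }


def evaluate_restore(manifest, restored_root, backup_time, incident_time,
                     restore_started, restore_finished, rpo, rto):
    """Score one restore drill against integrity, point in time and time frame.

    manifest: {relative path: sha256} recorded when the backup was taken.
    rpo / rto: timedelta limits (assumed to come from your continuity plan).
    """
    restored = sha256_tree(restored_root)
    missing = sorted(set(manifest) - set(restored))
    altered = sorted(f for f in manifest
                     if f in restored and restored[f] != manifest[f])
    unexpected = sorted(set(restored) - set(manifest))
    data_loss = incident_time - backup_time        # work lost since last backup
    downtime = restore_finished - restore_started  # how long the restore took
    return {
        "missing": missing,        # in the backup manifest, absent after restore
        "altered": altered,        # restored, but content differs from manifest
        "unexpected": unexpected,  # present after restore, never backed up
        "rpo_met": data_loss <= rpo,
        "rto_met": downtime <= rto,
        "passed": not (missing or altered or unexpected)
                  and data_loss <= rpo and downtime <= rto,
    }
```

Record the manifest with `sha256_tree` at backup time and store it separately from the backup itself, so that a drill compares the restored system against a reference the backup medium cannot silently change.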

I dug somewhat deeper into military strategy in the past weeks. In the publication ‘The Strategic Game of ? And ?‘ John Richard Boyd points the way to a strategic approach to defense in cyber war:

The Strategic Game is one of Interaction and Isolation. A game in which we must be able to diminish adversary’s ability to communicate or interact with his environment while sustaining or improving ours.

Seems to be a good motto for 2016.

That’s it for today, and for this year. I will take a Christmas break.

A merry Christmas to you all and the best wishes for health, happiness and prosperity in the New Year.


Cyber breach at the Australian Bureau of Meteorology

5 December 2015

When I read the headline of Warwick Ashford’s report ‘Australia blames China for cyber-attack on supercomputer’ my first thought was: Why would anyone go after a number cruncher? It can’t be all that bad, because under normal conditions number crunchers don’t store business critical information.

In the evening I started gathering information about the attack and found some really worrying details.

In Ashford’s report we read ‘The BoM supercomputer contains a lot of research, but could be viewed as a potential gateway to a host of government agencies that have even more sensitive information.’

In an ABC report one reads ‘In the event of a conflict, compromising Australia’s ability to accurately forecast weather would affect the operation of military and commercial aircraft. Beyond that, the bureau provides a gateway to other agencies.’

The Bureau of Meteorology (BoM) provides services to other agencies. Since a login is required, it is very likely that login credentials have been compromised. This makes attacks on other agencies very likely because login credentials are frequently re-used across services.

In addition, both sources report that the BoM provides a gateway to other services. Hopefully the networks of the Australian government agencies are better isolated from each other than the OPM network was from other U.S. agency networks. If they are properly isolated, it is much harder for the attackers to move across the gateways into other networks.

In ‘Cyber breach at the Bureau of Meteorology: the who, what and how, of the hack’ we read:

‘The damage is actually … to then make sure that the hackers have not left behind any software that is continuing to spy or providing hackers with renewed access, …’

The author talks only about confidentiality issues, but what about integrity issues? Who checks whether the results of the computations are still the same as before the attack? Slight changes to algorithms may have a major impact on forecast information and could, in the worst case, end in a plane crash.

Have a good weekend.