March 10, 2008
Cyber Storm II was launched recently. Darren Pauli covers it here in ComputerWorld.
Did we learn much from the last one? I’m not close enough to anyone involved so I can’t really say. On the face of it, who’s doing what and how, to come to a conclusion that it will add value? That would be interesting to know.
I know there’s a heap of companies I’d rather have testing security than the ones mentioned but maybe I’m over-complicating things by suggesting some really bad-arsed hacker dudes get a shot at this. It is termed an “international hacking exercise” in the article though.
Edith Cowan University IBM Professor of Computer and Information Security Bill Hutchinson raises some good points.

I think you will find that Microsoft, Verizon, McAfee and Telstra are not doing that testing; they are playing supporting roles. Each of these companies plays a very important role in hosting / protecting government systems. They need to be a part of the process in the war games as they are in ‘real life’.
e.g. Telstra needs to know what to do with a DoS on a government system, Verizon needs to know what an attack looks like in their logs (they host a lot of gov servers), McAfee needs to fine tune their IDPS / AV etc etc
AG’s and DSD would be doing most of the testing, I would imagine.
It all depends on your definition of ‘valuable’, DD.
Now DD, remember that home security penetration test you asked me to do for you. Does 5pm tomorrow sound ok? Will you be home? Is it ok if I try the kitchen window, then the doors? What sort of locks do you have? I promise not to break anything (it’s not a ‘real’ break-in, after all). Afterwards, we’ll light up your bbq, crack open a coldie or two & pat each other on the back for your great home security.
Do you reckon this’d be a valuable exercise?
Aside from the bbq & beer, it’d be an exercise in sheer wankery.
Prof Bill Hutchinson alluded to it, but he was far too polite. Prof Bill is obviously a gentleman, unlike BG.
So I’ll say it instead. Cyber Storm is a wankfest – on a global scale.
BG.
PS. Cyber Storm III will be held in Mar-Apr ‘08. So much for the element of surprise, eh? When was the last time you heard of a hacker giving 12 months warning of an impending attack?
Turkeys.
@BG
To be fair, it depends on what you are testing. When you are dealing with large systems across multiple organisations / departments / governments, logistics plays a huge part. This isn’t just about “if we attack you, can you see us?” It’s also about: if we are being attacked, what do we do?
When I was doing incident response, my biggest PITA was finding the right person to talk to, and for them to have any idea what I was talking about. You would call the specified contact at 3am saying that they had been compromised and they would say “um, sure, great – so what does that mean? What do you want me to do?”
This allows governments to know what it means, to train the staff in knowing what to do, going through the process of roles and responsibilities and establishing the relationships between organisations to do things efficiently when it is an emergency.
As I alluded to in my first comment, this goes way, way beyond the technical “Can we see the traffic” and into organisational risk management. Of course, it is also about the technical aspect, and the PR but they are not *all* that it is about.
@ Dec.
I fully stand by my comments, and those of Prof Bill Hutchinson.
Sure, by all means – test your systems, logistics etc. No argument there. Police, fire & ambos run simulated disaster tests all the time, have been doing it for years, and the outcomes are generally very helpful to everyone concerned.
Generally there is very little warning of those tests, but for a few in the higher echelons – sworn to secrecy. And that’s how tests should be run. So it’s as close as possible to reality.
My point is, if you remove the element of surprise, what are you testing? And what is the value of it?
Bugger-all, that’s what. But that’s just my opinion. I’m sure there are plenty of others that hold the opposite opinion, Dec.
BG.
@BG,
>Sure, by all means – test your systems, logistics etc. No argument there. Police, fire & ambos run simulated disaster tests all the time, have been doing it for years, and the outcomes are generally very helpful to everyone concerned.
yep – but they are mature organisations.
If there was a surprise war games attack on any government I know exactly what the outcome would be – pwnage. Complete and total pwnage.
You have to walk before you can run.
@Dec,
In which case they should consider renaming it
Cyber Storm … in a teacup.
rofl
**”It’s imperative we test our preparedness and response capabilities. This is why we have Cyber Storm II,” McClelland said.**
Kind of sounds like we’re expecting something and assuming nothing has happened to date, while news reports continue like this one:
http://www.securityfocus.com/brief/696
Fact is that most organisations have no idea if they are being attacked or already have owned systems. (Many already are and have). We’ve touched on this in a few posts here, most recently, Dec’s IDS/IPS talk on Risky Business:
http://beastorbuddha.com/2008/02/11/busting-your-idsips-declan-ingrams-kiwicon-talk-on-risky-business/
Many/most organisations also have no idea what footprint they have on the Internet nor internally. That’s the basics of risk management – knowing what you have first – otherwise, you are in Ostrich Risk Management territory. It’s hard to protect something if you don’t know what it is you have to protect, and I put it out there that a good deal of our critical infrastructure falls into that category. I know of a large organisation (not Australian based) that would be classified as CI and is 2-3 years down the track in still trying to identify what it actually owns sitting on the Internet. That is scary. Are they the exception?
So while I expect such exercises add *some* value, I doubt they make a big difference unless there’s some part of the “testing” scope that gives testers a bit of free rein to see how *prepared* organisations are against their unknowns, so to speak.
In addition, unless more information is fed back to the community in general post such activities, what’s the point? I don’t recall one company doing anything different as a result of the previous exercise. Few even knew it happened. Maybe I just didn’t hear about it. Happy to be told otherwise!
We cannot undertake IT exercises like this the way we do real-world war games and emergency scenarios, because other factors need to be considered. If we do undertake such exercises and make known and understand the limitations of what we are doing, then that makes it a more positive and realistic thing.
Flame on!
DD
@BG,
How long before someone uses that term now in the press. LOL
DD
I’ll add something from Marcus Ranum from:
http://beastorbuddha.com/2007/11/19/interview-with-marcus-ranum-blunt-industry-assessment/
BorB: While more and more breaches are being reported in the press, how bad do you really think it is? My take is that less than 1% of breaches actually come to light and most organisations would not even know if something has happened.
MjR: I think that the situation is definitely very bad, and I agree with you that a great many organizations would have no idea if they were, in fact, compromised. When you look at compromises like TJX or the Veteran’s Administration, I think it’s also pretty clear that organizations are unable to accurately assess the scope of a break-in – or are shockingly willing to lie about it.
Now I’m going to sound like a paranoid for a minute; hand me my tin-foil hat, OK? The stuff that I really worry about is the potential for severe leakages of information regarding advanced technology, military deployments, and intelligence. I look at the US Government’s security and how bad it is, and imagine it must be like a gigantic shopping mall for intelligence operatives from other powers. That’s a deeper threat than just “information leakage” – I’m worried about things like potential Sovereignty-ending events like losing an economic or military war as a result of having exposed too much information.
Problems like that can take generations to mature and our society does not do a good job of thinking in terms of multi-generational threats or how to defend against them. But consider, for example, the FBI’s email system being hacked.
( http://www.gcn.com/online/vol1_no1/35019-1.html )
Do you think there might be anything interesting in there? What if 20 years from now we discover that we’re no longer a superpower because someone else had been reading the National Security Council’s Email for a decade? Sound implausible? So does the idea that the FBI’s Email would be hosted on AT&T’s public mail servers.
So, I think the situation is bad – but I’m vastly more concerned about the long-term threats. Those represent problems that we may never recognize specifically as coming from a particular exposure or source – but it won’t matter.
From a recent talk on a Cyber Terrorism round table:
http://bsdosx.blogspot.com/2007/12/tell-it-like-it-is-boys.html
And another with Rob Thomas, but another “cooler” name ‘FROWARD EDGE II”.. yeah baby!
http://www.forwardedge2.com/videoPlayback.aspx?file=forwardThinking&format=flash Actually really great commentary by Richard Clarke.
My take: http://bsdosx.blogspot.com/2007/05/infosec-video_5580.html
I think the analogies thus far with the traditional emergency services are not well founded. Unfortunately, guys, the physics, costs and time/resources are fundamentally different. It is a new paradigm of tightly coupled ubiquitous IP systems (including SCADA/IP bridged) that may be attacked from relative anonymity, geographical opacity and the most fundamental issue… that of time and parallelism.
Dan Geer has a great paper here that explains the time cost tradeoff and convergence of physical and cyber security:
http://geer.tinho.net/ieee.geer.0606.pdf
Dex
Oooops meant ‘FORWARD’ not ‘FROWARD’…. interesting slip though…
“froward
adjective
(of a person) difficult to deal with; contrary”
Muuhuhuhuhuhahaahahahahaha!
http://www.theregister.co.uk/2008/03/10/cyber_storm_ii_exercises/comments/
FYI
Are we talking about Cyber Storm II – the global IT systems test, or Cyber Storm II – the computer game?
Cyber Storm II was a *game* produced in 1998 by Sierra.
http://www.itreviews.co.uk/games/g22.htm
Quote from game:
“Your task is to successfully bite the ankles of the other seven corporations – which can be played either by the computer or by other humans – in an attempt to dominate the Typhoeus system.”
This is becoming so ridiculous, it’s almost worthy of an entirely new thread.
BG.
[...] “Cyber Storm II in Australia”: as above. Waiting on a report on this to get more information but given the summary of activity presented, I stand by the questions and statements here. [...]