Slashdot Mirror
Operation 'Cyber Storm' Starts Tomorrow
cyberbian writes "Federal Computing Week reports that the Department of Homeland Security have moved up their rescheduled cyber security exercise, designed to test enterprise and private sector alike. The tests are expected to run from February 6-10, and are intended to gauge the state of readiness for a cyber attack on critical infrastructure. FCW also reports that the scope of the fake attacks will be global, and they are coordinating with partners in Australia, Canada and the UK."
I'm glad that they are doing something like this, in the UK people have been estimating that "in the city" only around 50% of companies are anything like prepaired for an attack of this nature, hopefully this will show people what needs to be done...
I hope no real attacks take place during this time though...
*''I can't believe it's not a hyperlink.''
So all you need to do is find one unlucky zombie on a government IP, and use it to break in to random computers, and people will assume you're a good guy?
Exactly what can be expected in regard to online use just after the Superbowl? Will there be more or fewer people online during that time? I expect there'll be more. People will want to celebrate and complain about whomever won or lost. If we were under a cyberattack, then certainly that would be the best time to do these tests.
Last time i saw something like this, our 'organizataion' was tested.
They caused more damage to us with childhood tactics ( like locking out system accounts ) than doing 'real' tests. We were screwed for a week trying to undo damage, and trying to figure out how it was happening again and again.
Posting anonymously for obvious reasons.
This is like Microsoft checking its own code for security holes. If there is a weakness then resources could be better used by trying to eliminate the weakness instead of finding theoretical ways it could be exploited - because there's always the way you didn't think of and THAT's the one that's going to get you.
Homeland security is going to turn around and tell everyone that we're NOT ready for a "terrorist cyber attack"? No, it makes much more political sense to say "see? Our networks can survive millions of nerf-ball hits; more funding please."
Seven puppies were harmed during the making of this post.
Hrm, wonder how this will affect companies planning stress tests of their systems during that time period. Like for example the DDO stress test that starts on the 7th. It's wonderfully nice of the government to move the schedule at the last minute like this. I'm sure they won't be specifically targeting a small internet games company like Turbine... but I'd feel for any company who's planned tests will get nice and invalidated because the government decided that'd be a nice day to DDOS them.
All network admins know that the damage caused by attackers is insignificant compared to the damage caused by upper management and government meddling.
All admins do not necessarily agree with this. Most of messes I have to clean up are from malware, fraud, "traditional" crime (and attempts at such) that have taken on a 'net communications component, and the usual tsunami of noise and bot blather that lands on every public-facing port I have open.
Tiered internet? That's a misnomer, I think. Big internet users pay for the bandwidth they (or their visitors) use. More traffic means higher costs. I don't care if some Comcast user has already paid for "his" bandwidth... serving up a streaming video to him isn't only using his bandwidth. I don't know where people get that idea. But regardless, if SBC or Verizon or any other carrier wants to screw with per-site or per-visitor metering or biasing, they're welcome to. Other ISPs will just set a price that's easier to predict and work with, and win the business away from the people trying to make it more complicated. But how much time do I have to give "upper management" or "government meddling" vs. attempted attacks, fraud killing, malware, etc? It's not even close. The bad guys are much more of an issue.
Don't disappoint your bird dog. Go to the range.
...the government didn't really do any testing at all, and just used this as a trap to find real hackers. Just stay extra-vigilant for a few days, and find the people attempting to go under the radar...
From the sound of it, this is a paper exercise. The Government more than anyone is scared of the impact of actual pen testing. More than likely this will consist of everyone sitting in the same room or VTC'd in. They'll go, "ok, a hacker just disabled electrical junction boxes shutting down power to Boston, how do you respond?" and then they'll talk it over for a while. End the end they'll realize, "humm, we don't know how" or "well we know how but we rely on group X for help and group X didn't know they'd need to be involved" or something like that.
I do security
FCW also reports that the scope of the fake attacks will be global, and they are coordinating with partners in Australia, Canada and the UK."
I didn't know that computers only speak English.
Hmmm... learn sumthin new evry day.
While I think this article is talking about a table top or paper drill, it does hint at a bigger question. How do you do realistic pen testing on a system that must be 100% configuration controlled? I think you have to assume that the Pen Testing will take the system into an unknown state though you should know the range of that unknown state, (it may not effect the entire system.) From that you can conclude you need to have a plan to take the system or parts of the system from an unknown configuration state back to the current baselined configuration state. But is this possible? How long does it take? What methods do you use? Does anyone on slashdot have any experience with such a plan? Has anyone had to write one or even enact one?
I do security
Was the massive blog outtage yesterday part of this, and someone just jumped the gun a little? What's to stop the feds from shutting down huge pieces of the net, or replacing pages with look-a-likes that have information they want you to believe, as opposed to real information? Phed Phishers in other words, geek goose stepping order followers.
This crap is weird. I fully expect them to pull off another false-flag terrorist attack and use that as an excuse to do real damage to the freedom parts of our society, they have already shown that is their primary agenda and that is exactly what they have been doing. Controlling the web could be part of it.
The type of test I participated in wasn't invalidated by this lack of surprise because it was deliberately designed to expose procedural flaws and systematic gaps that fell between different areas of responsibility. The lack of surprise was a nuscience in the design of the test, but it was planned for and accounted from the very beginning. Having an announced testing window was a necessary security feature and not a flaw in the test.
These tests either were performed within the announced window of time or they were cancelled outright. Delay was out of the question. Delay was insecure. Cancelled tests were a nuscience for the test teams because it meant almost a month delay before they'd be allowed to perform the test, but the insecurity introduced by saying "Oh wait, the tests are back on schedule" or "Oh we'll just delay the test window a few days" was unnaceptable to security.
I've heard a time (though I didn't participate) in a test where a piece of equipment failed the day before the two day test window. Without this piece of equipment data measurements would be fuzzed by an order of magnitude on one part of the test. A replacement was ordered but on the day the tests were to begin it still required a day of prep time. To you and me our first inclination might be to simply delay the test a day. That was not acceptable to the security team. The test went on with the bad piece of equipment and the test results were compromised but in only that part of the test. Another test window was scheduled six weeks in the future and the test team's budget was increased to have redundant pieces of certain test equipment on hand and ready as part of the design of new testing procedures.
What seems almost absurd was the idea of moving forward the timeframe of an announced security test. There were times when test teams were very ready ahead of time, but they used the time to double and triple check their preparation, take documentation for next test, meet and discuss the game plan, and use the extra time productively while waiting for the arrival of the upcoming announced testing window. Why not just go ahead with the tests? Because once again, moving the announced test window was a security risk. And performing the test outside a test window was considered a break-in by security, and unnecessary for properly designed tests by the test teams.
I know banking security differs from computer security, but it still seems rather insecure and dangerous to move an announced test window period at all. What's worse is that it seems unnecessary, unusual, and odd to move the test period forward. If the test requires surprise, then it's either a poorly designed test or it was compromised by having an announced test window to begin with. If we're dealing with computer security on an international scope, then it would seem incredibly helpful to take the extra test time and double check the game plan. Tests inside a single banking company with far fewer issues of timing, language, and politics welcomed an extra week to plan and prepare before most tests of even moderate complexity. It seems arrogant, ignorant, or careless to say "Oh, we don't need this extra time before the tests. We'll deliberately tamper with our security and throw away this extra time we could use to prepare and coordinate this very complex international test."
So what's really going on here?