(Updated from my previous blog)
I came across several different books on the subject area lately, some of them pretty good, and others may as well be fiction. Jeffrey Carr’s Inside Cyber Warfare is one of the better ones, and serves as a decent ‘beginners’ guide’ to the ‘cyber war’ thing the media’s again become fixated on. Unfortunately the media’s job these days is to report, without investigating or asking questions. Inside Cyber Warfare, despite the title, helps nail the myths and sensationalism, and provides a good assessment of the situation.
Inside Cyber Warfare is a largely non-technical book, but it has plenty of case studies we can draw the following points from:
* Most attacks on networks rely on some element of social engineering.
* The attack methods are still fairly basic, mostly consisting of DDoS, reconnaissance and site defacements.
* All the politically-motivated incidents accompany real-world events.
* The incidents themselves are mainly isolated, with individual organisations being targeted.
Conventional Warfare as an Analogy
One of my pet hates is the heavy usage of military terms prefixed by the word ‘cyber’, as if making analogies between two entirely different things – conventional war and ‘cyber war’ – accurately reflects the situation. It doesn’t. Whenever politicians talk about ‘cyber pearl harbour’, ‘cyber 9/11’, etc. they’re actually still making comparisons to physical events because there can be no online equivalent.
The objectives in most network-based attacks, the ones hardly mentioned in the media, are centred around disrupting comms, propaganda distribution, and sometimes intelligence gathering. These efforts are more accurately termed and limited to something known as ‘information operations’. Where nation states are involved, the efforts are more likely industrial espionage and economic, and they’ll happen over a prolonged period.
A few arguments recently put forward by politicians go something like: ‘the bad guys have cyber weapons, so we need a range of capabilities’, and ‘we must compete in the cyber arms race’. Those statements are guaranteed to make the front pages, but they have no practical meaning in a world where malware and countless security programs are freely available. There’s also very little to differentiate ‘cyber weapons’ from common malware, and even harder to differentiate between their use from the actions of a common script kiddy, regardless of how it’s legitimised.
Almost all the examples of ‘cyber weapons’ in Carr’s book were generic, outdated and obsolete. Many of them are still infecting computers around the world, but life carries on as normal. All of them had a very limited impact and could be defeated with basic security measures.
Little has changed here since Inside Cyber Warfare was published. Many of the ‘cyber weapons’ used internationally by governments, traded at ISS World, and exposed by Wikileaks, Cryptome.org and Privacy International, are in fact traditional malware produced by companies like DigiTask.
This also means the only useful security strategy is network defence, and the observations I made earlier provide a much better foundation for that.
I’m always more interested in the technical aspects of network security, but social engineering happens to be a common ingredient of security threats. People are often easier and quicker to bypass than physical, hardware and software security. Looking at the Sophos blog, the reader will notice all the malware requires some form of social engineering to actually work, and that was also true of the examples of malware in Carr’s book.
Espionage and Disinformation
Carr assigns a whole chapter to a security threat that’s hardly mentioned: espionage. Today’s social networks make it easier and more efficient in several ways. An agent could build a convincing identity on any social network, join the right groups, make the right contacts, etc. and gather information over the course of several online debates. This can also be done over a much longer period with multiple sources, than was possible before. The latency involved also allows a closer analysis of those discussions. Carr also identifies the potential for multiple online identities targeting and manipulating a single person.
This aspect of information security needs closer attention, as Carr provided the rsults from a couple of surveys that revealed a surprising number of government and military personnel made public their occupations, places of work, the positions they held and their social and family lives.