Cyberthreats are real, they're active and I believe just now they compromised my keyboard in hopes of engaging me into game of Cybergeddon Pearl Harbor.
I say this because it is obvious, the news agencies are telling me so. Not only did they tell me so, but so too did many policy makers who know as much about computers as my newborn puppy Kenji. Recently, the hot topic is: "Anonymous Will Take Over The Internet"  (no this is not a typo).
With an even more laughable comment: "NSA director Gen. Keith Alexander issued his warning in private government meetings, and Anonymous hasn’t yet been added to any public threat list." The comment is not only funny, but it can be misconstrued. Funny: "We haven't added them to any list yet"... Really? Who are you planning on adding? An individual, a Guy Fawkes mask?
Misconstrued: "You know enough about the individuals involved but haven't determined whether to arrest them?", or “you haven’t determined how you want to classify them? Non-enemy combatant, terrorist, i-Terrorist?”
We have calls for "Cyber Peace Keepers" , talks about "Cyber Grenades" , "Cyber Arms Race" , and so forth. It would seem that as long as an article has a wordcount of at least 200, the word "cyber" will be used no less than 50 times. Therefore, it MUST be true, and it MUST be worthwhile reading.
Enter the "Cyber Military Industrial Complex 101" expose you are now reading.
Common sense dictates that there is money to be made in “cyberlandia.” A lot of money and someone is going to make it. They will make it by using any boogeyman available. Cyber is definitely the new Gold Rush, however much of what is being portrayed to and by the media is blown out of proportion and unrealistic.
Let us take a look at Anonymous. The news theory goes (not my words): "Anonymous will take over a power plant, cut power..." chaos ensues and so forth. The reality is that our current infrastructure has been attacked millions of times since the inception of the Internet and, in fact, there are plenty of hardcore competent security individuals actively scoping out vulnerabilities in this sector.
For example, the talented crew over at Immunity and researchers at Gleg offer existing SCADA exploits . The world did not come to a halting stop because they have done so. No visible hackers are going on a global scale and shutting down each others’ electrical, water or gas infrastructures.
Unless there are gaping holes in the existing infrastructure, I do not foresee Anonymous doing much to attack it either. You see from the security perspective, Anonymous has yet to come out with vulnerabilities and or vulnerability research.
Anonymous has seemed to thrive on finding existing holes and social engineering. The vast majority of those holes have been SQL related from what I have read. They have exploited common human error or stupidity depending on your point of view.
Now, I hate to sound harsh but: “there is no patch or fix for stupidity.” Proper training in common security objectives; password re-use, proper policy, log monitoring and existing security technologies can keep hackers like Anonymous at bay. There is nothing that the group has done that I have read about to make me say “wow.”
This is not to say that they are low level hackers, on the contrary, they were smart enough to beat many so called security professionals.
I believe that any “security” downfall will come via way of the herding instinct where in the security industry, is rampant. An electrical or nuclear facility being compromised won’t likely come via way of a “zero-day” or "technical" exploit, but it will likely come via way of human error. Someone would have re-used their password, an engineer would have likely placed a critical machine in the wrong network.
This ultimately means that I anticipate either sheer stupidity – or lack of oversight (your choice) – or a client side attack will cause an event. I will not get into client side attacks for those who don't understand it (please Google the term client side attack).
So how do we a) Stop the attack and b) Stop the Fear-mongerers from continuously bombarding us with fictitious tales of “a bored hacker is (obviously) going to be mad enough and one day take over an Airplane, force it to crash and burn, while taking over a nuclear facility and blacking out the west coast.” Stop the attack – stop following the crowd.
Many documents regarding security defenses have been written, re-hashed, re-written, developed, deployed, tested, vetted and so forth. Many of these fail miserably. They fail not because an author didn’t understand security, but because the individual implementing it either had little clue, was only dealing with security measures to cross their T's and dot his I's. Security, wasn’t understood.
Individuals in an environment where interconnections between machines, and information technologies are a daily task need better training and awareness. Unlike the 80's and 90's where if a machine sprouted up on a network, it was given an address and fed to the sharks (anything on the network), today’s networks and interconnections need to be thought out thoroughly. Not only to keep them from the sharks in the ocean, but any threats within an organization.
The threat can be something as benign as an operating system update - as that too has the potential to cause the same type of damage as an attacker. Segregation of not only duties, but networks and machines need to be performed as well. Stop the fear-mongering – The Cyber Military Industrial Complex.
Individuals in security companies need to stop with their nonsensical games of FUD based marketing. Far too often, many are making outrageous claims and always have an agenda. That agenda is to sell security products:
“Look at the Whitepaper we’ve created, we have an uber-hyper staged attack that will scare you into submission. The attack? So far-fetched that you’d have a better chance at hitting the lottery than pulling this off. But hey! If we can think it, so can an attacker, therefore give us your cash and we’ll protect you!”
The reality is that many of these same companies offered and are offering you the same technology time and time again. The same technology that they swore would protect you long ago. First it was the firewall, then it was Intrusion Detection, followed by Intrusion Prevention. Now it is “Intrusion Tolerance” and Data Loss Prevention.
For all the technology they’re feeding you, companies are still getting compromised. It is not the technology that is the failure, it is the people and it is the implementation of these technologies. It is the lack of understanding of one’s own network.
When will security “evangelists” stop thinking of “unique” titles to add to their names and start focusing back on the core fundamentals of security? It is not that difficult as many security professionals would have you believe it to be.
Security isn’t a product, it isn’t a certification. Security is a procedure, it is a process, it involves thinking. Perhaps therein lies the problem, NIST has not created NIST1337 “A Critical Guide to Common Sense in the Security Industry”.