This was born out of two sequences of events:
(1) Attending the SANS webcast Virtual roundtable featuring Ed Skoudis, Mike Poor, and Hal Pomeranz, where the topic of cyber warfare / cyber attack was raised due to the current activity against South Korean and US government networks.
(2) During the same week I was reading “The Management of Network Security”, in which the authors raise the concept of Properties of a Good Network Environment. The authors discuss the need to protect the physical attributes of the network, such as power, wiring, conduits, etc. They refer to a few lessons learned from the Hurricane Katrina and New Orleans disaster.
These two events got me thinking, from an audit perspective, about how often we tend to downplay (with a very low risk probability) the risks around network connectivity reliability, IF we even have them on our risk assessment list in the first place. I remembered the Internet outage of Dec. 2008, “Mass Internet outages in Egypt”, in which three Internet cables were accidentally cut off the coast of Sicily, causing a massive outage throughout Egypt.
I started to look around a little, wondering about the frequency of “Internet outages caused accidentally by backhoes”. First, I was surprised at the result: 170 links. (Isn’t our favorite search tool, Google, just great? Who can go a day without saying thank you? But I digress.) In thinking about some discussions I have had with other IT auditors, we tend to treat Internet connectivity outages as a very rare thing, and thus do not pay much attention to them. We also often look at the issue with only one question: “What if we were to lose Internet connectivity?” I propose we should have an additional question: “OR what if our main business supplier(s) lost connectivity and we cannot access them?”
Looking through some of the links from the above Google search, a few things become very apparent:
- It is often completely accidental. My favorite quote was “An idiot with a backhoe, accidentally cut the line while digging.” Of course it could not have been done by a sane or non-idiot person.
- It often takes a few hours or more to find a quick/temporary solution and reroute the traffic, IF that is even possible. It takes months to get a complete repair done and for things to go back to normal.
- These are not small companies that have suffered these types of incidents (Verizon, Sprint, AT&T, to name a few), and most of the incidents are recent (2008 / 2009).
- The backup solutions tend to be magnitudes slower than the mainstream connection.
This is not only a US issue but an international one, which leads me back to my point: what if it is our business supplier that lost connectivity? Many companies use overseas call centers, overseas programming teams, overseas technology support hubs, etc. Perhaps outsourcing IT resources is going to come back and haunt us someday?
So why then do we as IT security auditors downplay the issue? Forward-thinking IT administrators often secure redundant circuits from their Internet Service Provider. But how often is the last leg into the building following the same non-redundant path? Or we secure two different means with two different bandwidth connection speeds. After all, who is going to be able to justify paying for a second 10/20/30 Mbps connection that is used, perhaps, well, never if all goes well? Should we as IT security auditors even worry about such issues, or should we just declare them under AOG => Acts of God and uncontrollable?
My 2c from small town America
