[ISN] Is Your DR Plan Vulnerable to an Attack?

InfoSec News isn at c4i.org
Thu Mar 23 04:49:44 EST 2006


Opinion by John Webster
MARCH 22, 2006

Sorry, I have to do this. I have to rant. Here's what I have to get
off my chest. News item: "DHS Scores F on Cybersecurity Report Card."  

Last week, a congressional oversight committee gave the U.S.  
Department of Homeland Security a failing grade on its annual
cybersecurity report card. Congress says that when it comes to
protecting the country's data infrastructure -- an entity that in
itself has become critical to the continued functioning of the U.S.  
economy -- the DHS is a D-U-N-C-E. Appalling.

Shortly after 9/11, I published an article at SNWonline.com that
stated that an aggressive and well thought-out attack on our financial
information systems could be economically devastating. Furthermore, I
wrote that the attacker didn't have to strike by exploding a dirty
bomb or hijacking a plane. In fact, the attack could be executed
without taking a single life. An attacker using electronic means could
even be smart and resourceful enough to disable disaster recovery (DR)  
capabilities just before launching an attack.

To be sure, I didn't expect Washington to hear this particular warning
because at the time, there were many more audible voices saying the
same thing. But the very sad truth is that the current administration
wasn't listening to them either. In fact, the DHS has been handed the
cybersecurity dunce cap three years running. The rest of us knew that
Al Gore was just joking when we claimed to be the creator of
cyberspace. The DHS must have taken the joke seriously because they
behave like cyberspace is a place where only liberals live.

If you are an IT professional, I think it is safe to assume that the
DHS doesn't get it and won't -- that it's not even interested in
locking the door at night. I think that means that you, the IT
professional, have to double-down on security measures. This would
include scrutiny of firewalls and adding storage-based security. And,
here's another thought I have in that regard: Is your DR plan
vulnerable to an attack? Said another way, could an attacker disable
your DR capability prior to launching an attack? In essence, does your
DR plan have a DR plan?

We now live in a society in which very powerful -- and potentially
harmful -- information technologies can be had at a cost of something
between cheap and free. As an attacker, all you really need to add to
the mix is brain power. In fact, I personally think that all it will
take is one devastating cyberattacker to prove to us that bombs are
obsolete. So I ask again. Is your DR plan safe from attack?


John Webster is senior analyst and founder of research firm Data 
Mobility Group LLC. He is also the author of numerous articles and 
white papers on a wide range of topics and is the co-author of the 
book Inescapable Data: Harnessing the Power of Convergence (IBM Press, 
2005) [1]. Webster can be reached at jwebster at datamobilitygroup.com. 

[1] http://www.amazon.com/exec/obidos/ASIN/0131852159/c4iorg

More information about the ISN mailing list