Truth About Computer Security Hysteria
'Precautionary disconnect' — a disturbing new trend
Sunday, 20 June 1999
A REUTERS NEWSWIRE says Boeing once again disconnected from the Internet as a precaution — this time due to ExploreZip worries. Other reports say the aircraft giant noticed the virus on some systems and disconnected email as a precaution against "wider damage." Boeing possibly also disconnected from the web to stop employees from using free web-based email services as a workaround.
I feel sorry for network gurus at a time like this. Can you imagine the calls they get from frustrated users? "Network admin, this is Peter. Hey, Kathy. Nope, web & email aren't broken, we just shut them down as a precaution. Yes, because of a virus. No, I don't know when Security will let us turn it back on. Yes, we did spend millions to increase the reliability of our Internet connection..."
It makes no strategic sense to disconnect from portions of the Internet more than once as a precaution. In Boeing's case, the computer security office should just nail the door shut. No surfing, no email, no telnet, no RAS, no corporate website, no DNS, no firewall, no pings, no nothing. Boeing can further reduce the threat of über-viruses by returning to DOS, WordStar, and Banyan VINES.
Absurd, you say? Suicide, you say? Tell it to the Army general who recently waved a white flag. He thinks the military should surrender unconditionally in the war against 14yr-old hackers and virus writers. Why not Boeing, too? Why not everybody else?
Something in your brain knows the general's argument won't hold water, yet you can't quite grasp it. Let me help you — the military frets too much about its websites and 14yr-old wannabees. You can't fault the general's logic if you take his perceptions of threat at face value.
Boeing acts on a perceived threat when they unplug from the Internet as a precaution. We can "Monday morning quarterback" them from two angles: (1) Boeing's perceptions and (2) Boeing's actions. Let's start by taking their perceptions at face value. Why, why, why do they let employees use the Internet at all if they occasionally stop trusting its safety? Threats don't magically shrink just because you updated the antivirus package. Didn't Boeing learn anything from Win95.CIH? Didn't they learn anything from Melissa? Nail the door shut, guys.
CIOs should ponder these questions of perception:
- If the computer security office lets employees surf the Internet most of the time, do they let employees use Java & ActiveX most of the time?
- If the computer security office rationalizes a precautionary disconnect as "the price we pay for safety," do they rationalize a forced disconnect (i.e. denial of service attack) as "the price we pay for safety failures"?
- If email attachments pose a "critical threat" to the firm, why does the computer security office let employees send/receive email attachments?
- If some employees threaten the firm because they won't practice "safe hex," why does the computer security office let them use a computer?
USAF Air Combat Command ordered a precautionary disconnect for at least 17 bases when ExploreZip surfaced. A well-placed source said each base rejoined the Internet only after "all workstations and servers were 100% verified protected" against the virus.
Peter and Kathy would love it if Boeing's CIO called the computer security manager onto the carpet. "Craig, you stop Java at the firewall because it's not safe. Is this a gut feeling you have? Or can you show me where Sun's Java security model fails to meet your rigid standards? Because if it's just a gut feeling, I've got some other questions to ask you..."
Fictitious people, by the way. I don't know who runs computer security at Boeing and I don't know if they stop Java at the firewall. At this rate I'll never see their logo on my pay stub, either.
ASK YOURSELF WHERE this "precautionary disconnect" trend came from. Answer: Microsoft made an unintended fashion statement when they pulled the plug during an email infrastructure attack. Hundreds of corporate & government lemmings disconnected in fear when Melissa swamped Redmond on 26 March. The U.S. Senate and the FBI added to the trend's popularity when their websites temporarily remained offline after high-profile attacks.
Cop: "hundreds of marathon runners jumped in the river because one guy suffered heat exhaustion?"
Bystander: "it was a preventive move. They might have experienced heat exhaustion after passing by the river."
Cop: "you're saying all but one lost the race as a precaution?"
Bystander: "marathon runners sometimes pay a high price for their safety."
The roots of precautionary disconnects go back to an Air Force website hack in 1996. Embarrassed Pentagon officials shut down dozens of websites as a preventive measure ... but corporate America didn't consider precaution fashionable before Microsoft's recent escapade.
I interviewed Microsoft computer security employee Daryl Pecelj, who described his company's battle against Melissa. Pecelj alerted his bosses when tens of thousands of messages poured in from infected outsiders. Microsoft did not disconnect from the Internet because of the onslaught — they disconnected because gateway antivirus software failed to stop the onslaught. Pecelj correctly labeled it a "distributed coordinated attack," an obscure term coined by pioneer virus expert Fred Cohen. Redmond implemented procedures to deal with Melissa while they waited for a vendor to come up with antivirus solutions.
Microsoft walked away from Melissa with only a few scratches. Pecelj's use of the term "distributed coordinated attack" tells me his office recognizes the larger concept of "email infrastructure security." Compare this to NIST director Raymond Kammer — his recent congressional testimony indicates he does not adequately understand email infrastructure security. NIST's Melissa FAQ further reinforces my belief. (I'll bet a soda Kammer read the GartnerGroup analysis.)
Hundreds of companies and government agencies played "follow the leader" just because the media said Microsoft pulled the plug. Sounds kind of stupid, doesn't it? Computer security offices rely on strength in numbers when they get caught doing stupid things like this. "Everybody went overboard because of Melissa." Then they rationalize it with a worst-case scenario: "imagine what could've happened if we didn't react this way..." CIOs seem to accept this as a valid excuse! "My people were forced to overreact."
Parents scold children who flip the light switch on & off. Users will get just as angry at people who flip the Internet switch on & off. "CNN reported another über-virus! Shut down Air Combat Command!" This kind of hysteria feeds the egos of 14yr-old wannabees, you know. "Five bytes, huh? Well, I can scare Boeing offline just by changing four bytes in this old virus."
Thankfully, some firms learned valuable lessons when they disconnected as a precaution for the first and only time. They used it as an excuse to flex unused political muscles, or they dusted the cobwebs from procedures never before tested. CIOs should embrace computer security managers who filed a candid "lessons learned" report. Look for this telltale conclusion: "we'll know what to do if we ever need to disconnect as a fallback measure..."
Newsbytes coverage of ExploreZip: "mail servers were reported brought down at numerous firms ... either by fear of the bug or by the bug itself."
I KNOW THE question burning on your lips. "What's email infrastructure security?" I'll tell you this much — ISS doesn't correctly scan for it yet. Neither does WorldSecure. Neither does MimeSweeper. Nail the door shut, guys.