http://www.computerworld.com/securitytopics/security/story/0,10801,109795,00.html
Opinion by John Webster MARCH 22, 2006 COMPUTERWORLD Sorry, I have to do this. I have to rant. Here's what I have to get off my chest. News item: "DHS Scores F on Cybersecurity Report Card." Last week, a congressional oversight committee gave the U.S. Department of Homeland Security a failing grade on its annual cybersecurity report card. Congress says that when it comes to protecting the country's data infrastructure -- an entity that in itself has become critical to the continued functioning of the U.S. economy -- the DHS is a D-U-N-C-E. Appalling. Shortly after 9/11, I published an article at SNWonline.com that stated that an aggressive and well thought-out attack on our financial information systems could be economically devastating. Furthermore, I wrote that the attacker didn't have to strike by exploding a dirty bomb or hijacking a plane. In fact, the attack could be executed without taking a single life. An attacker using electronic means could even be smart and resourceful enough to disable disaster recovery (DR) capabilities just before launching an attack. To be sure, I didn't expect Washington to hear this particular warning because at the time, there were many more audible voices saying the same thing. But the very sad truth is that the current administration wasn't listening to them either. In fact, the DHS has been handed the cybersecurity dunce cap three years running. The rest of us knew that Al Gore was just joking when we claimed to be the creator of cyberspace. The DHS must have taken the joke seriously because they behave like cyberspace is a place where only liberals live. If you are an IT professional, I think it is safe to assume that the DHS doesn't get it and won't -- that it's not even interested in locking the door at night. I think that means that you, the IT professional, have to double-down on security measures. This would include scrutiny of firewalls and adding storage-based security. And, here's another thought I have in that regard: Is your DR plan vulnerable to an attack? Said another way, could an attacker disable your DR capability prior to launching an attack? In essence, does your DR plan have a DR plan? We now live in a society in which very powerful -- and potentially harmful -- information technologies can be had at a cost of something between cheap and free. As an attacker, all you really need to add to the mix is brain power. In fact, I personally think that all it will take is one devastating cyberattacker to prove to us that bombs are obsolete. So I ask again. Is your DR plan safe from attack? -=- John Webster is senior analyst and founder of research firm Data Mobility Group LLC. He is also the author of numerous articles and white papers on a wide range of topics and is the co-author of the book Inescapable Data: Harnessing the Power of Convergence (IBM Press, 2005) [1]. Webster can be reached at [EMAIL PROTECTED] [1] http://www.amazon.com/exec/obidos/ASIN/0131852159/c4iorg _________________________________ InfoSec News v2.0 - Coming Soon! http://www.infosecnews.org