| By Patrick Hynds |
Article Rating: |
|
| February 7, 2006 11:30 AM EST |
Reads: |
19,392 |
Information Storage & Security Journal Co-Editor-in-Chief Patrick Hynds writes: The U.S. deparment of Homeland Security is performing a readiness test this month called Cyber Storm, after rescheduling. The Cyber Storm exercise is about ensuring and testing against a computer based attack or hack against public infrastructure targets as well as some parts of the private sector. This has caused some (on Slashdot.org for example) to decry it as idiocy that will only "break the Internet". These are likely the same people who would apportion blame if an attack came and we found ourselves unprepared.
You can't have it both ways. Either organizations should prepare for and test against potential attacks or they should not. Anyone who understands security knows that what does not get checked does not get done (that also applies to pretty much everything else in the world as well).
A point brought up in the critical banter on Slashdot was that by announcing the exercise, they were providing a perfect time for hackers to mask their activities. Had a detailed schedule and list of targets been provided then I would agree, but to expect a hacker to gain an advantage from the vagueness of the announcement would show that the speaker does not understand either side of the game.
During the course of my career, I have participated often in security audits, some of which included overt hacking attempts. In every case, I am certain that the exercise has greatly improved the security of the organizations involved and in some cases has headed off what would certainly have been devastating losses. Security is like any system maintenance that must be done. It can be done well or it can be done badly. More than once a misguided administrator has brought down a critical server with an error in scheduling or other configuration. To assume that the Cyber Storm will produce a negative result is cynical and if the cynics predict doom often enough they will certainly be correct eventually.
I say we avoid criticizing organizations that take steps to improve systems and hold the apportioning of blame until after there is something worthy of blame. I hate cynics.
Patrick Hynds, MCSD, MCSE+I, MCDBA, MCSA, MCP+Site Builder, MCT, is the Microsoft Regional Director for Boston, the CTO of CriticalSites, and has been recognized as a leader in the technology field. An expert on Microsoft technology (with, at last count, 55 Microsoft certifications) and experienced with other technologies as well (WebSphere, Sybase, Perl, Java, Unix, Netware, C++, etc.), Patrick previously taught freelance software development and network architecture. Prior to joining CriticalSites, he was a successful contractor who enjoyed mastering difficult troubleshooting assignments. A graduate of West Point and a Gulf War veteran, Patrick brings an uncommon level of dedication to his leadership role at CriticalSites. He has experience in addressing business challenges with blended IT solutions involving leading-edge database, Web, and hardware systems. In spite of the demands of his management role at CriticalSites, Patrick stays technical and in the trenches, acting as project manager and/or developer/engineer on selected projects throughout the year.
Subscribe to Virtualization Journal Email News Alerts
Subscribe via RSS
