Cyber attacks caused fewer problems to communications networks than unrelated system failures and natural disasters, a study by an EU security agency has found. The European Union Agency for Network and Information Security (ENISA) reports that the average duration of cyber attacks was four hours whilst outages due to nature …
Not All Damage Brings Down the Network
I agree about both the limited sample and the self reporting angle. Not all intruders want their activities to be noticed. Some want to slip in, steal and go so they can use the data to, shall we say, 'improve' their own product. Not all costs are, or can be, fully booked. Intruders and malcontent individuals are not going to come clean about their activities, likewise those who are testing minor sabotage. This is rather like the Japanese Tsunami. The water killed, what? About 30,000, knocked out power and transport and a good deal more, but now nuclear power gets the blame. I'm not saying that Tepco have no issues, clearly they have many points to answer, I'm not saying the placement on the beach was a great idea. I'm not saying the defences were 'industrial strength'. I am agreeing that disasters have such a huge scope that they tend to drown out anything we can expect to achieve - and no pun intended.
As a generalisation, we, as a species, are still pretty cr*p at good planning and organisation. Whether this is against natural disasters, design flaws or, if you are the NSA, at staff vetting and management*.
*Note, other failures are also available.
...the 5 per cent where human error played a role...
If one of my former employers had been among those sampled, this number would have been inverted. I kept track as part of an internal security audit: almost 100% of local outages were caused by my boss or the home office (in that order). Neither party would admit they had done anything wrong, ever, even when confronted with clear documented proof. I suspect that this category of data is greatly under-reported in the study. It seems likely to me that there are plenty of other organizations out there with the sort of corporate environment that discourages reporting of mistakes and failures, especially to outside entities.
Weather and Natural Disasters
No shit the weather and natural disasters cause more damage than a few humans. Weather makes and breaks invasions and is central to a country's wealth. It's easy to take the natural world for granted and believe that technology has tamed it: not so, and it will likely never be so.
Fire, because most wildfires are a side effect of weather.
Untypical survey ...
The ENISA survey is certainly valuable, but it should be kept in mind that the scope was very focussed - they looked specifically at fixed and mobile telephony and Internet services supplied by telecommunication providers. In no way did they look at conventional IT and typical data centres, where the results would be quite different and availability in general is worse. Telcos are a special breed and operate very reliably; they do very intense testing and do use specially hardened gear ("carrier grade").
Drawing conclusions from that ENISA telco survey for other ("plain vanilla") IT operations might be somewhat misleading ...
Cyber attacks/cyberwarfare = the new yeti?
Seriously, I wonder how many truly damaging cyber attacks really take place? Info Sec professionals get all hot under the collar about hackers, lather on about Stuxnet but the amount of truly damaging attacks that take place seem minimal outside some high profile cases (RSA, etc).
It's almost as if there's an industry to support.
Re: Cyber attacks/cyberwarfare = the new yeti?
TL;DR - Worry about 'cyber attacks' but don't stress too much about full-on 'hacking'.
It's pretty obvious, anecdotally at least, that completely non-malicious events are the main cause of downtime. That's not to say humans aren't to blame, because in my experience stupidity, laziness and false confidence are the main causes of issues.
But, to headline a story "Forget hackers - storms and snafus are bigger threat" is a bit misleading.
Here's Dan's friendly advice: DON'T 'forget hackers' but DO realistically assess the risk.
Having been a consultant I have had many clients ask how safe they are from 'hacking'. I usually tell them that there is always more that could be done and there is always risk but that, realistically, no one would be interested in 'hacking' them.
That's the crux of it.
Cyber attacks come in four forms:
1. Un-targeted, mass-distributed attacks (malware, website XSS, etc...)
2. Opportunistic attacks
3. Targeted attacks from disgruntled employees/contractors
4. Targeted, concerted efforts
The first two are what 99.9% of companies should focus on and the strategy to mitigate those risks is simple - conceptually if not in implementation:
* Patch bugs and keep software up-to-date
* Keep a good security/virus/malware solution up-to-date
* Adhere to the principle of least privilege
* Prevent users from installing software (so far as feasible)
* Enforce a strong password policy
* Monitor your links and general server health for any anomalies
But perhaps most important: educate your users. Have a thorough written IT policy that is reviewed periodically and advertised regularly. Make sure all staff have read it and understood it and make them sign off to say they have read it and understood it. Repeat this at least once a year and whenever it is updated. Make sure there are clear disciplinary consequences for users who do not follow the policy.
As I tell my clients, the settings and restrictions implemented from the IT side are NOT an IT use policy - they are the means of enforcing and monitoring an IT policy.
<Got a bit sidetracked there - you can tell I've tried to get this across to more than one stubborn client.>
The third attack - one undertaken usually by people known to the company, like previous or current employees - is not overly common compared to the first two but is still the most common TARGETED attack, so it is worth spending a bit of time addressing. The simplest and most prudent step to take is around your password and access policy; make sure everyone has a strong password that is regularly changed and that staff are made aware that they are fully responsible for their password and should NEVER give it to any other staff. That means that we sysadmins are never to ask a user for their password - we must instead reset it.
Really, most of the steps for mitigating the first two attacks apply to this as well, as such attacks will usually be of a low to intermediate technical level and, if not successful at first, are likely to be dropped.
To get from protecting against the first three attacks to protecting against the last is a BIG step. Sure, there are little, sensible things you can do, but in the end a truly determined effort will breach most networks.
This is the 'hacking' most of my clients are talking about and the reality is that it's a non-issue for most companies.
An analogy for the whole thing might be dying. (Sorry for the dark tone.)
Natural causes, disease and accidents are the most likely causes. Have a smoke alarm, don't fiddle around with the electrics, look before you cross, exercise, eat healthy, etc...
Malicious attacks on your network are similar to malicious attacks against your person. Sure, they're less likely than disease or accident but that doesn't mean you shouldn't take reasonable steps to avoid being mugged.
Without drawing a parallel for every type of cyber attack, real 'hacking' is like being murdered by a hired assassin - exceptionally hard to protect yourself against, but for the uncountable majority of people it's just not an issue. Some people of course are more likely to be the target of an assassination attempt, and so it is with companies and their IT systems. Those companies at risk of such an attack take very detailed, very expensive precautions, and these require CONSTANT monitoring - just like (e.g.) presidential security.
Sherlock, because it does seem all rather elementary now that I've bashed it out.
CEO to developer staff - quick, develop software that can be marketed as protecting against storm attacks, there appears to be more money in it than anti-virus software.
Not all outages are created equal
An outage that requires me to reload a webpage is trivial and can be ignored.
An outage that allows a hacker to install a man-in-the-middle and take my bank information is not so trivial and ignorable.