Why are only moneymen doing cyber resilience testing?

Although Chancellor George Osborne spoke of the National Grid, hospitals and air traffic control as potential targets of online attacks in a recent high-profile speech at GCHQ, only the financial services sector runs comprehensive stress tests. The lack of exercises designed to hone defences raised serious …

  1. Bc1609

    Herd immunity

    "...true cybersecurity will take a large dose of herd immunity...".

    "Herd immunity" is not a term I've heard used in connection with "cyber" security before, and it's interesting to try and concoct a scenario in which it might exist. In its original sense, herd immunity refers to the idea that if enough members of a group are immune to a particular disease, even those who are not immune can enjoy a degree of protection due to the reduced avenues for infection.

    This sort of makes sense if one is talking about certain types of self-propagating malware (the "I love you" virus, for example), where an infected business could infect another, but my understanding is that the threats faced by large organizations are usually in the form of spear-phishing, social engineering and other, more targeted attacks that are unlikely to spread from one business to another because they are being instigated by the attacker and tailored to the company in question. This would, one supposes, be especially true of attacks against infrastructure targets, which often have rather idiosyncratic systems.

    I suppose it is possible that someone wishing to attack the infrastructure of the Grid, say, might go about it by infecting the systems of a supplier or contractor with whom they have regular contact, and so trick a Grid employee into opening an infected file which they think is from a trusted source, but I'm not sure that's what the article is driving at.

    Can anyone think how the quote above might be true? The only other thing I can think of that remotely relates to "herd immunity" is stuff like Macs being (supposedly) less prone to malware because of the smaller number of people using them - but that's because the potential reward for writing Mac malware is lower than that when writing for Windows, and isn't really the same thing at all.

    1. Anonymous Coward

      Re: Herd immunity

      I think somebody thought it sounded nice, and used it regardless of its (lack of) actual relevance.

      I'll be delighted to be proved wrong.

    2. Tom 13

      Re: Herd immunity

      Reading that entire paragraph, I think what we have here is a Buzz Word Bingo player. Or to mangle Inigo Montoya: "I do not think that phrase means what he thinks it means."

      Honestly with sophisticated malware being what it is today, I don't think you'll get herd immunity effects even for opportunistic stuff. It's too easy to have a C&C that scans for vulnerabilities once the initial payload reports in.

    3. Anonymous Coward

      Re: Herd immunity

      I think the concept of herd immunity can apply in this context. Most malware re-uses kits or techniques, and the fewer targets that will fall to a particular technique, the less productive developing a kit around it would be.

      If most organisations have good patching routines and strong "cyber security" policies in place, the less fruitful these types of attacks will be, and so fewer attacks will happen (because the people developing the attacks, whether criminals or state actors, are better off using their resources pursuing other avenues towards the same goals, either by having girls in short skirts hanging around outside the air traffic control tower, or mugging old ladies when they collect their pension).

      1. Anonymous Coward

        Re: Herd immunity

        And with shared attack and mitigation information, the fewer successful attacks by any one or few targets. That's the idea in theory. In practice I am of the belief that the low signal to noise ratio will preclude detection until well beyond effective mitigation. It's in the nature of the beast and has as its purest example the NSA & FBI. {Shrug} They won't learn so I, for one, will wait to greet our new post-apocalyptic overlords.

      2. werdsmith Silver badge

        Re: Herd immunity

        If there are 30 houses in my street, 20 have prominent burglar alarms and other physical security measures, and 10 don't, then which houses are going to be targeted? Herd immunity won't help here.

        Or a herd of antelope, most of them are fit and healthy and can run fast, a few are weak. Which get preyed upon?

        The same will apply where hackers go looking for a victim: they will seek out and find the vulnerable, and herds won't help them at all.

        The scenario where herd immunity might help is by reducing the number of nodes that can take part in a DDOS attack.

        1. Bc1609

          Re: Herd immunity

          Or a herd of antelope... Which get preyed upon?

          That's it, I think - the analogy is not one of disease and infection, but of predation. Well done.

        2. Tomato42

          Re: Herd immunity

          > If there are 30 houses in my street, 20 have prominent burglar alarms and other physical
          > security measures, and 10 don't, then which houses are going to be targeted.
          > Herd immunity won't help here.

          But if 29 have, yours might simply get overlooked.

          Remember, if it's hard to find "in the wild" vulnerable systems, it is also hard to develop probes for them.

          And as you rightfully pointed out, having fewer vulnerable systems on the 'net also means it is harder to round them up to significant sizes for a big DDOS attack.

  2. Known Hero

    Hey !!! I have a great Idea

    "The stakes could hardly be higher – if our electricity supply, or our air traffic control, or our hospitals were successfully attacked online, the impact could be measured not just in terms of economic damage but of lives lost," he added.

    Let's put a load of smart meters out there that can't be replaced !!!

    *Just found out that my smart electric meter that developed a glitch cannot be repaired or replaced. They will have to replace the entire smart meter, Oh and replace the Gas meter whilst they are at it so I am told!

    Only 2 years in and already obsolete :(

    1. dcluley

      Re: Hey !!! I have a great Idea

      I had a long correspondence with my local electricity board last year when they wanted to put in a smart meter. I think I shot down every single reason they put up for installing it; but I suspect the killer was that at the time the British Standard for these things had not yet been agreed. They admitted that there was a possibility that the then current design might not comply with the standard when it was eventually agreed. Since then I haven't checked to see whether one has yet been agreed.

      1. Anonymous Coward

        Re: Hey !!! I have a great Idea@dcluley

        Officially the answer is that it isn't a British Standard, it is the DECC SMETS standards. SMETS2 is supposedly the definitive version and was ISTR finally agreed about November 2014. Some non-compliant meters can be upgraded in firmware, some can't, and all those will need to be upgraded to, or replaced with, SMETS2 compliant meters.

        Even with a compliant meter, they can't force you to have one operating in smart meter mode. They can in theory (since it is their meter) replace the asset without your consent and run it in dumb mode, although even that is next to impossible because safety rules mean they have to have access to the consumer side electrics, and if you're not willing to be in, or not willing to have supply interrupted then they can't do it.

        Eventually the bureaucrats at DECC will have you on a smart meter, whether you like it or not, because you don't have an option to have a pre-existing meter removed or deactivated. Most of the population will take the pill and swallow it, and when the anti-smart meter types move house their chances of avoiding a meter are greatly reduced.

        1. dcluley

          Re: Hey !!! I have a great Idea@dcluley

          Yes - I was using a bit of shorthand when I referred to a British Standard. Sorry - I should have checked to get the right one; but the principle is still the same. Either way the concept is flawed. They say it is designed to cut down on usage to save generating capacity. But the times of peak demand coincide with family meal times and program breaks in TV programs and no amount of smart meter installation in domestic premises is going to make any difference to that. There is a case for smart meters for industrial/business users who can be more flexible.

          Other problems are the reliance on wireless communication for meter reading which I suspect is highly susceptible to hacking and that is a whole unwanted dish of works.

    2. Charles Manning

      "developed a glitch"

      Do you mean it had a hardware failure or that the software stopped working due to the infrastructure it communicates with changing?

      Smart Meters are a great wheeze. Get the numptie government to push them through at huge expense.

      When they fail to deliver promised benefits, show them V2 which really is so much better. Fit those.

      Rinse and repeat with V3, V4, ...

      1. Known Hero

        Re: "developed a glitch"

        @charles, The display unit throws a wobbly and reports massive electricity use and sounds off alarms. This causes people to wake up in the middle of the night :(

        They cannot replace it as it isn't made any more, and to repair it, they need to replace all our meters :/

  3. Anonymous Coward

    Why are these systems even on the internet?

    1. Paul Crawford Silver badge

      A very good question and the answer is usually one or more of three options:

      1) Cost savings

      2) Convenience

      3) Trendy, as everyone else is apparently doing it

      Sadly there has been nothing serious to place responsibility on those in charge to do it properly. And by that I mean to consider security from the very beginning: how it is protected, how it is partitioned to control damage, how it is tested, how it is patched [repeat from start]. Dangle serious fines and jail time over managers and things will then be done, otherwise it's business as usual until the shit hits the fan...

    2. PaulyV

      This was going to be my question as I have little knowledge regards such systems.

      There must have been a logical rationale for having, say, air traffic control linked to 'the internet' in some manner, but I cannot understand what it would be.

      Can anyone shed light on this for me?

      1. Vic

        There must have been a logical rationale for having, say, air traffic control linked to 'the internet' in some manner, but I cannot understand what it would be.

        ATC is a dispersed operation; it runs from controllers in larger airfields. Having those controllers get data updates from neighbouring areas makes a lot of sense - flight plans (and changes thereto) get updated automagically all along the flightpath. This reduces the number of unnecessary search & rescue operations.

        It should all be running atop a seriously hardened VPN, though. I have no knowledge as to whether or not it is.

        Vic.

    3. Tom 13

      Re: Why are these systems even on the internet?

      Because proper planning and testing for these systems runs 5-20 years and computer tech doubles in power rather more quickly than that. Back in '99 I did a stint visiting various US airports for Y2K scans. Some of the places were still running 386 desktops. So their refresh cycles are slow.

      Remember, all these systems were set up decades before the arrival of the internet. Initially they were set up as separated systems. Air gap firewalls were automatic. Building connections was expensive and data transfer was slow. When the internet became widely and cheaply available it was too efficient at transferring data to NOT use it. But the implementations don't take into account the risks associated with it.

      1. phil dude

        Re: Why are these systems even on the internet?

        How about point-to-point VPNs (choose your flavour) and impose a secure network topology?

        Surely in this day and age of COTS a retro fit might cost *money* but is a long way from "new"?

        P.

        1. Tomato42

          Re: Why are these systems even on the internet?

          @phil dude: ask Iran how their airgapped systems are working

          by making the network larger you're only making it easier to find the idiot that sticks a pendrive he found on the street into the work computer and infects the whole network

  4. Mr_Pitiful

    Paris is worse

    Air traffic control is still being run on Windows 3.1 machines

    http://metro.co.uk/2015/11/16/flight-chaos-as-airport-admits-its-air-traffic-control-pcs-still-run-windows-3-1-5505950/

    1. Tom 13

      Re: Paris is worse

      Ironically these days that might actually make them safer than the ones running Win7 or later.

    2. Anonymous Coward

      Re: Paris is worse

      Yep, and I still can maintain it. Then again I can recall calling my Mom on how to diagnose and repair a TACAN (VORTAC) from when she wore the uniform. So having W 3.x around, among other packages, 5.25/3.5" drives around, well I keep it ready. Come to think of it, putting all my most secret stuff on 3.5" disks would be diabolical.

    3. Steve Todd

      Re: Paris is worse

      To be fair it's not the ATC system that is running Windows 3.1, it's the box that was used to get weather data from their met office. You could have pretty much done that on an 8 bit machine.

  5. Paul Crawford Silver badge

    Typo

    "We see from this place every day the malign scope of our adversaries’ advertisers' goals"

  6. Anonymous Coward

    Why would they - they are PRIVATE companies.....

    The Tory government sold off lots of things and the Labour government sold off NATS.....

    As a private company - if you don't have to spend money - why bother!

    1. Primus Secundus Tertius

      Re: Why would they - they are PRIVATE companies.....

      But they are not supposed to be negligent, whatever they are.

      1. Will Godfrey Silver badge

        Re: Why would they - they are PRIVATE companies.....

        When did 'supposed' have anything to do with ripoff business decisions?

    2. Anonymous Coward

      Re: Why would they - they are PRIVATE companies.....

      Oh why the thumbs down ???

      This is the truth - NATS is a private company these days.....not owned by the government - but a consortium of airlines who were appalled at trying to make money from safety ......

      Get with the plan..... understand that even not-for-profit private companies cannot just spend money they don't have - and when it's a company which cannot really make money from selling anything - where is that money coming from ?

      The airports get the main amount of money from the landing fees.....

      The government made the decision to both sell off BAA and then decided that BAA was too big once Ferrovial bought it....so now we have money grabbing companies like GIP trying to squeeze every single penny they can from passengers and airlines alike.....so what are they doing about paying NATS.....???

      1. Bronek Kozicki

        Re: Why would they - they are PRIVATE companies.....

        Banks are private companies and they actually care (although not enough) about security. Why? Because the only unique selling point they have is customers' trust. Lose it and you lose the business, as many banks proved a few years ago.

        On the other hand, as experience tells me, government driven "enterprises" do not give a shi* because their unique selling point is that you have no choice. Just fuck off and be thankful they provide any services at all, secure or not.

  7. Stevie

    Bah!

    Squirrels? Get real. MBAs are the real danger.

    The biggest failure of the power grid to date in the USA is pretty much founded in the power company solely at fault firing everyone who had any experience of running a power generation and distribution network and replacing them with IT professionals and meter readers.

    The results, as explained in the official report, were an almost purpose-built grid crasher employing a highly redundant design of military grade. Viz:

    Closing down the most important of seven power generation facilities for maintenance during its heaviest load season.

    Failure to properly maintain the grid infrastructure (i.e. not trimming trees).

    Ignoring field reports of shorts and fires because the computer generated instrumentation was not agreeing with eyewitness statements.

    A clueless IT team who at no stage of the diagnoses and fixing of the underlying problem causing those instruments to disagree with the field reports showed any awareness that their job *wasn't* just to keep some servers running and therefore had no situational awareness of their own contribution to the building fiasco.

    A complete failure to recognize the consequences of a local power shortage problem and remediate it before it caused a massive overload of the whole network because no-one at the desk knew jack about how power stations must work in a national context and what a local network must never do.

    And my personal favorite: Once the problems were acknowledged and recognized for what they were (a disaster in the making), working the problem solution playbook (a replacement for actual people who knew what they were doing) from the wrong failover scenario because the down-for-maintenance power generation facility had already put them in a "class one failover" and no-one realized it.

    The importance of squirrels when placed in the context of this sort of Long Range Directorial Uckfup is, I submit, so small as to be negligible.

    1. Bronek Kozicki

      Re: Bah!

      From your description I would say that in said company, squirrels are in charge.

  8. Anonymous Coward

    Unicorns

    Luckily, for our spider-security protection purposes, the number of actual (non false-flag) infrastructural attackers is still close to zero (+/- a few percent)

    Hence why they are referred to as spider-attacking unicorns

    (For management: cyber-attacking jihadis in CESG speak)

    Of course, I do suggest that we urgently improve the spider-defences of our infrastructural blocks

  9. drewf74

    Accidental connections

    Unfortunately there are many instances of facilities which are run by people who don't believe they are connected to the internet, but since other people have been careless, or have added unauthorised bits of kit, they just happen to gain this connectivity.

    Another slight problem - critical pieces of equipment which are being leased on a photocopier-style business plan, and the owners remotely VPN/dial-in (sometimes really dial-in on a modem) for maintenance and to read the meter. When there's the potential for plant-wide connectivity from that kit, securing that access point can be tricky. The bean-counters are not generally the same people as are responsible for security. Money saved at one end, could cost the entire corporation at the other.

    Many of the industrial plants are believed to be secure since they are air-gapped. Worked a treat with Stuxnet though, didn't it? Since so many places are still running on XP (and will continue to do so for years, since it's not as easy as you might imagine to simply replace/upgrade equipment), getting a piece of malware to take root is not too hard. Patches? Not usually. A/V? Not usually... Will the engineer download something at home onto a laptop and take it inside the control network? Yep...

    Big industry players are certainly aware of the issues, and plenty have programs to deal with it. Could be many years before most of those programs are really effective though.

    1. Will Godfrey Silver badge

      Re: Accidental connections

      "The bean-counters are not generally the sane people ..."

      FTFY

    2. Bob Dole (tm)

      Re: Accidental connections

      >>Could be many years before most of those programs are really effective though.

      I'd hazard a guess that the *only* way those systems will get a real security overhaul is after one or more plants are taken off line by a verifiable attack. Then the governments will actually demand the owners fix the problems.

  10. Cynic_999

    Nuclear power stations

    The new nuclear plants being built in the UK are bound to be secure from cyber attacks because they will be made by China, which can be trusted with such matters.

  11. Disgruntled of TW

    Credentials ...

    I'm sorry, but why should we listen to anything Osborne says about information systems security?

    It's as if getting voted in suddenly endows politicians with years of experience and knowledge that they didn't have before they won an election.

    Get some experts involved, not mouth puppets.

  12. Trixr

    The US != the entire world

    Just because the US doesn't do basic testing doesn't mean nowhere else in the world does. Whether they act appropriately on such testing is something else.

  13. Alan Bourke

    Always loved that NORAD display.

    ... and I always wondered why Grand Forks looked like buying the farm first in 'War Games'. Granted, Grand Forks AFB is there but I always wondered if it was an in-joke from someone involved in the film.

  14. Anonymous Coward

    Bank of England

    Cyber resilience tests are currently mandatory for the financial sector, and this is enforced by the Bank of England.

    Ahh, The BoE have been busy working out what computers are. That could explain why they were asleep in the run up to the financial crisis, and why they've done nothing to make the banks learn the lessons since, and UK household debt is now a larger share of GDP than before the crisis, and house prices average five times earnings.
