-1

What practical methods should citizens be using to protect themselves against, and reduce the impact of an attack against critical national infrastructure

A lot of recent news about critical network infrastructure under DDoS attacks, for example GoDaddy. Furthermore with the discovery of APTs like Stuxnet and flame the danger of cyber war is beginning. The U.S. Defense Secretary said that if we don't secure our computer systems and networks they will be on the way to destruction. So I'm wondering, what practical methods should citizens be using to protect themselves against, and reduce the impact of a Cyber Pearl Harbor?

According to my threat model I divided computer systems into tiers. Each higher tier should follow everything lowers tiers do and more. The lowest is regular computer users - primarily they need to protect against becoming infected as part of a zombie botnet, but also becoming infected so that any removable media could not infect their workplaces (a higher tier priority).

Regular people:

  • Strong (high entropy and salted) Passwords Changed Monthly
  • Full Disk Encryption and External Hard Drive (reduce the attack surface to modify your computer data to one of: physical access, remote code execution..) compartmentalizing threat models. with regular backups.
  • Firewall and no unnecessary services:
  • Disable vulnerable software java and flash
  • HTTPS everywhere (block interception and man in the middle attacks.. make sure all devices check certificates correctly)
  • Tor over VPN (anonymity + privacy).
  • ensure wireless router is not usable for DDOS by reflection attacks
  • Cryptographically Signed Daily Software Upgrade (protection against all patched exploits: only have to worry about 0-days).
  • System installer disks: If you get a virus or suspect a rootkit just wipe the computer and start again
  • Offline computers: A "backup" computer not connected to the internet at all

Businesses:

  • Regular business security practices and certifications plus:
  • Encrypted Cloud Services: check that cloud computer services you use encrypt so that they cannot leak information to cyber attackers
  • Large scale Cooperation with LE via Counter surveillance of alien packets.
  • PGP encrypted emails.
  • 2 factor Authentication to protect against phishing and social engineering.
  • Censorship of propaganda against for recruitment: UN report urges internet strategy against terrorism

CAs: It is unknown how Certificate Authority should operate in a time of cyber war. Due to the danger of another DigiNotar it should perhaps be supported by the web of trust, also using "offline" methods such as IPoAC to issue certificate revocations.

Drones: hackers may attempt reprogram surveillance drones to operate offensively.

This is the highest priority so they will have the strictest security measures of all include the Obama "red button" to completely disable network operation of the country. Also in dire circumstances maybe assemble a "hack back" counter attack team to produce a worm which is capable of shutting down the entire worlds internet parallel to the cold war standoff?

jdoe
  • 337
  • 2
  • 9
  • 3
    Hi @jdoe - what is a Cyber Pearl Harbor? It really doesn't mean much. Can you revise your question to get at the core of the problem you are trying to fix, and we can then see how we can answer. Currently I can't really identify a real question in there. – Rory Alsop Oct 26 '12 at 12:40
  • Good question, although it's unclear what exactly a cyber pearl harbor the threat is real and so it's important to think about protection against state actors. – jdoe Oct 26 '12 at 12:43
  • "They could contaminate the water supply in major cities, or shut down the power grid across large parts of the country... a cyber-Pearl Harbor ..." - http://www.cnbc.com/id/49544152 – jdoe Oct 26 '12 at 12:44
  • Shwed echoed the Secretary of Defense's comments saying "the risk is absolutely there. But it isn't just government and infrastructure agencies that need to be on guard. Every individual with a computer is at risk. These organizations, wherever they are, can infect tens of thousands or even millions of computers." – jdoe Oct 26 '12 at 12:45
  • 3
    So is your question really: what practical methods should citizens be using to protect themselves against, and reduce the impact of an attack against critical national infrastructure? If so, edit the question and we can answer it! Otherwise I think it will be closed pretty soon. – Rory Alsop Oct 26 '12 at 12:47
  • 1
    Cyber troll is sneaky. – bonsaiviking Oct 26 '12 at 17:30

2 Answers2

13

Cyber Pearl Harbor is a really stupid term used by people who don't know the first thing about IT security, or those who do but want to get in the newspapers. "Cyber warfare" and "Cyber terrorism" are also examples of terms being bandied about by those looking to get sound bites or a higher IT security budget. It's all complete, total nonsense, and using these types of phrases could cause the industry lose credibility. It is also short-termist thinking. These problems are going to go away because the USAF builds a "cyber-command center".

Don't get me wrong, IT Security is a big, expensive problem which needs the investment of time and money from governments, organizations, and individuals to maintain. However, the notion of there being some sort of massive, all-out cyber attack that could "cripple a nation's infrastructure" and "bring it to its knees" is all hollywood.

The main problems with most of the infrastructure at risk from "cyber warfare" is that it's badly managed and out of date. People talk about the threat of these massive government-sponsored cyber warfare groups as if they are incredibly knowledgeable and sophisticated to be able to hack into things, when in reality it's the complete lack of patching and basic protective mechanisms making it easy for them to do. Most of the threat vectors into this critical infrastructure are well-known and solved vulnerabilities, so if they simply patched the systems and put in some basic network security measures it would make intrusion an order of magnitude more difficult. The talking heads are saying we need a "cyber response", when I say we need patching!

All this talk about cyber this and cyber that annoys me, and talk of "do this list of things and you'll be protected from the cyber pearl harbor" is misleading, because that list is out of date or incomplete by the time you click on submit. IT security is ever-evolving, not preparation for some sort of single cataclysm event. It's still going to be just as relevant 100 years from now, so start thinking long-term!

GdD
  • 17,399
  • 2
  • 42
  • 64
  • 6
    +1 for clearly explaining the root cause of this quasi-scientific nonsense: media ratings. – Polynomial Oct 26 '12 at 13:53
  • Good point about the real problem, but the question still remains largely unaddressed. What can Joe Citizen do to minimize the impact such an attack would have upon them? D.W.'s answer does well to make mention of that. – Iszi Oct 26 '12 at 19:37
5

The phrase Cyber Pearl Harbor is silliness, typically used by people who are trying to drum up money for their agency or business among politicians in Washington, DC.

I suspect you are asking what we can do to protect ourselves from attacks on our critical infrastructure. If so, here's my take:

What can citizens do? Nothing. You can't do anything to make critical infrastructure more secure. Talk to your representatives in government, if you really care.

More realistically, you can stock up bottled water, canned goods, a first aid kit, and other supplies in your basement so that if there is a natural disaster or other failure of infrastructure, you can last for a few weeks on your own. This is just good practice regardless of any "cyber"-hype, as everyone who lives in earthquake country lives.

See also Schneier's take on this subject.

Last word. No discussion of this subject is complete without a reference to the following web site: http://willusingtheprefixcybermakemelooklikeanidiot.com/

D.W.
  • 99,525
  • 33
  • 275
  • 596
  • 1
    Add to the bottled water/canned goods bit: A backup generator, HF/VHF/UHF radios, and first aid supplies, etc. – Iszi Oct 26 '12 at 19:35
  • 1
    Yep, this is just another example of Faraday cage-salesman fear mongering for profit. – Henning Klevjer Oct 26 '12 at 19:48
  • D.W. I disagree about the privacy intrusion issue. Reality is there are big systems out there for data collection/analysis (email, phone calls etc), and it has proven very effective in the past (ie, up to at least 90 years ago). – Christian Oct 27 '12 at 20:48