A lot of vendors are using the war in Iraq as a platform to trumpet the threat of cyberterror (or cyberwar, or whatever they call it). Sorry to be a party pooper, but this is a convenient excuse to convince you to buy new stuff, whether you need it or not.

I won't discount the possibility of a cyberwar component to Gulf War II. But it's far more likely that the impact will be along the lines of "cybernuisance." A couple of viruses, some Web defacements, maybe a DoS or two. Nothing you can't handle or aren't already prepared for.

Security is all about windows of opportunity. Our adversaries live by this rule. So should we.

War has a unifying effect on people. Like everyone else, your managers have a need to "do something." The risk is that, lacking your guidance and input, they'll throw money at stuff you don't really need. Meanwhile, you'll have missed your opportunity to shore up one of the most-often overlooked areas of infosecurity: business continuity planning.

• Media protection, storage, backup. The CISO of a Fortune 500 firm recently told me that his data ops guy, in a cost-cutting maneuver, has been overwriting backup tapes 200 times instead of the manufacturer-prescribed 20. The CISO is now using the war and the continued threat of physical and biological terrorism to convince his higher-ups that this is not exactly an area they should be skimping on.
  
• DR and physical security. A recent Gartner Dataquest survey shows that only about half of all organizations have a crisis management team. When's the last time you did a structured walk-through test with department managers? When's the last time you audited the physical security of your data centers? When did you last check the fine print in your DR reciprocal agreement? What are you waiting for?
  
• The human element. Employees are the last line of defense in most security matters. If you haven't already, send out an all-company bulletin from someone high up in management about the importance of facility access control and simple security awareness. Reinforce the importance of preventing "piggybacking" or "tailgating" into secure areas. Religiously enforce package delivery policies--when, where, who. Tell employees it's OK to ask, "Who are you?" or "Can I help you?" Ounce of prevention and all that. Also, probably not the best time for your CIRT team leader or response staff to go on vacation.
  
• Monitoring and scanning. It won't hurt to set your IDS alert threshold down a notch or two. What may have been a low-priority alert 1,000 times before may now be the start of something real and serious. Of course, your patience level for false positives will also need to increase, as will your effort to verify that they are, after all, false.

If you're still not convinced, keep the following story in mind. After Sept. 11, most companies took a hard look at their security program, both digital and physical. In one case, the CEO of a company told the CSO that he wanted personal bodyguards. The CSO told him, in effect, that that was silly and unnecessary.

A couple weeks later, the CSO was demoted--not because he didn't support the bodyguard idea, but because he didn't respond to the CEO's need to "do something" in the wake of the terrorist attacks. True story.

Security is all about windows of opportunity. Our adversaries live by this rule. So should we. The best time to ask for more budget is right after you've been hacked. And the best time to shore up your business continuity plan and security awareness program is when the threat of discontinuity is most visible. Whether that threat ever materializes is inconsequential.

About the author:
Andrew Briney is editor-in-chief if Information Security.

01 Apr 2003