By Mark Rasch
13th September 2005
In the waning days of August, a massive category four hurricane
devastated the gulf coast of the United States, particularly
devastating the city of New Orleans. In addition to the estimated
$50bn in property damage, clean-up and reconstruction costs, and the
hundreds of likely dead, and tens of thousands displaced, the
hurricane and its aftermath have disrupted businesses throughout the
southern United States. From this disaster, there are a few lessons IT
staff, and IT security staff, as well as senior management should
learn. The sad thing is that many won't take these lessons to heart.
1. Infrastructure is important
Much of the devastation resulting from hurricane Katrina, particularly
to the city of New Orleans, resulted not from the initial wind damage,
but from the collapse of key portions of the infrastructure which were
not designed to withstand an event that, at least in retrospect, was
eminently predictable, if not inevitable. The collapse of key levees
in the Big Easy caused tens of millions of dollars of damage and loss
because they were designed to withstand only a category three
In most companies, the IT infrastructure has grown organically, based
upon the needs or perceived needs of individual business units. Thus,
the mix of hardware and software, applications, technologies and
processes are generally not mapped, and generally not adequate. Most
entities do not know what technologies that they have employed, what
software (or versions) they are using, or even what the scope and
extent of their network looks like. In addition, in most enterprises,
"security" is a discrete item - it's an add-on, often an afterthought,
yet it's frequently mentioned in one of those, "oh by the way"
telephone calls after some new application is about to go (or has
already gone) live.
Infrastructure is fragile and brittle. Survivability, redundancy, and
security have to be built into it at the outset. An elegant network or
application is of no use if it is destroyed, insecure, or inoperable.
2. Infrastructures are co-dependant
We typically think of IT as a single infrastructure, but it is not.
Perhaps if your network and the Internet are seen as one of the same,
it's easier to explain all those security breaches on "your" network.
When the hurricane took down the electricity, the oil and natural gas
refineries on the mainland of the gulf coast could not operate, nor
could the pumping stations pump any oil or gas. A single catastrophic
event will likely lead to the disruption of multiple infrastructures,
each dependent upon each other.
The same is true for both IT and IT security. Electricity,
telecommunications, Internet, transportation, and people are all
co-dependent. Knowledge of these facts should inform not only your
disaster recovery plans, but also your initial design. Don't forget
that hardware, software, policy, planning and training are also key
elements of your infrastructure.
3. Prevention is cheaper than response (usually)
Much of the work of prevention - knowing what the risks to the
enterprise are, and mitigating these risks where it's cost-effective -
can and should be done long before any attack or disaster affects an
enterprise. It has been estimated that the costs of responding to an
attack, including personnel costs, data recovery costs, diversion of
attention from other priorities, direct economic damage and theft, and
costs that damage one's reputation are often from 10 to 100 times the
cost of preventing the damage in the first place. Right now, the tens
of millions of dollars it would have cost to shore up and improve the
levees looks like a sound investment. A month ago, it was government
pork barrel spending.
We typically tie IT security spending to a percentage of the overall
IT budget, and then value security based upon the value of the IT
infrastructure. Why spend $50,000 to secure an IT asset that itself
only cost (or is worth) $5,000? This is the wrong way to analyze the
situation. We need to address the cost not of the IT itself, but the
value of the information that is being processed by, stored on, or
transmitted through the infrastructure.
The correct questions to ask are: "What would happen to my enterprise
if this information was lost? Corrupted? Stolen? Unavailable?" What
would happen to the company's reputation? To the ability to deliver
services? Remember that in security we are protecting companies and
agencies, not computers.
4. Cost of response is shifted
A typical axiom in the tort law of negligence is that we impose the
liability upon the party or entity best able to avoid the damage or
risk. In the case of the New Orleans flooding, this would have been
some combination of the local, state and federal governments,
including the U.S. Army Corps of Engineers, and of course, the United
States Congress that funds these projects, as well as the electorate
that votes for these Members of Congress. Had better, stronger and
more durable levees been constructed and maintained, billions of
dollars of damage could have been prevented.
However, in most situations, the people bearing the risk of loss are
not the same people who have to make the decisions about prevention.
Homeowners in New Orleans essentially had little say about whether the
levees were built (although they could have chosen to live elsewhere -
like San Francisco or Sri Lanka?) What is worse, drivers in
Washington, D.C., those who are now paying $3.70 a gallon for gas that
was just $2.50 before the hurricane, previously had little reason to
support plans to build stronger levees or redundant distribution
centers on the gulf coast. Operators of the closed Houston Astrodome
also had little reason to appreciate the effects of a hurricane in
Louisiana on their facility.
In IT attacks, the same is true. The people whose information is
affected by the attack may be distant - temporally, proximally or
otherwise - from the decisions about whether or how to secure the IT.
The cost of prevention may come from the IT budget, but the benefit
goes to other business units' productivity and it is rarely captured.
The same is true for the costs of avoidance. We need better metrics
for the TRUE cost of NOT providing adequate security, and then we will
be better able to make informed decisions about how much to spend on
5. Insurance is important
In the aftermath of hurricane Katrina, many individuals who thought
they had insurance (because they had been paying thousands of dollars
in premiums, for years) to cover damages resulting from the hurricane
find that they may not be insured for the damages. This is because
most insurance policies have specific riders excluding coverage for
damage resulting from "flooding." So if a hurricane blows out a levee
causing water to crash into and submerge your house, the damage,
although caused by a hurricane, may not be covered.
Many insurance companies offer various forms of insurance to protect
key parts of the IT infrastructure. These include general business
interruption insurance, reputation insurance, theft, damage or loss
insurance, critical document insurance, and various forms of
cyber-insurance. However, these policies contain riders and exclusions
that are often confusing and mutually contradictory. If there is
"physical damage" to a computer that holds your critical documents,
you may be covered, but "logical damage" may not be covered. If the
hard drives are wiped out by a flood it may be covered, and similarly
if they're wiped by a magnet or a power surge they may be covered -
but if they're wiped by a virus or worm, they are excluded. Thus, in
conducting risk assessment it is important to review all of your
insurance policies (including your D&O policies) to make sure you have
Also remember that when you are reducing your risk by implementing a
comprehensive IT security program, you are also reducing the risk of
your insurance company who ultimately would have to pay for covered
losses. As a result, just as when you put in a smoke alarm or burglar
alarm, you should contact the insurance company when you plan to make
significant changes in your security to see whether they will reduce
your premiums -- or better yet, pay for the improvements directly.
Some companies, particularly those that offer cyber-insurance
policies, will even pay for comprehensive audits or assessment
themselves. Free security? What could be better?
6. Backup, backup and backup
The day before I go to the dentist, I try to do about six months worth
of flossing and brushing. Sure, we all know we need to do this, and
there is nothing sexy about having a plan for backups, but we
frequently don't do them properly - not only at the corporate level,
but at the personal level as well.
The hurricane also taught us that many of our plans for data recovery
and disaster recovery may be too limited. For example, prior to
September 11, 2001, both the federal, state and city disaster centers
were located in close proximity to each other for planning,
coordination and communications purposes. These were, of course,
located in the World Trade Center. Not a bad decision to start with,
but a very unfortunate result.
Similarly, we often have wonderful backup plans to backup data and
store it at a remote location just a few blocks or miles away. In the
wake of the hurricane, we need to reconsider these decisions. Work
locally and backup globally.
Of course, this creates new problems. The more distributed information
becomes, the more vulnerable it is to attack, disruption, and to the
legal processes of the country in which it is located. Outsourcing
data storage may solve some of these problems, but it may also create
new problems itself. There are all fun things to think about.
7. Training and testing
The ultimate defense against disaster are well trained and well
equipped people. Too few companies bother to train their employees to
recognize cyber attacks, and to respond appropriately to them. All the
technology in the world won't help unless people know it exists and
know how and when to use it. Awareness and training are critical to
A cyber attack, like the breach of the New Orleans levees, is more
than likely. The best enterprises will be prepared, and therefore will
Copyright =A9 2004
SecurityFocus columnist Mark D. Rasch, J.D., is a former head of the
Justice Department's computer crime unit, and now serves as Senior
Vice President and Chief Security Counsel at Solutionary Inc.
Sept 16-18th, 2005
San Diego, California