between hype and trust and preparations
If you have been following the IT security newsstream on the internet for some years, you start trusting nothing, and after so much hype and sales talk you take notice of nothing, thinking it will all blow over without much damage.
Afterwards you have some people saying that of course nothing happened, but how could they have known? And if something had happened, how would they have reacted? So let's take this one step further and put three major internet security events in Belgium from the last weeks under the microscope.
First, the Turkish hacker attack against Belgian sites, which was first discovered here. The facts were that only a few Belgian sites were hacked, but with an explicit warning by a member of a very important Turkish hacker clan. A week later about 100 .be sites were hacked, but not with the same message. Last week only a few Belgian sites were hacked, of which the re-hack of parts of antwerpen.be made the news. The level of defaced Belgian sites seems more normal now, but this does not mean that your sites can't fall victim if they aren't defended as they should be. It looks like the leadership of the clan didn't want to launch a concentrated full attack on our networks, and we hope it will stay that way. Were we right to call the alarm? Yes, because too many sites in Belgium aren't looked after, and the webmasters should have been more alert, as the Antwerpen.be case proved.
Thirdly, the e-jihad. This has been the hype of the last week, and there have been two, or better said three, sides to the discussion. The first was that we were going to be attacked and that all hell would break loose. This has not been the case, as in the previous two announcements of cyberwar. The other side said that no attack was going to take place and that everybody who says so is naive or stupid. The position in between is based on the fact that even if the control server is now offline, there is no technical reason it couldn't be brought online again elsewhere and start sending its attack lists or updates to its clients/members. This wasn't the case, but who could be 100% sure? The other argument was that, as Belgian sites are not that accustomed to DDoS attacks, they should use this alert as a basis for an exercise to see how their response time and procedures hold up (and how their partners would perform in such a situation). We weren't saying more than that.
So it is very easy to play the wise guy afterwards. There are no laws, axioms or scientific weather reports on the internet. All the time you have to collect information, look at all the details, make assumptions and plan accordingly. Sometimes you have to prepare for the worst and be happy that it didn't materialize, knowing that meanwhile you have adapted your defenses based on the lessons learned during the preparations.
This means your boss can trust that, whatever the hype next week, you will be prepared for the worst if necessary.