Perimeter
5/17/2010
02:44 PM
Connect Directly
RSS
E-Mail
50%
50%

Lessons From The Volcano

I had a chance to fly rather close to Iceland's Eyjafjallajokull volcano last week. On a flight back from Frankfurt, the pilot somehow got permission to divert from the scheduled flight path as we crossed Iceland to give us a closer look of the volcano.

I had a chance to fly rather close to Iceland's Eyjafjallajokull volcano last week. On a flight back from Frankfurt, the pilot somehow got permission to divert from the scheduled flight path as we crossed Iceland to give us a closer look of the volcano.The volcano was a bit surrounded by clouds, but there was no mistaking the billowing rise of the black plume of ash. I snapped a picture that you can, if you like looking at smoke, view here. There are lessons in that smoke.

Just for starters, there's the embarrassment of having a threat with a name you can't really pronounce: Eyjafjallajokull. Then there's the problem of figuring out what the risk is -- not in terms of downed airplanes, but in terms of flight delays and cancellations.

Obviously, there's some continued risk. As I write this, several airports were reopening after a night of not receiving inbound flights that would have crossed through the ash cloud. On the one hand, there will, of course, continue to be flights in and out of these airports most of the time. On the other hand, there's the more or less completely open question of how often there will be too much ash to fly. Plus there's a surprisingly hard-to-answer question: How much ash is too much to fly safely?

This is a case where metrics are everything: How much ash can we fly through? We don't yet have that "key performance indicator." There's a good chance that, in the interest of an understandable desire to err on the side of caution, we're grounding flights that we don't need to be grounding. That's fine if this is a one-time blast of ash. But given what we don't know about volcanoes, there's no expert insight, as was apparent in a recent CNN story:

There's no way to know how long the volcano will continue spewing ash into the air, Georgia Tech scientist Josef Dufek told CNN. "It could go on another year," he said, noting that an eruption lasted that long in 1820.

If the ash clouds continue, presumably intermittently during the next year, then the question of whether it is safe to fly an airplane will become one that we deal with regularly.

It's kind of like the question we deal with in IT security: "Is this system secure?" We are not very good at answering this question except in the most formal and impracticable of scenarios. Still, there are more and less useful ways of framing this question. My expectation (and fervent hope) is that we demand a fairly precise answer, or at least one with a wide margin for safety, when it comes to asking whether it's safe to fly in this or that amount of ash. In the case of the airlines, I think this is a safe expectation.

Not so, alas, with computer security. Half the time we're not particularly clear about what the metrics are. Sure, it's simpler where crashing airplanes are concerned, but there are still better and worse security metrics, and a lot of work has been done on the job of sorting them into their respective piles. The other half of the time, we're measuring things without being confident that getting the right scores actually means you have good security. Within the security industry, we've been talking about this for a while. At CSI, we ran a nice article with an overview of different approaches to security reviews, answering the question, "Is this secure?" Five years later the key takeaways of the article remains frighteningly current.

Not much has changed. It's time to wake up and ingest the ash cloud.

Robert Richardson directs content and programs at the Computer Security Institute -- gocsi.com.

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Dark Reading Must Reads - September 25, 2014
Dark Reading's new Must Reads is a compendium of our best recent coverage of identity and access management. Learn about access control in the age of HTML5, how to improve authentication, why Active Directory is dead, and more.
Flash Poll
Title Partner’s Role in Perimeter Security
Title Partner’s Role in Perimeter Security
Considering how prevalent third-party attacks are, we need to ask hard questions about how partners and suppliers are safeguarding systems and data.
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2003-1598
Published: 2014-10-01
SQL injection vulnerability in log.header.php in WordPress 0.7 and earlier allows remote attackers to execute arbitrary SQL commands via the posts variable.

CVE-2011-4624
Published: 2014-10-01
Cross-site scripting (XSS) vulnerability in facebook.php in the GRAND FlAGallery plugin (flash-album-gallery) before 1.57 for WordPress allows remote attackers to inject arbitrary web script or HTML via the i parameter.

CVE-2012-0811
Published: 2014-10-01
Multiple SQL injection vulnerabilities in Postfix Admin (aka postfixadmin) before 2.3.5 allow remote authenticated users to execute arbitrary SQL commands via (1) the pw parameter to the pacrypt function, when mysql_encrypt is configured, or (2) unspecified vectors that are used in backup files gene...

CVE-2014-2640
Published: 2014-10-01
Cross-site scripting (XSS) vulnerability in HP System Management Homepage (SMH) before 7.4 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.

CVE-2014-2641
Published: 2014-10-01
Cross-site request forgery (CSRF) vulnerability in HP System Management Homepage (SMH) before 7.4 allows remote authenticated users to hijack the authentication of unspecified victims via unknown vectors.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Chris Hadnagy, who hosts the annual Social Engineering Capture the Flag Contest at DEF CON, will discuss the latest trends attackers are using.