Perimeter
5/17/2010
02:44 PM
50%
50%

Lessons From The Volcano

I had a chance to fly rather close to Iceland's Eyjafjallajokull volcano last week. On a flight back from Frankfurt, the pilot somehow got permission to divert from the scheduled flight path as we crossed Iceland to give us a closer look of the volcano.

I had a chance to fly rather close to Iceland's Eyjafjallajokull volcano last week. On a flight back from Frankfurt, the pilot somehow got permission to divert from the scheduled flight path as we crossed Iceland to give us a closer look of the volcano.The volcano was a bit surrounded by clouds, but there was no mistaking the billowing rise of the black plume of ash. I snapped a picture that you can, if you like looking at smoke, view here. There are lessons in that smoke.

Just for starters, there's the embarrassment of having a threat with a name you can't really pronounce: Eyjafjallajokull. Then there's the problem of figuring out what the risk is -- not in terms of downed airplanes, but in terms of flight delays and cancellations.

Obviously, there's some continued risk. As I write this, several airports were reopening after a night of not receiving inbound flights that would have crossed through the ash cloud. On the one hand, there will, of course, continue to be flights in and out of these airports most of the time. On the other hand, there's the more or less completely open question of how often there will be too much ash to fly. Plus there's a surprisingly hard-to-answer question: How much ash is too much to fly safely?

This is a case where metrics are everything: How much ash can we fly through? We don't yet have that "key performance indicator." There's a good chance that, in the interest of an understandable desire to err on the side of caution, we're grounding flights that we don't need to be grounding. That's fine if this is a one-time blast of ash. But given what we don't know about volcanoes, there's no expert insight, as was apparent in a recent CNN story:

There's no way to know how long the volcano will continue spewing ash into the air, Georgia Tech scientist Josef Dufek told CNN. "It could go on another year," he said, noting that an eruption lasted that long in 1820.

If the ash clouds continue, presumably intermittently during the next year, then the question of whether it is safe to fly an airplane will become one that we deal with regularly.

It's kind of like the question we deal with in IT security: "Is this system secure?" We are not very good at answering this question except in the most formal and impracticable of scenarios. Still, there are more and less useful ways of framing this question. My expectation (and fervent hope) is that we demand a fairly precise answer, or at least one with a wide margin for safety, when it comes to asking whether it's safe to fly in this or that amount of ash. In the case of the airlines, I think this is a safe expectation.

Not so, alas, with computer security. Half the time we're not particularly clear about what the metrics are. Sure, it's simpler where crashing airplanes are concerned, but there are still better and worse security metrics, and a lot of work has been done on the job of sorting them into their respective piles. The other half of the time, we're measuring things without being confident that getting the right scores actually means you have good security. Within the security industry, we've been talking about this for a while. At CSI, we ran a nice article with an overview of different approaches to security reviews, answering the question, "Is this secure?" Five years later the key takeaways of the article remains frighteningly current.

Not much has changed. It's time to wake up and ingest the ash cloud.

Robert Richardson directs content and programs at the Computer Security Institute -- gocsi.com.

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Dark Reading December Tech Digest
Experts weigh in on the pros and cons of end-user security training.
Flash Poll
Title Partner’s Role in Perimeter Security
Title Partner’s Role in Perimeter Security
Considering how prevalent third-party attacks are, we need to ask hard questions about how partners and suppliers are safeguarding systems and data.
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2010-5312
Published: 2014-11-24
Cross-site scripting (XSS) vulnerability in jquery.ui.dialog.js in the Dialog widget in jQuery UI before 1.10.0 allows remote attackers to inject arbitrary web script or HTML via the title option.

CVE-2012-6662
Published: 2014-11-24
Cross-site scripting (XSS) vulnerability in the default content option in jquery.ui.tooltip.js in the Tooltip widget in jQuery UI before 1.10.0 allows remote attackers to inject arbitrary web script or HTML via the title attribute, which is not properly handled in the autocomplete combo box demo.

CVE-2014-1424
Published: 2014-11-24
apparmor_parser in the apparmor package before 2.8.95~2430-0ubuntu5.1 in Ubuntu 14.04 allows attackers to bypass AppArmor policies via unspecified vectors, related to a "miscompilation flaw."

CVE-2014-7817
Published: 2014-11-24
The wordexp function in GNU C Library (aka glibc) 2.21 does not enforce the WRDE_NOCMD flag, which allows context-dependent attackers to execute arbitrary commands, as demonstrated by input containing "$((`...`))".

CVE-2014-7821
Published: 2014-11-24
OpenStack Neutron before 2014.1.4 and 2014.2.x before 2014.2.1 allows remote authenticated users to cause a denial of service (crash) via a crafted dns_nameservers value in the DNS configuration.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Now that the holiday season is about to begin both online and in stores, will this be yet another season of nonstop gifting to cybercriminals?