Cатсн²² (in)sесuяitу / ChrisJohnRiley

Jayson was no bikini model, but he did his best

Unlike the snow in Washington, Shmoocon has come and gone. What an experience… People always said it was a one of the best conferences to attend, and now I know why. Everybody there was friendly, knowledgable and certainly up for a party. Just the right kind of environment to learn something new, meet new faces and catchup with others. Still, as I sit on a plane winging its way back to Austria, I can’t help but think about the total chaos caused by the Washington snow.

If you were anywhere near Washington the last few days you can’t fail but to have been effected by the snow storms and the resulting aftermath. As you can imagine, it was a source of much discussion at Shmoocon, especially for me and Benny (@security4all), as we were booked into a hotel 10 minutes walk from the conference. That’s 10 minutes without the snow 😉

In among these discussions, an idea came up that intrigued me. If you think about it, the snow wasn’t the real problem. After all, lots of countries get this kind of snowfall on a regular basis. Personally, I deal with this kind of thing for ~4 months of the year back home in Austria. So what was the problem? what caused all this disruption? The problem was that Washington wasn’t prepared to deal with the issues that came up as a result of the snow. There was nobody to clear the streets, the airports couldn’t clear the runways, and the metro lines were blocked. This is all normal stuff, and if it snows regularly, you’ve got response plans in place. Everybody knows their roles, and does them well. In Washington, this kind of snow is such a rare occurence, that nobody knew what to do. At least that’s how it appeared from the point of view of an onlooker. There just wasn’t enough people ready to deal with things in a timely manner. Those that were ready didn’t have the resources or experience to deal with things quickly and well.

Gotta love regedit

You can’t fail but see the connection to many of issues we face in information security. Some companies have a incident handling plan in place, others don’t. Everybody gets hit by a security breach sooner of later. How fast your company recovers is all about doing the work now, and not hoping that you can just work it out when it hits. If you’re left scrambling around at 3am, like we saw in Washington, then you’ve already lost the battle. Without planning your resources are going to waste. I saw people on the streets of Washington at 3am, shoveling snow off the pathways. Normally I’d applaud that. After all it was a quick response and it was pro-active. Clear the streets before the morning. However, it was still snowing as hard as before, so for every inch that was cleared, another 2 inches of snow were still to come. Add to that the fact that 10 or even 20 people with shovels aren’t going to make a dent in the amount of snow. A typical case of having  the right tool for the right job… or in this case, not having the right tool.

This is typical knee-jerk reaction to an issue. Get out there as quick as you can and clear it up. Still, what can you achieve if the cause of the problem (in this case snow) still isn’t resolved. If an attacker got into your servers, you wouldn’t start rebuilding them before you’d plugged the hole used to exploit them. It’s a vicious circle, that won’t stop until you plan for what could, and eventually will happen. Worse still, in Washington, they knew it was coming before hand, an advantage you won’t often get when it comes to attacks. I could draw analogies here to an IDS warning you of attack attempts, but I think you get my point here. I don’t know who first said it, but “If you fail to plan, you plan to fail”.