ACDC with a Nightmare on Elm street twist
“One, two, Freddy's coming for you. Three, four, Better lock your door…”.
I thought I’d try to take a stroll down memory lane and tie up InfoSec challenges with ACDC and The Nightmare on Elm street. Why? Growing up in the 80’s made quite an impression on me. Technology was making leaps forward (my Commodore 64 could prove THAT) music was at its best as ACDC peaked with Back in black (still going strong…. Sort of) and cable networks opening in Finland.
In short. The promised land laid ahead for a would-be film buff and Gizmo freak. I indulged it all and I loved it. With horrified amusement, I watched Nightmare on Elm street and my heart might have skipped a beat or two as Robert Englund played out the horrors of Freddy Krueger.
I was reading The Hacker News and came across an article that covered the "Active Cyber Defense Certainty" (ACDC) Act — “a term that empowers victims to make use of "limited defensive measures that exceed the boundaries of one's network" in order to stop and identify digital attackers”. So, in short, It might be open season on the Freddy Kruegers of today, BUT, is that really a god idea?
Freddy Krueger is fiction (I know that now). But as technology has changed we have managed to create a digital world to millions of users. There was no way to lock out Mr. Krueger then and it seems that it is increasingly difficult to lock out the digital Freddy Kruegers of today from our digital lives, our networks and Gizmos. The IoT-era has been here for quite some time now but still we’re not learning fast enough. We build our castle (fortress) and think that we’re safe and then tend to the real business.
Why is that?
Priorities, cost efficiency, the price of risk and business decision might have something to do with it. The ones with insight and might not be able to make the needed decisions or it might be so that organisations have a dysfunctional information flow. The decision makers make their decisions based on incorrect information but the reason for this state is irrelevant, the question is what happens next?
How does this play out?
Since we all are connected to each other in one way or another when it comes to security related issues we can not only focus on our own agenda. We also must consider the actions of others so that we aren’t the “lame duck” left behind as the info sec herd has moved along. The likelihood for a breach is bigger if you have neglected your security issues and failed to integrate them in an ongoing business-as-usual process.
This leaves us with a scenario where, thanks to the proposed ACDC-act, breached companies (probably the ones that have neglected security related issues for one reason or another) will get a card blanche to pursue the attackers.
I am not convinced that this is a smart step to make. It feels that it merely is a way to react on the symptoms instead of addressing the REAL problem, priorities. We could at least try to keep the modern age monsters out.
Kirjoittajan lyhyt Bio
Marcus Björk, Deductive Labs
Marcus on ongelmanratkaisuun keskittyvä taloustieteilijä, joka toimii Compliance ja PCI-DSS konsulttina. Hän pyrkii ratkaisemaan kokonaisuuksia projektinhallinnoinnin näkökulmasta ja annetun tehtävän logiikan ja viitekehyksen käytännönläheisellä ymmärryksellä.
Vieraskynä palstastalla käsitellään ajankohtaisia tietoturva- ja tietosuoja-aiheita. Kirjoittajina toimivat sekä Tietoturva ry:n yhteisöjäsenten edustajat että muut maamme mielenkiinoiset tietoturvapersoonat. Palstalla esitetyt ajatukset eivät välttämättä kuvaa Tietoturva ry:n kantaa tai esittäjiensä organisaatioiden virallisia kantoja.