A rational approach to risk doesnt usually assume that everything that can go wrong will. But with computer security, and security in general lately, its tempting to do so.
Security researchers generally assume that if an attack is possible, someone will do it. If a vulnerability can be exploited, someone will exploit it. And if its possible to make a canned version of the attack so that any doped-up teenager can do it, thatll happen too.
It doesnt always happen, of course. But it does happen a lot, and when a sexy attack comes along its a guarantee that it will happen. The best examples are the RPC/DCOM and LSASS vulnerabilities, after which it was inevitable that worms would be developed.
And, of course, we know all too well that the world has no shortage of people seeking to disrupt our lives and livelihoods and are happy to die in the process. Clearly we have moved, from a homeland security perspective, from an assumption that just because something is possible it isnt necessarily likely to happen to a much more cautious approach.
But what are we to make of threats like the warnings of e-jihad on the 26th? From the moment I saw the report in RIA Novosti it seemed far-fetched to me. I was immediately reminded of last years July 4 Web page defacement contest run by a supposed underground hacker group. It turned out to be a big fat nothing, as most serious analysts expected.
There have been many other false reports like this, but there have been some real attacks too, such as attacks by the hacker group Indian Snakes against Pakistani Internet resources.
How can you look at a report like this and not sound Joe Friday-serious about it? You have to. But you dont have to spend a whole lot of time on it. Certain organizations are more likely targets than others, and those should always have elevated security anyway.
The e-jihad and associated threats are all interesting for a variety of reasons, but I see nothing about any of them that should make you change the practices you should already be following.
Without being a direct target of attack you can still be a victim if the infrastructure on which you rely is taken out. For this reason its good to have backup connections through a different ISP, but even better, you need to know how to get business done with outside connections off altogether. Previous experience with attacks, such as the one against Akamai, shows that this can last for several hours. Its not the end of the world, and some things can go down temporarily.
So dont get worked up about these reports. Assuming anything happens at all, odds are it wont affect you. And even if it does, you can probably be prepared for it. And if you really do get massively attacked, you probably couldnt have done anything to stop it.
Security Center Editor Larry Seltzer has worked in and written about the computer industry since 1983.
Be sure to add our eWEEK.com security news feed to your RSS newsreader or My Yahoo page:
More from Larry Seltzer