Zombies. Few issues are as compelling for government CIOs -- especially when the zombies are coming to get you.
Zombies were front and center in Montana last night when someone hacked into a television station's emergency warning system and broadcast the news of an imminent zombie apocalypse.
The incident is just the latest in a series of false zombie alerts spread through official channels. Several years ago, hackers in Gainesville, Fla., changed the message on a mobile traffic alert sign to warn of attacking zombies.
Zombie Attack Sign
Portable traffic signs have come under attack from zombie-loving hackers.
An article in The Gainesville Sun reassured readers that no attack was in progress, but the fact that official warning mechanisms can be hacked is an issue that government CIOs must deal with. I spoke with Nelson Hill, CIO of the Florida Department of Transportation, who explained that his department takes a multi-dimensional approach to keeping signs and other FDOT assets secure.
"Obviously protecting anything that is public-facing is something we're very careful about," Hill said. He continued, "We take every precaution to make sure they're protected against hacking." The first step the department takes is segmenting the network into three major components.
Hill explained that the network is divided into the "traditional" network, known as MyFlorida.net; the Intelligent Transportation System (ITS), which is the traffic control, monitoring, and notification network; and the network used by the Florida Turnpike system, which handles the financial transactions of the millions of cars passing through toll plazas each month. Hill says that the segmented system carries both benefits and costs for IT executives.
He began explaining, "The larger and more segmented the network, the more difficult it is," but quickly amended his response. "It makes things more difficult from a security policy perspective, but it makes them easier from an operational standpoint," Hill said. As an example, he said, "I don't have to worry about back-door attacks from ITS because [the networks are] segmented," adding that ITS has far more points of access from the Internet due to its function as an alert and information system for the public.
Other segmenting benefits come from the cost side of things. Hill says that the turnpike authority's financial transactions create a special burden. He explained:
Because they deal with credit card data they're under PCI standards. They require those operations to have very, very strict security controls because they handle millions of credit card transactions per month. If we didn't have a firewall between the traditional network and the turnpike then we'd have to put the entire network under PCI standards.
The traditional part of the network is protected by the next security step, the firewalls, and anti-malware software that every CIO demands for the networks under their control. Even so, Hill says that these well-understood threats aren't his most pressing concerns. He said:
It's easier to protect against things like that rather than phishing scams, where a bad guy will send an email that looks like it's from someone you know and has a link. When you click on the link it installs a piece of software that sniffs your data. These advanced persistent threats are much more costly to protect against.
Software development practices and standards sit at the third level of protection for the FDOT networks. "We have coding standards that protect against things like SQL injection. We can help mitigate against cross-site scripting. You can put things in place when you build your website to protect against these attacks," Hill said. The multiple levels and approaches help keep threats at a manageable level for most situations.
Ultimately, though, zombie attacks and hackers must be handled with a common set of criteria and response possibilities. Hill said, "You have to look at the risk and decide what you're willing to accept based on the money you have available to protect against the threats." Where do you put the money for a zombie response in your budget? The hackers would surely love to know.
@kstaron: I agree with you. With the endless access to so many online content, anyone who has the slightest interest in the field of hacking can get expertise and then test it in the "field". I don't know if this is ever going to end.
After I stopped laughing at seeing the "zombie attack, evacuate now" sign. I can appreciate the seriousness of this. Even though this was a kid that was too bored for his own good and decided to be funny, the ease with which he breached the system means there are far too many people with more malicious intents tht could strike, and they are way more scary than zombies.
Wait a minute. This sounds ironic to me. Are the companies and organizations that are getting hacked the same companies and organizations that claim there is a skills shortage out there? Are these the companies and organizations that are getting rings run around them by the unwashed, unskilled masses out there?
@Sara- I wish I had been thrown out of the best hotels in Vegas.
Seriously, we've got to get rid of the Robin Hood attitude around hacking. This looks like a victimless crime, but it isn't because it shows the way for others. Oh well, I don't think there's anything that can be done about it until someone goes too far.
The blogs and comments posted on EnterpriseEfficiency.com do not reflect the views of TechWeb, EnterpriseEfficiency.com, or its sponsors. EnterpriseEfficiency.com, TechWeb, and its sponsors do not assume responsibility for any comments, claims, or opinions made by authors and bloggers. They are no substitute for your own research and should not be relied upon for trading or any other purpose.
Please join us for the "IT Convergence Strategies: Why, When and How " to learn more about:
• 5 truths about infrastructure convergence today that go beyond the hype
• How to exploit the 4 phases of convergence maximum efficiency and agility
• Key milestones to plan for on the convergence journey
• Why integrated management is a critical component of convergence plans
• The importance of an open, modular approach, such as Dell’s active infrastructure, to building a converged data center
Enterprise Efficiency is looking for engaged readers to moderate the message boards on this site. Engage in high-IQ conversations with IT industry leaders; earn kudos and perks. Interested? E-mail: email@example.com
Dell's Efficiency Modeling Tool The major problem facing the CIO is how to measure the effectiveness of the IT department. Learn how Dell’s Efficiency Modeling Tool gives the CIO two clear, powerful numbers: Efficiency Quotient and Impact Quotient. These numbers can be transforma¬tive not only to the department, but to the entire enterprise. Read the full report
Now that TGen has broken new ground in genomic research by using Dell's storage, cloud, and high-performance computing solutions, the company discusses what will come next for it and for personalized medicine.
The Translational Genomics Research Institute wanted to save lives, but its efforts were hobbled by immense computing challenges related to collecting, processing, sharing, and storing enormous amounts of data.
There's a lot of hype about virtualization of networks, NaaS, and SDN, but there's a couple of proven applications that enterprises could adopt right now and potentially save money and improve operations.
Skype/Outlook UC integration means we're going to have competition and fragmentation of UC client architectures, but is that bad? Modern devices can support IM, email, voice, and video clients, so maybe it's the back end of UC we need to be worried about.
Workers are now used to portable device support throughout their everyday lives. We should be looking at the policy of providing fixed-desk devices to support stationary workers. Could portable support be smarter?
Input devices run the gamut, from the humble Missile Command-style trackball to advanced speech recognition. Unfortunately, these input devices can be used for evil as well as good. Case in point: mobile ads that want you to talk to them.
Enterprises want three things in storage systems: First is some speech-recognition way of capturing videoconference data for indexing; second is semantic/AI analysis of emails and IM for content indexing; third is a better system for managing hierarchical layers of storage.