Chapter 4. Select Targets for Monitoring
Reese: Anyone who’s trying to use the override would have to hack through the reactor’s firewall. That would take massive computer power, which NRC could see coming a mile away.
Jack: Is it possible that NRC could miss this due to unusually heavy traffic on the Internet?
Reese: I don’t follow.
Jack: Well, less than an hour ago millions of computers around the world were streaming the trial of the Secretary of Defense. Is it possible that this trial was just some kind of a Trojan horse to disguise a massive attack on nuclear power plants’ firewalls?
Reese: That might be possible.[22]
Successful enterprise security monitoring demands focus. In this fictitious attack from Fox’s popular television series 24, the monitoring staff at the NRC (the Nuclear Regulatory Commission) miss a targeted, critical attack because a decoy surge in network traffic hides it. The scenario shows how hard it is to monitor effectively when every system receives “equal” attention. Focused monitoring requires considerable tuning and quick recognition of benign traffic. For example, an Oracle 11i-based ERP system generates thousands of messages per hour from its various components. Without tuning and a strong understanding of the environment, the network monitoring staff will waste their time following dead ends.
Example 4-1 contains an example of a Snort alert that could result from monitoring an Oracle system.
Example 4-1. Snort alert from monitoring an Oracle system[23]
[**] [1:2650:2] ORACLE ...
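The point of the chapter is that alerts like the one above are only worth an analyst's time when they involve a system you have deliberately selected for monitoring, and when the signature has not already been vetted as benign for that source. The following is an added example (not code from the book) that applies that selection to Snort alert_fast lines: it parses each line, drops alerts that do not touch a monitored target, drops alerts the team has already suppressed for a given source network, and flags the rest with whether the source is an expected client of the target. The alert lines, the monitored asset list, the suppression list and the signature IDs (in the local-rule range) are all constructed for illustration.

```python
"""Triage Snort alert_fast lines against a list of monitored targets.

Added example, not from the book. Every alert line below is constructed;
signature IDs are placeholders in the local-rule range, not real Snort sids.
"""
import ipaddress
import re

# One alert_fast line: timestamp [**] [gid:sid:rev] msg [**] [Classification: ...]
# [Priority: N] {PROTO} src[:port] -> dst[:port]. Classification/Priority and
# ports are optional (ICMP alerts carry no ports).
FAST_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.*?)\s+\[\*\*\]\s*"
    r"(?:\[Classification:\s*(?P<cls>[^\]]*)\]\s*)?"
    r"(?:\[Priority:\s*(?P<pri>\d+)\]\s*)?"
    r"\{(?P<proto>\w+)\}\s+"
    r"(?P<src>[\d.]+)(?::(?P<sport>\d+))?\s+->\s+(?P<dst>[\d.]+)(?::(?P<dport>\d+))?$"
)

# Constructed sample sensor output (not real alerts).
SAMPLE_ALERTS = """\
01/20-14:02:11.123456  [**] [1:1000001:1] LOCAL Oracle TNS anomaly (constructed) [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 10.0.5.20:41234 -> 10.0.1.15:1521
01/20-14:02:12.000001  [**] [1:1000001:1] LOCAL Oracle TNS anomaly (constructed) [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 192.0.2.44:55000 -> 10.0.1.15:1521
01/20-14:02:13.500000  [**] [1:1000002:1] LOCAL Oracle listener status probe (constructed) [**] [Classification: Misc activity] [Priority: 3] {TCP} 10.0.5.21:41300 -> 10.0.1.15:1521
01/20-14:02:14.250000  [**] [1:1000001:1] LOCAL Oracle TNS anomaly (constructed) [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 10.0.9.1:40000 -> 10.0.9.2:1521
01/20-14:02:15.000000  [**] [1:1000003:1] LOCAL ICMP sweep (constructed) [**] [Priority: 3] {ICMP} 192.0.2.9 -> 10.0.1.15
this line is not a snort alert
"""

# Assets selected for monitoring (constructed): the ERP database tier and the
# application-tier network that is expected to talk to it.
MONITORED = {
    "erp-db": {
        "hosts": ipaddress.ip_network("10.0.1.0/24"),
        "expected_clients": [ipaddress.ip_network("10.0.5.0/24")],
    },
}

# Tuning decisions already made (constructed): (gid, sid) pairs confirmed
# benign when the source is in one of the listed networks.
SUPPRESS = {
    (1, 1000002): [ipaddress.ip_network("10.0.5.0/24")],
}


def parse_alert(line):
    """Parse one alert_fast line into a dict, or return None if it does not match."""
    m = FAST_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    d["gid"], d["sid"], d["rev"] = int(d["gid"]), int(d["sid"]), int(d["rev"])
    d["pri"] = int(d["pri"]) if d["pri"] else None
    return d


def triage(text):
    """Split alert lines into (escalate, dropped); each dropped entry records why."""
    escalate, dropped = [], []
    for line in text.splitlines():
        if not line.strip():
            continue
        alert = parse_alert(line)
        if alert is None:
            dropped.append({"line": line, "why": "unparsed"})
            continue
        src = ipaddress.ip_address(alert["src"])
        dst = ipaddress.ip_address(alert["dst"])
        # Keep only alerts where a monitored host is the source or destination.
        target = next((name for name, spec in MONITORED.items()
                       if dst in spec["hosts"] or src in spec["hosts"]), None)
        if target is None:
            dropped.append({**alert, "why": "not a monitored target"})
            continue
        # Apply per-source suppressions the team has already tuned in.
        if any(src in net for net in SUPPRESS.get((alert["gid"], alert["sid"]), [])):
            dropped.append({**alert, "why": "suppressed for source"})
            continue
        expected = any(src in net for net in MONITORED[target]["expected_clients"])
        alert.update(target=target, expected_client=expected)
        escalate.append(alert)
    return escalate, dropped


if __name__ == "__main__":
    esc, drop = triage(SAMPLE_ALERTS)
    for a in esc:
        flag = "expected client" if a["expected_client"] else "UNEXPECTED client"
        print(f"ESCALATE {a['target']}: sid {a['sid']} {a['src']} -> {a['dst']} ({flag})")
    for d in drop:
        print(f"DROP ({d['why']}): {d.get('msg', d.get('line'))}")
```

Run as a script, the example escalates three alerts (one from the expected application tier, two from addresses that have no business talking to the database) and drops the suppressed listener probe, the alert between two unmonitored hosts, and the unparsable line. In production the suppression step belongs in the sensor rather than in a post-processor: Snort's own threshold configuration expresses the same decision as `suppress gen_id 1, sig_id 1000002, track by_src, ip 10.0.5.0/24`, which stops the alert being generated at all.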