Network Security: What are you waiting for?

http://www.securityfocus.com/templates/forum_message.html?forum=2&head=5560&id=5560

by Daniel Tatone ([email protected])
Mon May 07 2001
The field of computer security is basically one big horror story after
another. Major attacks are continually being reported in the media:
In early 2000, Yahoo, eBay, and CNN were victims of denial of service attacks
launched by "Mafiaboy".
CNN, October 27th, 2000: Hackers have broken into Microsoft's computer
network in what the company has described as "a deplorable act of industrial
espionage."
Trend Micro, May 18, 2000: Major Virus Outbreak Alert from Trend Micro:
VBS_LOVELETTER Hits Users Worldwide. The "love bug" caused billions of
dollars of damage worldwide.
With the advent of high-speed Internet access, and the massive underground
"hacker" community that has developed in cyberspace, organizations and
companies put their image (websites) and their data (confidential
information) at high risk when establishing a connection to the Internet
that is not securely implemented.
Attrition.org reported a record 1542 website defacements for the month of
April 2001, mostly due to the "Cyber-War" currently under way between China
and the United States. That is more than four times the number of defacements
in April 2000, and up 570% from the reported defacements in April 1999.
Do you see a trend?
Internet security breaches are on the rise, and most companies are virtually
unaware of the trend or are displaying the "Ostrich Syndrome" (sticking
their heads in the sand) and avoiding the issue altogether, thinking: "that
won't happen to me, why would someone want to attack me? My presence on the
Internet is minimal". But from a hacker's perspective it is easier to
attack a small or medium-sized business that has mistakenly connected its
backbone directly to the Internet with no firewall or other means of access
control than a government agency or large firm (the "big boys" like
Microsoft or Cisco) that has invested a large amount of resources in
securing its infrastructure. Once a small or medium-sized business has been
compromised, the attacker can then launch attacks anonymously against the
"big boys" from there.
There are principally three types of attackers. The first we will discuss is
the amateur hacker, also known as a "cracker". Crackers have developed an
underground community often comprised of young individuals in their teens
known as "script kiddies". These script kiddies pride themselves on their
web defacements, denial of service attacks (as seen against Yahoo and eBay
in January 2000) and system breaches. They usually do not understand the
technical details behind the attacks that they perform; rather, they collect
and rely on ready-made hacker tools and scripts to perform their system
breaches. They usually sign their "hacker alias" or "hacker group" on the
website they deface, greet their fellow hackers, dismiss their "rivals" in
the hacker community and occasionally post a political message. Often the
messages left on the defaced site include comments to the administrator of
the site, indicating that no "real" damage has been inflicted on the system
and that a backup of the original web page is available. By not actually
deleting any information they assume it is merely a prank showing off their
"hacking" ability. However, what they do not realize is that the defacement
costs the victim companies unavailability and downtime, leading to loss of
revenue, loss of confidence among the company's clients and shareholders, and
a massive amount of auditing work that will be generated to ensure no other
system has been affected. These types of hackers are usually a nuisance, yet
may cost a company a large sum of money due to downtime and the assurance
work that follows.
The second type of hacker is the professional hacker. These are individuals
who are often paid to perform corporate espionage and the like, gaining
sensitive corporate information from companies for their competitors. These
hackers enjoy the challenge of the hack, and are extremely meticulous in
covering their tracks. Their technical abilities are second to none, they
understand the details and inner workings of networking and information
systems, and they are masterminds at social engineering. Unlike the crackers,
they do not flaunt their deeds, and are virtually unknown in the underground
community. These are the seriously dangerous kind of hackers that we should
all be afraid of, since no matter how hard we may try to secure an
organization, these individuals will stop at nothing to circumvent it; it is
their livelihood.
The third type of hacker is the disgruntled employee or the disgruntled
ex-employee, who through his or her technical know-how and internal access to
the information systems of the corporate network can wreak havoc on the IS
infrastructure. Deleting data via a time bomb or planting a virus are
prime examples of the trouble such a person could cause. If the perpetrator
is smart enough, little or no trace of the attack is left leading back to him
or her.
You may ask, why are companies allowing such risk to take place? The answer
is easy and can be summarized in three security concepts. The first and
foremost is awareness. Corporate decision makers are frequently unaware of
the potential risk that is involved with minimal Internet security. They
rely on functionality and will usually not invest in a solution that will
not show an immediate benefit to the firm or organization. Also, employees
are not usually aware of the risk of sharing passwords or the use of simple
dictionary-based passwords, nor are they aware of the implications of
opening questionable executables or attachments in their e-mail that may
contain extremely dangerous viruses. A well-known example of this is the "I
Love You" virus of May 2000, which caused downtime and in turn a massive
loss of revenue worldwide. Implementing policies and training users is key
in bringing awareness to employees.
Secondly, in a corporation, IT resources are typically focused on user
support and satisfying the functionality of a network (running as many
services as possible). When security measures are implemented there is a
trade-off with functionality. Network administrators are not security
professionals, and therefore their primary mission is not establishing a
secure network, but rather a functional one. What must be evaluated is how
much risk is acceptable, and therefore what level of functionality will be
sacrificed to ensure a reasonably secure network with an acceptable level of
risk.
Thirdly, information systems and networks must be designed and implemented
to establish a strong foundation and architecture to incorporate security,
business continuity, and growth. Most often, corporate network systems are
thrown together like a modern art painting, growing as the company grows.
Careful planning is necessary to provide seamless integration of new
technologies as a company grows. In terms of security this means
compartmentalizing the network so that sensitive services and data are
separated from those that are publicly accessible. Identifying the
access points into a network (the Internet, modem access, etc.) and
establishing the appropriate access controls (firewalls) and monitoring
solutions (intrusion detection systems) is necessary. And finally, updating
and patching software is essential to prevent known vulnerabilities in a
particular service or software from being exploited.
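The compartmentalization point above, as an added Python example that is not part of the original article: it models the two situations the article contrasts, a backbone connected straight to the Internet with no access control, and a segmented design with a DMZ in front of the internal network, and checks whether any sensitive internal service is reachable from the Internet. The zone names, ports, service names and rule format are constructed for illustration, not taken from any real firewall product.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple
# Zones of the compartmentalized design: public services live in a DMZ,
# sensitive services and data stay internal, everything else is the Internet.
INTERNET, DMZ, INTERNAL = "internet", "dmz", "internal"

@dataclass(frozen=True)
class Rule:
    src: str              # source zone, or "*" for any zone
    dst: str              # destination zone, or "*" for any zone
    port: Optional[int]   # destination port, or None for any port
    action: str           # "allow" or "deny"

def evaluate(rules: List[Rule], src: str, dst: str, port: int) -> str:
    """First matching rule wins; traffic that matches no rule is denied."""
    for r in rules:
        if r.src in (src, "*") and r.dst in (dst, "*") and r.port in (port, None):
            return r.action
    return "deny"

def exposed(rules: List[Rule], services: Dict[Tuple[str, int], str]) -> List[str]:
    """Names of every service the Internet can reach under this ruleset."""
    return sorted(name for (zone, port), name in services.items()
                  if evaluate(rules, INTERNET, zone, port) == "allow")

def violations(rules: List[Rule], services: Dict[Tuple[str, int], str]) -> List[str]:
    """Sensitive (internal) services reachable from the Internet; a
    compartmentalized design must never allow any."""
    return sorted(name for (zone, port), name in services.items()
                  if zone == INTERNAL and evaluate(rules, INTERNET, zone, port) == "allow")

# Constructed inventory: web and mail servers in the DMZ, a payroll database
# and a file server on the internal LAN.
SERVICES = {(DMZ, 80): "www", (DMZ, 25): "mail",
            (INTERNAL, 1433): "payroll-db", (INTERNAL, 445): "fileserver"}

# The article's worst case: a backbone connected straight to the Internet
# with no access control, modelled as a single allow-everything rule.
FLAT_NETWORK = [Rule("*", "*", None, "allow")]

# Compartmentalized: the Internet reaches only the published DMZ services,
# the DMZ cannot initiate connections inward, internal users reach anything.
SEGMENTED = [Rule(INTERNET, DMZ, 80, "allow"), Rule(INTERNET, DMZ, 25, "allow"),
             Rule(INTERNAL, "*", None, "allow")]  # rest falls through to default deny

if __name__ == "__main__":
    for label, rules in (("flat", FLAT_NETWORK), ("segmented", SEGMENTED)):
        print(label, "exposed:", exposed(rules, SERVICES),
              "violations:", violations(rules, SERVICES))
```

Running it shows the flat network exposing the payroll database and file server directly, while the segmented ruleset exposes only the two published DMZ services and reports no violations.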
Essentially, it is a simple matter: without security, business stops. This
can be seen in the recent statistics and trends showing that security
breaches are on the rise. It is necessary in these times to avoid
overlooking security, in order to protect our organizations and corporations
from becoming security horror stories themselves.