[ISN] Best place for a break-in? The front door

From: InfoSec News (isnat_private)
Date: Wed Mar 20 2002 - 01:19:58 PST


    By Jeanne-Vida Douglas
    ZDNet Australia
    March 19, 2002, 7:15 AM PT

    MELBOURNE, Australia--Daniel Lewkovitz has been known to resort to
    some fairly unorthodox measures to demonstrate security flaws.

    "One CIO was so sure I wouldn't get past his firewall he just about
    promised to eat his hat," Lewkovitz said. "I donned a suit and walked
    in through the front doors, in fact some of his staff even held the
    doors open for me, unplugged the box and asked what kind of sauce he
    wanted with his hat as I placed it on his desk."

    This attitude is probably a good one, because his role as senior
    information security consultant for IT service provider CMG requires
    him to break into IT systems considered unbreakable. And armed with a
    background in physical security, he emphasizes the importance of going
    beyond the firewall, encouraging companies to focus on the physical
    and procedural aspects of security as well as the technology.

    Suggesting that much of the information malicious hackers would need
    to break into a system is easily obtained from unwary company sources,
    he advocates not only the application of a company-wide standard
    operating environment, but a deliberate limiting of internal
    information availability.

    As well as many recognized anti-hacking measures, including blocking
    unnecessary ports and services, hardening servers, applying multiple
    security layers, and consistent log analysis, Lewkovitz used a
    presentation for Hack 2002 to call for increased emphasis on
    company-wide education measures and policies.

    "All the infrastructure imaginable can be undone in a second if anyone
    within the company fails to recognize a suspect e-mail and opens it
    anyway," Lewkovitz said. "Policy, people and infrastructure have to
    interact effectively to provide real security within an organization."

    Identifying the threat

    With IT security breaches mushrooming globally, the term hacker tends
    to conjure up images of long-haired, spotty-faced "script kiddies",
    blindly wielding tools they barely understand to cause generalized
    mischief in systems throughout the world.

    According to Dr. Tim Cranny, senior scientist with 90East, whose role
    sees him monitoring a quarter of all Federal Government agencies,
    probe packets detected at the top layer of these networks have
    increased from 300,000 to 1.2 million since the September 11 attack on
    the World Trade Center and subsequent war in Afghanistan.

    "We have seen a significant increase in those emanating from the
    Middle East and South East Asia," he said.

    While he concedes many of these attacks are relatively harmless, he
    said that the sheer quantity served to mask some of the more
    sophisticated and targeted attacks.

    "It is not uncommon for a hacker to use quite sophisticated tools to
    break into a Unix box, then not know what to do when they get there.
    We end up catching these people because they don't know how to log
    off," Dr. Cranny said. "Even if most attacks aren't serious, they
    serve as masks for more sophisticated operations."

    Also speaking at Hack 2002, Cranny pointed out that with over a
    trillion dollars now passing through Internet transactions throughout
    the world, and rapid diversification of the devices connected to the
    Internet, it would not be long before IT security began to affect the
    wider community in more tangible ways.

    "I see the turning point coming when there is a multimillion dollar
    hack which turns off the refrigeration at the local meat works," Dr.
    Cranny said, also warning of as yet unknown difficulties associated
    with emerging wireless protocols. "IT Security is increasingly a
    business issue, as we see it integrated into insurance policies and
    the resulting premiums, as well as due diligence and company

    Like Lewkovitz, Dr. Cranny used his presentation to call for more
    flexible, scalable, proactive and ubiquitous security measures to be
    implemented throughout the business sector.

    This archive was generated by hypermail 2b30 : Wed Mar 20 2002 - 04:45:47 PST