http://informationweek.com/story/showArticle.jhtml?articleID=170700829

By Matthew Friedman
Networking Pipeline
Sept. 6, 2005

For all the complexity of security, the most common security dangers are downright mundane. They're not due to the arcane arts of the most skilled hackers or some cunning exploit; they're out there in plain sight.

"A successful attack depends on a combination of four things that don't have a lot to do with the attacker," says Forrester Research analyst Paul Stamp. "It's usually something like social engineering, a breakdown in process or the absence of process. It could have something to do with a simple technical vulnerability or insider abuse. But it's usually a combination of two or more of those four factors."

The thing that should send chills up the spine of anyone who manages a network open to the Internet -- which is to say, virtually all networks -- is the fact that all of these vulnerabilities can be easily caught and fixed. Because they're so common, obvious, or at least mundane, however, they are often the last place you'll look for danger.

Social Engineering:

It's humbling to remember that superstar hacker Kevin Mitnick wasn't much of a code warrior. However, he was a first-rate social engineer who raised the "Hi, how are you, what's your password?" approach to network delinquency to the level of a black art. With the constant warnings about protecting passwords and not opening unsolicited attachments, you'd think that network users would be wise to what is, after all, the oldest trick in the hacker's book. But they aren't.

Stamp says, "You'd be surprised how often social engineering succeeds." Just this summer, the British Department of Defence -- which should be on the list of people who should be wise to this -- was subjected to a targeted Trojan attack. "People were sent CDs with marketing material," Stamp says. "In fact, it installed a targeted Trojan that collected confidential information."
The bottom line is that even smart people can be sucked in by social engineering. The first step toward protection, Stamp says, is as basic as education. "It truly is a boring recommendation, but we have to educate users and back that up with action," he says. "The time has passed for us to tolerate fools. We have to be serious about this and take disciplinary action against people who don't do what they're supposed to do. The stakes are too high."

Process Errors:

It seems that there is always a technological fix for every security problem, but that, in itself, is part of the problem, Stamp says. "We do a very good job of going out and looking at technical vulnerabilities," he says. "But people don't do a very good job of taking apart processes and seeing where those are vulnerable." It could be that the process has no oversight mechanism, or that someone has forgotten to check something that should have been checked out, but the results are the same: a lot can go wrong if you're not looking.

Stamp points to the Choicepoint case earlier this year as a prime example of a breakdown in process. "Criminals were able to open fraudulent accounts with Choicepoint because the process for opening an account didn't involve checking to see if the client was a real company," he says. "It was as simple as that."

Moreover, if companies are going to use technologies like networks, wireless and mobile devices, they have to have some way of dealing with everything from absent-mindedness to incompetence and malice. Mistakes happen, of course, but they can turn into disasters if you don't respond to them effectively. "It could be something as simple as someone leaving a Blackberry in a cab," Stamp says. "Surprisingly few companies have policies for dealing with Blackberries when they're out of the office, and the whole point of a Blackberry is to be out of the office."
Technical Vulnerabilities:

Enterprise networks, with their passels of routers, switches, access points and other kinds of hardware, are fundamentally complex organisms. And that's a problem. It's easy to keep a door locked when you only have one door, but add a few more, some windows and a skylight, and the security problem increases exponentially. With so many devices and connections to watch on a network, there are also so many opportunities to miss something.

"Normally, at some point along the way, there's something that hasn't been patched, or something that hasn't been configured properly, and that leaves the whole network vulnerable," Stamp says. "Complexity is a big part of it. Complexity is the enemy of security, but the CIO's and CSO's job is complexity management."

Inside Abuse:

No one suspects family, but maybe they should. The Computer Security Institute-FBI computer crime survey has found every year for the last five years that at least half of all security breaches originate on the inside of the network. "Inside abuse is network security's dirty little secret," Stamp says. "We've been too trusting so far. It comes back to the reality that some people are being malevolent, and sometimes it's accidental. But you need policies to stop the malevolent ones and minimize the accidents."

Part of the problem is that no one wants to believe that one of their own could be the problem, and inside abuse is often swept under the carpet. But Stamp is adamant that just because you can't, or choose not to, see the problem doesn't mean it isn't there.

At the end of the day, all of these common dangers can be dealt with; it only takes the will to clean up processes, patch systems, and make sure that users are doing what they're supposed to be doing. "It has to be both a change in attitude and the adoption of newer, smarter technologies," Stamp says. "That means designing the network to be secure from the ground up, and that includes the people as well as the technology."
This archive was generated by hypermail 2.1.3 : Wed Sep 07 2005 - 23:43:51 PDT