An absolutely secure network is not possible, but the risk can be managed
Takeaway: No network can claim to be 100 percent secure. Hackers are clever and motivated to access your network. The best way to protect against these attacks is by knowing their tricks and planning countermeasures to defeat them.
If you know the enemy and know yourself, you need not fear the result of a hundred battles. If you know yourself but not the enemy, for every victory gained you will also suffer a defeat. If you know neither the enemy nor yourself, you will succumb in every battle. - Sun Tzu
For information technology professionals, it is an unfortunate fact of life that no network can achieve an end-state that is totally secure. No matter how much you may wish it to be otherwise, network security, regardless of platform, is a continuous battle where engagement with intruding forces ebbs and flows with the security vulnerability of the moment. The best you can ultimately achieve is a stalemate where the risk of invasion is at a manageable level.
This state of equilibrium is best achieved by knowing how malicious hackers enter a network and, by extension, how you can stop them. This is the motivation that drives the techniques outlined in the book Protect Your Windows Network: From Perimeter to Data, written by Jesper Johansson and Steve Riley, and published by Addison Wesley Professional. A chapter excerpt from that book, Anatomy of a Hack—The Rise and Fall of Your Network, is available as a free download.
In the following interview, authors Johansson and Riley discuss executive perceptions of security, wireless networks, identity theft, and social engineering.

Protect Your Windows Network: From Perimeter to Data
By Jesper Johansson and Steve Riley
Published by Addison Wesley Professional
ISBN: 0321336437; Published: May 20, 2005; Copyright 2005;
Chapter 2: Anatomy of a Hack—The Rise and Fall of Your Network
Interview
[TechRepublic] One of the first concepts you discuss in your book deals with the reality of computer networks – no network can achieve an end-state that is totally secure. Instead, network security is really the management of risk. Do you find it difficult to convince IT managers and management executives that this is the way it is; the way it has to be?
[Johansson and Riley] Intuitively, they all understand this already, they may just not think in these terms. They have been told so many times that you can be "secure" or "impenetrable" or "unbreakable" that it is a little bit of a mind-shift for them to stop thinking that way. However, they already understand nuances of risk management, and when you explain that network security is basically just another risk management discipline, then the argument makes sense to them. One thing that helps is to use some kind of model that can rank your risk. There are numerous mathematical models that can express risk financially -- and we all know that the language of business is money. Such an exercise helps you think quantitatively about risk, which makes it easier to make the decision.
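As an added illustration of the financial risk ranking the authors describe (this is example code, not from the book or the interview), the following uses the common annualized loss expectancy model: single loss expectancy (asset value times exposure factor) times the expected number of incidents per year, then compares a countermeasure's yearly cost against the loss it avoids. The risk names and all dollar figures are constructed for the example.

```python
from dataclasses import dataclass


@dataclass
class Risk:
    """One ranked risk, priced in dollars so it can be compared with other business risks."""
    name: str
    asset_value: float      # dollars at stake if the asset is fully lost
    exposure_factor: float  # fraction of asset_value lost in a single incident (0..1)
    annual_rate: float      # expected incidents per year (annualized rate of occurrence)

    def sle(self) -> float:
        """Single loss expectancy: cost of one incident."""
        return self.asset_value * self.exposure_factor

    def ale(self) -> float:
        """Annualized loss expectancy: expected cost per year."""
        return self.sle() * self.annual_rate


def rank_risks(risks: list[Risk]) -> list[Risk]:
    """Highest expected yearly loss first; this is the 'rank your risk' step."""
    return sorted(risks, key=lambda r: r.ale(), reverse=True)


def control_net_benefit(risk: Risk, new_annual_rate: float, annual_control_cost: float) -> float:
    """Yearly loss avoided by a control minus what the control costs.

    Positive means the control pays for itself; negative means accept the risk
    or find a cheaper control.
    """
    reduced = Risk(risk.name, risk.asset_value, risk.exposure_factor, new_annual_rate)
    return risk.ale() - reduced.ale() - annual_control_cost


# Constructed sample risks, loosely modelled on the scenarios raised in the interview.
SAMPLE_RISKS = [
    Risk("static WEP key recovered by outsider", 1_000_000, 0.10, 2.0),   # ALE 200,000
    Risk("open access point used to launder attacks", 200_000, 0.25, 0.5),  # ALE 25,000
    Risk("keystroke logger on shared kiosk", 500_000, 0.30, 0.2),           # ALE 30,000
]


def wep_upgrade_decision() -> float:
    """Constructed figures: 802.1X rollout costs $40,000/year and cuts the WEP
    incident rate from 2.0 to 0.1 per year. Returns the net yearly benefit."""
    wep = SAMPLE_RISKS[0]
    return control_net_benefit(wep, new_annual_rate=0.1, annual_control_cost=40_000)


if __name__ == "__main__":
    for r in rank_risks(SAMPLE_RISKS):
        print(f"{r.name:45s} ALE ${r.ale():>10,.0f}")
    print(f"net benefit of WEP upgrade: ${wep_upgrade_decision():,.0f}")
```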
[TechRepublic] You spend a great amount of space in your book discussing protecting against unauthorized access to a network. However, it is well known that in many urban and industrial areas you can find open wireless 802.11 routers. You point out that the best way to secure a wireless network is with 802.1X and WAP, but these companies are still using 802.11 routers in their default configurations. Can you explain why this occurs and what sort of security risk these businesses are facing?
[Johansson and Riley] These businesses are inviting people inside the firewall. It is another example of how porous the firewall really has become; predictions of the end of the firewall are becoming truer every day. Of course, if you are using 802.11b only with static WEP, you are as good as wide open too, so it really does not change things much -- it's possible to crack a static WEP key with as few as 500,000 captured frames, which a fully-utilized 802.11b access point will generate in about 8 minutes 20 seconds. Few of the wireless router vendors sell their gear with security turned on.
They are insecure by default. That means that people have to do something else to turn on security, and that involves changing something that is already working. Again, this is the fundamental tradeoff at work. The routers are cheap and usable, but insecure. If you want them secure and usable, someone has to spend money. As the margins are already razor thin in the wireless market, nobody has been able to make a viable business selling routers that are secure and usable. Microsoft gave it a valiant shot, but gave up since they could not compete on price with the insecure cheap versions sold by everyone else. Another problem is that some people just don't seem to care. "Ah, our data isn't that important, no one will attack us." Remember, not all attackers want to steal data. Some of them want to steal your bandwidth; open wireless networks are obvious invitations to the bad guys, enticing them to launder their attacks through you. Other attackers could be interested simply in trying to cause you grief by launching a DoS attack against all your access points. Use of the air as a transport is a fundamentally different thing than wire or glass.
[TechRepublic] There have been several high-profile stories in the mainstream press recently about identity theft and stolen credit card information. These stories raise the public consciousness for a while, but the "outrage" seems to fade over time and we go back to a status quo. Up to now, even though these security breaches are inconvenient for those involved, they haven't been disastrous. What major network security vulnerability keeps you awake at night? What is your worst case scenario?
[Johansson and Riley] That would be classified information. :)
The worst attacks are those we do not notice. We always ask IT managers and execs how long it would take them to notice that there is someone on their payroll that does not belong there. Everyone looks uncomfortable when we ask that because it is a scenario that we do not want to think about. The attack that goes on for years that we do not notice, that is the worst attack. With that attack the attacker can do anything. For instance, is stealing someone's identity the worst thing that can happen?
Or, is it the modifications to the identity? In other words, is it the fact that someone has your social security number that is bad, or the fact that they are using it to open up credit cards, thereby tarnishing your reputation? In virtually all cases, data modification is the bad attack, and those can be very stealthy. Another example is keystroke loggers. Yeah, these things are really worrisome. They bypass just about any other form of access control you might have and record everything you type. A colleague of ours once sat down at a public kiosk and logged into his corporate email account over the web. A few moments later a dialog popped on the screen, offering to upgrade the software keystroke logger currently installed! Now even the bad guys are building auto-update mechanisms into their tools.
[TechRepublic] Even if you take every precaution possible to protect your Windows server from attack, the security is only as good as the people who are tasked with implementing it. You tell several amusing yet disturbing stories in your book about sophisticated protection schemes being circumvented by fickle human nature. Is social engineering the real weak link in security? How does an organization combat the chaos that is human behavior?
[Johansson and Riley] Well-designed and well-managed networks are becoming more difficult to attack. Software has gotten better. So we fear the attacks that just go around the security. Keystroke loggers are one example; social engineering is another. Yes, social engineering is definitely the weak link. Why expend so much effort trying to attack the system when it's maybe easier to attack the sysadmin? As we say in one of our presentations, the OS manufacturer cannot configure your people for you.
It is up to the organization to do that. Doing so is an education effort, but also includes a mindset change. IT managers often got into IT to avoid people in the first place, so we have a tendency to write off user problems as something we just can't deal with. That's a mistake. People are potentially the strongest security measure we have -- if you've "configured" them properly. They want to do the right thing, but they do not know what the right thing is, let alone how to do it. We need to put educational measures in place to teach them.
