CNET también está disponible en español.

Ir a español

Don't show this again


Asleep at the wheel?

IT observer Jon Oltsik says a decade's worth of corporate network defenses was set up to protect against the wrong enemy.

When it comes to beating back hackers, too many companies are still asleep at the wheel.

Set up to guard against old-style black hats, their defenses have ignored a newer class of sophisticated attackers who take advantage of Internet back alleys and technology loopholes to penetrate corporate networks.

Old-style hacking attacks were direct brute-force affairs: I found some information about your network. Then I went poking around and effectively jiggled the doorknobs of various systems to find an entry point and something worth stealing. All the while, I would make a lot of noise and leave a bunch of fingerprints. So if you were entirely oblivious, I'd be home free.

This is Security 101, reminiscent of Mitnick-like hacks from the 1980s. Most information technology shops understand how to lock their doors and windows and monitor for suspicious behavior.

Get Up to Speed on...
Enterprise security
Get the latest headlines and
company-specific news in our
expanded GUTS section.

A couple of well-placed security devices and a semicapable administrator can defend against this attack perfectly well.

Modern hacks aren't quite so obvious. Remember the old "Three Stooges" skits when the boys would knock out some guards, dress up in their uniforms and then skip freely past a watchman? That's kind of how it works.

Hackers look for a place with a lot of traffic; a university or an Internet service provider network with many unaffiliated users is perfect. The hacker compromises every system in this high-traffic network by attacking well-known vulnerabilities. This brings in the booty: PCs with virtual private network (VPN) connections to corporate networks. Don't look now, but Larry, Curly and Moe have taken out your security staff and are about to come through the door!

With a VPN connection at hand, the hacker simply enters the network, compromises one internal system after another--and then steals your customer information, credit card numbers or source code. Worst of all, you have no idea that anything is wrong until the barrage of phone calls comes in from irate customers, banks and business partners. Better pour some coffee and call your attorneys; it's going to be a long night.

The scenario I just described is the exact reason why we have information security in the first place. How could this happen?

First of all, many shops are still focused on the proverbial low-hanging security fruit like perimeter gateway devices, some antivirus software and the occasional intrusion detection software. This simple architecture is defenseless against malicious code, blended threats, and application-layer attacks--let alone any type of sophisticated attacks.

Don't look now, but Larry, Curly and Moe have taken out your security staff and are about to come through the door!
With the onslaught of Internet worms (SQL Slammer, MSBlast, and Sobig) and spam, numerous companies have bolstered basic gateway defenses with IPS devices, internal firewalls and antispam software.

Security managers at shops like these had to fight for every security dollar, so they breathe a sigh of relief when they are not affected by the latest Internet malware attack.

The danger here is the false sense of security. Unfortunately, there is no 80-20 rule when it comes to security. In other words, if you don't have the skills, processes and technology to defend your network against all types of attacks, you are far more vulnerable than you believe. A rogue employee, determined hacker or misconfigured device could end up costing the company millions of dollars in intellectual-property theft, public relations damage, litigation and regulatory fines.

What can be done? The executives have to comprehend and buy into information security. Understanding is key. The CEO can approve the budget for some new security widget, but if she doesn't get what she's paying for, she'll eventually cut off the money supply.

Security managers should also conduct a risk assessment and security audit to understand what to protect and how to protect it. There must be a contingency plan for every possible situation.

Finally, for the stealthy hacker attack described above, the only defense is a full understanding of network behavior--security gurus need to watch the network for anomalies. If a server is acting like a client, alarm bells ought to ring somewhere.

I think that Alvin Toffler nailed it in his book "Future Shock." Like it or not, we are beholden to our computers. They can either make us profitable and productive or stab us in the back.

Personally, I'd rather do all I can to defend against intruders than take a dagger between the shoulder blades.