Network Security & Hardware - eWeek


Is the Smart Grid a Dumb Idea?
Surgical Adhesive Offers Smarter Way to Mend Bones
Get Smarter Technology on Your Mobile!
  Network Security & Hardware


IT Admins Must Think Like Hackers



 By: Ryan Naraine
2005-04-04
Article Rating:starstarstarstarstar / 0


There are 0 user comments on this Network Security & Hardware story.


Rate This Article:
Poor Best
IBM's security architect Jeff Crume reminds InfoSec World attendees of several important things hackers don't want others to know about.

ORLANDO, Fla.—Veteran IBM security architect Jeff Crume on Monday urged IT administrators to start thinking like malicious hackers to fully understand the ways in which a corporate network can be breached.

In a standing-room-only presentation at the InfoSec World conference here, Crume identified a long list of weaknesses targeted by attackers and recommended that businesses look beyond traditional firewalls, filter rules and anti-virus software.

"If youre a security administrator these days, its not a good time to be sleeping. The attacks these days are more voluminous and the dynamics arent working in our favor," Crume said, pointing out that attack mechanisms havent changed much over the last five to 10 years.

"Theres nothing more dangerous than presumed security," Crume warned. "There are some things you think you know but they come with many misconceptions."

First off, Crume said, the overdependence on perimeter firewalls gave businesses a false sense of security because that first line of defense can become the single point of failure. "Almost all attacks that are troublesome, firewalls can hardly prevent," he said. "The hacker doesnt want you to know that once he breaks past the firewall, hes in the network and can do whatever he wants."

"A firewall cant detect many types of attacks and it cant tell if a particular packet is malicious. A firewall cant defend against attacks that dont go through it, so if its only at the perimeter, theres a sitting duck aspect to it," he said.

Resource Library:

Even worse, Crume argued, a lot of malicious attacks have historically come from within an organization, making perimeter firewalls largely meaningless.

Interestingly, Crume recommended that business use more firewalls to fix the problem of overdependence. Because the "bad guys" can be sitting within the network, he suggested that businesses carve off separate security zones internally to block or limit access to parts of the network.

"If you look at how some worms propagate, it looks like an insider attack. If someone goes on the road with a laptop and picks up a Trojan, he is a risk to the corporate network when he returns. These are the types of internal risks that the firewall cant block," he said.

"[With] all the big worm attacks, if you look closely, the exploits start from outside but the big spread happens within the network," Crume said, likening the protection mechanism to the shutoff valve used by plumbers to minimize the damage from a burst pipe.

"The outsider is probing and stumbling around like a thief in the night. But the insider knows exactly where the data is and he knows his way around the intrusion detection system. He is a bigger threat to do damage unless you do a better job of implementing the separation," Crume said. "If the intranet holds the keys to the kingdom, you need to treat it as a semitrusted network."

Humans are the weakest link

Another vulnerability hackers prey on, Crume warned, is that humans are the weakest link in the security chain. "We can create all the technological defenses but nothing can stop an employee or user who wants to subvert the process. The human who doesnt understand or know what the process is is a big, big problem."

Cyber-security expert analyst Roger Cressey spoke at InfoSec World on the potential for an Internet-based terrorist attack. Click here to read more.

Crumes presentation included a segment on social engineering, the concept of tricking an authorized person into revealing IDs, passwords and other confidential information.

Social engineers use low-tech hacking methods to collect basic data that can be used to persuade insiders to give up passwords. In some cases, hackers go "dumpster diving," Crume said, explaining that an organizations trash often contains important clues for social-engineering tricksters.

"You can go through a dumpster to get a corporate phone directory which, to a social engineer, is gold. He can get names, titles and responsibilities of everyone in the company from that directory. He can assume the identity of someone on that list and do all kinds of dangerous things," Crume said.

The password problem

Another nightmare for the enterprise security admin is the inherent weakness that comes with depending on passwords. "Passwords arent secure. We know its a problem but were not doing anything about it. As an industry, we havent gotten better in the last ten years in dealing with this problem," Crume said.

For one thing, employees within the network use trivial passwords that can be easily guessed or cracked by readily available programs. "If your password is about you, its not a secret. If its based on public information about you, its probably likely that others will know. You then become a big target for a social-engineering attack."

He said businesses have tried implementing complicated password-creation schemes but in those cases the employees simply scribbled the passwords on yellow sticky notes and pasted them on the computer monitors.

Crume described using the LophtCrack tool to help a friend who had lost his password. "Some claim a 30-percent success rate with this program, which is scary."

With LophtCrack, a hacker can launch dictionary-based attacks in multiple languages if trivial passwords are used.

Crume recommended businesses invest in newer technologies like single sign-on tokens, smart cards or biometrics authentication. "These arent the holy grail of security and I dont want to oversell what they can offer. But, right now, they can help solve a lot of identity management-related problems."

Click here to read more about the challenges of identity management for todays enterprise.

Among other things hackers take advantage of, Crume said, are unprotected rogue Wi-Fi networks set up by employees; the availability of easy-to-use worm generators; the increased discovery of down-level software flaws; and the fact that virus defenses are largely inadequate.

Check out eWEEK.coms for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at eWEEK.com Security Center Editor Larry Seltzers Weblog.



  Reader Comments: IT Admins Must Think Like Hackers
>>> Be the FIRST to comment on this article!
 

 
 
>>> More Network Security & Hardware Articles          >>> More By Ryan Naraine
 


xr۸(;whkL"b+RJX+e)d>HJ"Hʶ2߼yoP/q*6I h47~vv(QuKGZOgܛƃ'ym ԃq='K?rdxsRheUu=|W-sdsak75v#<뉔7oE<|l 4j70,hԕ[s2"9QG/b 02Ka&`Q\l8lT@!j8:U7,1qD$k="?IDe5淌a}؁_ f8ALljL~>"R4يOqCرwkoEY㇝ u(lšF[k#2pj9*dF`VJ,gXo=ʋaz.G 9rx&T;#_tCSD-iTV72*%&Ӂc)yX(`p*jTP4GL'j CXul t.&$f4P=l~0kM .n\JxO,ӇwB0sc,O`e[YUxs~D;wJ 1KUoz㮫؀@ t[dzr$^Н)hejwDͺ)rtT%VÚyxx(<OZ]$#d`:(PdjAZ|]mUk_{}߮A"[Ccؚ`#TCAνCbs|"J]<L@%X\035fI9"3V= MV1p;g3R˼`W$%/+_P%PAI/c 5#z:]$ySDD='gKE4>BB7qj!TjP,je= N}X.Gs:GTZWMKxgS ƣk%η"R}'9>M C0HQtuF4"BQFe T * gscX"C@#'3 [N;;\/KI-TD8JnOpq$\8#/Js㙰tGE4n^ _ 23CEɴikN{06`bǼ32VU͜6,Ǧ6&&B~M`Z&FLio<`3Xu- SJ`ݑN86̜07ÚL ~Dg虉m>N5i+:ϧHږiCc67\gsݐC/2 W&i 2cOyUnYg ):a[m-M7)\IZfbd"U9eXScXNϠDC_ /0}31PbJJV ZhE梱x4ʷY fUbue"t J}oaXZ @.Ei ,-؋W7tjt0P*ڴmsqɰC/Pi]"^ |W@(MKсUruXkw2잵).0g7ay+lAkTtJDm  5[;6b^.!毻0kɰ\~l"9zD\8D}: BLΧRE\A - -YFN5 kMwu0$IM#RBЦPG ~S<2 iәZJo=:,*RgE`2C/ YS)E"I㻆;!P8Y_q,cm0^o>K}0֯>v^9ZQ:?b + ;SFO%OL_srߛyV`/ĨOU1#~ UIe[+;3؞?F'hE}hGf0&@ :Ms8 9\e=Q\U ɨ4V3CO=צkH)Xw]tD&ZE_@erX-ښO,#( ^3RX chwΒ)e{Aqٔm!zV~ʀWe)&2TN{ӟNOկ(7> Sm&-f]{mX75x8^ g(k{R}6e`W@Adū[u#}Re*WtE?Oﺬ(D׿):%2RC|!\{)=+VgP֛X4=P~Tivb:\ GqSVSW<ĶlU4uM4P UOAqu Y4gB8BVvi72 15'ӥt 3!EE-%yqѦ39anߠGu_R6я`;ՙmPkT"h\U@R 2㚚/SOi~<^VdY0_ 8x @YҒnw` CyrPNM /0:E*kZPK=Xd,ynch'`c(hmb2=侧jkQuzۤ*T$%Čq,`wU紨cDQK^ pL'xIHl9t)ȠfO0%B;q{/:7)@^) yJS]:%-hh^@L#jԚeDIa\%M-XU@j*LU.jwTe4*(jQCsOFt_zD tzߍdRԧ+}3݀;L+۱aC:ɹӁP>P mT)j?$ԄB.M]>⺆brQ.3X'CWeR;Kt۽vP0yuGՒBۀiо:mzDJ5o:Ne} qߢoRfB, F8{5bvu@ɶ3z~n 7 mu (.o9dٞhXu.9Isѹaj}:׼փ!5vy~uDye8B"DEy{hq\1nmF'EL>\>A\;CgW쐲C žtnN[7X9x?ѱB3ZMU> | AYj+<M?vҟZ V `!PHPsh$` X*9Xe2ݽh~e؋Nǣl x3%C'KP+bK)%DY lN['&# <<&9pDk\߃4~ y*~y:~_dxHԧ BY1GgR%VIOsOH 'E >_/ggwi!v27V_$E:Z7@GdlaGYk&Nh-ŧ [Olg^\BZQR9 գdLiv-mRRlM,vtώUʇnSw&L=cmNݙ bN~ؑqx4RThixSXs]nhJNх[En65HPޛ#5p꺟!LtP wv+רK-hhkQ<_? _B~o'ݺ>84Ǡ5,L>;+$cc2⒄ ,+S{wȘSۉ7R^~+<&i]%R -4/ Z-'8\~5߈:6"YcCƓd_:XP|=ߌ93{C4Wn ZSweלo_lXR|  7?Q=.B70@Q/soK[G+J86]b-^-IoLLViyii*KŮcmB(t(*9rI R'ܓ4I7=1I=I gF; / ;>1`0y45u"N̙z].ȕ}Xy-.Vᢞ_hH_#l^>i4ْGh9..;}0\; Mf}و`+-+だE7FTS4RzEy}laN^a05xRsG'!υ8v`~^hT01#u ?tX򵝄z?ss}t~\}rGv|NG#Gq3g9z+Br$~@,4ձc?FQNg}H݋$n ME~.!R6˫%ϝ,YU(kĈT\s@g%prÃcK#jP:rԊ觷OSuUdQF~;K;E1E2o\{,FdG+R4J)1~t_t(yGMq q 蚏EI'B|#g_@ojeE:5]=F쀉e6BAERP!R^7\Sz, G C]N-44:]!.ds(Hv(]FAx#t#ua. rgMq"er_ [v] e. ˂|E,BD XubT5<:#а4 H"Ācwo^]s$ 5QxC+~% =&e*nc@ð&e4F0Dƃ2$H߆枆9{(!ͽE΄.$ Sx'8Npg/O9eFxA doj( k[6j]c} GR§HŜqzl1;vFVנWp{ѼH)XD`1v2K(oGʓQx. Im US2t,}t {HM"7'Zurȹ_56b>$tc#C\8901QdBt $$g $!c BHߐx6NBt< 'Ze|Q2gFFFFoHYj[3Rj0ЎhBFuyCӓse2uI yaгmԯ_cM7.= tht, zc\A"N _=1vߪ<>%r- o x9iXKO_h~KhxG x '^tF,mpZƆ:[ k W[7m%c=B#pۛi׷m<-~rЏwL7ShEH0q٤Sce_f’%%܎glBua$ J/q)gL8ix (}~{̺a.YQ׷rmLx;ߌEicVΞe QcUJ#S-"WJJ /ȑ{zm!O6>.^a̷nᮦj0 Jk q{6ڈb ]-t4irˇh%=]OLzP#>b&$  Ĉ16YZmIr &khЙJW`7yBG*jh]2T?D8Eb!(aE$7@55!L2(uSJTn$|sZTibc40UA@"\p?:qkAa2?uc20t<21xkntd͡Q"I|8&L}G%nsK 釃1It.CK/HFzFsIwǦ拈c>$\c|EWo*WR%T~KE6gpa)h,ۥ wV3_Xı+Z+i+s9Aɑ!=} YF`j>UP }j]Y4ME'7^sE[[\>k_oW\`&FoTY煺DQ(;MzYy٢za4璅edȀWe. }QPYÁI{k0ųlyޖ1o:Ll+c'=ӛVdc+ε{xu3L8zy7^Z (Cc=WaLa `m]Nzs5BJy@ CFo[F ߬N?i63;HGJN?2O du,?3#\~5۫ۧF4#hgWvF?ts݌ϐyuȀ]2c|.Y\fK ̠Oѫ_}O~/HWF%_f^eU\]e_hO'Ct@t25u}\C7@?7Ӆw3߅w3e_WHuuG ?eC>eSn!6+6~oیon3/9 B< >k^qFz)8ΠREV SV:,2!=C%HϠXi7:Zeu\/^}VdF*oir]5.9eZ+ /Y[մV*q -s}}}/Q -CyikR!0AܠKXEó"D&Ь͗'hވu]j= gE)aIY-0?&UtZ./2Wޕ\~Sfy+tV1&R<uG|緶xvgY.͌j,7m(5q}³2l3h o\ce\*Y{~Rr&zeh$7=/"VxwΆl'x͔a9.^K`RHVr. =fwU$ʢ1?qJAz|X.e3E&iб ߚ(2m y'it };[|ފnZ|Qؖy@2gG۶Vf,io;@B!И#B.ܐOF{d)0XPywFo/y㲁F"= 3 ۆ 1>0j;;3m8Te.M}B1EB]`hJ -(O?5o'kn5y`w4ae n=]w O 7F>&n?5Cx"}_vs[<'B`̊-|~C\1F`]}űRɤ{i y 2 !yYev҅N袸ʍI,F`ڡ^d++)ؐ9r k0bO1,3Qf7=ÛǍTS*|J>rT.>Ͻͮf &Dطh\NwFL5xɇelewɴ;:++hި'O׬=LEܗ1u1G - `5>gvE&z>waX0>]4L?tBCc93a=E`0MZZ/|J/aH4ՊHv<#/ahBgybSS2sؔĽYߊwf@3O{IJj +#_te'sgݧ'{䏝7ooJO~^ #nߥ/# +_ŁXLt3//L༿uHưX )SA(ڇ_x_rD# k BLۃfJ |_Z-#h[h*|AY>s ]i֥IB;,W3% h4pv5\\z`Wګ$r0`CqhtTZ wYHN=[0TiHAeQ$%+J>*їeOdH;YA]-j(zGo3,?[7rTQ$\2&놥x}tkR5US!b7x GC8?j;,!>%aC E#w$K\&AKjm'|+Tд@]Tb?`~}?tf*ތ~ÅyxA\ Ҝx]PE%z?O|nӂVC+] V`6;.MtOn:*b/0+зꮃ*mzJ-q'4 O^WuNz`Tm;"Lc_%Z0xSB:U kqAmwi̪ἤ4A3 ]TvКT-z2o ߁@Tzt G yЈq`,8'یAdQ*IhF"~OfH 5rN都&_>j: mEM9ܥ2\0#Z7oO'VQrlb_(Yo.GhB$tbŖDPo&?LV!֎uxsiH,~,,}С&0 6/֍\g7iB7j*9<৕O$."P3װK ~`Wg0Qdj@:u^@[n-<ʸ<\d 񬧎0nܫa%,nTnLT˦: Ȥo/ǖ:tBȡ"i9,y4|uxL|m=Vыstbv.0*AHcAvp]φ؈ኸ'6DD# G&)B88XCx|8W>zY,4\A*Ls 8-'SIO ɻ8Kt -0knT@ 0aa{RJBwⶥI;fFrpHijnyZ0fJ^Vܶ{6$B lՈ1:ݯwݲG,}zQ9' HneMiwdZ0H ۵o11J4Ą?O4q '_%Bڦ ܜTXp5L׆o"%F'+{ x83u(ʳdf%JMnkD 5 cktXBԥ;o|PWL?e!"%N ǶH_bY@򬞧Ad'\8;I _& a bU K6eR=!bF:9yUJy<#`c`|!AW&,h&ѡrXN8Q[IF4;Ɍx :"m~cjHh̕ ~Txg@RV*h"$6o5Dc,CfmɡtP-b܂"b{k;a\z ,Bm?nD'!&Wf)P'b"1u}-wN76&7~6/C r6,_ {cm;<