IT Admins Must Think Like Hackers

IBM's security architect Jeff Crume reminds InfoSec World attendees of several important things hackers don't want others to know about.

ORLANDO, Fla.—Veteran IBM security architect Jeff Crume on Monday urged IT administrators to start thinking like malicious hackers to fully understand the ways in which a corporate network can be breached.

In a standing-room-only presentation at the InfoSec World conference here, Crume identified a long list of weaknesses targeted by attackers and recommended that businesses look beyond traditional firewalls, filter rules and anti-virus software.

"If youre a security administrator these days, its not a good time to be sleeping. The attacks these days are more voluminous and the dynamics arent working in our favor," Crume said, pointing out that attack mechanisms havent changed much over the last five to 10 years.

"Theres nothing more dangerous than presumed security," Crume warned. "There are some things you think you know but they come with many misconceptions."

First off, Crume said, the overdependence on perimeter firewalls gave businesses a false sense of security because that first line of defense can become the single point of failure. "Almost all attacks that are troublesome, firewalls can hardly prevent," he said. "The hacker doesnt want you to know that once he breaks past the firewall, hes in the network and can do whatever he wants."

"A firewall cant detect many types of attacks and it cant tell if a particular packet is malicious. A firewall cant defend against attacks that dont go through it, so if its only at the perimeter, theres a sitting duck aspect to it," he said.

Even worse, Crume argued, a lot of malicious attacks have historically come from within an organization, making perimeter firewalls largely meaningless.

Interestingly, Crume recommended that business use more firewalls to fix the problem of overdependence. Because the "bad guys" can be sitting within the network, he suggested that businesses carve off separate security zones internally to block or limit access to parts of the network.

"If you look at how some worms propagate, it looks like an insider attack. If someone goes on the road with a laptop and picks up a Trojan, he is a risk to the corporate network when he returns. These are the types of internal risks that the firewall cant block," he said.

"[With] all the big worm attacks, if you look closely, the exploits start from outside but the big spread happens within the network," Crume said, likening the protection mechanism to the shutoff valve used by plumbers to minimize the damage from a burst pipe.

"The outsider is probing and stumbling around like a thief in the night. But the insider knows exactly where the data is and he knows his way around the intrusion detection system. He is a bigger threat to do damage unless you do a better job of implementing the separation," Crume said. "If the intranet holds the keys to the kingdom, you need to treat it as a semitrusted network."

Humans are the weakest link

Another vulnerability hackers prey on, Crume warned, is that humans are the weakest link in the security chain. "We can create all the technological defenses but nothing can stop an employee or user who wants to subvert the process. The human who doesnt understand or know what the process is is a big, big problem."

/zimages/4/28571.gifCyber-security expert analyst Roger Cressey spoke at InfoSec World on the potential for an Internet-based terrorist attack. Click here to read more.

Crumes presentation included a segment on social engineering, the concept of tricking an authorized person into revealing IDs, passwords and other confidential information.

Social engineers use low-tech hacking methods to collect basic data that can be used to persuade insiders to give up passwords. In some cases, hackers go "dumpster diving," Crume said, explaining that an organizations trash often contains important clues for social-engineering tricksters.

"You can go through a dumpster to get a corporate phone directory which, to a social engineer, is gold. He can get names, titles and responsibilities of everyone in the company from that directory. He can assume the identity of someone on that list and do all kinds of dangerous things," Crume said.

The password problem

Another nightmare for the enterprise security admin is the inherent weakness that comes with depending on passwords. "Passwords arent secure. We know its a problem but were not doing anything about it. As an industry, we havent gotten better in the last ten years in dealing with this problem," Crume said.

For one thing, employees within the network use trivial passwords that can be easily guessed or cracked by readily available programs. "If your password is about you, its not a secret. If its based on public information about you, its probably likely that others will know. You then become a big target for a social-engineering attack."

He said businesses have tried implementing complicated password-creation schemes but in those cases the employees simply scribbled the passwords on yellow sticky notes and pasted them on the computer monitors.

Crume described using the LophtCrack tool to help a friend who had lost his password. "Some claim a 30-percent success rate with this program, which is scary."

With LophtCrack, a hacker can launch dictionary-based attacks in multiple languages if trivial passwords are used.

Crume recommended businesses invest in newer technologies like single sign-on tokens, smart cards or biometrics authentication. "These arent the holy grail of security and I dont want to oversell what they can offer. But, right now, they can help solve a lot of identity management-related problems."

/zimages/4/28571.gifClick here to read more about the challenges of identity management for todays enterprise.

Among other things hackers take advantage of, Crume said, are unprotected rogue Wi-Fi networks set up by employees; the availability of easy-to-use worm generators; the increased discovery of down-level software flaws; and the fact that virus defenses are largely inadequate.

/zimages/4/28571.gifCheck out eWEEK.coms for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at Security Center Editor Larry Seltzers Weblog.