Close
  • Latest News
  • Cybersecurity
  • Big Data and Analytics
  • Cloud
  • Mobile
  • Networking
  • Storage
  • Applications
  • IT Management
  • Small Business
  • Development
  • Database
  • Servers
  • Android
  • Apple
  • Innovation
  • Blogs
  • PC Hardware
  • Reviews
  • Search Engines
  • Virtualization
Read Down
Sign in
Close
Welcome!Log into your account
Forgot your password?
Read Down
Password recovery
Recover your password
Close
Search
Menu
Search
  • Latest News
  • Cybersecurity
  • Big Data and Analytics
  • Cloud
  • Mobile
  • Networking
  • Storage
  • Applications
  • IT Management
  • Small Business
  • Development
  • Database
  • Servers
  • Android
  • Apple
  • Innovation
  • Blogs
  • PC Hardware
  • Reviews
  • Search Engines
  • Virtualization
More
    Home Cybersecurity
    • Cybersecurity

    IT Admins Must Think Like Hackers

    By
    Ryan Naraine
    -
    April 4, 2005
    Share
    Facebook
    Twitter
    Linkedin

      ORLANDO, Fla.—Veteran IBM security architect Jeff Crume on Monday urged IT administrators to start thinking like malicious hackers to fully understand the ways in which a corporate network can be breached.

      In a standing-room-only presentation at the InfoSec World conference here, Crume identified a long list of weaknesses targeted by attackers and recommended that businesses look beyond traditional firewalls, filter rules and anti-virus software.

      “If youre a security administrator these days, its not a good time to be sleeping. The attacks these days are more voluminous and the dynamics arent working in our favor,” Crume said, pointing out that attack mechanisms havent changed much over the last five to 10 years.

      “Theres nothing more dangerous than presumed security,” Crume warned. “There are some things you think you know but they come with many misconceptions.”

      First off, Crume said, the overdependence on perimeter firewalls gave businesses a false sense of security because that first line of defense can become the single point of failure. “Almost all attacks that are troublesome, firewalls can hardly prevent,” he said. “The hacker doesnt want you to know that once he breaks past the firewall, hes in the network and can do whatever he wants.”

      “A firewall cant detect many types of attacks and it cant tell if a particular packet is malicious. A firewall cant defend against attacks that dont go through it, so if its only at the perimeter, theres a sitting duck aspect to it,” he said.

      Even worse, Crume argued, a lot of malicious attacks have historically come from within an organization, making perimeter firewalls largely meaningless.

      Interestingly, Crume recommended that business use more firewalls to fix the problem of overdependence. Because the “bad guys” can be sitting within the network, he suggested that businesses carve off separate security zones internally to block or limit access to parts of the network.

      “If you look at how some worms propagate, it looks like an insider attack. If someone goes on the road with a laptop and picks up a Trojan, he is a risk to the corporate network when he returns. These are the types of internal risks that the firewall cant block,” he said.

      “[With] all the big worm attacks, if you look closely, the exploits start from outside but the big spread happens within the network,” Crume said, likening the protection mechanism to the shutoff valve used by plumbers to minimize the damage from a burst pipe.

      “The outsider is probing and stumbling around like a thief in the night. But the insider knows exactly where the data is and he knows his way around the intrusion detection system. He is a bigger threat to do damage unless you do a better job of implementing the separation,” Crume said. “If the intranet holds the keys to the kingdom, you need to treat it as a semitrusted network.”

      Humans are the weakest link

      Another vulnerability hackers prey on, Crume warned, is that humans are the weakest link in the security chain. “We can create all the technological defenses but nothing can stop an employee or user who wants to subvert the process. The human who doesnt understand or know what the process is is a big, big problem.”

      /zimages/4/28571.gifCyber-security expert analyst Roger Cressey spoke at InfoSec World on the potential for an Internet-based terrorist attack. Click here to read more.

      Crumes presentation included a segment on social engineering, the concept of tricking an authorized person into revealing IDs, passwords and other confidential information.

      Social engineers use low-tech hacking methods to collect basic data that can be used to persuade insiders to give up passwords. In some cases, hackers go “dumpster diving,” Crume said, explaining that an organizations trash often contains important clues for social-engineering tricksters.

      “You can go through a dumpster to get a corporate phone directory which, to a social engineer, is gold. He can get names, titles and responsibilities of everyone in the company from that directory. He can assume the identity of someone on that list and do all kinds of dangerous things,” Crume said.

      The password problem

      Another nightmare for the enterprise security admin is the inherent weakness that comes with depending on passwords. “Passwords arent secure. We know its a problem but were not doing anything about it. As an industry, we havent gotten better in the last ten years in dealing with this problem,” Crume said.

      For one thing, employees within the network use trivial passwords that can be easily guessed or cracked by readily available programs. “If your password is about you, its not a secret. If its based on public information about you, its probably likely that others will know. You then become a big target for a social-engineering attack.”

      He said businesses have tried implementing complicated password-creation schemes but in those cases the employees simply scribbled the passwords on yellow sticky notes and pasted them on the computer monitors.

      Crume described using the LophtCrack tool to help a friend who had lost his password. “Some claim a 30-percent success rate with this program, which is scary.”

      With LophtCrack, a hacker can launch dictionary-based attacks in multiple languages if trivial passwords are used.

      Crume recommended businesses invest in newer technologies like single sign-on tokens, smart cards or biometrics authentication. “These arent the holy grail of security and I dont want to oversell what they can offer. But, right now, they can help solve a lot of identity management-related problems.”

      /zimages/4/28571.gifClick here to read more about the challenges of identity management for todays enterprise.

      Among other things hackers take advantage of, Crume said, are unprotected rogue Wi-Fi networks set up by employees; the availability of easy-to-use worm generators; the increased discovery of down-level software flaws; and the fact that virus defenses are largely inadequate.

      /zimages/4/28571.gifCheck out eWEEK.coms for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at eWEEK.com Security Center Editor Larry Seltzers Weblog.

      Avatar
      Ryan Naraine

      MOST POPULAR ARTICLES

      Android

      Samsung Galaxy XCover Pro: Durability for Tough...

      Chris Preimesberger - December 5, 2020 0
      Have you ever dropped your phone, winced and felt the pain as it hit the sidewalk? Either the screen splintered like a windshield being...
      Read more
      Cloud

      Why Data Security Will Face Even Harsher...

      Chris Preimesberger - December 1, 2020 0
      Who would know more about details of the hacking process than an actual former career hacker? And who wants to understand all they can...
      Read more
      Cybersecurity

      How Veritas Is Shining a Light Into...

      eWEEK EDITORS - September 25, 2020 0
      Protecting data has always been one of the most important tasks in all of IT, yet as more companies become data companies at the...
      Read more
      Big Data and Analytics

      How NVIDIA A100 Station Brings Data Center...

      Zeus Kerravala - November 18, 2020 0
      There’s little debate that graphics processor unit manufacturer NVIDIA is the de facto standard when it comes to providing silicon to power machine learning...
      Read more
      Apple

      Why iPhone 12 Pro Makes Sense for...

      Wayne Rash - November 26, 2020 0
      If you’ve been watching the Apple commercials for the past three weeks, you already know what the company thinks will happen if you buy...
      Read more
      eWeek


      Contact Us | About | Sitemap

      Facebook
      Linkedin
      RSS
      Twitter
      Youtube

      Property of TechnologyAdvice.
      Terms of Service | Privacy Notice | Advertise | California - Do Not Sell My Information

      © 2021 TechnologyAdvice. All Rights Reserved

      Advertiser Disclosure: Some of the products that appear on this site are from companies from which TechnologyAdvice receives compensation. This compensation may impact how and where products appear on this site including, for example, the order in which they appear. TechnologyAdvice does not include all companies or all types of products available in the marketplace.

      ×