The only way to avoid hackers entirely is to pull up your enterprise drawbridge and pull the plug on the Internet. Seventy-eight per cent of the respondents to the 2003 Computer Security Institute/FBI Computer Crime and Security Survey identified the Internet as a primary point of attack.
And the attacks are expensive. The survey’s 251 respondents estimated that they collectively lost more than $70 million (US) to information theft in 2003. Viruses accounted for $27.4 million. Even “script kiddies,” teenaged digital vandals who typically cause more trouble than expense, cost them $65.6 million in denial of service attacks.
The most dangerous hackers, however, are the ones who are armed with knowledge about your system’s vulnerabilities. “The difference between someone who is successful at actually getting into a system and a script kiddy is understanding and knowledge,” says Justin Peltier, a Michigan-based security consultant who leads seminars that teach corporate IT managers how to “think like a hacker.”
A tiny fraction of malicious hackers are what Peltier calls “wizards,” the professional elite of the digital underground. These are veteran network virtuosos who have been testing systems for years, often decades. “Because of their experience with systems, they don’t usually break into systems for fun,” Peltier says. “They work for hire, for organized crime or industrial espionage.”
The hacker elite write their own code and perform “zero-day” exploits of security vulnerabilities before vendors have published patches. “It’s probably 95 per cent research and five per cent execution,” says Jeff Posluns, chief innovations officer of WhiteHat in Toronto. They pore through published APIs and tech libraries to see how systems work and how to compromise them. “At their most advanced, there are guys who can reverse-engineer systems,” he says. “Some guys with 20 years of experience can potentially read assembly like a first language.”
With their extraordinary skills and specialized knowledge, the wizards can penetrate systems and steal sensitive information without detection. They can be difficult to defend against, but they are very rare, says Stuart McClure, president of Foundstone Strategic Security Inc. and author of the book Hacking Exposed. “The vast majority of the time, it’s not that romantic. It’s just mundane social engineering, or they steal a laptop.”
Together with dumpster-diving for logins and passwords, social engineering is an old hacker stock-in-trade. In one classic strategy, the hacker, posing as a corporate IT technician, calls one of your employees ostensibly to repair a network problem, but really to acquire access information.
They can also take advantage of simple greed within the company. “It depends on how much it’s worth to them,” Posluns says. “An elite hacker being paid a few million for a job wouldn’t think twice about taking $10,000 to buy a company’s passwords from a disgruntled employee.”
More often, hackers, both elite and common, simply patrol vendor Web sites and their own online communities, waiting for software faults to be discovered and announced. As anyone who runs a Windows server knows, the complexity of modern software has made security faults frequent and inevitable. Any lag between the announcement of a fault and the availability of its patch is a window that hackers will use. In the race between the exploit code and the patch, the exploit usually wins: it takes time for users to get the notice, find a slot in the production cycle to take systems offline and apply the fix. And things are getting worse. According to McClure, five years ago it took 188 days from the publication of a vulnerability for a hacker to create a worm that exploited it. By 2003, that gestation period was 10 days.
THE LAYERED LOOK
“Things are so heavily slanted against the defenders at this point,” Peltier says. “If a sysadmin goes on vacation, you could have a week or two when patches aren’t done.”
Apart from unplugging your router and doing all of your business by phone and fax, what can you do? “There are things you can do to reduce risk, but you can never eliminate it,” Peltier says. Like hackers, companies should patrol vendor Web sites regularly, looking for vulnerability reports and patches. “No one likes doing system patches, and with their frequency, it can be hard to keep up with them,” Peltier says.
The key is to add layers of defence to increase the complexity of unravelling your security, Posluns says. If there’s a vulnerability in your Web server, put a reverse proxy in front of it so that attackers cannot reach it directly. If a worm breaks out, deploy intrusion detection to spot infected hosts and buy time to patch.
But technology can’t solve everything. In the age of integrated e-business, you’re only as secure as your partners. “Someone might hack into Company A, which is a partner of Company B,” McClure says. “That means that, by getting into some small Taiwanese supplier with lax security, they can exploit trust into a big company.” The bottom line is that it comes down to people, process and technology together. “You have to educate people and have the processes in place,” he says. “And you need the technology. But you have to do all of these things, and act quickly. You have to understand the mindset of the folks who are out to get you.”
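As an added illustration of that first layer (example code written for this page, not something from Posluns, WhiteHat or the article), here is a small filtering reverse proxy in Python that sits between the network and a Web server whose fix has not been applied yet. The backend address, the listening port and the two block rules are assumptions made for the example; the rules stand in for the request shape of whatever fault is waiting on a patch and are not signatures for any real vulnerability.

```python
"""Filtering reverse proxy: a stop-gap layer placed in front of a Web server
whose fix has not been applied yet. Requests are inspected before they reach
the origin; anything matching a known-bad pattern is refused at the edge."""
import http.server
import re
import socketserver
import urllib.error
import urllib.request
from urllib.parse import unquote

# Assumed layout: the vulnerable origin listens on loopback only, so the
# proxy is the sole path in from the network.
BACKEND = "http://127.0.0.1:8081"
LISTEN = ("0.0.0.0", 8080)

# Constructed rules for illustration only; they are not signatures for any
# real vulnerability. Each is (label, regex applied to the decoded request target).
BLOCK_RULES = [
    ("admin-console", re.compile(r"^/admin(?:[/?]|$)")),  # hypothetical unpatched admin path
    ("path-traversal", re.compile(r"\.\.[/\\]")),         # '../' or '..\' anywhere in the target
]

# RFC 2616 hop-by-hop headers must not be relayed; Content-Length is recomputed
# because the proxy buffers the whole body before answering.
HOP_BY_HOP = {"connection", "keep-alive", "proxy-authenticate", "proxy-authorization",
              "te", "trailers", "transfer-encoding", "upgrade", "content-length"}


def normalise_target(raw_target: str) -> str:
    """Percent-decode twice so that %2e%2e%2f and %252e%252e%252f both read as '../'."""
    return unquote(unquote(raw_target))


def decide(raw_target: str):
    """Return (allowed, label); label is None when the request may pass."""
    target = normalise_target(raw_target)
    for label, rule in BLOCK_RULES:
        if rule.search(target):
            return False, label
    return True, None


def relay_headers(backend_headers):
    """Drop hop-by-hop and framing headers from the origin's response."""
    return [(k, v) for k, v in backend_headers if k.lower() not in HOP_BY_HOP]


class FilteringProxy(http.server.BaseHTTPRequestHandler):
    server_version = "FilteringProxy/0.1"

    def do_GET(self):
        allowed, label = decide(self.path)
        if not allowed:
            self._reply(403, [("Content-Type", "text/plain")], f"blocked: {label}\n".encode())
            return
        # Forward upstream; Host is rewritten by urllib, other headers pass through.
        fwd = {k: v for k, v in self.headers.items() if k.lower() not in HOP_BY_HOP | {"host"}}
        req = urllib.request.Request(BACKEND + self.path, headers=fwd)
        try:
            with urllib.request.urlopen(req, timeout=5) as resp:
                self._reply(resp.status, relay_headers(resp.getheaders()), resp.read())
        except urllib.error.HTTPError as err:   # origin answered 4xx/5xx: relay it as-is
            self._reply(err.code, relay_headers(err.headers.items()), err.read())
        except urllib.error.URLError:           # origin down or unreachable
            self._reply(502, [("Content-Type", "text/plain")], b"bad gateway\n")

    def _reply(self, status, headers, body):
        self.send_response(status)
        for k, v in headers:
            self.send_header(k, v)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)


if __name__ == "__main__":
    with socketserver.ThreadingTCPServer(LISTEN, FilteringProxy) as srv:
        srv.serve_forever()
```

Two points a practitioner should take from this. First, the layer only works if it is the only route in: the origin must be bound to loopback (or reachable solely from the proxy host through a firewall rule), otherwise an attacker simply goes around it. Second, the rules are applied to the decoded request target, because single or double percent-encoding is the first thing an attacker tries against a front-end filter. This is a way to buy time, as the article says; the patch still has to be applied.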