Employees are not the enemy
Now that networks are well firewalled, you are supposed to start worrying about internal security breaches. Just remember that the serious nasties will still come from outside the company walls.
By John Silltow | Techworld | Published: 00:00, 20 June 2003
Pick up any survey you care to think of and it will blithely tell you that around 95 percent of all attacks are from your ‘trusted’ employees – those same people you’ve carefully recruited, screened, nurtured and then given to a manager who doesn’t listen to them.
Not long ago, disgruntled employees simply coated diskettes with superglue and stuffed them into the nearest drive slot whilst the more technically minded might use the silver paper off a Kit-Kat to short a few terminals on a cable causing an interesting support problem or two.
Then we were faced with employees who legitimately passed out through the firewall to attack the company from the ‘outside’. A few years back this became such a large problem that the National Computer Security Association (NCSA) amended the rules for their firewall certification process to include this as a recognised threat. According to their figures, at that time, around a third of firewalls were failing certification anyway.
But what then has happened to all the crackers and hackers outside the company who would attack your systems? Have they somehow gone into hiding because of the increased media hype about internal attacks?
If internal attacks account for 95 percent of disruption then external attacks account for the remaining 5 percent. The interesting thing is that while the 95 percent costs 5 percent to recover from, it is the 5 percent that costs 95 percent to recover from.
Why is that? Well, an internal attack is generally speaking limited. Most of them are simple errors:
• A new user has accidentally been given a sysadmin access level. When they encounter screens they do not recognise they start to panic, pressing the wrong keys and crashing the system.
• A user deletes a valuable database containing staff appraisal scores. Of course there is no backup because it is too sensitive to hold on the network.
• A user decides to download the entire Beatles repertoire and brings the whole network to a grinding halt.
Recovery is therefore more of an issue of time and resources than worry about deliberate damage, theft of valuable resources, or the compromising of sensitive information.
The tactics of an external attacker are almost precisely opposite. Crackers are seeking not to draw attention to themselves. They have all the time in the world at their disposal to attack a network. Indeed to illustrate this it is said that the Chaos Club (a cracking/hacking club) has computers in every room, including the toilets. There is no such thing as an interruption to business for them.
There are several motives that might guide the attacker, including gain, malicious intent, the desire to establish a base for attacking other systems and using an attack as a personal test of themselves and their programs. Whatever the reason, the problem is not so much keeping them out but, more importantly, knowing whether you are being attacked at all.
You might have log files and audit trails, as all systems will generate them given half a chance, but does someone have the responsibility and time to look at them? Would you know what you are looking for anyway? Have you employed filters to cut down the number of lines displayed? If you have, are they up to date? Attack methodologies change and your precious filters could now be keeping you in blissful ignorance of successful attacks.
Denial of service was a biggie a while back. There are no real answers to this one except to have redundancy in the connection. This means multiple connections, routers, firewalls and de-militarised zones (DMZ) hosting the checking software such as virus scanners, hostile applet scanners and remote access verification systems. This is an expensive option though and needs to be weighed against the business risks of being offline for a few days.
Do not think that the best option is to have a modem connection available. If there is one guaranteed weak spot it is that. Whether it is there for system support, or for an operator who’d rather work from home than come in for the midnight shift, it is still a weak spot. A bit of war dialling will soon discover the computer connections that could be in your building. The computer will just as happily accept input through the modem as through the keyboard.
To look for unknown modems, either undertake a hardware and software audit or adopt the low-tech approach of checking the phone bill looking for the high cost usage. If you really must have them obtain numbers outside your usual office range, do not publish the numbers and make the devices dial-out only. To be even safer, run their power supplies through a timer so they cannot be used out of hours.