Re: Need a Security Consultant



At 09:53 AM 7/7/96 -0400, webnaster@webdoor allegedly wrote:

>Frank,
>
>I used to work for General Electric Corporate Telecommunications.  We ran
>the entire internet for the GE Domain.  And we were constant targets for
>attack against hackers.  It seems that they had us on a Hit List for
>Targets, cause GE was so big that many of the hackers had formed Gangs to
>try to break in.  They worked together in teams to break into the GE
>Domain.  The NBC/Friends thing that occurred a while back really stirred
>things up too.  But my point is that if you are part of Corporate America
>and are a high profile company, I think that the Gangs of Hackers and
>Phreakers are not just going to GO AWAY.  They will continue to fight ya
>to get in and if you are a Corporation, YOU ARE A CONSTANT TARGET.  Making
>things harder for them to get in, well, that doesn't stop them or deter
>them.  They have you on a HIT LIST, and will ALWAYS try to HACK IN!


I agree - you will be a *constant* target and they will *always* try to 
get in - which makes the task of keeping the hackers at bay so difficult.  
Some hackers will spend *years* going after a corporation.

FWIW, at the company I was with, we took a pounding while I was there and 
I assume things haven't changed that much since I left.  Major corporations 
& defense industries are two primary targets of hackers.  GE happens to be 
a major corporation AND heavily involved in the defense industry.  This 
helps to make it attractive to more groups of hackers.


>So, I give your theory on making it too hard to scare people into giving
>up about 1 penny.  

I agree (but it isn't my theory & I don't recall anything about trying 
to scare people).  IMHO, trying to scare them doesn't enter into the 
equation.  An attempt to try to scare a hacker would eventually involve 
revealing information about your security setup.  After that point, it 
is just a matter of time before you get taken out.


>Cause they weren't deterred by anything we tried.  In fact, it just made
>it more fun for them.  But we ran a pretty good security system there,
>with Firewall and Proxy systems and Port Filters on all Routing, etc.

Security doesn't stop at just firewalls or other technical solutions.  
It is as much a people/management problem as it is a technical one.
A case in point - one organization (which you have probably heard of)
had a pretty decent firewall and were still taken out by hackers.  It
is my understanding that an employee using a PC with a built-in modem
connected to an ISP via a SLIP/PPP connection - effectively bypassing
the firewall - where a hacker was waiting with open arms.

IMHO, good InfoSec relies on a multitude of things working well together.
If done right, this should result in InfoSec being integrated at *ALL*
levels of the corporation.  A lack of attention to any one of these 
details could result in a compromise.  A few of these details are:

o Upper manager support of InfoSec.  (Without this, you're just 
   whistling while walking past the graveyard)
o Well-written, *enforceable* InfoSec policies
o Adequate InfoSec tools
o Monitoring of compliance to policies on a regular basis
o Monitoring of connections on a regular basis
o (InfoSec) Security awareness at all levels of the corporation (from 
   the lowest employee in the food chain up to the CIO/CFO/CEO).
o A friendly attitude toward employees & management.  Strong-arm 
   tactics may work for the short term, but I don't recommend them 
   as they are counterproductive to good InfoSec over the long haul.
   They will polarize employees against security (and the ISO) and 
   that will ultimately result in the compromise & demise of that 
   corporation.  IMHO (& from experience), a good ISO should be a 
   tool to *help* business - not block it or prevent it from achieving 
   its objectives.  Working WITH people rather than against them will
   go far in achieving your objectives.  Please note that this doesn't 
   mean that good ISOs should be megawimps who have the backbone of 
   cooked spaghetti.  They should never compromise on ethics or good 
   infosec practices.  Be ready to compromise on the little things 
   which have no bearing on the security of your connection, but don't
   compromise on the important things.
o etc, etc. 


>And, if you don't think those Gangs exist, well, then now they are 
>forming a Web Ring around the net.  Check out
>http://www.cei.net/~woodruff/ice.htm
>where they give ya all the new aspiring hacker needs to get started 
>probing around.  So this kinda thing of hacking will always be around.

While I knew about the coordinated efforts of hackers to penetrate 
different sites, I do appreciate the pointer you provided.  Thanx.
I'll check it out from another account at my leisure.  Aside from 
the threats of the Gangs, foreign intelligence agencies (France to 
name one) are a major obstacle to good security (like when you have 
to give your encryption key to the French gov't so they can decrypt
your confidential data & send it to your French competitors.) 
BTW, while the hackers are coordinating their efforts, we strongly 
recommend a similar strategy for corporations - keep tabs on 3 
different groups - the law enforcement agencies (FBI, BKA, federal, 
state, local police), InfoSec colleagues who work for other subsidiaries 
or companies, and various hacking sources.  After all, since the hackers
are pooling their resources, shouldn't the good guys do the same?
FWIW, a good way to meet fellow ISOs & network with them is to attend 
security conferences like CSI, ISSA, etc.

Speaking from my own experience, I found this to be very beneficial
in a past life while working for another company.  I found that this
helped a company I used to work for escape unscathed during some major 
hacking sweeps which went across Europe a couple of years ago.  Usually, 
I would have about 1-2 weeks before the pounding at the doors would start.
The least advance notice I had was @2 hours - giving us just enough time 
to double-/triple-check our security defenses before the attacks started 
& the alarms started going off.  (Everything was OK, but it really felt
good to know that our defenses were up while going through the storm.  
There is a lot to be said for peace of mind).  While you always want to 
be prepared, *any* advance notice you get of an attack on the horizon 
is a very welcome opportunity to shore up your defenses.

Last, but not least (lest someone else try to harp on the same thing) 
- I never said that the company I was with had invincible security 
(mainly, because there is no such thing).  What I did say was that it 
was apparently adequate enough to withstand numerous attacks without 
any successful break-ins.  

Interesting mail.  Thanks for posting it.

Best Regards,


Frank
  
Any sufficiently advanced bug is indistinguishable from a feature.
	-- Rich Kulawiec

<standard disclaimer>
The opinions expressed above are of the author and may not 
necessarily be representative of Fortified Networks Inc.

Fortified Networks Inc. - Information Security Consulting 
http://www.fortified.com     Phone: (317) 573-0800     FAX: (317) 573-0817     
Home of the Free Internet Firewall Evaluation Checklist