Re: Need a Security Consultant
At 09:53 AM 7/7/96 -0400, webnaster@webdoor allegedly wrote:
>Frank,
>
>I used to work for General Electric Corporate Telecommunications. We ran
>the entire internet for the GE Domain. And we were constant targets for
>attack against hackers. It seems that they had us on a Hit List for
>Targets, cause GE was so big that many of the hackers had formed Gangs to
>try to break in. They worked together in teams to break into the GE
>Domain. The NBC/Friends thing that occurred a while back really stirred
>things up too. But my point is that if you are part of Corporate America
>and are a high profile company, I think that the Gangs of Hackers and
>Phreakers are not just going to GO AWAY. They will continue to fight ya
>to get in and if you are a Corporation, YOU ARE A CONSTANT TARGET. Making
>things harder for them to get in, well, that doesn't stop them or deter
>them. They have you on a HIT LIST, and will ALWAYS try to HACK IN!

I agree - you will be a *constant* target and they will *always* try to
get in - which makes the task of keeping the hackers at bay so difficult.
Some hackers will spend *years* going after a corporation.
FWIW, at the company I was with, we took a pounding while I was there and
I assume things haven't changed that much since I left. Major corporations
& defense industries are two primary targets of hackers. GE happens to be
a major corporation AND heavily involved in the defense industry. This
helps to make it attractive to more groups of hackers.

>So, I give your theory on making it too hard to scare people into giving
>up about 1 penny.

I agree (but it isn't my theory & I don't recall anything about trying
to scare people). IMHO, trying to scare them doesn't enter into the
equation. An attempt to try to scare a hacker would eventually involve
revealing information about your security setup. After that point, it
is just a matter of time before you get taken out.

>Cause they weren't deterred by anything we tried. In fact, it just made
>it more fun for them. But we ran a pretty good security system there,
>with Firewall and Proxy systems and Port Filters on all Routing, etc.

Security doesn't stop at just firewalls or other technical solutions.
It is as much a people/management problem as it is a technical one.
A case in point - one organization (which you have probably heard of)
had a pretty decent firewall and were still taken out by hackers. It
is my understanding that an employee using a PC with a built-in modem
connected to an ISP via a SLIP/PPP connection - effectively bypassing
the firewall - where a hacker was waiting with open arms.
IMHO, good InfoSec relies on a multitude of things working well together.
If done right, this should result in InfoSec being integrated at *ALL*
levels of the corporation. A lack of attention to any one of these
details could result in a compromise. A few of these details are:

  o Upper manager support of InfoSec. (Without this, you're just
    whistling while walking past the graveyard)
  o Well-written, *enforceable* InfoSec policies
  o Adequate InfoSec tools
  o Monitoring of compliance to policies on a regular basis
  o Monitoring of connections on a regular basis
  o (InfoSec) Security awareness at all levels of the corporation (from
    the lowest employee in the food chain up to the CIO/CFO/CEO).
  o A friendly attitude toward employees & management. Strong-arm
    tactics may work for the short term, but I don't recommend them
    as they are counterproductive to good InfoSec over the long haul.
    They will polarize employees against security (and the ISO) and
    that will ultimately result in the compromise & demise of that
    corporation. IMHO (& from experience), a good ISO should be a
    tool to *help* business - not block it or prevent it from achieving
    its objectives. Working WITH people rather than against them will
    go far in achieving your objectives. Please note that this doesn't
    mean that good ISOs should be megawimps who have the backbone of
    cooked spaghetti. They should never compromise on ethics or good
    infosec practices. Be ready to compromise on the little things
    which have no bearing on the security of your connection, but don't
    compromise on the important things.
  o etc, etc.


>And, if you don't think those Gangs exist, well, then now they are
>forming a Web Ring around the net. Check out
>http://www.cei.net/~woodruff/ice.htm
>where they give ya all the new aspiring hacker needs to get started
>probing around. So this kinda thing of hacking will always be around.

While I knew about the coordinated efforts of hackers to penetrate
different sites, I do appreciate the pointer you provided. Thanx.
I'll check it out from another account at my leisure. Aside from
the threats of the Gangs, foreign intelligence agencies (France to
name one) are a major obstacle to good security (like when you have
to give your encryption key to the French gov't so they can decrypt
your confidential data & send it to your French competitors.)
BTW, while the hackers are coordinating their efforts, we strongly
recommend a similar strategy for corporations - keep tabs on 3
different groups - the law enforcement agencies (FBI, BKA, federal,
state, local police), InfoSec colleagues who work for other subsidiaries
or companies, and various hacking sources. After all, since the hackers
are pooling their resources, shouldn't the good guys do the same?
FWIW, a good way to meet fellow ISOs & network with them is to attend
security conferences like CSI, ISSA, etc.
Speaking from my own experience, I found this to be very beneficial
in a past life while working for another company. I found that this
helped a company I used to work for escape unscathed during some major
hacking sweeps which went across Europe a couple of years ago. Usually,
I would have about 1-2 weeks before the pounding at the doors would start.
The least advance notice I had was @2 hours - giving us just enough time
to double-/triple-check our security defenses before the attacks started
& the alarms started going off. (Everything was OK, but it really felt
good to know that our defenses were up while going through the storm.
There is a lot to be said for peace of mind). While you always want to
be prepared, *any* advance notice you get of an attack on the horizon
is a very welcome opportunity to shore up your defenses.
Last, but not least (lest someone else try to harp on the same thing)
- I never said that the company I was with had invincible security
(mainly, because there is no such thing). What I did say was that it
was apparently adequate enough to withstand numerous attacks without
any successful breakins.
Interesting mail. Thanks for posting it.
Best Regards,
Frank
Any sufficiently advanced bug is indistinguishable from a feature.
-- Rich Kulawiec
<standard disclaimer>
The opinions expressed above are of the author and may not
necessarily be representative of Fortified Networks Inc.
Fortified Networks Inc. - Information Security Consulting
http://www.fortified.com Phone: (317) 573-0800 FAX: (317) 573-0817
Home of the Free Internet Firewall Evaluation Checklist