Fighting the Intruder -- Securing your Business
By Bob Cherry
Major security intrusions at businesses large and small, private and government, indicate that the Internet is far less secure than most realize. After reading this, you may want to reconsider how secure your private data and information really are.
Years ago, when I worked on and around secure projects, there was extremely tight security. Breaches of any kind were not to be tolerated. To achieve this, there was no connectivity to the outside world via Internet, dial-up modems, etc. Any physical media (floppies and tape were the media of the day) that went into the building never went out. You could bring patches and such into the building, but the media stayed there when you left. It would either be archived or shredded. There were no exceptions. You showed your purse and briefcases as you entered and left the facility. Sometimes you were asked to empty your pockets. It was routine. It was secure. Attacks from the outside world just didn't happen. Security was so tight that at one facility I worked at, I had to have a blood test and FBI check EVERY DAY before I could even enter the central facility.

Today when we talk about security, we have a new paradigm where there is an "acceptable" level of loss of secret data and information. China has made huge use of this as they design their new J-20 series of fighter jets using stolen American technology. There is so much of it that their planes virtually look like ours inside and out. So, how does this happen? Our security paradigm is severely broken. In reality, there is little security -- just enough to make it difficult but certainly not impossible. Unfriendly foreign governments and foreign hackers are making an art and science out of penetrating American systems. It's their job to get in, analyze, and hide their footsteps as they infiltrate system after system after system. They make millions of dollars in the process. It is a worthwhile endeavor for them.

First of all, the new mindset is that we need to have Internet access at secure facilities for some reason. I'm not sure what those reasons are, but let's look at what that really means. Our electric grids across the nation are exposed. Our nuclear power plants are exposed. Our defense engineering is exposed. Our defensive systems are exposed. Our medical records are exposed. Our financial records and information are exposed. Our social security, credit card and banking records are exposed. And the list goes on and on. Our nation's security looks more like a sieve than a brick wall. A lot of what is in place was put in with a small budget and a lack of serious concern regarding security. Basically, to the bean counters, security cost too much. Feel-good security was enough.

So, how much is an "acceptable" risk? Credit card companies spend billions of dollars a year on fraud. Target discount stores realized that all customer credit card information was compromised. I don't know how many times VISA has issued me new cards due to card information theft from somewhere. Foreign governments use our "secret" technology. Russian hackers are already into much of our infrastructure. China has even accessed some of our critical satellites. The problem is, we don't really know how badly we've been infiltrated. We do know that we have been, and there are probably unauthorized people in our national infrastructure right now.

Almost every web site in the world is under attack. The little ones contain user names, passwords and email addresses. This information, once in the wrong hands, can then be used to access bigger and better targets like banks. The reason is that most public users use the same user name and password on all the systems they use. The same one they use on Facebook is what they use for managing their bank or retirement accounts. One security firm states that over 30% of all home computers are already compromised. How many web sites containing personal information are? Sadly, the answer is: most!

If twenty contract agencies are working together on a top secret military program and each allows a small amount of information (data) to escape, is that trivial? If the data by itself is pretty much worthless, then, standing alone, yes, it is. But if the attacker is an unfriendly foreign government that only needed that one piece of the puzzle to build a major threat to our nation, then what is the value? It is no longer trivial. If that unfriendly government has actually acquired many pieces from all of those 20 contractors and has now rendered a multi-billion dollar project obsolete before it gets off the ground, what was the value of that small loss of information? (See links below.) This is the reason you cannot define what a single piece of lost information is worth. This is why there cannot be an "acceptable" level of risk. Any loss of top-secret information must be considered a substantial loss of unknown value.

We plan security like a box full of rules. Hackers don't follow our rules. They don't recognize our box boundaries. So we assume that our methods are secure and, as we discover break-ins, we reactively respond to those to patch the leak. How much data and information got out before we patched is often not known. It seems that every few days we read about identity theft on a massive scale. This is what happens with a reactive model of security that assumes some level of risk is acceptable. Rarely do banks and businesses publicize that they were compromised. It's bad for business. So they patch the leak, hide it, pay the damage and continue doing things as they always have. Loss of private information has become a cost of doing business. An acceptable unknown cost. That is a dangerous philosophy to run a business by.

In my office, the primary system with client information, accounting, passwords, software keys, and other vital information is NOT on the Internet. It isn't even connected. The Linux system sits in a corner where it has been churning away for almost 12 years. When I need something off of it, I go to the system and work from there. If I need to transfer anything to/from it, I use a USB flash memory stick. The point is that no hacker is going to get into the database full of artists' names, addresses, phone numbers and their music business contact information. The system gets regular backups that are stored in the bank safety deposit box. Backups consist of an exact clone image of the drive. In this manner, if the drive fails, I simply install the backup, reboot and I'm up. Then I just bring over the database image from the real-time backup drive, apply the redo logs and I'm back.

Today, we use routers, access control lists, filters and so on to secure our business environments. But our comfort level isn't very high considering that there are router patches and updates almost daily. Every Tuesday, Microsoft puts out many fixes to their array of Windows products. Vendors are constantly putting out updates to their software products. My web site engine has at least a few security updates every week. Every one was probably the result of someone detecting an attack. These fixes come AFTER an attack has already occurred. We literally spend a ton of money and time securing our systems just so that we can have the convenience of having those systems on the Internet. We spend a lot of time and resources keeping our systems up to date to try and keep them secure. Is it really worth it?

Does every system require Internet connectivity? Seriously, no. Why does accounting or human resources need Internet access? As a rule, they don't. Sure, it may be necessary to have one or two workstations that can connect, but certainly not all of them. The databases of personal information certainly do not require it.

Anti-virus systems are critical, as are rootkit scans, and more. With new virus variants coming out daily, it is amazing that there are still anti-virus vendors who only put out updates once a week. Systems using those products are unprotected until the weekly update. Other, better products may put out eight updates a day! Those are the products to seriously consider. I run three layers of protection on my Internet-connected systems and they are inside a router and a firewall. I was compromised a few years back even with all that. Anti-virus is not a cure-all.

There is no such thing as a 100% safe operating system -- especially after you install a lot of third-party applications. Windows is always being compromised. Mac OS X has been cracked, and Linux and BSD systems have also. While some are more vulnerable than others, there is no such thing as a totally secure OS. Most attacks happen at the application layer, and many third-party software vendors don't put a lot of emphasis on security. Network games, email applications, web browsers, etc. are all examples of applications that expose the system to the outside world they communicate with.

Rather than preventing an incident, we react to incidents that already happened. That is the new model. Because we allow risk, we need to react to it. If we eliminate the risk, then there is nothing to react to. Note I didn't say to be proactive. I said to eliminate it. There is a distinct difference. To prevent, one must eliminate all methods of outside intrusion, and you do that by not just closing the door but by removing the door altogether. If you connect to the outside, the outside connects to you. It's that simple.

Total isolation is fine for a single installation site, but what happens when you have facilities scattered all over the place -- even around the world? Again, the Internet is a low-cost, available yet insecure method of interconnection. TCP/IP, by its very design, is insecure. Using the Internet is far cheaper than laying a dedicated OC3 or higher speed dedicated trunk between sites. As is common knowledge today, even the best laid plans of man are eventually cracked. It's the law of unintended consequences. Security is only as strong as the weakest link and, to add to this problem, it is also fluid in its dynamics. What was the weakest link an hour ago may not be the weakest link now. The environment changes constantly. What attack we dealt with yesterday has been replaced by an entirely new concept today.

This leads to the question: What is the cost of security? It was this question that ultimately created the answer: There is a certain amount of loss that is acceptable. But is it really? I believe the answer to be flawed. When considering security, one must also consider the real need for outside connectivity. Do those different facilities really need to be all over the country and then openly interconnected? Would it be more secure to relocate some of them to a single facility and eliminate the interconnection? What systems can be totally isolated from all outside connections and just exist on their own private network internally?

It is a fact that systems connected to the Internet will incur an intrusion at some point. It isn't a matter of if, but rather, when. When it ultimately does happen, what will be the real value of that data loss? That loss can be financial, business, legal and, most importantly, a matter of trust with your customers and users. If word got out that all your web site users' private data was compromised, how would that impact your web business now and in the future?

A few years back, I received a call from a big local real-estate office. They had a virus that managed to infect every system in their office and they couldn't work anymore. Windows were popping up all over the place on every PC in their office. The office relied on built-in Windows security and that was it. No firewall. No anti-virus software. Nothing. It required the better part of a day to disinfect their computers and network, configure their router, install a firewall and put anti-virus software on all their systems. Their office was basically down during this time. How much of their client information was compromised remains unknown, but their server was breached and most of the log files deleted. It had a simple password, the same one used for the owner's PC, which was easily guessable, and it was. They said they couldn't afford anti-virus software. After their attack, they ultimately decided they couldn't afford to be without it. It was an expensive and hard lesson.

I know today's systems are nowhere near as secure as the systems I worked on in the 1980s because in those days, many long years ago, there was no outside connectivity and there was no acceptable measure of loss. It's something to think about in today's exploding network of interconnected businesses. It isn't a trivial issue today. Businesses can be held liable for private data getting out. How good is your security really?

Now, here's the scary part. Virtually every web site in the world gets hit by attacks every day. If the top secret government sites with all kinds of layered network security using every means available are getting compromised, chances are your small business or even medium business site has also been compromised. Without security monitoring, tracking, logs and alerts in place, you probably have no way of even knowing whether you've been violated or not. Most have. A great deal of email spam points to sites that have been compromised and are used as the hyperlink target of the spam or virus attack. Quite often, if you look at the links, they point to a business web site that has obviously been compromised and the attacker has placed their infected payload on the unsuspecting website. Hundreds of these different e-mails go out daily.

Have you really investigated whether your site has been hit or not? Do your logs ever show a URL that had embedded SQL in it? How often do you check your error logs and access logs? Do you even check them? Has email with your return address domain been sent out to those on your subscription list? Are your site databases encrypted? The vast majority are not. Current estimates indicate that nearly 85% of all web sites have been hacked. If you sincerely believe yours hasn't been and you have not implemented any security, you're probably fooling yourself. If word got out that your site had been hacked, how would it impact your business? We are in a new Internet minefield and unless you are very careful, you may already have undesirable information leakage.

Additional Reading:
The Worst Security SNAFUS this Year So Far
Chinese Data Theft Could Be 'Disastrous' For The US Military's Most Expensive Fighter Jet
FBI: A Chinese Hacker Stole Massive Amounts Of Intel On 32 US Military Projects
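The log-review questions the essay closes with (does a URL in your access log carry embedded SQL, do you read the logs at all) are the kind of check a small business can script rather than leave to chance. What follows is an added example, not code from the essay or its author: it parses Apache/nginx combined-format access log lines, URL-decodes the request path (twice, to undo double encoding), and flags the common injection shapes. The log lines embedded in it are constructed samples, and the rule names and patterns are my own choices, not a standard.

```python
"""Spot SQL-injection probes in web-server access logs.

Added example, not code from the original essay. It assumes the
Apache/nginx "combined" log format; the log lines embedded below are
constructed samples, not real traffic.
"""
import re
from urllib.parse import unquote_plus

# Constructed sample access-log lines (combined format). Lines 2, 3 and 4
# carry injection probes; line 5 contains the word "union" innocently.
SAMPLE_LOG = """\
203.0.113.10 - - [12/Mar/2014:10:15:01 -0500] "GET /artists.php?id=42 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.11 - - [12/Mar/2014:10:15:07 -0500] "GET /artists.php?id=42%27%20OR%20%271%27%3D%271 HTTP/1.1" 200 98211 "-" "Mozilla/5.0"
203.0.113.12 - - [12/Mar/2014:10:16:30 -0500] "GET /login.php?user=admin%27--&pass=x HTTP/1.1" 200 1200 "-" "curl/7.30"
203.0.113.13 - - [12/Mar/2014:10:17:02 -0500] "GET /artists.php?id=42%20UNION%20SELECT%20username,password%20FROM%20users HTTP/1.1" 500 311 "-" "Mozilla/5.0"
203.0.113.14 - - [12/Mar/2014:10:18:45 -0500] "GET /search.php?q=union%20station HTTP/1.1" 200 4400 "-" "Mozilla/5.0"
"""

# One request line in combined format: client, identd, user, [time], "request", status, size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Indicator patterns, applied to the URL-decoded request path. Each one is
# a shape that has no business appearing in a legitimate query string.
SQLI_RULES = {
    # a quote followed by a boolean tautology, e.g. ' OR '1'='1
    "tautology": re.compile(r"'\s*(?:or|and)\s+'?\w+'?\s*=\s*'?\w+", re.I),
    # UNION ... SELECT: the classic shape for pulling other tables' rows
    "union_select": re.compile(r"\bunion\b(?:\s+all)?\s+select\b", re.I),
    # a quote immediately followed by a SQL comment terminator
    "comment_terminator": re.compile(r"'\s*(?:--|#|/\*)"),
    # time-based probes that reveal injection through response delay
    "time_delay": re.compile(r"\b(?:sleep|benchmark)\s*\(|\bwaitfor\s+delay\b", re.I),
}


def parse_line(line):
    """Return the fields of one combined-format log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def decode_path(path, rounds=2):
    """URL-decode a request path, repeating to undo double encoding (%2527 -> %27 -> ')."""
    for _ in range(rounds):
        decoded = unquote_plus(path)
        if decoded == path:
            break
        path = decoded
    return path


def suspicious(path):
    """Names of the SQLI_RULES that match a decoded path (empty list when clean)."""
    return [name for name, rule in SQLI_RULES.items() if rule.search(path)]


def scan(log_text):
    """Run every parseable line through the rules and collect the hits, in log order."""
    findings = []
    for raw in log_text.splitlines():
        entry = parse_line(raw)
        if entry is None:
            continue  # unparseable line: worth its own alert in production, skipped here
        path = decode_path(entry["path"])
        rules = suspicious(path)
        if rules:
            findings.append({
                "ip": entry["ip"],
                "time": entry["time"],
                "status": entry["status"],
                "path": path,
                "rules": rules,
            })
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f['time']}  {f['ip']:<14} HTTP {f['status']}  {','.join(f['rules'])}  {f['path']}")
```

To use it on a real log, pass the file contents to scan(). Each hit deserves a look at what the backend returned (a 500 next to a UNION SELECT probe says more than a 200 does) and at every other request from the same client address. It is a first filter, not a web application firewall: a pattern list will miss obfuscated variants, which is exactly why the essay's point about reading the logs at all still stands.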