OPINION: Though technology is great, we have to make sure we have the human side of security covered if we want to get some sleep at night.
The recent SNMP vulnerability alert makes me wonder whether, when it comes to security, we are missing the forest for the trees.
To illustrate, I'll summarise some of the material which has crossed (or been lost on) my desk recently:
- Oulu University's Secure Programming Group in Finland published a paper outlining major flaws in Simple Network Management Protocol (SNMP). This apparently "raises the spectre of a massive vulnerability", given the ubiquitous usage of the SNMP protocol.
- A certain Adrian Lamo, a "soft-spoken 21-year-old snoop from San Francisco who hacks with nothing more than a laptop, a Web browser, and a Net connection at the local coffee shop", recently broke into The Times computer network. He had previously hacked into other organisations including Yahoo! and Microsoft. He's never been prosecuted, as he has always warned the companies about their flaws (after the fact) and offered to help fix them for free.
There are many schools of thought on white hat hacking, but I wonder if you'd really want hundreds of garage mechanics hotwiring your car and taking it for a test-drive to see if it has any kinks.
- Following his release from jail, legendary hacker Kevin Mitnick was called before the US Congress to discuss his exploits. He commented that he was so successful at social engineering (employee manipulation) that he rarely resorted to any kind of technical attack.
Maybe I'm being too simplistic, but while the exploits of hackers, and the continual alerts and security vulnerabilities, should raise the awareness of the need for security measures, a more holistic approach seems desirable, if not essential.
To continue with the vehicle analogy, most car owners would not apply the same liberal view of hacking if the concept was transferred to their car being "borrowed" from the car park every time they left it there (even if it was returned with a note explaining the flaw in the central locking system!). Like network security, car security consists of several elements:
This is the same process we use in advising customers on how to achieve a secure environment (with the addition of a security policy, which goes beyond the security infrastructure and takes into account the people, processes, and the technology).
One common weakness is a reliance on prevention--typically firewalls which (even if they are correctly configured) are of little help if they are breached at 2am. Detection (typically IDS and vulnerability assessments) and reaction (24x7 monitoring via an in-house helpdesk or managed security providers) are gradually being accepted as an essential part of the security mix, rather than an expensive option.
Just as importantly, while all the alerts and vulnerabilities focus on the technical side of the equation, good security is having a policy to deal with the human side of security. As Mitnick commented, he rarely needed to resort to technical means to gain access to networks.
A recent study showed that the majority of security breaches originated from within the organisations (again, firewalls don't help much!). A security policy defines protection, detection, and reaction, but goes further than just the technology and considers people and processes.
Who is responsible for implementing the policy? Do all staff know they should question strangers in the office not wearing a badge? Who calls the maintenance provider if equipment fails?
No organisation will ever be 100 percent hacker-proof--a security solution will balance the individual level of risk against how much to spend mitigating that risk.
However, in the midst of information overload on security alerts, breaches, and vulnerabilities, an effective approach to security needs to combine a range of complementary technologies, where the failure of one piece doesn't compromise the whole network. Maybe this is too idealistic. I'll give it some more thought on the drive home, if I can remember who I left the car keys with!
Oliver Descoeudres is marketing manager at network IP/Internet network infrastructure builder and solutions provider NetStar Australia. He can be contacted at marketing@netstarnetworks.com or on 02 9805 9759.











