Network Security Myopia - Open Your Eyes!
By Joel Maloff
February 2007

Security isn't simple or cheap. Neither is the Alternative.

Imagine a company that uses the Internet as its source of revenue. Suddenly, executives of the company notice that customer lists are being accessed and servers disrupted. Some intrusions can be traced to the access codes of past employees. At the same time, current employees have Skype and file-sharing clients on their PCs, notorious for security holes that may make them ideal targets for “spambots.” The company tightens access control lists and disables suspect pass codes. Closing the bad ACL entries is thought to be enough.

Lock the windows. Go to sleep. Feel secure.

But wait! Are there other vulnerabilities? Are the bad guys still INSIDE? WE CANNOT KNOW!

Network security is NOT simple or cheap, but the price for ignorance is high – for you and others.

The FBI extrapolated in 2006 that US businesses lost $67 billion due to cybercrime – a staggering number! There are thriving online sources for anything an ethically challenged person could want: Trojan programs that transfer funds between online accounts, available on the “black market” for $1000 to $5000; birth certificates, driver’s licenses, or social security cards for $100-$150; credit card numbers with security code and expiration date for $7-$25.

These people are well-organized with specific agendas. Their assaults on our buildings and people are obvious. The back-door attacks are more insidious. Ironically, we fund those that would destroy us, putting a very different spin on network infrastructure negligence.

Any company that relies on Internet connectivity MUST have network security policies and plans. Policies describe what you are protecting, from whom, and its value. Plans implement the policies, including tools, techniques and procedures.

As a part of these policies, organizations must change how they think about network security. In the Technology Risk Checklist (www.infragard.net/library/pdfs/technologyrisklist.pdf) published by the World Bank, the first question posed is “Does management view electronic security as an overhead expense or essential to business survivability?” Securing the computing and network infrastructure is strategically important and well beyond the annoyance level.

Our hypothetical company, upon discovering that it had been hacked, needed a network security policy and plan, but there’s no time when you are bleeding revenue at 45 Mbps! Close the windows but don’t stop there. Conduct a thorough network security audit. If you don’t have this capability (few small to medium companies do, but you can bet the “bad guys” do!), there are many out there that can help. The audit includes identifying traditional attacks and new ones using VoIP. Some of the more interesting include SPIT (Spam over IP Telephony) and VOMIT (Voice over Misconfigured IP Telephony). A Denial of Service (DoS) attack using SPIT could overwhelm a VoIP service provider or fill up corporate voice mail boxes, effectively shutting them down. Identified attack vectors can be targeted for remediation, closing the windows of vulnerability. These audits can also determine if any malicious code – such as sniffers – is present on your systems. Can any business afford not to know where it is exposed?

Unfortunately, that’s not the end of it. New attack vectors are emerging. Vulnerabilities in operating systems are posted on places like www.cert.org, allowing legitimate users and bad guys alike to find the holes. That’s why network security policies and plans are essential. Preparation and anticipation are primary tools in keeping intellectual assets secure.

There are resources ready to assist in creating more secure computing and network environments. One of these is the Infragard program (www.infragard.net) established by the FBI in 1996, with more than 80 chapters and 17,000 members. As a partnership between the FBI and private sector, Infragard helps organizations, especially in critical infrastructure areas, to ensure an acceptable level of security risk. Key infrastructure areas include telecommunications and information technology.

FBI Special Agent Kevin Parker stated, “Much cybercrime still goes unreported. In the past it was mostly nuisance attacks. Now it’s serious business. Organized crime has hackers conducting phishing attacks, and terrorist organizations generate funds via network theft for their physical attacks.”

Parker recommends that every CIO become involved with Infragard. The program fosters communication with peers to share information that can enhance protection BEFORE attacks occur. Once an incident has happened, this program assists in ensuring that evidence is preserved to support the investigation. The FBI performs background checks on all applicants for Infragard membership, so you can be confident your peers have been certified.

There are other resources available in preparing network security policies and plans. The key is recognizing the magnitude of the threat and how insidious it has become. Practice safe computing! Treat this as a critical strategic area. Build your systems accordingly. We are relying on you!

Joel Maloff (www.maloff.com), a former COO, CTO, and GM with 30+ years of experience, focuses on emerging technologies and security. He can be reached at jmaloff@gmail.com.