
Cyberattackers will find the path of least resistance

Jim Reavis
Network World on Security, 08/16/99

Editor's note: Beginning today, we welcome Jim Reavis, the editor of securityportal.com, as our new author of the security newsletter. Jim is an analyst with over 10 years' experience consulting with Fortune 500 firms on networking and security-related technology projects.

Military analogies and warfare terminology are often applied to the presentation of Information Security issues - and for good reason - that's where Information Security came from. But I also find that a basic principle from biology provides a great guide to analyzing network security issues: the path of least resistance.

Today, commercial information security solutions do an excellent job of providing network perimeter security, a mediocre job of securing shrink-wrapped operating systems and nothing to protect you from social engineering and corporate policy violations.

This is not necessarily an indictment of security vendors - there are too many factors out of their control, ranging from legacy technology lacking a strong security foundation to failures in corporate HR departments to adequately educate employees about recommended security practices. So while it is relatively easy to deploy firewall technology that provides robust protection against remote TCP/IP attacks, these only provide greater incentive for the cracker to find the backdoors to your network.

In some cases, the path of least resistance is going to be extremely hard to control: It might be an employee who has financial problems and could be persuaded to steal legitimate data; a slick operator who is able to socially engineer themselves onto a restricted area of your premises; even an employee planted by the competition intent on sabotage. The cost of protecting your network against these types of risks is extremely high and never foolproof - even the CIA had its Aldrich Ames.

On the other hand, there are other common paths of least resistance that are easier to block or, at the very least, for which the cost benefit of increasing your protection is easier to quantify:

*Modems - They seem to be the dandelions of many large networks. Whether it's for a legitimate legacy application, or just someone trying to get around the restrictive policies of your Internet connection, modems seem to keep popping up just when you thought they were weeded out. Whatever their purposes, they risk making your firewalls redundant. Some network administrators have taken to regularly scanning their own phone switches with war dialers to look for rogue modems that are set for dial-in access.

*Telecommuting VPNs - Sending employees home with a cable modem or asymmetric DSL connection is a great way to save money and increase productivity, so we add virtual private network (VPN) protection to encrypt all of the traffic between their home PC and the corporate network. However, it is much easier for a cracker to compromise your employee's home PC and grab data files from it than to try to intercept traffic anyway. It is one thing if you are only using your VPN to encrypt TN3270 sessions to your mainframe, but if the user is also downloading files, you have a problem that a simple VPN will not solve. A personal firewall solution that blocks incoming connections may be required. (Oh, and don't allow employees with children to be telecommuters.)

You have keycard access to the data center, but what about your network jacks? What are you protecting by restricting access to the computer room that can't already be accessed across your intranet? Before you go looking through your Black Box catalog for tiny little Master Locks for your RJ45 jacks, the real point is that we need to start treating our intranets like the Internet. Internal systems can be compromised too easily to maintain our current systems of trust. We need to start moving towards internal networks that physically secure as many components as possible, encrypt all network traffic, provide stronger authentication than simple passwords and provide the same monitoring and intrusion detection capabilities we are coming to expect for our big iron.

*Windows 98 - Microsoft appears to have plans for good old Windows well into the next millennium, despite the fact that it completely lacks a real security architecture and that Microsoft already has a much better alternative in Windows NT. Malicious executables that completely zap an entire network of Windows 98 machines in minutes are coming. There are more secure ways to get your job done than through reliance on Windows 98, and security managers will sleep better when it has been displaced by alternatives.

We are all increasingly recognizing the fact that it is impossible to build an impenetrable wall around an unsecured private network. We recommend you analyze the security measures you have taken in your supposedly trusted private network before the path of least resistance finds you.

RELATED LINKS

Jim Reavis, the founder of SecurityPortal.com, is an analyst with over 10 years' experience consulting with Fortune 500 organizations on networking and security-related technology projects. SecurityPortal.com is a Web site dedicated to providing IT professionals with comprehensive information about network security issues. Jim can be reached at jreavis@securityportal.com.

SonicWall's Web site

NetworkICE's Web site

The Future of Information Security: Trust No "1."
Article about future trends in security technology from the Security Research Alliance

Trust in CyberSpace
National Research Council report on the problems of relying upon network perimeter security and the need for more comprehensive security models

Hacker Kevin Mitnick to be released by early 2000
Network World, 08/10/99

Start-up's 'decoy' server helps track down hackers
Network World, 08/09/99

Chaos club offers hackers holiday
Network World, 07/27/99

Security services becomes part of the fabric
Network World, 07/19/99

Archive of Network World on Security newsletters


Copyright, 1994-2006 Network World, Inc. All rights reserved.