By Matthew Friedman
Sept. 6, 2005
For all the complexity of security, the most common security dangers
are downright mundane. They're not due to the arcane arts of the most
skilled hackers or some cunning exploit; they're out there in plain
"A successful attack depends on a combination of four things that
don't have a lot to do with the attacker," says Forrester Research
analyst Paul Stamp. "It's usually something like social engineering, a
breakdown in process or the absence of process. It could have
something to do with a simple technical vulnerability or insider
abuse. But it's usually a combination of two or more of those four
The thing that should send chills up the spine of anyone who manages a
network open to the Internet -- which is to say, virtually all
networks -- is the fact that all of these vulnerabilities can be
easily caught and fixed. Because they're so common, obvious, or at
least mundane, however, they are often the last place you'll look for
Social Engineering: It's humbling to remember that superstar hacker
Kevin Mitnick wasn't much of a code warrior. However, he was a
first-rate social engineer who raised the "Hi, how are you, what's
your password?" approach to network delinquency to the level of a
With the constant warnings about protecting passwords and not opening
unsolicited attachments, you'd think that network users would be wise
to what is, after all, the oldest trick in the hacker's book. But they
aren't. Stamp says, "You'd be surprised how often social engineering
Just this summer, the British Department of Defence -- which should be
on the list of people who should be wise to this -- was subjected to a
targeted Trojan attack. "People were sent CDs with marketing
material," Stamp says. "In fact, it installed a targeted Trojan that
collected confidential information."
The bottom line is that even smart people can be sucked-in by social
engineering. The first step toward protection, Stamp says, is as basic
as education. "It truly is a boring recommendation, but we have to
educate users and back that up with action," he says. "The time has
passed for us to tolerate fools. We have to be serious about this and
take disciplinary action against people who don't do what they're
supposed to do. The stakes are too high." Process Errors: It seems
that there is always a technological fix for every security problem
but that, in itself, is part of the problem, Stamp says. "We do a very
good job of going out and looking at technical vulnerabilities," he
says. "But people don't do a very good job of taking apart processes
and seeing where those are vulnerable."
It could be that the process has no oversight mechanism, or that
someone has forgotten to check something that should have been checked
out, but the results are the same: a lot can go wrong if you're not
looking. Stamp points to the Choicepoint case earlier this year as a
prime example of a breakdown in process.
"Criminals were able to open fraudulent accounts with Choicepoint
because the process for opening an account didn't involve checking to
see if the client was a real company," he says. "It was as simple as
Moreover, if companies are going to use technologies like networks,
wireless and mobile devices, they have to have some way of dealing
everything from absent-mindedness to incompetence and malice. Mistakes
happen, of course, but they can turn into disasters if you don't
respond to them effectively.
"It could be something as simple as someone leaving a Blackberry in a
cab," Stamp says. "Surprising few companies have policies for dealing
with Blackberries when they're out of the office, and the whole point
of a Blackberry is to be out of the office."
Technical vulnerabilities: Enterprise networks, with their passels of
routers, switches, access points and other kinds of hardware, are
fundamentally complex organisms. And that's a problem. It's easy to
keep a door locked when you only have one door, but add a few more,
some windows and a skylight, and the security problem increases
exponentially. With so many devices and connections to watch on a
network, there are also so many opportunities to miss something.
"Normally, at some point along the way, there's something that hasn't
been patched, or something that hasn't been configured properly, and
that leaves the whole network vulnerable," Stamp says. "Complexity is
a big part of it. Complexity is the enemy of security, but the CIO's
and CSO's job is complexity management."
Inside Abuse: No one suspects family, but maybe they should. The
Computer Security Institute-FBI computer crime survey has found every
year for the last five years that at least half of all security
breaches originate on the inside of the network.
"Inside abuse is network security's dirty little secret," Stamp says.
"We've been too trusting so far. It comes back to the reality that
some people are being malevolent, and sometimes is accidental. But you
need policies to stop the malevolent ones and minimize the accidents."
Part of the problem is that no one wants to believe that one of their
own could be the problem, and inside abuse is often swept under the
carpet. But Stamp is adamant that just because you can't or chose not
to see the problem doesn't mean it isn't there. At the end of the day,
all of these common dangers can be dealt with, it only takes the will
to clean up processes, patch systems, and make sure that users are
doing what they're supposed to be doing. "It has to be both a change
in attitude and the adoption of newer, smarter technologies," Stamp
says. "That means designing the network to be secure from the ground
up, and that includes the people as well as the technology."
Sept 16-18th, 2005
San Diego, California