Each year, your risk for a hack attack grows. In 1999, 9,859 security incidents were reported to Carnegie Mellon University's CERT Coordination Center, a premier computer emergency response team. By June 2000, the number had already reached 8,836. Better awareness accounts for some of the increase, but not all: People submitted information on 417 software vulnerabilities to CERT in 1999. By mid-year 2000, that number had already reached 442.

Best-kept secret No. 1: Most security holes hired experts find are well-known vulnerabilities with easily accessible patches.

Most Internet-related hacks are traceable to a dozen security holes. These tend to be months -- even years -- old and easy to discover, says Phil Cox, a consultant for security firm SystemExperts in Sudbury, Mass., and former member of the Department of Energy's Computer Incident Advisory Capability team. The Systems Administration, Networking and Security (SANS) Institute keeps a list of the top 10 Internet security threats at www.sans.org/topten.htm. These are all preventable -- "all of them are [due to] a simple lack of configuration management," he says.

For example, the SANS Institute found that, in mid-1999, as many as 50% of Domain Name System servers were running vulnerable copies of the popular Berkeley Internet Name Domain program. Yet this same warning appears on the list today. Much the same can be said of others: An FTP vulnerability, called FTP Bounce, was reported in 1997. A malicious Visual Basic Script, known as network.vbs, was discovered in March. A vulnerability in the rpc.statd command found in several Linux variants was discovered in August. If you run any of this software, you have no excuse for not patching these holes.

You also have no justification for not configuring firewalls to block Internet Control Message Protocol (ICMP) pings originating externally, Cox says. It's well known that numerous attacks tunnel through in that protocol's echo reply. You should also block outgoing ICMP pings, lest your network be an accessory in a distributed denial-of-service attack.

While security consultants will happily take your money to find such obvious flaws, why not better apply your cash and their talents?

Best-kept secret No. 2: Contrary to common practice, scanning for vulnerabilities and patching holes does not constitute good Internet security.

Even if you check for vulnerabilities and are vigilant about security software upgrades, don't assume you're doing Internet security right, says Ian Poynter, founder of Jerboa, a security consulting firm in Cambridge, Mass. He believes this "find-and-fix" method serves the security industry's need for profit more than it serves a company's need for protection. With find and fix, vulnerabilities are identified via an attack or by antivirus, intrusion-detection and other so-called preventative software tools. The result is a never-ending spiral -- hackers keep inventing new ways to attack, and you're constantly investing in updated security tools.

Poynter contends it is better to apply the concepts of hardware reliability engineering to Internet-related network security. A hardware vendor can calculate the probable mean time between failures for each system component

• Email
• Print
• Share
  • Slashdot
  • Digg
  • Stumble
  • Reddit
  • Newsvine