ORLANDO - The more Jeff Crume clicks on security bulletins, the more he realizes that the daily infestation of the IT world by viruses and vulnerabilities isn't really all that new.
"We keep finding the same problems over and over again," the consulting and IT security specialist told InfoSec attendees Tuesday. "It's like Groundhog Day (the movie) -- the same thing over and over. There are very few new attacks. Most of them are variations on a theme."
Crume outlined to a large group of security pros the ins and outs of hackers and exactly what they want and don't want you to know.
Hackers, he said, carry a two-pronged definition. At their core, they are problem-solving, computer programming experts. In the same breath, however, they can use their skills in illicit fashions, illegally gaining access to systems and tampering with their contents. "Hacker is one of the few words in the dictionary that can have exactly opposite meanings," Crume said.
Crume stressed that security pros must learn the way hackers think, examining their habits to learn how they penetrate a system's defenses.
"You need to know your enemies and what they are after," Crume said. "They are not necessarily after what you think they are after. To them, you have value because these hackers look for different motivations."
Many hacks are for monetary or political gain. Others, Crume said, are just pranks: the bigger the IT catch, the greater the figurative point value the hacker gains in his community.
"They often do it because they can," Crume said.
In addressing a cross-section of showgoers, from financial executives to IT security pros, Crume outlined a unique approach to hacker defense, namely discovering what they know about your system that you don't.
Perimeter firewalls, for example, Crume said, are just the first line of defense in securing a system. "They don't detect every type of attack and they can't tell if an information packet is malicious or not. Firewalls that stand on the perimeter don't guard against insider attacks."
Crume echoed a prevailing theme at InfoSec that a growing number of security breaches are coming from inside the firewall, from trusted employees. Crume stressed that companies must create zones of security with intranet firewalls.
Management, he said, is the key.
"Of the (security) policies I've seen, most are garbage," Crume said. "If a company's security policy is inaccessible, burdensome and contrary to what it takes to get a job done, it's going to collect dust and not be followed. You have to balance the functionality of the ability to do one's job with security. If it interferes, it won't be followed."
An extension of this policy question, Crume said, has led to the social engineering that hackers use to penetrate a system, either through e-mail viruses or more conventional methods like the telephone.
"It's three-to-four times easier to attack a system through social engineering than by technical means," Crume said. A solid policy would help eliminate a common help-desk faux pas: passwords physically kept at each individual workstation.
"Most studies indicate that half of IT employees don't know what their company's security policy is. And the half who do, don't follow it," Crume said. "A good policy is one that teaches."
"As the user base increases, the technical sophistication level lowers," said G. Mark Hardy, senior scientist and managing director of Waltham, Mass.-based Guardent Inc., a consultant group. "The stupidity of the Internet population grows geometrically."