Top HP security architect Donald Pipkin recently released the second edition of his book, "Halting the Hacker: A Practical Guide to Computer Security." Pipkin's book looks at threats, tools and responses with a focus on countermeasures to protect HP-UX, Linux or Unix systems.
The man with 15 years of network security experience tells eSecurityPlanet that network and security administrators need to figure out exactly what their data is worth and put that figure in line with how much they're spending on security. He also says he worries about all those stable old networks that were built before security was a major concern, and that users are adding devices and modems to corporate networks under IT's radar.
Q: Is there a general profile of today's corporate network hacker?
The hacker profile has become more diverse than it was a few years ago. Historically, the hacker has been the young MIT student trying to figure out how things work and somewhat unaware of the consequences. Today, there are more people with malicious intent looking for ways to profit from hacking. Regular criminals have discovered that over the Internet they have greater access to people. A lot of it has to do with the amount of skill necessary. Early on, it required a lot of skill to know what worked. Today it's more plug-and-play. Hacker tools are exploding on the market. You don't have to create an exploit by yourself. It's almost point-and-hack. You really don't need to know anything but how to run the tools to break into a system.
Q: Are most companies adequately prepared for a network attack?
Most companies are taking basic precautions. There's a lot of denial and there's a lot of funding issues. Companies are spending money on viruses and things that have an immediate day-to-day impact. Those things have to be taken care of. But a lot of companies don't have a good risk understanding of what a disgruntled employee or someone from the inside can have. I don't think they've evaluated those risks. Employees can access porn sites. But they also can really do some damage. There's more of a need for companies to do a big risk analysis.
Q: What could IT and security administrators do to improve their preparedness?
Do some disaster planning. Know what your data is and what it's worth. What is the impact if that information is destroyed or disclosed or just taken and misused? It's not just that my business can't do business if the information is destroyed. But if it's taken and misused, you have privacy issues to deal with. What is my level of liability if someone is injured by the information that is stolen and disclosed? With health care, think of the information they have about people. What if someone gets access to those records and misuses it? You have health care providers and insurance companies and all these people who have the right to see some of this information. How do you control that? It's going to take a lot of time and resources to control that environment.
Q: What are a lot of companies doing wrong?
In the big picture, it's probably still, boiled all down, the way they budget for security. A lot of companies say they have x million dollars budgeted for computer hardware and 10% of that budgeted for security. Security doesn't just protect assets, but information. What is information worth? And shouldn't you be paying some percentage of that for security? Security departments find themselves underfunded for the work they have.
Q: What part of the corporate network is generally the most vulnerable?
Outside hackers are coming in through unsanctioned connections. Users are installing their own modem or their own little wireless connection. Companies have done a good job of securing what they know they need to secure. But sometimes they don't secure areas because they're not even aware they exist. The technology is simpler today. The end users don't have to rely on IT to do everything anymore. If they want to put in a modem and dial out to get their personal mail from somewhere on the Internet, they can do it. IT doesn't know that these things are going on. Companies need to have a good education program, explaining to people that they need to let IT know what they're doing so IT can help them do it safely. And companies should have a good scanning and monitoring system so they can tell when something ends up on their network.
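The "scanning and monitoring" Pipkin describes boils down to comparing what is actually on the network against what IT has sanctioned. The script below is an added example, not from the interview or from Pipkin's book: it diffs a constructed asset inventory (keyed by MAC address) against constructed scan output in an assumed `<ip> <mac> <vendor>` line format, the kind of thing an ARP-table dump or a scanner export could be massaged into. Devices whose MAC is not in the inventory are reported, and a simple keyword heuristic (also an assumption) adds a note when the vendor string looks like consumer wireless or modem gear, the unsanctioned connections the answer is concerned with.

```python
"""Detect devices that appear on the network without being in the
sanctioned-asset inventory.

Added example (not from the interview or the book). The inventory, the scan
output and the "<ip> <mac> <vendor>" line format are constructed for
illustration; a real deployment would feed in its own ARP or scanner export.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed inventory of devices IT knows about, keyed by MAC address.
# Value is (hostname, owner/role).
SANCTIONED: Dict[str, Tuple[str, str]] = {
    "00:11:22:aa:bb:01": ("fs01", "IT - file server"),
    "00:11:22:aa:bb:02": ("mail01", "IT - mail relay"),
    "00:11:22:aa:bb:10": ("ws-jdoe", "Finance - desktop"),
}

# Constructed scan output in the assumed "<ip> <mac> <vendor>" format.
# One known MAC is written in upper case to exercise normalisation.
SCAN_OUTPUT = """\
# ip            mac                vendor
10.0.5.10 00:11:22:aa:bb:01 ExampleServerCo
10.0.5.11 00:11:22:aa:bb:02 ExampleServerCo
10.0.5.40 00:11:22:AA:BB:10 ExampleDesktopCo
10.0.5.77 02:aa:bb:cc:dd:01 ExampleDesktopCo
10.0.5.99 02:aa:bb:cc:dd:02 Acme Wireless Router
"""

# Assumed heuristic: vendor strings that often indicate user-installed
# wireless access points or modems rather than IT-managed equipment.
WIRELESS_KEYWORDS = ("wireless", "wifi", "wi-fi", "modem", "router")


@dataclass(frozen=True)
class Device:
    ip: str
    mac: str
    vendor: str


@dataclass(frozen=True)
class Finding:
    device: Device
    reason: str


def parse_scan(text: str) -> List[Device]:
    """Parse "<ip> <mac> <vendor>" lines; vendor may contain spaces."""
    devices: List[Device] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(maxsplit=2)
        if len(parts) != 3:
            raise ValueError(f"malformed scan line: {line!r}")
        ip, mac, vendor = parts
        devices.append(Device(ip=ip, mac=mac.lower(), vendor=vendor))
    return devices


def find_unsanctioned(devices: List[Device],
                      inventory: Dict[str, Tuple[str, str]]) -> List[Finding]:
    """Return every scanned device whose MAC is absent from the inventory."""
    findings: List[Finding] = []
    for dev in devices:
        if dev.mac in inventory:
            continue
        reason = "MAC not in sanctioned inventory"
        if any(k in dev.vendor.lower() for k in WIRELESS_KEYWORDS):
            reason += "; vendor string suggests consumer wireless/modem gear"
        findings.append(Finding(device=dev, reason=reason))
    return findings


def report(findings: List[Finding]) -> str:
    """Render findings as one line each, suitable for a ticket or a log."""
    if not findings:
        return "no unsanctioned devices found"
    return "\n".join(
        f"{f.device.ip} {f.device.mac} ({f.device.vendor}): {f.reason}"
        for f in findings
    )


if __name__ == "__main__":
    print(report(find_unsanctioned(parse_scan(SCAN_OUTPUT), SANCTIONED)))
```

Run on a schedule against each subnet's scan and feed the output into whatever alerting the site already has; the value is less in the heuristic than in keeping the inventory current, since an inventory nobody maintains turns every device into a false positive.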
Q: What tools are coming down the pike that you are most eagerly anticipating?
Centralized administration. I've always been a real big believer in enterprise security and enterprise management. We have such diversified systems scattered everywhere -- servers and desktops and email. You have to have a way to control those -- all the users and passwords and traffic and privileges. You have all kinds of problems there. Centralized administration will help with security because it will bring in consistency. You'll be able to standardize -- what passwords are changed and how often -- you can rapidly assign and remove people from resources ... a person's ID is the same whether they're on email or the mainframe or a server.
Q: What worries you the most?
My personal concerns have to do with the infrastructures that have been around for a long time. There are a lot of issues about when you have systems out there that are 15 or 20 years old. When you have old air traffic control systems or old systems running the oil pipeline across the country, there are security issues. When they get a system running, they leave it alone. But 15 or 20 years ago, people weren't concerned about hacking. There are a lot of old systems out there that are vulnerable.