If you know the enemy and know
yourself, you need not fear the result of a hundred battles. If you know
yourself but not the enemy, for every victory gained you will also suffer a
defeat. If you know neither the enemy nor yourself, you will succumb in every
battle. – Sun Tzu

For information technology professionals, it is an unfortunate fact of life that no network can achieve an end-state that is totally secure. No matter how much you may wish it to be otherwise, network security, regardless of platform, is a continuous battle where engagement with intruding forces ebbs and flows with the security vulnerability of the moment. The best you can ultimately achieve is a stalemate where the risk of invasion is at a manageable level.

This state of equilibrium is best achieved by knowing how malicious hackers enter a network and, by extension, how you can stop them. This is the motivation that drives the techniques outlined in the book Protect Your Windows Network: From Perimeter to Data, written by Jesper Johansson and Steve Riley, and published by Addison Wesley Professional. A chapter excerpt from that book, Anatomy of a Hack—The Rise and Fall of Your Network, is available as a free download.

In the
following interview, authors Johansson and Riley discuss executive perceptions
of security, wireless networks, identity theft, and social engineering.


Protect Your Windows Network: From
Perimeter to Data

By Jesper
Johansson and Steve Riley

Published
by Addison Wesley Professional

ISBN:
0321336437; Published: May 20, 2005; Copyright 2005;

Web site

Chapter 2: Anatomy of a Hack—The
Rise and Fall of Your Network


Interview

[TechRepublic] One of the first concepts you
discuss in your book deals with the reality of computer networks – no network
can achieve an end-state that is totally secure. Instead, network security is
really the management of risk. Do you find it difficult to convince IT managers
and management executives that this is the way it is; the way it has to be?

[Johansson and Riley] Intuitively, they all understand this already; they may just not think in these terms. They have been told so many times that you can be “secure” or “impenetrable” or “unbreakable” that it is a little bit of a mind-shift for them to stop thinking that way. However, they already understand nuances of risk management, and when you explain that network security is basically just another risk management discipline, the argument makes sense to them. One thing that helps is to use some kind of model that can rank your risk. There are numerous mathematical models that can express risk financially — and we all know that the language of business is money. Such an exercise helps you think quantitatively about risk, which makes it easier to make the decision. “We determine that loss results in a monetary exposure of $, so we will spend $ to help mitigate the risk.” Of course, the expenditure makes sense only if Z is less than Y!
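As an added illustration of the kind of quantitative risk-ranking model the answer above refers to (this is example code, not code from the book or from the authors), the following Python expresses a few constructed risks in financial terms, ranks them, and applies the interview's rule that a mitigation is worth buying only if what you spend (Z) is less than the loss it removes (Y). It uses the standard annualised loss expectancy formulation: single loss expectancy = asset value × exposure factor, and ALE = SLE × annual rate of occurrence. The class names, the scenarios and every figure in it are assumptions made up for the example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    """One threat scenario expressed in financial terms (all values constructed)."""
    name: str
    asset_value: float      # value at stake, in currency units
    exposure_factor: float  # fraction of asset_value lost per incident, 0..1
    aro: float              # annual rate of occurrence: expected incidents per year

    def sle(self) -> float:
        """Single loss expectancy: the cost of one incident."""
        return self.asset_value * self.exposure_factor

    def ale(self) -> float:
        """Annualised loss expectancy: expected cost per year."""
        return self.sle() * self.aro


@dataclass(frozen=True)
class Mitigation:
    """A control that reduces how often a risk materialises, at a yearly price."""
    risk_name: str
    annual_cost: float      # what we would spend per year (the interview's Z)
    aro_reduction: float    # fraction by which the control cuts incident frequency, 0..1


def avoided_loss(risk: Risk, control: Mitigation) -> float:
    """Expected yearly loss the control removes (the interview's Y)."""
    return risk.ale() * control.aro_reduction


def net_benefit(risk: Risk, control: Mitigation) -> float:
    """Positive when the control pays for itself over a year."""
    return avoided_loss(risk, control) - control.annual_cost


def is_worthwhile(risk: Risk, control: Mitigation) -> bool:
    """The interview's rule: spend Z only if Z is less than Y."""
    return control.annual_cost < avoided_loss(risk, control)


def rank_risks(risks: list[Risk]) -> list[str]:
    """Names of the risks, highest expected yearly loss first."""
    return [r.name for r in sorted(risks, key=lambda r: r.ale(), reverse=True)]


# Constructed scenarios, loosely based on topics the interview raises.
CONSTRUCTED_RISKS = [
    Risk("open wireless access point", asset_value=200_000, exposure_factor=0.25, aro=2.0),
    Risk("static WEP key cracked", asset_value=200_000, exposure_factor=0.25, aro=0.5),
    Risk("kiosk keystroke logger", asset_value=50_000, exposure_factor=1.0, aro=0.2),
]

# Constructed proposals: a yearly cost and the frequency reduction each is assumed to buy.
CONSTRUCTED_CONTROLS = [
    Mitigation("open wireless access point", annual_cost=15_000, aro_reduction=0.9),
    Mitigation("kiosk keystroke logger", annual_cost=12_000, aro_reduction=0.5),
]


def find_risk(name: str) -> Risk:
    """Look up a constructed risk by name."""
    return next(r for r in CONSTRUCTED_RISKS if r.name == name)


def decisions() -> dict[str, bool]:
    """Map each proposed control to whether the model says to buy it."""
    return {c.risk_name: is_worthwhile(find_risk(c.risk_name), c) for c in CONSTRUCTED_CONTROLS}


if __name__ == "__main__":
    for name in rank_risks(CONSTRUCTED_RISKS):
        print(f"{name:32s} ALE = {find_risk(name).ale():>10,.0f}")
    for c in CONSTRUCTED_CONTROLS:
        r = find_risk(c.risk_name)
        verdict = "buy" if is_worthwhile(r, c) else "skip"
        print(f"{c.risk_name:32s} cost {c.annual_cost:>8,.0f}"
              f" avoids {avoided_loss(r, c):>10,.0f} -> {verdict}")
```

With the constructed figures, the open access point dominates the ranking (an expected 100,000 a year), and a control costing 15,000 that removes 90% of that frequency is clearly justified, whereas a 12,000 control against a 10,000-a-year keystroke-logger risk that only halves the frequency is not. The model is deliberately simple; the point is the discipline of putting both the exposure and the spend in the same units before deciding.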

[TechRepublic] You spend a great amount of space in your book discussing protecting unauthorized access to a network. However, it is well known that in many urban and industrial areas you can find open wireless 802.11 routers. You point out that the best way to secure a wireless network is with 802.1X and WAP, but these companies are still using 802.11 routers in their default configurations. Can you explain why this occurs and what sort of security risk these businesses are facing?

[Johansson and Riley] These businesses are inviting
people inside the firewall. It is another example of how porous the firewall
really has become; predictions of the end of the firewall are becoming truer
every day. Of course, if you are using 802.11b only with static WEP, you are as
good as wide open too, so it really does not change things much — it’s
possible to crack a static WEP key with as few as 500,000 captured frames,
which a fully-utilized 802.11b access point will generate in about 8 minutes 20
seconds. Few of the wireless router vendors sell their gear with security
turned on.

They are insecure by default. That means that people have to do something else to turn on security, and that involves changing something that is already working. Again, this is the fundamental tradeoff at work. The routers are cheap and usable, but insecure. If you want them secure and usable, someone has to spend money. As the margins are already razor thin in the wireless market, nobody has been able to make a viable business selling routers that are secure and usable. Microsoft gave it a valiant shot, but gave up since they could not compete on price with the insecure cheap versions sold by everyone else. Another problem is that some people just don’t seem to care. “Ah, our data isn’t that important, no one will attack us.” Remember, not all attackers want to steal data. Some of them want to steal your bandwidth; open wireless networks are obvious invitations to the bad guys, enticing them to launder their attacks through you. Other attackers could be interested simply in trying to cause you grief by launching a DoS attack against all your access points. Use of the air as a transport is a fundamentally different thing than wire or glass.

[TechRepublic] There have been several
high-profile stories in the mainstream press recently about identity theft and
stolen credit card information. These stories raise the public consciousness
for awhile, but the “outrage” seems to fade over time and we go back
to a status quo. Up to now, even though these security breaches are inconvenient
for those involved, they haven’t been disastrous. What major network security
vulnerability keeps you awake at night? What is your worst case scenario?

[Johansson and Riley] That would be classified
information. 🙂

The worst
attacks are those we do not notice. We always ask IT managers and execs how
long it would take them to notice that there is someone on their payroll that
does not belong there. Everyone looks uncomfortable when we ask that because it
is a scenario that we do not want to think about. The attack that goes on for
years that we do not notice, that is the worst attack. With that attack the
attacker can do anything. For instance, is stealing someone’s identity the
worst thing that can happen?

Or, is it the modifications to the identity? In other words, is it the fact that someone has your social security number that is bad, or the fact that they are using it to open up credit cards, thereby tarnishing your reputation? In virtually all cases, data modification is the bad attack, and those can be very stealthy. Another example is keystroke loggers. Yeah, these things are really worrisome. They bypass just about any other form of access control you might have and record everything you type. A colleague of ours once sat down at a public kiosk and logged into his corporate email account over the web. A few moments later a dialog popped on the screen, offering to upgrade the software keystroke logger currently installed! Now even the bad guys are building auto-update mechanisms into their tools.

[TechRepublic] Even if you take every precaution
possible to protect your Windows server from attack, the security is only as
good as the people who are tasked with implementing it. You tell several
amusing yet disturbing stories in your book about sophisticated protection
schemes being circumvented by fickle human nature. Is social engineering the
real weak link in security? How does an organization combat the chaos that is
human behavior?

[Johansson and Riley] Well-designed and well-managed networks are becoming more difficult to attack. Software has gotten better. So we fear the attacks that just go around the security. Keystroke loggers are one example; social engineering is another. Yes, social engineering is definitely the weak link. Why expend so much effort trying to attack the system when it’s maybe easier to attack the sysadmin? As we say in one of our presentations, the OS manufacturer cannot configure your people for you.

It is up to the organization to do that. Doing so is an education effort, but also includes a mindset change. IT managers often got into IT to avoid people in the first place, so we have a tendency to write off user problems as something we just can’t deal with. That’s a mistake. People are potentially the strongest security measure we have — if you’ve “configured” them properly. They want to do the right thing, but they do not know what the right thing is, let alone how to do it. We need to put educational measures in place to teach them.