Sage security advice: close the door!

“You can have the best burglar alarm system in the world, but somebody’s going to come along and figure out how to break it.”

That opinion from Rosaleen Citron, CEO of WhiteHat Inc., an information technology security provider in Burlington, Ont., is probably not what you want to be reading. But, given the way this year started, it can hardly be a surprise.

Citron suggests that it was improper procedures, not outsourcing, that caused the breach in security at ISM where a hard drive went missing for a while. “Is it a good idea to have that many people, that many companies and that much data on one hard drive? Well, no, it’s not. As these things happen, people are obviously going to change things to make them better. But understand that no matter what we do, you can build a bigger mousetrap, but a bigger mouse will come along.”

She reports that most of the financial institutions they do business with, including the big banks and credit companies, use a layered approach to security. This typically includes firewalls on the outside, a demilitarized zone, a zone in the middle for Internet applications for employees and then a firewall behind that, plus an intrusion detection system. They may have firewalls on desktops as well as anti-virus and other tools for extra security. Strong authentication is usually in place so people can dial in only by using a PIN. Or, they might even have biometrics governing access, which Citron reports is being rolled out a lot now.

“When you start layering it, it’s sort of like you have your front door, you have a regular lock and then you have a dead bolt, and behind that you’ve got a Doberman Pinscher and behind that you have a guy with a shotgun. Then you’ve got a safe behind that,” she explains. “The problem with all that is, if you do all that and then you leave a back door open somewhere, you’ve left a port open or some employee has put a modem on their desktop that hasn’t been authorized, all of a sudden, somebody has the ability to get in through a tiny hole, and boom. So no matter how much you do, sometimes it’s just the common denominator or the weakest link that opens that hole.”

Slammer vulnerability

Not keeping virus defences up to date, for example, resulted in a preventable attack of the Slammer worm that hit 650,000 servers according to Network Associates Inc. The company reports 400,000 machines were infected in North America, most of those within three hours of the start of the attack on January 25.

“A lot of companies got hit and there’s no reason for that,” claims Jack Sebbag, Canadian general manager and vice-president of Network Associates Inc. in Montreal. “The vulnerability was well known; Microsoft had posted a patch since July 2002.”

IDG reported that Slammer represented a significant milestone in the evolution of worms and was by far the fastest-spreading worm yet seen.

Sebbag warns that as virus writers and hackers learn from each other, threats will continue to evolve, becoming more powerful, more complex and more damaging. He says with each outbreak, they get stronger and more dangerous.

His recipe for protection is threefold: invest in security vulnerability assessment; put in place a block and tackle defence in the event a worm gets onto your network; and run a network management tool. Network Associates’ product line includes McAfee ThreatScan, for detecting virus-related vulnerabilities throughout a corporate network, and Sniffer, a range of monitoring and analysis products to anticipate, isolate and diagnose network faults and performance problems.

Citron notes that when Slammer hit, their alarms “went insane” as they detected the worm growing exponentially and hammering away at the Internet. She says the concern goes beyond just staying ‘up’ but also having the Internet stay rock solid in spite of “people out there who, for some reason, decide it is fun to bring it down.”
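The alarms Citron describes are the kind of thing a defender can reproduce with a few lines over flow records. The following is an added example, not code from the article or from any product it names: it flags the worm's one distinctive signature (Slammer was a single 376-byte UDP datagram aimed at the SQL Server Resolution Service on UDP/1434) and then singles out sources fanning out to many destinations per second, which is what the "growing exponentially" phase looks like from inside a network. The flow records and the fan-out threshold are constructed assumptions.

```python
"""Added example, not from the article: flag Slammer-style traffic in flow
records so hosts still missing the July 2002 patch can be found and isolated.

Slammer was a single 376-byte UDP datagram to the SQL Server Resolution
Service on UDP/1434; that size/port pair is the only signature used here.
The fan-out threshold and the flow records below are constructed assumptions."""
from collections import defaultdict

SLAMMER_PORT = 1434      # UDP port of the SQL Server Resolution Service
SLAMMER_PAYLOAD = 376    # UDP payload length of the worm datagram, in bytes
FANOUT_THRESHOLD = 5     # assumption: distinct destinations per window that means "scanning"

# Constructed flow records: (time_s, src_ip, dst_ip, proto, dport, payload_bytes)
SAMPLE_FLOWS = [
    (0.0, "10.1.1.20", "10.1.1.5", "udp", 1434, 32),       # ordinary SSRS lookup
    (1.0, "10.1.1.7", "10.1.1.5", "tcp", 1433, 1200),      # ordinary SQL session
    (2.0, "10.1.1.9", "198.51.100.1", "udp", 1434, 376),   # infected host fanning out
    (2.1, "10.1.1.9", "198.51.100.2", "udp", 1434, 376),
    (2.2, "10.1.1.9", "198.51.100.3", "udp", 1434, 376),
    (2.3, "10.1.1.9", "203.0.113.10", "udp", 1434, 376),
    (2.5, "10.1.1.9", "203.0.113.11", "udp", 1434, 376),
    (2.9, "10.1.1.9", "203.0.113.12", "udp", 1434, 376),
    (5.0, "10.1.1.30", "10.1.1.5", "udp", 1434, 376),      # one matching datagram, no fan-out
]


def is_slammer_datagram(flow):
    """Signature match on a single flow record."""
    _, _, _, proto, dport, size = flow
    return proto == "udp" and dport == SLAMMER_PORT and size == SLAMMER_PAYLOAD


def matching_flows(flows):
    """Every record that carries the worm-sized datagram."""
    return [f for f in flows if is_slammer_datagram(f)]


def find_infected_hosts(flows, window=1.0, threshold=FANOUT_THRESHOLD):
    """Return {src_ip: peak distinct destinations in one window} for sources whose
    worm-sized datagrams reach at least `threshold` distinct destinations within
    `window` seconds. A lone matching datagram shows up in matching_flows() but
    not here, so this is the list to act on first."""
    by_src = defaultdict(list)
    for t, src, dst, *_ in matching_flows(flows):
        by_src[src].append((t, dst))
    infected = {}
    for src, hits in by_src.items():
        hits.sort()
        for start, _ in hits:
            dests = {d for t, d in hits if start <= t < start + window}
            if len(dests) >= threshold:
                infected[src] = max(infected.get(src, 0), len(dests))
    return infected


if __name__ == "__main__":
    print("worm-sized datagrams:", len(matching_flows(SAMPLE_FLOWS)))
    for src, fanout in find_infected_hosts(SAMPLE_FLOWS).items():
        print(f"isolate {src}: {fanout} distinct UDP/1434 targets in 1 s")
```

On the sample data the single-datagram rule matches seven records, but only 10.1.1.9 crosses the fan-out threshold; the lone match from 10.1.1.30 is worth a look, while the fanning-out host is the one to pull off the network and patch.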

She recalls the recent credit card hacking of what she reports was one per cent of credit cards in the United States as “the largest magnitude that we’ve seen that’s been publicized. We’ve had everything from card hacks to Sympatico and eBay spoofing. This is the electronic world and as people learn to live in it, people learn how to break it.

“People can get all over your Web site or worse, take the information and do things with it. That has to be locked down. Every single thing that a corporation does, especially in the financial sector, has to have a security posture around it. You have to have somebody trained to look at it and say ‘yea, we do have an issue here, we’ve got to fix it’ or ‘look at this, somebody’s really trying to attack us, we better strengthen or fortify those areas.’”

Flypaper for hacks

Fortunately, there are equally determined minds on the good side, such as those who created what’s called a honeypot. A flypaper for hacks, its value lies in being probed, attacked and compromised, Citron explains.

“A honeypot is basically a virtual machine that sits out there, that might have false credit card information and corporate information that looks very tasty to a hacker, and by the time they figure out it’s a honeypot, or it’s false, they’ve left their signature, they’ve left a lot of evidence,” she reports.

“They can’t physically see what they’re touching and to them they found something and they say, ‘Oh, look at this, I’m in.’ They don’t know if they’re in a legitimate network or if they’re in a honeypot. It takes them some time before they figure that out, and believe me [the honeypot administrators] get an awful lot of profile information before they get out of there. They might only be in what, 30 seconds before they figure something out, but we’ve got enough information that we are able to profile them.”

She says honeypots have been around maybe three and a half years, but they’ve just come to the forefront. There is also a honey net, which Citron describes as an open source project that a lot of people are getting involved with so they can develop products to gather information about “black hats”, i.e. the hackers, which they then share amongst the group.

“There are some very funky new tools coming out,” adds Citron. “There’s one right now called Honeyd which is actually an open source product, and this thing is so funky that you can actually make a network look like it’s full of supercomputers if you want. It just creates this entire network that looks really yummy to someone who’s a Black Hat, and off they go.”
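To make concrete what Citron means by leaving a signature and being profiled, here is an added example of a low-interaction honeypot. It is not code from the article, from WhiteHat or from the Honeyd project: it serves fake service banners (the idea Honeyd templates take much further), records every probe as an evidence record, and builds a per-source profile from those records. The ports, banner strings, log path and sample probes are all constructed assumptions.

```python
"""Added example, not the article's or the Honeyd project's code: a
low-interaction TCP honeypot that serves fake banners, records every probe as
evidence, and profiles each source from what it left behind.

Ports, banners, the log path and the sample probes are assumptions."""
import json
import socket
import threading
import time
from collections import defaultdict

# Fake service banners keyed by listening port (assumption: high ports so the
# process runs unprivileged; redirect the real ports to these in deployment).
# Like a Honeyd template, they only need to look plausible long enough for
# the intruder to leave evidence.
BANNERS = {
    2121: b"220 ftp.example.internal FTP server ready\r\n",
    2222: b"SSH-2.0-OpenSSH_3.4p1\r\n",
    8080: b"",  # a web server says nothing first; just record what arrives
}

LOG_PATH = "honeypot-events.jsonl"  # assumption: where evidence is written


def guess_protocol(data):
    """Very rough first-look classification of what the client sent."""
    head = data[:8]
    if head.startswith(b"SSH-"):
        return "ssh-client"
    if head.split(b" ")[0] in (b"GET", b"POST", b"HEAD", b"OPTIONS"):
        return "http"
    if head.startswith(b"USER ") or head.startswith(b"PASS "):
        return "ftp-login"
    if not data:
        return "connect-only"
    return "unknown"


def make_event(src_ip, src_port, dport, data, ts):
    """Turn one probe into a JSON-serialisable evidence record."""
    return {
        "ts": ts,
        "src": src_ip,
        "sport": src_port,
        "dport": dport,
        "bytes": len(data),
        "first_bytes_hex": data[:64].hex(),
        "looks_like": guess_protocol(data),
    }


def profile(events):
    """Aggregate evidence per source: ports touched, probe count, protocols seen."""
    acc = defaultdict(lambda: {"ports": set(), "probes": 0, "protocols": set()})
    for e in events:
        p = acc[e["src"]]
        p["ports"].add(e["dport"])
        p["probes"] += 1
        p["protocols"].add(e["looks_like"])
    return {src: {"ports": sorted(p["ports"]), "probes": p["probes"],
                  "protocols": sorted(p["protocols"])} for src, p in acc.items()}


def handle(conn, addr, dport, sink):
    """Serve the fake banner, read whatever the client sends, record it."""
    try:
        conn.settimeout(5)
        banner = BANNERS.get(dport, b"")
        if banner:
            conn.sendall(banner)
        try:
            data = conn.recv(1024)
        except socket.timeout:
            data = b""
        sink(make_event(addr[0], addr[1], dport, data, time.time()))
    finally:
        conn.close()


def listen(dport, sink, bind_ip="127.0.0.1"):
    """Accept loop for one fake service; runs until the process exits."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((bind_ip, dport))
    srv.listen(16)
    while True:
        conn, addr = srv.accept()
        threading.Thread(target=handle, args=(conn, addr, dport, sink), daemon=True).start()


def append_to_log(event, path=LOG_PATH):
    """Append one evidence record as a JSON line."""
    with open(path, "a") as fh:
        fh.write(json.dumps(event) + "\n")


if __name__ == "__main__":
    for port in BANNERS:
        threading.Thread(target=listen, args=(port, append_to_log), daemon=True).start()
    threading.Event().wait()  # block forever; records accumulate in LOG_PATH
```

The honeypot never does anything useful for a client, which is the point: any connection at all is suspicious, and the log of who connected, to which ports, and what they sent first is exactly the profile Citron describes collecting in the seconds before the visitor realises where they are. Feed the JSON lines back through profile() to see per-source port coverage and probe counts.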

Honeyd was created at the University of Michigan (

“It actually goes to a much deeper level than any of the honeypots that we’ve seen so far, so you can see that they’re enhancing these products as they move through time. The tools we have are going to get better,” she says with a definite note of optimism.