So you haven't been hacked, but don't count on it
 |
COMMENTARY--Network security people have always been lamenting the sad decrepit state of network security in Malaysia, from the lax evaluation done when awarding infotech projects, all the way down to the "tidak apa" attitude of the Malaysian in general. Let's use the following story as an example of what's going on these days…
You have this SME-type company, which is certainly no newcomer to using the Internet and technology, but it has only ventured so far as to use it for email and perhaps for resource purposes. However, it's now looking to "dot-com" itself and move into e-commerce and having an online Web presence.
It has two choices at this point in time: It can either outsource the Web-hosting project, or get itself a dedicated leased line, and do it itself.
Now after much deliberation, the upper-level managers decide that getting their own DSL line in and doing the job themselves would be the best course of action. It makes sense, doesn't it? Get an always-on high-speed network connection, save on hosting costs, and get a higher level of control over the machine. So they get themselves a 2Mbps DSL line, get the telecom people in to set it up, and they're on their way. But wait, they haven't set up their Web and mail servers. Oh that's quite all right, their in-house graphics designer knows about "these things" and will see to it himself.
They purchase a server and a firewall, snap it all together and start serving their pages. For six maybe 12 months, nothing "bad" happens, and the director is pleased. Things are going well, the new Web site is bringing in more business, and it looks like the DSL line is paying for itself--until one fine day, he comes into the office, fires up his Web browser only to find that his corporate Web page has been defaced with a cryptic message by some 12-year-old kid in Brazil, that begins with the line "'w3 0wn3d j00!".
Sounds a little too far-fetched? You'd be surprised. The problem of Web page defacement and script kiddie or cracker activity doesn't just end at the new companies moving into the e-commerce and online arena. Companies that have had an online presence and have been around for quite some time have had their fair share of network security headaches, and the problem isn't going to mysteriously solve itself unless we sit up and do something about it.
Like what? Well, the first would be to raise the level of awareness of the people responsible for a companies network. A firewall isn't going to solve your problems if the server itself is vulnerable.
A lot of companies fail to realize this, and instead, feel that all they need to protect themselves is use an anti-virus solution, and an out-of-the box firewall. Granted that a firewall does provide some level of protection, it isn't the be-all and end-all of network security. Security is an on-going process, not a solution that you can implement today, and forget about tomorrow. New vulnerabilities and attacks surface almost every other day (just subscribe to Bugtraq if you don't believe me).
Securing your organizations from attacks originating from the outside is a start, but what then for attacks from within? The stories of attacks from behind the firewall aren't as uncommon as you may think. We've got a lot of disgruntled employees these days, and having a good security policy for internal networks is becoming almost essential in maintaining a secure environment. It's quite pointless to have excellent protection from outside attacks, when all it's going to take to breach that protective shield is an individual from the inside planting a Trojan or opening a backdoor in your system. Your $20,000 security solution has just gone up in smoke!
We need to raise the level of understanding amongst individuals of what network security is about, what methods attackers use, and what the limitations of the technology or solutions are.
A chance in a million? Think again
The second common problem I've seen with companies in Malaysia, and Asia in general, is with regards to mindset. Most companies fool themselves into thinking that "Hey, we're just ONE Web site in the sea of millions, what're the chances that we're going to get attacked?"
Well, sorry to inform you folks, but nine times out of 10, it's not a dedicated attack that you should be worried about (ie, an individual targeting your organization per se, unless of course you happen to be a large target, which, in the eyes of attackers, would be a prized trophy). More often than not, you have the situation of an attacker sitting behind a machine on another side of the planet scanning a subnet or a whole list of IP addresses for a common vulnerability. If your machine's IP address happens to come up as vulnerable, that's pretty much that--you're going to get attacked. IT managers need to come to grips with the fact that to the attacker, their machine is just yet another target. There is a need for a PROACTIVE approach to security, as opposed to a reactive one. Don't wait for something to happen before you do something, fix it while you can.
There is also a third situation that is becoming increasingly widespread. The network administrator who's also the graphics designer, the content administrator, the database administrator, and the guy who makes the coffee.
Companies don't want to allocate sufficient funds to security as they deem it as "unimportant" or even as "a waste of money"… Pretty much due once again to a lack of awareness and their complacent attitude. They much prefer designating the job to someone who might know a little about what needs to be done, and save on employing someone full-time, or on getting network security consultants in. As a result, the individual designated the task of maintaining the security of the servers is overworked, having to see to more than just his usual tasks. It's also too much to expect an in-house graphics artists to stay on the cutting edge of network vulnerabilities when it's NOT HIS AREA OF EXPERTISE to begin with! Needless to say, in such a scenario, you're very likely going to end up with a security implementation that's as strong as a sand castle.
Companies really need to wake up and get their act together. It would also be nice to see MyCERT (the Malaysian Computer Emergency Response Team) help businesses get secured, as opposed to just collecting statistics and re-releasing advisories posted on Bugtraq.
The embarrassment of having your companies site listed on a defacement mirror might serve as some form of deterrent, but judging by the increasing regularity that this is happening, it is obvious people don't learn anything. They're just too content in wiping their brows and thanking deities that they were not the victims. Well, you may have been spared for now, but unless you firm up your security policies and machines, you WILL suffer an attack and it's only a question of when.
Dhillon Andrew is the founder and chief executive officer of information security site Hack In The Box, a site designed to facilitate discussion on security-related topics, create security awareness, and provide a comprehensive database of security knowledge and resources to the public.