Daniel Lewkovitz has been known to resort to some fairly unorthodox measures to demonstrate security flaws.
"One CIO was so sure I wouldn't get past his firewall he just about promised to eat his hat," Lewkovitz said. "I donned a suit and walked in through the front doors, in fact some of his staff even held the doors open for me, unplugged the box and asked what kind of sauce he wanted with his hat as I placed it on his desk."
This attitude is probably a good one, because his role as senior information security consultant for IT service provider CMG requires him to break into IT systems considered unbreakable. And armed with a background in physical security, he emphasises the importance of going beyond the firewall, encouraging companies to focus on the physical and procedural aspects of security as well as the technology.
Suggesting that much of the information malicious hackers would need to break into a system is easily obtained from unwary company sources, he advocates not only the application of a company-wide, standard operating environment, but a deliberate limiting of internal information availability.
As well as many recognised anti-hacking measures involving blocking unnecessary ports and services, hardening servers, applying multiple security layers, and consistent log analysis, Lewkovitz used a presentation for Hack 2002 to call for increased emphasis on company-wide education measures and policies.
"All the infrastructure imaginable can be undone in a second if anyone within the company fails to recognise a suspect email and opens it anyway," Lewkovitz said. "Policy, people and infrastructure have to interact effectively to provide real security within an organisation."
Identifying the threat
With IT security breaches mushrooming globally, the term hacker tends to conjure up images of long-haired, spotty-faced "script kiddies", blindly wielding tools they barely understand to cause generalised mischief in systems throughout the world.
According to Dr Tim Cranny, senior scientist with 90East, whose role sees him monitoring a quarter of all Federal Government agencies, probe packets detected at the top layer of these networks have increased from 300,000 to 1.2 million since the 11 September attacks on the World Trade Center and subsequent war in Afghanistan. "We have seen a significant increase in those emanating from the Middle East and South East Asia," he said.
While he concedes many of these attacks are relatively harmless, he said that the sheer quantity served to mask some of the more sophisticated and targeted attacks.
"It is not uncommon for a hacker to use quite sophisticated tools to break into a Unix box, then not know what to do when they get there. We end up catching these people because they don't know how to log off," Dr Cranny said. "Even if most attacks aren't serious, they serve as masks for more sophisticated operations."
Also speaking at Hack 2002, Cranny pointed out that with over a trillion dollars now passing through Internet transactions throughout the world, and rapid diversification of the devices connected to the Internet, it would not be long before IT security began to affect the wider community in more tangible ways.
"I see the turning point coming when there is a multimillion dollar hack which turns off the refrigeration at the local meat works," Dr Cranny said, also warning of as yet unknown difficulties associated with emerging wireless protocols. "IT Security is increasingly a business issue, as we see it integrated into insurance policies and the resulting premiums, as well as due diligence and company liability."
Like Lewkovitz, Dr Cranny used his presentation to call for more flexible, scalable, proactive and ubiquitous security measures to be implemented throughout the business sector.