The Russell Crowe blockbuster movie Master and Commander: The Far Side of the World depicts naval warfare between the British and French during the Napoleonic age. Several of its lessons about security apply to today’s IT environment.
The Bottom Line: Technology may have changed the nature of attack and defense, but the essential hacker techniques and ways to prevent them have existed far longer than you might expect.
What It Means: As British Navy Captain Jack Aubrey (played by Russell Crowe) tries to outsmart and outfight the French, he provides us with several security truisms that IT managers should heed as they battle the endless stream of malware unleashed on the Internet.
New technology can’t provide perfect security; it only changes the rules of engagement. In the movie, the French sail a ship built using a new construction technique that makes it highly resistant to English cannonballs. However, Captain Aubrey overcomes the French defensive technology with the following techniques, which hackers also use to attack IT systems:
- Aubrey gathers information, including a scale model of the French ship’s hull, revealing its vulnerabilities. IT managers are tempted to rely on “security by obscurity” in order to keep their systems safe. In theory, if details about a system aren’t public, hackers won’t be able to find vulnerabilities. The Takeaway: Unfortunately, in the Internet era, nothing remains secret for long, and patient, resourceful hackers inevitably find system weaknesses.
- Once he has identified various potential weaknesses, Aubrey devises a battle plan to attack each of them in succession. Most hackers are interested only in penetrating systems and not in the specific means of attack. The Takeaway: If one attack fails, the hacker will try others until he reaches his goal.
- Aubrey appeals to his opponents’ greed to induce the French to expose their ship to attack. Rather than spending time trying to penetrate defenses like strong passwords, hackers often trick unsuspecting users into giving them passwords. The latest Internet malware, the MiMail worm, replicates like a traditional worm but tricks unsuspecting users into providing confidential bank account information. The Takeaway: Solid security processes, training, and auditing can mitigate but not eliminate personnel-related risks.
The Internet era has opened the door to corporate IT systems and exposed them to new attacks that exploit new technologies. However, hacker techniques have existed as long as warfare. Defense is a never-ending process of discovering vulnerabilities, patching them, and deploying multiple defenses. IT managers must employ technologies like firewalls, intrusion detection systems, intrusion protection systems, vulnerability scanning tools, and anti-virus products to protect against multiple points of attack. IT managers cannot make the same mistake as the French captain who relied too much on a single defensive technology.
TechRepublic originally published this article on 8 November 2003.