The hacker challenge

Will we ever reach the stage where hackers, rather than system administrators, will constantly be on the offensive?

Talking about IT security tends to bring out people's inner four horsemen of the Apocalypse, or at least their lurking George Bush Jr. "It's an arms race," says Neil Campbell, national security practice manager for Dimension Data. "The bad guys are always innovating and coming up with new ways of circumventing security." "Hackers and attacks are becoming more and more sophisticated every day and will continually challenge in-place systems," says Paul Serrano, Asia Pacific senior director marketing for NetScreen. "Security systems must adapt and grow with them."

The near-ubiquity of the Internet has also dramatically changed the nature of the security challenge. "Security is being redefined to encompass continuous availability," says Rick Seeto, director enterprise data portfolio for Nortel Networks Asia Pacific. Indeed, the need to make segments of the corporate network available in the form of a Web server has been one of the most significant changes in the typical security setup over the past decade.

The opportunity to sell some extra technology into an otherwise cautious market certainly has vendors champing at the bit. IDC estimates that by 2006, the global market for IT security systems will be worth a staggering $38 billion -- no mean feat in an industry generally considered to be in the throes of a major and prolonged downturn. Unusually for the generally mature IT space, competition also remains fierce, with dozens of small companies competing for a slice of the pie via their own highly specialised products. "You don't have to be a huge vendor to get some mind share," points out Campbell. Indeed, the proliferation of vendors is such that for many IT managers, the trickiest decision is working out whether you need all the different options on offer. Do you need an IDS and an IPS? How many firewalls are too many?

One relatively undeveloped area is in physical security, although vendors are fond of pointing out that it represents one of the most obvious ongoing threats. "If you can get physical access to a machine, there is no security," says Callum Russell, solutions marketing manager IT infrastructure at Microsoft Australia. "Some may say that the only secure computer is one that has its power cord removed and has been buried under six foot of dirt," says Daniel Zatz, security specialist at Computer Associates ANZ. "That isn't exactly true. It is possible to dig that computer up and plug the power back in, and then it isn't so secure."

While that's undoubtedly so, IT managers aren't being kept awake at night worrying about whether someone has dug up their old computers and plugged them in. The evidence suggests they're being kept awake worrying about who is going to hack into the ones they haven't buried yet. According to a survey of chief security officers (CSOs) conducted by IDC last year, 59 percent believe that electronic attacks represent the biggest potential threat to their company. Just eight percent expressed concerns over physical attacks to their systems, and a practically insignificant three percent were worried about electronic attacks that might have physical consequences. Though the survey also revealed that nearly 50 percent of CSOs (a job specialisation that may well ultimately go the way of the late, unlamented chief knowledge officer) are concerned about the possibility of an electronic attack by terrorists, that concern doesn't seem to have spread into the general business community. No, it's busy worrying about the most visible threat: virus writers.

Feeling viral

A steady stream of publicity has ensured that antivirus software has become virtually ubiquitous for all computer users, even if they ignore every other potential security threat. The evidence suggests they are doing just that. In a survey of Australian businesses carried out by the Australian Bureau of Statistics, only 14 percent of businesses using a computer claimed to have no IT security measures in place. However, 80 percent of those businesses which did claim to have a security solution in place were running nothing apart from antivirus software. It seems the notions of fighting viruses and security have become equivalent in the minds of many businesses.

This is both interesting and disturbing, since most security observers agree that virus writers, however much inconvenience they can cause with a successful virus, are hardly typical of the major security threats faced by companies. Because of the relative ease with which viruses, especially macro viruses, can be constructed, virus creators are generally viewed as a distinct category from other hackers. "Viruses are not a technological phenomenon, they are a social phenomenon," says Dave Perry, global director of education at corporate antivirus vendor Trend Micro. "What drives people to write viruses is the need for notoriety."

"Research into the motivations and backgrounds of virus writers has shown that the early virus writers were not evil incarnate, but rather adolescents who were basically just like the kids next door," notes Sarah Gordon, a psychologist who has spent much time investigating the virus writing community and who has been employed by companies such as Symantec for her professional expertise. "Initially, the virus writing and hacking communities were very much two separate groups. Hacking required a totally different set of skills and mindset from virus writing. Now, with the massive connectivity available, the two skills are having some crossover."

Continuing media hysteria, and the steady rise of viruses distributed via e-mail, has ensured that most people have antivirus software in place. Fairly straightforward online upgrades mean that most such systems stay relatively up-to-date. This is useful, since the virus community shows no sign of slowing down its activities. By 2010, Trend's Perry predicts that more than 10 million viruses will be in existence. "Antivirus is like a game of cards in which the highest card wins," says Paul Ducklin, head of technology for antivirus vendor Sophos Asia Pacific. "But not only is there no limit to the number of turns in the game, there is also no highest card in the deck." In other words, no matter what tricks virus writers come up with, antivirus companies can generally work around them in fairly short order.

After antivirus software, the next most common security solution put in place is a firewall, which should (at least in theory) keep unwanted traffic out of your internal network. "From an awareness perspective, everybody knows they need a firewall," says Dimension Data's Campbell. Firewalls enjoyed a particular boost in popularity after the glut of denial-of-service (DoS) attacks in the late 1990s, which alerted many businesses to the potentially devastating effects of a surplus of unwanted malicious traffic. Basic firewall technology has even been built into recent versions of Windows, although serious corporate implementations tend to rely on more robust offerings from specialist vendors.

Indeed, one perspective is that a single firewall is not actually enough. "One layering approach is to use one vendor's firewall, followed by another," notes Campbell. "In practice, though, it can be quite difficult to maintain two different technologies." The usefulness of firewalls becomes less clear as network boundaries blur.

"Clients generally look at their perimeter first, although there is a growing push to move security infrastructure into the internal network," says Tim Smith, national business continuity manager for systems integrator Alphawest. "In a lot of cases, the bridge between the perimeter and the internal network is a little cloudy, with partner and employee access taking place behind the traditional perimeter network." The demand for remote access to internal systems poses a major challenge for firewall implementations, requiring a balance to be struck between convenience and security.

Notably, while firewalls are a useful line of defence, they don't provide much in the way of active intelligence about possible attackers. "Firewalls do a good job of blocking traffic, but not of thinking about what it is," says Joe Magee, chief security officer for Top Layer. By their nature, both antivirus and firewall systems are also limited in their ability to fend off internal attacks, or attacks by hackers who have successfully cracked basic company passwords. "These technologies are only effective in dealing with unauthorised access activities," says CA's Zatz.

Looking for intruders

So how do you grow beyond the firewall? One approach that is growing in popularity is to use intrusion detection systems (IDSes) or intrusion prevention systems (IPSes) to more proactively deal with potential network threats. "We now know that even the best firewalls are vulnerable to attack," says Graham Dodson, product marketing manager for SecureNet. "To provide us with notification someone has broken through the firewall, an intrusion detection system should be implemented."

As the names suggest, IDSes monitor network activity and report suspicious activity, based on pattern matching for unusual behaviour. IPSes go a step further and attempt to stop the intrusive activity, either by disallowing the connection or by diverting the attacker into a honey pot (a server with low security but containing no vital data, which acts as a decoy) or onto a fake address. As with firewalls, both can be implemented as software-only solutions or (for more effective performance at a higher cost) as separate standalone devices.

Their dependence on pattern recognition makes IDSes and IPSes subject to some of the same criticisms as antivirus and firewall software. "Intrusion prevention systems look for suspicious behaviour or system anomalies rather than specific patterns or signatures, but the behaviours they look for are still based on broad techniques that have been used by hackers in the past," says Arthur Argyropoulos, CEO of managed security provider Zento. "While there is no question they can be more effective, if someone comes up with something totally new and never seen before rather than just a variation, these systems still won't recognise it."

Monitoring all network traffic can also take its toll on the general performance of the network. "One of the pitfalls in using an IDS is performance," says Top Layer's Magee. "IDSes are generally passive," concurs NetScreen's Serrano. "They identify but cannot stop an attack. In addition, they sit off to the side of the network and can only perform random scanning in order not to significantly impact traffic." Again, striking a balance between performance and protection will require you to set explicit policies.

Once the data from an IDS has been collected, you also have to try and make sense of it, especially if an attack appears to be taking place. "One of the main issues with security devices is the logging," says Alphawest's Smith.
"We get too much garbage hiding the real issues, making the job of detection very difficult." Specialised packages, falling into the broad category of security information management (SIM), can be used to help make sense of the log data collected by IDSes and other tools. "Security devices generate some 20,000 different alerts," says Smith. "What a SIM tool will do is normalise that data and aggregate it into 10 separate entities. It will also aggregate all the security alerts across disparate systems so that security alerts from our firewalls, routers, IDS, event logs, and AV software are all collated in one point. This makes management and alerting a lot more proactive."
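The normalise-then-aggregate step Smith describes is easy to see in miniature. The following is an added example, not code from the article or from any vendor quoted in it: it takes a handful of constructed log lines in three made-up formats (a firewall, a network IDS and an antivirus scanner), maps each to one common event schema, then rolls the events up per entity so that one source address probed by several devices appears once, with the evidence from every device attached. The line formats, field names, severity scale and signature ID are all assumptions made for the example, not any product's real output.

```python
import re
from collections import defaultdict

# Constructed sample lines (not real logs) in three invented formats, as a SIM
# tool might receive them from a firewall, a network IDS and an AV scanner.
SAMPLE_LINES = [
    "fw: 2003-06-12T09:14:02 DROP proto=UDP src=203.0.113.7 dst=192.0.2.10 dpt=1434",
    "fw: 2003-06-12T09:14:03 DROP proto=UDP src=203.0.113.7 dst=192.0.2.11 dpt=1434",
    "fw: 2003-06-12T09:14:03 DROP proto=UDP src=203.0.113.7 dst=192.0.2.12 dpt=1434",
    "ids: 2003-06-12T09:14:05 [1:999999] constructed: SQL Server overflow probe [Priority: 1] 203.0.113.7 -> 192.0.2.10",
    "av: 2003-06-12T09:15:30 host=ws-42 file=C:\\temp\\invoice.doc.exe threat=W32/Example-A action=quarantined",
    "fw: 2003-06-12T09:16:00 ACCEPT proto=TCP src=198.51.100.4 dst=192.0.2.10 dpt=443",
]

# One regex per source format; named groups feed the common schema below.
FW_RE = re.compile(r"^fw: (?P<ts>\S+) (?P<action>DROP|ACCEPT) proto=(?P<proto>\w+) "
                   r"src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) dpt=(?P<dpt>\d+)$")
IDS_RE = re.compile(r"^ids: (?P<ts>\S+) \[(?P<sid>[\d:]+)\] (?P<msg>.+?) "
                    r"\[Priority: (?P<prio>\d)\] (?P<src>[\d.]+) -> (?P<dst>[\d.]+)$")
AV_RE = re.compile(r"^av: (?P<ts>\S+) host=(?P<host>\S+) file=(?P<file>\S+) "
                   r"threat=(?P<threat>\S+) action=(?P<action>\S+)$")


def normalise(line):
    """Map one raw line to the common schema, or None if it is not an alert.

    Common schema: ts, source, entity (who/what the alert is about), target,
    category, severity (1 low .. 5 high, an assumed scale).
    """
    m = FW_RE.match(line)
    if m:
        if m["action"] != "DROP":
            return None  # permitted traffic is logged but is not an alert
        return {"ts": m["ts"], "source": "firewall", "entity": m["src"],
                "target": f"{m['dst']}:{m['dpt']}", "category": "blocked-connection",
                "severity": 2}
    m = IDS_RE.match(line)
    if m:
        # Assumed mapping: IDS priority 1 is the most urgent, so invert it.
        return {"ts": m["ts"], "source": "ids", "entity": m["src"],
                "target": m["dst"], "category": "intrusion-attempt",
                "severity": 6 - int(m["prio"])}
    m = AV_RE.match(line)
    if m:
        return {"ts": m["ts"], "source": "antivirus", "entity": m["host"],
                "target": m["file"], "category": "malware", "severity": 4}
    return None  # unknown format: surface as a parser gap rather than guess


def aggregate(events):
    """Roll normalised events up per entity: counts, categories, sources, window."""
    agg = {}
    for e in events:
        rec = agg.setdefault(e["entity"], {
            "count": 0, "categories": defaultdict(int), "sources": set(),
            "max_severity": 0, "first_seen": e["ts"], "last_seen": e["ts"]})
        rec["count"] += 1
        rec["categories"][e["category"]] += 1
        rec["sources"].add(e["source"])
        rec["max_severity"] = max(rec["max_severity"], e["severity"])
        rec["first_seen"] = min(rec["first_seen"], e["ts"])  # ISO timestamps sort lexically
        rec["last_seen"] = max(rec["last_seen"], e["ts"])
    return agg


def correlate(agg, min_sources=2):
    """Entities independently reported by at least min_sources devices."""
    return sorted(ent for ent, rec in agg.items() if len(rec["sources"]) >= min_sources)


def summarise(lines):
    """Full pipeline over raw lines: (per-entity aggregate, cross-device hits)."""
    events = [e for e in map(normalise, lines) if e is not None]
    agg = aggregate(events)
    return agg, correlate(agg)


if __name__ == "__main__":
    agg, flagged = summarise(SAMPLE_LINES)
    for ent, rec in agg.items():
        print(f"{ent}: {rec['count']} alerts, sources={sorted(rec['sources'])}, "
              f"max severity {rec['max_severity']}, {rec['first_seen']}..{rec['last_seen']}")
    print("seen by more than one device:", flagged)
```

The point of the `entity` field is that a firewall talks about source addresses and an AV product about hostnames; once both are mapped to one key, the three firewall drops and the IDS alert for the same address collapse into a single record, while the accepted HTTPS connection never becomes an alert at all. The correlation rule is deliberately simple; a real SIM would also weight by severity and time window.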

SIM systems still don't seem to be enough for some observers. "Intrusion detection systems are a bit up in the air," says Campbell. "There is some disenchantment in the market with their benefits. It takes effort to understand IDS, tune it, and use it properly. I recommend caution [with IPSes] because any time you are automating responses that change traffic, you risk creating an unintentional denial of service." In other words, attempts to block what seems to be undesirable activity may have the side effect of blocking legitimate business tasks.

As with most security solutions, intrusion detection needs to be viewed in the correct perspective. "A lot of people thought intrusion detection would help us stop these attacks, but it's more like a video camera; it catches people in the act," says Magee. "Intrusion detection does have a role, but it doesn't completely reduce the risk."

Other, more specialised software is also now playing a role in company security planning. "Content management is something that people are taking more and more of an interest in," says Campbell. For instance, scanning e-mails for words such as "virus" may provide an additional means of detecting possible problems. Security can enter some very unexpected areas in this way. As part of its broad security initiative, Microsoft is investing considerable effort in adding enhanced digital rights management (DRM) across its products, arguing that ensuring that content can only be viewed by appropriate individuals is just as much of a concern for corporations handling sensitive information as it is for movie studios.

Above and beyond these individual point solutions, one constant theme emerges in discussions about IT security: the need to keep systems patched and up to date. "Ironically, one of the most effective ways of keeping your systems secure is still the simplest," says Zento's Argyropoulos. "Keep all your servers and network devices patched to the latest possible revisions."

In a world where the underlying operating systems used by all businesses consist of billions of lines of code, the requirement for better patch management is universally acknowledged. "Staying abreast of vulnerabilities and implementing a solution that automates and manages patch deployment is one of the simplest and most cost-effective methods to protect systems against hackers," says Eric Schultze, director of product research and development for security consulting firm Shavlik.

Of course, it's almost impossible to predict just when a patch is going to be needed in advance. "We have to find out there is a vulnerability," says Microsoft's Russell. "Until someone finds the exploit, we can't do much." The inefficiency of patch management was made abundantly clear earlier this year, when the Slammer worm attacked numerous SQL Server installations worldwide, taking advantage of a vulnerability that Microsoft had identified and patched some months beforehand.

"There are a couple of ways to improve patch management," says Russell. "The first is to be more cognisant of how the patch is deployed." For instance, the first patch Microsoft released to deal with the vulnerability that Slammer exploited fixed the problem, but required significant manual intervention by administrators. After receiving numerous complaints, Microsoft issued a second patch which was much more automated. Unfortunately, it seems many managers never bothered to even seek out the first patch, let alone the second. Microsoft plans to incorporate more sophisticated patch management systems in future Windows server releases, building on the Windows Update technology included in recent versions.

OS enhancements or not, such dismissive attitudes may well change in the future, as IT managers face the wrath of higher-level executives. "We're seeing people more actively working to identify vulnerabilities," says Campbell. "Patch management is a key issue. A lot of the big worms are attacking old and known vulnerabilities. If you combine vulnerability management with patch management, that's a good approach."

One factor complicating any attempt at patch management is the huge number of systems involved. A company running a number of database and network servers, and with all the security elements discussed above deployed on top of that, faces a formidable management challenge in keeping all those systems up to date and working together.

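Campbell's suggestion of combining vulnerability management with patch management comes down to a reconciliation: which hosts still lack a patch for a vulnerability that applies to them, and which of those gaps matter most. The following is an added example, not code from the article, Microsoft, Shavlik or any other party quoted here: it joins a constructed host inventory against a constructed list of required patches and ranks the missing ones by advisory severity and exposure. The patch identifiers are placeholders, not real vendor bulletin numbers, and the product names, severity scale and exposure weights are assumptions made for the example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Patch:
    id: str          # placeholder identifier, not a real vendor bulletin number
    product: str     # which installed product the patch applies to
    severity: int    # 1 (low) .. 5 (critical), as rated in the advisory (assumed scale)
    remote: bool     # exploitable over the network without credentials


@dataclass(frozen=True)
class Host:
    name: str
    products: frozenset   # products installed on the host
    installed: frozenset  # patch ids already applied
    internet_facing: bool


# Constructed data: the patches an organisation has decided are required ...
REQUIRED = [
    Patch("PATCH-0001", "sqlserver", severity=5, remote=True),
    Patch("PATCH-0002", "sqlserver", severity=3, remote=False),
    Patch("PATCH-0003", "webserver", severity=4, remote=True),
    Patch("PATCH-0004", "os", severity=2, remote=False),
]

# ... and what the inventory says is actually deployed on each host.
HOSTS = [
    Host("db-01", frozenset({"sqlserver", "os"}), frozenset({"PATCH-0002", "PATCH-0004"}), False),
    Host("web-01", frozenset({"webserver", "os"}), frozenset({"PATCH-0003"}), True),
    Host("db-dmz", frozenset({"sqlserver", "os"}), frozenset(), True),
]


def missing_patches(host, required):
    """Patches that apply to one of the host's products but are not installed."""
    return [p for p in required if p.product in host.products and p.id not in host.installed]


def risk_score(host, patch):
    """Severity weighted by exposure (assumed weights: 3 remote+exposed, 2 remote, 1 local)."""
    if patch.remote and host.internet_facing:
        weight = 3
    elif patch.remote:
        weight = 2
    else:
        weight = 1
    return patch.severity * weight


def prioritised_gaps(hosts, required):
    """Every (score, host, patch id) gap, highest risk first; ties broken by name."""
    gaps = [(risk_score(h, p), h.name, p.id)
            for h in hosts for p in missing_patches(h, required)]
    return sorted(gaps, key=lambda g: (-g[0], g[1], g[2]))


def coverage(hosts, required):
    """Fraction of applicable (host, patch) pairs that are already applied."""
    applicable = applied = 0
    for h in hosts:
        for p in required:
            if p.product in h.products:
                applicable += 1
                applied += p.id in h.installed
    return applied / applicable if applicable else 1.0


if __name__ == "__main__":
    print(f"patch coverage: {coverage(HOSTS, REQUIRED):.0%}")
    for score, host, patch in prioritised_gaps(HOSTS, REQUIRED):
        print(f"{score:3d}  {host:8s} missing {patch}")
```

The ordering reflects the article's point about old, known vulnerabilities: the same critical database patch scores far higher on the internet-facing host than on the internal one, so the host most likely to be reached by a worm is the one scheduled first. In practice the two inputs come from a vulnerability scanner and a patch-deployment tool rather than from literals, which is exactly the correlation work Argyropoulos says still needs human intervention.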
As a result, demand for unified solutions is increasing rapidly. "We're finding an increasing awareness that a total solution is what solves the problem, not band-aid solutions for individual problems," says Russell. It's widely recognised that security solutions must work in concert to be effective. "It is simply too easy for an intruder to get through a single line of defence," says Kim Valois, director of global information security services for CSC Australia. "No single defensive mechanism absolutely prevents a hack or attack." Even vendors agree. "Rarely can a single product or vendor provide all possible aspects of security -- there are far too many components, each changing very rapidly," says NetScreen's Serrano.

"Using multiple layers is definitely more effective than just relying on a firewall," says Argyropoulos. However, getting the different layers to work in conjunction is more difficult, and almost impossible to automate. "The only effective way to achieve any kind of correlation between these devices is through human intervention," says Argyropoulos. The human element is likely to remain important for some time to come. "A good security system only works if a multi-layer approach underpinned by a robust set of security policies and procedures is implemented," says SecureNet's Dodson.

Can we stay ahead?

By its very nature, current security technology tends to be reactive rather than proactive. In part, this is because of inherent limitations in all security products. As the Defence Signals Directorate cheerfully points out on its Web site: "No product can be guaranteed to be 'hacker proof' or 'impenetrable'." As well as technological limitations, there are also cultural factors to be considered. "Technology can only go so far -- people always screw up," says Top Layer's Magee. "In the computer security field, technology can help. In fact, it can help a lot. But a little common sense goes an awful long way," says Sophos' Ducklin.

Few security industry observers believe that corporate networks will ever be able to be made truly hacker proof. "The way hackers are evolving and the technologies they have mean that we are always going to have to be constantly vigilant around security," says Russell. Some do believe, however, that we may get closer to the goal of keeping all hackers out. "Whilst you almost certainly can't build a hacker-proof system, there is no reason why you can't get very close -- close enough for all practical purposes," says Ducklin.

"It could be argued that there will always be a cleverer person around the corner who could discover a 'back door', but it is possible to have an extremely high level of assurance in a properly configured and managed system," says Dodson. "IT security is more of a risk management issue than ever before and many organisations are treating this issue with the same diligence they treat other forms of risk management." "There is a risk to doing business of any sort," says Smith. "No system can be completely fool-proof, however with the right risk-based approach, we can make our assets as secure as possible whilst still enabling the business to run."

Sadly, there is no ultimate solution. "You need to be as proactive as possible -- but that may be just building in measures that protect against known problems," says Campbell.
"If you're targeted with a new exploit, you're going to go down. You need to do everything you can do to protect against what's known, everything you can to respond to what's new, and pray for the rest."