Opinion: How security became mission impossible

Chief security officers should be worried, says Paul Venezia

It's been quite a month for network and computer security folks. Sony's network was hacked — what, a half-dozen times? I've lost count. Then apparently everything from the CIA's website to your grandmother's embroidery blog was successfully compromised. It's almost like someone wants to prove a point.

The fact is that, even with the proliferation of computer and network security tools, it's easier than ever to compromise a network. Couple the economic downturn, which has resulted in the layoffs of thousands of skilled IT workers, with willy-nilly implementations of highly public internet applications and frameworks — plus the extreme effectiveness of today's hacking tools — and you have big problems. It does require skill to crack into a corporate server, but that expertise need only be possessed by the few people who write the tools that let anyone halfway adept get into the game. After all, known exploits are known exploits, and if you can figure out how to use public proxies or other anonymising tools and fire up a few apps, you too can get in on the fun.

On the other side of the fence, there are — and should be — a whole bunch of very worried CSOs. These execs should be worried not only because their networks are going to be targeted, but because they know they simply aren't equipped to deal with the problem. Simply put, the weapons on the other side are more effective than theirs. They're outgunned and outnumbered.

Part of the problem with working in IT security is proving your worth. Bean counters can easily dismiss IT security as a money pit because "we haven't been hacked". Proving that negative when budgets are tight can be challenging. I've actually heard the argument that IT security staff should be laid off because "who would bother hacking into our company?" Of course, the answer is obvious: hordes of 14-year-old kids armed with underground hacking tools and boredom. Or, if you're unlucky, a Russian criminal organisation that decides you're worth hacking after all.
The best way to protect against attack is to hire competent security people — but also to make sure that new projects are not rushed into production in an effort to meet some kind of deadline defined by nontechnical management. That's exactly how big security holes are created and how everything falls apart very quickly.

Also, make sure you're conducting regular internal and external security audits from highly reputable firms. This should include everything from external penetration testing to training employees to avoid social engineering ploys. In addition, regularly scan for rogue access points and keep close tabs on what goes into and out of the datacentre — and what's actually in there. After all, a SheevaPlug looks like a wall-wart power supply and could be doing all kinds of nasty things while plugged in behind a desk where nobody was looking.

I know this advice sounds like your dentist admonishing you to floss three times a day and brush five, but it's good practice, even if these measures won't protect you from a few thousand loosely organised teenagers armed with Low Orbit Ion Cannon and IRC. Let's face it, protecting an internet-connected network of any size is no simple task, and it'll only get harder. If you've never been compromised, it's probably not that your security is all that great; it's because you haven't been noticed — yet.
