Jokesters confirm: security is no laughing matter

The bad news is no network can be completely secure. The good news is that may not be a problem

Jesper Johansson and Steve Riley probably have a future in comedy if their security roles at Microsoft ever wind up. Their sessions at TechEd were popular with punters who turned out in force to learn about the myths of security and to understand how they can make absolutely sure that their network is hackable. Delivered with a mix of visual gags and quips — the definition of a security expert: “(noun) a person who’s been quoted in the media” — their messages were nonetheless sobering to many.

“How do you know that you haven’t already been hacked?” asked Johansson, before relating a story about a major corporate in the US that discovered a number of phantom employees on the payroll. It turns out the payroll system had been hacked and the corporation had been paying salaries to several phantoms for some time.

Asked whether it’s a hopeless case trying to create secure environments given the almost infinite set of possible exploits, the somewhat dispiriting answer was “Yes it is, really”. That’s actually a qualified “yes” — it’s a question of degree. If the bad guys want what you have badly enough, then they’ll find a way to get it. But there’s no point in making it easy either because that just opens the door to a whole lot of opportunists who would otherwise not be a threat.

“It’s really about raising the security bar,” says Johansson, “so that you can keep out the 80% — the script kiddies and the like — and focus your efforts on doing what you can to protect against and target the really serious threats”.

Riley agrees: “Security is really risk management and you need to make a decision about the value of what you are protecting versus the cost of protecting it”.

One point that the pair make is that a lack of application-level security — an insecure web application, for example — increasingly provides the backdoor through which hackers can compromise your network. They’ll happily do that on the one port commonly opened through firewalls — port 80 for the web server. Or, as Johansson laughingly puts it, “I’m happy to use [HTTPS] port 443 if you’ve opened that, because encrypted hacker traffic is much better for me anyway”.

Either way, with a security failure at the application level, the presence of a network firewall can become completely irrelevant.

In one of his sessions, Johansson demonstrates an exploit using SQL injection to compromise a web server behind a firewall, and then from that single machine proceeds to compromise all the other machines in the internal network.
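As an added illustration of the application-level hole Johansson demonstrates (this code is not from the sessions or the article), a login check built by string concatenation sits beside the parameterised version, run against a constructed in-memory SQLite table with Python's sqlite3 module; the plaintext password column and the user names are part of the constructed sample, not a recommendation.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    # Constructed in-memory database standing in for the web application's backend.
    # Real systems store password hashes, not plaintext; this is a demo table only.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "correct horse"), ("bob", "battery staple")],
    )
    conn.commit()
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> bool:
    # The query is built by concatenation, so user input is parsed as SQL syntax.
    query = (
        "SELECT COUNT(*) FROM users WHERE username = '" + username
        + "' AND password = '" + password + "'"
    )
    return conn.execute(query).fetchone()[0] > 0


def login_parameterised(conn: sqlite3.Connection, username: str, password: str) -> bool:
    # Bound parameters: the input is always treated as data, never as part of the statement.
    row = conn.execute(
        "SELECT COUNT(*) FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row[0] > 0


def demo() -> dict:
    conn = make_db()
    # Constructed hostile input: closes the string literal, then adds a
    # tautology that makes the WHERE clause true for every row.
    hostile = "' OR '1'='1"
    return {
        "legit_vuln": login_vulnerable(conn, "alice", "correct horse"),
        "legit_safe": login_parameterised(conn, "alice", "correct horse"),
        "hostile_vuln": login_vulnerable(conn, "nobody", hostile),  # True: bypassed
        "hostile_safe": login_parameterised(conn, "nobody", hostile),  # False: rejected
    }
```

The concatenated version accepts the hostile input with no valid credentials at all, which is the foothold the firewall never sees; the parameterised version rejects it.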

“And once a hacker gets in he will lie, cheat, steal and hide, and you will never get him out,” he warns.

Once compromised, you don’t know what you can’t trust, leaving the rather daunting prospect of a complete rebuild of your network as the only safe recovery strategy.

“Or you could just ignore it,” chuckles Johansson, “and hope the bad guys run your network better than you did”.

Evans is a partner at Ideas Accelerator. Email him at mark@ideasaccelerator.com

Some useful tips from the sessions

  • Watch out for application security holes and don’t run applications and services using privileged accounts
  • Restrict traffic between machines inside the firewall to just what’s needed. Don’t allow unrestricted outbound traffic from internal machines to the internet. This often allows an intruder to gain a foothold in your network
  • Don’t use the same usernames and passwords across multiple machines and domains
  • Password cracking isn’t the big problem. If you can access the hashed passwords and know how the challenge process works, a hash is as good as the original password
  • Measure known “good” network behaviour to allow you to spot anomalies and realise how your network may be compromised
  • Use layered defences
  • Always be paranoid and train everyone in your organisation to exercise that same paranoia
