- The recent hacker attacks at Microsoft have had a tremendous impact in the industry.
"If Microsoft can fall victim, what prevents our company from becoming the next one?" is the common question being asked.
The attack was originally thought to be the work of a worm or a Trojan horse that, once unknowingly executed, proceeded to download precious source code to a remote attacker's computer. But now a more realistic scenario has emerged.
According to the original early reports, an attacker somehow planted a worm within Microsoft that allowed him or her to unearth valuable source code and download it from around the world. This scenario is great for science fiction, but would have had some formidable hurdles to clear in reality.
The first is the writing of the QAZ worm itself. We are fairly certain that the QAZ worm is not publicly available, so the author would have had to design it from scratch. This is hardly impossible, but it requires too many assumptions. The worm would have needed an ingenious design to ferret out the computer systems that contained source code from the Microsoft labyrinth, bypass Visual Source Safe authentication, and then return that code to the attacker.
A more likely theory is that the attacker piggybacked on an employee's system. This technique has long been considered an enormous risk, but it is also one that most organisations play down or simply ignore due to its immense scope.
Here's how it works: Employees often work from home and on the road; when they do, they take a small piece of your organisation with them. Yet their personal systems are typically the least secure. Although system administrators at your company probably focus on the "vital" systems such as the web, mail, primary domain controllers, and centralized NT/Unix servers, they are probably completely missing the biggest threat to your enterprise: the individual employees' home computers.
We have stated ad nauseam in this column and elsewhere that security is only as strong as your weakest link. This means that if you do not actively attempt to secure every major cyber inlet to your company, then you leave yourself at risk.
The knee-jerk reaction is to buy products such as SecureID or VPN technology to provide a secure mechanism for your employees to remotely log in to your corporate network. But these technologies are the Band-Aids applied to the haemorrhage. They do nothing more than restrict unauthorised users from gaining access directly into the company and encrypting the traffic between the employee's computer and the company's network. But they don't stop a hacker from attacking an employee's home system and riding that connection to the corporate motherland.
By far the easiest way into any organisation is to go after the employees' systems. Many now have @Home and DSL connections to the internet. And they are constantly bombarded with massive port scans from kiddies searching for Windows 95/98 and NT systems, not to mention Linux systems.
We continue to be amazed at our WinRoute firewall and IPFilter logs where scans for Windows systems, Unix systems, and Trojan horse backdoor programs abound. The kiddies are probing for low-hanging fruit or, in this case, systems vulnerable to attack, and these always-on connections provide a target-rich environment. It does not take a high IQ to understand that most home users know nothing about security and consequently make themselves attractive targets for hackers.
As difficult as it is to swallow, the counter to the piggyback technique is to harden your employees' home systems as well as your internal company assets. If you need to allow remote connectivity into your network over the internet, then you must extend the reach of your corporate security.
We understand this is a daunting task for your IT department, but at a minimum you must deploy -- and then support -- some sort of personal firewall technology that blocks undesirable incoming port scans. WinRoute, by TinySoftware, continues to be a favorite for Windows systems, but latecomers such as Symantec's Personal Firewall also show promise.
In addition, you should harden your home users' systems on a regular basis by checking their password usage, confirming service pack updates, forcing the use of anti-virus software, and restricting their registry and file permissions. These security checkups must be done on a recurring basis and must be followed up with immediate fixes.
In today's always-connected world, your corporate jewels now extend around the world. The sooner you and your company understand this concept, the more secure your company will be.
Stuart McClure is president and CTO and Joel Scambray is managing principal at security consultant Foundstone (www.foundstone.com).