Internet-using organisations should monitor and clearly label their outgoing traffic as well as observing incoming communications, to make it easier to track hackers and virus/worm propagators coming from within, says Canberra-based Cisco security specialist Peter Elford.
Intentional distributors of nasties – as opposed to people whose mailing address books are unwittingly used – are typically careful to “spoof” their communications to make them look as though they are coming from another source, he says. If an organisation makes sure nothing goes out without one of its genuine IP (internet protocol) addresses attached, malicious employees may think twice about attacking other systems through the internet, he says.
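One way to put that outbound check into practice, as an added example that is not from the article or from Cisco: a small Python check over constructed egress flow records that flags anything leaving with a source address outside the organisation's own prefixes (the prefixes, flow lines and function names are made-up sample values).

```python
import ipaddress
from typing import Dict, Iterable, List

# Prefixes the organisation legitimately sends from (constructed sample
# values, not real allocations). Anything else leaving the edge is suspect.
ORG_PREFIXES = [ipaddress.ip_network("203.0.113.0/24"),
                ipaddress.ip_network("198.51.100.0/25")]

# RFC 1918 ranges: addresses that should never appear as a source on the
# outside of the edge at all.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed outbound flow records: "src_ip dst_ip proto dst_port", in the
# shape an egress firewall or flow collector might export.
SAMPLE_FLOWS = """\
203.0.113.45 192.0.2.10 tcp 80
198.51.100.7 192.0.2.22 udp 53
10.0.0.9 192.0.2.10 tcp 80
192.0.2.99 192.0.2.10 tcp 22
198.51.100.200 192.0.2.5 tcp 443
""".splitlines()


def is_legitimate_source(src: str, prefixes=ORG_PREFIXES) -> bool:
    """True if src falls inside a prefix the organisation is entitled to use."""
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in prefixes)


def find_spoofed_egress(flows: Iterable[str], prefixes=ORG_PREFIXES) -> List[Dict]:
    """Return outbound flows whose source address is not one of ours.

    Each hit records why: a private address leaking past the edge, or a
    source belonging to someone else (the spoofing the article describes).
    """
    hits = []
    for line in flows:
        src, dst, proto, port = line.split()
        if is_legitimate_source(src, prefixes):
            continue
        addr = ipaddress.ip_address(src)
        leak = any(addr in net for net in RFC1918)
        reason = "private-source-leak" if leak else "foreign-source"
        hits.append({"src": src, "dst": dst, "proto": proto,
                     "port": int(port), "reason": reason})
    return hits
```

In the sample, 198.51.100.200 is flagged because the organisation only holds the lower /25; a flow collector rule built this way also catches an edge device that has been misconfigured, not just a deliberate spoof.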
Awareness of the security dangers of internet connection is “as high as it has ever been”, Elford says, but there is a gap between awareness and willingness to do anything. As evidence, he cites the fact that many server owners clearly still had not implemented the Microsoft fix that protects against the Code Red worm, nor apparently read Microsoft’s and others’ readily available material on building secure web servers.
“Basically, the message is: turn off everything [in software] you don’t need.”
Alongside this, a strictly managed procedure and audit trail for promptly implementing patches is essential, he says.
“I’d like to say Cisco has a silver bullet for these problems, but we don’t.”
The company is, however, advancing its detection and firewalling tools from separate network devices to “blades” inserted in a switch backplane, and eventually to application-specific integrated circuits (ASICs). This aims at increasing the speed of traffic screening to match the ever-growing volume of communications.
“It’s like the roads; we can and should all do our bit to make roads and vehicles safer – but some people will still drive like idiots. You can never eliminate the risk.”
But it’s certainly better to build the safeguards in at the beginning than to retrofit them. Denial of service attacks are a growing species of danger and “very hard to track”, he says. It’s difficult to tell the difference between a concerted attack and what may just be a busy period with lots of genuine customers coming into the site.
“Legislation is necessary, but I doubt if it’s particularly useful [as a deterrent],” Elford says, since hackers never think they will be detected. He suggests, though, that judges’ attitudes are hardening and sentences becoming more severe. When someone hacked a system Elford was managing in the early 90s, “he got put on a good behaviour bond,” he says. “[More recent major hacker] Kevin Mitnick is in jail.”
Governments are moving towards a uniform set of security evaluation criteria to replace separate European and US methodologies, he says.