An ethical hacker's evaluation of a system's security seeks answers to three basic
questions:
• What can an intruder see on the target systems?
• What can an intruder do with that information?
• Does anyone at the target notice the intruder's attempts or successes?
While the first and second of these are
clearly important, the third is even more important: If the owners or operators
of the target systems do not notice when someone is trying to break in, the
intruders can, and will, spend weeks or months trying and will usually
eventually succeed.
When the client requests an evaluation, there
is quite a bit of discussion and paperwork that must be done up front. The
discussion begins with the client's answers to questions similar to those posed
by Garfinkel and Spafford:
• What are you trying to protect?
• What are you trying to protect against?
• How much time, effort, and money are you willing to expend to obtain adequate
protection?
A surprising number of clients have
difficulty precisely answering the first question: a medical center might say
"our patient information," an engineering firm might answer "our
new product designs," and a Web retailer might answer "our customer
database."
All of these answers fall short, since they only describe targets in a
general way. The client usually has to be guided to succinctly describe all of
the critical information assets for which loss could adversely affect the
organization or its clients. These assets should also include secondary
information sources, such as employee names and addresses (which are privacy
and safety risks), computer and network information (which could provide
assistance to an intruder), and other organizations with which this
organization collaborates (which provide alternate paths into the target
systems through a possibly less secure partner's system).
A complete answer to (2) specifies more than
just the loss of the things listed in answer to (1). There are also the issues
of system availability, wherein a denial-of-service attack could cost the
client actual revenue and customer loss because systems were unavailable. The
world became quite familiar with denial-of-service attacks in February of 2000
when attacks were launched against eBay, Yahoo, ETRADE, CNN and other popular
Web sites. During the attacks, customers were unable to reach these Web sites,
resulting in loss of revenue and "mind share." The answers to (1)
should contain more than just a list of information assets on the
organization's computer. The level of damage to an organization's good image
resulting from a successful criminal hack can range from merely embarrassing to
a serious threat to revenue. As an example of a hack affecting an
organization's image, on January 17, 2000, a U.S. Library of Congress Web site
was attacked. The original initial screen is shown in Figure 1, whereas the
hacked screen is shown in Figure 2. As is often done, the criminal hacker left
his or her nickname, or handle, near the top of the page in order to guarantee
credit for the break-in.
Some clients are under
the mistaken impression that their Web site would not be a target. They
cite numerous reasons, such as "it has nothing interesting on it" or
"hackers have never heard of my company." What these clients do not
realize is that every Web site is a target. The goal of many criminal hackers
is simple: Do something spectacular and then make sure that all of your pals
know that you did it. Another rebuttal is that many hackers simply do not care
who your company or organization is; they hack your Web site because they can.
Answers to the third question are complicated
by the fact that computer and network security costs come in three forms. First
there are the real monetary costs incurred when obtaining security consulting,
hiring personnel, and deploying hardware and software to support security
needs. Second, there is the cost of usability: the more secure a system is, the
more difficult it can be to make it easy to use. The difficulty can take the
form of obscure password selection rules, strict system configuration rules,
and limited remote access. Third, there is the cost of computer and network
performance. The more time a computer or network spends on security needs, such
as strong cryptography and detailed system activity logging, the less time it
has to work on user problems. Because of Moore's Law, this may be less of an
issue for mainframe, desktop, and laptop machines. Yet, it still remains a
concern for mobile computing.