[2387] in WWW Security List Archive
Re[2]: Need a Security Consultant
daemon@ATHENA.MIT.EDU (Mark_W_Loveless@smtp.bnr.com)
Wed Jul 10 20:16:47 1996
From: Mark_W_Loveless@smtp.bnr.com
Date: Wed, 10 Jul 96 16:59:45 CST
Cc: www-security@ns2.rutgers.edu
Errors-To: owner-www-security@ns2.rutgers.edu
I also found portions of this disturbing.
I have gone into an out-of-state company that was losing bids by very
small amounts to one particular competitor. It took a few days to get
the full story but one individual was hired in as a temp computer
operator (3rd shift) and was stealing and reselling secrets. The
hacking attempts (all unsuccessful) that had been made from the
outside stopped after this guy started working.
Back doors in every system, from Netware to Lotus Notes Servers to
Unix. A laptop that had been missing was found under the raised floor
with sniffer software loaded, cabled to the network.
The company lost six figures in business, and never went public
because they sold physical security systems (cameras, etc). The guy
was fired, but he didn't seem too worried. Seems he had a second job
on second shift at another company...
While the thrillrider/hacker is usually just out for kicks and WILL
move on to easier targets, if there is money involved you will attract
a different type of threat. Yes, the 15yr old using scripts and 3 yr
old "tools" can do damage if they get in, but stealing customers is
much more damaging. Everyone tries to stop the obvious attacks, but
does everyone try and stop the "professional" attack?
Mark_W_Loveless@smtp.bnr.com
Opinions are my own, not my employer's
______________________________ Reply Separator _________________________________
Subject: Re: Need a Security Consultant
Author: chris.liljenstolpe@ssds.com at internet
Date: 7/6/96 10:26 PM
Greetings,
Some of these comments are disturbing, and indicative of the
problems we have with INFOSEC in corporate America.
On Fri, 5 Jul 96 12:13:01 -0400, the sage Frank Willoughby
<frankw@in.net> scribed:
>At 02:03 PM 7/4/96 +0200, Vassilis Risopoulos allegedly wrote:
>
[SNIP]
>
>
>No offense taken and you raised some good points. While I agree with
>most of what you say, I don't agree with everything you said. While
>no security is 100% impenetrable (nor will it ever be), the goal of
>good InfoSec is to make your company less appealing (ie - more difficult
>to break into) than other companies.
This is incorrect. While this stance may protect an entity against a
low-grade threat attack (the attacker who is out "joy-riding"), it
will not protect a company that is the target of a directed attack
(mid-grade to high-grade). In these cases, the act of breaking in is
not the driving force, it is achieving a goal after getting in.
In these cases (industrial espionage, info-terrorism, information
warfare, etc.) the target is a specific entity or company, and the
attacker will not "just go away and attack a softer target" if the
target is hardened, the attacker will, instead, continue to probe
electronically, physically, and socially. They WILL find a way in.
The goal is to make it VERY expensive for them to do so (hopefully
more expensive than the return on investment), detect them when they
DO get in, and limit the amount of damage that they can do.
American corporations are, for the most part, concerned about
low-grade threats, and are ignoring the potentially more devastating,
higher-grade threats. Your statement is a PRIME example.
>
>IOW, if I'm taking a hike in the woods with someone else and a bear
>starts to chase us, I only need to run faster than the other person
>to be assured a reasonably good chance of coming out of the situation
>(more or less) intact. The same applies to businesses & hacking.
>Hackers, like most other people, usually tend to go the path of least
>resistance. Why would they spend weeks or months trying to crack one
>company while at another company, it only takes a few minutes? Unless
>the hacker has a personal axe to grind, they usually won't bother.
>
>During the time I worked at the subsidiary, we had no successful
>breakins. You'll excuse me if I don't talk about that company's
>security, but I will say that we made ourselves a less attractive target
>than other corporations and that we spent some serious energy into
>securing the remote access connections. Not every company is willing to
>spend some time & money in securing their remote access connections
>(which represent one of the primary entry points an intruder can have
>into a corporation) - and the results frequently show up in the press.
>
>However, I will mention that it is a very wise procedure to have
>as few gateways as possible and to guard those gateways like a hawk.
>Assuming that the connections are secure AND that those connections
>are monitored for potential abuses AND you are ready to pull the
>plug if anything looks suspicious, THEN you have a decent start
>on good network security.
>
>Kind regards,
>
>
>Frank
>P.S. - Many thanks for your mail. You brought a few important
> topics to light.
>Any sufficiently advanced bug is indistinguishable from a feature.
> -- Rich Kulawiec
>
><standard disclaimer>
>The opinions expressed above are of the author and may not
>necessarily be representative of Fortified Networks Inc.
>
>Fortified Networks Inc. - Information Security Consulting
>http://www.fortified.com Phone: (317) 573-0800 FAX: (317) 573-0817
>Home of the Free Internet Firewall Evaluation Checklist
>
>
>
>
--
( ( | ( Chris Liljenstolpe <Chris.Liljenstolpe@ssds.com>
) ) (| ), inc. SSDS, Inc; 8400 Normandale Lake Blvd.; Suite 993
business driven Bloomington, MN 55437;
technology solutions TEL 612.921.2392 FAX 612.921.2395 Fram Fram Free!
PGP Key 1024/E8546BD5 FE 43 BD A6 3C 13 6C DB 89 B3 E4 A1 BF 6D 2A A9