
Assessing Likely Threats to the Network

Before you can explore the topic of computer security, you must first formulate a realistic assessment of the threats to those systems. The key word is realistic. Clearly one can imagine some very elaborate and highly technical potential dangers. However, as a network security professional, you must focus your attention—and resources—on the likely dangers. Before delving into specific threats, let’s get an idea of how likely attacks, of any type, are on your system.

In this regard, there seem to be two extreme attitudes toward computer security. The first viewpoint holds that little real danger or threat exists to computer systems and that much of the negative news is simply a reflection of unwarranted panic. People of this attitude often think that taking only minimal security precautions should ensure the safety of their systems. Unfortunately, some people in decision-making positions hold this point of view. The prevailing sentiment of these individuals is, “If our computer/organization has not been attacked so far, we must be secure.”

This viewpoint often leads to a reactive approach to computer security, meaning that people will wait until after an incident to decide to address security issues. Waiting to address security until an attack occurs might be too late. In the best of circumstances, the incident might have only a minor impact on the organization and serve as a much-needed wake-up call. In less fortunate cases, an organization might face serious, possibly catastrophic consequences. For example, some organizations did not have an effective network security system in place when the WannaCry virus attacked their systems. In fact, WannaCry would have been completely avoided if systems had been patched. Avoiding this laissez-faire approach to security is imperative.

Any organization that embraces this extreme—and erroneous—philosophy is likely to invest little time or resources in computer security. They might have a basic firewall and antivirus software, but most likely expend little effort ensuring that they are properly configured or routinely updated.

The second viewpoint is that every teenager with a laptop is a highly skilled hacker who can traverse your systems at will and bring your network to its knees. Think of hacking skill like military experience. Finding someone who was in the military is not too hard, but encountering a person who was in Delta Force or SEAL Team 6 is rare. Although military experience is fairly common, high levels of special operations skills are not. The same is true with hacking skills. Finding individuals who know a few hacking tricks is easy. Finding truly skilled hackers is far less common.

At the other end of the spectrum, some executives overestimate security threats. They assume that very talented hackers exist in great numbers and that all of them are an imminent threat to their system. They might believe that virtually any teenager with a laptop can traverse highly secure systems at will. This viewpoint has, unfortunately, been fostered by a number of movies that depict computer hacking in a somewhat glamorous light. Such a worldview makes excellent movie plots, but is simply unrealistic. The reality is that many people who call themselves hackers are less knowledgeable than they think. Systems protected by even moderate security precautions have a low probability of being compromised by a hacker of this skill level.

This does not mean that skillful hackers do not exist. They most certainly do. However, people with the skill to compromise relatively secure systems must use rather time-consuming and tedious techniques to breach system security. These hackers must also weigh the costs and benefits of any hacking mission. Skilled hackers tend to target systems that have a high benefit, either financially or ideologically. If a system is not perceived as having sufficient benefit, a skilled hacker is less likely to expend the resources to compromise it. Burglars are one good analogy: Certainly, highly skilled burglars exist; however, they typically seek high-value targets. The thief who targets small businesses and homes usually has limited skills. The same is true of hackers.

Both extreme attitudes regarding the dangers to computer systems are inaccurate. It is certainly true that people exist who have both the comprehension of computer systems and the skills to compromise the security of many, if not most, systems. However, it is also true that many who call themselves hackers are not as skilled as they claim. They have picked up a few buzzwords from the Internet and are convinced of their own digital supremacy, but they are not able to effect any real compromise of even a moderately secure system.

You might think that erring on the side of caution, or extreme diligence, would be the appropriate approach. In reality, you do not need to take either extreme view. You should take a realistic view of security and formulate practical strategies for defense. Every organization and IT department has finite resources: You only have so much time and money. If you squander part of those resources guarding against unrealistic threats, then you might not have adequate resources left for more practical projects. Therefore, a realistic approach to network security is the only practical approach.

You might be wondering why some people overestimate dangers to their networks. The answer, in part at least, lies with the nature of the hacking community and with the media. Media outlets have a tendency to sensationalize. You don’t get good ratings by downplaying danger; you get them by emphasizing, and perhaps outright exaggerating. Also, the Internet is replete with people claiming significant skill as hackers. As with any field of human endeavor, the majority is merely average. The truly talented hacker is no more common than the truly talented concert pianist. Consider how many people take piano lessons at some point in their lives, and then consider how many of those ever truly become virtuosos.

The same is true of computer hackers. Keep in mind that even those who do possess the requisite skill also need the motivation to expend the time and effort necessary to compromise your system. Keep this fact in mind when considering any claims of cyber prowess you might encounter.

The claim that many people who describe themselves as hackers lack real skill is not based on any study or survey. A reliable study on this topic would be impossible because hackers are unlikely to identify themselves and submit to skills tests. I came to this conclusion based on two considerations:

  • The first is simply years of experience traversing hacker discussion groups, chat rooms, and bulletin boards. In more than two decades of work in this field, I have encountered talented and highly skilled hackers, yet I encounter far more who claim to be hackers but clearly demonstrate a lack of sufficient skill. I have also been a frequent speaker at hacking conferences, including DEF CON, and have published in hacking magazines such as 2600. I have had the opportunity to interact extensively with the hacking community.

  • The second is that it is a fact of human nature that the vast majority of people in any field are, by definition, mediocre. Consider the millions of people who work out at a gym on a regular basis, and consider how few ever become competitive body builders. In any field, most participants will be mediocre. That is not meant as a derogatory statement; it is just a fact of life.

This statement is also not meant to minimize the dangers of hacking. That is not my intent at all. Even an unskilled novice attempting to intrude on a system will get in, in the absence of appropriate security precautions. Even if the would-be hacker does not successfully breach security, he can still be quite a nuisance. Additionally, some forms of attack don’t require much skill at all. We discuss these later in this book.

A more balanced view (and therefore, a better way to assess the threat level to any system) is to weigh the attractiveness of a system to potential intruders against the security measures in place. As you shall see, the greatest threat to any system is not actually hackers. Viruses and other attacks are far more prevalent. Threat assessment is a complex task with multiple facets.
