What We Know About Security

You will notice that throughout this book, I refer to this area of study as "the WORLD of information security." The term "world" has been used intentionally since there is a whole world found within the topic. While exploring security, we will discover fascinating subcultures of security practitioners and hackers who have propagated and spread, uninhibited by international or geographic boundaries. Continually innovative and relentless in their initiatives, their growing numbers constantly wage war with and against each other in every corner of the globe. For simplicity's sake, I will talk about these parties as the "good" and the "evil" sides of information security, the security practitioners and the hackers, respectively. There are many gray and colorful shades between the good and the bad, all of which are quite fascinating, but would simply serve to confuse the issue and distract from the focus. So for now, we will just consider them the "good guys" and the "bad guys."

The Good Guys

Simply put, WE are the good guys. By "we," I am referring to the individuals and groups of professional and amateur security practitioners working to protect the safety of IT within our own arenas. Our motivations range widely, often centering on a sense of challenge, a few noble ideals, and a desire for high compensation, benefits, and job security. Unfortunately for us, and certainly to the detriment of the security world, the desire for high compensation and profitable business tends to make the process of securing something much more expensive than the process of hacking it. Sure, security can provide a sense of nobility and truth. I rarely find security professionals who are not happy in their jobs; however, if this were the primary motivation for security professionals, then the security industry would not be the cash cow it currently is. And while a security consultant can be expensive, hackers normally work for free or even at their own expense. While popular firewalls cost many thousands of dollars, almost all hacker tools are free or extremely cheap. We will discuss this in Chapter 7, Know Thy Enemy and Know Thyself.

The good guys remain a strong force in the world of information security. On a global scale, however, we have only been effective in the pockets where security is practiced wisely and regularly. The majority of organizations and home users on this planet still maintain little to no security, thus providing an unending number of targets for the bad guys and a wide variety of problems for the rest of us. Government and law enforcement organizations are doing a great job with their limited funding and resources, but the budgets for information security enforcement seem far too low to be effective on a massive scale. Government institutes, in general, rely on patriotism to attract good security professionals rather than high salaries. This leaves most of the extremely talented good guys working for independent companies and not necessarily participating in the larger security community. As it stands, fighting cyber crime can be accurately compared to fighting terrorism with a bunch of neighborhood watch programs. We all have our own little neighborhoods we are watching, in case someone targets our block.

Most of the people involved in the technical world, however, seem to be in the process of becoming security-aware and are helping to make great strides in fighting this war. Beyond the tremendous growth we have seen in the average individual user, there is also a spirit of group effort in the form of non-profit organizations and semi-formal collaborations between talented security professionals. These groups work to fight crime and plan security for the sake of the whole, not just their own neighborhood. We are indeed progressing and managing to keep pace, in many respects, with the bad guys.

The Bad Guys

Vastly outnumbering the good guys, bad guys come in all shapes and sizes, from different backgrounds, levels of education, and social classes. They can be sitting across the world from us, or they could be our oldest and most trusted employees. It is important for those practicing security to have a good understanding of these individuals and groups, their resources, capabilities, and motivations. Chapter 7 is dedicated to understanding how these people think and operate; but for now, we will keep it simple.

The enemies in the world of information security are those who desire to gain access to and/or manipulate our electronic services and information against our will and without our permission. In general, the bad guys can operate with very little overhead requirements. A basic computer, an Internet connection, a phone line, and a lot of time are about all that is needed to be a successful hacker. The tools and talents can be acquired by most technically-minded people quickly and easily through hacker Web sites, forums, and chat groups.

Unfortunately, a hacker with a $1,500 budget and a few months of effort can often effectively wage war against companies with millions invested in security. It is important to understand that organizations have to spread focus across a million possible vulnerabilities, while the hacker only has to focus in on the one that was missed or not secured properly. Even worse, the average employee hacker can operate with no budget at all! We will discuss all of this in more detail later. For now, it is important to remember that the good guys are greatly outnumbered, and that while securing something can be resource-intensive, hacking into it simply requires time. For every hour spent securing something in this world, there may be thousands of hours spent trying to find a way into it.

Of course, there are many different types of hackers, each with his or her own set of motivations and resources, and each posing a different threat to an organization. There are a number of very distinct cultures that exist within the realm of the bad guys, some of which are quite fascinating and some of which are quite pathetic. The neat technical tools we saw in spy movies a few years ago comprise the stuff that professional criminals are actually using today. At the same time, the story of the computer nerd who breaks into the mega-huge company using a shoestring and a stick of gum can also come true. Every place you look, everywhere you turn, there seems to be a bad guy. Chances are that everyone reading this book knows someone who is or has been a hacker at some point in time.

Our Abstract Battleground

Now that we have taken a peek at the two warring parties, let's take a moment to reflect on the physical reality behind the information security battlefield. All devices operate and communicate through a series of electrical pulses, mostly ones and zeros. When a person spends all of his or her time and creative effort trying to hack into a computer, he/she is simply trying to determine the correct combination of electrical pulses that will serve his/her needs. The good guys, on the other hand, spend all of their time and attention regulating the sequences of electrical pulses entering the environment to guard against attacks. Can you imagine the millions of dollars some companies spend simply to regulate the small pulses of energy coming into their information storage centers?

So next time someone asks you what your job is, you can safely say, "I work to make sure that only authorized and expected sequences of energy pulses come into contact with our information devices." This certainly does not make information security any easier to comprehend, however.

Is Anyone Winning?

There was a time in the not-too-distant past when it was extraordinarily easy to hack into a company, steal or manipulate its data, and then get out clean and easy without a trace. This could be accomplished through a simple program that could have been created in a matter of hours. Fortunately, the idea of malicious hacking was not as widespread back then as it is today.

By taking a closer look, it would appear that the world of the good guy and the world of the bad guy are synchronized. It can certainly be viewed as a symbiotic relationship, each party needing the other to exist. Through this reflecting relationship, we are all growing together. The newest form of attack is always matched by the newest form of defense, and vice versa. Any group making a great leap in technology spawns a great leap on behalf of the other party. The more agencies and governments that get involved in the battle, the more motivation there is for hackers to increase their efforts. Thus, no group seems to ever win or lose, but we all simply remain in a stalemate of thrust and parry.

This does not mean, however, that there are not losers in these battles. Unfortunately, most organizations, including software and hardware manufacturers, deal with security on a reactive basis. As the abilities to hack and to secure make great leaps forward, the mass population tends to wait until it feels the knifepoint of the attacker before bothering to discover it has fallen far behind in its security practices. Saying that security and hacking seem to be in a stalemate does not mean that the average organization can say the same. While the technologies and methodologies tend to balance out, the rest of the world is still on the losing end of the battle.