We'll start this section with a summary of computer industry trends in the context of computer crime.
Like the Internet, computer crime continues to be a growth industry. Hackers and vandals discover and create innovative—and often all too simple—techniques for disrupting computer systems around the world. It seems like the computer security industry is always one step behind the criminals, playing catch up in response to new intrusions and virus infections.
The following sidebar summarizes the results of the "1999 CSI/FBI Computer Crime and Security Survey" undertaken by the Computer Security Institute (CSI) and the FBI. These results underscore the magnitude of the computer security problem in this country.
"1999 CSI/FBI Computer Crime and Security Survey"
From the "1999 CSI/FBI Computer Crime and Security Survey":For the third year in a row
- System penetration by outsiders increased, with 30 percent of survey respondents reporting intrusions.
- The number of respondents who identified their Internet connection as a frequent point of attack increased from 37 percent in 1996 to 57 percent in 1999.
- Unauthorized use by insiders increased, with 55 percent of respondents reporting incidents.
- Financial losses due to security breaches exceeded $100 million. Note: Of the 51 percent who reported losses, only 31 percent could quantify these losses.
Types of crimes reported by survey participants
- Denial-of-service (DoS) attacks reported by 32 percent of participants.
- Sabotage of data or networks reported by 19 percent.
- Financial fraud reported by 14 percent.
- Abuse of Internet access (for example, downloading pirated software or pornography, and inappropriate use of e-mail systems) reported by 97 percent.
- Virus contamination reported by 90 percent.
- Laptop computer theft reported by 69 percent.
It's obvious from the statistics presented in the "1999 CSI/FBI Computer Crime and Security Survey" that many businesses aren't coping well with computer security or still aren't "getting it." Why not?
There are many reasons for the alarming trends identified in the survey, including:
The Complexity of the Problem
There has been exponential growth in the complexity—and inherent vulnerabilities—of computer systems over the past several years. Computer system complexity has been exacerbated by the broad acceptance of the Internet as a networking platform for business computing. The growing complexity of this computing environment means that products are becoming less secure rather than more secure.
The Scope and Volume of the Problem
At the same time that the Internet gave businesses global access to customers and other businesses, it also gave users around the world access to these same businesses and their computer systems. The increase in the number of attackers worked in combination with the rapid growth of Internet-based computing to put IT staff in an untenable situation, one in which support demands, particularly in the area of security, far outstripped available resources and capabilities. Hackers and vandals, on the other hand, were unhindered by bureaucracy and budgets and had an unlimited number of targets from which to choose. From the onset, security professionals and system administrators were forced into a catch-up role, a role that still persists today.
Jim Magadych, security research manager with Network Associates, observed: "There are a lot of system administrators out there that are aware that security holes exist in their systems, but they see the alerts coming out daily and are overwhelmed by sheer numbers." As a result, security fixes often don't get applied. According to a CMPnet (http://www.cmpnet.com) security task force, at least three-quarters of the businesses connected to the Internet have at least one of 20 known security holes.
Misunderstanding the Nature of the Solution
Even today, years after the Internet was adopted by mainstream businesses, many of the business managers and system administrators for these companies still believe that their systems are safe, simply because they have a firewall. Nothing could be farther from the truth. Reliance on a purely technical solution—particularly if it's flawed or poorly configured and implemented—is no solution. Numerous security professionals have noted that effective security systems are not a simply a product but an appropriate combination of products and processes that are designed to meet the needs of an individual organization.
Ownership of the Problem
An organization's staff members, from the CEO to junior office worker, have to share the burden of the security problem. The responsibility for computer security is everyone's problem, not just the individual or individuals that have formal responsibility for corporate computer security.
One writer equates user responsibility for computer security to employee responsibility for making sure the door is locked when they leave the building at the end of the work day—regardless of whether or not it's part of their job description.
The SANS (System Administration, Networking, and Security) Institute, working with experts from more than 40 private and public sector security research and practitioner groups, compiled several lists of security-related items for managers and IT professionals to consider when dealing with security in their organizations.
But before examining the "The Ten Worst Security Mistakes Information Technology People Make" and "The Ten Most Critical Internet Security Threats" that the SANS Institute published, let's see what attendees at a large security conference identified as the top seven mistakes that managers made in the area of security.
The 1,850 computer security experts and managers attending the SANS99 and Federal Computer Security Conferences compiled this list of management errors:
Management security mistakes are frequently compounded by mistakes made by the IT professionals in their organization, as the next section illustrates.
The 10 worst mistakes identified by the experts are:
TIP
Install and use the Microsoft Windows 2000 Internet Information Services 5.0 (IIS) hotfix checking tool, HFCheck. This tool allows administrators to ensure that their servers are up to date on all IIS security patches. The tool can be run continuously or periodically against the local computer or a remote one, using either a database on the Microsoft Web site or a locally hosted copy of the program. When the tool finds a patch that hasn't been installed, it can display a dialog box or write a warning to the Event Log.
To obtain more information about this tool and download it, go to http://www.microsoft.com/technet/security/tools.asp
WARNING
Test your system(s) thoroughly after installing a software patch. Don't assume that simply applying the fix solves the problem. There may be other issues related to system configuration that need to be dealt with as well.
NOTE
This issue of unencrypted Telnet traffic is important if you are using one of the load balancing devices described in Chapter 13, "Third-Party Load Balancer Support."
And a bonus...
In the wake of the distributed denial-of-service (DDoS) attacks that brought down eight major Web sites in a week, the SANS Institute started soliciting input from security experts in February 2000. The entries in "The Ten Most Critical Internet Security Threats" list are the results of a consensus between almost 50 experts from companies, universities, and such government agencies as the National Security Agency and the Department of Defense. It is intended to give system administrators who are looking to secure their systems a place to start.
The top 10 threats identified by the experts are:
Alan Paller, director of research for the SANS Institute, says that this list gives administrators a set of priorities for dealing with security holes. With regards to the items in this list, he says, "This is probably 70 percent of the attacks occurring on the Internet. Even though (the list represents) 10 out of a large number of exploits, it's the majority of attacks."
Jim Magadych (Network Associates), a contributor to the report, says that by closing the holes identified in the top 10 list, companies "are protecting themselves against the largest number of intruders on the Internet, but also the least sophisticated—what we call ankle-biters."
NOTE
The SANS Institute also published "How to Eliminate the 10 Most Critical Security Threats," which can be downloaded from its Web site at http://www.sans.org.