Network Security Is Tough!
Information and knowledge comprise most of what is valuable in today's organizations. This valuable data is stored on computers and flows across networks. Security is used to avoid theft or damage to something valuable.
People experience physical security in everyday life. For example, they lock the doors of homes, cars, and banks. Although they know that they are vulnerablebecause there are only a limited number of possible keys out therethey also know there are risks and costs. Even if someone had all the keys, it would take them a long time to try them all out. If someone were to smash a locked window, it would make a loud noise that other people might hear.
What is different about computers is that they operate on a superhuman scale. They can repeat intricate instructions tirelessly. They can operate at fast or slow speeds beyond human perception. They work without the concept of pain or boredom. They can be connected and networked into elaborate systems. Their overall capability and complexity are beyond our intuitive grasp, even beyond our physical perception.
Bruce Schneier, in his well-written book Secrets and Lies: Digital Security in a Networked World, describes three advantages that computer criminals have over those dealing solely with physical security: automation, action at a distance, and technique propagation.
Dull, repetitive, trivial actions can be automated and run for extended periods across a large number of computers. Computer programs can do repetitive things very fast, such as trying all the password combinations. It may take one termite a long time to fell a mighty tree, but millions of them working relentlessly can dispose of it rapidly.
At the other extreme, computers also can repeat things very slowly to avoid detection. The accumulation of tiny "nicks" can add up to something over time. To extend the previous analogy, homeowners are often surprised to discover that termites have slowly eaten away the underpinnings of the home they built only 10 years ago.
Action at a Distance
In the past, to rob a bank, you had to physically go there with your gang to commit the deed. Crimes are usually solved because of physical evidence: The perpetrators voices were heard or recorded, their pictures were taken, they left something behind, and so on.
Computer criminals are often anonymous because they don't need to be physically present at the crime location. No one gets to see their face or know their identities or those of their collaborators.
Computer networks let you commit crimes from afar, without having to physically show up. On the Internet, anyone in any location can take a crack at the security of your system. Moreover, a particularly good location is a country with weak security laws.
A perpetrator's success or failure in physically robbing a bank depends on how smart, thorough, and lucky he or she is. Bank robbers need personal mastery of a wide set of criminal techniques, as well as meticulous execution.
However, only one intelligent, agile mind is needed to come up with a new computer-security-cracking techniqueand only once. From there, everyone can use it. Any one person, anywhere, who cracks any security mechanism can post the solution to the web. Then, anyone else anywhere, no matter how low his or her skill level, can try the newest technique or run the tools that automate it. New techniques regularly spread worldwide in seconds; old techniques never disappear.
In fact, one type of invader is known as a script kiddy, an amateur who downloads cracker programs from the web and runs them in anonymity, with no knowledge of their operation or effects. They can run crippling attacks at the push of a button.
In addition to counteracting these advantages of computer criminals, those implementing security measures have to deal with the complexity of computer systems. Every computer and network device has its own unique hardware, software, and data. Each has unexpected vulnerabilities, failure modes, and interactions. Connecting the computers and devices together into a complex system increases the potential problems combinatorially, often beyond the grasp of human defenders.
Computer security is a tough challengeand it will continue to get tougher. VoIP equipment is based on computer and data networks; by adopting VoIP, you are adopting all the security problems inherent in computer systems. However, with proper planning and attention to security details, you can prevent, detect, and react to security problems in an efficient manner. The next section looks at approaches you can take to make these problems more manageable.