Part IV: Halting the Hacker


Halting the hacker is no easy task. First, it is not a level playing field. A hacker needs only to find a single flaw one time to penetrate security, but a security manager has to have the security completely correct all of the time so that it cannot be penetrated. Second, security is everyone's responsibility. Users must select good passwords and not share information with people. System administrators must keep the system current and install security patches, as well as keep aware of current security issues. System vendors must start shipping systems with an operating system that is more secure out of the box, and software suppliers must design their products with security in mind. Finally, security is a balancing act. You have to balance the cost and effort of securing and monitoring a system against the possible losses if the system is compromised. You have to balance the cost and effort to restrict users and systems against the ease of use and productivity of those users. And you have to balance the value of prosecuting a hacker against the publicity that such a prosecution would bring. Historically, the imbalance has been that honest users have paid the cost of more monitoring and more restrictions for the activities of a few hackers, who do not pay for their crimes because of the company's fear of bad publicity.

Proactive Security Measures

Proactive security measures are processes that look for security issues before they become problems. Proactive security tools test for known security problems: configuration problems used by standard attack scenarios. They also include software that assists users in keeping the systems secure, whether a tool to help users select good passwords or one that encrypts network traffic to keep hackers from snooping on the network. Most security tools are proactive security measures.

Any tool that compares the system to a checklist of configurations is this type of tool. These tools can be very effective if they are run on a frequent basis and their reports monitored. It is best to run these tools on an irregular schedule so the hacker is not certain of the size of the window between the tests. If these programs are scheduled to run each day at a given time, the hacker will know he will have a 24-hour window where he can clean up after his hacking and go undetected.
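One way to put a checklist tool on an irregular schedule, as an added example that is not from the book: each gap between runs is drawn from the operating system's random source, with a hard upper bound on the longest unchecked window. The audit command path and the gap limits are assumptions chosen for illustration.

```python
"""Run a checklist-style audit at unpredictable but bounded intervals."""
import secrets
import subprocess
import time
from datetime import datetime, timedelta

# Assumption: hypothetical path standing in for whatever checklist tool is used.
AUDIT_CMD = ["/usr/local/sbin/run-config-audit"]

# OS-backed CSPRNG: observing past run times does not help predict the next one.
_rng = secrets.SystemRandom()


def next_delay(min_gap_s, max_gap_s):
    """Seconds to wait before the next run, uniform in [min_gap_s, max_gap_s]."""
    if not 0 < min_gap_s <= max_gap_s:
        raise ValueError("need 0 < min_gap_s <= max_gap_s")
    return _rng.uniform(min_gap_s, max_gap_s)


def plan_runs(start, count, min_gap_s, max_gap_s):
    """Return `count` run times after `start`; no gap exceeds max_gap_s."""
    runs, t = [], start
    for _ in range(count):
        t += timedelta(seconds=next_delay(min_gap_s, max_gap_s))
        runs.append(t)
    return runs


def largest_window(start, runs):
    """Longest stretch with no audit, i.e. the worst-case unchecked window."""
    points = [start] + list(runs)
    return max(later - earlier for earlier, later in zip(points, points[1:]))


def run_forever(min_gap_s, max_gap_s):
    """Daemon loop: sleep a random interval, run the audit, repeat."""
    while True:
        time.sleep(next_delay(min_gap_s, max_gap_s))
        subprocess.run(AUDIT_CMD, check=False)  # reports still need to be read


if __name__ == "__main__":
    start = datetime(2002, 1, 1)  # constructed start time for the preview
    preview = plan_runs(start, 10, 2 * 3600, 20 * 3600)  # gaps of 2 to 20 hours
    for when in preview:
        print(when.isoformat(timespec="minutes"))
    print("largest unchecked window:", largest_window(start, preview))
```

The preview prints a sample plan only; a deployment would call `run_forever` so that no list of future run times is ever stored on the system.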

Reactive Security Measures

Reactive security measures will report attacks that have already taken place or are currently taking place. These measures are generally either processes that monitor the system and report any anomalous behavior or processes that are looking for activities that correspond to defined attack profiles.

These can be real-time monitors and alarms that will immediately report suspicious activities or they can be batch processes that run at scheduled times and review and correlate logged information to determine and report suspicious activities. Real-time monitors require that there be someone to notify immediately who can take action while the attack is underway. Otherwise, they provide the same features as batch-processed security reports. These reports are used to locate attacks and determine how they were perpetrated to know how to close the holes or where to set real-time traps to catch the hacker during a later attack.



Halting the Hacker: A Practical Guide to Computer Security (2nd Edition)
ISBN: 0130464163
EAN: 2147483647
Year: 2002
Pages: 210
