Being in the security business is a constant game of catch-up. Let me explain. You are the Systems Engineer for a brand new shiny network, architected and configured by you. It is all deployed and working perfectly, and then you are hacked.
Apart from that sinking sensation in your stomach, you now need to react to the threat and hope all of your disaster recovery planning is sound. What a nightmare. The problems for the security professional arise for a number of reasons. Let's take a look.
Bad Guys Only Have to Know One Exploit
When the latest vulnerability in your OS, or a known crack for an application you are using, is released into the wild, it puts you in scramble mode. You have to be aware of all of the operating systems, applications, hardware and protocols being used on your systems. Otherwise, how do you protect against them?
Inventory is key to a successful security plan. Now turn the tables and look at the hacker: they only have to know one vulnerability and become extremely good at utilising it. They simply have to find a company with their known vulnerability which they can exploit.
Resources are Cheap
Ask someone who has been in the computer industry for a number of years and they will tell you how amazed they are at the speed at which the processing power of computers has grown. Remember that we sent astronauts to the moon with computers housing as much processing power as modern-day calculators. Let's face it: today, extreme systems with oodles of RAM and processor power are cheap. For under $2000 you can build a system on the cutting edge of technology. This means that the tools the bad guys are using have grown in efficiency too. When trying to crack passwords, computers can work a lot faster than they could 15 years ago. Then you throw in the added worry of botnets (collections of computers that, unknown to their owners, work in tandem toward the goal of the hacker). People actually rent botnets on the Internet, so that anyone can have access to 70,000 computers to conduct their nefarious activities, such as DDoS or spam attacks.
Bad Guys Don't Work 9-5
When the bad guys do decide to attack, it usually isn't a nine-to-five thing. More likely, you and your security team have gone home and are snug in your beds, thinking that all is hunky-dory with your network. The bad guys are not limited by time constraints; they may not even be in your time zone. So unless you plan on staying up for the next 20 years of your career, it is unlikely that you will be around when the attacks start. This is why it is imperative that your emergency response system is well established and your team knows how to react when the emergency happens.
Security Guys Need to Worry About All Attack Vectors
As much as nobody likes talking about it, the fact is that the majority of attacks originate from inside the network you are trying to protect in the first place. That is not to say that a large number of your employees are hackers in disguise, just waiting for the call from the Master Hacker to start taking over your network. Far from it. More likely it is through inadvertent misconfiguration on the part of an administrator, or from ignorance of policies. People like downloading the latest screensaver or that little app that they just have to have. That is why education is just as important as all of the security features you build into your network.
Resources
Given these facts, it is no wonder that security guys often look bedraggled and tired. It is because they are living in a heightened state of vigilance so that the network can be up and running constantly. A large part of any security professional's job is awareness. Staying in the know is a constant fight. If you or your security pros start finding that they are losing their grip on what is out there, I would like to recommend a couple of sites that would be helpful to them.
http://csrc.nist.gov/
http://www.sans.org/
http://www.securityfocus.com/
In Closing
Those three sites will give you a good idea of what is hot out there from a vulnerability point of view. Remember, all the policies in the world are useless unless your staff understand the importance of adhering to said policies. Educate them so they understand.