Wednesday, July 4, 2012

Insecurity Of Information

I don't want this post to be misconstrued as a dump on system administrators. They have a difficult job with many different facets that limit control over their networks. They are charged with keeping information flowing, not slowing it down. The job can be a stressful one. One hiccup with internet service is met with a flood of angry calls and emails. They have to deal with support issues, employee issues, vendor issues, security issues, budget issues, the list goes on. It really is a difficult and thankless job in many ways, but...

IMHO, security boils down to one simple thing: standard (or "best") practices. The industry is based on them, and therefore bound to them. Most system admins were taught from the same curriculum, inherit practices from their predecessors, and tend to utilize only what they understand. Very few want or need to be more. Hackers are not bound to any protocol, learn as they go, and aren't burdened with long-term data integrity, shareholders, or profits. They are fluid creatures limited only by their imagination and sheer technical ability. In short, there isn't a contest.

For example: if I buy three red cars, you could assume with reasonable certainty that my fourth car would be red, too. A lot of protocols that corporations follow are similar in estimation. It's very predictable. Some system admins are happy to place YouTube at a higher priority level than reading logs or checking equipment. A breach can happen anytime, and a network device sending an email isn't going to cut it. It's difficult to stay vigilant when that critical moment will seemingly never arrive. I'm sure there are a few admins that take pride in their security knowledge and implement it well, but many don't have a good grasp of attack vectors (both virtual and physical) or how to secure them.

In fact, employee information is the easiest to obtain. It's not very well guarded and is made available for the asking. Try calling a company and asking to speak with a salesman. Mr. John Smith will happily assist you: "Visit us on the web at http://mycompany.com. Here's my email, jsmith@mycompany.com, if I can assist you further." That's more than enough to begin planning the stage of attack, and no elaborate trickery was involved. It was all given for the asking (or completely volunteered), and even more can be obtained with a little imagination.

Contrary to popular belief, customer information isn't very high on the security food chain. It's usually stored in a database server accessed by a surprising number of people, often from different segments. Salesmen, managers, data entry clerks, IT personnel, customer support, as well as outside contractors have direct, or indirect, access to that information. I often asked myself why they bother using passwords or securing the server room, other than to protect hardware configuration. In comparison, only a select few have access to proprietary or sensitive information pertaining to the company or R and D.

Corporate networks are compromised because they are a wealth of profitable information with plenty of soft targets. These networks are constantly hacked, but the breaches are rarely reported. Every American who has used a debit or credit card can rest assured that their financial information has been in the wrong hands, quite possibly more times than they want to know. Can more be done to stop it? Not without rethinking everything we know about networking and doing business.
