Copyright © 2008 by The McGraw-Hill Companies. Click here for terms of use.
4
“contaminated” with Linux, as the IT sales reps referred to that operating system. In truth, he was the only one in a company of over one thousand employees who ran it on his desktop system. And the only reason he could get away with it was because it made him better at his job. It also helped him maintain a little bit of control over the infrastructure.
One day Simon noticed network traffic attempting to contact services on his system.
This was not so odd in itself since it appeared to be NetBIOS connections and the occasionalNetBIOS storm—that little network problem where several badly configured Windows machines continually announce themselves and respond to each announcement, growing multiplicatively until they reach maximum network density and choke themselves off—was not a rare occurrence. But these packets did not seem to be typical NetBIOS greetings; they were looking only for shares, and they seemed to be coming from only a few IP addresses.
He fired up Wireshark to take a closer look at the packets. He didn’t know what he was looking for, but he did know that with the company’s dynamic IP addressing in-house, he could not easily figure out which computer was making these requests. Even the NetBIOS name of the sending computer was a generic one. Unfortunately, the packet information told him nothing. So he left Wireshark running and logged the data only from those sending IP addresses for whatever they sent across the network.
After a few minutes, he found some data from one of the packets inside the buffer referring to hiring personnel, which made him think the offending systems might be in the Human Resources department. Moments later, however, he grabbed an email going out from one of the IP addresses he had been watching. Now he had a name: John Alexander.
Simon went straight to the CIO with his information. He didn’t know if the storm was due to malicious intent or some new kind of worm, but he knew it had to be stopped.
However, the CIO wasn’t so quick to judge. The person in question was not a low-level employee; he was a mid-level manager who ran the credit department. And with the potential confidential records stored on his computer, demanding an audit would be no small feat. Furthermore, the CIO had his doubts that this was actually a problem since his system had not registered any strange activity. Simon tried to explain how the CIO’s Windows system had not been designed to question such connections and had probably just processed them like any other request. Therefore, he wouldn’t have seen anything suspicious.
When Simon asked how he should proceed, the CIO instructed him to monitor the activity, concluding that with the amount of money they spent on antivirus and anti-malware licenses, the next daily automatic database update of those programs would clearly kill the infection if it was indeed malware. The whole problem would go away.
Simon suggested that it might not be malware. It might be a deliberate attack from hackers who had gained entry into an internal system or John Alexander himself might be doing some hacking. The CIO considered the idea for a moment but could not see Simon’s suspicion as being reasonable. After all, as he explained to Simon, the company
5
had spent a great deal of money on security. Simon suggested otherwise. He explained that the company had spent a great deal of money on a few specific controls but almost nothing on security. The CIO dismissed Simon, reminding him that he was an administrator, not a security expert, and that the reason they bought security solutions from the experts was so they didn’t need to hire them.
Simon could do no more than simply watch the packets swim through the network as valid traffic with invalid intentions. Months later, when John Alexander was promoted to a foreign office, the mysterious traffic suddenly stopped.
T
he biggest problem people have with securing anything is the very narrow scope they use in determining what to secure and how to secure it. Maybe this is because people don’t fully understand what security is, but most likely it’s because security is such a loaded word that it can mean far too many things. Dictionary definitions alone do not help. Most of them call security the means of being free from risk. Well, that’s fine for soccer moms and minivan dads trying to up their security satisfaction, but it doesn’t really help a professional design a secure system.The fully established professions, like the legal or medical professions that require a culture of academic and skill-based refinement to achieve a licensed, professional standing, place great emphasis on definitions. For example, if a person says he or she is depressed, it means something magnitudes different than what a clinical psychiatrist means by it. Generally, people separate the two terms in day-to-day conversation by saying “clinically depressed” when they mean the disease of depression. However, there is no such term as “clinically secure” or even “professionally secure.”