The Art of Intrusion: The Real Stories Behind the Exploits of Hackers, Intruders and Deceivers

Authors: Kevin D. Mitnick, William L. Simon
at some point in time. Thus, we should create an environment that minimizes the potential damage a bad guy can do. One example, as mentioned earlier, is to place publicly accessible systems on the DMZ of the company firewall. The term DMZ, borrowed from the military/political abbreviation for demilitarized zone, refers to setting up network architecture so that systems the public has access to (Web servers, mail servers, DNS servers, and the like) are isolated from sensitive systems on the corporate network. Deploying a network architecture that protects the internal network is one example of defense in depth. With this arrangement, even if hackers discover a previously unknown vulnerability and a Web server or mail server is compromised, the corporate systems on the internal network are still protected by another layer of security.
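The property the paragraph describes is easy to state and easy to get wrong in a real rule base, so the following added example (not code from the book) models a first-match firewall policy and audits it for the one thing a DMZ exists to guarantee: a compromised DMZ host cannot open connections into the internal zone. Zone names, rules and ports are constructed for illustration; the second policy contains a deliberately misordered rule of the kind that silently defeats the isolation.

```python
"""Added example (not from the book): first-match firewall policy model with a
DMZ-isolation audit. Zones, rules and ports are constructed for illustration."""

from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Rule:
    src: str             # source zone: "internet", "dmz" or "internal"
    dst: str             # destination zone
    port: Optional[int]  # None matches any destination port
    action: str          # "allow" or "deny"


def evaluate(rules: List[Rule], src: str, dst: str, port: int) -> str:
    """First matching rule wins; with no match the policy defaults to deny."""
    for r in rules:
        if r.src == src and r.dst == dst and (r.port is None or r.port == port):
            return r.action
    return "deny"


def audit_dmz_isolation(rules: List[Rule], ports: range = range(1, 65536)) -> List[int]:
    """Return every port on which a DMZ host could initiate a connection to
    the internal zone. An empty list means the isolation property holds."""
    return [p for p in ports if evaluate(rules, "dmz", "internal", p) == "allow"]


# Constructed policy: public services reachable from the internet, the DMZ
# sealed off from the internal network, internal admins may SSH into the DMZ.
DMZ_POLICY = [
    Rule("internet", "dmz", 80, "allow"),
    Rule("internet", "dmz", 443, "allow"),
    Rule("internet", "dmz", 25, "allow"),
    Rule("internal", "dmz", 22, "allow"),
    Rule("dmz", "internal", None, "deny"),
]

# Constructed weak policy: a broad allow sits above the deny, so the deny is
# never reached and a compromised web server can reach any internal port.
WEAK_POLICY = [
    Rule("internet", "dmz", 443, "allow"),
    Rule("dmz", "internal", None, "allow"),  # mistaken broad allow, shadows the deny
    Rule("dmz", "internal", None, "deny"),
]


if __name__ == "__main__":
    for name, policy in (("DMZ_POLICY", DMZ_POLICY), ("WEAK_POLICY", WEAK_POLICY)):
        leaks = audit_dmz_isolation(policy)
        print(f"{name}: {len(leaks)} ports reachable from dmz -> internal")
```

The audit enumerates destination ports rather than reading the rule text, because rule ordering and "any port" wildcards interact in ways that a glance at the list does not reveal; the same function can be run against a policy exported from a real firewall once it is mapped into `Rule` objects.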

    Companies can mount another effective countermeasure by monitoring the network or individual hosts for activity that appears unusual or suspicious. An attacker usually performs certain actions once he or she has successfully compromised a system, such as attempting to obtain encrypted or plaintext passwords, installing a back door, modifying configuration files to weaken security, or modifying system, application, or log files, among other efforts. Having a process in place that monitors for these types of typical hacker behavior and alerts the appropriate staff to these events can help with damage control.
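One concrete form of the host monitoring the paragraph recommends is a file-integrity check: hash the files that a normal workload never rewrites, then compare later snapshots and alert on the changes an intruder typically makes (account files, SSH configuration, logs). The following added example, which is not the book's code, does that over a constructed directory tree inside a temporary folder; the file names and the simulated post-compromise changes are constructed for illustration, and the list of "sensitive" paths is an assumption a real deployment would tune.

```python
"""Added example (not the book's own code): baseline-and-compare integrity
monitor for configuration and log files. All paths and contents below are
constructed inside a temporary directory for illustration."""

import hashlib
import os
import tempfile
from typing import Dict, List


def sha256_file(path: str) -> str:
    """Hash a file in chunks so large logs do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def baseline(root: str) -> Dict[str, str]:
    """Record a hash for every file under root (relative path -> sha256)."""
    table = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            table[rel] = sha256_file(full)
    return table


def compare(root: str, old: Dict[str, str]) -> Dict[str, List[str]]:
    """Classify files as modified, added or removed relative to a baseline."""
    new = baseline(root)
    return {
        "modified": sorted(p for p in old if p in new and new[p] != old[p]),
        "added": sorted(p for p in new if p not in old),
        "removed": sorted(p for p in old if p not in new),
    }


# Assumed list of files a normal workload does not rewrite; any change is HIGH.
SENSITIVE = ("etc/passwd", "etc/shadow", "etc/ssh/sshd_config", "etc/crontab")


def alerts(diff: Dict[str, List[str]]) -> List[str]:
    """Turn a diff into alert strings; HIGH sorts before INFO."""
    out = []
    for kind, paths in diff.items():
        for p in paths:
            level = "HIGH" if p in SENSITIVE else "INFO"
            out.append(f"{level}: {p} {kind}")
    return sorted(out)


def demo() -> List[str]:
    """Build a constructed host tree, baseline it, apply the kinds of changes
    the text lists (weakened config, extra privileged account, truncated log,
    new executable), and return the resulting alerts."""
    with tempfile.TemporaryDirectory() as root:
        def put(rel: str, text: str) -> None:
            full = os.path.join(root, rel)
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "w") as f:
                f.write(text)

        put("etc/passwd", "root:x:0:0::/root:/bin/sh\n")
        put("etc/ssh/sshd_config", "PermitRootLogin no\n")
        put("var/log/auth.log", "ok\n")
        snapshot = baseline(root)

        # Constructed changes that a monitor should surface (temp dir only):
        put("etc/passwd", "root:x:0:0::/root:/bin/sh\nsvc:x:0:0::/:/bin/sh\n")  # second uid-0 account
        put("etc/ssh/sshd_config", "PermitRootLogin yes\n")                     # weakened configuration
        put("var/log/auth.log", "")                                              # log truncated
        put("usr/local/bin/update", "#!/bin/sh\n")                               # unexpected new executable
        return alerts(compare(root, snapshot))


if __name__ == "__main__":
    for line in demo():
        print(line)
```

In production the baseline would be stored off-host (an attacker who can rewrite `/etc/passwd` can also rewrite a hash table kept beside it), and the comparison would run on a schedule or from a change-notification source; the classification logic stays the same.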

    On a separate topic, I've been interviewed countless times by the press about the best ways to protect your business and your personal computer resources in today's hostile environment. One of my basic recommendations is to use a stronger form of authentication than static passwords. You will never know, except perhaps after the fact, when someone else has found out your password.

    A number of second-level sign-on techniques are available to be used in combination with a traditional password, to provide much greater security. In addition to RSA's SecurID, mentioned earlier, SafeWord PremierAccess offers passcode-generating tokens, digital certificates, smart cards, biometrics, and other techniques.

    The trade-offs of using these types of authentication controls are the added cost and the extra layer of inconvenience for every user. It all depends on what you're trying to protect. Static passwords may be sufficient for the LA Times Web site to protect its news articles. But would you count on static passwords protecting the latest design specs for a new commercial jetliner?

    THE BOTTOM LINE

    The stories in this book, as well as in the press, demonstrate the insecurity of this nation's computer systems and how vulnerable we are to an attack. It seems as if few systems are truly secure.

    In this age of terrorism, we clearly need to be doing a better job of stitching up the holes. Episodes like the one recounted here raise an issue we need to face: how easily the talents and knowledge of our own unwitting teenagers can be turned against us to endanger our society. I believe that school kids should be taught the principles of computer ethics starting when they are being introduced to computing in elementary school.

    Recently I attended a presentation given by Frank Abagnale, the protagonist in the blockbuster film Catch Me If You Can. Frank had conducted a survey of high school students across the country about the ethical use of computers. Each student was asked whether he or she considered it acceptable behavior to crack the password of a fellow student. Surprisingly, 48 percent of the surveyed students thought it was just fine. With attitudes like this, it's not hard to understand why people become involved in this type of activity.

    Chapter 2 When Terrorists Come Calling 47

    If anyone has a suggestion of how to make young hackers less susceptible to being recruited by our enemies, foreign and domestic, I wish he or she would speak up and
