Empty Red Bull cans litter the floor, reflecting the warm glow of the monitors. Alongside the sketch boards lie drained liters of Mountain Dew, partially eaten burritos and dozens of 486 machines configured as Linux Beowulf clusters. A Pentium II machine plugged into a seemingly endless line of surge suppressors hums as it continues to brute-force password guesses at a rate of 10 million per second. Only 12 more hours to go...
All the machines have their lids off--no hard-core geek is ever satisfied with the state of a system. Legal pads are covered with IP addresses, penciled network maps and port numbers. As the attackers' scripts relentlessly scan for the presence of the recently identified CGI vulnerability, they continue to exchange notes with the crew on IRC (Internet Relay Chat). They figure once they've compromised a few dozen ISPs--creating a network of "stepping stones"--they can forge ahead to their target.
It's all about buffer space--a disposable safety net with a redo button. If they "own" a dozen machines between them and their target, they can attack with the confidence that only a cyborg in a time machine could ever gather enough info to snag them--only a handful of organizations have the manpower or expertise to catch intruders who leave no trail. Attack, clean, reattack--and gain as much net space as possible.
Auditor? Cracker? Strung-out administrator? The roles can be interchanged and the distinction blurred, with one exception: The crackers have the easiest task. They need find only one open doorway; the defenders must check every lock.
"It takes one to know one" may be cliché, but it holds up in the network security arena. Understanding how attackers operate is invaluable--in fact, it's your best defense. The concept of "hacking" into your own network for security purposes isn't new. Dan Farmer published a paper in 1995 entitled "Securing Your Site by Breaking Into It" (www.fish.com/security/admin- guide-to-cracking.html). Network Computing published a similar article a few years ago (see "Intrusion Detection Provides a Pound of Prevention" at www.networkcomputing.com/815/815ws1.html).
Many of the time-tested security principles still hold true. However, attackers' tools and talent have taken giant leaps. Each time security products mature, so do attack methodologies, and if you fall behind on either, you're setting yourself up for a nightmare.
Cracking Some Myths
Before we even think about sitting down in front of a computer, let's debunk some common assumptions about crackers and excuses for reduced vigilance.
"We are not a high-profile company--no one is targeting us." You may manufacture industrial-strength toilet seats, but be "next door," in Internet terms, to an e-commerce site performing credit-card processing. Or maybe you have great bandwidth or juicy servers, or maybe your domain name just sounds cool. It often doesn't matter what your company is or does, intruders can make use of your network even if it isn't their final target.
"That is a really complicated attack--it would never happen to us." Although experts agree that the successful cracker lies somewhere between script kiddy (able to execute prewritten code, but unable to manufacture new exploit code) and elite programmer, most are able to pull off fairly sophisticated attacks. Think back to your college years. Imagine spending less time drinking beer and more time in front of your terminal. What level of mischief could you achieve? Now add the declining prices of bandwidth and hardware and it's no wonder 14-year-olds are drawing visits from the Secret Service.
REPORTS
Analyize In-Line NAC strategies and products.
ANALYTICS Plan and design your enterprise blade server deployments
InformationWeek U.S. IT Salary Survey 2008
Salaries for business technology professionals are falling. Here's what you need to know in order to make good hiring decisions and personal career choices. Download Today
REPORTS
ANALYTICS
Follow 
