“Freedom from risk or danger; safety.” This
is a simple definition of security. Security is a relative concept.
We all have some level of it, but sometimes the amount we think
we have is not reality. In our personal and relatively civil world,
security is something we take for granted. There are laws in effect
that keep criminals at bay. And when the laws are not enough, the
police & lawyers step in to place the bad guys behind bars.
While there are analogies to be made in the digital world, the
institutions and knowledge are not quite where they need to be
and often several steps behind the ever-curious and devilishly
industrious "hacker" community. In some cases, these
threats are intentionally aimed at a precise target. More often,
they are random attacks looking for vulnerable targets. In the
world of speed-of-light communications on the Internet and in our "connected" worlds
of PDAs, LANs, and WANs, our security can be compromised in seconds.
These attacks can come not by someone stalking us hiding behind
street posts and dumpsters in unlit alleys, but by a teenager perhaps
sitting with his friends in his bedroom "dialed in" to
the Net hacking into your network from several states or countries
away. It is not difficult to do and anyone with an Internet connection
and some spare time can very quickly find freely available software
that can get them started on a “digital attack”.
As a society, we have slowly but surely given up many of our fears
and concerns about this connected environment. We purchase things
on the Internet by providing very personal & financial data
like birth dates and credit card numbers. For the sake of convenience
we submit to the likes of Microsoft et al by subscribing to a utility
like the Passport. While seemingly innocent, this leaves a potential
trail of our path through the Internet. Whether used to login to
eBay and purchase lingerie for a spouse (or mistress?) or simply
to login to check email, an auditable path of our actions gives
unknown persons and entities the ability to make informed judgments
about our lifestyles, preferences, age, marital status, etc. The
risks often get forgotten when it becomes second nature to use
the utility. At least in a restaurant when paying with a credit
card that is willingly handed over to someone (who perhaps is a
thief and intends to photocopy the card while it is in his possession)
we have the small comfort of being able to look the person in the
eyes and make a judgment about the risk we are taking. This is
not possible in the digital world. There we are forced to either
blindly submit or to place trust in a secure certificate endorsed
by a company like VeriSign. How many people do you know at VeriSign
and what makes them trustworthy? As far as I can tell, it is the
fact that they were one of the first to the game and therefore
by default are a trusted entity. Hmmm?
I recently subscribed to a cable Internet service (one that shall remain unnamed)
and out of curiosity, plugged in a Linux-based intrusion detection system
(IDS). I cannot say that I was surprised that in about 3 weeks' time, I had
over 3 dozen attempts by persons on the Internet to login to my machine,
run port scans to detect vulnerabilities, and do other mischievous things.
All of it was done without my permission and, absent the IDS, would have been
without my knowledge. The sessions lasted milliseconds in some cases and
the longest was no more than two seconds. No “open doors” were
found to exploit so I assume the attackers quickly went on to find the next
victim. The Internet is no longer the place for the faint of heart or for
those who are blindly ignorant of the risks they are taking. These risks
can rather easily be mitigated to very reasonable levels with a few small
precautions. However, I have been repeatedly amazed at the wide array of
configurations I have seen in the commercial marketplace. Most of my amazement
comes from the misplaced trust that has been placed in advice from and actions
of the service providers who claim to understand these risks and understand
how to mitigate them. In a recent example, I found a company that had installed
a router capable of providing firewall services along with a firewall sitting
right next to it. When I asked why the firewall was installed, the business
owner responded that it was for extra protection. Further inspection of the
system showed that the router’s firewall features had never been enabled
AND the firewall was simply plugged into the wall burning electricity, but
not enabled or configured (hardly the “extra protection” the
customer thought he had!). This was either the result of laziness or ignorance
on the part of his service provider and led to this particular customer having
a very false sense of security.
The Internet has broken down immense barriers between people,
customers & vendors and even countries. The convenience of
this medium will guarantee its future growth and utilization by
all civilized and developing societies. The risks and pitfalls
of this "connectedness" are significant but can easily
be mitigated. It is foolish and irresponsible not to take a second
look at how we use the Internet, the information we make available
on the medium, and the systems we put in place to protect that
which is important to us. We walk in and out of the front and back
doors of our houses on a daily basis and are tangibly assured that
the door still functions and the locks are still operable. When
was the last time you checked your router, firewall, and other
network-related security mechanisms to ensure their functionality?
The sanctity of our personal and corporate data depends on our
vigilance and prudence in proper defenses against such attacks.
Do you know who has the keys to your digital doors?