Title:

Network Security -- Where Does the *Real* Threat Lie?

Author:

Millicent R. Watts
Security Consultant
sfuze@escape.com

Abstract:

While much of the media has shown a particular kind of tunnel vision toward the unauthorized hacking of systems, with a particular slant toward "hackers" and "hacker groups", it is curious that so little emphasis has been given to the larger problems inherent in network security -- and certainly to the security of large computer networks holding potentially valuable data, such as credit bureaus, telephone and utility companies, most corporations, and schools which produce (often government-sponsored) research.

Many people are surprised to hear that a good 85-90% of all hacking is done internally -- by the people we hire, trust, background-check, pay, and depend upon -- sometimes for money, almost always for some kind of personal gain, whether it is information with which to blackmail a fellow employee or simply knowledge of a project in the works that they feel might be useful to bring up at a particular time (for instance, to gain a better position or a higher salary). Some of it is passed on to external sources for money or for a "foot in the door" at another place of business.

Information Warfare, another relatively new concept, also poses its own threats to companies, especially financial and securities firms, where minutes of downtime can cost millions, potentially billions, of dollars in lost income and clientele, not to mention "bad press".

This talk will focus on the less talked about types of hacking, on how and why it is important to approach security from a perimeter standpoint, and on what can be done to increase corporate and institutional awareness of security threats, blackmail, espionage, and, yes, "hacking".

Addressed will be various network authentication and verification schemes and their inherent weaknesses, the importance of securing not only computer systems but phone systems and "people systems", the various threats and ways to lessen the likelihood of attack, and the different "types" of hacks -- what to look out for in the network AND your people.

A particular emphasis will be placed upon the changing focus of Internet break-ins (and dial-in break-ins) at the network level, from a purely "hacker" focus to one which touches upon the growing incidence of corporate espionage, denial of service for personal gain (or for egotistical purposes, as in some recent ISP DoS attacks), and strategies for coping with intrusion.