Today, people are firing up their intrusion detection systems (IDSes) and "detecting" attackers left and right, or so the thinking goes. But what really constitutes an attack? We can't tell you how many times we've gotten calls from vendors claiming their product detected an intruder. Yet when we question the victim, we usually get the same story: the existence of an actual attack is questionable. Someone noted a PING sweep, a port scan, or maybe a harmless SMTP VRFY probe. These may be precursors to an attack, but by themselves they are reconnaissance, not compromise, and they are far from illegal.
Yet, despite these questionable "attacks," organizations are spending weeks and months tracking down the culprits, usually at great expense. Ironically, it's the harmless hacker wannabes who usually get caught as a result of these crusades. Skilled intruders simply avoid the noisy probes that raise red flags.
Alarmist attitudes are not the answer and are hurting the industry as a whole. We can't run around like Chicken Little thinking the sky is falling when no one's even looking up. Software vendors have convinced the market that firewalls and IDSes are essential components to a secure network (and they are), but they forgot to mention the most important fact: that they are far from a hands-free solution to security. Deploying IDSes without assigning full-time security staff to monitor and manage them is akin to installing a home security system with no one manning the phones. We need skilled, dedicated, empowered security staff to deploy, monitor, and manage the infrastructure or the benefits of IDS will go out the window.
In addition, IDSes generate far too many false positives. You need dedicated staff to filter the alerts and selectively track down the real attacks. Chasing every PING or port scan would occupy all of your waking hours -- even if you could be sure each one was genuine. Turnkey IDS solutions are turning into automatic blame machines, making it all too easy to pull the blame trigger at the first sign of mischievous activity instead of tracking down the real culprits.
Now, we're not saying we should give hackers free rein to attack our systems and make them promise, on their honor, not to damage anything (but tell us how they did it). There are too many rotten apples who would spoil it for the rest of us. On the other hand, we can't take everything our firewalls and IDSes tell us at face value. Many "attacks" are false positives, or the work of harmless insomniacs poking at your gateway at 2 a.m. Track down enough of these useless leads and you will become desensitized to the real attacks being performed right under your nose.
Our industry needs to come together and determine acceptable tolerance levels and definitions for attacks. There needs to be serious discussion, and legal precedent set, to define what is and what is not an attack, and the people managing the technology need to follow these guidelines before expending energy. Built-in, tunable alarm thresholds would make IDSes far more useful: today many companies simply ignore the continual thumping on their Internet gateways because the sheer volume of potentially malicious traffic makes every alert look alike.
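Thresholds of the sort we are asking for are not hard to sketch. What follows is an added example, not code from this column or from any IDS product: a small Python triage routine run over constructed alert lines in an assumed format (ISO timestamp, source address, signature name). The signature names, the addresses, and the "20 reconnaissance alerts within 60 seconds" threshold are assumptions chosen for illustration; a real deployment would tune them per site. The point it shows is that a lone PING or VRFY never reaches an analyst, while a scan burst or a probe followed by a non-reconnaissance signature from the same source does.

```python
"""Alert triage with thresholds: suppress lone reconnaissance, escalate scan
bursts and recon-then-exploit sequences from the same source.

Added example, not code from the Security Watch column or any IDS vendor.
The alert format, signature names, addresses and thresholds are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Signatures treated as precursors (reconnaissance) rather than attacks.
RECON_SIGS = {"ICMP PING", "PORTSCAN", "SMTP VRFY"}


def parse_alert(line):
    """Parse one assumed-format alert line: '<ISO timestamp> <src> <signature>'."""
    ts, src, sig = line.split(" ", 2)
    return datetime.fromisoformat(ts), src, sig


def triage(lines, recon_threshold=20, window=timedelta(seconds=60)):
    """Return {source: reason} for sources worth an analyst's time.

    Rules (thresholds are assumptions, tune them per site):
      * a non-recon signature escalates immediately; if recon from the same
        source preceded it, the reason records the sequence
      * recon alone escalates only when at least recon_threshold recon alerts
        from one source fall inside `window` (a scan burst)
      * everything else (a lone ping, a single VRFY) is suppressed
    """
    events = defaultdict(list)
    for line in lines:
        line = line.strip()
        if line:
            ts, src, sig = parse_alert(line)
            events[src].append((ts, sig))

    escalated = {}
    for src, evs in events.items():
        evs.sort()
        recon_times = [t for t, s in evs if s in RECON_SIGS]
        exploits = [(t, s) for t, s in evs if s not in RECON_SIGS]
        if exploits:
            t, sig = exploits[0]
            if recon_times and recon_times[0] < t:
                escalated[src] = f"recon then {sig}"
            else:
                escalated[src] = sig
            continue
        # Sliding window: largest number of recon alerts inside `window`.
        best, start = 0, 0
        for end in range(len(recon_times)):
            while recon_times[end] - recon_times[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= recon_threshold:
            secs = int(window.total_seconds())
            escalated[src] = f"scan burst ({best} recon alerts within {secs}s)"
    return escalated


def sample_alerts():
    """Constructed alert log: a lone prober, a port scanner, and a source that
    probes and then fires a non-recon signature."""
    lines = [
        "1999-09-20T02:14:03 10.0.0.7 ICMP PING",
        "1999-09-20T02:14:05 10.0.0.7 SMTP VRFY",
    ]
    base = datetime(1999, 9, 20, 2, 30, 0)
    for i in range(25):  # one PORTSCAN alert per second: a real sweep
        stamp = (base + timedelta(seconds=i)).isoformat()
        lines.append(f"{stamp} 192.0.2.44 PORTSCAN")
    lines += [
        "1999-09-20T03:05:10 198.51.100.9 ICMP PING",
        "1999-09-20T03:05:40 198.51.100.9 SMTP VRFY",
        "1999-09-20T03:06:02 198.51.100.9 OVERFLOW ATTEMPT",
    ]
    return lines


if __name__ == "__main__":
    for src, reason in triage(sample_alerts()).items():
        print(f"{src}: {reason}")
```

Run as written, the routine reports 192.0.2.44 as a scan burst and 198.51.100.9 as "recon then OVERFLOW ATTEMPT", and stays silent about 10.0.0.7, whose single ping and VRFY are exactly the kind of "attack" the column argues is not worth a week of chasing. Raising recon_threshold above 25 silences the scanner too, which is the knob a site would turn once it knows how much background scanning its gateway sees.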
Speaking of hacking techniques, we just couldn't let another week go by without pointing readers to our new security book, Hacking Exposed: Network Security Secrets and Solutions (co-authored by us and George Kurtz of Ernst & Young, and published by Osborne/McGraw-Hill).
The genesis of Hacking Exposed has closely paralleled Security Watch and was driven by our continuing desire to bridge the gap between IT support and the real world of security. Like you, we always wanted a one-stop reference on current Windows NT, Unix, NetWare, dial-up, and Web hacking tools, techniques, and countermeasures, and we did not want to fumble through endless sources to learn how to keep intruders out of our virtual cookie jars. After many years of waiting for such a book, we finally wrote it ourselves.
We're biased, but we hope that Hacking Exposed will help you better understand the importance of network security. Send comments to firstname.lastname@example.org or email@example.com.
(Stuart McClure and Joel Scambray are consultants with Ernst & Young's eSecurity Solutions group. They have encountered a diversity of technologies during their 10 years of experience in information security.)