Hacking for Dummies

IT SECURITY

Little more than a decade ago, IT security was barely a newborn in
diapers. With only a handful of security professionals in 1994, few practiced
security and even fewer truly understood it. Security technologies
amounted to little more than anti-virus software and packet filtering routers
at that time. And the concept of a “hacker” came primarily from the
Hollywood movie WarGames; or more often it referred to someone with a low
golf score. As a result, just like Rodney Dangerfield, it got “no respect,” and
no one took it seriously. IT professionals saw it largely as a nuisance, to be
ignored — that is until they were impacted by it.
Today, the number of Certified Information Systems Security Professionals
(CISSP) has topped 41,000 (www.isc2.org) worldwide, and there are more
security companies dotting the landscape than anyone could possibly
remember. Today security technologies encompass everything from authentication
and authorization to firewalls and VPNs. There are so many ways to
address the security problem that it can cause more than a slight migraine
simply considering the alternatives. And the term hacker has become a permanent
part of our everyday vernacular — as defined in nearly daily headlines.
The world (and its criminals) has changed dramatically.
So what does all this mean for you, the home/end-user or IT/security professional
that is thrust into this dangerous online world every time you hit the
power button on your computer? The answer is everything. The digital landscape
is peppered with land mines that can go off with the slightest touch
or, better yet, without any provocation whatsoever. Consider some simple
scenarios:

Simply plugging into the Internet without a properly configured
firewall can get you hacked before the pizza is delivered,
within 30 minutes or less.

Opening an e-mail attachment from a family member, friend,
or work colleague can install a back door on your system,
allowing a hacker free access to your computer.

Downloading and executing a file via your Internet Messaging
(IM) program can turn your pristine desktop into a Centers
for Disease Control (CDC) hotzone, complete with the latest
alphabet soup virus.

Browsing to an innocent (and trusted) Web site can completely
compromise your computer, allowing a hacker to read
your sensitive files or, worse, delete them.
Trust me when we say the likelihood of becoming an Internet drive-by statistic
on the information superhighway is painfully real.
I am often asked, “Is the fear, uncertainty, and doubt (FUD) centered on
cyber-terrorism justified? Can cyber-terrorists really affect our computer systems
and our public infrastructure as some have prognosticated like new-age
Nostradamus soothsayers?” The answer I always give is, “Unequivocally,
yes.” The possibility of a digital Pearl Harbor is closer than many think.
Organized terrorist cells like Al Qaeda are raided almost weekly, and when
computers are discovered, their drives are filled with cyber-hacking plans,
U.S. infrastructure blueprints, and instructions on attacking U.S. computer
and infrastructure targets.
Do you believe the energy commissions report about the biggest power
outage in U.S history? The one that on August 14, 2003, left one-fifth of the
U.S. population without power (about 50 million people) for over 12 hours?
Do you believe that it has to do with untrimmed trees and faulty control
processes? If you believe in Occam’s Razor, then yes, the simplest explanation
is usually the correct one, but remember this: The power outage hit just
three days after the Microsoft Blaster worm, one of the most vicious computer
worms ever unleashed on the Internet, first hit. Coincidence? Perhaps.
Some of you may be skeptical, saying, “Well, if the threat is so real, why
hasn’t something bad happened yet?” I respond simply, “If I had come to you
on September 10, 2001, and said that in the near future people would use
commercial airplanes as bombs to kill over 3,000 people in the matter of 5
hours, would you believe me?” I understand your skepticism. And you should
be skeptical. But we are asking for your trust, and your faith, before something
bad happens. Trust that we know the truth, we know what is possible,
and we know the mind of the enemy. I think we can all agree on at least one
thing, we cannot allow them to succeed.
Every minute of every day there are governments, organized crime, and
hacker groups turning the doorknobs on your house looking for an unlocked
entry. They are rattling the windows and circling your domicile, looking for a
weakness, a vulnerability, or a way into your house. Are you going to let them
in? Are you going to sit idly by and watch as they ransack your belongings,
make use of your facilities, and desecrate your sanctuary? Or are you going
to empower yourself, educate yourself, and prevent them from winning? The
actions you take today will ultimately answer that question.
Do not despair, all hope is not lost. Increasing security is more of a mindset
than anything else. Security is akin to working out. If you don’t do it regularly,
it won’t become a part of your lifestyle. And if it doesn’t become a part of
your lifestyle, it will quickly become something you can forgo and avoid. In
other words, you won’t be fit. Same thing applies for security. If you don’t
realize that it is a process, not a goal, then you will never make it part of your
everyday wellness routine; as a result, it quickly becomes something you
forgo and avoid. And if you avoid it, you will eventually be bit by it.