How security became mission impossible

It's getting harder and harder to secure an Internet-connected network. In fact, it's no longer possible.

It's been quite a month for network and computer security folks. Sony's network was cracked -- what, a half-dozen times? I've lost count. Then apparently everything from the CIA's website to your grandmother's embroidery blog was successfully compromised. It's almost like someone wants to prove a point.

The fact is that, even with the proliferation of computer and network security tools, it's easier than ever to compromise a network. Couple the economic downturn, which has resulted in the layoffs of thousands of skilled IT workers, with willy-nilly implementations of highly public Internet applications and frameworks -- plus the extreme effectiveness of today's hacking tools -- and you have big problems.


It does require skill to crack into a corporate server, but that expertise need only be possessed by a few people who write the tools that let anyone halfway adept get into the game. After all, known exploits are known exploits, and if you can figure out how to use public proxies or other anonymizing tools and fire up a few apps, you too can get in on the fun.

On the other side of the fence, there are -- and should be -- a whole bunch of very worried CSOs. These execs should be worried not only because their networks are going to be targeted, but because they know they simply aren't equipped to deal with the problem. Simply put, the weapons on the other side are more effective than theirs. They're outgunned and outnumbered.

Part of the problem with working in IT security is proving your worth. Bean counters can easily dismiss IT security as a money pit because "we haven't been hacked." Proving that negative when budgets are tight can be challenging. I've actually heard the argument that IT security staff should be laid off because "who would bother hacking into our company?" Of course, the answer is obvious -- hordes of 14-year-old kids armed with underground hacking tools and boredom. Or, if you're unlucky, a Russian criminal organization that decides you're worth hacking after all.

The best way to try to protect against attack is to hire competent security people -- but also to make sure that new projects are not rushed into production in an effort to meet some kind of deadline defined by nontechnical management. That's exactly how big security holes are created and how everything falls apart very quickly.

Also, make sure you're conducting regular internal and external security audits from highly reputable firms. This should include everything from external penetration testing to training employees to avoid social engineering ploys. In addition, regularly scan for rogue access points and keep close tabs on what goes into and out of the data center -- and what's actually in there. After all, a SheevaPlug looks like a wall-wart power supply and could be doing all kinds of nasty things once it has been affixed to a wall behind a desk when nobody was looking.

I know this advice sounds like your dentist admonishing you to floss three times a day and brush five, but it's good practice, even if these measures won't protect you from a few thousand loosely organized teenagers armed with Low Orbit Ion Cannon and IRC.

Let's face it, protecting an Internet-connected network of any size is no simple task, and it'll only get harder. If you've never been compromised, it's probably not because your security is all that great; it's because you haven't been noticed -- yet.

This story, "How security became mission impossible," was originally published at InfoWorld.com. Read more of Paul Venezia's The Deep End blog at InfoWorld.com.
