Security Is 'Kid' Stuff
By Jim Rapoza | Posted 2007-07-06
Thinking like the enemy is crucial to network security.
It takes a thief to catch a thief, or so the adage goes. It's not clear how this plays out in the general crime-fighting world, but it's true when it comes to securing IT assets.
Most IT and security staffers won't have the time or skill sets to attain the expertise that high-level hackers and security researchers have, but learning to think like your most common opponent isn't that hard. And the most common attacker of your IT resources is the "script kiddie."
Most script kiddies have an IT skill level at or below that of a well-trained IT person. But what they do have is knowledge of simple hacking tools and how these tools can be used to subvert technology and basic security systems.
That's why eWEEK Labs recommends that anyone dealing with IT security become familiar with the same tools and techniques used by script kiddies today. Many of these tools can actually be quite helpful in understanding the potential weak points in your own security systems.
Here in the Labs, for example, we gained a newfound appreciation of the potential security problems in VOIP (voice over IP) implementations when we were able to use the network tool Cain & Abel to sniff and record discussions on a VOIP network.
In fact, many of the more common tools used by both security researchers and script kiddies are essentially straightforward network and system analysis tools that are useful in daily IT administration, including Ethereal and Nessus.
However, there are some script kiddie tools you shouldn't fool with, especially those designed to create and deploy worms and rootkits. Bringing these into your environment is just too risky, though it's still worthwhile to read up on these tools and understand their possible uses.
More importantly, being able to think like your most common security foe can make it easier to convince executives at your organization of the dangers of security holes.
It's one thing to say that a company resource is vulnerable to hacking, but it's quite another to be able to use test systems to actually show executives how a system could be subverted.