Information Security News mailing list archives

Complex Networks Too Easy to Hack


From: InfoSec News <isn () c4i org>
Date: Tue, 10 Dec 2002 02:59:21 -0600 (CST)

Forwarded from: William Knowles <wk () c4i org>

http://www.wired.com/news/politics/0,1283,56766,00.html

By Michael Grebb 
Dec. 09, 2002

WASHINGTON -- Internet and telecommunications experts, here on Friday 
to discuss homeland security, said increasingly complex software 
operating systems and networks have made it easier than ever to 
disrupt U.S. communications systems. 

At the same time, hackers don't need to be highly skilled to wreak 
havoc. 

"Over time, we're getting very sophisticated attacks from morons," 
said Bill Hancock, chair of the cybersecurity focus group of the 
Network Reliability and Interoperability Council, which coordinates 
voluntary "best practices" to maintain a streamlined communications 
infrastructure. 

NRIC members include Sprint PCS, AOL Time Warner, Verisign and 
WorldCom, among others. 

In January, the FCC chartered NRIC to recommend ways for companies to 
thwart cyberattacks post-Sept. 11. 

On Friday, NRIC issued its initial recommendations, several of them 
culled from existing industry best practices that companies are 
already supposed to follow -- but often don't. 

"One of the things that has happened over the last decade is that we 
have moved from proprietary to open networks," said Shawn Abbott, 
president of Rainbow e-Security, an Irvine, California, cybersecurity 
firm. "This has created new threats and vulnerabilities. We're really 
playing catch-up here." 

Others have questioned whether voluntary measures are enough to 
protect homeland security. 

But at the meeting, FCC chairman Michael Powell argued that modern 
networks are so intertwined that companies all have a stake in making 
sure they run smoothly. "This is a form of mutually assured 
destruction," he said. 

Powell, however, didn't rule out mandating some security measures for 
regulated industries -- such as cable, broadcast, satellite and 
telephone -- if it becomes necessary to protect national security. 

Hancock, meanwhile, urged system administrators to ax unnecessary 
software and features that give hackers more attack options, partition 
and isolate pieces of the network to make them harder to detect, and 
set up multiple defense layers. 

Hancock also said the added complexity of today's software -- combined 
with the increasing availability of hacker tools on the Web -- 
actually makes it easier for inexperienced hackers to break in. 

"The simpler thing was less functional but also less dangerous," said 
Powell at a press conference following the event. "With those features 
comes added vulnerabilities (that some people) aren't aware of." 

NRIC also addressed physical security, urging the government to help 
fund grounds security at key telecom facilities, increase scrutiny of 
mergers that would put communications infrastructure in foreign hands, 
and fund employer background checks on workers with access to critical 
facilities. 

Earlier this year, NRIC members adopted a plan to cooperate to restore 
service in case of a national emergency such as a terrorist attack. 
They also adopted systems to provide detailed contact information and 
identify key people to bring Internet and communications networks back 
online. 

"We have much more to do," said Powell. "It's not effective until it's 
implemented." 


 