[Moderator: Some of the comments in this article are interesting
considering the comments posted to the Errata site a week or so ago.]
Forwarded From: Simon Taplin <sticker@icon.co.za>
Perspective--Rutrell Yasin: Think Twice Before Becoming A Hacker
Attacker
RUTRELL YASIN
December 14, 1998
I'm a big proponent of self-defense. Having studied a few of the martial
arts, I've learned the value of being prepared to fend off and respond to
attacks. To paraphrase a famous activist of the '60s: If someone attacks
you, make sure he can't put his hands on somebody else.
That appears to be the stance of a growing number of large companies that
have been victimized by hacker attacks, according to extensive research
conducted by WarRoom Research.
In an 18-month study of 320 Fortune 500 companies, 30 percent said they
have installed software capable of launching counterattacks to security
breaches. The report, titled "Corporate America's Competitive Edge,"
focuses on security and business intelligence practices and will be
available next month.
Most security experts agree that companies should have some way to strike
back at hackers. They caution users, however, not to get embroiled in
cyber shootouts. The main reason? The system you're aiming at might not be
the culprit.
The concept of "strikeback" has been around for years, but the method
gained wider attention over the past few months after the Defense
Department used software to disable an attacker's browser.
Strikeback can take many forms-from the collection of information about
intruders that can be used later to launch a counterstrike or put the
culprits in jail, to the launch of debilitating countermeasures such as
denial of services or flooding attacks that virtually shut down an
attacker's system.
But a savvy hacker can forge packet headers to make it appear that an
attack is coming from another location. And if a company is shooting first
and asking questions later, innocent people could be hurt.
What's ominous about the WarRoom Research findings is that many of the
companies in the security study would prefer to use their own strikeback
methods as opposed to calling the FBI or state law enforcement agencies.
As WarRoom Research president Mark Gembicki pointed out, a code of ethics
controls how government agencies use strikeback measures. Large companies
are truly borderless and are moving into uncharted territory.
Ken Geide, section chief of computer investigation with the FBI's National
Infrastructure Protection Center, agreed.
"It's really important that companies have the capability to detect
efforts to break into systems," he said. But strikeback has possible
drawbacks.
"The consequences of strikeback has the potential to put the victim at
civil risk or physical risk," Geide said.
The companies in the WarRoom study view strikeback as a right, just as the
law protects physical self-defense by way of force.
But there are lessons from the physical world that IT managers should
consider before launching a strike, experts said.
If you see someone trying to break into your car parked at the curb, do
you have the right to get your gun and take a shot at the suspected thief?
Geide asked.
The person might be intoxicated and just stumbling on your car, not
actually intending to break in. Worse, the bullets may ricochet and hit a
bystander.
"Our recommendation would be to let a properly trained individual help
protect the property," Geide said. IT managers should adopt the same kind
of response when conflicts arise in cyberspace.
"They could be launching a strikeback against themselves. The victim is
better off working with law enforcement," he added.
Geide said, however, that companies have been reluctant in the past to
tell law enforcement about security breaches, fearing unwanted public
exposure. Just as technology continues to advance, the FBI has grown more
sophisticated in investigating computer break-ins. "We're cognizant of the
concerns of the victim. It would be silly to victimize the victim twice,"
Geide said.
As a result, the FBI has seen a nearly 200 percent increase in pending
investigations, primarily as referrals from victims, according to Geide.
It's clear that more large companies are devising options and plans to
address network intrusions-from both internal and external attacks. Many
are deploying tools that block or kill TCP/IP connections when an
intrusion is detected.
Those considering counterstrikes should realize that we're a long way from
being able to effectively verify that we're hitting the right targets.
Rutrell Yasin is a senior editor at InternetWeek.
-o-
Subscribe: mail majordomo@repsec.com with "subscribe isn".
Today's ISN Sponsor: Repent Security Incorporated [www.repsec.com]
Received on Mon Dec 21 08:40:35 1998