I am continually flabbergasted by the people who are professionals in cyber security and yet are so taken with the latest fad of the security world.
You know: we have to stop spam, we have to block worms, we have to update Windows continually....
Yes, these are problems. Spam, though, is not a security problem; phishing is. Worms may be (but the root cause is not the worm writers), and viruses, although it has been a long while since we actually saw a real one, are.
All of these are fixed real easy by keeping morons off computers and teaching the rest of the people using them how to avoid worms, trojans and viruses.
The real problem in computer security is employees who are about to attack their place of work over some real or imaginary beef.
The chance of Acme Widget getting hit by a terrorist cyber attack is about the same as being hit on the next pass of Halley's Comet. The chance that Bob in accounting is pissed off at Brenda in HR is much higher, and Bob is your security threat.
Bob's biggest payoff will be to delete all the files on Brenda's hard drive, or he just might send the plans for the next pink flamingo to another widget company for some real money and a secret attack on Acme.
Spam is not a security problem but an accounting one, the same as a denial of service is not going to hurt the company servers but will hurt the company bottom line. Security should not be watching the bottom line but checking to see if there is some reason they should be watching Bob more closely. (Isn't that what security clearances are for?)
Spam and phishing, or at least 90% of it, can be stopped real easy by looking at the header of the email and seeing if the reported sender actually is the person who sent it.
MS and a bunch of others want to add more information to the header (which can just as easily be forged and added) when there is already more than enough info there to stop 99.99% of it now.
If you use a real email program that lets you see the full Internet header of the email you get, it has a traceback in it: the Received: lines. Every mail server the message passes through adds one at the top, so the top line is the one your own server wrote and the bottom line is the first hop the sender claims.
If the Received: from IP address at the origin of that chain is not within the domain of the person in the From: line, toss it. One caveat: everything below the line your own server wrote was written by the sender, so a forger can put any Received: lines he likes at the bottom. Walk the chain down from your server's own line and judge the first outside IP that handed the mail to you, rather than trusting the bottom-most line on its own. Even Microsoft Outlook can show these headers, and any good open source email program can be easily modified to do the check. (You will need to know how to use whois, but this is not for morons, right?)
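Here is that Received: walk as a worked example. It is added code, not something from the original post: the host names, the documentation-range addresses and the DOMAIN_NETS table are constructed, and the table stands in for the whois or reverse-DNS lookup you would do for real. It walks the Received: lines from the top through the hops our own server wrote and judges the first outside IP, and it also runs the post's literal bottom-most-line recipe beside it; the second sample message is a forged header that passes the bottom-most check and fails the top-down one.

```python
import ipaddress
import re
from email import message_from_string
from email.utils import parseaddr

# Our own mail path (assumed names for this example). A Received: line written
# "by" one of these hosts is ours and can be trusted; everything below the first
# external handoff was written by the sender and may be forged.
OUR_HOSTS = {"mail.acme.example", "mx.acme.example"}
OUR_NETS = [ipaddress.ip_network("10.0.0.0/8")]  # our internal relays/desktops

# Stand-in for the whois / reverse-DNS lookup the post describes: which address
# blocks each sending domain legitimately relays from. Constructed for this
# example from documentation address ranges.
DOMAIN_NETS = {
    "widgets.example": [ipaddress.ip_network("203.0.113.0/24")],
    "bank.example": [ipaddress.ip_network("192.0.2.0/24")],
}

IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")   # IPv4 only, kept simple
BY_RE = re.compile(r"\bby\s+([\w.-]+)", re.IGNORECASE)


def parse_received(header):
    """Return (by_host, from_ip) for one Received: line, or (None, None)."""
    by = BY_RE.search(header)
    ip = IP_RE.search(header)
    if not by or not ip:
        return None, None
    try:
        return by.group(1).lower(), ipaddress.ip_address(ip.group(1))
    except ValueError:
        return None, None


def from_domain(raw):
    """Domain of the address in the From: header, lowercased."""
    _, addr = parseaddr(message_from_string(raw).get("From", ""))
    return addr.rpartition("@")[2].lower() or None


def handoff_ip(raw):
    """Walk Received: lines top-down (newest first) while they were written by
    our own hosts; return the first external address that handed the message
    to us. Returns None as soon as the chain leaves our hosts, since nothing
    below that point is trustworthy."""
    for header in message_from_string(raw).get_all("Received", []):
        by_host, from_ip = parse_received(header)
        if by_host not in OUR_HOSTS:
            return None          # not our line: stop trusting the chain here
        if any(from_ip in net for net in OUR_NETS):
            continue             # internal relay: keep walking down
        return from_ip
    return None


def bottom_ip(raw):
    """The post's literal recipe: the IP in the bottom-most Received: line."""
    received = message_from_string(raw).get_all("Received", [])
    return parse_received(received[-1])[1] if received else None


def _verdict(ip, domain):
    if ip is None or domain is None or domain not in DOMAIN_NETS:
        return "unknown"         # real code would fall back to a whois lookup
    return "keep" if any(ip in net for net in DOMAIN_NETS[domain]) else "toss"


def check(raw):
    """Keep mail only if the trusted handoff IP belongs to the From: domain."""
    return _verdict(handoff_ip(raw), from_domain(raw))


def naive_check(raw):
    """Same test against the bottom-most Received: line, for comparison."""
    return _verdict(bottom_ip(raw), from_domain(raw))


# Constructed sample messages (not real mail). Received: lines read top-down.
LEGIT = """\
Received: from mx1.widgets.example (mx1.widgets.example [203.0.113.10]) by mail.acme.example with ESMTP id 1a2b3c; Mon, 1 Jan 2007 10:00:00 +0000
Received: from desk42.widgets.example (desk42.widgets.example [203.0.113.42]) by mx1.widgets.example; Mon, 1 Jan 2007 09:59:00 +0000
From: Bob <bob@widgets.example>
To: brenda@acme.example
Subject: flamingo plans

See attached.
"""

# The sender forged a plausible bottom line naming bank.example's real relay,
# but the connection our server actually accepted came from 198.51.100.77.
FORGED = """\
Received: from mail.bank.example (unknown [198.51.100.77]) by mail.acme.example with ESMTP id 4d5e6f; Mon, 1 Jan 2007 11:00:00 +0000
Received: from mail.bank.example (mail.bank.example [192.0.2.25]) by relay.bank.example; Mon, 1 Jan 2007 10:59:00 +0000
From: "Acme Bank" <alerts@bank.example>
To: bob@acme.example
Subject: Verify your account

Click here.
"""

if __name__ == "__main__":
    for name, raw in (("legit", LEGIT), ("forged", FORGED)):
        print(f"{name}: top-down={check(raw)} bottom-most={naive_check(raw)}")
```

Run it and the legit message is kept by both checks, while the forged one is kept by the bottom-most check and tossed by the top-down one. In production you would replace DOMAIN_NETS with a whois or reverse-DNS lookup and treat "unknown" as a reason to look harder, not as a pass.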
ysrd has not had a single virus hit us in the last 15 years of Internet use. We have never had a single trojan attack and we have never been hacked (except at hackfest, and that's inside the firewall).
We use three industry standard firewalls and one of our own in series. Our network includes everything from Pocket PCs to Macs, Windows, Linux, Unix, Minix, IBM 360 and OS/2 (and others too numerous to mention). We have never had a worse problem than one of the kids deleting a picture that we got back from a 5 minute delayed RAID backup.
Our policy is: if we can hack it, don't use it. We do not use credit cards on-line. Nothing of any consequence is sent outside the firewall unless it's an encrypted file with at least 1024 bit protection. Our IP is on servers that never have a connection to the Internet. Our most secure system can only read CDs encrypted with our own special algorithm and can only be connected to by sneakernet. No floppy, no USB key, no network, just the CD. Backups are made by CD manually and kept in two separate secure off site locations. They are kept offline and no other machine but one can read them. All other machines think the CDs are junk. Hardware hack.
Why? Because it's the only secure way to do it; period.
And this is just our little IP. I think I could argue that anyone who doesn't do this is asking for trouble. If you know that there is someone out there who could get into your system and you don't do enough to keep them out, then you may as well just open source it. If someone really wants into 99% of the data out there in major corporations, they can get it and not leave a trace.
I know I am in the 99th percentile when it comes to computers; I would even hazard that at the 99.8th percentile. That leaves a lot of people who, if they wanted to, could easily learn how to do this. They already work for you. Most likely not in your IT or IT Security departments. They are the researchers in your lab, the salesman who plays with Linux or hacks his iPaq. All of the tools are readily downloaded and most run off CD without installing anything any more.
Have you heard of Knoppix yet? Have you seen the dozens of versions of it out there that include all of the latest hard-to-detect sniffers? Did you know sniffers can work on a switched network (ARP spoofing tricks the switch into sending someone else's traffic to the sniffer's port)? Did you know the computer in the local library has a direct connection to the Internet, and if you boot it from a Knoppix CD the user leaves no trace on the computer? When it runs off the CD it doesn't even start the hard drive. It doesn't change the hard drive anyway. It doesn't leave log files behind; it just lets the user have complete and unfettered access to the net anonymously, as far as that computer is concerned, and no one can stop him unless the BIOS has been locked down to boot from the hard drive only.
Now that computer could also be one of the ones in an empty cube in your company as well. One of your employees could fire this up (or one of literally hundreds of other bootable CDs) and be on your network right now. He could have hunt running right now, capturing all of the traffic, including passwords, and burning it to CD or even shoving it out onto the web.
He can access all of the shares on your Windows computers and even log into them as a sysadmin if he wants. He can then copy anything you have on-line and walk out the door, or even send it out to the net completely under your nose, and there is not one way for you to stop him short of authenticating every port and encrypting every session.
If he is smart he will make it look like it was your CIO who did it, right down to using his password, which is probably insecure, but then with hunt, which hijacks an existing TCP session rather than guessing the password, who cares.
And you are worried about worms and dos attacks.
Your IP is your company. Your employees are for the most part good people, but do you really know who they are? Now, you don't need to hire private investigators to follow them around the clock, but you should know something about them: regular security checks, police record checks, making sure people who are to have data can be trusted with it.
Another way to make your security better is to involve everyone in it. Impress on them that security is not just your job but everyone's job. If the company has a major security problem it may well be their jobs on the line if your company loses all of its IP.
Teach people how to avoid getting a worm on their computer and how to avoid Office macro viruses, or switch to a more secure or even just obscure office suite.
Teach employees how to spot someone doing something they are not supposed to, and to report it.
Just knowing that everyone is a part of security will make Bob think twice about hijacking the computer in the corner.
For your more skilled computer people, get a higher level of security check; Secret level or higher is a good way to know you can trust your key people. Keep their managers up to date on what to watch for and keep them in the loop as far as security is concerned. They should know all of their employees, right down to who they are dating regularly and whether their kids are back room hackers.
Give your employees free copies of firewalls and virus checkers for home, know how to use spyware checkers, and keep your employees up to date on how to use them. With the home network becoming an extension of the corporate network this is imperative. People take work home; make sure it's as secure there as at work.
Give regular talks and information sessions on security; keep them interesting and supply free food and coffee. If you don't, you don't reach your audience. Don't force them, but make sure they are there anyway. Have a course you give, and do it on company time. It's worth the investment.
Use wireless, but use it right. Put your wireless network in a DMZ, use VPN, use encryption, and set up the wireless to only allow known devices by MAC address. Treat the MAC filter as a speed bump rather than a lock: MAC addresses go over the air in the clear and are trivially spoofed, so the VPN and the encryption are the real controls.
Defense in depth. I use firewalls on every computer, plus the one in the gateway computer, plus the one built into the proxy server. This puts 3 firewalls between your data and the Internet.
Use a gateway computer instead of an appliance. All of the appliances out there are just monitorless computers with an OS and some type of net access admin. The OS is most likely Linux or Windows, and how often do you patch them? Do you apply the monthly worm patches from Microsoft to the appliance? Did you know you have to? Did the supplier tell you that what you have running as your primary security device is an unpatched version of Windows? Did you even set the admin password to something other than the default?
We use a real computer for a gateway. We patch it as patches become available, with daily checks for OS, firewall and virus software and signature updates.
Well that's my rant for the day.
ysrd