The Abilene Net
By Gregg Powers
About this ebook
Internet usage over the last decade has exploded. Yet every day, we are seeing more and more compromises of information which is attached to the Internet. The Abilene Net explores why it is strategically impossible to fully and permanently protect information which is accessible through the Internet and proposes an alternative approach to electronic commerce. The Abilene Net contrasts and compares the current cyber war with traditional warfare and discusses a variety of issues associated with transmitting sensitive information over an open network which is accessible to virtually everyone. The book defines a series of security axioms and strategies to be considered when implementing a layered security model, recommending fundamental changes in our strategies associated with the exchange of sensitive information. The Abilene Net is a must read for CEOs, CFOs, CIOs, CTOs, and other corporate officers who will be held increasingly responsible for protecting their company's information resources and the information of their customers.
Gregg Powers
Gregg and Ed are followers of Jesus Christ who both seek a deeper relationship with the Lord through study of scripture and through trying to walk with the Holy Spirit. Gregg has spent the last 10 years facilitating his community’s Bible Study and was responsible for the Children’s Programs at his prior church. Ed has led home and church Bible studies since 2000. He currently leads a Sunday school class at his church on end times prophecy based on his book, The Day of the Lord (2nd Edition). They are committed to relying on the Word of God, not the words of men, for spiritual truth.
Book preview
The Abilene Net - Gregg Powers
© 2004 by Gregg Powers. All rights reserved.
No part of this book may be reproduced, stored in a retrieval system, or transmitted by any means, electronic, mechanical, photocopying, recording, or otherwise, without written permission from the author.
First published by AuthorHouse 04/26/04
ISBN: 978-1-4184-7392-1 (e-book)
ISBN: 1-4184-4226-7 (Paperback)
Table of Contents
Preface
Foreword
Introduction
A Bit of History
The Interminable War
The Basic Challenges
The Internet: Target One
Information Half Life
The Constantly Changing Face of War
A Sample Exercise
Understanding the Threats
The Battlefield
The Network
The Weapons
Our Enemies
Criminal Elements
Employees
Fanatics and Terrorists
Hackers and Crackers
Hostile Governments
Our Allies
Process
Time
Anticipation
The Reinforcements
Technology, a Fickle Ally
Basic Training for War
The Handicaps
Lack of Qualified Personnel
Cost of the War
Security by Committee
The Price of Openness
The Endless Stream of Changes
A Key Conflict of Interest
Liability
The Spoils of War
A War Capable and Worth Winning
A New Battlefield
Moving from Reactive to Proactive
Limiting the Damage from Attacks
Obfuscation
Conclusions
Appendix A-Summary of the Key Security Axioms
Appendix B-Three Weeks of Vulnerabilities
Appendix C-Survey of Major Internet Attacks
About the Author
Preface
This book is dedicated to God who makes all things possible through his son Jesus Christ, my wonderful wife Lois, and to my first mentors in security, Troy Schumaker, whose humility is exceeded only by his knowledge, and Demetrios Lazarikos, whose boldness and combined knowledge of security and human behavior allow him to excel in all aspects of Social Engineering. Both of these gentlemen approach security the way it ought to be approached. They recognize that security is a journey, not a destination, and that security is not just a science, but also an art. The humility they exhibit in dealing with their customers and others is a model for all to follow.
Foreword
This book is not designed to be a technical treatise on Internet security; others have walked this path before doing an excellent job, so there is no need to repeat their efforts. Rather, it is designed to focus on common sense as applied to the Internet and to put forth axioms related to the exchange of sensitive information. These are axioms that should be considered in the development of a layered security model. This book is written for the high level decision makers in a company who are starting to be held responsible for protecting the sensitive information of their company or government, their clients or constituents, and their employees. The axioms presented in this book are common sense axioms that make sense in any security setting and when taken together as a whole, beg the question: is the public Internet really an appropriate place to exchange sensitive information? This book will challenge traditionally held beliefs and may be quite controversial.
New security companies arise on a daily basis, many making a healthy living providing security consulting. While their services are useful, many operate from a flawed assumption. Many assume that enough security technologies and policies can fully protect a company and its information resources. This is a false assumption as we will see within this book. The dynamic nature of the environment we are trying to secure precludes any such guarantees.
Even as I wrap up this book, a new attack called the Slammer worm has been launched against the World Wide Web, slowing down access to Internet sites through an attack on database servers, hitting the financial industry hard. The Slammer worm set speed records for its ability to spread throughout the Internet. In addition, more than 8,000,000 credit card numbers were recently stolen from a credit card processing company. These are just a couple of high profile events that have recently arisen on the Internet landscape.
The first realization that a book of this type might be necessary was in discussion with executives of companies who could not clearly articulate the threats that exist on the Internet. Many take it for granted that the Internet is the de facto place to conduct business without even considering alternatives. Even if they could identify general threats, many had not taken the time to sit down and analyze the nature of these threats so that they could develop specific countermeasures. Although virtually every organization using the Internet maintains some type of security staff, rarely is it of sufficient size or skill to deal with the number and evolving complexity of threats that exist in the Internet community, nor is it sufficient to address the ever changing security landscape. Evidence of this claim can easily be validated by simply looking at the ever increasing number of incidents related to security breaches among both high and low profile companies. While annual spending rates on security related products and services will continue to increase, it is the basic philosophy, that enough technology and diligence can provide complete information security, which is in question. This book questions the common wisdom of using the public Internet for the exchange of sensitive information and looks at the basic security principles that should be adhered to for electronic commerce regardless of what landscape it is conducted on. Some people will read this book and may point out that it is simplistic and alarmist. I would ask you to look at the facts objectively and determine for yourself whether we are winning the war or losing the war in securing our resources and what the costs are to even make the attempt.
Introduction
Look, stop me if you’ve heard this one before...
Four adults are sitting on a porch in 104-degree heat in the small town of Coleman, Texas, some 53 miles from Abilene. They are engaging in as little motion as possible, drinking lemonade, watching the fan spin lazily, and occasionally playing the odd game of dominoes. The characters are a married couple and the wife’s parents. At some point, the wife’s father suggests they drive to Abilene to eat at a cafeteria there. The son-in-law thinks this is a crazy idea but doesn’t see any need to upset the apple cart, so he goes along with it, as do the two women. They get in their Buick, which is not equipped with air conditioning, and drive through a dust storm to Abilene. They eat a mediocre lunch at the cafeteria and return to Coleman exhausted, hot, and generally unhappy with the experience. It is not until they return home that it is revealed that none of them really wanted to go to Abilene-they were just going along because they thought the others were eager to go.
Sound familiar? The Abilene Paradox is a paradox that is examined by many middle and senior management personnel during management seminars. The lesson to be learned from the Abilene Paradox of course, is that people in groups, tend to agree on courses of action that individually they know don’t make sense. Examples of this Groupthink mentality, a term coined by Irving Janis, include the Challenger disaster, Pearl Harbor, and many others. Sometimes the paradox occurs because others take strong positions, enticing others to follow without carefully thinking through the implications of the action. At times, individuals agree with courses of action to be socially acceptable or to fit in with the group even though they may have serious reservations about the planned course of action. Often, people inadvertently transfer responsibility to other leaders assuming that they have carefully researched and thought through their recommendations and decisions. Very few people are immune to this effect and it requires people to stop and think, and then assert their objections about a given course of action, regardless of the potential consequences. At times, this can be hard to do, especially if the consequences of speaking up can be either career limiting or result in being socially outcast.
Now that we understand the basics of the Abilene paradox and Groupthink, let me tell you about another place this paradox is being practiced on a routine basis-the Internet. Here’s the way that I might sum up the Internet:
Large numbers of organizations and individuals have elected to utilize a series of public, unsecured networks, where the population of the network is largely unknown, where any entity can obtain access to the network, where actively hostile elements exist and practice their trades, and where sensitive information about businesses, individuals, and governments is routinely exchanged.
Sound accurate? While many people may object to the way in which it is phrased, most people would agree with the assertions, namely that the Internet is a series of networks, with an unknown population complete with hostile elements, where sensitive information is routinely exchanged. If a company came in and presented the Internet to you in this manner as a part of a routine sales activity, you might laugh. You would probably indicate that you weren’t interested in actually conducting business in this type of environment. Yet this is precisely what is happening.
Now, in order to be fair to the Internet Illuminati and other Internet advocates, there are mitigating circumstances to the way I summed up the Internet above. Most businesses do exchange information over encrypted channels and employ a variety of different security mechanisms and procedures to protect information. In addition, many businesses attempt to safeguard their information within their organizations, although many opt in favor of perimeter level security, leaving internal resources less protected. A mismatch continues to occur between the companies protecting information resources, which sometimes may not understand just what they are up against, believing their resources to be secure behind the corporate firewall, and the professional and criminal elements, who invest heavily (time and money) to compromise those very same information resources.
Statistics depicting the number of attacks as well as the seriousness of the attacks confirm this. As we shall see later on in this book, attempting to keep up with the hostile elements trying to compromise your corporate or individual security is a monumental and costly task. The measures taken today, to protect information resources in storage and through transmission, lead to a false sense of security. Even though we might be able to identify companies that have not been compromised to date, I would contend that it’s only a matter of time. A person who has no tickets, but routinely travels 75 MPH in a 55 MPH zone does not prove that they are safe from prosecution, only that to this point they have not been caught. Given the fact that most environments change on a daily basis, we provide our adversaries plenty of chances to catch us making a mistake.
Consider this simple security model for a moment. Suppose that we allowed access to the Pentagon by any and all individuals. We would, of course, store all information in secured areas and would carry on all conversations in locked, private rooms, talking in code. Would any of you out there suggest that this is ample security for the Pentagon? It doesn’t take much to defeat this type of security because the basic enabler is in place-FPA (Full Physical Access). Access to a resource enables you, through a variety of investigative methods, to formulate and execute attacks against the security infrastructure. The attacks can be augmented through information obtained through carefully orchestrated social engineering attacks. Given the example above, how long would it take you to think of ways to compromise that security model? As it turns out, this type of example is not all that far-fetched. The Internet is access, enabling governments, companies, individuals, and others to access other resources and systems. All it takes is a single flaw or exposure in the security models of the companies using the Internet and the exposure can be exploited by criminal elements because they have the one thing they need-FEA (Full Electronic Access). Access via the public Internet is the enabler that makes all attacks possible. And since we don’t control all of the access points, it is very hard to adequately protect information resources in this type of environment.
We have seen so many different viruses attacking the Internet community through so many different avenues. The Love Bug, Sir Cam, Bugbear, Slammer, Code Red, and Nimda are just a few of the viruses that propagated themselves over the Internet and they are setting records for how quickly they propagate, with some reaching worldwide penetration in a matter of hours. The Code Red virus for example, spread with alarming rapidity. CyberDefense magazine reported that the Code Red virus spread to approximately 359,000 servers in 14 hours and that at its peak, it affected more than 2,000 servers per minute. Overall more than 750,000 servers were estimated to have been compromised. They were launched through the Internet because someone had access. Let’s not forget the denial of service attacks rendering electronic commerce paralyzed to conduct business, buffer overflow attacks launched against applications causing a crash of the server enabling access to the underlying operating system, directory traversal attacks exposing sensitive information, and so on. Today’s information systems are complex, very complex. They are made up of more components than ever before. Is this bad? Not necessarily, but more components implies more potential vulnerabilities and subsequently many more potential attacks and attack strategies which can be employed. Often, it takes only a single vulnerability in one of the components supporting an application to launch an effective attack.
More and more disturbing trends are surfacing. Youths actively pursuing hacking careers many times devoid of conscience for the damage they cause to others, attacks on the Internet targeting critical infrastructure components, the introduction of mobile technologies extending the Internet to unwired locations, and the ever increasing philosophical gap between America and many other countries of the world. Here are some more trends that are scary.
o More than 60% of companies have disciplined individuals for improper Internet usage
o More than 30% have actually terminated employees for the same type of improper Internet usage
o 13% of employees spend more than two hours on the Internet a day
o 125 of the Fortune 500 have battled sexual harassment claims arising from misuse of the Internet or email
The trends are leading us to a less stable, less secure world and the Internet is only one casualty of this insecurity. Is this type of network really the place that we want to be exchanging sensitive information and conducting business?
The Abilene Paradox is being relived again in the minds of many individuals and executives as they utilize the Internet as the main conduit through which to conduct electronic business and exchange sensitive information. Virtually all corporate executives believe in the value of the Internet as a transport for sharing information and for transacting business enabling them to reach millions of potential customers, yet few of them consider carefully the actual cyber risks to their companies, their customers, or their business partners.
It is this panacea of universal access to a marketplace of consumers and businesses that can overwhelm common sense. Many individuals do not consider the actively hostile elements that are aligned against them in the Internet, grouping them into a general category of security threats. Often there is too great a faith in the companies that they rely on for products and services, and a hope that utilizing these products, in combination with a minimal security staff, will be sufficient to protect their information and technology resources. Executives utilize the network without understanding the ever evolving threats that can be marshaled against their business, their employees, and their customers, and most importantly, the data that represents them.
Many companies employ meager security staffs, augmenting them with consultants that may not be vested with the same level of interest in securing resources as employees of the company. Many security staffs are relatively stagnant, slowly assimilating changes in technologies and closing vulnerabilities, leaving open the window of vulnerability that exists between the time an exposure is identified and the time it is patched, longer than it should be. An