The Abilene Net
Ebook, 228 pages, 3 hours


About this ebook



Internet usage over the last decade has exploded. Yet every day, we are seeing more and more compromises of information which is attached to the Internet. The Abilene Net explores why it is strategically impossible to fully and permanently protect information which is accessible through the Internet and proposes an alternative approach to electronic commerce. The Abilene Net contrasts and compares the current cyber war with traditional warfare and discusses a variety of issues associated with transmitting sensitive information over an open network which is accessible to virtually everyone. The book defines a series of security axioms and strategies to be considered when implementing a layered security model, recommending fundamental changes in our strategies associated with the exchange of sensitive information. The Abilene Net is a must read for CEOs, CFOs, CIOs, CTOs, and other corporate officers who will be held increasingly responsible for protecting their company's information resources and the information of their customers.



Language: English
Publisher: AuthorHouse
Release date: May 1, 2004
ISBN: 9781418473921
Author

Gregg Powers

Gregg and Ed are followers of Jesus Christ who both seek a deeper relationship with the Lord through study of scripture and through trying to walk with the Holy Spirit. Gregg has spent the last 10 years facilitating his community’s Bible Study and was responsible for the Children’s Programs at his prior church. Ed has led home and church Bible studies since 2000. He currently leads a Sunday school class at his church on end times prophecy based on his book, The Day of the Lord (2nd Edition). They are committed to relying on the Word of God, not the words of men, for spiritual truth.


    Book preview

    The Abilene Net - Gregg Powers

    © 2004 by Gregg Powers. All rights reserved.

    No part of this book may be reproduced, stored in a retrieval system, or transmitted by any means, electronic, mechanical, photocopying, recording, or otherwise, without written permission from the author.

    First published by AuthorHouse 04/26/04

    ISBN: 978-1-4184-7392-1 (e-book)

    ISBN: 1-4184-4226-7 (Paperback)

    Table of Contents

    Preface

    Foreword

    Introduction

    A Bit of History

    The Interminable War

    The Basic Challenges

    The Internet: Target One

    Information Half Life

    The Constantly Changing Face of War

    A Sample Exercise

    Understanding the Threats

    The Battlefield

    The Network

    The Weapons

    Our Enemies

    Criminal Elements

    Employees

    Fanatics and Terrorists

    Hackers and Crackers

    Hostile Governments

    Our Allies

    Process

    Time

    Anticipation

    The Reinforcements

    Technology, a Fickle Ally

    Basic Training for War

    The Handicaps

    Lack of Qualified Personnel

    Cost of the War

    Security by Committee

    The Price of Openness

    The Endless Stream of Changes

    A Key Conflict of Interest

    Liability

    The Spoils of War

    A War Capable and Worth Winning

    A New Battlefield

    Moving from Reactive to Proactive

    Limiting the Damage from Attacks

    Obfuscation

    Conclusions

    Appendix A-Summary of the Key Security Axioms

    Appendix B-Three Weeks of Vulnerabilities

    Appendix C-Survey of Major Internet Attacks

    About the Author

    Preface

    This book is dedicated to God who makes all things possible through his son Jesus Christ, my wonderful wife Lois, and to my first mentors in security, Troy Schumaker whose humility is exceeded only by his knowledge and Demetrios Lazarikos whose boldness and combined knowledge of security and human behavior allow him to excel in all aspects of Social Engineering. Both of these gentlemen approach security the way it ought to be approached. They recognize that security is a journey, not a destination and that security is not just a science, but also an art. The humility they exhibit in dealing with their customers and others is a model for all to follow.

    Foreword

    This book is not designed to be a technical treatise on Internet security; others have walked this path before doing an excellent job, so there is no need to repeat their efforts. Rather, it is designed to focus on common sense as applied to the Internet and to put forth axioms related to the exchange of sensitive information. These are axioms that should be considered in the development of a layered security model. This book is written for the high level decision makers in a company who are starting to be held responsible for protecting the sensitive information of their company or government, their clients or constituents, and their employees. The axioms presented in this book are common sense axioms that make sense in any security setting and when taken together as a whole, beg the question: is the public Internet really an appropriate place to exchange sensitive information? This book will challenge traditionally held beliefs and may be quite controversial.

    New security companies arise on a daily basis, many making a healthy living providing security consulting. While their services are useful, many operate from a flawed assumption. Many assume that enough security technologies and policies can fully protect a company and its information resources. This is a false assumption as we will see within this book. The dynamic nature of the environment we are trying to secure precludes any such guarantees.

    Even as I wrap up this book, a new attack called the Slammer worm has been launched against the World Wide Web, slowing down access to Internet sites through an attack on database servers, hitting the financial industry hard. The Slammer worm set speed records for its ability to spread throughout the Internet. In addition, more than 8,000,000 credit card numbers were recently stolen from a credit card processing company. These are just a couple of high profile events that have recently arisen on the Internet landscape.

    The first realization that a book of this type might be necessary was in discussion with executives of companies who could not clearly articulate the threats that exist on the Internet. Many take it for granted that the Internet is the de facto place to conduct business without even considering alternatives. Even if they could identify general threats, many had not taken the time to sit down and analyze the nature of these threats so that they could develop specific countermeasures. Although virtually every organization using the Internet maintains some type of security staff, rarely is it of sufficient size or skill to deal with the number and evolving complexity of threats that exist in the Internet community, nor is it sufficient to address the ever changing security landscape. Evidence of this claim can easily be validated by simply looking at the ever increasing number of incidents related to security breaches among both high and low profile companies. While annual spending rates on security related products and services will continue to increase, it is the basic philosophy, that enough technology and diligence can provide complete information security, which is in question. This book questions the common wisdom of using the public Internet for the exchange of sensitive information and looks at the basic security principles that should be adhered to for electronic commerce regardless of what landscape it is conducted on. Some people will read this book and may point out that it is simplistic and alarmist. I would ask you to look at the facts objectively and determine for yourself whether we are winning the war or losing the war in securing our resources and what the costs are to even make the attempt.

    Introduction

    Look, stop me if you’ve heard this one before...

    Four adults are sitting on a porch in 104-degree heat in the small town of Coleman, Texas, some 53 miles from Abilene. They are engaging in as little motion as possible, drinking lemonade, watching the fan spin lazily, and occasionally playing the odd game of dominoes. The characters are a married couple and the wife’s parents. At some point, the wife’s father suggests they drive to Abilene to eat at a cafeteria there. The son-in-law thinks this is a crazy idea but doesn’t see any need to upset the apple cart, so he goes along with it, as do the two women. They get in their Buick, which is not equipped with air conditioning, and drive through a dust storm to Abilene. They eat a mediocre lunch at the cafeteria and return to Coleman exhausted, hot, and generally unhappy with the experience. It is not until they return home that it is revealed that none of them really wanted to go to Abilene; they were just going along because they thought the others were eager to go.

    Sound familiar? The Abilene Paradox is a paradox that is examined by many middle and senior management personnel during management seminars. The lesson to be learned from the Abilene Paradox, of course, is that people in groups tend to agree on courses of action that individually they know don’t make sense. Examples of this Groupthink mentality, a term coined by Irving Janis, include the Challenger disaster, Pearl Harbor, and many others. Sometimes the paradox occurs because others take strong positions, enticing others to follow without carefully thinking through the implications of the action. At times, individuals agree with courses of action to be socially acceptable or to fit in with the group even though they may have serious reservations about the planned course of action. Often, people inadvertently transfer responsibility to other leaders, assuming that they have carefully researched and thought through their recommendations and decisions. Very few people are immune to this effect and it requires people to stop and think, and then assert their objections about a given course of action, regardless of the potential consequences. At times, this can be hard to do, especially if the consequences of speaking up can be either career limiting or result in being socially outcast.

    Now that we understand the basics of the Abilene paradox and Groupthink, let me tell you about another place this paradox is being practiced on a routine basis: the Internet. Here’s the way that I might sum up the Internet:

    Large numbers of organizations and individuals have elected to utilize a series of public, unsecured networks, where the population of the network is largely unknown, where any entity can obtain access to the network, where actively hostile elements exist and practice their trades, and where sensitive information about businesses, individuals, and governments is routinely exchanged.

    Sound accurate? While many people may object to the way in which it is phrased, most people would agree with the assertions, namely that the Internet is a series of networks, with an unknown population complete with hostile elements, where sensitive information is routinely exchanged. If a company came in and presented the Internet to you in this manner as a part of a routine sales activity, you might laugh. You would probably indicate that you weren’t interested in actually conducting business in this type of environment. Yet this is precisely what is happening.

    Now, in order to be fair to the Internet Illuminati and other Internet advocates, there are mitigating circumstances to the way I summed up the Internet above. Most businesses do exchange information over encrypted channels and employ a variety of different security mechanisms and procedures to protect information. In addition, many businesses attempt to safeguard their information within their organizations, although many opt in favor of perimeter level security, leaving internal resources less protected. A mismatch continues to occur between the companies protecting information resources, which sometimes may not understand just what they are up against, believing their resources to be secure behind the corporate firewall, and the professional and criminal elements, who invest heavily (time and money) to compromise those very same information resources.

    Statistics depicting the number of attacks as well as the seriousness of the attacks confirm this. As we shall see later on in this book, attempting to keep up with the hostile elements attempting to compromise your corporate or individual security is a monumental and costly task. The measures taken today, to protect information resources in storage and through transmission, lead to a false sense of security. Even though we might be able to identify companies that have not been compromised to date, I would contend that it’s only a matter of time. A person who has no tickets, but routinely travels 75 MPH in a 55 MPH zone does not prove that they are safe from prosecution, only that to this point they have not been caught. Given the fact that most environments change on a daily basis, we provide our adversaries plenty of chances to catch us making a mistake.

    Consider this simple security model for a moment. Suppose that we allowed access to the Pentagon by any and all individuals. We would, of course, store all information in secured areas and would carry on all conversations in locked, private rooms, talking in code. Would any of you out there suggest that this is ample security for the Pentagon? It doesn’t take much to defeat this type of security because the basic enabler is in place: FPA (Full Physical Access). Access to a resource enables you, through a variety of investigative methods, to formulate and execute attacks against the security infrastructure. The attacks can be augmented through information obtained through carefully orchestrated social engineering attacks. Given the example above, how long would it take you to think of ways to compromise that security model? As it turns out, this type of example is not all that far-fetched. The Internet is access, enabling governments, companies, individuals, and others to access other resources and systems. All it takes is a single flaw or exposure in the security models of the companies using the Internet and the exposure can be exploited by criminal elements because they have the one thing they need: FEA (Full Electronic Access). Access via the public Internet is the enabler that makes all attacks possible. And since we don’t control all of the access points, it is very hard to adequately protect information resources in this type of environment.

    We have seen so many different viruses attacking the Internet community through so many different avenues. The Love Bug, Sircam, Bugbear, Slammer, Code Red, and Nimda are just a few of the viruses that propagated themselves over the Internet and they are setting records for how quickly they propagate, with some reaching worldwide penetration in a matter of hours. The Code Red virus, for example, spread with alarming rapidity. CyberDefense magazine reported that the Code Red virus spread to approximately 359,000 servers in 14 hours and that at its peak, it affected more than 2,000 servers per minute. Overall more than 750,000 servers were estimated to have been compromised. They were launched through the Internet because someone had access. Let’s not forget the denial of service attacks rendering electronic commerce paralyzed to conduct business, buffer overflow attacks launched against applications causing a crash of the server enabling access to the underlying operating system, directory traversal attacks exposing sensitive information, and so on. Today’s information systems are complex, very complex. They are made up of more components than ever before. Is this bad? Not necessarily, but more components implies more potential vulnerabilities and subsequently many more potential attacks and attack strategies which can be employed. Often, it takes only a single vulnerability in one of the components supporting an application to launch an effective attack.

    More and more disturbing trends are surfacing. Youths actively pursuing hacking careers many times devoid of conscience for the damage they cause to others, attacks on the Internet targeting critical infrastructure components, the introduction of mobile technologies extending the Internet to unwired locations, and the ever increasing philosophical gap between America and many other countries of the world. Here are some more trends that are scary.

    o   More than 60% of companies have disciplined individuals for improper Internet usage

    o   More than 30% have actually terminated employees for the same type of improper Internet usage

    o   13% of employees spend more than two hours on the Internet a day

    o   125 of the Fortune 500 have battled sexual harassment claims arising from misuse of the Internet or email

    The trends are leading us to a less stable, less secure world and the Internet is only one casualty of this insecurity. Is this type of network really the place that we want to be exchanging sensitive information and conducting business?

    The Abilene Paradox is being relived again in the minds of many individuals and executives as they utilize the Internet as the main conduit through which to conduct electronic business and exchange sensitive information. Virtually all corporate executives believe in the value of the Internet as a transport for sharing information and for transacting business enabling them to reach millions of potential customers, yet few of them consider carefully the actual cyber risks to their companies, their customers, or their business partners.

    It is this panacea of universal access to a marketplace of consumers and businesses that can overwhelm common sense. Many individuals do not consider the actively hostile elements that are aligned against them in the Internet, grouping them into a general category of security threats. Often there is too great a faith in the companies that they rely on for products and services, and a hope that utilizing these products in combination with a minimal security staff will be sufficient to protect their information and technology resources. Executives utilize the network without understanding the ever evolving threats that can be marshaled against their business, their employees, and their customers, and most importantly, the data that represents them.

    Many companies employ meager security staffs, augmenting them with consultants that may not be vested with the same level of interest in securing resources as employees of the company. Many security staffs are relatively stagnant, slowly assimilating changes in technologies and closing vulnerabilities, leaving open the window of vulnerability that exists between the time an exposure is identified and the time it is patched, longer than it should be. An
