Q&A

Securing the Network

Larry Bickner, vice president and information security officer of Nasdaq, answers readers' network security questions

December 09, 2002, CSO

Q: I get a lot of script kiddies hitting our websites, apparently trying to overflow the URL buffer and access the system files. What can you tell me about this three-pronged exploit?

A: This falls into the "script list" set of hacks, where the script follows a logical progression of attacks to gain access to a target system. The problem is that there are hundreds of variations on the theme, with more coming each day. I suggest maintaining a focus on the totality of the attacks faced by your websites.

It is not unreasonable to worry about the sheer number of attempts on your systems, even though your logs suggest that they are not soaking through your defenses. You are faced with the fact that, if just one box is misconfigured and vulnerable, you will have a problem.

You need enough overlap of controls, countermeasures, monitoring and surveillance to allow you to effectively detect and stop a penetration—before it does any damage to your products or services. Given the thousands of known hacks and dozens of uncorrected vulnerabilities in the wild at any given time, you have to play a game of probabilities by stacking up solid firewall controls, standard images, religious patch management, keen intrusion detection systems (IDS) and dedicated staff against the odds.

Q: At your company, do you determine the level of protection based on data classification, or do you treat all the information as crucial? Do you have any internal process to analyze logs and try to predict hack attempts?

A: Yes and no. Rarely can you influence the sensitivity level of data. It is not clearly identifiable within the overlapping layers of network, system, application and operational controls. I keep the sensitivity or classification level in the back of my mind during risk reviews because it establishes the why of the attack equation, and I set the minimum protection level, in part, based on the sensitivity and value of the information.

We all have to deal with the fact that, in the end, we cannot accurately predict when someone will start attacking our internal or external systems or networks. Looking through megabytes of logs is unlikely to yield a good enough answer to justify the time and tool costs involved. I prefer to rely on some level of intuition that is based on external threat levels identified across our industry and across the Internet, the internal climate within my company, the state of vulnerabilities, the availability of hacking tools and methods, and last but not least the trends information from our IDS and other surveillance systems. From this amalgam of knowledge and information, we attempt to set our risk level on a weekly basis and increase our protective condition level to match.
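The first answer's point about watching the totality of URL probes against a website, and the second answer's reliance on trend information from surveillance systems rather than reading raw logs by hand, can be illustrated with a small detector. The script below is an added example, not code from the column or from Nasdaq: it parses combined-format web access log lines, flags two of the probe types the reader described (overlong request URIs and ".." path-traversal attempts, including URL-encoded variants), and summarises flagged requests per source so a defender sees the pattern rather than isolated hits. The log lines, the host addresses and the 2048-byte length threshold are all constructed assumptions.

```python
"""Flag URL-overflow and file-access probes in web access logs and summarise them
per source.  Added example; the sample log lines below are constructed."""
import re
from collections import Counter, defaultdict
from urllib.parse import unquote

# Combined log format: host ident user [time] "method uri proto" status size "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
)

MAX_URI_LEN = 2048  # assumed threshold; tune it to the longest legitimate URL you serve

# A ".." path segment (forward- or back-slash delimited) after percent-decoding
TRAVERSAL_RE = re.compile(r'(^|[/\\])\.\.([/\\]|$)')


def classify(uri: str) -> list[str]:
    """Return the probe categories a request URI matches; an empty list means it looks benign."""
    findings = []
    if len(uri) > MAX_URI_LEN:
        findings.append("overlong-uri")
    # Decode twice so that double-encoded sequences (%252e%252e) are also normalised
    decoded = unquote(unquote(uri))
    if TRAVERSAL_RE.search(decoded):
        findings.append("path-traversal")
    return findings


def scan(log_text: str):
    """Parse each line, classify its URI and aggregate findings by source host.

    Returns (per_host, unparsed) where per_host maps host -> Counter of categories
    and unparsed counts lines that did not match the log format."""
    per_host = defaultdict(Counter)
    unparsed = 0
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            unparsed += 1
            continue
        for tag in classify(m.group("uri")):
            per_host[m.group("host")][tag] += 1
    return per_host, unparsed


def noisiest_sources(per_host, top: int = 3):
    """Sources ordered by number of flagged requests, busiest first."""
    totals = {host: sum(counts.values()) for host, counts in per_host.items()}
    return sorted(totals.items(), key=lambda kv: (-kv[1], kv[0]))[:top]


# Constructed sample log: one benign client, one probing client, one junk line
SAMPLE_LOG = "\n".join([
    '198.51.100.4 - - [09/Dec/2002:10:01:02 +0000] "GET /index.html HTTP/1.0" 200 512 "-" "Mozilla/4.0"',
    '203.0.113.7 - - [09/Dec/2002:10:01:03 +0000] "GET /cgi-bin/../../../../etc/passwd HTTP/1.0" 404 0 "-" "-"',
    '203.0.113.7 - - [09/Dec/2002:10:01:04 +0000] "GET /%2e%2e/%2e%2e/etc/passwd HTTP/1.0" 404 0 "-" "-"',
    '203.0.113.7 - - [09/Dec/2002:10:01:05 +0000] "GET /' + "A" * 3000 + ' HTTP/1.0" 414 0 "-" "-"',
    '198.51.100.4 - - [09/Dec/2002:10:02:00 +0000] "GET /products/list?page=2 HTTP/1.0" 200 2048 "-" "Mozilla/4.0"',
    'garbage line that is not a log record',
])

if __name__ == "__main__":
    hosts, bad = scan(SAMPLE_LOG)
    for host, total in noisiest_sources(hosts):
        print(f"{host}: {total} flagged request(s) {dict(hosts[host])}")
    print(f"unparsed lines: {bad}")
```

Run stand-alone it reports the probing host with two traversal attempts and one overlong URI, and the benign client does not appear at all. Feeding it a day's log and watching the per-source totals week over week gives exactly the kind of trend input the answer describes, without anyone reading megabytes of raw lines.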
