By David Raikow, Sm@rt Reseller
August 13, 1999 11:34 AM PT

"Know your enemy." It's a strategic maxim as old as warfare, but according to experts, one which many network administrators have yet to learn. The image of the hacker as a romantic, dangerous figure is pervasive, even in high-tech industries. Vendors promote such an image to sell security products. Hackers and wanna-be's promote it for the mystique. But security specialists attending this week's WebSec security conference in San Francisco say that these myths can be far from harmless. Oftentimes, when a company is guarding against an illusory threat, it may be overlooking a real one.

Myth 1: Whiz-Kid Genius Programmers

"Anyone can learn how to hack," says Cisco Senior Network Security Engineer Craig Rowland. "Hacking is no more inherently difficult than plumbing or carpentry, and just as in anything, there is a small minority who are very intelligent and talented, and a great majority who are not."

Char Sample of L-3 Network Security concurs. "There are some really bright, creative thinkers out there; most of those guys actually want to improve security by hunting down and exposing bugs. Most would-be hackers are actually 'script kiddies' whose primary talent is downloading from warez sites."

Myth 2: Hackers = The Primary Threat

Though hacker attacks on websites have received a lot of attention lately, the vast majority of computer crimes are actually inside jobs. In one presentation at this week's WebSec conference, Global Integrity Senior VP and former federal prosecutor Mark Rasch stated that 82 percent of successful attacks on corporate systems are perpetrated by disgruntled employees or contract workers. By contrast, he estimates that only two percent of attacks are linked to "kid hackers".

The lesson? Security is about planning, not just the latest technology. That high-end firewall may keep out the best of hackers, but it can't stop an employee who's already inside a company's network.
Myth 3: Hacking Is Sophisticated Stuff

It's important to recognize the threat of attack; security breaches are a very real and very expensive risk. Good security is hard and requires significant resources. There is no "silver bullet" solution that can replace diligent monitoring and software updates.

Both Rowland and Char emphasize, however, that very few hacks are particularly sophisticated. The most common (and most successful) rely on "social engineering" directed against the user rather than the technology. In simulated attacks, Global Integrity was able to acquire passwords 90 percent of the time by either calling a user and impersonating the help desk, or vice versa, according to Rasch. The next most common technique--password guessing--is similarly low-tech.

Those attacks which do exploit technical weaknesses in the target system are rarely new or undocumented. Most can be blocked with free patches available from vendors. As many systems administrators are lax about installing security patches, crackers can get a substantial payoff with little effort by exploiting old weaknesses over and over again. Indeed, the term "script kiddie" refers to an attacker who relies on widely available freeware to exploit these weaknesses without understanding them.

According to Rowland, a few straightforward measures, such as an enforced security and password policy, staff education, and patch maintenance, will fend off most attackers. "If you keep your doors and windows locked, someone could always break through a wall," Rowland says, "but they're much more likely to move on to an easier target."
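The "diligent monitoring" the article calls for has a concrete form against the low-tech password guessing it describes: counting failed logins per source inside a short time window. The following is an added example, not code from the article or from any of the vendors quoted; the log format, addresses, user names and thresholds are constructed for illustration and are assumptions.

```python
"""Added example (not from the article): flag likely password-guessing
activity by counting failed logins per source address within a sliding
time window. The log shape, addresses, users and thresholds below are
constructed for illustration."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample authentication log (assumed syslog-like layout).
# 10.0.0.5 tries six different accounts in a few seconds; 10.0.0.9 is a
# legitimate user who mistypes twice, minutes apart, then succeeds.
SAMPLE_LOG = """\
1999-08-13 11:30:01 login failed user=alice src=10.0.0.5
1999-08-13 11:30:03 login failed user=admin src=10.0.0.5
1999-08-13 11:30:04 login failed user=root src=10.0.0.5
1999-08-13 11:30:06 login failed user=guest src=10.0.0.5
1999-08-13 11:30:07 login failed user=test src=10.0.0.5
1999-08-13 11:30:09 login failed user=oracle src=10.0.0.5
1999-08-13 11:31:00 login ok user=bob src=10.0.0.9
1999-08-13 11:45:00 login failed user=bob src=10.0.0.9
1999-08-13 11:52:00 login failed user=bob src=10.0.0.9
1999-08-13 11:53:00 login ok user=bob src=10.0.0.9
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) login (?P<result>ok|failed) "
    r"user=(?P<user>\S+) src=(?P<src>\S+)$"
)


def parse_line(line):
    """Parse one log line into a dict, or return None for unrecognized lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"),
        "result": m["result"],
        "user": m["user"],
        "src": m["src"],
    }


def find_guessing_sources(log_text, threshold=5, window=timedelta(minutes=2)):
    """Return {src: (failures_in_window, distinct_users_in_window)} for every
    source whose failed logins inside `window` reach `threshold`. The values
    are recorded at the moment the threshold is first crossed. Lines are
    assumed to be in time order, as a live log would be."""
    recent = defaultdict(deque)  # src -> deque of (timestamp, user) failures
    flagged = {}
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None or ev["result"] != "failed":
            continue
        q = recent[ev["src"]]
        q.append((ev["ts"], ev["user"]))
        # Drop failures that have aged out of the window.
        while q and ev["ts"] - q[0][0] > window:
            q.popleft()
        if len(q) >= threshold and ev["src"] not in flagged:
            distinct = len({user for _, user in q})
            flagged[ev["src"]] = (len(q), distinct)
    return flagged


if __name__ == "__main__":
    for src, (count, users) in find_guessing_sources(SAMPLE_LOG).items():
        print(f"{src}: {count} failures against {users} accounts within window")
```

The distinct-user count is the useful second signal: many failures against one account can be a forgetful user, while a burst of failures spread across several accounts from one source is the pattern the article's "password guessing" describes. Tune the threshold and window to the service; a slow guesser spaced beyond the window is not caught by this check alone.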