[iwar] [fc:Hackers'.Worst.Nightmare.Sports.a.Politician's.Smile]

From: Fred Cohen (fc@all.net)
Date: 2001-10-13 01:57:30



Hackers' Worst Nightmare Sports a Politician's Smile: In computer crime,
the security expert says, the best of the bad guys don't brag.

By David Rountree, Bank Technology News, 10/11/2001
http://www.banktechnews.com/btn/articles/btnsep01-12.shtml

It's not hard to imagine Dorsey Morrow as a high school kid discovering
that computers interested him more than football. Now an attorney and
holder of the highest network security certification available, he's
only 34 and looks younger.

Some of his elders may remember Eagle Corp.'s "Eagle II" computer -- the
one Morrow got his hands on after playing with an Apple in a sophomore
computer lab at his hometown high school in Selma, AL. 

"I suppose the guys I hung out with ...  we were all geeks!" he laughs,
rocking back a little in the chair of his office in Montgomery.  "I
learned a little programming in 10th grade, and then Microsoft came
along and I got interested in DOS, then just went on from there."

He "went on" to earn a bachelor's degree in computer science at Troy
State University and was preparing to attend law school in New Hampshire
when he met his wife to be, the former Paige Kyser of Montgomery. 

He smiles again: "She has strong roots here." He finished law school in
Montgomery, not New Hampshire, in 1993. 

Today, Morrow continues to practice law in Alabama, occasionally filling
in on the bench in Montgomery Municipal Court, but his principal work
still involves his love of all things digital.  And much of his
professional experience in that area has been in a financial
environment.  He oversaw the computer systems of a Montgomery-based
insurance company during his law-school days. 

He found time to earn an MBA along the way as well. 

This past December, Morrow became a network security expert for Newark,
DE-based Hyperon Inc., working with Brinks Internet Security, a joint
venture of Brinks and Hyperon. 

Not surprisingly, considering his easy, Southern manner and unabashed
interest in politics, Morrow is as friendly as they come and a great
talker.  Nonetheless, his smile disappears and his tone grows dead
serious when the subject turns to corporate data security and the
hackers who take pleasure, if not always money, in trying to compromise
it. 

"Fortunately," he says, "most of them are ...  well, I call them 'script
kitties.' They use 'scripts' that are available at any number of [hacker
Web] sites.  They download these scripts that make it easy for them to
run the attack.  Those aren't the guys you have to worry about as much,
in part because they like to brag about what they've done.  They are out
there rattling the doorknob to see whether they can get in. 

"It's the security breaches that you never learn about that are the real
threat -- the ones who are quiet as a church mouse and like surgeons.  They
come in to get money as fast as possible, then disappear."

Professional hackers choose their targets carefully, says Morrow, who
passed the International Information Systems Security Certification
Consortium, or ISC2, examination in 1999 (on his first try). 

"They are very, very careful in coming in [to your network].  They do
their damage and go away quickly and quietly."

And the pros, Morrow adds, don't brag about their successes. 

Asked to name a few Brinks Internet Security clients, his smile returns;
but, it's a smile even a rookie journalist would recognize immediately
as an "I can't talk about that" smile. 

"I'd best just say several very large banks and credit card issuers,"
Morrow allows, "along with some large manufacturing corporations."

Although he's quick to point out that he considers his legal specialty
computer law, Morrow is also careful to note that he is licensed to
practice law only in Alabama and his work with Brinks Internet Security
focuses exclusively on protecting corporate clients' networks from both
intrusion and internal threats. 

Security has been a focus of corporations for some time, of course, but
has "seen even greater attention" in financial services in the past two
years -- since Gramm Leach Bliley.

"Companies realize you must have security, so you could say our business
has cranked up," Morrow says.  "Detection is hot, but the fact is that
an ounce of prevention will save you from having to spend a pound on
that protection."

In addition to his employer's client list, he is hesitant to describe
Brinks Internet Security's operations in detail. 

Too down to earth to be given to melodrama, Morrow makes no bones about
the people he's up against.  "They're criminals," he says in a
no-nonsense tone, "and they represent serious threats."

If Hyperon or Brinks Internet Security ever decides to put one of their
own in a marketing campaign, they'd be crazy not to use Morrow. 
Hyperon's network security expertise (the company's president, Jim
Molini, also holds ISC2 certification) "really was a perfect fit with
Brinks," beams the young lawyer, who serves as the security consortium's
general counsel on a volunteer basis.  "Brinks also had a tremendous
amount of knowledge about information security and [a network]
infrastructure that would be difficult for anyone else in the world to
duplicate."

The bulk of his work involves financial networks, Morrow says, adding
that "banks have huge privacy responsibilities in the wake of GLB.  All
financial services organizations have begun looking at security in a
whole new light."

Pressed for at least a general description of his firm's operations, he
says Brinks' "intrusion detection system, or IDS, can pick up on any
instance of unauthorized outbound client information."

Such an instance wouldn't necessarily mean the data was "leaving the
bank," he adds.  If the information made its way to a part of the
network on which it didn't belong, and on which it could become more
accessible to an intruder, the security technology would make that
known. 

While it's true that he could tell more exciting stories, Morrow says a
substantial number of security lapses are owing mostly to companies'
failure to stay current on available patches and fixes for their
applications. 

"A bank's software vendor may well inform them about a problem and say,
'Here's what you need to do.' Too many banks don't get around to it."

Detection may be sexy, but prevention, Morrow says, is smarter. 

But, detection of what?

"Any circumvention of your security standards basically," he says.  "Any
anomalies, anything that strikes you as odd, is probably a sign that
something is going on. 

"If you see a heavy, unusual spike -- say, someone logging on at 11 p.m.
for a long period-that would deserve attention."

In a huge corporate network, which may well be an aggregation of many
networks, the ability to detect unusual activity is by no means a given. 

"To be able to recognize it," Morrow says, "you must have a good
baseline for comparison.  Privacy is the driver, but you must have a
good baseline of what your systems are." Brinks Internet Security
project teams work closely with senior management as well as the IT
staff for that reason, "because the job of setting those parameters and
establishing a baseline for systems is based on each individual client's
preferences."

Echoing a theme one hears from virtually all technology firms serving
large corporations, he adds: "Without that buy-in from top management,
you're going to face significant roadblocks, and that means the job is
not going to get done properly."

Security is a "dynamic, changing issue," Morrow cautions, "and it can be
very creative on the criminal side.  That's why prevention is so
critical."

After delivering to clients an assessment of their current security
environment at a level of detail specified by the customer ("For some
relatively small clients, we're asked to do what amounts to a quick
fly-over," Morrow says), Brinks Internet Security normally is hired to
fix the vulnerabilities it has identified. 

Once again sounding like a no-brag, just-fact observer, Morrow notes
that he has never been unable to "find cracks in even the best security
systems."

"Occasionally, we don't find cracks or obscure little things.  We find
gaping holes."

Managers with IT responsibility react differently to the news, but "it's
the ones who are not offended when you tell them about it ...  that's
when you know they're really interested in security."

Morrow says the economy's sputtering performance in the past year hasn't
stemmed banks' demand for security services, including technology
consulting related to privacy. 

"At the same time that banks don't mind spending the money necessary,
this is an area where they see real value in return.  We see a great
deal of business on the horizon, too, on both the consulting and
security technology side," Morrow says. 

Every bit as dynamic as the latest intrusion threats facing corporations
is the law surrounding the operation of the Internet as well as
multitudes of private networks, he says. 

"Over the past five years alone, this area of the law has exploded,"
adds Morrow, who makes it his business to stay abreast of it. 

"And you really have to immerse yourself in security, too, and read
constantly.  Luckily," adds the politician in him, "my employer provides
an allowance for books and periodicals.  You can't beat that."

Spend an hour or two with Morrow and you'll bet it would take one heck
of a hacker to beat him at his game. 


------------------
http://all.net/ 


This archive was generated by hypermail 2.1.2 : 2001-12-31 20:59:54 PST