Get into hackers' minds, companies urged
By M. Madhavan
The Star (1st June 2001)

KUALA LUMPUR: Companies should understand how hackers work to better tighten their network security, urged software powerhouse Computer Associates International Inc (CA).

"Rather than just talk about technology and how it does 'wonders', we feel it is better to give a picture of the 'other side- how hackers exploit security loopholes," said Hee Keen Keong, the company's South-East Asia field services group vice-president.

Also, companies should understand "computer forensics," methods to gather evidence if their server is hacked, as well as know how to recover from a computer break-in, he said.

"Knowing the hacker game raises confidence in IT managers," Hee added.

IT managers should be aware that hackers still use a dictionary to crack passwords, and most of the time they are successful because many IT managers still use simple passwords, he said.

"From experience, instead of just recommending that they use a tough password- a combination of words and numbers- we also recommend that they do not have a single account with full privileges," Hee said.

It is better to distribute access rights to several accounts, so that a hacker can't do much damage once he gets the password for a single account, he added.

CA's ( suite of e-business security solutions, eTrust, does this and also provides an Intruder Detection System (IDS), firewall, content inspection and virus protection among others.

eTrust is available for most platforms, including Windows, Solaris and Linux, and counters security threats like website defacement and denial of service attacks, Hee said at CA's hands-on seminar, Unmasking the Network Intruder.

At the seminar, CA vendors and customers, as well as members of the media, ran through exercises on how to hack a website.

Companies should also realise that there is no single technology or a "silver bullet" that can protect them from intruders. "Only awareness and common sense would prevail," said Hee.

"Computer vendors, government agencies and the press should do their part to increase awareness of new trends of attacks," he added.

Hee noted that there was an increased awareness after the denial-of-service attacks brought down Internet giants like Yahoo! and eBay in February last year.

Still, Hee pointed out that internal parties- like employees abusing their access privileges- were still a bigger threat to companies than external threats such as viruses.

"The challenge is greater with internal threats because it is not just about laying out perimeter defences, and everyone is a suspect. So who do you trust?" he said.

One of the ways to overcome internal threats is to have (strict security) policies and clear guidelines, Hee said.