CRBJ, October 2005
Hackers: If you can't beat 'em, employ 'em

By Ken Doyle

This year's annual Defcon conference in July brought together a record crowd of hackers, federal agents and computer security experts. A highlight was the "Wall of Sheep," a giant public screen that displayed the names and partial passwords of unsuspecting attendees who used the hotel's unsecured wireless network. With cyber-crime becoming big business, the trend of former hackers turning into security consultants continues to grow. Hiring someone with a criminal record to evaluate your network may be a debatable move, but I believe every company can benefit from thorough, periodic assessments of its network vulnerabilities. Often the best results come from working with several security firms. These companies typically employ so-called "white hat" hackers, whose expertise in breaking into systems is put to legitimate use.
In many cases, a critical step in improving security is selecting and deploying intrusion detection systems (IDS). These systems monitor either individual computers (host-based) or the traffic flowing over a network segment (network-based), and send alerts when suspicious activity is detected. Although many companies turn to IDS only after they've experienced a problem, IDS are most effective when used as part of a preventive maintenance program.

Host-based intrusion detection systems (HIDS) install software on each computer to be monitored. The software generates log files that, together with the operating system's own records, give the security experts data to review. HIDS watch traffic to and from the computer, monitor running processes, and check the integrity of critical system files by comparing their current fingerprints against a stored baseline. The simplest form of host-based protection is a personal firewall, such as those produced by vendors like Symantec, McAfee and ZoneLabs. More sophisticated HIDS consist of agents that report back to a central location, which also matters for evidence: an intruder who gains full control of a machine can edit the logs kept on it, so the copy held centrally is the one you can trust. Products in this category include Tripwire (www.tripwire.com), which pioneered file-integrity checking, and Cisco Security Agent (www.cisco.com).

Network-based intrusion detection systems (NIDS) monitor traffic on a specific network segment by examining packets as they flow past a sensor. Like antivirus software, most NIDS identify suspicious activity by matching traffic against known patterns, or signatures, which means they can only flag what someone has already written a signature for and cannot see inside encrypted connections. NIDS come in two forms: stand-alone sensor appliances from vendors such as Cisco (its PIX product, often mentioned in this context, is a firewall rather than an IDS) and software-based sensors, like the open-source Snort (www.snort.org), installed on a dedicated computer.

HIDS have the advantage of protecting a computer both on and off the corporate network (a laptop stays covered at home or on the road), and they are generally cheaper to own and need less specialized knowledge to install and use. In contrast, NIDS are typically more expensive and more difficult to deploy effectively: the sensor has to be placed where it can actually see the traffic, usually on a mirror port or network tap, and tuning its signatures to cut false alarms takes skill. However, NIDS are critical in mixed-platform environments where HIDS may not be available for, or cannot effectively protect, every individual computer.
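To make the two styles concrete, here is an added example that is not code from the column or from Tripwire, Cisco or Snort: a toy host-integrity check in the Tripwire style (baseline the hashes of important files, then report what changed) and a toy payload-signature scanner in the Snort style, run over constructed sample files and packets. The file contents, addresses, payloads and the three signature patterns are all made up for the demonstration.

```python
"""Added example: the two IDS styles in miniature (not code from the column
or from Tripwire, Cisco or Snort). All paths, addresses and payloads below
are constructed sample data."""
import hashlib
import re
from urllib.parse import unquote


# --- Host-based: file integrity checking, the Tripwire idea -----------------

def snapshot(files):
    """Map each path to the SHA-256 of its contents.

    `files` is {path: bytes}. A real agent reads the files from disk and
    keeps the baseline somewhere an intruder on the host cannot rewrite
    (read-only media or a central server); otherwise a root-level attacker
    simply re-baselines after installing the backdoor.
    """
    return {path: hashlib.sha256(data).hexdigest() for path, data in files.items()}


def compare(baseline, current):
    """Report paths whose hash changed, that appeared, or that vanished."""
    return {
        "modified": sorted(p for p in baseline if p in current and baseline[p] != current[p]),
        "added": sorted(p for p in current if p not in baseline),
        "removed": sorted(p for p in baseline if p not in current),
    }


# --- Network-based: signature matching on packet payloads, the Snort idea ---

# Hypothetical generic patterns for the demo, not real Snort rules.
SIGNATURES = [
    ("directory traversal in request", re.compile(r"\.\./")),
    ("sql union probe", re.compile(r"(?i)union\s+select")),
    ("shell id output from server", re.compile(r"uid=\d+\(\w+\)")),
]


def decode_payload(payload, normalize=True):
    """Turn raw bytes into text; optionally undo percent-encoding first.

    Without normalization a request spelled %2e%2e/ slips past a '../'
    signature, which is the classic evasion against naive pattern matching.
    """
    text = payload.decode("latin-1")          # never fails: one char per byte
    return unquote(text) if normalize else text


def scan(packets, normalize=True):
    """Return (src, dst, signature name) for every packet that matches."""
    alerts = []
    for src, dst, payload in packets:
        text = decode_payload(payload, normalize)
        for name, pattern in SIGNATURES:
            if pattern.search(text):
                alerts.append((src, dst, name))
    return alerts


# --- Constructed sample data -----------------------------------------------

BASELINE_FILES = {
    "/etc/passwd": b"root:x:0:0:root:/root:/bin/bash\n",
    "/bin/ls": b"\x7fELF original binary",
}
TAMPERED_FILES = {
    "/etc/passwd": b"root:x:0:0:root:/root:/bin/bash\nbackdoor:x:0:0::/:/bin/sh\n",
    "/bin/ls": b"\x7fELF original binary",
    "/tmp/.hidden": b"dropped tool",
}

PACKETS = [  # (src, dst, payload)
    ("10.0.0.5", "10.0.0.80", b"GET /index.html HTTP/1.0\r\n"),
    ("10.0.0.9", "10.0.0.80", b"GET /cgi-bin/../../etc/passwd HTTP/1.0\r\n"),
    ("10.0.0.9", "10.0.0.80", b"GET /cgi-bin/%2e%2e/%2e%2e/etc/passwd HTTP/1.0\r\n"),
    ("10.0.0.80", "10.0.0.9", b"uid=0(root) gid=0(root)\n"),
]


if __name__ == "__main__":
    print("HIDS:", compare(snapshot(BASELINE_FILES), snapshot(TAMPERED_FILES)))
    print("NIDS, raw match:  ", scan(PACKETS, normalize=False))
    print("NIDS, normalized: ", scan(PACKETS))
```

Two things worth noticing when you run it. The host check catches the added account in /etc/passwd and the dropped file in /tmp without knowing anything about the attack, because it only compares fingerprints against the baseline. The network check, by contrast, only knows what its signatures describe: with normalization switched off, the percent-encoded traversal request goes unreported, which is why real sensors decode each protocol before matching, and why encrypted traffic defeats this style of detection altogether.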
Larger companies will benefit from a combination of HIDS and NIDS, while smaller companies may want to consider HIDS as an initial step toward securing their systems. It's also important to remember that IDS are only one part of an effective strategy to keep hackers out of your valuable data. The optimal approach is a layered defense, one that begins with the simple steps of establishing security policies and providing all employees with the training and resources to combat ever-growing threats. The best way to beat the hackers is to think like one.

Contact: techtalk@loquent.net

madison.com ©2009 Capital Newspapers. All rights reserved.