It is a war zone out there, on our networks. And the front lines are our high school networks, where budding hackers and kids who would like to think of themselves as hackers are daily practicing their penetration skills, network penetration that is. And what happens when they graduate? They get to practice some more on college networks, where the good ones can get paid as research assistants to security start-ups. If they get really good, these folks get to go to conferences such as the upcoming romps in the desert next week, Black Hat/Defcon, where they are celebrated for their exploits and the press has a field day writing about all the trouble caused. Is it any wonder that something is wrong with this picture? We reward people for the wrong things.
I was thinking about this recently, as I had the opportunity to interview a school district’s network administrator this week. As I was talking to him, I was flashing back on my own in-school experience. Five years ago, I had a part-time job teaching a bunch of high school boys beginning networking topics, and the class was an eye-opener for me. I found out, for example, how hard it was to teach someone how to do subnetting. And that, faced with the really hard work of protocol decodes, the kids just wanted to log in as system administrator and leave it at that. Some of the guys are now out of college and have jobs in the IT industry, something that I am very proud of. (And some of them are still slackers, something that I am not proud of.)
But anyway, back to the attacks. My school district source was very clear about his frustrations in trying to keep the kids under control, and told me of his continuing private battle between the forces of good and evil, and it isn’t pretty.
He locks down his network pretty tightly. He runs a content filter, so they can’t grab p0rn sites and go to other objectionable places, but even so these filters don’t stop everyone, especially students who have time on their hands and know how to reconfigure their browsers to hit proxy servers to avoid the filters. “It is amazing how clever the kids are at finding proxy servers to get around our blocks,” he told me. Many of the proxy sites use SSL connections, and “It didn’t take long for the kids to figure out how that worked.” So he has to lock down proxy servers now too, and more than that has to scan his network every day to see if the kids have exploited something new. He has even gone so far as to assign static IP addresses, all the better to keep track of where the rogue user might be entering his network.
What I find interesting about this school district — and I am sure that they are typical — is that so many of their issues are threats from within. The days of having a perimeter and keeping the bad guys on the outside are so over. I was interested to learn that there is a whole class of newish products that go under various headings such as “extrusion detection” and “data leakage monitors” to track and prevent insiders from doing bad things, such as sending your entire customer file to their hotmail accounts.
That isn’t to say that there aren’t plenty of bad guys out there scanning away: when I was at Stanford last month doing some tests for Information Security magazine, we had someone try to penetrate one of the SSL VPN boxes that I was testing. (They didn’t get in, but it was still spooky to watch as we were going about our business at hand.) Turns out they get thousands of attempts every hour of every day. It helps that they are a very visible target, but still: put a new PC on the Internet, and someone will try to break in within a few seconds nowadays. You gotta have protection!
The technology has changed in five years since I was teaching, but the attitudes and methods haven’t. Back when I was in the classroom, we had networked PCs and I often taught from the back of the room, the better to see what the kids were doing. Most of the time, they were checking their overnight ratings on CS or IM’ing their friends telling them about their overnight ratings. Soon, the district put a stop to that, but they still could use the Web IM client (this is in the days before there were products to specifically block IM traffic). Now we have peer-to-peer music sharing and MySpace to worry about. “It is amazing how often the kids want to check their MySpace pages — they can’t go a couple of hours without trying to login,” my school source was telling me.
Now that summer is here, the district relaxes its policies for the staff a bit — they can download streaming music during the summer but not once school is back in session. And indeed, when we were scanning the network we saw one staffer listening to Internet radio and having a nice time taking all that bandwidth.
As a parent, I operated under the maxim of protect but verify, and it is a good one for a networked school district — or even any corporate environment — to operate under as well. One way is to install remote desktop software on every machine in your network, so the support people can reach out and touch someone’s PC if they are having problems, or doing something that they shouldn’t. A hospital that I visited last month had implemented this solution. They found it useful when their activity logs showed some spike in network traffic coming at either an odd hour or from an odd place. A quick look-see would generate a phone call to the user’s boss: “Do you know what your staff is doing with their PC?” No one I know wants to receive that phone call. My source at the hospital told me that he found an ex-employee who still had login credentials was using the network the night after he was fired — and didn’t realize that every mouse click was being watched.
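The hospital’s log review above is the kind of thing that can be automated. The following is an added example, not code from the column or from the hospital: a short Python script over constructed session-log lines that flags terminated accounts still logging in, sessions at odd hours or from outside addresses, and traffic spikes against the day’s median. The log format, the terminated-account list, the address ranges and the thresholds are all assumptions.

```python
"""Flag sessions worth a phone call to the user's boss (added example;
log format, account list and thresholds are constructed assumptions)."""
from datetime import datetime
from statistics import median

# Constructed sample log: '<ISO timestamp> <user> <source IP> <bytes>'
SAMPLE_LOG = """\
2006-07-24T09:15:00 jsmith 10.1.4.22 1200000
2006-07-24T10:02:00 mlee 10.1.4.30 800000
2006-07-24T13:40:00 jsmith 10.1.4.22 1500000
2006-07-24T23:55:00 rdoe 10.1.4.51 900000
2006-07-25T02:10:00 mlee 203.0.113.9 48000000
"""

TERMINATED = {"rdoe"}           # accounts HR says should be disabled (constructed)
INTERNAL_PREFIXES = ("10.",)    # what counts as "inside" (constructed)
BUSINESS_HOURS = range(7, 19)   # 07:00-18:59 is a normal hour
SPIKE_FACTOR = 10               # more than 10x the median is a spike


def parse_log(text):
    """Turn each log line into a dict with a real datetime and int byte count."""
    sessions = []
    for line in text.splitlines():
        ts, user, ip, nbytes = line.split()
        sessions.append({"ts": datetime.fromisoformat(ts), "user": user,
                         "ip": ip, "bytes": int(nbytes)})
    return sessions


def find_anomalies(sessions):
    """Return (user, timestamp, reason) tuples; one tuple per reason."""
    baseline = median(s["bytes"] for s in sessions)
    findings = []
    for s in sessions:
        reasons = []
        if s["user"] in TERMINATED:
            reasons.append("terminated account still active")
        if s["ts"].hour not in BUSINESS_HOURS:
            reasons.append("odd hour")
        if not s["ip"].startswith(INTERNAL_PREFIXES):
            reasons.append("odd place")
        if s["bytes"] > SPIKE_FACTOR * baseline:
            reasons.append("traffic spike")
        findings.extend((s["user"], s["ts"].isoformat(), r) for r in reasons)
    return findings


if __name__ == "__main__":
    for user, when, reason in find_anomalies(parse_log(SAMPLE_LOG)):
        print(when, user, reason)
```

Run against the sample, it singles out the fired account’s late-night session and the out-of-network transfer while the daytime sessions stay quiet.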
Yes, we have come a long way since I was teaching Networking 101. But if I have learned anything over the years, it is getting harder to protect and verify our networks, as the users and exploit tools get more sophisticated. You just can’t stand still, and have to continue to tighten things up.