>Hacker Camps and Enterprise Architecture

>

One of the perspectives of the enterprise architecture is Security. It details how we secure the business and technology of the organization. It includes managerial, operational, and technical controls. From an information security view, we seek confidentiality, integrity, availability, and privacy of information.

Who are we protecting the enterprise from in terms of our information security? From hackers of course!

How do we protect ourselves from hackers? By teaching our security professionals the tricks of the trade—teach them how to hack!

The Wall Street Journal, 1 April 2008, reports that “Hacker Camps Train Network Defenders: Sessions Teach IT Pros to Use Tools of the Online Criminal Trade.”

“In such sessions, which cost about $3,800, IT pros typically spend a week playing firsthand with the latest underground computer tools. By the end of the week, participants are trained as ‘ethical hackers’ and can take a certification test backed by the International Council of Electronic Commerce Consultants.”

Overall more than 11,000 people have received the ‘ethical hacker’ certificate since 2003; nearly 500 places world-wide offer the training.”

Why do we need to teach these hacking tools to IT security professionals?

They need to understand what they’re up against so they can more effectively plan how to protect against the adversary. Know thy enemy!

How large is the IT security issue?

The average large U.S. business was attacked 150,000 times in 2007…the average business considered 1,700 of these attacks as sophisticated enough to possibly cause a data breach. In addition, the number of unique computer viruses and other pieces of malicious software that hackers tried to install on computers and IT networks doubled to 500,000 last year from 2006…[and it’s expected] to double again in 2008.”

It’s great that we are advancing the training of our information security champions and defenders, but what about those who take the course, but are really there to learn hacking for the sake of hacking? How many of the 11,000 ‘ethical hackers’ that have been trained are really ethical and how many are using their newfound knowledge for more nefarious ends?

From an enterprise architecture standpoint, we need to ensure that we are not giving away the keys of the kingdom to anyone, including our own IT security staff—through hacker training. Also, we need to be careful not to rely on any one individual to maintain the security order of things. We need to plan our security using a system of checks and balances, just like the constitution lays out for the governance of the nation, so that even the chief information security officer (CISO) is accountable and has close oversight. Finally, we need to institute multiple layers of defense to work best we can to thwart even the determined hackers out there.

>Information Security and Enterprise Architecture

>

Information security is generally considered a cross-cutting area of enterprise architecture. However, based on its importance to the overall architecture, I treat information security as its own perspective (similar to performance, business, information, services, and technology).

According to the Wall Street Journal (WSJ), 11 December 2007, professional hackers are getting smarter and more sophisticated in their attacks and this requires new IT tools to protect the enterprise. Here are some of the suggestions:

  1. Email scams—“hackers have responded to improved filtering software and savvier population by aiming their attacks at specific individuals, using publicly available information to craft a message designed to dupe a particular person of group of people” In response, organizations are installing antivirus and antimalware software from multiple vendors to increase the chance, the an attack that gets by one security software products, will be stopped by one of the others. These products can be obtained from vendors like Sophos, Sybari, Micosoft, Symantec, and McAfee.
  2. Key loggers—“one common form of malware is a key logger, which captures the user names and passwords that an unsuspecting computer user types, and then sends these to a hacker.” However, software from Biopassword Inc. can thwart this by recording employees typing rhythms, so that even a hacker that knows a username and password is denied access if he types too fast or too slow.
  3. Patrolling the network—hackers who get past the firewall often have free rein to roam once inside the network. However, CoSentry Networks Inc. has a product that imposes controls on where a user can go on the network, so even someone with a valid login will be prevented from snooping around the network or accessing information from an unapproved location.
  4. Policing the police—one of the biggest threats to an enterprise is from the insiders, employees who have access to the systems and information. Software from Application Security Inc., however, monitors access, changes, repeated failed logins, and suspicious activity and notifies the designated security officer.

From a user-centric EA standpoint, information security is paramount to protect the enterprise, its mission execution, its employees, and stakeholders. As the WSJ points out, “breaches of corporate computer security have reached epidemic proportions. So far this year more than 270 organizations have lost sensitive information like customer credit-card or employee social security numbers—and those are just the ones that have disclosed such incidents publicly.” EA must help the chief information security officer to identify these enterprise security threats and select appropriate countermeasures to implement.