[System|Toolbox] Tools for the Art of System Administration
binaryfreedom.com

Hackers Beware!

Monday February 11, 2002 08:43pm PST
There is a fine balance when it comes to computer and network security, and all too often, when security books are released, the first half of the book is a woeful retelling of hacker horror stories. One can only imagine that the intention is this: if readers are fed something that encourages paranoia, they will at least walk away conscious of security issues. And if they become paranoid about security from what they've read, well, that can only make things better, right?

Unfortunately, not all companies, computers or networks are the same, and the threat from external 'hackers' depends entirely on your situation. For instance, take a small company - 10 people or so. Let's say that they do something like resell plumbing supplies. Let's also say that they have no Internet connection. For a company like this, the threat from external hackers is small, for several reasons:

   There probably isn't anything at a plumbing supply company that a hacker would want to steal.
   They don't have an Internet connection, so any access would have to be physical, which greatly reduces the threat.
   They have a relatively small staff, which in theory means fewer machines and less data to keep track of, and therefore reduced exposure.

In that scenario, the actual threat to the company is probably rather limited. Undue paranoia would be counter-productive.

Let's take another situation. A medium company this time, say 100+ users with a T-1 Internet connection. What do they do? How about data processing for the creation of credit card numbers? In this scenario, the risks are the reversal of the scenario above:

   There is definitely something of value to be stolen - credit card numbers.
   They have a fairly high-speed Internet connection, and depending on the configuration it may not be filtered or firewalled at all. . . VERY dangerous.
   Larger staff, more machines, more data and more people in the mix. One of the weakest security links is people, who can be convinced into giving out passwords and the like.

The best security that a company like this one has is that it is relatively small as companies go, and anyone interested in stealing credit card numbers would first have to know that the company exists and what its primary function is. They'd have to know that there is something to steal in order to want to steal it. This 'security by obscurity' is the sole reason that most companies actually are safe from external 'hackers'.

The Enemy Within

Having now examined some of these risk factors, it's easy to see that some of the greatest security risks to an organization are the personnel within the organization. And the more power someone has (technically speaking), the more dangerous they are. To this end, it is crucial that a manager is aware of the security of the network and of which operations and procedures may pose security risks. Sadly, security books all too often focus either too much on one operating system or on the latest bug du jour (Nimda, SirCam, Code Red, etc.).

Now, before we go any further, I want to clarify: I am not insinuating that System Administrators are really 'hackers' in disguise - rather, the opposite. The point is that as a manager, you need to be aware of what is going on with your network: when you should be alarmed and when you shouldn't. Another reason to be security conscious is on large networks with separate functional groups. The networking team may be separate from the firewall team, from the Server Administration team and from the desktop support team. With things broken into smaller divisions like this, it's really easy to have a situation where 'finger-pointing' or factioning occurs. For example, I know a Server Administrator on a network of 20,000 users or so. The Networking and Firewall team is separate from the Server Administration team, and any ports that need to be opened on the firewall have to be requested and signed off by the Server Administration Manager. Well, one day, a request to open the http port (80) for several machines came from the Server Administrators, and after about a week of inactivity, the Firewall Administrator announced that he'd be rejecting the request, saying that the boxes were "unsecure".

The Firewall Administrator remained rigid against the Server Administrator's requests, repeating that the server was insecure and insinuating that the Server Administrator's protests were merely excuses. Luckily, the Server Administration Manager was a former Systems Administrator himself, and was able to go over the Firewall Administrator's head to get the changes made. The "insecurity" that the Firewall Administrator was so vehement about was ports 135 and 139 - the Windows file sharing ports. Those ports had not been requested to be opened, so the 'vulnerabilities' would not have been accessible from the Internet. If the manager hadn't understood the aspects of security involved, he would have erred on the side of caution and supported the Firewall Administrator's pious claims of not wanting to endanger network security. (The obvious truth is that the Firewall Administrator hadn't bothered to pay attention to the port request and was more or less just being lazy.)
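The point of the anecdote is that a listening service is only exposed to a given source if the firewall also permits that source to reach it, so a request for port 80 exposes port 80 and nothing else. The following is an added illustration of that reasoning (it is not code from the book or from this site). It models a server listening on 80, 135 and 139 with a constructed allow-list policy, and answers the question a firewall reviewer should actually be asking: which ports would a request newly expose from the Internet? The host name, addresses and rule format are all assumptions made for the example.

```python
"""Exposure check: which listening ports on a server are reachable from a
given source, according to an allow-list firewall policy.

Added illustration, not the book's or the site's code. The host, the
addresses and the rule format below are constructed sample data.
"""
import ipaddress

INTERNET = ipaddress.ip_network("0.0.0.0/0")   # any source
LAN = ipaddress.ip_network("10.0.0.0/8")       # constructed internal network

# Constructed sample: the web server listens on HTTP plus Windows file sharing.
SERVER_LISTENING = {"web1": {80, 135, 139}}

# Constructed baseline policy before the request: file sharing is permitted
# from the LAN only; nothing is permitted from the Internet yet.
# Each rule permits traffic to `port` on `host` from any address in `src`.
BASELINE_RULES = [
    {"host": "web1", "port": 135, "src": LAN},
    {"host": "web1", "port": 139, "src": LAN},
]


def reachable_ports(host, src_ip, rules, listening=SERVER_LISTENING):
    """Ports on `host` that are both listening and permitted from `src_ip`.

    A port the firewall allows but nothing listens on is not reachable, and a
    listening port the firewall does not allow from `src_ip` is not either.
    """
    src = ipaddress.ip_address(src_ip)
    permitted = {r["port"] for r in rules if r["host"] == host and src in r["src"]}
    return permitted & listening.get(host, set())


def open_port(rules, host, port, src=INTERNET):
    """Return a new rule list with one extra allow rule (the baseline is unchanged)."""
    return rules + [{"host": host, "port": port, "src": src}]


def newly_exposed(rules, host, port, probe_ip="203.0.113.5", src=INTERNET):
    """Ports on `host` that `probe_ip` could reach after the request but not before.

    `probe_ip` is a constructed Internet address (documentation range) used to
    stand in for "an arbitrary outside host".
    """
    before = reachable_ports(host, probe_ip, rules)
    after = reachable_ports(host, probe_ip, open_port(rules, host, port, src))
    return after - before


if __name__ == "__main__":
    # The request in the text: open http (80) to the Internet.
    print("exposed by opening 80:", newly_exposed(BASELINE_RULES, "web1", 80))
    approved = open_port(BASELINE_RULES, "web1", 80)
    print("Internet can reach:", reachable_ports("web1", "203.0.113.5", approved))
    print("LAN can reach:", reachable_ports("web1", "10.1.2.3", approved))
```

Running it shows that opening port 80 exposes exactly {80} to the Internet, while 135 and 139 stay reachable only from the LAN. The same `newly_exposed` call, made with 139 as the requested port, is what would have justified the Firewall Administrator's objection; made with 80, it does not.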

Hackers Beware!

In the process of reading Hackers Beware, I found that this book would be perfect for managers or business owners who are concerned about security but lack the skills needed to know what is and is not crucial to the safety of the network.

The book starts, as most security books do, with an emphasis on why security is important, as we covered above. Some of the example scenarios in the book are less than stellar, but the point of the tome is not to regale the reader with anecdotes but to establish the knowledge needed to secure your systems.

After the obligatory fright tactics, the book really gets down to brass tacks and explains how and why a hacker would attack a system or a network, starting with the impetus of the attack and going from there into surveillance methods used by hackers - even covering Social Engineering - the verbal manipulation of workers in an organization. This aspect of 'hacking' probably makes up about 90% of the vulnerability of the network and is often ignored in security books. Good personnel policy is essential to the safety of the network and this is thankfully made clear in the book.

No Experience Necessary

After the general analysis of network infiltration, the book delves more specifically into Operating System related issues, focusing primarily on Windows NT and Unix-like Operating Systems. This is really where the manuscript shines, as it provides not only information on the existing threats but enough direction for inexperienced individuals to check for possible vulnerabilities and to configure the system sufficiently to avoid them. This book makes few assumptions about the Administration skills of the reader, and instead provides solutions to resolve any issues rather than just abject paranoia about the existence of potential issues.

The information in this book goes beyond exploit-related threats and actually covers checking IP configuration, checking logs and even checking passwords, both for internal policy enforcement and for potential outside threats.

A Guide for Hackers

One of the necessary evils of security is understanding how the opposition works. This book is full of excellent and thorough information on how the exploits it protects against are carried out. I'd go so far as to say that this is one of the best tutorials that I've seen on how to hack as well as on how to protect yourself. This may sound alarming to some, but really, to know your enemy is to beat your enemy, and in this department I've seen none better.

With its thorough explanation of the methods, tools (it includes code snippets within the book! You can't get cooler than that for this old Byte Magazine / Dr. Dobb's fan!) and prevention methods, I'd recommend this book to anyone concerned about the security of their network. Especially for someone who is not entirely comfortable with hardcore technical subjects, this book breaks it down into simple, comprehensible terms and instructions. If you're concerned about security but not sure where to start, this book is for you!


Copyright © 2004, The Binary Freedom Project, LLC.