I approach all my assignments as a scientist
I have 6 years of experience as a Network Security Consultant. Previously I worked as a Data Modeler and Object Oriented Designer. I liked my past jobs, but my current job is different: it is more intellectually satisfying because it puts me in direct competition with the hackers who want to steal data from the network security systems that I designed. I have to be smarter than my opponents to prevent them from winning our duel.
As a Network Security Consultant, I have been doing the following:
Partitioning databases in such a way that there are no Internet connections to the most sensitive data.
Determining where to install firewalls and how to configure them.
Establishing the rules of data sharing and transmission, which is essential to the successful functioning of intrusion detection software packages.
Monitoring computer networks to determine whether they have been hacked.
If necessary, redesigning databases to make sure that the probability of data theft is minimized.
In cases where hacker software is suspected to be operating inside a network, designing and implementing strategies aimed at identifying the hostile software.
Advising clients on how to use VPNs (virtual private networks) for secure data transmission.
Working in the field of NAC (network access control) to integrate various data protection techniques such as host intrusion prevention, antivirus software, vulnerability assessment, etc.
Currently I am working on a book, How to Protect Your Computer Network from Hackers. Chapter 1 of the book presents an overview of network protection methods.
Overview of existing data protection methods.
The most heavily advertised data protection method is data encryption. Indeed, some companies offer complicated encryption schemes that even the most sophisticated hackers cannot crack. But they do not have to crack them: they can break into your network by exploiting software flaws and then use your own decryption routines, which must be able to read the data for the business to function, to decipher the encrypted data.
For example, both Sony and Target had their credit card data encrypted, but the encryption did not prevent their data from being stolen.
Encryption on its own creates a false sense of security, and we do not recommend relying solely on it.
If you have one or two entry points into your network and a small number of customers, a strong firewall may be the best solution for you. But if you have hundreds of entry points and thousands of customers, you should consider additional means of protection working in conjunction with your firewalls.
Modern intrusion detection tools capable of data mining are very good, although they have two weaknesses: a) it usually takes several weeks to detect malicious software; b) you need employees with specific training to use these tools successfully. This does not mean that we recommend against intrusion detection packages; on the contrary, we believe that you should use them together with the method described in this book.
Finally, in this chapter we briefly mention the most powerful method of data protection; we elaborate on it in the subsequent chapters.
Ideally, this method of designing network systems and their databases makes data theft impossible. However, a comprehensive design meeting this goal may cost a great deal of money, and not every company can afford it. Fortunately, there are many less expensive ways of keeping the possibility of extracting valuable data close to zero.
In some cases the ideal result can be reached without a major investment. Take power plants, for instance: there have been reports of intrusions into their computer networks. These could have been avoided if, instead of using the Internet to transfer data, the power companies had used standalone networks to control their plants, which is an achievable goal because a power plant is a classic example of an isolated facility that does not need Internet access. A standalone network is only standalone if the side channels are controlled as well: removable media, vendor maintenance laptops and dial-in modems have all been used to reach networks that had no Internet link. Frankly, only a fool would use the Internet to run a power plant.
The core of this method is a redesign of a computer network and its database in such a way that most of the vital data is beyond the Internet's reach. "Beyond reach" must be read transitively: a database with no direct Internet connection is still exposed if an Internet-facing server is allowed to connect to it, because an attacker who compromises that server inherits its access. Of course, every network is unique, and there is no universal solution applicable to all systems. However, it is possible to identify certain properties that are common to a large number of networks, and to apply the experience acquired in designing some of them to the others.
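The following is an added example, not from the book or its author, showing how to check the property the chapter describes: it models a network as zones joined by firewall allow-rules and computes which zones an attacker starting from the Internet can reach by pivoting through every permitted connection. The three policies, the zone names (web, app, tokens, cards, batch) and the ports are constructed for illustration; the "tokens" zone stands in for a store that holds surrogate values rather than the vital data itself.

```python
"""Transitive reachability over a zone-based firewall policy.

Added example (not the author's or the book's code). A rule (src, dst, port)
means the firewall allows src to open connections to dst on port. An attacker
who compromises a host in a zone is assumed to be able to use every rule
leaving that zone, which is the pivoting the chapter warns about.
"""
from collections import deque

# Constructed policies; zone names and ports are hypothetical.
# Flat design: the Internet-facing web tier talks straight to the card store.
POLICY_FLAT = [
    ("internet", "web", 443),
    ("web", "cards", 5432),
    ("web", "internet", 443),
]

# Tiered design: an app tier sits in between, but the chain still ends at the data.
POLICY_SEGMENTED = [
    ("internet", "web", 443),
    ("web", "app", 8443),
    ("app", "cards", 5432),
]

# Isolated design: the Internet-facing chain only ever sees surrogate tokens;
# the card store is reachable solely from an internal batch zone that has no
# inbound rule from anything the Internet can reach.
POLICY_ISOLATED = [
    ("internet", "web", 443),
    ("web", "app", 8443),
    ("app", "tokens", 5432),
    ("batch", "cards", 5432),
]


def reachable_from(policy, start):
    """Zones reachable from `start` by following allow-rules transitively (BFS)."""
    adjacency = {}
    for src, dst, _port in policy:
        adjacency.setdefault(src, set()).add(dst)
    seen = {start}
    queue = deque([start])
    while queue:
        zone = queue.popleft()
        for nxt in adjacency.get(zone, ()):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    seen.discard(start)
    return seen


def attack_paths(policy, start, target):
    """Every simple path of allow-rules from start to target, rendered as
    'zone -> zone:port -> ...', so a reviewer sees which hops must be compromised."""
    adjacency = {}
    for src, dst, port in policy:
        adjacency.setdefault(src, []).append((dst, port))
    paths = []

    def walk(zone, visited, path):
        if zone == target:
            paths.append(" -> ".join(path))
            return
        for nxt, port in adjacency.get(zone, []):
            if nxt not in visited:  # simple paths only; the web->internet rule must not loop
                walk(nxt, visited | {nxt}, path + [f"{nxt}:{port}"])

    walk(start, {start}, [start])
    return paths


def sensitive_data_exposed(policy, sensitive_zones, entry="internet"):
    """Sensitive zones the entry point can reach at all, directly or by pivoting."""
    return sorted(reachable_from(policy, entry) & set(sensitive_zones))


if __name__ == "__main__":
    for name, policy in (("flat", POLICY_FLAT),
                         ("segmented", POLICY_SEGMENTED),
                         ("isolated", POLICY_ISOLATED)):
        print(f"{name}: exposed = {sensitive_data_exposed(policy, ['cards'])}")
        for path in attack_paths(policy, "internet", "cards"):
            print("    ", path)
```

Note that adding a tier (the segmented policy) changes nothing for the reachability check: the card store is still one more pivot away. Only the isolated policy, where no Internet-reachable zone has any rule towards the vital data, satisfies the chapter's criterion, and the check is worth re-running every time a rule is added.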