IT departments are so obsessed with firewalls that they ignore other more important aspects of IT security, a former hacker claimed last week.
Brian Martin, who spent years hacking under the name "Jericho", warned businesses that firewalls alone will not guarantee an IT system's security.
"If you have a new firewall you can guarantee that someone will find a way through it," he told business people at the Compsec IT security conference in London.
Businesses are falling victim to 14- or 15-year-olds who use tools available on the Internet to hack into their systems, Martin warned.
These "script kiddies" are motivated by the desire for fame and recognition among the hacking community and will often attempt a visible hack, such as defacing a company Web site.
Nasdaq, which had its Web site defaced a year ago, claimed that its main IT systems were secure. But Martin, now a security engineer with Digital Systems International, said the hackers could have done serious damage to the exchange's internal IT systems.
Martin warned companies against relying too much on "honeypots" - computer systems containing bogus data designed to trap and monitor unsuspecting hackers.
"Let's say a hacker discovers he is in a honeypot. He gets upset and asks 2,000 script kiddies to mount a denial of service attack against you. You have 2,000 trails of evidence to monitor now, not just one."
Kent Brown, another former hacker, now a managing director with Amdahl, said companies would take security much more seriously if they knew what hackers could do.
A typical US bank would lose $10m a minute if its systems went down for five minutes, yet they are often not willing to spend even a fraction of that on security.
Brown, who runs Web sites on hacking, said he knows of hackers who have used their skills to buy laptops for only $2 from Internet retailers.
This was first published in November 2000