Just a couple things come to mind thinking about the NY Times article mentioned in the last post.
First of all, how much time do you spend securing your network? Herein lays the problem. American businesses are very busy. To be competitive, we have cut staff, and have very limited budgets. When a new server needs to be put in, it needs to be done quickly. Be it a small business or corporate datacenter, time is money. A corporate server is set up quickly, usually from a checklist and then some sort of security program and anti-virus is installed. The programs are “supposed” to auto update without intervention. Rarely do people go back and make sure that the servers are updating. Anyways, the security program control panel said it sent the updates to the server. On a small business server, many times the server is set up, and locked in a closet. It is set to get security and anti-virus updates automatically, but does it?
Time is the issue. In the NY Times example, the hacker spent 6 hours a day hacking. 6 HOURS! Hackers do not have time limits or budget constraints. They usually go for easy prey, but if your site has something of interest to the hacker, they will spend weeks, months or in the extreme case years to find a way in.
This leads me to my second point. Most secure servers by checklists. If A through Z has been done, the server is secure. Server security is structured and precise. Hackers work out of the box. They don’t follow the rules. There is a lot to do in setting up a server. A random Server 2008 book has almost 1500 pages. That is about the same amount of pages as a Bible. Also, with the huge amount of code in a Microsoft operating system, holes are found very frequently. Usually, only the good guys reveal to Microsoft when an exploit has been found. Foreign hackers guard these exploits and as the article states, hope to use them in the future.
The odds are definitely in the bad guys favor, but with due diligence, we can harden our systems so the casual hacker will bypass our systems and look for easier prey.
Daniel W. Dieterle