Rule 6: There's Always Someone Out There Smarter, More Knowledgeable, or Better-Equipped Than You

Be careful about the assumptions you make concerning the threats your systems face. Even redundant security mechanisms and careful monitoring won't necessarily protect you against the uebercracker. Consider this excerpt from Dan Farmer's and Wietse Venema's article, "Improving the Security of Your Site by Breaking Into It":[1]

Why "uebercracker"? The idea is stolen, obviously, from Nietzsche's uebermensch, or, literally translated into English, "over man." Nietzsche used the term not to refer to a comic book superman, but instead a man who had gone beyond the incompetence, pettiness, and weakness of the everyday man. The uebercracker is therefore the system cracker who has gone beyond simple cookbook methods of breaking into systems. An uebercracker is not usually motivated to perform random acts of violence. Targets are not arbitrary -- there is a purpose, whether it be personal monetary gain, a hit and run raid for information, or a challenge to strike a major or prestigious site or net.personality. An uebercracker is hard to detect, harder to stop, and hardest to keep out of your site for good.

Many security threat models assume that the bad guy will be a one-dimensional loner or a script kiddie probing systems for fun. While redundant security mechanisms and careful monitoring might protect against these threat models, they may fail against a determined, hardened, and skilled professional -- an uebercracker.

An even more serious threat than the uebercracker is the attack cell -- a group of complex individuals who work together to attack systems in order to further a common goal. While an organization prepares for the lone cracker, an attack may be executed by professionals with extensive financial and technical resources. An attack cell might include a social engineering expert who's just been hired into Marketing, a systems expert who can model your network "UNIX box by bloody UNIX box," a security programmer who's spent years developing custom tools, and a phone phreak specializing in moving information via intermediaries. It might have significant research and development capabilities or even the backing of a government organization.[2] All the tools and techniques discussed in this book (or any book!) will only be marginally effective in this scenario. If your UNIX systems (or any of your systems) contain commercially or politically valuable secrets, be prepared to make substantial investments in security management, physical security, personnel security, and a significant investigative capability in addition to system and network security.


1. See http://www.fish.com/security/admin-guide-to-cracking.html

2. For an extension of this kind of scenario, see Fred Cohen's article "Anatomy of a Successful Sophisticated Attack" at http://all.net/journal/netsec/9901.html


Excerpt from Unix System Security Tools by Seth T. Ross
Copyright © 1999 by The McGraw-Hill Companies. Used with permission.
HTML Copyright © 1999 Albion.com.

Copyright © 1990-2006 Albion.com and Seth T. Ross