Who Is the Enemy?

Books dedicated to security break attackers down into smaller, more specific groups and include various edge cases, but that’s not what you’re here for. I lump potential attackers into four groups: script kiddies, botnets, disaffected users, and skilled attackers. These categories are easily understood and include 99 percent of all the attackers you’re likely to encounter.

Script Kiddies

The most common type of attackers, script kiddies, are not sysadmins. They are amateurs who download attack scripts and go looking for poorly defended, vulnerable systems.

Script kiddies are easy to defend against: Keep your software up-to-date and follow good computing practices. Like locusts, script kiddies are easy to squash, but there are just so darned many of the little buggers!

Botnets

Botnets are composed of machines compromised by worms or viruses and are controlled from a central point. The botnet’s controllers might use the victim machines to search for more vulnerable hosts, to send spam, or to break into secure sites. Most botnets are composed of Windows or Linux machines, but there’s no reason why such a worm couldn’t target OpenBSD. The virus author would need to work hard, but it’s conceivable—if he finds a suitable security flaw.

Fortunately, botnet defense is much like script kiddie defense. You shouldn’t have much to worry about if you keep your software patched, configure your server software securely, and follow good computing practices.

Disaffected Users

Security pundits commonly claim that a system’s legitimate users cause the majority of security problems.[26] Legitimate users are most likely to know where your security gaps are, to feel that the system rules don’t apply to them, and to have the necessary access and time to experiment with breaking your security. If you tell an employee that company policy forbids him access to a computer resource, and the employee feels that he should have access to it, he is likely to search for a way around the restriction. You can patch all of your servers and protect them with an outright hostile firewall, but if someone has physical access and knows the root password, your protections are useless.

Deal with this problem on two levels. The first is technical: Keep your servers patched and up-to-date. The second is human: Don’t leave projects half finished or half documented. That unsecured modem you installed for emergency incoming access until the VPN is solid? Get rid of it, or put a password on it. Ditto for that telnet server running on a nonstandard port.

Security by obscurity is feeble at best. When a privileged user leaves the company, immediately disable his account, change all administrative passwords, inform employees of the person’s departure, and remind them not to share confidential information with that person. Implement a computer security policy with real penalties for violations. If you have a Human Resources department, get the staff members to agree to the policy and insist they enforce it.

What’s the best way to protect yourself against the disaffected user? Don’t be lazy.
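The forgotten modem and the telnet daemon on a nonstandard port described above are exactly the kind of leftover a periodic audit catches. The following is an added example, not code from the book or from OpenBSD, showing one way to compare the ports a host is actually listening on against the short list the site has documented as intentional. The input is a constructed sample in the shape of OpenBSD's `netstat -an -f inet` output (not captured from a real machine), and the allow-list of ports 22 and 443 is an assumption; on a real host you would pipe the live `netstat` output in instead.

```shell
#!/bin/sh
# Constructed sample in the shape of `netstat -an -f inet` output on OpenBSD.
# Not captured from a real host; the 2323 listener stands in for the
# "telnet server on a nonstandard port" from the text.
SAMPLE_NETSTAT='Active Internet connections (including servers)
Proto   Recv-Q Send-Q  Local Address          Foreign Address        (state)
tcp          0      0  *.22                   *.*                    LISTEN
tcp          0      0  *.443                  *.*                    LISTEN
tcp          0      0  *.2323                 *.*                    LISTEN
tcp          0      0  192.0.2.10.22          198.51.100.7.51014     ESTABLISHED'

# Ports this site has documented and intends to expose (assumption for the example).
ALLOWED_PORTS="22 443"

# listening_ports: read netstat-style text on stdin and print the local port of
# every socket in the LISTEN state, one per line. The local address column is
# "addr.port", so the port is the last dot-separated field.
listening_ports() {
    awk '$NF == "LISTEN" { n = split($4, a, "."); print a[n] }'
}

# unexpected_listeners: read netstat-style text on stdin and print every
# listening port that is not in ALLOWED_PORTS. Anything printed here is either
# undocumented or should not be running at all.
unexpected_listeners() {
    listening_ports | while read -r port; do
        found=0
        for allowed in $ALLOWED_PORTS; do
            if [ "$port" = "$allowed" ]; then
                found=1
            fi
        done
        if [ "$found" -eq 0 ]; then
            printf '%s\n' "$port"
        fi
    done
}

# Usage: run the audit over the constructed sample; on a live host replace the
# printf with `netstat -an -f inet`.
printf '%s\n' "$SAMPLE_NETSTAT" | unexpected_listeners
```

Run from cron and mailed to the administrators, a check like this turns "I forgot that was still there" into a line in a daily report. Keep the allow-list in the same place as the documentation for each service, so that adding a port means writing down why it exists.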

Skilled Attackers

As the most dangerous group, skilled attackers are competent system administrators, security researchers, penetration specialists, and criminals who want access to specific resources. Taking over computers is a lucrative business these days. Sending junk email or launching distributed denial-of-service attacks can bring in large sums of money. These intruders don’t care who they attack, as long as they secure the computing resources they need.

If your company has valuable secrets, however, you might attract an entirely different type of intruder: someone who wants access to your network in particular. If your employer creates anything—from software to cast-iron tulips for front-wheel-drive vehicles—there’s likely a market for illicit copies of your product. Someone will find it worthwhile to probe every port on every IP address you expose to the Internet. It might take a long time, but that’s okay. Your data has a price tag, and the scan is cheap. This is often called the advanced persistent threat, or APT.

Security measures that stop the other types of intruders affect the techniques used by skilled attackers. If you’ve ditched that unsecured inbound access method, the intruder can’t find it. If your servers and programs are up to date and correctly configured, the intruder will need to find a previously unknown exploit to break into your network. If a skilled intruder really wants your company’s data, he will need to change tactics. Maybe he will try dumpster diving for old sticky notes, or even show up dressed as a telco repairman and try to install a packet sniffer. If an intruder knows everything about your network and his easiest way to break in is still something out of a caper film, your security is pretty good.

Note

The word hacker has different meanings depending on who is talking. In the technical world, a hacker is someone not only interested in the inner workings of technology but also capable of creating new technology. The media has transformed the word to mean “someone who breaks into computers.” I recommend completely avoiding the word “hacker,” and using terms like “intruder” or “gravy sucking pig-dog” instead. When to use each is up to you, of course.
