essential guide thwarting hackers pdf


7/29/2019 Essential Guide Thwarting Hackers PDF (page 1/8)

THE ESSENTIAL GUIDE TO THWARTING HACKERS
BY MEL BECKMAN, OCTOBER 2005
SUPPLEMENT TO iSeries NEWS 2005

They call it Internet Background Radiation, or IBR. It's that constant hiss of traffic ever present on every Internet connection. Like the universe's Cosmic Background Radiation, IBR lets us know that the Internet is not empty. Unlike its benign cosmic cousin, however, IBR is malevolent proof that evildoers prowl the Net seeking whom they may devour.

You can see IBR with your own eyes by examining any firewall log, which will report a constant stream of probes and pokes at random IP addresses in your network. There is a hacker behind every one of these probes; none is innocent. Over time, IBR will ferret out known vulnerabilities in any network and exploit them. The average survival time of an unprotected Windows PC is measured in minutes; more secure devices might last weeks or months. But one thing is certain: If you don't find the vulnerabilities in your network, hackers will. Soon.

But don't despair. The key to a hacker's success is the subtle phrase "known vulnerabilities." Hackers are bottom feeders; very few actually discover new security flaws on their own. Instead, they troll software bug reports and system patch announcements, then devise cunning robotic scanners or bots to seek out and exploit them. It is these bots that generate IBR, and it is them that you must repel.

To that end, here are 10 straightforward steps that you can take to make your network less susceptible to attack, by dint of removing known vulnerabilities. I present these steps in order of ease, with the simplest first, because the more of these steps you accomplish, the more likely you are to be removed from the hackers' list of low-hanging fruit. Some of the steps require nothing more than the investment of your time; others require the cooperation of your entire enterprise. You should take each step as soon as possible.

1. Continuously Educate Users

Hackers get into networks most often by tricking users into opening the front door: Trojan programs embedded in e-mail attachments, malicious URLs seemingly forwarded by friends, and virus infections brought into the enterprise by PCs from home. There is only one way to prevent user-induced security breaches, and that is user education.

Given the barrage of routine announcements and training materials that the average corporation foists on employees, it can be difficult to make your security message heard. Your best bet is to make the message pervasive and continuous. You can't simply publish a security policy and expect users to absorb and follow it. Instead, inform users of their need for vigilance in small doses by displaying security tips in newsletters, on the corporate intranet, and in routine e-mail communications. Start with a mandatory security training session to review your policies, but bolster that with constant reminders.

Here are the key points to emphasize with all users:

- Don't open e-mail attachments that you did not expect to receive, even from colleagues and friends.
- Don't click URLs in e-mails; carefully copy and paste them instead. Although inconvenient, this is the only way to avoid malicious links.
- Get approval before installing any freeware or shareware software. Do not install any unauthorized commercial software.
- Never connect computers from home to the enterprise LAN. Only secured systems, including company-secured notebook computers, can be attached.
- Be aware of visitors attempting to use enterprise computers or network connections.
- Don't connect wireless equipment of any kind, including wireless keyboards and mice, to the network without prior approval.

Some users will be unhappy with these restrictions, so you should also establish appropriate responses for violations. Nobody wants to play cop, but if you don't enforce these protections, nobody else will. One way to detect infringements is to periodically inventory the software installed on every computer. You can use any number of readily available desktop administration systems to do this centrally.

A particularly insidious new threat that requires copious user education is Bluetooth networking. Bluetooth, also called personal area networking, is a short-range wireless technology designed to replace the cables used to attach cell phones, PDAs, keyboards, and mice to computers. It operates over a range of a few feet, but an interloper as far as 100 feet away can exploit Bluetooth. Although Bluetooth includes encryption, end users often misconfigure it, defeating that protection. Users need to be taught how to safely connect Bluetooth devices, and they need to know which devices are approved for use in your network.

Your goal in constantly reminding users of security precautions is to create an atmosphere of security awareness. A great source of security awareness educational materials is the SANS Security Awareness Whitepapers Web site (see "Security Resources," at left).

2. Lock Down Physical Security

Hackers don't just exist outside your network; they're often inside the enterprise perimeter in the form of disgruntled and overly curious employees, authorized and unauthorized visitors, consultants, suppliers, and maintenance staff. Sometimes an inside hacker is an unsuspecting agent for hackers, such as a vendor or consultant

SECURITY RESOURCES

CERT
Securing Desktop Workstations
www.cert.org/security-improvement/modules/m04.html

The Spread of the Sapphire/Slammer Worm
www.cs.berkeley.edu/~nweaver/sapphire/

Responding to Intrusions
www.cert.org/security-improvement/modules/m06.html

Patch Management and the Need for Metrics
Kenneth J. MacLeod
sans.org/rr/whitepapers/bestprac/1461.php

ICSI Center for Internet Research
Characteristics of Internet Background Radiation
www.icir.org/vern/papers/radiation-imc04.pdf

SANS
Security Awareness White Papers
sans.org/rr/whitepapers/awareness/

Honey Pots and Honey Nets: Security Through Deception
sans.org/rr/whitepapers/attacking/41.php

M.B.

3. Use Multiple Layers of Protection

There are many kinds of network security protection: hardware firewalls in routers and dedicated security appliances; software firewalls in end-user systems; antivirus and antispyware scanners; application filters to block such attacks as cross-site scripting and SQL injection; intrusion-prevention appliances to kill questionable traffic; and Virtual Private Network (VPN) servers to keep out unauthorized remote users. You should be employing several of these in your network today. An essential aspect of that employment is using these products in layers, a technique called defense in depth.

The idea behind defense in depth is that you don't depend on any one protection as the sole barrier between your users and the unwashed Internet. For example, behind your Internet border firewall, you should deploy an antivirus filter on all inbound e-mail, software firewalls on all desktop machines, and antivirus and antispyware scanners. Any given route of attack should have to penetrate at least two layers of protection to succeed.

Defense in depth works by dramatically reducing the ability of attackers to exploit random flaws, such as missed patches or buffer overflow vulnerabilities. However, the way to effectively deploy multiple layers of protection isn't always obvious. For example, many network administrators operate centrally administered antivirus scanners, believing them to be an enhancement over desktop-based scanners. But just because something is centrally administered doesn't mean it offers additional protection. To gain true in-depth virus protection, you should employ a deep-inspection firewall or intrusion prevention appliance that looks into every packet for evidence of viral content and squashes that content before it reaches a desktop.

A new protection technology just becoming common in enterprise networks is the so-called application firewall. If uninformed users are the most common paths of entry for hackers, malformed applications are the second. Hackers often infiltrate Web servers by exploiting the common buffer overflow class of vulnerability, new instances of which operating-system and server-software vendors are constantly reporting. Application coders are rarely security experts, so getting programmers to implement secure applications is difficult. A useful way to improve the depth of application security is by using an application firewall appliance, which examines HTTP requests, HTML responses, SQL queries, and other application traffic to detect and block common hacker attacks.
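The application-firewall layer described above, as an added example that is not part of the original article: a small WSGI middleware that decodes each HTTP request, matches it against a handful of signatures for the two attack classes the article names (SQL injection and cross-site scripting), blocks a match with a 403, and keeps a record for the administrator. The signatures, the demo application and the sample requests are constructed for this illustration; a real appliance uses far richer rule sets and also inspects responses.

```python
"""Minimal application-layer request filter (added example).
Inspect each HTTP request for well-known injection signatures and stop
it before it reaches the application behind the filter."""
import io
import re
from urllib.parse import unquote_plus

# Deliberately simple signatures for the two attack classes named in the
# article. Constructed for this example; not a production rule set.
SIGNATURES = {
    "sql-injection": [
        re.compile(r"(?i)\bunion\b.+\bselect\b"),
        re.compile(r"(?i)'\s*or\s+\S+\s*=\s*\S+"),       # ' or 1=1
        re.compile(r"(?i);\s*(drop|delete|insert|update)\b"),
    ],
    "cross-site-scripting": [
        re.compile(r"(?i)<\s*script\b"),
        re.compile(r"(?i)\bon(load|error|click)\s*="),
        re.compile(r"(?i)javascript\s*:"),
    ],
}

def inspect_request(path, body=""):
    """Return None if the request looks clean, else the matched attack class.
    URL-decoding happens first so that %27%20or%201%3D1 is caught as well."""
    for text in (unquote_plus(path), unquote_plus(body)):
        for attack, patterns in SIGNATURES.items():
            if any(p.search(text) for p in patterns):
                return attack
    return None

class AppFirewall:
    """WSGI middleware: block a matching request with 403 and log the hit."""
    def __init__(self, app):
        self.app = app
        self.blocked = []  # (attack_class, path) records for the administrator

    def __call__(self, environ, start_response):
        path = environ.get("PATH_INFO", "") + "?" + environ.get("QUERY_STRING", "")
        length = int(environ.get("CONTENT_LENGTH") or 0)
        body = environ["wsgi.input"].read(length).decode("utf-8", "replace") if length else ""
        verdict = inspect_request(path, body)
        if verdict:
            self.blocked.append((verdict, path))
            start_response("403 Forbidden", [("Content-Type", "text/plain")])
            return [b"blocked by application firewall\n"]
        return self.app(environ, start_response)

def demo_app(environ, start_response):
    """Stand-in for the protected application (constructed for the example)."""
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"hello\n"]

def run_request(firewall, path, body=""):
    """Drive the middleware with a synthetic WSGI environ; return the status line."""
    raw = body.encode()
    route, _, query = path.partition("?")
    environ = {"REQUEST_METHOD": "POST" if body else "GET", "PATH_INFO": route,
               "QUERY_STRING": query, "CONTENT_LENGTH": str(len(raw)),
               "wsgi.input": io.BytesIO(raw)}
    status = {}
    def start_response(line, headers):
        status["line"] = line
    b"".join(firewall(environ, start_response))
    return status["line"]

if __name__ == "__main__":
    fw = AppFirewall(demo_app)
    print(run_request(fw, "/products?id=42"))
    print(run_request(fw, "/search?q=%27%20or%201%3D1"))
    print(run_request(fw, "/comment", "text=%3Cscript%3Ealert(1)%3C%2Fscript%3E"))
    print(fw.blocked)
```

Note that the middleware consumes the request body before the application sees it; a production filter would buffer and replay it. The point of the example is the layering: the signatures catch a class of bad input regardless of whether the application's own validation does.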

4. Filter and Monitor Outbound Traffic

Just as interlopers can lurk inside your building, they can lurk inside your network in the form of viruses and Trojan horses seeking to use your LAN as a jumping-off point for attacks on new victims. After such Net vermin get into a computer behind your firewall, they begin probing your network and others on the Internet for additional machines to infect. Unfortunately, the standard

who inadvertently plugs an infected computer into your internal LAN. But they can also be malicious; some famous hackers started their attacks by first visiting their victims, posing as potential customers or salespeople.

To counter this threat, you must bolster your physical security. Start by locking up all network gear (e.g., switches, routers) in a closet or in metal cabinets. Keeping a hacker away from the key synapses in your network is essential. A compromised Ethernet switch or router can give an intruder the keys to your kingdom.

The second most prevalent physical exposures are the ubiquitous Ethernet ports, of which you never seem to have enough. Unprotected ports in conference rooms, utility closets, and hallways are easy pickings for deliberate intruders and tempting lures for inadvertent ones. It's best to physically lock down these ports, but you can also protect them electronically using switch-based Medium Access Control (MAC) locking and 802.1x authentication. Use MAC locking to ensure that only the specific machines you permit are plugged into publicly accessible ports that printers, scanners, and other LAN devices use. Use 802.1x to ensure that only authorized users can plug general-purpose computers into other Ethernet ports.

The 802.1x security standard has gotten a lot of press lately as a quick-and-dirty Wi-Fi protection measure, but it's actually not particularly reliable in that role. However, 802.1x is very good as a guardian of Ethernet ports. You must first establish a Remote Authentication Dial-in User Service (RADIUS) server to store user IDs and passwords or to validate user IDs and passwords against your existing authentication server, such as Windows Active Directory. Then simply turn on 802.1x on both the switches and end-user computers, and users will be prompted to log in every time they reconnect their computers to your LAN.

What if a visiting consultant or customer absolutely must connect to the Internet from your premises? Prepare for that eventuality by establishing a visitor hot spot network, one completely isolated from your corporate LAN and providing limited and monitored access to only the Internet. You can build such a hot spot with an inexpensive off-the-shelf firewall appliance.

As I mentioned, end-user awareness is an important part of physical security. Users should have a ready avenue to report suspected abusers. You can also detect potential physical violations by monitoring the MAC address tables of your switches, which report to you any new devices appearing on your LAN. Many managed switches support this feature, and you should take advantage of it.
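The MAC-table monitoring described in this step, as an added example that is not the article's own code: it parses two snapshots of a switch's MAC address table, diffs them, and grades every newly seen device by the policy of the port it appeared on (MAC-locked printer port, 802.1x user port, or an unmanaged port). The table listings, the port names and the LOCKED_PORTS and DOT1X_PORTS policy are constructed for this example; a real deployment would pull the tables over SNMP or SSH on a schedule.

```python
"""Switch MAC-address-table monitor (added example).
Diff two table snapshots and alert on new devices according to port policy."""
from dataclasses import dataclass

@dataclass(frozen=True)
class Entry:
    vlan: int
    mac: str
    port: str

def parse_mac_table(text):
    """Parse lines like '10  0011.2233.4455  DYNAMIC  Gi0/3' into a set of entries.
    Header, separator and blank lines are skipped."""
    entries = set()
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4 or not parts[0].isdigit():
            continue
        vlan, mac, _kind, port = parts
        entries.add(Entry(int(vlan), mac.lower(), port))
    return entries

# Hypothetical port policy. A MAC-locked port lists the one MAC it may carry;
# an 802.1x port may carry any MAC because the switch authenticated the user.
LOCKED_PORTS = {"Gi0/1": "0011.2233.4455"}   # lobby printer
DOT1X_PORTS = {"Gi0/2", "Gi0/3"}

def check_snapshot(previous, current):
    """Return (severity, message) alerts for every entry new since `previous`."""
    alerts = []
    for e in sorted(current - previous, key=lambda e: (e.port, e.mac)):
        if e.port in LOCKED_PORTS:
            if e.mac != LOCKED_PORTS[e.port]:
                alerts.append(("high", f"unexpected MAC {e.mac} on locked port {e.port} (vlan {e.vlan})"))
        elif e.port in DOT1X_PORTS:
            alerts.append(("info", f"new device {e.mac} on 802.1x port {e.port}"))
        else:
            alerts.append(("high", f"new device {e.mac} on unmanaged port {e.port} (vlan {e.vlan})"))
    return alerts

# Constructed snapshots in the style of a 'show mac address-table' listing.
BASELINE = """\
Vlan    Mac Address       Type     Ports
----    -----------       ----     -----
  10    0011.2233.4455    STATIC   Gi0/1
  10    00aa.bbcc.dd01    DYNAMIC  Gi0/2
"""
LATER = """\
Vlan    Mac Address       Type     Ports
----    -----------       ----     -----
  10    0011.2233.4455    STATIC   Gi0/1
  10    DEAD.BEEF.0001    DYNAMIC  Gi0/1
  10    00aa.bbcc.dd01    DYNAMIC  Gi0/2
  10    00aa.bbcc.dd02    DYNAMIC  Gi0/3
  10    00aa.bbcc.dd03    DYNAMIC  Gi0/7
"""

if __name__ == "__main__":
    for severity, msg in check_snapshot(parse_mac_table(BASELINE), parse_mac_table(LATER)):
        print(f"[{severity}] {msg}")
```

The "high" alerts are the ones to chase: a second MAC on a locked port means either a rogue device or a port-security violation the switch should already have reported, and a device on a port outside both policies is exactly the hallway-jack scenario the text warns about.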

policies in the process. A secondary role for proxies is to cache content for speedier Web surfing. Proxies typically handle Web and FTP traffic, but they can also handle outgoing e-mail. All Web browsers, and most FTP programs, have built-in support for proxies, but using this support requires that every end user's desktop be specifically configured to point to your proxy server. An easier approach is to have your firewall or internal router automatically redirect Web, FTP, and e-mail traffic to your proxy, avoiding the need to customize desktops.

After a proxy is in place, you can filter all outbound protocols from end users at your Internet border, because nobody should be accessing the Internet directly. Policies you can then enforce in the proxy include limiting users to certain sites, tracking URLs that users visit, restricting the size and types of files transferred in and out, and restricting the destinations and content for e-mail. For example, you could prohibit outbound FTP transfers for all but a few users and restrict e-mail attachments to e-mail correspondents on a preapproved white list.

Proxy protection seriously inhibits virus propagation outside your network, which makes you a better Netizen and reduces the liability that you incur should your network cause a service outage for some other Internet user.

6. Employ VPN Encryption on Wireless and Remote Links

Repeat this mantra until it's ingrained in your psyche: "There's no safe wireless encryption." There isn't; that's an established fact. All Wi-Fi encryption (that is, encryption performed in wireless access points (APs) themselves) is vulnerable to hacker penetration (see "The Wi-Fi Time Bomb," May 2005, article ID 20069 at iSeriesNetwork.com). The only proper way to secure a Wi-Fi network is via VPN encryption, the same VPN encryption that you should be using for all your remote users. (Which you are, right?)

At one time, VPNs were hard to set up, but those days are over. For a few hundred dollars, you can buy VPN-enabled appliances that provide weapons-grade encryption. All enterprise-class firewalls have VPN servers built in, and all desktop operating systems have VPN clients built in. A VPN tunnel provides solid security from the user's Ethernet port to your Internet border.

Given the vulnerability of Wi-Fi encryption, it's not surprising that Wi-Fi has become the third most common path for network infiltration, right behind clueless users

practice in most networks is to permit all outbound traffic on a network, which is why recent virus and worm plagues have spread so rapidly throughout the world. The Sapphire/Slammer worm, for example, infected nearly 90 percent of all vulnerable systems on planet Earth in only 10 minutes.

The solution to this problem is straightforward: Block all outbound UDP and TCP protocols except those that you know are needed by end users. Typically these are HTTP and HTTPS (TCP ports 80 and 443), e-mail (TCP 25 and 110), DNS (UDP 51), and possibly FTP (TCP 21). The most common protocol that malware uses to find and detect other systems is Internet Control Message Protocol (ICMP) Ping; blocking this one will thwart the vast majority of viruses and Trojans.

As with all security, this protection is a compromise between safety and convenience. You'll undoubtedly get user complaints shortly after locking down outbound traffic, and you'll have to evaluate each complaint to see whether the offending traffic is truly necessary. You can add new protocols to your outbound filters, but be judicious. It's pointless, for instance, to open all UDP ports above 1000, although some users will undoubtedly make such requests.

Hand-in-hand with filtering outbound traffic is monitoring packets that those filters drop. You should investigate all such occurrences and remediate them. Sometimes it's simply a matter of a misconfigured host; sometimes filter hits indicate a virus infection in progress. Being vigilant here will give you early warning of possible problems, letting you stop them before they snowball into a network outage.
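Both halves of this step, the outbound allow list and the triage of what the filter drops, as an added example that is not the article's own code; it also serves the introduction's point that the stream of probes in a firewall log is something you can read mechanically. The allow list is the one given above (the article lists DNS as UDP 51; DNS actually uses port 53, which the example uses). The log lines are constructed in a common firewall log style: one internal host hitting a dozen addresses on UDP 1434 (the port the Slammer worm spread over) and another repeatedly retrying one destination, which is the misconfigured-host pattern the text contrasts with an infection in progress.

```python
"""Outbound-filter policy and drop-log triage (added example)."""
import re
from collections import defaultdict

# Allowed outbound (protocol, destination port) pairs; everything else is dropped.
ALLOWED = {("tcp", 80), ("tcp", 443), ("tcp", 25), ("tcp", 110), ("udp", 53), ("tcp", 21)}

def outbound_verdict(proto, dport):
    """Mirror of the border filter: ICMP is dropped outright, else consult ALLOWED."""
    proto = proto.lower()
    if proto == "icmp":
        return "DROP"
    return "ACCEPT" if (proto, int(dport)) in ALLOWED else "DROP"

LOG_RE = re.compile(
    r"(?P<action>DROP|ACCEPT) OUT src=(?P<src>\S+) dst=(?P<dst>\S+) "
    r"proto=(?P<proto>\w+)(?: dport=(?P<dport>\d+))?")

# Constructed sample log: RFC 5737 documentation addresses throughout.
SAMPLE_LOG = (
    [f"Jan 12 03:14:{i:02d} fw kernel: DROP OUT src=10.0.0.5 dst=198.51.100.{i} proto=UDP dport=1434"
     for i in range(1, 13)]
    + [f"Jan 12 03:15:{i:02d} fw kernel: DROP OUT src=10.0.0.9 dst=203.0.113.10 proto=TCP dport=8080"
       for i in range(3)]
    + ["Jan 12 03:15:30 fw kernel: ACCEPT OUT src=10.0.0.9 dst=203.0.113.10 proto=TCP dport=443"]
)

def parse_drops(lines):
    """Return {src: {(dst, proto, dport), ...}} for dropped outbound packets only."""
    drops = defaultdict(set)
    for line in lines:
        m = LOG_RE.search(line)
        if not m or m["action"] != "DROP":
            continue
        drops[m["src"]].add((m["dst"], m["proto"].lower(), int(m["dport"] or 0)))
    return drops

def triage(drops, scan_threshold=10):
    """Classify each internal host by the shape of its dropped traffic.
    Many distinct destinations on one service is the worm-scanning pattern;
    one destination retried over and over suggests a misconfigured host."""
    report = {}
    for src, flows in drops.items():
        dsts = {dst for dst, _, _ in flows}
        services = {(proto, dport) for _, proto, dport in flows}
        proto, dport = sorted(services)[0]
        if len(dsts) >= scan_threshold and len(services) == 1:
            report[src] = f"possible infection: {len(dsts)} hosts probed on {proto}/{dport}"
        elif len(dsts) == 1:
            report[src] = f"likely misconfiguration: repeated {proto}/{dport} to {next(iter(dsts))}"
        else:
            report[src] = f"review: {len(dsts)} destinations across {len(services)} services"
    return report

if __name__ == "__main__":
    for host, finding in triage(parse_drops(SAMPLE_LOG)).items():
        print(host, "->", finding)
```

Tune scan_threshold to the size of your network; the useful property is that the scanning host stands out by destination count, not by volume, so a slow worm is caught as readily as a fast one.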

5. Use a Proxy Server

Hackers are clever and have come up with ways to circumvent outbound filters. The most common way is simply to run their malicious traffic over a well-known port, such as HTTP's port 80 or e-mail's port 25. If you're employing simple outbound filtering and monitoring, you never see this traffic. End users can also use well-known ports to operate unauthorized peer-to-peer servers, opening your organization up to intellectual property infringement liabilities. As they say in mathematics, outbound filtering is necessary but not sufficient. To really prevent outbound traffic abuse, you need a proxy server.

In a security role, a proxy server intercepts TCP/IP requests from desktop computers and relays them to the ultimate Internet destination, applying certain security

and faulty applications. That's amazing when you consider that Wi-Fi didn't even exist five years ago. Not all Wi-Fi exposures are obvious either. You're conscious, of course, of the need to secure your own APs, and you might have realized the vulnerability of users at coffee shops and airport cafes. But have you considered the wireless networks that your users might already have deployed without your knowledge? Even if you don't run Wi-Fi, you need to protect against it by prohibiting unauthorized wireless gear and monitoring for rogue APs.

Commercial rogue Wi-Fi appliances exist, but you can use an ordinary Wi-Fi-capable notebook computer to easily perform a quick scan of your enterprise. If you find an open wireless network, attach to it and then use network troubleshooting tools to trace the traffic back to the offending device. This is a straightforward process easily accomplished if you have managed switches.

OK, you can stop the mantra now.

7. Run Routine Vulnerability Assessments

Network monitoring organizations, such as the Computer Emergency Response Team (CERT, cert.org), report that 99.999 percent of all successful network penetrations occur through known vulnerabilities. You can use firewalls and intrusion-prevention tools to try to cover up the vulnerabilities that you must assume are there, or you can go looking for them and kill them dead. That's what vulnerability assessment (VA) is.

Once the purview of network security specialists and so-called ethical hackers, VA has become a commodity service embodied in numerous security products, both hardware and software. The hallmark of modern VA is the automation of the vulnerability detection, tracking, remediation, and verification process. The core component is a scanner that continuously probes your network inside and out, looking for vulnerabilities listed in a constantly updated database of potential exposures. The scanner has two parts, one inside your network and one outside, that work together to find and report problems. Common exposures, such as inadvertently open ports and missing security patches, are the meat and potatoes of VA. But advanced products also find more subtle failures, such as application holes and SQL scripting flaws.

Detected vulnerabilities are ranked by severity and tracked through the remediation process. Remediation can be as simple as adding a firewall rule or applying an OS patch; on the other hand, remediation might require hours of programming changes to an application or the installation of a whole new layer of protection. VA keeps bringing old vulnerabilities to the surface so that they get attention, and it provides remediation progress reports for management. VA also performs verification tests after remediation to make sure that the problem is really fixed.

You can build your own VA tool with open-source software, such as the Nessus security scanner, but you're really better off buying an appliance built by an expert in the field. You're less likely to miss a critical exposure, and the cost of appliances makes them easy to justify. With VA in place, you at least have a chance of catching new vulnerabilities before the hackers do.

8. Manage Patches

You likely already apply OS patches to servers and desktops, so you realize that patches are both a blessing and a curse. Patches are a blessing because they let you stop hackers in their tracks at the same time they learn about a new exploit, but patches are a curse because they often break things and make your life more difficult.

That's where patch management comes in. On the scale of ease of implementation, all the steps I've discussed so far have been relatively simple to carry out. But this step, and those that follow, are a quantum leap in effort and expense.

Patch management is expensive because it's far from a science. To manage patches, you have to know what their impact is by studying vendor recommendations and reading about the experiences of those who've already applied the patches. Alas, vendor information is often couched in terms designed to limit vendor liability rather than help you assess the need for a particular patch. Commercial patch-management tools automate this process by connecting you to an expert database of patch information that documents side effects and interactions. These tools let you rank every patch to determine whether the benefits outweigh the risks.

Some patch-management tools are OS specific, such as those aimed at Windows fixes. Others are more generic but necessarily less specific in their recommendations. Sometimes patch management is an add-on module to an IP or VA appliance. This isn't necessarily bad, because the appliance is in a position to collect the information needed for patch management.

Patch managers provide an important twofold service: the collection of patches from vendors in a central repository for easy deployment, and the interception of automatic patches that vendors might try to apply without your permission. Windows Service Pack 2 is a good example of a patch that you want to control but that Microsoft currently insists on installing.

You'll need to undertake an extensive study of your

Bryan Meyers

About the Author
Mel Beckman is a senior technical editor for iSeries NEWS and the editor of Dr. I Doctor (DrIDoctor.com). He has built two regional Internet service providers and is currently president of Beckman Software Engineering, a technical consultancy specializing in large-scale, high-bandwidth networks. You can e-mail Mel at mbeckman@iseriesnetwork.com

10. Go on the Offensive with Honeypots and Honeynets

Nothing is more satisfying than hacking a hacker, which is exactly what network administrators were thinking when they devised so-called honeypots and honeynets. A honeypot is a decoy computer left apparently exposed to hacker attack. Its job is to attract hackers, monitor their activities, and occupy their time so they have less to spend attacking the rest of your network. A honeynet is a wireless network with the same goal: attract hackers and keep them busy while you watch. Both work surprisingly well and can alert security specialists to new hacker ploys before they become pervasive.

Creating a convincing honeypot system isn't easy; if you're careless, a hacker will "make" you and abandon the system (or worse, set a bot to work on the honeypot, occupying your time needlessly). A key ingredient of any honeypot is some attractive bait: authentic-looking documents or binary files that the intruder can be tricked into believing are valuable. That aspect makes it hard to mass-produce honeypots, so if you decide to create one, you'll have to do it by hand.

Honeynets are somewhat easier to build because they don't actually have content, per se. You simply provide an open AP and an Internet connection and watch hackers swarm like dung flies on a . . . well, you get the idea.

You don't actually have to build a honeypot or honeynet to reap the research benefits of one. Numerous academic honey-things abound on the Internet, and their owners publish their findings. Studying these prior efforts is an important prerequisite to building your own honey-thing.
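The monitoring half of a honeypot, as an added example that is not from the article: a low-interaction decoy service that listens on a port, greets each connection with a fake banner, records who connected and the first bytes they sent, and then drops the connection without doing anything else. The banner text and the simulated probe are constructed for this illustration; everything runs on the loopback interface. The bait content the text says a real honeypot needs is out of scope here, as is any interaction beyond the banner.

```python
"""Low-interaction honeypot listener (added example).
Accept connections on a decoy port, log the visitor, never serve anything."""
import socket
import socketserver
import threading
import time

BANNER = b"220 files01 FTP server ready\r\n"   # decoy banner, constructed

class _Handler(socketserver.BaseRequestHandler):
    def handle(self):
        self.request.settimeout(2.0)
        self.request.sendall(BANNER)
        try:
            data = self.request.recv(1024)
        except socket.timeout:
            data = b""
        # One record per visit for the analyst; the connection is then closed.
        self.server.events.append({
            "time": time.time(),
            "peer": self.client_address[0],
            "first_bytes": data[:200],
        })

class Honeypot(socketserver.ThreadingTCPServer):
    allow_reuse_address = True
    daemon_threads = True

    def __init__(self, host="127.0.0.1", port=0):
        super().__init__((host, port), _Handler)
        self.events = []   # visible to handlers as self.server.events
        self._thread = threading.Thread(target=self.serve_forever, daemon=True)

    def start(self):
        self._thread.start()
        return self.server_address[1]   # the real port when 0 was requested

    def stop(self):
        self.shutdown()
        self.server_close()

def wait_for_events(pot, count, timeout=5.0):
    """Poll until `count` records exist; handlers run in their own threads."""
    deadline = time.time() + timeout
    while len(pot.events) < count and time.time() < deadline:
        time.sleep(0.05)
    return list(pot.events)

def simulate_probe(port, payload=b"USER anonymous\r\n"):
    """Stand in for a scanner hitting the decoy from localhost; return the banner it saw."""
    with socket.create_connection(("127.0.0.1", port), timeout=3) as s:
        banner = s.recv(1024)
        s.sendall(payload)
    return banner

if __name__ == "__main__":
    pot = Honeypot()
    port = pot.start()
    print("decoy listening on port", port, "banner seen:", simulate_probe(port))
    for event in wait_for_events(pot, 1):
        print(event)
    pot.stop()
```

Because the decoy has no legitimate users, every record is worth a look; that is the operational appeal of a honeypot over a production log, where the interesting entries are buried in normal traffic.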

Proceed to Advance Camp

When it comes to network security, there are no guarantees. You can't do it all, but as long as you can do more than the next guy, you'll make yourself a less attractive target than he is. Take as many of these 10 steps as you can to move your enterprise fruit to higher branches.

current systems to have the data necessary to select a good patch-management platform. In the meantime, be religious about applying patches manually.

9. Deploy Two-Factor Authentication

Two-factor authentication is the augmentation of traditional user ID/password checks with a physical token, such as a USB key or a biometric test (e.g., a thumbprint). As with patch management, deploying two-factor authentication is a Big Deal. The additional factor is a major change to user behavior and a serious inconvenience. However, two-factor authentication demonstrably improves the protection that passwords afford and makes it much easier to revoke authority when users change jobs or leave the organization. Simply deauthorize the token or biometric, and the user is locked out everywhere.

Enterprises often roll out two-factor authentication in conjunction with an identity management (IM) overhaul. Most two-factor authentication requires a modern authentication infrastructure, such as Lightweight Directory Access Protocol (LDAP), which also happens to facilitate single sign-on (SSO) and other IM benefits. Be aware, however, that improper two-factor implementation can actually reduce rather than enhance security. If users are currently sharing passwords, and a USB key lets them simply share a token as well, you've not improved security one whit. User education and policy upgrades are essential adjuncts to two-factor authentication deployment.

Beware also of the unwarranted claims of some two-factor tokens and biometrics. One major security token vendor was caught with its keys down when a security consultant discovered that the token's encryption could be bypassed easily. And several fingerprint-scanner proponents were taken off guard by how easily fingerprints can be captured and reused using ordinary gelatin to simulate skin.

So by all means, add a second factor to authentication, but do it thoughtfully, with due care.
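A software second factor and the revocation property this step describes, as an added example that is not the article's own: an RFC 4226 HOTP / RFC 6238 TOTP verifier built on the standard library, plus a small registry in which deauthorizing a user's token makes every later verification fail. The TokenRegistry class and the user name are hypothetical; the secret used in the test is the published RFC test-vector key, so the expected codes can be checked against the RFCs.

```python
"""HOTP/TOTP verifier with token revocation (added example)."""
import hashlib
import hmac
import struct
import time

def hotp(secret, counter, digits=6):
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return "%0*d" % (digits, code % (10 ** digits))

def totp(secret, at_time, step=30, digits=6):
    """RFC 6238 TOTP: HOTP over the number of `step`-second intervals since the epoch."""
    return hotp(secret, int(at_time) // step, digits)

class TokenRegistry:
    """Hypothetical enrolment store: user -> token secret. Revoked tokens are removed."""
    def __init__(self):
        self._secrets = {}

    def enroll(self, user, secret):
        self._secrets[user] = secret

    def revoke(self, user):
        """Deauthorize the token; the user is locked out of every future check."""
        self._secrets.pop(user, None)

    def verify(self, user, code, at_time=None, window=1, step=30):
        """Accept the code for the current step or `window` steps either side (clock skew).
        Comparison is constant-time so a wrong code leaks nothing about the right one."""
        secret = self._secrets.get(user)
        if secret is None:
            return False
        now = time.time() if at_time is None else at_time
        counter = int(now) // step
        return any(hmac.compare_digest(hotp(secret, counter + d), code)
                   for d in range(-window, window + 1))

if __name__ == "__main__":
    # RFC 6238 test-vector key; a real deployment generates a random secret per token.
    key = b"12345678901234567890"
    reg = TokenRegistry()
    reg.enroll("alice", key)
    print("code at T=59:", totp(key, 59))                  # 287082 per RFC 6238 (6 digits)
    print("accepted:", reg.verify("alice", totp(key, 59), at_time=59))
    reg.revoke("alice")
    print("accepted after revocation:", reg.verify("alice", totp(key, 59), at_time=59))
```

The skew window is the design knob: one step either side tolerates a minute of clock drift but also triples the number of codes an attacker can guess per attempt, which is why a real service also rate-limits failed verifications.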
