“Success in warfare is gained by carefully accommodating ourselves to the enemy’s purpose. If the enemy shows an inclination to advance, lure him on to do so; if he is anxious to retreat, delay on purpose that he may carry out his intentions.”Sun Tzu, The Art of War
Adequate protection against hacker attacks requires an understanding of how and where attacks are likely to be launched, as well as understanding the character of the attacker. Hackers have a wide range of options when they are sizing up a target, and it is up to you to know where your vulnerabilities might lie.
The basic hacker access methods are social engineering and computer-based attacks. Additionally, there are different attack strategies based upon the location of the attacker: dial-in and internal access. Often, attack methods and location-based strategies are used in combination. For the hacker, these may be considered the tools of the trade.
Social engineering is exploitation of a naive or inexperienced user to gain access to systems. It is one of the most difficult attack methods to prevent, and can only really be defeated by strong security policies and employee compliance. Social engineering attacks take many forms, the most basic being to trick an inexperienced user into changing or revealing his or her password, thus making it available to the attacker. Another common use of this technique is where an attacker poses as a legitimate user in order to obtain a password. For example, he might call a systems administrator claiming to be a specific executive, and saying that he has forgotten his password.
Any form of impersonation may fall into the social engineering category. This strategy is difficult to defeat because it requires constant vigilance and reliance upon business policies rather than upon technology.
Another method of attacking systems and networks is to use a programming approach. This includes a wide variety of attacks within the areas typified by viruses, worms, Trojan horses and buffer overflows. Viruses can be used to gain control of systems and open a back door for later access, install a Trojan horse, or provide the means to use ‘infected’ systems to attack other systems. For example, a variation of a virus known as a worm can quickly spread and cause multiple systems to attempt to access a single site at the same time, creating what is called a denial-of-service (DoS) attack – that is, while the attack is underway, access is so high that legitimate users cannot get in.
Scripts are often packaged with virus and worms that use primitive internet code or built-in macro languages of legitimate programs to gain control of systems. These pose a threat because they are common and easy to create and deploy, frequently being spread by the growing army of ‘script kiddies.’
Finally, Trojan horses are programs that overwrite and masquerade as legitimate programs, opening the way to hackers upon activation. A program called notepad.exe, for example, could overwrite your legitimate notepad program. As soon as you activate it by clicking on a text file, it might send your password files or important documents to a waiting attacker. Trojan horses are frequently inserted by viruses and worms.
One rule to remember with computer-based attacks: Once a program gains command of your system, it can do virtually anything, from trashing your hard disk to attacking other systems. The program or script is in control, not you.
Protection against computer-based attacks requires a number of defenses, including installation and regular maintenance of anti-virus programs, regular vulnerability assessment analysis, plus filtering devices installed within the network – in addition to standard security policies and protections.
Access to an organization from the outside can be obtained through a dial-up line, the internet, via a virtual private network (VPN) or by direct remote access to systems. Dial-in access is obtained most frequently over the internet, but here it demands defeat of conventional security, such as firewalls. Easier access is obtained in those cases where someone attaches a modem to a company workstation for ease of access, thus bypassing ordinary security. Access to such a line by a hacker may be a matter of luck, of naivety on the part of the modem user, or even of conspiracy with an inside partner.
Another important, and growing, method of accessing dial-up connections and circumventing security is through the simple theft of a laptop computer. Many users take advantage of auto logon features to instantly access their critical networks. This is a goldmine to the hacker, and an estimated 80 percent of laptop thefts are undertaken solely to gain access to networks.
The theft problem is actually growing with the increasing use of smaller (and therefore more vulnerable) PDAs and cellular phones equipped with network access. Users must learn to avoid setting auto-logon features or storing passwords on portable systems. Care must also be taken to ensure that these devices are not stolen. This can include locks, use of hotel safes, and simple vigilance. Another layer of defense is the implementation of smartcards, SecureID, or other multi-factor authentication options. Care must be taken here so that the solution is easy and as convenient as possible for the end-user or else they themselves are likely to find ways to circumvent this layer of defense.
Internal access automatically provides immediate advantages to the hacker as such access bypasses firewalls. Internal access can be as easy as having physical access to the yellow Post-it notes upon which people often write passwords and stick to their computer screens. We have looked at the employee hacker before. The employee poses a threat by knowing the system, having access to resources and legitimate passwords and security clearances and so forth. Such an employee requires little extra knowledge to break into sensitive areas of the system, and can only be defeated by a combination of good security policy, appropriate clearances, and vigilance. A good rule of thumb here is to always implement the ‘least required privilege’ standard. This requires a lot more active administration, but significantly reduces this threat.
In addition to basic employee access, internal threats can come from social engineering, as described above, or from intruders. In this case, consider that someone might enter the facility and access terminals, jot down passwords, or compromise security in various ways for later break-ins. Again, protection demands security policy, appropriate clearances, and vigilance. For a personal example of this technique, stay late at work one night then walk around and see how many users have remained logged into their computers. Now realize that someone who wanted access to your systems would really only need to get a job as a cleaner for a couple of weeks in order to get the information they needed.
Next week, we will look at how hackers select and ‘fingerprint’ a target, looking at motivations and methods used.
Darren Thomas is a security expert at NetIQ Corp.(www.netiq.com).