To Catch a Thief

Mar 01, 2001 10:30 PM  By

Alarming statistics abound on the prevalence of security breaches. A survey released in 2000 by the Computer Security Institute (CSI) and the FBI reveals some startling facts:

  • 90% of 643 respondents report having detected cyber attacks;

  • 70% report a variety of security breaches, including theft of proprietary information, financial fraud, system penetration from outsiders, denial of service attacks, and sabotage of data;

  • 74% acknowledge financial losses resulting from computer breaches, with 273 respondents quantifying losses of over $265 million; and

  • 71% of respondents report experiencing unauthorized access by insiders.

These disturbing statistics point to the extensive work that needs to be done to protect the confidentiality, availability, and integrity of information that exists on company networks. The first step in preventing network security incidents is to identify the threats and put controls in place to prevent them from happening. Threats can be unauthorized external users or hackers gaining access, focused intruder attacks based on inside information (corporate espionage), intentional acts by disgruntled employees, or accidental events caused internally.

Before attempting to secure your network, you must identify the worst threats to your environment and start focusing on those areas. For example, if you use the Web to distribute information about the company, you face a much higher security risk from internal users than you do from hackers, whereas if you’re heavily involved in e-commerce, you could suffer far worse consequences if hackers assault your routers with denial of service attacks, which flood a system with so much information that legitimate traffic is halted. Last year, denial of service attacks disabled several prominent online companies, among them Yahoo!, eBay, and Amazon.com.

If you wish to draw management’s attention to security issues and demonstrate the vulnerabilities in your network architecture, try an “ethical hack.” This method involves attempting to gain access to the company’s network using tools and techniques that a hacker would use, such as port scanning to map the firm’s external network. Although there are many different technical ways to gain entry, the most prevalent is still weak or default passwords. Other methods of gaining access involve exploiting weaknesses in a Web server or application programming logic to take over the server. Operating system, Internet, and application default settings also provide ample opportunities to gain access during an ethical hack test. They offer an open doorway for the determined hacker.

As companies become heavily reliant on Web-based applications, it is becoming more important to test the security of such programs. The misconfigurations that could allow unauthorized access are numerous, and coding and programming errors can allow a user to view files, obtain information, or execute operating system commands as if he were sitting in front of the server.

Start a fire

Using a firewall system can reduce the risk that a company faces on the Internet while doing business with trading partners. However, even a firewall can potentially be bypassed because of software and operating system misconfigurations in systems that are trusted by the firewall. Installing remote access applications such as Citrix Metaframe or Windows Terminal Server may also provide a hacker with a clean access route to the client’s network, and usually these applications are allowed through the firewall.

Ethical hacks can be expensive and normally uncover only a subset of the vulnerabilities that may exist on a network. However, they are great at providing an understanding of just how poor or superior the security of the network is. Building on an ethical hack would involve performing a diagnostic review, a procedure that offers a detailed view of what vulnerabilities exist on specific hosts.

A diagnostic review focuses on looking at file system permissions and reviewing user account information, password rules, and operating system configuration. Keep in mind that the ethical hack would not capture these vulnerabilities if they were not exploited in gaining access.

An intrusion detection system can help identify an attack, but you must develop an incident response plan designed to handle internal or external penetrations to ensure that an incident is handled in a manner that protects the evidence. Handling an incident should involve segregating the affected systems. If you intend to take legal action, you must ensure that the proper chain of custody is followed. Familiarize yourself with cyber law, write-protect all affected systems, and create a mirror image of the data. Computer forensics can be used on the mirror image to check for hidden, modified, or deleted files.

In securing a network, you should make sure that the following procedures are followed:

  • Establish a security policy that describes the training and actions needed to set up and maintain a strong information security architecture.

  • Install intrusion detection software that will alert administrators of attacks.

  • Review the logs produced by the intrusion detection system and other systems on a regular basis.

  • Keep up-to-date with the patches and fixes for your operating system and applications.

  • Remove default or sample applications and data from Web servers and tighten the default services running on hosts.

  • Set up a firewall system for all Internet connections and links with business trading partners.

  • Arrange for proactive solutions, such as penetration testing or diagnostic testing, to be implemented to enhance network security.

Don’t forget that to be effective, these techniques require the right mix of people, processes, and technology. Rely too heavily on any one area, and your security will will be less than full strength.

David Pluviose is assistant editor of Operations & Fulfillment. Martin Dolphin is a systems manager at Ernst & Young LLP. He can be reached at (617) 859-6249