
UNDERSTANDING THE BATTLE PLAN OF A NETWORK ATTACKER

Electronic attacks on our networks and computer systems are constant. They occur at all hours of the day and night. They originate from places around the globe. Physical location and time zone don't matter on the Internet.

Most attacks are poorly carried out by amateurs. These folks are called "hackers" and they are often just experimenting and learning. If you've installed rudimentary defenses, there is little to worry about from them. However, a growing number of attacks are initiated by smart professionals who know how to penetrate defense systems and get what they want. They are called "crackers" because they "crack" or break security systems. Let's take a look at how these professionals operate.

Crackers have in-depth knowledge of the weaknesses within specific software applications and operating systems. There are many attack profiles going by names such as SQL injection, cross-site scripting, cookie tampering, man-in-the-middle, and blank hijacking.

While every attack is different, there is a predictable path that crackers take in subduing their targets. If we are to repel their attacks, it is important to understand their attack flow and techniques. Most sophisticated attacks begin with a surveillance phase, and then move into probe, invasion and capture phases.

Surveillance

This is the non-technical phase of the attack. A cracker (or squad of crackers) conducts routine surveillance of possible targets. This usually involves learning as much as possible about a company from publicly available information. Corporate websites are a wealth of information, not all of which should be public. Companies have been known to post telephone directories, organization charts and even passwords on their websites, often inadvertently.

A smart cracker knows how to seek out such information even when it is not readily available to the casual visitor. Having a list of contacts in a company provides the cracker with ammunition for "social engineering". This is nothing more than calling people within a company and asking them to help with a problem. We all want to be helpful.

Here is a simple example. I call your company's help desk posing as a computer technician and ask to speak with a supervisor. I tell the supervisor that the network is down. She says it's not. I ask her to log out and back in again as a test. She complies. Finally, I ask her to give me her ID and password so I can check into why my access fails while hers succeeds.

Yes, this works. Not every time, but often enough that it's worth a try in one variation or another.

Probe

Now that the cracker knows something about the company and its systems, the probe phase tests the target's boundary defenses in search of an opening. All computer systems have thousands of "ports" or addresses that software applications use for network communications. Most computer networks actually use a small subset of these ports; after all, there are a limited number of software applications that can operate on a given network.

Probing consists of issuing requests to many ports and noting which ones respond with the equivalent of a "yes, I'm here". There are a number of readily available software tools that automate the probe. Network mapping tools have the ability to generate network diagrams including topology, system IP addresses, open ports, active services, and operating system characteristics. These tools are surprisingly easy to use.

Invasion

All of the information gathered in the surveillance and probe phases is only of value to someone who has detailed knowledge of the systems and applications in use. Once the cracker has discovered an opening, his next step is to find and retrieve as much useful information as possible by taking advantage of known vulnerabilities.

Major software firms release patches on a regular basis to correct deficiencies and block entry paths. Unfortunately, many companies are very slow to install these patches. Crackers can determine software release and patch levels. When they find a company that has not patched a known vulnerability, they have a "sitting duck" and can proceed to the last phase.

Capture

The most common approaches in this phase are installing back doors or deploying Trojan horses. A back door is a means of bypassing normal security protocols to gain access to a system. A Trojan horse is a program that appears harmless but actually contains malicious code.

The capture phase has many outcomes. Crackers have been known to steal valuable information such as credit card numbers or corporate secrets. They have corrupted computer files and sought ransoms to restore the data. And sometimes, they defile websites just because they can.

Defensive Measures

Vigilance is the key to maintaining adequate defenses. You already know about firewalls, antivirus software, intrusion prevention systems and other defensive measures.

Unfortunately, none of these measures can guarantee security. You must go on the offensive by doing three things.

First, stay current with vendor updates and patches. Crackers probe for systems that have not been updated. Many successful attacks could have been easily prevented by following vendor recommendations.

Second, firewalls and other security systems maintain log files that show cracker probes and other attempted intrusions. Be sure these log files are examined on a regular basis. If suspicious activity is spotted, take action to protect the target system.
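As an added illustration of the log review recommended in the second measure (this is example code written for this page, not part of the original column), the script below reads firewall log lines and flags any source address that touches many distinct host/port targets within a short window, which is what the probe phase described earlier looks like from the defender's side. The log format (iptables-style kernel messages), the sample addresses, the 60-second window and the six-target threshold are all assumptions; the log lines are constructed, not a real capture.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in the style of iptables kernel log entries (not a real capture).
# 203.0.113.5 sweeps eight targets in seven seconds, 203.0.113.99 touches three targets
# spread over two hours, and 198.51.100.7 is ordinary HTTPS traffic.
SAMPLE_LOG = """\
Aug 12 01:00:00 fw kernel: DROP IN=eth0 SRC=203.0.113.99 DST=192.0.2.10 PROTO=TCP SPT=50001 DPT=22
Aug 12 01:30:00 fw kernel: DROP IN=eth0 SRC=203.0.113.99 DST=192.0.2.10 PROTO=TCP SPT=50002 DPT=80
Aug 12 02:00:00 fw kernel: DROP IN=eth0 SRC=203.0.113.99 DST=192.0.2.10 PROTO=TCP SPT=50003 DPT=443
Aug 12 03:14:05 fw kernel: DROP IN=eth0 SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP SPT=41234 DPT=21
Aug 12 03:14:05 fw kernel: DROP IN=eth0 SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP SPT=41235 DPT=22
Aug 12 03:14:06 fw kernel: DROP IN=eth0 SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP SPT=41236 DPT=23
Aug 12 03:14:06 fw kernel: ACCEPT IN=eth0 SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP SPT=52000 DPT=443
Aug 12 03:14:07 fw kernel: DROP IN=eth0 SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP SPT=41237 DPT=25
Aug 12 03:14:07 fw sshd[2211]: Accepted publickey for admin from 198.51.100.7 port 52001 ssh2
Aug 12 03:14:08 fw kernel: DROP IN=eth0 SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP SPT=41238 DPT=80
Aug 12 03:14:09 fw kernel: DROP IN=eth0 SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP SPT=41239 DPT=110
Aug 12 03:14:10 fw kernel: DROP IN=eth0 SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP SPT=41240 DPT=139
Aug 12 03:14:12 fw kernel: ACCEPT IN=eth0 SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP SPT=52002 DPT=443
Aug 12 03:14:12 fw kernel: DROP IN=eth0 SRC=203.0.113.5 DST=192.0.2.11 PROTO=TCP SPT=41241 DPT=443
"""

# Assumed line layout: syslog timestamp, host, "kernel:", action, then key=value fields.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ kernel: (?P<action>\w+) .*?"
    r"SRC=(?P<src>[\d.]+) DST=(?P<dst>[\d.]+) PROTO=(?P<proto>\w+) SPT=\d+ DPT=(?P<dpt>\d+)"
)


def parse_line(line):
    """Return a dict for a firewall line, or None for lines in another format."""
    m = LINE_RE.match(line)
    if not m:
        return None
    # Syslog timestamps carry no year; strptime defaults to 1900, and only deltas matter here.
    ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S")
    return {"ts": ts, "src": m.group("src"), "dst": m.group("dst"),
            "dpt": int(m.group("dpt")), "action": m.group("action")}


def detect_sweeps(lines, window=timedelta(seconds=60), min_targets=6):
    """Map each source address to the peak number of distinct (host, port) targets it
    touched within any `window`, keeping only sources at or above `min_targets`."""
    by_src = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        if ev:
            by_src[ev["src"]].append(ev)

    alerts = {}
    for src, events in by_src.items():
        events.sort(key=lambda e: e["ts"])
        in_window = Counter()   # (dst, dpt) -> hits currently inside the sliding window
        start = 0
        peak = 0
        for ev in events:
            in_window[(ev["dst"], ev["dpt"])] += 1
            # Slide the window forward: drop events older than `window` before this one.
            while ev["ts"] - events[start]["ts"] > window:
                old = (events[start]["dst"], events[start]["dpt"])
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                start += 1
            peak = max(peak, len(in_window))
        if peak >= min_targets:
            alerts[src] = peak
    return alerts


if __name__ == "__main__":
    for src, targets in detect_sweeps(SAMPLE_LOG.splitlines()).items():
        print(f"possible sweep from {src}: {targets} distinct host/port targets within 60s")
```

Counting distinct (host, port) pairs rather than ports alone means the same logic flags a source walking one port across many hosts as well as one walking many ports on a single host. The slow source that spaces its three attempts half an hour apart stays under the threshold, which is a reminder that a single window size never catches everything; running the same check with a longer window and a lower threshold is the usual complement.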

Third, adopt stealth mechanisms such as minimizing publicly available information about employees and computer systems. Also, warn employees about "social engineering" tactics and impress upon them that company information must never be released to anyone without proper identification and authorization.



Vin D'Amico is Founder and President of DAMICON, your ADJUNCT CIO™. He is an expert in leveraging open software to drive growth. DAMICON provides Freelance Technical Writing, IT Disaster Response Planning, and Network Security Management services to firms throughout New England.

This article appeared in Vin's monthly Virtual Business column for the IndUS Business Journal in August 2005.



To learn more about how DAMICON can help your business, please take a look at our service programs.
