Taking Advantage of System Vulnerabilities

The following are current examples of how corporate, banking, home and other I/T systems can become compromised. The five basic ways that an Internet attacker can gain control over your system(s) include:

In addition to the above, there are many other methods that either internal employees or external hackers can use to compromise workstations and servers.

1. External Hackers Accessing Your Systems
Figure 1 depicts a simplified diagram of an internal network with a web/email server, a workstation, and a firewall providing Internet access. Rules programmed into the firewall allow Internet users to reach the internal web and email server and allow internal workstations to reach Internet sites. The firewall inspects each data packet as it arrives from the Internet. If the packet is addressed to TCP port 80 (web traffic) or TCP port 25 (email traffic), the firewall forwards it to the server without inspecting the content or information contained within the packet; all other traffic is simply dropped. Regardless of whether the server is running Microsoft's IIS or Apache web software, incorrect web software settings and software bugs can allow an Internet user (or hacker) to execute other programs on the server or to access data considered confidential. Likewise, many email servers are not properly configured, allowing unscrupulous individuals to relay pornographic and other unwanted mail messages through the server; the relayed messages often appear to have originated from your server. Two examples of web server vulnerabilities are those in Microsoft IIS and Apache. (Note: these two popular web servers have had 30+ such vulnerabilities, and others will be discovered in the future.) The corrective actions include applying the vendor's hot fixes and service packs, and ensuring all software configuration parameters have been properly set for your business environment. In addition, the server's security settings (permissions, auditing, and logging) need to be set to reasonable values: the vendor's default installation values for security are very inadequate and are often disabled altogether.
2. Internal Workstation Accessing Infected Web Sites

Figure 2 depicts the same simplified diagram, but here an internal workstation is accessing an Internet web server. If that web server is already infected with any of a number of trojans or worms, the trojan or worm can be transferred to the internal workstation without the knowledge of the workstation user. This was the case with the widespread CodeRed and Nimda worms that were prevalent in 2002. In more recent cases, hackers have found ways to deliver trojans and worms to firewall-protected workstations by taking advantage of software inadequacies (bugs) within Microsoft's operating systems while the workstation user is simply using a web browser to innocently visit an interesting web site. As the sophistication of unscrupulous hackers increases, so does the sophistication of the methods used to gain access. A recent approach encourages an innocent user to visit a certain web site to listen to free music. Rather than providing the music, the hacker's site takes advantage of a software bug within Windows Media Player and transfers a trojan to the user's workstation without their knowledge. The trojan includes a call-home function that allows the hacker to access the infected workstation at any time, day or night. Once an internal workstation has been compromised, the hacker can then reach all other internal workstations and servers (from the compromised workstation) with the same authority the workstation's normal user has been given. Two such examples (of many) are a Microsoft Internet Explorer software bug and a Microsoft Windows Media Player bug. The corrective actions include applying the vendor's hot fixes and service packs on a regular basis, and ensuring all software configuration parameters (including Internet Explorer) have been properly set for your environment.
In addition, current anti-virus software is considered a must; all unused services must be disabled (many are enabled during operating system installation); and security settings (authority and auditing) must be reviewed to ensure employees have only the permissions necessary to perform their responsibilities.
3. Email Sent to Your Employees

Many email-based mechanisms exist that allow Internet hackers to gain access to confidential data. Figure 3 depicts the flow of an email message arriving from the Internet, passed by the firewall to an internal email server, and finally downloaded and read by an internal workstation user. An email-based compromise can be initiated via:
The corrective actions include applying the vendor's hot fixes and service packs on a regular basis, and ensuring all software configuration parameters (including Internet Explorer and Outlook) have been properly set for your environment. In addition, current anti-virus software is considered a must, and security settings (authority and auditing) must be reviewed to ensure employees have only the permissions necessary to execute their responsibilities.
4. Hijacking Internet Infrastructure Components

Many different mechanisms currently exist that can be used to compromise the security of Internet-based systems. One such mechanism is depicted in Figure 4, where a hacker simply visits the target web site and recreates an image of that site on his Fake Server. Copying the web site is as simple as using the Save As function within Internet Explorer, or any of a number of free software packages commonly available on the Internet. Once the copy is on the Fake Server, the hacker pollutes selected Domain Name Service (DNS) servers so that customers accessing www.his-target.com are redirected to the Fake Server instead of the intended real server. The hacker simply modifies the web source code on his Fake Server to store the UserID and Password/PIN entered by an unsuspecting customer. At some later time, the hacker visits the actual company's web site and uses the captured UserID and Password/PIN to execute fraudulent transactions. Such transactions might include the creation of new vendors and payments issued to those vendors, as well as many other activities that appear to have been originated by your customer. The corrective actions required to secure each such mechanism vary depending upon the specific service and site construction; monitoring selected external Internet components is required to detect such hacking attempts. Social engineering mechanisms include calling an employee, convincing the employee that you are a company employee (Help Desk or I/T staff), and asking the employee for his/her UserID and Password in order to resolve a technical problem. Other mechanisms include:
To summarize, deploying a firewall for all Internet-connected systems is important; however, a firewall should be considered only one of many steps required to protect internal systems. Other steps include the use of current anti-virus software on both workstations and servers, application of vendor-recommended hot fixes and service packs, disabling unneeded system services, configuring the required system services with parameters appropriate for how the services are being used, and implementation of system security settings that provide awareness of (and alerts on) system compromise attempts.
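The monitoring of external DNS answers that section 4 calls for, as an added example that is not code from the original article or from Network Partners: it compares the addresses several resolvers return for a monitored name against its known-good set and raises an alert for any resolver that answers with something else, fails, or returns nothing. The resolver names, the expected addresses and the sample answers are constructed, and `query` is a placeholder hook, since the standard library alone cannot direct a lookup at a chosen resolver.

```python
import socket
from typing import Callable, Dict, Iterable, List, Optional, Set, Tuple
Answer = Optional[List[str]]                  # IPv4 strings, or None when the lookup failed
Finding = Tuple[str, str, Tuple[str, ...]]    # (resolver, condition, offending addresses)
# Constructed example: the article's target name with made-up known-good addresses
# taken from the documentation range, not real infrastructure.
EXPECTED: Dict[str, Set[str]] = {"www.his-target.com": {"203.0.113.10", "203.0.113.11"}}

def system_resolve(name: str) -> Answer:
    """Ask the host's own configured resolver (a single vantage point)."""
    try:
        return sorted({ai[4][0] for ai in socket.getaddrinfo(name, None, socket.AF_INET)})
    except socket.gaierror:
        return None

def check_answers(expected: Set[str], answers: Dict[str, Answer]) -> List[Finding]:
    """Compare each resolver's answer with the known-good set and list anomalies."""
    findings: List[Finding] = []
    for resolver, answer in answers.items():
        if answer is None:
            findings.append((resolver, "unreachable", ()))        # no verdict possible
        elif not answer:
            findings.append((resolver, "empty_answer", ()))       # the name has vanished
        else:
            rogue = tuple(sorted(set(answer) - expected))
            if rogue:                                             # customers would be redirected
                findings.append((resolver, "unexpected_address", rogue))
    return findings

def monitor(expected: Dict[str, Set[str]], resolvers: Iterable[str],
            query: Callable[[str, str], Answer]) -> Dict[str, List[Finding]]:
    """query(resolver, name) asks one named resolver; wire a DNS library in for real use."""
    resolvers = list(resolvers)
    return {name: check_answers(good, {r: query(r, name) for r in resolvers})
            for name, good in expected.items()}

# Constructed sample answers: resolver-b has been polluted, resolver-c timed out.
SAMPLE_ANSWERS: Dict[str, Answer] = {
    "resolver-a": ["203.0.113.11", "203.0.113.10"],
    "resolver-b": ["198.51.100.77"],
    "resolver-c": None,
}

def sample_query(resolver: str, name: str) -> Answer:
    return SAMPLE_ANSWERS[resolver]

if __name__ == "__main__":
    for name, alerts in monitor(EXPECTED, SAMPLE_ANSWERS, sample_query).items():
        for resolver, condition, addrs in alerts:
            print("ALERT", name, resolver, condition, *addrs)
```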
Copyright 1993-2024 Network Partners, Inc. All rights reserved