Friday, October 26, 2007

Mitigating Hacker Threats

Windows of Insecurity

Even the best security technology, policies, and procedures do not guarantee the security of a system. As seen with the Hotmail bug, a seemingly perfectly secure system can become completely insecure overnight if a clever hacker discovers a bug and posts an exploit on the Internet. People should certainly configure their systems correctly, install all patches, use firewalls, deploy an intrusion detection system, and regularly update their virus checkers. However, these techniques typically only prevent and detect known attack methods. If an attacker uses a new attack while engaging in a legitimate conversation with a system, the attack will go undetected and unstopped by the aforementioned methods.

About 30-40 unique computer attacks are published monthly on the Internet. For a certain amount of time after each attack is published, attackers have free rein to break into networks because administrators have not yet been able to apply a workaround or patch. It often takes incident response organizations hours to release workarounds and days to release patches. When that time is added to the time it takes an administrator to become aware of the problem and apply the patch, attackers have a large window of opportunity with every attack that is published. Since new vulnerabilities are discovered on a daily basis, patient hackers can wait for an applicable vulnerability to be published before launching an attack against their desired target.

Weaknesses in Virus Checkers

A related problem exists with virus checkers. Here, the attacker does not need to wait for a new attack to be released, but can simply create a new virus that won't be detected. The problem is that virus detection software detects only the viruses that have been previously analyzed and added to the software's database. Such software has great difficulty in detecting never-before-seen viruses. A hacker who wishes to penetrate a particular company can write a virus specifically for that organization. By testing the virus beforehand on the handful of popular virus-checking programs, the hacker can guarantee that the virus will enter the organization undetected. The hacker then sends an innocuous e-mail and the malicious code will likely be executed within the target organization.

Denial-of-Service (DOS) Attacks

During the first months of 2000, hackers launched DOS attacks against a number of organizations' Web sites. The attacks were coordinated floods of legitimate-looking requests for connection to the sites. Often, the attacks were launched from a large set of attacking hosts spread throughout the world. In some cases, the Web sites were shut down for hours or days while administrators determined the originating sites of the attacks and installed filters on routers and firewalls to block connections originating from those sites. These sorts of attacks are difficult or impossible to block completely and force organizations that rely heavily on the availability of their Web sites to monitor traffic continuously and react quickly to any suspicious activity.

Lack of Automated Tracing

The primary method hackers employ to avoid being traced successfully is to log into a series of hosts in different countries or organizations before making an attack. To trace the hacker, the owners of each host in the attacker's chain must be contacted and asked to review their log files (if any exist). If the attacker's chain passed through several foreign countries, tracing is made more difficult. A secondary way hackers avoid being traced is by "lying" about their location. The attacker sends out malicious packets with a random Internet Protocol (IP) source address. To trace the source of the packets, one must manually contact router owners on the physical path taken by the packets and trace backwards along the path taken by the malicious packets. As before, if the malicious packets traverse several foreign countries, tracing becomes difficult.

Blurring between Data and Code

It used to be that some files contained only data while other files contained executable instructions. Today, almost all data files can contain small programs that aid in the presentation or use of the data. These programs or scripts embedded in data serve as an easy way for hackers to penetrate a network; the instructions can perform powerful functions and cause havoc. In many cases, the power provided by the scripts embedded into data is unneeded and unused by the user.

Inside-Out Network Subversion

Many organizations now use firewalls, and hackers have responded by developing new techniques for bypassing these security barriers. In many instances, this was accomplished by tricking inside users and systems to execute code containing worms, which could then spread to other systems behind the firewall. In other cases involving attacks that used JavaScript and ActiveX, users were tricked into executing malicious code hidden in external Web sites. In the case of the Microsoft Jet Engine incident, simply reading the e-mail that contained the embedded worksheet caused the malicious code to execute; no attachments were involved. There is some consensus among worldwide corporations that these "inside-out" attack scenarios are likely to be the most dangerous because they are difficult to detect and prevent.

Threat Summary

Network perimeter security mechanisms, while necessary and effective in stopping the majority of attacks, cannot provide sufficient protection against all outside threats. Attackers, faced with sophisticated firewalls, have developed mechanisms to bypass those firewalls by directly attacking user computers within the network. A common bypass mechanism is to attack a user through e-mail and Web browsing using a variety of security flaws in commonly used scripting languages. Users are often unaware when a script is being run since scripts can piggyback on most types of data files. Often, but certainly not always, such inside-out attacks rely upon a user performing an action such as opening an attachment. Attackers may create the malicious code themselves to ensure that it will not be detected by an anti-virus tool. Another way of entering a network is to attack the software and servers that are visible from the Internet. As previously discussed, the most recent attack might be used so that it will not be detected by intrusion detection systems. Attackers frequently target e-mail servers, domain name servers, Web servers, routers, and even computer security devices (like firewalls). If such attacks are detected, it is unlikely that the attacker's identity can be found, as tracing expert hackers on the Internet is very difficult. Security is often very lax inside a network since systems administrators generally do not have time to completely secure all internal hosts. Thus, worms or human attackers that enter a network via e-mail may spread their influence throughout a network using a variety of possible vulnerabilities. Typically, these other methods of spreading attacks are automated and do not require a legitimate user to be deceived into performing an insecure action.

Despite the severity and sophistication of a computer attack, the attacker may not be a large, well-funded organization. A lone hacker with patience and publicly available tools can cause an enormous amount of damage. A single teenager can marshal the resources to launch DOS attacks against the most robust of Web sites. A more-prepared and better-funded adversary could do much more damage. Organizations, large and small, must prepare against these emerging threats.

Recommendations

To mitigate the threat of hackers on the Internet breaking into or shutting down a network, organizations must divide their attention among several areas:

  • Securing a small number of externally visible systems,

  • Hardening a large number of vulnerable internal systems,

  • Responding to security incidents, and

  • Mitigating denial-of-service attacks.

A security architecture, policies, procedures, firewalls, virus checkers, intrusion detection systems, strong authentication schemes, virtual private networks, host encryption, personal firewalls for telecommuters, war dialers, and other appropriate security devices must also be in place and appropriately configured to support these activities.

Securing a Small Number of Externally Visible Systems

Due to the widespread use of firewalls, most hackers on the Internet can directly access only a few hosts in an organization. These hosts are usually firewalls, Web servers, routers, e-mail servers, and domain name servers. If the applications on these hosts are vulnerable, a hacker not only has access to a valuable resource, but also the host may provide an avenue by which to break into the hosts behind the firewall. Thus, it is necessary to secure these hosts and to frequently patch and upgrade to mitigate emerging threats. Fortunately, the number of such important hosts visible from the Internet should be small relative to the total number of hosts in an organization. Therefore, a focused effort on this set of hosts is generally cost-effective.

The most important applications to patch, secure, and monitor include:

  1. Domain name system (e.g., BIND)

  2. CGI scripts employed by Web servers (be certain to remove vulnerable example scripts)

  3. Web server vulnerabilities (e.g., Apache and Microsoft IIS)

  4. E-mail server software (e.g., Sendmail)

  5. Operating system software

  6. E-mail access protocols/daemons (e.g., IMAP and POP)

  7. SNMP access control to networking devices

The SANS (System Administration, Networking, and Security) Institute has published a list of the top ten vulnerabilities which covers many of these "problem" applications. The paper is available at: http://www.sans.org/topten.htm. Also, NIST maintains a searchable index of serious vulnerabilities that contains over 600 entries. Called the ICAT Metabase, this index is a tool that allows one to search for vulnerabilities at a fine granularity (e.g., using software names and version numbers). For each vulnerability of interest, ICAT points a user to patch information and vulnerability databases that thoroughly describe the security issue. The ICAT Metabase is available at: http://csrc.nist.gov/icat.

Hardening a Large Number of Internal Systems

Securing internal hosts in an organization is typically much harder because of scaling issues. Most organizations have a large number of insecure hosts sitting behind their firewall. In the near future, more vendors will provide automated ways to patch a large set of hosts from a single console. This technology will enable organizations that have a standard host setup to easily keep all hosts updated. However, this technology is not widespread and most system administrators have to patch hosts one computer at a time. Since the time required to install a patch on all hosts is usually prohibitively large, internal systems are not usually patched.

Despite this frustrating situation, there are ways to inexpensively harden internal systems against hackers on the Internet. The key is to realize that internal systems are typically penetrated through e-mail and Web access since the firewall, when properly configured and maintained, prevents most other types of access. We recommend the following actions:

  1. Users of Microsoft Windows should be trained in how to install security patches using the Windows Update feature: http://windowsupdate.microsoft.com/. Active desktop users should be notified about when to accept the automatic notifications of security updates.
  2. Users should be trained not to open attachments if an e-mail looks atypical (even e-mail from their friends). A reasonable rule is that a user should not open an attachment, without confirming with the sender, unless the context of the e-mail demonstrates that this is not a mass e-mailed virus.
  3. Virus checkers should be installed on every computer and those checkers should automatically update themselves daily with new virus signatures.
  4. Organizations should check for viruses at their firewall and e-mail server in addition to checking on each internal host. We recommend using a different virus detection product on internal hosts and backbone hosts in order to diversify, and thus strengthen, a network's detection and prevention capability.
  5. Organizations should create an internal Web site for distributing virus software updates and patches for situations where vendors' Web sites are overwhelmed with update requests.
  6. Scripts should be disabled when people preview and read their e-mail. Otherwise, as soon as a new script vulnerability emerges, hackers can send malicious e-mail that will automatically infect the receiver. It may be best to enforce this policy at the e-mail gateway, where the scripts can be automatically removed or e-mail containing scripts can be automatically rejected.
  7. For organizations requiring greater internal host security, an easy way to boost security is by installing internal firewalls to isolate critical subnets and by using personal firewalls on critical internal hosts.
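The gateway policy in item 6 (strip active content from HTML e-mail, or reject the message outright) can be sketched as below. This is an added example, not code from the original bulletin; the sample message is constructed and the policy names "strip" and "reject" are assumptions.

```python
"""Strip or reject active script content in inbound HTML e-mail, as a gateway might."""
import re
from email import message_from_string
from email.message import Message

# Active content in an HTML body: <script> elements, on* event-handler
# attributes, and javascript: URLs.
SCRIPT_RE = re.compile(r"<script\b[^>]*>.*?</script\s*>", re.I | re.S)
EVENT_RE = re.compile(r"\s+on\w+\s*=\s*(\"[^\"]*\"|'[^']*'|[^\s>]+)", re.I)
JSURL_RE = re.compile(r"javascript\s*:", re.I)

# Constructed sample message (not a real e-mail).
SAMPLE = """\
From: sender@example.test
To: user@example.test
Subject: Quarterly report
Content-Type: text/html; charset="us-ascii"

<html><body onload="run()">
<p>Please see the <a href="javascript:run()">report</a>.</p>
<script>document.write('x')</script>
</body></html>
"""

def contains_script(html: str) -> bool:
    return any(p.search(html) for p in (SCRIPT_RE, EVENT_RE, JSURL_RE))

def strip_script(html: str) -> str:
    html = SCRIPT_RE.sub("", html)
    html = EVENT_RE.sub("", html)
    return JSURL_RE.sub("blocked:", html)

def filter_message(raw: str, policy: str = "strip") -> tuple[str, Message]:
    """policy 'strip' removes active content and delivers; 'reject' bounces.
    Returns (verdict, message), verdict in delivered/sanitized/rejected."""
    msg = message_from_string(raw)
    verdict = "delivered"
    for part in msg.walk():
        if part.get_content_type() != "text/html":
            continue
        charset = part.get_content_charset() or "utf-8"
        body = part.get_payload(decode=True).decode(charset, "replace")
        if not contains_script(body):
            continue
        if policy == "reject":
            return "rejected", msg
        part.set_payload(strip_script(body))
        verdict = "sanitized"
    return verdict, msg
```

The regular expressions catch the common forms of embedded script; a production gateway would use a real HTML parser so that obfuscated markup cannot slip past them.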

Responding to Security Incidents

Despite our best efforts to secure systems, hackers will occasionally penetrate an organization. The response to such break-ins must be planned, timely, and appropriate in order to mitigate the damage. System administration staff must be trained concerning what to do or who to call during a security crisis. Incident response organizations are useful resources for advising an organization about recovering from an attack and setting up their own incident response capability (FedCIRC, http://www.fedcirc.gov/ or CERT, http://www.cert.org/).

Mitigating Denial-of-Service Attacks

There are two types of DOS attacks: flaw-based and flooding. Both types attempt to consume the resources of a host or application to prevent it from functioning. Some articles talk about "distributed DOS" attacks. These are DOS attacks that are generated from multiple attacking hosts. Attackers use these multiple hosts in order to amplify the effect of their attacks.

Flaw-based DOS attacks make use of errors in software in order to consume resources. Patching and upgrading software can prevent these types of DOS attacks. Flooding DOS attacks send more information to an application than it can handle. These types of attacks cannot be prevented by software fixes because the software is functioning properly.

Several ways exist, however, to combat a flooding DOS attack. A simple solution is to install faster hardware. With this solution, one attempts to handle normal traffic in addition to the load caused by the attack; this can be effective against hackers with limited resources. Another solution is to attempt to filter out the attack packets before they reach the target software. Attackers are not always clever and may attack from the same IP address, use packets with the same contents, or use a recognizable pattern in port number choices. These features may help a target distinguish attack packets from legitimate traffic. Once a distinguishing feature has been identified, routers can be configured to drop the malicious packets. This approach often works; however, a clever attacker with many resources can circumvent any such countermeasures. Many organizations are concerned not only about being the target of a denial-of-service attack, but also about being the unwitting source (or intermediary) of such an attack. A SANS paper, located at http://www.sans.org/ddos_roadmap.htm, describes how to reduce the possibility that an organization will be used by a hacker as the source of such attacks.
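Two of the distinguishing features named above (the same source IP sending at an abnormal rate, and identical packet contents arriving from several sources) can be turned into filter rules from a connection log. This is an added example, not part of the original bulletin; the log lines are constructed, and the Cisco-style access-list format of the output is an assumption.

```python
"""Pick out flooding sources in a constructed connection log and emit drop rules."""
from collections import defaultdict

# Constructed log lines: "<epoch seconds> <source ip> <dst port> <payload>"
LOG = """\
1000 10.0.0.5 80 GET / HTTP/1.0
1000 198.51.100.7 80 AAAAAAAA
1000 198.51.100.7 80 AAAAAAAA
1001 198.51.100.7 80 AAAAAAAA
1001 198.51.100.7 80 AAAAAAAA
1001 203.0.113.9 80 AAAAAAAA
1002 203.0.113.9 80 AAAAAAAA
1002 10.0.0.6 80 GET /index.html HTTP/1.0
1003 198.51.100.7 80 AAAAAAAA
"""

def parse(log):
    events = []
    for line in log.splitlines():
        t, src, port, payload = line.split(" ", 3)
        events.append((int(t), src, int(port), payload))
    return events

def rate_offenders(events, window=2, limit=3):
    """Sources sending more than `limit` requests within any `window` seconds."""
    by_src = defaultdict(list)
    for t, src, _, _ in events:
        by_src[src].append(t)
    bad = set()
    for src, times in by_src.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] >= window:   # slide the window forward
                start += 1
            if end - start + 1 > limit:
                bad.add(src)
                break
    return bad

def payload_offenders(events, min_sources=2, min_count=4):
    """Identical payloads from several sources: the fingerprint of a shared attack tool."""
    seen = defaultdict(list)
    for _, src, _, payload in events:
        seen[payload].append(src)
    return {p: set(s) for p, s in seen.items() if len(set(s)) >= min_sources and len(s) >= min_count}

def drop_rules(log):
    """Access-list lines (format assumed) for every flagged source."""
    events = parse(log)
    srcs = rate_offenders(events).union(*payload_offenders(events).values())
    return [f"access-list 110 deny ip host {s} any" for s in sorted(srcs)]
```

Thresholds this low are only for the tiny sample; on a real link the window and limit must be tuned against normal traffic so that legitimate clients behind a shared address are not dropped.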
