Information Snooperhighway
Not too long ago, people were asking whether or not the virus threat was real, or whether it was a scare tactic dreamed up by vendors of anti-virus software. As reports of "in the wild" viruses began to hit the press, the threat was finally accepted as having a basis in fact, but it was still thought that, as long as we were careful, "it could never happen to us". But, of course, it can - and it does.

The same scepticism has, to a certain extent, been evident in the face of the Internet hacking threat. Is there really a problem? In fact, one in five respondents to a recent survey admitted that intruders had broken into, or had tried to break into, their corporate networks via the Internet during the preceding twelve months. The threat, therefore, is demonstrably real, and the network administrator is in the unenviable position of having to secure the corporate network against similar events.

It took one or two well-publicised attacks on major organisations to bring home just how vulnerable we are when we take up residence in the Global Village. In August 1996, for example, the US Department of Justice was the victim of a notorious Web site hack. In a protest against the Computer Decency Act, the perpetrator gained access to the DoJ Web server and made extensive changes to the pages there, posting some less-than-savoury replacement material. Just one month later, the CIA (of all people) became the victim of a similar attack. Our own dear Labour party had its Web site hacked not once, but twice within a few days in December 1996. The hacker even had the nerve to contact a national newspaper and warn of the second attack before it happened - and still the IT brains of the Labour party couldn't prevent it.

Web site hacks are all too common, and are sometimes not that easy to prevent. After all, in order for your Web site to be publicly available to browse, you have to locate it on a part of the network that is available to everyone, usually outside your firewall (or on a DMZ).
This means you have to rely purely on the built-in defences provided by the software vendor, and all too often these prove woefully inadequate.

Round about the time of the CIA hack, another phenomenon came to light: the Denial of Service (DoS) attack. By exploiting a weakness in the TCP/IP protocol, a hacker managed to virtually close down a major US-based Internet Service Provider (ISP) for a week - preventing access to all Web servers and e-mail. DoS attacks are even easier to perpetrate than Web site hacks or other intrusions, since it is not necessary to gain access to the target network. The aim is simply to tie up a server's resources, or clog up a WAN connection, in order to render the target device virtually inoperable.

You may read about such vulnerabilities with monotonous regularity in the computer press. Some are to do with weaknesses in the underlying protocols, like SYN flooding, whilst others are down to bugs in applications software, usually Web servers, browsers or mail programs. A bug in one browser allowed a cleverly designed Web page to gain access to the whole browsing session without the user's knowledge, details that included every URL accessed, every user name entered and every password too! There is no way a software vendor will ever manage to remove all the bugs in its software, so the best you can do is to monitor the bug alert mailing lists and apply the appropriate patches as soon as they become available.

There is nothing more alarming than to perform a security audit, run a program like SATAN (a sort of "hacker in a box", available on the Internet as freeware) against the system, and find that the program has turned up some vulnerabilities. Why? Because SATAN itself has not been updated for over five years! Yet constantly it turns up potential loopholes that have had fixes available for almost that long.
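The passage above describes the aim of a DoS attack (tying up a server's resources) and names SYN flooding as the protocol-level example. The following Python is an added example, not from the original article: it models a listening socket's half-open connection queue as a hypothetical, simplified data structure to show why unanswered SYNs exhaust it, and then runs a defender's check over a constructed connection-table listing to spot sources holding an unusual number of half-open connections. The addresses, the queue capacity, the timeout and the alert threshold are all assumptions chosen for illustration.

```python
from collections import Counter

# Constructed sample of a server's connection table in a netstat-like layout
# (state, local endpoint, remote endpoint). Made up for this example.
SAMPLE_CONNECTIONS = """\
SYN_RECV    192.0.2.10:80   203.0.113.5:40001
SYN_RECV    192.0.2.10:80   203.0.113.5:40002
SYN_RECV    192.0.2.10:80   203.0.113.5:40003
SYN_RECV    192.0.2.10:80   203.0.113.5:40004
SYN_RECV    192.0.2.10:80   203.0.113.5:40005
ESTABLISHED 192.0.2.10:80   198.51.100.7:51234
SYN_RECV    192.0.2.10:80   198.51.100.9:51300
ESTABLISHED 192.0.2.10:25   198.51.100.8:4410
"""


def parse_connections(text):
    """Parse lines of 'STATE local remote' into (state, local, remote_host)."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        state, local, remote = line.split()
        remote_host, _, _port = remote.rpartition(":")
        rows.append((state, local, remote_host))
    return rows


def half_open_by_source(rows):
    """Count half-open (SYN_RECV) connections per remote host."""
    return Counter(host for state, _, host in rows if state == "SYN_RECV")


def flag_syn_flood_sources(rows, threshold=4):
    """Sources holding at least `threshold` half-open connections.
    The threshold is illustrative; tune it to the server's normal load."""
    counts = half_open_by_source(rows)
    return sorted(host for host, n in counts.items() if n >= threshold)


class ListenBacklog:
    """Toy model (hypothetical) of a listening socket's half-open queue:
    a SYN reserves a slot until the handshake completes or the slot times out."""

    def __init__(self, capacity, timeout):
        self.capacity = capacity
        self.timeout = timeout
        self.pending = {}   # (src_host, src_port) -> time the SYN arrived
        self.refused = 0

    def _expire(self, now):
        for key, arrived in list(self.pending.items()):
            if now - arrived >= self.timeout:
                del self.pending[key]

    def syn(self, src_host, src_port, now):
        """Return True if the SYN got a slot, False if the queue was full."""
        self._expire(now)
        if len(self.pending) >= self.capacity:
            self.refused += 1
            return False
        self.pending[(src_host, src_port)] = now
        return True

    def ack(self, src_host, src_port, now):
        """Final handshake step: release the slot. False if the slot is gone."""
        self._expire(now)
        return self.pending.pop((src_host, src_port), None) is not None


def simulate_flood(capacity=8, timeout=60):
    """Fill the queue with SYNs that are never acknowledged, then check whether
    a legitimate client can connect before and after the slots time out."""
    backlog = ListenBacklog(capacity, timeout)
    for port in range(capacity):            # the flood never completes a handshake
        backlog.syn("203.0.113.5", 40000 + port, now=0)
    during = backlog.syn("198.51.100.7", 51234, now=1)           # queue full: refused
    after = backlog.syn("198.51.100.7", 51235, now=timeout + 1)  # stale slots expired
    completed = backlog.ack("198.51.100.7", 51235, now=timeout + 2)
    return during, after, completed, backlog.refused
```

The model makes the resource being tied up concrete: the queue is bounded, each half-open entry costs a slot, and the legitimate client is refused until the stale entries time out. The per-source count is the kind of check an intrusion detection system or a simple monitoring script can run against the live connection table; in practice the usual server-side mitigations are a larger backlog, shorter half-open timeouts and SYN cookies, which avoid reserving state until the handshake completes.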
Even with the warning that "you can never make anything 100 per cent secure" ringing in your ears, you still need to take all possible precautions to physically protect your network and its access points from both external and internal intruders; firewalls and intrusion detection systems are the most obvious purchases. Effective network security is not just about buying the electronic equivalent of the five-lever lock and deadbolt, however. It is important to create a corporate security policy, detailing everything that an employee is allowed (and, more important, not allowed) to do, and clearly spelling out the penalties if the policy is ignored. For instance, you might make it a disciplinary offence to attach a modem to a desktop PC and dial out to the Internet, since this would clearly open up a huge hole in the perimeter security. No matter how good your firewall is, if you allow direct dial-in access to your network you are providing the potential for a would-be hacker to drive right around it.

Once you have your policy and your physical deterrents in place, find yourself a consultancy firm which specialises in security issues and get them to give your set-up the once-over. Get them to look at it from the inside and the outside, and try to get someone who can perform a full range of penetration tests. Above all, make sure this process is carried out at regular intervals. Only by testing your security efforts thoroughly and regularly can you hope to stay one step ahead of the hackers.

Summary
Glossary

Hack - An attack on a protected or trusted network, either from inside or outside an organisation.

Firewall - A device designed to protect a trusted network from an untrusted network by filtering and discarding unwanted network packets.

DoS (Denial of Service) - A form of hacking which concentrates on tying up resources on a protected network to prevent them from operating.

Spoofing - A form of hacking where one device pretends to be another, thus fooling a trusted device into revealing information to an untrusted one.

Trojan Horse - A program that pretends to be something it is not, e.g. a fake login program that collects user names and passwords and mails them to an outsider.

DMZ (De-Militarised Zone) - A segment of the network attached to a port on a firewall which offers limited protection to devices such as Web or FTP servers. If those devices are compromised, however, the DMZ does not allow the hacker access to the protected part of the network.
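The glossary entries for Firewall, Spoofing and DMZ describe an architecture rather than a product: a filtering device with separate ports for the untrusted Internet, a DMZ holding the public Web and FTP servers, and the protected internal network, arranged so that a compromised DMZ host is not allowed into the protected part. The Python below is an added example, not from the article or any firewall vendor: it evaluates a small first-match rule list over constructed packets to show that arrangement, including an anti-spoofing check that drops packets arriving on the external interface with an internal or DMZ source address. The address ranges, interface names, rule order and port numbers are assumptions made for the example.

```python
import ipaddress

# Constructed address plan (documentation ranges, not a real site).
INTERNET = ipaddress.ip_network("0.0.0.0/0")
DMZ = ipaddress.ip_network("192.0.2.0/24")       # public Web and FTP servers
INTERNAL = ipaddress.ip_network("10.0.0.0/8")    # the protected network

# Which firewall interface each network sits behind (hypothetical names).
INSIDE_INTERFACES = {"dmz": DMZ, "int": INTERNAL}

# First-match rule list: (action, source network, destination network,
# destination port or None for any port). Anything not matched is denied.
RULES = [
    ("allow", INTERNET, DMZ, 80),        # anyone may reach the Web server
    ("allow", INTERNET, DMZ, 21),        # anyone may reach the FTP server
    ("allow", INTERNAL, DMZ, None),      # staff may administer DMZ hosts
    ("deny",  DMZ, INTERNAL, None),      # a compromised DMZ host gets nothing inside
    ("allow", INTERNAL, INTERNET, None), # staff may browse out
]
DEFAULT_ACTION = "deny"


def is_spoofed(interface, src):
    """Anti-spoofing check: an address belonging to a network behind the
    firewall must not arrive on the external interface, and each inside
    interface may only carry its own network's addresses as source."""
    addr = ipaddress.ip_address(src)
    if interface == "ext":
        return addr in DMZ or addr in INTERNAL
    return addr not in INSIDE_INTERFACES[interface]


def decide(interface, src, dst, dport):
    """Return 'drop-spoofed', 'allow' or 'deny' for one packet."""
    if is_spoofed(interface, src):
        return "drop-spoofed"
    s = ipaddress.ip_address(src)
    d = ipaddress.ip_address(dst)
    for action, src_net, dst_net, port in RULES:
        if s in src_net and d in dst_net and (port is None or port == dport):
            return action
    return DEFAULT_ACTION


def evaluate_samples():
    """Run a set of constructed packets through the policy (interface, src, dst, port)."""
    packets = [
        ("ext", "203.0.113.5", "192.0.2.10", 80),   # Internet -> DMZ Web server
        ("ext", "203.0.113.5", "192.0.2.10", 23),   # Internet -> DMZ telnet
        ("ext", "203.0.113.5", "10.0.0.5", 80),     # Internet -> internal host
        ("dmz", "192.0.2.10", "10.0.0.5", 445),     # compromised DMZ host -> inside
        ("int", "10.0.0.5", "192.0.2.10", 22),      # admin -> DMZ host
        ("int", "10.0.0.5", "203.0.113.5", 443),    # staff browsing out
        ("ext", "10.0.0.5", "192.0.2.10", 80),      # internal address from outside
    ]
    return [(p, decide(*p)) for p in packets]
```

Rule order is what makes the DMZ entry's promise hold: the explicit deny from the DMZ to the internal network sits before any broader allow, and the default at the end of the list is deny, so a new service on a DMZ host never becomes reachable from inside by accident. The spoofing check is the counterpart to the glossary's Spoofing entry; without it, a packet claiming an internal source address would match the rules meant for staff.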