Enterprise Security: The Manager's Defense Guide [1 ed.] 020171972X, 9780201719727

Citation preview

Preface: A Call to Arms First cam e Melissa, t hen Explore.Zip and t hen t he Love Bug. Their nam es were provocat ive, fun, and cut e. Next cam e Code Red, Nim da, and, m ore recent ly, Reeezak—t he t riple e's are no t ypo. Their nam es, in cont rast , are sinist er, apocalypt ic, and foreboding. So what 's in a nam e? I n March 1999, Melissa m arked t he beginning of t he world's reckoning wit h a new t ype of I nt ernet virus—a com put er worm . A com put er worm , a special t ype of virus, is designed t o copy it self from one com put er t o anot her by leveraging e- m ail, TCP/ I P, ( Transm ission Cont rol Prot ocol/ I nt ernet Prot ocol) , and relat ed applicat ions. Unlike norm al com put er viruses, which spread m any copies of t hem selves on a single com put er, com put er worm s infect as m any m achines as possible. By all account s, com put er worm s are nast y crit t ers t hat have wreaked considerable dam age and wast ed billions of dollars in com put er worker hours. The Love Bug, Code Red, and Nim da cost t he I nt ernet com m unit y m ore t han $11 billion in product ivit y and wast ed I T st aff t im e for cleanup. The Love Bug alone cost t he global I nt ernet com m unit y close t o $8 billion and event ually infect ed approxim at ely 45 m illion e- m ail users in May 2000. I n July 2001, Code Red cost t he I nt ernet com m unit y $2.6 billion; in Sept em ber 2001, Nim da caused $531 m illion in dam age and cleanup. I n January 2002, yet anot her com put er worm , wit h t he som ewhat om inous- sounding nam e Reeezak, unleashed it self on t he I nt ernet com m unit y. Reeezak, like ot her worm s, appears in e- m ail wit h an innocent - sounding subj ect : in t his case, " Happy New Year." The m essage of t he e- m ail—" Hi...I can't describe m y feelings, but all I 6 Bye." —com es wit h an at t achm ent , called can say is Happy New Year Christ m as.exe, which when double clicked sends it self t o all addresses list ed in t he user's address book and at t em pt s t o delet e all t he files in t he Windows direct ory and ant ivirus program s. The worm also disables som e keys on t he keyboard and propagat es it self by using Microsoft 's com pat ible version of I RC ( I nt ernet Relay Chat ) program . Reeezak, like ot her worm s, affect s only users of Microsoft 's Out look or Out look Express e- m ail client s. I f t he proliferat ion of e- m ail worm s were not insidious enough, t he I nt ernet com m unit y also experienced t he effect s of anot her class of at t acks in February 2000, j ust a few m ont hs before t he Love Bug. The now infam ous and shocking dist ribut ed denial- of- service at t acks on several of t he largest and m ost popular e- business sit es—Am azon, Yahoo, eBay, and E- Trade—were not only brazen, m aking t he headlines of m any m aj or m et ropolit an newspapers, but also a wake- up call t o t he high- flying e- com m erce world. The cum ulat ive effect s of successfully orchest rat ed at t acks are t aking t heir t oll on t he I nt ernet econom y. At a m inim um , users are frust rat ed and t heir confidence shaken. Also, a cloud is raining on t he parade m arching wit h fanfare t oward ebusiness horizons. At t acks can be pot ent ially devast at ing, especially from a financial st andpoint . I n t he case of E- Trade, livelihoods were affect ed on bot h sides of t he virt ual supply chain, t he new business m odel t hat is enabling online businesses t o reinvent t hem selves t o capit alize on dynam ic e- business m arket places.

St ock t raders who subscribe t o t he e- com m erce service lost t he abilit y t o queue up t heir orders, beginning at 7 am , so t hat t he t rades could be t riggered at t he st art of t he opening bell at 9: 30 am . I n addit ion t o being livid because legit im at e orders were being denied by bogus act ivit y flooding t he sit e, t he st ock t raders lost crit ical financial advant age for cert ain securit y t enders. The owners of t he breached ebusiness sit es were em barrassed, t o say t he least . They also inherit ed a pot ent ially explosive problem t hat raises t he quest ion of securit y im m ediat ely and t he viabilit y of e- com m erce as a long- t erm business ent erprise. More im port ant , t hough, cust om ers who lose confidence in t heir abilit y t o conduct business safely and expedient ly at t hese sit es will go elsewhere. Lost cust om ers are unm ist akably t he deat h knell for I nt ernet ent erprises. The discussion could go on and on wit h exam ples, but you get t he m essage. Operat ing in t he I nt ernet econom y is risky indeed! So what can be done about it ? That is t he purpose of t his book. Ent erprise Securit y: The Manager's Defense Guide is a com prehensive guide for handling risks and securit y t hreat s t o your int ernal net work as you pursue e- business opport unit ies. Net work securit y, which fact ors in open access t o t he ent erprise's inform at ion asset s, is e- business securit y. Open access allows online t ransact ions t o incorporat e crit ical inform at ion for cust om ers, suppliers, and part ners no m at t er who t hey are or where t hey are. E- business securit y is an ext ension of t he securit y provided by firewalls and virt ual privat e net works ( VPNs) , int egrat ed wit h risk m anagem ent , vulnerabilit y assessm ent , int rusion det ect ion, cont ent m anagem ent , and at t ack prevent ion. I n int ranet s and ext ranet s and servers in t he dem ilit arized zone ( DMZ) , firewalls prot ect t he inform at ion asset s behind t heir walls. When inform at ion is in t ransit via t he I nt ernet , firewalls hand off prot ect ion of t ransact ions t o VPNs. But when inform at ion asset s are residing behind t he perim et er of firewalls or are not in t ransit , how do you prot ect t hem ? That 's t he dom ain of e- securit y. E- securit y solut ions fact or in scanning t echnologies t o act ively police operat ing syst em s, applicat ions, and net work devices for vulnerabilit ies in t he infrast ruct ure needed t o process, m aint ain, and st ore t he ent erprise's inform at ion asset s. I n ot her words, e- securit y solut ions ident ify pot ent ial t hreat s, or securit y event s, such as denial- of- service and/ or viruses. E- securit y also provides real- t im e scanning t o det ect in- progress port scans or int ruders looking for an unsecured window or door t o gain illegal access int o your net work. Aft er det ect ion, e- securit y solut ions facilit at e correct ive or prevent ive act ion before t he at t ack can be launched, wit hout disrupt ion t o t he net work. E- securit y also provides a fram ework for surviving an at t ack in progress. This book also provides a det ailed concept ual review of t he m ost popular det ect ion, assessm ent , hardening t echniques, and real- t im e securit y syst em s t hat can be int egrat ed t o provide life- cycle securit y solut ions. I n sum m ary, t his book discusses a syst em at ic process of prot ect ing net work inform at ion asset s by elim inat ing and m anaging securit y t hreat s and risks while doing business in t he free societ y of t he I nt ernet .

Why This Book I t goes wit hout saying t hat net works are com plex syst em s and t hat providing t he opt im um level of net work securit y has been part icularly challenging t o t he I T com m unit y since t he first personal com put ers ( PCs) were at t ached t o net work cabling decades ago. Today, providing net work securit y could be overwhelm ing! For a business, t he prospect of going online is so com pelling prim arily because of t he pervasiveness of t he I nt ernet and t he prom ised payoff of exponent ial ret urns. The t echnologies of t he I nt ernet are also a significant drawing card t o t he business com m unit y. The abilit y t o present your inform at ion asset s in m ult im edia views is difficult t o forgo. Suddenly, it seem s t hat 3- D graphical views, graphics, anim at ion, video and audio funct ionalit y, and low- cost com m unicat ion are t he preferred m et hods of building brand loyalt y from consum ers or preferred vendor st at us wit h cust om ers. These t echnologies also provide part ners and suppliers wit h a st rat egic advant age if t hey are connect ed direct ly t o crit ical inform at ion asset s required for com pet it iveness and m eet ing business obj ect ives. The t echnologies of t he I nt ernet also m ake it easy t o collaborat e t hrough e- m ail m essaging and workflow processes and t o t ransfer huge am ount s of inform at ion cost - effect ively. As easily as t hese t echnologies are em braced, however, t hey are also crit icized because of t heir inherent securit y problem s. TCP/ I P is a com m unicat ions m arvel but inherent ly insecure. When t he prot ocol was a design spec, t he creat ors had no com pelling reason t o build in basic encrypt ion schem es in t he free- spirit ed operat ing clim at e of t he com put ing world when TCP/ I P was conceived in 1967. Basic securit y could have possibly been built in at t hat t im e, set t ing t he st age for ot her syst em s t o be secure when spawned by t he I nt ernet decades lat er. Microsoft 's t ools and applicat ion syst em s, such as Visual Basic, Out look, Windows NT, and various office suit es, are forever being slam m ed by disappoint ed users for t he com pany's apparent decisions t o t rade off securit y in order t o be t he first t o m arket . Even PPTP ( Point - t oPoint Tunneling Prot ocol) , Microsoft 's securit y prot ocol for dial- up VPN t unneling, was also fraught wit h securit y problem s in t he beginning. Even Sun Microsyst em s's Java, a secure program m ing language for creat ing spect acular e- business applicat ions, is not wit hout it s problem s. And depending on securit y policy, m any ent erprises t urn applet s off in user browsers t o prevent m alicious code t hat m ay be att ached t o t he applet s from finding it s way int o syst em s when init ially downloaded. Therefore, because of t he inherent insecurit ies of Webenabled t echnologies, t he com plexit y of t he funct ional aspect s of net works, m ult iple operat ional layers, and, m ore im port ant , t he skill of hackers, e- securit y m ust be inherent ly com prehensive. Consequent ly, t his book reveals how securit y m ust be im plem ent ed and adm inist ered on m ult iple levels for effect ive net work securit y. This book syst em at ically reviews t he processes required t o secure your syst em plat form , applicat ions, operat ing environm ent , processes, and com m unicat ion links. Effect ive e- securit y m ust also address t he t ools used t o develop your inform at ion asset s, consist ing of applicat ions, program s, dat a, rem ot e procedures, and obj ect calls t hat are int egrat ed t o present your int ellect ual capit al t hrough t he dynam ic m ult im edia world—virt ual supply chain—of t he global I nt ernet econom y.

About This Book Ent erprise Securit y: The Manager's Defense Guide is a com prehensive descript ion of t he effect ive process of e- securit y, t he hum an t hreat , and what t o do about it . I n int ranet s and ext ranet s, inform at ion asset s are defended on t he perim et er of t he ent erprise net work by firewalls. I nform at ion t hat t raverses t he I nt ernet is prot ect ed by VPNs and secure socket layers provided by browser- based encrypt ion. But when inform at ion is eit her residing behind t he perim et er, perhaps dorm ant or not in t ransit , how is it prot ect ed? This is where e- securit y com es in. The subj ect m at t er of t his book is present ed in four part s. A descript ion of each part follows. Part I , The Forging of a New Econom y, discusses t he hypergrowt h opport unit y t he world refers t o as e- business. Chapt ers 1–3 m ake t he case for e- securit y and why it 's a closely connect ed enabler of e- business, t he new econom y. Part I also t akes you int o t he world of t he hacker, a surprisingly well- organized one. The seriousness of t he hacker problem is highlight ed, along wit h a review of how hackers m ay singlehandedly j eopardize t he fut ure of e- business as a viable indust ry. I n order for ebusiness t o achieve it s expect ed supergrowt h proj ect ions over t he next several years, an arm s race will ensue, wit h no definit e end in sight . Part I I , Prot ect ing I nform at ion Asset s in an Open Societ y, discusses t he t rium phs of firewalls, cont rolled net work access, and VPNs. Chapt ers 4 and 5 also discuss t he glaring short com ings of t hese securit y syst em s as perim et er and in- t ransit defenses and point t o t he need for m ore effect ive solut ions. I n addit ion, Part I I enum erat es and discusses t he specific securit y problem s t hat arise if I T m angers rely on perim et er defenses and cont rolled access alone t o prot ect t heir ent erprise net works. Part I I also int roduces an overview of com plem ent ary m et hodologies, such as int rusion det ect ion, vulnerabilit y assessm ent , and cont ent m anagem ent . When used t oget her wit h perim et er defenses, t hese m et hodologies will provide Web- based ent erprise net works wit h t ot al securit y, or as m uch as is pract ical in t he world t oday. Aft er com plet ing Part I I , you should have a great er appreciat ion of a syst em of securit y m easures t hat , when put in place, will effect ively t hwart hackers, including t he m alicious ones, or crackers. Part I I I , Waging War for Cont rol of Cyberspace, com prises a m aj or port ion of t he book. I n Chapt ers 6 t hrough 11, you are exposed t o how hackers and crackers wage war in cyberspace against hopeful denizens of t he new econom y. Specific weapons— soft ware t ools—are covered, including t he dist ribut ed denial- of- service ( DDoS) t ools t hat brought down E- Trade and effect ively disrupt ed service in Am azon.com and eBay. Part I I I also present s e- securit y solut ions, which I T m anagers can deploy for effect ively handling t he clandest ine t act ics of t he wily hacker. Aft er reading t hese chapt ers, you should have a pract ical knowledge of e- securit y solut ions designed for prot ect ing ent erprise net works in t he new econom y. Part I V, Act ive Defense Mechanism s and Risk Managem ent , concludes t he book. Chapt ers 12 and 13 discuss specific processes involved in im plem ent ing and using t ools and m et hodologies t hat provide securit y for net work infrast ruct ures and relat ed applicat ions for e- business. The e- securit y com ponent s of vulnerabilit y and risk m anagem ent , along wit h vulnerabilit y assessm ent and risk assessm ent and t heir

int errelat ionships, are covered in full and are carefully posit ioned as a t ot al solut ion for deploying securit y effect ively. An ext ensive set of guidelines is provided such t hat bot h t he I T and t he nont echnical professional can follow. Following t hese guidelines t o im plem ent t he t ot al e- securit y solut ion will result in fully prot ect ing t he ent erprise's net work against hacker incursions. Four appendixes provide im port ant det ails for facilit at ing t he overall e- securit y process. A glossary and a bibliography are also provided.

Intended Audience This book is int ended for sm all, m edium , and m ult inat ional corporat ions; federal, st at e, and local governm ent s; and associat ions and inst it ut ions t hat are in t rigued wit h t he pot ent ial of t he I nt ernet for business opport unit y and providing services. Organizat ions have various reasons t o be int erest ed in conduct ing com m erce over t he I nt ernet : Com pet it iveness is one, and im provem ent of services is anot her. But t he ult im at e m ot ivat ion for t his m om ent um appears t o be t he m onet ary rewards associat ed wit h effect ively harnessing online supply chains for t he world's I nt ernet com m unit y. I n response t o such am bit ions, organizat ions are wrest ling wit h t he challenge of connect ing business part ners, cust om ers, suppliers, rem ot e field locat ions, branch offices, m obile em ployees, and consum ers direct ly online t o t he ent erprise net work. Organizat ions are also wrest ling wit h t he risks of allowing open access t o inform at ion asset s. The e- business com m unit y requires com prehensive but easy- t o- m anage securit y solut ions t o handle securit y risks t o t he ent erprise net work. I f t hese problem s aren't effect ively addressed, t he out com e could be devast at ing t o t he long- t erm viabilit y of e- com m erce. This book provides a det ailed review of e- securit y, a process of prot ect ing online inform at ion asset s in t he virt ual supply chain provided by ent erprises over t he I nt ernet . E- securit y incorporat es st at e- of- t he- art I T- based securit y product s, m et hodologies, and procedures for delivering rapid ret urn on invest m ent ( ROI ) , unint errupt ed net work availabilit y, proact ive st rat egies, barriers t o m alicious int ent , and confidence in t he overall int egrit y of t he e- business product s and services. The following t ypes of readers can benefit m ost from t his book. •

Chief inform at ion officers ( CI Os) have decision- m aking aut horit y and responsibilit y for overall inform at ion t echnology infrast ruct ure and policy for t he ent ire ent erprise. Providing secure com m unicat ions and prot ect ing inform at ion asset s wit hout disrupt ion t o t he business process are exam ples of t ypical challenges faced by CI Os. I n t heory, when an organizat ion is involved in an e- business vent ure, execut ive I T m anagem ent already underst ands t he im port ance of ent erprise net work securit y. Chapt er 4 should be of part icular int erest if only firewalls and/ or VPNs are in use t o prot ect t he net work. Chapt er 4 discusses t he short com ings of perim et er defenses and point s t o t he need for st ronger securit y m easures. Chapt er 5 reviews specific securit y breaches and an overview of e- securit y's funct ional fram ework. Chapt er 8 and Chapt ers 10 and 11 expand on t he e- securit y fram ework present ed in Chapt er 5, providing an overview of t he funct ional com ponent s of e- securit y. CI Os should also find Chapt ers 12 and 13 equally im port ant .

•

•

•

Ot her execut ives/ depart m ent m anagers m ay be charged wit h providing and m aint aining t he inform at ion asset s t hat drive t he virt ual supply chain of t he ebusiness apparat us. Therefore, Chapt ers 1–3, which define e- business and esecurit y and describe t he m alicious opponent s of e- business will be of part icular int erest . Chapt er 1 reit erat es t he excit ing business pot ent ial of ecom m erce. Chapt er 3 discusses t he pot ent ial barriers t hat hackers pose t o t he prosperit y of e- business. Chapt er 3 is also a chilling rem inder t hat if net works aren't secure, e- business will never reach it s full pot ent ial. Chapt ers 12 and 13 are also a m ust - read for execut ive m anagers. MI S/ I T m anagers, Web m ast ers and securit y professionals, t he m ain audience for t his book, t ypically have direct , or m anaging, responsibilit y for net work securit y and m ay also have t he unenviable t ask of t ranslat ing t he business requirem ent s int o net work securit y solut ions, evaluat ing t he im pact of t he new solut ion on t he infrast ruct ure, and im plem ent ing and m anaging t he securit y expansion and process. These t opics are t he subj ect of t he ent ire book. Syst em analyst s/ proj ect m anagers t oo should find t he ent ire book of int erest . Chapt ers 8–11 will be of special int erest .

Acknowledgments •

• •

• •

•

• •

•

•

I would like t o acknowledge m y edit or, Mary T. O'Brien, and assist ant edit or, Alicia Carey, for t heir pat ience and professionalism . I would like t o t hank reviewers Anne Thom as Manes, Joshua Sim on, Sherry Com es, and Scot t C. Kennedy for t heir crit ical, in- dept h, and t hought provoking com m ent s, suggest ions, and insight . I would like t o t hank St anlyn, m y loving wife and soul m at e, for her long hours dedicat ed t o edit ing t he book and her gent le encouragem ent . I would like t o acknowledge m y role m odels, m y t hree older brot hers—Jam es, Christ opher, and Michael—for always st riving t o be t heir best and part of a great er spirit ual whole. I would like t o acknowledge m y younger siblings—Ronald, Dwayne, and Deborah—for t heir fait h in a big brot her. I would like t o t hank Doris L. Reynolds, t he grandm ot her of m y children and m y surrogat e m ot her, for always being t here. I would like t o t hank m y cousins, Usher A. Moses and Sandranet t e Moses and fam ily, for helping m e t o rem em ber m y root s, t he im port ance of fam ily, and t he inspirat ion from dream ing t oget her as a fam ily. I would like t o acknowledge m y t hree best friends—St even R. Brown, Lut her Bet hea, and John L. King—for helping m e keep it real and t o appreciat e what 's fun in life since our childhood. I would like t o acknowledge Jackie Jones for being t he godm ot her of m y t wo children, m y wife's best friend, and m y professional colleague. I would like t o acknowledge m y lifelong friends, Mark and Vera Johnson for being an inspirat ion, our confidant s, and professional colleagues.

Part I: The Forging of a New Economy I t is int erest ing t o speculat e on what hist orians will say about t his revolut ionary era of business. Will t hey say t hat we were visionary, opport unist ic, and prudent businesspersons pioneering t he world t o t he efficacy of a new business econom y? Or will hist orians look back on t his t im e t hrough j aundiced eyes because t he world was driven t oward t he use of a not oriously insecure global m edium in t he I nt ernet by short - sight ed, greedy, and self- serving ent it ies? Or, were we influenced by individuals who cared lit t le for t he long- t erm viabilit y of t he world's int ernat ional business com m unit y, event ually set t ing t he st age for t he global apocalypse t hat t he business world succum bed t o during a dark era in t he fut ure? Only t im e will t ell. Nevert heless, we are wit nesses t o a business revolut ion t hat rivals t he I ndust rial Revolut ion of an earlier cent ury. I n Part I —Chapt ers 1 t hrough 3—t he phenom enon called e- business is discussed in det ail. Chapt er 1 t akes an in- dept h look at t he e- business revolut ion and it s t rem endous lure t o m odern- day business ent repreneurs. I n Chapt er 2, e- securit y is defined, and it s inext ricable connect ion as an e- business enabler is carefully laid out . Chapt er 3 explores t he clandest ine world of t he hacker and looks at t he polit ical forces m obilizing t o t hwart t he progress of hackers. An arm s race is under way for t he global I nt ernet econom y.

Chapter 1. What Is E-Business? I n t his chapt er, t he e- business phenom enon is defined, or perhaps bet t er st at ed, it s ut opian allure qualified. Why are so m any businesspersons, ent repreneurs, and invest ors being seduced, given t hat t he I nt ernet is insecure? More im port ant , what are t he im plicat ions for securit y when an ent erprise's inform at ion m achine is connect ed t o t he I nt ernet ? Furt her, how does one cross t he digit al chasm from t he physical world t o a virt ual one in order t o do e- business? Finally, t he significance of virt ual supply chains is discussed, along wit h t he effect s of crit ical e- business drivers. The chapt er concludes by set t ing t he st age for e- securit y, t he crit ical success fact or in pursuing e- business opport unit ies.

The E-Business Sweepstakes Elect ronic business, or e- business, is t he phenom enon t hat is sim ult aneously legit im izing t he I nt ernet as a m ainst ream com m unicat ions m edium and revolut ionizing a new com m ercial business realit y. The growt h pot ent ial for creat ively conceived and well- m anaged e- business vent ures is unparalleled in t he hist ory of indust ry. Elect ronic ret ail ( e- t ail) , also known as business- t o- consum er ( B2C) , sales were est im at ed t o be m ore t han $12 billion in 1999, wit h $5.3 billion in t he fourt h quart er alone, according t o official Census Bureau est im at es. I n a Sept em ber 1999 st udy by Prudent ial Securit ies, analyst s predict ed t hat hypergrowt h for e- t ail sales would cont inue int o t he t went y- first cent ury, beginning wit h 130 percent growt h and leveling off t o about 45 percent by 2004. This equat es t o a com pound average growt h rat e ( CAGR) of approxim at ely 69 percent . Prudent ial Securit ies research also suggest s t hat annual e- t ail sales should reach $157 billion by 2004. Forrest er Research predict ions are even m ore opt im ist ic. Forrest er est im at es t hat sales result ing from purchases of goods and services t hrough online st ores will nearly double each year t hrough 2004. I n ot her words, online consum er sales are expect ed t o reach $184 billion in 2004. Speaking of hypergrowt h, business- t o- business ( B2B) e- com m erce, whereby businesses sell direct ly t o one anot her via t he I nt ernet , was five t im es as large as business- t o- consum er e- com m erce, or $43 billion in March of 1998, according t o a report in Business Week. Forrest er Research predict s t hat B2B will m ushroom t o $2.7 t rillion by 2004. That 's nearly 15 t im es t he size of t he consum er e- com m erce m arket proj ect ion! I n com parison, Gart ner Group's predict ions are off t he chart . The consult ing firm expect s B2B e- com m erce t o be alm ost t hree t im es t he Forrest er prognost icat ion or $7.4 t rillion. Following are som e ot her int erest ing t rends t hat are fueling t he I nt ernet m igrat ion. •

•

Of t he 100 m illion people connect ed t o t he I nt ernet , m ost had never heard of it four years earlier. According t o an April, 1998, federal governm ent report , " The Em erging Digit al Econom y," t he I nt ernet 's rat e of adopt ion out paces all ot her t echnologies t hat preceded it . For exam ple, radio was in exist ence for 38 years before 50 m illion people owned one. Sim ilarly, t elevision was around for 13 years before 50 m illion people were able t o wat ch Am erican Bandst and. And, aft er t he first

•

•

PCs em barked on t he m ainst ream , 16 years were needed t o reach t hat t hreshold. Four years aft er t he I nt ernet becam e t ruly open t o t he public—t he Nat ional Science Foundat ion released rest rict ions barring com m ercial use of t he I nt ernet in 1991—50 m illion individuals were online by 1997. At t his rat e, especially wit h 52,000 Am ericans logging ont o t he I nt ernet for t he first t im e every day, expert s believe t hat 1 billion people will be online worldwide by 2005. I n spit e of t he dot - com flam eout , com panies are st ill looking t o st ream line operat ions by harnessing t he Web, according t o a June 20, 2001 report in t he Washingt on Post .

So at t his j unct ure, t he quest ion is not whet her you should go online but when and t o what ext ent .

Caesars of E-Business: An Embattled Business Culture Like t he celebrat ed em perors who ruled t he Rom an Em pire, t he new Caesars of ebusiness are forging business em pires t hrough new, virt ual business channels and as a result are becom ing a force at t he t op of t he business world. Loosely defined, an em pire is an econom ic, social, or polit ical dom ain t hat is cont rolled by a single ent it y. Am azon.com , Aut o- by- Tel, Beyond.com , Barnes and Noble, CDNow, eBay, and ETrade are am ong t he new I nt ernet Caesars t hat appear t o be conquering t his new cyberbusiness world by building an em pire in t heir respect ive online product or service cat egories. Am azon.com becam e t he first online bookst ore when it hung up it s virt ual shingle in 1995. I n 1996, it s first year of operat ion, it recorded sales of $16 m illion. A year lat er, sales had grown nearly t enfold, reaching $148 m illion. I t is est im at ed t hat Am azon will realize $2.8 billion in sales in all product cat egories—books, CDs, m ovies, and so on—in 2003! Am azon's lit eral overnight success becam e t oo com pelling t o pass up. Barnes and Noble, a bricks- and- m ort ar est ablishm ent , set up it s own online shop t o com pet e in t he seem ingly fast - growing book m arket in 1997. Online book sales are expect ed t o reach $3 billion by 2003. Most indust ry analyst s are ready t o concede t he online book em pire t o Am azon and Barnes and Noble. Through Am azon alone, it s 11 m illion cust om ers can select from m ore t han 10 m illion t it les, consist ing of 1.5 m illion in- print books in t he Unit ed St at es and 9 m illion hard- t o- find and out - of- print books. On ot her online product ret ail front s, Beyond.com is building it s business em pire in t he online soft ware sales cat egory, wit h m ore t han 48,000 soft ware applicat ion product t it les. Sim ilarly, CDNow offers m ore t han 325,000 CD t it les t o it s online cust om ers, and eBay has locked up t he online auct ion front for t rading personal it em s of wealt h. Am azon.com and eBay are well on t heir way t o building business em pires, perhaps reaching t hat covet ed m ilest one of cat egory killers for book sales and auct ion t rading, respect ively ( see Table 1- 1) .

Feeling t he effect s of Barnes and Noble's act ions, Am azon responded wit h incisive m oves int o ot her areas. I n June 1998, Am azon.com opened it s m usic st ore, going head t o head wit h CDNow. This m ove was followed by a rollout of virt ual t oy and video st ores, posit ioning Am azon.com for direct com pet it ion wit h eToys and Reel.com , respect ively. Am azon didn't st op here. I t also set up shop in t he online greet ing cards, consum er elect ronics, and auct ion areas. Wit hin 90 days of launching it s m usic st ore, Am azon becam e t he prem ier online m usic ret ailer; wit hin 6 weeks of launch, t he prem ier online video ret ailer. Not t o be out gunned, CDNow reciprocat ed by opening online m ovie and book businesses. Ot her online ret ailers began following t his st rat egy.

Ta ble 1 - 1 . Com pe t it or s in t h e Onlin e M a r k e t Se gm e n t s ( Pr odu ct Ca t e gor ie s) Pot ent ial Cat egory Killers Product Cat egory ( Market )

Original E- Tailer

E- Tailer Crossover

Tradit ional Ret ailer

Books

Am azon.com

Buy.com

Barnes and Noble ( Bn.com )

Music ( CDs, et c.)

CDNow

Am azon.com

Tower Records

Videos

Reel.com

Am azon.com

Blockbust er Videos

PC hardware

Buy.com

Egghead

Com pUSA, Dell, Gat eway, Com paq

Toys

eToys

Am azon.com

Toys- R- Us, WalMart , KayBee

Soft ware

Beyond.com

Am azon.com Bn.com

Com pUSA, Egghead

Aut os

Aut obyt el.com , Cars.com , Aut oweb.com

N/ A

Harley- Davidson

Consum er elect ronics

800.com

Am azon.com

Best Buy, Circuit Cit y

No sooner t han t he online giant s begin m oving in on one anot her's t urf, t he t radit ional ret ailers begin t o exert t heir physical m uscle in t he virt ual world of com pelling shopping m alls and online st ores. Blockbust er set up a Web sit e t o sell m ovies. Toys- R- Us raised no eyebrows when it decided t o go online t o challenge

eToys in t he online t oy cat egory. Tower Records m oved int o CDNow's and Am azon's t errit ory t o challenge in t he m usic arenas. The incursions of t he online ret ailers and t he invasions of t he t radit ional ret ailers m ake for a crowded virt ual m arket place, indeed.

The Lure Of Overnight Successes While t he m ega- e- t ailers were j ost ling for cont rol of t heir respect ive online em pires, roughly 30,000 e- t ailers sprang up like Christ m as light s t o ply t heir wares t hrough t he Web. The overnight success of Am azon, Barnes and Noble, Dell Com put ers, Aut o- By- Tel, and ot her I nt ernet ret ailers was an int oxicat ing lure t o opport unist ic I nt ernet ent repreneurs looking t o capt ure t hat m agic form ula. Unfort unat ely, dot com s failed by t he t housands. I n fact , in t he fourt h quart er of 2000, indust ry analyst s predict ed t hat m ore t han 80 percent of e- t ailers, or 25,000 com panies, would not succeed in t he cut t hroat online ret ail business. Those t hat were absorbed by bigger concerns were fort unat e, t o say t he least . However, t he debacle of t he dot com businesses and ot her adverse m arket forces im pact ed high- t ech st ocks in general, causing st ocks in ot her high- t ech areas, such as Microsoft and Cisco, t o sust ain a decline in m arket value. The five- year period ending Decem ber 2001 saw I nt ernet giant s com plet ing t heir init ial public offerings ( I PO) and ent repreneurs, m anagem ent , vent ure capit alist s, and ot her invest ors who were holding st ock opt ions becom e overnight m illionaires, even billionaires! Am azon com plet ed it s I PO on May 15, 1997, aft er opening it s virt ual doors in July 1995. The st ock price reached $113 a share in Decem ber 1999! A year lat er, t he st ock was t rading at approxim at ely $20 a share; by Decem ber 2001, $10 a share! This is t ruly phenom enal, given t he fact t hat Am azon has been in operat ion for only six years. Even m ore am azing, as t he dot - com shakeout cont inues, forecast ers are expect ing solid growt h in all online product cat egories. The failings of t he dot - com s and t he debacle of high- t ech st ocks were inevit able, if not expect ed. Som e indust ry analyst s point out t hat t he recent adversit y is a nat ural correct ion of a m arket place, which is ret urning t o equilibrium . The overvalued capit alizat ion, inflat ed st ock prices, and exponent ial ret urns from t he I PO have sim ply run t heir course. Oddly enough, invest ors quickly underst ood t hat t o play in t he online ret ail gam e, an infusion of capit al would be needed t o develop online business m odels successfully. I n general, virt ual supply chains represent online infrast ruct ure and relat ed processes t hat harness t he at t ribut es of t he I nt ernet for t he purpose of delivering goods and services, em ulat ing physical supply chain infrast ruct ure and processes of t radit ional ret ail wit h soft ware applicat ion processes and net work infrast ruct ures for online ret ail. The challenge for online ret ailers is t o craft an aut om at ed business syst em t hat will garner success online. I nvest ors, bet t ing t hat several years of heavy capit alizat ion will ult im at ely achieve accept able ret urns in t he foreseeable fut ure, are t herefore willing t o live wit h subst ant ially undervalued st ock prices in t he near t erm for riches in t he fut ure. Besides, invest ors who held ont o t heir shares since t he I PO have m ade and lost a t on of m oney. Wit hout doubt , t he m yst ique and t he at t ract ion of t he I nt ernet as a viable business channel have been glorified and subst ant iat ed by t he innovat ive pioneering of t he super- e- t ailers, t he Caesars of t he I nt ernet econom y. But as m ent ioned, business- t obusiness e- com m erce is expect ed t o be 10 t o 15 t im es larger t han t he ret ail online

business. Moreover, com panies collaborat e over t he I nt ernet for purposes ot her t han direct selling, such as t o exchange inform at ion wit h em ployees or st rat egic business part ners. Thus, com panies int eract ing online t o provide product s and services direct ly or t o gain st rat egic and/ or com pet it ive advant age realize t he fullest , perhaps t he m ost pract ical, int ent of t he I nt ernet . How t his will be achieved from com pany t o com pany will vary significant ly.

Crossing the Digital Chasm No m at t er what e- business m odel you choose—B2C, B2B, an int ranet for int ernal use, or an ext ranet for st rat egic ext ernal ent it ies, such as business part ners—you m ust fashion t he requisit e com put er applicat ion( s) in order t o pursue e- business opport unit ies successfully. To qualify as an e- business applicat ion, it m ust allow access t o t he int ellect ual capit al, or inform at ion asset s, of t he ent erprise while operat ing safely on t he I nt ernet . I n general, e- business applicat ion developm ent depends on four crit ical fact ors: where inform at ion asset s reside, how t hey are processed, who m anages t he applicat ion, who is beneficiary; in short , t he dat abase, applicat ions, I T/ operat ing st aff and t he end user ( see Figure 1- 1) . Crit ical e- business drivers include st ream lining physical operat ing processes, reducing operat ing cost s, delivering j ust - in- t im e inform at ion, and increasing services t o cust om ers ( see Figure 1- 2) .

Figu r e 1 - 1 . Cr it ica l fa ct or s for e - bu sin e ss de ve lopm e n t

Figu r e 1 - 2 . I m por t a n t e - bu sin e ss dr ive r s

No m at t er how you slice it , t he developm ent of e- business applicat ions is not a walk in t he park. I nt ernet - enabling t echnologies facilit at e t he achievem ent of t his end and even m ake it fashionable. However, det erm ining which of t he vast am ount s of inform at ion capit al you deploy for a given e- business applicat ion m ay be a st raight forward process or as com plicat ed as ent erprise applicat ion int egrat ion ( EAI ) . EAI is a process t hat ident ifies and int egrat es ent erprise com put er applicat ions or dat abases, t ypically in dissim ilar form at s, int o a derivat ive, or new, com put er applicat ion using m iddleware m odels and relat ed t echnologies such t hat t he result ing applicat ion is accessible t hrough a graphical user int erface ( GUI ) . The crit ical first st ep in e- business applicat ion developm ent is deciding what business act ivit y would be m ore effect ive as an e- business applicat ion. I n it s sim plest form , ebusiness involves incorporat ing t he I nt ernet or it s t echnologies t o support a basic business process. For exam ple, your order ent ry syst em , connect ed direct ly t o t he invent ory dat abase, is t ypically accessed from t he field by sales reps calling t heir product availabilit y inquiries in t o an order ent ry adm inist rat or. The sales reps call in t hrough a st at ic GUI program or by e- m ail t o an order ent ry clerk, who processes each inquiry by order of receipt . The process works but m ay bog down during peak periods of t he day or when t he st aff is short - handed. Besides, t he m ain funct ion of t he order ent ry st aff is t o process act ual orders. Providing product availabilit y inform at ion t o t he field is a relat ed responsibilit y t hat is oft en superceded by higher priorit ies. Processing last - m inut e request s in preparat ion for a m eet ing is t oo oft en out of t he quest ion. To com plicat e m at t ers, you also have independent dealers and affiliat es requiring product availabilit y st at us report s as well as inquiries on an ongoing basis. Aft er deciding t hat t he product availabilit y inquiry act ivit y is suit able for an ebusiness applicat ion, t he next st ep is ident ifying t he inform at ion asset ( s) t he process generat es. The m apping of inform at ion asset s wit h t he processes t hat support t hem is a crit ical requirem ent in e- business applicat ion developm ent . I n t his exam ple, t he inform at ion asset creat ed by t he process is " product availabilit y" ( see Figure 1- 3) . Aft er receiving t he inquiries, t he order ent ry st aff queries t he invent ory dat abase t o check t he st at us of product s from key suppliers. When t he availabilit y of a part icular

product is ascert ained, t he inform at ion is conveyed back t o t he end user via e- m ail or fax. The product availabilit y inform at ion allows sales represent at ives t o respond t o client s effect ively. Finally, you recognize t hat t he order ent ry st aff perform s a clearinghouse funct ion, or a physical ( m anual) process, which ensures t hat inquiries and responses are cleared out of t he queue.

Figu r e 1 - 3 . Pr odu ct in qu ir y fu lfillm e n t pr oce ss

To be m ost effect ive, t he e- business applicat ion would have t o provide up- t o- t hem inut e inform at ion t o field personnel, consult ant s, and part ners and also elim inat e or st ream line t he product st at us and clearinghouse funct ion, reducing sales support cost s. Moreover, t he result ing applicat ion would reduce com m unicat ion cost s, given t hat t he I nt ernet replaces t radit ional com m unicat ions links, and end users' learning curve would be less, as t he syst em would be accessed t hrough t he fam iliar environm ent provided by Web browsers. This all sounds good. However, it 's easier said t han done. I n order for t he e- business applicat ion t o provide t he funct ionalit y of t he previous syst em , t he product inquiry and physical clearinghouse process is enhanced by a digit al process, or com put er applicat ion. The dat abase—in t his case, t he invent ory dat abase—m ust also be available and int erconnect ed t o t he virt ual process, or applicat ion. I nst ead of field personnel int eract ing wit h a charact er- based, st at ic GUI or ot her generic front end t o generat e t he inquiry request , t hey would access a front end t hat is capable of running in t heir browser, a personal digit al assist ant ( PDA) , or wireless

hand device. The front end—Web server—m ust be able t o perform t he funct ion provided by t he order ent ry st aff. That is, it m ust be able t o access t he invent ory dat abase, gat her t he inform at ion required by t he inquiry, form at t he response, and feed it back via t he I nt ernet t o t he appropriat e place ( field) in t he user's browser, which is running t he applicat ion on a lapt op, hom e office com put er, PDA, and so on. The applicat ion also does som e housekeeping chores by clearing t he inquiries from t he front end and t he rem ot e dat abase calls from t he back end, or invent ory dat abase. Most likely, t he front - end Web applicat ion, or what t he users see and int eract wit h in t he browser, is developed wit h I nt ernet - enabled t echnologies, such as Java or HTML applicat ion t ools. The back end could be, for inst ance, a legacy UNI X dat abase t hat has been a m ission- crit ical applicat ion for som e t im e. To accom plish t he int erconnect ivit y bet ween t he front - end browser applicat ion and t he back- end UNI X dat abase, yet anot her applicat ion syst em , t ypically referred t o as m iddleware, m ust be used t o provide t he int erconnect ions, or com pat ibilit y, bet ween t he dissim ilar front - and back- end applicat ions. Exam ples of m iddleware are syst em s developed wit h J2EE ( Java 2 Plat form Ent erprise Edit ion) . Developed by Sun Microsyst em s, J2EE is m ore popular in Web applicat ion developm ent t han CORBA ( com m on obj ect request broker archit ect ure) , int roduced by t he Obj ect Managem ent Group in 1991, or DCOM ( dist ribut ed com ponent obj ect m odel) , which is Microsoft 's bet for an obj ect st andard. However, t he ot her st andards are growing in use for Web applicat ion developm ent . Wit h m iddleware in place, t he e- business applicat ion provides t he sam e funct ionalit y of t he previous syst em . However, t he virt ual process replaces t he t radit ional product inquiry and physical clearinghouse process and provides great er operat ing advant ages and overall benefit s t o t he ent erprise ( see Figure 1- 4) .

Figu r e 1 - 4 . Cr ossin g t h e digit a l ch a sm w it h m iddle w a r e

You can see t hat for even t he sim plist ic exam ple shown in Figure 1- 4, crossing over from a t radit ional process t o a virt ual process t o achieve e- business goals could pose a pot ent ially com plicat ed challenge, like crossing a chasm on a t ight rope. Crossing t his digit al chasm t o pursue e- business opport unit ies t herefore requires a com plet e knowledge of t he ent erprise's inform at ion asset s, or m ore appropriat ely, where t he necessary inform at ion asset s reside t o support a given e- business applicat ion. This crossover also assum es t he incorporat ion of a dynam ic, browser- com pat ible front end and t he ident ificat ion or developm ent of t he st at ic back end: t he dat abase. Perhaps t he m ost crit ical aspect of t he ent ire process is deploying t he m iddleware t hat t ies t he whole e- business applicat ion t oget her. This is t he lifeblood of ebusiness.

The Sobering Reality As e- business legit im izes t he I nt ernet as a m ainst ream business facilit y, m any individuals have begun t o see t he I nt ernet m ore as a basic ut ilit y, not a m ere convenience. Livelihoods in every field of endeavor are increasingly going online. And when livelihoods are involved, a sense of securit y is usually an accom panying fact or. As previously suggest ed, t he World Wide Web consist s of highly com plicat ed yet fallible t echnology. I n dealing wit h com put er net works, a m odicum of inconvenience is accept able. Sit es get overwhelm ed and clogged wit h t raffic, Web servers break down, HTTP and Java applicat ions crash, and huge file t ransfers affect overall net work perform ance. I n general, such event s occur wit hout any int erference from ext ernal hackers and crackers or int ernal sabot eurs. Besides, no one is na ve enough t o expect unint errupt ed service j ust because essent ial applicat ions are m oved online. Those occasional hiccups in net work service are not usually a t hreat t o our sense of securit y. However, as m ore and m ore businesses and ent repreneurs m ake t hat all- im port ant leap- of- fait h in search of increased revenues, operat ional efficiencies, cost savings, and/ or st rat egic advant ages, rest assured t hat hackers, crackers, and sabot eurs will at t ain m ore powers of dest ruct ion. Fort unat ely, such powers are not om nipot ent enough t o st op t he m om ent um of t he I nt ernet m igrat ion. But t hey are powerful enough t o shake t hat sense of securit y we need t o pursue our livelihoods. I nt ernet denizens should condit ion t hem selves t o expect visit s from t hese hum an- driven m enaces.

Real-World Examples I f you want t o know what it 's like t o weat her a horrendous st orm , j ust ask E- Trade. E- Trade, t he nat ion's second- largest online broker, pioneered t he radical shift from t radit ional brokers t o t rading st ock online. About 7 am in early February 2000, ETrade cam e under a m assive denial- of- service at t ack. I t was no coincidence t hat t he at t ack began precisely when E- Trade's cust om ers, online brokers, and day t raders begin flooding t he sit e wit h legit im at e orders for st ock purchases. Much t o everyone's chagrin, t he sit e was being flooded wit h bogus queries, which succeeded in choking t he syst em and at t he sam e t im e denying legit im at e subscribers ent ry t o t he sit e. The relent less onslaught of bogus act ivit y cont inued well aft er 10: 00 am , successfully locking out business act ivit y during t he st ock m arket 's busiest t im e of t he day.

I n t he aft erm at h of t he at t ack, about 400,000 t raders, about 20 percent of E- Trade's client base, were eit her unable t o m ake t rades or lost m oney owing t o t he lengt h of t im e required t o com plet e t hem . As a st opgap, E- Trade rout ed som e invest ors t o live brokers. Consequent ly, E- Trade lost m illions of dollars when it was forced t o com pensat e t raders for losses from t rades t aking longer t han usual and t o pay t he fees from t he live brokerage houses. A few days before t he at t ack on E- Trade, Yahoo and Am azon.com were also t em porarily crippled by denial- of- service at t acks. As t he now infam ous at t acks were under way, t he I nt ernet econom y was st unned, and a sense of helplessness perm eat ed t he virt ual com m unit y. The at t acks bring int o focus t he short com ings of t he I nt ernet . Alt hough indust ry observers feel t hat t he at t acks will not st unt t he exponent ial growt h of t he I nt ernet , t hey highlight t he vulnerabilit ies of t he m illions of com put er net works t hat delicat ely link t he new econom y. Som e observers t ry t o equat e t hose at t acks wit h t he equivalent of spraying graffit i on New York's subways. Ot hers m aint ain t hat real ingenuit y and solid cit izenship will ult im at ely win t he bat t le for t he I nt ernet 's safet y and int egrit y. Such ingenuit y could lead t o dispensing a host of innovat ive cont rols t o pat rol t he freeways of t he I nt ernet . I n t he m eant im e, business will be conduct ed but not quit e as usual. This era is m arking t he end of I nt ernet innocence. I f you are involved eit her in e- business or in planning for it , you should condit ion your expect at ions for hacker exploit s, m uch like we are condit ioned for j unk m ail, rushhour t raffic, or t elem arket ers. I n t he m eant im e, a gold rush is under way. Alt hough every st ake for e- business will not find gold, t he virt ual fort y- niners will not be det erred in t heir m ad rush for e- business.

E-Business: The Shaping and Dynamics of a New Economy E- business is a revolut ion: a business exist ence based on new m odels and digit al processes, fueled by hypergrowt h and new ideals. I t is also pursuit of new revenue st ream s, cost efficiencies, and st rat egic and com pet it ive advant ages spawned by virt ual business channels. Cut t ing- edge I nt ernet t echnologies and new vist as of em erging t echnologies enable e- business. E- business is a forging of a new econom y of j ust - in- t im e business m odels, whereby physical processes are being supplant ed by virt ual operat ing dynam ics. Yes, e- business is all t his. But st ill, what is e- business? I n ot her words, what is t he int rinsic nat ure of e- business?

The E-Business Supply Chain Typically, e- business is described and discussed wit h m ore em ot ion t han ot her business areas, and right fully so. Aft er all, we are wit nesses t o an excit ing revolut ion. To gain t rue insight and a concept ual underst anding of e- business, it needs t o be defined from bot h t he B2C and t he B2B perspect ives. This sect ion also int roduces I nt ernet , or digit al, supply chains and reveals t heir underlying significance t o bot h t he B2C and B2B e- business channels.

Th e Bu sine ss- t o- Consu m e r Ph e n om e non When consum ers purchase goods and cert ain classes of services direct ly from t he I nt ernet , online ret ailers are servicing t hem . I n ot her words, online ret ailers, or et ailers, have init iat ed a consum er- orient ed supply, or value, chain for t he benefit of I nt ernet consum ers. This form of I nt ernet - based act ivit y is known as business- t oconsum er ( B2C) elect ronic com m erce. I n t his discussion, supply chain is used int erchangeably wit h value chain. However, supply chain, in t he t radit ional sense, refers t o t he supply and dist ribut ion of raw m at erials, capit al goods, and so on, t hat are purchased by a given ent erprise t o use in m anufact uring or developing t he product s and services for cust om ers or in regular business operat ions. I n B2C dist ribut ion m odes, supply, or value, chain refers t o t he syst em , or infrast ruct ure, t hat delivers goods or services direct ly t o consum ers t hrough I nt ernet - based channels. But what exact ly is B2C e- com m erce? But m ore im port ant , why has it grown int o a m ult ibillion dollar indust ry? To begin in t he abst ract , B2C e- business is a rich, com plex supply chain t hat bears no direct analogy t o t he physical world. I n fact , no supply chain in t he physical world com pares t o B2C value chains such t hat an apples- t o- apples com parison can be m ade. Thus, B2C e- channels are unique because t hey are providing supply chains t hat st ream line and enhance processes of t he physical world ( see Figure 1- 5) . I nt ernet - driven supply chains depend heavily on t he coordinat ion of inform at ion flows, aut om at ed financial flows, and int egrat ed inform at ion processes rat her t han on t he physical processes t hat t radit ionally m ove goods and services from producer t o consum er.

Figu r e 1 - 5 . Th e B2 C su pply ch a in st r e a m lin e s pr oce sse s of t h e ph ysica l w or ld

Three classes of B2C value chains m ake possible t he following e- business realit ies: 1. Delivery of t he universe, or an unlim it ed num ber—pot ent ially m illions—of goods and services wit hin est ablished m arket s, by operat ing under a single brand ident it y or as a superefficient int erm ediary 2. Creat ion of new m arket channels by leveraging t he I nt ernet 3. Elim inat ion of m iddlem en while st ream lining t radit ional business processes Am azon.com and CDNow are excellent exam ples of t he B2C class indicat ed in class 1. Am azon has succeeded by producing an efficient consum er product delivery syst em . The value in t his e- business channel is t he unit ing of m any back- st reet dealers under t he banner of one popular brand nam e. CDNow is also at t em pt ing t o im plem ent a sim ilar st rat egy. Furt herm ore, no one bookst ore or m usic st ore in t he physical world offers 10 m illion t it les like Am azon.com does or 325,000 CDs like CDNow does. Tradit ional book or CD ret ailers in est ablished m arket s could never offer t his vast array of m erchandise, because of shelf space and invent ory const raint s. For exam ple, t he t ypical superbookst ore or m usic CD st ore st ocks only 150,000 or 60,000 t it les, respect ively. An exam ple of B2C class 2 is eBay, which creat ed a new m arket channel in est ablishing an online auct ion facilit y. Through t his e- business channel, buyers and sellers—everyday consum ers—can int eract t o sell personal it em s in a venue t hat did not exist previously. Dell.com is an exam ple of t he t hird B2C e- business class. Dell.com is successful because it incorporat es t he principle of disint erm ediat ion, or t he abilit y t o elim inat e int erm ediaries from t he value chain. I n ot her words, disint erm ediat ion involves disengaging m iddlem en, who usually com m and a share of t he value chain. Research has shown t hat int erm ediaries add a large percent age t o t he final price of product s. Percent ages range from 8 percent for t ravel agent s t o m ore t han 70 percent for a t ypical apparel ret ailer. Dell is a business case exam ple of effect ive deploym ent of disint erm ediat ion because it s direct consum er m odel delivers cust om - built com put er syst em s at reasonable prices by leveraging I nt ernet channels. I n t he fut ure, ot her online supply chains will successfully rem ove m iddlem en, result ing in even lower prices for ot her classes of goods and services. Perhaps t he com m on denom inat or of all t hree cat egories is t he pot ent ial t o st ream line physical operat ing processes in t he supply chain. This is anot her im port ant reason t hat B2C growt h t hrough t he I nt ernet is so com pelling. Physical ret ailers are capit al int ensive. When t he shelves are fully st ocked, adding new product s m ay prove t o be t oo challenging, possibly requiring eit her displacing m ore est ablished product s or engaging in a cost ly physical expansion. On t he ot her hand, t he increm ent al cost of adding new product s for an online ret ailer is m inim al, especially because t he product m anufact urer or dist ribut or m ay carry t he invent ory. Also, online ret ailers do not have t o incur t he cost of operat ing a showroom floor. Sim ilarly, t he processes of ot her consum er- orient ed services, such as t ravel agencies, can be st ream lined by aut om at ion and t he overall service provided t hrough t he I nt ernet . Such t rends serve t o pass on t he cost efficiencies t o consum ers, who in t urn pay lower prices. Expect t o see m ore service- orient ed int erest s, such as financial inst it ut ions, provide m ore services online in t he fut ure as t hey cont inue t o

ident ify physical business processes t hat can be enhanced by a m ove t o t he digit al world of t he I nt ernet . I n sum m ary, t he I nt ernet supply chains creat ed t o support B2C e- business init iat ives have no direct analogy in t he t radit ional, or physical, world of com m erce. True, t he t wo channels have sim ilarit ies. The goods and services offered in physical bricksand- m ort ar ret ailers becom e sexy m ult im edia present at ions and t ransact ion dat a. Et ailers and consum ers connect via Web port als inst ead of driving t o m alls or t o various business concerns. I nvent ory becom es online t ransact ion dat a t hat flows from t he consum er's shopping cart of t he online st ore—Web sit e—t o fulfillm ent houses or direct ly t o t he producers t hem selves. To recap, B2C value chains creat e t he following t hree t ypes of e- business realit ies: 1. I n est ablished m arket s, creat ion of digit al supply chains t hat elim inat e m iddlem en and enable t he availabilit y of a unique service, such as Dell's direct delivery of cust om - built PCs. 2. Creat ion of a new m arket channel t hat did not exist in t he physical universe, such as eBay's creat ion of t he online auct ion facilit y for t he convenience of everyday consum ers. 3. Unit ing of back- end, used or rare- product dealers under t he banner of a popular nam e brand. I n effect , t his creat es a consort ium of businesses under a single branded ident it y, or under a new, superefficient int erm ediary, t hat did not exist in t he physical world. I f you can creat e a B2C value chain t hat elim inat es m iddlem en, est ablishes a new m arket channel for a novel idea, or creat es a superint erm ediary providing an unlim it ed num ber of product s while st ream lining physical processes in all cases wit h I nt ernet applicat ions, you j ust m ight becom e t he next Dell, eBay, or Am azon: a dot com . Th e Bu sine ss- t o- Bu sin e ss Ph e nom e n on B2B is t he post er child for e- business. As excit ing and awesom e as B2C and ot her ebusiness opport unit ies are, t hey pale next t o B2B proj ect ions. ( See t he sect ion The E- Business Sweepst akes earlier in t his chapt er.) Alt hough prognost icat ions vary across t he board, all est im at es are in t he t rillions of dollars. One forecast has B2B com m erce growing from $150 billion in 1999 t o $7.4 t rillion by 2004! Present ly, t he m edian t ransact ion for B2B sit es is t hree t o four t im es t he size of t he m edian t ransact ion for B2C sit es, or $800 versus $244. I m port ant drivers of t his proj ect ed growt h include, but are not lim it ed t o, com pet it ive advant age, reduct ion of cost s, increased profit s, and cust om er sat isfact ion. I f you are able t o build an effect ive B2B channel, t he payoff could be significant , result ing in im proved econom ies of scale and product ivit y, reduct ion in overhead, im proved inform at ion flows and processing, and increased operat ing efficiencies, t o nam e a few.

I n light of proj ect ed growt h, we should expect an excit ing, evolut ionary t im e in t he developm ent of dynam ic B2B I nt ernet channels, ult im at ely leading t o robust ext ranet s t hat consist of dynam ic e- t rading com m unit ies. At t he heart of e- business t ransform at ions will be t he I nt ernet - enabled supply chain. I n fact , you m ight say t hat t hese new digit ally orient ed supply chains are at t he epicent er of e- business m igrat ion. Through t he benefit s of properly im plem ent ed B2B supply chains, ent erprises can •

• • •

•

Reduce cost s of goods and services and pot ent ially lower cust om er prices. By connect ing inform at ion syst em s direct ly wit h suppliers and dist ribut ors, organizat ions can realize m ore efficient processes, result ing in reduced unit cost s of product s or services and, perhaps, lower prices t o cust om ers while effect ively achieving econom ies of scale. Reduce overhead. B2B channels can elim inat e ext raneous or redundant business funct ions and relat ed infrast ruct ures, result ing in t he reduct ion of overhead cost s. I ncrease product ivit y. By elim inat ing operat ional wast e and t he aut om at ion of inefficient business pract ices, organizat ions can realize product ivit y gains. Enhance product and service offerings. Wit h econom ies of scale, reduct ion of overhead, operat ing efficiencies, and lower operat ing cost s, such gains m ay be passed on t o t he cust om er t hrough lower prices or as enhanced or addit ional feat ures of product s or services. Cust om er sat isfact ion. A st rat egic benefit of t he successful im plem ent at ion of dynam ic B2B business m odels is im proved cust om er percept ion of t he t ransact ion.

This m et am orphosis will not occur unless com panies undergo radical changes. Ent erprises will begin wit h crit ical self- exam inat ion and com prehensive process analysis t o det erm ine what int ernal operat ing funct ions, underlying infrast ruct ures, and crit ical pract ices are necessary t o t ransform int o a B2B channel t hat is capable of leveraging t he I nt ernet . This in t urn will lead t o t he reengineering of processes, elim inat ion of operat ional inefficiencies, and, ult im at ely, increased product ivit y. I f com panies are successful, t hey will reinvigorat e t heir value chains, incorporat e t echnology- driven processes t hat becom e t he foundat ion for B2B, and increase t ransact ions wit h cust om ers ( see Figure 1- 6) .

Figu r e 1 - 6 . M a n a ge m e n t pr oce ss of B2 B va lu e ch a in

Related E-Business Trends Pursuing business- t o- consum er m arket s, especially if t he goal is t o becom e a covet ed cat egory killer in one or m ore product areas, would be t oo m uch of an uphill bat t le for m any ent erprises. Cat egory killers are t he dom inant player or players in an online product cat egory, such as Am azon.com and Barnes and Noble for online book sales. The business- t o- business arena m ay offer great er opport unit y for capit alizing on e- business applicat ions. However, t he pot ent ial I T invest m ent s required, along wit h t he general com plexit y of EAI t o achieve seam less B2B inform at ion syst em s could prove beyond t he m eans of m any ent erprises. But m ake no m ist ake about it : E- business is here t o st ay. The reason is t hat t radit ional business processes are being reinvent ed int o new digit al processes wit hin t he e- business value chain and enabled by I nt ernet t echnologies. A properly const ruct ed B2B supply chain can reduce cost s, increase product ivit y, enhance product and service offerings, and increase cust om er sat isfact ion.

Summary B2C and B2B business m odels provide progressive ent erprises wit h t he m eans t o reinvent t heir organizat ions, st ream line business processes, aut om at e t radit ional business processes, and quickly adapt t o new sit uat ions, opport unit ies, and m arket dem ands as t hey unfold. I n t he rush t o em brace e- business, organizat ions underst and t hat new opport unit ies m ust be pursued at t he speed of inform at ion, which in t urn is being enabled by t he rich but inherent ly insecure t echnologies of t he I nt ernet . To be successful, t herefore, you m ust show t hat I nt ernet supply chains are dependable. I f your public Web sit e is designed t o support t he overall B2B effort also, accept able securit y m easures should be im plem ent ed t here as well. Anot her crit ical success fact or is t hat B2B channels m ust be m ore available t han t radit ional com pet it ors, which operat e in t he physical world. But t o m eet or t o exceed e- business obj ect ives, your suppliers, dist ribut ors, and em ployees m ust perceive t hat t he B2B online supply chain is secure enough t o support t he required level of t ransact ions on an ongoing basis. These are t he keys t o success in t he new business realit y of B2B value chains.

Chapter 2. What Is E-Security? To fost er buy- in and support of e- business applicat ions from your cust om ers, suppliers, part ners, and em ployees, t hey m ust perceive t hat a reasonable level of securit y is prevalent , suggest ing t hat t he securit y goals, which include int egrit y, privacy, and confident ialit y, are being fulfilled wit hin t he applicat ion. I nt egrit y says t hat unaut horized m odificat ions t o your inform at ion are t hwart ed as t he inform at ion resides in t he syst em and t ravels from point t o point . Privacy suggest s t hat inform at ion is always confident ial t o t he part ies direct ly involved in t he com m unicat ion. Confident ialit y m eans t hat inform at ion is prot ect ed and not shared wit h unaut horized part ies. I m plem ent ing securit y m easures t o m eet t he requirem ent s of e- business applicat ions present s a dist inct set of challenges. I nst alling appropriat e securit y m easures is generally a daunt ing process, even when net works are closed. So what are t he im plicat ions for open- access net works, or e- business channels? Ent er e- securit y. Chapt er 2 int roduces t he t opic and explains why it is an im port ant enabler of ebusiness. Moreover, t wo im port ant concept s are covered in det ail: t he principles of e- securit y and t he dilem m a of open access versus asset prot ect ion.

E-Security at Your Service Achieving confident ialit y, aut hent icat ion, and dat a int egrit y was a m ilest one, a m om ent ous developm ent for net works when t he obj ect ive was t o lim it or t o prevent out sider access t o ent erprise inform at ion asset s and resources. E- business, on t he ot her hand, m andat es open access t o int ellect ual capit al and inform at ion asset s by out siders. Moreover, e- business depends on t he seam less int eract ion of com plex m ult iple com put er environm ent s, com m unicat ion prot ocols, and syst em infrast ruct ures am ong cust om ers, part ners, suppliers, branch offices, and rem ot e or m obile em ployers. Therefore, securit y t hat accom m odat es open access t o inform at ion asset s am ong het erogeneous net works is e- securit y. E- securit y m ust also be scalable and capable of being adm inist ered holist ically t o t he result ing I nt ranet , ext ranet , or Web sit e on an ongoing basis. Consequent ly, as new needs arise, t he securit y infrast ruct ure m ust adapt and grow t o m eet t he changing circum st ances.

Demands on Traditional IT Security: A Changing of the Guard To sust ain e- business init iat ives, e- securit y m ust be inherent ly com prehensive and able t o deliver securit y on m ult iple operat ing levels in corporat e Web sit es, int ranet s, and ext ranet s ( see Figure 2- 1) . By t hem selves, firewalls and VPNs ( virt ual privat e net works) do not qualify as e- securit y but rat her are considered point solut ions. To be fair, however, VPNs and firewalls are dynam ic securit y m easures and are good at what t hey do: prot ect all point s on t he perim et er ( firewalls) and all inform at ion t ransm issions bet ween securit y point s ( VPNs) .

Figu r e 2 - 1 . E- Se cu r it y: se cu r it y for m u lt iple ope r a t in g le ve ls

However, t he funct ionalit y of point solut ions is based on securit y m odels derived from t he physical world. Securit y m odels in t he physical world generally •

• •

Cont rol who has access t o a locat ion and where t hey can go once inside, by m eans of firewalls and file and direct ory perm issions Ensure t hat inform at ion is properly prot ect ed when it t ravels from one t rust ed locat ion t o anot her, using in- t ransit point - t o- point prot ect ion, such as VPNs, SSL ( Secure Socket Layer) , and encrypt ion Make cert ain t hat no one is using som eone else's keys and t hat t he individual is in fact who he or she is supposed t o be, using such aut hent icat ion m easures as sm art cards or t okens, st rong passwords, and biom et rics

Point solut ions fost er t rust ed net works, and t heir effect iveness ult im at ely depends on t heir rem aining privat e or virt ually privat e. I n ot her words, as long as t he net work's devices, host s, servers, users, and dom ains are aut hent ic, prot ect ed, have dat a int egrit y, and rem ain closed t o out siders, t he net work is secure. Virt ually privat e

net works, which prot ect inform at ion t ransfer over unt rust ed net works, such as t he I nt ernet , prot ect dat a wit h t unneling prot ocols, encrypt ion, and dat a int egrit y algorit hm s called digit al signat ures. VPNs also incorporat e t he use of st rong aut hent icat ion, t hat is, aut hent icat ion t hat requires a password and a personal ident ificat ion num ber ( PI N) . Toget her wit h encrypt ion and digit al signat ures, inform at ion is t unneled safely t hrough t he I nt ernet . Achieving com pet it ive advant age t ranslat es t o keeping cost s down yet creat ing t he inform at ion needed t o m ake j ust - in- t im e decisions. Connect ing business part ners, suppliers, cust om ers, and vendors direct ly online t o t he ent erprise's inform at ion asset s was t he next logical st ep. This evolut ionary developm ent , or j ust - in- t im e business m odel, began im pact ing point securit y solut ions in an adverse way. Theoret ically, point solut ions are sufficient t o prot ect e- business environm ent s, provided t hat a sufficient num ber of firewalls and relat ed securit y m easures are deployed in a sufficient num ber of places, creat ing sub- or concent ric perim et ers wit hin an overall perim et er ( see Figure 2- 2) . An analogy in t he physical world m ight be a depart m ent st ore's placing securit y guards in every depart m ent , securit y t ags on all t he goods, sensors on all t he doors, and surveillance cam eras t o wat ch all em ployees and cust om ers. The obvious problem wit h t his t ype of deploym ent is t hat point securit y solut ions lack t he flexibilit y required t o be pract ical in an e- business environm ent . More im port ant , reliance solely on point solut ions would prove t o be t oo expensive and not scalable enough for e- business applicat ions.

Figu r e 2 - 2 . Con ce nt r ic fir e w a ll de fe n se s

I n ot her words, firewalls, aut hent icat ion servers, card keys, VPNs, and relat ed t echnologies designed int o t radit ional perim et er- defense schem es do not sufficient ly m it igat e risk t o t he e- business value chain but shift it from one area—m ainly from

t he perim et er—t o anot her. VPNs provide dat a prot ect ion in t ransit only, or from point t o point . Unfort unat ely, dat a is st ill at risk before t ransm ission and aft er it clears t he securit y walls at t he dest inat ion. To com plicat e m at t ers, poorly chosen passwords, borrowed or confiscat ed card keys, and m isconfigured securit y rules on net work devices com prom ise access cont rols and user aut hent icat ion. As such, if m ini– perim et er cam ps are deployed t hroughout an ext ranet , for exam ple, t he net work is vulnerable t o int ernal breaches. These walled- off funct ional dom ains m ay also creat e perform ance degradat ion t hroughout t he ent ire value chain, possibly support ing several ent erprises. Finally, users perceive t he barriers as being unnecessary and dysfunct ional. On t he I T side, vigilance wanes as lim it ed st aff wit h lim it ed resources are unable t o cover t he securit y dem ands of an open syst em , such as an ext ranet , e- t ail st ore, or public Web sit e. When I T securit y st affs are frust rat ed owing t o lim it ed resources and inflexibilit y of t he securit y infrast ruct ure and end users are frust rat ed owing t o perform ance degradat ion and com prom ised logins, securit y safeguards are subvert ed, and breakdowns in prot ect ion are inevit able. Clearly, what is needed for secure e- business is an adapt ive securit y infrast ruct ure t hat is scalable, fully funct ional wit hout degradat ion of net work perform ance, and cent ralized m anageabilit y wit h lim it ed resources.

Principles of E-Security E- securit y, or securit y for open inform at ion syst em s, allows access t o inform at ion asset s by out siders. I t ext ends, enhances, and com plem ent s t he securit y m easures provided by point solut ions, regardless of whet her t he perim et er is known or whet her dat a is in t ransit . E- securit y is also flexible and scalable and can be adm inist ered t hroughout t he e- business value chain. The following principles of e- securit y recom m end t hat you • • •

• •

Underst and t he operat ional charact erist ics of your net works and t he business obj ect ives t hat are support ed. Priorit ize t he crit ical im port ance of each inform at ion syst em and prot ect it accordingly. Refort ify point securit y solut ions, such as firewalls, aut hent icat ion syst em s, and VPNs, wit h adapt ive t echnology t hat m axim izes effect iveness and lim it s prem at ure obsolescence. Develop and deploy a com prehensive ent erprisewide securit y policy, t est it regularly for com pliance, and updat e it when necessary. Purchase infrast ruct ure product s, such as int rusion det ect ion syst em s ( I DS) and assessm ent t ools. Do your research! Consult an independent source t o det erm ine which I DS and assessm ent t ools are best for your environm ent and support overall e- business securit y perform ance. Keep e- securit y sim ple. I nst it ut e sim ple policies and aut hent icat ion syst em s t hat enable hassle- free access. Be diligent in achieving a securit y infrast ruct ure t hat is easy t o scale and m anage on an ongoing basis.

The preceding principles suggest t hat e- securit y should be approached as a syst em life- cycle process support ed by an adapt ive securit y infrast ruct ure. Only when esecurit y is such an ongoing, holist ic process will you be able t o m inim ize securit y risks and consist ent ly achieve a sat isfact ory level of securit y in your e- business applicat ion.

Risk Management in the New Economy I ronically, one of t he key funct ions of e- securit y—and t he success of e- business is direct ly dependent on it —is an est ablished, physical- world business pract ice called risk m anagem ent . From securit y's perspect ive, t he great est challenge for e- business ent repreneurs is m aking t he connect ion bet ween risk m anagem ent and prot ect ing t he asset s of online supply chains. Unt il recent ly, online business concerns were not m aking t his crit ical connect ion, which is even m ore ironic given t he openness of t he I nt ernet and online supply chains. Prot ect ing valuable asset s while also opening t hem up t o online supply chains gave birt h t o t he concept of e- securit y when execut ive m anagem ent raised serious concerns about t he risks of creat ing ext ranet s and Web presence t o pursue m aj or e- business opport unit y. E- business m anagers are concerned wit h not only t he risks t o online asset s but also t he pot ent ial for econom ic risks when I nt ernet - orient ed supply chains are com prom ised. As t he E- Trade exam ple in Chapt er 1 showed, t he econom ic im pact can be considerable. Consequent ly, m anagers in t he e- business world are pinning t heir hopes and dream s for success in t he old- world business pract ice of risk m anagem ent . The concept of risk m anagem ent inherent ly signifies an ongoing process whose t im e has com e t o ensure secure e- business operat ions. ( See Chapt er 13 for a com plet e overview of risk m anagem ent .) Organizat ions pursuing e- business opport unit ies ult im at ely becom e m ore open, especially as m ore and m ore t rading part ners are added. When pot ent ially het erogeneous syst em s of dist inct ively separat e ent erprises are t asked t o work as one syst em —an I nt ernet supply chain—risk m anagem ent becom es t he crit ical success fact or for e- securit y. But what exact ly does risk m anagem ent ent ail? When an ext ranet , for exam ple, is im plem ent ed bet ween your ent erprise and t rading part ners, t he result ing digit al value chain m ay consist of inform at ion asset s generat ed by t he soft ware applicat ions developed by each individual t rading part ner. Assum ing t hat t he applicat ions were developed wit h I nt ernet - enabled t echnologies, t hreat s, relat ed securit y risks, and vulnerabilit ies becom e m ore difficult t o m anage, especially when t he digit al value chain is m odified t o accom m odat e increased t raffic from exist ing or new t rading part ners. The principles of e- securit y dem and t hat t hreat s, securit y risk, and vulnerabilit ies should be dealt wit h not only in your net work but also in t he net works of t rading part ners. For exam ple, approxim at ely 130,000 port s, or doors, are possible in net work devices and applicat ions, alt hough m ost syst em s have only a few hundred available, by default . Each door, if not adequat ely prot ect ed, present s a window of opport unit y for an int ruder t o slip int o eit her your net work or t hat of your t rading part ner( s) . Also, net work applicat ions are developed wit h cert ain applicat ion soft ware syst em s or t ools. For a given Java soft ware release, for exam ple, a hacker could possibly devise a m eans t o exploit a weakness in t he result ing applicat ion t o gain access t o your net work wit h a Troj an horse or ot her exploit . A Troj an horse is a m alicious program concealed wit hin anot her, innocuous- appearing program . When it is run, t he Troj an horse secret ly execut es, usually wit hout a user's knowledge. Typically, such vulnerabilit ies m ay be correct ed wit h new soft ware releases, or pat ches. E- securit y requires due diligence for addressing vulnerabilit ies in t he soft ware developm ent plat form used t o develop your ext ranet applicat ion. Because

soft ware syst em s are cont inually being enhanced and upgraded, it 's im perat ive t hat new releases and/ or pat ches t o soft ware be im plem ent ed whenever t hey becom e available. An exploit ed or com prom ised vulnerabilit y is an at t ack on your syst em . Securit y t hreat s could m anifest t hem selves as a port scan by a pot ent ial int ruder or an innocuous e- m ail at t achm ent . Wit h so m any windows of opport unit ies for hackers, your net work should cont inually be m onit ored for vulnerabilit ies or successful syst em com prom ises t hroughout t he ent ire e- business applicat ion syst em . I n t he open societ y of t he I nt ernet , hackers are always working t o exploit weaknesses in your syst em . To com plicat e m at t ers, disgrunt led em ployees t urned sabot eurs are t hreat s from wit hin t he ent erprise. Thus, t o successfully m anage risk t o t he inform at ion asset s and int ellect ual propert y of your I nt ernet value chain, you m ust be vigilant and im plem ent a com prehensive risk m anagem ent process. This crucial fram ework of t he process consist s of t he following funct ions/ act ivit ies: • • • •

Policy m anagem ent . Are your securit y policies in com pliance? Are t hey in synch wit h t hose of your t rading part ners such t hat t hey funct ion as a unified whole t hroughout t he e- business value chain? I f t hey are working t oget her, how oft en are fire drills conduct ed t o m easure effect iveness? Vulnerabilit y m anagem ent . Vulnerabilit ies can be classified by applicat ions, devices, operat ing syst em s, developm ent t ools, com m unicat ion prot ocols, and int erfaces. What t ools do your ent erprise and/ or t rading part ners use t o det ect vulnerabilit ies in net work applicat ions and infrast ruct ure? Threat m anagem ent . Due diligence wit h t he first t wo act ivit ies m inim izes t hreat s overall. A key st ep in t hreat m anagem ent is det erm ining t he pot ent ial num ber of t hreat sources. However, int rusion det ect ion syst em s can be used t o det er t hreat s t o t he syst em , for opt im al prot ect ion. Ent erprise risk m anagem ent and decision support . Coordinat ing securit y wit h your business part ners is a best pract ice and a recom m ended approach if inform at ion asset s are t o be effect ively prot ect ed. I f t he connect ion bet ween risk m anagem ent and an effect ive deploym ent of e- business securit y m easures is achieved, t he result ing securit y archit ect ure should also provide an effect ive decision support syst em . ( See Chapt er 13 for an overview of risk m anagem ent .)

The preceding funct ions represent new dogs of war for t he I T securit y t eam . To m ake t he connect ion bet ween risk m anagem ent and prot ect ing inform at ion asset s, it is im port ant t o inst it ut e and regularly perform t hose funct ions. These innovat ive processes are t he sent inels of open inform at ion syst em s and t he crit ical risk m anagem ent funct ions for achieving e- business securit y. These act ivit ies m ust also int eract wit h and support point solut ions t o creat e a cycle of cont inuous securit y prot ect ion on m ult iple levels. The end result is a syst em t hat responds quickly t o securit y violat ions, m onit ors net work securit y perform ance, det ect s vulnerabilit ies, m it igat es risks, analyzes at t ack pat t erns, enforces policies, and im plem ent s st rat egies for prevent ion and survival. As you can see, e- business requires a m ore sophist icat ed m odel t han t he perim et erbased securit y syst em s used by privat e or virt ually privat e net works. E- business applicat ions require t hat securit y be im plem ent ed and support ed on m ult iple layers in t he net work. They also require m anagem ent buy- in t o enforce cont rols and t o m ake t he necessary invest m ent s in securit y m easures. I n act ualit y, e- business

securit y depends on opport unit y m anagem ent as m uch as it does on risk m anagem ent . Opport unit y m anagem ent consist s of est ablishing and focusing on t he obj ect ives of t he e- business value chain and im plem ent ing t he requisit e st rat egies, including a securit y st rat egy, t o achieve relat ed goals. I f cust om ers, part ners, and int ernal users perceive t hat your e- business applicat ion is available and t hat st eps have been inst it ut ed t o at t ain a reasonable level of privacy, confident ialit y, and int egrit y, you increase your chances of m eet ing e- business obj ect ives. I f im plem ent ed correct ly and risks sufficient ly m it igat ed, your e- business syst em can even m onit or and reveal buying pat t erns and underst anding of t arget ed m arket s, st ream line operat ions, reduce relat ed cost s, and increase cust om er sat isfact ion. I n ot her words, e- securit y enables e- business.

How E-Security Enables E-Business From a business- t o- consum er perspect ive, a sit e t hat is perceived t o be safe and convenient builds brand loyalt y and a crit ical m ass of repeat cust om ers who generat e far m ore profit t han do first - t im e cust om ers. I n an art icle in t he Sept em ber 1990 Harvard Business Review, Frederick F. Reichheld revealed t hat in a num ber of indust ries, repeat cust om ers generat e 200 percent m ore profit in t he t hird year com pared t o t he first and 600 percent m ore profit in t he sevent h year for a business. From a business- t o- business st andpoint , cust om ers, suppliers, part ners, and em ployees perceive t hat t he online supply chain is a safe channel t o connect inform at ion asset s. Consequent ly, revenues are increased and profit s are higher when physical processes have been st ream lined. Field personnel realize a com pet it ive advant age from up- t o- t he- m inut e inform at ion, new opport unit ies are pursued alm ost at t he speed of t hought , preem pt ive st rikes are achieved in est ablished m arket s, and e- business can ult im at ely be pursued at t he speed of inform at ion. Specifically e- securit y enables e- business by • •

•

Ensuring dat a availabilit y, int egrit y, and privacy I dent ifying pot ent ial applicat ion, host , and net work problem s t hat could lead t o int errupt ions in service owing t o securit y breaches Creat ing secure, confident ial channels for t ransferring and exchanging dat a along t he ent ire online value chain

E- securit y enables e- business because t he risks t hat com prom ise securit y are sufficient ly m anaged t o reduce or t o elim inat e econom ic losses and t o m inim ize loss of business advant ages if t he e- business applicat ion is com prom ised. The bot t om line is t hat e- securit y enables ent erprises t o pursue e- business opport unit ies virt ually uninhibit ed, enabling as m any applicat ions for open access as necessary t o m eet ebusiness obj ect ives. This is t he e- securit y–e- business connect ion.

The E-Security Dilemma: Open Access versus Asset Protection To underscore t he significance of e- securit y, t he m odel for e- securit y is designed t o address t he inherent ly conflict ing goals of providing open access and t he crit ical need for st rict asset prot ect ion. At t he core of e- securit y is a cost - effect ive archit ect ure t hat perm it s low- level anonym ous Web access wit h high levels of t ransact ional securit y. At t he ot her end, t he great er t he level of aut hent icat ion and aut horizat ion cont rol desired, t he m ore com prehensive e- securit y's archit ect ure m ust be. Anot her crit ical considerat ion is t hat e- securit y m ust fact or in t he use of t he I nt ernet for bot h int ernal net work requirem ent s and int ernal net work requirem ent s t hat involve support ing ext ernal act ivit y, such as t he DMZ. The level of securit y t hat is ult im at ely im plem ent ed varies according t o t he ext ent t hat t he I nt ernet is used for e- business. I n sum m ary, t he securit y m odel for net works t hat are privat e or virt ually privat e em ulat ed a securit y m odel of t he physical world. Net works rem ained secure as long as access was cont rolled and requirem ent s for aut hent icat ion, dat a int egrit y, and privacy were m et wit h reasonable m easures. On t he ot her hand, secure e- business depends on not only t hese requirem ent s but also t rust , confident ialit y, and nonrepudiat ion. Also, aut hent icat ion, dat a int egrit y, and privacy should be revit alized t o ensure t hat t he e- business opport unit y is sufficient ly prot ect ed t o fost er reasonable expect at ions. Therefore, t he essent ial requirem ent s for achieving esecurit y include t rust , privacy, dat a int egrit y, aut hent icat ion, nonrepudiat ion, and int egrat ion. • •

•

•

• •

Trust ensures t hat part ies involved in developing, using, and adm inist ering t he e- business applicat ion are t rust wort hy and t hat t he support ing syst em and result ing t ransact ions are free from event s t hat cause suspicion, worry, and user concerns. Aut hent icat ion verifies t he ident it y of users, servers, devices, and syst em s and ensures t hat t hese net work obj ect s are genuine. Dat a int egrit y prot ect s dat a from corrupt ion, dest ruct ion, or unaut horized changes. Privacy keeps dat a privat e bet ween aut horized part ies. Encrypt ion is t he underlying foundat ion for privacy and, perhaps, all e- securit y com ponent s. Confident ialit y prevent s t he sharing of inform at ion t o unaut horized ent it ies. Nonrepudiat ion elim inat es t he abilit y t o deny a valid t ransact ion. Due diligence is required t o achieve t his crit ical e- business goal.

Wit h t hese essent ial elem ent s as guidelines, m axim izing open access while m inim izing risks t o t he ent erprise's inform at ion asset s can be achieved. Achieving an e- securit y balance also depends on t he seam less int egrat ion of securit y across pot ent ially het erogeneous net works. Wit hout any one of t hese, effect ive e- securit y will becom e an elusive t arget at best . These and ot her concept s of e- securit y will be expanded furt her in subsequent chapt ers.

Chapter 3. The Malicious Opponents of E-Business Over t he years, t he list of est ablishm ent s t hat have been hacked has included t he Whit e House, t he U.S. Arm y and Navy, NASA, Am erit ech, Bell Sout h, Est ee Lauder, Ford Mot or Com pany, Hewlet t Packard, Packard Bell, Microsoft , Am azon.com , eBay, E- Trade, and Yahoo, prim arily by viruses and t he denial- of- service ( DoS) at t acks. I n t he case of Microsoft , allegedly, t heft and unaut horized m odificat ions of source code int ellect ual propert y occurred. Except for t he Whit e House, t he Depart m ent of Defense, NASA, and Microsoft , t he nam es are largely inconsequent ial because for every at t ack t hat is report ed or uncovered by t he m edia, hundreds m ore go unreport ed. The Depart m ent of Defense est im at es t hat only 1 in 500 at t acks is report ed each year. Many ot hers, especially banks, want t o avoid t he negat ive publicit y and repercussions of such news becom ing public. I n a 2001 survey com m issioned by t he FBI 's Com put er I nt rusion Squad and t he Com put er Securit y I nst it ut e, 91 percent of 538 organizat ions responding det ect ed com put er securit y breaches over t he past year. Even m ore alarm ing, 40 percent report ed penet rat ion of t heir syst em s from t he out side. This num ber grew in 2001 by 37.5 percent over t he previous year. The survey also indicat ed t hat 186 of t he 538 organizat ions, or t he 35 percent willing and/ or able, report ed com bined losses from securit y breaches cost ing approxim at ely $377.8 m illion. Of t hese losses, $151.2 m illion result ed from t heft of propriet ary inform at ion; $93 m illion, t o financial fraud. I n response t o t he j uggernaut , t he m arket for providing securit y solut ions is expect ed t o reach an est im at ed $700 m illion in 2002, up from $45 m illion in 1998. So t he quest ion rem ains, can hackers be st opped? Depending on whom you ask, t he answer is a qualified no. I n t his chapt er, t he covert world of t he hacker is unveiled. Hackers are cocky; m any are t alent ed and rem arkably organized. The pop cult ure side is reviewed in order t o gain insight int o t he hacker's psychological m akeup, along wit h underst anding why a cert ain segm ent of t heir com m uit y holds such cont em pt for Microsoft . The pot ent ial cont roversy surrounding hackers and crackers is explored. Finally, how polit ical forces are m obilizing in response t o hackers and relat ed im plicat ions is syst em at ically laid out for your considerat ion. When you are done, perhaps you will be able t o draw a conclusion as t o whet her t he at t ackers are m arauders, organized for ongoing and increasingly craft ier incursions, or j ust cyberpunks seeking cheap t hrills.

The Lure of Hacking There is no nobilit y in hackers and what t hey do. You've seen t he argum ent s. You have especially seen t he side t hat argues t hat hackers ply t heir t rade for an alt ruist ic purpose or t o benefit t echnology. Hackers hack for various reasons, including m alicious int ent and financial gains, but t hey hack m ainly because t hey enj oy it ! The t radit ional view is t hat hackers break in for t he sake of im proving securit y. There are even writ t en account s of a successful hack t hat was fully docum ent ed by t he hacker and left behind for t he benefit of t he I T m anagers. An e- m ail address was also

included, for good m easure, if t he I T m anagers decided t o engage in a const ruct ive dialogue about t he at t ack. I f you j ust spent hundreds of t housands of dollars rebuilding t he root direct ory of your server or rest oring one aft er it was t ot ally wiped out , you will never be convinced t hat t hose feelings of loss, frust rat ion, anger, and helplessness were experienced for som e great er good of societ y. I ronically, t hose crusader hackers would m ost likely em pat hize wit h t his and blam e an at t ack of t his nat ure on t heir colleagues known as crackers. The fact is, several cat egories of hackers exist , including t he class originat ing from wit hin your own net works, a group consist ing of disgrunt led or unt rust wort hy em ployees. You have probably been exposed t o t he hype about why hackers hack. You have heard t he report s and read t he art icles. But for t he m ost part , hackers claim t hat t hey hack for t he challenge or t o im press t heir peers. No doubt som e in t his underground cult ure are t rying t o prom ot e t he cause for m ore secure net works, alt hough t heir m et hods m ay be convolut ed or t heir t hinking a form of self- act ualized reverse psychology. This is equivalent t o a bank robber get t ing away clean wit h a robbery only t o ret urn t o hand t he m oney back t o t he t eller wit h a m essage: " Next t im e, don't forget t o add t he exploding ink pellet s, and t rigger t he silent alarm as soon as t he perpet rat or leaves. Also, add anot her surveillance cam era over t he side ent rance." So t he quest ion is, does t he end really j ust ify t he m eans? I nt erest ingly enough, a 1999 st udy com m issioned by t he U.S. m ilit ary concurred t hat m ost hackers lack m alicious int ent . For t he record, t he st udy also revealed t hat hackers have an inherent int erest in t echnology and are m ot ivat ed by ideals. Because t his appears t o be t he basis of t he hacker psyche, anot her revelat ion suggest ed t hat hackers don't like t he not ion t hat inform at ion is privat e. The cult ural m ant ra of t he hacker underground is t hat " inform at ion want s t o be free." Moreover, alt hough m any hackers underachieve in school, t hey are st ill very com pet it ive. They hack t o be king of t he cyberm ount ain, t o im press t heir peers, or t o at t ract t he at t ent ion of t he press. The fact rem ains, t here's not hing like t he adrenaline rush of infilt rat ing t hat high- profile sit e t o swipe classified inform at ion or insert ing som e absurdit y, such as hyperlinks t o porno sit es in t he Far East . The m ore successful t he incursions, t he m ore t hey hack. I n t he final analysis, t his m ight be t he best explanat ion for hacking: Hacking is sim ply fun.

Hackers versus Crackers Do crackers st art out as hackers and at som e point cross t he line, never t o ret urn t o t heir original, m alice- free m ind- set ? Or are crackers t ot ally separat e anim als t hat are not on t he sam e psychological cont inuum as hackers? What ever t he case m ay be, hackers, as a rule, don't like crackers. As far as hackers are concerned, crackers are t he " bad- seed" perpet rat ors. The only reason t hat t here is confusion bet ween t hem is because of t he m edia. Ult im at ely, crackers are t he ones who are ent iced t o t he " dark side" of hacking, when unscrupulous businesspeople pay t hem sm all fort unes t o hack int o t he net works of com pet it ors t o st eal business secret s or confident ial inform at ion asset s. I n cont rast , hackers are t he ones who end up in corporat e cubicles, t urning t heir years of illicit pract ice int o healt hy salaries as syst em adm inist rat ors or securit y specialist s. Aft er all is said and done, from t he layperson's perspect ive, t he boundary bet ween hacker and cracker rem ains blurry at best . No

m at t er whet her it 's a hacker or a cracker who breaches your net work, it is st ill unaut horized access t o your syst em . I n a U.S. News and World Report int erview, a leader of one of t he nat ion's t op securit y t eam s st at ed t hat , as of any given t im e, hacker t echniques t end t o be 2 t o 3 m ont hs ahead of t he lat est securit y m easures available. The reason is t hat m ost of t he skilled hackers lit erally work around t he clock t o exploit net work securit y holes and, in t he process, st ay ahead of soft ware fixes or securit y count erm easures. Typically, t hwart ed hackers are average t o above- average hackers, such as m iddle and high school kids, who hack prim arily during t he sum m er m ont hs, out of boredom . I t is basically agreed t hat t he hacker elit e, or t he t op 1 percent t o 2 percent , will probably never be t hwart ed or caught . Alt hough t he leader of one of t he t op securit y firm s believes t hat it is possible t o achieve 98 percent t o 99 percent effect iveness, he acknowledges t hat t he t op t wo or t hree hackers in t he world can circum vent any of t he world's leading securit y m easures. However, t hose close t o t he com put er underground believe t hat securit y firm s are dist ressingly behind t he curve. They m aint ain t hat t he black hat s are j ust t oo cunning, t oo elusive, and t oo organized t o be consist ent ly det erred from m ainst ream securit y m easures.

Hacker Groups Cult of t he D e a d Cow One well- organized hacker organizat ion is t he Cult of t he Dead Cow, known for t he developm ent of Back Orifice and Back Orifice 2000, designed m ainly t o expose Microsoft 's securit y weaknesses. As t he nam e im plies, Back Orifice is a GUI - driven soft ware ut ilit y t hat enables unaut horized users t o gain rem ot e access t o com put er syst em s t hrough t he back doors of PCs running Microsoft 's Windows 95 or 98. The Back Orifice incursion arrives at t he unsuspect ing m achines as an e- m ail at t achm ent . Once inst alled, t he incursion com m and st ruct ure gives t he unaut horized user m ore cont rol of t he com prom ised com put er t han t he user has at t he keyboard. How's t his for t he free societ y of t he I nt ernet ? The Back Orifice program is available free of charge from t he Cult 's Web sit e. More galling, Back Orifice was released in Las Vegas in 1998 at DefCon, t he largest annual securit y conference. Moreover, Back Orifice 2000 is already available. Don't forget t o wat ch your friendly Cult Web sit e for any announcem ent s concerning Back Orifice 2002. Globa l H e ll The nam e couldn't be m ore apocalypt ic! Global Hell debut ed in t he m ainst ream when it hacked int o t he Whit e House Web sit e. I n May 1999, t he Whit e House st aff was confront ed wit h a pict ure of flowered pant ies on it s hom e page. Global Hell t ook credit for defacing t he sit e for t he whole world t o see. Though flust ered, Joe Lockhart , t he Whit e House press secret ary at t hat t im e, was unwavering in assert ing t hat Global Hell would t hink t his less of a sport when t he aut horit ies caught t he group. The FBI was brought in t o launch what am ount ed t o lit t le m ore t hen a kneej erk response. The FBI execut ed an 11- cit y sweep of 20 suspect ed crackers, but t o

no avail. ( Crackers are believed t o be t he dark sheep, or t he m alicious perpet rat ors, of hacker cult ure.) The FBI seized t he com put ers of t he alleged perpet rat ors, but m any indust ry observers were not im pressed wit h t he FBI 's grandst anding. Because crackers are using nearly unbreakable, or st rong, encrypt ion, t he FBI was relegat ed t o grasping for st raws, because lit t le evidence was obt ained aft er t he raid. As an int erest ing epilogue t o t he st ory, one of t he best crackers arrest ed in t he raid was released aft er adm it t ing t hat he had access t o servers in 14 count ries. The FBI ret ained his com put er, which he prom pt ly replaced. Guess what he's doing now? This form er hacker, a high school dropout , has a legit im at e j ob providing rem ot e securit y for an I nt ernet service provider ( I SP) based in Denver, Colorado. Scr ipt Kiddie s For t he m ost part , hackers m aint ain t hat t hey t respass on syst em s st rict ly for t he challenge. They insist t hat t he holes t hey break t hrough are rout inely pat ched up and t he syst em s adm inist rat or of t he com prom ised syst em t hought fully not ified of t he group's exploit and subsequent fix. The innocent - sounding Script Kiddies group, by cont rast , is one of t he m ost dangerous and m alicious cracker groups wreaking havoc on t he I nt ernet . Script Kiddies revel in breaking up t hings whet her by accident or on purpose, using t ools t ypically downloaded off t he I nt ernet inst ead of program m ing t he hacking t ools t hem selves. For exam ple, t wo of t heir disciples, California t eens who go by t he handles Makaveli and TooShort , lit erally ransacked a group of highlevel m ilit ary servers in 1998. I n cont rast t o t he alt ruist ic hackers, t heir goal was not t o ent er and pat ch up but t o ent er and t ear up. For t he m ost part , Script Kiddies qualify as crackers, and t heir m odus operandi is dest ruct ion. H a ck in g for Gir lie s Hacking for Girlies ( HFG) are t he polit ical act ivist s of t he underground hacker cult ure. Apparent ly, one m em ber of t he group has been held in cust ody by t he federal aut horit ies since 1995. I n Sept em ber 1998, HFG hacked int o t he New York Tim es's Web sit e in prot est and t o show discont ent wit h a Tim es report er who wrot e a book t hat chronicled t he com rade's capt ure. HFG referred t o t he report er as a clueless m oron. The Tim es's hom e page was plast ered wit h slogans dem anding t he release of t he fallen HFG com rade. HFG has also hacked int o NASA's Jet Propulsion Laborat ory and Mot orola in support of it s incarcerat ed colleague.

Why Hackers Love to Target Microsoft The superworm s Nim da, Code Red, and Love Bug were designed t o exploit vulnerabilit ies in Microsoft 's flagship product s. Code Red, which cost t he global com m unit y $2.6 billion, affect s vulnerabilit ies found in I ndex Server and t he Windows 2000 index service. Nim da infect ed close t o 2.5 m illion servers and users in less t han 24 hours. But it was t he Love Bug t hat had by far t he m ost cost ly im pact on t he I nt ernet com m unit y. When t he Love Bug was unleashed, t he program writ er, allegedly a Philippine st udent , exploit ed a vulnerabilit y in Microsoft 's Out look e- m ail program . Out look aut om at ically execut es files wit h t he file ext ension .VBS, for Visual Basic Script . A VBS file is a program t hat is used t o perform cert ain rout ine funct ions for applicat ion program s. When t he Love Bug arrived at t he e- m ail direct ories of t he

world's organizat ions—arriving first in Asia, t hen Europe, and finally t he Unit ed St at es—it cam e as an innocuously appearing e- m ail at t achm ent wit h t he file nam e love- Let t er- For- You.TXT.vbs. The m essage in t he e- m ail prom pt ed t he user t o " kindly read t he love let t er from m e." As soon as t he at t achm ent was launched, t he Love Bug did it s t hing, killing m ult im edia files wit h ext ensions .j peg and .m p3, phot o files, and ot her sm all program s. At t he sam e t im e, it m ailed a copy of it self t o every user list ed in t he user's address book. The abilit y t o forward, or self- propel it self t o ot hers, qualifies t he Love Bug as a class of virus called a worm . I n cont rast , piggybacking, or being at t ached t o a docum ent or cert ain files, spreads m ost ot her viruses. Once it 's in a host , a worm usually affect s j ust t he host and t he host 's files. I nfect ion is t ypically spread t o ot her host s by cont am inat ed t ransm issions or t he t ransport ing of infect ed files by floppy disk. The Love Bug's offspring, New Love ( Herbie) , considered even m ore vicious because it syst em at ically delet es all files in t he affect ed m achine, t hereby killing t he host , also favored t he beleaguered Out look. For som e t im e now, Microsoft has been get t ing it s share of crit icism about t he securit y holes in it s applicat ion product s. The com pany has also received a lot of negat ive press about cert ain ot her product s, such as NT. The problem s wit h NT are so widespread t hat ent ire Web sit es are m aint ained j ust t o dissem inat e inform at ion on soft ware fixes developed by t he NT user com m unit y. An excellent Web sit e devot ed t o t his end is NT BugTraq, at WWW.NTBugTraq.com . Many I T professionals believe t hat Windows NT is slow, buggy, and unt rust wort hy. And t he new operat ing syst em s—Windows 2000, XP, and Me—are st art ing t o receive t heir share of crit icism , t oo. Sim ilarly, securit y professionals deride Microsoft 's operat ing syst em s because of how hackers favor at t acking soft ware syst em s believed t o be porous, unreliable, and likely t o crash oft en. Such drawbacks leave syst em s subj ect t o at t acks. The bot t om line is t hat NT- cent ric net works wit h Windows 95 and 98 client s have gained not oriet y for being inherent ly insecure. I n response, Microsoft m aint ains t hat securit y issues are an indust rywide problem . The com pany is right t o a cert ain degree, but when you own 70 percent t o 90 percent of t he PC soft ware m arket , depending on t he product , som ehow t his posit ion isn't t oo convincing. Nevert heless, Microsoft prom ised an Out look fix t hat report edly would inhibit t he program from aut om at ically launching .VBS docum ent s. By now, you will probably have t he fix. I f not , visit t he Microsoft web sit e for det ails on how t o obt ain it . Microsoft 's feat ure- laden product s deliver t ruly m arvelous funct ionalit y but unfort unat ely have num erous securit y holes. Consequent ly, hackers love Microsoft because of t he various classes of vulnerabilit ies present ed by it s suit e of product s. I f any com pany can address t hese issues, Microsoft can because of it s financial m uscle. For now, however, we m ust learn t o live wit h securit y t hreat s, m uch like we live wit h t he prospect s of cat ching t he flu. I n t he m eant im e, do what you can t o prot ect your net work before t he next cyberflu season hit s.

Meeting the Hacker Threat As suggest ed previously, hacking is a full- t im e occupat ion. As one generat ion graduat es, anot her appears t o be eager and capable of fulfilling t heir m ant ra: I nform at ion want s t o be free. To t hat end, t hey are rem arkably organized wit h underground t rade m agazines, such as Phrack and 2600 t he Hacker Quart erly, and plent y of Web sit es, such as At t rit ion, Help Net Securit y, and Ant iOnline. They are even t aking up wit h m ainst ream securit y convent ions, as t he Cult of t he Dead Cow did t o int roduce it s back- door hacking t ool, Back Orifice. Many of t he t ools t hat hackers use are downloaded from t he I nt ernet , com plet e wit h inst ruct ions and wit hout m uch difficult y. For exam ple, in 1997, t he Nat ional Securit y Agency ( NSA) conduct ed an inform at ionwarfare gam e classified as Eligible Receiver. The secret war gam e was init iat ed t o t est several scenarios. For one scenario, which t urned out t o be t he m ost dram at ic, t he NSA downloaded t he hacking t ools direct ly from t he I nt ernet and learned how t o use t hem t here, as well. Consequent ly, t he NSA used t he t ools t o penet rat e t he Depart m ent of Defense's com put ers. Alt hough it was a t est scenario, t he NSA hacked int o a classified net work t hat support ed t he m ilit ary's m essage syst em s. Once inside, t he NSA could have int ercept ed, delet ed, or m odified any and all m essages t raversing t he net work. The scariest aspect of t his t est was t hat t he NSA could have denied t he Pent agon t he abilit y t o deploy forces. I f t hese t ypes of t ools were available several years ago, you can im agine what 's available now. No wonder t he federal aut horit ies are up in arm s. But realist ically, what can t hey do? And m ore im port ant , what are t hey doing about t he hacker t hreat ? The federal governm ent was responsible for creat ing t he I nt ernet , so it seem s fit t ing t hat t he governm ent would ult im at ely t ry t o police t he I nt ernet , alt hough it is now m aint ained by privat e- sect or concerns. Cont rary t o t he popular not ion t hat som e hackers are beyond t he considerable reach of t he federal aut horit ies, som e very good hackers are serving t im e. ( I n Decem ber 1999, a 31- year- old New Jersey program m er pled guilt y t o causing t he out break of t he Melissa virus. The Melissa virus, unleashed in March 1999, caused at least $80 m illion in dam ages.) However, t he federal agencies t hat are wearing t he whit e hat s are not asham ed t o acknowledge t hat t hey are playing cat ch- up for t he m ost part . Nevert heless, you m ust give t hem brownie point s for t aking t he proverbial bull by t he horns.

National Infrastructure Protection Center At t he forefront of t he charge is t he FBI 's Nat ional I nfrast ruct ure Prot ect ion Cent er ( NI PC) . The NI PC becam e t he lead agency when President Clint on signed President ial Decision Direct ive 63 on May 22, 1998. The chart er of t he NI PC, som et im es referred t o as t he Nat ional Crit ical I nfrast ruct ure Prot ect ion Cent er, is t o fend off hacker incursions, bot h foreign and dom est ic. The NI PC is st affed wit h m ore t han 125 individuals from t he FBI , ot her federal agencies, and indust ry, far short of t he t arget of 243 agent s. Moreover, in it s first t wo years of operat ion, NI PC's caseload grew from 200 t o m ore t han 800. Cases ranged from vandalism of Web sit es t o pot ent ial t heft of m ilit ary secret s. The NI PC, working wit h t he Just ice Depart m ent , t ook on t he responsibilit y of invest igat ing t he Love Bug epidem ic. The t eam quickly learned t hat t he bug was

launched from t he Philippines; wit hin days of t he discovery, a suspect was t aken int o cust ody. Furt herm ore, t he NI PC was largely responsible for st aving off t he pot ent ially m ore devast at ing virus New Love. Short ly aft er receiving news of t hat virus's exist ence, NI PC issued an all- point s bullet in t o t he world. As a result of t his warning and t he diligence of t he nat ion's governm ent and com m ercial I T securit y t eam s, New Love was virt ually halt ed in it s t racks. No sooner had t he inform at ion dissem inat ed t han t he NI PC t eam s det erm ined t hat New Love, unlike t he Love Bug, had originat ed in t he Unit ed St at es.

Central Intelligence Agency As you would im agine, t he CI A has it s hands full wit h bot h physical t errorism and cybert errorism from t he t ouch of a keyboard. According t o t he CI A, at least a dozen count ries, som e host ile t o t he Unit ed St at es, are developing program s t o at t ack ot her nat ions' inform at ion syst em s and com put ers t hat cont rol crit ical indust ry com put ers and infrast ruct ure. The CI A has est im at ed t hat t he Unit ed St at es was cybert arget ed by a foreign nat ion at least once. I f you t hink about it , you can underst and t he m agnit ude of t he pot ent ial problem and t he CI A's concern. Com put ers run financial net works, regulat e t he flow of oil and gas t hrough pipelines, cont rol wat er reservoirs and sewage t reat m ent plant s, power air t raffic cont rol syst em s, and drive t elecom m unicat ions net works, em ergency m edical services, and ut ilit ies. A cybert errorist capable of im plant ing t he right virus or accessing syst em s t hrough a back door, or vulnerabilit y, could cause unt old dam age t hat could, pot ent ially, t ake down an ent ire infrast ruct ure. The m ost sobering aspect of t he challenge facing t he CI A is t hat if hackers are as effect ive as t hey are t hrough regular financial m eans, im agine how powerful t hey can be if sponsored by t he governm ent of a nat ion.

Other White Hats I n addit ion t o t he NI PC and t he CI A, several ot her federal and int ernat ional organizat ions are j oining in t he fight . Am ong ot hers, t he FBI 's Com put er I nt rusion squad is responsible for conduct ing surveys t o det erm ine t he m agnit ude of t he problem , t hereby providing direct ion as t o what should be addressed in t he war against hackers. The Com put er I nt rusion squad oft en t eam s wit h ot her agencies, such as t he Com put er Securit y I nst it ut e, t o conduct research int o securit y breaches in federal and com m ercial organizat ions. Ot her federal agencies in t he fight include t he NSA, which is obsessed wit h t he t ools, t echniques, and t echnology t hat hackers use t o ply t heir t rade. To assess t heir effect iveness, t est s are oft en conduct ed against federal agencies, such as NASA and t he DoD, which t end t o be t he NSA's favorit e t est ing grounds. I n one series of exercises, t he DoD discovered t hat 63 percent of t he hacker incursions t hat were launched against it in t he sim ulat ion went undet ect ed. Finally t he Depart m ent of Just ice and t he Nat ional Securit y Council are also playing key roles in t he war for cont rol of t he I nt ernet . St ay t uned. I t 's only j ust beginning.

I n t he int ernat ional arena, t here is t he Forum of I ncident Response and Securit y Team s ( FI RST) , which is a coalit ion of int ernat ional governm ent s and privat e- sect or organizat ions est ablished t o exchange inform at ion and t o coordinat e response act ivit ies t o t he growing t hreat around t he globe. For m ore inform at ion or a list of int ernat ional m em bers, go t o ht t p: / / www.first .org/ .

Part II: Protecting Information Assets in an Open Society I t belongs t o everyone yet no one. That is t he realit y of t he net work of net works: t hat behem ot h called t he I nt ernet . Hackers love t he I nt ernet , and t heir t enet —" I nform at ion want s t o be free" —is a t hrowback t o t he beliefs t he founders held when t he DoD com m issioned t he I nt ernet for developm ent in t he 1960s. When t he ARPANET ( Advanced Research Proj ect Agency Net work) , t he ancest or of t he I nt ernet , was finally swit ched on in 1969, t he founders envisioned a high- speed net work freely accessible t o a com m unit y of users sharing dat a. Securit y was clearly of no concern in t he free- spirit clim at e of t he day. Besides, t he creat ors felt t hat t o inst it ut e securit y m easures would hinder t he free flow of inform at ion and ideas. So in a sense, hackers are keepers of t he fait h for t he I nt ernet 's t rue calling. On t he ot her hand, businesses did not com e t o t he I nt ernet as m uch for what it was originally as for what it had becom e. Ubiquit y, scalabilit y, and cost - effect iveness are t he prim ary reasons t he I nt ernet at t ract ed hundreds of t housands of businesses from around t he world. More im port ant , t he I nt ernet becam e a prom ise of exponent ial ret urns, alt ernat ive or supplem ent al revenue st ream s, new m arket s, and new, cost - effect ive channels of dist ribut ion in est ablished m arket s. Chapt ers 4 and 5 explore t he divergent goals of e- business and t he hacker com m unit y and why t he war for cyberspace is t aking on t he virt ualscape t hat it is t oday. Part I I acknowledges t he t rem endous im pact of int ranet s, ext ranet s, and virt ual privat e net works on t he growt h of t he I nt ernet and also explains why firewalls and VPNs were st rat egic in t urning t he first cyberwar in favor of m ainst ream organizat ions. However, t he resilience of hackers in t he face of point securit y m easures and t he need for businesses t o regroup under m ore com prehensive securit y syst em s is also explored ( Chapt er 4) . Chapt er 5 explores inherent net work com plexit ies t hat lim it t he effect iveness of firewalls and VPNs, or point solut ions, and expands on t he risk m anagem ent funct ions/ act ivit ies int roduced in Chapt er 2. These st eps are t he crit ical elem ent s required for inst it ut ing a life- cycle securit y process.

Chapter 4. A New Theater of Battle Businesses are inherent ly risk averse. The riskier t he opport unit y, t he great er t he possibilit y t hat it will not be pursued. Given t he risky nat ure of t he I nt ernet , it 's am azing t hat it s use has grown as m uch as it has and t hat proj ect ions for hypergrowt h ext end over t he next 5 years and beyond. About 1995, when businesses began t o incorporat e t he I nt ernet for com m erce, it was believed t o be a m uch great er securit y risk t han privat e net works. Thus, t o ent er t he high- st akes gam e of t he I nt ernet , businesses began bet t ing wit h int ranet s, ext ranet s, and especially VPNs. I n t his chapt er, t he payoffs of such I nt ernet - based business m odels are explored, as well as why t hey were so effect ive in winning t he first war against hacker incursions. This chapt er also explores t he evolut ionary im pact of open access, it s det rim ent al im pact on point securit y solut ions, and how t he t heat er of bat t le for e- business opport unit y was changed forever.

From the Demilitarized Zone and the Perimeter to Guerilla Warfare When t hey began using t he I nt ernet t o support cert ain business applicat ions, not m any businesses were willing t o connect crit ical inform at ion asset s t o t he I nt ernet . I n 1998, a survey sponsored by t he Open Group, a consort ium of global com panies pushing for securit y st andards on t he I nt ernet , revealed t hat only one in seven com panies was willing t o link crit ical applicat ions t o t he I nform at ion Superhighway. However, decision m akers knew t hat t hey were wit nessing som et hing com pelling in t he I nt ernet . I t was everywhere: ubiquit ous; it was free: t he only cost s for I SP access fees; and it could support however m uch or lit t le of business applicat ions as required: scalable. The t echnologies of t he I nt ernet also were excit ing and would provide an excellent m edium for present ing business ideas in a m anner t hat would im press em ployees, client s, and business part ners. To get int o t he gam e, ent erprises began incorporat ing firewalls t o defend t heir net works on t he perim et er from t he out side world. Press releases, m arket ing inform at ion, or ot her ent erprise propaganda were convert ed over t o HTML or Java- based applicat ions, which form at t ed inform at ion int o m ult im edia present at ions, graphics and rich t ext form at s in an inform at ion server and placed t hem int o a dem ilit arized zone ( DMZ) out side t he firewall. Anot her nam e for inform at ion servers deployed in t his m anner is t he public Web sit e. Sim ilarly, FTP ( File Transfer Prot ocol) sit es were est ablished t o support large file t ransfers. Ot her organizat ions were so enam ored of t he I nt ernet t echnologies t hat ent ire net works were being built t o creat e int ernal net works called int ranet s. I n ot her words, int ranet s becam e m iniat urized I nt ernet s for t heir respect ive ent erprises. Web and FTP sit es were st ill inst alled in t he DMZ, but int ernal Web sit es in t he int ranet were being used t o dissem inat e crit ical inform at ion t o int ernal users. When ent erprises realized t hat by linking t heir int ranet s t o t hose of business part ners, suppliers, and cust om ers for com pet it ive advant age, ext ranet s were born. Up t o t his point , int ranet s and ext ranet s rem ained closed, fairly privat e net works.

Ext ranet com m unicat ions were t ypically handled by public dat a net works— dist inguished from t he public I nt ernet —provided by such com m on carriers as UUNet or MCI WorldCom . I t wasn't long before rem ot e or nom adic em ployees needed a m eans t o access t he ent erprise's int ranet and t he ext ranet of a part ner, cust om er, or supplier. The logical st ep was t o use t he ubiquit ous, cost - effect iv e, and scalable I nt ernet t o enable access int o t he ent erprise's int ranet or ext ranet . Besides, firewalls and public dat a net works t hat provided t he m ain com m unicat ions backbones prot ect ed t he core infrast ruct ures. So net works were relat ively safe. I ronically, inst ead of being fended off by firewalls and privat e net works, hackers began t o reassert t heir will and t o recover ground t hat was lost from perim et er defenses and privat e com m unicat ions. As rem ot e em ployees, nom adic users, and branch offices of t he ent erprise, part ners, suppliers or cust om ers were gaining access t hrough t he I nt ernet , plent iful I nt ernet access point s increased t he opport unit y for hacker incursions wit h t act ics t hat resem bled guerilla warfare. What was clearly needed was a way t o allow rem ot e and nom adic users t o com m unicat e safely over t he I nt ernet int o corporat e int ranet s and ext ranet s. Hacker incursions were succeeding t oo oft en and, as m ore and m ore ent erprise inform at ion asset s were going online, st ronger m easures were needed t o t hwart hacker exploit s. When ent erprises began incorporat ing t he I nt ernet as t he prim ary com m unicat ions m edium for rem ot e access, firewalls began t o lose t heir lust er as an ent erprisewide defense. Early on, firewalls were t hought t o be a panacea because t hey cont rolled access t o ent erprise resources. Firewalls also t ook care of I P spoofing, one of t he hacker's m ost effect ive gam bit s for gaining unaut horized access int o ent erprise net works. Using various m et hods, hackers would gain t he I P address of a t rust ed net work host when t hat host went out int o t he I nt ernet cloud for Web surfing, e- m ail, FTP t ransfers, and so on. Aft er confiscat ing t he I P address of a t rust ed host , hackers could use it t o gain access t hrough t he ent erprise's rout er and/ or gat eway, even t hough net work access was gained t hrough an ext ernal port ( see Figure 4- 1) .

Figu r e 4 - 1 . I P Spoofin g, t h e h a ck e r 's fa vor it e w e a pon

As long as t he I P address appeared on t he rout ing t ables of t he rout er and t he gat eway, t he net work devices didn't care whet her a t rust ed—int ernal—I P address would suspiciously engage t he net work from an ext ernal port . Firewalls were able t o negat e I P spoofing by sim ply including a rule t hat st at ed t hat any int ernal source I P address appearing on an ext ernal access port is rej ect ed, or not grant ed access int o t he net work ( see Figure 4- 2) . The logic was t hat any I P packet at t em pt ing t o gain access t o t he net work from ext ernal port s should never have a source I P address of a t rust ed host from t he int ernal net work dom ain. I n ot her words, if it 's t ruly an ext ernal packet , t he source I P address should right fully originat e from an ext ernal net work dom ain.

Figu r e 4 - 2 . The fir e w a ll's a n t ispoofin g fe a t u r e

I n addit ion t o I P spoofing prot ect ion, firewalls enhanced t he effect iveness of I P spoofing by giving net works anot her advant ageous securit y feat ure in net work address t ranslat ion ( NAT) . Through NAT, firewalls were able t o prevent invalid or secret I P addresses of int ernal dom ains from going int o t he I nt ernet cloud alt oget her. This was accom plished by assigning t he invalid or secret I P addresses t o a valid I P address, usually t he firewall gat eway or net work rout er ( see Figure 4- 3) , Thus, for com m unicat ion dest inat ions out side t he net work, NAT inst ant aneously t ranslat ed, or changed, t he invalid or secret I P address t o t he valid I P address of t he firewall gat eway or rout er when packet s were queued for t raversing t he firewall port int o t he I nt ernet cloud. NAT reverses t he operat ion when receiving com m unicat ion packet s addressed t o t he valid I P address. Aft er t he valid or firewall gat eway addresses of packet s were t ranslat ed or changed back t o t heir original invalid or secret I P addresses, t he packet s were finally allowed t o reach t he dest inat ion of t he host or host s in quest ion.

Figu r e 4 - 3 . N e t w or k a ddr e ss t r a n sla t ion ( N AT) sce n a r io

Anot her feat ure of firewalls is address hiding, which is sim ilar t o NAT, alt hough address- hiding funct ions are usually provided by proxy- based firewalls. I n cont rast t o NAT, proxy firewalls reconst ruct packet s at t he proxy server or gat eway and in t he process subst it ut e t he I P address of t he gat eway for t he source I P address of t he original packet . This in effect hides t he I P address of t he t rust ed net work host from ext ernal sources when t raveling t hrough t he I nt ernet . Therefore, t he I P addresses of t rust ed host s of t he int ernal dom ain could be invalid, secret , or valid. Feat ures such as NAT, address hiding, and ant i–I P spoofing m echanism s worked in concert t o creat e a powerful securit y solut ion for prot ect ing t he perim et er of an ent erprise's net work. However, when rem ot e access was grant ed t o m obile, hom e, and nom adic users, hackers were able t o piggyback on t hese t ransm issions t o gain access t hrough t he ent erprise firewalls. Wit h lit t le or no difficult y, hackers easily read user I Ds and passwords as rem ot e packet s m ade t heir way t hrough unsecured net work devices en rout e t o ent erprise net works. Wit h all it s powerful feat ures, a firewall could lit erally do not hing t o prot ect inform at ion t ransm it t ed via t he I nt ernet from rem ot e sources. Unfort unat ely, in accom m odat ing rem ot e- access operat ions, t he firewall lost it s lust er.

The Triumph of Intranets, Extranets, and Virtual Private Networks The need was firm ly est ablished for rem ot e users t o successfully t raverse t he virt ual beachheads provided by ent erprise firewalls while prot ect ing net work infrast ruct ures. The first cyberwar began when t he business world decided t o prot ect it s int erest s. I nt ranet s afforded t he t echnologies of t he I nt ernet for t he privat e use of ent erprises while keeping net works privat e and hackers at bay. Ext ranet s were a response t o uncert aint y, uncont rollable forces, and, especially, com pet it ive pressures in business environm ent s. Bringing suppliers, cust om ers, and business part ners direct ly online t o ent erprise com put ing asset s was an innovat ion t hat m arked an evolut ionary shift t oward a new business realit y. However, t he com pet it ive advant ages were soon being overshadowed when organizat ions t urned t o t he I nt ernet t o connect rem ot e and m obile users, as well as branch and hom e offices. These connect ions m ade good fiscal and business sense because of t he econom ies of scale of t he I nt ernet , but t hey also provided windows of opport unit ies for hackers. Hackers began using backdoor program s and sniffers t o confiscat e user I Ds, passwords, credit card num bers, and ot her confident ial inform at ion. Sniffers, oft en referred t o as packet sniffers, are soft ware ut ilit y program s t hat have becom e one of t he favored t ools in t he hacker's arsenal. Hackers t ypically program and clandest inely inst all t hem in rout ers or servers of unsecured net works t o do t heir covert bidding on t he I nt ernet . Hackers usually program t hem t o m onit or and/ or search for dat a consist ing of cert ain pat t erns, such as passwords, user I Ds, or credit card num bers. Because a sender has no cont rol over how a packet is t ransm it t ed t hrough t he I nt ernet , dat a could be com prom ised any t im e and anywhere. Also, viruses were being unleashed in unprecedent ed rat es t hrough e- m ail at t achm ent s. The first denial- of- service ploys were being at t em pt ed using ping of deat h. Hackers discovered t hat by using huge ping packet s inst ead of t he cust om ary size of about 64 byt es, a const ant bom bardm ent could deny access t o legit im at e users and event ually crash t he sit e or, figurat ively speaking, induce sit e deat h; hence, ping of deat h. Wit h t he I nt ernet being used as t he prim ary m edium for rem ot e access int o corporat e int ranet s and ext ranet s, full- scale hacker incursions had ret urned wit h renewed purpose. I t becam e obvious t hat firewalls alone could not prot ect ent erprise net works. Ent er virt ual privat e net works. The first VPNs were achieved by using sim ple encrypt ion algorit hm s t o provide a prot ect ive t unnel for inform at ion t raversing t he I nt ernet cloud. Encrypt ion scram bled st rat egic inform at ion while it was in t ransit bet ween rem ot e users and offices and t he ent erprise int ranet or ext ranet . The first encrypt ion syst em s, or VPNs, were by default propriet ary. Exam ples include FWZ, developed by Checkpoint Soft ware Technologies; SSH, by Dat a Fellows; and Sim ple Key Managem ent for I P ( SKI P) , which was cham pioned by Sun Microsyst em s.

VPN inst allat ions also incorporat ed st rong, or t wo- fact or, aut hent icat ion t o aut horize users before t unnels ferried t heir dat a across I nt ernet channels. Two- fact or aut hent icat ion syst em s work by giving users an obj ect t o possess, such as a t oken, and som et hing t o rem em ber, such as a personal ident ificat ion num ber ( PI N) . St rong aut hent icat ion enabled VPN solut ions wit h t he m ost effect ive m eans of ensuring t he ident it ies of rem ot e users. Typically, t wo- fact or syst em s worked wit h an aut hent icat ion server on t he host net work t o aut horize users or branch offices dialing in over t he I nt ernet . When aut horizat ion was successful, t he encrypt ion schem es would aut om at ically t ake over t o negot iat e encrypt ion bet ween rem ot e users and t he host net work. Aft er successful negot iat ions, encrypt ed dat a t ransm issions would ensue, result ing in achieving virt ually privat e net work connect ions, resist ant t o hacker incursions. For exam ple, sniffer program s, secret ly inst alled in insecure syst em s along t he I nt ernet , were forced t o read ciphert ext , or scram bled t ext , inst ead of t ransm issions in clear t ext . For all int ent s and purposes, t he whit e hat s won Cyberwar I wit h t he advent of VPNs, because int ranet s and ext ranet s could ult im at ely operat e as virt ually privat e net works and prot ect rem ot e access in t he process. VPNs are pract ical and becom ing so com m onplace t hat it would not be a st ret ch t o consider t hem a com m odit y. The success of VPNs as a securit y m easure for t ransm it t ing inform at ion t hrough unt rust wort hy net work clouds st em s largely from t he applicat ion and refinem ent of de fact o and indust ry st andards im plem ent ed as t he underlying t echnologies. Tunneling prot ocols, st rong aut hent icat ion, digit al signat ures, and encrypt ion work in t andem t o creat e virt ually privat e syst em s t hrough public channels, such as t he I nt ernet . One of t he m ost im port ant st andards for VPNs is I P Securit y ( I PSec) . I PSec, t he st andard for VPN t unneling, was developed and cham pioned by an I nt ernet Engineering Task Force ( I ETF) working group of t he sam e nam e. I PSec, St andards Track RFC ( request for com m ent ) 2401, was designed t o adm inist er securit y t o t he I P dat agram , or packet level, by specifying a st ruct ure t hat would serve as t he st andard securit y form at in VPN im plem ent at ions ( see Figure 4- 4) . St andardizing t he st ruct ure for delivering securit y t o I P packet s was one of t he m aj or benefit s of t he I PSec init iat ives. Wit h I PSec as t he st andard for a t unneling prot ocol, vendors t hat incorporat e I PSec int o t heir VPN offerings ensure t he int eroperabilit y of VPN solut ion com ponent s, regardless of t he vendor.

Figu r e 4 - 4 . Se cu r it y se r vice s of I P Se cu r it y ( I PSe c)

Closely connect ed wit h I PSec is I SAKMP/ I KE, t he st andard for key exchange, which deploys t he encrypt ion for dat a t ransm ission on behalf of t he t unneling prot ocol. I n fact , I SAKMP/ I KE ( I nt ernet Securit y Associat ion and Key Managem ent Prot ocol/ I nt ernet Key Exchange) is t he default key exchange and m anagem ent syst em for I PSec. I SAKMP/ I KE, I ETF's St andards Track RFC 2408, ensures t hat bot h end point s of t he VPN use ident ical keys for aut hent icat ing and encrypt ing I P packet s. I n ot her words, I SAKMP/ I KE m anages I PSec's encrypt ion keys and enables deploym ent of securit y services t o t he dat a packet level. Services include negot iat ing t he t ype of securit y t o be delivered, aut hent icat ing t he t unnel, and encrypt ing t he dat a t ransm issions. Finally, SKI P is an opt ional key m anagem ent syst em support ed by I PSec. I n t he long run, st andards ensure int eroperabilit y, freedom of choice, and prot ect ion of invest m ent .

The Vanishing World of Controlled, or Closed, Access The I nt ernet can be like hit ching a ride on an 18- wheeler when t he pat h t o your expect ed dest inat ion is unknown or like a 747, wit h you as a VI P in cont rol of your dest iny and looking forward t o a long- overdue vacat ion on t he Riviera. When VPNs m ade t heir debut int o t he m ainst ream , businesspersons were finally on t he plane, in cont rol, and on t heir way t o t he Riviera: t o paradise.

But before t he beaches could get t oo crowded, ot hers cut t heir st ay short , and ot hers found t hem selves back on t he 18- wheeler again, chiding t hem selves for even t hinking t hat paradise could be reached. As long as access was cont rolled and net works rem ained virt ually privat e, or closed, businesspersons believed t hat net working paradise had been achieved when VPNs allowed t hem t o harness t he ubiquit ous I nt ernet as t he ent erprise's com m unicat ions backbone. The abilit y t o forgo t he cost s of leased lines, m odem banks, and com m unicat ions access servers result ed in cost savings of 40 percent t o 70 percent . Whenever a m obile user or a rem ot e or hom e office needed t o be connect ed t o t he ent erprise net work, t he individual in quest ion was given t he requisit e st rong aut hent icat ion, VPN dial- up soft ware, or an I SP account . Even if access was required from overseas, VPN solut ions offered a m ore cost - effect ive alt ernat ive t han leased- line solut ions. I n ot her words, VPNs were effect ive and indeed scalable. The archet ypal net work prot ot ype had finally been realized. Or so ent erprise execut ives t hought . VPNs were a boon t o geographically dispersed work groups, WAN ( wide area net work) com m unicat ions, and t he bot t om line. The abilit y t o send privat e e- m ail, access int ernal Web sit es for graphical business lit erat ure, view execut ive video and audio m essages, t ransfer large files, and part icipat e in chat room –t ype discussions charged business clim at es wit h a new vigor for j ust - in- t im e inform at ion. The advant ages t hat VPNs afforded businesses were unparalleled, especially working in conj unct ion wit h firewalls. A not oriously insecure m edium in t he I nt ernet was being harnessed for all t hat it was wort h. I t seem s you couldn't get t oo m uch of a good t hing, because businesses were j ust get t ing st art ed. Uncert aint y, dynam ic forces, and especially t he pace of t he m arket place cont inually st im ulat ed an already voracious appet it e for ext ract ing m ore from t he I nt ernet t echnology m odel. However, t here rem ained som e reluct ance t o t ake act ion. Perhaps m ission- crit ical applicat ions could also benefit from t he j ust - in- t im e t echnology equat ion. Therefore, as a nat ural evolut ion in t he e- business revolut ion, m issioncrit ical applicat ions were next t o go online. The awesom e significance of t his m eant t hat crit ical inform at ion asset s were also going online by default . I n fact , t he prot ot ypical archet ype of t he privat e net work t hat was achieved wit h VPNs and firewalls is, for all pract ical purpose, gone forever.

The Impact of Open Access Lessons were cert ainly learned over t he years about general net work securit y, such as m anaging user right s and inst it ut ing effect ive password policies and pict ure I Ds for physical access. Such pract ices, coupled wit h such point solut ions as VPNs and firewalls, should be sufficient securit y m easures t o prot ect t he ent erprise's inform at ion asset s t hat m ade t heir debut on t he I nt ernet : not unlike lam bs t o t he slaught er. When inform at ion asset s went online, a virt ual feeding frenzy was creat ed indeed! Nom adic em ployees and rem ot e users in branch and hom e offices found t hat in addit ion t o accessing m arket ing collat eral, t echnical whit e papers, press releases, product announcem ent s, and t he like, t hey were also able t o check order st at us and product availabilit y or t o subm it expense report s, sales forecast s, and capit al requisit ions online. Even m ore t radit ional work processes, such as account ing and hum an resources act ivit ies, went online, enabling ent erprises t o reduce operat ing cost s by enabling account ing and HR st aff t o do t heir j obs from hom e by t elecom m ut ing. As a result , t he cost s of adm inist rat ion and expensive office space could be reduced considerably, furt her j ust ifying t he use of t he I nt ernet .

Not t o be left out , t rading part ners, client s, and suppliers were experiencing t he sam e t rends at t heir end of t he ext ranet . Wit h such a flurry of act ivit y, t he point securit y provided by firewalls and VPNs was being st ret ched t o t he lim it . To m ake m at t ers worse, end user ad hoc request s were beginning t o rear t heir ugly head. An em ployee of com pany A, one of your ext ranet part ners, needs t o poke a hole t hrough a firewall t o accom m odat e a special UDP ( User Dat agram Prot ocol) - based applicat ion t o com plet e research for a proj ect deadline. • • • •

Part ner C j ust opened a larger t han usual branch office, and so in addit ion t o regular field- support ed applicat ions, t he firewall and t he VPN m ust allow access and privacy for connect ion int o t he ent erprise's HR and account ing syst em s. Part ner B j ust hired a com pany as a subcont ract or for a m aj or cont ract and m ust have access int o t he ent erprise net work for several of it s sat ellit e offices, but t he securit y policy of t he subcont ract or is not as st rict as t he policy governing t he original part ner's ext ranet . Part ner C reorganizes and t he I T depart m ent loses several key m anagers t o ot her responsibilit ies. I n t he m eant im e, t he regular updat es and revisions of t he applicat ions and operat ing syst em s on t heir part of t he ext ranet have not been m aint ained. Part ner A loses a m aj or cont ract and st aff m ust be reassigned or laid off, and t he successful cont ract or ext ends j ob offers t o ot hers. The securit y policy is not adj ust ed t o reflect t his new developm ent .

You get t he idea. When syst em s are open and connect ed am ong t rading part ners and rem ot e locat ions, you t ake on t he " st reet - level" access of your part ners, t heir risks, and t hose creat ed by your own int ernal syst em .

The Correlation between Open Access and Asset Protection When inform at ion asset s went online, t he opport unit ies for support ing rem ot e act ivit ies, processes, and workflows, coupled wit h accom m odat ing ad hoc sit uat ions arising from day- t o- day business operat ions, were pot ent ially st aggering. More im port ant , at any t im e, where would one find t he perim et er of t he ent erprise net work? I n t he world of open access, it 's a m oving t arget at best . Furt her m ore, how do you keep t he ent erprise net work safe wit h firewalls and VPNs when t he perim et er is nebulous or when you can't keep up wit h everyone who is accessing your ent erprise under various circum st ances? What happens if your t rading part ner's regular program of syst em and soft ware updat es is deferred for a cert ain period? What is t he im pact t o you when t his occurs? Are net work operat ions in com pliance wit h t he ent erprise's securit y policy? Are you aware of every ext ernal individual or organizat ion t hat your t rading part ners, cust om ers, or suppliers have been grant ing access t o for t he inform at ion asset s of t he ext ranet ? Are passwords and encrypt ion keys being recycled effect ively t o reduce t he pot ent ial for being com prom ised? I s t he sam e diligence being followed for im plem ent ing st rong aut hent icat ion pract ices for t em porary sit uat ions t hat support consult ant s or subcont ract ors? I s t he securit y policy adj ust ed accordingly t o reflect t he st art and finish of special proj ect s? Are securit y audit s perform ed periodically t o assess t he st at us of net work securit y in general?

Even if a cross- com pany t eam were est ablished wit h it s own net work operat ing cent er ( NOC) t o support t he ent erprise's ext ranet , keeping abreast of all t he pot ent ial scenarios t hat m ay com prom ise securit y, especially arm ed wit h only point securit y m easures, would be ext rem ely difficult at best . Why? As has been shown, point solut ions—consist ing of firewalls and VPNs—are not inherent ly capable of prot ect ing inform at ion asset s in an open- access com put ing environm ent . As for t he ot her quest ions, t hey will be answered over t he course of t his book. However, t he m ost crit ical correlat ion bet ween open access and prot ect ing inform at ion asset s is cont rolling who accesses t he ent erprise net work. The effect iveness of e- securit y will depend on how well users are cont rolled t hrough st rong aut hent icat ion m easures. St rong aut hent icat ion will t ake on a crit ical role in t he level of success you achieve when prot ect ing inform at ion asset s in t he new era.

The Role of Authentication and Privacy in the New Economy The securit y benefit s of privacy, dat a int egrit y, and confident ialit y could never be achieved in an open syst em wit h VPNs and firewalls alone. More im port ant , t he t rends t hat were cat alyst s for net works t o funct ion as closed syst em s are being vanquished by t he m igrat ion t o t he open societ y of t he I nt ernet . A new business realit y has ushered in an era of open access t o crit ical inform at ion asset s of global ent erprises. Consequent ly, t o prot ect crit ical inform at ion asset s in open- access environm ent s requires t he im plem ent at ion of a life- cycle or e- securit y solut ion rat her t han st at ic point securit y m easures. The success of your e- securit y effort s is direct ly correlat ed wit h st rong aut hent icat ion and effect ive privacy. I n fact , e- securit y and st rong aut hent icat ion are int erdependent . I n ot her words, in an environm ent t hat support s open access, t he m ore cont rol you require for user access, t he m ore sophist icat ed t he e- securit y infrast ruct ure m ust be. The im port ance of st rong aut hent icat ion was briefly discussed earlier in t his chapt er. St rong, or t wo- fact or, aut hent icat ion t ypically involves t he deploym ent of sm art cards and/ or t okens. Two- fact or aut hent icat ion is a m anifest at ion of t he prem ise t hat aut hent icat ion is m ost effect ive when users m ust possess som et hing, such as t he credit card–size t oken and rem em ber som et hing, t ypically a PI N num ber. As long as t he PI N num ber is com m it t ed t o m em ory and t hus never writ t en down, net work access cannot be negot iat ed wit hout a user's PI N, even if t he t oken or t he sm art card is lost or st olen. As effect ive as t wo- fact or aut hent icat ion is, it ult im at ely has som e drawbacks. •

•

• •

When init ially assigned t oken and PI N, users m ay inadvert ent ly expose num bers by leaving user I Ds and PI Ns unat t ended. Users wit h m ult iple passwords m ay j ot down t heir PI Ns t em porarily, result ing in com prom ise by an unaut horized user. Tokens or sm art cards can be lost or st olen. Disgrunt led em ployees can com prom ise aut hent icat ion procedures and access devices.

Any one of t hese scenarios com prom ises t he securit y of t he ent erprise net work, but it would be especially crit ical if t he net work support s open access. I n closed

environm ent s, securit y m anagers m ay find t hat t hey are in a bet t er posit ion t o discover a breach sooner. I n cont rast , real dam age could be done in an open environm ent . This is why cont rolling who has access t o inform at ion asset s is so crucial. To enhance aut hent icat ion effort s in open- access net works, securit y depart m ent s are also aut hent icat ing users t hrough digit al cert ificat es. Digit al cert ificat es provide yet anot her layer of securit y because a cert ificat e aut horit y ( CA) , such as VeriSign or Ent rust aut hent icat es user ident it ies. Typically, a CA requires a user t o produce proof of ident it y t hrough a birt h cert ificat e and/ or driver's license. Once an individual's ident it y is est ablished, t he CA signs t he cert ificat e and t hen issues it t o t he user. Digit al cert ificat es also cont ain encrypt ion keys t hat are used in conj unct ion wit h VPNs or for encrypt ing passwords or PI N num bers in t wo- fact or aut hent icat ion syst em s. When it signs t he cert ificat e, a CA uses it s privat e encrypt ion key t o init iat e a process t hat places a digit al signat ure on a user's public key. The digit al signat ure is an assurance t hat t he user's encrypt ion keys were not com prom ised before being placed int o service. Signing t he key also aut hent icat es t he user's ident it y because t his act ion indicat es t hat t he user is ult im at ely who he or she claim s t o be. Using digit al cert ificat es wit h t wo- fact or aut hent icat ion syst em s gives securit y m anagers t he great est level of cont rol over access t o t he ent erprise's net work in an open environm ent . Finally, t he challenge of cont rolling access when inform at ion asset s are requisit ioned for open environm ent s is leading ent erprises t o single sign- on ( SSO) and biom et rics aut hent icat ion syst em s. ( SSO is discussed furt her in Chapt er 10.) SSO aut hent icat ion solut ions are as m uch a response t o st ream lining end user sign- on procedures as t hey are t o concerns about being burdened wit h t oo m any user I Ds and passwords. SSO syst em s allow I T depart m ent s t o provide a user wit h one log- on I D and password for m ult iple syst em s, including client / server and legacy- based syst em s. SSO works in conj unct ion wit h digit al cert ificat e im plem ent at ions and t wo- fact or aut hent icat ion t o deliver t he Rolls Royce of user aut hent icat ion and log- on procedures. Biom et rics is growing in popularit y and finding a place in t he st at e- of- t he- art for st rong aut hent icat ion. Biom et rics relies on a physical charact erist ic, such as a t hum bprint or a ret ina, t o aut hent icat e users. As t he cost of such solut ions decreases, ent erprises will be im plem ent ing aut hent icat ion schem es based on biom et rics t o prot ect asset s in an open net working environm ent .

Summary I n t oday's I nt ernet econom y, m arket s are lit erally m oving at t he speed of inform at ion. To pursue opport unit ies successfully, com panies have had t o ret rofit t heir inform at ion asset s wit h inform at ion t echnology aft erburners, such as J2EE, t o support decisions, crit ical work processes, special proj ect s, and regular business act ivit ies, responding t o t he unprecedent ed forces of a j ust - in- t im e business realit y. But now t hat inform at ion asset s are being repurposed for open access, are t he gains wort h it ? I n ot her words, are e- business opport unit ies wort h t he securit y risks t hat ent erprises seem m ore willing t o t ake t han t hey were a couple of years ago? I n addit ion, given t he short com ings of VPN and firewall securit y m easures in an open-

access environm ent , why is exponent ial growt h expect ed for t he I nt ernet over t he next several years? All indicat ions are t hat e- business will cont inue t o forge ahead int o t he foreseeable fut ure. I n general, ent erprises t oday appear t o be m ore accept ing of t he I nt ernet 's pot ent ial securit y problem s. The problem s can be m anaged t o m it igat e t heir effect s. Managing pot ent ial securit y problem effect ively is even m ore crit ical when open access is grant ed t o inform at ion asset s. Saying t hat VPNs and firewalls should be enough j ust because you have invest ed in t hem is not sufficient . As long as risks are m anaged effect ively, t he pot ent ially det rim ent al effect s are m inim ized in t he long run. E- securit y m inim izes t he securit y risks associat ed wit h open access t o ent erprise inform at ion asset s. This chapt er focused on VPNs, firewalls, user aut hent icat ion, and t he short com ings of point securit y m easures relat ive t o open access. Chapt er 5 discusses t he im pact of cert ain net work problem s and ot her relat ed issues in an open- access environm ent and expands on t he t ools required for im plem ent ing a m anaged, or life- cycle, esecurit y process. These t ools will ult im at ely rearm I T depart m ent s wit h t he weapons needed in t he bat t le for inform at ion asset s.

Chapter 5. Reempowering Information Technology in the New Arms Race I nt egrat ing Web- enabled business processes wit h product ion business syst em s t o allow open access is t he new business realit y. To im plem ent an effect ive e- securit y program , I T depart m ent s m ust t hink out - of- t he- box t o forge all- new approaches t o safeguarding t he com put ing resources of t he ent erprise. Because point securit y solut ions alone are not effect ive in prot ect ing com put ing solut ions of a new econom y, I T depart m ent s, for all pract ical purposes, have no precedent s t o guide t hem . However, wit h creat ive approaches, m anagem ent buy- in, end user support , and t he em ergence of int rusion det ect ion, and vulnerabilit y assessm ent t ools, I T depart m ent s can fashion t he securit y infrast ruct ure, risk m anagem ent , policy, and securit y procedures t hat are best suit ed t o t heir organizat ions. This chapt er looks closely at t he im pact of t ying in Web- enabled business processes wit h crit ical inform at ion asset s of t radit ional product ion syst em s. I t also discusses t he im port ance of securing m anagem ent and end user buy- in t o ensure t he success of a life- cycle securit y process. Finally, t ools required t o im plem ent an e- securit y process are explored t o rearm I T in an arm s race wit h no definit ive end in sight .

The Failings of the Old Paradigm Whet her you are providing an int ranet for em ployees, an ext ranet for business part ners, or an e- t ail st ore for consum ers, Web- enabled com put ing processes are changing t he com put ing landscape forever. For exam ple, t hrough B2B, or ext ranet , solut ions, business planning, m anufact uring lead t im es, delivery schedules, and overall business cycles can be reduced considerably. This cut s operat ional labor cost s, creat es efficiencies, and reduces t im e t o m arket . Fast and efficient com panies will always have t he com pet it ive advant age and t herefore a great er financial payoff, t o t he delight of upper m anagem ent . This is t he great allure of e- com m erce. On t he one hand, excit ing ret urns on e- business invest m ent s have t op m anagers light ing t heir vict ory st ogies. On t he ot her hand, as soon as t hey exit t he sm oke- filled room s, concerns for securit y risks t o t he e- business channel are pondered aloud. Can we achieve business goals wit hout I nt ernet - enabled channels? I s our m igrat ion t o ebusiness solut ions keeping pace wit h appropriat e securit y m easures? Are t he securit y risks ident ified and m anaged? Are all risks account ed for wit h cert aint y? I s t he I T depart m ent equal t o t he challenge? Prot ect ing com put ing resources in a dist ribut ed processing environm ent , or prot ect ing t he virt ual m indscape, has always posed cert ain challenges for I T depart m ent s. To alleviat e t he problem , I T m anagers em barked on recent ralizat ion effort s of dist ribut ed client / server operat ions. Successful cent ralizat ion effort s fost ered effect ive deploym ent of point solut ions, such as firewalls and encrypt ed t unneling for point - t o- point and rem ot e dial- in com m unicat ions ( VPNs) . However, when Web- enabled processes afforded open access t o t he ent erprise's crit ical inform at ion resources, t he securit y equat ion was fundam ent ally changed.

As discussed in Chapt er 4, reliance on host - based access cont rols, such as passwords and I Ds, or perhaps even st rong aut hent icat ion m easures wit h perim et er defenses, quickly becam e unrealist ic in t he face of Web- enabled m ission- crit ical syst em s. Today, I T m anagers are t asked wit h im plem ent ing a new com prehensive securit y m odel t hat accom m odat es risks, cont rols user access, and prot ect s t he infrast ruct ure and t he net work's int ellect ual capit al. However, I T m anagers' t allest order is t o adm inist er t his securit y wit hout disrupt ing t he operat ional flow of t he net work while nonet heless preserving t he int egrit y of sensit ive inform at ion asset s. A t all order indeed! Unlike law enforcem ent agent s, who always draw at t ent ion from passersby when apprehending suspect s in public, I T m anagers m ust t hwart int ruders and at t ackers wit h as lit t le at t ent ion and disrupt ion t o t he net work as conceivably possible. How will t his be accom plished? As an I T m anager charged wit h t he reponsibilit y of building a working e- securit y m odel, you m ust first gain an underst anding of t he general operat ing and relat ed areas t hat pose securit y t hreat s t o t he ent erprise net work.

Infiltration of Rogue Applets One of t he m ost st irring concerns of open- access Web applicat ions, as well as a t rue t est t o t he effect iveness of e- securit y, is t he insidious rogue applet . Applet s are lit t le program s or rout ines t hat are t ypically downloaded by your browser t o execut e on your com put er. Applet s perform client - side funct ions on your syst em in t andem wit h t he server- side applicat ion t hat powers a part icular Web sit e. Applet s are t ypically developed wit h, for exam ple, Java. Act iveX cont rols, which are sim ilar in funct ion t o Java applet s, m ust also be screened for m alicious code. Java applet s are usually secure because of how Java operat es wit hin your syst em . Java cannot access a user's hard disk, file, or net work syst em . I n cont rast , Act iveX cont rols are very different in operat ion. Act iveX cont rols can be developed in a variet y of languages, including C, C+ + , Visual Basic, and Java. When downloaded from a Web applicat ion, Act iveX cont rols have full access t o t he Windows operat ing environm ent , m aking t hem a serious securit y risk. As im plicat ed, Act iveX cont rols are lim it ed t o Windows environm ent s only, whereas Java applet s are plat form independent . Because of t he com pat ibilit y of Act iveX cont rols wit h m any program m ing environm ent s, hackers use t hose cont rols t o develop rogue, or m alicious, rout ines. When t hey arrive, t hey can perform a variet y of at t acks, including zapping your hard disk, corrupt ing dat a, or set t ing up backdoor program s. Microsoft provides a fix of sort s t hat , when run on your syst em , allows t he Act iveX cont rols t o be aut hent icat ed before being downloaded. Using Act iveX cont rols for Web applicat ion developm ent is not as popular as using JavaScript for Web applicat ions. I n fact , alt hough JavaScript is a full script ing language, it has becom e a favorit e t ool for hackers in developing rogue code. The bot t om line is t hat you should be concerned about t he pot ent ial of rogue applet s and code in com prom ised Web sit es and Web- based applicat ions. I f your end users have Windows- based syst em s, m ake sure t hat t hey have t he necessary pat ches t o handle rogue program s, especially t hose t hat are developed wit h Act iveX cont rols and JavaScript . The ot her opt ion is t o t urn off JavaScript and Act iveX cont rols in your

browser set t ing. Because Java- based applicat ions can support Act iveX cont rols as well, you m ay also want t o deact ivat e t he browser's Java support .

Human Error and Omission I f you are responsible for securit y, cont rolling hum an error and om ission will present t he great est challenge by far in prot ect ing your net work in an open- access environm ent . I n t he federal governm ent , t he "hum an fact or" is t he num ber- one securit y- relat ed concern, according t o a 2001 art icle in Federal Com put er Week. To bring under cont rol t he various t hreat s induced by hum an errors, you m ust evaluat e t he likely areas of problem s or om issions t o securit y and inst it ut e t he appropriat e m easures. Hum an errors are m ost likely t o cause vulnerabilit ies in deploying and configuring net work devices and applicat ions, user- access procedures and pract ices, and t he applicat ion developm ent process. Configu r ing a nd D e ploying N e t w or k D e vice s a nd Applica t ion s I ll- configured net work devices, applicat ions, and securit y soft ware cause one of t he largest areas of vulnerabilit ies for net work securit y. I n Web servers, for inst ance, configurat ion errors are t ypically found in t he Com m on Gat eway I nt erface ( CGI ) program s. Am ong ot her t hings, CGI program s support int eract ivit y, such as dat a collect ion and verificat ion funct ionalit y. Too oft en, however, CGI program m ers fail t o account for t he variet y of ways CGI program m ing holes can be exploit ed. Hackers find CGI program m ing oversight s relat ively easy t o locat e, and t hey provide power and funct ionalit y on a par wit h Web server soft ware. Hackers t end t o m isuse or t o subvert CGI script s t o launch m alicious at t acks on t he sit e, such as vandalizing Web pages, st ealing credit card inform at ion, and set t ing up one of t heir m ost t rust ed weapons: backdoor program s. When a pict ure of Janet Reno was replaced wit h one of Adolf Hit ler on t he Just ice Depart m ent 's Web sit e, t he invest igat ion concluded t hat a CGI hole was t he m ost likely avenue for t he exploit . I n general, dem onst rat ion CGI program s should always be rem oved from t he product ion applicat ion before going online. The SANS I nst it ut e list s t his problem in it s t op 20 m ost crit ical I nt ernet securit y t hreat s. ( See Appendix A for a com plet e list .) Misconfigured access cont rol list s ( ACLs) in bot h rout ers and firewalls creat e anot her class of securit y vulnerabilit ies in ent erprise net works. I n rout ers, hum an error in set up m ay lead t o inform at ion leaks in cert ain prot ocols, including I CMP ( I nt ernet Cont rol Message Prot ocol) , I P, and Net BI OS ( net work basic input / out put syst em ) . This cat egory of breaches usually enables unaut horized access t o services on DMZ servers. On t he ot her hand, a m isconfigured ACL in a firewall can lead t o unaut horized access t o int ernal syst em s direct ly or indirect ly t hrough t he Web server in t he DMZ. Num erous ot her net work com ponent s can creat e configurat ion error vulnerabilit ies. The preceding exam ples are am ong t he areas t hat t end t o be m isconfigured m ost oft en. I n general, when configuring net work com ponent s, use checklist s t o ensure proper set up, t est t horoughly for desired execut ion before com ponent s go int o product ion, and harden your devices or applicat ions. Hardening net work devices involves elim inat ing or deact ivat ing ext raneous services, sam ple ut ilit ies, and program s t hat are no longer needed in t he product ion environm ent .

Use r Acce ss Pr oce du r e s a nd Pr a ct ice s One of t he sim plest problem s in hum an error but pot ent ially t he great est headache in providing effect ive securit y is poor password adm inist rat ion, which includes t he use of weak or easy- t o- guess passwords. ( See t he relat ed discussion on st rong aut hent icat ion in Chapt er 4.) The pract ice of using weak, easily guessed, and reused passwords creat es one of t he t op cat egories of concern for net work securit y vulnerabilit ies. This pract ically guarant ees a m eans for com prom ising net work servers. Most ent erprises have a policy for changing passwords at specified int ervals. Surprisingly, in such environm ent s, users t end t o writ e passwords down on t he last page of a desk blot t er or a sheet of paper t aped on t he inside of a desk drawer or a file cabinet . Or if a password isn't writ t en down in t his m anner, perhaps som et hing easy t o rem em ber, such as t he nam e of a loved one, pet , favorit e color, or som e com binat ion, is used. These pract ices are not effect ive in prevent ing passwords from being uncovered and illegally confiscat ed. According t o a June 14, 1999, U.S. News Online art icle t it led " Can Hackers Be St opped?" disgrunt led em ployees and password t hieves account for 65 percent of all int ernal securit y event s. Moreover, current research on t he " hum an fact or" reveals t hat an alarm ing am ount of evidence indicat es how frequent ly user passwords are learned by som eone sim ply calling a user and posing as a syst em adm inist rat or. Even wit h st ringent securit y policies governing t he select ion and adm inist rat ion of password use across t he ent erprise, t his area of vulnerabilit y is st ill a daunt ing challenge for securit y specialist s. To achieve effect ive password adm inist rat ion in e- business com put ing environm ent s, ent erprises are t urning t o awareness t raining for em ployees, coupled wit h incent ives and/ or penalt ies connect ed wit h accept able pract ices for password use. Ent erprises are also considering and im plem ent ing single sign- on ( SSO) solut ions t hat are offering ent erprises a cost - effect ive solut ion, especially when m ult iple passwords are required. ( See t he discussion on st rong aut hent icat ion in t he new econom y in Chapt er 4.) Applica t ion D e ve lopm e n t / Tools A growing area of concern for hum an- fact or- driven vulnerabilit ies, and a pot ent ial Pandora's box, is applicat ion developm ent pract ices and use of relat ed developm ent t ools. Applicat ion or soft ware developm ent t ools t hat are not properly m aint ained wit h pat ches or t hat are out dat ed or left in default configurat ions creat e one of t he largest sources for securit y vulnerabilit ies. Applying pat ches and enhancem ent s t o developm ent suit es in a t im ely fashion is challenging enough, especially in I T depart m ent s wit h a high rat e of eit her t urnover or act ivit ies. Beyond applicat ion developm ent t ools, however, concern is growing over t he vulnerabilit ies result ing from t he pract ices or t echniques used when program m ers writ e a given applicat ion. Prudence suggest s inst ruct ing developers t o writ e code t hat is free from com m on vulnerabilit ies and allowing securit y professionals t o review t hat code for problem s during developm ent .

Reviewing code during t he applicat ion process is not new. I n fact , it is a t hrowback t o t he days when legacy applicat ions were being developed for m ainfram e- based com put ing environm ent s. However, code was and st ill is reviewed aft er applicat ion developm ent is com plet ed, usually during bot h pre- and post t est ing st ages, which m ay also include debugging act ivit y. Code review, coupled wit h design and program m ing t im e, could be a lengt hy process, depending on t he size of t he applicat ion. Even in t he dist ribut ed processing world of fast applicat ion developm ent cycles wit h GUI - driven developm ent t ools, code review can add 6 m ont hs t o t he cycle, which in t oday's fast - paced e- business world is seen as inhibit ing t o t he business process. Yet som et hing m ust be done t o elim inat e com m on vulnerabilit ies arising from cert ain program m ing t echniques. For exam ple, nearly 40 percent of t he com m on vulnerabilit ies and exposures list ed in t he Com m on Vulnerabilit ies and Exposures ( CVE) dat abase, an indust ry reposit ory of various classes of soft ware vulnerabilit ies, are buffer overflows. The CVE dat abase is sponsored by The MI TRE Corporat ion, a not - for- profit solut ion provider. I f program m ers are t rained t o avoid buffer overflows, such incident s can be reduced by 40 percent . To address t his crit ical area, one approach involves including securit y specialist s t hroughout t he volat ile code- writ ing st age of applicat ion developm ent t o ensure t hat com m on securit y vulnerabilit ies are precluded from t he final applicat ion. I n effect , wit h t he securit y and program m ing t eam working t oget her t hroughout rat her t han aft er t he ent ire cycle t he pot ent ial risks are m it igat ed wit hout slowing down developm ent . Approaching an im port ant securit y issue in t his m anner com plem ent s a life- cycle e- securit y program because hackers have fewer vulnerabilit ies t o exploit over t he long run. Code review t hat involves securit y t eam s is a best pract ice and should be im plem ent ed for applicat ions developed in- house. Unfort unat ely, however, t his int ernal act ivit y provides no rem edy for vulnerabilit ies program m ed in vendordeveloped applicat ions. One alt ernat ive is t o request t hat an independent securit y code review be perform ed as a condit ion of purchasing t he vendor applicat ion of int erest . The fast pace of e- business m arket s—and m ost m arket s, for t hat m at t er—is an inhibit or t o such st ipulat ions being im plem ent ed on a regular basis, if at all. Owing t o t he serious im plicat ions of t his issue, t hough, som e vendors m ay incorporat e a securit y review when writ ing t heir respect ive applicat ions. I n t he m eant im e, unt il doing so becom es an indust ry pract ice, m ake cert ain t hat pat ches and upgrades are applied t o vendor applicat ions as soon as t hey are released. Applying pat ches on a regular basis will reduce t he risks associat ed wit h vulnerabilit y- exploit ed at t acks. For exam ple, you m ight be aware of a securit y hole in t he Rem ot e Dat a Services ( RDS) feat ure of Microsoft 's I nt ernet I nform at ion Server ( I I S) . I I S is deployed on m ost Web servers operat ing under Windows NT or 2000. Program m ing flaws in RDS are being exploit ed t o gain adm inist rat or privileges t o run rem ot e com m ands for m alicious int ent . This vulnerabilit y is list ed on t he SANS I nst it ut e's list of t he t op 20 m ost crit ical I nt ernet securit y t hreat s. I f you haven't inst alled all t he lat est pat ches and upgrades t o I I S, inform at ion on t he fix can be obt ained from t he Microsoft sit e: www.m icrosoft .com / t echnet / securit y/ bullet in/ m s98–004.asp.

Ongoing Change in the Enterprise Network Going for t he " brass ring" in e- business is m ore t han an acknowledgm ent of change; it is t he ult im at e realizat ion t hat e- business channels are t he logical, and perhaps even t he only, choice for achieving business goals in a world t hat is cont inually changing. E- business channels are built on I nt ernet t echnologies, which provide t he flexibilit y, scalabilit y, and adapt abilit y ent erprises need t o t hrive in dynam ic m arket places t hat are in an ongoing st at e of flux. That 's t he upside. However, t he downside is t hat t he t echnologies used t o build and t o sust ain ebusiness channels are by nat ure insecure. And when net works are cont inually being scaled, m odified, or expanded t o accom m odat e a j ust - in- t im e business m odel, t hose changes creat e anot her pot ent ial layer of securit y issues over and above inherent vulnerabilit ies. The areas t hat t end t o change t he m ost in response t o e- business init iat ives are rem ot e- access point s, int ernal host expansion, and aut onom ous operat ing depart m ent s. Re m ot e - Acce ss Point s Connect ing rem ot e users int o t he ent erprise net work has always creat ed dist inct challenges for I T depart m ent s, even in privat e or virt ually privat e net works. But as long as net works rem ained privat e, rem ot e user connect ions could be cont rolled t hrough a m anageable, st raight forward process because locat ions of rem ot e perim et er point s were known. I n cont rast , rem ot e perim et er point s in t he e- business channel m ay or m ay not be known. ( Refer t o t he sect ion The I m pact of Open Access in Chapt er 4.) For exam ple, you m ay have unknown rem ot e- access servers providing gat eways int o t he ent erprise net work. Or, rem ot e host s m ay be connect ed by m odem int o an unaut horized rem ot e- access server t hat circum vent s t he firewall and secure dial- in procedures, t hat is, VPNs. Or, secured rem ot e users m ay be connect ing t o insecure net works of business part ners. Unsecured rem ot e users of business part ners m ay be at t em pt ing access t hrough rem ot e cont rol program s, such as Carbon Copy or pcAnywhere, connect ing t hrough an unaut horized rem ot e- access server. These sit uat ions could com prom ise net work securit y. However, t he m ost com m on securit y exposures originat e from unsecured and unm onit ored rem ot e- access point s. Unprot ect ed rem ot e host s are suscept ible t o viruses and incursions from backdoor program s, which can st eal inform at ion and alt er t he cont ent s of direct ories. Back Orifice is a classic exam ple of a backdoor hacker t ool t hat can com plet ely t ake over t he operat ion of rem ot e- access point s—host s—by gaining adm inist rat or- level cont rol. Even secure rem ot e- access point s, where st rong aut hent icat ion and/ or dial- up VPNs are in use, can provide vulnerabilit ies. For exam ple, even t hough VPNs scram ble all dat a involved in t he t ransm issions, backdoor program s could piggyback int o t he rem ot e host and find ent ry point s int o t he host 's direct ory or hard disk t hrough unut ilized services, such as SMTP ( Sim ple Mail Transfer Prot ocol) or FTP ( File Transfer Prot ocol) . Effect ive handling of rem ot e- access point s in an open- access environm ent requires diligence, a robust securit y policy, and a firewall ret rofit t ed wit h dynam ic securit y surveillance capabilit ies, such as an int rusion det ect ion syst em .

I n t e r na l H ost Con side r a t ion s As e- business init iat ives grow, int ernal host expansion, which includes workst at ions and servers, could present t he broadest areas of concern for I T m anagers. Workst at ion and server host s are being added at any given t im e eit her increm ent ally or during depart m ent or corporat e- level t echnology refreshm ent cycles. Many ent erprises have a policy t o refresh all ent erprise servers and deskt ops every 2 t o 3 years, on t he average. Or, host s are refreshed aft er every second generat ion of t echnology advancem ent s. I n bet ween cycles, int ernal host s are being added, m oved, or changed t o m irror t he dynam ics of e- business realit y. When host s are deployed and go online, obsessive diligence is required t o cont rol pot ent ial securit y issues in open- access environm ent s. I f suppliers or cust om ers are connect ed t o t he ent erprise's net work, you probably cannot do m uch t o secure t heir net works. That responsibilit y lies wit h t hem , even wit h t heir support and buy- in t o connect t o your ext ranet . The effect iveness of t he securit y m easures t hey inst it ut e depends on skill level and, ult im at ely, t he securit y policy t hat governs t he rules of engagem ent from t heir perspect ive. You probably will also have no cont rol of how oft en your business part ners will add, m ove, and change net work host s in t heir environm ent s. Host s running unnecessary services, especially such services as FTP, SMTP, or DNS ( dom ain nam e service) , provide num erous avenues for int ruders. For exam ple, t he Berkeley I nt ernet Nam e Dom ain ( BI ND) package is t he m ost popular im plem ent at ion of one of t he I nt ernet 's ubiquit ous prot ocols: DNS. DNS is t he im port ant ut ilit y t hat is used t o locat e dom ain nam es in t he form at www.xyz.com inst ead of num eric I P addresses. Wit hout DNS, we would be forced t o rem em ber Web sit es by num eric charact ers and periods. I n a 1999 survey by t he SANS I nst it ut e, 50 percent of all DNS servers connect ed t o t he I nt ernet were found t o be running vulnerable versions of BI ND. Through a single vulnerabilit y in BI ND, hackers were able t o launch at t acks against hundreds of syst em s abroad. At t ackers erased t he syst em logs and gained root access t o t he host s in quest ion. I n t his sit uat ion, t he fix was relat ively sim ple. The BI ND nam e ut ilit y was disabled on unaut horized DNS servers ( host s) and pat ched on aut horized DNS servers. Only UNI X and Linux syst em s were affect ed. ( See Appendix A for t he t op 20 vulnerabilit ies.) Deploym ent of host s m ay creat e ot her problem s as well. Syst em adm inist rat ors m ay leave excessive file and direct ory access cont rols on NT- or UNI X- based servers or allow user or t est account s wit h excessive privileges. I n bot h cases, excessive direct ory cont rols or user privileges provide vulnerabilit ies and exposure for exploit at ion. I f t hese issues aren't addressed, t hey provide an ongoing level of securit y risk t o t he ent ire net work every t im e a host goes online. I n t he m eant im e, if you are t he sponsor of t he ext ranet , you m ust im plem ent t he policies, procedures, and overall m easures t hat prot ect t he privacy and int egrit y of t he ent ire com put ing environm ent . You m ay need t o provide a gent le rem inder t o your count erpart s in part ner organizat ions about t he pot ent ial securit y risks caused by excessive user privileges, unnecessary host services, and relat ed problem s as well. M a ve r ick Ope r a t ing D e pa r t m e n t s Perhaps it is a lit t le unfair t o classify t his sect ion as such. However, if you are an I T m anager, you can relat e t o t his cat egory. Every I T m anager has dealt wit h a depart m ent t hat is difficult t o please or is never sat isfied even when it get s what it

asked for. The m anagers, t ypically im pat ient , will do t hings t hat ot her depart m ent s are supposed t o do for t hem , such as hire st aff m em bers who should work for t hose depart m ent s. I ndependent ly operat ing depart m ent s are where you are likely t o find, for exam ple, t he addit ion of an insecure NT- based Web server t hat t he depart m ent has set up on it s own. Such a depart m ent m ay have ot her syst em s t hat circum vent ent erprise securit y policy and perhaps present securit y exposure t o e- business applicat ions. I n e- business environm ent s, t he corporat e securit y policy should disallow applicat ions t hat are developed by such depart m ent s t o go online unless t hey are sanct ioned wit h t he appropriat e securit y cert ificat ions. Get t ing independent ly operat ing depart m ent s t o conform t o ent erprisewide securit y policy m ay be a daunt ing challenge, especially if t he I T depart m ent 's funct ion is perceived t o be decent ralized or not fully support ed by execut ive m anagem ent . I f you are confront ed wit h a sit uat ion like t his, t he ent erprise securit y policy will never be fully adhered t o unless t he I T depart m ent has t he full support of execut ive m anagem ent . Lack of accept ed and officially sanct ioned securit y policies, procedures, guidelines, and perhaps even a m inim um baseline for st andards is a significant underlying cause for vulnerabilit ies and exposure.

Deploying and Maintaining Complex Layered Client/Server Software The I nt ernet support s a dizzying array of com put ing soft ware suit es t hat can be com bined int o a m addening num ber of com put ing environm ent s t hat operat e under various flavors of UNI X, Linux, NT, and m ore recent ly, Windows 2000. The I nt ernet also support s num erous prot ocols for com m unicat ing m ult im edia, EDI ( elect ronic dat a int erchange) , plaint ext , and encrypt ed dat a. More im port ant , no m at t er what suit e of soft ware is used t o develop your e- business applicat ions, if it can be I nt ernet enabled, com m unicat ions can t ranspire am ong a huge variet y of com put ing environm ent s. However, t here is bot h good news and bad news. First , bad news: Many I nt ernet t echnologies are insecure; it 's sim ply a quest ion of degree. For one t hing, TCP/ I P is inherent ly insecure and is t he basis for all com m unicat ions t hroughout t he I nt ernet . As for operat ing syst em s, NT and Windows 2000 have m ore securit y vulnerabilit ies t han UNI X, but hackers are st ill able t o achieve adm inist rat or or root access, respect ively, t hrough a variet y of m eans. Of t he Web developm ent t ools, JavaScript poses m any m ore of t he securit y issues t han, say, J2EE or Java. ( See t he sect ion I nfilt rat ion of Rogue Applet s earlier in t his chapt er.) Alt hough Web present at ions creat ed by t hese t ools can be unbelievably spect acular, hackers can com prom ise Java- and JavaScript - based sit es, especially if Java- based sit es incorporat e Act iveX cont rols. Applet s result ing from t hese com prom ised syst em s can creat e gaping holes t hrough net work securit y. The good news is t hat wit h life- cycle securit y m easures, you can prot ect your ebusiness com put ing environm ent wit h it s com plem ent of client / server soft ware layer by layer. But first , you need t o appreciat e t hat t he pot ent ial for vulnerabilit ies exist s on every operat ing layer of t he e- business applicat ion ( see Figure 5- 1) .

Figu r e 5 - 1 . Vu ln e r a bilit y sou r ce s in com ple x clie n t / se r ve r soft w a r e a pplica t ion s

Cont em plat ing t he vast num ber of soft ware syst em s pot ent ially available for creat ing com plex e- business applicat ions and t he t ot al num ber of com m on vulnerabilit ies and exposures at any given t im e boggles t he m ind! For inst ance, t he CVE dat abase cont ains m ore t han 1,600 ent ries. The CVE dat abase init iat ive is a concert ed effort t o st andardize vulnerabilit y ident ificat ion—nam es—t hereby increasing int eroperabilit y am ong securit y t ools. This init iat ive t o creat e a com m on lexicon of vulnerabilit ies is support ed by business, governm ent , and ot her inst it ut ional concerns. ( For m ore on CVE, see Chapt er 11.) Fort unat ely, t he soft ware syst em s and t ools you are using t o develop and t o build your e- business channel are m ost likely a m anageable num ber. The point is t hat , no m at t er how large t he ent erprise client / server soft ware pool is, you need t o have a com plet e account ing of t he soft ware t it les, release levels, and/ or version num bers t hat are support ing product ion environm ent s. Just having t his account abilit y is a crit ical st ep and will be inst rum ent al in m inim izing t he im pact of pot ent ial vulnerabilit ies.

Anot her im port ant st ep is facing up t o t he realit y t hat vulnerabilit ies exist t hroughout t he operat ing layers of t he applicat ion suit e: from t he operat ing syst em t o t he applicat ions t hem selves ( see Figure 5- 1) , especially in I nt ernet - based t echnologies. Vulnerabilit ies also exist in running services. Running services are t he prot ocols, ut ilit ies, subrout ines, obj ect s, and so on, t hat applicat ions use, call, or require inst ruct ions from when running in product ion operat ing m ode. Exam ples of running services t hat applicat ions use or call include aut om at ic execut ion of .VBS ( Visual Basic Script ) files or JavaScript on t he applicat ion level, Net BI OS funct ionalit y on t he operat ing syst em level, or SMTP or FTP on t he net work com m unicat ions level. Perhaps t he m ost - overlooked sources of vulnerabilit ies are default set t ings and passwords, dem o account s, and user guest account s. When set t ing up com plex syst em s, it is easy t o m iss sim ple t hings, such as addressing t he issues of default set t ings. For exam ple, SNMP ( Sim ple Net work Managem ent Prot ocol) is a favorit e ut ilit y of net work adm inist rat ors, who use it t o m onit or and t o adm inist er a variet y of net work- connect ed devices, such as rout ers, print ers, and host s. SNMP uses an unencrypt ed " com m unit y st ring" as it s only aut hent icat ion m echanism . The default com m unit y st ring used by t he vast m aj orit y of SNMP devices is " public." Som e vendors change t he designat ion of t he com m unit y st ring from " public" t o " privat e." However, at t ackers use t his vulnerabilit y t o reconfigure and/ or t o shut down devices rem ot ely. Anot her favorit e default - set t ing t arget of hackers are adm inist rat or account s wit h default passwords included wit h dat abase m anagem ent syst em s, for exam ple, or default m aint enance account s of services in UNI X or NT wit h no passwords. I n eit her scenario, at t ackers guess default passwords or access services not password prot ect ed, t o gain access t o root or adm inist rat ive privileges in host s, including t hose behind firewalls. Default set t ings are list ed in t he SANS I nst it ut e's list of t op 20 vulnerabilit ies. ( See Appendix A.) Finally, in deploym ent of com plex layered client / server soft ware, flaws, bugs or ot her funct ional defect s are a crit ical source of vulnerabilit ies t hat are popular t arget s exploit ed by hackers. To m inim ize t he im pact of flaws or bugs in t he applicat ion program s, you should be diligent in applying pat ches and updat es t o t he soft ware. Oft en, pat ches are a response t o securit y breaches aft er a discovery is m ade known t o t he soft ware vendor by a user group, for exam ple. Alt hough a part icular bug or a funct ional weakness m ay not have affect ed your net work, inst alling t he pat ches ensures t hat t he bug or flaw in quest ion will not affect your applicat ion in t he fut ure. I n sum m ary, you have t o address four classes, or cat egories, of vulnerabilit ies in com plex client / server soft ware inst allat ions: soft ware bugs, m isconfigured devices, default set t ings, and availabilit y of unnecessary services. Figure 5- 2 recaps t hese im port ant classes of vulnerabilit ies in e- business environm ent s.

Figu r e 5 - 2 . Vu ln e r a bilit y ca t e gor ie s in com ple x clie n t / se r ve r a pplica t ion s

Shortage of Human Capital One of t he great est challenges for achieving effect ive e- securit y is using t he professional t alent t o execut e an effect ive life- cycle securit y program . I n general, skilled I T professionals are in short supply, especially I T securit y professionals. The num ber of I T securit y personnel is m uch less t han .1 percent of t he t ot al ent erprise em ployee populat ion. To put t his in perspect ive, in organizat ions wit h 100,000 em ployees, it is not unusual t o find fewer t han 25 securit y specialist s. I n m edium t o sm all ent erprises, t he securit y- st affing rat io quickly dim inishes t o zero. An im port ant branch, consist ing of 22,000 individuals, under a crit ical federal agency has only one securit y specialist . Coincident ally, t his branch has been hacked num erous t im es, including from China. The m ain reason securit y expert ise is lacking is direct ly at t ribut able t o years of neglect in bot h t he academ ic and professional worlds, owing t o t he paucit y of educat ion and t raining curriculum and program s. Anot her reason t hat e- securit y professionals are scarce is t he percept ion, and it 's only a percept ion, t hat cost effect ive securit y is com plex. I T m anagers in general believe t hat t he abilit y t o find

securit y t alent well versed across syst em s, operat ing environm ent s, net work prot ocols, m iddleware, I nt ernet - based t echnologies, and applicat ions is rare indeed. To exacerbat e t he problem , t o ident ify securit y professionals who can work successfully wit h e- business m anagers is not unlike searching for a needle in a hayst ack. To address t his severe short fall in securit y specialist s, academ ic, business, and governm ent inst it ut ions are developing and inst it ut ing securit y curriculum s and program s. For exam ple, Purdue, I daho St at e, and Jam es Madison universit ies are offering degree program s in I T securit y. I n t he m eant im e, securit y com panies, such as Axent Technologies, I nt ernet Securit y Syst em s, Cisco Syst em s, and Net Sonar, are providing securit y t ools t hat enable ent erprises t o achieve e- securit y goals by leveraging lim it ed securit y st affs.

Rigidity of Enterprise Security Policy An inflexible securit y policy can creat e vulnerabilit ies in t he securit y infrast ruct ure in t he sam e way t hat a weak securit y policy would. However, a flexible securit y policy is difficult t o achieve, part icularly in an environm ent t hat is support ing open access t o inform at ion asset s. Developing a t horough and achievable securit y policy is a best pract ice, but if t he ent erprise perceives it t o be t oo rigid, users will circum vent t he guidelines in t he nam e of pursuing business goals. For t his reason, an exhaust ive review of t he ent erprise's business processes should be com plet ed t o det erm ine t heir alignm ent wit h business obj ect ives. I f, for exam ple, a depart m ent part icipat es in regular chat room discussions, t he securit y policy should reflect t his and allow AI M/ I CQ ( AOL I nst ant Messenger/ " I seek you" ) com m unicat ions t hrough t he firewall. But in doing so, it should also not e when t hese chat s t ake place. I f t he AI M/ I CQ sessions t ake place every Tuesday and Thursday m orning and you suddenly see a session happening at 9: 00 am on Sat urday, t his act ivit y is suspicious at best . To elim inat e any pot ent ial vulnerabilit y, t he securit y policy should not allow any AI M/ I CQ sessions for t he t wo hours before noon on Tuesday and Thursday. I f m ore flexibilit y is desired, t he ot her t hree days of t he work week can also be designat ed t o support addit ional newsgroup act ivit y. Building a securit y policy for one depart m ent , let alone an ent ire ent erprise, can be an ext ensive, t im e- consum ing process. Nevert heless, t hat process m ust be undert aken t o achieve an agile securit y policy for an open- access com put ing environm ent . Ot herwise, users will circum vent t he securit y policy t o pursue act ivit ies t hey believe are in t he best int erest of perform ing t heir dut ies. I f t he securit y policy is not robust enough t o support t hese act ivit ies, t he ent ire e- business environm ent is exposed t o risk from securit y violat ions.

Tools for Rearming the IT Manager The purpose of t his book is t o m ake you a general of e- securit y deploym ent , readiness, and resolut ion. The abilit y t o wage an effect ive cam paign of securit y against t hreat s in t he wild—a nam e t hat is growing in popularit y for t he I nt ernet — and from wit hin t he ent erprise will require a t ot al refocusing, perhaps even a m et am orphosis, of t he ent erprise: from end users t o t he CEO. I nst it ut ing a com prehensive life- cycle e- securit y program for t he ent erprise's e- business init iat ives will generally require changing t he way t he ent ire ent erprise regards

net work securit y. Making t his happen is a m onum ent al t ask but can be achieved wit h relat ively sim ple but evolut ionary guidelines.

Guidelines for E-Security One guideline of crit ical im port ance involves convincing t he ent ire user populat ion t hat everyone is responsible for prot ect ing t he net work. This will prove t o be t he m ost crit ical underlying t ask for effect ive e- securit y. Each em ployee, including t he CEO, m ust becom e a securit y officer, som eone who is direct ly responsible for t he securit y risks t hat m ay be generat ed from his or her individual work act ivit y. This, of course, cannot be achieved overnight , because em ployees m ust first gain an underst anding of what t hose risks are or at least what behaviors t hreat en t he securit y of t he ent erprise's net work. At a m inim um , t herefore, a program of int roduct ory, refresher, and j ob- specific safeguards should be im plem ent ed. I n em powering each individual, you can be creat ive. Make sure, however, t hat cost s for an ent erprisewide t raining program are kept in proport ion t o t he cost s of your overall life- cycle securit y program . Anot her guideline is deciding what level of exposure t o risk is accept able t o t he organizat ion's com put ing environm ent . The answer could range from a zero t olerance t o accept ance of som e risk. For exam ple, t he concerns of a defense cont ract or bringing suppliers online t o support classified proj ect s m ight be m ore farreaching t han t hose required by an apparel m anufact urer connect ing wit h it s suppliers. The defense cont ract or m ight decide t hat a host - based I DS t hat prot ect s individual user host s, as well as a net work- based I DS and personal firewalls, would be needed. I n cont rast , t he apparel m anufact urer m ay det erm ine t hat only a net work- based I DS, along wit h a corporat e firewall, would do t he t rick. I n short , requirem ent s for e- securit y will vary from ent erprise t o ent erprise. Don't ant icipat e any uniform it y of requirem ent s, because t here are no cookie- cut t er e- securit y solut ions. Anot her crucial guideline for est ablishing com prehensive e- securit y is det erm ining your net work's perim et er. I n open- access e- business environm ent s, t he net work's perim et er is t ypically difficult , if not im possible, t o discern. However, a concert ed effort m ust be m ade t o det erm ine whet her t he net work's perim et er can be ascert ained wit h reasonable cert aint y. I n B2B environm ent s, t he m ore nebulous t he perim et er of t he net work, t he st ronger t he aut hent icat ion syst em should be. I n ot her words, if you bring on several m ult inat ional suppliers, each support ing a variet y of client s in a variet y of m arket s, t he m ore likely you will not know where t he perim et er of your ext ranet will fall. You m ay st art off wit h a connect ion t o a cert ain office wit h cert ain individuals. Aft er a consolidat ion, reorganizat ion, m erger, or ot her developm ent s, for exam ple, you m ay end up wit h anot her office m anaged by new individuals. Therefore, t he pot ent ial for change m ay creat e a m ore nebulous or indist inct net work perim et er. Generally, t he m ore nebulous your net work's perim et er, t he st ronger t he user aut hent icat ion syst em you should use. A digit al cert ificat e server and/ or biom et rics are perhaps t he st rongest user aut hent icat ion available for aut horizing individual access. I n ot her environm ent s, a t wo- fact or aut hent icat ion syst em using sm art cards wit h relat ed access servers m ight be sufficient . What ever t he case m ay be, t he great er t he risks in cont rolling aut horized access t o your net work, t he st ronger t he user aut hent icat ion should be.

To recap, t he following guidepost s are crit ical t o t he est ablishm ent of an effect ive lifecycle securit y program . • • •

E- securit y is t he responsibilit y of all ent erprise users. Det erm ine what level of risk exposure is accept able. The m ore nebulous t he perim et er is—t he m ore open t he environm ent is—t he st ronger t he user aut hent icat ion should be.

Ensuring t hat t hese guidelines are followed is an it erat ive process. For inst ance, it m ay t ake several t raining or awareness sessions before users acquire t he m indset and behavior t hat cont ribut e t o an effect ive e- securit y program . Furt her m ore, t he great er t he num ber of user I Ds and passwords an individual requires t o perform his or her j ob, t he m ore resist ance you will encount er before st rong passwords are used consist ent ly, especially if t hey are m ore difficult t o rem em ber and should be changed at regular int ervals. Therefore, as you im plem ent your e- securit y m easures, m ake im plem ent ing t hese guidelines your m andat e. At som e point , you will consist ent ly see use of st rong passwords; know t he securit y st at us of t he net work in t erm s of accept able levels of risk and cont rol aut horized access t o inform at ion asset s even if t he net work's perim et er cont inually changes. Make sure t hat you at t ain t he result s t hat you want , even if you don't realize t hem unt il aft er your securit y m easures begin t o be im plem ent ed. The st rengt h of your esecurit y program depends on how closely you m eet t hese crit ical guidelines. Aft er t hey are sufficient ly addressed, you can begin or cont inue t o t ackle t he est ablishm ent of your ent erprise's life- cycle securit y syst em .

Enterprise Security Policy I m plem ent ing a life- cycle securit y program will probably be one of t he m ost im port ant I T proj ect s of your career. I f im plem ent ed properly, e- securit y will not only prot ect your net work's perim et er and infrast ruct ure but also enable e- business. ( See t he sect ion How E- Securit y Enables E- Business in Chapt er 2.) I n general, an e- securit y program is fashioned from t he effect ive int egrat ion of five processes and t heir relat ed t ools: securit y policy m anagem ent , risk m anagem ent and assessm ent , vulnerabilit y m anagem ent , t hreat m anagem ent , and at t ack- survival m anagem ent . Not e t hat as discussed in Chapt er 2, an e- securit y program is essent ially t he risk m anagem ent process for net work securit y, coupled wit h at t acksurvival m anagem ent . The e- securit y process encom passes t he m et hodologies and t ools t hat enable you t o t ailor a life- cycle securit y solut ion for your specific needs. Because of t heir crit ical im port ance, each of t hese five subj ect areas is discussed in a separat e chapt er. Therefore, t his chapt er will not go int o any furt her det ail. The im port ant fact t o rem em ber here is t hat t hese processes are t he building blocks of esecurit y. They provide t he necessary t ools t o deploy precision count erm easures t hat are designed t o t hwart front al and guerilla hacker incursions and int ernal sabot eurs. I f you have built an int ranet , ext ranet , B2C channel, or public server in t he DMZ, m ost likely it was developed t o conform t o t he securit y policy of t he ent erprise. The t ype, breadt h, and effect iveness of your securit y m easures are only as st rong as t he relat ed securit y policy. The securit y policy defines who is aut horized t o access t he ent erprise's inform at ion asset s and int ellect ual capit al, along wit h t he st andards and

guidelines about how m uch and what kinds of securit y m easures are necessary and t he procedures required t o im plem ent t hem . I n m any organizat ions, t he securit y policy is not a living docum ent but rat her an art iculat ed underst anding est ablished by t radit ion and general business pract ices. I n all circum st ances, a writ t en securit y policy is a best pract ice. I n closed net works, an unwrit t en securit y policy hinders t he set up and im plem ent at ion of firewalls, VPNs, and aut hent icat ion syst em s. An unwrit t en securit y policy also fost ers circum vent ion by m averick em ployees and depart m ent s, lim it s consist ency of underst anding by t he general populace, and m akes it difficult , if not im possible, t o enforce disciplinary m easures when violat ions occur. I n open net works, such as an ext ranet or a public DMZ, an unwrit t en securit y policy increases t he securit y risks t o inform at ion asset s, regardless of t he securit y m easures in place. For exam ple, if left t o personal int erpret at ion or j udgm ent , a public Web server in t he DMZ m ight also serve as an FTP server. Because of t he pot ent ial and inherent vulnerabilit ies in bot h syst em s, a Web server, especially an FTP server, should never be housed on t he sam e physical server, especially when it resides out side t he firewall. I n general, FTP servers m ust keep port s open t o accom m odat e pot ent ially heavy file t ransfer requirem ent s. ( I f you are using a st at eful inspect ion firewall, you need t o have only a single TCP port open for inbound t raffic but m ust be able t o have t he FTP server est ablish m ult iple UDP connect ions for out bound t raffic.) At a m inim um , FTP servers are vulnerable t o probing at t acks, as well as t o t he use of unencrypt ed passwords, buffer overflows, and bot h t he PORT and SI TE com m ands. An experienced net work engineer would never put an FTP server t oget her wit h ot her services. However, a less experienced engineer or financial const raint s m ight m ake t his a realit y. A writ t en securit y policy would prevent such securit y risks by clearly st at ing t he requisit e guideline( s) for a given sit uat ion and t he result ing repercussion in t he event of a violat ion. Running open- access com put ing environm ent s wit hout a writ t en securit y policy is like playing Russian roulet t e indefinit ely. Alt hough t he revolver has only one bullet , t he weapon is st ill loaded, and it 's going t o get you. Therefore, writ e down your securit y policy. Typically, a securit y policy should be no m ore t han t hree t o five pages and have a life of t hree or m ore years. Most im port ant , t he securit y policy should be writ t en so t hat it is resilient t o change. ( See Chapt er 10 for m ore on securit y policy developm ent .) A writ t en policy elim inat es vulnerabilit ies t o t he securit y precaut ions t hat are inst it ut ed, facilit at es t he im plem ent at ion of new securit y m easures, increases t he general underst anding of securit y, and sim plifies t he abilit y t o legislat e disciplinary m easures when violat ions occur. As you bring on business part ners, your securit y policy should reflect t he various t ypes of inform at ion t hat t hey are allowed t o access. What ever diligence or securit y m easures t hey m ust inst it ut e t o connect t o t he ext ranet should be clearly delineat ed, com plet e wit h t he recom m ended procedures about how t he relat ed m easures are im plem ent ed. I n general, consult wit h your business part ners when penning t he securit y policy, and give t hem a copy when t he policy is com plet ed. I f t he ent erprise already has a writ t en policy, it m ay require revam ping t o sanct ion t he e- business init iat ives t hat execut ive m anagem ent is pursuing or is planning t o pursue. Even if it has been changed before t he current life cycle has expired, t he present securit y policy should be reengineered t o accom m odat e e- business

init iat ives. I m plem ent ing t he securit y policy in your ent erprise will be challenging enough. But wit h your business part ners on board and governed by t he securit y policy, risk and exposure t o your net work are dram at ically reduced from t heir net works, and you inherit a fight ing chance in providing a safe com put ing environm ent for everyone.

Summary I deally, you now have a bet t er appreciat ion of what you should address t o est ablish ent erprisewide e- securit y. Many of t he deploym ent , com put ing, and relat ed business act ivit ies t hat creat e vulnerabilit ies in t he ent erprise net work can be m anaged before any specialized securit y m easures are purchased. Cont rolling several key sources of vulnerabilit ies by applying pat ches, hardening operat ing syst em s, elim inat ing ext raneous services in host s and servers, elim inat ing default passwords and account s, and configuring devices correct ly can be accom plished t hrough oldfashioned perseverance. Ot her vulnerabilit ies, caused by program m ing short com ings, can be cont rolled by radical new procedures, such as independent code reviews. St ill, m anaging ot her vulnerabilit ies creat ed by rem ot e- access scenarios m ay require a financial out lay for st rong aut hent icat ion, but in open- access environm ent s, such acquisit ions are pot ent ially j ust ified. The securit y policy should be penned aft er an exhaust ive review wit h all st rat egic business concerns, because t he policy should relat e direct ly t o current needs and proj ect ed requirem ent s during t he life of t he policy. The st eps you should t ake t o im plem ent t he suggest ions in t his chapt er could possibly be im plem ent ed wit h available st aff. I f st aff is lim it ed, you m ight consider using scanning or int rusion det ect ion t ools t o concent rat e your focus. Regardless of your part icular circum st ances, falling short of accom plishing t he suggest ions given in t his chapt er will com prom ise t he effect iveness of your e- securit y program before it is out of t he blocks. Therefore, arm yourself wit h t hese count erm easures; you are in a new arm s race, for cert ain.

Part III: Waging War for Control of Cyberspace Up t o t his point , you have acquired a general underst anding of what esecurit y ent ails and what 's at st ake: e- business. You also know t hat prot ect ing your inform at ion asset s is crit ical t o achieving business goals in open- access environm ent s. The ext ent t o which you pursue ebusiness init iat ives depends on how well you prot ect inform at ion asset s and relat ed net working infrast ruct ure. I n ot her words, t he ult im at e goal of your e- securit y program should be t o enable ebusiness: alt ernat ive revenue st ream s, virt ual supply chains, preem pt ive m arket ing advant age, st rat egic part nerships, and com pet it ive advant age. We now m ove from concept t o realit y and look at t he developm ent s, knowledge base, solut ions, and st at us of e- securit y. Part I I I begins by reviewing t he at t ack t ools and weapons t hat hackers use t o exploit com m on and not - so- com m on vulnerabilit ies ( Chapt ers 6 and 7) . Chapt ers 8–11 focus on surviving an at t ack: what t o do in it s aft erm at h and count erm easures needed for t hwart ing a cunning adversary and pot ent ial infilt rat or ( Chapt er 8) . Chapt er 9 looks at dealing wit h dist ribut ed denial- of- service ( DDoS) at t acks. Chapt er 10 discusses various count erm easures t hat can be deployed at various net work- operat ing layers, such as t he rout er and operat ing syst em . Chapt er 11 discusses t he deploym ent of securit y archit ect ure in layers.

Chapter 6. Attacks by Syntax: Hacker and Cracker Tools This chapt er reviews t he t ools, t echniques, and st rat egies of hackers and crackers in det ail. Hacker t ools or weapons are easily accessible and t ypically obt ained by downloading t hem from t he I nt ernet . I n som e cases, t he hackers are well organized and m anaged, such as t he Cult of t he Dead Cow, aut hors of t he Back Orifice series of backdoor program s. Organized hackers are t he perpet rat ors we should be very concerned wit h. I n ot her cases, t hey aren't so organized; inst ead, t heir at t acks are random and opport unist ic. Nonet heless, t he effect s of t heir at t acks m ay range from m ayhem , which causes lost worker hours t o fight t he spread of viruses or t o rest ore defaced Web pages, t o m alicious, which includes DDoS and out right dest ruct ion of inform at ion asset s and int ellect ual capit al.

Inherent Shortcomings of TCP/IP Much of t he securit y woes of e- business channels can be at t ribut ed t o t he inherent short com ings of TCP/ I P, t he underlying I nt ernet prot ocol. The TCP/ I P designers worked in low- securit y academ ic research environm ent s. TCP/ I P was developed for use wit h t he ARPANET, t he predecessor of t he I nt ernet . When TCP/ I P was developed, securit y was not a m aj or concern. The designers were int erest ed m ost ly in developing an operat ing syst em t hat would be com pat ible across het erogeneous plat form s but t hey were also charged wit h creat ing com put ing environm ent s in which inform at ion could be freely shared wit hout unnecessary rest rict ions. ( I nform at ion want s t o be free: Does t his sound fam iliar? The I nt ernet prot ocol suit e, known as TCP/ I P, was designed in lowsecurit y academ ic research environm ent s in California and Massachuset t s. I n t he early days ( t he Sixt ies) , universit y com put er depart m ent s provided a con genial environm ent where creat ivit y flourished; openness and considerat ion for ot hers were considered t he norm . I n t his environm ent , som e users considered securit y rest rict ions undesirable, because t hey reduced accessibilit y t o freely shared dat a— t he hallm ark of t he com m unit y in t hose days. Securit y rest rict ions m ake it m ore difficult t o access dat a. What is t he point of such rest rict ions, if access is inherent ly valuable?[ 1] [ 1]

Excerpt ed from Building a St rat egic Ext ranet , Bryan Pfaffenberger, I DG Books, 1998, p. 91.

Therefore, t here was a t radeoff of great er securit y in favor of great er support for het erogeneous syst em s. Ult im at ely, only a base level of securit y was im plem ent ed in TCP/ I P. For exam ple, t he prot ocol incorporat es only user I Ds and passwords t o provide a rudim ent ary level of aut hent icat ion. Also, I P address screening was built int o t he prot ocol t o prevent users from accessing a net work unless t hey com e from t rust ed dom ains. Unfort unat ely, bot h m easures were and st ill are ineffect ive. Passwords in TCP/ I P syst em s are oft en easily guessed or int ercept ed wit h packet sniffers. I P address

screening does lit t le or not hing t o t hwart I P spoofing, prim arily because t his feat ure doesn't cont ain any m echanism for verifying t he aut hent icat ion of incom ing dat a packet s or ensuring t hat t he packet s are com ing from t he dom ains t hey should be com ing from . I n ot her words, if t he I P address of a t rust ed dom ain is confiscat ed and is used t o fake or t o spoof t he source of an I P t ransm ission, TCP/ I P has no way of verifying whet her t he dat a is com ing from t he t rust ed dom ain or elsewhere. TCP/ I P also yields securit y holes when it is im properly configured. For t his reason, it is im port ant t hat TCP/ I P be configured t o deliver only t he services t hat are required by t he applicat ions of t he net work. Ext raneous services, default set t ings, and passwords should all be elim inat ed before I P- based net works support product ion environm ent s. Unfort unat ely, wit h all it s robust ness, TCP/ I P is a fundam ent ally insecure net work archit ect ure. Since incept ion, pot ent ially hundreds of securit y holes are t hought t o be prevalent . Alt hough m any of t hem have been discovered and pat ched, ot hers rem ain t o be discovered and exploit ed. ( For exam ple, researchers at t he Universit y of Finland at Oulu discovered t hat t hrough SNMP, a TCP/ I P service for rem ot e access and cont rol, I SPs' net work devices could be shut down or fully cont rolled by an at t acker, depending on t he flavor of SNMP. Apparent ly, t his vulnerabilit y has exist ed for m ore t han 10 years.) Generally, at t acks can occur when dat a is en rout e or residing in host com put ers. Wit h TCP/ I P, any com put er wit h a legal I P address is a host com put er. Thus, from t he perspect ive of hackers and especially disgrunt led or form er em ployees, TCP/ I P provides pot ent ially num erous illegal point s of ent ry t hat can no longer be cont rolled in I P net works wit hout t he aid of add- on securit y m easures. The next several sect ions look at specific classes of at t acks t hat exploit TCP/ I P weaknesses and flaws.

Standard "Ports" of Call TCP/ I P- based net works have approxim at ely 130,000 I P port s, or doorways, for int eract ive com m unicat ions am ong net work devices, services, applicat ions, and discret e t asks. I P port s have predefined purposes for prot ocols or services. Som e port s used for com m on t ypes of t ransm issions include:

Por t

Pr ot ocol/ Se r vice s

Port 21

FTP

Port 23

TELNET

Port 25

SMTP

Port 53

DNS

Port 80

HTTP ( t ypical Web t raffic)

Port 111

RpcBind

Port 113

AUTHd

Por t

Pr ot ocol/ Se r vice s

Port s 137–139

Net bios

Port 1524

Oracle DBMS TCP/ I P com m unicat ions

Port 443 HTTPs Port s t hat are not used regularly or as com m on are port 110: POP3 ( Post Office Prot ocol version 3) , port 389: LDAP ( Light weight Direct ory Access Prot ocol) , and port 8080: Web sit e t est ing. Effect ive securit y t ranslat es t o prot ect ing all 130,000 doors wit hin your net work. As you know, a securit y m easure, such as a firewall, will com e out of t he box wit h all port s disabled. Consequent ly, t he specific group of port s t hat your net work applicat ions require would be a m at t er of enabling t hose port s across t he firewall. For a given net work, t his could m ean enabling hundreds or even t housands of doors. For a firewall, however, t he num ber of port s init ialized for access doesn't pose any part icular problem inasm uch as port s being available t o begin wit h. As long as t he doors, or port s, are opened, depending on t he service or prot ocol, t he net work could be at risk t o at t acks t hat exploit vulnerable services or prot ocols t hat are accessed t hrough t he firewall. Therefore, proper diligence should be perform ed t o elim inat e as m uch vulnerabilit y as possible by applying t he lat est securit y pat ches, keeping firewalls configured correct ly, and deact ivat ing t hem when no longer required by applicat ions. Because business needs cont inually change, t he firewall rule base m ust also change t o reflect t he ent erprise's current need. The firewall rule base is a working rule set t hat should reflect t he current securit y policy of t he organizat ion. I nevit ably, ad hoc business needs dem and t hat cert ain ot her port s be enabled t hat m ay occasionally not be covered by an organizat ion's current securit y policy. Under t hese circum st ances, t he proper diligence m ay not be perform ed, perhaps because t he need for t he service is t em porary. Accom m odat ing such request s, or when t he appropriat e securit y checks aren't perform ed, is oft en referred t o as poking holes t hrough t he firewall. When holes are being poked t hrough t he firewall consist ent ly, pot ent ial securit y risks m ay arise. To com plicat e m at t ers, if vulnerabilit ies exist on t hese services, a skilled hacker or one wit h good t ools can easily gain access t hrough t he best firewalls. Port scanning is t he hacker's favorit e t echnique for gaining illegal access t o net works. Hackers count on finding unwat ched doors and windows t hrough t he firewall owing t o m isconfigured rules or vulnerabilit ies in t he net work. Firewalls show port - scanning act ivit y as a series of connect ion at t em pt s t hat have been dropped. I n a port scan, t he source address and t he dest inat ion address—t ypically, t he firewall— st ay t he sam e, but t he dest inat ion I P port num ber changes in sequence because port - scanning t ools/ applicat ions at t em pt connect ion t hrough port s in sequence. Ot her port - scanning t ools t ry port s random ly, t o m ake det ect ion m ore difficult . Port - scanning t ools are also fairly sophist icat ed. When a port appears t o be unprot ect ed, t he t ool logs t he inform at ion for t he hacker t o invest igat e lat er. Hackers

scan lit erally hundreds, if not t housands, of port s before com ing across a poorly secured door. For exam ple, say t hat t he firewall support s access t o port s 386, 387, 388, and 389 and t hat port 389 present s a vulnerable service t hat can be exploit ed. Most hackers would not at t em pt m ore t han t hree or four random scans at a t im e, because t hey know t hat t oo m any dropped sequent ial- access at t em pt s against I P port s in t he firewall logs would signify port - scanning act ivit y. Hackers have pat ience and resolve, because finding an open door could t ake lit erally an indefinit e am ount of t im e.

TCP/IP Implementation Weaknesses When I P net works t ransm it dat a over a wide area from a source t o a dest inat ion host , t hree t hings occur. 1. The dat a t raverses num erous rout ers, also called hops. 2. The I P packet s are t ypically divided int o sm aller unit s, or I P fragm ent s. 3. Depending on net work t raffic, a given I P fragm ent can t ravel a pat h different from t hat of anot her fragm ent . Each of t he sm aller I P packet s, or chunks, is a replica of t he original I P packet , except t hat t he chunk cont ains an offset field, creat ed when TCP/ I P deem s it necessary t o break down t he original I P packet int o sm aller unit s. When t he I P fragm ent arrives at t he dest inat ion host , t he offset field t ells t he host t he num ber of byt es t he field cont ains and t heir order of posit ion in t he original I P packet . This inform at ion enables t he dest inat ion host t o reconst ruct t he I P fragm ent s int o t he original I P packet , or int o t he packet t he source host t ransm it t ed. For exam ple, suppose t hat an I P packet cont ains 400 byt es of inform at ion and is t ransm it t ed as t hree I P fragm ent s. The offset field of one arriving I P fragm ent t ells t he dest inat ion host t hat t he field cont ains byt es " 1 t hrough 200." The offset fields of subsequent I P fragm ent s would t herefore cont ain byt es " 201 t hrough 300" and " 301 t hrough 400." Because I P fragm ent s won't necessarily arrive in order, t he offset field ensures t hat I P fragm ent s are reconst ruct ed int o t he proper sequence. Traveling in sm aller unit s also increases net work t hroughput and m inim izes t he effect s of lat ency in rout ers, swit ches, and ot her net work devices. Pin g of D e a t h The abilit y t o reduce I P packet s int o sm aller unit s is a nice feat ure of TCP/ I P com m unicat ions. Unfort unat ely, t his nat ive feat ure is also an inherent weakness. Hackers have devised several t echniques t o exploit t his problem . Using ping of deat h and such variant s as Teardrop, Bonk, and Nest ea, hackers disrupt t he offset field's abilit y t o align I P fragm ent s properly during t he reassem bly process ( see Figure 6- 1) .

Figu r e 6 - 1 . Ex ploit in g TCP/ I P w e a k n e sse s w it h pin g of de a t h

These t ools enable hackers t o reduce I P packet s int o fragm ent s wit h overlapping offset fields. Therefore, when t hey are reassem bled at t he dest inat ion host , t he overlapping offset fields force I P t o reconst ruct t hem int o m alform ed I P packet s. The m alform ed packet s don't creat e any serious dam age but could cause host s t o crash, hang, or reboot , result ing in lost dat a and t im e. Alt hough t hese securit y issues are not serious, t hey are hassles you could live wit hout . Most firewall- based securit y m easures block ping- of- deat h incursions. Make cert ain t hat t hey can also handle t he ot her variant s. SYN Flood a n d La nd At t a ck s One of t he hacker's favorit e t act ics is using t he init ial session est ablishm ent bet ween client / server applicat ions t o launch an at t ack. Com m unicat ions bet ween an init iat ing and receiving applicat ion— a TCP session—occurs as follows. 1. To begin a TCP session, t he init iat ing applicat ion t ransm it s a synchronize packet ( SYN) t o t he receiving applicat ion ( host ) . 2. The receiving host responds by t ransm it t ing a synchronized acknowledgm ent packet ( SYN- ACK) back t o t he init iat ing host . 3. To com plet e t he connect ion, t he init iat ing host also responds wit h an acknowledgm ent ( ACK) . Aft er t he handshake, t he applicat ions are set t o send and t o receive dat a. ( See Appendix D for a det ailed descript ion of SYN- ACK at t ack.) Met aphorically, if SYN flood is at t ack by " sea," or flooding, t he land at t ack is j ust t he opposit e. I n t his scenario, t he dest inat ion address of t he receiving host is also t he source I P address. I n ot her words, t he SYN packet 's source address and t arget address are t he sam e. So when it t ries t o respond by sending a SYN- ACK, t he

receiving host t ries t o respond t o it self, which it can't do. Land at t acks are anot her denial- of- service ploy; t he t arget ed applicat ion will ignore all legit im at e request s while fut ile at t em pt s t o respond t o it self are cont inued. Firewalls handle SYN floods by sending t he final ACK and m onit oring t he connect ion t o det erm ine whet her norm al com m unicat ions are conduct ed. I f not hing t ranspires, t he connect ion is t erm inat ed. Land at t acks are prevent ed by ant i–I P spoofing m easures. Typically, when t rust ed int ernal I P addresses originat e on ext ernal port s, ant ispoofing feat ures will aut om at ically drop t he connect ions, t hereby t hwart ing any land at t acks.

IP Spoofing Pract ically all I P packet –based at t acks use I P spoofing, especially basic denial- ofservice at t acks, such as SYN- ACK, ping of deat h, and land at t acks, and t he m ore sophist icat ed dist ribut ed denial- of- service ( DDoS) at t acks, which depend on m ast er/ slave relat ionships t o funct ion properly. I P spoofing is popular because it hides t he hacker's ident it y and provides t he m eans t o slip int o your net work. I P spoofing works only when your net work or securit y m easures believe t hat t he source address of t he I P packet originat es from a t rust ed dom ain. ( See t he discussion in Chapt er 4.) The m ain m et hod of t hwart ing I P spoofing is t o use securit y m easures t hat rej ect packet s when t rust ed or int ernal I P source addresses arrive on ext ernal port s. I P spoofing com bined wit h DDoS incursions creat es a form idable at t ack. Alt hough properly configured firewalls can recognize all " flooding" or variat ions of DoS at t acks, once t he firewall has been breached, t he hacker gains a foot hold int o your net work. When t his happens, t he firewall won't help you ident ify t he source of t he at t ack, because t he address is faked. However, t he firewall will log t he suspicious t raffic. Wit h t his inform at ion, you can work wit h your I SP t o help filt er out t he bogus t raffic before it does m uch harm t o your net work. ( At t ack prevent ion and survival are discussed furt her in Chapt er 8.)

Distributed Denial-of-Service Attacks and Tools Everyone was concerned t hat t he new m illennium m ight usher in t he Y2K bug. Many braced for t he apocalypse, but what we got am ount ed t o no m ore t han a cloudy day wit h scat t ered showers. As t he clouds passed and t he world was j ust beginning t o breat he a sigh of relief, several well- known business ent it ies were st ruck by t he com put er world's equivalent of a flash flood: a dist ribut ed denial- of- service ( DDoS) at t ack. Am azon.com , Yahoo, and E- Trade led t he dist inguished list of com panies t hat were brazenly at t acked one m orning in early February 2000. A DDoS at t ack is a coordinat ed, m ilit arist ic at t ack from m any sources against one or m ore t arget s. I n fact , t hat is t he real m aj or difference bet ween a dist ribut ed DoS and a regular DoS. Ot her t han t he at t ack com ing from m any sources ( dist ribut ed) , bot h variat ions flood your net work wit h such a high volum e of useless packet s t hat legit im at e users can't get t hrough. Usually, t he hackers download DDoS t ools from t he I nt ernet . Exam ples of such at t ack t ools are Trin00, Tribe Flood Net work ( TFN) , and TFN's lat est version: Tribe Flood Net work 2000 ( TFN2K) .

For m ost businesses, DDoS at t acks would cause an inconvenience or loss of product ivit y. However, for e- business concerns, DDoS at t acks could creat e subst ant ial losses result ing from lost sales and cust om er confidence. Just ask ETrade. ( See t he sect ion Real- World Exam ples in Chapt er 1.) The m ost im port ant fact about DDoS at t acks is t hat t hey are not designed t o penet rat e, dest roy, or m odify your net work but t o bring you down, perhaps indefinit ely. This is not sport ing at all, as if any hacker exploit could be. DDoS at t ack t ools are a hacker's dream , enabling int ruders t o at t ack wit h t he elem ent of surprise by m obilizing forces covert ly and wit h precision. DDoS at t acks exploit arguably t he single great est advant age afforded by t he I nt ernet : dist ribut ed client / server funct ionalit y. I n general, DDoS at t ack t ools could not work wit hout t his im port ant feat ure, because t hey depend on client / server relat ionships bet ween t he hacker and t he m ast er and bet ween t he m ast er and t he at t ack t ools t hem selves, t he daem ons. Aft er finding a way int o your net work, usually by exploit ing vulnerabilit ies or unwat ched doors, t he hacker inst alls daem ons on t he com prom ised host . Daem ons are sim ply soft ware ut ilit ies t hat service t he request s of t he m ast er program by init ializing t he host s t o send large and useless packet s of inform at ion t o an unsuspect ing t arget . Once t he host is com prom ised, t he host becom es an agent , and t he daem on becom es a zom bie, which is dead unt il sum m oned t o life—int o act ion—by a m ast er. Once hundreds or perhaps t housands of zom bies are in place, t he DDoS at t ack is orchest rat ed. The hacker program s t he m ast er t o com m and t he zom bies t o launch a DoS at t ack against a single unsuspect ing t arget : sim ult aneously. A single DoS at t ack would not do m uch t o a net work wit h high- bandwidt h I nt ernet access, but t housands of t hese at t acks originat ing from around t he globe would effect ively overwhelm a sit e and deny service t o legit im at e users. Table 6- 1 sum m arizes t he salient feat ures of DDoS at t ack t ools. ( Also, see Appendix D for a det ailed descript ion of DDoS at t ack t ools.)

Trin00 One of t he m ost powerful DDoS at t ack packages is Trin00, or Trinoo. Trinoo m ade it s debut t oward t he end of 1999 by at t acking several high- capacit y com m ercial and universit y net works. Unlike t he ot her DDoS at t ack t ools, Trinoo does not spoof t he source addresses during t he at t ack. The source addresses of t he at t acks are t he host s t hat were com prom ised by Trinoo daem ons. The host s can belong t o anyone anywhere on t he I nt ernet . The t ype of flood t hat Trinoo dispenses is a UDP flood. The DoS occurs when t he t arget host becom es inundat ed wit h a flood of UDP packet s t o process while denying service t o legit im at e operat ions. The orchest rat ion of Trinoo is m ore a t est of int est inal fort it ude t han of skill. Through diligence and pat ience, t he int ruder scans lit erally hundreds, perhaps t housands, of I nt ernet host s for vulnerabilit ies before a legion of host s are com m andeered. Set t ing up t his at t ack is also a t est am ent t o client / server funct ionalit y and dist ribut ed processing. Using vulnerable host s, t he m ast er and daem on program s are clandest inely inst alled one aft er anot her unt il all Trinoo's com ponent s are in posit ion. Several of t he host s are used for t he " m ast er program s," and each m ast er cont rols a

clust er of host s t hat have been invaded by Trinoo's daem ons. Figure 6- 2 sum m arizes Trinoo.

Figu r e 6 - 2 . Tr in 0 0

Tribe Flood Network Like it s cousin Trinoo, TFN is an at t ack t ool t hat is able t o launch DDoS at t acks from m ult iple locat ions against one or m ore t arget s. Unlike Trinoo, t he source I P addresses of t he at t ack packet s can be spoofed. Hackers like TFN because it can generat e a variet y of DoS at t acks. I n addit ion t o a UDP flood, TFN is capable of generat ing a TCP SYN flood I CMP echo request flood, and an I CMP direct ed broadcast , also known as a Sm urf bandwidt h at t ack. Based on a client / server relat ionship, t he TFN int ruder int erfaces t o a TFN m ast er wit h a charact er- based com m and line t o provide at t ack inst ruct ions t o a legion of TFN daem ons.

Ta ble 6 - 1 . Com pa r ison of D D oS At t a ck Tools Tr in 0 0 Client / Server Archit ect ure

3 t ier: client , m ast er, daem ons

DoS Flood UDP flood Type ( At t ack)

TFN

TFN 2 K

St a ch e ldr a h t

2 t ier: client , daem ons

2 t ier: client , daem ons

3 t ier: client , handler, agent

UDP, I CMP echo

UDP, I CMP echo

UDP, I CMPecho request , SYN-

Ta ble 6 - 1 . Com pa r ison of D D oS At t a ck Tools Tr in 0 0

TFN

TFN 2 K

St a ch e ldr a h t

request , SYN- ACK, Sm urf bandwidt h

request , SYN- ACK, Sm urf

ACK, Sm urf bandwidt h

Operat ing Syst em

UNI X and NT

UNI X and NT

Linux, Solaris, and NT

Linux and Solaris

I nt ruder Port ( t o Mast er)

TCP: TELNET, NETCAT: I nt erface is from a client

N/ A ( I nt erface direct ly int o m ast er)

N/ A ( I nt erface direct ly int o m ast er)

TCP: TELNET Alike ( I nt erface is from a client )

Mast er Port ( t o Daem on)

UDP

TCP, UDP

TCP, UDP, I CMP

TCP, I CMP

Daem on Port ( t o Mast er)

UDP

TCP, UDP

TCP, UDP, I CMP

TCP, I CMP

I P Spoofing

No

Yes

Yes

Yes

Encrypt ion

List of known daem ons in file m ast er

IP addresses in daem ons wit h Blowfish

Dat a fields are encrypt ed, using t he CAST algorit hm

• •

TELNET Alike Session Mast er and Daem on links wit h Blowfish

Tribe Flood Network 2000 TFN2K, a descendant of TFN, uses client / server archit ect ure. Like TFN, TFN2K operat es under UNI X- based syst em s, incorporat es I P address spoofing, and is capable of launching coordinat ed DoS at t acks from m any sources against one or m ore unsuspect ing t arget s sim ult aneously. TFN2K can also generat e all t he at t acks of TFN. Unlike TFN, TFN2K also works under Windows NT, and t raffic is m ore difficult t o discern and t o filt er because encrypt ion is used t o scram ble t he com m unicat ions bet ween m ast er and daem on. TFN2K is also m ore difficult t o det ect t han it s predecessor because t he at t ack t ool can m anufact ure " decoy packet s" t o nont arget ed host s.

Unique t o TFN2K is it s abilit y t o launch a Teardrop at t ack. Teardrop t akes advant age of im properly configured TCP/ I P I P fragm ent at ion reassem bly code. I n t his sit uat ion, t his funct ion does not properly handle overlapping I P fragm ent s. When Teardrop is encount ered, syst em s sim ply crash.

Stacheldraht Germ an for barbed wire, St acheldraht debut ed on t he I nt ernet bet ween lat e 1999 and early 2000, com prom ising hundreds of syst em s in bot h t he Unit ed St at es and Europe. Alt hough t his DDoS t ool looks a lot like TFN, it s archit ect ure resem bles Trinoo's, which is based on a t hree- t ier client / server approach, wit h client ( int ruder) , m ast er, and daem on com ponent s. Like TFN, St acheldraht can generat e UDP, SYNACK, I CMP echo request , and Sm urf bandwidt h DDoS at t acks.

ICMP Directed Broadcast, or Smurf Bandwidth Attack The Sm urf bandwidt h at t ack is nam ed for one of t he program s in t he set required t o execut e t his at t ack. ( See Appendix D for m ore inform at ion on Sm urf at t ack.) I n t his at t ack, hackers or int ruders use t he inherent charact erist ics of t wo services in TCP/ I P t o orchest rat e a DoS at t ack for unsuspect ing vict im s. I n I P net works, a packet can be direct ed t o an individual host or broadcast t o an ent ire net work. Direct broadcast addressing can be accessed from wit hin a net work or from ext ernal source locat ions. When a packet from a local host is sent t o it s net work's I P broadcast address, t he packet is broadcast , or delivered t o all host s on t hat net work. Sim ilarly, when a packet t hat originat es from out side a local net work is t ransm it t ed t o a net work's I P broadcast , t he packet is also sent t o every m achine on t he local or t arget net work. I n general, m ake sure t hat your net work filt ers out I CMP t raffic direct ed t o your net work's broadcast address. ( See Chapt er 9 for m ore on prevent ion of Sm urf bandwidt h at t acks.)

Backdoor Programs and Trojan Horses Technically speaking, a backdoor program is not a Troj an horse, alt hough t he t wo t erm s t end t o be used synonym ously. A Troj an horse is a m alicious program t hat is concealed wit hin a relat ively benign program . When a vict im runs t he innocuous program , t he Troj an horse execut es surrept it iously, wit hout t he vict im 's knowledge. By cont rast , a backdoor program set s fort h t he not ion of circum vent ing a regular ent ry or access point , such as t hrough a user " front door," or login rout ine. A back door, an ent ry point int o a host com put er syst em , bypasses t he norm al user login procedures and pot ent ial securit y m easures of t hat syst em . A back door could be a hardware or soft ware m echanism but is generally soft ware based; like a Troj an horse, it is act ivat ed secret ly, wit hout t he vict im 's knowledge. An int ruder's favorit e m et hod of slipping backdoor program s int o t rust wort hy host s is t o send t he backdoor program as an e- m ail at t achm ent wit h an innocent - sounding nam e. Because of t his t rick, a backdoor program is referred t o as a Troj an horse. The com m on elem ent in bot h a backdoor program and a Troj an horse is t hat t hey funct ion wit hout t he user's knowledge.

The ult im at e goal of t he m ore t han 120 backdoor program s exist ing in t he wild is t o secret ly cont rol your com put er syst em from a rem ot e hiding place. I n order for a backdoor program t o funct ion properly, it m ust gain root access t o t he host syst em . Root access allows an int ruder t o do what he or she want s in your com put ing environm ent . Once a backdoor program is in place, your syst em can be accessed and m anipulat ed, unbeknownst t o you, whenever t he int ruder desires. That 's t he unfort unat e realit y of backdoor program s.

Backdoor Program Functions Rem ot e- cont rolled backdoor program s can be inst ruct ed t o perform a lit any of funct ions, ranging from cut e annoyances t o out right m aliciousness. To annoy you, backdoor program s can open and close your CD- ROM drive, reboot your m achine, st art your screensaver aut om at ically, reassign your m ouse but t ons, shut down t he com put er, play sounds, and even look t hrough a Webcam on your syst em . However, t he m ain purpose of backdoor program s is for m alicious int ent and m isuse. They can st eal your passwords by m onit oring fields in dialog boxes or keyst rokes, regardless of whet her t hey are encrypt ed, plain t ext , dial- up, or cached. Backdoor program s dest roy and m odify dat a and files, delet ing syst em files, m oving and killing windows on your deskt op, hij acking com m unicat ion sessions by port redirect ion, execut ing files, reading and writ ing t o t he regist ry, and capt uring screenshot s. One of t he m ore insidious feat ures of t hese program s is t heir abilit y t o use your com put er as a server, such as an FTP server, t o support illicit act ivit ies. Finally, backdoor program s can open your Web browser t o any URL, send m essages by pret ending t o be you, and play proxy for you in chat room s t hrough I nt ernet Relay Chat ( I RC) connect ions. The ram ificat ions of t he last exploit can be significant . An int ruder, m asked by your I nt ernet account, can engage in undesirable act ivit ies, such as use of vulgar or illicit language, t hat , at a m inim um , can prom pt a reprim and from t he chat room " police" or m ake you liable for harassm ent .

Examples of Backdoor Programs The m ost popular backdoor program s in use in t he wild are Back Orifice 2000 and Net bus 2.0 Pro ( NB2) . Back Orifice 2000 is t he newest release of Back Orifice, which m ade it s debut in July 1998 as t he brainchild of t he Cult of t he Dead Cow, a hacker organizat ion t hat has vowed t o t hwart Microsoft at every opport unit y. Net bus has been widely accept ed and in use for som e t im e. Bot h Back Orifice 2000 and Net bus are com pat ible wit h Windows 95, 98 and NT operat ing syst em s. Table 6- 2 sum m arizes t hese and ot her popular backdoor program s. Like ot her backdoor program s, Back Orifice 2000 gat hers inform at ion, perform s syst em com m ands, reconfigures m achines, and redirect s net work t raffic. However, Back Orifice 2000 appears t o be t he granddaddy of t hem all, wit h m ore t han 70 com m ands at an int ruder's disposal. I t s m ost com pelling feat ure is t hat once inst alled, it becom es pract ically invisible.

Ta ble 6 - 2 . Ge n e r a l Ch a r a ct e r ist ics of Som e Popu la r Ba ck door Pr ogr a m s File N a m e Pr ogr a m Back Orifice 2000

Pr e in st a ll •

•

bo2K.exe ( server) bo2kgui.exe

Post in st a ll • •

At t a ck e r Link

FileUMGR32.exe TCP/ UDP Rem ot e adm inist rat ion service ( NT)

List e n in g Por t s •

•

En cr ypt

UDP Client / Se 31337 link: 3DE Opt ional

NB2

N/ A

NbSvr.exe

TCP

20034

DeepThroat

N/ A

Syst em t ray.exe

UDP

• •

2140 3150

N/ A

Net Sphere

N/ A

Nssx.exe

TCP

• •

30100 30102

N/ A

Gat eCrasher N/ A

Syst em .exe

TCP

•

6969

N/ A

Port al of Doom

N/ A

Lj sgz.exe

UDP

• •

10067 10167

N/ A

GirlFriend

N/ A

Windll.exe

TCP

•

21554

N/ A

Hack'a'Tack

N/ A

Expl32.exe

TCP/ UDP

•

31785 TCP 31789 UDP 31791 UDP

N/ A

•

•

Client / se link: wea

EvilFTP

N/ A

Msrun.exe

TCP/ FTP

•

23456

N/ A

Phase Zero

N/ A

Msgsvr32.exe

TCP

•

555

N/ A

SubSeven

N/ A

Explorer.exe

TCP

• • •

1243 6711 6776

N/ A

Back Orifice 2000 has been used as a sim ple m onit oring t ool, but it s prim ary use appears t o be t o m aint ain unaut horized cont rol over a t arget host t o com m andeer resources, render vexing annoyances, st eal passwords, and generally collect and m odify dat a. This program also has an array of com m ands t o eavesdrop, play, st eal, and m anipulat e m ult im edia files. Moreover, it support s adj unct program s called plugins, t o enhance it s overall capabilit y. Net bus 2.0 ( NB2) descended from t he popular backdoor program Net bus. NB2 does pret t y m uch everyt hing Back Orifice 2000 is able t o do: m anipulat e files, provide full cont rol over all windows, capt ure video from a video input device, and support plugins. NB2 also enables t he at t acker t o find cached passwords and t o run script s on a specified host ( s) at a given t im e. NB2 support s an " invisible m ode" t o hide from users of infect ed m achines. I t also possesses a peculiar feat ure whereby it will not ify users of com prom ised m achines aft er inst allat ion. However, at t ackers can hide t his feat ure wit h relat ively lit t le m odificat ion.

Summary The m ost im port ant fact about backdoor program incursions is t hat once t hey are inst alled on your syst em , t he original at t acker( s) can m ake t he back door available t o ot hers. The im plicat ions are fright ening. Anot her im port ant point t o rem em ber is t hat backdoor incursions are not dependent on exploit ing any inherent or relat ed vulnerabilit y in operat ing syst em s or applicat ions. Usually, t he backdoor program finds it s way int o a m achine by t rickery or t hrough t he use of a Troj an horse. I n ot her words, it finds it s way int o your syst em as an e- m ail at t achm ent , for exam ple, wit h an innocent - sounding nam e. Fort unat ely, backdoor program s are easily disposed of once t hey are det ect ed, but because of t heir cham eleonlike charact erist ics, det ect ion is difficult . To det erm ine whet her a back door is act ive on your syst em is a st raight forward process if you know what t o do. I f t he back door is cont rolled by a UDP connect ion, it requires sending a UDP packet t o t hat port , wit h t he appropriat e specificat ions, and t he backdoor program in quest ion will respond. I f t he backdoor program com m unicat es by TCP, you can TELNET t o t he suspicious port and provide t he necessary inform at ion, which should also provide you wit h a response from t he backdoor program in quest ion. To elim inat e backdoor program s m anually, you m ust obt ain t he appropriat e inst ruct ions. Therefore, you should m ake it a regular pract ice t o st ay in t ouch wit h several securit y organizat ions t hat dissem inat e alert s and up- t o- t he- m inut e inform at ion on coping wit h securit y issues and t hreat s. Carnegie- Mellon's CERT Coordinat ion Cent er ( CERT/ CC) , SANS I nst it ut e Resources, I nt ernet Securit y Syst em s' " X- Force" alert s, Axent Technologies' " SWAT," and Web reposit ories, such as NT BugTraq Web sit e, are all good sources of finding st ep- by- st ep inst ruct ions for elim inat ing or m it igat ing t he effect s of securit y t hreat s and risks. I f an at t acker renam ed t he backdoor program , t he st ep- by- st ep inst ruct ions m ay not be sufficient t o rid yourself of a part icular problem . I n t his case, you have t o rely on a host and net work vulnerabilit y assessm ent and int rusion det ect ion syst em and a st rong virus prot ect ion im plem ent at ion.

Chapter 7. Attacks by Automated Command Sequences Viruses are t ypically spread t hrough e- m ail wit h infect ed at t achm ent s or m edia, such as floppy disks. Dist ribut ed denial- of- service at t acks t ake advant age of inherent weaknesses in TCP/ I P and relat ed vulnerabilit ies in net work devices, such as firewalls, host s, and rout ers. Backdoor program s t ypically find t heir way int o a net work as a Troj an horse or an innocuously appearing com ponent of a larger, perhaps m ore recognizable, program . The one com m on t hread in t hese t hree classes of incursions is t hat t hey have been act ive in t he wild for som et im e. These incursions also have ident it ies of t heir own, wit h dist inct signat ures, or com m and st ruct ure, or synt ax. I n t his chapt er, we explore anot her m ode of int rusion: script at t acks. Unlike DDoS and backdoor incursions, which m ust be orchest rat ed by an int ruder, a script at t ack direct s it self t hrough aut om at ed com m and sequences. The code of a script t hat perpet uat es a specific at t ack is cont inually being m odified t o produce ot her at t acks. When unleashed, script at t acks st eal passwords, credit card num bers, and sensit ive inform at ion; m odify and dest roy dat a; hij ack sessions; and, in som e cases, enable alt ernat ive pat hways int o a t rust ed net work dom ain. I n t his regard, a script at t ack funct ions like your garden- variet y backdoor program . I n ot her circum st ances, script at t acks funct ion like a virus, when dat a is dest royed, m odified, or changed or when applicat ions perform errat ically. This chapt er also explores ot her sources of vulnerabilit ies t hat , because of t heir pervasiveness, your life- cycle securit y m easure( s) should address when inst it ut ed wit hin your ent erprise.

Script Attacks A script is a sm all, self- cont ained program t hat perform s specified t asks wit hin client / server applicat ions. I t gives developers t he flexibilit y t o build funct ionalit y int o applicat ions whenever t hey desire. Script s usually provide client - side funct ionalit y; when a user views a Web sit e, for exam ple, script s are downloaded wit h t he page and begin execut ing im m ediat ely. This is a key reason t hat hackers like script s. I n cont rast , when plug- ins are downloaded, t he user m ust t ake t he t im e t o inst all it and perhaps rest art t he com put er. Script s are developed wit h script languages, such as JavaScript or Visual Basic Script ( VBS) , creat ed by Net scape Com m unicat ions and Microsoft , respect ively. I n general, JavaScript , which is a derivat ive of Java, allows Web designers t o em bed sim ple program m ing inst ruct ions wit hin t he HTML t ext of t heir Web pages. Bot h Microsoft 's I nt ernet Explorer and Net scape Com m unicat or support JavaScript . On t he ot her hand, VBS, a script ing language based on Visual Basic, provides t he m acro language used by m ost Microsoft applicat ions. Like JavaScript , VBS script ing is also used in Web page developm ent . However, it is com pat ible wit h Net scape com m unicat or wit h a plug- in. Using script languages t o creat e at t acks or m alicious code is quit e popular am ong hackers because t he pot ent ial for at t ack variat ions is virt ually unlim it ed. Script at t acks t ypically are sent via e- m ail. But ot her m alicious code can be encount ered

t hrough rogue Web sit es, anot her nam e for Web locat ions wit h em bedded m alicious code. A script is easily m odified, so any given one can perform a variet y of at t acks. More im port ant , each t im e m alicious code is m odified, it s signat ure or com m and st ruct ure, or synt ax, changes, m aking individual script at t acks, and part icularly t heir derivat ions, difficult t o deal wit h t hrough current securit y m easures. When t he Love Bug was released ont o approxim at ely 45 m illion com put ers in t he wild, a deadlier but slower- m oving variat ion, called New Love by t he m edia and Herbie by t he Just ice Depart m ent , m at erialized wit hin days of t he Love Bug's dem ise. Wit hin 2 weeks of Herbie's debut , about 29 variat ions of t he Love Bug were spawned. I n ot her words, when a script at t ack is launched, newer versions of t he at t ack are t ypically unleashed int o t he I nt ernet com m unit y fast er t han t he whit e hat s can release count erm easures. The m ain problem wit h securit y m easures is t hat t hey usually can't prot ect against new script - based viruses unt il t he virus has been fingerprint ed and placed in t heir signat ure dat abase—in t he case of an int rusion det ect ion syst em —or dat a files—in t he case of a virus prot ect ion syst em . However, no sooner t han a culprit has been corralled and fingerprint ed, t hwart ing subsequent incursions is relat ively easy t o do. Recognizing t he problem , com panies t hat supply securit y m easures are cont inually on t he lookout for new t hreat s in t he wild, including e- m ail- borne script viruses. As soon as t hey are discovered and fingerprint ed, t hey can be added as updat es t o t he re spect ive client bases in a t im ely fashion. This keeps client s a lit t le ahead of t he gam e. Anot her alt ernat ive t o address- em bedded script ed at t acks is t o harden net work applicat ions by disabling aut om at ic script ing capabilit ies. Som e product s act ivat e powerful script ing capabilit ies by default . This feat ure is called act ive script ing in Microsoft applicat ions. Windows Script ing Host ( WSH) in Windows 98 provides t he funct ionalit y. The m aj orit y of users do not require or want em bedded script ing enabled, especially WSH in Microsoft applicat ions. For exam ple, WSH is inst alled and act ivat ed by default wit h Windows 98 and I nt ernet Explorer version 4.0 and higher. Wit h WSH enabled, users can execut e .VBS files by double clicking. I n cont rast , a new generat ion of script ed e- m ail at t acks will execut e wit hout user int ervent ion, t hrough viewing only. Therefore, unless cert ain users need t o execut e em bedded script ing aut om at ically, t he best bet is t o disable script ing capabilit ies. This will disable bot h VBScript and JavaScript and default funct ions, such as Windows Script ing Host in Windows operat ing environm ent s.

The Next Generation of E-Mail Attacks The next generat ion of script ed e- m ail at t acks does not require t he user t o be duped int o double clicking t he script —m alicious code—for execut ion. For exam ple, if you are using Out look Express wit h t he Preview Pane enabled, t his script ed e- m ail at t ack can infect a host wit hout t he user's ever opening t he e- m ail. This class of at t ack is t he next generat ion of e- m ail worm s. A worm is a virus t hat propagat es it self wit hout t he aid of anot her program or user int ervent ion. Worm s are also nefarious. The Love Bug's offspring, Herbie, was able t o change t he subj ect line of t he e- m ail whenever it propagat ed it self from host t o host as an e- m ail at t achm ent . This polym orphous nat ure of worm s m akes t hem very

difficult t o det ect wit h cont ent scanners or virus soft ware. Alt hough worm s, such as Herbie and t he Love Bug, are self- replicat ing and dest ruct ive at t he sam e t im e, t he user st ill m ust execut e t he em bedded script in t he e- m ail t o act ivat e t he worm . I n cont rast , next - generat ion script ed e- m ail at t acks will not require t he user t o double click em bedded script in t he e- m ail for it t o propagat e. The at t ack m erely needs t o arrive and t ake advant age of certain vulnerabilit ies in t he t arget host . As m ent ioned, if Out look Express has t he Preview Pane act ivat ed, coupled wit h em bedded script ing, t he next - generat ion worm can lit erally wreak havoc. I t arrives by st ealt h, becom es act ivat ed aut om at ically, exact s dam age in a variet y of ways, disguises it self, secret ly t arget s everyone in t he user's e- m ail address book, and reproduces t he at t ack over and over again at every receiving host . Scary indeed!

The Bubble Boy Virus The Bubble Boy virus was t he proof of concept of t he dangerous next - generat ion self- act ivat ing, self- propagat ing script ed e- m ail at t acks. I f act ive script ing is enabled and t he Preview Pane is act ivat ed in Out look Express, for exam ple, sim ply viewing t he infect ed e- m ail will launch t he virus at t ack. I n ot her words, t he user does not have t o physically open t he em bedded script —at t achm ent —in t he e- m ail t o act ivat e t he at t ack. The Bubble Boy virus borrows it s nam e from an episode of t he popular Jerry Seinfeld show. I n t hat episode, Jerry's sidekick, George, plays Trivial Pursuit wit h a boy confined t o an oxygen bubble because of a fault y im m une syst em . The boy right fully answers " Moors" t o one of t he quest ions, but t he gam e card m isspelled it as " Moops." When George insist s t hat t he answer is Moops, a heat ed argum ent unfolds, and a fight ensues. To everyone's dism ay, t he fight ends when George accident ally pops t he oxygen bubble. The Bubble Boy virus quiet ly m ade it s debut on t he I nt ernet in lat e 1999, at t acking Microsoft 's Out look e- m ail syst em . Classified as a worm , t he virus sent it self t o everyone list ed in t he infect ed syst em 's e- m ail address book. The Bubble Boy virus spread it self t o everyone list ed in t he vict im 's address book. This was t he ext ent of t he at t ack. However, t he at t ack could have j ust as easily delet ed, m odified, or st olen dat a before it m oved on. More significant ly, t he at t ack proved t hat a script ed e- m ail at t ack could occur by st ealt h, wit hout any user act ion( s) what soever. The im plicat ions of t his developm ent bode pot ent ially disast rous consequences for t he I nt ernet com m unit y. One dangerous possibilit y involves a self- replicat ing dist ribut ed denial- of- service at t ack t ool t hat spreads t hrough e- m ail. I m agine being bom barded by a DDoS at t ack from every recipient of an e- m ail worm running Out look or Out look Express. Even worse, im agine being bom barded wit h a DDoS at t ack from t he 45 m illion recipient s of t he Love Bug virus worldwide.

Mainstream JavaScript Attacks Alt hough m ost of t he discussion in t his chapt er has focused on script at t acks involving Microsoft 's VBS language, com parable JavaScript - based at t acks have also em erged int o m ainst ream scrut iny. The irony of it all is t hat cert ain of t hese JavaScript at t acks exploit vulnerabilit ies in Microsoft applicat ions.

Ja va Scr ipt At t a ck s on M icr osoft 's E- M a il Pr ogr a m s I f your ent erprise uses Out look 98, Out look Express 5, or Out look 2000, you should be aware of an em bedded e- m ail JavaScript at t ack on t he prowl in t he wild. Alt hough Microsoft has developed and issued pat ches t o correct t he vulnerabilit y, t hese e- m ail applicat ions, if im properly configured, are st ill suscept ible t o t he t hreat , which direct s t hem t o perform unaut horized act ivit y. The at t ack begins aft er t he e- m ail program receives inst ruct ions from t he m alicious JavaScript code. The Out look- based client opens a browser window t o any URL of t he int ruder's choice. The unwit t ing client s t end t o be com prom ised in t wo ways. Subm it t ing dat a t o com plet e form s on Web sit es is one at t ack; t he ot her one, which is m ore diabolical, involves direct ing t he user t o a Web sit e t hat can load Web pages capable of exploit ing vulnerabilit ies t hat are not exploit able by e- m ail at t acks. This em bedded JavaScript incursion can be used in conj unct ion wit h ot her exploit s, such as one t hat levels at t acks on cookies t hat are creat ed while t he user is surfing wit h I nt ernet Explorer. I n t e r n e t Ex plor e r Cook ie s Cr um ble Cookies are one of t he necessary evils of doing business on t he I nt ernet . A cookie, prim arily a m arket ing t ool, is an inherent ly int rusive pract ice. Web developers use cookies t o collect inform at ion on I nt ernet surfers when users visit or purchase anyt hing from a Web sit e. Cookies enable Web m erchant s t o ascert ain what users do at a sit e, chart t heir pat t erns, and how oft en t hey visit . The bet rayal com es when sit e m anagers com bine t his and ot her regist rat ion inform at ion int o a dem ographic dat abase of fellow surfers t o sell t o m arket ers. Many surfers don't realize t hat a cookie is aut om at ically creat ed when t hey regist er at or m erely visit a sit e. When cookies are creat ed, t hey reside on your syst em . Cert ain e- business Web sit es, such as Am azon.com , Yahoo, NYTim es.com , and lit erally t housands of ot hers, m ay even use cookies t o aut hent icat e users or t o st ore confident ial inform at ion. Wit h t he inform at ion provided by t he cookie, t he Web sit e regist ers you t o facilit at e int eract ion in subsequent visit s. Alt hough browsers allow you t o disable cookies, som e sit es m ay funct ion errat ically or crash when t hey are visit ed. Ot hers m ay require you t o regist er again before browsing t heir sit es, and you will lose t he use of cert ain feat ures, such as greet ings wit h cust om ized welcom es. I f cookies weren't irrit at ing enough, Microsoft 's I nt ernet Explorer has given us som et hing else t o worry about : copycat exploit s. Alt hough Microsoft has issued a pat ch t o fix t he problem , be on t he lookout for t his exploit . Also, script s can be used t o t ake advant age of t his vulnerabilit y. I n part icular, derivat ions of a JavaScript based at t ack could be prowling t he I nt ernet t oday. Wit hout t he specific Microsoft pat ch t hat correct s t his problem , all versions of I nt ernet Explorer, including versions for Windows 95, 98, NT, and 2000 are vulnerable t o t his at t ack, as are versions for Solaris and HP- UX ( Hewlet t PackardUNI X) . Apparent ly, using a specially const ruct ed uniform resource locat or ( URL) , a rogue Web sit e can read any of t he cookies in I nt ernet Explorer client s t hat were creat ed while browsing. For exam ple, any cookies set from a dom ain t hat uses t hem

for aut hent icat ion or st oring privat e inform at ion, such as Am azon.com , NYTim es.com , Yahoo Mail or MP3.com , can be read. Whenever any of t he I nt ernet Explorer client s encount ers a specially const ruct ed URL t hat references a cookie in t he user's cookie file, I E get s confused and t hinks t hat it is int eract ing wit h t he legit im at e URL and allows t he inform at ion cont ained in t he cookie in quest ion t o be read or m odified. The descript ion of t his problem and pat ch can be found in securit y bullet in m s00–033.asp and obt ained from Microsoft 's Web sit e: ht t p: / / www.m icrosoft .com / t echnet / securit y/ bullet in/ m s00- 033.asp. N e t sca pe Com m u n ica t or Cook ie H ole I n Net scape Com m unicat or version 4.x, a rogue Web sit e can set a cookie t hat allows a user's HTML files, including bookm ark files, and browser cache files t o be read. The exploit is accom plished wit h JavaScript code, which is included in t he dat a t hat is com posing t he cookie. I n order for t his exploit t o succeed, t he Web surfer m ust have bot h JavaScript and cookies enabled, and Net scape Com m unicat or's Default user profile m ust be act ive. To elim inat e t his problem , kill t he Default user profile aft er set up and t est ing. This exploit depends largely on t he int ruder's being able t o guess your Profile nam e in Net scape Com m unicat or. The elim inat ion of t he Default user profile would not be enough if t he int ruder is able t o guess your current user profile, which is norm ally a first nam e or user nam e port ion of an e- m ail address. To be safe, also disable JavaScript and/ or cookies t o preclude any chance of t his exploit 's working against you.

Attacks through Remote Procedure Call Services Operat ing under TCP/ I P, rem ot e procedure calls ( RPCs) are a useful and est ablished net work service t hat provides int eract ivit y bet ween host s. RPC is a client / server ut ilit y t hat allows program s on one com put er t o execut e program s on an ot her com put er. RPCs are widely used t o access net work services, such as shared direct ories, available t hrough Net work File Syst em ( NFS) . Am ong ot her t hings, NFS allows a local user t o m ap shared direct ories on rem ot e host s such t hat t he direct ories appear as ext ended direct ories of a local host . Over t im e, RPC services have gained a reput at ion for being insecure. Hackers discovered t hat alt hough used prim arily bet ween rem ot e host s in an int ernal net work, RPC enables ext ernal host s t o access int ernal net works by exploit ing RPC vulnerabilit ies in int ernal host s. For t heir first incursions, hackers used RPC t o obt ain password files and t o change file perm issions. I n t he m uch- publicized DDoS at t acks t hat affect ed e- businesses in February 2000, evidence is com pelling t hat t he syst em s used in t he at t ack were com m andeered t hrough vulnerabilit ies in RPC. For exam ple, daem ons belonging t o bot h Trinoo and Tribe Flood Net work DDoS at t ack t ools are known t o exploit t hese vulnerabilit ies, alt hough t hese at t ack syst em s m ay not have necessarily been used in t he brazen DDoS incursions. At t acks t hrough RPC vulnerabilit ies have becom e so exploit ed t hat t hey are t hird on t he SANS I nst it ut e's list of t he 20 m ost crit ical I nt ernet securit y t hreat s. ( For a com plet e list , see Appendix A.) The following RPC services pose t he m ost serious t hreat s t o net works:

•

•

Buffer overflow vulnerabilit y in rpc.cm sd. The Calendar Manager Service Daem on, or rpc.cm sd, is frequent ly dist ribut ed wit h t he Com m on Deskt op Environm ent ( CDE) and Open Windows. This vulnerabilit y enables rem ot e and local users t o execut e arbit rary code or script s wit h root privileges. The rpc.cm sd daem on usually operat es wit h root privileges. Vulnerabilit y in rpc.st at d exposes vulnerabilit y in rpc.aut om ount d. Hackers use t he vulnerabilit ies in t hese t wo program s t oget her t o at t ack int ernal host s from rem ot e I nt ernet safe houses. The rpc.st at d program com m unicat es st at e changes am ong NFS client s and servers. The vulnerabilit y in t his RPC service allows an int ruder t o call arbit rary RPC services wit h t he privileges of t he rpc.st at d process. I n ot her words, t he int ruder can exploit any RPC service t hat m ay be called by t he rpc.st at d process. Typically, t he called or com prom ised service m ay be a local service on t he t arget m achine or a net work service on anot her host wit hin t hat sam e net work. The rpc.aut om ount program is used t o m ount cert ain t ypes of file syst em s. This program allows a local int ruder or int ernal sabot eur t o execut e arbit rary com m ands wit h t he privileges of t he aut om ount d process. Bot h vulnerabilit ies have been prevalent for som e t im e, and vendors t hat supply RPC services provide pat ches for t hese vulnerabilit ies. Too oft en, however, vendor- supplied pat ches are not applied. By exploit ing t hese t wo vulnerabilit ies sim ult aneously, an int erest ing at t ack, t o say t he least , occurs. A rem ot e int ruder is able t o relay, or bounce, RPC calls from t he rpc.st at d service t o t he aut om ount d service on t he sam e t arget ed m achine. The rpc.aut om ount d program does not norm ally accept com m ands from t he net work. Through t his exploit , however, it accept s com m ands from not only t he net work but also sources t hat are ext ernal t o t he net work. Once t he connect ion is m ade, t he int ruder is able t o execut e arbit rary com m ands, including script s, t o at t ack t he host , wit h all t he privileges provided by aut om ount d.

•

Vulnerabilit y in ToolTalk RPC service. The ToolTalk service allows independent ly developed applicat ions t o com m unicat e wit h one anot her. ToolTalk's popularit y hinges on t he fact t hat applicat ion program s can int eract t hrough com m on ToolTalk m essages, which provide a com m on prot ocol. Addit ionally, ToolTalk allows program s t o be freely int erchanged and new program s t o be plugged int o a syst em wit h m inim al configurat ion. Hackers at t ack host s t hat support ToolTalk services, exploit ing a bug in t he program 's obj ect dat abase server. This vulnerabilit y enables int ruders t o funct ion as a super- or adm inist rat ive user and t o run arbit rary code or script s on m any m ainst ream UNI X operat ing syst em s support ing CDE and Open Windows.

Alt hough various RPC services are being com prom ised, int ruders are launching sim ilar at t acks. For exam ple, any of t he RPC vulnerabilit ies can be exploit ed t o execut e a m alicious script wit h sim ilar com m ands for insert ing a privileged back door int o a com prom ised host . Cert ain forensics are associat ed wit h RPC exploit at ions. I n general, you m ay discover t he following kinds of act ivit y:

•

•

•

Core files for t he rpc.t t dbserverd—for t he ToolTalk dat abase server—left in t he root / direct ory in an at t em pt t o at t ack rpc.t t dbserverd. Files nam ed callog* discovered in t he Calendar Manager Service Daem on spool direct ory, result ing from an at t ack on rpc.cm sd. Script s t hat aut om at e exploit at ions, which t ake advant age of privileged back doors. This m et hod has been used t o inst all and t o launch various int ruder t ools and relat ed archives, t o execut e at t acks on ot her net work host s, and t o inst all packet sniffers for illicit dat a gat hering.

You m ay also encount er t wo archive files: neet .t ar and leaf.t ar. The neet .t ar archive includes a packet sniffer, nam ed updat e or updat e.hm e, a backdoor program , nam ed doc, and a replacem ent program , called ps, t o m ask int ruder act ivit y. I n leaf.t ar, you should find a replacem ent program , called infingerd, which creat es a back door; an I nt ernet Relay Chat ( I RC) t ool, called eggdrop; and relat ed script s and files. RPC vulnerabilit ies are also exploit ed t o dissem inat e DDoS at t ack t ools and t o rem ove or t o dest roy binary and configurat ion files. I n any event , if you believe t hat a host has been com prom ised, it should be rem oved from t he net work im m ediat ely and st eps t aken t o recover from a root com prom ise. Also, assum e t hat user nam es and passwords have been confiscat ed from out put logs and t rust relat ionships wit h ot her host s est ablished. The Carnegie- Mellon CERT Coordinat ion Cent er provides excellent guidelines for recovering from a root com prom ise. This docum ent can be obt ained at ht t p: / / www.cert .org/ t ech_t ips/ root _com prom ise.ht m l. Aft er recovering from t he root com prom ise, RPC services should be t urned off and/ or rem oved from m achines direct ly accessible from t he I nt ernet . I f you m ust run t hese services, obt ain pat ches from t he vendor from which you purchased your host plat form . Pat ches are available for I BM's AI X, Sun Microsyst em s' SunOS, SCO UNI X, HP- UX, Com paq's Digit al UNI X, and so on.

Brown Orifice Brown Orifice, a recent ly discovered at t ack t hat has surfaced in t he wild, is dangerous because it at t acks wit hout t he user's int ervening, t hrough t rickery or ot her m eans. A user can be at t acked sim ply by encount ering a rogue Web sit e while surfing t he Net . Surfers who browse wit h all versions of Net scape Navigat or and Net scape Com m unicat or version 4.74 and earlier are predisposed t o at t ack. These versions include syst em s running Windows 2000, NT, and Linux. The problem is pat ched, however, in versions 4.74 and higher or version 6.0. When encount ered, Brown Orifice can init iat e a series of com m ands t hat will allow a Java applet included in t he browser t o display a direct ory of what 's on t he surfer's hard drive. I n ot her words, a surfer's st andard PC can be t ricked int o t hinking t hat it is a Web server capable of displaying t he cont ent s of it s hard drive. This exploit allows t he int ruder t o access any local file creat ed by t he user or any shared net work files t hat are m apped t o t he user's m achine. Brown Orifice had at t acked nearly 1,000 m achines in pract ically no t im e at all. Report s of it s at t acks have been conflict ing. One report says t hat t he at t acker can see, run, and delet e files in t he affect ed PC. Ot her report s indicat e t hat Brown Orifice

allows files t o be displayed and read. I n any event , Net scape should have a pat ch available t o t hwart Brown Orifice. I n t he m eant im e, disable Java in your browser, and you will be fine unt il a pat ch can be applied.

Summary and Recommendations Alt hough t his chapt er focused on Microsoft 's VBS and JavaScript at t acks, ot her t ypes of script at t acks prowl t he World Wide Web. Com m on Gat eway I nt erface ( CGI ) script s are also m aking t heir m ark on t he I nt ernet com m unit y. Recall t hat CGI is a com m on program used for providing int eract ivit y, such as dat a collect ion and verificat ion in Web servers. Default CGI program s, or script s, are used t o launch a variet y of at t acks, such as backdoor incursions, credit card t heft , and sit e vandalizing.I n general, disabling em bedded script ing elim inat es t he securit y risks associat ed wit h t he ent ire class of em bedded e- m ail script ing at t acks. More im port ant , m ost users do not need t o have " aut om at ic" script ing enabled, such t hat double clicking can execut e t he script files. Wit h respect t o Microsoft applicat ions in part icular, disable Windows Script ing Host ( WSH) in t he operat ing syst em or relat ed applicat ion. WSH is inst alled by default wit h Windows 98 and I nt ernet Explorer version 4.0 and lat er. Disabling WSH virt ually elim inat es t he possibilit y of accident ally launching a m alicious VBS file. Also disable em bedded e- m ail script ing capabilit ies in your e- m ail program s and script ing support in browsers. Disabling browser support for script ing virt ually elim inat es t he possibilit y of get t ing exploit ed by a rogue Web sit e. For users wit h legit im at e script ing needs, script s can be execut ed by using ut ilit y applicat ions, such as Wscript .exe program . As a final precaut ionary m easure, rem ove t he .VBS ext ension from t he Regist ered File Types ( Regist ry) alt oget her. Wit h t his act ion, you have virt ually inst it ut ed t he m ost pract ical securit y available against m alicious code wit hout adding an e- m ail or cont ent filt er. One final caveat . I n cert ain applicat ions, disabling em bedded script ing support does not elim inat e t he applicat ions' vulnerabilit y t o script at t acks. For exam ple, I nt ernet Explorer ( I E) versions 4.0 service pack 2 ( SP2) or lat er enables Microsoft 's Access files ( .m db files) t o be accessed for execut ion of m alicious code. Fort unat ely, Microsoft provides a pat ch t hat fixes t his vulnerabilit y. I t 's im perat ive t hat you m ake it a regular pract ice t o visit t he Web sit e and inform at ion reposit ories t hat dissem inat e inform at ion on t he soft ware program s t hat com prise your net work's applicat ions. St aying in t ouch on a regular basis will ensure t hat you obt ain and adm inist er t he appropriat e pat ches t o your net work's applicat ions in a t im ely fashion. The recom m endat ions here provide t he key safeguards t o t hwart ing script at t acks. However, for t he m ost effect ive level of prot ect ion, an e- m ail filt ering or cont ent m anagem ent syst em should also be added t o your securit y arsenal. I n bet ween applying updat es, specific fixes or pat ches, and general policing t o check t he st at us of t he net work's act ive script ing support , a cont ent m anagem ent / e- m ail filt ering syst em quarant ines or prevent s script code from passing t hrough t o t he ent erprise's net work and generally provides anot her layer of prot ect ion. I n ot her words, it can act ively enforce t he corporat e securit y policy against em bedded script ing act ivit y by providing an aut om at ed level of prot ect ion t hat com plem ent s t he pract ical m easures t hat are m anually adm inist ered in an ongoing basis.

Chapter 8. Countermeasures and Attack Prevention Nearly all ent erprises have disast er- recovery plans for t heir m ission- crit ical syst em s. I ronically, t hough, m any com panies do not have an at t ack- survival or prevent ion plan for t hose very sam e syst em s. This is indeed unwise, especially in light of t he m ad dash t oward e- business. Going online wit h t he ent erprise net work wit hout an at t ack- survival and prevent ion plan is like an airport operat ing wit hout plans for coping wit h hij acking. This chapt er focuses on how t o survive and t hwart net work at t acks. At t acks occur even wit h securit y m easures, such as firewalls and st rong aut hent icat ion syst em s, in place. I f, for exam ple, t he firewall is im properly configured or has port s t hat are not prot ect ed or if passwords in user aut hent icat ion syst em s are st olen, guessed, or cracked, you are vulnerable t o at t acks. This chapt er helps you prepare for an at t ack, covering how t o assem ble an incident response t eam , form an alliance wit h your I SP, report t he at t ack t o t he appropriat e aut horit ies, and collect forensics for legal prosecut ion. This chapt er also explores anot her crit ical area: recognizing a DDoS at t ack in progress and im plem ent ing count erm easures t o m it igat e it s im pact . Several proven t echniques can be im plem ent ed by your securit y t eam as pract ical securit y m easures for t he ent erprise net work. Such m easures m ay be adequat e and provide a cost effect ive alt ernat ive t o deploying m ore expensive t hird- part y or COTS ( com m ercial off- t he- shelf) securit y m easures.

Surviving an Attack Ext ernal at t acks from hackers are like guerilla warfare because t he conflict t akes place behind your net work's perim et er. When t he at t ack originat es from disgrunt led em ployees t urned int ernal sabot eurs t he t heat er of conflict is again wit hin your net work. At t acks from ext ernal sources include backdoor incursions, Troj an horses arriving as e- m ail, denial- of- service, and relat ed exploit s. Through backdoor program s, int ruders will engage your resolve for root cont rol of your PC, st eal passwords and ot her sensit ive inform at ion, dest roy and m odify dat a, hij ack com m unicat ion sessions, and plant m alicious code. ( See t he sect ion Backdoor Program s and Troj an Horses in Chapt er 6.) DoS at t acks succeed in denying service t o legit im at e users. Exploit s t hrough e- m ail include slipping back door program s int o your syst em s and launching script at t acks. On t he ot her hand, int ernal sabot eurs can be em ployees or em ployees of business part ners. Much of what t hey do depends on t heir m ot ivat ion. I nt ernal at t acks include dest ruct ion and m odificat ion of dat a, t heft and espionage for personal gain and/ or profit , and ot her com put er crim es. Whet her t he at t ack originat es from out side or wit hin your net work, t he level of cost s you incur when you engage t he at t ack depends, by and large, on t he effect iveness of your at t ack and survival plan. Generally, t he m ore com prehensive t he plan, t he less cost s you incur and t he great er your abilit y t o cont rol t he effect s of t he at t ack. I f your at t ack result s in a root com prom ise, what st eps do you t ake t o recover? Or what do you do when fight ing a denial- of- service at t ack? What t act ical st rat egies

should be deployed when a DoS at t ack is launched against you? How do you handle int ernal sabot eurs? Before answering t hese quest ions, let 's begin wit h som e general planning. Alt hough it is easier said t han done, t he m ost im port ant react ion is t o st ay calm when you are at t acked. No quest ion, t his will be a st ressful t im e for your com pany, especially if you deal wit h a DoS at t ack. Every m om ent t hat service is denied could m ean t ens of t housands of dollars in lost revenue or product ivit y. To avert t hose feeling of helplessness and violat ion, you m ust keep your wit s about you. The best way t o ensure t his is by im plem ent ing an approved survival plan t hat is ready t o go in t he event of an at t ack.

Formulate an Emergency Response Plan and an Incident Response Team The em ergency response plan is geared t oward helping organizat ions build and im prove t heir at t ack preparedness. There are no hard- and- fast rules t o follow for const ruct ing an effect ive act ion plan. However, not hing is m ore im port ant t han assessing t he ent erprise's readiness or it s abilit y t o appropriat ely respond t o a given at t ack. During t his crit ical preat t ack act ivit y, you will discover t he st at us of business syst em s, exist ing securit y m easures, support infrast ruct ure and services—I SPs—and int ernal resources' predisposit ion t o at t ack. Your em ergency or incident response plan should cover t he following key areas: • • • • • • •

The incident response t eam ( I RT) and it s m em bers' roles and responsibilit ies When t o review your preat t ack post ure wit h securit y checklist s Where t o obt ain out side assist ance, if necessary What law enforcem ent aut horit ies t o call t o report t he incident How t o ident ify and isolat e t he host ( s) under at t ack How t o m onit or im port ant syst em s during t he at t ack, using appropriat e securit y t ools, such as firewalls, int rusion det ect ion syst em s, e- m ail filt ers, and/ or cont ent m anagem ent syst em s or t hird- part y securit y services What t act ical st eps t o t ake t o m it igat e t he im pact of t he at t ack while it is under way

The m ost im port ant aspect of your plan is t he t eam of individuals select ed for responding t o an at t ack and relat ed em ergencies. Perhaps individuals also support disast er recovery. I ndividuals who are assigned t o disast er recovery are generally ast ut e in logist ics and syst em s support and funct ion well under pressure. Sim ilarly, t o cope wit h a com put er at t ack, you should assign individuals who also funct ion well under pressure and respond quickly and logically t o adverse sit uat ions. Addit ionally, t hese people m ust be experienced wit h net work operat ions. Therefore, your t eam should be com posed of senior t echnical st aff who are capable of form ulat ing and execut ing a plan of act ion. Senior m anagem ent should bot h sanct ion and give t he necessary aut horit y t o t he t eam and t he subsequent plan. Specifically, t he t eam should consist of several key individuals. The m ost im port ant m em ber is t he one who has line responsibilit y for net work securit y. I deally, t his person should be proficient in t he various at t ack classes and capable of discerning t he kind of at t ack t he ent erprise sust ains. Being able t o ident ify t he t ype of at t ack

will help det erm ine it s source, durat ion, and, perhaps, t he num ber of occurrences. Next , t he individual who m anages or is proficient in m anaging com put er/ securit y logs is a good candidat e. The lead engineer or syst em s person who im plem ent s t he net work's securit y m easures is also a good candidat e for t he t eam . The com m unicat ion specialist or individual who int erfaces wit h t he ent erprise's I SP is a sure bet , t oo. Finally, a t eam leader should be designat ed; it doesn't necessarily have t o be t he securit y officer but m ust be som eone who can m anage t he em ergency t ask force effect ively. Grant ed, som e pot ent ial candidat es m ay possess t wo or m ore of t he skill set s t hat t he t eam requires. I f so, t he role and t he responsibilit y of a given t eam m em ber should m at ch t he skills he or she is capable of perform ing best during an at t ack. I n ot her words, m ake sure t hat enough individuals are available t o deal wit h t he at t ack swift ly and effect ively. This will prevent any one individual from get t ing bogged down wit h t oo m uch t o do. Figure 8- 1 sum m arizes t he baseline organizat ion for an incident response t eam .

Figu r e 8 - 1 . Ba se lin e or ga n iza t ion for incide n t r e sponse t e a m

I f t he skills you need are not available in- house, consider out sourcing t hese requirem ent s t o a service provider t hat offers em ergency response services. Com panies t hat provide such services t ypically offer t he m eans t o provide t hem direct ly or t rain st aff as needed. I f t he budget perm it s, you m ay also hire t he individual( s) you require. However, out sourcing for t raining or service delivery m ay be t he m ost feasible choice.

Obtain Outside Assistance When under at t ack, get help. St art by inform ing your I nt ernet service provider t hat an at t ack is in process. The I SP can t ake act ion t o pinpoint where t he at t ack is originat ing, t o block subsequent incursions from reaching t he affect ed host s in your ent erprise. You can also report at t acks on your net work t o t he CERT Coordinat ion Cent er. This is st rongly recom m ended. The CERT/ CC is part of t he Soft ware Engineering I nst it ut e ( SEI ) , a federally funded research and developm ent cent er at Carnegie- Mellon Universit y. CERT/ CC was com m issioned t o handle and t o coordinat e I nt ernet em ergencies am ong aut horit ies aft er t he in fam ous I nt ernet worm incident of 1988, which was responsible for bringing 10 percent of all I nt ernet syst em s t o a halt . Since it s incept ion, CERT has received m ore t han 288,600 e- m ail m essages and 18,300 hot - line calls report ing com put er securit y incident s or request ing inform at ion. From t hese filings, CERT has handled m ore t han 34,800 com put er securit y incident s, and t he CERT/ CC's incident - handling pract ices have been adopt ed by m ore t han 85 response t eam s worldwide. During an incident , t he CERT/ CC can help t he ent erprise's I RT ident ify and correct t he vulnerabilit ies t hat allowed t he incident t o occur. CERT has received m ore t han 1,900 vulnerabilit y report s since going int o operat ion. CERT will also coordinat e t he response wit h ot her sit es t hat are affect ed by t he sam e incursion or incident and int erface wit h law enforcem ent individuals on behalf of an at t acked sit e. CERT officials work regularly wit h ent erprises t o help form I RTs and t o provide guidance t o newly operat ing unit s. When obt aining out side help, have t he following im port ant inform at ion handy: •

• • •

•

Com pany or organizat ion nam e, t elephone num ber, e- m ail address, and t im e zone The host nam e, dom ain nam e, and I P address of t he syst em under at t ack The apparent source of t he at t ack: host nam e or I P address A descript ion of t he at t ack m et hod: back door, DoS; at t ack t ool/ t ype; and relat ed file nam es, execut ables, and so on Durat ion or discovery of t he at t ack

The init ial inform at ion you give CERT is invaluable in gat hering forensics for legal proceedings. To use CERT's official form for incident report ing, go t o ht t p: / / www.cert .org/ report ing/ incident _form .t xt . ( A sam ple of t his form is given in Appendix B.) At a m inim um , you or som eone on t he I RT should have working knowledge of t he various classes of at t acks and t he abilit y t o diagnose t hem in t he event of such occurrences.

Contact Law Enforcement Authorities When confront ing an at t ack, m ake cert ain t hat you docum ent and est ablish an audit t rail of your response act ivit y. This will bolst er your effort s in accum ulat ing forensics and m it igat ing t he effect s of current and, perhaps, subsequent at t acks. The im port ance of docum ent ing every act ion you t ake in recovering from an at t ack is crucial. Recovering from an at t ack is as t im e consum ing as it is st ressful. I t is not unusual t hat very hast y decisions are m ade under t hese circum st ances. Docum ent ing all t he st eps you m ake in recovery will help prevent hast y decisions and will provide a crit ical record of t he st eps t he ent erprise t ook t o recover. So whom do you call? U.S. sit es int erest ed in an invest igat ion should cont act t he local Federal Bureau of I nvest igat ion field office. On May 22, 1998, President Bill Clint on signed President ial Direct ive 63, which t arget ed 2003 as t he year by which a " reliable, int erconnect ed, and secure inform at ion syst em infrast ruct ure" would be creat ed. Alt hough t he FBI was involved wit h m ore t han 200 cases before t he direct ive, t he FBI 's caseload quadrupled in t he t wo years aft er t he direct ive t ook effect . Those 800 cases ranged from vandalism of Web sit es t o pot ent ial t heft of m ilit ary secret s. I t is im perat ive t hat you cont act law enforcem ent officials before at t em pt ing t o set a t rap or t o t race an int ruder. Any at t em pt s t o t rap or t o t race an int ruder m ay prove fruit less unless you involve a law enforcem ent agency, which will guide you in t he appropriat e procedures. To pursue an invest igat ion, call t he local FBI field office. The FBI has 56 field offices wit h full- t im e com put er squads assigned. Be advised, however, t hat som e field offices m ay not have full- t im e or any com put er incident / crim e st aff assigned what soever. I n som e cases, t he nearest field office wit h com put er crim e agent s on st aff m ay be a st at e or m ore away. For inform at ion, consult t he local t elephone direct ory or visit t he FBI 's field offices Web page: ht t p: / / www.fbi.gov/ cont act / fo/ fo.ht m . As an alt ernat ive reference source, you can also visit t he Web page of t he FBI 's Washingt on Field Office I nfrast ruct ure Prot ect ion and Com put er I nt rusion Squad ( WFO I PCI S) : ht t p: / / www.fbi.gov/ program s/ pcis/ pcis.ht m . The U.S. Secret Service m ay be t he best alt ernat ive for cert ain ot her incident s: •

• •

Theft or abuse of credit card inform at ion: credit card fraud, t he illegal confiscat ion and exchange of credit cards, and blackm ail E- m ail t hreat s on t he President of t he Unit ed St at es I m personat ion of t he President of t he Unit ed St at es t hrough forged e- m ail

The U.S. Secret Service can be cont act ed on it s m ain t elephone num ber: ( 202) 4357700. The Secret Service's Financial Crim es Division- Elect ronic Crim es Sect ion t elephone num ber is ( 202) 435- 5850. I n t he int ernat ional arena, cont act t he local law enforcem ent agency of t he count ry in quest ion for inst ruct ions on how t o pursue an invest igat ion. The federal governm ent has also set up t he Federal Com put er I ncident Response Capabilit y ( FedCI RC) , an incident response organizat ion for federal civilian agencies.

Alt hough t he day- t o- day operat ions of FedCI RC are handled by CERT, t he General Services Adm inist rat ion ( GSA) m anages t he organizat ion. The following sit es and t elephone num bers have been est ablished for incident report ing. • •

•

For m ore inform at ion on FedCI RC, go t o ht t p: / / www.fedcirc.gov/ . Send e- m ail t o fedcirc- [email protected]; call t he FedCI RC Managem ent Cent er at ( 202) 708- 5060. To report an incident , civilian agencies should send e- m ail t o [email protected] or call t he FedCI RC hot line at ( 888) 282- 0870.

Use Intrusion Detection System Software When your ent erprise is at t acked, isolat e and m onit or affect ed syst em s, using int rusion det ect ion syst em ( I DS) soft ware or relat ed services. Such soft ware sim plifies t his crucial st ep, especially if you have bot h host and net work int rusion det ect ion soft ware. Host - based I DS is advant ageous in isolat ing int ernal sabot eurs by t racking and responding t o violat ions of securit y policy or business rules by int ernal users. When a host I DS encount ers an int ernal breach or an incursion, net work securit y st aff are inst ant ly alert ed by e- m ail, paging, or relat ed not ificat ion. For large net works wit h m any m ission- crit ical servers, host - based int rusion det ect ion can be very expensive. I f t he cost is prohibit ive, find t he t radeoff t hat will enable you t o prot ect m ission- crit ical or st rat egic host s in t he ent erprise net work. I f host - based I DS is sim ply out of t he quest ion, you m ay be able t o j ust ify a net work- based I DS deploym ent t o m onit or at t ack signat ures as t hey are encount ered on t he net work. Then appropriat e act ion can be t aken, including inst ruct ing t he firewall not t o accept any m ore I P packet s wit h at t ack signat ures from t he source of t he at t ack. Furt herm ore, an I DS can lead you t o t aking im port ant count erst eps during t he at t ack and in post at t ack m ode, such as inst alling securit y pat ches in net work devices, increasing bandwidt h, and t aking relat ed act ions in coping wit h a DoS at t ack. An I DS can also help you det erm ine whet her a front al incursion is really a diversion t hat is m asking a m ore serious at t ack, wherein t he act ual obj ect ive is t he com plet e t akeover of your syst em s. I n place of an I DS or ot her securit y m easure, you have no choice but t o engage in hand- t o- hand com bat or use m anual m et hods. This assum es t hat , at a m inim um , a rudim ent ary knowledge of t he com m and st ruct ure or signat ures of t he various classes of at t acks can be det erm ined by reading logs, inspect ing root direct ories, or discovering unusual port s logging act ivit y at odd t im es. I nspect ion of direct ories for t ell- t ale signs of at t ack could ident ify known files or execut ables t hat produce backdoor or DoS incursions. I nspect ing user and syst em logs, alt hough pot ent ially t im e consum ing, could show unexpect ed act ivit ies, such as unaut horized access t o financial records or confident ial ent erprise inform at ion. Or, you m ay discover suspicious UDP or TCP session act ivit y over five- digit or uncom m on, port num bers ( see Table 6- 2) . Unless your net work has fewer t han, say, 50 workst at ions, reviewing logs, perusing direct ories, and dealing wit h an at t ack in progress could prove t o be a t im econsum ing, t edious process. The sheer am ount of inform at ion t hat you m ust sift t hrough, let alone t he knowledge you or a t eam individual( s) m ust possess and apply

expedient ly, could prove overwhelm ing, especially if t he t eam is operat ing wit hout securit y count erm easures, such as an I DS. I n t he final analysis, if you have a net work t hat is larger t han perhaps 25–50 users, you should st rongly consider deploying an I DS. An I DS securit y m easure will com plem ent , if not enhance, t he knowledge of your t eam , respond t o an incursion expedient ly, and enable you t o sift t hrough a lot of inform at ion at t he packet level and t hereby decrease your exposure t o securit y risks. For an excellent perspect ive on I DSs, refer t o t he review " I nt rusion Det ect ion Syst em s ( I DSs) : Perspect ive" by Gart ner. The review can be obt ained at ht t p: / / www.gart ner.com / Display?TechOverview?id= 320015. Anot her excellent review is " NI ST Special Publicat ion on I nt rusion Det ect ion Syst em s," available from t he NI ST Web sit e: www.nist .gov. Finally, for a survey of com m ercially available I DSs, go t o ht t p: / / lib- www.lanl.gov/ la- pubs/ 00416750.pdf" and ht t p: / / www.securit yfocus.com . Securit yFocus.com is an I DS- focused sit e t hat feat ures news, inform at ion, discussions, and t ools.

Countering an Attack Firewalls are inst rum ent al in t hwart ing at t acks t hat involve I P spoofing and cert ain DoS exploit s, such as a SYN- ACK at t ack. Virus soft ware blocks viruses of all t ypes. I nt rusion det ect ion syst em s are designed t o foil virt ually every ot her class of at t acks: backdoor program s, dist ribut ed DoS at t acks and relat ed t ools, I P fragm ent at ion exploit s, and, especially, int ernal sabot age. At a m inim um , ent erprises t hat operat e in t he I nt ernet econom y should have eit her a st at eful inspect ion or proxy firewall or, preferably a com binat ion of t he t wo and virus soft ware. Furt herm ore, all organizat ions t hat operat e wit h t heir net works online should also have som e form of I DS, at least in t heory. Believe it or not , however, m any organizat ions don't even have a firewall, let alone an I DS. That 's unt hinkable, given t he pot ent ially horrifying securit y problem s of t he I nt ernet . Alt hough t he out lay for fully deploying an I DS m ay be beyond t he financial m eans of m any ent erprises, it should be a key count erm easure in your securit y arsenal, especially if open access t o inform at ion asset s is involved. The only ot her way t o ensure securit y is by disconnect ing your net work from t he I nt ernet and relegat ing it t o your largest st orage closet ! I f you det erm ine—preferably aft er a risk assessm ent —t hat weat hering a securit y breach is m ore cost - effect ive t han deploying an I DS, t he inform at ion present ed in t his sect ion will be helpful. The scenarios in which you could possibly forgo deploying an I DS are very few, such as having a non- m ission- crit ical FTP server or a Web sit e operat ing in t he DMZ, net works t hat support nonessent ial business funct ions wit h em ail m essaging, bullet in boards, or corporat e chat room s. Consequent ly, if you have only virus soft ware and own or are planning t o put in a firewall, t he inform at ion present ed in t his sect ion is crit ical t o your abilit y t o prot ect your net work. I f, on t he ot her hand, you are planning t o inst all an I DS, t his sect ion will great ly enhance your working knowledge and im prove your abilit y t o use such a securit y t ool in prot ect ing your net work's infrast ruct ure. Wit h an I DS and a firewall deployed, you are aut om at ically not ified of at t ack signat ures prowling your net work and violat ions of business rules. Wit h a host I DS in

place, you are also aut om at ically alert ed when int ernal users perform any unaut horized act ion, such as dat a m odificat ion, rem oval, or delet ion. I n effect , an I DS levels t he playing field. Wit hout an I DS, you are, unfort unat ely, left wit h plain old due diligence and a lot of int est inal fort it ude. I f you are operat ing wit hout an I DS ( act ually, hardening your infrast ruct ure is a best pract ice whet her you have an I DS or not ) , harden operat ing syst em s and elim inat e ext raneous services and default user account s and passwords t hroughout t he net work. ( Refer t o t he discussion earlier in t his chapt er on what t o do before an at t ack and t he sect ion Deploying and Maint aining Com plex Layered Client / Server Soft ware in Chapt er 5 for ot her recom m ended precaut ions.) Thus, when you det erm ine t hat syst em s are com prom ised, you should first disconnect t he com prom ised syst em ( s) and m ake a copy of t he im age of t he affect ed syst em ( s) .

Disconnect Compromised Host/System from Your Network When a net work node or host has been com prom ised, t ake it off t he ent erprise net work. I n m ost cases, t he best way t o recover from at t acks is by disconnect ing t he com prom ised host t o rem ove or t o clean affect ed files, delet e rogue program s, and rebuild t he syst em , including rest oring hard drives. I n a DDoS at t ack, you can t ake count erm easures during t he at t ack t o lessen it s severit y and t o allow you t o cont inue providing services t o legit im at e users. When t he at t ack has run it s course, you m ay need t o rem ove t he affect ed host t o det erm ine whet her any t ell- t ale forensics capt ured by t he affect ed host 's syst em logs can be used in any legal proceedings. Tact ics you can use t o m it igat e t he im pact of DDoS at t acks in progress will be covered in det ail in Chapt er 9. Aft er disconnect ing a com prom ised UNI X syst em , you m ay wish t o operat e in singleuser m ode t o regain cont rol. For NT or Windows 2000 syst em s, swit ching t o local adm inist rat or m ode is recom m ended. Swit ching t o t hese m odes ensures t hat you have com plet e cont rol over t hese m achines, because t he link t o any pot ent ial int ruder is severed. One word of caut ion, however: I n swit ching t o single or local adm inist rat or m ode, you run t he risk of losing pot ent ially useful inform at ion because any processes running at t he t im e of discovery will be lost . Processes t hat are killed m ay elim inat e t he abilit y t o m ark an int ruder's pat hway t o, for exam ple, a net work sniffer. By m axim izing your effort s t o obt ain im port ant forensics from t he processes being run at t he t im e of t he at t ack, you risk furt her breaches or deeper penet rat ion before t he com prom ised host can be rem oved. When you are convinced t hat you have capt ured vit al inform at ion from act ive processes, rem oving t he m achine and swit ching m odes would be m ore feasible. Working in single- user m ode or local adm inist rat or m ode for UNI X or NT/ Windows 2000, respect ively, poses som e addit ional advant ages. Doing so prevent s int ruders and int ruder processes from accessing or changing st at e on t he affect ed host as a recovery process is at t em pt ed. Recovering in t hese m odes also elim inat es t he int ruder's abilit y t o undo your st eps as you t ry t o recover t he com prom ised m achine. Therefore, when you are cert ain t hat you have obt ained adequat e forensics from t he processes t hat were running when t he at t ack( s) occurred, disconnect t he com prom ised m achine in favor of a single- user operat ing m ode in recovery.

Copy an Image of the Compromised System(s) Before st art ing an analysis of t he int rusion, m ost securit y expert s recom m end t hat you m ake a copy of your syst em 's m ass st orage device or hard disk. The purpose of t he backup is t o provide a snapshot of t he file direct ory of t he host ( s) in quest ion at t he t im e of t he at t ack. Chances are, you m ay need t o rest ore t he backup t o it s original " at t ack" st at e for reference as t he recovery and subsequent invest igat ion proceeds. Making a backup of your hard drive in UNI X syst em s is st raight forward. Wit h a disk drive of t he sam e capacit y as t he com prom ised drive, you can use t he dd com m and t o m ake an exact duplicat e. A derivat ion of dd can also be used if, for exam ple, a Linux syst em wit h a SCSI ( sm all com put er syst em s int erface) disk is t he host in quest ion. Wit h a second SCSI disk of t he sam e m ake and m odel, an exact replica of t he com prom ised disk can be achieved. ( For m ore inform at ion, refer t o your syst em docum ent at ion on m aking a backup of m ass st orage m edia.) NT syst em s have no inherent equivalent com m and. However, plent y of t hird- part y syst em ut ilit ies are available. Label, sign, and dat e t he backup, and st ore it in a safe place t o ensure t he int egrit y of t he unit .

Analyze the Intrusion Wit h t he com prom ised syst em ( s) disconnect ed and t he recom m ended backup( s) com plet ed, you are ready t o analyze t he int rusion. What is t he ext ent of t he breach? Were sensit ive inform at ion and int ellect ual secret s confiscat ed? Were any user passwords capt ured during t he raid? Did t he hackers get away wit h confident ial cust om er inform at ion, including credit cards? Analyzing t he int rusion or t o answer t hese quest ions begins wit h a t horough review of t he securit y person's equivalence of surveillance t apes: log files and configurat ion files. Through analysis of t hese files, your securit y t eam will uncover signs and confirm at ion of int rusions, unaut horized m odificat ions, and m aybe obscure configurat ion weaknesses. Verify all syst em binaries and configurat ion files. The best way t o accom plish t his is by checking t hem t horoughly against t he m anufact urer's dist ribut ion m edia t hat shipped wit h t he syst em . Keep in m ind t hat because t he operat ing syst em it self could also be m odified, you should boot up from a t rust ed syst em and creat e a " clean" boot disk t hat you could use on t he com prom ised syst em . Aft er t he boot disk is creat ed, m ake cert ain t hat it is writ e- prot ect ed t o elim inat e any pot ent ial of it s being m odified during your analysis. CERT/ CC, which has had considerable experience wit h such m at t ers, has concluded t hat syst em binaries of UNI X and NT syst em s are a favorit e t arget of int ruders for perpet rat ing t heir incursions. Troj an horses com m only replace binaries on UNI X syst em s. The binaries t hat are t ypically replaced include •

•

TELNET, in.t elnet d, login, su, ft p, ls, ps, net st at , ifconfig, find, du, df, libc, sync, inet d, and syslogd Binaries in t he direct ory / et c/ inet d.conf, in crit ical net work and syst em program s, and in shared obj ect libraries

Troj an horses, used on NT or Windows 2000 syst em s as well, usually int roduce com put er viruses or rem ot e adm inist rat ion program s, such as Back Orifice and Net bus. ( See Chapt er 6.) I n cases on NT syst em s, a Troj an horse replaced t he syst em file t hat cont rols I nt ernet links. One final caveat about evaluat ing binaries. Som e Troj an horse program s could have t he sam e t im est am ps as t he original binaries and provide t he correct sum values. Therefore, in UNI X syst em s, use t he cm p com m and t o m ake a direct com parison of t he suspect binaries and t he original dist ribut ion m edia. Alt ernat ively, m any vendors supply for t heir dist ribut ion binaries MD5 checksum s, which can be obt ained for UNI X, NT and Windows 2000 syst em s. Taking t he checksum s of t he suspect binaries, com pare t hem against a list of t he checksum s m ade from t he good binaries supplied by t he vendors. I f t he checksum s don't m at ch, you know t hat t he binaries have been m odified or replaced. Aft er evaluat ing syst em binaries, check syst em configurat ion files. For UNI X syst em s, m ake sure t o do t he following. • • •

•

Check your / et c/ passwd file for ent ries t hat do not belong. Check t o ascert ain t hat / et c/ inet d.conf has been changed. I f r- com m ands, such as rlogin, rsh, and rexec, are allowed, det erm ine whet her anyt hing doesn't belong in / et c/ host s.equiv or in any .rhost s files. Check for new SUI D and SGI D files. Use t he appropriat e com m and t o print out SUI D and SGI D files wit hin t he com prom ised file syst em .

For NT syst em s, be cert ain t o check t he following. • •

•

•

Look for odd users or group m em berships. Check for any changes t o regist ry ent ries t hat st art program s at log- on or at t he st art of services. Check for unaut horized hidden sharing facilit at ed by t he net share com m and or Server Manager ut ilit y. Check for unident ifiable processes, using t he pulist .exe t ool from eit her NT's resource kit or Task Manager.

Recognizing What the Intruder Leaves Behind Aft er ascert aining what int ruders have done at t he root and syst em levels, figure out what at t ack t ools and dat a t he hackers left behind. The class of at t ack t hat you find will provide insight int o t he t ype of breach t hat is ult im at ely sust ained by t he ent erprise. Following are t he com m on classes of at t ack t ools, relat ed dat a, and t he ent erprise inform at ion asset s, capit al, and ot her t hings t he int ruders were m ost likely aft er. Net work sniffers are soft ware ut ilit ies t hat m onit or and log net work act ivit y t o a file. I nt ruders use net work sniffers t o capt ure user nam es and password dat a t ransm it t ed in clear t ext over a net work. Sniffers are m ore com m on on UNI X syst em s. The equivalent on NT syst em s are keyst roke- logging logs. Troj an horse program s appear t o perform an accept able funct ion but in realit y perform a clandest ine exploit . ( See t he sect ion Backdoor Program s and Troj an

Horses in Chapt er 6.) I nt ruders use Troj an horses t o hide surrept it ious act ivit ies and t o creat e back doors t o enable fut ure access. Like sniffers, Troj an horses are also used t o capt ure user nam e and password dat a. I n UNI X syst em exploit s for exam ple, hackers replace com m on syst em binaries wit h Troj an horses or t heir alt ered versions of t hese program s. ( See t he sect ion Analyze t he I nt rusion in t his chapt er.) Backdoor program s are designed t o hide t hem selves inside a com prom ised host . ( Refer t o t he sect ion Backdoor Program Funct ions in Chapt er 6.) Typically, t he backdoor program enables t he hacker t o access t he t arget ed syst em by circum vent ing norm al aut horizat ion procedures. The real st rengt h of back doors is t hat once t hey are in place, t he int ruder can access your syst em wit hout having t o deal wit h t he challenges of vulnerabilit y exploit at ion for repeat access. Vulnerabilit y exploit s are used t o gain unaut horized access in order t o plant int ruder t ools in t he com prom ised host . These t ools are oft en left behind in m asked, obscure, or hidden direct ories. For exam ple, int ruders exploit vulnerabilit ies in RPC services t o inst all replacem ent program s, or Troj an horses. Replacem ent program s hide int ruder processes from syst em adm inist rat ors and users. ( See t he sect ions Deploying and Maint aining Com plex Layered Client / Server Soft ware in Chapt er 5 and At t acks t hrough Rem ot e Procedure Call Services in Chapt er 7.) Ot her int ruder t ools are t he sam e as t hose securit y m anagers and syst em adm inist rat ors use for legit im at e operat ions. I nt ruders use t hese t ools t o probe or scan your net work, cover t heir t racks, replace legit im at e syst em binaries, and exploit ot her syst em s while operat ing from a com prom ised one. Basic scanning/ probing t ools becom e obj ect s of suspicion when t hey appear in your net work in unaut horized locat ions, such as direct ories. Chances are t hat int ruders are using t he host in quest ion t o scan other net works, and your net work has becom e a base cam p for illicit int ruder operat ions. I nt ruders t ypically use scanning t ools t o det erm ine where t hey will set up shop. Som e of t he t ools scan for a specific exploit , such as ft p- scan.c. I f a single port or vulnerabilit y is being probed on your net work, t he int ruder is perhaps using one of t hese single- purpose t ools. On t he ot her hand, such t ools as sscan and nm ap probe for a variet y of weaknesses or vulnerabilit ies. Of t he t wo, sscan is t he m ost sophist icat ed m ult ipurpose scanner in t he wild. To launch sscan, t he hacker sim ply supplies t he program wit h t he net work I P address and net work m ask, and t he program does t he rest . The hacker m ust be at t he root level t o use sscan. The port scanner of choice since it s int roduct ion, nm ap, short for net work m apper, is a ut ilit y for port scanning large net works, alt hough a single host can be scanned. This ut ilit y provides operat ing syst em det ect ion, scans bot h UDP and TCP port s, assem bles packet s in a variet y of ways, random izes port scanning, bypasses firewalls, and undert akes st ealt h scanning, which does not show up in your logs. Replacem ent ut ilit ies use ut ilit y program s called root kit s t o conceal t heir presence in com prom ised syst em s. One of t he m ost com m on root kit s is I rk4, an aut om at ed script t hat when execut ed, replaces a variet y of crit ical int ruder files, t hus hiding t he int ruder's act ions in seconds. Password- cracking t ools, such as Crack and John t he Ripper ( Jt R) , are passwordcracking t ools in widespread use in t he wild. Unless you are using t hese t ools for

your own benefit , you won't necessarily see t hem on your net work, unless your net work is used as a base cam p. Crack is freeware and is designed t o ident ify UNI X DES- encrypt ed passwords t hrough ordinary guessing t echniques supplied by an online dict ionary. Jt R, fast er and m ore effect ive t han Crack, runs on m ult iple plat form s, including Windows operat ing syst em s and m ost flavors of UNI X. Hacker account s on UNI X syst em s m ay be called m oof, rewt , crak0, and w0rm . DoS at t ack t ools are likely t o be found in files nam ed m ast er.c and/ or ns.c, indicat ing t hat your net work cont ains eit her a m ast er or a zom bie, respect ively, com ponent of a Trin00 DDoS at t ack syst em . I nt ruder t ool out put t o syst em logs is cleaned t o cover t he hackers' t racks. Cloak, zap2, and clean are log- cleaning t ools t hat int ruders m ay use for t his purpose. Nevert heless, it is st ill a good idea t o check t he logs for int ruder act ivit y. For exam ple, syslogd in som e versions of UNI X, such as Red Hat Linux, logs sscan probes against your net work in t he secure log file. Secure log appends an ent ry whenever an out side host connect s wit h a service running t hrough inet d. However, sscan always int errupt s t he connect ion wit h a reset before t he source of t he probe can be logged, t hus keeping t he source of t he probe unknown. Logs t hat cont ain no inform at ion but should are a sign t hat t hey have been cleaned, which in t urn suggest s t he presence of a com prom ised net work host . Unfort unat ely, t he t ools described here are only som e of t hem . You need t o cont inue your research int o t he t ypes and funct ions of t he t ools t hat are used against you, so t hat t he appropriat e count erm easures can be deployed t o safeguard your net work. At a m inim um , you should download a copy of nm ap and fam iliarize yourself wit h t his dynam ic probing t ool. Periodically run scans against your net work t o see what t he hacker sees and what could pot ent ially be exploit ed. Adopt ing t his pract ice will help you st ay focused on elim inat ing t he vulnerabilit ies t hat expose net work services t o hacker incursions. To download a copy of nm ap, go t o ht t p: / / www.insecure.org/ nm ap/ index.ht m l. I n general, look for ASCI I files in t he / dev direct ory on UNI X syst em s. When hackers replace som e syst em binaries wit h Troj an horses, t he result ing Troj an binaries rely on configurat ion files found in / dev. Search carefully for hidden files or direct ories, which usually accom pany creat ion of new account s or hom e direct ories. Hidden direct ories t end t o have st range file nam es, such as " ." ( one dot ) or " . " ( one dot and a space) . Once a hidden file is isolat ed, list t he files in t hat direct ory t o det erm ine t he ext ent of t he incursion in t erm s of hacker t ools and files t hat are on t he com prom ised m achine. On Windows syst em s, look for files and direct ories t hat are nam ed t o direct ly or closely m at ch a Troj an syst em file, such as EXPLORE.EXE or UMGR32.EXE.

Chapter 9. Denial-of-Service Attacks Denying service t o legit im at e net work users is a favorit e exploit of hackers. Hackers m ay deny access t o an individual net work service, such as FTP or HTTP, or t o an ent ire net work. DoS, especially DDoS, at t acks can pot ent ially be t he m ost cost ly of at t acks for ent erprises t o handle. I n large B2B net works, for exam ple, a DDoS at t ack could cause losses in lit erally m illions of dollars. I n addit ion t o incurring int ernal cost s for fight ing a DDoS at t ack, t housands—perhaps even m illions—of dollars m ore could be realized in lost revenue. Most dist urbing, once a DDoS at t ack is launched, you can't st op t he flood of packet s, m ainly because t he at t ack source could be t housands of net work host s sending bogus inform at ion from anywhere in t he wild. Alt hough you m ay not be able t o st op a DDoS, you m ight be able t o st em t he t ide. This chapt er focuses on denial- of- service at t acks and on t he count erm easures you should deploy t o m it igat e t he pot ent ially devast at ing effect s.

Effects of DoS and DDoS Attacks Hackers have used sim ple DoS at t acks, such as SYN- ACK and land incursions, in t he wild for som e t im e. " Sim ple" at t acks originat e from a single or lim it ed source and are launched against a single t arget at a t im e. I n cont rast , a dist ribut ed DoS is launched from perhaps t housands of locat ions against a single or lim it ed num ber of t arget s. Firewalls prot ect against sim ple DoS at t acks by, for inst ance, not allowing half- open, or SYN- ACK, connect ions t o rem ain on t he server in quest ion such t hat a backlog of SYN- ACK m essages occurs. A half- open session exist s when t he SYN- ACK, or acknowledgm ent , of t he server syst em has not received t he final ACK from t he init iat ing client . I n t his sit uat ion, firewalls will send t he final ACK t o com plet e t he half- open t ransm ission. The server syst em will reset for subsequent session est ablishm ent . Num erous SYN- RECEI VED ent ries in t he firewall logs could suggest a SYN- ACK at t ack. ( See t he sect ion SYN- Flood and Land At t acks in Chapt er 6.) SYNACK and land at t acks are also t hwart ed by t he ant i–I P spoofing capabilit y of firewalls. Ping of deat h and ot her variant s, such as Teardrop ( see Chapt er 6) are used t o send m alform ed and/ or oversized packet s t o syst em s. When t hey receive such packet s, host s operat e errat ically and possibly crash, denying service t o legit im at e users. Correct ly configured firewalls can recognize t hese at t acks and block t hem from ent ering t he net work because t hey are originat ing from a single or a lim it ed source. ( Not e t hat in t his scenario, t he firewall is only repelling t he at t ack, not st opping it from occurring.) Furt herm ore, if t he t arget ed sit e has high- speed/ bandwidt h I nt ernet access, such as a digit al subscriber line ( DSL) , fract ional T1 or T1, a sim ple, or regular, DoS at t ack will m ost likely not cause a syst em crash. Dist ribut ed DoS ( DDoS) at t acks, however, are anot her st ory. These at t acks cannot be so easily repelled, even wit h a firewall. However, wit h a fort ified firewall—one equipped wit h perform ance boost ers—an I DS, and m axim um com m unicat ion bandwidt h( s) , you m ay be able t o prevent t he DDoS from dram at ically im pact ing net work perform ance or crashing t he net work.

A DDoS at t ack direct s t raffic from hundreds t o t housands of syst em s against one or a lim it ed num ber of t arget s all at once, creat ing an enorm ous flood of t raffic at t he vict im 's net work/ host ( s) . Like sim ple DoS at t acks, DDoS at t acks arrive as a SYN- ACK at t ack, Ping of deat h, UDP bom b ( I CMP Port Unreachable at t ack) , or a Sm urf ( I CMP bandwidt h at t ack) . ( See Chapt er 6 and Appendix D.) A DDoS at t ack is a war of bandwidt h, wit h t he at t acker m ost likely t o win because of t he pot ent ial for incredible num bers const it ut ing t he at t ack source. Your challenge involves enduring an at t ack by m inim izing t he st rain on com put ing resources, t hereby prevent ing t he com plet e consum pt ion of connect ivit y bandwidt h and recovery. During a DDoS at t ack, a firewall bears t he brunt of t he at t ack. Any firewall, if configured correct ly, could recognize all t he aforem ent ioned DDoS at t ack m et hods and drop t he packet s before t hey penet rat e t he net work. However, if t he firewall's rule base is not properly configured or if t he server lacks sufficient com put ing cycles, it will quickly becom e consum ed wit h processing bogus connect ion at t em pt s. Even a properly configured firewall would st ill need t im e t o m ake decisions before dropping t he connect ion at t em pt . Processing a flood could st rain t he firewall's resources, leading t o perform ance degradat ion and denial t o any legit im at e connect ion at t em pt s. To det erm ine whet her an at t ack is indeed a DDoS at t ack, you should consider t he MAC ( m edia access cont rol) addresses being logged by t he firewall. Looking for source I P addresses would not necessarily help, because t hey are likely t o be spoofed. Furt her, DDoS at t ack t ools use flat - dist ribut ion random - num ber generat ors t hat cause each at t ack packet t o use an address only once. Typically, t hese addresses are nonrout able I P addresses or ones t hat don't exist on global rout ing t ables. Moreover, t he MAC address is t he perm anent address assigned t o devices t hat provide t he int erface, or link, for LAN ( local area net work) com m unicat ion and dat a access. For exam ple, t he m anufact urers of net work int erface cards ( NI Cs) usually burn in t he MAC address int o PROM ( program m able read- only m em ory) or EEPROM ( erasable program m able read- only m em ory) configured int o t he LAN card. I f you see m ult iple at t acks from various MAC addresses, you are probably sust aining a DDoS assault .

General Computing Resources As a pract ical m easure, m ake sure t hat your firewall gat eway/ server has am ple com put ing resources—RAM ( random - access m em ory) , CPU ( cent ral processing unit ) cycles, and caching—t hat are over and above t he recom m ended requirem ent s. Expanding RAM could enable t he operat ing syst em t o cont inue funct ioning, perhaps even m aint ain perform ance, during t he at t ack. The ext ra capacit y m ay also enable your firewall t o address t he at t ack packet s while allowing exist ing t raffic t o cont inue wit h t heir sessions. ( Not e t hat alt hough exist ing t raffic at t he t im e of t he DDoS at t ack m ay not be denied, session request s from new t raffic m ight be.)

High-Performance Firewall I m plem ent ing a high perform ing firewall ent ails deploying t wo firewalls wit h at least t wo load- balancing devices t o dist ribut e t raffic equally am ong t he result ing firewall clust er. Load balancing, provided by specialt y hardware, is a t echnique t hat m axim izes resource availabilit y and perform ance in net works. The relat ively inexpensive cost of load- balancing solut ions m akes t hem a cost - effect ive alt ernat ive for opt im izing securit y resources. Load- balanced firewalls increase perform ance benefit s by allowing bot h firewalls t o m ake securit y decisions sim ult aneously. I n a proxy- based firewall clust er, for exam ple, each firewall could support up t o 850,000 concurrent sessions. Alt hough a clust ered, load- balanced firewall solut ion will not st op t he DDoS at t ack, t he firewall clust er will lessen t he im pact of t he at t ack by m arshalling t he resources of t wo firewalls sim ult aneously. I n a load- balanced firewall im plem ent at ion, all firewalls are act ive and cont inually sharing st at e inform at ion t o det erm ine one anot her's abilit y t o cont rol net work access. I n ot her words, t he firewalls are cont inually checking one anot her's abilit y t o perform t he j ob. During a DDoS at t ack, it is inconceivable t hat a firewall clust er could be overwhelm ed t o t he point of crashing, especially as each firewall in a loadbalance farm could handle up t o 850,000 concurrent sessions, depending on t he hardware configurat ion. However, depending on t he m agnit ude of t he at t ack, even a load- balancing firewall solut ion could, pot ent ially, st ruggle t o keep perform ance from degrading or bandwidt h from com plet ely exhaust ing in a DDoS at t ack t hat is generat ing m illions of packet s at t em pt ing t o est ablish bogus TCP or UDP sessions wit h your net work. But your abilit y t o st ay online and t o keep net work resources accessible is increased considerably wit h a firewall clust er as you work wit h your response t eam and I SP t o put down t he at t ack at t he source.

Network Bandwidth The im pact of a DDoS incursion can be lessened by t aking precaut ions wit h t he bandwidt h of crit ical net work im plem ent at ions. For exam ple, upgrading from a fract ional t o a full T1 and dist ribut ing processing across t he net work m ay help achieve a brut e- force bandwidt h defense. Such defense com bines large com m unicat ion channels wit h dist ribut ed net works t o provide t he brut e st rengt h capable of alleviat ing pot ent ial bandwidt h const raint s in t he event of a DDoS at t ack. One way of achieving dist ribut ed net works is t hrough im plem ent ing a load- balanced dist ribut ed net work wit h high availabilit y. Such a net work in corporat es server farm s, wit h redundant applicat ions t o opt im ize perform ance and net work availabilit y. Loadbalanced server farm s allow user sessions t o be balanced am ong t hem . I f any server goes down, user sessions are aut om at ically balanced am ong t he rem aining ones in operat ion, wit hout any int errupt ion of service. Alt hough it will not im pede t he DDoS at t ack, t he ext ra bandwidt h m ay m inim ize t he pot ent ial for a bot t leneck at t he point of ent ry and exit from t he net work, as t he fort ified resources of t he dist ribut ed net works and large com m unicat ion pipes handle t he bogus t raffic.

Handling a SYN Flood DDoS Attack A SYN packet is t he first one sent during a TCP session set up. FTP, TELNET, and HTTP services rely on TCP t o est ablish connect ions and t o relay m essages. By sending only a SYN packet and no subsequent packet s in response t o a SYN- ACK, or acknowledgm ent , from a server, t he TCP session request is left half open: an orphan TCP session. When a DDoS at t ack syst em , such as Stacheldraht or Tribe Flood Net work 2000 ( TFN2K) dispenses a flood t o one or a range of I P addresses, t he servers or host s t arget ed at t hose addresses receive num erous SYN packet s. These at t acks random ly t arget port s, such as FTP and HTTP, at t he t arget m achines. The obj ect ive of t he SYN flood is t o disable t he t arget m achine( s) by opening all available connect ions, t hereby perhaps crashing t he syst em or denying legit im at e users from accessing t he server. A SYN flood is difficult t o det ect because each open session looks like a regular user at t he Web or FTP server. The ext ent of t he flood dam age depends on how t he source addresses are spoofed. SYN flood packet s can be spoofed wit h eit her unreachable source I P addresses—addresses t hat don't appear on global rout ing t ables—or valid I P addresses. When hackers launch at t acks using I P source addresses creat ed by a random - num ber generat or or an algorit hm t hat allows I P source addresses t o be changed aut om at ically, t he source address is unreachable. When spoofed source addresses are unreachable, only t he t arget syst em is affect ed. The t arget ed host server repeat edly reserves resources, wait ing for responses t hat never com e. This cont inues unt il all host resources have been exhaust ed. I n cont rast , when a SYN flood is launched wit h spoofed I P source addresses t hat are valid or legit im at ely reachable, t wo syst em s are affect ed: t he t arget syst em and t he net work t hat is assigned t he valid I P addresses. The net work t hat owns t he valid I P addresses is a collat eral, or unint ended, vict im when t he at t acker spoofs t he SYN flood packet s wit h t hat net work's I P addresses. Consequent ly, when SYN packet s are spoofed wit h valid I P addresses, t he dest inat ion t arget syst em forwards SYN- ACK responses t o t he net work t hat it believes t o be t he originat or of t he TCP session request s. The net work assigned t o t he valid I P addresses receives t he SYN- ACK responses, alt hough it never init iat ed t he TCP sessions or sent t he original SYN packet s. When t his occurs, t he unwit t ing host s are forced t o use resources t o handle t he flood of SYN- ACK responses t hat t hey did not expect . I n t his scenario, t he hacker succeeds in degrading perform ance or crashing net works in t wo separat e net work dom ains.

Countermeasures I P source address spoofing is a fact of life in SYN flood DDoS at t acks. The hackers want t o cover t heir t racks and m ask or conceal t heir t rue whereabout s or base of operat ions. I P address spoofing is a favorit e t act ic for m asking assault s against unsuspect ing t arget s. When packet s wit h fake source addresses—whet her random ly generat ed or valid for anot her net work—originat e from your net work, you becom e an unwit t ing accom plice t o hacker offenses. To prevent packet s wit h spoofed source addresses from leaving your net work and t o elim inat e t he chance of becom ing an

unknowing part icipant in hacker capers, consider im plem ent ing a t echnique called egress filt ering. The opposit e of ingress filt ering, egress filt ering says t hat on out put from a given net work, deny or don't forward dat a t hat doesn't m at ch a cert ain crit erion. Wit h egress filt ering, net work m anagers can prevent t heir net works from being t he source of spoofed I P packet s. This t ype of filt er should be im plem ent ed on your firewall and rout ers by configuring t hese devices t o forward only t hose packet s wit h I P addresses t hat have been assigned t o your net work. Egress filt ering should especially be im plem ent ed at t he ext ernal connect ions t o your I nt ernet or upst ream provider, t ypically your I SP. The following st at em ent is an exam ple of a t ypical egress filt er: Permit Your Sites Valid Source Addresses to the Internet Other Source Addresses

Deny Any

All ent erprises connect ed t o unt rust wort hy net works, such as t he I nt ernet , should ensure t hat packet s are allowed t o leave t heir net works only wit h valid source I P addresses t hat belong t o t heir net works. This will virt ually elim inat e t he pot ent ial of t hose net works' being t he source of a DDoS at t ack t hat incorporat es spoofed packet s. Unfort unat ely, egress filt ering will not prevent your net work from being com prom ised by int ruders or being used in a DDoS at t ack if your net work's valid addresses are used in t he assault . Nevert heless, egress filt ering is an effect ive count erm easure and a pot ent ially effect ive securit y pract ice for lim it ing at t acks originat ing wit h spoofed packet s from inside ent erprise net works. I n general, it 's everyone's responsibilit y t o inst it ut e best pract ices, such as egress filt ering. Only wit h t hese t ypes of m easures will ent erprises ult im at ely achieve a reasonable level of securit y when operat ing in t he I nt ernet environm ent .

Precautions Because a SYN DDoS flood is so difficult t o det ect , m ost vendors have fort ified t heir respect ive operat ing syst em s t o be resilient in t he face of an at t ack. Operat ing syst em s have been m odified t o sust ain at t acks at very high connect ion at t em pt rat es. Find out from your vendors what t heir t hreshold is for t he m axim um rat e of connect ion at t em pt s of each operat ing syst em t hat your ent erprise has deployed in e- business syst em s. To achieve m axim um lim it s m ay require upgrading soft ware releases. Load- balancing devices also incorporat e m echanism s for elim inat ing orphan SYN connect ions. Even if egress filt ering is im plem ent ed at t he rout er and operat ing syst em s are fort ified at t he servers, load- balancing devices can offer addit ional securit y count erm easures and increased bandwidt h. Load- balancing devices, such as t hose provided by Radware, elim inat e orphan SYN sessions aft er 5 seconds if no addit ional SYN packet s are received at t he server host and wit hin t heir own session t ables. Com bining egress filt ering, fort ified operat ing syst em s, and load balancing creat es an effect ive count erm easure for SYN DDoS flood, especially when t he source address is spoofed.

Handling a Bandwidth DDoS Attack Every DDoS at t ack is a war of bandwidt h. The Sm urf at t ack, however, could be t he m ost devast at ing because t he resources of t hree net works—t hose of an accom plice, an int erm ediary, and a vict im —are t ypically com m andeered for t he exploit . ( For a full descript ion of t he Sm urf at t ack, see t he sect ion I CMP Direct ed Broadcast , or Sm urf Bandwidt h At t ack, in Chapt er 6.) A Sm urf bandwidt h at t ack is usually leveled against t arget s from a DDoS at t ack syst em , such as Tribe Flood Net work ( TFN) , TFN 2000, or St acheldraht ( see Table 61) . At t ackers orchest rat e hundreds or t housands of com prom ised host s t o sim ult aneously send I CMP echo request or norm al ping packet s t o t he I P broadcast address of a t arget net work. That address is designed t o broadcast t he packet t o every net work host t hat is configured for receiving t he broadcast packet . At t his point , t he net work t hat receives an I P direct ed broadcast at t ack of I CMP echo request packet s becom es t he int erm ediary in t he Sm urf at t ack. On receipt of t he packet s, all host s on t he net work respond by sending I CMP echo reply packet s back t o t he source address cont ained in t he broadcast of echo request packet s. As you m ight guess, t he source address used in t he Sm urf exploit is spoofed, usually wit h valid or rout able I P addresses of t he int ended t arget inst ead of invalid or unreachable I P addresses. When t he int erm ediary or am plifier net work responds wit h I CMP echo reply packet s, t he replies bom bard t he net work t hat owns t he spoofed source address. Consequent ly, t his net work becom es t he ult im at e vict im of t he Sm urf at t ack. The Sm urf at t ack can be devast at ing because each I CMP echo request packet t hat originat es from hundreds of accom plice net works com prom ised by a DDoS syst em will be responded t o in t urn wit h successive waves of I CMP echo reply packet s. Each wave is form ed by a sim ult aneous response of echo reply packet s from all t he host s on one or m ore int erm ediary net works. Thus, if an int erm ediary net work receives hundreds or t housands of I CMP echo request packet s, a corresponding num ber of waves of echo reply packet s m ight respond. I n t he Sm urf incursion, t he int erm ediary net work is also a vict im because it is an unwilling part icipant of t he at t ack, and it s resources—bandwidt h—will also be consum ed, responding wit h waves of echo reply packet s t o t he vict im 's net work. The bot t om line is t hat bot h t he int erm ediary and t he vict im 's net works can experience severe net work congest ion or crashes in a Sm urf at t ack. Likewise, even sm all t o m edium - size I SPs providing upst ream service can experience perform ance degradat ion t hat will effect all peer users relying on t he I SP's net work.

Guarding against Being an Accomplice Network An accom plice net work is one t hat has been breached and enslaved by a zom bie, or DDoS daem on, which is cont rolled by a m ast er server safely t ucked away in t he wild. A Sm urf at t ack is orchest rat ed t hrough m ult iple m ast er servers, which collect ively direct hundreds of daem ons t o send I CMP echo request packet s wit h spoofed source addresses t o one or m ore int erm ediary net works.

The m ost effect ive way t o prevent your net work from being an unwit t ing accom plice in t he Sm urf incursion is by im plem ent ing egress filt ers at t he firewall and on rout ers, especially on ext ernal rout ers t o your I SP. Wit h egress filt ers in place, any packet t hat cont ains a source address from a different net work will not be allowed t o leave your net work. Not e t hat egress filt ers will not prevent host s on your net work from being com prom ised and enslaved by zom bie DDoS daem ons. Most likely, t he at t acker exploit ed a net work vulnerabilit y t o secret ly insert t he daem ons in t he first place. ( Prevent ing at t ackers from exploit ing your net work t o inst all t he various com ponent s of a DDoS at t ack t ool is discussed lat er in t his chapt er.)

Guarding against Becoming an Intermediary Network I f your net work can't be com prom ised for eit her an accom plice or an int erm ediary, t he Sm urf at t ack can't happen. That 's t he good news. The bad news, however, is t hat t oo m any net works operat ing in t he wild haven't been equipped wit h t he proper precaut ions. You can inst it ut e several st eps bot h ext ernally and int ernally t o prevent your net work from being used as an int erm ediary in a Sm urf at t ack. For ext ernal prot ect ion, one solut ion involves disabling I P direct ed broadcast s on all applicable net work syst em s, such as rout ers, workst at ions, and servers. I n alm ost all cases, t his funct ionalit y is not needed. By disabling—configuring—your net work rout ers t o not receive and forward direct ed broadcast s from ot her net works, you prevent your net work from being an int erm ediary or am plificat ion sit e in a Sm urf at t ack. Det ailed inform at ion on how t o disable I P direct ed broadcast s at Bay or Cisco rout ers, for exam ple, are available direct ly from t hose m anufact urers. Som e operat ing syst em s, such as NT—Service Pack 4 and higher—disable t he m achine from responding t o I CMP echo request packet s sent t o t he I P direct ed broadcast address of your net work. This feat ure is set by default in NT. As a rule, all syst em s should have direct ed broadcast funct ionalit y disabled by default . Check wit h your vendor t o det erm ine t he st at us of t his feat ure for your operat ing syst em and relat ed syst em s. I n fact , m ake cert ain t hat your securit y policy ensures t hat t his feat ure is always disabled for syst em s deployed in your ent erprise. As for int ernal t hreat s, if a host on your net work is com prom ised and t he at t acker has t he abilit y t o operat e from wit hin your net work, he or she can also use your net work as an int erm ediary by at t acking t he I P broadcast address from wit hin t he local net work. To elim inat e t he int ernal t hreat , m ake cert ain t hat your operat ing syst em and relat ed syst em s are m odified t o rej ect packet s from t he local I P direct ed broadcast address.

Guarding against Being a Victim I f you are t he vict im or t he recipient of t he I CMP echo reply packet s from one or m ore int erm ediary net works, your net work could be placed in a quandary, even if you disable I P direct ed broadcast s at your rout er and relat ed syst em s. The problem is t hat considerable congest ion bet ween ext ernal rout ers and your upst ream I SP provider would st ill exist . Alt hough t he broadcast t raffic would not ent er your net work, t he channel bet ween your net work and t he I SP could experience degraded

perform ance and perhaps rest rict access t o net work resources. I n t his sit uat ion, work wit h your I SP t o block t his t raffic wit hin t he source of t he I SP's net work. ( See t he sect ion Obt ain Out side Assist ance in Chapt er 8.) You should also cont act t he int erm ediary in t he at t ack once you and your I SP pinpoint t he origin of t he at t ack. Make cert ain t hat t he I SP im plem ent s t he recom m endat ions provided in t he previous sect ion. You m ight also assist your I SP in ident ifying t he origin of t he at t ack. Several freeware soft ware t ools will enable you t o accom plish t his. The m ost well known such ut ilit y is Whois, a UNI X com m and t hat allows vict im s t o obt ain cont act inform at ion on an at t acking sit e. Whois is run from a TELNET window t o pinpoint t he at t acker by running an inquiry on t he at t acker's I P address against a Whois server. For m ore inform at ion on how t o use t he Whois com m and, go t o ft p: / / ft p.cert .org/ pub/ whois_how_t o.

Handling a UDP Flood Bomb I n a UDP flood, t he at t acking syst em , cont rolled by a DDoS at t ack t ool, dispenses a large num ber of UDP packet s t o random dest inat ion port s on t he vict im 's syst em . Favorit e t arget s of UDP at t acks are t he diagnost ic port s of t he t arget ed host . A UDP flood, or bom b, causes an explosion of I CMP Port Unreachable m essages t o be processed at t he t arget ed m achine. The affect ed host get s bogged down because of t he enorm ous num ber of UDP packet s being processed. At t his point , lit t le or no net work bandwidt h rem ains. Perform ance degrades considerably, oft en result ing in a net work crash. One of it s m ore insidious feat ures is t hat a UDP flood cannot be reliably dist inguished from a UDP port scan, because it is not possible t o det erm ine whet her t he result ing I CMP m essages are being m onit ored. Using a scanning t ool, such as nm ap, an at t acker scans a net work's host syst em s t o det erm ine which UDP port s are opened. Knowing what port s are open, t he at t acker knows which port s t o at t ack. At t his point , however, it is difficult t o det erm ine, on t he net work side, whet her it is a scan or an at t ack. Nevert heless, if your firewall logs show, for exam ple, approxim at ely t en UDP packet s t hat have t he sam e source and dest inat ion I P addresses and t he sam e source port but different dest inat ion port s, you likely have a UDP scan. I n cont rast , a UDP flood can be det ect ed. The first m et hod involves ident ifying num erous UDP packet s wit h t he sam e source port and different dest inat ion port s. Second, as in all dist ribut ed DoS at t acks, you will see a num ber of packet s wit h different source I P addresses. I f, for any given source address, you find approxim at ely t en UDP packet s wit h t he sam e source port and t he sam e dest inat ion address but different dest inat ion port num bers, you could have a UDP flood. Anot her m et hod ent ails looking for a num ber of I CMP Port Unreachable m essages wit h m ult iple varying source addresses but t he sam e dest inat ion I P addresses. This m et hod could also signal a UDP bom b from a DDoS incursion. One m et hod of t hwart ing a UDP flood is t o never allow UDP packet s dest ined for syst em diagnost ic port s t o reach host syst em s from out side t heir adm inist rat ive dom ain. I n ot her words, deny t o int ernal host s any UDP packet s t hat originat e from ext ernal connect ions. One m et hod of denying ent ry of UDP packet s is t o disable UDP services at t he rout er. This is usually accom plished wit h a sim ple st at em ent , such as

" No service UDP ( specific t o Cisco rout ers) ." Det erm ine how t his service can be disabled at your part icular rout ers, and act accordingly. To det erm ine what port s are open, t he at t acker relies on port scans and t he t arget host 's ret urning I CMP Port Unreachable error m essages. Wit h t his inform at ion, t he at t acker knows what port s t o at t ack. To t hwart UDP scans alt oget her or, ult im at ely, UDP floods, disable t he rout er's abilit y t o ret urn Port Unreachable m essages. I f necessary, check wit h your rout er m anufact urer t o ascert ain t he required com m and( s) t o disable t his facilit y at each ext ernal int erface.

Using an IDS Fight ing DDoS at t acks is a com m unit y effort . I f you are operat ing in t he I nt ernet com m unit y, you should t ake every precaut ion econom ically feasible for your ent erprise. Therefore, you should consider an int rusion det ect ion syst em ( I DS) t o fight DDoS incursions and ot her securit y t hreat s. A DDoS at t ack syst em requires several st ages t o get in place. First , a pot ent ial at t acker m ust scan your firewall, assum ing t hat you have one, t o det erm ine what port s are open on your net work. This is usually accom plished wit h a scanning t ool, such as nm ap, SATAN, or Nessus. ( Nessus can be obt ained from www.nessus.org.) ( For inform at ion on how t o obt ain SATAN, see Chapt er 11.) Second, an exploit m ust be run on a vulnerabilit y t o gain access int o your net work. At t his point , t he int ruder would have t o est ablish a connect ion t o an int ernal host , t ypically t he one t hat let him or her in, t o t ransfer t he at t ack t ool com ponent s: m ast er, daem ons, and relat ed binaries. Finally, on com plet ing and fully inst alling t he rogue soft ware, t he at t acker would search for ot her vulnerable m achines in t he sam e net work and repeat t he process. I f a good I DS were in operat ion on t his net work, t he at t acker would never had advanced beyond t he init ial scan. Consequent ly, a firewall operat ing in t andem wit h an I DS is t he m ost expedient way for ent erprises t o det ect and t o t hwart DDoS act ivit y or at t acks in set up m ode or, especially, in progress, respect ively. An I DS m onit ors your net work like a wat chdog. Wit h an I DS on hand, signat ures of inst alled DDoS at t ack t ools or act ivit y based on com m unicat ion bet ween m ast er and daem on com ponent s could be easily det ect ed during set up at t em pt s. Addit ionally, som e I DSs work in conj unct ion wit h com m ercial scanning t ools, such as Sym ant ec's Net Recon or I nt ernet Securit y Syst em 's I nt ernet Scanner, each of which could det ect inst alled daem ons, agent s, or m ast ers before com m unicat ions t ranspire. The part icular at t ack t ool t hat you find on your net work m ight be inst rum ent al in helping you det erm ine where corresponding or com panion com ponent s exist on ext ernal net works. Those sit es should be cont act ed accordingly t o dism ant le t he dist ribut ed DoS at t ack syst em . When at t acks are in progress, an I DS could reconfigure t he firewall aut om at ically t o shut down t he port and t he relat ed service t hat was exploit ed by t he DDoS incursion and t o kill t he bogus connect ions in quest ion. On t he one hand, t he abilit y t o reconfigure t he firewall on t he fly will help prevent DDoS packet s from ent ering and slowing down t he net work. I n addit ion, killing t he bogus connect ions in a SYN flood, for exam ple, will free up som e valuable resources and reduce t he st rain on t he firewall. On t he ot her hand, t o deny access t o a part icular service, an int ruder would have t o spoof only packet s dest ined for t hat service.

To fix t o t his problem , t he I DS can direct t hat t he first packet from each source address be dropped. The current generat ion of DDoS t ools generat es packet s wit h random source addresses, whereby each address is used only once. This m et hod works because in TCP- based sessions, TCP sends a second request t o t he server or Web sit e, allowing t he next and subsequent packet s t hrough t o t he t arget ed host . Ot her prot ocols, such as UDP and I CMP, can be configured t o send a ret ry aft er t he first rej ect ion, t o allow norm al packet s t hrough. An effect ive I DS is t he elect ronic sent inel of your net work. I n operat ion, it s j ob is t o churn t hrough every packet t hat t raverses t he firewall, net work segm ent , or host t o ident ify signat ures t hat exploit net work vulnerabilit ies. A part icular vulnerabilit y does not have t o exist on your net work t o encount er relat ed scans and at t ack signat ures. And j ust because your net work doesn't have t he part icular vulnerabilit y does not m ean t hat you shouldn't worry. I n realit y, an int ruder has succeeded in breaking t hrough your defenses. I f t he right vulnerabilit y was not found on t his incursion, perhaps one or m ore will be found on t he next . When an I DS det ect s DDoS or any ot her class of at t ack signat ures, t he appropriat e act ions are t aken, including alert ing t he net work police and shut t ing down t he port , or window, t hat let in t he rogue packet s. The bot t om line is t hat a good I DS is t he elect ronic wat chdog, or t hat crit ical layer of securit y, t hat m ay m ean t he difference bet ween becom ing an unwit t ing accom plice in a DDoS at t ack group or operat ing safely while m inim izing risks t o t he I nt ernet com m unit y.

Recovering from a DDoS Attack Depending on which side of t he DMZ you are on, recovering from a DDoS at t ack could ent ail pursuing one or m ore dist inct courses of act ion. For exam ple, if eit her t he I SP and/ or t he at t acked ent erprise has served you not ice t hat your net work has been an unwilling accom plice in a DDoS at t ack syst em , cert ain host s in your net work have been exploit ed, part icularly wit h eit her m ast er or zom bie agent s. Provided wit h t he host or host I P addresses, t he m achines in quest ion should be im m ediat ely rem oved from t he net work and st eps t aken t o delet e t he rogue source code, binaries, and relat ed at t ack signat ures/ t ools t hat com prom ised your m achines. A good host vulnerabilit y scanner, such as I SS's Syst em Scanner, m ay need t o be used t o det ect t he signat ures of t he inst alled at t ack com ponent s. Given t he level of an exploit or t he dept h of penet rat ion, t oo m any syst em binaries m ay have been replaced by Troj an horses or hidden direct ories discovered t o t rust t he host again, even aft er correct ive m easures are t aken. Under t hese circum st ances, be prepared t o reinst all t he operat ing syst em and applicat ions from scrat ch t o ensure t hat t he host can be t rust ed when it is back in service. I f you are t he t arget of a DDoS at t ack, recovery m ay involve fort ifying your net work, based on som e of t he suggest ions given in t his chapt er. A good num ber of recom m endat ions have been discussed t o increase net work bandwidt h at crit ical net work int erfaces, including t he firewall. Aft er an analysis of t he DDoS int rusion, det erm ine t he t radeoff( s) and im plem ent t he m easure t hat m it igat es t he great est risks t o net work bandwidt h and perform ance. Finally, t he relat ed logs—syst em , firewall, and so on—will provide an account of t he at t ack, which your em ergency response t eam can use t o work wit h your I SP t o filt er out subsequent at t ack t raffic from bom barding your net work. This inform at ion will

also help t he FBI t rack down t he zom bie m achines—dom ains—t hat are launching t he at t acks against you and perhaps t he m ast er m achines and at t acker. I n t he final analysis, logs provide im port ant evidence t hat law enforcem ent needs for successful prosecut ion. Therefore, m ake cert ain t hat inform at ion provided by t he firewall logs and t he syst em logs of t he host t arget ed by t he at t ack is collect ed and prot ect ed before it is accident ally or deliberat ely erased.

Chapter 10. Creating a Functional Model for E-Security By now, you know how t he int ruders at t ack you and what weapons t he at t ackers use. You also know t hat t heir t act ics, st rat egies, and m et hods are t o exploit you in clandest ine ways, especially when you least expect it . But t he scariest fact s about int ruders are t hat : t hey are relent less, pat ient , and skillfully use a variet y of t ools t o look for obscure windows and back doors int o your net work. Anot her sobering fact or is t hat wit h your inform at ion asset s online for your business part ners, cust om ers, and/ or suppliers, pot ent ially t housands of windows and doors creat ed by t he net work com ponent s and result ing applicat ions com prise your com put ing syst em . The challenge and lifeblood of e- business securit y is t o replace, elim inat e, lock down, and reinforce t hose windows and doors in your net work. This chapt er looks at how t o address t hat challenge, reviewing t he st eps you should t ake t o m it igat e t he m yriad classes of net work vulnerabilit ies and ot her crit ical exposures t hat could provide unwant ed access t o your e- business applicat ions. This chapt er det ails a funct ional m odel for e- securit y, incorporat ing a layered approach t o inst it ut ing securit y m easures. This funct ional m odel is dependent on an underst anding of your business obj ect ives and t he relat ed securit y safeguards required as a business enabler. At t he core of t his funct ional m odel are policy considerat ions for t he ent erprise. What policies and/ or business pract ices are necessary t o achieve a secure com put ing environm ent ? As for t he net work it self, what st eps should be t aken at t he perim et er of your net work? Are t he operat ing syst em s driving t he host s sufficient ly rat chet ed down? I s t he current net work archit ect ure opt im ized for securit y, or should ot her st eps be t aken? What are t hey? These and ot her relat ed quest ions are addressed in full det ail in t his chapt er. When you are done, you will possess t he knowledge required t o build an effect ive securit y archit ect ure t hat m inim izes your vulnerabilit ies and exposure while achieving t he business result s t hat your ent erprise desires.

Developing a Blueprint for E-Security I n m any respect s, developing a blueprint for e- securit y is a st raight forward process t hat requires m ore pract ical experience t han innovat ion, alt hough innovat ion is a key com m odit y and one of t he crit ical fact ors in keeping a lit t le ahead in t he securit y gam e. Your ent erprise's e- securit y blueprint should t ranslat e int o a pract ical funct ional m odel, which in t urn should lead t o a robust archit ect ure t hat provides t he fram ework for your ent erprise's life- cycle securit y. As wit h any archit ect ure, t hat for e- securit y cont ains som e basic infrast ruct ure com ponent s. The best approach in est ablishing an e- securit y funct ional m odel, or blueprint , for your e- securit y archit ect ure is t o begin wit h inform at ion securit y best pract ices and securit y policy. The securit y policy should be a living, act ive docum ent t hat reflect s t he business goals and st rat egies in t he current business cycle. ( I n Chapt er 5, see t he sect ions Reengineering t he Ent erprise Securit y Policy and Rigidit y of Ent erprise Securit y Policy for a definit ion and in- dept h discussion, respect ively.) The securit y policy delineat es who can do what in t he ent erprise net work. The securit y policy also

reflect s how—what st andards should be adhered t o—when accessing ent erprise inform at ion asset s. For exam ple, DSL or great er connect ions m ay be a m andat ory policy for accessing cert ain applicat ions from hom e offices t o ensure accept able bandwidt h and response t im es. Tight ly connect ed wit h t he ent erprise's securit y policy are inform at ion securit y best pract ices. I nform at ion securit y best pract ices prom ot e t he idea t hat securit y should be m anaged t o opt im ize privacy, int egrit y, and availabilit y, along wit h t he m eans t o assess, or m easure, t he effect iveness of securit y elem ent s. I nform at ion securit y best pract ices also t ake int o account nonrepudiat ion and t he fost ering of t rust t o inst ill confidence in bot h int ernal and ext ernal users in t he ent erprise com put ing syst em . ( See t he sect ion The E- Securit y Dilem m a: Open Access versus Asset Prot ect ion in Chapt er 2 for a discussion on nonrepudiat ion and t rust .) Thus, at t he heart of t he esecurit y funct ional m odel is t he ent erprise I T securit y policy, t ight ly coupled wit h inform at ion securit y best pract ices. ( For a sum m ary of t he recom m ended e- securit y blueprint , see Figure 10- 1.)

Figu r e 1 0 - 1 . Blu e pr in t for su cce ss: t h e e - se cu r it y fu n ct ion a l m ode l

Understanding Business Objectives Before engaging in a det ailed review of each of t he com ponent s in t he e- securit y blueprint , you need t o underst and your st rat egic business obj ect ives. The process t ypically st art s by fully appreciat ing m anagem ent 's goals for t he ent erprise. For exam ple, dom est ic sales for product A m ust increase by 20 percent . Sales for product B m ust increase 10 percent per region. On t he ot her hand, support cost s m ust rem ain const ant or, where possible, be reduced. Depending on t he organizat ion, accom plishing such goals could be unrealist ic. At t he least , goals should be challenging; at best , at t ainable. Assum ing t hat t hey are at t ainable, t he next st ep is put t ing t he inform at ion syst em in place t o support t he effort . This m ay require building an ext ranet t o bring t he suppliers of product s A and B online so t hat t he field can have up- t o- t he- m inut e product and order st at us inform at ion. This also m ay ent ail set t ing up a server in a privat e DMZ for int ernal users—road warriors, m obile users, and rem ot e offices—and in a public DMZ for cust om ers and prospect s. Aft er t he pot ent ial users have been ident ified and t heir inform at ion plat form det erm ined, t he focus should shift t o t he applicat ions. For exam ple, what net work services or prot ocols are required t o support t he result ing e- business applicat ions? I n ot her words, what services and relat ed port s m ust be perm it t ed t hrough t he firewall t o support t he st rat egic applicat ions? HTTP service for t he Web applicat ion and SMTP for e- m ail m ust be allowed. But what about enabling TELNET? Cert ain rem ot e offices m ust TELNET t o t he server for access. I n such cases, perhaps ingress filt ering could be used for t his group, especially if t he I P address is known. I ngress filt ering says t hat on input —rout er or firewall—accept incom ing TELNET for a given I P address or I P address range. This rule could be included at t he firewall or an access cont rol list ( ACL) / filt er at t he ext ernal rout er. Any TELNET t ransm issions for all ot her I P addresses would be sum m arily dropped by t he rout er or t he firewall. TELNET t ransm issions wit h spoofed packet s or packet s wit h addresses not belonging t o t he perm it t ed I P address or range would also be dropped. I ngress filt ers, however, would not prevent spoofed packet s t hat t ransm it wit h valid I P addresses. Typically, valid I P addresses are swiped, for exam ple, during a hop t hrough t he I nt ernet by an at t acker wit h a sniffer program inst alled in an unprot ect ed node. Once t he valid or rout able address of t he packet s from t he perm it t ed TELNET sessions are confiscat ed, t hey could be launched from a com prom ised sit e and be passed by your rout er or firewall. Given t he pot ent ial for t his exploit , you m ust assess t he risk t o your privat e DMZ from t he rem ot e locat ions in quest ion. I f t he risk were st ill unaccept able, even aft er inst allat ion of an ingress filt er, t he next st ep would be t o use a VPN ( virt ual privat e net work) . Wit h a VPN equipped wit h t he proper prot ocol, such as I P Securit y ( I PSec) , which is t he t unneling prot ocol st andard support ed by t he I nt ernet Engineering Task Force ( I ETF) , t he I P addresses in t he header would be encrypt ed so t hat t he valid I P address could not be deciphered if illegally obt ained. To sum m arize, gaining a full appreciat ion of your business obj ect ives and how t hey t ranslat e t o I T requirem ent s and, ult im at ely, e- securit y safeguards is crit ically im port ant . Only aft er you know t his crit ical m apping will you be able t o inst it ut e t he

e- securit y your ent erprise requires for fulfilling business obj ect ives. ( See t he sect ion How E- Securit y Enables E- Business in Chapt er 2.)

Honing in on Your IT Security Policy One im port ant st ep should be considered or developed aft er ident ifying business obj ect ives but before harnessing com put ing applicat ions t o support t hem . Specifically, t his st ep ent ails adhering t o t he ent erprise's I T securit y policy. I n general, policy is defined as t he rules for obt aining t he obj ect ives of an act ivit y, usually a crucial one. The I T securit y policy, t herefore, provides t he rules for obt aining t he obj ect ives of I T securit y. And, of course, t he obj ect ive of I T securit y is t o enable e- business. By definit ion, t he I T securit y policy m ust also t ake int o account t he business obj ect ives and st rat egies of t he current business cycle. I n revisit ing our funct ional e- securit y m odel, Figure 10- 2 depict s a m ore applicable port rayal of t he esecurit y funct ional m odel and it s int erdependency wit h t he ent erprise's business obj ect ives.

Figu r e 1 0 - 2 . M a ppin g t h e e - se cu r it y fu n ct ion a l m ode l t o bu sin e ss obj e ct ive s

Not e t hat t he I T securit y policy does not exist under it s own auspices and, m ore im port ant , is not creat ed in a vacuum . On t he cont rary, t he I T securit y policy should be dist illed from t he general corporat e business policy, corporat e securit y policy, and

corporat e I T policy. Som e ent erprises m ay find it helpful t o include t he corporat e m arket ing policy as well. Figure 10- 3 shows t he relat ionships am ong t hese policies.

Figu r e 1 0 - 3 . The Re la t ion sh ip of I T se cu r it y policy t o ge n e r a l cor por a t e policie s ( Fr om I SO/ I EC TR 1 3 3 3 5 – 2 : 1 9 9 7 , Figur e 2 . Re pr odu ce d w it h pe r m ission of t h e I n t e r n a t ion a l Or ga n iza t ion for St a n da r diza t ion , I SO. Th is st a n da r d ca n be obt a in e d fr om t h e W e b sit e of t h e I SO se cr e t a r ia t : w w w .iso.or g. Copyr igh t r e m a in s w it h I SO.)

I nt erest ingly enough, m any ent erprises do not have a writ t en I T securit y policy. The reason m ay vary. However, if any of t he ot her policies is not clearly defined or, worse, not writ t en, it 's not difficult t o infer why m any ent erprises operat e wit hout a writ t en I T securit y policy. For a com prehensive review of how t o build an I T securit y policy, including recom m ended elem ent s, refer t o an aut horit at ive docum ent produced by t he j oint collaborat ion of t he I nt ernat ional Organizat ion for St andardizat ion ( I SO) and t he I nt ernat ional Elect rot echnical Com m ission ( I EC) . [ 1] The bot t om line is t hat t he I T securit y policy and relat ed policies should be writ t en. A writ t en I T securit y policy is a recom m ended best pract ice because in essence, if you can art iculat e it , you can do it . [ 1] " I nform at ion Technology—Guidelines for t he Managem ent of I T Securit y Part 2: Managing and Planning I T Securit y," docum ent I D I SO/ I EC TR 13335–2 ( E) , available from I SO Cent ral Secret ariat , Case Post ale 56, CH- 1211 Geneva 20, Sw it zerland.

Making Good on IT Security's Best Practices I f t he I T securit y policy com prises t he rules for achieving t he obj ect ives of e- securit y, t he best pract ices are t he m easures, act ivit ies, and processes t hat have been opt im ized t o com ply wit h t he policy. For t he m ost part , t his chapt er focuses on best pract ices. The good news is t hat t he body of knowledge for I T securit y best pract ices is such t hat t hey can be cult ivat ed and legit im ized by t he driving influence of st andards. The bad news is t hat t he arm s race for cont rol of cyberspace m ay cause t hese st andards t o be m odified or revised at a fast er rat e t han ot her I T st andards. Thus, t he quest ion rem ains as t o whet her t hese st andards will ever be sufficient ly subst ant ive, applicable, and t im ely t o be widely adopt ed. The organizat ion cham pioning st andards for I T securit y best pract ices is t he Brit ish St andards I nst it ut e ( BSI ) . [ 2] The BS7799 st andard has been fast - t racked for dissem inat ion and request for com m ent s, which invit es writ t en com m ent ary, suggest ions, m odificat ions, endorsem ent s, and, ult im at ely, adopt ion from I T professionals worldwide. The I SO/ I EC has also endorsed BS7799, accept ing it as an int ernat ional st andard in Decem ber 2000 as " I SO/ I EC 17799: 2000 I nform at ion Technology—Code of Pract ice for I nform at ion Securit y Managem ent ." [ 2] The source, or st andards docum ent is BS7799–1: 1999, t it led " Code of Pract ice for I nform at ion Securit y Managem ent ."

BS7799, a com pilat ion of inform at ion securit y best pract ices, was developed as a result of indust ry, governm ent , and com m ercial dem and for a com m on fram ework t o enable ent erprises t o develop, im plem ent , and m easure effect ive securit y m anagem ent pract ices and for inst illing confidence in e- business com m erce. BS7799 is based on t he m ost effect ive inform at ion securit y pract ices of leading Brit ish and int ernat ional businesses. The collect ion of best pract ices has m et wit h int ernat ional acclaim for it s abilit y t o prom ot e confident ialit y, int egrit y, and availabilit y in ebusiness net works. The m aj or benefit of BS7799 and sim ilar schem es is t o prot ect int ellect ual capit al from an enorm ous array of t hreat s, for t he purpose of ensuring business cont inuit y and m inim izing risks while m axim izing ret urn on invest m ent s and opport unit ies.

The IT Security Functional Model The deploym ent st rat egy for t he I T securit y funct ional m odel is concept ually a layered approach. Because of t he pot ent ial num ber of vulnerabilit ies t hat could creat e unaut horized pat hways int o a given ent erprise net work, im plem ent ing securit y m easures and count erm easures at st rat egic net work operat ing levels is t he opt im al defense st rat egy in t hwart ing t he wily hacker. Figure 10- 4 m aps t he proposed I T securit y funct ional m odel wit h a net work exam ple. The I T securit y funct ional m odel provides t he blueprint t hat recom m ends an I T securit y archit ect ure for pract ical deploym ent int o your ent erprise.

Figu r e 1 0 - 4 . M a ppin g t h e I T se cu r it y fu n ct ion a l m ode l

H a r de n in g t h e N e t w or k I nfr a st r u ct u r e for E- Se cu r it y Hardening t he infrast ruct ure is t he m ost crit ical area t o address in achieving effect ive net work securit y. As wit h any archit ect ure, doing so provides t he necessary foundat ion for t he securit y archit ect ure t o funct ion effect ively. Hardening t he infrast ruct ure m eans elim inat ing ext raneous net work services, default user account s, and dem os, as well as ensuring properly configured syst em s and net work deploym ent s. Even wit h firewalls and perhaps even I DS syst em s in t ow, som e organizat ions are st ill suscept ible t o at t ack, because st rat egic net work nodes or decision point s, such as t he rout ers or t he operat ing syst em cont rolling online servers, are not sufficient ly hardened, result ing in crit ical vulnerabilit ies being overlooked. ( See Chapt er 5.) Moreover, im properly configured/ deployed securit y count erm easures are also suscept ible t o at t acks. Ent erprises, t herefore, m ust exercise t he necessary due diligence t o ensure t hat t he net work's infrast ruct ure, t he result ing securit y archit ect ure, and relat ed cont rols are sufficient ly hardened t o provide t he best foundat ion for delivering securit y m easures holist ically. Con t r olling N e t w or k Acce ss a t t h e Pe r im e t e r When you t hink of cont rolling net work access on t he perim et er, you im m ediat ely t hink of firewalls, and right fully so. But t he operat ive word here is perim et er, and t his book has shown t hat alt hough firewalls play an im port ant role in t he overall esecurit y schem e, t he perim et er m ust be sufficient ly fort ified and robust t o fulfill it s im port ant role in enabling e- business. I n ot her words, firewalls play a key role in

inst illing t he necessary t rust and confidence t hat end users dem and t o operat e safely on t he I nt ernet . This part of t he e- securit y funct ional m odel answers t he quest ion, How effect ive is m y firewall? and suggest s a blueprint for deploying a firewall t hat will be resilient in a given com put ing environm ent . Asse ssin g Life - Cycle Se cu r it y Ex posu r e s I n t he I T com ponent s com prising t he com put ing resources of your net work, what vulnerabilit ies and exposures exist ? How do you ever feel com fort able t hat t he services, prot ocols, operat ing syst em s, and result ing applicat ions are free from vulnerabilit ies and securit y t hreat s? When are you m ost suscept ible t o vulnerabilit ies and exposures? No m at t er how m any securit y m easures you deploy, if your net work is laden wit h vulnerabilit ies, it s securit y is precarious at best . This area of t he e- securit y funct ional m odel craft s a blueprint t hat addresses vulnerabilit ies and exposures in an ongoing basis. The result ing archit ect ure t hat you deploy should be in response t o t he level of risks such vulnerabilit ies pose t o your net work and a t radeoff of cost versus accept able risk. Wit hout vulnerabilit ies, t he hacker's abilit y t o penet rat e your net work is great ly dim inished, leaving less creat ive endeavors, such as social engineering and desk blot t er raids, for I Ds and passwords. I n social engineering, would- be at t ackers pret end t o be legit im at e in- house I T support st aff in order t o confiscat e user I Ds, passwords, and ot her inform at ion t o gain unlawful ent ry int o a part icular net work. Most such t act ics can be elim inat ed by inst it ut ing securit y policies t hat prohibit end users from providing crit ical login inform at ion by t elephone or t o an unfam iliar support person. La ye r in g Se cu r it y Cou n t e r m e a su r e s When inform at ion asset s go online, t he m ost effect ive prot ect ion ent ails deploying securit y count erm easures at crit ical operat ing layers wit hin your net work. One key layer of securit y is, of course, t he firewalls on t he net work's perim et er. The firewall's securit y is like an elect ronic fence around your net work. But what happens if t he fence is scaled or t unneled under from below? How do you ensure t hat back doors do not m at erialize or breaches don't occur from inside t he fence? The blueprint from t his part of t he funct ional m odel focuses on st rat egic deploym ent of count erm easures on various operat ing levels inside t he net work's perim et er. The obvious choice for providing t his t ype of securit y m easure is an int rusion det ect ion syst em . I DS syst em s can operat e on t he net work or t he host level. At t he host level, I DS syst em s m onit or end user act ivit y t o det ect any business rules violat ions or unaut horized act ivit y. Ot her securit y m easures, such as e- m ail scanners, can be im plem ent ed on t he applicat ion level t o m onit or t his user- dem anding act ivit y as well. Layered count erm easures allow you t o prot ect all t he st rat egic operat ing levels in your net work, especially wit hin t he host and t he applicat ion levels. The purpose of t his part of t he funct ional m odel is t o prot ect your net work inside it s own doors.

Se cu r in g Poin t - t o- Poin t Con n e ct ion s This part of t he funct ional m odel, which concent rat es on prot ect ing in- t ransit inform at ion/ dat a could be t he t rickiest area t o pin down. The t ype of securit y t hat you ult im at ely deploy depends on t he part ies involved in t he com m unicat ion and t he t ype of inform at ion being t ransm it t ed. For exam ple, if you are building a Web server t o support business- t o- consum er t ransact ions, you will m ost likely rely on an indust ry st andard, such as t he Secure Socket Layer ( SSL) prot ocol, for providing a secure t unnel. The SSL prot ocol, support ed by m ost popular browsers, encrypt s t he dat a for privacy, aut hent icat es t he connect ion, and ensures t he int egrit y of t he inform at ion. For business- t obusiness com m unicat ions of rem ot e, nom adic, or hom e users, a virt ual privat e net work could be t he t icket . Or, for int ernal com put ing involving adm inist rat ive act ivit ies, perhaps Secure Shell ( SSH) or a VPN could be deployed for encrypt ed or aut hent icat ed adm inist rat ion. The bot t om line is t hat if point - t o- point com m unicat ions m ust t raverse unt rust ed net works or t he pot ent ial for dat a com prom ise by unscrupulous insiders exist s, in- t ransit securit y is warrant ed. Au t he n t ica t in g t he Use r Ba se When net works are open, t he perim et er nebulous, and concern is ongoing for unaut horized access t o t he syst em , m aking cert ain t hat t he int ended user base accesses t he syst em could be t he m ost daunt ing challenge for e- business securit y. Ensuring t hat users are who you t hink t hey are or should be is especially challenging if your net work is accessible from m any geographically dispersed locat ions. The goal of t his port ion of t he funct ional m odel is t o m ap out login syst em s t hat provide t he m ost effect ive aut hent icat ing m echanism s t hat could be reasonably cost j ust ified. Typically, an ent erprise t hat has a user base of nom adic users who access t he net work from various geographic locat ions would probably have t o spend m ore t o ensure t hat t hose users are aut hent ic t han would an ent erprise whose rem ot e offices experience m inim al st aff changes. I f users m ust access m ult iple syst em s requiring t he use of m ult iple logins, how do you ensure t hat users are aut hent icat ed under t hese circum st ances? The securit y archit ect ure t hat you deploy for aut hent icat ing t he user base m ust t ake t hese issues under considerat ion. The archit ect ure should also fact or in t he cult ure of t he ent erprise. I f it has m any adm inist rat ive and clerical individuals, deploying a syst em t hat requires fancy login procedures m ay encount er resist ance for wide- scale adopt ion. On t he ot her hand, if t he syst em is t oo sim plist ic for t he cult ure, unaut horized users m ay slip int o t he net work. Therefore, t he archit ect ure t hat you deploy m ust necessarily be effect ive, flexible, reliable, and resilient against t he pot ent ial for com prom ise and unaut horized ent ry.

Deploying Effective E-Security Architecture: Hardening the Network's Infrastructure The e- securit y funct ional m odel has been carefully laid out . I n t his sect ion, we focus on building an e- securit y archit ect ure, using t he e- securit y blueprint as guidelines. The result ing securit y archit ect ure, relat ing t o each area of t he funct ional m odel, incorporat es I T best pract ices t hat opt im ize t he effect iveness of t he securit y m easures t hem selves when init iat ed int o service. Much of t he best pract ices t hat provide t he building blocks for t he e- securit y archit ect ure are reasonably sound, pract ical, or inherent ly cost - effect ive, enabling ent erprises at various financial levels t o deploy a securit y archit ect ure t hat m axim izes t heir net works' act ive defenses. Chapt er 5 provided an overview of t he im port ance of elim inat ing unnecessary services, user and default account s, and insecure nat ive prot ocols and services from your net work. Chapt er 5 also t alked about t he im port ance of properly configuring key net work com ponent s, such as servers/ operat ing syst em s, gat eways, and rout ers. This sect ion explores best pract ices for hardening crit ical net work infrast ruct ure com ponent s. Specific guidelines are given for deact ivat ing and disabling cert ain insecure services and prot ocols at t he rout er t hrough t he access cont rol list ( ACL) list and/ or t he firewall. This sect ion also discusses how t o harden specific operat ing syst em s, such as Linux, UNI X, and NT, and crit ical servers, such as firewall gat eways. ( Appendix C includes recom m endat ions for hardening Windows 2000 syst em s.)

Hardening Your Router I f you inst all a firewall and especially an I DS, you wouldn't necessarily have t o be concerned about t he kinds of sessions and relat ed services allowed by rout er ACL list s, because t he firewall and I DS syst em would provide all t he securit y you need, right ? Wrong. The t ypes of services t hat are cont rolled by t he firewall and relat ed securit y m easures should also be m irrored by t he rout er's ACL list . The reason you have a firewall and especially an I DS is t o prevent som eone from get t ing in from t he out side or opening a door from t he inside, respect ively. But what happens if t he firewall and/ or I DS is at t acked by a DoS, for exam ple? I f t he ACL list on t he rout er allows access t o cert ain insecure services, t hey could be exploit ed t o allow an at t acker t o slip int o t he net work while t he firewall and/ or I DS is busy fending off t he DoS incursion. Moreover, if you have a net work wit h perhaps t housands of host s, chances are t hat im proper configurat ions, insecure services, default account s, and ot her vulnerabilit ies m ay m at erialize on your net work from t im e t o t im e. These pot ent ial windows are opened from t he inside t o allow int ruders in. St aying abreast of all t he classes of vulnerabilit ies t hat m ay be int roduced int o your net work is challenging, even wit h vulnerabilit y assessm ent t ools. Unfort unat ely, int ruders have t o find only one or a few unguarded windows/ doors t o gain unaut horized access int o your net work. I f your rout er allows access t o one or m ore of t hese vulnerabilit ies, t he int ruder would have t o at t ack only t he firewall and/ or t he I DS t o slip int o t he net work t hrough t he rout er. For t hese reasons, t he rout er ACL list m ust be hardened t o m at ch t he firewall and, perhaps, even t he I DS t o prevent int ruders from slipping

t hrough unguarded windows and doors if you find your firewall and I DS com e suddenly under at t ack. Hardening your rout er requires knowledge and abilit y t o work wit h ACL list s. Therefore, whet her you are using a Cisco, Bay Net works, or ot her t ype of rout er, t he services list ed in Table 10- 1 should be disabled or not perm it t ed t hrough ext ernal rout ers or t hose t hat are downst ream from I SP's upst ream rout ers.

Ta ble 1 0 - 1 . Rou t e r Se cu r it y a n d H a r de n in g M e a su r e s Se r vice / Pr ot ocol

D e scr ipt ion

Se cu r it y Risk

SNMP

Verifies t he operat ional st at us Creat es securit y of rout ers risks, so deact ivat e

UDP

A connect ionless t ransport layer prot ocol

Favored in m any hacker exploit s

TCP

The connect ion- orient ed t ransport layer, in cont rast t o UDP, which verifies t he connect ion

Favored in hacker exploit s, but m any key services, such as FTP, rely on TCP; if possible, deact ivat e

HTTP server

I n Cisco rout ers, for exam ple, allows rem ot e adm inist rat ion

Can be m odified t hrough Web browsers and t he right password

FTP

Usually enables hundreds of port s t o accom m odat e various file t ransfer act ivit ies

I f FTP required, deact ivat e unneeded port s

TELNET

Creat es a virt ual t erm inal for connect ing incom pat ible com put ers t o t he I nt ernet

Exposes login and passwords in clear t ext as it t raverses t he net work

Finger service

Det erm ines whet her act ive users are on a syst em

Allows at t acks t o occur wit hout drawing at t ent ion t o t he syst em

Boot P ( Boot st rap Prot ocol) service

Enables users t o discover t heir own I P addresses and t hose of servers connect ed t o t he LAN

A not oriously m aj or securit y risk

Ta ble 1 0 - 1 . Rou t e r Se cu r it y a n d H a r de n in g M e a su r e s Se r vice / Pr ot ocol

D e scr ipt ion

Se cu r it y Risk

I CMP

Used t o handle errors and t o exchange cont rol m essages

Used by several at t ack classes, so lim it what I CMP m essages are allowed

I P Unreachable m essage

Forces an I CMP t ype 3 error m essage t o display when an ACL list drops a packet

Ret urning I P Unreachable error m essages allow rout er fingerprint ing or t hat access list s are used

I P redirect s

Enables packet s t o be redirect ed from one rout er t o anot her rout er t o t raverse and t o exit net works

Enables hackers t o engage in m alicious rout ing t o escape safet y net s deployed in net works

I P direct ed broadcast

I CMP echo reply ( norm al ping) packet s t hat are sent t o a net work's I P broadcast address

Sm urf bandwidt h at t ack

Source rout ing

The abilit y t o specify t he Can est ablish a t rust rout e packet s can t ake from a relat ionship bet ween an at t acker ( source) source t o a t arget host and host a t rust ed

Ant ispoofing

Rej ect s packet s from ext ernal net works wit h source I P addresses belonging t o your int ernal net work

Packet s wit h spoofed addresses signify a variet y of hacker exploit s

Privat e and reserved I P addresses[ * ]

Nonrout able I P addresses t hat are usually reserved for int ernal net work act ivit y and should not be accept ed from ext ernal net works

Masks securit y exploit s when originat ing ext ernal net works

I ngress filt ering [ * * ]

Denies spoofed I P packet s by verifying t hat sourceI P

Det ers m alicious insiders from

Ta ble 1 0 - 1 . Rou t e r Se cu r it y a n d H a r de n in g M e a su r e s Se r vice / Pr ot ocol

D e scr ipt ion

Se cu r it y Risk

addresses m at ch t he valid addresses assigned t o t he source net work

launching at t acks wit hin t he int ernal ent erprise net work

Password securit y

Encrypt s password st rings, especially for rout er configurat ion, t o prevent viewing of passwords in clear t ext

Prevent s confiscat ion of passwords by eavesdropping

User aut hent icat ion

Provides various m et hods for aut hent icat ing adm inist rat ors/ users

Prevent s unaut horized access t o adm inist rat ive level cont rol

[* ]

[* * ]

See Request for Com m ent ( RFC) 1918 for list . See RFC 2267 for I ngress Filt ering Rev iew .

Aft er cert ain crit ical funct ions have been disabled, ot her precaut ions, such as password securit y, should be inst it ut ed at t he rout er as well. For exam ple, during rout er configurat ion, encrypt password st rings t o guard against t heir being confiscat ed from syst em logs and relat ed report s, such as elect ronic copies of your rout er configurat ion. Encrypt ion service m ay be included wit h rout er ut ilit ies, so m ake good use of it t o encrypt passwords. Not e, however, t hat encrypt ion provided t hrough such services t ends t o be relat ively weak, so rem ove encrypt ed password st rings from writ t en report s/ copy. User aut hent icat ion for rout er adm inist rat ors should also be carefully addressed. Depending on t he size of t he ent erprise net work, several rout er adm inist rat ors m ay be required. Cert ain rout er m anufact urers, such as Cisco Syst em s, allow adm inist rat ive privileges t o cont rol t he level of access t o rout er funct ionalit y. These privileges can be set t o allow various levels of cont rol. Each adm inist rat or's associat ed login and password can in t urn be aut hent icat ed, using MD5, for exam ple, or ot her feat ures provided by t he m anufact urer. For direct and rem ot e adm inist rat ive m anagem ent , ot her precaut ions can be t aken as well. For direct access t o t he rout er t hrough a console or an auxiliary port , use aut ologout funct ions for idle t im e. The adm inist rat or will be aut om at ically logged off t he rout er aft er a cert ain int erval of idle t im e, usually 2–5 m inut es. This prevent s unaut horized access in case an adm inist rat or accident ally forget s t o log out before leaving t he rout er. I f SNMP is st ill preferred for rem ot e m anagem ent of t he rout er t o m aint ain t he highest level of securit y in your net work, consider out - of- band m anagem ent , an I T

t echnique t hat specifies set t ing up a separat e net work segm ent t o provide securit y t o accom m odat e crit ical net work act ivit ies. To m anage a rout er wit h SNMP, which is inherent ly insecure, consider deploying a t hree- int erface rout er inst ead of one wit h t wo int erfaces. The first t wo int erfaces can be used t o accom m odat e regular ext ernal and int ernal connect ivit y, respect ively. Your access list s should disable SNMP t o bot h ext ernal and int ernal host s on t he relat ed int erfaces. The t hird int erface on t he rout er should be set up t o accom m odat e SNMP for rem ot e m anagem ent of int ernal rout er adm inist rat ion. By t aking rem ot e m anagem ent of t he rout er out of t he norm al band of net work t raffic, SNMP can st ill be used for rout er m anagem ent on t he ent erprise level. Using SNMP t hrough an out - of- band net work segm ent provides t he highest level of securit y and is t he recom m ended pract ice for using SNMP safely. Finally, synchronize your rout er wit h ot her host s on your net work t hrough Net work Tim e Prot ocol ( NTP) . Wit hout synchronized t im e am ong t he rout er, firewall servers, and swit ches, event correlat ion from log m essage t im est am ps is pract ically im possible. NTP allows it s client s t o aut hent icat e relat ed t im e sources, prevent ing at t ackers from spoofing NTP servers and ult im at ely m anipulat ing t he syst em clock. Having t he t im e signat ures in various host s synchronized and aut hent icat ed t hrough NTP will aid forensic invest igat ion in t he event of an at t ack.

Hardening Your Operating Systems Wit h opt im um securit y archit ect ure im plem ent ed in your rout er( s) , t he perim et er of your net work's infrast ruct ure is sufficient ly fort ified t o t ake on at t acks. I n t his sect ion, we go behind t he net work's perim et er t o harden ot her key com ponent s of t he net work's infrast ruct ure: operat ing syst em s. Hardening t he operat ing syst em is a crit ical phase in building t he I T securit y archit ect ure. Operat ing syst em s right out of t he box usually include t he ext raneous services, default user account s, relat ed prot ocols, and ut ilit ies t hat possess t he vulnerabilit ies and exposure t hat are suscept ible t o at t ack from unt rust wort hy net work environm ent s. Disabling and elim inat ing unneeded operat ing syst em services and ut ilit ies is t he goal of hardening your OS and a recom m ended best pract ice in craft ing resilient I T securit y archit ect ure. Linux, UNI X, and NT are t he operat ing syst em s t hat are m anaging t he m illions of t he I nt ernet 's host com put ers. Bot h Linux and UNI X are available in various flavors. There is only one NT, but various service pack levels can be in product ion in an organizat ion at a given t im e. I dent ifying what operat ing syst em is inst alled on your host ( s) is one of t he first st eps a hacker will t ake t o launch a successful at t ack against you. I dent ifying your operat ing syst em is called fingerprint ing t he st ack. Tools are so adept at pinpoint ing an operat ing syst em t hat hackers can different iat e versions of t he sam e operat ing syst em . For exam ple, nm ap can reliably dist inguish am ong Solaris 2.4, 2.5, and 2.6. Many securit y holes are dependent upon OS version. Furt her, if a hacker discovers t hat you are running Solaris version 2.51 or Linux 2.0.3.5 and if port 53 is open, you are likely running vulnerable versions of BI ND. ( BI ND, or Berkeley I nt ernet Nam e Dom ain, is t he m ost widely im plem ent ed dom ain nam e service [ DNS] on t he I nt ernet .) Wit h t his inform at ion, t he hacker could ent er your syst em wit h j ust a few m inor m odificat ions of code. However, if t he operat ing syst em is hardened, your syst em will not be penet rat ed when t he hacker t ries t o exploit known vulnerabilit ies

associat ed wit h t he operat ing syst em version your I nt ernet host s are running. For a review of rem ot e det ect ion of operat ing syst em s via TCP/ I P fingerprint ing, obt ain t he art icle of t hat nam e at www.insecure.org/ nm ap/ nm ap- fingerprint ing- art icle.ht m l. Lin u x Linux is fast becom ing one of t he m ost popular operat ing syst em s for e- business plat form s, m ainly because of it s power and wide availabilit y in t he public dom ain. To harden t he operat ing syst em , st art at t he beginning, wit h a clean inst allat ion. Only wit h a clean inst allat ion can you ensure syst em int egrit y so t hat no unaut horized m odificat ions or t am pering wit h operat ing syst em com ponent s has occurred. Depending on t he organizat ion, t his could prove t o be a m onum ent al undert aking if m any operat ing syst em host s are t o be redone. I f reinst alling every one of t hem is financially infeasible or beyond your level of resources, perhaps clean inst allat ions can be at t ained wit h t he m ost crit ical product ion host s. ( For t he record, don't forget t o back up your dat a.) Once Linux is reinst alled, never connect it direct ly t o t he I nt ernet or t o any ot her unt rust wort hy net work, even when downloading operat ing syst em pat ches, updat es, or upgrades. A PC should be designat ed for t he expressed purpose of downloading such it em s. Sim ilarly, a Linux- based product ion syst em should be at t ached t o it s own privat e net work segm ent . When updat ing t he Linux kernel, t he PC wit h t he OS downloads should in t urn be connect ed t o t he isolat ed product ion net work segm ent t o updat e t he OS. Handling your OS host s and relat ed downloads in t his m anner is a recom m ended best pract ice and a pract ical m easure for fost ering a secure com put ing environm ent . St art ing wit h t he clean copy of Linux, t he next st ep is t o inst all t he recom m ended securit y pat ches for your version of t he operat ing syst em . Securit y pat ches, which are t he elect ronic inoculat ions of OS securit y ills, are crit ical t o fort ifying an OS and should always be updat ed t o m aint ain OS healt h. Wit hout t hem , your syst em s can be easily com prom ised. Therefore, wit h your go- bet ween PC configured for downloading and obt aining pat ches elect ronically over t he Net , obt ain t he lat est pat ches and reconnect t o t he privat e net work where t he clean OS host resides, and com plet e t he securit y updat es. Two excellent sources for following bugs and syst em pat ches, especially for t he Red Hat version of Linux, are Bugt raq@securit yfocus.com and redhat - wat ch- list request @redhat .com . Red Hat version 6.1 and higher includes an aut om at ed facilit y, up2dat e, for obt aining pat ches. This t ool is highly cust om izable and easy t o use, det erm ines which Red Hat files requires updat ing, and aut om at ically ret rieves updat es from t he Red Hat Web sit e. Wit h t he clean version of t he OS fully inst alled and updat ed wit h securit y pat ches, t he next st eps involve t he hardening act ivit ies. The four st eps required t o harden Linux are • • • •

Disabling or elim inat ing unneeded or ext raneous services Adding logging capabilit y Fine- t uning cert ain files I nst alling TCP wrappers and I PChains

D isa bling or Elim ina t in g Un n e e de d or Ex t r a n e ou s Se r vice s Linux is a powerful operat ing syst em t hat offers m any useful services. However, m any of t hem pose pot ent ial securit y risks t o a given environm ent and consequent ly should be t urned off. I n addit ion t o elim inat ing such services as Finger and Boot P ( see Table 10- 1) , also elim inat e t he services list ed in Table 10- 2. You should be fam iliar wit h m any of t he services list ed in Table 10- 2. An em erging pat t ern suggest s t hat t hese TCP/ I P services in part icular are inherent ly insecure whet her t hey are execut ing at t he rout er or t he operat ing syst em level. I n addit ion t o t he R services[ 3] you m ay be fam iliar wit h, Linux—in part icular, Red Hat 6.0— possesses som e ot her R services t hat aren't so com m only known. Rusersd, rwhod, and rwalld should also be elim inat ed. I n general, t ry t o avoid running any R services alt oget her, as t hey pose a serious securit y risk by providing int ruders wit h considerable lat it ude for ent ering your net work illegally from rem ot e locat ions. [ 3] R serv ices, short for RPC ( rem ot e procedure calls) serv ices, are subrout ines t hat allow program s on one com put er t o execut e program s on a second com put er. They are used t o access serv ices connect ed t o shared files.

Ot her Linux script s you should elim inat e unless t hey are absolut ely necessary include dhcpd, at d, pcm cia, rout ed, lpd, m ars- nwe, ypbind, xfs, and gat ed. ( For an explanat ion of t hese services, refer t o Red Hat 6.0 docum ent at ion or Webopedia: www.webopedia.com , t he online com put er dict ionary for I nt ernet t erm s and com put er support . The preceding script s and services and t hose list ed in Table 10- 2 are inst alled by default , init ialize when t he syst em is boot ed, but are not crit ical t o syst em funct ioning. The bot t om line: I f you don't need t hem , t urn t hem off. I f you do need t hem , m ake cert ain t hat you exercise t he proper cont rols t hrough your securit y policies and firewall rule set s t o m onit or and/ or lim it access. Loggin g a n d Tw e a k in g Wit h as m any services as possible elim inat ed, you are well on your way t o achieving a hardened operat ing syst em kernel, t he m ost im port ant m odule of t he operat ing syst em . The fewer t he services t he kernel has t o m anage and t he fewer t he processes and/ or t asks, whet her legal or illegal, t o be support ed, t he m ore efficient ly your operat ing syst em will perform . Linux has excellent logging and support s running processes—execut ing program s/ script s—well except for FTP. I f you m ust use FTP, lock down all relat ed services on t he FTP server. To ensure t hat Linux logs FTP act ivit y properly, edit inet d.conf, t he configurat ion file t hat cont ains all t he services allowed t o run in your net work. A hardened Linux host has m inim al net work services and/ or program s enabled. When properly configured, FTP logs all FTP sessions and user com m ands t o syslog, t he m ain host logging funct ion.

Ta ble 1 0 - 2 . Se r vice s/ Scr ipt s t o Be Elim in a t e d/ D e a ct iva t e d in Lin u x Se r vice / Scr ipt

Post Office Prot ocol ( POPD)

D e scr ipt ion

Se cu r it y Risk

Used t o st ore incom ing e- m ail on end users' com put ers

Hist ory of securit y issues; if available, hackers use t o launch e- m ail at t acks against users

I nt ernet Message Used t o st ore incom ing e- m ail Access Prot ocol m essages on a ( I MAPD) cent ral m ail server

Hist ory of securit y issues; elim inat e

RSH ( rem ot e shell)

Enables rem ot e execut ion of print er com m ands from ext ernal I P addresses

I m plies a t rust ed relat ionship bet ween host s; m aj or securit y risk if accessed by ext ernal users from spoofed addresses

APMd ( Advanced Power Managm ent daem on)

Used only for lapt ops

Vulnerable script , so delet e

XNTPd ( X Net work Tim e Prot ocol daem on)

Net work t im e prot ocol

Can be used t o alt er t he syst em clock

Port m ap

Required if you have any RPC services

Elim inat e RPC and dependent files; RPC services alt er file perm issions and st eal password files, rem ot ely

Sound

Saves sound card set t ings

Vulnerable script ; delet e

NETFS

The NFS client , which m ount s file syst em s from an NFS server

Vulnerable script ; delet e

Rst at d

Com m unicat es st at e changes bet ween NFS client s and

Enables an int ruder t o spoof a legit im at e rpc.st at d process; R services are t oo

Ta ble 1 0 - 2 . Se r vice s/ Scr ipt s t o Be Elim in a t e d/ D e a ct iva t e d in Lin u x Se r vice / Scr ipt

D e scr ipt ion

Se cu r it y Risk

servers

accom m odat ing t o rem ot e users, so delet e t hem

YPPasswdd

Necessary for NI S servers

An ext rem ely vulnerable service

YPserv

Necessary for NI S servers

An ext rem ely vulnerable service

SNMPd

Provides operat ional st at us and det ailed inform at ion on net work com ponent s

SNMP used t o com pile operat ional and det ailed inform at ion on your syst em

nam ed

Used t o set up t he DNS server

May cont ain a vulnerable version of BI ND; upgrade t o secure version, if needed

NFS

Allows m apping of rem ot e direct ories as ext ensions t o local user files

Allows int ruders t o browse ent ire file syst em s for poorly secured direct ories

AMD ( aut om ount d)

Allows m ount ing of rem ot e file syst em s

Used wit h st at d t o gain adm inist rat ive privileges in exploit ed host

Gat ed

Used t o run t hirdpart y rout ing prot ocols

A vulnerable script ; delet e it

Sendm ail

Widely used t o im plem ent e- m ail in TCP/ I P net works

A hist ory of securit y problem s; delet e if not being used for e- m ail

HTTPd

The Apache Web server daem on

I f used, im plem ent t he lat est version

I NNd

The net work news daem on

Allows hackers t o at t ack syst em s t hrough net work news service prot ocol

linuxconf

Enables a user t o

Ext rem ely vulnerable

Ta ble 1 0 - 2 . Se r vice s/ Scr ipt s t o Be Elim in a t e d/ D e a ct iva t e d in Lin u x Se r vice / Scr ipt

D e scr ipt ion

Se cu r it y Risk

configure Linux t hrough a st andard browser Ot her logging opt ions are available for FTP as well. I f ot her logging act ivit y is desired, m ake cert ain t hat t hey are properly secured. For exam ple, xferlog, which records all FTP uploads and downloads, is a great source for det erm ining what int ruder t ools m ay have been inst alled or inform at ion downloaded if your syst em is com prom ised. Logs, especially syslog, can record user passwords under cert ain circum st ances, allowing t hem t o be confiscat ed if t he correct safeguards aren't deployed. An im port ant area t hat should be t weaked is file adm inist rat ion, and securing t he password file is one of t he m ost crit ical t asks in providing an opt im al level of securit y. I n Linux Red Hat version 6.0 and in UNI X, t he / et c/ passwd file m ust be fort ified. This file is a dat abase t hat st ores user account s and t heir associat ed passwords. I n Red Hat version 6.0 and lat er, user passwords are st ored as hashes and securely placed in a file t hat is accessible only from root , accom plished by using t he / et c/ shadow ut ilit y. You can use eit her t he default hash crypt ( 3) or m essage digest ( MD) 5. MD5 provides an even great er level of prot ect ion. By st oring user passwords in t heir hash values, et c/ shadow prot ect s passwords from being easily accessed and worse, cracked. Red Hat version 6.0 aut om at ically convert s t he password file int o " shadow" passwords by default . For ot her versions of Linux, only a sim ple com m and sequence is required t o convert user passwords t o t heir hash values and st ored in t he et c/ shadow file. Like clockwork, one of t he first act ions a hacker will t ake aft er gaining a root com prom ise is t o access t he et c/ passwd file t o confiscat e user passwords and log- on I Ds. Therefore, t his is one of t he m ost im port ant act ions t o t ake in securing your Linux host . You are not done t weaking t he et c/ passwd account yet . This file cont ains default user account s for news services and FTP, or anonym ous FTP. I f you are not planning t o run your hardened Linux host as a newsgroup server, which requires NNTP ( Net work News Transport Prot ocol) , rem ove t he news user. Be sure t hat relat ed files, such as et c/ cron.hourly, are updat ed, because t his file looks for user " news." Also rem ove t he user account FTP, which allow s anyone t o access an FTP server as a user called anonym ous, or FTP. An anonym ous FTP user can choose any password—t ypically, t he client 's host nam e. Ot her files you should t weak aft er t he / et c/ password file are / et c/ ft pusers, / et c/ securet t y, and / et c/ issue. The / et c/ ft pusers file funct ion, cont rary t o what you m ight guess, does not enable FTP users but inst ead prevent s users—especially syst em users, such as root or bin—from at t em pt ing FTP sessions. Linux provides t his file by default . As a rule of t hum b, you never want root t o possess t he FTP abilit y t o

t he syst em . Consequent ly, if you do not want users or account s wit h t he abilit y t o init iat e FTP sessions, include t hem in t he / et c/ ft pusers file. You should also ensure t hat root cannot TELNET t o t he syst em . This forces users t o log in as t hem selves and t o use ot her aut horized m eans t o access root . The file / et c/ securet t y list s cont ain all t he virt ual t erm inals t t ys root can connect t o. Such list ings as t t y1, t t y2, and so on, rest rict root logins t o local access. Such list ings as t t yp1 allow root t o log in t o t he syst em rem ot ely. To rest rict what root can TELNET t o, m ake cert ain t hat t his file is m odified accordingly and t he necessary diligence exercised for ongoing cont rol. Finally, t he / et c/ issue file is an ASCI I t ext banner t hat greet s users who log in by TELNET. This file is t ypically used t o display legal warnings whenever som eone at t em pt s t o log in t hrough TELNET t o your syst em . By default , however, Linux creat es a new / et c/ issue file on every system reboot . To use t he sam e legal warning for every reboot , Linux allows you t o m odify t he .../ init .d/ S99local file. Using TCP W r a ppe r s a n d I P Cha in s As a m anager of I T securit y, one of your key responsibilit ies is t o m anage your server once it goes online. I f t he server m ust be m anaged rem ot ely, your connect ion should also be secured. Despit e expending considerable effort t o harden your operat ing syst em on product ion unit s, leaving an unsecured connect ion could pose a securit y risk t o t he net work. Two opt ions are recom m ended for est ablishing a secure rem ot e m anagem ent connect ion int o your Linux server: TCP wrappers and a secure t unnel, or Secure Shell ( SSH) . A TCP wrapper is a binary, or execut able, file t hat wraps it self around inet dcont rolled services, such as HTTP, FTP, or SMTP. Recall t hat inet d is a powerful service t hat ensures t hat execut ing processes receive syst em support in t erm s of prot ocols and relat ed services. I net d list ens on Linux port s for t he request ed services and m akes t hem available t o t he connect ion in accordance wit h t he inet d.conf.file. For Linux users, TCP wrappers are available by default on inst allat ion. Access cont rol t hrough TCP wrappers is achieved in conj unct ion wit h t wo files: / et c/ host s.allow and / et c/ host s.deny. When a user at t em pt s t o connect t o t he Linux server, Linux launches t he wrapper for inet d connect ions. The syst em enables t he wrapper t o verify t he connect ion at t em pt against t he access cont rol list s in t he t wo files. I f t he connect ion is perm it t ed, TCP wrappers relay t he connect ion t o t he appropriat e execut able, such as HTTP or TELNET, and t he connect ion ensues. I f t he connect ion param et ers reside in t he / et c/ host s.deny file, t he connect ion is dropped. TCP wrappers log all at t em pt s and deploy secure program s and ut ilit ies. Connect ions t o services operat ing wit h TCP wrappers are logged t o t he Secure log file. Wit h all it s power, however, TCP wrappers will not prot ect your net work from sniffing and do not provide encrypt ed connect ions. I nt ruders can st ill capt ure rest rict ive inform at ion, including passwords t ransm it t ing in clear t ext over t he net work. I f you feel t hat your net work is sufficient ly privat e and fort ified against out side int rusions, TCP wrappers would be adequat e in a t rust ed com put ing dom ain. However, t o guarant ee a higher level of privacy for rem ot e adm inist rat ion, Secure Shell ( SSH) m ay be m ore appropriat e.

Typically, TELNET, FTP, or Rlogin is used for rem ot e m anagem ent act ivit ies. These services have a hist ory of securit y problem s. First , passwords are t ransm it t ed across t he I nt ernet in clear t ext . Therefore, SSH is t he preferred m et hod for m anaging your Linux server from a rem ot e locat ion. I n part icular, SSH is growing in popularit y becuase of it s abilit y t o provide a variet y of encrypt ed t unneling opt ions, aut hent icat ion m et hods, and com pat ibilit y wit h popular operat ing syst em s. [ 4] Like TCP wrappers, SSH also provides logging capabilit y. SSH encrypt s all rem ot e m anagem ent t raffic, including adm inist rat or passwords, aft er aut hent icat ing t he user. Wit h SSH providing t he secure connect ion, you can ensure t hat adm inist rat ors are aut hent ic, t hwart eavesdropping, and elim inat e connect ion hij acking and relat ed net work at t acks. [ 4]

OpenSSH is t he m ost popular SSH version. Use OpenSSH t o replace rlogin, TELNET, and FTP for rem ot e m anagem ent operat ions. The product has been enhanced, and m any of t he problem s w it h earlier SSH have been correct ed. For m ore inform at ion on OpenSSH, go t o ht t p: / / www.openssh.com .

Finally, I PChains is t o Linux host s what ACL list s are t o rout ers. The I PChains ut ilit y is packet - filt ering soft ware t hat is included in t he inst allat ion kit in Linux Red Hat version 6.0 and lat er. I PChains soft ware is sim ilar t o Cisco ACL list s in form and funct ions m uch like a firewall. The soft ware cont rols what packet s can com e in and out of your Linux box in a net work and st and- alone environm ent . I m plem ent ing t he precaut ions covered in t his sect ion will give you a st rong base level of securit y. The key t o having a secure, or hardened, Linux syst em is m aking sure t hat t he m inim al soft ware in t erm s of services is inst alled, default user account s elim inat ed, and securit y archit ect ure deployed in layers, using TCP wrappers or SSH, I PChains, and hashed password prot ect ion. ( To aut om at ically secure Linux host s, check out Bast ille Linux, a PERL script t hat provides st ep- by- st ep inst ruct ions.) Addit ional st eps, such as password prot ect ing t he BI OS ( basic input / out put syst em ) and t he syst em t o rest rict physical access, m ay be warrant ed, depending on t he challenges you m ay face in your com put ing environm ent . [ 5] I n t he final analysis, no m at t er what you do, no syst em can be m ade 100 percent secure. However, deploying t he securit y m easures and archit ect ure discussed here are best pract ices for considerably reducing crit ical securit y risks t o your e- business com put ing plat form s. [ 5] For an excellent overv iew of securing Linux host s, see t he art icle " Arm oring Linux" by Lance Spit zner at ww w.ent eract .com / ~ 1spit z/ papers.ht m l.

UN I X The process for hardening UNI X is t he sam e as t hat for hardening Linux. [ 6] Alt hough Linux is a m ore feat ure- laden derivat ion of UNI X, t he recom m endat ions about elim inat ing services, t weaking password files, and deploying securit y archit ect ure in layers generally m irror t hose recom m ended for Linux. Linux Red Hat version 6.0 and higher provides cert ain default services, such as t he Shadow password ut ilit y, use of MD5 hashes aut om at ically wit h Shadow, and TCP wrappers. Your part icular version of UNI X m ay provide such services by default . [ 6] For m ore inform at ion on hardening your UNI X syst em , see " UNI X Configurat ion Guidelines" at www .cert .org/ t ech_t ips/ UNI X_configurat ion_guidelines.ht m l.

As wit h Linux, hardening a UNI X host begins wit h a clean inst all of UNI X. I f your I T environm ent consist s of m any UNI X host s, reinst alling clean copies of your version of t he UNI X operat ing syst em m ay be t oo cost ly. However, t o m inim ize securit y risks st em m ing from operat ing syst em vulnerabilit ies, find an accept able t radeoff t hat perhaps would ent ail hardening only m ission- crit ical host s. A lim it ed effort m ay st and a bet t er chance of being approved by execut ive m anagem ent . St art ing wit h a clean inst all of your operat ing syst em elim inat es any doubt s about what could be or m ight have been exploit ed. Wit h UNI X, t he kernel, binaries, dat a files, running processes, and syst em m em ory all have associat ed vulnerabilit ies. Therefore, t o ensure t hat t he operat ing syst em is free of exploit s, it should be reinst alled from t he dist ribut ion m edia provided by t he m anufact urer of your version of UNI X. Aft er t he operat ing syst em has been reinst alled, t he next st ep is t o apply t he full suit e of securit y pat ches for your operat ing syst em . One of your m ost crit ical ongoing t asks is st aying on t op of all t he securit y alert s for your operat ing syst em . To accom plish t his, m ake it a pract ice t o regularly visit t he Web sit e of t he m anufact urer of your version of UNI X. As recom m ended in t he Linux discussion, never connect your host wit h t he clean copy of t he operat ing syst em direct ly t o t he I nt ernet or any unt rust wort hy net work t o download securit y pat ches. A go- bet ween PC wit h t he necessary securit y precaut ions—virus soft ware, personal firewall, and so on—should be used for t his purpose. Wit h t he securit y pat ches inst alled, connect your go- bet ween PC t o t he clean operat ing syst em host s, which should be connect ed t o t heir own separat e net work segm ent . Wit h your operat ing syst em s updat ed, you can begin t he process of hardening your UNI X host s, which consist s of • • • •

Disabling or elim inat ing unnecessary services Enabling and securing logs Tweaking cert ain files Adding TCP wrappers and securit y in layers

D isa bling or Elim ina t in g Un n e ce ssa r y Se r vice s The sam e services ident ified as unsafe under Linux are unsafe under UNI X and so should be disabled. Table 10- 3 list s all t he insecure services t hat should be disabled or elim inat ed from indet d.conf and relat ed files. The t able describes only som e of t he m ost exploit ed UNI X services. To st ay on t op of ot her UNI X services and ut ilit ies t hat m ay be exploit ed, check t he Web sit e of your part icular UNI X m anufact urer, along wit h such securit y sit es as CERT/ CC and SANS I nst it ut e, on a regular basis. Anot her source for st aying abreast of UNI X vulnerabilit ies is t he UNI X I nsider art icles. [ 7] [ 7]

A com prehensiv e list ing of art icles by subj ect can be accessed at www.UNI Xinsider.com / com m on/ swol- sit eindex.ht m l. Back issues of UNI X I nsider can be explored at ww w.UNI Xinsider.com / com m on/ swol- back issues.ht m l. Hom e page is www.I TWorld.com / com p/ 2378/ UNI XI nsider/ .

Ta ble 1 0 - 3 . UN I X Se r vice s t o Be D isa ble d/ D e a ct iva t e d Services

Descript ion

Securit y Risk

TELNET

Used t o access various port s Replace wit h OpenSSH. for various syst em processes

FTP

Popular for m anaging file servers for dist ribut ing docum ent s

Deact ivat e it if you don't need it , or replace wit h OpenSSH.

Finger

Det erm ines whet her an act ive syst em is unat t ended

Allows hackers t o gat her inform at ion for lat er clan- dest ine exploit s; should generally not be run.

Boot st rap Prot ocol ( Boot P)

Allows users t o det erm ine t heir own I P addresses and t hose of ot her host s at t ached t o a net work

Deact ivat e if not needed.

Com sat

An alt ernat ive service t o I f ot her m et hods are POP and I MAP, not ifies users being used t o ret rieve of incom ing m ail via Biff m ail, disable.

Exec

Allows rem ot e users t o execut e com m ands wit hout logging in

Deact ivat e.

Login

Enables rem ot e users t o use rlogin and, if support ed by an rhost s file, t o do so wit hout a password

For rem ot e connect ions, use SSH and TCP wrappers inst ead.

Shell

Allows user t o execut e r com m ands rem ot ely

I f t he funct ion is required, disable and use TCP wrappers.

Net st at

Provides net work st at us inform at ion t o rem ot e host s

Can be used locally on t he syst em , but disable for rem ot e access.

Syst at

Provides syst em st at us inform at ion

Disable.

Talk and

Enables com m unicat ions

Disable.

Ta ble 1 0 - 3 . UN I X Se r vice s t o Be D isa ble d/ D e a ct iva t e d Services

Descript ion

Securit y Risk

Nt alk

bet ween local users and rem ot e users on ot her syst em s

TFTP ( Trivial File Transfer Prot ocol)

A m iniversion of FTP

I f required, disable and use TCP Wrappers.

Tim e

Provide synchronized t im est am ps, which are crit ical for forensic invest igat ion

Use XNTP inst ead.

UUCP ( UNI Xt o UNI X copy program )

Used t o t ransfer files from one UNI X syst em t o anot her

Disable.

En a blin g a n d Se cu r ing Logs UNI X syst em s offer opt ions for logging user sessions. Perusing logs on a regular basis could prove t o be a m undane, t edious act ivit y. However, it is a necessary evil and perhaps even a best pract ice because logs show t he pat t erns of use for your net work. Fam iliarit y wit h t hem will help you discern abnorm al or suspicious pat t erns of use, which oft en prove t o be t he sm oke signals of pot ent ial securit y fires. Following are com m on UNI X log file nam es and descript ions. • • • •

•

•

Syslog, t he m ain logging facilit y for UNI X syst em s, allows an adm inist rat or t o log session act ivit y in a separat e part it ion or host . Under cert ain circum st ances, it m ay be necessary t o look in t he / et c/ syslog.conf file t o det erm ine where syslog is logging m essages. Messages, t he log designed t o capt ure session inform at ion. I n t he event of an incident or int rusion, t his log would be inst rum ent al in revealing anom alies in and around t he suspect ed t im e of t he incident or int rusion. Xferlog, used t o log dat a from FTP sessions. I f FTP m ust be used, xferlog m ay assist you in det erm ining when any uploads or downloads, for exam ple, of int ruder t ools or unaut horized inform at ion, respect ively, have occurred. Ut m p, file t hat records binary inform at ion on every current ly logged- in user. One way of accessing t his dat a is t hrough t he who com m and. Wt m p, t he file m odified whenever a user logs in or out or when a m achine reboot s. Gleaning useful inform at ion from t he binary file requires a t ool such as last , which creat es a t able t hat associat es user nam es wit h login t im es and t he host nam e t hat originat ed t he connect ion. Out put from t his t ool helps you discover unaut horized connect ions, host s t hat are involved, and user account s t hat m ay have been com prom ised. Secure, t he file t o which som e UNI X versions log TCP wrapper m essages. Specifically, whenever a service t hat runs out of inet d wit h TCP wrappers

support s a connect ion, a log m essage is appended t o t his file. This log reveals connect ions from unfam iliar host s, especially for services t hat m ay not be com m only used. An im port ant best pract ice is securing your syst em logs. Logs are t he elect ronic reconnaissance files of your net work. However, your logs are not useful if you can't t rust t heir int egrit y. One of an int ruder's first it em s of business is t o alt er your log files t o cover his or her t racks or, worse st ill, t o cont rol logging by inst alling a Troj an horse. Hackers use a root kit , such as Cloak, t o wipe out t heir t racks recorded in syst em logs. Regardless of how secure your syst em m ay be, logs cannot be t rust ed on a com prom ised syst em . More im port ant , som e int rusions m ight erase your hard disk. For t hese reasons, a dedicat ed server t hat capt ures logs rem ot ely from ot her key syst em s should handle logging act ivit y. A dedicat ed logging server can be easily built inexpensively under Linux. Make sure t hat you t urn off all services and follow t he relat ed recom m endat ions for hardening Linux. Access should be t hrough t he console only. Therefore, block port 514 UDP, which is used for logging connect ions at t he firewall t hat cont rols your I nt ernet connect ion. This prevent s your dedicat ed log server from receiving bogus or unaut horized logging inform at ion from t he I nt ernet . Next , recom pile syslogd t o read a different configurat ion file, such as / var/ t m p/ .conf. To accom plish t his, change t he source code in / et c/ syslog.conf t o t he new configurat ion file, which in t urn is set up t o log bot h locally and t o t he rem ot e log server. As a decoy, t he st andard copy of t he configurat ion file should, on t he syst em in quest ion, point t o all local logging. This process should be repeat ed for all syst em s t hat you want t o have logging int o t he dedicat ed, rem ot e server. Once in place, local syst em log files can be regularly com pared against t he rem ot e log files t o m onit or whet her local logs are alt ered. [ 8] [ 8]

For a com plet e discussion on t his t opic, refer t o t he art icle " Know Your Enem y: I I " at www.linuxnewbie.org/ nhf/ int el/ securit y/ enem y 2.ht m l.

To assist in m anaging t he m ounds of dat a t hat can be generat ed from logging act ivit y, check out a logging t ool called Swat ch, or t he Sim ple Wat cher program , a device used for m onit oring and filt ering UNI X log files. Swat ch wat ches for suspicious dat a in response t o set param et ers; when it encount ers t hese pat t erns, t he program can t ake cert ain act ions t o alert securit y personnel. [ 9] [ 9]

For m ore inform at ion on Swat ch or t o obt ain a freeware copy , go t o ft p: / / ft p.st anford.edu/ general/ securit y- t ools/ swat ch/ .

Tw e a k in g Ce r t a in File s a nd Se r vice s One of your m ost im port ant act ivit ies is prot ect ing your password file against direct ed at t acks. As point ed out in t he Linux discussion, t he / et c/ passwd file st ores user account s and associat ed passwords. Passwords m ay be st ored in DES encrypt ion form at . You would t hink t hat encrypt ed passwords would be safe, even if t he file is som ehow com prom ised or st olen. Unfort unat ely, however, t hat is not t he case. A hacker who could som ehow st eal your password file would prom pt ly m ove or copy it t o anot her m achine t o run a brut e- force dict ionary search at t ack, using a program such as Crack against t he password file. ( Crack is a freeware t ool t hat

should be used regularly by syst em adm inist rat ors as a password- audit ing t ool t o ensure t hat users are using uncrackable passwords. [ 10] [ 10]

Crack is available from ft p: / / coast .cs.purdue.edu/ pub/ t ools/ unix/ pwdut ils/ crack or ft p: / / info.cert .org/ pub/ t ools/ crack.

Research has shown t hat t hese t ools can crack 20 percent of, for exam ple, DESencrypt ed passwords of a user base of a m edium / large ent erprise in approxim at ely 10 m inut es. The Shadow password ut ilit y, on t he ot her hand, st ores a hash of t he passwords in a separat e file t hat is not world- readable. Shadow m ay be available in t he dist ribut ion m edia of your version of UNI X. Consult your docum ent at ion, or call your UNI X m anufact urer t o find out if it is provided by default or from a dist ribut ion Web sit e. Sendm ail can be exploit ed t o at t ack t he / et c/ passwd file. Sendm ail's problem s are well docum ent ed and have plagued t he I nt ernet for som e t im e. Cert ain Sendm ail vulnerabilit ies can be exploit ed t o st eal a copy of t he UNI X password file. [ 11] Sendm ail, version 8.7.5 fixes m any of t hese vulnerabilit ies. However, new Sendm ail exploit s surface in t he wild from t im e t o t im e, alt hough older versions of Sendm ail, which have not been m odified wit h t he lat est securit y pat ches, receive t he m aj orit y of at t acks. [ 11]

For a review of Sendm ail vulnerabilit ies, go t o www.cert .org/ t ech_t ips/ passw d_file_prot ect ion.ht m l.

All versions of Sendm ail—whet her or not updat ed wit h securit y pat ches—should be deployed wit h Sendm ail rest rict ed shell ( sm rsh) . [ 12] I n addit ion t o blocking at t acks on t he UNI X password file, sm rsh can help prot ect against anot her well- known Sendm ail vulnerabilit y, which allows unaut horized rem ot e and local users from execut ing program s as any syst em user ot her t han root . [ 12]

Sm rsh can be obt ained at et iher ft p: / / info.cert .org/ pub/ t ools/ sm rsh/ or ww w.sendm ail.org.

The UNI X password file can also be com prised by TFTP ( Trivial File Transfer Prot ocol) , which confiscat es t he file. Safer alt ernat ives are SSH and even a wrapped FTP. Because of it s sim ple applicat ion—it s abilit y t o easily exchange files bet ween separat e net works and no securit y feat ures—deploy TFTP, if required, wit h rest rict ed access provided by TCP wrappers. [ 13] [ 13] I f your version of UNI X does not ship w it h TCP wrappers or is not available from t he m anufact urer, obt ain t he program from ft p: / / ft p.porcupine.org/ pub/ securit y/ or www.larc.nasa.gov/ I CE/ soft ware- list / descript ions/ t cp_wrapper- 7.2.ht m l.

Som e UNI X dist ribut ions, such as I RI X from Silicon Graphics, dist ribut e default syst em account s wit hout passwords assigned. Aft er inst allat ions, t hese account s are oft en forgot t en, creat ing a vulnerabilit y. The account s in quest ion include I P, dem os, guest , nuucp, root , t our, t ut or, and 4Dgift s. I f you plan t o use any of t hese account s for net work access, assign t hem st rong passwords im m ediat ely. A favorit e t act ic of int ruders is t o exploit syst em default passwords t hat were not changed aft er inst allat ion, such as account s wit h vendor- supplied default passwords. Thus, m ake cert ain t hat all account s wit h default passwords assigned on net working equipm ent and com put er syst em s are changed before deploying t hem . Also,

soft ware updat es can change passwords wit hout creat ing any at t ent ion t o t hat fact , so be m indful of t his and check passwords aft er product upgrades. As a rule of t hum b, a single password should not be used t o prot ect m ult iple account s for a given user. I f an int ruder using a packet sniffer, for exam ple, is able t o confiscat e a shared password t hat has been t ransm it t ed in clear t ext , all account s sharing t hat password are com prom ised. Ensure t hat each account has it s own unique password. This m ay require deploying hand- held or soft ware t okens t hat generat e one- t im e passwords. Usually, t hese devices accom pany st rong aut hent icat ion m et hods t hat are suit ed for aut hent icat ing users across unt rust ed net works t o access sensit ive ent erprise resources, such as int ellect ual capit al, nam e servers, or rout ers. Tw e a k in g Ot h e r Cr it ica l File s Som e UNI X m anufact urers' default st at e is t o t rust —allow user access—from ot her syst em s. These vendors issue t he / et c/ host s.equiv files wit h a plus sign ( + ) ent ry. Rem ove t he plus sign from t his file; ot herwise, your syst em will t rust all ot her syst em s by allowing access t o any client host . Sim ilarly, t he .rhost s file m ay be supplied wit h a plus sign ent ry t hat should be rem oved. This file is used t o list host / user pairs t hat are perm it t ed t o log in and by rlogin and rsh, m aking .rhost s insecure by associat ion. Bot h files should never be world- writ able. Many UNI X versions com e preconfigured t o allow secure, root login access t hrough any TTY device. Depending on your release, check eit her t he / et c/ t t ys or t he / et c/ t t yt ab file. The only t erm inal t hat should be set t o secure is t he console. Disallow secure logins from everyt hing else. I f you m ust use FTP, m ake cert ain t hat anonym ous FTP is configured correct ly. Follow t he inst ruct ions provided wit h your operat ing syst em m anual t o properly configure file and direct ory perm issions, ownership, and group. Not e t hat you should never use your st andard password file, / et c/ passwd, or group file for t his service. Moreover, t he anonym ous FTP root direct ory and it s t wo relat ed subdirect ories, et c and bin, should never be owned by FTP. I n general, ensure t hat you regularly check t he prot ect ions and ownership of your syst em direct ories and files. Whenever new soft ware is inst alled or verificat ion ut ilit ies are run, t hese procedures can cause file and direct ory prot ect ions t o change. Such changes creat e vulnerabilit ies. Thus, aft er such procedures are run, m ake cert ain t hat file and direct ory prot ect ions are set according t o t he recom m endat ions provided by your syst em 's docum ent at ion. Use a freeware package called COPS ( Com put er Oracle and Password Syst em ) t o regularly check for incorrect perm issions on file direct ories. [ 14] COPS is a collect ion of program s t hat provide a variet y of helpful services, including host vulnerabilit y assessm ent s. [ 14]

COPS can be obt ained from ft p: / / coast .cs.purdue.edu/ pub/ t ools/ UNI X/ scanners/ cops/ .

Addin g TCP W r a ppe r s a nd Se cur it y in La ye r s As wit h Linux, UNI X syst em adm inist rat ors have t he opt ion of providing securit y in layers t hroughout t he UNI X com put ing environm ent . Once t he operat ing syst em is hardened on as m any operat ing unit s as possible, addit ional st eps should be t aken t o

inst it ut e ot her crit ical securit y layers. For rem ot e adm inist rat ion, for exam ple, TELNET, FTP, or Rlogin should be used wit h TCP wrappers if t ransm issions m ust t raverse regular operat ing dom ains for rem ot e adm inist rat ion. ( Recall t hat TCP wrappers are sim ilar t o access cont rol list s ( ACL) for rout ers and provide t he sam e funct ionalit y.) Check your docum ent at ion and/ or soft ware dist ribut ion m edia t o see whet her TCP wrappers were provided in conj unct ion wit h t he regular OS m odules. Alt ernat ively, if rem ot e adm inist rat ion will t raverse unt rust ed net works, perhaps OpenSSH, a robust version of SSH, can be used for at t aining privacy for rem ot e adm inist rat ion act ivit y. OpenSSH provides aut hent icat ion and encrypt ed t unneling for all t ransm issions, including passwords. Wit h TCP wrappers and SSH used for rem ot e adm inist rat ion, an effect ive level of securit y can be achieved. St rong passwords and perm issions prot ect syst em s if adm inist rat ion is conduct ed direct ly at t he console. User access is cont rolled by solut ions providing st rong aut hent icat ion and " t weaking" t o rest rict t erm inal access except at t he console. Ext raneous or unused services are elim inat ed or m inim ized t o cont rol t he incidence of vulnerabilit ies while syst em s are in operat ion or online. Wit h securit y m easures im plem ent ed in layers, as sum m arized here, you inst it ut e som e of securit y's best pract ices t o operat e safely in e- business environm ent s. Figure 10- 5 sum m arizes a layered securit y archit ect ure approach for UNI X nad Linux syst em s.

Figu r e 1 0 - 5 . La ye r in g se cu r it y in UN I X a n d Lin u x ope r a t in g e n vir on m e n t s

Finally, as an ext ra recom m ended precaut ion, consider securit y t ools, such as Tripwire, t o provide int egrit y checking for crit ical program s, such as UNI X binaries. [ 15] Som e hacker exploit s m odify syst em binaries and/ or replace t hem wit h Troj an

horses. Tripwire builds a dat abase of files and direct ories you would like t o m onit or or, at a m inim um , t he program s and binaries t hat are t ypically replaced aft er a syst em com prom ise. ( See t he sect ion Analyze t he I nt rusion in Chapt er 8.) Each t im e Tripwire is run, which should be regularly, it flags delet ions, replacem ent s, and addit ions and creat es t he relat ed log file. Tripwire builds t he list aft er com paring it s findings t o t he dat abase of files and directories creat ed when it is deployed. Tripwire enables you t o im m ediat ely spot changes in your key operat ing files t o t ake t he appropriat e act ions, up t o and including reinst alling t he com prom ised host t o ensure it s int egrit y. [ 15]

Tripw ire can be obt ained from ft p: / / coast .cs.purdue.edu/ pub/ t ools/ UNI X/ ids/ t ripwire/ .

An alt ernat ive t o Tripwire is MD5 checksum s. [ 16] The MD5 checksum algorit hm , designed by RSA Dat a Securit y, can be used t o t ake a hash value of each of your syst em files, especially syst em binaries. The MD5 hash of a given file is t hat file's unique fingerprint . The m anufact urer of your version of UNI X m ay be able t o give you t he list of checksum s for your syst em files, or you can creat e t he list yourself. As wit h Tripwire, MD5 checksum s should be run on a regular basis t o t rack any changes t o your crit ical syst em files. MD5 is a freeware ut ilit y t hat is assigned st andards t rack RFC 1321. [ 16] For m ore inform at ion on MD5 checksum s or t o obt ain a copy, refer t o t he CERT advisory on www.cert .org/ advisories/ CA- 1994- 05.ht m l.

NT Windows NT ( New Technology) , widely used by businesses worldwide, is one of Microsoft 's m ost advanced Windows operat ing syst em s. ( See Appendix C for a relat ed discussion on Windows 2000.) This sect ion provides som e general guidelines and best pract ices t o secure t he NT operat ing syst em . Of course, securit y can be inst it ut ed on a m uch wider, m ore granular level over and above t hat covered here. Nevert heless, som e NT securit y cont rols and m easures m ay im pede operat ional processes. Therefore, t ake care t o achieve t he proper t radeoff bet ween im plem ent ing a reasonable level of securit y and t olerable risk. Again, securit y m easures can be cat egorized as • • • •

Disabling and elim inat ing unneeded services Adding and/ or securing logs Tweaking cert ain files and services Adding securit y m easures in layers

D isa bling a n d Elim ina t ing Un n e e de d Se r vice s Windows NT services are program s t hat t he syst em uses on st art - up. As wit h all operat ing syst em s, NT services t ypically run in t he background, servicing request s from users and t he net work sim ult aneously. By default , a large num ber of services are available t hrough NT aft er inst allat ion. These services are t ypically inst alled t o and used by t he om nipot ent NT syst em account , which is accessible from t he NT Services Cont rol panel.

At t his point , a dist inct ion should be m ade bet ween elim inat ing NT, or operat ing syst em , services and net work services provided by nat ive net work prot ocols, such as TCP/ I P and Net BEUI ( Net work BI OS Ext ended User I nt erface) . On inst allat ion, NT m akes available bot h operat ing syst em services, such as t he alert er, t he com put er browser, t he direct ory replicat or, and so on, and t ypical net work services provided t hrough, for exam ple, t he TCP/ I P st ack, which runs nat ive under NT. By default , m any NT, or operat ing syst em , services possess securit y- sensit ive right s, any one of which could subvert overall syst em securit y. Also, m any of t he net work services are suscept ible t o packet - level at t acks. Thus, t ake care t o elim inat e as m any unnecessary NT services as possible, especially t hose t hat are likely t o be at t acked while t raversing unt rust ed net working environm ent s. To be sure of t he services t hat you don't need, verify t heir funct ion in t he NT syst em docum ent at ion before disabling t hem . I f any of t he following services are unnecessary, disable t hem : • • • • • • • • • • • • • • • • • • •

Alert er Com put er browser DHCP ( dynam ic host configurat ion prot ocol) client Direct ory replicat or FTP publishing service I nt ernet inform at ion service adm in service Messenger Net BI OS int erface Net log- on Net work DDE ( dynam ic dat a exchange) Net work DDE NSDM Rem ot e procedure call locat or Rem ot e procedure call configurat ion Server Spooler ( not required if a print er isn't direct ly connect ed) TCP/ I P Net BI OS helper WI NS ( Windows I nt ernet nam ing service) Workst at ion World Wide Web publishing service

The I P services t hat are elim inat ed/ disabled under Linux/ UNI X should also be elim inat ed under NT. TELNET, FTP, Boot P, R services, and t heir associat ed port s should be disabled t o prevent access from unt rust ed net works. I n fact , NT enables net work m anagers t o configure t he host s t o m irror t he port s t hat are enabled at t he firewall. Because TCP and UDP services can be accessed and cont rolled t hrough t he Cont rol Panel m enu, ot her securit y m easures, such as allowing only cert ain adm inist rat ors t o cont rol net work services, lim it ing access right s of all ot her users t o perhaps read- only. Moreover, using st rong adm inist rat or passwords for general access and for screensavers works t o provide holist ic securit y precaut ions. En a blin g a n d Se cu r ing Logs NT provides an efficient logging syst em t hat can capt ure a significant num ber of act ivit ies in it s securit y logs. NT's audit ing syst em gives securit y m anagers full cont rol of what t ype of inform at ion can be audit ed and how m uch of it t o log. When set t ing up your logging funct ion, you should consider t he am ount of t im e and resources adm inist rat ors can devot e t o t he analysis and m aint enance of securit y

logs. NT supplies only a sim ple viewer for analysis of it s logs. Thus, for in- dept h log analysis, NT fully accom m odat es t hird- part y analysis t ools. As a best pract ice, t he securit y log should be support ed by a dedicat ed hard disk part it ion, wit h access rest rict ed t o aut horized securit y personnel. The NT logging capabilit y allows t he audit ing of • • • •

Log- on and log- off act ivit y St art - up, shut - down, and syst em event s Specific files, such as execut ables or dynam ic linking libraries User and group m anagem ent

NT also allows audit ing of obj ect access, process t racking, and use of user right s. However, deriving m eaningful pat t erns of any suspicious behavior requires analysis t ools. Make it a pract ice t o review logs periodically for unexpect ed or suspicious act ivit y. I f necessary, invest in t he analysis t ools t hat you m ay need t o glean useful inform at ion from t he logs and ult im at ely a ret urn on your invest m ent . One final point about NT logging: Guest and unaut hent icat ed users can access syst em and applicat ion logs—not t he securit y log—by default . Alt hough t hey possess read- only right s, t hese users can nonet heless discern useful inform at ion about t he operat ing plat form t o subvert securit y. To disable t his feat ure requires a sim ple m odificat ion t o t he applicat ion and syst em event log files in t he NT regist ry, a dat abase t hat Windows- t ype operat ing syst em s use t o st ore configurat ion inform at ion. User preferences, display and print er set t ings, hardware, and operat ing syst em and inst alled applicat ions param et ers are t ypically writ t en t o t he regist ry on inst allat ion and set up act ivit ies. When edit ing t he NT regist ry, usually wit h regedit .exe, t ake great care t hat m odificat ions are im plem ent ed correct ly, because errors t o t he regist ry could disable t he com put er. Tw e a k in g Ce r t a in File s a nd Se r vice s On inst allat ion, NT m akes available m any services in t he syst em root direct ory: WinNT. Alt hough Microsoft has inst it ut ed reasonable securit y precaut ions, t radeoffs against opt im al securit y were inst it ut ed t o m axim ize com pat ibilit y wit h pot ent ial applicat ions out of t he box. However, t o m axim ize securit y for your NT syst em , you should t weak cert ain files, especially WinNT, which has inherent access cont rol m echanism s t hat , oddly enough, are called access cont rol list s. NT's ACLs are sim ilar t o TCP wrappers on UNI X syst em s, but t he applicat ion of ACLs provides m ore granular cont rol over user privileges, and hence access, right s t han TCP wrappers do. I n general, aut hent icat ed users should be grant ed read- only right s when accessing syst em files. Aft er a st andard NT inst all, t he Public users group—which usually m eans everyone—can access cert ain files in t he WinNT syst em root direct ory and regist ry. Everyone m ight be bot h unaut hent icat ed and aut hent icat ed users or a subset of aut hent icat ed users. Whichever way you define t his group, it should be grant ed only read- only privileges, because NT also provides writ e privileges t o t his group by default aft er a st andard inst all. Public exercises read- and writ e- access privileges t o t he WinNT direct ory during an inst all of new soft ware or hardware or for m aint enance.

For obvious reasons, you do not want everyone t o have access t o WinNT direct ory t rees and t he regist ry. However, you also do not want t o lose t he capabilit y t o inst all applicat ions on t he local level, especially in large net works wit h m ult iple dom ains. Because NT allows you t o creat e user groups, a t rust ed applicat ion inst aller, or App inst aller group should be creat ed for t he purpose of inst alling and m aint aining soft ware and hardware. This group would not carry t he full privileges of an adm inist rat or, but at least you ret ain a pot ent ially crit ical capabilit y on t he local level while lim it ing a perpet rat or's abilit y for a root com prom ise of t he WinNT syst em direct ory and t he regist ry. Finally, review file and direct ory perm issions on C: \ and C: \ Tem p, and assign t he perm issions on t hese direct ory t rees recom m ended by Microsoft . When form at t ing st orage volum es, use NT's NTFS ( NT File Syst em ) form at inst ead of t he m ore com m on FAT ( file allocat ion t able) form at . NTFS support s a feat ure called spanning volum es, which enables files and direct ories t o be spread across several physical disk drives. Unlike FAT, NTFS incorporat es t he use of ACLs, providing a secure st orage solut ion, and allows perm issions t o be set for direct ories or individual files. The FAT syst em , on t he ot her hand, possesses an inherent vulnerabilit y t hat allows anyone t o reset FAT files wit h a read- only perm ission. Lacking a com pelling reason t o use FAT—and t here seldom is on NT—form at all pot ent ially capable volum es wit h NTFS. As wit h any operat ing syst em , inst it ut e a st rong, effect ive password policy. NT has been widely crit icized for net work password exposure. Alt hough it st ores and uses t he hash value of user passwords, NT is st ill suscept ible t o brut e- force at t acks from t he confines of unfriendly local and rem ot e net working environm ent s. Furt herm ore, cert ain com m ands, such as RDI DSK, provide weaker prot ect ion, which leads t o com prom ising securit y of st ored hash values. NT usually st ores t he hash value of user passwords, in t he user account dat abase of t he NT regist ry, also known as t he SAM. To st rengt hen t he prot ect ion of locally st ored hash passwords, use t he NT's nat ive SYSKEY com m and t o configure t he syst em so t hat user password hash values are encrypt ed wit h a 128- bit encrypt ion algorit hm for ext ra prot ect ion. Not e t hat , according t o m any report s in t he wild, NT's hashing algorit hm is rat her widely known, m aking t he use of SYSKEY all t he m ore im port ant . Devising an ent erprisewide password policy and pract ice is challenging enough, especially in a diverse user populat ion. NT provides several m echanism s t o ensure t hat users are adhering t o accept able password pract ices. The t hree areas subj ect t o NT password syst em at t acks are • • •

Log- on at t em pt s. I n t his kind of at t ack, t he hacker at t em pt s t o break in by guessing a legit im at e user's password by logging in from t he user's workst at ion or from a rem ot e locat ion. I n t his sit uat ion, weak passwords provided t he at t ack opport unit y. Capt ured password at t acks. Typically, a sniffer program capt ures t he hash value of t he NT user password from t he aut hent icat ion t raffic port ion of a user log- on operat ion. The user account dat abase in t he regist ry.

I n ent erprises in which poor password select ion is persist ent , NT allows adm inist rat ors t o select passwords for cert ain users or user groups. The adm inist rat or should work wit h t hese individuals t o select passwords t hat are easy t o rem em ber, expedit ious, conform t o ent erprisewide securit y policy, and effect ive. This m ay be t he m ost feasible way t o ensure t he use of st rong passwords. But if t his is cont rary t o organizat ion policy, run a password- guessing program , such as L0pht crack, designed t o pinpoint weak users in NT environm ent s. As a best pract ice and t o ensure user buy- in, t he ent erprise should be inform ed t hat such passwordchecking act ivit ies will be perform ed on a regular basis against random ly select ed users. When weak- password users are ident ified, t hey can be referred t o rem ediat ion t hat is geared t oward enabling users t o consist ent ly creat e passwords t hat conform t o ent erprise password policy. Log- on- at t em pt at t acks can be virt ually elim inat ed t hrough reasonable password com plexit y, lifet im e, and account locking. Thus, each adm inist rat or m ust develop crit eria for password com plexit y by specifying password lengt h, age—how oft en t o renew—and password uniqueness, or how oft en new passwords m ust be creat ed or a favorit e one recycled before it can be used again. Generally, eight - charact er passwords should be used, form ulat ed from random ly generat ed lowercase alphabet ic or alphanum eric charact ers t o creat e m xyzpt lk or er22fo44, respect ively, for exam ple. Passwords should also be renewed every 30 days and exist ing passwords recycled every fift h t im e. Or, four unique passwords m ust be developed before you can go back t o one t hat 's already been used. A key feat ure in NT for t hwart ing log- on- at t em pt at t acks is password locking, or account lockout . Aft er succeeding in a log- on at t ack, a hacker t ypically m ust guess t he password before account lockout is t riggered. NT allows users several unsuccessful log- on at t em pt s before being locked out of t he syst em . Once locked out aft er reaching t he lockout t hreshold, t he user m ust wait 15 or 30 m inut es before being allow ed anot her log- on at t em pt . The count , which allows bad- log- on at t em pt s, is also reset aft er t he lockout durat ion. Again, t he crit eria t hat work best for your ent erprise should be det erm ined. However, t he following should be used as guidelines in configuring t he account - lockout feat ure: • • •

Lock out aft er five unsuccessful log- on at t em pt s Reset count aft er 30 m inut es Lockout durat ion of 30 m inut es

To enforce your user password policy, NT offers a feat ure called PASSFI LT, a special program t hat rej ect s a user's password if it doesn't m eet t he defined param et ers est ablished by t he adm inist rat or. PASSFI LT is not a silver bullet but when used in conj unct ion wit h, say, a password- guessing program provides an effect ive m et hodology for enforcing t he ent erprise's password policy. One of t he first account s t hat should be disabled is t he guest account . Anot her account t o deact ivat e is t he Null session user. The Null session allows anonym ous users t o log on t o list dom ain user nam es and t o enum erat e share nam es. Elim inat e anonym ous log- ons t hrough Null sessions, which is t he source for net work incursions and exploit s. Finally, renam e t he password for t he adm inist rat or account before you t ackle any adm inist rat ive dut ies. I n keeping wit h sound password- creat ion convent ions, m ake sure t hat t he password is at least eight charact ers in lengt h and derived from random ly generat ed alphanum eric or alphabet ic charact ers.

Addin g Se cu r it y M e a su r e s in La ye r s Alt hough NT, in m any respect s, is different from UNI X/ Linux, securit y can also be inst it ut ed in layers in m uch t he sam e way ( Figure 10- 6) . MD5 and Tripwire can be used t o m onit or changes in syst em binaries and relat ed files. SYSKEY is used t o prot ect st ored passwords in t he ( user account dat abase in t he NT regist ry) . A VPN or SSL can be used for rem ot e adm inist rat ion or user applicat ions.

Figu r e 1 0 - 6 . La ye r in g se cu r it y in N T ope r a t in g e n vir on m e n t s

Summary The guidelines in t his port ion of t he chapt er are a good point of depart ure for realizing effect ive securit y in operat ing environm ent s. I T m anagers can t ake m any ot her precaut ions t o ensure opt im al securit y in ent erprise net works. Alt hough a num ber of freeware and com m ercial sources, including books, address t he NT securit y quest ion, one of t he m ost com prehensive freeware docum ent s available for NT securit y is " Windows NT Securit y Guidelines," available by downloading from www.t rust edsyst em s.com . The NSA com m issioned Trust ed Syst em Services t o develop t his unclassified st udy for t he agency and hence t he general public. Anot her source is " Securing Windows NT," which can be obt ained from www.phoneboy.com / fw1. Finally, t he NT Server Configurat ion Checklist from Microsoft is also a good source for NT securit y.

Chapter 11. Building a Security Architecture Wit h your infrast ruct ure sufficient ly hardened, you now have t he foundat ion for building resilient securit y archit ect ure. The im port ant point t o not e about t he inform at ion in Chapt er 10 is t hat you don't have t o be a specialized securit y professional or hire a securit y guru t o inst it ut e t he com m onsense m easures present ed. Most im port ant , t hose m easures can be im plem ent ed relat ively cost effect ively wit h regular I T/ net working st aff. The real cost t o t he ent erprise, however, is t he cost of not inst it ut ing t he best pract ices int o your regim en of net working act ivit y. Or in pract ical t erm s, what is your exposure t o risk? The focus of Chapt er 11 is t o review t he opt ions for building a securit y archit ect ure and m ap t hem t o your part icular infrast ruct ure and ult im at ely t he ent erprise. I n ot her words, we look closely at t he archit ect ure as suggest ed by t he I T securit y funct ional m odel ( see Figure 10- 4) . How should t he firewall be deployed or t weaked t o m axim ize it s effect iveness? Now t hat m y infrast ruct ure is hardened, what st eps can I t ake t o t rack, or m onit or, t he incidence of vulnerabilit ies in m y net work? How do I design m y net work and/ or inst it ut e securit y m easures t o m axim ize t heir efficiency and resiliency in t he face of a growing t hreat ? How should t hese m easures be int erspersed t hroughout t he ent erprise for opt im al prot ect ion of inform at ion asset s and com put ing resources? What is t he best way t o deploy securit y for point t o- point com m unicat ions? And, finally, how do I aut hent icat e t he user base and gain user support and buy- in for t he aut hent icat ion syst em chosen for t he ent erprise? This chapt er addresses t hose quest ions, discussing cost - effect ive solut ions t hat include best pract ices for deploying com prehensive securit y archit ect ure.

Firewall Architecture Deployment, Controls, and Administration For any given firewall, a body of inform at ion is available, including published books, whit e papers, and/ or art icles t hat are writ t en for t he expressed purpose of opt im ally deploying your firewall. This inform at ion is concerned prim arily wit h properly configuring your firewall's rule base. I n t he case of st at eful inspect ion firewalls, t he rule base, or access rules, m ust be configured in a cert ain sequence in order for t he firewall t o perform correct ly. St at eful inspect ion firewalls enable net work access by accum ulat ing key inform at ion, such as I P addresses and port num bers, from init ial packet s int o dynam ic st at e t ables, t o decide whet her subsequent packet s from a session will be grant ed access; hence, t he nam e " st at eful inspect ion." Ult im at ely, t he rule base cont rols access. The st at eful inspect ion act ivit ies occur only if t he connect ion is allowed in t he first place. This sect ion focuses on deploym ent st rat egies, user access, and adm inist rat ive cont rols inst it ut ed t o ensure an effect ive firewall im plem ent at ion.

Types of Firewalls The archit ect ure you deploy for your firewalls depends on a num ber of fact ors, such as t he level of securit y required, risk t radeoff, perform ance requirem ent s, int erfaces desired, access cont rols, net work resources, and general applicat ion and user requirem ent s. The deploym ent also depends on what you are willing t o spend. I n fact , t he archit ect ure ult im at ely deployed m ust necessarily balance cost against t he ot her fact ors. The cardinal rule for im plem ent ing any firewall archit ect ure is t o never allow unt rust ed ext ernal net works direct connect ions int o t he t rust ed int ernal net work environm ent , especially if t he ext ernal net work is t he I nt ernet . A corrollary is t o keep valid int ernal I P addresses from t raversing unt rust ed ext ernal net works. Three of t he m ost effect ive firewall archit ect ures t hat incorporat e and funct ion on t hese prem ises are m ult ihom ed host , screened host , and screened subnet , or sandbox. M u lt ih om e d Fir e w a ll H ost A m ult ihom ed host has m ore t han one physical int erface or net work int erface card ( NI C) inst alled. A dual- hom ed host , wit h t wo NI C cards, is t he m ost com m on exam ple of t his t ype of archit ect ure. I n t his scenario, one NI C card is connect ed t o t he ext ernal, or unt rust ed, net work; t he ot her NI C card, t o t he int ernal, or t rust ed, net work. A t rust ed net work m ay be defined as an int ernal ent erprise net work or as a net work involving a business part ner: an ext ranet . A t rust ed net work, t herefore, is best defined as one t hat shares t he sam e securit y policy or t hat im plem ent s securit y cont rols and procedures t hat yield an agreed on set of com m on securit y services and precaut ions. I n a dual- hom ed host , I P packet forwarding is disabled bet ween t he t wo NI C connect ions by default , so t hat t raffic originat ing from ext ernal, unt rust ed net works never direct ly connect s int o t he t rust ed, or int ernal, net work environm ent . Typically, dual- hom ed host s com plem ent applicat ion proxy firewalls, which t erm inat e and reinit iat e user connect ions aft er fully inspect ing all packet s t hat are seeking ent ry int o t he t rust ed net working environm ent . Traffic from t he ext ernal, unt rust ed net work is received by t he proxy firewall t hrough t he ext ernal NI C connect ion. The proxy disassem bles all t he packet s received, filt ers out suspect or risky com m ands, recreat es t he packet s, and, on det erm ining t hat t hey are valid, forwards t hem t hrough t he int ernal NI C t o a dest inat ion wit hin t he prot ect ed net work ( see Figure 11- 1) .

Figu r e 1 1 - 1 . D u a l- h om e d fir e w a ll pr ox y h ost

I n effect , net work t raffic from an ext ernal cloud never direct ly t raverses int o t he t rust ed m ission net work. On t he ot her hand, t he proxy never forwards int ernal I P addresses of out bound t raffic, which is received from t he int ernal NI C connect ion. I n t his m anner, valid int ernal I P addresses are t ranslat ed by t he proxy such t hat t he only I P address ever seen by ext ernal, unt rust wort hy net works is t he I P address of t he ext ernal NI C of t he dual- hom ed host . When a dual- hom ed proxy host works in conj unct ion wit h t he packet - filt ering rules of a rout er, t he result ing archit ect ure provides t wo effect ive layers of securit y. The firewall proxy skillfully capt ures any suspicious packet s t hat som ehow slip t hrough t he rout er's packet - filt ering rules ( see Figure 11- 2) . I n sum m ary, t his firewall archit ect ure is ideal for net working environm ent s wit h high securit y needs. I t ensures not only t hat unt rust wort hy net work t raffic never direct ly connect s int o prot ect ed net works but also t hat applicat ion- borne at t acks, which t ypically slip t hrough packet - filt ering rules, will also never reach t he prot ect ed net working environm ent .

Figu r e 1 1 - 2 . M u lt ila ye r se cu r it y e x a m ple

Scr e e n e d H ost Ar ch it e ct u r e Screened, or bast ion, firewall host archit ect ure uses a host , or bast ion host , t o which all ext ernal host s connect . I nst ead of allowing out side host s t o connect direct ly int o pot ent ially less secure int ernal host s, t hese connect ions are rout ed t hrough a screened firewall host . Achieving t his funct ionalit y is fairly st raight forward. Packet filt ering rout ers are configured so t hat all connect ions dest ined for t he int ernal net work are rout ed t hrough t he bast ion host . When t hey ent er t he host , packet s are eit her accept ed or denied, based on t he rule base governing t he firewall. Bast ion host archit ect ure is suit ed for organizat ions requiring a low t o m edium level of securit y. Packet - filt ering gat eways m ake decisions on t he basis of addressing and port num bers. Applicat ion- level at t ack signat ures, usually buried in t he payloads of packet s, oft en sneak t hrough t he defenses present ed by t he packet - filt ering rules. This is t he m ain argum ent in favor of proxy- based firewalls, which are effect ive against applicat ion- level at t acks. Generally, packet - filt ering firewalls offer fast er t hroughput . Thus, for great er perform ance, securit y m anagers are willing t o t rade off a lower level of risk for t he perform ance gains. Nonet heless, cert ain high- perform ance packet - filt ering—st at eful

inspect ion—firewalls, such as Cyberguard's firewalls, achieve excellent perform ance levels wit h t heir proxy feat ures in effect . I n sum m ary, t he bast ion host is an effect ive alt ernat ive when securit y requirem ent s are low t o m edium . I t also prevent s direct connect ion from ext ernal, unt rust ed sources int o prot ect ed int ernal environm ent s. I f great er securit y is required, t he dual- hom ed firewall host m ay be t he bet t er solut ion, but be prepared t o t rade off net work perform ance in t he process. Scr e e n e d Su bn e t I n t oday's com pet it ive business environm ent s, t he only perceived difference bet ween you and t he com pet it ion could be t he services you offer. This is one of t he m ain drivers for e- business. Ent erprises are capit alizing on t he awesom e pot ent ial of t he I nt ernet t o provide cost - effect ive services t o t heir client s and prospect s. The challenge, of course, is doing it safely. Generally, t he m ore you seek t o engage your client or prospect online, t he m ore securit y is needed. For exam ple, if you are planning t o provide t he usual inform at ion found on a Web sit e, a Web server wit h hardened operat ing syst em and firewall offers a reasonable level of prot ect ion. On t he ot her hand, if you are planning t o conduct business- t o- consum er ( B2C) or business- t o- business ( B2B) e- com m erce t hat requires dat abase lookup, record creat ion, and relat ed dat abase operat ions, a great er level of securit y safeguards should be inst it ut ed t o ensure t he safet y of your int ernal net work from ext ernal, unt rust ed sources. Addit ionally, if you int end t o offer supplem ent al services, such as e- m ail and file t ransfer support , providing t he full com plem ent of services online securely is best accom plished by a screened- off subnet , or dem ilit arized zone ( DMZ) . As t he nam e suggest s, a DMZ is a subnet t hat is screened off from t he m ain, or int ernal, net work. This is done t o allow ent erprises t o offer a variet y of online services, at t he sam e t im e prot ect ing t he int ernal net work from unt rust ed, ext ernal access. The screening m echanism is usually a firewall or a firewall and a packet filt ering rout er. Owing t o t he pot ent ially devast at ing t hreat s lurking in t he wild and t he fact t hat t he m aj orit y of at t acks originat e from int ernal sources, operat ing a DMZ t oday poses a dist inct set of obst acles t hat m ust be successfully negot iat ed if accept able ret urns are t o be realized. Through best pract ices and effect ive archit ect ure, your business obj ect ives can be achieved. The m ost im port ant t hing t o bear in m ind is t hat t he DMZ will be t he m ost likely area t o be at t acked and t herefore a prim e source for com prom ising t he prot ect ed int ernal net work. The ot her, m ore com pelling, st at ist ic, based on indust ry t rends, is t hat t he DMZ is t wice as likely t o be at t acked from t he int ernal net work. So t he precaut ions t hat are t aken m ust fact or in t he int ernal t hreat as well. This is ironic, given t hat t he safet y of t he int ernal ent erprise net work is t he highest priorit y. I n ot her words, t he int ernal net work m ust also be prot ect ed against it self. The applicat ions and t he syst em s in t he DMZ should never be allowed access int o t he int ernal net work. I n t urn, access int o t he DMZ from t he int ernal net work should be for m aint enance and adm inist rat ion only, and such access should be rest rict ive. This leads t o an obvious quest ion. I f t he DMZ is not allowed access int o t he int ernal net work, assum ing t hat t he cent ral dat abase resides wit hin t he int ernal net work,

how can dat abase m angem ent syst em operat ions, such as lookup and record creat ion, be init iat ed? The answer lies wit hin t he archit ect ure. Theoret ically, a DMZ net work should be built t o accom m odat e all access requirem ent s for a set of applicat ions and syst em s. When access requirem ent s differ, a variat ion of an exist ing set of applicat ions and relat ed syst em s or t he inst it ut ing of a new applicat ion and syst em plat form m ay be needed. I n ot her words, whenever access requirem ent s m andat e a cert ain applicat ion and relat ed operat ing syst em plat form , t hat applicat ion and relat ed syst em s should be at t ached t o t heir own DMZ net work. Moreover, a given level of user access needs m ight force various levels of applicat ion- level access wit hin t he result ing DMZ. Let 's explore t his not ion. To safely accom m odat e t he access needs of t he general user and t he result ing access needs of t he applicat ion, t he DMZ should be divided int o t wo segm ent s: a public DMZ and a privat e DMZ ( see Figure 11- 3) . A public DMZ cont ains all t he applicat ions t hat are int ended for general public access. Applicat ions such as t he Web server, t he m ail server, and t he FTP server, for exam ple, are m ade available for all users wit h hom ogeneous access requirem ent s.

Figu r e 1 1 - 3 . Scr e e n e d- off su bn e t

I n addit ion, access should be rest rict ed t o only t hose prot ocols required t o access t he applicat ions in t he public DMZ. I n our exam ple, t hese include HTTP, SMTP, and FTP. All ext raneous prot ocols and default services t hat are not needed should be disabled or rem oved t o sufficient ly harden t he applicat ion server in quest ion. ( See Chapt er 10.)

A second, privat e DMZ is in t urn est ablished t o accom m odat e t he access requirem ent s of t he individual applicat ions in t he public DMZ. The privat e DMZ, where t he result ing dat abase servers reside, handles dat abase lookup, record creat ion, and ot her dat abase request s from t he applicat ions in t he public DMZ. As a best pract ice, t he privat e DMZ should never allow access from t he general public or from ext ernal, unt rust ed sources. More im port ant , t his segregat ion of dut ies lim it s t he pot ent ial am ount of dam age and disrupt ion in t he event of an at t ack. Wit h t he appropriat e rest rict ions in place t o cont rol ext ernal access, rest rict ions should also be est ablished t o regulat e int ernal access. I n general, only t he individual responsible for m aint aining a part icular server in t he public DMZ—usually a syst em adm inist rat or—is allowed unrest rict ed access int o t he server in quest ion. For exam ple, only t he syst em adm inist rat or for t he SMTP server should be grant ed access t o t his server. The Web adm inist rat or should be given access t o t he Web ( HTTP) server only, and so on. Sim ilarly, only t he dat abase adm inist rat or is allowed t o perform m aint enance and adm inist rat ion on t he dat abase servers on t he privat e DMZ, and t he prim ary dat abase is perm it t ed t o perform dat a t ransfer operat ions. Furt her securit y gains can be achieved by ensuring t hat a given syst em adm inist rat or is grant ed only t he specific service and adm inist rat ive prot ocols needed t o do his or her j ob. For inst ance, t o m aint ain t he file t ransfer server, t he firewall should enable t he syst em adm inist rat or t o init iat e only FTP connect ions, along wit h t he requisit e adm inist rat ive prot ocols t o perform relat ed funct ions. Overall, each public and privat e server in t he DMZ should im plem ent full audit ing and logging capabilit y. As a best pract ice, a dedicat ed log server on t he int ernal net work side of t he firewall should syst em at ically ret rieve logs from t he DMZ. Ult im at ely, t he dedicat ed log server prevent s unaut horized m odificat ions and ensures t he overall int egrit y of t he logs. On t he subj ect of logging, ensure t hat firewall logs do not fill up; t he t ypical response is t o allow t he firewall t o sim ply shut down. I n high- available com put ing environm ent s, t his is not feasible. To ensure t he 24/ 7 availabilit y of your firewall in t hese circum st ances, m ake sure t hat t he one you select allows logs t o be writ t en t o rem ot e logging servers. For exam ple, Check Point 's Firewall- 1 allows logging t o m ult iple logging facilit ies or logging t o m ult iple m anagem ent servers. I n t he rare case when m anagem ent servers aren't available, logging is writ t en t o t he firewall's local drive. Net screen Technologies' Net screen- 100, a firewall appliance wit h no hard disk, allows logs t o be writ t en via t he UNI X SYSLOG ut ilit y t o a virt ually unlim it ed num ber of log servers. Make cert ain t hat you are fully aware of how logging is support ed by your firewall, especially if it is t o prot ect a highly available com put ing environm ent . As a final recom m endat ion, t o facilit at e general changes and enhancem ent s t o t he applicat ions running in t he DMZ, t his act ivit y should never be conduct ed in real t im e direct ly from t he int ernal net work. I nst ead st aging servers wit hin t he int ernal net work should be used. St aging servers are configured in exact ly t he sam e way as t he servers on t he DMZ. Any changes t o be im plem ent ed are first inst it ut ed on t he st aging servers and t est ed accordingly. Once t he changes are verified and t he funct ionalit y validat ed, t he new m odificat ions m ay be deployed t o t he DMZ. I f st aging servers are not financially feasible, t he analyst s responsible for t he changes

m ust be given access rest rict ions t hat are sim ilar t o t hose im posed on t he syst em adm inist rat ors.

Hardening Firewalls Out of t he box, default set t ings of firewalls m ay pose cert ain vulnerabilit ies. Som e firewalls m ay be configured t o accept rout ing updat es. Wit h rout ing updat es enabled, an at t acker can provide bogus rout ing inform at ion during a session and divert t raffic t o an unt rust ed dom ain. Fort unat ely, t his pot ent ial vulnerabilit y can be resolved by sim ply deact ivat ing rout ing updat es, allowing t he firewall t o use st at ic—regular— rout ing inst ead. TCP source port ing and UDP access are exam ples of ot her vulnerabilit ies t hat m ay be prevalent in firewall default configurat ions. For exam ple, t hese pot ent ial vulnerabilit ies are prevalent in t he default configurat ion of Check Point Soft ware's Firewall- 1 version 4.0. Wit h source port ing, an at t acker uses a t rust ed port , such as port 80 for Web/ HTTP t raffic, t o m ask his or her ent ry t hrough t he firewall. I nst ead of t he t ypical HTTP packet s, t he m alicious packet s used in t he at t ack m ay be launched against t he firewall or host s t hat are prot ect ed behind it s perim et er. A firewall can count er t his at t ack in t wo ways. Firewall- 1 can be configured t o block t raffic from suspect sources by init iat ing connect ions from well- known sources inst ead. Also, act ivat e t he proxy m odule for a given prot ocol/ service t o nab m alicious code buried in t he payloads of packet s from m alicious sources. Like m any st at eful inspect ion firewalls, such as Firewall- 1, proxy m odules are available t o work in t andem wit h st at eful inspect ion m odules t o ward off payload- borne—applicat ionlevel—at t acks. TCP source port ing can m ask cert ain DDoS, virus, and Backdoor at t acks. Make cert ain t hat t he right precaut ions are init ialized wit h your firewall t o block TCP source port ing. Many firewall default configurat ions deny all t raffic unless expressly perm it t ed. I n t hese circum st ances, ensure t hat only t he necessary port s and services are allowed t hrough t he firewall t o support net work operat ions. UDP ( User Dat agram Prot ocol) , which is not oriously insecure, should cont inue t o be blocked at t he firewall. I n cont rast , t he default configurat ion of Firewall- 1 version 4.0 allows DNS updat es t o t ranspire t hrough UDP port 53. This could pot ent ially allow at t ackers t o provide bogus DNS ent ries t o perpet rat e session hij acking or a divert ing of a t rust ed user host com m unicat ion t o a rogue dom ain or Web sit e wit hout t he user's knowledge. Subsequent sessions wit h t he rogue dom ain will cont inue indefinit ely or unt il discovered. But in t he m eant im e, m uch inform at ion can be com prom ised. Firewall- 1 can handle t his problem easily enough by deact ivat ing DNS forwarding t hrough t he firewall configurat ion's Propert ies m enu. Finally, m ake cert ain t hat your firewall blocks Act iveX cont rols and script - based applet s. As you know, t he pot ent ial for m alicious script ing at t acks poses a huge risk t o t he int ernal net works. Wit h t hese and t he forgoing st ream lining st eps, you are well on your way t o deploying an effect ively hardened firewall for a crit ical layer of net work prot ect ion.

Remote-Access Architecture This sect ion assum es t hat you will not use an insecure prot ocol, such as TELNET, wit h your rem ot e- adm inist rat ion solut ion t o adm inist er a firewall or a server. TELNET and ot her insecure prot ocols should never be used t hrough unt rust ed net work dom ains for any purpose, let alone rem ot e adm inist rat ion. The safest way t o adm inist er t o firewalls and dedicat ed servers is locally, t hrough t he at t ached t erm inal or console. For local adm inist rat ive access cont rol, t he console workst at ion can generally be elect ronically prot ect ed t hrough passwords and log- on I Ds. I n addit ion, physical precaut ions can be t aken, such as disconnect ing and locking away t he keyboard and/ or locking t he door t o t he server room t o lim it access. Or a card reader can be inst alled on t he door t o cont rol access elect ronically. Also, idle t im e- out m echanism s can be used t o log out t he adm inist rat ors if keyst rokes aren't det ect ed aft er a cert ain int erval of t im e. However, if circum st ances dict at e t hat adm inist rat ion m ust t ake place rem ot ely, physically secure t he server in quest ion, and secure rem ot e com m unicat ions in a part icular m anner, especially if t hey m ust t raverse unt rust ed net works. Under t hese circum st ances, t he goal is t o avoid com m unicat ing in clear t ext . Depending on t he act ivit y, adm inist rat ors can choose a t hird- part y VPN—depending on t he operat ing syst em , secure socket layer ( SSL) or secure shell ( SSH) —or built - in encrypt ion m echanism s, such as t hose included wit h com m ercial firewalls.

Encryption Options for Administrators Virt ually all firewalls have built - in encrypt ion funct ionalit y for rem ot e adm inist rat ion. But t hey differ in t he encrypt ion algorit hm s, key lengt h, and encrypt ion key m anagem ent syst em s t hat are used. Most vendors support t he em erging st andard I nt ernet Key Exchange ( I KE) , driven by t he I nt ernet Engineering Task Force ( I ETF) . I KE is a set of rules t hat specify how t wo end host s—t he syst em s adm inist rat or and t he firewall gat eway/ server—negot iat e for exchanging keys t hat will be used t o encrypt sessions. I KE m akes sure t hat t he keys m at ch and are aut hent ic before com m unicat ions get under way. Secure hash algorit hm ( SHA- 1) and m essage digest 5 ( MD5) are t he hashing algorit hm s used t o ensure t hat encrypt ion keys are aut hent ic, or dispensed bet ween t he part ies t hat are expect ing t o be involved in t he session. I n addit ion t o encrypt ion, which adds privacy t o t he com m unicat ion, t he syst em adm inist rat or should use st rong aut hent icat ion, or t wo- fact or aut hent icat ion, t o access t he syst em . Two- fact or aut hent icat ion refers t o som et hing t he individual m ust own and rem em ber t o log on t o syst em s. Sm art cards or t okens, which are usually not bundled wit h t he firewall, are t he m ost com m on form of t wo- fact or—st rong— aut hent icat ion. These hand- held devices, t he size of credit cards, provide t he adm inist rat or's ( user's) log- on I D.

I n addit ion, t he adm inist rat or m ust ent er a personal ident ificat ion num ber ( PI N) t hrough a challenge/ response m echanism , which in t urn will issue a one- t im e password. A password is creat ed at set int ervals from a random - password generat or built int o t he syst em . Aft er passing t he challenge/ response, t he adm inist rat or ( user) is accept ed as aut hent ic, and access t o t he firewall server is grant ed. Typically, sm art cards or t okens m ust be purchased separat ely from t he firewall. I f an ent erprise has m any syst em adm inist rat ors who are on t he m ove, a t wo- fact or aut hent icat ion syst em m ay be t he best opt ion for realizing an accept able level of securit y. The net work's firewall and ot her servers can be adm inist ered from various geographically dispersed locat ions or from separat e offices wit hin a given locat ion. I n ot her circum st ances, t he log- on I D and password m echanism , coupled wit h t he built in encrypt ion schem es, would offer an accept able level of securit y for rem ot e adm inist rat ion.

Securing Remote-Administration Pipes for Administrators When you are doing rem ot e adm inist rat ion, services t ransm it user log- on I Ds and passwords in clear t ext . When crossing unt rust ed net works, t hey are subj ect ed t o sniffers, connect ion hij acking, and net work- level at t acks. Therefore, t he prot ocols and services should never be used t o support connect ivit y when adm inist ering t o syst em s rem ot ely. The SSH prot ocol can subst it ut e for TELNET, rlogin, and FTP in UNI X- based syst em s. I n browser- based syst em s, SSL is t he preferred m et hod. Also, a virt ual privat e net work ( VPN) can be used for rem ot e adm inist rat ion connect ivit y, regardless of t he operat ing syst em used by t he server. Each m et hod enables rem ot e log- on at t em pt s and sessions t o be encrypt ed, dat a t o t ransm it wit h int egrit y or wit hout unaut horized m odificat ions, and aut hent icat ion of syst em adm inist rat ors. Addit ionally, VPNs support t he use of sm art cards and t okens for a m obile adm inist rat ive st aff. Adm inist rat ive funct ions should also be prot ect ed from unscrupulous int ernal sources. A growing best pract ice involves using out - of- band m anagem ent t o support adm inist rat ive funct ions ( see Figure 11- 4) . Wit h t his t echnique, a separat e subnet work is creat ed t o allow access for adm inist rat ors only. Each server or host , including rout ers, m ust be out fit t ed wit h an int erface, t ypically an NI C card dedicat ed for t he adm inist rat ive subnet work.

Figu r e 1 1 - 4 . Ou t - of- ba n d a dm in ist r a t ive m a n a ge m e n t su bn e t

I f SNMP is popular in your ent erprise, creat ing an out - of- band subnet for t he adm inist rat ors m ay offer a viable alt ernat ive. Working in conj unct ion wit h TCP wrappers, available t o UNI X and Linux syst em s, and adm inist rat ive, file, and direct ory perm issions, available t o Windows ( NT/ 2000) - based syst em s, t he out - ofband subnet solut ion would be a cost - effect ive m eans of prot ect ing host s from int ernal sabot eurs while providing an effect ive level of securit y for adm inist rat ive funct ions.

Remote-Access Architecture/Solutions for Users Providing secure net work access t o bot h local and rem ot e users is one of t he biggest challenges facing I T m anagers. Moreover, t he larger t he organizat ion, t he m ore difficult t he enforcem ent of user access securit y policy becom es, exacerbat ing a pot ent ially t enuous sit uat ion. Get t ing users t o consist ent ly use st rong passwords wit h t heir log- on I Ds is at t he heart of t he problem . The t endency is t o reuse easily rem em bered passwords or t o writ e down m ore difficult ones. Som e users m ay require m ult iple log- on I Ds and passwords t o perform t heir dut ies. Under t hese circum st ances, users m ay find it difficult t o adhere t o ent erprise password policy, especially if it requires t hem t o creat e a unique password for each log- on I D, say, every 4 weeks.

Furt herm ore, regardless of whet her users use st rong or weak passwords, t hey m ay occassionally be t ricked int o providing t heir passwords t o perpet rat ors pret ending t o be support st aff or help desk personnel. This form of at t ack, euphem ist ically called social engineering, can be addressed easily enough t hrough end user securit y awareness program s and t raining. The bot t om line is t hat passwords should never be provided over t he t elephone or t hrough e- m ail, especially t o individuals not known t o t he user. Sm a r t Ca r ds a n d Tok e n s Ent erprises are t urning t o alt ernat ive, pot ent ially m ore effect ive m eans t o achieve an accept able level of cont rol over user log- on procedures. To ensure t hat st rong passwords are consist ent ly used and changed oft en, organizat ions are providing t heir user base wit h sm art cards and/ or t okens wit h one- t im e password- generat ing algorit hm s. A sm art card works wit h a special reader and can be used for m ult iple applicat ions, such as PKI ( public key infrast ruct ure) , building access, or biom et rics. I n cont rast , a t oken t ypically generat es a unique passcode and displays it in a sm all window on t he device over a set int erval, perhaps every 60 seconds. The user com bines t he passcode wit h t he PI N num ber and m anually keys in t he dat a at t he PC keyboard t o gain access. The aut hent icat ion server knows every user passcode/ PI N com binat ion t o expect in any given 60- second int erval. Given a m at ch for t hat user's passcode/ PI N com binat ion, access is grant ed. Bot h sm art cards and t okens are designed t o work wit h encrypt ion key algorit hm s, which ensures t hat passwords are st rong and never t ransm it t ed across unt rust ed net works in clear t ext . The com binat ion of t he built - in encrypt ion and t he PI N num ber ensures t hat t he user in quest ion is who he or she claim s t o be. Because of t he crit ical role t he PI N num ber plays in t he user log- on process, it should never be writ t en down but inst ead im m ediat ely com m it t ed t o m em ory. The big problem wit h t his log- on m et hod is t hat cards can be lost or st olen. I f a card is st olen, which is oft en difficult t o prove, it 's likely t hat t he PI N num ber connect ed wit h a user's card m ay also have been confiscat ed. I n t hese circum st ances, a new card or t oken m ust be reissued and t he confiscat ed card deact ivat ed t o prevent unaut horized net work access. Deploying sm art cards and t okens for user log- on and aut hent icat ion addresses t he use and enforcem ent issues of st rong passwords but m ay creat e an equally worrisom e sit uat ion caused by lost or st olen cards. Sm art cards and/ or t okens m ay pose no great er risk t o being lost or st olen t hen regular bank ATM cards. However, wit h t he proper policies and user educat ion program s in place, t his problem can be m it igat ed and/ or cont rolled so t hat t he use of sm art cards or t okens could be right for your organizat ion. SSO Solu t ion s Two- fact or aut hent icat ors solve t he problem of weak passwords. But how do you cope wit h t he m ult iple log- on requirem ent s? Ent erprises run t heir businesses on a wide variet y of com put ing plat form s, and users m ust be able t o readily access ent erprise inform at ion safely and securely wherever it resides. Single sign- on ( SSO) syst em s are a viable solut ion t o t he scenario of m ult iple log- ons and passwords.

SSO syst em s enable users t o aut hent icat e once t o a cent ralized log- on ( SSO) syst em and t hen seam lessly connect int o each applicat ion plat form t hat has been SSO enabled. Som e organizat ions m ight have a dozen or m ore applicat ion plat form s, wit h each norm ally requiring a separat e log- on I D and password ( see Figure 11- 5) . Once t he user is aut hent icat ed t o t he SSO syst em , t he applicat ion plat form s t hat have been ret rofit t ed wit h SSO capabilit y can be accessed from user deskt ops.

Figu r e 1 1 - 5 . Sin gle sign - on a r ch it e ct u r e

Vendors of SSO solut ions support m any, but not all, applicat ion plat form s. UNI X ( HPUX, Solaris, AI X) , NT/ 2000, Net Ware, and cert ain I BM m ainfram e plat form s, such as MVS, are support ed t hrough ready- m ade SSO m odules or agent s t hat com e as part of t he st andard offering. To develop SSO funct ionalit y for ot her plat form s, SSO solut ions include a soft ware developers kit ( SDK) and/ or applicat ion program m ing int erfaces ( API s) t o creat e an SSO agent or m odule. This, of course, requires program m er int ervent ion. RSA's Keon PKI Single Sign On solut ion, for exam ple, offers an SDK t o develop a st and- alone agent for program m ing a st and- alone SSO m odule for t he applicat ion plat form in quest ion or a source code SDK t o program t he SSO funct ionalit y direct ly int o t he source code of t he applicat ion. Eit her way, t he applicat ion plat form will becom e SSO enabled; however, going t he " agent " rout e m ay im pact perform ance, owing t o t he great er level of overhead creat ed for t he result ing applicat ion plat form . I n effect , you t rade off perform ance t o gain ease of developm ent , funct ionalit y, and quicker ret urns on invest m ent . I n t he final analysis, you m ay det erm ine t hat t he cost of enabling SSO for cert ain applicat ion plat form s is t oo great . I n fact , SSO solut ions are rarely used t o include every applicat ion plat form support ing business operat ions, owing t o cost of deploym ent , ROI , and syst em life- cycle considerat ions. Nevert heless, SSO solut ions offer a viable alt ernat ive t o t he problem of m ult iple log- on passwords. SSO solut ions

can also accom m odat e user aut hent icat or devices, such as sm art cards, or PKI for an effect ive, secure log- on solut ion.

Vulnerability Assessment Architecture/Solutions Vulnerabilit ies are t he t ell- t ale, overlooked, and forgot t en windows and doors t hat hackers violat e t o gain unaut horized ent rance int o your ent erprise net work. The dist urbing realit y about vulnerabilit ies is t hat hackers don't have t o be very good t o exploit t hem . Wit h lim it ed skill, a lit t le pat ience, and perseverance, t he average hacker can at t ack a net work wit h known vulnerabilit ies and, depending on t he exploit , cause m aj or disrupt ion, vandalism , dest ruct ion, t heft or loss of int ellect ual propert y, propriet ary secret s, and/ or inform at ion asset s. One reason an average hacker can be so successful is t hat powerful t ools exist as freeware downloads from popular hacker sit es in t he wild. ( See Chapt er 8 for an overview of hacker t ools.) Anot her, m ore im port ant , reason is t hat because figuring out what vulnerabilit ies t o exploit depends in large part on a relat ively uncom plicat ed process: det erm ining what operat ing syst em , syst em plat form , and services run on a given net work. I n ot her words, a hacker who can ident ify t he OS, hardware, services, and specific versions of running services can m ost likely ident ify at t acks likely t o succeed. These at t acks com e in t he form of hom e- grown script s, ut ilit ies, and relat ed m odified program s t hat are readily available as free downloads from yet ot her hacker sit es. Aft er obt aining OS and relat ed inform at ion, t he hacker can, wit h a lit t le research, derive a list of known vulnerabilit ies. A program like nm ap, t he " Swiss arm y knife of hacker t ools," is effect ive in ident ifying operat ing syst em s, syst em plat form s, and running services t hrough an ext ensive array of built - in feat ures for probing, port scanning, and OS fingerprint ing. To ident ify t he pert inent inform at ion, pot ent ial hackers m ay have t o probe ent ire net works or a single host , bypass a firewall, use st ealt h or undet ect able scanning t echniques, or scan prot ocols. Nm ap sim plifies t his process by including virt ually all t he t echniques t hat would norm ally require m ult iple scanning t ools t hat run on m ult iple plat form s. Unfort unat ely, nm ap and sim ilar, but less powerful, t ools are in wide use in t he wild by hackers and, t o a lesser ext ent , whit e hat s, as well. For exam ple binfo.c is an efficient lit t le script t hat ret rieves t he version of t he dom ain nam e service running on a rem ot e nam e server. I f t he server is running a vulnerable version of BI ND, t he hacker will also know t hat t he operat ing syst em is a flavor of UNI X. Wit h nm ap, t he hacker could quickly pinpoint t he specific operat ing syst em and t he version of BI ND t hat is running. Wit h a lit t le ext ra research, t he hacker would soon learn t hat NXT, QI NV ( inverse query) , and I N.NAMED ( nam ed) are t he t hree vulnerabilit ies t hat are exploit ed t o gain unaut horized cont rol of t his part icular DNS server. At t acking t he vulnerable version enables t he hacker t o gain a root com prom ise wherein syst em files can be replaced and adm inist rat ive cont rol obt ained. The binfo.c script can be obt ained from t he Web sit e ht t p: / / www.at t rit ion.org/ t ools/ ot her/ binfo.c. At t rit ion.org is a popular hacker sit e founded by Brian Mart in, who is known in t he hacker com m unit y as Jericho. Alt hough t his exploit can be cont rolled by applying t he appropriat e pat ch levels, t he BI ND

vulnerabilit y is st ill list ed as t he num ber 3 UNI X exploit in t he SANS/ FBI list of t op 20 vulnerabilit ies ( see Appendix A) . As a good pract ice, I T securit y m anagers should obt ain a copy of nm ap and run it periodically so t hat t hey know what a pot ent ial hacker is able t o see if he or she decides t o obt ain reconnaissance on your net work. I f you decide t o inst all nm ap, t he recom m ended configurat ion is a dedicat ed Linux box. [ 1] [ 1]

For det ails on how t o download nm ap under Linux, go t o ht t p: / / www.insecure.org/ nm ap/ .

The bot t om line is t hat wit h nm ap, hackers can obt ain crit ical inform at ion on t he OS, syst em plat form , and running services. Wit h such inform at ion, a list of known vulnerabilit ies for t he " fingerprint ed" operat ing environm ent can be obt ained wit hout m uch difficult y. Therefore, t he recom m ended st rat egy is t o elim inat e as m uch vulnerabilit y as possible in m ission- dependent net works. A hacker m ay be able t o learn your net work's OS, services, and syst em plat form , but if t he relat ed vulnerabilit ies aren't t here, you succeed in elim inat ing t he unwant ed windows and doors, which are key t o a hacker's success. Vulnerabilit y assessm ent , or analysis, is accom plished by using specialized t ools t o det erm ine whet her a net work or host is vulnerable t o known at t acks. Vulnerabilit y assessm ent t ools, also known as scanners, aut om at e t he det ect ion of securit y holes in net work devices, syst em s, and services. Hackers pat ient ly probe net works t o discover such openings. Sim ilarly, scanners are designed t o sim ulat e t he behavior pat t erns and t echniques of hackers by syst em at ically launching a salvo of t hese at t ack scenarios t o explore for known vulnerabilit ies, which could be any of hundreds of docum ent ed securit y holes. The SANS I nst it ut e's list docum ent s 600 or m ore exploit able securit y weaknesses. Som e scanners, such as Sym ant ec's Net Recon, provide a pat h analysis, which det ails t he st eps an int ruder m ight t ake t o discover and exploit your net work's vulnerabilit ies. When t hey are discovered, scanners priorit ize t hem in a report . The rat ing indicat es t he im m ediat e level of t hreat pot ent ial for a given securit y hole. These specialized analysis t ools are available from bot h com m ercial channels and freeware sources and are used for eit her net work vulnerabilit y assessm ent or host vulnerabilit y assessm ent . Nm ap, developed by Fyodor; Nessus, by Renaud Deraison and Jordan Hrycaj ; and SATAN ( Securit y Adm inist rat or Tool for Analyzing Net works) , developed by Wiet sa Venem a and Dan Farm er, are exam ples of freeware net work scanners. SATAN can also be used for host scanning. Nessus t est ed bet t er t han did com m ercial scanning t ools Net Recon and I nt ernet Scanner in t he 2001 Net work World Vulnerabilit y Scanner Showdown. Nevert heless, Net Recon, I SS's I nt ernet Scanner, and Cisco Syst em s' Net Sonar are all effect ive net work scanners. For host vulnerabilit y assessm ent , com m ercial t ools appear t o be in m ore widespread use and accept ance. Leading t he com m ercial offering for host vulnerabilit y analysis are Sym ant ec's ESM, I SS's Syst em Scanner and Dat abase Scanner, and Net work Associat e's CyberCop Scanner. On t he freeware side, you can use nm ap, SATAN, and a freeware m ult ipurpose t ool called COPS ( Com put er Oracle and Password Syst em s) , developed by Dan Farm er. [ 2]

[ 2]

SATAN can be obt ained from ft p: / / ft p.porcupine.org/ pub/ securit y. Furt her inform at ion on SATAN can be obt ained from ht t p: / / www.cert .org/ advisories/ CA- 95.06.sat an.ht m l. Nessus can be obt ained from www.nessus.org. COPS can be obt ained from ft p: / / coast .cs.purdue.edu/ pub/ t ools/ UNI X/ cops.

Network-Based Assessment Architecture Net work scanning should be conduct ed from a single syst em . Depending on t he scanner, t he scanning engine can operat e under various operat ing environm ent s. For exam ple, Net Recon version 3 wit h securit y updat e 7 operat es under Windows NT 4.0, service pack 3 or great er, or a Windows 2000 workst at ion or server. The recom m ended operat ing environm ent for nm ap is Linux. Regardless of t he scanner's operat ing environm ent , t he syst em can scan various operat ing environm ent s, including UNI X, Linux, Windows 2000, Windows NT, and Net Ware. The scanning syst em analyzes t he ext ernal side of an ent erprise's firewall, servers, workst at ions, and net work devices by launching a variet y of at t acks and probes t o cat egorize weaknesses ( see Figure 11- 6) .

Figu r e 1 1 - 6 . N e t w or k vuln e r a bilit y a sse ssm e n t

I n t he final analysis, t he com plet ed scan enables you t o det erm ine what havoc an int ruder could wreak, what services could crash, or what denial- of- service at t acks t he net work is precondit ioned t o. Scanners can also help you ensure t hat t he ent erprise securit y policy is resilient in t he face of sim ulat ed at t acks. More im port ant , a scanner can be inst rum ent al in conveying whet her your firewall can be penet rat ed. Of course, a successful penet rat ion m ay suggest t hat rem ediat ion is in order. As a best pract ice, net work vulnerabilit y assessm ent should be run at set int ervals or when t here is a significant change t o t he net work. Depending on t he sensit ivit y of your inform at ion asset s and t he level of open access, you m ight be bet t er served t o conduct net work vulnerabilit y assessm ent on a m ont hly basis. Ot herwise, conduct ing one on a quart erly basis m ay prove t o be sufficient . ( For addit ional discussion, see Chapt er 12.)

Host Vulnerability Assessment Host - based analysis works from wit hin t he net work, focusing on int ernal m anagem ent cont rols as enforced t hrough t he ent erprise securit y policy. Host assessm ent syst em s check t he syst em and applicat ion set t ings wit hin t he host and com pare t he dat a t o t he rule base in t he host assessm ent syst em . The rule base is a m anifest at ion of t he ent erprise's securit y policy. Therefore, any violat ion of t he rule base is a violat ion of t he ent erprise's securit y policy. The host - based syst em is designed t o run direct ly on servers, workst at ions, and applicat ions operat ing in t he net work. Because of t he sheer num ber of pot ent ial host s t hat can exist on a given net work, t he best st rat egy in deploying a host assessm ent syst em is t o st art wit h t he crit ical syst em s first , such as t hose feat ured in Figure 11- 6. I n operat ion, an assessm ent agent of t he host vulnerabilit y syst em m ust reside on t he host in quest ion. These agent s, in t urn, report t he dat a t o a cent ral host assessm ent server, which is designat ed as t he cent ral reposit ory, or m anager. The adm inist rat or int erfaces wit h a GUI t o generat e report s. The report s t ell t he adm inist rat or which syst em s are in com pliance wit h t he securit y policy. Syst em s found not t o be in com pliance are m odified accordingly wit h t he correct set t ings, securit y enhancem ent s, and relat ed cont rols. Net work and host - based assessm ent are key in building a resilient securit y archit ect ure. Coupled wit h infrast ruct ure- hardening procedures, t hey ult im at ely provide t he foundat ion on which ot her securit y m easures, such as int rusion det ect ion syst em s, firewalls, VPNs, and virus det ect ion syst em s, should be deployed t o ensure proper prot ect ion of t he ent erprise's net work. ( Addit ional inform at ion on vulnerabilit y assessm ent is provided in Chapt er 12.)

Intrusion Detection Architecture

An int rusion det ect ion syst em is perhaps t he m ost crit ical layer in a m ult ilayer securit y deploym ent st rat egy. I nt rusion det ect ion syst em s are designed t o render net work securit y in real t im e and near real t im e. I n real- t im e int rusion det ect ion, an int rusion det ect ion agent cont inually sift s t hrough all net work t raffic. On t he ot her hand, near- real- t im e I DS syst em s t ake snapshot s of t raffic on t he wire at set int ervals. Eit her way, t he I DS sensor m ust analyze t he dat a st ream against a dat abase of known at t ack signat ures t o det erm ine whet her an at t ack is under way. I n effect , t he I DS syst em and it s relat ed signat ure dat abase are only as good as t he last known at t ack. The operat ive word here is known. A window of opport unit y for hackers exist s in t hat int erval of t im e when new at t acks originat e and t he I DS signat ure dat abase is updat ed wit h t heir signat ures. Because of t he ongoing t hreat of new at t acks and t he im m ediat e t im e fram e before signat ure dat abases are updat ed, som e idealist s believe t hat no signat ure- based I DS syst em , t herefore, is a t rue real- t im e securit y syst em . At best , signat ure- dat abase I DS syst em s can be only near real t im e because new at t ack pat t erns m ost likely will not be det ect ed. Bet ween t he point of discovery and when a pat ch is applied and/ or signat ure dat abase updat ed, it is up t o t he I T securit y m anager, not t he I DS syst em , t o ensure t hat t he window of opport unit y is m inim ized. For t his reason, securit y adm inist rat ors m ust be vigilant in ensuring t hat I DS signat ure dat abases are brought up- t o- dat e as soon as new at t ack signat ures becom e available. I nst ead of wait ing for your I DS vendor t o fingerprint new at t acks and t o provide t hem as e- m ail at t achm ent s or t o sit e downloads, som e I DS syst em s, such as Sym ant ec's Net Prowler, allow developm ent of cust om at t ack signat ures. For t he init iat ed, t his feat ure will allow net work securit y t o st ay perhaps one st ep ahead of—or, depending on your point of view, no m ore t han one st ep behind—hacker exploit s.

Network-Based IDS Architecture Like an out - of- band adm inist rat ive subnet work, a net work I DS syst em should be deployed as a separat e net work segm ent . I f t he I DS syst em is direct ly connect ed int o t he int ernal net work as regular net work host s and assigned I P addresses, t he syst em would be subj ect ed t o at t acks. To m inim ize t he pot ent ial for at t acks, I DS agent s or sensors t hat are responsible for m onit oring net work t raffic should not be configured wit h net work I P addresses. This precaut ion would render t he I DS agent virt ually undet ect able while enabling it t o work in a st ealt hlike m ode. But if I P addresses are not provided t o I DS agent s, how is rem ot e adm inist rat ion handled? More im port ant , can rem ot e adm inist rat ion be support ed from a cent ral point ? I n all inst ances, an I DS sensor should be a st and- alone unit configured as a dualhom ed host . One net work int erface card ( NI C) —for analyzing all t he packet s t raversing t he wire—should be configured in prom iscuous m ode, exam ining every packet on t he local segm ent while operat ing undet ect ed in a st ealt hlike m anner. The ot her NI C card should be configured wit h an I P address t o facilit at e I DS report ing and rem ot e adm inist rat ion. Wit h t his archit ect ure, t he I DS net work segm ent can be cont rolled from a cent ralized rem ot e locat ion while operat ing virt ually undet ect ed ( see Figure 11- 7) .

Figu r e 1 1 - 7 . I D S pr om iscu ou s m ode a n d r e por t in g a r ch it e ct u r e

Alt hough t he figure shows t he DMZ I DS agent connect ing direct ly t o t he I DS, bear in m ind t hat t his is a concept ual diagram . As a best pract ice, any I DS agent t hat m onit ors an ext ernal net work segm ent , such as a DMZ, should report back t hrough t he firewall. Report ing t hrough t he firewall helps rest rict access and ult im at ely increases securit y t o t he overall I DS net work. Sim ilarly, t he I DS agent t hat is at t ached t o t he ext ernal I nt ernet connect ion for m onit oring at t acks on t he ext ernal I nt ernet rout er should also report back t hrough t he firewall t o t he m anagem ent console. One im port ant caveat , however: When m onit oring ext ernal host s on t he I nt ernet side of t he firewall, carefully configure I DS agent s t o avoid unnecessary alarm s. This m inim izes t he alert s and being forced t o respond t o false posit ives. Too m any false posit ives run t he risk t hat I DS would event ually not be t aken t oo seriously. Aft er configuring and deploying t he I DS agent s appropriat ely, a separat e I DS net work segm ent is creat ed. I deally, an I DS agent should also be connect ed t o t he

I DS subsegm ent t o m onit or it for at t acks, m ainly from t he inside. However, if proper access policies, OS hardening, and physical securit y, are est ablished, t he risk of at t acks from wit hin t he net work should be m inim ized. A separat e net work- based I DS deploym ent schem e, wit h individual analysis and report ing int erfaces, offers ot her benefit s as well. Because t he I DS analysis and report ing m echanism s are on separat e int erfaces, t he overall perform ance of t he I DS is im proved. Furt her, if a bandwidt h- consum ing DOS at t ack hit s any of t he segm ent s guarded by t he I DS sensors, t he I DS cont inues t o funct ion. I n general, deploying an I DS syst em separat ely prevent s t he reduct ion of available bandwidt h t o ent erprise net work segm ent s, especially t he DMZ, which is usually devot ed t o public access. I f circum st ances dict at e t hat t he report ing and cont rol int erface m ust be connect ed direct ly t o t he int ernal net work rat her t han t o a separat e I DS segm ent , securit y can be m aint ained by deploying filt ering rout ers and/ or swit ches t o rest rict access t o t he I DS m anagem ent console. The filt ering rout ers and/ or swit ch ensure t hat only I DS act ivit y, such as report ing, adm inist rat ion, and cont rol, is allowed on t he connect ion. Finally, com m unicat ion bet ween t he I DS agent s and t he m anagem ent console should always be encrypt ed and aut hent icat ed. Addit ionally, t he syst em clocks of all t he host s support ing t he I DS syst em s should be synchronized t o facilit at e correlat ion and t he audit ing of log dat a. This includes t he clocks of t he I DS agent s, m anagem ent consoles, firewalls, and rout ers. All log dat a, in t urn, should be direct ed t o a cent ralized log server t o facilit at e analysis and t o prevent unaut horized m odificat ions of logs. Finally, alt hough net work- based I DS syst em s are effect ive in seeing all t he t raffic on a given net work segm ent , t hey cannot see what is happening on individual host s. For t his reason, a com plet e I DS im plem ent at ion incorporat es net work- based and host based I DS com ponent s. For an excellent perspect ive on I DSs, refer t o " I nt rusion Det ect ion Syst em s ( I DSs) : Perspect ive" by Gart ner. The review can be obt ained from ht t p: / / www.gart ner.com / Display?TechOverview?id= 320015. Anot her excellent review, " NI ST Special Publicat ion on I nt rusion Det ect ion Syst em s," is available from t he NI ST Web sit e: www.nist .gov. Finally, for a survey of com m ercially available I DSs, go t o ht t p: / / lib- www.lanl.gov/ la- pubs/ 00416750.pdf; and ht t p: / / www.securit yfocus.com . ( Securit yFocus.com is an I DS- focused sit e t hat feat ures news, inform at ion, discussions, and t ools.)

Host-Based IDS Solutions Host - based I DS syst em s work t hrough an agent t hat resides on t he host it is m onit oring. The agent collect s and analyzes inform at ion from session event s in response t o host operat ions. Because of t heir proxim it y t o t he host , agent s are able t o analyze act ivit y wit h great reliabilit y and accuracy but m ust be configured for full audit ing and act ivit y logging. The agent scrut inizes event logs, crit ical syst em files, direct ory perm issions, and ot her audit - capable resources, looking for unaut horized changes and suspicious pat t erns of act ivit y. Unlike net work- based I DSs, host - based

I DSs can see t he out com e of an at t em pt ed at t ack. When an at t ack is discovered or anyt hing out of t he ordinary is discovered, an alert is issued. Because t he host I DS agent resides on t he unit , m onit ored syst em s should be configured wit h addit ional m em ory, sufficient disk space, caching, and ot her resources t o ensure accept able perform ance. Like net work- based I DS syst em s, com m unicat ion bet ween t he I DS host and t he m anagem ent console should be encrypt ed and aut hent icat ed.

Part IV: Active Defense Mechanisms and Risk Management I n a sense, t he subj ect m at t er covered in Chapt ers 12 and 13 is ant iclim act ic. I f you harden your infrast ruct ure, deploy securit y in m ult iple layers, increase securit y aw areness in t he user base, inst it ut e com prehensive m anagem ent cont rols, and fost er execut ive m anagem ent support and buy- in, your ent erprise will be well on it s way t o at t aining holist ic life- cycle securit y. The best pract ices present ed in Part I V m erely com plem ent , or enable, an opt im al esecurit y post ure for t he ent erprise net work. I n ot her words, near- realt im e and act ive defense m echanism s are im port ant , but t hey rely heavily on t he effect ive dispensat ion of ot her e- securit y com ponent s. The int errelat ionships are not m ut ually exclusive but inst ead int erdependent . I f a vulnerabilit y assessm ent reveals known vulnerabilit ies in a crit ical net work com ponent , t he fact t hat every ot her host is sufficient ly hardened doesn't obviat e t he fact t hat t he net work is placed at risk for at t ack. Vulnerabilit y assessm ent is effect ive only if t he appropriat e st eps are t aken t o elim inat e or m it igat e t he vulnerabilit y discovered. Chapt ers 12 and 13 focus on vulnerabilit y and risk assessm ent m anagem ent , respect ively. Chapt er 12 explores how t o cont rol t hose unwant ed windows and back doors t hat crop up during t he securit y life cycle of a net work. Chapt er 13 covers how vulnerabilit ies are used t o derive t he financial t hreat of pot ent ial net work at t acks.

Chapter 12. Vulnerability Management Vulnerabilit y m anagem ent can be one of t he m ost challenging e- securit y areas for I T m anagers t o cont rol, because m anaging your net work's vulnerabilit ies can be a m oving t arget at best . This chapt er reviews t he various sources of vulnerabilit ies. Four m ain cat egories of vulnerabilit ies are discussed t o provide insight int o t he pot ent ial scope of t he problem . Several recom m endat ions and best pract ices on how t o keep abreast of your net work's known vulnerabilit ies are discussed next . The solut ions are pract ical and key t o t he overall life- cycle securit y process. The chapt er also furt her discusses host - and net work- based vulnerabilit y assessm ent . The advant ages and disadvant ages of each are described t o help you bet t er det erm ine how t o best deploy com plem ent ary securit y m easures t hat are right for your ent erprise's net work.

Types of Vulnerabilities Vulnerabilit ies in net works and host s can be creat ed by inherent ly insecure prot ocols, from im properly configured net work syst em s and host s, and from t he com binat ion of cert ain services support ing cert ain applicat ions. Vulnerabilit ies also propagat e from design flaws in soft ware and relat ed com ponent s, from cert ain net working pract ices, and from regular applicat ions and ad hoc business applicat ions t hat m ay require t em porary m odificat ions t o com put ing resources. I n general, vulnerabilit ies can be classified int o four cat egories: vendor- supplied soft ware, syst em configurat ion, syst em adm inist rat ion, and user act ivit y. • • • •

Vendor- supplied soft ware m ay creat e vulnerabilit ies t hrough design flaws, bugs, unapplied securit y pat ches, and updat es. Syst em configurat ion vulnerabilit ies include t he presence of default or im properly set configurat ions, guest user account s, ext raneous services, and im properly set file and direct ory perm issions. Adm inist rat ion- based vulnerabilit ies include int egrat ion of syst em services wit h im properly set opt ions in NT regist ry keys, for exam ple, unaut horized changes, and unsecure requirem ent s for m inim um password lengt h. User act ivit y can creat e vulnerabilit ies in t he form of risky short cut s t o perform t asks, such as m apping unaut horized users t o net work/ shared drives; failure t o perform housekeeping chores, such as updat ing virus soft ware; using a m odem t o dial in past t he corporat e firewall; and policy violat ions, such as failing t o use st rong passwords.

Table 12- 1 list s exam ples of vulnerabilit ies.

Ta ble 1 2 - 1 . M a j or Com m on Vu ln e r a bilit ie s Vu ln e r a bilit y I nput validat ion error •

•

D e scr ipt ion Result s when t he input t o a syst em is not properly checked, producing a vulnerabilit y t hat can be exploit ed by sending a m alicious input sequence.

Buffer overflow ( input validat ion error)

Syst em input is longer t han expect ed, but t he syst em does not check for t he condit ion, allowing it t o execut e. The input buffer fills up and overflows t he allocat ed m em ory. An at t acker t akes advant age of t his, skillfully const ruct ing t he excess input t o execut e m alicious inst ruct ions.

Boundary condit ion error

Syst em input exceeds a specified boundary, result ing in exceeding m em ory, disk space, or net work bandwidt h. The at t acker t akes advant age of t he overrun by insert ing m alicious input as t he syst em at t em pt s t o com pensat e for t he condit ion.

Access validat ion error

The access cont rol m echanism is fault y because of a design flaw.

Except ionalcondit ion handling error

An except ional condit ion has arisen; handling it creat es t he vulnerabilit y.

Environm ent al error

The environm ent int o which a syst em is inst alled causes it t o becom e vulnerable because of an unant icipat ed event bet ween, for exam ple, an applicat ion and t he operat ing syst em . Environm ent al vulnerabilit ies m ay exist in a product ion environm ent despit e a successful t est in t he t est environm ent .

Configurat ion error

Occurs w hen user- cont rollable set t ings are im properly set by syst em / applicat ions developers.

Managing IT Systems Vulnerabilities Underst anding t he source of vulnerabilit ies is an im port ant st ep in being aware of and ult im at ely m it igat ing vulnerabilit ies in t he ent erprise net work. Cont rolling t hem on an ongoing basis requires j ust as m uch of a com m it m ent t o a m et hodical review process as t he com m it m ent t o periodically assess t he I T net work wit h host and net work scanners. Many com m ercial, educat ional, and public- sect or inst it ut ions m aint ain reposit ories of known vulnerabilit ies and t heir relat ed exploit s. CERT/ CC, Sym ant ec's SWAT, I SS's X- Force, and t he MI TRE Corporat ion's Com m on Vulnerabilit ies and Exposures ( CVE) dat abase are j ust a few of t he m ost com prehensive dat abases for t racking vulnerabilit ies in UNI X, NT/ 2000, ot her popular operat ing syst em s and applicat ions. ( The CVE dat abase, m ore akin t o a dict ionary t han t o a dat abase, is focused on est ablishing a list of st andardized nam es for known vulnerabilit ies and relat ed inform at ion securit y exposures.) As a recom m ended pract ice, t hese sit es should be m onit ored syst em at ically t o t rack t he incidence of vulnerabilit ies and t heir fixes. Wit h up- t o- dat e inform at ion, I T m anagers can inst it ut e a proact ive syst em for handling vulnerabilit ies in t heir respect ive ent erprise net working environm ent s. Carnegie- Mellon's CERT/ Coordinat ion Cent er ( CC) is fast becom ing t he de fact o st andard for incident t racking, alert s, and report ing on vulnerabilit ies, m ainly because of it s obj ect ive, unbiased handling of securit y event s. Since being com m issioned for operat ion by t he Defense Advanced Research Proj ect s Agency ( DARPA) in 1988, CERT/ CC has handled m ore t han 35,000 com put er securit y incident s and has received m ore t han 2,000 vulnerabilit y report s. CERT/ CC publishes securit y inform at ion prim arily t hrough advisories, incident and vulnerabilit y not es, and sum m aries. The bullet ins and advisories are dissem inat ed t hrough e- m ail received from free subscript ions, Usenet newsgroup bullet in boards, and t he CERT/ CC sit e at www.cert .org. For m ore inform at ion on how vulnerabilit y report ing and analysis are handled, go t o ht t p: / / www.cert .org/ m eet _cert / m eet cert cc.ht m l. SANS I nst it ut e is anot her excellent freeware source for vulnerabilit y alert s; ot her securit y services, however, are provided at a reasonable fee. Like CERT/ CC alert s, SANS I nst it ut e's Resources alert s provide st ep- by- st ep inst ruct ions on how t o handle current net work securit y t hreat s, vulnerabilit ies, and relat ed problem s. SANS I nst it ut e offers " Securit y Alert Consensus," a weekly com pilat ion of alert s from m any accredit ed sources. Alert s and incident report s are com piled from SANS, CERT/ CC, t he Global I ncident Analysis Cent er, t he Nat ional I nfrast ruct ure Analysis Cent er, NTBugt raq, t he DoD, and several com m ercial vendors. Most of t hese sources have t heir own individual sit es t hat can be accessed direct ly. For exam ple, NT securit y alert s can be accessed from www.NTBugt raq.com . However, t hrough t he SANS service, a subscriber can receive sum m ary alert s t hat are t ailored t o t he needs of his or her part icular environm ent . Com m ercial sit es wort h m ent ioning are Sym ant ec's SWAT, I nt ernet Securit y Syst em 's X- Force, and Microsoft 's securit y bullet in sit es; all offer a variet y of inform at ion on syst em vulnerabilit ies, securit y art icles, and recent developm ent s. The sit es also provide a library and allow free subscript ions by regist ering at t he sit e. This result s in placem ent of subscribers on t he sit es' m ailing list s.

As a recom m ended pract ice, I T securit y specialist s should regist er wit h t he Microsoft sit e t o receive securit y bullet ins, especially if t heir net working resources include Microsoft plat form s. Securit y bullet ins are provided for all Microsoft 's flagship product s, including such Web soft ware as I I S and I nt ernet Explorer. Microsoft securit y bullet ins can be obt ained at ht t p: / / www.m icrosoft .com / t echnet / securit y/ bullet in/ . Sym ant ec's and I SS's sit es can be accessed at www.sym ant ec.com / swat / and ht t p: / / xforce.iss.net / alert s/ , respect ively.

Conducting Vulnerability Analysis Vulnerabilit y analysis t ools generat e a snapshot of t he securit y st at us of a net work or a host . I n addit ion t o providing an exhaust ive search of known vulnerabilit ies, t hese t ools enable securit y st aff t o check for problem s st em m ing from hum an error or t o assess host syst em s for com pliance wit h t he ent erprise's securit y policy. Vulnerabilit y assessm ent s t ypically proceed in t he following way: 1. A part icular range of syst em at t ribut es is sam pled. 2. The result s of t he polling are st ored in t he t ool's dat a reposit ory. 3. The collect ed inform at ion is organized and com pared t o t he int ernal library of hacker t echniques provided by t he vulnerabilit y t ool. A host assessm ent t ool, for exam ple, com pares gat hered inform at ion against a specified set of rules t hat represent t he securit y policy of aut horized or allowable user act ivit y. 4. Any m at ches or variances t o t he rule set s are ident ified and list ed in a report . Vulnerabilit y analysis t ools are of t wo m aj or t ypes. One cat egory defines t he t ool by t he locat ion from which assessm ent inform at ion is gat hered. This schem e refers t o eit her net work- based or host - based t ools and is t he classificat ion t hat popular com m ercial and freeware t ools are built around. The second, som ewhat abst ract , cat egory defines t he t ool by t he assum pt ions regarding t he level of t rust invest ed in t he t ool. Tools in t his cat egory are said t o be eit her credent ialed or noncredent ialed. These t ools incorporat e and provide t he opt ion t o use syst em credent ials, such as passwords or ot her aut hent icat ion t echniques, t o access int ernal syst em resources. The discussion in t his book applies t o net work- based or host - based vulnerabilit y syst em s only.

Network-Based Vulnerability Analysis Net work- based vulnerabilit y scanners reenact net work at t acks and record t he responses t o t hose at t acks and/ or probe various t arget s t o det erm ine whet her weaknesses exist . Net work- based assessm ent t ools are an act ive defense m echanism ; during t he analysis, t he syst em is act ively at t acking or probing t he t arget ed net working segm ent . The t echniques t hese syst em s use during t he assessm ent are eit her t est ing by exploit or inference m et hods. Test ing by exploit involves launching a series of individual at t acks in search of known vulnerabilit ies. I f an at t ack is successful, t he out com e is flagged and t he result included in subsequent report ing. I nference m et hods don't at t em pt t o exploit vulnerabilit ies. I nst ead, t he syst em looks for evidence t hat successful breaches leave behind. Exam ples of inference m et hods

include checking for port s t hat are open, syst em version num bers t hat illicit queries m ight check, or request s t hat seek syst em st at us and relat ed inform at ion. Net work- based scanners provide t wo m aj or st rengt hs: ( 1) cent ralized access t o t he securit y short com ings and issues of t he ent erprise net work and ( 2) a net workorient ed view of t he ent erprise's securit y risks. The first area of st rengt h— cent ralized access t o t he securit y short com ings and issues of t he ent erprise net work—includes • • •

Discovery of all operat ing syst em s and services t hat run and/ or exist in t he net working environm ent , as well as det ailed list ings of all syst em user account s found t hrough st andard net work resources. Such net work obj ect s are t est ed for vulnerabilit ies. Det ect ion of unknown or unaut horized devices and syst em s on a net work, which furt her allows discovery of unknown perim et er point s on t he net work. This is inst rum ent al in det erm ining whet her unaut horized rem ot e access servers are being used or connect ions m ade t o an insecure ext ranet . Ease of im plem ent at ion and use, because no com panion soft ware is required on t he host syst em s t hat com prise t he net work.

The second area of st rengt h—a cent rist view of t he securit y risks of t he ent erprise's net work—include •

• • •

The abilit y t o evaluat e net work vulnerabilit ies on t he fly by reenact ing t echniques t hat int ruders use t o exploit net works from rem ot e locat ions. I nvest igat ion of pot ent ial vulnerabilit ies in net work com ponent s, such as operat ing syst em s, relat ed syst em services and daem ons, and net work prot ocols, especially t hose t hat are popular t arget s, such as DNS or FTP servers. The m eans t o assess crit ical net work devices t hat are incapable of support ing host - scanning soft ware. This refers t o such devices as rout ers, swit ches, print ers, rem ot e access servers, and firewall appliances. Post cert ificat ion of host s t hat have been hardened and/ or locked down t hrough proact ive securit y m easures. This process involves t est ing of crit ical syst em s, such as file, dat abase, Web, DMZ, applicat ion servers, and securit y host s, such as firewalls. I t also involves t est ing for configurat ion errors t hat would render t hese servers likely t o int ruder at t acks.

Alt hough net work- based scanners are effect ive securit y t ools, a few caveat s are in order. Cert ain net work- based checks, such as t hose for denial- of- service, can crash t he syst em . Therefore, t est s should be conduct ed in off- peak hours t o m inim ize disrupt ion t o t he net work. These scanners are also plat form independent but less accurat e and subj ect t o m ore false alarm s. Furt herm ore, when net work- based assessm ent s are conduct ed, t he I DSs can block subsequent assessm ent s.

Host-Based Vulnerability Analysis Host - based vulnerabilit y syst em s det erm ine vulnerabilit y by evaluat ing low- level det ails of an operat ing syst em , file cont ent s, configurat ion set t ings, and specific services. Host - based vulnerabilit y syst em s at t em pt t o approach a syst em from t he perspect ive of a local user on t he syst em . The obj ect ive is t o isolat e user act ivit ies

t hat creat e securit y risks in t he host . The vulnerabilit ies t ypically revealed by host based assessm ent involve users' gaining increasing or escalat ing right s and privileges unt il a superuser st at us is achieved. I n UNI X syst em s, t his would be a root com prom ise. I n NT or Windows 2000 syst em s, t his would signify illegally at t aining syst em adm inist rat or st at us. Host - based syst em s help ensure t hat a syst em is properly configured and vulnerabilit ies pat ched so t hat a local user does not gain privileges t hat he or she is not ent it led t o own, such as adm inist rat or or root privileges. The st rengt h of host based vulnerabilit y scanners can be divided int o t hree m ain areas: ident ificat ion of risky user act ivit y, ident ificat ion of successful hacker incursions, and recovery det ect ion of securit y problem s t hat are elusive t o net work scanners. I dent ificat ion of risky user behavior includes • • •

•

Violat ions—whet her int ent ional or not —of t he organizat ion's securit y policy. Select ion of easily guessed passwords or no passwords. Unaut horized sharing of a hard disk t hrough default set t ings—whet her int ended or not . Det ect ion of unaut horized devices, such as m odem s and relat ed soft ware, such as pcAnywhere. I t will also flag unaut horized use of rem ot e access servers t hat bypass t he ent erprise firewall.

I dent ificat ion of successful hacker exploit s and recovery includes • • •

Discovering suspicious file nam es, unexpect ed new files and file locat ions, and program s t hat m yst eriously gained root privileges. Det ect ing changes in crit ical syst em set t ings in, for exam ple, t he regist ry of Windows syst em s is anot her key feat ure. Act ive hacker act ivit y, such as sniffer program s, seeking passwords and ot her crit ical inform at ion or services, such as cert ain script s, backdoor program s, and Troj an horses. I t also checks for exploit s t hat would t ake advant age of buffer- overflow condit ions in t he host . For recovery, host - based scanners can creat e secure MD5 checksum s of syst em binaries t o allow securit y personnel t o com pare current files t o a secure baseline of MD5 checksum s creat ed earlier.

Securit y problem s t hat are elusive or difficult for net work- based scanners include • •

Perform ing resource- int ensive baseline and file syst em checks, which are not pract ical wit h net work- based vulnerabilit y t ools. This could pot ent ially require t he t ransfer of t he cont ent s of t he hard drive of each host on t he net work t o t he net work vulnerabilit y assessm ent engine. Ot her scanning t hat would be difficult for net work scanners t o perform include password guessing and policy checks, act ive file–share det ect ion, and search for password hash files.

The m ain short com ing of host - based scanners is t hat t heir operat ion depends on a close int erconnect ion wit h operat ing syst em s and t he relat ed applicat ions. Because of t he pot ent ial num ber of host s t hat m ay warrant an evaluat ion, host - based securit y assessm ent solut ions can be cost ly t o build, m aint ain, and m anage. Thus, as a recom m ended best pract ice, only m ission- crit ical host s should be scanned on a regular basis. Ot her, less crit ical syst em s should be sufficient ly hardened and kept

up- t o- dat e wit h securit y pat ches and revisions. A random sam pling of host assessm ent s can t hen be periodically init iat ed t o ensure t hat vulnerabilit ies are cont rolled and m inim ized. I n sum m ary, vulnerabilit y assessm ent syst em s can reliably spot changes in t he securit y st at us of net work syst em s, affording securit y st aff an effect ive rem ediat ion t ool. Specifically, t hese syst em s enable your securit y st aff t o recheck any m odificat ions t o net work syst em s and vulnerabilit ies t hat exist from an oversight in syst em set up. This ensures t hat resolving one set of problem s does not in t urn creat e anot her set . Vulnerabilit y assessm ent syst em s are inst rum ent al in docum ent ing t he st at e of securit y at t he st art of a securit y program or reest ablishing t he securit y baseline whenever m odificat ions t o t he ent erprise net work occur. Finally, when using t hese syst em s, organizat ions should m ake cert ain t hat t he syst em s t hat require t est ing are lim it ed t o t hose wit hin t heir polit ical or m anagem ent cont rol. Privacy issues m ust be t aken int o account , especially when t he personal inform at ion of em ployees or cust om ers is included in t he inform at ion asset s t hat are assessed for vulnerabilit ies.

Chapter 13. Risk Management Risk m anagem ent is an essent ial t ool for business m anagers in prot ect ing ent erprise asset s, especially in such funct ional areas as finance, m anufact uring, and invent ory cont rol. I ndeed, t he concept of risk m anagem ent is not unique t o t he I T environm ent . I f t he goal is prot ect ing t he asset s of t he organizat ion, if not t he organizat ion it self, inform at ion and I T plat form s have becom e crit ical, valuable asset s t hat t oo m ust be prot ect ed t o m eet t he m ission of t he organizat ion. I n t oday's I nt ernet econom y, m any of t hese I T asset s are open t o business part ners, cust om ers, suppliers and prospect s, m aking t he goal of prot ect ing t he m ission especially challenging. This chapt er explores guidelines for applying risk m anagem ent concept s and pract ices t o m anaging securit y risks t o t he I T environm ent . I f you are t he I T syst em owner responsible for m eet ing t he ent erprise's m ission and your inform at ion syst em has been opened t o valued cust om ers, suppliers, and/ or part ners, you will find t he discussion in t his chapt er quit e useful. The obj ect ive of t his chapt er is t o ult im at ely assist you in m aking well- inform ed risk m anagem ent decisions. The goal is t o also provide you wit h a t ool t hat is t radit ionally used in t he decision- m aking process by your count erpart s in ot her funct ional business areas.

The Role of Assessment in Risk Management What is t he risk m anagem ent process for I T securit y of net work operat ions and funct ions? I n general, risk m anagem ent is a process t hat enables ent erprise m anagers t o balance operat ional and econom ic cost s of prot ect ive syst em s wit h t he desired gain in m ission effect iveness. For I T securit y, risk m anagem ent involves t he abilit y t o balance t he cost of prot ect ive securit y m easures against t he risks t o t he I T syst em . I T syst em s st ore, process, and t ransm it m ission inform at ion. The risk m anagem ent process m ust necessarily t ake t his int o account and seek a workable balance bet ween t he cost s of count erm easures and t he risks t hat t hreat en t he inform at ion syst em . No risk m anagem ent funct ion can elim inat e every risk t o t he inform at ion syst em . But wit h t he appropriat e applicat ion of risk m anagem ent pract ices during t he I T syst em 's life cycle, risks wit h a high likelihood of occurring can be properly priorit ized and addressed such t hat residual risk is accept able t o t he overall m ission. A key com ponent in risk m anagem ent is risk assessm ent , t he m ost crit ical phase in ident ifying and handling risks t hroughout t he life cycle of an inform at ion syst em . The m ain benefit of risk assessm ent is ident ifying and priorit izing risks relat ive t o t heir pot ent ial im pact t o t he m ission. Equally im port ant is select ing t he appropriat e securit y m easure t o m it igat e t he pot ent ial effect s of risks.

The Process of Risk Management What is risk? Risk is a funct ion of t he probabilit y of a securit y exploit and t he im pact t hat it would have on t he organizat ion's I T syst em and overall m ission. Two im port ant fact ors in underst anding risk assessm ent are t he probabilit y of t he securit y event and t he im pact of t he event on t he ent erprise's m ission. To det erm ine

probabilit y, or likelihood, of securit y exploit at ion, pot ent ial t hreat s t o t he syst em should be analyzed in connect ion wit h t he known vulnerabilit ies in t he syst em . To det erm ine t he im pact of securit y exploit s, crit ical elem ent s of t he syst em m ust be assessed t o appreciat e t he pot ent ial im pact on t he m ission. These t wo fact ors can also be described as t hreat analysis and im pact analysis, respect ively. Before any t hreat or im pact analysis can be perform ed, however, t he syst em m ust be defined, or charact erized, t o provide t he necessary scope of t he risk m anagem ent effort . Several guidelines and relat ed it em s geared t o set t ing t he boundary of t he I T syst em for t he risk m anagem ent act ivit y follow, along wit h a com plet e review of t hreat and im pact analysis.

Defining the System Boundaries Defining t he syst em boundaries est ablishes t he scope of t he risk m anagem ent effort . I n addit ion t o providing an underst anding of t he ent erprise's m ission and syst em operat ions, t his st ep provides inform at ion t hat is essent ial t o defining t he risk. This st ep also provides an underst anding of t he nat ure of t he m ission im pact as reflect ed t hrough t he inform at ion syst em and enables t he dem arcat ion of t he syst em . For exam ple, inform at ion t o gat her for syst em charact erizat ion includes • • • • • • • • • •

The ent erprise's m ission Syst em processes Funct ional requirem ent s of t he syst em Syst em securit y requirem ent s The user com m unit y The I T securit y policy The syst em operat ing environm ent The physical locat ion St orage requirem ent s I nform at ion flows

Once t he syst em has been charact erized and boundaries ident ified, t he crit ical resources and inform at ion t hat const it ut e t he syst em are det erm ined, com plet ing t he playing field of t he risk m anagem ent effort . The inform at ion resources or asset s can be classified as • • • • •

The infrast ruct ure of t he inform at ion Mission hardware Specific inform at ion asset s and relat ed dat a Syst em and applicat ion int erfaces and result ing connect ivit y Syst em , adm inist rat ive, and user com m unit ies

Threat Analysis Threat analysis is t he process of det erm ining t he likelihood, or pot ent ial, t hat a t hreat source will successfully exploit a known vulnerabilit y. To conduct a t hreat analysis properly, I T securit y m anagers should consider four im port ant areas: t hreat sources, vulnerabilit ies, exist ing cont rols, and probabilit y. Then t he likelihood t hat a t hreat will exercise a known vulnerabilit y can be det erm ined. Not e t hat wit hout a vulnerabilit y t o be exploit ed, a t hreat source does not pose a risk. This underscores

t he im port ance of cont rolling t he incidence of vulnerabilit ies in t he ent erprise inform at ion syst em . Th r e a t Sour ce I de n t ifica t ion For our purposes, a t hreat is a funct ion of t he pot ent ial for a t hreat source t o int ent ionally exploit or accident ally t rigger a known vulnerabilit y, result ing in unaut horized access t o t he ent erprise net work. A t hreat source, on t he ot her hand, is any circum st ance or event wit h t he pot ent ial t o adversely im pact an inform at ion syst em . Threat sources are t ypically cat egorized as nat ural, hum an, and environm ent al. All t hreat sources should be assessed for t heir pot ent ial t o cause harm t o t he syst em . But obviously, hum an t hreat sources in t he form of hackers, crackers, and unt rust wort hy em ployees com m and m uch of t he concern and at t ent ion of I T securit y m anagers. Environm ent al and nat ural t hreat sources are oft en caused by nat ure and are accident al or are occasionally caused by int ent ional circum st ances, which are largely unpredict able. But in t he final analysis, t hese t ypes of t hreat sources can cause as m uch dam age as hum an sources. However, t he probabilit y of your I T syst em 's being harm ed from nat ural and environm ent al sources is m inim al com pared t o t he raw num bers of pot ent ial hum an t hreat sources in t he wild and from wit hin your own net works. H u m a n Thr e a t Sou r ce s Cert ain cont ribut ing fact ors t o hum an t hreat sources are not relevant t o t he ot her t hreat sources. I n order for a hum an t o qualify as a valid t hreat source, m ot ivat ion, and especially resources, m ust also be at t heir disposal. As you know, at t acks can be eit her deliberat e or unint ent ional. I nt ent ional at t acks are usually designed t o gain illegal net work ent ry for t he purpose of com prom ising a net work's int egrit y, confident ialit y, or availabilit y. Unint ent ional incursions could also result in a com prom ised net work, because once illegal access is gained, t he perpet rat or m ay decide t o have a lit t le fun. The at t ack could also be benign, m eaning t hat t here is no physical com prom ise t o inform at ion, or t he at t ack was launched t o circum vent securit y m easures, for exam ple. Table 13- 1 provides an overview of t he various hum an t hreat sources, t heir m ot ivat ions for at t acking you, and t he m eans by which t he at t ack m ight be carried out . How any one of t he forgoing individual at t ackers becom es int erest ed in a pot ent ial t arget depends on m any fact ors. This is where t he result s of your syst em charact erizat ion act ivit y com e int o play. Using t hat inform at ion, ident ify which t hreat source m ay apply t o each of t he syst em resources, asset s, applicat ions, physical locat ions, connect ions, subnet s, and so on. For exam ple, you m ay det erm ine t hat t he Web server on your ext ernal DMZ caches and t em porarily st ores credit card inform at ion of your client s for a cert ain period of t im e. The part icular way t hat your server is configured creat es a vulnerabilit y t hat can com prom ise t his financial dat a by bot h cracker and possibly crim inal t hreat sources. Making t his t hreat source associat ion for each of t he int egral com ponent s of your net work, you can derive a precise m apping of how t he individual areas of your net work can be com prom ised by pot ent ial t hreat sources. Once t his list of t hreat agent s is com piled relat ive t o t he elem ent s produced by your syst em det erm inat ion/ charact erizat ion, you should develop a reasonable est im at e of t he resources and capabilit ies needed t o succeed in an at t ack. To give you an idea, t his est im at e m ay require t he use of a connect ion

int o t he syst em , using aut om at ed t ools t o init iat e t he at t ack. Or, it could require reliance on insider inform at ion of syst em weaknesses t hat are not generally known.

Ta ble 1 3 - 1 . H u m a n Th r e a t Sou r ce s Sou r ce

M ot iva t ion

At t a ck M e t h od

Hacker, cracker

Ego, challenge, rebellion, or grat ificat ion in wreaking m aliciousness

I nt rusion or unaut horized syst em access

Crim inal

Monet ary gain, illegal disclosure of inform at ion, t heft of financial inform at ion, and unaut horized dat a m odificat ion

I nt rusion or fraud

Terrorist

Dest roy inform at ion, exploit and/ or blackm ail

I nt rusion and relat ed it , syst em incursions

I nt ernal sabot eur/ int ruder

Financial gain, revenge, capt uring int elligence

or Abuse, int rusion, and unaut horized access

One of t he crit ical requirem ent s in t hreat analysis is t o t ry and m aint ain an up- t odat e list of t hreat sources. This inform at ion is readily available and can be obt ained from m any governm ent and privat e- sect or organizat ions. Good governm ent sources include t he FBI 's Nat ional I nfrast ruct ure Prot ect ion Cent er ( NI PC) and Federal Com put er I ncident Response Cent er ( FedCI RC) . Addit ional references for pot ent ial t hreat sources are given in Chapt er 12. Vu lne r a bilit y An a lysis The next st ep in t hreat analysis is vulnerabilit y analysis. The obj ect ive of t his st age is t o develop a list of syst em flaws and weaknesses t hat could be exploit ed by pot ent ial t hreat sources. Not e t hat a t hreat source does not pose a risk wit hout an associat ed vulnerabilit y t o exploit . The purpose of t his st ep is t o syst em at ically evaluat e t he t echnical and nont echnical weaknesses associat ed wit h t he net work. I n addit ion t o using scanners t o gat her inform at ion and assess vulnerabilit ies, t hey can be ident ified t hrough sit e surveys, st aff int erviews, and available syst em and relat ed docum ent at ion. The available docum ent at ion m ay vary, depending on t he st at e of t he syst em . For inst ance, if t he syst em is in design phase, focusing on securit y policies, procedures, and syst em requirem ent definit ions can ident ify vulnerabilit ies. I f t he syst em is in im plem ent at ion st age, t he search should include syst em design docum ent at ion. I f t he syst em is operat ional, your search t o pinpoint vulnerabilit ies should include analyzing t he exist ing securit y m easures t o det erm ine whet her t he cont rols in use are effect ive and ult im at ely able t o m it igat e risk.

Vulnerabilit y analysis at t em pt s t o ident ify and t o assess t he level of vulnerabilit ies on ent erprise net works and t he pot ent ial for t heir being exploit ed. A flaw is unlikely t o be exploit ed if t here is im pot ent t hreat source int erest and capabilit y or effect ive securit y cont rols in place. For a det ailed review of vulnerabilit y analysis and m anagem ent , refer t o t he Chapt er 12. Con t r ol Ana lysis I n t his st ep, t he focus t urns t o assessing t he effect iveness of securit y cont rols t hat are im plem ent ed in response t o t he securit y requirem ent s m andat ed by t he syst em . The obj ect ive is t o ascert ain whet her t he securit y requirem ent s, which are generally ident ified during syst em charact erizat ion, are being sufficient ly addressed. The out com e is t o det erm ine what at t ribut es, charact erist ics, set t ings, and relat ed feat ures do not sat isfy desired securit y cont rol requirem ent s. Then t he necessary rem ediat ion can be init iat ed t o bring t he syst em int o equilibrium . Securit y cont rols can be classified int o t hree m ain cat egories: t echnical cont rols, operat ional cont rols, and m anagem ent cont rols. All are designed t o prevent , det ect , or recover from a securit y breach. • •

Technical securit y cont rols are m easures t hat are incorporat ed int o t he net work archit ect ure. Specifically, t hey are im plem ent ed at t he hardware, soft ware, or perhaps firm ware levels. Exam ples are ant ivirus soft ware, firewalls, st rong aut hent icat ion, Tripwire, and encrypt ion. Operat ional cont rols are t hose best pract ices, procedures, personnel, and physical m easures inst it ut ed t o provide an appropriat e level of prot ect ion for securit y resources. Exam ples are securit y awareness and t raining, securit y reviews and audit s, and securit y plans, such as disast er recovery, cont ingency, and em ergency plans.

Ot her securit y cont rols are designed t o support prim ary securit y syst em s. For exam ple, crypt ography is used in support of user aut hent icat ion syst em s or virt ual privat e net works. Managem ent cont rols are sim ply t hose t hat enable ent erprise decision m akers t o m anage securit y and t he risks t hat t hreat en securit y. Exam ples of m anagem ent cont rols include t he policies, guidelines, procedures, and enforcem ent provided t hrough t he I T securit y policy, access cont rols, syst em securit y plan, and risk assessm ent . The m ost im port ant aspect of m anagem ent cont rols is ensuring t hat t he securit y procedures t hat are vit al t o t he success and m ission of t he ent erprise are execut ed in conj unct ion wit h m anagem ent 's securit y direct ives. I n essence, m anagem ent cont rols provide t he foundat ion from which t he ent erprise builds it s holist ic securit y apparat us. For t his reason, t hey m ust necessarily be com prehensive. Therefore, t he areas you should explore when devising your cont rols include ent erprise securit y policies and plans, syst em operat ing procedures, syst em securit y specificat ions, and indust ry st andards and best pract ices. Pr oba bilit y D e t e r m ina t ion The final st ep in t hreat analysis involves det erm ining t he likelihood t hat a given t hreat source exploit s a known vulnerabilit y. This is accom plished by deriving an overall likelihood rat ing. Fact ors t hat govern t hreat probabilit y are t hreat source

m ot ivat ion and associat ed capabilit y, t he nat ure of t he vulnerabilit y, and t he effect iveness of current securit y cont rols. The likelihood t hat a vulnerabilit y will be exploit ed by a given t hreat source is described as high, m oderat e, or low. •

•

•

High: The t hreat source is highly m ot ivat ed and equally capable. Securit y cont rols t o prevent t he vulnerabilit y from being exploit ed are ineffect ive. Moderat e: The t hreat source is m ot ivat ed and capable from a resources st andpoint . However, securit y m easures in place will prevent t he exercise of t he vulnerabilit y. Or, t he t hreat source lacks t he m ot ivat ion or is only m arginally capable of exploit ing t he vulnerabilit y in quest ion. Low: The t hreat source lacks eit her t he m ot ivat ion or t he capabilit y, or cont rols exist t o prevent or significant ly curt ail t he exploit at ion of t he vulnerabilit y.

Com plet ing t his st ep successfully concludes t hreat analysis, yielding t he crit ical assessm ent t hat reveals t he likelihood t hat pot ent ial t hreat sources will breach cert ain vulnerabilit ies in your net work. Com plet ion of t his st ep concludes a crit ical com ponent of risk assessm ent . The rem aining part , im pact analysis, is discussed next .

Impact Analysis I m pact analysis, t he next m aj or st ep in risk assessm ent , used m ainly t o det erm ine t he result ing im pact on t he m ission in t he event t hat a t hreat source successfully breaches a known vulnerabilit y. I m pact s t o t he I T syst em or ult im at ely t o t he m ission of t he ent erprise can be qualified wit h eit her quant it at ive or qualit at ive out com es. Quant it at ive out com es are m easured in lost revenue, cost of syst em repairs, or rem ediat ion. Whenever possible, your analysis should at t em pt t o quant ify t he im pact s of pot ent ial incursions. Qualit at ive out com es express im pact s t o t he m ission in t erm s of eit her t he loss or t he degradat ion of desired goals of I T securit y, such as int egrit y, availabilit y, confident ialit y, and account abilit y. Cust om ary pract ice involves using a rat ing scale t o classify t he pot ent ial im pact s t o t he I T syst em . For exam ple, t he following rat ing syst em could be used t o m easure syst em im pact s qualit at ively. • • • •

Crit ical im pact : An at t ack result s in unavailabilit y, m odificat ion, disclosure, or dest ruct ion of valued dat a or ot her syst em asset s or loss of syst em services, owing t o a disast rous im pact wit h nat ional im plicat ions and/ or deat hs. High im pact : The t hreat result s in unavailabilit y, m odificat ion, disclosure, or dest ruct ion of valued dat a or ot her syst em asset s or loss of syst em services, owing t o an im pact causing significant degradat ion of m ission or possible st aff inj uries. Moderat e im pact : The breach result s in discernible but recoverable unavailabilit y, m odificat ion, disclosure, or dest ruct ion of dat a or ot her syst em asset s or loss of syst em services, owing t o an im pact result ing in a t ransit ory adverse im pact t o t he ent erprise m ission but no inj ury t o persons. Low im pact : The incursion result s in unavailabilit y, m odificat ion, disclosure, or dest ruct ion of dat a or degradat ion of syst em services but does not cause a significant m ission im pact or inj ury t o persons.

Measuring t he im pact of a successfully launched at t ack should be assessed in eit her quant it at ive—t he preferred m anner—or qualit at ive t erm s. But what are t he advant ages and disadvant ages of each? One advant age of t he qualit at ive im pact analysis is it s abilit y t o provide a relat ive priorit izat ion of t he risks and t o ident ify crit ical areas for rem ediat ion of vulnerabilit ies. One disadvant age is t hat specific quant ifiable m easurem ent s are not at t ainable, t hus creat ing a significant barrier t o preparing cost - benefit analysis for desired securit y cont rols. I n cont rast , quant it at ive im pact analysis facilit at es cost - benefit analysis because t he m agnit ude of t he im pact can be m easured—for exam ple, in dollars and cent s—and incorporat ed in t he cost - benefit j ust ificat ion for desired securit y cont rols. One disadvant age, however, is t hat if a quant ifier ot her t han cost is used, t he specific m eaning of t he quant ificat ion m ay be unclear. Therefore, t he result ing int erpret at ion m ay by default becom e qualit at ive in nat ure. More im port ant , if t he quant it at ive values derived are t he product of subj ect ive j udgm ent s, which is t oo oft en t he case, t he use of quant it at ive fact ors is a m ask for qualit at ive result s. The following guidelines m ay assist you in quant ifying t he m agnit ude of an im pact : •

• •

An est im at e of t he frequency of a part icular t hreat source exercising vulnerabilit ies over a cert ain int erval of t im e, such as one quart er. A reasonable cost est im at e of each pot ent ial occurrence of a securit y event . A weight ed fact or based on a subj ect ive analysis of t he relat ive priorit y of t he likelihood of specific securit y event s. For exam ple, given a high likelihood t hat a t hreat source will exploit a vulnerabilit y, t he weight ed fact or could be 6. I f t he event is m oderat e, t he fact or m ight be 4.

Risk Determination The final det erm inat ion of risk can be achieved by com bining t he rat ings derived from bot h t hreat analysis and im pact analysis int o one overall risk t able ( see Table 13- 2) . For exam ple, if a t hreat source is highly likely t o exploit a given vulnerabilit y, t he source is m ot ivat ed and capable, and t he out com e of such a breach would have a crit ical im pact on t he organizat ion, t he overall risk t o t he organizat ion is crit ical.

Ta ble 1 3 - 2 . Le ve l of Risk D e t e r m in a t ion Likelihood of Threat Occurrence I m pact

High

Moderat e

Low

Crit ical

Crit ical

High

Moderat e

High

High

Moderat e

Low

Moderat e

Moderat e

Moderat e

Low

Low

Low

Low

Low

Summary Risk assessm ent is t he cornerst one of risk m anagem ent . When you are able t o m ap all risk t o t he I T syst em and ult im at ely t o t he m ission t o a level of risk det erm inat ion, t he result leads t o an underst anding of how t he pot ent ial exploit at ion of each risk will im pact t he organizat ion's m ission. I f t he overall effect s of risks are det erm ined t o be high or crit ical, t he necessary st eps should be t aken t o m it igat e such risk at t he organizat ion's earliest convenience. On t he ot her hand, risks wit h overall effect s rat ed as m oderat e t o low can be deem ed accept able, requiring lit t le or no response from m anagem ent . The discussion in t his chapt er, one could say, is purely academ ic. However, if t he concept s are applied t o real- world circum st ances, t he crit ical challenges in applying risk assessm ent t echniques on a regular basis lie in t wo areas in t he overall process. One crit ical challenge is developing a realist ic est im at e of t he resources and capabilit ies t hat m ay be required t o carry out an at t ack. Assessing t he capabilit y of a t hreat source is an ext rem ely im port ant stage in t hreat analysis. I f t he necessary due diligence is not devot ed t o at t aining accurat e inform at ion relat ive t o at t ack capabilit y, t he effect iveness of t he assessm ent is considerably com prom ised. The ot her crit ical challenge involves quant ifying t he im pact of an exploit ed vulnerabilit y. Again, if t he quant ificat ion m easurem ent t hat you use is not realist ic, m anagem ent m ay have a t ough t im e accept ing t he recom m endat ions of your risk assessm ent . Finally, once risks are det erm ined, t he appropriat e st eps should be t aken against unaccept able risk. For an excellent discussion on how t o m it igat e unaccept able risk and t o conduct a cost - benefit analysis t o j ust ify acquisit ion of relat ed securit y count erm easures, refer t o t he " Risk Managem ent Guide," NI ST Special Publicat ion 800- 30, which can be downloaded from t he NI ST ( Nat ional I nst it ut e of St andards and Technology) Web sit e at www.NI ST.gov.

Appendix A. SANS/FBI Top 20 Internet Security Vulnerabilities

Cert ain host scanners such as Sym ant ec's Ent erprise Securit y Manager ( ESM) , are able t o audit syst em s t o t est for vulnerabilit ies provided by t he SANS/ FBI Top 20 list . The purpose of t his list is t o m ake recom m endat ions for what a host scanner t est should look for regarding each vulnerabilit y. The vulnerabilit ies on t his list have been prevalent for som e t im e.

Top Vulnerabilities That Affect All Systems (G) • •

• • • •

•

G1: Default inst alls of operat ing syst em s and applicat ions. OS configurat ions are audit ed by flagging unneeded services and services t hat are not pat ched, or up- t o- dat e. This provides com prehensive coverage of G1. G2: Account s wit h no passwords or weak passwords. Password st rengt h checking is an im port ant feat ure. A scanner will alert on m any different password set t ings, such as weak passwords t hat can be broken t hrough a brut e- force at t ack, weak password lengt h set t ings, password sam e as user nam e, password wit hout nonalphabet ic charact ers, weak password hist ory set t ings, and so on. I t could also ident ify dorm ant account s t hat should be rem oved. G3: Nonexist ent or incom plet e backups. Especially useful on NT and Windows 2000, a backup int egrit y feat ure for Windows NT and Windows 2000 ident ifies crit ical servers t hat are not backing up dat a on a regular basis. G4: large num ber of open port s. Host scanning can t ypically provide ext ensive discovery of net work services bound t o open port s. Securit y officers can specify forbidden and m andat ory services and audit each syst em against t hese st andards. Net work scanners also discover all open net work port s. G5: Not filt ering packet s for correct incom ing and out going addresses. Cert ain firewalls, such as Sym ant ec's Ent erprise Firewall, provide ingress and egress filt ering by default . G5 is a rout er and/ or firewall act ivit y. G6: Nonexist ent or incom plet e logging. An im port ant host - scanning funct ion. A host scanner provides ext ensive audit ing of each syst em 's audit able set t ings. Securit y officers can use cert ain scanners t o easily discover audit set t ings on all syst em s in t heir ent erprise. Granular audit set t ings can be discovered. G7: Vulnerable CGI program s. Usually checks t o see whet her I I S best pract ice policy passes audit of CGI direct ory perm issions, vulnerable CGI s and ot her script and execut able file vulnerabilit ies on I I S.

Top Vulnerabilities in Windows Systems (W) • • • •

W1: Unicode Vulnerabilit y ( Web Server Folder Traversal) . Test s for a I I S best pract ice policy t o see whet her audit ing for t his vulnerabilit y flags I I S Web servers t hat are not pat ched for t he problem . W2: I SAPI ext ension buffer overflows. Test s I I S best - pract ice policy t o see whet her audit ing for t his vulnerabilit y flags I I S Web servers t hat are not pat ched for t his problem . W3: I I S RDS Exploit ( Microsoft rem ot e dat a services) . Test s I I S best - pract ice policy for vulnerabilit y t o see whet her I I S Web servers t hat are flagged for not having pat ches for t his problem . W4: NETBI OS–unprot ect ed Windows net working shares. Test s for SMB vulnerabilit ies by list ing all shares for each syst em , shares t hat are

•

•

read/ writ able by everyone, all share perm issions, hidden shares, null session connect ions, and so on. W5: I nform at ion leakage via null session connect ions. Test for t he null session connect ion vulnerabilit y. W6: Weak hashing in SAM ( LM hash) . Test for weak LM hashing in it s Password St rengt h m odule and LM set t ings.

Top Vulnerabilities in UNIX Systems (U) • •

•

• •

• •

U1: Buffer overflows in RPC services. Test for vulnerable RPC services U2: Sendm ail vulnerabilit ies. Test all relat ed syst em s for vulnerable Sendm ail services. Som e scanners, such as ESM, have default t est ing facilit y built in. U3: BI ND weaknesses. Flags all syst em s t hat have vulnerable BI ND DNS services. U4: R com m ands. To ident ify t his vulnerabilit y, t est t he cont ent s of / et c/ host s.equiv or ^ / .rhost s for forbidden param et ers t hat would enable rcp, rlogin, and rsh. Det erm ines when rhost files are m odified, creat ed, or delet ed. U5: LPD ( Rem ot e Print Prot ocol Daem on) . Test t o det erm ine whet her LPD set t ings, such as whet her LPD services, are running, LPD user rest rict ions, LPD dash exploit , and syst em s running LPD services wit h no at t ached print ers. Test should also ident ify LPD services t hat are not at current pat ch levels. U6: Sadm ind and Mount d. Test for and ident ify all running forbidden sadm ind and m ount d services. I n addit ion, ident ify t he services t hat are not pat ched t o t he current level, using t he OS Pat ches m odule. U7: Default SNMP st rings. Look for all running SNMP services and audit t he services pat ch level. I n addit ion, det ect forbidden param et ers and blank param et ers wit hin t he SNMP configurat ion files. This vulnerabilit y should also be t est ed wit h a net work scanner.

Appendix B. Sample CERT/Coordination Center Incident Response Form

I ncident Report ing Form

Incident Reporting Form CERT/ CC has developed t he following form in an effort t o gat her incident inform at ion. I f you believe you are involved in an incident , we would appreciat e your com plet ing t he form below. I f you do not believe you are involved in an incident , but have a quest ion, send e- m ail t o: cert @cert .org. Not e t hat our policy is t o keep any inform at ion specific t o your sit e confident ial unless we receive your perm ission t o release t hat inform at ion. We would appreciat e any feedback or com m ent s you have on t his I ncident Report ing Form . Please send your com m ent s t o: cert @cert .org. Please subm it t his form t o: cert @cert .org. I f you are unable t o send e- m ail, fax t his form t o: 1 ( 412) 268- 6989.

Your contact and organizational information 1. Nam e: 2. Organizat ion nam e: 3. Sect or t ype ( such as banking, educat ion, inform at ion t echnology, energy or public safet y) : 4. Em ail address: 5. Telephone num ber: 6. Ot her:

Affected Machine(s) (duplicate for each host) 7. Host nam e and I P: 8. Tim e zone: 9. Purpose or funct ion of t he host ( please be as specific as possible) :

Source(s) of the attack (duplicate for each host) 10. Host nam e or I P: 11. Tim e zone: 12. Been in cont act ?: 13. Est im at ed cost of handling incident ( if known) :

14. Descript ion of t he incident ( include dat es, m et hods of int rusion, int ruder t ools involved, soft ware versions and pat ch levels, int ruder t ool out put , det ails of vulnerabilit ies exploit ed, source of at t ack, or any ot her relevant inform at ion) : Special perm ission t o use I ncident Report ing Form , © 2000 by Carnegie Mellon Universit y, is grant ed by t he Soft ware Engineering I nst it ut e. CERT and CERT Coordinat ion Cent er are regist ered in t he U.S. Pat ent and Tradem ark Office.

Appendix C. Windows 2000 Security/Hardening Plan The body of knowledge for im plem ent ing holist ic securit y m easures for Windows 2000 is growing and is readily available. Many organizat ions eit her have or int end t o m igrat e t o Windows 2000. The good news is t hat Windows 2000 has im plem ent ed pot ent ially excellent feat ures, such as t he adapt at ion of LDAP ( Light weight Direct ory Access Prot ocol) for t he new Act ive Direct ory. Windows 2000 also support s ot her st andards, such as Kerberos for user aut hent icat ion and I PSec for creat ing VPN t unnels. The bad news is t hat Windows 2000 has holes, as do ot her com m ercially and publicly available operat ing syst em s. For Windows 2000 securit y guidance and direct ion, go right t o t he source: Microsoft . To it s credit , Microsoft has im plem ent ed a com prehensive reposit ory of securit y guidelines and best pract ices t hat cover Windows 2000 im plem ent at ions. Technical docum ent s and whit e papers are available t o provide procedures and/ or st ep- by- st ep inst ruct ions about securit y m easures, best pract ices, and solut ions t o at t ain a safe com put ing environm ent . One such securit y docum ent is t he Securit y Operat ions Guide for Windows 2000 Server, which provides procedures for locking down t he Windows 2000 server t o m inim ize vulnerabilit ies, as well as best pract ices for effect ive m anagem ent and applicat ion of securit y pat ches. Guidelines for audit ing and int rusion det ect ion are also provided, t o round out t he in- dept h level of inform at ion available. The part ial guide is direct ly perusable and accessible from www.m icrosoft .com / securit y/ default .asp. A com plet e version of t he guide can be downloaded from www.m icosoft .com / downloads/ release.asp?releaseid= 37123. A wealt h of securit y inform at ion on an endless variet y of subj ect s can be obt ained from t he Windows 2000 Securit y sect ion, accessible as a m enu choice at t he t op of t he Web page of t he part ial guide. On t his part of t he sit e, you can find such docum ent s as • • • • • •

" Default Access Cont rol Set t ings in Windows 2000" " I P Securit y for MS Windows 2000 Server" " Secure Net working Using Windows 2000 Dist ribut ed Securit y Services" " Securing Act ive Direct ory" " Securing Windows 2000 Net work Resources" " St ep by St ep Guide t o Configuring Ent erprise Securit y Policies"

• • • • • • •

" St ep by St ep Guide t o I nt ernet Prot ocol Securit y ( I PSec) " " Single Sign On Windows 2000 Net works" " Windows 2000 Cert ificat e Services" " Windows 2000 Kerberos I nt eroperabilit y" " Windows 2000 Securit y Technical Overview" " Windows 2000 Server Baseline Securit y Checklist " Fort y addit ional docum ent s on a variet y of subj ect s, including PKI

To ensure obj ect ivit y, you m ay want t o consider t hird- part y com m ercial and freeware sources for providing Windows 2000 securit y. Sym ant ec has creat ed a com plem ent ary guide t o Microsoft 's Securit y Operat ions Guide, dem onst rat ing how t o use Sym ant ec's t ools t o im plem ent t he best pract ices described in t he Microsoft guide. The Sym ant ec docum ent can be downloaded free of charge from ht t p: / / securit yresponse.sym ant ec.com / avcent er/ securit y/ Cont ent / securit y.art icles/ se curit y.fundam ent als.ht m l. Also, t he NTBugt raq Web sit e is an excellent independent ly run source for obt aining relat ed inform at ion. Go t o ht t p: / / www.nt bugt raq.org ( Securit y Focus) t o obt ain Securing Windows 2000 Com m unicat ions wit h I P Filt ers. The sit e publishes such inform at ion on a periodic basis and t herefore is a reliable, ongoing source for obt aining crit ical securit y inform at ion.

Appendix D. Denial-of-Service Attacks Sm urf Bandwidt h SYN Flood St acheldraht Tribe Flood Net work ( TFN) Tribe Flood Net work 2000 Trinoo

Smurf Bandwidth I n a Sm urf, or I P direct ed broadcast , att ack, t he int ruder uses I CMP echo request packet s direct ed t o t he I P broadcast address of a part icular net work, which during t he at t ack becom es t he int erm ediary. I n addit ion t o t he int erm ediary and t he at t acker, t he ot her part y involved in t he at t ack is t he vict im . Because t he int erm ediary's net work is not a willing part icipant , t he int erm ediary t oo should be considered a vict im . I n a Sm urf at t ack, t he int ruder direct s an I CMP echo request packet t o t he I P broadcast address of t he int erm ediary's net work. The int ruder prefers net works t hat do not filt er out I CMP echo request packet s t hat are direct ed t o t he net work's I P

broadcast address. When t he host s receive t he I CMP echo request packet , t hey all prom pt ly respond wit h an I CMP echo reply packet at t he sam e t im e. The source address of t he original echo request packet has been spoofed or subst it ut ed wit h t he I P address of t he int ended vict im . Consequent ly, when t he host s respond back wit h echo reply packet s, t he response is direct ed t o t he host or host s on t he vict im 's net work. The vict im is bom barded wit h a t orrent of I CMP echo reply packet s. I f a large num ber of host s are involved, a considerable num ber of echo request and echo reply packet s will be creat ed on t he int erm ediary's and vict im 's net works, respect ively, as t he broadcast t raffic consum es all available bandwidt h. All t he DDoS at t ack t ools, except Trinoo, are capable of launching a Sm urf bandwidt h at t ack.

SYN Flood I n a SYN flood at t ack, t wo event s occur: The hacker spoofs, or fakes, t he source address and floods t he receiving applicat ions wit h a series of SYN packet s. I n response, t he receiving host originat es SYN- ACK responses for each SYN packet it receives. While t he receiving host wait s for t he ACK t o ret urn, all out st anding SYNACKs are queued up on t he receiving host 's backlog queue. SYN- ACKs accum ulat e unt il t he server's backlog queue fills up or unt il all available connect ions are exhaust ed. Each SYN- ACK will rem ain in t he queue unt il t he corresponding ACK com plet es t he sequence. However, because t he source I P addresses are spoofed, t he ACKs never com e. The SYN- ACKs would st ay on t he t arget ed applicat ion indefinit ely if not for a built - in t im eout m echanism t hat t erm inat es t he connect ion at t em pt s aft er a specified int erval of t im e. Usually, t hese t im eout m echanism s are lengt hy. Thus, before an at t acked or t arget host can address each SYN- ACK in t he backlog queue, a considerable am ount of t im e can t ranspire, all t he while denying SYN request s from legit im at e users. SYN- ACK at t acks are basic denial- of- service ( DoS) at t acks. DoS at t acks occur because t he at t acked host becom es consum ed or inundat ed wit h processing eit her useless session est ablishm ent or bogus dat a. I n t he case of a SYNACK DoS at t ack, t he host t ries t o respond t o bogus address dat a from illegit im at e sources wherein t he final ACK never com es. Therefore, request s t o est ablish com m unicat ion sessions by legit im at e users will be ignored by t he t arget host as long as it s backlog queue is full.

Stacheldraht I n St acheldraht , a UNI X- based DDoS at t ack t ool, t he m ast er program is cont ained in m serv.c ( m ast er server) , and t he daem on resides in leaf/ t d.c. St acheldraht report edly runs under Linux but not as cleanly as it does on Solaris UNI X. St acheldraht correct s one of TFN's glaring weaknesses. When t he at t acker com m unicat es wit h t he m ast er( s) , t he int eract ion is in clear t ext . I n response, t his at t ack t ool allows t he int ruder t o encrypt a TELNET- like connect ion int o t he m ast er program . I n cont rast t o Trinoo and TFN, which uses UDP, St acheldraht uses TCP and I CMP t o accom m odat e com m unicat ions bet ween m ast er and daem on. I n fact , t he daem on list ens for and responds t o inst ruct ions on TCP port 65000. When com m unicat ing wit h I CMP, inst ruct ions are im bedded in I CMP echo reply packet s. The int ruder uses encrypt ed TELNET sessions t o com m unicat e t o t he m ast er program on TCP port 16660.

Encrypt ion is also used bet ween t he m ast er and St acheldraht daem ons, som et im es referred t o as agent s. Aft er successfully connect ing t o t he m ast er, som et im es referred t o as a handler, t he int ruder is prom pt ed for a password. The default password is Sicken, which in t urn is encrypt ed wit h Blowfish, using t he pass phrase aut hent icat ion. All ensuing com m unicat ions bet ween t he handler and agent s are encrypt ed wit h t his Blowfish pass phrase. A St acheldraht m ast er or handler can cont rol up t o 1,000 agent s. As not ed, t he m ast er also com m unicat es wit h t he daem ons t hrough I CMP echo reply packet s. The I D fields in t he packet s are used for cert ain values, such as 666, 667, 668, and 669; t he dat a fields, for corresponding plaint ext expressions, such as skillz, ficken, and spoofworks. The com binat ion of I D values and dat a field values is used bet ween m ast er and daem on when t he daem on at t em pt s t o ident ify it s default handler or m ast er. For exam ple, if a handler's configurat ion file cont aining it s address is not found by t he fledgling daem on aft er com pile t im e, t he daem on reads and cont act s a list of default I P addresses of handlers, hard coded in it s file, t o find one t o cont rol it . Therefore, it will send a I CMP echo reply wit h 666 in t he I D field and skillz in t he dat a field t o t he default I P address of t he first handler on t he list . On receipt of t he packet , t he handler responds wit h an I CMP packet wit h 667 in t he I D field and ficken in t he dat a field. When a connect ion is m ade, t hey will periodically send 666–Skillz and 667–ficken packet s back and fort h t o keep in t ouch. St acheldraht 's scariest feat ure is it s abilit y t o regenerat e it self aut om at ically. Agent / daem on program s can be direct ed t o upgrade t hem selves on dem and by going t o a com prom ised sit e t o be replaced by a fresh copy of eit her a Linux or a Solaris version. The com m and for upgrading it self is .dist ro user server. St acheldraht has nearly four t im es t he num ber of com m ands—22, t o be exact —t han Trinoo for m anipulat ing t he at t ack and t he at t ack net work. I n general, at t acks can run for a specified durat ion from lit erally hundreds of locat ions against a t arget at one I P address or several over a range of I P addresses.

Tribe Flood Network (TFN) Hackers like t his DDoS t ool because it can generat e a variet y of DoS at t acks. I n addit ion t o a UDP flood, TFN is capable of generat ing a TCP SYN flood, an I CMP echo request flood, and an I CMP direct ed broadcast , or Sm urf bandwidt h at t ack. I n t he TFN net work, t he m ast er funct ions as t he client , and t he daem ons funct ion as servers. The m ast er com m unicat es wit h t he daem ons by using I CMP echo reply packet s. I CMP echo request s and echo replies are sent and received by t he ping com m and. I nst ruct ions t o t he daem ons are em bedded in t he I D fields and dat a port ion of t he I CMP packet s. Aft er inst ruct ions are received, t he daem ons generat e t he specified DoS at t ack against one or m ore t arget s. During t he at t ack, source I P addresses and source port s can be random ized and sizes of at t ack packet s varied. Recent versions of t he TFN m ast er m ay use t he encrypt ion algorit hm Blowfish t o hide t he list of I P addresses associat ed wit h it s daem ons.

Tribe Flood Network 2000 TFN2K, a descendant of TFN, operat es under UNI X- based syst em s, incorporat es I P address spoofing, and is capable of launching coordinat ed DoS at t acks. I t is also able t o generat e all t he at t acks of TFN.

Unlike TFN, t he TFN2K DDoS t ool also works under Windows NT, and t raffic is m ore difficult t o discern and filt er because encrypt ion is used t o scram ble t he com m unicat ions bet ween m ast er and daem on. More difficult t o det ect t han it s predecessor, TFN2K can m anufact ure " decoy packet s" t o nont arget ed host s. Unique t o TFN2K is it s abilit y t o launch a Teardrop at t ack. Teardrop t akes advant age of im properly configured TCP/ I P fragm ent at ion reassem bly code. I n t his sit uat ion, t his funct ion does not properly handle overlapping I P fragm ent s, result ing in syst em crashes. The TFN2K client can be used t o connect t o m ast er servers t o init iat e and t o launch various at t acks. Com m ands t o t he m ast er are issued wit hin t he dat a fields of I CMP, UDP, and TCP packet s. The dat a fields are encrypt ed using t he CAST encrypt ion algorit hm . Anot her feat ure of TFN2K is it s abilit y t o random ize t he TCP/ UDP port num bers and source I P addresses. The TFN2K m ast er parses all UDP, TCP, and I CMP echo reply packet s for encrypt ed com m ands. Unlike Trinoo, t he m ast er server does not require a default password from t he int ruder at com pile t im e. During t he at t ack, TFN2K enables t he int ruder t o cont rol at t ack param et ers t hrough it s encrypt ed com m and int erface. Am ong ot her capabilit ies, TFN2K com m ands enable at t ack launches, set t ing one or m ore t arget host s wit hin a range of I P addresses.

Trinoo One of t he m ost powerful DDoS at t ack packages is Trin00, or Trinoo. Trinoo dispenses a UDP flood consist ing of large UDP packet s t hat force t he at t acked host s t o respond wit h I CMP Port Unreachable m essages. I CMP is used t o det erm ine whet her a m achine on t he I nt ernet is responding. Ping uses I CMP t o check t he availabilit y of m achines and t he validit y of t he result ing connect ions. Preparing for an at t ack requires coordinat ion bet ween t he hacker, who becom es a client t o Trinoo's m ast er program ( s) , which funct ions as t he server, and Trinoo's daem ons, which also funct ion as client s. Launching t he at t ack is client / server funct ionalit y at it s best . The hacker, now an int ruder who has succeeded in infilt rat ing perhaps t housands of I nt ernet host s, connect s wit h t he m ast er program s t hrough TELNET or Net Cat . Generally, TELNET creat es a virt ual t erm inal t hat allows com put ers wit hout t he capabilit y t o connect t o I nt ernet host s. Net Cat is a ut ilit y t hat enables one t o read and writ e dat a, using arbit rary TCP and UDP port s. From an I nt ernet safe house, t he int ruder ent ers a password com m and via TELNET- TCP connect ion t hat st art s t he at t ack sequence. The default password, bet aalm ost done, t raverses TCP port 27665 of t he com prom ised host and init ializes t he m ast er program . I n Trinoo, t he m ast er program is cont ained in a file called m ast er.c, and it expect s a password before any com m unicat ions wit h t he int ruder can ensue. The m ast er is inst ruct ed t o begin preparat ion for t he at t ack. The broadcast , or t he program t hat generat es t he UDP packet s t hat cause t he flood, is com piled. The program code is cont ained in a file called ns.c and is com piled in t he host m achines t hat have been com prom ised by t he daem ons. Also during com pile m ode, t he daem ons hard code t he specific I P address of t he part icular m ast er t hat cont rols t hem . When done, t he daem ons send a UDP packet cont aining t he st ring " Hello" back t o t he m ast er t hrough UDP port 31335. ( Not e t hat t he int ruder—client —

com m unicat es wit h t he m ast er on TCP port 27665 and t hat t he daem on com m unicat es wit h t he m ast er on UDP port 31335.) The Hello packet regist ers t he com piled broadcast wit h it s respect ive m ast er. At t his point , all syst em s are ready. Think of t he broadcast as t he dam holding t he floodwat ers back. Trinoo provides six com m ands for t he int ruder t o cont rol and t o m anipulat e t he broadcast : t he im pending flood. The com m ands creat e t he size of t he UDP flood packet s, set t he t im ing of t he at t ack, check for t he readiness of t he floodgat es, t arget t he vict im ( s) , and rescind t he wat ers, or kill t he flood. For exam ple, t o check t he readiness of a broadcast , or daem on- cont rolled host poised for at t ack, t he int ruder inst ruct s t he m ast er t o send a ping, which is broadcast t o all t he daem ons it cont rols. The ping is received on UDP port 27444 and is accom panied by t he password png 144adsl. The daem ons confirm availabilit y by t ransm it t ing a pong back t o UDP port 31335 of t he com prom ised host cont aining t he m ast er program . Now t he int ruder can connect t o t he m ast er( s) and inst ruct t he daem ons t o send a UDP flood t o a specified t arget or t arget s. The com m and t he m ast er issues t o release t he floodgat es of t he broadcast against a single t arget is t he dos com m and— not t o be confused wit h t he I BM DOS com m and. The synt ax of t he at t ack is aaa l44adsl 10.1.1.1. To flood a list of t arget s, t he com m and used is m dos. I f you underst and t he underlying services and prot ocols Trinoo uses, you can gain insight int o it s charact erist ics. The int ruder com m unicat es wit h t he m ast er via t he t ransport m echanism TCP. This m akes sense because t he connect ion has t o be ensured and reliable, giving t he int ruder an advant age while t he at t ack is being planned and carried out . TCP ensures t he reliabilit y of dat a t hrough error recovery and connect ions t hat are est ablished by init ializing t he necessary port s. Besides, t he hacker's source I P address and port are spoofed, m asking his or her locat ion. I n cont rast , t he fact t hat t he m ast er and t he daem on com m unicat e via UDP is also no coincidence. UDP headers are only one t hird as large as TCP headers, so having lower overhead m akes det ect ion of UDP headers m ore difficult t han for TCP headers. Moreover, because UDP is connect ionless, m eaning t hat it does not hing t o ensure reliable dat a t ransfer or a com m unicat ions link, it 's underst andable why Trinoo uses ping t o verify t he availabilit y of daem ons. Various TCP/ I P services and prot ocols use ping t o verify connect ivit y. Furt herm ore, t he fact t hat Trinoo generat es a UDP flood shows how knowledgeable t he designers are about TCP/ I P and it s relat ed prot ocols. When TCP est ablishes a connect ion, it init ializes t he port required t o connect t o t he applicat ion in quest ion, at t he dest inat ion host . I n cont rast , UDP does not init ialize any port s at t he dest inat ion host , because it 's connect ionless. However, UDP headers do use dest inat ion port num bers and source port num bers. Here is where it get s really int erest ing. I CMP is t he default service t hat TCP/ I P uses when t he dest inat ion host m ust convey inform at ion, usually error condit ions, t o t he source host . So when UDP packet s reach a dest inat ion host t hat wasn't expect ing t hem , it m akes sense t hat t he dest inat ion host would respond wit h I CMP Port Unreachable m essages. UDP does not init ialize any port s, and when a host isn't expect ing UDP packet s, I CMP int ervenes, as it should. I n ot her words, t he Trinoo at t ack relies on inherent funct ionalit y, which in t his case involves t he diligence of I CMP and t he connect ionless nat ure of UDP. Recall t hat t he UDP flood is creat ed when t he syst em get s bogged down processing I CMP Port Unreachable error m essages in response t o an overwhelm ing volum e of UDP packet s. So what 's t he

point of all t his? Hacker t ools are well designed and conceived; consequent ly, t heir abilit y t o infilt rat e your net work should never be t aken for grant ed.

Glossary Boot P ( Boot st r a p Pr ot ocol) An I nt ernet prot ocol t hat enables a diskless workst at ion connect ed t o a LAN t o discover it s own I nt ernet ( I P) address, t he I P address of a Boot P server on t he net work, and a file t o load int o m em ory t o boot t he PC. I n effect , t he workst at ion can boot wit hout a floppy or hard disk. For obvious reasons, Boot P is a favorit e service for int ruders. bu ffe r ove r flow Occurs when a program , especially a ut ilit y program , such as a daem on, receives m ore dat a input t han it is prepared t o handle. Program m ers build t his t olerance int o program s t o prevent t hem from crashing. When a buffer overflow occurs, crit ical areas of m em ory are overwrit t en during program execut ion. Exploit ing buffer overflows is a favorit e hacker t echnique; in fact , m ost incursions are based on t his " sm ashing t he st ack." Hackers use buffer overflows t o slip in and t hen execut e m alicious code, which t ypically result s in gaining root access. dir e ct or y I n com put er syst em s, a cert ain t ype of file t hat is used t o organize relat ed ot her files in a hierarchical t ree st ruct ure, which m et aphorically resem bles an invert ed t ree. The root , or t opm ost , direct ory resides at t he t op of t he t ree. A direct ory t hat is below t he root or any ot her direct ory in t he t ree is a subdirect ory. The direct ory direct ly above any ot her one is t he parent direct ory. File access in a direct ory is accom plished by specifying all t he direct ories, or direct ory pat h, above t he file. I n GUI - based operat ing syst em s, such as NT, t he t erm folder is used inst ead of direct ory. e gr e ss filt e r in g Used by net work m anagers t o prevent t heir net works from being t he source of spoofed I P packet s, t he pot ent ial source of num erous t ypes of at t acks. Egress filt ering says t hat on out put from a given net work, do not forward or t ransm it dat a t hat doesn't m at ch a cert ain crit erion. Egress filt ering can be im plem ent ed on eit her a firewall and/ or rout ers by configuring t hese devices t o forward only t hose packet s wit h I P addresses t hat have been assigned t o your net work. Egress filt ering should especially be im plem ent ed at t he ext ernal connect ions t o your I SP. fin ge r

A service used prim arily t o t arget a syst em for at t ack. Finger det erm ines whet her a part icular syst em has any users; if t here are none, t he syst em is " fingered" for at t ack. fir e w a ll An elect ronic screening device usually placed bet ween an organizat ion's int ernal net work and an unt rust ed net work environm ent , such as t he I nt ernet . Basic firewall t ypes include packet filt ers, which operat e on t he packet level; proxy firewalls, which operat e on t he applicat ion level; and st at eful inspect ion firewalls, which operat e and allow connect ions based on connect ion param et ers in user st at e t ables. I n t e r n e t Con t r ol M e ssa ge Pr ot ocol( I CM P) Used t o handle errors and t o exchange cont rol m essages. Typically I CMP is used t o det erm ine whet her a host on t he I nt ernet is act ive and capable of responding. To accom plish t his, an I CMP echo request is t ransm it t ed t o t he m achine in quest ion. I f t he host can, it will, on receipt of t he request , ret urn an I CMP echo reply packet . Ping is an exam ple of an im plem ent at ion of t his process. I CMP is also used t o convey st at us and error inform at ion, including not ificat ion of net work congest ion and ot her net work t ransport problem s. in e t d The I nt ernet daem on, or I nt ernet swit chboard operat or for UNI X syst em s. Users access t his superserver indirect ly. I t is one of t he m ost fundam ent al, powerful background services on UNI X syst em s. When a UNI X syst em boot s up, inet d init iat es request ed services by list ening in on service- specific port s. I t refers t o t he inet d.conf file t o det erm ine which services t he server provides on request . in e t d.con f The configurat ion file for inet d. I net d.conf cont ains t he specificat ions for t he services t hat are allowed on a server by syst em adm inist rat ors. I net d.conf is crit ical t o securit y in UNI X and UNI X- like syst em s, such as Linux, because num erous securit y holes are provided by t he services and should be rem oved or locked down.

I n gr e ss filt e r in g A net work access- rest rict ion t echnique t hat elim inat es source address spoofing on t he dest inat ion side. Source address spoofing allows packet s t o be forwarded from a net work wit h source I P addresses t hat aren't assigned t o t hat net work's dom ain. I ngress filt ers are im plem ent ed on ext ernal rout ers of a net work dom ain. On input t o an ext ernal rout er on t he dest inat ion side, t he

rout er will not pass t he t raffic t o t he net work behind it unless it can verify t hat t he packet has originat ed wit h t he valid I P addresses of t he net work t o which it belongs. I n ot her words, ingress filt ers prevent t he passing of packet s wit h spoofed source addresses. Because ingress filt er im plem ent at ion depends on knowledge of known I P addresses, it is pract ical for sm aller I SPs t hat have knowledge of t he I P addresses of downst ream net works and for int ernal ent erprise net works. in .t e ln e t d The service daem on t hat inet d init ializes t o support a TELNET session bet ween host s. When it det erm ines t hat a part icular service is available, inet d inst ruct s t he appropriat e service daem on—in t his case, in.t elnet d—t o handle t he connect ion. Then in.t elnet d st art s t he TELNET process, including request ing t he user's login and password and init ializing com m unicat ion port 23, t he port for TELNET. Ja va Developed by Sun Microsyst em s, an obj ect - orient ed language t hat is sim ilar t o C+ + , but sim plified t o elim inat e and t o m inim ize language at t ribut es t hat cause com m on program m ing errors. Java has been opt im ized t o t ake advant age of t he exponent ial I nt ernet growt h. Com piled Java code can run on m any plat form s because Java int erpret ers and runt im e environm ent s—Java Virt ual Machines ( VMs) —are available for m ost of t he m ainst ream com put ing environm ent s, including UNI X, Windows, and Macint osh. Ja va Scr ipt A script ing language for publishing Web applicat ions. JavaScript is a sim ple program m ing language t hat enables Web aut hors t o em bed Java- like program m ing inst ruct ions int o t he HTML t ext of Web pages. JavaScript however, execut es m ore slowly t han Java. Because JavaScript is derived from C, program m ers wit h C or C+ + experience will find JavaScript fairly easy t o learn. The European Com put er Manufact urer's Associat ion ( ECMA) recent ly st andardized JavaScript . The int erpret er for JavaScript is built int o popular Web browsers, such as I nt ernet Explorer. loa d ba la ncin g Dist ribut ion of net work t raffic t o com put ing resources, such as a firewall or a server, by a device for achieving high availabilit y and resource opt im izat ion. The device feat ures a load- balancing algorit hm , which dynam ically balances t raffic in response t o decisions derived by m onit oring t raffic—packet s per second—users—client or TCP sessions—and resource feedback, such as firewall CPU ut ilizat ion, session connect ions, and so on. loa d- ba la ncin g a lgor it h m A syst em ic process of dist ribut ing net work t raffic, based on cert ain m at hem at ical param et ers. Load- balancing algorit hm s can be based on fewest

users, fewest packet s per second, fewest byt es per second, percent age of CPU ut ilizat ion, and so on. M AC ( m e dia a cce ss con t r ol) a ddr e ss I n a LAN environm ent , assigned t o LAN devices t o facilit at e accurat e com m unicat ions access. For exam ple, vendors of net work int erface cards burn in t he MAC address—usually 6 byt es long and represent ed as a 12- digit hexadecim al num ber—int o a ROM or EEPROM included in t he NI C configurat ion. MAC addresses are also assigned t o ot her LAN int erfaces t o est ablish broadcast , m ult icast , unicast , and funct ional addresses, t hrough which relat ed LAN com m unicat ion is achieved. M D 5 ( m e ssa ge dige st 5 ) A crypt ographic checksum program used t o ensure dat a int egrit y in net work applicat ions and relat ed syst em s. MD5 is used t o creat e a fingerprint of soft ware program s, dat a files, system program s, and so on. MD5 accept s input in t he form of, for exam ple, a dat a, soft ware, or syst em program m essage of arbit rary lengt h and creat es a 128- bit fingerprint , or m essage digest , of t he input . MD5 ensures dat a int egrit y because any given input m essage st ring of arbit rary lengt h produces it s own unique signat ure, or fingerprint . MD5 is I nt ernet Prot ocol St andard RFC 1321. N AP ( ne t w or k a cce ss point ) I n LANs, t he physical locat ion where t he net work is connect ed t o t he I nt ernet . Rout ers are usually posit ioned at a NAP, or where dat a ( packet s) could flow in t wo or m ore direct ions. N e t Ca t A general- purpose client ut ilit y designed t o enable client s t o connect t o servers. Net Cat , available in bot h UNI X and NT versions, is popular because it allows you t o read and writ e dat a, using arbit rary TCP and UDP port s. Syst em engineers and program m ers find Net Cat an invaluable t ool for debugging and invest igat ing net work services. n u ll se ssion A ut ilit y t hat allows various services t o com m unicat e wit h one anot her wit hout t he benefit of user passwords and ident ificat ion. Hackers exploit null sessions t o gain unaut horized access t o host syst em s. Through a null session, int ruders are able t o read password files, user account s, and net work services t hat are lat er used t o log in as legit im at e users. Ope nSSH ( Se cu r e She ll) A powerful service t hat provides a variet y of secure t unneling capabilit ies and aut hent icat ion m et hods. OpenSSH, a freeware version of t he SSH prot ocol suit e of net work connect ivit y t ools, encrypt s all t raffic, including passwords,

t o effect ively neut ralize hacker exploit s, such as eavesdropping ( sniffing) , connect ion hij acking, and relat ed net work at t acks. Replace TELNET, rlogin, and FTP, which t ransm it passwords in t he clear and are associat ed wit h hacker incursions, such as DDoS and R exploit s, wit h OpenSSH for rem ot e net working connect ivit y and operat ions. ope r a t in g syst e m k e r n e l The operat ing syst em 's m ain m odule, which loads first and rem ains in m em ory while t he host is act ivat ed. The OS kernel is responsible for t he m anagem ent of m em ory processes, t asks, and disks. The challenge for m anufact urers is t o keep t he kernel as sm all and as efficient as possible t o ensure a higher level of operat ing syst em perform ance. Pin g A fairly robust ut ilit y t hat can m anipulat e I CMP echo request s and echo replies in a variet y of creat ive ways. Ping also allows you t o specify t he lengt h and t he source and dest inat ion address and t o set cert ain ot her fields in I P headers. pr iva t e de m ilit a r ize d zone An ext ernal net work used for an int ernal com put ing group. For exam ple, an ext ranet is a privat e DMZ, a net work dedicat ed for t he use of an ent erprise's suppliers and st rat egic part ners. r oot a cce ss I n com put er syst em s, t he st at e t hat provides t he great est level of cont rol over an operat ing syst em . Root access allows a user t o delet e, add, m odify, m ove, and renam e files. For t his reason, hackers seek t o gain root access when infilt rat ing a syst em . Root access is t ypically gained t hrough st ages, first by gaining access t o a user account ( s) and finally by exploit ing a vulnerabilit y in t he operat ing syst em . r u le ba se A set of procedural st at em ent s t hat t ranslat e t he ent erprise securit y policy int o a base of rules t hat securit y m easures, such as a firewall or an int rusion det ect ion syst em , rely on for cont rolling dat a com m unicat ions in and out of net works. I n st at eful inspect ion firewalls, for exam ple, rules com prising t he rule base m ust be arranged in a specific order. For rules t hat are not properly ordered, t he desired act ion( s) m ay not execut e properly when t he rule is applied t o a given sit uat ion. Se ndm a il Widely used t o im plem ent elect ronic m ail in TCP/ I P net works, despit e it s long hist ory of securit y problem s. Sendm ail version 8.7.5 and higher correct t he known securit y problem s, and securit y pat ches are available t o correct t he

problem s in older versions. Current versions also ship wit h t he sm rsh ( Sendm ail rest rict ed shell) program , which is designed t o fort ify Sendm ail against exploit s for known vulnerabilit ies. sh e ll Technically, t he out erm ost layer of a program . However, shell is m ore com m only known as a user int erface, t ranslat ing user inst ruct ions t o appropriat e com m ands underst ood by t he operat ing syst em . UNI X syst em s provide a choice bet ween Mot if or OpenLook, shells based on t he graphical windowing developm ent syst em X- Window. sn iffe r s Program s t hat hackers use t o log inform at ion from com prom ised host s. Once in place, usually t hrough a vulnerabilit y exploit , sniffers wat ch all t he user act ivit y on t he com prom ised host t o t rap, for exam ple, user passwords or t o capt ure user sessions. Act ive packet sniffers, secret ly inst alled on com prom ised host s and servers and rout ers in unt rust wort hy net works, hij ack sessions bet ween client and servers wit hout displaying any percept ible clues. Through act ive packet sniffers, hackers can int ercept , save, and print all t ransact ions t ransm it t ed during a given session. TFTP Used for init ializing or boot ing diskless workst at ions and copying files. TFTP ( Trivial File Transfer Prot ocol/ Service) was im plem ent ed on t op of UDP t o exchange files am ong net works t hat im plem ent UDP. Hackers count on adm inist rat ors t o im properly configure t his service. When t his is t he case, TFTP can be used t o copy any file on a given syst em . TELN ET A TCP- based service designed for creat ing a virt ual t erm inal, which allows com put ers wit hout t he capabilit y t o connect t o t he I nt ernet . TELNET servers com m unicat e across port 23; TELNET client s use port s above 1023. Use r D a t a gr a m pr ot ocol A service designed for applicat ions t o exchange m essages. Typically, UDP is com pared t o TCP because t hey bot h provide dat a t ransfer and m ult iplexing and are inherent funct ions of TCP/ I P. Unlike TCP, however, UDP has no m echanism t o ensure t he reliable t ransfer of dat a and t he est ablishm ent of connect ions bet ween host s. Therefore, UDP is oft en referred t o as a connect ionless prot ocol.

Bibliography

Aberdeen Group. Vulnerabilit y Assessm ent : Em powering I S t o Manage Act ual Risk, Bost on: Aberdeen Group, 1997. Adam s, J. "I nt ernet Ret ailing/ Elect ronic Com m erce Updat e." ( Prudent ial Securit ies, I nc.) Available online: ht t p: / / web4.infot rac.galegroup.com . 1999. Axent Technologies. I nform at ion Begins wit h Sound Securit y Policies, Rockville MD: Axent Technologies, 1999. __________. Underst anding Assessm ent and Scanning Tools. Rockville MD: Axent Technologies, 1999. Bace, Rebecca, Pet er Mell, and Nat ional I nst it ut e of St andards and Technology ( NI ST) . NI ST Special Publicat ion on I nt rusion Det ect ion Syst em s, Washingt on, D.C.: Technology Adm inist rat ion, U.S. Depart m ent of Com m erce, 2001. Biggs, Maggie. " Good I nt rusion Det ect ion Solut ions Don't Have t o Cost a Bundle," Federal Com put er Week, Available online: www.fcw.com . 2001. CERT Coordinat ion Cent er. "I ncident Report ing Guidelines." Available online: www.cert .org/ t ech_t ips/ incident _report ing.ht m l. 2001. __________. "I nt ruder Det ect ion Checklist ." Available online: www.cert .org/ t ech_t ips/ int ruder_det ect ion.ht m l. 2001. __________. "Prot ect ing Yourself from Password File At t acks." Available online: www.cert .org/ t ech_t ips/ password_file_prot ect ion.ht m l. 2001. __________. "St eps for Recovering from a UNI X or NT Syst em Com prom ise." Available online: www.cert .org/ t ech_t ips/ root _com prom ise.ht m l. 2001. __________. "UNI X Configurat ion Guidelines." Available online: www.cert .org/ t ech_t ips/ unix_configurat ion.ht m l. 2001. Christ iansen, Christ ian A. Cont ent Securit y: Policy Based I nform at ion Prot ect ion and Dat a I nt egrit y, Fram ingham , MA: I DC, 2000. Christ iansen, Christ ian A., John Daly, and Roseann Day. e- Securit y: The Essent ial eBusiness Enabler, Fram ingham , MA: I DC, 1999. Clark, David Leon. I T Manager's Guide t o Virt ual Privat e Net works, New York: McGraw- Hill, 1999. Fennelly, Carole. " Wizard's Guide t o Securit y." Available online: www.sunworld.com / unixinsideronline/ swol- 05–2000/ swol- 05- securit y_p.ht m l. 2001. Ferguson, P. and Senie, D. RFC 2267 Net work I ngress Filt ering: Defeat ing Denial of Service At t acks Em ploying I P Source Address Spoofing. January 1998.

Frank, Diane. "Training t he Securit y Troops," Federal Com put er Week, Available online: www.fcw.com / fcw/ art icles/ 2000/ 0410/ sec- t rain- 04- 10- 00.asp. 2000. Fyodor. "Rem ot e Det ect ion via TCP/ I P St ack Fingerprint ing." Available online: www.insecure.org/ nm ap/ nm ap- fingerprint ing- art icle.ht m l. 1999. Gagne, Marcel. " Thwart ing t he Syst em Cracker, Part s 1–6." Available online: www2.linuxj ournal.com / art icles/ sysadm in/ 003.ht m l. ( For Part s 2–6, use 004.ht m l– 008.ht m l, respect ively.) 2001. Henry- St ocker, Sandra. "Building Blocks of Securit y," Available online: www.sunworld.com / unixinsideronline/ swol- 12- 2000/ swol- 1208- buildingblocks.ht m l. 2001. __________. "Square One: Paring Down Your Net work Services." Available online: www.sunworld.com / unixinsideronline/ swol- 1006- buildingblocks_p.ht m l. 2001. Koerner, Brendan I . "The Gray Lady Get s Hacked." Available online: www.usnews.com / usnews/ issue/ 980928/ 28hack.ht m l. 2000. __________. "Who Are Hackers, Anyway?" Available online: www.usnews.com / usnews/ issue/ 990614/ 14blac.ht m l. 2000. Koerner, Brendan I . "Can Hackers Be St opped?" Available online: www.usnews.com / usnews/ issue/ 990614/ 14hack.ht m . 2000. Korzenioski, Paul. "Scanning for Securit y Holes," Federal Com put er Week, Available online: www.fcw.com / fcw/ art icles/ 2000/ 0410/ sec- scan- 04- 10- 00.asp. 2000. Lint hicum , David, S. Ent erprise Applicat ion I nt egrat ion, Bost on: Addison- Wesley, 2000. Nat ional I nst it ut e of St andards and Technology ( NI ST) . Risk Managem ent Guide, Special Publicat ion 800- 30, Washingt on, D.C.: Technology Adm inist rat ion, U.S. Depart m ent of Com m erce. 2001. Newm an, David. Super Firewalls! Manhasset , NY: CMP Media, 1999. Past ernak, Douglas, and Bruce Aust er. "Terrorism at t he Touch of a Keyboard." Available online: www.usnews.com / usnews/ issue/ 980713/ 13cybe.ht m l. 1998. Pffaffenberger, Bryan. Building a St rat egic Ext ranet , Fost er Cit y, CA: I DG, 1998. Power, Richard. "Com put er Securit y I ssues and Trends: 2001 CSI / Com put er Crim e and Securit y Survey" ( VI I : 1) . San Francisco: Com put er Securit y I nst it ut e, 2001. Radcliff, Deborah. "Securit y, t he Way I t Should Be," Com put erworld, July 2000. __________. "Diary of a Hack At t ack." Available online: www.nwfusion.com / news/ 2000/ 0110hack.ht m l?nf. 2000.

Rekht er, Y, RFC 1918 Address Allocat ion for Privat e I nt ernet s, February 1996. SANS I nst it ut e Resources, "Help Defeat Denial of Service At t acks: St ep- by- St ep." Available online: www.sans.org/ dosst ep/ index.ht m . 2000. Schwart z, John. "New Virus Hit s World Com put er Net works," Washingt on Post , Available online: www.washingt onpost .com / wp- dyn/ art icles/ A374332000May19.ht m l. 2000. Sokol, Marc S. Securit y Archit ect ure and I ncident Managem ent for E- business, At lant a: I nt ernet Securit y Syst em s, 2000. Spit zner, Lance. "Arm oring Linux." Available online: www.ent eract .com / ~ lspit z/ papers.ht m l. 2000. __________. "Know Your Enem y, Part s I , I I , I I I ." Available online: www.linuxnewbie.org/ nhf/ int el/ securit y/ enem y.ht m l. ( For Part s I I and I I I , replace " enem y" wit h " enem y2" and " enem y3," respect ively.) 2001. Sut t on, St eve. "Windows NT Securit y Guidelines." Trust ed Syst em Services. Available online: www.t rust edsyst em s.com . 1998. Sym ant ec. " Ent erprise- Grade Ant i- Virus Aut om at ion in t he 21 st Cent ury ." Whit e paper. Cupert ino, CA: Sym ant ec Corporat ion. Available online: www.sym ant ec.com . 2000. __________. "Responding t o t he Nim da Worm : Recom m endat ions for Addressing Blended Threat s." Whit e paper. Cupert ino, CA: Sym ant ec Corporat ion. Available online: www.sym ant ec.com . 2000. Thurm an, Mat hias. " Server Lockdown Locks Out End Users." Com put erworld, April 2001. UNI X I nsider, available online at www.I TWorld.com / com p/ 2378/ Unixinsider/ . USA Today.com . " Get Ready for 'Code Red' virus version 2.0." Available online: www.usat oday.com / hlead.ht m . 2001. Xt ream .Online. "I nt ernet Securit y." Available online: ht t p: / / xt ream .online.fr/ proj ect / securit y.ht m l.