December 31, 2001

In the connected world of today, information is the key to a successful business, and the way information is shared can determine the efficiency of your business. Ideally, only the intended recipients would receive the information you send out; the reality is entirely different, and there are any number of ways in which people can try to get at data meant for someone else.

In this article we shall try to classify the kinds of network attacks (a loose term, since it has to cover things like data theft as well), look at how they are carried out and at the damage they can cause.

While network intrusions are commonly perceived as threats from outside the company’s private network, studies indicate otherwise: more than half of the network attacks reported are inside jobs, and that figure excludes data sabotage and theft.

From the Internet
Attacks from the Internet are carried out with the intention of using a company’s resources for personal gain or for revenge. A person might break into the company network and steal personal and financial data, ‘rig up’ the machines on the internal network to act as ‘zombies’ (compromised machines under the control of an attacker), or simply consume the network’s resources. In the simplest case, the attacker might just use the company’s SMTP server to send out spam. Graver crimes are the theft of credit-card details, bank-account details, transaction records and the like belonging to the company and its employees.

Potential crackers use one of two approaches: seeding the network, or breaking into it.

Let us look at how seeding occurs. More often than not, ‘zombies’ or compromised machines are created because legitimate users unknowingly run something that has malicious code embedded in it: a piece of software, an e-mail attachment, a configuration or batch file, and so on. The embedded code could be a script that works its way around the local machine looking for information to send to its ‘owner’. Such scripts typically look for passwords in the system’s common or default storage locations, data left in the swap file, the user’s contact list, and so on. The ‘scavenged’ data is then sent to the script’s owner through the compromised machine’s own e-mail client. (Incidentally, the term ‘script kiddies’ does not refer to the authors of such scripts but to unskilled attackers who run scripts and tools written by others.) Another method is a Trojan. Trojans work in a similar manner but can do much more than simply steal data: they let the attacker control the zombie remotely, execute system-level commands and do whatever a local user on the machine can do.

Another form of seeding is the installation of remote desktop or remote control software that gives desktop access to an outside party. The remote user can then execute anything on the machine and reach all of its data.

Breaking into a network is more complicated and requires extensive knowledge of network protocols, TCP/IP stacks, OS components, routers, firewalls and gateways. This is what crackers do. The process involves port scanning the target and then getting past the firewall by exploiting vulnerabilities in its software or in router firmware. Once an entry point is found, there is a host of tools and documented methods for exploiting the vulnerability; a simple buffer overflow against unpatched router firmware, for example, could compromise the router. The details of how such attacks are carried out are too extensive for this article and can be found in the standard security advisories.

Talking of network attacks, we should also be aware of the most prevalent attack that Internet servers face: Denial of Service (DoS), and its distributed form, DDoS. The methodology is simple. Internet servers serve Web pages and services to clients across the Internet, and every TCP connection begins with a three-way handshake. The client sends a SYN; the server acknowledges it with a SYN-ACK and allocates state (an entry in its table of half-open connections, with the memory and processor time that go with it); it then waits for the client’s final ACK. Imagine if this never comes in. The allocated resources are held until the wait period expires. Now what if thousands of such requests arrive, often from forged source addresses, and none of them ever completes the handshake? The server soon exhausts its half-open connection table and stops serving even genuine requests. This is the SYN flood, the classic denial of service. When it is carried out with an army of compromised machines, preferably on high-bandwidth networks, all directed at the server that is to be brought down, it is a DDoS. Other flooding and malformed-packet attacks work on the same principle of exhausting or crashing the target, among them the ICMP flood, UDP flood, Ping of Death, Teardrop and WinNuke, usually with spoofed source addresses to hide the attacker. Also common is the exploitation of vulnerable CGI scripts to gain control of Web servers.
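The mechanism described above, as an added example that is not part of the original article: a small Python simulation of a listening port’s table of half-open connections. The backlog size (128 entries) and the wait period (60 seconds) are assumed values chosen for the illustration, not measurements from any real system. The simulation shows the flood filling the table so that a genuine client is refused, the same client getting through once the wait period has expired, and the effect of a shorter wait period.

```python
"""Why a flood of unanswered SYNs denies service: a simulation of the server's
table of half-open connections.  Added example; BACKLOG and SYN_TIMEOUT are
assumed values, not measured from any real system."""

BACKLOG = 128        # assumed: entries the half-open (SYN_RECV) table can hold
SYN_TIMEOUT = 60.0   # assumed: seconds an entry is kept while waiting for the ACK


class Listener:
    """A listening TCP port that tracks connections in the SYN_RECV state."""

    def __init__(self, backlog=BACKLOG, syn_timeout=SYN_TIMEOUT):
        self.backlog = backlog
        self.syn_timeout = syn_timeout
        self.half_open = {}   # (src_ip, src_port) -> time the SYN-ACK was sent
        self.established = 0
        self.dropped = 0

    def _expire(self, now):
        # Entries whose wait period is over are released; until then the
        # resources stay allocated, which is exactly what the attacker exploits.
        for key, sent_at in list(self.half_open.items()):
            if now - sent_at >= self.syn_timeout:
                del self.half_open[key]

    def syn(self, src, now):
        """A client SYN arrives. Returns True if the server answered with SYN-ACK."""
        self._expire(now)
        if len(self.half_open) >= self.backlog:
            self.dropped += 1          # table full: this client is refused
            return False
        self.half_open[src] = now      # allocate state, send SYN-ACK, wait
        return True

    def ack(self, src, now):
        """The client's final ACK arrives. Returns True if it completed a handshake."""
        self._expire(now)
        if src not in self.half_open:
            return False
        del self.half_open[src]
        self.established += 1
        return True


def run_flood(n_syn, syn_timeout=SYN_TIMEOUT, legit_at=1.0):
    """Send n_syn spoofed SYNs (one per millisecond, never acknowledged), then
    let one genuine client try to connect at time legit_at (seconds)."""
    server = Listener(syn_timeout=syn_timeout)
    for i in range(n_syn):
        # Forged source addresses: nobody is there to complete the handshake.
        server.syn((f"198.51.100.{i % 250}", 40000 + i), now=i * 0.001)
    legit = ("192.0.2.10", 51000)
    accepted = server.syn(legit, now=legit_at)
    if accepted:
        server.ack(legit, now=legit_at + 0.1)
    return {
        "legit_accepted": accepted,
        "dropped": server.dropped,
        "half_open": len(server.half_open),
        "established": server.established,
    }


if __name__ == "__main__":
    print("50 SYNs, genuine client at t=1s :", run_flood(50))
    print("200 SYNs, genuine client at t=1s:", run_flood(200))
    print("200 SYNs, client after timeout  :", run_flood(200, legit_at=61.0))
    print("200 SYNs, 0.5 s wait period     :", run_flood(200, syn_timeout=0.5))
```

With 200 spoofed SYNs the table fills at 128, the remaining 72 are refused along with the genuine client, and nothing recovers until the wait period runs out. Shortening the wait period (the last run) lets the genuine client in again, which is why real stacks shorten SYN-ACK retransmission and fall back to SYN cookies under load; on a real server the half-open entries are what `netstat` lists in the SYN_RECV state.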

From the inside
As if all these outside threats were not enough, insiders pose an even greater threat to the company’s network, for the simple reason that they are already on the network and have easier access to local terminals and other resources. Let us look at some of the possible threats here.

The simplest example is someone standing by your terminal and watching your keystrokes while you type your password. It appears innocuous, but it hands over access to your personal and confidential material far too easily. In your absence, someone could also plant code on your machine that will give them anything they want to know, including all your passwords, account details and personal data. So, supposing you worked in the company’s accounts department, they would soon have access to the accounts, statements and balance sheets, which could even go for a price to your competition.

Another deceptively simple method is to walk up to somebody’s terminal and copy critical or sensitive data onto floppies or a hard disk, or simply e-mail it to a personal account. Revengeful activities are data sabotage and deletion: the addition or removal of a single zero could ruin all the work done on a financial statement, for example. The job is easier from the inside because access privileges on the network are often lenient and the assumption is that the network is a ‘trusted zone’. People casually share their data over network and local shares without a second thought for the fact that the whole network can see it.

Less common but more harmful are applications such as keystroke loggers and tracers. These are programs which, once installed on a machine, run as background tasks and log all events, including every keystroke, for later retrieval. Those log files will obviously contain all the user’s passwords along with a record of everything the user does. Some of these applications go a step further and take periodic screenshots of the user’s desktop!

Another known method of getting at company resources and data is to deliberately open a way into the network. Somebody could attach a modem to his office terminal, configure RAS (Remote Access Service) on it and go home. From his home machine he could then dial into the office and get onto the office Internet connection. Going a step further, he could install remote desktop software like PCAnyWhere and access the data on his office machine or on the network shares. Such an unauthorised modem is a back door that bypasses the firewall entirely.

All is not lost!
The situation is alarming, but not all that bad. Steps can be taken to prevent or thwart such threats to the security of your data. Network security is a complete field of study in itself and beyond the scope of this text, but let us look at some common and simple ways to implement it.

A seasoned network administrator who understands security can do this for you. Putting firewalls in place is not enough; it is their proper configuration that matters. The firewall should block every port on the gateway that is not actually needed, and packet-level filtering can weed out the malformed and flooding packets that are the makings of a DoS attack. A common practice is a dual firewall configuration: one in front of the gateway and one behind it. Routers are also prone to attack, so their firmware should be patched regularly, and ACLs (Access Control Lists) on routers are an important line of defense too. Also be sure to put in a network monitor that can keep track of suspicious activity. Another very useful tool that we seldom look at is the log file: all software that provides network or Internet services logs its activity. Keep a regular watch over these logs.

Internal users should be made aware of the company security policy, their access rights and a list of do’s and don’ts. Understand, too, that an ordinary PC user in the office does not necessarily know anything about security, so patching OS and software vulnerabilities is the administrator’s task. Regular warnings about circulating viruses and Trojans should be sent round, and people should be told how to protect themselves from them.
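Reading the logs is where the suspicious activity actually shows up. The following is an added example, not from the original article: a Python script run over constructed firewall log lines in the shape of Linux netfilter (iptables LOG target) messages, with the hosts, times and the ‘FW-DROP’ log prefix invented for the illustration. It counts dropped packets per source and flags any source that probed many distinct ports, which is what the port scan that precedes a break-in looks like from the gateway.

```python
"""Review of firewall drop logs: find sources that probed many different ports.
Added example; the log lines below are constructed in the shape of Linux
netfilter (iptables LOG target) messages and are not from any real gateway."""
import re
from collections import defaultdict

# Constructed sample log.  The key=value fields are the ones netfilter emits;
# hosts, times and the "FW-DROP" prefix are invented for the example.
SAMPLE_LOG = """\
Dec 31 10:01:02 gw kernel: FW-DROP IN=eth0 OUT= SRC=203.0.113.9 DST=192.0.2.5 LEN=60 TTL=54 PROTO=TCP SPT=44012 DPT=21 SYN
Dec 31 10:01:02 gw kernel: FW-DROP IN=eth0 OUT= SRC=203.0.113.9 DST=192.0.2.5 LEN=60 TTL=54 PROTO=TCP SPT=44013 DPT=22 SYN
Dec 31 10:01:02 gw kernel: FW-DROP IN=eth0 OUT= SRC=203.0.113.9 DST=192.0.2.5 LEN=60 TTL=54 PROTO=TCP SPT=44014 DPT=23 SYN
Dec 31 10:01:02 gw kernel: FW-DROP IN=eth0 OUT= SRC=203.0.113.9 DST=192.0.2.5 LEN=60 TTL=54 PROTO=TCP SPT=44015 DPT=25 SYN
Dec 31 10:01:03 gw kernel: FW-DROP IN=eth0 OUT= SRC=203.0.113.9 DST=192.0.2.5 LEN=60 TTL=54 PROTO=TCP SPT=44016 DPT=53 SYN
Dec 31 10:01:03 gw kernel: FW-DROP IN=eth0 OUT= SRC=203.0.113.9 DST=192.0.2.5 LEN=60 TTL=54 PROTO=TCP SPT=44017 DPT=80 SYN
Dec 31 10:01:03 gw kernel: FW-DROP IN=eth0 OUT= SRC=203.0.113.9 DST=192.0.2.5 LEN=60 TTL=54 PROTO=TCP SPT=44018 DPT=110 SYN
Dec 31 10:01:03 gw kernel: FW-DROP IN=eth0 OUT= SRC=203.0.113.9 DST=192.0.2.5 LEN=60 TTL=54 PROTO=TCP SPT=44019 DPT=139 SYN
Dec 31 10:01:04 gw kernel: FW-DROP IN=eth0 OUT= SRC=203.0.113.9 DST=192.0.2.5 LEN=60 TTL=54 PROTO=TCP SPT=44020 DPT=443 SYN
Dec 31 10:01:04 gw kernel: FW-DROP IN=eth0 OUT= SRC=203.0.113.9 DST=192.0.2.5 LEN=60 TTL=54 PROTO=TCP SPT=44021 DPT=445 SYN
Dec 31 10:01:04 gw kernel: FW-DROP IN=eth0 OUT= SRC=203.0.113.9 DST=192.0.2.5 LEN=60 TTL=54 PROTO=TCP SPT=44022 DPT=1433 SYN
Dec 31 10:01:04 gw kernel: FW-DROP IN=eth0 OUT= SRC=203.0.113.9 DST=192.0.2.5 LEN=60 TTL=54 PROTO=TCP SPT=44023 DPT=3389 SYN
Dec 31 10:01:05 gw kernel: FW-DROP IN=eth0 OUT= SRC=198.51.100.4 DST=192.0.2.5 LEN=60 TTL=49 PROTO=TCP SPT=50001 DPT=22 SYN
Dec 31 10:01:06 gw kernel: FW-DROP IN=eth0 OUT= SRC=198.51.100.4 DST=192.0.2.5 LEN=60 TTL=49 PROTO=TCP SPT=50002 DPT=22 SYN
Dec 31 10:01:07 gw kernel: FW-DROP IN=eth0 OUT= SRC=198.51.100.4 DST=192.0.2.5 LEN=84 TTL=49 PROTO=ICMP TYPE=8 CODE=0
Dec 31 10:02:00 gw kernel: FW-DROP IN=eth1 OUT= SRC=192.0.2.77 DST=192.0.2.5 LEN=48 TTL=64 PROTO=UDP SPT=5353 DPT=5353
"""

KV_RE = re.compile(r"(\w+)=(\S*)")   # netfilter writes every field as KEY=VALUE


def parse_line(line):
    """Turn one log line into a dict of its key=value fields, or None if the
    line is not a netfilter record (no SRC/DST fields)."""
    fields = dict(KV_RE.findall(line))
    if "SRC" not in fields or "DST" not in fields:
        return None
    for key in ("SPT", "DPT"):       # present for TCP/UDP, absent for ICMP
        if key in fields:
            fields[key] = int(fields[key])
    return fields


def parse_log(text):
    return [rec for rec in (parse_line(l) for l in text.splitlines()) if rec]


def drops_by_source(text):
    """Plain count of dropped packets per source address, for the daily review."""
    counts = defaultdict(int)
    for rec in parse_log(text):
        counts[rec["SRC"]] += 1
    return dict(sorted(counts.items(), key=lambda kv: -kv[1]))


def find_scanners(text, min_ports=10):
    """Sources that had packets dropped on at least min_ports distinct
    destination ports.  A source sweeping many ports of one host is the
    signature of a port scan; a source that keeps hitting a single port is not."""
    ports = defaultdict(set)
    for rec in parse_log(text):
        if "DPT" in rec:
            ports[rec["SRC"]].add(rec["DPT"])
    return {src: sorted(p) for src, p in ports.items() if len(p) >= min_ports}


if __name__ == "__main__":
    print("drops per source:", drops_by_source(SAMPLE_LOG))
    for src, plist in find_scanners(SAMPLE_LOG).items():
        print(f"possible port scan from {src}: {len(plist)} ports {plist}")
```

The threshold of ten distinct ports is an assumption to tune per site; a production version would also bound the count to a time window (the timestamps are in the lines) so that a slow scan spread over days is not missed and a busy legitimate peer is not flagged.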

Ashish Sharma
