A.19. Preventing Common Malicious Events

If you don't know what you are up against, then you don't know how to prepare. "Know your enemy" is an admonishment from Sun Tzu that all security administrators should heed. If you are fully versed in the tools and techniques of your opponents, then you can be well prepared to stave off their attacks. We're sure you've heard the phrase ethical hacking. It is a flashy marketing phrase for security assessment or penetration testing. Ultimately, it refers to using cracker/attacker techniques and tools to test the security of your environment. But before you can perform ethical hacking, you must have two things:

  • Thorough knowledge and skill in cracker/attacker techniques and tools

  • Written approval from the owner/manager/administrator of the target network

Study is the best way to obtain knowledge and skill in cracker/attacker techniques and tools. You have four options to accomplish this:

  • Learn what you can as you stumble upon relevant materials at work or on the Internet.

  • Read relevant books, study guides, and self-paced courses.

  • Attend online or computer-based training (CBT) classes.

  • Attend instructor-led training.

The first of these options is the cheapest, but it's the least effective. The last option is the most expensive, but it is the most direct route to accomplishing the goal of being well versed in cracker/attacker techniques and tools. If you are serious about learning more about ethical hacking, several official certifications are available, such as Certified Ethical Hacker (CEH) from the EC Council (www.eccouncil.org) or the SysAdmin, Audit, Network, Security (SANS) and Global Information Assurance Certification (GIAC) (www.sans.org and www.giac.org) line of security certification pathways.

After you have a basic foundation of cracker/attacker techniques and tools, you then have to perform self-imposed continuing education, which involves the following:

  • Setting up a lab where you can perform attack/defend activities safely. I recommend the book Build Your Own Security Lab by Michael Gregg (Wiley, 2008).

  • Finding a partner to learn and experiment with. You could turn the attack/defend activities into a competition.

  • Watching security topic mailing lists and discussion groups.

  • Watching major OS, software, and hardware vendor websites.

  • Reading about any new vulnerability, exploit, or attack that appears in technical news.

  • Endeavoring to learn how and why attacks and exploits function.

  • Investigating the vulnerabilities and weaknesses addressed in newly released patches and updates.

Ethical security experts all agree: Never perform any attack activity against any system without written authorization from the owner of that system. Approval is your get-out-of-jail-free card. It is your protection from prosecution and job loss. If you want to experiment with an attack or exploit, do it only in your private lab. Never perform attack or exploit testing over the Internet. If you don't own and control the system, you don't have the legal authority to do what you want on that system. So obtain approval.

After you recognize the vulnerabilities and threats a system faces, you can begin to construct your lines of defense. In a corporate environment, the basics of defense should already be in place. If not, you need to make some strong recommendations to those with the authority to make network security decisions.

Of the basic prevention mechanisms available, here are the items deemed essential for every system:

  • Firewall

  • Antivirus

  • Antispyware

  • Anti-adware

  • E-mail filtering

A few of the latest editions of antivirus solutions have combined capabilities that encompass all of these features in a single product (or at least a single suite of products from the same company). Every client and every server in a network should have these security mechanisms installed, configured, and maintained. Depending on the size of your network and available security budget, you should also consider an intrusion detection system (IDS) to watch for the things these five foundational filtering/scanning tools might miss.

If you have systems that do not have these basic security tools present, then obtain permission to get them installed. But your security protections can't stop there. As you'll see in a moment, there are many forms of attacks and threats that require your focused attention.

Denial-of-service (DoS) attacks come in two major forms: flaw exploitation and traffic generation. You can protect against flaw-exploitation DoS attacks by applying vendor-supplied patches and updates as well as by installing firewalls and other traffic-filtering tools. Traffic-generation DoS attacks are not as easy to stop. They require detection and network traffic filtering. It is usually possible to block such attacks from entering your network, but you'll have to convince an upstream network (such as an ISP) to filter out the malicious traffic as well. Otherwise, your communication pipeline might be consumed with the bogus attack traffic and thus be unable to support your legitimate communications.

Back doors are popular because they allow easy access into a computer or network device without having to deal with the authentication systems protecting them. Some back doors are left in accidentally by the vendor but are usually patched quickly by a vendor update. If the back door is a known user account and/or admin or configuration password, then you need to make sure that the accounts are renamed and a strong password defined. Other back doors are deposited by hackers or various forms of malicious code, such as Trojan horses. If your security perimeter is working properly and you are actively watching for attacks, depositing back doors or other malicious code is made significantly more difficult.

Spoofing, as described earlier, is faking information. Common spoofing attacks use e-mail source addresses, packet source addresses, and system MAC addresses. While it is not possible to stop all spoofing attacks, you can eliminate a great number with a few simple actions. Your network traffic filters and e-mail filters should be configured to check for source spoofing in network packets and e-mails, respectively. If a packet or message is leaving your private LAN, then it cannot have a valid source address from the Internet. Conversely, if a packet or message is entering your private LAN from the Internet, then it cannot have a valid source address from the LAN. These types of filters are known as egress (exiting) and ingress (entering) filters. They need to be configured on every border system.
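The egress and ingress rules above, written out as a border filter. This is an added example, not code from the book; the LAN prefix, the sample packets and the function names are constructed for illustration, and the ingress rule is extended slightly beyond the text to reject any RFC 1918 or loopback source, which can never legitimately arrive from the public Internet.

```python
import ipaddress

# Constructed example: the private LAN sitting behind this border filter.
LAN = ipaddress.ip_network("192.168.10.0/24")

# Private ranges that can never be a legitimate source on the public Internet
# (RFC 1918 plus loopback); this extends the text's LAN-only rule slightly.
INTERNAL_ONLY = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

def spoof_verdict(src_ip, direction, lan=LAN):
    """Classify one packet by its source address and direction of travel.

    direction is 'egress' (leaving the LAN for the Internet) or
    'ingress' (arriving from the Internet). Returns 'pass' or 'drop: reason'.
    """
    src = ipaddress.ip_address(src_ip)
    if direction == "egress":
        # Egress filter: traffic leaving us must carry one of our own
        # addresses; anything else is an inside host forging a source.
        return "pass" if src in lan else "drop: egress packet with non-LAN source"
    if direction == "ingress":
        # Ingress filter: the Internet cannot legitimately hand us a packet
        # that claims to come from our LAN (or from any private range).
        if src in lan or any(src in net for net in INTERNAL_ONLY):
            return "drop: ingress packet claiming an internal source"
        return "pass"
    raise ValueError(f"unknown direction {direction!r}")

def filter_packets(packets, lan=LAN):
    """Apply the border filter to a list of (src_ip, direction) pairs."""
    return [(src, d, spoof_verdict(src, d, lan)) for src, d in packets]

# Constructed sample traffic seen at the border device.
SAMPLE = [
    ("192.168.10.5", "egress"),   # normal outbound packet
    ("203.0.113.9", "egress"),    # inside host forging an Internet source
    ("198.51.100.4", "ingress"),  # normal inbound packet
    ("192.168.10.7", "ingress"),  # outsider forging one of our LAN addresses
    ("10.0.0.1", "ingress"),      # outsider forging another private address
]

if __name__ == "__main__":
    for src, direction, verdict in filter_packets(SAMPLE):
        print(f"{direction:7} {src:15} {verdict}")
```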

Using reverse lookups and white/black lists also allows you to limit spoofing attacks. Reverse lookups check to see if a source MAC address, IP address, or e-mail address is real, currently in use, and from the expected location before allowing traffic to enter or leave. White lists and black lists are filters that have lists of addresses that are known to be either legitimate and trustworthy or illegitimate and malicious. All addresses on a white list are trusted and are allowed to pass with little interference, whereas all addresses on a black list are either blocked outright or subject to greater levels of inspection before being allowed to pass. Black lists can result in a form of DoS if benign addresses are placed on the black list accidentally. This threat is something to watch for, and be prepared to verify and rectify list entries when necessary.

Man-in-the-middle, replay, and session hijacking attacks are thwarted by several means: complex packet sequencing rules, time stamps in session packets, periodic mid-session reauthentication, mutual authentication, the use of encrypted communication protocols, and spoof-proof authentication mechanisms (such as certificates). Whenever possible, use only modern OSs that are fully updated. Also, attempt to limit your out-of-LAN communications to encrypted sessions verified with certificates.

A.19.1. Antivirus Protection

The appearance of malicious code is at an all-time high, and it will only get worse. As more and more countries, cities, and population groups move into the Internet age, many people are learning how to program. Inevitably, human nature leads some of these new programmers to the dark side, and they become the authors of malicious code. Your job is to erect sufficient barriers to the malware threat to prevent any and all breaches.

The best initial protection against malicious code is antivirus software. However, these packages are not perfect. Even properly managed and fully updated antivirus scanners can still overlook 4 percent of known viruses. This oversight means that you cannot rely on a single scan to provide realistic protection; you need to scan everywhere. It is highly recommended that you employ at least three different antivirus vendors' scanning solutions in your environment. However, never install two antivirus products on the same computer! Install one product on all clients, a second product on all internal servers, and a third product on all border systems. In this manner, every bit of data entering or leaving your environment is scanned at least twice, if not three times, thus reducing the likelihood of missing a known virus from 4 percent to 0.16 percent (4 percent of 4 percent) or 0.0064 percent (4 percent of 4 percent of 4 percent).

Every antivirus product should scan data as it enters the computer, as it leaves the computer, as data is written to the hard drive, as data is read from the hard drive, and as data is used in memory. Plus, on a weekly or biweekly basis, scan every file on every drive. Yes, this will affect your system's performance, but in most cases a small reduction in performance is worth the trade-off for greatly improved malware protection.

Automate the downloading of virus signature databases, but restrict and control the deployment of engine updates. Virus signature database updates have rarely been the cause of problems, but delaying the deployment of the signature database can result in undetected infections. Most modern antivirus solutions offer a staged deployment controller for updates. A single server should poll the public website for antivirus updates two to four times a day. Then, that server should be the host that provides the updates to all other internal systems. This deployment controller usually allows you to make signature database updates immediately available while quarantining all other forms of updates. After updates are tested and verified, you can release the ones that you want deployed.

Users should be trained to avoid malware and risky behavior. You should issue the following warnings to users:

  • Don't download anything from the Internet.

  • Never install any unapproved software.

  • Don't bring in storage media from outside.

  • Don't leave removable media in drives.

  • Don't boot with removable media connected to a computer.

  • Stay away from private or noncommercial sites.

  • Always type links into a browser; never click on them from e-mails or documents.

  • Don't accept certificates from unknown CAs.

  • Never trust an entity just because you know the CA that issued their certificate.

Consider deploying a sheep-dip system for precleaning removable media before use on your LAN. A sheep-dip system is a stand-alone machine that is used solely to scan portable storage devices for malware before they are used on secured LANs. The sheep-dip system needs to be manually updated several times a day with signature database updates because it is air-gapped from the rest of the network. Every device that can store data must be checked by the sheep-dip system before it is connected to the LAN. This scrutiny needs to include cell phones, PDAs, audio/video players, digital cameras, USB drives, floppies, and CD/DVDs.

Each time a vendor releases a new version of its product, upgrade to it. Well, don't rush and do this immediately in a knee-jerk fashion. Give the new version a few months of "public" testing before making the migration. This testing lets others discover and experience the growing pains of new solutions. You can learn and benefit from earlier adopters. Plus, always thoroughly test new software before deployment. This testing applies to any code, including new versions of software, engine patches, function upgrades, and even signature and pattern database updates. The newer the technology, the more likely it will provide reliable protection against newer malware attacks.

A.19.2. Making Stronger Passwords

Passwords are the most common form of authentication; at the same time, they are the weakest form of authentication. Password attacks have become ubiquitous. Reliance solely on passwords is not true security. At least four attack methods are used to steal or crack passwords. All of them involve reverse hash matching. This is the process of stealing the hash of a password directly from an authentication server's account database or plucking it out of network traffic, then reverse-engineering the original password. Reverse-engineering, in this case, is done by taking potential passwords, hashing them, and then comparing the stolen hash with the potential password hash. If a match is found, then the potential password is probably the actual password. (By the way, even if the potential password is not the actual password, if it happens to produce the same hash, it will be accepted by the authentication system as the valid password.)

There are four password-cracking or -guessing attacks:

Dictionary

These attacks generate hashes to compare by using prebuilt lists of potential passwords. Often these lists are related to a person's interests, hobbies, education, work environment, and so forth. Dictionary attacks are remarkably successful against non-security professionals.

Brute force

Brute-force attacks generate hashes based on generated passwords. A brute-force attack tries every valid combination for a password, starting with single characters and adding characters as it churns through the process. Brute-force attacks are always successful, given enough time. Fortunately, brute-force attacks against strong passwords eight characters long can take up to three years.

Hybrid

These attacks take the base dictionary list attack and perform various single-character and then multiple-character manipulations on the base passwords. This includes adding numbers or replacing letters with numbers or symbols. Hybrid attacks are often successful against even security professionals who think they are being smart by changing a to @ and o to 0 and adding the number 12 to the end of the name of their favorite movie character.

Rainbow tables

The really worrisome tool for password attacks is called a rainbow table. Traditionally, password crackers hashed each potential password and then performed an Exclusive Or (XOR) comparison to check it against the stolen hash. The hashing process is much slower than the XOR process, so 99.99 percent of the time spent cracking passwords was actually spent generating hashes. So, a new form of password cracking was developed to remove the hashing time from the cracking time. Massive databases of hashes are created for every potential password, from single characters on up, using all keyboard characters (or even all ASCII 255 characters). Currently, a rainbow table for cracking Windows OS passwords is available that contains all the hashes for passwords that contain from 1 to 14 characters using any keyboard character. That database is 64GB in size, but it can be used in an attack to crack a password in less than three hours—meaning that all Windows OS passwords of 14 characters or fewer are worthless.

To protect yourself from this threat, change all of your Windows OS and network passwords to a minimum of 16 characters. Or, if you get approval from your security administrator, start using one or more higher-order ASCII characters in a password of at least 8 characters. You can't just use the higher-order ASCII characters because many legacy systems (for example, those written prior to 2000) do not support them. If any system you interact with does not support higher-order ASCII characters, then you can't use them.

One of the smartest—and most secure—things you can do is turn off LANMAN passwords.

Another protection is the addition of a salt to the password before it is hashed. Windows 2003/8, Windows XP Professional (SP1+), SE Linux variants, and many other modern and secure OSs employ salts. The purpose of a salt is to thwart easy hash cracking and prebuilt hash databases. Often the salt is the SID of the user account, thus a 40-character (or so) phrase is added to a, say, 12-character password to create a 52-character entity that is then hashed. An attacker may be able to learn the salt value, especially if it is the SID, but it still stops all of the easy attack methods. The use of salts forces a true real-time brute-force approach to cracking hashes, thus allowing OSs to once again provide real protection for passwords (assuming the password is complex and long to begin with).
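Why a salt defeats reverse hash matching and prebuilt hash databases, as an added example that is not from the book or any particular OS. The candidate list is a constructed stand-in for a cracker's dictionary, the precomputed table stands in for a rainbow table, and the function names are assumptions; the salted side uses a per-account random salt with PBKDF2 (a slow key-derivation function) rather than the SID-based scheme the text mentions.

```python
import hashlib
import hmac
import os

# Constructed candidate list standing in for a dictionary/hybrid word list.
CANDIDATES = ["password", "letmein", "neo", "Neo12", "N3o12", "trinity"]

def unsalted_hash(password):
    """Hash of the password alone, as in a legacy store: precomputable once."""
    return hashlib.sha256(password.encode()).hexdigest()

def build_precomputed_table(candidates):
    """Stand-in for a rainbow table: hash -> password, built once and reused
    against every stolen hash, so the hashing time is paid in advance."""
    return {unsalted_hash(c): c for c in candidates}

def table_hit(table, stolen_hash):
    """A stolen unsalted hash is cracked with a single lookup, no hashing."""
    return table.get(stolen_hash)

def salted_hash(password, salt, iterations=100_000):
    """Per-account salt plus a slow KDF: the table above is useless because
    every account's hash depends on a value the table builder never saw."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations).hex()

def store_password(password, salt=None):
    """Return (salt, hash) for the account database; the salt is not secret,
    it only has to differ per account."""
    salt = salt if salt is not None else os.urandom(16)
    return salt, salted_hash(password, salt)

def verify_password(password, salt, stored_hash):
    """Constant-time comparison so the check leaks nothing about the hash."""
    return hmac.compare_digest(salted_hash(password, salt), stored_hash)

if __name__ == "__main__":
    table = build_precomputed_table(CANDIDATES)
    print("unsalted lookup:", table_hit(table, unsalted_hash("N3o12")))
    salt, stored = store_password("N3o12")
    print("salted lookup:  ", table_hit(table, stored))
    print("verify correct: ", verify_password("N3o12", salt, stored))
```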

Use as many different types of characters as possible, including lowercase letters, uppercase letters, numbers, and symbols. Change your password frequently, at least every 45 days if not more often. Never reuse a previous password, and never use the same password for more than one account. Don't use password-storage tools, whether software or hardware. However, if you have to juggle so many passwords that a management tool is essential, then make sure the passwords are stored with strong encryption and the lock on the tool is stronger than the best password it is storing.
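A password policy check that enforces the character-class and length advice above and, following the hybrid-attack description earlier in this section, rejects a dictionary word even after the a-to-@, o-to-0 style substitutions and a trailing number have been applied. This is an added example, not the book's code; the word list, the substitution table and the function names are constructed, and the base-word recovery is a heuristic rather than a full hybrid rule set.

```python
import re
import string

# Constructed word list standing in for a cracker's dictionary of likely bases.
DICTIONARY = {"password", "neo", "trinity", "matrix", "winter", "admin"}

# Substitutions a hybrid attack undoes; the text's a->@ and o->0 are among them.
UNLEET = str.maketrans({"@": "a", "4": "a", "0": "o", "3": "e",
                        "1": "i", "!": "i", "$": "s", "5": "s", "7": "t"})

def candidate_bases(password):
    """Base words a hybrid attack would recover: lower-case the password,
    optionally strip the trailing digits/symbols, then undo substitutions."""
    lowered = password.lower()
    stripped = re.sub(r"[^a-z]+$", "", lowered)
    variants = {lowered, stripped}
    variants |= {v.translate(UNLEET) for v in list(variants)}
    return variants

def check_password(password, min_length=16):
    """Return a list of policy violations (an empty list means it passes)."""
    problems = []
    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")
    classes = {
        "lowercase": any(c.islower() for c in password),
        "uppercase": any(c.isupper() for c in password),
        "digits": any(c.isdigit() for c in password),
        "symbols": any(c in string.punctuation for c in password),
    }
    missing = [name for name, present in classes.items() if not present]
    if missing:
        problems.append("missing " + ", ".join(missing))
    if candidate_bases(password) & DICTIONARY:
        problems.append("dictionary word once common substitutions are undone")
    return problems

if __name__ == "__main__":
    for pw in ("N3o12", "Tr1n1ty!2009", "Rz7#kq!Lm2pW9vXs"):
        print(pw, "->", check_password(pw) or "ok")
```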
