40 Managing Network Vulnerability Assessment
Disgruntled Employees
Rich Brewer of International Data Corp. (IDC) commented during Directions
’99 that “the perception is that most hack attacks come from political activities
and professional industrial thieves, but the reality is that approximately
70 percent of attacks come from within a company. Most security breaches
are committed through a bunch of holes, enabling hackers to steal assets and,
more important, ideas.”
“Hackers are benefiting from a company’s silence,” Brewer said, adding that
“according to the FBI, fewer than 3 percent of hack attacks were detected last
year, and out of those, fewer than 1 percent were reported to the FBI.” To defend
against hack attacks, “products alone can’t save” companies. Companies will
have to look at all options: security consulting and implementation; managed
firewalls; an intrusion detection and response operation; and hacker insurance.
In 1998, a disgruntled programmer at defense contractor Omega Engineering
Corp. set off a digital bomb, destroying $10 million in data.
A temporary employee working as a computer technician at Forbes Magazine
was charged with crashing the company’s network and causing more
than $100,000 in damage.
Industrial Spying
The gathering of competitive business intelligence is now considerably easier
and more effective because of the Internet. Clues to competitors’ intellectual
property development and strategic plans have grown so accessible that
management might fear repercussions from shareholders for not gathering
such material. It is very easy to gather such information from private-sector
and government Web sites, news groups, chat rooms, and other quite public
gathering spots of the information age. It is so easy that it is almost criminal.
Recently, the European Union warned that the Russian secret service is
committed to stealing technology.
According to the Futures Group, some 60 percent of companies have
organized systems for collecting information on rivals.
Additional Threats
To help identify possible threats, a number of services provide current
threat information and possible solutions. The contacts most commonly
used include:
Vendors
CERT Coordination Center (www.cert.org/advisories)
Computer Incident Advisory Capability (CIAC)
Federal Information Processing Standards Publications (FIPS Pub) (www.itl.nist.gov/fipspub)
Assessing Current Network Concerns 41
National Institute of Standards and Technology (NIST) publications
Generally Accepted System Security Principles (GASSP)
British Standard (BS) 7799
International Standard for Information Security (ISO 17799)
Global Information Assurance Certification (GIAC) (www.giac.org) by the SANS Institute
Some additional threats identified by these organizations include:
Firewall and system probing. Hackers are using sophisticated, automated
tools to scan for the vulnerabilities of a company’s corporate firewall and
systems behind the firewall. These hacker tools have proved quite effective,
with the average computer scan taking less than three minutes to identify
and compromise security.
Safeguard/control. Companies can prevent this by ensuring that their
systems sit behind a network firewall, and any services available through
this firewall are carefully monitored for potential security exposures.
Network File System (NFS) application attacks. Hackers attempt to exploit
well-known vulnerabilities in the NFS application that is used to share files
between systems. These attacks, usually through network firewalls, can
result in compromised administrator access.
Safeguard/control. To combat this, ensure that systems do not allow
NFS through the firewall, and enable NFS protections to restrict access
to files.
Vendor default password attacks. Systems of all types come with
vendor-installed user names and passwords. Hackers are well educated on these
default user names and passwords, and use these accounts to gain
unauthorized administrative access to systems.
Safeguard/control. Protect systems by ensuring that all vendor
passwords have been changed.
Spoofing, sniffing, fragmentation, and splicing attacks. Recently, computer
hackers have been using sophisticated techniques and tools at their disposal
to identify and expose vulnerabilities on Internet networks. These tools
and techniques can be used to capture user names and passwords, as well
as compromise trusted systems through the firewall.
Safeguard/control. To protect systems from this type of attack, check
with computer and firewall vendors to identify possible security
precautions.
Social engineering attacks. Hackers will attempt to gain sensitive or
confidential information from companies by placing calls to employees and
pretending to be another employee. These types of attacks can be effective
in gaining user names and passwords as well as other sensitive information.
Safeguard/control. Train employees to use a “call-back” procedure to
verify the distribution of any sensitive information over the phone.
Prefix scanning. Computer hackers will be scanning company telephone
numbers, looking for modem lines that they can use to gain access to
internal systems. These modem lines bypass network firewalls and usually
bypass most security policies. These “backdoors” can easily be used to
compromise internal systems.
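The NFS safeguard above ("enable NFS protections to restrict access to files") can be checked mechanically. The following is an added example, not taken from the book: a small audit of a Linux exports(5) file that flags shares open to any host, `no_root_squash`, `insecure`, and the stray-space mistake that turns a per-host option list into a world export. The sample file, host names and paths are constructed; quoted paths and backslash line continuations are assumed not to be used.

```python
import re

# Constructed sample in Linux exports(5) syntax; hosts and paths are made up.
SAMPLE_EXPORTS = """\
# /etc/exports (constructed sample)
/srv/projects   10.0.5.0/24(rw,sync,root_squash)
/srv/public     *(ro,sync)
/srv/backup     10.0.5.17(rw,no_root_squash)
/home           fileserver.example.com (rw,sync)
/srv/scratch    *(rw,insecure)
"""

# One client entry: optional host spec followed by optional "(opt,opt,...)".
CLIENT_RE = re.compile(r"^(?P<host>[^()]*)(?:\((?P<opts>[^()]*)\))?$")


def audit_exports(text):
    """Return a list of (line_no, path, client, finding) tuples."""
    findings = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()      # drop comments
        if not line:
            continue
        path, *clients = line.split()
        for client in clients:
            m = CLIENT_RE.match(client)
            if not m:
                findings.append((line_no, path, client, "unparseable client entry"))
                continue
            host = m.group("host")
            opts = set(filter(None, (m.group("opts") or "").split(",")))
            # "/home host (rw)" parses as host with defaults plus "(rw)" for everyone.
            if host == "":
                findings.append((line_no, path, client,
                                 "options with no host apply to all clients (stray space?)"))
            if host in ("", "*") and "rw" in opts:
                findings.append((line_no, path, client, "read-write export to any host"))
            if "no_root_squash" in opts:
                findings.append((line_no, path, client,
                                 "remote root keeps root privileges on the share"))
            if "insecure" in opts:
                findings.append((line_no, path, client,
                                 "accepts requests from unprivileged source ports"))
    return findings


if __name__ == "__main__":
    for line_no, path, client, finding in audit_exports(SAMPLE_EXPORTS):
        print(f"line {line_no}: {path} {client}: {finding}")
```
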