by Eric D. McMillen, MCSE, CCA
It is very uncommon to pick up a newspaper or trade journal these days and not see something pertaining to network security. Unfortunately, most of these articles are about how a company’s network was compromised. According to the 2002 Computer Crime and Security Survey performed by the Computer Security Institute (CSI) and the FBI, ninety percent of respondents detected security breaches within the last twelve months. Yet with all of this happening, I am still asked if firms need to worry about security, or even worse, I am told, “We have a firewall, so we’re protected”.
What is network security and why is it important? Network security is defined as the process of protecting a firm’s network resources, and the information contained on those resources, while ensuring that legitimate users have the ability to access the information and resources for which they are authorized and are limited to the functions granted to them. This is a long-winded way of saying that it is keeping the bad guys out and only allowing the good guys to do what they need to.
Why is it important? While this may seem like an absurd question, it is also commonly asked. The main reasons for ensuring that you have adequate network security are protecting firm assets, complying with regulatory requirements or fiduciary responsibilities, and gaining a competitive advantage. While the first two are self-explanatory, you may be wondering how you can gain a competitive advantage from network security. How well would your new private client sites be received if your clients hear that you cannot secure your own internal network, or even worse, they receive a copy of their personal financial statement, which you prepared, in the mail from an anonymous source? The first is a hypothetical. The second actually happened; needless to say, that firm lost more than one client due to this incident.
Before you can implement a good network security program, you need to understand who and what you are securing your network against. So let’s begin with our friend the hacker. Contrary to everything that you see in the press and from Hollywood, the term hacker is a misnomer. A hacker, in the true sense, is a person who has a great deal of technical ability and is driven to figure out how things work; there is no malicious intent involved. A person who compromises a computer or network with malicious intent is better referred to as a cracker. These two individuals are not the only threats that we must concern ourselves with. There are four other classifications of individuals that dot the security landscape: script kiddies, disgruntled employees, organized crime or terrorist organizations, and the “others” category. In this article I will refer to all of them generically as attackers.
Script kiddies are a recent phenomenon but probably the most common external threat that you will encounter. Unfortunately, most of the tools needed to perform common security exploits are now available on the Internet and come with nice graphical front-ends, so no real skill is necessary to launch attacks using them. Script kiddies are generally young males with too much time on their hands who blindly run these exploits against systems at random without understanding the full impact. The DOS attacks in the first quarter of 2000 against CNN, Amazon, Yahoo, Excite, and eBay were carried out by a 15-year-old script kiddie known as MafiaBoy. The estimated lost revenue was in the billions.
Disgruntled employees are the biggest threat to any firm. This stems from the fact that they have so much knowledge and access to firm information and resources. Most firms do not even consider employees to be a source of a threat, but you must establish guidelines of trust between what is necessary to accomplish their job and what is necessary to provide security for the firm. Having a good security awareness training program and strong security policies in place will help in this area.
Organized crime or terrorist organizations are not a post-September 11th threat; they have always looked at computer crime or fraud as a way of acquiring funds. The new twist to this threat is that now, as opposed to just credit card numbers, they are using attacks to gather the information necessary for carrying out identity theft. Accounting firms may be especially vulnerable to this, as the tax return information that you hold provides everything an attacker would need to steal your client’s identity.
The last group is what I call the “others” or the catchall category. This group contains Hacktivists, governments, competitors, and your own poorly trained end-users. Except for poorly trained end-users, this group is generally not a threat to accounting firms. The exception to this may be if you are engaged with a controversial client.
Hacktivists use their attacks to make social or political statements. Generally this is limited to web site defacement or the public posting of embarrassing electronic documents. An attack on your network by a government entity would generally be due to working with an individual or group that was considered hostile by that government, or as part of a criminal investigation. Competitors are fairly straightforward; they want something they can use to gain a competitive advantage. An example would be a list of staff or clients. By far, the worst of this group is our own poorly trained end-users who accidentally delete a file that they weren’t supposed to or introduce a virus that spams every one of our clients with pornography. It isn’t their fault; it is our job to ensure that they are trained and that we have the proper policies and procedures in place to prevent it from happening.
So now that we know who wants to attack us, let’s discuss the types of attacks that they may use against us. There are five general categories of attacks: denial of service, intrusion attacks, information theft, indirect attacks, and hybrid attacks.
Denial of Service (DOS) attacks are almost always deliberate and are aimed at depriving a firm of a resource that it expects to be able to use. This resource may be your mail server or your Internet connection. Denial of service attacks are generally caused by sending an inordinate amount of traffic to a particular service. One example would be a mail bomb that sends hundreds of thousands of fake emails to a server, overwhelming its ability to deal with legitimate mail traffic. This type of attack also includes what are termed Distributed Denial of Service attacks (DDOS), which use multiple computers to launch an attack against a specific target; this is what MafiaBoy used to bring Amazon, eBay, and others to a halt.
Intrusion attacks are the most familiar and probably the most common type that you will face. This attack is where an attacker gains access to your network systems and uses your computing resources. Sometimes an attacker may only be doing this for the thrill and the ability to brag about it. But most times they are doing it so that they can plant a “zombie” program that will later allow them to use your resources to launch a DDOS attack against another target.
Information theft attacks are where an attacker is able to steal data from a target. These attacks do not always require that they gain access to a target’s network system. Many times they may use passive methods such as monitoring network traffic or intercepting email traffic. This attack may also employ low-tech means such as “Dumpster Diving” - basically digging through your trash or acquiring a copy of your backup media.
Indirect attacks are attacks that aren’t directly executed against you by an attacker; rather they are “turned loose” into the wild to infect any unsuspecting user. This is where we classify viruses, Trojans, and worms. Trojans are in many ways the worst type of indirect attack. When you are infected with a conventional virus, you can destroy it and restore from tape. With a Trojan, you may not know that your resources are being compromised for a long period of time.
Many times indirect attacks are used as part of our final category - hybrid attacks. Hybrid attacks are simply any combination of the other four categories. A common scenario is to send out an email carrying a Trojan-infected program that installs a backdoor into the system or a “zombie” program for an attacker to use at a later date.
Now that you are familiar with the types of attacks you may have to contend with, let’s walk through how an attacker would perform a typical intrusion attack against you. The first step in any attack is reconnaissance or information gathering. An attacker wants to find out as much as he can about your network: what operating system you use, what applications you are using, what type of hardware, and even the names and phone numbers of your technical staff and/or partners. The more information he can gather, the easier it is for him to find potential holes to exploit.
After he has assembled his information, he begins to try different exploits until he comes across one that gives him access to your network. When an attacker gains initial access, it is generally at a level less than he desires, so he continues to use additional exploits against the system to elevate his level of access, hoping to gain administrator or equivalent rights. It may take him more than one attack to achieve his desired level of access privileges.
When he has attained the level of access that he needs, he will then carry out his attack. This step will vary with the type of attack that he has planned; it could range from stealing information to planting a “zombie” for future use. After he has finished his attack, he will want to ensure that he has a backdoor into the system should he ever need it again. He will generally set up a couple of extra accounts that he could use later, or he may plant a program that will allow him access in the future. Finally, our attacker will want to make a clean getaway. He will attempt to accomplish this by removing all traces of his access or altering the logs that show he was there. He now owns your system to do with as he pleases; how would your clients feel if they knew?
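The last two steps of this walkthrough, setting up extra accounts and tampering with the logs, are the ones a firm has the best chance of catching, because each leaves its own record before the attacker gets around to cleaning up. The following is an added example, not code from the original article, of a small defender-side check that correlates those two events over a few constructed security-log lines. The log format, the host name, the account names and the business-hours window are all assumptions made for the illustration.

```python
"""
Added example (not part of the original article): correlate the two
post-intrusion traces described in the text, a newly created account
(the backdoor) followed shortly by the audit log being cleared (the
clean getaway). The log lines and their format are constructed for
this illustration and do not come from any particular product.
"""
import re
from datetime import datetime, timedelta

# Constructed sample log: one suspicious sequence on fileserver01 in the
# middle of the night, and one ordinary account creation during the day.
SAMPLE_LOG = """\
2002-03-04 02:11:07 fileserver01 security: logon succeeded user=jdoe from=10.0.5.23
2002-03-04 02:14:52 fileserver01 security: account created user=svc_backup by=jdoe
2002-03-04 02:15:30 fileserver01 security: group change user=svc_backup added_to=Administrators by=jdoe
2002-03-04 02:21:09 fileserver01 security: audit log cleared by=jdoe
2002-03-04 09:05:44 fileserver01 security: logon succeeded user=asmith from=10.0.5.40
2002-03-04 09:07:12 fileserver01 security: account created user=intern03 by=asmith
"""

# Assumed line layout: "<date> <time> <host> security: <message>"
LINE_RE = re.compile(r"^(?P<ts>\S+ \S+) (?P<host>\S+) security: (?P<msg>.+)$")
TS_FMT = "%Y-%m-%d %H:%M:%S"

BUSINESS_HOURS = (7, 19)        # assumption: 07:00-19:00 local is normal activity
WINDOW = timedelta(minutes=30)  # assumption: how close the two events must be


def parse(log_text):
    """Turn the raw text into a list of {ts, host, msg} dicts, skipping lines
    that do not match the assumed layout."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        events.append({"ts": datetime.strptime(m["ts"], TS_FMT),
                       "host": m["host"], "msg": m["msg"]})
    return events


def _account_of(event):
    """Extract the user= value from an account-related message."""
    return re.search(r"user=(\S+)", event["msg"]).group(1)


def find_backdoor_then_cleanup(events, window=WINDOW):
    """Return (host, account, cleared_at) for every account creation that
    was followed, on the same host and within `window`, by the audit log
    being cleared. A clear that happened before the creation does not count."""
    findings = []
    creations = [e for e in events if e["msg"].startswith("account created")]
    clears = [e for e in events if e["msg"].startswith("audit log cleared")]
    for c in creations:
        for x in clears:
            gap = x["ts"] - c["ts"]
            if x["host"] == c["host"] and timedelta(0) <= gap <= window:
                findings.append((c["host"], _account_of(c), x["ts"]))
    return findings


def after_hours_account_creations(events, hours=BUSINESS_HOURS):
    """Return the names of accounts created outside the assumed business
    hours; a weaker signal on its own, but cheap to review every morning."""
    start, end = hours
    return [_account_of(e) for e in events
            if e["msg"].startswith("account created")
            and not (start <= e["ts"].hour < end)]


if __name__ == "__main__":
    evts = parse(SAMPLE_LOG)
    for host, account, cleared_at in find_backdoor_then_cleanup(evts):
        print(f"{host}: account {account} created, audit log cleared at {cleared_at}")
    print("after-hours account creations:", after_hours_account_creations(evts))
```

Because the attacker clears the log only at the end, a copy of the events that has already been shipped to a second machine (a log host the attacker does not control) is what makes this check worth anything; run against the local log alone, the "audit log cleared" entry may be the only line that survives.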
Hopefully I have shown you why network security is a concern for everyone in the firm and not just something that the tech guys worry about. While you may say this can’t happen to us, I would say to you that you are wrong and it probably already has or will be in the near future in one form or another. So how do you protect yourself and your firm?
Eric D. McMillen, MCSE, CCA
Boomer Consulting, Inc.
Manhattan, KS 66502
Eric D. McMillen is a Consultant and Technology Director at Boomer Consulting, Inc., an organization devoted to the application of computer technology and management consulting, located in Manhattan, Kansas.
On a technical level, Eric is a Microsoft Certified Systems Engineer (MCSE) and a Citrix Certified Administrator. Eric is also certified as a Systems Administrator by Sequent Computer Systems. He also has over ten years of experience in network and imaging system administration.
He has extensive experience in leadership positions in the training, management and logistics fields. Eric is also essential in the research and development of new applications and systems. He is the key technical contact for all of Boomer Consulting’s clients.
He holds a Bachelor of Arts degree from The University of Kansas in Lawrence, Kansas.