Trusted SF Member
Joined: 26 Jul 2002
Posted: Sat Nov 30, 2002 11:43 pm Post subject: 10 simple ways to stop hackers
10 simple ways to stop hackers
By Candice Neethling
Hackers are always on the prowl for weaknesses in your systems, but there are ways to beef up security so you don’t become the next easy target.
Hackers are finding new systems vulnerabilities and developing new means of attack all the time. What methods do they favour and how secure is your network? This article identifies some common vulnerabilities and offers 10 useful and easy-to-apply tips on how to make your network more secure.
1. Perform discover-and-scan tests
The purpose of these tests is to highlight all entry points from the internet to the internal network. Make sure you know all entry points into your network rather than assume where these points are.
Most large organisations, organisations that have merged or been taken over, and organisations that have in any way gained systems from sources not under their direct control cannot confidently say they are aware of all entry points to their network.
A firewall is merely a door to the network; there may be many holes and entry points that an organisation is unaware of. These supposedly ‘unknown’ points are targets for hackers, as they normally have the weakest security controls in place.
The first step in securing these weak entry points is to identify them. This is not an easy task and requires skilled attack-and-penetration experts to perform the discovery successfully.
2. Perform attack-and-penetration tests
The aim of these tests is to quickly highlight vulnerable points and aspects of the network: ones that are accessible from both an external and internal user’s perspective. By assessing the extent to which you are able to thwart attacks from external sources through the tests, you are able to patch and correct the holes that could allow intruders to hack into your network.
As surveys have consistently shown, hacking is as great a concern from an internal user’s perspective as from an external unknown source. Thus, these penetration tests should be performed from the inside (internal user) as well as from an external (unknown) perspective for the true vulnerabilities to be detected.
3. Launch user-awareness campaigns
Users should be made aware of the pitfalls of security and how to minimise these risks by applying good security practices in day-to-day operations.
Social-engineering tests are an effective means of determining the current levels of user awareness. Such tests are also a good way to highlight to users the potential pitfalls resulting from a lack of awareness and application of security in everyday operations.
User awareness is the element of security that is most often ignored, and it can create the greatest vulnerability. All the security technologies in the world cannot protect against a user giving away company secrets or security information, such as the passwords of critical systems.
4. Configure firewalls appropriately and have them reviewed independently
An incorrectly configured firewall is an open door for any intruder. It is imperative to allow only the traffic that is critical to the business through the firewall. Even ports 443 (SSL) and 80 (http) sometimes present more risk than the business warrants.
An open port is an open door. As a start, close all ports and then open only those that are more critical than the risk they present. Each firewall – and, indeed, each organisation – is different, requiring different firewall rule-set configurations. However, there are general guidelines that can be applied, namely: never open all ports to any source or destination and make sure the stealth rule is in the correct place in the rule set.
A firewall is not merely a router; it has logging and monitoring capabilities that are often more important than the routing functions. Traffic to a valid destination through a valid port is often an attack that can be detected only through analysing the composition and nature of the traffic itself.
By performing penetration tests, organisations are able to determine the vulnerabilities that a certain firewall configuration presents. Also, by performing independent assessments of the rule sets, their vulnerabilities can be determined.
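The two rule-set guidelines above (never open all ports to any source or destination, and put the stealth rule in the right place) are easy to state and easy to get wrong in ordering. The following is an added example, not code from the article or from any firewall vendor: a small first-match rule evaluator in Python with default deny, plus a lint pass that flags the two mistakes. The zone names (`admin-net`, `web-server`, the `firewall` tag for the firewall's own addresses) and the rule names are assumptions made for the example.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

ANY = "any"
FIREWALL = "firewall"      # the firewall's own addresses (assumed tag)
WEB = "web-server"         # a published service behind the firewall (assumed tag)

@dataclass(frozen=True)
class Rule:
    name: str
    src: str               # source zone, or ANY
    dst: str               # destination host/zone, or ANY
    port: Optional[int]    # None matches every port
    action: str            # "allow" or "drop"

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    port: int

def matches(rule: Rule, pkt: Packet) -> bool:
    return (rule.src in (ANY, pkt.src)
            and rule.dst in (ANY, pkt.dst)
            and (rule.port is None or rule.port == pkt.port))

def evaluate(ruleset: List[Rule], pkt: Packet) -> Tuple[str, str]:
    """First matching rule wins; unmatched traffic is dropped (default deny)."""
    for rule in ruleset:
        if matches(rule, pkt):
            return rule.action, rule.name
    return "drop", "implicit-cleanup"

def lint(ruleset: List[Rule]) -> List[str]:
    """Flag the two mistakes the article names: an any/any/all-ports allow, and a
    stealth rule placed after a broad allow that could match the firewall itself."""
    warnings = []
    stealth_idx = None
    first_broad_allow = None
    for i, r in enumerate(ruleset):
        if r.action == "allow" and r.src == ANY and r.dst == ANY and r.port is None:
            warnings.append(f"{r.name}: opens all ports from any source to any destination")
        if r.action == "drop" and r.dst == FIREWALL and r.port is None and stealth_idx is None:
            stealth_idx = i
        if r.action == "allow" and r.dst == ANY and first_broad_allow is None:
            first_broad_allow = i
    if stealth_idx is None:
        warnings.append("no stealth rule: traffic addressed to the firewall itself is not dropped")
    elif first_broad_allow is not None and first_broad_allow < stealth_idx:
        warnings.append(f"stealth rule sits after '{ruleset[first_broad_allow].name}', "
                        "which can match traffic to the firewall")
    return warnings

# Management access from a named admin network is the one thing allowed to reach
# the firewall, and it is placed before the stealth rule on purpose.
GOOD_ORDER = [
    Rule("allow-admin-ssh", "admin-net", FIREWALL, 22, "allow"),
    Rule("stealth", ANY, FIREWALL, None, "drop"),
    Rule("allow-https-to-web", ANY, WEB, 443, "allow"),
]

# Same intent, but 443 is opened to "anywhere" and the stealth rule comes too late,
# so HTTPS aimed at the firewall itself is accepted.
BAD_ORDER = [
    Rule("allow-https-anywhere", ANY, ANY, 443, "allow"),
    Rule("stealth", ANY, FIREWALL, None, "drop"),
]

if __name__ == "__main__":
    probe = Packet("internet", FIREWALL, 443)
    print("good:", evaluate(GOOD_ORDER, probe), lint(GOOD_ORDER))
    print("bad: ", evaluate(BAD_ORDER, probe), lint(BAD_ORDER))
```

The model deliberately has no "allow by default" path: anything that falls off the end of the list is dropped by the implicit cleanup rule, which is the "close all ports first" starting point the article recommends. Real products evaluate rules the same first-match way, which is why the independent review of the rule set should look at order, not just at which ports are open.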
5. Implement strong password policies
Most organisations still make use of usernames and passwords as their primary, if not their only, authentication mechanism. Unfortunately, as surveys and analyses have revealed, passwords are a weak form of authentication. So-called “strong” passwords (not easily guessable) tend to be written down or forgotten, while passwords that can be remembered, and hence not written down, tend to be “weak” (easily guessable). This is the situation most organisations find themselves in.
So what can be done? Two-factor authentication seems to be the solution, where an additional authentication mechanism is used, such as something you physically possess (your ATM card, for example, which requires both the card and the personal identification number for you to be authenticated).
Other two-factor authentication mechanisms include storing biometric details on a smartcard, but two-factor authentication is costly as well as time-consuming to implement. So a temporary measure of strong password policies is important.
These policies should require a balance between strong and easily remembered passwords. Leading practice is to have passwords of seven characters (the most secure length for a Windows NT password, yet still relatively easy to remember).
Also, leading practice indicates that these passwords be changed every 60 days so as to reach a balance between changing passwords too frequently – thereby changing them in a repetitive or predictable manner (for example, by adding a digit to the end of a password) – and having a password remain the same – thereby increasing the chances of it being known to unauthorised persons. The password should also be made up of both alpha and numeric characters to increase the number of possible password combinations.
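The policy in the two paragraphs above has four checkable parts: a minimum length, a mix of letters and digits, a rotation interval, and a ban on the predictable "add a digit to the end" rotation. As an added example (not code from the article), the Python below turns them into a checker that an account-provisioning or password-change script could call. The 7-character and 60-day figures are the article's; the function names and the stem comparison used to detect predictable rotation are this example's own choices.

```python
import re
from datetime import date
from typing import List, Optional

MIN_LENGTH = 7        # the article's recommended length
MAX_AGE_DAYS = 60     # the article's recommended rotation interval

def check_password(candidate: str, previous: Optional[str] = None) -> List[str]:
    """Return the policy violations for a proposed password (empty list = accepted)."""
    problems = []
    if len(candidate) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not re.search(r"[A-Za-z]", candidate):
        problems.append("contains no letters")
    if not re.search(r"[0-9]", candidate):
        problems.append("contains no digits")
    if previous is not None:
        # Predictable rotation: the same word with a trailing digit added or bumped
        # ("winter" -> "winter1" -> "winter2") is exactly what the article warns about.
        new_stem = candidate.rstrip("0123456789")
        old_stem = previous.rstrip("0123456789")
        if new_stem and new_stem.lower() == old_stem.lower():
            problems.append("reuses the previous password with only trailing digits changed")
    return problems

def password_expired(last_changed: date, today: date) -> bool:
    """True once the password is older than the rotation interval."""
    return (today - last_changed).days > MAX_AGE_DAYS

if __name__ == "__main__":
    # Constructed sample values, not real credentials.
    for cand, prev in [("Tr4ction9", None), ("abc12", None),
                       ("password", None), ("Summer2", "Summer1")]:
        print(repr(cand), "->", check_password(cand, prev) or "accepted")
    print("expired:", password_expired(date(2002, 9, 1), date(2002, 11, 30)))
```

To use it, the change-password handler would call `check_password(new, old)` and refuse the change on a non-empty list; a nightly job would call `password_expired` per account to force rotation. The stem comparison is case-insensitive so that `Winter1` followed by `winter2` is also rejected.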
6. Remove all comments in website source code
Comments often contain insight into the design of the application and, hence, its shortcomings, as well as insight into the design of the database, network and systems supporting the application.
Comments in code often contain usernames and sometimes passwords as well. By removing all comments, the thoughts on and details of the code itself are removed and safe from attackers. Even comments in code that are seemingly inaccessible to external users should be removed. There are many exploits and techniques available that enable an attacker to view the source code of nearly all web applications.
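A release step that audits and strips HTML comments is cheap to add. The following is an added example, not code from the article: a Python audit that lists every `<!-- -->` comment with its line number, flags those containing words that tend to signal credentials or design notes, and a stripper that removes them before deployment. The sample page and the keyword list are constructed for the example.

```python
import re
from typing import Dict, List

COMMENT_RE = re.compile(r"<!--(.*?)-->", re.DOTALL)
# Words that often mark a comment worth removing before release (example list).
SENSITIVE_RE = re.compile(
    r"\b(password|passwd|pwd|username|user|todo|fixme|db\w*|server|admin)\b",
    re.IGNORECASE,
)

def find_comments(html: str, filename: str = "<inline>") -> List[Dict]:
    """Return one record per HTML comment: file, line, text and a sensitivity flag."""
    findings = []
    for m in COMMENT_RE.finditer(html):
        line = html.count("\n", 0, m.start()) + 1
        text = " ".join(m.group(1).split())
        findings.append({
            "file": filename,
            "line": line,
            "text": text,
            "sensitive": bool(SENSITIVE_RE.search(text)),
        })
    return findings

def strip_comments(html: str) -> str:
    """Remove every HTML comment; run on the build output, not the source tree."""
    return COMMENT_RE.sub("", html)

# Constructed sample page; the host name and credential are placeholders, not real.
SAMPLE = """<html>
<!-- login form; backend is db01, service account webapp / hunter2 (constructed sample) -->
<body>
<!-- TODO: remove debug parameter before go-live -->
<form action="/login">...</form>
<!-- footer -->
</body></html>"""

if __name__ == "__main__":
    for f in find_comments(SAMPLE, "login.html"):
        flag = "SENSITIVE" if f["sensitive"] else "        "
        print(f"{flag} {f['file']}:{f['line']}: {f['text']}")
    print(strip_comments(SAMPLE))
```

Two caveats for real use: the regex also removes Internet Explorer conditional comments (`<!--[if IE]> ... <![endif]-->`), so a site that still relies on them needs an exception, and it does not see comments inside server-side templates or script blocks that never reach the browser, which the article says should be removed too.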
7. Remove all default, test and example pages
Most default, test and example pages have some vulnerability associated with them. These test and example pages can lead to a complete compromise of the web server and, indeed, the entire network. Common exploits allow an attacker, through the use of test or example pages, to extract the password files in clear text from the server, thereby circumventing all security controls in place.
Other common exploits include buffer overflows, allowing the attacker to issue commands against the server as a privileged user – again, circumventing all security controls in place.
Even if the specific test or example pages have no known vulnerabilities associated with them (which is unlikely), it gives insight into the design of the system and, hence, insight into the vulnerabilities associated with the specific design.
8. Disable all unnecessary services from all devices
The only service that is not vulnerable to exploits is one that is disabled and removed from the system. Some services, however, present greater vulnerabilities and threats than others. The question you need to ask yourself is: “Does the need for this service outweigh the risk and impact of it being exploited?”
By performing a search of readily available online vulnerability databases, such as on www.esecurityonline.com, organisations can determine the number of vulnerabilities certain services present, as well as their effects. This way, you are able to assess whether the services are worth the risks of being exploited.
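Before you can weigh a service against its risk you need an inventory of what is actually listening, compared with what the business has said it needs. As an added example (not code from the article), the Python below parses the kind of listener table that `ss -ltn` prints on Linux and classifies each port as needed, loopback-only, or unneeded and exposed. The listener lines are a constructed sample and the needed-ports list is an assumption for the example.

```python
from typing import Dict, List, Tuple

# Constructed sample in the layout of `ss -ltn` output; not from a real host.
SS_OUTPUT = """State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port
LISTEN  0       128     0.0.0.0:22           0.0.0.0:*
LISTEN  0       128     127.0.0.1:631        0.0.0.0:*
LISTEN  0       511     *:80                 *:*
LISTEN  0       50      0.0.0.0:21           0.0.0.0:*
LISTEN  0       128     [::]:23              [::]:*
"""

# What the business has agreed it needs on this host (assumed for the example).
NEEDED_PORTS: Dict[int, str] = {22: "ssh", 80: "http"}

LOOPBACK = ("127.0.0.1", "[::1]")

def parse_listeners(text: str) -> List[Tuple[str, int]]:
    """Return (local_address, port) for each LISTEN line, skipping the header."""
    listeners = []
    for line in text.splitlines()[1:]:
        parts = line.split()
        if len(parts) < 5 or parts[0] != "LISTEN":
            continue
        addr, port = parts[3].rsplit(":", 1)   # rsplit copes with IPv6 "[::]:23"
        listeners.append((addr, int(port)))
    return listeners

def audit_listeners(listeners: List[Tuple[str, int]],
                    needed: Dict[int, str]) -> List[Tuple[str, int, str]]:
    """Classify each listener: needed, local-only (review), or unneeded-exposed (act)."""
    report = []
    for addr, port in listeners:
        if port in needed:
            status = "needed"
        elif addr in LOOPBACK:
            status = "local-only"
        else:
            status = "unneeded-exposed"
        report.append((addr, port, status))
    return report

def exposed_unneeded(text: str, needed: Dict[int, str]) -> List[int]:
    """Ports reachable from off-host that nobody has justified, sorted for a ticket."""
    return sorted(p for _, p, s in audit_listeners(parse_listeners(text), needed)
                  if s == "unneeded-exposed")

if __name__ == "__main__":
    for addr, port, status in audit_listeners(parse_listeners(SS_OUTPUT), NEEDED_PORTS):
        print(f"{status:17} {addr}:{port}")
    print("disable or firewall:", exposed_unneeded(SS_OUTPUT, NEEDED_PORTS))
```

On a live host the text would come from running `ss -ltn` (or `netstat -ltn` on older systems) rather than the constructed sample; the loopback category is separated out because such services are lower exposure, not zero exposure, and still belong in the review.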
9. Update intrusion detection systems and anti-virus software regularly
Hackers are finding new vulnerabilities and developing exploits, viruses and Trojans daily. To keep up with these hackers, it is imperative that intrusion detection systems and anti-virus software are updated regularly, and preferably on a daily basis. As most analysts are always claiming, “detection systems are only as good as the last update.”
10. Ensure physical access to the organisation and its systems is secure
Why spend a fortune installing a state-of-the-art burglar alarm system if you leave your front door open, or your valuables on the street? By the same token, why spend a fortune on technical security when access to the organisation and its systems is not secured?
First, if physical security in an organisation is lacking, intruders could gain whatever information they were after by simply walking into the office building and taking it. If the objective was to interrupt operations and cause havoc, an intruder could simply switch off the critical servers.
If the aim was to gain access to the systems, the intruder’s task is made extremely easy by having physical access to the systems. Often administrators of critical systems remain “logged in” to systems throughout the day, which allows intruders to gain whatever access they desire.
Whatever the objective of an intruder, his task is made that much easier through lax physical security measures. It is thus important, as with technical security, to test these physical security mechanisms regularly, as the smallest loophole can lead to a full compromise. Often, combining physical-access tests with social-engineering tests reveals the most useful information.
Candice Neethling presents Ernst & Young’s eXtreme Hacking and ‘Train the trainer’ courses.