Information about an organization finds its way to the Internet by various routes. Employees are often easily tricked into providing tidbits of information which, over time, combine into a complete picture of processes, organizational structure, and potential soft spots.
However, there are some things you can do which make it much harder for an attacker, including:
* Make sure your systems don't leak information to the Web, including:
  * Software versions and patch levels
  * Email addresses
  * Names and positions of key personnel
* Ensure proper disposal of printed information
* Provide generic contact information for domain name registration lookups
* Prevent perimeter LAN devices from responding to scanning attempts

Phase 2 – Scanning

Once the attacker has enough information to understand how the business works and what information of value might be available, he or she begins the process of scanning perimeter and internal network devices looking for weaknesses, including:
* Open ports
* Open services
* Vulnerable applications, including operating systems
* Weak protection of data in transit
* Make and model of each piece of LAN equipment

Scans of perimeter and internal devices can often be detected with intrusion detection (IDS) or prevention (IPS) solutions, but not always. Veteran black hats know ways around these controls.
In any case, some steps you can take to thwart scans include:
* Shut down all unneeded ports and services
* Allow critical devices, or devices housing or processing sensitive information, to respond only to approved devices
* Closely manage system design, resisting attempts to allow direct external access to servers except under special circumstances and constrained by end-to-end rules defined in access control lists
* Maintain proper patch levels on endpoint and LAN/WAN systems

Phase 3 – Gaining Access

Gaining access to resources is the whole point of a modern-day attack.
The usual goal is to either extract information of value to the attacker or use the network as a launch site for attacks against other targets. In either situation, the attacker must first gain access. In addition to the defensive steps described above, security managers should make every effort to ensure end-user devices and servers are not easily accessible by unauthenticated users. This includes denying local administrator access to business users and closely monitoring domain and local admin access to servers.

Further, physical security controls should detect attempts at a hands-on attack and delay an intruder long enough to allow effective internal or external human response (i.e., security guards or law enforcement). Finally, encrypt highly sensitive information and protect the keys. Even if network security is weak, scrambling information and denying the attacker access to encryption keys is a good final defense when all other controls fail. But don't rely on encryption alone. There are other risks due to weak security, such as system unavailability or use of your network in the commission of a crime.

Phase 4 – Maintaining Access

Having gained access, an attacker must maintain access long enough to accomplish his or her objectives. Although an attacker reaching this phase has successfully circumvented your security controls, this phase can increase the attacker's vulnerability to detection. In addition to using IDS and IPS devices to detect intrusions, you can also use them to detect extrusions.
A short list of intrusion/extrusion detection methods, described in Chapter 3, Extrusion Detection Illustrated (Extrusion Detection: Security Monitoring for Internal Intrusions, Richard Bejtlich, 2006), includes:
* Detect and filter file transfer content to external sites or internal devices
* Prevent/detect direct session initiation between servers in your data center and networks/systems not under your control
* Look for connections to odd ports or nonstandard protocols
* Detect sessions of unusual duration, frequency, or amount of content
* Detect anomalous network or server behavior, including traffic mix per time interval

Phase 5 – Covering Tracks

After achieving his or her objectives, the attacker typically takes steps to hide the intrusion and possible controls left behind for future visits.
Again, in addition to anti-malware, personal firewalls, and host-based IPS solutions, deny business users local administrator access to desktops. Alert on any unusual activity, meaning any activity not expected based on your knowledge of how the business works. To make this work, the security and network teams must have at least as much knowledge of the network as the attacker has obtained during the attack process.

The final word

This article is not intended to make you an expert in network defense. Instead, it should serve as an introduction to methods employed by black hats when compromising an information resource. Armed with this information, security professionals are better prepared for battle, locating and engaging the enemy wherever or whenever necessary.
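The extrusion detection methods listed under Phase 4 (server-initiated sessions to networks you do not control, odd ports, unusual session duration or volume) applied to a handful of constructed flow records, as an added example that is not from the article or from Bejtlich's book; the address ranges, approved ports and thresholds are assumed policy values:

```python
from ipaddress import ip_address, ip_network

# Assumed address plan and policy thresholds (constructed for this example).
INTERNAL = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]
DATA_CENTER = ip_network("10.10.0.0/16")   # where the servers live
APPROVED_PORTS = {25, 53, 80, 443}         # ports sessions are expected to use
MAX_SESSION_SECONDS = 3600                 # "unusual duration" threshold
MAX_BYTES_OUT = 50 * 1024 * 1024           # "unusual amount of content" threshold

# Constructed flow records: (src_ip, dst_ip, dst_port, duration_s, bytes_out).
SAMPLE_FLOWS = [
    ("192.168.1.50", "203.0.113.7", 443, 12, 4096),               # normal web browsing
    ("10.10.5.20", "198.51.100.9", 6667, 7200, 1024),             # server talking out on an odd port
    ("10.10.5.21", "203.0.113.44", 443, 400, 120 * 1024 * 1024),  # large outbound transfer
    ("192.168.1.51", "10.10.5.20", 8443, 60, 100),                # internal, nonstandard port
]

def is_internal(ip):
    """True when the address belongs to one of our own ranges."""
    return any(ip_address(ip) in net for net in INTERNAL)

def check_flow(src, dst, dport, duration, bytes_out):
    """Return the list of extrusion indicators this single flow matches."""
    findings = []
    if ip_address(src) in DATA_CENTER and not is_internal(dst):
        findings.append("server-initiated session to network not under our control")
    if dport not in APPROVED_PORTS:
        findings.append(f"nonstandard port {dport}")
    if duration > MAX_SESSION_SECONDS:
        findings.append(f"unusual duration ({duration}s)")
    if bytes_out > MAX_BYTES_OUT:
        findings.append(f"unusual outbound volume ({bytes_out} bytes)")
    return findings

def scan_flows(flows):
    """Map 'src->dst:port' to its findings, keeping only flows that raised at least one."""
    alerts = {}
    for src, dst, dport, duration, bytes_out in flows:
        findings = check_flow(src, dst, dport, duration, bytes_out)
        if findings:
            alerts[f"{src}->{dst}:{dport}"] = findings
    return alerts

if __name__ == "__main__":
    for key, findings in scan_flows(SAMPLE_FLOWS).items():
        print(key, "|", "; ".join(findings))
```

In practice the thresholds come from a baseline of what the business normally does, which is exactly the network knowledge the article says the security team must have.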