Horror stories about cracked systems are, unfortunately, becoming commonplace. Nimda and Code Red are only two of the most recent scourges of the Web. In this tip excerpted from InformIT, security expert and author Ed Skoudis tells a dramatic story of an anonymous cracker's assault on a fictional company called Clarice Commerce. Skoudis examines the mistakes that Clarice Commerce makes in defending itself from the cracker and provides some advice to make sure you don't make the same mistakes.
Like many others on the Internet, Clarice Commerce failed to install a patch to repair the buffer overflow vulnerability in its Web server. Many software vendors release security vulnerability fixes on a frequent basis. If these patches are not applied in a timely fashion, an attacker can take over a target system. To defend your own systems, you must have an explicit process for determining when patches are available. Someone on your staff should subscribe to vendor and security mailing lists that distribute such warnings, such as the Bugtraq mailing list. Mistake #2
Clarice Commerce did not configure its systems to minimize security vulnerabilities, allowing the worm to easily take over the machine. Your organization should have detailed security-hardening guidelines, available from some system vendors as well as organizations such as SANS. One important element of hardening critical systems involves inoculating machines against simple buffer overflow attacks by configuring them with nonexecutable stacks. A large majority of buffer overflow attacks simply will not work if the system stack is configured in this way. Keep in mind that nonexecutable stacks can break some programs (so test these fixes before implementing them), and they do not provide a bullet-proof shield against all buffer overflow attacks. Still, preventing the execution of code from the stack will stop a huge number of known and even as-yet-undiscovered vulnerabilities in their tracks. Mistake #3
The Clarice Commerce Web site was allowed to send outgoing e-mail. For most organizations, an Internet-accessible Web server shouldn't be allowed to send e-mail. All outgoing connections from the Web server should be blocked, except responses to Web requests and any other communication with a vital business need, such as database access or management traffic. The firewall and routers protecting a Web server should block all connections other than those explicitly required. Mistake #4
Clarice Commerce had inadequate intrusion-detection capabilities. Many remotely accessible back-door programs use defined patterns for communicating across a network. One popular tool that uses ICMP for communication with a back door is called Loki. Because Loki and many similar tools have defined signatures to their network traffic, an intrusion-detection system analyzing the network traffic can alert a company to the use of these types of attack tools. Such an alert can trigger an investigation so that an organization can minimize damage early in the attack process. Although an intrusion-detection system cannot detect all such anomalous behavior, it can certainly help. Organizations should deploy some form of intrusion-detection capabilities on their sensitive networks, such as their Internet gateways. Mistake #5
Clarice Commerce allowed sensitive data to sit on its Web server machine for a period of time. Internet Web servers are extremely popular targets for computer attackers. Any sensitive data gathered through such a Web server should not be stored locally. If the Web server has a vulnerability, an attacker will be able to steal any information sitting on this machine. Therefore, your Web application should gather the required data from a user and quickly move it to another, more secure machine that does not have a Web server installed on it. The Web application should encrypt the data and send it to a database, transaction, or other application server immediately. Mistake #6
The internal DNS server was not securely configured. DNS servers fill a critically important function: to map domain names such as http://www.claricecommerce.com into IP addresses, among other things. Because they have such critical functions, they must be configured to be extremely secure. You must make sure that your organization carefully hardens all its DNS servers and guards these systems with intrusion-detection system tools. Mistake #7
Clarice Commerce sent sensitive data across its internal network without any encryption. With no cryptographic protection, an attacker or malicious employee on the internal network could intercept any sensitive communication. For critical servers exchanging sensitive information, all data should be encrypted as it moves across the network, even across an internal network. Mistake #8
Clarice Commerce did not have adequate security awareness activities for their employees. Without knowledge about how to handle these situations, the Web administrator did not know how to alert the security organization to mobilize an incident-response team. Further compounding the problem, Clarice Commerce did not have an established computer incident-response team to quickly and professionally handle this problem. Your organization must have clear awareness training for employees, directing them in security issues ranging from selecting strong passwords to reporting security incidents. Also, you should form an incident-response team made up of security, technical operations, legal, human resources, and public relations personnel. This team should agree on incident-response procedures to be utilized if and when an attack occurs. Mistake #9
The hesitation on the part of the Clarice Commerce Web administrator delayed contacting law enforcement. When evidence of a crime is discovered, your incident- response team should consult with legal counsel and contact law enforcement early in the process. Your legal team and law enforcement can provide excellent advice on how to minimize the damage and maximize your ability to achieve justice. Read the complete story of Hannibal the Cracker and Clarice Commerce over on InformIT. Registration is required, but it's free.