The following hacker scenario was created by Eric Cole, author of "Hackers Beware." The solution was written by SearchWebManagement.com user "Lythander," a systems administrator.
HACKER SCENARIO: Company Beta is a large financial institution and has spent a good amount of money on security. Most of their effort, however, has been on protecting their back-end databases that store all of their critical information. They have some servers and workstations that are accessible from the Internet and have minimal protection. Most of these systems are running the default install of the operating system and have not been patched in a while. The company's security staff did not think this was a problem, because even though the systems are potentially exposed, there is nothing of value on them and they are therefore not a high-risk item.
Starting about two weeks ago, they noticed that these systems that were exposed to the Internet were experiencing some problems. One or two would periodically reboot and most of the hard drive space was being used up. The administrators just figured that someone was downloading a large amount of data off of the Internet. It was not until they got a call from law enforcement asking why Company Beta's computers were breaking into other governments' networks that they realized there might be a problem.
1) What are some of the risks of putting systems (with no data) exposed to the Internet?
Systems, even with no data, present a point of presence for the Company. Even if they represent no intellectual property or other data of importance (why are they there anyway, if this is the case?), they can be a liability, both from a legal standpoint and one of reputation. Sounds like a good way to end up in the press as having been "hacked." The machines can be compromised and used to attack other machines, perhaps elsewhere on the Internet, perhaps by exploiting some sort of trust relationship into the Company's intranet. Perhaps they're being used to store illegal "warez" or "tunez," exposing the company to the wrath, err, assistance of the BSA or MPAA/RIAA. No good can come of any of that. Also, the attackers are using the Company's bandwidth, which they are presumably paying for.
2) What things could be done to protect these systems?
These systems should be protected as stringently as any production machine connected to the Internet would be: kept up to date on patches and security updates, with the OSes tightened up to provide maximum security for the service being provided, and placed behind a properly configured firewall and router ACLs limiting access. They should be monitored using host- and network-based IDS. Perhaps they could be placed off the Internet but made accessible via a corporate VPN. It is hard to say exactly; it depends much on the roles these machines are to perform.
3) What should Company Beta do moving forward?
Carefully scrutinize the machines, and probably rebuild them from scratch. Prior to that, perform full forensics (in conjunction with law enforcement) to ascertain the extent of the breach and what may have been launched from this platform.
4) What assumptions did Company Beta make that were incorrect?
The assumption that since no mission-critical data was stored on the machines they served, they posed no threat to their network is quite flawed. They failed to see the need for adequate protection for their entire network, security being a weakest-link sort of issue.
5) What is Company Beta's potential liability?
The Company is potentially liable for a great deal of the damage done because of their neglect of computer security, depending on the targets attacked from their systems, not to mention possible seizure of the systems for forensic analysis and use in evidentiary proceedings. Depending on the use they were put to, the company could become the target of a BSA audit, or of lawsuits from the entertainment industry or other companies attacked from their systems.
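
The network monitoring suggested in answer 2 would have surfaced this scenario well before law enforcement called: hosts that should only answer inbound requests were initiating connections to many outside networks. The sketch below is an added example, not part of the original scenario or solution; the address ranges, the threshold, and the flow-record format (initiator, responder, port) are assumptions, and the sample records are constructed.

```python
import ipaddress
from collections import defaultdict

# Assumed for this example: documentation/private ranges stand in for real ones.
EXPOSED_NET = ipaddress.ip_network("192.0.2.0/28")   # internet-facing hosts
INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")    # company intranet
FANOUT_LIMIT = 3  # distinct outside destinations before a host is flagged

# Constructed sample flow records: initiator, responder, responder port
SAMPLE_FLOWS = """\
203.0.113.50 192.0.2.5 80
192.0.2.5 198.51.100.7 22
192.0.2.5 198.51.100.8 22
192.0.2.5 198.51.100.9 22
192.0.2.5 10.1.2.3 445
192.0.2.6 198.51.100.20 53
10.4.4.4 192.0.2.6 22
"""

def parse_flows(text):
    """Yield (initiator, responder, port) from whitespace-separated records."""
    for line in text.splitlines():
        if line.strip():
            src, dst, port = line.split()
            yield ipaddress.ip_address(src), ipaddress.ip_address(dst), int(port)

def review_exposed_hosts(text):
    """Return {host: [reasons]} for exposed hosts that initiate suspicious traffic."""
    external = defaultdict(set)  # host -> outside destinations it contacted
    inward = defaultdict(set)    # host -> intranet (address, port) it contacted
    for src, dst, port in parse_flows(text):
        if src not in EXPOSED_NET:
            continue  # connections *to* the exposed hosts are their normal role
        if dst in INTERNAL_NET:
            inward[str(src)].add((str(dst), port))
        elif dst not in EXPOSED_NET:
            external[str(src)].add(str(dst))
    findings = {}
    for host in sorted(set(external) | set(inward)):
        reasons = []
        if len(external[host]) >= FANOUT_LIMIT:
            reasons.append("outbound-fanout")   # possible attacks on third parties
        if inward[host]:
            reasons.append("reaches-intranet")  # possible abuse of a trust relationship
        if reasons:
            findings[host] = reasons
    return findings

if __name__ == "__main__":
    print(review_exposed_hosts(SAMPLE_FLOWS))
```
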