Taking Advantage of System Vulnerabilities

The following are current examples of how corporate, banking, home and other I/T systems can become compromised.  The five basic ways that an Internet attacker can gain control over your system(s) include:

  1. External Internet hacker accessing your internal systems
  2. Internal workstation (employees) visiting an infected external web site
  3. Email (and email attachments) sent to your employees
  4. Hijacking external Internet infrastructure components
  5. Social engineering methods

In addition to the above, there are many other methods that either internal employees or external hackers can use to compromise workstations and servers. 

1. External Hackers Accessing Your Systems

Figure 1 depicts a simplified diagram of an internal network with a web/email server, a workstation, and a firewall providing Internet access.  Rules programmed into the firewall allow Internet users to access the internal web and email server, as well as allowing internal workstation access to Internet sites.

The firewall inspects each data packet as it arrives from the Internet.  If the packet is addressed to TCP port 80 (web traffic) or TCP port 25 (email traffic), the firewall forwards it to the server without inspecting the content or information contained within the packet.  All other traffic (anything not destined for port 80 or 25) is simply dropped by the firewall.  Regardless of whether the server is running Microsoft's IIS or Apache web software, incorrect web software settings and software bugs can allow an Internet user (or hacker) to execute other programs on the server or to access data considered confidential.  Likewise, many email servers are not properly configured, allowing unscrupulous individuals to relay pornographic and other unsolicited mail messages through the server (an "open relay").  The relayed email messages oftentimes appear as though they originated from your server.

Two web server vulnerability examples include Microsoft IIS and Apache.  (Note: these two popular web servers have had 30+ such vulnerabilities.  Others will be discovered in the future.)

The corrective actions include applying the vendor's hot fixes and service packs, and ensuring all software configuration parameters have been properly set for your business environment.  In addition, the server's security settings (permissions, auditing, and logging) need to be set to reasonable values.  The vendor's default installation values for security are inadequate and are oftentimes disabled entirely.

2. Internal Workstation Accessing Infected Web Sites

Figure 2 depicts the same simplified diagram, except that here an internal workstation is accessing an Internet web server.  If that web server is already infected with any number of trojans or worms, the trojan or worm can be transferred to the internal workstation without the knowledge of the workstation user.  This was the case with the popular CodeRed and Nimda worms that were prevalent in 2002.  In more recent cases, hackers have found ways to deliver trojans and worms to firewall-protected workstations by taking advantage of software inadequacies (bugs) within Microsoft's operating systems while the workstation user is simply using a web browser to innocently visit an interesting web site.

As the sophistication of unscrupulous hackers increases, so does the sophistication of the methods used to gain access.  A recent approach encourages an innocent user to visit a certain web site and listen to free music.  Rather than providing the music, the hacker's site takes advantage of a software bug within Windows Media Player and transfers a trojan to the user's workstation without their knowledge.  The trojan includes a call-home function that allows the hacker to access the infected workstation at any time, day or night.

Once an internal workstation has been compromised, the hacker can then access all other internal workstations and servers (from the compromised workstation) using the same authority the workstation's normal user has been given.

Two such examples (of many) include a software bug in Microsoft's Internet Explorer and one in Microsoft Windows Media Player.

The corrective actions include applying the vendor's hot fixes and service packs on a regular basis, and ensuring all software configuration parameters (including Internet Explorer) have been properly set for your environment.  In addition, current anti-virus software is considered a must; all unused services must be disabled (many are enabled by default during operating system installation); and security settings (authority and auditing) must be reviewed to ensure employees only have the permissions necessary to perform their responsibilities.

3. Email Sent to Your Employees

Many email-based mechanisms exist that allow Internet hackers to gain access to confidential data. Figure 3 depicts the flow of an email message arriving from the Internet, passed by the firewall to an internal email server, and finally downloaded and read by an internal workstation user. An email-based compromise can be initiated via:

  • Guessing a valid email address (UserID) and sending a test message to the server. If the message is accepted, the UserID is valid and the hacker need only guess the user's password. (Likewise, rejected email messages provide additional technical information that can be used to further the hacker's access attempts.)
  • Sending certain email-system commands within an email message may cause the server to return additional technical information that can then be used to advance the compromise. (Both the email server and workstation can be compromised.)
  • Sending worms, trojans, and scripts via email attachments has been a popular compromise mechanism for several years.
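Detection logic for the address-guessing and command-probing patterns listed above, and for the mail relaying described in section 1, as an added example that is not from the original article or from Network Partners.  The log line format, the sample lines, the local domain list and the thresholds are all constructed for illustration; a real mail server writes a different format and the parser would need adjusting.  The sample also assumes every logged connection is an unauthenticated inbound one, so an accepted recipient outside the local domains means the server relayed for a stranger.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not from any real mail server): one line per SMTP
# command with timestamp, source IP, command, recipient and SMTP result code.
SAMPLE_LOG = """\
2023-05-01T10:00:01 src=203.0.113.7 cmd=RCPT to=<alice@example.com> result=250
2023-05-01T10:00:02 src=203.0.113.7 cmd=RCPT to=<bob@example.com> result=550
2023-05-01T10:00:03 src=203.0.113.7 cmd=RCPT to=<carol@example.com> result=550
2023-05-01T10:00:04 src=203.0.113.7 cmd=RCPT to=<dave@example.com> result=550
2023-05-01T10:00:05 src=203.0.113.7 cmd=VRFY to=<erin@example.com> result=252
2023-05-01T10:00:06 src=203.0.113.7 cmd=RCPT to=<frank@example.com> result=550
2023-05-01T10:00:07 src=203.0.113.7 cmd=RCPT to=<grace@example.com> result=550
2023-05-01T10:05:00 src=198.51.100.9 cmd=RCPT to=<sales@example.com> result=250
2023-05-01T10:05:01 src=198.51.100.9 cmd=RCPT to=<typo@example.com> result=550
2023-05-01T10:06:00 src=192.0.2.44 cmd=RCPT to=<victim1@other-domain.test> result=250
2023-05-01T10:06:01 src=192.0.2.44 cmd=RCPT to=<victim2@another.test> result=250
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) cmd=(?P<cmd>\w+) "
    r"to=<(?P<rcpt>[^>]*)> result=(?P<code>\d{3})$"
)

# Constructed: domains this server accepts mail for; anything else is relaying.
LOCAL_DOMAINS = {"example.com"}


def parse_log(text):
    """Parse the constructed log format into a list of event dicts."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # ignore malformed lines instead of aborting the whole run
        d = m.groupdict()
        events.append({
            "ts": datetime.fromisoformat(d["ts"]),
            "src": d["src"],
            "cmd": d["cmd"],
            "rcpt": d["rcpt"],
            "code": int(d["code"]),
        })
    return events


def find_enumeration(events, window=timedelta(minutes=5), threshold=4,
                     probe_cmds=("VRFY", "EXPN")):
    """Flag sources that rack up `threshold` rejected recipients inside a sliding
    window (address guessing) or that issue VRFY/EXPN probes (the "email-system
    commands" that make a server disclose whether an address exists).
    Returns {source_ip: {"rejected_in_window": n, "probe_commands": n}}."""
    by_src = defaultdict(list)
    for e in events:
        by_src[e["src"]].append(e)
    hits = {}
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["ts"])
        probes = sum(1 for e in evs if e["cmd"] in probe_cmds)
        rejected = [e for e in evs if e["cmd"] == "RCPT" and 500 <= e["code"] < 600]
        best, start = 0, 0
        for end in range(len(rejected)):
            # advance the window start until it spans at most `window`
            while rejected[end]["ts"] - rejected[start]["ts"] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold or probes > 0:
            hits[src] = {"rejected_in_window": best, "probe_commands": probes}
    return hits


def find_relay_attempts(events, local_domains=LOCAL_DOMAINS):
    """Return {source_ip: [recipients]} where the server accepted (250) a recipient
    in a domain it is not responsible for, i.e. it acted as an open relay."""
    relayed = defaultdict(list)
    for e in events:
        if e["cmd"] != "RCPT" or e["code"] != 250:
            continue
        domain = e["rcpt"].rpartition("@")[2].lower()
        if domain and domain not in local_domains:
            relayed[e["src"]].append(e["rcpt"])
    return dict(relayed)


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("enumeration:", find_enumeration(evs))
    print("relaying:", find_relay_attempts(evs))
```

Run against the constructed sample, the first source is flagged for five rejected recipients in a few seconds plus a VRFY probe, the second (one typo) is not, and the third shows the server relaying to two foreign domains.  The window and threshold are tuning knobs; a legitimate mailing list can produce a burst of rejections after a customer cleanup, so review hits before blocking a source.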

The corrective actions include applying the vendor's hot fixes and service packs on a regular basis, and ensuring all software configuration parameters (including Internet Explorer and Outlook) have been properly set for your environment.  In addition, current anti-virus software is considered a must, and security settings (authority and auditing) must be reviewed to ensure employees only have the permissions necessary to execute their responsibilities.

4. Hijacking Internet Infrastructure Components

Many different mechanisms currently exist that can be used to compromise the security of Internet-based systems.  One such mechanism is depicted in Figure 4, where a hacker simply visits the target web site and recreates the image of that web site on his Fake Server.  Copying the web site image is as simple as executing the Save As function from within Internet Explorer, or using any number of free software packages commonly available on the Internet.  Once the copy is on the Fake Server, the hacker poisons selected Domain Name System (DNS) servers so that customers accessing the www.his-target.com site are redirected to the Fake Server instead of the intended actual server.  The hacker simply modifies the web source code on his Fake Server to store the UserID and Password/PIN entered by an unsuspecting customer.

At some later time, the hacker visits the actual company's web site and uses the real UserID and Password/PIN previously captured to execute fraudulent transactions.  These might include the creation of new vendors, payments issued to the new vendor, and many other activities that appear as though they were originated by your customer.

The corrective actions required to secure against each such mechanism vary depending upon the specific service and site construction.  Monitoring selected external Internet components (such as the DNS answers given for your site and the content served under your name) is required to detect such hacking attempts.
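One form the monitoring just mentioned can take, as an added example that is not from the original article or from Network Partners: compare the addresses that several resolvers return for your site against a recorded baseline, and compare a hash of the served page against the hash of the page you actually published.  The hostname is the one from the article's scenario; the baseline addresses, the resolver names, the sample answers and the page bodies are all constructed for illustration.  Querying specific public resolvers rather than the system resolver needs a DNS library (dnspython, for instance) and is left as the `answers_by_resolver` input here.

```python
import hashlib
import socket
from collections import namedtuple

Baseline = namedtuple("Baseline", "hostname expected_ips content_sha256")

# Constructed baseline: the addresses your site is really served from and a
# hash of the page you published.  Re-record both whenever you deploy a change.
BASELINE = Baseline(
    hostname="www.his-target.com",               # hostname from the article's scenario
    expected_ips={"192.0.2.10", "192.0.2.11"},   # constructed documentation addresses
    content_sha256=hashlib.sha256(b"<html>login form v7</html>").hexdigest(),
)


def resolve_with_system(hostname):
    """Live lookup through the host's configured resolver (network call; not
    exercised by the offline checks below).  Returns a set of IPv4 strings."""
    try:
        return set(socket.gethostbyname_ex(hostname)[2])
    except socket.gaierror:
        return set()


def check_dns(baseline, answers_by_resolver):
    """answers_by_resolver maps a resolver name to the set of addresses it
    returned.  Any resolver that answers with an address outside the baseline,
    or with nothing at all, is reported: that is what a poisoned cache looks
    like from the outside."""
    findings = []
    for resolver, ips in answers_by_resolver.items():
        unexpected = ips - baseline.expected_ips
        if unexpected or not ips:
            findings.append({
                "resolver": resolver,
                "answered": sorted(ips),
                "unexpected": sorted(unexpected),
            })
    return findings


def check_content(baseline, body):
    """True when the fetched page body hashes to the published baseline."""
    return hashlib.sha256(body).hexdigest() == baseline.content_sha256


def run_checks(baseline, answers_by_resolver, body):
    """Combine both checks into one monitoring verdict."""
    dns_findings = check_dns(baseline, answers_by_resolver)
    content_ok = check_content(baseline, body)
    return {
        "dns_findings": dns_findings,
        "content_matches": content_ok,
        "alert": bool(dns_findings) or not content_ok,
    }


if __name__ == "__main__":
    # Constructed answers: two resolvers agree with the baseline, one does not.
    sample_answers = {
        "corp-resolver": {"192.0.2.10"},
        "isp-resolver-a": {"192.0.2.11"},
        "isp-resolver-b": {"198.51.100.200"},
    }
    print(run_checks(BASELINE, sample_answers, b"<html>login form v7</html>"))
```

A site behind a content delivery network legitimately answers with many addresses, so the baseline set must list all of them or the check will alert on every rotation; likewise the content hash must be refreshed on every deployment, or a legitimate update will page you.  Both false-alarm sources are cheap compared with a customer's credentials being captured by a copy of your login page.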

5. Social Engineering Methods

Social engineering mechanisms include calling an employee, convincing the employee that you are an employee of the company (a Help Desk or I/T employee), and asking the employee for his/her UserID and Password in order to resolve a technical problem.  Other mechanisms include:

  • Checking the employee's desk for sticky notes containing UserIDs and Passwords.
  • Dumpster diving (looking for sticky notes and other documents placed in the garbage).
  • Sending an email to an employee suggesting you are an employee of Microsoft and having the user access a particular web site to obtain a critical software fix.  (The web site could be the fake server noted in Figure 4, above, that automatically installs a worm or trojan.)
  • Sending an email to an employee that appears authentic, suggesting that selected files on the employee's workstation have been compromised and asking the reader to delete key system files.  The message generally suggests the reader email the same message to other employees, friends and neighbors.

To summarize, the deployment of a firewall for all Internet-connected systems is important, but a firewall should be considered only one step of many required to protect internal systems.  Other steps include the use of current anti-virus software on both workstations and servers, application of vendor-recommended hot fixes and service packs, disabling unneeded system services, configuring the required system services with parameters appropriate for how the services are being used, and implementation of system security settings that can provide awareness (and alerts) of system compromise attempts.
Copyright 1993-2023 Network Partners, Inc. All rights reserved