Network Attacks: A Serious Problem


Every device that connects to the Internet is subject to security threats. The risk of network and host attacks not only affects businesses that sell goods via the Internet but also any computer that connects to the Internet at any time. Internet-connected hosts can be attacked from many different sources and in many different ways. A host can be infected with worms and viruses through e-mail, web pages, or almost any network service.

The impact on computers that have been attacked can be as benign as a pop-up message that does no harm to as harmful as the removal of critical files causing computers to crash, consequently destroying critical data. The attack that most people fear the most is the theft of confidential data.

CAUTION

Don't be fooled into thinking that because you have a personal firewall and antivirus software that you are protected from attacks. Antivirus software can stop only known attacks, and personal firewalls generally limit traffic but stop few attacks. Personal firewalls need to let valid traffic into a host, and hackers generally attack a network or a device using the valid traffic passed by firewalls. Chapter 2, "Principles of Network Defense," covers this issue in greater detail.


The average user often overlooks the fact that not only PCs are subject to attacks. The network devices that support the network connectivity of PCs, such as routers, switches, and firewalls, can also be attacked and used for malicious activity that can compromise the network.

Rising Security Incidents

One thing that is clear is that security incidents are on the rise and that the trend is concerning. Several of the worms that have hit the Internet since 2001 have affected in excess of one million computers. In several cases, such as the Slammer attack in January 2003 and the Blaster attack in August 2003, disruptions included services such as airline reservation systems going down and the interruption of bank machine operation.

Accurately measuring the problem of computer and network exploits is not an easy task. Most security professionals today refer to data from an organization called the Computer Emergency Response Team (CERT), run by the U.S. government, and the CERT/Coordination Center (CERT/CC), run out of the Carnegie Mellon Software Engineering Institute. Another good source for attack trends and statistics is the attack survey published jointly each year by the FBI and the Computer Security Institute (CSI) (the latter of which holds conferences attended by business owners, engineers, and administrators to help them understand Internet security risks). In addition, nongovernmental (and sometimes nonprofit) organizations such as the SysAdmin, Audit, Network, Security (SANS) Institute track computer security incidents and publish "vendor-impartial" best practices for dealing with network and host security issues.

NOTE

You can find more information about the CERT organizations at http://www.cert.org. The CSI website at http://www.gocsi.com prominently features a link to the results of the most recent Computer Crime and Security Survey.


This book uses the statistics collected by CERT/CC. According to its data, computer-related incidents have almost doubled year over year since 1998. Table 1-1 lists the number of security incidents reported to CERT/CC for the past four years. The figure for 2003 covers only the first four months of the year, so you can expect it to have roughly doubled by the end of the year.

Table 1-1. CERT/CC Security Incidents

Year    Incidents
1998        3734
1999        9859
2000      21,756
2001      52,658
2002      82,094
2003     137,529


When looking at the data in Table 1-1, you also need to consider that many companies don't report incidents because they are afraid of the intangible costs they might incur if the market finds out they have been compromised. With this in mind, the numbers might be, and probably are, much higher than reported.

According to the CERT/CC, because attack tools are now so widespread, it has changed its reporting metrics and no longer publishes the number of incidents reported. However, the number of incidents is still rising and shows no sign of abating, which underscores the basic message: security incidents are a concern that must be addressed.

Hacking Tools

The number of security incidents is high for many reasons. Probably the two most common reasons are as follows:

  • The ease of obtaining attack tools

  • The simplicity of using those tools

A search on Google using the search criteria "hacker tool download" nets a result of 26,000 websites. If you take out the quotes and use the words separately (hacker, tool, download), the result is more than 800,000 sites. Not to be all doom and gloom: The actual number of hacker download sites is probably fewer than the 26,000 reported in the first Google query, because many of the sites refer to a download site more than once. However, the fact is that there are many, many sites and many, many tools available to anyone who wants to search and download.

NOTE

The number of Google hits actually increases on a weekly basis. Before this chapter was completed, the number of hits using the separated words increased to more than 826,000.


Many hacker tools have the lethal combination of being sophisticated and easy to use. Many of these tools enable a hacker to gain administrative or root access to your systems. After hackers have gained root access, they have a remote shell from their computer to yours, the equivalent of your DOS prompt or UNIX shell, which enables them to perform a wide range of malicious activities, including the following:

  • Reading your e-mail.

  • Sending e-mail from your account.

  • Copying files to the hacker's own machine.

  • Creating usernames and passwords.

  • Deleting key files.

  • Scanning keyboards to steal passwords.

  • Sniffing the network to steal other passwords or sensitive data.

  • Accessing customer or engineering databases.

  • Using any application stored on the machine.

  • Stealing credit card numbers or web password information.

  • Accessing personal files, such as address books or password lists.

  • Planting programs that will crash your computer.

  • Installing software that will allow other hackers full access to your system.

  • Crippling your network by using all of your available network bandwidth.

  • Accessing other computer or network devices.

  • Launching an attack from your computer.

  • With tools such as BO2K, when used as a malicious tool, an attacker can even randomly eject your CD-ROM drive; so, don't set a full cup of coffee in front of your CD-ROM if you don't have security deployed in your network.

The preceding list is just a small sample of damage that can be done with these tools. The limit is really the imagination of the hacker. After hackers have privileged access to your system, no limit applies to what they can do except what you have imposed by the security that you have deployed.

Not all tools used for attacks are designed to gain privileged access and cause damage to a computer. Some tools focus more on specific malicious activity such as sniffing data on your network and stealing usernames and passwords. These more-focused tools even create a helpful, easy-to-read formatted report for the attacker, showing the site name along with the stolen username and password. Note that the authors of these tools did not intend for them to be attack tools used by hackers. The intent was to provide proof-of-concept tools to show that certain vulnerabilities existed and to encourage vendors to fix vulnerabilities. Even with this in mind, remember that these tools can be used for malicious purposes.

CAUTION

The sniffing tools previously mentioned also work on encrypted Secure Sockets Layer (SSL) and Secure Shell (SSH) connections. Common users often think of SSL and SSH as secure methods of protecting logon credentials, but that is not the case against sophisticated, easy-to-obtain, easy-to-use tools such as ettercap or dsniff. Although threats clearly exist, don't panic. As indicated in Appendix A, "Deploying Effective Security Management," you can mitigate these types of attacks by deploying the Layer 2 best practices outlined on the Cisco SAFE web page at http://www.cisco.com/go/safe. For more information on how dsniff and ettercap work, refer to their respective web pages at http://www.monkey.org/~dugsong/dsniff/ and http://ettercap.sourceforge.net/.


Many of the tools hackers use in attack kits were originally designed to help security administrators track vulnerabilities in their systems and are freely available on the Internet. An example of one such tool is Nessus, which enables you to scan a network, find all of the devices on the network, and then generate an informative and easy-to-read report that provides the following information:

  • The IP addresses of all devices

  • The operating systems of each device

  • The version of the operating system

  • The applications that have network ports open

  • The version of those applications

  • A full list of vulnerabilities present in each device

If you want to see a description of Nessus to get an understanding of these types of tools, take a look at the http://www.nessus.org web page.

The ease of use, availability, and sophistication of the tools add up to fun for hackers and a challenge for businesses.



Securing Your Business with Cisco ASA and PIX Firewalls
ISBN: 1587052148
Year: 2006
Pages: 120
Authors: Greg Abelar