A wise and prudent course of action is to become familiar with the people who pose a threat to you and your business and not underestimate them. Those who are responsible for network attacks are known by several different names. The most common are hackers, crackers, phreaks, or attackers. This book uses the terms hacker and attacker interchangeably. Attackers are those who attempt to run software with malicious intent on or against a network device that doesn't belong to them. The sophistication of attackers ranges from elite programmers to people who download and run well-documented scripts. Script downloaders are often referred to as script kiddies. Don't make the mistake of thinking that a script kiddie, who is not as experienced or knowledgeable as an elite hacker, can't break into your system. Scripted tools on the Internet are advanced and can break into almost any system with the same ease as an elite hacker. The predominant notion is that most security attacks are carried out by script kiddies. Never underestimate attackers. Most of them are highly intelligent people and know their way around a computer or a network as well as or better than many network or computer professionals. Attackers can be creative in the ways they choose to compromise computers. For this reason, you should strongly consider using the previously mentioned layered security architecture (defense in depth) to counter their exploit attempts. The good news is that most attackers look to exploit networks that are marginally secured. If you implement defense in depth and subvert initial attacks, most hackers who are randomly looking for networks to attack will give up and start looking for the next victim. Although firewall deployment is the main focus of this book, you also learn how to deploy defense in depth all the way to your hosts and servers, providing a solid security platform that will deter or stop attackers.
Motivation for Attacks

Some people might be surprised that hackers aren't all evil and don't attack sites just to cause harm. Many attackers believe that because of their efforts to subvert security, they are making the industry stronger; after all, they reason, vendors are forced to provide more sophisticated and effective security. Many times, an attacker targets operating system vendors, application vendors, or network equipment makers so that they will clean up their security flaws, resulting in tighter security for everyone. Of course, many attackers exploit systems for fun, fame, bragging rights, profit, revenge, or just to be destructive. Whatever the motive of the attacker, the approach to defending a network is the same: build layers of defense to ensure that if an attacker gets past the first layer, the next layer catches the attack. Chapter 2 covers this network defense strategy in detail.

Anatomy of a Computer Attack

To know what security is required to stop an attack, you must understand how hackers launch an attack. This understanding also helps you to recognize whether networks or hosts within your network have come under attack. The first thing to know is that there are three "basic" types of attacks, as follows:
Any attack against a network host or server comprises five basic parts, as illustrated in Figure 1-1.

Figure 1-1. Worm/Virus Attack Model

The list that follows provides detailed information about the five different stages of the worm/virus/directed attack model illustrated in Figure 1-1. This is a general list. All attacks fall within this attack paradigm. For example, an e-mail virus might or might not do a probe, but its insertion point is still in the penetrate or persistence phase:
This attack model was used in the first network attack (the Morris worm, 1988) and is still used today. This model is a classic worm attack. E-mail viruses and directed attacks use basically the same methods, except that the probe phase isn't generally necessary before a virus attack. For more in-depth information on host mitigation, see Chapter 10, "Deploying Host Intrusion Prevention."

Choosing Victims

In many cases, except for revenge or fame, hackers randomly choose their victims, looking for easily exploitable systems. If they find a network that is easy to get into, they take advantage of that and start trying to exploit that network. If hackers try to penetrate a system and can't get the basic information, in many cases they give up after a few tries. However, don't count on this to protect your network. It is important to put pervasive end-to-end security in place to defend against an attack in case hackers don't give up and do find a vulnerability. Hackers run network vulnerability scans for days on end using many different IP addresses. When the software reports a vulnerability that they can exploit, their target is identified. The scripted scanning software provides them the following information:
The bottom line is that any company that is connected to the Internet can be a victim of a random hacker attack.
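The probe phase described above (scans spread over days and across many source addresses) defeats per-minute rate thresholds, so a defender has to correlate firewall deny events over a long window per target host. The following is an added example, not code from this book; the log format, the 7-day window and the port/source thresholds are assumptions, and the log lines are constructed.

```python
# Added example (not from the book): flag slow, distributed probing of a host by
# correlating firewall DENY events over a multi-day window rather than per minute.
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample firewall log lines: "<ISO time> DENY <src_ip> -> <dst_ip>:<dst_port>"
SAMPLE_LOG = """\
2024-03-01T02:10:00 DENY 203.0.113.5 -> 192.0.2.10:21
2024-03-01T14:42:11 DENY 198.51.100.77 -> 192.0.2.10:22
2024-03-02T03:05:41 DENY 203.0.113.9 -> 192.0.2.10:23
2024-03-02T19:30:00 DENY 198.51.100.3 -> 192.0.2.10:25
2024-03-03T06:12:09 DENY 203.0.113.5 -> 192.0.2.10:80
2024-03-03T22:55:30 DENY 198.51.100.77 -> 192.0.2.10:443
2024-03-04T01:00:00 DENY 203.0.113.44 -> 192.0.2.10:1433
2024-03-04T08:20:17 DENY 198.51.100.120 -> 192.0.2.10:3389
2024-03-02T11:11:11 DENY 198.51.100.3 -> 192.0.2.20:443
"""

def parse_line(line):
    """Return (timestamp, src, dst, dport) for one DENY record."""
    ts, _action, src, _arrow, target = line.split()
    dst, port = target.rsplit(":", 1)
    return datetime.fromisoformat(ts), src, dst, int(port)

def detect_slow_probes(log_text, window=timedelta(days=7), min_ports=6, min_sources=2):
    """Per destination host, count distinct probed ports and distinct probing
    sources inside a sliding time window of length `window`.
    Returns {dst: (distinct_ports, distinct_sources)} for hosts whose window
    reaches both thresholds (assumed thresholds, tune to your environment)."""
    by_dst = defaultdict(list)
    for line in log_text.strip().splitlines():
        ts, src, dst, dport = parse_line(line)
        by_dst[dst].append((ts, src, dport))
    flagged = {}
    for dst, events in by_dst.items():
        events.sort()                      # oldest first
        start = 0
        for end in range(len(events)):
            # advance the window start until it spans at most `window`
            while events[end][0] - events[start][0] > window:
                start += 1
            in_win = events[start:end + 1]
            ports = {p for _, _, p in in_win}
            sources = {s for _, s, _ in in_win}
            if len(ports) >= min_ports and len(sources) >= min_sources:
                flagged[dst] = (len(ports), len(sources))
    return flagged

if __name__ == "__main__":
    print(detect_slow_probes(SAMPLE_LOG))   # {'192.0.2.10': (8, 6)}
```

In the sample, 192.0.2.10 is flagged because eight distinct ports were touched from six source addresses within the week, while the lone deny against 192.0.2.20 is ignored; a per-source, per-minute threshold would never have fired on any of these events.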