DAWN - the Internet Edition

Science.com

March 26, 2005

Sniffing out secrets

By Nizar Diamond Ali

In the recent past, a great deal has been said and written about across-the-border Distributed Denial of Service (DDoS) attacks targeting Pakistani networks. In fact, studies in developed countries, such as the United States, list information security as one of the biggest threats to national security.

For this purpose, Sci-tech World undertook a short study to determine the vulnerability of local networks, in particular Internet Service Providers (ISPs). Faiz Ahmed Shuja, serving as a security analyst at a local ISP and the chairman of Pak Con, a cyber security convention, then analysed the research with Ayaz Uqaili, a graduate of the Asian Institute of Technology, Thailand.



Resources
“The situation is much better as compared to the last two to three years and it’s getting better day-by-day. But still there is a lack of information security awareness,” is Faiz’s optimistic reply about the effective use of the right kind of people to secure networks. One has to wonder what effect this inadequacy will have on Pakistani networks.

To this end, he adds: “I still see network administrators compromising network security for the sake of ease and usability. They fail to understand the consequences of such an activity until hackers attack. Administrators really need to understand and prioritize security measures.” Clearly, training network administrators in security is the need of the hour. They will do a better job provided they coordinate with specialists, who will guide them on security specifics. “Generally, network administrators focus on running the network rather than securing it. This is why it is always better to have a security expert.”

Ayaz, however, feels differently: “Most of the time, the network administrators have enough surface knowledge to make the boss happy. We lack real administrators.” What do they do if a catastrophic situation arises? “Ninety-nine per cent of all measures taken are reactive, using whatever is available or known. At best, they can call for help. Another popular way out is to just shut down everything and redo it. Here, administrators do not bother with forensic analysis and methodological data collection to investigate the catastrophe.”

Understanding needs
So then, what could be the cause of this casual approach? It seems as if organizations have not acknowledged the importance of this issue. They must first understand the security needs of the organization, its customers and all stakeholders.

Policies must be formulated in such a manner so that all activities can be monitored on a regular basis for purposes of assessment. Is this being done? Ayaz does not seem to think so. “Of about 100 administrators only 20 are probably aware of this and 5 could be taking measures to avoid things.”

That is too little for us to feel secure. One does not have to look too far for proof. How many companies require employees to have length-specific passwords, with a security policy in place and a domain controller? How many monitor PC activities, restrict installations, periodically check the network and all PCs for viruses and worms, create backups and simulate attacks? “Administrators are aware of security concerns but are unable to manage it properly. Information security is a continuous process rather than a one-time thing,” says Faiz. “Organizations do take the necessary security measures while setting up their network but don’t administer them regularly.”

Working towards specifics
It seems like all talk, doesn’t it? It probably is. One can only tell talk from action when concrete steps are taken. Some of these steps would include following the basics, which provide the first line of defense against outside attacks.

These include shunning defaults (default database passwords, etc.), patching up systems against known hacks by installing security updates, installing physical and logical firewalls, basic filtering and analysis techniques, keeping audit trails, setting thresholds and flagging alerts when benchmarks are crossed and looking into new vulnerabilities, popularly known as Zero Days.

How keen have our administrators been in this area? “This has been missing in most organizations,” is Faiz’s honest response. “The basics you just pointed out are part of security processes and need to be managed regularly. I believe this is the area where organizations are ignorant and need to start planning for.”

Ayaz feels that “a few basic things are followed…and that is probably because of some experienced who left behind some good practices, rather than their personal efforts.”

Determined hackers
The study that was referred to at the beginning of this article shows that vital network information can be sniffed out, using the right tools and techniques by just about anyone. This includes IP ranges, server host names, running services, reverse DNS interrogation, open ports, database machines, router’s info, use of SNMP strings for scanning, etc.

When asked if network administrators are aware of the amount of information that can be gleaned about their networks, Ayaz points out that “yes, I do believe they know but not to the extent that is possible. Only about 10 per cent are probably fully aware of all possibilities available to a non-professional, and about 2 per cent regularly check for such activities.”

Faiz believes that although network administrators know about the phenomenon, they rarely put this knowledge to use. “Administrators should always provide necessary information. The important thing is that such information should not compromise the network.” He further says that “follow the rule of blocking everything first and then specifically allowing access to required information. Do not rely on default installations - they are mostly hackable. Always modify default settings, harden the operating system, stop unnecessary services and patch up services visible on the internet. Remember to always misguide automation and change banners.”
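As an added illustration of the “block everything first, then specifically allow” rule, combined with the earlier point about keeping audit trails and flagging alerts when a threshold is crossed, the following Python (written for this page, not code from the article or its interviewees) applies a default-deny allowlist to a constructed connection log and raises an alert when one source accumulates too many denied attempts within a time window. The allowed ports, the addresses and the log format are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Default-deny policy: only these (dst_port, proto) pairs are allowed; all else is dropped.
ALLOWED = {(80, "tcp"), (443, "tcp"), (53, "udp")}

# Constructed sample audit trail: "<ISO time> <src_ip> <dst_port>/<proto>"
SAMPLE_LOG = """\
2005-03-26T10:00:01 203.0.113.7 80/tcp
2005-03-26T10:00:02 203.0.113.7 443/tcp
2005-03-26T10:00:05 198.51.100.9 21/tcp
2005-03-26T10:00:06 198.51.100.9 22/tcp
2005-03-26T10:00:07 198.51.100.9 23/tcp
2005-03-26T10:00:08 198.51.100.9 161/udp
2005-03-26T10:00:09 198.51.100.9 3306/tcp
2005-03-26T10:05:00 203.0.113.7 161/udp
"""

def parse_line(line):
    ts, src, service = line.split()
    port, proto = service.split("/")
    return datetime.fromisoformat(ts), src, int(port), proto

def is_allowed(port, proto):
    # Block everything first, then permit only the explicitly listed services.
    return (port, proto) in ALLOWED

def audit(log_text, threshold=5, window=timedelta(minutes=1)):
    """Apply the policy to every line and flag sources whose denied
    attempts inside a sliding window reach the threshold (the benchmark)."""
    decisions, alerts = [], []
    denied_times = defaultdict(list)
    for line in log_text.splitlines():
        ts, src, port, proto = parse_line(line)
        ok = is_allowed(port, proto)
        decisions.append((src, port, proto, ok))
        if ok:
            continue
        # Drop denials that fell out of the window before comparing to the benchmark.
        recent = [t for t in denied_times[src] if ts - t <= window] + [ts]
        denied_times[src] = recent
        if len(recent) >= threshold and src not in alerts:
            alerts.append(src)
    return decisions, alerts

if __name__ == "__main__":
    for src, port, proto, ok in audit(SAMPLE_LOG)[0]:
        print("ALLOW" if ok else "DENY ", src, f"{port}/{proto}")
    print("alerts:", audit(SAMPLE_LOG)[1])
```

In the sample, the second source touches five unlisted services within a minute and is flagged, while a single denied probe from the first source stays below the benchmark.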

Extent of damage
Both security experts feel that a lot needs to be done when it comes to damage assessment. According to Ayaz, it’s “sheer agony,” among many other things. “You won’t find proper risk-analysis documents in any organization, so there is no point in assessing the damage. You see, this happens repeatedly because we do not have a proper, incident-response system in Pakistan that collects and documents all such incidents, in order to prevent their reoccurrence.” However, Ayaz says that FIA’s website is a good effort in this regard.

Having spent time with various ISPs here and corresponded frequently with foreign security experts, Faiz discloses that in spite of improved management, our networks remain under constant threat from the big, bad playground that is the internet. “Well, there have been statistics that Pakistani networks are regularly targeted by different attackers and cause damage to them. So, if the system is insecure, it won’t take much time for an attacker to compromise it. Currently, the state of Pakistani networks is much better as compared to before, but still, regular system compromises continue unabated.”

One must understand that maintaining network security is an ongoing process which needs commitment, comprehension and following established policies and practices, instead of giving in to one’s instinct to overcome security breaches.

Worms like “Yaha” have attacked Pakistani sites, because DoS attacks were not properly initiated. It is imperative to develop sound network security practices so that networks can withstand and counter any challenge posed by external or internal threats.

“I always recommend taking a look at the bigger picture,” says Faiz, on a parting note. “Protections need to be layered - a principle called defense in depth. Also, it is important to have proper information security policies in place, to make sure that security procedures are followed regularly.”

The writer is a software analyst based in Karachi



© DAWN Group of Newspapers, 2005