Hacking A Profession
Small and medium-sized IT businesses, from ISPs and call-centres to software and consultancy firms, routinely deal with sensitive data. Keeping this information private and out of reach of competitors or disgruntled employees is extremely important in today's high-tech environment, where the proliferation of new technologies and devices is unprecedented.
This presents a constant threat from the popular hacker community. Hacking is no longer a hobby; it is a profession that is no longer looked down upon or scorned. The notion 'to hack is to be bad' has been discarded and replaced with a classification into white-hat and black-hat hackers, who hack with good and bad intentions respectively.
I will very briefly go through the steps that typical hackers take, and how to counter them. It is only when we know how something works that we can take preventive and mitigating measures against it. In fact, this has been the idea behind some very successful books on the topic, for example, the Hacking Exposed series.
Hackers begin by selecting a target, which can be either random or specifically chosen. The next step is called 'footprinting'. Here, hackers try to glean as much public information about the target as possible. Using a variety of freely available network scanning tools, an attacker can compile a comprehensive data set about the target's network, including the domain names in use, their associated IP addresses and DNS data. Search engines and newspaper archives are used to find phone numbers, locations and e-mail addresses, since these may lead to the discovery of further related networks, such as linked sister concerns. A utility called traceroute is also used to discover the network topology and the access control devices in place.
The next step, scanning and enumeration, combines the footprinting information with the results of scanning tools, which provide data about live machines, their operating systems, and the names and versions of the applications running on them. Attackers can make use of free tools such as Nmap and Netcat, using a combination of TCP and UDP scan options. NetBIOS information, network file shares and even machines listening for dial-in connections can be detected with such tools.
Tools such as Ping and automated network discovery utilities can be very useful to an attacker if the target's system administrators have not configured their systems to reject such traffic. The best countermeasure against scanning and enumeration is to disable services that are not in use (RPC, for instance, is notorious for exploits) and to block suspicious UDP traffic.
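The following Python is an added illustration of that countermeasure, not code from the original article: it audits a host's listening sockets against a list of the services the host is meant to run, which is how an administrator finds the stray RPC or file-sharing listener before a scanner does. The `ss -tulpn` style output and the allowlist are constructed for the example, and the `exposed` flag marks listeners bound to something other than loopback.

```python
"""Audit a host's listening sockets against the services it is meant to run.

Added example for this article, not code from it. The `ss -tulpn` style
output and the allowlist below are constructed for illustration.
"""
import re

# Constructed sample in the layout of `ss -tulpn` (not captured from a real host).
SAMPLE_SS_OUTPUT = """\
Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
udp   UNCONN 0      0      0.0.0.0:111        0.0.0.0:*         users:(("rpcbind",pid=612,fd=5))
udp   UNCONN 0      0      127.0.0.1:323      0.0.0.0:*         users:(("chronyd",pid=701,fd=6))
tcp   LISTEN 0      128    0.0.0.0:22         0.0.0.0:*         users:(("sshd",pid=845,fd=3))
tcp   LISTEN 0      128    0.0.0.0:111        0.0.0.0:*         users:(("rpcbind",pid=612,fd=4))
tcp   LISTEN 0      511    0.0.0.0:80         0.0.0.0:*         users:(("nginx",pid=910,fd=6))
tcp   LISTEN 0      50     0.0.0.0:445        0.0.0.0:*         users:(("smbd",pid=1021,fd=34))
"""

# Assumed policy for this host: (protocol, port) -> process expected to own it.
ALLOWLIST = {
    ("tcp", 22): "sshd",
    ("tcp", 80): "nginx",
    ("udp", 323): "chronyd",
}

LOOPBACK = {"127.0.0.1", "[::1]", "::1"}

# One socket line: protocol, state, queues, local addr:port, peer, owning process.
LINE_RE = re.compile(
    r'^(?P<proto>tcp|udp)\s+\S+\s+\d+\s+\d+\s+'
    r'(?P<addr>\S+):(?P<port>\d+)\s+\S+\s+'
    r'users:\(\("(?P<proc>[^"]+)"'
)


def parse_ss(output):
    """Turn ss output into a list of {proto, addr, port, proc} records."""
    sockets = []
    for line in output.splitlines():
        m = LINE_RE.match(line)
        if m:  # the header and any unparseable lines are skipped
            sockets.append({
                "proto": m["proto"],
                "addr": m["addr"],
                "port": int(m["port"]),
                "proc": m["proc"],
            })
    return sockets


def find_unexpected(sockets, allowlist):
    """Return sockets not covered by the allowlist, or owned by a different
    process than expected. 'exposed' marks bindings on a non-loopback address."""
    findings = []
    for s in sockets:
        expected = allowlist.get((s["proto"], s["port"]))
        if expected == s["proc"]:
            continue
        if expected is None:
            reason = "not in allowlist"
        else:
            reason = f"expected {expected}, found {s['proc']}"
        findings.append({**s, "reason": reason, "exposed": s["addr"] not in LOOPBACK})
    return findings


if __name__ == "__main__":
    for f in find_unexpected(parse_ss(SAMPLE_SS_OUTPUT), ALLOWLIST):
        flag = "EXPOSED" if f["exposed"] else "local"
        print(f"{f['proto']}/{f['port']:<5} {f['proc']:<10} {flag:<8} {f['reason']}")
```

On the sample, both rpcbind listeners and the SMB listener are reported as exposed and not in the allowlist; a process owning an allowlisted port under a different name is reported separately, since that is what a backdoor squatting on a familiar port looks like.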
Using the exploitable services and vulnerabilities harvested in the previous step, the attacker breaks in and may access or delete information, install backdoors or rootkits (which replace legitimate system calls with the attacker's own versions to avoid detection), and remove system logs to cover their tracks. This can also involve adding new users to the system and escalating the privileges of some junior users for easy access later.
To counter this, it is imperative that no confidential information is stored in plain text, even behind a supposedly secure system, since attackers often search for plain-text authentication details in batch files and automation scripts.
It is often said, and rightly so, that the weakest link in information security is people. Social engineering is an ever-present threat that has proved time and again to be extremely dangerous. Its techniques range from the time-tested trick of phoning as the network administrator to ask for a password, to more innovative ones such as leaving a batch of USB disks loaded with malicious programs around a company, so that its own employees inadvertently install backdoors on their systems. Against this, only proper training and policy measures can error-proof the system to the maximum extent.
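The check below is added here as an illustration and is not from the original article. It is the kind of scan a defender runs over a scripts directory before an attacker does: it flags passwords assigned in plain text, glued to a `mysql -p` switch, or passed inline to `net use`, while ignoring values that merely reference an environment variable. The file contents and the detection rules are constructed for the example and are heuristics, not an exhaustive detector.

```python
"""Find credentials stored in plain text inside batch files and scripts.

Added example for this article, not code from it. The file contents are
constructed samples, and the patterns are heuristics covering a few common
shapes of embedded credentials, not an exhaustive detector.
"""
import re

# Constructed sample scripts (file name -> contents); not from any real system.
SAMPLE_FILES = {
    # Windows batch file mapping a share with the service account's password inline
    "backup.bat": (
        "net use Z: \\\\fileserver\\backup /user:CORP\\backupsvc Summer2009!\r\n"
        "xcopy C:\\data Z:\\ /E\r\n"
    ),
    # Shell script with a hard-coded variable and a password glued to mysql's -p
    "sync.sh": (
        "#!/bin/sh\n"
        'export DB_PASSWORD="s3cret"\n'
        "mysqldump -u root -ps3cret app > dump.sql\n"
    ),
    # The safe pattern: the credential is read from the environment at run time
    "deploy.py": (
        "import os\n"
        "# Credential comes from the environment, not from the file\n"
        'connect(user="deploy", password=os.environ["DEPLOY_PASSWORD"])\n'
    ),
}

RULES = [
    # keyword = value or keyword: value, quoted or bare (shell, .bat, .py, .ini)
    ("credential assignment", re.compile(
        r'(?i)(?:pass(?:word|wd)?|pwd|secret|token|api_?key)\s*[:=]\s*["\']?(?P<value>[^\s"\']+)')),
    # MySQL-style password glued to the -p switch (-pSECRET); a bare "-p " is not matched
    ("mysql -p switch", re.compile(r'(?<!\S)-p(?P<value>\S+)')),
    # Windows "net use ... /user:DOMAIN\name password"
    ("net use password", re.compile(r'(?i)/user:\S+\s+(?P<value>\S+)')),
]

# A value that is a variable or environment lookup rather than a literal secret
REFERENCE_RE = re.compile(r'^(?:\$|%|os\.environ|getenv|\w+\()')


def scan_text(name, text):
    """Return (file, line_no, rule, value) for each literal credential found."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for rule, pattern in RULES:
            for m in pattern.finditer(line):
                value = m["value"]
                if REFERENCE_RE.match(value):
                    continue  # refers to a variable; nothing secret is in the file
                findings.append((name, line_no, rule, value))
    return findings


def scan_files(files):
    """Scan a mapping of file name -> contents and collect all findings."""
    findings = []
    for name, text in files.items():
        findings.extend(scan_text(name, text))
    return findings


if __name__ == "__main__":
    for name, line_no, rule, value in scan_files(SAMPLE_FILES):
        print(f"{name}:{line_no}: {rule}: {value}")
```

On the samples, `backup.bat` and both offending lines of `sync.sh` are reported, while `deploy.py`, which reads the credential from the environment, is not. Any hit is a reason to move the credential out of the file, not to prune the rule.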
How to Fight Back?
There are a number of ways to counter the ever-emerging threats from the wild. Conventional wisdom calls for patching the system, that is, updating all user and server applications; hardening the operating systems by enabling the recommended security settings; following industry-standard best practices such as firewalls and anti-virus; and scouting the vendor or vulnerability disclosure sites for regular security updates.
The next common task is to change the exploitable default settings, including all common username and password combinations, and the administrative settings that give away the identity of systems and network devices.
Going a step further, there are proactive measures as well, such as actively obscuring banner information in an attempt to misguide attackers, or monitoring through an IDS (Intrusion Detection System) with well-defined parameters tuned to emerging threats rather than relying on the defaults.
For all these measures to be effective, there must be policies and procedures in place along with a review and oversight mechanism.
Here, it is worth mentioning that data leaks do take place in small and medium-sized organisations but are often not reported. This happens primarily because security implementation is misinterpreted as a restrictive measure, although it is basically about knowing who should have what level of access and rights, without necessarily barring people from using the internet or LAN sharing. This is why it is important to have either a dedicated or a shared resource in an organisation who, as part of their job description, takes responsibility for managing enterprise security.
However, such management alone is not enough, as some of the most spectacular attacks occur due to insider involvement or some silly mistake. For instance, connecting a company laptop insecurely during a demo at a prospective client's site or at an exhibition can be catastrophic, no matter how secure the company network is.
Therefore, it must be kept in mind that security can never be implemented through an ad-hoc, product-installation type of approach. Rather, it requires the formation of a security culture and constant awareness.