Recent statistics from the CERT Coordination Center (CERT/CC), the central reporting center for Internet security issues maintained by Carnegie Mellon University, indicate an increasing threat to corporate network security. The number of computer vulnerability reports more than doubled (from 1,090 to 2,437) from the year 2000 to 2001. And in the first two quarters of 2002, more than 2,100 new vulnerabilities were reported.
Hackers not only have more vulnerabilities to exploit, they have also developed advanced tools to probe networks for weaknesses (e.g., Security Administrator’s Tool for Analyzing Networks [SATAN] and Security Administrator’s Integrated Network Tool [SAINT], originally developed to help enterprises discover and close network vulnerabilities). They've also created more elusive infection techniques, such as viruses and Trojans attached to e-mail messages, instant messages, and graphic files that can initially escape detection.
But even more disturbing is the fact that many companies develop response plans only after they've been attacked. There are numerous ways a hacker could attack your network, so your company should take action before an attack occurs. In the event your company has been attacked, however, there are also steps your IT department should follow to gather information and close the breach.
Be prepared and aware
To protect your company's network, your IT department should establish an attack response plan. A good first step is to conduct a complete inventory of all systems. Collect serial numbers and pertinent data on all networking hardware and computer hardware (e.g., servers, Web servers, and desktop computers) and compile information about operating systems and application software.
The inventory needs to be fairly extensive and specific—down to the level of operating system and software package versions in place. This level of thoroughness is required because many hacker attacks are aimed at exploiting a specific version of an application or OS. For instance, a known security hole in an earlier version of an OS is likely to have been plugged by the vendor in later releases. If your office runs a mix of the newer and older OS versions and hasn't plugged the hole in the older versions, the systems would be vulnerable, so you should apply a patch to correct the hole.
Read up on new security threats
Your IT department's staff should frequently search sources of information about newly discovered vulnerabilities so that they can keep abreast of such weaknesses and correct them before they can be exploited. One place to get information about new security vulnerabilities is the CERT/CC site. A quick look provides information about recently identified threats. You can also search through an extensive archive of identified vulnerabilities.
Another excellent source of information is the Common Vulnerabilities and Exposures (CVE) system maintained by Mitre Corporation. It offers a list of standardized names for vulnerabilities and information security exposures. On its site, Mitre cites the list as a sort of dictionary that helps tech professionals understand vulnerabilities and enables data sharing about threats contained in different databases. The CVE list can be downloaded and used as an internal vulnerability reference in the event an attack occurs. CIOs should also check out the National Institute of Standards and Technology’s (NIST) ICAT Metabase, which also provides helpful information about vulnerabilities.
Tools to alert you about potential weaknesses
There are also several technologies that can be integrated as security measures. One such tool is a notification system that can automatically prompt net admins when a relevant internal threat is discovered. For instance, Purdue’s Center for Education and Research in Information Assurance and Security (CERIAS) offers a tool called Cassandra that lets admins create a list of hosts and applications on a network and then notifies them via e-mail when a vulnerability for any of the systems is discovered. Cassandra uses NIST’s ICAT Metabase as the source for identified vulnerabilities.
Commercial products are available that notify subscribers of threats, such as SecurityFocus’s DeepSight Alert Services. Subscribers specify the systems and applications their companies use, and whenever a vulnerability or threat affecting those systems is identified, the service sends out an alert.
When your security has been breached
Many of the sources I discussed also provide excellent resources on what to do when your network has been hacked. For example, the CERT/CC site provides information on survivability during an attack and recovery from attacks.
If your network has been attacked, follow these steps to gather data about the attack and close the gap:
- Examine log files of main computer systems and firewalls. Check for unusual entries or attempts to access the systems by unauthorized users.
- If the attack was due to the exploitation of an identified security hole in a system or application, get the patch and install it. Then, check all systems files to see if any have been tampered with or corrupted.
- If an attacker used a worm or other intrusive program, check antivirus and security vendor sites for a program to detect and remove the malicious code.
- Once you've closed the exploited hole or removed the malicious code, restore any damaged files that you have identified. You can usually find out which files to look for on sites that identify vulnerabilities.