Network Breaches: Inevitable But Manageable

Last winter's Internet attack against Windows NT servers at government and university sites was one of the more widespread assaults on Windows NT-based Web servers. As more Windows NT- based systems are employed in mission-critical or high-profile environments such as major Web sites, there is a need to plan and prepare for inevitable security breaches.

The SANS Institute (Bethesda, Md.) recently issued guidelines on handling network security issues, based on a consensus of 54 leading network security professionals. The key message: Be prepared, and stay cool. "The bottom line is that organizations have to cut a hole in their systems so that their computers can be accessed over the Internet," says Allen Paller, director of research, SANS Institute. "Once you cut a hole, it's highly likely you're going to have security incidents. If you have a plan for dealing with them, you can minimize the damage."

Two principal attacks that are made on Windows NT systems are Server Message Block (SMB) and denial-of-service attacks, Paller says. SMB attacks are insidious because they occur below the application layer in systems, Paller notes. Last winter's attack on Windows NT servers was a denial-of-service attack, he points out. In such an attack, the hacker "makes your system unreliable until people stop using you," he says. They may feed "certain characters to your box, until it stops working." Another tactic is to bring a machine to its knees with a flood of e-mail acknowledgments (sometimes referred to as mail spamming and mail bombing), accomplished through domain spoofing, he states.

Password hacking attacks are the most troublesome for Windows NT systems, Paller relates. "It's approximately 100,000 times easier to break a password on a Windows NT machine than it is a Unix system," he points out. "If hackers can get their hands on a password file, they can crack [the passwords], and come in and take control of the machine," he says.

If a company is prepared for network security problems with proper technology and procedures, then an actual incident won't be as disruptive to company operations, Paller says. "There are specific solutions to problems, such as firewalls, log analysis systems and network burglar alarms. If you put those in place, you'll do fine. You don't have to live scared all the time."

It's impossible and unrealistic to try to stop or prevent hacker attacks, Paller continues. "You're not going to stop the system administrator from screwing something up," he says. "You're not going to stop a contractor -- whom you've given brute access to your system and now hasn't got paid in 3 weeks -- from holding you hostage. You need a plan to deal with those kinds of incidents." Some of the basic steps recommended by the Institute include the following responses to specific types of attacks.

-- Malicious code attacks (viruses, Trojan horses, worms and scripts): Have virus-checkers in place. Monitor for abnormal outgoing traffic. Install software locally, from tested configurations.

-- Probes and network mapping (failed unauthorized access attempts, followed by attempts to map your network): Assess any damage. Examine logs carefully.

-- Denial of service (for example, altering network functionality through e-mail floods): Employ backup facilities for core services. The SANS report also recommends that managers maintain high-capacity disk drives to facilitate emergency backups.

-- Unauthorized access (improperly logging into a user's account, planting an unauthorized "sniffer" program to capture packets): Examine firewall or filtering router protections. If possible, do not allow people to run "r-utilities," the X Window System or NetBIOS/IP. Isolate DNS servers and mail relay systems from other services. Regularly examine access services.
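Two of the steps above, "examine logs carefully" after probes and network mapping, and keeping r-utilities, the X Window System and NetBIOS/IP off the network, can be turned into a small log check. The script below is an added example and is not part of the SANS guidelines or the article; the log format (`<time> <login|connect> src= dst= dport= result=`), the sample lines, the detection thresholds and the port-to-service table (standard ports for rexec/rlogin/rsh, X11 and NetBIOS) are all assumptions chosen for the illustration.

```python
"""Flag log sources that fail logins and then map ports, or that reach
services the guidance says should not be exposed (added example)."""
import re
from collections import defaultdict

# Standard ports for the services the guidance says not to allow (assumed).
RESTRICTED_PORTS = {
    512: "rexec", 513: "rlogin", 514: "rsh",      # r-utilities
    6000: "X11",                                   # X Window System
    137: "netbios-ns", 138: "netbios-dgm", 139: "netbios-ssn",  # NetBIOS/IP
}

# Constructed sample log in a hypothetical format; not real traffic.
SAMPLE_LOG = """\
12:00:01 login src=10.0.0.5 dst=10.0.0.1 dport=23 result=fail
12:00:04 login src=10.0.0.5 dst=10.0.0.1 dport=23 result=fail
12:00:07 login src=10.0.0.5 dst=10.0.0.1 dport=23 result=fail
12:01:10 connect src=10.0.0.5 dst=10.0.0.1 dport=21 result=ok
12:01:11 connect src=10.0.0.5 dst=10.0.0.1 dport=22 result=ok
12:01:12 connect src=10.0.0.5 dst=10.0.0.1 dport=25 result=ok
12:01:13 connect src=10.0.0.5 dst=10.0.0.1 dport=80 result=ok
12:01:14 connect src=10.0.0.5 dst=10.0.0.1 dport=139 result=ok
12:05:00 login src=192.168.1.20 dst=10.0.0.1 dport=23 result=ok
12:05:30 connect src=192.168.1.20 dst=10.0.0.1 dport=80 result=ok
12:09:00 connect src=172.16.0.9 dst=10.0.0.1 dport=513 result=ok
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<kind>login|connect) src=(?P<src>\S+) dst=(?P<dst>\S+) "
    r"dport=(?P<port>\d+) result=(?P<result>ok|fail)$"
)


def parse(lines):
    """Yield one dict per well-formed line; silently skip anything else."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            event = m.groupdict()
            event["port"] = int(event["port"])
            yield event


def analyze(lines, fail_threshold=3, map_threshold=5):
    """Return {source_ip: [finding, ...]} for sources worth a closer look.

    'probe-then-map'    : >= fail_threshold failed logins AND connections
                          to >= map_threshold distinct ports (the pattern
                          the guidance describes).
    'failed-access'     : failed logins only.
    'restricted-service': any connection to an r-utility, X11 or NetBIOS port.
    """
    failed_logins = defaultdict(int)
    ports_touched = defaultdict(set)
    restricted_hit = defaultdict(set)

    for e in parse(lines):
        src = e["src"]
        if e["kind"] == "login" and e["result"] == "fail":
            failed_logins[src] += 1
        elif e["kind"] == "connect":
            ports_touched[src].add(e["port"])
            if e["port"] in RESTRICTED_PORTS:
                restricted_hit[src].add(RESTRICTED_PORTS[e["port"]])

    findings = {}
    for src in sorted(set(failed_logins) | set(ports_touched)):
        notes = []
        many_fails = failed_logins[src] >= fail_threshold
        if many_fails and len(ports_touched[src]) >= map_threshold:
            notes.append("probe-then-map")
        elif many_fails:
            notes.append("failed-access")
        if restricted_hit[src]:
            notes.append("restricted-service:" + ",".join(sorted(restricted_hit[src])))
        if notes:
            findings[src] = notes
    return findings


if __name__ == "__main__":
    for src, notes in analyze(SAMPLE_LOG.splitlines()).items():
        print(f"{src}: {'; '.join(notes)}")
```

Running it on the constructed log reports 10.0.0.5 as a probe followed by mapping that also touched NetBIOS, and 172.16.0.9 only for reaching rlogin; the host that logged in successfully and fetched a web page is not reported. The thresholds are deliberately parameters: on a real network they should be tuned against normal failed-login and connection rates before the output is trusted.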

In a related study, IDC (Framingham, Mass.) surveyed 750 companies and found growing acceptance of key security technologies and methods available to IS managers, including single sign-on measures, firewalls, anti-virus tools, user authentication, encryption and routine auditing. The study found that the use of these security technologies and methods is on the rise, with usage expected to increase by up to 50 percent over the next year.

Anti-virus tools are the most prevalent security technology, with about 70 percent of the corporations surveyed using them. Paller of SANS believes that the proliferation and availability of anti-virus tools has reduced this type of threat to the network. "If you talk to 100 security people, you won't hear them worrying about monitoring viruses," he says.

User authentication via smart cards, tokens, biometrics and related software technology is the least used of the six technologies noted in the IDC study, with only 6 percent of companies using it. However, this technology is strong in the financial services, telecommunications and transportation sectors.

Network security measures among smaller companies lag in the IDC survey. For instance, anti-virus protection is being used or being implemented at only one-third of the small companies surveyed. Awareness of security issues is strong, however. "We anticipate a dramatic increase in the adoption of anti-virus tools during the next 12 to 18 months such that a complete penetration will occur in use of this essential line of protection across companies of all sizes," says Carey Azzara, program manager with IDC.