Quarterly Journal on Management
From the publishers of THE HINDU BUSINESS LINE

Vol. 2 :: Iss. 3 :: February 1999


The broken window

Accessibility leads to a major problem -- security.

S. Suresh

Organisations have come to rely heavily on Information Technology, running business-critical applications that integrate different business processes and geographically dispersed locations in ever faster business cycles. Buzzwords like ERP, data mining and e-commerce are changing the way business is conducted. Information boundaries, once static and clearly defined, are becoming blurred. The internet provides interesting new ways to market products, and is redefining the rules of business in the process.

By their very nature, the internet, the World Wide Web and the TCP/IP protocol suite were designed to encourage universal communication and information sharing between and within organisations. It is this very strength that poses the danger. Security is of utmost concern because confidential information is the key to the success of a business. Imagine thousands of lines of a software company's source code being stolen by hackers, critical engineering drawings copied, or confidential e-mails and financial data read by outsiders. That would mean losing the competitive edge: doom.

It is easy to close your eyes and say that hacking is not common in India, since internet business applications have not yet taken off thanks to unreliable communication infrastructure. But internal threats can never be ignored. Many organisations adopt ad hoc measures only after internal hacking has taken place. An Ernst and Young survey of 4322 IT professionals around the world indicates a sharp rise in the percentage of internal attacks, from 12 per cent in 1996-97 to 43 per cent in 1997-98.

The traditional security measures were access control (a well-defined set of users who may use an application) and authentication (verifying that a user really is who he claims to be). Once a user is validated, communication between the client and the application server is transparent; in some cases the traffic between them is encrypted, that is, scrambled so that it cannot be read in transit. These measures deliver specific solutions to specific network security problems and remain necessary for reducing risk.

Transactional security relies on identification, authentication and encryption, while enterprise security employs firewalls and security auditing. But enterprise networks are exposed to additional risks: improperly configured firewalls, default accounts left enabled, and vulnerable versions of network services. These 'open doors' could be shut if companies knew where they were. An intruder, however, may discover one of them before you do. The traditional safeguards were adequate until recently, but on their own they are no longer sufficient.

A firewall does not address compromise from inside the network. Approximately 60 per cent of all network security breaches originate within the corporation, that is, from someone who is already past the firewall. A dial-up modem installed by the company, or by an engineer for remote access, is another easy way around a firewall.

Yet another issue is the misconfigured firewall. Is the firewall doing its job and keeping intruders out? Firewalls are highly susceptible to human error. In a dynamically changing environment, system managers routinely reconfigure firewalls without regard to the security implications. The access control lists on a firewall can be numerous and confusing. You must verify that the firewall has been set up correctly and that it is performing as intended.

When an organisation puts up a Website, be it on the internet, an intranet or an extranet, users inside and outside the network need access to the applications behind it. Typically a firewall is installed to define what traffic may flow into and out of the network. The rapid adoption of IP as the protocol for application communication has added a new dimension to security. An IP address, written as four dotted decimal numbers, identifies the network and the host (the target computer system); TCP, layered above IP, provides connection-oriented service to applications. Each application protocol listens on a well-known TCP port: telnet on 23, FTP on 21, HTTP on 80. Modern firewalls can filter traffic both at the packet level (by address and port) and at the application level (by inspecting the protocol itself).

A TCP port number is a 16-bit field, which gives 2^16, i.e. 65,536 possible ports (numbered 0 to 65,535) for applications to use. Only a small fraction of these are assigned to well-known services; the rest can be used by anything, including backdoor programs. A firewall that merely blocks the handful of ports the administrator knows about, and lets everything else through, leaves tens of thousands of unregulated ports open, and it is through these that hackers reach internal systems. The sound policy is the opposite one: deny everything by default and permit only the specific services the organisation intends to expose. Even then, a firewall is like the tough outer shell of an egg. Once the shell is broken, the entire internal network is exposed.
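The difference between the two firewall policies just described is easiest to see on concrete packets. The following is an added example written for this edit, not code from the article or from any firewall product: a small first-match packet filter in Python with two constructed rule sets, a "deny list" that blocks a few known ports and allows the rest, and a "default deny" that permits only a published web and mail server. The addresses, hosts and rules are assumptions made up for the illustration. The packet to TCP port 12345 stands in for a backdoor such as NetBus, discussed later in the article.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Tuple

PORT_MAX = 65535  # a TCP/UDP port is a 16-bit number: 0 to 65535


@dataclass(frozen=True)
class Packet:
    proto: str   # "tcp" or "udp"
    src: str     # source IPv4 address
    dst: str     # destination IPv4 address
    dport: int   # destination port

    def __post_init__(self):
        if not 0 <= self.dport <= PORT_MAX:
            raise ValueError(f"port {self.dport} is outside 0-{PORT_MAX}")


@dataclass(frozen=True)
class Rule:
    action: str                              # "allow" or "deny"
    proto: str = "any"                       # "tcp", "udp" or "any"
    src: str = "0.0.0.0/0"                   # source network (CIDR); default matches all
    dst: str = "0.0.0.0/0"                   # destination network (CIDR)
    ports: Tuple[int, int] = (0, PORT_MAX)   # inclusive destination-port range

    def matches(self, p: Packet) -> bool:
        return (
            self.proto in ("any", p.proto)
            and ipaddress.ip_address(p.src) in ipaddress.ip_network(self.src)
            and ipaddress.ip_address(p.dst) in ipaddress.ip_network(self.dst)
            and self.ports[0] <= p.dport <= self.ports[1]
        )


def evaluate(rules: List[Rule], default: str, p: Packet) -> str:
    """First-match packet filter: the first rule matching the packet decides;
    if no rule matches, the policy's default action applies."""
    for rule in rules:
        if rule.matches(p):
            return rule.action
    return default


# Constructed addresses for the illustration (assumptions): an internal 10/8
# network with a published web server and mail server.
INTERNAL = "10.0.0.0/8"
WEB_SERVER = "10.0.0.80/32"
MAIL_SERVER = "10.0.0.25/32"

# Policy A ("deny list"): block the few services the administrator has heard
# of, and let everything else through.
DENY_LIST = [
    Rule("deny", "tcp", ports=(23, 23)),      # telnet
    Rule("deny", "tcp", ports=(135, 139)),    # NetBIOS
    Rule("deny", "tcp", ports=(512, 514)),    # rexec/rlogin/rsh
]

# Policy B ("default deny"): permit only what the organisation deliberately
# exposes; everything not listed is dropped.
DEFAULT_DENY = [
    Rule("allow", "tcp", dst=WEB_SERVER, ports=(80, 80)),   # HTTP to the web server
    Rule("allow", "tcp", dst=MAIL_SERVER, ports=(25, 25)),  # SMTP to the mail server
    Rule("allow", src=INTERNAL),                            # internal hosts may connect out
]


def compare(p: Packet) -> Tuple[str, str]:
    """Decision under each policy, for side-by-side comparison."""
    return evaluate(DENY_LIST, "allow", p), evaluate(DEFAULT_DENY, "deny", p)


if __name__ == "__main__":
    outsider = "203.0.113.7"
    for pkt in (
        Packet("tcp", outsider, "10.0.0.80", 80),      # legitimate web request
        Packet("tcp", outsider, "10.0.0.80", 139),     # NetBIOS probe
        Packet("tcp", outsider, "10.0.0.80", 12345),   # backdoor listener (NetBus default)
        Packet("tcp", outsider, "10.0.0.5", 143),      # IMAP on an internal host
    ):
        a, b = compare(pkt)
        print(f"{pkt.proto}/{pkt.dport:<5} deny-list={a:<5} default-deny={b}")
```

The deny list passes the connections to 12345 and 143 because nobody wrote a rule for them; the default-deny policy drops them because nobody wrote a rule permitting them. The second mistake is visible (a user complains), the first is not.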

The internet is a great medium for a plethora of information, both constructive and destructive. Ready-made hacking tools are posted on the web, and some popular sites provide tools for cracking passwords. For example, L0phtCrack is used to crack LANMAN and NT hashed passwords. Installed on an NT server or workstation, or on a Windows 95 machine, it can dump the password hashes from the registry (the SAM database) of a critical information server, provided the attacker has administrator privileges on it or a copy of its SAM file; it can also sniff the hashed password exchanges of users logging on across the network.

The utility then cracks the passwords of all users on that server or workstation, by dictionary and brute-force guessing against the dumped hashes. Passwords on a UNIX system can be cracked in the same way with Crack or John the Ripper, run against the hashed passwords from /etc/passwd or /etc/shadow.

These utilities put us squarely on the defensive, and the problem is compounded by very limited knowledge of system, network and application security. So let us get to the real business: what is hacking? Hacking is the act of gaining privileged access to critical system resources by working through every layer of defence. Every system on a network is vulnerable to some degree. A vulnerability becomes a threat when it can be exploited, and the activity that results typically falls into one of the following classes:

  • Denial of service
  • Unauthorised access attempts
  • Pre-attack probes
  • Suspicious activities
  • Protocol decodes

A Denial of Service attack aims to make a target system unavailable to its users, and is typically launched against Web, ERP and e-commerce servers, routers, firewalls and the like. A second route to compromise is a server that has been left too open. FTP servers, for instance, commonly allow anonymous login and may have a writable temp directory. A hacker can log in anonymously and upload a backdoor program such as NetBus, which by default listens on TCP ports 12345 and 12346 and gives the attacker remote control of the machine. Uploading the file does not by itself run it; the attacker still needs someone or something on the server to execute it, which is why a directory writable by anonymous users should never also be one from which programs are run. Once the backdoor is running, the hacker has access to the FTP server, can dump all the information it holds about trusted users, and can wreak havoc on the network with that information. All of this can be done from an ordinary Windows 95 workstation, with programs freely downloadable from the internet. Similarly, knowing nothing but the IP address of a target, a hacker, internal or external, can bring down a machine. The classic case is the Windows 'out of band' attack (WinNuke), which sends TCP data flagged as urgent to port 139 and crashes the TCP/IP stack of an unpatched Windows 95 or NT system; the 'Ping of Death' achieves the same result with oversized ICMP packets.

Imagine a disgruntled employee within the organisation setting out to damage a critical information server. All operations on the application server come to a grinding halt, the database is corrupted, and the entire business is put in jeopardy.

Time-tested, freely available port scan programs can be used to find listening TCP ports on target systems, routers and so on. A port scanner tries to connect to every TCP port from 0 to 65,535 and reports which ones accept a connection, and hence which services are running on the target.

Using the list of open ports, a hacker selects the hacking program that matches the service found. An example is TCP port 143, the IMAP mail service: in 1998 a buffer overflow was found in widely deployed UNIX IMAP servers, and an exploit for it circulated freely.

Firewalls are often not configured to regulate traffic on this port, because users expect to read their mail from outside. By exploiting such a vulnerability on a UNIX host reachable through the firewall, a hacker gains root access to a system inside the electronic perimeter without ever typing the root password.
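The two steps just described, finding the open ports and then identifying the service behind each, are what a scanner does. The following is an added example written for this edit, not the article's or any scanning product's code: a TCP connect() scan in Python that also reads the banner each service volunteers, since the banner (rather than the port number) is what tells the attacker, or the auditor, which software and version is listening. To run offline it starts a constructed stand-in listener on the loopback interface that greets clients with an IMAP-style banner; the banner text, port window and service-guessing rules are assumptions made for the illustration.

```python
import socket
import threading
from typing import Dict, Iterable, Tuple


def connect_scan(host: str, ports: Iterable[int], timeout: float = 0.3) -> Dict[int, str]:
    """TCP connect() scan: complete the three-way handshake on each port and
    record the first line the service volunteers (its banner), if any.
    Returns {open_port: banner}; banner is '' when the service stays silent."""
    found = {}
    for port in ports:
        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        s.settimeout(timeout)
        try:
            s.connect((host, port))
        except OSError:          # refused, timed out or unreachable: not open (or filtered)
            s.close()
            continue
        try:
            banner = s.recv(256).decode("ascii", "replace").strip()
        except OSError:          # open but silent within the timeout
            banner = ""
        finally:
            s.close()
        found[port] = banner
    return found


def guess_service(port: int, banner: str) -> str:
    """Name the service from its banner if it identifies itself, otherwise from
    the well-known port assignment (a weak signal: anything can listen anywhere)."""
    b = banner.upper()
    if "IMAP" in b:
        return "imap"
    if b.startswith("220") and "FTP" in b:
        return "ftp"
    if b.startswith("220"):
        return "smtp"
    try:
        return socket.getservbyport(port, "tcp")
    except OSError:
        return "unknown"


def start_fake_service(banner: bytes) -> Tuple[socket.socket, int]:
    """Constructed stand-in for a real daemon (assumption): listens on a random
    loopback port and greets every client with the given banner."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    port = srv.getsockname()[1]

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:      # listener closed: end the thread
                return
            with conn:
                try:
                    conn.sendall(banner)
                except OSError:
                    pass

    threading.Thread(target=serve, daemon=True).start()
    return srv, port


def scan_demo() -> Tuple[int, Dict[int, str]]:
    """Scan a small window of loopback ports around the constructed listener
    and label each open port with the service guessed from its banner."""
    srv, port = start_fake_service(b"* OK imapd IMAP4rev1 server ready\r\n")
    try:
        results = connect_scan("127.0.0.1", range(port - 3, port + 4))
    finally:
        srv.close()
    return port, {p: f"{guess_service(p, b)}: {b or '(no banner)'}" for p, b in results.items()}


if __name__ == "__main__":
    listener, report = scan_demo()
    for p in sorted(report):
        print(f"tcp/{p:<5} open  {report[p]}")
```

Against a real network the same loop runs over all 65,536 ports and takes minutes to hours, which is exactly why such pre-attack probes are worth detecting: a single source connecting to hundreds of ports on one host, or to the same port on hundreds of hosts, is not normal traffic.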

There are many more ways for a hacker to get inside the electronic perimeter and gain privileged access to critical information servers. How does one prevent such attempts? First and foremost, understand what is on the network:

  • Inventory of all resources - Hardware , Operating System, Applications
  • Inventory of all services running on the network
  • Which of these are vulnerable?
  • Which vulnerabilities have become threats?

Organisations that depend heavily on IT need a security programme in place. Every organisation should ask itself:

  • How vulnerable is the computer network?
  • Or, put another way, how secure is the company's information?

In this age of distributed computing, and of client-server and Internet-enabled information access, computer security consistently rises to the top of most "important issues" lists.

Network security is realised through policy, procedures, and tools. Currently, the most common security products include encryption tools, authentication and identification tools, firewalls and policy management tools.

Organisations should deploy the right tools to audit their networks, systems and applications and assess their vulnerabilities. By categorising vulnerabilities as high, medium or low risk, the organisation can attend to and close all the high-risk ones first (by definition, a high-risk vulnerability is one that lets an intruder gain immediate access to a machine). Whenever new applications, hardware or services are added, a fresh audit should be conducted.

Periodic audits, at a frequency matched to how fast the IT environment changes, are a must. Auditing tools such as Internet Scanner and System Scanner from ISS (Internet Security Systems, a pioneer in adaptive security management) are proactive; alongside them, detection of intrusion attempts as they happen is a must to keep hackers at bay, all the more so for financial institutions doing e-commerce on the internet. RealSecure, the intrusion detection and response product from ISS, does exactly that.

To summarise, it is necessary to assess the risk exposure of the network and to define the organisation's security policy and practice. Find out what the company's actual practice on security is, and whether its stated security policy lies within acceptable limits. After all, security is your statement of acceptable risk.

S. Suresh is Manager - Technical, RAMCO Systems. He has 12 years of experience in IT industry and handles a complete range of Network Security Products and solutions. Email: ssuresh@rsi.ramco.com.

