BreachExchange mailing list archives

Don't Be A Hacker's Puppet


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Tue, 5 Nov 2013 22:02:12 -0700

http://www.informationweek.com/security/intrusion-prevention/dont-be-a-hackers-puppet/240163574

With the Halloween season just in our rearview, I can't help but be
reminded of the body snatcher movies, where human beings are converted to
zombies and centrally controlled. Unfortunately, this is an apt analogy for
what is happening every day on the Internet.

Countless servers are being converted to zombie or drone systems as part of
botnets or coordinated attack machines. The risk to organizations is
significant. A compromised network can result in embarrassment as you are
blamed for the attacks on high-value targets and potentially massive costs
from bandwidth and server utilization. Also, being blacklisted on the
Internet makes it much harder to do business. Worse, if your infrastructure
is used in a particularly heinous crime, it could be confiscated.

Many organizations simply don't believe they are a target. They don't host
credit cards, conduct financial transactions or save personal information,
so why would a hacker care about them?

In fact, hackers count on finding people who think exactly this way. These
"low-value targets" are often left wide open and become the unwitting
accomplice to attacks on the "high-value targets" such as banks and
government sites. Every organization with servers connected to the Internet
should care about this issue, or the results could be disastrous. The good
news is that you don't need to spend significant money and time on security
to make sure you don't end up a hacker's puppet.


Hackers focus on the easy targets. They aren't interested in working too
hard on low-value targets. They want to compromise the server quickly, or
they will move on to another one. Their ultimate goal is not to compromise
most of us, but to use us to get to the real money.

Most hackers use fairly common techniques to take over servers:

Attack weak passwords. A surprising number of servers and applications have
default passwords or simple passwords. Hackers have automated tools that
test your passwords, and if you have easy ones it will take virtually no
time for your server to be theirs.

Phish key users. A now age-old trick that is becoming even more
sophisticated as hackers pick up passwords and access by targeting key
users.

Exploit old software. Unpatched systems are an easy target, especially
given all the well-known and distributed exploits for old software.

SMBs are the most vulnerable. The bad guys know that small organizations
can't afford to spend significant dollars or time on security. Further,
these organizations often don't have the resources to implement best
practices the way enterprise-level organizations do. As a result, their
servers give the hacker a place to dilute or mask their trail.

As mentioned above, you can protect your company without breaking the bank
or piling on additional resources -- a few basic practices will get you
there. Open source or inexpensive monitoring software lets you experiment
with tools that carry little or no hard cost, so you can see what works
best for your organization. Though open-source software typically requires
more effort, it has the benefit of proving success before any real dollars
are spent. Open source is also generally more secure than closed source
because it allows for more analysis from more users with different skills.
As a result, security vulnerabilities are identified and fixed more quickly.

Here are a few simple protection techniques to start with:

Lock down who has access to your servers. Give access to only those users
who need it and make sure that they understand how to secure their access
with strong passwords -- or better yet, use cryptographic keys.

Track and monitor access. Monitor on a regular basis to ensure that only
the people who should have access are on your system and that they are
doing what they should be.

Harden your systems. Keep your servers updated and your configurations
locked down. Patching your servers can be simple to execute depending upon
the complexity of your application, and there are plenty of resources that
describe solid configurations. For example, the National Institute of
Standards and Technology maintains a comprehensive checklist for a number
of operating systems and applications to help ensure secure configurations.

Know who your servers are talking to. Lock down network access to your
servers and track whether or not the servers are talking to the right
systems. Most servers shouldn't be initiating communication with a lot of
different servers or services. Just as you want to know who your children
are talking to, know who your servers are talking to.
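As an added illustration of the last two practices (tracking access and knowing who your servers talk to), the following script is not from the article; it audits a constructed sample of outbound-connection records against a hypothetical per-server allowlist and flags a server that starts initiating connections to many unexpected peers, the fan-out pattern a drone in a botnet tends to show.

```python
from collections import defaultdict

# Constructed sample of outbound connection records (not from the article):
# timestamp, source host, destination ip, destination port
SAMPLE_LOG = """\
2013-11-05T21:00:01 web01 10.0.0.5 3306
2013-11-05T21:00:02 web01 10.0.0.6 25
2013-11-05T21:00:03 web01 203.0.113.7 6667
2013-11-05T21:00:04 web01 198.51.100.2 80
2013-11-05T21:00:05 web01 198.51.100.3 80
2013-11-05T21:00:06 web01 198.51.100.4 80
2013-11-05T21:00:07 web01 198.51.100.5 80
2013-11-05T21:00:08 db01 10.0.0.9 53
"""

# Hypothetical per-server allowlist: the peers each server is expected
# to initiate connections to (database, mail relay, DNS resolver).
ALLOWED = {
    "web01": {("10.0.0.5", 3306), ("10.0.0.6", 25)},
    "db01": {("10.0.0.9", 53)},
}

FANOUT_LIMIT = 3  # distinct unexpected peers before the host looks botnet-like


def parse(log_text):
    """Yield (host, dst_ip, dst_port) tuples, skipping blank or malformed lines."""
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4 or not parts[3].isdigit():
            continue
        _, host, dst, port = parts
        yield host, dst, int(port)


def audit(log_text, allowed=ALLOWED, fanout_limit=FANOUT_LIMIT):
    """Return {host: {"unexpected": [...], "fanout_alert": bool}} for hosts with findings."""
    unexpected = defaultdict(set)
    for host, dst, port in parse(log_text):
        if (dst, port) not in allowed.get(host, set()):
            unexpected[host].add((dst, port))
    report = {}
    for host, peers in unexpected.items():
        report[host] = {
            "unexpected": sorted(peers),
            "fanout_alert": len(peers) >= fanout_limit,
        }
    return report


if __name__ == "__main__":
    for host, finding in audit(SAMPLE_LOG).items():
        print(host, finding)
```

In the sample, db01 only talks to its allowed resolver and produces no finding, while web01 reaches five peers outside its allowlist and trips the fan-out alert.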

Unfortunately, any business with an Internet presence is a potential
target, whether or not it has valuable digital assets. While executing
these basic techniques won't eliminate compromises, they will increase the
effort a potential hacker needs to make in order to take control of a
server, making it more likely that the hacker will move on to an easier
target.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss