Having made it this far through the book, you might be wondering how to protect yourself from all this stuff, so this chapter is dedicated to a discussion of some fundamental security measures that you might want to take.
For business users, the level of protection that you decide to apply to your computers, data and networks depends entirely on the value you place on the data. Figures are often quoted to the effect that most companies which lose valuable data go to the wall within 12-18 months; whatever the exact proportion, it is vitally important that you have some form of security. However, the security measures you apply should be just one part of a much larger business continuity plan. It is no good locking down your computers and networks so tightly that you can guarantee no crackers get in if you fail to take steps to ensure that backups are readable, or if you have no disaster recovery plan.
If you are an ordinary (i.e. non-business) Internet user, the problems you face are far less severe, as mostly you are online for a very short time and, if you stay away from the dodgier net backwaters, no-one is even going to know you are there. However, if you are cruising the net in some of the less salubrious neighbourhoods, you need to take some steps to protect yourself. If you are using Win95 to netsurf, you need to ensure that you know what problems there are in Win95 security, and if you are using a real operating system, such as LINUX, then you need to be even more careful about what services you leave running or turn off. Either way, having read this far you should know about some of the problems that lead to system insecurity, and should know by now how to avoid them.
If you are in business, your security requirements are going to be far more stringent than if you are a student, casual Internet user or computer enthusiast. Computer security cannot be looked at as an isolated part of business planning. It must be integrated into the wider plan for business continuity and disaster recovery. When planning a security policy, you need to look at three important areas - confidentiality, integrity and access (what is now usually called availability) - and assess the impact of losses in each one of them.
There are legal requirements for confidentiality, and these must be maintained, but you have to ask yourself: "how much damage to the company would there be if X data were released to the wider public?". Some things are not important. If there was a breach of confidentiality over the membership of the coffee or lottery pool, this would cause very little damage to the integrity of the company. However, more sensitive information about sales could lead to a fall in stock valuation, and at the most extreme end of the scale, leaking details of a pending takeover could destroy your business forever. You need to look at all the data in the system and allocate a "damage factor" to it in order to assess how to protect it. Anything with a high enough damage factor needs to be protected whatever the cost, as no price is too high for keeping your company in business.
Making sure that your data is safe from prying eyes is one thing, but how sure are you that the data is correct? We have all heard horror stories of people joining book clubs and being overwhelmed by duplicate books and bills, even after they have left. The cause of this is a lack of integrity in the data entry process which is often down to human error. Simple errors in company data can cause problems which cost thousands or undermine confidence in your company, because if customers are billed for goods not received or returned, or if they get double bills, or if they get unwanted goods, they are likely to take their business elsewhere.
Furthermore, what if the data were lost completely? Suppose that the backups stopped backing up months ago and no-one noticed? This does happen, believe me! The amount of "unrestorable backups" I have seen is frightening. Worse still, shoddy programming can lead to data expanding beyond the capacity of a DAT or DLT backup tape without producing an error message. Losing your entire stock movements file for over 3,000 customers because some self-taught idiot of an operator was given the job of writing the backup scripts is something that *should not happen* to a large company, yet I have seen this very scenario occur.
When looking at system integrity you need to allocate a "damage factor" to each piece of data and ask: "what would be the result to the company if we lost this data?". Only once you have asked that of all the company data, including those odd mailing lists, customer contacts, and routine documents spread around umpteen PCs across the business, can you begin to assess what would happen if any part of it were lost. Once you have decided that, you are in a position to allocate resources to guarantee that loss does not occur. Remember, the cost of your business going under due to lost data is going to be far higher than anything you can spend to protect that data.
Of course, maintaining the confidentiality and integrity of your data is useless unless you can use the data, and this means that you have to ensure access to the data at all times. The recent spate of Denial of Service (DoS) attacks across the Internet has graphically illustrated how access to data can be denied by outside parties.
Making sure that you have access to your data means that you have to look at all possible ways that access to the data could fail. Once you have done this, you can assess the possible "damage factor" to each item, working out exactly what the impact on business operations would be. The main server could crash, a vital hub or router could fail, a hard disk could be wiped out. Each possible variant that could remove access to data must be considered, its likelihood assessed, and steps taken to ensure that access to data is not compromised. Often this is as simple as having a "mirrored" server or disk, which cuts in when the other fails, or keeping duplicates of vital network infrastructure, so that when one fails the new one can be slotted into place as soon as possible.
Backing up your data is an important part of guaranteeing access, but only if you can guarantee restoration: test restores from your backup media regularly, because a backup that has never been restored is not a backup. Keeping the only copies onsite is insecure in the face of fire, flood, earthquake or other disasters. The only way to ensure access to data in this instance is to keep *two* backups of vital data, one offsite with a responsible and reliable data archiving firm, and the other onsite in a waterproof and fireproof safe. If there is a disaster, and your entire building is wiped out overnight, then you *must* have a business continuity plan that includes IT disaster recovery whereby the company can set up on an alternative site within hours. This IT disaster recovery plan needs to be documented and tested at least once a year to make sure it works.
IT security is more than just securing systems against crackers and other electronic vandals. It must be fully integrated with your overall security policy, which can only be determined within the context of a much larger business continuity plan. There is little point in spending hours securing your computers from attack via the Internet by script kiddies if you are failing to check that your backups are working, or you don't have any anti-virus protection.
If you are a systems administrator in a company, you must make sure that your managers and the board understand that IT security is not just a matter of technical mumbo-jumbo which they can safely leave to the techies. A proper IT security policy requires that everyone from the cleaner to the CEO be aware of the risks and "buy in" to whatever measures are deemed necessary to guarantee that the company does not go under the first time that there are any problems.
Proactive Security Measures
Know The Enemy
The only way to really understand who might be trying to crack your system's security is to "know the enemy". Understanding the computer underground makes it easy to assess the latest "threat" when the media hype against "evil hackers" sends your CEO into a state of panic. If you understand the nature of the threat, you are also less likely to waste your money on a software vendor's "security solution" that is being pushed your way. In addition to this, the majority of security holes are found by the computing underground long before security consultants, and keeping up with the computer underground is the best way of assessing new risks for yourself.
Understanding the computer underground means that, if you get attacked, the logs on your computer will give away whether the attackers are script kiddies or seasoned crackers. The script kiddies are likely to leave great big footprints all over your logs as they scan every port and test for every CGI hole known to mankind. If you are being attacked by seasoned crackers, the logs will contain far less information - fingerprints rather than footprints - and you need to learn to recognize what these small clues mean so that you realize that you are under attack.
The magazines, web sites and ezines coming out of the computer underground are the best source of information to any hackers, black or white-hat, and you should ensure that you have access to the very best information available. If this means paying for a subscription to get 2600 delivered to you, then this is money well spent. Finally, many hackers are more than happy to discuss system security with systems administrators at 2600 meetings or hacker cons, as long as you are "up front" with them.
The majority of hackers are interested in increasing computer security to ensure that computers are used responsibly and in ways that do not undermine privacy or abuse information of the ordinary man in the street. If you ask them how best to secure your computer, don't be surprised when they tell you. Don't believe the media misinformation about "evil hackers" - go out and meet them for yourself. You never know, you might have more in common with them than you thought.
Physical Security
Let's start with the obvious: if anyone can get physical access to your computers, then whatever security measures you take can be undone in an instant. You need to keep all mission-critical computers somewhere safe, preferably in a secure area under lock and key. Once an infiltration hacker gets his or her hands on your LINUX box or NT box, the game is over; your security has been compromised and you might as well publish your confidential company data on the web.
But it isn't just access to your servers you need to control, it is also access to your LAN. If a cracker can access your LAN, there is nothing to stop them from using a laptop, a PCMCIA Ethernet adapter and a sniffer - or a tool like L0phtCrack, which captures the SMB authentication exchanges off the wire and cracks the password hashes in them - to leech passwords directly from the packets whizzing along the LAN. Furthermore, even if you have physical security locked down tight, anyone who is working at the company can subvert any and all physical security measures by booting a PC from LINUX boot floppies and then running up the TRINUX package, which includes sniffers, or any other tools that they might have acquired. For this reason, it is recommended that floppy disk access is tightly controlled: set the BIOS to boot only from the hard disk and password-protect the BIOS setup, or remove the floppy drives from machines that do not need them, to prevent unauthorized software, including security scanning packages and sniffers, being run anywhere on the LAN.
In a large company, physical security will be in the hands of the security officer, and you should work with him or her to ensure that access to computers and the LAN is impossible for anyone but authorized personnel. If you put a lock onto your computer room, remember that Simplex and Digital locks are easy to hack. Use a decent mortise lock or logged swipe card system instead. Make sure that any cabling coming into the building is secure behind fastened covers or manholes. There is little point in securing the building if a cracker can walk up and tap into your telecommunications and WAN links by patching into the links via an unsecured service hatch or distribution point on the outside of the building.
To prevent trashing, make sure that everything is first shredded and then disposed of properly. Secure your dumpsters and other waste bins with padlocks - and, if possible, keep them locked up until the disposal day is due. Think about having certain paper waste shipped out to be destroyed by a security firm which specializes in destroying confidential information. It might cost money, but could also save money. When disposing of floppy disks and backup media, cut them up with a pair of scissors and then divide the bits into piles which go into different bins. This will greatly reduce the likelihood of a trasher recovering data from the magnetic media.
Passwords
Easily guessed passwords are often the weakest link in a computer LAN, so great care must be taken to educate users about password choice. Here are some guidelines about what *not* to choose as a password.
- Don't choose a password with any part of your name, your relative's name or your pet's name. Likewise choosing the name of your favourite rock band, film or something related to your hobbies, degree or outside interests is a no-no.
- Don't choose a password with numbers relating to any part of your life, eg social security, passport, bank account or phone number.
- Don't use any word that is correctly spelt, and which could appear in an online dictionary. It makes things way too easy, even for script kiddies who don't know how to build custom dictionaries using standard UNIX tools.
- Don't think that using an acronym or mnemonic will be safe. I used to use MVEMJSUNP as a root password - using a mnemonic for the planets of the solar system in order made the password easy to remember. Unfortunately when I ran CRACK with custom dictionaries I also included things like mnemonics, for example Every Good Boy Deserves Favour. When I next ran CRACK I unintentionally cracked my own root password and, if I can do it, so can a cracker. That password lasted all of about 30 seconds once I realized.
- Don't think that spelling a password in a "hackish" way is going to be safe. It isn't. When building a custom dictionary the underground hacker magazines get fed into the wordlist building process along with everything else, so that password "31337" is *not* as safe as you think.
- Don't rely on a "password generator" unless you know where its randomness comes from. Many generators seed themselves from the time of day or from a short user-supplied key, and a password drawn from such a small space is easy to reproduce; a quick look at the "key generators" written for cracking software protection will convince you that most key and password generation algorithms are weak and easily guessed. A generator fed from a proper random source is a different matter, but you have to check before you trust it.
Make sure that you issue password guidelines to your users telling them what to avoid and what is acceptable. If your system supports password "aging", then use it to enforce regular changes of password. Some systems can even keep a list of users' "old" passwords to prevent changing the password from "oldpass" to "newpass" and then back to "oldpass". Likewise, if your system supports a newer password program, like "npasswd", which checks for bad passwords, use it. If your system supports "shadow" passwords, where the password hashes are moved out of the world-readable /etc/passwd into a file that only root can read, use the shadowing provided: a cracker cannot run CRACK against hashes they cannot read.
Make sure that users understand that giving out their passwords to *anyone* is a disciplinary offence or equivalent, and that writing down passwords is a no-no. Make sure, too, that all default passwords shipped with the system or operating system software are changed, or the accounts are disabled. Finally, invest the time and effort in getting a password cracker program, such as Alec Muffett's Crack. Then crack your own password file and disable any crackable accounts, inform the users of their lax passwords and their responsibilities, and make sure that they have a set of guidelines for "good" passwords so that they have no excuse next time.
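The guidelines above can be turned into a checker that runs before a password is accepted, so that the bad choices never reach the password file in the first place. The following is an added example written for this edition, not a program from the book or from any vendor: the dictionary, mnemonic list and sample accounts are tiny constructed stand-ins for the wordlists the text describes, the leet-speak table and the personal-detail check are my own additions, and an eight-character minimum with three character classes is an assumption, not a figure from the chapter.

```python
import re
from typing import Dict, Iterable, List

# Constructed sample data for this example: a toy "dictionary" and a few mnemonics.
# A real deployment feeds in full wordlists, ezines and the like, as the text describes.
DICTIONARY = {"password", "secret", "dragon", "favour", "planets", "eleet", "elite", "letmein", "welcome"}
MNEMONICS = {"egbdf", "mvemjsunp", "roygbiv"}

# Map "hackish" spellings back to letters so that 31337 is checked as "eleet".
LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s", "7": "t", "@": "a", "$": "s", "!": "i"})
STRIP = "0123456789!@#$%^&*()_-+=.,"


def candidates(password: str) -> List[str]:
    """Forms of the password that a cracker's wordlist rules would try."""
    low = password.lower()
    forms = {low, low.translate(LEET)}
    forms |= {f.strip(STRIP) for f in list(forms)}   # dragon99! -> dragon
    forms |= {f[::-1] for f in list(forms)}          # reversed words
    return [f for f in forms if f]


def check_password(password: str, personal: Iterable[str] = ()) -> List[str]:
    """Return the list of guideline violations; an empty list means acceptable."""
    problems = []
    if len(password) < 8:
        problems.append("too short")
    if password.isdigit():
        problems.append("all digits")
    forms = candidates(password)
    for item in personal:                      # names, pets, account numbers, ...
        item = item.lower()
        if len(item) >= 3 and any(item in f for f in forms):
            problems.append(f"contains personal detail '{item}'")
    if any(f in DICTIONARY or f in MNEMONICS for f in forms):
        problems.append("dictionary word, mnemonic or hackish spelling of one")
    classes = sum(bool(re.search(pat, password))
                  for pat in (r"[a-z]", r"[A-Z]", r"\d", r"[^A-Za-z0-9]"))
    if classes < 3:
        problems.append("fewer than three character classes")
    return problems


def audit(accounts: Dict[str, Dict[str, object]]) -> Dict[str, List[str]]:
    """Run the check over a table of {user: {'password': ..., 'personal': [...]}}."""
    return {user: check_password(str(info["password"]), info.get("personal", ()))
            for user, info in accounts.items()}


# Constructed example accounts (not real users or real passwords from anywhere).
SAMPLE_ACCOUNTS = {
    "root":  {"password": "MVEMJSUNP"},                                  # the planets mnemonic
    "bob":   {"password": "31337"},                                      # hackish "eleet"
    "alice": {"password": "Dragon99!", "personal": ["alice", "smith"]},  # dictionary word plus digits
    "carol": {"password": "fido-Bites-2x", "personal": ["carol", "Fido"]},  # the dog's name
    "dave":  {"password": "Tr!b3-qz9K-moon", "personal": ["dave"]},      # passes
}

if __name__ == "__main__":
    for user, problems in audit(SAMPLE_ACCOUNTS).items():
        print(f"{user:6s} {'OK' if not problems else '; '.join(problems)}")
```

The point of `candidates()` is that the checker must apply the same mangling rules a cracker would: lower-casing, undoing "31337"-style spellings, stripping the digits people bolt on to a word, and reversing it. Anything the checker does not try, CRACK will.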
Network Security
The majority of insecurities in this book are those caused by networks. If your computers are attached to a LAN, or if your computers are attached to the Internet, you are vulnerable to a remote attack. Here are just a few of the things that you need to do when setting up hosts on the Internet or a LAN which can make the computer more secure. The important thing to remember is that a LAN will have a complex web of "trust" relationships between hosts and, once a single host on the LAN falls, the rest of the LAN is wide open as the cracker can exploit these trust relationships to break into other computers on the LAN.
- Turn off ALL services that are not being used - the inetd "internal" services such as netstat, telnet, ftp, tftp, POP3 services, HTTP services, everything. A service that is not started in inetd.conf or at boot time cannot be attacked.
- Remove completely all the "r" services - rdist, rlogin, rsh, rcp, rexecd, rexd etc. Make sure that there are *no* .rhosts files anywhere on any of the computers on the LAN. They might make your life easier, but they also make life easier for the crackers.
- Remove completely any software that is not in use on the machine. If the host is used as a file server, remove sendmail. If it is a print server, remove sendmail. If it is a workstation, remove sendmail.
- Use TCP Wrappers (tcpd) to enable full logging on all services that are in use. If the version you are using allows for access control via subnet descriptions in hosts.allow and hosts.deny, use it. Don't just exclude some machines: start off by denying everything (ALL: ALL in hosts.deny) and then add only what you need to hosts.allow. Remember that it is far easier to lock down everything really tightly, and then loosen the bits that need loosening, than it is to make everything loose and then lock down the bits you don't trust.
- Use TCP/IP logging to keep track of half-open connections and ICMP messages. I use SYNLOG to keep track of unclosed SYN connections, and ICMPwatch to keep an eye on ICMP messages, but there are several packages that can do half-decent TCP/IP logging.
- If you are using the Network File System (NFS), only export the directories that are needed, and only to named hosts, read-only where possible and with root_squash left on, even if it means making many entries in the /etc/exports file. Exporting your whole file system to the world is a surefire way of opening the host to all comers - as surely as if your login banner gave out the root password.
- If you are using an HTTP server, pay special attention to the CGI scripts that you are running. Remove any generic or example scripts that come with the distribution. Make sure that any CGI scripts are written using NCSA or other security guidelines, and use CGI wrappers whenever you can.
- Secure all your X Window System displays: use xauth (magic-cookie) authorization rather than xhost host-based access, and never run "xhost +", otherwise any machine that can reach the display can capture keystrokes or read the screen remotely. X security is a large subject that could fill a whole chapter on its own, so invest in a good book on it if you are administering a large X site.
These are some of the minimum requirements for network security, and this list is far from exhaustive. It is recommended that you spend some time procuring, reading and understanding some of the books on network security listed in Chapter 14: Learning More in order to get a much fuller overview of network security than can be given here.
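The checklist above is the kind of thing that should be run against every host before it goes on the wire and again after every upgrade, because a patch or a new package has a habit of switching a service back on. What follows is an added example, not a tool from the book: a small Python audit that parses the classic inetd.conf, /etc/exports, hosts.deny and hosts.allow formats and reports the mistakes the list warns about. The configuration files and the list of "found" files are constructed for the example and are not taken from any real host; on a live system you would read the real files and feed it the output of a find for .rhosts and hosts.equiv.

```python
import re
from typing import Dict, List

# Constructed sample configuration files for this example (not from any real host).
INETD_CONF = """\
# service socket proto  wait   user program              arguments
ftp       stream tcp    nowait root /usr/sbin/tcpd       in.ftpd -l -a
telnet    stream tcp    nowait root /usr/sbin/tcpd       in.telnetd
#shell    stream tcp    nowait root /usr/sbin/tcpd       in.rshd
login     stream tcp    nowait root /usr/sbin/in.rlogind in.rlogind
tftp      dgram  udp    wait   root /usr/sbin/in.tftpd   in.tftpd /tftpboot
netstat   stream tcp    nowait root internal
pop3      stream tcp    nowait root /usr/sbin/tcpd       ipop3d
"""
EXPORTS = """\
/export/home  fileserver(rw,root_squash)
/usr/share    (ro)
/             *.example.com(rw,no_root_squash)
"""
HOSTS_DENY = "ALL: ALL\n"
HOSTS_ALLOW = "in.ftpd in.telnetd ipop3d: 192.168.1.0/255.255.255.0\n"
FOUND_FILES = ["/home/bob/.rhosts", "/etc/hosts.equiv", "/home/bob/.profile"]  # constructed find output

R_SERVICES = {"shell", "login", "exec", "rexd", "rdist"}      # rsh, rlogin, rexec, ...
NEVER_NEEDED = {"tftp", "netstat", "finger", "systat"}


def audit_inetd(text: str) -> List[str]:
    """Flag r-services, well-known leakers, and servers not run through tcpd."""
    findings = []
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0].startswith("#") or len(fields) < 6:
            continue
        service, program = fields[0], fields[5]          # server-program column
        if service in R_SERVICES:
            findings.append(f"inetd: r-service '{service}' enabled; remove it")
        elif service in NEVER_NEEDED:
            findings.append(f"inetd: '{service}' enabled; disable it unless really needed")
        if program != "internal" and not program.endswith("/tcpd"):
            findings.append(f"inetd: '{service}' bypasses tcpd, so no wrapper logging or access control")
    return findings


def audit_exports(text: str) -> List[str]:
    """Flag world-wide, wildcard, whole-file-system and no_root_squash exports."""
    findings = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0].startswith("#"):
            continue
        path, clients = parts[0], parts[1:]
        if path == "/":
            findings.append("exports: the whole file system is exported")
        if not clients or any(c.startswith("(") for c in clients):
            findings.append(f"exports: {path} is exported to every host that can reach you")
        for client in clients:
            host, _, opts = client.partition("(")
            options = set(opts.rstrip(")").split(",")) if opts else set()
            if host.startswith("*"):
                findings.append(f"exports: {path} uses wildcard client '{host}'")
            if "no_root_squash" in options:
                findings.append(f"exports: {path} lets remote root be root ({host or 'everyone'})")
    return findings


def audit_wrappers(deny: str, allow: str) -> List[str]:
    """Deny-all must be in hosts.deny, and hosts.allow must not undo it."""
    findings = []
    rules = [l.strip() for l in deny.splitlines() if l.strip() and not l.lstrip().startswith("#")]
    if not any(re.match(r"ALL\s*:\s*ALL\b", r) for r in rules):
        findings.append("hosts.deny: no 'ALL: ALL' rule, so anything not explicitly denied is allowed")
    if any(re.match(r"\s*ALL\s*:\s*ALL\b", l) for l in allow.splitlines()):
        findings.append("hosts.allow: 'ALL: ALL' permits everyone and makes hosts.deny pointless")
    return findings


def audit_rhosts(paths: List[str]) -> List[str]:
    """paths is what 'find / -name .rhosts -o -name hosts.equiv' would print."""
    return [f"{p}: trust file present; delete it" for p in paths
            if p.endswith(("/.rhosts", "/hosts.equiv"))]


def audit_all() -> Dict[str, List[str]]:
    return {"inetd": audit_inetd(INETD_CONF), "exports": audit_exports(EXPORTS),
            "wrappers": audit_wrappers(HOSTS_DENY, HOSTS_ALLOW), "rhosts": audit_rhosts(FOUND_FILES)}


if __name__ == "__main__":
    for area, items in audit_all().items():
        for item in items:
            print(f"[{area}] {item}")
```

Note what the sample catches that a quick eyeball of the file would not: rlogin is still on even though rsh was commented out, tftp is on and not wrapped, and the root export with no_root_squash to a wildcard is exactly the "login banner gives out the root password" case.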
File System Security
The system of file permissions and access control lists provided by your software is a very important part of system security. When you install the operating system, make a list of the important files on the system and their file permissions. You should regularly check the system file permissions against the list to see if anything has changed. Likewise, you should also check disk usage regularly, to make sure that a cracker isn't storing tools or installing language compilers somewhere on the system.
To detect tampering with the system, use something along the lines of Tripwire, or at the very least a database of MD5 checksums of every system binary, so that you can tell when a binary has been replaced or had a Trojan attached. If you do use some form of checksum system, make sure that the checker is a statically linked binary, so that a cracker who has replaced a shared library cannot subvert the checker through it. Keep the software and the checksum database on read-only or backup media, not on the computer you are protecting, because a cracker who can edit the database can hide anything.
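The permission list and the checksum database are really one thing: a baseline of what every file looked like on the day you installed it, compared against the live system. Here is an added example of that comparison, written for this edition and not a program from the book or from Tripwire; it records mode, owner, size and a digest for each path, and then runs a constructed break-in to show what comes out. I have used SHA-256 where the text says MD5 (same idea, stronger digest); the "system" it builds is a temporary directory with two files, not a real machine.

```python
import hashlib
import json
import os
import stat
import tempfile
from typing import Dict, List, Tuple

HASH = "sha256"   # the text says MD5; SHA-256 is the same idea with a stronger digest (my choice)


def fingerprint(path: str) -> Dict[str, object]:
    """Permissions, ownership and, for regular files, size and digest of one path."""
    st = os.lstat(path)
    rec: Dict[str, object] = {"mode": stat.S_IMODE(st.st_mode), "uid": st.st_uid, "gid": st.st_gid}
    if stat.S_ISREG(st.st_mode):
        h = hashlib.new(HASH)
        with open(path, "rb") as f:
            for chunk in iter(lambda: f.read(1 << 16), b""):
                h.update(chunk)
        rec["size"] = st.st_size
        rec["digest"] = h.hexdigest()
    return rec


def baseline(root: str) -> Dict[str, Dict[str, object]]:
    """Walk root and record every directory and file, keyed by relative path."""
    db = {}
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            full = os.path.join(dirpath, name)
            db[os.path.relpath(full, root)] = fingerprint(full)
    return db


def verify(root: str, db: Dict[str, Dict[str, object]]) -> List[Tuple[str, str]]:
    """Compare the live tree with a saved baseline; return (path, what changed) pairs."""
    current = baseline(root)
    changes = []
    for rel, old in db.items():
        new = current.get(rel)
        if new is None:
            changes.append((rel, "missing"))
            continue
        diffs = sorted(k for k in old if old[k] != new.get(k))
        if diffs:
            changes.append((rel, "changed: " + ",".join(diffs)))
    changes += [(rel, "added") for rel in current if rel not in db]
    return sorted(changes)


def save(db: Dict[str, Dict[str, object]], path: str) -> None:
    """The database belongs on read-only or backup media, never on the host itself."""
    with open(path, "w") as f:
        json.dump(db, f, indent=1, sort_keys=True)


# Constructed demonstration: build a tiny "system", baseline it, then do what an
# intruder would do and see what the comparison reports. The trojan is the same
# length as the original, which is why a size check on its own is not enough.
ORIGINAL_LS = b"#!/bin/sh\nexec /usr/bin/ls \"$@\"\n"
TROJAN_LS = b"#!/bin/sh\nexec /tmp/.x/ls  \"$@\"\n"


def run_demo() -> List[Tuple[str, str]]:
    with tempfile.TemporaryDirectory() as work:
        root, media = os.path.join(work, "host"), os.path.join(work, "media")
        os.makedirs(os.path.join(root, "bin"))
        os.mkdir(media)
        ls, shadow = os.path.join(root, "bin", "ls"), os.path.join(root, "shadow")
        with open(ls, "wb") as f:
            f.write(ORIGINAL_LS)
        os.chmod(ls, 0o755)
        with open(shadow, "wb") as f:
            f.write(b"root:$1$constructed$hash:10000:0:99999:7:::\n")   # made-up shadow entry
        os.chmod(shadow, 0o600)
        save(baseline(root), os.path.join(media, "baseline.json"))
        # The intruder: trojaned ls, shadow made world-readable, a rootkit dropped.
        with open(ls, "wb") as f:
            f.write(TROJAN_LS)
        os.chmod(shadow, 0o644)
        with open(os.path.join(root, "bin", ".rk"), "wb") as f:
            f.write(b"rootkit")
        with open(os.path.join(media, "baseline.json")) as f:
            return verify(root, json.load(f))


if __name__ == "__main__":
    for rel, what in run_demo():
        print(f"{rel:12s} {what}")
```

The three lines the demo prints are the three classic signs: an unknown file appearing under a system directory, a binary whose digest has changed although nothing else about it has, and a sensitive file whose permissions have been loosened. Run the real thing from a statically linked interpreter on a read-only medium, for the reason given above.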
Some pieces of software are notorious security risks, as they are either badly written, buggy or both. Spend some time learning which software on your system needs to be fixed, patched or upgraded and you can probably eliminate 90 per cent of the holes used to get system administrator privileges on your system. There are a lot of things that can be fixed in minutes, but which will help to protect your system from crackers, so make sure that you know what can be fixed and what is vulnerable. If you can't fix it and don't need it, remove it from the system completely.
Always use the latest version of system and network software. Make sure that you apply all security patches as soon as possible after receiving them. If programs leak information about userids or network services, remove them as they will assist crackers. If ordinary workstations come with C compilers or other languages which are not used by the user, remove them completely. This will stop crackers compiling or writing exploits on the box unless they bring their own precompiled binaries or install their own compilers, and these should show up when you run the standard checks on your file system listed above.
You should be aware of how your system stores system logs and where they are. These should be under the protection of the correct set of file permissions as there is little point in having logs which anyone can edit. Where you can, send copies of the logs to a separate, well-protected log host over syslog: one of the first things a cracker does after getting in is to clean the local logs, and a copy held elsewhere cannot be edited from the compromised machine. Make sure that you check your logs regularly, as in weekly or even daily, otherwise you could miss the obvious signs of a cracker battering at your system services. If you can, write an automatic job which scans the logs for things that you know indicate possible break-in attempts. Make sure that logging is turned on for everything that supports it. If there is a part of the system that does not log access and errors, use some form of TCP/IP or shell "wrappers" to log access to various ports and the use of certain software.
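The "automatic job which scans the logs" is worth spelling out, because the two kinds of attacker described under Know The Enemy leave different marks. The following is an added example, not a script from the book: it parses syslog-style lines of the sort tcpd and login write, and picks out the script kiddie's footprints (one address touching many wrapped services within a minute), a brute-force attempt on one account, and any root login from a remote address. The log lines are constructed for the example, the message formats are the classic ones and the thresholds are assumptions you would tune for your own site.

```python
import re
from collections import defaultdict
from datetime import datetime
from typing import Dict, List, Tuple

# Constructed sample syslog lines for this example (not real traffic).
SAMPLE_LOG = """\
Mar  3 02:14:01 gw in.telnetd[412]: connect from 10.9.8.7
Mar  3 02:14:02 gw in.ftpd[413]: connect from 10.9.8.7
Mar  3 02:14:02 gw in.fingerd[414]: connect from 10.9.8.7
Mar  3 02:14:03 gw in.tftpd[415]: refused connect from 10.9.8.7
Mar  3 02:14:03 gw in.rlogind[416]: refused connect from 10.9.8.7
Mar  3 02:14:04 gw in.pop3d[417]: refused connect from 10.9.8.7
Mar  3 09:30:11 gw login[520]: FAILED LOGIN 1 FROM 192.168.1.20 FOR alice, Authentication failure
Mar  3 09:30:19 gw login[520]: FAILED LOGIN 2 FROM 192.168.1.20 FOR alice, Authentication failure
Mar  3 09:30:40 gw login[521]: LOGIN ON ttyp1 BY alice FROM 192.168.1.20
Mar  3 23:57:50 gw login[602]: FAILED LOGIN 1 FROM 172.16.5.5 FOR root, Authentication failure
Mar  3 23:58:02 gw login[602]: FAILED LOGIN 2 FROM 172.16.5.5 FOR root, Authentication failure
Mar  3 23:58:15 gw login[602]: FAILED LOGIN 3 FROM 172.16.5.5 FOR root, Authentication failure
Mar  3 23:58:30 gw login[603]: ROOT LOGIN ON ttyp2 FROM 172.16.5.5
"""

LINE_RE = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) (\S+) ([\w.]+)\[\d+\]: (.*)$")
Event = Tuple[datetime, str, str]   # (timestamp, program, message)


def parse(log: str) -> List[Event]:
    events = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts, _host, prog, msg = m.groups()
            events.append((datetime.strptime(ts, "%b %d %H:%M:%S"), prog, msg))
    return events


def find_scans(events: List[Event], window_s: int = 60, min_services: int = 4) -> Dict[str, List[str]]:
    """Footprints: one source touching many different wrapped services inside the window."""
    hits: Dict[str, List[Tuple[datetime, str]]] = defaultdict(list)
    for ts, prog, msg in events:
        m = re.search(r"connect from (\S+)", msg)      # tcpd: "connect from" / "refused connect from"
        if m and prog.startswith("in."):
            hits[m.group(1)].append((ts, prog))
    scans = {}
    for src, seen in hits.items():
        seen.sort()
        for i, (t0, _) in enumerate(seen):
            services = {p for t, p in seen[i:] if (t - t0).total_seconds() <= window_s}
            if len(services) >= min_services:
                scans[src] = sorted(services)
                break
    return scans


def find_bruteforce(events: List[Event], threshold: int = 3) -> Dict[str, int]:
    """Repeated failed logins for the same account from the same address."""
    fails: Dict[Tuple[str, str], int] = defaultdict(int)
    for _, _, msg in events:
        m = re.search(r"FAILED LOGIN \d+ FROM (\S+) FOR (\w+),", msg)
        if m:
            fails[(m.group(2), m.group(1))] += 1
    return {f"{user}@{src}": n for (user, src), n in fails.items() if n >= threshold}


def find_remote_root(events: List[Event]) -> List[str]:
    """Root logging in from anywhere but the console is always worth a look."""
    return [msg for _, prog, msg in events
            if prog == "login" and msg.startswith("ROOT LOGIN") and " FROM " in msg]


def report(log: str = SAMPLE_LOG) -> Dict[str, object]:
    ev = parse(log)
    return {"scans": find_scans(ev), "bruteforce": find_bruteforce(ev), "remote_root": find_remote_root(ev)}


if __name__ == "__main__":
    for kind, found in report().items():
        print(f"{kind}: {found}")
```

Two failures for alice followed by a success is a user mistyping and does not trip the threshold; three for root from an outside address followed by a root login does, and that is the line you want the job to mail you about at 23:58, not the one you find in the weekly review.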
Get hold of a security scanner such as NMAP, ISS, SATAN or COPS. Use it regularly but remember this caveat when using such a system: it is only as good as the person using it. The major problem with any pre-packaged security scanning solution is that it goes out of date very quickly, and will never scan for the newest insecurities. However, using a security scanner that is available on the Internet will at least give you a "cracker's eye view" of the state of your security, as the majority of the script kiddies out there will be using the same scanners as you. Don't be lulled into a false sense of security by one of these tools as new system vulnerabilities are being discovered all the time. If you want to check for the newest system vulnerabilities, see the section on hacking your own system below.
Hack Your Own System
This is the best way of making sure that your system is safe. Every time you read about a problem in a hacker ezine, a CERT, CIAC or other advisory, or somewhere from the web, make sure that you understand how the exploit works and make sure that it doesn't work on any of the hosts on your LAN. Keep a database of exploits and make sure that you know which operating systems and which versions of software are open to attack.
This is a far better option than buying or downloading a security scanner as you will always be working with the most up-to-date information. Use software that scans your host ports, checks for CGI insecurity and attempts buffer overflows, and whose source you can modify, so that you can add new exploits and insecurities to it as soon as you learn about them.
By hacking your own system, you will know exactly what to look out for in the logs, what programs can be patched or substituted to provide "Trojan backdoors" and keep one jump ahead of the script kiddies. A really good cracker will very rarely bother to spend weeks breaking into your machine unless it is of some importance. What you are trying to protect against, first and foremost, is the zillions of script kiddies who haven't a clue. If they find the host is secure at first approach, they will rarely bother to go any further, preferring to switch their attention to another, less well-protected, machine.
Viruses
Protecting against viruses is as much a part of IT security as checking passwords and backups. If a virus spreads unchecked throughout a large organization, the loss of data integrity and data access could wipe out the company or cost thousands to correct. Once again, you need to assess where the virus risks are and what data is vulnerable to virus attack. Once you have done that, you can apply the proper level of protection to each piece of equipment or data, depending on how large the impact to the company would be if you suffered any loss.
There are a large number of anti-virus packages on the market, and a proper choice can only be made after a full evaluation of the product. Is it easy to install and maintain? Can the virus "signature" file be upgraded easily or do you have to send a techie to every computer in the building? What about email coming in through your Exchange or SMTP server? Do the program attachments get scanned for viruses, and do document attachments get scanned for macro viruses? Can users bypass normal anti-virus checking? Is there a system to guarantee every single floppy disk that enters the building is checked for viruses? I have seen horrendous virus infections spread after the CEO turned off the virus checking on his laptop simply because it "took too long". Every shared floppy disk that then passed through his laptop, from his secretaries, his PA, his executives and line managers, was infected, and nobody thought to check these disks because they had been given to them by the CEO.
Telephone Systems
The final section of this chapter will give a few tips on how to secure equipment related to telephone lines, ie modems, PBXs and voice mail boxes (VMBs).
If you have modems inside the company for dialling out, make sure that they are configured not to answer when the phone rings. If you must have dial-in modems which attach to your LAN, use some form of ring-back (callback) verification, where the internal system hangs up and dials back out to the employee wishing to work remotely, at a number stored on the server rather than one supplied by the caller. If you have multiple modems attached to a terminal server, use any and all password facilities on the terminal server, so that a password is needed to log in to the terminal server and then another to log in to the computer or network that access is required for. If you have outside modems attached to systems to enable outside suppliers to maintain, debug or upgrade large accounting or stock control packages, your staff should be required to keep the modems switched off at all times. When the support staff from the bespoke software company, or wherever, phone and ask for access, ring them back at a number you already have on file with the password they can use - don't just hand it over on the phone.
If you run a large PBX or switch for handling multiple lines, do NOT have any dial-ins routed to dial-outs (the feature is usually called DISA, Direct Inward System Access), especially if your company supplies a "toll-free" number for sales representatives or marketing inquiries. If you leave the dial-outs enabled, don't be surprised when you find your PBX has been heavily abused by people dialling in via the toll-free number and then dialling out to Australia, Chile or wherever. Don't put the master telephone on the receptionist's desk, but into the equipment room with other mission-critical kit, preferably under lock and key. If your PBX or switch allows for remote administration, disable it immediately, as this is akin to leaving the front door key under the mat.
If you have a VMB, delete all unused boxes, or at least change the default passwords. Change the administration password the day you set it up, then make sure that you change it at least weekly. Some VMBs allow for remote administration; if they do, disable it. If the VMB allows for outdials, disable them. For both PBX and VMBs, use the reporting facility built in to check activity regularly. Get a feel for normal usage and how much it costs so that any attempted penetration of the telephone systems in your company is noticed.
If your company uses answerphones, the best way to make sure that phreakers aren't using them to exchange messages is to keep one eye on the overnight PBX logs. If the answerphone has a default administrator feature, make sure that the PIN has been changed and that the person responsible for the answerphone changes their PIN regularly - or disable the remote administration feature.
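"Get a feel for normal usage and how much it costs" is easier to do with a small program than by eye, because the PBX reporting facility produces far more lines than anyone reads. Here is an added example, not from the book or from any PBX vendor, that works over call-detail records exported as CSV and applies three of the checks the section above describes: inbound toll-free calls that were switched straight back out, international calls made out of office hours, and days whose bill is wildly out of line with the other days. The records, the column layout, the office hours and the "00" international prefix are all constructed assumptions; your switch's export format will differ.

```python
import csv
import io
import statistics
from collections import defaultdict
from datetime import datetime
from typing import Dict, List

# Constructed call-detail records for this example (not from a real PBX).
# trunk: DDI = ordinary direct-dial line, TOLLFREE = the company's free-phone number;
# extension DISA = a call that came in on a trunk and was switched straight back out.
CDR = """\
start,trunk,extension,dialled,seconds,cost
1999-03-01 09:12:00,DDI,2041,01632960123,180,0.12
1999-03-01 10:05:00,DDI,2043,01632960999,60,0.04
1999-03-01 14:30:00,DDI,2041,0015551234567,420,2.10
1999-03-02 09:45:00,DDI,2050,01632960555,240,0.16
1999-03-02 11:20:00,DDI,2041,01632960123,120,0.08
1999-03-03 10:10:00,DDI,2043,01632960999,300,0.20
1999-03-03 15:00:00,DDI,2050,0015551234567,600,3.00
1999-03-04 02:13:00,TOLLFREE,DISA,006129876543,1800,27.00
1999-03-04 02:45:00,TOLLFREE,DISA,005622345678,2400,44.00
1999-03-04 03:20:00,TOLLFREE,DISA,006129876543,3000,45.00
1999-03-04 09:30:00,DDI,2041,01632960123,60,0.04
"""

OFFICE_HOURS = range(8, 19)   # 08:00-18:59, Monday to Friday (assumption for the example)
Row = Dict[str, object]


def load(text: str) -> List[Row]:
    rows = []
    for r in csv.DictReader(io.StringIO(text)):
        rows.append({"start": datetime.strptime(r["start"], "%Y-%m-%d %H:%M:%S"),
                     "trunk": r["trunk"], "extension": r["extension"], "dialled": r["dialled"],
                     "seconds": int(r["seconds"]), "cost": float(r["cost"])})
    return rows


def is_international(number: str) -> bool:
    return number.startswith("00")          # UK-style international prefix (assumption)


def after_hours(when: datetime) -> bool:
    return when.weekday() >= 5 or when.hour not in OFFICE_HOURS


def dial_through(rows: List[Row]) -> List[Row]:
    """Inbound toll-free calls switched straight back out: the classic PBX abuse."""
    return [r for r in rows if r["trunk"] == "TOLLFREE" and r["extension"] == "DISA" and r["dialled"]]


def suspicious_calls(rows: List[Row]) -> List[Row]:
    """International calls when nobody should be in the building."""
    return [r for r in rows if is_international(r["dialled"]) and after_hours(r["start"])]


def daily_cost_outliers(rows: List[Row], sigmas: float = 3.0) -> Dict[str, float]:
    """Days whose spend is more than `sigmas` standard deviations above the other days' mean.
    Each day is compared with the *other* days so a bad day cannot inflate its own baseline."""
    per_day: Dict[str, float] = defaultdict(float)
    for r in rows:
        per_day[r["start"].strftime("%Y-%m-%d")] += r["cost"]
    outliers = {}
    for day, total in per_day.items():
        others = [t for d, t in per_day.items() if d != day]
        if len(others) < 2:
            continue
        if total > statistics.mean(others) + sigmas * statistics.stdev(others):
            outliers[day] = round(total, 2)
    return outliers


def report(text: str = CDR) -> Dict[str, object]:
    rows = load(text)
    return {"dial_through": len(dial_through(rows)),
            "after_hours_international": len(suspicious_calls(rows)),
            "cost_outliers": daily_cost_outliers(rows)}


if __name__ == "__main__":
    for kind, found in report().items():
        print(f"{kind}: {found}")
```

On the constructed records the three checks all point at the same night, which is what a real dial-through incident looks like: a handful of very long international calls on the toll-free trunk in the small hours, and a day's bill thirty times the usual. The same leave-one-out comparison works for voice mail box usage counts if your VMB reports them.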
System security needs to be taken seriously if your company isn't going to suffer some form of loss from cracking attempts. You can only look at system security within the context of a much larger security philosophy which widens the notions of "computer security" away from simple access security and towards a solution which looks at possible failures in the areas of confidentiality, integrity and access. An integrated security philosophy will quickly map onto the security policies you are required to enforce, and these policies soon dictate which areas of security are more or less important to the survival of a company. Finally, don't be taken in by media and marketing hype when choosing the appropriate security measures to take - learn to assess security for yourself using the same attitudes and tools that crackers use.