Keeping computers secure is not an easy task. (Creative Commons photo)

[A]s I was thinking of the article to work on this week, I thought of my upcoming TEDx talk on how organizations continue to be impacted by vulnerabilities that have been around for many years. I remembered an article I wrote back in 2002 — 17 years ago. Some of the talking points were mentioned in a previous article on VTDigger as well. The article below is a pretext to my upcoming TEDx talk, where I will also be discussing a possible solution. After the talk, I will lay out in this column on VTDigger how that solution could work in practice.

The topic in the article below is still, sadly, relevant. There are a couple of changes — the SANS Top 20 is now the CIS controls and I bet most organizations don’t use inetd anymore (or do they?).

Reminder, the issues discussed in the article below are from **17 years** ago:

Attackers are still compromising servers with well-known attacks. General awareness can help busy administrators and users protect their systems from these kinds of attacks. SANS provides a list of the Top 20 most common security vulnerabilities, how to identify each, and what can be done to protect against them.

“He got into the UUCP account. No password protection. Wide open. …Worse, Elxsi had its UUCP account set up with system privileges. It took the hacker only a minute to realize that he’d stumbled into a privileged account. …He didn’t lose any time. He edited the password file, and added a new account, one with system manager privileges. Named it Mark. ‘Keep it bland,’ I thought.”

That is an excerpt from the book “Cuckoo’s Egg,” published in 1989. As far as the principles of how the attacker gained access to the system above, nothing much has changed since that time. Attackers are still exploiting the most well-known vulnerabilities in computer systems. “This can be attributed to the fact that attackers are opportunistic, take the easiest and most convenient route, and exploit the best-known flaws with the most effective and widely available attack tools.” (www.sans.org)

This article is nothing new but it has to be reinforced every now and then.

Many administrators are already overworked with other system administration tasks or with keeping a system up and running. Administering a large network environment with a small computer staff doesn’t help the issue of keeping systems secure, either. Attackers know that and are actively exploiting it.

The availability of attack tools and people posting bugs in software only puts an urgency on keeping systems secure. In his book “Secrets and Lies,” Bruce Schneier stated very simply that the internet is “…a perfect medium for propagating successful attack tools. Only the first attacker has to be skilled; everyone else can use his software” (Schneier). The availability of the internet today is a blessing and a curse (though only a small portion is a curse). The blessing is that for each exploit of a well-known vulnerability there are a lot more resources on how to fix the problem. SANS has a Top 20 List of the most common security vulnerabilities and what to do to fix each one. In cooperation with some commercial and open source organizations, there are tools to help identify these vulnerabilities and documentation on how to fix the problems or mitigate the risks. The SANS list will help overworked admins identify and fix those vulnerabilities. The SANS lists and recommendations won’t prevent attackers from compromising your servers, but they help minimize the risk of the most common attacks, and they will make you AWARE. Awareness is critical on the part of the admins and users.

Once a system has been compromised or is suspected of being compromised, all systems have to be checked for compromise. If servers on your internal network have been compromised, you have a much bigger problem: someone has compromised an external server, or an internal computer, and “bounced” around your network, or you have an attacker inside your organization. Internal networks and internal servers tend to have weaker trust relationships and weaker security standards than a server directly accessible from outside the network. There should be no distinction between which is more important, internal or external network security. Equal weight should be put on each. Patching a service directly accessible from the Internet should be given high priority, but it should be quickly followed by patching internal services. Imagine the work and time involved in checking 200 servers for a compromise in a short period of time versus the time it takes to comment out unneeded services in /etc/inetd.conf and run `killall -HUP inetd`.

“OK, I read the list, but how do I know what services aren’t needed?” The SANS documentation, the linuxsecurity.com mailing list, talking to other administrators, and those you work with can help you find out. If no one is sure, shut it off and see who complains. If someone complains because you shut off a service, question it before turning it back on. If you have to keep a service running that has a significant history of security problems, be sure it is monitored closely and that only the people who need access to the service have it. Patches and updates could remove security settings or re-enable a service you had previously shut off, so keep a close eye on these kinds of services (and other services, for that matter) after patching or upgrading.
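As an added example that is not part of the original column, here is a small POSIX shell script that automates the inetd cleanup described above: it lists the services still enabled in an inetd.conf, comments out a named one (the pattern is anchored so that, say, `ftp` does not also match `tftp`), and records a snapshot of the enabled set so a later run can flag a service that a patch or upgrade silently re-enabled. The inetd.conf contents are constructed for the demonstration and written to a temporary file; the function names are my own, and the real reload step, `killall -HUP inetd`, is left as a comment so the script runs on a machine without inetd.

```shell
#!/bin/sh
# Added example (not from the original column). Audits an inetd.conf, disables
# a service, and detects services that were re-enabled after patching.

# Constructed sample inetd.conf written to a temp file (assumption: the classic
# 7-column inetd layout; the real file lives at /etc/inetd.conf).
SAMPLE_CONF="${SAMPLE_CONF:-$(mktemp)}"
cat > "$SAMPLE_CONF" <<'EOF'
# /etc/inetd.conf - constructed sample for the demonstration
#<service> <sock_type> <proto> <flags> <user> <server_path> <args>
ftp     stream  tcp  nowait  root    /usr/sbin/tcpd    in.ftpd -l -a
telnet  stream  tcp  nowait  root    /usr/sbin/tcpd    in.telnetd
#shell  stream  tcp  nowait  root    /usr/sbin/tcpd    in.rshd
finger  stream  tcp  nowait  nobody  /usr/sbin/tcpd    in.fingerd
ident   stream  tcp  nowait  nobody  /usr/sbin/identd  identd -i
EOF

# enabled_services CONF: print the first column of every line that is neither
# a comment nor blank, i.e. the services inetd would actually start.
enabled_services() {
    grep -v '^[[:space:]]*#' "$1" | awk 'NF > 0 { print $1 }'
}

# disable_service CONF NAME: comment out NAME's line. The pattern is anchored
# to the start of the line and requires trailing whitespace, so "ftp" does not
# also hit "tftp". Returns 1 if NAME was not enabled to begin with.
disable_service() {
    conf="$1"; svc="$2"
    enabled_services "$conf" | grep -qx "$svc" || return 1
    tmp=$(mktemp)
    sed "s/^\($svc[[:space:]]\)/#\1/" "$conf" > "$tmp" && mv "$tmp" "$conf"
    # On a live system, make inetd reread the file afterwards:
    #   killall -HUP inetd
}

# snapshot_enabled CONF SNAPFILE: save the enabled set after you have finished
# pruning, so post-patch drift can be measured against a known-good baseline.
snapshot_enabled() {
    enabled_services "$1" > "$2"
}

# check_drift CONF SNAPFILE: print any service enabled now that was not in the
# snapshot (typically something a package upgrade switched back on). Returns 1
# when drift is found, 0 when the file still matches the baseline.
check_drift() {
    conf="$1"; snap="$2"
    new=$(enabled_services "$conf" | grep -vxF -f "$snap" || true)
    [ -z "$new" ] && return 0
    printf 'Re-enabled since snapshot: %s\n' "$new"
    return 1
}

# Demonstration on a copy, so the sample file itself stays untouched.
DEMO=$(mktemp); cp "$SAMPLE_CONF" "$DEMO"
echo "Enabled before pruning:"; enabled_services "$DEMO"
disable_service "$DEMO" telnet && echo "telnet commented out"
echo "Enabled after pruning:"; enabled_services "$DEMO"
```

The snapshot file is the piece worth keeping around: run `snapshot_enabled` once the pruning is done, and run `check_drift` from cron or as the last step of your patch procedure, so a service that an upgrade quietly turned back on shows up the same day rather than after the next compromise.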

Getting started with basic security procedures

Go somewhere quiet and follow these recommendations:

1. Read the SANS Top 20 Security Vulnerabilities list

2. Check the Appendix of the SANS Top 20 List for the most common ports to block, as well. The further out, topologically, you can block ports on your network, the better. Block them at the router before the traffic has a chance to even get inside your network.

3. Subscribe to the SANS free security digest

4. Linuxsecurity.com has daily headlines and archives to keep you up to date on pressing security issues and security HOWTOs

5. Subscribe to Bugtraq to stay abreast of security vulnerabilities

6. Send out periodic easy-to-read email messages to your employees and co-workers on how to deal with a security problem. There is nothing I love more than a call from a fellow employee about a suspicious email, for example, one with an attachment. Even though I may tell the same person the same thing, “Delete it and empty it from the trash,” it brings me comfort that they are vigilant and on the lookout.

7. For any network service and any OS distribution you run, subscribe to its security and/or announcement mailing lists.

8. Keep senior-level management informed on security issues that directly affect your organization and what can be done to prevent any problems from occurring.

Conclusion

Keeping computers secure is not an easy task. It requires diligence and patience, but it is required. Customers believing their credit card was on a server whose front page now reads “Hackers looooooooooooooooove noodles” is enough to lose customer satisfaction and revenue. Revenue lost is not just from the customer dissatisfaction but is magnified by the downtime associated with a compromise. The basics in security can go a long way. While you are at it, go ahead and write a document that explains what procedures are to be done before a server even goes on the network. Securing a server is much easier when it is done from a fresh install.

Managers, ensure that your admins have read the SANS Top 20 list and are working on implementing the recommendations on the list. Also, managers, we need your support!

Duane Dunston is an assistant professor of cybersecurity and networking at Champlain College. He received his bachelor’s and master’s of science from Pfeiffer University. From 2001 to 2011 he worked...