Attacks/Breaches
11/5/2013 11:08 AM
Rajat Bhargava
Commentary

Don't Be A Hacker's Puppet

Even if your company is not a primary target, hackers may be using you to get to the big fish. Here's how to protect your servers without breaking the bank.

With the Halloween season just in our rearview, I can't help but be reminded of the body snatcher movies, where human beings are converted to zombies and centrally controlled. Unfortunately, this is an apt analogy for what is happening every day on the Internet.

Countless servers are being converted to zombie or drone systems as part of botnets or coordinated attack machines. The risk to organizations is significant. A compromised network can result in embarrassment when you are blamed for attacks on high-value targets, and in potentially massive costs from bandwidth and server utilization. Also, being blacklisted on the Internet makes it much harder to do business. Worse, if your infrastructure is used in a particularly heinous crime, it could be confiscated.

Many organizations simply don't believe they are a target. They don't host credit cards, conduct financial transactions or save personal information, so why would a hacker care about them?

In fact, hackers count on finding people who think exactly this way. These "low-value targets" are often left wide open and become unwitting accomplices in attacks on "high-value targets" such as banks and government sites. Every organization with servers connected to the Internet should care about this issue, or the results could be disastrous. The good news is that you don't need to spend significant money and time on security to make sure you don't end up a hacker's puppet.


Hackers focus on the easy targets. They aren't interested in working too hard on low-value targets. They want to compromise the server quickly, or they will move on to another one. Their ultimate goal is not to compromise most of us, but to use us to get to the real money.

Most hackers use fairly common techniques to take over servers:

Attack weak passwords. A surprising number of servers and applications have default passwords or simple passwords. Hackers have automated tools that test your passwords, and if yours are easy ones, it will take virtually no time for your server to be theirs.

Phish key users. This now age-old trick is becoming even more sophisticated as hackers harvest passwords and access by targeting key users.

Exploit old software. Unpatched systems are an easy target, especially given all the well-known and distributed exploits for old software.

SMBs are the most vulnerable. The bad guys know that small organizations can't afford to spend significant dollars or time on security. Further, these organizations often don't have the resources to implement best practices the way enterprise-level organizations do. As a result, they become the intermediate hops that let the hacker dilute or mask the trail.

As mentioned above, you can protect your company without breaking the bank or piling on additional resources -- a few basic practices will get you there. Open source or inexpensive monitoring software lets you experiment with tools that carry little or no hard cost, so you can see what works best for your organization. Though open-source software typically requires more effort, it has the benefit of proving its value before any real dollars are spent. Open source is also generally more secure than closed source because it allows for more analysis from more users with different skills. As a result, security vulnerabilities are identified and fixed more quickly.

Here are a few simple protection techniques to start with:

Lock down who has access to your servers. Give access to only those users who need it and make sure that they understand how to secure their access with strong passwords -- or better yet, use cryptographic keys.

Track and monitor access. Monitor on a regular basis to ensure that only the people who should have access are on your system and that they are doing what they should be.

Harden your systems. Keep your servers updated and your configurations locked down. Patching your servers can be simple to execute depending upon the complexity of your application, and there are plenty of resources that describe solid configurations. For example, the National Institute of Standards and Technology maintains a comprehensive checklist for a number of operating systems and applications to help ensure secure configurations.
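One concrete way to apply the two preceding points (key-based access for a short list of users, and a locked-down configuration) is to audit the SSH daemon's configuration against a baseline. The script below is an added example, not code from the article or any checklist it refers to; the baseline values, the sample configuration files and the simplified parser (which stops at the first Match block) are assumptions chosen to illustrate the idea.

```python
"""Audit an sshd_config against a small hardening baseline.

Added example, not code from the article. The baseline below is an
assumption chosen to illustrate key-only access for a short list of
users: no root login, no password authentication, a bounded number of
authentication attempts and an explicit AllowUsers list.
"""
from __future__ import annotations

# Keyword (lower-cased) -> (expected value or predicate, reason).
# Assumed baseline, not an authoritative standard; adjust to your policy.
BASELINE = {
    "permitrootlogin": ("no", "interactive root login over SSH"),
    "passwordauthentication": ("no", "password logins can be guessed by automated tools"),
    "pubkeyauthentication": ("yes", "cryptographic keys instead of passwords"),
    "maxauthtries": (lambda v: v.isdigit() and int(v) <= 4, "limit guesses per connection"),
    "allowusers": (lambda v: bool(v.strip()), "restrict SSH to named accounts"),
}


def parse_sshd_config(text: str) -> dict[str, str]:
    """Return effective top-level directives.

    sshd keywords are case-insensitive and the first occurrence of a keyword
    wins, so earlier lines take precedence. Comments and blank lines are
    skipped; anything after the first 'Match' block is conditional and is
    left out of this simplified parser (assumption).
    """
    directives: dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()
        if key == "match":
            break
        value = parts[1].strip() if len(parts) > 1 else ""
        directives.setdefault(key, value)  # first occurrence wins
    return directives


def audit_sshd_config(text: str) -> list[str]:
    """Return human-readable findings; an empty list means the baseline is met."""
    directives = parse_sshd_config(text)
    findings: list[str] = []
    for key, (expected, reason) in BASELINE.items():
        value = directives.get(key)
        if value is None:
            findings.append(f"{key} is not set explicitly ({reason})")
            continue
        ok = expected(value) if callable(expected) else value.lower() == expected
        if not ok:
            findings.append(f"{key} is '{value}' ({reason})")
    return findings


# Constructed samples: a loose, default-style file beside a hardened one.
WEAK_CONFIG = """
# Typical out-of-the-box settings (constructed sample)
Port 22
PermitRootLogin yes
PasswordAuthentication yes
MaxAuthTries 6
"""

HARDENED_CONFIG = """
Port 22
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
MaxAuthTries 3
AllowUsers deploy ops-admin
"""

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        findings = audit_sshd_config(cfg)
        print(f"{name}: {len(findings)} finding(s)")
        for finding in findings:
            print("  -", finding)
```

Run it against a real file by reading the file contents into `audit_sshd_config`; the weak sample produces five findings and the hardened sample none. Treating an unset directive as a finding is deliberate: relying on a daemon default means the policy silently changes when the software is upgraded.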

Know who your servers are talking to. Lock down network access to your servers and track whether or not the servers are talking to the right systems. Most servers shouldn't be initiating communication with a lot of different servers or services. Just as you want to know who your children are talking to, know who your servers are talking to.
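The two monitoring points above, tracking who is logging in and knowing who the servers are talking to, can be turned into a small, regularly run check. The script below is an added example, not code from the article and not any of the tools mentioned elsewhere on the page; the log lines, the outbound-connection list and the policy values (allowed accounts, allowed source networks, allowed destinations, failure threshold) are all constructed assumptions.

```python
"""Review SSH access and outbound connections against an expected baseline.

Added example, not code from the article and not a product the author or
commenters mention. It parses constructed sshd log lines in the usual
syslog format plus a constructed list of outbound connections and reports
(1) bursts of failed password attempts, (2) successful logins by accounts
or from networks that are not expected and (3) outbound connections to
destinations outside an allowlist. The policy values are assumptions.
"""
from __future__ import annotations

import ipaddress
import re
from collections import Counter

# Assumed policy for a web server: who may log in, from which networks, and
# which destinations the server legitimately initiates connections to.
ALLOWED_USERS = {"deploy", "ops-admin"}
ALLOWED_SOURCE_NETS = [ipaddress.ip_network("10.0.0.0/8")]
ALLOWED_OUTBOUND = {("10.0.5.20", 5432), ("10.0.5.21", 6379)}  # database, cache
FAILED_THRESHOLD = 5  # failed attempts from one source before alerting

FAILED_RE = re.compile(r"Failed password for (?:invalid user )?(\S+) from (\S+) port \d+")
ACCEPTED_RE = re.compile(r"Accepted (publickey|password) for (\S+) from (\S+) port \d+")


def in_allowed_net(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in ALLOWED_SOURCE_NETS)


def review_auth_log(lines: list[str]) -> list[str]:
    """Return alerts for password-guessing bursts and unexpected logins."""
    alerts: list[str] = []
    failures: Counter[str] = Counter()
    for line in lines:
        m = FAILED_RE.search(line)
        if m:
            failures[m.group(2)] += 1
            continue
        m = ACCEPTED_RE.search(line)
        if m:
            method, user, src = m.groups()
            if user not in ALLOWED_USERS:
                alerts.append(f"login by unexpected account {user!r} from {src}")
            if not in_allowed_net(src):
                alerts.append(f"login by {user} from outside allowed networks: {src}")
            if method == "password":
                alerts.append(f"password (not key) login by {user} from {src}")
    for src, count in failures.items():
        if count >= FAILED_THRESHOLD:
            alerts.append(f"{count} failed password attempts from {src}")
    return alerts


def review_outbound(connections: list[tuple[str, int]]) -> list[str]:
    """Return alerts for outbound destinations that are not on the allowlist."""
    return [f"unexpected outbound connection to {ip}:{port}"
            for ip, port in connections if (ip, port) not in ALLOWED_OUTBOUND]


# Constructed sample data (not real logs); addresses are documentation ranges.
SAMPLE_AUTH_LOG = [
    "Nov  5 11:01:02 web1 sshd[2201]: Failed password for root from 203.0.113.9 port 51002 ssh2",
    "Nov  5 11:01:03 web1 sshd[2202]: Failed password for root from 203.0.113.9 port 51003 ssh2",
    "Nov  5 11:01:04 web1 sshd[2203]: Failed password for invalid user admin from 203.0.113.9 port 51004 ssh2",
    "Nov  5 11:01:05 web1 sshd[2204]: Failed password for invalid user test from 203.0.113.9 port 51005 ssh2",
    "Nov  5 11:01:06 web1 sshd[2205]: Failed password for root from 203.0.113.9 port 51006 ssh2",
    "Nov  5 11:02:10 web1 sshd[2230]: Accepted publickey for deploy from 10.0.1.15 port 40212 ssh2",
    "Nov  5 11:03:44 web1 sshd[2241]: Accepted password for admin from 198.51.100.7 port 40300 ssh2",
]
SAMPLE_OUTBOUND = [("10.0.5.20", 5432), ("198.51.100.77", 6667)]

if __name__ == "__main__":
    for alert in review_auth_log(SAMPLE_AUTH_LOG) + review_outbound(SAMPLE_OUTBOUND):
        print("ALERT:", alert)
```

On the sample data the key-based login by `deploy` from the internal network is silent, the password login by `admin` from an outside address raises three separate alerts, the five failures from one source raise a brute-force alert, and the connection to an unlisted host on port 6667 is flagged. In practice the outbound list would come from the host's own connection table and the allowlist would be derived from what the application is documented to need; anything the server initiates beyond that is exactly the "who are your servers talking to" question the article raises.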

Unfortunately, any business with an Internet presence is a potential target, whether or not it has valuable digital assets. While executing these basic techniques won't eliminate compromises, they will increase the effort a potential hacker needs to make in order to take control of a server, making it more likely that the hacker will move on to an easier target.

Comments
Rajat Bhargava,
User Rank: Apprentice
11/12/2013 | 9:57:07 PM
re: Don't Be A Hacker's Puppet
Hello – a contracted IT provider is a perfectly acceptable method of solving the problem. There are, of course, issues that need to be reviewed with any firm or consultant that you hire, which is a separate but important topic. I do believe an organization's data is important to them irrespective of whether it is confidential, financial data, or personally identifiable information, but the challenge is how you actually solve the problem of keeping it secure. For many organizations that is a daunting task and one that can be very expensive. I do believe that most organizations have the best of intentions, but how you get from here to there is not always clear or easy, which is why we are trying to help people understand the problem and potential options to solve it.
Rajat Bhargava,
User Rank: Apprentice
11/12/2013 | 7:46:42 PM
re: Don't Be A Hacker's Puppet
Hi, Doug! For tracking and monitoring access, we'd recommend OSSEC. For server hardening, Nessus provides great suggestions for ways to lock down your servers. Snort can help you understand who your servers are talking to. As far as locking down access to your servers as well as gaining high-value security and patch monitoring, I recommend JumpCloud. Full disclosure: I'm CEO of JumpCloud.
PaulS681,
User Rank: Apprentice
11/9/2013 | 10:11:59 PM
re: Don't Be A Hacker's Puppet
I think you can cut your chances of being hacked by following some best practices:
-Make users change their passwords at least every 6 months, preferably 3.
-Keep your servers patched. Don't run unsupported OSes.
-Have antivirus on all machines that updates every day.
-Enforce complex passwords.
PaulS681,
User Rank: Apprentice
11/9/2013 | 10:06:05 PM
re: Don't Be A Hacker's Puppet
Nice article Rajat. It is all too common that companies don't spend the necessary time and effort on security. To me it's worth getting a contracted IT provider to help you with security. Weak passwords are a big concern, or passwords that don't need to be changed. You just have to ask how important your data is and whether you want publicity from being hacked and unknowingly contributing to a bigger hack.
D. Henschen,
User Rank: Apprentice
11/5/2013 | 6:30:17 PM
re: Don't Be A Hacker's Puppet
Rajat: How about sharing a few names of the kind of open source or inexpensive security tools you mention. This advice would be easier to implement if you point us in the right direction.