Attacks/Breaches
11/5/2013 11:08 AM
Rajat Bhargava
Commentary

Don't Be A Hacker's Puppet

Even if your company is not a primary target, hackers may be using you to get to the big fish. Here's how to protect your servers without breaking the bank.

With the Halloween season just in our rearview, I can't help but be reminded of the body snatcher movies, where human beings are converted to zombies and centrally controlled. Unfortunately, this is an apt analogy for what is happening every day on the Internet.

Countless servers are being converted to zombie or drone systems as part of botnets or coordinated attack machines. The risk to organizations is significant. A compromised network can result in embarrassment as you are blamed for the attacks on high-value targets and potentially massive costs from bandwidth and server utilization. Also, being blacklisted on the Internet makes it much harder to do business. Worse, if your infrastructure is used in a particularly heinous crime, it could be confiscated.

Many organizations simply don't believe they are a target. They don't host credit cards, conduct financial transactions or save personal information, so why would a hacker care about them?

In fact, hackers count on finding people who think exactly this way. These "low-value targets" are often left wide open and become the unwitting accomplice to attacks on the "high-value targets" such as banks and government sites. Every organization with servers connected to the Internet should care about this issue, or the results could be disastrous. The good news is that you don't need to spend significant money and time on security to make sure you don't end up a hacker's puppet.


Hackers focus on the easy targets. They aren't interested in working too hard on low-value targets. They want to compromise the server quickly, or they will move on to another one. Their ultimate goal is not to compromise most of us, but to use us to get to the real money.

Most hackers use fairly common techniques to take over servers:

Attack weak passwords. A surprising number of servers and applications have default passwords or simple passwords. Hackers have automated tools that test your passwords, and if you have easy ones it will take virtually no time for your server to be theirs.

Phish key users. A now age-old trick that is becoming even more sophisticated as hackers pick up passwords and access by targeting key users.

Exploit old software. Unpatched systems are an easy target, especially given all the well-known and distributed exploits for old software.

SMBs are the most vulnerable. The bad guys know that small organizations can't afford to spend significant dollars or time on security. Further, these organizations often don't have the resources to implement best practices the way enterprise-level organizations do. As a result, their systems become stepping stones that let the hacker dilute or mask the trail back to the real source of an attack.

As mentioned above, you can protect your company without breaking the bank or piling on additional resources -- a few basic practices will get you there. Open source or inexpensive monitoring software will let you experiment with low- or no-cost tools to see what works best for your organization. Though open-source software typically requires more effort, it has the benefit of proving success before any real dollars are spent. Open source is also generally more secure than closed source because it allows for more analysis from more users with different skills. As a result, security vulnerabilities are identified and fixed more quickly.

Here are a few simple protection techniques to start with:

Lock down who has access to your servers. Give access to only those users who need it and make sure that they understand how to secure their access with strong passwords -- or better yet, use cryptographic keys.

Track and monitor access. Monitor on a regular basis to ensure that only the people who should have access are on your system and that they are doing what they should be.

Harden your systems. Keep your servers updated and your configurations locked down. Patching your servers can be simple to execute depending upon the complexity of your application, and there are plenty of resources that describe solid configurations. For example, the National Institute of Standards and Technology maintains a comprehensive checklist for a number of operating systems and applications to help ensure secure configurations.

Know who your servers are talking to. Lock down network access to your servers and track whether or not the servers are talking to the right systems. Most servers shouldn't be initiating communication with a lot of different servers or services. Just as you want to know who your children are talking to, know who your servers are talking to.
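The four practices above are the kind of checks a small shop can script in an afternoon. The following Python audit is an added example, not code from the article or from any product it mentions: it checks an sshd configuration for key-only access (lock down access), reviews sshd auth-log lines for brute force and unexpected logins (track and monitor access), and compares established outbound connections against an allowlist (know who your servers are talking to). Every input is a constructed sample embedded in the script, and the allowed users, allowed peers, and failure threshold are assumptions chosen for the example.

```python
"""Added example: a small host audit for three of the four practices in the
article. All inputs below are constructed samples; ALLOWED_USERS, ALLOWED_PEERS
and the brute-force threshold are assumptions, not values from the article."""
import re
from collections import Counter

# --- 1. Lock down access: key-only SSH and no direct root login ------------
# Constructed sshd_config fragment with two weak settings still in place.
SAMPLE_SSHD_CONFIG = """\
Port 22
PermitRootLogin yes
PasswordAuthentication yes
PubkeyAuthentication yes
"""
# Directive values a hardened host should show (assumed baseline).
WANTED_SSHD = {
    "PasswordAuthentication": "no",
    "PermitRootLogin": "no",
    "PubkeyAuthentication": "yes",
}

def audit_sshd_config(text):
    """Return findings for every directive that differs from WANTED_SSHD."""
    settings = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        key, _, value = line.partition(" ")
        settings[key] = value.strip().lower()   # normalise for comparison
    return [f"{key} is {settings.get(key, 'unset')}, expected {want}"
            for key, want in WANTED_SSHD.items() if settings.get(key) != want]

# --- 2. Track and monitor access: review sshd auth-log lines ---------------
# Constructed lines in OpenSSH's syslog format: 203.0.113.9 hammers root,
# then gets in as "guest" with a password; "deploy" logs in with a key.
SAMPLE_AUTH_LOG = [
    f"Nov  5 10:01:{s:02d} web1 sshd[23{s:02d}]: Failed password for root "
    f"from 203.0.113.9 port 512{s:02d} ssh2" for s in range(2, 8)
] + [
    "Nov  5 10:02:10 web1 sshd[2350]: Accepted publickey for deploy from 198.51.100.7 port 40100 ssh2",
    "Nov  5 10:03:33 web1 sshd[2377]: Accepted password for guest from 203.0.113.9 port 51300 ssh2",
    "Nov  5 10:04:01 web1 sshd[2390]: Failed password for invalid user admin from 203.0.113.9 port 51310 ssh2",
]
ALLOWED_USERS = {"deploy", "ops"}   # assumed: the only accounts that should log in remotely
AUTH_RE = re.compile(
    r"sshd\[\d+\]: (Accepted|Failed) (\S+) for (?:invalid user )?(\S+) from (\S+) port")

def review_auth_log(lines, allowed_users, fail_threshold=5):
    """Summarise brute-force sources, logins by unexpected users, and password logins."""
    failures = Counter()
    unexpected, password_logins = [], []
    for line in lines:
        m = AUTH_RE.search(line)
        if not m:
            continue                      # not an sshd authentication event
        outcome, method, user, src = m.groups()
        if outcome == "Failed":
            failures[src] += 1
            continue
        if user not in allowed_users:     # a successful login that should not have happened
            unexpected.append((user, src))
        if method == "password":          # keys were the goal; password logins are a finding
            password_logins.append((user, src))
    return {
        "brute_force_sources": sorted(s for s, n in failures.items() if n >= fail_threshold),
        "unexpected_logins": unexpected,
        "password_logins": password_logins,
    }

# --- 3. Know who your servers are talking to -------------------------------
# Constructed rows shaped like `ss -tn` output (header plus four sockets).
SAMPLE_SS_OUTPUT = [
    "State Recv-Q Send-Q Local Address:Port Peer Address:Port",
    "ESTAB 0 0 10.0.0.5:43210 198.51.100.20:443",
    "ESTAB 0 0 10.0.0.5:43211 203.0.113.77:6667",
    "ESTAB 0 0 10.0.0.5:51000 10.0.0.9:5432",
    "LISTEN 0 128 0.0.0.0:22 0.0.0.0:*",
]
# Assumed allowlist: the only (host, port) peers this web server should reach.
ALLOWED_PEERS = {("198.51.100.20", "443"), ("10.0.0.9", "5432")}

def check_outbound(ss_lines, allowed_peers):
    """Return established peers that are not on the allowlist."""
    unexpected = []
    for line in ss_lines:
        parts = line.split()
        if len(parts) < 5 or parts[0] != "ESTAB":
            continue                      # skip header and listening sockets
        remote = parts[4]
        host, _, port = remote.rpartition(":")
        if (host, port) not in allowed_peers:
            unexpected.append(remote)
    return unexpected

if __name__ == "__main__":
    print("sshd_config:", audit_sshd_config(SAMPLE_SSHD_CONFIG))
    print("auth log:", review_auth_log(SAMPLE_AUTH_LOG, ALLOWED_USERS))
    print("outbound:", check_outbound(SAMPLE_SS_OUTPUT, ALLOWED_PEERS))
```

On a real host the three inputs would be read from /etc/ssh/sshd_config, the auth log (/var/log/auth.log, /var/log/secure, or `journalctl -u ssh`), and the output of `ss -tn`; the point of the sample data is that each finding maps back to one of the article's practices: the config still allows password and root logins, a single source racked up seven failures before getting in as an account nobody sanctioned, and the server holds a connection to a peer that is not in the allowlist.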

Unfortunately, any business with an Internet presence is a potential target, whether or not it has valuable digital assets. While executing these basic techniques won't eliminate compromises, they will increase the effort a potential hacker needs to make in order to take control of a server, making it more likely that the hacker will move on to an easier target.

Comments
Rajat Bhargava,
User Rank: Apprentice
11/12/2013 | 9:57:07 PM
re: Don't Be A Hacker's Puppet
Hello. A contracted IT provider is a perfectly acceptable method of solving the problem. There are, of course, issues that need to be reviewed with any firm or consultant that you hire, which is a separate, but important topic. I do believe an organization's data is important to them irrespective of if it is confidential, financial data, or personally identifiable information, but the challenge is how do you actually solve the problem of keeping it secure. For many organizations that is a daunting task and one that can be very expensive. I do believe that most organizations have the best of intentions, but how you get from here to there is not always clear nor easy, which is why we are trying to help people understand the problem and potential options to solve it.
Rajat Bhargava,
User Rank: Apprentice
11/12/2013 | 7:46:42 PM
re: Don't Be A Hacker's Puppet
Hi, Doug! For tracking and monitoring access, we'd recommend OSSEC. For server hardening, Nessus provides great suggestions for ways to lock down your servers. Snort can help you understand who your servers are talking to. As far as locking down access to your servers as well as gaining high-value security and patch monitoring, I recommend JumpCloud. Full disclosure: I'm CEO of JumpCloud.
PaulS681,
User Rank: Apprentice
11/9/2013 | 10:11:59 PM
re: Don't Be A Hacker's Puppet
I think you can cut your chances of being hacked by following some best practices:
- Make users change their passwords at least every 6 months, preferably 3.
- Keep your servers patched. Don't run unsupported OS's.
- Have antivirus on all machines that updates every day.
- Enforce complex passwords.
PaulS681,
User Rank: Apprentice
11/9/2013 | 10:06:05 PM
re: Don't Be A Hacker's Puppet
Nice article Rajat. It is all too common where companies don't spend the necessary time and effort on security. To me it's worth getting a contracted IT provider to help you with security. Weak passwords are a big concern, or passwords that don't need to be changed. You just have to say how important is your data and do you want publicity from being hacked and unknowingly contributing to a bigger hack?
D. Henschen,
User Rank: Apprentice
11/5/2013 | 6:30:17 PM
re: Don't Be A Hacker's Puppet
Rajat: How about sharing a few names of the kind of open source or inexpensive security tools you mention. This advice would be easier to implement if you point us in the right direction.