Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Attacks/Breaches

11/5/2013
11:08 AM
Rajat Bhargava
Rajat Bhargava
Commentary
50%
50%

Don't Be A Hacker's Puppet

Even if your company is not a primary target, hackers may be using you to get to the big fish. Here's how to protect your servers without breaking the bank.

With the Halloween season just in our rearview, I can't help but be reminded of the body snatcher movies, where human beings are converted to zombies and centrally controlled. Unfortunately, this is an apt analogy for what is happening every day on the Internet.

Countless servers are being converted to zombie or drone systems as part of botnets or coordinated attack machines. The risk to organizations is significant. A compromised network can result in embarrassment as you are blamed for the attacks on high-value targets and potentially massive costs from bandwidth and server utilization. Also, being blacklisted on the Internet makes it much harder to do business. Worse, if your infrastructure is used in a particularly heinous crime, it could be confiscated.

Many organizations simply don't believe they are a target. They don't host credit cards, conduct financial transactions or save personal information, so why would a hacker care about them?

In fact, hackers count on finding people who think exactly this way. These "low-value targets" are often left wide open and become the unwitting accomplice to attacks on the "high-value targets" such as banks and government sites. Every organization with servers connected to the Internet should care about this issue, or the results could be disastrous. The good news is that you don't need to spend significant money and time on security to make sure you don't end up a hacker's puppet.

[ As hackers get more sophisticated, it's time to step up the defenses. Read Is Your DNS Server A Weapon? ]

Hackers focus in on the easy targets. They aren't interested in working too hard on low-value targets. They want to compromise the server quickly or they will move on to another one. Their ultimate goal is not to compromise most of us, but to use us to get to the real money.

Most hackers use fairly common techniques to take over servers:

Attack weak passwords. A surprising number of servers and applications have default passwords or simple passwords. Hackers have automated tools that test your passwords, and if you have easy ones it will take virtually no time for your server to be theirs.

Phish key users. A now age-old trick that is becoming even more sophisticated as hackers pick up passwords and access by targeting key users.

Exploit old software. Unpatched systems are an easy target, especially given all the well-known and distributed exploits for old software.

SMBs are the most vulnerable. The bad guys know that small organizations can't afford to spend significant dollars or time on security. Further, these organizations often don't have the resources to implement best practices as enterprise-level organizations do. As a result, they allow the hacker to dilute or mask their trail.

As mentioned above, you can protect your company without breaking the bank or piling on additional resources -- a few basic practices will get you there. Open source or inexpensive monitoring software will let you experiment with low- or no "hard"-cost tools to see what works best for your organization. Though open-source software typically requires more effort, it has the benefit of proving success before any real dollars are spent. Open source is also generally more secure than closed source because it allows for more analysis from more users with different skills. As a result, security vulnerabilities are identified and fixed more quickly.

Here are a few simple protection techniques to start with:

Lock down who has access to your servers. Give access to only those users who need it and make sure that they understand how to secure their access with strong passwords -- or better yet, use cryptographic keys.

Track and monitor access. Monitor on a regular basis to ensure that only the people who should have access are on your system and that they are doing what they should be.

Harden your systems. Keep your servers updated and your configurations locked down. Patching your servers can be simple to execute depending upon the complexity of your application, and there are plenty of resources that describe solid configurations. For example, the National Institute of Standards and Technology maintains a comprehensive checklist for a number of operating systems and applications to help ensure secure configurations.

Know who your servers are talking to. Lock down network access to your servers and track whether or not the servers are talking to the right systems. Most servers shouldn't be initiating communication with a lot of different servers or services. Just as you want to know who your children are talking to, know who your servers are talking to.

Unfortunately, any business with an Internet presence is a potential target, whether or not it has valuable digital assets. While executing these basic techniques won't eliminate compromises, they will increase the effort a potential hacker needs to make in order to take control of a server, making it more likely that the hacker will move on to an easier target.

Comment  | 
Print  | 
More Insights
Comments
Threaded  |  Newest First  |  Oldest First
D. Henschen
50%
50%
D. Henschen,
User Rank: Apprentice
11/5/2013 | 6:30:17 PM
re: Don't Be A Hacker's Puppet
Rajat: How about sharing a few names of the kind of open source or inexpensive security tools you mention. This advice would be easier to implement if you point us in the right direction.
PaulS681
50%
50%
PaulS681,
User Rank: Apprentice
11/9/2013 | 10:11:59 PM
re: Don't Be A Hacker's Puppet
I think
you can cut your chances of being hacked by following some best practices:
-Make users change their passwords at least every 6 months, preferably 3.
-Keep your servers patched. Don't run unsupported OS's.
-Have antivirus on all machines that updates every day.
-Enforce complex passwords.
Rajat Bhargava
50%
50%
Rajat Bhargava,
User Rank: Apprentice
11/12/2013 | 7:46:42 PM
re: Don't Be A Hacker's Puppet
Hi, Doug! For tracking and monitoring access, we'd recommend OSSEC. For server hardening, Nessus provides great suggestions for ways to lock down your servers. Snort can help you understand who your servers are talking to. As far as locking down access to your servers as well as gaining high-value security and patch monitoring, I recommend JumpCloud. Full disclosure: I'm CEO of JumpCloud.
PaulS681
50%
50%
PaulS681,
User Rank: Apprentice
11/9/2013 | 10:06:05 PM
re: Don't Be A Hacker's Puppet
Nice article
Rajat. It is all to common where companies don't spend the necessary time and
effort on security. To me it's worth getting a contracted IT provider to help
you with security. Weak passwords are a big concern or passwords that don't
need to be changed. You just have to say how important is your data and do you
want publicity from being hacked and unknowingly contributing to a bigger hack?
Rajat Bhargava
50%
50%
Rajat Bhargava,
User Rank: Apprentice
11/12/2013 | 9:57:07 PM
re: Don't Be A Hacker's Puppet
Hello G a contracted IT provider is a perfectly acceptable method of solving the problem. There are, of course, issues that need to be reviewed with any firm or consultant that you hire which is a separate, but important topic. I do believe an organizationGs data is important to them irrespective of if it is confidential, financial data, or personally identifiable information, but the challenge is how do you actually solve the problem of keeping it secure. For many organizations that is a daunting task and one that can be very expensive. I do believe that most organizations have the best of intentions, but how you get from here to there is not always clear nor easy which is why we are trying to help people understand the problem and potential options to solve it.
Data Privacy Protections for the Most Vulnerable -- Children
Dimitri Sirota, Founder & CEO of BigID,  10/17/2019
Sodinokibi Ransomware: Where Attackers' Money Goes
Kelly Sheridan, Staff Editor, Dark Reading,  10/15/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
7 Threats & Disruptive Forces Changing the Face of Cybersecurity
This Dark Reading Tech Digest gives an in-depth look at the biggest emerging threats and disruptive forces that are changing the face of cybersecurity today.
Flash Poll
2019 Online Malware and Threats
2019 Online Malware and Threats
As cyberattacks become more frequent and more sophisticated, enterprise security teams are under unprecedented pressure to respond. Is your organization ready?
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-18214
PUBLISHED: 2019-10-19
The Video_Converter app 0.1.0 for Nextcloud allows denial of service (CPU and memory consumption) via multiple concurrent conversions because many FFmpeg processes may be running at once. (The workload is not queued for serial execution.)
CVE-2019-18202
PUBLISHED: 2019-10-19
Information Disclosure is possible on WAGO Series PFC100 and PFC200 devices before FW12 due to improper access control. A remote attacker can check for the existence of paths and file names via crafted HTTP requests.
CVE-2019-18209
PUBLISHED: 2019-10-19
templates/pad.html in Etherpad-Lite 1.7.5 has XSS when the browser does not encode the path of the URL, as demonstrated by Internet Explorer.
CVE-2019-18198
PUBLISHED: 2019-10-18
In the Linux kernel before 5.3.4, a reference count usage error in the fib6_rule_suppress() function in the fib6 suppression feature of net/ipv6/fib6_rules.c, when handling the FIB_LOOKUP_NOREF flag, can be exploited by a local attacker to corrupt memory, aka CID-ca7a03c41753.
CVE-2019-18197
PUBLISHED: 2019-10-18
In xsltCopyText in transform.c in libxslt 1.1.33, a pointer variable isn't reset under certain circumstances. If the relevant memory area happened to be freed and reused in a certain way, a bounds check could fail and memory outside a buffer could be written to, or uninitialized data could be disclo...