DMC ITSY 2430 - Stop Hacker Attacks at the OS Level
INTERNET SECURITY ADVISOR - SEPTEMBER/OCTOBER 2000
Platform Security

Stop Hacker Attacks at the OS Level
Firewalls aren't enough to protect your system. You must safeguard the operating system and the applications running on it.

By Dr. Yona Hollander and Romain Agostini

Dr. Yona Hollander is vice president of strategy for ClickNet Security Technologies, a leading provider of proactive anti-hacking solutions for e-business. Hollander is responsible for identifying security market trends and engaging ClickNet's product development resources to engineer new and innovative anti-hacking solutions.

Romain Agostini is director of security research for ClickNet Security Technologies, where he manages the entercept(TM) Knowledge Acquisition Team (eKat). ClickNet's eKat researches computer and Internet vulnerabilities and develops signatures for ClickNet's entercept product line.

OS Level Security technologies covered: Firewalls; Intrusion Detection Systems; Network-based Intrusion Detection Systems; Intrusion Prevention Systems.

Despite the benefits of current security solutions, hackers continue to circumvent firewalls to gain access to corporate servers. Once there, they can disrupt critical business functions (e-commerce) and gain illegal access to confidential data. To achieve their goals, these intruders attempt to exploit security holes both in the operating system (OS) and in the applications running on top of it. New vulnerabilities are discovered daily, and the hacking community is primed to find ways and means to exploit these weak spots. To date, system administrators have relied on vendor patches and kludges to plug the holes, but these fixes are seldom available in a timely fashion. The effort to dispatch them to the whole server infrastructure is time-consuming, labor-intensive, and disruptive. Fixing one problem often creates new ones.

Protecting the operating system and the application layers is fundamental to preventing a hacker from destroying files, defacing Web sites, accessing confidential data, and disrupting or crashing Web applications. In a 2000 survey, 60 percent of organizations indicated they had suffered security breaches in the last two years. Another 2000 survey established that over half the respondents reported between two and ten attacks, and 64 percent of those had suffered Web site vandalism. Yet no existing solution tackles the problem in an adequate manner. There's clearly a need for more advanced technologies, as the future growth of e-business is largely dependent on the ability of the security market to keep ahead of the hacker community.

Existing solutions aren't enough

Firewalls are the main perimeter protection tool, effectively determining which ports into the corporate network are left open. These open ports provide a conduit for the hacker to bypass the firewall and break into a server machine. A good example is port 80 (the HTTP protocol), which Web servers use and which is therefore always left open. An attacker can send a specially crafted HTTP request that is still well-formed HTTP, so it passes right through the firewall and exploits a vulnerability in the Web server. The HTTP request causes a chain of events that ultimately lets the intruder obtain privileged access to the Web server machine. This may seem like a far-fetched scenario, but executable programs that do this are widely available for download off the Internet for those who look for them.

A recent example is the MDAC RDS vulnerability exposed through Microsoft's IIS Web server. MDAC is a package used to integrate Web and database services. It includes the RDS component, which provides remote access to database objects through IIS. Exploiting a vulnerability in RDS, provided that several conditions on the target Web site are met, attackers can invoke the shell() VBA command with System privileges on the Web server, forcing it to execute highly privileged system commands on their behalf. The firewall sees the communication packets as a valid HTTP stream and doesn't block the data exchange, but the hacker gains privileged access to the Web server, leading to full control of the machine itself. The attackers have cracked the hard shell that the firewall was supposed to be and gained access to the data content of your Web server.

Typically, the DNS port is also left open. DNS provides name resolution services and is crucial for providing access to sites. The BIND program (on UNIX) is the most popular DNS server and has a well-known history of exploitable vulnerabilities. Potential attackers can gain full control of the machine and use several techniques to redirect communication.

Intrusion detection products are perceived to be the complementary solution to perimeter security. Intrusion detection tools are reactive monitoring tools that let a security expert identify attack attempts. However, these tools have limited detection capabilities and don't provide on-the-spot attack prevention.

Network-based Intrusion Detection Systems (NIDS) employ sensors that record all communication packets on a network segment. This solution is extremely elegant, as no software is installed on production machines, providing a transparent and easy-to-manage solution. Despite its elegance, there are several inherent problems with the NIDS approach.

1. NIDS aren't blocking and therefore can't prevent attacks in real time. They listen to packets on the wire, but don't block the transfer of the packet. In most cases, the packet reaches its destination and is processed prior to its interpretation by the NIDS. As a result, an attack is often successful before the NIDS identifies it. Even when the NIDS is quick enough to identify the attack, it still has very limited means of reaction. It can alert an operator, or attempt to terminate the communication session (typically by injecting TCP resets after the fact). Most often, these means are inadequate for real-time termination of the attack and only provide data for some post-mortem analysis.

2. NIDS have fundamental difficulties in identifying many attacks. In their paper, "Insertion, Evasion and Denial of Service: Eluding Network Intrusion Detection," Ptacek and Newsham from Secure Networks, Inc., give some important examples of the limitations of NIDS. These examples demonstrate several basic facts:

• At the wire level, the information is partial, and it's difficult, if not impossible, to build a high-level picture out of the details. Data and configuration information that can easily be retrieved at the machine level aren't known at the wire level. As a result, the context of the monitored
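The two gaps the article describes, as an added simulation that is not part of the original article and not ClickNet's code: a port-filtering firewall passes any stream on port 80 regardless of payload, and a wire-level sensor that neither verifies TCP checksums nor models how many hops remain to the host reassembles a different byte stream than the host does (the insertion attack from Ptacek and Newsham), so only the host's own view contains the request the Web server actually processes. The signature string, the segment contents, the three-hop distance between sensor and host, and the "first data wins on overlap" reassembly policy are all constructed assumptions for the example.

```python
"""
Constructed simulation of a port-only firewall and a naive wire-level NIDS
versus the host's own view of a TCP stream. Nothing here is real exploit
traffic; SIGNATURE and the segment payloads are made up for the example.
"""
from dataclasses import dataclass
from typing import Callable, Iterable, List, Tuple

# Constructed signature: the byte pattern the sensor is assumed to look for.
SIGNATURE = b"/attack"

# Assumed topology: the sensor sits three router hops in front of the host,
# so a segment with TTL <= 3 reaches the sensor but is discarded before the host.
HOPS_SENSOR_TO_HOST = 3


@dataclass
class Segment:
    """A TCP segment as both the sensor and the host would see it on the wire."""
    seq: int
    payload: bytes
    dst_port: int = 80
    checksum_ok: bool = True
    ttl: int = 64


def firewall_allows(seg: Segment, open_ports=frozenset({80, 53})) -> bool:
    """A packet-filter firewall decides on the destination port, never the payload."""
    return seg.dst_port in open_ports


def reassemble(segments: Iterable[Segment], accept: Callable[[Segment], bool]) -> bytes:
    """Rebuild the byte stream; on overlapping sequence numbers the first data wins."""
    stream = {}
    for seg in segments:
        if not accept(seg):
            continue
        for offset, byte in enumerate(seg.payload):
            stream.setdefault(seg.seq + offset, byte)
    return bytes(stream[k] for k in sorted(stream))


def nids_accepts(seg: Segment) -> bool:
    """A naive sensor keeps every segment: it does not verify the TCP checksum
    and has no idea how many hops remain between itself and the host."""
    return True


def host_accepts(seg: Segment) -> bool:
    """The host's TCP stack drops corrupt segments, and a segment whose TTL
    expires in transit never arrives at all."""
    return seg.checksum_ok and seg.ttl > HOPS_SENSOR_TO_HOST


def compare_views(segments: List[Segment]) -> Tuple[bool, bool, bool]:
    """Return (firewall_passed_all, nids_alerted, host_received_signature)."""
    passed = [s for s in segments if firewall_allows(s)]
    nids_stream = reassemble(passed, nids_accepts)
    host_stream = reassemble(passed, host_accepts)
    return (len(passed) == len(segments), SIGNATURE in nids_stream, SIGNATURE in host_stream)


# Plain attack: identical bytes at sensor and host; the sensor fires, but only
# after the host has already received the request.
PLAIN = [Segment(0, b"GET /attack HTTP/1.0\r\n")]

# Insertion via bad checksum: junk with a broken checksum is sent first for the
# same sequence range; the sensor keeps it, the host throws it away.
INSERTION_CHECKSUM = [
    Segment(0, b"GET /"),
    Segment(5, b"XYZX", checksum_ok=False),
    Segment(5, b"attack"),
    Segment(11, b" HTTP/1.0\r\n"),
]

# Insertion via TTL: same trick, but the junk segment's TTL runs out between
# the sensor and the host.
INSERTION_TTL = [
    Segment(0, b"GET /"),
    Segment(5, b"XYZX", ttl=2),
    Segment(5, b"attack"),
    Segment(11, b" HTTP/1.0\r\n"),
]

# A closed port is stopped at the firewall; the payload never matters there.
BLOCKED_PORT = [Segment(0, b"GET /attack HTTP/1.0\r\n", dst_port=23)]


if __name__ == "__main__":
    for name, traffic in [("plain", PLAIN), ("insertion/checksum", INSERTION_CHECKSUM),
                          ("insertion/ttl", INSERTION_TTL), ("blocked port", BLOCKED_PORT)]:
        fw, nids, host = compare_views(traffic)
        print(f"{name:20s} firewall_passed={fw} nids_alerted={nids} host_got_attack={host}")
```

In both insertion cases the sensor reassembles "GET /XYZXck HTTP/1.0" while the host reassembles "GET /attack HTTP/1.0": the firewall passed every segment because they were all port 80, the NIDS never matched, and the only place the real request exists is on the host itself, which is the article's argument for enforcing policy at the OS level.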

