Auditing Security Measures Preventing Automated Attacks

Root Tools to Gain Access

Attackers are those who attempt to gain unauthorized access to your business and personal systems. It should surprise no one that attackers do not need programming skills or profound knowledge of communications systems in order to gain "root" or "administrative" access to a system or application.

The tools of the attacker's trade, whether the attacker is inside or outside your organization, include programs that will give them what they want: administrator or root access to the target. Attackers currently have the ability to launch automated tools that scan ports looking for listening sockets.

Experience Note

Sockets are programs listening at Transmission Control Protocol (TCP) or User Datagram Protocol (UDP) ports, waiting to accept incoming traffic.

The act of gaining administrator or root access is commonly called "rooting" or "busting root" on a system. Attackers use tools that scan networks, and even standalone machines, for exploitable applications and other vulnerabilities. Once a system is successfully compromised, virtually any type of malicious code can be installed. Sensitive data, including proprietary information, may be captured and stolen; Web pages can be vandalized; or services may be installed that allow attackers to launch denial-of-service (DoS) attacks against other systems. When the information packets are traced, they lead back to your compromised system.

Experience Note

Many legal experts do not understand that the return address on information packets, the Internet Protocol (IP) address, does not necessarily reflect the packet's true origin.

Computer networks that have been compromised by attackers often have the logged evidence of the attackers' origins erased, making the determination of who and where the attacker is virtually impossible. Often lawyers and law enforcement officers ask for the IP address of someone sending an obscene e-mail, only to find the IP address is incorrect and not traceable.

Who Uses Attacking Tools?

Automated network and vulnerability scanning tools may be used for legitimate auditing reasons as well as illegitimate purposes. This is not the case with attacker root tools. In the Internet community, attackers having little if any true technical skill and even less regard for the resources of others are known as "script kiddies."

Usually, script kiddies have little, if any, idea how or why an exploit works; nevertheless, they are successful because they have the leisure time and resources to scan thousands of systems without any consideration of the damage they cause or the resources they waste. Script kiddies locate root tools and other vulnerability tools on the Internet, then download, install, configure, click, and attack.

A few years ago, attackers needed a port scanning tool, similar to Nmap, to explore and map large ranges of networks. Once done, the attacker would then review the data her tool had collected. She looked for specific open ports, vulnerable versions of operating systems, or exploitable services. From this, she would construct a list of potential targets. After deciding the easiest way to gain entry, the attacker would enter the system, install malicious code on the compromised systems, erase the log files that documented her activities, and repeat the process on the compromised systems to launch attacks on other systems to disguise her identity.

With the arrival of automated root tools, an attacker does not need to manually scan systems for open ports or operating system information. The technical knowledge required earlier is no longer required. Attackers using automated root tools merely point them at a range of IP addresses and launch the tool. Every network device within the specified address range will be tested for potential vulnerabilities. The root tool organizes all collected data and then launches attacks against the exploitable machines. If the tool is successful, it will delete log entries in an attempt to remove traces of its intrusive activities.

The ramifications of this type of point-and-click attacking are frightening for system professionals and users. Today, a relative novice can attack literally hundreds of systems in a matter of a few hours. If only one in two hundred machines is vulnerable, the attacker can have visibility into dozens of vulnerable machines by one night's work. Entire networks may be caught if they are not properly updated with the latest security patches or if they have been improperly configured. Root tools can be configured to attack the systems surrounding the target. As an example, if a packet screen is improperly configured, a compromised interior network server can be used by the attacker to attack machines on the interior network.

What is the defense against automated attacker tools? It boils down to protection based on system best practices:

  • Workstations and servers must install updated antivirus software because root tools may spread via e-mail and Web scripts. Today's antivirus software will detect and stop root tools.

  • Disabling services. Removing or disabling unnecessary services from all system devices is an important step in defending against root tools. Many root tools spread through compromised services, so this step will go a long way toward thwarting them.

  • Firewalls. Packet screens filtering ingress and egress traffic will be effective. Partition sensitive interior systems using firewalls. This measure can be used to prevent and contain the proliferation of root tools.

  • Intrusion detection systems can act like alarms by alerting employees of malicious activities.

  • Update your systems. Successful root tools depend on security holes in a system or in the systems connected to it. Systems must be updated with the latest patches to thwart these automated tools.
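The "sockets" note and the "disabling services" item above describe an audit check a defender can actually run: list what is listening on each host and compare it against the services that host is supposed to offer. The following is an added example, not code from the book, written in Python. It parses output in the layout produced by `ss -H -l -t -u -n` on Linux (the sample lines, the "web server" allow-list and the hostname are constructed for the example) and reports listeners that are not on the allow-list, separating loopback-only listeners, which are not reachable from the network, from those bound to all interfaces.

```python
"""Audit listening TCP/UDP sockets against an allow-list of expected services.

Added example (not from the book). The sample `ss` output, the allow-list and
the role name are constructed; on a real host you would feed in the output of
`ss -H -l -t -u -n` and an allow-list taken from the host's build standard.
"""
from dataclasses import dataclass
from typing import Iterable, List, Set, Tuple

# Constructed sample in the column layout of `ss -H -l -t -u -n`:
# Netid State Recv-Q Send-Q Local-Address:Port Peer-Address:Port
SAMPLE_SS_OUTPUT = """\
udp   UNCONN 0  0   0.0.0.0:68        0.0.0.0:*
udp   UNCONN 0  0   127.0.0.53%lo:53  0.0.0.0:*
tcp   LISTEN 0  128 0.0.0.0:22        0.0.0.0:*
tcp   LISTEN 0  511 0.0.0.0:80        0.0.0.0:*
tcp   LISTEN 0  511 *:443             *:*
tcp   LISTEN 0  128 0.0.0.0:23        0.0.0.0:*
tcp   LISTEN 0  5   127.0.0.1:6010    0.0.0.0:*
"""

# Constructed allow-list for a hypothetical "web server" role:
# SSH for administration, HTTP/HTTPS for service, DHCP client for addressing.
WEB_SERVER_ALLOWLIST: Set[Tuple[str, int]] = {
    ("tcp", 22), ("tcp", 80), ("tcp", 443), ("udp", 68),
}


@dataclass(frozen=True)
class Listener:
    proto: str     # "tcp" or "udp"
    address: str   # local address as printed by ss, without the port
    port: int


def _split_local(local: str) -> Tuple[str, int]:
    """Split 'addr:port' on the LAST colon so IPv6 forms like '[::]:22' work."""
    addr, _, port = local.rpartition(":")
    return addr, int(port)


def is_loopback(address: str) -> bool:
    """True for loopback binds; strips an interface suffix such as '%lo'."""
    bare = address.split("%")[0].strip("[]")
    return bare.startswith("127.") or bare == "::1"


def parse_ss(text: str) -> List[Listener]:
    """Parse `ss -H -l -t -u -n` style lines into Listener records."""
    listeners: List[Listener] = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 5 or parts[0] not in ("tcp", "udp"):
            continue  # skip blank lines and socket types we do not audit
        try:
            addr, port = _split_local(parts[4])
        except ValueError:
            continue  # a non-numeric port such as '*' carries nothing to audit
        listeners.append(Listener(parts[0], addr, port))
    return listeners


def audit(listeners: Iterable[Listener],
          allowed: Set[Tuple[str, int]]) -> Tuple[List[Listener], List[Listener]]:
    """Return (exposed_unexpected, loopback_unexpected).

    A listener is unexpected when its (proto, port) is not on the allow-list.
    Loopback-only listeners are reported separately: they cannot be reached
    from the network, but they still belong in the host's documented baseline.
    """
    exposed: List[Listener] = []
    loopback: List[Listener] = []
    for l in listeners:
        if (l.proto, l.port) in allowed:
            continue
        (loopback if is_loopback(l.address) else exposed).append(l)
    return exposed, loopback


def report(hostname: str, text: str, allowed: Set[Tuple[str, int]]) -> List[str]:
    """Build human-readable finding lines; an empty list means a clean host."""
    exposed, loopback = audit(parse_ss(text), allowed)
    lines = [f"{hostname}: EXPOSED unexpected {l.proto}/{l.port} bound to {l.address}"
             for l in exposed]
    lines += [f"{hostname}: loopback-only unexpected {l.proto}/{l.port} on {l.address}"
              for l in loopback]
    return lines


if __name__ == "__main__":
    # "web01" is a constructed hostname for the example run.
    for finding in report("web01", SAMPLE_SS_OUTPUT, WEB_SERVER_ALLOWLIST):
        print(finding)
```

In the constructed sample the audit flags tcp/23 (telnet) bound to all interfaces as an exposed, unexpected service, and lists the stub resolver on udp/53 and the tcp/6010 listener as loopback-only deviations from the baseline. The same script run against several hosts of the same role, with one allow-list per role, turns the "disable unnecessary services" item into a repeatable check rather than a one-time clean-up.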

Experience Note

Do not allow secure systems to be connected to a system having lower levels of security than your own. If you do, they will be used as launching pads against your system.

Due Diligence

If one of your systems becomes compromised, follow your policies and procedures in taking it offline. If you allow it to remain active, the root tool is going to spread to other systems.

Following good system policies and procedures can thwart automated root tools. It is imperative that these steps receive the attention of auditors and of self-assessment, so that systems can function correctly. It is not magic, just good business procedure.
