While the famous Chinese general may not have had hacking techniques in mind when he penned The Art of War some 2500 years ago, there is great merit in knowing your enemy, and the techniques s/he may use against you. If you are a network administrator, a critical part of your job is defending your systems. Knowing what these attacks are, and how to defend against them, will help immensely with the task of protecting your information systems from harm. While there are thousands of potential attacks, and many books and countless websites that cover them to the tiniest detail, the following five general categories can help you defend against the lion’s share of threats facing your systems.
1. Attacking Defaults
These days, essentially every piece of hardware and network application on the market comes with a set of default credentials; a username and a password that grant administrative access to the system. One of the most common ways of gaining unauthorised access to a system is by exploiting the fact that often, admins do not know, or do not care to change, these defaults.
Whether we are talking about a database application, a router, or a printer, defending against these attacks is simple. The first thing you should do when connecting a system to your network or installing an application on a server is to change the default credentials.
2. SQL Injection
Arguably one of the most devastating attacks against web based systems is the SQL Injection attack. Today’s dynamic websites often comprise much more than just a web server serving html code and graphics files to users. Ecommerce sites use database servers to host the backend information that is used to build interactive sites, present product information, and take orders. Even some of the most simplistic seeming websites may have a database on the backend. If the site provides a way for users to log on, or to submit information, you can bet there is a database behind the scenes.
SQL Injection attacks are when an attacker inputs SQL commands into the fields meant for other information, like usernames or search strings. A properly designed website will examine any data submitted by a user to make sure that the information is valid. A username typically will contain only letters; an email address might have letters and numbers, but only a few metacharacters like @, ., -, and +. If this input contains something a simple as a single quote ‘ sign at the end of the username, it could be interpreted by the database application as constructed SQL, and interpreted as a query. While it may not be a valid query, the database server may return an error that exposes information like the name of the database, its tables, and key fields. Continuing down this path, an attacker could submit SQL commands into the username field that could be executed to return the contents of the database, or to do things like drop tables.
To defend against this attack, your web applications must evaluate all submitted data for input that does not contain expected and allowed characters. Whether your application sanitizes user input by removing invalid characters, escaping any SQL specific characters before passing input to the database, or rejects it with a message back to the user asking them to try again using only allowed characters, it must act as the first line of defense to ensure that no commands can be passed to the database. Remember, even a command that fails, if executed by the database server, may reveal more information to the attacker that will make the next attack more effective.
3. Exploiting Unpatched Services
I have been in the information security field since 1997, and have been a CISSP since 2003. Of all the hundreds of security incidents I have been involved in, whether on behalf of an employer or for a client, I can still count on my two hands the number of intrusions that have not been the result of an attacker taking advantage of an unpatched system. Patching is time consuming, often difficult, and can sometimes introduce problems even as it is trying to prevent others, but the fact remains that you must patch your systems. Every operating system, whether it is installed on a computer or embedded as firmware on a piece of networking equipment, and every application your users run, has flaws. They were all written by humans, and mistakes were made. As these flaws are uncovered, updated code is released by the manufacturer to correct these issues, hopefully before a bad guy uses these flaws to exploit a system.
As an administrator, you must keep up with these patches, testing them as necessary, and deploying them to all networked systems. As operating systems and applications age, and fall out of support, you need to budget the necessary time and resources to update/upgrade these systems. Just because a vendor no longer issues updates for a system does not mean that there are no more security issues to be discovered.
The bad guys may frequently use any or all of the three hacking techniques we just covered, but there are still more you need to be prepared against. In the second part of this series, we’ll look at two more common hacking methods that you will be up against, and summarize some best practices to help you defend against them all.
About the Author: Ed Fisher is an information systems manager and blogger at several sites including his own site, http://retrohack.com. An InfoTech professional, aficionado of capsaicin, and Coffea canephora (but not together,) he has been getting my geek on full-time since 1993, and has worked with information technology in some capacity since 1986. Stated simply, if you need to get information securely from point A to B, he’s your guy. He is like “The Transporter,” but for data, and without the car; and with a little more hair.