Think Hack
By David Strom | Posted 2008-02-21
Defending your digital castle requires a little devious thinking so you can understand—and counter—threats.
These days you have to think like a hacker to protect your enterprise network. This doesn’t mean you have to invest in a lot of tools, have specialized knowledge or hire a security consultant. You just need the ability to understand your adversary’s thinking and methodologies to devise appropriate defenses.
There are three basic steps in the process: First, look for the easy vulnerabilities and most common loopholes for compromising your network. Many hackers are lazy and take the path of least resistance, so you should too.
While it may be hard to get into a hacker mindset, there are numerous scanning tools that can help you get started, including Hewlett-Packard’s SPI Dynamics, Qualys’ Guard, and McAfee’s Foundstone and ScanAlert. The tools look for unpatched applications and operating systems, as well as known and potential vulnerabilities.
One of the more common exploits is SQL injection, in which an attacker leverages the way Web and database servers share information. Most databases can be thought of as a collection of information tables: customer address records in one table, purchase records and product inventories in others.
When a typical e-commerce customer uses a browser to start shopping and clicks on some product of interest, it kicks off a query of inventory data to see if the item is in stock. The Web server produces a shopping-cart page showing selected items for purchase. A SQL injection attack manipulates this process to force the database into revealing data or granting greater access. Products such as Breach Security’s Web Defend can be used to stop SQL injection exploits by blocking such queries from being processed by the database server.
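The stock lookup described above, as an added example that is not part of the original article: the same query built by string concatenation and then with a bound parameter. The table layout, function names and sample rows are assumptions constructed for illustration, using Python's built-in sqlite3 module.

```python
import sqlite3

# Constructed request value: a product id with extra SQL appended to it.
HOSTILE_ID = "1 UNION SELECT name, address FROM customers"

def make_db():
    """Build a constructed in-memory shop database (sample rows only)."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE inventory (id INTEGER PRIMARY KEY, name TEXT, in_stock INTEGER);
        CREATE TABLE customers (id INTEGER PRIMARY KEY, name TEXT, address TEXT);
        INSERT INTO inventory VALUES (1, 'kettle', 12), (2, 'toaster', 0);
        INSERT INTO customers VALUES (1, 'A. Sample', '1 Example St');
    """)
    return db

def stock_lookup_vulnerable(db, product_id):
    # BAD: the request value is pasted into the SQL text, so the database
    # parses whatever the browser sent as part of the statement.
    sql = "SELECT name, in_stock FROM inventory WHERE id = " + product_id
    return db.execute(sql).fetchall()

def stock_lookup_safe(db, product_id):
    # GOOD: reject anything that is not an integer, then bind the value.
    # A bound parameter is only ever data; it cannot add SQL clauses.
    try:
        pid = int(product_id)
    except ValueError:
        return []
    sql = "SELECT name, in_stock FROM inventory WHERE id = ?"
    return db.execute(sql, (pid,)).fetchall()

if __name__ == "__main__":
    db = make_db()
    for lookup in (stock_lookup_vulnerable, stock_lookup_safe):
        print(lookup.__name__, "normal :", lookup(db, "1"))
        print(lookup.__name__, "hostile:", lookup(db, HOSTILE_ID))
```

With the concatenated query the customer table comes back alongside the stock row; with the bound parameter the hostile value returns nothing.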
Because Web servers are stateless, there has to be some way for the server to track the path a shopper’s browser takes from page to page on the site, and the database queries it makes along the way, on the journey toward checkout and purchase. A variety of techniques are used for this purpose, including setting cookies on a user’s machine; using downloaded programs that save the browser state; using customer logins and passwords; and storing the Web queries in their own tables. Make sure you understand which method or methods are being used on your systems.
Even outside of e-commerce, Web browsers regularly request information from databases, and the Web servers are used to collect, organize and present the information. As Web 2.0 technologies and mashups become popular, more information is presented to browsers dynamically, and more information originates from databases.
There are a number of methods to lock down the interaction between Web and database servers (see “2 Ways to Lock Down Database Servers,” right).
Then, dig a little deeper to see what proxies and administrator passwords are available to the outside world. Proxy servers are easily exploited by hackers because they assume anyone accessing them is coming from a trusted source.
The “homeless hacker” Adrian Lamo gained infamy by accessing The New York Times and other high-profile enterprise networks by taking advantage of corporate network managers who didn’t put the right kinds of protective measures in place.
Here’s where simple searches using Google can uncover some major loopholes. Open proxy servers and unprotected databases can both be easily found by searching for the right keywords. There are just a few typical search terms, such as login.asp, asp?id=, php?id= and other statements indicating database queries such as “filetype:sql password” or “index.of.password.”
Other Google hacks include finding IP addresses and passwords to Web security cameras, administrator passwords for particular applications, sensitive areas that aren’t usually seen by the general browsing public, the private phone numbers for company executives and even the contents of certain Internet commerce transactions. In every case, a hacker can enter a site and leave with its most precious data without leaving a trace, because the information is already indexed and stored on the servers of various Internet search sites. These hacks require no specialized tools and very little skill.
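One way to check your own site against the search terms quoted above, as an added example that is not from the original article: it runs over a URL inventory you already hold (a sitemap export or access log) and flags entries a search engine could surface with those terms. The check labels, function names and sample URLs are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# (label, pattern) pairs; each mirrors a search term quoted in the article.
CHECKS = [
    ("login page reachable", re.compile(r"/login\.asp(?:\?|$)", re.I)),
    ("database id in query string", re.compile(r"\.(?:asp|php)\?id=", re.I)),
    ("SQL file served to browsers", re.compile(r"\.sql(?:\?|$)", re.I)),
    ("'password' in a public path", re.compile(r"password", re.I)),
]

# Constructed sample inventory, e.g. exported from your own sitemap.
SAMPLE_URLS = [
    "https://shop.example.com/login.asp",
    "https://shop.example.com/product.php?id=42",
    "https://shop.example.com/backup/password.sql",
    "https://shop.example.com/about.html",
]

def audit_urls(urls):
    """Return {url: [labels]} for URLs that match at least one check."""
    findings = {}
    for url in urls:
        parts = urlsplit(url)
        target = parts.path + ("?" + parts.query if parts.query else "")
        for label, pattern in CHECKS:
            if pattern.search(target):
                findings.setdefault(url, []).append(label)
    return findings

def is_directory_listing(html):
    """True if a fetched page looks like an auto-generated 'Index of' listing."""
    return re.search(r"<title>\s*Index of\b", html, re.I) is not None

if __name__ == "__main__":
    for url, labels in audit_urls(SAMPLE_URLS).items():
        print(url, "->", ", ".join(labels))
```

Anything flagged is a candidate for authentication, removal from the Web root, or exclusion from indexing before a search engine stores a copy.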
Finally, understand the threats from within your own networks. These days, the notion of a security perimeter is quaintly outmoded, and you should worry about a laptop that can infect your network or a rogue employee who can walk off with your entire customer account data. Start by examining your intrusion and firewall logs for suspicious behavior, and put in place a regular scanning and analysis program to catch misuse.
“Some Web site owners may simply not understand that their sites aren’t as secure as they think,” says Jeff Williams, chief executive of Aspect Security, a Maryland consulting firm, and chairman of the Open Web Applications Software Security Project.
Thinking like a hacker may not come naturally, but you’ll sleep better at night knowing your data is well-protected.