LinuxSecurity.com
If It Ain't Broke See If It's Fixed
Attackers are still compromising servers with well-known attacks. General awareness can help busy administrators and users protect their systems from these kinds of attacks. SANS provides a list of the Top 20 most common security vulnerabilities, how to identify each, and what can be done to protect against them.

"He got into the UUCP account. No password protection. Wide open. ...Worse, Elxsi had its UUCP account set up with system privileges. It took the hacker only a minute to realize that he'd stumbled into a privileged account. ...He didn't lose any time. He edited the password file, and added a new account, one with system manager privileges. Named it Mark. "Keep it bland," I thought."

That is an excerpt from the book The Cuckoo's Egg, published in 1989. As far as the principles of how the attacker gained access to the system above go, nothing much has changed since that time. Attackers are still exploiting the most well-known vulnerabilities in computer systems. "This can be attributed to the fact that attackers are opportunistic, take the easiest and most convenient route, and exploit the best-known flaws with the most effective and widely available attack tools." (www.sans.org)

This article is nothing new but it has to be reinforced every now and then.

Many administrators are already overworked with other system administration tasks or simply with keeping systems up and running. Administering a large network environment with a small computing staff makes keeping systems secure even harder. Attackers know that and are actively exploiting it.

The availability of attack tools and the public posting of software bugs only add urgency to keeping systems secure. In his book Secrets and Lies, Bruce Schneier stated very simply that the Internet is "...a perfect medium for propagating successful attack tools. Only the first attacker has to be skilled; everyone else can use his software." (Schneier) The availability of the Internet today is a blessing and a curse (though only a small portion is a curse). The blessing is that for each exploit of a well-known vulnerability there are many more resources on how to fix the problem. SANS (http://www.sans.org) has a Top-Twenty List of the most common security vulnerabilities and what to do to fix each one. In cooperation with some commercial and open source organizations, there are tools to help identify these vulnerabilities and documentation on how to fix them or mitigate the risks. The SANS list will help overworked admins identify and fix those vulnerabilities. The SANS list and recommendations won't prevent attackers from compromising your servers, but they help minimize the risk of the most common attacks, and they will make you AWARE. Awareness is critical on the part of admins and users.

Once a system has been compromised, or is suspected of being compromised, all systems have to be checked for compromise. If servers on your internal network have been compromised, you have a much bigger problem: either someone has compromised an external server and "bounced" around your network, or you have an attacker inside your organization. Internal networks and internal servers tend to have weaker trust relationships and weaker security standards than a server directly accessible from outside the network. There should be no distinction between which is more important, internal or external network security; equal weight should be put on each. Patching a service directly accessible from the Internet should be given high priority, quickly followed, however, by patching internal services. Imagine the work and time involved in checking 200 servers for a compromise in a short period of time versus the time it takes to comment out unneeded services in /etc/inetd.conf and run: killall -HUP inetd.

"Okay, I read the list, but how do I know what services aren't needed?" The SANS documentation, the linuxsecurity.com mailing list, talking to other administrators, and the people you work with can help you find out. If no one is sure, shut it off and see who complains. If someone complains because you shut off a service, question it before turning it back on. If you have to keep a service running that has a significant history of security problems, be sure it is monitored closely and that only the people who need access to the service have it. Patches and updates can remove security settings or re-enable a service you had previously shut off, so keep a close eye on these kinds of services, and other services for that matter, after patching or upgrading.
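The two preceding paragraphs describe a procedure: list what inetd still has enabled, decide which services are actually needed, comment out the rest, and re-check after every patch because an update can quietly re-enable something. The script below is an added example written for this article, not the author's or SANS's own tooling; the sample inetd.conf, the allowlist, and all file names in it are constructed for illustration. It never reloads inetd itself; the comment on disable_service names the killall -HUP step from the text for the administrator to run.

```sh
#!/bin/sh
# Added example (not part of the original article): a small audit for
# /etc/inetd.conf. It lists the services still enabled, flags those that are
# not on an allowlist, and compares the current list with a baseline saved
# before patching, so a package update that re-enables a service is noticed.
# All paths and the sample configuration below are constructed for this example.

# enabled_services CONF: print the name of every enabled service, sorted.
# Commented-out and blank lines are ignored; the first field is the service.
enabled_services() {
    sed -e 's/#.*$//' "$1" | awk 'NF > 0 { print $1 }' | sort -u
}

# services_not_in CONF LIST: print enabled services whose names do not appear
# in LIST (one name per line). Used both for the allowlist check ("do we need
# this?") and for the post-patch baseline comparison ("did this come back?").
services_not_in() {
    enabled_services "$1" |
        awk 'FILENAME == ARGV[1] { seen[$1] = 1; next } !($1 in seen)' "$2" -
}

# save_baseline CONF OUT: record the enabled services before a patch or upgrade.
save_baseline() {
    enabled_services "$1" > "$2"
}

# disable_service NAME CONF: emit CONF with every active line for NAME
# commented out. Install the result as /etc/inetd.conf and reload inetd with:
#   killall -HUP inetd
disable_service() {
    awk -v svc="$1" '$1 == svc && $0 !~ /^#/ { print "#" $0; next } { print }' "$2"
}

# make_sample DIR: write a constructed inetd.conf and allowlist into DIR.
make_sample() {
    cat > "$1/inetd.conf" <<'EOF'
# constructed sample inetd.conf (not a real system file)
ftp     stream  tcp  nowait  root    /usr/sbin/tcpd  in.ftpd -l -a
#telnet stream  tcp  nowait  root    /usr/sbin/tcpd  in.telnetd
finger  stream  tcp  nowait  nobody  /usr/sbin/tcpd  in.fingerd
echo    stream  tcp  nowait  root    internal
EOF
    # Only ftp is known to be needed on this hypothetical host.
    printf 'ftp\n' > "$1/allowed"
}

# demo: walk through the procedure on the sample files.
demo() {
    dir=$(mktemp -d)
    make_sample "$dir"
    echo "enabled:";    enabled_services "$dir/inetd.conf"
    echo "unexpected:"; services_not_in "$dir/inetd.conf" "$dir/allowed"
    save_baseline "$dir/inetd.conf" "$dir/baseline"
    # Simulate a package update that uncomments telnet.
    sed 's/^#telnet/telnet/' "$dir/inetd.conf" > "$dir/inetd.conf.patched"
    echo "newly enabled after patch:"
    services_not_in "$dir/inetd.conf.patched" "$dir/baseline"
    rm -rf "$dir"
}

demo
```

On a real host the same functions run against /etc/inetd.conf and an allowlist you maintain; keep the baseline file under version control so the post-patch diff is part of the patching checklist rather than something remembered after the fact.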

Getting started with basic security procedures.

Go somewhere quiet and follow these recommendations:

  1. SANS Top 20 Security Vulnerabilities (be sure to check the "Related Resources" section on that page) -- http://www.sans.org/top20/
  2. Check the Appendix of the SANS Top 20 List for the most common ports to block, as well. The further out, topologically, you can block ports on your network the better. Block it at the router before it has a chance to even get inside your network.
  3. SANS free security digest -- http://www.sans.org/sac/
  4. Linuxsecurity.com has daily headlines and archives to keep you up-to-date on pressing security issues and security HOWTO's -- http://www.linuxsecurity.com
  5. Subscribe to Bugtraq to stay abreast of security vulnerabilities -- http://online.securityfocus.com/cgi-bin/sfonline/subscribe.pl
  6. Send out periodic easy-to-read email messages to your employees and co-workers on how to deal with a security problem. There is nothing I love more than a call from a fellow employee about a suspicious email, for example, with an attachment. Even though I may tell the same person the same thing, "Delete it and empty it from the trash", it brings me comfort that they are vigilant and on the lookout.
  7. For any network service you run and any OS distribution you run, subscribe to its security and/or announcement mailing lists.
  8. Keep management informed on security issues that directly affect your organization and what can be done to prevent any problems from occurring.

Conclusion

Keeping computers secure is not an easy task. It requires diligence and patience, but it is necessary. Customers believing their credit card was on the server with "Hackers looooooooooooooooove noodles" on the front page is enough to lose customer satisfaction and revenue. Revenue lost is not just from customer dissatisfaction but is magnified by the downtime associated with a compromise. The basics in security can go a long way. While you are at it, go ahead and write a document that explains what procedures are to be done before a server even goes on the network. Securing a server is much easier when done from a fresh install.

Managers, ensure that your admins have read the SANS Top 20 list and are working on implementing the recommendations on the list. Also, Managers, we need your support!

References

"Linux Security". Linux Security - The Community's Center for Security. 2002. http://www.linuxsecurity.com

"SANS/FBI Top 20 List: The Twenty Most Critical Internet Security Vulnerabilities (Updated) ~ The Experts Consensus". Version 3.2.1. SANS Institute. 2002. http://www.sans.org/top20/

Schneier, Bruce. Secrets and Lies: Digital Security in a Networked World. New York: John Wiley & Sons, 2000.

Stoll, Clifford. The Cuckoo's Egg. New York: Doubleday, 1989.

First and foremost, thanks to the Linuxsecurity.com team for their continued support.

Thanks to Bone, Chris, Cris, Barium Spring Home for Children ("The Foundation of Duane's Path to Liberation"), Charla, Chrissy, Mr. David, Bob, Donna, CFCC, Pfeiffer University, Leslie, STG, NCDC, Patti, Lauren, Jason, The Inskeep's, The Sherrill's, and mutsman for their continued support for all that I do. All that I have learned and do on a daily basis is because they never say, "No!" or "Don't do that!" because they believe in what I do and have faith that I will choose the right path. Their love is great support. They are "My Soul's Joy".


Duane Dunston is a Computer Security Analyst at STG Inc. for the National Climatic Data Center in Asheville, NC. He received his B.A. and M.S. degrees from Pfeiffer University and he has his GSEC certification from SANS. He hangs out at Old Europe Cafe, Early Girl's eatery, Anntony's, and any place with good tea and hot chocolate.

Duane has been working in security for 5 years and wishes he had the funding for a "Basic Security Tour" so he could provide the world with hands-on training on how to implement the security recommendations from the SANS Top 20 List of the most common vulnerabilities. He knows that applying these recommendations to any network can minimize the most common types of attacks. Not only does he enjoy his work in computer security, he also likes to get involved in its ever-growing technologies. Duane says, "Security is one of those jobs where you have to stay abreast of new technologies and new ways that attackers are compromising computer systems. Security keeps evolving and the industry has to keep up with it; that is why we need well-trained, evolving security professionals and supportive managers to help us with this ongoing process".
