Attackers are still compromising servers with well-known attacks. General awareness can assist the busy administrators and users to protect their systems from these kinds of attacks. SANS provides a list of the Top 20 most common security vulnerabilities, how to identify each, and what can be done to protect against these vulnerabilities. "He got into the UUCP account. No password protection. Wide open. ...Worse, Elxsi had its UUCP account set up with system privileges, It took the hacker only a minute to realize that he'd stumbled into a privileged account. ...He didn't lose any time. He edited the password file, and added a new account, one with system manager privileges. Named it Mark. "Keep it bland," I thought."

That is an excerpt from the book Cuckoo's Egg published in 1989. As far as the principles of how the attacker gained access to the system above, nothing much has changed since that time. Attackers are still exploiting the most well-known vulnerabilities in computer systems. "This can be attributed to the fact that attackers are opportunistic, take the easiest and most convenient route, and exploit the best-known flaws with the most effective and widely available attack tools."(www.sans.org)

This article is nothing new but it has to be reinforced every now and then.

Many administrators are already overworked with other system administration tasks or keeping a system up and running. Also, administering in a large network environment with a small computer staff doesn't help the issue of keeping systems secure. Attackers know that and are actively exploiting it.

The availability of attack tools and people posting bugs in software only puts an urgency on keeping systems secure. In his book Secrets and Lies Bruce Schneier stated very simply that the Internet is "...a perfect medium for propagating successful attack tools. Only the first attacker has to be skilled; every one else can use his software."(Schneier) The availability of the Internet today is a blessing and a curse (though only a small portion is a curse). The blessing is that for each exploit of a well-known vulnerability there are a lot more resources on how to fix these problem. SANS (Cyber Security Training, Degrees & Resources | SANS Institute) has a Top-Twenty List of the most common security vulnerabilities and what to do to fix each one. In cooperation with some commercial and open source organizations there are tools to help identify these vulnerabilities and documentation on how to fix these problems or mitigate the risks. The SANS list will help the overworked admins to identify and fix those vulnerabilities. The SANS lists and recommendations won't prevent attackers from compromising your servers but help minimize the risk of the most common attacks and it will make you AWARE. Awareness is critical on the part of the admins and users.

Once a system has been compromised or is suspected of being compromised then all systems have to be checked for compromise. If you have servers that have been compromised that are on your internal network then you have a much bigger problem. Someone has compromised an external server and "bounced" around your network or you have an attacker inside your organization. Internal networks and internal servers tend to have weaker trust relationships and weaker security standards than a server directly accessible from outside the network. There should be no distinction between which is more important, internal or external network security. Equal weight should be put on each. Patching a service directly accessible from the Internet should be given a high priority, however, quickly followed up by patching internal services. Imagine the work and time involved in checking 200 servers for a compromise in a short period of time versus the time to comment out unneeded services in /etc/inetd.conf and running: killall -HUP inetd.

"Okay I read the list but how do I know what services aren't needed?" The SANS documentation, the linuxsecurity.com mailing list, talking to other administrators, and those you work with can help you find out. If no one is sure, shut it off and see who complains. If someone complains because you shut off a service, question it before turning it back on. If you have to keep a service running with a significant history of security problems then be sure it is monitored closely and only the people who need access to the service have access to it (patches and updates could possibly remove security settings or enable a service you had previously shut off so keep a close eye on these kind of services and other services, for that matter, after patching or upgrading).

Getting started with basic security procedures.

Go somewhere quiet and follow these recommendations:

  1. SANS Top 20 Security Vulnerabilities (Be sure the check the "Related Resources" section on that page) -- CIS Controls v8 Released | SANS Institute
  2. Check the Appendix of the SANS Top 20 List for the most common ports to block, as well. The further out, topologically, you can block ports on your network the bet ter. Block it at the router before it has a chance to even get inside your network.
  3. SANS free security digest --
  4. Linuxsecurity.com has daily headlines and archives to keep you up-to-date on pressing security issues and security HOWTO's -- /
  5. Subscribe to Bugtraq to stay abreast of security vulnerabilities --
  6. Send out periodic easy-to-read email messages to your employees and co-workers on how to deal with a security problem. There is nothing I love more than a call from a fellow employee about a suspicious email, for example, with an attachment. Even though I may tell the same person the same thing "Delete it and empty it from the trash", it brings me comfort that they are vigilant and on the look out.
  7. Any network service you run and any OS distribution you run, subscribe to their security and/or their announcement mailing lists.
  8. Keep management informed on security issues that directly affect your organization and what can be done to prevent any problems from occurring.

Conclusion

Keeping computers secure is not an easy task. It requires diligence and patience but it is required. Customers believing their credit card was on the server with "Hackers looooooooooooooooove noodles" on the front page is enough to lose customer satisfaction and revenue. Revenue lost is not just from the customer dissatisfaction but is magnified by the downtime associated with a compromise. The basics in security can go a long way. While you are at it go ahead and write a document that explains what procedures are to be done before a server even goes on the network. Securing a server is much easier to do when done from a fresh install.

Managers, ensure that your admins have read the SANS Top 20 list and are working on implementing the recommendations on the list. Also, Managers, we need your support!

References

"Linux Security". 2002. Linux Security - The Community's Center for Security. /

"SANS/FBI Top 20 List". Version 3.2.1. SANS Institute. 2002. "SANS/FBI Top 200 List: The Twenty Most Critical Internet Security Vul nerabilities (Updated) ~ The Experts Consensus. https://www.sans.org/blog/cis-controls-v8/.

Schneier, Bruce. Secrets and Lies: Digital Security in a Networked World. New York: John Wiley & Sons. 2000.

Stoll, Clifford. The Cuckoo's Egg. New York: Doubleday, 1989.

First and foremost, thanks to the Linuxsecurity.com team for their continued support.

Thanks to Bone, Chris, Cris, Barium Spring Home for Children ("The Foundation of Duane's Path to Liberation"), Charla, Chris sy, Mr. David, Bob, Donna, CFCC, Pfeiffer University, Leslie, STG, NCDC, Patti, Lauren, Jason, The Inskeep's, The Sherrill's, and mutsman for their continued support for all that I do. All that I have learne d and do on a daily basis is because they never say, "No!" or "Don't do that!" because they believe in what I do and have faith that I will choose the rig ht path. Their love is great support. They are "My Soul's Joy"

Duane Dunston is a Computer Security Analyst at STG Inc. for the National Climatic Data Center in Asheville, NC. He received his B.A. and M.S. degrees from Pfeiffer University and he has his GSEC certification from SANS. He hangs out at Old Europe Cafe, Early Girl's eatery, Anntony's, and any place with good tea and hot chocolate.

Duane has been working in security for 5 years and wishes he had the funding for a "Basic Security Tour" so he could provide the world with hands-on training on how to implement the security recommendations from the Sans Top 20 List of the most common vulnerabilities. He knows that applying these recommendations to any network can minimize the most common types of attacks. Not only does he enjoy his work in computer security, he also likes to get involved in its ever-growing technologies. Duane says, "Security is one of those jobs where you have to stay abreast of new technologies and new ways that attackers are compromising computer systems. Security keeps evolving and the industry has to keep up with it, that is why we need well-trained, evolving security professionals supportive managers to help us with this ongoing process".