How To Secure Against Computer Attacks
by Peter Benjamin

prepared for Web Spinners Meeting November 3rd, 2001

Abstract: An Overview of Home/Office Computer Protection

Today there exist new threats to everyone's future and well-being in the form of denial of service (DoS) attacks against the computer networks that form the underpinnings of the international economy. This paper presents some of the issues involved and how you can be directly responsible for reducing the potential for cyberterrorism.

Table Of Contents

Security Software And Policies

  1. How to prevent a cyber attack?
  2. How do you make good network security work?
  3. What to do if you suspect an attack?
  4. What to do if attacked?
  5. Hacker, Attacker, or Cyberterrorist?
  6. How to lockout attacks?
  7. Whether to encrypt your email and files

How Security Software Works

  1. How viruses work, are detected and removed.
  2. How the new email worms work
  3. How ISPs are virus scanning your email
  4. How firewall software works
  5. How sniffers work
  6. How attack detectors work
  7. How encryption works

Security Software And Policies

How to prevent a cyberattack?

Risk assessment is the first step. It is followed by cost analysis, from several angles, of the key components being protected and of the security software and policies that protect them. Design security from the top down:

  1. Determine Economic Risks
  2. Determine Technical Risks
  3. Costs of Risks determine policy
  4. Policy sets security funding levels
  5. Funding levels select the countermeasures
  6. Countermeasures determine procedures

Enterprise security strategy and security architecture must be endorsed by executives, who then ensure compliance with security procedures. Staff will be trained and tested in the procedures and in the software methods.

Economic Risks

  1. Determine cost of data on computer.
    1. Business data is extremely valuable.
      1. Refunding your client's money...
        It's not going to happen... You spent it already.
      2. Is it worth 10% of the contract to protect clients' assets?
      3. Your internal business data is critical.
        Contacts, contracts, spreadsheets, databases, invoices, taxes, emails, etc.
  2. Determine cost of restoring data, apps, and OSes including labor.
    1. OS and Application software can be restored from original CD install disks.
    2. Backups will restore:
      1. Operating System Configurations
      2. Application Software Configurations
      3. Client Data
      4. Internal Business Data
      5. Application preferences and user defined libraries (templates, textures, etc).
    3. Time to restore before daily operations resume (staff are idle meanwhile)
  3. Policy sets security funding levels. Establish percentage of income for the security concerns of:
    1. Preserving Data from total loss (deletion)
    2. Protecting Data from theft or corruption (break in, file transfer, edits)
    3. Audit Trail Creation
    4. Audit Trail Daily Review with Weekly Oversight Review
    5. Break In Analysis of Data Loss or Theft or Edits
    6. Data Loss Recovery, Theft Tracking, Suspect File Restore and Compare
      Data acquired since the last backup (daily? hourly?) that is then corrupted or edited has a cost for correcting and/or confirming it.
  4. Funding levels select the countermeasures
    1. Staff access to data of various types, salaries, contracts, finance, HR, etc.
    2. Prospective employee background searches
    3. Staff annual background check up
    4. Staff Security Methods and Procedures Training
    5. Procedures for backup, traffic analysis, network blocking, etc.
    6. Also, see the next "Technical" section.
  5. Countermeasures determine procedures
    1. Staff access to restricted areas and computers
    2. Data backup and restore, and secure backup storage areas, including off site
    3. Data Corruption Recovery and Confirmation methods
    4. Daily Audit Trail Review
    5. Weekly Oversight Review
    6. Also, see the next "Technical" section.

Technical Risks

  1. Determine risk level of access
    1. Security Cameras and recordings
    2. Secure Entry: keys, id cards, card keys
    3. Biometric Identification failure
    4. Security search for removable media: entry/exit bulk erasers, CD/DVD body search
  2. Determine risk level of computer network components:
    1. networks: routers, firewalls, switches, cabling, ISPs, internal/external
    2. computers: desktop, application and database servers
    3. hardware components: hard drives, NICs, motherboards, wireless
    4. operating systems: personal, professional, workstation, server, mini, mainframe
    5. applications: finance, HR, client, libraries, databases
    6. data: client, internal, archival, backup media, removable media
      Removable media can both bring viruses in and carry data out.
  3. Data back up failure
  4. Printed Audit Trail paper supply

How do you make good network security work?

Simply putting up a firewall and monitoring what comes through it is a serious oversight. Don't rely on a product to give you good security. The return on security investment depends on business requirements and on spending neither too little nor too much.

  1. No single silver bullet
  2. No comprehensive computer solution
    1. Staff involvement required
    2. Policies and Procedures
    3. Annual retraining
  3. Layer protective measures
    1. Firewall (hardware or software based)
    2. AntiVirus Scanning
      1. Incoming WAN Traffic
      2. Outgoing WAN Traffic
      3. Internal LAN Traffic
      4. Local Computer - Email Readers
        1. HTML based mail
          1. Scripting (JavaScript, Visual Basic, Java, etc)
          2. External Tracking URLs/Images
        2. Attachments: virus/worm payloads
    3. Monitoring (sniffers, etc)
  4. Monitoring depends on risk assessment from business requirements
    1. Squishware (Staff monitoring):
      1. Cameras
      2. Spot checks
    2. Computer Hardware Monitoring:
    3. Traffic streams
      1. Monitor Network Traffic on both sides of the firewall
        1. the WAN external port
        2. a LAN switch span (mirror) port
      2. Monitor Internal Traffic
        1. Removable media file access
        2. Switch traffic between computers
      3. Monitor Audit Trails on a regular basis
        1. File accesses
        2. Access attempts
        3. Command history
        4. Keyboard sniffers

What to do if you suspect an attack?

  1. Suspicion of an attack comes from many symptoms:
    1. Someone telling you,
    2. Crashing computer,
    3. Slow computer,
    4. Slow network services or internet access,
    5. Network lights flashing or continuous on,
    6. Loss of network service or internet access,
    7. Hard drive excessive sound,
    8. Excessive hard drive access lights flashing or continuous on,
    9. Emails going out you did not queue,
    10. New files not installed or created by you,
    11. Corrupted files,
    12. Missing Files,
    13. Any unknown or unpredictable computer behavior,
    14. Pop up messages, or
    15. Ants crawling on the screen.
  2. Attacks come in many flavors now.
    1. Virus/Worms in downloads or emails threaten
      1. Data Destruction,
      2. Data Corruption,
      3. Data Theft,
        1. Credit Card Information
        2. Identity Theft
        3. Financial Dealings (money spreadsheets)
        4. Contract Negotiations
        5. Insider Trading
      4. Loss of CPU time (distributed computing),
      5. Loss of Hard drive space (FTP upload - CD/DVD sharing ala Napster),
      6. 'Zombied' Computer under hackers' control,
      7. Network disruption or slowdown,
      8. Loss of internet connectivity or service, and
      9. Hardware failures.
    2. Denial of Service (DoS) and Distributed DoS (DDoS)
    3. Domain Name Theft
  3. Government Involvement for large businesses is possible now.
    1. Contact the local FBI office. Their current involvement limit is rumored to be a potential loss of $100,000 or greater for them to take a further report.
    2. The FBI National Infrastructure Protection Center (NIPC) provides computer crime services.
    3. InfraGard, sponsored by the NIPC, provides a forum about computer crime. InfraGard hosts educational seminars around the country.
    4. If you think you have been targeted the FBI/NIPC/InfraGard is a powerful tool.
  4. Small businesses and home users should disconnect the LAN/computer from the network, unless prepared for immediate attack analysis. That analysis requires specialized knowledge and software tools to capture the traffic, isolate the suspect traffic, and determine what the suspect activity is doing, in order to choose the appropriate response, including but not limited to countermeasures, an audit trail printout, and attacker identification.
    1. Tracking an attacker down to identify them is beyond the means of most businesses and computer consumers.
  5. Be Prepared. Learn now what to do. Get the FAQ and study it.
    1. Read up at your Anti Virus site what you can do (find the FAQ).
    2. Visit www.cert.org or similar organization for the FAQ.

What to do if attacked?

Attacks now vary across a wide range with different responses. Some attacks can be resolved on your computer, others your ISP would become involved, and the FBI NIPC is available for espionage type attacks.

  1. Small Businesses and Home Users
    1. Disconnect your computer from the network (either LAN or WAN)
      1. Turn off the modem or unplug the modem cable or phone line (either end).
      2. Unplug the RJ45 jack out of the hub, router, or computer.
    2. Download the most recent virus definition (DAT) file for your AntiVirus software
      1. Use a second computer: a neighbor's, colleague's, or friend's computer, or
      2. use the library computer.
    3. Run the AntiVirus software from CD-ROM or a write-protected diskette, so the virus cannot tamper with the scanner itself.
    4. Check your outgoing email (the Sent folder and outbox) for messages the virus/worm may have sent.
    5. Check your data files for corruption against your backups.
    6. Check your operating system for possible hacker-installed back doors (new user accounts, new programs that start at boot, new services listening on the network).
  2. Large businesses should follow established procedures. Typically the procedure is to immediately contact a computer system administrator and let them handle it.

Hacker, Attacker, or Cyberterrorist?

There is now the new threat of the cyberterrorist to be countered. Or so many security consultants, companies, and government agencies and departments would have you believe. They may be right. Certainly, the recent worms, Code Red and Nimda, have shown that the availability of resources and the privacy of data are easily attacked. Extending these prank attacks to terrorist levels is an easy stretch of the imagination, and is equally easy for the terrorist to achieve.

The threat of losing a responsive international network is real, with severe impact on the financial transactions that now share the same bandwidth that would be under attack.

These new threats mean every computer owner has an obligation to the American people to pick up the slack and protect the underpinnings of our society.

[parts below are an uncredited quote (at this time)]
  1. Hackers
    1. Hackers are interested in exploiting the detailed underpinnings of the Internet and its security ramifications for their own personal enjoyment, or for some desire to make a name for themselves.
    2. The mind set of the hacker is "I want to do something either for the sheer thrill of the challenge or for the public recognition of my abilities."
    3. Many hackers will invade privacy, but not steal or destroy data.
    4. Hackers that invade privacy, steal or destroy data are listed here as Attackers.
    5. For these hackers it is the thrill of knowing when you booted your computer a message "The Cat Has Stuck" appears or ants crawl across your screen.
  2. Attackers
    1. Attackers are hackers who steal or destroy data.
    2. Some attackers steal CPU time or hard drive space, reducing your valuable computer resources.
    3. There is controversy over whether the latter offense rates punishment equal to the former.
    4. The laws are under review to decide whether or not both crimes should be punished equally.
  3. Cyberterrorist
    1. The cyberterrorist is a completely different animal.
    2. If you look at traditional terrorist movements and what they are trying to accomplish, you see things that are very insidious, well-planned, highly rehearsed, and well-coordinated.
    3. What makes the recent events of the WTC bombings so terrifying to America is the degree of coordination it took to execute that attack, and the planning that went into striking at the heart of the American psyche.
    4. A terrorist tries to build awareness of his goals and change international events.
    5. From the cyberterrorist perspective, look for highly planned, well-researched attacks on critical pieces of information infrastructure rather than something that indiscriminately targets a wide variety of sources, for instance, a widespread denial of service attack.

How to lockout attacks?

  1. Control Internet access.

    [parts below are an uncredited quote (at this time)]
    1. Build a program that understands what access you require to achieve your business objectives, and eliminate everything else.
    2. Technically you can do that through routers and firewalls.
    3. You can monitor that compliance through intrusion detection.
    4. Most importantly, you need to respond when you see a problem.
    5. Incident response is one area we fail in.
    6. Don't be afraid, be encouraged, be proactive about going out and doing the right thing from a security perspective.
    7. We stand a chance of actually making a difference here.
  2. Small Office and Home Consumers
    1. Here are the must have, must do protections:
      1. Install a firewall
        1. Types of Firewalls
          1. Hardware based for broadband cable or DSL - cost $80 to $180.
          2. Software based for modem, cable or DSL - cost FREE!!! to thousands.
        2. Configure the firewall
        3. Activate the firewall
        4. Test your firewall configuration.
          If it does not work due to misconfiguration ...
          better learn this sooner, not later.
        5. Test that your firewall works upon rebooting.
      2. Install AntiVirus (AV) software
        Update the AV DAT regularly.
        Purchase the auto update feature.
      3. Patch your software
        Enable auto update, if available.
    2. Be Prepared - Invest time in learning these things:
      1. How firewalls are configured.
      2. How firewalls are tested.
      3. How to Test your firewall configuration.
      4. How AntiVirus software works.
      5. How to configure, activate and run the AntiVirus software
        1. How to determine if the AV is activated.
        2. How to determine if the AV is actively scanning what you think it should be.
        3. Most AV software is self-testing, but it must be activated, especially after a reboot; this is usually done automatically by setting the relevant configuration option.
        4. Configuring the AV Software
          1. How to enable download scanning
          2. How to enable email scanning
          3. How to enable email attachment scanning
          4. How to enable compressed or archived format files scanning
          5. How to enable Master Boot Record (MBR) scanning
        5. Scanning Files
          1. What file types to scan, and when
          2. How to scan files on diskette
          3. How to scan files on the hard drive

Whether to encrypt your email and files

  1. Privacy has always been a concern for the American.
  2. Privacy issues abound on the internet and web.
  3. It is not possible to cover most of these privacy issues here.
  4. Here are some email encryption highlights.
    1. Both business and personal matters are legitimate reasons to encrypt email.
    2. Not all such email requires encrypting.
    3. Your ISP, and any intervening computer or the admin staff for those computers, can read your email.
    4. Encrypting the message body prevents such reading of the contents; the headers (sender, recipient, subject, date) still travel in the clear.
    5. Only the person(s) with the decoding key can read the email.
    6. Some encryption schemes have two separate keys: the recipient publishes an encoding key and keeps the matching decoding key private. The sender encodes with the public key and, holding no decoding key, can neither read the message back nor leak the key to anyone. Such schemes are considered 'better' long term protection than single key schemes because no secret ever has to be shared with the sending party.
  5. Government Email Scanning Facts
    1. Yes, it happens.
    2. Digital communications have far weaker legal privacy protection than domestic telephone calls.
    3. Only domestic analog/voice communications have strong legal privacy protection.
    4. International digital and analog communications are widely reported to be scanned routinely by the USA government. Messages matching a profile are automatically recorded for later human review.
    5. Encrypted emails increase the burden on federal authorities of determining that your encrypted email is not a threat to national security.
    6. Some (perhaps fanatical) privacy advocates promote encryption of all emails and/or inclusion of select keywords, in clear text (typically in the signature block), known to trigger the government's monitoring software, in order to overburden it and defeat its invasion of privacy.
    7. Some privacy advocates are now rethinking that activity in light of the recent terrorist attacks.
  6. Here are some file encryption highlights.
    1. Encrypted files, if stolen, can seldom be decrypted by the thief without the key.
    2. A stolen decryption key compromises every file encrypted under it; all of them must be re-encrypted under a new key.
    3. If stolen encrypted files are valuable, the thief is likely to come back for the decryption key, but by a different route. Social engineering is likely.
    4. Encrypted files sometimes become corrupted, and with many ciphers a single damaged byte, or a lost key, means the loss of ALL the data.
    5. Backing up unencrypted files and storing them offline is safe only if the offline storage is itself physically secure; an unencrypted backup is the easiest place to steal the data from.

How Security Software Works

The software methods and policies of good security will be overviewed with some in depth discussion on selected topics:

  1. Computers and data are protected by restricting access.
  2. Computers are protected by these methods (a firewall, antivirus scanning, and an audit trail):
    1. The firewall blocks unsolicited incoming attempts to access the computer.
    2. Antivirus scanning stops the traffic that does arrive on legitimate ports (email, downloads) from loading viruses.
    3. Logging creates an audit trail for review, and a realtime printed copy for legal purposes like court prosecution.
    4. It all works best when every staff member follows every security procedure, to the letter.
    5. The two weakest links are:
      1. People not trained in, or not following, security procedures.
      2. Software not fully installed, configured, activated or tested (regularly).
  3. Data is protected by these methods:
    1. Restrict access through the operating system's user accounts (userids and passwords) and file permissions.
    2. Encrypt the data file so that only people with the key can read it.

How encryption works

Encryption is a two part process. The first part is encrypting the source material into a form that is not readable by a person or by any application. The second part is reversing, or decrypting, the first part so the file can be read again by a person or software application.

Due to the complexity only an overview is within the scope of this paper.

  1. The source file is processed by the encryption software and the result is stored in a second file.
  2. Typically, this involves a mathematical scrambling of the data according to rules that use a special key value, so that each key produces a unique scrambling.
  3. There are an enormous number of keys to choose from: a 128-bit key, the common size today, can take any of 2^128 (about 340 billion billion billion billion) values.
  4. That is where the security comes from.
  5. While everyone knows what the range of valid keys is, trying them one at a time until the encrypted file is 'cracked' would take billions of years. The scrambling method itself is public and gains nothing from being kept secret; only the key is secret.
  6. Descrambling involves reversing the mathematics, with the matching key, to recreate the original source material.
  7. There are many types of encryption algorithms, or ciphers.
  8. Some ciphers require the same key to encrypt and decrypt (symmetric ciphers); that key must then be shared secretly with the other party.
  9. Other ciphers have two keys: one to encrypt, which can be known by the public, and one to decrypt, which is known only to the person who created the two keys for their private use.
  10. This 'key pair' is also known as a public/private key.
  11. Such key pairs are good for sending emails: anyone can encrypt to you with your public key, and only you can decrypt.
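As an added example, not taken from the original paper, the Python below shows both families of cipher described above: a toy single-key stream cipher, a brute-force search over a deliberately tiny 16-bit key space that puts a number on item 5, and a textbook RSA key pair built from the small primes 61 and 53 standing in for the public/private keys of items 9 to 11 and of the email encryption highlights earlier. The cipher constructions, the sample plaintext and the attacker's guessing rate are all constructed for illustration and are not secure; real software should use a vetted library cipher.

```python
import hashlib

# --- A toy symmetric (single key) cipher, items 1-8 above ------------------------------
# The keystream is SHA-256(key || block counter); ciphertext = plaintext XOR keystream.
# The same call encrypts and decrypts. Illustration only: real software should use a
# vetted library cipher such as AES-GCM, never a home-made construction like this one.
def keystream(key: bytes, length: int) -> bytes:
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(out[:length])

def xor_crypt(key: bytes, data: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, keystream(key, len(data))))

def brute_force(ciphertext: bytes, known_prefix: bytes, key_bits: int):
    """Item 5: try every possible key until the decryption starts with known_prefix.
    Returns (key, number_of_keys_tried); key is None if nothing matched."""
    key_len = (key_bits + 7) // 8
    tried = 0
    for k in range(2 ** key_bits):
        tried += 1
        key = k.to_bytes(key_len, "big")
        if xor_crypt(key, ciphertext[:len(known_prefix)]) == known_prefix:
            return key, tried
    return None, tried

def years_to_exhaust(key_bits: int, keys_per_second: float) -> float:
    """Time to try every key of the given length at the given guessing rate."""
    return 2 ** key_bits / keys_per_second / (365.25 * 24 * 3600)

# --- A toy public/private key pair, items 9-11 above ------------------------------------
# Textbook RSA with the tiny primes p=61, q=53. Real RSA keys use primes of 1024 bits
# or more plus randomized padding (OAEP); a modulus this small is factored instantly.
def toy_rsa_keypair():
    p, q = 61, 53
    n = p * q                 # 3233: the public modulus, part of both keys
    phi = (p - 1) * (q - 1)   # 3120
    e = 17                    # public exponent: anyone may encrypt with (n, e)
    d = pow(e, -1, phi)       # private exponent: only the key owner decrypts with (n, d)
    return (n, e), (n, d)

def rsa_encrypt(public_key, m: int) -> int:
    n, e = public_key
    return pow(m, e, n)

def rsa_decrypt(private_key, c: int) -> int:
    n, d = private_key
    return pow(c, d, n)

if __name__ == "__main__":
    message = b"INVOICE 4711: pay $1,200 to account ..."   # constructed sample plaintext
    weak_key = (0xBEEF).to_bytes(2, "big")                   # a 16-bit key: deliberately far too short
    ciphertext = xor_crypt(weak_key, message)
    key, tried = brute_force(ciphertext, b"INVOICE", 16)
    print(f"16-bit key recovered after {tried} guesses: {key.hex()}")
    print(f"128-bit key at 1e9 guesses/s: {years_to_exhaust(128, 1e9):.1e} years")
    public, private = toy_rsa_keypair()
    c = rsa_encrypt(public, 65)
    print(f"RSA: 65 -> {c} -> {rsa_decrypt(private, c)}")
```

Running it recovers the 16-bit key after 48,880 guesses in well under a second, then shows that exhausting a 128-bit key at a billion guesses per second takes on the order of 10^22 years: the key length, not the secrecy of the method, is what makes the search hopeless. The RSA half shows the point of item 9 directly: the number 65 is encrypted with the public pair (3233, 17) and comes back only through the private pair (3233, 2753).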

How viruses work, are detected, and removed.

Viruses come in a variety of types. Only a brief overview is within the scope of this paper.

  1. What is a Virus? Some Virus Facts.
    1. The virus is a computer file, like any other file.
    2. The virus must run or execute on the computer in order to truly infect it and have bad effects.
    3. The virus 'inserts' itself into other programs and into the boot sectors of hard drives and diskettes.
    4. This insertion sometimes damages the program.
    5. Sometimes the damage is severe enough the program does not run.
    6. A program that does not appear to run, may still be spreading the virus to other files on your computer and other hard drives, sending emails, etc.
  2. Virus Trivia
    1. It is possible to store a virus file on your computer. If it never runs, then there are no bad effects. If someone runs it by mistake...
    2. Most professionals store their virus samples in password protected archives where they can not be easily run by accident.
  3. Virus Detection
    1. Run the AntiVirus Software
    2. If it was already running, a pop up window may alert you to:
      1. the fact that a virus was found,
      2. what action was taken,
      3. whether the removal was complete, and
      4. whether you have to finish the removal manually.
  4. Virus Removal
    1. AntiVirus software often completely removes the virus.
    2. Some viruses require you to complete the removal. The AV software will give you the instructions or tell you where to get them, usually a URL.
      YOU MUST COMPLETE THE MANUAL REMOVAL
      Sometimes the virus is only inactive, or damaged portions of the operating system must be restored before rebooting.
    3. Usually, the instructions are very much step by step and can be completed by anyone who knows what a menu item and a mouse click are and how to type.
      Hire a professional if you cannot understand the instructions.
      Or let your sibling or neighbor's kid do it. It is often that easy.
    4. Some viruses cannot easily be removed.
    5. These are called 'stealth' viruses: they 'hide' themselves, for instance by intercepting the operating system's file reads so that a scanner is shown a clean copy of an infected file.
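An antivirus scanner matches signatures, which misses a virus it has no signature for yet. The complementary check a practitioner adds, which also covers step 5 of the "What to do if attacked?" procedure above (comparing your data files against your backups), is a file integrity baseline: hash every file while the system is known to be clean, keep the hashes offline, and re-hash later. The Python below is an added example, not part of the original paper: it builds a constructed directory tree in a temporary folder, takes a baseline, then simulates an infected program, a dropped file and a deleted file, and reports what changed.

```python
import hashlib
import tempfile
from pathlib import Path

def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def baseline(root: Path) -> dict:
    """Map every file under root (relative, POSIX-style path) to its SHA-256 digest and size."""
    return {p.relative_to(root).as_posix(): (sha256_file(p), p.stat().st_size)
            for p in sorted(root.rglob("*")) if p.is_file()}

def compare(old: dict, new: dict) -> dict:
    """Classify the differences between a stored baseline and a fresh scan."""
    return {
        "modified": sorted(k for k in old.keys() & new.keys() if old[k] != new[k]),
        "added": sorted(new.keys() - old.keys()),
        "missing": sorted(old.keys() - new.keys()),
    }

def demo() -> dict:
    """Constructed scenario: baseline a small tree, then simulate what a virus leaves behind."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "bin").mkdir()
        (root / "bin" / "editor.exe").write_bytes(b"MZ" + b"\x00" * 100)  # stand-in for a program
        (root / "contracts.xls").write_bytes(b"constructed spreadsheet data")
        (root / "notes.txt").write_bytes(b"meeting notes")
        before = baseline(root)   # taken while the system is known clean; store it offline

        # A file-infecting virus appends its body to a program (virus fact 3 above),
        # drops a new executable, and a document goes missing.
        with (root / "bin" / "editor.exe").open("ab") as f:
            f.write(b"CONSTRUCTED-VIRUS-BODY")
        (root / "bin" / "readme.exe").write_bytes(b"MZ-dropped-file")
        (root / "notes.txt").unlink()

        return compare(before, baseline(root))

if __name__ == "__main__":
    for kind, files in demo().items():
        print(f"{kind:9}: {files}")
```

The report lists the program as modified, the dropped file as added and the document as missing, which is exactly the "new files not created by you", "corrupted files" and "missing files" symptoms from the earlier list. The baseline is only trustworthy if it is taken on a clean system and kept where the virus cannot rewrite it.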

How the new email worms work

The two recent worms that received worldwide attention for the speed with which they infected hundreds of thousands of computers are named Code Red and Nimda. Strictly, only Nimda is an email worm; Code Red spread from web server to web server and never used email. Both are explained here.

  1. Code Red and Nimda infect only Windows operating systems.
  2. Macintosh, Unix and other OSes are not infected by them, although their networks still carry, and suffer from, the scanning traffic.
  3. Neither worm came from a drag and drop virus creation toolkit, despite early speculation; each was written around specific, already patched flaws in Microsoft products, which is why applying the vendor patches stops them.
  4. Code Red works only against IIS (MS's web server): it sends one malformed web request that overflows a buffer in the indexing service extension (a flaw Microsoft had patched a month before the outbreak), runs in the server's memory without writing a file, and then scans for further IIS servers to infect.
  5. Nimda works with MS Outlook/Outlook Express, Internet Explorer, IIS, and Windows file sharing, as follows:
    1. After Outlook downloads your email from your ISP into your computer's inbox file, it reads selected header fields of each email to build the message list, and, with the preview pane on, renders the body of the selected message.
    2. Nimda's email carries the worm as an attachment whose MIME type is mislabeled as an audio file. A flaw in the Internet Explorer component that Outlook uses to render HTML mail (a patch removing it had been available for months) made such an attachment execute automatically when the message was rendered.
    3. Thus, without you opening or double-clicking the attachment, merely previewing the email activated the worm.
    4. Upon activation the worm does these things:
      1. Reads your address book for email addresses
      2. Reads your Internet Explorer web page cache and harvests email addresses from the HTML pages in it
      3. Mails itself to the addresses found (a different 2001 worm, SirCam, is the one that mailed random files from your My Documents folder along with itself)
      4. Scans for other computers on the local network with open file shares and copies itself into files and folders there
      5. Scans for web servers with IP numbers near your computer's and tries a list of known IIS exploit URLs against each, including the back door left behind by Code Red II
      6. Modifies web pages on the IIS servers it infects so that browsers visiting them download the worm
  6. At the time of writing, parts of Nimda's payload were still being analyzed and professionals did not yet agree on everything it does. Features that were speculated about include:
    1. Automatic deletion of all files on the computer
    2. Code(s) to be run on specific dates and/or times
    3. Back doors
    4. Trojan horses
    5. Viruses
    6. Other worms
    7. Other infection vectors

How ISPs are virus scanning your email

Your ISP may have purchased special bulk incoming email anti virus scanning software. Here is how these bulk scanners work.

  1. Incoming emails addressed to you are first scanned, at your ISP, for viruses in both the HTML body and the attachments.
  2. Attachments that are compressed archives are opened and the individual files inside are scanned.
  3. The scanner does not interpret your data; it only searches the bytes for the virus definition strings in its DAT file.
  4. The cleaned email is then sent on to the normal email server.
  5. The email server puts the email into your inbox.
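Added example, not from the original paper or from any ISP's product: a small Python mail scanner built on the standard library's email and zipfile modules that does what the five steps above describe. It walks every MIME part, flags an attachment whose file name is executable but whose MIME type says otherwise (a trick real email worms have used to get mail readers to run attachments), searches the bytes of each part and of each member of a zip attachment for signature strings, and skips oversized archive members rather than decompressing them. The signature list holds the standard EICAR anti-virus test string plus one constructed, hypothetical signature; the test message is constructed inside the block.

```python
import io
import zipfile
from email import policy
from email.message import EmailMessage

# Signature strings, the "DAT file" of the text. The first is the EICAR anti-virus test
# string, assembled from two halves so that this source file does not itself trip a
# desktop scanner; the second is a constructed, hypothetical signature for the demo.
EICAR = b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STAND" + b"ARD-ANTIVIRUS-TEST-FILE!$H+H*"
SIGNATURES = {"EICAR-Test-File": EICAR, "Constructed.Worm.A": b"W32/CONSTRUCTED-SAMPLE"}
EXECUTABLE_EXT = (".exe", ".scr", ".pif", ".com", ".bat", ".vbs")
MAX_MEMBER = 50_000_000   # skip archive members larger than this (decompression bombs)

def scan_bytes(data: bytes) -> list:
    """Plain signature search: which definition strings occur in these bytes?"""
    return [name for name, sig in SIGNATURES.items() if sig in data]

def scan_attachment(name: str, content_type: str, data: bytes) -> list:
    findings = []
    # An executable file name carried under a non-executable MIME type is suspicious
    # on its own, whether or not a signature matches.
    if name.lower().endswith(EXECUTABLE_EXT) and not content_type.startswith("application/"):
        findings.append(f"{name}: executable labeled as {content_type}")
    findings += [f"{name}: {hit}" for hit in scan_bytes(data)]
    if data[:2] == b"PK":   # zip archive: open it and scan each member (step 2)
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for member in zf.infolist():
                    inner = f"{name}/{member.filename}"
                    if member.file_size > MAX_MEMBER:
                        findings.append(f"{inner}: too large, not scanned")
                        continue
                    findings += scan_attachment(inner, "application/octet-stream", zf.read(member))
        except (zipfile.BadZipFile, RuntimeError):   # corrupt or password-protected archive
            findings.append(f"{name}: unreadable archive")
    return findings

def scan_message(msg: EmailMessage) -> list:
    """Walk every MIME part, body included, and collect findings."""
    findings = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        data = part.get_payload(decode=True) or b""
        name = part.get_filename() or f"<{part.get_content_type()} body>"
        findings += scan_attachment(name, part.get_content_type(), data)
    return findings

def build_sample_message() -> EmailMessage:
    """Constructed test message: HTML body, a zip hiding an .exe, and an .exe mislabeled as audio."""
    msg = EmailMessage(policy=policy.default)
    msg["From"], msg["To"], msg["Subject"] = "sender@example.com", "you@example.net", "invoice"
    msg.set_content("<p>Please see the attached invoice.</p>", subtype="html")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("invoice.doc.exe", EICAR)
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip", filename="invoice.zip")
    msg.add_attachment(b"MZ" + b"W32/CONSTRUCTED-SAMPLE", maintype="audio", subtype="x-wav",
                       filename="readme.exe")
    return msg

if __name__ == "__main__":
    for finding in scan_message(build_sample_message()):
        print(finding)
```

Two design points matter in practice: the scanner recurses into the archive rather than trusting the outer bytes, since a compressed member does not contain its signature literally, and a password-protected or corrupt archive is reported rather than silently passed, because "could not scan" is not the same as "clean".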

How firewall software works

Firewall software is becoming both exceedingly complex and easier to configure. The ease of configuration comes from add-on front ends that contain predefined common configurations to protect home consumers, and small and large offices.

Due to the complexity only an overview is within the scope of this paper.

  1. Traffic divides into these four types:
    1. Outgoing initiating traffic (logging in, requesting a web page)
    2. Outgoing follow-up traffic (the rest of a file transfer)
    3. Incoming initiating traffic (the dangerous stuff to block)
    4. Incoming expected traffic (requested files like web pages, i.e. replies to connections the inside started)
  2. Most firewalls are configured like this:
    1. Allow ALL outgoing,
      except those applications that are blocked by company policy.
    2. Allow ALL incoming expected traffic. A stateful firewall recognises it by remembering which connections the inside opened.
    3. Block or deny ALL incoming traffic that is not expected,
      except those applications that are permitted for remote access by salespersons, perhaps from an authorized userid list or IP number list or both.
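The policy above in runnable form, as an added example that is not the original paper's: a Python simulation of a stateful packet filter applying the four rules to one packet at a time. The office network, the blocked application port and the remote-access exception are assumed values for the demo, and the packets are constructed. It is the same check you would do by hand when testing a firewall configuration: send each kind of traffic and confirm the verdict.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int

LAN = ipaddress.ip_network("192.168.1.0/24")       # assumed office network behind the firewall
BLOCKED_OUTGOING_PORTS = {6667}                     # assumed company policy: no IRC from the office
REMOTE_ACCESS = {("203.0.113.7", 22)}               # assumed (sales laptop IP, service port) exceptions

class StatefulFirewall:
    """Applies the four-rule policy from the text to one packet at a time."""

    def __init__(self):
        # Connections the inside has opened: (inside ip, inside port, outside ip, outside port).
        self.sessions = set()

    def decide(self, pkt: Packet) -> str:
        if ipaddress.ip_address(pkt.src) in LAN:
            # Rules 1 and 2: outgoing initiating and follow-up traffic, minus blocked applications.
            if pkt.dport in BLOCKED_OUTGOING_PORTS:
                return "DENY outgoing (blocked by policy)"
            self.sessions.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return "ALLOW outgoing"
        # Rule 4: incoming expected traffic is a reply to a session the inside opened.
        if (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.sessions:
            return "ALLOW incoming (expected reply)"
        # Rule 3: incoming initiating traffic is denied, except the remote-access exceptions.
        if (pkt.src, pkt.dport) in REMOTE_ACCESS:
            self.sessions.add((pkt.dst, pkt.dport, pkt.src, pkt.sport))
            return "ALLOW incoming (remote access exception)"
        return "DENY incoming (unsolicited)"

# Constructed packets in the order they arrive; each one exercises a different rule.
SAMPLE = [
    Packet("192.168.1.10", 40000, "198.51.100.5", 80),    # desktop requests a web page
    Packet("198.51.100.5", 80, "192.168.1.10", 40000),    # the web page comes back
    Packet("198.51.100.99", 1234, "192.168.1.10", 80),    # outsider probes the desktop's port 80
    Packet("198.51.100.5", 80, "192.168.1.10", 40009),    # 'reply' to a session that never existed
    Packet("192.168.1.10", 40001, "198.51.100.5", 6667),  # desktop tries IRC
    Packet("203.0.113.7", 5000, "192.168.1.2", 22),       # salesperson's laptop reaches the SSH host
    Packet("203.0.113.7", 5000, "192.168.1.2", 23),       # same laptop tries telnet: not on the list
]

def run_sample() -> list:
    fw = StatefulFirewall()
    return [fw.decide(p) for p in SAMPLE]

if __name__ == "__main__":
    for pkt, verdict in zip(SAMPLE, run_sample()):
        print(f"{pkt.src}:{pkt.sport} -> {pkt.dst}:{pkt.dport}  {verdict}")
```

A real firewall also watches TCP flags and expires idle sessions after a timeout; the simulation keeps only the session table, which is the part that turns "incoming expected" from a guess into a lookup.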

How sniffers work

Sniffers know what network traffic looks like and display that data to the user in a readable form.

Due to the complexity only an overview is within the scope of this paper.

  1. Raw network traffic is not readable by a person, or not readable enough, so sniffer software is needed to decode it.
  2. Sniffer software presents the traffic in a more readable format: it decodes the packet headers (addresses, ports, protocol, sequence numbers) and shows the data that follows them.
  3. Sniffer software limits the traffic it displays to the traffic that meets the filter rules set by the user (for example, only web traffic to one address).
  4. Sniffer software will reassemble the packets of a connection, in order, to reconstruct the original files or keyboard input of the sender for the user to review; anything sent unencrypted, passwords included, is readable this way.
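Added example, not from the original paper: a Python sniffer core that does the three jobs above (decode, filter, reassemble) on constructed packets. It assumes raw IPv4+TCP packets without an Ethernet header and with zeroed checksums, which is what the block builds for itself; a real sniffer would read them from the network interface or a capture library. The constructed capture holds a plaintext web login split across three segments that arrive out of order, one of them retransmitted, plus an unrelated packet the filter drops.

```python
import struct

def _ip_bytes(ip: str) -> bytes:
    return bytes(int(o) for o in ip.split("."))

def build_packet(src: str, sport: int, dst: str, dport: int, seq: int, payload: bytes) -> bytes:
    """Constructed IPv4+TCP packet (no Ethernet header, checksums zeroed) standing in for a capture."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 5 << 4, 0x18, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     _ip_bytes(src), _ip_bytes(dst))
    return ip + tcp

def decode(packet: bytes):
    """Item 2: turn raw bytes into a readable record. Returns None for non-TCP packets."""
    vihl, _, total, _, _, ttl, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", packet[:20])
    if proto != 6:
        return None
    ihl = (vihl & 0x0F) * 4
    sport, dport, seq, ack, offset, flags = struct.unpack("!HHIIBB", packet[ihl:ihl + 14])
    thl = (offset >> 4) * 4
    return {"src": ".".join(map(str, src)), "sport": sport, "dst": ".".join(map(str, dst)),
            "dport": dport, "seq": seq, "flags": flags, "ttl": ttl,
            "payload": packet[ihl + thl:total]}

def matches(record: dict, rule: dict) -> bool:
    """Item 3: a filter rule is a set of field/value pairs that must all match."""
    return all(record.get(field) == value for field, value in rule.items())

def reassemble(records: list) -> dict:
    """Item 4: put each connection's segments back in sequence order, dropping retransmits."""
    streams = {}
    for r in records:
        streams.setdefault((r["src"], r["sport"], r["dst"], r["dport"]), []).append(r)
    result = {}
    for key, segments in streams.items():
        segments.sort(key=lambda r: r["seq"])
        data, expected = b"", segments[0]["seq"]
        for s in segments:
            end = s["seq"] + len(s["payload"])
            if end <= expected:          # pure duplicate / retransmission: nothing new
                continue
            data += s["payload"][max(0, expected - s["seq"]):]   # a gap here would mean a lost segment
            expected = end
        result[key] = data
    return result

def sniff(packets: list, rule: dict) -> dict:
    records = [rec for rec in map(decode, packets) if rec and matches(rec, rule)]
    return reassemble(records)

# Constructed capture: a plaintext web login split over three segments, delivered out of
# order with one retransmission, plus one unrelated packet that the filter should drop.
REQUEST = (b"POST /login HTTP/1.0\r\nHost: intranet.example\r\n"
           b"Content-Length: 25\r\n\r\nuser=bob&password=hunter2")
_parts = [REQUEST[:30], REQUEST[30:62], REQUEST[62:]]
_seq = 1000
CAPTURE = [
    build_packet("192.168.1.10", 40000, "198.51.100.5", 80, _seq + 62, _parts[2]),
    build_packet("192.168.1.10", 40000, "198.51.100.5", 80, _seq, _parts[0]),
    build_packet("192.168.1.10", 40000, "198.51.100.5", 53, 7, b"unrelated"),
    build_packet("192.168.1.10", 40000, "198.51.100.5", 80, _seq + 30, _parts[1]),
    build_packet("192.168.1.10", 40000, "198.51.100.5", 80, _seq, _parts[0]),  # retransmit
]

if __name__ == "__main__":
    for key, data in sniff(CAPTURE, {"dport": 80}).items():
        print(key, data.decode())
```

Reassembly sorts by sequence number, discards the retransmitted segment, and hands back the complete request, password included, which is exactly the point the encryption section makes about who can read unencrypted traffic.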

How attack detectors work

An attack detector senses profiled patterns in the incoming and/or outgoing traffic, dynamically blocks the suspect traffic (if configured to), and sends alerts to responsible staff.

  1. An attack detector is an ordinary sniffer combined with a realtime traffic pattern analysis tool that sends alerts upon certain detected patterns.
  2. Patterns are stored in the configuration file together with the desired alert and logging action(s).
  3. Alerts are of many types: log to file, emails, pager, faxes, tones, phone calls, etc.
  4. Alerts have many action levels: some are just logged, others are considered more critical and are configured to send emails or even page staff.
  5. Logging actions typically record a summary, including the pattern number and the alerts issued, but not the full details of the suspect traffic, unless the detector is configured to store the suspect traffic for later review.
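Added example, not the original paper's: the pattern-analysis half of an attack detector in Python, operating on already-decoded packet records so that it runs without a sniffer. It carries two constructed signature rules with different severities (item 2), one behavioral rule (a single source touching five ports within ten seconds), a severity-to-actions table for item 4, and per-rule control over whether the suspect payload is stored, as item 5 describes. All rules, thresholds, addresses and packets are constructed for the demo.

```python
from collections import defaultdict

# Constructed example rules, i.e. the "patterns" of item 2. Severity selects the actions
# of item 4; keep_payload decides whether the suspect traffic itself is stored (item 5).
RULES = [
    {"id": 1001, "name": "Shell invoked through web request", "pattern": b"cmd.exe",
     "severity": "critical", "keep_payload": True},
    {"id": 1002, "name": "SMTP address probing", "pattern": b"VRFY ",
     "severity": "low", "keep_payload": False},
]
ACTIONS = {"low": ["log"], "medium": ["log", "email"], "critical": ["log", "email", "page"]}
SCAN_PORTS = 5        # distinct ports touched by one source ...
SCAN_WINDOW = 10.0    # ... within this many seconds counts as a port scan

class AttackDetector:
    def __init__(self):
        self.port_hits = defaultdict(list)   # source ip -> [(time, destination port)]

    def _event(self, rule_id, name, severity, rec, keep_payload):
        return {"rule": rule_id, "name": name, "severity": severity, "actions": ACTIONS[severity],
                "src": rec["src"], "dst": rec["dst"], "dport": rec["dport"],
                "payload": rec["payload"] if keep_payload else None}

    def inspect(self, rec: dict) -> list:
        """Run one decoded packet record through the signature and behaviour checks."""
        events = []
        for rule in RULES:                                  # signature patterns
            if rule["pattern"] in rec["payload"]:
                events.append(self._event(rule["id"], rule["name"], rule["severity"],
                                          rec, rule["keep_payload"]))
        hits = self.port_hits[rec["src"]]                   # behaviour: many ports, one source
        hits.append((rec["t"], rec["dport"]))
        recent_ports = {port for t, port in hits if rec["t"] - t <= SCAN_WINDOW}
        if len(recent_ports) == SCAN_PORTS:                 # fire once, when the threshold is crossed
            events.append(self._event(2001, "Port scan", "medium", rec, False))
        return events

def rec(t, src, dst, dport, payload=b""):
    return {"t": t, "src": src, "dst": dst, "dport": dport, "payload": payload}

# Constructed traffic: an ordinary page request, a probe of five ports in four seconds,
# a web request carrying a shell command, and an SMTP VRFY.
SAMPLE = [
    rec(0.0, "198.51.100.5", "192.168.1.2", 80, b"GET /index.html HTTP/1.0\r\n\r\n"),
    *[rec(1.0 + i, "198.51.100.99", "192.168.1.2", port) for i, port in enumerate((21, 22, 23, 25, 80))],
    rec(6.0, "198.51.100.7", "192.168.1.2", 80, b"GET /tools/cmd.exe?/c+dir HTTP/1.0\r\n\r\n"),
    rec(7.0, "198.51.100.8", "192.168.1.3", 25, b"VRFY root\r\n"),
]

def run_sample() -> list:
    detector = AttackDetector()
    events = []
    for r in SAMPLE:
        events += detector.inspect(r)
    return events

if __name__ == "__main__":
    for e in run_sample():
        print(f"[{e['severity']:8}] rule {e['rule']} {e['name']}: "
              f"{e['src']} -> {e['dst']}:{e['dport']} actions={e['actions']}")
```

The scan rule fires exactly once, on the fifth port, rather than on every later probe; a detector that alerts on each packet of a scan pages staff hundreds of times and trains them to ignore it. Keeping the payload only for the critical rule is the trade-off item 5 describes between forensic detail and log volume.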

The end