ASSOCIATION MANAGEMENT, August 2001
By: Dave McClure
Hyperactive computer hackers have technology experts hustling to create a new line of digital defense.
It is easy to convince yourself that your association is immune to serious hacker attacks. You imagine perhaps a random push at the network defenses, but not a full-scale attack. After all, the association is a nonprofit organization. It doesn't have major assets to raid. No major corporate secrets. In fact, were it not for an IP (Internet protocol) address or two and a Web site, you'd hardly know the association network even existed.
But the reality is that your network is under serious assault every minute of every day. For example, my home computer log recently showed 14 blocked attacks in the span of less than one second. And the situation is growing worse.
In early May, for instance, a pseudonymous hacker launched a Web graffiti spree, defacing with a pro-Napster message Web sites of organizations ranging from the National Aeronautics and Space Administration to the Communications Workers of America. During a flare-up between Israel and Palestine last year, a small cadre of Israeli loyalists set up a Web site to conduct a pre-emptive propaganda strike against the Web pages of Hezbollah and other pro-Palestinian groups. After an effective bombardment shut down six sites including www.Hamas.org, a furious Arab counterattack sent several Israeli government sites offline and then attacked the Web sites and networks of pro-Israeli lobbying groups in the United States.
Increasingly, the attacks are part of cyberwarfare intended to sow confusion and disrupt electronic commerce. In May of 2001, Chinese hackers waged a weeklong battle against Web sites in the United States, defacing some sites and crippling others with denial-of-service (DoS) attacks.
Responses to the "2001 Computer Crime and Security Survey," conducted by the Computer Security Institute, San Francisco, with participation of the San Francisco FBI Computer Intrusion Squad, confirm that the threat from computer crime and other information security breaches continues unabated and that the financial toll is mounting. Findings based on a survey of 538 computer security practitioners in American corporations, government agencies, financial institutions, medical institutions, and universities indicated that Internet connections were a more frequent point of attack than internal systems. Seventy percent of the respondents had suffered attacks on their organizations' connections to the Internet. Sixty-four percent acknowledged financial losses due to computer breaches. As in previous years, the most serious financial losses occurred through theft of proprietary information.
Hacker heritage
Hackers have been a part of the online industry since the first computer networks were forged. But the advent of a global Internet has dramatically increased the number and types of people seeking to penetrate the computers of organizations.
The threat was initially directed toward government and corporate computers that might yield data that could be sold, or that might offer direct access to financial accounts. As more individuals connected to the Internet, however, there also emerged a cadre of wannabes who do not have sophisticated hacking skills but are capable of using hacking tools to break into networks. Many of these novice hackers do it for recognition and peer support.
One 1993 report to the FBI referred to the three classes of hackers as "hippies, kids, and thieves." That is, those who did it were hobbyists with the necessary skills, kids seeking recognition, or professionals looking for money and data.
But these are no longer the only threats. Within the past few years, a new kind of hacker has emerged.
"They are a new generation of 'hacktivists,'" says Jim Basara, chief operating officer of security services firm PromiseMark, a computer security company in Fairfax, Virginia. "They are social or political activists who spread their message by defacing the Web sites of others, or penetrating and disrupting the computer networks of those they oppose. And while their acts have been limited until now to fairly simple acts of hacking, new tools are giving them unprecedented power to cause damage."
Hacktivism emerged in the mid-1990s, and most of the early attacks were directed toward governments. But the techniques of this digital vandalism have spread to private-sector and nonprofit targets. Recent attacks have been launched by animal rights activists and supporters of the online music service Napster.
Preferred methods of attack
Though new tools and threats arise almost daily, most attacks on a network or site fall into one of seven categories:
1. E-mail relay. Virtually every mail server can accept a message and forward it on to another server or destination. This capability lets organizations handle e-mail more efficiently, splitting the load among several servers for large or geographically separated operations. But a server that relays for anyone (an open relay) is also routinely exploited by spammers to push unwanted messages through an organization's servers, under its name and at its expense. Most current mail servers disable open relaying by default, but older server software may not, and a patch or upgrade has been known to turn relaying back on. Replacing the software is usually inexpensive, depending on the number of users on the system, but whatever the fix, the relay setting should be rechecked after every change to the server.
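The relay decision described above, reduced to the check a mail server makes for each recipient, as an added example that is not part of the original article and not taken from any real server's code. The domain, the internal network and the client addresses are constructed for illustration; the "legacy" policy models the older open-relay default and the "hardened" policy the restricted one, and the probe function asks the same question a relay scanner would.

```python
"""Added example, not from the article: the relay decision an SMTP server makes
for each RCPT TO, with the open-relay misconfiguration beside a correct policy.
Addresses, networks and domains are constructed for illustration."""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass


@dataclass
class RelayPolicy:
    local_domains: set[str]                        # domains this server delivers for
    trusted_networks: list[ipaddress.IPv4Network]  # internal nets allowed to send out
    open_relay: bool = False                       # the misconfiguration spammers hunt for

    def decide(self, client_ip: str, authenticated: bool, rcpt: str) -> str:
        """Return the SMTP reply to a RCPT TO:<rcpt> from client_ip."""
        domain = rcpt.rsplit("@", 1)[-1].lower()
        if domain in self.local_domains:
            return "250 OK"       # inbound mail for our own users: always accepted
        if self.open_relay:
            return "250 OK"       # outbound for anyone, from anywhere: open relay
        client = ipaddress.ip_address(client_ip)
        on_trusted_net = any(client in net for net in self.trusted_networks)
        if authenticated or on_trusted_net:
            return "250 OK"       # our own staff sending out: legitimate relaying
        return "554 5.7.1 Relay access denied"


def is_open_relay(policy: RelayPolicy) -> bool:
    """Probe the policy the way a relay scanner would: an unauthenticated client
    on an outside address asks us to deliver mail to an outside domain."""
    reply = policy.decide("203.0.113.9", authenticated=False, rcpt="target@example.net")
    return reply.startswith("250")


# Constructed configuration (assumed names, not any real server's settings)
LOCAL = {"association.example"}
INTERNAL = [ipaddress.ip_network("192.0.2.0/24")]

legacy_server = RelayPolicy(LOCAL, INTERNAL, open_relay=True)   # older default
hardened_server = RelayPolicy(LOCAL, INTERNAL)                   # relay restricted

if __name__ == "__main__":
    for name, policy in (("legacy", legacy_server), ("hardened", hardened_server)):
        print(f"{name}: open relay = {is_open_relay(policy)}")
```

The hardened policy still relays for authenticated users and for clients on the internal network, which is what the article's load-splitting use of relaying needs; only the "anyone to anywhere" case is refused. Running the probe after every patch or upgrade is the check the text calls for.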
2. Virus attack. One of the simplest forms of hacker attack, this method uses a computer virus that is sent as part of a file (document, e-mail attachment, or other) with the intention of extracting information or destroying segments of the network. The Chernobyl (CIH) virus works in this way. More recent examples such as Melissa and Pictures for You are capable of hiding from antivirus software or sending themselves to others on the network or across the Internet. Malicious code that spreads itself from machine to machine in this way, rather than waiting to be carried by hand, is known as a computer worm. (See companion article, "Computer Parasitology," for descriptions and preventions of these latest invaders.)
3. Denial of service. A DoS attack occurs when legitimate users are prevented from accessing and using a Web site or network service. This style of hacker attack has become increasingly popular in the past year, with such high-profile companies as CNN Interactive, Yahoo!, Amazon.com, and eBay coming under fire; in those cases the traffic came from many compromised machines at once, a distributed denial-of-service (DDoS) attack that no single source address identifies. Two primary methods are used to mount the attack. One is a mail bomb, in which thousands of e-mail messages are used to overwhelm a news, e-mail, or chat server. The other is a flood of hypertext transfer protocol (HTTP) requests, which ties up a Web server as it tries to answer thousands of simultaneous requests for the same pages. Associations are vulnerable to either type of attack, which would deny staff and members access to critical resources for the duration of the attack. Some sites have been inoperable for days or even weeks.
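What a request flood looks like in the Web server's own access log, and how to pick it out, as an added example that is not part of the original article. The log lines are constructed in the common log format that Apache and most Web servers of the period write; the window size and thresholds are assumptions that would be tuned against a site's normal traffic. It goes one step beyond the text by also flagging the distributed case, where many hosts each send a little and no single address stands out.

```python
"""Added example, not from the article: spotting an HTTP request flood in a Web
server's access log. The log lines are constructed, and the thresholds are
assumptions to be tuned against a site's normal traffic."""
import re
from collections import Counter, defaultdict
from datetime import datetime

# Apache/NCSA common log format: client ident user [time] "request" status bytes
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) \S+'
)


def parse_line(line: str):
    """Return (client_ip, epoch_seconds, request) or None for unparsable lines."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return m.group("ip"), int(ts.timestamp()), m.group("req")


def find_floods(lines, window=10, per_client=20, total=60):
    """Bucket requests into fixed windows of `window` seconds.

    A single client sending >= per_client requests in one window is the
    classic single-source flood. A window whose total reaches `total` while
    no one client stands out is the distributed pattern (DDoS), which
    per-address limits alone will never catch."""
    buckets = defaultdict(Counter)          # window start -> Counter(client ip)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ip, epoch, _ = parsed
        buckets[epoch - epoch % window][ip] += 1

    noisy_clients = set()
    distributed_windows = []
    for start, counts in sorted(buckets.items()):
        for ip, n in counts.items():
            if n >= per_client:
                noisy_clients.add(ip)
        if sum(counts.values()) >= total and max(counts.values()) < per_client:
            distributed_windows.append(start)
    return noisy_clients, distributed_windows


def make_sample_log():
    """Constructed traffic: a little normal browsing, one host hammering the
    front page, then 50 hosts each making a couple of requests in one window."""
    fmt = '{ip} - - [{ts}] "GET {path} HTTP/1.0" 200 2048'
    lines = [
        fmt.format(ip="198.51.100.4", ts="10/May/2001:14:01:05 -0400", path="/"),
        fmt.format(ip="198.51.100.4", ts="10/May/2001:14:01:09 -0400", path="/events/"),
        fmt.format(ip="198.51.100.8", ts="10/May/2001:14:01:40 -0400", path="/join.html"),
    ]
    lines += [fmt.format(ip="203.0.113.7", ts="10/May/2001:14:03:21 -0400", path="/")
              for _ in range(25)]
    for host in range(50):
        lines += [fmt.format(ip=f"203.0.113.{100 + host}",
                             ts="10/May/2001:14:05:00 -0400", path="/")
                  for _ in range(2)]
    return lines


if __name__ == "__main__":
    noisy, ddos = find_floods(make_sample_log())
    print("single-source flood from:", noisy)
    print("distributed flood windows (epoch seconds):", ddos)
```

A single noisy address can be blocked at the firewall or router; the distributed window cannot, which is why the sites named above stayed down for hours and why the answer there is upstream filtering and spare capacity rather than a local rule.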
4. Defacing of a Web site. This is an increasingly popular form of attack due to the low security of many Web sites and inherent weaknesses of the World Wide Web architecture. In this form of attack, the hacker penetrates the Web server and replaces the existing Web page with one of his or her own. While relatively easy to fix--by closing the security hole and restoring the original pages from a known-good copy--the attack can create embarrassment and may go unseen if the altered pages are buried within the site.
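One way to notice the buried case the text warns about is to keep a baseline of hashes for every file under the Web root and compare against it on a schedule. The following is an added example, not part of the original article and not any product's code; the site tree it checks is constructed in a temporary directory, and the file and directory names are invented for illustration.

```python
"""Added example, not from the article: catching a defacement by comparing the
Web root against a baseline of file hashes. The site tree here is constructed
in a temporary directory; in practice the baseline must live somewhere the
Web server cannot write to, or an intruder would simply rebuild it."""
from __future__ import annotations

import hashlib
import tempfile
from pathlib import Path


def build_manifest(root: Path) -> dict[str, str]:
    """Map every file under root (relative POSIX path) to its SHA-256 digest."""
    root = Path(root)
    return {
        p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
        for p in sorted(root.rglob("*")) if p.is_file()
    }


def compare(baseline: dict[str, str], current: dict[str, str]) -> dict[str, list[str]]:
    """Report pages changed, dropped in, or deleted since the baseline was taken."""
    return {
        "modified": sorted(p for p in baseline if p in current and baseline[p] != current[p]),
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
    }


def simulate_defacement() -> dict[str, list[str]]:
    """Build a small constructed site, take a baseline, then 'deface' a page
    buried two directories down and plant a new one, as an intruder might."""
    with tempfile.TemporaryDirectory() as tmp:
        site = Path(tmp)
        (site / "events" / "2001").mkdir(parents=True)
        (site / "index.html").write_text("<h1>Welcome members</h1>\n")
        (site / "events" / "2001" / "annual.html").write_text("<p>Annual meeting</p>\n")
        baseline = build_manifest(site)      # kept off the server in real use

        (site / "events" / "2001" / "annual.html").write_text("<h1>Owned</h1>\n")
        (site / "events" / "2001" / "greetz.html").write_text("defaced\n")
        return compare(baseline, build_manifest(site))


if __name__ == "__main__":
    for kind, pages in simulate_defacement().items():
        print(f"{kind}: {pages}")
```

The baseline must be regenerated whenever staff legitimately publish changes, so the comparison is only as useful as the discipline around content updates; unexplained differences are the signal, and the known-good copy used to restore the site should be the same one the baseline was taken from.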
5. Theft of intellectual property. One of the most damaging attacks is one in which the hacker penetrates a Web site to steal stored member information (address, credit card number, and so on) or penetrates a network to steal sensitive documents and internal memos. Particularly vulnerable are the databases used in evergreen renewal models, which store credit card or bank account information for members in order to automatically renew the membership or selected purchases on a regular basis. Data that is not stored cannot be stolen, so such databases should hold only what the renewal process genuinely requires, and hold it encrypted.
6. Snooping attack. This intrusion is designed to capture information or alter server settings to make a deeper break-in possible at some future date. The goal of the attack is to place a Trojan horse (a program disguised as something legitimate in order to fool users and security tools) on the server that can capture user names and passwords or reset server defaults to allow for easier penetration of the network.
7. Destructive attack. This attack is one of the most problematic because its sole purpose is to destroy the network. In this form of attack, hard drives and backups may be destroyed, settings altered to prevent operation of the network, and devices used to burn up resources--such as sending continuous print commands to use up printer paper.
Hacking prevention tools
A wide range of hardware and software tools may be used in an effort to thwart attempts to hack the network. Four are in common use:
1. Firewalls. Firewall is a generic term for a spectrum of technologies intended to provide protection from communication attacks. Screening routers, application gateways, proxy servers, and authentication servers are all examples of firewalls in use today. It is possible and often desirable to combine these different technologies according to the needs of the organization and its budget limitations.
The term firewall refers to the class of antihacking tools used to control the traffic that reaches each port on a server, accepting or rejecting connections by source IP address, destination port, or remote user. Most firewall systems work at the router, between the Internet and the internal network. A proxy server is a form of firewall that runs on a workstation or server and fronts for the machines behind it: outside connections terminate at the proxy, and only the traffic it permits passes through.
A firewall in and of itself is not sufficient to stop a hacker, but it will close off many of the easiest methods of penetrating the network. It serves, as much as anything, to weed out the attacks of real hackers from those of the wannabes.
Hardware and software firewall products are available from a number of vendors, including Check Point Software Technologies Ltd., Cisco Systems, Intel, Zone Labs, McAfee, and Symantec.
2. Secure Sockets Layer. SSL is a protocol inserted between the application protocol and the transmission control protocol (TCP) used to transmit data. In simple English, it is an encryption layer that lets the sender and receiver of information exchange data without eavesdroppers reading or altering it along the way. It is commonly used for secure transactions such as ordering or renewing membership from a Web site. If the association collects credit card or other sensitive information on the Web site, use of SSL is a mandatory step in protection. Note that SSL protects data only while it travels across the network; once the information is stored on the server, it is only as safe as the server itself.
3. Virtual private network. VPN technology brings an additional level of security to remote access to the network. It creates an encrypted tunnel across the Internet through which data can move between remote users and the network without being read in transit. VPN technology protects the data on the wire but does nothing about weaknesses at either end of the tunnel: a compromised remote PC or a poorly secured service on the internal network is just as exposed through a VPN as without one. A VPN is recommended if the remote user is sending or retrieving information that is sensitive in nature; it is not needed for routine communication.
There is a software-based VPN built into Windows operating systems that provides adequate protection for routine needs. For more serious security, consider a hardware-based VPN solution, available from a number of vendors.
4. Intrusion detection system. The IDS is a step up from the firewall: rather than simply permitting or blocking traffic, it analyzes network traffic against signatures of known attacks and suspicious patterns, including techniques associated with particular hacker groups, and raises an alert when something matches. Monitoring is often outsourced to a service that watches the sensors on a 24/7 basis and provides immediate notification when penetration of the network is attempted. Once considered a tool only of larger organizations, IDS systems are becoming as indispensable as firewalls.
"This is a tool needed particularly by associations that take positions on public issues, or that are opposed by international or activist groups," says PromiseMark's Jim Basara. "If I were the National Rifle Association, for example, I would not operate without an active IDS system."
In addition to hacker-specific preventions, it pays to develop a consistent and ongoing methodology for keeping your association's Web site safe. (See sidebar, "Fortification Framework," for more details.)
As Patrice Rapalus, director, Computer Security Institute, San Francisco, remarked with regard to the results of the annual Computer Crime and Security Survey, now in its sixth year: "The survey results over the years offer compelling evidence that neither technology nor policies alone really offer an effective defense for your organization. Intrusions take place despite the presence of firewalls. Theft of trade secrets takes place despite the presence of encryption. Net abuse flourishes despite corporate edicts against it. Organizations that want to survive in the coming years need to develop a comprehensive approach to information security, embracing both the human and technical dimensions. They also need to properly fund, train, staff, and empower those tasked with enterprisewide information security."
Dave McClure is president and CEO of the U.S. Internet Industry Association, Washington, D.C., and a member of ASAE's Technology Section Council.