Be sure to specifically audit the most commonly targeted areas for intruders. Our research shows that these include host systems, WAN links, local segments and zones, management points, and archives.
Host Systems
Host systems refer to host or Web servers that cross-reference storage media for database compilations. If these systems are compromised by an intruder, the connected storage network and the stored data would most likely be vulnerable to intrusion and/or data theft.
WAN Links
Traffic containing storage data over WANs and/or the Internet is typically vulnerable to data theft and modification, TCP session hijacking, and spoofing attacks. Attackers typically use IP and DNS spoofing to take over the identity of a trusted host in order to subvert security and obtain trusted communication with a target host. Using IP spoofing to breach security and gain access to the network, an intruder first disables, then masquerades as, a trusted host. The result is that the target station resumes communication with the attacker, because messages appear to be coming from a trustworthy host. Understanding the core inner workings of IP spoofing requires extensive knowledge of IP, TCP, and the SYN-ACK process.
To engage in IP spoofing, an intruder must first discover the IP address of a trusted host, then modify his or her packet headers so that the illegitimate packets appear to be coming from that host. Of course, to pose as the trusted host, that machine must be disabled along the way. Because most internetworking operating system software does not validate the source address field in packet headers, the source address is vulnerable to being spoofed. The attacker then predicts the target's TCP sequence numbers and, subsequently, participates in the trusted communications. The most common, and likewise deviant, IP spoofing techniques include:
■■ Packet interception and modification between two hosts
■■ Packet and/or route redirection from a target to the attacker
■■ Target host response prediction and control
■■ TCP SYN flooding variations
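The passage above notes that most operating systems do not validate the source address field, which is why the countermeasure belongs at the network edge rather than on the host. The following is an added example, not code from the book, of the source-address validation a WAN-edge audit would look for: each interface is mapped to the prefixes that may legitimately send traffic through it, and a packet whose claimed source could not have entered through that interface is flagged. The interface names, prefixes and sample packets are constructed for the example.

```python
# Added example (not from the book): source-address validation in the spirit of
# ingress filtering.  Each internal interface is mapped to the prefixes expected
# behind it; on the WAN side, any packet claiming an internal or loopback source
# is by definition spoofed.  Names and addresses below are constructed.
from ipaddress import ip_address, ip_network

# Constructed topology: internal interface -> prefixes that legitimately sit behind it.
INTERFACE_PREFIXES = {
    "lan0": [ip_network("10.10.0.0/16")],
    "san0": [ip_network("192.168.50.0/24")],
}
# Ranges that belong to us; they must never arrive from the WAN interface.
INTERNAL_PREFIXES = [ip_network("10.10.0.0/16"), ip_network("192.168.50.0/24")]
WAN_INTERFACE = "wan0"

def is_spoofed(iface: str, src: str) -> bool:
    """Return True when src could not legitimately have entered via iface."""
    addr = ip_address(src)
    if iface == WAN_INTERFACE:
        return addr.is_loopback or any(addr in p for p in INTERNAL_PREFIXES)
    # Unknown interfaces have no allowed prefixes, so everything on them is flagged.
    return not any(addr in p for p in INTERFACE_PREFIXES.get(iface, []))

def filter_packets(packets):
    """Split (iface, src, dst) tuples into (accepted, flagged) lists."""
    accepted, flagged = [], []
    for pkt in packets:
        iface, src, _dst = pkt
        (flagged if is_spoofed(iface, src) else accepted).append(pkt)
    return accepted, flagged

# Constructed sample traffic, including a WAN packet claiming an internal source.
SAMPLE_PACKETS = [
    ("lan0", "10.10.4.7", "192.168.50.20"),      # normal host-to-storage traffic
    ("wan0", "198.51.100.9", "10.10.4.7"),       # ordinary external source
    ("wan0", "10.10.4.7", "192.168.50.20"),      # internal address from the WAN: spoofed
    ("san0", "10.10.4.7", "192.168.50.20"),      # source is on the wrong segment
]

if __name__ == "__main__":
    _ok, bad = filter_packets(SAMPLE_PACKETS)
    for pkt in bad:
        print("possible spoofed source:", pkt)
```

The check is deliberately stateless: it answers only "could this source have arrived here?", which is what a router ACL or host firewall can enforce, and it leaves sequence-number and session questions to the connection tracking discussed under DoS attacks.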
Local Segment and Zones
Be sure to audit and monitor for unauthorized servers or switches attempting to attach to a Fibre Channel network through open ports as if they were legitimate members. This includes the storage infrastructure between the host and the switch, between administrators and the access control management systems, between the management systems and the switch zone, and between separate switch zones. Be sure to use plug-ins or modules that test the access controls, access control lists, and encryption mechanisms.
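One concrete form of the zone audit described above is to compare what the fabric's name server says is logged in against what the active zoneset says is allowed. The following is an added example, not code from the book or from any switch vendor: it parses a constructed zoneset listing and a constructed name-server listing (both in a generic show-style text format assumed for the example) and reports devices that attached without being zoned, as well as zone members that are no longer present.

```python
# Added example (not from the book): compare the WWPNs logged into a Fibre Channel
# fabric (name-server view) with the WWPNs referenced by the active zoneset.  A
# port that attached without being zoned, and a zone entry for a device that is
# gone, both end up in the report.  The text formats below are constructed.
import re

# Constructed active-zoneset listing in a generic show-style format.
ZONESET_TEXT = """\
zone name db_hosts
  member wwpn 10:00:00:00:c9:aa:bb:01
  member wwpn 10:00:00:00:c9:aa:bb:02
  member wwpn 50:06:0e:80:00:11:22:33
zone name backup
  member wwpn 10:00:00:00:c9:aa:bb:03
  member wwpn 50:06:0e:80:00:11:22:44
"""

# Constructed name-server listing: FCID, port type, WWPN currently logged in.
NAMESERVER_TEXT = """\
0x010100 N 10:00:00:00:c9:aa:bb:01
0x010200 N 10:00:00:00:c9:aa:bb:02
0x010300 N 10:00:00:00:c9:aa:bb:09
0x020100 N 50:06:0e:80:00:11:22:33
"""

WWPN_RE = re.compile(r"([0-9a-f]{2}(?::[0-9a-f]{2}){7})", re.I)

def parse_zones(text):
    """Return {zone_name: set(wwpn)} from the zoneset listing."""
    zones, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("zone name "):
            current = line.split(None, 2)[2]
            zones[current] = set()
        elif line.startswith("member wwpn ") and current is not None:
            zones[current].add(WWPN_RE.search(line).group(1).lower())
    return zones

def parse_nameserver(text):
    """Return the set of WWPNs that are currently logged into the fabric."""
    return {m.group(1).lower() for m in WWPN_RE.finditer(text)}

def audit_fabric(zoneset_text, nameserver_text):
    zones = parse_zones(zoneset_text)
    zoned = set().union(*zones.values()) if zones else set()
    present = parse_nameserver(nameserver_text)
    return {
        "unzoned_logins": sorted(present - zoned),   # attached but not authorised by any zone
        "stale_members": sorted(zoned - present),    # zoned but not currently present
    }

if __name__ == "__main__":
    for key, wwpns in audit_fabric(ZONESET_TEXT, NAMESERVER_TEXT).items():
        print(key, wwpns)
```

Stale members are worth reporting alongside unzoned logins: an entry for a decommissioned host is exactly what an unauthorized device would need to spoof in order to appear zoned.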
Management Points
Administrative systems, management ports, and SNMP devices may be vulnerable to attacks launched by intruders against the storage networks, especially Denial-of-Service (DoS) attacks, insertion of viruses, and the execution of Trojan horses inside the storage network. Be sure to target these during your local audits and monitor the services and ports they use.
DoS attacks can bring networks to a screeching halt by flooding them with useless traffic. Flooding, generally speaking, exploits the SYN-ACK (three-way) handshake, in which a connection is established between two nodes during a TCP session for unambiguous synchronization of both ends of the connection. This process allows both sides to agree upon a sequence-numbering method for tracking bytes within the communication streams in each direction. Basically, the first node requests communication by sending a packet with a sequence number and the SYN bit set. The second node responds with an acknowledgment (ACK) that contains the first node's sequence number plus one, together with its own sequence number. At this point, the first node responds with its own ACK, and communication between the two nodes proceeds. When there is no more data to send,
a TCP node may send a FIN bit, indicating a close control signal; at that point, both nodes close. In one form of SYN flooding, the source IP address in the packet is "spoofed," or replaced with an address that is not in use on the Internet or that belongs to another computer. An attacker sends numerous TCP SYNs to tie up as many resources as possible on the target computer. Upon receiving the connection request, the target computer allocates resources to handle and track this new communication session, then responds with a SYN-ACK. In this case, the response is sent to the spoofed or nonexistent IP address. As a result, no response to the SYN-ACK is received; therefore, a default-configured Windows NT server retransmits the SYN-ACK five times, doubling the time-out value after each retransmission. The initial time-out value is 3 seconds, so retries are attempted at 3, 6, 12, 24, and 48 seconds. After the last retransmission, 96 seconds are allowed to pass before the computer gives up waiting to receive a response and thus reallocates the resources that were set aside earlier. The total elapsed time during which resources are unavailable equates to approximately 189 seconds.
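The handshake and retransmission schedule above translate directly into something an auditor can measure: how long each half-open entry ties up the target, and how many entries never complete. The following is an added example, not code from the book, that (a) computes the hold time from the schedule the text gives (3 s initial time-out, doubled across 5 retries, then a final 96 s wait) and (b) walks a constructed list of packet events, tracks each client-server pair through SYN, SYN-ACK and ACK, and reports servers with an abnormal number of half-open connections. The event format and sample addresses are constructed for the example.

```python
# Added example (not from the book): hold-time arithmetic for the SYN-ACK
# retransmission schedule, plus a small connection-state tracker that finds the
# half-open connections a SYN flood leaves behind in a capture.
from collections import defaultdict

def syn_ack_hold_time(initial_timeout=3, retries=5):
    """Return (retransmission intervals, seconds resources stay allocated).
    The intervals double after each retry; after the last one, a final wait of
    twice the last interval elapses before the entry is released."""
    intervals = [initial_timeout * 2 ** i for i in range(retries)]
    final_wait = intervals[-1] * 2
    return intervals, sum(intervals) + final_wait

def track_handshakes(events):
    """events: (time, src, dst, flags) with flags in {'SYN', 'SYN-ACK', 'ACK'},
    where src/dst are written from the sender's point of view.
    Returns {server: number of connections still half-open at the end}."""
    state = {}  # (client, server) -> 'SYN_RCVD' | 'ESTABLISHED'
    for _t, src, dst, flags in events:
        if flags == "SYN":
            state[(src, dst)] = "SYN_RCVD"          # server allocated resources here
        elif flags == "SYN-ACK":
            pass                                     # server -> client; no state change
        elif flags == "ACK" and state.get((src, dst)) == "SYN_RCVD":
            state[(src, dst)] = "ESTABLISHED"        # third leg completed
    half_open = defaultdict(int)
    for (_client, server), s in state.items():
        if s == "SYN_RCVD":
            half_open[server] += 1
    return dict(half_open)

def flag_syn_flood(events, threshold=3):
    """Return {server: half_open_count} for servers above the threshold.
    Counting per server (not per source) matters because flood SYNs typically
    carry a different spoofed source each."""
    return {srv: n for srv, n in track_handshakes(events).items() if n > threshold}

# Constructed capture: one normal handshake, then five SYNs with spoofed sources
# that never complete because the SYN-ACKs go to addresses that will not answer.
SAMPLE_EVENTS = [
    (0.00, "10.10.4.7", "192.168.50.20", "SYN"),
    (0.01, "192.168.50.20", "10.10.4.7", "SYN-ACK"),
    (0.02, "10.10.4.7", "192.168.50.20", "ACK"),
    (1.00, "203.0.113.11", "192.168.50.20", "SYN"),
    (1.00, "203.0.113.12", "192.168.50.20", "SYN"),
    (1.01, "203.0.113.13", "192.168.50.20", "SYN"),
    (1.01, "203.0.113.14", "192.168.50.20", "SYN"),
    (1.02, "203.0.113.15", "192.168.50.20", "SYN"),
]

if __name__ == "__main__":
    intervals, total = syn_ack_hold_time()
    print("retransmit intervals:", intervals, "total hold time:", total, "s")
    print("suspected SYN flood targets:", flag_syn_flood(SAMPLE_EVENTS))
```

Multiplying the hold time by the SYN arrival rate gives the steady-state number of half-open entries the target must carry, which is the figure to compare against the backlog size configured on the host.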
Viruses are a form of passive penetration — passive because the attacker isn’t waiting on the other end of the connection. They’re used to wreak havoc. In this passive context, a virus is a computer program that makes copies of itself by using a host program. This means the virus requires a host program; thus, along with executable files, the code that controls your hard disk can, and in many cases will, be infected. When a virus copies its code into one or more host programs, the viral code executes and then replicates.
Typically, computer viruses that hackers spread carry a payload — that is, damage that results after a specified period of time. The damage can range from file corruption to data loss or even hard disk obliteration. Viruses are most often distributed through e-mail attachments, pirated software distribution, and infected floppy disk dissemination.
The damage to your system caused by a virus depends on what kind of virus it is.
Popular renditions include active code that can trigger an event upon opening an e-mail (such as in the infamous I Love You and Donald Duck “bugs”). Traditionally, there are three distinct stages in the life of a virus: activation, replication, and manipulation.
■■ Activation. The point at which the computer initially “catches” the virus, commonly from a trusted source.
■■ Replication. The stage during which the virus infects as many sources as it can reach.
■■ Manipulation. The point at which the payload of the virus begins to take effect, such as on a certain date (for example, Friday the 13th or January 1), or on an event (for example, the third reboot or a scheduled disk maintenance procedure).
A virus is classified according to its form of malicious operation:
■■ Partition sector virus
■■ Boot sector virus
■■ File-infecting virus
■■ Polymorphic virus
■■ Multipartite virus
■■ Trojan horse virus
■■ Worm virus
■■ Macro virus
When a virus acts as a Trojan, on the other hand, it can be defined as a malicious, security-breaking program that is typically disguised as something useful, such as a utility program, joke, or game download. Trojans are often used to introduce a backdoor, or “hole,” into a system’s security posture.
Simple Network Management Protocol
In a nutshell, the Simple Network Management Protocol (SNMP) directs network device management and monitoring and typically utilizes ports 161 and 162. SNMP operation consists of messages, called protocol data units (PDUs), that are sent to different parts of a network. SNMP devices are called agents. These components store information about themselves in management information bases (MIBs) and return this data to the SNMP requesters. UDP port 162 is specified as the port that notification receivers should listen to for SNMP notification messages. For all intents and purposes, this port is used to send and receive SNMP event reports. The interactive communication governed by these ports makes them juicy targets for probing and reconfiguration, so be sure to audit them extensively.
Archives
Archives and data warehouses retain data and information backups over time, and time and again, they are overlooked. They should be audited and monitored, since they may be exposed to theft, modification, and/or deletion.
Other General Insecurities
You know that perimeter security is simply not enough to protect against malicious users and local/remote attackers; therefore, some other common critical inherited security risks to audit include:
■■ Unauthorized access. Local users and remote attackers access classified data.
■■ Unauthenticated access. Unprivileged users access privileged data.
■■ Unprotected administrator access. This is caused by unencrypted local and remote authentication.
■■ Idle host scanning and spoofing. Advanced discovery and/or local trusted systems masquerade to retrieve sensitive information and/or compromise security.
■■ Vulnerable delivery channel access points. This includes exposed zones, islands, and remote networks.
■■ Data hijacking and sniffing. This targets exposed data links and vulnerable operating systems.
From Cerberus Information Security, the Cerberus Internet Scanner (CIS) (www.cerberus-infosec.co.uk/CIS-5.0.02.zip) is a free security scanner designed to help administrators locate and fix security holes in computer systems. CIS primarily checks Internet services (i.e., HTTP, SMTP, POP3, FTP, and Portmapper), and in addition, it scans Windows NT systems to see whether any accounts, shares, groups, and registry settings are vulnerable to remote attackers. The following are some of its features:
■■ It takes a modular approach. Each scan module is implemented as a dynamic link library (DLL), so when an update to a particular module occurs, the user needs only to download the updated DLL. The user can also choose which modules to run.
■■ It is comprehensive, making approximately 300 checks. As far as scanning Web servers goes, CIS is one of the best.
■■ It has hidden command-line capability—that is, it runs scans in the background. What this means is that if a user wants to scan a large number of hosts, he or she can implement this hidden capability in a batch file; once a scan has started, control is returned to the command prompt so the next and subsequent scans can start immediately.
■■ It includes numerous scan modules—for example, WWW, SQL, FTP, SMTP, POP3, DNS, finger, and various Windows NT checks.
■■ It generates HTML-based reports with hypertext links to more information.