[ISN] Avoiding Attacks (fedworld article/policy/web)

From: <jericho_at_dimensional.com>
Date: Mon 13 Apr 1998 - 17:18:33 CDT
Forwarded From: "Jay D. Dyson" <jdyson@techreports.jpl.nasa.gov>


[Jay D. Dyson: *sigh* It started fairly clueful, then degenerated into
 bureaucratic drivel and techno-illiteracy.  Maybe this will serve as a
 "security policy to avoid" model?  Your call.]


http://www.cio.fed.gov/websec.htm

Avoiding Attacks
By Alan Paller

Just after midnight on Aug. 16, 1996, hackers cracked the Justice
Department web site, replacing the Attorney General's picture with Adolf
Hitler's. Deputy Assistant Attorney General Mark Boster, contacted by the
FBI, ordered the site brought down at 2:45 a.m.

Boster, in charge of information resources management, ordered the
department to review its online security, and what he learned can help
others who want to make their systems less vulnerable.

Top management is asking information technologists to do more work on the
web, which makes organizations more vulnerable because internal networks
are connecting to the world outside. In response, technologists buy a
"firewall," a device that limits network access, and declare themselves
safe, or at least safer. Actually, they're practicing "security by
prayer," praying people will hack other sites where entry is easier. "We
know we'll be attacked again. We want to be ready," Boster says, offering
these tips:

1. Don't allow outside organizations to set priorities. Justice attorneys
said they were at a disadvantage because private lawyers, with whom they
compete, have web access. "Just because it can be done [elsewhere] doesn't
mean it should be done at the Department of Justice," Boster says, urging
caution. The key, he says, is to explain the consequences of unfettered
network access in easily understood language, and to manage expectations.

2. Don't believe self-proclaimed "security experts." Contractors and
internal security staff have widely varying expertise, so Boster suggests
a system of checks and balances. First, he makes at least two contractors
responsible for a project, then rotates vendors to keep getting new
perspectives. Finally, while he tends to hire individuals, if he hires
large companies he specifies every employee on the project and puts each
through a five-year background check.

3. Don't assume that once a system is secure it stays secure. Boster has
three full-time security employees, and he says the job takes their full
attention. The hackers are working full time, so security teams must
continually change the system to make it less vulnerable. In addition,
systems often expect too much of their firewalls, incorrectly assuming
they offer comprehensive security. "We ... forgot we had lots of modems
and dial-in ports," Boster said. Every modem on a network is a back door
through which a hacker can enter the system, bypassing the firewall. As a
result, Justice eliminated individual modems on networked machines and
established standards for remote access to networked information.

4. Have a plan to deal with the next break-in. Boster suggests keeping
up-to-date lists of pager numbers for key on-call personnel. In addition,
have plans for bringing the site down and back up, and know what
information should be kept, what needs to be replaced and where to find
original material. And because there may be questions from the press, have
a plan to deal with the media.

5. Designate a central authority. When a loose federation of groups
populate and host web sites, there may be rogue sites that don't adhere to
standards. Justice has taken the exceptional step of moving toward one
internet access point, allowing the agency to monitor its site more
closely to detect problems more quickly and, if needed, shut down.

6. Don't encourage heterogeneous telecommunications equipment. When
Attorney General Janet Reno decided she wanted to be able to send e-mail
to any Justice employee, the agency connected its separate networks, making
it easier to send e-mail but increasing system vulnerability. If any part
of the network is penetrated, the entire system may be at risk.

7. Don't believe your site can be removed quickly. The day after the
attack on the Justice site, the offensive materials could still be viewed.
Boster's staff had turned off the server, but had forgotten, or didn't
know, that important web sites are replicated on the large service
providers' computers, such as America On Line, without the knowledge of
the web site owner. The replicas of the hacked site were maintained until
the next regular update, which can be as long as several days.

8. Maintain logs and other incident data on the web server. Standard
hacker procedure usually calls for a "cover your tracks" step just before
leaving a hacked site. That often includes erasing the logging records
that show which files were opened and what was done in those files. Sites
that maintain remote logs, instantly updated and archived, can shift the
information advantage away from the hacker. Boster also advises
maintaining a completely separate back-up site. When the main site is
hacked, the backup shows what changes were made.
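As an added illustration of tip 8 (this script is not part of Paller's article or the Justice setup), the code below stands in for a remote log host that the web server can only append to: each access-log line is forwarded the instant it is written, and a later comparison reveals which lines a "cover your tracks" step erased locally. The log lines, addresses and the in-memory "archive" are constructed for the example.

```python
import hashlib
from collections import Counter

# Constructed sample web-server access-log lines (not real traffic).
ACCESS_LOG = [
    '10.0.0.5 - - [16/Aug/1996:00:02:11 -0400] "GET /index.html HTTP/1.0" 200 2048',
    '10.0.0.5 - - [16/Aug/1996:00:02:15 -0400] "GET /images/ag.gif HTTP/1.0" 200 9120',
    '10.0.0.9 - - [16/Aug/1996:00:07:42 -0400] "GET /cgi-bin/admin HTTP/1.0" 403 312',
    '10.0.0.9 - - [16/Aug/1996:00:08:03 -0400] "PUT /index.html HTTP/1.0" 201 0',
    '10.0.0.5 - - [16/Aug/1996:00:09:30 -0400] "GET /index.html HTTP/1.0" 200 1990',
]

def forward(line, archive):
    """Ship one log line to the remote archive as soon as it is written.
    Each entry carries a hash chained to the previous entry, so a gap or
    rewrite in the archive itself is also detectable."""
    prev = archive[-1][1] if archive else "0" * 64
    digest = hashlib.sha256((prev + line).encode()).hexdigest()
    archive.append((line, digest))

def chain_intact(archive):
    """True if every archived entry still hashes to its predecessor."""
    prev = "0" * 64
    for line, digest in archive:
        if hashlib.sha256((prev + line).encode()).hexdigest() != digest:
            return False
        prev = digest
    return True

def find_erased(local_lines, archive):
    """Return archived lines that no longer appear in the local log, in
    archive order: exactly what a 'cover your tracks' step removed."""
    remaining = Counter(local_lines)
    erased = []
    for line, _ in archive:
        if remaining[line] > 0:
            remaining[line] -= 1
        else:
            erased.append(line)
    return erased

def demo():
    """Forward the whole log, then simulate the intruder wiping the two
    local entries that reveal the break-in; the remote copy still has them."""
    archive = []
    for line in ACCESS_LOG:
        forward(line, archive)
    local_after = [l for l in ACCESS_LOG if "10.0.0.9" not in l]
    return chain_intact(archive), find_erased(local_after, archive)
```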

9. Don't leave tools hackers can use. Justice had followed general
industry practice and removed most system administration software from the
server, but the hacker found and used several tools. The best practice,
Boster says, is to build the web content remotely and transfer only
essential files to the active web server, using encrypted transmission.

10. Don't send unprotected information between servers. Sniffers are
software tools that read all computer traffic. They can be useful for
administrators who must find the cause of network problems, but they can
also be used by hackers to find user names, passwords and other critical
data. To counter that threat, Boster has implemented encryption of all
information transferred among Justice computers used for web development.

11. Don't participate in networks in which some members are careless about
security. Weak sites can be hacked easily and used as jumping off points
to other sites. If the weak link is inside a trusted community, say another
Federal agency, attacks may be successful. It's important, Boster says,
that all members of a networked community practice safe internet.

12. Be tough on crime. Some organizations cover up security breaches, but
attacks may increase because companies and agencies that ignore hackers
create a crime-friendly environment. "You must ... be willing to prosecute
offenders to the full extent of the law," Boster says. Finally, Boster
says, "the best thing that ever happened to security at the Department of
Justice was having our web site hacked." The attack enabled officials to
rearrange responsibilities, implement and enforce policies, and allocate
resources. The Attorney General herself directly ordered several major
security upgrades.

Other organizations take heed: Learn how to avoid hacker attacks.



-o-
Subscribe: mail majordomo@sekurity.org with "subscribe isn".
Today's ISN Sponsor: Dimensional Communications (www.dim.com)
Received on Mon Apr 13 20:23:36 1998