Hacker school: Beating the hackers starts with knowing what you're up against

April 29, 2008
Ethical hacker shares ideas on proactive data security

Larry Detar has a job that tech-loving kids only dream of having when they grow up. As the vice president of global services for a company called EC-Council, Albuquerque, N.M., he hacks into networks for a living.

As a Certified Ethical Hacker, Detar conducts vulnerability assessments and penetration tests for financial institutions, government agencies and corporations. He executes code to infiltrate systems. He enters data centers pretending to be a member of the IT staff. He even digs through dumpsters to get to find whatever Achilles' heel exists in a seemingly impenetrable business.

And never once in the last five years since Detar's association with EC-Council did he fail to get at a company's sensitive data.

"That's the state of security," Detar said. "The majority of those access points are open to the 9-to-5ers. Not only the passwords to get into the computer, but the core application that controls the financials for that institution. They have access to everything that's not locked up."

Over the years, Detar has seen some security breaches that would make a TJX executive cringe. The simple fact, however, is that many security holes are avoidable.

While there is to date no security solution that is completely hackproof, Detar and fellow security experts agree that there are definitely some tried-and-true strategies that, when applied, will significantly reduce the odds that hackers will pick your business for their next attack.

1. Training, Training, Training

You can't get enough. Most experts agree that the security of an organization is as good as its weakest link-which is why they emphasize that training and awareness should be implemented at every level.

"Although everybody gives lip service that security starts at the lowest rung, nobody bothers to train that rung of the organization," Detar said.

Basic security training reinforces common sense behaviors, such as Internet safety, regularly installing security updates, file sharing protocols or mobile technology best practices. Yet many breaches occur as the result of carelessness or lack of user education, experts say. One such example is phishing, and there are other socially engineered attacks that can bring down a network by active consent from an unsuspecting user.

"People will get phished if they've never heard about phishing," said Guillaume Lovet, manager for the EMEA Threat Response Team at Fortinet Inc., Sunnyvale, Calif. "That's why social engineering is so cherished by hackers-it's so effective."

2. Encrypt Sensitive Data

Porous networks and mobile devices like BlackBerries and laptops have enabled increased mobility for workers, but have increased exposure to critical data. As a result, companies need solutions for protecting the information, as opposed to protecting the device in which it is stored, experts say.

Paul Kocher, president and chief scientist of San Francisco-based Cryptography Research Inc., said that companies need to protect at-risk data, or get it off their network altogether.

"The main thing encryption does is make it so data itself is no longer the critical thing to protect, but the keys are," he said. "In a way, you can think of encryption as transferring the security properties of an object to something that's easier to manage."

3. Pass On The Passwords

Passwords: easy to write down, impossible to remember. Overreliance on passwords is one of the biggest downfalls for any business' security strategy, no matter how comprehensive, experts say. Why? Because many employees will use the same easy-to-remember password for numerous applications. Or, they will write more difficult-to-remember passwords down and store them "safely" on a Post-It note stuck to the bottom of their keyboard.

To strengthen applications, businesses should start adopting a two-factor authentication system that could require a biological component, or Smart Card as well as a password.

"We need to move toward two-factor authentication-something you know, something you are," said Tony Kellerman, vice president of security awareness at Boston-based Core Security Technologies Inc. If you're going to rely on passwords, make them complex, "particularly those who have the keys to the castle," he said.

4. Update Your Security Policies

Threats change. And as the security threatscape evolves so, too, should your policies. But these policies won't benefit an organization unless they're understood by all its employees.

"The way all these technologies blend together, you forget what set of disciplines apply," said John Theilens, vice president of technology at Tumbleweed Communications Corp., Redwood City, Calif. "You get this very broad set of tools on your desktop. What's the right way to communicate content? And who's keeping a record of it forever?"

5. Keep An Eye On Third Parties

It's no secret that in a tough economy, businesses will tighten their belts and outsource functions previously occupied by in-house staff. But cutting costs should never be at the expense of security, experts say.

Outside contractors, particularly those with access to the network or privileged information, should receive just as much scrutiny as regular employees, and be subjected to regular audits, security experts say.

"They have a direct pipeline to the bowels of your network. And that inevitably will put your operations at risk," Kellerman said. "If they get polluted, you get polluted."

6. Hack Yourself

"Test the security, not just outside in, but inside out," Kellerman said.

There's no other way to test your strategy than by-well, testing your strategy. Experts recommend that companies need to make it a point to regularly hack into their own systems to determine which devices can be taken over, and what can be done to strengthen those devices.

"You have to know where the vulnerabilities are, and you have to know which of those vulnerabilities are a threat to an organization," Detar said. "Otherwise, why spend $30,000 if all [the hackers] are going to get is an access code for the company Starbucks card?"

Larger organizations might want to invest in an independent security consulting company to conduct penetration tests. Smaller companies can ask members of their IT staff to do it. Once the weak points are detected, organizations then need to remediate all the vulnerabilities.

"One hundred percent hacker-proof security does not really exist. There's always a risk," Kellerman said. "The goal is to reduce that risk and to manage it, to react and to respond. The more layers of protection you have, the better off you are."

---

Class Is In Session

In an effort to help businesses keep their systems hack-resistant, Larry Detar, vice president of global services for EC-Council, helped develop curriculum for Security5, a "hacker course" conceived to "teach the 9-to-5ers the basics about security." That means anyone from custodial staff on up to CEOs.

The goal of the two-day security course is to reduce the occurrence of simple mistakes that can lead to catastrophic security breaches. During the training, Detar emphasizes the fundamentals of security in nine core areas that cover everything from basic security procedures and administering Windows securely to recognizing security threats and attacks, and incident response.

The training provides a way for employees to help hack-proof their businesses by learning how attackers can enter in the first place, while also encouraging workers to think twice before circumventing company security protocol.

"(Employees) think it's going to make it harder for them to get their work done. Or harder to do something that they're used to doing. To keep the boss off their backs, they find a way around the rules," Detar said. "Anything you've heard about the lower level is true. But it's not their fault. Nobody has trained them."

And Security5 is just the beginning. For the aspiring ethical hacker, EC-Council also offers the more advanced certified ethical hacker (CEH) and Computer Hacking Forensic Investigator (CHFI) certifications.

-Stefanie Hoffman

---

It Would Have Helped Hannaford

Securing a network or a database can be a Herculean task, but with increasing reports of data theft, database tampering incidents and a host of regulatory compliance leveraged at businesses, Security Information Management (SIM) solutions are becoming a required module of every data center's comprehensive and secure network architecture.

Edison, N.J.-based security vendor netForensics Inc. has developed a line of midmarket and enterprise-level products that are based on the nFX security methodology. nFX security is a software platform comprised of Windows, Linux and Solaris providing security administrators with incident detection, remediation tools and reporting.

Late last year, netForensics released an enhanced version of nFX Data One, a component in its solution to focus on database threat management.

Products such as nFX Data One could be considered for enterprises that need to address compliance issues, which in many cases are as business-critical as the databases themselves. Consider the jarring message that supermarket chain Hannaford Bros Co., Scarborough, Maine, delivered last month: As many as 4.2 million customer credit-card numbers had been compromised as the result of a malicious database attack.

NFX Data One is a SIM product that provides nonintrusive database monitoring and is available as a hardened Linux appliance or as a software download. Supported databases include MS SQL, MySQL, Oracle, DB2 and Sybase. Supported operating systems are Red Hat, Centos, Solaris and AIX.

The Test Center looked at the appliance version that was preconfigured with Linux. This particular model supports 50 to 100 databases (limited by throughput) and up to 15,000 transactions per second. The device utilizes SPAN ports on switches, network taps or hubs to replicate database traffic.

For testing purposes, the appliance was connected to an Intel 10/100 stackable hub. Deployed for monitoring were an Oracle 11g database on Windows Server 2008 and an MS SQL 2005 server on Windows Server 2003. Queries to both databases were executed from a client running Windows XP SP2.

Management of the device is done through the console using Secure Shell or through a browser using Webmin. Configuration of database monitoring and tracking is done through a browser. Data Collection was easy to set up; there is a data collection rule by default for each supported database.

A particularly useful feature is the Filtering Rule Builder. The device comes with hard-coded "basic stock rules." These rules are defined by database type, by regulation or by solution. There's an Advanced Rule Builder to create custom rules as well.

The management interface opens up to the Data Viewer, where all database activity is monitored line-by-line. As soon as the Oracle Database Control interface was logged into with the SYS account, the activity showed up in Data Viewer. The query's record account, the user name, client IP, client and server ports were all logged. Data One will log all types of queries from simple SELECT statements to permissions changes.

The management utility has its own backup/restore service for disaster recovery of the full set of configuration files. A backup was initiated for tests. A prompt appeared to give a backup name. When "Backup" was selected and a backup folder name given, the system confirmed that "Backup has been created successfully" and also reported "Failed to create backup folder." Where to create that backup folder was not apparent in the management interface. Yet the restore option was chosen and the backup data was listed. A restore was executed successfully.

Overall, this is a powerful product that runs without additional overhead to database servers. It's not plug-and-play out of the box, but an appliance that a network security-centered VAR would have to get familiarized with to configure for optimal usage on a network.

-Samara Lynn