Recognizing Network Security Threats
In order to effectively protect your network, you must consider the following question: from whom or what are you protecting it? In this section, we will approach the answer to that question from two perspectives:
Who: types of network intruders and their motivations
What: types of network attacks and how they work
These questions form the basis for performing a threat analysis. A comprehensive threat analysis is often the product of collaborative brainstorming among people who are knowledgeable about the business processes, industry, security, and so on. In fact, it is desirable that a threat analysis not be conducted solely by computer security experts, as this group might lack important 'big picture' knowledge of the business and industry. The ability to think creatively is a key requirement for members of a threat analysis team.
First, we will look at intruder motivations and classify the different types of people who have the skill and desire to hack into others' computers and networks.
Understanding Intruder Motivations
There are probably as many different specific motives as there are hackers, but we can break the most common intruder motivations into a few broad categories:
Recreation: Those who hack into networks 'just for fun' or to prove their technical prowess; often young people or 'anti-establishment' types.
Remuneration: People who invade the network for personal gain, such as those who attempt to transfer funds to their own bank accounts or erase records of their debts; 'hackers for hire' who are paid by others to break into the network; corporate espionage is included in this category.
Revenge: Dissatisfied customers, disgruntled former employees, angry competitors, or people who have a personal grudge against someone in the organization.
The scope of damage and extent of the intrusion is often, although by no means always, tied to the intruder's motivation.
Recreational Hackers
Recreational hackers are often teen hackers who do it primarily for the thrill of accomplishment. In many cases, they do little or no permanent damage, perhaps only leaving 'I was here' type messages to 'stake their claims' and prove to their peers that they were able to penetrate your network's security. There are more malevolent versions of the fun-seeking hacker, however. These are the cyber-vandals, who get their kicks out of destroying as much of your data as possible, or causing your systems to crash.
Profit-motivated Hackers
Those who break into your network for remuneration of some kind-either directly or indirectly-are more dangerous. Because money is at stake, they are more motivated to accomplish their objective. And because many of them are 'professionals' of a sort, their hacking techniques may be more sophisticated than those of the average teenage recreational hacker.
Monetary motivations include:
Personal financial gain
Third-party payment
Corporate espionage
Those motivated by the last are usually the most sophisticated and the most dangerous. There is often big money involved in theft of trade secrets. Corporate espionage agents may be employees who have been approached by your competitors and offered money or merchandise, or even threatened with blackmail or physical harm. In some instances, those working for competitors will go 'undercover' and seek a job with your company in order to steal data that they can take back to their own organizations (to add insult to injury, these 'stealth spies' are getting paid by your company at the same time they're working against you to the benefit of your competitor).
There are also 'professional' freelance corporate spies. They may be contacted and contracted to obtain your company secrets, or they may do it on their own and auction it off to your competitors.
These corporate espionage agents are often highly skilled. They are technically savvy and intelligent enough to avoid being caught or detected. Fields that are especially vulnerable to the threat of corporate espionage include:
Oil and energy
Engineering
Computer technology
Research medicine
Law
Any company that is on the verge of a breakthrough that could result in large monetary rewards or world-wide recognition, especially if the company's involvement is high profile, should be aware of the possibility of espionage and take steps to guard against it.
Vengeful Hackers
Persons motivated by the desire for revenge are dangerous, as well. Vengeance seeking is usually based on strong emotions, which means these hackers may go all out in their efforts to sabotage your network.
Examples of hackers or security saboteurs acting out of revenge include:
Former employees who are bitter about being fired or laid off or who quit their jobs under unpleasant circumstances
Current employees who feel mistreated by the company, especially those who may be planning to leave soon
Current employees who aim to sabotage the work of other employees due to internal political battles, rivalry over promotions, and the like
Outsiders who have grudges against the company, such as those at competing companies who want to harm or embarrass the company or dissatisfied customers
Outsiders who have personal grudges against someone who works for the company, such as former girlfriend/boyfriends, spouses going through a divorce, and other relationship-related problems
Luckily, the intruders in this category are generally less technically talented than those in the other two groups, and their emotional involvement may cause them to be careless and take outrageous chances, which makes them easier to catch.
Hybrid Hackers
Of course, the three categories can overlap in some cases. A recreational hacker who perceives himself to have been mistreated by an employer or in a personal relationship may use his otherwise benign hacking skills to impose 'justice' for the wrongs done to him, or a vengeful ex-employee or ex-spouse might pay someone else to do the hacking for him.
It is beneficial to understand the common motivations of network intruders because, although we may not be able to predict which type of hacker will decide to attack our networks, we can recognize how each operates and take steps to protect our networks from all of them.
Even more important in planning our security strategy than the type of hacker, however, is the type of attack. In the next section, we will examine specific types of network attacks and how you can protect against them.
Classifying Specific Types of Attacks
The attack type refers to how an intruder gains entry to your computer or network and what he does once he has gained entry. In this section, we will discuss some of the more common types of hack attacks, including:
Social engineering attacks
Denial of Service (DoS) attacks
Scanning and Spoofing
Source routing and other protocol exploits
Software and system exploits
Trojans, viruses and worms
When you have a basic understanding of how each type of attack works, you will be better armed to guard against them.
Social engineering attacks
Unlike the other attack types, social engineering does not refer to a technological manipulation of computer hardware or software vulnerabilities and does not require much in the way of technical skills. Instead, this type of attack exploits human weaknesses-such as carelessness or the desire to be cooperative-to gain access to legitimate network credentials. The talents that are most useful to the intruder who relies on this technique are the so-called 'people skills,' such as a charming or persuasive personality or a commanding, authoritative presence.
What is social engineering?
Social engineering is defined as obtaining confidential information by means of human interaction (Business Wire, August 4, 1998). You can think of social engineering attackers as specialized con artists. They gain the trust of users (or even better, administrators) and then take advantage of the relationship to find out the user's account name and password, or have the unsuspecting users log them onto the system. Because it is based on convincing a valid network user to 'open the door,' social engineering can successfully get an intruder into a network that is protected by high-security measures such as biometric scanners.
Social engineering is, in many cases, the easiest way to gain unauthorized access to a computer network. The Social Engineering Competition at a Defcon annual hackers' convention in Las Vegas attracted hundreds of attendants eager to practice their manipulative techniques. Even hackers who are famous for their technical abilities know that people make up the biggest security vulnerability on most networks. Kevin Mitnick, convicted computer crimes felon and celebrity hacker extraordinaire, tells in his lectures how he used social engineering to gain access to systems during his hacking career.
These 'engineers' often pose as technical support personnel-either in-house, or pretending to work for outside entities such as the telephone company, the Internet Service provider, the network's hardware vendor, or even the government. They often contact their victims by phone, and they will usually spin a complex and plausible tale of why they need the users to divulge their passwords or other information (such as the IP address of the user's machine or the computer name of the network's authentication server).
Protecting your network against social engineers
It is especially challenging to protect against social engineering attacks. Adopting strongly worded policies that prohibit divulging passwords and other network information to anyone over the telephone and educating your users about the phenomenon are obvious steps you can take to reduce the likelihood of this type of security breach. Human nature being what it is, however, there will always be some users on every network who are vulnerable to the social engineer's con game. A talented social engineer is a master at making users doubt their own doubts about his legitimacy.
The 'wannabe' intruder may regale the user with woeful stories of the extra cost the company will incur if he spends extra time verifying his identity. He may pose as a member of the company's top management and take a stern approach, threatening the employee with disciplinary action or even loss of job if he doesn't get the user's cooperation. Or he may try to make the employee feel guilty by pretending to be a low-level employee who is just trying to do his job and who will be fired if he doesn't get access to the network and get the problem taken care of right away. A really good social engineer is patient and thorough. He will do his homework, and will know enough about your company, or the organization he claims to represent, to be convincing.
Because social engineering is a human problem, not a technical problem, prevention must come primarily through education rather than technological solutions.
Note: For more information about social engineering and how to tell when someone is attempting to pull a social engineering scam, see the preview chapter entitled Everything You Wanted to Know about Social Engineering-But Were Afraid to Ask at the 'Happy Hacker' website, located at www.happyhacker.org/uberhacker/se.shtml.
Denial of Service (DoS) attacks
Denial of Service (DoS) attacks are one of the most popular choices of Internet hackers who want to disrupt a network's operations. Although they do not destroy or steal data as some other types of attacks do, the objective of the DoS attacker is to bring down the network, denying service to its legitimate users. DoS attacks are easy to initiate; software is readily available from hacker websites and warez newsgroups that will allow anyone to launch a DoS attack with little or no technical expertise.
Note: Warez is a term used by hackers and crackers to describe bootlegged software that has been 'cracked' to remove copy protections and made available by software pirates on the Internet, or in its broader definition, to describe any illegally distributed software.
In February of 2000, massive DoS attacks brought down several of the biggest websites, including Yahoo.com and Buy.com.
The purpose of a DoS attack is to render a network inaccessible by generating a type or amount of network traffic that will crash the servers, overwhelm the routers or otherwise prevent the network's devices from functioning properly. Denial of service can be accomplished by tying up the server's resources, for example, by overwhelming the CPU and memory resources. In other cases, a particular user/machine can be the target of denial of service attacks that hang up the client machine and require it to be rebooted.
Note: Denial of service attacks are sometimes referred to in the security community as 'nuke attacks.'
Distributed Denial of Service attacks
Distributed DoS (DDoS) attacks use intermediary computers called agents on which programs called zombies have previously been surreptitiously installed. The hacker activates these zombie programs remotely, causing the intermediary computers (which can number in the hundreds or even thousands) to simultaneously launch the actual attack. Because the attack comes from the computers running the zombie programs, which may be on networks anywhere in the world, the hacker is able to conceal the true origin of the attack.
Examples of DDoS tools used by hackers are TFN (Tribe FloodNet), TFN2K, Trinoo, and Stacheldraht (German for 'barbed wire'). While early versions of DDoS tools targeted UNIX and Solaris systems, TFN2K can run on both UNIX and Windows systems.
It is important to note that DDoS attacks pose a two-layer threat. Not only could your network be the target of a DoS attack that crashes your servers and prevents incoming and outgoing traffic, but your computers could be used as the 'innocent middle men' to launch a DoS attack against another network or site.
DNS DoS attack
The Domain Name System (DNS) DoS attack exploits the difference in size between a DNS query and a DNS response: the network's bandwidth is tied up by the responses to bogus DNS queries. The attacker uses the DNS servers as 'amplifiers' to multiply the DNS traffic. The attacker begins by sending small DNS queries to each DNS server; these queries contain the spoofed IP address (see IP Spoofing later in this chapter) of the intended victim. The responses returned to the small queries are much larger in size, so that if a large number of responses are returned at the same time, the link will become congested and denial of service will take place. One solution to this problem is for administrators to configure DNS servers to respond with a 'refused' response, which is much smaller in size than a name resolution response, when they receive DNS queries from suspicious or unexpected sources.
SYN attack/LAND attack
Synchronization request (SYN) attacks exploit the Transmission Control Protocol (TCP) 'three-way handshake,' the process by which a communications session is established between two computers. Because TCP, unlike User Datagram Protocol (UDP), is connection-oriented, a session, or direct one-to-one communication link, must be created before sending data. The client computer initiates communication with the server (the computer whose resources it wants to access).
The 'handshake' includes the following steps:
The client machine sends a SYN segment.
The server sends an acknowledgement (ACK) message and a SYN, which acknowledges the client machine's request that was sent in step 1 and sends the client a synchronization request of its own. The client and server machines must synchronize each other's sequence numbers.
The client sends an ACK back to the server, acknowledging the server's request for synchronization. When both machines have acknowledged each other's requests, the handshake has been successfully completed and a connection is established between the two computers.
Figure A.4 illustrates how the client/server connection works.
Figure A.4 TCP uses a 'three-way handshake' to establish a connection between client and server
This is how the process normally works. A SYN attack uses this process to flood the system targeted with multiple SYN packets that have bad source IP addresses, which causes the system to respond with SYN/ACK messages. The problem comes when the system, waiting for the ACK message, puts the waiting SYN/ACK messages into a queue. The queue is limited in the number of messages it can handle, and when it is full, all subsequent incoming SYN packets will be ignored. In order for a SYN/ACK to be removed from the queue, an ACK must be returned from the client, or the interval timer must run out and terminate the three-way handshake process.
Because the source IP addresses for the SYN packets sent by the attacker are no good, the ACKs that the server is waiting for never come. The queue stays full, and there is no room for valid SYN requests to be processed. Thus service is denied to legitimate clients attempting to establish communications with the server.
The LAND attack is a variation on the SYN attack. In the LAND attack, instead of sending SYN packets with IP addresses that do not exist, the flood of SYN packets all have the same spoofed IP address-that of the targeted computer. The LAND attack can be prevented by filtering out incoming packets whose source IP addresses appear to be from computers on the internal network. ISA Server has preset intrusion detection functionality that allows you to detect attempted LAND attacks, and you can configure Alerts to notify you when such an attack is detected.
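The queue behaviour described above can be seen in a small simulation. This is an added example, not code from the book or from ISA Server: it models the half-open connection queue, its timer, and the effect of SYN packets whose source addresses never answer. The backlog size, timeout and addresses are constructed values chosen so the effect is easy to see.

```python
"""Simulation of a TCP listener's SYN backlog under a SYN flood (added example)."""
from dataclasses import dataclass, field
from typing import Dict, Tuple


@dataclass
class HalfOpen:
    client: str
    port: int
    expires_at: float  # simulated time at which the SYN/ACK timer gives up


@dataclass
class Listener:
    backlog_size: int = 5      # deliberately small queue (constructed value)
    timeout: float = 75.0      # seconds a SYN/ACK waits for the client's ACK
    queue: Dict[Tuple[str, int], HalfOpen] = field(default_factory=dict)
    established: int = 0
    dropped: int = 0

    def expire(self, now: float) -> None:
        """The interval timer: discard half-open entries whose ACK never came."""
        for key in [k for k, e in self.queue.items() if e.expires_at <= now]:
            del self.queue[key]

    def on_syn(self, client: str, port: int, now: float) -> bool:
        """Step 1 arrives. True if a SYN/ACK was queued, False if the SYN was ignored."""
        self.expire(now)
        if len(self.queue) >= self.backlog_size:
            self.dropped += 1          # queue full: the SYN is silently ignored
            return False
        self.queue[(client, port)] = HalfOpen(client, port, now + self.timeout)
        return True

    def on_ack(self, client: str, port: int, now: float) -> bool:
        """Step 3 arrives: complete the handshake if a matching half-open entry exists."""
        self.expire(now)
        if self.queue.pop((client, port), None) is None:
            return False
        self.established += 1
        return True


def simulate_flood(spoofed_syns: int, backlog_size: int = 5, timeout: float = 75.0) -> dict:
    """Flood with SYNs from unanswering sources, then try a legitimate handshake
    while the queue is full and again after the timer has purged it."""
    srv = Listener(backlog_size=backlog_size, timeout=timeout)
    # Sources in 203.0.113.0/24 (documentation range) stand in for addresses that never ACK.
    for i in range(spoofed_syns):
        srv.on_syn(f"203.0.113.{i % 250}", 40000 + i, now=0.0)
    during = srv.on_syn("198.51.100.7", 51000, now=1.0)
    if during:
        srv.on_ack("198.51.100.7", 51000, now=1.1)
    after = srv.on_syn("198.51.100.7", 51001, now=timeout + 1.0)
    if after:
        srv.on_ack("198.51.100.7", 51001, now=timeout + 1.1)
    return {"served_during_flood": during, "served_after_timeout": after,
            "established": srv.established, "syns_dropped": srv.dropped}


if __name__ == "__main__":
    print(simulate_flood(spoofed_syns=20))
```

With 20 spoofed SYNs against a backlog of 5, the legitimate client is refused until the 75-second timer purges the stale entries; with only 3 spoofed SYNs it is served immediately.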
Ping of Death
Another type of DoS attack that ISA Server can be set to specifically detect is the so-called 'Ping of Death' (also known as the 'large packet ping'). The Ping of Death attack is launched by creating an IP packet larger than 65,536 bytes, which is the maximum allowed by the IP specification (this is sometimes referred to as a 'killer packet'). This can cause the target system to crash, hang or reboot.
Although newer operating systems are generally not vulnerable to this type of attack, many companies still have older operating systems deployed against which the Ping of Death can be used.
ISA allows you to specifically enable detection of Ping of Death attacks.
Teardrop
The teardrop attack works a little differently from the Ping of Death, but with similar results. The teardrop program creates IP fragments, which are pieces of an IP packet into which an original packet can be divided as it travels through the Internet. The problem is that the offset fields on these fragments, which are supposed to indicate the portion (in bytes) of the original packet that is contained in the fragment, overlap.
For example, normally two fragments' offset fields might appear as shown below:
Fragment 1: (offset) 100-300
Fragment 2: (offset) 301-600
This indicates that the first fragment contains bytes 100 through 300 of the original packet, and the second fragment contains bytes 301 through 600.
Overlapping offset fields would appear something like this:
Fragment 1: (offset) 100-300
Fragment 2: (offset) 200-400
When the destination computer tries to reassemble these packets, it is unable to do so and may crash, hang or reboot.
Variations include:
NewTear
Teardrop2
SynDrop
Boink
All of these programs generate some sort of fragment overlap.
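A reassembler that refuses overlapping fragments instead of trying to merge them is the defensive counterpart to the examples above. This is an added example, not code from the book: fragments are represented as (first byte, last byte, payload) tuples using the inclusive byte ranges the text uses, and the payload contents are constructed.

```python
"""Fragment reassembly that rejects the overlapping offsets of a teardrop (added example)."""


class FragmentOverlap(ValueError):
    """Raised when a fragment's byte range overlaps data already received."""


def check_fragments(fragments):
    """Return the fragments sorted by offset, or raise on overlap or bad length.

    A fragment whose payload length disagrees with its stated range is rejected
    too, since a crafted fragment can confuse a reassembler that way as well.
    """
    ordered = sorted(fragments, key=lambda f: f[0])
    previous_end = -1  # last byte covered so far
    for first, last, payload in ordered:
        if last < first or len(payload) != last - first + 1:
            raise ValueError(f"fragment {first}-{last} does not match its payload length")
        if first <= previous_end:
            raise FragmentOverlap(
                f"fragment {first}-{last} overlaps data already covered up to byte {previous_end}")
        previous_end = last
    return ordered


def reassemble(fragments, total_length=None):
    """Reassemble validated, non-overlapping fragments into one bytes object.

    Gaps between fragments are left as zero bytes so a partially received
    datagram is still representable; overlapping input never reaches this step.
    """
    ordered = check_fragments(fragments)
    end = total_length if total_length is not None else ordered[-1][1] + 1
    buf = bytearray(end)
    for first, last, payload in ordered:
        buf[first:last + 1] = payload
    return bytes(buf)


def fragment(first, last, fill):
    """Build a constructed fragment whose payload is `fill` repeated over the range."""
    return (first, last, fill * (last - first + 1))


# The two fragment pairs from the text, as constructed sample input.
NORMAL = [fragment(100, 300, b"a"), fragment(301, 600, b"b")]
TEARDROP = [fragment(100, 300, b"a"), fragment(200, 400, b"b")]


def is_teardrop_like(fragments):
    """True when the fragment set contains an overlap, the signature shared by
    teardrop and its variants."""
    try:
        check_fragments(fragments)
    except FragmentOverlap:
        return True
    return False


if __name__ == "__main__":
    print(len(reassemble(NORMAL)), "bytes reassembled from the normal pair")
    print("teardrop pair overlaps:", is_teardrop_like(TEARDROP))
```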
Ping Flood (ICMP flood)
The ping flood or ICMP flood is a means of tying up a specific client machine. It is caused by an attacker sending a large number of ping packets (ICMP echo request packets) to the Winsock or dialer software. This prevents it from responding to server ping activity requests, which causes the server to eventually time out the connection. A symptom of a ping flood is a huge amount of modem activity, as indicated by the modem lights. This is also referred to as a ping storm.
The fraggle attack is related to the ping storm. Using a spoofed IP address (which is the address of the targeted victim), an attacker sends ping packets to a subnet, causing all computers on the subnet to respond to the spoofed address and flood it with echo reply messages.
Note: During the Kosovo crisis, the fraggle attack was frequently used by pro-Serbian hackers against U.S. and NATO sites to overload them and bring them down.
You can use programs such as NetXray or other IP tracing software to record and display a log of the flood packets. Firewalls can be configured to block ping packets to prevent these attacks.
SMURF attack
The Smurf attack is a form of 'brute force' attack that uses the same method as the ping flood, but directs the flood of ICMP echo request packets at the network's router. The destination address of the ping packets is the broadcast address of the network, which causes the router to broadcast the packet to every computer on the network or segment. This can result in a very large amount of network traffic if there are many host computers, which can create congestion that causes a denial of service to legitimate users.
Note: The broadcast address is normally represented by all 1s in the host ID. This means, for example, that on class C network 192.168.1.0, the broadcast address would be 192.168.1.255 (255 in decimal represents 11111111 in binary), and in a class C network, the last or z octet represents the host ID. A message sent to the broadcast address is sent simultaneously to all hosts on the network.
In its most insidious form, the Smurf attacker spoofs the source IP address of a ping packet. Then both the network to which the packets are sent and the network of the spoofed source IP address will be overwhelmed with traffic. The network to which the spoofed source address belongs will be deluged with responses to the ping when all the hosts to which the ping was sent answer the echo request with an echo reply.
Smurf attacks can generally do more damage than other forms of DoS, such as SYN floods. The SYN flood affects only the ability of other computers to establish a TCP connection to the flooded server, but a Smurf attack can bring an entire ISP down for minutes or hours. This is because a single attacker can easily send 40-50 ping packets per second, even using a slow modem connection. Because each is broadcast to every computer on the destination network, that means the number of responses per second is 40-50 times the number of computers on the network-which could be hundreds or thousands. This is enough data to congest even a T-1 link.
One way to prevent a Smurf attack from using your network as the broadcast target is to turn off the capability to transmit broadcast traffic on the router. Most routers allow you to do this. To prevent your network from being the victim of the spoofed IP address, you will need to configure your firewall to filter out incoming ping packets.
UDP bomb or UDP flood
An attacker can use the UDP and one of several services that echo packets upon receipt to create service-denying network congestion by generating a flood of UDP packets between two target systems. For example, the UDP chargen service on the first computer, which is a testing tool that generates a series of characters for every packet that it receives, sends packets to another system's UDP echo service, which echoes every character it receives. By exploiting these testing tools, an endless flow of echoes goes back and forth between the two systems, congesting the network. This is sometimes called a UDP packet storm.
In addition to port 7, the echo port, an attacker can use port 17, the quote of the day service (qotd), or the daytime service on port 13. These services will also echo packets they receive. UDP chargen is on port 19. Disabling unnecessary UDP services on each computer (especially those mentioned above) or using a firewall to filter those ports/services will protect you from this type of attack.
UDP Snork attack
The snork attack is similar to the UDP bomb. It uses a UDP frame that has a source port of either 7 (echo) or 9 (chargen), with a destination port of 135 (Microsoft location service). The result is the same as the UDP bomb-a flood of unnecessary transmissions that can slow performance or crash the systems that are involved.
WinNuke (Windows out-of-band attack)
The out-of-band (OOB) attack is one that exploits a vulnerability in Microsoft networks, which is sometimes called the Windows OOB bug. The WinNuke program (and variations such as Sinnerz and Muerte) creates an out-of-band data transmission that crashes the machine to which it is sent. It works like this: a TCP/IP connection is established with the target IP address, using port 139 (the NetBIOS port). Then the program sends data using a flag called MSG_OOB (or Urgent) in the packet header. This flag instructs the computer's Winsock to send data called out-of-band data. Upon receipt, the targeted Windows server expects a pointer to the position in the packet where the Urgent data ends, with normal data following, but the OOB pointer in the packet created by WinNuke points to the end of the frame with no data following. The Windows machine does not know how to handle this situation and will cease communicating on the network, and service will be denied to any users who subsequently attempt to communicate with it. A WinNuke attack usually requires a reboot of the affected system to reestablish network communications.
Windows 95 and NT 3.51 and 4.0 are vulnerable to the WinNuke exploit, unless the fixes provided by Microsoft have been installed. Windows 98/ME and Windows 2000 are not vulnerable to WinNuke, but ISA Server allows you to enable detection of attempted OOB attacks.
Mail bomb attack
A mail bomb is a means of overwhelming a mail server, causing it to stop functioning and thus denying service to users. A mail bomb is a relatively simple form of attack, accomplished by sending a massive quantity of email to a specific user or system. There are programs available on hacking sites on the Internet that allow a user to easily launch a mail bomb attack, automatically sending floods of email to a specified address while protecting the attacker's identity. A variation on the mail bomb program automatically subscribes a targeted user to hundreds or thousands of high volume Internet mailing lists, which will fill the user's mailbox and/or the mail server. Bombers call this list linking. Examples of these mail bomb programs include Unabomber, extreme Mail, Avalanche, and Kaboom.
The solution to repeated mail bomb attacks is to block traffic from the originating network using packet filters. Unfortunately, this does not work with list linking because the originator's address is obscured; the deluge of traffic comes from the mailing lists to which the victim has been subscribed.
Scanning and Spoofing
The term scanner, in the context of network security, refers to a software program that is used by hackers to remotely determine what TCP/UDP ports are open on a given system, and thus vulnerable to attack. Administrators also use scanners to detect and correct vulnerabilities in their own systems before an intruder finds them. Network diagnostic tools such as the famous Security Administrator's Tool for Analyzing Networks (SATAN), a UNIX utility, include sophisticated port scanning capabilities.
A good scanning program can locate a target computer on the Internet (one that is vulnerable to attack), determine what TCP/IP services are running on the machine, and probe those services for security weaknesses.
Note: A common saying among hackers is: a good port scanner is worth a thousand passwords.
Many scanning programs are available as freeware on the Internet.
Port scan
Port scanning refers to a means of locating 'listening' TCP or UDP ports on a computer or router and obtaining as much information as possible about the device from the listening ports. TCP and UDP services and applications use a number of well-known ports, which are widely published. The hacker uses his knowledge of these commonly used ports to extrapolate information.
For example, Telnet normally uses port 23. If the hacker finds that port open and listening, he knows that Telnet is probably enabled on the machine. He can then try to infiltrate the system, for example by guessing the appropriate password in a brute force attack.
The official well-known port assignments are documented in RFC 1700, available on the web at www.freesoft.org/CIE/RFC/1700/index. The port assignments are made by the Internet Assigned Numbers Authority (IANA). In general, a service will use the same port number with UDP as with TCP, although there are some exceptions. The assigned ports were originally those from 0-255, but the number was later expanded to 0-1023.
Some of the most used well-known ports include:
TCP/UDP port 20: FTP (data)
TCP/UDP port 21: FTP (control)
TCP/UDP port 23: Telnet
TCP/UDP port 25: SMTP
TCP/UDP port 53: DNS
TCP/UDP port 67: BOOTP server
TCP/UDP port 68: BOOTP client
TCP/UDP port 69: TFTP
TCP/UDP port 80: HTTP
TCP/UDP port 88: Kerberos
TCP/UDP port 110: POP3
TCP/UDP port 119: NNTP
TCP/UDP port 137: NetBIOS name service
TCP/UDP port 138: NetBIOS datagram service
TCP/UDP port 139: NetBIOS session service
TCP/UDP port 194: IRC
TCP/UDP port 220: IMAPv3
TCP/UDP port 389: LDAP
Ports 1024-65,535 are called registered ports; these numbers are not controlled by IANA and can be used by user processes or applications.
There are a total of 65,535 TCP ports (and the same number of UDP ports) used for various services and applications. If a port is open, it will respond when another computer attempts to contact it over the network. Port scanning programs such as Nmap are used to determine which ports are open on a particular machine. The program sends packets for a wide variety of protocols and, by examining which messages receive responses and which don't, creates a map of the computer's listening ports.
Port scanning in itself does no harm to your network or system, but it provides hackers with information they can use to penetrate the network.
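Because a scan shows up as one source touching many ports on one host in a short time, it is easy to spot in firewall logs. The following detector is an added example, not code from the book or from ISA Server: it parses a constructed log format (time, action, src, dst, dport), flags any source/destination pair that probes at least five distinct ports within ten seconds, and labels the ports that answered using the well-known port table above. The threshold and window are tunable assumptions.

```python
"""Port-scan detection over constructed firewall log lines (added example)."""
import re
from collections import defaultdict

# Constructed sample log: one scanner probing seven ports, one ordinary web client.
SAMPLE_LOG = """\
12:00:01 DROP   src=203.0.113.9 dst=192.0.2.10 dport=21
12:00:01 DROP   src=203.0.113.9 dst=192.0.2.10 dport=22
12:00:02 ACCEPT src=203.0.113.9 dst=192.0.2.10 dport=23
12:00:02 DROP   src=203.0.113.9 dst=192.0.2.10 dport=25
12:00:02 ACCEPT src=203.0.113.9 dst=192.0.2.10 dport=80
12:00:03 DROP   src=203.0.113.9 dst=192.0.2.10 dport=110
12:00:03 DROP   src=203.0.113.9 dst=192.0.2.10 dport=139
12:00:03 ACCEPT src=198.51.100.4 dst=192.0.2.10 dport=80
12:00:04 ACCEPT src=198.51.100.4 dst=192.0.2.10 dport=80
12:00:05 ACCEPT src=198.51.100.4 dst=192.0.2.10 dport=443
"""

LINE_RE = re.compile(
    r"^(?P<time>\d\d:\d\d:\d\d)\s+(?P<action>\w+)\s+src=(?P<src>[\d.]+)\s+"
    r"dst=(?P<dst>[\d.]+)\s+dport=(?P<dport>\d+)$")

# A subset of the well-known ports listed in the text, used to name exposed services.
WELL_KNOWN = {21: "FTP", 23: "Telnet", 25: "SMTP", 80: "HTTP", 110: "POP3",
              139: "NetBIOS session"}


def parse_log(text):
    """Turn log lines into event dicts; lines that do not match the format are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        h, mi, s = (int(x) for x in m["time"].split(":"))
        events.append({"t": h * 3600 + mi * 60 + s, "action": m["action"],
                       "src": m["src"], "dst": m["dst"], "dport": int(m["dport"])})
    return events


def detect_scans(events, min_ports=5, window=10):
    """Flag (src, dst) pairs probing >= min_ports distinct ports within `window` seconds.

    A sliding window over each pair's time-sorted events means a slow trickle
    of probes spread over minutes is not reported; the widest qualifying window
    is kept so the alert reflects the full extent of the scan.
    """
    by_pair = defaultdict(list)
    for e in events:
        by_pair[(e["src"], e["dst"])].append(e)
    alerts = {}
    for pair, evs in by_pair.items():
        evs.sort(key=lambda e: e["t"])
        best = None
        lo = 0
        for hi in range(len(evs)):
            while evs[hi]["t"] - evs[lo]["t"] > window:
                lo += 1
            window_events = evs[lo:hi + 1]
            ports = {e["dport"] for e in window_events}
            if len(ports) >= min_ports and (best is None or len(ports) > best["distinct_ports"]):
                # Ports that answered are what the scanner learned about the host.
                answered = sorted({e["dport"] for e in window_events if e["action"] == "ACCEPT"})
                best = {"distinct_ports": len(ports),
                        "services_exposed": [WELL_KNOWN.get(p, str(p)) for p in answered]}
        if best is not None:
            alerts[pair] = best
    return alerts


if __name__ == "__main__":
    for (src, dst), info in detect_scans(parse_log(SAMPLE_LOG)).items():
        print(f"possible port scan from {src} against {dst}: {info}")
```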
IP half scan attack
'Half scans' (also called 'half open scans' or FIN scans) attempt to avoid detection by sending only initial or final packets, rather than establishing a connection. A half scan starts the SYN/ACK process with a targeted computer, but does not complete it. Software that conducts half scans, such as Jakal, is called a stealth scanner.
Many port scanning detectors are unable to detect half scans; however, ISA Server provides IP half scan as part of its intrusion detection.
IP Spoofing
IP spoofing involves changing the packet headers of a message to indicate that it came from an IP address other than the true source. The spoofed address is normally that of a trusted host, which allows a hacker to get a message through a firewall or router that would otherwise be filtered out. Modern firewalls protect against IP spoofing.
Spoofing is used whenever it is beneficial for one machine to impersonate another. It is often used in combination with one of the other types of attacks. For example, a spoofed address is used in the SYN flood attack to create a 'half open' connection, in which the client never responds to the SYN/ACK message because the spoofed address is that of a computer that is down or doesn't exist. Spoofing is also used to hide the true IP address of the attacker in Ping of Death, Teardrop and other attacks.
IP spoofing can be prevented by using Source Address Verification on your router, if it is supported.
Source Routing attack
TCP/IP supports source routing, a means that permits the sender of network data to route packets through a specific point on the network. There are two types of source routing:
Strict source routing: the sender of the data can specify the exact route (rarely used).
Loose source record route (LSRR): the sender can specify certain routers (hops) through which the packet must pass.
The source route is an option in the IP header that allows a sender to override routing decisions normally made by routers between the source and destination machines. Source routing is used by network administrators to map the network, or for troubleshooting routing and communications problems. It can also be used to force traffic through the route that will provide the best performance. Unfortunately, source routing can be exploited by hackers.
If the system allows source routing, an intruder can use it to reach private internal addresses on the LAN that normally would not be reachable from the Internet, by routing the traffic through another machine that is reachable from both the Internet and the internal machine.
Source routing can be disabled on most routers to prevent this type of attack.
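The perimeter mitigations named in this chapter for the LAND attack, the Smurf attack, IP spoofing (source address verification) and source routing all reduce to checks on the headers of packets arriving on the external interface. The filter below is an added example, not code from the book or from ISA Server, that expresses those checks in one place; the Packet class and the INTERNAL prefix are constructed, and a real firewall exposes the same checks as rule options rather than code.

```python
"""Ingress filter covering LAND, Smurf, IP spoofing and source routing (added example)."""
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

# Assumed protected network behind the firewall (constructed).
INTERNAL = ipaddress.ip_network("192.168.1.0/24")


@dataclass
class Packet:
    src: str
    dst: str
    proto: str                       # "tcp", "udp" or "icmp"
    icmp_type: Optional[int] = None  # 8 = echo request ("ping")
    source_route: bool = False       # a strict or loose source-route IP option is present


def broadcast_address(net: ipaddress.IPv4Network) -> ipaddress.IPv4Address:
    """Directed broadcast address: host bits all set to 1, for any prefix length.

    Generalises the Note's 192.168.1.0 -> 192.168.1.255 rule beyond class C
    masks (ipaddress exposes the same value as net.broadcast_address).
    """
    host_bits = ~int(net.netmask) & 0xFFFFFFFF
    return ipaddress.IPv4Address(int(net.network_address) | host_bits)


def broadcast_of(cidr: str) -> str:
    """Convenience wrapper: broadcast address of a network given in CIDR notation."""
    return str(broadcast_address(ipaddress.ip_network(cidr)))


def classify_inbound(pkt: Packet, internal=INTERNAL, block_all_echo=False) -> Tuple[str, str]:
    """Return (verdict, reason) for a packet arriving on the external interface."""
    src = ipaddress.ip_address(pkt.src)
    dst = ipaddress.ip_address(pkt.dst)
    if src == dst:
        return "DROP", "source equals destination (LAND)"
    if src in internal:
        # Source address verification: nothing from outside may claim an inside source.
        return "DROP", "external packet with internal source address (spoofing)"
    if pkt.source_route:
        return "DROP", "source-routed packet"
    is_echo = pkt.proto == "icmp" and pkt.icmp_type == 8
    if is_echo and dst == broadcast_address(internal):
        return "DROP", "echo request to directed broadcast (Smurf amplifier)"
    if is_echo and block_all_echo:
        # The stricter policy from the Smurf section: refuse inbound ping entirely.
        return "DROP", "inbound echo request blocked by policy"
    return "ACCEPT", "no filter matched"


def filter_packets(packets, **policy):
    """Apply classify_inbound to a batch; returns a list of (packet, verdict, reason)."""
    return [(p, *classify_inbound(p, **policy)) for p in packets]


if __name__ == "__main__":
    samples = [
        Packet("192.168.1.10", "192.168.1.10", "tcp"),
        Packet("203.0.113.5", "192.168.1.255", "icmp", icmp_type=8),
        Packet("203.0.113.5", "192.168.1.10", "tcp", source_route=True),
        Packet("203.0.113.5", "192.168.1.10", "tcp"),
    ]
    for pkt, verdict, reason in filter_packets(samples):
        print(f"{pkt.src} -> {pkt.dst}: {verdict} ({reason})")
```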
Other protocol exploits
The attacks we have discussed so far involve exploiting some feature or weakness of the TCP/IP protocols. Hackers can also exploit vulnerabilities in other widely used protocols and interfaces, such as Hypertext Transfer Protocol (HTTP), Domain Name System (DNS) and Common Gateway Interface (CGI).

ActiveX controls, JavaScript, and VBScript can be used to add animations or applets to web sites, but hackers can exploit these to write controls or scripts that allow them to remotely plant viruses, access data, or change or delete files on the hard disk of unaware users who visit the page and run the script. Many e-mail client programs have similar vulnerabilities.
System and software exploits
System and software exploits are those that take advantage of weaknesses of particular operating systems and applications (often called bugs). Like protocol exploits, they are used by intruders to gain unauthorized access to computers or networks or to crash or clog up the systems to deny service to others.

Common 'bugs' can be categorized as follows:
Buffer overflows Many common security holes are based on buffer overflow problems. Buffer overflows occur when the number of bytes or characters input exceeds the maximum number allowed by the programmer in writing the program.
Unexpected input Programmers may not take steps to define what happens if invalid input (input that doesn't match program specifications) is entered. This could cause the program to crash or open up a way into the system.
System configuration bugs These are not really 'bugs,' per se, but rather are ways of configuring the operating system or software that leaves it vulnerable to penetration.
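The first two categories, buffer overflows and unexpected input, usually appear together in the same few lines of code. The following is an added example (not code from the original text) showing a routine that copies a user-supplied name into a fixed-size field in the vulnerable form, beside a hardened replacement that bounds the length before copying and rejects input that does not match what the program expects. The 16-byte field, the allowed character set and the function names are assumptions made for the illustration.

```c
/* The two programming bugs named above in the shape they take in C, shown as
 * a vulnerable routine beside its hardened replacement. Added example, not
 * code from the original text; the 16-byte username field, the allowed
 * character set and the function names are assumptions for the illustration. */
#include <stdio.h>
#include <string.h>
#include <ctype.h>

#define NAME_MAX 16   /* room the programmer allowed: 15 characters plus NUL */

/* Buffer overflow: strcpy stops only at the input's NUL terminator, so any
 * input of NAME_MAX or more characters writes past the end of 'name'. */
void store_name_unsafe(char name[NAME_MAX], const char *input) {
    strcpy(name, input);
}

/* Hardened: the length is bounded before any copy, and the content is
 * checked against what the program actually expects. Unexpected input is
 * rejected with an error instead of being passed on to the rest of the
 * program. Returns 0 on success, -1 on rejection. */
int store_name_safe(char name[NAME_MAX], const char *input) {
    size_t n = 0;
    while (n < NAME_MAX && input[n] != '\0') n++;   /* bounded scan, never past the field size */
    if (n == 0 || n >= NAME_MAX) return -1;         /* empty, or too long to fit with its NUL */
    for (size_t i = 0; i < n; i++) {
        unsigned char c = (unsigned char)input[i];
        if (!isalnum(c) && c != '_' && c != '-') return -1;  /* not in the allowed set */
    }
    memcpy(name, input, n);
    name[n] = '\0';
    return 0;
}

/* Convenience wrapper so a caller (or a test) can judge an input without
 * managing the field itself. */
int accept_name(const char *input) {
    char name[NAME_MAX];
    return store_name_safe(name, input);
}

int main(void) {
    const char *inputs[] = {
        "alice",                            /* valid */
        "this_name_is_far_too_long_to_fit", /* would overflow the unsafe version */
        "bob;x",                            /* characters the program did not expect */
        "",                                 /* empty */
    };
    for (size_t i = 0; i < sizeof inputs / sizeof inputs[0]; i++)
        printf("%-36s -> %s\n", inputs[i],
               accept_name(inputs[i]) == 0 ? "accepted" : "rejected");
    return 0;
}
```

The hardened version never calls the unsafe one and never reads past NAME_MAX bytes of the input, so an overlong input is an error code rather than a corrupted stack. Deciding up front what valid input looks like (here: 1 to 15 characters from a small set) is what turns the 'unexpected input' category from an open question into a simple reject.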
Popular software such as Microsoft's Internet Information Server (IIS), Internet Explorer (MSIE) and Outlook Express (MSOE) is a popular target of hackers looking for software security holes that can be exploited.

Major operating system and software vendors regularly release security patches to fix exploitable bugs. It is very important for network administrators to stay up to date in applying these fixes and/or service packs to ensure that their systems are as secure as possible.
Note: Microsoft issues security bulletins and makes security patches available as part of TechNet. See the website at www.microsoft.com/technet/security/default.asp.
Trojans, viruses and worms
Intruders who access your systems without authorization or inside attackers with malicious motives may plant various types of programs to cause damage to your network. There are three broad categories of malicious code, as follows:
Trojans
Viruses
Worms
We will take a brief look at each of these attack types.
Trojans
The name is short for 'Trojan horse,' and refers to a software program that appears to perform a useful function, but in fact performs actions that the user of the program did not intend or was not aware of. Trojan horses are often written by hackers to circumvent the security of a system. Once the Trojan is installed, the hacker can exploit the security holes created by the Trojan to gain unauthorized access, or the Trojan program may perform some action such as:
Deleting or modifying files
Transmitting files across the network to the intruder
Installing other programs or viruses
Basically, the Trojan can perform any action that the user has privileges and permissions to do on the system. This means a Trojan is especially dangerous if the unsuspecting user who installs it is an administrator and has access to the system files. Trojans can be very cleverly disguised as innocuous programs, such as utilities or screensavers. A Trojan can also be installed by an executable script (JavaScript, a Java applet, an ActiveX control, and others) on a web site. Accessing the site may initiate the installation of the program if the web browser is configured to allow scripts to run automatically.
Viruses
The most common use of the term 'virus' is any program that is installed without the awareness of the user and performs undesired actions (often harmful, although sometimes merely annoying). Viruses may also replicate themselves, infecting other systems by writing themselves to any floppy disk that is used in the computer or sending themselves across the network. Viruses are often distributed as attachments to e-mail, or as macros in word processing documents. Some activate immediately upon installation, and others lie dormant until a specific date/time or a particular system event triggers them.

Viruses come in thousands of different varieties. They can do anything from popping up a message that says 'Hi!' to erasing the computer's entire hard disk. The proliferation of computer viruses has also led to the phenomenon of the virus hoax, which is a warning, generally circulated via e-mail or websites, about a virus that does not exist or that does not do what the warning claims it will do.

Viruses, however, present a real threat to your network. Companies such as Symantec and McAfee make anti-virus software that is aimed at detecting and removing virus programs. Because new viruses are being created daily, it is important to download new virus definition files, which contain information required to detect each virus type, on a regular basis to ensure that your virus protection stays up to date.
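To make concrete what a virus definition file contains and why it must be kept current, the following is an added example (not code from the original text, and not how any named vendor's product works) of the simplest form of signature scanning: each definition pairs a name with a byte pattern, the scanner searches the data for each pattern, and a sample whose pattern is missing from the loaded set is reported clean until the definitions are updated. The DEMO.* patterns and the sample files are constructed for the illustration; the EICAR entry is the public anti-virus test string, which is harmless by design.

```c
/* How virus definitions are used by a scanner: each definition pairs a name
 * with a byte pattern, the scanner looks for the pattern in the data, and a
 * sample whose pattern is not in the loaded set goes undetected until the
 * definitions are updated. Added example, not code from the original text.
 * The DEMO.* patterns and samples are constructed; the EICAR entry is the
 * public anti-virus test string, which is harmless by design. */
#include <stddef.h>
#include <string.h>
#include <stdio.h>

struct definition {
    const char *name;
    const unsigned char *pattern;
    size_t len;
};

static const unsigned char EICAR[] =
    "X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*";
static const unsigned char MARKER_A[] = { 0xDE, 0xAD, 0xBE, 0xEF, 0x01, 0x02 };
static const unsigned char MARKER_B[] = { 0xCA, 0xFE, 0xF0, 0x0D, 0x03, 0x04 };

/* Version 1 of the definition file knows two patterns ... */
static const struct definition DEFS_V1[] = {
    { "EICAR-Test-File", EICAR,    sizeof EICAR - 1 },
    { "DEMO.Marker.A",   MARKER_A, sizeof MARKER_A },
};
/* ... and the updated version 2 adds a third. */
static const struct definition DEFS_V2[] = {
    { "EICAR-Test-File", EICAR,    sizeof EICAR - 1 },
    { "DEMO.Marker.A",   MARKER_A, sizeof MARKER_A },
    { "DEMO.Marker.B",   MARKER_B, sizeof MARKER_B },
};

/* Plain byte-string search; real scanners use much faster multi-pattern
 * matching, but the decision logic is the same. */
static int contains(const unsigned char *data, size_t n,
                    const unsigned char *pat, size_t m) {
    if (m == 0 || m > n) return 0;
    for (size_t i = 0; i + m <= n; i++)
        if (memcmp(data + i, pat, m) == 0) return 1;
    return 0;
}

/* Returns the name of the first definition matched in 'data', or NULL. */
const char *scan(const unsigned char *data, size_t n,
                 const struct definition *defs, size_t ndefs) {
    for (size_t i = 0; i < ndefs; i++)
        if (contains(data, n, defs[i].pattern, defs[i].len)) return defs[i].name;
    return NULL;
}

/* Scan with definition file version 1 or 2 (any other version: no defs). */
const char *scan_with_version(const unsigned char *data, size_t n, int version) {
    if (version == 1) return scan(data, n, DEFS_V1, sizeof DEFS_V1 / sizeof DEFS_V1[0]);
    if (version == 2) return scan(data, n, DEFS_V2, sizeof DEFS_V2 / sizeof DEFS_V2[0]);
    return NULL;
}

/* Constructed samples: a clean file, one carrying Marker.A inside other
 * bytes, and one carrying Marker.B (new, so unknown to version 1). */
const unsigned char SAMPLE_CLEAN[] = "just an ordinary document";
const unsigned char SAMPLE_A[] = { 'M', 'Z', 0x90, 0x00, 0xDE, 0xAD, 0xBE, 0xEF, 0x01, 0x02, 0x55 };
const unsigned char SAMPLE_B[] = { 'M', 'Z', 0x90, 0x00, 0xCA, 0xFE, 0xF0, 0x0D, 0x03, 0x04, 0x55 };

int main(void) {
    const char *r;
    r = scan_with_version(SAMPLE_B, sizeof SAMPLE_B, 1);
    printf("sample B with definitions v1: %s\n", r ? r : "clean (missed!)");
    r = scan_with_version(SAMPLE_B, sizeof SAMPLE_B, 2);
    printf("sample B with definitions v2: %s\n", r ? r : "clean");
    r = scan_with_version(EICAR, sizeof EICAR - 1, 2);
    printf("EICAR test string:            %s\n", r ? r : "clean");
    return 0;
}
```

Running it shows the point of the last paragraph directly: the same sample is 'clean' under version 1 of the definitions and detected under version 2, so a scanner is only as good as the definitions loaded into it. The EICAR string is the standard way to confirm that a scanner is installed and active without handling real malicious code.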
Worms
A worm is a program that can travel across the network from one computer to another. Sometimes different parts of a worm run on different computers. Technically, a worm, unlike a virus, can replicate itself without user interaction; however, much modern documentation makes little distinction between the two, or classifies the worm as a subtype of the virus. Worms make multiple copies of themselves and spread throughout a network. Originally the term worm was used to describe code that attacked multiuser systems (networks), while virus was used to describe programs that replicated on individual computers. The primary purpose of the worm is to replicate. These programs were initially used for legitimate purposes in performing network management duties, but their ability to multiply quickly has been exploited by hackers who create malicious worms that replicate wildly, and may also exploit operating system weaknesses and perform other harmful actions.