Hacking the Hackers
For discerning flawed behaviors, he recommended education and the implementation of clear, specific security policies. A security consultant will point out behaviors that put your network at risk—ones an administrator may not even be aware of or will take for granted.
For the more ambitious, Firstbrook said organizations could monitor hacking websites but that approach is generally very time intensive.
“Basically, you should be aware of the common tools that hackers use to attack networks, and you should test your security against them.”
Amol Sarwate, director of Qualys’ Vulnerability Research Lab, does just that. He studies new forms of malware to figure out what holes each threat intends to exploit.
“We often use reverse-engineering tools to analyze various forms of malware, such as Trojans and spyware,” he said.
By doing so, Sarwate is taking a page from the hacker’s playbook. Hackers often use tools like IDA Pro to disassemble applications in search of holes, but a security expert can use this same tool to understand the code behind the malware.
Again, this is probably best left to a third-party security pro, but it’s important to realize that legitimate administrator and developer tools like IDA Pro and Microsoft Windows Resource Kit are often used for ill purposes.
What security vendors such as Qualys attempt to do is discern trends in order to predict where the next class of attacks will come from. Even the most savvy IT pro will be too weighed down by administrative burdens to counter zero-day attacks.
Client Side Attacks
“Today, there’s a growing trend of the client-side attack,” Sarwate said. “They exploit vulnerabilities in client applications like Explorer, Mozilla, or PowerPoint. At a recent Black Hat conference, I attended a presentation about inserting malicious code into JPEGs, which is something security professionals should be very concerned about.”
Malicious code in a JPEG or WMF file sits dormant until executed by a vulnerable client, and often that client, if it’s a laptop or handheld, brings the compromised image file into the network from outside. The malware is in the trusted network already, and traditional tools like firewalls and intrusion detection won’t prevent the attack.
“No matter how you harden your security, if someone hauls an infected laptop into the network, you’re in trouble,” Sarwate said.
Security is a constant arms race. Hackers create a new exploit and security pros respond by developing a new layer of protection. Hackers then look for ways around it.
In the case of client-side attacks, many security vendors are forcing quick virus and configuration scans to run on any device entering the network. From an end-user perspective, these scans may be seen as a time-consuming nuisance but the alternative is a disaster waiting to happen.
Sarwate noted that attacks relying on social engineering are the best way around any form of strong security and until a new security tool emerges with spooky intelligence, the weak link in any network will always be the end user.
Carelessness, lack of knowledge, or even intentional bad behavior can all undermine security. The best you can do is have a workable security plan in place that constantly scans, monitors, and patches your network, and when trouble emerges, gives you ways to lockdown and isolate the attack.
“Enterprises that implement a vulnerability management process will experience 90 percent fewer successful attacks than those that make an equal investment only in intrusion detection systems,” a recent Gartner study found.
All well and good but what keeps conscientious security pros up at night is that other ten percent.