Hacking Your Way to Better Security

By Jeff Vance


When Consumer Reports put anti-virus products to the test last month, they did so with a twist: they created new viruses. The response to this has mostly been negative, with AV and anti-spyware vendors crying foul.

What’s been missed in the hoopla, however, is that Consumer Reports did the right thing. Maybe it’s not ethical to introduce new viruses to the world, but any organization hoping to protect its network from intruders should take a cue from Consumer Reports. When thinking about security, start by thinking like an intruder.

This is not novel advice. Scan the bookshelves of any executive’s office, and chances are you’ll see Sun Tzu’s Art of War. One of its most quoted passages? “Know thy enemy and know thyself, find naught in fear for 100 battles.”

The problem for most security pros is figuring out how to “know” hackers and, conversely, how to know their own weaknesses better than those seeking to exploit them.

Hacking is considered a black art. Hackers spend their lives glued to computers and will eventually come up with some new, unusual method for circumventing security. Hackers don’t think or act like the rest of us. That’s the perception.

The reality is altogether different, according to Eric Schultze, chief security architect at security firm Shavlik Technologies. Most hackers follow predictable patterns and most gravitate to the easiest hacks first.

Security Gaps

“The problem is that security pros assess their vulnerabilities using an administrator’s point of view, instead of thinking like someone trying to crack a network,” Schultze said.

“As an IT administrator, I know that I use the same password across all networks and applications. It makes my job easier. What I forget is that hackers know this and it makes their job easier too. As a hacker, I know that if I crack one password it might be valid system-wide.”

Schultze pointed out some other admin behaviors that undermine security. “If I’m a hacker and I want to guess passwords, who do I go after?”

That’s right, the answer is, again, administrators. And that’s not just because their passwords are the most valuable, but also because they’re often the easiest to crack.

Most users must change their passwords every month or so. Administrators do not. They have the luxury of leaving their passwords in place indefinitely. Better still, from a hacker’s perspective, many administrator accounts don’t have automatic lockout features turned on, meaning that a hacker can try an unlimited number of user-name/password combinations until they hit on the one that lets them in.
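The two admin habits just described, a single password reused across systems and accounts that never lock out, are visible from the defender's side in the authentication log. The following script is an added example, not code from the article, from Shavlik, or from any product; it reads a constructed log (ISO timestamp, outcome, account, source address, a format assumed here for illustration), flags accounts whose failures reach an assumed lockout policy of 5 failures in 15 minutes, notes when a successful logon follows that threshold (a locked account cannot log on, so such a success shows lockout was not enforced), and reports source addresses that hit several accounts, which is what "one cracked password might be valid system-wide" looks like in the log.

```python
"""Flag password guessing against accounts and check whether lockout engaged.

Added example, not part of the original article. The log format is a
constructed, generic one (ISO timestamp, outcome, account, source IP), and the
5-failures-in-15-minutes policy is an assumed value, not a vendor default.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication log (not captured from any real system).
SAMPLE_LOG = """\
2006-09-01T08:00:01 FAIL administrator 10.0.0.5
2006-09-01T08:00:02 FAIL administrator 10.0.0.5
2006-09-01T08:00:03 FAIL administrator 10.0.0.5
2006-09-01T08:00:04 FAIL administrator 10.0.0.5
2006-09-01T08:00:05 FAIL administrator 10.0.0.5
2006-09-01T08:00:06 FAIL administrator 10.0.0.5
2006-09-01T08:00:07 FAIL administrator 10.0.0.5
2006-09-01T08:00:08 OK administrator 10.0.0.5
2006-09-01T08:05:00 FAIL jsmith 10.0.0.9
2006-09-01T08:05:30 OK jsmith 10.0.0.9
2006-09-01T09:00:00 FAIL backupsvc 10.0.0.5
2006-09-01T09:00:01 FAIL backupsvc 10.0.0.5
2006-09-01T09:00:02 FAIL backupsvc 10.0.0.5
2006-09-01T09:00:03 FAIL backupsvc 10.0.0.5
2006-09-01T09:00:04 FAIL backupsvc 10.0.0.5
2006-09-01T09:00:05 FAIL backupsvc 10.0.0.5
"""

# Assumed lockout policy: this many failures inside the window should lock the account.
LOCKOUT_THRESHOLD = 5
LOCKOUT_WINDOW = timedelta(minutes=15)


def parse_log(text):
    """Parse the constructed log into sorted (timestamp, outcome, account, source) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, outcome, account, source = line.split()
        events.append((datetime.fromisoformat(ts), outcome, account, source))
    return sorted(events)


def guessing_findings(text, threshold=LOCKOUT_THRESHOLD, window=LOCKOUT_WINDOW):
    """Return {account: finding} for every account whose failures inside the
    window reached the threshold. A finding records the peak failure count, the
    source addresses involved, and whether a successful logon followed the
    threshold inside the window; a success there means lockout was not enforced."""
    recent = defaultdict(list)  # account -> timestamps of failures still inside the window
    findings = {}
    for ts, outcome, account, source in parse_log(text):
        window_fails = [t for t in recent[account] if ts - t <= window]
        if outcome == "FAIL":
            window_fails.append(ts)
            if len(window_fails) >= threshold:
                f = findings.setdefault(account, {"peak_failures": 0, "sources": set(),
                                                  "success_after_threshold": False})
                f["peak_failures"] = max(f["peak_failures"], len(window_fails))
                f["sources"].add(source)
        elif account in findings and len(window_fails) >= threshold:
            findings[account]["success_after_threshold"] = True
        recent[account] = window_fails
    return findings


def sources_hitting_many_accounts(findings, min_accounts=2):
    """Source addresses present in findings for several accounts: the same
    attacker trying one guessed password against account after account."""
    by_source = defaultdict(set)
    for account, f in findings.items():
        for source in f["sources"]:
            by_source[source].add(account)
    return {s: sorted(a) for s, a in by_source.items() if len(a) >= min_accounts}


if __name__ == "__main__":
    found = guessing_findings(SAMPLE_LOG)
    for account, f in sorted(found.items()):
        status = "lockout NOT enforced" if f["success_after_threshold"] else "lockout status unknown"
        print(f"{account}: {f['peak_failures']} failures in window from {sorted(f['sources'])}; {status}")
    print("sources hitting several accounts:", sources_hitting_many_accounts(found))
```

On the sample log, `administrator` is reported with seven failures and a success after the threshold, so lockout was evidently off for that account; `backupsvc` reaches the threshold but shows no success, so the script only says the account was targeted, not that lockout failed; and `10.0.0.5` is listed as a source working through more than one account. Feeding the script a real log means only replacing the parser, since the rest of the logic works on the parsed tuples.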

While understanding your own behavior is important, how do you accomplish this? “It’s hard to do on your own,” cautioned Peter Firstbrook, an analyst with Gartner. “Smart organizations get outside help.”

Firstbrook recommended a few steps for understanding your security profile and, more importantly, your organizational security behaviors. Services like vulnerability assessments and device inventories are essential, while configuration and patch management tools should be used regularly to keep the network up to date.

Hacking the Hackers

For discerning flawed behaviors, he recommended education and the implementation of clear, specific security policies. A security consultant will point out behaviors that put your network at risk—ones an administrator may not even be aware of or will take for granted.

For the more ambitious, Firstbrook said organizations could monitor hacking websites but that approach is generally very time intensive.

“Basically, you should be aware of the common tools that hackers use to attack networks, and you should test your security against them.”

Amol Sarwate, director of Qualys’ Vulnerability Research Lab, does just that. He studies new forms of malware to figure out what holes each threat intends to exploit.

“We often use reverse-engineering tools to analyze various forms of malware, such as Trojans and spyware,” he said.

By doing so, Sarwate is taking a page from the hacker’s playbook. Hackers often use tools like IDA Pro to disassemble applications in search of holes, but a security expert can use this same tool to understand the code behind the malware.

Again, this is probably best left to a third-party security pro, but it’s important to realize that legitimate administrator and developer tools like IDA Pro and Microsoft Windows Resource Kit are often used for ill purposes.

What security vendors such as Qualys attempt to do is discern trends in order to predict where the next class of attacks will come from. Even the most savvy IT pro will be too weighed down by administrative burdens to counter zero-day attacks.

Client Side Attacks

“Today, there’s a growing trend of the client-side attack,” Sarwate said. “They exploit vulnerabilities in client applications like Explorer, Mozilla, or PowerPoint. At a recent Black Hat conference, I attended a presentation about inserting malicious code into JPEGs, which is something security professionals should be very concerned about.”

Malicious code in a JPEG or WMF file sits dormant until executed by a vulnerable client, and often that client, if it’s a laptop or handheld, brings the compromised image file into the network from outside. The malware is in the trusted network already, and traditional tools like firewalls and intrusion detection won’t prevent the attack.

“No matter how you harden your security, if someone hauls an infected laptop into the network, you’re in trouble,” Sarwate said.

Security is a constant arms race. Hackers create a new exploit and security pros respond by developing a new layer of protection. Hackers then look for ways around it.

In the case of client-side attacks, many security vendors are forcing quick virus and configuration scans to run on any device entering the network. From an end-user perspective, these scans may be seen as a time-consuming nuisance, but the alternative is a disaster waiting to happen.

Sarwate noted that attacks relying on social engineering are the best way around any form of strong security, and until a new security tool emerges with spooky intelligence, the weak link in any network will always be the end user.

Carelessness, lack of knowledge, or even intentional bad behavior can all undermine security. The best you can do is have a workable security plan in place that constantly scans, monitors, and patches your network, and when trouble emerges, gives you ways to lock down and isolate the attack.

“Enterprises that implement a vulnerability management process will experience 90 percent fewer successful attacks than those that make an equal investment only in intrusion detection systems,” a recent Gartner study found.

All well and good, but what keeps conscientious security pros up at night is that other ten percent.