The Fundamental Reasons for Protecting Your Windows Network
When was the last time you used a computer that was not connected to a network? I am not talking about using your laptop on an airplane. That is a planned disconnection from the network, and we can copy necessary information to the machine before we disconnect. We are talking about getting to a hotel room only to discover that they do not have a high-speed Internet connection or a data port on the phone (and the phone cable is connected using screws, inside the phone!); about moving into a new house before you get the cable modem or DSL line installed; about the network going down unexpectedly. Remember that feeling of helplessness? That feeling that the computer in front of you is just a pile of useless plastics and silicon, more useful as a boat anchor than a business (or entertainment) tool.
In today's environment, a computer that is not connected to the network is about as useful as a car without gasoline. It is pretty. The stereo still makes cool sounds—until the battery dies. The seats even lean back, but the car does not exactly do very much.
A computer today is only as useful as the network(s) it is attached to. This book is about how to protect the network and the computers attached to it so that you, its rightful owner or operator, can get maximum benefit out of it. In the end, information technology is most valuable when it is used to aggregate data from multiple sources, perform some really interesting task with that data, and then share it with someone else. The infrastructure that makes this all happen is the network. Several years ago, Microsoft launched a marketing campaign themed around the "Digital Nervous System." The digital nervous system was the network. It sounds corny to those of us who do not spend all day thinking about how to sell something, but it does make some sense. The network is what allows data to flow from the place where it is stored to the place where it has some impact. In the end, it is all about data; data that you convert into information and then share in such a way that you get maximum benefit from it. Network protection is about ensuring that the infrastructure where all this happens is available, that data and information does not leak into the wrong hands, and that the data and information arrives at its destination intact.
When we first proposed this book, someone asked, "So, is it a book about how to build a secure network?" Our answer was no. Network security as an end state is a pipe dream, an impossible reality that we cannot attain. We constantly get asked how to make a network secure, but that really is the wrong question to ask. The concept of "security" denotes some finite state, some end goal. "Security" is defined as "freedom from risk or danger; safety." It is obvious that "security" in computers can never attain this lofty goal. Computer security is more "management of risk." In fact, is secure or security the right word to even use? Nothing is truly secure or has security if we look at the true definition. Secure means you can stop working because the network is now secure. Network security is a process, a task description, not an end state. Put another way, security is a journey, not a destination. Therefore, we like to talk about network protection as the goal, and network security as a task description. The task (as shown in Figure 1-1) is to detect problems and, preferably before someone else does, respond to those problems in a way that prevents them from becoming security vulnerabilities. At that point, the process repeats, and we look for more problems to prevent.
Figure 1-1 The security process.
We often get asked the "big question" as our colleague Ben Smith calls it: Is my network secure? Contrary to Ben, however, we have not been able to make an entire 75-minute presentation out of it, because the answer is so simple: No. Your network is not secure. The state of being secure is typically considered an absolute. Consider the corollary: Can someone break into our network? Obviously, if the answer to that is no, your network is secure. The problem is that you can never conclusively answer no to that question, and because that is the bar we use for measuring whether something is secure, you will never have a secure network. You may have a "secure enough" network though. For the time being, know that we are aiming to protect the network, to have good enough security for our purposes. What does that mean? Well, it could mean a lot of things. One way to look at it is by comparing it to a car alarm. Does a car alarm make it harder to steal a car? No, not really. Even ignition killers can be bypassed easily by those who know what they are doing. Does it prevent theft? Well, that depends. If you have an alarm but the car next to you does not, it is likely that a thief may just steal the car next to yours (unless he really wants yours). It is kind of like the old story about a camping trip. Two guys are sitting by the fire and one of them asks what they will do if a bear comes. The other guy says, "That's why I am wearing sneakers." The first guy asks, "Do you really think you can outrun a bear though?" The second responds, "No, but I don't need to. I just need to outrun you!" In some cases, it is simply enough to be a more difficult target than someone else!
As long as people are not out to get you specifically, if you protect your network sufficiently, it is likely that the attackers will attack a network that is less secure, unless they really want something on your network. So, we face two challenges: protecting our network from the casual attacker or virus that does not care which network it destroys, and protecting our network from the determined attacker who wants your information. The latter is definitely much more difficult. However, if you take some fundamental steps, you will have accomplished the former as well as make the job of the determined attacker much harder. This frees you up to focus on the rest of the job, which is staying far enough ahead of the determined attacker so your network, and the data on it, remains protected. In a sense, protection is like temporal security. It makes sure that you are secure until the bad guys learn enough to break down your defenses. At that time, you had better have additional defenses in place.
Why Would Someone Attack Me?
One key question we hear a lot is why someone would attack you. The people that attack networks and systems that do not belong to them are criminals, pure and simple. You will often hear the description of them couched in terms such as script kiddie and hacker, but why beat around the bush? They are criminals.
The vast majority of people who attack networks today are not hackers under the original definition of that term—they are merely criminals. Therefore, the real explanation of why they do these things delves into the mind of criminals, and is best answered by a psychiatrist. However, there are several relatively obvious reasons. To understand the reasons, let us first look at the types of attacks you may see.
Types of Network Attacks
Essentially, network attacks can be distinguished on two dimensions: passive versus active and automated versus manual. A passive attack is one that uses network tools, such as a sniffer to capture network traffic, that simply listen on the network. These tools may capture traffic that contains sensitive information.
Active attacks, by contrast, are where the attacker is actively going after the protected resource and trying to get access to it, possibly by modifying or injecting traffic into the network.
On the other dimension, we have automated attacks. The vast majority of the attacks we hear about today are automated attacks, where the attacker creates some tool that attacks a network all by itself. The tool may have some intelligence built in, but fundamentally, if the network is not configured the same way as the one the tool was written for, the tool fails. Worms are methods of automated attack. In most cases, automated attacks are based on a known vulnerability in a system. The best method of defense against an automated attack is simply to keep the system fully patched at all times and monitor your network for suspicious events or messages. That is easier said than done, but Chapter 3, "Rule Number 1: Patch Your Systems," gives you some hints on how.
A manual attack occurs when the attacker is actually executing the attack without using automated tools. In this case, the attacker is actively analyzing the network and responding to its inputs. These types of attacks are much rarer, largely because the ratio of expert attackers to networks is relatively small. When we think of an attacker breaking into a network and stealing or modifying information, we are typically thinking of a manual attack.
Consider these four types of attacks; we have four intersections, ordered roughly in order of severity from least to most severe, as shown in Table 1-1.
- Passive-automated— This type of attack is usually some kind of sniffer that captures particular types of data. For instance, a keystroke logger that automatically sends data to the attacker falls into this category. So does a sniffer that captures and automatically replays an authentication sequence. It is pretty unlikely that these will generate a large percentage of useful data for the attacker, and it would require more skill than some of the other types that generate more access faster.
- Passive-manual— In this type of attack, the attacker is just sniffing everything. A packet sniffer that logs everything falls into this category. We worry a lot about these attacks, but as discussed in Chapter 10, "Preventing Rogue Access Inside the Network," they are not nearly as important as we make them out to be. An attacker who can perpetrate these can usually, with some notable exceptions such as wireless networks, perpetrate other more serious attacks.
- Active-automated— At first, it appears these attacks do not exist. How could an automated attack, such as a worm, involve an active attacker? However, into this category also falls attacks from attackers with sophisticated tools at their disposal. Most network worms fall into this category. For instance, a worm that searches for machines that are missing a particular patch, exploits it, and then uses the compromised machine to find additional targets falls into this category. Another example of this is an attack that uses thousands of hosts to target a single network to cause a denial-of-service condition. Tools now exist that can exploit hundreds, maybe even thousands, of systems at the click of a button and return information to the attacker about exactly which attacks succeeded. These attacks are very disturbing, but they are usually also very noisy. In addition, they usually rely on exploiting unpatched vulnerabilities. When doing this, the risk of crashing systems is pretty high, and that would be very noticeable.
- Active-manual— This is the most worrisome attack. Many people ask how this could be more worrisome than a tool that can exploit thousands of systems at the click of a button. The reason is that if you are subject to one of these, you are up against someone with at least a basic, probably more, knowledge of systems and how to attack them in general, and your network in particular. In this type of attack, the attacker manually attacks a particular network, adjusting the techniques and tools as necessary to counter your defenses. This attacker is probably out to get you, or someone you do business with. They have the time, skill, and resources to do the job thoroughly and to hide their tracks. If the attacker behind one of these attacks is skilled, you may never even know you got attacked!
Table 1-1. Types of Attack Against a Network
Hard to pull off, unlikely to generate much value
Reaches thousands of systems, but (relatively) easy to defeat
Sometimes fruitful, but takes longer than an active attack
Extremely dangerous, but rarer than the others
We frequently discuss the types of attacks that worry us. It is not the first two, and to some extent, not even the third. We know pretty well how to stop worms. (Patch your stuff, and then see the discussion on isolation in Chapter 10.) We also know how to detect mass automated attacks, not to mention how well we know how to stop e-mail worms. The attack that worries us is the one where someone adds himself to your payroll system; the attack where someone gets access to all the patient records at Mass General Hospital; the attack where someone modifies all trades on the New York Stock Exchange by one cent and funnels the proceeds into a Cayman Islands bank account; the attack where someone gets access to the intercontinental ballistic missile systems and obliterates Minneapolis! Those are the types of attacks that worry us. This book is about what we need to do to protect ourselves against those types of attacks.
All the attacks can cause incredible amounts of damage. However, an active-manual attack can cause more targeted damage. An active-automated attack, in the form of a worm, is designed to cause widespread damage; but because it is designed to attack as many systems as possible, it is by necessity generic in nature. The basic principle behind worms is usually to cause the maximum amount of harm to the greatest number of people.
Thus, the damage it can inflict is often more generic. In an active-manual attack, the damage can be much more specific and designed to cause maximum harm to the current victim. There is one notable exception to this: the active-automated attack that is designed to use the maximum number of people to cause the greatest amount of harm possible to one victim. Microsoft, along with others, has been the victim of these types of attacks several times. In them, some criminal wrote a worm designed to infect as many systems as possible and then use them to disrupt access to Microsoft's Web sites. However, these attacks still pale in comparison to what a dedicated active-manual attack can do.
Types of Damage
Generally speaking, four kinds of damage can be inflicted on a network or its data: denial of service (DoS), data destruction, information disclosure, and data modification. You will often see these discussed under the CIA acronym: confidentiality, integrity, and availability. However, data destruction and data modification, although they both fall under integrity, have vastly different consequences, and deserve to be separated. In essence, CIA fails to capture the nuances of what modern criminals do.
The simplest, and most obvious type of damage, is where an attacker slows down, or disrupts completely, the services of your infrastructure or some portion thereof. This is a typical DoS attack. The aforementioned attack on Microsoft's Web presence is an example of this type of attack. In some cases, the damage results from an attack that crashes or destroys a system. In other cases, a DoS attack can consist simply of flooding the network with so much data that it is incapable of servicing legitimate requests. In a flooding attack, it usually comes down to a matter of bandwidth or speed. Whoever has the fattest pipes or fastest computers usually wins. In other cases, particularly in the case of an automated attack, simply moving the computers to a different IP address mitigates the attack.
Of potentially much more serious consequence than a DoS attack is a data-destruction attack. In this type of attack, you are not merely prevented from accessing your resources, they are actually destroyed. Perhaps database files are corrupted, perhaps operating systems are corrupted, or perhaps information is simply deleted. Imagine if someone deleted your accounts receivable database? This type of attack can be extremely damaging, but can be mitigated by maintaining backup copies of both data and equipment.
Damage can also result from information disclosure. This damage may be more serious than data destruction, particularly because it is much less obvious. For instance, in February 2004, someone posted portions of Microsoft Windows source code on the Internet. This was an information-disclosure attack that involved portions of intellectual property. In a sophisticated information-disclosure attack, the victim may not know for years whether any data was disclosed. This is often the objective of government spies—to steal information such that they get an advantage while the enemy is unaware of what is happening. One extremely famous example of this happened during World War II. In 1942, the United States had accessed some of the Japanese naval codes, including the code used by Admiral Yamamoto, head of the Japanese combined fleet. The Americans knew that Yamamoto was planning an assault on a location designated as "AF." The problem was that they did not know what the designation AF meant, although they suspected it designated Midway. Commander Rochefort, of the code-breaking command at Pearl Harbor, and Captain Edwin Layton, Admiral Nimitz's fleet intelligence officer, devised a plan to determine whether AF actually did mean Midway. They sent a message via underwater line to Midway asking them to transmit a message in the clear stating that their desalination facility used to produce fresh water was broken. Shortly after the message was sent, the Japanese transmitted a new coded message indicating that AF was short on fresh water and that the conditions for an attack were favorable. Nimitz now had all the information he needed and was able to position the fleet to intercept the Japanese attack at Midway, leading to one of the most spectacular victories of World War II; a definitive turning point in the war in the Pacific.
A covert information-disclosure attack could either leave the victim with a false sense of security, or a nagging feeling of insecurity, both of which can be damaging in the long run. When information is disclosed, an attacker may be able to use it for malicious purposes. For example, confidential trade secrets can be used to undermine market share, to cause embarrassment, or to obtain access to money. Many people think that destruction of data is more damaging than an attacker reading the data, and, of course, whether it is depends on the data and whether regulatory confidentiality requirements are involved. (Some locales, notably California, now have regulatory requirements regarding confidentiality of all data, and virtually all jurisdictions are subject to regulatory confidentiality requirements of at least some data.) However, since we usually have some form of backup, disclosure is typically more severe. If you still have doubts, ask victims of identity theft if they would have rather had the criminal destroy their bank records rather than steal them.
Data modification may cause the most serious damage of all. The reason, as in the case of information disclosure, is that it is very difficult to detect. For example, suppose that the perpetrators broke into your payroll system and added themselves to the payroll? How long would it take you to notice? If you work in a small organization, it probably would be discovered during the next pay period; in a company with thousands of employees, however, it may go undiscovered for years. When writing this book, we were told of a story (no word on the truth of it) about a company that made all employees come pick up their paychecks one week instead of getting them automatically deposited. Apparently, several fake employees were discovered in the process.
When the Microsoft source code mentioned earlier was discovered on the Internet, the immediate concern was whether the perpetrators had also been able to insert back doors into the source code. (This is always the concern when a large software vendor is attacked, even if, as in this case, it was not actually the vendor that was attacked. The news reports immediately stated that "there is no word yet on whether any back doors have been inserted.") Data modification can be used to cause all kinds of damage, some of which may never be discovered, and some of which may only be discovered in very rare events, when the altered data are actually put to use. If someone wants to cause huge amounts of destruction to IT systems, obviously attacking a large software vendor and modifying the source code represents an efficient way to achieve that objective. If we may say so ourselves (after all, we helped design the protection), the Microsoft source code is extraordinarily well protected. However, back doors and Trojans have been discovered in several open source projects to date. Examples from other realms can easily be constructed. Consider, for instance, what would happen if attackers modified patient blood type data in a medical database, or tax information in an accounting database, or whatever data you consider important in your line of business.
Most of Us Are Just Roadkill
A friend of ours describes most of the victims of viruses and worms today as "roadkill." They just happen to be standing in front of the truck when it, in the form of the latest worm, comes barreling down the information superhighway. (Yes, this will be the last time we refer to the "information superhighway," and you may complain loudly if we break that promise!) Although it may be true that the person who wrote the worm was not out to attack you specifically, roadkill is still just as dead as if it had been shot with a high-precision weapon. There is an important lesson in that: Do not become roadkill. More specifically, there are some very simple things we can do—such as patching—to avoid being roadkill. If we can just avoid being creamed by the latest worm, we can devote our attention to protecting ourselves against the attacks that are actually targeting us.
There Are People Out There Who Are Really Targeting You
Many of the people who are causing damage on our networks today are best compared to the people who spray-paint highway overpasses. They are in it for the sheer joy of destruction and to broadcast their pseudonym. They may not be out to attack you specifically. As long as they ruin someone's day, that is sufficient. In some cases, they may not actually be after you at all. They may be after the vendor from whom you purchased your software or hardware. By causing damage to you, they discredit the vendor by making it seem as if the vendor's products are more insecure or cause more problems than some other vendor's systems.
The people you really have to worry about are the ones who are directly targeting you. In some cases, they are attacking you actively only because you use some technology that they know how to take advantage of, and taking advantage of it will earn them money, fame, or prestige in a community of like-minded deviants. In other cases, they are after you because you have something they want. You may, for example, have a list of customers. If competitors steal it, they can target your customers. You may have an accounts receivable database. If someone destroys it, you do not know how much money to ask people for, and you will not get paid. You may have a payroll system. If someone destroys it, how long before your employees leave when they do not get paid?
It really does not matter what business you are in. Every organization has something that is of value to someone else. You need to consider what those things are, how much they are worth, and how much money you should spend protecting them. Think of it this way: We all have insurance. Some large companies are self-insured, but they still have to set aside money to pay for claims. Although we can buy insurance for our information technologies, we still have to take reasonable measures to protect them. In Chapter 4, "Developing Security Policies," we discuss how to analyze how much money to spend protecting information and technology assets. Until then, keep in mind that the value of technology is not the technology itself; it is what you do with it. Technology is replaceable, but the services and data you are using it for are not. If your systems are down, the services they would have rendered while they are down are lost forever.