There are no secrets III

In IT many assume our settings are secret, but each tool shrieks announcements that hackers can hear...

My years in security show a disturbing trend: an over-reliance on obscurity, on which too many base their lives.  I've discussed how server and client applications reveal their details.  Let's discuss the typical network.

Network settings are carefully cataloged in many neat structures.  Your IP address ranges are available for a simple search.  Many organizations do not understand DNS security basics, and so it is very easy, and permitted, to fetch a copy of an organization's IP address-to-hostname assignments.  Even if you block full zone transfers, each IP address assignment can still be retrieved, one by one.
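Seen from the defender's side, both the zone-transfer requests and the one-by-one lookups described above leave a trail in the name server's query log. The following is an added example, not part of the original post, that flags both; the log line layout (loosely modeled on BIND query logging), the addresses, and the threshold are assumptions, and the sample lines are constructed.

```python
import re
from collections import defaultdict

# Constructed sample: one client tries a zone transfer, then walks a reverse
# zone address by address; a second client makes ordinary lookups.
SAMPLE_LOG = "\n".join(
    ["client 198.51.100.23#40112 (example.com): query: example.com IN AXFR -T"]
    + [f"client 198.51.100.23#{40200 + i} ({i}.2.0.192.in-addr.arpa): "
       f"query: {i}.2.0.192.in-addr.arpa IN PTR +" for i in range(1, 9)]
    + ["client 203.0.113.5#51000 (www.example.com): query: www.example.com IN A +",
       "client 203.0.113.5#51001 (10.2.0.192.in-addr.arpa): "
       "query: 10.2.0.192.in-addr.arpa IN PTR +"]
)

# Assumed line layout: "client <ip>#<port> (<name>): query: <name> IN <type> <flags>"
LINE_RE = re.compile(r"client (\S+?)#\d+ .*?query: (\S+) IN (\S+)")
PTR_THRESHOLD = 5  # hypothetical: distinct PTR names per client per reverse zone


def find_enumeration(log_text, ptr_threshold=PTR_THRESHOLD):
    """Return sorted (client, kind, zone, count) findings from query-log text."""
    transfers = defaultdict(int)   # (client, zone) -> number of AXFR/IXFR requests
    sweeps = defaultdict(set)      # (client, reverse zone) -> distinct PTR names
    for line in log_text.splitlines():
        match = LINE_RE.search(line)
        if not match:
            continue  # not a query line
        client, qname, qtype = match.groups()
        qname = qname.lower().rstrip(".")
        if qtype.upper() in ("AXFR", "IXFR"):
            transfers[(client, qname)] += 1
        elif qtype.upper() == "PTR" and qname.endswith(".in-addr.arpa"):
            zone = qname.split(".", 1)[1]  # drop the host octet
            sweeps[(client, zone)].add(qname)
    findings = [(c, "zone-transfer-request", z, n) for (c, z), n in transfers.items()]
    findings += [(c, "reverse-zone-sweep", z, len(names))
                 for (c, z), names in sweeps.items() if len(names) >= ptr_threshold]
    return sorted(findings)


if __name__ == "__main__":
    for finding in find_enumeration(SAMPLE_LOG):
        print(finding)
```

Secondaries that legitimately request transfers, and resolvers that do many reverse lookups (mail servers, for instance), would need an allowlist before this is useful on real logs.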

Once found, what are the chances that a hostname, "www..." will allow http, https, or ftp access to it?  Too many perform website content management with ftp.  More to the point, do you have a hostname, "ftp...", "smtp...", or "pop..."?  Your hostnames are screaming their services.

But I'm not recommending obscurity.  There are port mappers and other tools that will 'walk' a firewall, probing for weaknesses.

Hackers have learned to use your network against you.  Botnet authors know that many organizations allow outbound website traffic without any authentication.  The Zeus botnet will attempt to 'obscure' its traffic using https as a tunneling protocol.

Your Border Gateway Protocol (BGP) AS numbers are researchable.  There are websites that collect and display IDs and passwords that allow access to your Internet-facing applications, in some cases.

In fact, your networks converge: they cooperate with other networks through a series of trusted broadcasts, I kid you not.  Windows systems would proclaim their NetBEUI names and services (and role in the domain) through broadcast.  Ditto for some aspects of AppleSqualk...  Today, ARP broadcasts announce the IP address to MAC address pairings.  Your systems get their IP address and network settings from the DHCP server, whose pronouncements you trust 1000%.  RIP and OSPF broadcasts help set your borders.

So what's a security person to do?

1. Understand and accept that little is secret.  Running old applications or network gear and protocols will announce your vulnerabilities.

2. Forget security through obscurity.  The 'secret' account and static password you give an Internet partner just may be shared.  Is your firewall a Swiss cheese of holes?

3. Work with a premier consultancy to design your infrastructure service security: DNS, Email, File Transfer, Firewall, Routing design and announcement, IP address management, etc.  Feel confident about the current design?  Have it tested.

4. Set Realistic Goals, Design, Update, & Test.  Applications, networks, and borders.

5. Read my past article on firewall design, the importance of default routes, etc.  Too many set up firewalls to fail... 

6. Review the security benchmarks at the Center for Internet Security (www.CISecurity.org).

jt
