When you first think about computer network security you might picture two security guards watching your computer. In practice, computer network security is the line of defense that stops intruders from accessing your computer or network, and detection provides information when someone tries to access your systems: whether or not they succeeded, and what they could have done if they had. Information stored on your computers includes banking details, credit card credentials and communication logs, whether chat or email. You can live with someone reading your personal conversations, but not with someone stealing your bank or credit card information.
Intruders often use other computers as a launching point for attacks, disguising themselves as the compromised computer. Custom malware is one of the largest network security problems facing the Internet. Targeted attacks, designed to be used against a single target, can avoid signature detection: because the malware is custom built to avoid any known signatures and has never been publicly released, no signature for it exists, and no signature-based detection mechanism will find it, whether anti-virus software, intrusion detection software, or any other form. Malware can also be hidden from signature detection with polymorphic tools that constantly change the code, producing a unique version with a unique signature each time the program is built. Polymorphic toolkits such as ADMutate, PHATBOT, Jujuskins, TAPioN and CLET put this kind of functionality within the reach of the averagely skilled malware creator, if not the novice.

In another separate, but real-life example of stealthy malware, the Gozi trojan existed in the wild for over fifty days at the beginning of 2007; it has been estimated that the first variant of it infected more than 5,000 hosts and put account information for over 10,000 users at risk. Gozi's primary function was to steal credentials sent over SSL connections before they were encrypted and add them to a database server that dispensed them on demand in exchange for payment. Had the malware author chosen the packing utility more carefully, the trojan might have gone much longer before being detected.
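To make the limitation of signature detection concrete, here is an added Python example; it is not code from the original article or from any product or toolkit the article names. It pairs an exact-byte signature scanner with a Shannon-entropy heuristic of the kind defenders use to flag packed or polymorphic code that no stored signature matches. The signature names, the byte patterns and all three samples are constructed for illustration; the "packed" sample is simply deterministic pseudo-random bytes standing in for content whose bytes differ from every known pattern.

```python
import math
import random
from collections import Counter

# Constructed toy signatures (illustrative only, not real AV/IDS rules).
SIGNATURES = {
    "toy-keylogger-v1": b"GetAsyncKeyState",
    "toy-dropper-v1": b"\xde\xad\xbe\xef\x00\x01",
}


def scan_signatures(data: bytes, signatures=None):
    """Return the names of every signature whose exact byte pattern occurs in data.

    This is all a pure signature engine can do: if the bytes differ from the
    stored pattern, even by one byte, the rule does not fire.
    """
    signatures = SIGNATURES if signatures is None else signatures
    return [name for name, pattern in signatures.items() if pattern in data]


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: near 0 for repetitive data, near 8.0 for random-looking
    bytes such as packed, encrypted or polymorphically re-encoded code."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def classify(data: bytes, entropy_threshold: float = 7.0) -> dict:
    """Combine both checks: a signature hit is a confirmed match; otherwise a
    high-entropy blob is reported as suspicious so an analyst can look closer."""
    hits = scan_signatures(data)
    entropy = shannon_entropy(data)
    if hits:
        verdict = "known-malicious"
    elif entropy >= entropy_threshold:
        verdict = "suspicious-packed"
    else:
        verdict = "clean"
    return {"verdict": verdict, "signatures": hits, "entropy": round(entropy, 2)}


# --- Constructed samples (labelled as such; none of these is a real binary) ---
# 1. A sample that still carries a known pattern: the signature engine catches it.
SAMPLE_KNOWN = b"MZ\x90\x00" + b"\x00" * 32 + b"GetAsyncKeyState" + b"\x00" * 32
# 2. Benign, low-entropy text: neither check fires.
SAMPLE_PLAIN = b"MZ\x90\x00" + b"hello world, this is a benign program text section. " * 4
# 3. Deterministic pseudo-random bytes standing in for a packed/polymorphic
#    variant whose bytes match no stored signature. Only the entropy check fires.
_rng = random.Random(2007)
SAMPLE_PACKED = b"MZ\x90\x00" + bytes(_rng.getrandbits(8) for _ in range(4096))


if __name__ == "__main__":
    for label, sample in [("known", SAMPLE_KNOWN), ("plain", SAMPLE_PLAIN), ("packed", SAMPLE_PACKED)]:
        print(label, classify(sample))
```

The point of the three samples is the middle column of the output: the signature engine names the first sample and says nothing about the third, while the entropy check is what surfaces the third. Entropy is a triage signal rather than a verdict; legitimately compressed or encrypted files also score near 8.0, so in a real deployment the threshold is tuned per file type and the "suspicious-packed" result feeds a behavioural or sandbox check rather than an automatic block.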
Intruders discover new vulnerabilities, or loopholes, every day, and developers or computer vendors provide patches that close previously found loopholes. A "zero-day" attack is an attack that targets a vulnerability for which no fix is readily available; once the vendor releases a patch, the zero-day exposure has ended. A recent example of a critical zero-day vulnerability was the Windows Animated Cursor Remote Execution Vulnerability, patched by MS07-017 (Microsoft Security Bulletin 925902). This was considered a critical hole because it could allow remote code of the attacker's choosing to be executed. A security research company called Determina notified Microsoft of the problem on December 20, 2006. The vulnerability was publicly announced on March 28, 2007. On April 2nd, Determina released a video demonstration of Metasploit using exploit code against Vista. Microsoft then released the patch on April 3, 2007, ending at least six days of zero-day exposure. Exploit code targeting this vulnerability was active in the wild for at least several days, if not several weeks, before the patch was released. Even after a patch is released, many organizations take several days to get around to updating their systems. Most of the time it is your job to download and install these patches, so it is a good idea to check for updates at least once a day or to use an enterprise tool to manage updates across your network.
How can an intruder infiltrate my system? Intruders have numerous tools available that can give them access to your system, such as:
- Paros Proxy
- Metasploit Framework
- Core Impact
- IDA Pro
- Rainbow Crack
If your organization has an Internet connection or one or two disgruntled employees (and who does not!), your computer systems will get attacked. From the five, ten, or even one hundred daily probes against your Internet infrastructure to the malicious insider slowly creeping through your most vital information assets, attackers are targeting your systems with increasing viciousness and stealth. You need to understand attackers' tactics and strategies in detail so that you can find vulnerabilities and discover intrusions. Equipping yourself with a comprehensive incident handling plan is vital to protecting your organization against attackers.