Overview of the Methodology

To perform a useful SHA, the different types of hackers must be identified and understood. The stereotype of a hacker as a brilliant computer science graduate sitting in a laboratory in a remote part of the world is a dangerous misconception. Although such hackers exist, the majority of security breaches are performed by staff members of the breached organization. Hackers can be categorized into four types:

•  Persons within an organization who are authorized to access the system. An example may be a legitimate staff member in the Accounting department who has access to Accounts Payable application menu functions.

•  Persons within an organization who are not authorized to access the system. These individuals may include personnel such as the cleaning staff.

•  Persons outside an organization who are authorized to access the system. An example may be a remote system support person from the organization’s software vendor.

•  Persons outside an organization who are not authorized to access the system. An example is an Internet user in an overseas country who has no connection with the organization.

The objective of the SHA is to use any conceivable method to compromise system security. Each of the four hacker types must be considered to assess fully all potential security exposures.

POPULAR HACKER TECHNIQUES

The following sections describe the techniques most commonly used by hackers to gain access to various corporate systems. Each section discusses a hacker technique and proposes basic controls that can be implemented to help mitigate these risks. The network administrator should attempt each of these techniques and should tailor the procedures to suit the organization’s specific environment.

Accessing the Log-In Prompt

One method of gaining illegal access to a computer system is through the log-in prompt. This situation may occur when the hacker is physically within the facility or is attempting to access the system through a dial-in connection.

Physical Access

An important step in securing corporate information systems is to ensure that physical access to computer resources is adequately restricted. Any internal or external person who gains physical access to a terminal is given the opportunity to attempt to sign on at the log-in prompt.

To reduce the potential for unauthorized system access by way of a terminal within the organization’s facility, the network administrator should ensure that:

•  Terminals are located in physically secure environments.

•  Appropriate access control devices are installed on all doors and windows that may be used to access areas where computer hardware is located.

•  Personal computers that are connected to networks are password-protected if they are located in unrestricted areas. A hacker trying to access the system would be required to guess a legitimate password before gaining access through the log-in prompt.

•  Users do not write their passwords on or near their work areas.

Dial-in Access

Another method of accessing the log-in prompt is to dial in to the host. Many “daemon dialers” are readily available on the Internet. These programs, when given a range of numbers to dial, can identify valid modem numbers. Once a hacker discovers an organization’s modem number, he or she can dial in and, in most cases, immediately gain access to the log-in prompt.

To minimize the potential for security violations by way of dial-in network access, the network administrator should ensure that:

•  Adequate controls are in place for dial-in sessions, such as switching off the modem when not in use, using a call-back facility, or requiring an extra level of authentication, such as a one-time password, for dial-in sessions.

•  The organization’s logo and name are removed from the log-in screen so that the hacker does not know which system has been accessed.

•  A warning message alerts unauthorized persons that access to the system is an offense and that their activities may be logged. This is a legal requirement in some countries.

Obtaining Passwords

Once the hacker has gained access to an organization’s log-in prompt, he or she can attempt to sign on to the system. This procedure requires a valid user ID and password combination.

Brute Force Attacks

Brute force attacks involve manual or automated attempts to guess valid passwords. A simple password guessing program can be written in approximately 60 lines of C code or 40 lines of PERL. Many password guessing programs are available on the Internet. Most hackers have a “password hit list,” which is a collection of default passwords automatically assigned to various system accounts whenever they are installed. For example, the default password for the guest account in most UNIX systems is “guest.”

To protect the network from unauthorized access, the network administrator should ensure that:

•  All user accounts are password protected.

•  Password values are appropriately selected to avoid guessing.

•  Default passwords are changed once the system is installed.

•  Failed log-in attempts are logged and followed up appropriately.

•  User accounts are locked out after a predefined number of sign-on failures.

•  Users are forced to select passwords that are difficult to guess.

•  Users are forced to change their passwords periodically throughout the year.

•  Unused user accounts are disabled.

•  Users are educated and reminded regularly about the importance of proper password management and selection.