Blissfully Aiding and Abetting Hacker

A case study of a recent hack against university computers, describing the need to harden computers and other prevention techniques.

This breach, reported by SC Magazine, occurred at a university in Michigan when a hacker compromised two servers and used them to launch attacks on other computers outside the university. When hackers take control of a computer (usually without the knowledge of the system’s owner), the system is said to be “owned” by the hackers.

Notably, the compromised servers also apparently held databases containing the personal addresses, birth dates and Social Security numbers of 5,500 students.

What went wrong?

There is not much detail in the article about how the hackers compromised the systems, but there are many possibilities, including:

  1. Improperly hardened servers could allow attackers to take advantage of various programs running on systems that may have security weaknesses or default configurations that are easy for hackers to guess. Once they find a weakness they usually look for a way to change configuration files or account permissions to gain total control of the system.
  2. Improperly configured firewalls could allow hackers to scan and attempt to locate servers inside the perimeter that might be vulnerable to certain types of attacks.
  3. Improperly configured or non-existent Intrusion Detection or Prevention Systems (IDS or IPS) could leave system administrators unaware of attacks, giving the attackers time to explore the environment and launch an attack.
  4. A contributing factor in this case appears to be that the database servers were directly accessible by users on the Internet. Usually servers holding sensitive information are hidden behind more than one layer of perimeter safeguards, such as firewalls, and are not reachable from the Internet at all.

The Bottom Line

  1. Servers on any production system should be hardened. This involves removing all unnecessary software that may have vulnerabilities, especially if the software is not updated. Required software should have security updates applied in a timely manner to reduce the risk of known vulnerabilities being exploited. In addition, unneeded ports on every system should be closed to limit the number of “doors” into a system. There are many other methods for reducing the ability of attackers to succeed in taking over a system, even if they know its address and have access to the network segment the system is on.
  2. Firewalls are the front line in preventing attacks from the outside. They are used to hide the addresses and limit the protocols allowed to specific systems. Many firewalls have more advanced features for protecting the systems behind them, but need to have the features properly configured to be effective.
  3. Intrusion Detection or Prevention Systems (IDS or IPS) are used to monitor servers and network segments for indications of unusual traffic patterns. These can automatically alert system administrators, or even lock out sessions from the originating systems. This gives the administrators and Security Response team a chance to analyze the problem and determine whether it is a real attack before making adjustments to the security settings, if necessary.
  4. Zoning is a strategy used to create multiple layers of network segments that contain only systems that are used for similar types of traffic. This way, the most vulnerable systems can be isolated from the systems that contain the most sensitive information. The Demilitarized Zone (DMZ) or Public Access Zone (PAZ) usually contains only systems that need to be accessible by users and systems coming in from the Internet. The Operations Zone is usually the next layer containing systems that are primarily used for accepting connections from the DMZ systems and processing their requests. There may even be additional “security zones” that would house database servers with sensitive information. Each zone’s systems are only allowed to communicate with specific systems and/or applications from other zones. In this way, the data flow and sessions are broken up to the point where it becomes difficult for hackers to send their carefully constructed commands that would form the attacks on the most sensitive systems.
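As an added example (not part of the original article or the university's systems), the following Python audit applies the zoning model from item 4 to a firewall ruleset and reports any "allow" rule that lets an outer zone initiate connections straight into the database zone, the exposure noted under "What went wrong". The zone names, address ranges and rules are assumptions constructed for the example.

```python
import ipaddress

# Constructed zoning model (assumption, not from the article):
# zone name -> (address range, zones allowed to initiate connections into it).
# Each layer may only be entered from the layer immediately outside it.
ZONES = {
    "internet": (ipaddress.ip_network("0.0.0.0/0"), set()),
    "dmz":      (ipaddress.ip_network("192.0.2.0/24"), {"internet"}),
    "ops":      (ipaddress.ip_network("10.10.0.0/16"), {"dmz"}),
    "secure":   (ipaddress.ip_network("10.20.0.0/16"), {"ops"}),
}

def zone_of(spec):
    """Map a host or CIDR to the most specific zone wholly containing it; a range
    spanning several zones only fits the catch-all 'internet' and is treated as untrusted."""
    net = ipaddress.ip_network(spec, strict=False)
    best = None
    for name, (zone_net, _) in ZONES.items():
        if net.subnet_of(zone_net) and (best is None or zone_net.prefixlen > ZONES[best][0].prefixlen):
            best = name
    return best

def audit(rules):
    """Return (rule, reason) for each allow rule that lets a source zone initiate
    into a destination zone the model does not permit. Rules are (action, source,
    destination, port); replies to permitted sessions are left to the firewall's state table."""
    findings = []
    for rule in rules:
        action, src, dst, _port = rule
        if action != "allow":
            continue
        src_zone, dst_zone = zone_of(src), zone_of(dst)
        if src_zone != dst_zone and src_zone not in ZONES[dst_zone][1]:
            findings.append((rule, f"{src_zone} may not initiate into {dst_zone}"))
    return findings

# Constructed sample ruleset resembling the breach: the student-records
# database (10.20.1.5) is reachable from anywhere on the Internet.
SAMPLE_RULES = [
    ("allow", "0.0.0.0/0",  "192.0.2.10",   443),   # Internet -> DMZ web: expected
    ("allow", "192.0.2.10", "10.10.5.20",   8080),  # DMZ web -> Ops app: expected
    ("allow", "10.10.5.20", "10.20.1.5",    1433),  # Ops app -> DB: expected
    ("allow", "0.0.0.0/0",  "10.20.1.5",    1433),  # Internet -> DB: violation
    ("allow", "192.0.2.10", "10.20.1.5",    1433),  # DMZ -> DB skips a layer: violation
    ("deny",  "0.0.0.0/0",  "10.20.0.0/16", None),
]

if __name__ == "__main__":
    for rule, reason in audit(SAMPLE_RULES):
        print(f"VIOLATION {rule}: {reason}")
```

Running the script against the sample ruleset flags the two rules that bypass the layered zones, while the three hop-by-hop rules pass.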

Disclaimer: This analysis is only based on the breach information provided in the SC Magazine article, which is assumed to be accurate. It is only intended as general Security Management guidance, and to illustrate approaches that can help reduce security risks in an organization.

Copyright 2007 - Scott Wright - All Rights Reserved

About Scott Wright

Scott is a Security Management Consultant, based in Ottawa, who has over 20 years of industry experience; 10 of those years being in Enterprise and Web Security. Having spent much of his early professional career in software development projects and product management, his views on security cover a broad range of disciplines. Senior Management tends to appreciate Scott's balanced viewpoint on many issues, drawn from his industry experience, as well as a degree in Engineering from the University of Waterloo, and a Masters of Business Administration from the University of Ottawa.
