LINUX SECURITY --- March 20, 2001
Published by ITworld.com -- changing the way you view IT
http://www.itworld.com/newsletters
________________________________________________________________________________
HIGHLIGHTS
* Identifying your attacker is usually easier said than done.
________________________________________________________________________________
Know your Enemy
By Rick Johnson
As we all know, you must identify the person before you can hope to
catch a potential attacker. Catching the bad guy seems easy to most:
you find the mistake that caused the attacker to leave a critical
piece of evidence in your log files, and it leads you back to their
lair. Good concept, but it is rarely that easy.
Most of the time you have little information: maybe a partially
undeleted file, possibly an obscure log entry, but never a smoking
gun. Besides, having the perpetrator dropped in your lap wouldn't be
any fun. Even assessing the damage is difficult without understanding
the evildoers' mindset. To this end, I will sketch a rough picture of
the types of attackers you will be facing.
There are three primary categories I use when trying to profile a
hacker:
* Those who do it for fun;
* Those who are looking for financial gain;
* Those who are looking to ruin your organization.
Those who do it for fun are probably the least of your concerns; they
just want to see if they can break in. A decent set of defenses will
usually bore them and send them off in search of an easier target.
Should they actually get in, they typically will not know what is of
value or how to capitalize on the compromise.
Next, hackers looking for financial gain receive the most press.
Some "entrepreneur" looking for the credit card mother lode always
makes the headlines. This group also includes those focusing on
corporate espionage. Your intellectual property can be of great value
to the right person. Common sense: If it has value, then protect it.
The last, and worst, group is those deliberately looking to ruin your
organization. Sure, the other two types have the potential to
accomplish this, but nothing is quite as bad as the person who has it
as their primary goal. This group could include anyone from a
disgruntled customer or employee to an activist upset by your company's
political views. The theft itself is not nearly as important as the
publicity and damage. Their attack will usually focus on your Web
server or some other public information venue. They will want the
world to know that you were made to pay.
Lastly, you have to figure out whether they are a professional or some
script kiddie who has been hanging out on IRC instead of going to
school. The amateur can be dangerous, but most of the time they simply
get lucky. If the perpetrator is a pro, then may your deity of choice
help you. Chances are you will never see it coming, and they will leave
at most a trace (if they choose to leave one at all). If you do see
verifiable traces of the hack, then it was not a professional.
About the author(s)
-------------------
Rick Johnson is currently the Manager of Security Services for
FusionStorm, a remote managed services company. When not writing, he
heads the development team for PMFirewall, an Ipchains Firewall and
Masquerading Configuration Utility for Linux. Rick can be contacted via
email at rick@pointman.org or on the web at http://www.pointman.org.
________________________________________________________________________________