Hackers aren’t as sneaky as you think

Basic security measures can protect your company from even the most elite malicious hackers.

Two weeks ago, I essentially claimed that nearly every company I know is hacked — and in many cases, thoroughly hacked. Although there’s a bit of hyperbole in that statement, it isn’t that far from reality. That statement, however, has led some readers to believe detecting hackers and preventing attacks is impossible. Nothing could be further from the truth.

Discovering malicious hackers

Despite what the movies show, hackers are never good enough to go unnoticed. Even the professional hackers who are making millions of dollars really don’t do much to stay hidden. They don’t need to: Most admins aren’t looking.

The Verizon 2008 Data Breach Investigations Report [PDF], which is quickly becoming one of the most respected sources on computer crime statistics, said it best: “Evidence of events leading up to 82 percent of data breaches was available to the organization prior to actual compromise. Regardless of the particular type of event monitoring in use, the result was the same: Information regarding the attack was neither noticed nor acted upon.”

Your No. 1 tool for detecting malicious activities is your log files. Most admins don’t turn them on, and those who do usually don’t monitor them. Additionally, many companies turn on logging only on their servers, even though most malicious break-ins occur on their users’ workstations.

Every company should have an enterprise-wide log management plan, a topic I covered the basics of last year. In a very small nutshell, you need to collect all your log events in a central location and generate alerts on the abnormal events that dictate a reaction.
Don’t be that company with an event logging management system that sends dozens to hundreds of “alerts” a day, a figure that guarantees that none will be acted upon. A well-designed event management system requests action only for the stuff that deserves to be investigated. (On a related note, I’m just finishing up a review of event log management systems that should be published on InfoWorld soon.)

Another effective way to detect hackers is to scan for common hacking tools: password crackers, man-in-the-middle tools, sniffers, and so on. Most anti-malware scanners will detect commonly used hacker tools. Not every hacker uses the same tools, but most of them do.

I’m also a big believer in creating network traffic flow baselines. Most data should be going from servers to workstations and vice versa. Unexpected server-to-server traffic should be investigated, as should unexpected workstation-to-workstation traffic. Moreover, if you have a workstation hitting every server in your environment, investigate it. Many insider attacks have been interrupted because astute network flow analysts noticed very large amounts of data going to a single employee’s machine.

Implementing host-based and network-based intrusion detection systems (IDS) is also worthwhile. Each is capable of catching what the other might miss.

I’m a huge believer in setting up a few juicy honeypots as early-warning systems. Just take a few old PCs that you’re getting ready to throw away and set them out on the network. Turn on logging or install honeypot software. My favorite software is KFSensor and Honeyd. Spend a few hours or a day filtering out the legitimate traffic. After that, any logon to the fake systems deserves to be investigated. Hackers may be good, but they have to touch a machine to hack it. If they touch your honeypots, you’ve got ’em.

Preventing successful hacks

I’ve covered this topic plenty over the last year, but I’ll repeat the most useful advice here for continuity.

The No. 1 way to prevent hacking is to stop end-users from accidentally executing Trojan horse programs. There are several ways to accomplish this goal: You can remove their elevated rights, use application control programs, or simply provide improved education around today’s sophisticated threats.

Second, make sure all software, both OS and applications, is patched, especially your browser add-ons. Most software comes with auto-updating routines, but not all. Secunia, one of my favorite companies, just announced free software for home consumers that will help keep them up to date on patches.

Third, use anti-malware software, including a host-based firewall, antivirus, antiphishing, and antispam.

Fourth, learn where your data is so that you can protect it.

Fifth, make sure you have good security controls and policies, that people follow them, and that they are disincentivized for not following them.

Everything else you can do to provide better defense-in-depth should be considered, but don’t let the extraordinary efforts and products stop you from focusing on the simple things that will return tangible results. There are no silver bullets that will defeat all hackers. But it doesn’t take some extraordinary rocket-scientist defender to defeat most hackers. It just takes good effort on the few defense items that are most likely to provide the best bang-for-the-buck defenses.

The Verizon report said it best: “87 percent [of successful hacking attacks] were considered avoidable through reasonable controls.”

This story, “Hackers aren’t as sneaky as you think,” was originally published at InfoWorld.com. Follow the latest developments in security and read more of Roger Grimes’s Security Adviser blog at InfoWorld.com.
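As an added example (not code from the article or from InfoWorld), here is a small Python check that applies the flow-baseline rules described above, unexpected server-to-server traffic, workstation-to-workstation traffic, one workstation sweeping every server, a bulk transfer into a single employee’s machine, together with the honeypot rule, to constructed flow records. The host roles, the expected-pair baseline, the thresholds and the sample flows are all assumptions made for the example.

```python
from collections import defaultdict

# Constructed asset inventory (assumption: you keep a role for every host on the network).
ROLES = {ip: "server" for ip in ("10.0.1.10", "10.0.1.11", "10.0.1.12", "10.0.1.13", "10.0.1.14")}
ROLES["10.0.9.50"] = "honeypot"
ROLES.update({ip: "workstation" for ip in ("10.0.2.21", "10.0.2.22", "10.0.2.23")})
# Baseline: the only server-to-server pair that is supposed to talk (app tier -> database).
EXPECTED_SERVER_PAIRS = {("10.0.1.10", "10.0.1.11")}
SERVER_FANOUT_THRESHOLD = 4    # a workstation hitting this many servers is "hitting every server"
LARGE_XFER_BYTES = 50_000_000  # total bytes into one workstation that merit a look

def analyze_flows(flows):
    """flows: iterable of (src_ip, dst_ip, bytes). Returns sorted, de-duplicated findings."""
    findings = set()   # a set, so a rogue pair seen 500 times yields one alert, not 500
    servers_per_workstation = defaultdict(set)
    bytes_to_workstation = defaultdict(int)
    for src, dst, nbytes in flows:
        s_role, d_role = ROLES.get(src, "unknown"), ROLES.get(dst, "unknown")
        if d_role == "honeypot":
            # Once legitimate noise is filtered out, nothing should ever talk to a honeypot.
            findings.add(f"honeypot-touch {src}->{dst}")
            continue
        if d_role == "workstation":
            bytes_to_workstation[dst] += nbytes
        if s_role == d_role == "server" and (src, dst) not in EXPECTED_SERVER_PAIRS:
            findings.add(f"unexpected-server-to-server {src}->{dst}")
        elif s_role == d_role == "workstation":
            findings.add(f"workstation-to-workstation {src}->{dst}")
        elif s_role == "workstation" and d_role == "server":
            servers_per_workstation[src].add(dst)
    for ws, servers in servers_per_workstation.items():
        if len(servers) >= SERVER_FANOUT_THRESHOLD:
            findings.add(f"workstation-server-fanout {ws} touched {len(servers)} servers")
    for ws, total in bytes_to_workstation.items():
        if total >= LARGE_XFER_BYTES:
            findings.add(f"large-transfer-to-workstation {ws} received {total} bytes")
    return sorted(findings)

# Constructed sample flows: ordinary traffic plus one workstation sweeping the server range,
# one rogue server-to-server session, a bulk pull to one workstation, and a honeypot logon.
SAMPLE_FLOWS = [
    ("10.0.2.21", "10.0.1.10", 4096), ("10.0.1.10", "10.0.1.11", 81920),
    ("10.0.2.22", "10.0.1.10", 2048), ("10.0.2.22", "10.0.1.11", 2048),
    ("10.0.2.22", "10.0.1.12", 2048), ("10.0.2.22", "10.0.1.13", 2048),
    ("10.0.1.12", "10.0.1.14", 512), ("10.0.1.11", "10.0.2.21", 60_000_000),
    ("10.0.2.23", "10.0.2.21", 1024), ("10.0.2.23", "10.0.9.50", 128),
]

if __name__ == "__main__":
    print("\n".join(analyze_flows(SAMPLE_FLOWS)))
```

Run against the sample flows it produces exactly five findings, one per anomaly, while the expected app-to-database session and the ordinary workstation-to-server traffic stay silent.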