
You've been hacked: Now prevent future attacks

Robert L. Bogue

Published: 03 Jun 2003 09:16 BST


Perform an external security audit
I keep two systems out on the Internet, hosted in a colocation facility, that are secured but are not behind a firewall. They're out there for the explicit purpose of allowing me to perform quick intrusion tests for any of our clients. One of the systems is a Linux box that can run a series of open source vulnerability analysis tools, such as Nmap and Whisker. The other system is a Windows machine that runs a different set of tools, including Foundstone's SuperScan and N-Stalker's N-Stealth.

Why are there two systems running two different sets of tools? The answer is simple: No single tool can provide a complete vulnerability assessment. Each tool has its limitations and quirks. It would be expensive for an organisation to maintain a set of systems outside the firewall, to purchase multiple scanning packages, and to learn them well enough to run them effectively. For this reason, it's important to engage an independent firm to perform an external security audit. When interviewing the firm, you should ask about its experience and the types of tools it uses to identify vulnerabilities.

Reset passwords
After a hacker has gained access to your network, you may want to change every password. This means every user and service account password on every server and every device. On the surface, this might seem like an easy thing to do. But, in reality, it's an exhaustive process that can take a substantial investment of time.

The reason you may want to change every password is that it's possible -- depending on the machine that was hacked and the type of intrusion -- that some or all of the passwords on the system were compromised. A hacker who has obtained all of the users' passwords will eventually try to gain access again using valid usernames and passwords. The only way to be certain that the hacker doesn't have any valid accounts is to change all account passwords.

Before taking this plunge, consider these three things:

  • All user accounts will need a new password. This is potentially disruptive to the users; however, in a Windows 2000 environment, the passwords can be changed with a minimum number of keystrokes.
  • Changing the service account passwords could prove to be a more daunting task, since every server will have to be rebooted to confirm the new passwords for the service account. It also means that network-level service account password changes will need to be coordinated so that all the servers using the service accounts can be changed at the same time.
  • Changing all of the device passwords can be tricky. Myriad devices within your network have their own usernames and passwords. Unless you've developed a list somewhere, it's likely that you'll forget at least one or two devices. The critical ones, such as your routers and firewalls, may be easy to remember. However, it may not be so easy to remember the passwords on print servers, security cameras, and other network-attached devices.

Ultimately, whether you decide to change all of the passwords depends on your willingness to skip a step that might cause your network to be hacked again. For environments where security is vital, you may have to change every password.
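
As an added illustration (not part of the original article), the following Python script tracks a full password reset against an inventory list: it reports which user, service and device passwords still predate the incident, which service accounts are shared across servers and must be changed together, and which of those were changed on only some servers. The inventory entries, account and host names, and the incident time are constructed sample data.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample data: the time the intrusion was contained, and an
# inventory of (kind, account, host, time the password was last changed).
INCIDENT = datetime(2003, 5, 20, 2, 30)
INVENTORY = [
    ("user", "jsmith", "DOMAIN", "2003-05-21T09:00"),
    ("user", "akhan", "DOMAIN", "2003-04-02T08:15"),
    ("service", "svc_backup", "FILESRV1", "2003-05-21T22:00"),
    ("service", "svc_backup", "FILESRV2", "2003-03-11T22:00"),
    ("service", "svc_sql", "DBSRV1", "2003-05-22T01:00"),
    ("device", "admin", "router1", "2003-05-20T06:00"),
    ("device", "admin", "printsrv3", "2002-11-30T12:00"),
]

def outstanding(inventory, incident):
    """Entries whose password was last changed at or before the incident."""
    return [(kind, account, host)
            for kind, account, host, changed in inventory
            if datetime.fromisoformat(changed) <= incident]

def coordination_groups(inventory):
    """Service accounts used on more than one server; these hosts must be
    updated in the same change window."""
    hosts = defaultdict(set)
    for kind, account, host, _ in inventory:
        if kind == "service":
            hosts[account].add(host)
    return {a: sorted(h) for a, h in hosts.items() if len(h) > 1}

def partially_rotated(inventory, incident):
    """Shared service accounts updated on some servers but not on others."""
    stale = {(a, h) for k, a, h in outstanding(inventory, incident) if k == "service"}
    return sorted(a for a, hosts in coordination_groups(inventory).items()
                  if 0 < sum((a, h) in stale for h in hosts) < len(hosts))

if __name__ == "__main__":
    for kind, account, host in outstanding(INVENTORY, INCIDENT):
        print(f"NOT ROTATED  {kind:8} {account}@{host}")
    for account, hosts in coordination_groups(INVENTORY).items():
        print(f"COORDINATE   {account}: {', '.join(hosts)}")
    for account in partially_rotated(INVENTORY, INCIDENT):
        print(f"MISMATCH     {account}: changed on some servers only")
```

The reset is complete only when the first and third reports are empty; any device missing from the inventory will not appear at all, which is why the list has to exist before the incident.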

Proper fortification
Recovering the security of systems once they have been compromised is painful. Often, IT pros are so exhausted after the first battle that they forget to prepare for the war. But if you build the right barriers and construct the right kind of surveillance to determine when an attack occurs next time, you should be able to stop the barbarians before they breach your network.

