
How to Plan for a Possible Network Attack

By Robert J. Shimonski
March 21, 2005 12:00 PM ET

WindowSecurity.com - Editor's Note: This article was first posted on Jan. 10, 2005
When you are an administrator in a company with a perimeter connection to the Internet, you have to consider that you could very well be under attack at any moment. You shouldn't worry about it or lose sleep over it; instead, deal with it by protecting against it proactively. Consider a top 10 list for ensuring that you don't fall under attack 'for sure'. What would that mean?

Protect

  1. Windows Updates (patches): Make sure your systems are patched up. Test first, but make sure it gets done. It's important to patch these systems frequently: the security hotfixes come out very often and are many times so important that, if not installed, they will leave your system (or hundreds of systems) open to the latest and greatest piece of malware out there.
  2. Antivirus Protection: Speaking of malware, take a look at your antivirus solution. If you haven't done anything about it, start now and get your systems updated. Make sure that you have analyzed protection from every angle: not just your own personal PC, but all the servers and clients in the corporation.
  3. Assess theft potential: Keep a close eye on your PDAs, laptops, portable hard disks, data backups on CD, anything portable. Make sure you assess your own safety as well.
  4. SOHO Users: Roaming clients pose very big risks. A roaming client may not be back at a location where it can get antivirus updates or Windows updates. This is not good, given the rate at which updates come out these days and the importance of installing them. SOHO users are a threat to an organization if not considered: they can spread worms through the corporate network if you do not put strong security controls in place.
  5. End users gobbling up your bandwidth: Have no controls on your network to stop shoppers? Well, you'll wish you had them this year! As folks send more and more cards and emails, they send a ton of junk to each other via email too: all the jokes, the image files, the games, etc. Keep an eye on your bandwidth so that some is left over for legitimate business.
  6. Data Backups (verifiable): Check your backups. Have they been getting done? Are they 'verifiable', meaning you tested one and know that the backup is good because you verified it by doing a sample restore and testing the restored sample? If you have no verification, then you don't have a known good backup. Sometimes there is damage to the backup drive hardware; sometimes tapes get screwed up. I have seen tapes for 3 months with no data on them because of a system glitch. Test your backups; you'll be glad you did.
  7. Perimeter Protection: As you move more and more of your organization's business onto the Internet and run your company's data over it, consider that public Internet connections pose a threat. Any junior high school kid with a free network scanner like nmap and all the time in the world will rattle your doorknob once this year for sure. Do it yourself before they do: check out what's open, and think about closing it up quickly before someone thinks about exploiting you.
  8. Data Confidentiality: This is about intercepted data, not only in transit but also on your laptop. If a laptop gets stolen, it can be used to penetrate the network if you left a spreadsheet full of public IPs and some credentials on it; someone can now use that laptop to access the network. Consider using EFS to encrypt files on your local system, consider using PGP to encrypt your email, and think about VPN technologies to encrypt your data in transit.
  9. Disaster Recovery Plan: Consider drafting one if you don't have one yet. Not having one is the number one reason why network attacks succeed: if you had prepared to be attacked, the attack would not have been as bad as it is when you haven't prepared.
  10. Hot Site: If your operations warrant it, I would suggest having a spare office to go to if your company relies heavily on its office. Even if it's only a secondary meeting place, the events of 9/11 show us that it's impossible to foresee every disaster that may take place. Consider making a plan to meet up and do business elsewhere.
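Item 6 above asks for a backup that has been proven good by a sample restore. The following Python script is an added example, not code from the original article: it builds a small backup archive from constructed files, records a SHA-256 manifest at backup time, restores a sample into a separate directory, and re-hashes the restored files against the manifest. The file names and contents, the altered `notes.txt` hash (mimicking media corruption) and the `ledger.xlsx` entry (mimicking a file the backup job silently skipped, the "tape with no data on it" case) are all constructed for the demonstration.

```python
"""Verifiable backup: hash files at backup time, then prove the backup is
good by restoring a sample and re-hashing it. Added example; all data here
is constructed, not taken from any real system."""
import hashlib
import os
import tarfile
import tempfile


def sha256_file(path):
    """SHA-256 of a file, read in chunks so large files are fine."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def create_backup(src_dir, archive_path):
    """Archive src_dir into a .tgz and return a {relative_path: sha256} manifest.
    The manifest, stored separately from the media, is what makes the backup verifiable."""
    manifest = {}
    with tarfile.open(archive_path, "w:gz") as tar:
        for root, _dirs, files in os.walk(src_dir):
            for name in sorted(files):
                full = os.path.join(root, name)
                rel = os.path.relpath(full, src_dir)
                manifest[rel] = sha256_file(full)
                tar.add(full, arcname=rel)
    return manifest


def verify_sample_restore(archive_path, manifest, sample, restore_dir):
    """Restore only the files in `sample` into restore_dir and check each one
    against the manifest. Returns {name: 'ok' | 'missing' | 'corrupt'}."""
    results = {}
    with tarfile.open(archive_path, "r:gz") as tar:
        members = {m.name: m for m in tar.getmembers() if m.isfile()}
        for name in sample:
            member = members.get(name)
            if member is None:
                results[name] = "missing"   # the job never wrote it to the media
                continue
            # Write the bytes out ourselves: only names we chose are restored.
            dest = os.path.join(restore_dir, name)
            os.makedirs(os.path.dirname(dest), exist_ok=True)
            with tar.extractfile(member) as src, open(dest, "wb") as out:
                out.write(src.read())
            results[name] = "ok" if sha256_file(dest) == manifest[name] else "corrupt"
    return results


def run_demo():
    """Constructed scenario: three files backed up; one manifest entry then
    altered to mimic media corruption and one added to mimic a file that
    never reached the archive."""
    with tempfile.TemporaryDirectory() as work:
        src = os.path.join(work, "data")
        os.makedirs(src)
        files = {
            "payroll.csv": b"id,amount\n1,100\n2,250\n",
            "notes.txt": b"quarterly review notes\n",
            "config.ini": b"[db]\nhost=db1\n",
        }
        for name, body in files.items():
            with open(os.path.join(src, name), "wb") as f:
                f.write(body)
        archive = os.path.join(work, "backup.tgz")
        manifest = create_backup(src, archive)
        manifest["notes.txt"] = "f" * 64     # stored bytes no longer match what was recorded
        manifest["ledger.xlsx"] = "0" * 64   # recorded, but never made it onto the archive
        restore_dir = os.path.join(work, "restore")
        return verify_sample_restore(
            archive, manifest,
            ["payroll.csv", "notes.txt", "config.ini", "ledger.xlsx"],
            restore_dir,
        )


if __name__ == "__main__":
    for name, status in run_demo().items():
        print(f"{name}: {status}")
```

Only a result of `ok` for every sampled file counts as a verified backup; a single `missing` or `corrupt` means the media cannot be trusted for a full restore, which is exactly the situation the three months of empty tapes above describe.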

Prepare

  1. Incident Response Plan: Think about your team. If you have an incident such as a DoS attack, what would you do? Who enacts the plan? Who has what specific responsibility?
  2. Disaster Recovery Plan: Consider revisiting your disaster recovery plan soon if you haven't. RAID disks have a Mean Time Between Failures (MTBF), so if they haven't failed in a very long time they are likely to fail soon. Consider the last time a disaster struck and what you needed to fix things: did you have all the tools you needed? Consider what you didn't have.

More Considerations

  1. Install freeware security software to run tests and to augment whatever else you may need. Tools like nmap, tcpdump, GFI's LANguard, and literally dozens of others can be used to do a vulnerability scan of your perimeter and get an idea of where you stand on security at this point. What are your open ports?
  2. Commonly heard, not commonly followed, is the advice that all systems in use be stripped of unneeded services and protocols. Unix, Novell, Microsoft Windows, it doesn't matter which: disable unnecessary or optional services that may open up new problems for you. If you don't need a service or a protocol, get rid of it immediately.
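For the open-port question in item 1 and the unneeded-services advice in item 2, here is an added example in Python; it is not the article's own code and not taken from any of the tools it names. It parses Windows `netstat -ano`-style output (the sample below is constructed, not captured from a real host) and compares every listening socket against an approved baseline for the host's role, flagging anything unexpected and noting whether it is bound beyond loopback and therefore reachable from the network. The baseline ports, addresses and PIDs are hypothetical.

```python
"""Audit listening services on a host against an approved baseline.
Added example: parses Windows 'netstat -ano'-style text and reports
listeners that are not on the allow-list, so unneeded services can be
disabled or firewalled. All sample data is constructed."""

# Constructed sample of `netstat -ano` output; not from a real host.
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       912
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING       1204
  TCP    0.0.0.0:21             0.0.0.0:0              LISTENING       2360
  TCP    127.0.0.1:5432         0.0.0.0:0              LISTENING       2871
  TCP    192.168.1.10:49700     52.1.2.3:443           ESTABLISHED     3012
  TCP    [::]:445               [::]:0                 LISTENING       4
  UDP    0.0.0.0:161            *:*                                    1580
  UDP    127.0.0.1:1900         *:*                                    1412
"""

# Hypothetical approved listeners for this host's role: (protocol, port).
BASELINE = {("tcp", 135), ("tcp", 445), ("tcp", 3389), ("tcp", 5432)}

LOOPBACK = {"127.0.0.1", "::1"}


def split_endpoint(endpoint):
    """'0.0.0.0:135' -> ('0.0.0.0', 135); '[::]:445' -> ('::', 445)."""
    host, _, port = endpoint.rpartition(":")
    return host.strip("[]"), int(port)


def parse_listeners(netstat_text):
    """Return one dict per listening socket: proto, addr, port, pid.
    TCP rows count only when in LISTENING state; UDP rows have no state
    column, and every bound UDP socket will receive traffic."""
    listeners = []
    for line in netstat_text.splitlines():
        parts = line.split()
        if not parts or parts[0] not in ("TCP", "UDP"):
            continue  # header, blank, or title lines
        proto = parts[0].lower()
        addr, port = split_endpoint(parts[1])
        if proto == "tcp":
            if len(parts) < 5 or parts[3] != "LISTENING":
                continue  # established / time-wait sockets are not exposure
            pid = int(parts[4])
        else:
            pid = int(parts[-1])
        listeners.append({"proto": proto, "addr": addr, "port": port, "pid": pid})
    return listeners


def audit(listeners, baseline):
    """Flag listeners absent from the baseline. 'exposed' is True when the
    socket is bound to something other than loopback, i.e. reachable from
    the network unless a host firewall blocks it."""
    findings = []
    for sock in listeners:
        if (sock["proto"], sock["port"]) in baseline:
            continue
        findings.append({**sock, "exposed": sock["addr"] not in LOOPBACK})
    return findings


if __name__ == "__main__":
    for f in audit(parse_listeners(SAMPLE_NETSTAT), BASELINE):
        where = "network-reachable" if f["exposed"] else "loopback only"
        print(f"unexpected {f['proto']}/{f['port']} on {f['addr']} (pid {f['pid']}): {where}")
```

On a real host, pipe the actual `netstat -ano` output into `parse_listeners` and keep the baseline per server role under change control; each finding maps to a PID, which is what you need to identify the service and decide whether to remove it, as item 2 advises.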

Summary

In this article we covered the basics of preparing for a network attack and disaster. It's a quick assessment; this article's whole purpose is to get you to think about your own network: when was the last time it was tested? Not every company has the same process, but remember that IT is everywhere; computers are in every company around the world. Everyone can use a hand when it comes to assessing security. Let's take a look at where we are now and think of ways to do better as security analysts. Just because a network isn't under attack now, or hasn't been, doesn't mean it won't be in the future. Don't get complacent! We covered some things to think about when considering your own network under attack. Stay tuned for more articles!

Robert J. Shimonski (Truesecure TICSA, Cisco CCDP, CCNP, Cisco Firewall Specialist, Nortel NNCSS, Microsoft MCSE, MCP+I, Novell Master CNE, CIP, CIBS, IWA CWP, Prosoft MCIW, SANS GSEC, GCIH, CompTIA HTI+, Security+, Server+, Network+, Inet+, A+, e-Biz+, Symantec SPS and NAI Sniffer SCP) is a Lead Network and Security Engineer for a leading manufacturing company as well as a part-time technical trainer. Robert's specialties include network infrastructure design with the Cisco and Nortel product lines, network security design and management with CiscoSecure software and PIX firewalls, systems engineering with all major operating system platforms, and troubleshooting with Sniffer-based technologies. Robert is the author of many security-related articles and books, including the "Sniffer Network Optimization and Troubleshooting Handbook" from Syngress Media Inc (ISBN: 1931836574). You can contact Robert at rshimonski@rsnetworks.net
Reprinted with permission from WindowSecurity.com Story copyright 2010 WindowSecurity.com. All rights reserved.