www.expresscomputeronline.com WEEKLY INSIGHT FOR TECHNOLOGY PROFESSIONALS
20 August 2007  
Security compromised, service denied

With hackers adopting methods like DDoS to launch attacks, it's becoming increasingly difficult for enterprises to guard themselves. By Neeraj Gandhi

The operational stability and security of critical information infrastructure are vital to the survival of any enterprise. With virus threats, phishing cases and hacking attempts becoming the order of the day, it is hard for enterprises to manage data and run their operations safely and efficiently. Incidents of cyber attack have become rampant over the years: according to the Indian Computer Emergency Response Team (CERT-In), almost 200 computer security incidents were reported this year.

While advances in technology have been a boon for enterprises, they have been no less a boon for cyber criminals. On one hand, technology helps enterprises adopt new solutions to counter cyber attacks; on the other, it provides hackers with new means and modes of launching them.

Cyber attacks not only hamper the workflow of an organization; considerable time and money also go towards getting things back in order, and the incident tends to tarnish the reputation of the enterprise. Cyber attacks are therefore a grave threat to any enterprise and leave the organization vulnerable.

“Cyber attacks like hacking put an organization in jeopardy. The top-most risk is the leakage of sensitive information concerning financials and internal information regarding policies and strategies. By launching an attack a hacker can bring down a company’s Web site and completely shut it down. He can also get an insight into the network architecture of an enterprise and cripple it from within,” says Kartik Shahani, Regional Director, India, McAfee Inc.

“The current Internet threat environment is characterized by an increase in data theft, data leakage, and the creation of targeted, malicious code for the purpose of stealing confidential information that can be used for financial gain,” says Prabhat Singh, Director - Security Response, Symantec.

He adds, “Recent trends indicate a rise in zero-day vulnerabilities. A zero-day vulnerability is one for which there is sufficient public evidence to indicate that the vulnerability has been exploited in the wild prior to being publicly known. From July 1st to December 31st 2006, Symantec documented a dozen zero-day vulnerabilities, a significant increase over the previous year. In September 2006 alone, four zero-day vulnerabilities were documented, the majority of which affected Microsoft Office applications, Internet Explorer and ActiveX controls.”

Today’s enterprise is more prone to cyber attacks. Cyber criminals have devised new and sophisticated methods in an attempt to remain undetected and to create global, cooperative networks to support the ongoing growth of criminal activity. There has been a considerable increase in the number of cases where enterprises have been attacked by spam, phishing, malware, DDoS and hacking.

Shahani believes that the increase in incidents of cyber attacks cannot be attributed to the rise in the number of cyber criminals alone. He says, “Hacking attacks are on the rise because the number of Internet users has increased over the years. Essentially the percentage of attacks has remained constant.”

A hacker’s modus operandi

Cyber criminals have become more alert and are always on the lookout for loopholes through which they can attack. Enterprises, in response, guard themselves with security solutions offered by different security vendors. The irony is that even though companies deploy the latest security measures, hackers manage to develop a more evolved and dangerous modus operandi every time.

Some techniques commonly used by hackers are:

Port scan: In this process a hacker scans a network host for open ports and then launches an attack.

Web site spoofing: It is the act of creating a Web site, as a hoax, with the intention of misleading readers that the Web site has been created by a different person or organization. The objective may be fraudulent, often associated with phishing or e-mail spoofing, or to criticize or make fun of the person or body whose Web site the spoofed site purports to represent.

Lost password method: This is an intrusion technique wherein the hacker obtains a password to get past an organization’s firewall or intrusion detection system. The hacker then creates an account for himself so that he can access any information he wants.

Virtual Probe: Here a hacker contacts users on a network using the pretext of being a vendor that a company normally deals with. The hacker then asks for sensitive information concerning the wireless network. A commonly used example of this is when a hacker pretends to be conducting a survey, and asks for information about firewalls, or other sensitive information.

Reconnaissance: This refers to the exploration or enumeration of network infrastructure including network addresses, available communication ports, and available services.

Denial of Service (DoS): Under DoS, a hacker routes a huge amount of Internet traffic towards a particular Web site, so much so that legitimate users are unable to access the site.

Other techniques involve exploiting operating system vulnerabilities, application vulnerabilities, abusing valid user accounts, guessing passwords and exploiting poor access controls.

When it comes to launching an attack, cyber criminals have their preferences. “The hacker community as a whole has its own technology perspective favoring open systems, integrated solutions and distributed resources. The preferred choice of operating system among the hacker community remains Linux with C, C++, PERL and SHELL as the programming or scripting language,” says Santhosh Koratt, Senior Consultant, SecureSynergy.

However, “In terms of attacks to the core internet infrastructure including the root servers and the top-level domain name servers, attackers continue to use distributed denial of service (DDoS) and distributed recursive denial of service (DRDoS) attacks to cripple the accessibility to the Internet for entire regions around the world,” says Ram Mohan, Director, Afilias India & VP Business Operations and Chief Technical Officer, Afilias Ltd.

DDoS as a threat

Distributed Denial of Service or DDoS is a serious threat to any enterprise. Not only can DDoS steal data, disrupt services, and cripple bandwidth, it can also damage a company’s customer relationships and goodwill. DDoS has of late emerged as one of the most threatening forms of cyber attack and has caught the attention of security vendors and enterprises.

Cyber crimes like spamming, copyright breach, data diddling and the like fall under the category of crimes in which the computer or network is used as a tool for criminal activity. In contrast, DDoS falls under the category in which the computer or network is itself the target of criminal activity.

DDoS occurs when a hacker routes a huge amount of Internet traffic towards a particular Web site such that even legitimate users are unable to access the site. This essentially involves exhausting the site’s bandwidth and router processing capacity. During a DDoS attack, a Web site receives a large amount of traffic from a series of computers controlled by a hacker. The rush of incoming messages to the target system forces it to shut down, making it inaccessible even to legitimate users.

“Targeted attacks with distributed attack sources have been on the rise for the past couple of quarters and are one of the hottest hacking trends. A significant number of such attacks are happening against Indian enterprises with a goal to either steal data or to disrupt the availability of business critical services,” says Koratt of SecureSynergy.

Singh adds, “China was most frequently targeted by such attacks, accounting for 63 percent of attacks during the last six months of 2006. South Korea was second with 13 percent of attacks (up from 10 percent in the first half of the year).”

A hacker starts a DDoS attack by exploiting vulnerabilities in one computer system and making it the DDoS master. From the master system, he identifies and communicates with other systems, compromising them in turn. The hacker then loads cracking tools available on the Internet onto thousands of compromised systems. With a single command he instructs the controlled machines to launch one of many flood attacks against a specified target. The stream of packets to the target causes a denial of service.
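The flood described above, and the reason distributed sources make it hard to defend against, can be seen on the defender's side. The following added example (not code from the article or from any vendor quoted in it; all traffic records and addresses are constructed) shows that a classic per-client rate limiter never fires when each compromised host stays quiet, while watching the aggregate request rate together with the number of distinct sources exposes the flood.

```python
"""Added example, not from the article: a per-source rate limiter misses a
flood spread over many compromised hosts, while aggregate rate plus source
diversity exposes it. All traffic below is constructed."""
from collections import defaultdict

def constructed_traffic():
    """Return constructed (second, client_ip) records: 60 s of 5 normal clients
    at 1 req/s each, plus from t=30 a flood from 400 bots at 0.5 req/s each."""
    records = []
    for t in range(60):
        for i in range(5):
            records.append((t, f"203.0.113.{i + 1}"))           # legitimate users
    for t in range(30, 60):
        for b in range(400):
            if (t + b) % 2 == 0:                                 # each bot: 1 req every 2 s
                records.append((t, f"10.{b >> 8}.{b & 255}.1"))  # constructed bot address
    return records

def per_source_blocked(records, limit_rps):
    """Classic per-client rate limiting: block any source exceeding limit_rps in a second."""
    per_sec = defaultdict(int)
    for t, ip in records:
        per_sec[(t, ip)] += 1
    return {ip for (t, ip), n in per_sec.items() if n > limit_rps}

def aggregate_profile(records):
    """Per-second aggregate request count and number of distinct sources."""
    count, sources = defaultdict(int), defaultdict(set)
    for t, ip in records:
        count[t] += 1
        sources[t].add(ip)
    return {t: (count[t], len(sources[t])) for t in count}

def detect_distributed_flood(records, baseline_rps, surge_factor, min_sources):
    """Flag seconds whose aggregate rate is far above baseline AND comes from many
    distinct sources: the signature of a distributed flood, not one noisy client."""
    profile = aggregate_profile(records)
    return sorted(t for t, (n, distinct) in profile.items()
                  if n > baseline_rps * surge_factor and distinct >= min_sources)

if __name__ == "__main__":
    traffic = constructed_traffic()
    print("blocked by per-source limiter:", per_source_blocked(traffic, 10))  # set()
    print("seconds flagged as distributed flood:",
          detect_distributed_flood(traffic, 5.0, 10, 50))                       # 30..59
```

In the constructed data no bot ever exceeds one request per second, so the per-source limiter blocks nothing, yet the aggregate jumps from 5 to 205 requests per second from 205 distinct addresses.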

Mohan of Afilias says, “These attacks may include the execution of malware intended to overuse CPU usage, trigger errors in the microcode of the machine, trigger errors in the sequencing of instructions—all of which are aimed at forcing the computer into an unstable state or lock-up, exploit errors in the operating system to cause resource starvation and crash the operating system.”

Many Indian Web sites have been targets of such attacks in the past. According to Mohan, some of the Web sites that experienced DDoS attacks were: AIIMS, Andhra Pradesh’s National Informatics Centre, Tamil Nadu government, Kolkata’s National Information Technology Promotional Units, Economic Research & Market Intelligence Unit (HQ), 123india.com, Rediff.com, VSNL Ernakulum, South Gujarat University, University Grants Commission, Indian Institute of Science, Indira Gandhi Centre for Atomic Research, Weather Resource System for India and Indian Oil Corporation Gujarat Refinery.

Even the Banking, Insurance and Financial Services sector has experienced similar attacks. Many corporate Web sites have also been targeted. Other targets include mail and domain name systems due to the fairly unrestrictive nature of their services.

Singh of Symantec adds, “Cyber criminals have also used DDoS attacks as a threat, particularly against online gambling sites expecting a rush of business around a sporting event, to extort businesses.”

Are Indian enterprises secure?

Cases of cyber attacks have rocked both government departments and private companies. This huge influx of attacks in the cyber domain has proved detrimental for the economy. Enterprises have gradually started moving away from a traditional perimeter-based security approach to a more robust security enforcement model encompassing multiple layers of security.

No matter how well equipped a security solution is to handle attacks, cyber criminals still manage to launch them. “No doubt an enterprise should always install the best available solution to counter such attacks. However, there always remains a loophole that a hacker can exploit,” says Shahani.

As regards DDoS attacks in particular, Mohan says, “DDoS attacks are a substantial threat to all Internet infrastructures. These attacks by their very nature are difficult to defend against and will continue to be an attractive and effective form of attack.”

That said, the question arises: are Indian enterprises safe from cyber attacks?

“Enterprises today operate globally. Technology is global, and so is the threat. So it cannot be said that India lags behind in technology. Simultaneously it should be added that enterprises in India are as vulnerable and prone to such attacks as any other enterprise in the world,” says Shahani.

Mohan adds, “In emerging markets the level of security is not where it is in the western world. In India, the number of broadband users has risen from 8 million to 20 million in three years. In a market with a lot of unprotected PCs and a boom in practices of online banking and e-commerce, this sudden traffic only adds to the threat landscape. Therefore an ideal combination of law and technology needs to be implemented to establish common security standards to achieve a more secure cyber space in the country.”

© Copyright 2001: Indian Express Newspapers (Mumbai) Limited (Mumbai, India). All rights reserved throughout the world. This entire site is compiled in Mumbai by the Business Publications Division (BPD) of the Indian Express Newspapers (Mumbai) Limited. Site managed by BPD.