Interview with John Chirillo, author of “Hack Attacks Testing: How to Conduct Your Own Security Audit”

Who is John Chirillo? How did you gain interest in computer security?

Like most computer enthusiasts I began my career early on. At twelve years old I wrote a game entitled Dragon’s Tomb. This program was published for the Color Computer (COCO) System market. During the next five years I wrote several other software packages including, The Lost Treasure (a game writing tutorial), Multimanger (an accounting, inventory and financial management software suite), Sorcery (an RPG adventure), PC Notes (GUI teaching math from Algebra to Calculus), Falcon’s Quest I and II (a graphical, Diction-intensive adventure) and Genius (a complete windows-based point-and-click operating system).

From there I went on to attain certifications in numerous programming languages and entered the field as a consultant. I began working for companies performing numerous functions such as LAN/WAN design, implementation and troubleshooting, and developed a specialization in security and analysis. During this period I acquired internetworking and networking certifications including those of Cisco, Intel, Compaq, and CISSP, among others. To that end I authored and coauthored books including Hack Attacks Revealed, Hack Attacks Denied, Hack Attacks Encyclopedia, Networking Lab Practice Kit, Storage Security and Hack Attacks Testing.

Do you have any favorite security tools?

Yes, with regard to my favorite *NIX tools I most often use Nmap, hping and Nessus. On the subject of Windows-compatible security tools I use TigerSuite, a custom build of snmpwalk and most of the tools you can download at foundstone.com.

How long did it take you to write “Hack Attacks Testing: How to Conduct Your Own Security Audit” and what was it like?

I put together the manuscript for HAT in about 10 weeks. The editors at John Wiley & Sons and I felt that among available InfoSec books there hadn’t been much coverage on conducting security audits from a fundamental perspective. Albeit the presentation of tools and step-by-step techniques in the book mostly target security neophytes and managers, I found it enjoyable to rebuild my multi-OS TigerBox, target systems and compile the tools. In hindsight, however, I would like to have been permitted a much higher page count to include another 30 or so additional security tools.

What do you see as the major problems in online security today?

My latest new edition of Hack Attacks Revealed (Second Edition) contains a compilation of the top 75 attacks and countermeasures affecting general computing, internetworking, and Windows, UNIX, OS/2, MAC, and Linux operating systems. They are based primarily on research by System Administration Networking and Security (SANS), the Computer Emergency Response Team (CERT), the Computer Incident Advisory (CIAC), X-Force Alert, Microsoft Security Bulletin, the National Infrastructure Protection Center (NIPC) Watch and Warning Unit, and Red Hat Network Alert system. With that said the top five vulnerabilities everyone should mitigate, in no particular order, are as follows:

• Weak Passwords – Some systems and applications by default include accounts that either contain no passwords or require password input without strict regulation or guidelines.
• Too Many Open Ports – There are 65,535 ports on a computer. An attacker can use discovery or initial “footprinting” or information gathering to detect which of these ports are active and listening for requests; this can facilitate a plan that leads to a successful hack attack.
• Unprotected NetBIOS Shares – NetBIOS messages are based on the Server Message Block (SMB) format, which is used by DOS and Windows to share files and directories. In UNIX systems, this format is utilized by a product called Samba to collaborate with DOS and Windows. While network protocols typically resolve a node or service name to a network address for connection establishment, NetBIOS service names must be resolved to an address before establishing a connection with TCP/IP. This is accomplished with the previously mentioned messages or with a local LMHOSTS file, whereby each PC contains a list of network nodes and their corresponding IP addresses. Running NetBIOS over TCP/IP uses ports 137-139, where Port 137 is NetBIOS name (UDP), Port 138 is NetBIOS datagram (UDP), and Port 139 is NetBIOS session (TCP). This vulnerability can allow the modification or deletion of files from any exported, mounted file system. Server Messaging Block (SMB) can be compared to Sun’s Network File System (NFS), and it allows for the sharing of file systems over a network using the NetBIOS protocol. This vulnerability gives a remote intruder privileged access to files on mounted file systems. Consequently, an attacker could potentially delete or change files.
• Buffer Overflows – Buffers are types of data storage units in computer systems. They were designed to hold a specific amount of data, and when overwhelmed, can leak some into adjacent buffers causing an overflow and/or corrupting legitimate data. This type of attack not only distresses the integrity of data, but can also trigger malicious events such as file damage or exhausting system resources resulting in a denial of service (DoS).
• Malicious Code Threats – These include publicized virus and Trojan variations such as Myparty, Goner, Sircam, BadTrans, Nimda, Code Red I/II and many more.

What is, in your opinion, the biggest challenge in protecting sensitive information at the enterprise level? What are the most important things an administrator has to do in order to keep a network secure?

Upwards to $59 billion is lost each year in proprietary information and intellectual property, according to the 10th Trends in Proprietary Information Loss Survey by ASIS International, PricewaterhouseCoopers, and the U.S. Chamber of Commerce. The collective basis for these losses is a lower level of priority for information security-especially at the internetwork, desktop, and public sector user-and lack of management support. With the rapid release of new software and hardware and the progression of technology and processing power, the threat of further loss is imminent. We simply must equally integrate security throughout the infrastructure and should not depend so much on robust perimeter security such as firewalls.

High-speed networks of interconnected data storage and processing devices are centralized for better control over information assets. With stored data processing at the core, network capacity is emancipated outward to the users. The same methodology should be incorporated into corporate and public network security policies with a ripple effect-imagine a drop of water hitting a calm pool and causing ripples. With regard to a network each ripple correlates to a network point that has the potential to contain vulnerabilities from any direction and needs be taken into account from a security perspective. This is the essence of ripple security logic.

Using ripple security logic we can begin to identify and dissect the security components of each link in an infrastructure or components of a standalone system; for example, following is a common high-level enterprise ripple itemization with necessary security measures:

• Workstation – Personal IDS, two-factor authentication, antivirus, and monitoring tools implemented, updated regularly, and configured to adhere to company policies.
• Internetwork/Subnet – Packet filtering, link encryption, and network monitoring/IDS devices.
• Server Farm/Backbone – Change control, antivirus, audit logs, monitoring, regularly scheduled updates and backups.
• Internet Portal – Screened subnet with stateful firewalls and application proxies.
• Physical Building/Data Center – Intrusion monitoring, two-factor access control via swipe card and PIN, CCTV cameras/monitors, and log books.
• Extranet/Road Warriors – Callback, strong (two-factor) authentication, and virtual private networking, antivirus, personal firewalls, and IDS.

Once each ripple or link is identified and analyzed, appropriate protection measures and tactics can be employed to provide the necessary access while limiting the exposure. Once these are in place, security and business continuity/disaster recovery polices must be updated and enforced, and internal vs. external security audits should occur at regular intervals.

At the station and SOHO level, although it’s not practical to think you can be completely safe from exposure, there are ways to fortify your weakest links against most common threats and mitigate risk to an acceptable level. Be sure to follow these seven golden rules:

1. Use a personal firewall. Personal firewalls typically fortify against many incoming intrusions. Among those most popular and proven include, Norton Firewall, McAfee Firewall, BlackICE Defender, and ZoneAlarm Pro.

2. Use antiviral software. Protect your system from downloads and e-mail attachments that contain virii and Trojans with Norton AntiVirus, McAfee VirusScan, or PC-cillin.

3. Use personal intrusion detection software (IDS). Protect your system from hack attacks and malware that gets past your personal firewall and antivirus software. Personal IDS inspects all inbound and outbound network activity and identifies suspicious patterns that may indicate a network or system attack from someone attempting to break into or compromise your system. IDS evaluates a suspected intrusion once it has taken place and signals an alarm, and then asks for action or acts-with it you can block an IP address, block a local or remote port, block all, or allow the connection altogether. Every workstation should run products such as TigerGuard IDS and Pest Patrol.

4. Don’t take candy from strangers. Defend your right to privacy with a good cookie manager, such as McAfee Internet Guard Dog or Norton Internet Security.

5. Encrypt sensitive data. Don’t even think about transmitting sensitive information without using encryption software. Among those most user-friendly is PGP.

6. Update Habitually. It’s important to follow a patch implementation schedule, for your operating and protective software, to keep you abreast of vulnerabilities and advisories with alleviations-each week.

7. Just say “No!” It’s none of their business–don’t ever reveal personal information such as your passwords, credit card limits, home address, birth date, driver’s license and social security numbers.

What do you think about the full disclosure of vulnerabilities?

Bearing in mind the pros and cons of the complete details of security vulnerabilities being made public, I personally consent to full disclosure with restrictions. I believe doing so would increase the general level of awareness, compel companies to take risk mitigation more seriously, strengthen the power of security tools, and force vendors to release patches and safeguards more rapidly.

With that said I feel restrictions including the following should apply: the vendor should be first notified, vulnerabilities should be accurately and fully disclosed at appropriate websites and published in monthly periodicals, and a principal consortium should be formed to test and release testing tools in an open source forum.

What are your future plans? Any exciting new projects? Do you plan to write any more books?

Currently I am completing a new book with coauthor Scott Blaul entitled Implementing Biometric Security. As you well know, biometrics is a rapidly evolving technology that can be used to prevent unauthorized access to buildings and devices such as ATMs, cellular phones, desktop PCs, notebooks and computer networks. We’re excited about this manuscript because it covers the hottest topics in biometrics development for applications and practical implementation. In a cookie-cutter fashion we give readers the steps, selection criteria, and in many cases even source code to develop and/or employ packages in an enterprise network or on your home computer.