Plan ahead to prevent hackers
2005-06-02 10:09, David Sims, TechTarget
In this tip, you will learn how a simple web page defacement showed the value of a detailed incident response plan.
Being hacked feels a bit like getting a pitiful paycheck. At least, that is the feeling I was left with recently after one of my web pages was defaced and destroyed.
Sure enough, our investigation found that the compromised server was running an unpatched PHP forum program. The hacker used a PHP exploit to leave a short, friendly message indicating that he had claimed this territory. Although this was a relatively minor incident, it highlights how important it is to have a prepared and well-informed incident response plan.
There is a saying that fits: no one sees the value of a plan until the critical moment arrives.
An incident response (IR) plan gives us a process for immediate response, investigation and analysis, and recovery. The three are like interlocking rings in our hands. To make the plan succeed, we had to attend to the following aspects:
Server isolation
This was an important server, so we had to secure it and isolate it from the network. We used firewall rules between the server and the external network to block further attacks, then shut down the corresponding switch port to isolate the server completely. Once isolation was complete, we recorded what we found; this reveals the hacker and the actions he performed, and it is also an important step in providing evidence for forensic analysis and possible litigation.
Hacker Tracking
The hacker did not delete the logs, so it took us only a short time to discover that he had used a canned script to attack the PHP application several times. What we really wanted to know was whether the hacker had gained root access, or had used this server as a stepping stone to attack other systems. CRC checks on important files told us that they had not been altered or corrupted, and no suspicious processes were running in memory. We checked the forum program vendor's site, and indeed, a week before the attack the vendor had issued an advisory about the vulnerability and released a patch. That was no consolation: a week is plenty of time for a hacker.
We were shocked to find no evidence of the PHP attack in our IDS logs, and our IDS vendor told us that signatures would not be available for roughly two more weeks, at the next planned signature update. That leaves a gap of about three weeks between a vulnerability and its attacks being discovered and IDS signatures becoming available.
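The log review described above, as an added example that is not from the original article: with no IDS signature available, a canned exploit script still shows up in the web server's own access log as one client hammering the same PHP script in a short window. The log lines below are constructed in Apache combined-log format, and the script name, window and threshold are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample access-log lines (not from the article); one client
# retries the same forum script four times within a few seconds.
SAMPLE_LOG = """\
203.0.113.7 - - [20/May/2005:02:14:01 +0000] "GET /forum/index.php HTTP/1.0" 200 5120 "-" "Mozilla/4.0"
198.51.100.9 - - [20/May/2005:02:14:03 +0000] "GET /forum/viewtopic.php?t=12 HTTP/1.1" 200 8902 "-" "Mozilla/5.0"
203.0.113.7 - - [20/May/2005:02:14:05 +0000] "GET /forum/viewtopic.php?t=1 HTTP/1.0" 500 0 "-" "Mozilla/4.0"
203.0.113.7 - - [20/May/2005:02:14:06 +0000] "GET /forum/viewtopic.php?t=1 HTTP/1.0" 500 0 "-" "Mozilla/4.0"
203.0.113.7 - - [20/May/2005:02:14:07 +0000] "GET /forum/viewtopic.php?t=1 HTTP/1.0" 500 0 "-" "Mozilla/4.0"
203.0.113.7 - - [20/May/2005:02:14:09 +0000] "POST /forum/viewtopic.php HTTP/1.0" 200 311 "-" "Mozilla/4.0"
198.51.100.9 - - [20/May/2005:02:20:00 +0000] "GET /forum/viewtopic.php?t=13 HTTP/1.1" 200 8100 "-" "Mozilla/5.0"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

def parse(log_text):
    """Yield (ip, timestamp, path, status) for each well-formed line; skip the rest."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
            yield m["ip"], ts, m["path"], int(m["status"])

def repeated_php_hits(log_text, script="viewtopic.php",
                      window=timedelta(seconds=30), threshold=4):
    """Return {ip: total hits} for clients that request `script` at least
    `threshold` times inside any `window`: behaviour-based, so it needs no
    signature for the specific exploit."""
    hits = defaultdict(list)
    for ip, ts, path, status in parse(log_text):
        if script in path:
            hits[ip].append(ts)
    flagged = {}
    for ip, times in hits.items():
        times.sort()
        for i, start in enumerate(times):
            if sum(1 for t in times[i:] if t - start <= window) >= threshold:
                flagged[ip] = len(times)
                break
    return flagged

if __name__ == "__main__":
    print(repeated_php_hits(SAMPLE_LOG))  # {'203.0.113.7': 4}
```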
Response and Recovery
Our incident response policy is that any compromised machine is rebuilt regardless of the severity of the incident (leaving nothing to chance). Systems are installed and hardened according to generally accepted security guidelines, and we check our work by scanning the machines for weaknesses with vulnerability scanners. Of course, we also test similar machines with attack tools.
Lessons Learned
The lessons we learned from this incident are: make sure your system administrators keep up with the latest patches (once a month is not enough), and check the logs frequently (once a week is not enough). Security administrators must know what software is installed on each machine so that they can guard against the related vulnerabilities and weaknesses. Do not rely on any single IDS vendor, as the signature may arrive too late for the first line of defense. Consider running Tripwire (a host-based intrusion detection tool) on public-facing servers to monitor changes to important file attributes.
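The file checks mentioned in Hacker Tracking (CRC checks on important files) and here (Tripwire-style monitoring of file attributes) both reduce to the same idea: take a baseline of hashes and attributes while the system is known-good, store it somewhere the attacker cannot reach, and diff against it later. The code below is an added example, not Tripwire and not from the article; it uses SHA-256 in place of a CRC, and the web root, file names and tampering are constructed.

```python
import hashlib
import json
import stat
import tempfile
from pathlib import Path

def snapshot(root):
    """Hash and attributes of every regular file under root. SHA-256 stands in
    for the CRC the article mentions; mode, size and owner are the 'file
    attributes' a Tripwire-style monitor also watches."""
    root = Path(root)
    baseline = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            st = path.lstat()
            baseline[str(path.relative_to(root))] = {
                "sha256": hashlib.sha256(path.read_bytes()).hexdigest(),
                "mode": stat.S_IMODE(st.st_mode), "size": st.st_size, "uid": st.st_uid}
    return baseline

def save_baseline(baseline, out_file):
    # Keep the baseline off the monitored host or on read-only media;
    # a baseline the attacker can rewrite proves nothing.
    Path(out_file).write_text(json.dumps(baseline, sort_keys=True))

def load_baseline(in_file):
    return json.loads(Path(in_file).read_text())

def compare(baseline, current):
    """Return (added, removed, changed); changed maps path -> fields that differ."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    changed = {n: [k for k in baseline[n] if baseline[n][k] != current[n][k]]
               for n in set(baseline) & set(current)}
    return added, removed, {n: d for n, d in changed.items() if d}

def demo():
    """Constructed example: baseline a tiny web root, then deface one file and
    drop an unexpected new one, and report what the check catches."""
    root = Path(tempfile.mkdtemp())
    www = root / "forum"
    www.mkdir()
    (www / "index.php").write_text("<?php echo 'welcome'; ?>")
    (www / "config.php").write_text("<?php $db = 'forum'; ?>")
    save_baseline(snapshot(www), root / "baseline.json")
    (www / "index.php").write_text("defaced")          # content and size change
    (www / "extra.php").write_text("<?php // new ?>")  # file never baselined
    return compare(load_baseline(root / "baseline.json"), snapshot(www))

if __name__ == "__main__":
    print(demo())  # (['extra.php'], [], {'index.php': ['sha256', 'size']})
```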
Finally, keep your incident response plan current and adapted to your present systems. Make sure everyone knows what to do in an emergency so that remedial measures go smoothly.
Ten Tips to Prevent Hackers
1. Use anti-virus software and update it frequently to keep destructive programs away from your computer.
2. Do not allow online merchants to store your credit card information for future purchases.
3. Use a password that is a combination of numbers and letters that is difficult to decipher, and change it frequently.
4. Use different passwords for different websites and programs to prevent them from being deciphered by hackers.
5. Use the latest versions of World Wide Web browser software, email software and other programs.
6. Only send credit card numbers to websites with guaranteed security, and look for the padlock icon or key icon displayed at the bottom of the browser.
7. Confirm the address of the website you want to deal with, and pay attention to the address you type. For example, make sure amazon.com is not typed as amozon.com.
8. Use a security program that gives you control over cookies, since cookies send information back to the website.
9. If you use a digital subscriber line or cable modem to connect to the Internet, you must install firewall software to monitor data flow.
10. Do not open email attachments unless you know the source of the information.