Avoiding Attacks

Just after midnight on Aug. 16, 1996, hackers cracked the Justice Department Web site, replacing the Attorney General's picture with Adolf Hitler's. Deputy Assistant Attorney General Mark Boster, contacted by the FBI, ordered the site brought down at 2:45 a.m.

Boster, in charge of information resources management, ordered the department to review its online security, and what he learned can help others who want to make their systems less vulnerable.

Top management is asking information technologists to do more work on the Web, which makes organizations more vulnerable because internal networks are connecting to the world outside. In response, technologists buy a "firewall," a device that limits network access, and declare themselves safe. Actually, they're practicing "security by prayer," praying that people will hack other sites, where entry is easier.

"We know we'll be attacked again. We want to be ready," Boster says, offering these tips:

1. Don't allow outside organizations to set priorities. Justice attorneys said they were at a disadvantage because private lawyers, with whom they compete, have Web access. "Just because it can be done [elsewhere] doesn't mean it should be done at the Department of Justice," Boster says. The key, he says, is to explain the consequences of unfettered network access in easily understood language, and to manage expectations.

2. Don't believe self-proclaimed "security experts." Contractors and internal security staff have widely varying expertise, so Boster suggests a system of checks and balances. First, he makes at least two contractors responsible for a project, then rotates vendors to keep getting new perspectives. While he tends to hire individuals, if he hires large companies he puts every employee on the project through a background check.

3. Don't assume that once a system is secure it stays secure. Boster has three full-time security employees, and he says the job takes their full attention. The hackers are working full time, so security teams must continually change the system to make it less vulnerable. In addition, organizations often expect too much of their firewalls, incorrectly assuming they offer comprehensive security. "We . . . forgot we had lots of modems and dial-in ports," Boster said. Every modem on a network is a back door through which a hacker can enter the system, bypassing the firewall. As a result, Justice eliminated individual modems on networked machines and established standards for remote access to networked information.

4. Have a plan to deal with the next break-in. Boster suggests keeping up-to-date lists of pager numbers for key on-call personnel. In addition, have plans for bringing the site down and back up, and know what information should be kept, what needs to be replaced and where to find original material. And because there may be questions from the press, have a plan to deal with the media.

5. Designate a central authority. When a loose federation of groups populates and hosts Web sites, there may be rogue sites that don't adhere to standards. Justice has taken the exceptional step of moving toward one Internet access point, allowing the agency to monitor its site more closely, detect problems more quickly and, if needed, shut the site down.

6. Don't encourage heterogeneous telecommunications equipment. When Attorney General Janet Reno decided she wanted to be able to send e-mail to any Justice employee, the agency connected its separate networks, making it easier to send e-mail but increasing system vulnerability. If any part of the network is penetrated, the entire system may be at risk.

7. Don't believe your site can be removed quickly. The day after the attack on the Justice site, the offensive materials could still be viewed. Boster's staff had turned off the server, but had forgotten, or didn't know, that important Web sites are replicated on large service providers' computers, such as America Online's, without the knowledge of the Web site owner. The replicas of the hacked site are maintained until the next regular update, which could be several days later.

8. Maintain logs and other incident data on the Web server. Standard hacker procedure usually calls for a "cover your tracks" step just before leaving a hacked site. That often includes erasing the logging records that show which files were opened and what was done in those files. Sites that maintain remote logs, instantly updated and archived, can shift the information advantage away from the hacker. Boster also advises maintaining a completely separate backup site. When the main site is hacked, the backup can be compared with the hacked site to find where and what changes were made.
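The backup-versus-hacked-site comparison in item 8 can be automated by hashing every file in both trees and reporting what was added, removed or modified. The following Python is an added example, not code from the original article or from the Justice Department; the directory layout and file contents in `demo()` are constructed for illustration.

```python
import hashlib
import os
import tempfile
from pathlib import Path


def hash_tree(root):
    """Map each file under root (as a relative POSIX path) to its SHA-256 digest."""
    root = Path(root)
    digests = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            h = hashlib.sha256()
            with open(path, "rb") as f:
                for chunk in iter(lambda: f.read(65536), b""):
                    h.update(chunk)
            digests[path.relative_to(root).as_posix()] = h.hexdigest()
    return digests


def compare_trees(backup_root, live_root):
    """Report where the live site differs from the known-good backup copy."""
    good = hash_tree(backup_root)
    live = hash_tree(live_root)
    return {
        "added": sorted(set(live) - set(good)),      # files planted on the live site
        "removed": sorted(set(good) - set(live)),    # files deleted from the live site
        "modified": sorted(p for p in good.keys() & live.keys() if good[p] != live[p]),
    }


def _write(root, rel, content):
    path = Path(root) / rel
    path.parent.mkdir(parents=True, exist_ok=True)
    path.write_text(content)


def demo():
    """Constructed sample: a clean backup and a tampered copy of the same small site."""
    with tempfile.TemporaryDirectory() as backup, tempfile.TemporaryDirectory() as live:
        for root in (backup, live):
            _write(root, "index.html", "<h1>Department of Justice</h1>")
            _write(root, "about.html", "<p>About the department</p>")
            _write(root, "img/ag.jpg", "original-photo-bytes")
        # Constructed tampering on the live copy only (backup is untouched)
        _write(live, "index.html", "<h1>defaced</h1>")   # modified
        os.remove(Path(live) / "about.html")              # removed
        _write(live, "new.html", "unexpected page")       # added
        return compare_trees(backup, live)


if __name__ == "__main__":
    print(demo())
```

Run the same `compare_trees()` against a real backup and the live document root; anything listed under "added" or "modified" is where the intruder's changes landed.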

9. Don't leave tools hackers can use. Justice had followed general industry practice and removed most system administration software from the server, but the hacker found and used several tools. The best practice, Boster says, is to build the Web content remotely and transfer only essential files to the active Web server, using encrypted transmission.

10. Don't send unprotected information between servers. Sniffers are software tools that read all computer traffic. They can be useful for administrators who must find the cause of network problems, but they can also be used by hackers to find user names, passwords and other critical data. To counter that threat, Boster has implemented encryption of all information transferred among Justice computers used for Web development.

11. Don't participate in networks in which some members are careless about security. Weak sites can be hacked easily and used as entries to other sites. If the weak link is inside a trusted community, say another agency, attacks may be successful. It's important, Boster says, that all members of a networked community practice safe Internet.

12. Be tough on crime. Some organizations cover up security breaches, but attacks may increase because companies and agencies that ignore hackers create a crime-friendly environment. "You must . . . be willing to prosecute offenders to the full extent of the law," Boster says.

Finally, Boster says, "the best thing that ever happened to security at the Department of Justice was having our Web site hacked." The attack enabled officials to rearrange responsibilities, implement and enforce policies, and allocate resources.

Alan Paller is president of the CIO Institute in Bethesda, Md.