Reducing the Risk of an Attack

Having the knowledge about how attackers attack and what attack tools they use, the risk and vulnerability assessor is better equipped to defend against such attacks. These attacks can be mitigated and prevented from occurring within your IT infrastructure; however, it requires a thorough understanding of how best to implement security controls and security countermeasures to mitigate the risk caused by these attacks.

The following list presents risk mitigation recommendations that an organization can deploy against the attack methods and attack tools commonly used on IT infrastructures and their assets. Note that these recommendations are not a fail-safe solution for preventing an attack, but will certainly deter an attacker because proper security controls and security countermeasures may be enough to discourage the attacker from continuing.

• PING sweeps Risk mitigation for PING sweeps can be accomplished by disabling ICMP echo requests and ICMP echo replies on IP host devices where needed. Also, ICMP echo requests and ICMP echo replies can be blocked at key points throughout the network infrastructure on router and firewall switches. Router Active Control Lists (ACL) can allow ICMP echo request and ICMP echo reply packets only to targeted IP devices and disallow ICMP traffic for all other IP devices.
• Port scanning It is difficult to mitigate the risk caused by port scanners mainly because many port scanners go undetected while performing a port scan on an IT infrastructure and its assets. Use of strategically placed Intrusion Detection Systems (IDS) and IP firewalls will allow the organization to monitor and audit its network traffic so that the IP firewall can be configured to limit the connection attempts between the port scanner and the scanned device. However, by understanding and learning what port numbers, services, and applications are running in production throughout the IT infrastructure, organizations can better plan on how to control network traffic flow, limit access to network segments, and apply appropriate security controls and security countermeasures to protect mission-critical systems, resources, and applications.
• OS fingerprinting Mitigating the risk caused by OS fingerprinting scanners is best supported by an IDS/IPS monitoring system and IP firewalls in strategic locations throughout the network infrastructure. The IDS/IPS will examine the network traffic to look for patterns in responses from targeted machines. Using this information, IP firewalls can be configured to prevent the targeted IP devices from responding to the OS fingerprinting requests for information.
• Password sniffing Mitigating the risk caused by password sniffing requires understanding that a local network connection is required to exploit password sniffing. This can be mitigated by using switched ethernet ports for LAN connectivity, rather than shared media ethernet LAN segments. Use of encrypted passwords so that they are not visible as clear text in the payload of an IP packet is also recommended.
• Password cracking Mitigating the risk caused by password-cracking attack tools is best handled with an access control and password changing policy and standard. The longer the password and the more alphanumeric and nonalphanumeric characters, the more difficult it is to crack that password. With proper security controls for periodic password changes and standards for how to create a password, users and their login IDs and passwords can mitigate the risk caused by password-cracking attack tools.
• Malformed data attack Mitigating the risk of malformed data attacks requires a more stringent software development life cycle process that incorporates security into the actual design of the application. Because many applications were developed without security in mind, the bugs, flaws, and vulnerabilities in software are commonplace. With proper security design requirements and testing and quality assurance, data fields can be more stringently designed to accept only certain data inputs and no others. This will eliminate the malformed data input vulnerability that can cause a buffer overflow error or other exploit.
• Banner grabber Developers and applications programmers should not put in plain English or other language any information that could potentially be used in an attack. By eliminating confidential information pertaining to the IT asset on banner messages, the attacker will not have anything to grab or review, thus eliminating the ease of identifying potential vulnerabilities in known IT assets.
• Password guessing Mitigating the risk from password-guessing attacks and tools is best supported with an access control and password changing policy and standard. The longer the password, the more alphanumeric and nonalphanumeric characters, the more difficult it is to crack that password. With proper security controls for periodic password changes and standards for how to create a password, users and their login IDs and passwords can mitigate the risk caused by password-guessing attack tools.

Reducing the risk caused by these attack methods and attack tools requires an understanding of how these attacks are conducted at the TCP/IP protocol level as well as at the services and applications level. This understanding allows the risk and vulnerability assessor to focus the assessment project on these known attack methods and attack tools and how they would attack the IT infrastructure and the assets that are being assessed. This puts the assessor in the shoes of the attacker when the assessment project is under way. By understanding the attacker, the risk and vulnerability assessor will be able to focus on the defense and security countermeasures on these known attack methods. Specific recommendations will be presented that address risk mitigation of the threats and vulnerabilities that the IT organization must face, including risk mitigation from attacks and attack tools commonly used on IT infrastructures and their assets.