minor outbreak early instead of years later when it can cause real damage.
If it weren't for Internet worms making a public spectacle of these security
flaws, they might remain unpatched, leaving us vulnerable to an attack from
someone with more malicious goals than just replication. In this way, worms
and viruses can actually strengthen security in the long run. However, there
are more proactive ways to strengthen security. Defensive countermeasures
exist that try to nullify the effect of an attack, or prevent the attack from
happening. A countermeasure is a fairly abstract concept; it could be a
security product, a set of policies, a program, or simply an attentive system
administrator. These defensive countermeasures can be separated into two
groups: those that try to detect the attack and those that try to protect the
vulnerability.
0x610 Countermeasures That Detect
The first group of countermeasures tries to detect the intrusion and respond
in some way. The detection process could be anything from an administrator
reading logs to a program sniffing the network. The response might include
killing the connection or process automatically, or just the administrator
scrutinizing everything from the machine's console.
As a system administrator, the exploits you know about aren't nearly as
dangerous as the ones you don't. The sooner an intrusion is detected, the
sooner it can be dealt with and the more likely it can be contained. Intrusions
that aren't discovered for months can be cause for concern.
The way to detect an intrusion is to anticipate what the attacking hacker
is going to do. If you know that, then you know what to look for.
Countermeasures that detect can look for these attack patterns in log files,
network packets, or even program memory. After an intrusion is detected, the
hacker can be expunged from the system, any filesystem damage can be undone
by restoring from backup, and the exploited vulnerability can be identified
and patched. Detecting countermeasures are quite powerful in an electronic
world with backup and restore capabilities.
For the attacker, this means detection can counteract everything he does.
Since the detection might not always be immediate, there are a few “smash
and grab” scenarios where it doesn't matter; however, even then it's better
not to leave tracks. Stealth is one of the hacker's most valuable assets.
Exploiting a vulnerable program to get a root shell means you can do whatever
you want on that system, but avoiding detection additionally means no one
knows you're there. The combination of “God mode” and invisibility makes for
a dangerous hacker. From a concealed position, passwords and data can be
quietly sniffed from the network, programs can be backdoored, and further
attacks can be launched on other hosts. To stay hidden, you simply need to
anticipate the detection methods that might be used. If you know what they
are looking for, you can avoid certain exploit patterns or mimic valid ones.
The co-evolutionary cycle between hiding and detecting is fueled by thinking
of the things the other side hasn't thought of.
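As an added illustration of a countermeasure that detects by anticipating what the attacker does (this is example code, not from the book), the check below reads process-execution log lines and flags a shell whose parent is a network daemon: the effect of a successful exploit of a vulnerable service, regardless of which exploit was used, which is what makes it useful against the exploits you don't yet know about. The log format, the daemon name `netsvc`, and all sample lines are constructed for this example.

```python
import re
from collections import namedtuple

# Constructed sample log (assumed format, not a real system's output):
# "<ts> exec pid=<n> ppid=<n> uid=<n> comm=<name> exe=<path>"
SAMPLE_LOG = """\
1000 exec pid=410 ppid=1 uid=0 comm=netsvc exe=/usr/sbin/netsvc
1001 exec pid=412 ppid=1 uid=1000 comm=bash exe=/bin/bash
1002 exec pid=413 ppid=412 uid=1000 comm=sh exe=/bin/sh
1003 exec pid=420 ppid=410 uid=0 comm=sh exe=/bin/sh
1004 exec pid=421 ppid=420 uid=0 comm=cat exe=/bin/cat
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d+) exec pid=(?P<pid>\d+) ppid=(?P<ppid>\d+) "
    r"uid=(?P<uid>\d+) comm=(?P<comm>\S+) exe=(?P<exe>\S+)$"
)

Event = namedtuple("Event", "ts pid ppid uid comm exe")

# Shell binaries whose appearance under a daemon is the pattern we anticipate.
SHELLS = {"/bin/sh", "/bin/bash", "/bin/dash"}


def parse(log_text):
    """Turn log lines into Event tuples; lines that don't match are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append(Event(int(m["ts"]), int(m["pid"]), int(m["ppid"]),
                                int(m["uid"]), m["comm"], m["exe"]))
    return events


def find_shells_from_daemons(events, daemon_names):
    """Return (ts, daemon, shell_pid, uid) for each shell spawned directly by
    a listed daemon. A user's interactive shell descends from a login shell,
    not from a daemon, so it is not flagged. Note: by_pid keeps the latest
    record per pid, so a production version must handle pid reuse over time."""
    by_pid = {e.pid: e for e in events}
    alerts = []
    for e in events:
        if e.exe not in SHELLS:
            continue
        parent = by_pid.get(e.ppid)
        if parent is not None and parent.comm in daemon_names:
            alerts.append((e.ts, parent.comm, e.pid, e.uid))
    return alerts
```

A uid of 0 in the alert means the daemon ran as root, so the shell it spawned is a root shell.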