Guide to What Hackers Know About Your Network - That You Don't
Hackers are constantly scanning your networks - learn how to find out what they know about your network.
By Thomas Raef
Whether you call them hackers, crackers or cyber criminals doesn’t matter.
You may not realize it but hackers are scanning your Internet connection looking for an opening – constantly. When they find one they’ll launch an attack against that opening to see if they can get in.
But it all starts with scanning your network.
Automated Tools Are a Wonderful Thing
Cyber criminals don’t scan each individual network on the Internet one by one. They have automated tools that randomly scan every IP address on the Internet.
Hackers aren’t lazy people – just efficient and intelligent. The tools they use can be preloaded with a range of Internet addresses to scan. As this tool finds an Internet address with certain openings it produces a list of the address and the opening. This list is then fed into another tool that actively tries to exploit that opening with various programs. If no exploit works, the hacker’s program will move on to the next potential victim.
When you see the scanning activity in your firewall logs, you’ll know where you’re being scanned from and what they’re trying to target. Armed with that data you should check to see if you’re running software that uses that port and if it has any newly discovered openings. If you’re using software listening on that scanned port and there is a patch available, you should have that patch applied immediately.
As stated, you’ll see this activity in your firewall logs – that is, if someone is actually reviewing your firewall logs.
Oh, my firewall has logs?
When most business owners are asked about their firewall logs, the typical response is usually, “Oh, my firewall has logs?”
Yes, all firewalls produce log files. Most of them only show what’s been blocked, which is like showing pictures of all the thieves that are in prison, while the bank down the street is being robbed.
You want to see all traffic. If your firewall only logs activity it knows about, your security is totally dependent on the ability of your firewall and the way it’s configured with default settings.
Many people believe that “having” a firewall is sufficient. Have you ever seen the firewall settings for the router/modem that many DSL or Cable providers give you?
The configuration is usually something like: Firewall: Yes No
These companies don’t want you calling them every time you can’t get a connection on the Internet. So they predetermine what your firewall should block and what should be allowed – to save them the expense of tech support calls.
An Example Log File
Let’s review a log entry.
Date Time: 06/18/2007 12:04:03.416
Source IP: 218.10.111.119
Source Port: 12200
Destination IP: 55.66.777.1
Destination Port: 6588
What is this showing?
Well, the source IP address is from Heilongjiang, a province in China. The destination IP is our client (mangled to protect the innocent), but the important data is the destination port. That identifies what the hackers are looking for.
Port 6588 can be a few different things. They could be scanning for a Trojan that uses that port. If their scan responds with the typical response of the remote access Trojan, they know they’ve found an infected system. The hacker's system will tell them what service is listening on port 6588 so they know what tools to use to attack that port.
Without reviewing your logs you have no idea what is trying to get into your network.
Without a properly configured firewall, this type of attack would surely get through.
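The log review described above can be automated. The following is an added example, not part of the original article: it parses entries with the field labels shown in the sample entry, ranks the destination ports being probed, and flags the ports where your own software listens so you know which patches to check first. It assumes one entry per line; `LISTENING_PORTS` and every sample line after the first are constructed for illustration.

```python
import re
from collections import defaultdict

# Field layout taken from the log entry shown in the article.
ENTRY_RE = re.compile(
    r"Date Time:\s*(?P<ts>\S+ \S+)\s+"
    r"Source IP:\s*(?P<src>\S+)\s+Source Port:\s*(?P<sport>\d+)\s+"
    r"Destination IP:\s*(?P<dst>\S+)\s+Destination Port:\s*(?P<dport>\d+)"
)
# First entry is the article's; the rest are constructed (documentation IP ranges).
SAMPLE_LOG = """\
Date Time: 06/18/2007 12:04:03.416 Source IP: 218.10.111.119 Source Port: 12200 Destination IP: 55.66.777.1 Destination Port: 6588
Date Time: 06/18/2007 12:04:09.102 Source IP: 203.0.113.7 Source Port: 40112 Destination IP: 55.66.777.1 Destination Port: 6588
Date Time: 06/18/2007 12:05:41.880 Source IP: 203.0.113.7 Source Port: 40113 Destination IP: 55.66.777.1 Destination Port: 25
Date Time: 06/18/2007 12:06:00.000 Source IP: 198.51.100.23 Source Port: 51000 Destination IP: 55.66.777.1 Destination Port: 25
garbled line the firewall truncated
"""
# Assumption: ports your own software is known to listen on.
LISTENING_PORTS = {25, 443}

def parse_entries(text):
    """Return (entries, unparsed); unparsed lines are kept for manual review."""
    entries, unparsed = [], []
    for line in filter(None, map(str.strip, text.splitlines())):
        m = ENTRY_RE.search(line)
        if m:
            # Addresses stay strings: the article's mangled destination is not a valid IP.
            entries.append({"ts": m["ts"], "src": m["src"], "dport": int(m["dport"])})
        else:
            unparsed.append(line)
    return entries, unparsed

def summarize(entries, listening_ports):
    """Rank destination ports by hits; flag those where local software listens."""
    sources = defaultdict(list)
    for e in entries:
        sources[e["dport"]].append(e["src"])
    return [
        {"port": p, "hits": len(s), "sources": sorted(set(s)), "check_patches": p in listening_ports}
        for p, s in sorted(sources.items(), key=lambda kv: (-len(kv[1]), kv[0]))
    ]

if __name__ == "__main__":
    entries, unparsed = parse_entries(SAMPLE_LOG)
    for row in summarize(entries, LISTENING_PORTS):
        print(row)
    print("unparsed:", unparsed)
```

Lines that do not match the expected layout are returned separately rather than dropped, so a truncated or unfamiliar entry still gets looked at.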
When talking security with a business owner I always ask, “When was the last time your network was scanned for openings?” They usually respond with, “Never”. To which I reply, “Oh you’re wrong there. You’ve been scanned, you just don’t know by whom!”
Regular scans of your network show you what the hackers are seeing of your network. It’s a simple process and should be performed at least once a month. The results should be presented to you in a very readable, understandable report.
What to Do Next
The first thing you should do is check your firewall to make sure it’s logging all activity. Then, your job is to start reviewing the logs either every day or, at a bare minimum, once a week.
Some routers have the firewall “built-in”. I’ve often found these are very limited in their ability to protect. Even more limiting is their logging functionality. Typically these devices will only show what’s blocked. Often these router/firewalls have the option to have the logs emailed to someone when they’re filled with entries. This is a nice option as you can have them directed to someone who will (should) review them in detail and notify you of any entries to be concerned with.
If your firewall doesn’t provide the level of detail described in this article, you should seriously consider upgrading. You can keep your existing router; just turn off the firewall feature and buy a dedicated firewall.
Then you’ll know what the hackers know about your network.