Network Computing Says Internet To Crash and Burn!
05/01/2003 Syracuse, N.Y. -- On July 17, 2003, the Internet will come to a crashing halt. The flow of goods and data, so critical to the digital economy, will dry up. E-friendships will languish without the transfer of bytes and nybbles.
Remember, you read it here first.
Got your attention, didn't we?
Of course, this isn't likely to happen. But read enough news reports and listen to enough war stories, and it's easy to imagine the worst. When you connect to the Internet, or to any external network, there are legitimate reasons for concern, including the threat of directed attacks and worms. The reality, though, is nowhere near as bleak as the media--and some aggressive security vendors--would have you believe. Yes, there are dangers, but if you pinpoint the sources and types of exposure, you can manage your risk.
The key is in understanding the attack types. After gathering and interpreting data from a variety of sources--including CAIDA (Cooperative Association for Internet Data Analysis), ISS (Internet Security Systems), NIST's ICAT and Security Focus--and conferring with people on the information-security front lines, we came to several conclusions about the real dangers your organization faces from Internet-borne attacks and how you can minimize your risk.
Reconnaissance Mission
An attack's progression is straightforward, typically following a well-defined set of steps. Getting root or administrative privileges is often the attacker's goal (for a detailed account of an actual attack, see "Anatomy of a Network Intrusion").
The first phase is network reconnaissance. The attacker discovers as much as he or she can about the target using public databases and documents, as well as more invasive scanners and banner grabbers. Once services have been identified, the attacker tries to discover vulnerabilities, either through more research or by using a tool designed to determine if the service is susceptible.
Connect to the Internet and within moments you will see attack activity in the form of port and network scanners--a Network Intelligence customer who runs a relatively small network says he receives thousands of scans per week.
We charted the scan sources and targets for the top five active ports, as reported by the Internet Storm Center, on a specified date (see "Top 5 Port Scans for March 18, 2003"), and discovered that a relatively small pool of IP addresses scanned a large number of IP addresses. During this 24-hour period, ISC logged 9,598 unique IP addresses scanning for Port 445, which is used for file sharing (SMB) on Microsoft Windows 2000, and logged 161,532 targets of port scans for Port 445--roughly 16 times as many targets as sources.
From a damage point of view, scans typically are harmless. IDSs classify scans as low-level attacks, but they don't harm servers or services. Common wisdom says scans are precursors to attacks, and though that may be true, there isn't a 1:1 relationship. If Port 445 is open, that doesn't guarantee the attacker will return, but it does make it more likely that he or she will.
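The per-port tally of scan sources and targets described above can be reproduced on your own perimeter logs. The following is an added example, not code from the article or from the Internet Storm Center; the log layout, sample lines and function names are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample firewall log (documentation IP ranges); the layout is an assumption.
SAMPLE_LOG = """\
2003-03-18T00:01:02Z DROP SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP DPT=445
2003-03-18T00:01:03Z DROP SRC=198.51.100.7 DST=192.0.2.11 PROTO=TCP DPT=445
2003-03-18T00:01:04Z DROP SRC=198.51.100.7 DST=192.0.2.12 PROTO=TCP DPT=445
2003-03-18T00:04:10Z DROP SRC=203.0.113.9 DST=192.0.2.10 PROTO=TCP DPT=445
2003-03-18T00:04:11Z DROP SRC=203.0.113.9 DST=192.0.2.14 PROTO=TCP DPT=445
2003-03-18T00:05:30Z DROP SRC=203.0.113.9 DST=192.0.2.10 PROTO=TCP DPT=80
2003-03-18T00:06:45Z DROP SRC=198.51.100.22 DST=192.0.2.10 PROTO=TCP DPT=80
2003-03-18T00:09:00Z kernel: link up
2003-03-18T00:09:30Z DROP SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP DPT=445
"""

LINE_RE = re.compile(r"SRC=(\S+) DST=(\S+) PROTO=\S+ DPT=(\d+)")

def parse(log_text):
    """Yield (source, target, port) for each well-formed line; skip the rest."""
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m:
            yield m.group(1), m.group(2), int(m.group(3))

def tally_scans(log_text):
    """Return {port: (unique_sources, unique_targets, targets_per_source)}."""
    sources, targets = defaultdict(set), defaultdict(set)
    for src, dst, port in parse(log_text):
        sources[port].add(src)   # sets ignore repeated probes
        targets[port].add(dst)
    return {p: (len(sources[p]), len(targets[p]), len(targets[p]) / len(sources[p]))
            for p in sources}

def top_ports(summary, n=5):
    """Ports ranked by distinct targets probed, most-scanned first."""
    return sorted(summary, key=lambda p: summary[p][1], reverse=True)[:n]

def wide_scanners(log_text, port, min_targets=3):
    """Sources that probed at least min_targets distinct hosts on one port."""
    seen = defaultdict(set)
    for src, dst, p in parse(log_text):
        if p == port:
            seen[src].add(dst)
    return {s: len(t) for s, t in seen.items() if len(t) >= min_targets}

if __name__ == "__main__":
    summary = tally_scans(SAMPLE_LOG)
    print([(p, summary[p], wide_scanners(SAMPLE_LOG, p)) for p in top_ports(summary)])
```

A targets-per-source ratio well above 1 on a port, as with Port 445 in the article's figures, indicates a few hosts sweeping many addresses rather than many hosts each probing one.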