bill’s blog

Just another WordPress weblog

Browsing Posts published in January, 2009

We as network administrators need to understand that we provide a service both to the companies we work for and to the end users we serve. Without them we would find ourselves unemployed. IT is a service organization and, as such, end users are our customers. We must understand that their needs sometimes come before our own. Sometimes this dedication means giving up time with our families: the many hours we miss because a server is down. Fortunately, we can prepare ourselves and lower the risk of downtime (and time away from home) with continued education.

Know the basics!

Confidentiality, Integrity and Availability… the foundation of everything we do. While confidentiality didn’t play out this week, integrity and availability certainly did. I spent most of the past week (on the clock and off) getting an image database back online. A number of things went wrong. From an integrity point of view, we had a database that went south. It contained a record of every image the company had captured in the last 10 years. Backups proved to be too old to be of use on their own (though as a second option, something to consider). Long story short, we were able to get the database back online, BUT there was corruption that needed to be addressed. This is where dedication comes into play. It would be too easy to give up on the database recovery efforts. We did have backups (though not current). Piecing together the various databases proved to be the answer. While not the most elegant method, it did get the database online and intact. Additionally, many hours were put into the recreation of the database to shorten the time the users were without it. This is where availability comes into play. The game plan to pull data from various backups and stitch them together was going to take time. One must balance one’s own time against the greater good. And thus this paper was late, but my end users got their data sooner rather than later.

Know the Policy!

IT is about making sure that people can work. Everyone! Sometimes one individual can bring down a network. Just take a look at any virus: one person writes and distributes the code, and the rest of the world suffers. IT policies are there to protect everyone, both the end users AND the IT administrators. So what goes into IT policies?

1. Clear understanding – This pertains to everyone in the organization. The policies are written so that everyone in the organization knows what they can and can’t do. Does the company allow external USB thumb drives? Are smart phones allowed? Who is allowed to have a smart phone? What about password sharing and its ramifications? There is a whole plethora of things that should be covered.

2. Emergency situations – What are the procedures or actions to be taken during an emergency? What should be done? Who should be informed? When is the Disaster Recovery plan invoked?

3. Access – Who should have access to which data? AND where does one go to get the access they need? What are the steps to be taken?

One thing to keep in mind is that the answers to the above questions must be distributed to everyone within the organization.

Education!

Without continued education, we as IT professionals would go the way of the dinosaur, though perhaps not as dramatically. IT changes rapidly. If one had asked about virtual machines 5 years ago, few would have understood what we were talking about. More and more, IT professionals are asked to take on new technologies in a production environment and to support them. While reading, tinkering, and trial and error can bring you most of the way, formal training is needed to support these advanced technologies.

IT is about putting your heart and soul into your work. One must have the desire and drive to succeed in this industry. Only a select few can truly excel here!

Malware


The Internet has come a long way from its humble beginnings. It was originally established by the Department of Defense so that military contractors could pass information back and forth; then, as a natural progression, select universities were brought into the fold. As students left those universities, it became apparent that the lack of this service in the outside world was a problem: the communication and sharing of ideas and information had stopped, and that was not a good thing. It is often said that the world is a small place, and that is in large part thanks to the Internet. Today millions of people share the Internet, and millions now have broadband (always-on) connections. Viruses in the ‘old’ days spread through the sharing of floppy discs. Today, with these always-on connections, floppy discs are a thing of the past. Sun Microsystems’ slogan is “The Network is the Computer,” and in today’s Internet-enhanced world this is very much the case.

Unfortunately, with all this access is the proliferation of malware. Malware takes all forms these days. Viruses, Trojans and Spyware are just a few of the dangers that are present on the Internet today.

One of the first memorable attacks to spread across the Internet was the Melissa virus (1999). It spread through the distribution of an infected Word document and took advantage of Word‘s macro language. Once the file was opened, the macro gathered the first 50 names in the user’s Outlook address book and sent itself to those unknowing individuals. Seeing that the email came from an acquaintance, the unsuspecting recipient would open the attachment, perpetuating the cycle. The virus was not intended to cause any harm to the infected user’s computer; however, it had the side effect of clogging networks with massive amounts of mail. Many networks and mail servers were unprepared for the volume of traffic and effectively ’stopped’ the Internet. This virus is a prime example of how social engineering was used to proliferate the spread of a virus.

Next came the Love Bug virus (aka ILOVEYOU) in May 2000. Once again, this virus relied on social engineering, this time combined with Visual Basic Script. Unlike Melissa, ILOVEYOU was designed to be destructive. In addition to self-propagation, the worm made entries in the Windows registry that enabled it to continue its wave of destruction after each reboot. Lastly, the worm had the ability to infect (overwrite) other files, most notably .doc, .mp3 and .jpg. Infected files were rendered useless, and once infected, any use of these files would continue the spread of the infestation. In fact, the Pentagon, the CIA, and the British Parliament had to shut down their e-mail systems to get rid of the virus, as did most large corporations (wikipedia.org, 2009).

Part of the problem with malware is keeping up with the threats. The MS Blaster worm spread and infected thousands of computers even though a patch was available to prevent its execution (Microsoft had released it almost a month earlier). To make matters worse, many IT administrators spent the days leading up to the 11th of August 2003 feverishly patching their machines, only to be caught off guard when their systems were attacked and infected by the very thing they had worked so hard to prevent. In the confusion of the event, many administrators scrambled to see which machine they had forgotten to patch. It took time for many of them to realize that they were dealing with a variant of the original worm and that their machines were once again unprotected. Anti-virus manufacturers were quick to release updates to their AV engines and definition files, but the damage was already done.

Even today, viruses are still being spread at alarming rates. The Conficker worm is currently spreading itself across the Internet as of January 20th, 2009, and it is estimated that over 9 million machines have been infected. As with Blaster, Microsoft’s patch (MS08-067, October 2008) was available before the worm was first discovered in November 2008. Conficker takes advantage of a vulnerability in the Windows Server service in which a specially crafted RPC request could allow remote code execution. This affects a great many machines, ranging from Windows 2000 all the way up to Windows Server 2008. Among those known to have been infected by this worm are the United Kingdom’s Ministry of Defence and the Royal Navy. Unfortunately, many experts agree that the worst is yet to come: they warn that the worm’s operators have yet to activate its payload. F-Secure’s Mikko Hypponen said…

“It is scary thinking about how much control a hacker could have over all these computers. They would have access to millions of machines with full administrator rights. But they haven’t done that yet… maybe they’re scared. That’s good news. But there is also the scenario that someone else figures out how to activate this worm. That is a worrying prospect.”

As with anything computer related, the weakest link is often the operator. Users need to be current on system patches. Anti-virus programs need to be updated regularly (both engine and definition files). Many overlooked areas that can be used to slow and/or stop the spread of a virus are:

Turning off unused services. Many times users will turn on file sharing. If you have to run file sharing, turn off guest access; many systems allow it by default.

Firewalls… Block unused ports, or at the very least create rules on your firewall that restrict access to a set of known IP addresses.

Resources:

Reece, D., (2009 January 20th), Conficker Virus Dormant – Hackers Still to Activate, Retrieved on January 22, 2009 from http://startupearth.com/2009/01/20/conficker-virus-still-dormant-hackers-still-to-activate/

Various, (2009, January 20th), ILOVEYOU, Retrieved on January 22, 2009 from http://en.wikipedia.org/wiki/ILOVEYOU

For a complete listing of affected machines and a more thorough analysis of the worm, please see Microsoft KB Article ID: 962007 and the webpage on Win32/Conficker at:

http://www.microsoft.com/security/portal/Entry.aspx?Name=Win32/Conficker

CIA

There are many things in daily life that depend on something else to work. A car needs gas. A light bulb needs electricity. And we all need air to breathe. Computers can be as simple as a calculator or as complex as a Cray supercomputer; most of our computing needs fall somewhere in between. Most of us rely on the Internet on a daily basis, whether for checking the latest sports scores or researching term papers. What most people don’t think about is what’s involved in protecting the resources out on the Internet.

In computing terms CIA stands for:

Confidentiality
Integrity
Availability

These three things make up the basic stepping-stones when it comes to securing data stored on a shared resource (which the Internet is). Without them the Internet would be useless. Let’s take, for example, an online banking operation. How do these three objectives relate to its operation?

Confidentiality is about making sure data is only accessed by individuals who have been granted permission to access it (keeping data private). In the online banking scenario, many banks (and other security-minded websites) display an image after you enter your user ID. This image is selected by you when setting up your online account. If you don’t see your image, you should think twice about entering your password, because many phishers are adept at making their sites look authentic. (The check is only as good as the user’s discipline, and a phishing site that proxies the real login page can relay the genuine image, so it is no substitute for checking the site’s certificate.) Underpinning the goal of confidentiality are authentication methods like user IDs and passwords that uniquely identify a data system’s users (Miami.edu, 2006). Ultimately, one needs to ensure not only that you are providing the right credentials to access the data, but that the resource is actually ‘who’ you think it is!

One other area that needs to be examined with regard to confidentiality is the use of secure transmissions. HTTP transmits data in clear text. This is problematic in two areas:

  1. Passing your credentials in the clear. This is especially troublesome, as anyone who can sniff the network could grab those credentials and use them to manipulate your funds.
  2. In terms of privacy, if encryption is not used during the transfer of data, anyone sniffing the network can look into your private records. Again, this is not desirable.

SSL goes a long way toward providing this security. SSL (Secure Sockets Layer, today superseded by TLS) encrypts the data that passes between the bank and your browser, so a sniffer sees only ciphertext.
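To make the cleartext problem concrete, here is an added example (not code from the original post) of what “anyone sniffing the network” actually gets from an HTTP login, beside the same connection over SSL/TLS, where only the record header is readable. The captured bytes, the host name bank.example and the alice/hunter2 credentials are constructed for the demonstration.

```python
"""Cleartext HTTP vs. SSL/TLS from a sniffer's point of view.

Added example, not code from the original post. CAPTURED_HTTP and CAPTURED_TLS
are constructed TCP payloads (an HTTP login and the first bytes of a TLS
handshake); the host bank.example and the alice/hunter2 credentials are made up.
"""
import base64
from urllib.parse import parse_qs

# Constructed: one reassembled TCP payload carrying a browser's login POST.
CAPTURED_HTTP = (
    b"POST /login HTTP/1.1\r\n"
    b"Host: bank.example\r\n"
    b"Authorization: Basic YWxpY2U6aHVudGVyMg==\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"Content-Length: 29\r\n"
    b"\r\n"
    b"userid=alice&password=hunter2"
)

# Constructed: the start of a TLS ClientHello on a port 443 connection.
# Byte 0 is the record type (0x16 = handshake), bytes 1-2 the protocol version,
# bytes 3-4 the length; once the handshake completes, every record body is ciphertext.
CAPTURED_TLS = b"\x16\x03\x01\x00\x10" + bytes(range(16))


def parse_http_request(payload: bytes):
    """Split a raw HTTP/1.x request into (method, path, headers, body)."""
    head, _, body = payload.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    method, path, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, path, headers, body


def sniff_credentials(payload: bytes) -> dict:
    """Everything an eavesdropper recovers from one cleartext request.

    HTTP Basic auth is only base64 encoded, not encrypted, so it decodes
    directly; form fields arrive as plain URL-encoded text.
    """
    _method, _path, headers, body = parse_http_request(payload)
    found = {}
    auth = headers.get("authorization", "")
    if auth.lower().startswith("basic "):
        user, _, password = base64.b64decode(auth[6:]).decode().partition(":")
        found["basic_auth"] = (user, password)
    if headers.get("content-type", "").startswith("application/x-www-form-urlencoded"):
        form = parse_qs(body.decode())
        for field in ("userid", "username", "user", "password", "pass"):
            if field in form:
                found[field] = form[field][0]
    return found


def is_tls_record(payload: bytes) -> bool:
    """True when the payload starts with a TLS record header: a content type
    between 0x14 and 0x17 followed by the 0x03 major-version byte."""
    return len(payload) >= 5 and 0x14 <= payload[0] <= 0x17 and payload[1] == 0x03


def eavesdrop(payload: bytes) -> dict:
    """What a passive sniffer learns: credentials from HTTP, nothing from TLS."""
    if is_tls_record(payload):
        return {}
    return sniff_credentials(payload)


if __name__ == "__main__":
    print("HTTP :", eavesdrop(CAPTURED_HTTP))
    print("TLS  :", eavesdrop(CAPTURED_TLS))
```

The empty result for the TLS capture is about the credentials and records only; a sniffer still sees which server was contacted (the IP address, and the server name in the ClientHello), which is why encryption protects confidentiality of content but not of the fact that a conversation took place.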

In terms of integrity, this is making sure that the data remains intact and that changes to the data can only be made by authorized personnel. There is the notion that an asset should be trusted; that is, there is an expectation that an asset will only be modified in appropriate ways by appropriate people (purdue.edu, 2004). Data is only useful if it can be relied upon as accurate. System administrators need to ensure that the data has not been tampered with. Accidental or intentional manipulation of data is a very bad thing. This is where things such as ACLs (Access Control Lists) and other permission models come into play. ACLs can be used to control access to file systems or, more importantly, databases.

In addition to controlling who has access to the data, one needs to check that the data being captured is accurate. Error checking must be an integral part of data entry (garbage in, garbage out). Without it, one could easily see a situation where an online banking user pays a bill with funds they don’t have (or vice versa: they want to pay a bill and the bank’s data does not yet reflect yesterday’s deposit). There is another aspect of integrity that needs to be discussed, and that is the validity of the data should something actually happen to it. Accidents happen, whether on purpose or not. Ultimately, what is of utmost importance is that the data can be verified against, and restored back to, its trusted state.

Availability is making sure that the data remains accessible. Data is no good if you can’t get at it. This is the first thing network/system administrators learn: your servers need to stay up all the time. In the banking industry, because this data needs to be accessible whenever the customer wants it, system administrators need to think in terms of high availability. High availability systems aim to remain available at all times, preventing service disruptions due to power outages, hardware failures, and system upgrades (Wikipedia.org, 2009). In today’s fast-paced world of Internet banking, a bank without this would soon find that, if its customers were unable to get to their money, it would be without customers.

Computer/network security is a moving target. Vectors of attack change on a daily basis, and one can only plan defenses based on the known: what information do we have today? Using the above-mentioned criteria, however, network administrators can apply what is known about attacks, and about how valuable their data is, to properly plan defenses for the future.

Resources:

Purdue University (2004, Feb. 23), RASC: Confidentiality, Integrity and Availability (CIA), retrieved on January 19, 2009 from www.itap.purdue.edu/security/files/documents/RASCCIAv13.pdf

Unknown, (2006, April 24), Confidentiality, Integrity, Availability (CIA), retrieved on January 19, 2009 from http://privacy.med.miami.edu/glossary/xd_confidentiality_integrity_availability.htm

Various, (2009, January 20), Information security, retrieved on January 19, 2009 from, http://en.wikipedia.org/wiki/Information_security#Integrity

One thing every network administrator needs to keep in mind is that without computers and end users there would be no need for your network. Why do I say this? Unfortunately, over the years we’ve seen a proliferation of targeted attacks on companies, perpetrated over the Internet. Money can be made by attacking corporate networks, looking for credit card information, and then selling that information for profit. In fact, the term cyber-warfare is no longer in the realm of science fiction. In May 2007, Estonia was hit by DDoS attacks against government and banking computers, which its government blamed on Russia. The Estonian government said its state and commercial websites, including a number of banks, were being bombarded by mass requests for information, overwhelming their servers (bbc.co.uk, 2007).

So what are we to do? We do what man has done since the beginning of time: we build layers of defenses to thwart our attackers. We need to understand what (the data) we are trying to protect. We also need to understand what is considered normal, so that when things become ‘odd’ we recognize that something is not right. According to a 2005 survey conducted by the FBI, 87% of those polled had conducted security audits to serve as a baseline for a meaningful security program (fbi.gov, 2005). Baselines should be taken of end users’ computers to make sure that viruses and backdoors are not present; of servers, for the same reason and to record which services are running; and of network traffic, so that you have an understanding of what a healthy network looks like under normal conditions. Once baselines are completed, checks must be performed at regular intervals to ensure that no unauthorized changes have occurred. Unfortunately, in many organizations this is where things break down. In today’s economic climate, dollars and resources are scarce. Following up on procedures often takes a back seat to the more imminent problems of the daily break/fix routine.
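To make the baseline-and-check cycle concrete, and to show the integrity goal from the CIA post above (being able to verify data against a trusted state), here is an added example, not code from the original post, that records a SHA-256 manifest of a directory tree and reports what changed since. The tree, the manifest location and the tampering are constructed for the demonstration.

```python
"""Baseline a directory tree, then detect anything that changed since.

Added example, not code from the original post. The tree it builds under a
temporary directory, and the "tampering" it performs, are constructed.
"""
import hashlib
import json
import tempfile
from pathlib import Path


def hash_file(path: Path) -> str:
    """SHA-256 of a file, streamed so large files need not fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def take_baseline(root: Path) -> dict:
    """Map every regular file under root (relative, POSIX-style) to its digest."""
    return {
        p.relative_to(root).as_posix(): hash_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def save_baseline(baseline: dict, where: Path) -> None:
    # The manifest must live somewhere the audited host cannot rewrite it
    # (read-only media, another machine), or an intruder simply re-baselines.
    where.write_text(json.dumps(baseline, indent=1, sort_keys=True))


def load_baseline(where: Path) -> dict:
    return json.loads(where.read_text())


def compare(baseline: dict, current: dict) -> dict:
    """Report files added, removed or modified relative to the baseline."""
    common = baseline.keys() & current.keys()
    return {
        "added": sorted(current.keys() - baseline.keys()),
        "removed": sorted(baseline.keys() - current.keys()),
        "modified": sorted(k for k in common if baseline[k] != current[k]),
    }


def demo() -> dict:
    """Build a small tree, baseline it, tamper with it, and return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "host"
        (root / "etc").mkdir(parents=True)
        (root / "bin").mkdir()
        (root / "etc" / "hosts").write_text("127.0.0.1 localhost\n")
        (root / "bin" / "svc").write_bytes(b"\x7fELF original service binary")

        manifest = Path(tmp) / "baseline.json"   # would normally be stored off-host
        save_baseline(take_baseline(root), manifest)

        # Constructed tampering: trojaned binary, deleted config, dropped tool.
        (root / "bin" / "svc").write_bytes(b"\x7fELF backdoored service binary")
        (root / "etc" / "hosts").unlink()
        (root / "bin" / "nc").write_bytes(b"dropped tool")

        return compare(load_baseline(manifest), take_baseline(root))


if __name__ == "__main__":
    for kind, files in demo().items():
        print(f"{kind:9}: {files}")
```

The same compare() run against a restored backup tells you whether the restore actually brought the data back to the trusted state, which is the integrity question, and run on a schedule against the live system it is the periodic check the paragraph above calls for.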

Once the baselines are established, rules can be entered into security devices with a clear understanding of the trade-offs required to secure your environment. Firewall rules can get very complicated. Many appliance-based devices try to make understanding your rules easier, but others miss the mark terribly. Simply put, firewall rules are a series of allow or deny statements. Each statement contains criteria by which the firewall decides whether to let a packet pass or stop it in its tracks. One important thing to keep in mind is whether an allow statement takes precedence over a deny statement or vice versa, and whether the first matching rule wins or the most specific one does. Different firewalls handle this very differently. Be sure you know how your firewall handles it; otherwise you’ll find no packets getting through (or, worse, too many).

So what do these rules look like?

Priority  Action  Service  Source           Destination    Time           Day
1         Deny    Any      *                LAN            *              *
2         Allow   Any      LAN              *              *              *
3         Deny    Any      129.33.82.0/24   *              *              *
4         Deny    FTP      192.168.1.55     WAN            9:00 - 17:00   M,T,W,TH,F
5         Allow   SSH      69.0.54.198      192.168.1.45   17:00 - 9:00   *

So what does this all mean? In this table the generic rules come first and the explicit rules (3 to 5) are meant to override them, so the firewall must give explicit rules precedence; on a firewall where the first matching rule wins, rules 3 to 5 would have to be listed above rule 1 or they would never fire. Let’s take a look at the rules one at a time:

Rule 1: Denies all access from everywhere to anything on the LAN. This is a pretty generic rule; it covers the network administrator in case they miss setting up an explicit rule for a service.

Rule 2: ALLOWS all users on the LAN to access anything in the outside world. In other words, LAN users can go anywhere.

Rule 3: Is an explicit rule. It stipulates that anyone from the 129.33.82.0/24 network is DENIED access to ANY service, even those otherwise allowed on this network.

Rule 4: Is an explicit rule that DENIES the computer at 192.168.1.55 access to FTP servers outside the LAN. This rule is in effect during business hours, Monday through Friday. (It seems this user might be abusing something.)

Rule 5: Is an explicit rule that ALLOWS access to the SSH server at 192.168.1.45 outside of business hours only. This is one way to help protect and minimize your exposure. Additionally, restricting the source to a single IP address, as this rule does, minimizes the exposure even more.

These rules are fairly simple and easy to follow. However, in a real environment they can get quite complex. In many corporations, firewalls are used as a means of restricting access for troublesome or abusive individuals. Unfortunately, this puts the network administrator in the position of having to deal with HR issues, rather than Human Resources dealing with the issue directly.
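To see the precedence problem concretely, here is an added example (not code from the original post) that evaluates the table above under first-match semantics, the very behaviour the post warns you to check. It assumes the LAN is 192.168.1.0/24, that FTP and SSH mean TCP ports 21 and 22, that a time window is [start, end) and that a window written 17:00 - 9:00 wraps past midnight; the sample packets are constructed.

```python
"""First-match evaluation of the rule table above, showing why rule order matters.

Added example, not code from the original post. Assumptions: LAN is
192.168.1.0/24, FTP/SSH are TCP 21/22, a time window is [start, end) and
"17:00 - 9:00" wraps past midnight, and the firewall is first-match (the first
rule whose criteria fit the packet decides; later rules are never consulted).
"""
from dataclasses import dataclass
from datetime import datetime, time
from ipaddress import IPv4Address, ip_address, ip_network
from typing import Optional

LAN = ip_network("192.168.1.0/24")                  # assumed LAN prefix
SERVICE_PORTS = {"FTP": 21, "SSH": 22}              # assumed service -> port
DAY_CODES = ["M", "T", "W", "TH", "F", "SA", "SU"]  # datetime.weekday() order
ALL_DAYS = frozenset(DAY_CODES)
WEEKDAYS = frozenset(DAY_CODES[:5])


@dataclass(frozen=True)
class Packet:
    src: IPv4Address
    dst: IPv4Address
    port: int            # destination TCP port
    when: datetime


def _addr_ok(spec: str, addr: IPv4Address) -> bool:
    """Match a Source/Destination cell: '*', 'LAN', 'WAN', a host or a CIDR."""
    if spec == "*":
        return True
    if spec == "LAN":
        return addr in LAN
    if spec == "WAN":
        return addr not in LAN
    return addr in ip_network(spec, strict=False)


def _time_ok(start: Optional[time], end: Optional[time], t: time) -> bool:
    if start is None:
        return True
    if start <= end:
        return start <= t < end
    return t >= start or t < end                     # window wraps past midnight


@dataclass(frozen=True)
class Rule:
    number: int
    action: str              # "Allow" or "Deny"
    service: str             # "Any" or a key of SERVICE_PORTS
    source: str
    destination: str
    start: Optional[time]    # None = any time
    end: Optional[time]
    days: frozenset

    def matches(self, pkt: Packet) -> bool:
        return (
            (self.service == "Any" or SERVICE_PORTS[self.service] == pkt.port)
            and _addr_ok(self.source, pkt.src)
            and _addr_ok(self.destination, pkt.dst)
            and DAY_CODES[pkt.when.weekday()] in self.days
            and _time_ok(self.start, self.end, pkt.when.time())
        )


# The table from the post, in the order it was written.
RULES = [
    Rule(1, "Deny",  "Any", "*",              "LAN",          None,    None,     ALL_DAYS),
    Rule(2, "Allow", "Any", "LAN",            "*",            None,    None,     ALL_DAYS),
    Rule(3, "Deny",  "Any", "129.33.82.0/24", "*",            None,    None,     ALL_DAYS),
    Rule(4, "Deny",  "FTP", "192.168.1.55",   "WAN",          time(9), time(17), WEEKDAYS),
    Rule(5, "Allow", "SSH", "69.0.54.198",    "192.168.1.45", time(17), time(9), ALL_DAYS),
]


def first_match(rules, pkt: Packet, default="Deny"):
    """Return (action, rule number) of the first matching rule, else the default."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action, rule.number
    return default, None


def reorder(rules, order):
    """The same rules, consulted in a different order."""
    by_number = {r.number: r for r in rules}
    return [by_number[n] for n in order]


EXPLICIT_FIRST = reorder(RULES, [3, 4, 5, 1, 2])   # explicit rules above catch-alls


def pkt(src: str, dst: str, port: int, when: datetime) -> Packet:
    return Packet(ip_address(src), ip_address(dst), port, when)


if __name__ == "__main__":
    ssh_in = pkt("69.0.54.198", "192.168.1.45", 22, datetime(2009, 1, 20, 20, 0))
    print("table order  :", first_match(RULES, ssh_in))           # ('Deny', 1)
    print("explicit 1st :", first_match(EXPLICIT_FIRST, ssh_in))  # ('Allow', 5)
```

Evaluated in the order written, rule 1 (deny anything to the LAN) matches the inbound SSH packet before rule 5 is ever consulted, and rule 2 lets the FTP traffic out before rule 4 can block it. Moving the explicit rules above the catch-alls fixes both without changing a single rule, which is the first thing to check whenever a firewall reports that an explicit allow or deny is “not working”.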

Resources:

Unknown, (2005, July 25), Headline Archives, Retrieved Feb. 27, 2007 from http://www.fbi.gov/page2/july05/cyber072505.htm

Unknown, (2007, May 17), Estonia hit by ‘Moscow cyber war’ Retrieved on January, 17, 2009 from http://news.bbc.co.uk/2/hi/europe/6665145.stm

Today I woke to a cold but bright day. I worked late last night and slept until 8:30. Tracy and Izzy left the house early before I got out of bed. They went to the nail place, where I’m told everyone gushed over Izzy.

After getting my morning cup of coffee, I had a look in on the servers I’d been toiling over the night before. Sometimes it’s not easy being in IT. Nothing much had changed. The RAID was still rebuilding and I could get xSAN to recognize it. I did some school work as I debated my next decision… Should I go into the office?

It’s getting harder to leave the kids behind. It’s hard to see them grow and have the days pass. I miss them.

I finally decided to go in… Spent about five hours there. During that time Will went to karate, Izzy crawled on the floor, Tracy started dinner, and I rebuilt a server.

After driving home from work, I gave everyone a kiss hello and spent some time with Will. It was short lived, as he had made arrangements to sleep over at a friend’s house. Tracy put the baby to bed as I tried to figure out the cause of my server’s woes. Tracy and I had a wonderful dinner in the sun room, beef stew! A change in our usual menu!

After dinner we finished watching Benjamin Button. What a great movie! But in the end I felt sad… I don’t want my life to pass by without enjoying every moment. Just before bed, I checked in on little Izzy, watching her peacefully sleep. I woke Tracy, who had fallen asleep watching the movie, and crawled into bed. Hopefully, I’ll figure out that server problem tomorrow!

What an amazing sight!

I heard some kind of buzz on the floor while going about my work today… something about a plane that crashed into the Hudson River. I’ve always had a strange fascination with plane crashes. This one brought me back in time 26 years, almost to the day. Air Florida flight 90 crashed into the Potomac shortly after take-off. I remember it snowing that day, though I can’t remember how much. I remember being glued to the television set. I must have been home sick that day. Unfortunately, 74 people were lost when the plane sank into the icy waters.

Today, US Airways flight 1549 crashed into the Hudson River; unlike that fateful day 26 years ago, all 155 people aboard made it out alive. It has been said that no other airliner ditching had ended without loss of life. Since 9/11, New Yorkers, of whom I consider myself one, have a certain anxiety when it comes to planes falling out of the sky. Fortunately, thanks to the flying skills of Captain Chesley B. “Sully” Sullenberger III, the plane landed intact, allowing the passengers to exit while it floated with the Hudson’s current. Passing boats from around the river quickly came to the stricken plane and took the passengers to safety.

Photo: Brendan Mcdermid/Reuters

Photo: Edouard HR Gluck/AP

Photo: Janis Krums/Associated Press