Whether you call them hackers, crackers or cyber criminals doesn’t matter. What does matter is that, whatever you call them, they’re looking for a way into your network!
You may not realize it, but hackers are scanning your Internet connection looking for an opening.
What will they do if they find one? They’ll launch an attack against that opening to see if they can exploit a weakness that will allow them to remotely execute a few commands, thereby giving them access to your network.
But it all starts with scanning your network.
Automated Tools Are a Wonderful Thing
Cyber criminals don’t scan each individual network on the Internet one by one. They have automated tools that randomly scan every IP address on the Internet.
Hackers aren’t lazy people – just very efficient. And incredibly intelligent. The tools they use can be preloaded with a range of Internet addresses to scan. As the tool finds an Internet address with certain openings, it produces a list of the address and the opening. This list is then fed into another tool that actively tries to exploit that opening with various programs. If no exploit works, the hacker’s program moves on to the next potential victim.
When you see the scanning activity in your firewall logs, you’ll know where you’re being scanned from and what they’re trying to target. Armed with that data, you should check to see if you’re running software that uses that port and whether it has any newly discovered openings. If you are using software listening on that scanned port and there is a patch available, you should have that patch applied immediately – because the hackers might know something you don’t.
NOTE: It’s been our experience that many businesses patch their Microsoft Windows software but rarely do they check for patches for all the other software used in the business.
As stated, you’ll see this activity in your firewall logs – that is, if someone is actually reviewing your firewall logs.
Oh, my firewall has logs?
However, when most business owners are asked about their firewall logs, the typical response is usually something like, “Oh, my firewall has logs?” Yes, all firewalls produce log files. Most of them only show what’s been blocked, which is like showing pictures of all the thieves that are in prison, while the bank down the street has been robbed.
Wouldn’t you want to see all traffic? This produces more work, but if your firewall only logs activity it knows about, your security is totally dependent on the ability of your firewall and the way it’s configured.
Many firewall companies want to reduce their number of tech support calls. Their business model revolves around having tech support available, but in the process they’re also seeking ways of reducing the number of times people call in. This isn’t necessarily a bad thing, but when their products have fewer features, and thus fewer benefits as a result – that is a bad thing.
Most firewalls designed for the small business market lack features that most small businesses would benefit from. Many of them have all the technical buzzwords like “deep packet inspection”, “spyware prevention”, “intrusion detection” and many more, but they don’t go into the level of detail needed to be effective.
First, many firewalls that are “designed” for small businesses start with companies that have 100 – 250 users. These might be considered small businesses by the Bureau of Labor Statistics, but for technology purposes companies of this size have their own IT staff (96% do). Not just one IT person, but an IT staff, which means that someone is probably responsible for security. If not, they’ll have someone train them in the proper setup, installation and monitoring of security appliances.
The businesses we consider small have between 3 – 50 PCs. The businesses at the higher end of this scale might have someone dedicated to handling IT issues. But this person is usually so inundated with PC support issues that they have little time “left over” to effectively monitor firewall logs.
Toward the lower end of this scale, they usually have either an outside person or firm responsible, or they have an employee who “is pretty good with computers” who has other responsibilities as well. Rarely will these small businesses have someone watching the firewall logs on a consistent basis. Someone might look them over if there’s a problem, but these logs rotate when full, so the valuable information might be lost before it’s ever reviewed. And that’s a shame. Without reviewing the logs you have no idea what or who is trying to get in, or with what.
An Example Log File
Let’s take a look at some logs. This happens to be a log from a client. The columns are labeled accordingly. This log has been cleaned up to make it easier to explain and understand.
Date        Time          Source IP        Source Port  Destination IP  Destination Port
06/18/2007  12:04:03.416  218.10.111.119   12200        55.66.777.1     6588
06/18/2007  12:16:05.192  41.248.25.147    4925         55.66.777.1     5900
06/18/2007  13:08:02.256  218.10.111.119   12200        55.66.777.1     6588
06/18/2007  13:22:10.224  58.180.199.163   4637         55.66.777.1     2967
What is this showing?
Well, the first source IP (Internet) address is from Heilongjiang, a province in China. The destination is our client (mangled to protect the innocent), but the important data is the destination port. That identifies what they’re looking for.
Port 6588 can be a few different things. They could be scanning for a Trojan that uses that port. If their scan gets back the typical response of the remote access Trojan, they know they’ve found an infected system. Port 6588 can also be a proxy server (which we won’t describe here) with a recent bug. This bug makes it easy for a hacker to exploit, thereby giving them remote access to the system running the proxy server software. The hacker’s system will tell them what service is listening on port 6588 so they know what tools to use to attack that port.
The second line in our log file above is from Africa. Port 5900 is VNC, which is used by many, many system administrators to remotely connect to a system to perform maintenance on it. This software has had a few exploits, and one just last year allowed the attacker to get remote control of the system with VNC installed without having to crack any passwords!
Line 3 has our friend from China back trying again. Same port. They must be trying a few exploits against this port. Maybe they know something that the general security community isn’t aware of yet.
On line 4 in our logs we see a new IP address in the source. This one is from Korea, but notice it’s scanning port 2967. This happens to be the port that Symantec’s Anti-virus software listens on for new updates.
There is a known exploit that allows remote attackers to execute arbitrary code via unknown attack vectors. When hackers find this port they know exactly what exploit to try. In other words, the security software that is designed to protect systems is actually a way in for hackers due to a software bug. It could be that there is a new “hole” in Symantec’s software that hackers know about but Symantec doesn’t. The previous hole was patched, so either the hackers are looking for yet unpatched Symantec software or they know of a new hole and are looking for ways to infect them.
Without reviewing your logs you have no idea what is trying to get into your network.
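The review walked through above can be automated. The following Python script is an added example, not part of the original article: it parses the four sample entries, counts probes per destination port, lists sources that came back more than once, and flags probed ports that match a service you actually run. The listening_ports inventory and the function names are assumptions made for illustration.

```python
from collections import Counter
from datetime import datetime

# The article's four entries. The destination IP is the article's deliberately
# mangled address, so addresses are handled as plain strings, not validated.
SAMPLE_LOG = """\
06/18/2007 12:04:03.416 218.10.111.119 12200 55.66.777.1 6588
06/18/2007 12:16:05.192 41.248.25.147 4925 55.66.777.1 5900
06/18/2007 13:08:02.256 218.10.111.119 12200 55.66.777.1 6588
06/18/2007 13:22:10.224 58.180.199.163 4637 55.66.777.1 2967
"""

# Notes taken from the article's walkthrough; extend for your own network.
PORT_NOTES = {6588: "Trojan or proxy server", 5900: "VNC",
              2967: "Symantec Anti-virus"}


def parse_line(line):
    """Parse one entry into a dict, or return None if it is malformed."""
    parts = line.split()
    if len(parts) != 6:
        return None
    date, time, src_ip, src_port, dst_ip, dst_port = parts
    try:
        when = datetime.strptime(f"{date} {time}", "%m/%d/%Y %H:%M:%S.%f")
        return {"time": when, "src_ip": src_ip, "src_port": int(src_port),
                "dst_ip": dst_ip, "dst_port": int(dst_port)}
    except ValueError:
        return None


def summarize(log_text, listening_ports=()):
    """Count probes per destination port, list sources seen more than once,
    and list probed ports that match a service you run (check those patches)."""
    listening = set(listening_ports)
    entries = [e for e in map(parse_line, log_text.splitlines()) if e]
    port_hits = Counter(e["dst_port"] for e in entries)
    source_hits = Counter(e["src_ip"] for e in entries)
    repeat_sources = sorted(ip for ip, n in source_hits.items() if n > 1)
    exposed = sorted(p for p in port_hits if p in listening)
    return port_hits, repeat_sources, exposed


if __name__ == "__main__":
    # listening_ports is a hypothetical inventory: a site that runs VNC.
    hits, repeats, exposed = summarize(SAMPLE_LOG, listening_ports=[5900])
    for port, count in hits.most_common():
        print(f"port {port}: {count} probe(s) - {PORT_NOTES.get(port, 'unknown')}")
    print("repeat sources:", repeats)
    print("probed ports with a listening service, check patches:", exposed)
```
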
Without a properly configured firewall, this type of attack would surely get through. This happens to be a firewall we configured, so we know of ports like this, and we blocked outside access because this client does not use Symantec products.
When talking security with a business owner I always ask, “When was the last time your network was scanned for openings?” They usually respond with, “Never”. To which I reply, “Oh, you’re wrong there. You’ve been scanned, you just don’t know by who!”
Regular tests of your network show you what the hackers are seeing of your network. It’s a simple process and should be performed at least once a month. The results should be presented to you in a very readable, understandable report.
What to Do Next
The first thing you should do is check your firewall to make sure it’s logging all activity. Then, your job is to start reviewing the logs either every day or, at a bare minimum, once a week. Some routers have the firewall “built-in”. I’ve often found these are very limited in their ability to protect. Even more limiting is their logging functionality. Typically these devices will only show what’s blocked. Often these router/firewalls have the option to have the logs emailed to someone when they’re filled up with entries. This is a nice option, as you can have them directed to someone who will (should) review them in detail and notify you of any entries to be concerned about.
If your firewall doesn’t provide the level of detail described in this article, you should seriously consider upgrading. You can keep your existing router; just turn off the firewall feature and buy a dedicated firewall.