into the system if they are detected trying to enter through the front door, or if they want to enter the system without being detected. The most common backdoor point is a listening port that provides remote access to the system for users (hackers) who do not have, or do not want to use, access or administrative privileges. Firewalls or router filtering may prevent the hacker from later accessing these ports. However, common router filtering may not block high-numbered TCP ports (or any UDP ports). In addition, firewalls and filters may allow traffic originating on a source port such as TCP 20, 53, or 8 to pass. When these ports are blocked, more complex back doors are necessary.

Reverse trafficking is a complex backdoor point that enables the attacker to bypass the existing security mechanisms. While routers and firewalls may prevent all unsolicited packets from entering the network from the outside, a client inside the firewall can still initiate a connection on a specified port number to any host on the outside. Assume that a hacker installs a reverse trafficking Trojan horse that uses TCP port 80 to contact the hacker's computer on a regular basis. Because the client computer “pushes” a system-level command shell to the hacker, the hacker can execute code on the “protected” computer.

The Code Red worm is an example of this backdoor approach: it used reverse trafficking. When installed, Code Red used TCP port 80 to instruct unpatched web servers to execute a TFTP connection from the server to a randomly chosen host on the Internet, where it obtained a piece of rogue code. Because the initiating traffic to the web server was legitimate, it passed the firewall. Subsequently, firewalls and routers allowed the web server to initiate a TFTP (UDP 69) connection to the computer belonging to the hacker. If the exploit is successful, the victim host will experience defacement on all web pages requested from the web server.

Port Redirectors
Port redirectors can help bypass port filters, routers, and firewalls, and can evade intrusion detection. For example, assume that a firewall has ports 80 (HTTP) and 443 (HTTPS) open by default, but port 443 is unused. Assume that there is a database server on port 3389 (ms-wbt-server). A hacker can select port 443 as a listening port and remain undetected. The hacker can then set up a port redirector without disrupting operations. A port redirector takes traffic coming in on one port and directs it to another host on another port. In this example, the port redirector on the web server takes incoming traffic on port 443 and sends it out to port 3389 on the database server.
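Both backdoor patterns above (a server that initiates its own outbound connection, as Code Red did over TFTP, and a host that relays inbound port 443 traffic to port 3389 on another internal host) leave a trace in connection logs. The following is an added example, not course material, that flags both patterns over constructed connection records; the internal range, the list of servers that should never initiate egress, and the time window are assumptions.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Added example (not course material): defender-side detection of the two
# backdoor patterns described above over constructed connection records.
# Record layout: (timestamp_s, src_ip, src_port, dst_ip, dst_port, proto).
INTERNAL = ip_network("10.0.0.0/8")   # assumed internal address range
SERVERS = {"10.0.1.10"}               # assumed servers that must not initiate egress
REDIRECT_WINDOW = 5                   # max seconds between inbound and relayed outbound

def is_internal(ip):
    return ip_address(ip) in INTERNAL

def find_reverse_trafficking(records):
    """Reverse trafficking / Code Red pattern: a server that only answers
    requests initiates its own connection to an external host."""
    return [(ts, src, dst, dport, proto)
            for ts, src, sport, dst, dport, proto in records
            if src in SERVERS and not is_internal(dst)]

def find_port_redirects(records):
    """Port redirector pattern: a host accepts an external connection on an
    allowed port, then shortly opens a connection to another internal host
    on a different port (443 in, 3389 out in the text's example)."""
    inbound = defaultdict(list)                 # host -> [(ts, ext_src, port)]
    for ts, src, sport, dst, dport, proto in records:
        if proto == "tcp" and not is_internal(src) and is_internal(dst):
            inbound[dst].append((ts, src, dport))
    hits = []
    for ts, src, sport, dst, dport, proto in records:
        if proto != "tcp" or not (is_internal(src) and is_internal(dst)):
            continue
        for its, ext, in_port in inbound.get(src, []):
            if 0 <= ts - its <= REDIRECT_WINDOW and in_port != dport:
                hits.append((ext, src, in_port, dst, dport))
    return hits

# Constructed sample records: a benign HTTP hit, a Code Red style TFTP
# fetch by the web server, and a 443 -> 3389 chain through the web server.
SAMPLE = [
    (100, "198.51.100.7", 51000, "10.0.1.10",   80,   "tcp"),  # benign HTTP
    (101, "10.0.1.10",    40000, "203.0.113.9", 69,   "udp"),  # server starts TFTP out
    (200, "198.51.100.7", 51001, "10.0.1.10",   443,  "tcp"),  # inbound on open 443
    (201, "10.0.1.10",    40001, "10.0.2.20",   3389, "tcp"),  # relayed to 3389
    (300, "10.0.3.5",     40002, "10.0.1.10",   443,  "tcp"),  # internal client, no hit
]

if __name__ == "__main__":
    print(find_reverse_trafficking(SAMPLE))
    print(find_port_redirects(SAMPLE))
```

Real deployments would feed NetFlow or firewall logs into the same two functions; the window and the server list are the only site-specific tuning.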
5.1.8 Step 7: Leverage the Compromised System

The hacker is now in control of the system and can take advantage of it by employing any of the techniques listed in Figure. After installing back doors and port redirectors, hackers try to attack other systems once the local system is fully compromised. Recall that reverse trafficking enables hackers to bypass security mechanisms, and that Trojan horses help hackers execute commands undetected. If the target host enables failed login auditing or runs a third-party intrusion detection system (IDS), it will record the IP address or computer name of the host running the port redirector, not the system used by the hacker. This makes it difficult to identify the attacker directly.

After hackers gain administrative access, they move on to hacking other systems on the network. As each new system is hacked, the attacker repeats the steps outlined previously to gather additional system and password information. Hackers may scan and exploit a single system or a whole set of networks, and the whole process can be automated. It is difficult to identify this type of activity because the attacker is usually operating under the guise of a valid administrator account. Unless you catch the attacker before the person gains administrator access, it may be nearly impossible to flush the attacker from the network.
5.1.9 Best Practices to Defeat Hackers

Defending your network against attack requires constant vigilance and education. The ten practices summarized in Figure represent the best insurance for your network. These methods are only a starting point for sound security management; organizations must remain vigilant at all times to defend against continually evolving threats.
5.2.1 Types of Network Attacks

An attack against an enterprise network occurs in several stages. In the initial stages, the attacker may have only limited information about the target. Figure illustrates these types of attack. One of the primary attacker objectives is to gather intelligence about the target's vulnerabilities. Reconnaissance attacks are the unauthorized collection of information about network weaknesses. Other attacks that typically do not require in-depth knowledge about the target include access attacks and denial of service (DoS) and distributed DoS (DDoS) attacks.

Access attacks exploit known vulnerabilities in authentication services, FTP services, and web services to gain entry to web accounts, confidential databases, and other sensitive information.

DoS attacks are one of the most publicized forms of attack and are among the most difficult attacks to completely eliminate. They can employ various techniques, such as overwhelming network resources, to render systems unavailable or reduce network functionality. A DoS attack on a server sends extremely large volumes of requests over a network or the Internet. These large volumes of requests cause the attacked server to slow down dramatically, leaving it unavailable for legitimate access and use. DDoS attacks are the “next generation” of DoS attacks on the Internet. Victims of DDoS attacks experience packet flooding from many different sources (possibly with spoofed IP source addresses) that overwhelms the network connectivity. In the past, the typical DoS attack involved a single attempt to flood a target host with packets. With DDoS tools, an attacker can conduct the same attack using thousands of systems.

Once the attacker has gathered information about the target network, or even has direct access to the resources as an inside user, a range of other attack types can be launched against the enterprise systems.
Figure illustrates attacks requiring more intelligence or insider information. Worms, viruses, and Trojan horses are examples of malicious code that can compromise the hosts in the enterprise network. These attacks can either be injected by an inside user or can be used to exploit a vulnerability in the network defense in order to compromise a protected system. Application layer attacks aim at the highest Open System Interconnection