Hacking & Defense 1 (PowerPoint transcript, 56 slides)
Course: CS 478 / CIS 678 Network Security, Dr. Susan Lincke
Source: http://www.cs.uwp.edu

Transcript and Presenter's Notes
1
Hacking & Defense 1
  • CS 478 / CIS 678 Network Security
  • Dr. Susan Lincke

2
Network Security: Hacking & Defense Part 1
  • Text
  • Computer Security: Principles and Practice, W. Stallings, L. Brown
  • Chapter 12: Operating System Security
  • Objectives
  • The student should be able to:
  • Define traceroute, ping sweep, port scanning, fingerprinting, man-in-the-middle, spoofing, directory traversal, SQL injection, Nessus, nmap, native virtualization, hosted virtualization
  • List 3 attacks and countermeasures for each of the hacking steps: 1) Footprint, 2) Scan/Enumerate, 3) Gain Access, and 4) Exploit (3 attacks only)
  • Describe the 3 major steps of hardening a computer. Explain the reason and methods of each of the steps.
  • Class Time
  • Lecture
  • Hacking: 1 hour
  • General Controls: 1/2 hour
  • Lab 1 Footprinting: 1 hour
  • Total: 2.5 hours

3
The Problem of Network Security
  • The Internet allows an attacker to attack from anywhere in the world, from their own desk.
  • The attacker only needs to find one vulnerability; the security analyst needs to close every vulnerability.

4
Traditional Hacking
  • The traditional way to break into a bank/museum/store includes:
  • Footprint
  • When are the worst guards on duty?
  • When are there the fewest people?
  • What is the lingo?
  • Scan & Enumerate
  • Where are the goods? Is there a back door?
  • Who is the person to contact for social engineering?
  • Gain Access
  • Break in
  • Find out the needed information
  • Exploit
  • Dig a tunnel to have continual access
  • Establish a good social engineering relationship to access further info

5
Traditional Hacking
  • The traditional way to hack into a system follows the same steps:
  • Footprint: get a big picture of what the network is
  • Scan & Enumerate: identify reachable hosts, services, OS/service versions
  • Gain Access: take advantage of what the reconnaissance found
  • Exploit: escalate and maintain access

6
Hacking Networks: Phase 1 Reconnaissance / Footprint
  • Physical Break-In
  • Dumpster Diving
  • Google, Newsgroups, Web sites
  • WhoIs Database (Sam Spade)
  • Social Engineering
  • Domain Name Server Interrogations
  • Example whois record:
  • Registrant: Microsoft Corporation, One Microsoft Way, Redmond, WA 98052, US
  • Domain name: MICROSOFT.COM
  • Administrative Contact: Administrator, Domain domains@microsoft.com, One Microsoft Way, Redmond, WA 98052, US, +1.4258828080
  • Technical Contact: Hostmaster, MSN msnhst@microsoft.com, One Microsoft Way, Redmond, WA 98052, US, +1.4258828080

Social engineering by phone: "Hi Ann, this is Tom, the Admin. We are having a bad problem. What is your password?"
7
1 Reconnaissance / Footprinting
  • Footprinting: gather information about the target. Stages include:
  • Determine scope of activity: what is out there, and what does the hacker hope to accomplish?
  • Search company web pages: locations, subsidiaries, contact names, phone numbers, email, privacy or security policies, links to the organization's other web servers
  • Monitor HTML comment tags (not publicly shown)
  • Perform open-source searches for info on the target: news, press releases
  • The www.sec.gov EDGAR database lists publicly traded companies; recently-listed or recently-acquired companies are often vulnerable
  • Network Enumeration: discover networks attached to the domains
  • Obtain information from whois databases
  • Identify domain names: ms.com and Microsoft.com
  • Network Reconnaissance: learn the network topology via DNS interrogation and network commands (e.g., traceroute)

8
1 Whois
  • Whois provides information on:
  • Registrar: sponsoring company
  • Organizational/Point of contact: contact information
  • Can be used for:
  • Social Engineering: break into the company via the human interface (phone or email), posing as a trusted support person
  • War dialers: search for dial-up modems (the listed phone numbers give the range to dial)
  • Network/Domain: DNS server names, CIDR range
  • Whois databases include:
  • http://whois.educause.net
  • www.allwhois.com
  • www.samspade.org
  • www.arin.net (American Registry for Internet Numbers)
  • Whois Example:
  • bash$ whois "Tellurian Net"@whois.arin.net

9
Whois - Controls
  • Guard security by:
  • Posting a fictitious name in the whois database
  • Keeping contact information and contact registration in the registry up-to-date
  • Ensuring secure access to the registry (AOL was defrauded in 1998)
  • Guarding personnel directories

10
1 Network Reconnaissance
  • Network Reconnaissance: learn the network topology
  • DNS (Domain Name System) maps hostnames to IP addresses and vice versa
  • DNS Interrogation: learn the location of web, email, firewall servers
  • Zone transfers dump the contents of the DNS database to a secondary server (intended for backup/secondary name servers, but they serve an attacker just as well when unrestricted)

11
DNS Lookup Command: nslookup
  • nslookup
  • > set type=any
  • > ls -d Tellurian.net. >> /tmp/store
  • ce    1D IN CNAME  Aesop
  • au    1D IN A      192.168.230.4
  •       1D IN TXT    "Location: Library"
  •       1D IN RP     jcoy.erebus jcoy.who
  •       1D IN MX     0 tellurianadmin-smtp
  • Above we are asking the Tellurian.net DNS server to list all records for the domain (a zone transfer)
  • HINFO: identifies platform/OS
  • MX: Mail Exchange (email server)
  • A: Internet Address

12
DNS Controls
  • To guard security:
  • Don't give away information!
  • Exclude internal network information from external name servers
  • Eliminate HINFO records from name servers
  • Prevent or restrict zone transfers to authorized machines/users
  • Restrict access to internal DNS from outside
  • Disable inbound connections to TCP port 53 from untrusted networks (TCP carries zone transfers; ordinary name lookups use UDP 53)
  • Caveat: UDP name lookups are retried as TCP requests when the response is > 512 bytes, so blocking TCP 53 outright also blocks those large answers
  • Log inbound connections to port 53 to track potential attacks

13
1 Traceroute
  • Traceroute: provides the list of routers between source and destination
  • To run:
  • bash$ traceroute cs.uwp.edu
  • DOS> tracert cs.uwp.edu
  • Traceroute can be run from multiple locations to learn multiple entry points into the network
  • How traceroute operates:
  • Traceroute sends probes with increasing TTL values; the router at which the TTL expires returns an ICMP_TIME_EXCEEDED message, revealing its address
  • Windows: uses ICMP echo request packets
  • UNIX: uses UDP probes (default) or ICMP with the -I option
  • To guard security:
  • Do not permit pings from outside the network
  • Block ICMP and UDP at the network edge (firewall or router)
  • Note: blocking only ICMP or only UDP may still allow mapping, since either may be used
  • Detect attacks:
  • Use IDS systems to detect traceroute requests
  • www.snort.org: free IDS program that detects these
  • RotoRouter (www.ussrback.com/UNIX/loggers/rr.c.gz) generates fake responses to traceroutes
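A simulation of the TTL mechanism described above, added here as an example (it is not part of the slides). The topology and addresses are hypothetical; one router models the "block ICMP at the edge" control by discarding its own TIME_EXCEEDED reply, and the destination can be told to drop the probe itself, which is what the reader sees as rows of `* * *`.

```python
"""Simulated traceroute over a constructed topology (added example, not from the slides)."""
from dataclasses import dataclass

# Hypothetical destination address for this example only.
DEST = "198.51.100.7"


@dataclass
class Router:
    addr: str
    # True models an edge firewall that drops the ICMP TIME_EXCEEDED it would otherwise send.
    drop_time_exceeded: bool = False


def traceroute(path, dest, max_hops=30, dest_filters_probes=False):
    """Send one probe per TTL value and record who answered.

    path: the routers between the source and dest, in order.
    Returns a list of (ttl, responder); responder is None when nothing came back,
    which the traceroute tool prints as '*'.
    """
    hops = []
    for ttl in range(1, max_hops + 1):
        remaining = ttl
        responder = None
        for router in path:
            remaining -= 1            # every router decrements TTL before forwarding
            if remaining == 0:
                # TTL expired here: the router answers with ICMP TIME_EXCEEDED,
                # unless its own filtering policy discards that message.
                responder = None if router.drop_time_exceeded else router.addr
                break
        else:
            # The probe reached the destination. UNIX traceroute expects an ICMP
            # PORT_UNREACHABLE for its UDP probe; tracert expects an ECHO_REPLY.
            # A host firewall that drops the probe yields a timeout instead.
            responder = None if dest_filters_probes else dest
        hops.append((ttl, responder))
        if responder == dest:
            break
    return hops


def render(hops):
    """Format the hop list the way traceroute prints it."""
    return "\n".join(f"{ttl:2d}  {addr if addr else '* * *'}" for ttl, addr in hops)


if __name__ == "__main__":
    topology = [Router("10.0.0.1"),
                Router("172.16.0.1", drop_time_exceeded=True),
                Router("203.0.113.1")]
    print(render(traceroute(topology, DEST)))
```

Hop 2 prints as `* * *` because the filtering router never answers, yet hop 3 and the destination still appear: filtering at one router hides that router, not the path behind it. Only when the destination (or a firewall in front of it) also drops the probes does the trace run to `max_hops` without resolving.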

14
Hacking Networks: Phase 2 Scanning & Enumeration
  • Scanning
  • Host Scanning: which IP addresses are live?
  • Network Scanning: how is the network routing system organized?
  • Port Scanning: which services are running on which ports?
  • Enumeration
  • Fingerprinting: which software versions are running on the different sockets?
  • Active fingerprinting: send specific messages, observe the replies
  • Passive fingerprinting: observe patterns in IP packets
  • Stealth scanning: slow scanning stays under the intrusion detection radar

15
Hacking Networks: Phase 2 Scanning Tools
  • War Driving: NetStumbler
  • War Dialing
  • Network Mapping: Nmap
  • Vulnerability-Scanning Tools: Nessus

16
2 IP/ICMP Scanning: Ping Sweep (Nmap)
  • Which hosts exist?
  • SRC 192.168.0.35 → DEST
  • Ping → 124.223.0.22
  • Ping → 124.223.0.25
  • ← Ping Reply 124.223.0.25
  • Ping → 124.223.0.34
  • Ping → 124.223.0.38
  • Ping → 124.223.0.28
  • Only 124.223.0.25 answered; the other addresses are either unused or filtered
  • Windump Output:
  • 15:19:42.744527 IP 192.168.0.4 > 192.168.0.5: icmp 1480: echo request seq 7168
  • 15:19:42.748241 IP 192.168.0.5 > 192.168.0.4: icmp 1480: echo reply seq 7168

17
2 Which ports exist?
  • Initiate a TCP connection
  • SYN →
  • ← SYN,ACK
  • ACK →
  • Windump of the established connection:
  • 14:54:50.191132 IP 192.168.0.4.1226 > 192.168.0.5.23: S 262694098:262694098(0) win 16384 (DF)
  • 14:54:50.192200 IP 192.168.0.5.23 > 192.168.0.4.1226: S 116356462:116356462(0) ack 262694099 win 17520 (DF)
  • 14:54:50.192249 IP 192.168.0.4.1226 > 192.168.0.5.23: . ack 1 win 17520 (DF)

18
TCP/UDP Port Scanning (NMAP)
Windump of nmap host discovery (ICMP echo plus a TCP ACK to port 80 per host) followed by SYN probes; the results appear on the next slide:
16:05:30.467167 IP 10.1.1.179 > 10.1.1.1: icmp 8: echo request seq 21868
16:05:30.467722 IP 10.1.1.179.51637 > 10.1.1.1.80: . ack 4061861214 win 1024
16:05:30.468380 IP 10.1.1.1 > 10.1.1.179: icmp 8: echo reply seq 21868
16:05:30.469126 IP 10.1.1.1.80 > 10.1.1.179.51637: R 4061861214:4061861214(0) win 0
16:05:30.471181 arp who-has 10.1.1.2 tell 10.1.1.179
16:05:30.472160 arp reply 10.1.1.2 is-at 00:14:1c:cb:7e:40
16:05:30.473194 IP 10.1.1.179.51637 > 10.1.1.2.80: . ack 2891650718 win 4096
16:05:30.473651 IP 10.1.1.2.80 > 10.1.1.179.51637: R 2891650718:2891650718(0) win 0
16:05:30.595387 IP 10.1.1.179.51614 > 10.1.1.1.80: S 1057455211:1057455211(0) win 3072
16:05:30.595590 IP 10.1.1.179.51614 > 10.1.1.2.80: S 1057455211:1057455211(0) win 2048
16:05:30.595723 IP 10.1.1.179.51614 > 10.1.1.3.80: S 1057455211:1057455211(0) win 2048
16:05:30.595837 IP 10.1.1.179.51614 > 10.1.1.1.1723: S 1057455211:1057455211(0) win 4096
16:05:30.596210 IP 10.1.1.3.80 > 10.1.1.179.51614: S 1929989182:1929989182(0) ack 1057455212 win 5840 <mss 1460>
16:05:30.597145 IP 10.1.1.179.51614 > 10.1.1.3.80: R 1057455212:1057455212(0) win 0
16:05:30.597371 IP 10.1.1.2.80 > 10.1.1.179.51614: S 210104500:210104500(0) ack 1057455212 win 4128 <mss 536>
16:05:30.597723 IP 10.1.1.1.80 > 10.1.1.179.51614: S 2750234221:2750234221(0) ack 1057455212 win 4128 <mss 536>
16:05:30.597744 IP 10.1.1.179.51614 > 10.1.1.1.80: R 1057455212:1057455212(0) win 0
16:05:30.597810 IP 10.1.1.1.1723 > 10.1.1.179.51614: R 0:0(0) ack 1057455212 win 0
Note the half-open pattern: each SYN/ACK from an open port is answered by the scanner with a RST, so no connection is ever completed; the closed port 1723 answers with RST/ACK directly.
19
NMAP Results
Starting nmap 3.81 ( http://www.insecure.org/nmap ) at 2006-07-27 16:05 Central Daylight Time
Interesting ports on MainRouter.cybersec.cs.uwp.edu (10.1.1.1):
(The 1659 ports scanned but not shown below are in state: closed)
PORT    STATE SERVICE
22/tcp  open  ssh
23/tcp  open  telnet
80/tcp  open  http
443/tcp open  https
MAC Address: 00:14:69:3A:FE:F6 (Unknown)
Interesting ports on MainSwitch.cybersec.cs.uwp.edu (10.1.1.2):
(The 1661 ports scanned but not shown below are in state: closed)
PORT   STATE SERVICE
23/tcp open  telnet
80/tcp open  http
MAC Address: 00:14:1C:CB:7E:40 (Unknown)
Interesting ports on sholmes.cybersec.cs.uwp.edu (10.1.1.3):
(The 1647 ports scanned but not shown below are in state: closed)
PORT     STATE SERVICE
22/tcp   open  ssh
53/tcp   open  domain
80/tcp   open  http
110/tcp  open  pop3
111/tcp  open  rpcbind
113/tcp  open  auth
139/tcp  open  netbios-ssn
143/tcp  open  imap
445/tcp  open  microsoft-ds
548/tcp  open  afpovertcp
631/tcp  open  ipp
644/tcp  open  unknown
668/tcp  open  unknown
993/tcp  open  imaps
2049/tcp open  nfs
3128/tcp open  squid-http
MAC Address: 00:0E:A6:5C:E1:67 (Asustek Computer)
Nmap finished: 3 IP addresses (3 hosts up) scanned in 2.360 seconds
20
Scan Types
  • TCP connect scan: performs the full 3-way handshake (logged by the target application)
  • TCP SYN: SYN → SYN/ACK means open; the scanner answers with RST, so the handshake never completes (half-open scan)
  • TCP FIN: FIN → RST from a closed port; an open port stays silent (UNIX/RFC 793 behaviour; Windows replies RST in both cases, so the scan cannot distinguish them)
  • TCP Xmas Tree scan: FIN/URG/PUSH → RST from closed ports, same rule as FIN
  • TCP Null: no flags → RST from closed ports, same rule as FIN
  • TCP ACK: ACK → does a RST come back? Tells whether the firewall is stateful
  • TCP Window: identify the system via the window size it reports
  • TCP RPC: identify RPC ports, program names and version numbers
  • UDP scan: if the port is inactive → ICMP port unreachable; no reply means open or filtered

21
Scanner - Controls
  • To guard security:
  • Detect attacks
  • Detect ping sweeps, incoming ICMP traffic and port scans via IDS/IPS
  • Identify the attacker and the possible time of attack
  • Prevent attacks
  • Filter all incoming sessions to ports except those that are expressly permitted
  • Filter traffic from attack source IP addresses
  • Filter all ICMP traffic, or
  • Filter ICMP TIMESTAMP and ADDRESS MASK request packets
  • Minimal: allow only ECHO_REPLY, HOST_UNREACHABLE, TIME_EXCEEDED into the demilitarized zone (DMZ)
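The detection control on this slide, worked as an added example over the kind of windump lines shown on the scanning slides (this code and the sample capture are constructed for illustration and are not from the slides). One source that sends bare SYNs to many distinct host/port pairs, or echo requests to many hosts, is reported; a normal client that completes one handshake is not. Thresholds are assumed values, to be tuned per network.

```python
"""Ping-sweep and SYN-scan detector over tcpdump/windump-style lines (added example)."""
import re
from collections import defaultdict

# Constructed capture modelled on the slide's windump output: 10.1.1.179 pings three hosts and
# SYN-probes several ports; the ordinary client 10.1.1.50 opens one connection to 10.1.1.3:80.
SAMPLE = """\
16:05:30.467167 IP 10.1.1.179 > 10.1.1.1: icmp 8: echo request seq 21868
16:05:30.468380 IP 10.1.1.1 > 10.1.1.179: icmp 8: echo reply seq 21868
16:05:30.470000 IP 10.1.1.179 > 10.1.1.2: icmp 8: echo request seq 21869
16:05:30.472000 IP 10.1.1.179 > 10.1.1.3: icmp 8: echo request seq 21870
16:05:30.595387 IP 10.1.1.179.51614 > 10.1.1.1.80: S 1057455211:1057455211(0) win 3072
16:05:30.595590 IP 10.1.1.179.51614 > 10.1.1.2.80: S 1057455211:1057455211(0) win 2048
16:05:30.595723 IP 10.1.1.179.51614 > 10.1.1.3.80: S 1057455211:1057455211(0) win 2048
16:05:30.595837 IP 10.1.1.179.51614 > 10.1.1.1.1723: S 1057455211:1057455211(0) win 4096
16:05:30.596000 IP 10.1.1.179.51614 > 10.1.1.1.22: S 1057455211:1057455211(0) win 4096
16:05:30.596100 IP 10.1.1.179.51614 > 10.1.1.1.23: S 1057455211:1057455211(0) win 4096
16:05:30.596210 IP 10.1.1.3.80 > 10.1.1.179.51614: S 1929989182:1929989182(0) ack 1057455212 win 5840 <mss 1460>
16:05:30.597145 IP 10.1.1.179.51614 > 10.1.1.3.80: R 1057455212:1057455212(0) win 0
16:05:30.597810 IP 10.1.1.1.1723 > 10.1.1.179.51614: R 0:0(0) ack 1057455212 win 0
16:05:30.597900 IP 10.1.1.1.22 > 10.1.1.179.51614: R 0:0(0) ack 1057455212 win 0
16:05:31.000000 IP 10.1.1.50.40001 > 10.1.1.3.80: S 123456:123456(0) win 65535
16:05:31.000500 IP 10.1.1.3.80 > 10.1.1.50.40001: S 654321:654321(0) ack 123457 win 5840 <mss 1460>
16:05:31.001000 IP 10.1.1.50.40001 > 10.1.1.3.80: . ack 1 win 65535
"""

IPV4 = r"\d+(?:\.\d+){3}"
# Old-style tcpdump TCP line: "ts IP a.b.c.d.sport > e.f.g.h.dport: FLAGS ..."
TCP_RE = re.compile(rf"^(?P<ts>\S+) IP (?P<src>{IPV4})\.(?P<sport>\d+) > "
                    rf"(?P<dst>{IPV4})\.(?P<dport>\d+): (?P<flags>[SRFP.]+) ")
ICMP_RE = re.compile(rf"^(?P<ts>\S+) IP (?P<src>{IPV4}) > (?P<dst>{IPV4}): icmp \d+: echo request")


def detect(lines, port_threshold=5, host_threshold=3):
    """Return alerts for sources that SYN-probe many (host, port) pairs or ping many hosts.

    Thresholds are assumed values for this example; tune them per network.
    """
    syn_targets = defaultdict(set)   # src -> {(dst, dport)} for bare SYNs (no ACK bit)
    ping_targets = defaultdict(set)  # src -> {dst} for ICMP echo requests
    rst_answers = defaultdict(int)   # prober -> RSTs received back (closed ports answering)
    for line in lines:
        m = TCP_RE.match(line)
        if m:
            flags = m["flags"]
            if "S" in flags and " ack " not in line:      # SYN without ACK: a new probe
                syn_targets[m["src"]].add((m["dst"], m["dport"]))
            elif "R" in flags:
                rst_answers[m["dst"]] += 1               # the RST goes back to the prober
            continue
        m = ICMP_RE.match(line)
        if m:
            ping_targets[m["src"]].add(m["dst"])
    alerts = []
    for src, targets in syn_targets.items():
        if len(targets) >= port_threshold:
            alerts.append({"src": src, "kind": "port_scan", "count": len(targets),
                           "rst_replies": rst_answers.get(src, 0)})
    for src, hosts in ping_targets.items():
        if len(hosts) >= host_threshold:
            alerts.append({"src": src, "kind": "ping_sweep", "count": len(hosts)})
    return sorted(alerts, key=lambda a: (a["src"], a["kind"]))


if __name__ == "__main__":
    for alert in detect(SAMPLE.splitlines()):
        print(alert)
```

The RST count is kept as corroborating evidence: a scanner collects RSTs from every closed port it touches, whereas a legitimate client almost never does. A slow ("stealth") scan spread over hours defeats a per-capture count like this one, which is why production IDS rules keep per-source state over a sliding time window.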

22
2 Enumeration > Fingerprinting: Identifying the system software
  • Active Stack Fingerprinting: send messages to determine versions of system software
  • Stack Fingerprinting: identify the host OS
  • Banner Grabbing: identify applications (including version if possible)
  • Identify the host OS version via: FIN probe, Bogus Flag probe, Initial Sequence Number sampling, Don't Fragment bit monitoring, TCP initial window size, ACK value, ICMP message reactions, etc.
  • Passive Stack Fingerprinting: monitors network traffic to determine OS type/version
  • Tool: Siphon
  • TTL: what is the initial Time To Live value?
  • Window Size: what is the default window size?
  • DF: is the Don't Fragment flag set?
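The three passive attributes on this slide, turned into a small classifier as an added example (not the slides' own code, and not Siphon's). The signature table is a constructed, approximate subset of commonly published p0f-style defaults; a real tool carries hundreds of entries and also uses MSS, option order and timestamps. The observed TTL has already been decremented by every router on the path, so the guess first rounds it up to the nearest common starting value and reports the hop distance as a by-product.

```python
"""Passive OS guess from TTL, window size and DF (added example; signatures approximate)."""
import re

# Approximate default (initial TTL, TCP window, DF set) signatures as seen on SYN/SYN-ACK
# packets. Constructed for this example from commonly published p0f-style values.
SIGNATURES = [
    ("Linux 2.4/2.6",   64, 5840,  True),
    ("FreeBSD",         64, 65535, True),
    ("Windows 2000",   128, 16384, True),
    ("Windows XP",     128, 65535, True),
    ("Cisco IOS",      255, 4128,  False),
]

INITIAL_TTLS = (32, 64, 128, 255)

# Constructed 'tcpdump -v' style line for the SYN/ACK that 10.1.1.3 sent on the scanning slide.
SAMPLE_LINE = ("16:05:30.596210 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), "
               "length 44) 10.1.1.3.80 > 10.1.1.179.51614: Flags [S.], seq 1929989182, "
               "ack 1057455212, win 5840, options [mss 1460], length 0")


def initial_ttl(observed):
    """Round the observed TTL up to the nearest common starting value."""
    for value in INITIAL_TTLS:
        if observed <= value:
            return value
    return observed


def guess_os(ttl, window, df):
    """Return (os_name, hop_distance); os_name is 'unknown' when no signature matches."""
    start = initial_ttl(ttl)
    hops = start - ttl
    for name, sig_ttl, sig_win, sig_df in SIGNATURES:
        if sig_ttl == start and sig_win == window and sig_df == df:
            return name, hops
    return "unknown", hops


def guess_from_tcpdump_v(line):
    """Pull ttl, win and the DF flag out of a 'tcpdump -v' line and classify it."""
    ttl = int(re.search(r"ttl (\d+)", line).group(1))
    win = int(re.search(r"win (\d+)", line).group(1))
    df = "[DF]" in line
    return guess_os(ttl, win, df)


if __name__ == "__main__":
    print(guess_from_tcpdump_v(SAMPLE_LINE))          # ('Linux 2.4/2.6', 0)
    print(guess_os(ttl=253, window=4128, df=False))   # ('Cisco IOS', 2)
```

The window 4128 with MSS 536 seen from 10.1.1.1 and 10.1.1.2 on the scanning slide is the classic router signature, which is consistent with nmap naming them MainRouter and MainSwitch. Window scaling and hosts that randomise their initial TTL are the usual sources of wrong guesses, which is why passive fingerprinting is corroborated with banners or an active probe before anyone acts on it.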

23
2 Which services exist? Nessus
24
Nessus
Sample Nessus finding:
  • unknown (5900/tcp): The remote server is running VNC. VNC permits a console to be displayed remotely.
  • Solution: Disable VNC access from the network by using a firewall, or stop the VNC service if not needed.
  • Risk factor: Medium
  • Plugin ID: 10342
  • Version of VNC Protocol is: RFB 003.008 (Plugin ID 10342)
  • Port is open (Plugin ID 11219)

25
Enumeration Tools
  • Port scanners and enumeration tools include:
  • Nmap (Network Mapper): TCP/UDP; decoy or bogus scans supported to complicate IDS detection
  • Windows scanners: NBTStat, Winfingerprint, SuperScan, Enum
  • Unix scanners: Samba smbclient, nmblookup, rpcclient, rpcinfo, showmount, R-tools
  • Wireless tools: NetStumbler, AiroPeek, Wellenreiter, Kismet
  • War Dialers: ToneLoc, THC-Scan, ShokDial
  • Netcat (nc): TCP/UDP port scanning, verbose options
  • NetScan: axfr, whois, ping sweeps, NetBIOS name table scans, SNMP walks, etc.

26
Enumeration Controls
  • To guard security:
  • Evaluate the computer from the inside
  • Enumeration tools help the administrator determine available services and evaluate vulnerabilities
  • MS Baseline Security Analyzer (MBSA)
  • NESSUS
  • Evaluate the computer from the outside
  • Scan from outside the firewall to find unnecessary services
  • Can use www.grc.com to scan your own machine or network
  • Disable all unnecessary services
  • UNIX: comment out unnecessary services in /etc/inetd.conf
  • WINDOWS: disable services via Control Panel/Services

27
Hacking Networks: Phase 3 Gaining Access
  • Network Attacks
  • Sniffing
  • IP Address Spoofing
  • Session Hijacking
  • System Attacks
  • Buffer Overflow
  • Password Cracking
  • SQL Injection
  • Web Protocol Abuse
  • Denial of Service

[Figure: sniffed cleartext credentials: Login: Ginger, Password: Snap]
28
3 System Attacks
  • Buffer Overflows
  • Overflowing input buffers to corrupt the system stack and cause code execution, with the intention of gaining access
  • Requires zero privilege
  • Can exploit any node
  • Directory Traversal
  • Using ../ sequences in a request, e.g. http://www.cs.uwp.edu/../../cmd.exe, to reach files outside the web server's document root
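The traversal request above, shown against a naive path join and against the check that stops it, as an added example (not from the slides). The document root is hypothetical; the safe resolver decodes the URL once, normalises the path, and then refuses anything that no longer sits inside the root, which is the only check that holds up against `..`, percent-encoded `%2e%2e` and mixed variants alike.

```python
"""Directory traversal: naive path join versus a canonicalised, root-checked resolver
(added example, not from the slides)."""
import posixpath
from urllib.parse import unquote

WEB_ROOT = "/var/www/html"   # hypothetical document root for this example


def vulnerable_resolve(url_path):
    """Mirror a server that simply appends the request path to its document root.
    normpath shows where the OS would actually look after resolving the '..' segments."""
    return posixpath.normpath(WEB_ROOT + unquote(url_path))


def safe_resolve(url_path):
    """Decode once, normalise, then insist the result is still inside WEB_ROOT.
    Returns the filesystem path, or None when the request escapes the root."""
    decoded = unquote(url_path)                       # %2e%2e -> ..   (decode exactly once)
    candidate = posixpath.normpath(posixpath.join(WEB_ROOT, decoded.lstrip("/")))
    # On a real filesystem call os.path.realpath() on `candidate` before this test so that a
    # symlink inside the root cannot re-introduce an escape.
    if candidate == WEB_ROOT or candidate.startswith(WEB_ROOT + "/"):
        return candidate
    return None


if __name__ == "__main__":
    for request in ("/index.html", "/../../cmd.exe", "/%2e%2e/%2e%2e/etc/passwd"):
        print(f"{request:32} naive -> {vulnerable_resolve(request):22} "
              f"checked -> {safe_resolve(request)}")
```

The prefix test compares against `WEB_ROOT + "/"` rather than `WEB_ROOT` alone, otherwise a sibling directory such as `/var/www/html2` would pass. Stripping `..` from the input instead of checking the result is the common wrong fix: `....//` survives one round of stripping and turns back into `../`.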

29
Analyzing Protocols: ARP
  • ARP Sequence
  • 192.168.0.4 → 192.168.0.5: ARP Request
  • 192.168.0.4 ← 192.168.0.5: ARP Reply
  • Windump Output:
  • 14:54:50.190823 arp who-has 192.168.0.5 tell 192.168.0.4
  • 14:54:50.191108 arp reply 192.168.0.5 is-at 0:90:27:1c:50:d0

30
ARP Man-in-the-Middle Attack
[Figure: hosts 1.1.1.1, 1.1.1.2 (attacker) and 1.1.1.3 (victim). (1) 1.1.1.3 broadcasts "ARP: who has 1.1.1.1?"; (2) 1.1.1.1 replies with its MAC; (3) 1.1.1.2 also replies "I am 1.1.1.1" with its own MAC, poisoning the victim's ARP cache]
31
ARP Man-in-the-Middle Attack
[Figure: with the cache poisoned, 1.1.1.3's Login (1) and Password (3) are delivered to 1.1.1.2, which forwards them on to 1.1.1.1 as (2) and (4); the attacker reads both]
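The two ARP slides above, replayed through an arpwatch-style monitor as an added example (this is not the slides' code or arpwatch itself). The capture is constructed to match the diagram: the victim asks once, the real host answers, then the attacker answers too. The monitor flags the reply nobody asked for and the MAC flip; passing a static entry for the gateway models the usual defence of pinning it in the ARP cache, in which case the spoofed reply is logged but ignored.

```python
"""arpwatch-style detector for ARP cache poisoning over tcpdump/windump arp lines
(added example; the capture below is constructed to match the slide's diagram)."""
import re

# Step (1): 1.1.1.3 asks for 1.1.1.1. Step (2): the real host answers.
# Step (3): the attacker at 1.1.1.2 answers too, claiming 1.1.1.1 with its own MAC.
SAMPLE = """\
14:54:50.190823 arp who-has 1.1.1.1 tell 1.1.1.3
14:54:50.191108 arp reply 1.1.1.1 is-at 0:90:27:1c:50:d0
14:54:50.191500 arp reply 1.1.1.1 is-at 0:14:1c:cb:7e:40
"""

REQ_RE = re.compile(r"^(?P<ts>\S+) arp who-has (?P<ip>[\d.]+) tell (?P<asker>[\d.]+)")
REPLY_RE = re.compile(r"^(?P<ts>\S+) arp reply (?P<ip>[\d.]+) is-at (?P<mac>[0-9a-fA-F:]+)")


def watch(lines, static=None):
    """Replay ARP traffic into a cache and report suspicious replies.

    static: {ip: mac} entries pinned by the administrator (the classic defence for the
    gateway); a reply contradicting a pinned entry is logged and ignored.
    Returns (cache, alerts); each alert is (timestamp, kind, ip, detail).
    """
    static = {ip: mac.lower() for ip, mac in (static or {}).items()}
    cache = dict(static)
    pending = set()    # IPs we have asked about and not yet heard back on
    alerts = []
    for line in lines:
        m = REQ_RE.match(line)
        if m:
            pending.add(m["ip"])
            continue
        m = REPLY_RE.match(line)
        if not m:
            continue
        ip, mac, ts = m["ip"], m["mac"].lower(), m["ts"]
        if ip not in pending:
            # A reply nobody asked for (a second answer to one request, or a gratuitous
            # ARP) is the usual shape of a poisoning attempt.
            alerts.append((ts, "unsolicited_reply", ip, mac))
        pending.discard(ip)
        if ip in cache and cache[ip] != mac:
            alerts.append((ts, "mac_changed", ip, f"{cache[ip]} -> {mac}"))
            if ip in static:
                continue             # pinned entry: do not let the reply overwrite it
        cache[ip] = mac
    return cache, alerts


if __name__ == "__main__":
    cache, alerts = watch(SAMPLE.splitlines())
    print(cache["1.1.1.1"], alerts)     # attacker's MAC now wins without a static entry
    cache, alerts = watch(SAMPLE.splitlines(), static={"1.1.1.1": "0:90:27:1c:50:d0"})
    print(cache["1.1.1.1"], alerts)     # pinned entry survives; alerts still raised
```

Gratuitous ARP is also used legitimately (failover, address changes), so an unsolicited reply on its own is a warning rather than proof; the MAC flip on a gateway address, or a MAC that answers for several IPs at once, is the signal worth paging on. On managed switches, Dynamic ARP Inspection enforces the same rule at the port instead of on each host.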
32
Spoofing
  • DNS Spoofing: the attacker provides a DNS reply before the real DNS server does
  • MAC Address Spoofing: impersonate another terminal to gain access
  • IP Address Spoofing: e.g. send a Receive-Window=0 packet, or perform Session Hijacking
  • Phishing: sending an email or providing a web page, pretending you are someone else but using your own IP address
  • The spoofer may not receive any replies (they go to the impersonated address)

[Figure: Joe sends "I am John" through the Router/AP toward John]
33
Man-In-The-Middle Attack
[Figure: the Victim's Login goes to a Trojan AP or Rogue Access Point, which relays it to the Real AP; the rogue AP also implements SPOOFING]
34
Distributed Denial of Service
[Figure: the Attacker controls a Handler, which directs Zombies located in N. Korea, Russia and the United States to flood the Victim: SYN Flood, Smurf Attack (Pings)]
35
SQL Injection
  • Java Original: "SELECT * FROM users_table WHERE username = '" + username + "' AND password = '" + password + "'"
  • Inserted Password: Aa' OR ''='
  • Java Result: SELECT * FROM users_table WHERE username = 'anyname' AND password = 'Aa' OR ''=''
  • Inserted Password: foo'; DELETE FROM users_table WHERE username LIKE '%
  • Java Result: SELECT * FROM users_table WHERE username = 'anyname' AND password = 'foo'; DELETE FROM users_table WHERE username LIKE '%'
  • Inserted entry: shell("cmd /c echo " & char(124) & " format c:")

[Figure: login form (Login, Password) followed by the page "Welcome to My System"]
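The slide's first two payloads run against a real database, beside the parameterised query that defeats them, as an added example (the code and the users_table rows are constructed; this is not the slides' Java). SQLite is used because it ships with Python; note that its Python driver refuses more than one statement per `execute()` call, so the stacked `DELETE` payload is shown through `executescript()`, which behaves like a driver that does allow batching.

```python
"""The slide's string-built login query run against SQLite, beside the parameterised form
(added example, not from the slides; the users_table rows are constructed)."""
import sqlite3

BYPASS = "Aa' OR ''='"                                            # slide's first payload
WIPE = "foo'; DELETE FROM users_table WHERE username LIKE '%"     # slide's second payload


def build_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users_table (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users_table VALUES ('alice', 's3cret'), ('bob', 'hunter2')")
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """Same construction as the slide's Java: user input pasted into the SQL text."""
    sql = ("SELECT * FROM users_table WHERE username = '" + username +
           "' AND password = '" + password + "'")
    return conn.execute(sql).fetchone() is not None


def login_safe(conn, username, password):
    """Bind parameters: the driver sends values separately from the SQL, so quotes stay data."""
    sql = "SELECT * FROM users_table WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchone() is not None


def stacked_injection_rows_left(conn, password):
    """Run the string-built query through a driver that accepts several statements per call
    (executescript stands in for one) and return how many rows survive."""
    sql = ("SELECT * FROM users_table WHERE username = 'anyname' AND password = '"
           + password + "'")
    conn.executescript(sql)
    return conn.execute("SELECT COUNT(*) FROM users_table").fetchone()[0]


if __name__ == "__main__":
    db = build_db()
    print("vulnerable, bypass payload :", login_vulnerable(db, "anyname", BYPASS))   # True
    print("parameterised, bypass payload:", login_safe(db, "anyname", BYPASS))       # False
    print("rows left after stacked payload:", stacked_injection_rows_left(build_db(), WIPE))  # 0
```

With the parameterised query the whole string `Aa' OR ''='` is compared against the password column and simply fails to match. Escaping quotes by hand is the usual half-measure; it has to be repeated correctly at every call site and still leaves numeric fields injectable, whereas binding removes the problem for the query as a whole.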
36
Virus/Worm
  • Virus: code that causes a copy of itself to be inserted into one or more programs
  • Worm: independent program which replicates itself and sends copies from computer to computer across network connections. Upon arrival the worm may be activated to replicate
  • Total Losses, 2005: est. $42,787,767

[Figure: a mass-mailing worm sends copies "To Joe", "To Ann", "To Jill" using a harvested email list: Joe@uwp.edu, Ann@uws.edu, Jill@uwm.edu]
37
3 Auditing Checks
  • Auditing Checks
  • Be careful of false positives and false negatives!
  • Slow responses can result in a wrong conclusion
  • A vulnerability may apply only in combination with a particular OS version
  • Vulnerability tests can have bugs
  • A vulnerability may exist, but the context it needs may not exist for the application
  • Specific network h/w may impact a test (e.g., load balancing, firewall proxies)
  • Therefore:
  • Use two tools to test!
  • Determine whether the vulnerability exists in the context of the OS, applications, etc.
  • Treat the information as confidential

38
Hacking Networks: Phase 4 Exploit/Maintain Access
  • Backdoor: hidden entrance
  • Trojan Horse: undesirable feature, e.g., logs keystrokes, accesses data
  • User-Level Rootkit: replaces system executables, e.g. login, ls, du
  • Kernel-Level Rootkit: replaces OS kernel components, e.g. process or file control, to hide
  • Bots: slave forwards/performs commands; spreads, lists email addresses, launches DoS attacks
  • Spyware/Adware: collects info, inserts ads, filters search results
39
Step 4 Exploit
  • Escalation of Privileges
  • Password Guessing
  • Exploit known vulnerabilities of software
  • Session Hijacking: take over an existing session
  • After Break-In
  • Create backdoors for reentry
  • Weaken security
  • Hide tracks: delete logs

40
General Controls
  • A Few.

41
Key security mechanisms
  • Maximize software security
  • Patch OS, applications, 3rd Party applications
    with auto-update
  • Configure security settings carefully
  • Restrict access
  • Restrict admin privileges
  • Restrict number of services
  • White-list approved applications

42
Plan to Maximize Security
  • Design security into the system
  • Security in Requirements
  • Authentication & Access
  • Configure properly the first time
  • Careful administration
  • Logs, local/remote management

43
Hardening a Computer
  • Carefully install OS/App
  • Install and patch in a protected network
  • Anti-virus, firewall, IDS/IPS
  • Auto-update patches
  • Minimize access to services
  • Remove unnecessary services
  • Configure access permissions: users & groups
  • Secure boot process
  • Test the system
  • Outside & Inside

44
Install Additional Security Controls
  • Anti-virus software
  • Also for smart-phones
  • IDS/IPS traffic monitoring, file integrity
    checking (tripwire)
  • Firewall Can restrict input to certain ports, or
    protocols
  • Whitelist applications (if possible)
  • Only certain set of executables may run

45
Remove Unnecessary Services
  • If every app has 1 vulnerability, then fewer apps are better
  • Remove unnecessary services
  • Customize installation
  • Remove OS services and capabilities
  • Balance between usability & security
  • Remove, don't disable
  • Restrict account access
  • Restrict default accounts
  • Change default passwords
  • Minimize access to existing services
  • Restrict elevated privileges
  • Use elevated privileges minimally
  • Log privileged actions

[Figure: GUEST account]
46
Securing Applications
  • Install in protected network
  • Limit permissions
  • Web application should have minimal permissions
  • Permissions can be increased for certain actions
  • Set file permissions for administrator versus web
    user
  • UNIX Chroot jail limits file system access
  • Add controls as necessary Encryption, digital
    certificate

47
Security Maintenance
  • Monitor log information
  • Detective technique: catches after-the-fact
  • System, network, application
  • Allocate sufficient space, best off-line
  • Perform regular backups
  • Archive: retain copies of data over time
  • Best if off-site
  • Recover from security compromises
  • Regularly test system security
  • Patch & update critical software

48
Virtual Machine
[Figure: two virtualization stacks.
Native Virtualization (preferred for servers): Physical Hardware → Hypervisor/VMM → Guest OS → App, with several Guest OSes side by side and a Virtual Disk.
Hosted Virtualization (common in clients): Physical Hardware → Host OS → Hypervisor/VMM → Guest OS → App.]
49
Virtual Machine Security
  • Plan for security
  • Secure host system, hypervisor, guest OSes, guest
    applications
  • Restrict administrator access to the virtualized
    solution

50
Specific Applications
  • From Hacking Exposed: Network Security Secrets & Solutions
  • A Few.

51
Network Protocols
  • TFTP: port 69 (TFTP runs over UDP)
  • Simple file transfer protocol that sends in cleartext
  • Lacks any authentication mechanism
  • root# tftp 192.168.202.34
  • tftp> connect 192.168.202.34
  • tftp> get /etc/passwd /tmp/crackpasswd
  • tftp> quit
  • Countermeasures:
  • Block port 69 (TCP and UDP) at the firewall
  • Limit access to the /tftpboot directory
  • Avoid tftp
  • Simple Network Management Protocol (SNMP): UDP 161
  • Collects information from the network and may give it away too
  • Can provide usernames, OS version, share names/paths, running services, etc.
  • Countermeasures:
  • Block UDP 161 at the network perimeter
  • Use an excellent password (the community string)
  • Disable if not required
  • Use authentication & encryption

52
More Network Services
  • ICMP
  • Function: IP error reporting protocol
  • Consider blocking inbound ICMP message types:
  • Ping (Echo Request),
  • Destination Unreachable,
  • (Subnet) Address Mask Request,
  • Echo,
  • Host Unreachable,
  • Port Unreachable,
  • Redirect,
  • Time Exceeded,
  • Admin Prohibited (ACL denied)
  • DHCP
  • Function: dynamically allocates IP addresses
  • DHCP Manager: TCP 135
  • DHCP Lease: UDP 67-68

53
UNIX-Specific Applications
  • UNIX Remote Procedure Call: TCP/UDP 111, 32771
  • The portmapper provides info on RPC programs: versions, protocol, port
  • root# rpcinfo -p <ip_addr>
  • C:\> rpcdump <ip_addr>
  • root# nmap -sS -sR <ip_addr>
  • Countermeasures:
  • Use authentication (and possibly encryption) with RPC
  • Block ports 111, 32771 and other RPC ports to the outside
  • UNIX: port 111
  • Sun: port 32771
  • Network File System: TCP/UDP 2049
  • List directories being shared:
  • root# showmount -e <ip_addr>
  • export list for <ip_addr>:
  • /pub (everyone)
  • /usr user
  • Countermeasures:
  • Ensure exported file systems have proper permissions (set read/write permissions per host)
  • Block NFS at the network perimeter: TCP/UDP 2049

54
Windows-Specific Applications
  • After Windows 2000:
  • Domain Name Server (DNS): UDP 53
  • Lightweight Directory Access Protocol (LDAP): selecting My Network Places to search in the Active Directory server
  • TCP/UDP 389; TCP port 3268 (Global Catalog)
  • TCP 3269: Global Catalog over SSL
  • TCP 636: LDAP over SSL
  • Server Message Block (SMB) Direct Hosting: working with a service within My Network Places (e.g., print): TCP port 445 (older: 137-139)
  • Kerberos: encrypted authentication, TCP/UDP 88
  • TCP/UDP 464 (Kerberos password change)
  • TCP 544: KShell

55
Additional Resources
  • Web pages for MS Windows for security tools,
    checklists, and guides
  • www.microsoft.com/technet/security/chklist/default
    .mspx
  • US National Institute of Standards and Technology
    (NIST)
  • www.csrc.nist.gov
  • Recognize Trojans
  • Close off all ports used by Trojan horses
    www.doshelp.com/trojanports.htm
  • Port 80 (web) can also be used by trojans and
    other applications when their normal port is
    closed

56
Summary of Controls
  • Vendor-Independent Controls to Minimize Security Risks
  • Filter incoming connections for all ports, except those that are needed
  • Build machines (OS, applications) in a controlled environment
  • Ensure machines run minimal services
  • Run software with patches installed; auto-update patches
  • Restrict access to services (data, configuration files) based on need
  • Display warnings against trespassing
  • Collect and monitor logs via a remote server (login attempts, changes in permissions, accounts, or log/audit settings, file/printer accesses, etc.)
  • Ensure remote administration uses strong authentication and encryption controls
  • Partition services and hardware in the network to maximize security
  • Use IDS/IPS to detect attack patterns