[Translation] Hacking the hacker: How a consultant shut down a malicious user

by John Verry
Translated by endurer

Keywords:
Business strategies and functions | Diagnostics and monitoring | Security | Consulting | Legal | Business planning | Strategy

http://techrepublic.com.com/5100-6329-5055990.html?tag=nl.e101

Takeaway:
Take a look at how one security consultant discovered a hacker and turned the tables on the offending miscreant.


Ethical hacking is one of the most intriguing and exciting elements of our work at CQUR IT. In most engagements, our efforts involve attempting to penetrate a client's network, documenting the results of our efforts, and recommending optimal strategies for mitigating the risks we have identified.


A recent engagement for a software development firm took an interesting twist at the onset of the project, as we quickly discovered the client's FTP server had already been hacked and was being used for illegal purposes. I'll describe the techniques we used to meet the client's requirements and explain how our efforts turned from hacking their network to hacking the hacker.


Late to the party
We convened with the client for a brief kickoff meeting to reconfirm the objectives of the Limited Knowledge Penetration Test (PT) and to gather sufficient information to ensure that the testing did not affect normal business operations. We began our preliminary research by reviewing publicly available information relating to the target company, including news releases, newspaper articles, annual reports, SEC filings, and the corporate Web site. Hackers commonly use these resources to gather potentially vital information relating to a company, including names of key employees, product lines/releases, key dates (such as the date a partnership was formed and a network administrator's birthday), office locations, hardware/software used, etc.

During these operations, we discovered that an internal user at the client's organization was the leading poster of messages and/or content to a Web site that distributed illegal pornographic images. This was immediately reported to Client Management, which became increasingly concerned as it disclosed that there were multiple instances of often unexplainable periods of full utilization of the outbound Internet links during odd hours. (We are still unsure why it didn't disclose this at the kickoff meeting.)


After using nMap to footprint the external network, we focused our attention on an FTP server that was curiously installed outside the firewall. A port scan against the box returned extremely troubling results. In addition to the expected open port (port 21), we found a half dozen other open ports, including 139, 2184, 3437, and 14120.

  • Port 139 was running NetBIOS and allowed extensive leaking of information via Null Session Enumeration.
  • Port 2184 was running Microsoft Windows Telnet Server, which generally runs on port 23. Sometimes an admin will run this on an odd port; however, attempts to log in to Telnet with a valid username/password combination we obtained via Enumeration of port 139 would result in a hung Telnet session.
  • Port 3437 was running a service that prompted for a password. We connected to it with both Telnet and NetCat. If no valid password was given within three seconds or an invalid password was given, the connection would be terminated.
  • Port 14120 was running a second FTP Service.
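The check a practitioner would script at this stage, as an added example that is not part of the original article: parse nmap's grepable (-oG) output and flag every open port that falls outside the baseline an Internet-facing FTP server is allowed to expose. The host line below is constructed to mirror the findings above; the address 192.0.2.10 and hostname are documentation placeholders, not the client's.

```python
"""Compare open ports from nmap -oG output against a per-role baseline."""
import re
from typing import Dict, List, Set, Tuple

# Constructed sample of nmap's grepable output for the FTP box in the article.
# The address and hostname are placeholders (RFC 5737 documentation range).
SAMPLE_GREPABLE = (
    "# Nmap scan initiated as: nmap -sS -p- -oG ftp-scan.gnmap 192.0.2.10\n"
    "Host: 192.0.2.10 (ftp.example.test)\tPorts: 21/open/tcp//ftp///, "
    "139/open/tcp//netbios-ssn///, 2184/open/tcp//unknown///, "
    "3437/open/tcp//unknown///, 14120/open/tcp//unknown///\t"
    "Ignored State: closed (65530)\n"
    "# Nmap done -- 1 IP address (1 host up) scanned\n"
)

# Ports an Internet-facing FTP server is allowed to expose; everything else is a finding.
BASELINE: Dict[str, Set[int]] = {"ftp": {21}}

# One entry of the Ports: field looks like  2184/open/tcp//unknown///
PORT_RE = re.compile(r"(\d+)/(\w+)/(\w+)//([^/]*)///")


def parse_grepable(text: str) -> Dict[str, List[Tuple[int, str, str]]]:
    """Return {ip: [(port, state, service), ...]} for every Host: line."""
    hosts: Dict[str, List[Tuple[int, str, str]]] = {}
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue
        ip = line.split()[1]
        ports_field = ""
        for field in line.split("\t"):
            if field.startswith("Ports:"):
                ports_field = field[len("Ports:"):]
        hosts[ip] = [
            (int(port), state, service)
            for port, state, _proto, service in PORT_RE.findall(ports_field)
        ]
    return hosts


def unexpected_ports(host_ports: List[Tuple[int, str, str]], allowed: Set[int]) -> List[int]:
    """Open ports that are not in the baseline, in ascending order."""
    return sorted(p for p, state, _svc in host_ports if state == "open" and p not in allowed)


def report(text: str, role: str) -> List[str]:
    """One line per host naming the ports that need an explanation."""
    lines = []
    for ip, ports in parse_grepable(text).items():
        extra = unexpected_ports(ports, BASELINE[role])
        if extra:
            lines.append(f"{ip}: {len(extra)} port(s) outside the {role} baseline: {extra}")
    return lines


if __name__ == "__main__":
    for line in report(SAMPLE_GREPABLE, "ftp"):
        print(line)
```

Run it against a real `nmap -p- -oG` file and a baseline per server role; anything the report lists (here 139, 2184, 3437 and 14120) has to be explained by an administrator or treated as a compromise indicator.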

Some key details of our FTPing the site include:

  • Two users were currently connected; in the past 24 hours, 23 users had connected.
  • 19 MB had been downloaded since the last time the server was restarted (earlier that morning).
  • Anonymous logins were rejected and our attempts to password-guess were unsuccessful.
  • Searches based on the hacker tags in the banner returned only links to listings of various hacked pubstors (compromised FTP servers used as public storage for warez).
  • Searching on the machine's IP address failed to reveal its public listing in any warez or pubstor directories.

We assumed that access to this site was being traded via Internet Relay Chat (IRC). Interestingly, in the hour or so it took us to document our observations, 195 MB of files were downloaded from the rogue FTP site.


Should the client prosecute?


The client's first concern was the potential correlation between the posting of messages/content to a site that housed illegal images and the distribution of large files from its FTP Server. Was an employee using their FTP server to distribute pornography?


We advised the client that if it intended to prosecute, it would need to work within the legal framework of forensic investigations. Most notably, it would be critical for the forensic data to be authenticated as genuine.


Many of the actions an individual might take, including rebooting the machine, copying files from the server, and reviewing security logs, can alter the drive data. The client's management was adamant about conducting the investigation in a manner that would provide the opportunity to prosecute if necessary. The client's lawyer also believed that by demonstrating due diligence, it would minimize the risk of a third party taking legal action against the organization as a result of the hack.


A particularly important legal case, "Gates Rubber Co. vs. Bando Chemical Indus, Ltd," helped define the mandatory legal duty of a forensic investigator with regard to creating a mirror image copy of the hard drive in a manner that maintains chain of evidence and custody. In that case, the investigator's decision to perform logical "file-by-file" copying to preserve the evidence precluded legal use of the data because the copying might have resulted in lost information and the creation of new temporary files on the media.

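To make the Gates Rubber point concrete, here is an added example in Python that is not from the original article and does not describe how CQUR IT or EnCase acquired the drive. A toy "drive" is constructed as a byte array whose allocation table references two files, while the sectors of a scan log the attacker deleted remain in unallocated space. A file-by-file copy reproduces only what the table points to; a bit-for-bit image keeps every sector and can be verified by hash before and after analysis. All file names, contents and addresses below are constructed for the demo.

```python
"""Bit-for-bit image vs. logical copy on a constructed toy disk."""
import hashlib
import re
from typing import Dict, List, Tuple

SECTOR = 512
DISK_SECTORS = 16

# Constructed contents; the 'deleted' log mimics scanner output that was removed
# but never overwritten, so it survives only in unallocated sectors.
SPACE_ASP = b'<% Set fso = Server.CreateObject("Scripting.FileSystemObject") %>'
SPEED_TEST = b"\x00" * 1024
DELETED_LOG = b"sfind 10.10.4.7:1433 OPEN\r\nsfind 10.10.4.8:1433 OPEN\r\n"

# Toy allocation table: (name, first sector, byte length). Only these entries
# are visible to a file-by-file copy.
FILE_TABLE: List[Tuple[str, int, int]] = [
    ("space.asp", 1, len(SPACE_ASP)),
    ("1kbtest.ptf", 2, len(SPEED_TEST)),
]


def build_evidence_disk() -> bytearray:
    """Lay out the toy disk: sector 0 a fake boot sector, sectors 1-3 the
    allocated files, sector 8 onward the remnant of the deleted log."""
    disk = bytearray(DISK_SECTORS * SECTOR)
    disk[0:8] = b"FAKEBOOT"
    for name, first, length in FILE_TABLE:
        data = SPACE_ASP if name == "space.asp" else SPEED_TEST
        disk[first * SECTOR:first * SECTOR + length] = data
    disk[8 * SECTOR:8 * SECTOR + len(DELETED_LOG)] = DELETED_LOG
    return disk


def logical_copy(disk: bytes, table: List[Tuple[str, int, int]]) -> Dict[str, bytes]:
    """What 'file-by-file' copying yields: allocated files only; slack and
    unallocated sectors are lost."""
    return {name: bytes(disk[first * SECTOR:first * SECTOR + length])
            for name, first, length in table}


def bitstream_image(disk: bytes) -> bytes:
    """What dd or a forensic imager yields: every sector, referenced or not."""
    return bytes(disk)


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def verify_image(source: bytes, image: bytes) -> bool:
    """Acquisition hash must equal the image hash; both go into the custody log."""
    return sha256_hex(source) == sha256_hex(image)


def carve_ascii(data: bytes, min_len: int = 8) -> List[str]:
    """Pull printable ASCII runs (as `strings` does) from raw bytes."""
    pattern = rb"[\x20-\x7e\r\n]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pattern, data)]


def remnant_in(strings: List[str], needle: str) -> bool:
    return any(needle in s for s in strings)


if __name__ == "__main__":
    disk = build_evidence_disk()
    image = bitstream_image(disk)
    print("image verified:", verify_image(disk, image))
    files = logical_copy(disk, FILE_TABLE)
    print("logical copy sees deleted log:",
          remnant_in(carve_ascii(b"".join(files.values())), "sfind"))
    print("bitstream image sees deleted log:", remnant_in(carve_ascii(image), "sfind"))
```

The hash comparison is the part that matters in court: record the hash at acquisition, work only on the image (mounted read-only), and re-hash at the end to show nothing changed. The carving step shows why the image is also better evidence, since the deleted scan log is recoverable from it and absent from the logical copy.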

Assessing the hack


We used EnCase software, which is used extensively by law enforcement professionals, to gather a mirrored image of the drive. We then mounted it in a Windows 2000 machine but were unable to navigate/view the directory structure of the illicit FTP Server. There are a number of ways that hackers (and Windows itself) can hide directories and files. A simple way to make folders invisible (dependent upon Explorer settings) is to set a folder's System attribute (attrib +s) within Windows Explorer or from a DOS prompt. For example, although users may clear their Internet History, the data is still maintained in hidden files that can be accessed by an investigator.

Other methods include using reserved device names such as "prn," "con," and "com1" or a special combination of characters such as "..--1" (dot dot dash dash 1).
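The naming tricks above can be hunted for in a directory listing. As an added example that is not from the original article, the following Python flags names that abuse Win32 rules: reserved device names (CON, PRN, AUX, NUL, COM1-9, LPT1-9, with or without an extension), names ending in a dot or space that the Win32 API silently strips so the path cannot be addressed normally, names that begin with "..", and names made only of dots, dashes and spaces. The listing is constructed for the demo; the +s/+h attribute case is not a name and is handled by listing with `dir /a` or `attrib` instead.

```python
"""Flag Win32 directory names chosen to hide from Explorer and resist deletion."""
import ntpath
import re
from typing import List, Optional, Tuple

RESERVED_DEVICES = {"CON", "PRN", "AUX", "NUL"} \
    | {f"COM{i}" for i in range(1, 10)} | {f"LPT{i}" for i in range(1, 10)}

REASON_RESERVED = "reserved device name"
REASON_TRAILING = "trailing dot or space (stripped by the Win32 API)"
REASON_DOTDOT = "begins with '..'"
REASON_PUNCT = "consists only of dots, dashes and spaces"

# Constructed listing (not the evidence drive): paths as a recursive dir /a /b prints them.
SAMPLE_LISTING = [
    r"E:\winnt\system32\inf\apps",
    r"E:\inetpub\ftproot\com1",
    r"E:\inetpub\ftproot\..--1",
    r"E:\inetpub\ftproot\prn.",
    r"E:\inetpub\ftproot\uploads",
    r"E:\inetpub\ftproot\movies   ",
    r"E:\inetpub\ftproot\...",
]


def suspicious_reason(name: str) -> Optional[str]:
    """Return why a single path component is suspect, or None if it looks ordinary."""
    # Win32 treats 'con', 'con.txt' and 'CON   .' alike: the device name wins.
    base = name.split(".")[0].rstrip(" ").upper()
    if base in RESERVED_DEVICES:
        return REASON_RESERVED
    if re.fullmatch(r"[.\- ]+", name):
        return REASON_PUNCT
    if name.startswith(".."):
        return REASON_DOTDOT
    if name != name.rstrip(" ."):
        return REASON_TRAILING
    return None


def flag_hidden_names(paths: List[str]) -> List[Tuple[str, str]]:
    """(path, reason) for every listing entry whose final component is suspect."""
    hits = []
    for path in paths:
        reason = suspicious_reason(ntpath.basename(path))
        if reason:
            hits.append((path, reason))
    return hits


if __name__ == "__main__":
    for path, reason in flag_hidden_names(SAMPLE_LISTING):
        print(f"{path!r}: {reason}")
```

Such names can be created and removed only by bypassing the Win32 path parser (the `\\?\` prefix or a POSIX-style tool), which is exactly why the client's staff could see the directories but not delete them.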

To access the hidden directories and determine the content being distributed, we added the drive to a Windows 2000 Server and mounted it read-only from a Red Hat 9 Linux machine.


Assessing the facts before looking at the drive, we knew the following:

  • A Serv-U daemon (a rogue FTP Server) had been installed by the hacker.
  • This installation would have required administrator access.
  • Microsoft Telnet server was running on TCP 2184 without NTLM authentication, enabling a malicious user to gain access to the system.
  • An unknown service was running on TCP 3437.
  • The penetration test manager advised that they had found directories within their FTP root they could not delete.

We first viewed the FTP root of the Serv-U daemon. Three files immediately caught our attention:


  • 1kbtest.ptf
  • 1mbtest.ptf
  • space.asp

The first two files were used by the hacker to measure the available bandwidth of the server and gauge the efficacy of using this machine to conduct other attacks. The Space.asp Active Server Page was used to enumerate drives and their free space on the server. These files illustrate the dangers of anonymous uploads.


Next, we looked at the Serv-U daemon. Normally, Serv-U is run through the information contained in an ini configuration file. We searched the drive for .ini files and examined the output. This resulted in the discovery of r_bot.ini in the system directory (E:/winnt/system32). An examination of this file revealed that the attacker was using e:/winnt/system32/inf as his base of operations on the host. It also showed that the attacker was using IRC to remotely control the machine.


Further examination of the system32 directory showed several suspicious files, all of which appeared on Feb. 17, 2003:

  • info.exe—An enumeration tool that reports details about the local server to the hacker
  • hlp32.exe—A renamed version of Bouncer v1.0.RC6, which is a proxy utility
  • jrun.exe—A renamed version of "Netcat," the TCP/IP Swiss Army knife of hackers
  • kill.exe—A utility that allows the hacker to terminate processes he did not want running on the box
  • pslist—A utility that lists Process IDs for running processes (UNIX-like), which was likely used in concert with kill.exe
  • wshell.exe—A Windows shell application (Winshell) that provided the hacker with a remote command interface (on TCP port 3437), which was password-protected (we cracked the password)
  • reg.exe—A utility that makes it possible to edit the machine registry from a command line (DOS)
  • service.exe—An IRC bot used to control the machine and to announce that it was online

More anomalies present in the directory were IIS log file directories for February 15 through 18. An examination of the abbreviated logfiles showed the upload of the speed test files and space.asp page on the 15th. We could also observe the creation of a directory and upload of a copy of Photoshop.

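What the log review looked for can be automated. As an added example that is not from the original article (CQUR IT's own review method is not described), this Python parses IIS W3C extended log lines and tags successful WebDAV write methods, uploads of server-side script, and unusually large uploads, then counts writes per client address. The log lines are constructed to reflect the sequence the article describes, on the assumption that the uploads went through WebDAV on the IIS server (consistent with the attacker later disabling WebDAV); the client addresses and the 50 MB threshold are demo choices.

```python
"""Tag WebDAV writes, script uploads and large uploads in IIS W3C extended logs."""
from collections import Counter
from typing import Dict, List, Tuple

# Constructed IIS 5.0 log excerpt; addresses are RFC 5737 placeholders.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 5.0
#Version: 1.0
#Date: 2003-02-15 02:11:09
#Fields: date time c-ip cs-method cs-uri-stem sc-status cs-bytes
2003-02-15 02:11:09 198.51.100.23 PROPFIND / 207 0
2003-02-15 02:11:31 198.51.100.23 PUT /1kbtest.ptf 201 1024
2003-02-15 02:11:33 198.51.100.23 PUT /1mbtest.ptf 201 1048576
2003-02-15 02:12:02 198.51.100.23 PUT /space.asp 201 612
2003-02-15 02:12:40 198.51.100.23 GET /space.asp 200 0
2003-02-15 02:14:05 198.51.100.23 MKCOL /pub 201 0
2003-02-15 02:20:18 198.51.100.23 PUT /pub/photoshop.zip 201 104857600
2003-02-16 09:00:01 203.0.113.5 GET /index.htm 200 0
"""

WRITE_METHODS = {"PUT", "MKCOL", "MOVE", "COPY", "DELETE", "PROPPATCH"}
SCRIPT_EXTENSIONS = (".asp", ".asa", ".exe", ".dll", ".bat", ".cmd")
LARGE_UPLOAD_BYTES = 50 * 1024 * 1024  # demo threshold; tune per site

Record = Dict[str, str]


def parse_w3c(text: str) -> List[Record]:
    """Build one dict per entry from the #Fields header (IIS may re-emit it mid-file)."""
    fields: List[str] = []
    records: List[Record] = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line.startswith("#") or not line.strip():
            continue
        else:
            values = line.split()
            if len(values) == len(fields):
                records.append(dict(zip(fields, values)))
    return records


def classify(rec: Record) -> List[str]:
    """Tags for one entry; empty if nothing stands out."""
    tags: List[str] = []
    method = rec["cs-method"].upper()
    status = int(rec["sc-status"])
    uri = rec["cs-uri-stem"].lower()
    if method in WRITE_METHODS and 200 <= status < 300:
        tags.append("webdav-write")
        if method == "PUT" and uri.endswith(SCRIPT_EXTENSIONS):
            tags.append("script-upload")
        if method == "PUT" and int(rec.get("cs-bytes", "0")) >= LARGE_UPLOAD_BYTES:
            tags.append("large-upload")
    return tags


def find_writes(records: List[Record]) -> List[Tuple[str, str, str, str, List[str]]]:
    """(timestamp, client ip, method, uri, tags) for every tagged entry, in log order."""
    hits = []
    for rec in records:
        tags = classify(rec)
        if tags:
            hits.append((f"{rec['date']} {rec['time']}", rec["c-ip"],
                         rec["cs-method"], rec["cs-uri-stem"], tags))
    return hits


def writers_by_ip(records: List[Record]) -> Counter:
    """How many successful writes each client made; the top entry is where to start."""
    return Counter(rec["c-ip"] for rec in records if "webdav-write" in classify(rec))


if __name__ == "__main__":
    recs = parse_w3c(SAMPLE_LOG)
    for ts, ip, method, uri, tags in find_writes(recs):
        print(ts, ip, method, uri, ",".join(tags))
    print(writers_by_ip(recs).most_common(1))
```

On a real server the same three tags, run daily over the previous day's log, would have surfaced the speed-test uploads, the space.asp drop and the Photoshop upload on the day they happened rather than weeks later during a penetration test.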

Examining the winnt/system32/inf directory, we found the home directory of the Serv-U service. We saw that the attacker had created directories for applications, movies, and games. Files in these directories included an ISO image of Windows Server 2003 and movies, including an Indiana Jones movie and the documentary Bowling for Columbine.


Another directory found in /system32 provided further detail of the intruder's activity. This directory included the following attack utilities:

  • sfind.exe—A command-line vulnerability scanner
  • X-Scan—A command-line and GUI scanner
  • IpcScan—A command-line and GUI Windows account cracker


We also discovered that the attacker had removed most of the log files generated by these tools. (They had been stored in E:/!!!!/SQLEXECl.) An examination of the slack space in the drive showed that the files had been overwritten. However, the entire Class B network belonging to a significant U.S. governmental agency had been scanned for vulnerabilities.


Turning the tables


In light of the potential liability associated with the distribution of copyrighted materials and the attack on government agencies, the client authorized us to attempt to identify the source of the hack. Most notably, we recognized that the attacker was very comfortable using IRC. We examined the communications of the installed IRC bot and determined the IP Address it was connecting to.


Using the information in r_bot.ini, coupled with the potential passwords we had recovered so far, we attempted to access the attacker's password-protected chat room. Unfortunately, our attempts to guess the password were unsuccessful. Returning to the drive, we cracked a password by using an internally developed cracker that can identify potential passwords via regular expression searching. We returned to the chat room and conducted a whois to obtain information regarding the owner/moderator of the chat room.

At this point, we knew which host the attacker was connecting from. Provided the host legally belonged to the attacker, we could obtain his identity from his ISP. From the IRC site, we identified nine additional servers that had been compromised in the same manner, including two universities and a large regional bank. (We notified the ISP and the owners of the IPs of our findings.)


We began with an attempt to verify whether this connection was being proxied. We discovered that the server at xxx.xxxxxx.xx wouldn't allow IRC connections from unsecured proxy servers. (Note: We've replaced all IP addresses with Xs.) We then probed the attacker's machine to view the available services.


We used nMap to identify the services running on the hacker's system and found that the attacker was using a Windows XP Professional machine, located in Belgium (determined from an IP address belonging to a Belgian ISP). He was running a private Serv-U FTP Daemon on TCP 1412, as well as a publicly available Serv-U FTP service (port 21).

We could see that he employed a common tactic: By having a publicly available FTP site, loaded with his hacking tools, he could compromise a machine and download the tools and files he needed. Note the absence of any banner advising that the machine was private and that public connections were not allowed—so we were not actually "hacking" the hacker.


We then proceeded to download the contents of the FTP server. Examining the files, we could piece together his attack methodology and actions:


  • He scanned for machines with vulnerabilities in Microsoft SQL Server, IIS, or NetBIOS.
  • Once a victim was located, he downloaded and executed a batch file, which performed numerous actions before deleting itself.
  • He created an account called Admin, set the password, and added the account to the Administrators group.
  • He FTPed the necessary tools to the machine, creating directories within winnt/system32 to store them.
  • He configured the Microsoft Telnet Service to run on port 2184, disabling NTLM authentication.
  • He installed a WinShell Service on port 3437.
  • He installed the Serv-U daemon and configured directories.
  • He installed an unsecured SOCKS proxy.


He then patched the machine to prevent other attackers from using the same exploits:


  • He disabled WebDAV on IIS HTTP.
  • He set RestrictAnonymous=1 in an attempt to prevent Null Session Enumeration. (On Windows 2000 this value must be set to 2 to be effective; with 1, accounts can still be enumerated by SID.)
  • He deleted administrative file shares.

Based upon what we found, we were able to create specific Web queries to determine the attacker's real identity. Our final report to the client included this information about the hacker:

  • Full name
  • Date of birth
  • Town in Belgium where he lived
  • E-mail address
  • Photograph


Cleaning up the mess


Although the client was relieved to learn it wasn't trafficking illegal pornography, it was concerned that its server had been used to traffic in copyrighted intellectual property. It was also concerned that its FTP server had been used to conduct scans and/or attacks on other networks. Our report included many recommendations, most notably:

  • Consult with legal counsel regarding the liability associated with the hack and current legal responsibility (a very subjective area at this time).
  • Consider reporting the hack to the appropriate agencies and affected parties, including:
    —The local office of the FBI
    —The State Office of Information Technology
    —The State Police's High Technology Crimes Unit
    —CERT
    —Microsoft
    —Adobe
    —The governmental agency scanned
    —Paramount Pictures (Indiana Jones)
    —United Artists (Bowling for Columbine)
    —Clients regularly accessing the FTP server
  • Rebuild the FTP server.
  • Move the FTP server behind the firewall and limit traffic to the FTP server to ports 20 and 21 (plus a defined passive-mode data port range if clients use passive FTP).


Don't make it too easy


Executing on the basics of IT security is not enough to ensure that your organization will not be hacked, but it will significantly reduce the chances. Further, if you are hacked, you'll be able to recognize and remediate it before significant damage to the organization is done.



The basics for systems that need to be externally accessible (Web, e-mail, FTP) include these steps:

  • Put them behind an appropriate firewall (preferably in a DMZ).
  • Disable all services except those absolutely needed.
  • Filter all except port-specific traffic to systems (e.g., 20/21 for FTP).
  • Turn on system and firewall logs.
  • Review the logs on a daily basis.
  • Consider implementing intrusion prevention software for mission-critical boxes.

Although this seems like (and truly is) "Security 101," I can assure you that many organizations are not executing on the basics. Virtually all of the hacks we investigate are caused by a failure to execute on some combination of these fundamentals.

