Backdoors and Trapdoors

1. BACKDOORS
SHAH JAS -95

2. ABOUT BACKDOORS
• IN CYBERSECURITY, A BACKDOOR IS
ANYTHING THAT CAN ALLOW AN
OUTSIDE USER INTO YOUR DEVICE
WITHOUT YOUR KNOWLEDGE OR
PERMISSION.
• A BACKDOOR IS A MEANS TO ACCESS
A COMPUTER SYSTEM OR ENCRYPTED
DATA THAT BYPASSES THE SYSTEM'S
CUSTOMARY SECURITY MECHANISMS.

3. CAUSE OF BACKDOORS
• A DEVELOPER MAY CREATE A BACKDOOR SO THAT AN APPLICATION OR
OPERATING SYSTEM CAN BE ACCESSED FOR TROUBLESHOOTING OR OTHER
PURPOSES. HOWEVER, ATTACKERS OFTEN USE BACKDOORS THAT THEY
DETECT OR INSTALL THEMSELVES AS PART OF AN EXPLOIT. IN SOME CASES,
A WORM OR VIRUS IS DESIGNED TO TAKE ADVANTAGE OF A BACKDOOR
CREATED BY AN EARLIER ATTACK.

4. DETECTION
• BACKDOORS CAN BE VERY DIFFICULT TO DETECT, AND DETECTION METHODS
VARY CONSIDERABLY DEPENDING ON THE COMPUTER'S OPERATING SYSTEM.
IN SOME CASES, ANTIMALWARE SOFTWARE MAY BE CAPABLE OF DETECTING
BACKDOOR SOFTWARE. IN OTHER CASES, SECURITY PROFESSIONALS MAY
NEED TO USE SPECIALIZED TOOLS TO DETECT BACKDOORS, OR USE
A PROTOCOL MONITORING TOOL TO INSPECT NETWORK PACKETS.

5. PREVENTION
• THERE ARE SEVERAL DIFFERENT STRATEGIES FOR AVOIDING BACKDOOR
ATTACKS. FIRST AND FOREMOST, ORGANIZATIONS NEED TO ADHERE TO
SECURITY BEST PRACTICES, SUCH AS AVOIDING UNTRUSTED SOFTWARE AND
ENSURING THAT EVERY DEVICE IS PROTECTED BY A FIREWALL. APPLICATION
FIREWALLS CAN ALSO HELP TO PREVENT BACKDOOR ATTACKS, SINCE THEY
RESTRICT THE TRAFFIC THAT CAN FLOW ACROSS OPEN PORTS. IT IS ALSO
IMPORTANT TO MONITOR NETWORK TRAFFIC FOR SIGNATURES THAT MAY
INDICATE THE PRESENCE OF A BACKDOOR.

6. FAMOUS BACKDOOR ATTACKS
• IN LATE 2020, A CYBERSECURITY COMPANY CALLED FIREEYE DISCOVERED
AN EXTREMELY SERIOUS BACKDOOR HIDDEN IN UPDATES FOR SOLARWINDS’
ORION NETWORK MANAGEMENT SOFTWARE. THE ATTACKERS, WHO ARE BELIEVED
TO ORIGINATE AT THE NATION-STATE LEVEL, USED SOLARWINDS TO FACILITATE AN
ISLAND HOPPING ATTACK THAT INSTALLED MALWARE ON ORION CUSTOMER
NETWORKS IN ORDER TO GATHER INTELLIGENCE. THE UNITED STATES
CYBERSECURITY & INFRASTRUCTURE SECURITY AGENCY (CISA) BELIEVES THE
ATTACK BEGAN AS EARLY AS MARCH 2020 AND THAT NOT ALL COMPROMISED
ORGANIZATIONS WERE ACTUALLY TARGETED BY THE ATTACKER FOR FOLLOW-UP
ACTIONS.