What steps should be taken to protect a system that is going down for, or coming back up from, maintenance? Why would this be a good potential time for an attacker to strike?

A system going down for maintenance, or coming back up from maintenance, is highly vulnerable.

While going down for maintenance:

  • Going down for maintenance is indicative of a system that needs to be patched or upgraded, which implies known vulnerabilities – an attacker launching attacks on those known vulnerabilities hits gold
  • Defenses are being taken down as the system goes offline, and an attacker can find gaps in coverage during that window
  • The “under maintenance” page isn’t the most tested page in the system and can expose backdoors for attackers to enter through
  • If the “under maintenance” page “helpfully” lists why the system is going down, it gives a smart attacker more inside knowledge of the internal systems and of the business decisions the organization has taken with respect to patching and upgrades. More knowledge is usually more power, and the attacker can use it effectively and productively while planning the next attack.
  • Organizations think an offline system is “safe” and can let down their guard. They will not be monitoring firewall logs, IDPS alerts, and anti-malware logs as vigilantly as when the system is live. If an attacker makes their way in, they have a higher probability of going undetected.

While coming up from maintenance:

  • The system is like a new-born in the woods – a sitting duck for possible zero-day exploits
  • If the new patches have introduced undocumented new vulnerabilities, the entire system can be compromised
  • Quick and hurried maintenance cycles encourage carelessness, and there may be open backdoors waiting to be exploited by experienced attackers
  • Every organization wants to keep “offline time” as minimal as possible, so testing isn’t usually as thorough – leaving the system open to be “tested” and successfully exploited by attackers
  • New pages, interfaces, and input fields, if not extensively tested, are potential targets for SQL injection
  • If the system still has open ports, legacy pages, or FTP file servers (not linked but still accessible), they are vulnerabilities that will be attacked
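Two of the checks above (the maintenance page giving away why the system is down, and ports or services still exposed after it comes back up) can be verified mechanically before the system is declared live. The script below is an added example, not part of the original answer; the approved port baseline, the `ss`-style socket snapshot and the sample maintenance response are all constructed, and the disclosure word list is an assumption to adapt per organization.

```python
"""Post-maintenance exposure check (added example, constructed data).

1. Diff the sockets listening after maintenance against the approved baseline.
2. Check the maintenance response: a 503 with Retry-After that gives no reason.
"""
import re

# Constructed baseline: the only ports this host is approved to expose.
APPROVED_PORTS = {22, 443}

# Constructed snapshot in the shape of `ss -ltnH` output, captured after
# the system came back up. Port 21 (FTP) was never in the baseline.
POST_MAINTENANCE_SS = """\
LISTEN 0 4096 0.0.0.0:443 0.0.0.0:*
LISTEN 0 128  0.0.0.0:22  0.0.0.0:*
LISTEN 0 128  0.0.0.0:21  0.0.0.0:*
LISTEN 0 511  127.0.0.1:8080 0.0.0.0:*
"""

def listening_ports(ss_output):
    """Parse `ss -ltn` style lines into {port: bind_address}.
    Loopback-only sockets are skipped: they are not reachable from outside."""
    exposed = {}
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue
        addr, _, port = fields[3].rpartition(":")  # handles [::]:443 too
        if addr.startswith("127.") or addr == "[::1]":
            continue
        exposed[int(port)] = addr
    return exposed

def unexpected_ports(ss_output, approved=APPROVED_PORTS):
    """Externally reachable ports that are not in the approved baseline."""
    return sorted(p for p in listening_ports(ss_output) if p not in approved)

# Assumed word list: terms that turn a maintenance page into a patch notice.
DISCLOSURE = re.compile(r"\b(patch|upgrad|CVE-\d{4}-\d+|vulnerab|hotfix)", re.I)

def maintenance_page_issues(status, headers, body):
    """Return the problems found with a maintenance response (empty if clean)."""
    issues = []
    if status != 503:
        issues.append(f"status {status}, expected 503")
    if "retry-after" not in {k.lower() for k in headers}:
        issues.append("missing Retry-After header")
    if DISCLOSURE.search(body):
        issues.append("body discloses the reason for maintenance")
    return issues
```

Run `unexpected_ports(POST_MAINTENANCE_SS)` on the constructed snapshot and it reports `[21]`; the same functions can be fed a real `ss -ltnH` capture and a real fetch of the maintenance page.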

Any boundary situation, scenario, or transition is usually a high-risk period, and the same is true for the time buffers around maintenance – just before the system goes down, and soon after it comes back up.