[ISN] Guidelines for would-be corporate vigilantes

From: mea culpa (jerichoat_private)
Date: Wed Jan 13 1999 - 09:46:03 PST


From: darek milewski <darekmat_private>

Guidelines for would-be corporate vigilantes
By Winn Schwartau
Network World, 01/11/99

There are many ways to detect break-ins and a variety of options on how to
proceed once you do. Here's a collection of insights from dozens of users,
analysts and vendors on the techniques that work best.

Use quality detection systems. You want to detect miscreant insider
behavior as well as external hacking. Host-based auditing, network
behavior statistics and traffic analysis are all good sources of
security-related data that can alert you to abnormalities that may
indicate a security incident. Keep in mind that intrusion detection
systems (IDS) are all a little different. Some excel in NT, others in Unix
or Novell, and some pick up anomalies and events that others don't. It's a
good idea to use more than one IDS.

Determine your first course of action once you detect an incident. Many
people suggest isolating the source into a specific, noncritical part of
your network. Others say cutting off the source of the attack is all they
want to do. Your reaction should reflect your corporate security policy.

Let your legal department know what's going on. If you ever have to get
law enforcement authorities involved, you want to ensure you've taken the
right steps. If your in-house counsel doesn't know how to proceed,
strongly suggest he get advice from an experienced cyberattorney.

If you cut off the attack, collect all system logs from firewalls, routers
and servers so you can identify what tools the attacker used and which of
your vulnerabilities were exploited. Act upon this knowledge and
reconfigure accordingly.

If you don't cut off the attack, make sure all your auditing tools are
active. You may want to increase the tools' sensitivity to capture more
data points. Monitor the intruder's actions closely, so you can cut off
the attack at any time you choose.

Consider the use of forensic tools, especially if you have an insider
hacking at your systems. Forensic tools will allow you to perform a sector
backup of the suspect's hard disk with cryptographic seals to prevent
tampering and assist in maintaining a quality chain of evidence. In
addition, you may need to search the suspect's hard disk and floppies
(including Zip drives and the like) for erased files and other hidden
attributes. Don't forget to involve human resources personnel; they can
keep you out of a heap of trouble.

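The sector backup with cryptographic seals described above, as an added example that is not part of the article and not any forensic tool's own code: this Python sketch hashes an image sector by sector with SHA-256, stores the seal record apart from the image, and on re-verification reports which sectors no longer match. The image contents, sector size and file names are constructed for the demo.

```python
import hashlib
import json
import os
import tempfile

SECTOR = 512  # sector size for the constructed image (assumption)


def seal_image(path, sector=SECTOR):
    """Hash an image per sector; the seal holds the overall SHA-256 plus
    one hash per sector, so a later change can be detected and located."""
    whole, sectors = hashlib.sha256(), []
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(sector), b""):
            whole.update(chunk)
            sectors.append(hashlib.sha256(chunk).hexdigest())
    return {"image": os.path.basename(path), "sector_size": sector,
            "sha256": whole.hexdigest(), "sectors": sectors}


def verify_image(path, seal):
    """Recompute the seal; return indices of sectors that no longer match
    (empty list = unchanged). Appended or missing sectors are reported too."""
    fresh = seal_image(path, seal["sector_size"])
    if fresh["sha256"] == seal["sha256"]:
        return []
    old, new = seal["sectors"], fresh["sectors"]
    return [i for i in range(max(len(old), len(new)))
            if i >= len(old) or i >= len(new) or old[i] != new[i]]


def demo():
    """Constructed scenario: seal an 8-sector image at acquisition, then
    alter one byte in sector 3 (simulated tampering) and re-verify."""
    workdir = tempfile.mkdtemp()
    img = os.path.join(workdir, "suspect_disk.img")
    with open(img, "wb") as fh:
        for i in range(8):
            fh.write(bytes([i]) * SECTOR)
    seal_file = os.path.join(workdir, "suspect_disk.seal.json")
    with open(seal_file, "w") as fh:  # seal kept separate from the image
        json.dump(seal_image(img), fh)
    with open(seal_file) as fh:
        seal = json.load(fh)
    before = verify_image(img, seal)           # [] -> still intact
    with open(img, "r+b") as fh:
        fh.seek(3 * SECTOR + 10)
        fh.write(b"\xff")
    after = verify_image(img, seal)            # [3] -> sector 3 changed
    return before, after
```

In practice the seal record would be signed or stored on write-once media so that the record itself cannot be altered along with the image.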
Attempt to trace the source of the attack. This is not easy, and often
involves a lot of people from different organizations. Know whom to call
at your ISP in the event of a breach. Be able to reach your contact 24-7
in case of an after-hours attack. ISPs coordinate with each other in many
cases, and if you plan for the eventuality, you will be ahead of the game
and able to react much faster.

Have a game plan, especially if you call in law enforcement, which is more
restricted in its ability and legal right to gather evidence than your
company. Get legal advice regarding proper investigative techniques and
evidence gathering so they will hold up in court. Recognize that
investigative procedures and techniques can be disrupting, causing
downtime and a drain in manpower.

Strike back if you choose, but only with adequate legal counsel. There is
a range of actions you can take - some more offensive than others.

Prepare for the acts of man as much as for acts of God. Your disaster
recovery people can handle floods, earthquakes and tornadoes. But can they
handle a hacker?

This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 13:15:38 PDT