July 26, 2008

Achieving Information Security: Response (3 of 3)

Given enough time and resources, any security system you put in place will be overcome. Coming into the office one morning and seeing that your network has been compromised, knowing that detailed and confidential client or patient data has been stolen, is not the time to work out how you should react. In situations like this you need to move quickly and intelligently, and not let your emotions (fear for your business, anger at the violation) take hold of you. That means having a response plan written down before the breach, not after.

One of the most important parts of planning a proper response is to understand who is at risk because of the breach. As violated as you feel right now, others who don't even know they are in danger may be at risk too. If you run a business that bills clients (which is basically every business), then that payment information is on file somewhere, and it puts those clients at risk. If you are a doctor, you hold highly personal information about your patients.

Once you have established who is at risk, make a list of who needs to be contacted and how you plan on contacting them. The most obvious, yet often overlooked, are the police. If you think or know you have had a security breach and data has been stolen, it is time to contact the authorities. Data theft is still theft, and computer crimes are a big deal. Also check which other authorities or regulators must be notified based on your industry and location; many jurisdictions have breach-notification laws with their own deadlines.

Once the proper authorities have been contacted, contact the others who may be at risk. If patient information has been stolen, contact your patients. If billing or financial information of clients has been compromised, let them know.

Contacting a client to tell them their information may have been stolen is a difficult thing. Expect to get a lot of calls, and be ready to answer a lot of questions. And in today's world, be prepared to compensate the client for their loss. It is typical for the company responsible for the data loss to pay for identity theft insurance or credit monitoring for its clients for up to a year following the breach. Anything more than that is nice, but unless what was stolen caused a direct loss to your client, you don't owe them much, in my opinion.

Now that you have contacted the proper authorities and the people affected, the last step is to find out what went wrong and fix it. How did the thief get the data, what type of attack was used, and what can you do to prevent it from happening again? Before you wipe or rebuild anything, preserve the evidence: copy off the server, firewall and router logs discussed in part 2 and image the affected machines, because the authorities you just contacted will want them and you cannot answer the first two questions without them.


July 25, 2008

Happy SysAdmin Day!

Happy Systems Administrator Day Everyone!



July 22, 2008

Achieving Information Security: Detection (2 of 3)

Any security expert will tell you that there is no such thing as absolute security, and nothing is impenetrable or unhackable. The goal of security is, and always has been, to make getting at something more trouble than it is worth. With that said, the secondary goal of security is to make sure a breach is detected if one does take place.

Detecting the Intrusion:

Depending on the type of attack you face, detection could be as easy as logging into your computer and seeing that your background image or your browser's home page has changed. It could be that your company's web site has been changed from a friendly and informative page about your company to the logo of some script kiddie. These are simple and obvious signs that something is going on.

But what if the attacker's goal wasn't to damage any of your data? What if all they were looking for was a list of your clients, or details of a product your company is about to launch? If all the intruder plans on doing is take a copy of your data, how do you know it happened?

Server Security Logs:

One of the easiest ways to tell that an outsider is attempting to gain access to your network is already built into your Windows server. If you take a look at your Domain Controller's event log you will see a Security log. With auditing of account logon events enabled (check that failure auditing is on and not just success; failure auditing is not always enabled out of the box), this log records every attempt, both failed and successful, to authenticate a user to your domain, along with the account name and the workstation the attempt came from. If you ever notice an abundance of failed attempts, you have one of two scenarios on your hands:

  1. An employee has forgotten their password. This is by no means rare, but what would be rare is an employee trying 20 times before giving up and calling the IT staff.
  2. Someone is trying to guess the password to an account. If you see dozens of failed attempts on the same account, especially from a workstation name or address you don't recognize, you can be almost certain that the account is under attack. At this point your best bet is to disable the account and contact the user to verify it is not them doing this. Your next step is to find out who is trying to use the account. We will discuss this in part 3 of this series.
In addition to your server logs, you should also enable logging on your primary network devices. Your firewall and gateway router are the entry points to your network, and if an attack is coming over the wire, there is no better place to look.
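The following is an added example, not code from the original post: a small Python triage of constructed Windows Security log records (event ID 4625 is a failed logon and 4624 a successful one on Windows Server 2008 and later; 529 and 528 are the Server 2003 equivalents). It applies the two scenarios above. A handful of failures followed by a success from the user's own workstation reads as a forgotten password, while dozens of failures on one account inside a few minutes, from a source you don't recognize, reads as password guessing. The account names, addresses and the ten-failures-in-five-minutes threshold are assumptions for illustration; on a real domain controller you would export the Security log and feed its records in instead of the constructed list.

```python
"""Triage failed logons from constructed Windows Security log records.

Added example, not from the original post. Event IDs: 4625 = failed logon,
4624 = successful logon (Windows Server 2008+; 529/528 on Server 2003).
Every record below is constructed, not real log data.
"""
from collections import defaultdict
from datetime import datetime, timedelta

FAILED_LOGON = 4625   # "An account failed to log on" (529 on Server 2003)
SUCCESS_LOGON = 4624  # "An account was successfully logged on" (528 on 2003)


def _t(minutes, seconds=0):
    """Constructed timestamp: offset from 09:00 on a fixed day."""
    return datetime(2008, 7, 22, 9, 0) + timedelta(minutes=minutes, seconds=seconds)


# Constructed sample events: (time, event_id, account, workstation, source_ip)
SAMPLE_EVENTS = (
    # jsmith mistypes three times from her own desk, then gets in: forgotten password
    [(_t(0, 5), FAILED_LOGON, "jsmith", "WS-FIN-07", "192.168.1.57"),
     (_t(0, 20), FAILED_LOGON, "jsmith", "WS-FIN-07", "192.168.1.57"),
     (_t(0, 41), FAILED_LOGON, "jsmith", "WS-FIN-07", "192.168.1.57"),
     (_t(1, 2), SUCCESS_LOGON, "jsmith", "WS-FIN-07", "192.168.1.57")]
    # administrator hammered 30 times in two minutes from an unknown host
    + [(_t(3, 4 * i), FAILED_LOGON, "administrator", "-", "10.0.0.99")
       for i in range(30)]
    # one stray failure is not worth paging anyone about
    + [(_t(8), FAILED_LOGON, "bjones", "WS-OPS-02", "192.168.1.80")]
)


def peak_failures(times, window):
    """Largest number of failures that fall inside any span of length `window`."""
    times = sorted(times)
    best = start = 0
    for end, t in enumerate(times):
        while t - times[start] > window:
            start += 1
        best = max(best, end - start + 1)
    return best


def triage_logons(events, window=timedelta(minutes=5), attack_threshold=10):
    """Group failed logons per account and say which of the two scenarios fits."""
    failures = defaultdict(list)
    sources = defaultdict(set)
    succeeded_after = defaultdict(bool)
    for when, event_id, account, workstation, source_ip in sorted(events):
        if event_id == FAILED_LOGON:
            failures[account].append(when)
            sources[account].add((workstation, source_ip))
        elif event_id == SUCCESS_LOGON and account in failures:
            succeeded_after[account] = True   # the user eventually got in
    report = {}
    for account, times in failures.items():
        peak = peak_failures(times, window)
        if peak >= attack_threshold:
            verdict = "under attack"          # disable, call the user, trace the source
        elif succeeded_after[account]:
            verdict = "forgotten password"
        else:
            verdict = "watch"
        report[account] = {"failures": len(times), "peak_in_window": peak,
                           "sources": sorted(sources[account]), "verdict": verdict}
    return report


if __name__ == "__main__":
    for account, info in triage_logons(SAMPLE_EVENTS).items():
        print(f"{account}: {info['failures']} failed, peak {info['peak_in_window']} "
              f"in 5 min from {info['sources']} -> {info['verdict']}")
```

The source workstation and address are carried into the report on purpose: when the verdict is "under attack" they are the first thing you need for the next step, and a source that is not one of your own workstations (the "-" name here) is itself a strong signal.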

Intrusion Detection Systems:

Data security is so important that there is an entire segment of the software industry dedicated to detecting breaches. These products are called intrusion detection systems, or IDS for short.

An IDS is a set of "sensors" on a computer or network that look for suspicious activity, either by matching traffic against a predefined set of rules (signatures of known attacks) or by comparing it against a learned picture of what normal traffic looks like. It can recognize attacks against your network as they occur and, at the very least, send your administrator a warning to let them know what is happening. A system that also blocks the traffic it flags is usually called an intrusion prevention system (IPS).

For example, your IDS will learn how much traffic should come to your network at a given time. If there is a sudden increase in the amount of data, or the number of connections being attempted on your network spikes past a predefined threshold, there is a good chance that a denial-of-service attack is under way. It can also recognize when someone is scanning your firewall for open ports: one outside address trying connection after connection to different port numbers in a short span.
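As an added example (not the post's own code, and not any particular IDS product), here is the threshold logic from the paragraph above written out in Python over constructed connection records. A quiet ten-minute capture is used to learn a baseline connection rate, and the live capture is then checked for a minute whose connection count blows past a multiple of that baseline (the denial-of-service sign) and for a single source touching many distinct ports within one minute (the port scan sign). The addresses, the ten-times multiplier and the twenty-port cutoff are assumptions for illustration; a real IDS uses finer windows and far more rules.

```python
"""Anomaly-threshold IDS rules over constructed connection records.

Added example, not from the original post or any IDS product.
Records are (time, src_ip, dst_ip, dst_port) tuples, the shape a firewall
or router log reduces to; every address and count below is constructed.
"""
from collections import Counter, defaultdict
from datetime import datetime, timedelta


def _t(minute, second=0):
    """Constructed timestamp: offset from 10:00 on a fixed day."""
    return datetime(2008, 7, 22, 10, 0) + timedelta(minutes=minute, seconds=second)


def _quiet_traffic(start_minute, minutes, per_minute):
    """Constructed 'normal' traffic: a few web and mail connections per minute."""
    records = []
    for m in range(start_minute, start_minute + minutes):
        for i in range(per_minute):
            records.append((_t(m, (60 * i) // per_minute),
                            f"203.0.113.{10 + (m + i) % 40}",   # assorted outside clients
                            "192.0.2.10",                       # our web/mail server
                            80 if i % 3 else 25))
    return records


# Ten quiet minutes the IDS learns from, then ten minutes to watch.
BASELINE = _quiet_traffic(0, 10, 6)
LIVE = (
    _quiet_traffic(60, 10, 6)
    # one outside host walks ports 1-40 on the firewall (192.0.2.1) in 40 seconds
    + [(_t(62, i), "198.51.100.7", "192.0.2.1", port)
       for i, port in enumerate(range(1, 41))]
    # a flood: 200 connections to the web server inside a single minute
    + [(_t(67, i % 60), f"198.51.100.{100 + i % 50}", "192.0.2.10", 80)
       for i in range(200)]
)


def _minute(when):
    return when.replace(second=0, microsecond=0)


def per_minute_counts(records):
    """How many new connections arrived in each minute of a capture."""
    return Counter(_minute(when) for when, *_ in records)


def learn_rate_threshold(baseline, multiplier=10):
    """Learn 'normal': alert when a minute exceeds the busiest quiet minute by this multiple."""
    return max(per_minute_counts(baseline).values()) * multiplier


def detect(records, rate_threshold, scan_ports=20):
    """Return (kind, minute, detail) alerts for rate spikes and port scans."""
    alerts = []
    # Rule 1: connection-rate spike, the denial-of-service sign.
    for minute, count in sorted(per_minute_counts(records).items()):
        if count > rate_threshold:
            alerts.append(("possible DoS", minute.strftime("%H:%M"),
                           f"{count} connections, threshold {rate_threshold}"))
    # Rule 2: one source touching many distinct ports in a minute, the scan sign.
    ports_by_source = defaultdict(set)
    for when, src, _dst, port in records:
        ports_by_source[(src, _minute(when))].add(port)
    for (src, minute), ports in sorted(ports_by_source.items()):
        if len(ports) >= scan_ports:
            alerts.append(("port scan", minute.strftime("%H:%M"),
                           f"{src} tried {len(ports)} different ports"))
    return alerts


if __name__ == "__main__":
    threshold = learn_rate_threshold(BASELINE)
    print(f"learned threshold: {threshold} connections/minute")
    for alert in detect(LIVE, threshold):
        print(alert)
```

Note that the scan does not trip the rate rule (40 extra connections in a minute is well under ten times the quiet baseline) and the flood does not trip the scan rule (every flood connection goes to port 80), which is why an IDS carries both kinds of rule rather than one generic "too much traffic" alarm.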

Other intrusion detection systems are designed to monitor internal activity, since a large share of data breaches are committed by employees. Such a system can look for signs like large numbers of files being copied from a network share to a person's local computer.

For more information about intrusion detection systems, see the Wikipedia entry on intrusion detection systems.

Please check back for Part 3 of 3 of the Achieving Information Security series.



Hey Everyone,

As most of you have noticed, I have been M.I.A. for the last few months. This is just a formal "I'm Back" message. A lot has happened in the last few months. I got a new job, got my degree finally, and got a handful of new certifications, so check back soon for some actual posts. What does this mean for you all? Well, with the new job come more challenges for me to write about and hopefully to help you resolve issues quicker. Thanks again for hanging around while I was gone, and I hope you enjoy what is coming up.
