July 22, 2008

Achieving Information Security: Detection (2 of 3)

Any security expert will tell you that there is no such thing as absolute security: nothing is impenetrable or unhackable. The goal of security is, and always has been, to make getting at something more trouble than it is worth. With that said, the secondary goal of security is to allow for detection if a breach does take place.

Detecting the Intrusion:

Depending on the type of attack you face, detection could be as easy as logging into your computer and seeing that your background image or the home page you have set has changed. It could even be that your company's web site has been changed from a friendly and informative page about your company to the logo of some script kiddie. These are simple and obvious ways to tell that something is going on.

But what if the attacker's goal wasn't to damage any of your data? What if all they were looking for was a list of your clients, or details of a product your company is about to launch? If all the intruder plans on doing is taking a copy of your data, how do you know it happened?

Server Security Logs:

One of the easiest ways to tell that an outsider is attempting to gain access to your network is already built into your Windows server. If you take a look at your Domain Controller's event log you will see a section for security. This log shows every attempt, both failed and successful, to authenticate a user to your domain. If you ever notice an abundance of failed attempts, you have one of two scenarios on your hands.

  1. An employee has forgotten their password. Now, this is by no means rare, but what would be rare is an employee trying 20 times before giving up and calling the IT staff.
  2. Someone is trying to guess the password to an account. If you see dozens of failed attempts on the same account, you can almost be certain that the account is under attack. At this point, your best bet is to disable the account and contact the user to verify it is not them doing this. Your next step is to find out who is trying to use the account. We will discuss this in part 3 of this series.

In addition to your server logs, you should also enable logging on your primary network devices. Your firewall and gateway router are the entry points to your network, and if an attack is coming over the wire, there is no better place to look.
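The failed-logon check above can be automated rather than eyeballed. The script below is an added example, not code from the original post: it assumes the Domain Controller's Security log has been exported as comma-separated rows of timestamp, event ID, account and source workstation, and the rows it reads are constructed sample data. It counts failed logons per account within a sliding time window and reports any account that crosses a threshold, along with the workstations the attempts came from.

```python
"""Flag accounts with a burst of failed domain logons (added example)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Event ID 4625 is the failed-logon event on Windows Server 2008 and later
# (Server 2003 logs 529); 4624 is a successful logon.
FAILED_LOGON = 4625

# Constructed sample export (not real log output):
# timestamp, event id, account, source workstation.
SAMPLE_EVENTS = [
    "2008-07-22 08:01:10,4624,jsmith,WS-ACCOUNTING",
    "2008-07-22 08:02:15,4625,mjones,WS-SALES-03",   # a user mistyping
    "2008-07-22 08:02:40,4625,mjones,WS-SALES-03",
    "2008-07-22 08:03:05,4624,mjones,WS-SALES-03",   # ...then getting in
]
# Constructed guessing run: 25 failures against one account in under a minute.
SAMPLE_EVENTS += [
    "2008-07-22 09:10:%02d,4625,administrator,WS-UNKNOWN" % (i * 2)
    for i in range(25)
]


def parse_event(line):
    """Split one exported row into (datetime, event_id, account, source)."""
    ts, event_id, account, source = line.split(",")
    return datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), int(event_id), account, source


def flag_guessing(lines, threshold=10, window_minutes=15):
    """Return {account: {...}} for accounts with >= threshold failures
    inside any window of window_minutes. Thresholds are assumptions;
    tune them to your own environment."""
    failures = defaultdict(list)
    for line in lines:
        ts, event_id, account, source = parse_event(line)
        if event_id == FAILED_LOGON:
            failures[account].append((ts, source))

    window = timedelta(minutes=window_minutes)
    flagged = {}
    for account, attempts in failures.items():
        attempts.sort()
        start = 0
        for end in range(len(attempts)):
            # Slide the window start forward until it spans <= window.
            while attempts[end][0] - attempts[start][0] > window:
                start += 1
            if end - start + 1 >= threshold:
                flagged[account] = {
                    "failures": len(attempts),
                    "sources": sorted({src for _, src in attempts}),
                }
                break
    return flagged


if __name__ == "__main__":
    for account, info in flag_guessing(SAMPLE_EVENTS).items():
        print("possible guessing against %s: %d failures from %s"
              % (account, info["failures"], ", ".join(info["sources"])))
```

The window matters: two failures in a minute followed by a success is the forgotten-password case from scenario 1, and the default threshold leaves it alone, while the same account failing 25 times from a workstation you do not recognize is scenario 2. The source workstation list is what you will want to have in hand when you start tracing who is behind the attempts.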

Intrusion Detection Systems:

Data security is so important that there is an entire segment of the software industry dedicated to detecting data breaches. This type of software is called an intrusion detection system, or IDS for short.

An IDS is a set of "sensors" on a computer or computer network that look for strange activity based on a predefined set of rules that it follows. An IDS knows what typical network traffic looks like and can recognize attacks against your network as they occur. In some cases it can defend against those attacks, or at the very least send your administrator a warning to let them know what is happening.

For example, your IDS will learn how much traffic should come to your network at a given time. If for some reason there is a sudden increase in the amount of data, or the number of connections being attempted on your network spikes past a predefined threshold, there is a good chance that a Denial of Service attack may be under way. It can also recognize if someone is attempting to scan for available ports on your firewall.
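To make the two rules in that paragraph concrete, here is an added example (not code from the original post or from any IDS product) that runs over a constructed connection log of (minute, source address, destination port) records. It learns a per-minute baseline from a quiet period and flags minutes whose connection count exceeds a multiple of it, and separately flags any single source that touches an unusually large number of distinct ports. The sample addresses are from the documentation ranges and the thresholds are assumptions.

```python
"""Baseline connection-rate spikes and port-scan detection (added example)."""
from collections import Counter, defaultdict


def build_sample():
    """Constructed connection log: minutes 0-9 are normal, minute 10 is a
    flood from many sources, minute 11 is one host probing many ports."""
    records = []
    for minute in range(10):                     # ~20 connections per minute
        for i in range(20):
            records.append((minute, "10.0.%d.%d" % (minute, i), (80, 443, 25)[i % 3]))
    for i in range(400):                         # constructed DoS burst
        records.append((10, "203.0.113.%d" % (i % 250), 80))
    for port in range(20, 70):                   # constructed port scan
        records.append((11, "198.51.100.7", port))
    return records


SAMPLE = build_sample()


def connection_rate_alerts(records, baseline_minutes, factor):
    """Learn the mean connections-per-minute over the first baseline_minutes
    and return [(minute, count)] for minutes exceeding mean * factor."""
    per_minute = Counter(minute for minute, _, _ in records)
    baseline = [per_minute.get(m, 0) for m in range(baseline_minutes)]
    mean = sum(baseline) / float(len(baseline))
    threshold = mean * factor
    return sorted((m, c) for m, c in per_minute.items()
                  if m >= baseline_minutes and c > threshold)


def port_scan_alerts(records, distinct_ports):
    """Return {source: number_of_ports} for sources that connected to at
    least distinct_ports different destination ports."""
    ports_by_source = defaultdict(set)
    for _, source, port in records:
        ports_by_source[source].add(port)
    return {src: len(ports) for src, ports in ports_by_source.items()
            if len(ports) >= distinct_ports}


if __name__ == "__main__":
    for minute, count in connection_rate_alerts(SAMPLE, baseline_minutes=10, factor=5.0):
        print("minute %d: %d connections, far above baseline" % (minute, count))
    for source, n in port_scan_alerts(SAMPLE, distinct_ports=20).items():
        print("%s touched %d distinct ports: likely port scan" % (source, n))
```

The two rules catch different things: the flood in minute 10 trips the rate rule even though each source only makes a handful of connections, while the scanner in minute 11 never pushes the total rate over the threshold but stands out by the number of distinct ports it touches. A real IDS keeps its baseline per hour of day rather than one flat number, since traffic at 3 a.m. should not be judged against the lunchtime average.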

Other intrusion detection systems are designed to monitor internal activity; after all, most data breaches are committed by employees. An IDS can look for signs such as large numbers of files being copied from a network share to a person's local computer.

For more information about Intrusion Detection Systems, see the Wikipedia entry on the subject.

Please check back for Part 3 of 3 of the Achieving Information Security series.
