It was Tuesday, November 27, 2001, early in the morning, when a newspaper headline screamed — "The Website of Punjab Police Hacked!" Like me, all those who logged on to the site were shocked to find a Pakistani flag along with the message "Ramadan Mubarak".
Many such attacks are continuously being reported throughout the globe. The problem becomes a major issue when somebody breaks into a site where financial transactions are done frequently. In such cases the damage could be far more devastating for a business; in some cases it may even bring an entire corporate giant to its knees. Interestingly, some security breaches go unobserved for a considerable amount of time. Even a giant IT player such as Microsoft could do nothing about the intruder who breached their security and continued to do so for a period of well over 2 months.
To watch for unusual behaviour on a network, an intranet or the Internet, we need to know something about Intrusion Detection Systems (IDS). When establishing an intrusion detection process, concentrating on software, networks and hardware is the key to success. Before operating systems can be hardened, system sensors installed and networks monitored, a model must be created for each unique network segment; assumptions cannot be made: what worked once is no guarantee of success the next time.
Systems security program
To begin with, identify the systems that must be protected for business to continue or for trust to be maintained. Where does a company direct its personnel, hardware and monetary resources? Then you must realise that levels of protection are informal processes for most companies. These informal security steps must be documented, defined and formally established as part of the corporate culture. The key is not to react, as most companies are doing, but rather to be proactive: establish standards and policies and document where the company is supposed to evolve in a systematic process. This is possible by creating a systems security program. This program, if designed correctly, will stop intruders from entering the sensitive areas of a corporate organisation. Equally important is that this security program must be a living model (real life); it must be continuously evaluated and updated. Finally, the executives must "buy" this process or it is destined to fail.
Following are some of the common practices that need to be remembered and, more importantly, implemented. They are often overlooked by system administrators and security personnel, and the bizarre consequences are left to be borne by the CEOs of the corporations concerned.
First and foremost, for any model to succeed, the perimeter must be defined. It is not only a question of where the servers, switches, hubs and routers are located, but also of where the doors and windows are through which individuals can reach these devices and obtain "local control" of them. Are there metrics to validate entrance into those rooms and devices? A company's physical security program must include actively monitoring all personnel entering and exiting these physically protected spaces. Additionally, routers must be configured to provide both passive and active defences against hacking and Denial of Service (DoS) type attacks.
Patching the operating system (OS) and applications is the fundamental layer of security. Without patch updates and fixes, even the most physically isolated computer can be compromised in minutes. Statistically speaking, every computer will be probed at least 6 times during its life cycle.
Reports about servers being compromised have also become a common occurrence. Where does the problem lie? In all cases, system administrators forgot to install the updates and patches. These updates provide protection against software-related vulnerabilities and hazards. One must implement the latest applicable patches, remove or tighten unnecessary services, and tighten system settings on each host operating system. These simple steps will solve two-thirds of a company's problems.
There are many programs and processes available that can provide the system administrator with a lot of valuable information about the health of a network. These processes should be included in an indications and warning network. MRTG, HP OpenView and a multitude of other programs provide information on bandwidth, CPU utilisation, disk space usage, application usage and other such valuable measures. As system administrators intuitively know what counts as "normal activity" for their networks, any "out of band" increases are readily noticeable. Incorporating this raw information into a central area gives security and systems administrators another means to detect something going amiss.
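The "out of band" check described above can be made mechanical instead of relying on intuition alone: keep a short history of each metric and flag any current reading that sits far outside it. The script below is an added example for this article, not code from the article or from any of the monitoring products it names; the metric names, the readings and the three-standard-deviation threshold are constructed assumptions for illustration. A metric that has always been flat is treated as a special case, since any movement in it is noteworthy, and a metric with no history at all is reported rather than silently ignored.

```python
"""Flag 'out of band' readings against a per-metric baseline.

Added example for this article, not code from the article or from any
monitoring product it names. Metric names, readings and the k = 3
standard-deviation threshold are constructed/assumed for illustration.
"""
import statistics
from typing import Dict, List, Tuple

# Constructed history: 14 recent readings per metric, of the kind a
# bandwidth or host monitor (MRTG, OpenView, ...) would export.
HISTORY: Dict[str, List[float]] = {
    "wan_in_mbps": [40, 42, 39, 41, 43, 40, 38, 42, 41, 40, 39, 42, 41, 40],
    "web_cpu_pct": [20, 22, 25, 21, 19, 23, 24, 22, 20, 21, 23, 22, 21, 20],
    "dns_qps": [500] * 14,  # a perfectly flat metric: any change stands out
}


def baseline(readings: List[float]) -> Tuple[float, float]:
    """Return (mean, population standard deviation) of a metric's history."""
    if len(readings) < 2:
        raise ValueError("need at least two readings to build a baseline")
    return statistics.mean(readings), statistics.pstdev(readings)


def out_of_band(history: Dict[str, List[float]],
                current: Dict[str, float],
                k: float = 3.0) -> List[Tuple[str, float, str]]:
    """Return (metric, value, reason) for every current reading that lies
    more than k standard deviations from its baseline, or that has no
    baseline at all (a brand-new metric is itself worth a look)."""
    alerts: List[Tuple[str, float, str]] = []
    for name, value in current.items():
        readings = history.get(name)
        if not readings or len(readings) < 2:
            alerts.append((name, value, "no baseline for this metric"))
            continue
        mean, sd = baseline(readings)
        if sd == 0:
            # Flat history: the only "normal" value is the one it always had.
            deviates = value != mean
        else:
            deviates = abs(value - mean) > k * sd
        if deviates:
            alerts.append((name, value,
                           f"baseline {mean:.1f}, allowed +/- {k * sd:.1f}"))
    return alerts


def alert_names(history: Dict[str, List[float]],
                current: Dict[str, float],
                k: float = 3.0) -> List[str]:
    """Sorted metric names that out_of_band() would flag."""
    return sorted(a[0] for a in out_of_band(history, current, k))


if __name__ == "__main__":
    # Constructed "this hour" sample: inbound traffic has more than doubled.
    now = {"wan_in_mbps": 95, "web_cpu_pct": 24, "dns_qps": 500}
    for name, value, reason in out_of_band(HISTORY, now):
        print(f"ALERT {name}={value} ({reason})")
```

With the constructed history, a reading of 95 Mbps on a link that normally carries about 40 is flagged, while 43 Mbps is not; the threshold follows the spread the history actually shows rather than a fixed number, so a noisy link tolerates more movement than a quiet one.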
Every authorised systems administrator and system security person must continuously audit the internal networks. Firewall logs, switch and router activity, computer system logs, and read/write permissions should be reviewed on a weekly or twice-monthly basis. These audits may provide critical information on the activities occurring not only on the network but also on each system. Once these items are audited, and logs archived for forensic purposes, the activity of each system can not only be tracked and monitored but changes can be noticed immediately during the audit.
One needs to carefully select an Intrusion Detection System (IDS) software program that will allow the system security team to determine when critical software files and programs on any system are changed, added or deleted. This program must be tiered and cover both network and operating system issues. Further, it should be understandable and yet robust.
The selected program must be able to help the system administrator assess how a hacker views your network. It should implement a file integrity (cryptographic fingerprinting) system to ensure you can tell which files were changed in an attack. Finally, it should tie database-type scanners in with the system-type scanner.
These two programs let you know what the read and write permissions are for every file and executable program within the system, and who has access to which files.
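The file integrity (cryptographic fingerprinting) idea in the two paragraphs above comes down to a small amount of code: record a digest of every critical file while the system is known to be clean, then rescan later and compare. The script below is an added example for this article, not the article's own code nor that of any IDS product; the directory layout and file contents are constructed for illustration and are written to a temporary directory so the example runs anywhere. It classifies the differences as changed, added and deleted, which is exactly the three events the article says the chosen program must detect.

```python
"""File integrity checking by cryptographic fingerprinting.

Added example for this article; it is not the article's own code nor
any particular IDS product's. The directory layout and file contents
below are constructed for illustration.
"""
import hashlib
import os
import tempfile
from typing import Dict, Set


def sha256_of(path: str) -> str:
    """Hex SHA-256 of a file, read in chunks so large binaries are fine."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def fingerprint_tree(root: str) -> Dict[str, str]:
    """Map every regular file under root (path relative to root, '/' separated)
    to its SHA-256 digest. Symlinks are skipped so a link cannot stand in
    for the file it points at."""
    fingerprints: Dict[str, str] = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if os.path.islink(full) or not os.path.isfile(full):
                continue
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            fingerprints[rel] = sha256_of(full)
    return fingerprints


def compare(baseline: Dict[str, str],
            current: Dict[str, str]) -> Dict[str, Set[str]]:
    """Classify differences between a stored baseline and a fresh scan."""
    base, cur = set(baseline), set(current)
    return {
        "added": cur - base,
        "deleted": base - cur,
        "changed": {p for p in base & cur if baseline[p] != current[p]},
    }


def _write(root: str, rel: str, data: bytes) -> None:
    """Helper for the constructed tree: write bytes to root/rel."""
    full = os.path.join(root, rel)
    os.makedirs(os.path.dirname(full), exist_ok=True)
    with open(full, "wb") as f:
        f.write(data)


def demo() -> Dict[str, Set[str]]:
    """Build a baseline over a constructed tree, alter it (one program
    replaced, one file added, one removed) and return what the
    comparison reports."""
    with tempfile.TemporaryDirectory() as root:
        _write(root, "bin/login", b"original login program")
        _write(root, "bin/ls", b"original ls program")
        _write(root, "etc/motd", b"Welcome\n")
        # In practice the baseline is stored read-only or off the host,
        # otherwise whoever alters a file can alter its recorded digest too.
        baseline = fingerprint_tree(root)

        _write(root, "bin/login", b"modified login program")
        _write(root, "bin/unexpected", b"something new")
        os.remove(os.path.join(root, "etc", "motd"))
        return compare(baseline, fingerprint_tree(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {sorted(paths) or '-'}")
```

Digests are compared rather than sizes or modification times, because a replaced program can keep the same length and have its timestamp reset; a cryptographic hash changes whenever the content does. The weekly or twice-monthly review the article recommends is where the "changed" list gets read against the change log, so that every difference is either an approved update or an incident.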
Be warned: no matter how well protected your system is, you must assume it will be penetrated someday. If the attack and system compromise does not originate from an outside source, it will come from a disgruntled employee, a systems administrator's mistake or an internal intruder. Therefore, a dummy LAN generating enticing data patterns, promising folder descriptors and other such fronts can lure an intruder or hacker away from the actual network and systems and give you time to recover from a successful network penetration. This dummy LAN should be equipped with probes, operating system sensors and tracking software to identify the intruders who "mistakenly" negotiate through the outer layers. This inducement will give you a real chance to trace the intruder. However, it may not be feasible for small corporate players.
Under no circumstances should you allow unrestricted, unencrypted and unvetted access to the operating system. Simply stated: never conduct sysadmin processes over an unvetted link. It is as easy as never transmitting clear-text passwords and ensuring a trusted relationship is established between the two systems.
Nearly every informal process will fail without proper documentation during a critical phase. Documenting security policies and procedures will provide an integral standard that guarantees efficient, reliable, and responsive security practices to meet all security requirements for safeguarding the facility, personnel, and your customers.
It is a fact that no one knows the network and system devices like the security and system administrators, who are continuously monitoring the network health and the current status of IDS activity. These individuals will often know something is going wrong before a sensor or probe provides an alert. Additionally, they often provide early warning to management that "something" is wrong.
While this is an informal by-product, the system security engineer and systems administrator need a means to provide these symptoms to management for evaluation as a situation is developing, and to the security incident response team if