In this case, however, you need to be sure that the "hot spare" itself has not been compromised. Some malicious code can remain dormant for many months before doing anything visible, so a spare built from the same image, or at the same time, as the production server may carry the same infection. This is another good reason to keep antivirus software up to date and to run it on a regular, frequent basis.
Another way to protect servers is to use the tools that the operating system provides to protect individual services. For example, never place an anonymous FTP upload directory on your system disk: the last thing you want is for an anonymous user to fill the disk the operating system itself needs. Most operating systems allow you to set quotas that define how much space a particular user account can consume on a server's hard drives. Enforcing quotas helps blunt an attack that consists of consuming all the available space on a disk, which is a simple denial of service. In addition, you can set alarms to notify you when quota is being consumed at a rate faster than what you see during normal operations. It's then an easy matter to track down the source of the data coming into the server and to terminate the offending user process.
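The alarm described above, rate-based rather than threshold-based, is easy to implement on top of whatever usage figures your quota system reports. The following is an added example, not code from the original text or from any quota tool: it takes periodic per-account samples of used bytes (the sample series, the 5× factor and the one-hour horizon are constructed assumptions) and flags an account whose latest growth far exceeds its own typical rate, or whose quota will be exhausted within the hour at that rate.

```python
from statistics import median

MB = 1024 * 1024
GB = 1024 * MB


def growth_rates(samples):
    """Bytes per second consumed between consecutive (timestamp_s, used_bytes) samples."""
    rates = []
    for (t0, u0), (t1, u1) in zip(samples, samples[1:]):
        if t1 > t0:
            rates.append((u1 - u0) / (t1 - t0))
    return rates


def check_account(user, quota_bytes, samples, factor=5.0, horizon_s=3600):
    """Return [(code, message), ...] for one account, or [] when usage looks normal.

    'rate'       : the latest interval grew more than `factor` times this account's
                   own median rate over the earlier intervals.
    'exhaustion' : at the latest rate the remaining quota is gone within `horizon_s`.
    The baseline is per account, so a busy build server is not judged by the same
    yardstick as a mailbox that normally grows a few kilobytes a day.
    """
    rates = growth_rates(samples)
    if len(rates) < 3:
        return []  # too little history to call anything abnormal
    baseline = max(median(rates[:-1]), 1.0)  # floor of 1 B/s avoids a flat, zero baseline
    current = rates[-1]
    used = samples[-1][1]
    alerts = []
    if current > factor * baseline:
        alerts.append(("rate",
                       f"{user}: {current / MB:.2f} MB/s vs usual {baseline / MB:.4f} MB/s"))
    if current > 0 and (quota_bytes - used) / current < horizon_s:
        eta = (quota_bytes - used) / current
        alerts.append(("exhaustion",
                       f"{user}: {quota_bytes / GB:.1f} GB quota full in about {eta:.0f}s"))
    return alerts


def demo():
    """Constructed data: seven five-minute polls (as you might take from repquota or du)."""
    t = [i * 300 for i in range(7)]
    # alice grows a steady 1 MB every five minutes.
    normal = [(ti, 500 * MB + i * MB) for i, ti in enumerate(t)]
    # the anonymous ftp account looks the same until the last poll, which shows +2 GB.
    flood = normal[:-1] + [(t[-1], normal[-2][1] + 2 * GB)]
    return {
        "alice": check_account("alice", 5 * GB, normal),
        "ftp": check_account("ftp", 5 * GB, flood),
    }


if __name__ == "__main__":
    for user, alerts in demo().items():
        print(user, alerts or "ok")
```

Feed the function with one sample per poll per account and it will stay quiet for steady growth while raising both alerts on the ftp account, which is the point: a static "90% of quota" threshold would only have fired after most of the damage was done.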
Protecting computers should also involve software that detects malicious code. Even home PC users are aware of the value of antivirus programs. There are so many vendors of this software that it would be pointless to attempt to list them here. However, when you do choose an antivirus program, there are some things to consider before making a purchasing decision. For example, does the vendor respond quickly with updates as new viruses are discovered? Can the software remove a virus after it has been detected? Can it scan floppy disks and other removable media as well as files transferred to the computer over the network? Of these, the capability to respond quickly to new threats is perhaps the most important, although your situation might dictate other factors. Note also that many firewall products now contain some type of virus-detection mechanism.
Using Tripwire
There are many programs you can use to help determine whether your system has been compromised. Tripwire is a very popular host-based intrusion detection system (HIDS), specifically a file-integrity checker, that can be used for this purpose. Tripwire was originally developed in 1992 at Purdue University by Gene Kim and Dr. Eugene Spafford. The Academic Source Release (ASR) version of Tripwire can be downloaded for noncommercial use from Tripwire's Web site. In addition, Tripwire, Inc. sells commercial versions of the software, including an enterprise console (Tripwire Manager) that uses SSL for its communications and simplifies management of multiple servers and workstations.
Tripwire is based on the concept of taking a "snapshot" of system resources, such as files, directories, and, in the case of Windows NT, Registry settings. The information gathered by Tripwire is stored in a cryptographically signed database and is used to compare the server against its baseline later to determine whether changes have been made and what those changes were. Because an attacker who can rewrite both the files and the baseline can hide any change, the database (and the key that signs it) should be kept on read-only media or otherwise out of reach of the monitored host. A policy file allows the network administrator to control the types of data that Tripwire monitors and to prioritize certain events using a rule base. In addition, Tripwire can produce reports that make monitoring the system easier for administrators.
Currently, Tripwire runs on the following operating-system platforms:
- Windows NT 4.0, Windows 2000, Windows Server 2003, and Windows XP Professional
- Solaris (SPARC) versions 2.6, 7.0, 8.0, 9.0, and 10
- IBM AIX 4.3.3, 5.1, 5.2, and 5.3
- HP-UX 10.20, 11.0, 11i v1, and 11i v2
- Several versions of Linux
Some of the things that Tripwire can monitor are specific to an operating system, whereas others (such as file types and sizes) can be monitored on all platforms. For example, here are a few of the items you can use Tripwire to monitor on Unix systems:
- Addition, deletion, or modification of files, along with file permissions, types, and sizes
- Inode number and number of links
- Owner and group IDs for files
- Modification timestamps and access timestamps
In addition, hash algorithms can be used to verify the integrity of file contents, which catches a modification that preserves the size, permissions, and timestamps. Tripwire supports several hashing algorithms, such as CRC-32, MD5, and SHS/SHA, among others. Note that CRC-32 is a checksum rather than a cryptographic hash, so an attacker can trivially craft a modified file with the same CRC, and MD5 collisions are practical today; rely on the SHA-family hash for integrity and treat the others as cheap sanity checks at most.
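To make the snapshot-and-compare idea concrete, here is a minimal Tripwire-style integrity checker. This is an added example written for this page, not Tripwire's code: it records the Unix attributes listed above (permissions, inode, link count, owner and group, size, mtime) plus a SHA-256 digest for every regular file under a directory, saves the baseline as JSON, and later reports what was added, deleted, or modified and which attributes changed. SHA-256, the JSON format and the tampered `/etc`-like tree in `demo()` are this example's own assumptions; the tree is constructed in a temporary directory so the code runs offline.

```python
"""Tripwire-style file-integrity baseline and compare (added example, not Tripwire's code)."""
import hashlib
import json
import os
import shutil
import stat
import tempfile


def sha256_of(path):
    """Content digest. SHA-256 is this example's choice; Tripwire offered CRC-32, MD5, SHA, etc."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root):
    """Map each regular file under root (relative path) to the attributes Tripwire watches on Unix."""
    db = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            st = os.lstat(full)
            if not stat.S_ISREG(st.st_mode):
                continue  # symlinks, sockets and devices are out of scope for this example
            db[os.path.relpath(full, root)] = {
                "mode": stat.S_IMODE(st.st_mode),   # permission bits
                "inode": st.st_ino,
                "nlink": st.st_nlink,
                "uid": st.st_uid,
                "gid": st.st_gid,
                "size": st.st_size,
                "mtime": st.st_mtime_ns,
                "sha256": sha256_of(full),
            }
    return db


def save_db(db, path):
    # In a real deployment the baseline must live where the monitored host cannot
    # rewrite it (read-only media, or signed as Tripwire does); an attacker who can
    # alter the files and the baseline alike defeats the check entirely.
    with open(path, "w") as f:
        json.dump(db, f, sort_keys=True, indent=1)


def load_db(path):
    with open(path) as f:
        return json.load(f)


def compare(baseline, current):
    """Return added and deleted paths and, for paths in both, the list of attributes that differ."""
    added = sorted(set(current) - set(baseline))
    deleted = sorted(set(baseline) - set(current))
    modified = {}
    for rel in sorted(set(baseline) & set(current)):
        changed = [k for k in baseline[rel] if baseline[rel][k] != current[rel][k]]
        if changed:
            modified[rel] = changed
    return {"added": added, "deleted": deleted, "modified": modified}


def demo():
    """Constructed scenario: baseline a small tree, then tamper with it four different ways."""
    root = tempfile.mkdtemp(prefix="fim-tree-")
    dbdir = tempfile.mkdtemp(prefix="fim-db-")  # baseline kept outside the monitored tree
    try:
        etc = os.path.join(root, "etc")
        os.mkdir(etc)
        files = {
            "passwd": "root:x:0:0:root:/root:/bin/bash\n",
            "hosts": "127.0.0.1 localhost\n",
            "motd": "Authorized use only.\n",
        }
        for name, body in files.items():
            with open(os.path.join(etc, name), "w") as f:
                f.write(body)
            os.chmod(os.path.join(etc, name), 0o644)
        passwd = os.path.join(etc, "passwd")
        before = os.stat(passwd)
        save_db(snapshot(root), os.path.join(dbdir, "baseline.json"))

        # 1. Same-length content change with the mtime put back: only the hash catches it.
        with open(passwd, "w") as f:
            f.write("root:x:0:0:root:/root:/bin/dash\n")
        os.utime(passwd, ns=(before.st_atime_ns, before.st_mtime_ns))
        # 2. Permission change only (chmod does not touch mtime).
        os.chmod(os.path.join(etc, "hosts"), 0o600)
        # 3. A file added and 4. a file deleted (constructed, harmless content).
        with open(os.path.join(etc, "ld.so.preload"), "w") as f:
            f.write("/tmp/injected.so\n")
        os.remove(os.path.join(etc, "motd"))

        return compare(load_db(os.path.join(dbdir, "baseline.json")), snapshot(root))
    finally:
        shutil.rmtree(root)
        shutil.rmtree(dbdir)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=1))
```

The first tamper case is the one worth remembering: a same-size edit with the timestamp restored is invisible to size and mtime checks and is reported here only because of the hash, which is why the content digest, not the cheaper metadata, is what an integrity checker ultimately depends on.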
For Windows NT systems, the list that can be monitored includes the standard file components and things such as these:
- File attributes, such as archive, read-only, hidden, or offline
- Create and access times
- NTFS Owner SID, NTFS Group SID, and other NTFS attributes
- Addition, deletion, and modification of Registry keys and the values of those keys
These lists are not all-inclusive. For more information about acquiring an evaluation copy of Tripwire, visit www.tripwire.com.
User Awareness and Training
Social engineering is a term used a lot lately to describe an easy method for gaining access to your network: talking a person into handing over what the attacker wants. Put quite simply, are the users of your network trained in security measures? A quick test is to have someone from your help desk call a user and ask for his password. I would bet that in at least half of the cases the user will give it out. A help-desk person should never need to ask this question! Instead, if help-desk staff need access to a user account, they can notify the user that they are changing the password temporarily and tell the user when to reset it to a value known only to the user.
A password policy should also be in effect to ensure that common names and dictionary words are not used. Yet one must be careful not to make passwords so difficult that users resort to writing them down. Most operating systems can keep a history of previous passwords to prevent their reuse within a specified period. You'll also find that you can usually set a minimum (and sometimes a maximum) password length, as well as a maximum password age.
Social engineering also can involve dumpster diving. How secure are the printouts that you throw in the trash can? Do you have paper shredders (and a security policy dictating their use) in place? Even Hollywood stars know that much useful information can be obtained from a trash can! This goes not just for paper materials. When you decommission old tapes or old computer hard drives, do you take the time to destroy the data stored on them? It may be well and good to donate old computers to nonprofit organizations or schools, but reformatting a drive does not remove its data; overwrite every sector with a wiping tool (or use the drive's built-in secure-erase command) before reinstalling the operating system, and physically destroy drives that held sensitive data. Tapes can be rendered unreadable by various means, including bulk degaussers that erase the contents in just a few seconds.
Staying on Top of Security Issues
Your network will never be secure unless you make an effort to keep up-to-date with the latest discoveries concerning security issues. There are many good sites on the Web that you can use as resources to help you get the latest information as well as advice on how to better secure hosts and networks. Keep in mind that those who would do harm to your network are usually one step ahead of you. It's a continual catch-up game. The quicker you find out about a problem, the quicker you can take precautions to protect your network.