The process of detecting hacker attacks on corporate networks is as much an art as a science. There is no shortage of products designed to detect security breaches: tools and appliances ranging from firewalls to intrusion detection system (IDS) software, log analysis programs and hosted online services are among the options.
But technology is only part of the solution for managing risk and exposure in the corporate environment. Critical to effective attack and vulnerability detection is persistent curiosity. Administrators should constantly scan for unusual network activity, asking, for example, why certain services are running, why an employee is using email at an unusual time, or what is causing a spike in network traffic. Unless IT managers are alert and ask questions, many network attacks will go undetected until it is too late.
Network maps
A good starting point is to make a rough map that shows the entire network, and list every outside supplier, partner and customer in the margin. At the end of this exercise, administrators should know how, where and when each sub-net is interconnected and secured. In other words, IT managers need to be familiar with the boundaries between the data held on their company's network and the outside world, and with the strengths and weaknesses of those boundaries.
An exhaustive knowledge of internal network resources is one of the few advantages that IT managers have over outside attackers. It is important that IT managers scrutinise their network map and ask how a hacker might breach the defences, as well as how they might exploit company data. Crucially, administrators should try to imagine what they would do if they were hackers themselves.
Many texts are available to guide IT managers in their detection efforts. Secrets and Lies by Bruce Schneier, and online sources such as the Common Vulnerabilities and Exposures site (see the Web address below), provide useful pointers for improving security strategy.
Source: Network Ice
A desirable long-term goal is to keep IT infrastructure as simple as possible, because this reduces the number of possible vulnerabilities and makes maintenance easier. This is important because administrators must look for vulnerabilities throughout their network, while hackers only have to find one weak link in the chain.
To detect attacks, IT managers must be aware of the pattern of normal, permitted behaviour on the network. This can be easier said than done. It may take a long time to review the statistics that document regular IT operation, and the task is often too much for one person. Network protocol analysers able to capture and record snapshots of network activity can help, as can the log files from applications and servers.
There is usually little to differentiate one brand of packet sniffer from another, but they are all useful products in tracking down potential security problems on the network. Network Associates' Sniffer Pro and WildPackets' EtherPeek, for example, are serviceable software-only tools that are effective at capturing and analysing traffic movement on the network.
Hardware probes, along with software from companies such as Finisar, are useful but much more expensive to deploy in firms where long-term monitoring of high-volume networks is required. NetIQ's WebTrends and Telemate.net Software's SetSpective rely on log data to track user activity, and are good additions to an application manager's detection toolkit.
Log files and performance reports can reveal important clues about attacks. Capturing and studying data about IT usage is the best way to determine if an attack has been perpetrated and the extent of the damage done. Checking logs and other performance data should be done on a daily basis at least. Even looking over a small section of an activity report can provide clues that a probe is in progress, thereby alerting IT managers to take further action to detect the source of the attack. Because security threats change regularly, administrators will probably have to make regular adjustments to the parameters for data capture.
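As an added illustration (not from the original article) of reviewing log data both to learn what normal activity looks like and to spot a probe in progress, the following Python reads constructed firewall-style log lines, records which ports each source touches on each host, and flags sources that touch many distinct ports within a short window. The log format, field layout and thresholds are assumptions, not those of any product named above.

```python
# Added example, not from the original article: build a per-source picture of
# normal activity from firewall-style log lines and flag sources whose
# behaviour looks like a probe (many distinct ports on one host in a short
# window). Log format, field layout and thresholds are assumptions.
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: "<timestamp> <src_ip> <dst_ip> <dst_port> <action>"
SAMPLE_LOG = """\
2001-03-12T09:00:01 10.0.0.5 10.0.1.20 80 ALLOW
2001-03-12T09:00:03 10.0.0.5 10.0.1.20 443 ALLOW
2001-03-12T09:00:04 10.0.0.7 10.0.1.25 25 ALLOW
2001-03-12T09:00:10 192.0.2.44 10.0.1.20 21 DENY
2001-03-12T09:00:11 192.0.2.44 10.0.1.20 22 DENY
2001-03-12T09:00:11 192.0.2.44 10.0.1.20 23 DENY
2001-03-12T09:00:12 192.0.2.44 10.0.1.20 80 ALLOW
2001-03-12T09:00:13 192.0.2.44 10.0.1.20 110 DENY
2001-03-12T09:00:13 192.0.2.44 10.0.1.20 139 DENY
2001-03-12T09:00:14 192.0.2.44 10.0.1.20 443 ALLOW
2001-03-12T09:00:15 192.0.2.44 10.0.1.20 3389 DENY
"""

def parse_log(text):
    """Yield (timestamp, src, dst, port, action); skip malformed lines."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        ts, src, dst, port, action = parts
        yield datetime.fromisoformat(ts), src, dst, int(port), action

def find_probes(text, window=timedelta(seconds=30), max_ports=5):
    """Return {src: sorted ports} for sources touching more than max_ports
    distinct ports on one host within one sliding window; raising max_ports
    or lengthening window tunes down alerts from legitimately chatty hosts."""
    events = defaultdict(list)  # (src, dst) -> [(ts, port), ...]
    for ts, src, dst, port, _ in parse_log(text):
        events[(src, dst)].append((ts, port))
    probes = {}
    for (src, dst), hits in sorted(events.items()):
        hits.sort()
        for i, (start, _) in enumerate(hits):
            ports = {p for t, p in hits[i:] if t - start <= window}
            if len(ports) > max_ports:
                probes[src] = sorted(ports)
                break
    return probes

if __name__ == "__main__":
    for src, ports in find_probes(SAMPLE_LOG).items():
        print(f"probable probe from {src}: ports {ports}")
```

Run daily against the previous day's log, the report lists each source whose port-touching pattern exceeds what the baseline period established as normal for that host.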
In addition to network sniffers and log analysis products, a variety of other tools and services are available to protect IT assets without restricting their availability to those who need them. IDS software such as Lancope's StealthWatch appliance can be programmed to look for a limited range of anomalous behaviours to identify attacks. However, IT managers should understand that security software can also be used by hackers to cause harm.
Many of these security tools are designed to probe for weaknesses, and in the process they may cause other problems, such as blocking access to required ports on a Web server or causing applications to break. Therefore, these tools should not be used on a production network during business hours. A good solution is for administrators to set up a lab that mimics the company's IT environment. There, they can practise using IDS tools and fine-tune the system so that it sends as few false-positive alerts as possible: security staff are likely to turn off or ignore an IDS that they think is crying wolf.
Outsourced security
Regardless of how fast and thorough IDS software may be, it can still find only the attacks it has been programmed to look for. As a result, these tools can reduce the pest factor (the unimaginative hackers who use existing code to initiate attacks) but often miss new types of incursion based on innovative techniques.
Intrusion detection, and security in general, should be reviewed and possibly revised every day. Ideally, IT managers should come back to the IDS system for a few minutes every morning and ask themselves whether the hardware and software they are deploying is adequately equipped to cope with the latest types of attack reported in the news.
The natural inclination is to manage security from within the company. There are many reasons for this, not the least of which is that effective security requires an intimate, day-to-day knowledge of the equipment, data and business operations of the firm. Even so, outside expertise can be a benefit in the installation and maintenance of detection systems. A good security auditing firm will be familiar with the case histories of successful attacks, and should have an inspection regimen that quickly reveals any weaknesses in a corporate network. This is key to detecting problems.
Security service firms that go beyond the assessment process to offer monitoring capabilities may be able to observe patterns of attack across a large number of customers. This means they are likely to see new problems more quickly and formulate timely recommendations to prevent new types of threat.
A variety of assessment, monitoring and response services are available from vendors such as Counterpane Internet Security and Digital Defense. When evaluating service providers, IT managers should look for companies that have experience of their particular industry. A hospital, for example, is unlikely to get the best advice from a service provider with no experience in securing medical institutions and patient information.
Security-monitoring companies can also afford to train staff members specifically in the recognition of the latest threats and attacks. This expertise may be very useful, and the cost of such training may be hard to justify in-house, where it would only be used to protect a single firm.
The drawbacks of outsourced security are exposure and dependency. Effective security means knowing the IT system, and outsourcing security means transferring that knowledge to an outside firm. Companies that outsource detection and response authority should bear in mind that providing another organisation with enough information to secure their network is a security risk in itself.