The following sections describe these phases for both attempted and successful break-ins.
In all phases, train personnel to retain information and data as evidence, should there be a need to apprehend and prosecute the perpetrator.
Unsuccessful Intrusion Attempts
Unsuccessful intrusion attempts include situations where someone has attempted to guess passwords or browse through files.
Detecting Intrusion Attempts
You usually detect intrusion attempts through the following sources:
Identifying the Perpetrator
Enabling file auditing simplifies identification of file browsers. If, however, browsing is being initiated from another node in the network, you must inspect the network server log file (NETSERVER.LOG) that corresponds to the times of the protection violations. Coordinate your investigation with the security administrator at the remote node.
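The time correlation described above, matching protection-violation alarms against the entries in the network server log, as an added example that is not part of the manual. The record layouts, timestamps, node names and usernames are constructed for the example and are not the real audit or NETSERVER.LOG formats.

```python
import re
from datetime import datetime, timedelta

# Constructed sample records. Their layout is an assumption made for this
# example; it is not the real OpenVMS security-audit or NETSERVER.LOG format.
AUDIT_EVENTS = """\
1995-03-02 14:02:11 PROTECTION VIOLATION user=FIELD file=SYS$SYSTEM:SYSUAF.DAT
1995-03-02 14:02:40 PROTECTION VIOLATION user=FIELD file=SYS$SYSTEM:RIGHTSLIST.DAT
1995-03-02 16:30:05 PROTECTION VIOLATION user=SMITH file=DISK$USER:[PAYROLL]SALARY.DAT
"""
NETSERVER_LOG = """\
1995-03-02 14:01:58 Connect request from node ORION:: object FAL user FIELD
1995-03-02 14:03:10 Connection closed, node ORION::
1995-03-02 15:10:22 Connect request from node VEGA:: object MAIL user JONES
"""

TS = "%Y-%m-%d %H:%M:%S"
AUDIT_RE = re.compile(r"^(\S+ \S+) PROTECTION VIOLATION user=(\S+) file=(\S+)")
NET_RE = re.compile(r"^(\S+ \S+) Connect request from node (\S+) object (\S+) user (\S+)")

def parse_violations(text):
    """Protection-violation alarms as dicts with a parsed timestamp."""
    return [{"time": datetime.strptime(m[1], TS), "user": m[2], "file": m[3]}
            for m in map(AUDIT_RE.match, text.splitlines()) if m]

def parse_connections(text):
    """Inbound network connection requests taken from the server log."""
    return [{"time": datetime.strptime(m[1], TS), "node": m[2],
             "object": m[3], "user": m[4]}
            for m in map(NET_RE.match, text.splitlines()) if m]

def correlate(violations, connections, window_seconds=120):
    """Pair each violation with connections opened shortly before it.
    An empty match list means no remote session was started inside the
    window, so the browsing was probably done from a local terminal."""
    window = timedelta(seconds=window_seconds)
    return [(v, [c for c in connections
                 if timedelta(0) <= v["time"] - c["time"] <= window])
            for v in violations]

def suspect_nodes(results):
    """Remote nodes whose security administrator should be contacted,
    grouped by the username recorded in the violation."""
    nodes = {}
    for v, matches in results:
        for c in matches:
            nodes.setdefault(v["user"], set()).add(c["node"])
    return nodes

if __name__ == "__main__":
    hits = correlate(parse_violations(AUDIT_EVENTS), parse_connections(NETSERVER_LOG))
    for v, matches in hits:
        print(v["time"], v["user"], v["file"], "<-", [c["node"] for c in matches] or "local?")
    print(suspect_nodes(hits))
```

Tune the window to how long a remote file-access session typically stays open on your system; a window that is too narrow misses the connection that preceded the violation.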
Identifying a perpetrator who is guessing passwords is considerably more difficult, especially when the source is anonymous, as from a dialup line. Usually, you must trade identification for prevention. Often the only way to positively identify an outsider attempting to enter the system requires that you permit further attempts while establishing the perpetrator's identity.
Preventing Intrusion Attempts
The prevention phase for this kind of attack involves preventing the would-be intruder from actually gaining access to the system and making future attempts more difficult.
To reduce the opportunities for successful password guessing:
To reduce the opportunities for successful file browsing:
Successful Intrusions
A successful security breach can include a successful password guessing scheme, theft or modification of either information or system resources, and placement of damaging software on the system. An intrusion may require a considerable amount of time to repair, depending upon the skill and intent of the perpetrator.
Identifying the Successful Perpetrator
Identification is often the most difficult part of handling an intrusion. First, you must establish whether the perpetrator is an authorized user or not. This determines the nature of the preventive measures that you will take. However, the distinction between insiders and outsiders may be difficult to achieve.
Tradeoff Between Identification and Prevention
You may have to make a tradeoff between a positive identification of the intruder and preventing future attacks. Often, the data available initially does not allow complete identification. If it is important to identify the perpetrator, you will often find it necessary to permit continued intrusions while you analyze the intrusion activity. Increase your auditing. Consider planting traps in system procedures that are under your control (such as SYLOGIN.COM) to obtain additional information. Increase your system backup efforts to permit easier recovery if files become damaged.
Identifying external intruders is particularly difficult, especially if they use any switched forms of communication (such as dialup lines or public data networks). DECnet for OpenVMS software provides many features to help you trace the activity through the network back to the source node. If a local terminal is involved, physical surveillance may be appropriate.
When a switched connection is involved, one of the major computer security problems is the telephone system itself. Tracing a telephone or public data network connection is time-consuming. Chasing an intruder through the telephone system is likely to take months and will require the assistance of law enforcement authorities. The existence of multiple long-distance telephone services compounds the problem by increasing the number of organizations with whom you must deal.
As a result, identifying an outside intruder is usually worthwhile only when you have sustained substantial financial damage. In many cases, it may be more useful if you concentrate on preventing recurrences of the problem.
Securing the System
The actions you must take to secure your system after an intrusion depend on the nature and source of that intrusion. This section describes these actions in order of priority.
Repair After a Successful Intrusion
After an intrusion, restore corrupted files. Decide whether it is appropriate either to do a wholesale restoration of your system's data or to repair problems as they are discovered. Look for modifications to file protection that would have created paths for viruses and for Trojan horses that were introduced into the system and may still reside there.