HP OpenVMS Guide to System Security, chapter System Security Breaches

Handling a Security Breach



There are four phases that security administrators experience while handling a security breach, whether the breach actually occurred or was attempted:
  1. Detection of a problem
  2. Identification of the perpetrator
  3. Prevention of further security violations
  4. Repair of damage

The following sections describe these phases for both attempted and successful break-ins.

In all phases, train personnel to retain information and data as evidence, should there be a need to apprehend and prosecute the perpetrator.

Unsuccessful Intrusion Attempts

Unsuccessful intrusion attempts include situations where someone has attempted to guess passwords or browse through files.

Detecting Intrusion Attempts

You usually detect intrusion attempts through the following sources:

Identifying the Perpetrator

Enabling file auditing simplifies identification of file browsers. If, however, browsing is being initiated from another node in the network, you must inspect the network server log file (NETSERVER.LOG) that corresponds to the times of the protection violations. Coordinate your investigation with the security administrator at the remote node.

Identifying a perpetrator who is guessing passwords is considerably more difficult, especially when the source is anonymous, as from a dialup line. Usually, you must trade identification for prevention. Often the only way to positively identify an outsider attempting to enter the system is to permit further attempts while you establish the perpetrator's identity.
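The two identification tasks above (file browsing on the local node, and password guessing) can both be worked from the system's own records. The DCL commands below are an added example, not part of the HP guide; DISK$DATA:[PAYROLL] is an assumed placeholder for the files being browsed.

```dcl
$! Added example (not from the HP guide): identify a local file browser
$! through the security audit journal, then inspect what break-in
$! detection has recorded about password-guessing sources.
$! Placeholder: DISK$DATA:[PAYROLL] stands for the files being browsed.
$ SET NOON
$!
$! Journal failed file accesses system-wide and honour auditing ACEs, so
$! browsing attempts are written to SYS$MANAGER:SECURITY.AUDIT$JOURNAL.
$ SET AUDIT/AUDIT/ENABLE=ACCESS=(FAILURE:ALL)/CLASS=FILE
$ SET AUDIT/AUDIT/ENABLE=ACL
$!
$! Add an auditing ACE to the sensitive files: both successful and failed
$! reads are journalled, showing who looked as well as who was refused.
$ SET SECURITY/ACL=(AUDIT=SECURITY,ACCESS=READ+SUCCESS+FAILURE) -
        DISK$DATA:[PAYROLL]*.*;*
$!
$! Extract today's object-access events in full detail (user, terminal,
$! remote node, object name) into a file kept as evidence.
$ ANALYZE/AUDIT/EVENT_TYPE=ACCESS/SINCE=TODAY/FULL -
        /OUTPUT=BROWSE_EVENTS.LIS SYS$MANAGER:SECURITY.AUDIT$JOURNAL
$!
$! For password guessing: list the suspects and intruders that break-in
$! detection has recorded, together with the source of each attempt.
$ SHOW INTRUSION
$!
$! Display the break-in detection thresholds so the attempt counts shown
$! by SHOW INTRUSION can be interpreted against the current settings.
$ RUN SYS$SYSTEM:SYSGEN
SHOW LGI_BRK_LIM
SHOW LGI_BRK_TMO
SHOW LGI_HID_TIM
EXIT
$ EXIT
```

Run the procedure from a privileged account; the ACCESS audits and the ACE can be removed with SET AUDIT/DISABLE and SET SECURITY/ACL=...(/DELETE) once the investigation is complete.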

Preventing Intrusion Attempts

The prevention phase for this kind of attack involves preventing the would-be intruder from actually gaining access to the system and making future attempts more difficult.

Password Guessing

To reduce the opportunities for successful password guessing:

File Browsing

To reduce the opportunities for successful file browsing:

Successful Intrusions  

A successful security breach can include a successful password guessing scheme, theft or modification of either information or system resources, and placement of damaging software on the system. An intrusion may require a considerable amount of time to repair, depending upon the skill and intent of the perpetrator.

Identifying the Successful Perpetrator  

Identification is often the most difficult part of handling an intrusion. First, you must establish whether the perpetrator is an authorized user or not. This determines the nature of the preventive measures that you will take. However, the distinction between insiders and outsiders may be difficult to make.

Tradeoff Between Identification and Prevention

You may have to make a tradeoff between a positive identification of the intruder and preventing future attacks. Often, the data available initially does not allow complete identification. If it is important to identify the perpetrator, you will often find it necessary to permit continued intrusions while you analyze the intrusion activity. Increase your auditing. Consider planting traps in system procedures that are under your control (such as SYLOGIN.COM) to obtain additional information. Increase your system backup efforts to permit easier recovery if files become damaged.

Identification of Outsiders

Identifying external intruders is particularly difficult, especially if they use any switched forms of communication (such as dialup lines or public data networks). DECnet for OpenVMS software provides many features to help you trace the activity through the network back to the source node. If a local terminal is involved, physical surveillance may be appropriate.

When a switched connection is involved, one of the major computer security problems is the telephone system itself. Tracing a telephone or public data network connection is time-consuming. Chasing an intruder through the telephone system is likely to take months and will require the assistance of law enforcement authorities. The existence of multiple long-distance telephone services compounds the problem by increasing the number of organizations with whom you must deal.

As a result, identifying an outside intruder is usually worthwhile only when you have sustained substantial financial damage. In many cases, it may be more useful to concentrate on preventing recurrences of the problem.

Securing the System

The actions you must take to secure your system after an intrusion depend on the nature and source of that intrusion. This section describes these actions in order of priority.

  1. Restore SYSUAF.DAT, NETPROXY.DAT, NET$PROXY.DAT and RIGHTSLIST.DAT (if damaged) from backups. Alternatively, generate listings of the files and inspect them closely, looking for improper entries, additional privileges, and changed UICs. If you are unsure of when SYSUAF.DAT might first have been modified, inspect it carefully regardless of whether you are using a backup copy or proceeding with the existing one. Be sure all authorization files are secure.
  2. The perpetrator may have discovered passwords by browsing either through files or from other nodes in the network and may be using seldom accessed accounts for personal use. Change passwords for accounts, and have your users appear in person to learn their new passwords. At a minimum, change passwords on all privileged accounts. Do not use the same new password for all accounts.
  3. A sophisticated penetrator may have planted ways to provide future access to the system even though you have taken the obvious steps of securing your system. Therefore, you may have to restore selected components of the OpenVMS software from backups or from your OpenVMS distribution kit. If the intruder was an outsider, the two critical components are LOGINOUT.EXE and NETACP.EXE, which validate all entries to the system.

    However, if the intruder was an authorized user, restore all system files from backup copies. Authorized users can make use of a wide variety of illicit software patches (called trapdoors) that they insert in the executive (SYS.EXE), the file system (F11BXQP.EXE), DCL, and other system files. The penetrator may have planted damaging software in any piece of software or command procedure likely to be used by a privileged user. Thus, complete assurance of a secure system requires a wholesale restoration of files from backups. Also reinstall any image (even from layered products) installed with privileges, because it can also be used for a trapdoor. An alternate strategy is to restore trustworthy copies of the obvious targets of attack and to rely on increased auditing for a period of time to catch suspicious events.
  4. Consider implementing additional security features, such as system passwords, password generation, increased auditing, and more stringent file protection to prevent a recurrence.
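The inspection parts of the procedure above (steps 1, 3 and 4) lend themselves to a command procedure. The one below is an added example, not code from the HP guide; it assumes baseline listings made before the intrusion exist in DISK$SAFE:[BASELINE] and that a trusted distribution kit is mounted as DKIT: with its images in [SYSEXE], both placeholders.

```dcl
$! Added example (not from the HP guide): post-intrusion inspection.
$! Placeholders: DISK$SAFE:[BASELINE] holds pre-intrusion listings,
$! DKIT:[SYSEXE] holds trusted copies of the system images.
$ SET NOON
$!
$! Step 1: list the authorization files and diff them against the
$! baseline. AUTHORIZE writes SYSUAF.LIS, NETPROXY.LIS and RIGHTSLIST.LIS
$! in the current directory; look for new accounts, privileges and UICs.
$ RUN SYS$SYSTEM:AUTHORIZE
LIST/FULL *
LIST/PROXY
LIST/RIGHTS
EXIT
$ DIFFERENCES/OUTPUT=SYSUAF_DELTA.LIS SYSUAF.LIS DISK$SAFE:[BASELINE]SYSUAF.LIS
$ DIFFERENCES/OUTPUT=PROXY_DELTA.LIS NETPROXY.LIS DISK$SAFE:[BASELINE]NETPROXY.LIS
$ DIFFERENCES/OUTPUT=RIGHTS_DELTA.LIS RIGHTSLIST.LIS DISK$SAFE:[BASELINE]RIGHTSLIST.LIS
$!
$! Step 3: compare the checksums of the two entry-validating images with
$! the kit copies. Add /ALGORITHM=MD5 to CHECKSUM where the command
$! supports it; the default algorithm is only a simple file checksum.
$ IMAGES = "LOGINOUT.EXE,NETACP.EXE"
$ I = 0
$ NEXT_IMAGE:
$   IMAGE = F$ELEMENT(I, ",", IMAGES)
$   IF IMAGE .EQS. "," THEN GOTO IMAGES_DONE
$   CHECKSUM SYS$SYSTEM:'IMAGE'
$   LIVE_SUM = CHECKSUM$CHECKSUM
$   CHECKSUM DKIT:[SYSEXE]'IMAGE'
$   IF LIVE_SUM .NES. CHECKSUM$CHECKSUM THEN -
        WRITE SYS$OUTPUT "*** ", IMAGE, " differs from the kit copy: restore it"
$   I = I + 1
$   GOTO NEXT_IMAGE
$ IMAGES_DONE:
$!
$! Step 3 (continued): every image installed with privileges is a possible
$! trapdoor; list them and diff against the baseline installed-image list.
$ DEFINE/USER_MODE SYS$OUTPUT INSTALLED.LIS
$ INSTALL LIST/FULL
$ DIFFERENCES/OUTPUT=INSTALL_DELTA.LIS INSTALLED.LIS DISK$SAFE:[BASELINE]INSTALLED.LIS
$!
$! Step 4: increase auditing for the watch period that follows.
$ SET AUDIT/AUDIT/ENABLE=(BREAKIN:ALL,LOGFAILURE:ALL,AUTHORIZATION,INSTALL:ALL)
$ SET AUDIT/ALARM/ENABLE=(BREAKIN:ALL,AUTHORIZATION)
$ EXIT
```

Review the three *_DELTA.LIS files by hand; DIFFERENCES only reports what changed, and deciding whether a change is legitimate is the administrator's job.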

Repair After a Successful Intrusion  

After an intrusion, restore corrupted files. Decide whether it is appropriate either to do a wholesale restoration of your system's data or to repair problems as they are discovered. Look for modifications to file protection that would have created paths for viruses and for Trojan horses that were introduced into the system and may still reside there.

