Two weeks ago, I essentially claimed that nearly every company I know is hacked -- and in many cases, thoroughly hacked. Although there's a bit of hyperbole in that statement, it isn't that far from reality. That statement, however, has led some readers to believe detecting hackers and preventing attacks is impossible. Nothing could be further from the truth.
Discovering malicious hackers
Despite what the movies show, hackers are never good enough to go unnoticed. Even the professional hackers who are making millions of dollars really don't do much to stay hidden. They don't need to: Most admins aren't looking.
The Verizon 2008 Data Breach Investigations Report [PDF], which is quickly becoming one of the most respected sources on computer crime statistics, said it best: "Evidence of events leading up to 82 percent of data breaches was available to the organization prior to actual compromise. Regardless of the particular type of event monitoring in use, the result was the same: Information regarding the attack was neither noticed nor acted upon."
Your No. 1 tool for detecting malicious activities is your log files. Most admins don't turn them on, and those who do usually don't monitor them. Additionally, many companies only turn on logging on their servers, even though most of the malicious break-ins occur on their users' workstations.
Every company should put in place an enterprise-wide log management plan, a topic I covered the basics of last year. In a very small nutshell, you need to collect all your log events in a central location and generate alerts on abnormal events that dictate a reaction. Don't be that company with an enabled event logging management system that sends dozens to hundreds of "alerts" a day, a figure that guarantees that none will be acted upon. A well-designed events-management system only requests action for the stuff that deserves to be investigated. (On a related note, I'm just finishing up a review of event log management systems that should be published on InfoWorld soon.)
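As an added illustration of the "few, actionable alerts" idea (example code written for this column, not the author's or any vendor's product), the script below takes centrally collected events from both servers and workstations and raises one alert per host and rule only for patterns worth a human's time, collapsing repeats instead of paging on every event. The log lines, host names and user names are constructed; the Windows event IDs (4625 failed logon, 4624 successful logon, 4720 account created) are real.

```python
from collections import defaultdict

# Constructed sample feed from a central collector: host,host_type,event_id,user
SAMPLE_LOG = """\
ws-101,workstation,4625,alice
ws-101,workstation,4625,alice
ws-101,workstation,4625,alice
ws-101,workstation,4624,alice
srv-db1,server,4625,svc_backup
ws-203,workstation,4720,bob
ws-203,workstation,4720,bob
srv-web2,server,4624,deploy
"""

FAIL_LOGON, OK_LOGON, USER_CREATED = "4625", "4624", "4720"


def parse_events(text):
    """Turn collector lines into dicts; blank or malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        parts = line.strip().split(",")
        if len(parts) != 4:
            continue
        host, kind, eid, user = parts
        events.append({"host": host, "kind": kind, "id": eid, "user": user})
    return events


def triage(events, fail_threshold=3):
    """Return {(host, rule): details}: one alert per host and rule, never per event."""
    alerts = {}
    fails = defaultdict(int)  # (host, user) -> consecutive failed logons
    for ev in events:
        key = (ev["host"], ev["user"])
        if ev["id"] == FAIL_LOGON:
            fails[key] += 1
        elif ev["id"] == OK_LOGON:
            # A burst of failures followed by success is worth a look; a lone
            # failure (srv-db1 below) is noise and never reaches a person.
            if fails[key] >= fail_threshold:
                alerts.setdefault((ev["host"], "password_guess_then_success"),
                                  {"user": ev["user"], "failures": fails[key]})
            fails[key] = 0
        elif ev["id"] == USER_CREATED and ev["kind"] == "workstation":
            # New local accounts on workstations are rare enough to always review.
            a = alerts.setdefault((ev["host"], "local_account_created"),
                                  {"user": ev["user"], "count": 0})
            a["count"] += 1
    return alerts
```

Running `triage(parse_events(SAMPLE_LOG))` reduces eight raw events to two alerts, one per affected workstation.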
Another effective way to detect hackers is to scan for common hacking tools: password crackers, man-in-the-middle tools, sniffers, and so on. Most anti-malware scanners will detect commonly used hacker tools. Not every hacker uses the same tools, but most do.
I'm also a big believer in creating network traffic flow baselines. Most data should be going from servers to workstations and vice versa. Unexpected server-to-server traffic should be investigated, as should unexpected workstation-to-workstation traffic. Moreover, if you have a workstation hitting every server in your environment, investigate it. Many insider attacks have been interrupted because astute network flow analysts noticed very large amounts of data going to a single employee's machine.
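The flow-baseline checks described above, as an added example that is not part of the original column: given a host inventory and a batch of flow records, it flags server-to-server and workstation-to-workstation traffic, a workstation that reaches every server, and an unusually large volume of data landing on a single workstation. The inventory, flow records and the 1 GB threshold are constructed for the example.

```python
from collections import defaultdict

# Constructed inventory; a real baseline would come from the CMDB or DHCP/AD.
SERVERS = {"srv-db1", "srv-web2", "srv-file3"}
WORKSTATIONS = {"ws-101", "ws-203", "ws-305"}

# Constructed flow records: (source host, destination host, bytes transferred)
SAMPLE_FLOWS = [
    ("ws-101", "srv-web2", 120_000),           # normal workstation -> server
    ("srv-web2", "ws-101", 2_400_000),         # normal server -> workstation
    ("srv-db1", "srv-file3", 900_000),         # unexpected server-to-server
    ("ws-203", "ws-305", 50_000),              # unexpected workstation-to-workstation
    ("ws-305", "srv-db1", 10_000),
    ("ws-305", "srv-web2", 10_000),
    ("ws-305", "srv-file3", 10_000),           # ws-305 has now touched every server
    ("srv-file3", "ws-305", 5_000_000_000),    # 5 GB landing on one workstation
]


def role(host):
    """Classify a host from the inventory; anything unknown is reported as such."""
    if host in SERVERS:
        return "server"
    if host in WORKSTATIONS:
        return "workstation"
    return "unknown"


def flow_findings(flows, large_bytes=1_000_000_000):
    """Return (finding, host, detail) tuples for flows that break the baseline."""
    findings = []
    servers_hit = defaultdict(set)   # workstation -> servers it has contacted
    inbound = defaultdict(int)       # workstation -> total bytes received
    for src, dst, nbytes in flows:
        pair = (role(src), role(dst))
        if pair == ("server", "server"):
            findings.append(("server_to_server", src, dst))
        elif pair == ("workstation", "workstation"):
            findings.append(("workstation_to_workstation", src, dst))
        elif pair == ("workstation", "server"):
            servers_hit[src].add(dst)
        if role(dst) == "workstation":
            inbound[dst] += nbytes
    for ws, hit in servers_hit.items():
        if hit >= SERVERS:               # contacted every server in the inventory
            findings.append(("workstation_hits_all_servers", ws, len(hit)))
    for ws, total in inbound.items():
        if total >= large_bytes:
            findings.append(("large_volume_to_workstation", ws, total))
    return findings
```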