ICSA, Inc.
For more information, call 888-396-8348 21
An Introduction to Intrusion Detection and Assessment
We use a vulnerability assessment product combined with a network management product to help uncover information about user rights, permissions, account access, account restrictions, and users that have easily guessed passwords.
One eye-opening experience we had at a customer site was a case where someone with user privileges granted themselves administrator rights. When we ran a user access report we found a user who had used a hack to make himself an administrator. To make matters worse, the account was active, and it belonged to a former employee who had been gone for two months.
It would have taken us forever to find this situation because it is extremely time-consuming to manually check each and every user account for security violations. But it is much easier with a vulnerability assessment product, where information across an entire enterprise can be consolidated into one single report.
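The consolidated user-access report described above, reduced to its checks, as an added example (not code from the ICSA paper or from any vendor's product). It joins a constructed export of domain accounts against a constructed HR roster and an assumed approved-administrator list, and reports exactly the three conditions the passage mentions: administrator rights nobody approved, enabled accounts belonging to people who have left, and passwords that can be guessed from a short wordlist or the username. The unsalted SHA-256 password storage is an assumption made so the guess check can be shown offline.

```python
"""Consolidated user-access report of the kind the passage above describes.

Added example, not code from the ICSA paper or from any vendor's product.
The account export, HR roster, approved-administrator list and password
hashes are all constructed for illustration.
"""
import hashlib
from datetime import date


def pwhash(password: str) -> str:
    # Assumed storage format: unsalted SHA-256 of the password, so that a
    # guess can be checked by hashing it and comparing.
    return hashlib.sha256(password.encode()).hexdigest()


# Constructed export of domain accounts: name, group memberships, enabled flag, hash
ACCOUNTS = [
    {"name": "jdoe",   "groups": {"Users"},                   "enabled": True,  "hash": pwhash("Summer98!")},
    {"name": "mchen",  "groups": {"Users", "Administrators"}, "enabled": True,  "hash": pwhash("mchen123")},
    {"name": "rpatel", "groups": {"Users", "Administrators"}, "enabled": True,  "hash": pwhash("password")},
    {"name": "admin",  "groups": {"Administrators"},          "enabled": True,  "hash": pwhash("Tr0ub4dor&3")},
    {"name": "lkim",   "groups": {"Users"},                   "enabled": False, "hash": pwhash("welcome")},
]

# Constructed HR roster: termination date, or None for a current employee
HR_ROSTER = {
    "jdoe": None,
    "mchen": None,
    "rpatel": date(1998, 10, 1),   # left about two months before the report date
    "lkim": date(1998, 9, 15),
}

# Accounts the security team has approved for administrator rights (assumed list)
APPROVED_ADMINS = {"admin", "mchen"}

# Small constructed wordlist for the easily-guessed-password check
COMMON_GUESSES = ["password", "welcome", "letmein", "12345678"]


def unapproved_admins(accounts, approved):
    """Administrators group members who are not on the approved list."""
    return [a["name"] for a in accounts
            if "Administrators" in a["groups"] and a["name"] not in approved]


def stale_enabled_accounts(accounts, roster, today):
    """Enabled accounts whose owner has left, with days since termination."""
    out = []
    for a in accounts:
        left = roster.get(a["name"])
        if a["enabled"] and left is not None:
            out.append((a["name"], (today - left).days))
    return out


def guessable_passwords(accounts, guesses):
    """Accounts whose password is in the wordlist or derived from the username."""
    out = []
    for a in accounts:
        for guess in guesses + [a["name"], a["name"] + "123"]:
            if pwhash(guess) == a["hash"]:
                out.append((a["name"], guess))
                break
    return out


def access_report(accounts=ACCOUNTS, roster=HR_ROSTER, approved=APPROVED_ADMINS,
                  guesses=COMMON_GUESSES, today=date(1998, 12, 7)):
    """One consolidated report instead of a manual check of every account."""
    return {
        "unapproved_admins": unapproved_admins(accounts, approved),
        "stale_enabled_accounts": stale_enabled_accounts(accounts, roster, today),
        "guessable_passwords": guessable_passwords(accounts, guesses),
    }


if __name__ == "__main__":
    for finding, items in access_report().items():
        print(f"{finding}: {items}")
```

The account that reproduces the anecdote is rpatel: in the Administrators group without approval, still enabled 67 days after the HR termination date, and protected by the password "password". In practice the password check would run against the platform's own salted hash format rather than this assumed SHA-256, and the HR join is the part most worth automating, since a departed user's account is invisible to a per-account manual review that does not consult HR.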
Case 3: Host-based Intrusion Detection
In December of 1998 a medium-size California bank decided that it needed better control of its internal security. It needed both consistency in its security configurations and monitoring for suspicious behavior by authorized users inside the system. The bank selected a host-based intrusion detection tool that also provided host-based assessment.
The agents were deployed to 10 servers and a handful of workstations. After installation, an audit policy was deployed that reduced the volume of data collected to a manageable level, and a detection policy was established that matched the objective of monitoring for anomalous behavior. The security officer then used the assessment capabilities to bring all the servers up to a consistent security configuration that the security officer considered acceptable.
Within 24 hours of beginning monitoring, the security officer observed irregular use of two administrative accounts: they were being used to read mail and edit documents during regular working hours. The security policy specified that administrative accounts were to be used only for tasks requiring administrative privilege, not for daily activities such as reading mail. The employees who were using their admin accounts this way were reprimanded and the activity stopped.
Within 48 hours of monitoring, the security officer observed an unauthorized account using the backup software. The immediate security risk was that the backup software had the privilege to read every file on the system, bypassing all access control, so anyone who compromised the account it ran under would inherit that privilege. The security officer called the account owner and quickly determined that the backup software had been installed under the wrong account, leaving this powerful software vulnerable to compromise. The software was reinstalled under a better-protected account.
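A detection policy of the kind the bank's security officer ran, as an added example that is not code from the ICSA paper or from the vendor's product. It walks a constructed host audit log and raises the findings this case describes: administrative accounts used for daily work, a privileged program executed by an account other than its designated one, and the fixed-time night logins, with the three-day lookback over what those accounts did, that the case goes on to describe. Account names, program names, the "admin_" naming convention for administrative accounts, the list of administrative tools, and the off-hours window are all assumptions.

```python
"""Host-based detection rules modelled on the bank's findings.

Added example, not code from the ICSA paper or from the product the bank used.
Audit records, account names, program names and policy constants are
constructed for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta

ADMIN_PREFIX = "admin_"                                      # assumed naming convention
ADMIN_TOOLS = {"usrmgr.exe", "regedt32.exe", "srvmgr.exe"}   # assumed admin-only programs
PRIVILEGED_PROGRAMS = {"backup.exe": "svc_backup"}           # program -> its designated account
OFF_HOURS = (0, 5)                                           # local hours treated as unattended
MIN_REPEATS = 3                                              # consecutive days before "scheduled"

# Constructed audit records: (timestamp, account, event, detail)
AUDIT_LOG = [
    # administrative accounts doing ordinary desk work
    ("1998-12-07 09:12", "admin_jsmith", "exec", "mail.exe"),
    ("1998-12-07 10:40", "admin_jsmith", "exec", "winword.exe"),
    ("1998-12-07 11:05", "admin_rlee",   "exec", "mail.exe"),
    ("1998-12-07 14:30", "admin_rlee",   "exec", "usrmgr.exe"),   # legitimate admin task
    ("1998-12-07 08:00", "pwilson",      "login", "console"),
    # backup software run from an ordinary user account, then from the right one
    ("1998-12-08 22:00", "pwilson",      "exec", "backup.exe"),
    ("1998-12-09 22:00", "svc_backup",   "exec", "backup.exe"),
    # three accounts logging in at fixed times night after night
    ("1998-12-03 01:30", "acct1", "login", "console"),
    ("1998-12-06 01:30", "acct1", "login", "console"),
    ("1998-12-07 01:30", "acct1", "login", "console"),
    ("1998-12-08 01:30", "acct1", "login", "console"),
    ("1998-12-08 01:31", "acct1", "exec", "batchjob.exe"),
    ("1998-12-06 02:30", "acct2", "login", "console"),
    ("1998-12-07 02:30", "acct2", "login", "console"),
    ("1998-12-08 02:30", "acct2", "login", "console"),
    ("1998-12-06 03:30", "acct3", "login", "console"),
    ("1998-12-07 03:30", "acct3", "login", "console"),
    ("1998-12-08 03:30", "acct3", "login", "console"),
    ("1998-12-07 02:15", "bperez", "login", "console"),          # one-off, not a schedule
]


def parse(record):
    ts, account, event, detail = record
    return datetime.strptime(ts, "%Y-%m-%d %H:%M"), account, event, detail


def in_off_hours(ts):
    return OFF_HOURS[0] <= ts.hour < OFF_HOURS[1]


def detect_admin_daily_use(log):
    """Administrative accounts running anything that is not an admin tool."""
    return [(account, detail, ts) for ts, account, event, detail in map(parse, log)
            if event == "exec" and account.startswith(ADMIN_PREFIX)
            and detail not in ADMIN_TOOLS]


def detect_privileged_program_misuse(log):
    """Privileged programs executed by an account other than their designated one."""
    return [(account, detail, ts) for ts, account, event, detail in map(parse, log)
            if event == "exec" and PRIVILEGED_PROGRAMS.get(detail) not in (None, account)]


def detect_scheduled_logins(log):
    """Accounts logging in at the same minute of day, inside OFF_HOURS, on
    MIN_REPEATS or more consecutive days: the signature of an automated job."""
    seen = defaultdict(set)   # (account, "HH:MM") -> dates on which it happened
    for ts, account, event, _ in map(parse, log):
        if event == "login" and in_off_hours(ts):
            seen[(account, ts.strftime("%H:%M"))].add(ts.date())
    alerts = []
    for (account, hhmm), dates in seen.items():
        days, run, best = sorted(dates), 1, 1
        for a, b in zip(days, days[1:]):
            run = run + 1 if b - a == timedelta(days=1) else 1
            best = max(best, run)
        if best >= MIN_REPEATS:
            alerts.append((account, hhmm, best))
    return sorted(alerts)


def lookback(log, accounts):
    """Forensic lookback: every recorded action by the flagged accounts in the
    off-hours window, raw records so they can be shown to the account owners."""
    return [rec for rec in log
            if rec[1] in accounts and in_off_hours(parse(rec)[0])]


if __name__ == "__main__":
    print("admin accounts used for daily work:", detect_admin_daily_use(AUDIT_LOG))
    print("privileged program misuse:", detect_privileged_program_misuse(AUDIT_LOG))
    scheduled = detect_scheduled_logins(AUDIT_LOG)
    print("scheduled off-hours logins:", scheduled)
    for rec in lookback(AUDIT_LOG, {a for a, _, _ in scheduled}):
        print("  ", rec)
```

Two of the three rules are pure policy checks and fire on a single record, which is why the first two findings surfaced within a day or two of switching monitoring on. The scheduled-login rule needs history: it has to see the same account at the same minute on consecutive nights before it says anything, and it is the lookback over the retained records, not the alert itself, that tells the officer what to ask the account owners about.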
Within 72 hours of monitoring, the security officer observed regular logins from a set of three accounts at 1:30 AM, 2:30 AM, and 3:30 AM. All the indications were that an automated program was using these three accounts to log in at the same times every day. Using the data forensics capabilities of the intrusion detection tool, the security officer looked back over the previous three days to determine what else these accounts had accessed and executed during those times. The next step was to talk to the account owners to determine whether they knew of programs under their control running at those times. Through a combination of analyzing the data and interviewing the end users, it was determined to be MAPI interactive