ICSA, Inc. For more information, call 888-396-8348

An Introduction to Intrusion Detection and Assessment

“We use a vulnerability assessment product combined with a network management product to help uncover information about user rights, permissions, account access, account restrictions, and users that have easily-guessed passwords.

“One eye-opening experience we found at a customer site was where someone with user privileges granted themselves administrator rights. When we ran a user access report we found a user who had used a hack to make himself an administrator. To make matters worse, the account was active, and it belonged to a former employee who had been gone for two months.

“It would have taken us forever to find this situation because it is extremely time consuming to manually check each and every user account for security violations. But it is much easier with a vulnerability assessment product where information across an entire enterprise can be consolidated into one single report.”

Case 3: Host-based Intrusion Detection

In December 1998 a medium-sized California bank decided that it needed better control of its internal security. It needed both consistency in its security configurations and monitoring for suspicious behavior by authorized users inside the system. It selected a host-based intrusion detection tool that also provided host-based assessment. The agents were deployed to 10 servers and a handful of workstations. After installation, an audit policy was deployed that reduced the amount of data collected to a reasonable level, and a detection policy was established that matched the objective of monitoring for anomalous behavior. The security officer then used the assessment capabilities to bring all the servers up to a consistent level of security configuration that the security officer found acceptable.
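What such a detection policy looks like in practice, as an added Python example (not code from the paper, nor from the product the bank used): three rules run over a handful of constructed audit records, covering the kinds of finding this case goes on to report, namely an administrative account used for routine work during working hours, the backup tool started by an account not authorized to run it, and an account that logs on at the same minute of the day on several consecutive days. The account names, program names, working-hours window, the consecutive-day threshold and the audit-record format are all assumptions made for the example.

```python
"""Toy host-based detection policy over constructed audit records.

Three rules mirror the kinds of findings in Case 3:
  1. an administrative account used for routine work (mail, editing);
  2. the backup tool run by an account not authorized to run it;
  3. an account that logs on at the same minute of the day on several
     consecutive days, which suggests an automated job rather than a person.
"""
from collections import defaultdict
from datetime import datetime

# Policy settings: assumptions for this example, not values from the paper.
ADMIN_ACCOUNTS = {"admin_jlee", "admin_rsmith"}
ROUTINE_PROGRAMS = {"mailclient.exe", "winword.exe"}
BACKUP_PROGRAMS = {"ntbackup.exe"}
BACKUP_ACCOUNTS = {"svc_backup"}
WORK_HOURS = range(8, 18)          # 08:00 to 17:59
MIN_REPEAT_DAYS = 3                # same-time logons on this many consecutive days

# Constructed audit records (made up for the example):
# "date time host account event object"
SAMPLE_AUDIT_LOG = """\
1998-12-14 09:12:00 fs1 admin_jlee process_start mailclient.exe
1998-12-14 10:40:00 fs1 admin_jlee process_start winword.exe
1998-12-14 22:05:00 fs2 jdoe process_start ntbackup.exe
1998-12-14 01:30:00 fs1 acct_a logon -
1998-12-15 01:30:00 fs1 acct_a logon -
1998-12-16 01:30:00 fs1 acct_a logon -
1998-12-14 02:30:00 fs1 acct_b logon -
1998-12-15 02:31:00 fs1 acct_b logon -
1998-12-14 11:00:00 fs1 svc_backup process_start ntbackup.exe
1998-12-14 14:00:00 fs1 jdoe process_start winword.exe
"""


def parse_audit_log(text):
    """Parse the whitespace-separated records into dicts; blank lines are skipped."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        date, time, host, account, event, obj = line.split()
        records.append({
            "ts": datetime.strptime(f"{date} {time}", "%Y-%m-%d %H:%M:%S"),
            "host": host, "account": account, "event": event, "object": obj,
        })
    return records


def admin_routine_use(records):
    """Rule 1: an admin account starting a routine program during working hours."""
    return [(r["account"], r["object"]) for r in records
            if r["event"] == "process_start"
            and r["account"] in ADMIN_ACCOUNTS
            and r["object"] in ROUTINE_PROGRAMS
            and r["ts"].hour in WORK_HOURS]


def unauthorised_backup_use(records):
    """Rule 2: the backup tool started by an account outside the allowed set."""
    return [(r["account"], r["object"]) for r in records
            if r["event"] == "process_start"
            and r["object"] in BACKUP_PROGRAMS
            and r["account"] not in BACKUP_ACCOUNTS]


def fixed_time_logons(records, min_days=MIN_REPEAT_DAYS):
    """Rule 3: one account logging on at the same HH:MM on min_days consecutive days."""
    days_by_key = defaultdict(set)
    for r in records:
        if r["event"] == "logon":
            days_by_key[(r["account"], r["ts"].strftime("%H:%M"))].add(r["ts"].date())
    hits = []
    for (account, hhmm), days in days_by_key.items():
        ordered = sorted(days)
        run = 1                                  # length of the current consecutive-day run
        for prev, cur in zip(ordered, ordered[1:]):
            run = run + 1 if (cur - prev).days == 1 else 1
            if run >= min_days:
                hits.append((account, hhmm))
                break
    return hits


def run_policy(text=SAMPLE_AUDIT_LOG):
    """Apply all three rules and return the matches per rule."""
    recs = parse_audit_log(text)
    return {
        "admin_routine_use": admin_routine_use(recs),
        "unauthorised_backup_use": unauthorised_backup_use(recs),
        "fixed_time_logons": fixed_time_logons(recs),
    }


if __name__ == "__main__":
    for rule, hits in run_policy().items():
        print(rule, hits)
```

Each rule returns its matches rather than printing them, so the result can go into a report or a ticket. The fixed-time rule keys on account plus HH:MM and demands consecutive days, so acct_b, whose two logons are a minute apart, is not reported; that threshold is the kind of knob a security officer tunes against the data-collection level set by the audit policy.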
Within 24 hours of beginning monitoring the security officer observed irregular usage of two administrative accounts. They were being used to read mail and edit documents during regular working hours. The security policy specified that administrative accounts were only to be used for tasks requiring administrative privilege and were not to be used for daily activities such as reading mail. The employees who were using their admin accounts were reprimanded and the activity stopped.

Within 48 hours of monitoring the security officer observed an unauthorized account using the backup software. The immediate security risk was that the backup software had the privilege to read every file on the system, bypassing all access control, so whoever controlled the account it ran under had that same access. The security officer called the account owner and quickly determined that the backup software had been installed under the wrong account, leaving this powerful software vulnerable to compromise. The software was re-installed under a better-protected account.

Within 72 hours of monitoring the security officer observed regular account logins from a set of three accounts at 1:30 AM, 2:30 AM, and 3:30 AM. All the indications were that this was an automated program using these three accounts to log in at the same times every day. Using the data forensics capabilities of the intrusion detection tool, the security officer looked back over the previous three days to determine what else these accounts had accessed and executed during those times. The next step was to talk to the account owners to determine whether they knew of programs under their control running at those times. Through a combination of analyzing the data and interviewing the end users it was determined to be MAPI interactive