A Checklist for Developing Defenses

Step: Use proactive patch management.

Description: Patch your systems proactively. This is probably the single most effective way to prevent the need for a forensic investigation. Don't let systems with known vulnerabilities stay vulnerable. See Chapter 12.

Step: Deactivate/uninstall nonessential services.

Description: A service that isn't running, or better still isn't installed, cannot be exploited. As a general rule, the fewer services you run, the smaller your attack surface, the more secure you are, and the less likely you are to need a forensic investigation.

Step: Perform vulnerability assessments.

Description: Periodically assess your systems, and the services they run, for vulnerabilities. Every vulnerability you find and patch yourself is one fewer avenue for an intrusion that might require forensic investigation.

Step: Implement a file integrity solution.

Description: A file integrity solution records cryptographic checksums of files while the system is in a known-good state, so that during an intrusion you can compare the current checksums against that baseline and determine exactly which files were modified, added or removed. Keep the baseline, and the tool that verifies it, somewhere the attacker cannot alter, such as read-only media or a separate host; a baseline stored on the compromised system can simply be rewritten to match the trojaned files. This greatly increases your likelihood of recovery and of a successful forensic investigation.
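The following Python script is an added example, not code from the book or from any product it names. It builds a SHA-256 baseline of a directory tree, protects the baseline with an HMAC so that an intruder who edits the baseline to match trojaned files is caught (a step the paragraph implies but does not spell out), and then reports what changed. The key, the file names and the simulated intrusion are constructed for the demonstration; a real deployment keeps the key and the signed baseline off the monitored host.

```python
"""Build a hashed file baseline, sign it, and diff it against the live system later.

Added example; the key, paths and the simulated intrusion are constructed here.
"""
import hashlib
import hmac
import json
import os
import tempfile

# Hypothetical key. Keep it (and the signed baseline) off the monitored host,
# e.g. on the analyst workstation or read-only media, never beside the files it covers.
BASELINE_KEY = b"example-key-replace-and-store-off-host"


def hash_file(path: str) -> str:
    """SHA-256 of a file, read in chunks so large binaries are not loaded into memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(root: str) -> dict:
    """Map each regular file under root (by relative path) to its SHA-256."""
    digests = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            digests[os.path.relpath(full, root)] = hash_file(full)
    return digests


def sign_baseline(digests: dict) -> bytes:
    """Serialize deterministically and append an HMAC over the serialized body."""
    body = json.dumps(digests, sort_keys=True).encode()
    tag = hmac.new(BASELINE_KEY, body, hashlib.sha256).hexdigest().encode()
    return body + b"\n" + tag


def load_baseline(blob: bytes) -> dict:
    """Verify the HMAC before trusting any digest in the baseline."""
    body, tag = blob.rsplit(b"\n", 1)
    expected = hmac.new(BASELINE_KEY, body, hashlib.sha256).hexdigest().encode()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("baseline HMAC mismatch: baseline altered or wrong key")
    return json.loads(body)


def compare(baseline: dict, current: dict) -> dict:
    """Classify every path as modified, added or removed relative to the baseline."""
    return {
        "modified": sorted(p for p in baseline if p in current and baseline[p] != current[p]),
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
    }


def demo() -> dict:
    """Constructed scenario: snapshot a small tree, then simulate an intruder's changes."""
    with tempfile.TemporaryDirectory() as root:
        originals = {"bin/ls": b"original ls", "bin/ps": b"original ps", "passwd": b"root:x:0:0"}
        for rel, data in originals.items():
            path = os.path.join(root, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "wb") as fh:
                fh.write(data)
        signed = sign_baseline(build_baseline(root))

        # The intruder trojans ls, removes ps and drops a hidden file.
        with open(os.path.join(root, "bin", "ls"), "wb") as fh:
            fh.write(b"trojaned ls")
        os.remove(os.path.join(root, "bin", "ps"))
        with open(os.path.join(root, "bin", ".rootkit"), "wb") as fh:
            fh.write(b"payload")

        report = compare(load_baseline(signed), build_baseline(root))

        # The intruder also tries to cover up by rewriting ls's digest in the baseline;
        # without the key the HMAC no longer matches and the baseline is rejected.
        old_ls = hashlib.sha256(b"original ls").hexdigest().encode()
        new_ls = hashlib.sha256(b"trojaned ls").hexdigest().encode()
        forged = signed.replace(old_ls, new_ls)
        try:
            load_baseline(forged)
            report["baseline_tamper_detected"] = False
        except ValueError:
            report["baseline_tamper_detected"] = True
    return report


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The comparison is only as trustworthy as the hashing tool and the baseline: run the check from known-good media, because a rootkit on the compromised host can feed a trojaned `sha256sum` or a modified kernel the original file contents while serving the trojaned version to everything else.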

Step: Perform active log monitoring.

Description: Monitor the output of the programs running on your system, and actively review what they write to their log files. Intrusion attempts are often logged as unusual behavior, something the program doesn't expect. Send the logs to a central location via syslog or another application, or e-mail the output to your administrators for review at least daily; an attacker who gains root can edit the local logs but not the copies already shipped elsewhere. Consider implementing a centralized log aggregation and correlation software package.
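As an added example of the kind of review the step above calls for (not code from the book), the following Python script reads syslog-style lines and flags three "unusual behaviors": a burst of failed SSH logins from one source, a successful login from a source that was just guessing passwords, and a network daemon segfaulting on an attacker-shaped address. The log lines, host names and IP addresses are constructed for the demonstration; the thresholds are illustrative.

```python
"""Review syslog-style lines for the unusual behavior an intruder leaves behind.

Added example. The log lines below are constructed, not taken from a real host.
"""
import re
from collections import defaultdict
from datetime import datetime

SAMPLE_LOG = """\
Mar 10 02:14:01 web1 sshd[2231]: Failed password for root from 203.0.113.7 port 51322 ssh2
Mar 10 02:14:03 web1 sshd[2231]: Failed password for root from 203.0.113.7 port 51330 ssh2
Mar 10 02:14:05 web1 sshd[2234]: Failed password for admin from 203.0.113.7 port 51340 ssh2
Mar 10 02:14:08 web1 sshd[2236]: Failed password for invalid user oracle from 203.0.113.7 port 51351 ssh2
Mar 10 02:14:11 web1 sshd[2238]: Failed password for invalid user test from 203.0.113.7 port 51360 ssh2
Mar 10 02:14:20 web1 sshd[2240]: Accepted password for admin from 203.0.113.7 port 51377 ssh2
Mar 10 02:15:02 web1 CRON[2250]: (root) CMD (run-parts /etc/cron.hourly)
Mar 10 02:16:40 web1 sshd[2260]: Accepted publickey for deploy from 198.51.100.20 port 40012 ssh2
Mar 10 02:17:09 web1 kernel: httpd[2300]: segfault at 41414141 ip 0000000041414141 sp 00007ffc9c2d3e60 error 14 in httpd
"""

TIMESTAMP = re.compile(r"^(\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) (\S+) (.*)$")
FAILED = re.compile(r"sshd\[\d+\]: Failed password for (?:invalid user )?(\S+) from (\S+) port")
ACCEPTED = re.compile(r"sshd\[\d+\]: Accepted (\w+) for (\S+) from (\S+) port")
SEGFAULT = re.compile(r"kernel: .*?(\w+)\[\d+\]: segfault at ([0-9a-f]+)")


def parse_line(line: str):
    """Split a syslog line into (timestamp, host, message); None if it does not match."""
    m = TIMESTAMP.match(line)
    if not m:
        return None
    # Classic syslog omits the year; that is fine for intra-day time windows.
    return datetime.strptime(m.group(1), "%b %d %H:%M:%S"), m.group(2), m.group(3)


def analyze(text: str, threshold: int = 4, window: int = 60) -> list:
    """Return alerts for password guessing, a success after guessing, and daemon crashes."""
    alerts = []
    failures = defaultdict(list)  # source IP -> times of failed logins inside the window
    reported = set()              # sources already reported for guessing
    for line in text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, host, msg = parsed
        if m := FAILED.search(msg):
            user, src = m.groups()
            # Keep only failures within the sliding window, then add this one.
            failures[src] = [t for t in failures[src] if (ts - t).total_seconds() <= window] + [ts]
            if len(failures[src]) >= threshold and src not in reported:
                reported.add(src)
                alerts.append({"rule": "password_guessing", "host": host, "src": src,
                               "count": len(failures[src]), "last_user": user})
        elif m := ACCEPTED.search(msg):
            method, user, src = m.groups()
            if failures[src]:
                alerts.append({"rule": "success_after_failures", "host": host, "src": src,
                               "user": user, "method": method})
        elif m := SEGFAULT.search(msg):
            # A network daemon crashing at an address like 0x41414141 is the
            # footprint of an exploit attempt, not of normal operation.
            alerts.append({"rule": "daemon_crash", "host": host,
                           "process": m.group(1), "fault_addr": m.group(2)})
    return alerts


if __name__ == "__main__":
    for alert in analyze(SAMPLE_LOG):
        print(alert)
```

Run against the sample, `analyze` raises the guessing alert on the fourth failure, the success alert when `admin` finally gets in from the same address, and the crash alert for `httpd`; the cron line and the key-based `deploy` login produce nothing. On a real host the same logic belongs on the central log collector, fed by syslog, so that an intruder who cleans the local log after gaining root cannot also remove the evidence.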

Step: Follow the forensic analysis process during investigations.

Description: Follow the forensic analysis process outlined in this chapter, which details techniques that ensure the integrity and flow of information. It is critical to document each action taken, the time it was taken, and its result, so that no critical information is lost during the recovery effort.
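The following Python class is an added example (not the book's process or any vendor's tool) of recording actions, times and results in a form that also protects their integrity: each entry commits to the previous one with a SHA-256 hash chain, so a later edit or deletion is detectable. The case number, examiner and actions are constructed.

```python
"""Hash-chained investigation log: who did what, when, and with what result.

Added example, not the book's procedure; the case details below are constructed.
"""
import hashlib
import json
from datetime import datetime, timezone


class InvestigationLog:
    """Append-only record in which every entry commits to the one before it."""

    GENESIS = "0" * 64

    def __init__(self, case_id: str, examiner: str):
        self.case_id = case_id
        self.examiner = examiner
        self.entries = []

    @staticmethod
    def _digest(entry: dict) -> str:
        body = {k: v for k, v in entry.items() if k != "hash"}
        return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

    def record(self, action: str, result: str, when: datetime = None) -> dict:
        """Append an action with its UTC timestamp and observed result."""
        when = when or datetime.now(timezone.utc)
        entry = {
            "seq": len(self.entries) + 1,
            "case": self.case_id,
            "time": when.isoformat(),
            "examiner": self.examiner,
            "action": action,
            "result": result,
            "prev": self.entries[-1]["hash"] if self.entries else self.GENESIS,
        }
        entry["hash"] = self._digest(entry)
        self.entries.append(entry)
        return entry

    def verify(self) -> int:
        """Return 0 if the chain is intact, otherwise the seq of the first bad entry."""
        prev = self.GENESIS
        for expected_seq, entry in enumerate(self.entries, start=1):
            if (entry["seq"] != expected_seq or entry["prev"] != prev
                    or entry["hash"] != self._digest(entry)):
                return expected_seq
            prev = entry["hash"]
        return 0


def demo() -> dict:
    """Constructed case: record acquisition steps, then show two kinds of tampering are caught."""
    t0 = datetime(2005, 3, 10, 2, 30, tzinfo=timezone.utc)
    log = InvestigationLog("CASE-0001", "jdoe")
    log.record("Photographed and labeled web1; disconnected network cable", "isolated", t0)
    log.record("Imaged /dev/sda with dd to evidence drive E1",
               "sha256 of image recorded on E1 label", t0.replace(minute=41))
    log.record("Verified image hash against original disk", "match", t0.replace(minute=58))
    intact = log.verify()

    # Tampering 1: an earlier result is edited after the fact; its hash no longer matches.
    log.entries[1]["result"] = "no hash recorded"
    edited = log.verify()
    log.entries[1]["result"] = "sha256 of image recorded on E1 label"

    # Tampering 2: an entry is deleted; the following entry's seq and prev no longer line up.
    removed = log.entries.pop(1)
    deleted = log.verify()
    log.entries.insert(1, removed)
    return {"intact": intact, "edited": edited, "deleted": deleted, "restored": log.verify()}


if __name__ == "__main__":
    print(demo())
```

The chain only proves that nothing changed after an entry was written; it does not stop the examiner from writing a false entry in the first place, which is why the log is kept by a person and witnessed, and why the last hash is periodically copied somewhere the examiner cannot reach.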

Step: Assemble a toolkit to support your forensic processes.

Description: The best toolkits blend open source software with commercial software such as EnCase (the industry leader). Familiarize yourself with the wide range of available software and don't depend on one vendor for everything.

Step: Implement other intrusion detection systems.

Description: Implement other intrusion detection mechanisms, including process accounting, user auditing, and filesystem monitoring as appropriate. For more details on IDS/IPS, see Chapter 7.

Recommended Reading

  • Hacking Exposed Computer Forensics, by Chris Davis, et al. (McGraw-Hill/Osborne, 2004)

  • Software Forensics: Collecting Evidence from the Scene of a Digital Crime, by Robert Slade (McGraw-Hill Professional, 2004)

  • Exploiting Software, by Greg Hoglund and Gary McGraw (Addison-Wesley, 2004)

  • Open Source Digital Forensics (http://www.opensourceforensics.org/)

  • SecurityFocus Infocus Archives (http://www.securityfocus.com/infocus/incidents)

  • SecurityFocus Forensics mailing list archives (http://www.securityfocus.com/archive/104)

  • CERIAS: Center for Education and Research in Information Assurance and Security (http://www.cerias.purdue.edu/research/forensics/resources.php)

  • SANS Internet Storm Center (http://isc.sans.org//index.php)

  • Incident Response and Computer Forensics, Second Edition, by Chris Prosise, et al. (McGraw-Hill, 2003)

  • Guidance Software's EnCase Solution (http://www.encase.com/)



Extreme Exploits: Advanced Defenses Against Hardcore Hacks (Hacking Exposed)
ISBN: 0072259558
Year: 2005