Analysis of External Sources of Information and System Behavior


In organizations that are careful about security, users are instructed and educated (this topic will be covered in detail in Chapter 7). These users then inform administrators of all suspicious events. Administrators must pay attention to this information and analyze it along with the data obtained from other sources, such as the security bulletins and reports published by various response teams that were mentioned above. Proper attention to notifications received from system users significantly improves the security administrator's ability to control the information resources. Educated users most probably know best which resources are critical and which events must be considered suspicious. Do not neglect user information, even if their notifications and alarms later prove to be false. By ignoring warnings a number of times, you could find yourself in a situation where users stop reporting what seems suspicious to them because they fear their warnings will be ignored or ridiculed. When analyzing user notifications, do not rely entirely on a single report. It is best to confirm reports with information obtained from other sources as well: security tools, log-file information and notifications from other users. Correlate information from these sources and try to find matches. If the notification is not well grounded, you can disregard it, but do not forget to thank the user for his or her help. The next time, this user, noticing that you carefully investigate his or her notifications, might inform you of something really important.

Do not forget that intruders might select your network as a starting base for attacking other networks. They might infect your system with a "Trojan horse," through which they can later launch attacks on the information resources of other organizations. Or, for example, some hosts within your network might be compromised using "zombie" programs and become the base for attacks on other hosts. Investigate all materials and bulletins obtained from incident-response groups, and use various security analyzers. Your network could prove to be vulnerable to some of the problems identified by these sources.

Collect as much information as possible. Sometimes it may be necessary to contact the user (for example, one of your clients) or organization (an ISP, for example) that has published information on a suspicious event. Analyze log files and, if you find clear evidence of an attack, initiate reaction procedures immediately.




Protect Your Information with Intrusion Detection
ISBN: 1931769117
Year: 2001
Pages: 152
