Monitoring covers much wider ground than just periodic or constant inspection of audit logs. Monitoring includes the following activities:
Penetration testing
Intrusion detection
Violation processing
Keystroke monitoring
Traffic and trend analysis
Facilities monitoring
The remainder of this section is dedicated to the discussion of these activities.
Instant Answer Penetration testing is the general term that describes the use of tools to discover and identify security vulnerabilities.
Penetration testing techniques include
Port scanning: A port scan is a tool that communicates over the network with one or more target systems on various Transmission Control Protocol/Internet Protocol (TCP/IP) ports. A port scan will discover the presence of ports that should probably be deactivated (because they serve no useful or necessary purpose on a particular system) or upgraded/patched (because of a software vulnerability that could lead to a break-in). Some example port scanning tools include SATAN, ISS, and NMAP.
Vulnerability scanning: Similar to port scanning, vulnerability scanning is a means for identifying exploitable vulnerabilities in a system. This is most often used to ensure that Web-based applications are free of vulnerabilities that would permit an attacker to break in to databases.
Packet sniffing: A packet sniffer is a tool that captures all TCP/IP packets on a network, not just those being sent to the system or device doing the sniffing. Recall that an Ethernet network is a shared-media network, which means that all packets on the local area network (LAN) can theoretically be viewed by any or all devices on the LAN. But switched-media Ethernets are becoming more prevalent today for performance reasons; sniffers on switched-media LANs generally pick up only packets intended for the device running the sniffer. We digress; sorry.
Tip One other term that you need to be familiar with is promiscuous mode. This is the altered state in which the network adaptor accepts all packets, not just the packets destined for the system, and sends them to the operating system. The reason promiscuous mode was chosen to describe this network adaptor setting is an exercise left to the reader.
War dialing: Hackers use war dialing to sequentially dial all phone numbers in a range to discover all the modems that are available. The hacker then uses the list of discovered modems to see whether any of them are easily penetrated and are connected to systems or networks worth the trouble to connect to.
War driving: War driving is the 21st-century version of war dialing, wherein someone uses a laptop computer equipped with a wireless LAN card and literally drives around a densely populated area in order to discover unprotected (or poorly protected) wireless LANs.
Radiation monitoring: Radio frequency (RF) emanations describe the electromagnetic radiation emitted by computers and network devices. Radiation monitoring is similar to packet sniffing and war driving in that someone uses sophisticated equipment to try to determine what data is being displayed on monitors, transmitted on LANs, or processed in computers.
Packet sniffing isn’t just a tool used by hackers to pick up userids and passwords from the LAN. Packet sniffing has legitimate uses as well. Primarily, it’s used as a diagnostic tool to troubleshoot a problem, such as a firewall (to see whether the desired packets are getting through), routers, switches, and virtual LANs (VLANs).
The obvious danger of the packet sniffer falling into the wrong hands is the capability to capture userids and passwords. Equally perilous is the fact that packet sniffers are next to impossible to detect on a network.
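A sniffer is hard to spot from the wire, but the host it runs on usually gives it away: the adaptor has to be in promiscuous mode, and on Linux the kernel exposes that flag for each interface. The following added example (not code from the book) checks the IFF_PROMISC bit in /sys/class/net/<iface>/flags; the value of the bit comes from the Linux if.h header, and the sysfs path layout is the standard Linux one.

```python
"""Report local interfaces that are in promiscuous mode (Linux sysfs check).

Added example, not code from the book. The kernel writes each interface's
flags as a hex string to /sys/class/net/<iface>/flags; bit 0x100 is
IFF_PROMISC and is set while any process has the adaptor capturing all
frames rather than only those addressed to it.
"""
import os

IFF_PROMISC = 0x100  # value of IFF_PROMISC from Linux <linux/if.h>


def is_promiscuous(flags_text: str) -> bool:
    """True if a sysfs flags string such as '0x1103' has IFF_PROMISC set."""
    return bool(int(flags_text.strip(), 16) & IFF_PROMISC)


def promiscuous_interfaces(sysfs_root: str = "/sys/class/net") -> list:
    """Names of interfaces currently in promiscuous mode; [] when sysfs is absent."""
    found = []
    if not os.path.isdir(sysfs_root):
        return found  # not a Linux host (or no sysfs): nothing to inspect
    for iface in sorted(os.listdir(sysfs_root)):
        path = os.path.join(sysfs_root, iface, "flags")
        try:
            with open(path) as fh:
                if is_promiscuous(fh.read()):
                    found.append(iface)
        except OSError:
            continue  # interface disappeared or is unreadable; skip it
    return found


if __name__ == "__main__":
    hits = promiscuous_interfaces()
    print("promiscuous interfaces:", ", ".join(hits) if hits else "none")
```

The same flag shows up as PROMISC in `ip link show` output. The check only finds sniffers on the host you run it on; a capture box hanging off a mirror (SPAN) port or a tap leaves no trace on the systems being monitored, which is what makes sniffers so hard to detect from the network side.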
Dumpster diving: Dumpster diving is low-tech penetration testing at its best, and it is exactly what it sounds like it is. Dumpster diving can sometimes be an extraordinarily fruitful way to obtain information about an organization. Organizations in highly competitive environments also need to be concerned about where recycled paper goes. Hint: Buy a shredder. Or ten.
Eavesdropping: Eavesdropping is as low-tech as dumpster diving but a little more dignified. Basically an eavesdropper takes advantage of one or more persons who are talking or using a computer - and paying little attention to the fact that someone else may be listening to their conversations or watching them work over their shoulder. The technical term for the latter is shoulder surfing.
Social engineering: If eavesdropping is passive, then social engineering is the active way of getting information from workers. This topic is covered in more detail in Chapter 7.
Intrusion detection is the technique used to detect unauthorized activity on a network. An intrusion detection system is frequently called an IDS. The two types of IDSes used today are
Network-based intrusion detection (NIDS): This consists of a separate device attached to a LAN that listens to all network traffic by using various methods (which we describe later in this section) to detect anomalous activity.
Host-based intrusion detection (HIDS): This is really a subset of network-based IDS, in which only the network traffic destined for a particular host is monitored.
Both network-based and host-based IDSes use a number of methods:
Signature-based: A signature-based IDS compares network traffic that is observed with a list of patterns in a signature file. A signature-based IDS detects any of a known set of attacks, but if an intruder is able to change the patterns that he uses in his attack, then his attack may be able to slip by the IDS without being detected. The other downside of signature-based IDS is that the signature file must be periodically updated.
Anomaly-based: An anomaly-based IDS monitors all the traffic over the network and builds traffic profiles. Over time, the IDS will report deviations from the profiles that it has built. The upside of anomaly-based IDSes is that there are no signature files to periodically upgrade. The downside is that you may have a high volume of false-positives.
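The two methods behave differently on the same traffic, and the difference is easiest to see side by side. The following added example (not code from the book) runs a tiny signature-based detector and a tiny anomaly-based detector over constructed connection records; it also covers the port-scanning item above, because the anomaly profile it builds is "distinct destination ports per source per minute". The signature names and patterns, addresses and request text are all made up for the demonstration.

```python
"""Signature-based versus anomaly-based detection over constructed connection records.

Added example, not code from the book. Each record is one observed request:
the minute it was seen, source address, destination port and request text.
The signature file, addresses and payloads below are constructed for the demo.
"""
import re
import statistics
from collections import defaultdict

# Hypothetical signature file: name -> pattern looked for in the request text.
SIGNATURES = {
    "SIG-001": re.compile(r"EXAMPLE-EXPLOIT-A"),
    "SIG-002": re.compile(r"User-Agent: EvilScannerX"),
}


def signature_matches(events):
    """Return (event index, signature name) for each request matching a known pattern."""
    hits = []
    for i, ev in enumerate(events):
        for name, rx in SIGNATURES.items():
            if rx.search(ev["payload"]):
                hits.append((i, name))
    return hits


def distinct_ports(events):
    """Map (src, minute) -> set of destination ports that source touched in that minute."""
    per_key = defaultdict(set)
    for ev in events:
        per_key[(ev["src"], ev["minute"])].add(ev["dport"])
    return per_key


def build_profile(baseline_events):
    """Traffic profile: mean and population stdev of distinct ports per source per minute."""
    counts = [len(ports) for ports in distinct_ports(baseline_events).values()]
    return {"mean": statistics.fmean(counts), "stdev": statistics.pstdev(counts)}


def anomaly_matches(events, profile, k=3.0):
    """Flag (src, minute, count) whose count exceeds mean + k*stdev of the profile."""
    limit = profile["mean"] + k * profile["stdev"]
    return sorted(
        (src, minute, len(ports))
        for (src, minute), ports in distinct_ports(events).items()
        if len(ports) > limit
    )


# Constructed baseline: three internal hosts, each touching its usual 1-3 ports per minute.
USUAL_PORTS = {"10.0.0.1": (80, 443), "10.0.0.2": (80,), "10.0.0.3": (22, 80, 443)}
BASELINE = [
    {"minute": m, "src": src, "dport": p, "payload": "GET / HTTP/1.1"}
    for m in range(10)
    for src, ports in USUAL_PORTS.items()
    for p in ports
]

# Constructed observation window: normal traffic, one outside host sweeping eight ports
# in a minute, one request carrying the SIG-001 string and one carrying a variant of it.
OBSERVED = [
    {"minute": 20, "src": "10.0.0.1", "dport": 80, "payload": "GET /index.html HTTP/1.1"},
    {"minute": 20, "src": "10.0.0.1", "dport": 443, "payload": "GET /login HTTP/1.1"},
] + [
    {"minute": 20, "src": "192.0.2.10", "dport": p, "payload": "GET / HTTP/1.1"}
    for p in (21, 22, 23, 25, 80, 110, 143, 443)
] + [
    {"minute": 21, "src": "10.0.0.2", "dport": 80, "payload": "GET /?q=EXAMPLE-EXPLOIT-A HTTP/1.1"},
    {"minute": 22, "src": "10.0.0.3", "dport": 80, "payload": "GET /?q=EXAMPLE-EXPL0IT-A HTTP/1.1"},
]

if __name__ == "__main__":
    profile = build_profile(BASELINE)
    print("profile:", profile)
    print("signature hits:", signature_matches(OBSERVED))
    print("anomaly hits:", anomaly_matches(OBSERVED, profile))
```

Run as written, the signature detector reports only record 10 (the exact SIG-001 string); record 11, where one character of the pattern differs, slips past it and is too small to disturb the profile either, which is the weakness the text describes. The eight-port sweep from 192.0.2.10 carries no signature at all and is caught only by the profile. The constant `k` is the tuning knob: lowering it catches smaller deviations at the cost of more false positives, exactly the trade-off the anomaly-based paragraph warns about.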
We are obligated to tell you that intrusion detection doesn’t stop intruders, but intrusion prevention does . . . or at least it slows them down. Intrusion prevention systems are the newer and more common systems that are designed to detect and block intrusions.
Instant Answer Intrusion detection is used to detect known attacks and/or anomalous behavior on a network or host.
Violation analysis is the science of examining activity and audit logs to discover inappropriate activities. Violation analysis uses clipping levels, which are the thresholds that differentiate violations from nonevents.
Here’s an example. Users on a particular system sometimes type in their passwords incorrectly, so a few errors are allowed. But wisely, you set a clipping level of four failed login attempts per hour. Whenever a user has fewer than four failed attempts, everything’s cool. But when the clipping level is exceeded, then a violation has occurred. In this example, the violation may indicate that someone is trying to break in to the system by guessing passwords.
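The clipping level from this example, applied to a log, is a sliding one-hour window per user. The following added example (not code from the book) reads constructed authentication log lines in a made-up format, keeps each user's recent failures in a window, and reports a violation the moment the count exceeds the clipping level of four; a user with four or fewer failures in any hour is never reported. Lines are assumed to arrive in time order.

```python
"""Violation analysis with a clipping level: failed logins per user per hour.

Added example, not code from the book. The log line format below is
constructed for the demo:
    <ISO timestamp> auth: <Failed|Accepted> password for <user> from <src>
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

CLIPPING_LEVEL = 4              # failures per window that are tolerated
WINDOW = timedelta(hours=1)
LINE_RX = re.compile(r"^(\S+) auth: (Failed|Accepted) password for (\S+) from (\S+)$")


def parse(line):
    """Return (timestamp, failed?, user, src) or None for a line we do not understand."""
    m = LINE_RX.match(line)
    if not m:
        return None
    ts, outcome, user, src = m.groups()
    return datetime.fromisoformat(ts), outcome == "Failed", user, src


def find_violations(lines, clipping_level=CLIPPING_LEVEL, window=WINDOW):
    """Report (user, time, count) once per user when failures in the window exceed the level."""
    recent = defaultdict(deque)   # user -> timestamps of failures still inside the window
    alerted = set()
    violations = []
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue
        ts, failed, user, _src = rec
        if not failed:
            continue                # successes do not count against the clipping level
        q = recent[user]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()             # drop failures older than one hour
        if len(q) > clipping_level and user not in alerted:
            alerted.add(user)
            violations.append((user, ts.isoformat(), len(q)))
    return violations


# Constructed log: alice mistypes three times then succeeds, bob fails five times in
# forty minutes, carol fails four times spread over more than three hours.
AUTH_LOG = [
    "2024-05-01T08:00:00 auth: Failed password for carol from 10.0.0.7",
    "2024-05-01T09:00:00 auth: Failed password for alice from 10.0.0.5",
    "2024-05-01T09:00:00 auth: Failed password for bob from 10.0.0.6",
    "2024-05-01T09:05:00 auth: Failed password for carol from 10.0.0.7",
    "2024-05-01T09:10:00 auth: Failed password for alice from 10.0.0.5",
    "2024-05-01T09:10:00 auth: Failed password for bob from 10.0.0.6",
    "2024-05-01T09:20:00 auth: Failed password for alice from 10.0.0.5",
    "2024-05-01T09:20:00 auth: Failed password for bob from 10.0.0.6",
    "2024-05-01T09:25:00 auth: Accepted password for alice from 10.0.0.5",
    "2024-05-01T09:30:00 auth: Failed password for bob from 10.0.0.6",
    "2024-05-01T09:40:00 auth: Failed password for bob from 10.0.0.6",
    "2024-05-01T10:10:00 auth: Failed password for carol from 10.0.0.7",
    "2024-05-01T11:15:00 auth: Failed password for carol from 10.0.0.7",
]

if __name__ == "__main__":
    for user, when, count in find_violations(AUTH_LOG):
        print(f"VIOLATION {user}: {count} failed logins within an hour as of {when}")
```

Only bob trips the level, on his fifth failure at 09:40. Carol's four failures never sit inside one hour together, which is the point of a window rather than a daily total: the clipping level separates ordinary typos from a sustained guessing attempt.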
Keystroke monitoring is used to record all input activities on a terminal or workstation. Keystroke monitoring can sap your resources; it can be difficult to hide, and issues exist regarding the privacy rights of the person(s) whose activities are being monitored at this level of scrutiny.
Keystroke monitoring must be used with care - perhaps only as an aid for an active investigation. Only if you want to see yourself on TV (and not for good reasons) should you consider routinely installing keystroke-monitoring software on workstations.
Traffic and trend analysis are the techniques used to make inferences about the activities of an individual or an organization based upon the type and volume of traffic on a network. For instance, a dramatic rise in network traffic at 2 a.m. might be an indication of backups or batch processing.
Hackers use traffic and trend analysis too. Read more about this topic in Chapter 7.
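The inference in the 2 a.m. example comes from looking at the same hour across several days: a peak that repeats every night looks like a scheduled job, while a peak on one day only is something to ask about. The following added example (not code from the book) builds an hour-of-day volume profile from constructed per-hour byte counts over five days and classifies each elevated hour as recurring or one-off; the data, the "three times the median" threshold and the day/hour layout are all assumptions made for the demonstration.

```python
"""Trend analysis: classify elevated traffic hours as recurring or one-off.

Added example, not code from the book. Input is constructed as
(day, hour_of_day, megabytes) triples, one per hour per day.
"""
import statistics
from collections import defaultdict


def hourly_matrix(records):
    """(day, hour, mb) triples -> {hour: {day: mb}} (summing duplicates)."""
    matrix = defaultdict(dict)
    for day, hour, mb in records:
        matrix[hour][day] = matrix[hour].get(day, 0) + mb
    return matrix


def classify_hours(records, factor=3.0):
    """Return {hour: (kind, elevated_days)} for hours above factor x overall median volume.

    kind is "recurring" when every observed day is elevated at that hour (the
    signature of backups or batch processing) and "one-off" otherwise.
    """
    matrix = hourly_matrix(records)
    baseline = statistics.median(v for per_day in matrix.values() for v in per_day.values())
    result = {}
    for hour, per_day in sorted(matrix.items()):
        elevated = sorted(day for day, mb in per_day.items() if mb > factor * baseline)
        if not elevated:
            continue
        kind = "recurring" if len(elevated) == len(per_day) else "one-off"
        result[hour] = (kind, elevated)
    return result


def constructed_week():
    """Five days of made-up hourly volumes: quiet nights, busy office hours,
    a backup burst at 02:00 every night and a single spike at 14:00 on day 3."""
    recs = []
    for day in range(1, 6):
        for hour in range(24):
            mb = 100 if hour < 8 else 800 if hour < 18 else 300
            if hour == 2:
                mb = 2500
            if day == 3 and hour == 14:
                mb = 4000
            recs.append((day, hour, mb))
    return recs


if __name__ == "__main__":
    for hour, (kind, days) in classify_hours(constructed_week()).items():
        print(f"{hour:02d}:00 {kind:9s} elevated on days {days}")
```

With this data the median hourly volume is 300 MB, so office-hours traffic at 800 MB is not flagged; 02:00 is flagged on all five days (recurring, consistent with the backup window in the text) and 14:00 only on day 3 (one-off). The same profile is what an outsider doing trend analysis would learn about your schedule, which is why the text notes that attackers use the technique too.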
No monitoring plan is complete without some physical monitoring capabilities. A few methods are
Watching the logs of buildings with card-key access control to see whether doors are being propped open or if people are attempting to enter restricted areas
Monitoring unmanned entrances and other locations with closed-circuit television (CCTV) monitoring systems
Staffing key locations with security guards
Installing and monitoring security alarm sensors on doors, windows, and motion sensors in areas not normally manned
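The first item in that list, reading card-key logs for propped doors and attempts on restricted areas, is easy to automate once the access-control system exports its events. The following added example (not code from the book) scans constructed badge-reader log lines for doors held open longer than a threshold and for denied badge presentations at restricted doors; the log format, door names, badge IDs and the 30-second threshold are all assumptions made for the demonstration.

```python
"""Facilities monitoring: propped doors and denied entry to restricted areas.

Added example, not code from the book. Log lines are constructed in the form
    <ISO timestamp> <door id> <GRANTED|DENIED|DOOR_OPEN|DOOR_CLOSE> <badge id or ->
and are assumed to be in time order.
"""
from datetime import datetime, timedelta

RESTRICTED_DOORS = {"SRV-ROOM-1", "NOC-2"}   # hypothetical restricted-area doors
HELD_OPEN = timedelta(seconds=30)            # longer than this counts as propped open


def parse_event(line):
    """Return (timestamp, door, event, badge) or None for a malformed line."""
    parts = line.split()
    if len(parts) != 4:
        return None
    ts, door, event, badge = parts
    return datetime.fromisoformat(ts), door, event, badge


def analyze(lines):
    """Return findings as (kind, door, detail, time) tuples in the order detected."""
    open_since = {}          # door -> time it was opened and not yet closed
    findings = []
    for line in lines:
        rec = parse_event(line)
        if rec is None:
            continue
        ts, door, event, badge = rec
        if event == "DENIED" and door in RESTRICTED_DOORS:
            findings.append(("restricted-denied", door, badge, ts.isoformat()))
        elif event == "DOOR_OPEN":
            open_since[door] = ts
        elif event == "DOOR_CLOSE":
            opened = open_since.pop(door, None)
            if opened is not None and ts - opened > HELD_OPEN:
                secs = int((ts - opened).total_seconds())
                findings.append(("held-open", door, f"{secs}s", opened.isoformat()))
    for door, opened in open_since.items():   # still open when the log ends
        findings.append(("still-open", door, "-", opened.isoformat()))
    return findings


# Constructed log: a normal lobby entry, a server-room door left open for 15 minutes,
# one badge refused twice at the NOC after hours, and a loading-dock door never closed.
BADGE_LOG = [
    "2024-05-01T08:00:00 LOBBY-1 GRANTED B1001",
    "2024-05-01T08:00:02 LOBBY-1 DOOR_OPEN -",
    "2024-05-01T08:00:08 LOBBY-1 DOOR_CLOSE -",
    "2024-05-01T12:30:00 SRV-ROOM-1 GRANTED B2001",
    "2024-05-01T12:30:01 SRV-ROOM-1 DOOR_OPEN -",
    "2024-05-01T12:45:00 SRV-ROOM-1 DOOR_CLOSE -",
    "2024-05-01T22:15:00 NOC-2 DENIED B1001",
    "2024-05-01T22:15:30 NOC-2 DENIED B1001",
    "2024-05-01T23:00:00 LOADING-DOCK DOOR_OPEN -",
]

if __name__ == "__main__":
    for kind, door, detail, when in analyze(BADGE_LOG):
        print(f"{when} {kind:17s} {door:12s} {detail}")
```

The lobby open/close six seconds apart is ordinary use and produces nothing. The server-room door was propped for 899 seconds after a legitimate badge, badge B1001 was refused twice at the NOC at night, and the loading-dock door is still open when the log ends; each of those is something a guard or CCTV operator should be asked to look at.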
Okay, so through your foresight and leadership (and the excellent book that you’re reading right now), your organization has full security monitoring capabilities. What do you do when one of the monitoring systems indicates that a security event is unfolding? How will you recognize and respond?
Instant Answer The process of detecting, responding, and fixing a problem is known as problem or incident management.
Cross-Reference Like business continuity planning and disaster recovery planning (read more about this in Chapter 11), security event recognition requires advance planning:
Monitoring personnel: Who is monitoring which events, audit logs, and other facilities?
Initial response: What are the first steps to be performed when a suspicious event is seen? Written procedures would be a good idea here.
Confirmation: Who will perform this task, and how will they do it? Someone needs to determine whether the event is a false alarm or not.
Notification: How will the appropriate persons or the affected community be notified? Who bears this responsibility? Presuming that someone is using the system generating the alarm, key personnel and/or the user community may need to be notified if the event continues to unfold and interrupts service.
Escalation: Who defines which senior managers need to be notified and when? If the event crosses predetermined thresholds, higher levels of management may need to be notified.
Resolution: What are the plans for resolution? Most of the time, someone will need to do something to manage the event. This could be a server shutdown and reboot, locking a user account, suspending a service, or any number of other actions.
Event reporting: Will there be standard reporting formats, and by what means will reports be delivered? How various events will be reported needs to be worked out in advance, too.
Event review: How will the event be reviewed in terms of action and prevention? At the conclusion of the event, stakeholders need to discuss the event to determine whether the response was appropriate and whether the event (or ones like it) can be avoided in the future.
How should an organization define resolution of a security event? Is it when the affected systems’ functionality has been restored? Is it when the perpetrator has been identified? Is it after any architecture or process changes designed to prevent a repeat of the event have been put into place? Each organization will need to get its arms around this so that senior management and the security community agree on the term resolution.