Chapter 27: Responding to Security Incidents

As a network administrator, you must be able to recognize when a security incident is under way. Unfortunately, not all attacks are obvious. Recognizing early that the network is under attack is essential for protecting the information and computers that have not yet been compromised. Detecting security incidents centers on investigating events that fall outside the normal behavior of the network or of the computers on it. Consequently, the key to detecting security events is a clear understanding of baseline network operation. Creating a baseline for the computers and network components includes cataloging the applications and services that should be running, documenting the appropriate user rights and group memberships, and supporting these lists with solid change control processes that update them whenever an approved alteration occurs.

For more information on creating a performance baseline, see Chapter 27, Overview of Performance Monitoring, of the Microsoft Windows 2000 Professional Resource Kit (Microsoft Press, 2000).

For example, suppose an organization has implemented host-based and network-based intrusion detection systems (IDS) and analyzes the log files from the IDS software regularly. The regular analysis shows a normal spike in reported connection attempts every night at 1:00 A.M.; the rest of the time, attempted attacks are recorded at a consistent level. If the organization encounters a dramatic spike in the number of attempted attacks at 4:00 A.M., the network administrator has good reason to suspect a coordinated attack and to investigate immediately. Without the baseline log files for comparison, the attempted attacks might easily be dismissed as unremarkable port-scanning activity. Similarly, without the baseline, the normal spike at 1:00 A.M. might be mistaken for a coordinated attack against the organization. Both cases illustrate the importance of having a baseline record of normal behavior.

Once you have established a baseline of behavior, you can monitor the network for sudden variations from the baseline, including short-term spikes and longer-term, more gradual increases. You should investigate all these variations. In most cases, you will find no attack in progress. In some cases, you will find an incident in progress and will be able to take action before the attacker can steal or destroy information or otherwise damage the network. The earlier you detect an anomaly and investigate it, the greater your likelihood of minimizing damage to the network.
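The baseline comparison described in the two preceding paragraphs, worked through in code. This is an added example, not code from the book or from any IDS product: the log lines are constructed for the demonstration in an assumed four-field format (timestamp, source address, destination port, event name), and the function names, the "3 standard deviations plus at least 10 events" spike rule, and the "recent days versus earlier days" ratio for gradual drift are illustrative choices, not a published method. It builds a per-hour-of-day baseline from a week of history in which a routine burst occurs every night at 01:00, then flags the current day's 04:00 surge while leaving the 01:00 burst alone, and separately checks a second history for the slow upward creep that a spike rule by itself would miss.

```python
"""Compare IDS connection-attempt counts against a learned hourly baseline.

Added example; log lines are constructed and use an assumed format:
    2003-05-01T01:17:42 10.0.0.7 445 connect-attempt
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

TS_FORMAT = "%Y-%m-%dT%H:%M:%S"


def parse_line(line):
    """Return (timestamp, src, port, event) or None for a malformed line."""
    parts = line.split()
    if len(parts) != 4:
        return None
    try:
        ts = datetime.strptime(parts[0], TS_FORMAT)
    except ValueError:
        return None
    return ts, parts[1], parts[2], parts[3]


def hourly_counts(lines):
    """Count parsable events per (date, hour-of-day); malformed lines are skipped."""
    counts = defaultdict(int)
    for line in lines:
        rec = parse_line(line)
        if rec is not None:
            counts[(rec[0].date(), rec[0].hour)] += 1
    return counts


def build_baseline(history_lines):
    """Per hour-of-day (mean, population stdev) across the days in the history.
    An hour with no events on some day counts as 0, so quiet hours stay in the model."""
    counts = hourly_counts(history_lines)
    days = {day for day, _ in counts}
    samples = {h: [counts.get((d, h), 0) for d in days] for h in range(24)}
    return {h: (mean(v), pstdev(v)) for h, v in samples.items()}


def find_spikes(baseline, today_lines, k=3.0, min_delta=10):
    """Hours whose count exceeds the baseline mean by more than k sigma AND by at
    least min_delta events.  The absolute floor keeps a near-zero-variance hour
    from alerting on a handful of extra events (illustrative thresholds)."""
    flagged = []
    for (_, hour), n in sorted(hourly_counts(today_lines).items()):
        mu, sigma = baseline[hour]
        if n - mu >= min_delta and n > mu + k * sigma:
            flagged.append((hour, n, round(mu, 1)))
    return flagged


def gradual_increase(history_lines, window=3, ratio=1.5):
    """Longer-term drift: mean daily total of the most recent `window` days versus
    the mean of the earlier days.  Returns (is_rising, observed_ratio)."""
    totals = defaultdict(int)
    for (day, _), n in hourly_counts(history_lines).items():
        totals[day] += n
    days = sorted(totals)
    if len(days) <= window:
        return False, 1.0
    recent = mean(totals[d] for d in days[-window:])
    earlier = mean(totals[d] for d in days[:-window])
    r = recent / earlier if earlier else float("inf")
    return r >= ratio, round(r, 2)


def make_day(day, count_for_hour, src="10.0.0.7"):
    """Constructed-data helper: emit count_for_hour(h) lines for each hour of `day`."""
    return [f"{day}T{h:02d}:{i % 60:02d}:00 {src} 445 connect-attempt"
            for h in range(24) for i in range(count_for_hour(h))]


# Seven constructed days: 5-7 events most hours, a routine ~40-event burst at
# 01:00 every night (e.g. a scheduled job), with small day-to-day jitter.
HISTORY = []
for d in range(7):
    HISTORY += make_day(f"2003-05-{d + 1:02d}",
                        lambda h, d=d: 40 + d % 4 if h == 1 else 5 + d % 3)

# The day under review: the usual 01:00 burst plus an unexplained surge at 04:00.
TODAY = make_day("2003-05-08", lambda h: 41 if h == 1 else 120 if h == 4 else 6)
TODAY.append("garbage line that does not parse")

# A second constructed history whose background level creeps up every day.
RISING = []
for d in range(7):
    RISING += make_day(f"2003-06-{d + 1:02d}", lambda h, d=d: 5 + 2 * d)

BASELINE = build_baseline(HISTORY)
SPIKES = find_spikes(BASELINE, TODAY)       # -> [(4, 120, 5.9)]; 01:00 is not flagged
TREND = gradual_increase(HISTORY)           # -> (False, 1.03)

if __name__ == "__main__":
    print("01:00 baseline (mean, stdev):", BASELINE[1])
    print("hours exceeding baseline:", SPIKES)
    print("gradual increase, flat history:", TREND)
    print("gradual increase, rising history:", gradual_increase(RISING))
```

The two checks answer different questions: the per-hour rule catches the short-term spike the chapter describes, while the day-total ratio catches a slow rise that never trips a per-hour threshold. In practice the baseline should be rebuilt on a schedule from logs that predate any suspected incident, or an attacker who has been active for weeks becomes part of "normal".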



Microsoft Windows Security Resource Kit
ISBN: 0735621748
Year: 2003
Pages: 189
