A Five-Step Plan to Help You Stay Ahead of Computer Security Attacks, Risks, and Threats, Part Two

Feb 28, 2007, 18:13

Etienne A. Gibbs



Step No. 2: Follow the Threat to Its Source

When an alert shows up on a security manager's console, it's as if someone set off an alarm, says Morrow, the Chief Security and Privacy Officer for Electronic Data Systems Corp. The security group's first question is obvious: Where is the problem? But finding the answer requires ingenuity. There's no single surefire method for finding a security breach and nailing down its scope.

The task is still more art than science. Event logs generated by firewalls and early warning intrusion-detection/prevention systems give security analysts one route of inquiry. And the demand for tools that help correlate the mass of security data held by the various systems is growing. Security experts advise looking at security information and event management software, which helps security managers detect incidents, for clues that may help identify the source of the attack as well.

Security information and event management software rolls up alerts from firewalls and intrusion-detection/protection systems, along with event data from antivirus products, databases, Web servers and elsewhere. It offers two tracks to get to the source. One is its visualization portion, which looks like a large, continuously scrolling spreadsheet and provides some amount of detail on a network attack, detected virus or other event, including the Internet Protocol address of the affected equipment and device name.

The initial information gives a basic sketch of the problem and where it may exist. Every device connected to a network is identified by an Internet Protocol address, for example, which can guide security personnel to the general areas requiring investigation. However, there are limitations to this line of inquiry. One is a lack of context: What does the IP address mean? Where is it and who is using it? The other limitation is that an attack may spoof the IP address.

Security analysts thus have to dig deeper into the second source, the event logs, which contain more finely grained detail. They'll be looking for Media Access Control addresses, which identify network nodes, to see if a given IP address is correct and valid, Lawson explains. The logs also will provide details on how an attack progressed through a network. By examining the firewalls, routers and operating systems, analysts can piece together how many Media Access Control addresses, Internet Protocol addresses and routers were targeted in a given incident, Lawson says. Security personnel need information beyond the alert itself, so a good security information and event management system will archive logs from different security devices, routers and operating systems.

A security information and event management system's data gives the security team direction; after that, they must still physically find the affected system. A configuration management database, which holds information about the components of an organization's information-technology infrastructure, can help. By identifying components and their status, the database helps security managers zero in on the source of trouble, though that doesn't mean all devices are easy to find; a laptop plugged into the corporate network by a temporary worker or other visitor will be elusive. For all the automated sleuthing, a certain percentage of devices will be discovered only by simple hands-on crawling through offices, plugging and unplugging things.

When it comes to detecting an attack, human intelligence must support automated systems in determining the scope and severity of an attack. Security managers say they seek out the affected asset's owner.
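As an added example, not code from the article or from any product it mentions: the correlation the analysts describe, done in Python over constructed SIEM alert rows, constructed DHCP/ARP log lines and a constructed CMDB record. The log line format, the IP and MAC values, the switch port names and the asset fields are all assumptions; the script resolves an alert's IP to the MAC addresses the logs tie to it, flags an IP seen with more than one MAC as possibly spoofed, and reports whether the CMDB knows the device or a hands-on search is needed.

```python
# Added example (not from the article): correlate a SIEM alert's IP address with
# DHCP/ARP log entries (MAC addresses) and a CMDB asset record, the second
# track the article describes. All data, formats and names are constructed.
import re

# Constructed SIEM console rows, as the visualization view would show them
ALERTS = [
    {"ip": "10.1.20.15", "device": "ws-fin-07", "event": "IDS: outbound IRC beacon"},
    {"ip": "10.1.20.99", "device": "unknown", "event": "AV: worm detected"},
]

# Constructed DHCP/ARP lease log (line format is hypothetical)
LEASE_LOG = """\
2007-02-28T17:55:02 dhcpd lease 10.1.20.15 mac=00:1a:4b:10:20:30 host=ws-fin-07
2007-02-28T17:58:41 arp seen 10.1.20.15 mac=00:1a:4b:10:20:30 on sw-fin-2/gi0/7
2007-02-28T18:02:10 arp seen 10.1.20.15 mac=00:e0:4c:de:ad:01 on sw-lab-1/gi0/3
2007-02-28T18:05:09 dhcpd lease 10.1.20.99 mac=00:21:5c:aa:bb:cc host=LAPTOP-TEMP
"""
LINE_RE = re.compile(
    r"(\S+) .* (\d+\.\d+\.\d+\.\d+) mac=([0-9a-f:]{17})(?: .*\bon (\S+))?")

# Constructed CMDB: MAC -> owner and physical location; unknown MACs are unmanaged
CMDB = {"00:1a:4b:10:20:30": {"owner": "finance-it", "location": "HQ 3F, desk 12"}}

def macs_for_ip(log, ip):
    """Return (mac, switch_port) pairs the logs associate with ip, in log order."""
    found = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m and m.group(2) == ip:
            found.append((m.group(3), m.group(4)))
    return found

def triage(alert):
    """Resolve an alert's IP to MAC(s), flag possible spoofing, look up the CMDB."""
    seen = macs_for_ip(LEASE_LOG, alert["ip"])
    macs = sorted({mac for mac, _ in seen})
    ports = sorted({port for _, port in seen if port})
    asset = next((CMDB[mac] for mac in macs if mac in CMDB), None)
    return {
        "ip": alert["ip"],
        "macs": macs,
        "ports": ports,                   # switch ports to check when locating the box
        "possible_spoof": len(macs) > 1,  # one IP seen with several MACs
        "asset": asset,
        # No CMDB record at all: likely a visitor's laptop, needs a hands-on search
        "unmanaged": bool(macs) and asset is None,
    }
```

Calling triage() on each row of ALERTS gives the analyst the MACs, switch ports and owner for the first alert (with a spoofing flag, since two MACs claimed the same IP) and an "unmanaged device" verdict for the second.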

Determining the appropriate response means taking the attack's venom into account. Besides wanting to know how many systems are affected and the location of the attack, security personnel also seek to determine the insidiousness of the attack. They will want to know if it is a random exploit or a botnet propagating through the network and reporting information back to somebody or some organization through an IRC [Internet Relay Chat] channel. Something like that is much more impactful.

While corporate security groups chase down incursions when they happen, they've tried to become more proactive, looking for and fixing weak spots before attacks occur with the help of vulnerability management tools. Like intrusion-detection sensors and firewalls, these tools may feed into security information and event management systems and configuration engines. Many organizations scan for vulnerabilities on a regular basis, allowing security personnel to determine which systems are vulnerable to attack and patch accordingly.

Because cybercriminals are becoming smarter and more sophisticated in their operations, they are real threats to your personal security and privacy. Your money, your computer, your family, and your business are all at risk.

These cybercriminals leave you with three choices:

1. Do nothing and hope their attacks, risks, and threats don’t occur on your computer.

2. Do research and get training to protect yourself, your family, and your business.

3. Get professional help to lock down your system from all their attacks, risks, and threats.

Remember: When you say "No!" to hackers and spyware, everyone wins! When you don't, we all lose!

© MMVII, Etienne A. Gibbs, MSW, The Internet Safety Advocate and Educator