LinuxSecurity.com
The central voice for Linux and Open Source security news
Intrusion Detection
We have thousands of posts on a wide variety of open source and security topics, conveniently organized for searching or just browsing.



Detect Insider Threats With Linux Auditing  23 October 2008 
Source: Linux.com - Posted by Bill Keys   
Organizations of all sizes need to mitigate the risk of insider threats. Misconduct by authorized users represents a grave threat to an organization. According to the 2005 Computer Security Institute and Federal Bureau of Investigation Computer Crime and Security Survey, organizations reported that computer intrusions from inside sources accounted for nearly half of all incidents. You can secure your network perimeter with intrusion detection systems, firewalls, and virus scanners, but don't neglect to monitor authorized users. The Linux Audit daemon can help you detect violations of your security policies. This article looks at the Linux Audit daemon. Do you use this Linux security tool? If so, what do you think about it?

ProcL - Detect Hidden Processes  11 August 2008 
Source: scanit - Posted by Bill Keys   
Rootkits can be difficult to detect, especially when they are running in the kernel, and are therefore more difficult to prevent against. Because they run in the kernel, they can alter functions used by all applications running on the system, including antivirus, anti-spyware, anti-rootkit tools, etc. Whatever changes anti-rootkit tools or rootkit detectors make to prevent against a rootkit can simply be unblocked by a better rootkit. The same powers are available to infectors and preventers. This does not mean that all is lost for preventers, but one thing always has to be kept in mind by detectors/preventers: what works today may not work tomorrow. Detecting rootkits can be a challenge, but this article looks at a tool called ProcL. Do you use any other tools for finding hidden processes?

When Snort is Not Enough  10 June 2008 
Source: Search Security Channel - Posted by Bill Keys   
Once alert generation (intrusion detection) mode is enabled, the matter becomes complicated. Snort is no longer rendering or logging -- it has become a Traffic Intelligence System (TIS), as described in the last Snort Report. A TIS is valuable if it's trusted. Trust comes from being able to understand how a tool came to a certain conclusion. For example, if Snort reports seeing Attack X, you want to know how Snort made that judgment. This article brings up some good points about intrusion detection. What do you feel is the state of intrusion detection software like Snort? Are they effective enough to implement on your network?

Four Good Choices for Your Next IDS  19 March 2008 
Source: Enterprise Networking Planet - Posted by Eckie Silapaswang   
If you have only a single computer, then it's possible for you to spend your days giving it careful manual scrutiny for mischiefs and problems. Perhaps not entirely desirable, but possible. But in the real world we need good tools to monitor and warn us of mischiefs, so we can actually go outside and have a life every so often. Intrusion detection is one of those gnarly jobs that can make you paranoid and nervous — it seems the more you study it, the more difficult, scary, and unreliable it appears.

PSAD? Check. Snort? Check. Be sure to check out this article for a quick overview of IDS tools, then check out our HOWTOs to see example implementations!

Tools Fight Forensics  20 March 2007 
A breadth of anti-forensics tools -- most of them free -- is making it easier for the bad guys to cover their tracks in malware and data theft attacks.

"The bottom line is most criminals are not the brightest bolts in the box and they tend to make mistakes, which forensics has been able to use to its advantage," says Paul Henry, vice president of technology evangelism for Secure Computing. Henry will discuss the increasingly popular anti-forensics tools at a session at InfoSec World in Orlando this week. "But a smarter individual can [today] easily find tools to cover his tracks."

Honeypots and User-Mode-Linux (UML)  27 February 2007 
Source: Technet.com - Posted by Benjamin D. Thomas   
In technical terms, a honeypot performs a function very similar to that of a "honeypot" in the outside world: a sweet lure. A "honeypot" is a system designed with the purpose of attracting the attention of prospective attackers, to assess how they are attempting to infiltrate the machine and what they are doing once they gain access. There are literally thousands of honeypot networks and systems set up by security professionals and hobbyists worldwide. These systems can provide a wealth of information for forensics and for assessing trends in network intrusion.

Snort Bug is Nothing to Sniff at  20 February 2007 
Source: TheRegister - Posted by Bill Keys   
Snort and Sourcefire users are urged to update their intrusion detection software following the discovery of a potentially serious security vulnerability. A stack-based buffer overflow security bug in the preprocessor handling DCE/RPC traffic means hackers could inject hostile code onto systems running the popular open source Snort package and its commercial equivalent, Sourcefire. Snort versions 2.6.1, 2.6.1.1, 2.6.1.2 and Snort 2.7.0 beta 1 are all vulnerable to the bug.

Honeynets: Trapping attackers and naming names  29 January 2007 
Source: ITworld.com - Posted by Benjamin D. Thomas   
The Web Honeynet Project, an independent group of Honeynet researchers from Securiteam and the ITOSF, has decided to launch web application honeynets with a new twist. The twist is that they plan to name not only the attack details, as is usual, but also to divulge the IP addresses and other tracking information about the attackers themselves.

The Snort Top 10  29 December 2006 
Source: Sans.org - Posted by Benjamin D. Thomas   
I am frequently asked questions; many of the questions are the same things over and over again, and I always see the same mistakes being made when setting it up. So, I've compiled a list of the top ten mistakes and commonly misconfigured or overlooked things when configuring everyone's favorite IDS.

New and Improved Honeynet Tools availability  29 November 2006 
Source: SANS - Posted by Benjamin D. Thomas   
While the Storm Center handlers make an effort in the timely reporting and dissemination of information regarding malware and distributed threats as they occur, to keep our readers in tune with the beat of things, we can't *always* be at the cutting edge. If you have the capability of deploying new tools and infrastructure, you might consider extending your efforts to grow your organization's insight and visibility into the nefarious workings of the net. Provided you choose to do so, or already have such efforts underway, I suggest sharing with us any significant findings!

(c)Copyright 2008 Guardian Digital, Inc. All rights reserved.