Intrusion Detection Provides A Pound Of Prevention

Once we are this deep into the organization's networks, our target machines are no match for our wry wit and charm. Seriously, after having collected so much information about the organization's networks, systems and users, our target's security seems feeble and much too dependent on the outlying security structure. We now provide a demonstration to the client along with full and detailed reports of our activities, thereby concluding the exercise.

Take Two

Another possible scenario, though we have yet to encounter it, is failure to break through any of the Internet connections. If this were to happen, we would begin a systematic dial-up attack to scan the telephone exchanges used by the organization. This would succeed even if the company has implemented an advanced dial-up security system. As all seasoned network professionals know, there's always at least one employee who decides to set up his or her own remote access to a desktop machine using Symantec Corp.'s pcANYWHERE or a similar product without a password.

Note that during the early stages of the attack, we work exclusively at night. This strategy gives us the advantage of being alone on the network and lowers the risk of detection. It also gives us the time needed to clean up evidence of our activities before the network administrators come in for their morning coffee and routine check of the system logs.

Network Intrusion Detection

Knowing that the risk of such an attack is real, you're probably wondering how you can tell if this is happening on your network, and how you can stop it. Let's deal with detecting the intrusion first.

People always ask us how an attack would look from a systems/network administrator's standpoint. We answer that question with questions. What type of monitoring and logging are you using? How much of it is actually turned on? Where do you store the logs? How do you protect them from modification? Which firewalls, terminal servers and internal machines are logging events? How often do you review the logs? Do you have tools to reduce the "signal-to-noise" ratio? Do you have an alarm mechanism? All of these factors, and more, will dictate how much of an attack you can detect and how fast.

Many organizations concentrate their intrusion detection efforts on their firewalls and ignore internal machines and dial-up lines. This is a mistake. Many firewalls are configured to log direct attacks against the firewall and don't highlight unusual activity coming from a trusted external machine, such as a Web server or DNS server. Additionally, attackers may not bother with your Internet connections. They may go straight for the dial-ups or come in from a business partner network connection. Your firewall can't log something it didn't see, right?

Some people will tell you that all you have to do is monitor your network perimeter--firewalls, dial-ups, business partner network connections, and so on--and you'll be fine. This kind of thinking assumes that you know what your "perimeter" is at any given time. Remember our employee with the desktop dial-up? It also ignores the threat from malicious employees or contractors on your internal network.

We recommend that you focus your efforts across the board. It's important to monitor your network perimeter; however, you should also enforce security monitoring on internal machines. We have found that many organizations ignore the internal component of intrusion detection, much to their chagrin.

Network Intrusion Prevention

It's difficult to decide how to go about securing a large network and influencing an even larger number of users to practice good network security. Most people have a reactionary mind-set. Wait until something happens, then panic. For example, at the conclusion of these penetration tests, we provide a briefing to the senior management team at the client. The usual knee-jerk reaction is to shut down the Internet connections, pending the purchase of (better) security software.

What do we recommend? You might think that our advice, as advanced system hackers, would be of a technical nature. Do we suggest something along the lines of an advanced cryptographic system, smartcards, biometric authentication and the like? Nope. We recommend that our clients start with the basics--build a strong foundation that can realistically improve security without wasting resources on ineffective security measures. There are so many simple things that an organization can do that get overlooked. Start simple.

The most often overlooked problem is that there must be an overall plan to address the many components that make up security. A risk assessment should be performed to determine the acceptable risk level to the organization. The results of the risk assessment will then drive the tone and rigor of a set of security policies, procedures and guidelines that tell people what they should do and how to manage information assets. Finally, a security architecture can be drafted to give direction as to which products and tools will be required to enforce the security policy.

Just buying security software and distributing it to systems administrators is a waste of time and money. They'll get the software and not really be sure how to configure and manage it. And without understanding your risk, you'll never know when enough is enough.

This type of program is a long-term investment. It doesn't give instant results and there's no point where you can say "we're secure." Nothing will do that. There is no such thing as 100 percent secure. However, what it will do is gradually but surely improve security over time, giving you the peace of mind you're seeking. At the heart of any secure network should be a well-thought-out security policy. Otherwise, your network security will amount to some cheap trick, just smoke and mirrors.
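The log-review questions in the Network Intrusion Detection section above (which machines log, how the logs are protected from modification, how the signal-to-noise ratio is reduced, what raises an alarm) can be made concrete with a small script. The following is an added example written for this page; it is not code from the original article or its authors. The syslog-style line layout, the host names (fw1, ts1, dns1, fs2), the off-hours window, the set of "trusted external" DMZ hosts and the sample records are all constructed assumptions. It does two things: a reduction pass that drops routine firewall allows and surfaces the activity the article calls out (off-hours logins and dial-up connects on a terminal server, logins on an internal host originating from a DMZ machine such as a DNS server, and a cleared log), and a tamper-evident hash chain so that a morning review can tell whether the records were edited or trimmed overnight, provided the digests were shipped to a host the logging box cannot write to.

```python
"""Added example: log reduction plus a tamper-evident hash chain over
syslog-style records from a firewall, a terminal server and internal hosts.
Format, host names, rules and sample lines are constructed assumptions."""
import hashlib
import re
from dataclasses import dataclass
from datetime import datetime

# Constructed sample records in an assumed "<date> <time> <host> <source>: <event> ..." layout.
SAMPLE_LOG = """\
1997-08-07 09:12:04 fw1 firewall: allow tcp 10.0.0.12 -> 198.51.100.7:80
1997-08-07 09:15:31 fw1 firewall: allow tcp 10.0.0.44 -> 198.51.100.7:80
1997-08-07 23:41:09 ts1 terminal-server: dialup connect line=4 caller=unknown
1997-08-07 23:43:52 ts1 terminal-server: login ok user=jsmith line=4
1997-08-07 23:52:17 dns1 sshd: login ok user=root from=192.0.2.5
1997-08-08 00:04:40 fs2 sshd: login ok user=root from=dns1
1997-08-08 02:10:03 fs2 syslog: log cleared by root
1997-08-08 08:30:11 fs2 sshd: login ok user=alice from=10.0.0.12
"""

LINE_RE = re.compile(r"^(\S+ \S+) (\S+) ([^:]+): (.*)$")
DMZ_HOSTS = {"www1", "dns1"}  # assumed "trusted external" machines the firewall lets through


@dataclass
class Event:
    ts: datetime
    host: str
    source: str
    message: str


def parse_log(text):
    """Parse the assumed line layout; malformed lines are skipped, not trusted."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, host, source, msg = m.groups()
        events.append(Event(datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), host, source, msg))
    return events


def is_off_hours(ts):
    """Assumed quiet window: 22:00 to 06:00, when the article says attackers prefer to work."""
    return ts.hour >= 22 or ts.hour < 6


def field(msg, key):
    """Pull a key=value token out of an event message, or None if absent."""
    m = re.search(rf"\b{key}=(\S+)", msg)
    return m.group(1) if m else None


def reduce_noise(events):
    """Return (alert text, event) pairs; routine traffic such as firewall allows produces nothing."""
    alerts = []
    for e in events:
        verb = e.message.split()[0]
        user, src = field(e.message, "user"), field(e.message, "from")
        if verb == "login" and is_off_hours(e.ts):
            alerts.append((f"off-hours login on {e.host} by {user}", e))
        if verb == "login" and src in DMZ_HOSTS:
            alerts.append((f"login on internal host {e.host} from DMZ host {src}", e))
        if verb == "login" and user == "root":
            alerts.append((f"direct root login on {e.host} from {src}", e))
        if e.source == "terminal-server" and verb == "dialup" and is_off_hours(e.ts):
            alerts.append((f"off-hours dial-up connect on {e.host}", e))
        if "log cleared" in e.message:
            alerts.append((f"log cleared on {e.host}", e))
    return alerts


def chain_hashes(lines, seed=b"log-chain-seed"):
    """Tamper-evident chain: each digest covers the previous digest plus the record.
    Keep the digests (at least the last one) on a host the logging machine cannot write to."""
    digests, prev = [], hashlib.sha256(seed).digest()
    for line in lines:
        prev = hashlib.sha256(prev + line.encode()).digest()
        digests.append(prev.hex())
    return digests


def verify_chain(lines, digests, seed=b"log-chain-seed"):
    """Index of the first record that was modified, deleted or appended; None if intact."""
    recomputed = chain_hashes(lines, seed)
    for i, (a, b) in enumerate(zip(recomputed, digests)):
        if a != b:
            return i
    return None if len(recomputed) == len(digests) else min(len(recomputed), len(digests))


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    stored = chain_hashes(lines)  # digests taken at collection time, kept off-box
    for text, e in reduce_noise(parse_log(SAMPLE_LOG)):
        print(f"ALERT {e.ts:%Y-%m-%d %H:%M} {text}")
    trimmed = lines[:6] + lines[7:]  # the "log cleared" record removed after the fact
    print("first tampered record:", verify_chain(trimmed, stored))
```

The reduction rules are deliberately few; the point is that each one maps to a question in the article (internal hosts logging, trusted DMZ machines, dial-ups, off-hours activity), and that the chain makes a quietly edited log visible at the next review even when the entries themselves look ordinary.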
Mark Abene is an independent security consultant. Steven Lutz is an information security consultant at Ernst & Young LLP.
Mark Abene can be reached at phiber@phiber.com. Steven Lutz can be reached at steven.lutz@ey.com. Gerald L. Kovacich can be reached at kovacich11@home.com.

Updated August 8, 1997