
5 Steps to Enterprise Security - Step 4: Response

Jim Rapoza

"Hey, did you know that the home page on your Web site says, 'Hacked by Chinese'?"

Getting an e-mail or a phone call to this effect is not how you want to find out that something has gone wrong with your Web server, but this is exactly how many site administrators were informed that their systems had been infected with the Code Red worm. These administrators then had to deal with the question, "What do I do now?"

Answering this question, and the many that will follow it, is the focus of Part 4 of eWeek Labs' special series, 5 Steps to Enterprise Security. Responding to security breaches involves not only stopping attacks but also learning from the experience to prevent future attacks.

The technical steps required in response to an attack via worm, virus or dedicated cracker exploit will be essentially the same, no matter what the business or what the purpose of the attacked system is. Although it seems logical to react more aggressively to infection of mission-critical systems, such as databases or e-commerce systems, a seemingly innocuous system is just as critical, either as a host for more infections or as a launching site for hacker attacks on more vital systems.


Nontechnical responses to attacks will differ depending on the type of business. Government agencies, for example, will respond in a different way than private companies, which will respond differently than universities.

In any case, the following steps are essential in responding to an attack.

Stop It

An infected system needs to be taken off the Internet immediately to prevent the spread of a malicious program.

Say you've just received an e-mail alerting you to a problem, or perhaps your IDS (intrusion detection system) detected a potential attack, or maybe you found unexplained files on a system. You may be tempted to leave the system up and running and connected while you fix it, but you must resist this temptation—even if it means losing revenue. If it's your company's Web site or another critical server, there is (or there should be) a backup procedure in place.

If you've been hit by a worm or cracker, every second the system stays connected is time that it could be infecting other systems in your network or possibly attacking systems at other companies. You don't want to become part of someone else's response strategy—they might not be as nice as you are.

This doesn't mean, however, that you have to shut down systems you're suspicious of; disconnecting them from the network will be enough.

Learn From It

You eventually have to clean up an infected system, but not before finding out how the system was compromised.

Some worms, such as Code Red, are immediately obvious because they cause telltale Web defacements. However, other worms aren't as overt, and if a cracker has commandeered the system, it can be almost impossible to find out how.

An IDS can detect some illegal use of company systems, but crackers and worms can also hide in standard network traffic and on standard ports. Still, there are several steps that can be taken to find out what happened.

On Windows servers, a virus scanner may be able to find worms or Trojan backdoor programs. Administrators should look for new user accounts and new files (such as in the scripts directory or any number of Common Gateway Interface programs). Warez directories in your Web or FTP server are also a dead giveaway that your system has become someone's playground.

System and application log files are a big help in detecting what happened. These files detail changes and let you know when these changes happened.

System snapshot tools such as Tripwire Inc.'s Tripwire (.com) can be very helpful. Using these tools, administrators can take regular snapshots of system files and settings and can then easily see any changes that have been made to the system.

Collecting a combination of these system changes and entering the information on the search pages at sites such as .org, .org and .com will often point you to the exact exploit that was used on your system or the hole that was abused.

Eradicate It

After you've figured out how a system was compromised, you need to eradicate worms or exploit programs and possibly even wipe the system clean.

Some worms can be removed by simply deleting a single file, but others, including Nimda, infect a large number of files on a system. A cracker looking to do as much harm as possible has probably loaded several backdoor programs, created and changed user accounts, and created new holes.

On Windows servers, an updated virus scanner will probably detect any worm or backdoor programs. For Unix and Linux systems, the security sites mentioned above offer details on how to clean systems.

However, it's almost impossible to ever feel good about a system that was cracked or infected by a worm. The best course of action is often to wipe the system and reinstall the operating system and applications. Besides being sure that there aren't any potential problems left behind, you can also implement stronger security from the ground up.

Use of disk-imaging tools such as Symantec Corp.'s Norton Ghost can be helpful when restoring systems to default configurations or for backing up systems. However, it is especially important to make sure that the images themselves are free from security problems and are fully patched, or poorly secured systems could continue to pop up down the road.

Fix It

The next step is to make sure that a problem doesn't recur—patches must be applied or workarounds implemented to prevent future attacks. Following the steps from Prevention, Part 2 of this series, is a good start. (See story at .com/links.)

However, it's important to remember that patches and workarounds are not cure-alls. A system in eWeek Labs that was infected by Code Red had been properly patched, but subsequent installation of an application on that system negated the patch.

This is a good time to increase the overall security level of your systems. In addition to adding patches, remove all unused applications and extensions, and add additional layers of security, such as firewalls or trusted operating system programs such as Argus Systems Group Inc.'s PitBull (.com).

Free programs such as Microsoft Corp.'s HFNetChk (. com/support/kb/articles/Q303/2/), the Center for Internet Security's security benchmarks (www. ) and the Bastille Linux hardening scripts (.org) will either find potential holes, suggest improved security measures or actually configure systems to be more secure.

For new security problems—especially for people and organizations unlucky enough to be the first affected by them—there will be no patch available. In these cases, a workaround will probably be available from security sites, but it may also be necessary to disable an application or service until the problem is addressed.

You should also consider changing the IP address of a compromised server, especially if it was used for warez or if its IP address has been passed around or added to lists used by script kiddies. In these cases, systems might be probed constantly, which—at the very least—will affect performance. Also keep in mind that worms and crackers rarely hit just one system. You must check every system on your network to see if they have been affected by the worm or intruder.

React to It

Perhaps the most difficult part of the response process is dealing with the nontechnical issues that come up after an intrusion—specifically, how to deal with the attackers, internal management and interested external agencies.

IT administrators' first response after an attack is often anger and frustration. The desire to strike back at attackers can be very strong.

There are programs that will launch denial-of-service attacks against attacking IP addresses, and honeypots have been used to entice crackers and then trap them. However, these kinds of retaliation or entrapment are a bad idea. For one thing, the odds are high that the IP address you're responding to is a zombie system, meaning that you are attacking another victim. At that point, you could be considered a malicious cracker and could be subject to legal action. And honeypots are best left to security experts and legal authorities, who are better equipped to deal with an angry cracker.

Every IT department should have a written policy on how intrusions are handled and who should be notified, from department heads to management to the legal department to law enforcement agencies—specifically, the FBI. This is especially important during this time of heightened risk.

Of course, many businesses may want or need to take legal action of their own. IDS programs and log files will usually provide the IP address of attackers, and standard tools such as traceroute and Whois make it possible to find out who is running that IP address.

However, this is a very gray area legally because the systems launching the attacks are likely zombies. While legal action may be necessary in cases where attacks are severe and the owners refuse to address security issues, in most cases the best and most effective response is an e-mail to system administrators alerting them that there is a potential problem. This is probably the response that you would appreciate in cases where your own systems are turned against others.

This doesn't mean that there is nothing that can be done to fight back. At eWeek Labs, our favorite response is to run the free LaBrea application, which actually traps worms at virtual IP addresses and prevents them from spreading. (See the Labs' review of LaBrea at .com/links.) We expect LaBrea and proactive tools like it will become more common as the security community looks for ways to stop the spread of worms.

However, the best way to fight against crackers and worms is to practice good security. Life as a cracker or a worm becomes a lot more difficult once security administrators start closing all the open doors in their systems.

East Coast Technical Director Jim Rapoza can be reached at .
