Guidelines for would-be corporate vigilantes
Guidelines for would-be corporate vigilantes
By - Winn Schwartau
Network World, 01/11/99

There are many ways to detect break-ins and a variety of options on how to
proceed once you do. Here's a collection of insights from dozens of users,
analysts and vendors on the techniques that work best. 

Use quality detection systems. You want to detect miscreant insider
behavior as well as external hacking.  Host-based auditing, network
behavior statistics and traffic analysis are all good sources of
security-related data that can alert you to abnormalities that may
indicate a security incident. Keep in mind that intrusion detection
systems (IDS) are all a little different. Some excel in NT, others in Unix
or Novell, and some pick up anomalies and events that others don't. It's a
good idea to use more than one IDS. 

Determine your first course of action once you detect an incident. Many
people suggest isolating the source into a specific, noncritical part of
your network. Others say cutting off the source of the attack is all they
want to do. Your reaction should reflect your corporate security policy.

Let your legal department know what's going on. If you ever have to get
law enforcement authorities involved, you want to ensure you've taken the
right steps. If your in-house counsel doesn't know how to proceed,
strongly suggest he get advice from an experienced cyberattorney.

Collect all systems logs from firewalls, routers and servers so you can
identify what tools the attacker used and which of your vulnerabilities
were exploited if you cut off the attack. Act upon this knowledge and
reconfigure accordingly. 

Make sure all your auditing tools are active if you don't cut off the
attack. You may want to increase the tools' sensitivity to capture more
data points. Monitor the intruder's actions closely, so you can cut off
the attack at any time you choose. 

Consider the use of forensic tools, especially if you have an insider
hacking at your systems. Forensic tools will allow you to perform a sector
backup of the suspect's hard disk with cryptographic seals to prevent
tampering and assist in maintaining a quality chain of evidence. In
addition, you may need to search the suspect's hard disk and floppies
(including Zip drives and the like) for erased files and other hidden
attributes.  Don't forget to involve human resources personnel; they can
keep you out of a heap of trouble. 

[Exactly what point does a corporate security officer have
access to an attackers hard disk and floppies? Remember, this is 
guidelines for CORPORATE types, not law enforcement.]

Attempt to trace the source of the attack. This is not easy, and often
involves a lot of people with different organizations. Know whom to call
at your ISP in the event of a breach. Be able to reach your contact 24-7
in case of an after-hours attack. ISPs coordinate with each other in many
cases, and if you plan for the eventuality, you will be ahead of the game
and able to react much faster. 

Have a game plan, especially if you call in law enforcement, which is more
restricted in its ability and legal right to gather evidence than your
company. Get legal advice regarding proper investigative techniques and
evidence gathering so they will hold up in court.  Recognize that
investigative procedures and techniques can be disrupting, causing
downtime and a drain in manpower. 

Strike back if you choose, but only with adequate legal counsel. There is
a range of actions you can take - some more offensive than others. 

Prepare for the acts of man as much as for acts of God. Your disaster
recovery people can handle floods, earthquakes and tornadoes. But can they
handle a hacker?