Tuesday, March 28, 2006

Is your Network Security and User Access in the Right Balance?

The whole point of networking is to share resources, but letting others reach a computer also opens a window for those with bad intentions. In the early days networks were fairly secure because they were closed systems: to do any harm you needed physical access to a server wired to the LAN. Remote access and Internet connectivity changed that. Broader availability and lower cost of broadband (DSL and cable) connections mean that even home computers stay connected to the Internet round the clock, which gives attackers many more opportunities to reach them.

Computer operating systems were originally designed for stand-alone machines, not networked ones, and security was not a concern. When networking arrived, applications and operating systems concentrated on easy accessibility rather than security. Because of that earlier focus, security is now being retrofitted onto a lot of systems. Modern operating systems such as Windows XP are designed with security in mind, but they still have to operate over conventional networking protocols, which can result in security problems.

Security versus access. Users want easy access to network resources; administrators want to keep the network secure. The two goals are at odds, because access and security sit at opposite ends of the same scale: the more you have of one, the less you have of the other.

For business networks, the key is to strike a balance so that employees are not hampered by security measures, while maintaining a level of protection that keeps unauthorized individuals out.

Internal security threats come from within the organization, as opposed to through the Internet. They include employees who deliberately try to steal data or introduce viruses or attacks onto the network. Other internal threats come from non-employees (contract workers, janitorial services and people posing as utility company staff) who have physical access to LAN computers. Many internal threats, however, are unintentional: employees install or use their own software or hardware for private purposes, unaware that it puts their computer and the whole network at risk.

External security threats come from outside the LAN, typically from the Internet. These are the ones we usually think of when we talk about hackers and network attacks. Such attackers exploit flaws and features of operating systems and applications, and take advantage of how various network protocols work, to do a range of things, including:

* enter a system and access (read, copy, change or delete) its data;

* bring a system down and damage or destroy operating system and application files so they no longer work;

* install viruses and worms that spread to other systems across the LAN;

* use the compromised system to launch attacks against other systems or networks.

Thursday, March 23, 2006

"Network Security" -Compliance

Industries such as health care and financial services are required to comply with acts such as HIPAA and SOX. These acts impose stringent rules on every aspect of the enterprise, including physical access to information. (This section concentrates on the software requirements of the acts.) A number of vendors offer compliance as a service; whether you handle compliance yourself or employ a third party to ensure it is your call.


HIPAA Compliance:
HIPAA defines security standards for monitoring and auditing system activity. The regulations call for review of all logs, including OS and application logs, from perimeter devices such as IDSs as well as records of insider activity. Here are some of the important reports that need to be in place:

1. User Logon report: HIPAA (164.308(a)(5) - log-in monitoring) requires that user access to systems be recorded and monitored for possible abuse. The intent is not just to catch hackers but also to document access to medical records by legitimate users. In most cases, the very fact that access is recorded is deterrent enough, much like a surveillance camera in a parking lot.

2. User Logoff report: the companion to the logon report. Together they document when each session began and ended, which is what an investigator needs to tie a given access to a user.

3. Logon Failure report: the security log records every unsuccessful login attempt; this report lists the user name, date and time of each.

4. Audit Logs access report: HIPAA (164.308(a)(1)(ii)(D) - information system activity review) calls for procedures to regularly review records of information system activity such as audit logs.

5. Security Log Archiving Utility: periodically the administrator should be able to back up encrypted copies of the log data and restart the logs.


SOX Compliance:
Sarbanes-Oxley requires the collection, retention and review of audit trail log data from all sources under section 404's IT process controls. These logs form the basis of the internal controls that give corporations assurance that financial and business information is accurate. Here are some of the important reports to look for:

1. User Logon report: SOX (Sec 302(a)(4)(C) and (D) - log-in/log-out monitoring) requires that user access to systems be recorded and monitored for possible abuse. The intent is not just to catch hackers but also to document access to financial systems by legitimate users; the fact that access is recorded is itself a deterrent.

2. User Logoff report: the companion to the logon report, so that the start and end of each session is on record.

3. Logon Failure report: the security log records every unsuccessful login attempt; this report lists the user name, date and time of each.

4. Audit Logs access report: SOX (Sec 302(a)(4)(C) and (D) - review and audit access logs) calls for procedures to regularly review records of information system activity such as audit logs.

5. Security Log Archiving Utility: periodically the administrator should be able to back up encrypted copies of the log data and restart the logs.

6. Track account management changes: significant changes in internal controls (sec 302(a)(6)), such as adding a user account to or removing it from an administrative group, can be tracked by analyzing the security event logs.

7. Track audit policy changes: supports internal controls (sec 302(a)(5)) by watching the event logs for any change to the security audit policy, since a change there affects every report that follows.

8. Track individual user actions: supports internal controls (sec 302(a)(5)) by auditing user activity.

9. Track application access: supports internal controls (sec 302(a)(5)) by tracking application process activity.

10. Track directory / file access: supports internal controls (sec 302(a)(5)) by recording any access violation on directories and files.

GLBA Compliance:
The Financial Services Modernization Act (FMA99) was signed into law in November 1999 (PL 106-102). Commonly referred to as the Gramm-Leach-Bliley Act or GLBA, Title V of the Act governs the steps that financial institutions and financial service companies must take to ensure the security and confidentiality of customer information. The Act recognizes that financial services companies routinely collect Non-Public Personal Information (NPI) from individuals, and requires them to notify those individuals when sharing that information outside the company (or affiliate structure) and, in some cases, when using it for purposes not related to a specific financial transaction.

1. User Logon report: GLBA requires that user access to systems be recorded and monitored for possible abuse. The intent is not just to catch hackers but also to document access to customer information by legitimate users; the fact that access is recorded is itself a deterrent, much like a surveillance camera in a parking lot.

2. User Logoff report: the companion to the logon report, so that the start and end of each session is on record.

3. Logon Failure report: the security log records every unsuccessful login attempt; this report lists the user name, date and time of each.

4. Audit Logs access report: GLBA (review and audit access logs) calls for procedures to regularly review records of information system activity such as audit logs.

5. Security Log Archiving Utility: periodically the administrator should be able to back up encrypted copies of the log data and restart the logs.

Saturday, March 18, 2006

"Network Security" -Forensics

The most important feature to look for when short-listing a network security forensics product is the ability to archive the raw records. This matters a great deal where acts and laws are concerned: in a court of law the original record has to be produced as evidence, not the vendor's custom format.

The next thing to look for is the ability to create alerts, i.e. to be notified whenever some condition occurs: "mail me after 3 unsuccessful login attempts", or better still "notify me if a virus attack comes from the same host more than once". This removes a lot of the manual effort of keeping the network secure. The ability to schedule reports is also a big plus; you do not have to check the reports daily. Once you have done the ground work of configuring some basic alerts and scheduled reports, it should be a cakewalk from then on: all you need to do is go through the alerts and reports that arrive in your inbox. Weekly reports are a reasonable default, so that it is never too late to react to a developing threat. Finally, a comprehensive list of reports is a vital feature. Here is a list of reports that might come in handy for any enterprise:
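The reports listed under the compliance section above and the alert rules described in this paragraph (three failed logins, a repeated virus hit from one host) amount to a small log-analysis loop. The following is an added example written for this page, not code from any analyzer product: it parses a constructed, simplified Windows Security log export and constructed gateway antivirus syslog lines (both formats and all sample lines are assumptions made for the example, not real vendor output), keeps the raw line with every parsed record so the original can be produced later, builds the per-kind reports, and evaluates the alert rules.

```python
"""Minimal log monitor: parse constructed Windows Security events and gateway
antivirus syslog lines, build the compliance-style reports (logon, logoff,
failure, group and audit-policy changes) and evaluate the alert rules discussed
above. Added example for this page; not any vendor's product code."""
import re
from collections import Counter, defaultdict

# Constructed sample of a Windows 2003-era Security log, exported as a
# simplified tab-separated dump (timestamp, event id, user, host) assumed
# for this example. Event ids: 528 logon, 529 failed logon, 538 logoff,
# 612 audit policy change, 636 member added to a local group.
WIN_EVENTS = """\
2006-03-21 08:02:11\t528\tjdoe\tWS-12
2006-03-21 08:15:40\t529\tadmin\tWS-40
2006-03-21 08:15:52\t529\tadmin\tWS-40
2006-03-21 08:16:07\t529\tadmin\tWS-40
2006-03-21 08:30:00\t636\tjdoe\tDC-1
2006-03-21 09:01:30\t612\tadmin\tDC-1
2006-03-21 17:05:19\t538\tjdoe\tWS-12
"""

# Constructed antivirus lines from a gateway firewall's syslog (format assumed).
EDGE_EVENTS = """\
Mar 21 10:11:02 fw1 av: virus W32/Sample detected src=10.1.2.3 action=blocked
Mar 21 10:15:44 fw1 av: virus W32/Sample detected src=10.1.2.3 action=blocked
Mar 21 11:00:00 fw1 av: virus W32/Other detected src=10.1.9.9 action=blocked
"""

EVENT_KIND = {528: "logon", 529: "logon_failure", 538: "logoff",
              612: "audit_policy_change", 636: "group_member_added"}

AV_RE = re.compile(r"virus (?P<name>\S+) detected src=(?P<src>[\d.]+)")


def parse_windows(text):
    """One dict per event; the raw line is kept because the original record,
    not a reformatted one, is what has to be produced as evidence."""
    events = []
    for line in text.splitlines():
        ts, eid, user, host = line.split("\t")
        events.append({"time": ts, "id": int(eid),
                       "kind": EVENT_KIND.get(int(eid), "other"),
                       "user": user, "host": host, "raw": line})
    return events


def parse_edge(text):
    """Virus detections from the gateway log, with source host and raw line."""
    hits = []
    for line in text.splitlines():
        m = AV_RE.search(line)
        if m:
            hits.append({"src": m.group("src"), "virus": m.group("name"),
                         "raw": line})
    return hits


def compliance_reports(events):
    """Group events into the per-kind reports the compliance acts ask for."""
    reports = defaultdict(list)
    for e in events:
        reports[e["kind"]].append(e)
    return reports


def alerts(events, hits, failure_threshold=3):
    """The alert rules from the text: N failed logons for one user, a virus
    from the same host more than once, plus any change to groups or audit
    policy (those are always worth a look)."""
    out = []
    fails = Counter(e["user"] for e in events if e["kind"] == "logon_failure")
    for user, n in sorted(fails.items()):
        if n >= failure_threshold:
            out.append(f"{n} failed logons for user {user}")
    by_src = Counter(h["src"] for h in hits)
    for src, n in sorted(by_src.items()):
        if n > 1:
            out.append(f"{n} virus detections from host {src}")
    for e in events:
        if e["kind"] in ("audit_policy_change", "group_member_added"):
            out.append(f"{e['kind']} by {e['user']} on {e['host']} at {e['time']}")
    return out


if __name__ == "__main__":
    evs = parse_windows(WIN_EVENTS)
    for kind, rows in compliance_reports(evs).items():
        print(f"{kind}: {len(rows)} event(s)")
    for a in alerts(evs, parse_edge(EDGE_EVENTS)):
        print("ALERT:", a)
```

On the sample data the monitor reports three failed logons for admin and two virus detections from 10.1.2.3, while the single hit from 10.1.9.9 stays below the "more than once" rule. Thresholds are parameters so that the same loop can be tuned per enterprise without touching the parsers.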

Reports to expect from edge devices such as a firewall:

1. Live monitoring

2. Security reports

3. Virus reports

4. Attack reports

5. Traffic reports

6. Protocol usage reports

7. Web usage reports

8. Mail usage reports

9. FTP usage reports

10. Telnet usage reports

11. VPN reports

12. Inbound/Outbound traffic reports

13. Intranet reports

14. Internet reports

15. Trend reports


Reports to expect from compliance and internal monitoring (see the compliance section for the compliance reports):

1. User Audit reports (successful/unsuccessful login attempts)

2. Audit policy changes (ex: change in privileges etc)

3. Password changes

4. Account Lockout

5. User account changes

6. IIS reports

7. DHCP reports

8. MSI reports (lists the products installed/uninstalled)

9. Group policy changes

10. RPC reports

11. DNS reports

12. Active directory reports

The gating factor in choosing a monitoring product is to verify that the devices in your network are supported by the vendor you choose. There are quite a number of products addressing this market; searching for "firewall analyzer" and "eventlog analyzer" in Google is a good start.

Sunday, March 12, 2006

"Network Security" -Monitoring

No matter how good your defenses are, someone has to make sense of the huge amount of data churned out by edge devices such as firewalls and by system logs. A typical enterprise logs about 2-3 GB a day, though the volume varies with its size. The main goal of forensic software is to mine that mass of information and pull out the events that need attention; network security software plays a major role in identifying the causes of, and the security breaches occurring in, the enterprise.

One of the major areas any network security product needs to address is a consolidated view of virus attacks across the different edge devices in the network, which gives the enterprise a holistic picture of the attacks it is facing. It should offer a detailed overview of bandwidth usage and provide user-based access reports. It has to highlight security breaches and misuse of Internet access so that the administrator can take the necessary steps. An edge-device monitoring product also has to provide traffic trends, insight for capacity planning and live traffic monitoring, which help the administrator find the causes of network congestion.

The internal monitoring product has to offer audit information on users, system security breaches and activity audit trails (for example, remote access). As most administrators are not familiar with the requirements of the compliance acts, it is better to cross-reference which acts apply to the enterprise and make sure the product supports reporting for them (see the compliance section for details). Altogether, such products need to support archiving, scheduling of reports and a comprehensive list of reports; the forensics section covers these in more detail.

Thursday, March 09, 2006

What is Network Security?

network security: the protection of a computer network and its services from unauthorized modification, destruction, or disclosure

Network security is a self-contradictory discipline: you need to give open access and at the same time provide complete security. Any enterprise has to secure two kinds of access to its information and transactions (FTP, HTTP and so on): internal access and external access. Securing access from the external world (the Internet) is quite a task to master, and that is where firewalls come in. Firewalls act as gatekeepers that separate intrusive from legitimate requests and allow only the latter through. Configuring and maintaining a firewall is itself a job that needs experience and knowledge. There are no hard and fast rules for firewall policy; it depends on where the firewall sits and how the enterprise intends to expose its information and resources. So the effectiveness of any firewall depends on how well or how badly you configure it. Many firewalls come with pre-configured rules that are intended to ease the job of securing access from external sources. In short, the firewall gives you information about attacks coming from the external world.

The toughest job is securing information from internal sources. Beyond securing it, managers need to track the flow of information so that causes can be identified later. That tracking comes in handy in legal situations, because what seems to be harmless sharing of information could be held against you in a court of law. To enforce this, acts such as HIPAA, GLBA and SOX have been put forth, to ensure that scandals like Enron's do not happen again. In short, tracking and auditing information gives you visibility of security breaches and possible internal attacks.

There are a variety of network security attacks/ breaches:

* Denial of Service

* Virus attacks

* Unauthorized Access

* Confidentiality breaches

* Destruction of information

* Data manipulation


Interestingly, all of this information is already available across the enterprise in the form of log files, but reading through it and making sense of it would take a lifetime. That is where network security monitoring software, also known as log monitoring software, comes in. It does a fine job of making sense of information spread across many locations and gives system administrators a holistic view of what is happening in their network. In short, it collects, collates, analyzes and produces reports that help the administrator keep tabs on network security.

Saturday, March 04, 2006

Wireless Network Security: How to Use Kismet

Kismet is a wireless network detector and sniffer that can give you a vast amount of information about wireless networks. Wireless security flaws are well documented but often hard for the average person to understand. I will show you how to use Kismet without even having to install Linux or compile Kismet.

First go to remote-exploit.org, download the Auditor CD image and burn it. (If you don't know how to burn an ISO image, Google it.) This Linux distribution does not install to or modify your hard drive; it boots from the CD and runs from a RAM drive (in memory).

Auditor is not only a great tool for testing wireless security with Kismet; it carries many other computer security tools as well.

Client Window

Next, to start Kismet, open the Linux equivalent of the Start menu and click Auditor, then go to Wireless / Scanning / Kismet tools / Kismet.

When you click Kismet it asks for a default location for the Kismet log files, which you can analyze later; just choose the desktop or a temp directory.

Now on to using Kismet. When Kismet opens you will see a greenish box with numbers and network names (if any are nearby) ticking away; don't be overwhelmed. (I also can't show you how to use Kismet if you don't have a supported wireless adapter; get an Orinoco Gold Classic card off eBay. Auditor Linux detects the Orinoco Gold Classic card automatically.)

The Kismet columns show each wireless network's SSID (name), type of device (access point, gateway), whether it uses encryption, an IP range and the number of packets seen. Kismet also picks up hidden networks with SSID broadcast disabled; NetStumbler will not.

Now press H to bring up the help menu, which gives the nuts and bolts of using Kismet. If you move down to the network you are auditing and press C, Kismet shows all the clients using that access point or gateway: each client's MAC address, the manufacturer of its wireless adapter, its IP address range and its traffic.

Kismet: Help Menu

To leave that screen press Q. Move down the main Kismet screen to another SSID and press I. This window shows detailed information about the network: its type (infrastructure / ad-hoc), signal strength, channel, encryption type and much more.

Kismet will also give you sound alerts when new wireless networks are discovered, when security alerts fire, or when suspicious clients are in range. Suspicious clients are people like you, running Kismet or NetStumbler. Unlike you, they could be wardrivers looking for vulnerable networks to break into.

Kismet Alert Page

You can keep wardrivers from discovering your wireless network by performing a proper site survey, which limits signal bleed into areas where it is not needed. Write down any suspicious MAC addresses and keep an eye on your access logs. If the wardrivers are really careless, just look out your window for cars with odd-looking antennas. Ha ha ha.
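The survey data Kismet displays (SSID, encryption, cloaked or not) also lands in its log files, and the triage described above (find open or WEP-only networks, note hidden ones, compare suspicious MAC addresses against your access logs) can be done offline. The following is an added example for this page, not part of Kismet: it reads a constructed sample in the shape of Kismet's semicolon-separated .csv log, using only a handful of columns whose header names are assumed here (check them against the first line of your own kismet-*.csv, as they differ between Kismet versions), ranks the findings, and checks seen MAC addresses against a hand-written watch list.

```python
"""Triage a Kismet .csv survey log: flag open and WEP-only networks and
cloaked SSIDs, and check MAC addresses seen in access logs against a watch
list of suspected wardrivers. Added example for this page, not Kismet code."""
import csv
import io

# Constructed sample in the shape of Kismet's semicolon-separated .csv log.
# Only a subset of the real columns is used and the header names are assumed
# for this example; compare them with the first line of your kismet-*.csv.
KISMET_CSV = """\
Network;NetType;ESSID;BSSID;Channel;Cloaked;Encryption;Total
1;infrastructure;CorpNet;00:11:22:33:44:55;6;No;WEP;1200
2;infrastructure;;00:AA:BB:CC:DD:EE;11;Yes;WPA;300
3;infrastructure;linksys;00:12:34:56:78:9A;6;No;None;4500
4;ad-hoc;freewifi;02:AB:CD:EF:01:23;1;No;None;20
"""

# Constructed: MACs copied from Kismet's alert screen, and MACs later seen in
# the access point's own association log.
WATCHLIST = ["00:0c:f1:11:22:33"]
SEEN_IN_ACCESS_LOG = ["00:0C:F1:11:22:33", "00:90:4B:AA:BB:CC"]

FINDING_RANK = {"no encryption": 0, "WEP only": 1}


def parse_kismet_csv(text):
    """One dict per network, keyed by the header names of the log."""
    return list(csv.DictReader(io.StringIO(text), delimiter=";"))


def classify(net):
    """open: no encryption; weak: WEP (crackable given enough traffic); ok: else."""
    enc = net["Encryption"].strip().upper()
    if enc in ("", "NONE"):
        return "open"
    if "WEP" in enc:
        return "weak"
    return "ok"


def triage(nets):
    """(BSSID, name, finding) tuples, most urgent first: open networks, then
    WEP-only ones, then hidden networks that are otherwise fine (Kismet sees
    them even though NetStumbler would not)."""
    findings = []
    for net in nets:
        label = net["ESSID"] or "<cloaked>"
        level = classify(net)
        if level == "open":
            findings.append((net["BSSID"], label, "no encryption"))
        elif level == "weak":
            findings.append((net["BSSID"], label, "WEP only"))
        elif net["Cloaked"].strip().lower() == "yes":
            findings.append((net["BSSID"], label, "hidden SSID, still visible"))
    findings.sort(key=lambda f: FINDING_RANK.get(f[2], 2))  # stable sort
    return findings


def check_watchlist(seen_macs, watchlist):
    """MACs from the access log that match the watch list, case-insensitively,
    returned in the spelling the access log used."""
    wanted = {m.lower() for m in watchlist}
    return sorted(m for m in seen_macs if m.lower() in wanted)


if __name__ == "__main__":
    for bssid, name, finding in triage(parse_kismet_csv(KISMET_CSV)):
        print(f"{bssid}  {name:<12} {finding}")
    for mac in check_watchlist(SEEN_IN_ACCESS_LOG, WATCHLIST):
        print("watch-listed client associated:", mac)
```

The sort key keeps Kismet's original order within each class, so two open networks come out in the order the survey found them. Encryption strings vary between Kismet versions ("WEP", "WEP40", "WPA", "TKIP"), which is why the check is a substring match on the upper-cased value rather than an equality test.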

Kismet is more than a tool for discovering wireless networks; used together with other tools it can help crack WEP and WPA. Many websites claim that WEP can be cracked in less than five minutes. That is only half the truth, because it can take hours, days or months to gather enough packets. Good luck, and have fun learning the more advanced uses of Kismet.