
Most systems generate security logs and audit files of activity. These files do absolutely no good if they aren’t periodically reviewed for unusual events. Many web servers provide message auditing, as do logon, system, and application servers.

94 Chapter 2: Identifying Potential Risks

The amount and volume of information these files contain can be overwhelming. You should establish a procedure to review them on a regular basis.

A rule of thumb is to never start auditing by trying to record everything because the sheer volume of the entries will make the data unusable. Approach auditing from the opposite perspective: Begin auditing only a few key things, and then expand the audits as you find you need more data.
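The "start small" rule above, as an added example that is not from the book: a review script that looks for only two key things in a batch of audit entries (repeated failed logins from one source, and privileged commands run outside business hours) and reports just those. The log lines, host names, addresses, the 5-failure threshold and the 08:00 to 17:59 business-hours window are all constructed assumptions; real syslog timestamps use a different layout, so the patterns would need adjusting for a live file.

```python
# Added example (not from the book): review a small audit extract for a few key events
# rather than everything. All log lines, hosts, addresses and thresholds are constructed.
import re
from collections import Counter
from datetime import datetime

# Constructed sample entries in a syslog-like layout (hypothetical host "srv1").
SAMPLE_LOG = """\
2024-03-04 02:11:03 srv1 sshd[812]: Failed password for invalid user admin from 203.0.113.7 port 51522 ssh2
2024-03-04 02:11:05 srv1 sshd[812]: Failed password for invalid user admin from 203.0.113.7 port 51523 ssh2
2024-03-04 02:11:08 srv1 sshd[812]: Failed password for root from 203.0.113.7 port 51524 ssh2
2024-03-04 02:11:10 srv1 sshd[812]: Failed password for root from 203.0.113.7 port 51525 ssh2
2024-03-04 02:11:12 srv1 sshd[812]: Failed password for root from 203.0.113.7 port 51526 ssh2
2024-03-04 02:12:00 srv1 sshd[812]: Failed password for root from 203.0.113.7 port 51527 ssh2
2024-03-04 09:30:41 srv1 sshd[901]: Accepted publickey for alice from 192.0.2.10 port 40211 ssh2
2024-03-04 09:31:02 srv1 sudo: alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/systemctl restart nginx
2024-03-04 14:02:17 srv1 sshd[955]: Failed password for bob from 192.0.2.11 port 40300 ssh2
2024-03-04 14:02:25 srv1 sshd[955]: Accepted password for bob from 192.0.2.11 port 40301 ssh2
2024-03-04 23:48:09 srv1 sudo: bob : TTY=pts/1 ; PWD=/home/bob ; USER=root ; COMMAND=/usr/bin/useradd -m svc_backup
"""

# Two patterns, one per "key thing" we chose to audit first.
FAILED_RE = re.compile(
    r"^(\S+ \S+) \S+ sshd\[\d+\]: Failed password for (?:invalid user )?(\S+) from (\S+)"
)
SUDO_RE = re.compile(r"^(\S+ \S+) \S+ sudo: (\S+) : .*COMMAND=(.*)$")

FAILED_LOGIN_THRESHOLD = 5          # assumed policy: 5+ failures from one source is notable
BUSINESS_HOURS = range(8, 18)       # assumed policy: 08:00-17:59 local time


def review_log(text: str, threshold: int = FAILED_LOGIN_THRESHOLD) -> dict:
    """Return the sources exceeding the failed-login threshold and any after-hours sudo use."""
    failures = Counter()
    after_hours_sudo = []
    for line in text.splitlines():
        m = FAILED_RE.match(line)
        if m:
            failures[m.group(3)] += 1       # count by source address
            continue
        m = SUDO_RE.match(line)
        if m:
            ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
            if ts.hour not in BUSINESS_HOURS:
                after_hours_sudo.append((m.group(2), m.group(3)))
    return {
        "brute_force_sources": {ip: n for ip, n in failures.items() if n >= threshold},
        "after_hours_sudo": after_hours_sudo,
    }


if __name__ == "__main__":
    for key, value in review_log(SAMPLE_LOG).items():
        print(key, value)
```

Once these two checks are routine, more patterns can be added one at a time, which is the expansion the text recommends; starting with every event type would bury the six failures from 203.0.113.7 and the late-night account creation in noise.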

Audit files and security logs may also be susceptible to access or modification attacks. The files often contain critical system information, including resource sharing, security status, and so on. An attacker may be able to use this information to gather more detailed data about your network.

In an access attack, these files can be deleted, modified, and scrambled to prevent system administrators from knowing what happened in the system. A logic bomb could, for example, delete these files when it completes. Administrators might know that something happened, but they would get no clues or assistance from the log and audit files.
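One defence against the modification and deletion described above, as an added example that is not from the book: a hash-chained audit log, where each entry's hash covers the previous hash plus the entry text. Editing, deleting or reordering an entry breaks every hash after it, and removing entries from the end is caught by comparing the final hash with a copy kept off the host. The seed value, the sample entries and the off-host copy are constructed assumptions.

```python
# Added example (not from the book): a hash-chained audit log. Each entry's hash depends on
# the previous hash and the entry text. The seed and the log lines are constructed samples.
import hashlib

SEED = b"constructed-chain-seed"   # assumed: a per-file random value, also kept off-host

SAMPLE_ENTRIES = [
    "2024-03-04 09:30:41 srv1 sshd[901]: Accepted publickey for alice from 192.0.2.10",
    "2024-03-04 09:31:02 srv1 sudo: alice : USER=root ; COMMAND=/usr/bin/systemctl restart nginx",
    "2024-03-04 23:48:09 srv1 sudo: bob : USER=root ; COMMAND=/usr/bin/useradd -m svc_backup",
    "2024-03-04 23:49:15 srv1 sshd[977]: Accepted password for svc_backup from 203.0.113.7",
]


def _link(prev_hash: str, line: str) -> str:
    """Hash of this entry, bound to everything that came before it."""
    return hashlib.sha256((prev_hash + "\n" + line).encode("utf-8")).hexdigest()


def chain_entries(entries, seed: bytes = SEED):
    """Return a list of (line, hash) pairs forming the chain."""
    prev = hashlib.sha256(seed).hexdigest()
    chained = []
    for line in entries:
        prev = _link(prev, line)
        chained.append((line, prev))
    return chained


def verify_chain(chained, expected_last: str = None, seed: bytes = SEED):
    """Recompute every hash in order.

    Returns ("intact", n); ("modified", i) for the first entry whose stored hash does not
    match (an edited, deleted or reordered entry at or before i); or ("truncated", n) when
    the chain is internally consistent but its final hash differs from the off-host copy.
    """
    prev = hashlib.sha256(seed).hexdigest()
    for i, (line, stored) in enumerate(chained):
        if _link(prev, line) != stored:
            return ("modified", i)
        prev = stored
    if expected_last is not None and prev != expected_last:
        return ("truncated", len(chained))
    return ("intact", len(chained))


if __name__ == "__main__":
    log = chain_entries(SAMPLE_ENTRIES)
    off_host_copy = log[-1][1]           # assumed: forwarded to a separate log server
    print(verify_chain(log, off_host_copy))
    edited = list(log)
    edited[2] = (edited[2][0].replace("useradd", "ls"), edited[2][1])
    print(verify_chain(edited, off_host_copy))
    print(verify_chain(log[:1] + log[2:], off_host_copy))
    print(verify_chain(log[:-1], off_host_copy))
```

The chain only helps if the latest hash (or the seed) lives somewhere the attacker cannot write, such as a separate log server; with write access to the file alone, an attacker could recompute the whole chain after editing it. Forwarding logs to a second host addresses the same gap for the case where the files are deleted outright.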

You should consider periodically inspecting systems to see what software is installed and whether passwords are posted on sticky notes on monitors or keyboards. A good way to do this without attracting attention is to clean all the monitor faces. While you’re cleaning the monitors, you can also verify that physical security is being upheld. If you notice a password on a sticky note, you can “accidentally” forget to put it back. You should also notify that user that this is an unsafe practice and not to continue it.

You should also consider obtaining a vulnerability scanner and running it across your network. A vulnerability scanner is a software application that checks your network for any known security holes; it’s better to run one on your own network before someone outside the organization runs it against you. One of the best-known vulnerability scanners is Nessus.

Summary

This chapter focused on the types of attacks you’ll encounter and your network’s vulnerabilities:

• Types of attack
• TCP/IP
• Malicious code
• Social engineering

Denial of service, distributed denial of service, back door attacks, spoofing attacks, man-in-the-middle attacks, and replay attacks are all types of attacks you may encounter. Each takes advantage of inherent weaknesses in the network technologies most commonly used today.

TCP/IP is particularly vulnerable to attacks at the Host-to-Host (or Transport) layer and the IP layer. Transport layer attacks are designed to take advantage of the synchronization method used by TCP, the unsynchronized characteristics of UDP, and the maintenance messages generated by ICMP.

Common attacks on TCP include the SYN or ACK flood attack, TCP sequence number attack, and TCP/IP hijacking.

UDP is vulnerable to flooding attacks. Flooding attacks are DoS attacks, and they’re designed to prevent access by authorized users.

TCP/IP uses protocols and services at each layer of the network model. These protocols and services offer ports to receive and send messages to other services or applications. The ports are vulnerable to attack depending on the protocol. Thousands of ports are available for use in TCP/IP. The ports numbered below 1024 are considered well known, and they usually require administrative access to be used.

Applications interface with the TCP/IP suite using either APIs or Windows sockets. These interfaces are well established and published.

Each layer of the protocol suite communicates with the layers above and below it. The process of preparing a message for transmission involves adding headers as the packet moves down this stream. This process is called encapsulation.
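Encapsulation as the paragraph describes it, shown in code as an added example that is not from the book: a payload is wrapped in a UDP header at the Transport layer, then in an IPv4 header at the IP layer, and the receiving side peels the layers off in reverse, verifying the IPv4 header checksum on the way. The addresses, ports and payload are constructed documentation values, and the UDP checksum is left at zero, which IPv4 permits.

```python
# Added example (not from the book): encapsulation and decapsulation of a UDP datagram in
# an IPv4 packet. Addresses, ports and payload are constructed documentation values.
import socket
import struct

IPPROTO_UDP = 17
IPV4_FMT = "!BBHHHBBH4s4s"          # 20-byte IPv4 header without options


def ipv4_checksum(header: bytes) -> int:
    """One's-complement sum of 16-bit words (RFC 1071) over the IPv4 header."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:                      # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_udp(src_port: int, dst_port: int, payload: bytes) -> bytes:
    """Transport layer: prepend the 8-byte UDP header (checksum 0 is allowed over IPv4)."""
    return struct.pack("!HHHH", src_port, dst_port, 8 + len(payload), 0) + payload


def build_ipv4(src_ip: str, dst_ip: str, segment: bytes, ttl: int = 64) -> bytes:
    """IP layer: prepend a 20-byte IPv4 header carrying the transport segment."""
    fields = [0x45, 0, 20 + len(segment), 0x1234, 0, ttl, IPPROTO_UDP, 0,
              socket.inet_aton(src_ip), socket.inet_aton(dst_ip)]
    fields[7] = ipv4_checksum(struct.pack(IPV4_FMT, *fields))   # computed with field zeroed
    return struct.pack(IPV4_FMT, *fields) + segment


def parse_ipv4(packet: bytes) -> dict:
    """Remove the IP layer: read the header, check its checksum, return what it carried."""
    ver_ihl, _tos, total_len, _ident, _frag, ttl, proto, _csum, src, dst = struct.unpack(
        IPV4_FMT, packet[:20])
    ihl = (ver_ihl & 0x0F) * 4              # header length in bytes
    return {
        "version": ver_ihl >> 4,
        "ttl": ttl,
        "protocol": proto,
        "src": socket.inet_ntoa(src),
        "dst": socket.inet_ntoa(dst),
        "checksum_ok": ipv4_checksum(packet[:ihl]) == 0,   # an intact header sums to zero
        "payload": packet[ihl:total_len],
    }


def parse_udp(segment: bytes) -> dict:
    """Remove the Transport layer: read the UDP header and return the application data."""
    src_port, dst_port, length, _csum = struct.unpack("!HHHH", segment[:8])
    return {"src_port": src_port, "dst_port": dst_port, "payload": segment[8:length]}


def round_trip(src_ip, dst_ip, src_port, dst_port, payload):
    """Encapsulate downwards (UDP, then IPv4) and decapsulate upwards again."""
    packet = build_ipv4(src_ip, dst_ip, build_udp(src_port, dst_port, payload))
    ip = parse_ipv4(packet)
    udp = parse_udp(ip["payload"])
    return packet, ip, udp


if __name__ == "__main__":
    pkt, ip, udp = round_trip("192.0.2.1", "198.51.100.2", 40000, 53, b"hello")
    print(len(pkt), ip["src"], ip["dst"], ip["checksum_ok"], udp["dst_port"], udp["payload"])
```

The same header-by-header structure is what a packet filter or intrusion detection sensor walks when it inspects traffic, which is why a mismatched length or checksum field is itself worth logging: it is one of the simplest signs that a packet was crafted rather than produced by a normal stack.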

Malicious code describes an entire family of software that has nefarious intentions for your networks and computers. This includes viruses, Trojan horses, logic bombs, and worms. Viruses and worms are becoming a major problem on the Internet. The best prevention methods available include antivirus software and user education.

The process of using human intelligence to acquire access to information and systems is called social engineering. Social engineering involves someone contacting a member of an organization and attempting to con them out of account and password information. The best method of minimizing social engineering attacks is user education and positive verification of the identity of the person committing the attack.

Audit files and system logs are very effective for tracking activity in a network or on a server. They should be reviewed regularly to identify if unauthorized activity is occurring. Systems should be routinely inspected to verify whether physical security procedures are being followed.
