|
Tutorials: You've been hacked: Now prevent future attacks |
|
|
 We have already shown you what to do immediately following a hacker attack; now we will look at some longer term measures to prevent a future attacks
In the aftermath of a network attack, you must act quickly to recover systems and prevent further attacks. In this article, we'll focus on long-range measures you can implement to strengthen your defences after the dust settles. [more...]
June 03, 2003
Robert L. Bogue, TechRepublic.com
Establish monitoring
One of the main challenges in
restoring systems is determining when those systems were compromised, how the
systems were compromised, and what vulnerabilities were exploited to compromise
them. The reality is that hackers rarely get in on their first attempt. They
typically have to attempt to exploit a series of vulnerabilities or try a large
number of username and password combinations before they find a crack in your
systems' armour. Those attempts can, and often do, leave telltale fingerprints
of the hacker trying to break down the doors. It's up to you to make sure that
you record the attempts and that you have procedures or systems in place to
notify you when an attack is being waged.
So a key piece of your long-term security
strategy -- especially after a successful attack has occurred -- is the
development of a monitoring system that doesn't allow intrusions to go
unnoticed.
Log review
When was the last time you reviewed the event
logs on your servers or the firewall's logs? If you're like most IT
professionals, you're too busy to check logs unless there is a problem. Of
course, we all know that this isn't an ideal situation, but there never seems to
be enough time.
After you've had someone break into your systems, it's important to
make a point of doing periodic log reviews. Scheduling a log review for first
thing Monday morning means you might have it done by the end of the day Monday.
It also gives you a chance to look at what happened over the weekend--when most
hackers launch their attacks because they know that no one will be in the office
to stop them.
The first week you're back on the Internet after an attack, you
should review the logs every day or every few hours, since it's likely that the
hacker will be jiggling the locks on all of the doors he or she opened before
you discovered the intrusion. If you don't want to manually collect all of the
logs from every system and would prefer to receive alerts when certain events
occur, you can implement Microsoft's Operations Manager.
Intrusion-detection software
With log reviews, there's an
inherent delay between when an attack occurs and when it's discovered. Even if
you're reviewing logs daily, an attack can go unnoticed for hours -- which
leaves a lot of time for a hacker to try to find the right opening in your
systems. That's where intrusion detection comes in. An intrusion-detection
system (IDS) constantly watches your network and alerts you or takes other
actions when an intruder is detected.
IDSs can work with your existing firewall to add filters to prevent
the attacker from making further progress. By adding an explicit "deny" rule for
the location that the attack is coming from, you can prevent the hacker from
making any progress on hacking into your systems -- ever.
| |
|
Article continues...
ZDNet - Tech Republic |
 | |
|
|
|
 |
| "Tutorials: You've been hacked: Now prevent future attacks" | Login/Create an Account | 0 comments |
|
| | The comments are owned by the poster. We aren't responsible for their content. |
|
|
|
No Comments Allowed for Anonymous, please register |
|
| |
|
Login |
|
 |
|
|
|
|
· New User? · Click here to create a registered account.
|
|
|
Article Rating |
|
|
|
|
|
|
Average Score: 0
Votes: 0
|
|
|
