Two recent SearchSecurity.com webcasts focused on the topic of network security. The first talk was by resident network security expert Ed Skoudis on new trends in computer attacks. The other webcast was conducted by Richard Bejtlich, of Foundstone, and Robert Visscher, of Ball Corporation, on the topic of Network Security Monitoring.
I would hate for those that couldn't view the webcasts to miss out on some of the essential ideas conveyed in them. In the following paragraphs I will look at some of the more important thoughts on security discussed in the webcasts. Who knows, maybe the tidbits will pique your interest enough to take a look at the full webcasts.
Ed Skoudis begins his talk by pointing out that there was a severe drop in hacker activity after Sept. 11 that lasted about six months. But since that time hacker activity has increased. And the only defense is to stay diligent. To that end, Ed recommended some defenses against attacks.
One method of attack that is on the rise is Trojaning software distribution. The main defense of which is obvious, don't put any downloaded software directly into production. Put it into a test environment first. But he also recommended downloading the software from various sources when possible and comparing the hashes of the downloads. This might save you some grief even in the testing phase.
I think the most important piece of advice and information from Ed's webcast was the insight into hacker methods.
Ed's advice regarding these methods is to use the same tools as the bad guys. Find out everything you can about your company as seen from the outside; know what potential hackers know. You might even be able to use the same types of tools that hackers use to find holes in your security to discover them yourself. One possible tool is Dan Kaminsky's scanning tool available at Doxpara Research.
In theory, locking down your systems -- making them hacker proof -- is your goal, but some would call this an impossible goal. If this is the case, you must at least know when your security has been breached. Which brings us to the topic discussed in Bejtlich and Visscher's webcast, Network Security Monitoring. Bejtlich and Visscher pointed out that most people would call this intrusion detection, but they believe that intrusion detection is just part of what needs to be done. Just knowing that there has been an intrusion isn't enough. Beyond identification, network security monitoring provides forensic data, accelerates response and recovery actions, helps identify host and network misconfiguration, and it may be required by law.
Bejtlich and Visscher summarized the needs of network security monitoring by saying that it needed people, products and processes to work together. People are needed because products cannot interpret real world situations; products are needed because people have trouble interpreting network data; and processes are needed to make sure the data has a purpose.
Aside from explaining Network Security Monitoring and providing some guidelines for building a good network monitoring system, Bejtlich and Visscher also provide a wealth of resources on cyber crime and various security Web sites.
For more information, view the Network Security Monitoring Webcast at http://searchsecurity.com/r/0,,7956,00.htm.
Or catch up on the latest hacker methods at http://searchsecurity.techtarget.com/webcastsTranscriptSecurity/1,289693,sid14_gci847688,00.html.
About the author
Benjamin Vigil is a technical editor for SearchSecurity.com.
This was first published in December 2002