Search /
Advanced search  |  Help  |  Site map
Click for Layer 8! No, really, click NOW!
Networking for Small Business
Kill switches coming to iPhone, Android, Windows devices in 2015
Still deploying 11n Wi-Fi?  You might want to think again
9 Things You Need to Know Before You Store Data in the Cloud
Can Heartbleed be used in DDoS attacks?
Linksys WRT1900AC Wi-Fi router: Faster than anything we've tested
Heartbleed bug is irritating McAfee, Symantec, Kaspersky Lab
10 Hot Hadoop Startups to Watch
Server makers rushing out Heartbleed patches
Fortinet, McAfee, Trend Micro, Bitdefender battle in socially-engineered malware prevention test
Net neutrality ruling complicates US transition to IP networks
6 Social Media Mistakes That Will Kill Your Career
Canonical's new Ubuntu focuses on the long haul
4 Qualities to Look for in a Data Scientist
Big bucks going to universities to solve pressing cybersecurity issues
Mozilla appoints former marketing head to interim CEO
Box patches Heartbleed flaw in its cloud storage systems
Obama administration backs disclosing software vulnerabilities in most cases
6 Amazing Advances in Cloud Technology
Collaboration 2.0: Old meets new
Data breaches nail more US Internet users, regulation support rises
With a Wi-Fi cloud service, Ruckus aims to help hotspot owners make money
How to get Windows Phone 8.1 today
Secure browsers offer alternatives to Chrome, IE and Firefox
10 Big Data startups to watch

Guidelines for would-be corporate vigilantes

Today's breaking news
Send to a friendFeedback

Today's breaking news
Send to a friendFeedback

There are many ways to detect break-ins and a variety of options on how to proceed once you do. Here's a collection of insights from dozens of users, analysts and vendors on the techniques that work best.

n Use quality detection systems. You want to detect miscreant insider behavior as well as external hacking. Host-based auditing, network behavior statistics and traffic analysis are all good sources of security-related data that can alert you to abnormalities that may indicate a security incident. Keep in mind that intrusion detection systems (IDS) are all a little different. Some excel in NT, others in Unix or Novell, and some pick up anomalies and events that others don't. It's a good idea to use more than one IDS.

n Determine your first course of action once you detect an incident. Many people suggest isolating the source into a specific, noncritical part of your network. Others say cutting off the source of the attack is all they want to do. Your reaction should reflect your corporate security policy.

n Let your legal department know what's going on. If you ever have to get law enforcement authorities involved, you want to ensure you've taken the right steps. If your in-house counsel doesn't know how to proceed, strongly suggest he get advice from an experienced cyberattorney.

n Collect all systems logs from firewalls, routers and servers so you can identify what tools the attacker used and which of your vulnerabilities were exploited if you cut off the attack. Act upon this knowledge and reconfigure accordingly.

n Make sure all your auditing tools are active if you don't cut off the attack. You may want to increase the tools' sensitivity to capture more data points. Monitor the intruder's actions closely, so you can cut off the attack at any time you choose.

n Consider the use of forensic tools, especially if you have an insider hacking at your systems. Forensic tools will allow you to perform a sector backup of the suspect's hard disk with cryptographic seals to prevent tampering and assist in maintaining a quality chain of evidence. In addition, you may need to search the suspect's hard disk and floppies (including Zip drives and the like) for erased files and other hidden attributes. Don't forget to involve human resources personnel; they can keep you out of a heap of trouble.

n Attempt to trace the source of the attack. This is not easy, and often involves a lot of people with different organizations. Know whom to call at your ISP in the event of a breach. Be able to reach your contact 24-7 in case of an after-hours attack. ISPs coordinate with each other in many cases, and if you plan for the eventuality, you will be ahead of the game and able to react much faster.

n Have a game plan, especially if you call in law enforcement, which is more restricted in its ability and legal right to gather evidence than your company. Get legal advice regarding proper investigative techniques and evidence gathering so they will hold up in court. Recognize that investigative procedures and techniques can be disrupting, causing downtime and a drain in manpower.

n Strike back if you choose, but only with adequate legal counsel. There is a range of actions you can take - some more offensive than others.

n Prepare for the acts of man as much as for acts of God. Your disaster recovery people can handle floods, earthquakes and tornadoes. But can they handle a hacker?


Striking back
The main story.

Apply for your free subscription to Network World. Click here. Or get Network World delivered in PDF each week.

Get Copyright Clearance
Request a reprint or permission to use this article.

NWFusion offers more than 40 FREE technology-specific email newsletters in key network technology areas such as NSM, VPNs, Convergence, Security and more.
Click here to sign up!
New Event - WANs: Optimizing Your Network Now.
Hear from the experts about the innovations that are already starting to shake up the WAN world. Free Network World Technology Tour and Expo in Dallas, San Francisco, Washington DC, and New York.
Attend FREE
Your FREE Network World subscription will also include breaking news and information on wireless, storage, infrastructure, carriers and SPs, enterprise applications, videoconferencing, plus product reviews, technology insiders, management surveys and technology updates - GET IT NOW.