-
June 23rd, 2004, 11:26 PM
#11
Undies: 
So I take it from the story that my approach of getting me mates together and rolling around to the intruder's house in pickups, and taking to the black hat with crowbars and pick axes, isn't the best solution?
Well, to be honest that's a question of your corporate policy and the laws in Oz.... 
Really, there are only three "results" in a forensic investigation:-
1. No-one can find the attacker, ever.... he's too good.
2. You can't find the attacker but the government can... But that's going public.
3. You can find him, then you decide what to do.
Unless the attacker makes a really _stupid_ mistake like Joshua did, you will be relying on lawyers or the authorities to track the attacker back through ISPs ('cos you won't get the time of day from them). If the trail leaves the country, even the government may "dead end" right there too, but by then it's probably public information.
As far as I am concerned, no matter how much of a bitch fit I might throw about being "beaten", my attitude is that I need to know where, what, and how.... Then I have a chance of cleaning it up and preventing a repeat episode. I see, all too often, people saying that their web page was defaced and they have restored from a backup, then it got defaced, then they restored from a backup...... etc... endlessly. It's like sleeping on a bed of rocks... You wake up every morning sore all over, so you replace the rocks..... All the while there's a bed 5 yards away..... Fix the problem not the symptom. The logs and the procedure are the bed, if it isn't there you will continue to sleep on the rocks.
I do like your solution though.....
Don't SYN us.... We'll SYN you.....
"A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides
-
July 3rd, 2004, 12:14 PM
#12
But why aren't we asking more questions?
I for one need time to assimilate all that was discussed, whether it was purposeful or merely as a consequence of the original intent.
OK. Question: What was the point of the story ( tutorial ) ?
1) the necessity to know your network and be prepared
2) the need to clean up after poor, sloppy predecessors
3) the necessities of adequate logging
4) the need to understand proper forensic techniques
5) the need to understand economic vs. legal ramifications of prosecuting hackers
6) the role of Google in helping solve a problem
7) the three "results" in a forensic investigation
How about something a little less obviously stated: The more security aware you are, the more you know your network, the more you know how an attacker will attempt to penetrate your network, and the more prepared you are, the less chance that the network will be compromised.
Isn’t this story really what A.O. is all about? If one understands and implements these concepts they can better defend against attacks.
Again, great posts!!
My ONLY disappointment is that most people (other than geeks) will not get out of this what was intended. I sat here trying to make a list of all the people to e-mail links to this tut, but was disheartened when I realized that most of the "decision makers" who employ the geeks will not understand many of the points made in this series. Hopefully this tut will spread and become mandatory reading, and all future admins will "carry" the "decision makers" and steer them away from trouble.
" And maddest of all, to see life as it is and not as it should be" --Miguel Cervantes
-
July 3rd, 2004, 10:45 PM
#13
Iknownot:
Interesting post that carries a very salient point of its own:-
"but was disheartened when I realized that most of the "decision makers" who employ the geeks will not understand many of the points made in this series. Hopefully this tut will spread and become mandatory reading, and all future admins will "carry" the "decision makers" and steer them away from trouble."
Not the bit about "mandatory reading" but the bit about "decision makers" and "admins".
We see it all too often both here and in our "real" lives with friends and colleagues....
"My boss is so overbearing"
"I've told them a thousand times that....."
"They say I'm wrong when I tell them"
etc, etc, etc.....
Whose fault is this? Is it the employer or the admin?
I think the "blame" can be quite firmly placed in both camps.
The Employer:
He hires his IT guy to make a network work and do what he wants it to. He has certain expectations:-
1. He should be able to get his email.
2. He should be able to surf like a "demon" whatever, wherever and whenever he likes.
3. He should be able to get to his stuff no matter what city in the world he's in.
4. The network should never fail.
5. If it fails the backups are immediately available and are good backups.
6. His web site(s) should be up 100% of the time.
7. None of his users should experience any problems.
8. If they experience problems they must be fixed immediately because they affect productivity.
These are all lofty goals that are achievable by any competent admin.... assuming the workload is reasonable. Most should be able to handle these issues, alone, on a network of less than 100 machines in a single location. The reality is that we are often asked to do the same, and much more, without being granted the appropriate resources. The other reality is that you will note that there was no reference to the security of the systems in the "boss's plan". This is a problem because he wants "freedom of access" but he hasn't considered the ramifications of such a policy.
We should all understand by now that security is the balance between usability and security, but the employers, all too often, fail to understand the usability issue ("my buddy Bill's company lets him get his email from anywhere....") as it pertains to the security issue, and get a "tad miffed" when what they get paid monthly becomes public knowledge because someone used the "usability" of his network against him, or, worse yet, he gets sued by an employee for providing a "hostile work environment" because Joe in accounting was surfing porn when Julie (the company prude) walked into his office. All of a sudden the admin's rear is the one on the line..... Why? Because the boss never understood the implications, or never wished to face the potential consequences of his "needs".
The Admins:
Ok.... I'm going to start with a statement that will be offending to many. Before you start yelling at my scrawny old butt.... Sit back and think about the reality.....
Many people being hired into administrative positions on networks worldwide are young "hotshots", just out of college with no experience of the "real" world, who need a job, will take what's offered by anyone and let the boss dictate what can and can't be done because he can fire their butt if they don't play his game..... Sad, but true.
Now that you have sat back and thought about yourself (now, or "back then when...."), we need to see if we can fix this. The first problem I can see is that many of these "hotshots" haven't been taught a darned thing about the true cost of a security breach to their employer. In fact, very few of them have ever had security addressed at all in any of their classes and teachings. So they don't really _know_, often until it is too late. So, there's an education issue right up front... Colleges need to have a mandatory course in any computer-related major, or minor, that stresses the costs of a failure in computer security to a company. This should probably also be mandatory nowadays for business majors or minors too... But I don't see that happening...
I think when you interview for a position you should make a strong point that security is a major part of your existence as a network administrator. You need to delineate _why_ it is important to you (it's a "professional thing") and why it's important to the potential employer (it's a "financial thing"). When you interview you have to make it clear that it's "his train set and he can play with it any way he likes", _but_, as his network admin you have certain responsibilities that may restrict or preclude his "vision". I believe you need to be a bit forceful about this at the outset.... Tell them up front that if they employ you, you are going to assess risk against "vision" and you are going to enforce a policy that manages the risk while allowing the "vision" as best you can. Keep stressing how important to his business your actions will be, and that you will do whatever you can to allow the "vision" to occur, but that you may have to impose some "hardships" in order to make it happen.
Hard to do? No doubt.... If you are just coming out of school and need that job it may seem insurmountable and easier just to say "screw it, I'm going for the job". In the end you probably won't be happy.... Have a nice life.... 30% of it will be spent in the employment of someone you think is an idiot.....
Smart people run businesses (sometimes). Appeal to them, let them learn from you, they will appreciate it... though sometimes only "eventually". When you get the job, let them know what you have done for them. Drop them an email telling them that the latest worm didn't get in because you applied the patches promptly, the new virus didn't get in because it always came as a .pif file and the new firewall you bought for him (at his cost and your insistence) allowed you to strip the .pif file before the virus definition was available. Put out warnings to all the users about the latest scam (both for their work and home systems), so you can show your value.....
Be insistent, constantly.... Don't just show them the threat..... Show them the _cost_ if it weren't addressed..... but address it first... then tell them why. The smart ones "get it", trust me... and they appreciate you for it.... If you are stuck with an idiot you aren't happy anyway so what's the problem with throwing out a few resumes.
Well..... that was longer than I expected..... I'd be happy to advise on some "boss handling" techniques if anyone has specific issues but I can't guarantee they will work.... Some people just don't see what's good for them when it stands up and slaps them in the face.....
Don't SYN us.... We'll SYN you.....
"A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides
-
July 4th, 2004, 01:44 AM
#14
Hey, Tiger, don't keep me in suspense here....
Does Dirk.... Ummmm.... Root Amy's box?
Real security doesn't come with an installer.