Who will protect from hackers? Only the Shadow group knows

Hackers have help breaking into government networks. They share their resources and techniques on special mail lists and encrypted chat areas. Government security administrators are taking a similar team approach to combat the intruders. A small group of government network security experts has been using the method with industry counterparts. The exchanges have helped them form a consensus, though not full agreement, on what to do when an intruder penetrates a private network via the Internet.


The Shadow group includes representatives from several Defense Department sites, the
Geological Survey and Energy’s Los Alamos National Laboratory. Corporate
representatives range from General Dynamics Corp. to Disney Online.


Two big efforts have grown out of these chats. The first is a book: Computer Security
Incident Handling Step by Step. Published by the Sans Institute of Bethesda, Md., at http://www.sans.org, the $27 book discusses how to deal
with intrusions, denial of service attacks, cybertheft and other security events.


The book’s incident handling report lists six stages of response: preparation,
detection, containment, eradication, recovery and follow-up. By far the largest section
discusses preparation. It stresses yet again the need to be proactive and protect networks
before an attack occurs.


The Shadow group found that a good place to start is by justifying the need for
investment in a security infrastructure. It also found that many sites don’t have a
solid security policy or even a philosophy in place, which slows and complicates things
when an incident occurs.


Before formulating a response plan, “you have to choose which philosophy you will follow and get management
approval,” Northcutt said.


And the group learned that everyone needs security training.


The group decided that what works for large organizations doesn’t always suit
small ones.


Large groups have dedicated staffs to handle incidents. Small ones generally press a
staff member into an expert role on short notice.


An inadequately trained network administrator, for example, might begin using a
privileged account the admin had never used before. That would tell intruders they had
been detected, so they would start destroying evidence and cause other damage.


The Shadow group’s discussions quickly revealed the flavor of the month in hacker
attacks. Members agreed on ways to deal with malicious code attacks (use virus checkers,
and scan for inexplicable packets sent automatically from your network out to the
Internet).


They also agreed on probes and network mapping (run your own probes to see what can be
learned from Simple Network Management Protocol commands and pings). And they talked about
denial of service attacks (establish an emergency backup facility), organized espionage
(track traffic, point to false documents to throw intruders off), hoaxes (keep employees
informed, check the hoax page at http://ciac.llnl.gov),
and unauthorized access (restrict IP addresses allowed to connect).


Surprisingly, Northcutt said he’s not too concerned about script-driven attacks
that pound away at sites.


“The information-gathering probes give me the greatest concern,” he said.
“In several cases, we have noted very accurate targeting attack attempts, which
indicates someone knows a lot about our structure.”


DOD sites turn to their computer incident response teams for fast help. An example
appears at http://www.assist.mil.


The second result to come out of the Shadow group is called the Cooperative Intrusion
Detection Evaluation and Response project, or CIDER. Also a Sans Institute project, with
Navy cooperation, it aims to help organizations build their own network monitoring and
analysis capability.


CIDER concentrates on two techniques. The first is TCPdump, a program that monitors and
filters TCP activity for matches that indicate a problem. The second is Network Flight
Recorder, a set of tools under development to monitor, archive and alert authorities.
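As an added illustration, not code from the article, the Shadow group or CIDER, here is a small Python scanner over constructed tcpdump-style text that flags the two things the text recommends watching for: unexplained outbound connections from the site to the Internet (the telltale of malicious code phoning home) and inbound SNMP or ping probes (network mapping). The site prefix, the allowed egress ports and the log lines are all assumptions made for the example.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample lines in tcpdump's text format (not a real capture).
SAMPLE_LOG = """\
12:00:01.000 IP 10.1.1.5.1034 > 10.1.1.20.80: Flags [S], seq 1, length 0
12:00:02.000 IP 10.1.1.5.1035 > 198.51.100.7.6667: Flags [S], seq 2, length 0
12:00:03.000 IP 10.1.1.5.1036 > 198.51.100.7.6667: Flags [S], seq 3, length 0
12:00:04.000 IP 203.0.113.9.40001 > 10.1.1.20.161: UDP, length 40
12:00:05.000 IP 203.0.113.9 > 10.1.1.21: ICMP echo request, id 1, seq 1, length 64
12:00:06.000 IP 10.1.1.8.2000 > 10.1.1.20.22: Flags [S], seq 4, length 0
"""

INTERNAL = ipaddress.ip_network("10.1.1.0/24")   # assumed site address range
KNOWN_OUTBOUND_PORTS = {25, 53, 80, 443}          # assumed sanctioned egress services

# "IP src[.sport] > dst[.dport]: rest" as printed by tcpdump for IPv4.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>\d+\.\d+\.\d+\.\d+)(?:\.(?P<sport>\d+))? > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)(?:\.(?P<dport>\d+))?: (?P<rest>.*)$"
)


def analyze(log_text):
    """Return (outbound, probes): a Counter of unexpected internal->Internet
    flows keyed by (src, dst, dport), and a list of inbound SNMP/ping probes."""
    outbound = Counter()
    probes = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                      # lines in other formats are ignored
        src = ipaddress.ip_address(m["src"])
        dst = ipaddress.ip_address(m["dst"])
        dport = int(m["dport"]) if m["dport"] else None
        rest = m["rest"]
        if src in INTERNAL and dst not in INTERNAL:
            # Traffic leaving the site to a service we do not sanction.
            if dport not in KNOWN_OUTBOUND_PORTS:
                outbound[(str(src), str(dst), dport)] += 1
        elif dst in INTERNAL and src not in INTERNAL:
            # Reconnaissance from outside: SNMP (UDP/161) or ICMP echo.
            if dport == 161 and "UDP" in rest:
                probes.append((str(src), str(dst), "snmp"))
            elif rest.startswith("ICMP echo request"):
                probes.append((str(src), str(dst), "ping"))
    return outbound, probes
```

Repeated hits on the same (src, dst, port) triple are the pattern worth escalating; a single odd packet is often just a misconfiguration.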


CIDER details are available at http://www.nswc.navy.mil/ISSEC/CID/. When
you visit, you can download intrusion detection shareware. But because huge log files are
kept, you may need to add gigabytes of drive space to make it work. The tools come with
good user endorsements, however.


Finally, bear in mind that not all emergency recovery scenarios result from hacker
attacks. External causes also include natural disasters, backhoe accidents and faulty
equipment. Having a response plan and a disaster recovery plan is the first step to
control loss of service.


For a list of Web security tools, visit http://www.perl.com/latro.


To monitor UseNet newsgroups dealing with security issues, check out
comp.sys.www.security or comp.infosystems.www.cgi.


See the Best of Security list at best-of-security-request@cyber.com.au
and Computer Emergency Response Team advisories at cert-advisory-request@cert.org. You can
subscribe to both lists by e-mail.


Shawn P. McCarthy is a computer journalist, webmaster and Internet programmer for
Cahners Business Information Inc. E-mail him at smccarthy@cahners.com.

