
Re: RE : [cobalt-security] Forensics on a hacked server



Hi Sonny,

> Have you had experience with any of the ISS products? 

Yes, I had the chance to take a peek at a few of their products a year ago.

> I would have to say that if your budget (or your provider's budget) could
> handle the strain of a full commercial security installation, then I would
> argue that you CAN stop intruders.

With the right budget and right tools you can make it quite difficult for 
someone to get to your assets. The more time, effort and money you invest, 
the more likely it is that you can stop intruders. But there will always be 
that lucky guy with a 0-day exploit at hand (or make it a 60-day exploit when 
you look at how long it takes Sun to roll up patches) and then you're screwed 
nonetheless - despite all precautions. That can happen to someone who uses 
ISS to monitor the firewall or IDS streams as well - it's just less likely, 
but still possible.

However, most hosting shops operate on a tight budget, so you'll hardly find 
the latest and greatest security appliances there. I don't say that anything 
is better than nothing, but it's better to have some precautions in place 
than nothing at all. Something along those lines.

> If you were going to try to utilize opensource security countermeasures
> only, then the answer is probably that you get what you pay for.

Many (if not most) great security tools are open source software. If someone 
can make use of 'em properly, then there is no need to pay an arm and a leg 
for professional support. If a company rolls up open source software in a way 
that a person with no (or modest) Linux skills can make use of 'em, then 
that's a good start. It's not perfect, but a good start. If you can afford 
professional 24/7 support and monitoring, then that sure provides you with an 
even better security - at a price. It's good that there is so much choice to 
pick whatever suits your budget and your needs best. 

> Some simple tips would be:

Nice outline. I myself use the multi-layered approach, which 
includes monitoring on the servers themselves (integrity & IDS), dedicated 
firewalls, honeypots, network sniffers, VPNs and the like. Some of it is 
cobbled together with open source software, some is proprietary soft- or 
hardware from various vendors. 

A properly planned and carefully designed network also helps to tighten up 
security and the last line of defense is of course having backups - just in 
case. ;o)

> hehe one of my colleagues just suggested that if your customers were
> only active during the day, then why not shut off your server at
> night??..... wicked security stuff now

Well, then you hopefully have a secondary MX which queues the incoming emails at 
odd hours. ;o) But yes, for a small office which just needs connectivity 
during the office hours it's sure best to drop the connection once it is no 
longer needed. That depends on their specific needs.

> Lastly, the aim is to make your attacker jump through as many hoops as
> it takes for him/her to get bored, or for the time it takes one of your
> security systems to notice him/her and shut down the first hoop,
> reroute the second hoop and block the third and fourth hoop from
> accessing your server and send you a nice message saying sleep tight,
> all is well here - all without spending too much money, wasting too
> many hours, and still giving your customers good service!

As there will never be enough security, the goal is to lengthen the time which 
an intruder needs to get to the crown jewels. So it is all about buying time 
- enough time that you (or your security measures - whatever they are) detect 
the intrusion attempt before any actual damage is done. I'd rather have one 
toying with the honeypot than with the actual servers. Which can also be 
quite educating, as I learned some nice (new?) tricks from the honeypot logs. 
;o)

-- 

With best regards,

Michael Stauber