
| Subject: | Re: Intrusion Detection |
|---|---|
| Date: | Mon, 10 Jul 2006 09:30:34 +0100 |
> Hello all,
>
> I've been reading this list for some time and I can't help but notice that there is a lot of information and discussion about securing systems, but very little about how to detect if you *are* compromised.

Yes, that's my impression too.

> This is one of my major concerns. I can advocate all kinds of practices and procedures, but eventually someone will get through. So how can I tell? Especially if they are trying not to leave traces?
>
> Are there a few very simple, dumb things that everyone should do in this regard? If so, then I haven't heard them. If you could list them, or point me to some good resources, it would be much appreciated.
I am somewhat biased, but I have long held a view that (depending on the importance of the systems being protected - you can't always justify the additional costs) one should have an independent auditing component in addition to all protective/preventive measures that are put in place. This is because I prefer detection to prevention and believe that, in a general case, you must accept that you will fail to protect your assets. Prevention works well for automated attacks (e.g. worms) but not so well for determined attackers going after your custom web application.
In ideal circumstances the auditing component would record the entire traffic stream and keep it around for several months. If you can't afford to record everything then you should selectively log transactions and sessions based on a custom policy.
With this setup you get alerts in real-time, warning you about potential attacks, but you are also able to perform thorough forensic analysis and go back in time (e.g. did anyone exploit this vulnerability in the past).
Now, since this is a webappsec mailing list, my discussion relates only to HTTP. For a discussion of how to do the same for the lower network layers I recommend reading "The Tao of Network Security Monitoring" by Richard Bejtlich.
--
Ivan Ristic, Technical Director
Thinking Stone, http://www.thinkingstone.com
ModSecurity: Open source Web Application Firewall
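As an added illustration of the setup Ivan describes (example code written for this page, not ModSecurity's code and not from the thread): an HTTP transaction audit store that logs selectively by policy when full capture is unaffordable, raises real-time alerts, keeps records for a retention window, and answers the retrospective question "did anyone hit this in the past?". The alert patterns, the keep-policy rules and the sample requests are assumptions constructed for the example.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass
class Transaction:
    ts: datetime
    client: str
    method: str
    path: str

# Hypothetical alert policy (an assumption here, not a ModSecurity rule set).
ALERT_PATTERNS = {
    "traversal": re.compile(r"(\.\./){2,}"),
    "sqli": re.compile(r"'\s*(or|union)\s", re.I),
}

def matching_alerts(tx):
    """Names of the alert patterns that match this request's path."""
    return [name for name, rx in ALERT_PATTERNS.items() if rx.search(tx.path)]

def keep_by_policy(tx):
    """Selective logging: keep state-changing requests and anything alerting."""
    return tx.method in ("POST", "PUT", "DELETE") or bool(matching_alerts(tx))

class AuditStore:
    def __init__(self, retention_days=90):   # "keep it around for months"
        self.retention = timedelta(days=retention_days)
        self.records = []
    def record(self, tx):
        """Store tx if the policy says so; return the real-time alerts raised."""
        if keep_by_policy(tx):
            self.records.append(tx)
        return matching_alerts(tx)
    def purge(self, now):  # drop records that aged out of the retention window
        self.records = [r for r in self.records if now - r.ts <= self.retention]
    def search(self, path_pattern, since=None):
        """Go back in time: who hit this path, and when?"""
        rx = re.compile(path_pattern)
        return [r for r in self.records
                if rx.search(r.path) and (since is None or r.ts >= since)]

# Constructed sample traffic, not real data.
SAMPLE = [
    Transaction(datetime(2006, 7, 1, 10, 0), "10.0.0.5", "GET", "/index.html"),
    Transaction(datetime(2006, 7, 2, 11, 0), "10.0.0.9", "GET", "/view?f=../../etc/passwd"),
    Transaction(datetime(2006, 7, 3, 12, 0), "10.0.0.7", "POST", "/login"),
    Transaction(datetime(2006, 7, 4, 13, 0), "10.0.0.9", "GET", "/search?q=' or 1=1"),
]
```

Feeding SAMPLE through `AuditStore.record` keeps the traversal probe, the POST and the injection probe but not the plain GET, and `search(r"^/view")` later still returns the client that probed that path.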