How To Verify External/Internal Threat?

By TekGeek052401

What is another method of determining whether an unauthorized access to and modification of network policy is the result of an external or internal threat, when the security audit log has been erased and disabled?

We have already re-enabled the security audit function. I am trying to determine whether the hack was external or internal (physical access).

by mshavrov

It's a pretty "state of the art" process. Try to find all the footprints available:

* Can you estimate what time it happened? Was it daytime or nighttime?

* Check your firewall log files, if they have any records for that time. Enable more advanced logging; maybe log all transactions for a few days to look for suspicious activity.

* Try to set up a sniffer on your network to watch traffic to the hacked server. To avoid overflow, use filters to cut off "unwanted traffic".

* If possible, buy and install an IDS (Intrusion Detection System) to watch your network. It can send administrative alerts on most hacking attempts.

* If possible (I mean, if the operating system allows it), forward log messages or SNMP traps to another server.

* Perform system security scanning against the server which was hacked (and against potentially hacked servers). Install required patches, disable unused services, etc.

* Watch your users :-)

Good luck.
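The first two footprints above (pin down the time window, then read the firewall log for that window) can be worked mechanically. The following is an added example, not code from the thread or from any poster: it parses constructed firewall log lines in an assumed "date time ACTION PROTO src:port -> dst:port" layout, keeps only events aimed at the compromised host inside the suspected window, and splits the source addresses into RFC 1918 (internal) and everything else (external), noting whether each source had connections ACCEPTed or only DROPped. The log format, the sample lines and the 192.168.1.10 target are all assumptions for illustration.

```python
import ipaddress
import re
from datetime import datetime

# Constructed sample firewall log (assumed format; not from the original thread).
# Layout: "<date> <time> <ACTION> <PROTO> <src>:<sport> -> <dst>:<dport>"
SAMPLE_LOG = """\
2003-04-12 22:58:01 ACCEPT TCP 192.168.1.44:3512 -> 192.168.1.10:445
2003-04-12 23:02:17 ACCEPT TCP 203.0.113.25:41002 -> 192.168.1.10:3389
2003-04-12 23:03:40 DROP TCP 198.51.100.7:51234 -> 192.168.1.10:135
2003-04-12 23:05:09 ACCEPT TCP 192.168.1.44:3520 -> 192.168.1.10:139
2003-04-12 23:40:12 ACCEPT TCP 192.168.1.44:3530 -> 192.168.1.10:445
2003-04-13 09:15:33 ACCEPT TCP 192.168.1.80:1201 -> 192.168.1.10:445
"""

LINE_RE = re.compile(
    r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) (ACCEPT|DROP) (\w+) "
    r"([\d.]+):(\d+) -> ([\d.]+):(\d+)$"
)
TIME_FMT = "%Y-%m-%d %H:%M:%S"

# RFC 1918 ranges; replace with the site's own address plan if it differs.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def origin(ip):
    """Label a source address as 'internal' (RFC 1918) or 'external'."""
    addr = ipaddress.ip_address(ip)
    return "internal" if any(addr in net for net in INTERNAL_NETS) else "external"


def parse_log(text):
    """Parse log lines into dicts; lines not matching the assumed format are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, action, proto, src, _sport, dst, dport = m.groups()
        events.append({
            "time": datetime.strptime(ts, TIME_FMT),
            "action": action,
            "proto": proto,
            "src": src,
            "dst": dst,
            "dport": int(dport),
        })
    return events


def sources_touching(events, target, start, end):
    """Group sources that reached `target` between start and end (inclusive).

    Returns {"internal": {src: {actions}}, "external": {src: {actions}}}, so
    accepted sessions can be told apart from blocked probes.
    """
    result = {"internal": {}, "external": {}}
    for ev in events:
        if ev["dst"] != target or not (start <= ev["time"] <= end):
            continue
        bucket = result[origin(ev["src"])]
        bucket.setdefault(ev["src"], set()).add(ev["action"])
    return result


def accepted_sources(grouped):
    """Sources with at least one ACCEPTed connection, per origin, sorted."""
    return {
        kind: sorted(src for src, actions in srcs.items() if "ACCEPT" in actions)
        for kind, srcs in grouped.items()
    }


def investigate(log_text, target, start, end):
    """Convenience wrapper: ISO timestamps as strings in, grouped sources out."""
    return sources_touching(parse_log(log_text), target,
                            datetime.strptime(start, TIME_FMT),
                            datetime.strptime(end, TIME_FMT))


if __name__ == "__main__":
    grouped = investigate(SAMPLE_LOG, "192.168.1.10",
                          "2003-04-12 22:30:00", "2003-04-12 23:59:00")
    for kind, srcs in grouped.items():
        for src, actions in sorted(srcs.items()):
            print(f"{kind:8} {src:16} {','.join(sorted(actions))}")
    print(accepted_sources(grouped))
```

Two caveats when reading the result. A source that only shows up with DROP entries may well be spoofed, since a single unanswered packet needs no reply; an ACCEPTed TCP session is a stronger lead, because the client had to receive the server's SYN-ACK to complete the handshake. And an internal address only says the traffic entered from the inside; it does not by itself distinguish a person in the building from a compromised internal host or a VPN user, so the matching host's own state (logons, processes) is the next place to look.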

by TekGeek052401

This is helpful; however, many of the strategies discussed have been or are being deployed for prevention. IDS wouldn't work, as IP spoofing is now a common method of gaining access. A sniffer is a possibility, but again it only tells me what legitimate users are doing (he said/she said scenario). We are setting up an FTP site to have auditing logs sent to, in the event the logs ever get deleted again. We are implementing a more robust firewall, so logs will be helpful, but here again they will need to be set up to automatically save to the FTP site or something. Thank you for the comments and suggestions; I am initiating some of your suggestions already. What I am trying to do is figure out whether someone came into the building to effect the changes/hack, or someone from the Internet conducted the attack.

by PENGUINSRULE

Please let us know a little more about your environment - what's your operating system? Unix? OpenVMS? VM/CMS? Windows 2000? MVS? ??

What's your network environment?
What happened? What's the problem statement?
