comStar Firewall alert - PhaseThrough
comStar Firewall alert - PhaseThrough
comStar Firewall alert - PhaseThrough
Create successful ePaper yourself
Turn your PDF publications into a flip-book with our unique Google optimized e-Paper software.
filled with a high-rating Data Bomb, archived with strong IC, or<br />
anything else a spider can invent. The node can also use Stealth<br />
on itself, masking its true Matrix attributes, running programs,<br />
or other pieces of information normally garnered by a Matrix<br />
Perception Test.<br />
When a node is using a decoy, the gamemaster should roll an<br />
Opposed Test, per the normal Matrix Perception Test rules involving<br />
Stealth (p. 217, SR4). If the observer gains no net hits, she<br />
instead receives one piece of fictional information that the Stealth<br />
program is configured to give. This technique may only be used<br />
with files and nodes.<br />
Decoys can be especially effective when used with a honeypot.<br />
Honeypot<br />
A honeypot is a file or node that appears to be valuable to<br />
an attacker, but in fact is a trap set to lure intruders. All of the<br />
personnel that have genuine access to the system are aware of the<br />
honeypot’s true nature, and are instructed to leave it alone. This<br />
means that any icon that attempts to access the honeypot is likely<br />
to be an intruder.<br />
Honeypots are usually implemented in two ways, either as a<br />
decoy masquerading as an important file or node, or a ruse that appears<br />
to be a weak spot in the system’s security. A decoy is usually<br />
only visible to security or admin accounts and encrypted, attached<br />
to a Data Bomb, or otherwise protected by security measures reserved<br />
for important files and nodes, to support the deception. As<br />
a ruse, they honeypot has low security and is used either as an indicator<br />
or a diversion into a non-critical node designated for such<br />
uses, often filled with IC or spiders. In either case, the honeypot is<br />
often placed where a hacker can find it.<br />
Honeypots are often used in conjunction with patrolling<br />
IC that are scripted to watch for icons accessing the honeypot. A<br />
more advanced form of this strategy uses several honeypots that<br />
all appear identical to the actual important node or file, forcing an<br />
intruder to guess which is truly valuable and which is a trap.<br />
Layered access<br />
A spider can use an “onionskin” approach to security. In this<br />
method, the network is configured to have multiple gateways, each<br />
leading to the next. Unless the attacker can access the target node<br />
directly, she will be forced to work her way into a desired target<br />
one node at a time, slowing the attack and giving the system a<br />
chance to defend itself.<br />
Limiting account privileges<br />
Employees at a secure physical facility are not allowed to be<br />
in areas to which they do not require access as part of their jobs.<br />
Likewise, users in a secure system should not have access to actions<br />
that are not critical to their performance. A simple way to do this is<br />
to deny lower account levels the ability to do certain things, such<br />
as see some or all of the files or subscriptions in the node, making<br />
or accepting commcalls, running certain programs, etc.<br />
Likewise, accounts are often watched and/or restricted in<br />
terms of how many connections may be logged into them at a<br />
particular time. In this setup, the system assumes that if two<br />
or more entities are logged in under the same account, one of<br />
them is a hacker. This security feature is tempered by the fact<br />
Unwired<br />
that many users run autonomous agents, and these agents usually<br />
have access to their accounts. Nevertheless, some spiders<br />
configure their systems to automatically refuse any account<br />
login after the first, to closely scrutinize multiple logins, or at<br />
least limit simultaneous logins to a small amount in order to<br />
deter bots and malware.<br />
passkey checking<br />
A system that uses a passkey system will initiate an <strong>alert</strong><br />
when the access log shows the activities of a user that does not<br />
have a proper passkey, usually (System) Combat Turns after the<br />
start of the hacker’s intrusion. For many governments, corporations,<br />
and other entities that have spent serious budget on a<br />
passkey system, this is not soon enough. Adding patrolling IC<br />
or spiders, specifically Analyzing icons for the proper passkey,<br />
is good for shortening intrusion times to a few seconds, if that.<br />
See Passkeys, p. 64.<br />
protected access Log<br />
The access log does not offer much in the way of protection<br />
for a node, but it can help track down intruders after the fact.<br />
Disallowing the ability to see, read, or edit the access log to accounts<br />
below admin will help protect it against hackers. Another<br />
possibility is to Encrypt the log, if the node has the processing<br />
power to spare; this will only slow an attacker, however.<br />
Yet another possible but unwieldy solution is to store the access<br />
log in another node. This requires a dedicated link and node<br />
access on the other node, but might confuse an intruder enough<br />
to keep the data that the system collects about him.<br />
rebooting<br />
Shutting down a device and allowing it to reboot will<br />
remove an intruder from a node with a Complex Action. In<br />
fact, it will remove all users from the system at the end of the<br />
Combat Turn in which the Reboot was initiated. The system<br />
then begins to start up again the following Combat Turn (see<br />
Reboot, p. 221, SR4).<br />
However, it is not always feasible to reboot a node, even<br />
for a few seconds. Marketing computers, security control<br />
nodes, medical mainframes, Matrix traffic hubs, corporate<br />
work servers, and military analysis devices are all machines<br />
that have critical applications that require the system remain<br />
up and running.<br />
A system can be set to automatically reboot when an active<br />
<strong>alert</strong> is initiated, whether it be by the <strong>Firewall</strong>, IC, or a user<br />
with appropriate account access. This is not always desirable,<br />
and many systems leave the decision to reboot in the hands of<br />
a spider. High-priority nodes disable the rebooting option completely,<br />
and can only be rebooted by physically disconnecting the<br />
power from the hardware.<br />
remote Spider<br />
Having a spider on-site ensures that a system has a living person<br />
available and (usually) in the node, ready to handle security<br />
breaches. However, many spiders choose to work remotely. This<br />
allows them to confront intruders without the vulnerabilities that<br />
can be associated with an opponent in one’s node of residence (for<br />
example, if an intruder successfully hacks into a node and gains<br />
Simon Wentworth (order #1132857) 9<br />
73<br />
systeM security . . . . . . . . . . . . . . . . . . . . . . . . . . . . .