continuous scans are expensive, they impact the network and the actual regulatory requirement driving the scans may dictate intervals of 30 days, 90 days or even more.

If you want to gain more security knowledge about your network, but you don't have the time, resources or permission to do a full scan every day, you can use your SIM, NIDS or NBAD to obtain a list of hosts that have changed.
Change detection can come in several forms
The simplest list is the detection of new IP addresses. A mature feature would be to identify truly new systems that have been added to the network as compared to identifying a laptop that has given up its DHCP (Domain Host Control Protocol) lease and obtained a new IP. Scanning these IP addresses lets you know what got added to the network. Consider performing a full scan of these devices because you don't know much about them, although a good SIM or NBAD may be able to fingerprint the device based on logs or network traffic.
Change can also come to an existing host in the form of new services. SIMs, NBADs and NIDS may have the ability to identify when a new port has been opened on a host, or generate an event when a firewall rule change is permitting traffic to a server that was not occurring before. Scanning these systems can help identify what the new service was.
Most SIMs can also detect internal changes. These types of changes include new software installation, applied software patches, configuration changes and new user accounts. Scanning these types of servers can help identify changes that have occurred and weakened security. For example, it's possible that applying some patches actually rolls back previous patch fixes and reintroduces security issues. However, most patches actually fix security issues and this type of rapid scanning can help you minimize exposure in your otherwise regular audit period.
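The three kinds of change above (new system versus DHCP re-lease, new service on an existing host, internal change) can be turned into a scan list mechanically. The following is an added example, not code from the article or from any SIM/NBAD product: it diffs two constructed host-inventory snapshots of the sort a SIM would export (field names, the MAC-based re-lease check and the scan profile names are all assumptions) and maps each class of change to the scan the text recommends.

```python
"""Classify host changes between two inventory snapshots and emit a scan list.

Added example (not from the article): both snapshots are constructed inline and
stand in for what a SIM, NIDS or NBAD would export. Field names are assumptions.
"""
from dataclasses import dataclass, field


@dataclass
class HostRecord:
    ip: str
    mac: str                                   # distinguishes a DHCP re-lease from a new system
    open_ports: set = field(default_factory=set)
    packages: set = field(default_factory=set)  # installed software, from host logs
    users: set = field(default_factory=set)     # local accounts, from host logs


# Constructed "yesterday" snapshot, keyed by IP.
BASELINE = {
    "10.0.0.10": HostRecord("10.0.0.10", "aa:bb:cc:00:00:10", {22, 80},
                            {"openssh-8.9", "nginx-1.18"}, {"root", "www"}),
    "10.0.0.11": HostRecord("10.0.0.11", "aa:bb:cc:00:00:11", {22},
                            {"openssh-8.9"}, {"root"}),
    "10.0.0.50": HostRecord("10.0.0.50", "aa:bb:cc:00:00:50", {445},
                            {"smb-4.15"}, {"alice"}),          # a laptop
}

# Constructed "today" snapshot.
CURRENT = {
    "10.0.0.10": HostRecord("10.0.0.10", "aa:bb:cc:00:00:10", {22, 80, 21},
                            {"openssh-8.9", "nginx-1.18", "vsftpd-3.0"}, {"root", "www", "ftp"}),
    "10.0.0.11": HostRecord("10.0.0.11", "aa:bb:cc:00:00:11", {22},
                            {"openssh-9.0"}, {"root", "backup"}),
    "10.0.0.51": HostRecord("10.0.0.51", "aa:bb:cc:00:00:50", {445},
                            {"smb-4.15"}, {"alice"}),          # same laptop, new DHCP lease
    "10.0.0.99": HostRecord("10.0.0.99", "aa:bb:cc:00:00:99", {3389},
                            set(), set()),                     # never seen before
}


def classify_changes(baseline, current):
    """Return a list of (ip, change_kind, detail) tuples."""
    changes = []
    known_macs = {h.mac: ip for ip, h in baseline.items()}
    for ip, host in current.items():
        if ip not in baseline:
            # New IP: a known MAC means the same machine re-leased; otherwise a new system.
            if host.mac in known_macs:
                changes.append((ip, "dhcp_release", f"same MAC as {known_macs[host.mac]}"))
            else:
                changes.append((ip, "new_system", "MAC never seen before"))
            continue
        old = baseline[ip]
        new_ports = host.open_ports - old.open_ports
        if new_ports:
            changes.append((ip, "new_service", sorted(new_ports)))
        internal = (host.packages - old.packages) | (host.users - old.users)
        if internal:
            changes.append((ip, "internal_change", sorted(internal)))
    return changes


# Scan profile per change kind (names are assumptions, not a scanner's real policy names).
SCAN_PROFILE = {
    "new_system": "full_port_scan_uncredentialed",      # unknown box: scan everything
    "new_service": "targeted_service_scan",             # find out what the new port is
    "internal_change": "credentialed_patch_and_config_audit",
    "dhcp_release": None,                               # same machine, covered by the regular audit
}


def scan_list(changes):
    """Map detected changes to scan jobs per IP, dropping DHCP re-leases."""
    jobs = {}
    for ip, kind, _detail in changes:
        profile = SCAN_PROFILE[kind]
        if profile is None:
            continue
        jobs.setdefault(ip, set()).add(profile)
    return jobs


if __name__ == "__main__":
    for ip, kind, detail in classify_changes(BASELINE, CURRENT):
        print(f"{ip:12} {kind:16} {detail}")
    print(scan_list(classify_changes(BASELINE, CURRENT)))
```

The MAC check is what separates a "truly new system" from a laptop that simply obtained a new address; without it every DHCP churn would trigger a full scan and the daily list would be mostly noise.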
Perform deeper scans on popular and trusted servers
Real-time security monitoring systems have a variety of methods they can use to monitor trust relationships. These can include analysis of NetFlow data, packet traces and system logs.
If you have limited time and resources for performing scans and you can obtain a list of these popular and trusted services, the ability to perform deeper audits of them can help maximize your overall auditing efforts.
Common services that everyone in an organization uses may include:
• Intranet data nodes such as trusted web sites, discussion portals, and Wikis
• Common mail servers
• Common file sharing servers
• Internally deployed chat servers and video conferencing.
The list in your organization depends on what type of network you have and what sort of applications your users have.
The point is to look deeper at the services that are being used by many people. For example, your scanner may have identified twenty-five FTP servers as having "Anonymous FTP" access enabled. If you are using a SIM or NBAD, you may realize that four of the twenty-five FTP servers are directly connected to the Internet and three others account for 95% of the Internet traffic. Using credentials to perform patch audits, performing full port scans, or configuring your scan to perform a more "thorough" test mode would be more in order for these more important FTP servers.
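The FTP example above can be reproduced from flow records: join the scanner's finding list against NetFlow-style (src, dst, port, bytes) records, flag servers reached from non-internal addresses, and find the few servers that carry 95% of the FTP bytes. This is an added example, not code from the article or from any NetFlow collector; the finding list, the flow records and the internal address ranges are constructed, and the scan profile strings are assumptions.

```python
"""Rank anonymous-FTP findings by Internet exposure and traffic share.

Added example (not from the article): the finding list and flow records are
constructed; a real deployment would pull them from the vulnerability scanner
and the NetFlow collector respectively.
"""
import ipaddress

# Constructed: hosts the scanner flagged with anonymous FTP enabled.
ANON_FTP_HOSTS = ["10.1.0.1", "10.1.0.2", "10.1.0.3", "10.1.0.4", "10.1.0.5", "10.1.0.6"]

# Constructed flow records: (src_ip, dst_ip, dst_port, bytes).
FLOWS = [
    ("198.51.100.7", "10.1.0.1", 21, 500_000),    # Internet client -> FTP server
    ("10.2.0.9",     "10.1.0.1", 21, 400_000),
    ("10.2.0.10",    "10.1.0.2", 21, 9_000_000),  # heavy internal use
    ("10.2.0.11",    "10.1.0.2", 21, 1_000_000),
    ("203.0.113.5",  "10.1.0.3", 21, 50_000),     # Internet client, little traffic
    ("10.2.0.12",    "10.1.0.4", 21, 30_000),
    ("10.2.0.12",    "10.1.0.5", 21, 10_000),
    ("10.2.0.13",    "10.1.0.6", 22, 5_000_000),  # SSH, not the FTP service
]

# The organization's own ranges (assumption: RFC 1918 only). Anything else is
# treated as Internet; this avoids relying on ipaddress.is_global, which marks
# the documentation ranges used in the sample data as non-global.
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_internet_address(ip):
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def ftp_traffic_profile(hosts, flows, port=21):
    """Per flagged host: total bytes to the FTP port and whether any Internet source reached it."""
    stats = {h: {"bytes": 0, "internet_facing": False} for h in hosts}
    for src, dst, dport, nbytes in flows:
        if dst in stats and dport == port:
            stats[dst]["bytes"] += nbytes
            if is_internet_address(src):
                stats[dst]["internet_facing"] = True
    return stats


def top_talkers(stats, share=0.95):
    """Smallest set of hosts, heaviest first, whose FTP bytes reach `share` of the total."""
    total = sum(s["bytes"] for s in stats.values())
    chosen, running = [], 0
    for host, s in sorted(stats.items(), key=lambda kv: kv[1]["bytes"], reverse=True):
        if running >= share * total:   # also handles total == 0 (nothing chosen)
            break
        chosen.append(host)
        running += s["bytes"]
    return chosen


def scan_plan(stats, share=0.95):
    """Assign the deeper scan mode to Internet-facing or high-traffic servers."""
    heavy = set(top_talkers(stats, share))
    plan = {}
    for host, s in stats.items():
        if s["internet_facing"] or host in heavy:
            plan[host] = "thorough: credentialed patch audit + full port scan"
        else:
            plan[host] = "standard: default scan policy"
    return plan


if __name__ == "__main__":
    profile = ftp_traffic_profile(ANON_FTP_HOSTS, FLOWS)
    for host, mode in scan_plan(profile).items():
        print(f"{host:10} bytes={profile[host]['bytes']:>10} "
              f"internet={profile[host]['internet_facing']!s:5} -> {mode}")
```

On the constructed data the two heaviest servers carry 95% of the FTP bytes and two others are reachable from the Internet, so three of the six get the thorough profile and the rest stay on the regular audit cycle. Note that 10.1.0.6 shows zero FTP bytes even though it is busy, because only flows to port 21 are counted; a server whose anonymous FTP service nobody uses is a lower priority than one everyone reads from.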
www.insecuremag.com 14