Unix & Security: 243 Days

If someone told you that, on average, an advanced attacker was on a system for 243 days before he was detected, would you fall off your seat? If so, then, fall off your seat.

243 days -- nearly eight months -- is the time that the typical advanced attack against a computer system goes unnoticed. This number comes from a report published by Mandiant, a leader in security incident response management, in mid-March of this year. Note: we're not talking just about Unix systems. This number refers to all kinds of systems.

Just think about this number -- 243. And keep in mind that it's an average. For many organizations, attackers may spend years gleaning information from their victims' systems before they are discovered. This is staggering! While this number may be shocking, it's actually down 173 days from the same measure computed a year or so earlier.

So, what do you do? First, you need to take the security of your systems very seriously. Very intense and very targeted attacks are being conducted on systems near you. The only questions are how near and how effective. You need to be proactive in managing your Unix systems. This is going to involve a number of very important steps and a lot of routine monitoring.

Ensuring good passwords by requiring periodic changes and configuring password complexity settings is just a start. You are also going to have to review accounts periodically for those that are no longer in use. Using last-login measures (e.g., the Unix last command) will help you spot accounts that have been abandoned. Also look for accounts that are not set to have their passwords expire. Make sure you know who all of your users are, or who can verify that they're all legitimate users, and verify the accounts periodically. One old account with a compromised password can provide the entry a hacker needs.

Understand the content of your servers. What are the most sensitive data they contain? Who has access to it? How is it protected? Are those protections functional? Never run services that aren't needed. Keep your host-based firewall running and current. Know what typical usage looks like on your servers.
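Two of the account checks above (passwords that never expire, and passwords that have not been changed in a long time) can be scripted against /etc/shadow. This is an added example, not code from the original post; it assumes a POSIX sh with coreutils, and the shadow lines it runs on by default are constructed with fake hashes.

```shell
#!/bin/sh
# Account review from a shadow-format file (run as root against /etc/shadow on a live
# host). Fields: name:hash:lastchg:min:max:warn:inactive:expire:reserved

# Constructed sample (fake hashes); used when no file is given
sample_shadow() {
    cat <<'EOF'
root:$6$fakehash1:19000:0:99999:7:::
alice:$6$fakehash2:19400:0:90:7:::
bob:$6$fakehash3:18000:0::7:::
svc:!:17000:0:99999:7:::
EOF
}

# A hash starting with '!' or '*' means the account is locked or has no password login
is_locked() { case "$1" in '!'*|'*'*) return 0 ;; esac; return 1; }

# nonexpiring_accounts FILE: unlocked accounts whose password never expires
# (max-age field empty or 99999), one name per line
nonexpiring_accounts() {
    while IFS=: read -r name hash lastchg min max rest; do
        is_locked "$hash" && continue
        if [ -z "$max" ] || [ "$max" = 99999 ]; then printf '%s\n' "$name"; fi
    done < "$1"
}

# stale_password_accounts FILE DAYS [TODAY]: unlocked accounts whose password was last
# changed more than DAYS ago, as "name age". TODAY is days since the epoch (default:
# now); pass it explicitly for reproducible output.
stale_password_accounts() {
    today=${3:-$(( $(date +%s) / 86400 ))}
    while IFS=: read -r name hash lastchg min max rest; do
        is_locked "$hash" && continue
        [ -z "$lastchg" ] && continue
        age=$(( today - lastchg ))
        if [ "$age" -gt "$2" ]; then printf '%s %s\n' "$name" "$age"; fi
    done < "$1"
}

# Usage: sh shadow-audit.sh /etc/shadow [DAYS]   (no argument: report on the sample)
shadow=${1:-}; days=${2:-180}
[ -n "$shadow" ] || { shadow=$(mktemp); sample_shadow > "$shadow"; }
echo "Unlocked accounts whose password never expires:"; nonexpiring_accounts "$shadow"
echo "Unlocked accounts with passwords older than $days days:"; stale_password_accounts "$shadow" "$days"
```

Pair the password-age report with the output of last or lastlog to catch accounts that are still valid but that nobody has used in months.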
Knowing what kind of activity is common will help you spot abnormal activity. Examine network connections from time to time. Be familiar with where your users are coming from and where outgoing connections are headed. If you can set up alarms that alert you when something out of the ordinary is occurring, you may get a head start on addressing a compromise.

Check permissions on key directories. Examine checksums on critical files and have a reliable system, or a reliable reference, that you can compare them to. Understand that, if your system is infected by a rootkit, you may not be able to rely on system executables. Have a spare set of critical commands available on media that cannot be compromised.

As Mandiant puts it, you need to make incident response a continuous practice. You must always be on the lookout for signs of compromise. Waiting until a system compromise smacks you in the face is going to put you in the "243 days" category. Have tools that can help you evaluate your systems and be practiced at using them. If the only time you think about where the emergency exits are is when your building is on fire, you're a lot less likely to get out in time. If the only time you cook a souffle is when your in-laws are coming to dinner, you'd better have a back-up plan. Similarly, if the only time you use security tools is when your manager or CEO is breathing down your neck because critical servers are being owned and proprietary data are flying out the door, you're not likely to make a very good impression.

Know what your organization's priorities are. Is yours a "get the system cleaned up and back online" shop? Or is it a "figure out what happened and what we might have lost" kind of shop? Have a plan for preserving evidence if that's important, and understand what steps you need to take to make sure your evidence will be seen as reliable. Understand that sometimes what you're looking for may be sitting in memory and nowhere else.
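The checksum baseline, the directory-permission check and the "trusted copy of your tools" advice above fit in one small script. This is an added example, not from the original post; it assumes GNU coreutils sha256sum and find, and the TRUSTED_BIN variable is my own convention for pointing at a known-good copy of sha256sum on read-only media.

```shell
#!/bin/sh
# Checksum baseline for critical files plus a world-writable-directory check.
# Set TRUSTED_BIN to a directory on read-only media (e.g. TRUSTED_BIN=/media/cdrom/bin)
# to run a known-good sha256sum instead of the host's, which a rootkit may have replaced.
TRUSTED_BIN=${TRUSTED_BIN:-}
sha256() { "${TRUSTED_BIN:+$TRUSTED_BIN/}sha256sum" "$@"; }

# baseline_create FILE... > baseline.txt   (keep the result off-host or on read-only media)
baseline_create() {
    for f in "$@"; do
        sha256 "$f"
    done
}

# baseline_verify baseline.txt: prints CHANGED/MISSING for every file that no longer
# matches the baseline; exit status 1 if anything differs, 0 if everything matches
baseline_verify() {
    rc=0
    while read -r sum path; do
        if [ ! -f "$path" ]; then
            printf 'MISSING %s\n' "$path"; rc=1
        elif [ "$(sha256 "$path" | cut -d' ' -f1)" != "$sum" ]; then
            printf 'CHANGED %s\n' "$path"; rc=1
        fi
    done < "$1"
    return "$rc"
}

# world_writable_dirs DIR: directories under DIR that anyone can write to and that lack
# the sticky bit (so /tmp-style 1777 directories are not reported)
world_writable_dirs() {
    find "$1" -type d -perm -0002 ! -perm -1000
}

# Usage: sh baseline.sh create /etc/passwd /etc/shadow /etc/ssh/sshd_config > baseline.txt
#        sh baseline.sh verify baseline.txt
#        sh baseline.sh dirs /etc
case "$1" in
    create) shift; baseline_create "$@" ;;
    verify) baseline_verify "$2" ;;
    dirs)   world_writable_dirs "$2" ;;
    *) printf 'usage: %s create FILE...|verify BASELINE|dirs DIR\n' "$0" ;;
esac
```

Run the verify step from cron and mail yourself only the non-empty reports; a CHANGED line for a file you did not touch is exactly the kind of signal the post says you should not wait 243 days to see.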
Be prepared with tools and techniques for analyzing your log files. Or, better yet, analyze your log files routinely and send yourself a summary of the findings. Like the tools that I use to send myself daily performance reports on critical servers, tools that help you identify what Mandiant calls Indicators of Compromise (IOCs) could be set up to let you know on a routine basis whether anything looks "off" on the systems you manage.

Periodically evaluate your systems for vulnerabilities. There are plenty of tools available, both free and commercial. Some will not only discover problems, but tell you how to fix them. Learn to use them. Get permission (so you don't get yourself in trouble) and start scanning some systems. And don't forget that some threats come from inside. Be alert to any indications that members of your own staff are attempting to elevate their privileges.

And, lastly but not leastly, read the critical reports -- like Mandiant's "2013 Threat Report" and its phenomenal coverage of "APT1: Exposing One of China's Cyber Espionage Units". Both of these reports are eye-opening and extremely relevant to information security today. And they're free. For the threat report, use this link to register, and a link will be emailed to you so that you can download a copy:

https://www.mandiant.com/resources/m-trends/#

Use this one to get a copy of the APT1 report:

http://intelreport.mandiant.com/?gclid=CN3e7vu52LcCFYuZ4AodMjEASg

Don't wait 243 days to find out that one of your systems has been compromised.
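Here is the shape of the routine log summary described above (failed logins by source, refused privilege escalation by your own users, and new accounts), as an added example that is not from the original post. It assumes syslog-style sshd, sudo, su and useradd lines as found on Linux; the sample lines are constructed and use RFC 5737 documentation addresses.

```shell
#!/bin/sh
# Daily auth-log summary in the spirit of the routine reports above. Reads
# syslog-style sshd/sudo/su/useradd lines; run it from cron and mail the output.

# Constructed sample lines (RFC 5737 addresses), used when no file is given
sample_log() {
    cat <<'EOF'
Mar 11 09:14:02 web1 sshd[2201]: Failed password for invalid user admin from 203.0.113.5 port 51234 ssh2
Mar 11 09:14:05 web1 sshd[2201]: Failed password for invalid user admin from 203.0.113.5 port 51240 ssh2
Mar 11 09:14:09 web1 sshd[2203]: Failed password for root from 203.0.113.5 port 51244 ssh2
Mar 11 09:18:40 web1 sshd[2290]: Failed password for sandra from 198.51.100.7 port 44010 ssh2
Mar 11 09:20:31 web1 sshd[2310]: Accepted publickey for sandra from 192.0.2.10 port 40022 ssh2
Mar 11 09:21:02 web1 sudo:   sandra : TTY=pts/0 ; PWD=/home/sandra ; USER=root ; COMMAND=/usr/bin/tail /var/log/auth.log
Mar 11 11:02:44 web1 sudo:     dave : command not allowed ; TTY=pts/1 ; PWD=/home/dave ; USER=root ; COMMAND=/bin/bash
Mar 11 11:03:10 web1 su[2450]: FAILED SU (to root) dave on pts/1
Mar 11 11:05:00 web1 useradd[2470]: new user: name=backup2, UID=1005, GID=1005, home=/home/backup2, shell=/bin/bash
EOF
}

# Failed SSH logins grouped by source address, most frequent first ("count address")
failed_logins_by_source() {
    awk '/sshd\[[0-9]+\]: Failed password/ {
             for (i = 1; i <= NF; i++) if ($i == "from") src[$(i + 1)]++
         }
         END { for (s in src) print src[s], s }' "$1" | sort -rn
}

# sudo/su attempts that were refused: a user trying to gain privileges they do not hold
refused_privilege_escalation() {
    grep -E 'sudo: .*(command not allowed|incorrect password attempts|NOT in sudoers|authentication failure)|su\[[0-9]+\]: FAILED SU' "$1" || :
}

# Accounts created, modified or removed (an unexpected new account is a classic IOC)
account_changes() {
    grep -E '(useradd|usermod|userdel)\[[0-9]+\]:' "$1" || :
}

auth_summary() {
    printf '== Failed SSH logins by source ==\n'; failed_logins_by_source "$1"
    printf '\n== Refused privilege escalation ==\n'; refused_privilege_escalation "$1"
    printf '\n== Account changes ==\n'; account_changes "$1"
}

# Usage: sh auth-summary.sh /var/log/auth.log   (no argument: report on the sample)
if [ -n "$1" ]; then
    auth_summary "$1"
else
    tmp=$(mktemp); sample_log > "$tmp"; auth_summary "$tmp"; rm -f "$tmp"
fi
```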

Read more of Sandra Henry-Stocker's Unix as a Second Language blog and follow the latest IT news at ITworld, Twitter and Facebook.
