June 09, 2013, 11:03 PM — 243 days -- nearly eight months -- is the time that the typical advanced attack against a computer system goes unnoticed. This number comes from a report published by Mandiant, a leader in security incident response management, in mid-March of this year.
NOTE: And we're not talking just Unix systems. This number refers to all kinds of systems.
Just think about this number -- 243. And keep in mind that it's an average: at many organizations, attackers spend years gleaning information from their victims' systems before they are discovered. This is staggering! Shocking as this number is, it is actually 173 days lower than the same measure computed a year or so earlier.
So, what do you do?
First, you need to take the security of your systems very seriously. Very intense and very targeted attacks are being conducted on systems near you. The only questions are how near and how effective. You need to be proactive in managing your Unix systems. This is going to involve a number of very important steps and a lot of routine monitoring.
Ensuring good passwords by requiring periodic changes and configuring password complexity settings is just a start. You also need to review accounts periodically for those that are no longer in use. Last-login data (i.e., the Unix last command) will help you spot accounts that have been abandoned. Also look for accounts whose passwords are not set to expire. Make sure you know who all of your users are, or who can verify that they are all legitimate, and verify the accounts periodically. One old account with a compromised password can provide the entry a hacker needs.
Understand the content of your servers. What are the most sensitive data they contain? Who has access to it? How is it protected? Are those protections functional? Never run services that aren't needed. Keep your host-based firewall running and current.
Know what typical usage looks like on your servers. Knowing what kind of activity is common will help you spot abnormal activity. Examine network connections from time to time. Be familiar with where your users are coming from and where outgoing connections are headed. If you can set up alarms that alert you when something out of the ordinary is occurring, you may get a head start on addressing a compromise.
Check permissions on key directories. Compute checksums of critical files and keep a reliable reference copy of those checksums, stored somewhere an attacker cannot alter, so that you can compare the current values against it.
Understand that if your system is infected by a rootkit, you may not be able to rely on its system executables. Keep a spare set of critical commands on media that cannot be compromised.
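The checksum baseline and the "don't trust the on-disk tools" point above, as an added example that is not part of the original post: one function records checksums of critical files, the other re-checks them and reports anything changed or missing. It assumes GNU sha256sum is available; the SHA256 variable is a hypothetical hook for pointing it at a trusted copy on read-only media instead of the system binary.

```shell
#!/bin/sh
# Added example: baseline and verify checksums of critical files.
# SHA256 may be set to a trusted copy of sha256sum (e.g. on read-only media),
# since a rootkit may have replaced the one installed on the system.
SHA256=${SHA256:-sha256sum}

# make_baseline BASELINE FILE...
# Record the current checksum of each FILE in BASELINE. Store BASELINE
# off the host or on read-only media so an intruder cannot rewrite it.
make_baseline() {
    baseline=$1; shift
    "$SHA256" "$@" > "$baseline"
}

# verify_baseline BASELINE
# Recompute every checksum listed in BASELINE and print a line for each
# file that is now missing or whose checksum differs from the stored one.
# Returns 0 when everything still matches, 1 when anything has changed.
verify_baseline() {
    baseline=$1
    changed=0
    while read -r sum path; do
        if [ ! -e "$path" ]; then
            echo "MISSING  $path"
            changed=1
            continue
        fi
        cur=$("$SHA256" "$path" | cut -d' ' -f1)
        if [ "$cur" != "$sum" ]; then
            echo "CHANGED  $path"
            changed=1
        fi
    done < "$baseline"
    return $changed
}
```

Run make_baseline once on a known-good system, then schedule verify_baseline and alert on a non-zero exit status.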
As Mandiant puts it, you need to make incident response a continuous practice. You must always be on the lookout for signs of compromise.