[650] in Intrusion Detection Systems
Re: Question. (Was re:hacker's intro)
daemon@ATHENA.MIT.EDU (J.R.Valverde (jr))
Thu Feb 29 10:28:51 1996
Date: Mon, 26 Feb 1996 10:53:27 +0100 (WET)
From: "J.R.Valverde (jr)" <JRVALVERDE@Samba.cnb.uam.es>
To: ids@uow.edu.au
Reply-To: ids@uow.edu.au
>It is my understanding that most of them in the 75% are either bribed or
>getting revenge, so what can you do?
>
Well, you can't (or shouldn't) try to find out the incentivized
ones prospectively. But you can't find out external hackers'
interests either. That's not the point.

What I think one has to do is to look (as for external hackers)
for unauthorized accesses. Obviously you can't catch a CEO who tells his
or her friends about the latest company policies. Hell, s/he may even have
devised them but not put them on paper or computer yet.

But one should be able to find out about the assistant or secretary
that accesses documents s/he shouldn't. On the typical system, security
is so low that almost anyone can see anyone else's work (or passwords).

But, as with external crackers, you can expect a pattern of behaviour.
A system that can point out strange 'legal' access patterns would
be useful:

- if some sensitive one who always leaves at 6 suddenly has accesses
at late hours it may be worth a look
- if someone accesses a sensitive file he almost never (or never)
accesses, it could be interesting to look at
- you can (on serious systems) monitor access to specific files and
raise alarms when some specific people access them
- one should be able to totally hide the file system structure a
user sees so s/he can't see anything s/he shouldn't, and even some things
should only be 'partially' seen in a transparent way
- well, not only files, almost any object in the system should be
access controllable, e.g. jobs that are running, tapes, programs...
- even for databases and files, there should be support for access
levels and a capability to monitor transgressions or attempts

That won't be enough, but may help you:

- restrict the intelligence an insider can gain about what other
people are doing
- detect forbidden accesses to information
- detect unusual activity/access patterns that may reflect "apparently
legit" espionage

An example: a peasant that uses 'ps' all too frequently and whose
use increases in parallel with management activities might be trying to
know what these people are doing. He may not see their data, but that
could be enough for a competing company to make decisions and deduce their
intentions.

A warning bell that some regular-hours user begins to log in
after hours may mean s/he's got an unusual task, but could also mean
someone saw his/her password on a desk and is accessing his/her data when
the legal user can't notice. Then a simple call could rule out any of
these possibilities.

And so on: it's just like with external hackers, only you extend
it to monitor internal usage too. And that you modify or restrict some
tools (e.g. ps) so users can't see anything they shouldn't.

I'm afraid this all means one should consider moving to a higher
security level system (beyond class C), but that's where our work is: showing
management the perils they run and the possible solutions, getting them
to push on to get a safer environment.

I mean: while they don't pay more attention to security and stay
happy believing Windows NT is "secure" (C2 in single non-networked user
mode is enough?) it will be very difficult to detect any insider or prove
anything at all reliably enough.
jr
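The three patterns the post singles out (after-hours logins by a regular-hours user, first-time access to a sensitive file, and a burst of `ps` usage above the user's own history) can all be checked against a per-user baseline. The following is an added illustration, not code from the post or the list; the audit-trail format, the user names, the file paths and the two-hour slack are constructed for the example.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample audit trail: (timestamp, user, action, object).
LOG = [
    ("1996-02-19 09:05", "alice", "login", "-"),
    ("1996-02-19 10:00", "alice", "exec", "ps"),
    ("1996-02-20 09:20", "bob", "login", "-"),
    ("1996-02-20 11:00", "bob", "open", "/hr/salaries.db"),
    ("1996-02-26 23:40", "alice", "login", "-"),              # after hours for alice
    ("1996-02-26 23:45", "alice", "open", "/hr/salaries.db"),  # never touched before
    ("1996-02-26 23:46", "alice", "exec", "ps"),
    ("1996-02-26 23:47", "alice", "exec", "ps"),              # above her daily peak of 1
    ("1996-02-26 09:15", "bob", "login", "-"),                # bob: business as usual
    ("1996-02-26 09:35", "bob", "open", "/hr/salaries.db"),
]
SENSITIVE = {"/hr/salaries.db"}   # files whose first-time access rings a bell

def build_baseline(events, cutoff):
    """Per-user login hours, files opened and peak daily ps count before cutoff."""
    hours, files = defaultdict(set), defaultdict(set)
    ps, peak = defaultdict(int), defaultdict(int)
    for ts, user, action, obj in events:
        t = datetime.strptime(ts, "%Y-%m-%d %H:%M")
        if t >= cutoff: continue
        if action == "login":
            hours[user].add(t.hour)
        elif action == "open":
            files[user].add(obj)
        elif action == "exec" and obj == "ps":
            ps[(user, t.date())] += 1
            peak[user] = max(peak[user], ps[(user, t.date())])
    return hours, files, peak

def find_anomalies(events, cutoff_day, slack=2):
    """Flag after-hours logins, first access to sensitive files and ps bursts."""
    cutoff = datetime.strptime(cutoff_day, "%Y-%m-%d")   # history ends here
    hours, files, peak = build_baseline(events, cutoff)
    ps_now, alerts = defaultdict(int), []
    for ts, user, action, obj in events:
        t = datetime.strptime(ts, "%Y-%m-%d %H:%M")
        if t < cutoff: continue
        if action == "login" and hours[user]:   # no history: nothing to compare
            lo, hi = min(hours[user]) - slack, max(hours[user]) + slack
            if not lo <= t.hour <= hi:
                alerts.append((user, "after-hours login", ts))
        elif action == "open" and obj in SENSITIVE and obj not in files[user]:
            alerts.append((user, "first access to " + obj, ts))
        elif action == "exec" and obj == "ps":
            ps_now[(user, t.date())] += 1
            if ps_now[(user, t.date())] == peak[user] + 1:   # fires once a day
                alerts.append((user, "ps usage above earlier daily peak", ts))
    return alerts
```

Every alert is only a prompt for the "simple call" the post mentions; bob's access to the same salary file raises nothing because it is part of his own history.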