Network Security Illustrated

File Integrity
File integrity tools can detect unauthorized modifications to critical system files and data.

You suspect that a hacker got into your network. But how do you know if any data was damaged or changed? Even worse: you have no idea that a hacker got into your network, but accounting just called and found a really strange discrepancy in the books.

What people think: If a hacker gets into our network and does damage, it’ll be obvious.

What we think: It’s easy to tell you’ve been hacked if the intruder defaces your company Web page. But what if he breaks in and subtly changes a few files? What if the very programs you use to check up on your system (ls, ps, netstat, the login program) have been replaced by trojaned versions that hide the intruder’s activity? How will you know?


File integrity tools help determine whether critical system and data files have been tampered with or altered. They work from a baseline: a database of cryptographic checksums and attributes (permissions, owner, size, link target) for each monitored file, recorded while the system is known to be clean. On each run the checker recomputes those values and compares them with the baseline; when a monitored file differs unexpectedly it raises an alert (an email, a pager message, and so on). Some integrity systems will automatically replace the altered file with a copy that is known to be good. This process can help detect and recover from intrusions, and it also catches ordinary system problems such as corruption caused by a failing hard drive. Two caveats matter in practice. First, the baseline database and the checker itself must be kept where an intruder cannot rewrite them (read-only media, a separate host, or at least a signed database), because an attacker who can update the baseline simply approves his own changes. Second, automatic restoration should be used with care: it can destroy the evidence an investigation needs, and it can fight legitimate software updates.

Many situations that might result in the destruction of data can be identified, remedied, and possibly prevented with file integrity tools. Most of the major file integrity tools will first make sure that critical system files haven’t been altered. Under Windows, this means the registry, startup files (autoexec.bat), and many of the files that live in the Windows or WinNT directory, especially the major system libraries (Dynamic Link Libraries, DLLs). It might also include major Microsoft programs such as Outlook, Word, and Excel. Under UNIX systems, the core files are the system configuration files (/etc), the boot files (the kernel), the standard system programs (/bin, /sbin), the standard libraries (/lib), and some critical user applications (/usr/bin, /usr/lib, /usr/sbin).

Past the basics, what else to monitor is up to the administrator. Checking every file for changes is not an option: some files (logs, spool and cache directories, temporary files) change constantly, while others are simply not important. Every change to a monitored file has to be reviewed and approved before it is accepted into the baseline, which takes time, so the aim is to monitor enough to catch meaningful tampering without burying the administrator in approvals of routine changes.
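The following is an added example, not code from the book or from any particular integrity product, showing the mechanism the two passages above describe: a baseline of per-file fingerprints under chosen roots, an exclusion list for files that change routinely, a comparison that reports added, removed and changed entries, the administrator's selective approval of a change, and a sealed baseline (an HMAC with a key that is assumed to live off the monitored host) so that an intruder who edits the database is caught. The fake /etc it checks, the file contents, the key "demo-key" and the exclusion pattern are all constructed for the demonstration.

```python
import fnmatch, hashlib, hmac, json, os, stat, tempfile
from pathlib import Path

# Fields compared between baseline and current state. mtime is recorded but not
# compared: anyone who can rewrite a file can also reset its timestamp.
COMPARED = ("type", "mode", "uid", "gid", "size", "sha256", "target")

def fingerprint(path: Path) -> dict:
    """Metadata plus content hash for one entry; symlinks are not followed."""
    st = path.lstat()
    entry = {"type": stat.S_IFMT(st.st_mode), "mode": stat.S_IMODE(st.st_mode),
             "uid": st.st_uid, "gid": st.st_gid, "mtime": int(st.st_mtime)}
    if stat.S_ISLNK(st.st_mode):
        entry["target"] = os.readlink(path)
    elif stat.S_ISREG(st.st_mode):
        entry["size"] = st.st_size
        h = hashlib.sha256()
        with path.open("rb") as f:
            for chunk in iter(lambda: f.read(1 << 16), b""):
                h.update(chunk)
        entry["sha256"] = h.hexdigest()
    return entry

def scan(roots, exclude=()) -> dict:
    """Fingerprint everything under `roots`, skipping paths matching a glob in `exclude`."""
    def skip(p):
        return any(fnmatch.fnmatch(p.as_posix(), pat) for pat in exclude)
    paths = []
    for root in map(Path, roots):
        paths.append(root)
        if root.is_dir() and not root.is_symlink():
            for dirpath, dirnames, filenames in os.walk(root):  # does not follow symlinks
                dirnames[:] = [d for d in dirnames if not skip(Path(dirpath) / d)]
                paths += [Path(dirpath) / n for n in dirnames + filenames]
    return {p.as_posix(): fingerprint(p) for p in sorted(paths) if not skip(p)}

def save_baseline(db: Path, entries: dict, key: bytes) -> None:
    """Store the baseline as JSON plus an HMAC-SHA256 tag; keep the key off the monitored host."""
    body = json.dumps(entries, sort_keys=True, separators=(",", ":"))
    tag = hmac.new(key, body.encode(), "sha256").hexdigest()
    db.write_text(json.dumps({"tag": tag, "entries": body}))

def load_baseline(db: Path, key: bytes) -> dict:
    """Refuse a baseline whose tag does not verify: it was altered after it was sealed."""
    doc = json.loads(db.read_text())
    expected = hmac.new(key, doc["entries"].encode(), "sha256").hexdigest()
    if not hmac.compare_digest(expected, doc["tag"]):
        raise ValueError(f"{db}: baseline integrity check failed")
    return json.loads(doc["entries"])

def compare(baseline: dict, current: dict) -> dict:
    """Classify differences; 'changed' maps a path to the fields that differ."""
    report = {"added": [], "removed": [], "changed": {}}
    for path in sorted(set(baseline) | set(current)):
        if path not in baseline:
            report["added"].append(path)
        elif path not in current:
            report["removed"].append(path)
        else:
            diff = [f for f in COMPARED if baseline[path].get(f) != current[path].get(f)]
            if diff:
                report["changed"][path] = diff
    return report

def demo() -> tuple:
    """Constructed scenario (not real data): baseline a fake /etc, tamper with it, re-check."""
    with tempfile.TemporaryDirectory() as tmp:
        etc, db, key, excl = Path(tmp) / "etc", Path(tmp) / "baseline.json", b"demo-key", ["*/motd"]
        etc.mkdir()
        for name, text in {"passwd": "root:x:0:0:root:/root:/bin/sh\n", "shadow": "root:*:19000:0:99999:7:::\n",
                           "hosts.allow": "sshd: 10.0.0.0/8\n", "motd": "welcome\n"}.items():
            (etc / name).write_text(text)  # motd changes routinely, so it is excluded
        (etc / "shadow").chmod(0o600)
        save_baseline(db, scan([etc], excl), key)
        # Intruder: same-length edit (size unchanged), loosened perms, a preload hook, a deletion.
        (etc / "passwd").write_text("root:x:0:0:root:/root:/bin/zz\n")
        (etc / "shadow").chmod(0o644)
        (etc / "ld.so.preload").write_text("/tmp/evil.so\n")
        (etc / "hosts.allow").unlink()
        (etc / "motd").write_text("noise\n")
        current, passwd = scan([etc], excl), (etc / "passwd").as_posix()
        report = compare(load_baseline(db, key), current)
        # Admin reviews and approves only the passwd edit; the rest stays flagged.
        still_flagged = compare({**load_baseline(db, key), passwd: current[passwd]}, current)
        # Intruder re-baselines passwd to hide the edit, but cannot recompute the tag.
        doc = json.loads(db.read_text())
        entries = json.loads(doc["entries"])
        entries[passwd] = current[passwd]
        doc["entries"] = json.dumps(entries, sort_keys=True, separators=(",", ":"))
        db.write_text(json.dumps(doc))
        try:
            load_baseline(db, key); sealed = False
        except ValueError:
            sealed = True
    def names(d):  # strip the temp-dir prefix so results are readable
        return {k: [Path(p).name for p in v] if isinstance(v, list)
                else {Path(p).name: f for p, f in v.items()} for k, v in d.items()}
    return names(report), names(still_flagged), sealed
```

Calling demo() returns the first report (passwd flagged on its hash alone, since its size did not change; shadow flagged on mode; ld.so.preload added; hosts.allow removed; motd silent because it is excluded), the report after the administrator accepts only the passwd change, and True for the tampered baseline being rejected. A real deployment would run scan() from read-only media or a trusted host rather than from the machine being checked, and would keep the HMAC key away from root on that machine.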

More Information

The above information is the start of a chapter in "Network Security Illustrated," published by McGraw-Hill and available from amazon.com, as well as your local bookstore. The book goes into much greater depth on this topic.