File integrity tools can detect unauthorized modifications to critical system files and data.
You suspect that a hacker got into your network. But how do you know if any data was damaged or changed? Even worse: you have no idea that a hacker got into your network, but accounting just called and found a really strange discrepancy in the books.
What people think: If a hacker gets into our network and does damage, it’ll be obvious.
What we think: It’s easy to tell you’ve been hacked if the hacker changes your company Web page. But what if he breaks in and subtly changes a few files? What if the programs you use to check up on your system (the ones that list processes, files and logins) have been replaced by hacked versions that hide the hacker’s activities, which is exactly what a rootkit does? How will you know?
File integrity tools help determine whether critical system and data files have been tampered with or altered. They record a baseline (a cryptographic hash plus the permissions, owner and size of each monitored file) and periodically compare the live system against it. When a monitored file no longer matches its baseline, the integrity checker sends out some type of alert (an email, a message to a pager, and so on). Some integrity systems will automatically replace the tampered file with a copy that’s known to be safe; that copy, like the baseline itself, has to be kept somewhere the intruder can’t reach, or it will be replaced along with everything else. This process can help detect and recover from intrusions. It can also help with general system problems such as corruption due to hard drive failure.
Many situations that might result in the destruction of data can be identified, remedied, and possibly prevented with file integrity tools. Most of the major file integrity tools ship with a default policy that first makes sure critical system files haven’t been altered. Under Windows, this means the registry, startup files (autoexec.bat), and many of the files that live in the Windows or WinNT directory, especially the major system libraries (dynamic link libraries, DLLs). It might also include major Microsoft programs such as Outlook, Word, and Excel. Under UNIX systems, the core files are the system configuration files (/etc), the boot files (the kernel), the standard system programs (/bin, /sbin), the standard libraries (/lib), and some critical user applications (/usr/bin, /usr/lib, /usr/sbin).
Past the basics, the rest is up to the administrator to configure. Checking every file for changes is not an option: logs, spool directories and temporary files change constantly and would drown real alerts in noise, while many other files simply don’t matter. The administrator will usually have to approve every change to a monitored file before it becomes part of the new baseline, including changes made by legitimate patches and upgrades. This can be a timesink, so finding the right balance between monitoring enough to catch tampering and monitoring so much that nobody reads the alerts is important. Two further points matter: the baseline must be taken on a system known to be clean (ideally right after installation), and the baseline and the checker itself should be stored where an intruder can’t modify them, such as on read-only media, since a hacker who can alter the baseline can make any change look legitimate.
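As an added example (not code from the book or from any particular product), here is a minimal file integrity checker in Python that does what the passage above describes: it takes a baseline of the hash, permissions, owner and size of every file under the monitored directories, compares the live system against it later, reports files that were added, removed or modified, lets the administrator approve specific changes into a new baseline, and signs the baseline with an HMAC so that a doctored baseline is rejected. The key, the directory layout, the file contents and the three tampering steps in demo() are constructed for the demonstration; the paths are not real system paths.

```python
import hashlib
import hmac
import json
import os
import shutil
import stat
import tempfile

# Hypothetical key that authenticates the stored baseline (constructed for this example).
# Keep the real key and the baseline off the monitored host or on read-only media;
# otherwise an intruder who alters the files can re-sign the baseline to match.
BASELINE_KEY = b"example-baseline-key-not-for-production"


def fingerprint(path):
    """Hash a file's contents and record the metadata an intruder is apt to change."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    st = os.lstat(path)
    return {"sha256": h.hexdigest(), "mode": stat.S_IMODE(st.st_mode),
            "uid": st.st_uid, "size": st.st_size}


def walk(roots):
    """Yield every regular file under the monitored roots; symlinks are skipped."""
    for root in roots:
        for dirpath, _, names in os.walk(root):
            for name in names:
                p = os.path.join(dirpath, name)
                if os.path.isfile(p) and not os.path.islink(p):
                    yield p


def sign(entries):
    """Serialise the entries and attach an HMAC so a doctored baseline is detectable."""
    body = json.dumps(entries, sort_keys=True)
    return {"entries": body, "hmac": hmac.new(BASELINE_KEY, body.encode(), hashlib.sha256).hexdigest()}


def build_baseline(roots):
    """Snapshot of the known-good state; take it on a freshly installed, clean system."""
    return sign({p: fingerprint(p) for p in walk(roots)})


def baseline_is_authentic(baseline):
    expected = hmac.new(BASELINE_KEY, baseline["entries"].encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, baseline["hmac"])


def load_baseline(baseline):
    if not baseline_is_authentic(baseline):
        raise ValueError("baseline signature mismatch: the baseline itself was altered")
    return json.loads(baseline["entries"])


def check(baseline, roots):
    """The periodic run: report files added, removed or modified since the baseline."""
    old = load_baseline(baseline)
    new = {p: fingerprint(p) for p in walk(roots)}
    return {"added": sorted(set(new) - set(old)),
            "removed": sorted(set(old) - set(new)),
            "modified": sorted(p for p in set(old) & set(new) if old[p] != new[p])}


def approve(baseline, paths):
    """Administrator accepts the listed changes; every other finding stays open."""
    entries = load_baseline(baseline)
    for p in paths:
        if os.path.isfile(p):
            entries[p] = fingerprint(p)
        else:
            entries.pop(p, None)
    return sign(entries)


def demo():
    """Constructed scenario: a tiny fake bin/ and etc/ tree, then four kinds of change."""
    root = tempfile.mkdtemp()
    layout = {"bin/ps": b"#!/bin/sh\nexec /real/ps \"$@\"\n",
              "etc/passwd": b"root:x:0:0:root:/root:/bin/sh\n",
              "etc/motd": b"welcome\n"}
    for rel, data in layout.items():
        p = os.path.join(root, rel)
        os.makedirs(os.path.dirname(p), exist_ok=True)
        with open(p, "wb") as f:
            f.write(data)
        os.chmod(p, 0o644)
    baseline = build_baseline([root])
    # 1. ps replaced by a trojan of exactly the same size: a size check misses it, the hash does not.
    with open(os.path.join(root, "bin/ps"), "wb") as f:
        f.write(layout["bin/ps"].replace(b"/real/ps", b"/tmp/.ps"))
    # 2. passwd content untouched but made world-writable: a metadata-only change.
    os.chmod(os.path.join(root, "etc/passwd"), 0o666)
    # 3. A file deleted, and 4. a new startup script dropped in.
    os.remove(os.path.join(root, "etc/motd"))
    with open(os.path.join(root, "etc/rc.local"), "wb") as f:
        f.write(b"/tmp/.backdoor &\n")

    def rel(paths):
        return sorted(os.path.relpath(p, root) for p in paths)

    first = {k: rel(v) for k, v in check(baseline, [root]).items()}
    # The administrator reviews the report and accepts only the new rc.local.
    baseline = approve(baseline, [os.path.join(root, "etc/rc.local")])
    second = {k: rel(v) for k, v in check(baseline, [root]).items()}
    shutil.rmtree(root)
    return {"first": first, "second": second}
```

The first report lists bin/ps and etc/passwd as modified, etc/rc.local as added and etc/motd as removed; after the administrator approves rc.local, only that finding disappears. The HMAC protects the baseline file, not the checker: if the host's kernel or libraries have been trojaned, the checker's own reads can be lied to, which is why the chapter's warning about replaced system programs applies to the integrity tool as well, and why running the check from a boot of trusted, read-only media is the conservative choice.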
The above information is the start of a chapter in "Network Security Illustrated," published by McGraw-Hill and available from amazon.com, as well as your local bookstore. The book goes into much greater depth on this topic.