Computerworld - One nice thing about tuning intrusion-detection sensors is that once you've eliminated most of the false positives, you can focus on the events. With tuning done, alerts are more likely to be active attacks.
I've gotten our sensors tuned to the point where I've picked out a half-dozen alerts that are to be sent to my pager automatically via e-mail. This week I was alerted to an Nmap stealth scan coming from an IP address at one of our technical support centers in Florida. (Nmap, or Network Mapper, is a freely available port-scanning tool.) I was able to resolve that IP address to a Linux firewall machine. Using the MAC address (the unique hardware address assigned to an interface card) of the source system provided in the alert, I traced the scan to a user's machine.
That's what's nice about switched Ethernet: I can use the MAC address to discover which switch port the target computer is attached to and trace it all the way down to the exact office jack.
I asked the user's manager to question the employee. Unfortunately, our new acceptable-use policy is still awaiting legal review, so we would have a hard time taking administrative action against the user. His intent wasn't malicious, however. He was testing an application and using the Nmap utility to see if the server on which he had installed the software was responding. He agreed not to use such tools in the future without receiving prior approval.
Reinforcements on the Way
Our staffing dilemma finally ended this week with the hiring of two security engineers. One starts today, and the other in a few weeks. I plan on transferring all intrusion-detection duties to them. That should free me to concentrate on engineering and architecture issues, such as the upcoming implementation of Siebel 7 for customer relationship management. It was painfully obvious that a lack of security was one of the main delays and a cause of great grief in our recent PeopleSoft implementation.
I want to ensure that security is addressed early on this time. I've advised the project manager to think about security early and often, and as a result I'm being invited to a couple of meetings per week. But I've had to miss some of them because of my staff shortage.
On the upside, managing the intrusion-detection sensors afforded me the opportunity to quickly learn many aspects of our networked environment. For instance, I had to meet with the Domain Name System (DNS) administrator to address one problem,
Free Insider GuideCopyright © 1994 - 2012 Computerworld Inc. All rights reserved. Reproduction in whole or in part in any form or medium without express written permission of Computerworld Inc. is prohibited. Computerworld and Computerworld.com and the respective logos are trademarks of International Data Group Inc.
