Is there an Intruder in my Computer?
by Larry Rogers
Understanding the ways you can secure your home has much in common with understanding how to protect the security of your computer network. Let's look at the parallels. Imagine that it's summertime, and you are getting ready to go on vacation. This year is a little different, though, because over the last few months you've bought a new DVD player, a big-screen TV, and a computer. You decided to beef up your home security by contracting the services of a security company. They've installed a system intended to guard the perimeter of your house. With everything now secure, you head for the beach and a week away from cell phones, beepers, email, and your boss! When you come home, all looks well; the TV, DVD player, and computer are all where you left them. There were no calls from the security company, so it's safe to assume that your house wasn't broken into and robbed, right? That seems like a reasonable conclusion.
Let's add to that scenario fresh tire marks on the lawn, a broken pane of glass from a door, and a report from the security company that an alarm went off. Now you are sure that somebody tried to break in. Did they get in, and, if so, what did they do?
You check the house and everything looks normal, that is, everything is as you remember it. Nothing was moved or disturbed, as nearly as you can tell. You conclude that even though there was a break-in, nothing was taken. You fix the window, reseed the lawn, thank the security company for their information, and move on.
You might have drawn the wrong conclusion, though. The thieves didn't steal the big items, preferring instead to take smaller ones, like the ring that was in your bedroom jewelry box. You remember that ring - it was a gift from your grandmother. Since you only wear it on special occasions, you probably won't notice it's gone until you want to wear it again. Even then, you might not connect its loss with the break-in.
So, how would you know if anything had been stolen or tampered with by someone breaking into your house? That's a tough question. You could take pictures all around your house to help jog your memory should there be a break-in. Would that have helped you to determine that your grandmother's ring had been stolen?
In order to remember all of the items around your house and know where they were, you'd need to photograph literally every inch. That's an almost impossible task. Moreover, every time you left for a few days (or even a few hours), you'd have to re-take every picture so that you would catch recent changes on film. It might be fun to do once or twice, but the process would get old quickly.
Video surveillance is another way to record the events around your house. Assuming everything is installed properly, works as designed, and the video tape does not run out, a video log file can help you understand what happened while you were away. Again, constantly videotaping every inch of your house is a daunting task, and it can be fairly expensive.
Now let's switch from the scenario of a home break-in to a computer break-in. How would you know if an intruder tried to break into your computer, if they were successful, and ultimately what they did once they broke in?
Just as you needed to take photos of all items in your house to be able to detect unwanted changes, you need to have a record of every file, directory, device and setting on your computer. Similarly, as the videotapes show the changes that took place while you were gone, you need a log of the changes that happened while your computer was running.
Additionally, just as you are aware from the videotapes that it's normal for the mail carrier to come to your door at about noon every day, you need to be aware of what events are normal for your computer.
Do you know these things about your computer system? Do you have a list of all of the files, directories, devices, and settings? Do you know how they change as the system and applications run? Do you know what is normal and, conversely, what is unexpected and therefore potentially a sign of an intrusion? If you don't, how would you know if you've had a break-in to your system? And if you have had a break-in, would you be able to figure out what the intruder did?
This process of identifying all files, directories, devices, and settings, as well as keeping a log of their changes and some understanding of normalcy, is called characterizing a system. While it is pretty easy to create these lists, it's not as simple to know how they change as your system runs.
It should be easy, though, because somebody does know, and you ought to be able to use their knowledge to help characterize your system. Do you have any idea who keeps this information? How about the operating systems and applications vendors? After all, they either wrote the programs you're running or they have access to the source code used to create them. They can identify which files, directories, and devices change so you can decide which changes are normal. Now, if only vendors would tell you what to expect when your system runs!
Is this reasonable information to expect from a software vendor? Let's look at vendors from other industries. Take the automobile industry for example. In my owner's manual - the one that's supposed to be in the glove compartment - it says "Under certain driving conditions such as heavy stop and go traffic, or driving up hills in hot weather, the [engine coolant temperature gauge] pointer may indicate at the top of the NORMAL band. This is also acceptable." What's more, the owner's manual goes on to tell me what to do when the pointer is out of the NORMAL band. They are telling owners what constitutes normal and how to react to an abnormal condition.
Now, go look at the documentation for one of your applications. Does it tell you what happens to your system when you run that application? Does it tell you, for example, whether it creates files somewhere in the file system or that running 1,000 instances at the same time may cause your system to slow to a crawl? Probably not.
What are you - the vigilant systems administrator - to do? In this period of time before the vendors provide you with the information you need to understand and secure your systems, you'll need to figure all of this out yourself.
First, you'll need to characterize the operating system and its applications in a pseudo-production test environment. That usually means acquiring systems that you'll use to understand what happens once they're released for production use. Set them up and run them as you would in production.
Next, you'll need some characterization software. There are both commercial and freeware products. One popular tool for characterizing a system is TripWire from tripwiresecurity.com. It is multi-platform and some versions even come with source code. There are many other tools with similar functionality. These all fall under the general category of host-based intrusion detection tools. Try an Internet search using that phrase to see what other tools are available.
Finally, you put it all together and learn what files, directories, devices, and settings are on your systems and how they change over time. In your controlled test environment, you'll learn what is normal. Be aware though that once your system goes into production, you'll probably learn more about what constitutes normal because no matter how good your test systems are, they only approximate your production environment. That's all right; just seek to understand this new set of changes and incorporate them into your characterization.
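A minimal, Tripwire-style characterization in Python, added here as an illustration (it is not code from the article or from any Tripwire release): take_baseline records permissions, owner, size and a SHA-256 content hash for every path under a root, and compare reports what was added, removed, or altered since the baseline. The demo function builds a constructed scratch tree and then alters it; the attribute set and the scratch file names are assumptions made for the example.

```python
import hashlib
import os
import stat
import tempfile
from pathlib import Path

def file_record(path):
    """Attributes this baseline keeps per path: permissions, owner, size, content hash."""
    st = os.lstat(path)
    rec = {"mode": stat.S_IMODE(st.st_mode), "uid": st.st_uid, "size": st.st_size}
    if stat.S_ISREG(st.st_mode):  # hash regular files only; dirs and links carry no payload
        h = hashlib.sha256()
        with open(path, "rb") as f:
            for chunk in iter(lambda: f.read(65536), b""):
                h.update(chunk)
        rec["sha256"] = h.hexdigest()
    return rec

def take_baseline(root):
    """Walk root and record every file and directory, keyed by relative path."""
    baseline = {}
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            full = os.path.join(dirpath, name)
            baseline[os.path.relpath(full, root)] = file_record(full)
    return baseline

def compare(baseline, current):
    """Report paths added, removed, or changed, naming the attributes that differ."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    changed = {}
    for path in set(baseline) & set(current):
        diff = sorted(k for k in set(baseline[path]) | set(current[path]) if baseline[path].get(k) != current[path].get(k))
        if diff:
            changed[path] = diff
    return {"added": added, "removed": removed, "changed": changed}

def demo():
    """Constructed scratch tree: baseline it, alter it, then compare."""
    root = Path(tempfile.mkdtemp())
    (root / "etc").mkdir()
    (root / "etc" / "passwd").write_text("root:x:0:0\n")
    (root / "notes.txt").write_text("hello\n")
    before = take_baseline(root)  # in practice, store this copy somewhere read-only
    # Same size, different bytes: size and mode still look normal; only the hash differs.
    (root / "etc" / "passwd").write_text("toor:x:0:0\n")
    (root / "notes.txt").unlink()
    (root / "etc" / "extra.conf").write_text("x\n")
    return compare(before, take_baseline(root))
```

Directory entries may also show a size change on filesystems whose directory size tracks the entry count, which is exactly the kind of "is this normal here?" question the article says you learn the answer to in the test environment.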
Now, files, directories, devices, and settings are really only a part of the complete characterization of a computer system. Other attributes to look at are
- running programs: What resources do they consume, and at what times do they run? For example, if your file system backup programs were running at 11 a.m., would that be considered normal? How about a word processor that has already used ten hours of CPU time?
- network traffic: If your email server suddenly starts making HTTP connections to another computer system, is that normal? What if the flow of web traffic suddenly increases by an order of magnitude; is that normal?
- performance: Would you know if your web server was "slow" today relative to other days? How many transactions can your transaction server handle?
- the operating system itself: Intruders are actively changing how the operating system works so that applications work differently even though they remain unchanged. Imagine what would happen if the operating system call that executes a program was changed to execute a different program instead.
Unfortunately, the tools available to check these attributes are not as mature as those that check the files, directories, devices, and settings. Nevertheless, as a vigilant systems administrator, you need to account for these other attributes in your full system characterization.
Alas, it's summertime again and you're looking forward to some relaxing time away from your normal routine. You've noted where things are in your house, and you've employed that security company to keep an eye on your perimeter. At the office, you've also taken the time to learn more about your systems, and you feel confident that you know how they work and what constitutes normal. Your coworkers will use this newfound characterization to watch these systems during your absence. Next stop: the beach!