STE WILLIAMS

Indian spooks snooping without ISP knowledge


India’s authorities are carrying out wide-ranging and indiscriminate internet surveillance of their citizens thanks to secret intercept systems located at the international gateways of several large ISPs, according to The Hindu.

The Chennai-based paper claimed after an investigation that Lawful Intercept and Monitoring (LIM) systems had been deployed by the Centre for Development of Telematics (C-DoT), in violation of the government’s own communications and privacy rules.


The LIMs are fully owned and operated by the government, unlike similar systems deployed by mobile operators which have to comply with Section 5(2) of the Indian Telegraph Act and Rule 419(A) of the IT Rules, it said.

In 2006 the government apparently released “Instructions for ensuring privacy of communications”, which forced all ISPs to employ “nodal officers” to regularly liaise with the authorities on interception requests. However, in reality few ISPs have such staff and the LIMs are operated without any consultation with them in any case, The Hindu claimed.

As a result no ISP contacted by the paper was able to confirm if it had ever received an authorisation letter for the monitoring of internet content.

The LIMs in question are apparently installed between the edge router and core network and have 100 per cent indiscriminate access to the online activity of India’s 160 million internet users with an “always live” link, so spooks can operate without legal oversight or ISP knowledge.

The authorities are therefore able to monitor not just by email address, URL or IP address but by broad keyword or text searches, the paper said.

Nine security agencies are apparently involved including the Intelligence Bureau (IB) and the Research and Analysis Wing (RAW).

The government was not able to provide any clarity about who, if anyone, sends the interception requests, or who authenticates and implements them.

The news comes as New Delhi finalises a much more widely publicised surveillance system – the Rs.4 billion (£47.8m) Centralised Monitoring System (CMS).

The CMS, which has been branded as “chilling” by Human Rights Watch and is the subject of a popular Stop ICMS campaign, has hit several delays due to missing software and gaps in its coverage, but is expected to be pushed through.

The Indian government has shown itself to be pretty uncompromising when it comes to matters of “national security”, as BlackBerry can attest after its long battle over providing spooks with access to customer comms.


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/09/09/india_surveillance_intercept_isp_covert/

Monday review

Get yourself up to date with everything we’ve written in the last seven days – it’s weekly roundup time.

General interest

Facebook privacy, Google security bug, Law Enforcement victories – 60 Sec Security [VIDEO]

Sophos honoured with Partnership Award by Queensland Police

Nokia is dead. Long live Nokia!

US Army ignores shared PC login flaw, asks soldiers to keep quiet

Hacking and scams

Anatomy of a phish – a “generic mass targeted attack” against WordPress admins

Law and order

15 years jail time for Romanian card heist ringleader, 5 for light-fingered company president

Lawyers report steep rise in employee data theft cases

Cyberextortion by US gov, or simple P2P security lapse by medical firm?

Social networks

Has Facebook violated its 2011 Federal Trade Commission settlement?

Does posting photos of your child on Facebook make you a bad parent? [POLL]

Another 5 tips to help keep you safe on Facebook

Twitter makes good on promise to make abuse reports easier and more obvious

Facebook vulnerability that allowed any photo to be deleted earns $12,500 bounty

Cryptography

Faces, gestures, heartbeats – how will the passwords of the future work?

OS and software

Get ready: Microsoft Patch Tuesday looms large with 14 patches and 8 remote code execution holes

Google coding glitch locks Apple iOS users out of on-line accounts

Privacy and online safety

Database of illegal downloaders – are British ISPs to become the “music NSA”?


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/RY1VL5To58g/

Data broker Acxiom lifts skirt, reveals your private bits


One of the world’s largest data brokers, Acxiom, has posted a project that either allows people to correct errors in their data, or turns individuals into mechanical turks working on an unpaid data quality project.

Acxiom collects data from a vast range of sources and on-sells it in a portfolio of products aimed at marketers. The low-profile company’s critics describe it as a cynical hoarder of personal data, a charge the company resists.


It does, however, admit it has a problem, with CEO and President Scott Howe writing last Friday that “Companies like ours haven’t historically done a good job of educating people on what we do with data about them. Largely because of that, misperceptions abound.”

Acxiom’s answer is a new site, AboutTheData.com, that lets Americans look up and correct data themselves, but only after a detailed sign-on process that includes collecting the last four digits of their social security number.

Howe promises that sign-on data is not used for marketing purposes, even if the rest of the data is only there for that reason.

That data has now sparked controversy for a different reason: it’s rubbish.

As Forbes reports, Acxiom’s data has qualities that will be depressingly familiar to any database administrator: it’s full of errors that range from the minor to the hilarious.

The Forbes article notes that in a small sample of individuals looking at their dossiers, errors ranged from nationality, household income, purchase habits, marital status, number of children – pretty much everything. As Penn State professor Adam D Smith said, “the data they had on me stank”.

As is noted by one of the Forbes interviewees, the service also means punters will be donating their time and effort to correcting datasets held by one of the world’s largest data brokers. The company is also criticised for opening only a couple of dozen of the hundreds of data points it holds on individuals.

AboutTheData also lets visitors install an opt-out cookie that blocks advertising targeted on Acxiom’s brokered data. It won’t block the ads: the company warns that someone with the opt-out cookie installed will simply receive “generic” advertising instead. Since the howlers in its dataset included a Georgian biology and anatomy teacher outed as a buyer of plus-size lingerie, the generic option would probably be an improvement.


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/09/08/acxiom_lifts_skirt_shows_secrets/

5 Signs Of Trouble In Your Network

Whether to improve performance, gather business intelligence or detect security threats, log management boils down to three steps: Collect the logs, store the data, and analyze the data to identify patterns.

Yet, while the collection and analysis of log data is one of 20 critical security controls identified by the SANS Institute, most companies do not regularly collect and analyze their logs unless required by regulations. With so much data, information-technology professionals can be confused as to where to start, says Nicole Pauls, product manager for SolarWinds, a maker of IT management and monitoring software.

“When people come to log management, they are flooded with a lot of data,” she says. “What people are trying to find are the anomalies, the patterns that hint at something going on, but it’s difficult.”

Good security log analysis revolves around four principles, says Ben Feinstein, director of operations and development for Dell SecureWorks’ Counter Threat Unit. First, companies need to monitor the right logs, including data from firewalls, virtual private networking (VPN) appliances, Web proxies and DNS servers. Next, the security team must collect data on what “normal” looks like inside the company’s network. Third, analysts must identify the indicators of attacks in their log files. Finally, the security group must have a procedure for responding to incidents identified by log analysis.

“Just pulling all these logs into your SIEM systems is not going to get you anywhere if your security team does not know what bad or suspicious looks like to your monitoring system,” Feinstein says.

Here are five types of events that companies should be checking, according to security experts.

1. User access anomalies
The Windows security log and the records of Active Directory domain controllers are a good first stop to finding malicious activity on the network. Changes in permissions, users logging in remotely from unknown locations, and users accessing one system and using that system to access another are all possible signs of malicious activity, says Kathy Lam, product marketing manager for HP ArcSight.

“When we look at the types of attacks and how hackers have been getting into the environment, they have typically been inside a network posing as a user for months to longer than a year,” she says. “By really looking at the baseline and seeing how current activity deviates from that can really pinpoint attacks.”

Especially important are privileged accounts, those users that have administrator permissions on various systems in the network. Because those accounts have more power in the network, they should be monitored more closely.


2. Patterns that match threat indicators
Companies should also run comparisons between the data in their logs and whatever indicators of compromise they are able to obtain, whether through established blacklists or a more complete threat-intelligence service, says SecureWorks’ Feinstein.

Threat indicators can help companies identify suspicious IP addresses, host names, domain names, and malware signatures in firewall, DNS server or Web proxy logs.

“Web proxy logs are a powerful point of visibility into the Web traffic that is traversing your network, how your endpoint systems are reaching out to the Web,” he says.

3. Configuration changes outside the “window”
Attackers that have gained access to a system will typically try to change configurations to further compromise and gain a more certain foothold in the network.

Because most companies restrict configuration changes to a defined time each week, month or quarter, malicious configuration changes, whether made to open the system up to attack or just to turn off logging, can be a clear sign that an attack is in progress, says Sanjay Castelino, vice president with SolarWinds.

“Those changes typically happen inside a very narrow window, and so if there are changes happening to the configuration outside of that window, you are going to want to know,” he says.

Such analysis helps where inspecting the change itself does not. The rules created to manage security products are typically very complex, and it can be difficult to tell whether a rule change is malicious by simple analysis, says Castelino. Instead, security teams will find it easier to flag any changes made outside of a specific maintenance window, he says.

4. Strange database transactions
Because databases are such an important part of a company’s infrastructure, the business should monitor database transactions to detect malicious activity. A query that attempts to select and copy a large range of data, for example, should be more closely scrutinized.

Monitoring database communications on the wire is not enough, however. While logging transactions can hamper database performance, a journal of what transactions actually occurred becomes invaluable during investigations of whether a compromise resulted in a successful data breach, says Rob Kraus, director of research for security-management firm Solutionary’s Engineering Research Team (SERT).

“When clients ask us what records were accessed and what records can we prove were not accessed, the trail leads up to the database,” he says. “If they were not logging, it makes it a real challenge. In the end, unless you are logging database transactions, you cannot say which records were touched.”

5. New device-user combinations
Before mobile devices and the bring-your-own-device trend, companies could treat any new devices connecting to the network as suspicious. Now, that’s no longer a good indicator, says SolarWinds’ Castelino.

Instead, companies should link devices to their users, and treat changes as incidents, he says.

“You probably still want to flag a device, but you may want to flag devices and users together,” he says. “Because if I bring my tablet to work, no one else should be logging in with it.”
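To make the five checks concrete, here is an added example, not code from the article or from any of the vendors quoted in it, that runs each indicator type over a handful of constructed log records. The baseline (which networks each user logs in from, which device belongs to whom), the indicator list, the maintenance window and the row-count threshold are all assumptions chosen for the example; a real deployment would learn the baseline from history and take indicators from a feed.

```python
"""Toy log triage over constructed sample events.

Added example, not code from the Dark Reading article or from any vendor
quoted in it. It runs the five indicator types the article lists against
hand-made records: a learned baseline of who logs in from where and which
device belongs to whom, a stand-in threat-indicator list, an approved change
window, and a row-count threshold for database queries. Every user, host,
address, domain and event below is constructed for the example.
"""
from datetime import datetime, time
import ipaddress

# Sign 2: stand-in for a blacklist or threat-intelligence feed (TEST-NET-3 and .example).
IOC_IPS = {"203.0.113.77"}
IOC_DOMAINS = {"update-check.example"}

# Sign 3: the only period in which configuration changes are approved (local time).
MAINTENANCE_WINDOW = (time(22, 0), time(23, 59))

# Sign 4: a single query returning more rows than this gets a second look.
LARGE_QUERY_ROWS = 100_000

# Signs 1 and 5: baseline assumed to have been learned from past logs.
BASELINE_USER_NETS = {
    "alice": [ipaddress.ip_network("10.0.0.0/8")],
    "bob": [ipaddress.ip_network("10.0.0.0/8")],
}
DEVICE_OWNER = {"alice-laptop": "alice", "bob-tablet": "bob"}

# Constructed events; "type" selects which rules apply.
EVENTS = [
    {"ts": "2013-09-09 09:12:00", "type": "logon", "user": "alice", "src": "10.1.2.3", "device": "alice-laptop"},
    {"ts": "2013-09-09 03:40:00", "type": "logon", "user": "bob", "src": "198.51.100.9", "device": "bob-tablet"},
    {"ts": "2013-09-09 10:05:00", "type": "logon", "user": "alice", "src": "10.1.2.3", "device": "bob-tablet"},
    {"ts": "2013-09-09 10:06:00", "type": "proxy", "user": "alice", "dst_host": "update-check.example", "dst_ip": "203.0.113.77"},
    {"ts": "2013-09-09 11:00:00", "type": "group_change", "user": "bob", "group": "Domain Admins"},
    {"ts": "2013-09-09 14:30:00", "type": "config", "user": "domadmin", "change": "audit policy: logging disabled"},
    {"ts": "2013-09-09 22:15:00", "type": "config", "user": "domadmin", "change": "firewall rule added"},
    {"ts": "2013-09-09 16:45:00", "type": "db", "user": "webapp", "rows": 250_000, "query": "SELECT * FROM customers"},
]


def in_change_window(ts):
    """True if the timestamp falls inside the approved maintenance window."""
    t = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S").time()
    return MAINTENANCE_WINDOW[0] <= t <= MAINTENANCE_WINDOW[1]


def triage(events):
    """Return (sign, reason, event) findings; events matching nothing are dropped."""
    findings = []
    for ev in events:
        kind = ev["type"]
        if kind == "logon":
            src = ipaddress.ip_address(ev["src"])
            known_nets = BASELINE_USER_NETS.get(ev["user"], [])
            if not any(src in net for net in known_nets):
                findings.append((1, "logon from outside the user's baseline networks", ev))
            owner = DEVICE_OWNER.get(ev["device"])
            if owner is None:
                findings.append((5, "device never seen before", ev))
            elif owner != ev["user"]:
                findings.append((5, "device belongs to another user", ev))
        elif kind == "group_change":
            findings.append((1, "permission change", ev))
        elif kind == "proxy":
            if ev["dst_host"] in IOC_DOMAINS or ev["dst_ip"] in IOC_IPS:
                findings.append((2, "destination matches a threat indicator", ev))
        elif kind == "config":
            if not in_change_window(ev["ts"]):
                findings.append((3, "configuration change outside the maintenance window", ev))
            if "logging disabled" in ev["change"]:
                findings.append((3, "logging turned off", ev))
        elif kind == "db":
            if ev["rows"] >= LARGE_QUERY_ROWS:
                findings.append((4, "query returned an unusually large result set", ev))
    return findings


def count_by_sign(findings):
    """Summarise findings as {sign number: count}."""
    counts = {}
    for sign, _, _ in findings:
        counts[sign] = counts.get(sign, 0) + 1
    return counts


if __name__ == "__main__":
    for sign, reason, ev in triage(EVENTS):
        print("sign %d  %s  %s  %s" % (sign, ev["ts"], ev["user"], reason))
```

Run it and the in-window firewall change at 22:15 produces nothing, while the same administrator turning off audit logging at 14:30 is flagged twice: once for being outside the window and once for what it changed. The alert on alice logging in from bob's tablet is the device-user pairing Castelino describes; the device alone would look perfectly normal.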


Article source: http://www.darkreading.com/monitoring/5-signs-of-trouble-in-your-network/240160980

Anatomy of a phish – a “generic mass targeted attack” against WordPress admins

Naked Security reader Lisa Goodlin is a website designer and a WordPress user.

That’s not exactly a secret.

If you happen to visit one of the sites she looks after, you’ll probably see her name and a link to her own website discreetly placed at the bottom of every page, as I’ve done on this site I made up to use as an example:

And why not?

It’s not just handy for Lisa as a spot of advertising, it’s handy for anyone who spots a problem with the site and wants to report it.

So that tells you she’s a web designer; finding out that she’s probably also a WordPress user (aside from the fact that it’s a good guess, being a very popular content management system for blogs and web servers) is similarly easy.

Just try adding /wp-admin to the website’s fully qualified domain name, and see if you end up redirected to a WordPress login page, something like this:

Once you get this far, you can be pretty sure that:

  1. The contact address on lisagoodlin.com is a working address that will reach someone in the business of caring for websites.
  2. luresite.example is one of lisagoodlin.com’s customers.
  3. Sending emails to (1) about WordPress issues on site (2) would not be entirely out of the ordinary.

And that’s exactly what phishers did to Lisa, in what I like to call a “generic mass targeted attack.”

We’ll assume that they don’t know Lisa from a bar of soap, and that they aren’t targeting her because she’s Lisa Goodlin. (Sorry, Lisa: I don’t mean to imply you are unimportant!)

They’re targeting Lisa simply because their web crawler identified her business as a website design company that uses WordPress.

That gives them a way to phish her more believably than just hitting her up randomly, out of the blue.

What happens next

The phishers’ rogue back end server is surprisingly simple.

On a compromised web server belonging to an innocent third party, the crooks have set up some PHP scripts that simulate a wp-admin login page.

Visiting a realistic looking URL like this (don’t bother trying it: 192.0.2.0/24 is an IP range reserved for documentation only):

  http://192.0.2.62/blog/wp-login.php?
    redirect_to=http://luresite.example/wp-admin/reauth=1

produces a realistic looking login screen like this, tailored with the text luresite.example:

Of course, it should be obvious that something is wrong, not least because the domain luresite.example looks familiar but the starting domain, 192.0.2.62, does not.

Nevertheless, if you’re in a hurry, or just trying to tidy up a few loose ends for your customers before bedtime, you might not look carefully enough at the URL, and instead rely on two other factors:

  • The presence of the text luresite.example, which lends familiarity because it’s your customer.
  • The look and feel of the login screen, which is visually correct because it’s ripped off from WordPress.

If you fall for the phish, the username and password you enter are sent to the crooks, not to the luresite.example server.
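A practical version of the URL check the article describes, as an added example rather than anything from the original post: before following a login link, ask whether the host is one of the sites you manage, or whether a familiar domain merely appears somewhere else in the URL, as luresite.example does in the redirect_to parameter of the lure above. MY_SITES is an assumed list of administered sites; the hosts used when the script is run are documentation-only names and addresses.

```python
"""Decide whether a login link really points at a site you manage.

Added example, not code from the Naked Security article. It applies the
check the article describes (is the host the familiar domain, or does the
familiar domain merely appear elsewhere in the URL?) to any link before you
follow it. MY_SITES is an assumed list of sites the administrator looks
after; luresite.example and 192.0.2.62 are the documentation-only name and
address used in the article.
"""
import ipaddress
from urllib.parse import urlsplit, unquote

# Assumed: the sites this administrator is responsible for.
MY_SITES = {"luresite.example", "lisagoodlin.com"}


def is_my_site(host):
    """True for one of our sites or a subdomain of it.

    'luresite.example.evil.example' is not ours: it neither equals nor
    ends in '.luresite.example'.
    """
    return any(host == s or host.endswith("." + s) for s in MY_SITES)


def mentioned_sites(parts):
    """Our site names appearing anywhere in the URL other than as the real host:
    in the userinfo (user@host), in a lookalike hostname, in the path, or in a
    redirect_to-style query value, as in the article's lure."""
    haystack = unquote(parts.netloc + parts.path + "?" + parts.query).lower()
    return {s for s in MY_SITES if s in haystack}


def classify(url):
    """Return (verdict, detail); verdict is ok, http-only, decoy, foreign or invalid."""
    parts = urlsplit(url.strip())
    host = (parts.hostname or "").lower()
    if parts.scheme not in ("http", "https") or not host:
        return ("invalid", "not an http(s) URL")
    if is_my_site(host):
        if parts.scheme != "https":
            return ("http-only", "one of our sites, but the password would travel in clear text")
        return ("ok", host)
    # Not ours. Say so plainly when the "domain" is just an IP address.
    try:
        ipaddress.ip_address(host)
        host_desc = host + " (bare IP address)"
    except ValueError:
        host_desc = host
    decoys = sorted(mentioned_sites(parts))
    if decoys:
        return ("decoy", "host %s is not ours, but the URL names %s" % (host_desc, ", ".join(decoys)))
    return ("foreign", "host %s is not ours" % host_desc)


if __name__ == "__main__":
    LURE = "http://192.0.2.62/blog/wp-login.php?redirect_to=http://luresite.example/wp-admin/reauth=1"
    for link in (LURE,
                 "https://luresite.example/wp-login.php",
                 "https://luresite.example.attacker.example/wp-admin/"):
        print(classify(link))
```

The lure from the article comes back as a decoy: the host is a bare IP address, and the only place luresite.example appears is inside the redirect_to value. The same rule catches the user@host trick (luresite.example@203.0.113.5) and lookalike hostnames, because the search covers the whole URL except the part that actually decides where the browser connects.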

Casting the bait

The next step the phishers need to take is to persuade you to click through to the login page.

And what better way of attracting a WordPress user’s attention than by means of a notification about a pending website comment?

Any switched-on web site operator who has enabled comments on a customer’s site will be putting regular and frequent effort into keeping the comments flowing: it’s a great way to attract and build an online community, and it’s fun, too.

Using comment bait is exactly what Lisa’s phishers did; fortunately, their creativity and attention to detail fell apart at this point, and she received an email like this:

It was for amusement rather than pedagogic value that Lisa sent the phish to us – as she herself put it, “‘Sing in’! Yes, let’s all get together and sing Kumbayah!”

But it wouldn’t take much effort for the crooks to produce something significantly more believable.

What to do?

You probably frequently see emails that are obviously bogus but which nevertheless make you think, “However did they know that?”

It might be a DHL scam just after you make an online purchase from a company that uses DHL, or a promised tax refund soon after you submit your annual return, or (as in this case) an email that happens to match both your content management system and your customer.

Whenever this happens, I suggest you actually stop and take the time to answer.

Treat the rhetorical question literally and you’ll quickly realise that there are often many ways that “they could have known.”

In Lisa’s case, it was simply that her domain name was listed on a website that happens to use WordPress.

Here are some other steps you can take:

  • Don’t use login links provided in emails. It’s too easy to make a mistake.
  • Consider managing your customers’ websites from inside their networks via a full-blown Virtual Private Network (VPN), so you don’t need to leave the website administration portal visible to the world.
  • Consider using two factor authentication for remote logins, so that your password alone isn’t enough for the crooks.
  • Remember that “Sing ins” are for church choirs and choral societies, not for WordPress administrators.

More about two factor authentication

By the way, for a discussion of how two factor authentication helps protect you in cases of this sort, you might like to listen to this Techknow podcast:

(15 April 2013, duration 16’25”, size 9.9MBytes)

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/eb7UadClCBo/


Get ready: Microsoft Patch Tuesday looms large with 14 patches and 8 remote code execution holes

In the coming week, Friday falls on the thirteenth day of the month.

That used to be a bad omen in computer security circles, because of the association with computer viruses that deliberately chose that date to unleash their warheads.

These days, however, it doesn’t tell you much more than that Tuesday is the Tenth, making it the second Tuesday of the month, and thus a Patch Tuesday.

Get ready: September’s Patch Tuesday has 14 bulletins, eight of which are listed as fixing remote code execution vulnerabilities.

The biggie is Bulletin Three, a “spare no versions” Internet Explorer (IE) update.

From IE 6 on Windows XP to IE 10 on Windows 8, including Windows 8 RT, this one hits the Patch Trifecta: it is considered critical, permits remote code execution, and requires a reboot.

At the other end of the risk scale, Server Core installations benefit once again from their reduced attack surface area, with no critical or remotable vulnerabilities reported.

(Windows 2008 R2 Service Pack 1 Server Core will, however, require a reboot to fix an Elevation of Privilege bug listed as important.)

There are four sorts of security flaw patched this month, so let’s take this opportunity to revise the implications of each vulnerability type.

Remote code execution

An RCE is the most serious sort of vulnerability.

It means that content supplied from outside your network, such as a web page or email, can trick your computer into running executable code that would usually require explicit download and installation.

This bypasses any security warnings or “are you sure” dialogs, and can lead to what’s called a drive-by download, where just visiting a webpage or viewing an image could lead to infection with malware.

Elevation of privilege

EoP vulnerabilities allow a user or process to perform activities usually reserved for more privileged accounts.

Often, an EoP will allow regular users to convert themselves temporarily into an administrator, which pretty much means that all security bets are off.

With administrator privileges, untrusted users may be able to change file access permissions, add backdoor accounts, dump confidential databases, bypass many of the security protections on the network, and even alter logfiles to hide their tracks.

If an EoP vulnerability is combined with an RCE, an attacker may be able to take over your account while you’re browsing, and then make the leap to Administrator once they’re in.

Information disclosure

An information disclosure vulnerability, or leak, happens when software inadvertently lets you retrieve data that ought to be protected.

If passwords or similar data are leaked, this could facilitate future attacks; if confidential data is recovered, this could lead to corporate embarrassment or even data breach penalties.

Denial of service

A DoS is just what it sounds like: by needlessly consuming computing resources, or by deliberately provoking a crash of vulnerable software, you compromise the availability of a system.

DoSes are often considered to be at the bottom of the severity scale, since they don’t usually allow unauthorised access or lead directly to the exfiltration of confidential data.

Nevertheless, DoSes can be very costly, because they may hamper your ability to do business online, cost you revenue, or mask other parts of an attack.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/jSO_-Byr1MM/

Facebook privacy, Google security bug, Law Enforcement victories – 60 Sec Security [VIDEO]

