427 Botnet fm qxd



Botnets - The killer web applications

Audit Policies, ensure that the Security Setting for the following policies is set to Success, Failure:

Audit account logon events

Audit logon events

Audit account management

Audit policy change

Audit privilege use
www.syngress.com
Responding to Botnets • Chapter 12


This, coupled with the Internet firewall logs and network monitoring logs, will permit you or investigators to determine where attacks came from, which other machines might be part of the botnet, and which accounts have been compromised. If you are in an enterprise or organization, consider software that will centrally collect and protect the local event logs from your workstations. This would enable monitoring of brute force and password-guessing attacks in near real time.

Run a virus checker, especially on Windows. Your virus checker needs to be patched. We have nothing against commercial vendors, but free virus checkers do exist (here’s a hint: search Google for “free virus checker”). There is no reason to run unprotected.

Virus checkers may not do a good job checking for so-called spyware
or adware. Adware checkers exist, too. Use one.

Rename the Administrator account and disable the Guest account. Every password-guessing tool in the hacker inventory knows about these accounts and tries to break them. Don’t use account names like Track_Cash or others that beg to be owned.
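
The near-real-time monitoring of password guessing described above, sketched as an added example that is not from the book: it scans centrally collected logon events for sources with many failed logons in a short window and notes any account that source then logs on to. The record layout, the threshold and window values, and the sample data are assumptions; 4625 and 4624 are the failed and successful logon event IDs in current Windows Security logs.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

FAILED_LOGON, SUCCESSFUL_LOGON = 4625, 4624

# Constructed sample rows, shaped like an export from a central log collector:
# (timestamp, event id, target account, source address).
SAMPLE_EVENTS = [
    ("2024-05-01T09:00:0%d" % i, FAILED_LOGON, account, "198.51.100.7")
    for i, account in enumerate(["Administrator", "Guest", "Administrator",
                                 "admin", "Guest", "backup"])
] + [
    ("2024-05-01T09:00:30", SUCCESSFUL_LOGON, "backup", "198.51.100.7"),
    ("2024-05-01T09:10:00", FAILED_LOGON, "alice", "192.0.2.15"),  # user typo
    ("2024-05-01T09:10:20", FAILED_LOGON, "alice", "192.0.2.15"),
    ("2024-05-01T09:10:40", SUCCESSFUL_LOGON, "alice", "192.0.2.15"),
]


def find_password_guessing(events, threshold=5, window=timedelta(seconds=60)):
    """Return {source: alert} for sources with >= threshold failures in window.

    Each alert lists the accounts that were tried and any account the same
    source logged on to afterwards (a likely compromised account).
    """
    recent = defaultdict(deque)  # source -> (time, account) of recent failures
    alerts = {}
    for stamp, event_id, account, source in sorted(events):
        when = datetime.fromisoformat(stamp)
        if event_id == FAILED_LOGON:
            failures = recent[source]
            failures.append((when, account))
            # Drop failures that have aged out of the sliding window.
            while when - failures[0][0] > window:
                failures.popleft()
            if len(failures) >= threshold:
                alert = alerts.setdefault(source, {
                    "first_seen": failures[0][0],
                    "accounts": set(),
                    "compromised": set(),
                })
                alert["accounts"].update(name for _, name in failures)
        elif event_id == SUCCESSFUL_LOGON and source in alerts:
            alerts[source]["compromised"].add(account)
    return alerts


if __name__ == "__main__":
    for source, alert in find_password_guessing(SAMPLE_EVENTS).items():
        print(source, sorted(alert["accounts"]), sorted(alert["compromised"]))
```
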
Enterprise Practices
Here are some effective practices for users in enterprise environments to consider.

Use an intrusion detection system (IDS), as you need something watching your network. As two examples, ourmon, an anomaly detection system, watches for attacks that have unfortunately succeeded, while Snort watches for known attacks that will be repeated. Ourmon and Snort are complementary.

Any organization that does not have a firewall today is asking to be tagged with negligence damages related to many information technology losses. They are in the same position that the tugboat operator was in when the principle of “due care” was introduced. Firewalls of all shapes, sizes, and performance capabilities exist, and most organizations have them in place. Attack logs can be useful as long as they are reviewed and analyzed. A firewall is better if it denies everything and
