Deep down inside, we all wish for a single solution that will protect our machine or our network completely, forever and ever, preferably one that can be activated with a simple flick of a switch and then promptly forgotten. Beautiful as it is, this fantasy is something we must shake off so that we can concentrate on reality.
The reality is that even successful hackers are not omnipotent, nor do they usually come, hack, and leave without a trace. We actually have multiple tools at our disposal that we must start combining to get a clear picture of what’s normal, so that we can notice when it’s not. We have to realize that attack prevention is attainable in most cases, and start looking.
Roger Grimes has some good advice on that subject. He says that log files are your best friends when it comes to detecting malicious activities. Turn logging on, and monitor the files. Turn it on not only on your servers, but on the users’ workstations as well, and don’t fall into the trap of configuring the system to send you an alert message every time something minor happens – you will be more likely to ignore the important ones if you get hundreds of irrelevant messages every day.
Another thing worth doing often is scanning for hacking tools such as sniffers, password crackers, MitM tools, and others.
Also look at patterns in the network traffic – workstation-to-server and server-to-workstation is normal; server-to-server, workstation-to-workstation or workstation-to-multiple-servers could be an indication that something is wrong.
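The traffic-pattern heuristic above, together with the earlier point about not alerting on every minor event, can be turned into a small baseline check. The following Python script is an added example, not code from the article or from Roger Grimes: it classifies each flow by the roles of its endpoints, reports each unexpected pairing only once rather than once per packet, and collapses a workstation's contacts with many distinct servers into a single aggregated finding. The host inventory, the flow records and the fan-out threshold of 3 are all constructed assumptions.

```python
"""Flag network flows that deviate from the workstation<->server baseline."""
from collections import defaultdict

# Constructed inventory (assumption): which hosts are workstations and which are servers.
ROLES = {
    "10.0.1.10": "workstation", "10.0.1.11": "workstation", "10.0.1.12": "workstation",
    "10.0.2.5": "server", "10.0.2.6": "server", "10.0.2.7": "server",
    "10.0.2.8": "server", "10.0.2.9": "server",
}

# Constructed flow records (assumption): "timestamp src dst dport", one per line.
SAMPLE_FLOWS = """\
2024-05-01T09:00:01 10.0.1.10 10.0.2.5 443
2024-05-01T09:00:02 10.0.2.5 10.0.1.10 443
2024-05-01T09:00:03 10.0.1.11 10.0.2.6 445
2024-05-01T09:00:04 10.0.2.5 10.0.2.6 22
2024-05-01T09:00:05 10.0.1.10 10.0.1.11 445
2024-05-01T09:00:06 10.0.1.12 10.0.2.5 445
2024-05-01T09:00:07 10.0.1.12 10.0.2.6 445
2024-05-01T09:00:08 10.0.1.12 10.0.2.7 445
2024-05-01T09:00:09 10.0.1.12 10.0.2.8 445
"""

# Assumed tuning knob: a workstation talking to this many distinct servers is one finding.
FAN_OUT_THRESHOLD = 3


def parse_flows(text):
    """Parse 'timestamp src dst dport' lines into tuples; blank or malformed lines are skipped."""
    flows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        ts, src, dst, dport = parts
        flows.append((ts, src, dst, int(dport)))
    return flows


def classify_pair(src, dst, roles):
    """Label a source/destination pair by the roles of its endpoints."""
    s, d = roles.get(src, "unknown"), roles.get(dst, "unknown")
    if {s, d} == {"workstation", "server"}:
        return "expected"            # the normal pattern in either direction
    if s == d == "server":
        return "server-to-server"
    if s == d == "workstation":
        return "workstation-to-workstation"
    return "unknown-host"            # an endpoint missing from the inventory


def analyze(flows, roles, fan_out_threshold=FAN_OUT_THRESHOLD):
    """Return a deduplicated list of findings instead of one alert per flow."""
    findings = []
    seen_pairs = set()
    servers_per_workstation = defaultdict(set)
    for ts, src, dst, dport in flows:
        kind = classify_pair(src, dst, roles)
        if kind == "expected":
            if roles[src] == "workstation":
                servers_per_workstation[src].add(dst)   # count distinct servers per workstation
            continue
        key = (kind, src, dst)
        if key in seen_pairs:       # report each unexpected pairing once
            continue
        seen_pairs.add(key)
        findings.append({"kind": kind, "src": src, "dst": dst,
                         "first_seen": ts, "dport": dport})
    # One aggregated finding per workstation that fans out to many servers.
    for ws, servers in sorted(servers_per_workstation.items()):
        if len(servers) >= fan_out_threshold:
            findings.append({"kind": "workstation-to-multiple-servers", "src": ws,
                             "servers": sorted(servers), "count": len(servers)})
    return findings


if __name__ == "__main__":
    for finding in analyze(parse_flows(SAMPLE_FLOWS), ROLES):
        print(finding)
```

On the constructed sample this yields three findings: one server-to-server pair, one workstation-to-workstation pair, and a single fan-out finding for the workstation that contacted four servers, even though that workstation generated four separate flows. Feeding it real flow exports would mean replacing the inventory with one derived from your asset list and tuning the threshold against a few days of known-good traffic.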
Host-based and network-based intrusion detection systems working together will catch most threats, and honeypots are a godsend – they can be your early-warning system.
Educate your employees or restrict their privileges. Use application control programs. Ensure that ALL the software in use is patched. Use anti-malware software. Make sure security policies are followed. Know where your data is stored.
Making the effort to implement these basic security measures is one of the best things you can do for your system or network. It may not be the forever-and-ever solution you dream of, but the hard work will pay off the first time you detect a breach.