owner-ids@uow.edu.au wrote:

> On Tue, 20 Feb 1996, Gene Spafford wrote:
>
> > 4) This whole thread is getting far afield of IDs. I already dropped
> > my subscriptions to several other security mailing lists because they
> > had a high noise level from people who had installed "crack" and
> > "COPS" and thus decided they were security experts. Please let's not
> > let that happen to this list too? Can we please go back to intrusion
> > detection as a topic?
> >
> > For instance, let's get back to the fact that more than 75% of system
> > abuses in typical commercial environments come from insiders. Is
> > anyone looking at what is different about these insiders that can be
> > detected or monitored?
> >
> > --spaf
>
> I'm with Gene; I've dropped so many lists in the last few months. However,
> on the topic of insider attacks: internal security is necessary to
> maintain a safe system. There are, however, a few simple rules that I
> have encountered that will help you along in this field.
>
> 1) Network security is a key to a secure working environment. Do not
> leave simple things uncovered. Example: Novell is a batch-file OS, so
> secure it; do not allow users to execute its sudo-dos commands.
> 2. I'm not a Windows expert, but I've heard NT has a good passwd
> program, unlike Novell, which is all text based.
>
> 2) Teach your people that hackers love the telephone. If you've got a dumb
> person answering phones with an account on your system and they call in,
> you're in trouble. Example: "Hello, this is Rob Johnson down in maintenance. I
> need you to tell me your login and passwd so I can fix your account." Most
> people will give that info out.
>
> 3) I've got some others if anyone cares to continue this theme.

I agree with you, for the most part. However, there is more to consider than just securing your passwd.

Everything should be cross-checked, meaning if you have a user that connects remotely, you had better have a call-back verification system. Plus, on your hardware level, only the users could get through the modems (unless a hacker sets up an echo program, as you would in distinguishing Unix passwords and so forth). But when you are on a hardware-level base, the only users that could be possible would be your insiders.

There are ways to deal with the worst problem out there: 75% of all hacks come from within the facility. Now, since we know that, perhaps it is time to start cracking them, understanding them. Educate our users on computer policies and password policies. Education in this age of information is the key to secure systems. There will always be a way into a system; it is just the nature of the beast. The idea is to counter before being mated.

As for the specific problem of insiders, I have a few comments.

1.) Know your users! If you have no idea who your users are, you will never know the ones that are capable of system breaches and other secure data leaks. By knowing your users, perhaps giving some type of interview with them, etc., you will begin to build a mental database; you will know who are capable and who are your normal "users."

2.) Use Eclipsed Passwords! By using Eclipsed Passwords, only your user will know the password. Only the root, or SU, will have access to the shadowed password, no one else.

3.) Use secure remote systems! Sometimes, by trying to completely build a secure internal system, we forget to also secure our remote capability: modems, WANs, etc. Be sure to use modems that implement hardware passwords; this is another big thing for security. If the user cannot access the system, he is not a threat.

4.) Maintain adequate system maintenance! System breaches come with the territory. If you are always maintaining, hackers will have to adjust to new devices, bridges, firewalls, etc.

Internal security may be the hardest to trace, but by far it is more difficult hacking on-site than from a remote site, simply due to time scales and witnesses.
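The shadowed-password rule in the reply (point 2: hashes live only in a file that root alone can read) is something an administrator can verify mechanically rather than take on trust. The script below is an added example and is not code from this thread or from any of its posters; it runs over constructed passwd/shadow sample text with placeholder hashes and a temporary file, and the function names and sample account names are assumptions made for the illustration. It flags three defects: a hash (or an empty password) sitting in the world-readable passwd file, an account marked `x` in passwd that has no shadow entry, and a shadow file whose mode lets group or other read it.

```python
"""Audit a passwd/shadow pair for the 'shadowed passwords' rule.

Added example, not part of the original mailing-list thread. Checks:
  1. no password hash (and no empty password) in the world-readable passwd file,
  2. every 'x' account in passwd has a matching shadow entry,
  3. the shadow file is not readable or writable by group/other.
All input below is constructed sample data; the hashes are placeholders.
"""
import os
import stat
import tempfile
from typing import Dict, List, Tuple

# Constructed sample passwd: 'bob' wrongly carries a hash, 'carol' has no shadow row.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/sh
alice:x:1000:1000:Alice:/home/alice:/bin/sh
bob:$1$FAKEHASH$placeholder:1001:1001:Bob:/home/bob:/bin/sh
carol:x:1002:1002:Carol:/home/carol:/bin/sh
nobody:*:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
"""

# Constructed sample shadow (placeholder hashes, not real credentials).
SAMPLE_SHADOW = """\
root:$6$FAKEHASH$placeholder:19000:0:99999:7:::
alice:$6$FAKEHASH$placeholder:19000:0:99999:7:::
nobody:*:19000:0:99999:7:::
"""

# Values in field 2 that mean "locked account", not "hash present".
LOCKED = {"*", "!", "!!"}


def parse_colon_file(text: str) -> Dict[str, List[str]]:
    """Map user name -> field list for a passwd- or shadow-style file."""
    entries: Dict[str, List[str]] = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        entries[fields[0]] = fields
    return entries


def unshadowed_accounts(passwd_text: str) -> List[Tuple[str, str]]:
    """Return (user, reason) for every passwd row whose field 2 is not 'x' or locked."""
    findings = []
    for user, fields in parse_colon_file(passwd_text).items():
        pw = fields[1] if len(fields) > 1 else ""
        if pw == "":
            findings.append((user, "empty password field"))
        elif pw != "x" and pw not in LOCKED:
            findings.append((user, "hash stored in passwd"))
    return findings


def missing_shadow_entries(passwd_text: str, shadow_text: str) -> List[str]:
    """Return users marked 'x' in passwd that have no row in shadow."""
    shadow = parse_colon_file(shadow_text)
    return [
        user
        for user, fields in parse_colon_file(passwd_text).items()
        if len(fields) > 1 and fields[1] == "x" and user not in shadow
    ]


def shadow_mode_ok(path: str) -> bool:
    """True when group and other have neither read nor write on the shadow file."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    mask = stat.S_IRGRP | stat.S_IWGRP | stat.S_IROTH | stat.S_IWOTH
    return (mode & mask) == 0


def demo() -> dict:
    """Run the three checks on the constructed data in a temporary directory."""
    with tempfile.TemporaryDirectory() as workdir:
        shadow_path = os.path.join(workdir, "shadow")
        with open(shadow_path, "w") as fh:
            fh.write(SAMPLE_SHADOW)
        os.chmod(shadow_path, 0o644)  # deliberately too permissive
        mode_before = shadow_mode_ok(shadow_path)
        os.chmod(shadow_path, 0o600)  # corrected: owner (root on a real host) only
        mode_after = shadow_mode_ok(shadow_path)
    return {
        "unshadowed": unshadowed_accounts(SAMPLE_PASSWD),
        "missing_shadow": missing_shadow_entries(SAMPLE_PASSWD, SAMPLE_SHADOW),
        "shadow_mode_ok_before": mode_before,
        "shadow_mode_ok_after": mode_after,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

On a real host the same functions can be pointed at the contents of `/etc/passwd` and `/etc/shadow` (reading the latter requires root, which is itself the property being checked); the sample data here exists only so the script runs offline.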