Focus-IDS
-- Section Two --


Table Of Contents

  1. What is Computer Security?
  2. What do you mean by Risk Management?
  3. Is one OS more secure than another?
  4. Every once in a while I see words with odd spellings or numbers used as words (31173 h@ck3rz) in web pages or emails. What is this and how do I read it?
  5. How do I check for security vulnerabilities in a way that is legal and keeps me from being fired?
  6. How do I report an attack?
  7. Should I reverse attack the IP attacking me?
  8. Where do I go to find info about the IP?



Questions About Computer Security

1:   What is Computer Security?

Computer Security is a goal. It is never a completed task. Computer Security is really risk management.

2:   What do you mean by Risk Management?

In the construction industry no one expects a 10-story crane to fall sideways and harm people and
property. But it has happened. So the construction industry calculates the possible problems, finds
which problems can be eliminated, which ones can be reduced, and what kind of employee training needs
to be done to reduce the risk. Then they plan for unlikely but possible situations such as a crane
falling or an earthquake. If the unlikely happens, they implement a plan. Afterward they review the
plan and improve it. Computer Security at its best is the same process. Instead of cranes
falling, we plan on DoS attacks, remote vulnerabilities, and malicious code. We also plan for the
unlikely but possible, such as someone from another company gaining physical entry to the servers and
walking away with the hard drives. This is why Computer Security is really Risk Management.

3:   Is one OS more secure than another?

This is a very subjective question.
OpenBSD is known for its secure install. It has not had a remote vulnerability
in the default install for 4 years. But, also by default, nothing is turned on.
Hence it is also not very usable out of the box. As soon as a network service
is started, a possible vulnerability has sprung up. On the other hand, Windows
NT 4.0 has hundreds of items that make it vulnerable. However, I have seen NT Servers
uncompromised due to good security practices. Certain operating systems have better
tools available to them for network security (Linux/UNIX distributions have many cool tools for free),
but good security is still influenced more by a good admin than by a good OS.

4:   Every once in a while I see words with odd spellings or numbers used as words (31173 h@ck3rz) in web pages or emails. What is this and how do I read it?

This is a form of slang. It is often used on IRC, but it can be carried over
to discussions or can be found on web pages. To learn more about how to read and
understand it, read The Hacker Jargon File.
By the way, the above phrase is "elite hackers".

5:   How do I check for security vulnerabilities in a way that is legal and keeps me from being fired?

The difference between legal and illegal is permission. You could be testing password strength on
servers over which you have authority. But if you do not have written permission, you could be
breaking the law. Conversely, you could scan a company's subnet for vulnerabilities and in the
process crash some of the servers, but, if you have written permission, it will not be illegal.
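As an added illustration for question 4 (not part of the original FAQ), here is a small Python normalizer that turns leet tokens such as "31173 h@ck3rz" back into plain words so a mail or log keyword filter can match them. The substitution table, the word list and the expansion cap are constructed assumptions; ambiguous characters (a "1" may be "l" or "i") are resolved by picking the reading that is a known word.

```python
import itertools

# Common leet substitutions (constructed, not exhaustive). A string value lists
# every plain letter the character may stand for; the literal letter comes first.
LEET = {
    "0": "o", "1": "li", "3": "e", "4": "a", "5": "s", "7": "t",
    "@": "a", "$": "s", "|": "li", "!": "i", "+": "t", "z": "zs",
}

# Tiny constructed word list; a real filter would load a dictionary or its own
# keyword list (assumption).
WORDS = {"elite", "hackers", "hacker", "leet", "warez", "password", "admin"}

# Bound on readings per token so a long ambiguous token cannot blow up (2^n).
MAX_EXPANSIONS = 4096


def candidates(token):
    """Yield every plain-letter reading of one token, ambiguous chars expanded."""
    choices = [LEET.get(ch, ch) for ch in token.lower()]
    for combo in itertools.islice(itertools.product(*choices), MAX_EXPANSIONS):
        yield "".join(combo)


def decode_token(token):
    """Prefer a reading that is a known word; otherwise keep the first reading."""
    first = None
    for cand in candidates(token):
        if first is None:
            first = cand
        if cand in WORDS:
            return cand
    return first if first is not None else token


def decode(text):
    """Normalize a whole line, token by token, for keyword matching."""
    return " ".join(decode_token(t) for t in text.split())


if __name__ == "__main__":
    print(decode("31173 h@ck3rz"))  # -> elite hackers
```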
See State of Oregon v. Randal Schwartz for a case study.

6:   How do I report an attack?

There are several places to report attacks. You can report to the owner of the IP address (see
the question about getting info on the IP). If that fails, contact the upstream provider. This is
usually the end user's ISP. You can report the incident to CERT:
http://www.cert.org/contact_cert/contactinfo.html
You can report the incident to NIPC (this is the FBI):
http://www.nipc.gov/incident/incident.htm

7:   Should I reverse attack the IP attacking me?

In general, this is a bad idea. You can't be sure the attacking IP is real; it may be spoofed.
Machines attacking you are usually already compromised, and all you would be doing is attacking
someone who really isn't involved. Some people find it necessary to port scan the attacker and
attempt a login. While this may give you info about the attack, you have just illegally gained
access to another computer. Are you interested in being under investigation because you logged in
to a compromised machine?

8:   Where do I go to find info about the IP?

There are several different websites that can help track down an IP address. Here are a few
examples that have combined several tools on one page.
http://www.samspade.org/
http://packetderm.cotse.com/cgi-bin/lookuptools
If you know of others, send them in.


PacketNexus.com
