VeeMost Technologies
2404 Fourth Street, Suite 2
Cuyahoga Falls, OH

(330) 928-1100 Telephone
(877) 349-7938 Fax
info@veemost.com

VeeMost Delivers

What makes us stand apart is our dedication to maintaining a strong, caring and honest relationship with every client.

July 23 , 2003

TODAY'S HEADLINES -

** You've been hacked, what do you do in the first hour?
** Tech Quiz
** New Cisco IOS command that all administrators should know
** Manage your data with Novell Ifolder
** Cisco warns of serious router flaw
** Introducing NewsGroups for CPA Firm/Network Administrators
----------------------------------------------------

You've been hacked, what do you do in the first hour?
by Robert L. Bogue

The hair stands up on the back of your neck, and you feel the first bead of sweat roll down the side of your face: You've been hacked. The adrenaline starts to flow and you're ready to jump into action. But what do you do first?

In the first installment of this series, we talked about the steps you should take within the first few minutes of discovering that someone may have compromised your system. Now, we'll focus on actions you should take during the first hour. Last time, we wrapped up the initial steps by disconnecting the network from the Internet. In this article, we'll see what you need to do to patch all vulnerabilities and get back online.

--------------------------------------------------------------------------------
First reactions
To learn what to do immediately after you detect an attack, see "You've been hacked: What to do in the first five minutes."
--------------------------------------------------------------------------------

Image the system to preserve a record
If you're hoping to identify the individual who caused the problem or perform more diagnosis to determine the exact source of the attack, you'll want to image the system or systems that were compromised. Imaging a system, using a package such as Symantec Ghost, creates a file you can use to re-create the system as it was when you discovered the attack. You can copy the image to another hard drive to preserve a record of the problem and then use it to help pinpoint the attacker or specific vulnerabilities. Once you've created the image, you can restore the production system to its operational state.

It's best to image to another set of hard drives and use them for your further investigations, because the imaging process copies only data that is marked as being used in the file allocation tables. As a result, recently deleted files that can be recovered will not be copied to the image. Ultimately, few go to the lengths required to recover files that have already been deleted, but some do.

Evaluate systems to detect tampering
Before reconnecting systems to the Internet, you have to determine whether they have been compromised. This is perhaps the most difficult part of being hacked because it requires a critical look at the status of the systems and the logs that may have been generated.

The first step is to review every security account on the machine and all of the connected systems. In a typical network environment, this means both the local machine accounts and the network accounts coming from Novell Directory Services (NDS) or Active Directory. It also means reviewing database accounts and verifying that they have not been tampered with. This includes making sure that none of the disabled accounts that you have in your system has been activated. You're looking for any account that shouldn't be there or can't be explained. If you find one, it should be disabled until you can determine its reason for being on the network.

Read More

Tech Quiz
---------------------------------------------------------------

How long does a password need to be before it becomes uncrackable? (Look for the answer on our next newsletter)

News Flash
---------------------------------------------------------------

New Cisco IOS command that all administrators should know
Among the many commands that Cisco introduced in their IOS version 12.3, the most interesting is the "auto secure" command. This command locks down everything that you need locked down on your router by default. This is a welcomed command since Cisco routers by default aren't configured for adequate security.

OTHER TECH INDUSTRY NEWS
----------------------------------------------------------------

Manage your data with Novell Ifolder
As your enterprise begins to grow, you must answer some difficult questions: How many of your corporate digital assets are saved to the local hard drives of laptops that leave your office each day? If your one-person accounting department smashes the hard disk in his or her computer before resigning, do you have a backup of these files?

Cisco warns of serious router flaw
Cisco warned Internet service providers Wednesday that a flaw in the Cisco IOS software could leave routers vulnerable to a denial of service (DoS) attack. News of the vulnerability spread hours before Cisco acknowledged the problem or published a workaround, as several ISPs shut down their networks for unscheduled maintenance on Wednesday.

Can't remember all those passwords? There is a solution for you
With security on the mind of every computer user, it is becoming increasingly difficult to remember all those passwords. Password Agent is a password manager program that allows you to store all your passwords, secret notes and data snippets in a single, easy to navigate, and secure database.

Introducing NewsGroups for CPA Firm/Network Administrators
Think of it as free counseling. VeeMost and Brott Mardis & Co. team up to bring CPA firms an invaluable tool.

---------------------------------------------------

To access previous newsletters, go to http://www.veemost.com/newsletter.htm

---------------------------------------------------

WHEN YOUR NETWORK IS TOAST, CALL VEEMOST

We have risen to the task many times. We can help you get your network back to normal. Save yourself some time, we are just a phone call away.

Call VeeMost at 330-928-1100 or 1-877-VeeMost