Abuse of Privilege…

These are not intrusions; they are stupid user issues that would never happen if a proper policy were adhered to. I offer up some simple suggestions. Never give a contractor full administrative access to a box. It is foolish. Offer up sandbox environments or restrictive administrative accounts, or look over their shoulders (this is the best means of learning your system from the ground up). Know what you’re doing before making a change to the system.

Mission Critical data and modification…

In the case of the contractor, you’ve given them access to your systems. Now if they try to escalate their privileges through means of attack (buffer overflow, application vulnerabilities, etc.), an IDS should alarm. Outside of that, you’d have no way of knowing whether they’ve accessed a file without strong Access Control Lists. Accessing restricted data should show up in the system/secure log files, and proper auditing of these files would reveal the transgression.
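As an added example (not from the original post), this is the kind of audit pass the paragraph describes: it reads sudo entries in the style of /var/log/secure and flags any privileged command from a contractor account that touches restricted data, including commands sudoers already refused. The log lines, the account name and the restricted paths are all constructed for the example.

```python
import re

# Constructed /var/log/secure-style sudo lines (sample data, not real logs).
SAMPLE_LOG = """\
Mar  3 09:12:01 db01 sudo: contractor1 : TTY=pts/0 ; PWD=/home/contractor1 ; USER=root ; COMMAND=/bin/systemctl restart httpd
Mar  3 09:14:22 db01 sudo: contractor1 : TTY=pts/0 ; PWD=/home/contractor1 ; USER=root ; COMMAND=/bin/cat /srv/finance/payroll.csv
Mar  3 09:15:03 db01 sudo: alice : TTY=pts/1 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/less /srv/finance/payroll.csv
Mar  3 09:18:40 db01 sudo: contractor1 : command not allowed ; TTY=pts/0 ; PWD=/home/contractor1 ; USER=root ; COMMAND=/bin/cat /etc/shadow
Mar  3 09:20:45 db01 sudo: contractor1 : TTY=pts/0 ; PWD=/home/contractor1 ; USER=root ; COMMAND=/bin/cp /srv/hr/salaries.xlsx /tmp/s.xlsx
"""

# Hypothetical policy: contractor accounts to watch and paths holding restricted data.
CONTRACTOR_ACCOUNTS = {"contractor1"}
RESTRICTED_PREFIXES = ("/srv/finance/", "/srv/hr/", "/etc/shadow")

# sudo writes "command not allowed ;" before the TTY field when sudoers refuses a command.
SUDO_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sudo:\s+(?P<user>\S+) : "
    r"(?P<denied>command not allowed ; )?.*?COMMAND=(?P<cmd>.*)$"
)

def parse_sudo_events(log_text):
    """Turn sudo log lines into dicts; lines that do not match are ignored."""
    events = []
    for line in log_text.splitlines():
        m = SUDO_RE.match(line)
        if m:
            events.append({"ts": m.group("ts"), "host": m.group("host"),
                           "user": m.group("user"), "cmd": m.group("cmd"),
                           "allowed": m.group("denied") is None})
    return events

def restricted_paths(cmd):
    """Return the command arguments (not the binary itself) under a restricted prefix."""
    return [arg for arg in cmd.split()[1:] if arg.startswith(RESTRICTED_PREFIXES)]

def find_restricted_access(log_text, accounts=CONTRACTOR_ACCOUNTS):
    """Flag privileged commands by watched accounts that touch restricted data.
    Refused commands are reported too: a denied read of restricted data is still worth a look."""
    findings = []
    for ev in parse_sudo_events(log_text):
        if ev["user"] in accounts:
            paths = restricted_paths(ev["cmd"])
            if paths:
                findings.append((ev["ts"], ev["user"], ev["allowed"], tuple(paths)))
    return findings

if __name__ == "__main__":
    for ts, user, allowed, paths in find_restricted_access(SAMPLE_LOG):
        print(ts, user, "ALLOWED" if allowed else "DENIED", ", ".join(paths))
```

Routine commands such as the service restart produce no finding; only the reads and copies of files under the restricted prefixes do.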

Changes in Security Configuration…

Outside of the ID10T errors and the improper configuration of a host, the author makes a valid argument with regard to compromised systems on your network. These should set off warnings! Virus attacks trying to propagate across your network are something an IDS (both network and host based) should pick up, alerting you that something is not right. As a solution, one would do well to consider a separate network for visitors. I understand the risks of a wireless network, but most laptops these days come with built-in Wi-Fi. Why not take advantage of that? Build a separate network that is completely isolated from your core internal network.

Attempts to Gain Access…

Now we’re talking. This is where Intrusion Protection Systems can come in handy. This is exactly what they are designed for: unauthorized attempts to access resources.