INTOUCH INSA is now constantly scanning for a PAYROLL alert incident to occur.
If the PAYROLL example were a real situation, incidents would occur when the payroll program was run. However, to cause a PAYROLL incident right now, you can perform these steps:
Typing in "Corp Internal - Salary Maintenance" caused an incident.
The next example sections tell what actions INTOUCH INSA takes and how to get incident information.
4.6 Example: INTOUCH INSA E-mail Action
After two to three minutes have elapsed (it takes INTOUCH INSA a couple
of minutes to cycle through its scanning process), INSA Manager
receives an E-mail message. The message contains information about the
PAYROLL alert incident. For example:
From:   TEST::SYSTEM "NSA: PAYROLL, IP 204.182.52.233:1973 (USERXX)" 23-JAN-1997 00:16:18.47
To:     nsa_manager
CC:
Subj:   NSA: PAYROLL, IP 204.182.52.233:1973 (USERXX)

***************** Session Incident on January 23, 1997 16:18:47 ****************
Alert type : PAYROLL
Description: Audit corp salary maintenance
Pattern    : Corp Internal - Salary Maintenance
Alert text : Corp Internal - Salary Maintenance
Location   : IP 204.182.52.233:1973
Username   : Probably USERXX
********************************************************************************
( text which caused the incident )
The E-mail message was sent because you specified "email" as one of the PAYROLL alert actions.
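A manager who forwards these notifications into a log collector needs the fixed fields pulled out of the message body. The following is an added example, not part of the manual or of INTOUCH INSA itself: a small Python parser for the message layout shown above. The sample message is constructed (the two session-text lines after the separator are invented, since the manual only shows a placeholder there), and the field names, the "Probably" username convention and the "TRANSPORT host:port" location shape are taken from the message as printed; treating excludes or any other INSA behaviour is outside its scope.

```python
import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample, modelled on the notification shown in Section 4.6.
# The two lines after the separator stand in for the session text INSA
# appends; they are invented for this example.
SAMPLE_MESSAGE = """\
From: TEST::SYSTEM "NSA: PAYROLL, IP 204.182.52.233:1973 (USERXX)" 23-JAN-1997 00:16:18.47
To: nsa_manager
CC:
Subj: NSA: PAYROLL, IP 204.182.52.233:1973 (USERXX)

***************** Session Incident on January 23, 1997 16:18:47 ****************
Alert type : PAYROLL
Description: Audit corp salary maintenance
Pattern    : Corp Internal - Salary Maintenance
Alert text : Corp Internal - Salary Maintenance
Location   : IP 204.182.52.233:1973
Username   : Probably USERXX
********************************************************************************
Select option: 3
Corp Internal - Salary Maintenance
"""

BANNER_RE = re.compile(r"^\*+\s*Session Incident on (.+?)\s*\*+$")
FIELD_RE = re.compile(r"^([A-Za-z][A-Za-z ]*?)\s*:\s*(.*)$")
LOCATION_RE = re.compile(r"^(\w+)\s+(\S+):(\d+)$")   # e.g. "IP 204.182.52.233:1973"


@dataclass
class IncidentRecord:
    occurred: str                      # timestamp text from the banner line
    fields: dict                       # raw "Name : value" pairs
    transport: Optional[str] = None    # "IP", "LAT", ...
    host: Optional[str] = None
    port: Optional[int] = None
    username: Optional[str] = None
    username_certain: bool = False     # False when INSA says "Probably ..."
    session_text: list = field(default_factory=list)


def parse_incident_mail(message: str) -> IncidentRecord:
    """Extract the incident block from an INSA notification message."""
    lines = message.splitlines()
    start = None
    for idx, line in enumerate(lines):
        if BANNER_RE.match(line):
            start = idx
            break
    if start is None:
        raise ValueError("no 'Session Incident' banner found")
    rec = IncidentRecord(occurred=BANNER_RE.match(lines[start]).group(1), fields={})

    # Field lines run from the banner to the row of asterisks that closes the block.
    i = start + 1
    while i < len(lines) and not lines[i].startswith("****"):
        m = FIELD_RE.match(lines[i])
        if m:
            rec.fields[m.group(1).strip()] = m.group(2).strip()
        i += 1
    rec.session_text = [l for l in lines[i + 1:] if l.strip()]

    loc = LOCATION_RE.match(rec.fields.get("Location", ""))
    if loc:
        rec.transport, rec.host, rec.port = loc.group(1), loc.group(2), int(loc.group(3))

    # INSA marks the user as "Probably X" when it is inferring the identity;
    # keep that uncertainty as a separate flag rather than losing it.
    user = rec.fields.get("Username", "")
    if user.lower().startswith("probably "):
        rec.username, rec.username_certain = user[len("probably "):].strip(), False
    elif user:
        rec.username, rec.username_certain = user, True
    return rec


def to_log_line(rec: IncidentRecord) -> str:
    """Render the record as one key="value" line for a log collector."""
    pairs = [
        ("alert", rec.fields.get("Alert type", "")),
        ("occurred", rec.occurred),
        ("transport", rec.transport or ""),
        ("host", rec.host or ""),
        ("port", rec.port if rec.port is not None else ""),
        ("user", rec.username or ""),
        ("user_certain", str(rec.username_certain).lower()),
    ]
    return " ".join(f'{k}="{v}"' for k, v in pairs)


if __name__ == "__main__":
    print(to_log_line(parse_incident_mail(SAMPLE_MESSAGE)))
```

The mail headers are skipped deliberately: the banner line is the reliable start of the incident block, and everything after the closing row of asterisks is session text, which the parser keeps verbatim.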
4.7 Example: INTOUCH INSA Flagging the Incident
You can now display the active sessions as you did in the first example
(see Section 4.2, Example: Displaying Active Sessions).
Here are the steps:
User names (AAA,BBB,...)? USERXX_____________________________________________
+-----------------------------------Security-----------------------------------+
| Sessions   Clear   Exit                                                      |
+------------------------------------------------------------------------------+
+-----------------1 active session as of 23-Jan-1997 16:23:27------------------+
| Refresh                                                                      |
|                                                                              |
| Source Location   Destination Loc   Type    User     Last   Cnct  Ins  Status|
| LAT 2.22:97       LAT 97.1          INTER   USERXX   09:23   1:30  1    (r)  |
+------------------------------------------------------------------------------+
+-------------------------------Session Security-------------------------------+
| Refresh   Actions   Incidents   Exit                                         |
+------------------------------------------------------------------------------+
    +-------------------Session as of 23-Jan-1997 16:25:04-------------------+
    |                                                                        |
    |   LAT 2.22:97 --> LAT 97.1                                             |
    |                                                                        |
    |   Type          : INTER                                                |
    |   User name     : probably USERXX                                      |
    |   Incidents     : 1                                                    |
    |   Last login    : 23-Jan-1997 16:15:10                                 |
    |   Last activity : 23-Jan-1997 16:20:13                                 |
    |   Watch status  : Recording...                                         |
    +------------------------------------------------------------------------+
+-------------------------------Session Security-------------------------------+
| Refresh   Actions   Incidents   Exit                                         |
+-----------+------Actions------+----------------------------------------------+
            | Watch             |
            | Unwatch           |
            | Snapshot          |
            | Playback          |
            | Start Recording   |
            | Stop Recording    |
            | Disconnect        |
            +-------------------+
4.8 Example: Reports
Now that you are getting familiar with the menus and how to select
items, you can go back to the main menu and select
Reports.
+-----------------INTOUCH INSA - Network Security Agent V1.5-------------------+
| Security   Status   Reports   Maintenance   General   Advanced   Exit        |
+----------------------+-------Reports-------+---------------------------------+
                       | Incident            |
                       | Alert               |
                       | Recordings          |
                       | Browser Accesses    |
                       | URL Accesses        |
                       | Active Browsers     |
                       | Audit               |
                       | Page                |
                       | Top               [>|
                       | Archive           [>|
                       +---------------------+
You can run the Incident, Alert and Recordings options to get information about the PAYROLL incident that has occurred.
To run the reports, go to Chapter 10, Report Menu Procedures, and follow the steps for each report. You can select the default prompts or enter data if you wish. If you need help, press the [Help] key at any prompt or menu item.
Chapter 6, Using the INTOUCH INSA Utilities and Desktop Management, provides general information on INSA Manager, how to get around, and what to expect in various situations.
4.9 Example: Playing Back a Recorded Session
Since the PAYROLL incident was recorded, you can play back the
recording and see exactly what the user was doing when the incident
occurred and afterward until the recording was stopped. To play back
the recording, select Security from the main menu.
Then, select the Playback item from the Security menu.
+-----------------INTOUCH INSA - Network Security Agent V1.5-------------------+
| Security   Status   Reports   Maintenance   General   Advanced   Exit        |
++------Security-------+-------------------------------------------------------+
 | Sessions            |
 | Playback            |
 | Archive Playback    |
 +---------------------+
Go to Section 9.2, Playback Option, and follow the steps to play back the recording.
For the most part, you know what users should be doing on your network, but you also want to be made aware of suspicious activity. Computer policies and what is "suspicious" activity vary from site to site. INTOUCH INSA allows you to tailor surveillance to your site needs. You can use INTOUCH INSA as an alarm system to alert you to inappropriate activity, or to monitor specific user activities, or to gather statistical information on certain procedures.
To use INTOUCH INSA as a surveillance tool or an alarm system, you need to tell it what to look for. You need to define the incidents or activities you do NOT want on your network and what you want to do when they are detected. For example, if you have a home alarm system, you might have it programmed to call the police if an intruder opens a locked door or window. In this same manner, you can tell INTOUCH INSA what to look for (opened door or window) and what to do about it (call).
The alert that was set up in Chapter 4 shows one example of how INTOUCH INSA can be used. This chapter provides other generic scenarios of INTOUCH INSA surveillance usage and how to set up the alerts.
5.1 Scenarios and Setting Up the Alerts
5.1.1 Example 1
You have a special equipment file that is updated by two authorized
users. You want to know if and when anyone, other than the two
authorized users, touches the equipment file and what they do to it.
You will provide INTOUCH INSA with:
To actually set up this alert, you would select "Alerts" from the Maintenance Menu and enter the following alert and rules data:
Alert record data:
INTOUCH INSA Alert File Maintenance                               25-Jan-1997

  Alert name  : EQUIP
  Description : Equipment file non-authorized changes
  Action      : email,record
  Priority    : 1
Rules data:
exclude "2.248:2"                  <-- authorized user 1
exclude "205.232.159.106:1913"     <-- authorized user 2
alert equip "E-Part No:"
             ^
             |
             pattern that identifies equipment file maintenance
INTOUCH INSA will scan for "E-Part No:" and ignore incidents for the two authorized users, but it will send an E-mail message and record the session if there is any other user accessing the equipment file. The "Playback" option on the Security menu is used to play back recorded sessions. Also, incident and alert reports would show detected alerts.
5.1.2 Example 2
When your users log on to your system, they are automatically placed
into a menu which controls their activities. Should any user get to the
system prompt, you want to know how that occurred and what they are
doing - NOW!
You will provide INTOUCH INSA with:
To set up this alert, you would enter the following alert and rules data:
Alert record data:
INTOUCH INSA Alert File Maintenance                               25-Jan-1997

  Alert name  : USERS
  Description : Questionable activity
  Action      : watch,record
  Priority    : 1
Rules data:
alert users "ABC>>"
If a user gets to the system prompt, INTOUCH INSA will open a window and start displaying the user's keystroke activity; the session will also be recorded. To find out how the user got to the system prompt, you can run an incident report using the "Session Text" report type. The session text includes some user activity just prior to the incident which will show what the user was doing.
5.1.3 Example 3
Your company provides computer services to customers who have terminals
in their offices and dial up to your system. One of your customers
thinks that someone is creating unauthorized transactions, and wants a
list of users who enter specific data.
You will provide INTOUCH INSA with:
To set up this alert, you would enter the following alert and rules data:
Alert record data:
INTOUCH INSA Alert File Maintenance                               25-Jan-1997

  Alert name  : CUSTOMERS
  Description : Customer activity
  Action      :
  Priority    : 5
Rules data:
alert customers "{|nocase|}DM?*SP"
INTOUCH INSA would log incidents if it detected "DM2648SP", "dm452sp", etc.
At the end of the day, you would run detail and session text Incident reports. The report selection criteria would include alert name "CUSTOMERS" and the day's date. These two reports would provide your customer with information on who created the questionable transactions.
5.2 Summary
When you are trying to determine what alerts to set up, you need to
think about the things that are "sacred" to your system and how
someone could tamper with them; what are the things/situations you do NOT
want on your system; what events can occur that will corrupt your
system? These "unwanted" things/situations are what you set up as
alerts for INTOUCH INSA to monitor.
Once you determine what you want to be alerted to, you can set up the alerts and the rule patterns to scan for. The alert data identifies the alert and tells INTOUCH INSA what to do when an incident is detected. The rule pattern data tells INTOUCH INSA what to look for.
Alerts can be given names that describe what you are monitoring (e.g. logins, payroll, etc.), or the names might describe departments that you are monitoring for (e.g. sys_manager, engineering, accounts, etc.). Alert names can be anything that you think is appropriate.
When you are setting up alert rule patterns, you can set up one or more rule patterns for an alert name. When setting up rule patterns, you must keep in mind that INTOUCH INSA scans for "exactly" the patterns you provide. For example, if a user can input a pattern in either upper or lowercase, you need to specify "nocase".
INTOUCH INSA logs ALL incidents regardless of whether you take any immediate action (e.g. E-mail, watch, record, etc.) or not. The Incident and Alert reports provide information on ALL incidents that have been detected. You could monitor file accesses to determine who is using a certain file and run an Incident report to get the information. In this case, you probably would not want to take any immediate action when incidents occur.
Section 8.2, Alert File Maintenance, and Section 8.3, Rules Maintenance, provide detailed information on alerts and rules.
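To see how the three scenarios in Section 5.1 and the "exactly the patterns" / "nocase" point above fit together, here is an added Python simulation of the rule scanning; it is written for this page and is not INTOUCH INSA code, which runs as its own agent. It reads the alert records and rules data from Examples 1 to 3 and scans constructed session text. Two things are assumptions because the manual does not spell them out: an `exclude` rule is applied to every alert rather than only the one that follows it, and within a pattern "?" stands for exactly one character while "*" stands for any run of characters (the only evidence on the page is that "DM?*SP" matches both "DM2648SP" and, with nocase, "dm452sp"). Alert names are compared case-insensitively, since the rules use "equip" where the alert record says "EQUIP".

```python
import re
from dataclasses import dataclass

NOCASE = "{|nocase|}"   # case-insensitive qualifier, as used in Section 5.1.3


@dataclass
class Rule:
    kind: str    # "exclude" or "alert"
    name: str    # alert name, upper-cased; empty for exclude rules
    value: str   # location to exclude, or the pattern to scan for


@dataclass
class Incident:
    alert: str
    location: str
    text: str


# Assumed rule syntax, from the examples:  exclude "LOCATION"  |  alert NAME "PATTERN"
RULE_RE = re.compile(r'^(exclude|alert)\s+(?:(\S+)\s+)?"([^"]*)"$')


def pattern_to_regex(pattern):
    """Compile a rule pattern into a regex.

    Assumed wildcard semantics (not documented on the page): '?' matches exactly
    one character, '*' any run of characters, a leading {|nocase|} makes the match
    case-insensitive, and everything else is matched literally, which is what the
    summary's 'scans for exactly the patterns you provide' note implies.
    """
    flags = 0
    if pattern.startswith(NOCASE):
        flags = re.IGNORECASE
        pattern = pattern[len(NOCASE):]
    parts = ["." if ch == "?" else ".*" if ch == "*" else re.escape(ch) for ch in pattern]
    return re.compile("".join(parts), flags)


def parse_rules(text):
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        m = RULE_RE.match(line)
        if not m or (m.group(1) == "alert" and not m.group(2)):
            raise ValueError(f"rules line {lineno}: cannot parse {raw!r}")
        kind, name, value = m.groups()
        rules.append(Rule(kind, (name or "").upper(), value))
    return rules


def scan_sessions(sessions, rules):
    """sessions: iterable of (location, [lines of session text]).

    Excluded locations never produce incidents (assumed to apply to all alerts).
    Every match is logged, whether or not the alert record lists an action,
    matching the 'logs ALL incidents' statement in Section 5.2.
    """
    excluded = {r.value for r in rules if r.kind == "exclude"}
    alerts = [(r.name, pattern_to_regex(r.value)) for r in rules if r.kind == "alert"]
    incidents = []
    for location, lines in sessions:
        if location in excluded:
            continue
        for text in lines:
            for name, rx in alerts:
                if rx.search(text):
                    incidents.append(Incident(name, location, text))
    return incidents


# Alert records from Examples 1-3, reduced to name -> actions.
ALERT_FILE = {"EQUIP": ["email", "record"], "USERS": ["watch", "record"], "CUSTOMERS": []}


def actions_for(incident, alert_file=ALERT_FILE):
    return alert_file.get(incident.alert, [])


# Rules data from Examples 1-3, with the annotation arrows left out.
RULES = """
exclude "2.248:2"
exclude "205.232.159.106:1913"
alert equip "E-Part No:"
alert users "ABC>>"
alert customers "{|nocase|}DM?*SP"
"""

# Constructed session text; the locations and lines are made up for this example.
SESSIONS = [
    ("2.248:2",             ["E-Part No: 1001  Qty: 5"]),                  # authorized user 1
    ("204.182.52.233:1973", ["E-Part No: 1001  Qty: 500", "ABC>> DIR"]),   # neither excluded
    ("10.0.0.7:2000",       ["enter code dm452sp", "enter code DM2648SP", "nothing here"]),
]

if __name__ == "__main__":
    for inc in scan_sessions(SESSIONS, parse_rules(RULES)):
        print(f"{inc.alert:<10} {inc.location:<22} actions={actions_for(inc)} text={inc.text!r}")
```

Run as-is, the authorized user's "E-Part No:" line is silent, the second session raises an EQUIP and a USERS incident, and the third session raises two CUSTOMERS incidents (one only because of nocase); "nothing here" matches no rule.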
The INTOUCH INSA utilities, controlled by INSA Manager, allow you to review session information, maintain alerts and rules data, create incident, alert and other reports, watch sessions, play back recorded sessions, etc. All of these procedures can be executed by selecting options from the INTOUCH INSA --- Network Security Agent menu system.
6.1 The INTOUCH INSA Menu
After INSA Manager is initialized, the INTOUCH INSA --- Network
Security Agent main menu is displayed. (Appendix A, Summary of INSA Manager Menus, describes other
menus.)
+-----------------INTOUCH INSA - Network Security Agent V1.5-------------------+
| Security   Status   Reports   Maintenance   General   Advanced   Exit        |
++------Security-------+-------------------------------------------------------+
 | Sessions            |
 | Playback            |
 | Archive Playback    |
 +---------------------+
The main menu selections are:
Item | Description |
---|---|
Security | display and watch active sessions, play back recorded sessions |
Status | display status information for the network, INTOUCH INSA, security |
Reports | create incident, alert, recordings and other reports |
Maintenance | maintain alert, rules and page data, create and edit E-mail distribution and page distribution lists, purge and archive records |
General | miscellaneous procedures |
Advanced | perform system procedures |
Exit | exit INSA Manager |
6.2 Selecting Menu Items
Menu items or options are displayed on the INTOUCH INSA - Network
Security Agent menu screen.
To select a specific item, use the mouse to locate the item and then click to execute that item.
An item can also be selected by entering the item name. You need enter only as many characters of the item name as is necessary to distinguish the item from all other items on the menu.
Some menu items have submenus. To select an item from a submenu, use the mouse to select an item and click to execute the item.
If you select the wrong menu or submenu item, press the "\" (backslash) key and you are returned to the menu or submenu.
6.3 Exiting and Backing Up
From anywhere within INTOUCH INSA you can EXIT the current procedure or
BACK UP to a previous prompt or menu.
Select the EXIT option or enter the word EXIT to get out of a menu procedure and return to the previous menu. To exit out of the INTOUCH INSA menu, select the "Exit" option on the main menu.
Press the "\" key to back up to the previous prompt, or if at the first prompt of a menu item, to go back to the menu.
6.4 Entering Dates
In some procedures, such as when creating an Incident report, you are
asked to enter dates. For example:
Begin date (MMDDYYYY)? ___________
You can enter the date in MMDDYYYY format as the prompt shows, or use another date format. The following date formats are allowed:
Format | Example |
---|---|
MMDDYYYY | 01251997 |
MMDDYY | 012597 |
DD-MON-YYYY | 25-Jan-1997 |
DD-MON-YY | 25-Jan-97 |
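As an added illustration of the four accepted formats (this is example code written for this page, not part of INSA Manager), the following Python function accepts a date entry the way the prompt above describes it and also honours the EARLIEST keyword mentioned in the help text in Section 6.5.1. One assumption is made explicit as a parameter: a two-digit year is placed in the 1900s by default, because every example in the manual is from 1997; pass `century=2000` for current data.

```python
import re
from datetime import date
from typing import Optional

MONTHS = {m: i for i, m in enumerate(
    "JAN FEB MAR APR MAY JUN JUL AUG SEP OCT NOV DEC".split(), 1)}

NUMERIC_RE = re.compile(r"^(\d{2})(\d{2})(\d{4}|\d{2})$")            # MMDDYYYY / MMDDYY
ALPHA_RE = re.compile(r"^(\d{1,2})-([A-Za-z]{3})-(\d{4}|\d{2})$")    # DD-MON-YYYY / DD-MON-YY


def expand_year(year: int, century: int = 1900) -> int:
    # Assumption: a two-digit year belongs to `century` (97 -> 1997 by default,
    # matching the manual's 1997 examples).
    return year if year >= 100 else century + year


def parse_insa_date(text: str, century: int = 1900) -> Optional[date]:
    """Parse a date typed at an INSA date prompt.

    Returns None when the entry is EARLIEST (no lower bound); raises ValueError
    for anything that is not one of the four documented formats or is not a
    real calendar date (e.g. a day and month typed in the wrong order).
    """
    s = text.strip().rstrip("_")          # drop the prompt's fill characters
    if not s:
        raise ValueError("empty date entry")
    if s.upper() == "EARLIEST":
        return None
    m = NUMERIC_RE.match(s)
    if m:
        month, day, year = int(m.group(1)), int(m.group(2)), int(m.group(3))
        return date(expand_year(year, century), month, day)
    m = ALPHA_RE.match(s)
    if m:
        day, mon, year = int(m.group(1)), m.group(2).upper(), int(m.group(3))
        if mon not in MONTHS:
            raise ValueError(f"unknown month {m.group(2)!r}")
        return date(expand_year(year, century), MONTHS[mon], day)
    raise ValueError(f"unrecognised date {text!r}")


def in_report_range(record: date, begin: Optional[date], end: Optional[date]) -> bool:
    """Inclusive range test where None means no bound on that side."""
    return (begin is None or record >= begin) and (end is None or record <= end)


if __name__ == "__main__":
    for entry in ("01251997", "012597", "25-Jan-1997", "25-Jan-97", "Earliest"):
        print(f"{entry:<12} -> {parse_insa_date(entry)}")
```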
6.5 On-line Help System
Extensive HELP is always available. The help system provides help for
menu items as well as input prompts.
To get help at any time, just press the [Help] key. The screen clears and the help text is displayed.
In some cases you are also presented with a list of related help topics. If you are interested in a related topic, just enter the topic name when prompted. You need enter only as many characters of the topic as is necessary to distinguish the topic from all other topics.
When you have finished getting the help that you need, press [Return] or enter EXIT at the "Topic?" prompt. The help screen is replaced with the screen that was displayed before you requested help information.
6.5.1 Examples
To get help on a menu or submenu item, use the arrow keys to highlight
the item or type the menu item name and press [Return] to
move the cursor to that item, and then press the [Help] key.
The help system displays information about that item.
For example, if you highlight Maintenance and press [Help], the following information is displayed:
MAINTENANCE

  The MAINTENANCE menu option displays a submenu of items that include:

    Alerts                    - add, change, delete, inquire on alert file records
    Rules                     - add, change, delete text data in the rules file
    E-mail Distribution Lists - create and maintain E-mail distribution lists
    Page                      - add, change, delete, inquire on page file records
    Page Distribution Lists   - create and maintain page distribution lists
    Purge and Archive Records - purge and/or archive incident, recording and/or audit records

  Related topics:

    alert_maint  rules_maint  em_maint  page_maint  page_dist_maint  purge
    help_topic  menu_navigation  nsa_main_menu

Topic?
The help text tells about the Maintenance submenu items. It also shows a list of related topics. If you want information on alerts, you can type in alert_maint and press [Return]. If you want information on how to move around in the menu system, you can enter menu_nav. You can enter topics whenever the "Topic?" prompt is displayed. To get out of the help system, press [Return] or type EXIT at the "Topic?" prompt.
To get help when at an input prompt (where you type in data or select an item from a pop-up menu), just press the [Help] key.
For example, if you are at the following prompt:
Begin date (MMDDYYYY)? Earliest___
and press the [Help] key, you see:
INC_ASK_BEGIN_DATE

  You are asked for a begin date.

  To specify a begin date, enter the date in MMDDYYYY format.
  Enter EARLIEST to start with the oldest date and time.
  Press RETURN to accept the default.

Topic?
Or, if you are at this prompt:
+-Proceed-+
| Yes     |
| No      |
|---------|
| Exit    |
+---------+
and press [Help], you see:
INC_ASK_PROCEED

  Select one of the following options:

    Select YES to create the report.
    Select NO to go back to the report type prompt.
    Select Exit to abandon the report and go back to the Reports menu.

Topic?