At each 'service window' that your firewall leaves open (technical term: 'open port'), you should have a computer program. This program should be providing some sort of service to your users.
Any program which isn't being used, but which has a connection outside your network, should be shut down and the 'service window' (port) closed at the firewall. Every port which isn't specifically in use should be shut down. Admittedly, this is a 'paranoia' position - the rationale for shutting them down being that a closed port is safer than an open one, regardless of how good the program is.
Programs which you are using need to stay operational, and their ports 'open'. However, occasionally programs are vulnerable to clever attackers.
Vulnerabilities are reported to organisations on the Internet that make a point of informing the companies or groups who write those programs, and of distributing the modifications (patches) that those companies or groups produce to fix the vulnerabilities.
Every so often someone in your company should go to those sites, read their reports for your programs, and install the patches. Once a month is common, but you need to determine your own balance between security and convenience.
How do you know if someone has broken into your system? The only way to know for sure is to monitor it.
Some common types of monitoring tools are:
The tripwire: On a read-only medium (like a write-protected floppy), store a program and a small database. The program checks every file in the database to find out when it was last changed, and sends the user the list of all the files which have changed since it first ran. To prevent false reporting, the database should only include files which should never be changed.
If any of the files have been changed, you may have been broken into. (Or your system administrator installed a new version of the operating system and forgot to warn whoever does the monitoring!)
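A minimal tripwire of the kind just described, written here as an added example and not the tool the text refers to: it records a SHA-256 digest of each file that should never change, stores that baseline as JSON (which, as the text says, belongs on read-only media), and reports files that have changed or gone missing. The demo() scenario, its file names and contents are constructed for the example.

```python
import hashlib
import json
import os
import tempfile

def file_digest(path):
    """SHA-256 of a file's contents, read in chunks so large files are fine."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def build_baseline(paths):
    """Digest of every file that should never change. Content hashes, not
    modification times: a timestamp is easy to reset, a SHA-256 is not."""
    return {p: file_digest(p) for p in paths}

def check_baseline(baseline):
    """Compare live files with the stored baseline; report what differs."""
    findings = {"changed": [], "missing": []}
    for p, digest in sorted(baseline.items()):
        if not os.path.exists(p):
            findings["missing"].append(p)
        elif file_digest(p) != digest:
            findings["changed"].append(p)
    return findings

def save_baseline(baseline, path):
    """JSON on disk; in real use this file lives on read-only media."""
    with open(path, "w") as f:
        json.dump(baseline, f, indent=2, sort_keys=True)

def load_baseline(path):
    with open(path) as f:
        return json.load(f)

def demo():
    """Constructed scenario: two 'system' files, one later edited, one deleted."""
    d = tempfile.mkdtemp()
    cfg, binary = os.path.join(d, "hosts"), os.path.join(d, "ls")
    with open(cfg, "w") as f:
        f.write("127.0.0.1 localhost\n")
    with open(binary, "wb") as f:
        f.write(b"\x7fELF-not-really")
    db = os.path.join(d, "baseline.json")
    save_baseline(build_baseline([cfg, binary]), db)
    clean = check_baseline(load_baseline(db))      # nothing changed yet
    with open(cfg, "a") as f:                      # simulate tampering
        f.write("10.0.0.9 localhost\n")
    os.remove(binary)                              # simulate a deleted binary
    return clean, check_baseline(load_baseline(db)), cfg, binary
```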
The sniffer: This tool checks all the traffic which goes through the network, looking for suspicious activity. It's usually installed on the firewall, or on a special box just to one side or the other of the firewall - though it would be more useful on the outside.
It doesn't attempt to block any activity, only to report it when it finds it.
The honeypot: One for special circumstances - this system has most of the useful programs (like directory listers or file removers or editors) removed and replaced with special programs that shut the computer down as soon as they're run. The shutdown prevents the intruder from further intrusion, and also from modifying the honeypot's logs.
These aren't very useful as working computers - they're simply traps.
Log analysis: This is difficult - most intruders will be careful to wipe traces of their activity out of the logs. I don't recommend its use by laymen, and include it here only because it is an important tool for more experienced administrators.
Most operating systems keep a set of logs of their network activity. This usually consists of things like 'opened this port', 'sent mail to this person', 'closed the port'. The content of the mail is not kept, but the fact of its being sent is. This sort of information is a useful tool for intrusion analysis (and for checking whether the system is running correctly).
Log analysis involves whoever does the monitoring going through the logs and looking for strange occurrences. Logs look something like this:
May 13 09:57:03 gondwanah dhclient-2.2.x: DHCPDISCOVER on lo to 255.255.255.255 port 67 interval 2
May 13 09:57:05 gondwanah dhclient-2.2.x: No DHCPOFFERS received.
May 13 09:57:05 gondwanah dhclient-2.2.x: No working leases in persistent database - sleeping.
May 13 09:57:05 gondwanah dhclient-2.2.x: No DHCPOFFERS received.
May 13 09:57:05 gondwanah dhclient-2.2.x: No working leases in persistent database - sleeping.
May 13 10:00:21 gondwanah dhclient-2.2.x: DHCPREQUEST on eth0 to 10.0.3.1 port 67
May 13 10:00:21 gondwanah dhclient-2.2.x: DHCPACK from 10.0.3.1
May 13 10:00:21 gondwanah dhclient-2.2.x: bound to 10.0.1.1 -- renewal in 3500 seconds.
You're not expected to understand what this is! It's an attempt by my computer to get an IP address (a number address) from the master computer on our home network. Log analysis involves reading a lot of stuff like this, knowing what's normal and what isn't, and dealing with the abnormalities.
Which is why I don't recommend it for laymen.
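As an added example, not from the original page, here is the shape of the 'knowing what's normal' job: a small analyser that parses syslog-style lines into timestamp, host, program and message, compares each against a list of patterns that are normal for this host, and reports what does not fit. The list of normal patterns is constructed for the example; the sample input reuses the dhclient lines above plus two constructed lines, an sshd login and a malformed line.

```python
import re
from collections import Counter

# syslog line shape: 'Mon DD HH:MM:SS host program[pid]: message'
SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<prog>[^:\[\s]+)(?:\[\d+\])?: (?P<msg>.*)$")

# What 'normal' looks like on this host: (program, message) patterns.
# Constructed for the example; a real list is learnt from weeks of quiet logs.
NORMAL = [(re.compile(p), re.compile(m)) for p, m in [
    (r"^dhclient", r"^DHCP(DISCOVER|REQUEST) on \S+ to \S+ port 67"),
    (r"^dhclient", r"^DHCPACK from \S+$"),
    (r"^dhclient", r"^No DHCPOFFERS received\.$"),
    (r"^dhclient", r"^No working leases in persistent database - sleeping\.$"),
    (r"^dhclient", r"^bound to \S+ -- renewal in \d+ seconds\.$"),
]]

def parse(line):
    """Return the line's fields as a dict, or None if it is not syslog-shaped."""
    m = SYSLOG_RE.match(line)
    return m.groupdict() if m else None

def is_normal(rec):
    return any(p.search(rec["prog"]) and m.search(rec["msg"]) for p, m in NORMAL)

def analyse(lines):
    """Split a batch of lines into unparseable, abnormal, and per-program counts."""
    unparseable, abnormal, counts = [], [], Counter()
    for line in lines:
        rec = parse(line)
        if rec is None:
            unparseable.append(line)
            continue
        counts[rec["prog"]] += 1
        if not is_normal(rec):
            abnormal.append(rec)
    return unparseable, abnormal, counts

# The page's own dhclient lines plus two constructed lines that should be flagged.
SAMPLE_LOG = """May 13 09:57:03 gondwanah dhclient-2.2.x: DHCPDISCOVER on lo to 255.255.255.255 port 67 interval 2
May 13 09:57:05 gondwanah dhclient-2.2.x: No DHCPOFFERS received.
May 13 09:57:05 gondwanah dhclient-2.2.x: No working leases in persistent database - sleeping.
May 13 10:00:21 gondwanah dhclient-2.2.x: DHCPREQUEST on eth0 to 10.0.3.1 port 67
May 13 10:00:21 gondwanah dhclient-2.2.x: DHCPACK from 10.0.3.1
May 13 10:00:21 gondwanah dhclient-2.2.x: bound to 10.0.1.1 -- renewal in 3500 seconds.
May 13 10:02:44 gondwanah sshd[812]: Accepted password for root from 203.0.113.5 port 40112 ssh2
this line is not in syslog format at all""".splitlines()

def run_sample():
    return analyse(SAMPLE_LOG)
```

The abnormal list is what the person doing the monitoring actually reads; everything matching a normal pattern is only counted, so a sudden jump in a program's count is the other thing worth a look.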
If it was a physical break-in, call the police.
If it was a network break-in, either call the police or:
Shut your computer down.
Call your trusted computer-expert friend, or hire specialists in computer security.
Consider calling the police. Consider preserving the evidence.
Let the experts take your computer off the network, reboot it, and take a look at the logs. They will hopefully be able to figure out what type of attack it was.
If you chose to preserve the evidence, make sure your computer experts know this before they change anything.
Let the experts check your files for damage. They may recommend reinstalling the operating system, they may recommend restoring your data from your latest backup. Ask them for the pros and cons of each option they offer, and each recommendation they make. It's your data, but you hired them for their knowledge. So lean towards their advice, but you make the decision.
Get their advice on further securing your system. Listen to it.
Your security system is only as strong as its weakest part. A determined intruder will keep looking until they find a vulnerability.
Security through obscurity is weak. A hidden thing is more secure than a highly visible one, but don't trust hiding on its own to protect your data. A hidden safe is more secure than a sock under the floorboards.