Monitoring ISPs, Intruders, and Your Network

I received many responses to last week's commentary about ISPs and the way some of them prioritize revenue above Internet security. Some readers told me about similar horror stories; others asked why I didn't name the ISPs to which I alluded; still others asked what sort of monitoring software I use to track incidents. This week I'll address those questions.

I didn't name the Minnesota-based ISP that failed to respond in a reasonable, timely fashion for several reasons. First and foremost, naming the company might unnecessarily damage its reputation. We all make mistakes—and presumably learn from them. Although I can't be certain, I hope the incident taught the ISP a valuable lesson. If the ISP is intelligent enough to build and operate a complex network, it should also be intelligent enough to realize its mistakes and correct its procedures to ensure that such incidents don't occur again.

I also mentioned a Colorado-based ISP that did respond admirably when I reported that one of its users' systems seemed to be infected with a malicious worm. The company is Front Range Internet, and I commend its support staff for a genuine caring attitude and swift actions to fix a serious problem. Kudos to Front Range Internet's entire staff—they're network professionals who deserve attention in good light.

As for naming which monitoring software I use: Don't ask me that! It isn't prudent to ask, nor is it prudent for me to tell. The reasons should be obvious. Would you walk into your bank and ask the manager what kind of security system it uses? I doubt it. You would raise too much suspicion. Even if you did ask, I doubt that you'd get an answer because you don't have a need to know that sort of information. The same goes for networks: It's not wise to ask people about their network security systems.

If you're interested in monitoring packages for various levels of system and network activity, I can point out several things that might help you. First, every good firewall provides considerable logging features that include various levels of tracking and alerting. If you aren't monitoring such logs at regular intervals, you need to start; otherwise, you'll find out after damage has already occurred that someone attacked your network. Some firewalls use their own log files; others send their events to the Windows event log. Several software packages can monitor and consolidate event-log records and deliver alerts to appropriate personnel. I offered tips about some of these products in "Which Software Can Help Monitor Event Logs," October 2000.

Keep in mind that when your log entries indicate that someone is attacking your system, the information might not point to the intruder's true point of origin. Savvy attackers cover their tracks as deeply as they can. An intruder will hijack other peoples' equipment and launch attacks from those hijacked systems. It's often extremely difficult, if not impossible, to determine an attack's true origin. So be careful when you contact an ISP about intrusion attempts. Don't assume that you know exactly where the intruder originates. Work with the ISP to help make that discovery as accurately as possible.

When someone attacks your system, you might want to know which files or registry keys an intruder accesses as the attack occurs. A great tool that can help you learn this information in real time is Winternals Software's Monitoring Tools. Monitoring Tools captures and displays file and registry accesses that occur on any Windows system on your network. The product displays results on your local computer and can filter for specific details. Monitoring Tools lets you know which application is accessing your system and logs results to a file for review or offline processing. Be sure to check out this tool and other Winternals Software tools.

We're conducting a new poll this week to ask about your experiences with intruders and ISPs: If you've ever caught intruders and reported them to an ISP, did the ISP respond immediately? Please visit our home page and tell us your answer.
