
Don’t reuse passwords

On more than one occasion, I’ve run into situations where the same username/password combination was used over and over. I realize it’s easier. But if I know this, I’m pretty sure the bad guys do as well. If they get their hands on a username/password combination, they’re going to try it elsewhere. Don’t make it that easy for them.

There are many helpful password vaults that require you to remember only the master password to gain access to the vault. After that, it’s usually a matter of selecting the proper entry. For instance, Figure A shows Password Safe, the password vault I use. It’s open source and was originally designed by Bruce Schneier.

Figure A

Monitor outbound network traffic

Malware is becoming sophisticated enough to avoid detection on the host itself. One way of exposing it is to monitor outbound network traffic: suspicions should be raised when the number of outbound connections or the amount of traffic deviates from the normal baseline. To tell the truth, that deviation may be the only indication that sensitive information is being stolen or that an email engine is actively spamming. One caveat: the baseline has to be recorded on a known-clean network, because a baseline measured after the infection simply teaches the monitor that the exfiltration is normal.

Most firewall applications can monitor outbound traffic. Advanced firewalls can even create scheduled reports similar to the one in Figure B.

Figure B

Implement a security plan

No matter what size the organization, having a security plan in place is invaluable for the following reasons:

- Everyone is working off the same playbook, which provides continuity.
- When the organization is in panic mode, the security plan provides solid solutions developed at a time when everyone was less anxious.

Security plans should be individually sculpted to fit the needs of each organization. To get an idea of what’s required, I’ve linked to two guides, a rather generic one by Microsoft and an all-encompassing guide by NIST.

Examine security logs

Good administrators know about baselining and try to review system logs on a daily basis. Since this article deals with security breaches, I’d like to place special emphasis on security logs, as they’re the first line of defense.

For example, when reviewing a Windows server security log, the administrator comes across multiple 529 events (Logon Failure: Unknown user name or bad password). That should immediately raise an alert, with the administrator trying to determine whether a valid user has forgotten a password or an attacker is attempting to gain access. A few failures followed by a successful logon from the same workstation usually means a typo; dozens of failures against one account, or one failure each against many accounts from a single source, usually means an attacker. Note that 529 is the Windows 2000/XP/Server 2003 event ID; on Windows Vista/Server 2008 and later the same failure is logged as event 4625 (“An account failed to log on”), so a search for 529 alone will miss it on newer systems.

Windows security logs are cryptic, to say the least, so having some kind of reference guide is beneficial. That’s where Randy Franklin Smith helps out: he has a Web page that defines most every Windows security log event, and a free reference chart that can be invaluable in explaining security log events.
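To make the 529 triage concrete, here is an added example (not from the article, from Randy Franklin Smith’s site, or from any vendor tool). It is Python run over a hypothetical CSV export with time, event_id, account and source columns; every account, hostname and address in it is constructed. It treats 529 and its post-Vista successor 4625 as failed logons and 528, 540 and 4624 as successes, and sorts each source into one of three patterns: a forgotten password (a few failures, then success), a brute-force attempt against one account, or a password spray across many accounts.

```python
"""Triage failed-logon events from a Windows security log export.

Added example, not from the article or any vendor tool.  The CSV layout
(time,event_id,account,source) is hypothetical and every record is
constructed.  Event 529 is the Windows 2000/XP/2003 failed-logon ID;
4625 is its Vista/Server 2008+ successor.  528/540/4624 are successes.
"""
import csv
from collections import defaultdict
from datetime import datetime, timedelta
from io import StringIO

FAILED_LOGON_IDS = {529, 4625}
SUCCESS_LOGON_IDS = {528, 540, 4624}
WINDOW = timedelta(minutes=10)


def _constructed_rows():
    """Build three scenarios: forgotten password, brute force, spray."""
    rows = []
    t0 = datetime(2024, 3, 4, 8, 0, 0)
    for i in range(3):                       # three typos, then success
        rows.append((t0 + timedelta(seconds=20 * i), 529, "jsmith", "WS-FIN-07"))
    rows.append((t0 + timedelta(seconds=90), 528, "jsmith", "WS-FIN-07"))
    t1 = datetime(2024, 3, 4, 2, 14, 0)
    for i in range(40):                      # one account, one source, 40 tries
        rows.append((t1 + timedelta(seconds=i), 529, "administrator", "10.0.0.45"))
    t2 = datetime(2024, 3, 4, 3, 30, 0)
    accounts = ["alice", "bob", "carol", "dave", "erin", "frank", "grace", "heidi"]
    for i, acct in enumerate(accounts):      # many accounts, one try each
        rows.append((t2 + timedelta(seconds=30 * i), 529, acct, "10.0.0.99"))
    return rows


# Constructed export in the hypothetical CSV layout.
SAMPLE_LOG = "time,event_id,account,source\n" + "".join(
    f"{t:%Y-%m-%d %H:%M:%S},{eid},{acct},{src}\n"
    for t, eid, acct, src in _constructed_rows())


def parse(text):
    """Parse the export into dicts, sorted by time."""
    events = []
    for row in csv.DictReader(StringIO(text)):
        events.append({
            "time": datetime.strptime(row["time"], "%Y-%m-%d %H:%M:%S"),
            "event_id": int(row["event_id"]),
            "account": row["account"].lower(),
            "source": row["source"],
        })
    return sorted(events, key=lambda e: e["time"])


def triage(events, brute_threshold=10, spray_accounts=5):
    """Return [(source, label, detail)] describing failed-logon patterns."""
    failures = [e for e in events if e["event_id"] in FAILED_LOGON_IDS]
    successes = [e for e in events if e["event_id"] in SUCCESS_LOGON_IDS]
    by_source = defaultdict(lambda: defaultdict(list))
    for e in failures:
        by_source[e["source"]][e["account"]].append(e["time"])

    findings = []
    for src, per_account in by_source.items():
        for acct, times in per_account.items():
            # Densest WINDOW-sized run of failures for this account/source.
            worst = max(sum(1 for u in times if t <= u < t + WINDOW) for t in times)
            if worst >= brute_threshold:
                findings.append((src, "brute-force",
                                 f"{worst} failures for {acct} within {WINDOW}"))
                continue
            # Failures followed by a success from the same place look like a typo.
            if any(s["account"] == acct and s["source"] == src
                   and times[-1] <= s["time"] <= times[-1] + WINDOW
                   for s in successes):
                findings.append((src, "forgotten-password",
                                 f"{len(times)} failures for {acct}, then success"))
        tries = [len(t) for t in per_account.values()]
        if len(tries) >= spray_accounts and max(tries) <= 2:
            findings.append((src, "password-spray",
                             f"{len(tries)} accounts, at most {max(tries)} tries each"))
    return findings


if __name__ == "__main__":
    for src, label, detail in triage(parse(SAMPLE_LOG)):
        print(f"{src:<12} {label:<18} {detail}")
```

The thresholds are deliberately parameters: a help desk that resets passwords all day will want a higher brute_threshold, and a small domain may need a lower spray_accounts. The spray rule is the one most often missed by a simple “failures per account” view, because each account only fails once or twice.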
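Going back to the outbound-traffic tip, the following added example (not from the article or from any firewall product) shows the baselining logic in Python. It assumes a hypothetical firewall export of one line per connection in the form “host dst_ip:port bytes_out”; the hosts, addresses, baseline figures and current-hour lines are all constructed. Each host is compared against its own seven-day history for the same hour, and a host with no history at all is flagged too, since a machine that has never talked out before is itself a deviation from baseline.

```python
"""Flag hosts whose outbound traffic deviates from a per-host baseline.

Added example, not from the article.  All hosts, addresses and numbers are
constructed, and the "host dst:port bytes_out" line format is hypothetical,
not any particular firewall's export format.
"""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed baseline: (outbound connections, bytes_out) for the same hour
# on each of the previous 7 days.
BASELINE = {
    "ws-finance-07": [(42, 3_100_000), (39, 2_900_000), (45, 3_300_000),
                      (41, 3_000_000), (40, 3_050_000), (44, 3_200_000),
                      (43, 3_150_000)],
    "ws-hr-02":      [(20, 900_000), (22, 950_000), (19, 880_000),
                      (21, 910_000), (20, 905_000), (23, 980_000),
                      (15, 775_000)],
    "srv-mail-01":   [(500, 80_000_000), (520, 83_000_000), (480, 78_000_000),
                      (510, 81_000_000), (495, 79_500_000), (505, 80_500_000),
                      (490, 78_000_000)],
}


def synth(host, n, prefix, port, nbytes, single_dst=False):
    """Construct n log lines for one host; single_dst models a beacon."""
    lines = []
    for i in range(n):
        last = 10 if single_dst else i % 254 + 1
        lines.append(f"{host} {prefix}.{last}:{port} {nbytes}")
    return lines


# Constructed current-hour log (documentation address ranges only).
CURRENT_LOG = (
    synth("ws-finance-07", 40, "203.0.113", 443, 75_000)        # normal
    + synth("ws-hr-02", 300, "198.51.100", 8443, 2_000, True)  # beaconing
    + synth("srv-mail-01", 700, "192.0.2", 25, 150_000)        # spam burst
    + synth("ws-unknown-99", 5, "203.0.113", 443, 10_000)      # never seen
)


def summarize(lines):
    """Aggregate per-host connection count, bytes and distinct destinations."""
    conns = defaultdict(int)
    bytes_out = defaultdict(int)
    dests = defaultdict(set)
    for line in lines:
        host, dst, nbytes = line.split()
        conns[host] += 1
        bytes_out[host] += int(nbytes)
        dests[host].add(dst)
    return conns, bytes_out, dests


def flag_deviations(baseline, lines, sigmas=3.0):
    """Return {host: [reasons]} for hosts above mean + sigmas*stdev, or unseen."""
    conns, bytes_out, _ = summarize(lines)
    alerts = defaultdict(list)
    for host, hist in baseline.items():
        hist_c = [c for c, _ in hist]
        hist_b = [b for _, b in hist]
        # Floor the spread so a perfectly flat baseline still has tolerance.
        if conns.get(host, 0) > mean(hist_c) + sigmas * max(pstdev(hist_c), 1.0):
            alerts[host].append("connections")
        if bytes_out.get(host, 0) > mean(hist_b) + sigmas * max(pstdev(hist_b), 1.0):
            alerts[host].append("bytes")
    for host in conns:
        if host not in baseline:
            alerts[host].append("no-baseline")
    return dict(alerts)


if __name__ == "__main__":
    conns, bytes_out, dests = summarize(CURRENT_LOG)
    for host, reasons in flag_deviations(BASELINE, CURRENT_LOG).items():
        print(f"{host}: {', '.join(reasons)} "
              f"(conns={conns[host]}, bytes={bytes_out[host]}, "
              f"distinct_dst={len(dests[host])})")
```

Note what the two deviating hosts look like: the beaconing workstation trips only the connection-count rule (300 small connections to a single address, well under its usual byte volume), while the spamming mail server trips both. Watching only bytes would have missed the first case, which is why the count and the volume are baselined separately.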