Security precautions at La Trobe University, Bendigo – How we track/locate infected machines
Russell J.N. Bovaird 2007
Monitoring for unwanted activity on a network connected to the Internet is a different discipline from other kinds of network monitoring. Whether the concern is virus activity or unauthorised users, network administrators and engineers need to be vigilant about who and what is using the network.
The network is always on and, even today, usually accessible to anyone who plugs in, because workable network access control is still rare. Any organisation connected to the Internet should nonetheless take ownership of and responsibility for its network, so logging mechanisms are essential; the less technical security policies and processes are also of great value once suspect activity is noticed.
Once a suspected security breach has been noticed it must be investigated and explained. Scans of the computer, such as probing for open ports and listing active processes and applications, help to establish whether that computer is compromised, either by a virus (including worms and the like) or by an active hacker who may be using the platform as a drop site for cracked software.
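As an added example of the port-probing and socket-listing triage described above (this is not code from the presentation or from La Trobe University), the script below compares two views of a suspect Linux host: the host's own socket table, parsed from /proc/net/tcp (the data netstat -tln reads), and an outside TCP connect() scan of the same ports. Listeners outside an allowlist of expected services are flagged, and ports the scan reaches that the host does not report are flagged as possibly hidden. The /proc/net/tcp sample is constructed, the allowlist of ports 22 and 80 is an assumption, and the IP decoding assumes a little-endian host, which is what the sample is written for.

```python
"""Host-triage helper for a suspected compromised Linux box (added example,
not code from the presentation).

Host view: LISTEN sockets parsed from /proc/net/tcp, owner mapped via /proc/*/fd.
Outside view: a plain TCP connect() scan.  Ports open from outside but absent
from the host's own table suggest a rootkit filtering the socket list."""
import os
import socket
import struct

# Constructed sample in Linux /proc/net/tcp format (not real capture data).
# local_address is hex IP:port with the IP in host byte order; st 0A = LISTEN.
# Listeners here: 22, 80, 6667 (IRC bot?) on loopback, 31337; row 4 is ESTABLISHED.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12345 1 0000000000000000 100 0 0 10 0
   1: 00000000:0050 00000000:0000 0A 00000000:00000000 00:00000000 00000000    33        0 12346 1 0000000000000000 100 0 0 10 0
   2: 0100007F:1A0B 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1001        0 12347 1 0000000000000000 100 0 0 10 0
   3: 00000000:7A69 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1001        0 12348 1 0000000000000000 100 0 0 10 0
   4: 0A000001:D431 5DB8D822:0050 01 00000000:00000000 00:00000000 00000000  1000        0 12349 1 0000000000000000 20 4 30 10 -1
"""

TCP_LISTEN = "0A"


def hex_to_ip(hex_ip):
    """'0100007F' -> '127.0.0.1'.  The kernel prints the IPv4 address in host
    byte order, so native ('=') unpacking is correct on the machine being read;
    the constructed sample assumes a little-endian (x86/ARM) host."""
    return socket.inet_ntoa(struct.pack("=I", int(hex_ip, 16)))


def parse_listeners(proc_net_tcp_text):
    """Return [{'addr', 'port', 'uid', 'inode'}] for every LISTEN socket."""
    listeners = []
    for line in proc_net_tcp_text.splitlines()[1:]:   # first line is the header
        fields = line.split()
        if len(fields) < 10 or fields[3] != TCP_LISTEN:
            continue
        hex_ip, hex_port = fields[1].split(":")
        listeners.append({"addr": hex_to_ip(hex_ip), "port": int(hex_port, 16),
                          "uid": int(fields[7]), "inode": int(fields[9])})
    return listeners


def unexpected_listeners(listeners, allowed_ports):
    """Listeners on ports outside the host's allowlist of expected services."""
    return [l for l in listeners if l["port"] not in allowed_ports]


def inode_to_pid(inode):
    """Best effort: find the PID holding socket:[inode] via /proc/*/fd.
    Needs a Linux /proc and permission to read other users' fd tables
    (run as root); returns None otherwise."""
    target = "socket:[%d]" % inode
    try:
        pids = [p for p in os.listdir("/proc") if p.isdigit()]
    except OSError:
        return None
    for pid in pids:
        fd_dir = "/proc/%s/fd" % pid
        try:
            for fd in os.listdir(fd_dir):
                if os.readlink(os.path.join(fd_dir, fd)) == target:
                    return int(pid)
        except OSError:
            continue       # process exited, or not ours to read
    return None


def connect_scan(host, ports, timeout=0.5):
    """Outside view: the subset of ports that accept a TCP connection."""
    open_ports = []
    for port in ports:
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
            s.settimeout(timeout)
            if s.connect_ex((host, port)) == 0:
                open_ports.append(port)
    return open_ports


def hidden_listeners(host_view_ports, scan_open_ports):
    """Ports reachable from outside but missing from the host's own table."""
    return sorted(set(scan_open_ports) - set(host_view_ports))


def self_check_scan():
    """Sanity check of the scanner: open an ephemeral loopback listener, scan it,
    close it, scan again.  Returns (seen_while_open, gone_after_close)."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as srv:
        srv.bind(("127.0.0.1", 0))
        srv.listen(1)
        port = srv.getsockname()[1]
        seen_while_open = connect_scan("127.0.0.1", [port]) == [port]
    gone_after_close = connect_scan("127.0.0.1", [port]) == []
    return seen_while_open, gone_after_close


if __name__ == "__main__":
    try:                       # real table on Linux, constructed sample elsewhere
        with open("/proc/net/tcp") as f:
            text = f.read()
    except OSError:
        text = SAMPLE_PROC_NET_TCP
    found = parse_listeners(text)
    for l in unexpected_listeners(found, {22, 80}):      # assumed allowlist
        print("UNEXPECTED %s:%d uid=%d pid=%s" % (l["addr"], l["port"], l["uid"],
                                                  inode_to_pid(l["inode"])))
```

Run it on the suspect host as root to resolve socket owners, and run connect_scan against the host from a second machine: a port that answers from outside but is absent from parse_listeners is the stronger signal, since a kernel rootkit that hides its process from /proc cannot hide the open port from the network.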
Having established that there is unauthorised use or software on a computer, the traits of that software can usually be looked up with a search engine. Most viruses have published signatures and removal tools that can be applied, and the unauthorised software removed. In most circumstances the affected machine should be removed from the network, and a formal takedown procedure is vital in this process.
Firewalls and other devices or utilities can be deployed at network entry points to block such malicious software. While these filter most of the offending traffic, not everything will be stopped. Most critically, boundary controls are a balance between usability and protection: the higher the protection, the lower the usability, and vice versa.
This presentation outlines how such activity is discovered and eliminated on the network at the Bendigo campus of La Trobe University.
About Russell J.N. Bovaird
Russell has a Bachelor of Computing and a Bachelor of Business (Accounting). He worked in private enterprise as a Computer Accounting Consultant at Communicat from 1994 to 1996, before joining the University of Melbourne as a Local IT Expert in the Education faculty. Russell then moved to the Melbourne University Help Desk in 1998, where he stayed for two years. A move to Bendigo followed when he secured employment as the Network Administrator at the Bendigo Campus of La Trobe University, where he has been employed since January 2000.