20/20 Hindsight – Walmart Lessons Learned for Tenable Customers
- Friday, October 23, 2009, 3:00
- Threat Research
Wired magazine recently ran an excellent story detailing how Walmart suffered a deep intrusion. The story provides many examples of cliché security lapses, such as not disabling a remote VPN account for a former Walmart worker. This blog entry describes how customers using Tenable Unified Security Monitoring solutions can learn from these mistakes and get more value out of their investment with Tenable.
Crash Analysis
Walmart IT staff was first alerted to the compromise when they responded to a report of a crashed server. The server crashed when the intruder ran the L0phtcrack password-cracking tool.
Logs that indicate crashes or reboots can be valuable for analysis and trending. Although servers and applications can crash because of high usage, resource starvation, or poor configuration or design, most of the time they do not crash without external help. Malicious users can cause systems to crash in several ways: inadvertently, while attempting a technical attack such as a buffer overflow exploit; deliberately, as a denial of service attack; or unintentionally, by exhausting resources such as memory or disk space.
Performing crash analysis with Tenable’s Log Correlation Engine is very straightforward. Tenable’s log normalization rules recognize crashes, critical errors and restarts in a wide variety of applications and operating systems.
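As an added illustration (not Tenable's code and not the Log Correlation Engine's actual rule set), the following Python sketches the crash-analysis idea from this section: a few normalization rules classify syslog-style lines into crash, critical-error, shutdown and boot events, then a per-host pass counts them and flags hosts whose crash count exceeds a baseline or that booted without a preceding clean shutdown. The rule patterns, hostnames and log lines are all assumptions constructed for this example.

```python
import re
from collections import defaultdict

# Normalization rules: (event type, pattern). Illustrative patterns, not LCE's actual rules.
RULES = [
    ("crash", re.compile(r"segfault|core dumped|Out of memory|code=(?:killed|dumped)", re.I)),
    ("critical", re.compile(r"kernel panic|\bCRIT(?:ICAL)?\b", re.I)),
    ("shutdown", re.compile(r"shutting down for (?:system )?(?:reboot|halt)", re.I)),
    ("boot", re.compile(r"Linux version \S+", re.I)),
]
LINE_RE = re.compile(r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) (?P<msg>.*)$")

# Constructed syslog-style sample; hostnames, PIDs and addresses are placeholders.
SAMPLE_LOGS = """\
Oct 23 02:58:01 appsrv01 kernel: Out of memory: Killed process 4121 (httpd)
Oct 23 02:58:04 appsrv01 init: httpd main process terminated, code=killed
Oct 23 03:00:12 appsrv01 shutdown[1]: shutting down for system reboot
Oct 23 03:03:44 appsrv01 kernel: Linux version 2.6.18-el5 (gcc 4.1.2)
Oct 23 09:15:02 web03 sshd[2210]: Accepted publickey for ops from 10.0.0.5
Oct 23 11:20:07 mailgw02 kernel: Linux version 2.6.18-el5 (gcc 4.1.2)
"""

def normalize(line):
    """Map one raw line to (timestamp, host, event_type); None if no rule matches."""
    m = LINE_RE.match(line)
    if m:
        for event, pat in RULES:
            if pat.search(m["msg"]):
                return m["ts"], m["host"], event
    return None

def analyze(log_text, crash_threshold=1):
    """Per-host event counts plus review flags: crash/critical count above baseline, or a boot with no prior shutdown."""
    counts = defaultdict(lambda: defaultdict(int))
    pending_shutdown, unexpected = set(), defaultdict(int)
    for line in log_text.splitlines():
        ev = normalize(line)
        if ev is None:
            continue
        _, host, event = ev
        counts[host][event] += 1
        if event == "shutdown":
            pending_shutdown.add(host)
        elif event == "boot" and host in pending_shutdown:
            pending_shutdown.discard(host)
        elif event == "boot":  # no clean shutdown seen in this window; caveat: the first
            unexpected[host] += 1  # boot after the window starts is flagged the same way
    return {h: {"events": dict(c), "unexpected_reboots": unexpected[h],
                "review": c["crash"] + c["critical"] > crash_threshold or unexpected[h] > 0}
            for h, c in counts.items()}
```

Running `analyze(SAMPLE_LOGS)` flags appsrv01 for two crash events before its reboot and mailgw02 for a boot with no shutdown message, while web03 produces no crash-related events at all.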