Host Integrity Monitoring Using Osiris and Samhain

Chapter 3: Understanding Threats

Introduction

Threats to hosts are everywhere. They include software such as remote exploits, viruses, and poorly written software applications. A threat can also be a malignant administrator, a malicious user, or even uncontrolled physical access. This chapter focuses on the threats that host integrity monitoring looks for, specifically insider threats and rootkits. We also look at some successful worms and their effect on the hosts they infected. Finally, we look at threats to host integrity monitoring (HIM) tools and discuss ways to mitigate them.

Before you can establish a plan for monitoring the integrity of your hosts, you must understand their environment and the threats to that environment. This process includes defining what the threat is and its potential impact on the environment. Once you understand the impact, you can define symptoms that will indicate if a threat has been realized. Those symptoms are used to establish a plan for monitoring the environment.

An example of this is the training required to become a doctor. Even though most doctors eventually specialize, their medical training still requires them to understand basic anatomy. This background proves helpful when detecting things that are out of the ordinary. In addition, doctors study the nature and effects of diseases to learn how they behave and to be able to detect them. Like all analogies, this one eventually breaks down, but effective host integrity monitoring requires an understanding of the host environment, how it can be attacked, and how those attacks can be detected.

Malicious Software
