Tracking System Abuse with Unicenter TNG

By Sandy Sampson, Steve Pazol, Charles B. Wang

Okay, you’ve set the rules and relayed them to the user community via company policy memos, e-mail reminders, self-service training exercises, and every other mode of communication you can think of. And still (still!) — you find someone clowning around after hours in the hope of hacking into the internals of your system and wreaking havoc with company secrets — or at least finding out how much money other people make or who’s flirting with whom in e-mail messages.

So, what’s the noble security chief to do?

  • Organize a public flogging, with the weapon of choice being the scores of obsolete magnetic tapes that you’ve been hanging onto just in case someone decides they want to retrieve that file they archived 13 years ago.
  • Plaster a photo of the offender in the “Most Wanted” section of his or her hometown post office.
  • Immediately freeze the user’s account and rescind all system privileges.

While the third option is preferable, it’s still not enough and may not even be viable. For example, a hacker’s transgressions may be pardoned because he is deemed “too valuable” to dismiss or even to whack upside the head. (Go figure!)

To prevent similar scenarios, you need to

  • Review how that person managed to find the back door to your system to begin with.
  • Review who has access to what.
  • Find out if the hacker had any help (witting or unwitting).
  • Determine what you can do to ensure that the infiltrators don’t compromise the system again.

Security logs (also known as audit trails) may assist you in tracing weaknesses in your security procedures. Both Unicenter TNG and Windows NT can log security events.

Generating security management reports

Windows NT also maintains a security log that can be viewed by choosing Select Log –> Security from the Event Viewer. (You can find the Event Viewer by clicking the Start button and choosing Programs –> Administrative Tools (Common) –> Event Viewer.)

If you’re not receiving any messages in the security log, make sure security is activated. Check status by typing unifstat from the command prompt. Unicenter returns a list with the status of Unicenter TNG components.

Reviewing audit trails

IT security people know there are no guarantees of absolute security. But audit trails can help ensure that security violations do not go unchallenged. Audit trails contain records of security events, which may include login records and other event records that enable you to determine who accessed what and when. Such information can be particularly useful if you discover a security breach and you want to re-create who was logged in at a certain point in time and what they had access to.

Unicenter TNG enables you to trace activities according to user ID or file access. So when defining a user profile, you can establish log as an access type associated with a particular user ID (or group of users), meaning that anything the user (or group) does is recorded in a log file.

Setting access type to log can degrade system performance. You should set logging judiciously — perhaps only in increments (say, from midnight to 6:00 a.m.) and for only select sets of users.

Alternatively, you can assign the logging mechanism to a particular file. You may want to do this with sensitive data, such as salary information or the secret formula for your cola product. The audit trail reveals which user account or accounts accessed the file. (Note: The assumption is that the user accessed the file through their designated account — it does not account for unauthorized users who have somehow figured out a password and usurped someone’s user ID. But that’s a completely different security issue!)
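As an added illustration (not code from this article or from Unicenter TNG), the following Python sketch answers the two questions an audit trail is kept for: who was logged in at a given moment, and which accounts touched a logged file during the midnight-to-6:00 a.m. window. The record layout, account names, and file path are constructed assumptions; real logs would first have to be exported into a similar shape.

```python
from datetime import datetime

# Constructed sample audit records: timestamp, account, event, target.
# This layout is an assumption for illustration, not the Unicenter TNG
# or Windows NT log format.
SAMPLE = """\
1999-03-01 17:55:10,jdoe,LOGON,WS014
1999-03-01 18:02:41,asmith,LOGON,WS022
1999-03-01 18:30:00,asmith,LOGOFF,WS022
1999-03-02 00:41:07,jdoe,FILE_ACCESS,D:\\payroll\\salaries.xls
1999-03-02 01:15:33,bkhan,LOGON,WS031
1999-03-02 01:20:12,bkhan,FILE_ACCESS,D:\\payroll\\salaries.xls
1999-03-02 09:05:00,asmith,LOGON,WS022
1999-03-02 09:12:45,asmith,FILE_ACCESS,D:\\payroll\\salaries.xls
"""

def parse(text):
    """Return records sorted by time as (datetime, account, event, target)."""
    records = []
    for line in text.splitlines():
        stamp, account, event, target = line.split(",", 3)
        records.append((datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S"),
                        account, event, target))
    return sorted(records)

def logged_in_at(records, when):
    """Accounts with a LOGON and no later LOGOFF at or before `when`.
    A session that never logged off (crash, left overnight) stays active."""
    active = set()
    for stamp, account, event, _ in records:
        if stamp > when:
            break
        if event == "LOGON":
            active.add(account)
        elif event == "LOGOFF":
            active.discard(account)
    return sorted(active)

def accessed(records, path, start_hour=0, end_hour=24):
    """(time, account) for each access to `path` inside the hour window."""
    return [(stamp, account) for stamp, account, event, target in records
            if event == "FILE_ACCESS" and target.lower() == path.lower()
            and start_hour <= stamp.hour < end_hour]

if __name__ == "__main__":
    recs = parse(SAMPLE)
    print(logged_in_at(recs, datetime(1999, 3, 2, 1, 0)))
    for stamp, account in accessed(recs, r"D:\payroll\salaries.xls", 0, 6):
        print(stamp, account)
```

In the sample, jdoe never logs off on March 1, so the account still counts as logged in at 1:00 a.m. and is one of two accounts that opened the salary file after hours.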

Audit trail information can be reviewed through the event console logs and the Windows NT event log window. To review event console logs from previous days, select Start –> Programs –> Unicenter TNG –> Enterprise Management –> Enterprise Managers –> Windows NT. From the Windows NT (Enterprise Managers) window that appears, choose Event –> Console Logs. The window that appears is the current day’s Event console log. To review logs from other days, choose Console –> Open from the Event console log menu bar. You have a choice of selecting Previous (for the previous day’s log) or entering particular dates or file names.

You can also view security messages sent to both the Held Messages and Log Messages areas of the Event Console. The Held Messages area is a special panel of the Event Console in which important messages requiring operator attention are held. After the operator acknowledges the message, the message is sent to the Log Messages area.

When tracking down security breaches, it’s helpful to remember that both Unicenter TNG and Windows NT record security events. A security problem overlooked in one log may stand out in the other.

You can enhance Unicenter TNG’s basic security features with several Unicenter TNG options such as Single Sign-On and Virus Protection. Additionally, Unicenter TNG works with third-party products, so if you already have a security solution in place, Unicenter TNG can defer to that solution.