Q: Tools for internet security (Answered, 4 out of 5 stars, 5 Comments)
Question
Subject: Tools for internet security
Category: Computers > Security
Asked by: maxhodges-ga
List Price: $20.00
Posted: 11 May 2004 14:37 PDT
Expires: 10 Jun 2004 14:37 PDT
Question ID: 344818
We have Cox (cable/Business communications cable modem) and they are
very solid and fast; they got a PC Mag Reader's Choice award for
good-things-Internet-connection. Recently, I have begun manually
disconnecting sometimes during the day at cable modem though for
concerns about Sasser (sp?) virus, and also I keep seeing several
attempted hack-ins. More than just general internet noise/traffic.
Also we have more vital data (credit card info) on our system than
previous.

We have Router/Hardware firewall + Zone Alarm software. Keeps most
attempts out, reports much, but I'm still concerned an employee might
inadvertently allow something through the zone alarm by unknowingly
granting a permission.
 
I also suspect someone may have tried/gotten through to our system
before, maybe even still be trying now to get into our system.
We still use NT4, and have updated its security patches, but security
with constant Internet connection and critical, confidential data
still worries me.
Do you know a way or a tool or a guru that can scope out such things?
(Check for attempted intrusions, track down the source, record and/or
investigate the source, even follow through for any follow up by
authorities if a hacker is identified, and then check and add
security?)
 
Tall order. Don't know who does this / how to do this. But I want to
find out if someone has/is hacking in or trying to hack in, follow
that up, then make more secure. Don't have a huge budget for all that,
but want to take some action to check it out. Don't know who does this
kind of thing.
Any ideas?
Answer  
Subject: Re: Tools for internet security
Answered By: josh_g-ga on 11 May 2004 18:03 PDT
Rated: 4 out of 5 stars
 
Dear maxhodges,

The more you look into internet security, the more you realize that
there is no such thing as complete, total internet security - unless
you simply unplug from the internet.  Digital security is like having
physical home security - you aren't worried about keeping armored
tanks from breaking down the front door, but you would like to keep
the petty robbers at bay.  That said, here are some tips and tools for
testing out your own network's security.

First of all, I would suggest that having both a hardware firewall and
a software firewall such as Zone Alarm on your machines is probably
overkill.  A properly configured hardware firewall will block all
incoming scans and unwanted connection attempts.  Software firewalls
on individual PCs will then have no bearing on blocking incoming
connection attempts.  Zone Alarm does have the added functionality of
allowing or disallowing outgoing traffic based on the application -
but you've already pointed out the weakness of this approach.  The
average user will not know when to allow or disallow outgoing traffic
unless it's made very clear what the right choice is (e.g. if the
warning says "VIRUS" or "TROJAN" somewhere).

Besides, outgoing traffic is only a serious problem if you've already
been compromised somehow, via a trojan horse or a hacker presence.
Good antivirus software and some basic user education will take care
of 99.9% of your trojan worries.  All that said, if you feel that the
added security of a software firewall is still a good idea, I would
suggest that an administrator should be managing the configuration of
firewall rules, and users should not have access to them.

The best way to test your firewall is from the outside world.  Using a
tool such as 'nmap' on a remote system to scan your own network gives
you an idea of what an average hacker will see at your address.  (See
reference 1.)  Symantec also has a security scan tool available
through their website which will let you know of any major
vulnerabilities:

Symantec Security Check
http://symantec.com/cgi-bin/securitycheck.cgi

The Security Scan option will attempt to connect to the most commonly
used ports at the IP address you are browsing from and let you know
how your security rates.  Unless your network is hosting a service for
a good reason, all of the ports listed should be closed or stealth.
Check your hardware firewall configuration if they aren't.

While you're there, you can use their virus scan webtool to check if
your system is infected with any viruses, trojans, and the like.
However, you really should have good antivirus software installed on
all of your network's workstations.  Make sure that every system's
antivirus software is keeping up to date on virus definitions -
antivirus software with year-old, or even month-old virus definitions
is almost worthless.  There are some free antivirus programs out
there, but from my own experience I recommend Norton AntiVirus (or
Symantec AntiVirus for Small Business).  Symantec has a proven track
record of consistently defining and being able to catch new viruses
shortly after they're discovered.  There are reasons to look at other
packages though, such as price and the impact they have on your system
resources.  A search for "antivirus reviews" can give you more
information, and here's one person's well-informed list:

Top Windows Antivirus for 2004
http://antivirus.about.com/cs/beforeyoubuy/tp/aatpavwin.htm

A solid firewall and antivirus combination will protect you from 99%
of the dangers on the internet, in my personal estimation as a small
business system administrator.  If hackers have no specific reason to
target you already, a good firewall will make you unnoticeable to a
random scan, as well as blocking any worms trying to exploit open
services (such as the infamous Sasser worm).  If a skilled hacker does
have a specific reason to attack you, and knows where to find you on
the Internet, your only largely-certain defense is to have a skilled
security expert on your side keeping tabs on your network for you.

Now, a note about your firewall warning you of detected hacking
attempts: there's a very good chance that an increase of warnings does
NOT indicate that you have a specific hacker or group of hackers
targeting your network.  Worms such as Sasser can look identical to a
hacking attempt to a firewall, since it is basically the sort of
exploit a hacker would use.  The difference is in whether it is an
automated exploit attempt from the thousands of random infected boxes
out there, or whether it is an exploit being creatively used by an
actual, living breathing hacker.  A firewall simply can't do the sort
of intelligent analysis needed to tell the difference, which must
include knowledge of what the current worms and viruses on the
internet are doing currently.  (For a good source of this type of
news, see reference 4.)

If a hacker has already made their way into your network, then you
really need a network security expert on-site helping secure your
network again, or you need to take drastic steps to start fresh.
(Backing up data, formatting hard drives and reinstalling via the
guidelines in Reference 4.)  If you need a security expert to
investigate your network, I could attempt to find one for you, but it
would help greatly if you could tell me what city to look for someone
in.


Search strategies:
antivirus review
(and a lot of what I already knew from my day job!)


References:
1. Insecure.Org - Nmap Free Security Scanner, Tools, & Hacking resources
http://www.insecure.org/

2. Symantec Security Check
http://symantec.com/cgi-bin/securitycheck.cgi

3. Top Windows Antivirus for 2004
http://antivirus.about.com/cs/beforeyoubuy/tp/aatpavwin.htm

4. SANS - Internet Storm Center
http://isc.incidents.org/

4. SANS - Internet Storm Center - Windows XP: Surviving the First Day
http://www.sans.org/rr/papers/index.php?id=1298

5. Knoppix STD
http://www.knoppix-std.org/
A live-cd distribution of the Linux operating system.  A live cd Linux
can be run on any PC by simply booting from the CD, and the Linux OS
is loaded into memory without installing anything on the hard drive.
The security tools distribution (STD) version of Knoppix is chock-full
of utilities relating to network security.  It's worth looking at the
webpage alone, simply for an idea of what the tools available to the
below-average hacker are capable of.


I hope that this information has been helpful to you!

Sincerely,
 - josh_g-ga
maxhodges-ga rated this answer: 4 out of 5 stars
Thanks for the very relevant answer!
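
As an added example (not part of the answer above, and not ZoneAlarm's own output), the following Python script applies the distinction josh_g-ga draws between worm background noise and a real probe to a constructed block-log sample: many different sources all hitting one port is what automated worm spread looks like, while one source walking through many ports is the pattern worth following up. The log format, the IP addresses and the two thresholds are all assumptions.

```python
import re
from collections import defaultdict

# Constructed firewall block-log sample (not real ZoneAlarm output), one
# blocked inbound connection per line: time, BLOCK, source IP, dest port/proto.
SAMPLE_LOG = """\
2004-05-11 09:01:02 BLOCK 61.0.0.12 -> 445/TCP
2004-05-11 09:01:05 BLOCK 200.5.7.9 -> 445/TCP
2004-05-11 09:01:09 BLOCK 81.33.2.4 -> 445/TCP
2004-05-11 09:01:11 BLOCK 140.8.9.1 -> 445/TCP
2004-05-11 09:02:00 BLOCK 198.51.100.23 -> 21/TCP
2004-05-11 09:02:01 BLOCK 198.51.100.23 -> 22/TCP
2004-05-11 09:02:01 BLOCK 198.51.100.23 -> 23/TCP
2004-05-11 09:02:02 BLOCK 198.51.100.23 -> 80/TCP
2004-05-11 09:02:02 BLOCK 198.51.100.23 -> 139/TCP
2004-05-11 09:03:30 BLOCK 203.0.113.5 -> 135/TCP
"""

LINE_RE = re.compile(r"^\S+ \S+ BLOCK (\S+) -> (\d+)/(TCP|UDP)$")

def parse(log_text):
    """Return (src_ip, dst_port) pairs; lines that do not match are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append((m.group(1), int(m.group(2))))
    return events

def triage(events, probe_threshold=5, worm_threshold=4):
    """Separate worm-style background noise from a source that is probing you.

    worm_noise: port -> number of distinct sources that hit only that port
                (many infected boxes all trying the same exploit).
    probing:    source -> sorted ports it touched, when it touched at least
                probe_threshold distinct ports (one host enumerating services).
    """
    ports_by_src = defaultdict(set)
    srcs_by_port = defaultdict(set)
    for src, port in events:
        ports_by_src[src].add(port)
        srcs_by_port[port].add(src)
    probing = {s: sorted(p) for s, p in ports_by_src.items()
               if len(p) >= probe_threshold}
    worm_noise = {}
    for port, srcs in srcs_by_port.items():
        single = [s for s in srcs if len(ports_by_src[s]) == 1]
        if len(single) >= worm_threshold:
            worm_noise[port] = len(single)
    return {"worm_noise": worm_noise, "probing": probing}
```

Sources that land in `probing` are the ones to keep the source address and timestamps for; a port that lands in `worm_noise` is better answered by confirming the firewall keeps that port closed or stealth than by chasing each source.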

Comments  
Subject: Re: Tools for internet security
From: dan42-ga on 11 May 2004 21:50 PDT
 
You can also use the port scan from dslreports, it works quite nicely.
http://www.dslreports.com/scan
Subject: Re: Tools for internet security
From: maxhodges-ga on 17 May 2004 02:29 PDT
 
josh can you tell me how to find a security expert?
Subject: Re: Tools for internet security
From: josh_g-ga on 17 May 2004 15:56 PDT
 
I can try.  What city and country are you located in?
Subject: Re: Tools for internet security
From: maxhodges-ga on 18 May 2004 07:43 PDT
 
Client is in VA of USA
Subject: Re: Tools for internet security
From: josh_g-ga on 18 May 2004 18:09 PDT
 
Here's a website with a list of security service providers in Virginia:

http://msd2d.com/ServiceProvider_view_03.aspx?section=server&state=Virginia
