Intruders
Computer security: detecting and preventing unauthorised use of a computer system. Security is a process, not a one-off product.
An intruder typically watches the system first, then gains control of it, and finally uses it to attack other systems.
Intruder types: a human who gains unauthorised access, or a program that secretly invades the system. Three classes of human intruder are distinguished:
- Misfeasor: a legitimate user who accesses resources they are not authorised to use, or misuses the access they have. Example: A keeps patent material in his account on the machine and mails a drawing to a competitor.
- Masquerader: an outsider who penetrates the system under a legitimate user's identity. Example: A steals B's ID and password and uses them to access the system.
- Clandestine user: seizes supervisory control of the system and uses it to suppress or evade detection. Example: A identifies a security loophole and gains administrative privileges.
First intrusion report: 1992. Two types of attacker: sophisticated hackers with good knowledge of the system, and "foot soldiers" with time on their hands who attack computers identified as weakly secured. Attacks are passive (the information flow is monitored) or active (information is altered, corrupted or destroyed). Most attacks use automated tools and come from attackers with ill intentions.
Intrusion types
Intrusion Techniques
There are many ways to gain access to a system, even when working remotely. The primary ways an attacker can get in are:
- Physical Intrusion: assumes the attacker has physical access to the machine.
- System Intrusion: assumes the attacker already has a low-privilege user account on the system.
- Remote Intrusion: the attacker has no special privilege and attempts to break into the system remotely across the network.
Exploitation of Weak Passwords: Left to their own devices, users often choose easy passwords. An intruder who knows something about the user may be able to guess the password easily. Any word that appears in a dictionary creates a vulnerability, because brute-force and dictionary attacks can crack it.
Exploitation of User Behaviour: If the password is more complex (a random combination of letters and numbers), the user may have trouble remembering it, which leads to writing it down. Careless users keep such notes in prominent places such as a desk drawer or even a sticky note on the monitor. Even when users exercise reasonable diligence, attackers can often use social engineering to persuade them to divulge their passwords by posing as tech support or administrative staff.
Capture of Credentials in Transit: Even when strong passwords are used and users keep them to themselves, intruders may be able to capture the credentials as they are sent across the network if sufficient protection (for example, encrypted transport) is not in place.
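The following is an added example, not code from the original notes, showing why a dictionary word is weak even when the stored hash is salted: an offline attacker simply hashes each candidate with the stored salt and compares. The salted SHA-256 scheme, the tiny word list and the three sample accounts are constructed for this example; real attacks use lists of millions of words and far more mangling rules.

```python
import hashlib
import os

# Assumed storage scheme for this example: SHA-256 over salt || password.
# Salting stops precomputed tables but does nothing against guessing.
def hash_password(password: str, salt: bytes) -> str:
    return hashlib.sha256(salt + password.encode()).hexdigest()

def make_sample_accounts():
    """Constructed accounts: a bare dictionary word, a lightly mangled
    dictionary word, and a long random-style password."""
    plaintexts = {"alice": "sunshine", "bob": "Password1", "carol": "q7$Lm#9vR2!xWz"}
    accounts = {}
    for user, pw in plaintexts.items():
        salt = os.urandom(8)
        accounts[user] = (salt, hash_password(pw, salt))
    return accounts

# Constructed mini word list standing in for a real cracking dictionary.
WORDLIST = ["password", "letmein", "sunshine", "dragon", "welcome", "qwerty"]

def candidates(words):
    """Yield dictionary words plus the cheap mangling rules crackers try
    first: capitalisation, a trailing '!', and one or two appended digits."""
    for w in words:
        for base in (w, w.capitalize(), w.upper()):
            yield base
            yield base + "!"
            for d in range(10):
                yield f"{base}{d}"
            for d in range(100):
                yield f"{base}{d:02d}"

def dictionary_attack(accounts, words=WORDLIST):
    """Return ({user: recovered_password}, number_of_guesses). Each guess is
    hashed once per uncracked account with that account's own salt."""
    cracked = {}
    guesses = 0
    for cand in candidates(words):
        guesses += 1
        for user, (salt, digest) in accounts.items():
            if user in cracked:
                continue
            if hash_password(cand, salt) == digest:
                cracked[user] = cand
        if len(cracked) == len(accounts):
            break
    return cracked, guesses

if __name__ == "__main__":
    found, n = dictionary_attack(make_sample_accounts())
    print(f"{n} guesses: {found}")
```

With six words and a handful of mangling rules the attacker makes about two thousand guesses and recovers both dictionary-derived passwords; only the long random one survives, which is the point of the strong-password rules that follow.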
Strong Passwords
- Make it lengthy.
- Combine letters, numbers, and symbols. The fewer the types of characters in a password, the longer it must be.
- Use the entire keyboard.
- Avoid sequences or repeated characters.
- Avoid using the login name.
- Avoid dictionary words in any language.
- Use a different password for every system.
- Avoid online storage of passwords.
- Change passwords regularly.
- Do not reveal them to others.
- Protect any recorded passwords.
- Never provide a password over e-mail or in response to an e-mail request.
- If a password is stolen, notify the responsible authorities as quickly as possible.
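As an added example (not from the original notes), the mechanical rules in the list above, coded as a checker that an account-creation form or a password-change hook could call. The length-per-character-class table, the small dictionary and the leet-folding map are assumptions chosen for illustration; a real deployment would load a large multi-language word list.

```python
import string

# Constructed word list; the text calls for dictionary words in any language.
DICTIONARY = {"password", "sunshine", "welcome", "dragon", "monkey", "letmein"}

# Assumed policy: the fewer the character classes, the longer the password.
MIN_LENGTH_BY_CLASSES = {1: 20, 2: 16, 3: 12, 4: 10}

def character_classes(pw):
    """Count which of lower, upper, digit, symbol appear in pw."""
    classes = 0
    classes += any(c.islower() for c in pw)
    classes += any(c.isupper() for c in pw)
    classes += any(c.isdigit() for c in pw)
    classes += any(c in string.punctuation for c in pw)
    return classes

def has_sequence(pw, run=3):
    """True if pw contains `run` consecutive ascending or descending
    characters (abc, 321) or the same character repeated `run` times (aaa)."""
    codes = [ord(c) for c in pw.lower()]
    for i in range(len(codes) - run + 1):
        window = codes[i:i + run]
        diffs = {b - a for a, b in zip(window, window[1:])}
        if diffs in ({0}, {1}, {-1}):
            return True
    return False

def contains_dictionary_word(pw, min_len=4):
    """Check every substring of length >= min_len against the word list
    after folding common digit/symbol-for-letter substitutions."""
    folded = pw.lower().translate(str.maketrans("013457$@!", "oleastsai"))
    for length in range(min_len, len(folded) + 1):
        for i in range(len(folded) - length + 1):
            if folded[i:i + length] in DICTIONARY:
                return True
    return False

def check_password(pw, login):
    """Return the list of policy violations; an empty list means acceptable."""
    problems = []
    if not pw:
        return ["empty password"]
    classes = character_classes(pw)
    need = MIN_LENGTH_BY_CLASSES.get(classes, 20)
    if len(pw) < need:
        problems.append(f"too short for {classes} character class(es): need {need}")
    if login and login.lower() in pw.lower():
        problems.append("contains login name")
    if has_sequence(pw):
        problems.append("contains a sequence or repeated characters")
    if contains_dictionary_word(pw):
        problems.append("contains a dictionary word")
    return problems

if __name__ == "__main__":
    for pw, user in (("Password1", "bob"), ("bob12345", "bob"), ("q7$Lm#9vR2!xWz", "carol")):
        print(pw, "->", check_password(pw, user) or "ok")
```

Note that the checker deliberately rejects "Password1" both for length and for the dictionary stem, even though it mixes three character classes: the class count only buys a shorter minimum, it does not excuse a guessable base word.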
A firewall provides security by allowing through only the specific services permitted by policy. An intrusion detection system (IDS), on the other hand, detects attempts to break in through the firewall, or attempts by someone who has already got past it to access systems on the trusted side, and alerts the system administrator when a security violation occurs. An intrusion prevention system (IPS) is the latest in this line of products; unlike a passive IDS it sits inline and can block the traffic it identifies as an attack rather than only raising an alert.
History
1980: James Anderson's paper "Computer Security Threat Monitoring and Surveillance" gave birth to the notion of intrusion detection.
1983: Dr. Dorothy Denning worked on a government project that launched a new effort into intrusion detection development.
1984: Dr. Denning published the decisive work "An Intrusion Detection Model", which included means of tracking and analysing audit data.
1988: An IDS for the US Air Force was developed.
1989: Host-based intrusion detection technologies were introduced.
1990s: UC Davis's Todd Heberlein introduced the idea of network intrusion detection.
1994: Commercial development of intrusion detection technologies; NetRanger was the first commercially viable network intrusion detection device.
1997: RealSecure IDS was released.
1999: IDS was amongst the top-selling security vendor technologies.
2000s: Emergence of active IDS; intrusion detection and prevention (IDP); intrusion prevention systems (IPS); convergence of technologies (firewall + IDP + antivirus); appliances and security switches.
Network-Based IDS: It consists of a network appliance/sensor with a network interface card operating in promiscuous mode and a separate management interface. This IDS is placed along a network segment or boundary and monitors all traffic on that segment.
Stack-Based IDS: A more recent design that integrates closely with the TCP/IP stack, allowing packets to be inspected as they travel up the protocol layers. The IDS pulls each packet from the stack before the operating system or application has a chance to process it.
Signature-Based IDS (Knowledge-Based IDS): Uses a rule set to identify intrusions by watching for patterns of events specific to known and documented attacks. The information gathered is compared against the attack signatures stored in a database to detect a match. The disadvantage is that if the database is not updated regularly, new attacks slip through.
Anomaly-Based IDS (Behaviour-Based IDS): Examines ongoing traffic, activity, transactions and behaviour in order to identify intrusions by detecting anomalies. The system administrator defines a baseline of normal behaviour (the network's traffic load, its breakdown by protocol, typical packet size, and so on). Anomaly detectors monitor network segments, compare their current state with the defined baseline or threshold, and flag behaviour that deviates from normal. Its weakness is the mirror image of the signature approach: it can catch novel attacks, but also raises false alarms whenever legitimate behaviour changes.
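An added example, not from the original notes, contrasting the two detection approaches on the same traffic. The flow records, the two signatures and the mean-plus-k-sigma packet-size baseline are all constructed for illustration; a real sensor would decode live packets and carry thousands of signatures.

```python
import re
import statistics

# Constructed "normal" HTTP traffic used to train the anomaly baseline.
BASELINE_TRAFFIC = [
    {"src": "10.0.0.5", "dport": 80, "size": s, "payload": "GET /index.html HTTP/1.1"}
    for s in (310, 295, 330, 305, 290, 320, 300, 315)
]

# Constructed traffic to inspect: one benign request, a directory traversal,
# an oversized upload with no known pattern, and a SQL injection attempt.
OBSERVED_TRAFFIC = [
    {"src": "10.0.0.5", "dport": 80, "size": 305, "payload": "GET /about.html HTTP/1.1"},
    {"src": "198.51.100.7", "dport": 80, "size": 340, "payload": "GET /../../etc/passwd HTTP/1.1"},
    {"src": "198.51.100.7", "dport": 80, "size": 4200, "payload": "POST /upload HTTP/1.1 " + "A" * 4000},
    {"src": "203.0.113.9", "dport": 80, "size": 298, "payload": "GET /login?user=admin' OR '1'='1 HTTP/1.1"},
]

# Signature database: (name, pattern). Only what is listed here can be found.
SIGNATURES = [
    ("directory traversal", re.compile(r"\.\./")),
    ("sql injection", re.compile(r"'\s*OR\s*'?1'?\s*=\s*'?1", re.IGNORECASE)),
]

def signature_detect(records):
    """Knowledge-based detection: match each payload against known patterns."""
    alerts = []
    for r in records:
        for name, pattern in SIGNATURES:
            if pattern.search(r["payload"]):
                alerts.append((r["src"], name))
    return alerts

def build_baseline(records, k=3.0):
    """Behaviour-based detection, training step: learn typical packet size."""
    sizes = [r["size"] for r in records]
    return {"mean": statistics.mean(sizes), "sd": statistics.pstdev(sizes), "k": k}

def anomaly_detect(records, baseline):
    """Behaviour-based detection, monitoring step: flag sizes beyond mean + k*sd."""
    threshold = baseline["mean"] + baseline["k"] * baseline["sd"]
    alerts = []
    for r in records:
        if r["size"] > threshold:
            alerts.append((r["src"], f"packet size {r['size']} exceeds baseline threshold {threshold:.0f}"))
    return alerts

if __name__ == "__main__":
    print("signature:", signature_detect(OBSERVED_TRAFFIC))
    print("anomaly:  ", anomaly_detect(OBSERVED_TRAFFIC, build_baseline(BASELINE_TRAFFIC)))
```

Run against the sample, the signature engine finds the traversal and the injection but says nothing about the 4200-byte upload, while the anomaly detector flags only that upload (the traversal request is a normal-sized packet). That is why the two are deployed together.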
Anomaly Detection: One of the earliest approaches, aimed at meeting the requirements described in [Ande1980]. Implementations are statistical or rule-based. Anomaly detection requires little prior knowledge of the monitored system: usage profiles are built automatically from observed behaviour, whether as statistical profiles or as learned models such as neural networks.
Rule-based intrusion detection (RBID)
Analyse historical audit records and automatically generate rules from them. The rules represent past behaviour patterns of users, programs, privileges, time slots, terminals, and so on. Current behaviour is then observed and matched against these rules; activity that fits no rule is reported.
An audit record generally contains the following information: Subject, Action, Object, Exception Condition, Resource Usage, Timestamp.
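Added example (not from the original notes): rule-based detection over audit records with exactly the fields listed above, plus a terminal field, which the RBID description mentions. Profiles are generated from a constructed week of history and then applied to a constructed set of current records in which one account is used at an odd hour from an unfamiliar terminal. The thresholds (one-hour tolerance, four times the past maximum resource usage) are assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime

@dataclass(frozen=True)
class AuditRecord:
    subject: str          # who
    action: str           # what was done
    obj: str              # to what
    exception: str        # "none" or the error raised, e.g. "permission-denied"
    resource_usage: int   # assumed unit for this example: bytes handled
    timestamp: datetime
    terminal: str

def _ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M")

# Constructed historical audit trail: one normal week for two users.
HISTORY = [
    AuditRecord("alice", "read", "/payroll/q1.xls", "none", 20480, _ts("2024-03-04 09:12"), "tty3"),
    AuditRecord("alice", "write", "/payroll/q1.xls", "none", 20480, _ts("2024-03-04 10:40"), "tty3"),
    AuditRecord("alice", "read", "/payroll/q1.xls", "none", 20480, _ts("2024-03-05 09:30"), "tty3"),
    AuditRecord("alice", "execute", "/usr/bin/mail", "none", 1024, _ts("2024-03-06 14:05"), "tty3"),
    AuditRecord("bob", "read", "/src/kernel.c", "none", 8192, _ts("2024-03-04 22:10"), "tty7"),
    AuditRecord("bob", "write", "/src/kernel.c", "none", 8192, _ts("2024-03-05 23:45"), "tty7"),
    AuditRecord("bob", "execute", "/usr/bin/cc", "none", 512, _ts("2024-03-06 21:30"), "tty7"),
]

def generate_rules(history):
    """Derive one profile per subject: which (action, object) pairs, terminals
    and hours of day were seen, and the largest resource usage observed."""
    profiles = defaultdict(lambda: {"ops": set(), "terminals": set(), "hours": set(), "max_usage": 0})
    for r in history:
        p = profiles[r.subject]
        p["ops"].add((r.action, r.obj))
        p["terminals"].add(r.terminal)
        p["hours"].add(r.timestamp.hour)
        p["max_usage"] = max(p["max_usage"], r.resource_usage)
    return dict(profiles)

def check_records(records, profiles):
    """Compare current records with the generated rules; return (subject, reasons)."""
    alerts = []
    for r in records:
        p = profiles.get(r.subject)
        if p is None:
            alerts.append((r.subject, "unknown subject"))
            continue
        reasons = []
        if (r.action, r.obj) not in p["ops"]:
            reasons.append(f"new operation {r.action} on {r.obj}")
        if r.terminal not in p["terminals"]:
            reasons.append(f"unusual terminal {r.terminal}")
        if not any(abs(r.timestamp.hour - h) <= 1 for h in p["hours"]):
            reasons.append(f"unusual hour {r.timestamp.hour:02d}")
        if r.exception != "none":
            reasons.append(f"exception {r.exception}")
        if r.resource_usage > 4 * p["max_usage"]:
            reasons.append(f"resource usage {r.resource_usage} far above past maximum {p['max_usage']}")
        if reasons:
            alerts.append((r.subject, "; ".join(reasons)))
    return alerts

# Constructed current records: alice normal, then alice's account used at
# 02:00 from another terminal to probe /etc/shadow and copy payroll to /tmp,
# and an account the rules have never seen.
CURRENT = [
    AuditRecord("alice", "read", "/payroll/q1.xls", "none", 20480, _ts("2024-03-11 09:05"), "tty3"),
    AuditRecord("alice", "read", "/etc/shadow", "permission-denied", 0, _ts("2024-03-12 02:14"), "pts/9"),
    AuditRecord("alice", "write", "/tmp/payroll.tar", "none", 204800, _ts("2024-03-12 02:20"), "pts/9"),
    AuditRecord("mallory", "read", "/src/kernel.c", "none", 8192, _ts("2024-03-12 03:00"), "pts/9"),
]

if __name__ == "__main__":
    for subject, why in check_records(CURRENT, generate_rules(HISTORY)):
        print(subject, "->", why)
```

The first alice record matches her profile and is silent; the two night-time records each trip several rules at once, which is the masquerader pattern (legitimate credentials, foreign behaviour), and the record for "mallory" has no profile at all.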
Many invaders sneak in with things that one needs (a free computer game, downloads from well-established official websites, etc.). Secure the computer by:
- Password-protecting the computer.
- Installing virus and spyware protection.
- Setting the web browser's security level high.
Follow good e-mail and instant messaging practices:
- Do not open files from strangers.
- Do not give your e-mail or IM address, or personal information, to strangers.
- Do not reply to spam.
- Delete junk e-mail without opening it.
- Do not forward chain e-mail messages.
- Do not reveal personal information on the Internet.
Always be prepared for a disaster:
- Periodically back up important files.
- Install detection and prevention programs.
- Keep an eye out for threats and act quickly to eliminate problems.
Honeypots
The main functions of honeypots:
- Diverting the attacker's attention from the real network, so that the main information resources are not compromised.
- Building attacker profiles.
- Identifying new vulnerabilities and risks of operating systems, environments and programs that are not yet thoroughly understood.
- Capturing new viruses or worms for future study.
Advantages of honeypots:
- Fewer intruders will invade a network designed to monitor and capture their activity in detail.
- An intruder spends his or her energy on a system that causes no harm to production servers.
- A properly designed and configured honeypot provides data on the methods used to attack systems.
- Honeypots can provide valuable information on the patterns used by insiders.
- The bogus data honeypots feed to attackers can confuse and confound them.
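An added example, not from the original notes, of the simplest kind of honeypot: a TCP listener that impersonates a service it does not run, records everything the connecting party sends, and summarises the captures into a per-source attacker profile. The fake SSH banner, the port choice and the simulated attacker are constructed for this example; the demo binds to loopback on an ephemeral port so it runs offline.

```python
import socket
import threading
import time
from datetime import datetime, timezone

# Assumed bait: the honeypot claims to be an old OpenSSH it does not run.
FAKE_BANNER = b"SSH-2.0-OpenSSH_7.4\r\n"

class Honeypot:
    """Listens on one TCP port, answers with a bogus banner, and records what
    each connecting party sends so an attacker profile can be built."""

    def __init__(self, host="127.0.0.1", port=0):
        self.sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self.sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        self.sock.bind((host, port))
        self.sock.listen(5)
        self.port = self.sock.getsockname()[1]
        self.log = []                       # one entry per connection
        self._lock = threading.Lock()
        self._stop = threading.Event()
        self._thread = threading.Thread(target=self._serve, daemon=True)

    def start(self):
        self._thread.start()
        return self

    def _serve(self):
        self.sock.settimeout(0.2)           # wake up regularly to check for stop()
        while not self._stop.is_set():
            try:
                conn, addr = self.sock.accept()
            except socket.timeout:
                continue
            threading.Thread(target=self._handle, args=(conn, addr), daemon=True).start()

    def _handle(self, conn, addr):
        entry = {"peer": addr[0], "port": addr[1],
                 "time": datetime.now(timezone.utc).isoformat(), "data": b""}
        try:
            conn.sendall(FAKE_BANNER)
            conn.settimeout(1.0)
            while len(entry["data"]) < 4096:   # cap what one session can make us store
                chunk = conn.recv(1024)
                if not chunk:
                    break
                entry["data"] += chunk
        except (socket.timeout, OSError):
            pass
        finally:
            conn.close()
        with self._lock:
            self.log.append(entry)

    def stop(self):
        self._stop.set()
        self._thread.join()
        self.sock.close()

    def profile(self):
        """Summarise captured activity per source address."""
        summary = {}
        with self._lock:
            for e in self.log:
                s = summary.setdefault(e["peer"], {"connections": 0, "bytes": 0, "first_lines": []})
                s["connections"] += 1
                s["bytes"] += len(e["data"])
                first = e["data"].split(b"\n", 1)[0].decode("latin-1", "replace").strip()
                if first:
                    s["first_lines"].append(first)
        return summary

def simulate_attacker(port, payload=b"SSH-2.0-libssh_0.9\r\nroot:toor\r\n"):
    """Constructed stand-in for an attacker's client: read banner, send a probe."""
    with socket.create_connection(("127.0.0.1", port), timeout=2) as c:
        banner = c.recv(1024)
        c.sendall(payload)
    return banner

def demo():
    hp = Honeypot().start()
    banner = simulate_attacker(hp.port)
    for _ in range(50):                     # give the handler a moment to log the session
        if hp.log:
            break
        time.sleep(0.05)
    hp.stop()
    return banner, hp.profile()

if __name__ == "__main__":
    print(demo())
```

Nothing here is a real service, so any connection at all is suspect and the captured first line already tells you which client software the visitor is using.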
Honeynet
A honeynet is placed behind an entity called a honeywall. The honeywall separates the honeynet from the Internet such that all inbound and outbound traffic has to flow through it, which is where it is logged and where outbound attacks from compromised honeypots are contained.
Advantages of honeynets:
- Spam traps (not to be confused with e-mail spam-trap addresses): catch spammers trying to abuse open services such as an HTTP proxy or a misconfigured SMTP relay.
- Security research: learn how and why systems are attacked.
- Security mitigation: use the honeynet as a platform to divert attackers from other systems.
Padded Cells
Instead of trying to attract attackers with tempting data, a padded cell waits for an attacker to be detected and then seamlessly transfers him/her to a special padded cell host. The attacker, not realizing what has happened, lands in a simulated environment where no harm can be caused. Like the honeypot, this simulated environment can be filled with interesting data to convince an attacker that the attack is going as planned.
Footprinting
Footprinting is the blueprinting of an organisation's security profile, undertaken in a methodical manner. Web scanners can be used to collect footprints.
Fingerprinting
Fingerprinting is the process of accumulating data regarding a specific network environment, usually for the purpose of finding ways to intrude into it; in practice this means identifying the operating systems, services and versions in use.
Port Scanners
Port scanning is the process of connecting to TCP and UDP ports in order to find out which services and applications are running on the target device. Scanning tools can perform targeted scans of specific ports or generic sweeps of whole ranges.
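An added example, not from the original notes, of a TCP connect scanner: it completes the three-way handshake to each port, classifies the outcome as open, closed (connection refused) or filtered (no answer), and grabs the service banner where one is sent. The fake SMTP service and the port-specification syntax are assumptions made so the scan runs against loopback offline; the parser accepts nmap-style lists and ranges.

```python
import socket
import threading
from concurrent.futures import ThreadPoolExecutor

def probe_tcp(host, port, timeout=0.5):
    """Full TCP connect to one port. Returns (port, state, banner)."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.settimeout(timeout)
            try:
                banner = s.recv(256)
            except socket.timeout:
                banner = b""
            return port, "open", banner.decode("latin-1", "replace").strip()
    except ConnectionRefusedError:
        return port, "closed", ""          # RST came back: nothing listening
    except (socket.timeout, OSError):
        return port, "filtered", ""        # no answer: dropped by a firewall, or host down

def scan(host, ports, workers=50):
    """Scan the given ports concurrently; returns {port: (state, banner)}."""
    with ThreadPoolExecutor(max_workers=workers) as pool:
        results = list(pool.map(lambda p: probe_tcp(host, p), ports))
    return {port: (state, banner) for port, state, banner in results}

def parse_port_spec(spec):
    """Parse '22,80,8000-8010' into a sorted list of ports."""
    ports = set()
    for part in spec.split(","):
        part = part.strip()
        if "-" in part:
            lo, hi = part.split("-", 1)
            ports.update(range(int(lo), int(hi) + 1))
        elif part:
            ports.add(int(part))
    bad = [p for p in ports if not 1 <= p <= 65535]
    if bad:
        raise ValueError(f"port out of range: {bad}")
    return sorted(ports)

def start_fake_service(banner=b"220 mail.example.test ESMTP\r\n"):
    """Constructed local listener so the scan can run offline; returns (socket, port)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    port = srv.getsockname()[1]

    def serve():
        srv.settimeout(3)
        try:
            while True:
                conn, _ = srv.accept()
                conn.sendall(banner)
                conn.close()
        except OSError:                    # timeout or socket closed by demo()
            pass

    threading.Thread(target=serve, daemon=True).start()
    return srv, port

def demo():
    """Scan one open and one closed loopback port and return the results."""
    srv, open_port = start_fake_service()
    tmp = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    tmp.bind(("127.0.0.1", 0))
    closed_port = tmp.getsockname()[1]     # freed again below, so nothing listens on it
    tmp.close()
    results = scan("127.0.0.1", [open_port, closed_port])
    srv.close()
    return results, open_port, closed_port

if __name__ == "__main__":
    res, o, c = demo()
    for p in (o, c):
        print(p, *res[p])
```

A connect scan is noisy (every open port sees a completed connection in its logs), which is exactly what the IDS sections above are built to notice; stealthier SYN scans need raw sockets and privileges and are out of scope here.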
Packet Sniffers
A packet sniffer, or network protocol analyser, is a tool that collects copies of packets from the network (usually by putting an interface into promiscuous mode) and decodes them. It provides a network administrator with valuable information for diagnosing and resolving networking issues; in an attacker's hands the same tool captures credentials sent in the clear.
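An added example, not from the original notes, of the decoding half of a sniffer: walking Ethernet, IPv4 and TCP headers with struct and verifying the IP checksum, the way a protocol analyser renders a captured frame. Capturing live traffic needs raw sockets and privileges, so the frame is constructed in the block (a PSH/ACK carrying an HTTP request between two documentation addresses) and then decoded.

```python
import socket
import struct

def ip_checksum(header):
    """RFC 1071 one's-complement sum over 16-bit words; 0 means a header verifies."""
    if len(header) % 2:
        header += b"\0"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def build_sample_frame():
    """Construct one Ethernet/IPv4/TCP frame so the decoder can be exercised offline."""
    payload = b"GET / HTTP/1.0\r\n\r\n"
    src_ip, dst_ip = "192.0.2.10", "198.51.100.20"
    # TCP: sport, dport, seq, ack, data offset (5 words) << 4, flags PSH|ACK, window, checksum, urgent
    tcp = struct.pack("!HHIIBBHHH", 40112, 80, 1000, 0, 5 << 4, 0x18, 65535, 0, 0)
    # IPv4: version/IHL, TOS, total length, id, flags/fragment (DF), TTL, proto 6 = TCP, checksum, src, dst
    total_len = 20 + len(tcp) + len(payload)
    ip_no_ck = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0x1234, 0x4000, 64, 6, 0,
                           socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    ip = ip_no_ck[:10] + struct.pack("!H", ip_checksum(ip_no_ck)) + ip_no_ck[12:]
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + struct.pack("!H", 0x0800)
    return eth + ip + tcp + payload

def decode_frame(frame):
    """Decode Ethernet -> IPv4 -> TCP into the fields a sniffer displays.
    Non-IPv4 or non-TCP frames come back partially decoded; truncated ones raise."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    dst_mac, src_mac, ethertype = struct.unpack("!6s6sH", frame[:14])
    out = {"src_mac": src_mac.hex(":"), "dst_mac": dst_mac.hex(":"), "ethertype": ethertype}
    if ethertype != 0x0800:
        return out
    ip = frame[14:]
    if len(ip) < 20:
        raise ValueError("truncated IPv4 header")
    ver_ihl, _tos, total_len, _ident, _ff, ttl, proto, _ck, src, dst = struct.unpack("!BBHHHBBH4s4s", ip[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ihl < 20 or len(ip) < ihl:
        raise ValueError("bad IPv4 header")
    out.update({"src_ip": socket.inet_ntoa(src), "dst_ip": socket.inet_ntoa(dst), "ttl": ttl,
                "proto": proto, "ip_checksum_ok": ip_checksum(ip[:ihl]) == 0})
    if proto != 6:
        return out
    tcp = ip[ihl:total_len]
    if len(tcp) < 20:
        raise ValueError("truncated TCP header")
    sport, dport, seq, _ack, off_res, flags, _win, _tck, _urg = struct.unpack("!HHIIBBHHH", tcp[:20])
    doff = (off_res >> 4) * 4
    flag_names = [n for bit, n in ((0x02, "SYN"), (0x10, "ACK"), (0x08, "PSH"),
                                   (0x01, "FIN"), (0x04, "RST"), (0x20, "URG")) if flags & bit]
    out.update({"sport": sport, "dport": dport, "seq": seq, "flags": flag_names, "payload": tcp[doff:]})
    return out

if __name__ == "__main__":
    for k, v in decode_frame(build_sample_frame()).items():
        print(f"{k:>15}: {v}")
```

The length checks at every layer are not decoration: a sniffer is fed whatever arrives on the wire, and a decoder that trusts the IHL or data-offset fields without bounds checks is itself an attack surface.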