
Chapter 12

Intruders

Computer security: detecting and preventing unauthorised use of a computer system. Security is a process, not a product.

An intruder typically:
- watches our system
- gains control of it
- uses it to attack other systems

Intruder types
- Human: gains unauthorised access
- Program: secretly invades the system

Three classes of intruders
- Misfeasor: a legitimate user who accesses a resource he or she is not authorised for. Example: A keeps a patent drawing in his machine account and mails it to a competitor.
- Masquerader: an outsider who penetrates the system. Example: A steals B's ID and password and uses them to access the system.
- Clandestine user: seizes supervisory control and prevents detection. Example: A identifies a security loophole and obtains administrative privileges.

First intrusion report: 1992. Two types of attackers:
- sophisticated hackers with good knowledge of the system
- "foot soldiers" with spare time, attacking computers identified as weakly secured

Attacks:
- Passive: the information flow is monitored
- Active: information is altered, corrupted or destroyed

Most attacks use automated tools and come from hackers with ill intentions.

Intrusion types

Intrusion Techniques
There are many ways to gain access to a system, even when working remotely. The primary ways an attacker can get in are:
- Physical intrusion: assumes the attacker has physical access to the machine.
- System intrusion: assumes the attacker already has a low-privilege user account on the system.
- Remote intrusion: the attacker has no special privilege and attempts to break into the system remotely across the network.

Protecting Against Intruders


Password Protection
Usually the user password or the password file is essential to an intrusion, so the password file must be protected:
- One-way encryption (a one-way hash): the system stores only a one-way transformed form of each user's password, and compares it with the transformed output of the presented password; the plaintext is never stored.
- Access control: access to the password file is limited to one or a very few accounts.

Techniques for cracking passwords


- Try default passwords used for standard accounts.
- Exhaustively try all short passwords (those of one to three characters).
- Collect information about users and try:
  - a row of letters from the QWERTY keyboard: qwerty, qwertyuiop
  - the user's name or login name
  - the name of a friend, relative or pet
  - the birthplace or date of birth of friends or relatives
  - their automobile license plate number
  - their office number, residence number or mobile number
  - the name of a celebrity they like
- Use a Trojan horse.
- Tap the line between the remote user and the host system.
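The following is an added example, not code from the original slides: it builds a UNIX-style password file whose entries are salted, iterated one-way hashes (the protection scheme described above), then runs two of the cracking techniques from the list against it: guessing from a word list of defaults, login names and facts collected about the users, and exhaustively trying all short passwords. The user names, passwords, word list and the tiny iteration count are constructed assumptions for the demo.

```python
# Added example (not from the original slides). A UNIX-style password file
# whose entries are salted, iterated one-way hashes, and the two cracking
# techniques from the list above run against it: guessing from a word list
# (defaults, login names, pet names) and exhaustively trying all short passwords.
# User names, passwords and the word list are constructed for the demo.
import hashlib
import hmac
import itertools
import os
import string
from typing import Dict, Iterable, Optional

# Deliberately tiny so the exhaustive search finishes in seconds; a real
# system uses a work factor many orders of magnitude higher.
ITERATIONS = 100


def make_entry(password: str, salt: Optional[bytes] = None) -> str:
    """Build a 'salt$hash' entry the way a shadow file stores it.

    The salt makes two users with the same password hash differently,
    so a precomputed table of hashes cannot be reused across accounts.
    """
    salt = salt if salt is not None else os.urandom(8)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"{salt.hex()}${digest.hex()}"


def verify(entry: str, candidate: str) -> bool:
    """Re-hash the candidate under the stored salt and compare in constant time."""
    salt_hex, digest_hex = entry.split("$")
    digest = hashlib.pbkdf2_hmac("sha256", candidate.encode(),
                                 bytes.fromhex(salt_hex), ITERATIONS)
    return hmac.compare_digest(digest.hex(), digest_hex)


def dictionary_attack(entry: str, words: Iterable[str]) -> Optional[str]:
    """Technique 1: try default passwords and words gathered about the user."""
    for word in words:
        if verify(entry, word):
            return word
    return None


def short_exhaustive_attack(entry: str, max_len: int = 3,
                            alphabet: str = string.ascii_lowercase) -> Optional[str]:
    """Technique 2: exhaustively try every password of 1..max_len characters."""
    for length in range(1, max_len + 1):
        for combo in itertools.product(alphabet, repeat=length):
            guess = "".join(combo)
            if verify(entry, guess):
                return guess
    return None


def crack_file(shadow: Dict[str, str], words: Iterable[str]) -> Dict[str, Optional[str]]:
    """Run both techniques against every entry; None means the password survived."""
    words = list(words)
    results = {}
    for user, entry in shadow.items():
        results[user] = dictionary_attack(entry, words) or short_exhaustive_attack(entry)
    return results


# Constructed sample password file.
SHADOW = {
    "alice": make_entry("fluffy"),          # pet's name: falls to the word list
    "bob": make_entry("cat"),               # three lowercase letters: falls to exhaustive search
    "carol": make_entry("Tr0ub4dor&3x9"),   # long, mixed character classes: survives both
}
# Constructed word list: defaults, login names and facts collected about the users.
WORDLIST = ["password", "admin", "123456", "letmein", "qwerty", "alice", "bob", "fluffy"]

if __name__ == "__main__":
    for user, found in crack_file(SHADOW, WORDLIST).items():
        print(f"{user}: {'cracked -> ' + found if found else 'not cracked'}")
```

Two things to notice when running it: the salt makes `make_entry("same")` differ on every call, so a table precomputed for one account is useless against another, and the only entry that survives is the long one with mixed character classes, because the exhaustive search is bounded by length and the word list by what the attacker knows about the user. The iteration count is the other lever: with a realistic work factor each of the roughly 18,000 guesses needed for the three-letter search costs far more than the 100 iterations used here.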

The Vulnerability of Passwords


Different ways by which a person can prove his or her identity:
- Providing something they know (a password).
- Providing something they have in their possession (such as an ID card).
- Providing something they are (a physiological characteristic such as a fingerprint).
- Providing something they do (speaking, for voice pattern analysis).

Exploitation of weak passwords: Left to their own devices, users often choose easy passwords. An intruder who knows something about the user may be able to guess the password easily. Use of any word that is in a dictionary creates vulnerability, because brute-force methods and dictionary attacks can crack it.

Exploitation of user behaviour: If the password is more complex (a random combination of letters and numbers), the user may have trouble remembering it, which may lead to writing it down. Careless users keep them in prominent places such as a desk drawer or even on a sticky note stuck to the monitor. Even when users exercise reasonable diligence, hackers can often use social engineering to persuade users to divulge their passwords by posing as tech support or administrative staff.

Capture of credentials in transit: Even when strong passwords are used and users keep the passwords to themselves, intruders may be able to capture the credentials when they are sent across the network if sufficient security measures are not in place to prevent this.

Password Selection Strategies


- User education
- Computer-generated passwords
- Reactive password checking
- Proactive password checking

Strong Passwords
- Make it lengthy.
- Combine letters, numbers and symbols. The fewer the types of characters in a password, the longer it must be.
- Use the entire keyboard.
- Avoid sequences or repeated characters.
- Avoid using the login name.
- Avoid dictionary words in any language.
- Use more than one password; do not reuse the same one everywhere.
- Avoid online storage of passwords.
- Change passwords regularly.
- Do not reveal them to others.
- Protect any recorded passwords.
- Never provide a password over e-mail or in response to an e-mail request.
- If a password is stolen, notify the authorities as quickly as possible.

UNIX Password Scheme

Intrusion Detection and Prevention

The firewall provides security by allowing only specific services (determined by policy) through it. An intrusion detection system (IDS), on the other hand, detects whether someone tries to break in through the firewall, or manages to get past it and tries to access a system on the trusted side, and alerts the system administrator when there is a security violation. An intrusion prevention system (IPS) is the latest in a line of products created to counter network attacks.

History

1980: James Anderson's paper "Computer Security Threat Monitoring and Surveillance" gave birth to the notion of intrusion detection.
1983: Dr. Dorothy Denning worked on a government project that launched a new effort into intrusion detection development.
1984: Dr. Denning published the decisive work "An Intrusion Detection Model", which included means of tracking and analyzing audit data.
1988: An IDS for the US Air Force was developed.
1989: Host-based intrusion detection technologies were introduced.
1990s: UC Davis's Todd Heberlein introduced the idea of network intrusion detection.
1994: Commercial development of intrusion detection technologies; NetRanger was the first commercially viable network intrusion detection device.
1997: RealSecure IDS was released.
1999: IDS was amongst the top-selling security vendor technologies. Emergence of active IDS.
2000s: Intrusion detection and prevention (IDP). Intrusion prevention systems (IPS). Convergence of technologies (firewall + IDP + antivirus). Appliances and security switches.

Types of Intrusion Detection Systems


Host-Based IDS: A host agent monitors system logs for evidence of malicious or suspicious application activity in real time. Careful consideration is required to ensure that host performance is not degraded. A host-based IDS requires small programs (agents) to be installed on each system to be monitored. The agents supervise the operating system and write data to log files and/or raise alarms. A host-based IDS can only monitor the hosts on which the agents are installed; it does not monitor the entire network.

Network-Based IDS: It consists of a network appliance/sensor with a network interface card operating in promiscuous mode and a separate management interface. This IDS is placed along a network segment or boundary and monitors all traffic on that segment.

Stack-Based IDS: Of more recent origin, it integrates closely with the TCP/IP stack, allowing packets to be watched as they traverse the OSI layers. The IDS pulls the packet from the stack before the operating system or application has a chance to process it.

Signature-Based IDS (Knowledge-Based IDS): A signature-based IDS uses a rule set to identify intrusions by watching for patterns of events specific to known and documented attacks. It compares the information gathered against those attack signatures (stored in a database) to detect a match. The disadvantage of this type of IDS is that if the database is not updated regularly, new attacks slip through.

Anomaly-Based IDS (Behaviour-Based IDS): An anomaly-based IDS examines ongoing traffic, activity, transactions and behaviour in order to identify intrusions by detecting anomalies. The system administrator defines the baseline of normal behaviour (the network's traffic load, its breakdown by protocol, typical packet size, etc.). Anomaly detectors monitor network segments, compare their state with the defined baseline/threshold, and look for current behaviour that deviates from normal.

Intrusion Detection Techniques


Threshold detection
Count the number of occurrences of a specific event type over an interval of time; if the count exceeds a threshold, an intrusion is assumed. Because behaviour varies a lot across users, a single fixed threshold produces many false positives and false negatives.

Anomaly Detection: This is one of the earliest approaches that try to meet the requirements described in [Ande1980]. Implementations of this approach are realized in statistical or rule-based forms. Anomaly detection requires little knowledge of the actual system beforehand: usage patterns are established automatically, for example by statistical profiling or by neural networks.

Rule-based detection (RBID)
Analyze historical audit records to generate rules automatically. The rules represent past behaviour patterns of users, programs, privileges, time slots, terminals, and so on. Current behaviour is then observed and checked against the rules.

Two major approaches to RBID:
- State-based
- Model-based

Intrusion Detection: The Traditional Way


Traditional intrusion detection systems are rule-based and use signatures to identify attacks in network traffic. The method comprises storing signature profiles, identifying patterns associated with network intrusions in a signature database, and generating classification rules based on the signature profiles. Data packets transmitted on the network are classified according to the classification rules. Classified packets are then forwarded to a signature engine for comparison with the signature profiles. Performing all of these steps is time consuming.
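As an added example (not code from the original slides) of the signature-based pipeline described here and under "Signature-Based IDS" above, the block below reduces the classify-then-match method to a few lines: packets are first classified by protocol and destination port, then compared only against the signatures stored for that class. The signature IDs, patterns and packets are constructed for the demo and are not taken from any real IDS rule set.

```python
# Added example (not from the original slides): the traditional signature-based
# pipeline, reduced to its essentials. Packets are classified by protocol and
# destination port, then compared only against the signatures for that class.
# Signatures, IDs and packets are constructed for the demo.
import re
from collections import defaultdict
from typing import Dict, Iterable, List, Pattern, Tuple

Signature = Tuple[str, str, str, int, Pattern[bytes]]   # id, name, proto, dport, pattern
Packet = Tuple[int, str, int, bytes]                     # id, proto, dport, payload

# Constructed signature database.
SIGNATURES: List[Signature] = [
    ("SIG-001", "directory traversal", "tcp", 80, re.compile(rb"\.\./")),
    ("SIG-002", "SQL injection tautology", "tcp", 80,
     re.compile(rb"'\s*or\s*'1'\s*=\s*'1", re.I)),
    ("SIG-003", "sensitive file request", "tcp", 80, re.compile(rb"/etc/(passwd|shadow)")),
    ("SIG-004", "telnet root login", "tcp", 23, re.compile(rb"^login:\s*root", re.I | re.M)),
]

# Constructed packets captured on the monitored segment.
PACKETS: List[Packet] = [
    (1, "tcp", 80, b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n"),
    (2, "tcp", 80, b"GET /../../etc/passwd HTTP/1.1\r\nHost: www.example.com\r\n\r\n"),
    (3, "tcp", 80, b"POST /login HTTP/1.1\r\n\r\nuser=admin' OR '1'='1&pass=x"),
    (4, "tcp", 22, b"SSH-2.0-OpenSSH_9.3\r\n"),
    (5, "udp", 53, b"\x12\x34\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00"),
]


def build_classification_rules(signatures: Iterable[Signature]) -> Dict[Tuple[str, int], List[Signature]]:
    """The classification rules: index signatures by (protocol, destination port)."""
    index = defaultdict(list)
    for sig in signatures:
        index[(sig[2], sig[3])].append(sig)
    return index


def signature_engine(packets: Iterable[Packet],
                     signatures: List[Signature]) -> Tuple[List[Tuple[int, str, str]], int, int]:
    """Classify each packet, then match it against its class's signatures only.

    Returns (matches, comparisons made, comparisons a naive all-against-all
    engine would have made).
    """
    rules = build_classification_rules(signatures)
    packets = list(packets)
    matches = []
    compared = 0
    for pid, proto, dport, payload in packets:
        for sig_id, name, _proto, _port, pattern in rules.get((proto, dport), []):
            compared += 1
            if pattern.search(payload):
                matches.append((pid, sig_id, name))
    naive = len(packets) * len(signatures)
    return matches, compared, naive


if __name__ == "__main__":
    found, compared, naive = signature_engine(PACKETS, SIGNATURES)
    for pid, sig_id, name in found:
        print(f"packet {pid}: {sig_id} ({name})")
    print(f"{compared} signature comparisons instead of {naive}")
```

Classification is what keeps the time cost bounded: here nine comparisons replace twenty, and the SSH and DNS packets are never touched by the HTTP signatures. The same property is the weakness the text notes: a request that encodes the traversal as `%2e%2e/` matches none of these patterns, which is why real engines normalise the payload before matching, and anything without a signature (packet 5's DNS query included) passes silently until the database is updated.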

Intrusion Detection: The Statistical Way


A statistics-based intrusion detection system (SBID) establishes a performance baseline from evaluations of normal network traffic. The anomaly detector within the IDS then monitors the network and compares its state to that baseline. If anomalies are discovered, a trigger results and a report is generated.
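The following is an added example, not code from the original slides, of the baseline-and-compare approach described here and under "Anomaly-Based IDS" above: a baseline of per-minute traffic features (bytes and new connections on a segment) is fitted from normal samples, and fresh observations are scored by how many standard deviations they sit from the mean. The measurements and the 3-sigma threshold are constructed assumptions.

```python
# Added example (not from the original slides): a statistical baseline for two
# per-minute traffic features (bytes and new connections), then z-score
# comparison of fresh observations against it. The measurements are constructed.
import statistics
from typing import Dict, List, Tuple

Observation = Dict[str, float]

# Constructed baseline: ten one-minute samples of normal traffic on a segment.
BASELINE: List[Observation] = [
    {"bytes": 1100, "conns": 10}, {"bytes": 1250, "conns": 12},
    {"bytes": 1180, "conns": 11}, {"bytes": 1320, "conns": 9},
    {"bytes": 1200, "conns": 13}, {"bytes": 1270, "conns": 10},
    {"bytes": 1150, "conns": 12}, {"bytes": 1230, "conns": 11},
    {"bytes": 1290, "conns": 10}, {"bytes": 1210, "conns": 12},
]

# Constructed live observations: normal, a data burst, a connection burst (scan-like).
OBSERVED: List[Observation] = [
    {"bytes": 1300, "conns": 12},
    {"bytes": 9800, "conns": 11},
    {"bytes": 1250, "conns": 95},
]


class Baseline:
    """Mean and standard deviation per feature, learned from normal samples."""

    def __init__(self, samples: List[Observation]):
        self.stats: Dict[str, Tuple[float, float]] = {}
        for feature in samples[0]:
            values = [s[feature] for s in samples]
            mean = statistics.fmean(values)
            stdev = statistics.pstdev(values)
            # A feature that never varied in training has no spread to score
            # against; use a tiny floor instead of dividing by zero.
            self.stats[feature] = (mean, stdev if stdev > 0 else 1e-9)

    def zscore(self, feature: str, value: float) -> float:
        mean, stdev = self.stats[feature]
        return (value - mean) / stdev

    def anomalies(self, observed: List[Observation],
                  threshold: float = 3.0) -> List[Tuple[int, str, float]]:
        """Return (sample index, feature, z) for every feature beyond the threshold."""
        out = []
        for i, obs in enumerate(observed):
            for feature, value in obs.items():
                z = self.zscore(feature, value)
                if abs(z) > threshold:
                    out.append((i, feature, round(z, 1)))
        return out


if __name__ == "__main__":
    baseline = Baseline(BASELINE)
    for i, feature, z in baseline.anomalies(OBSERVED):
        print(f"minute {i}: {feature} deviates by {z} standard deviations -> trigger")
```

The first observation scores roughly one standard deviation on both features and stays quiet; the second trips on bytes alone and the third on connections alone, which is the pattern a port scan leaves. The caveat a practitioner adds is that the baseline is only as honest as its training window: fit it while an attacker is already active and that activity becomes "normal", and fit it on a Monday morning and Friday's backup run will trigger every week.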

Tools for Intrusion Detection


A fundamental tool for intrusion detection is the audit record. Two kinds are used:
- Native audit records
- Detection-specific audit records

Contents of an audit record. An audit record generally contains the following information: subject, action, object, exception condition, resource usage, timestamp.

Evaluating Efficiency of IDS


Parameters for evaluation:
- Accuracy
- Performance
- Completeness

How to Prevent Intrusion?


Keep eyes open and mind alert. Be watchful of the problems that spyware and other hidden attackers can cause to computer files. If the computer is acting strangely, it might have an intruder. Some of the most common symptoms are:
- The computer takes a long time to start up or shut down.
- The computer is running very slowly, or slower than normal.
- The computer crashes and restarts every few minutes.
- The computer does not play DVDs or find drives.
- Accessories such as printers and scanners do not work properly.
- Strange error messages, menus or dialog boxes appear on the screen.
- The default home page has been changed by the invader.

The common ways by which invaders arrive are:
- With downloaded software such as games, icons or screen savers.
- With toolbar or pop-up programs such as weather or news alert boxes.

Many invaders sneak in with things that one needs (a free computer game, downloads from well-established official websites, etc.).

Secure the computer by:
- Password-protecting the computer.
- Installing virus and spyware protectors.
- Setting the security of the web browser to a high level.

Follow good e-mail and instant messaging practices, such as:
- Do not open files from strangers.
- Do not give your e-mail or IM address or personal information to strangers.
- Do not reply to spam.
- Delete junk e-mails without opening them.
- Do not forward chain e-mail messages.
- Do not reveal personal information on the Internet.

Always be prepared for a disaster:
- Periodically back up important files.
- Install detection and prevention programs.
- Keep an eye out for threats and act quickly to eliminate problems.

Need for IPS


One needs an IPS to:
- Trap undesirable elements that manage to make their way through firewalls.
- Lessen DoS attacks.
- Build more security into the core of the network.

Distributed Intrusion Detection

Honeypots
The main functions of honeypots:
- Diverting the attention of the attacker from the real network, so that the main information resources are not compromised.
- Building attacker profiles.
- Identifying new vulnerabilities and risks of various operating systems, environments and programs that are not thoroughly identified at the moment.
- Capturing new viruses or worms for future study.

Advantages of honeypots:
- Fewer intruders will invade a network designed to monitor and capture their activity in detail.
- An intruder will spend his or her energy on a system that causes no harm to production servers.
- A properly designed and configured honeypot provides data on the methods used to attack systems.
- Honeypots can provide valuable information on the patterns used by insiders.
- The bogus data honeypots provide to attackers can confuse and confound them.

Honeynet
A honeynet is placed behind an entity called a honeywall. The honeywall separates the honeynet from the Internet such that all inbound and outbound traffic has to flow through it.

Advantages of honeynets:
- Spam traps (not to be confused with an e-mail spam-trap address): catch spammers trying to use open services, such as open HTTP proxies or misconfigured mail relays.
- Security research: enables one to learn how and why systems are attacked.
- Security mitigation: allows use of the honeynet as a platform to divert attackers from other systems.

Padded Cells
Instead of trying to attract attackers with tempting data, a padded cell waits for an attacker to be detected and then seamlessly transfers him/her to a special padded cell host. The attacker, not realizing what has happened, lands in a simulated environment where no harm can be caused. Like the honeypot, this simulated environment can be filled with interesting data to convince an attacker that the attack is going as planned.

Scanning and Analysis Tools


Scanner and analysis tools are useful in finding vulnerabilities in systems, holes in security components, and unsecured aspects of the network. Scanning tools are typically used as part of an attack protocol to collect information that an attacker would need to launch a successful attack.

Footprinting
This is the blueprinting of the security profile of an organization, undertaken in a methodological manner. Web scanners can be used to collect footprints.

Fingerprinting
It is the process of accumulating data regarding a specific network environment, usually for the purpose of finding ways to intrude into the environment.

Port Scanners
Port scanning is the process of connecting to TCP and UDP ports for the purpose of finding what services and applications are running on the target device. These tools are capable of performing specific or generic scans.
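The following added example (not code from the original slides, and not any real scanner's source) implements the TCP side of what is described here: a connect scan that reports which ports answer and grabs whatever banner the service volunteers, which is how a scanner learns what is running. To keep the demo offline it starts its own throw-away listener on the loopback interface; that listener, its banner text and the port range are constructed for the demo.

```python
# Added example (not from the original slides): a TCP connect scanner with
# banner grabbing, run against a throw-away listener started on the loopback
# interface so the demo works offline. The banner text is made up.
import socket
import threading
from concurrent.futures import ThreadPoolExecutor
from typing import Dict, Iterable, Optional, Tuple


def start_listener(banner: bytes = b"SSH-2.0-demo_0.1\r\n") -> Tuple[socket.socket, int]:
    """Start a background TCP service on an OS-chosen loopback port (demo target)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(8)
    port = srv.getsockname()[1]

    def serve() -> None:
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:          # listener was closed
                return
            with conn:
                try:
                    conn.sendall(banner)
                except OSError:
                    pass

    threading.Thread(target=serve, daemon=True).start()
    return srv, port


def probe(host: str, port: int, timeout: float = 0.5) -> Tuple[int, Optional[str]]:
    """Full TCP connect; on success read whatever the service volunteers.

    Returns (port, None) if closed/filtered, (port, banner) if open, where the
    banner is '' for services that wait for the client to speak first.
    """
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        if s.connect_ex((host, port)) != 0:
            return port, None
        try:
            banner = s.recv(256).decode("ascii", errors="replace").strip()
        except (socket.timeout, OSError):
            banner = ""
        return port, banner


def scan(host: str, ports: Iterable[int], timeout: float = 0.5,
         workers: int = 32) -> Dict[int, str]:
    """Return {open_port: banner} for the given ports, probing concurrently."""
    with ThreadPoolExecutor(max_workers=workers) as pool:
        results = list(pool.map(lambda p: probe(host, p, timeout), ports))
    return {port: banner for port, banner in results if banner is not None}


if __name__ == "__main__":
    srv, port = start_listener()
    try:
        for open_port, banner in scan("127.0.0.1", range(port - 2, port + 3)).items():
            print(f"{open_port}/tcp open  {banner or '(no banner)'}")
    finally:
        srv.close()
```

A connect scan completes the three-way handshake, so every probe lands in the target's logs and on any host-based IDS; that visibility is the reason attackers prefer half-open or slower scans, and the reason a threshold detector counting connection attempts per source catches the noisy version. UDP ports need a different approach because a silent port is indistinguishable from a filtered one without ICMP feedback.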

Firewall Analysis Tools


They automate the remote discovery of firewall rules and assist the administrator in analyzing them to determine exactly what they allow and what they reject.

Packet Sniffers
A packet sniffer, or network protocol analyzer, is a network tool that collects copies of packets from the network and analyzes them. They provide a network administrator with valuable information for diagnosing and resolving networking issues.
