Exam
● On May 15, at 10:30am in this room
● Two hour exam
● Open notes
● Will mostly cover material since Exam 2
● No, you may not take it early.
Intrusion Detection
● We have discussed the Security "Life Cycle"
  ● Maintain: keep your system secure and up to date
  ● Detect: detect an attack
  ● Recover: repair damage from the attack and restore the system to working order.
Intrusion Detection
● We have spent a lot of time dealing with
  ● Types of attacks
  ● How to help secure systems against attack
● We have spent some time on the issue of backups
  ● The simplest and most cost-effective solution to restoration at your level
● We need to talk about the issue of detecting attacks.
Intrusion Detection -- Baselining
● The most important concept in ID is baselining
  ● We need to know what our system looks like ordinarily, so we can notice that something extraordinary has happened
● We do this by making a record of the normal state of our system
  ● Configuration files
  ● Network traffic
  ● Data files
  ● . . .
Defenses
● Last week we divided our defenses into three groups
  ● Network defenses – perimeter defenses
  ● Host defenses
  ● Data defenses
Defenses
● We will continue our discussion by talking about ways to detect breaches on these various levels
Network Defenses
● Network defenses protect our LAN from attacks outside our LAN
● Defenses are usually implemented by a boundary router or a personal router providing the following services
  ● Firewall
  ● NAT
  ● Possibly DHCP
Traffic Analysis
● We typically detect that an intruder has gotten into our local net by doing traffic analysis
  ● We look at the kinds of packets on our net
    ● What protocols or applications generate them
    ● How heavy is the traffic on the network
    ● How much traffic does each host generate
    ● Anything else we can grab
● We make a record of normal behavior (baselining) and we look for unusual activity
Traffic Analysis
● Port scanning
  ● Easy to detect, if carelessly done
  ● Look for someone looking at a lot of ports on the same host.
● Increased traffic
  ● Hosts that have been taken over as zombies can generate greater than normal traffic
Traffic Analysis
● Looking for specific kinds of packets
  ● Packets that carry worms can have a signature
    ● Similar to the signature of a file that has a virus
  ● This signature can be detected
  ● Sometimes, attack packets have header information that can be looked for.
● Any unusual activity
  ● Could indicate an attack
  ● Could simply indicate a hardware or software problem.
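The three traffic-analysis checks described on the last two slides (many ports on one host, a host sending more than its baseline, and a known payload signature) can be written as a few lines over flow records. The following is an added example and is not part of the lecture material; the flows, the per-host byte baseline and the "worm signature" bytes are all constructed sample data, not captured traffic or a real malware signature.

```python
"""Added example (not from the lecture slides): three traffic-analysis checks
run over constructed flow records.

Each flow is (src, dst, dst_port, bytes_sent, payload).  The flows, the
per-host baseline and the signature bytes are constructed sample data."""
from collections import defaultdict

# Constructed flows: ordinary browsing and DNS from .10/.11, host .50 touching
# forty ports on one neighbour, host .77 sending far more than its baseline,
# and one packet whose payload contains the constructed signature below.
FLOWS = [
    ("192.168.1.10", "198.51.100.20", 443, 4200, b"\x16\x03\x01"),
    ("192.168.1.10", "198.51.100.20", 80, 1800, b"GET / HTTP/1.1\r\n"),
    ("192.168.1.11", "192.168.1.1", 53, 120, b"\x12\x34\x01\x00"),
    ("192.168.1.11", "198.51.100.20", 443, 5100, b"\x16\x03\x01"),
    ("192.168.1.77", "203.0.113.5", 25, 900_000, b"EHLO zombie\r\n"),
    ("192.168.1.12", "192.168.1.13", 445, 300, b"\x00\x00SAMPLE-WORM-MARKER\x00"),
] + [("192.168.1.50", "192.168.1.20", port, 60, b"") for port in range(20, 60)]

# Constructed baseline: bytes each host normally sends in a window like this one.
BASELINE_BYTES = {"192.168.1.10": 6000, "192.168.1.11": 5000,
                  "192.168.1.12": 2000, "192.168.1.50": 3000, "192.168.1.77": 8000}

# Constructed payload signature, standing in for a real worm signature.
SIGNATURES = {"sample-worm": b"SAMPLE-WORM-MARKER"}


def detect_port_scans(flows, port_threshold=15):
    """Return {(src, dst): n_ports} for source/destination pairs where the
    source touched more distinct ports than port_threshold."""
    ports = defaultdict(set)
    for src, dst, port, _, _ in flows:
        ports[(src, dst)].add(port)
    return {pair: len(p) for pair, p in ports.items() if len(p) > port_threshold}


def detect_heavy_talkers(flows, baseline, factor=5.0):
    """Return {src: (observed, expected)} for hosts sending more than factor
    times their baseline.  A host with no baseline entry is reported too:
    an unknown host on the LAN is itself a deviation from normal."""
    observed = defaultdict(int)
    for src, _, _, nbytes, _ in flows:
        observed[src] += nbytes
    alerts = {}
    for src, total in observed.items():
        expected = baseline.get(src)
        if expected is None or total > factor * expected:
            alerts[src] = (total, expected)
    return alerts


def match_signatures(flows, signatures):
    """Return [(src, dst, signature_name)] for payloads containing a signature."""
    hits = []
    for src, dst, _, _, payload in flows:
        for name, sig in signatures.items():
            if sig in payload:
                hits.append((src, dst, name))
    return hits


if __name__ == "__main__":
    for (src, dst), n in detect_port_scans(FLOWS).items():
        print(f"possible port scan: {src} -> {dst}, {n} distinct ports")
    for src, (seen, exp) in detect_heavy_talkers(FLOWS, BASELINE_BYTES).items():
        print(f"heavy talker: {src} sent {seen} bytes (baseline {exp})")
    for src, dst, name in match_signatures(FLOWS, SIGNATURES):
        print(f"signature {name} seen in {src} -> {dst}")
```

The thresholds (15 ports, 5x the baseline) are the part that needs tuning against the recorded baseline; a slow scan spread over hours, which the slide calls a careful one, would need the port count kept across a longer window than a single batch of flows.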
Host Defense
● Host defenses can include
  ● Anti-virus and anti-spam software
  ● Personal firewall
  ● Secure configurations or add-ons to network software
  ● Human factors (to be discussed later)
Host Defenses
● Again, we use baselining.
  ● Contents of configuration files
  ● Normal levels of CPU activity
    ● Hard to do
  ● Normally running tasks and processes
Anti-Virus Software
● Looks for "signatures" of viruses in executable files.
  ● Alerts user if signatures found
  ● This gives evidence of intrusion . . . at some point
● Anti-virus software can also help in recovery
  ● Cleans infected files
Anti-Spyware Software
● Looks for a couple of things
  ● Files associated with known threats
  ● Tasks running that look like threats
    ● Out of the ordinary
  ● Suspicious changes in configuration information
    ● In Windows, the registry
    ● In OS X, NetInfo
    ● In Linux, state of configuration files
Anti-Spyware Software
● Anti-spyware software can contribute to recovery
  ● Remove suspicious tasks (stop them from executing)
  ● Quarantine files
  ● Remove or repair configuration changes
    ● Fix the registry
Other Approaches
● Alert on
  ● Attempts to write to the BIOS
    ● Often a parameter that can be set in the BIOS
  ● Root logins
    ● Fair or foul, a root login is an important event
  ● Attempts to write to system areas
    ● Areas where system programs are stored are usually only written to during upgrades or software installations. Writes at other times are suspicious.
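Two of the "alert on" items above can be checked from ordinary host records: every root login in the authentication log is reported whatever its cause, since the slide treats each one as notable, and modification times of files in a system area are compared against the approved upgrade windows. This is an added example, not part of the lecture; the log lines, file timestamps, install date and maintenance window are constructed sample data.

```python
"""Added example (not from the slides): alerting on root logins and on writes
to system areas outside approved maintenance windows.  All input below is
constructed sample data."""
import re
from datetime import datetime, timezone

# Constructed syslog-style auth lines.
AUTH_LOG = """\
Mar  3 09:12:01 host sshd[1201]: Accepted publickey for alice from 192.168.1.10 port 50112 ssh2
Mar  3 09:15:44 host sshd[1240]: Accepted password for root from 203.0.113.7 port 40022 ssh2
Mar  3 09:16:02 host su[1302]: pam_unix(su:session): session opened for user root by alice(uid=1000)
Mar  3 09:30:10 host sshd[1333]: Failed password for root from 203.0.113.7 port 40031 ssh2
Mar  3 23:58:19 host login[1400]: pam_unix(login:session): session opened for user root by LOGIN(uid=0)
"""

# Forms of a completed root login.  Failed attempts are deliberately not
# matched: the slide is about logins that actually happened.
ROOT_LOGIN_PATTERNS = [
    re.compile(r"sshd\[\d+\]: Accepted (?P<method>\w+) for root from (?P<src>\S+)"),
    re.compile(r"session opened for user root by (?P<by>\S+)"),
]


def root_logins(log_text):
    """Return one record per root login: when, by what method, and from
    where (remote address, or the local account that became root)."""
    events = []
    for line in log_text.splitlines():
        for pat in ROOT_LOGIN_PATTERNS:
            m = pat.search(line)
            if m:
                g = m.groupdict()
                events.append({"when": line[:15],
                               "via": g.get("method", "local"),
                               "from": g.get("src") or g.get("by")})
                break
    return events


# Constructed install date and approved upgrade window (UTC).
INSTALL_TIME = datetime(2024, 1, 15, tzinfo=timezone.utc)
MAINTENANCE_WINDOWS = [
    (datetime(2024, 3, 2, 2, 0, tzinfo=timezone.utc),
     datetime(2024, 3, 2, 4, 0, tzinfo=timezone.utc)),
]

# Constructed (path, mtime) pairs for files in a system area.
SYSTEM_FILE_MTIMES = [
    ("/usr/bin/ls", datetime(2024, 3, 2, 2, 31, tzinfo=timezone.utc)),        # inside the window
    ("/usr/bin/ps", datetime(2024, 3, 3, 9, 17, tzinfo=timezone.utc)),        # outside every window
    ("/usr/lib/libc.so.6", datetime(2024, 1, 10, 3, 0, tzinfo=timezone.utc)),  # from the original install
]


def unexpected_system_writes(file_mtimes, windows, install_time):
    """Return paths modified after installation but outside every approved
    window; those are the writes the slide calls suspicious."""
    flagged = []
    for path, mtime in file_mtimes:
        if mtime <= install_time:
            continue
        if not any(start <= mtime <= end for start, end in windows):
            flagged.append(path)
    return flagged


if __name__ == "__main__":
    for ev in root_logins(AUTH_LOG):
        print(f"root login at {ev['when']} via {ev['via']} from {ev['from']}")
    for path in unexpected_system_writes(SYSTEM_FILE_MTIMES, MAINTENANCE_WINDOWS, INSTALL_TIME):
        print(f"system file written outside maintenance window: {path}")
```

Reporting every root login, including the legitimate su by alice, is the point of the slide's "fair or foul": the record of who became root and from where is what lets the foul ones be told apart later. The timestamp check is only as good as the timestamps, which is why the file-baselining slides later pair it with a digest.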
Other Approaches
● Alert on
  ● Port scans
    ● Again, easy to detect
ID Host -- Tools
● Most anti-virus vendors provide total security packages that implement most of what I have discussed
● There are freeware packages
  ● Snort – Linux and Windows
  ● Tripwire – used to be free, now nominal
    ● Most Unix systems, including all Linuxes
  ● Not much available for OS X
    ● Ports of some Unix packages
Data Defense
● Principal tool for defending data is encryption
  ● Also detects modification of data
    ● An encrypted file that is modified cannot be completely decrypted.
● We can also use baselining
  ● Only on files that are relatively static
Baselining Data
● We can store, for static files:
  ● Last modification date
  ● Last access date
  ● File size
  ● A digital digest, or signature, of the file.
● If any of these change, we know the file has been modified
Candidate Files for Baselining
● Configuration files
  ● Including hosts files (redirecting to false websites)
  ● Other network configuration files
  ● Files related to the configuration of security software
● Executable files
  ● Parts of the operating system
  ● Frequently used executables
File Baselining
● It's tough to baseline files that are frequently changing
  ● New baselines have to be computed for each modification
  ● Modifier must authenticate himself/herself to the baselining software for each modification
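The file baselining described on the "Baselining Data" and "File Baselining" slides amounts to recording size, timestamps and a digest for each static file, comparing later, and only updating the record for an identified operator. The following is an added example in the spirit of Tripwire, not the lecture's or Tripwire's own code; it builds its sample files (a hosts file and a small config file) in a temporary directory so it runs offline, and the "tampering" it performs on them is constructed to show why the digest is needed alongside the timestamps.

```python
"""Added example (not part of the slides): a minimal file-integrity baseline.
For each static file it records size, modification time, access time and a
SHA-256 digest, then reports which recorded properties have changed.  The
files are constructed in a temporary directory."""
import hashlib
import json
import os
import tempfile

# atime is recorded for later investigation but not alerted on: reading the
# file to hash it changes the access time ourselves on many filesystems.
CHECKED_FIELDS = ("size", "mtime", "sha256")


def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(path):
    """Record the properties the slide lists.  stat() runs before the read so
    the access time reflects use before our own read."""
    st = os.stat(path)
    return {"size": st.st_size, "mtime": st.st_mtime_ns,
            "atime": st.st_atime_ns, "sha256": sha256_of(path)}


def build_baseline(paths):
    return {p: snapshot(p) for p in paths}


def check_baseline(baseline):
    """Return {path: [changed fields]} for every file that no longer matches;
    a file that has disappeared is reported as ['missing']."""
    findings = {}
    for path, recorded in baseline.items():
        if not os.path.exists(path):
            findings[path] = ["missing"]
            continue
        now = snapshot(path)
        changed = [f for f in CHECKED_FIELDS if now[f] != recorded[f]]
        if changed:
            findings[path] = changed
    return findings


def rebaseline(baseline, path, authenticated_user):
    """Accept a legitimate change.  Only an identified operator may update
    the record, and the record keeps who approved it."""
    if not authenticated_user:
        raise PermissionError("re-baselining requires an authenticated user")
    baseline[path] = snapshot(path)
    baseline[path]["approved_by"] = authenticated_user


def save_baseline(baseline, out_path):
    # In practice the baseline lives on read-only media or another host;
    # here it is simply written as JSON.
    with open(out_path, "w") as f:
        json.dump(baseline, f, indent=2)


def demo():
    """Baseline two constructed files, tamper with both, and report."""
    d = tempfile.mkdtemp()
    hosts, cfg = os.path.join(d, "hosts"), os.path.join(d, "app.conf")
    with open(hosts, "w") as f:
        f.write("127.0.0.1 localhost\n")
    with open(cfg, "w") as f:
        f.write("debug=0\n")
    base = build_baseline([hosts, cfg])

    # Tamper 1: an entry appended to hosts changes size, mtime and digest.
    with open(hosts, "a") as f:
        f.write("198.51.100.9 bank.example\n")
    # Tamper 2: one byte changed in app.conf, same length, and the original
    # timestamps put back, so only the digest gives it away.
    with open(cfg, "w") as f:
        f.write("debug=1\n")
    os.utime(cfg, ns=(base[cfg]["atime"], base[cfg]["mtime"]))

    return {os.path.basename(p): fields for p, fields in check_baseline(base).items()}


if __name__ == "__main__":
    print(demo())
```

The second tamper case is the reason the slide lists a digest and not just dates and sizes: timestamps can be restored by whoever modified the file, the digest cannot be without the original content.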
Tools – File Monitoring
● Again, about the same
  ● Security packages from major vendors implement much of this
  ● Tripwire and its replacements and descendants provide these services
  ● Again, Mac OS X uses Unix tools
Recovery
● Critical element of recovery is a plan
  ● Reduces recovery time
  ● Ensures that needed materials are at hand
    ● Backups
    ● Replacement hardware
  ● The process of planning exposes weaknesses
Backups
● As we have discussed, at your level recovery generally means restoring from backups
  ● Unlikely to maintain duplicate equipment or file systems
  ● Unlikely to employ a data warehouse
Recovery
● To restore usefulness to your system you must restore
  ● Operating system
    ● OS CD/DVD and/or system restore disks
  ● Application programs
    ● Original installation disks
    ● Original installation files on removable media
    ● Web site addresses for downloading the programs
Recovery
● Critical data
  ● Documents
    ● Don't forget email folders if stored locally
  ● Bookmarks
    ● Often forgotten in backups.
    ● Use Export Bookmarks in your favorite browser
  ● Program configuration information
  ● Personal digital certificates
    ● Else you will get encrypted emails you can't read
Recovery
● With a simple recovery plan like this you must budget hours or days to get back to full function
● However, it is cheap.
● If your needs do not permit that much downtime, you need to look for backup software and hardware that allows you to make complete disk or system images.