Computer Network Security

Page 1: Computer Network Security

1

Computer Network Security

Page 2: Computer Network Security

Identify the challenges for computer and network security

• Ten to fifteen years ago, firewalls, IDS, anti-virus software and OS updates were rare
• Now
  – Virus attacks: every day
  – E-mail: scanned for suspicious attachments
  – Network admins: work overtime to
    ▪ Build the latest security defenses
    ▪ Keep the defenses up to date
• Computer attacks via the Internet
  – Making computer security one of the prime concerns

Page 3: Computer Network Security

Identify the challenges for computer and network security

• Why security is becoming increasingly difficult
  – Speed of attacks
    ▪ Wide availability of modern tools
      – Used to scan systems to find weaknesses and to launch attacks
    ▪ Most tools are automated
      – Easy to attack target systems

Page 4: Computer Network Security

Identify the challenges for computer and network security

Speed of attacks (examples)

In 2003, the Slammer worm infected 75,000 computers in the first 11 minutes after it was released, and the number of infected computers doubled every 8.5 seconds. At its peak, Slammer was scanning 55 million computers per second looking for a computer to infect.

Later that year, the Blaster worm infected 138,000 computers in its first four hours and eventually infected over 1.4 million computers.**

** From M. Ciampa, Security+ Guide to Network Security Fundamentals, 2nd edition, Thomson, 2005

Page 5: Computer Network Security

Identify the challenges for computer and network security (cont.)

• Why security is becoming increasingly difficult
  – Sophistication of attacks
    ▪ Security attacks are becoming more complex
      – Difficult to detect
  – Faster detection of weaknesses
    ▪ Newly discovered system vulnerabilities double annually
      – More difficult for software developers to update their products

Page 6: Computer Network Security

Identify the challenges for computer and network security (cont.)

• Why security is becoming increasingly difficult
  – Distributed attacks
    ▪ Multiple systems can be used to attack a single computer or network (a "many against one" approach)
      – Impossible to stop an attack by identifying and blocking the source
  – Difficulties in patching
    ▪ So, users do not apply patches

Page 7: Computer Network Security

Identify the challenges for computer and network security (cont.)

| Attack name | Impact of attack | Date patch first issued | Date attack began | Days between patch and attack |
| Bugbear | Infected more than 2 million computers | 16/5/2001 | 30/9/2002 | 5002 |
| Yaha | Unleashed 7,000 attacks per day as an e-mail-distributed distributed-denial-of-service worm | 16/5/2001 | 22/6/2002 | 402 |
| Blaster | Infected > 1.4 million computers | 16/7/2003 | 11/8/2003 | 26 |

Page 8: Computer Network Security

Security Terminology

Page 9: Computer Network Security

Vulnerabilities and Exploits

• Vulnerabilities: security weaknesses that open a program to attack
• An exploit takes advantage of a vulnerability
• Vendors develop fixes
• Zero-day exploits: exploits that occur before fixes are released
• Exploits often follow the vendor release of fixes within days or even hours
  – Companies must apply fixes quickly

Page 10: Computer Network Security

Vulnerabilities and Exploits

• Fixes
  – Work-arounds
    ▪ Manual actions to be taken
    ▪ Labor-intensive, so expensive and error-prone
  – Patches
    ▪ Small programs that fix vulnerabilities
    ▪ Usually easy to download and install
  – Service packs (groups of fixes in Windows)
  – Version upgrades
• Compromise: the successful exploitation of a target by an attacker

Page 11: Computer Network Security

Applying Patching

• Problems with patching
  – Must find operating system patches
    ▪ Windows Server does this automatically
    ▪ LINUX versions often use rpm
    ▪ …
  – Companies get overwhelmed by the number of patches
    ▪ Use many programs; vendors release many patches per product
    ▪ Especially a problem for a firm's many application programs

Page 12: Computer Network Security

Applying Patching

• Problems with patching
  – Cost of patch installation
    ▪ Each patch takes some time and labor costs
    ▪ Usually lack the resources to apply all
  – Prioritization
    ▪ Prioritize patches by criticality
    ▪ May not apply all patches, if risk analysis does not justify them

Page 13: Computer Network Security

Applying Patching

• Problems with patching
  – Risks of patch installation
    ▪ Reduced functionality
    ▪ Freeze machines, do other damage, sometimes with no uninstall possible
    ▪ Should test on a test system before deployment on servers

Page 14: Computer Network Security

Threats

• Threat: an adversary (devil/satan) who is capable and motivated to exploit a vulnerability
  ▪ (exploit = utilize, especially for profit)
• A person, thing or event
  ▪ which poses some danger to an asset in terms of that asset's confidentiality, integrity, availability
• Accidental threats
• Deliberate threats: passive and active

Page 15: Computer Network Security

Threats

• Examples of threats
  – Hacker/cracker
  – Script kiddies
  – Spies and malware
  – Denial-of-service (DoS) attack
  – Zombies
  – Insecure/poorly designed applications
  – Virus
  – Worms

Page 16: Computer Network Security

Script kiddies

• Script kiddies want to break into computers like crackers, but
  ▪ are unskilled users
  ▪ download software from web sites and use it to break into computers

Page 17: Computer Network Security

Spies

• Spies: a person who
  – Has been hired to break into a computer and steal information
  – Does not randomly search for unsecured computers to attack
• Malware
  – A group of destructive programs such as viruses, worms, Trojan horses, logic bombs, and spyware

Page 18: Computer Network Security

Virus

• Virus: a computer program that can copy itself and infect a computer without the permission or knowledge of the user
  – spreads from one computer to another when its host (such as an infected file) is taken to that computer
  – viruses always infect or corrupt files on a targeted computer

Page 19: Computer Network Security

Worm

• Worm: a computer program that is self-replicating code
  ▪ Resides in active memory (the program is executed)
  ▪ Propagates itself
  – uses a network to send copies of itself to other nodes
  – can spread itself to other computers without needing to be transferred as part of an infected file
  – always harms the network

Page 20: Computer Network Security

Trojan horse

• Trojan horse: a program that installs malicious software while under the guise of doing something else
  – differs from a virus in that
    ▪ a Trojan horse does not insert its code into other computer files
    ▪ it appears harmless until executed

Page 21: Computer Network Security

Logic Bomb

• Logic bomb: a program that is inactive until it is triggered by a specific event, e.g.
  ▪ a certain date being reached
  – once triggered, the program can perform many malicious activities
  – is difficult to defend against

Page 22: Computer Network Security

Spyware

• Spyware: a computer program that is installed surreptitiously on a personal computer
  ▪ to intercept or take partial control over the user's interaction with the computer, without the user's awareness
    – installing additional software
    – redirecting web browser activity
  ▪ secretly monitors the user's behavior
    – collects various types of personal information

Page 23: Computer Network Security

Mobile Code

• Mobile code (more spyware)
  – Executable code on a webpage
  – Code is executed automatically when the webpage is downloaded
  – JavaScript, Microsoft ActiveX controls, etc.
  – Can do damage if the computer has a vulnerability

Page 24: Computer Network Security

Social Engineering in Malware

• Social engineering is attempting to trick users into doing something that goes against security policies
• Several types of malware use social engineering
  ▪ Spam
  ▪ Phishing
  ▪ Spear phishing (aimed at individuals or specific groups)
  ▪ Hoaxes

Page 25: Computer Network Security

Denial-of-service (DoS) attack

• Denial-of-service (DoS) attack: a threat that prevents legitimate traffic from being able to access the protected resource
• Common DoS
  ▪ Crashes a targeted service or server
  ▪ Normally done by
    – Exploiting a program buffer overflow problem
    – Sending too many packets to a host, causing the host to crash

Page 26: Computer Network Security

Zombies

• Zombies: systems that
  – Have been infected with software (e.g. Trojan or back doors)
    ▪ Under control of attackers
  – Can be used to launch an attack against other targets
• Insecure/poorly designed applications
  – One of the most difficult threats to detect

Page 27: Computer Network Security

Cyberterrorists

• Cyberterrorists: terrorists that attack the network and computer infrastructure to
  – Deface electronic information (such as web sites)
  – Deny service to legitimate computer users
  – Commit unauthorised intrusions into systems and networks that result in infrastructure outages and corruption of vital data

Page 28: Computer Network Security

Security Terminology

• Security attack
  – Any action that compromises the security of information, or
  – The use or exploitation of a vulnerability
• Security mechanism
  – A mechanism that is designed to detect, prevent, or recover from a security attack
• Security service
  – A service that enhances the security of data processing systems and information transfers
  – Makes use of one or more security mechanisms

Page 29: Computer Network Security

Risk

• Risk: a qualitative assessment describing the likelihood of an attacker/threat using an exploit to
  ▪ successfully bypass a defender
  ▪ attack a vulnerability
  ▪ compromise a system
• Risk analysis: provides a quantitative means of determining whether an expenditure on safeguards is warranted

Page 30: Computer Network Security

Definition of computer and network security

• Security: in a general-use environment, the system will not be openly vulnerable to attacks, data loss, privacy loss
• Security is about the protection of assets*
• Protective measures
  – Prevention
  – Detection
  – Reaction/Response

* From: Gollmann D., Computer Security, John Wiley & Sons, 1999

Page 31: Computer Network Security

Definition of computer and network security

• Information security: the tasks of guarding digital information
• Information:
  – Typically processed by a computer
  – Stored on some device
  – Transmitted over a network
• Ensures that protective measures are properly implemented
• A protection method

Page 32: Computer Network Security

Definition of computer and network security

• Computer security: computer security deals with the prevention and detection of unauthorized actions by users of a computer system*
  – The goal is to protect data and resources
  – Only an issue on shared systems
    ▪ Like a network or a time-sharing OS
  – No "global" solution

* From: Gollmann D., Computer Security, John Wiley & Sons, 1999

Page 33: Computer Network Security

Definition of computer and network security

• Computer security
  – No absolute "secure" system
  – Security mechanisms protect against specific classes of attacks

Page 34: Computer Network Security

Definition of computer and network security

• Network security
  – Security of data in transit
    ▪ Over a network link
    ▪ Over a store-and-forward node
  – Security of data at the end point
    ▪ Files
    ▪ Email
    ▪ Hardcopies

Page 35: Computer Network Security

Definition of computer and network security

• Network security differences from computer security
  – Attacks can come from anywhere, anytime
  – Highly automated (scripts)
  – Physical security measures are inadequate
  – Wide variety of applications, services, protocols
    ▪ Complexity
    ▪ Different constraints, assumptions, goals
  – No single "authority"/administrators

Page 36: Computer Network Security

Protective measures

• Prevention
  – Take measures that prevent assets from being damaged
  – Addresses the steps to deter an attack or lessen a system compromise
  – The measures, e.g.
    ▪ Physical network architecture
    ▪ Firewall elements
    ▪ Antivirus systems
    ▪ System hardening
    ▪ User education

Page 37: Computer Network Security

Protective measures

• Detection
  – Take measures that are able to detect when an asset has been damaged
  – Knowing when a system is under attack
  – Provides an important step toward responding to threats
  – Examples of measures
    ▪ Intrusion Detection System (IDS)
    ▪ SNORT

Page 38: Computer Network Security

Protective measures

• Reaction/Response
  – Take measures that are able to recover from damage
  – Common mitigation (lessen) options
    ▪ Intrusion Prevention System (IPS) (an IDS that removes access control)
    ▪ Backup devices
    ▪ Response procedure

Page 39: Computer Network Security

Protective measures

• Example of response procedure (POLICIES)
  – Turn off the compromised systems: it may be desirable to
    ▪ Power off an individual workstation
    ▪ Shut off a server
      – (could cause a significant impact in many mission-critical environments)
  – Inform law enforcement
    ▪ Which organization?

Page 40: Computer Network Security

Protective measures

• Example of response procedure (POLICIES)
  – Reset the system, investigate the cause
    ▪ Some attacks
      – Restoring the system should be sufficient
    ▪ Complicated attacks
      – Blindly resetting a system may not lessen the problem
      – Should analyze the attack methods
      – Reset the environment to a state that led to the initial compromise !!
  – For sensitive information
    ▪ How much information was compromised?
    ▪ How long was the attacker accessing the system?
    ▪ Knowing this directly leads to damage control

Page 41: Computer Network Security

Protective measures

• Example of response procedure (POLICIES)
  – An individual/team in charge of leading the response
    ▪ Having one can save valuable time

Page 42: Computer Network Security

Threat Models

Page 43: Computer Network Security

Threat Models: Internal versus External

• Internal attacker motivation
  – Corporate spies
  – Disgruntled employees
    ▪ Personal issues, e.g.
      – Disagreement with boss or coworker
      – General frustration
      – Unfair disadvantage
    ▪ Greed
      – May see value in selling insider access to an interested external party
    ▪ Curiosity
    ▪ Ignorance
      – May not be aware that specific information should be confidential

Page 44: Computer Network Security

Threat Models: Internal versus External

• External attacker motivation
  – Political
  – Status: demonstrate his/her skill
  – Power: show his/her technical superiority

Page 45: Computer Network Security

Internal vs. External Attackers

Figure: Probe and Exploit Attack Packets. A corporate site with hosts 128.171.17.13, 128.171.17.22 and 128.171.17.47; an external attacker. (1) IP address scanning packet: the response confirms a host at 128.171.17.13. (2) Port scanning packet to identify running applications. (3) Exploit packet.

Page 46: Computer Network Security

Internal vs. External Attackers

Figure: Source IP Address Spoofing. The attacker at 10.6.4.3 sends (1) a spoofed packet to 128.171.17.13 with source IP address 128.171.17.47 instead of 10.6.4.3; (2) the reply goes to host 128.171.17.47. IP address spoofing hides the attacker's identity, but replies do not go to the attacker, so IP address spoofing cannot be used for all purposes.

Page 47: Computer Network Security

Internal vs. External Attackers

Figure: Chain of Attack Computers. Attacker (1.34.150.37) logs in to compromised attack host 3.35.126.7, which logs in to compromised attack host 123.125.33.101, which sends the attack command to the target host 60.168.47.47. Usually the attack can only be traced to the direct attacker (123.125.33.101) or the second direct attacker (3.35.126.7). For probes whose replies must be received, the attacker sends probes through a chain of attack computers; the victim only knows the identity of the last compromised host (123.125.33.101), not that of the attacker.

Page 48: Computer Network Security

Internal vs. External Attackers

• Traditional external attackers: hackers
• Social engineering
  ◦ Social engineering is often used in hacking
    – Call and ask for passwords and other confidential information
    – E-mail attack messages with attractive subjects
    – Piggybacking
    – Shoulder surfing
    – Pretexting
    – Etc.
  ◦ Often successful because it focuses on human weaknesses instead of technological weaknesses

Page 49: Computer Network Security

Security Goals (Objectives)

Page 50: Computer Network Security

Security Goals

• Confidentiality
• Authentication
• Authorization
• Integrity
• Nonrepudiation
• Availability

(most common: CIA, confidentiality, integrity, availability)

Page 51: Computer Network Security

Security Goals

• Confidentiality / privacy
  – Systems that provide confidentiality
    ▪ Lessen the risk of eavesdroppers or attackers
  – Example
    ▪ Email is transmitted in plain text: a problem
• Authentication
  – Permits one system to determine the origin of another system

Page 52: Computer Network Security

Security Goals

• Authorization and access control
  – The level of access control that is permitted
  – Not everyone is equal
  – Based on authentication
    ▪ Systems, processes, users are offered different levels of access
• Integrity
  – Information is not modified by an unauthorized party
• Nonrepudiation
  – Ensures that an originator cannot deny

Page 53: Computer Network Security

Identification and Authentication

• Authentication basics
• Passwords
• Biometrics
• Multiple methods

Page 54: Computer Network Security

Authentication Basics

• Authentication: a process of verifying a user's identity
• Two reasons for authenticating a user
  – The user identity is a parameter in access control decisions (for a system)
  – The user identity is recorded when logging security-relevant events in an audit trail

Page 55: Computer Network Security

Authentication Basics

• Authentication: binding of an identity to a principal (subject)
  – An identity must provide information to enable the system to confirm its identity
  – Information (one or more)
    ▪ What the identity knows (such as a password or secret information)
    ▪ What the identity has (such as a badge or card)
    ▪ What the identity is (such as fingerprints)
    ▪ Where the identity is (such as in front of a particular terminal)

Page 56: Computer Network Security

Authentication Basics

• Authentication process
  – Obtaining information from the identity
  – Analysing the data
  – Determining if it is associated with that identity
• Thus: the authentication process is the process of verifying a claimed identity

Page 57: Computer Network Security

Authentication Basics

• Username and password
  – Very common and simple identities
  – Used to enter into a system
  – Username
    ▪ Announces who a user is
    ▪ This step is called identification
  – Password
    ▪ To prove that the user is who they claim to be
    ▪ This step is called authentication

Page 58: Computer Network Security

Authentication Mechanism

• Password
• Password aging
• One-time password

Page 59: Computer Network Security

Password

• Password: based on what people know
  – User supplies password
  – Computer validates it
  – If the password is associated with the user, then the user's identity is authenticated

Page 60: Computer Network Security

Password

• Choosing passwords
  – Password guessing attacks are very simple and always work !!
    ▪ Because users are not aware of protecting their passwords
  – Password choice is a critical security issue
    ▪ Choose passwords that cannot be easily guessed
• Password defenses
  – Set a password on every account
  – Change default passwords
  – Password length
    ▪ A minimum password length should be prescribed

Page 61: Computer Network Security

Password

• Password defenses
  – Password format
    ▪ Mix upper and lower case symbols
    ▪ Include numerical and other non-alphabetical symbols
  – Avoid obvious passwords

Page 62: Computer Network Security

Password

• How to improve password security?
  – Password checker tool
    ▪ Check passwords against some dictionary of weak passwords
  – Password generation
    ▪ A utility in some systems
    ▪ Produces random passwords for users
  – Password aging
    ▪ A requirement that the password be changed after some period of time
    ▪ Required mechanisms
      – Forcing users to change to a different password
      – Providing notice of the need to change
      – A user-friendly method to change the password

Page 63: Computer Network Security

Password

• How to improve password security?
  – One-time password
    ▪ A password is valid for only one use
  – Limit login attempts
    ▪ A system monitors unsuccessful login attempts
      – Reacts by locking the user account if the login process failed
  – Inform the user
    ▪ After a successful login the system displays
      – The last login time
      – The number of failed login attempts

Page 64: Computer Network Security

Attacking a password system

• Password guessing
  – Exhaustive search (brute force)
    ▪ Try all possible combinations of valid symbols
  – Dictionary attack
  – Random selection of passwords
  – Pronounceable and other computer-generated passwords
  – User-selected passwords
    ▪ Passwords based on
      – Account names
      – User names
      – Computer names, etc.
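The password defenses of pages 60 to 63 (minimum length, mixed case, digits and symbols, a weak-password dictionary, no passwords built from account, user or computer names, lockout after repeated failures, and reporting the last login and failed-attempt count) as working code. This is an added example, not code from the deck; the dictionary, the thresholds, the account names and the `LoginMonitor` class are all constructed here, and the checker rejects the name-derived passwords that page 64 lists as guessing targets.

```python
"""Password policy checker and login-attempt monitor (added example)."""
import re

# Constructed weak-password dictionary; a real checker loads a large wordlist.
WEAK_PASSWORDS = {"password", "123456", "qwerty", "letmein", "admin", "welcome"}

MIN_LENGTH = 12          # "a minimum password length should be prescribed"
MAX_FAILED_ATTEMPTS = 5  # lock the account after this many consecutive failures


def check_password(password, account_name="", user_name="", host_name=""):
    """Return a list of policy violations; an empty list means the password passes."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not re.search(r"[a-z]", password) or not re.search(r"[A-Z]", password):
        problems.append("does not mix upper and lower case")
    if not re.search(r"[0-9]", password):
        problems.append("has no digit")
    if not re.search(r"[^A-Za-z0-9]", password):
        problems.append("has no non-alphanumeric symbol")
    lowered = password.lower()
    # Dictionary check: strip trailing digits/symbols so "Password1!" is still caught.
    core = re.sub(r"[^a-z]+$", "", lowered)
    if lowered in WEAK_PASSWORDS or core in WEAK_PASSWORDS:
        problems.append("appears in the weak-password dictionary")
    # Reject passwords derived from names an attacker can read off the system.
    for label, name in (("account name", account_name),
                        ("user name", user_name),
                        ("computer name", host_name)):
        if name and len(name) >= 3 and name.lower() in lowered:
            problems.append(f"contains the {label} '{name}'")
    return problems


class LoginMonitor:
    """Counts failed logins per account, locks after MAX_FAILED_ATTEMPTS, and on
    success reports the last login time and failures since that login."""

    def __init__(self):
        self.failed = {}       # account -> consecutive failed attempts
        self.locked = set()
        self.last_login = {}   # account -> timestamp of last successful login

    def attempt(self, account, success, now):
        if account in self.locked:
            return {"status": "locked"}
        if not success:
            self.failed[account] = self.failed.get(account, 0) + 1
            if self.failed[account] >= MAX_FAILED_ATTEMPTS:
                self.locked.add(account)
                return {"status": "locked"}
            return {"status": "failed", "failed_attempts": self.failed[account]}
        report = {
            "status": "ok",
            "last_login": self.last_login.get(account),
            "failed_attempts_since_last_login": self.failed.get(account, 0),
        }
        self.last_login[account] = now
        self.failed[account] = 0
        return report


if __name__ == "__main__":
    print(check_password("Password1!", account_name="smt"))
    print(check_password("T7#kq!Lm9vRz", account_name="smt", host_name="machine1"))
    monitor = LoginMonitor()
    for _ in range(3):
        print(monitor.attempt("smt", False, "2003-06-04 22:33:21"))
    print(monitor.attempt("smt", True, "2003-06-04 22:34:29"))
```

The dictionary check strips trailing digits and symbols before the lookup, because "Password1!" passes the format rules yet is still a dictionary word with decoration; the name check covers the account, user and computer names that page 64 lists as the first things a guessing attack tries.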

Page 65: Computer Network Security

Biometrics

• The automated measurement of biological or behavioral features that identifies a person
• Method:
  – A set of measurements of a user is taken (recorded) when the user is given an account
  – When a user accesses the system
    ▪ The biometric authentication mechanism identifies the identity

Page 66: Computer Network Security

Biometrics

• Fingerprints
• Voices
• Eyes
• Faces
• Keystrokes
  – Keystroke intervals
  – Keystroke pressure
  – Keystroke duration
• Combinations

Page 67: Computer Network Security

Security Awareness

Page 68: Computer Network Security

Intrusion Profiles

• Exploiting passwords
• Exploiting known vulnerabilities
• Exploiting protocol flaws
• Examining source files for new security flaws
• Denial-of-service attacks
• Abusing anonymous FTP
• Installing sniffer programs
• IP source address spoofing

Page 69: Computer Network Security

Typical Network Intrusions

• Locate a system to attack
  – New systems
  – Network sweeps
• Gain entry to a user's account
  – No password or easy-to-guess password
  – Sniffed password
• Exploiting a system configuration weakness or software vulnerability to obtain access to a privileged account

Page 70: Computer Network Security

Typical Network Intrusions

• Once inside, an intruder may:
  – Remove traces from auditing records
  – Install a back door for future use
  – Install Trojan horse programs to capture system and account information
  – Jump to other hosts on your network
  – Use your system to launch attacks against other sites
  – Modify, destroy, or inappropriately disclose information

Page 71: Computer Network Security

Why Should You Care

• Protect your own operational environment
• Protect your users' data
• Provide service to your users

Page 72: Computer Network Security

What Should You Do?

• Stay current with security issues

Page 73: Computer Network Security

Internet Etiquette-1

Do:
• Understand and respect security policies
• Take responsibility for your own security
• Respect other Internet neighbours
• Cooperate to provide security

Page 74: Computer Network Security

Internet Etiquette-2

Avoid:
• Unauthorised access to other accounts and systems
• Cracking password files from other systems
• Sharing accounts
• Unauthorised access to unprotected files
• Reading the e-mail of other users
• Disrupting service

Page 75: Computer Network Security

Security Management

Page 76: Computer Network Security

Security Management

• Understanding security
• Writing a security policy
• Monitoring the network
• Auditing the network
• Preparing for an attack
• Handling an attack
• Forensics
• Log analysis
• Damage control

Page 77: Computer Network Security

Monitoring Your Network

• The shape of the logging system
• What to log
• Logging mechanisms
• Time
• Sensors
• Log management

Page 78: Computer Network Security

Monitoring Your Network

• Goals of a monitoring system
  – Reduce the likelihood of an attack going unlogged
  – Increase the likelihood that the events logged for an attack will be recognized as an attack

Page 79: Computer Network Security

The Shape of the Logging System

• Problems of a logging system
  – What events are to be logged?
    ▪ If every event is logged the log file will be very large
    ▪ If only selected events are logged some crucial events might not be logged !!
  – The log file can be tampered with by attackers
    ▪ To delete attack traces
  – Attackers can tamper with the log file
    ▪ If the logs are accessible to them

Page 80: Computer Network Security

The Shape of the Logging System

• Logs should not be accessible to an attacker
• Mechanisms that can deny access to logs
  – The logs are kept on a separate machine
  – The logs are encrypted
  – The logs are stored on write-only media
  – The logs are stored in multiple places

Page 81: Computer Network Security

The Shape of the Logging System

• Logs should not be tampered with
• Tampering efforts should be easily detected
• Achieved by
  – Cryptographically signing each log entry to detect invalid entries
  – Monitoring the log entries to look for a sudden decrease in log size
    ▪ Indicates that log entries have been deleted
  – Assigning a sequence number to each log entry and verifying that the sequence is unbroken
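The three tamper-detection measures on page 81 combined in one small log format, as an added example (not code from the deck): every entry carries a sequence number and an HMAC tag that also covers the previous entry's tag, so editing, deleting or reordering an entry breaks the chain, and a size check catches the one thing the chain cannot see, truncation of the newest entries. The key, the entry layout and the function names are assumptions made here; in practice the key lives on the separate log host, not on the machine producing the log.

```python
"""Tamper-evident log: sequence numbers, HMAC chaining and a size check (added example)."""
import hashlib
import hmac
import json

# Constructed key for this example only; a real deployment keeps it off the logging host.
LOG_KEY = b"example-log-signing-key-not-for-production"


def _tag(key, seq, message, prev_tag):
    # JSON-encode the tuple so a "|" or quote inside a message cannot create ambiguity.
    data = json.dumps([seq, message, prev_tag]).encode()
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def append_entry(log, message, key=LOG_KEY):
    """Append a signed entry; the first entry chains from a constant 'genesis' tag."""
    seq = log[-1]["seq"] + 1 if log else 1
    prev_tag = log[-1]["tag"] if log else "genesis"
    log.append({"seq": seq, "msg": message, "tag": _tag(key, seq, message, prev_tag)})
    return log


def verify_log(log, key=LOG_KEY, expected_min_len=0):
    """Return a list of findings; an empty list means every check passed.

    expected_min_len is the entry count recorded at the last check: a log that is
    now shorter has lost entries even if every remaining entry still verifies."""
    findings = []
    if len(log) < expected_min_len:
        findings.append(f"log shrank: {len(log)} entries, expected at least {expected_min_len}")
    prev_tag = "genesis"
    expected_seq = 1
    for entry in log:
        if entry["seq"] != expected_seq:
            findings.append(f"sequence gap: expected {expected_seq}, found {entry['seq']}")
            expected_seq = entry["seq"]
        want = _tag(key, entry["seq"], entry["msg"], prev_tag)
        if not hmac.compare_digest(want, entry["tag"]):
            findings.append(f"invalid signature on entry {entry['seq']}")
        prev_tag = entry["tag"]
        expected_seq += 1
    return findings


if __name__ == "__main__":
    log = []
    for msg in ("login: user smt login ok", "sshd: failed login for user smt", "su: smt to root"):
        append_entry(log, msg)
    print("intact:", verify_log(log, expected_min_len=3))
    print("middle entry removed:", verify_log([log[0], log[2]], expected_min_len=3))
    print("newest entry removed:", verify_log(log[:2], expected_min_len=3))
```

Removing a middle entry shows up twice (a sequence gap and a signature failure on the entry that followed it, since that entry was signed over the deleted tag), whereas removing only the newest entry leaves a perfectly valid shorter chain; that is why the slide pairs signing with monitoring for a sudden decrease in log size.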

Page 82: Computer Network Security

What to Log

• The network should log any events necessary to detect known attack patterns
• The network should log any events necessary to detect unusual patterns of access

Page 83: Computer Network Security

Logging Mechanisms

• Syslog
  – The most common network logging mechanism
  – Runs on Unix systems
• Components
  – Syslog daemon
  – Syslog ruleset
  – Syslog-enabled programs

Page 84: Computer Network Security

Syslog

• Syslog daemon
  – A program that runs in the background on all machines using syslog
  – Serves several purposes
    ▪ Collects messages from syslog-enabled programs on the machine hosting it
    ▪ Collects certain messages from the system that are not syslog-enabled (such as kernel messages regarding start-up and some device problems)
    ▪ Listens on the syslog port (port 514/UDP) for messages
    ▪ Saves all of the above messages in a file

Page 85: Computer Network Security

Syslog Ruleset

• Usually in /etc/syslog.conf
• Contains directives to the syslog daemon
  – Determine where various types of messages should be logged
• Choices of logging
  – Put a message into a file
  – Log a message to another machine via UDP
  – Write a message to the system console
  – Write a message to all logged-in users

Page 86: Computer Network Security

Syslog-enabled Programs

• Syslog is a standard facility in Unix
• Many Unix programs have calls to syslog built into them
  – Enables these programs to log various events
    ▪ To the local syslog daemon

Page 87: Computer Network Security

Pros (of syslog)

• Universally available
• Standard implementation
• Available from nonprogrammable devices
• A read-only logging mechanism

Page 88: Computer Network Security

Cons (of syslog)

• Unauthenticated protocol
  – Can be spoofed
• Unencrypted transmission
  – Can be eavesdropped on by attackers
• Unreliable UDP transmission
  – Not all syslog messages reach their intended destination

Page 89: Computer Network Security

Time

• An important issue in log gathering and analysis

Jun 4 22:33:21 machine1.ycom.com login: user smt login ok
Jun 4 22:34:29 machine3.ycom.com login: user smt login ok

• Time is used in the analysis process
  – It should be accurate and synchronised with other systems
  – A logging system should synchronise its time with a time server machine (NTP server)

Page 90: Computer Network Security

Sensors

• A mechanism that can be used to aid device-based logging
• Provides a means for gathering information and integrating it into the logging system

Page 91: Computer Network Security

Sensors

• Examples
  – Some sensors can detect several variations on attacks
  – Some sensors can detect problems with the network being monitored

Page 92: Computer Network Security

Sensors

• Some sensors are built to detect conditions on the logging system
  – Are the logs increasing monotonically?
    ▪ If not, a log file might have been tampered with
  – Is the logging system receiving all the logs that are being sent?
    ▪ Some devices transmit a sequence number with each log entry
    ▪ If a particular number is missing, something has gone wrong

Page 93: Computer Network Security

Sensors

• Has any machine stopped logging?
  ▪ A machine that has stopped logging
    – Might indicate a network problem OR an attack
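A parser for the BSD-style syslog lines shown on page 89, followed by two of the logging-system sensors from pages 89 and 93: timestamps that go backwards on one host (a clock that is not NTP-synchronised, or lines that were inserted or edited) and expected hosts that have stopped logging. This is an added example, not code from the deck; the sample lines beyond the two on the slide, the year (BSD syslog timestamps carry none), the host list and the silence threshold are all constructed here.

```python
"""Syslog line parser plus time-order and silent-host sensors (added example)."""
import re
from datetime import datetime, timedelta

# "Mon d HH:MM:SS host program: message" (RFC 3164 style, as on the Time slide)
SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) (?P<prog>[^:\s]+): (?P<msg>.*)$"
)

# Constructed sample: the two lines from the slide plus two more.
SAMPLE_LOG = """\
Jun 4 22:33:21 machine1.ycom.com login: user smt login ok
Jun 4 22:34:29 machine3.ycom.com login: user smt login ok
Jun 4 22:35:02 machine1.ycom.com sshd: failed login for user smt
Jun 4 22:31:40 machine3.ycom.com login: user smt logout
"""

# Constructed list of machines that are expected to send logs.
EXPECTED_HOSTS = ("machine1.ycom.com", "machine2.ycom.com", "machine3.ycom.com")


def parse_line(line, year):
    """Return {'time', 'host', 'prog', 'msg'} for a syslog line, or None if it does not parse."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"time": ts, "host": m["host"], "prog": m["prog"], "msg": m["msg"]}


def check_time_order(records):
    """Per host, flag records whose timestamp is earlier than that host's previous record."""
    last = {}
    findings = []
    for r in records:
        prev = last.get(r["host"])
        if prev is not None and r["time"] < prev:
            findings.append(
                f"{r['host']}: timestamp went backwards ({prev:%H:%M:%S} -> {r['time']:%H:%M:%S})"
            )
        last[r["host"]] = r["time"]
    return findings


def silent_hosts(records, expected_hosts, now, max_silence):
    """Expected hosts with no record within max_silence before 'now' (or none at all)."""
    last_seen = {}
    for r in records:
        if r["host"] not in last_seen or r["time"] > last_seen[r["host"]]:
            last_seen[r["host"]] = r["time"]
    return sorted(h for h in expected_hosts
                  if h not in last_seen or now - last_seen[h] > max_silence)


def analyse(text, year=2003, expected_hosts=EXPECTED_HOSTS, max_silence=timedelta(minutes=10)):
    """Run both sensors over a block of syslog text; 'now' is the newest record seen."""
    records = [r for r in (parse_line(line, year) for line in text.splitlines()) if r]
    now = max(r["time"] for r in records)
    return {
        "parsed": len(records),
        "time_findings": check_time_order(records),
        "silent_hosts": silent_hosts(records, expected_hosts, now, max_silence),
    }


if __name__ == "__main__":
    for key, value in analyse(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Both sensors key on the host name inside the message rather than the sending address, because page 88 notes that syslog over UDP is unauthenticated; a production collector would also record the arrival time on the log host so that a skewed sender clock can be distinguished from an edited line.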

Page 94: Computer Network Security

Log Management

• A process of making sure that the logging system is
  – Stable
  – Useful

Page 95: Computer Network Security

95

Unix System Security

Page 96: Computer Network Security

96

Unix Security: Security Features

Authentication and authorization mechanism Account

▪ Stores information about users (subjects)▪ Including privileges granted to a user

Identification and authentication▪ Verify a user identity

▪ Allowing the system to associate the user’s privileges with any process started by the user

Permissions on resources (objects)▪ Can be set by the system manager or the owner of the

resource

Page 97: Computer Network Security

97

Super User Account◦ Every operating system has a super user account◦ The owner of this account can do anything◦ (Called Administrator in Windows)◦ Called root in UNIX

Hacking Root◦ Goal is to take over the super user account◦ Will then “own the box”◦ Generically called hacking root

The Super User Account

Page 98: Computer Network Security

98

Appropriate Use of a Super User Account Log in as an ordinary user

Switch to super user only when needed▪ In Windows, the command is RunAs▪ In UNIX, the command is su (switch user)

Quickly revert to ordinary account when super user privileges are no longer needed

The Super User Account

Page 99: Computer Network Security

99

Assigning Permissions in UNIX

Category UNIXNumber of permissions Only 3: read (read only), write

(make changes), and execute (for programs).Referred to as rwx

For a file or directory, different permissions can be assigned to

The account ownerA single group, andAll other accounts

Page 100: Computer Network Security

100

Unix Security : Security Features

Authentication and authorisation mechanism When a user request to access any resource

▪ An operating system has to make a decision▪ Grant or deny the access ?▪ Based on

User’s identity User’s privilege The permission of the object

Detection mechanism Unix provides an audit log (audit trail)

▪ To keep track of actions performed by users▪ These records can be used to investigate security breaches

Page 101: Computer Network Security

101

Unix Security : Authentication and authorisation

Unix users (accounts) are defined by user names Users are authenticated by passwords Passwords

(most unix systems) limited to 8 characters Enciphered with the crypt(3) algorithm

▪ Repeats a slightly modified DES algorithm 25 times▪ Using all-zero block as start value▪ Using the password as key

The encrypted passwords are stored in the /etc/passwd file

Page 102: Computer Network Security

102

Unix Security : Authentication and authorisation

Example of /etc/passwd file (old versions of Unix systems)

For security-conscious version of unix Stored encrypted password field in another file, such

as /etc/shadow or /.secure/etc/passwd An entry in a /etc/passwd file is as follows

user_name:encrypted password: userID:groupID:User full name:home directory:login shell

user_name:*: userID:groupID:User full name:home directory:login shell

Page 103: Computer Network Security

103

Unix Security : Authentication and authorisation

Changing password: command passwd(1)
▪ A user is asked to supply the current password, to prevent someone else changing the user's password (root is not asked)
▪ The user is then asked to enter the new password two times
▪ Password characters are not displayed on the screen when the password is entered
Logging
▪ /usr/adm/lastlog logs each user's last login time


Unix Security : Authentication and authorisation

Users and Superuser
A user name is represented internally (in the system or in a user process) by a number, called uid (userID): 16 bits on the traditional systems described here, 32 bits on modern kernels
Unix does not distinguish between users having the same uid
▪ Several user names can be set to the same uid; the kernel only sees the number, so a second name with uid 0 is simply another root account
Some of the uids have special meanings (historical assignments; they vary between systems), such as

uid  name
-2   nobody (65534 when the 16-bit uid is read as unsigned)
0    root
1    daemon
2    uucp
3    bin
9    audit


Unix Security : Authentication and authorisation

In every Unix system there is a user with special privileges: the superuser, with uid = 0; the user name is usually root
The root privilege is used
▪ By the operating system for essential tasks, such as recording the audit log and accessing I/O devices
▪ By system administrators to perform certain system administration tasks
Almost all security checks are turned off for the superuser account! (What matters to the kernel is uid 0, not the name root.)
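The three slides above (the /etc/passwd format, accounts sharing a uid, and uid 0 being the superuser regardless of name) describe conditions an administrator can check mechanically. The following script is an added example written for this page, not code from the slides or their cited textbook: it parses constructed passwd and shadow contents, classifies each password field (empty, placeholder, legacy 13-character DES crypt(3), or a modular `$id$` hash), and reports hashes left in the world-readable passwd file, passwordless accounts, non-root uid-0 accounts and shared uids. The sample lines (`toor`, `svc`, `legacy`) are constructed to be bad; the hash bodies are placeholders.

```python
"""Audit passwd/shadow contents for the weaknesses described on the slides.

Added example, not from the slides. Sample file contents are constructed;
the 'toor', 'svc' and 'legacy' lines are deliberately bad.
"""
from dataclasses import dataclass

SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
legacy:ab8Uy1kLjKtHo:1001:1001:Legacy User:/home/legacy:/bin/sh
toor:x:0:0:backdoor:/root:/bin/bash
svc::1002:1002:Service account:/srv/svc:/bin/sh
alice:x:1003:1003:Alice:/home/alice:/bin/bash
"""

# Constructed shadow entries; only the $id$ prefix of each hash matters here.
SAMPLE_SHADOW = """\
root:$6$saltsalt$hashhashhashhash:19000:0:99999:7:::
alice:$y$j9T$saltsalt$hashhashhash:19000:0:99999:7:::
legacy:*:19000:0:99999:7:::
"""

# Modular-crypt identifiers as used in the first $...$ field of a hash.
MODULAR_IDS = {"1": "md5crypt", "2b": "bcrypt", "5": "sha256crypt",
               "6": "sha512crypt", "y": "yescrypt"}


@dataclass(frozen=True)
class PasswdEntry:
    name: str
    password: str
    uid: int
    gid: int
    gecos: str
    home: str
    shell: str


def parse_passwd(text):
    """Parse passwd(5) lines: name:password:uid:gid:gecos:home:shell."""
    entries = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            raise ValueError(f"passwd line {lineno}: expected 7 fields, got {len(fields)}")
        name, password, uid, gid, gecos, home, shell = fields
        entries.append(PasswdEntry(name, password, int(uid), int(gid), gecos, home, shell))
    return entries


def parse_shadow(text):
    """Return {name: password_field} from shadow(5) lines (first two fields)."""
    return {line.split(":")[0]: line.split(":")[1] for line in text.splitlines() if line}


def classify_password_field(field):
    """Label a password field as it appears in passwd or shadow."""
    if field == "":
        return "empty"          # account can log in with no password at all
    if field == "x":
        return "shadowed"       # modern placeholder: the hash lives in /etc/shadow
    if field[0] in "*!":
        return "locked"         # old-style placeholder, or an account locked with passwd -l
    if field.startswith("$"):
        return MODULAR_IDS.get(field.split("$")[1], "modular-crypt")
    if len(field) == 13:
        return "des-crypt"      # traditional crypt(3): 2 salt chars + 11 hash chars
    return "unknown"


def audit(passwd_text, shadow_text):
    """Return a list of (account, problem) pairs."""
    findings = []
    entries = parse_passwd(passwd_text)
    shadow = parse_shadow(shadow_text)
    for e in entries:
        kind = classify_password_field(e.password)
        if kind == "empty":
            findings.append((e.name, "no password set"))
        elif kind not in ("shadowed", "locked"):
            # Any real hash in the world-readable passwd file can be cracked offline.
            findings.append((e.name, f"{kind} hash in world-readable /etc/passwd"))
        if e.uid == 0 and e.name != "root":
            # The kernel only sees uid 0: this account is the superuser, whatever its name.
            findings.append((e.name, "uid 0 account other than root"))
        if classify_password_field(shadow.get(e.name, "x")) == "des-crypt":
            findings.append((e.name, "legacy DES crypt(3) hash in /etc/shadow"))
        if shadow.get(e.name) == "":
            findings.append((e.name, "empty password field in /etc/shadow"))
    by_uid = {}
    for e in entries:
        by_uid.setdefault(e.uid, []).append(e.name)
    for uid, names in sorted(by_uid.items()):
        if len(names) > 1:
            findings.append((",".join(names), f"share uid {uid}"))
    return findings


if __name__ == "__main__":
    for account, problem in audit(SAMPLE_PASSWD, SAMPLE_SHADOW):
        print(f"{account:12} {problem}")
```

On a real host, feed the script the contents of the live files (reading /etc/shadow requires root); the uid-0 and shared-uid checks are the ones that catch the "second root account" backdoor the slides warn about, because nothing in the kernel distinguishes `toor` from `root`.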


Unix Security : Authentication and authorisation

The superuser is very powerful and can do everything, such as
▪ Become any other user
▪ Change the system clock
▪ Write into a read-only file (if the proper methods are used)
This becomes a weakness of Unix systems
▪ If an attacker achieves superuser status, he can take control of the entire system!


Unix Security : Access Control

Access control is based on attributes of users and resources
Standard Unix systems provide discretionary access control with a granularity of owner, group, world
Unix treats all resources in a uniform manner
▪ Making no distinction between files and devices (both are reached through the file system and carry the same permission bits)


Unix Security : Access Control

Unix File Structure
Arranges files in a tree-structured file system containing files and directories

-rwxr--r--  1 user1 users 1212 Jan 23 11:21 myfile.txt
drwx------  2 user1 users  512 Jan 21 16:42 mydirectory

Columns of the ls -l output: file type and file permissions; link counter (the number of links (pointers) to the file); name of the owner and group of the file; size of the file (in bytes); modification time (ls -l shows mtime by default; -u shows atime and -c shows ctime); file name

Selected fields in the inode (the file data structure of Unix systems):

mode         Type of file and access rights
Uid          User who owns this file
Gid          Group which owns this file
Atime        Access time
Mtime        Modification time (file contents)
Ctime        Inode alteration time (ownership, permissions, link count)
Block count
Size of file


Unix Security : Access Control

Unix File Structure
File permissions (permission bits)
▪ 3 groups of bits: read, write, execute
▪ One group each for the owner of the file, the group (users in the same group) and other (all other users)

-rw-r--r--

Gives read and write access to the owner and read access to group and other (octal 644)


Unix Security : Access Control

Access permission granting decision
▪ If the user's uid indicates that it is the owner of the file, the permission bits for owner decide whether the user can get access
▪ If the user is not the owner of the file, but the gid (or one of the user's supplementary groups) indicates that the user's group owns the file, the permission bits for group decide whether the user can get access
▪ If the user is neither the owner of the file nor a member of the group that owns the file, the permission bits for other decide whether the user can get access
Only the first matching class is consulted: an owner who is denied by the owner bits is not granted access through more permissive group or other bits
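The decision procedure above, together with the permission-bit layout and the superuser bypass from the earlier slides, as an added example written for this page (not code from the slides): it decodes an `ls -l` mode string into owner/group/other rwx sets and applies the owner-then-group-then-other rule. The `FileMeta` and `Subject` records are constructed stand-ins for the inode fields and the process credentials; the uid-0 behaviour follows Linux, where root skips the read/write checks but may execute a regular file only if at least one execute bit is set.

```python
"""Owner/group/other access decision for a Unix file, as on the slides.

Added example, not from the slides. FileMeta stands in for the inode
(mode, uid, gid); Subject for the calling process's credentials.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class FileMeta:
    mode: str          # ls -l style string, e.g. "-rw-r--r--"
    uid: int           # owner
    gid: int           # owning group


@dataclass(frozen=True)
class Subject:
    uid: int
    gid: int                            # primary group
    groups: frozenset = frozenset()     # supplementary groups


def parse_mode(mode):
    """Split a 10-character ls -l mode into (owner, group, other) sets of 'r','w','x'."""
    if len(mode) != 10:
        raise ValueError(f"mode must be 10 characters: {mode!r}")
    triples = []
    for start in (1, 4, 7):
        r, w, x = mode[start:start + 3]
        perms = set()
        if r == "r":
            perms.add("r")
        if w == "w":
            perms.add("w")
        if x in "xst":      # lowercase s/t = setuid/setgid/sticky *plus* execute;
            perms.add("x")  # uppercase S/T would mean the special bit without execute
        triples.append(frozenset(perms))
    return tuple(triples)


def to_octal(mode):
    """'-rwxr--r--' -> '744' (special bits ignored)."""
    return "".join(str(4 * ("r" in p) + 2 * ("w" in p) + ("x" in p)) for p in parse_mode(mode))


def allowed(subject, f, want):
    """Decide whether `subject` may perform `want` ('r', 'w' or 'x') on file `f`."""
    if want not in ("r", "w", "x"):
        raise ValueError(f"unknown access type {want!r}")
    owner, group, other = parse_mode(f.mode)
    if subject.uid == 0:
        # Superuser: the DAC bits are not consulted, except that executing a
        # regular file still requires at least one x bit somewhere (Linux rule).
        return want != "x" or any("x" in t for t in (owner, group, other))
    # Exactly one class applies; there is no fall-through to a more permissive class.
    if subject.uid == f.uid:
        bits = owner
    elif f.gid == subject.gid or f.gid in subject.groups:
        bits = group
    else:
        bits = other
    return want in bits


if __name__ == "__main__":
    f = FileMeta("----rw----", uid=1000, gid=100)  # owner has nothing, group has rw
    print("owner reads:", allowed(Subject(1000, 100), f, "r"))   # False: owner class decides
    print("member reads:", allowed(Subject(1001, 100), f, "r"))  # True
    print("root executes:", allowed(Subject(0, 0), f, "x"))      # False: no x bit at all
```

The `----rw----` case is the one worth remembering from the slide: the owner, who is also in the owning group, is denied because the owner triple is the only one the kernel looks at for them.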


Unix Security : Audit Log and Intrusion Detection

Unix provides some mechanisms which allow detection of security violations and suspicious events
Examples of these mechanisms: auditing, intrusion detection, automatic retaliation (intrusion response)


Unix Security : Audit Log and Intrusion Detection

Auditing records security-relevant events in an audit log or audit trail files
The audit log files must be protected
▪ Set the logical protection: only privileged users have write access
▪ Send the audit log to another computer: root on the audited machine has no superuser privilege there, which offers double protection (an attacker who gains root can still stop or falsify what is sent from that point on, but cannot rewrite what the remote host already holds)
▪ Send the audit log to a secure printer: physical security measures are required to protect the integrity of the audit log


Unix Security : Audit Log and Intrusion Detection

Auditing files (for some Unix versions; modern Linux keeps them under /var/log and /var/run)

/usr/adm/lastlog   Records the last time each user logged in; this information can be displayed with the finger command
/var/adm/utmp      Records the users currently logged in; this information is used by the who command
/var/adm/wtmp      Records every time a user logs in or logs out; this information can be displayed with the last command. To prevent this file from taking over all available disk space, it may be pruned (rotated) automatically at regular intervals
/var/adm/acct      Records all executed commands (process accounting); this information can be displayed with the lastcomm command
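What `last` does with the wtmp file described above, as an added example written for this page (not code from the slides): it decodes fixed-size utmp records and pairs each login with the logout on the same terminal line, treating a reboot record as ending every open session. The byte layout is an assumption beyond the slides: it is glibc's `struct utmp` on x86-64 Linux (384-byte records with 32-bit timestamps); other Unix variants lay the record out differently. The records are constructed in the script itself.

```python
"""Rebuild login sessions from wtmp-style records, the way last(1) does.

Added example, not from the slides. Record layout follows glibc's struct utmp
on x86-64 Linux; the sample records below are constructed.
"""
import struct
from dataclasses import dataclass
from typing import Optional

# glibc <utmp.h>, x86-64: short ut_type; (2 pad bytes) int ut_pid; char ut_line[32];
# char ut_id[4]; char ut_user[32]; char ut_host[256]; short e_termination, e_exit;
# int32 ut_session; int32 tv_sec, tv_usec; int32 ut_addr_v6[4]; char __unused[20]
UTMP_FMT = "<hxxi32s4s32s256shhiii4i20s"
UTMP_SIZE = struct.calcsize(UTMP_FMT)            # 384 bytes

BOOT_TIME, USER_PROCESS, DEAD_PROCESS = 2, 7, 8  # ut_type values from <utmp.h>


@dataclass
class Session:
    user: str
    line: str
    host: str
    login: int              # seconds since the epoch
    logout: Optional[int]   # None while still logged in
    status: str             # "logged out", "down" (ended by a reboot) or "still logged in"


def pack_record(ut_type, pid, line, user="", host="", tv_sec=0):
    """Build one record; used here only to construct the sample data."""
    def cfield(s, n):
        return s.encode("ascii")[:n].ljust(n, b"\0")
    return struct.pack(UTMP_FMT, ut_type, pid, cfield(line, 32), b"\0" * 4,
                       cfield(user, 32), cfield(host, 256), 0, 0, 0, tv_sec, 0,
                       0, 0, 0, 0, b"\0" * 20)


def _cstr(b):
    """NUL-terminated fixed-width field to str."""
    return b.split(b"\0", 1)[0].decode("ascii", "replace")


def iter_records(blob):
    """Yield (ut_type, pid, line, user, host, tv_sec) for each record in the file."""
    if len(blob) % UTMP_SIZE:
        # A size that is not a multiple of the record length means truncation or tampering.
        raise ValueError(f"wtmp size {len(blob)} is not a multiple of {UTMP_SIZE}")
    for off in range(0, len(blob), UTMP_SIZE):
        fields = struct.unpack_from(UTMP_FMT, blob, off)
        ut_type, pid, line, _id, user, host = fields[:6]
        yield ut_type, pid, _cstr(line), _cstr(user), _cstr(host), fields[9]


def sessions(blob):
    """Pair each login (USER_PROCESS) with the DEAD_PROCESS record on the same line."""
    open_by_line = {}
    out = []
    for ut_type, _pid, line, user, host, tv_sec in iter_records(blob):
        if ut_type == USER_PROCESS:
            open_by_line[line] = Session(user, line, host, tv_sec, None, "still logged in")
        elif ut_type == DEAD_PROCESS and line in open_by_line:
            s = open_by_line.pop(line)
            s.logout, s.status = tv_sec, "logged out"
            out.append(s)
        elif ut_type == BOOT_TIME:
            # A reboot implicitly ends every open session; last(1) prints these as "down".
            for s in open_by_line.values():
                s.logout, s.status = tv_sec, "down"
                out.append(s)
            open_by_line.clear()
    out.extend(open_by_line.values())
    return out


# Constructed sample: two logins, one clean logout, a reboot, then a console root login.
SAMPLE_WTMP = b"".join([
    pack_record(USER_PROCESS, 1001, "pts/0", "alice", "10.0.0.5", 1700000000),
    pack_record(USER_PROCESS, 1002, "pts/1", "bob", "", 1700000100),
    pack_record(DEAD_PROCESS, 1001, "pts/0", tv_sec=1700003600),
    pack_record(BOOT_TIME, 0, "~", "reboot", tv_sec=1700010000),
    pack_record(USER_PROCESS, 2001, "tty1", "root", tv_sec=1700010500),
])

if __name__ == "__main__":
    for s in sessions(SAMPLE_WTMP):
        print(f"{s.user:8} {s.line:8} {s.host:16} {s.login} {s.status}")
```

Pointing `sessions()` at the bytes of a real wtmp file reproduces the core of `last` output; the size check in `iter_records()` is the first thing to run on a log recovered from a suspected compromise, since a record-sized hole is the usual trace of a crude log cleaner.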