Chapter 20 Intruders Cryptography and Network Security They agreed - PDF document

4/19/2010 Chapter 20– Intruders Cryptography and Network Security They agreed that Graham should set the test for Chapter 20 Charles Mabledene. It was neither more nor less than that Dragon should get Stern's code. If he had the 'in' at Utting which he claimed to have this should be t Utti hi h h l i d t h thi h ld b possible, only loyalty to Moscow Centre would Fifth Edition prevent it. If he got the key to the code he would by William Stallings prove his loyalty to London Central beyond a doubt. — Talking to Strange Men, Ruth Rendell Lecture slides by Lawrie Brown Intruders Intruders • clearly a growing publicized problem • significant issue for networked systems is – from “Wily Hacker” in 1986/87 hostile or unwanted access – to clearly escalating CERT stats • either via network or local • range • can identify classes of intruders: id if l f i d – benign: explore, still costs resources – masquerader – serious: access/modify data, disrupt system – misfeasor • led to the development of CERTs – clandestine user • intruder techniques & behavior patterns • varying levels of competence constantly shifting, have common features Hackers Examples of Intrusion  remote root compromise • motivated by thrill of access and status  web server defacement – hacking community a strong meritocracy  guessing / cracking passwords – status is determined by level of competence  copying viewing sensitive data / databases • benign intruders might be tolerable  running a packet sniffer – do consume resources and may slow performance – can’t know in advance whether benign or malign  distributing pirated software  using an unsecured modem to access net • IDS / IPS / VPNs can help counter  impersonating a user to reset password • awareness led to establishment of CERTs  using an unattended workstation – collect / disseminate vulnerability info / responses 1

4/19/2010 Hacker Behavior Example Criminal Enterprise • organized groups of hackers now a threat 1. select target using IP lookup tools – corporation / government / loosely affiliated gangs 2. map network for accessible services – typically young 3. identify potentially vulnerable services – often Eastern European or Russian hackers 4 4. brute force (guess) passwords b t f ( ) d – often target credit cards on e ‐ commerce server 5. install remote administration tool • criminal hackers usually have specific targets 6. wait for admin to log on and capture • once penetrated act quickly and get out password • IDS / IPS help but less effective 7. use password to access remainder of • sensitive data needs strong protection network Criminal Enterprise Behavior Insider Attacks  among most difficult to detect and prevent 1. act quickly and precisely to make their  employees have access & systems knowledge activities harder to detect  may be motivated by revenge / entitlement 2. exploit perimeter via vulnerable ports  when employment terminated  when employment terminated 3. use trojan horses (hidden software) to  taking customer data when move to competitor leave back doors for re-entry  IDS / IPS may help but also need: 4. use sniffers to capture passwords  least privilege, monitor logs, strong authentication, termination process to block access & mirror data 5. do not stick around until noticed 6. make few or no mistakes. Intrusion Techniques Insider Behavior Example • aim to gain access and/or increase privileges 1. create network accounts for themselves and on a system their friends • often use system / software vulnerabilities 2. access accounts and applications they wouldn't • key goal often is to acquire passwords normally use for their daily jobs – so then exercise access rights of owner – so then exercise access rights of owner 3 3. e-mail former and prospective employers il f d ti l • basic attack methodology 4. conduct furtive instant-messaging chats – target acquisition and information gathering 5. visit web sites that cater to disgruntled – initial access employees, such as f'dcompany.com – privilege escalation 6. perform large downloads and file copying – covering tracks 7. access the network during off hours. 2

4/19/2010 Password Guessing Password Capture  one of the most common attacks  another attack involves password capture  attacker knows a login (from email/web page etc)  watching over shoulder as password is entered  then attempts to guess password for it  using a trojan horse program to collect  defaults, short passwords, common word searches  monitoring an insecure network login  user info (variations on names, birthday, phone, common • eg. telnet, FTP, web, email words/interests)  extracting recorded info after successful login (web  exhaustively searching all possible passwords history/cache, last number dialed etc)  check by login or against stolen password file  using valid login/password can impersonate user  success depends on password chosen by user  users need to be educated to use suitable precautions/countermeasures  surveys show many users choose poorly Intrusion Detection Intrusion Detection • inevitably will have security failures • so need also to detect intrusions so can – block if detected quickly – act as deterrent d – collect info to improve security • assume intruder will behave differently to a legitimate user – but will have imperfect distinction between Audit Records Approaches to Intrusion Detection • statistical anomaly detection • fundamental tool for intrusion detection – attempts to define normal/expected behavior • native audit records – threshold – part of all common multi ‐ user O/S – profile based profile based – already present for use l d f • rule ‐ based detection – may not have info wanted in desired form – attempts to define proper behavior • detection ‐ specific audit records – anomaly – created specifically to collect wanted info – penetration identification – at cost of additional overhead on system 3

4/19/2010 Statistical Anomaly Detection Audit Record Analysis • threshold detection • foundation of statistical approaches – count occurrences of specific event over time • analyze records to get metrics over time – if exceed reasonable value assume intrusion – counter, gauge, interval timer, resource use – alone is a crude & ineffective detector alone is a crude & ineffective detector • use various tests on these to determine if • profile based current behavior is acceptable – characterize past behavior of users – mean & standard deviation, multivariate, markov process, time series, operational – detect significant deviations from this – profile usually multi ‐ parameter • key advantage is no prior knowledge used Rule ‐ Based Intrusion Detection Rule ‐ Based Intrusion Detection • observe events on system & apply rules to  rule ‐ based penetration identification decide if activity is suspicious or not  uses expert systems technology • rule ‐ based anomaly detection  with rules identifying known penetration, – analyze historical audit records to identify usage analyze historical audit records to identify usage weakness patterns or suspicious behavior weakness patterns, or suspicious behavior patterns & auto ‐ generate rules for them  compare audit records or states against rules – then observe current behavior & match against  rules usually machine & O/S specific rules to see if conforms  rules are generated by experts who interview & – like statistical anomaly detection does not require prior knowledge of security flaws codify knowledge of security admins  quality depends on how well this is done Base ‐ Rate Fallacy Distributed Intrusion Detection • practically an intrusion detection system • traditional focus is on single systems needs to detect a substantial percentage of • but typically have networked systems intrusions with few false alarms • more effective defense has these working – if too few intrusions detected ‐ > false security – if too few intrusions detected ‐ > false security together to detect intrusions h d i i – if too many false alarms ‐ > ignore / waste time • issues • this is very hard to do – dealing with varying audit record formats • existing systems seem not to have a good – integrity & confidentiality of networked data record – centralized or decentralized architecture 4