Cryptography and Network Security, Chapter 20: Intruders
Fifth Edition, by William Stallings. Lecture slides by Lawrie Brown.

Slide outline: Chapter 20 - Intruders; Intruders; Slide 4; Examples of Intrusion; Hackers; Hacker Behavior Example; Criminal Enterprise; Criminal Enterprise Behavior; Insider Attacks; Insider Behavior Example; Intrusion Techniques; Password Guessing; Password Capture; Intrusion Detection; Slide 16; Approaches to Intrusion Detection; Audit Records; Statistical Anomaly Detection; Audit Record Analysis; Rule-Based Intrusion Detection; Slide 22; Base-Rate Fallacy; Distributed Intrusion Detection; Distributed Intrusion Detection - Architecture; Distributed Intrusion Detection - Agent Implementation; Honeypots; Password Management; Password Studies; Managing Passwords - Education; Managing Passwords - Computer Generated; Managing Passwords - Reactive Checking; Managing Passwords - Proactive Checking; Summary.

Chapter 20 - Intruders

"They agreed that Graham should set the test for Charles Mabledene. It was neither more nor less than that Dragon should get Stern's code. If he had the 'in' at Utting which he claimed to have this should be possible, only loyalty to Moscow Centre would prevent it. If he got the key to the code he would prove his loyalty to London Central beyond a doubt."
  - Talking to Strange Men, Ruth Rendell

Intruders
- a significant issue for networked systems is hostile or unwanted access, either via the network or local
- can identify three classes of intruders:
  - masquerader: an outsider who obtains a legitimate user's credentials (typically via a guessed or captured password) and uses that account
  - misfeasor: a legitimate user who accesses data or resources they are not authorized for, or misuses their authorized access
  - clandestine user: one who seizes supervisory control of the system and uses it to evade auditing and access controls
- intruders have varying levels of competence

Intruders
- clearly a growing, publicized problem: from the "Wily Hacker" in 1986/87 to clearly escalating CERT statistics
- intrusions range from
  - benign: exploring the system, which still costs resources
  - serious: accessing or modifying data, disrupting the system
- led to the development of CERTs
- intruder techniques and behavior patterns shift constantly, but have common features

Examples of Intrusion
- remote root compromise
- web server defacement
- guessing / cracking passwords
- copying or viewing sensitive data / databases
- running a packet sniffer
- distributing pirated software
- using an unsecured modem to access the network
- impersonating a user to get a password reset
- using an unattended workstation

Hackers
- motivated by the thrill of access and by status
- the hacking community is a strong meritocracy: status is determined by level of competence
- benign intruders might be tolerable, but they do consume resources and may slow performance
- you can't know in advance whether an intruder is benign or malign
- IDS / IPS / VPNs can help counter them
- awareness led to the establishment of CERTs, which collect and disseminate vulnerability information and responses

Hacker Behavior Example
1. select target using IP lookup tools
2. map the network for accessible services
3. identify potentially vulnerable services
4. brute force (guess) passwords
5. install a remote administration tool
6. wait for an admin to log on and capture the password
7. use the password to access the remainder of the network

Criminal Enterprise
- organized groups of hackers are now a threat: corporations, governments, or loosely affiliated gangs
- typically young; often Eastern European or Russian hackers
- often target credit card data on e-commerce servers
- criminal hackers usually have specific targets
- once they have penetrated a system they act quickly and get out
- IDS / IPS help, but are less effective against this class
- sensitive data needs strong protection

Criminal Enterprise Behavior
1. act quickly and precisely to make their activities harder to detect
2. exploit the perimeter via vulnerable ports
3. use trojan horses (hidden software) to leave back doors for re-entry
4. use sniffers to capture passwords
5. do not stick around until noticed
6. make few or no mistakes

Insider Attacks
- among the most difficult to detect and prevent
- employees have access and systems knowledge
- may be motivated by
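The hacker and criminal-enterprise sequences above both pass through password guessing, and the slides note that an IDS can help counter it. The following is an added example (not part of the original slides or of Stallings' material) of the simplest rule-based detection for that step: it reads OpenSSH-style authentication log lines, flags a source that fails a login threshold within a short window, and then flags a success from that same source shortly afterwards, which is what a masquerader looks like once the guessed password works. The log lines are constructed for the example; the threshold, window and follow-up period are assumed values, not figures from the page.

```python
"""Rule-based detector for password guessing followed by a masquerade login.

Added example; the log lines, thresholds and windows below are assumptions
made for illustration, not values taken from the slides.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log (not from the original page). The format mimics
# OpenSSH syslog output; host names, user names and addresses are made up.
SAMPLE_LOG = """\
2024-03-01T10:00:01 host1 sshd[101]: Failed password for invalid user admin from 203.0.113.7 port 50001 ssh2
2024-03-01T10:00:03 host1 sshd[102]: Failed password for root from 203.0.113.7 port 50002 ssh2
2024-03-01T10:00:04 host1 sshd[103]: Accepted password for alice from 198.51.100.20 port 40001 ssh2
2024-03-01T10:00:05 host1 sshd[104]: Failed password for root from 203.0.113.7 port 50003 ssh2
2024-03-01T10:00:08 host1 sshd[105]: Failed password for root from 203.0.113.7 port 50004 ssh2
2024-03-01T10:00:09 host1 sshd[106]: Failed password for bob from 203.0.113.7 port 50005 ssh2
2024-03-01T10:00:12 host1 sshd[107]: Accepted password for bob from 203.0.113.7 port 50006 ssh2
2024-03-01T10:30:00 host1 sshd[108]: Failed password for alice from 198.51.100.20 port 40002 ssh2
2024-03-01T10:30:05 host1 sshd[109]: Accepted password for alice from 198.51.100.20 port 40003 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) \S+ sshd\[\d+\]: (?P<result>Failed|Accepted) password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\d+\.\d+\.\d+\.\d+) port \d+"
)

# Assumed tuning values for the two rules.
THRESHOLD = 5                      # failures within WINDOW that count as guessing
WINDOW = timedelta(seconds=60)
FOLLOW_UP = timedelta(minutes=10)  # a success this soon after a burst is suspicious


def parse(line):
    """Return (timestamp, accepted?, user, ip) for a recognised line, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return (datetime.fromisoformat(m["ts"]), m["result"] == "Accepted",
            m["user"], m["ip"])


def detect(log_text):
    """Run both rules over the log and return a list of alert tuples.

    Each alert is (alert_type, ip, user_or_None, timestamp), where alert_type is
    "brute_force" (rule 1) or "success_after_guessing" (rule 2).
    """
    alerts = []
    failures = defaultdict(deque)  # ip -> timestamps of failures inside WINDOW
    flagged_at = {}                # ip -> time rule 1 fired for that source
    for raw in log_text.splitlines():
        ev = parse(raw)
        if ev is None:
            continue               # lines in other formats are ignored, not errors
        ts, accepted, user, ip = ev
        if not accepted:
            q = failures[ip]
            q.append(ts)
            while q and ts - q[0] > WINDOW:   # drop failures that aged out
                q.popleft()
            if len(q) >= THRESHOLD and ip not in flagged_at:
                flagged_at[ip] = ts
                alerts.append(("brute_force", ip, None, ts))
        else:
            t0 = flagged_at.get(ip)
            if t0 is not None and ts - t0 <= FOLLOW_UP:
                alerts.append(("success_after_guessing", ip, user, ts))
    return alerts


if __name__ == "__main__":
    for kind, ip, user, ts in detect(SAMPLE_LOG):
        print(f"{ts.isoformat()} {kind} from {ip}" + (f" as {user}" if user else ""))
```

On the sample log, 203.0.113.7 accumulates five failures in eight seconds and trips rule 1 at 10:00:09; the accepted login for bob three seconds later trips rule 2. The single failure from 198.51.100.20 followed by a success is an ordinary mistyped password and produces nothing, which is the false-positive case any threshold rule must tolerate. A production rule would also need to watch for guessing spread across many source addresses, which this per-IP window does not catch.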
Webster U COSC 5130 - Intruders