Cryptography and Network Security, Fifth Edition, by William Stallings
Lecture slides by Lawrie Brown

Chapter 20 – Intruders

Contents: Intruders, (Slide 4), Examples of Intrusion, Hackers, Hacker Behavior Example, Criminal Enterprise, Criminal Enterprise Behavior, Insider Attacks, Insider Behavior Example, Intrusion Techniques, Password Guessing, Password Capture, Intrusion Detection, (Slide 16), Approaches to Intrusion Detection, Audit Records, Statistical Anomaly Detection, Audit Record Analysis, Rule-Based Intrusion Detection, (Slide 22), Base-Rate Fallacy, Distributed Intrusion Detection, Distributed Intrusion Detection - Architecture, Distributed Intrusion Detection – Agent Implementation, Honeypots, Password Management, Password Studies, Managing Passwords - Education, Managing Passwords - Computer Generated, Managing Passwords - Reactive Checking, Managing Passwords - Proactive Checking, Summary

"They agreed that Graham should set the test for Charles Mabledene. It was neither more nor less than that Dragon should get Stern's code. If he had the 'in' at Utting which he claimed to have this should be possible, only loyalty to Moscow Centre would prevent it. If he got the key to the code he would prove his loyalty to London Central beyond a doubt."
— Talking to Strange Men, Ruth Rendell

Intruders
- significant issue for networked systems is hostile or unwanted access, either via network or local
- can identify classes of intruders:
  - masquerader
  - misfeasor
  - clandestine user
- varying levels of competence

Intruders
- clearly a growing publicized problem
  - from "Wily Hacker" in 1986/87
  - to clearly escalating CERT stats
- range
  - benign: explore, still costs resources
  - serious: access/modify data, disrupt system
- led to the development of CERTs
- intruder techniques & behavior patterns constantly shifting, have common features

Examples of Intrusion
- remote root compromise
- web server defacement
- guessing / cracking passwords
- copying / viewing sensitive data / databases
- running a packet sniffer
- distributing pirated software
- using an unsecured modem to access net
- impersonating a user to reset password
- using an unattended workstation

Hackers
- motivated by thrill of access and status
  - hacking community a strong meritocracy
  - status is determined by level of competence
- benign intruders might be tolerable
  - do consume resources and may slow performance
  - can't know in advance whether benign or malign
- IDS / IPS / VPNs can help counter
- awareness led to establishment of CERTs
  - collect / disseminate vulnerability info / responses

Hacker Behavior Example
1. select target using IP lookup tools
2. map network for accessible services
3. identify potentially vulnerable services
4. brute force (guess) passwords
5. install remote administration tool
6. wait for admin to log on and capture password
7. use password to access remainder of network

Criminal Enterprise
- organized groups of hackers now a threat
  - corporation / government / loosely affiliated gangs
  - typically young
  - often Eastern European or Russian hackers
  - often target credit cards on e-commerce server
- criminal hackers usually have specific targets
- once penetrated act quickly and get out
- IDS / IPS help but less effective
- sensitive data needs strong protection

Criminal Enterprise Behavior
1. act quickly and precisely to make their activities harder to detect
2. exploit perimeter via vulnerable ports
3. use trojan horses (hidden software) to leave back doors for re-entry
4. use sniffers to capture passwords
5. do not stick around until noticed
6. make few or no mistakes

Insider Attacks
- among most difficult to detect and prevent
- employees have access & systems knowledge
- may be motivated by
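Password guessing appears in both behavior examples above (brute-forcing passwords, then using a guessed or captured password to reach the rest of the network), and the slides note that an IDS can help counter it. As an added example that is not part of the original slides, the Python below parses constructed sshd-style log lines and applies a simple detection rule: five or more failed logins from one source inside 60 seconds flags that source as guessing, and a later accepted login from a flagged source is reported as a likely compromise (the log lines, threshold and window are assumptions, not values from the slides).

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample sshd log lines (not from the slides): 203.0.113.7 runs a
# guessing burst that ends in an accepted root login; 198.51.100.4 is a normal user.
SAMPLE_LOG = """\
Mar 10 09:01:02 host sshd[2001]: Failed password for invalid user admin from 203.0.113.7 port 51111 ssh2
Mar 10 09:01:03 host sshd[2001]: Failed password for invalid user test from 203.0.113.7 port 51112 ssh2
Mar 10 09:01:04 host sshd[2001]: Failed password for root from 203.0.113.7 port 51113 ssh2
Mar 10 09:01:05 host sshd[2001]: Failed password for root from 203.0.113.7 port 51114 ssh2
Mar 10 09:01:06 host sshd[2001]: Failed password for oracle from 203.0.113.7 port 51115 ssh2
Mar 10 09:01:09 host sshd[2001]: Accepted password for root from 203.0.113.7 port 51116 ssh2
Mar 10 09:05:00 host sshd[2002]: Failed password for alice from 198.51.100.4 port 40001 ssh2
Mar 10 09:05:30 host sshd[2002]: Accepted password for alice from 198.51.100.4 port 40002 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\d+\.\d+\.\d+\.\d+) "
)

def parse_auth_log(text, year=2024):
    """Return (timestamp, result, user, src) tuples for each matching log line."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            events.append((ts, m["result"], m["user"], m["src"]))
    return events

def detect_guessing(events, threshold=5, window=60):
    """Flag a source once it has >= threshold failures inside a sliding window
    of `window` seconds; an accepted login afterwards marks it compromised."""
    recent = defaultdict(list)   # src -> failure timestamps still inside the window
    tried = defaultdict(set)     # src -> user names it has tried
    alerts = {}                  # src -> {"failures", "users", "compromised"}
    for ts, result, user, src in sorted(events):
        if result == "Failed":
            tried[src].add(user)
            recent[src] = [t for t in recent[src] if (ts - t).total_seconds() <= window]
            recent[src].append(ts)
            if len(recent[src]) >= threshold:
                alerts[src] = {"failures": len(recent[src]), "users": tried[src], "compromised": False}
        elif src in alerts:      # success after a flagged burst: likely a guessed password
            alerts[src]["compromised"] = True
    return alerts
```

A real deployment would read the log continuously and raise the threshold for sources that legitimately mistype, since the same rule is where the base-rate fallacy discussed later in the chapter bites.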