Exam ● On May 15, at 10:30am in this room ● Two hour exam ● Open Notes ● Will mostly cover...

Date posted: 20-Dec-2015

Page 1: Exam ● On May 15, at 10:30am in this room ● Two hour exam ● Open Notes ● Will mostly cover material since Exam 2 ● No, You may not take it early.

Exam

● On May 15, at 10:30am in this room
● Two hour exam
● Open Notes
● Will mostly cover material since Exam 2
● No, you may not take it early.

Page 2:

Intrusion Detection

● We have discussed the security "life cycle":
  – Maintain: keep your system secure and up to date
  – Detect: detect an attack
  – Recover: repair damage from the attack and restore the system to working order

Page 3:

Intrusion Detection

● We have spent a lot of time dealing with
  – Types of attacks
  – How to help secure systems against attack
● We have spent some time on the issue of backups
  – The simplest and most cost-effective solution to restoration at your level
● We need to talk about the issue of detecting attacks.

Page 4:

Intrusion Detection -- Baselining

● The most important concept in ID is baselining
  – We need to know what our system looks like ordinarily, so we can notice when something extraordinary has happened
● We do this by making a record of the normal state of our system
  – Configuration files
  – Network traffic
  – Data files
  – . . .

Page 5:

Defenses

● Last week we divided our defenses into three groups
  – Network defenses (perimeter defenses)
  – Host defenses
  – Data defenses

Page 6:

Defenses

● We will continue our discussion by talking about ways to detect breaches on these various levels

Page 7:

Network Defenses

● Network defenses protect our LAN from attacks outside our LAN
● Defenses are usually implemented by a boundary router or a personal (home) router providing the following services
  – Firewall
  – NAT (hides internal addresses, but it is the firewall rules, not the address translation, that do the filtering)
  – Possibly DHCP

Page 8:

Traffic Analysis

● We typically detect that an intruder has gotten into our local net by doing traffic analysis
  – We look at the kinds of packets on our net
  – What protocols or applications generate them
  – How heavy the traffic on the network is
  – How much traffic each host generates
  – Anything else we can grab
● We make a record of normal behavior (baselining) and look for unusual activity

Page 9:

Traffic Analysis

● Port scanning
  – Easy to detect, if carelessly done
  – Look for someone looking at a lot of ports on the same host
  – A scan spread slowly over hours, or across many source addresses, is much harder to spot
● Increased traffic
  – Hosts that have been taken over as zombies can generate greater than normal traffic
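The two detections described on pages 8 and 9, baselining per-host traffic volume and catching a careless port scan, as an added example that is not part of these slides. It runs over constructed flow records (timestamp, source, destination, destination port, bytes); the hosts, the record layout and the thresholds are assumptions made for the demo.

```python
"""Added example (not from the slides): traffic baselining and port-scan
detection over constructed flow records. Hosts, record layout and thresholds
are assumptions."""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed flows: (timestamp_s, src, dst, dst_port, bytes).
# Two "normal" observation windows (say one hour each) used to build the baseline.
BASELINE_WINDOWS = [
    [(0, "10.0.0.5", "93.184.216.34", 443, 120_000),
     (10, "10.0.0.5", "93.184.216.34", 80, 30_000),
     (20, "10.0.0.7", "10.0.0.1", 53, 2_000),
     (30, "10.0.0.7", "93.184.216.34", 443, 80_000),
     (40, "10.0.0.9", "10.0.0.1", 53, 1_000)],
    [(3600, "10.0.0.5", "93.184.216.34", 443, 140_000),
     (3610, "10.0.0.7", "10.0.0.1", 53, 2_500),
     (3620, "10.0.0.7", "93.184.216.34", 443, 70_000),
     (3630, "10.0.0.9", "10.0.0.1", 53, 1_200)],
]

# The window under examination: 10.0.0.7 has been turned into a spam zombie
# and 10.0.0.9 walks ports 1..40 on the gateway within a few seconds.
CURRENT_WINDOW = [
    (7200, "10.0.0.5", "93.184.216.34", 443, 130_000),
    (7201, "10.0.0.7", "203.0.113.9", 25, 900_000),
    (7202, "10.0.0.7", "203.0.113.10", 25, 950_000),
] + [(7300 + p, "10.0.0.9", "10.0.0.1", p, 60) for p in range(1, 41)]


def bytes_per_host(flows):
    """Total bytes sent by each source host in one window."""
    totals = defaultdict(int)
    for _ts, src, _dst, _port, nbytes in flows:
        totals[src] += nbytes
    return dict(totals)


def build_baseline(windows):
    """Per-host mean and population stdev of bytes sent per window.
    A host silent in some window contributes 0 there, so idle periods
    are part of "normal" too."""
    hosts = {src for window in windows for _, src, _, _, _ in window}
    samples = {h: [] for h in hosts}
    for window in windows:
        totals = bytes_per_host(window)
        for h in hosts:
            samples[h].append(totals.get(h, 0))
    return {h: (mean(s), pstdev(s)) for h, s in samples.items()}


def traffic_anomalies(baseline, window, k=3.0, min_excess=100_000):
    """Hosts sending more than mean + k*stdev, with an absolute floor so a
    host with a tiny, steady baseline does not alert on a few extra packets.
    Hosts never seen before are always reported."""
    alerts = {}
    for host, total in bytes_per_host(window).items():
        if host not in baseline:
            alerts[host] = "new host on the network"
            continue
        mu, sigma = baseline[host]
        if total > max(mu + k * sigma, mu + min_excess):
            alerts[host] = f"{total} bytes vs baseline {mu:.0f} +/- {sigma:.0f}"
    return alerts


def port_scans(window, min_ports=20, span_s=300):
    """(src, dst) pairs where src touched at least min_ports distinct ports on
    dst within span_s seconds. A scan spread over hours or across many
    source addresses slips under this window: that is the "carelessly done"
    qualifier on the slide."""
    events = defaultdict(list)  # (src, dst) -> [(ts, port)]
    for ts, src, dst, port, _ in window:
        events[(src, dst)].append((ts, port))
    hits = {}
    for key, evs in events.items():
        evs.sort()
        for i, (t0, _) in enumerate(evs):
            ports = {p for t, p in evs[i:] if t - t0 <= span_s}
            if len(ports) >= min_ports:
                hits[key] = len(ports)
                break
    return hits


if __name__ == "__main__":
    base = build_baseline(BASELINE_WINDOWS)
    for host, msg in traffic_anomalies(base, CURRENT_WINDOW).items():
        print(f"traffic: {host}: {msg}")
    for (src, dst), n in port_scans(CURRENT_WINDOW).items():
        print(f"portscan: {src} -> {dst}: {n} distinct ports")
```

Run stand-alone it reports 10.0.0.7 for traffic volume and 10.0.0.9 -> 10.0.0.1 for the port scan, while 10.0.0.9's small rise in bytes stays under the absolute floor. Real baselines need many more windows than two, and the volume check alone cannot tell a zombie from a legitimate large upload, which is the "hardware or software problem" caveat from page 10.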

Page 10:

Traffic Analysis

● Looking for specific kinds of packets
  – Packets that carry worms can have a signature, similar to the signature of a file that has a virus; this signature can be detected
  – Sometimes attack packets have header information that can be looked for
● Any unusual activity
  – Could indicate an attack
  – Could simply indicate a hardware or software problem

Page 11:

Host Defense

● Host defenses can include
  – Anti-virus and anti-spam software
  – Personal firewall
  – Secure configurations or add-ons to network software
  – Human factors (to be discussed later)

Page 12:

Host Defenses

● Again, we use baselining
  – Contents of configuration files
  – Normal levels of CPU activity
  – Normally running tasks and processes (hard to do)

Page 13:

Anti Virus Software

● Looks for "signatures" of viruses in executable files
  – Alerts the user if signatures are found
  – This gives evidence of intrusion . . . at some point
● Anti-virus software can also help in recovery
  – Cleans infected files

Page 14:

Anti Spyware software

● Looks for a couple of things
  – Files associated with known threats
  – Running tasks that look like threats or are out of the ordinary
  – Suspicious changes in configuration information
    – In Windows, the registry
    – In OS X, NetInfo (removed in 10.5; later versions keep configuration in property-list files and launchd job definitions)
    – In Linux, the state of configuration files

Page 15:

Anti Spyware Software

● Anti-spyware software can contribute to recovery
  – Remove suspicious tasks (stop them from executing)
  – Quarantine files
  – Remove or repair configuration changes
    – Fix the registry

Page 16:

Other Approaches

● Alert on
  – Attempts to write to the BIOS
    – Often a write-protection parameter that can be set in the BIOS setup
  – Root logins
    – Fair or foul, a root login is an important event
  – Attempts to write to system areas
    – Areas where system programs are stored are usually only written to during upgrades or software installations; writes at other times are suspicious

Page 17:

Other Approaches

● Alert on port scans
  – Again, easy to detect (unless done slowly or from many sources)
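The "root logins are an important event" point from page 16, carried through as detection logic: an added example, not from these slides, that reads syslog-style auth log lines and records every event that yields root, escalating the ones that depart from a baseline. The log lines are constructed, and the trusted source addresses and working hours are assumptions for the demo.

```python
"""Added example (not from the slides): flag root logins from a syslog-style
auth log. The log lines, trusted sources and working hours are constructed."""
import re
from datetime import datetime

# Constructed auth.log excerpt (not a real log).
AUTH_LOG = """\
May 14 09:12:01 host sshd[2101]: Accepted publickey for alice from 10.0.0.20 port 50122 ssh2
May 14 09:15:44 host sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/apt-get update
May 14 23:41:03 host sshd[2410]: Accepted password for root from 203.0.113.7 port 41234 ssh2
May 14 23:41:03 host sshd[2410]: pam_unix(sshd:session): session opened for user root by (uid=0)
May 15 02:03:10 host login[2555]: ROOT LOGIN  on '/dev/tty1'
"""

# Baseline of what "normal" root access looks like (assumed for the demo).
TRUSTED_SOURCES = {"10.0.0.20", "console"}
WORK_HOURS = range(8, 19)

PATTERNS = [
    ("ssh root login",
     re.compile(r"sshd\[\d+\]: Accepted (?P<method>\w+) for root from (?P<src>[\d.]+)")),
    ("sudo to root",
     re.compile(r"sudo:\s+(?P<user>\S+) : .*USER=root ; COMMAND=(?P<cmd>.+)")),
    ("console root login",
     re.compile(r"login\[\d+\]: ROOT LOGIN\s+on '(?P<tty>[^']+)'")),
]


def parse_ts(line):
    """Syslog timestamps carry no year; fine for hour-of-day checks."""
    return datetime.strptime(line[:15], "%b %d %H:%M:%S")


def root_events(log):
    """Every event that yields root: fair or foul, each one is recorded."""
    events = []
    for line in log.splitlines():
        for kind, rx in PATTERNS:
            m = rx.search(line)
            if m:
                ev = {"kind": kind, "ts": parse_ts(line), "line": line, **m.groupdict()}
                if kind == "console root login":
                    ev["src"] = "console"
                events.append(ev)
                break
    return events


def severity(ev):
    """Escalate when the event departs from the baseline: unknown source,
    outside working hours, or a password (not key) ssh login as root."""
    reasons = []
    src = ev.get("src")  # sudo events carry no network source
    if src is not None and src not in TRUSTED_SOURCES:
        reasons.append("untrusted source")
    if ev["ts"].hour not in WORK_HOURS:
        reasons.append("off hours")
    if ev.get("method") == "password":
        reasons.append("password auth for root")
    return ("alert" if reasons else "notice"), reasons


if __name__ == "__main__":
    for ev in root_events(AUTH_LOG):
        level, why = severity(ev)
        print(f"{level:6} {ev['kind']:18} {ev['ts']:%b %d %H:%M} {'; '.join(why)}")
```

Alice's daytime sudo is logged as a notice, the night-time password login as root from an outside address collects three reasons and becomes an alert, and the 02:03 console login is alerted on for the hour alone. The patterns are written for the OpenSSH, sudo and login message formats shown; other daemons need their own.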

Page 18:

ID Host -- Tools

● Most anti-virus vendors provide total security packages that implement most of what I have discussed
● There are freeware packages
  – Snort (network intrusion detection) – Linux and Windows
  – Tripwire (file integrity checking) – used to be free, now sold for a nominal fee; an open-source edition, Open Source Tripwire, remains free
    – Runs on most Unix systems, including all Linuxes
  – Not much available for OS X
    – Ports of some Unix packages

Page 19:

Data Defense

● The principal tool for defending data is encryption
  – Encryption alone does not reliably detect modification: tampered ciphertext usually still decrypts, just to garbage, and with a stream cipher or a counter mode an attacker can flip chosen plaintext bits without any decryption error. Detecting modification needs an integrity check: a MAC, a digital signature, or an authenticated-encryption mode.
● We can also use baselining
  – Only on files that are relatively static

Page 20:

Baselining Data

● For static files we can store
  – Last modification date
  – Last access date
  – File size
  – A digital digest (cryptographic hash) or signature of the file
● If any of these change, we know the file has been modified
  – Dates and size are easy to forge (touch can reset a timestamp) and the access date changes whenever the file is read, so the digest is the check to trust
  – The stored baseline must be protected from the same attacker: keep it off the host or sign it

Page 21:

Candidate files for Baselining

● Configuration files
  – Including the hosts file (an attacker can redirect names to false websites)
  – Other network configuration files
  – Files related to the configuration of security software
● Executable files
  – Parts of the operating system
  – Frequently used executables

Page 22:

File Baselining

● It's tough to baseline files that are frequently changing
  – New baselines have to be computed for each modification
  – The modifier must authenticate himself/herself to the baselining software for each modification; otherwise an intruder who changes a file can simply update the baseline too
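File baselining as described on pages 20 through 22, with the integrity point from page 19, as one added example that is not from these slides: record digest, size, mtime and mode for every file under a directory, tag the stored baseline with an HMAC so only a holder of the key can produce a baseline the checker accepts, then compare. The demo builds a constructed /etc in a temporary directory, and the key, the file names and the tampering are assumptions made for the demo.

```python
"""Added example (not from the slides): file baselining with a keyed
integrity tag over the stored baseline. Paths, sample files and the key are
constructed for the demo."""
import hashlib
import hmac
import json
import os
import tempfile

FIELDS = ("sha256", "size", "mtime_ns", "mode")


def file_record(path):
    """What we store per static file: digest, size, mtime and mode.
    Access time is deliberately left out: reading the file to hash it changes it."""
    st = os.stat(path)
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            digest.update(chunk)
    return {"sha256": digest.hexdigest(), "size": st.st_size,
            "mtime_ns": st.st_mtime_ns, "mode": st.st_mode}


def build_baseline(root):
    """Records for every regular file under root, keyed by relative path."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            baseline[rel] = file_record(full)
    return baseline


def sign_baseline(baseline, key):
    """Serialise the baseline and tag it with an HMAC. Only a holder of the key
    can produce a baseline the checker accepts: the "modifier must
    authenticate" requirement. The key must live where an intruder on the
    host cannot reach it (removable media, another machine)."""
    body = json.dumps(baseline, sort_keys=True).encode()
    return body, hmac.new(key, body, hashlib.sha256).hexdigest()


def load_baseline(body, tag, key):
    """Refuse a baseline whose tag does not verify under the key."""
    expected = hmac.new(key, body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("baseline rejected: bad tag")
    return json.loads(body)


def compare(old, new):
    """Added, removed and modified files; for modified ones, which fields differ."""
    report = {"added": sorted(new.keys() - old.keys()),
              "removed": sorted(old.keys() - new.keys()),
              "modified": {}}
    for path in sorted(old.keys() & new.keys()):
        changed = [f for f in FIELDS if old[path][f] != new[path][f]]
        if changed:
            report["modified"][path] = changed
    return report


def demo():
    """Baseline a constructed /etc, then tamper the way an intruder would:
    edit the hosts file and reset its mtime, delete a file, plant one."""
    key = b"constructed-demo-key-keep-off-host"
    with tempfile.TemporaryDirectory() as root:
        etc = os.path.join(root, "etc")
        os.makedirs(etc)
        hosts = os.path.join(etc, "hosts")
        with open(hosts, "w") as f:
            f.write("127.0.0.1 localhost\n")
        with open(os.path.join(etc, "resolv.conf"), "w") as f:
            f.write("nameserver 10.0.0.1\n")
        body, tag = sign_baseline(build_baseline(root), key)

        st = os.stat(hosts)
        with open(hosts, "a") as f:
            f.write("203.0.113.5 bank.example\n")  # redirect to a false website
        os.utime(hosts, ns=(st.st_atime_ns, st.st_mtime_ns))  # forge the mtime back
        os.remove(os.path.join(etc, "resolv.conf"))
        with open(os.path.join(etc, "ld.so.preload"), "w") as f:
            f.write("/tmp/evil.so\n")

        report = compare(load_baseline(body, tag, key), build_baseline(root))
        try:  # an edited baseline no longer verifies
            load_baseline(body + b"\n", tag, key)
            tamper_caught = False
        except ValueError:
            tamper_caught = True
    return report, tamper_caught


if __name__ == "__main__":
    print(json.dumps(demo()[0], indent=2))
```

The forged mtime on the hosts file hides nothing because the digest and size still differ, and the planted and deleted files show up as added and removed. For a file that changes legitimately, the workflow is the one on page 22: whoever made the change re-runs sign_baseline with the key, which is the authentication step.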

Page 23:

Tools – File Monitoring

● Again, about the same
  – Security packages from major vendors implement much of this
  – Tripwire and its replacements and descendants (for example AIDE) provide these services
  – Again, Mac OS X uses Unix tools

Page 24:

Recovery

● The critical element of recovery is a plan
  – Reduces recovery time
  – Ensures that needed materials are at hand
    – Backups
    – Replacement hardware
  – The process of planning exposes weaknesses

Page 25:

Backups

● As we have discussed, at your level recovery generally means restoring from backups
  – Unlikely to maintain duplicate equipment or file systems
  – Unlikely to employ a data warehouse

Page 26:

Recovery

● To restore usefulness to your system you must restore
  – Operating system
    – OS CD/DVD and/or system restore disks
  – Application programs
    – Original installation disks
    – Original installation files on removable media
    – Web site addresses for downloading the programs

Page 27:

Recovery

● Critical data
  – Documents
    – Don't forget email folders if stored locally
  – Bookmarks
    – Often forgotten in backups
    – Use Export Bookmarks in your favorite browser
  – Program configuration information
  – Personal digital certificates and their private keys
    – Without the private key you will receive encrypted emails you can't read

Page 28:

Recovery

● With a simple recovery plan like this you must budget hours or days to get back to full function
  – However, it is cheap
● If your needs do not permit that much downtime, you need to look for backup software and hardware that allows you to make complete disk or system images