Secure Communication and Intrusion Detection James Hidahl, Josh McCandless, Kyle Ray.
Focused Topics
Secure Communications
Intrusion Detection
Methods Used by Intruders
Secure Communications
What is security?
Access Codes
Strong Passwords
S/Key
Challenge Response
Smart Cards
What is Security?
In the computer industry, security refers to the techniques used to ensure that data stored in a computer cannot be read or compromised by anyone without authorization. "Compromised" covers more than disclosure: an attacker who can modify or delete data, or deny legitimate users access to it, has also defeated the system's security.
Access Codes
Access code is just another term for a password. A password is a secret sequence of characters that lets a user access a computer, particular files, or programs. Because it is often the only thing standing between an attacker and the account, anything that exposes the password (sharing it, sending it in clear text over the network, reusing it on another system) exposes everything it protects.
Strong Passwords
A strong password is one that is difficult for both humans and password-guessing programs to discover, so it protects data from unauthorized access. The traditional rule of thumb is a mixture of letters and numbers longer than six characters. That bar is low by today's standards: offline guessing tools try billions of candidates per second, so length matters far more than mixing character classes, and a password that appears in any published breach list is weak however it is composed. Current NIST guidance (SP 800-63B) drops forced composition rules in favour of length and screening against known-breached passwords.
S/Key
Developed at Bellcore, S/Key (RFC 1760) eliminates the need to send the same reusable password over the network each time access is required. The user's secret is hashed repeatedly to produce a chain of one-time passwords; the server stores only the most recently used element of the chain and challenges the user with the sequence number and seed of the element it expects next, which makes S/Key a well-known challenge-response password scheme. Because each password is used once, a password captured by a sniffer cannot be replayed. S/Key protects only the login itself; it does nothing for the session that follows.
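The exchange described above, as an added example that is not part of the original slides: a simplified S/Key-style login built on a hash chain. RFC 1760 uses MD4 folded to 64 bits and a six-word encoding; this version uses SHA-256 and raw digests (an assumption made so it runs with the standard library alone), and the names SkeyServer, SkeyClient and skey_chain are illustrative.

```python
import hashlib

# Added example, not from the original slides or RFC 1760's reference code.
# Simplification (assumption): SHA-256 instead of folded MD4, raw digests
# instead of the six-word encoding.

CHAIN_LENGTH = 100          # logins available before re-initialisation


def skey_hash(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def skey_chain(secret: str, seed: str, n: int) -> list:
    """Return [h^0(s), h^1(s), ..., h^n(s)] where s = secret || seed."""
    value = (secret + seed).encode()
    chain = [value]
    for _ in range(n):
        value = skey_hash(value)
        chain.append(value)
    return chain


class SkeyServer:
    """Stores the last accepted OTP and its index; never stores the secret."""

    def __init__(self, seed: str, n: int, last_otp: bytes):
        self.seed = seed
        self.seq = n            # index of the stored element h^seq(s)
        self.last = last_otp    # h^seq(s), registered at initialisation

    def challenge(self):
        """Sent to the user in the clear: which chain element is expected."""
        return self.seq - 1, self.seed

    def verify(self, otp: bytes) -> bool:
        if self.seq <= 1:
            return False        # h^0 would be the secret itself: chain exhausted
        if skey_hash(otp) != self.last:
            return False        # wrong element, or a replay of the last one
        self.last = otp         # accepted: step one link down the chain
        self.seq -= 1
        return True


class SkeyClient:
    """The user side: holds the secret and recomputes the requested element."""

    def __init__(self, secret: str):
        self.secret = secret

    def respond(self, seq: int, seed: str) -> bytes:
        return skey_chain(self.secret, seed, seq)[seq]


def demo():
    secret, seed = "correct horse battery staple", "ab12"   # constructed values
    client = SkeyClient(secret)
    # Initialisation (done once, over a trusted channel): register h^n(s).
    server = SkeyServer(seed, CHAIN_LENGTH,
                        skey_chain(secret, seed, CHAIN_LENGTH)[CHAIN_LENGTH])

    seq, sd = server.challenge()              # (99, "ab12") goes over the wire
    otp = client.respond(seq, sd)             # h^99(s): used exactly once
    first_login = server.verify(otp)          # accepted

    replay = server.verify(otp)               # sniffed and resent: rejected,
    # and knowing h^99(s) does not let the sniffer compute h^98(s).

    seq2, sd2 = server.challenge()            # (98, "ab12")
    second_login = server.verify(client.respond(seq2, sd2))
    return first_login, replay, second_login, server.seq
```

Note what the server holds: the seed, a counter and one hash value. A stolen server database therefore gives an attacker nothing to replay and nothing to crack except by brute force on the original secret.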
Challenge Response
A commonly used technique in which the system sends the user an unpredictable challenge and the user must return a response that can only be computed with knowledge of a secret; the secret itself never crosses the network. Most security systems that rely on smart cards are based on challenge-response: the user is given a code, enters it into the smart card, and the card displays a new code that the user presents to log in. The challenge must be fresh for every login; if it repeats, an attacker who recorded one exchange can simply replay the response.
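The smart-card exchange above, as an added example that is not from the original slides or any particular card product: the card answers a random nonce with a keyed hash of it, so a sniffer sees the challenge and the response but never the key. The names Token and AuthServer, the HMAC-SHA-256 construction and the 16-hex-digit display code are assumptions for the example.

```python
import hashlib
import hmac
import os

# Added example, not from the original slides. Token stands in for the smart
# card, AuthServer for the login system; HMAC-SHA-256 is the assumed function.


class Token:
    """The smart card: holds the shared secret and never releases it."""

    def __init__(self, secret: bytes):
        self._secret = secret

    def respond(self, challenge: bytes) -> str:
        # A card shows a short code on its display; we truncate to 16 hex
        # digits (64 bits) to mimic that. Use the full tag where you can.
        return hmac.new(self._secret, challenge, hashlib.sha256).hexdigest()[:16]


class AuthServer:
    def __init__(self, secrets: dict):
        self._secrets = secrets          # user -> shared secret
        self._pending = {}               # user -> outstanding challenge

    def issue_challenge(self, user: str) -> bytes:
        challenge = os.urandom(16)       # unpredictable, never reused
        self._pending[user] = challenge
        return challenge

    def check(self, user: str, response: str) -> bool:
        challenge = self._pending.pop(user, None)   # one response per challenge
        secret = self._secrets.get(user)
        if challenge is None or secret is None:
            return False
        expected = hmac.new(secret, challenge, hashlib.sha256).hexdigest()[:16]
        return hmac.compare_digest(expected, response)   # constant-time compare


def demo():
    secret = os.urandom(32)                       # provisioned onto the card
    card = Token(secret)
    server = AuthServer({"alice": secret})

    # 1. Legitimate login: challenge goes out, response comes back.
    c1 = server.issue_challenge("alice")
    r1 = card.respond(c1)
    login_ok = server.check("alice", r1)

    # 2. A sniffer saw (c1, r1). Replaying r1 against a fresh challenge fails.
    c2 = server.issue_challenge("alice")
    replay_fails = not server.check("alice", r1)

    # 3. Answering c2 after it was consumed also fails: challenges are single-use.
    late_fails = not server.check("alice", card.respond(c2))

    # 4. A card holding the wrong secret cannot answer even a fresh challenge.
    c3 = server.issue_challenge("alice")
    wrong_card_fails = not server.check("alice", Token(b"guess").respond(c3))
    return login_ok, replay_fails, late_fails, wrong_card_fails
```

Two details carry the security: the challenge comes from a cryptographic random source, and the server forgets it the moment it is answered, so the same response can never be accepted twice.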
Smart Cards
A small electronic device about the size of a credit card that contains electronic memory and possibly an embedded integrated circuit (IC). Smart cards containing an IC are sometimes called Integrated Circuit Cards (ICCs). The security value of the IC is that it can compute a response to a challenge without ever exporting the key stored inside it, so the secret cannot be copied the way a password can.
Intrusion Detection
Firewalls
Virus Scanners
Intrusion Detectors
Firewalls
A system designed to prevent unauthorized access to or from a private network or a single computer. A packet-filtering firewall decides by addresses, ports and protocol; it does not examine the content of the connections it allows through.
Virus Scanners
You should know what that means. Basically, a virus scanner scans your computer for known viruses by matching files against a database of signatures, so its effectiveness depends on how complete and up to date that database is: a brand-new virus with no signature passes undetected. Examples: Norton, Trend Micro HouseCall, AVG.
Intrusion Detectors
An intrusion detection system (IDS) inspects inbound and outbound network activity and identifies suspicious patterns that may indicate a network or system attack by someone attempting to break into or compromise a system. There are several ways to categorize an IDS:
Misuse Detection vs. Anomaly Detection
In misuse detection, the IDS analyzes the information it gathers and compares it to large databases of attack signatures. Essentially, the IDS looks for a specific attack that has already been documented. Like a virus scanner, misuse detection software is only as good as the database of attack signatures it compares packets against: it cannot see an attack for which no signature exists. In anomaly detection, the system administrator defines the baseline, or normal, state of the network's traffic load, protocol breakdown and typical packet size. The anomaly detector monitors network segments, compares their state to the baseline and looks for deviations. Anomaly detection can catch previously unseen attacks, but it raises false alarms whenever legitimate traffic changes, and an attacker who is already active while the baseline is being learned gets recorded as normal.
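The two approaches side by side, as an added example that is not from the original slides or any real IDS: a signature matcher and a per-source rate baseline run over the same constructed packet records. The signatures, the record format, the three-sigma threshold and the function names are assumptions; the traffic is made up for the example.

```python
import re
import statistics
from collections import Counter

# Added example, not from the original slides. Records, signatures and
# thresholds are constructed for illustration.

SIGNATURES = {
    "web-dir-traversal": re.compile(rb"\.\./"),               # ../ in a URL path
    "sql-tautology":     re.compile(rb"'\s*or\s+1=1", re.I),  # ' OR 1=1
}


def misuse_detect(packets):
    """Signature matching: report every (rule, src) whose payload matches."""
    hits = []
    for p in packets:
        for name, pattern in SIGNATURES.items():
            if pattern.search(p["payload"]):
                hits.append((name, p["src"]))
    return hits


def learn_baseline(packets):
    """Anomaly baseline: packets per source during a known-good window."""
    values = list(Counter(p["src"] for p in packets).values())
    mean = statistics.mean(values)
    stdev = statistics.pstdev(values) if len(values) > 1 else 0.0
    return mean, max(stdev, 1.0)   # floor stdev so a flat baseline keeps a margin


def anomaly_detect(baseline, packets, k=3.0):
    """Flag any source whose packet count exceeds mean + k * stdev."""
    mean, stdev = baseline
    threshold = mean + k * stdev
    counts = Counter(p["src"] for p in packets)
    return sorted(src for src, n in counts.items() if n > threshold)


def pkt(src, payload=b"GET /index.html HTTP/1.0\r\n"):
    return {"src": src, "dst": "192.0.2.10", "proto": "tcp", "payload": payload}


def demo():
    # Constructed training window: five ordinary clients, 10-12 requests each.
    training = [pkt(f"198.51.100.{i}") for i in range(1, 6) for _ in range(10 + i % 3)]
    baseline = learn_baseline(training)           # mean 11.2, stdev floored to 1.0

    # Live window: same clients plus two attackers doing different things.
    live = [pkt(f"198.51.100.{i}") for i in range(1, 6) for _ in range(10 + i % 3)]
    # One request matching a documented pattern: caught by the signature, invisible
    # to the rate baseline because it is a single packet.
    live.append(pkt("203.0.113.7", b"GET /../../etc/passwd HTTP/1.0\r\n"))
    # A flood of innocuous-looking requests: no signature fires, the baseline does.
    live += [pkt("203.0.113.9", b"GET /search?q=x HTTP/1.0\r\n") for _ in range(200)]

    return misuse_detect(live), anomaly_detect(baseline, live)
```

Each detector misses what the other catches, which is why real deployments run both and why the anomaly baseline has to be learned from traffic you trust.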
Network-Based vs. Host-Based Systems
In a network-based system, or NIDS, the individual packets flowing through a network are analyzed. A NIDS can detect malicious packets that are designed to be overlooked by a firewall's simplistic filtering rules, but it sees only what crosses the wire, so it cannot read encrypted traffic. In a host-based system, or HIDS, the IDS examines the activity on each individual computer or host (log files, system calls, changes to critical files), which it can see even when the traffic was encrypted on the network.
Passive System vs. Reactive System
In a passive system, the IDS detects a potential security breach, logs the information and signals an alert. In a reactive system (today usually called an intrusion prevention system), the IDS responds to the suspicious activity by logging off a user or by reprogramming the firewall to block network traffic from the suspected malicious source. Automatic blocking has a cost: an attacker who spoofs the address of a legitimate host can trick a reactive system into blocking that host.
Though they both relate to network security, an IDS differs from a firewall in that a firewall looks out for intrusions in order to stop them from happening. The firewall limits the access between networks in order to prevent intrusion and does not signal an attack from inside the network. An IDS evaluates a suspected intrusion once it has taken place and signals an alarm. An IDS also watches for attacks that originate from within a system.
Intrusion Methods
Hacker vs. Cracker
Backdoor
Port Scanning
Sniffer
Smurf
Hacker vs. Cracker
Hacker: a slang term for a computer enthusiast, i.e., a person who enjoys learning programming languages and computer systems and can often be considered an expert on the subject(s). Among professional programmers, depending on how it is used, the term can be either complimentary or derogatory, although it is developing an increasingly derogatory connotation. The pejorative sense of hacker is becoming more prominent largely because the popular press has co-opted the term to refer to individuals who gain unauthorized access to computer systems for the purpose of stealing and corrupting data. Hackers themselves maintain that the proper term for such individuals is cracker.
Hacker vs. Cracker (cont)
Crack: (1) To break into a computer system. The term was coined in the mid-80s by hackers who wanted to differentiate themselves from individuals whose sole purpose is to sneak through security systems. Whereas a cracker's sole aim is to break into secure systems, hackers are more interested in gaining knowledge about computer systems and possibly using this knowledge for playful pranks. Although hackers still argue that there is a big difference between what they do and what crackers do, the mass media has failed to understand the distinction, so the two terms, hack and crack, are often used interchangeably.
(2) To copy commercial software illegally by breaking (cracking) the various copy-protection and registration techniques being used.
Backdoor
Also called a trapdoor. An undocumented way of gaining access to a program, online service or an entire computer system. A backdoor is often written by the programmer who creates the code for the program and may be known only to that programmer, but it can equally be planted by an intruder after a break-in to keep access once the original hole is fixed. Either way it is a security risk: it bypasses the authentication everyone else has to pass, and it survives password changes.
Port Scanning
The act of systematically scanning a computer's ports. Since a port is a place where information goes into and out of a computer, port scanning identifies open doors to a computer. Port scanning has legitimate uses in managing networks, but port scanning also can be malicious in nature if someone is looking for a weakened access point to break into your computer.
Port Scanning (cont)
Types of port scans:
vanilla: the scanner attempts to connect to all 65,535 ports
strobe: a more focused scan looking only for known services to exploit
fragmented packets: the scanner sends packet fragments that get through simple packet filters in a firewall
UDP: the scanner looks for open UDP ports
sweep: the scanner connects to the same port on more than one machine
FTP bounce: the scanner goes through an FTP server in order to disguise the source of the scan
stealth scan: the scanner never completes the TCP handshake (a SYN scan sends only the SYN and drops the connection when the SYN/ACK arrives), so the scanned service never accepts a connection and its own logs record nothing; a network IDS watching the wire can still see the probes.
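A full-connect scan, as an added example that is not from the original slides or any scanner tool: it probes a range of ports on the loopback interface against a listener the script starts itself, so it runs offline, and it shows the difference between a connect scan and a stealth scan from the target's point of view. The function names and the port range are assumptions.

```python
import socket
import threading

# Added example, not from the original slides. The "service" is a constructed
# listener on an ephemeral loopback port; the scan is a plain connect() scan.


def connect_scan(host, ports, timeout=0.3):
    """Try a full TCP handshake on each port; return the ones that accept."""
    open_ports = []
    for port in ports:
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
            s.settimeout(timeout)
            if s.connect_ex((host, port)) == 0:   # 0 means connected
                open_ports.append(port)
    return open_ports


def start_listener(seen, accepted):
    """Constructed service: records every client it accepts, like its log would."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))            # kernel picks a free port
    srv.listen(5)
    port = srv.getsockname()[1]

    def serve():
        while True:
            try:
                conn, peer = srv.accept()
            except OSError:               # listener closed: stop serving
                return
            seen.append(peer)
            accepted.set()
            conn.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv, port


def demo():
    seen, accepted = [], threading.Event()
    srv, port = start_listener(seen, accepted)
    try:
        found = connect_scan("127.0.0.1", range(port - 3, port + 4))
        accepted.wait(2.0)                # let the service log the probe
    finally:
        srv.close()
    # Because the handshake completed, the application itself saw the probe.
    # A SYN ("stealth") scan tears down before accept(), so seen would be empty
    # and only a packet-level sensor could notice it.
    return port, found, len(seen)
```

Closed ports answer with a reset immediately, which is why a connect scan of a local host finishes in milliseconds; across the Internet the timeout dominates, and the scanner trades thoroughness for speed by narrowing to known service ports (the strobe scan above).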
Sniffer
A program and/or device that monitors data traveling over a network. Sniffers can be used both for legitimate network management functions and for stealing information off a network. Unauthorized sniffers can be extremely dangerous to a network's security: a purely passive sniffer sends nothing, so it is virtually impossible to detect from elsewhere on the network, and it can be inserted almost anywhere. This makes them a favorite weapon in the hacker's arsenal. The practical defence is to assume the wire is being listened to and encrypt what travels over it (SSH, TLS), so that a sniffer captures ciphertext rather than passwords.
On TCP/IP networks, where they sniff packets, they're often called packet sniffers.
Smurfing
A type of network security breach in which a network connected to the Internet is swamped with replies to ICMP echo (PING) requests. A smurf attacker sends PING requests to an Internet broadcast address. These are special addresses that deliver a received message to every host connected to the subnet, so a single PING request to the broadcast address of a /24 subnet can be multiplied up to 254 times. The return address of the request is spoofed to be the address of the attacker's victim, so all the hosts receiving the PING request reply to the victim's address instead of the real sender's. A single attacker sending hundreds or thousands of these PING messages per second can fill the victim's T-1 (or even T-3) line with ping replies, bringing the victim's entire Internet service to its knees. The attack depends on two things the amplifying network gets wrong: its border router forwards directed broadcasts (RFC 2644 made dropping them the router default in 1999; on Cisco IOS the interface command is no ip directed-broadcast), and its hosts answer echo requests addressed to the broadcast address (Linux ignores these by default via net.ipv4.icmp_echo_ignore_broadcasts=1).
Smurfing falls under the general category of Denial of Service attacks: security attacks that don't try to steal information, but instead attempt to disable a computer or network.
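The smurf pattern seen from both ends, as an added example that is not from the original slides: one check an amplifier network's sensor can run (echo requests to our broadcast address carrying a source that is not ours) and one a victim can run (far more echo replies arriving than requests it ever sent). The ICMP record format, the addresses (documentation ranges) and the 10:1 threshold are assumptions, and the packet list is constructed.

```python
import ipaddress
from collections import Counter

# Added example, not from the original slides. Packet summaries are constructed;
# a real sensor would fill them from captured ICMP headers.

ECHO_REQUEST, ECHO_REPLY = 8, 0     # ICMP type values


def amplifier_alerts(packets, local_net):
    """Echo requests aimed at our broadcast address from a source outside the subnet."""
    net = ipaddress.ip_network(local_net)
    bcast = str(net.broadcast_address)
    return [p for p in packets
            if p["type"] == ECHO_REQUEST and p["dst"] == bcast
            and ipaddress.ip_address(p["src"]) not in net]


def victim_alerts(packets, ratio=10):
    """Destinations receiving many more echo replies than they sent requests."""
    sent = Counter(p["src"] for p in packets if p["type"] == ECHO_REQUEST)
    got = Counter(p["dst"] for p in packets if p["type"] == ECHO_REPLY)
    return sorted(d for d, n in got.items() if n > ratio * max(sent[d], 1))


def icmp(src, dst, typ):
    return {"src": src, "dst": dst, "type": typ}


def demo():
    victim = "203.0.113.5"
    amp_net = "192.0.2.0/24"
    pkts = []
    # Attacker forges the victim as source and pings the amplifier's broadcast.
    pkts.append(icmp(victim, "192.0.2.255", ECHO_REQUEST))
    # Every host on the amplifier subnet answers, straight to the victim.
    pkts += [icmp(f"192.0.2.{h}", victim, ECHO_REPLY) for h in range(1, 255)]
    # Background: one genuine ping from the victim and its single reply.
    pkts.append(icmp(victim, "198.51.100.1", ECHO_REQUEST))
    pkts.append(icmp("198.51.100.1", victim, ECHO_REPLY))
    # For brevity one list holds both vantage points; each check would normally
    # run only on the traffic its own sensor sees.
    return ([p["src"] for p in amplifier_alerts(pkts, amp_net)],
            victim_alerts(pkts))
```

The amplifier-side check is the useful one: the victim can do little once the replies are arriving, but a network that drops directed broadcasts at its router and ignores broadcast pings on its hosts cannot be used as an amplifier at all.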