PAPER DSE 603(B): CYBER SECURITY
UNIT-I: INTRODUCTION TO CYBER SECURITY, CYBER SECURITY VULNERABILITIES AND CYBER SECURITY SAFEGUARDS: INTRODUCTION TO CYBER SECURITY: OVERVIEW OF CYBERSECURITY, INTERNET GOVERNANCE – CHALLENGES AND CONSTRAINTS, CYBERTHREATS:- CYBER WARFARE-CYBER CRIME-CYBER TERRORISM-CYBER ESPIONAGE, NEED FOR A COMPREHENSIVE CYBER SECURITY POLICY, NEED FOR A NODAL AUTHORITY, NEED FOR AN INTERNATIONAL CONVENTION ON CYBERSPACE. CYBER SECURITY VULNERABILITIES: OVERVIEW, VULNERABILITIES IN SOFTWARE, SYSTEM ADMINISTRATION, COMPLEX NETWORK ARCHITECTURES, OPEN ACCESS TO ORGANIZATIONAL DATA, WEAK AUTHENTICATION, UNPROTECTED BROADBAND COMMUNICATIONS, POOR CYBER SECURITY AWARENESS. CYBER SECURITY SAFEGUARDS: OVERVIEW, ACCESS CONTROL, AUDIT, AUTHENTICATION, BIOMETRICS, CRYPTOGRAPHY, DECEPTION, DENIAL OF SERVICE FILTERS, ETHICAL HACKING, FIREWALLS, INTRUSION DETECTION SYSTEMS, RESPONSE, SCANNING, SECURITY POLICY, THREAT MANAGEMENT.
UNIT-II: SECURING WEB APPLICATION, SERVICES AND SERVERS: INTRODUCTION, BASIC SECURITY FOR HTTP APPLICATIONS AND SERVICES, BASIC SECURITY FOR SOAP SERVICES, IDENTITY MANAGEMENT AND WEB SERVICES, AUTHORIZATION PATTERNS, SECURITY CONSIDERATIONS, CHALLENGES.
UNIT-III: INTRUSION DETECTION AND PREVENTION: INTRUSION, PHYSICAL THEFT, ABUSE OF PRIVILEGES, UNAUTHORIZED ACCESS BY OUTSIDER, MALWARE INFECTION, INTRUSION DETECTION AND PREVENTION TECHNIQUES, ANTI-MALWARE SOFTWARE, NETWORK BASED INTRUSION DETECTION SYSTEMS, NETWORK BASED INTRUSION PREVENTION SYSTEMS, HOST BASED INTRUSION PREVENTION SYSTEMS, SECURITY INFORMATION MANAGEMENT, NETWORK SESSION ANALYSIS, SYSTEM INTEGRITY VALIDATION.
UNIT-III
INTRUSION DETECTION AND PREVENTION
Intrusion detection systems (IDSs) can be defined as "software or hardware systems that automate the process of monitoring the events occurring in a computer system or network, analyzing them for signs of security problems."
Intrusion prevention systems (IPSs) are systems that attempt to actually stop an active attack or security problem.
Though there are many IDS and IPS products on the market today, often sold as self-contained, network-attached computer appliances, truly effective intrusion detection and prevention are achieved only when they are treated as a process, supported by layers of appropriate technologies and products.
WHAT IS AN "INTRUSION"?
Information security concerns itself with the confidentiality, integrity, and availability of information systems and the information or data they contain and process. An intrusion, then, is any action taken by an adversary that has a negative impact on the confidentiality, integrity, or availability of that information.
Given such a broad definition of "intrusion," it is instructive to examine a number of commonly occurring classes of information system (IS) intrusions.
Physical Theft
Having physical access to a computer system allows an adversary to bypass most security protections put in place to prevent unauthorized access. By stealing a computer system, the adversary has all the physical access he could want, and unless the sensitive data on the system is encrypted, the data is very likely to be compromised. This issue is most prevalent with laptop loss and theft: a great deal of sensitive information is put at risk if a laptop containing that data is stolen.
In May 2006, for example, it was revealed that the personal information of over 26 million military veterans, including names, Social Security numbers, addresses, and some disability data, was on a Department of Veterans Affairs staffer's laptop that was stolen from his home. The stolen data was of the type often used to commit identity theft, and because of the large number of affected veterans there was a great deal of concern about the theft and about the lack of security around such a sensitive collection of data.
Abuse of Privileges (The Insider Threat)
An insider is an individual who, due to her role in the organization, has some level of authorized access to the IS environment and systems. The level of access can range from that of a regular user to a systems administrator with nearly unlimited privileges.
An insider may use her access to steal sensitive data such as customer databases, trade secrets, national security secrets, or personally identifiable information (PII).
Because she is a trusted user, and given that many IDSs are designed to monitor for attacks from outsiders, an insider's abuse of privileges can go on unnoticed for a long time, compounding the damage.
An appropriately privileged user may also use her access to make unauthorized modifications to systems, which can undermine the security of the environment. These changes range from creating "backdoor" accounts, to preserve access in the event of termination, to installing so-called logic bombs, programs designed to cause damage to systems once a triggering condition is met.
UNAUTHORIZED ACCESS BY AN OUTSIDER
An outsider is considered anyone who does not have authorized access privileges to an information system or environment. To gain access, the outsider may try to gain possession of valid system credentials via social engineering, or even by guessing username and password pairs in a brute-force attack. Alternatively, the outsider may attempt to exploit a vulnerability in the target system to gain access.
Often, successful exploitation of a system vulnerability leads to some form of high-privileged access to the target, such as an Administrator or Administrator-equivalent account on a Microsoft Windows system or a root or root-equivalent account on a Unix- or Linux-based system. Once an outsider has this level of access on a system, he effectively "owns" that system and can steal data or use the system as a launching point to attack other systems.
MALWARE INFECTION
Malware can be generally defined as "a set of instructions that run on your computer and make your system do something that allows an attacker to make it do what he wants it to do." Historically, malware in the form of viruses and worms was more a disruptive nuisance than a real threat, but it has evolved into the weapon of choice for many attackers due to the increased sophistication, stealthiness, and scalability of intrusion-focused malware.
Today we see malware being used by intruders to gain access to systems, search for valuable data such as PII and passwords, monitor real-time communications, provide remote access/control, and automatically attack other systems, just to name a few capabilities.
Using malware as an attack method also provides the attacker with a "stand-off" capability that reduces the risk of identification, pursuit, and prosecution. By "stand-off" we mean the ability to launch the malware via a number of anonymous methods, such as an insecure, open public wireless access point.
Once the malware has gained access to the intended target or targets, the attacker can manage the malware via a distributed command and control system such as Internet Relay Chat (IRC).
Not only does the command and control network help mask the location and identity of the attacker, it also provides a scalable way to manage many compromised systems at once, maximizing the results for the attacker. In some cases the number of controlled machines can be astronomical, as with the Storm worm infection, which, depending on the estimate, ranged somewhere between 1 million and 10 million compromised systems. These large collections of compromised systems are often referred to as botnets.
Classifying Malware
Malware takes many forms but can be roughly classified by function and replication method:
● Virus. Self-replicating code that attaches itself to another program. It typically relies on human interaction to spread. Examples are Melissa, Michelangelo, and Sobig.
● Worm. Self-replicating code that propagates over a network, usually without human interaction. Examples are Code Red, SQL Slammer, and Blaster.
● Backdoor. A program that bypasses standard security controls to provide an attacker access, often in a stealthy way. Examples are Back Orifice, Tini, and netcat (netcat has legitimate uses as well).
● Trojan horse. A program that masquerades as a legitimate, useful program while performing malicious functions in the background. Trojans are often used to steal data or monitor user actions and can provide a backdoor function as well. Two well-known programs that have had Trojan versions circulated on the Internet are tcpdump and Kazaa.
● User-level rootkit. Trojan/backdoor code that modifies operating system software (user-space binaries and libraries) so that the attacker can maintain privileged access on a machine but remain hidden. Examples of user-level rootkits are the Linux Rootkit (LRK) family and FakeGINA.
● Kernel-level rootkit. Trojan/backdoor code that modifies the core of the operating system, the kernel, to provide the intruder the highest level of access and stealth. A kernel-level rootkit inserts itself into the kernel and intercepts system calls, and thus can remain hidden even from trusted tools brought onto the system from the outside by an investigator. Examples are Adore and Hacker Defender.
● Blended malware. A Trojan horse that, once activated by the user, inserts a backdoor utilizing user-level rootkit capabilities to stay hidden and provide a remote handler with access. Examples of blended malware are Lion and Bugbear.
INTRUSION DETECTION AND PREVENTION TECHNOLOGIES
There are various technologies available to detect and prevent intrusions. Technologies such as firewalls, a robust patching program, and disk and file encryption can be part of a powerful intrusion prevention program, but they are preventive controls that operate statically. Here we discuss the dynamic systems and technologies that assist in the detection and prevention of attacks on information systems.
ANTI-MALWARE SOFTWARE
· Anti-malware software, in the past typically referred to as antivirus software, is designed to analyze files and programs for known signatures, or patterns, in the data that make up the file or program and that indicate malicious code is present.
· This signature scanning is often accomplished in a multitiered approach where the entire hard drive of the computer is scanned sequentially during idle periods and any file accessed is scanned immediately, to help prevent dormant code in a file that has not yet been scanned from becoming active.
· When an infected file or malicious program is found, it is prevented from running and either quarantined (moved to a location for further inspection by a systems administrator) or simply deleted from the system.
· There are also appliance-based solutions that can be placed on the network to examine certain classes of traffic, such as email, before they are delivered to the end systems.
· In any case, the primary weakness of the signature-based scanning method is that if the software does not have a signature for a particular piece of malware, the malware will be effectively invisible to the software and will be able to run without interference.
· A signature might not exist because a particular installation of the anti-malware software does not have an up-to-date signature database, or because the malware is new or has been modified to avoid detection.
· To overcome this increasingly common issue, more sophisticated anti-malware software monitors for known-malicious behavioral patterns instead of, or in addition to, signature-based scanning.
· Behavioral pattern monitoring can take many forms, such as observing the system calls all programs make and identifying patterns of calls that are anomalous or known to be malicious.
· Another common method is to create a whitelist of allowed, known-normal activity and prevent all other activity, or at least prompt the user when a non-whitelisted activity is attempted.
· Though these methods overcome some of the limitations of the signature-based model and can help detect previously unseen malware, they come at the price of higher false-positive rates and/or additional administrative burden.
· While anti-malware software can be evaded by new or modified malware, it still serves a useful purpose as a component in a defense-in-depth strategy.
· A well-maintained anti-malware infrastructure will detect and prevent known forms, freeing up resources to focus on other threats; it can also be used to speed and simplify containment and eradication of a malware infection once an identifying signature has been developed and deployed.
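The following is an added example, not code from the course notes or from any anti-malware product. It models the two strategies discussed above on a handful of constructed files: signature scanning (an exact hash of a known sample plus a byte pattern) and a whitelist, or allowlist, of known-good programs. It shows why a one-byte change to a known sample defeats hash matching while the default-deny whitelist still stops it, at the cost of a prompt for every unknown file. Every file, hash and pattern is constructed; none identifies real malware.

```python
"""Signature scanning versus whitelisting, on constructed file contents."""
import hashlib
import re

# Constructed "file contents" standing in for executables and scripts.
NOTEPAD_BYTES = b"MZ\x90\x00...notepad..."
DROPPER_V1 = b"MZ\x90\x00...evil-dropper-v1..."
DROPPER_V2 = b"MZ\x90\x00...evil-dropper-v2..."   # one byte changed: '1' -> '2'
PERSIST_BAT = (b"cmd.exe /c reg add HKCU\\Software\\Microsoft\\Windows"
               b"\\CurrentVersion\\Run /v updater /d evil.exe")

def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

# Signature database as a vendor would ship it: exact-sample hashes and
# byte patterns that survive trivial edits to the file.  Constructed.
SIGNATURE_HASHES = {sha256(DROPPER_V1): "Dropper.A"}
SIGNATURE_PATTERNS = {re.compile(rb"cmd\.exe /c .*reg add .*\\Run"): "Persistence.Run"}

# Whitelist for the default-deny model: only these hashes may run.
ALLOWLIST = {sha256(NOTEPAD_BYTES): "notepad.exe"}

def signature_match(data: bytes):
    """Return the name of the signature that matches `data`, or None."""
    hit = SIGNATURE_HASHES.get(sha256(data))
    if hit:
        return hit
    for pattern, name in SIGNATURE_PATTERNS.items():
        if pattern.search(data):
            return name
    return None

def on_access_scan(name: str, data: bytes, mode: str = "signature") -> dict:
    """Decision taken when `name` is about to be executed or opened.

    mode="signature": default-allow; block only what a signature identifies.
    mode="allowlist": default-deny; run only known-good hashes and prompt the
    user/administrator for anything else (the administrative burden the
    notes mention).
    """
    hit = signature_match(data)
    if hit:
        return {"file": name, "action": "quarantine", "reason": hit}
    if mode == "allowlist":
        if sha256(data) in ALLOWLIST:
            return {"file": name, "action": "run", "reason": "whitelisted"}
        return {"file": name, "action": "prompt", "reason": "not on whitelist"}
    return {"file": name, "action": "run", "reason": "no signature match"}

SAMPLES = {  # constructed files on the scanned host
    "notepad.exe": NOTEPAD_BYTES,
    "invoice.exe": DROPPER_V1,     # exact copy of the known sample
    "invoice2.exe": DROPPER_V2,    # same dropper, altered by one byte
    "update.bat": PERSIST_BAT,     # never seen before, but matches the pattern
}

def scan_all(samples=SAMPLES, mode="signature"):
    """Map each file name to the action the scanner takes in `mode`."""
    return {name: on_access_scan(name, data, mode)["action"]
            for name, data in samples.items()}

if __name__ == "__main__":
    for mode in ("signature", "allowlist"):
        print(mode, scan_all(SAMPLES, mode))
```

In signature mode `invoice2.exe` runs untouched: the hash no longer matches and no byte pattern covers it. In whitelist mode the same file is held for a decision, but so is every legitimate program nobody has listed yet.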
NETWORK-BASED INTRUSION DETECTION SYSTEMS
For many years, network-based intrusion detection systems (NIDS) have been the workhorse of information security technology and in many ways have become synonymous with intrusion detection. NIDS function in one of three modes:
· Signature detection
· Anomaly detection
· Hybrid
A signature-based NIDS operates by passively examining all the network traffic flowing past its sensor interface or interfaces and inspecting the TCP/IP packets for signatures of known attacks, as illustrated in the figure. TCP/IP packet headers are also often inspected for nonsensical header field values, which attackers sometimes use in an attempt to circumvent filters and monitors.
In much the same way that signature-based anti-malware software can be defeated by never-before-seen malware, or by malware sufficiently modified to no longer possess the signature used for detection, a signature-based NIDS is blind to any attack for which it has no signature. Though this can be a very serious limitation, signature-based NIDS remain useful because most systems allow the operator to add custom signatures to sensors. Signature-based NIDS are also useful for monitoring known attacks and confirming that none of them succeeds in breaching systems, freeing up resources to investigate or monitor other, more serious threats.
NIDS designed to detect anomalies in network traffic build statistical or baseline models for the traffic they monitor and raise an alarm on any traffic that deviates significantly from those models. There are numerous methods for detecting network traffic anomalies, but one of the most common involves checking traffic for compliance with various protocol standards: TCP/IP for the underlying traffic, and application-layer protocols such as HTTP for Web traffic, SMTP for email, and so on.
For example, if Kiran never logs into the network after 9:00 p.m. and suddenly a logon attempt is seen from Kiran's account at 3:00 a.m., this would constitute a significant deviation from normal usage patterns and generate an alarm.
One of the main drawbacks of anomaly detection systems is the difficulty of defining the models of what is normal and what is malicious: a baseline that is too narrow produces false alarms, and one that is too broad lets attacks through.
A hybrid system takes the best qualities of both signature-based and anomaly detection NIDS and integrates them into a single system to attempt to overcome the weaknesses of both models. Many commercial NIDS now implement a hybrid model by utilizing signature matching due to its speed and flexibility while incorporating some level of anomaly detection to, at minimum, flag suspicious traffic for closer examination by those responsible for monitoring the NIDS alerts.
NETWORK-BASED INTRUSION PREVENTION SYSTEMS
NIDS are designed to passively monitor traffic and raise alarms when suspicious traffic is detected, whereas network-based intrusion prevention systems (NIPS) are designed to go one step further and actually try to prevent the attack from succeeding. This is typically achieved by inserting the NIPS device inline with the traffic it is monitoring. Each network packet is inspected and only passed if it does not trigger some sort of alert based on a signature match or anomaly threshold. Suspicious packets are discarded and an alert is generated.
The ability to intervene and stop known attacks, in contrast to the passive monitoring of NIDS, is the greatest benefit of NIPS.
NIPS Drawbacks
· Heavy reliance on static signatures
· Inability to examine encrypted traffic
· Difficulties with very high network speeds
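The following is an added example, not code from the course notes or from any IDS/IPS product, covering both the three NIDS modes described above and the inline NIPS decision. It runs a signature match, a protocol-compliance check on TCP header flags, and a per-host baseline (hours active, ports used) over hand-built packet records, and then shows the hybrid policy: definite hits (signature or malformed header) are dropped inline, while anomalies are only flagged for an analyst. Signatures, hosts, hours and packets are all constructed, and the record format is an assumption; a real sensor decodes raw frames from a span port or an inline interface pair.

```python
"""Hybrid NIDS and inline NIPS over a constructed packet capture."""
import re
from dataclasses import dataclass

@dataclass
class Packet:
    src: str
    dst: str
    dport: int
    flags: frozenset      # TCP flag names, e.g. frozenset({"SYN"})
    payload: bytes = b""
    hour: int = 12        # hour of day the packet was seen

# Signature rules: (name, destination port or None for any, byte regex).
SIGNATURES = [
    ("web-path-traversal", 80, re.compile(rb"\.\./\.\./")),
    ("mssql-xp_cmdshell", 1433, re.compile(rb"xp_cmdshell", re.I)),
]

# Protocol-compliance check on headers: flag combinations no conforming
# TCP stack sends, used by scanners to fingerprint hosts and evade filters.
INVALID_FLAG_SETS = [
    frozenset({"SYN", "FIN"}),          # SYN+FIN
    frozenset({"FIN", "PSH", "URG"}),   # "Xmas" scan
    frozenset(),                        # null scan
]

def signature_alerts(pkt):
    return [name for name, port, rx in SIGNATURES
            if (port is None or pkt.dport == port) and rx.search(pkt.payload)]

def header_alerts(pkt):
    return ["bad-tcp-flags"] if pkt.flags in INVALID_FLAG_SETS else []

def build_baseline(packets):
    """Statistical model per source host: hours it is active, ports it uses."""
    model = {}
    for p in packets:
        m = model.setdefault(p.src, {"hours": set(), "ports": set()})
        m["hours"].add(p.hour)
        m["ports"].add(p.dport)
    return model

def anomaly_alerts(pkt, baseline):
    m = baseline.get(pkt.src)
    if m is None:
        return ["new-source"]
    alerts = []
    if pkt.hour not in m["hours"]:
        alerts.append("off-hours")
    if pkt.dport not in m["ports"]:
        alerts.append("new-port")
    return alerts

def inspect(pkt, baseline):
    """Hybrid verdict: signature and header hits are definite enough to act
    on; anomalies are only flagged for closer examination by an analyst."""
    definite = signature_alerts(pkt) + header_alerts(pkt)
    suspicious = anomaly_alerts(pkt, baseline)
    return definite, suspicious

def nids(packets, baseline):
    """Passive mode: nothing is blocked, every finding becomes an alert."""
    alerts = []
    for p in packets:
        definite, suspicious = inspect(p, baseline)
        if definite or suspicious:
            alerts.append((p, definite + suspicious))
    return alerts

def nips(packets, baseline):
    """Inline mode: returns (forwarded packets, log of (packet, alerts, action))."""
    forwarded, log = [], []
    for p in packets:
        definite, suspicious = inspect(p, baseline)
        if definite:
            log.append((p, definite + suspicious, "drop"))
        else:
            forwarded.append(p)
            if suspicious:
                log.append((p, suspicious, "alert"))
    return forwarded, log

# Constructed traffic: 10.0.0.5 normally browses the intranet server during
# working hours; the live capture mixes normal, attack and odd-hour traffic.
HISTORY = [Packet("10.0.0.5", "10.0.0.20", 80, frozenset({"ACK", "PSH"}), b"GET /index.html", h)
           for h in range(9, 18)]
LIVE = [
    Packet("10.0.0.5", "10.0.0.20", 80, frozenset({"ACK", "PSH"}), b"GET /index.html", 10),
    Packet("10.0.0.5", "10.0.0.20", 80, frozenset({"ACK", "PSH"}), b"GET /../../etc/passwd", 10),
    Packet("198.51.100.7", "10.0.0.20", 22, frozenset({"SYN", "FIN"}), b"", 3),
    Packet("10.0.0.5", "10.0.0.20", 445, frozenset({"SYN"}), b"", 3),
]

if __name__ == "__main__":
    forwarded, log = nips(LIVE, build_baseline(HISTORY))
    for p, alerts, action in log:
        print(action, p.src, "->", p.dst, p.dport, alerts)
    print(len(forwarded), "of", len(LIVE), "packets forwarded")
```

The last live packet (SMB at 3 a.m. from a host that only ever spoke HTTP during office hours) is the Kiran case from the notes: it is forwarded but logged, because a baseline deviation alone is not strong enough evidence to drop traffic inline.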
HOST-BASED INTRUSION PREVENTION SYSTEMS
A complementary approach to network-based intrusion prevention is to place the detection and prevention system on the system requiring protection, as an installed software package. Host-based intrusion prevention systems (HIPS), though often utilizing some of the same signature-based technology found in NIDS and NIPS, also take advantage of being installed on the protected system to monitor and analyze what other processes on the system are doing at a very detailed level. This process monitoring involves observing system calls, interprocess communication, network traffic, and other behavioral patterns for suspicious activity.
Another benefit of HIPS is that encrypted network traffic can be analyzed after it has been decrypted on the protected system, providing an opportunity to detect an attack that would have been hidden from a NIPS or NIDS device monitoring network traffic.
Again, as with NIPS and NIDS, HIPS is only as effective as its signature database, anomaly detection model, or behavioral analysis routines. Also, the presence of HIPS on a protected system incurs processing and system resource overhead, and on a very busy system this overhead may be unacceptable.
However, given the unique advantages of HIPS, such as being able to inspect encrypted network traffic, it is often used as a complement to NIPS and NIDS in a targeted fashion, and this combination can be very effective.
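The following is an added example, not code from the course notes or from any HIPS product. It serves both the behavioral monitoring mentioned under anti-malware software (observing the system calls programs make) and the process monitoring a HIPS performs: it implements the short-sequence, or n-gram, profile of system calls described by Forrest et al., recording every window of N consecutive calls seen while a program behaves normally and scoring a later trace by how many of its windows were never seen. The traces are constructed; on a real host they would come from a kernel tracing facility (ptrace/strace, auditd, an EDR driver) and the names would be real system call numbers.

```python
"""System-call sequence anomaly detection, the behavioural model a HIPS can use."""

N = 3  # window length; the original research used 6 to 10 on real traces

def windows(trace, n=N):
    """Every run of n consecutive calls in `trace`, as tuples."""
    return [tuple(trace[i:i + n]) for i in range(len(trace) - n + 1)]

def build_profile(normal_traces, n=N):
    """Set of every window observed during training."""
    profile = set()
    for t in normal_traces:
        profile.update(windows(t, n))
    return profile

def score(trace, profile, n=N):
    """Fraction of windows never seen in training, plus the offending
    windows so an analyst can see what the process actually did."""
    seen = windows(trace, n)
    if not seen:
        return 0.0, []
    unknown = [w for w in seen if w not in profile]
    return len(unknown) / len(seen), unknown

def decide(trace, profile, threshold=0.2, n=N):
    """HIPS policy: block the process when enough of its recent behaviour
    is unknown.  Returns (action, anomaly score, unknown windows)."""
    s, unknown = score(trace, profile, n)
    return ("block" if s >= threshold else "allow"), s, unknown

# Constructed traces for a small web server.  Training: serve a static file,
# serve a cached response.  Attack: the request handler spawns a shell and
# connects back out, the classic exploit payload.
NORMAL = [
    ["accept", "read", "stat", "open", "read", "write", "close", "close"],
    ["accept", "read", "stat", "write", "close"],
]
ATTACK = ["accept", "read", "fork", "execve", "dup2", "socket", "connect"]
# A benign variant the profile has not seen: a larger file needs two reads.
LARGE_FILE = ["accept", "read", "stat", "open", "read", "read", "write", "close", "close"]

if __name__ == "__main__":
    profile = build_profile(NORMAL)
    for name, trace in (("normal", NORMAL[0]), ("attack", ATTACK), ("large file", LARGE_FILE)):
        action, s, unknown = decide(trace, profile)
        print(f"{name:10} {action:5} score={s:.2f} unknown={unknown}")
```

The `LARGE_FILE` trace is the false positive the notes warn about: two of its seven windows are new, which crosses the 0.2 threshold, so a legitimate request is blocked until that behaviour is added to the training set. Tuning the threshold and the breadth of training is the administrative burden that comes with behavioral models.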
SECURITY INFORMATION MANAGEMENT SYSTEMS
Modern network environments generate a tremendous amount of security event and log data via firewalls, network routers and switches, NIDS/NIPS, servers, anti-malware systems, and so on. Envisioned as a solution to help manage and analyze all this information, security information management (SIM) systems have since evolved to provide data reduction, to reduce the sheer quantity of information that must be analyzed, and event correlation capabilities that assist a security analyst in making sense of it all.
A SIM system not only acts as a centralized repository for such data, it helps organize it and provides an analyst the ability to run complex queries across this entire database. One of the primary benefits of a SIM system is that data from disparate systems is normalized into a uniform database structure, allowing an analyst to investigate suspicious activity or a known incident across different aspects and elements of the IT environment. Often an intrusion will leave various types of "footprints" in the logs of the different systems involved in the incident; bringing these all together and providing the complete picture for the analyst or investigator is the job of the SIM.
Even with modern and powerful event correlation engines and data reduction routines, however, a SIM system is only as effective as the analyst examining the output. Fundamentally, SIM systems are a reactive technology, like NIDS, and because extracting useful and actionable information from them often requires a strong understanding of the various systems sending data to the SIM, the analysts' skill set and experience are critical to the effectiveness of the SIM as an intrusion detection system.
SIM systems also play a significant role during incident response, because evidence of an intrusion can often be found in the various logs stored on the SIM.
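The following is an added example, not code from the course notes or from any SIM product. It shows the two SIM functions described above on constructed data: three log feeds in their native formats (a netfilter-style firewall log, a one-line NIDS alert format, and sshd syslog lines) are normalized into a single record shape, then correlated by source IP inside a time window so that footprints from different systems are brought together. All log lines, hosts and the NIDS line format are constructed for the demonstration; the year is an assumption, because syslog timestamps omit it.

```python
"""Log normalization and cross-source correlation, the core of a SIM."""
import re
from datetime import datetime, timedelta

YEAR = 2024  # assumption: syslog timestamps carry no year

# Constructed log feeds, each in its own native format.
FIREWALL_LOG = [
    "Jun 12 03:14:07 fw1 kernel: DROP IN=eth0 OUT= SRC=203.0.113.9 DST=10.0.0.20 PROTO=TCP SPT=51233 DPT=23",
    "Jun 12 03:14:08 fw1 kernel: ACCEPT IN=eth0 OUT= SRC=203.0.113.9 DST=10.0.0.20 PROTO=TCP SPT=51234 DPT=22",
    "Jun 12 09:00:01 fw1 kernel: ACCEPT IN=eth0 OUT= SRC=192.0.2.44 DST=10.0.0.20 PROTO=TCP SPT=40000 DPT=22",
]
NIDS_LOG = [
    "06/12-03:14:09 [ssh-bruteforce] 203.0.113.9:51234 -> 10.0.0.20:22",
]
AUTH_LOG = [
    "Jun 12 03:14:12 web1 sshd[2231]: Failed password for root from 203.0.113.9 port 51234 ssh2",
    "Jun 12 03:15:40 web1 sshd[2240]: Accepted password for root from 203.0.113.9 port 51260 ssh2",
    "Jun 12 09:00:05 web1 sshd[2301]: Accepted publickey for deploy from 192.0.2.44 port 40000 ssh2",
]

FW_RX = re.compile(r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ kernel: (?P<action>\w+) .*SRC=(?P<src>\S+) DST=(?P<dst>\S+) .*DPT=(?P<dport>\d+)")
NIDS_RX = re.compile(r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d) \[(?P<sig>[^\]]+)\] (?P<src>[\d.]+):\d+ -> (?P<dst>[\d.]+):(?P<dport>\d+)")
AUTH_RX = re.compile(r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: (?P<result>Accepted|Failed) \w+ for (?P<user>\S+) from (?P<src>[\d.]+)")

def syslog_time(s):
    return datetime.strptime(f"{YEAR} {s}", "%Y %b %d %H:%M:%S")

def normalize(source, line):
    """Turn one native log line into the uniform record the SIM stores:
    {ts, source, src, dst, event}.  Unparseable lines return None."""
    if source == "firewall" and (m := FW_RX.match(line)):
        return {"ts": syslog_time(m["ts"]), "source": source, "src": m["src"],
                "dst": m["dst"], "event": "fw-" + m["action"].lower()}
    if source == "nids" and (m := NIDS_RX.match(line)):
        ts = datetime.strptime(f"{YEAR}/{m['ts']}", "%Y/%m/%d-%H:%M:%S")
        return {"ts": ts, "source": source, "src": m["src"], "dst": m["dst"],
                "event": "nids:" + m["sig"]}
    if source == "auth" and (m := AUTH_RX.match(line)):
        event = "auth-success" if m["result"] == "Accepted" else "auth-failed"
        return {"ts": syslog_time(m["ts"]), "source": source, "src": m["src"],
                "dst": m["host"], "event": event}
    return None

def normalize_all():
    feeds = [("firewall", FIREWALL_LOG), ("nids", NIDS_LOG), ("auth", AUTH_LOG)]
    return [r for src, lines in feeds for line in lines if (r := normalize(src, line))]

def is_suspicious(e):
    return e["event"].startswith("nids:") or e["event"] in ("fw-drop", "auth-failed")

def correlate(events, window=timedelta(minutes=2)):
    """Report source IPs that produced at least one suspicious event and left
    footprints in two or more different log sources within `window`.  A lone
    successful login is not reported; the same login preceded by a firewall
    drop, a NIDS alert and a failed password is."""
    by_src = {}
    for e in sorted(events, key=lambda e: e["ts"]):
        by_src.setdefault(e["src"], []).append(e)
    incidents = []
    for src, evs in by_src.items():
        for i, first in enumerate(evs):
            cluster = [e for e in evs[i:] if e["ts"] - first["ts"] <= window]
            sources = {e["source"] for e in cluster}
            if len(sources) >= 2 and any(is_suspicious(e) for e in cluster):
                got_in = any(e["event"] == "auth-success" for e in cluster)
                incidents.append({"src": src, "start": first["ts"],
                                  "sources": sorted(sources),
                                  "events": [e["event"] for e in cluster],
                                  "severity": "high" if got_in else "medium"})
                break  # one incident per source IP is enough for the report
    return incidents

if __name__ == "__main__":
    for inc in correlate(normalize_all()):
        print(inc)
```

Neither feed on its own tells the story: the firewall saw one drop and one accept, the NIDS saw a brute-force signature, and sshd saw one failure and one success. Normalized and joined on the source address, the five records become a single high-severity incident, while the routine key-based login from 192.0.2.44 at 09:00 produces nothing.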
NETWORK SESSION ANALYSIS
Network session data represents a high-level summary of "conversations" occurring between computer systems. No specifics about the content of the conversation, such as packet payloads, are maintained, but various elements about the conversation are kept and can be very useful in investigating an incident or as an indicator of suspicious activity. There are a number of ways to generate and process network session data, ranging from vendor-specific implementations such as Cisco's NetFlow to session data reconstruction from full traffic analysis using tools such as Argus. However the session data is generated, there are a number of common elements constituting the session, such as source IP address, source port, destination IP address, destination port, time-stamp information, and an array of metrics about the session, such as bytes transferred and packet distribution.
Using the collected session information, an analyst can examine traffic patterns on a network to identify which systems are communicating with each other and identify suspicious sessions that warrant further investigation.
For example, a server configured for internal use by users, and having no legitimate reason to communicate with addresses on the Internet, will cause an alarm to be generated if suddenly a session or sessions appear between the internal server and external addresses. At that point the analyst may suspect a malware infection or other system compromise and investigate further.
Numerous other queries can be generated to identify sessions that are abnormal in some way, such as excessive byte counts, excessive session lifetime, or unexpected ports being utilized. When run over a sufficient timeframe, a baseline for traffic sessions can be established and the analyst can query for sessions that don't fit the baseline. This sort of investigation is a form of anomaly detection based on high-level network data, versus the more granular types discussed for NIDS and NIPS.
The figure illustrates a visualization of network session data. The pane on the left side shows one node communicating with many others; the pane on the right displays the physical location of many IP addresses of other flows.
Another common use of network session analysis is to combine it with a honeypot or honeynet. (A honeypot is a computer system designed to act as a lure or trap for intruders.) Any network activity seen on these systems, other than known-good maintenance traffic such as patch downloads, is by definition suspicious, since there are no production business functions or users assigned to them; their sole purpose is to act as a lure for an intruder. By monitoring network sessions to and from these systems, an early warning can be raised without necessarily needing to perform any complex analysis.
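The following is an added example, not code from the course notes or from any flow collector, serving both the session queries described above and the honeypot use just mentioned. Over constructed NetFlow-style session summaries it builds the who-talks-to-whom map, checks the policy cases from the text (an internal-only server reaching the Internet; a honeypot contacted by anything other than known maintenance traffic), and builds a per-(source, port) baseline of bytes and duration to flag excessive sessions or unexpected ports. Hosts, policy sets and every flow record are constructed, and the record layout is an assumption standing in for NetFlow or Argus output.

```python
"""Session-level anomaly detection on constructed NetFlow-style records."""
import ipaddress
from dataclasses import dataclass
from statistics import mean

INTERNAL = ipaddress.ip_network("10.0.0.0/8")
INTERNAL_ONLY_SERVERS = {"10.0.0.20"}   # no business need to reach the Internet
HONEYPOTS = {"10.0.0.99"}
MAINTENANCE = {("10.0.0.2", 80)}        # (peer, port) allowed to touch honeypots: patch server

@dataclass(frozen=True)
class Session:
    src: str
    dst: str
    dport: int
    start: int      # seconds since epoch (constructed)
    duration: int   # seconds
    bytes: int      # bytes transferred in both directions

def is_internal(ip: str) -> bool:
    return ipaddress.ip_address(ip) in INTERNAL

def talkers(sessions):
    """Which systems communicate with which: host -> set of peers."""
    peers = {}
    for s in sessions:
        peers.setdefault(s.src, set()).add(s.dst)
        peers.setdefault(s.dst, set()).add(s.src)
    return peers

def policy_alerts(s):
    """Rules that need no baseline: they follow from what the host is for."""
    alerts = []
    for side, peer in ((s.src, s.dst), (s.dst, s.src)):
        if side in INTERNAL_ONLY_SERVERS and not is_internal(peer):
            alerts.append(f"internal-only host {side} talked to external {peer}")
        if side in HONEYPOTS and (peer, s.dport) not in MAINTENANCE:
            alerts.append(f"honeypot {side} touched by {peer}")
    return alerts

def build_baseline(history):
    """Per (src, dport): mean bytes and longest duration seen in history."""
    groups = {}
    for s in history:
        groups.setdefault((s.src, s.dport), []).append(s)
    return {k: {"mean_bytes": mean(x.bytes for x in v),
                "max_duration": max(x.duration for x in v)}
            for k, v in groups.items()}

def baseline_alerts(s, baseline, byte_factor=10, duration_factor=2):
    model = baseline.get((s.src, s.dport))
    if model is None:
        return [f"unexpected port {s.dport} from {s.src}"]
    alerts = []
    if s.bytes > byte_factor * model["mean_bytes"]:
        alerts.append("excessive bytes")
    if s.duration > duration_factor * model["max_duration"]:
        alerts.append("excessive session lifetime")
    return alerts

def triage(live, baseline):
    """Sessions worth an analyst's attention, with the reasons."""
    return [(s, a) for s in live if (a := policy_alerts(s) + baseline_alerts(s, baseline))]

# Constructed history (normal traffic, abbreviated) and live flows.
HISTORY = [Session("10.0.0.5", "10.0.0.20", 80, 1000 + i, 2, b)
           for i, b in enumerate((4900, 5000, 5100, 5000, 5000))]
HISTORY.append(Session("10.0.0.99", "10.0.0.2", 80, 2000, 5, 20000))  # honeypot patch download
LIVE = [
    Session("10.0.0.5", "10.0.0.20", 80, 9000, 2, 4800),               # normal
    Session("10.0.0.20", "198.51.100.7", 443, 9010, 3600, 5_000_000),  # server reaching out
    Session("10.0.0.5", "10.0.0.20", 80, 9020, 2, 90000),              # 18x the usual bytes
    Session("203.0.113.9", "10.0.0.99", 22, 9030, 1, 300),             # someone found the honeypot
    Session("10.0.0.99", "10.0.0.2", 80, 9040, 5, 20000),              # allowed maintenance
]

if __name__ == "__main__":
    for s, reasons in triage(LIVE, build_baseline(HISTORY)):
        print(s.src, "->", s.dst, s.dport, reasons)
```

Note that none of the checks looks at payload: the hour-long, five-megabyte session from the internal-only server is flagged purely from the session metadata, which is exactly what makes this approach cheap enough to run over every flow on a network.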
SYSTEM INTEGRITY VALIDATION
The emergence of powerful and stealthy malware, kernel-level rootkits, and so-called clean-state attack frameworks that leave no trace of an intrusion on a computer's hard drive has given rise to the need for technology that can analyze a running system and its memory and provide a series of metrics regarding the integrity of the system.
System integrity validation (SIV) technology is still in its infancy and a very active area of research, but it primarily focuses on live system memory analysis and the notion of deriving trust from known-good system elements.
This is achieved by comparing the system's running state, including the processes, threads, data structures, and modules loaded into memory, to the static elements on disk from which the running state was supposedly loaded. Through a number of cross-validation processes, discrepancies between what is running in memory and what should be running can be identified. When properly implemented, SIV can be a powerful tool for detecting intrusions, even those utilizing advanced techniques.
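The following is an added example, not code from the course notes or from any SIV or rootkit-detection tool, showing the cross-validation idea above in simplified form. It compares an "API view" of running processes and loaded modules (what `ps` or the module-list API returns, which a rootkit hooking that API can filter) against a "raw view" walked from lower-level structures, and it hashes the code bytes of each loaded module against the on-disk file it claims to have been loaded from. Both views and all module bytes are constructed; a real tool reads them from a live memory image or a memory dump.

```python
"""Cross-view system integrity validation, in simplified form."""
import hashlib

def hidden_objects(api_view, raw_view):
    """Objects in the raw enumeration that the API view does not show.
    A rootkit hooking the enumeration API to hide itself produces exactly
    this gap.  Objects only in the API view are also reported, since a
    mismatch in either direction means one of the views was tampered with."""
    api, raw = set(api_view), set(raw_view)
    return {"hidden": sorted(raw - api), "phantom": sorted(api - raw)}

def code_hash(image: bytes) -> str:
    return hashlib.sha256(image).hexdigest()

def validate_modules(loaded, on_disk):
    """Compare each loaded module's in-memory code with its backing file.

    Caveat for real systems: loaders apply relocations and import fixups,
    so a real tool must normalize those before hashing, or hash only the
    sections that are never patched at load time."""
    findings = []
    for name, mem_bytes in loaded.items():
        disk_bytes = on_disk.get(name)
        if disk_bytes is None:
            findings.append((name, "no backing file on disk"))
        elif code_hash(mem_bytes) != code_hash(disk_bytes):
            findings.append((name, "in-memory code differs from disk"))
    return findings

def audit(api_procs, raw_procs, api_mods, raw_mods, loaded_code, disk_code):
    """Run every cross-check and return one report dictionary."""
    return {"processes": hidden_objects(api_procs, raw_procs),
            "modules": hidden_objects(api_mods, raw_mods),
            "code": validate_modules(loaded_code, disk_code)}

# Constructed views.  The API view is what the process-list and module-list
# interfaces return; the raw view is what a walk of the kernel's own
# structures in the memory image finds.
API_PROCS = [(1, "init"), (212, "sshd"), (880, "nginx")]
RAW_PROCS = [(1, "init"), (212, "sshd"), (880, "nginx"), (901, "kworker/u8:9")]
API_MODS = ["ext4", "e1000"]
RAW_MODS = ["ext4", "e1000", "sysmon_helper"]
DISK_CODE = {"ext4": b"\x7fELF...ext4 v1.0...", "e1000": b"\x7fELF...e1000 v2.3..."}
LOADED_CODE = {
    "ext4": b"\x7fELF...ext4 v1.0...",            # matches disk
    "e1000": b"\x7fELF...e1000 v2.3 PATCHED...",  # modified in memory
    "sysmon_helper": b"\x7fELF...hook...",        # nothing on disk backs it
}

if __name__ == "__main__":
    print(audit(API_PROCS, RAW_PROCS, API_MODS, RAW_MODS, LOADED_CODE, DISK_CODE))
```

The point of the two views is that they are obtained independently: a kernel-level rootkit that filters the API cannot also remove itself from the data structures the raw walk reads without breaking the system, so the discrepancy, not either list on its own, is the evidence.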