
• Intruders
• Intrusion Detection System (IDS)
• Password Management
• Operating System Security
• Updates

Intruders
An intruder is a person who enters a system or territory that they are not authorized to use. Three classes of intruder are commonly distinguished:

• Masquerader: an individual who is not authorized to use the computer and who penetrates a system's access controls to exploit a legitimate user's account (typically an outsider).
• Misfeasor: a legitimate user who accesses data, programs, or resources for which such access is not authorized, or who is authorized for such access but misuses his or her privileges (an insider).
• Clandestine user: an individual who seizes supervisory control of the system and uses this control to evade auditing and access controls or to suppress audit collection (either an insider or an outsider).

Intrusion Detection System (IDS)

Intrusion detection systems do exactly what the name suggests: they detect possible intrusions. More specifically, IDS tools aim to detect computer attacks and/or computer misuse, and to alert the proper individuals upon detection. An IDS installed on a network serves much the same purpose as a burglar alarm installed in a house.
Intrusion detection systems serve three essential security functions: they monitor, detect, and respond to unauthorized activity, whether by company insiders or by outside intruders. An IDS uses policies (rules or signatures) to define the events that, if detected, will raise an alert. In other words, if a particular event is considered to constitute a security incident, an alert is issued whenever that event is detected.
Functions of IDS
• Monitor the events occurring in a computer system or network.
• Analyze those events to find undesirable (unauthorized or malicious) activity.
• Issue an alert when an intrusion is detected.

Components of IDS
Traffic collector: collects activity or events to be examined and forwards them to the analysis engine. For a host-based IDS the source is typically log files and audit records; for a network-based IDS it is network traffic.
Analysis engine: receives events from the traffic collector and compares them with the suspicious patterns stored in the signature database.
Signature database: the collection of all known samples or patterns of malicious and suspicious activity.
User interface: provides the framework through which the user operates the IDS. It acts as a mediator between the user and the IDS; the IDS forwards its alerts to the user through it.

Fig. Components of IDS

There are two mainstream options when implementing an IDS: host-based IDS (HIDS) and network-based IDS (NIDS).
Host Based IDS
A host-based IDS analyzes several areas to determine misuse (malicious or abusive activity inside the
network) or intrusion (breaches from the outside). Host-based IDSes consult several types of log files
(kernel, system, server, network, firewall, and more), and compare the logs against an internal
database of common signatures for known attacks.

Fig. Components of HIDS

HIDS works in two modes:

1. Real-time mode: the HIDS examines each activity as it occurs and monitors it continuously.
2. Batch mode: the HIDS examines recorded activity periodically and tries to detect undesirable activity after the fact.

A HIDS checks log files and audit records, which contain a record of all activities performed on a particular host. So in a HIDS the traffic collector takes its input from log files and audit records.
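The component pipeline described under "Components of IDS" (collector, analysis engine, signature database) and the batch-mode HIDS described just above can be shown together in a small working example. The following is an added illustration, not code from the page: the traffic collector reads a constructed auth-log excerpt (made up for this example) line by line, the signature database is a list of regular expressions with a per-source threshold, and the analysis engine raises an alert when a signature fires the required number of times from one source. The log format, signature IDs and thresholds are assumptions chosen for the example.

```python
import re
from dataclasses import dataclass
from typing import Iterable, Iterator, List

# Constructed sample of a host's auth log (made up for this example, not from the page).
SAMPLE_AUTH_LOG = """\
Mar  3 10:01:12 host1 sshd[2201]: Accepted password for alice from 10.0.0.5 port 51234 ssh2
Mar  3 10:02:40 host1 sshd[2210]: Failed password for root from 203.0.113.9 port 40022 ssh2
Mar  3 10:02:41 host1 sshd[2210]: Failed password for root from 203.0.113.9 port 40022 ssh2
Mar  3 10:02:43 host1 sshd[2211]: Failed password for root from 203.0.113.9 port 40023 ssh2
Mar  3 10:05:00 host1 sudo:  bob : TTY=pts/1 ; PWD=/home/bob ; USER=root ; COMMAND=/bin/bash
Mar  3 10:06:10 host1 sshd[2230]: Invalid user admin from 198.51.100.7 port 33000
"""


@dataclass(frozen=True)
class Signature:
    sid: int
    name: str
    pattern: re.Pattern      # must capture the responsible source as group "src"
    threshold: int = 1       # matches from the same source needed before alerting


@dataclass(frozen=True)
class Alert:
    sid: int
    name: str
    source: str
    count: int


# Signature database: known patterns of suspicious activity (assumed rules for the example).
SIGNATURE_DB = [
    Signature(1001, "repeated SSH failures for root",
              re.compile(r"Failed password for root from (?P<src>\S+)"), threshold=3),
    Signature(1002, "SSH login attempt with invalid user",
              re.compile(r"Invalid user \S+ from (?P<src>\S+)")),
    Signature(1003, "sudo used to obtain a root shell",
              re.compile(r"sudo:\s+(?P<src>\S+) :.*USER=root ; COMMAND=\S*/(?:bash|sh)$")),
]


def collect(log_text: str) -> Iterator[str]:
    """Traffic collector: in batch mode the source is a log file, read line by line."""
    for line in log_text.splitlines():
        if line.strip():
            yield line


def analyze(events: Iterable[str], signatures=SIGNATURE_DB) -> List[Alert]:
    """Analysis engine: compare every event with every signature, count hits per
    (signature, source), and alert exactly once when the threshold is reached."""
    hits = {}
    alerts: List[Alert] = []
    for event in events:
        for sig in signatures:
            match = sig.pattern.search(event)
            if not match:
                continue
            key = (sig.sid, match.group("src"))
            hits[key] = hits.get(key, 0) + 1
            if hits[key] == sig.threshold:
                alerts.append(Alert(sig.sid, sig.name, match.group("src"), hits[key]))
    return alerts


def run_batch(log_text: str = SAMPLE_AUTH_LOG) -> List[Alert]:
    """One batch-mode pass over a log: collector -> analysis engine -> alerts."""
    return analyze(collect(log_text))


if __name__ == "__main__":
    for alert in run_batch():   # the user-interface component would display these
        print(f"ALERT sid={alert.sid} {alert.name}: source={alert.source} count={alert.count}")
```

Three failed root logins from one address trigger signature 1001 only on the third line; a single invalid-user attempt and a single sudo-to-shell event alert immediately because their threshold is 1.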

Network Based IDS

A network-based IDS (NIDS) is an independent platform that identifies intrusions by examining network traffic and monitors multiple hosts; it was developed in 1986 by Pete R. Network intrusion detection systems gain access to network traffic by connecting to a network hub, a network switch configured for port mirroring, or a network tap. In a NIDS, sensors are located at choke points in the network to be monitored, often in the demilitarized zone (DMZ) or at network borders. Sensors capture all network traffic and analyze the content of individual packets for malicious traffic. An example of a NIDS is Snort.

Fig. Components of NIDS

Snort is a lightweight network intrusion detection system, capable of performing real-time traffic analysis and packet logging on IP networks. It can perform protocol analysis and content searching/matching, and can be used to detect a variety of attacks and probes, such as buffer overflows, stealth port scans, CGI attacks, SMB probes, OS fingerprinting attempts, and much more.
A NIDS therefore checks network traffic, rather than host logs, to collect the activities performed on the network.
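Two of the detections listed for Snort, port scans and content matching on CGI requests, illustrate the difference between stateful and stateless analysis of captured packets. The following is an added example, not Snort's code or rules: it runs a simplified sensor over constructed packet records (made up for this example) and flags a half-open SYN sweep of many ports from one source inside a time window, plus a packet whose payload contains the byte strings of a content signature. The packet record layout, thresholds and signature are assumptions chosen for the example.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class Packet:
    ts: float          # capture time in seconds
    src: str
    dst: str
    dport: int
    flags: str         # TCP flags as a string: "S" = SYN only, "PA" = PSH+ACK
    payload: bytes = b""


# Constructed traffic as a sensor on a mirror port might see it (made up for this example):
# a SYN sweep of 25 ports from one host, normal web traffic, and one hostile CGI request.
SAMPLE_TRAFFIC = (
    [Packet(i * 0.01, "203.0.113.9", "10.0.0.20", 20 + i, "S") for i in range(25)]
    + [
        Packet(1.0, "10.0.0.5", "10.0.0.20", 80, "PA", b"GET /index.html HTTP/1.1\r\nHost: www\r\n\r\n"),
        Packet(1.2, "198.51.100.7", "10.0.0.20", 80, "PA", b"GET /cgi-bin/../../etc/passwd HTTP/1.0\r\n\r\n"),
        Packet(1.5, "10.0.0.6", "10.0.0.20", 443, "S"),
    ]
)

# Content signatures: (name, destination port, byte strings that must all appear in the payload).
CONTENT_SIGNATURES = [
    ("web CGI directory traversal", 80, b"/cgi-bin/", b".."),
]

SCAN_PORT_THRESHOLD = 20   # distinct destination ports from one source ...
SCAN_WINDOW = 5.0          # ... within this many seconds counts as a scan


def detect_port_scans(packets: List[Packet]) -> List[str]:
    """Stateful check: SYN-only probes from one source to many distinct ports in a short window."""
    recent = defaultdict(list)   # (src, dst) -> [(ts, dport), ...] still inside the window
    alerts, alerted = [], set()
    for p in sorted(packets, key=lambda pkt: pkt.ts):
        if p.flags != "S":
            continue
        key = (p.src, p.dst)
        window = [(t, d) for t, d in recent[key] if p.ts - t <= SCAN_WINDOW]
        window.append((p.ts, p.dport))
        recent[key] = window
        ports = {d for _, d in window}
        if key not in alerted and len(ports) >= SCAN_PORT_THRESHOLD:
            alerted.add(key)   # alert once per (src, dst) pair, not on every further probe
            alerts.append(f"port scan: {p.src} -> {p.dst}, {len(ports)} ports in {SCAN_WINDOW:g}s")
    return alerts


def detect_content(packets: List[Packet]) -> List[str]:
    """Stateless content matching on individual packets, the way 'content:' options in a rule work."""
    alerts = []
    for p in packets:
        for name, port, *needles in CONTENT_SIGNATURES:
            if p.dport == port and all(n in p.payload for n in needles):
                alerts.append(f"{name}: {p.src} -> {p.dst}:{p.dport}")
    return alerts


def run_sensor(packets: List[Packet] = SAMPLE_TRAFFIC) -> List[str]:
    """Run both analyses over one capture and return the alert lines."""
    return detect_port_scans(packets) + detect_content(packets)


if __name__ == "__main__":
    for line in run_sensor():
        print("ALERT", line)
```

The scan detector needs state across packets (the per-source window), which is why a NIDS sensor is placed at a choke point where it sees the whole conversation; the content match needs no state and is applied packet by packet. The single SYN to port 443 from 10.0.0.6 is ordinary connection setup and raises nothing.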

PASSWORD MANAGEMENT

Vulnerabilities of passwords

A number of possible vulnerabilities arise from the use of passwords:

• they could be guessed
• they could be forgotten
• they could be shared
• they could be written down and subsequently lost or stolen.

• There are two threats to the UNIX password scheme. First, a user can gain access to a machine using a guest account or by some other means and then run a password-guessing program, called a password cracker, on that machine. The attacker should be able to check hundreds and perhaps thousands of possible passwords with little resource consumption. Second, if an opponent is able to obtain a copy of the password file, then a cracker program can be run on another machine at leisure. This enables the opponent to run through many thousands of possible passwords in a reasonable period.
• Windows 8 is the first operating system from Microsoft to support alternative non-biometric authentication mechanisms such as picture password and PIN. A vulnerability discovered in Windows 8 by the password security vendor Passcape is that the operating system saves the logon password in plain text, allowing any user with administrator rights to read it.
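The second UNIX threat above, running a cracker "at leisure" against a copied password file, is easy to demonstrate. The following is an added example, not code from the page: it builds a constructed shadow-style file (made up for this example) using a simplified salted, iterated SHA-256 hash standing in for crypt(3), then runs an offline dictionary attack that hashes each wordlist candidate, and a few common mutations of it, with each account's salt and compares against the stored value. The file format, hash construction, wordlist and accounts are all assumptions chosen for the example.

```python
import hashlib
from typing import Dict, Iterator, List, Optional


def hash_password(password: str, salt: str, rounds: int = 1) -> str:
    """Salted, iterated SHA-256. A simplified stand-in for crypt(3)-style hashing
    (an assumption of this example), not any real password-file format."""
    digest = (salt + password).encode()
    for _ in range(rounds):
        digest = hashlib.sha256(digest).digest()
    return digest.hex()


def make_password_file(accounts: Dict[str, str], rounds: int = 1) -> List[str]:
    """Build a constructed shadow-style file, one 'user:salt:rounds:hash' line per account."""
    lines = []
    for i, (user, password) in enumerate(accounts.items()):
        salt = f"s{i:02d}"
        lines.append(f"{user}:{salt}:{rounds}:{hash_password(password, salt, rounds)}")
    return lines


def mutations(word: str) -> Iterator[str]:
    """Variants users think are clever and crackers try anyway: capitalising, appending digits."""
    for base in (word, word.capitalize()):
        yield base
        yield base + "1"
        yield base + "123"


def crack(password_file: List[str], wordlist: List[str]) -> Dict[str, Optional[str]]:
    """Offline dictionary attack against a copied password file: hash every candidate with
    each account's own salt and compare with the stored hash. The salt prevents one
    precomputed table from serving all accounts, but not this per-account guessing.
    Returns the recovered password per user, or None if no candidate matched."""
    recovered: Dict[str, Optional[str]] = {}
    for entry in password_file:
        user, salt, rounds, stored = entry.split(":")
        recovered[user] = None
        for word in wordlist:
            for candidate in mutations(word):
                if hash_password(candidate, salt, int(rounds)) == stored:
                    recovered[user] = candidate
                    break
            if recovered[user] is not None:
                break
    return recovered


# Constructed sample data (not from the page): a tiny wordlist and three accounts.
WORDLIST = ["123456", "password", "letmein", "qwerty", "welcome", "tim", "dragon"]
PASSWORD_FILE = make_password_file({"alice": "letmein", "bob": "K7#v!pQ2z", "carol": "Tim123"})


if __name__ == "__main__":
    for user, password in crack(PASSWORD_FILE, WORDLIST).items():
        print(f"{user}: {password or '<not in wordlist>'}")
```

Only bob survives, because his password is not a dictionary word or a mutation of one. The rounds parameter shows the one defence the file format itself can offer: raising it makes every guess proportionally more expensive for the attacker as well as for the legitimate login, which is why real schemes use deliberately slow, iterated hashes.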

Password Selection Strategies (techniques to reduce guessable passwords)

• User Education
Users can be told the importance of using hard-to-guess passwords and can be provided with
guidelines for selecting strong passwords. This user education strategy is unlikely to succeed
at most installations, particularly where there is a large user population or a lot of turnover.
Many users will simply ignore the guidelines. Others may not be good judges of what is a
strong password. For example, many users (mistakenly) believe that reversing a word or
capitalizing the last letter makes a password unguessable.
• Computer-generated passwords
Computer-generated passwords also have problems. If the passwords are quite random in nature, users will not be able to remember them. Even if the password is pronounceable, the user may have difficulty remembering it and so be tempted to write it down. In general, computer-generated password schemes have a history of poor acceptance by users. FIPS PUB 181 defines one of the best-designed automated password generators. The standard includes not only a description of the approach but also a complete listing of the C source code of the algorithm. The algorithm generates words by forming pronounceable syllables and concatenating them to form a word. A random number generator produces a random stream of characters used to construct the syllables and words.
• Reactive password checking
A reactive password checking strategy is one in which the system periodically runs its own password cracker to find guessable passwords. The system cancels any passwords that are guessed and notifies the user. This tactic has a number of drawbacks. First, it is resource intensive if the job is done right. Because a determined opponent who is able to steal a password file can devote full CPU time to the task for hours or even days, an effective reactive password checker is at a distinct disadvantage. Furthermore, any existing passwords remain vulnerable until the reactive password checker finds them.
• Proactive password checking
In this scheme, a user is allowed to select his or her own password. However, at the time of
selection, the system checks to see if the password is allowable and, if not, rejects it. Such
checkers are based on the philosophy that, with sufficient guidance from the system, users can
select memorable passwords from a fairly large password space that are not likely to be
guessed in a dictionary attack.

Components of a good password

• At least 8 characters long.
• One or more uppercase letters.
• One or more lowercase letters.
• One or more special symbols.
• One or more digits.
• Does not contain dictionary words.
• Is not the same as the login name.
• Does not contain family members' names.

For example:
Password = ~Ti4556M~12005
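The rules listed above are exactly what a proactive password checker enforces at selection time. The following is an added example, not code from the page: a checker that applies each rule and returns every reason for rejection, so the user can be told what to change. The dictionary, the special-character set and the family-name list are constructed stand-ins (assumptions of this example) for a real dictionary file and per-user data; the page's example password is used as the accepted case.

```python
from typing import Iterable, List, Tuple

# Constructed stand-ins (not from the page) for a real dictionary and the permitted symbol set.
DICTIONARY = {"password", "welcome", "dragon", "letmein", "summer", "monkey", "secret"}
SPECIALS = set("!@#$%^&*()_+-=;:'\"~`[]{}\\|<>?/.,")


def check_password(password: str, login: str, family_names: Iterable[str] = ()) -> Tuple[bool, List[str]]:
    """Proactive checker: return (accepted, reasons_for_rejection) for a proposed password,
    applying the 'components of a good password' rules. All reasons are collected rather
    than stopping at the first, so the user gets complete feedback."""
    problems: List[str] = []
    if len(password) < 8:
        problems.append("fewer than 8 characters")
    if not any(c.isupper() for c in password):
        problems.append("no uppercase letter")
    if not any(c.islower() for c in password):
        problems.append("no lowercase letter")
    if not any(c.isdigit() for c in password):
        problems.append("no digit")
    if not any(c in SPECIALS for c in password):
        problems.append("no special symbol")
    lowered = password.lower()
    if lowered == login.lower():
        problems.append("same as login name")
    # Compare case-insensitively and also against the reversed word: users believe that
    # reversing or capitalising a word defeats guessing, but crackers try those variants.
    for word in sorted(DICTIONARY):
        if word in lowered or word[::-1] in lowered:
            problems.append(f"contains dictionary word '{word}'")
    for name in family_names:
        if name.lower() in lowered:
            problems.append(f"contains family member name '{name}'")
    return (not problems, problems)


if __name__ == "__main__":
    for candidate in ["~Ti4556M~12005", "Password1!", "drowssaP1!", "bob"]:
        accepted, why = check_password(candidate, login="bob", family_names=["Anna"])
        print(candidate, "accepted" if accepted else "rejected: " + "; ".join(why))
```

A checker like this rejects "Password1!" and its reversed form "drowssaP1!" for the same reason, which is the point the user-education paragraph makes: superficial transformations of a dictionary word do not create a strong password.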

How to create a strong but simple logon password

Step 1. Pick any special character. You will always use it for your passwords
(for example one of ! @ # $ % ^ & * ( ) + = - ; : ' " ~ ` [ ] { } \ | > < ? / . ,).
Step 2. Pick a secret 3- or 4-digit number (it could be a birthday, like April 5, 1956, or 4/5/56 written
without the slashes = 4556; this is your secret code).
Step 3. Pick a very simple password that you can remember (this is the root of your password; it
can be the name of the application/site you are logging into, such as Windows, Hotmail, MS
Word, Resume, etc.).

Step 4. Always surround your root password with your favorite special character.
Step 5. Always insert your secret number after the second character of your root password.
Step 6. Always capitalize the first character after your secret code (now you have the
unchanging part of your password, the static password).
Step 7. (Now for the part of your password that changes every 90 days when you are forced to
create a new password.) Always add the creation date to the end of your new static
password, as the calendar quarter followed by the calendar year (Quarter 1, or Q1, of 2005
would be 1 and 2005 written together as 12005). Now you have your full password.
Bear in mind that this scheme trades strength for memorability: anyone who learns one of your passwords also learns the fixed special character, secret number and quarter/year pattern, and can predict the others.

Example 1 (Password = ~Ti4556M~12005)

Step 1: ~
Step 2: 4556
Step 3: Tim
Step 4: ~Tim~
Step 5: ~Ti4556m~
Step 6: ~Ti4556M~
Step 7: ~Ti4556M~12005

OPERATING SYSTEM SECURITY

Operating System Hardening

The process of securing an operating system against attacks, by removing or mitigating the vulnerabilities in it, is known as hardening the operating system.
General steps to secure a Windows OS
• Disable all unnecessary services and applications.
• Remove all unnecessary programs.
• Remove all unnecessary user accounts.
• Ensure password guidelines are in place.
• Restrict the permissions on critical files and access to the registry.
• Apply the latest updates.
Hardening a Unix/Linux based OS
• Services and applications can be selected during installation of the OS, which helps avoid installing unnecessary services and applications.
• System package managers make it possible to remove unused components and applications.
• By examining the password file (/etc/passwd) the administrator can see which user accounts exist, which helps identify unnecessary accounts.
• Undesired processes can be terminated with the kill command.
• Logged in as root, the administrator can start and stop services manually.
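Examining the password file for unnecessary or dangerous accounts, as the Unix/Linux list above suggests, is easy to turn into a repeatable check. The following is an added example, not code from the page: it cross-checks constructed /etc/passwd and /etc/shadow excerpts (made up for this example, with hash fields abbreviated) and reports a second UID-0 account, accounts with a login shell but an empty password field, and low-UID service accounts that can still log in interactively. The sample accounts, the UID boundary of 1000 and the shell list are assumptions chosen for the example.

```python
from typing import Dict, List

# Constructed /etc/passwd and /etc/shadow excerpts (made up for this example; hashes abbreviated).
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
toor:x:0:0:toor:/root:/bin/bash
games:x:5:60:games:/usr/games:/bin/sh
alice:x:1000:1000:Alice:/home/alice:/bin/bash
test:x:1001:1001:temporary test account:/home/test:/bin/bash
"""
SAMPLE_SHADOW = """\
root:$6$saltA$hashA:19700:0:99999:7:::
daemon:*:19700:0:99999:7:::
toor:$6$saltB$hashB:19700:0:99999:7:::
games:!:19700:0:99999:7:::
alice:$6$saltC$hashC:19700:0:99999:7:::
test::19700:0:99999:7:::
"""

INTERACTIVE_SHELLS = {"/bin/bash", "/bin/sh", "/bin/zsh", "/bin/ksh"}
FIRST_USER_UID = 1000   # assumption: lower UIDs are system/service accounts


def audit_accounts(passwd_text: str, shadow_text: str) -> Dict[str, List[str]]:
    """Cross-check passwd against shadow and list the accounts a hardening pass should review."""
    shadow: Dict[str, str] = {}
    for line in shadow_text.splitlines():
        if line.strip():
            user, pw_field, *_ = line.split(":")
            shadow[user] = pw_field

    findings: Dict[str, List[str]] = {
        "extra_uid0": [],          # a second UID-0 account is a classic backdoor
        "empty_password": [],      # login shell but no password hash (or no shadow entry at all)
        "system_with_shell": [],   # low-UID service accounts that can still log in
        "locked": [],              # already disabled with '!' or '*'; listed for completeness
    }
    for line in passwd_text.splitlines():
        if not line.strip():
            continue
        user, _, uid_s, _gid, _gecos, _home, shell = line.split(":")
        uid = int(uid_s)
        pw_field = shadow.get(user, "")
        if uid == 0 and user != "root":
            findings["extra_uid0"].append(user)
        if shell in INTERACTIVE_SHELLS:
            if pw_field == "":
                findings["empty_password"].append(user)
            if uid < FIRST_USER_UID and user != "root":
                findings["system_with_shell"].append(user)
        if pw_field.startswith(("!", "*")):
            findings["locked"].append(user)
    return findings


if __name__ == "__main__":
    for category, users in audit_accounts(SAMPLE_PASSWD, SAMPLE_SHADOW).items():
        print(f"{category}: {', '.join(users) or '-'}")
```

On a real host the two inputs are read from /etc/passwd and /etc/shadow (the latter as root); the findings map directly onto the list above: "toor" and "test" are candidates for removal, and "games" should at least get a non-interactive shell.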

Hot Fixes
A hotfix is a single, cumulative package that includes one or more files that are used to address a
problem in a software product (i.e. a software bug). Typically, hotfixes are made to address a specific
customer situation and may not be distributed outside the customer organization.

Patches
Patches are released to address vulnerabilities (and other defects) in an application. Patches are made available to everyone through the vendor's website or other channels, while hotfixes are released to a particular customer.
Service Packs

A service pack is an orderable or downloadable update to a customer's software that fixes existing problems and, in some cases, delivers product enhancements. IBM and Microsoft are examples of companies that use this term to describe their periodic product updates.

When a new product version comes out, it usually incorporates the fixes from the service packs that
have been shipped to update the previous product version.

Distributed IDS (summer 2011 for 4 marks)


A distributed IDS (dIDS) consists of multiple intrusion detection systems spread over a large network, all of which communicate with each other, or with a central server that provides advanced network monitoring, incident analysis, and up-to-date attack data. By having these co-operative agents distributed across a network, incident analysts, network operations, and security personnel are able to get a broader view of what is occurring on their network as a whole.

The Central Analysis Server

The central analysis server is the heart of the operation. It would ideally consist of a database and a web server. This allows interactive querying of attack data for analysis, as well as a web interface through which management can see the current attack status of the network. It also allows analysts to run pre-programmed queries, such as attack aggregation and statistics gathering, to identify attack patterns and to perform rudimentary incident analysis, all from the web interface.

The Co-operative Agent Network

The co-operative agent network is one of the most important components of the dIDS. An agent is a
piece of software that reports attack information to the central analysis server. The use of multiple
agents across a network allows the incident analysis team a broader view of the network than can be
achieved with single IDS systems.

Ideally these agents will be located on separate network segments, and geographical locations (See
diagram below.) The agents can also be distributed across multiple physical locations, allowing for a
single incident analysis team to view attack data across multiple corporate locations.

Attack Aggregation

Fig. Attack aggregation by destination port, by attacker IP, and by date and time

Attack aggregation is another core part of the dIDS system. This part of the system is logic that runs on the central server. Aggregation simply refers to the way in which users group or order the information gathered from the agent network. One example would be to aggregate information according to attacker IP, putting all attacks from an attacking IP together with other attacks from the same IP. Another example is the aggregation of attack data according to destination (attacked) port, or even by date and time. Uses for aggregation will be explained later in this paper.
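The three groupings named above (by attacker IP, by destination port, by date and time) are what the central server's aggregation logic computes over the reports the agents send in. The following is an added example, not code from the page or any dIDS product: constructed reports from three agents at different sites (made up for this example) are aggregated each way, and one pre-programmed query picks out attackers seen by more than one agent, which is the "broader view" a single IDS cannot provide. The report record layout and the hourly bucketing are assumptions chosen for the example.

```python
from collections import Counter, defaultdict
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List


@dataclass(frozen=True)
class AgentReport:
    agent: str           # which co-operative agent (sensor) reported the attack
    ts: datetime
    attacker_ip: str
    dst_port: int
    signature: str


# Constructed reports from three agents at different sites (made up for this example).
REPORTS = [
    AgentReport("dmz-1",    datetime(2011, 6, 1, 9, 5),   "203.0.113.9",  22,   "ssh brute force"),
    AgentReport("dmz-1",    datetime(2011, 6, 1, 9, 7),   "203.0.113.9",  22,   "ssh brute force"),
    AgentReport("branch-2", datetime(2011, 6, 1, 9, 9),   "203.0.113.9",  22,   "ssh brute force"),
    AgentReport("hq-3",     datetime(2011, 6, 1, 13, 30), "198.51.100.7", 80,   "cgi traversal"),
    AgentReport("branch-2", datetime(2011, 6, 1, 13, 45), "198.51.100.7", 445,  "smb probe"),
    AgentReport("hq-3",     datetime(2011, 6, 2, 2, 10),  "192.0.2.33",   3389, "rdp scan"),
]


def by_attacker(reports: List[AgentReport]) -> Dict[str, dict]:
    """Aggregate by attacker IP: every attack from one address together, with the agents
    that saw it and the ports it touched."""
    out = defaultdict(lambda: {"count": 0, "agents": set(), "ports": set()})
    for r in reports:
        entry = out[r.attacker_ip]
        entry["count"] += 1
        entry["agents"].add(r.agent)
        entry["ports"].add(r.dst_port)
    return dict(out)


def by_port(reports: List[AgentReport]) -> Counter:
    """Aggregate by destination (attacked) port."""
    return Counter(r.dst_port for r in reports)


def by_hour(reports: List[AgentReport]) -> Counter:
    """Aggregate by date and time, bucketed to the hour."""
    return Counter(r.ts.strftime("%Y-%m-%d %H:00") for r in reports)


def multi_site_attackers(reports: List[AgentReport], min_agents: int = 2) -> List[str]:
    """Pre-programmed query on the central server: attackers reported by at least
    min_agents different agents, i.e. activity no single IDS would have correlated."""
    return sorted(ip for ip, entry in by_attacker(reports).items() if len(entry["agents"]) >= min_agents)


if __name__ == "__main__":
    for ip, entry in by_attacker(REPORTS).items():
        print(f"{ip}: {entry['count']} attacks, agents={sorted(entry['agents'])}, ports={sorted(entry['ports'])}")
    print("by port:", dict(by_port(REPORTS)))
    print("by hour:", dict(by_hour(REPORTS)))
    print("seen at multiple sites:", multi_site_attackers(REPORTS))
```

With the database-backed server described above, each of these functions corresponds to a GROUP BY over the reports table; the in-memory version shows the same grouping without needing a database.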
